mirror of
https://gitea.blesmrt.net/mikaela/shell-things.git
synced 2024-12-22 10:42:55 +01:00
run prettier on markdown again?
This commit is contained in:
parent
5106f8d98e
commit
b39b5db0d4
@ -4,7 +4,7 @@ repository as dotfiles, but historical reasons...
|
||||
# Directories explained
|
||||
|
||||
- .mikaela — files that most likely aren't suitable for places where other
|
||||
people than me have access too
|
||||
people than me have access too
|
||||
- Windows — files releated to Windows
|
||||
- conf — config files like .tmux.conf
|
||||
- etc — /etc/
|
||||
|
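Review bot: two typos survive the re-wrap in this hunk: "people than me have access too" in the `.mikaela` entry should read "access to", and "files releated to Windows" should read "related". Since this commit is only a prettier pass, fix them here rather than in yet another pass over the same lines.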
@ -22,11 +22,11 @@ I think the first method is likely the best, but I cannot rule these working
|
||||
on another system out yet. They didn't work on my first system tried.
|
||||
|
||||
- `00-AllowUpgradesWithUnsupportedTPMOrCPU.reg` - the official Microsoft
|
||||
recommendation and the only one that should be used. If after reboot
|
||||
nothing happens, maybe try the rest rebooting every failure.
|
||||
- https://support.microsoft.com/windows/windows-11-n-asentaminen-e0edbbfb-cfc5-4011-868b-2ce77ac7c70e
|
||||
recommendation and the only one that should be used. If after reboot
|
||||
nothing happens, maybe try the rest rebooting every failure.
|
||||
- https://support.microsoft.com/windows/windows-11-n-asentaminen-e0edbbfb-cfc5-4011-868b-2ce77ac7c70e
|
||||
- `01-LabConfig.reg` - widely reported to work
|
||||
- `01-Setup.reg` - ^
|
||||
- `02-DevRing.reg` - after joining the Insider program, this should enforce
|
||||
joining to Dev ring which should offer Windows 11 instantly. It may be
|
||||
advisable to leave after successful update.
|
||||
joining to Dev ring which should offer Windows 11 instantly. It may be
|
||||
advisable to leave after successful update.
|
||||
|
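Review bot: the entry "`01-Setup.reg` - ^" leans on a caret to mean "same as the line above", which does not survive a quick read; repeat "widely reported to work" or merge it into the `01-LabConfig.reg` line. The list would also be clearer if it said outright that `01-LabConfig.reg` and `01-Setup.reg` are the unofficial bypasses the paragraph above contrasts with the official `00-AllowUpgradesWithUnsupportedTPMOrCPU.reg`, since "the only one that should be used" is currently the only hint.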
@ -3,17 +3,17 @@
|
||||
Requires Windows 11.
|
||||
|
||||
- `GPO-EnforceDoH.reg` enables the group policy to require DoH. However it
|
||||
didn't seem to work for me or it allowed me to set the DNS server to not
|
||||
use DoH.
|
||||
didn't seem to work for me or it allowed me to set the DNS server to not
|
||||
use DoH.
|
||||
|
||||
- `DohWellKnownServers` adds DoH support for multiple IPv4 & IPv6 addresses
|
||||
that Windows 11 isn't shipping by default, currently:
|
||||
- Adguard
|
||||
- Cloudflare antimalware
|
||||
- DNS0 (& Zero)
|
||||
- Mullvad
|
||||
- Mullvad Adblock
|
||||
- Quad9 ECS (Windows 11 defaults include Quad9 default)
|
||||
that Windows 11 isn't shipping by default, currently:
|
||||
- Adguard
|
||||
- Cloudflare antimalware
|
||||
- DNS0 (& Zero)
|
||||
- Mullvad
|
||||
- Mullvad Adblock
|
||||
- Quad9 ECS (Windows 11 defaults include Quad9 default)
|
||||
|
||||
## Configuration
|
||||
|
||||
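Review bot: `DohWellKnownServers` in the second bullet lacks the `.reg` suffix that the next hunk's context line uses (`DohWellKnownServers.reg`); use the file name consistently. The `GPO-EnforceDoH.reg` bullet says the policy "didn't seem to work" or still allowed a non-DoH server; stating how that was observed (which Settings page accepted a plain DNS server afterwards) would let a later reader re-test it instead of repeating the experiment.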
@ -21,6 +21,6 @@ Once Windows knows about the DoH servers (DohWellKnownServers.reg), DNS-over
|
||||
HTTPS can be enabled for:
|
||||
|
||||
- All networks: `Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit`
|
||||
- Same place for Ethernet etc.
|
||||
- Same place for Ethernet etc.
|
||||
- Specific network: `Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit`
|
||||
- Note: if the all networks one is configured, there is a warning about it not being used.
|
||||
- Note: if the all networks one is configured, there is a warning about it not being used.
|
||||
|
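Review bot: the "All networks" bullet's path goes through `WLAN -> View additional properties -> DNS Server assignment`, which is a per-adapter page, while the "Specific network" bullet goes through `WiFi -> Connected SSID`; say that the first applies to every SSID on that adapter and the second to one SSID, and which of the two the "warning about it not being used" in the last bullet is shown for.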
@ -3,6 +3,6 @@ Some kind of explaining for [IPv6.reg](IPv6.reg) like
|
||||
|
||||
- Resolve IPv6 even without native connectivity.
|
||||
- Enable Teredo
|
||||
- As EnterpriseClient so it also works when joined into domain.
|
||||
- As EnterpriseClient so it also works when joined into domain.
|
||||
- Use `teredo.trex.fi` as Teredo server. This should be replaced with
|
||||
something that is as near as possible.
|
||||
something that is as near as possible.
|
||||
|
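Review bot: the "As EnterpriseClient so it also works when joined into domain" sub-bullet should say what it overrides: Teredo is otherwise not enabled on a domain-joined machine, and forcing it on opens an IPv6 tunnel through NAT that firewall rules written for IPv4 may not cover, which is worth one sentence next to the domain remark. The `teredo.trex.fi` bullet already says the server should be replaced with a nearer one; putting the same note as a comment in `IPv6.reg` keeps it attached to the value when this README ages.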
@ -9,10 +9,10 @@ Windows Registry Editor Version 5.00
|
||||
|
||||
- Make the file Windows Registry Editor script
|
||||
- Ask admins for password/PIN in UAC
|
||||
- 2 would ask for yes or no, 0 disable entirely (don't do that).
|
||||
- 2 would ask for yes or no, 0 disable entirely (don't do that).
|
||||
- prompt standard users for username and password. 2021-12-19: I don't understand this or the line below.
|
||||
- The other option (1) doesn't even give them UAC prompt so you must
|
||||
always login as admin to do anything.
|
||||
- The other option (1) doesn't even give them UAC prompt so you must
|
||||
always login as admin to do anything.
|
||||
|
||||
```
|
||||
"dontdisplaylastusername"=dword:00000000
|
||||
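Review bot: the UAC bullets give the numeric values (2, 0, 1) without naming the registry values they belong to, and the author's own "2021-12-19: I don't understand this or the line below" marks the gap; the visible snippet only reaches `"dontdisplaylastusername"=dword:00000000`. Name the value each bullet documents (the admin prompt setting versus the standard-user prompt setting) beside its number so the "0 disable entirely (don't do that)" warning is tied to the right line in the block below.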
@ -39,8 +39,8 @@ Windows Registry Editor Version 5.00
|
||||
```
|
||||
|
||||
- Sets hardware clock to UTC time (doesn't affect system clock!)
|
||||
- qword for 64-bit, dword for 32-bit systems. The actual reg file has
|
||||
only qword as I haven't seen 32-bit Windowses lately.
|
||||
- qword for 64-bit, dword for 32-bit systems. The actual reg file has
|
||||
only qword as I haven't seen 32-bit Windowses lately.
|
||||
|
||||
```
|
||||
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
|
||||
|
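Review bot: the "Sets hardware clock to UTC time" bullet discusses `qword` versus `dword` but never names the value being set, and the code block that follows in this hunk opens with `[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]`, which is a DNS cache key rather than a clock key; name the value in the bullet and, if the Dnscache block has its own explanation, give it a separator or heading so the two are not read as one item.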
@ -7,16 +7,16 @@ w32tm /query /peers
|
||||
```
|
||||
|
||||
- The list is space separated NTP servers, while I think Windows uses SNTP instead
|
||||
of NTP.
|
||||
of NTP.
|
||||
- `/resync` may sync current time, but is also required for the GUI
|
||||
(Windows + I, Date & time) and following command to get aware of peers.
|
||||
(Windows + I, Date & time) and following command to get aware of peers.
|
||||
- Shows where time is synced from and statistics.
|
||||
- There is also `net time` to sync, I am unsure of the differences while
|
||||
that may be blocked while the second keeps working. It may also not
|
||||
show all the peers, just the primary one, while `w32tm` is more verbose
|
||||
and has all of them.
|
||||
- There is also `net time` to sync, I am unsure of the differences while
|
||||
that may be blocked while the second keeps working. It may also not
|
||||
show all the peers, just the primary one, while `w32tm` is more verbose
|
||||
and has all of them.
|
||||
- As Windows doesn't support NTS and probably won't in near future, there is
|
||||
no point in listing distant foreign servers.
|
||||
no point in listing distant foreign servers.
|
||||
|
||||
## Variations
|
||||
|
||||
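Review bot: the bullet "Shows where time is synced from and statistics" has no command attached in this list; it reads as the explanation of `w32tm /query /peers` from the hunk context, so say so explicitly. The NTS bullet is the security point of the file: without NTS the configured peers are plain, unauthenticated NTP, which is the actual reason to prefer nearby servers, so state that reason in the bullet rather than only "no point in listing distant foreign servers".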
@ -47,14 +47,14 @@ w32tm /config /syncfromflags:manual /manualpeerlist:"time.cloudflare.com ntp1.ko
|
||||
- https://www.netnod.se/nts/network-time-security
|
||||
- https://www.vttresearch.com/fi/palvelut/suomen-aika-ntp-palvelu#julkinen
|
||||
- https://www.ntppool.org/use.html
|
||||
- Also mentions the syntax for multiple servers, but considering this Elisa
|
||||
list has so many servers I am only picking one pool address just in case
|
||||
the others somehow fail.
|
||||
- Also mentions the syntax for multiple servers, but considering this Elisa
|
||||
list has so many servers I am only picking one pool address just in case
|
||||
the others somehow fail.
|
||||
|
||||
## Additional reading
|
||||
|
||||
- Above links
|
||||
- https://jasoncoltrin.com/2018/08/02/how-to-set-clock-time-on-ad-domain-controller-and-sync-windows-clients/
|
||||
- this file might not exist without this post, while it doesn't mention
|
||||
multiple servers, uses `time.windows.com` and I am yet to actually touch
|
||||
NTP on Windows Server environment.
|
||||
- this file might not exist without this post, while it doesn't mention
|
||||
multiple servers, uses `time.windows.com` and I am yet to actually touch
|
||||
NTP on Windows Server environment.
|
||||
|
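Review bot: "considering this Elisa list has so many servers" refers to a list that is not in the visible lines of this README section; name the file or link it so the remark about picking one pool address can be checked against the list it describes.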
@ -25,7 +25,7 @@ methods setting fonts):
|
||||
- Document text: Noto Serif Regular 11
|
||||
- Monospace text: Noto Sans Mono Regular 10
|
||||
- Legacy window title text: Noto Serif Bold 11
|
||||
- Apparently this means "apps that don't use client-side decorations"
|
||||
- Apparently this means "apps that don't use client-side decorations"
|
||||
|
||||
The number behind is obviously the number and it's based on what were the
|
||||
defaults before I touched them so I am hoping GNOME knows what they are
|
||||
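Review bot: "The number behind is obviously the number" should say which number: the point size that follows each font name in the list above ("Noto Serif Regular 11" and so on).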
@ -42,10 +42,10 @@ have trouble handling it, e.g. mpv (makes Ä and Ö and Å all Å) and Firefox
|
||||
Other font settings in GNOME-Tweak:
|
||||
|
||||
- Hinting: _a bit_
|
||||
- for no particular reason
|
||||
- for no particular reason
|
||||
- Antialiasing: _Subpixel (for LCD-displays)_
|
||||
- I have no idea where there are "standard grayscale" displays that aren't
|
||||
LCD.
|
||||
- I have no idea where there are "standard grayscale" displays that aren't
|
||||
LCD.
|
||||
|
||||
### Screen mirroring
|
||||
|
||||
@ -56,6 +56,6 @@ Workarounds:
|
||||
- Use VNC (see my Scripts repo [`bash/swaymirror.bash`](https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/swaymirror.bash))
|
||||
- Do something weird with OBS
|
||||
- Use a dedicated application that don't seem to be in Fedora repos, flatpak
|
||||
or snap.
|
||||
- [github.com/Ferdi265/wl-mirror](https://github.com/Ferdi265/wl-mirror)
|
||||
- [github.com/progandy/wdomirror](https://github.com/progandy/wdomirror)
|
||||
or snap.
|
||||
- [github.com/Ferdi265/wl-mirror](https://github.com/Ferdi265/wl-mirror)
|
||||
- [github.com/progandy/wdomirror](https://github.com/progandy/wdomirror)
|
||||
|
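Review bot: "Use a dedicated application that don't seem to be in Fedora repos" should be "doesn't", and since the two GitHub links beneath are the applications meant, "Use one of these dedicated applications, none of which seem to be in Fedora repos, flatpak or snap." would tie the sub-bullets to the sentence.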
@ -5,7 +5,7 @@ Thus this `README.md` is not read, even if I happened to carelessly
|
||||
copy-paste it in.
|
||||
|
||||
- `autostart-communication.conf` - chat/communication apps I am expected to have
|
||||
open or at least check at times
|
||||
open or at least check at times
|
||||
- `autostart-fineid.conf` - Finnish electric identity card, that I also use as SSH key
|
||||
- `autostart-utilities.conf` - general utilities, like `nm-applet` or VPN etc.
|
||||
- `grimshot.conf` - screenshotting keybinds using `grimshot`
|
||||
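Review bot: "Finnish electric identity card" in the `autostart-fineid.conf` entry should be "electronic identity card" (FINeID, which the file name already abbreviates).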
@ -13,15 +13,15 @@ copy-paste it in.
|
||||
- `keyboard.conf` - keyboard configuration
|
||||
- `media.conf` - media key configuration and autostarts related to it
|
||||
- `pointer-accel.conf` - pointer/mouse configuration, mainly setting acceleration
|
||||
profile to `flat`
|
||||
profile to `flat`
|
||||
- `README.md` - you are currently reading this :wink:
|
||||
- `sedric.conf` - configuration specific to my laptop hostnamed `sedric`
|
||||
- `swaybar.conf` - `swaybar` configuration
|
||||
- `swayidle.conf` - `swayidle` configuration/autostart
|
||||
- `wlsunset-kotka.conf` - `wlsunset` configuration/autostart for my hometown for when
|
||||
I happen to visit for longer period of time
|
||||
I happen to visit for longer period of time
|
||||
- `wlsunset-lauttasaari.conf` - `wlsunset` configuration for my home neighbourhood
|
||||
- `zz-floating.conf` - configures windows that should float. For some reason
|
||||
that is inherited from my `i3` config, it tells to put float rules above the
|
||||
last line, so it should be read last and `z` is the last letter of English
|
||||
alphabet so it will hopefully be read last.
|
||||
that is inherited from my `i3` config, it tells to put float rules above the
|
||||
last line, so it should be read last and `z` is the last letter of English
|
||||
alphabet so it will hopefully be read last.
|
||||
|
@ -8,9 +8,9 @@ cannot read them from here.
|
||||
These files may age badly, so here are some hopefully timeless pointers:
|
||||
|
||||
- Generate the config file with https://ssl-config.mozilla.org/ (and if
|
||||
time eats it, try https://github.com/mozilla/ssl-config-generator/ in
|
||||
hope of finding where it is now. \* Name it 00-something so it will be the first file read and make
|
||||
everything a different file.
|
||||
time eats it, try https://github.com/mozilla/ssl-config-generator/ in
|
||||
hope of finding where it is now. \* Name it 00-something so it will be the first file read and make
|
||||
everything a different file.
|
||||
- If using my acmesh-ssl.bash script, the files to fill should be like:
|
||||
|
||||
(the script runs `$ACMESH --key-file $NGINXDIR/key.pem --fullchain-file $NGINXDIR/cert.pem --reloadcmd "$SYSTEMCTLRESTART nginx"`)
|
||||
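Review bot: the "\* Name it 00-something so it will be the first file read" fragment in the middle of the "Generate the config file" bullet is a sub-bullet that prettier has escaped into literal text (the `\*`); give it its own indented list line, and "make everything a different file" should state what goes into the other files. As this commit is itself a prettier run, this line is the kind of thing to check after each run.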
@ -21,11 +21,11 @@ These files may age badly, so here are some hopefully timeless pointers:
|
||||
The header syntax is following, **_THIS LIKELY WON'T TIME WELL, ESPECIALLY CSP_**
|
||||
|
||||
```
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Content-Security-Policy "block-all-mixed-content; default-src 'none'; form-action 'self'; connect-src 'self' ws: wss:; style-src 'self' https: 'unsafe-inline'; script-src 'self'; worker-src 'self'; child-src 'self'; manifest-src 'self'; font-src 'self' https:; media-src 'self' https:; img-src 'self' data: https://user-images.githubusercontent.com" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||
add_header Content-Security-Policy "block-all-mixed-content; default-src 'none'; form-action 'self'; connect-src 'self' ws: wss:; style-src 'self' https: 'unsafe-inline'; script-src 'self'; worker-src 'self'; child-src 'self'; manifest-src 'self'; font-src 'self' https:; media-src 'self' https:; img-src 'self' data: https://user-images.githubusercontent.com" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
```
|
||||
|
||||
The CSP comes from `HEAD "http://[::]:9000/#/chan-1"` to figure out what
|
||||
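Review bot: in the header block, `block-all-mixed-content` is deprecated in current browsers (`upgrade-insecure-requests` is the replacement), and with `default-src 'none'` two directives that do not fall back to `default-src` are missing: `base-uri` (add `base-uri 'self'` or `'none'` so an injected `<base>` element cannot redirect relative script URLs) and `frame-ancestors` (add `frame-ancestors 'self'` to match the `X-Frame-Options "SAMEORIGIN"` line). `style-src 'self' https: 'unsafe-inline'` is the weakest part of the policy, so the bold "THIS LIKELY WON'T TIME WELL, ESPECIALLY CSP" warning could name it as the first thing to revisit.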
@ -33,9 +33,9 @@ TheLounge would be setting without a reverse proxy in front of it. `HEAD` is
|
||||
in Debian package `libwww-perl`
|
||||
|
||||
- Refer to tester tools to see if the configuration is fine:
|
||||
- https://observatory.mozilla.org/
|
||||
- https://securityheaders.com/
|
||||
- https://www.ssllabs.com/ssltest/
|
||||
- https://observatory.mozilla.org/
|
||||
- https://securityheaders.com/
|
||||
- https://www.ssllabs.com/ssltest/
|
||||
|
||||
---
|
||||
|
||||
|
@ -33,9 +33,9 @@ don't exist by default anymore, they need to be copied and edited separately
|
||||
See also:
|
||||
|
||||
- https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/1220
|
||||
- marked as duplicate of: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/207
|
||||
- marked as duplicate of: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/207
|
||||
|
||||
## Bluetooth
|
||||
|
||||
- https://www.redpill-linpro.com/techblog/2021/05/31/better-bluetooth-headset-audio-with-msbc.html
|
||||
- https://web.archive.org/web/20210614103423/https://www.redpill-linpro.com/techblog/2021/05/31/better-bluetooth-headset-audio-with-msbc.html
|
||||
- https://web.archive.org/web/20210614103423/https://www.redpill-linpro.com/techblog/2021/05/31/better-bluetooth-headset-audio-with-msbc.html
|
||||
|
@ -12,31 +12,31 @@ sudo systemctl restart systemd-resolved
|
||||
## Files explained
|
||||
|
||||
- `00-defaults.conf` - configuration not touching resolvers. Disables DNSSEC (as
|
||||
systemd-resolved doesn't handle it properly), enables opportunistic DoT and
|
||||
caching.
|
||||
systemd-resolved doesn't handle it properly), enables opportunistic DoT and
|
||||
caching.
|
||||
- `dot-*.conf` - configuration to use the DNS provider with DNS-over-TLS. If
|
||||
captive portals are a concern, `DNSOverTLS=no`.
|
||||
captive portals are a concern, `DNSOverTLS=no`.
|
||||
- `README.md` - you are reading it right now.
|
||||
|
||||
## General commentary
|
||||
|
||||
- Based on my test DNSOverTLS is not supported in Ubuntu 18.04.x LTS (however
|
||||
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
|
||||
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
|
||||
v243 (big improvements in v244).
|
||||
- TODO: find out when SNI became supported, I have just spotted it in the
|
||||
fine manual in 2020-06-??.
|
||||
at the time of writing this README.md, the current version is Ubuntu 20.04.0)
|
||||
(systemd v237). DNSOverTLS became supported in v239, strict mode (yes) in
|
||||
v243 (big improvements in v244).
|
||||
- TODO: find out when SNI became supported, I have just spotted it in the
|
||||
fine manual in 2020-06-??.
|
||||
- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
|
||||
without which I wouldn't have got this right.
|
||||
without which I wouldn't have got this right.
|
||||
- DNSSEC may not work if the system is down for a long time and not updated.
|
||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||
potential downgrade attack. There are also captive portals, affecting
|
||||
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
|
||||
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
Thus `allow-downgrade` may be better for non-tech people, even with the
|
||||
potential downgrade attack. There are also captive portals, affecting
|
||||
`DNSOverTLS`. Both take `yes` or `no` or their own special option,
|
||||
for DNNSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
|
||||
|
||||
Other links I have found important and my files are based on:
|
||||
|
||||
- https://wiki.archlinux.org/index.php/Systemd-resolved
|
||||
- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
- Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
|
||||
- request for strict DOT: https://github.com/systemd/systemd/issues/10755
|
||||
- vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
|
||||
|
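Review bot: "for DNNSEC the `allow-downgrade`" should be `DNSSEC`, and "Domains has to be `.~`" should be "have to be". The `00-defaults.conf` bullet says the file disables DNSSEC while the commentary below says `allow-downgrade` "may be better for non-tech people"; state which setting the shipped file actually contains so the two do not read as contradicting each other. Worth adding in the same place: opportunistic DoT, like `allow-downgrade`, accepts a fallback to plaintext, so neither option defends against an active attacker on the path; that is the trade-off the captive-portal sentence is making, and saying so makes the `DNSOverTLS=no` advice easier to weigh.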
@ -4,12 +4,12 @@ subdirectories. The sudirectories won't exist in the real
|
||||
and I forget to update this README file if that happens.
|
||||
|
||||
- reflector.service is copied from https://wiki.archlinux.org/index.php/Reflector
|
||||
but uses https instead of http, because there is no reason I would want
|
||||
someone to see what I download.
|
||||
but uses https instead of http, because there is no reason I would want
|
||||
someone to see what I download.
|
||||
|
||||
## Worth reading
|
||||
|
||||
- Waiting for network devices to have IP address (**I only use this for
|
||||
cables**) https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
|
||||
_ systemctl enable NetworkManager-wait-online.service
|
||||
_ systemctl enable systemd-networkd-wait-online.service
|
||||
cables**) https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
|
||||
_ systemctl enable NetworkManager-wait-online.service
|
||||
_ systemctl enable systemd-networkd-wait-online.service
|
||||
|
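Review bot: the lines `_ systemctl enable NetworkManager-wait-online.service` and `_ systemctl enable systemd-networkd-wait-online.service` are sub-bullets whose `*` markers prettier has rewritten as `_` emphasis delimiters (a `* ... *` pair within one line parses as emphasis); put each on its own indented `-` line so they render as commands, and say whether both units are meant to be enabled or one per network manager. "sudirectories" in the hunk context line should be "subdirectories".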
@ -3,4 +3,4 @@ Sailfish OS. It doesn't have cron, so I tried the nearest equivalent
|
||||
that is there out-of-box, systemd timers.
|
||||
|
||||
- aliendalvik-stopper again stops android support hourly so it won't waste
|
||||
battery.
|
||||
battery.
|
||||
|
@ -6,14 +6,14 @@ NetworkManager.
|
||||
Notes:
|
||||
|
||||
- `git commit`ing the same SSID with different capitalisations breaks
|
||||
Windows and more common macOS setups due to their filesystems being
|
||||
case-insensitive.
|
||||
Windows and more common macOS setups due to their filesystems being
|
||||
case-insensitive.
|
||||
- `Settings.AutoConnect=true` is unnecessary as it defaults to true
|
||||
according to `man iwd.network`.
|
||||
according to `man iwd.network`.
|
||||
- `IPv6.Enabled=true` defauls to true being also unnecessary.
|
||||
- `private-home-sample.psk` has a comment on MAC address override and sends
|
||||
hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC
|
||||
address and doesn't send hostname.
|
||||
hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC
|
||||
address and doesn't send hostname.
|
||||
- The `.open` networks always randomize MAC address too. If a network is
|
||||
private and needs MAC address for captive portal override or something,
|
||||
`private-home-sample.psk` should be adjusted from.
|
||||
private and needs MAC address for captive portal override or something,
|
||||
`private-home-sample.psk` should be adjusted from.
|
||||
|
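Review bot: "`IPv6.Enabled=true` defauls to true" should be "defaults", and "`private-home-sample.psk` should be adjusted from" reads as if a word is missing ("should be used as the starting point"). The MAC-randomisation bullets are the privacy-relevant content of this README, so the `.open` bullet could also spell out that `private-home-sample.psk`, which sends the hostname with IPv4 DHCP, is the only sample that identifies the machine to the network, so readers copying a sample pick the right one.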