Commit Graph

600 Commits

Author SHA1 Message Date
f75bc7bd07
sshd/basic-security.conf: remove deprecated option
> /etc/ssh/sshd_config.d/basic-security.conf line 24: Deprecated option UsePrivilegeSeparation

OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS  8 Dec 2020
2021-01-31 13:39:51 +02:00
0151bee9b0
sshd/mikaela-prohibit-password.conf: add AuthenticationMethods publickey 2021-01-30 22:15:51 +02:00
f1ea1e17d9
etc/ssh: rm copy 2021-01-30 21:35:05 +02:00
0572613d99
etc/ssh: cut sshd_config into multiple .confs 2021-01-30 21:31:38 +02:00
c5fa3daf29
sshd_config.d: read Mozilla docs & adjust accordingly
https://infosec.mozilla.org/guidelines/openssh
2021-01-30 21:18:41 +02:00
5211fb772c
sshd_config.d: add anoncvs.conf 2021-01-30 21:00:06 +02:00
de3a0739b4
sshd_config.d: add mikaela-prohibit-password.conf
Resolves: #88
2021-01-30 20:50:21 +02:00
a7c643bb7a
etc/sshd_config.d: add basic-security.conf
Ref: 88
2021-01-30 20:47:21 +02:00
8628ec28e0
yum.repos.d: add Dino 2021-01-30 11:01:17 +02:00
84ee7aeada
yum.repos.d: list Keybase too 2021-01-29 19:18:11 +02:00
27d1914424
etc: add dnf/dnf.conf & yum.repos.d/README.md 2021-01-29 19:15:08 +02:00
81296a241c
chrony: cut chrony.d/ into conf.d/ and sources.d/
I hope these are wider defaults than just Debian and allow me to not
conflit with package manager, but regardless having a separate
sources.d/ looks like a good idea for being able to `chronyc reload sources`
2021-01-29 12:56:38 +02:00
fc0730d7a5
sudoers.d/protonvpn.conf: add /usr/bin/protonvpn 2021-01-28 13:13:28 +02:00
16b19fb34d
torrc-client: add etro.mikaela.info 2021-01-26 19:42:25 +02:00
6216d8cda3
sudoers.d: add passwordless protonvpn-{tray,gui} 2021-01-16 20:40:21 +02:00
2df7aed162
chrony/yggdrasil: add comment & Kotka computers 2021-01-08 11:25:16 +02:00
Mikaela Suomalainen
0f94c59b81
chrony: add hetzner srevers 2020-12-19 13:03:54 +02:00
abb0c37ef2
unbound.conf.d: add yggdrasil-override.conf
Begins #89 at a better time
2020-12-15 20:34:01 +02:00
b26c9f698d
chrony/yggdrasil: add Etro 2020-12-15 14:30:30 +02:00
b20f3367b1
systemd/yggdrasil: add mullvad-exclude (& fix chrony override typo) 2020-12-09 09:38:49 +02:00
36b6a99e85
chrony.d: local-servers: add notes + xleave to the first comment 2020-12-09 08:44:34 +02:00
40d535f2c0
systemd/chrony.service.d/mullvad-exclude: actually fix this 2020-12-08 18:36:34 +02:00
f92b8d8d05
chrony.d/yggdrasil.conf: add y.Jolly-Roger 2020-12-06 19:49:12 +02:00
e27e88efd8
chrony.d: add hwtimestamp.conf 2020-12-06 19:26:04 +02:00
4a25481db2
chrony/yggdrasil.conf: add Sedric 2020-12-06 18:36:23 +02:00
5e94147e81
chrony.d/yggdrasil.conf: initial commit 2020-12-06 18:02:43 +02:00
2a615d8241
chrony: note that confdir and NTS require 4.0 2020-12-03 10:52:47 +02:00
e9aefd711b
blocklist.conf: refuse blocked instead of nxdomain
Only the Firefox DoH needs to be NXDOMAIN while REFUSE may be more
accurate for the rest.
2020-11-21 12:13:55 +02:00
e7a6e00b83
unbound/dns-over-tls: comment Adguard & NextDNS for not being in FI 2020-11-15 09:46:50 +02:00
aadcc009a0
unbound/dns-over-tls.conf: add Adguard (unfiltered) & NextDNS 2020-11-12 16:12:18 +02:00
3289a812ee
unbound: add dns-mullvad.conf (not encrypted)
Contains Mullvad Wireguard, OpenVPN and public addresses
2020-11-10 16:04:48 +02:00
9536101263
resolv.csv: add BlahDNS DoH CDNs
Just doh1, because it and doh2 resolve into the same addresses for me
and I don't want to add duplicate DoH field when only BlahDNS has two
differnt addresses for the same thing.
2020-11-08 12:50:31 +02:00
49d969822b
etc/resolv.csv: add BlahDNS
Resolves: #85
2020-11-04 12:56:48 +02:00
c302b10caf
chrony.d: restore log.conf 2020-11-01 11:57:57 +02:00
07e8c52f3b
chrony.d/local-servers: remove duplicate line
it's in README.md
2020-11-01 11:36:30 +02:00
dced82b820
etc/chrony: break chrony.conf into README.md & chrony.d/ 2020-11-01 11:23:59 +02:00
52458cc8aa
chrony.conf: add xleave for peer 2020-11-01 10:47:30 +02:00
84a669f51f
chrony.conf: add note for Windows on nettime 2020-10-31 18:10:25 +02:00
c55e6b97e8
chrony.conf: comments for nmap and VPNs 2020-10-31 14:34:47 +02:00
0c7038da14
systemd: systemd-resolved.service.d/unbound.conf: After unbound 2020-10-30 10:19:39 +02:00
fe83cbbb3a
systemd: add config for excluding Chrony from Mullvad 2020-10-30 08:04:58 +02:00
f878041e2e
unbound/dns-over-tls.conf: reverse order of providers
It seems to have some (small?) relevance to where queries go to.
2020-10-29 16:24:52 +02:00
6e1f41533c
unbound/dns-over-tls.conf: comment the 443 appliedprivacy
Thinking it a bit more, it's not useful to use their resources on
devices that practically never encounter blocked port 853.
2020-10-29 13:22:19 +02:00
b03e00faaa
local/share/apps: add firejailed mirage (todo: test it) 2020-10-29 13:15:48 +02:00
c93034ba7f
unbound/dns-over-tls.conf: major cleanup 2020-10-29 13:15:23 +02:00
8b04c26065
chrony.conf: add a peer comment for LOCALMACHINE.local 2020-10-27 10:35:09 +02:00
dc2ac02412
begin depulseaudioing
https://wiki.archlinux.org/index.php/PulseAudio/Troubleshooting#No_sound_below_a_volume_cutoff_or_Clipping_on_a_particular_output_device
is too much for me. I expect to suffer this decision too though.

* i3: bind audio buttons to amixer (TODO: there are still pulse-specific
  shortcuts and no shortcut for any kind of a mixer. $TERMINAL
  alsamixer?)
* i3status: comment pulse to make it see alsa
* apt: pin pulseaudio to negative priority
2020-10-26 17:21:39 +02:00
9b197cbaed
chrony.conf: add a local server example 2020-10-26 07:34:10 +02:00
258cf72ccb
chrony.conf: mark Cloudflare as a pool of 2 2020-10-25 19:46:36 +02:00
9ae9856c0a
chrony.conf: mark Snopyta & Telia as pools with maxsources 3 2020-10-25 18:54:53 +02:00
51080f52d8
chrony.conf: add comments on allowing lan access 2020-10-25 17:43:07 +02:00
b4ca31e6c6
chrony.conf: add DNA & Telia NTP servers
Resolves: #83
2020-10-25 17:22:59 +02:00
4cebe7fbd5
chrony.conf: list NTP servers
Ref: #83
2020-10-25 12:44:53 +02:00
993759577e
Bind systemd-resolved to Unbound 2020-10-25 09:05:07 +02:00
73f273f4bb
etc/chrony: add small chrony.conf notes 2020-10-24 11:32:07 +03:00
d3e00fb1a3
xdg-applications: add firejailed appimage of chatterino 2020-10-24 09:11:14 +03:00
1e70d7d4d7
etc/systemd-resolved&unbound: add Quad9 ECS configs
Untested. The last time I saw the documentation, they didn't mention
DoT.
2020-10-21 17:09:20 +03:00
1467454284
hosts.append: prepend empty line
It makes it easier to see where this begins in the appended /etc/hosts
2020-10-21 15:18:03 +03:00
de7184794a
etc: add hosts.append for appending into hosts for systemd-resolved 2020-10-21 15:16:56 +03:00
ca4c85b7df
etc/resolv.csv: add Quad9 ECS
The DoT address is guessed and verified to be open through nmap, as it's
not documented, I don't know surely that it's what it should.

DoH is mentioned in https://www.quad9.net/doh-quad9-dns-servers/

via https://gitlab.com/nitrohorse/ios14-encrypted-dns-mobileconfigs/-/issues/6
2020-10-18 11:11:27 +03:00
cb5781044c
resolv.conf: add OpenDNS Family 2020-10-03 14:56:52 +03:00
5f9cf10c68
resolv.csv: add Cleanbrowsing 2020-10-03 14:07:41 +03:00
531abc1f42
resolv.csv: fix Cloudflare DoT address 2020-10-03 13:49:04 +03:00
96d19d99cb
resolv.csv: add Cloudflare family, fill CF antimalware IPv6 2020-10-03 13:46:13 +03:00
8241d0e695
resolv.csv: add AdGuard Family 2020-10-03 13:42:05 +03:00
ae533261ab
etc/resolv.csv restore Firefox addresses 2020-10-03 13:38:31 +03:00
13a03812ba
resolv.conf: move resolvers to resolv.csv 2020-09-27 15:05:53 +03:00
31a15a9abc
systemd-resolved & unbound: update AdGuard IPs
Resolves: #81
2020-09-27 14:34:54 +03:00
09d7a87dfb
fix zaldaryn-r8168? 2020-09-03 19:39:34 +03:00
6c2475676c
unbound.conf.d/dot-adguard.conf: fix SNI domain 2020-08-30 16:56:51 +03:00
edb259b1c8
unbound.conf.d: add dot-adguard.conf 2020-08-30 16:45:35 +03:00
cc965d4692
blocklist.conf: add empty line & incoming.telemetry.mozilla.org 2020-08-22 23:31:54 +03:00
263f828550
unbound blocklist: add ssl.google-analytics.com 2020-08-20 19:30:47 +03:00
94eace15e7
unbound/blocklist.conf: specify it's server clause
Introduced by e4d18d47c5
2020-08-20 18:38:37 +03:00
cabf7c570d
blocklist.conf: add [www.]google-analytics.com. 2020-08-20 18:33:51 +03:00
b5cafdeb90
unbound: the mass file is not a good idea? cut it? 2020-08-16 12:18:07 +03:00
e4d18d47c5
etc/.../unbound.conf: update for 1.11.0-1+ 2020-08-15 10:27:50 +03:00
cf8dc85ec0
systemd/timesyncd.conf.d: add cloudflare.conf 2020-08-09 10:51:36 +03:00
82cf5e7742
systemd/resolved.conf.d: add generic NextDNS confs 2020-08-09 00:07:06 +03:00
c3f9205610
resolv.conf: fix nextdns addresses 2020-08-09 00:03:13 +03:00
bbbe4a2f04
resolv.conf: add Firefox DoH resolvers
Excluding Comcast
2020-08-08 20:06:39 +03:00
f58ba9424e
resolv.conf: more notes, hilight systemd-resolved, add DoH addresses 2020-08-08 19:44:08 +03:00
ca25fa1a66
sources.list: rm 16.04.archive.ubuntu.com
I don't see enough difference compared to ubuntu.

Resolves: #78
2020-08-07 15:58:54 +03:00
Mikaela Suomalainen
0be7388798
sources.list: add ubuntu
Resolves: #77
2020-08-07 10:40:22 +03:00
73fb88e11d
systemd-resolved.conf.d: everywhere -> 00-everywhere 2020-07-24 12:16:31 +03:00
8af19aab5e
resolv.conf: link to Mullvad issue while at it 2020-07-23 23:28:14 +03:00
99cda3d7ed
resolv.conf: add a missing word 2020-07-23 23:27:37 +03:00
7da5babc43
resolv.conf: add missing empty line 2020-07-23 22:59:53 +03:00
d3e1aaee30
resolv.conf: more systemd-resolved info 2020-07-23 22:52:32 +03:00
6289837766
resolv.conf: note the systemd-resolved files 2020-07-23 22:43:04 +03:00
a8e9d7d81f
etc/resolv.conf: add option trust-ad 2020-07-20 23:11:55 +03:00
69f55cd724
systemd/resolved: adguard-strict -> adguard-dot 2020-07-18 14:05:36 +03:00
550b68d149
etc/systemd/resolved: add [adguard,cloudflare}-strict.conf
I am not actually using either though and I am not sure if I will,
but maybe they are nice to have as a backup here just in case.
2020-07-18 02:20:56 +03:00
b3cb953b9c
systemd/resolved: add a comment to everywhere.conf too
as every other file explains who it is for, why not this
2020-07-04 19:09:26 +03:00
0ae22081a0
etc/systemd-resolved: rework all files more or less
* explain things in README.md, don't duplicate comments
* opportunistic-insecure.conf should be used everywhere by default, so
  thus it's now everywhere.conf. However I am yet to test it does what
  I expect, so this is bad case of testing in production or after
  committing it in general.
2020-07-04 19:06:18 +03:00
7a73088beb
systemd/resolved.conf.d/quad9*.conf: enable SNI 2020-06-26 12:22:09 +03:00
bce9af0edd
resolved.conf: add quad9-compat.conf 2020-06-26 12:22:09 +03:00
Mikaela Suomalainen
507b9b15c7
etc/containers: add registries.conf example
linking to source, it seems to be enough to get started with podman
2020-05-27 11:01:08 +03:00
Mikaela Suomalainen
856085bd74
ssh_config: document ForwardAgent and ForwardX11...
...Previously they were no without explanation, but it never hurts to
explicitly have comments on not doing that, I didn't quickly find
anything nice for ForwardAgent, but I remember the Matrix.org people
somehow avoiding hearing it and ForwardX11 first result was that
StackExchange.
2020-05-22 14:36:26 +03:00
Mikaela Suomalainen
d8d48508bd
ssh_config: update comments, add Includes
Resolves: #69
2020-05-22 14:29:37 +03:00
c2c27c8adb
local: add firejail-appimage-patchwork.desktop 2020-05-08 18:14:42 +03:00
5226399637
grub.d: add quiet.cfg to remind me to not remove it 2020-04-08 19:24:22 +03:00
1e08997ad5
etc/sources.list: add (Debian's) experimental 2020-03-30 18:12:16 +03:00
6f2f986d2f
etc/fahclient/config.xml: let the slider be MEDIUM 2020-03-30 09:16:32 +03:00
d1fc83913b
systemd/user: add ipfs, transmission-daemon (from system) 2020-03-30 08:42:06 +03:00
b2dac44a64
etc: add fahclient/config.xml 2020-03-30 08:35:56 +03:00
d39ec4ccfe
grub.d/oldifnames.cfg: update comment
I seem to be using it in multiple systems so I cannot say I don't
recommend it, when it's understood.
2020-03-29 15:12:00 +03:00
53944a0673
grub.d: add forcefsck.cfg 2020-03-29 15:11:48 +03:00
b217baaec9
systemd/system: update syncplay-server.service
It never got the TLS flag apparently
2020-03-27 18:02:34 +02:00
d71357613f
apt/preferences.d/limit-unstable: add unstable-debug repo
It may be unhelpful to have debug symbols getting pulled from Unstable
while using packages from Testing or even Stable.
2020-03-21 16:40:00 +02:00
9d70aa8119
org.signal.Signal.desktop: rename to Signal Tray 2020-03-09 09:35:19 +02:00
8fc2d8905c
etc/nginx/README.md: add future warning 2020-03-07 21:08:57 +02:00
64d5fef6f3
ipfs.service: point to the new meta issue 2020-02-29 18:03:32 +02:00
b125fc1804
etc/systemd/resolved.conf.d: general.conf -> opportunistic-insecure.conf 2020-02-21 19:03:56 +02:00
60cac14929
etc: add multi-user.cfg 2020-02-18 01:42:27 +02:00
585266bc28
update pomotroid.desktop & add ipfs-desktop.desktop
Pomotroid now stores data
2020-02-13 20:17:39 +02:00
a3d7b0af22
etc/default/grub.d/lockdown.cfg: notes + lockdown=integrity comment 2020-02-13 02:03:52 +02:00
b770e356cb
etc/default/grub.d: add lockdown.cfg 2020-02-13 01:17:39 +02:00
60899ca667
etc/sysctl.d: add kernel.yama.ptrace_scope = 1 2020-02-12 22:36:17 +02:00
3e325cca03
etc/sysctl.d: add 00-local-userns.conf with warnings/rant 2020-02-12 22:00:11 +02:00
bd6488e0ed
etc/default/grub.d: nouveau.cfg -> itwjyg.cfg + more modules 2020-02-10 17:54:47 +02:00
fafc6fad62
etc/xdg/autostart: add pomotroid.desktop
Resolves: #50
2020-02-09 20:36:56 +02:00
1a8c6fcd24
merge local/share/applications & etc/xdg/autostart 2020-02-09 20:35:54 +02:00
ee0038c568
add /etc/network/interfaces.d/eth0 2020-02-09 14:53:56 +02:00
8472ffa7cd
NetworkManager: add manage-ifupdown.conf 2020-02-09 14:53:01 +02:00
9177966264
etc/default/grub.d: -supposedly & modprobe r8168 2020-02-09 14:50:43 +02:00
da2f090f56
logind.conf.d/lidclose.conf: mention systemd-rfkill, ref: #51 2020-02-03 22:41:47 +02:00
d54ec98f99
NM/iwd.conf: add missing line (enable --now iwd) 2020-02-03 21:40:11 +02:00
d8740f54e1
NetworkManager/conf.d: add iwd.conf for replacing wpa_supplicant 2020-02-03 21:15:35 +02:00
c0399054bb
etc/systemd/login.conf.d/lidclose.conf: ignore lid close 2020-02-03 19:36:05 +02:00
a82e3fd989
etc/NetworkManager: add no-mac-randomizing.conf 2020-01-28 23:12:54 +02:00
b04c724b5b
etc/default/grub.d: add flags to disable hibernating 2020-01-19 13:47:33 +02:00
2168bc47ed
apt/preferences.d: don't consider firefox/jami as badideas 2020-01-12 13:24:11 +02:00
86cb1a02dc
etc/xdg/autostart: add com.github.wwmm.pulseeffects.desktop 2020-01-11 22:25:33 +02:00
e47568e178
etc/xdg/autostart: add Nextcloud.desktop 2020-01-11 22:24:23 +02:00
5c6f66e5fc
etc/apt/preferences.d: add hacks/limit-buster 2020-01-11 22:11:25 +02:00
eabd12a26d
etc/apt/preferenced: move not-so-good-ideas to badideas/ 2020-01-11 21:43:52 +02:00
31c53595f8
etc/apt/preferences.d: add limit-unstable from Wireguard 2020-01-11 21:41:09 +02:00
3011004856
NetworkManager/conf.d: add no-resolvconf.conf 2020-01-11 21:05:05 +02:00
346d726bb7
NetworkManager/unbound: note unbound-control-setup 2020-01-03 01:52:21 +02:00
2df7887dda
NetworkManager/conf.d: add unbound.conf
For Unbound which I generally use, even while it requires dnssec-trigger
2020-01-02 15:32:50 +02:00
6ae87b6de8
etc/default/grub.d: add oldifnames.cfg
see comments of the file for reason
2019-12-30 16:24:42 +02:00
05ffc40c7d
xdg/autostart: add Mullvad-VPN gui 2019-12-28 19:27:52 +02:00
a6c5902c08
etc/default/grub: add random.trust_cpu=on
Possibly some help to boot time entropy exhaustion, but it may have been
enabled by default already.
2019-12-27 19:46:30 +02:00
b1f7177d7f
etc/xdg/autostart: add dino & jami 2019-12-24 16:58:45 +02:00
4e640e3d50
etc/xdg/autostart: add Riot & -many to Telegram 2019-12-23 12:49:05 +02:00
bc46ad3119
torrc-client: add port 9119 for http 2019-12-23 12:48:33 +02:00
0c4bacc1ca
etc/xdg/autostart: add Gajim & Signal 2019-12-21 18:54:02 +02:00
7541d93206
dns-over-tls.conf: update BlahDNS-JP addresses 2019-12-01 12:48:02 +02:00
10b1b8ad86
unbound/dot: fix outdated comment 2019-11-03 00:49:19 +02:00