.gitignore

@@ -19,7 +19,6 @@
 !.python-version
 !.renovate-shared.json*
 !.reuse
-!.wokeignore
 
 # Certificates (unlikely to happen, but better safe than sorry)
 *.pem

.pre-commit-config.yaml

@@ -9,6 +9,8 @@ ci:
 
 default_language_version:
   node: "lts"
+  # Remember .python-version !
+  python: "3.13"
   ruby: ".ruby-version"
 
 repos:
@@ -71,7 +73,7 @@ repos:
 
   # GitHub Actions etc. configuration validity checking
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.32.1
+    rev: 0.31.3
     hooks:
       #- id: check-jsonschema
       - id: check-dependabot

.python-version

@@ -0,0 +1 @@
+system

.wokeignore

@@ -1,17 +0,0 @@
-# ASCII armoured GPG content, I don't control words included.
-*.asc
-
-# When you become IRC operator on Charybdis IRCd, it will tell you:
-#   We would like to take this moment to remind you that we accept
-#   absolutely no liability for the INSANITY you're about to endure.
-# I think it's appropiate reminder for logging in as root (which people
-# shouldn't be doing, sudo logs superuser actions better) and thus I wish to
-# keep it in my configuration and I hope everyone doing system administration
-# understands it without getting upset. That is not to say I am not open for
-# alternatives, if you know of an more inclusive saying and are a person,
-# please contact me.
-rc/bashrc
-rc/zshrc
-
-# A certain CAPITALIZED word above is an issue.
-.wokeignore

conf/autoconfig.js

@@ -1,3 +1,5 @@
+/** @format */
+
 // This file belongs to Firefox `default/pref` directory.
 // E.g. /usr/lib64/firefox/defaults/pref/ or ~/.local/firefox/defaults/pref/
 

conf/autoconfig.js.online

@@ -1,12 +1,15 @@
+/** @format */
+
 // This file belongs to Firefox `default/pref` directory as `autoconfig.js`.
 // E.g. /usr/lib64/firefox/defaults/pref/autoconfig.js
 
 // WARNING: lockPref() IS NOT ALLOWED HERE!
 
-// prettier-ignore
-pref("autoadmin.global_config_url", "https://raw.githubusercontent.com/Mikaela/shell-things/refs/heads/cxefa/conf/firefox-forbidden-policies.js");
-// prettier-ignore
-//pref("autoadmin.global_config_url", "file:///home/aminda/public_html/autoconfig.js");
+//pref("autoadmin.global_config_url","https://codeberg.org/Aminda/shell-things/raw/branch/master/conf/firefox-forbidden-policies.js");
+pref(
+	"autoadmin.global_config_url",
+	"file:///home/aminda/public_html/autoconfig.js",
+);
 pref("general.config.obscure_value", 0);
 pref("autoadmin.refresh_interval", 120);
 pref("autoadmin.offline_failover", true);

conf/firefox-forbidden-policies.js

@@ -28,8 +28,6 @@ lockPref(
 	"font.name-list.monospace.x-western",
 	"Comic Shanns Mono, Roboto Mono, Liberation Mono, Noto Sans Mono, monospace",
 );
-// REMEMBER! OpenDyslexic won't work here for some reason, use the extension
-// once it returns to Firefox! https://github.com/OpenDyslexic/extension/issues/75
 lockPref(
 	"font.name-list.sans-serif.x-cyrillic",
 	"Inclusive Sans, Roboto, Liberation Sans, Noto Sans, sans-serif",
@@ -88,8 +86,5 @@ lockPref("sidebar.revamp", true);
 lockPref("sidebar.verticalTabs", true);
 lockPref("sidebar.visibility", "always-show");
 
-// Per process isolation
-lockPref("fission.autostart", true);
-
 // No making configuration on the last line of the file!
 //

etc/default/grub.d/itwjyg.cfg

@@ -1,5 +1,4 @@
 # Itwjyg is a MacBook 7,1, brcmsmac is the WLAN driver, Nouveau is the
 # driver that actually gets picture visible and I think nvidia is the
 # propietary driver that doesn't manage that.
-# wokeignore:rule=blacklist
 GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT brcmsmac nouveau module_blacklist=nvidia"

etc/dracut.conf.d/99-cmdline.conf.sedric

@@ -1,3 +1,2 @@
-# wokeignore:rule=blacklist
 kernel_cmdline="root=UUID=c3df30ca-878b-4125-bcb4-ba3ba4398efd rw rootflags=subvol=root rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-f9a33e19-4176-44b3-8e06-2ee7fb70f3d0 mitigations=auto,nosmt btusb.force_scofix=1 btusb.enable_autosuspend=0 cpufreq.default_governor=schedutil rd.driver.blacklist=nouveau modprobe.blacklist=nouveau"
 # vim: filetype=conf

etc/firefox/policies/policies.json

@@ -52,7 +52,7 @@
 					"advancedSettings": [
 						[
 							"filterAuthorMode",
-							"false"
+							"true"
 						],
 						[
 							"trustedListPrefixes",
@@ -102,7 +102,6 @@
 							"ublock-cookies-adguard",
 							"ublock-cookies-easylist",
 							"https://secure.fanboy.co.nz/fanboy-annoyance.txt",
-							"https://gitflic.ru/project/magnolia1234/bypass-paywalls-clean-filters/blob/raw?file=bpc-paywall-filter.txt",
 							"https://ads-for-open-source.readthedocs.io/en/latest/_static/lists/opensource-ads.txt"
 						]
 					},
@@ -119,10 +118,6 @@
 							"collapseBlocked",
 							"true"
 						],
-						[
-							"colorBlindFriendly",
-							"false"
-						],
 						[
 							"ignoreGenericCosmeticFilters",
 							"true"
@@ -219,42 +214,23 @@
 			"ATBC@EasonWong": {
 				"default_area": "menupanel",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/adaptive-tab-bar-colour/latest.xpi",
-				"installation_mode": "force_installed",
-				"private_browsing": true
+				"installation_mode": "normal_installed",
+				"private_browsing": false
 			},
 			"CanvasBlocker@kkapsner.de": {
-				"blocked_install_message": "Likely overlaps with JShelter in a negative way",
-				"comment": "Requested by LibreAwoo for those who don't have RFP/FPP, neither of which I can specify through this policy. Additionally its own description says compatible with the Firefox integrated one. Anyway I will probably unload it personally.",
+				"comment": "Requested by LibreAwoo for those who don't have RFP/FPP, neither of which I can specify through this policy. Additionally its own description says compatible with the Firefox integrated one.",
 				"default_area": "menupanel",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/canvasblocker/latest.xpi",
-				"installation_mode": "blocked",
+				"installation_mode": "normal_installed",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
 			"addon@darkreader.org": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi",
-				"installation_mode": "allowed",
+				"installation_mode": "normal_installed",
 				"private_browsing": true
 			},
-			"chrome-mask@overengineer.dev": {
-				"default_area": "navbar",
-				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/chrome-mask/latest.xpi",
-				"installation_mode": "force_installed",
-				"private_browsing": false
-			},
-			"goeuropean@example.com": {
-				"default_area": "navbar",
-				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/go-european/latest.xpi",
-				"installation_mode": "force_installed",
-				"private_browsing": false
-			},
-			"gps-detect@allanwirth.com": {
-				"default_area": "menupanel",
-				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/gpsdetect/latest.xpi",
-				"installation_mode": "force_installed",
-				"private_browsing": false
-			},
 			"ipvfoo@pmarks.net": {
 				"default_area": "menupanel",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/ipvfoo/latest.xpi",
@@ -262,12 +238,6 @@
 				"private_browsing": false,
 				"restricted_domains": []
 			},
-			"jid0-3GUEt1r69sQNSrca5p8kx9Ezc3U@jetpack": {
-				"default_area": "navbar",
-				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/terms-of-service-didnt-read/latest.xpi",
-				"installation_mode": "force_installed",
-				"private_browsing": false
-			},
 			"jid1-MnnxcxisBPnSXQ-eff@jetpack": {
 				"blocked_install_message": "Already installed from AMO",
 				"default_area": "navbar",
@@ -284,17 +254,11 @@
 				"private_browsing": true,
 				"restricted_domains": []
 			},
-			"jsr@javascriptrestrictor": {
-				"default_area": "navbar",
-				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/javascript-restrictor/latest.xpi",
-				"installation_mode": "allowed",
-				"private_browsing": true
-			},
 			"offline-qr-code@rugk.github.io": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/offline-qr-code-generator/latest.xpi",
 				"installation_mode": "force_installed",
-				"private_browsing": false,
+				"private_browsing": true,
 				"restricted_domains": []
 			},
 			"optout@google.com": {
@@ -321,7 +285,7 @@
 			"uBlock0@raymondhill.net": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
-				"installation_mode": "force_installed",
+				"installation_mode": "normal_installed",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
@@ -361,10 +325,6 @@
 				"private_browsing": true,
 				"restricted_domains": []
 			},
-			"{6003eac6-4b07-4aaf-960b-92fa006cd444}": {
-				"blocked_install_message": "AI hurts climate and the crawlers are DDoSing the internet",
-				"installation_mode": "blocked"
-			},
 			"{6a65273e-2b26-40f5-b66e-8eed317307da}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/new-tab-suspender/latest.xpi",
@@ -382,7 +342,7 @@
 			"{73a6fe31-595d-460b-a920-fcc0f8843232}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/noscript/latest.xpi",
-				"installation_mode": "allowed",
+				"installation_mode": "normal_installed",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
@@ -392,22 +352,16 @@
 				"installation_mode": "normal_installed",
 				"private_browsing": false
 			},
-			"{90b8ecca-860a-4f1c-8476-e181df2cf635}": {
-				"default_area": "navbar",
-				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/grayscale-bro/latest.xpi",
-				"installation_mode": "normal_installed",
-				"private_browsing": true
-			},
 			"{b11bea1f-a888-4332-8d8a-cec2be7d24b9}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/torproject-snowflake/latest.xpi",
 				"installation_mode": "normal_installed",
-				"private_browsing": false
+				"private_browsing": true
 			},
 			"{b86e4813-687a-43e6-ab65-0bde4ab75758}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/localcdn-fork-of-decentraleyes/latest.xpi",
-				"installation_mode": "allowed",
+				"installation_mode": "normal_installed",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
@@ -442,7 +396,7 @@
 		"LegacySameSiteCookieBehaviorEnabled": false,
 		"NetworkPrediction": false,
 		"NewTabPage": true,
-		"OverrideFirstRunPage": "about:mozilla|https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide|https://addons.mozilla.org/firefox/addon/noscript/",
+		"OverrideFirstRunPage": "about:mozilla|https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide",
 		"PDFjs": {
 			"EnablePermissions": false,
 			"Enabled": true
@@ -536,15 +490,16 @@
 				"Value": 0
 			},
 			"browser.ml.chat.enabled": {
-				"Comment": "Disable AI.",
-				"Status": "locked",
+				"Comment": "Disable AI by default.",
+				"Status": "default",
 				"Type": "boolean",
 				"Value": false
 			},
 			"browser.ml.chat.provider": {
-				"Status": "default",
+				"Comment": "Ask every time which AI to use, if enabled.",
+				"Status": "clear",
 				"Type": "string",
-				"Value": "https://chat.mistral.ai/chat"
+				"Value": "https://www.ecosia.org/chat"
 			},
 			"browser.preferences.moreFromMozilla": {
 				"Status": "default",
@@ -624,11 +579,6 @@
 				"Type": "boolean",
 				"Value": true
 			},
-			"browser.tabs.groups.smart.enabled": {
-				"Status": "default",
-				"Type": "boolean",
-				"Value": true
-			},
 			"browser.tabs.inTitlebar_commented": {
 				"Comment": "without _commented 0 enables system title bar and 2 is default.",
 				"Status": "default",
@@ -650,12 +600,6 @@
 				"Type": "boolean",
 				"Value": false
 			},
-			"browser.taskbarTabs.enabled": {
-				"Comment": "Rumoured PWA support",
-				"Status": "default",
-				"Type": "boolean",
-				"Value": true
-			},
 			"browser.translations.automaticallyPopup": {
 				"Status": "locked",
 				"Type": "boolean",
@@ -681,11 +625,6 @@
 				"Type": "boolean",
 				"Value": true
 			},
-			"browser.uidensity": {
-				"Status": "default",
-				"Type": "number",
-				"Value": 1
-			},
 			"browser.urlbar.trimHttps": {
 				"Status": "locked",
 				"Type": "boolean",
@@ -747,12 +686,6 @@
 				"Type": "string",
 				"Value": ""
 			},
-			"fission.autostart": {
-				"Comment": "Enable fission, site separation per process, security. Preference not allowed for stability reasons. :(",
-				"Status": "locked",
-				"Type": "boolean",
-				"Value": true
-			},
 			"general.config.obscure_value": {
 				"Comment": "Required for autoconfig.",
 				"Status": "locked",
@@ -776,12 +709,6 @@
 				"Type": "boolean",
 				"Value": false
 			},
-			"gfx.webrender.all": {
-				"Comment": "Enable fission, site separation per process, security",
-				"Status": "locked",
-				"Type": "boolean",
-				"Value": true
-			},
 			"image.animation.mode": {
 				"Comment": "Preference not allowed for stability reasons. :(",
 				"Status": "default",
@@ -844,14 +771,8 @@
 				"Type": "boolean",
 				"Value": false
 			},
-			"media.autoplay.blocking_policy": {
-				"Comment": "2 - Click to play media",
-				"Status": "default",
-				"Type": "number",
-				"Value": 2
-			},
 			"media.autoplay.default": {
-				"Comment": "5 blocks autoplay entirely (unless allowed per site from the navbar menu). 2 should open the prompt by default.",
+				"Comment": "Not even autoplaying silently?",
 				"Status": "default",
 				"Type": "number",
 				"Value": 5
@@ -1088,7 +1009,7 @@
 					"URLTemplate": "https://start.duckduckgo.com/?q={searchTerms}"
 				},
 				{
-					"Name": "Ecosia search",
+					"Name": "Ecosia",
 					"Alias": "e",
 					"Description": "Ecosia Search Engine",
 					"IconURL": "https://cdn-static.ecosia.org/static/icons/favicon.ico",
@@ -1123,13 +1044,11 @@
 					"URLTemplate": "https://search.brave.com/goggles?q={searchTerms}"
 				}
 			],
-			"Default": "Ecosia search"
+			"Default": "Ecosia"
 		},
 		"SearchSuggestEnabled": false,
 		"SecurityDevices": {
 			"Add": {
-				"Debian OpenSC onepin": "/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so",
-				"Fedora OpenSC onepin": "/usr/lib64/onepin-opensc-pkcs11.so",
 				"Fujitsu mPollux DigiSignApplication": "/usr/lib64/libcryptoki.so"
 			}
 		},

etc/init-browser-policies.bash

@@ -5,41 +5,16 @@ set -x
 
 # Require root or exit
 if [ "$(id -u)" != "0" ]; then
-	echo "This script requires root for managing /etc/..."
-
-	# Firefox Flatpak
-	mkdir -vp "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
-	mkdir -vp "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
-	cp -v firefox/policies/policies.json "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
-	cp -v firefox/policies/policies.json "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
-
-	# Chromium Flatpak
-	mkdir -vp "$HOME/.local/share/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/managed"
-	mkdir -vp "$HOME/.local/share/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/recommended"
-
-	echo "...but flatpaks were more or less handled."
-	exit 0
+	echo "This script requires root for managing /etc/" 1>&2
+	exit 1
 fi
 
-# TODO: Snap based browsers or at least Firefox can supposedly run with less
-# snap sandboxing. Consider these if need arises:
-# sudo snap set firefox confinement=classic
-# https://bugs.launchpad.net/snapd/+bug/1972762
-# sudo snap connect {firefox,chromium,vivaldi}:pcscd
-#
-# OFFTOPIC TODO: more flatseal style management is coming, consider
-# snap refresh snapd --channel=candidate
-# snap install desktop-security-center
-# snap install prompting-client
-# https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963?p-119405-enabling-the-feature
-
 # Firefox and LibreWolf (caution! https://codeberg.org/librewolf/issues/issues/1767)
 mkdir -vp /etc/firefox/policies
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/firefox/policies
+setfacl --recursive --modify=u:root:rwX,o:rX /etc/firefox/policies
 chmod -v a+rx /etc/firefox/
 chmod -v a+rx /etc/firefox/policies/
-#touch /etc/firefox/policies/policies.json
-cp -v firefox/policies/policies.json /etc/firefox/policies/policies.json
+touch /etc/firefox/policies/policies.json
 chmod -v a+r /etc/firefox/policies/policies.json
 printf "WARNING! LibreWolf default profile may be masked!\nhttps://codeberg.org/librewolf/issues/issues/1767\n"
 
@@ -56,57 +31,35 @@ ln -nsfv /etc/firefox /etc/firefox-esr
 
 # Chromium
 mkdir -vp /etc/opt/chromium/policies/{managed,recommended}
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/opt/chromium/policies
+setfacl --recursive --modify=u:root:rwX,o:rX /etc/firefox/policies
 chmod -v a+rx /etc/opt/chromium/policies/
 chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/
-# Chromium snap
-mkdir -p /etc/chromium-browser
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/chromium-browser
-ln -nsfv /etc/opt/chromium/policies /etc/chromium-browser/policies
 
 # Brave
 mkdir -p /etc/brave
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/brave
+setfacl --recursive --modify=u:root:rwX,o:rX /etc/brave
 ln -nsfv /etc/opt/chromium/policies /etc/brave/policies
 
 # Vivaldi
 mkdir -p /etc/chromium
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/chromium
+setfacl --recursive --modify=u:root:rwX,o:rX /etc/chromium
 ln -nsfv /etc/opt/chromium/policies /etc/chromium/policies
 
 # Google Chrome
 mkdir -p /etc/opt/chrome
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/opt/chrome
+setfacl --recursive --modify=u:root:rwX,o:rX /etc/opt/chrome
 ln -nsfv /etc/opt/chromium/policies /etc/opt/chrome/policies
 
 # Naggig suspicion of another Google Chrome
 mkdir -p /etc/chrome
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/chrome
+setfacl --recursive --modify=u:root:rwX,o:rX /etc/chrome
 ln -nsfv /etc/opt/chromium/policies /etc/chrome/policies
 
 # Microsoft Edge
 # I used to have a separate policy for it so remember to remove this manually
 # if it exists!
 mkdir -p /etc/opt/edge
-setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/opt/edge
+setfacl --recursive --modify=u:root:rwX,o:rX /etc/opt/edge
 ln -nsfv /etc/opt/chromium/policies /etc/opt/edge/policies
 
-# Firefox Flatpak
-mkdir -vp "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
-mkdir -vp "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
-#cp -v /etc/firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
-#cp -v /etc/firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
-cp -v firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
-cp -v firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
-
-# Firefox flatpak autoconfig
-cp -v ../conf/autoconfig.js.online /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/defaults/pref/autoconfig.js
-#cp -v ../conf/firefox-forbidden-policies.js /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/
-chmod -v a+r /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/defaults/pref/autoconfig.js
-chmod -v a+r /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/firefox-forbidden-policies.js
-
-# Chromium Flatpak
-mkdir -vp "/var/lib/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/"
-cp -rv /etc/opt/chromium/policies/ "/var/lib/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/"
-
 set +x

etc/modprobe.d/blacklist-hdmi-audio.conf

@@ -1,4 +1,3 @@
 # Prevents HDMI driver from getting loaded and thus it appearing in
 # pavucontrol. Source: https://askubuntu.com/a/1127760
-# wokeignore:rule=blacklist
 blacklist snd_hda_codec_hdmi

etc/opt/chromium/policies/managed/aminda-extensions.json

@@ -11,7 +11,7 @@
 				"advancedSettings": [
 					[
 						"filterAuthorMode",
-						"false"
+						"true"
 					],
 					[
 						"trustedListPrefixes",
@@ -61,7 +61,6 @@
 						"ublock-cookies-adguard",
 						"ublock-cookies-easylist",
 						"https://secure.fanboy.co.nz/fanboy-annoyance.txt",
-						"https://gitflic.ru/project/magnolia1234/bypass-paywalls-clean-filters/blob/raw?file=bpc-paywall-filter.txt",
 						"https://ads-for-open-source.readthedocs.io/en/latest/_static/lists/opensource-ads.txt"
 					]
 				},
@@ -78,10 +77,6 @@
 						"collapseBlocked",
 						"true"
 					],
-					[
-						"colorBlindFriendly",
-						"false"
-					],
 					[
 						"ignoreGenericCosmeticFilters",
 						"true"
@@ -123,6 +118,20 @@
 					"+annoyances-overlays"
 				]
 			},
+			"mlojlfildnehdpnlmpkeiiglhhkofhpb": {
+				"toAdd": {
+					"trustedSiteDirectives": [
+						""
+					]
+				},
+				"toOverwrite": {
+					"filterLists": [
+						"easylist",
+						"adnauseam-filters",
+						"eff-dnt-whitelist"
+					]
+				}
+			},
 			"nngceckbapebfimnlniiiahkandclblb": {
 				"environment": {
 					"base": "https://vault.bitwarden.eu",
@@ -183,12 +192,6 @@
 			"toolbar_pin": "default_unpinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
-		"ammoloihpcbognfddfjcljgembpibcmb": {
-			"installation_mode": "allowed",
-			"override_update_url": true,
-			"toolbar_pin": "force_pinned",
-			"update_url": "https://clients2.google.com/service/update2/crx"
-		},
 		"cbimgpnbgalffiohilfglgkkhpegpjlo": {
 			"installation_mode": "normal_installed",
 			"override_update_url": true,
@@ -220,7 +223,7 @@
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
 		"doojmbjmlfjjnbmnoijecmcbfeoakpjm": {
-			"installation_mode": "allowed",
+			"installation_mode": "normal_installed",
 			"override_update_url": true,
 			"toolbar_pin": "force_pinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
@@ -232,7 +235,7 @@
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
 		"eimadpbcbfnmbkopoojfekhnkhdbieeh": {
-			"installation_mode": "allowed",
+			"installation_mode": "normal_installed",
 			"override_update_url": true,
 			"toolbar_pin": "force_pinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
@@ -272,24 +275,12 @@
 			"toolbar_pin": "force_pinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
-		"hjdoplcnndgiblooccencgcggcoihigg": {
-			"installation_mode": "force_installed",
-			"override_update_url": true,
-			"toolbar_pin": "force_pinned",
-			"update_url": "https://clients2.google.com/service/update2/crx"
-		},
 		"hojggiaghnldpcknpbciehjcaoafceil": {
 			"installation_mode": "normal_installed",
 			"override_update_url": true,
 			"toolbar_pin": "default_unpinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
-		"klmgadmgadfhjgomffmpamppmkajdloc": {
-			"installation_mode": "force_installed",
-			"override_update_url": true,
-			"toolbar_pin": "force_pinned",
-			"update_url": "https://clients2.google.com/service/update2/crx"
-		},
 		"mafpmfcccpbjnhfhjnllmmalhifmlcie": {
 			"installation_mode": "normal_installed",
 			"override_update_url": true,
@@ -325,12 +316,6 @@
 			"toolbar_pin": "default_unpinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
-		"pbnndmlekkboofhnbonilimejonapojg": {
-			"installation_mode": "normal_installed",
-			"override_update_url": true,
-			"toolbar_pin": "force_pinned",
-			"update_url": "https://clients2.google.com/service/update2/crx"
-		},
 		"pkehgijcmpdhfbdbbnkijodmdjhbjlgp": {
 			"installation_mode": "force_installed",
 			"override_update_url": true,

etc/opt/chromium/policies/managed/aminda-extensions.tsv

@@ -1,6 +1,5 @@
 ID	Name	Comment
 ajhmfdgkijocedmfjonnpjfojldioehi	Silk	
-ammoloihpcbognfddfjcljgembpibcmb	JShelter	
 bkdgflcldnnnapblkhphbgpggdiikppg	DuckDuckGo	
 caoacbimdbbljakfhgikoodekdnlcgpk	DuckDuckGo	
 cbimgpnbgalffiohilfglgkkhpegpjlo	QR Code	
@@ -17,10 +16,8 @@ fpnmgdkabkmnadcjpehmlllkndpkmiak	Wayback Machine
 gbiekjoijknlhijdjbaadobpkdhmoebb	Google IBA opt-out	Preparing for eventuality of Google killing adblockers by opting into non-targeted ads instead.
 gecgipfabdickgidpmbicneamekgbaej	Chrome Apps Launcher	BLOCKED. It means the ages ago deprecated Chrome apps, not PWAs.
 hgcomhbcacfkpffiphlmnlhpppcjgmbl	HTTP Indicator	
-hjdoplcnndgiblooccencgcggcoihigg	Terms of Service; Didn’t Read	
 hojggiaghnldpcknpbciehjcaoafceil	Fedora User Agent	
 iimpkhokkfekbpmoamlmcndclohnehhk	IPVFooBar	ManifestV2 unlike original IPvFoo
-klmgadmgadfhjgomffmpamppmkajdloc	Go European	
 mafpmfcccpbjnhfhjnllmmalhifmlcie	Tor Snowflake	
 mlojlfildnehdpnlmpkeiiglhhkofhpb	AdNauseam	
 mlojlfildnehdpnlmpkeiiglhhkofhpb	Ad Nauseam	
@@ -29,5 +26,4 @@ nngceckbapebfimnlniiiahkandclblb	Bitwarden
 obpoeflheeknapimliioeoefbfaakefn	Regrets Reporter	
 odfafepnkmbhccpbejgmiehpchacaeak	uBlock Origin	
 palihjnakafgffnompkdfgbgdbcagbko	UpdateSWH	
-pbnndmlekkboofhnbonilimejonapojg	Midnight Lizard	currently ManifestV2
 pkehgijcmpdhfbdbbnkijodmdjhbjlgp	PrivacyBadger	

etc/opt/chromium/policies/managed/generative-ai.json

@@ -0,0 +1,6 @@
+{
+	"CreateThemesSettings": 1,
+	"GenAILocalFoundationalModelSettings": 0,
+	"HelpMeWriteSettings": 1,
+	"TabOrganizerSettings": 1
+}

etc/opt/chromium/policies/recommended/ecosia.json

@@ -2,7 +2,7 @@
 	"DefaultSearchProviderEnabled": true,
 	"DefaultSearchProviderImageURL": "https://cdn-static.ecosia.org/static/icons/favicon.ico",
 	"DefaultSearchProviderKeyword": "e",
-	"DefaultSearchProviderName": "Ecosia search",
+	"DefaultSearchProviderName": "Ecosia",
 	"DefaultSearchProviderNewTabURL": "https://www.ecosia.org/newtab/?addon=chromegpo",
 	"DefaultSearchProviderSearchURL": "https://www.ecosia.org/search?q={searchTerms}&addon=chromegpo",
 	"DefaultSearchProviderSuggestURL": "https://ac.ecosia.org/autocomplete?q={searchTerms}",

etc/resolv.tsv

@@ -26,10 +26,10 @@ Mullvad All	https://all.dns.mullvad.net/dns-query	all.dns.mullvad.net	2a07:e340:
 Mullvad Base	https://base.dns.mullvad.net/dns-query	base.dns.mullvad.net	2a07:e340::4		194.242.2.4		https://github.com/mullvad/encrypted-dns-profiles		
 Mullvad Extended	https://extended.dns.mullvad.net/dns-query	extended.dns.mullvad.net	2a07:e340::5		194.242.2.5		https://github.com/mullvad/encrypted-dns-profiles		
 Mullvad Vanilla	https://dns.mullvad.net/dns-query	dns.mullvad.net	2a07:e340::2		194.242.2.2		https://github.com/mullvad/encrypted-dns-profiles	No 2023-03-11	I tested with https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/dns-ecs-debug.bash
-NextDNS	https://dns.nextdns.io	dns.nextdns.io	2a07:a8c1::	2a07:a8c0::	45.90.30.0	45.90.28.0	https://apple.nextdns.io/	opt-in, private, upstream inclusion list	https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5
+NextDNS	https://dns.nextdns.io	dns.nextdns.io	2a07:a8c1::	2a07:a8c0::	45.90.30.0	45.90.28.0	https://apple.nextdns.io/	opt-in, private, upstream whitelist	https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5
 NextDNS Firefox	https://firefox.dns.nextdns.io							no	
-OpenDNS	https://doh.opendns.com/dns-query	dns.opendns.com ? (#127)	2620:119:35::35	2620:119:53::53	208.67.222.222	208.67.220.220		yes, upstream inclusion list	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
-OpenDNS Family	https://doh.familyshield.opendns.com/dns-query				208.67.222.123	208.67.220.123		yes, upstream inclusion list	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
+OpenDNS	https://doh.opendns.com/dns-query	dns.opendns.com ? (#127)	2620:119:35::35	2620:119:53::53	208.67.222.222	208.67.220.220		yes, upstream whitelist	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
+OpenDNS Family	https://doh.familyshield.opendns.com/dns-query				208.67.222.123	208.67.220.123		yes, upstream whitelist	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
 Quad9 (Secure)	https://dns.quad9.net/dns-query	dns.quad9.net	2620:fe::fe	2620:fe::9	9.9.9.9	149.112.112.112	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	no	https://www.quad9.net/support/faq/#edns
 Quad9-10 (No Threat Blocking)	https://dns10.quad9.net/dns-query	dns10.quad9.net	2620:fe::10	2620:fe::fe:10	9.9.9.10	149.112.112.10	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	no	https://docs.quad9.net/services/
 Quad9-11 (Secure + ECS)	https://dns11.quad9.net/dns-query	dns11.quad9.net	2620:fe::11	2620:fe::fe:11	9.9.9.11	149.112.112.11	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	yes	https://www.quad9.net/support/faq/#edns

etc/systemd/resolved.conf.d/10-dot-quad9.conf

@@ -3,14 +3,14 @@
 # encryption, but host a Quad9 node and giving these addresses instead.
 [Resolve]
 # Secure
-DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
-DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
+#DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
+#DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
 # No Threat Blocking
 #DNS=2620:fe::10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net [2620:fe::10]:8853#dns10.quad9.net [2620:fe::fe:10]:8853#dns10.quad9.net
 #DNS=149.112.112.10#dns10.quad9.net 9.9.9.10#dns10.quad9.net 149.112.112.10:8853#dns10.quad9.net 9.9.9.10:8853#dns10.quad9.net
 # Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.
-#DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
-#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
+DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
+DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
 # No Threat Blocking + ECS
 #DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
 #DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net

etc/unbound/unbound.conf.d/.gitignore

@@ -1,4 +1,4 @@
-dot-.conf
 dot-nextdns.conf
 dot-trex.conf
 cache.conf
+dot-adguard-dns0.conf

etc/unbound/unbound.conf.d/dns-over-tls.conf

@@ -9,16 +9,11 @@ server:
 	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
 	qname-minimisation: no
 
-# This file keeps changing purpose between being just for my travel laptop
-# and sometimes helps when I cannot decide what is important in a DNS server.
-
-# - applied-privacy.net provides DoT over 443 and tells you to use multiple
-#   servers for redundancy.
-# - cloudflare-dns.com contributes to https://radar.cloudflare.com which gets
-#   used by many others including PrivacyBadger most popular domains for its
-#   badgersett pretraining
-# - dns0.eu provides servers located only in the EU and private ECS
-# - adguard-dns.com provides private ECS around the world
+# This list is for my travel laptop to have at least one DoT443 server
+# which seems to be applied-privacy.net. They advice having multiple DoT servers
+# for redundancy and as they don't filter, it's best I use other non-filtering ones.
+# Since then this expanded to include <https://www.privacyguides.org/en/dns/>.
+# just look at git blame...
 
 forward-zone:
 	name: "."
@@ -27,8 +22,8 @@ forward-zone:
 	# https://appliedprivacy.net/services/dns/ - Vienna, Austria, no ECS
 	forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net
 	forward-addr: 146.255.56.98@443#dot1.applied-privacy.net
-	#forward-addr: 2a02:1b8:10:234::2@853#dot1.applied-privacy.net
-	#forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
+	forward-addr: 2a02:1b8:10:234::2@853#dot1.applied-privacy.net
+	forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
 
 	# Cloudflare unfiltered, anycast, no ECS
 	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
@@ -37,34 +32,24 @@ forward-zone:
 	forward-addr: 1.0.0.1@853#cloudflare-dns.com
 
 	# Mullvad unfiltered, Anycast Sweden, no ECS
-	#forward-addr: 194.242.2.2@853#dns.mullvad.net
-	#forward-addr: 2a07:e340::2@853#dns.mullvad.net
+	forward-addr: 194.242.2.2@853#dns.mullvad.net
+	forward-addr: 2a07:e340::2@853#dns.mullvad.net
 
 	# Control D Free DNS unfilterd, anycast, no ECS
-	#forward-addr: 76.76.2.0@853#p0.freedns.controld.com
-	#forward-addr: 2606:1a40::@853#s0.freedns.controld.com
-	#forward-addr: 76.76.10.0@853#p0.freedns.controld.com
-	#forward-addr: 2606:1a40:1::@853#s0.freedns.controld.com
+	forward-addr: 76.76.2.0@853#p0.freedns.controld.com
+	forward-addr: 2606:1a40::@853#s0.freedns.controld.com
+	forward-addr: 76.76.10.0@853#p0.freedns.controld.com
+	forward-addr: 2606:1a40:1::@853#s0.freedns.controld.com
 
 	# Quad9 unfiltered, anycast, no ECS, no DNSSEC (Unbound does that)
-	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
-	#forward-addr: 149.112.112.10@853#dns10.quad9.net
-	#forward-addr: 149.112.112.10@8853#dns10.quad9.net
-	#forward-addr: 2620:fe::10@853#dns10.quad9.net
-	#forward-addr: 2620:fe::10@8853#dns10.quad9.net
-	#forward-addr: 9.9.9.10@853#dns10.quad9.net
-	#forward-addr: 9.9.9.10@8853#dns10.quad9.net
-
-	# Quad9 unfiltered, anycast, ECS, no DNSSEC (Unbound does that)
-	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
-	forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
-	#forward-addr: 9.9.9.12@853#dns12.quad9.net
-	forward-addr: 9.9.9.12@8853#dns12.quad9.net
-	#forward-addr: 2620:fe::12@853#dns12.quad9.net
-	forward-addr: 2620:fe::12@8853#dns12.quad9.net
-	#forward-addr: 149.112.112.12@853#dns12.quad9.net
-	forward-addr: 149.112.112.12@8853#dns12.quad9.net
+	forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
+	forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
+	forward-addr: 149.112.112.10@853#dns10.quad9.net
+	forward-addr: 149.112.112.10@8853#dns10.quad9.net
+	forward-addr: 2620:fe::10@853#dns10.quad9.net
+	forward-addr: 2620:fe::10@8853#dns10.quad9.net
+	forward-addr: 9.9.9.10@853#dns10.quad9.net
+	forward-addr: 9.9.9.10@8853#dns10.quad9.net
 
 	# https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS
 	forward-addr: 193.110.81.254@853#open.dns0.eu

etc/unbound/unbound.conf.d/dot-.conf

@@ -1 +0,0 @@
-dns-over-tls.conf

etc/unbound/unbound.conf.d/dot-adguard-dns0.conf

@@ -0,0 +1 @@
+dot-private-ecs.conf

etc/unbound/unbound.conf.d/dot-dns0-quad9.conf

@@ -0,0 +1,33 @@
+# This is a merging of dot-dns0.conf & dot-quad9.conf with weight on DNS0
+# IPv4 and when using IPv6, Quad9 Secure with ECS. IPv6 private ECS is
+# horribly inaccurate and I have minor leaning towards having ECS enabled.
+# Private ECS is a compromise between privacy and local destinations.
+#
+# Both are filtering DNS servers, so this brings risk of something being
+# blocked by only one of them. However both are non-profits and have servers
+# in Finland.
+
+server:
+	# Debian ca-certificates location
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	# Fedora
+	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
+
+forward-zone:
+	name: "."
+	forward-tls-upstream: yes
+## DNS0.eu IPv4 Default
+	forward-addr: 193.110.81.0@853#dns0.eu
+	forward-addr: 185.253.5.0@853#dns0.eu
+## Quad9 IPv6 Secure + ECS
+	forward-addr: 2620:fe::11@8853#dns11.quad9.net
+	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+	forward-addr: 2620:fe::11@853#dns11.quad9.net
+	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-fluhable-cache.conf.badidea

@@ -0,0 +1,33 @@
+# NOTE! Requires Unbound 1.7.3 or newer!
+# Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html
+
+server:
+	# Debian ca-certificates location
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	# Fedora location
+	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
+
+# DNS servers that have public button for flushing cache. Privacy not considered.
+
+forward-zone:
+	name: "."
+	forward-tls-upstream: yes
+
+	# Cloudflare / https://1.1.1.1/purge-cache/
+	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
+	forward-addr: 1.1.1.1@853#cloudflare-dns.com
+	forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
+	forward-addr: 1.0.0.1@853#cloudflare-dns.com
+
+	# Google / https://dns.google/cache
+	forward-addr: 8.8.8.8@853#dns.google
+	forward-addr: 8.8.4.4@853#dns.google
+	forward-addr: 2001:4860:4860::8888@853#dns.google
+	forward-addr: 2001:4860:4860::8844@853#dns.google
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-private-ecs.conf

@@ -0,0 +1,26 @@
+server:
+	# Debian ca-certificates location
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	# Fedora
+	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
+# AdGuard Public DNS without filtering.
+forward-zone:
+	name: "."
+	forward-tls-upstream: yes
+	# AdGuard Public DNS without filtering
+	forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
+	# DNS0.eu without filtering
+	forward-addr: 193.110.81.254@853#open.dns0.eu
+	forward-addr: 185.253.5.254@853#open.dns0.eu
+	forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
+	forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-provider-zones.conf.badidea

@@ -0,0 +1,86 @@
+# This file attempts to send zones belonging to DNS operators to their DNS servers.
+# Inclusion criteria: I know and use the service.
+
+server:
+	# Debian ca-certificates location
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	# Fedora
+	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
+
+forward-zone:
+	name: "google"
+	forward-tls-upstream: yes
+	# Must be explicit forward-addr for dns.google to be found
+	forward-addr: 2001:4860:4860::8844@853#dns.google
+	forward-addr: 2001:4860:4860::8888@853#dns.google
+	forward-addr: 8.8.4.4@853#dns.google
+	forward-addr: 8.8.8.8@853#dns.google
+
+forward-zone:
+	name: "google.fi"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+forward-zone:
+	name: "google.com"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+forward-zone:
+	name: "youtube.com"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+forward-zone:
+	name: "youtube-nocookie.com"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+forward-zone:
+	name: "youtu.be"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+forward-zone:
+	name: "googlevideo.com"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+forward-zone:
+	name: "ytimg.com"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+# forward-zone:
+# 	name: "googleusercontent.com"
+# 	forward-tls-upstream: yes
+#	forward-host: dns.google@853#dns.google
+
+
+forward-zone:
+	name: "gstatic.com"
+	forward-tls-upstream: yes
+	forward-host: dns.google@853#dns.google
+
+forward-zone:
+	name: "cloudflare-dns.com"
+	# Must be explicit for forward-addr
+	forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
+	forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
+	forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
+	forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
+
+forward-zone:
+	name: "cloudflare.com"
+	forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
+
+forward-zone:
+	name: "one.one"
+	forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-quad9.conf

@@ -17,14 +17,14 @@ forward-zone:
 	name: "."
 	forward-tls-upstream: yes
 	## Secure
-	forward-addr: 2620:fe::fe@853#dns.quad9.net
-	forward-addr: 2620:fe::fe@8853#dns.quad9.net
-	forward-addr: 2620:fe::9@853#dns.quad9.net
-	forward-addr: 2620:fe::9@8853#dns.quad9.net
-	forward-addr: 9.9.9.9@853#dns.quad9.net
-	forward-addr: 9.9.9.9@8853#dns.quad9.net
-	forward-addr: 149.112.112.112@853#dns.quad9.net
-	forward-addr: 149.112.112.112@8853#dns.quad9.net
+	#forward-addr: 2620:fe::fe@853#dns.quad9.net
+	#forward-addr: 2620:fe::fe@8853#dns.quad9.net
+	#forward-addr: 2620:fe::9@853#dns.quad9.net
+	#forward-addr: 2620:fe::9@8853#dns.quad9.net
+	#forward-addr: 9.9.9.9@853#dns.quad9.net
+	#forward-addr: 9.9.9.9@8853#dns.quad9.net
+	#forward-addr: 149.112.112.112@853#dns.quad9.net
+	#forward-addr: 149.112.112.112@8853#dns.quad9.net
 	## No Threat Blocking
 	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
 	#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
@@ -35,14 +35,14 @@ forward-zone:
 	#forward-addr: 9.9.9.10@853#dns10.quad9.net
 	#forward-addr: 9.9.9.10@8853#dns10.quad9.net
 	## Secure + ECS
-	#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
-	#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
-	#forward-addr: 9.9.9.11@853#dns11.quad9.net
-	#forward-addr: 9.9.9.11@8853#dns11.quad9.net
-	#forward-addr: 2620:fe::11@853#dns11.quad9.net
-	#forward-addr: 2620:fe::11@8853#dns11.quad9.net
-	#forward-addr: 149.112.112.11@853#dns11.quad9.net
-	#forward-addr: 149.112.112.11@8853#dns11.quad9.net
+	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+	forward-addr: 9.9.9.11@853#dns11.quad9.net
+	forward-addr: 9.9.9.11@8853#dns11.quad9.net
+	forward-addr: 2620:fe::11@853#dns11.quad9.net
+	forward-addr: 2620:fe::11@8853#dns11.quad9.net
+	forward-addr: 149.112.112.11@853#dns11.quad9.net
+	forward-addr: 149.112.112.11@8853#dns11.quad9.net
 	## No Threat Blocking + ECS
 	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
 	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net

etc/unbound/unbound.conf.d/ecs.conf.sample

@@ -0,0 +1,18 @@
+# This will only affect servers that are accessed with public IP address!
+server:
+#module-config: "ipsecmod validator iterator"
+# subnetcache must be loaded for ecs
+module-config: "subnetcache validator iterator"
+# Send ECS everywhere always
+client-subnet-zone: "."
+client-subnet-always-forward: yes
+# Send different subnet size
+#max-client-subnet-ipv6: "16"
+#max-client-subnet-ipv4: "0"
+
+# IP address to send client subnets TO. Optionally /CIDR can be appended.
+# This actually means AUTHORITY servers!
+#send-client-subnet:
+#send-client-subnet:
+
+# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/well-known-dns.conf.badidea

@@ -0,0 +1,89 @@
+# The point of this file is to have these domains just work without having
+# to send queries, even if they are queried by web browser.
+server:
+# Quad9 Secure
+	local-zone: "dns.quad9.net." typetransparent
+	local-data: "dns.quad9.net. A 9.9.9.9"
+	local-data: "dns.quad9.net. A 149.112.112.112"
+	local-data: "dns.quad9.net. AAAA 2620:fe::fe"
+	local-data: "dns.quad9.net. AAAA 2620:fe::9"
+# Quad9 No Threat Blocking
+	local-zone: "dns10.quad9.net." typetransparent
+	local-data: "dns10.quad9.net. A 9.9.9.10"
+	local-data: "dns10.quad9.net. A 149.112.112.10"
+	local-data: "dns10.quad9.net. AAAA 2620:fe::10"
+	local-data: "dns10.quad9.net. AAAA 2620:fe::fe:10"
+# Quad9 Secure + ECS
+	local-zone: "dns11.quad9.net." typetransparent
+	local-data: "dns11.quad9.net. A 9.9.9.11"
+	local-data: "dns11.quad9.net. A 149.112.112.11"
+	local-data: "dns11.quad9.net. AAAA 2620:fe::11"
+	local-data: "dns11.quad9.net. AAAA 2620:fe::fe:11"
+# Quad9 No Threat Blocking + ECS
+	local-zone: "dns12.quad9.net." typetransparent
+	local-data: "dns12.quad9.net. A 9.9.9.12"
+	local-data: "dns12.quad9.net. A 149.112.112.12"
+	local-data: "dns12.quad9.net. AAAA 2620:fe::12"
+	local-data: "dns12.quad9.net. AAAA 2620:fe::fe:12"
+# DNS0 default
+	local-zone: "dns0.eu." typetransparent
+	local-data: "dns0.eu. A 193.110.81.0"
+	local-data: "dns0.eu. A 185.253.5.0"
+	local-data: "dns0.eu. AAAA 2a0f:fc80::"
+	local-data: "dns0.eu. AAAA 2a0f:fc81::"
+# DNS0 Zero
+	local-zone: "zero.dns0.eu." typetransparent
+	local-data: "zero.dns0.eu. A 193.110.81.9"
+	local-data: "zero.dns0.eu. A 185.253.5.9"
+	local-data: "zero.dns0.eu. AAAA 2a0f:fc80::9"
+	local-data: "zero.dns0.eu. AAAA 2a0f:fc81::9"
+# DNS0 Kids
+	local-zone: "kids.dns0.eu." typetransparent
+	local-data: "kids.dns0.eu. A 193.110.81.1"
+	local-data: "kids.dns0.eu. A 185.253.5.1"
+	local-data: "kids.dns0.eu. AAAA 2a0f:fc80::1"
+	local-data: "kids.dns0.eu. AAAA 2a0f:fc81::1"
+# DNS0 Open
+	local-zone: "open.dns0.eu." typetransparent
+	local-data: "open.dns0.eu. A 193.110.81.254"
+	local-data: "open.dns0.eu. A 185.253.5.254"
+	local-data: "open.dns0.eu. AAAA 2a0f:fc80::ffff"
+	local-data: "open.dns0.eu. AAAA 2a0f:fc81::ffff"
+# Cloudflare
+	local-zone: "cloudflare-dns.com." typetransparent
+	local-data: "cloudflare-dns.com. A 1.1.1.1"
+	local-data: "cloudflare-dns.com. A 1.0.0.1"
+	local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1111"
+	local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1001"
+	local-zone: "one.one.one.one." typetransparent
+	local-data: "one.one.one.one. CNAME cloudflare-dns.com."
+# Cloudflare Malware blocking
+	local-zone: "security.cloudflare-dns.com." typetransparent
+	local-data: "security.cloudflare-dns.com. A 1.1.1.2"
+	local-data: "security.cloudflare-dns.com. A 1.0.0.2"
+	local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1112"
+	local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1002"
+# Mullvad ad, tracker & malware block
+	local-zone: "base.dns.mullvad.net." typetransparent
+	local-data: "base.dns.mullvad.net. A 194.242.2.4"
+	local-data: "base.dns.mullvad.net. AAAA 2a07:e340::4"
+# AdGuard Default
+	local-zone: "dns.adguard-dns.com." typetransparent
+	local-data: "dns.adguard-dns.com. A 94.140.14.14"
+	local-data: "dns.adguard-dns.com. A 94.140.15.15"
+	local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad1:ff"
+	local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad2:ff"
+# Google DNS
+	local-zone: "dns.google." typetransparent
+	local-data: "dns.google. A 8.8.8.8"
+	local-data: "dns.google. A 8.8.4.4"
+	local-data: "dns.google. AAAA 2001:4860:4860::8888"
+	local-data: "dns.google. AAAA 2001:4860:4860::8844"
+	local-zone: "dns.google.com." typetransparent
+	local-data: "dns.google.com. CNAME dns.google."
+# Google DNS64
+	local-zone: "dns64.dns.google." typetransparent
+	local-data: "dns64.dns.google. AAAA 2001:4860:4860::6464"
+	local-data: "dns64.dns.google. AAAA 2001:4860:4860::64"
+
+# vim: filetype=unbound.conf

package.json

@@ -1,14 +1,13 @@
 {
 	"devDependencies": {
-		"@aminda/global-prettier-config": "2025.13.0",
+		"@aminda/global-prettier-config": "2025.10.0",
 		"@prettier/plugin-ruby": "4.0.4",
 		"@prettier/plugin-xml": "3.4.1",
-		"corepack": "latest",
 		"prettier": "3.5.3",
 		"prettier-plugin-nginx": "1.0.3",
 		"prettier-plugin-sh": "0.15.0",
 		"prettier-plugin-toml": "2.0.2"
 	},
-	"packageManager": "pnpm@10.6.5+sha512.cdf928fca20832cd59ec53826492b7dc25dc524d4370b6b4adbf65803d32efaa6c1c88147c0ae4e8d579a6c9eec715757b50d4fa35eea179d868eada4ed043af",
+	"packageManager": "pnpm@10.6.2+sha512.47870716bea1572b53df34ad8647b42962bc790ce2bf4562ba0f643237d7302a3d6a8ecef9e4bdfc01d23af1969aa90485d4cebb0b9638fa5ef1daef656f6c1b",
 	"prettier": "@aminda/global-prettier-config"
 }

pnpm-lock.yaml

@@ -8,17 +8,14 @@ importers:
   .:
     devDependencies:
       "@aminda/global-prettier-config":
-        specifier: 2025.13.0
-        version: 2025.13.0
+        specifier: 2025.10.0
+        version: 2025.10.0
       "@prettier/plugin-ruby":
         specifier: 4.0.4
         version: 4.0.4(prettier@3.5.3)
       "@prettier/plugin-xml":
         specifier: 3.4.1
         version: 3.4.1(prettier@3.5.3)
-      corepack:
-        specifier: latest
-        version: 0.32.0
       prettier:
         specifier: 3.5.3
         version: 3.5.3
@@ -33,10 +30,10 @@ importers:
         version: 2.0.2(prettier@3.5.3)
 
 packages:
-  "@aminda/global-prettier-config@2025.13.0":
+  "@aminda/global-prettier-config@2025.10.0":
     resolution:
       {
-        integrity: sha512-1yRmlX7lrBu41eu7dcAF17fTYdbnTYp6o1zRKGUVku6ddz9rp0cjCw4QK1oNrUq7KU0GAAlxQtDfw0WlOzJw+A==,
+        integrity: sha512-7M2TWWTZDU6rU0AkcNeFSILuvh8lT3Mr0TAl/ZVctYWgWuzOzyRVZySwStl4o3Oj2QMCEEEky5wzJO8540rq1Q==,
       }
 
   "@prettier/plugin-ruby@4.0.4":
@@ -79,14 +76,6 @@ packages:
         integrity: sha512-wy3mC1x4ye+O+QkEinVJkPf5u2vsrDIYW9G7ZuwFl6v/Yu0LwUuT2POsb+NUWApebyxfkQq6+yDfRExbnI5rcw==,
       }
 
-  corepack@0.32.0:
-    resolution:
-      {
-        integrity: sha512-KhahVUFy7xL8OTty/ToY646hXMQhih8rnvUkA9/qnk/u4QUF2+SbQneX/zZnDxG1NiABFm5ojZCWnIv93oyhhQ==,
-      }
-    engines: { node: ^18.17.1 || ^20.10.0 || >=22.11.0 }
-    hasBin: true
-
   mvdan-sh@0.10.1:
     resolution:
       {
@@ -145,11 +134,10 @@ packages:
       }
 
 snapshots:
-  "@aminda/global-prettier-config@2025.13.0":
+  "@aminda/global-prettier-config@2025.10.0":
     dependencies:
       "@prettier/plugin-ruby": 4.0.4(prettier@3.5.3)
       "@prettier/plugin-xml": 3.4.1(prettier@3.5.3)
-      corepack: 0.32.0
       prettier: 3.5.3
       prettier-plugin-nginx: 1.0.3
       prettier-plugin-sh: 0.15.0(prettier@3.5.3)
@@ -178,8 +166,6 @@ snapshots:
     dependencies:
       regexp-to-ast: 0.5.0
 
-  corepack@0.32.0: {}
-
   mvdan-sh@0.10.1: {}
 
   prettier-plugin-nginx@1.0.3: {}

rc/bashrc

@@ -159,8 +159,8 @@ if hash lsb_release 2> /dev/null; then
 		unset LC_ALL
 	)
 
-	# Only print motivational phrases if username is aminda or mikaela or deck
-	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]] || [[ $(whoami) == deck ]]; then
+	# Only print motivational phrases if username is aminda or mikaela
+	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]]; then
 		if hash python3 2> /dev/null; then
 			(
 				# Motivational messages
@@ -191,7 +191,6 @@ Aferoj emas funkcii sin mem...\tOM MANI PEME HUNG...
 		# And this from sudo + the general advice for auditability
 		(printf "We trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n\t#1) Respect the privacy of others.\n\t#2) Think before you type.\n\t#3) With great power comes great responsibility.\n\nAdditionally you shouldn't be logging in as root directly.\n\n")
 	fi
-	printf "\tMake your tech grayscale painting your life with colours\n"
 fi
 
 #####	Environment					7RS56S	#####

rc/zshrc

@@ -55,8 +55,8 @@ if hash lsb_release 2> /dev/null; then
 		unset LC_ALL
 	)
 
-	# Only print motivational phrases if username is aminda or mikaela or deck
-	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]] || [[ $(whoami) == deck ]]; then
+	# Only print motivational phrases if username is aminda or mikaela
+	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]]; then
 		if hash python3 2> /dev/null; then
 			(
 				# Motivational messages
@@ -87,7 +87,6 @@ Aferoj emas funkcii sin mem...\tOM MANI PEME HUNG...
 		# And this from sudo + the general advice for auditability
 		(printf "We trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n\t#1) Respect the privacy of others.\n\t#2) Think before you type.\n\t#3) With great power comes great responsibility.\n\nAdditionally you shouldn't be logging in as root directly.\n\n")
 	fi
-	printf "\tMake your tech grayscale painting your life with colours\n"
 fi
 
 #####	Defaults etc...				M0TZLS	#####