2025-08-17 20:07:20 +02:00
23 changed files with 96 additions and 170 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1 +1 @@
-* @Mikaela
+*	@Mikaela
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,5 +1,3 @@
 # @format
 # Based on https://pre-commit.com
 image: python:alpine
 gitlab-ci-pre-commit:
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -121,7 +121,7 @@ repos:
  # Easierish licensing when attempting reuse compliancy
  - repo: https://github.com/fsfe/reuse-tool
-    rev: v4.0.1
+    rev: v3.1.0a1
    hooks:
      - id: reuse
--- a/.prettierrc
+++ b/.prettierrc
@ -13,11 +13,11 @@
 		{ "files": ".prettierrc", "options": { "parser": "json" } },
 		{
 			"files": "conf/librewolf.overrides.cfg",
-			"options": { "parser": "babel" }
+			"options": { "parser": ".js" }
 		},
 		{
 			"files": "conf/autoconfig.js.online",
-			"options": { "parser": "babel" }
+			"options": { "parser": ".js" }
 		}
 	]
 }
--- a/README.md
+++ b/README.md
@ -1,5 +1,3 @@
 <!-- @format -->
 Config files that I wish to have everywhere. You could probably call this
 repository as dotfiles, but historical reasons...
--- a/Windows/DoH/README.md
+++ b/Windows/DoH/README.md
@ -1,12 +1,10 @@
 <!-- @format -->
 # DNS over HTTPS in Windows 11
 Requires Windows 11.
 - `GPO-EnforceDoH.reg` enables the group policy to require DoH. However it
-  didn't seem to work for me or it allowed me to set the DNS server to not use
+  didn't seem to work for me or it allowed me to set the DNS server to not
-  DoH.
+  use DoH.
 - `DohWellKnownServers` adds DoH support for multiple IPv4 & IPv6 addresses
  that Windows 11 isn't shipping by default, currently:
@ -19,18 +17,14 @@ Requires Windows 11.
  - Mullvad
  - Mullvad Adblock
  - Quad9 ECS (Windows 11 defaults include Quad9 default)
-  - TREX (actually points to Quad9 as per
+  - TREX (actually points to Quad9 as per [their documentation](https://www.trex.fi/service/resolvers.html))
    [their documentation](https://www.trex.fi/service/resolvers.html))
 ## Configuration
 Once Windows knows about the DoH servers (DohWellKnownServers.reg), DNS-over
 HTTPS can be enabled for:
- All networks:
+- All networks: `Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit`
  `Windows-I (Settings) -> Network & Internet -> Advanced network settings -> WLAN -> View additional properties -> DNS Server assignment -> Edit`
  - Same place for Ethernet etc.
- Specific network:
+- Specific network: `Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit`
-  `Windows-I (Settings) -> Network & Internet -> WiFi -> Connected SSID -> DNS server assignment -> Edit`
+  - Note: if the all networks one is configured, there is a warning about it not being used.
  - Note: if the all networks one is configured, there is a warning about it
    not being used.
--- a/Windows/Windows.reg.markdown
+++ b/Windows/Windows.reg.markdown
@ -1,5 +1,3 @@
 <!-- @format -->
 This file is supposed to explain [Windows.reg](Windows.reg).
 ```
@ -12,10 +10,9 @@ Windows Registry Editor Version 5.00
 - Make the file Windows Registry Editor script
 - Ask admins for password/PIN in UAC
  - 2 would ask for yes or no, 0 disable entirely (don't do that).
- prompt standard users for username and password. 2021-12-19: I don't
+- prompt standard users for username and password. 2021-12-19: I don't understand this or the line below.
-  understand this or the line below.
+  - The other option (1) doesn't even give them UAC prompt so you must
-  - The other option (1) doesn't even give them UAC prompt so you must always
+    always login as admin to do anything.
    login as admin to do anything.
 ```
 "dontdisplaylastusername"=dword:00000000
@ -42,8 +39,8 @@ Windows Registry Editor Version 5.00
 ```
 - Sets hardware clock to UTC time (doesn't affect system clock!)
-  - qword for 64-bit, dword for 32-bit systems. The actual reg file has only
+  - qword for 64-bit, dword for 32-bit systems. The actual reg file has
-    qword as I haven't seen 32-bit Windowses lately.
+    only qword as I haven't seen 32-bit Windowses lately.
 ```
 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
--- a/conf/autoconfig.js
+++ b/conf/autoconfig.js
@ -1,5 +1,3 @@
 /** @format */
 // This file belongs to Firefox `default/pref` directory.
 // E.g. /usr/lib64/firefox/defaults/pref/ or ~/.local/firefox/defaults/pref/
--- a/conf/autoconfig.js.online
+++ b/conf/autoconfig.js.online
@ -1,15 +1,10 @@
 /** @format */
 // This file belongs to Firefox `default/pref` directory as `autoconfig.js`.
 // E.g. /usr/lib64/firefox/defaults/pref/autoconfig.js
 // WARNING: lockPref() IS NOT ALLOWED HERE!
 //pref("autoadmin.global_config_url","https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/firefox-forbidden-policies.js");
-pref(
+pref("autoadmin.global_config_url","file:///home/aminda/public_html/autoconfig.js");
 	"autoadmin.global_config_url",
 	"file:///home/aminda/public_html/autoconfig.js",
 );
 pref("general.config.obscure_value", 0);
 pref("autoadmin.refresh_interval", 120);
 pref("autoadmin.offline_failover", true);
--- a/conf/librewolf.overrides.cfg
+++ b/conf/librewolf.overrides.cfg
@ -1,4 +1,3 @@
 /** @format */
 // ~/.{librewolf,var/app/io.gitlab.librewolf-community/.librewolf}/librewolf.overrides.cfg
 // The first line of this file is supposed to be empty.
@ -12,10 +11,7 @@
 // NOTE! A lot is commented either for being a note, wrong, TODO, whatever, or most likely in my /etc/firefox/policies/policies.json
 // Firefox autoconfig
-pref(
+pref("autoadmin.global_config_url", "https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg");
 	"autoadmin.global_config_url",
 	"https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg",
 );
 //pref("general.config.obscure_value", 0);
 pref("autoadmin.refresh_interval", 120);
 pref("autoadmin.offline_failover", true);
@ -55,10 +51,7 @@ pref("privacy.fingerprintingProtection.pbmode", true);
 // usability and reveal the real platform (voting for Linux
 // existing in statistics). https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc
 // It's not like I have any uniqueness with `intl.accept_languages` below...
-pref(
+pref("privacy.fingerprintingProtection.overrides", "+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack");
 	"privacy.fingerprintingProtection.overrides",
 	"+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack",
 );
 // :( but fingerprintability
 pref("javascript.use_us_english_locale", true);
@ -154,14 +147,8 @@ pref("browser.cache.memory.enable", true);
 //pref("privacy.userContext.ui.enabled", true);
 //pref("browser.contentblocking.category", "strict");
-pref(
+pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
-	"privacy.partition.always_partition_third_party_non_cookie_storage",
+pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
 	true,
 );
 pref(
 	"privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage",
 	false,
 );
 /** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
 pref("browser.privatebrowsing.forceMediaMemoryCache", true);
@ -202,7 +189,7 @@ pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webr
 /** [SECTION] DNS */
 //pref("network.dns.disablePrefetch", true); // disable dns prefetching
-pref("network.dns.skipTRR-when-parental-control-enabled", false); // Arkenfox user.js v117
+pref("network.dns.skipTRR-when-parental-control-enabled", false);  // Arkenfox user.js v117
 /** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
 * disable prefecthing for different things such as links, bookmarks and predictions.
@ -284,6 +271,7 @@ pref("browser.urlbar.weather.featureGate", false);
 // these are from Arkenfox, I decided to put them here.
 pref("browser.download.start_downloads_in_tmp_dir", true); // Arkenfox user.js v118
 /**
 * the pref disables the whole feature and hide it from the ui
 * (as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1755057).
@ -319,6 +307,8 @@ pref("browser.link.open_newwindow.restriction", 0);
 /** [SECTION] MOUSE */
 pref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads
 /** [CATEGORY] EXTENSIONS */
 /** [SECTION] USER INSTALLED
@ -373,20 +363,14 @@ pref("browser.shopping.experience2023.active", false);
 /** [SECTION] OTHERS */
 pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
-pref("services.settings.server", "https://%.invalid"); // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
+pref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
 /** [SECTION] NEW TAB PAGE
 * we want NTP to display nothing but the search bar without anything distracting.
 * the three prefs below are just for minimalism and they should be easy to revert for users.
 */
-pref(
+pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
-	"browser.newtabpage.activity-stream.section.highlights.includeDownloads",
+pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
 	false,
 );
 pref(
 	"browser.newtabpage.activity-stream.section.highlights.includeVisited",
 	false,
 );
 pref("browser.newtabpage.activity-stream.feeds.topsites", false);
 // hide stories and sponsored content from Firefox Home
 pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
@ -396,10 +380,7 @@ pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
 pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
 pref("browser.newtabpage.activity-stream.telemetry", false);
 // hide stories UI in about:preferences#home, empty highlights list
-pref(
+pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}");
 	"browser.newtabpage.activity-stream.feeds.section.topstories.options",
 	'{"hidden":true}',
 );
 pref("browser.newtabpage.activity-stream.default.sites", "");
 /** [SECTION] ABOUT
@ -425,14 +406,8 @@ pref("browser.preferences.moreFromMozilla", false);
 /** [SECTION] RECOMMENDED
 * disable all "recommend as you browse" activity.
 */
-pref(
+pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
-	"browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features",
+pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 	false,
 );
 pref(
 	"browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons",
 	false,
 );
 // Maybe Windows specific, but looks useful.
 pref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
--- a/etc/dnscrypt-proxy/README.md
+++ b/etc/dnscrypt-proxy/README.md
@ -1,18 +1,16 @@
 <!-- @format -->
 My configs for [dnscrypt-proxy]
 At the time of writing, hosts-mikaela.txt is intended for not having to
-remember or trust the DNS for all of the domains or the hypothetical scenario
+remember or trust the DNS for all of the domains or the hypothetical
-where I have no access to DNS, but for some reason having access to
+scenario where I have no access to DNS, but for some reason having access
-[Yggdrasil] and/or [Hyperboria] or just to answer the question, why to rely on
+to [Yggdrasil] and/or [Hyperboria] or just to answer the question, why to
-centralized technology on decentralized web.
+rely on centralized technology on decentralized web.
 Mosts of the domains in hosts-mikaela.txt should also work without the file
 when mikaela.internal is replaced with mikaela.info, however relying on DNS,
-but that way you must trust DNSSEC, CloudFlare and wherever the CNAME points
+but that way you must trust DNSSEC, CloudFlare and wherever the CNAME
-to who may not have DNSSEC. If you are using this file (you shouldn't), you
+points to who may not have DNSSEC. If you are using this file
-are already trusting me.
+(you shouldn't), you are already trusting me.
 [dnscrypt-proxy]: https://github.com/jedisct1/dnscrypt-proxy
 [hyperboria]: https://hyperboria.net/
--- a/etc/firefox/policies/README.md
+++ b/etc/firefox/policies/README.md
@ -1,5 +1,3 @@
 <!-- @format -->
 # Firefox `policies.json`
 - https://mozilla.github.io/policy-templates/
@ -34,8 +32,8 @@ per whatever I am doing.
 ## WARNING TO LIBREWOLF USERS
 This file takes priority over
-`/usr/share/librewolf/distribution/policies.json` so don't apply this or a lot
+`/usr/share/librewolf/distribution/policies.json` so don't apply this or
-of LibreWolf specific customizations stops being in force.
+a lot of LibreWolf specific customizations stops being in force.
 ## General warning
--- a/etc/motd.d/startplasma.motd
+++ b/etc/motd.d/startplasma.motd
@ -1,3 +0,0 @@
 Suorita "startplasma" saadaksesi graafisen käyttöliittymän.
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@ -1,5 +1,3 @@
 <!-- @format -->
 # Chromium policies
 - https://chromeenterprise.google/policies/
@ -202,8 +200,8 @@ disabling GTK/Qt themes.
 ## `brave-shields-disabled.json`
-Allowlist for sites where I think Brave Shields may be breaking things.
+Allowlist for sites where I think Brave Shields may be breaking things. Similar is also in
-Similar is also in `aminda-extensions.json` for Privacy Badger.
+`aminda-extensions.json` for Privacy Badger.
 ## `disable-brave-ipfs.json`
@ -256,15 +254,14 @@ Simply forces DNS-over-HTTPS with DNS0.eu.
 ## `doh-mullvad-base.json`
-Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker
+Forces DNS-over-HTTPS with Mullvad Base, which features ad, malware & tracker blocking.
 blocking.
 - https://mullvad.net/en/help/dns-over-https-and-dns-over-tls#specifications
 ## `doh-quad9-ecs.json`
-Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also
+Forces DNS over HTTPS with Quad9 ECS enabled threat-blocking server and also contains
-contains their alternative port.
+their alternative port.
 ## `doh-quad9.json`
@ -273,18 +270,15 @@ their alternative port.
 ## `doh-unlocked-unset.json`
-Allows configuring DoH even with managed policies present (unless another DoH
+Allows configuring DoH even with managed policies present (unless another DoH rule is in force) since enabling any managed policy will otherwise gray out the option.
 rule is in force) since enabling any managed policy will otherwise gray out
 the option.
-If no DNS over HTTPS policy is used, this unlocks the setting. Enabling
+If no DNS over HTTPS policy is used, this unlocks the setting. Enabling managed policies disable it by default.
 managed policies disable it by default.
 My other `doh-*.json` set this as well, because `secure` doesn't allow
-downgrade to system resolver and Chromium seems somewhat unreliable with it
+downgrade to system resolver and Chromium seems somewhat unreliable with it often reporting
-often reporting `DNS_PROBE_POSSIBLE` and while this occassionally disables
+`DNS_PROBE_POSSIBLE` and while this occassionally disables ECH, it works and
-ECH, it works and my system resolvers are encrypted. I hope they will
+my system resolvers are encrypted. I hope they will implement ECH with system
-implement ECH with system resolver soon to fix this.
+resolver soon to fix this.
 ## `edge-appsfavorites.json`
@ -304,8 +298,7 @@ Explicitly enables Chromecast support.
 ## `enable-labs.json`
-Enables the beaker button "Experiments" for easier management than
+Enables the beaker button "Experiments" for easier management than `about:flags`.
 `about:flags`.
 ## `enable-passwordleakdetection.json`
@ -339,14 +332,14 @@ This file evolved to merge another one, so now it:
 ## `prefetch.json`
-Enables prefetching. Will make sites very speedy, but decreases privacy and
+Enables prefetching. Will make sites very speedy, but decreases privacy and may
-may conflict with uBlock Origin. However AdNauseam is already clicking those
+conflict with uBlock Origin. However AdNauseam is already clicking those ads, so
-ads, so maybe it's not that big of an issue.
+maybe it's not that big of an issue.
 ## `profilemanager.json`
-Forces the profile screen even with only one profile. I love the feature in
+Forces the profile screen even with only one profile. I love the feature in Firefox
-Firefox and want to see it here too, now that I accidentally noticed it.
+and want to see it here too, now that I accidentally noticed it.
 ## `README.md`
--- a/etc/systemd/resolved.conf.d/README.md
+++ b/etc/systemd/resolved.conf.d/README.md
@ -1,5 +1,3 @@
 <!-- @format -->
 # systemd-resolved additional config files
 <!-- editorconfig-checker-disable -->
@ -19,8 +17,8 @@
 ## Quickstart
-This is also done by `../../systemd-resolv.conf-restore.bash` which takes into
+This is also done by `../../systemd-resolv.conf-restore.bash` which takes
-account more circumstances...
+into account more circumstances...
 ```bash
 sudo systemctl enable --now systemd-resolved.service
@ -35,13 +33,13 @@ offer.
 ## Files explained
- `00-defaults.conf` - configuration that should be used everywhere. Enables
+- `00-defaults.conf` - configuration that should be used everywhere.
-  DNSSEC (regardless of systemd-resolved not handling it properly), enables
+  Enables DNSSEC (regardless of systemd-resolved not handling it properly),
-  opportunistic DoT, caching and local DNS servers (because they should exist
+  enables opportunistic DoT, caching and local DNS servers (because they
-  anyway as I don't trust systemd-resolved entirely. Anyway if there truly is
+  should exist anyway as I don't trust systemd-resolved entirely. Anyway if
-  no local resolver, systemd-resolved will detect that and act accordingly.)
+  there truly is no local resolver, systemd-resolved will detect that and act accordingly.)
-  - To rephrase, this is to be used together with other files, especially some
+  - To rephrase, this is to be used together with other files, especially
-    of those beginning with `10-dot-`.
+    some of those beginning with `10-dot-`.
 - `05-do53-dna-moi.conf` - DNS servers used by DNA and Moi (who is on DNA's
  network and owned by them)
 - `05-do53-elisa.conf` - DNS servers used by Elisa and apparently their
@ -50,12 +48,12 @@ offer.
  At least one of these should be used in addition to `00-defaults.conf`
 - `98-local-resolver.conf` attempts to configure localhost resolver and
  disables unnecessary features for that scenario. The number 10 takes
-  priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will also
+  priority over 00 and 05 so if a DNSOverTLS=true is uncommented, it will
-  apply to the former ones that are unlikely to support it. When numbering the
+  also apply to the former ones that are unlikely to support it. When
-  files, I didn't think I would be adding the plaintext DNS servers that I am
+  numbering the files, I didn't think I would be adding the plaintext DNS
-  unlikely to use whenever Unbound is available (and I currently have only one
+  servers that I am unlikely to use whenever Unbound is available (and I
-  system that has systemd-resolved while not having Unbound and it seems to
+  currently have only one system that has systemd-resolved while not having
-  prefer DoT over my router anyway).
+  Unbound and it seems to prefer DoT over my router anyway).
 - `99-lan-resolver.conf.sample` when renamed would allow enabling resolvers on
  LAN assuming they are trusted. Note that if used together with
  `98-local-resolver.conf`, DNSSEC would be disabled.
@ -63,33 +61,30 @@ offer.
 ## General commentary
- DNSOverTLS became supported in systemd v239, strict mode (true) in v243 (big
+- DNSOverTLS became supported in systemd v239, strict mode (true) in
-  improvements in v244).
+  v243 (big improvements in v244).
  - TODO: find out when SNI became supported, I have just spotted it in the
    fine manual in 2020-06-??.
- Domains has to be `.~` for them to override DHCP. See
+- Domains has to be `.~` for them to override DHCP. See https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
  https://www.internetsociety.org/blog/2018/12/dns-privacy-in-linux-systemd
  without which I wouldn't have got this right.
 - DNSSEC may not work if the system is down for a long time and not updated.
  Thus `allow-downgrade` may be better for non-tech people, even with the
  potential downgrade attack. There are also captive portals, affecting
-  `DNSOverTLS`. Both take `true` or `false` or their own special option, for
+  `DNSOverTLS`. Both take `true` or `false` or their own special option,
-  DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
+  for DNSSEC the `allow-downgrade`, for DNSOverTLS `opportunistic`.
  - Then again when was any system that outdated to not have working DNSSEC?
    - TODO: return to this configuration should that actually happen?
    - I am actually running Unbound simultaneously with `resolv.conf` pointing
      to both with `options rotate edns0 trust-ad` which might workaround that
      potential issue.
 - DNS server priority is the one they are specified in. The first working one
-  will be used when it won't work anymore and then the next is used as long as
+  will be used when it won't work anymore and then the next is used as long
-  it works and then it's back to the beginning.
+  as it works and then it's back to the beginning.
  - https://github.com/systemd/systemd/issues/16322#issuecomment-724143641
 Other links I have found important and my files are based on:
 - https://wiki.archlinux.org/index.php/Systemd-resolved
-  - Also provides the serious issues systemd-resolved+DNSSEC issues,
+  - Also provides the serious issues systemd-resolved+DNSSEC issues, https://github.com/systemd/systemd/issues/10579 & https://github.com/systemd/systemd/issues/9867
    https://github.com/systemd/systemd/issues/10579 &
    https://github.com/systemd/systemd/issues/9867
 - request for strict DoT: https://github.com/systemd/systemd/issues/10755
 - vulnerable to MITM: https://github.com/systemd/systemd/issues/9397
--- a/etc/systemd/system/README.md
+++ b/etc/systemd/system/README.md
@ -1,19 +1,15 @@
 <!-- @format -->
 Systemd services. These are sorted by some kind of category into
 subdirectories. The sudirectories won't exist in the real
 `/etc/systemd/system` unless they end `.wants` or `.d` or something similar
 and I forget to update this README file if that happens.
- reflector.service is copied from
+- reflector.service is copied from https://wiki.archlinux.org/index.php/Reflector
-  https://wiki.archlinux.org/index.php/Reflector but uses https instead of
+  but uses https instead of http, because there is no reason I would want
-  http, because there is no reason I would want someone to see what I
+  someone to see what I download.
  download.
 ## Worth reading
 - Waiting for network devices to have IP address (**I only use this for
-  cables**)
+  cables**) https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
  https://wiki.freedesktop.org/www/Software/systemd/NetworkTarget/#cutthecraphowdoimakenetwork.targetworkforme
  - `systemctl enable NetworkManager-wait-online.service`
  - `systemctl enable systemd-networkd-wait-online.service`
--- a/etc/xdg/autostart/README.md
+++ b/etc/xdg/autostart/README.md
@ -1,5 +1,3 @@
 <!-- @format -->
 # Autostart files for graphical desktop environments
 This mostly caters for my family.
--- a/local/share/applications/README.md
+++ b/local/share/applications/README.md
@ -1,5 +1,3 @@
 <!-- @format -->
 # Custom app menu entries
 These can be used for either `~/.local/share/applications` or
@ -27,12 +25,12 @@ so graphical desktop environments started the apps on login.
 ## `a-*.desktop`
 These files are companions to my script repos `bash/usr-local-bin/*` belonging
-to `/usr/local/share/applications` and are named so to avoid masking package
+to `/usr/local/share/applications` and are named so to
-manager. They have clearly different names such as using all caps.
+avoid masking package manager. They have clearly different names such as using
 all caps.
-Apparently one can also have subdirectories in
+Apparently one can also have subdirectories in `/usr/local/share/applications/`
-`/usr/local/share/applications/` and `~/.local/share/applications/` making
+and `~/.local/share/applications/` making life easier.
 life easier.
 ## Refreshing the menus
--- a/submodules/comic-shanns-mono
+++ b/submodules/comic-shanns-mono
@ -1 +1 @@
-Subproject commit 5a13931471e3a5546adcf5dd772946aa34602e79
+Subproject commit e06882aee157cf76d91d884f921fd7a3be5d32a4
--- a/submodules/jauderho-nts-servers
+++ b/submodules/jauderho-nts-servers
@ -1 +1 @@
-Subproject commit 8bdf724242a8f56388aa6f8f526c258c66514de0
+Subproject commit 2d7b059fd26c1383fcaea7264d9f3ca0c686b449
--- a/submodules/opendyslexic
+++ b/submodules/opendyslexic
@ -1 +1 @@
-Subproject commit 2eda7aa4889f43d0e5304ad871a8fc589a9b74c4
+Subproject commit e7ac50af1aabb8cb0fbf81db105f21f81fbb5284
--- a/submodules/serious-sans
+++ b/submodules/serious-sans
@ -1 +1 @@
-Subproject commit fba8a1125af01fad20c0618bf1729ed442c2eeb2
+Subproject commit abeaecdcbb5065385bdbf480eda8ee607644e4ec
--- a/var/lib/iwd/README.md
+++ b/var/lib/iwd/README.md
@ -1,5 +1,3 @@
 <!-- @format -->
 iwd network configuration lives in this directory
 See also `../../../etc/iwd/main.conf` especially in standalone iwd without
@ -7,11 +5,11 @@ NetworkManager.
 Notes:
- `git commit`ing the same SSID with different capitalisations breaks Windows
+- `git commit`ing the same SSID with different capitalisations breaks
-  and more common macOS setups due to their filesystems being
+  Windows and more common macOS setups due to their filesystems being
  case-insensitive.
- `Settings.AutoConnect=true` is unnecessary as it defaults to true according
+- `Settings.AutoConnect=true` is unnecessary as it defaults to true
-  to `man iwd.network`.
+  according to `man iwd.network`.
 - `IPv6.Enabled=true` defauls to true being also unnecessary.
 - `private-home-sample.psk` has a comment on MAC address override and sends
  hostname with IPv4 DHCP. `private-cafe-sample.psk` always randomizes MAC
		`@ -1,3 +0,0 @@`

			`Suorita "startplasma" saadaksesi graafisen käyttöliittymän.`
		`@ -1 +1 @@`
			`Subproject commit 5a13931471e3a5546adcf5dd772946aa34602e79`				`Subproject commit e06882aee157cf76d91d884f921fd7a3be5d32a4`
		`@ -1 +1 @@`
			`Subproject commit 8bdf724242a8f56388aa6f8f526c258c66514de0`				`Subproject commit 2d7b059fd26c1383fcaea7264d9f3ca0c686b449`
		`@ -1 +1 @@`
			`Subproject commit 2eda7aa4889f43d0e5304ad871a8fc589a9b74c4`				`Subproject commit e7ac50af1aabb8cb0fbf81db105f21f81fbb5284`
		`@ -1 +1 @@`
			`Subproject commit fba8a1125af01fad20c0618bf1729ed442c2eeb2`				`Subproject commit abeaecdcbb5065385bdbf480eda8ee607644e4ec`