systemd/networkd: add 00-family-visit.network.sample as an actually useful example configuration

firefox: add Google opt-out for consistency with Chromium
iwd/main.conf: enable ManagementFrameProtection by default
2024-11-22 11:19:22 +01:00 · 2024-07-23 11:21:16 +03:00 · 2024-07-23 10:40:41 +03:00 · 2024-07-23 09:01:32 +03:00 · 2024-07-23 08:51:56 +03:00 · 2024-07-23 08:49:18 +03:00
10 changed files with 66 additions and 24 deletions
--- a/etc/firefox/policies/policies.json
+++ b/etc/firefox/policies/policies.json
@ -199,6 +199,10 @@
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/offline-qr-code-generator/latest.xpi",
        "installation_mode": "force_installed"
      },
+      "optout@google.com": {
+        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/interest-advertising-opt-out/latest.xpi",
+        "installation_mode": "force_installed"
+      },
      "plasma-browser-integration@kde.org": {
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/plasma-integration/latest.xpi",
        "installation_mode": "force_installed"
@ -215,6 +219,10 @@
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
        "installation_mode": "force_installed"
      },
+      "{2f182d41-fd03-4a6d-938d-081419586c37}": {
+        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/google-analytics-opt-out/latest.xpi",
+        "installation_mode": "force_installed"
+      },
      "{3c078156-979c-498b-8990-85f7987dd929}": {
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/sidebery/latest.xpi",
        "installation_mode": "normal_installed"
--- a/etc/iwd/main.conf
+++ b/etc/iwd/main.conf
@ -8,11 +8,11 @@
 # To check/refresh regdomain, `iw wlan0 scan | egrep -e "SSID:|Country:"`
 Country=FI

-# legacy compatibility, at least on Lumina?
-use_default_interface=true
+# Legacy compatibility. Doesn't seem necessary on Lumina.
+#use_default_interface=true

-# build-in network configuration including DHCP client
-# true if not using systemd-networkd!
+# Build-in network configuration including DHCP client (and server when
+# tethering), true if not using systemd-networkd!
 #EnableNetworkConfiguration=false

 # NOTE! Disable this in case of trouble connecting to network entirely, e.g.
@ -28,12 +28,18 @@ AddressRandomization=network
 # Helsinki City WLAN (and variations) doesn't seem to like "full" (default)
 AddressRandomizationRange=nic

+# Always require management frame protection. May break things especially with
+# legacy networks and hardware! Switch to 1 (default) for only when supported
+# by both sides (downgrade attack possible?).
+ManagementFrameProtection=2
+
 [Network]
 EnableIPv6=true
 # My /etc/resolf.conf is generally ::1 127.0.0.1 127.0.0.53 and I am not
 # entirely opposed to local servers. The two first are unbound, the third/this
-# systemd-resolved
-NameResolvingService=systemd
+# systemd-resolved. NOTE! Must be used in conjunction with
+# EnableNetworkConfiguration!
+#NameResolvingService=systemd
 #NameResolvingService=none
 # Default 300, lower preferred by system. Useful when WiFi is known faster
 # than ethernet like having 10 Mbps switch from time before the building had
--- a/etc/systemd/network/00-family-visit.network.sample
+++ b/etc/systemd/network/00-family-visit.network.sample
@ -0,0 +1,35 @@
+[Match]
+Type=ether
+
+[Link]
+RequiredForOnline=false
+#ActivationPolicy=always-up
+
+[Network]
+DHCP=false
+Address=192.168.0.2/24
+Gateway=192.168.8.1
+IPv6PrivacyExtensions=true
+IPv6LinkLocalAddressGenerationMode=stable-privacy
+DNS=
+DNS=::1
+DNS=127.0.0.1
+Domains=.
+
+[Match]
+Type=wlan
+
+[Link]
+ActivationPolicy=always-up
+
+[Network]
+DHCP=false
+Address=192.168.0.3/24
+Gateway=192.168.8.1
+IPv6PrivacyExtensions=true
+IPv6LinkLocalAddressGenerationMode=stable-privacy
+DNS=
+DNS=::1
+DNS=127.0.0.1
+DNS=127.0.0.53
+Domains=.
--- a/etc/systemd/network/10-ether.network
+++ b/etc/systemd/network/10-ether.network
@ -1,12 +1,8 @@
 [Match]
-#Name=*
-# Can be {colon,hyphen,dot}-delimited hexadecimal or IPv{4,6} address
 #MACAddress=
 Type=ether

 [Link]
-# My devices generally also have WiFi so lack of ethernet is not a reason
-# to wait for systemd-networkd-wait-online.service
 RequiredForOnline=false
 # Takes "ipv4", "ipv6", "both", or "any" (default).
 RequiredFamilyForOnline=both
@ -15,7 +11,7 @@ RequiredFamilyForOnline=both
 # Always set administrative state to up. Implies RequiredForOnline=true
 #ActivationPolicy=always-up
 # Required for mDNS
-Multicast=true
+#Multicast=true

 [Network]
 #DHCP=true
--- a/etc/systemd/network/10-none.network
+++ b/etc/systemd/network/10-none.network
@ -4,7 +4,7 @@ Type=none

 [Link]
 Unmanaged=true
-Multicast=false
+#Multicast=false

 [Network]
 IPv6PrivacyExtensions=true
--- a/etc/systemd/network/10-wireguard.network
+++ b/etc/systemd/network/10-wireguard.network
@ -3,7 +3,7 @@ Type=wireguard

 [Link]
 Unmanaged=true
-Multicast=false
+#Multicast=false

 [Network]
 IPv6PrivacyExtensions=true
--- a/etc/systemd/network/10-wlan.network
+++ b/etc/systemd/network/10-wlan.network
@ -6,14 +6,14 @@ Type=wlan

 [Link]
 # Takes "ipv4", "ipv6", "both", or "any" (default).
-RequiredFamilyForOnline=both
+#RequiredFamilyForOnline=both
 # Always set administrative state to up. Implies RequiredForOnline=true
 ActivationPolicy=always-up
 # If something else (like iwd EnableNetworkConfiguration=true) manages network,
 # uncomment
 #Unmanaged=true
 # Required for mDNS
-Multicast=true
+#Multicast=true

 [Network]
 DHCP=true
--- a/etc/systemd/system/aminda-nocron-reboot.service
+++ b/etc/systemd/system/aminda-nocron-reboot.service
@ -29,7 +29,12 @@ ExecStart=-/usr/bin/firewall-cmd --permanent --add-port=6771/udp
 #ExecStart=-/root/fixcontroller.py
 # This is actually in the delayed variant of this service, but anyway
 ExecStart=-/usr/bin/systemctl enable --now yggdrasil.service
+ExecStart=-/usr/bin/systemctl enable --now ssh.service
+ExecStart=-/usr/bin/systemctl enable --now sshd.service
 ExecStart=-/usr/bin/systemctl enable --now sshguard.service
+ExecStart=-/usr/bin/systemctl enable --now unbound.service
+ExecStart=-/usr/bin/systemctl enable --now chrony.service
+ExecStart=-/usr/bin/systemctl enable --now chronyd.service
 User=root
 StandardOutput=journal
 StandardError=journal
--- a/etc/systemd/system/aminda-nocron-rebootish.service
+++ b/etc/systemd/system/aminda-nocron-rebootish.service
@ -7,6 +7,7 @@ TimeoutStartSec=infinity
 # - means it can fail, without failing those after it
 # Another attempt at ensuring Yggdrasil works with nordvpnd
 ExecStartPre=-/usr/sbin/sysctl net.ipv6.conf.all.disable_ipv6=0
+ExecStartPre=-/usr/bin/systemctl enable --now tlp
 ExecStart=-/usr/bin/systemctl restart yggdrasil.service
 ExecStart=-/bin/firewall-cmd --reload
 # If they somehow managed to not start already
--- a/etc/systemd/system/start-unbound.service
+++ b/etc/systemd/system/start-unbound.service
@ -1,9 +0,0 @@
-[Unit]
-Description=poke unbound as a stupid workaround for it not wanting to start with wireless devices
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/systemctl start unbound --quiet
-
-[Install]
-WantedBy=multi-user.target
Author	SHA1	Message	Date
Aminda Suomalainen	8586fd7dc1	systemd/networkd: add 00-family-visit.network.sample as an actually useful example configuration	2024-07-23 11:21:16 +03:00
Aminda Suomalainen	d8dcf38094	firefox: add Google opt-out for consistency with Chromium	2024-07-23 10:40:41 +03:00
Aminda Suomalainen	1fc8bcd7bc	iwd/main.conf: enable ManagementFrameProtection by default	2024-07-23 09:01:32 +03:00
Aminda Suomalainen	4c9caf7235	iwd: comment legacy, switch to NameResolvingService none	2024-07-23 08:51:56 +03:00
Aminda Suomalainen	d08c511875	aminda-nocron-*: add more services	2024-07-23 08:49:18 +03:00
Aminda Suomalainen	44a2f4b482	systemd-networkd: adjust comments	2024-07-23 08:43:39 +03:00