browsers: mark DarkReader as allowed, rename Ecosia on Chromium, update comments, pre-commit

This reverts commit 22df7c73a864aed3c0d5083c970d34cb0a093872.

.gitignore

@@ -19,6 +19,7 @@
 !.python-version
 !.renovate-shared.json*
 !.reuse
+!.wokeignore
 
 # Certificates (unlikely to happen, but better safe than sorry)
 *.pem

.pre-commit-config.yaml

@@ -9,8 +9,6 @@ ci:
 
 default_language_version:
   node: "lts"
-  # Remember .python-version !
-  python: "3.13"
   ruby: ".ruby-version"
 
 repos:
@@ -73,7 +71,7 @@ repos:
 
   # GitHub Actions etc. configuration validity checking
   - repo: https://github.com/python-jsonschema/check-jsonschema
-    rev: 0.31.3
+    rev: 0.32.1
     hooks:
       #- id: check-jsonschema
       - id: check-dependabot

.python-version

@@ -1 +0,0 @@
-system

.wokeignore

@@ -0,0 +1,17 @@
+# ASCII armoured GPG content, I don't control words included.
+*.asc
+
+# When you become IRC operator on Charybdis IRCd, it will tell you:
+#   We would like to take this moment to remind you that we accept
+#   absolutely no liability for the INSANITY you're about to endure.
+# I think it's appropiate reminder for logging in as root (which people
+# shouldn't be doing, sudo logs superuser actions better) and thus I wish to
+# keep it in my configuration and I hope everyone doing system administration
+# understands it without getting upset. That is not to say I am not open for
+# alternatives, if you know of an more inclusive saying and are a person,
+# please contact me.
+rc/bashrc
+rc/zshrc
+
+# A certain CAPITALIZED word above is an issue.
+.wokeignore

conf/autoconfig.js

@@ -1,5 +1,3 @@
-/** @format */
-
 // This file belongs to Firefox `default/pref` directory.
 // E.g. /usr/lib64/firefox/defaults/pref/ or ~/.local/firefox/defaults/pref/
 

conf/autoconfig.js.online

@@ -1,15 +1,12 @@
-/** @format */
-
 // This file belongs to Firefox `default/pref` directory as `autoconfig.js`.
 // E.g. /usr/lib64/firefox/defaults/pref/autoconfig.js
 
 // WARNING: lockPref() IS NOT ALLOWED HERE!
 
-//pref("autoadmin.global_config_url","https://codeberg.org/Aminda/shell-things/raw/branch/master/conf/firefox-forbidden-policies.js");
+// prettier-ignore
-pref(
+pref("autoadmin.global_config_url", "https://raw.githubusercontent.com/Mikaela/shell-things/refs/heads/cxefa/conf/firefox-forbidden-policies.js");
-	"autoadmin.global_config_url",
+// prettier-ignore
-	"file:///home/aminda/public_html/autoconfig.js",
+//pref("autoadmin.global_config_url", "file:///home/aminda/public_html/autoconfig.js");
-);
 pref("general.config.obscure_value", 0);
 pref("autoadmin.refresh_interval", 120);
 pref("autoadmin.offline_failover", true);

conf/firefox-forbidden-policies.js

@@ -28,6 +28,8 @@ lockPref(
 	"font.name-list.monospace.x-western",
 	"Comic Shanns Mono, Roboto Mono, Liberation Mono, Noto Sans Mono, monospace",
 );
+// REMEMBER! OpenDyslexic won't work here for some reason, use the extension
+// once it returns to Firefox! https://github.com/OpenDyslexic/extension/issues/75
 lockPref(
 	"font.name-list.sans-serif.x-cyrillic",
 	"Inclusive Sans, Roboto, Liberation Sans, Noto Sans, sans-serif",
@@ -86,5 +88,8 @@ lockPref("sidebar.revamp", true);
 lockPref("sidebar.verticalTabs", true);
 lockPref("sidebar.visibility", "always-show");
 
+// Per process isolation
+lockPref("fission.autostart", true);
+
 // No making configuration on the last line of the file!
 //

etc/default/grub.d/itwjyg.cfg

@@ -1,4 +1,5 @@
 # Itwjyg is a MacBook 7,1, brcmsmac is the WLAN driver, Nouveau is the
 # driver that actually gets picture visible and I think nvidia is the
 # propietary driver that doesn't manage that.
+# wokeignore:rule=blacklist
 GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT brcmsmac nouveau module_blacklist=nvidia"

etc/dracut.conf.d/99-cmdline.conf.sedric

@@ -1,2 +1,3 @@
+# wokeignore:rule=blacklist
 kernel_cmdline="root=UUID=c3df30ca-878b-4125-bcb4-ba3ba4398efd rw rootflags=subvol=root rd.lvm.lv=fedora_localhost-live/root rd.luks.uuid=luks-f9a33e19-4176-44b3-8e06-2ee7fb70f3d0 mitigations=auto,nosmt btusb.force_scofix=1 btusb.enable_autosuspend=0 cpufreq.default_governor=schedutil rd.driver.blacklist=nouveau modprobe.blacklist=nouveau"
 # vim: filetype=conf

etc/firefox/policies/policies.json

@@ -52,7 +52,7 @@
 					"advancedSettings": [
 						[
 							"filterAuthorMode",
-							"true"
+							"false"
 						],
 						[
 							"trustedListPrefixes",
@@ -102,6 +102,7 @@
 							"ublock-cookies-adguard",
 							"ublock-cookies-easylist",
 							"https://secure.fanboy.co.nz/fanboy-annoyance.txt",
+							"https://gitflic.ru/project/magnolia1234/bypass-paywalls-clean-filters/blob/raw?file=bpc-paywall-filter.txt",
 							"https://ads-for-open-source.readthedocs.io/en/latest/_static/lists/opensource-ads.txt"
 						]
 					},
@@ -118,6 +119,10 @@
 							"collapseBlocked",
 							"true"
 						],
+						[
+							"colorBlindFriendly",
+							"false"
+						],
 						[
 							"ignoreGenericCosmeticFilters",
 							"true"
@@ -214,23 +219,42 @@
 			"ATBC@EasonWong": {
 				"default_area": "menupanel",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/adaptive-tab-bar-colour/latest.xpi",
-				"installation_mode": "normal_installed",
+				"installation_mode": "force_installed",
-				"private_browsing": false
+				"private_browsing": true
 			},
 			"CanvasBlocker@kkapsner.de": {
-				"comment": "Requested by LibreAwoo for those who don't have RFP/FPP, neither of which I can specify through this policy. Additionally its own description says compatible with the Firefox integrated one.",
+				"blocked_install_message": "Likely overlaps with JShelter in a negative way",
+				"comment": "Requested by LibreAwoo for those who don't have RFP/FPP, neither of which I can specify through this policy. Additionally its own description says compatible with the Firefox integrated one. Anyway I will probably unload it personally.",
 				"default_area": "menupanel",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/canvasblocker/latest.xpi",
-				"installation_mode": "normal_installed",
+				"installation_mode": "blocked",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
 			"addon@darkreader.org": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi",
-				"installation_mode": "normal_installed",
+				"installation_mode": "allowed",
 				"private_browsing": true
 			},
+			"chrome-mask@overengineer.dev": {
+				"default_area": "navbar",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/chrome-mask/latest.xpi",
+				"installation_mode": "force_installed",
+				"private_browsing": false
+			},
+			"goeuropean@example.com": {
+				"default_area": "navbar",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/go-european/latest.xpi",
+				"installation_mode": "force_installed",
+				"private_browsing": false
+			},
+			"gps-detect@allanwirth.com": {
+				"default_area": "menupanel",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/gpsdetect/latest.xpi",
+				"installation_mode": "force_installed",
+				"private_browsing": false
+			},
 			"ipvfoo@pmarks.net": {
 				"default_area": "menupanel",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/ipvfoo/latest.xpi",
@@ -238,6 +262,12 @@
 				"private_browsing": false,
 				"restricted_domains": []
 			},
+			"jid0-3GUEt1r69sQNSrca5p8kx9Ezc3U@jetpack": {
+				"default_area": "navbar",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/terms-of-service-didnt-read/latest.xpi",
+				"installation_mode": "force_installed",
+				"private_browsing": false
+			},
 			"jid1-MnnxcxisBPnSXQ-eff@jetpack": {
 				"blocked_install_message": "Already installed from AMO",
 				"default_area": "navbar",
@@ -254,11 +284,17 @@
 				"private_browsing": true,
 				"restricted_domains": []
 			},
+			"jsr@javascriptrestrictor": {
+				"default_area": "navbar",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/javascript-restrictor/latest.xpi",
+				"installation_mode": "allowed",
+				"private_browsing": true
+			},
 			"offline-qr-code@rugk.github.io": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/offline-qr-code-generator/latest.xpi",
 				"installation_mode": "force_installed",
-				"private_browsing": true,
+				"private_browsing": false,
 				"restricted_domains": []
 			},
 			"optout@google.com": {
@@ -285,7 +321,7 @@
 			"uBlock0@raymondhill.net": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi",
-				"installation_mode": "normal_installed",
+				"installation_mode": "force_installed",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
@@ -325,6 +361,10 @@
 				"private_browsing": true,
 				"restricted_domains": []
 			},
+			"{6003eac6-4b07-4aaf-960b-92fa006cd444}": {
+				"blocked_install_message": "AI hurts climate and the crawlers are DDoSing the internet",
+				"installation_mode": "blocked"
+			},
 			"{6a65273e-2b26-40f5-b66e-8eed317307da}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/new-tab-suspender/latest.xpi",
@@ -342,7 +382,7 @@
 			"{73a6fe31-595d-460b-a920-fcc0f8843232}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/noscript/latest.xpi",
-				"installation_mode": "normal_installed",
+				"installation_mode": "allowed",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
@@ -352,16 +392,22 @@
 				"installation_mode": "normal_installed",
 				"private_browsing": false
 			},
+			"{90b8ecca-860a-4f1c-8476-e181df2cf635}": {
+				"default_area": "navbar",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/grayscale-bro/latest.xpi",
+				"installation_mode": "normal_installed",
+				"private_browsing": true
+			},
 			"{b11bea1f-a888-4332-8d8a-cec2be7d24b9}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/torproject-snowflake/latest.xpi",
 				"installation_mode": "normal_installed",
-				"private_browsing": true
+				"private_browsing": false
 			},
 			"{b86e4813-687a-43e6-ab65-0bde4ab75758}": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/localcdn-fork-of-decentraleyes/latest.xpi",
-				"installation_mode": "normal_installed",
+				"installation_mode": "allowed",
 				"private_browsing": true,
 				"restricted_domains": []
 			},
@@ -396,7 +442,7 @@
 		"LegacySameSiteCookieBehaviorEnabled": false,
 		"NetworkPrediction": false,
 		"NewTabPage": true,
-		"OverrideFirstRunPage": "about:mozilla|https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide",
+		"OverrideFirstRunPage": "about:mozilla|https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide|https://addons.mozilla.org/firefox/addon/noscript/",
 		"PDFjs": {
 			"EnablePermissions": false,
 			"Enabled": true
@@ -490,16 +536,15 @@
 				"Value": 0
 			},
 			"browser.ml.chat.enabled": {
-				"Comment": "Disable AI by default.",
+				"Comment": "Disable AI.",
-				"Status": "default",
+				"Status": "locked",
 				"Type": "boolean",
 				"Value": false
 			},
 			"browser.ml.chat.provider": {
-				"Comment": "Ask every time which AI to use, if enabled.",
+				"Status": "default",
-				"Status": "clear",
 				"Type": "string",
-				"Value": "https://www.ecosia.org/chat"
+				"Value": "https://chat.mistral.ai/chat"
 			},
 			"browser.preferences.moreFromMozilla": {
 				"Status": "default",
@@ -579,6 +624,11 @@
 				"Type": "boolean",
 				"Value": true
 			},
+			"browser.tabs.groups.smart.enabled": {
+				"Status": "default",
+				"Type": "boolean",
+				"Value": true
+			},
 			"browser.tabs.inTitlebar_commented": {
 				"Comment": "without _commented 0 enables system title bar and 2 is default.",
 				"Status": "default",
@@ -600,6 +650,12 @@
 				"Type": "boolean",
 				"Value": false
 			},
+			"browser.taskbarTabs.enabled": {
+				"Comment": "Rumoured PWA support",
+				"Status": "default",
+				"Type": "boolean",
+				"Value": true
+			},
 			"browser.translations.automaticallyPopup": {
 				"Status": "locked",
 				"Type": "boolean",
@@ -625,6 +681,11 @@
 				"Type": "boolean",
 				"Value": true
 			},
+			"browser.uidensity": {
+				"Status": "default",
+				"Type": "number",
+				"Value": 1
+			},
 			"browser.urlbar.trimHttps": {
 				"Status": "locked",
 				"Type": "boolean",
@@ -686,6 +747,12 @@
 				"Type": "string",
 				"Value": ""
 			},
+			"fission.autostart": {
+				"Comment": "Enable fission, site separation per process, security. Preference not allowed for stability reasons. :(",
+				"Status": "locked",
+				"Type": "boolean",
+				"Value": true
+			},
 			"general.config.obscure_value": {
 				"Comment": "Required for autoconfig.",
 				"Status": "locked",
@@ -709,6 +776,12 @@
 				"Type": "boolean",
 				"Value": false
 			},
+			"gfx.webrender.all": {
+				"Comment": "Enable fission, site separation per process, security",
+				"Status": "locked",
+				"Type": "boolean",
+				"Value": true
+			},
 			"image.animation.mode": {
 				"Comment": "Preference not allowed for stability reasons. :(",
 				"Status": "default",
@@ -771,8 +844,14 @@
 				"Type": "boolean",
 				"Value": false
 			},
+			"media.autoplay.blocking_policy": {
+				"Comment": "2 - Click to play media",
+				"Status": "default",
+				"Type": "number",
+				"Value": 2
+			},
 			"media.autoplay.default": {
-				"Comment": "Not even autoplaying silently?",
+				"Comment": "5 blocks autoplay entirely (unless allowed per site from the navbar menu). 2 should open the prompt by default.",
 				"Status": "default",
 				"Type": "number",
 				"Value": 5
@@ -1009,7 +1088,7 @@
 					"URLTemplate": "https://start.duckduckgo.com/?q={searchTerms}"
 				},
 				{
-					"Name": "Ecosia",
+					"Name": "Ecosia search",
 					"Alias": "e",
 					"Description": "Ecosia Search Engine",
 					"IconURL": "https://cdn-static.ecosia.org/static/icons/favicon.ico",
@@ -1044,11 +1123,13 @@
 					"URLTemplate": "https://search.brave.com/goggles?q={searchTerms}"
 				}
 			],
-			"Default": "Ecosia"
+			"Default": "Ecosia search"
 		},
 		"SearchSuggestEnabled": false,
 		"SecurityDevices": {
 			"Add": {
+				"Debian OpenSC onepin": "/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so",
+				"Fedora OpenSC onepin": "/usr/lib64/onepin-opensc-pkcs11.so",
 				"Fujitsu mPollux DigiSignApplication": "/usr/lib64/libcryptoki.so"
 			}
 		},

etc/init-browser-policies.bash

@@ -5,16 +5,41 @@ set -x
 
 # Require root or exit
 if [ "$(id -u)" != "0" ]; then
-	echo "This script requires root for managing /etc/" 1>&2
+	echo "This script requires root for managing /etc/..."
-	exit 1
+
+	# Firefox Flatpak
+	mkdir -vp "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
+	mkdir -vp "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
+	cp -v firefox/policies/policies.json "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
+	cp -v firefox/policies/policies.json "$HOME/.local/share/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
+
+	# Chromium Flatpak
+	mkdir -vp "$HOME/.local/share/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/managed"
+	mkdir -vp "$HOME/.local/share/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/recommended"
+
+	echo "...but flatpaks were more or less handled."
+	exit 0
 fi
 
+# TODO: Snap based browsers or at least Firefox can supposedly run with less
+# snap sandboxing. Consider these if need arises:
+# sudo snap set firefox confinement=classic
+# https://bugs.launchpad.net/snapd/+bug/1972762
+# sudo snap connect {firefox,chromium,vivaldi}:pcscd
+#
+# OFFTOPIC TODO: more flatseal style management is coming, consider
+# snap refresh snapd --channel=candidate
+# snap install desktop-security-center
+# snap install prompting-client
+# https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963?p-119405-enabling-the-feature
+
 # Firefox and LibreWolf (caution! https://codeberg.org/librewolf/issues/issues/1767)
 mkdir -vp /etc/firefox/policies
-setfacl --recursive --modify=u:root:rwX,o:rX /etc/firefox/policies
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/firefox/policies
 chmod -v a+rx /etc/firefox/
 chmod -v a+rx /etc/firefox/policies/
-touch /etc/firefox/policies/policies.json
+#touch /etc/firefox/policies/policies.json
+cp -v firefox/policies/policies.json /etc/firefox/policies/policies.json
 chmod -v a+r /etc/firefox/policies/policies.json
 printf "WARNING! LibreWolf default profile may be masked!\nhttps://codeberg.org/librewolf/issues/issues/1767\n"
 
@@ -31,35 +56,57 @@ ln -nsfv /etc/firefox /etc/firefox-esr
 
 # Chromium
 mkdir -vp /etc/opt/chromium/policies/{managed,recommended}
-setfacl --recursive --modify=u:root:rwX,o:rX /etc/firefox/policies
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/opt/chromium/policies
 chmod -v a+rx /etc/opt/chromium/policies/
 chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/
+# Chromium snap
+mkdir -p /etc/chromium-browser
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/chromium-browser
+ln -nsfv /etc/opt/chromium/policies /etc/chromium-browser/policies
 
 # Brave
 mkdir -p /etc/brave
-setfacl --recursive --modify=u:root:rwX,o:rX /etc/brave
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/brave
 ln -nsfv /etc/opt/chromium/policies /etc/brave/policies
 
 # Vivaldi
 mkdir -p /etc/chromium
-setfacl --recursive --modify=u:root:rwX,o:rX /etc/chromium
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/chromium
 ln -nsfv /etc/opt/chromium/policies /etc/chromium/policies
 
 # Google Chrome
 mkdir -p /etc/opt/chrome
-setfacl --recursive --modify=u:root:rwX,o:rX /etc/opt/chrome
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/opt/chrome
 ln -nsfv /etc/opt/chromium/policies /etc/opt/chrome/policies
 
 # Naggig suspicion of another Google Chrome
 mkdir -p /etc/chrome
-setfacl --recursive --modify=u:root:rwX,o:rX /etc/chrome
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/chrome
 ln -nsfv /etc/opt/chromium/policies /etc/chrome/policies
 
 # Microsoft Edge
 # I used to have a separate policy for it so remember to remove this manually
 # if it exists!
 mkdir -p /etc/opt/edge
-setfacl --recursive --modify=u:root:rwX,o:rX /etc/opt/edge
+setfacl --recursive --modify=u:root:rwX,g:root:rwX,o:rX /etc/opt/edge
 ln -nsfv /etc/opt/chromium/policies /etc/opt/edge/policies
 
+# Firefox Flatpak
+mkdir -vp "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
+mkdir -vp "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
+#cp -v /etc/firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
+#cp -v /etc/firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
+cp -v firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/stable/policies/"
+cp -v firefox/policies/policies.json "/var/lib/flatpak/extension/org.mozilla.firefox.systemconfig/$(uname -m)/beta/policies/"
+
+# Firefox flatpak autoconfig
+cp -v ../conf/autoconfig.js.online /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/defaults/pref/autoconfig.js
+#cp -v ../conf/firefox-forbidden-policies.js /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/
+chmod -v a+r /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/defaults/pref/autoconfig.js
+chmod -v a+r /var/lib/flatpak/app/org.mozilla.firefox/current/active/files/lib/firefox/firefox-forbidden-policies.js
+
+# Chromium Flatpak
+mkdir -vp "/var/lib/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/"
+cp -rv /etc/opt/chromium/policies/ "/var/lib/flatpak/extension/org.chromium.Chromium.Extension.system-policies/$(uname -m)/1/"
+
 set +x

etc/modprobe.d/blocklist-hdmi-audio.conf

@@ -1,3 +1,4 @@
 # Prevents HDMI driver from getting loaded and thus it appearing in
 # pavucontrol. Source: https://askubuntu.com/a/1127760
+# wokeignore:rule=blacklist
 blacklist snd_hda_codec_hdmi

etc/opt/chromium/policies/managed/aminda-extensions.json

@@ -11,7 +11,7 @@
 				"advancedSettings": [
 					[
 						"filterAuthorMode",
-						"true"
+						"false"
 					],
 					[
 						"trustedListPrefixes",
@@ -61,6 +61,7 @@
 						"ublock-cookies-adguard",
 						"ublock-cookies-easylist",
 						"https://secure.fanboy.co.nz/fanboy-annoyance.txt",
+						"https://gitflic.ru/project/magnolia1234/bypass-paywalls-clean-filters/blob/raw?file=bpc-paywall-filter.txt",
 						"https://ads-for-open-source.readthedocs.io/en/latest/_static/lists/opensource-ads.txt"
 					]
 				},
@@ -77,6 +78,10 @@
 						"collapseBlocked",
 						"true"
 					],
+					[
+						"colorBlindFriendly",
+						"false"
+					],
 					[
 						"ignoreGenericCosmeticFilters",
 						"true"
@@ -118,20 +123,6 @@
 					"+annoyances-overlays"
 				]
 			},
-			"mlojlfildnehdpnlmpkeiiglhhkofhpb": {
-				"toAdd": {
-					"trustedSiteDirectives": [
-						""
-					]
-				},
-				"toOverwrite": {
-					"filterLists": [
-						"easylist",
-						"adnauseam-filters",
-						"eff-dnt-whitelist"
-					]
-				}
-			},
 			"nngceckbapebfimnlniiiahkandclblb": {
 				"environment": {
 					"base": "https://vault.bitwarden.eu",
@@ -192,6 +183,12 @@
 			"toolbar_pin": "default_unpinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
+		"ammoloihpcbognfddfjcljgembpibcmb": {
+			"installation_mode": "allowed",
+			"override_update_url": true,
+			"toolbar_pin": "force_pinned",
+			"update_url": "https://clients2.google.com/service/update2/crx"
+		},
 		"cbimgpnbgalffiohilfglgkkhpegpjlo": {
 			"installation_mode": "normal_installed",
 			"override_update_url": true,
@@ -223,7 +220,7 @@
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
 		"doojmbjmlfjjnbmnoijecmcbfeoakpjm": {
-			"installation_mode": "normal_installed",
+			"installation_mode": "allowed",
 			"override_update_url": true,
 			"toolbar_pin": "force_pinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
@@ -235,7 +232,7 @@
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
 		"eimadpbcbfnmbkopoojfekhnkhdbieeh": {
-			"installation_mode": "normal_installed",
+			"installation_mode": "allowed",
 			"override_update_url": true,
 			"toolbar_pin": "force_pinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
@@ -275,12 +272,24 @@
 			"toolbar_pin": "force_pinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
+		"hjdoplcnndgiblooccencgcggcoihigg": {
+			"installation_mode": "force_installed",
+			"override_update_url": true,
+			"toolbar_pin": "force_pinned",
+			"update_url": "https://clients2.google.com/service/update2/crx"
+		},
 		"hojggiaghnldpcknpbciehjcaoafceil": {
 			"installation_mode": "normal_installed",
 			"override_update_url": true,
 			"toolbar_pin": "default_unpinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
+		"klmgadmgadfhjgomffmpamppmkajdloc": {
+			"installation_mode": "force_installed",
+			"override_update_url": true,
+			"toolbar_pin": "force_pinned",
+			"update_url": "https://clients2.google.com/service/update2/crx"
+		},
 		"mafpmfcccpbjnhfhjnllmmalhifmlcie": {
 			"installation_mode": "normal_installed",
 			"override_update_url": true,
@@ -316,6 +325,12 @@
 			"toolbar_pin": "default_unpinned",
 			"update_url": "https://clients2.google.com/service/update2/crx"
 		},
+		"pbnndmlekkboofhnbonilimejonapojg": {
+			"installation_mode": "normal_installed",
+			"override_update_url": true,
+			"toolbar_pin": "force_pinned",
+			"update_url": "https://clients2.google.com/service/update2/crx"
+		},
 		"pkehgijcmpdhfbdbbnkijodmdjhbjlgp": {
 			"installation_mode": "force_installed",
 			"override_update_url": true,

etc/opt/chromium/policies/managed/aminda-extensions.tsv

@@ -1,5 +1,6 @@
 ID	Name	Comment
 ajhmfdgkijocedmfjonnpjfojldioehi	Silk	
+ammoloihpcbognfddfjcljgembpibcmb	JShelter	
 bkdgflcldnnnapblkhphbgpggdiikppg	DuckDuckGo	
 caoacbimdbbljakfhgikoodekdnlcgpk	DuckDuckGo	
 cbimgpnbgalffiohilfglgkkhpegpjlo	QR Code	
@@ -16,8 +17,10 @@ fpnmgdkabkmnadcjpehmlllkndpkmiak	Wayback Machine
 gbiekjoijknlhijdjbaadobpkdhmoebb	Google IBA opt-out	Preparing for eventuality of Google killing adblockers by opting into non-targeted ads instead.
 gecgipfabdickgidpmbicneamekgbaej	Chrome Apps Launcher	BLOCKED. It means the ages ago deprecated Chrome apps, not PWAs.
 hgcomhbcacfkpffiphlmnlhpppcjgmbl	HTTP Indicator	
+hjdoplcnndgiblooccencgcggcoihigg	Terms of Service; Didn’t Read	
 hojggiaghnldpcknpbciehjcaoafceil	Fedora User Agent	
 iimpkhokkfekbpmoamlmcndclohnehhk	IPVFooBar	ManifestV2 unlike original IPvFoo
+klmgadmgadfhjgomffmpamppmkajdloc	Go European	
 mafpmfcccpbjnhfhjnllmmalhifmlcie	Tor Snowflake	
 mlojlfildnehdpnlmpkeiiglhhkofhpb	AdNauseam	
 mlojlfildnehdpnlmpkeiiglhhkofhpb	Ad Nauseam	
@@ -26,4 +29,5 @@ nngceckbapebfimnlniiiahkandclblb	Bitwarden
 obpoeflheeknapimliioeoefbfaakefn	Regrets Reporter	
 odfafepnkmbhccpbejgmiehpchacaeak	uBlock Origin	
 palihjnakafgffnompkdfgbgdbcagbko	UpdateSWH	
+pbnndmlekkboofhnbonilimejonapojg	Midnight Lizard	currently ManifestV2
 pkehgijcmpdhfbdbbnkijodmdjhbjlgp	PrivacyBadger	

etc/opt/chromium/policies/managed/generative-ai.json

@@ -1,6 +0,0 @@
-{
-	"CreateThemesSettings": 1,
-	"GenAILocalFoundationalModelSettings": 0,
-	"HelpMeWriteSettings": 1,
-	"TabOrganizerSettings": 1
-}

etc/opt/chromium/policies/recommended/ecosia.json

@@ -2,7 +2,7 @@
 	"DefaultSearchProviderEnabled": true,
 	"DefaultSearchProviderImageURL": "https://cdn-static.ecosia.org/static/icons/favicon.ico",
 	"DefaultSearchProviderKeyword": "e",
-	"DefaultSearchProviderName": "Ecosia",
+	"DefaultSearchProviderName": "Ecosia search",
 	"DefaultSearchProviderNewTabURL": "https://www.ecosia.org/newtab/?addon=chromegpo",
 	"DefaultSearchProviderSearchURL": "https://www.ecosia.org/search?q={searchTerms}&addon=chromegpo",
 	"DefaultSearchProviderSuggestURL": "https://ac.ecosia.org/autocomplete?q={searchTerms}",

etc/resolv.tsv

@@ -26,10 +26,10 @@ Mullvad All	https://all.dns.mullvad.net/dns-query	all.dns.mullvad.net	2a07:e340:
 Mullvad Base	https://base.dns.mullvad.net/dns-query	base.dns.mullvad.net	2a07:e340::4		194.242.2.4		https://github.com/mullvad/encrypted-dns-profiles		
 Mullvad Extended	https://extended.dns.mullvad.net/dns-query	extended.dns.mullvad.net	2a07:e340::5		194.242.2.5		https://github.com/mullvad/encrypted-dns-profiles		
 Mullvad Vanilla	https://dns.mullvad.net/dns-query	dns.mullvad.net	2a07:e340::2		194.242.2.2		https://github.com/mullvad/encrypted-dns-profiles	No 2023-03-11	I tested with https://gitea.blesmrt.net/mikaela/scripts/src/branch/master/bash/dns-ecs-debug.bash
-NextDNS	https://dns.nextdns.io	dns.nextdns.io	2a07:a8c1::	2a07:a8c0::	45.90.30.0	45.90.28.0	https://apple.nextdns.io/	opt-in, private, upstream whitelist	https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5
+NextDNS	https://dns.nextdns.io	dns.nextdns.io	2a07:a8c1::	2a07:a8c0::	45.90.30.0	45.90.28.0	https://apple.nextdns.io/	opt-in, private, upstream inclusion list	https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5
 NextDNS Firefox	https://firefox.dns.nextdns.io							no	
-OpenDNS	https://doh.opendns.com/dns-query	dns.opendns.com ? (#127)	2620:119:35::35	2620:119:53::53	208.67.222.222	208.67.220.220		yes, upstream whitelist	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
+OpenDNS	https://doh.opendns.com/dns-query	dns.opendns.com ? (#127)	2620:119:35::35	2620:119:53::53	208.67.222.222	208.67.220.220		yes, upstream inclusion list	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
-OpenDNS Family	https://doh.familyshield.opendns.com/dns-query				208.67.222.123	208.67.220.123		yes, upstream whitelist	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
+OpenDNS Family	https://doh.familyshield.opendns.com/dns-query				208.67.222.123	208.67.220.123		yes, upstream inclusion list	https://support.opendns.com/hc/articles/227987647-EDNS-Client-Subnet-FAQ
 Quad9 (Secure)	https://dns.quad9.net/dns-query	dns.quad9.net	2620:fe::fe	2620:fe::9	9.9.9.9	149.112.112.112	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	no	https://www.quad9.net/support/faq/#edns
 Quad9-10 (No Threat Blocking)	https://dns10.quad9.net/dns-query	dns10.quad9.net	2620:fe::10	2620:fe::fe:10	9.9.9.10	149.112.112.10	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	no	https://docs.quad9.net/services/
 Quad9-11 (Secure + ECS)	https://dns11.quad9.net/dns-query	dns11.quad9.net	2620:fe::11	2620:fe::fe:11	9.9.9.11	149.112.112.11	https://docs.quad9.net/Setup_Guides/iOS/iOS_14_and_later_%28Encrypted%29/#download-profile	yes	https://www.quad9.net/support/faq/#edns

etc/systemd/resolved.conf.d/10-dot-quad9.conf

@@ -3,14 +3,14 @@
 # encryption, but host a Quad9 node and giving these addresses instead.
 [Resolve]
 # Secure
-#DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
+DNS=2620:fe::9#dns.quad9.net 2620:fe::fe#dns.quad9.net [2620:fe::9]:8853#dns.quad9.net [2620:fe::fe]:8853#dns.quad9.net
-#DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
+DNS=149.112.112.112#dns.quad9.net 9.9.9.9#dns.quad9.net 149.112.112.112:8853#dns.quad9.net 9.9.9.9:8853#dns.quad9.net
 # No Threat Blocking
 #DNS=2620:fe::10#dns10.quad9.net 2620:fe::fe:10#dns10.quad9.net [2620:fe::10]:8853#dns10.quad9.net [2620:fe::fe:10]:8853#dns10.quad9.net
 #DNS=149.112.112.10#dns10.quad9.net 9.9.9.10#dns10.quad9.net 149.112.112.10:8853#dns10.quad9.net 9.9.9.10:8853#dns10.quad9.net
 # Secure + ECS. IPv4 first so it gets preferred as my Unbound likely prefers IPv6 anyway.
-DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
+#DNS=149.112.112.11#dns11.quad9.net 9.9.9.11#dns11.quad9.net 149.112.112.11:8853#dns11.quad9.net 9.9.9.11:8853#dns11.quad9.net
-DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
+#DNS=2620:fe::11#dns11.quad9.net 2620:fe::fe:11#dns11.quad9.net [2620:fe::11]:8853#dns11.quad9.net [2620:fe::fe:11]:8853#dns11.quad9.net
 # No Threat Blocking + ECS
 #DNS=2620:fe::12#dns12.quad9.net 2620:fe::fe:12#dns12.quad9.net [2620:fe::12]:8853#dns12.quad9.net [2620:fe::fe:12]:8853#dns12.quad9.net
 #DNS=9.9.9.12#dns12.quad9.net 149.112.112.12#dns12.quad9.net 9.9.9.12:8853#dns12.quad9.net 149.112.112.12:8853#dns12.quad9.net

etc/unbound/unbound.conf.d/.gitignore

@@ -1,4 +1,4 @@
+dot-.conf
 dot-nextdns.conf
 dot-trex.conf
 cache.conf
-dot-adguard-dns0.conf

etc/unbound/unbound.conf.d/dns-over-tls.conf

@@ -9,11 +9,16 @@ server:
 	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
 	qname-minimisation: no
 
-# This list is for my travel laptop to have at least one DoT443 server
+# This file keeps changing purpose between being just for my travel laptop
-# which seems to be applied-privacy.net. They advice having multiple DoT servers
+# and sometimes helps when I cannot decide what is important in a DNS server.
-# for redundancy and as they don't filter, it's best I use other non-filtering ones.
+
-# Since then this expanded to include <https://www.privacyguides.org/en/dns/>.
+# - applied-privacy.net provides DoT over 443 and tells you to use multiple
-# just look at git blame...
+#   servers for redundancy.
+# - cloudflare-dns.com contributes to https://radar.cloudflare.com which gets
+#   used by many others including PrivacyBadger most popular domains for its
+#   badgersett pretraining
+# - dns0.eu provides servers located only in the EU and private ECS
+# - adguard-dns.com provides private ECS around the world
 
 forward-zone:
 	name: "."
@@ -22,8 +27,8 @@ forward-zone:
 	# https://appliedprivacy.net/services/dns/ - Vienna, Austria, no ECS
 	forward-addr: 2a02:1b8:10:234::2@443#dot1.applied-privacy.net
 	forward-addr: 146.255.56.98@443#dot1.applied-privacy.net
-	forward-addr: 2a02:1b8:10:234::2@853#dot1.applied-privacy.net
+	#forward-addr: 2a02:1b8:10:234::2@853#dot1.applied-privacy.net
-	forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
+	#forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
 
 	# Cloudflare unfiltered, anycast, no ECS
 	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
@@ -32,24 +37,34 @@ forward-zone:
 	forward-addr: 1.0.0.1@853#cloudflare-dns.com
 
 	# Mullvad unfiltered, Anycast Sweden, no ECS
-	forward-addr: 194.242.2.2@853#dns.mullvad.net
+	#forward-addr: 194.242.2.2@853#dns.mullvad.net
-	forward-addr: 2a07:e340::2@853#dns.mullvad.net
+	#forward-addr: 2a07:e340::2@853#dns.mullvad.net
 
 	# Control D Free DNS unfilterd, anycast, no ECS
-	forward-addr: 76.76.2.0@853#p0.freedns.controld.com
+	#forward-addr: 76.76.2.0@853#p0.freedns.controld.com
-	forward-addr: 2606:1a40::@853#s0.freedns.controld.com
+	#forward-addr: 2606:1a40::@853#s0.freedns.controld.com
-	forward-addr: 76.76.10.0@853#p0.freedns.controld.com
+	#forward-addr: 76.76.10.0@853#p0.freedns.controld.com
-	forward-addr: 2606:1a40:1::@853#s0.freedns.controld.com
+	#forward-addr: 2606:1a40:1::@853#s0.freedns.controld.com
 
 	# Quad9 unfiltered, anycast, no ECS, no DNSSEC (Unbound does that)
-	forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
+	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
-	forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
+	#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
-	forward-addr: 149.112.112.10@853#dns10.quad9.net
+	#forward-addr: 149.112.112.10@853#dns10.quad9.net
-	forward-addr: 149.112.112.10@8853#dns10.quad9.net
+	#forward-addr: 149.112.112.10@8853#dns10.quad9.net
-	forward-addr: 2620:fe::10@853#dns10.quad9.net
+	#forward-addr: 2620:fe::10@853#dns10.quad9.net
-	forward-addr: 2620:fe::10@8853#dns10.quad9.net
+	#forward-addr: 2620:fe::10@8853#dns10.quad9.net
-	forward-addr: 9.9.9.10@853#dns10.quad9.net
+	#forward-addr: 9.9.9.10@853#dns10.quad9.net
-	forward-addr: 9.9.9.10@8853#dns10.quad9.net
+	#forward-addr: 9.9.9.10@8853#dns10.quad9.net
+
+	# Quad9 unfiltered, anycast, ECS, no DNSSEC (Unbound does that)
+	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
+	forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net
+	#forward-addr: 9.9.9.12@853#dns12.quad9.net
+	forward-addr: 9.9.9.12@8853#dns12.quad9.net
+	#forward-addr: 2620:fe::12@853#dns12.quad9.net
+	forward-addr: 2620:fe::12@8853#dns12.quad9.net
+	#forward-addr: 149.112.112.12@853#dns12.quad9.net
+	forward-addr: 149.112.112.12@8853#dns12.quad9.net
 
 	# https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS
 	forward-addr: 193.110.81.254@853#open.dns0.eu

etc/unbound/unbound.conf.d/dot-.conf

@@ -0,0 +1 @@
+dns-over-tls.conf

etc/unbound/unbound.conf.d/dot-adguard-dns0.conf

@@ -1 +0,0 @@
-dot-private-ecs.conf

etc/unbound/unbound.conf.d/dot-dns0-quad9.conf

@@ -1,33 +0,0 @@
-# This is a merging of dot-dns0.conf & dot-quad9.conf with weight on DNS0
-# IPv4 and when using IPv6, Quad9 Secure with ECS. IPv6 private ECS is
-# horribly inaccurate and I have minor leaning towards having ECS enabled.
-# Private ECS is a compromise between privacy and local destinations.
-#
-# Both are filtering DNS servers, so this brings risk of something being
-# blocked by only one of them. However both are non-profits and have servers
-# in Finland.
-
-server:
-	# Debian ca-certificates location
-	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
-	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-	# Use system certificates no matter where they are
-	tls-system-cert: yes
-	# Quad9 says pointless performance impact on forwarders.
-	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
-	qname-minimisation: no
-
-forward-zone:
-	name: "."
-	forward-tls-upstream: yes
-## DNS0.eu IPv4 Default
-	forward-addr: 193.110.81.0@853#dns0.eu
-	forward-addr: 185.253.5.0@853#dns0.eu
-## Quad9 IPv6 Secure + ECS
-	forward-addr: 2620:fe::11@8853#dns11.quad9.net
-	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
-	forward-addr: 2620:fe::11@853#dns11.quad9.net
-	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
-
-# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-fluhable-cache.conf.badidea

@@ -1,33 +0,0 @@
-# NOTE! Requires Unbound 1.7.3 or newer!
-# Based on https://www.ctrl.blog/entry/unbound-tls-forwarding.html
-
-server:
-	# Debian ca-certificates location
-	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora location
-	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-	# Use system certificates no matter where they are
-	tls-system-cert: yes
-	# Quad9 says pointless performance impact on forwarders.
-	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
-	qname-minimisation: no
-
-# DNS servers that have public button for flushing cache. Privacy not considered.
-
-forward-zone:
-	name: "."
-	forward-tls-upstream: yes
-
-	# Cloudflare / https://1.1.1.1/purge-cache/
-	forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
-	forward-addr: 1.1.1.1@853#cloudflare-dns.com
-	forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
-	forward-addr: 1.0.0.1@853#cloudflare-dns.com
-
-	# Google / https://dns.google/cache
-	forward-addr: 8.8.8.8@853#dns.google
-	forward-addr: 8.8.4.4@853#dns.google
-	forward-addr: 2001:4860:4860::8888@853#dns.google
-	forward-addr: 2001:4860:4860::8844@853#dns.google
-
-# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-private-ecs.conf

@@ -1,26 +0,0 @@
-server:
-	# Debian ca-certificates location
-	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
-	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-	# Use system certificates no matter where they are
-	tls-system-cert: yes
-	# Quad9 says pointless performance impact on forwarders.
-	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
-	qname-minimisation: no
-# AdGuard Public DNS without filtering.
-forward-zone:
-	name: "."
-	forward-tls-upstream: yes
-	# AdGuard Public DNS without filtering
-	forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
-	forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
-	forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
-	forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
-	# DNS0.eu without filtering
-	forward-addr: 193.110.81.254@853#open.dns0.eu
-	forward-addr: 185.253.5.254@853#open.dns0.eu
-	forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
-	forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
-
-# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-provider-zones.conf.badidea

@@ -1,86 +0,0 @@
-# This file attempts to send zones belonging to DNS operators to their DNS servers.
-# Inclusion criteria: I know and use the service.
-
-server:
-	# Debian ca-certificates location
-	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
-	# Fedora
-	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-	# Use system certificates no matter where they are
-	tls-system-cert: yes
-	# Quad9 says pointless performance impact on forwarders.
-	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
-	qname-minimisation: no
-
-forward-zone:
-	name: "google"
-	forward-tls-upstream: yes
-	# Must be explicit forward-addr for dns.google to be found
-	forward-addr: 2001:4860:4860::8844@853#dns.google
-	forward-addr: 2001:4860:4860::8888@853#dns.google
-	forward-addr: 8.8.4.4@853#dns.google
-	forward-addr: 8.8.8.8@853#dns.google
-
-forward-zone:
-	name: "google.fi"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-forward-zone:
-	name: "google.com"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-forward-zone:
-	name: "youtube.com"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-forward-zone:
-	name: "youtube-nocookie.com"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-forward-zone:
-	name: "youtu.be"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-forward-zone:
-	name: "googlevideo.com"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-forward-zone:
-	name: "ytimg.com"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-# forward-zone:
-# 	name: "googleusercontent.com"
-# 	forward-tls-upstream: yes
-#	forward-host: dns.google@853#dns.google
-
-
-forward-zone:
-	name: "gstatic.com"
-	forward-tls-upstream: yes
-	forward-host: dns.google@853#dns.google
-
-forward-zone:
-	name: "cloudflare-dns.com"
-	# Must be explicit for forward-addr
-	forward-addr: 2606:4700:4700::1112@853#security.cloudflare-dns.com
-	forward-addr: 2606:4700:4700::1002@853#security.cloudflare-dns.com
-	forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
-	forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
-
-forward-zone:
-	name: "cloudflare.com"
-	forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
-
-forward-zone:
-	name: "one.one"
-	forward-host: security.cloudflare-dns.com@853#security.cloudflare-dns.com
-
-# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/dot-quad9.conf

@@ -17,14 +17,14 @@ forward-zone:
 	name: "."
 	forward-tls-upstream: yes
 	## Secure
-	#forward-addr: 2620:fe::fe@853#dns.quad9.net
+	forward-addr: 2620:fe::fe@853#dns.quad9.net
-	#forward-addr: 2620:fe::fe@8853#dns.quad9.net
+	forward-addr: 2620:fe::fe@8853#dns.quad9.net
-	#forward-addr: 2620:fe::9@853#dns.quad9.net
+	forward-addr: 2620:fe::9@853#dns.quad9.net
-	#forward-addr: 2620:fe::9@8853#dns.quad9.net
+	forward-addr: 2620:fe::9@8853#dns.quad9.net
-	#forward-addr: 9.9.9.9@853#dns.quad9.net
+	forward-addr: 9.9.9.9@853#dns.quad9.net
-	#forward-addr: 9.9.9.9@8853#dns.quad9.net
+	forward-addr: 9.9.9.9@8853#dns.quad9.net
-	#forward-addr: 149.112.112.112@853#dns.quad9.net
+	forward-addr: 149.112.112.112@853#dns.quad9.net
-	#forward-addr: 149.112.112.112@8853#dns.quad9.net
+	forward-addr: 149.112.112.112@8853#dns.quad9.net
 	## No Threat Blocking
 	#forward-addr: 2620:fe::fe:10@853#dns10.quad9.net
 	#forward-addr: 2620:fe::fe:10@8853#dns10.quad9.net
@@ -35,14 +35,14 @@ forward-zone:
 	#forward-addr: 9.9.9.10@853#dns10.quad9.net
 	#forward-addr: 9.9.9.10@8853#dns10.quad9.net
 	## Secure + ECS
-	forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
+	#forward-addr: 2620:fe::fe:11@853#dns11.quad9.net
-	forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
+	#forward-addr: 2620:fe::fe:11@8853#dns11.quad9.net
-	forward-addr: 9.9.9.11@853#dns11.quad9.net
+	#forward-addr: 9.9.9.11@853#dns11.quad9.net
-	forward-addr: 9.9.9.11@8853#dns11.quad9.net
+	#forward-addr: 9.9.9.11@8853#dns11.quad9.net
-	forward-addr: 2620:fe::11@853#dns11.quad9.net
+	#forward-addr: 2620:fe::11@853#dns11.quad9.net
-	forward-addr: 2620:fe::11@8853#dns11.quad9.net
+	#forward-addr: 2620:fe::11@8853#dns11.quad9.net
-	forward-addr: 149.112.112.11@853#dns11.quad9.net
+	#forward-addr: 149.112.112.11@853#dns11.quad9.net
-	forward-addr: 149.112.112.11@8853#dns11.quad9.net
+	#forward-addr: 149.112.112.11@8853#dns11.quad9.net
 	## No Threat Blocking + ECS
 	#forward-addr: 2620:fe::fe:12@853#dns12.quad9.net
 	#forward-addr: 2620:fe::fe:12@8853#dns12.quad9.net

etc/unbound/unbound.conf.d/ecs.conf.sample

@@ -1,18 +0,0 @@
-# This will only affect servers that are accessed with public IP address!
-server:
-#module-config: "ipsecmod validator iterator"
-# subnetcache must be loaded for ecs
-module-config: "subnetcache validator iterator"
-# Send ECS everywhere always
-client-subnet-zone: "."
-client-subnet-always-forward: yes
-# Send different subnet size
-#max-client-subnet-ipv6: "16"
-#max-client-subnet-ipv4: "0"
-
-# IP address to send client subnets TO. Optionally /CIDR can be appended.
-# This actually means AUTHORITY servers!
-#send-client-subnet:
-#send-client-subnet:
-
-# vim: filetype=unbound.conf

etc/unbound/unbound.conf.d/well-known-dns.conf.badidea

@@ -1,89 +0,0 @@
-# The point of this file is to have these domains just work without having
-# to send queries, even if they are queried by web browser.
-server:
-# Quad9 Secure
-	local-zone: "dns.quad9.net." typetransparent
-	local-data: "dns.quad9.net. A 9.9.9.9"
-	local-data: "dns.quad9.net. A 149.112.112.112"
-	local-data: "dns.quad9.net. AAAA 2620:fe::fe"
-	local-data: "dns.quad9.net. AAAA 2620:fe::9"
-# Quad9 No Threat Blocking
-	local-zone: "dns10.quad9.net." typetransparent
-	local-data: "dns10.quad9.net. A 9.9.9.10"
-	local-data: "dns10.quad9.net. A 149.112.112.10"
-	local-data: "dns10.quad9.net. AAAA 2620:fe::10"
-	local-data: "dns10.quad9.net. AAAA 2620:fe::fe:10"
-# Quad9 Secure + ECS
-	local-zone: "dns11.quad9.net." typetransparent
-	local-data: "dns11.quad9.net. A 9.9.9.11"
-	local-data: "dns11.quad9.net. A 149.112.112.11"
-	local-data: "dns11.quad9.net. AAAA 2620:fe::11"
-	local-data: "dns11.quad9.net. AAAA 2620:fe::fe:11"
-# Quad9 No Threat Blocking + ECS
-	local-zone: "dns12.quad9.net." typetransparent
-	local-data: "dns12.quad9.net. A 9.9.9.12"
-	local-data: "dns12.quad9.net. A 149.112.112.12"
-	local-data: "dns12.quad9.net. AAAA 2620:fe::12"
-	local-data: "dns12.quad9.net. AAAA 2620:fe::fe:12"
-# DNS0 default
-	local-zone: "dns0.eu." typetransparent
-	local-data: "dns0.eu. A 193.110.81.0"
-	local-data: "dns0.eu. A 185.253.5.0"
-	local-data: "dns0.eu. AAAA 2a0f:fc80::"
-	local-data: "dns0.eu. AAAA 2a0f:fc81::"
-# DNS0 Zero
-	local-zone: "zero.dns0.eu." typetransparent
-	local-data: "zero.dns0.eu. A 193.110.81.9"
-	local-data: "zero.dns0.eu. A 185.253.5.9"
-	local-data: "zero.dns0.eu. AAAA 2a0f:fc80::9"
-	local-data: "zero.dns0.eu. AAAA 2a0f:fc81::9"
-# DNS0 Kids
-	local-zone: "kids.dns0.eu." typetransparent
-	local-data: "kids.dns0.eu. A 193.110.81.1"
-	local-data: "kids.dns0.eu. A 185.253.5.1"
-	local-data: "kids.dns0.eu. AAAA 2a0f:fc80::1"
-	local-data: "kids.dns0.eu. AAAA 2a0f:fc81::1"
-# DNS0 Open
-	local-zone: "open.dns0.eu." typetransparent
-	local-data: "open.dns0.eu. A 193.110.81.254"
-	local-data: "open.dns0.eu. A 185.253.5.254"
-	local-data: "open.dns0.eu. AAAA 2a0f:fc80::ffff"
-	local-data: "open.dns0.eu. AAAA 2a0f:fc81::ffff"
-# Cloudflare
-	local-zone: "cloudflare-dns.com." typetransparent
-	local-data: "cloudflare-dns.com. A 1.1.1.1"
-	local-data: "cloudflare-dns.com. A 1.0.0.1"
-	local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1111"
-	local-data: "cloudflare-dns.com. AAAA 2606:4700:4700::1001"
-	local-zone: "one.one.one.one." typetransparent
-	local-data: "one.one.one.one. CNAME cloudflare-dns.com."
-# Cloudflare Malware blocking
-	local-zone: "security.cloudflare-dns.com." typetransparent
-	local-data: "security.cloudflare-dns.com. A 1.1.1.2"
-	local-data: "security.cloudflare-dns.com. A 1.0.0.2"
-	local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1112"
-	local-data: "security.cloudflare-dns.com. AAAA 2606:4700:4700::1002"
-# Mullvad ad, tracker & malware block
-	local-zone: "base.dns.mullvad.net." typetransparent
-	local-data: "base.dns.mullvad.net. A 194.242.2.4"
-	local-data: "base.dns.mullvad.net. AAAA 2a07:e340::4"
-# AdGuard Default
-	local-zone: "dns.adguard-dns.com." typetransparent
-	local-data: "dns.adguard-dns.com. A 94.140.14.14"
-	local-data: "dns.adguard-dns.com. A 94.140.15.15"
-	local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad1:ff"
-	local-data: "dns.adguard-dns.com. AAAA 2a10:50c0::ad2:ff"
-# Google DNS
-	local-zone: "dns.google." typetransparent
-	local-data: "dns.google. A 8.8.8.8"
-	local-data: "dns.google. A 8.8.4.4"
-	local-data: "dns.google. AAAA 2001:4860:4860::8888"
-	local-data: "dns.google. AAAA 2001:4860:4860::8844"
-	local-zone: "dns.google.com." typetransparent
-	local-data: "dns.google.com. CNAME dns.google."
-# Google DNS64
-	local-zone: "dns64.dns.google." typetransparent
-	local-data: "dns64.dns.google. AAAA 2001:4860:4860::6464"
-	local-data: "dns64.dns.google. AAAA 2001:4860:4860::64"
-
-# vim: filetype=unbound.conf

package.json

@@ -1,13 +1,14 @@
 {
 	"devDependencies": {
-		"@aminda/global-prettier-config": "2025.10.0",
+		"@aminda/global-prettier-config": "2025.13.0",
 		"@prettier/plugin-ruby": "4.0.4",
 		"@prettier/plugin-xml": "3.4.1",
+		"corepack": "latest",
 		"prettier": "3.5.3",
 		"prettier-plugin-nginx": "1.0.3",
 		"prettier-plugin-sh": "0.15.0",
 		"prettier-plugin-toml": "2.0.2"
 	},
-	"packageManager": "pnpm@10.6.2+sha512.47870716bea1572b53df34ad8647b42962bc790ce2bf4562ba0f643237d7302a3d6a8ecef9e4bdfc01d23af1969aa90485d4cebb0b9638fa5ef1daef656f6c1b",
+	"packageManager": "pnpm@10.6.5+sha512.cdf928fca20832cd59ec53826492b7dc25dc524d4370b6b4adbf65803d32efaa6c1c88147c0ae4e8d579a6c9eec715757b50d4fa35eea179d868eada4ed043af",
 	"prettier": "@aminda/global-prettier-config"
 }

pnpm-lock.yaml

@@ -8,14 +8,17 @@ importers:
   .:
     devDependencies:
       "@aminda/global-prettier-config":
-        specifier: 2025.10.0
+        specifier: 2025.13.0
-        version: 2025.10.0
+        version: 2025.13.0
       "@prettier/plugin-ruby":
         specifier: 4.0.4
         version: 4.0.4(prettier@3.5.3)
       "@prettier/plugin-xml":
         specifier: 3.4.1
         version: 3.4.1(prettier@3.5.3)
+      corepack:
+        specifier: latest
+        version: 0.32.0
       prettier:
         specifier: 3.5.3
         version: 3.5.3
@@ -30,10 +33,10 @@ importers:
         version: 2.0.2(prettier@3.5.3)
 
 packages:
-  "@aminda/global-prettier-config@2025.10.0":
+  "@aminda/global-prettier-config@2025.13.0":
     resolution:
       {
-        integrity: sha512-7M2TWWTZDU6rU0AkcNeFSILuvh8lT3Mr0TAl/ZVctYWgWuzOzyRVZySwStl4o3Oj2QMCEEEky5wzJO8540rq1Q==,
+        integrity: sha512-1yRmlX7lrBu41eu7dcAF17fTYdbnTYp6o1zRKGUVku6ddz9rp0cjCw4QK1oNrUq7KU0GAAlxQtDfw0WlOzJw+A==,
       }
 
   "@prettier/plugin-ruby@4.0.4":
@@ -76,6 +79,14 @@ packages:
         integrity: sha512-wy3mC1x4ye+O+QkEinVJkPf5u2vsrDIYW9G7ZuwFl6v/Yu0LwUuT2POsb+NUWApebyxfkQq6+yDfRExbnI5rcw==,
       }
 
+  corepack@0.32.0:
+    resolution:
+      {
+        integrity: sha512-KhahVUFy7xL8OTty/ToY646hXMQhih8rnvUkA9/qnk/u4QUF2+SbQneX/zZnDxG1NiABFm5ojZCWnIv93oyhhQ==,
+      }
+    engines: { node: ^18.17.1 || ^20.10.0 || >=22.11.0 }
+    hasBin: true
+
   mvdan-sh@0.10.1:
     resolution:
       {
@@ -134,10 +145,11 @@ packages:
       }
 
 snapshots:
-  "@aminda/global-prettier-config@2025.10.0":
+  "@aminda/global-prettier-config@2025.13.0":
     dependencies:
       "@prettier/plugin-ruby": 4.0.4(prettier@3.5.3)
       "@prettier/plugin-xml": 3.4.1(prettier@3.5.3)
+      corepack: 0.32.0
       prettier: 3.5.3
       prettier-plugin-nginx: 1.0.3
       prettier-plugin-sh: 0.15.0(prettier@3.5.3)
@@ -166,6 +178,8 @@ snapshots:
     dependencies:
       regexp-to-ast: 0.5.0
 
+  corepack@0.32.0: {}
+
   mvdan-sh@0.10.1: {}
 
   prettier-plugin-nginx@1.0.3: {}

rc/bashrc

@@ -159,8 +159,8 @@ if hash lsb_release 2> /dev/null; then
 		unset LC_ALL
 	)
 
-	# Only print motivational phrases if username is aminda or mikaela
+	# Only print motivational phrases if username is aminda or mikaela or deck
-	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]]; then
+	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]] || [[ $(whoami) == deck ]]; then
 		if hash python3 2> /dev/null; then
 			(
 				# Motivational messages
@@ -191,6 +191,7 @@ Aferoj emas funkcii sin mem...\tOM MANI PEME HUNG...
 		# And this from sudo + the general advice for auditability
 		(printf "We trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n\t#1) Respect the privacy of others.\n\t#2) Think before you type.\n\t#3) With great power comes great responsibility.\n\nAdditionally you shouldn't be logging in as root directly.\n\n")
 	fi
+	printf "\tMake your tech grayscale painting your life with colours\n"
 fi
 
 #####	Environment					7RS56S	#####

rc/zshrc

@@ -55,8 +55,8 @@ if hash lsb_release 2> /dev/null; then
 		unset LC_ALL
 	)
 
-	# Only print motivational phrases if username is aminda or mikaela
+	# Only print motivational phrases if username is aminda or mikaela or deck
-	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]]; then
+	if [[ $(whoami) == aminda ]] || [[ $(whoami) == mikaela ]] || [[ $(whoami) == deck ]]; then
 		if hash python3 2> /dev/null; then
 			(
 				# Motivational messages
@@ -87,6 +87,7 @@ Aferoj emas funkcii sin mem...\tOM MANI PEME HUNG...
 		# And this from sudo + the general advice for auditability
 		(printf "We trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n\t#1) Respect the privacy of others.\n\t#2) Think before you type.\n\t#3) With great power comes great responsibility.\n\nAdditionally you shouldn't be logging in as root directly.\n\n")
 	fi
+	printf "\tMake your tech grayscale painting your life with colours\n"
 fi
 
 #####	Defaults etc...				M0TZLS	#####