-rw-r--r--etc/dnsmasq.conf2
-rw-r--r--etc/dovecot/dovecot.conf38
-rw-r--r--etc/gai.conf65
-rw-r--r--etc/myconf/cfgl_meta6
-rw-r--r--etc/netns/ns0/nftables.conf6
-rw-r--r--etc/nftables.conf6
-rw-r--r--etc/postfix/main.cf2
-rw-r--r--etc/services26
-rw-r--r--etc/ssh/ssh_config.d/my_ssh_config.conf2
-rw-r--r--etc/sudoers2
-rw-r--r--etc/systemd/system/sshd-ns0.service19
-rw-r--r--etc/systemd/system/swgp-go.service.d/override.conf5
-rw-r--r--home/xyz/.bashrc20
-rw-r--r--home/xyz/.config/myconf/pacman_Qqme2
-rw-r--r--home/xyz/.config/myconf/pacman_Qqne4
-rw-r--r--home/xyz/.config/myconf/sye2
-rw-r--r--home/xyz/.config/myconf/syue6
17 files changed, 157 insertions, 56 deletions
diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf
index 9ab206b1..743f55aa 100644
--- a/etc/dnsmasq.conf
+++ b/etc/dnsmasq.conf
@@ -118,7 +118,7 @@ no-resolv
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
# you use this.)
-listen-address=::1,127.0.0.1
+#listen-address=
# If you want dnsmasq to provide only DNS service on an interface,
# configure it as shown above, and then use the following line to
# disable DHCP and TFTP on it.
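Review bot: Commenting out `listen-address` removes the only address restriction visible here, so unless an `interface=` or `bind-interfaces` line elsewhere in the file narrows it, dnsmasq now binds every interface and answers any client that can reach it; the host nftables rules become the only thing keeping it from acting as an open resolver. The old value confined it to loopback, which is what the surrounding template comment describes. If the intent is to serve the namespace/WireGuard clients, record that next to the line, e.g. `# listens on all interfaces on purpose: ns0/WireGuard clients resolve through this host; reachability is limited by nftables`; otherwise restore a `listen-address=` or `interface=` list. The rest of the file is outside this hunk, so this may already be covered.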
diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf
index e7d11a07..b4001ada 100644
--- a/etc/dovecot/dovecot.conf
+++ b/etc/dovecot/dovecot.conf
@@ -1,8 +1,23 @@
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#default-settings
+# needed for 2.4
+dovecot_config_version = 2.4.2
+dovecot_storage_version = 2.4.2
+
# Edited from `doveconf -nP`, see https://doc.dovecot.org/2.3/configuration_manual/quick_configuration/#split-configuration-files
-mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+# > mail_location setting & mail userdb field Split into multiple mail_* settings.
+mail_driver = maildir
+mail_path = ~/Mail
+# https://doc.dovecot.org/2.4.1/core/config/mail_location.html#mail_inbox_path
+mail_inbox_path = ~/Mail/Inbox
+# https://doc.dovecot.org/2.4.1/core/config/mailbox_formats/maildir.html#directory-layout
+# > use hierarchical directories, such as Maildir/folder/ Maildir/folder/subfolder/
+mailbox_list_layout = fs
namespace inbox {
inbox = yes
- location =
+ # https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+ # namespace { location } setting is changed in 2.4, it is kinda no need to
+ # so I just removed, not remove will error
mailbox Archive {
auto = subscribe
special_use = \Archive
@@ -29,7 +44,9 @@ namespace inbox {
}
prefix =
}
-passdb {
+# https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html#passdb-userdb-section-naming
+# > passdb and userdb sections now require a name
+passdb some_name {
driver = pam
}
service auth {
@@ -40,9 +57,16 @@ service auth {
}
}
ssl = required
-ssl_cert = </etc/postfix/flylightning.pem
-ssl_dh = </etc/dovecot/dh.pem
-ssl_key = </etc/postfix/flylightning.key
-userdb {
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+# ssl_cert, ssl_dh, ssl_key name changed
+ssl_server_cert_file = /etc/postfix/flylightning.pem
+ssl_server_dh_file = /etc/dovecot/dh.pem
+ssl_server_key_file = /etc/postfix/flylightning.key
+userdb some_name {
driver = passwd
}
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#default-settings
+# > No protocols are enabled by default.
+# In the past, imap pop3 lmtp are enabled by default. Now none I only need
+# imaps, so I put imap here
+protocols = imap
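Review bot: `ssl_server_key_file` now points at `/etc/postfix/flylightning.key`, a private key shared with Postfix, and nothing in the hunk records who may read it; the `cfgl_meta` file elsewhere in this commit tracks modes for config files but does not list this key. A comment beside the three `ssl_server_*` lines stating the expected ownership and mode, e.g. `# key is root-owned and not world-readable; read at config load as the old ssl_key = <path form was — confirm against the 2.4 docs`, makes that assumption visible. Separately, `passdb some_name` and `userdb some_name` keep the placeholder from the upgrade guide; naming the sections after their drivers (`passdb pam {`, `userdb passwd {`) documents them at no cost.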
diff --git a/etc/gai.conf b/etc/gai.conf
new file mode 100644
index 00000000..ac96e422
--- /dev/null
+++ b/etc/gai.conf
@@ -0,0 +1,65 @@
+# Configuration for getaddrinfo(3).
+#
+# So far only configuration for the destination address sorting is needed.
+# RFC 3484 governs the sorting. But the RFC also says that system
+# administrators should be able to overwrite the defaults. This can be
+# achieved here.
+#
+# All lines have an initial identifier specifying the option followed by
+# up to two values. Information specified in this file replaces the
+# default information. Complete absence of data of one kind causes the
+# appropriate default information to be used. The supported commands include:
+#
+# reload <yes|no>
+# If set to yes, each getaddrinfo(3) call will check whether this file
+# changed and if necessary reload. This option should not really be
+# used. There are possible runtime problems. The default is no.
+#
+# label <mask> <value>
+# Add another rule to the RFC 3484 label table. See section 2.1 in
+# RFC 3484. The default is:
+#
+#label ::1/128 0
+#label ::/0 1
+#label 2002::/16 2
+#label ::/96 3
+#label ::ffff:0:0/96 4
+#label fec0::/10 5
+#label fc00::/7 6
+#label 2001:0::/32 7
+#
+# This default differs from the tables given in RFC 3484 by handling
+# (now obsolete) site-local IPv6 addresses and Unique Local Addresses.
+# The reason for this difference is that these addresses are never
+# NATed while IPv4 site-local addresses most probably are. Given
+# the precedence of IPv6 over IPv4 (see below) on machines having only
+# site-local IPv4 and IPv6 addresses a lookup for a global address would
+# see the IPv6 be preferred. The result is a long delay because the
+# site-local IPv6 addresses cannot be used while the IPv4 address is
+# (at least for the foreseeable future) NATed. We also treat Teredo
+# tunnels special.
+#
+# precedence <mask> <value>
+# Add another rule to the RFC 3484 precedence table. See section 2.1
+# and 10.3 in RFC 3484. The default is:
+#
+#precedence ::1/128 50
+#precedence ::/0 40
+#precedence 2002::/16 30
+#precedence ::/96 20
+#precedence ::ffff:0:0/96 10
+#
+# For sites which prefer IPv4 connections change the last line to
+#
+precedence ::ffff:0:0/96 100
+
+#
+# scopev4 <mask> <value>
+# Add another rule to the RFC 6724 scope table for IPv4 addresses.
+# By default the scope IDs described in section 3.2 in RFC 6724 are
+# used. Changing these defaults should hardly ever be necessary.
+# The defaults are equivalent to:
+#
+#scopev4 ::ffff:169.254.0.0/112 2
+#scopev4 ::ffff:127.0.0.0/104 2
+#scopev4 ::ffff:0.0.0.0/96 14
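Review bot: The only active line, `precedence ::ffff:0:0/96 100`, is introduced by the template text as "change the last line", which reads as if the four commented defaults above it stay in force, but the header of this same file says information given here replaces the default information of that kind, so a single uncommented precedence rule replaces the whole default precedence table (addresses matching no rule then get glibc's built-in fallback value — verify for the installed glibc). The practical effect still prefers IPv4, but loopback and 6to4 lose their distinct precedence. A short comment above the line would prevent surprises, e.g. `# NOTE: any precedence entry replaces the entire default precedence table; uncomment the defaults above if they are wanted alongside this one`. The rest of the file is the unmodified glibc template.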
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 69812ef9..6c9f2ab2 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -8,6 +8,7 @@
755 root root //etc/dovecot
644 root root //etc/dovecot/dovecot.conf
644 root root //etc/fstab
+644 root root //etc/gai.conf
644 root root //etc/hostname
644 root root //etc/locale.conf
644 root root //etc/locale.gen
@@ -34,8 +35,6 @@
644 root root //etc/resolv.conf
644 root root //etc/services
755 root root //etc/ssh
-755 root root //etc/ssh/ssh_config.d
-644 root root //etc/ssh/ssh_config.d/my_ssh_config.conf
644 root root //etc/ssh/sshd_config
440 root root //etc/sudoers
755 root root //etc/systemd
@@ -54,8 +53,7 @@
644 root root //etc/systemd/system/paccache.service.d/10-remove-all.conf
755 root root //etc/systemd/system/qbittorrent-nox@.service.d
644 root root //etc/systemd/system/qbittorrent-nox@.service.d/override.conf
-755 root root //etc/systemd/system/swgp-go.service.d
-644 root root //etc/systemd/system/swgp-go.service.d/override.conf
+644 root root //etc/systemd/system/sshd-ns0.service
755 root root //etc/systemd/system/wg-quick@.service.d
644 root root //etc/systemd/system/wg-quick@.service.d/override.conf
755 root root //etc/tmpfiles.d
diff --git a/etc/netns/ns0/nftables.conf b/etc/netns/ns0/nftables.conf
index b0c1237c..d0643505 100644
--- a/etc/netns/ns0/nftables.conf
+++ b/etc/netns/ns0/nftables.conf
@@ -22,17 +22,17 @@ table inet my_table {
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
+ iifname $wg_iface ip saddr 10.0.0.1 accept comment "allow from wireguard insp ip"
+ iifname $wg_iface ip6 saddr fdc9:281f:04d7:9ee9::1 accept comment "allow from wireguard insp ip"
ip protocol icmp accept
meta l4proto ipv6-icmp accept
- #tcp dport ssh accept
+ tcp dport ssh accept
#tcp dport qbt-nox accept
tcp dport qbt accept
udp dport qbt accept
#tcp dport iperf3 accept
udp dport wireguard accept
- udp dport swgp accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
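Review bot: The newly enabled `tcp dport ssh accept` carries no `iifname` qualifier, so the sshd that `sshd-ns0.service` starts inside ns0 is reachable on port 22 from every interface in that namespace, not only from the WireGuard peer; the two `iifname $wg_iface ... saddr` rules above already accept all traffic from the peer addresses, so the bare rule only adds exposure on the other interfaces. If SSH is meant to arrive only over WireGuard, the rule is redundant and can stay commented; if it is meant for the uplink, say so in the comment field, e.g. `tcp dport ssh accept comment "ssh from uplink, intended"`. The `table inet my_table` block starts before this hunk, so I cannot see the chain policy, though the trailing reject suggests the chain is closed by default.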
diff --git a/etc/nftables.conf b/etc/nftables.conf
index ebf4a082..6aed40f0 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -32,12 +32,12 @@ table inet my_table {
tcp dport http accept
# email related ports
tcp dport smtp accept
- tcp dport pop3 accept
- tcp dport imap accept
+ #tcp dport pop3 accept
+ #tcp dport imap accept
tcp dport submissions accept
tcp dport submission accept
tcp dport imaps accept
- tcp dport pop3s accept
+ #tcp dport pop3s accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index a919bc84..f7b2a56b 100644
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -743,5 +743,5 @@ sample_directory = /etc/postfix
#
readme_directory = /usr/share/doc/postfix
inet_protocols = ipv4
-meta_directory = /etc/postfix
shlib_directory = /usr/lib/postfix
+meta_directory = /etc/postfix
diff --git a/etc/services b/etc/services
index b7d2fd1c..e42132f7 100644
--- a/etc/services
+++ b/etc/services
@@ -455,6 +455,7 @@ fxp 286/tcp
fxp 286/udp
k-block 287/tcp
k-block 287/udp
+tacacss 300/tcp
novastorbakcup 308/tcp
novastorbakcup 308/udp
entrusttime 309/tcp
@@ -1315,12 +1316,6 @@ pkix-3-ca-ra 829/tcp
pkix-3-ca-ra 829/udp
netconf-ssh 830/tcp
netconf-ssh 830/udp
-netconf-beep 831/tcp
-netconf-beep 831/udp
-netconfsoaphttp 832/tcp
-netconfsoaphttp 832/udp
-netconfsoapbeep 833/tcp
-netconfsoapbeep 833/udp
dhcp-failover2 847/tcp
dhcp-failover2 847/udp
gdoi 848/tcp
@@ -7675,8 +7670,8 @@ perrla 4313/tcp
choiceview-agt 4314/tcp
choiceview-clt 4316/tcp
opentelemetry 4317/tcp
-fox-skytale 4319/tcp
-fox-skytale 4319/udp
+skytale 4319/tcp
+skytale 4319/udp
fdt-rcatp 4320/tcp
fdt-rcatp 4320/udp
rwhois 4321/tcp
@@ -7799,8 +7794,8 @@ netcabinet-com 4409/tcp
itwo-server 4410/tcp
found 4411/tcp
smallchat 4412/udp
-avi-nms 4413/tcp
-avi-nms-disc 4413/udp
+vision-mon 4413/tcp
+vision-mon-disc 4413/udp
updog 4414/tcp
brcd-vr-req 4415/tcp
pjj-player 4416/tcp
@@ -7875,6 +7870,7 @@ awacs-ice 4488/udp
ipsec-nat-t 4500/tcp
ipsec-nat-t 4500/udp
a25-fap-fgw 4502/sctp
+m-bus-oms 4503/udp
armagetronad 4534/udp
ehs 4535/tcp
ehs 4535/udp
@@ -8094,6 +8090,7 @@ vxlan-gpe 4790/udp
roce 4791/udp
unified-bus 4792/tcp
unified-bus 4792/udp
+uet 4793/udp
iims 4800/tcp
iims 4800/udp
iwec 4801/tcp
@@ -10479,6 +10476,7 @@ odnsp 9966/udp
xybrid-rt 9978/tcp
visweather 9979/tcp
pumpkindb 9981/tcp
+kaostransport 9986/tcp
dsm-scm-target 9987/tcp
dsm-scm-target 9987/udp
nsesrvr 9988/tcp
@@ -11014,6 +11012,7 @@ notezilla-lan 21010/tcp
trinket-agent 21212/tcp
cohesity-agent 21213/tcp
aigairserver 21221/tcp
+xahaud 21337/tcp
rdm-tfs 21553/tcp
dfserver 21554/tcp
dfserver 21554/udp
@@ -11128,6 +11127,7 @@ binkp 24554/tcp
binkp 24554/udp
bilobit 24577/tcp
bilobit-update 24577/udp
+udpstp 24601/udp
sdtvwcam 24666/tcp
canditv 24676/tcp
canditv 24676/udp
@@ -11443,8 +11443,8 @@ ciscocsdb 43441/udp
z-wave-tunnel 44123/tcp
pmcd 44321/tcp
pmcd 44321/udp
-pmcdproxy 44322/tcp
-pmcdproxy 44322/udp
+pmproxy 44322/tcp
+pmproxy 44322/udp
pmwebapi 44323/tcp
cognex-dataman 44444/tcp
acronis-backup 44445/tcp
@@ -11522,9 +11522,7 @@ inspider 49150/tcp
# My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
# https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
wireguard 49432/udp
-ssh-isp 49812/tcp
iperf3 53497/tcp
-swgp 54635/udp
# qbittorrent-nox web ui port for remote access browser gui
qbt-nox 57151/tcp
# qbittorrent/ options/ connection/ listening port
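Review bot: Removing `ssh-isp 49812/tcp` breaks any configuration that still refers to the port by name; the deleted `my_ssh_config.conf` was the client side, but `/etc/ssh/sshd_config` is not part of this commit, and if it still contains `Port ssh-isp` both `sshd.service` and the new `sshd-ns0.service` will fail to start on an unresolvable port name. Confirm sshd_config uses a numeric port, or keep the alias until it does. The removal of `swgp` is consistent with the deleted swgp-go units, and the earlier hunks in this file are IANA list updates that need no review.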
diff --git a/etc/ssh/ssh_config.d/my_ssh_config.conf b/etc/ssh/ssh_config.d/my_ssh_config.conf
deleted file mode 100644
index a5f1fca3..00000000
--- a/etc/ssh/ssh_config.d/my_ssh_config.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-Host flylightning.xyz
- Port ssh-isp
diff --git a/etc/sudoers b/etc/sudoers
index 94678ba5..faf0e3f7 100644
--- a/etc/sudoers
+++ b/etc/sudoers
@@ -128,7 +128,7 @@ root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL:ALL) ALL
+# %sudo ALL=(ALL:ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
diff --git a/etc/systemd/system/sshd-ns0.service b/etc/systemd/system/sshd-ns0.service
new file mode 100644
index 00000000..d66b8932
--- /dev/null
+++ b/etc/systemd/system/sshd-ns0.service
@@ -0,0 +1,19 @@
+# modified from /usr/lib/systemd/system/sshd.service
+
+[Unit]
+After=network.target sshdgenkeys.service
+Before=ssh-access.target
+Description=OpenSSH Daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshdgenkeys.service ssh-access.target
+After=ns0.service
+
+[Service]
+Type=notify-reload
+ExecStart=/usr/bin/sshd -D
+KillMode=process
+Restart=always
+NetworkNamespacePath=/run/netns/ns0
+
+[Install]
+WantedBy=multi-user.target
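Review bot: `NetworkNamespacePath=/run/netns/ns0` needs the namespace to exist already, but the unit only orders itself with `After=ns0.service` and never pulls that unit in, so on a boot where ns0.service is not started for another reason this service fails instead of being held back; add `Requires=ns0.service` (or `BindsTo=ns0.service`) beside the `After=` line. `ExecStart=/usr/bin/sshd -D` also runs with the same `/etc/ssh/sshd_config`, host keys and, I believe, the same default pid file as the host `sshd.service`, so a `Port`/`ListenAddress`/`AllowUsers` change there applies to both daemons at once; a comment such as `# shares /etc/ssh/sshd_config and host keys with sshd.service; a per-instance -f config would separate them` records that coupling. `Description=OpenSSH Daemon` is a verbatim copy of the stock unit; `Description=OpenSSH Daemon (ns0 network namespace)` keeps `systemctl status` output unambiguous.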
diff --git a/etc/systemd/system/swgp-go.service.d/override.conf b/etc/systemd/system/swgp-go.service.d/override.conf
deleted file mode 100644
index bb775d08..00000000
--- a/etc/systemd/system/swgp-go.service.d/override.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-[Unit]
-After=ns0.service
-
-[Service]
-NetworkNamespacePath=/run/netns/ns0
diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc
index 98accc32..375c0d5d 100644
--- a/home/xyz/.bashrc
+++ b/home/xyz/.bashrc
@@ -53,7 +53,12 @@ alias c=cfg
alias cri='curl -Is'
alias crig='curl -Is www.google.com'
alias d='sdcv --color'
-alias e='"$PAGER"'
+# Using '"$PAGER"' will cause complete-alias unable to complete "e <tab>" and
+# "e --<tab>". I don't know why alias v='"$EDITOR"' does not have this issue, I
+# guess maybe it is related to less has some fzf completion? see `complete -p
+# less` output is "complete -F _fzf_path_completion less". Temporary ignore
+# shellcheck warnings about this if not met any issues.
+alias e="$PAGER"
# https://superuser.com/a/1202867
alias fdu="find . -maxdepth 1 -execdir du -sh '{}' \+ | sort -h"
alias g=git
@@ -63,13 +68,17 @@ alias grr='grep --color=auto -iIR'
alias h=htop
alias i=nsxiv
alias j=journalctl
+alias ju='journalctl --user'
alias l='ls --color=auto -A --group-directories-first'
alias ll='ls --color=auto -lAh --group-directories-first'
#alias lo=loop
alias lop='loop ping'
alias lopd='loop ping 9.9.9.9'
alias m=man
+alias mpf='mpra -c "$HOME/programs/repos/fly/any/fsh-git"; sudo pacman -Sy fsh-git --noconfirm'
alias p=pacman
+# Pacman Qqne Redirect
+alias pqr='pacman -Qqne > "$XDG_CONFIG_HOME/myconf/pacman_Qqne"; pacman -Qqme > "$XDG_CONFIG_HOME/myconf/pacman_Qqme"'
alias pt=pactree
alias pu=paru
alias qre='qrencode -t utf8i -m 1'
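Review bot: `alias mpf` ends in `sudo pacman -Sy fsh-git --noconfirm`, which refreshes the sync databases and installs a single package without upgrading the rest — the partial-upgrade pattern Arch documents as unsupported — and `--noconfirm` removes the prompt that would show what is being replaced. If the `-y` is there to pick up the freshly built package from a local repo, `sudo pacman -Syu fsh-git --noconfirm` reaches the same goal while keeping the system consistent. The `pqr` and `yer` aliases in this and the later hunk only redirect command output and look fine.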
@@ -80,10 +89,6 @@ alias sa='ssh-add -l || ssh-add'
alias se='sudo -E '
alias sp='ssh pp'
alias spd='speedtest; librespeed-cli'
-alias sst='ssh studio'
-# \" to consider $HOME contain space, need \ else " will be expanded locally, need \$ else $HOME will expand locally
-# can test with: alias mytest='ssh studio for i in \"\$SSH_CONNECTION\"\; do echo \$i\; echo a\; done'
-alias sstm='ssh -t -- studio mpra -c \"\$HOME/programs/repos/fly/any/fsh-git\"'
# can test this mess with `alias tt='echo "\$haha \"lala\""'`
alias sun='printf "set \$Longitude \"-121.89\"\nset \$Latitude \"37.34\"\nrem [sunrise()] msg sunrise\nrem [sunset()] msg sunset" | remind -n -'
# another way:
@@ -94,6 +99,9 @@ alias y=systemctl
alias yd='systemctl list-dependencies --all'
alias ydr='systemctl list-dependencies --all --reverse'
alias ye='systemctl list-unit-files --state=enabled'
+# sYstemctl Enabled Redirect
+alias yer='systemctl list-unit-files --state=enabled > "$XDG_CONFIG_HOME/myconf/sye"; systemctl --user list-unit-files --state=enabled > "$XDG_CONFIG_HOME/myconf/syue"'
+alias yr='systemctl restart'
alias ys='systemctl status'
alias yu='systemctl --user'
alias yue='systemctl --user list-unit-files --state=enabled'
@@ -112,6 +120,7 @@ alias vrm='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/others/recurring_maintenance.md"'
alias vt='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/others/tmp_mobile_notes.md"'
alias xmr='monero-wallet-cli --config-file="$HOME/.bitmonero/monero-wallet-cli.conf"'
alias xmrds='monerod status; monerod print_net_stats'
+alias xr='xset r rate 250 30'
alias za='zoxide add'
#alias zq='zoxide query'
#alias zqi='zoxide query -i'
@@ -126,6 +135,7 @@ alias glmark2='glmark2 --fullscreen --annotate'
alias grep='grep --color=auto'
#alias info='info --vi-keys'
alias ls='ls --color=auto'
+alias nethogs='nethogs -C'
alias radeontop='radeontop -c'
alias rem='rem -@'
alias remind='remind -@'
diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme
index 026331c3..c39c2113 100644
--- a/home/xyz/.config/myconf/pacman_Qqme
+++ b/home/xyz/.config/myconf/pacman_Qqme
@@ -1,6 +1,5 @@
absolutely-proprietary
acme.sh-systemd
-atool2-git
bash-complete-alias
dashbinsh
grub-hook
@@ -10,5 +9,4 @@ librespeed-cli-bin
neovim-plug
paru-bin
pipdeptree
-swgp-go
task-spooler
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 1a867aca..e1d7a431 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -1,4 +1,3 @@
-7zip
base
base-devel
bash-completion
@@ -52,11 +51,8 @@ testdisk
tinyxxd
traceroute
tree
-unrar-free
-unzip
vidir2-git
wget
wireguard-tools
xdg-user-dirs
-zip
zoxide
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index d7692c8f..52c84f3f 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
@@ -9,8 +9,8 @@ ns0.service enabled disabled
opendkim.service enabled disabled
opendmarc.service enabled disabled
postfix.service enabled disabled
+sshd-ns0.service enabled disabled
sshd.service enabled disabled
-swgp-go.service enabled disabled
systemd-network-generator.service enabled enabled
systemd-networkd-wait-online.service enabled enabled
systemd-networkd.service enabled enabled
diff --git a/home/xyz/.config/myconf/syue b/home/xyz/.config/myconf/syue
index a280d38a..e9f32533 100644
--- a/home/xyz/.config/myconf/syue
+++ b/home/xyz/.config/myconf/syue
@@ -1,5 +1,5 @@
-UNIT FILE STATE PRESET
-xdg-user-dirs-update.service enabled enabled
-p11-kit-server.socket enabled enabled
+UNIT FILE STATE PRESET
+xdg-user-dirs.service enabled enabled
+p11-kit-server.socket enabled enabled
2 unit files listed.