Diffstat (limited to 'etc')
| -rw-r--r-- | etc/cgitrc | 116 | ||||
| -rw-r--r-- | etc/dnsmasq.conf | 696 | ||||
| -rw-r--r-- | etc/dovecot/dovecot.conf | 38 | ||||
| -rw-r--r-- | etc/highlight/filetypes.conf | 185 | ||||
| -rw-r--r-- | etc/myconf/cfgl_meta | 38 | ||||
| -rw-r--r-- | etc/nftables.conf | 30 | ||||
| -rw-r--r-- | etc/nginx/nginx.conf | 227 | ||||
| -rw-r--r-- | etc/pacman.d/hooks/highlight-css.hook | 13 | ||||
| -rw-r--r-- | etc/postfix/main.cf | 2 | ||||
| -rw-r--r--[l---------] | etc/resolv.conf | 4 | ||||
| -rw-r--r-- | etc/services | 32 | ||||
| -rw-r--r-- | etc/ssh/ssh_config.d/my_ssh_config.conf | 2 | ||||
| -rw-r--r-- | etc/sudoers | 2 | ||||
| -rw-r--r-- | etc/systemd/system/acme.sh.service.d/override.conf | 9 | ||||
| l--------- | etc/systemd/system/sockets.target.wants/uwsgi@cgit.socket | 1 | ||||
| -rw-r--r-- | etc/uwsgi/cgit.ini | 14 |
16 files changed, 1355 insertions, 54 deletions
diff --git a/etc/cgitrc b/etc/cgitrc
new file mode 100644
index 00000000..1b439c53
--- /dev/null
+++ b/etc/cgitrc
@@ -0,0 +1,116 @@
+# https://wiki.archlinux.org/title/Cgit#Configuration_of_cgit
+# https://wiki.gentoo.org/wiki/User:Halcon/HOWTO_cgit_uwsgi_nginx
+# `man cgitrc`
+
+cache-size=1000
+enable-index-owner=0
+mimetype-file=/etc/mime.types
+# https://stackoverflow.com/questions/16182421/cgit-and-nginx-url-rewrite
+virtual-root=/
+
+# useful but may makes page generation slow, maybe disable
+# can see the log via `journalctl -b -u uwsgi@cgit` and search less pager with sth. like `/[0-9]{3} msecs`
+#enable-blame=1
+#enable-log-filecount=1
+#enable-log-linecount=1
+# showing branch merge, ex: https://git.flylightning.xyz/dwm_fly/log/?h=fly
+#enable-commit-graph=1
+
+# not very useful, maybe disable
+#enable-follow-links=1
+#enable-subject-links=1
+
+# `man cgitrc` uses $CGIT_REPO_URL instead of $CGIT_REPO_NAME, I guess maybe because repo name can be different from repo url?
+#clone-url=https://git.flylightning.xyz/$CGIT_REPO_URL https://codeberg.org/flyxyz123/$CGIT_REPO_URL
+clone-prefix=https://git.flylightning.xyz https://codeberg.org/flyxyz123
+
+source-filter=/usr/lib/cgit/filters/syntax-highlighting-edited.sh
+css=/mycgit.css
+
+about-filter=/usr/lib/cgit/filters/about-formatting-edited.sh
+#readme=:README.markdown
+#readme=:readme.markdown
+#readme=:README.mdown
+#readme=:readme.mdown
+readme=:README.md
+#readme=:readme.md
+#readme=:README.mkd
+#readme=:readme.mkd
+#readme=:README.rst
+#readme=:readme.rst
+#readme=:README.html
+#readme=:readme.html
+#readme=:README.htm
+#readme=:readme.htm
+#readme=:README.txt
+#readme=:readme.txt
+readme=:README
+#readme=:readme
+#readme=:INSTALL.markdown
+#readme=:install.markdown
+#readme=:INSTALL.mdown
+#readme=:install.mdown
+#readme=:INSTALL.md
+#readme=:install.md
+#readme=:INSTALL.mkd
+#readme=:install.mkd
+#readme=:INSTALL.rst
+#readme=:install.rst
+#readme=:INSTALL.html
+#readme=:install.html
+#readme=:INSTALL.htm
+#readme=:install.htm
+#readme=:INSTALL.txt
+#readme=:install.txt
+#readme=:INSTALL
+#readme=:install
+
+root-title=flylightning.xyz git repositories
+root-desc=
+
+repo.url=config_local_arch
+repo.path=/var/lib/gitolite/repositories/config_local_arch.git
+repo.desc=Device dependent config files for Arch Linux, managed by https://git.flylightning.xyz/fsh/tree/sh/cfg (git bare repo method)
+
+repo.url=xcross
+repo.path=/var/lib/gitolite/repositories/xcross.git
+repo.desc=X11 draw a cross at cursor across screen
+
+repo.url=fly
+repo.path=/var/lib/gitolite/repositories/fly.git
+repo.desc=Arch Linux custom local repository
+
+repo.url=aur
+repo.path=/var/lib/gitolite/repositories/aur.git
+repo.desc=PKGBUILDs I maintain for AUR
+
+repo.url=fsh
+repo.path=/var/lib/gitolite/repositories/fsh.git
+repo.desc=My shell utilities
+
+section=Archived. Have license issues.
+
+repo.url=remote_plot
+repo.path=/var/lib/gitolite/repositories/remote_plot.git
+repo.desc=Archived. Has license issues. Plot on GUI a remote file updating using https://git.flylightning.xyz/mycan
+
+repo.url=mycan
+repo.path=/var/lib/gitolite/repositories/mycan.git
+repo.desc=Archived. Has license issues. Read CAN and write to a file.
+
+section=forks
+
+repo.url=dwm_fly
+repo.path=/var/lib/gitolite/repositories/dwm_fly.git
+repo.desc=My fork of https://git.suckless.org/dwm
+#repo.readme=:dwm.1
+
+section=archives
+
+repo.url=config_local_arch_studio
+repo.path=/var/lib/gitolite/repositories/config_local_arch_studio.git
+repo.desc=Archived config_local_arch studio branch
+
+repo.url=public_archive_codes
+repo.path=/var/lib/gitolite/repositories/public_archive_codes.git
+repo.desc=My mostly not used, not maintained, archived codes/configs
diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf
new file mode 100644
index 00000000..743f55aa
--- /dev/null
+++ b/etc/dnsmasq.conf
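Review bot: `about-filter=/usr/lib/cgit/filters/about-formatting-edited.sh` (and `source-filter`) hands repository content to a locally edited script whose output cgit places verbatim in the page, so the README of any listed repo is author-controlled markup; the edited script is not part of this diff, so add a comment stating whether it escapes or sanitizes raw HTML, or re-check that before the config goes live. Only two `readme=` candidates are active (`:README.md` and `:README`), so the 34 commented-out lines could collapse to a single line such as `# candidates are tried in order; full list in cgitrc(5)` without losing information. The section name `Archived. Have license issues.` is then repeated inside each `repo.desc` below it as `Archived. Has license issues.`; keep one wording and drop the duplicate from the descriptions.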
@@ -0,0 +1,696 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+#domain-needed
+# Never forward addresses in the non-routed address spaces.
+#bogus-priv
+
+# Uncomment these to enable DNSSEC validation and caching:
+# (Requires dnsmasq to be built with DNSSEC option.)
+#conf-file=/usr/share/dnsmasq/trust-anchors.conf
+#dnssec
+
+# Replies which are not DNSSEC signed may be legitimate, because the domain
+# is unsigned, or may be forgeries. Setting this option tells dnsmasq to
+# check that an unsigned reply is OK, by finding a secure proof that a DS
+# record somewhere between the root and the domain does not exist.
+# The cost of setting this is that even queries in unsigned domains will need
+# one or more extra DNS queries to verify.
+#dnssec-check-unsigned
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+#filterwin2k
+
+# Change this line if you want dns to get its upstream servers from
+# somewhere other that /etc/resolv.conf
+#resolv-file=
+
+# By default, dnsmasq will send queries to any of the upstream
+# servers it knows about and tries to favour servers to are known
+# to be up. Uncommenting this forces dnsmasq to try each query
+# with each server strictly in the order they appear in
+# /etc/resolv.conf
+#strict-order
+
+# If you don't want dnsmasq to read /etc/resolv.conf or any other
+# file, getting its servers from this file instead (see below), then
+# uncomment this.
+no-resolv
+
+# If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
+# files for changes and re-read them then uncomment this.
+#no-poll
+
+# Add other name servers here, with domain specs if they are for
+# non-public domains.
+#server=/localnet/192.168.0.1
+
+# Example of routing PTR queries to nameservers: this will send all
+# address->name queries for 192.168.3/24 to nameserver 10.1.2.3
+#server=/3.168.192.in-addr.arpa/10.1.2.3
+
+# Add local-only domains here, queries in these domains are answered
+# from /etc/hosts or DHCP only.
+#local=/localnet/
+
+# Add domains which you want to force to an IP address here.
+# The example below send any host in double-click.net to a local
+# web-server.
+#address=/double-click.net/127.0.0.1
+
+# --address (and --server) work with IPv6 addresses too.
+#address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to the vpn and search ipsets:
+#ipset=/yahoo.com/google.com/vpn,search
+
+# Add the IPs of all queries to yahoo.com, google.com, and their
+# subdomains to netfilters sets, which is equivalent to
+# 'nft add element ip test vpn { ... }; nft add element ip test search { ... }'
+#nftset=/yahoo.com/google.com/ip#test#vpn,ip#test#search
+
+# Use netfilters sets for both IPv4 and IPv6:
+# This adds all addresses in *.yahoo.com to vpn4 and vpn6 for IPv4 and IPv6 addresses.
+#nftset=/yahoo.com/4#ip#test#vpn4
+#nftset=/yahoo.com/6#ip#test#vpn6
+
+# You can control how dnsmasq talks to a server: this forces
+# queries to 10.1.2.3 to be routed via eth1
+# server=10.1.2.3@eth1
+
+# and this sets the source (ie local) address used to talk to
+# 10.1.2.3 to 192.168.1.1 port 55 (there must be an interface with that
+# IP on the machine, obviously).
+# server=10.1.2.3@192.168.1.1#55
+
+# If you want dnsmasq to change uid and gid to something other
+# than the default, edit the following lines.
+#user=
+#group=
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+#interface=
+# Or you can specify which interface _not_ to listen on
+#except-interface=
+# Or which to listen on by address (remember to include 127.0.0.1 if
+# you use this.)
+#listen-address=
+# If you want dnsmasq to provide only DNS service on an interface,
+# configure it as shown above, and then use the following line to
+# disable DHCP and TFTP on it.
+#no-dhcp-interface=
+
+# On systems which support it, dnsmasq binds the wildcard address,
+# even when it is listening on only some interfaces. It then discards
+# requests that it shouldn't reply to. This has the advantage of
+# working even when interfaces come and go and change address. If you
+# want dnsmasq to really bind only the interfaces it is listening on,
+# uncomment this option. About the only time you may need this is when
+# running another nameserver on the same machine.
+#bind-interfaces
+
+# If you don't want dnsmasq to read /etc/hosts, uncomment the
+# following line.
+#no-hosts
+# or if you want it to read another file, as well as /etc/hosts, use
+# this.
+#addn-hosts=/etc/banner_add_hosts
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+#expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+# as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+# domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+#domain=thekelleys.org.uk
+
+# Set a different domain for a particular subnet
+#domain=wireless.thekelleys.org.uk,192.168.2.0/24
+
+# Same idea, but range rather then subnet
+#domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+#dhcp-range=192.168.0.50,192.168.0.150,12h
+
+# This is an example of a DHCP range where the netmask is given. This
+# is needed for networks we reach the dnsmasq DHCP server via a relay
+# agent. If you don't know what a DHCP relay agent is, you probably
+# don't need to worry about this.
+#dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
+
+# This is an example of a DHCP range which sets a tag, so that
+# some DHCP options may be set only for this network.
+#dhcp-range=set:red,192.168.0.50,192.168.0.150
+
+# Use this DHCP range only when the tag "green" is set.
+#dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
+
+# Specify a subnet which can't be used for dynamic address allocation,
+# is available for hosts with matching --dhcp-host lines. Note that
+# dhcp-host declarations will be ignored unless there is a dhcp-range
+# of some type for the subnet in question.
+# In this case the netmask is implied (it comes from the network
+# configuration on the machine running dnsmasq) it is possible to give
+# an explicit netmask instead.
+#dhcp-range=192.168.0.0,static
+
+# Enable DHCPv6. Note that the prefix-length does not need to be specified
+# and defaults to 64 if missing/
+#dhcp-range=1234::2, 1234::500, 64, 12h
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+#dhcp-range=1234::, ra-only
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
+# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
+# hosts. Use the DHCPv4 lease to derive the name, network segment and
+# MAC address and assume that the host will also have an
+# IPv6 address calculated using the SLAAC algorithm.
+#dhcp-range=1234::, ra-names
+
+# Do Router Advertisements, BUT NOT DHCP for this subnet.
+# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
+#dhcp-range=1234::, ra-only, 48h
+
+# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
+# so that clients can use SLAAC addresses as well as DHCP ones.
+#dhcp-range=1234::2, 1234::500, slaac
+
+# Do Router Advertisements and stateless DHCP for this subnet. Clients will
+# not get addresses from DHCP, but they will get other configuration information.
+# They will use SLAAC for addresses.
+#dhcp-range=1234::, ra-stateless
+
+# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
+# from DHCPv4 leases.
+#dhcp-range=1234::, ra-stateless, ra-names
+
+# Do router advertisements for all subnets where we're doing DHCPv6
+# Unless overridden by ra-stateless, ra-names, et al, the router
+# advertisements will have the M and O bits set, so that the clients
+# get addresses and configuration from DHCPv6, and the A bit reset, so the
+# clients don't use SLAAC addresses.
+#enable-ra
+
+# Supply parameters for specified hosts using DHCP. There are lots
+# of valid alternatives, so we will give examples of each. Note that
+# IP addresses DO NOT have to be in the range given above, they just
+# need to be on the same network. The order of the parameters in these
+# do not matter, it's permissible to give name, address and MAC in any
+# order.
+
+# Always allocate the host with Ethernet address 11:22:33:44:55:66
+# The IP address 192.168.0.60
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
+
+# Always set the name of the host with hardware address
+# 11:22:33:44:55:66 to be "fred"
+#dhcp-host=11:22:33:44:55:66,fred
+
+# Always give the host with Ethernet address 11:22:33:44:55:66
+# the name fred and IP address 192.168.0.60 and lease time 45 minutes
+#dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
+
+# Give a host with Ethernet address 11:22:33:44:55:66 or
+# 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
+# that these two Ethernet interfaces will never be in use at the same
+# time, and give the IP address to the second, even if it is already
+# in use by the first. Useful for laptops with wired and wireless
+# addresses.
+#dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
+
+# Give the machine which says its name is "bert" IP address
+# 192.168.0.70 and an infinite lease
+#dhcp-host=bert,192.168.0.70,infinite
+
+# Always give the host with client identifier 01:02:02:04
+# the IP address 192.168.0.60
+#dhcp-host=id:01:02:02:04,192.168.0.60
+
+# Always give the InfiniBand interface with hardware address
+# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the
+# ip address 192.168.0.61. The client id is derived from the prefix
+# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of
+# hex digits of the hardware address.
+#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61
+
+# Always give the host with client identifier "marjorie"
+# the IP address 192.168.0.60
+#dhcp-host=id:marjorie,192.168.0.60
+
+# Enable the address given for "judge" in /etc/hosts
+# to be given to a machine presenting the name "judge" when
+# it asks for a DHCP lease.
+#dhcp-host=judge
+
+# Never offer DHCP service to a machine whose Ethernet
+# address is 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,ignore
+
+# Ignore any client-id presented by the machine with Ethernet
+# address 11:22:33:44:55:66. This is useful to prevent a machine
+# being treated differently when running under different OS's or
+# between PXE boot and OS boot.
+#dhcp-host=11:22:33:44:55:66,id:*
+
+# Send extra options which are tagged as "red" to
+# the machine with Ethernet address 11:22:33:44:55:66
+#dhcp-host=11:22:33:44:55:66,set:red
+
+# Send extra options which are tagged as "red" to
+# any machine with Ethernet address starting 11:22:33:
+#dhcp-host=11:22:33:*:*:*,set:red
+
+# Give a fixed IPv6 address and name to client with
+# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
+# Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
+# Note also that the [] around the IPv6 address are obligatory.
+#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
+
+# Ignore any clients which are not specified in dhcp-host lines
+# or /etc/ethers. Equivalent to ISC "deny unknown-clients".
+# This relies on the special "known" tag which is set when
+# a host is matched.
+#dhcp-ignore=tag:!known
+
+# Send extra options which are tagged as "red" to any machine whose
+# DHCP vendorclass string includes the substring "Linux"
+#dhcp-vendorclass=set:red,Linux
+
+# Send extra options which are tagged as "red" to any machine one
+# of whose DHCP userclass strings includes the substring "accounts"
+#dhcp-userclass=set:red,accounts
+
+# Send extra options which are tagged as "red" to any machine whose
+# MAC address matches the pattern.
+#dhcp-mac=set:red,00:60:8C:*:*:*
+
+# If this line is uncommented, dnsmasq will read /etc/ethers and act
+# on the ethernet-address/IP pairs found there just as if they had
+# been given as --dhcp-host options. Useful if you keep
+# MAC-address/host mappings there for other purposes.
+#read-ethers
+
+# Send options to hosts which ask for a DHCP lease.
+# See RFC 2132 for details of available options.
+# Common options can be given to dnsmasq by name:
+# run "dnsmasq --help dhcp" to get a list.
+# Note that all the common settings, such as netmask and
+# broadcast address, DNS server and default route, are given
+# sane defaults by dnsmasq. You very likely will not need
+# any dhcp-options. If you use Windows clients and Samba, there
+# are some options which are recommended, they are detailed at the
+# end of this section.
+
+# Override the default route supplied by dnsmasq, which assumes the
+# router is the same machine as the one running dnsmasq.
+#dhcp-option=3,1.2.3.4
+
+# Do the same thing, but using the option name
+#dhcp-option=option:router,1.2.3.4
+
+# Override the default route supplied by dnsmasq and send no default
+# route at all. Note that this only works for the options sent by
+# default (1, 3, 6, 12, 28) the same line will send a zero-length option
+# for all other option numbers.
+#dhcp-option=3
+
+# Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
+#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
+
+# Send DHCPv6 option. Note [] around IPv6 addresses.
+#dhcp-option=option6:dns-server,[1234::77],[1234::88]
+
+# Send DHCPv6 option for namservers as the machine running
+# dnsmasq and another.
+#dhcp-option=option6:dns-server,[::],[1234::88]
+
+# Ask client to poll for option changes every six hours. (RFC4242)
+#dhcp-option=option6:information-refresh-time,6h
+
+# Set option 58 client renewal time (T1). Defaults to half of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T1,1m
+
+# Set option 59 rebinding time (T2). Defaults to 7/8 of the
+# lease time if not specified. (RFC2132)
+#dhcp-option=option:T2,2m
+
+# Set the NTP time server address to be the same machine as
+# is running dnsmasq
+#dhcp-option=42,0.0.0.0
+
+# Set the NIS domain name to "welly"
+#dhcp-option=40,welly
+
+# Set the default time-to-live to 50
+#dhcp-option=23,50
+
+# Set the "all subnets are local" flag
+#dhcp-option=27,1
+
+# Send the etherboot magic flag and then etherboot options (a string).
+#dhcp-option=128,e4:45:74:68:00:00
+#dhcp-option=129,NIC=eepro100
+
+# Specify an option which will only be sent to the "red" network
+# (see dhcp-range for the declaration of the "red" network)
+# Note that the tag: part must precede the option: part.
+#dhcp-option = tag:red, option:ntp-server, 192.168.1.1
+
+# The following DHCP options set up dnsmasq in the same way as is specified
+# for the ISC dhcpcd in
+# https://web.archive.org/web/20040313070105/http://us1.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
+# adapted for a typical dnsmasq installation where the host running
+# dnsmasq is also the host running samba.
+# you may want to uncomment some or all of them if you use
+# Windows clients and Samba.
+#dhcp-option=19,0 # option ip-forwarding off
+#dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+#dhcp-option=45,0.0.0.0 # netbios datagram distribution server
+#dhcp-option=46,8 # netbios node type
+
+# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
+#dhcp-option=252,"\n"
+
+# Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+# probably doesn't support this......
+#dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
+
+# Send RFC-3442 classless static routes (note the netmask encoding)
+#dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
+
+# Send vendor-class specific options encapsulated in DHCP option 43.
+# The meaning of the options is defined by the vendor-class so
+# options are sent only when the client supplied vendor class
+# matches the class given here. (A substring match is OK, so "MSFT"
+# matches "MSFT" and "MSFT 5.0"). This example sets the
+# mtftp address to 0.0.0.0 for PXEClients.
+#dhcp-option=vendor:PXEClient,1,0.0.0.0
+
+# Send microsoft-specific option to tell windows to release the DHCP lease
+# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
+# value as a four-byte integer - that's what microsoft wants. See
+# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
+#dhcp-option=vendor:MSFT,2,1i
+
+# Send the Encapsulated-vendor-class ID needed by some configurations of
+# Etherboot to allow is to recognise the DHCP server.
+#dhcp-option=vendor:Etherboot,60,"Etherboot"
+
+# Send options to PXELinux. Note that we need to send the options even
+# though they don't appear in the parameter request list, so we need
+# to use dhcp-option-force here.
+# See http://syslinux.zytor.com/pxe.php#special for details.
+# Magic number - needed before anything else is recognised
+#dhcp-option-force=208,f1:00:74:7e
+# Configuration file name
+#dhcp-option-force=209,configs/common
+# Path prefix
+#dhcp-option-force=210,/tftpboot/pxelinux/files/
+# Reboot time. (Note 'i' to send 32-bit value)
+#dhcp-option-force=211,30i
+
+# Set the boot filename for netboot/PXE. You will only need
+# this if you want to boot machines over the network and you will need
+# a TFTP server; either dnsmasq's built-in TFTP server or an
+# external one. (See below for how to enable the TFTP server.)
+#dhcp-boot=pxelinux.0
+
+# The same as above, but use custom tftp-server instead machine running dnsmasq
+#dhcp-boot=pxelinux,server.name,192.168.1.100
+
+# Boot for iPXE. The idea is to send two different
+# filenames, the first loads iPXE, and the second tells iPXE what to
+# load. The dhcp-match sets the ipxe tag for requests from iPXE.
+#dhcp-boot=undionly.kpxe
+#dhcp-match=set:ipxe,175 # iPXE sends a 175 option.
+#dhcp-boot=tag:ipxe,http://boot.ipxe.org/demo/boot.php
+
+# Encapsulated options for iPXE. All the options are
+# encapsulated within option 175
+#dhcp-option=encap:175, 1, 5b # priority code
+#dhcp-option=encap:175, 176, 1b # no-proxydhcp
+#dhcp-option=encap:175, 177, string # bus-id
+#dhcp-option=encap:175, 189, 1b # BIOS drive code
+#dhcp-option=encap:175, 190, user # iSCSI username
+#dhcp-option=encap:175, 191, pass # iSCSI password
+
+# Test for the architecture of a netboot client. PXE clients are
+# supposed to send their architecture as option 93. (See RFC 4578)
+#dhcp-match=peecees, option:client-arch, 0 #x86-32
+#dhcp-match=itanics, option:client-arch, 2 #IA64
+#dhcp-match=hammers, option:client-arch, 6 #x86-64
+#dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
+
+# Do real PXE, rather than just booting a single file, this is an
+# alternative to dhcp-boot.
+#pxe-prompt="What system shall I netboot?"
+# or with timeout before first available action is taken:
+#pxe-prompt="Press F8 for menu.", 60
+
+# Available boot services. for PXE.
+#pxe-service=x86PC, "Boot from local disk"
+
+# Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
+#pxe-service=x86PC, "Install Linux", pxelinux
+
+# Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
+# Beware this fails on old PXE ROMS.
+#pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
+
+# Use bootserver on network, found my multicast or broadcast.
+#pxe-service=x86PC, "Install windows from RIS server", 1
+
+# Use bootserver at a known IP address.
+#pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
+
+# If you have multicast-FTP available,
+# information for that can be passed in a similar way using options 1
+# to 5. See page 19 of
+# http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
+
+
+# Enable dnsmasq's built-in TFTP server
+#enable-tftp
+
+# Set the root directory for files available via FTP.
+#tftp-root=/var/ftpd
+
+# Do not abort if the tftp-root is unavailable
+#tftp-no-fail
+
+# Make the TFTP server more secure: with this set, only files owned by
+# the user dnsmasq is running as will be send over the net.
+#tftp-secure
+
+# This option stops dnsmasq from negotiating a larger blocksize for TFTP
+# transfers. It will slow things down, but may rescue some broken TFTP
+# clients.
+#tftp-no-blocksize
+
+# Set the boot file name only when the "red" tag is set.
+#dhcp-boot=tag:red,pxelinux.red-net
+
+# An example of dhcp-boot with an external TFTP server: the name and IP
+# address of the server are given after the filename.
+# Can fail with old PXE ROMS. Overridden by --pxe-service.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
+
+# If there are multiple external tftp servers having a same name
+# (using /etc/hosts) then that name can be specified as the
+# tftp_servername (the third option to dhcp-boot) and in that
+# case dnsmasq resolves this name and returns the resultant IP
+# addresses in round robin fashion. This facility can be used to
+# load balance the tftp load among a set of servers.
+#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
+
+# Set the limit on DHCP leases, the default is 150
+#dhcp-lease-max=150
+
+# The DHCP server needs somewhere on disk to keep its lease database.
+# This defaults to a sane location, but if you want to change it, use
+# the line below.
+#dhcp-leasefile=/var/lib/misc/dnsmasq.leases
+
+# Set the DHCP server to authoritative mode. In this mode it will barge in
+# and take over the lease for any client which broadcasts on the network,
+# whether it has a record of the lease or not. This avoids long timeouts
+# when a machine wakes up on a new network. DO NOT enable this if there's
+# the slightest chance that you might end up accidentally configuring a DHCP
+# server for your campus/company accidentally. The ISC server uses
+# the same option, and this URL provides more information:
+# http://www.isc.org/files/auth.html
+#dhcp-authoritative
+
+# Set the DHCP server to enable DHCPv4 Rapid Commit Option per RFC 4039.
+# In this mode it will respond to a DHCPDISCOVER message including a Rapid Commit
+# option with a DHCPACK including a Rapid Commit option and fully committed address
+# and configuration information. This must only be enabled if either the server is
+# the only server for the subnet, or multiple servers are present and they each
+# commit a binding for all clients.
+#dhcp-rapid-commit
+
+# Run an executable when a DHCP lease is created or destroyed.
+# The arguments sent to the script are "add" or "del",
+# then the MAC address, the IP address and finally the hostname
+# if there is one.
+#dhcp-script=/bin/echo
+
+# Set the cachesize here.
+#cache-size=150
+
+# If you want to disable negative caching, uncomment this.
+#no-negcache
+
+# Normally responses which come from /etc/hosts and the DHCP lease
+# file have Time-To-Live set as zero, which conventionally means
+# do not cache further. If you are happy to trade lower load on the
+# server for potentially stale date, you can set a time-to-live (in
+# seconds) here.
+#local-ttl=
+
+# If you want dnsmasq to detect attempts by Verisign to send queries
+# to unregistered .com and .net hosts to its sitefinder service and
+# have dnsmasq instead return the correct NXDOMAIN response, uncomment
+# this line. You can add similar lines to do the same for other
+# registries which have implemented wildcard A records.
+#bogus-nxdomain=64.94.110.11
+
+# If you want to fix up DNS results from upstream servers, use the
+# alias option. This only works for IPv4.
+# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
+#alias=1.2.3.4,5.6.7.8
+# and this maps 1.2.3.x to 5.6.7.x
+#alias=1.2.3.0,5.6.7.0,255.255.255.0
+# and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
+#alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
+
+# Change these lines if you want dnsmasq to serve MX records.
+
+# Return an MX record named "maildomain.com" with target
+# servermachine.com and preference 50
+#mx-host=maildomain.com,servermachine.com,50
+
+# Set the default target for MX records created using the localmx option.
+#mx-target=servermachine.com
+
+# Return an MX record pointing to the mx-target for all local
+# machines.
+#localmx
+
+# Return an MX record pointing to itself for all local machines.
+#selfmx
+
+# Change the following lines if you want dnsmasq to serve SRV
+# records. These are useful if you want to serve ldap requests for
+# Active Directory and other windows-originated DNS requests.
+# See RFC 2782.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+# If the domain part if missing from the name (so that is just has the
+# service and protocol sections) then the domain given by the domain=
+# config option is used. (Note that expand-hosts does not need to be
+# set for this to work.)
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 389 (using domain=)
+#domain=example.com
+#srv-host=_ldap._tcp,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for PTR records.)
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf. (Note that the
+# domain-name expansion done for SRV records _does_not
+# occur for TXT records.)
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+#cname=bertrand,bert
+
+# For debugging purposes, log each DNS query as it passes through
+# dnsmasq.
+#log-queries
+
+# Log lots of extra information about DHCP transactions.
+#log-dhcp
+
+# Include another lot of configuration options.
+#conf-file=/etc/dnsmasq.more.conf
+#conf-dir=/etc/dnsmasq.d
+
+# Include all the files in a directory except those ending in .bak
+#conf-dir=/etc/dnsmasq.d,.bak
+
+# Include all files in a directory which end in .conf
+#conf-dir=/etc/dnsmasq.d/,*.conf
+
+# If a DHCP client claims that its name is "wpad", ignore that.
+# This fixes a security hole. see CERT Vulnerability VU#598349
+#dhcp-name-match=set:wpad-ignore,wpad
+#dhcp-ignore-names=tag:wpad-ignore
+
+server=2001:4860:4860::8888
+server=2606:4700:4700::1111
+server=2620:fe::9
+server=8.8.8.8
+server=1.1.1.1
+server=9.9.9.9
diff --git a/etc/dovecot/dovecot.conf b/etc/dovecot/dovecot.conf
index e7d11a07..b4001ada 100644
--- a/etc/dovecot/dovecot.conf
+++ b/etc/dovecot/dovecot.conf
@@ -1,8 +1,23 @@
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#default-settings
+# needed for 2.4
+dovecot_config_version = 2.4.2
+dovecot_storage_version = 2.4.2
+
 # Edited from `doveconf -nP`, see https://doc.dovecot.org/2.3/configuration_manual/quick_configuration/#split-configuration-files
-mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
+# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+# > mail_location setting & mail userdb field Split into multiple mail_* settings.
+mail_driver = maildir
+mail_path = ~/Mail
+# https://doc.dovecot.org/2.4.1/core/config/mail_location.html#mail_inbox_path
+mail_inbox_path = ~/Mail/Inbox
+# https://doc.dovecot.org/2.4.1/core/config/mailbox_formats/maildir.html#directory-layout
+# > use hierarchical directories, such as Maildir/folder/ Maildir/folder/subfolder/
+mailbox_list_layout = fs
 namespace inbox {
 inbox = yes
- location =
+ # https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings
+ # namespace { location } setting is changed in 2.4, it is kinda no need to
+ # so I just removed, not remove will error
 mailbox Archive {
 auto = subscribe
 special_use = \Archive
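Review bot: With `no-resolv` and the six public `server=` lines at the end of the file active, the file configures upstreams but nothing about where dnsmasq listens — `interface=`, `listen-address=`, `bind-interfaces`, `domain-needed` and `bogus-priv` all stay commented — so, as the file's own comment says, dnsmasq binds the wildcard address and will answer recursive queries on every interface it is reachable on; on a host that also exposes nginx, postfix and dovecot (per the diffstat) that is an open resolver unless etc/nftables.conf, which is in this commit but not in view, drops inbound port 53. If the resolver is only for local processes, set `listen-address=127.0.0.1,::1` together with `bind-interfaces`, and enable `domain-needed` and `bogus-priv` so single-label names and private-range reverse lookups are answered locally instead of being sent to Google, Cloudflare and Quad9. Since those upstreams are DNSSEC-capable, `conf-file=/usr/share/dnsmasq/trust-anchors.conf` plus `dnssec` could also be enabled here rather than left as the stock comment. The deliberate changes are easy to miss among 690 lines of template; a short header such as `# local changes: no-resolv + server= list at end of file` above the first comment would make them findable.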
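Review bot: The three comment lines that replace `location =` inside `namespace inbox {` are hard to follow (`it is kinda no need to / so I just removed, not remove will error`), and because the namespace block continues past the end of this hunk a reader sees only the removal and the link. Reword to something like `# 2.4 dropped the namespace { location } setting; keeping it makes the config fail to load, so it is removed` and keep the documentation URL above it.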
@@ -29,7 +44,9 @@ namespace inbox { } prefix = } -passdb { +# https://doc.dovecot.org/2.4.1/installation/upgrade/2.3-to-2.4.html#passdb-userdb-section-naming +# > passdb and userdb sections now require a name +passdb some_name { driver = pam } service auth { @@ -40,9 +57,16 @@ service auth { } } ssl = required -ssl_cert = </etc/postfix/flylightning.pem -ssl_dh = </etc/dovecot/dh.pem -ssl_key = </etc/postfix/flylightning.key -userdb { +# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#converted-settings +# ssl_cert, ssl_dh, ssl_key name changed +ssl_server_cert_file = /etc/postfix/flylightning.pem +ssl_server_dh_file = /etc/dovecot/dh.pem +ssl_server_key_file = /etc/postfix/flylightning.key +userdb some_name { driver = passwd } +# https://doc.dovecot.org/2.4.2/installation/upgrade/2.3-to-2.4.html#default-settings +# > No protocols are enabled by default. +# In the past, imap pop3 lmtp are enabled by default. Now none I only need +# imaps, so I put imap here +protocols = imap diff --git a/etc/highlight/filetypes.conf b/etc/highlight/filetypes.conf new file mode 100644 index 00000000..5028b5c3 --- /dev/null +++ b/etc/highlight/filetypes.conf 
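Review bot: `passdb some_name {` and `userdb some_name {` carry the placeholder name from the upgrade guide into the live config; since the hunk's own comment says 2.4 requires a name, use descriptive ones that also read correctly in doveconf output, `passdb pam {` and `userdb passwd {`. The TLS key is read from `/etc/postfix/flylightning.key`, the same file nginx.conf in this commit points at, so one private key now serves IMAP, SMTP and HTTPS and is written by acme.sh (its unit lists /etc/postfix in ReadWritePaths); a comment above `ssl_server_key_file` saying `# shared with postfix and nginx, renewed by acme.sh into /etc/postfix` would stop the next reader from moving or re-permissioning it for one daemon only. The cfgl_meta manifest in this commit does not record that key file, so its mode and owner are not visible here — confirm it is root-owned and not world-readable.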
@@ -0,0 +1,185 @@ +-- Filename and shebang mapping +-- +-- Add an entry for a language syntax which is occupied by multiple source file extensions. +-- If there is only one extension, just name the lang file accordingly and it will work (no entry needed here). +-- The filetype entries in gui_files/ext/fileopenfilter.conf should also be updated for the GUI file dialogs. +-- +-- Extensions can be configured for multiple languages (see "asm", which is assigned to assembler and fasm). +-- The command line (CLI) and Qt GUI builds handle ambiguous assignments as follows: +-- - CLI: the first association listed here will be used +-- - GUI: a syntax selection prompt will be shown +-- +-- If a filename has no extension by convention (ie. makefile), it may be added here nevertheless or be +-- configured as "Shebang". +-- +-- You can assign complete filenames to a syntax with "Filenames", see the "cmake" entry. +-- To define both filenames and extensions, add two separate entries (see "sh" entry). +-- +-- A default input encoding can be set with an EncodingHint attribute (requires v. 3.55). +-- +-- The first filetypes.conf found in a highlight search directory wins. See README.adoc for search dirs. 
+-- +-- You can override specific settings in ~/.highlight/filetypes.conf like this: +-- +-- dofile "/etc/highlight/filetypes.conf" +-- +-- table.insert(FileMapping, { Lang="yourlang", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?yourlang]] }) + +FileMapping = { + + { Lang="abap", Extensions={"abp"} }, + { Lang="ada", Extensions={"adb", "ads", "a", "gnad"} }, + { Lang="agda", Extensions={"lagda"} }, + { Lang="alan", Extensions={"alan", "i"} }, + { Lang="algol", Extensions={"alg"} }, + { Lang="ampl", Extensions={"dat", "run"} }, + { Lang="amtrix", Extensions={"s4", "s4t", "s4h", "hnd", "t4"} }, + { Lang="assembler", Extensions={"asm", "a51", "29k", "68s", "68x", "x86"} }, + { Lang="fasm", Extensions={"asm", "inc"} }, + { Lang="asp", Extensions={"aspx", "ashx", "ascx"} }, + { Lang="ats", Extensions={"dats"} }, + { Lang="aspect", Extensions={"was", "wud"} }, + { Lang="ballerina", Extensions={"bal"} }, + { Lang="bat", Extensions={"cmd"} }, + { Lang="c", Extensions={"c++", "cpp", "cxx", "cc", "h", "hh", "hxx", "hpp", "cu", "inl", "ipp", "ino", "ixx", "cppm"} }, + { Lang="cmake", Filenames={"CMakeLists.txt"} }, + { Lang="charmm", Extensions={"inp"} }, + { Lang="clojure", Extensions={"boot", "cl2", "clj", "cljscm", "cljx", "hic"} }, + { Lang="coldfusion", Extensions={"cfc","cfm"} }, + { Lang="cobol", Extensions={"cob", "cbl"} }, + { Lang="crystal", Extensions={"cr"} }, + { Lang="coffeescript", Extensions={"coffee", "cakefile", "cjsx", "coffee", "iced"} }, + { Lang="conf", Extensions={"anacrontab"} }, + { Lang="delphi", Extensions={"pas", "dpr"} }, + { Lang="diff", Extensions={"patch"} }, + { Lang="dts", Extensions={"dtsi"} }, + { Lang="eiffel", Extensions={"e", "se"} }, + { Lang="elixir", Extensions={"ex", "exs", "heex"} }, + { Lang="erlang", Extensions={"hrl", "erl", "xrl", "yrl"} }, + { Lang="euphoria", Extensions={"ex", "exw", "wxu", "ew", "eu"} }, + { Lang="fortran77", Extensions={"f", "for", "ftn"} }, + { Lang="fortran90", Extensions={"f95", "f90"} }, + { 
Lang="gambas", Extensions={"class"} }, + { Lang="gdscript", Extensions={"gd"} }, + { Lang="haskell", Extensions={"hs"} }, + { Lang="hugo", Extensions={"hug"} }, + { Lang="ini", Extensions={"doxyfile", "desktop", "kdev3", "reg", "cfg", "inf", "config", ".gitconfig", "service", "network"} }, + { Lang="jam", Extensions={"jam", "ham"} }, + { Lang="java", Extensions={"groovy", "grv", "jenkinsfile", "gradle"} }, + { Lang="javascript", Extensions={"js"} }, + { Lang="julia", Extensions={"jl"} }, + { Lang="kotlin", Extensions={"kt", "kts"} }, + { Lang="limbo", Extensions={"b"} }, + { Lang="lisp", Extensions={"cl", "clisp", "el", "lsp", "sbcl", "scom", "fas", "scm", "mud", "fasl" } }, + { Lang="makefile", Extensions={"mak", "mk", "gnumakefile"} }, + { Lang="meson", Filenames={ "meson.build", "meson_options.txt" } }, + { Lang="snmp", Extensions={"mib", "smi"} }, + { Lang="ocaml", Extensions={"ml","mli", "eliom", "eliomi", "ml4", "mll", "mly"} }, + { Lang="mod2", Extensions={"mod", "def"} }, + { Lang="mod3", Extensions={"m3", "i3"} }, + { Lang="oberon", Extensions={"ooc"} }, + { Lang="php", Extensions={"php3", "php4", "php5", "php6", "php7", "phps", "phpt"} }, + { Lang="pike", Extensions={"pmod"} }, + { Lang="pl1", Extensions={"ff", "fp", "fpp", "rpp","sf", "sp", "spb", + "spp","sps", "wp", "wf", "wpp","wps","wpb","bdy","spe"} }, + { Lang="perl", Extensions={"pl","perl", "cgi", "pm", "plx", "plex"} }, + { Lang="polygen", Extensions={"grm"} }, + { Lang="pro", Extensions={"pro"} }, + { Lang="qmake", Extensions={"pro"} }, + { Lang="progress", Extensions={"p", "i", "w"} }, + { Lang="purescript", Extensions={"purs"} }, + { Lang="ruby", Extensions={"rb","ruby", "pp", "rjs", "gemfile", "rakefile", "appfile", "appraisals", "berksfile", + "brewfile", "capfile", "cgi", "cheffile", "config.ru", "deliverfile", "fastfile", "fcgi", "gemspec", + "guardfile", "irbrc", "jbuilder", "podfile", "podspec", "prawn", "rabl", "rake", "rantfile", "rbx", + "scanfile", "simplecov", "snapfile", "thor", 
"thorfile", "vagrantfile" } }, + { Lang="rexx", Extensions={"rex", "rx", "the"} }, + { Lang="shellscript", Filenames={".zshrc", ".bashrc"} }, + { Lang="shellscript", Extensions={"sh", "bash", "zsh", "ebuild", "eclass"} }, + { Lang="smalltalk", Extensions={"st", "gst", "sq"} }, + { Lang="sybase", Extensions={"sp"} }, + { Lang="tcl", Extensions={"wish", "itcl"} }, + { Lang="tcsh", Extensions={"csh", "tcsh", ".cshrc", ".tcshrc"} }, + { Lang="terraform", Extensions={"tf", "tfvars"} }, + { Lang="tex", Extensions={"sty", "cls"} }, + { Lang="vb", Extensions={"bas", "basic", "bi", "vbs"} }, + { Lang="verilog", Extensions={"v"} }, + { Lang="html", Extensions={"htm", "xhtml", "twig", "jinja"} }, + { Lang="xml", Extensions={"sgm", "sgml", "nrm", "ent","hdr", "hub", "dtd", "glade", + "wml","vxml", "wml", "tld", "csproj","xsl", "ecf", "jnlp", "xsd", + "resx", "rng", "rss", "opml", "graphml"} }, + { Lang="fsharp", Extensions={"fs","fsi","fsx"} }, + { Lang="informix", Extensions={"4gl"} }, + { Lang="blitzbasic", Extensions={"bb"} }, + { Lang="innosetup", Extensions={"iss"} }, + { Lang="lotus", Extensions={"ls"} }, + { Lang="ascend", Extensions={"a4c"} }, + { Lang="actionscript", Extensions={"as"} }, + { Lang="express", Extensions={"exp"} }, + { Lang="hare", Extensions={"ha"} }, + { Lang="haxe", Extensions={"hx"} }, + { Lang="pyrex", Extensions={"pyx"} }, + + { Lang="abap4", Extensions={"abp"} }, + { Lang="csharp", Extensions={"cs"} }, + { Lang="interlis", Extensions={"ili"} }, + { Lang="logtalk", Extensions={"lgt"} }, + { Lang="matlab", Extensions={"m"} }, + { Lang="nsis", Extensions={"nsi", "nsh"} }, + { Lang="bison", Extensions={"y"} }, + { Lang="squirrel", Extensions={"nut"} }, + { Lang="luban", Extensions={"lbn"} }, + { Lang="maya", Extensions={"mel"} }, + { Lang="nemerle", Extensions={"n"} }, + { Lang="nim", Extensions={"nimble", "nimrod", "nims"} }, + { Lang="paradox", Extensions={"sc"} }, + { Lang="netrexx", Extensions={"nrx"} }, + { Lang="clearbasic", Extensions={"cb"} }, 
+ { Lang="graphviz", Extensions={"dot"} }, + { Lang="small", Extensions={"sma"} }, + { Lang="autoit", Extensions={"au3"} }, + { Lang="chill", Extensions={"chl"} }, + { Lang="autohotkey", Extensions={"ahk"} }, + { Lang="fame", Extensions={"fame"} }, + { Lang="modelica", Extensions={"mo"} }, + { Lang="maple", Extensions={"mpl"} }, + { Lang="jasmin", Extensions={"j"} }, + { Lang="snobol", Extensions={"sno"} }, + { Lang="icon", Extensions={"icn"} }, + { Lang="felix", Extensions={"flx"} }, + { Lang="lindenscript", Extensions={"lsl"} }, + { Lang="lilypond", Extensions={"ly"} }, + { Lang="nasal", Extensions={"nas"} }, + { Lang="clean", Extensions={"icl"} }, + { Lang="bibtex", Extensions={"bib"} }, + { Lang="python", Extensions={"py", "py3", "pyw", "pyi", "pyx", "pxd", "pxi", "rpy", "cpy", + "sconstruct", "gyp", "gypi", "snakefile", "wscript" } }, + { Lang="python", Filenames={"SConstruct"} }, + { Lang="rust", Extensions={"rs"} }, + + { Lang="txt", Extensions={"text"} }, + { Lang="n3", Extensions={"ttl", "nt"} }, + { Lang="biferno", Extensions={"bfr"} }, + { Lang="scilab", Extensions={"sci", "sce"} }, + { Lang="msl", Extensions={"nbs"} }, + { Lang="yaml", Extensions={"yml"} }, + { Lang="vimscript", Extensions={"vim", "vimrc", "gvimrc"} }, + { Lang="purebasic", Extensions={"pb", "pbi", "pbf"} }, + { Lang="markdown", Extensions={"md", "markdown", "mdwn", "mdx", "mkd", "mkdn", "mkdown", "ronn", "workbook"} }, + { Lang="clojure", Extensions={"clj", "cljc", "cljs", "edn"} }, + { Lang="solidity", Extensions={"sol"} }, + { Lang="powershell", Extensions={"ps1", "psm1", "psd1"} }, + { Lang="typescript", Extensions={"ts"} }, + + { Lang="exapunks", Extensions={"exapunks", "exa"} }, + { Lang="exapunks", Shebang=[[^(?i:NOTE\sEXAPUNKS)\b]] }, + + { Lang="xml", Shebang=[[^\s*<\?xml\s+version=\"1\.0\"\s+[^(>)]*?>\s*$]] }, + { Lang="shellscript", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?([bd]ash|t?csh|[akz]?sh)]] }, + { 
Lang="makefile",Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?make]] }, + { Lang="awk", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?[gnm]?awk]] }, + { Lang="perl", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?perl]] }, + { Lang="python", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?python]] }, + { Lang="ruby", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?ruby]] }, + { Lang="php", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?php]] }, + { Lang="javascript", Shebang=[[^#!\s*(/usr)?(/local)?/bin/(env\s+)?node]] } +} diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index 111342b8..92955539 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta @@ -4,9 +4,13 @@ 600 root root //etc/.cfgl/config.worktree 700 root root //etc/.cfgl/info 600 root root //etc/.cfgl/info/sparse-checkout +644 root root //etc/cgitrc +644 root root //etc/dnsmasq.conf 755 root root //etc/dovecot 644 root root //etc/dovecot/dovecot.conf 644 root root //etc/fstab +755 root root //etc/highlight +644 root root //etc/highlight/filetypes.conf 644 root root //etc/hostname 644 root root //etc/locale.conf 644 root root //etc/locale.gen 
@@ -17,20 +21,23 @@ 755 root root //etc/myconf 600 root root //etc/myconf/cfgl_meta 644 root root //etc/nftables.conf +755 root root //etc/nginx +644 root root //etc/nginx/nginx.conf 700 opendkim mail //etc/opendkim 644 opendkim mail //etc/opendkim/opendkim.conf 755 root root //etc/opendmarc 640 opendmarc mail //etc/opendmarc/opendmarc.conf 644 root root //etc/pacman.conf +755 root root //etc/pacman.d +755 root root //etc/pacman.d/hooks +644 root root //etc/pacman.d/hooks/highlight-css.hook 755 root root //etc/postfix 644 root root //etc/postfix/aliases 644 root root //etc/postfix/main.cf 644 root root //etc/postfix/master.cf -777 root root //etc/resolv.conf +644 root root //etc/resolv.conf 644 root root //etc/services 755 root root //etc/ssh -755 root root //etc/ssh/ssh_config.d -644 root root //etc/ssh/ssh_config.d/my_ssh_config.conf 644 root root //etc/ssh/sshd_config 440 root root //etc/sudoers 755 root root //etc/sysctl.d @@ -47,8 +54,12 @@ 644 root root //etc/systemd/system/opendmarc.service.d/override.conf 755 root root //etc/systemd/system/paccache.service.d 644 root root //etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf +755 root root //etc/systemd/system/sockets.target.wants +777 root root //etc/systemd/system/sockets.target.wants/uwsgi@cgit.socket 755 root root //etc/tmpfiles.d 644 root root //etc/tmpfiles.d/opendmarc.conf +755 root root //etc/uwsgi +644 root root //etc/uwsgi/cgit.ini 755 root root //home 700 xyz wheel //home/xyz 644 xyz wheel //home/xyz/.bashrc 
@@ -71,3 +82,24 @@ 644 xyz wheel //home/xyz/.profile 700 xyz wheel //home/xyz/.ssh 600 xyz wheel //home/xyz/.ssh/authorized_keys +755 root root //srv +755 root root //srv/http +755 root root //srv/http/master +644 root root //srv/http/master/index.html +644 root root //srv/http/master/pub_pgp_key.asc +644 root root //srv/http/master/pub_ssh_key.txt +755 root root //usr +755 root root //usr/lib +755 root root //usr/lib/cgit +755 root root //usr/lib/cgit/filters +755 root root //usr/lib/cgit/filters/about-formatting-edited.sh +755 root root //usr/lib/cgit/filters/syntax-highlighting-edited.sh +755 root root //usr/share +755 root root //usr/share/webapps +755 root root //usr/share/webapps/cgit +644 root root //usr/share/webapps/cgit/highlight.css +644 root root //usr/share/webapps/cgit/mycgit.css +755 root root //var +755 root root //var/lib +750 gitolite gitolite //var/lib/gitolite +600 gitolite gitolite //var/lib/gitolite/.gitolite.rc diff --git a/etc/nftables.conf b/etc/nftables.conf index 1ea06d6b..0f1aceeb 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf 
@@ -19,28 +19,27 @@ table inet my_table { ct state invalid drop comment "early drop of invalid connections" ct state {established, related} accept comment "allow tracked connections" iifname lo accept comment "allow from loopback" - iifname $wg_iface accept comment "allow from wireguard" + iifname $wg_iface ip saddr 10.0.0.1 accept comment "allow from wireguard insp ip" + iifname $wg_iface ip6 saddr fdc9:281f:04d7:9ee9::1 accept comment "allow from wireguard insp ip" ip protocol icmp accept meta l4proto ipv6-icmp accept tcp dport ssh accept - #tcp dport qbt-nox accept - #tcp dport qbt accept - #udp dport qbt accept #tcp dport iperf3 accept udp dport wireguard accept - udp dport swgp accept - # for acme.sh standalone mode builtin webserver to renew ssl cert tcp dport http accept + tcp dport https accept + # http3 quic + # seems no need open port 80 udp for http3, see https://serverfault.com/q/1185886 + udp dport https accept # email related ports tcp dport smtp accept - tcp dport pop3 accept - tcp dport imap accept + #tcp dport pop3 accept + #tcp dport imap accept tcp dport submissions accept tcp dport submission accept tcp dport imaps accept - tcp dport pop3s accept - tcp dport monerod-p2p accept + #tcp dport pop3s accept pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter comment "count any other traffic" 
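Review bot: `tcp dport ssh accept` remains an unconditional accept from any source, so the `pkttype host limit rate 5/second` reject at the end of the chain never applies to SSH and a scanner or brute-force stream is admitted at line rate on the public interface. The new `iifname $wg_iface ip saddr 10.0.0.1` / `ip6 saddr fdc9:281f:04d7:9ee9::1` rules already let the one WireGuard peer reach every port, so consider either limiting SSH to the tunnel or at least throttling new connections, e.g. `tcp dport ssh ct state new limit rate 6/minute burst 10 packets accept` placed before a final `tcp dport ssh drop`. Restricting to the tunnel risks lock-out if WireGuard itself breaks, which is a judgement call; whichever is chosen, a comment on the ssh line stating why port 22 stays open on the public interface would document the decision.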
@@ -72,14 +71,6 @@ table inet nat { # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting` # also vice versa, no need `chain postrouting` if has `chain prerouting` # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/ - chain prerouting { - type nat hook prerouting priority -100 - policy accept - # port forwarding from client - # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet - iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p - iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p - } # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface chain postrouting { type nat hook postrouting priority 100 @@ -87,8 +78,5 @@ table inet nat { # Needed for VPN. Needed for port forwarding from cilent with VPN through server # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#default-route oifname $pub_iface masquerade - # needed for port forwarding from client without VPN through server - # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#masquerading - #oifname $wg_iface masquerade } } diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf new file mode 100644 index 00000000..4fad34f0 --- /dev/null +++ b/etc/nginx/nginx.conf 
@@ -0,0 +1,227 @@ + +#user http; +# https://freenginx.org/en/docs/ngx_core_module.html#worker_processes +worker_processes auto; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + # nginx warning in journal or `sudo nginx -t`: "could not build optimal types_hash, you should increase either types_hash_max_size: 1024 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size" + # default is 1024, I increased to 2048 and still throws warning, I increase 4096 and warning is gone + # not fully understood + # https://wiki.archlinux.org/title/nginx#Warning:_Could_not_build_optimal_types_hash + # https://nginx.org/en/docs/http/ngx_http_core_module.html + # https://nginx.org/en/docs/hash.html + # https://nginx.org/en/docs/http/server_names.html + types_hash_max_size 4096; + + # https://freenginx.org/en/docs/http/ngx_http_v2_module.html#example + http2 on; + + server { + listen 80; + # needed for ipv6 + listen [::]:80; + # needed for http3 quic + # https://freenginx.org/en/docs/quic.html + # https://oheng.com/enabling-http-3-under-nginx/ + # + # http3 quic can be testd with https://http3check.net + # + # Note reuseport should only be used once per address:port pair. + # https://serverfault.com/a/1000428 points out that + # https://freenginx.org/en/docs/http/ngx_http_core_module.html#listen + # wrote: "The listen directive can have several additional parameters + # specific to socket-related system calls. 
These parameters can be + # specified in any listen directive, but only once for a given + # address:port pair." Also see https://stackoverflow.com/q/76348128 + listen 443 quic reuseport; + listen [::]:443 quic reuseport; + # https://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server + listen 443 ssl; + listen [::]:443 ssl; + server_name flylightning.xyz; + + ssl_certificate /etc/postfix/flylightning.pem; + ssl_certificate_key /etc/postfix/flylightning.key; + + # needed for http3 quic + # https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Alt-Svc + add_header Alt-Svc 'h3=":443"; ma=86400'; + + #charset koi8-r; + + #access_log logs/host.access.log main; + + location / { + root /srv/http/master; + index index.html; + } + + #error_page 404 /404.html; + + # redirect server error pages to the static page /50x.html + # + #error_page 500 502 503 504 /50x.html; + #location = /50x.html { + # root /usr/share/nginx/html; + #} + + # proxy the PHP scripts to Apache listening on 127.0.0.1:80 + # + #location ~ \.php$ { + # proxy_pass http://127.0.0.1; + #} + + # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 + # + #location ~ \.php$ { + # root html; + # fastcgi_pass 127.0.0.1:9000; + # fastcgi_index index.php; + # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; + # include fastcgi_params; + #} + + # deny access to .htaccess files, if Apache's document root + # concurs with nginx's one + # + #location ~ /\.ht { + # deny all; + #} + } + + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 
5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + server { + listen 80; + listen [::]:80; + listen 443 quic; + listen [::]:443 quic; + listen 443 ssl; + listen [::]:443 ssl; + server_name mirrors.flylightning.xyz; + + ssl_certificate /etc/postfix/flylightning.pem; + ssl_certificate_key /etc/postfix/flylightning.key; + + add_header Alt-Svc 'h3=":443"; ma=86400'; + + location / { + root /srv/http/mirrors; + autoindex on; + } + } + + # https://wiki.archlinux.org/title/Cgit#Using_uwsgi + # https://wiki.gentoo.org/wiki/User:Halcon/HOWTO_cgit_uwsgi_nginx + # https://uwsgi-docs.readthedocs.io/en/latest/Nginx.html + # https://nginx.org/en/docs/http/ngx_http_uwsgi_module.html + # https://stackoverflow.com/questions/16182421/cgit-and-nginx-url-rewrite + server { + listen 80; + listen [::]:80; + listen 443 quic; + listen [::]:443 quic; + listen 443 ssl; + listen [::]:443 ssl; + server_name git.flylightning.xyz; + root /usr/share/webapps/cgit; + + ssl_certificate /etc/postfix/flylightning.pem; + ssl_certificate_key /etc/postfix/flylightning.key; + + add_header Alt-Svc 'h3=":443"; ma=86400'; + + # about nginx location regex: + # - https://nginx.org/en/docs/http/ngx_http_core_module.html#location + # - https://stackoverflow.com/a/59846239 + # - note in nginx / only means / and no other meaning, so no need \/ + # - ~ means case-sensitive regex + # about (?:) non-capturing group: + # - https://manifold.net/doc/radian/why_do_non-capture_groups_exist_.htm + # - non-capturing group won't capture things inside () which may use later like in sed \1 + # - note: I don't think sed support ?: , because POSIX ERE and BRE doesn't seem to support ?: + # - maybe improve a little bit performance by not storing things (not tested, also I did not read the source code) + # Serve static files with nginx + location ~ ^/(?:cgit\.(?:css|png|js)|robots\.txt|highlight\.css|mycgit\.css|favicon\.ico)$ 
{ + root /usr/share/webapps/cgit; + expires 30d; + } + location / { + include uwsgi_params; + uwsgi_modifier1 9; + uwsgi_pass unix:/run/uwsgi/cgit.sock; + } + } + + # needed for acme.sh to renew mail.flylightning.xyz + server { + listen 80; + listen [::]:80; + server_name mail.flylightning.xyz; + } +} + +# vim: expandtab diff --git a/etc/pacman.d/hooks/highlight-css.hook b/etc/pacman.d/hooks/highlight-css.hook new file mode 100644 index 00000000..f14acaa7 --- /dev/null +++ b/etc/pacman.d/hooks/highlight-css.hook @@ -0,0 +1,13 @@ +[Trigger] +Type = Package +Operation = Install +Operation = Upgrade +Target = highlight + +[Action] +Description = Upgrading highlight.css for cgit syntax highlighting... +When = PostTransaction +# mycgit.css import this highlight.css and cgit.css, for syntax-highlighting-edited.sh +# because cgit.css is not pacman backup file and will be overwritten when upgrade cgit +Exec = /usr/bin/sh -c '/usr/bin/mkdir -p /usr/share/webapps/cgit && /usr/bin/highlight -O xhtml --print-style -o /usr/share/webapps/cgit/highlight.css' +Depends = highlight diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index 63fa4261..0d45fedd 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf @@ -743,5 +743,5 @@ sample_directory = /etc/postfix # readme_directory = /usr/share/doc/postfix inet_protocols = ipv4 -meta_directory = /etc/postfix shlib_directory = /usr/lib/postfix +meta_directory = /etc/postfix diff --git a/etc/resolv.conf b/etc/resolv.conf index 36396629..647b840f 120000..100644 --- a/etc/resolv.conf +++ b/etc/resolv.conf @@ -1 +1,3 @@ -/run/systemd/resolve/stub-resolv.conf
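Review bot: Every server block listens on both 80 and 443 with the same content, so flylightning.xyz, mirrors and git are fully served over plaintext HTTP, nothing redirects to HTTPS, no Strict-Transport-Security header is set, and the `Alt-Svc` header is even sent on port-80 responses. The content is public, but a client that lands on http:// keeps getting plaintext, so an on-path attacker can alter served files, the mirror index or the clone URLs cgit prints. Move the `listen 80` lines of the three TLS blocks into one redirect block and add HSTS to the TLS blocks; keep the redirect inside `location /` rather than at server level so a regex challenge location for /.well-known/acme-challenge/ (the comment on the mail.flylightning.xyz block says acme.sh depends on port-80 blocks, and the acme.sh override in this commit grants /etc/nginx write access, which suggests its nginx mode) still matches ahead of it. `$host` comes from the request, so the redirect block must not be the default server, hence the 444 catch-all below.
```nginx
    # Plaintext entry point for the HTTPS names: redirect to HTTPS. The redirect
    # sits in `location /` so a regex location for /.well-known/acme-challenge/
    # (inserted by acme.sh nginx mode) still takes precedence.
    server {
        listen 80;
        listen [::]:80;
        server_name flylightning.xyz mirrors.flylightning.xyz git.flylightning.xyz;
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # Catch-all so an arbitrary Host header is never echoed into a redirect.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 444;
    }

    server {
        # … unchanged: quic/ssl listen lines, server_name flylightning.xyz, ssl_certificate* … (the two `listen 80` lines are removed)
        add_header Alt-Svc 'h3=":443"; ma=86400';
        add_header Strict-Transport-Security "max-age=31536000" always;
        # … unchanged: location / … (same two edits in the mirrors and git blocks; the mail.flylightning.xyz block is untouched)
    }
```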
\ No newline at end of file +nameserver ::1 +nameserver 127.0.0.1 +options trust-ad diff --git a/etc/services b/etc/services index a7275932..fe9042b6 100644 --- a/etc/services +++ b/etc/services @@ -455,6 +455,7 @@ fxp 286/tcp fxp 286/udp k-block 287/tcp k-block 287/udp +tacacss 300/tcp novastorbakcup 308/tcp novastorbakcup 308/udp entrusttime 309/tcp @@ -1315,12 +1316,6 @@ pkix-3-ca-ra 829/tcp pkix-3-ca-ra 829/udp netconf-ssh 830/tcp netconf-ssh 830/udp -netconf-beep 831/tcp -netconf-beep 831/udp -netconfsoaphttp 832/tcp -netconfsoaphttp 832/udp -netconfsoapbeep 833/tcp -netconfsoapbeep 833/udp dhcp-failover2 847/tcp dhcp-failover2 847/udp gdoi 848/tcp @@ -7675,8 +7670,8 @@ perrla 4313/tcp choiceview-agt 4314/tcp choiceview-clt 4316/tcp opentelemetry 4317/tcp -fox-skytale 4319/tcp -fox-skytale 4319/udp +skytale 4319/tcp +skytale 4319/udp fdt-rcatp 4320/tcp fdt-rcatp 4320/udp rwhois 4321/tcp @@ -7799,8 +7794,8 @@ netcabinet-com 4409/tcp itwo-server 4410/tcp found 4411/tcp smallchat 4412/udp -avi-nms 4413/tcp -avi-nms-disc 4413/udp +vision-mon 4413/tcp +vision-mon-disc 4413/udp updog 4414/tcp brcd-vr-req 4415/tcp pjj-player 4416/tcp @@ -7875,6 +7870,7 @@ awacs-ice 4488/udp ipsec-nat-t 4500/tcp ipsec-nat-t 4500/udp a25-fap-fgw 4502/sctp +m-bus-oms 4503/udp armagetronad 4534/udp ehs 4535/tcp ehs 4535/udp @@ -8094,6 +8090,7 @@ vxlan-gpe 4790/udp roce 4791/udp unified-bus 4792/tcp unified-bus 4792/udp +uet 4793/udp iims 4800/tcp iims 4800/udp iwec 4801/tcp @@ -9671,6 +9668,7 @@ cuseeme 7648/tcp cuseeme 7648/udp rome 7663/tcp rome 7663/udp +authoritygate 7668/tcp imqstomp 7672/tcp imqstomps 7673/tcp imqtunnels 7674/tcp @@ -10478,6 +10476,7 @@ odnsp 9966/udp xybrid-rt 9978/tcp visweather 9979/tcp pumpkindb 9981/tcp +kaostransport 9986/tcp dsm-scm-target 9987/tcp dsm-scm-target 9987/udp nsesrvr 9988/tcp 
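Review bot: `options trust-ad` tells the glibc stub resolver to pass the AD (authenticated data) bit through to applications for the nameservers in this file, which are now ::1 and 127.0.0.1 — presumably the dnsmasq configured by this commit, replacing the systemd-resolved stub. The visible tail of dnsmasq.conf only forwards to public resolvers over plain port 53 (`server=8.8.8.8` and friends); unless `dnssec` with a `trust-anchor` is enabled earlier in that file, the local resolver is not validating, and trust-ad then vouches for an AD bit that travelled over an unauthenticated path (or that dnsmasq may clear — this diff does not show which). Either enable validation in dnsmasq, or drop `trust-ad`, and add a comment above it recording the decision, e.g. `# trust-ad is only meaningful because dnsmasq validates DNSSEC locally (dnssec + trust-anchor in dnsmasq.conf)`.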
@@ -11013,6 +11012,7 @@ notezilla-lan 21010/tcp trinket-agent 21212/tcp cohesity-agent 21213/tcp aigairserver 21221/tcp +xahaud 21337/tcp rdm-tfs 21553/tcp dfserver 21554/tcp dfserver 21554/udp @@ -11127,6 +11127,7 @@ binkp 24554/tcp binkp 24554/udp bilobit 24577/tcp bilobit-update 24577/udp +udpstp 24601/udp sdtvwcam 24666/tcp canditv 24676/tcp canditv 24676/udp @@ -11442,8 +11443,8 @@ ciscocsdb 43441/udp z-wave-tunnel 44123/tcp pmcd 44321/tcp pmcd 44321/udp -pmcdproxy 44322/tcp -pmcdproxy 44322/udp +pmproxy 44322/tcp +pmproxy 44322/udp pmwebapi 44323/tcp cognex-dataman 44444/tcp acronis-backup 44445/tcp @@ -11462,6 +11463,8 @@ rs-status 45002/tcp synctest 45045/tcp invision-ag 45054/tcp invision-ag 45054/udp +witsnet 45185/tcp +witsnet 45185/udp cloudcheck 45514/tcp cloudcheck-ping 45514/udp eba 45678/tcp @@ -11516,10 +11519,5 @@ nusrp 49001/tcp nusdp-disc 49001/udp inspider 49150/tcp # my services -monerod-p2p 18080/tcp wireguard 49432/udp -# My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server. -# https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/ -ssh-isp 49812/tcp iperf3 53497/tcp -swgp 54635/udp diff --git a/etc/ssh/ssh_config.d/my_ssh_config.conf b/etc/ssh/ssh_config.d/my_ssh_config.conf deleted file mode 100644 index a5f1fca3..00000000 --- a/etc/ssh/ssh_config.d/my_ssh_config.conf +++ /dev/null @@ -1,2 +0,0 @@ -Host flylightning.xyz - Port ssh-isp diff --git a/etc/sudoers b/etc/sudoers index 94678ba5..faf0e3f7 100644 --- a/etc/sudoers +++ b/etc/sudoers @@ -128,7 +128,7 @@ root ALL=(ALL:ALL) ALL # %wheel ALL=(ALL:ALL) NOPASSWD: ALL ## Uncomment to allow members of group sudo to execute any command -# %sudo ALL=(ALL:ALL) ALL +# %sudo ALL=(ALL:ALL) ALL ## Uncomment to allow any user to run sudo if they know the password ## of the user they are running the command as (root by default). 
diff --git a/etc/systemd/system/acme.sh.service.d/override.conf b/etc/systemd/system/acme.sh.service.d/override.conf
index 722f60a6..d18024e2 100644
--- a/etc/systemd/system/acme.sh.service.d/override.conf
+++ b/etc/systemd/system/acme.sh.service.d/override.conf
@@ -1,2 +1,9 @@
+# Note need both /etc/nginx and /var/log/nginx, else acme.sh will error: "It
+# seems that the nginx config is not correct, cannot continue." By editing
+# /usr/share/acme.sh/acme.sh to change `nginx -t >/dev/null 2>&1` to `nginx
+# -t`, we can see nginx's error log: "open() "/var/log/nginx/access.log"
+# failed", this is the reason why /var/log/nginx is also included. Including
+# both /etc/nginx and /var/log/nginx is also what I did on old studio laptop,
+# see config_local_arch_studio repo.
 [Service]
-ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix
+ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix /etc/nginx /var/log/nginx
diff --git a/etc/systemd/system/sockets.target.wants/uwsgi@cgit.socket b/etc/systemd/system/sockets.target.wants/uwsgi@cgit.socket
new file mode 120000
index 00000000..ec2ebc97
--- /dev/null
+++ b/etc/systemd/system/sockets.target.wants/uwsgi@cgit.socket
@@ -0,0 +1 @@
+/usr/lib/systemd/system/uwsgi@.socket
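Review bot: Adding /etc/nginx and /var/log/nginx to `ReadWritePaths=` hands the acme.sh service write access to the whole web-server configuration tree and its logs just so `nginx -t` can open the log files, which is far more than issuing a certificate needs; a buggy or compromised renewal run could then rewrite nginx.conf or truncate the access log. If the only reason is acme.sh's nginx mode, its webroot mode (`--webroot /srv/http/acme-challenge`, paired with a `location /.well-known/acme-challenge/` in nginx pointing at that directory) needs write access to that one directory and nothing under /etc/nginx or /var/log/nginx, so the line shrinks to `ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix /srv/http/acme-challenge`. If nginx mode is kept on purpose, the long comment above should say so in one line, e.g. `# acme.sh nginx mode edits /etc/nginx during issuance; /var/log/nginx is writable only so that nginx -t can open the log files`, rather than only describing the error that led here.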
\ No newline at end of file
diff --git a/etc/uwsgi/cgit.ini b/etc/uwsgi/cgit.ini
new file mode 100644
index 00000000..e2f750cb
--- /dev/null
+++ b/etc/uwsgi/cgit.ini
@@ -0,0 +1,14 @@
+# https://wiki.archlinux.org/title/Cgit#Using_uwsgi
+# https://wiki.gentoo.org/wiki/User:Halcon/HOWTO_cgit_uwsgi_nginx
+# https://uwsgi-docs.readthedocs.io/en/latest/Configuration.html
+# https://uwsgi-docs.readthedocs.io/en/latest/Options.html
+[uwsgi]
+master = true
+plugins = cgi
+socket = /run/uwsgi/%n.sock
+uid = http
+gid = http
+procname-master = uwsgi cgit
+processes = 1
+threads = 2
+cgi = /usr/lib/cgit/cgit.cgi |
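Review bot: The worker runs cgit.cgi as `uid = http` / `gid = http`, but the cfgl_meta manifest in this commit records /var/lib/gitolite as `750 gitolite gitolite`, so cgit can only open the repositories if http is a member of the gitolite group, the repositories live outside that tree, or an ACL not shown here grants access; whichever it is, record it above the `uid` line, e.g. `# cgit reads the gitolite repositories as http; access is granted via <group membership / ACL / repository path>, see cfgl_meta for /var/lib/gitolite`. Granting http the gitolite group would also expose every repository the group can read, so prefer an ACL or a dedicated read path if that is not intended. The socket at `/run/uwsgi/%n.sock` is created by the packaged `uwsgi@.socket` unit (the symlink added in this commit) and nginx.conf leaves `#user http;` commented out, so the effective socket mode and the user nginx connects as are not visible here — a second comment line naming both would let a reader check that only nginx can reach the cgit socket.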
