Diffstat (limited to 'etc')
-rwxr-xr-xetc/NetworkManager/dispatcher.d/70-wifi-wired-exclusive16
-rwxr-xr-xetc/NetworkManager/dispatcher.d/pre-down.d/20-monerod10
-rw-r--r--etc/NetworkManager/system-connections/wired_internet.nmconnection16
-rw-r--r--etc/NetworkManager/system-connections/wired_two_computer.nmconnection19
-rw-r--r--etc/conf.d/distccd-armv89
l---------etc/localtime2
l---------etc/mimic/enp3s0.conf1
-rw-r--r--etc/mimic/wlp2s0.conf44
-rw-r--r--etc/mkinitcpio.conf12
-rw-r--r--etc/myconf/cfgl_meta18
-rw-r--r--etc/nftables.conf6
-rw-r--r--etc/pacman.conf2
-rw-r--r--etc/services28
-rw-r--r--etc/ssh/ssh_config.d/my_ssh_config.conf2
-rw-r--r--etc/ssh/sshd_config151
-rw-r--r--etc/sudoers2
-rw-r--r--etc/systemd/system/monerod@.service48
l---------etc/systemd/system/multi-user.target.wants/mimic@wlp2s0.service1
18 files changed, 336 insertions, 51 deletions
diff --git a/etc/NetworkManager/dispatcher.d/70-wifi-wired-exclusive b/etc/NetworkManager/dispatcher.d/70-wifi-wired-exclusive
deleted file mode 100755
index a0f0c4c8..00000000
--- a/etc/NetworkManager/dispatcher.d/70-wifi-wired-exclusive
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-# https://wiki.archlinux.org/title/NetworkManager#Use_dispatcher_to_automatically_toggle_wireless_depending_on_LAN_cable_being_plugged_in
-
-if [ "$1" = "enp3s0" ]; then
- case "$2" in
- up)
- nmcli radio wifi off
- ;;
- down)
- nmcli radio wifi on
- ;;
- esac
-elif [ "$(nmcli -g GENERAL.STATE device show enp3s0)" = "20 (unavailable)" ]; then
- nmcli radio wifi on
-fi
diff --git a/etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod b/etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod
new file mode 100755
index 00000000..9c10aa0a
--- /dev/null
+++ b/etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# `man NetworkManager-dispatcher`
+
+if [ "$1" = wg_ba ]; then
+ case "$2" in
+ # my test shows only pre-down will be emitted, vpn-pre-down and down will not be emitted here
+ pre-down) systemctl stop monerod@xyz;;
+ esac
+fi
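Review bot: The instance name in `systemctl stop monerod@xyz` is hard-coded although the unit is a template parameterised on `%i`, and the same instance is pinned a second time by the enabled symlink tracked in cfgl_meta; a one-line comment such as `# must match the enabled monerod@<user>.service instance` keeps the two in step. Pre-down scripts run synchronously and the dispatcher applies a per-script timeout (see the cited man page), so a slow monerod shutdown can be cut short here; whether monerod exits within that budget is not visible on this page, and `systemctl stop --no-block` would at least not delay the interface teardown if the ordering guarantee turns out not to hold anyway.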
diff --git a/etc/NetworkManager/system-connections/wired_internet.nmconnection b/etc/NetworkManager/system-connections/wired_internet.nmconnection
new file mode 100644
index 00000000..45df4dea
--- /dev/null
+++ b/etc/NetworkManager/system-connections/wired_internet.nmconnection
@@ -0,0 +1,16 @@
+[connection]
+id=wired_internet
+uuid=e50d6197-b7c0-4062-b37a-844ba4fc6b40
+type=ethernet
+autoconnect-priority=1
+
+[ethernet]
+
+[ipv4]
+method=auto
+
+[ipv6]
+addr-gen-mode=stable-privacy
+method=auto
+
+[proxy]
diff --git a/etc/NetworkManager/system-connections/wired_two_computer.nmconnection b/etc/NetworkManager/system-connections/wired_two_computer.nmconnection
new file mode 100644
index 00000000..a16520df
--- /dev/null
+++ b/etc/NetworkManager/system-connections/wired_two_computer.nmconnection
@@ -0,0 +1,19 @@
+[connection]
+id=wired_two_computer
+uuid=84d6186e-c0c6-469f-bb8b-6cdc509954dd
+type=ethernet
+autoconnect-priority=2
+
+[ethernet]
+
+[ipv4]
+address1=10.0.3.1/32
+method=manual
+route1=10.0.3.2/32
+
+[ipv6]
+address1=fdc9:281f:4d7:9eec::1/64
+method=manual
+route1=fdc9:281f:4d7:9eec::2/128
+
+[proxy]
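Review bot: Neither this profile nor wired_internet.nmconnection pins a device (`interface-name=` under `[connection]` or `mac-address=` under `[ethernet]`), and this manual profile carries the higher `autoconnect-priority=2`; if both are candidates for the same NIC, NetworkManager will presumably choose this one on every cable plug and the DHCP profile never auto-activates. If the two profiles target different ports, `interface-name=` in each makes that explicit; if they share enp3s0, the priorities look inverted. The IPv4 address is a /32 while the IPv6 one is a /64, which may be deliberate for a point-to-point link but deserves a comment.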
diff --git a/etc/conf.d/distccd-armv8 b/etc/conf.d/distccd-armv8
new file mode 100644
index 00000000..0fe7d752
--- /dev/null
+++ b/etc/conf.d/distccd-armv8
@@ -0,0 +1,9 @@
+#
+# Parameters to be passed to distccd
+#
+# You must explicitly add IPs (or subnets) that are allowed to connect,
+# using the --allow switch. See the distccd manpage for more info.
+#
+
+PATH=/opt/x-tools8/aarch64-unknown-linux-gnu/bin:$PATH
+DISTCC_ARGS="--allow 10.0.0.7/32 --log-level info --log-file /tmp/distccd-armv8.log --port 49710"
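Review bot: `--log-file /tmp/distccd-armv8.log` points the daemon's log at a world-writable directory, the classic pre-created-file/symlink hazard, unless the unit runs with PrivateTmp=; `/var/log/distccd-armv8.log` or dropping `--log-file` in favour of the journal avoids it. Separately, if this file is consumed via systemd `EnvironmentFile=` rather than sourced by a shell, `$PATH` on the PATH= line is not expanded and the service sees the literal text `...:$PATH`; write the full value out or prepend the toolchain with `Environment=` in the unit. The unit that reads this file is not on this page, so both points depend on how it is loaded.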
diff --git a/etc/localtime b/etc/localtime
index 099d0edb..da516301 120000
--- a/etc/localtime
+++ b/etc/localtime
@@ -1 +1 @@
-/usr/share/zoneinfo/America/Los_Angeles \ No newline at end of file
+/usr/share/zoneinfo/Asia/Shanghai \ No newline at end of file
diff --git a/etc/mimic/enp3s0.conf b/etc/mimic/enp3s0.conf
new file mode 120000
index 00000000..22cac32f
--- /dev/null
+++ b/etc/mimic/enp3s0.conf
@@ -0,0 +1 @@
+wlp2s0.conf \ No newline at end of file
diff --git a/etc/mimic/wlp2s0.conf b/etc/mimic/wlp2s0.conf
new file mode 100644
index 00000000..7bac3ce9
--- /dev/null
+++ b/etc/mimic/wlp2s0.conf
@@ -0,0 +1,44 @@
+# This is an example configuration for Mimic. For each interface, you may
+# create <interface>.conf in /etc/mimic and in the following format to
+# pass arguments to Mimic's systemd service (mimic@<interface>.service).
+#
+# Each configuration should be in the format of `key=value`. There might be
+# whitespaces between key, '=' and value, and should be kept in one line. Empty
+# lines and ones that start with '#' are ignored.
+
+# Sets log verbosity. Log level equal to or higher (in number) than log
+# verbosity will be discarded. Both number and string matching log levels are
+# accepted. Number must be greater than or equal to 0. Defaults to info (2).
+#
+# Log levels:
+# 0 - error (cannot be discarded)
+# 1 - warn
+# 2 - info
+# 3 - debug
+# 4 - trace
+#log.verbosity = trace
+
+# Specify link layer type, can be 'eth' (Ethernet) or 'none' (no L2 header,
+# like PPP or TUN). Defaults to 'eth'.
+#link_type = eth
+
+# Force XDP attach mode, either 'skb' or 'native'. Defaults to 'native' if
+# target interface supports it, or 'skb'.
+#xdp_mode = skb
+
+# Use libxdp instead of libbpf to load XDP program. libxdp supports chaining
+# multiple XDP programs on one interface. Mimic loads libxdp dynamically using
+# dlopen. Defaults to false.
+#use_libxdp = false
+
+# Whether to always use maximum window size in TCP packets. Defaults to false.
+#max_window = false
+
+# Specifies which packets should be processed by Mimic. Can be set more
+# than once to allow parallel rules (OR'ed).
+#
+# Filter format follows `(local|remote)=IP:port`. For IPv6, IP addresses
+# need to be surrounded by square brackets. See below for examples.
+filter = remote=104.224.159.210:54635
+filter = remote=104.224.159.210:54644
+filter = remote=104.224.159.210:54645
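Review bot: The header still describes this as "an example configuration" although it is the live config for wlp2s0 and, through the new enp3s0.conf symlink, for enp3s0 as well; a comment next to the rules such as `# shared by wlp2s0 and enp3s0 (enp3s0.conf is a symlink to this file)` would stop the next editor from changing one interface's filters and silently changing both. The three `filter =` lines rely on Mimic's documented repeated-key semantics, which the file header's `key=value` description does not mention, so a short note there would help too.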
diff --git a/etc/mkinitcpio.conf b/etc/mkinitcpio.conf
index 413a707b..86f13bb0 100644
--- a/etc/mkinitcpio.conf
+++ b/etc/mkinitcpio.conf
@@ -34,25 +34,25 @@ FILES=()
#
## This setup will autodetect all modules for your system and should
## work as a sane default
-# HOOKS=(base udev autodetect modconf block filesystems fsck)
+# HOOKS=(base udev autodetect microcode modconf block filesystems fsck)
#
## This setup will generate a 'full' image which supports most systems.
## No autodetection is done.
-# HOOKS=(base udev modconf block filesystems fsck)
+# HOOKS=(base udev microcode modconf block filesystems fsck)
#
## This setup assembles a mdadm array with an encrypted root file system.
## Note: See 'mkinitcpio -H mdadm_udev' for more information on RAID devices.
-# HOOKS=(base udev modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
+# HOOKS=(base udev microcode modconf keyboard keymap consolefont block mdadm_udev encrypt filesystems fsck)
#
## This setup loads an lvm2 volume group.
-# HOOKS=(base udev modconf block lvm2 filesystems fsck)
+# HOOKS=(base udev microcode modconf block lvm2 filesystems fsck)
#
## This will create a systemd based initramfs which loads an encrypted root filesystem.
-# HOOKS=(base systemd autodetect modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
+# HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole sd-encrypt block filesystems fsck)
#
## NOTE: If you have /usr on a separate partition, you MUST include the
# usr and fsck hooks.
-HOOKS=(base systemd autodetect keyboard modconf block sd-encrypt filesystems fsck)
+HOOKS=(base systemd autodetect microcode keyboard modconf block sd-encrypt filesystems fsck)
# COMPRESSION
# Use this to compress the initramfs image. By default, zstd compression
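Review bot: With the `microcode` hook in HOOKS the CPU microcode is embedded in the generated image, so any separate `initrd /intel-ucode.img` or `initrd /amd-ucode.img` entry in the boot-loader configuration becomes redundant and should be removed once the image is regenerated; that configuration is not on this page, so this is only a reminder. Placing `microcode` directly after `autodetect` on the active HOOKS line is the documented ordering, so the line itself is fine.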
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index f1057d90..e615505c 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -7,6 +7,8 @@
700 root root //etc/.cfgl/info
600 root root //etc/.cfgl/info/sparse-checkout
644 root root //etc/chrony.conf
+755 root root //etc/conf.d
+644 root root //etc/conf.d/distccd-armv8
600 root root //etc/crypttab
600 root root //etc/crypttab.initramfs
644 root root //etc/fstab
@@ -17,25 +19,32 @@
644 root root //etc/makepkg.conf
755 root root //etc/makepkg.conf.d
644 root root //etc/makepkg.conf.d/rust.conf
+755 root root //etc/mimic
+777 root root //etc/mimic/enp3s0.conf
+644 root root //etc/mimic/wlp2s0.conf
644 root root //etc/mkinitcpio.conf
755 root root //etc/myconf
600 root root //etc/myconf/cfgl_meta
755 root root //etc/NetworkManager
755 root root //etc/NetworkManager/dispatcher.d
-755 root root //etc/NetworkManager/dispatcher.d/70-wifi-wired-exclusive
755 root root //etc/NetworkManager/dispatcher.d/90-sbar
+755 root root //etc/NetworkManager/dispatcher.d/pre-down.d
+755 root root //etc/NetworkManager/dispatcher.d/pre-down.d/20-monerod
+700 root root //etc/NetworkManager/system-connections
+600 root root //etc/NetworkManager/system-connections/wired_internet.nmconnection
+600 root root //etc/NetworkManager/system-connections/wired_two_computer.nmconnection
644 root root //etc/nftables.conf
644 root root //etc/pacman.conf
777 root root //etc/resolv.conf
644 root root //etc/services
755 root root //etc/ssh
-755 root root //etc/ssh/ssh_config.d
-644 root root //etc/ssh/ssh_config.d/my_ssh_config.conf
+644 root root //etc/ssh/sshd_config
440 root root //etc/sudoers
755 root root //etc/systemd
755 root root //etc/systemd/system
644 root root //etc/systemd/system/monerod@.service
755 root root //etc/systemd/system/multi-user.target.wants
+777 root root //etc/systemd/system/multi-user.target.wants/mimic@wlp2s0.service
777 root root //etc/systemd/system/multi-user.target.wants/monerod@xyz.service
755 root root //etc/systemd/system/paccache.service.d
644 root root //etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf
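Review bot: The `755 root root //etc/ssh/ssh_config.d` entry is dropped together with its only tracked file, but the directory is shipped by the openssh package and is still read by the client-side `Include`, so if this manifest is used to assert or restore modes that directory is now unmanaged; keep the directory line if that matters. The new `700` for system-connections and `600` for the two .nmconnection files match what NetworkManager expects for profiles that may carry secrets.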
@@ -81,8 +90,6 @@
600 xyz wheel //home/xyz/.config/mimeapps.list
700 xyz wheel //home/xyz/.config/mpv
644 xyz wheel //home/xyz/.config/mpv/mpv.conf
-755 xyz wheel //home/xyz/.config/mpv/scripts
-777 xyz wheel //home/xyz/.config/mpv/scripts/sponsorblock-minimal.lua
755 xyz wheel //home/xyz/.config/myconf
644 xyz wheel //home/xyz/.config/myconf/pacman_Qqme
644 xyz wheel //home/xyz/.config/myconf/pacman_Qqne
@@ -131,7 +138,6 @@
755 xyz wheel //home/xyz/.local/bin/alacritty
755 xyz wheel //home/xyz/.local/bin/matlab
755 xyz wheel //home/xyz/.local/bin/neomutt
-777 xyz wheel //home/xyz/.local/bin/zoom
755 xyz wheel //home/xyz/.local/share
700 xyz wheel //home/xyz/.local/share/applications
644 xyz wheel //home/xyz/.local/share/applications/editor.desktop
diff --git a/etc/nftables.conf b/etc/nftables.conf
index c26ae020..6bd80b22 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -20,16 +20,18 @@ table inet my_table {
ip protocol icmp accept
meta l4proto ipv6-icmp accept
- #tcp dport ssh accept
+ iifname wg_* tcp dport ssh accept
#tcp dport qbt-nox accept
#tcp dport searx accept
tcp dport qrcp accept
udp dport mdns accept
tcp dport qbt accept
udp dport qbt accept
- tcp dport monerod-p2p accept
+ iifname wg_* tcp dport monerod-p2p accept
#tcp dport iperf3 accept
#udp dport wireguard accept
+ iifname wg_* ip saddr 10.0.0.7 tcp dport distccd-alarm-armv8 accept
+ iifname wg_* ip6 saddr fdc9:281f:04d7:9ee9::7 tcp dport distccd-alarm-armv8 accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
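Review bot: The new IPv6 distccd rule admits fdc9:281f:04d7:9ee9::7, but DISTCC_ARGS in etc/conf.d/distccd-armv8 carries only `--allow 10.0.0.7/32`, so an IPv6 client would pass the firewall and then be refused by distccd (assuming it listens on v6 at all); either add `--allow fdc9:281f:04d7:9ee9::7/128` there or drop the ip6 rule so the firewall and the daemon agree. Restricting ssh and monerod-p2p to `iifname wg_*` lines up with the new sshd AllowUsers CIDR, a sound defence-in-depth pairing. The chain header and the final policy are outside the hunk.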
diff --git a/etc/pacman.conf b/etc/pacman.conf
index 51a6053b..3ce87953 100644
--- a/etc/pacman.conf
+++ b/etc/pacman.conf
@@ -44,6 +44,8 @@ SigLevel = Required DatabaseOptional
LocalFileSigLevel = Optional
#RemoteFileSigLevel = Required
+DisableDownloadTimeout
+
# NOTE: You must run `pacman-key --init` before first using pacman; the local
# keyring can then be populated with the keys of all official Arch Linux
# packagers with `pacman-key --populate archlinux`.
diff --git a/etc/services b/etc/services
index 6a375314..af3c12cf 100644
--- a/etc/services
+++ b/etc/services
@@ -455,6 +455,7 @@ fxp 286/tcp
fxp 286/udp
k-block 287/tcp
k-block 287/udp
+tacacss 300/tcp
novastorbakcup 308/tcp
novastorbakcup 308/udp
entrusttime 309/tcp
@@ -1315,12 +1316,6 @@ pkix-3-ca-ra 829/tcp
pkix-3-ca-ra 829/udp
netconf-ssh 830/tcp
netconf-ssh 830/udp
-netconf-beep 831/tcp
-netconf-beep 831/udp
-netconfsoaphttp 832/tcp
-netconfsoaphttp 832/udp
-netconfsoapbeep 833/tcp
-netconfsoapbeep 833/udp
dhcp-failover2 847/tcp
dhcp-failover2 847/udp
gdoi 848/tcp
@@ -7675,8 +7670,8 @@ perrla 4313/tcp
choiceview-agt 4314/tcp
choiceview-clt 4316/tcp
opentelemetry 4317/tcp
-fox-skytale 4319/tcp
-fox-skytale 4319/udp
+skytale 4319/tcp
+skytale 4319/udp
fdt-rcatp 4320/tcp
fdt-rcatp 4320/udp
rwhois 4321/tcp
@@ -7799,8 +7794,8 @@ netcabinet-com 4409/tcp
itwo-server 4410/tcp
found 4411/tcp
smallchat 4412/udp
-avi-nms 4413/tcp
-avi-nms-disc 4413/udp
+vision-mon 4413/tcp
+vision-mon-disc 4413/udp
updog 4414/tcp
brcd-vr-req 4415/tcp
pjj-player 4416/tcp
@@ -7875,6 +7870,7 @@ awacs-ice 4488/udp
ipsec-nat-t 4500/tcp
ipsec-nat-t 4500/udp
a25-fap-fgw 4502/sctp
+m-bus-oms 4503/udp
armagetronad 4534/udp
ehs 4535/tcp
ehs 4535/udp
@@ -8094,6 +8090,7 @@ vxlan-gpe 4790/udp
roce 4791/udp
unified-bus 4792/tcp
unified-bus 4792/udp
+uet 4793/udp
iims 4800/tcp
iims 4800/udp
iwec 4801/tcp
@@ -10479,6 +10476,7 @@ odnsp 9966/udp
xybrid-rt 9978/tcp
visweather 9979/tcp
pumpkindb 9981/tcp
+kaostransport 9986/tcp
dsm-scm-target 9987/tcp
dsm-scm-target 9987/udp
nsesrvr 9988/tcp
@@ -11014,6 +11012,7 @@ notezilla-lan 21010/tcp
trinket-agent 21212/tcp
cohesity-agent 21213/tcp
aigairserver 21221/tcp
+xahaud 21337/tcp
rdm-tfs 21553/tcp
dfserver 21554/tcp
dfserver 21554/udp
@@ -11128,6 +11127,7 @@ binkp 24554/tcp
binkp 24554/udp
bilobit 24577/tcp
bilobit-update 24577/udp
+udpstp 24601/udp
sdtvwcam 24666/tcp
canditv 24676/tcp
canditv 24676/udp
@@ -11443,8 +11443,8 @@ ciscocsdb 43441/udp
z-wave-tunnel 44123/tcp
pmcd 44321/tcp
pmcd 44321/udp
-pmcdproxy 44322/tcp
-pmcdproxy 44322/udp
+pmproxy 44322/tcp
+pmproxy 44322/udp
pmwebapi 44323/tcp
cognex-dataman 44444/tcp
acronis-backup 44445/tcp
@@ -11524,9 +11524,7 @@ ai-webui 7860/tcp
monerod-p2p 18080/tcp
qrcp 49153/tcp
wireguard 49432/udp
-# My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
-# https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
-ssh-isp 49812/tcp
+distccd-alarm-armv8 49710/tcp
iperf3 53497/tcp
# qemu port forward guest windows virtual machine ssh
qemu-win-ssh 53683/tcp
diff --git a/etc/ssh/ssh_config.d/my_ssh_config.conf b/etc/ssh/ssh_config.d/my_ssh_config.conf
deleted file mode 100644
index a5f1fca3..00000000
--- a/etc/ssh/ssh_config.d/my_ssh_config.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-Host flylightning.xyz
- Port ssh-isp
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
new file mode 100644
index 00000000..bf7498f8
--- /dev/null
+++ b/etc/ssh/sshd_config
@@ -0,0 +1,151 @@
+# `man sshd_config` says "for each keyword, the first obtained value will be used". So I decided to put my configs before all others to override them all.
+# Based on manpage, setting PasswordAuthentication no, and Arch Linux default KbdInteractiveAuthentication no, with other defaults seems already equivalent to AuthenticationMethods publickey, but I still put it here for redundancy.
+# https://wiki.archlinux.org/title/OpenSSH#Force_public_key_authentication
+AuthenticationMethods publickey
+PermitRootLogin no
+PasswordAuthentication no
+# KbdInteractiveAuthentication no and UsePAM yes are Arch Linux default settings see /etc/ssh/sshd_config.d/00-archlinux.conf, I need these configs, I put them here just in case Arch Linux change the defaults in the future.
+KbdInteractiveAuthentication no
+UsePAM yes
+# when ssh into this remote server, client if use alacritty need `SendEnv COLORTERM` to send the env to server, so server ls can default output color, more see comments in my alacritty.toml config
+AcceptEnv COLORTERM
+
+# https://unix.stackexchange.com/a/472848 wrote about sshd_config AllowUsers
+# CIDR address: "Notice that that will not work with 'inconsistent' addresses
+# (where the bits outside the mask are not all 0, eg. 192.168.177.0/22)". My
+# understanding is that 177 in binary is 10110001, 32-22=10 so 192.168.177.0
+# last 10 binary are 0100000000, note there's a 1 so it will not work; and
+# 192.168.176.0/22 works because its last 10 binary are all 0. `man
+# sshd_config` also wrote about this: "Note that the mask length provided must
+# be consistent with the address - it is an error to specify a mask length that
+# is too long for the address or one with bits set in this host portion of the
+# address. For example, 192.0.2.0/33 and 192.0.2.0/8, respectively."; the
+# second part of the comment "one with bits set in this host portion of the
+# address" with the example CIDR ip 192.0.2.0/8 matched my understanding above,
+# 192.0.2.0/8 has a 2 which is 10 in binary which is a bit set "in" the CIDR /8
+# range, so it will not work. Just before that quote, it also gives an example
+# of 192.0.2.0/24 which should work. Not tested.
+#
+# My test shows `AllowUsers gitolite@localhost` does not work, so I use
+# 127.0.0.1 and ::1
+AllowUsers gitolite@10.0.0.0/24 gitolite@127.0.0.1 gitolite@::1
+
+# Include drop-in configurations
+Include /etc/ssh/sshd_config.d/*.conf
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+#PermitRootLogin prohibit-password
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile .ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to "no" here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to "no" to disable keyboard-interactive authentication. Depending on
+# the system's configuration, this may involve passwords, challenge-response,
+# one-time passwords or some combination of these and other methods.
+#KbdInteractiveAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the KbdInteractiveAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and KbdInteractiveAuthentication to 'no'.
+#UsePAM no
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+#X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/ssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
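Review bot: `AllowUsers gitolite@10.0.0.0/24 gitolite@127.0.0.1 gitolite@::1` makes gitolite the only account that can log in at all, and because the hard settings precede `Include` and sshd keeps the first value, no drop-in can ever widen it; if the admin user is meant to log in too, add it here, otherwise a comment such as `# gitolite is intentionally the only SSH-reachable account` records that the lockout is deliberate. Attempts by other users are logged as "User X from ADDR not allowed because not listed in AllowUsers", which is the signal to watch for. The long CIDR explanation above it could shrink to the manpage's single rule (host bits inside the mask must be zero) with the links kept.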
diff --git a/etc/sudoers b/etc/sudoers
index 94678ba5..faf0e3f7 100644
--- a/etc/sudoers
+++ b/etc/sudoers
@@ -128,7 +128,7 @@ root ALL=(ALL:ALL) ALL
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL:ALL) ALL
+# %sudo ALL=(ALL:ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
diff --git a/etc/systemd/system/monerod@.service b/etc/systemd/system/monerod@.service
index 0dfd9e70..bcdbb700 100644
--- a/etc/systemd/system/monerod@.service
+++ b/etc/systemd/system/monerod@.service
@@ -1,6 +1,44 @@
[Unit]
Description=Monero Full Node for user %I
After=network.target
+# `man systemd.unit`
+
+# Notes about my tests with BindsTo= and other options see this url:
+# https://git.flylightning.xyz/public_archive_codes/tree/configs/configs_root_dir/etc/systemd/system/monerod_after_bindsto_mullvad.service
+#
+# I learned about using sys-subsystem-net-devices-wg_ba.device from:
+# https://unix.stackexchange.com/q/360214
+# https://unix.stackexchange.com/q/669660
+# More similar devices see `systemctl` or `systemctl --user`. I also have
+# sys-subsystem-net-devices-wg_ba.device which is related to
+# /sys/subsystem/net/devices/wg_ba, but my computer does not have
+# /sys/subsystem dir, and systemctl status
+# sys-subsystem-net-devices-wg_ba.device shows "Device:" is also
+# /sys/devices/virtual/net/wg_ba, so I choose to use
+# sys-subsystem-net-devices-wg_ba.device.
+#
+# I want monerod tunnel all traffic through wireguard, otherwise China ISP will
+# think I mine crypto and will be unhappy. This is one of the measures I take,
+# which is to only run monerod when wg_ba network interface is up. **Note it
+# seems there will still have some traffic being leaked when wg_ba is down**,
+# maybe due to moenrod does not being killed immediately. Maybe use use
+# KillSignal=SIGKILL can kill it faster, see `man systemd.kill`, but I don't
+# want it to be killed with SIGKILL even when proper poweroff computer so maybe
+# don't use it. It can be tested with sth. like `sudo tcpdump -i wlp2s0 port
+# 18080`. wg_ba is tunnelling all computer traffic through ba. I bind it to
+# wg_ba because trying to make monerod tunnel traffic to wireguard when
+# wg_master is up is hard. wg_master does not tunnel all computer traffic.
+# monerod --p2p-bind-ip does not work as expected when under wg_master, see vq
+# bug notes. ba VPS nftables.conf also need `oifname $wg_iface masquerade` for
+# monerod to tunnel some traffic through ba wireguard when insp is under
+# wg_master, but this has issue of insp can't access ib qbt and jackett because
+# I guess this maybe somehow also masquerade my website accessing ib qbt and
+# jackett with other ip which ib nft refuse to let the ip to see its local
+# ports. One way I could think to make monerod tunnel all traffic through
+# wireguard is to use virutal network interface and namespaces but that is very
+# complicated.
+After=sys-subsystem-net-devices-wg_ba.device
+BindsTo=sys-subsystem-net-devices-wg_ba.device
[Service]
User=%i
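Review bot: The comment block records that traffic still escapes on wlp2s0 for a moment after wg_ba goes down, yet the unit only orders and binds itself to the device; an nftables output rule keyed on this unit's user and `oifname != "wg_*"` for tcp dport monerod-p2p would close that window regardless of how fast monerod exits, and it complements the inbound `iifname wg_*` rule added in nftables.conf. `TimeoutStopSec=` could also bound the SIGTERM grace period without resorting to KillSignal=SIGKILL. In the second hunk `Restart=no` is systemd's default, so that line is documentation only, and the seven-line comment above it could be trimmed to say just that. The `[Service]` section continues outside the first hunk.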
@@ -9,8 +47,14 @@ Type=simple
ExecStart=/usr/bin/monerod --non-interactive
StandardOutput=null
StandardError=null
-
-Restart=always
+# `man systemd.service`
+# I would like to kill monerod with my vpn script as one of the measures to
+# bind it to wg_ba wireguard network interface, so no restart. If restart,
+# after me kill monerod, it will be restarted which is not what I want. I don't
+# wish to always make it run, run only for some time after me start the
+# computer is ok for me, just need to sync and share the monero node a little
+# bit, I'm fine if later on moenrod got killed for whatever reason.
+Restart=no
[Install]
WantedBy=multi-user.target
diff --git a/etc/systemd/system/multi-user.target.wants/mimic@wlp2s0.service b/etc/systemd/system/multi-user.target.wants/mimic@wlp2s0.service
new file mode 120000
index 00000000..dce9a731
--- /dev/null
+++ b/etc/systemd/system/multi-user.target.wants/mimic@wlp2s0.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/mimic@.service \ No newline at end of file