From 7772331aa5df0b8106f3523a0070269fae735894 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 17 Mar 2024 21:09:42 -0700 Subject: xyzca init --- etc/.cfgl/config | 4 ++-- etc/fstab | 8 ++------ etc/hostname | 2 +- etc/myconf/cfgl_meta | 7 ------- etc/services | 5 ----- etc/systemd/network/default.network | 4 ++-- .../system/multi-user.target.wants/qbittorrent-nox@xyz.service | 1 - home/xyz/.bashrc | 2 +- home/xyz/.config/myconf/pacman_Qqme | 1 - home/xyz/.config/myconf/pacman_Qqne | 1 - home/xyz/.config/myconf/sye | 1 - home/xyz/.local/share/qBittorrent/nova3/engines/jackett.json | 6 ------ 12 files changed, 8 insertions(+), 34 deletions(-) delete mode 120000 etc/systemd/system/multi-user.target.wants/qbittorrent-nox@xyz.service delete mode 100644 home/xyz/.local/share/qBittorrent/nova3/engines/jackett.json diff --git a/etc/.cfgl/config b/etc/.cfgl/config index f54a1e6d..608699e2 100644 --- a/etc/.cfgl/config +++ b/etc/.cfgl/config @@ -11,6 +11,6 @@ fetch = +refs/heads/*:refs/remotes/origin/* [commit] gpgsign = false -[branch "ia"] +[branch "ca"] remote = origin - merge = refs/heads/ia + merge = refs/heads/ca diff --git a/etc/fstab b/etc/fstab index 0ab5716a..2b9bc910 100644 --- a/etc/fstab +++ b/etc/fstab @@ -2,10 +2,6 @@ # See fstab(5) for details. # -# /dev/sda1 LABEL=root -UUID=ed61e67e-7605-4383-ac16-fe54ee2ede87 / ext4 rw,relatime,errors=remount-ro 0 1 +/dev/sda3 / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 1 -# /dev/sdb1 -UUID=cfbeb3bb-f781-4e63-9635-9155fe85f12c /home ext4 rw,relatime 0 2 - -/swapfile none swap defaults 0 0 +/dev/sda2 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2 diff --git a/etc/hostname b/etc/hostname index 45c80593..8eb04e15 100644 --- a/etc/hostname +++ b/etc/hostname @@ -1 +1 @@ -xyzia +xyzca diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index 20beab3b..ab512d08 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta 
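Review bot: The two new entries in the `etc/fstab` hunk, `/dev/sda3 / xfs …` and `/dev/sda2 /boot/efi vfat …`, identify filesystems by kernel device name, whereas the lines they replace used `UUID=`; device enumeration order is not stable across disk or controller changes, and a renumbered `sda` would mount the wrong filesystem or leave the host unbootable. Keep the stable identifier form that fstab(5) supports for both lines, e.g. `UUID=<root-fs-uuid> / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 1` (placeholder; take the value from `blkid`). The `fmask=0077,dmask=0077` options on the EFI partition are a good choice and should stay as they are.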
@@ -27,7 +27,6 @@ 644 systemd-network systemd-network //etc/systemd/network/default.network 755 root root //etc/systemd/system 755 root root //etc/systemd/system/multi-user.target.wants -777 root root //etc/systemd/system/multi-user.target.wants/qbittorrent-nox@xyz.service 777 root root //etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service 755 root root //etc/systemd/system/paccache.service.d 644 root root //etc/systemd/system/paccache.service.d/10-remove-all.conf @@ -50,12 +49,6 @@ 755 xyz wheel //home/xyz/.config/nvim 644 xyz wheel //home/xyz/.config/nvim/init.vim 600 xyz wheel //home/xyz/.config/user-dirs.dirs -755 xyz wheel //home/xyz/.local -755 xyz wheel //home/xyz/.local/share -755 xyz wheel //home/xyz/.local/share/qBittorrent -755 xyz wheel //home/xyz/.local/share/qBittorrent/nova3 -755 xyz wheel //home/xyz/.local/share/qBittorrent/nova3/engines -644 xyz wheel //home/xyz/.local/share/qBittorrent/nova3/engines/jackett.json 644 xyz wheel //home/xyz/.profile 700 xyz wheel //home/xyz/.ssh 600 xyz wheel //home/xyz/.ssh/authorized_keys diff --git a/etc/services b/etc/services index 03819fb0..b1b9f5bc 100644 --- a/etc/services +++ b/etc/services @@ -11512,8 +11512,3 @@ wireguard 49432/udp # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/ ssh-isp 49812/tcp iperf3 53497/tcp -# qbittorrent-nox web ui port for remote access browser gui -qbt-nox 57151/tcp -# qbittorrent/ options/ connection/ listening port -qbt 57737/tcp -qbt 57737/udp diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network index cb28d02e..43f05d95 100644 --- a/etc/systemd/network/default.network +++ b/etc/systemd/network/default.network @@ -2,5 +2,5 @@ Name=eth0 [Network] -Gateway=89.213.174.1 -Address=89.213.174.95/24 +Gateway=216.181.107.1 +Address=216.181.107.253/24 
diff --git a/etc/systemd/system/multi-user.target.wants/qbittorrent-nox@xyz.service b/etc/systemd/system/multi-user.target.wants/qbittorrent-nox@xyz.service deleted file mode 120000 index 41aa9f51..00000000 --- a/etc/systemd/system/multi-user.target.wants/qbittorrent-nox@xyz.service +++ /dev/null @@ -1 +0,0 @@ -/usr/lib/systemd/system/qbittorrent-nox@.service \ No newline at end of file diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index 33d8cd11..4d81b50f 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc @@ -29,7 +29,7 @@ esac # tput is better for different terminals? # but also need \[ and \] around color code for PS1! but seems no need for printf in script? why? # setaf and sgr0 see `man terminfo` -PS1="\[$(tput setaf 5)\][\u@\h \W]\$ \[$(tput sgr0)\]" +PS1="\[$(tput setaf 6)\][\u@\h \W]\$ \[$(tput sgr0)\]" # https://github.com/LukeSmithxyz/voidrice/blob/master/.config/shell/aliasrc for cmd in hardcode-fixer ventoy units_cur fbgrab powertop nft rpi-imager fdisk dmesg; do diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme index 4e8e5af9..49e49a7d 100644 --- a/home/xyz/.config/myconf/pacman_Qqme +++ b/home/xyz/.config/myconf/pacman_Qqme @@ -5,7 +5,6 @@ bash-complete-alias dashbinsh grub-hook htop-vim -jackett-bin librespeed-cli neofetch-git neovim-plug diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index b8907d10..0d6c35db 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -30,7 +30,6 @@ posix-software-development posix-user-portability posix-xsi python-pip -qbittorrent-nox rebuild-detector reflector rsync diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye index a0dc6868..9f1da6e7 100644 --- a/home/xyz/.config/myconf/sye +++ b/home/xyz/.config/myconf/sye 
@@ -1,6 +1,5 @@
UNIT FILE STATE PRESET getty@.service enabled enabled
-jackett.service enabled disabled
nftables.service enabled disabled sshd.service enabled disabled systemd-network-generator.service enabled enabled
diff --git a/home/xyz/.local/share/qBittorrent/nova3/engines/jackett.json b/home/xyz/.local/share/qBittorrent/nova3/engines/jackett.json
deleted file mode 100644
index 5b715a13..00000000
--- a/home/xyz/.local/share/qBittorrent/nova3/engines/jackett.json
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- "api_key": "qsl99mxd991t5f3azf9bcgf22cbbjeum",
- "thread_count": 20,
- "tracker_first": false,
- "url": "http://127.0.0.1:9117"
-}
-- cgit v1.2.3-70-g09d2
From 9b24c4ed18f9751713c71e9caeee1c290751272b Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Mon, 18 Mar 2024 05:12:03 +0000
Subject: add swapfile fstab
---
etc/fstab | 2 ++
1 file changed, 2 insertions(+)
diff --git a/etc/fstab b/etc/fstab
index 2b9bc910..7c8698e7 100644
--- a/etc/fstab
+++ b/etc/fstab
@@ -5,3 +5,5 @@
/dev/sda3 / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 1
/dev/sda2 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
+
+/swapfile none swap defaults 0 0
-- cgit v1.2.3-70-g09d2
From 1867975e6045c5f81b658ac90d26612825c7a484 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Mon, 18 Mar 2024 05:12:15 +0000
Subject: ca no qbt
---
etc/nftables.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/nftables.conf b/etc/nftables.conf
index ab16ed11..b0c2c669 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -29,8 +29,8 @@ table inet my_table {
tcp dport ssh accept #tcp dport qbt-nox accept
- tcp dport qbt accept
- udp dport qbt accept
+ #tcp dport qbt accept
+ #udp dport qbt accept
#tcp dport iperf3 accept udp dport wireguard accept
-- cgit v1.2.3-70-g09d2
From fef849e7c6212ed2d8c47f6c5d5e7cfc8592fc87 Mon Sep 17 00:00:00 2001
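Review bot: The deleted `jackett.json` carried a credential, `"api_key": "qsl99mxd991t5f3azf9bcgf22cbbjeum"`, and removing the file in commit 7772331 does not remove it from the repository history — anyone with read access to the repo, or to any mirror of it, can still recover the key from this commit. Treat the key as exposed: rotate it in Jackett (or leave the instance decommissioned, as the package and unit removals in the same commit suggest), and add the path `home/xyz/.local/share/qBittorrent/nova3/engines/jackett.json` to the repo's ignore rules so a future copy of the config is not committed again. Purging the blob from history with a rewrite only helps if every clone and mirror is rewritten too, so rotation is the reliable step.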
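Review bot: The newly commented lines `#tcp dport qbt accept` and `#udp dport qbt accept` (and the existing `#tcp dport qbt-nox accept` above them) still refer to the service names `qbt` and `qbt-nox`, which the `etc/services` hunk in commit 7772331 removed; nft resolves such names through the services database, so uncommenting any of these later would make the ruleset fail to load rather than open the port, and a failed load at boot or on restart leaves the host with whatever filtering state preceded it. If the lines are kept as a reminder, either restore the `qbt`/`qbt-nox` entries in `etc/services` alongside them or rewrite the comments with the numeric ports (`#tcp dport 57737 accept`, `#udp dport 57737 accept`, `#tcp dport 57151 accept`) so they can be re-enabled without touching a second file. A one-line comment such as `# qbt/qbt-nox names were dropped from etc/services; use numeric ports if re-enabling` would make the dependency explicit. The enclosing `table inet my_table {` and its chain begin outside the hunk.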
From: Xiao Pan Date: Mon, 18 Mar 2024 05:16:39 +0000 Subject: no jackett, one less service --- home/xyz/.config/myconf/sye | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye index 9f1da6e7..23d37551 100644 --- a/home/xyz/.config/myconf/sye +++ b/home/xyz/.config/myconf/sye @@ -14,4 +14,4 @@ remote-fs.target enabled enabled paccache.timer enabled disabled pacman-filesdb-refresh.timer enabled disabled -15 unit files listed. +14 unit files listed. -- cgit v1.2.3-70-g09d2 From 724688b2fb519d5fd39bf88c39353ec2df319d9e Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 18 Mar 2024 05:17:43 +0000 Subject: ca default use xfs. I may switch to ext4 in the future. But for now I will try xfs --- home/xyz/.config/myconf/pacman_Qqne | 1 + 1 file changed, 1 insertion(+) diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index 0d6c35db..780b4d53 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -46,5 +46,6 @@ unzip vidir2-git wireguard-tools xdg-user-dirs +xfsprogs zip zoxide -- cgit v1.2.3-70-g09d2 From 62e23a287b8e5194130ad33570e6849a3fcb9892 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Wed, 20 Mar 2024 09:10:33 +0000 Subject: add future maybe enable ports to nft conf --- etc/nftables.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/nftables.conf b/etc/nftables.conf index b0c2c669..bd943c12 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf @@ -33,6 +33,12 @@ table inet my_table { #udp dport qbt accept #tcp dport iperf3 accept udp dport wireguard accept + # email ports + #tcp dport smtp accept + #udp dport smtp accept + # other email ports? seems blocked by crunchbits + #tcp dport 465 accept + #tcp dport 587 accept pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter comment "count any other traffic" -- cgit v1.2.3-70-g09d2 
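Review bot: `#udp dport smtp accept` in the new "email ports" block is a dead entry — SMTP on 25, 465 and 587 is TCP-only, so if that line is ever uncommented it opens UDP/25 for a service that will never listen there. Drop the UDP line and keep only the TCP entries; the `smtp` name resolves through `etc/services`, whereas `465` and `587` are written numerically, so a comment on those two lines naming what they are (`# 465 = smtps/submissions, 587 = submission`) would make the block self-explanatory. The placement before the `pkttype host limit rate 5/second counter reject …` line is correct for accept rules in this chain. The enclosing `table inet my_table {` and its chain begin outside the hunk.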
From 0e4a49e53b2c241e9ef32edf5e3080f6a8e443ff Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Wed, 20 Mar 2024 09:11:09 +0000 Subject: remove rustup, do `rustup toolchain remove stable` first, to save storage --- home/xyz/.config/myconf/pacman_Qqne | 1 - 1 file changed, 1 deletion(-) diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index 780b4d53..1b50d72a 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -33,7 +33,6 @@ python-pip rebuild-detector reflector rsync -rustup shellcheck speedtest-cli strace -- cgit v1.2.3-70-g09d2 From 63d5617fa2a44f7bf8e093703ad65dbecd0e3452 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 31 Mar 2024 04:13:54 +0000 Subject: update --- home/xyz/.config/myconf/pacman_Qqme | 1 - 1 file changed, 1 deletion(-) diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme index 49e49a7d..920f3141 100644 --- a/home/xyz/.config/myconf/pacman_Qqme +++ b/home/xyz/.config/myconf/pacman_Qqme @@ -1,5 +1,4 @@ absolutely-proprietary -asp atool2-git bash-complete-alias dashbinsh -- cgit v1.2.3-70-g09d2 From 79e4f5062a1dbf38b59fbea2e298109da6d9edcf Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 4 Apr 2024 03:25:47 +0000 Subject: default --- etc/postfix/aliases | 267 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 267 insertions(+) create mode 100644 etc/postfix/aliases diff --git a/etc/postfix/aliases b/etc/postfix/aliases new file mode 100644 index 00000000..8f1a2845 --- /dev/null +++ b/etc/postfix/aliases 
@@ -0,0 +1,267 @@ +# +# Sample aliases file. Install in the location as specified by the +# output from the command "postconf alias_maps". Typical path names +# are /etc/aliases or /etc/mail/aliases. +# +# >>>>>>>>>> The program "newaliases" must be run after +# >> NOTE >> this file is updated for any changes to +# >>>>>>>>>> show through to Postfix. +# + +# Person who should get root's mail. Don't receive mail as root! +#root: you + +# Basic system aliases -- these MUST be present +MAILER-DAEMON: postmaster +postmaster: root + +# General redirections for pseudo accounts +bin: root +daemon: root +named: root +nobody: root +uucp: root +www: root +ftp-bugs: root +postfix: root + +# Put your local aliases here. + +# Well-known aliases +manager: root +dumper: root +operator: root +abuse: postmaster + +# trap decode to catch security attacks +decode: root + +# ALIASES(5) ALIASES(5) +# +# NAME +# aliases - Postfix local alias database format +# +# SYNOPSIS +# newaliases +# +# DESCRIPTION +# The aliases(5) table provides a system-wide mechanism to +# redirect mail for local recipients. The redirections are +# processed by the Postfix local(8) delivery agent. +# +# Normally, the aliases(5) table is specified as a text file +# that serves as input to the postalias(1) command. The +# result, an indexed file in dbm or db format, is used for +# fast lookup by the mail system. Execute the command +# newaliases in order to rebuild the indexed file after +# changing the Postfix alias database. +# +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary +# indexed files. +# +# Alternatively, the table can be provided as a regu- +# lar-expression map where patterns are given as regular +# expressions. In this case, the lookups are done in a +# slightly different way as described below under "REGULAR +# EXPRESSION TABLES". 
+# +# Users can control delivery of their own mail by setting up +# .forward files in their home directory. Lines in per-user +# .forward files have the same syntax as the right-hand side +# of aliases(5) entries. +# +# The format of the alias database input file is as follows: +# +# o An alias definition has the form +# +# name: value1, value2, ... +# +# o Empty lines and whitespace-only lines are ignored, +# as are lines whose first non-whitespace character +# is a `#'. +# +# o A logical line starts with non-whitespace text. A +# line that starts with whitespace continues a logi- +# cal line. +# +# The name is a local address (no domain part). Use double +# quotes when the name contains any special characters such +# as whitespace, `#', `:', or `@'. The name is folded to +# lowercase, in order to make database lookups case insensi- +# tive. +# +# In addition, when an alias exists for owner-name, this +# will override the envelope sender address, so that deliv- +# ery diagnostics are directed to owner-name, instead of the +# originator of the message (for details, see +# owner_request_special, expand_owner_alias and +# reset_owner_alias). This is typically used to direct +# delivery errors to the maintainer of a mailing list, who +# is in a better position to deal with mailing list delivery +# problems than the originator of the undelivered mail. +# +# The value contains one or more of the following: +# +# address +# Mail is forwarded to address, which is compatible +# with the RFC 822 standard. +# +# /file/name +# Mail is appended to /file/name. For details on how +# a file is written see the sections "EXTERNAL FILE +# DELIVERY" and "DELIVERY RIGHTS" in the local(8) +# documentation. Delivery is not limited to regular +# files. For example, to dispose of unwanted mail, +# deflect it to /dev/null. +# +# |command +# Mail is piped into command. Commands that contain +# special characters, such as whitespace, should be +# enclosed between double quotes. 
For details on how +# a command is executed see "EXTERNAL COMMAND DELIV- +# ERY" and "DELIVERY RIGHTS" in the local(8) documen- +# tation. +# +# When the command fails, a limited amount of command +# output is mailed back to the sender. The file +# /usr/include/sysexits.h defines the expected exit +# status codes. For example, use "|exit 67" to simu- +# late a "user unknown" error, and "|exit 0" to +# implement an expensive black hole. +# +# :include:/file/name +# Mail is sent to the destinations listed in the +# named file. Lines in :include: files have the same +# syntax as the right-hand side of alias entries. +# +# A destination can be any destination that is +# described in this manual page. However, delivery to +# "|command" and /file/name is disallowed by default. +# To enable, edit the allow_mail_to_commands and +# allow_mail_to_files configuration parameters. +# +# ADDRESS EXTENSION +# When alias database search fails, and the recipient local- +# part contains the optional recipient delimiter (e.g., +# user+foo), the search is repeated for the unextended +# address (e.g., user). +# +# The propagate_unmatched_extensions parameter controls +# whether an unmatched address extension (+foo) is propa- +# gated to the result of table lookup. +# +# CASE FOLDING +# The local(8) delivery agent always folds the search string +# to lowercase before database lookup. +# +# REGULAR EXPRESSION TABLES +# This section describes how the table lookups change when +# the table is given in the form of regular expressions. For +# a description of regular expression lookup table syntax, +# see regexp_table(5) or pcre_table(5). NOTE: these formats +# do not use ":" at the end of a pattern. +# +# Each regular expression is applied to the entire search +# string. Thus, a search string user+foo is not broken up +# into user and foo. +# +# Regular expressions are applied in the order as specified +# in the table, until a regular expression is found that +# matches the search string. 
+# +# Lookup results are the same as with indexed file lookups. +# For security reasons there is no support for $1, $2 etc. +# substring interpolation. +# +# SECURITY +# The local(8) delivery agent disallows regular expression +# substitution of $1 etc. in alias_maps, because that would +# open a security hole. +# +# The local(8) delivery agent will silently ignore requests +# to use the proxymap(8) server within alias_maps. Instead +# it will open the table directly. Before Postfix version +# 2.2, the local(8) delivery agent will terminate with a +# fatal error. +# +# CONFIGURATION PARAMETERS +# The following main.cf parameters are especially relevant. +# The text below provides only a parameter summary. See +# postconf(5) for more details including examples. +# +# alias_database (see 'postconf -d' output) +# The alias databases for local(8) delivery that are +# updated with "newaliases" or with "sendmail -bi". +# +# alias_maps (see 'postconf -d' output) +# The alias databases that are used for local(8) +# delivery. +# +# allow_mail_to_commands (alias, forward) +# Restrict local(8) mail delivery to external com- +# mands. +# +# allow_mail_to_files (alias, forward) +# Restrict local(8) mail delivery to external files. +# +# expand_owner_alias (no) +# When delivering to an alias "aliasname" that has an +# "owner-aliasname" companion alias, set the envelope +# sender address to the expansion of the +# "owner-aliasname" alias. +# +# propagate_unmatched_extensions (canonical, virtual) +# What address lookup tables copy an address exten- +# sion from the lookup key to the lookup result. +# +# owner_request_special (yes) +# Enable special treatment for owner-listname entries +# in the aliases(5) file, and don't split owner-list- +# name and listname-request address localparts when +# the recipient_delimiter is set to "-". 
+# +# recipient_delimiter (empty) +# The set of characters that can separate an email +# address localpart, user name, or a .forward file +# name from its extension. +# +# Available in Postfix version 2.3 and later: +# +# frozen_delivered_to (yes) +# Update the local(8) delivery agent's idea of the +# Delivered-To: address (see prepend_deliv- +# ered_header) only once, at the start of a delivery +# attempt; do not update the Delivered-To: address +# while expanding aliases or .forward files. +# +# STANDARDS +# RFC 822 (ARPA Internet Text Messages) +# +# SEE ALSO +# local(8), local delivery agent +# newaliases(1), create/update alias database +# postalias(1), create/update alias database +# postconf(5), configuration parameters +# +# README FILES +# Use "postconf readme_directory" or "postconf html_direc- +# tory" to locate this information. +# DATABASE_README, Postfix lookup table overview +# +# LICENSE +# The Secure Mailer license must be distributed with this +# software. +# +# AUTHOR(S) +# Wietse Venema +# IBM T.J. Watson Research +# P.O. Box 704 +# Yorktown Heights, NY 10598, USA +# +# Wietse Venema +# Google, Inc. +# 111 8th Avenue +# New York, NY 10011, USA +# +# ALIASES(5) -- cgit v1.2.3-70-g09d2 From 56dfdbb37097672db18cb8c0d23b54116728e26d Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 4 Apr 2024 03:26:03 +0000 Subject: meta --- etc/myconf/cfgl_meta | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index ab512d08..cefb6275 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta @@ -13,6 +13,8 @@ 600 root root //etc/myconf/cfgl_meta 644 root root //etc/nftables.conf 644 root root //etc/pacman.conf +755 root root //etc/postfix +644 root root //etc/postfix/aliases 777 root root //etc/resolv.conf 644 root root //etc/services 755 root root //etc/ssh -- cgit v1.2.3-70-g09d2 From e5ef65730ee2900fcd08ab0f8238ccccc47f6e2c Mon Sep 17 00:00:00 2001 
From: Xiao Pan
Date: Thu, 4 Apr 2024 03:27:01 +0000
Subject: use xyz for root emails
---
etc/postfix/aliases | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/etc/postfix/aliases b/etc/postfix/aliases
index 8f1a2845..c2ff6c98 100644
--- a/etc/postfix/aliases
+++ b/etc/postfix/aliases
@@ -9,7 +9,8 @@
#
# Person who should get root's mail. Don't receive mail as root!
-#root: you
+# https://wiki.archlinux.org/title/Postfix#Aliases
+root: xyz
# Basic system aliases -- these MUST be present
MAILER-DAEMON: postmaster
-- cgit v1.2.3-70-g09d2
From a105215f497eec21149fe7b96c47558e869a4aac Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 4 Apr 2024 03:45:10 +0000
Subject: default
---
etc/postfix/main.cf | 689 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 689 insertions(+)
create mode 100644 etc/postfix/main.cf
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
new file mode 100644
index 00000000..1d93a701
--- /dev/null
+++ b/etc/postfix/main.cf
@@ -0,0 +1,689 @@ +# Global Postfix configuration file. This file lists only a subset +# of all parameters. For the syntax, and for a complete parameter +# list, see the postconf(5) manual page (command: "man 5 postconf"). +# +# TIP: use the command "postconf -n" to view main.cf parameter +# settings, "postconf parametername" to view a specific parameter, +# and "postconf 'parametername=value'" to set a specific parameter. +# +# For common configuration examples, see BASIC_CONFIGURATION_README +# and STANDARD_CONFIGURATION_README. To find these documents, use +# the command "postconf html_directory readme_directory", or go to +# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc. +# +# For best results, change no more than 2-3 parameters at a time, +# and test if Postfix still works after every change. + +# COMPATIBILITY +# +# The compatibility_level determines what default settings Postfix +# will use for main.cf and master.cf settings. These defaults will +# change over time. +# +# To avoid breaking things, Postfix will use backwards-compatible +# default settings and log where it uses those old backwards-compatible +# default settings, until the system administrator has determined +# if any backwards-compatible default settings need to be made +# permanent in main.cf or master.cf. +# +# When this review is complete, update the compatibility_level setting +# below as recommended in the RELEASE_NOTES file. +# +# The level below is what should be used with new (not upgrade) installs. +# +compatibility_level = 3.8 + +# SOFT BOUNCE +# +# The soft_bounce parameter provides a limited safety net for +# testing. When soft_bounce is enabled, mail will remain queued that +# would otherwise bounce. This parameter disables locally-generated +# bounces, and prevents the SMTP server from rejecting mail permanently +# (by changing 5xx replies into 4xx replies). However, soft_bounce +# is no cure for address rewriting mistakes or mail routing mistakes. 
+# +#soft_bounce = no + +# LOCAL PATHNAME INFORMATION +# +# The queue_directory specifies the location of the Postfix queue. +# This is also the root directory of Postfix daemons that run chrooted. +# See the files in examples/chroot-setup for setting up Postfix chroot +# environments on different UNIX systems. +# +queue_directory = /var/spool/postfix + +# The command_directory parameter specifies the location of all +# postXXX commands. +# +command_directory = /usr/bin + +# The daemon_directory parameter specifies the location of all Postfix +# daemon programs (i.e. programs listed in the master.cf file). This +# directory must be owned by root. +# +daemon_directory = /usr/lib/postfix/bin + +# The data_directory parameter specifies the location of Postfix-writable +# data files (caches, random numbers). This directory must be owned +# by the mail_owner account (see below). +# +data_directory = /var/lib/postfix + +# QUEUE AND PROCESS OWNERSHIP +# +# The mail_owner parameter specifies the owner of the Postfix queue +# and of most Postfix daemon processes. Specify the name of a user +# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS +# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM. In +# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED +# USER. +# +mail_owner = postfix + +# The default_privs parameter specifies the default rights used by +# the local delivery agent for delivery to external file or command. +# These rights are used in the absence of a recipient user context. +# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER. +# +#default_privs = nobody + +# INTERNET HOST AND DOMAIN NAMES +# +# The myhostname parameter specifies the internet hostname of this +# mail system. The default is to use the fully-qualified domain name +# from gethostname(). $myhostname is used as a default value for many +# other configuration parameters. 
+# +#myhostname = host.domain.tld +#myhostname = virtual.domain.tld + +# The mydomain parameter specifies the local internet domain name. +# The default is to use $myhostname minus the first component. +# $mydomain is used as a default value for many other configuration +# parameters. +# +#mydomain = domain.tld + +# SENDING MAIL +# +# The myorigin parameter specifies the domain that locally-posted +# mail appears to come from. The default is to append $myhostname, +# which is fine for small sites. If you run a domain with multiple +# machines, you should (1) change this to $mydomain and (2) set up +# a domain-wide alias database that aliases each user to +# user@that.users.mailhost. +# +# For the sake of consistency between sender and recipient addresses, +# myorigin also specifies the default domain name that is appended +# to recipient addresses that have no @domain part. +# +#myorigin = $myhostname +#myorigin = $mydomain + +# RECEIVING MAIL + +# The inet_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on. By default, +# the software claims all active interfaces on the machine. The +# parameter also controls delivery of mail to user@[ip.address]. +# +# See also the proxy_interfaces parameter, for network addresses that +# are forwarded to us via a proxy or network address translator. +# +# Note: you need to stop/start Postfix when this parameter changes. +# +#inet_interfaces = all +#inet_interfaces = $myhostname +#inet_interfaces = $myhostname, localhost + +# The proxy_interfaces parameter specifies the network interface +# addresses that this mail system receives mail on by way of a +# proxy or network address translation unit. This setting extends +# the address list specified with the inet_interfaces parameter. +# +# You must specify your proxy/NAT addresses when your system is a +# backup MX host for other domains, otherwise mail delivery loops +# will happen when the primary MX host is down. 
+# +#proxy_interfaces = +#proxy_interfaces = 1.2.3.4 + +# The mydestination parameter specifies the list of domains that this +# machine considers itself the final destination for. +# +# These domains are routed to the delivery agent specified with the +# local_transport parameter setting. By default, that is the UNIX +# compatible delivery agent that lookups all recipients in /etc/passwd +# and /etc/aliases or their equivalent. +# +# The default is $myhostname + localhost.$mydomain + localhost. On +# a mail domain gateway, you should also include $mydomain. +# +# Do not specify the names of virtual domains - those domains are +# specified elsewhere (see VIRTUAL_README). +# +# Do not specify the names of domains that this machine is backup MX +# host for. Specify those names via the relay_domains settings for +# the SMTP server, or use permit_mx_backup if you are lazy (see +# STANDARD_CONFIGURATION_README). +# +# The local machine is always the final destination for mail addressed +# to user@[the.net.work.address] of an interface that the mail system +# receives mail on (see the inet_interfaces parameter). +# +# Specify a list of host or domain names, /file/name or type:table +# patterns, separated by commas and/or whitespace. A /file/name +# pattern is replaced by its contents; a type:table is matched when +# a name matches a lookup key (the right-hand side is ignored). +# Continue long lines by starting the next line with whitespace. +# +# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS". 
+# +#mydestination = $myhostname, localhost.$mydomain, localhost +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain +#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain, +# mail.$mydomain, www.$mydomain, ftp.$mydomain + +# REJECTING MAIL FOR UNKNOWN LOCAL USERS +# +# The local_recipient_maps parameter specifies optional lookup tables +# with all names or addresses of users that are local with respect +# to $mydestination, $inet_interfaces or $proxy_interfaces. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown local users. This parameter is defined by default. +# +# To turn off local recipient checking in the SMTP server, specify +# local_recipient_maps = (i.e. empty). +# +# The default setting assumes that you use the default Postfix local +# delivery agent for local delivery. You need to update the +# local_recipient_maps setting if: +# +# - You define $mydestination domain recipients in files other than +# /etc/passwd, /etc/aliases, or the $virtual_alias_maps files. +# For example, you define $mydestination domain recipients in +# the $virtual_mailbox_maps files. +# +# - You redefine the local delivery agent in master.cf. +# +# - You redefine the "local_transport" setting in main.cf. +# +# - You use the "luser_relay", "mailbox_transport", or "fallback_transport" +# feature of the Postfix local delivery agent (see local(8)). +# +# Details are described in the LOCAL_RECIPIENT_README file. +# +# Beware: if the Postfix SMTP server runs chrooted, you probably have +# to access the passwd file via the proxymap service, in order to +# overcome chroot restrictions. The alternative, having a copy of +# the system passwd file in the chroot jail is just not practical. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify a bare username, an @domain.tld +# wild-card, or specify a user@domain.tld address. 
+# +#local_recipient_maps = unix:passwd.byname $alias_maps +#local_recipient_maps = proxy:unix:passwd.byname $alias_maps +#local_recipient_maps = + +# The unknown_local_recipient_reject_code specifies the SMTP server +# response code when a recipient domain matches $mydestination or +# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty +# and the recipient address or address local-part is not found. +# +# The default setting is 550 (reject mail) but it is safer to start +# with 450 (try again later) until you are certain that your +# local_recipient_maps settings are OK. +# +unknown_local_recipient_reject_code = 550 + +# TRUST AND RELAY CONTROL + +# The mynetworks parameter specifies the list of "trusted" SMTP +# clients that have more privileges than "strangers". +# +# In particular, "trusted" SMTP clients are allowed to relay mail +# through Postfix. See the smtpd_recipient_restrictions parameter +# in postconf(5). +# +# You can specify the list of "trusted" network addresses by hand +# or you can let Postfix do it for you (which is the default). +# +# By default (mynetworks_style = host), Postfix "trusts" only +# the local machine. +# +# Specify "mynetworks_style = subnet" when Postfix should "trust" +# SMTP clients in the same IP subnetworks as the local machine. +# On Linux, this works correctly only with interfaces specified +# with the "ifconfig" or "ip" command. +# +# Specify "mynetworks_style = class" when Postfix should "trust" SMTP +# clients in the same IP class A/B/C networks as the local machine. +# Don't do this with a dialup site - it would cause Postfix to "trust" +# your entire provider's network. Instead, specify an explicit +# mynetworks list by hand, as described below. +# +# Specify "mynetworks_style = host" when Postfix should "trust" +# only the local machine. 
+# +#mynetworks_style = class +#mynetworks_style = subnet +#mynetworks_style = host + +# Alternatively, you can specify the mynetworks list by hand, in +# which case Postfix ignores the mynetworks_style setting. +# +# Specify an explicit list of network/netmask patterns, where the +# mask specifies the number of bits in the network part of a host +# address. +# +# You can also specify the absolute pathname of a pattern file instead +# of listing the patterns here. Specify type:table for table-based lookups +# (the value on the table right-hand side is not used). +# +#mynetworks = 168.100.3.0/28, 127.0.0.0/8 +#mynetworks = $config_directory/mynetworks +#mynetworks = hash:/etc/postfix/network_table + +# The relay_domains parameter restricts what destinations this system will +# relay mail to. See the smtpd_relay_restrictions and +# smtpd_recipient_restrictions descriptions in postconf(5) for detailed +# information. +# +# By default, Postfix relays mail +# - from "trusted" clients (IP address matches $mynetworks, or is +# SASL authenticated) to any destination, +# - from "untrusted" clients to destinations that match $relay_domains or +# subdomains thereof, except addresses with sender-specified routing. +# The default relay_domains value is empty. +# +# In addition to the above, the Postfix SMTP server by default accepts mail +# that Postfix is final destination for: +# - destinations that match $inet_interfaces or $proxy_interfaces, +# - destinations that match $mydestination +# - destinations that match $virtual_alias_domains, +# - destinations that match $virtual_mailbox_domains. +# These destinations do not need to be listed in $relay_domains. +# +# Specify a list of hosts or domains, /file/name patterns or type:name +# lookup tables, separated by commas and/or whitespace. Continue +# long lines by starting the next line with whitespace. A file name +# is replaced by its contents; a type:name table is matched when a +# (parent) domain appears as lookup key. 
+# +# NOTE: Postfix will not automatically forward mail for domains that +# list this system as their primary or backup MX host. See the +# permit_mx_backup restriction description in postconf(5). +# +#relay_domains = + +# INTERNET OR INTRANET + +# The relayhost parameter specifies the default host to send mail to +# when no entry is matched in the optional transport(5) table. When +# no relayhost is given, mail is routed directly to the destination. +# +# On an intranet, specify the organizational domain name. If your +# internal DNS uses no MX records, specify the name of the intranet +# gateway host instead. +# +# In the case of SMTP, specify a domain, host, host:port, [host]:port, +# [address] or [address]:port; the form [host] turns off MX lookups. +# +# If you're connected via UUCP, see also the default_transport parameter. +# +#relayhost = $mydomain +#relayhost = [gateway.my.domain] +#relayhost = [mailserver.isp.tld] +#relayhost = uucphost +#relayhost = [an.ip.add.ress] + +# REJECTING UNKNOWN RELAY USERS +# +# The relay_recipient_maps parameter specifies optional lookup tables +# with all addresses in the domains that match $relay_domains. +# +# If this parameter is defined, then the SMTP server will reject +# mail for unknown relay users. This feature is off by default. +# +# The right-hand side of the lookup tables is conveniently ignored. +# In the left-hand side, specify an @domain.tld wild-card, or specify +# a user@domain.tld address. +# +#relay_recipient_maps = hash:/etc/postfix/relay_recipients + +# INPUT RATE CONTROL +# +# The in_flow_delay configuration parameter implements mail input +# flow control. This feature is turned on by default, although it +# still needs further development (it's disabled on SCO UNIX due +# to an SCO bug). +# +# A Postfix process will pause for $in_flow_delay seconds before +# accepting a new message, when the message arrival rate exceeds the +# message delivery rate. 
With the default 100 SMTP server process +# limit, this limits the mail inflow to 100 messages a second more +# than the number of messages delivered per second. +# +# Specify 0 to disable the feature. Valid delays are 0..10. +# +#in_flow_delay = 1s + +# ADDRESS REWRITING +# +# The ADDRESS_REWRITING_README document gives information about +# address masquerading or other forms of address rewriting including +# username->Firstname.Lastname mapping. + +# ADDRESS REDIRECTION (VIRTUAL DOMAIN) +# +# The VIRTUAL_README document gives information about the many forms +# of domain hosting that Postfix supports. + +# "USER HAS MOVED" BOUNCE MESSAGES +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# TRANSPORT MAP +# +# See the discussion in the ADDRESS_REWRITING_README document. + +# ALIAS DATABASE +# +# The alias_maps parameter specifies the list of alias databases used +# by the local delivery agent. The default list is system dependent. +# +# On systems with NIS, the default is to search the local alias +# database, then the NIS alias database. See aliases(5) for syntax +# details. +# +# If you change the alias database, run "postalias /etc/aliases" (or +# wherever your system stores the mail alias file), or simply run +# "newaliases" to build the necessary DBM or DB file. +# +# It will take a minute or so before changes become visible. Use +# "postfix reload" to eliminate the delay. +# +#alias_maps = dbm:/etc/aliases +#alias_maps = hash:/etc/aliases +#alias_maps = hash:/etc/aliases, nis:mail.aliases +#alias_maps = netinfo:/aliases +alias_maps = hash:/etc/postfix/aliases + +# The alias_database parameter specifies the alias database(s) that +# are built with "newaliases" or "sendmail -bi". This is a separate +# configuration parameter, because alias_maps (see above) may specify +# tables that are not necessarily all under control by Postfix. 
+# +#alias_database = dbm:/etc/aliases +#alias_database = dbm:/etc/mail/aliases +#alias_database = hash:/etc/aliases +#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases +alias_database = $alias_maps + +# ADDRESS EXTENSIONS (e.g., user+foo) +# +# The recipient_delimiter parameter specifies the separator between +# user names and address extensions (user+foo). See canonical(5), +# local(8), relocated(5) and virtual(5) for the effects this has on +# aliases, canonical, virtual, relocated and .forward file lookups. +# Basically, the software tries user+foo and .forward+foo before +# trying user and .forward. +# +#recipient_delimiter = + + +# DELIVERY TO MAILBOX +# +# The home_mailbox parameter specifies the optional pathname of a +# mailbox file relative to a user's home directory. The default +# mailbox file is /var/spool/mail/user or /var/mail/user. Specify +# "Maildir/" for qmail-style delivery (the / is required). +# +#home_mailbox = Mailbox +#home_mailbox = Maildir/ + +# The mail_spool_directory parameter specifies the directory where +# UNIX-style mailboxes are kept. The default setting depends on the +# system type. +# +#mail_spool_directory = /var/mail +#mail_spool_directory = /var/spool/mail + +# The mailbox_command parameter specifies the optional external +# command to use instead of mailbox delivery. The command is run as +# the recipient with proper HOME, SHELL and LOGNAME environment settings. +# Exception: delivery for root is done as $default_user. +# +# Other environment variables of interest: USER (recipient username), +# EXTENSION (address extension), DOMAIN (domain part of address), +# and LOCAL (the address localpart). +# +# Unlike other Postfix configuration parameters, the mailbox_command +# parameter is not subjected to $parameter substitutions. This is to +# make it easier to specify shell syntax (see example below). +# +# Avoid shell meta characters because they will force Postfix to run +# an expensive shell process. 
Procmail alone is expensive enough. +# +# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN +# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER. +# +#mailbox_command = /some/where/procmail +#mailbox_command = /some/where/procmail -a "$EXTENSION" + +# The mailbox_transport specifies the optional transport in master.cf +# to use after processing aliases and .forward files. This parameter +# has precedence over the mailbox_command, fallback_transport and +# luser_relay parameters. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +# Cyrus IMAP over LMTP. Specify ``lmtpunix cmd="lmtpd" +# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf. +#mailbox_transport = lmtp:unix:/var/imap/socket/lmtp +# +# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and +# subsequent line in master.cf. +#mailbox_transport = cyrus + +# The fallback_transport specifies the optional transport in master.cf +# to use for recipients that are not found in the UNIX passwd database. +# This parameter has precedence over the luser_relay parameter. +# +# Specify a string of the form transport:nexthop, where transport is +# the name of a mail delivery transport defined in master.cf. The +# :nexthop part is optional. For more details see the sample transport +# configuration file. 
+# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must update the "local_recipient_maps" setting in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#fallback_transport = lmtp:unix:/file/name +#fallback_transport = cyrus +#fallback_transport = + +# The luser_relay parameter specifies an optional destination address +# for unknown recipients. By default, mail for unknown@$mydestination, +# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned +# as undeliverable. +# +# The following expansions are done on luser_relay: $user (recipient +# username), $shell (recipient shell), $home (recipient home directory), +# $recipient (full recipient address), $extension (recipient address +# extension), $domain (recipient domain), $local (entire recipient +# localpart), $recipient_delimiter. Specify ${name?value} or +# ${name:value} to expand value only when $name does (does not) exist. +# +# luser_relay works only for the default Postfix local delivery agent. +# +# NOTE: if you use this feature for accounts not in the UNIX password +# file, then you must specify "local_recipient_maps =" (i.e. empty) in +# the main.cf file, otherwise the SMTP server will reject mail for +# non-UNIX accounts with "User unknown in local recipient table". +# +#luser_relay = $user@other.host +#luser_relay = $local@other.host +#luser_relay = admin+$local + +# JUNK MAIL CONTROLS +# +# The controls listed here are only a very small subset. The file +# SMTPD_ACCESS_README provides an overview. + +# The header_checks parameter specifies an optional table with patterns +# that each logical message header is matched against, including +# headers that span multiple physical lines. +# +# By default, these patterns also apply to MIME headers and to the +# headers of attached messages. 
With older Postfix versions, MIME and +# attached message headers were treated as body text. +# +# For details, see "man header_checks". +# +#header_checks = regexp:/etc/postfix/header_checks + +# FAST ETRN SERVICE +# +# Postfix maintains per-destination logfiles with information about +# deferred mail, so that mail can be flushed quickly with the SMTP +# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld". +# See the ETRN_README document for a detailed description. +# +# The fast_flush_domains parameter controls what destinations are +# eligible for this service. By default, they are all domains that +# this server is willing to relay mail to. +# +#fast_flush_domains = $relay_domains + +# SHOW SOFTWARE VERSION OR NOT +# +# The smtpd_banner parameter specifies the text that follows the 220 +# code in the SMTP server's greeting banner. Some people like to see +# the mail version advertised. By default, Postfix shows no version. +# +# You MUST specify $myhostname at the start of the text. That is an +# RFC requirement. Postfix itself does not care. +# +#smtpd_banner = $myhostname ESMTP $mail_name +#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) + +# PARALLEL DELIVERY TO THE SAME DESTINATION +# +# How many parallel deliveries to the same user or domain? With local +# delivery, it does not make sense to do massively parallel delivery +# to the same user, because mailbox updates must happen sequentially, +# and expensive pipelines in .forward files can cause disasters when +# too many are run at the same time. With SMTP deliveries, 10 +# simultaneous connections to the same domain could be sufficient to +# raise eyebrows. +# +# Each message delivery transport has its XXX_destination_concurrency_limit +# parameter. The default is $default_destination_concurrency_limit for +# most delivery transports. For the local delivery agent the default is 2. 
+ +#local_destination_concurrency_limit = 2 +#default_destination_concurrency_limit = 20 + +# DEBUGGING CONTROL +# +# The debug_peer_level parameter specifies the increment in verbose +# logging level when an SMTP client or server host name or address +# matches a pattern in the debug_peer_list parameter. +# +debug_peer_level = 2 + +# The debug_peer_list parameter specifies an optional list of domain +# or network patterns, /file/name patterns or type:name tables. When +# an SMTP client or server host name or address matches a pattern, +# increase the verbose logging level by the amount specified in the +# debug_peer_level parameter. +# +#debug_peer_list = 127.0.0.1 +#debug_peer_list = some.domain + +# The debugger_command specifies the external command that is executed +# when a Postfix daemon program is run with the -D option. +# +# Use "command .. & sleep 5" so that the debugger can attach before +# the process marches on. If you use an X-based debugger, be sure to +# set up your XAUTHORITY environment variable before starting Postfix. +# +debugger_command = + PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin + ddd $daemon_directory/$process_name $process_id & sleep 5 + +# If you can't use X, use this to capture the call stack when a +# daemon crashes. The result is in a file in the configuration +# directory, and is named after the process name and the process ID. +# +# debugger_command = +# PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont; +# echo where) | gdb $daemon_directory/$process_name $process_id 2>&1 +# >$config_directory/$process_name.$process_id.log & sleep 5 +# +# Another possibility is to run gdb under a detached screen session. +# To attach to the screen session, su root and run "screen -r +# " where uniquely matches one of the detached +# sessions (from "screen -list"). 
+# +# debugger_command = +# PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen +# -dmS $process_name gdb $daemon_directory/$process_name +# $process_id & sleep 1 + +# INSTALL-TIME CONFIGURATION INFORMATION +# +# The following parameters are used when installing a new Postfix version. +# +# sendmail_path: The full pathname of the Postfix sendmail command. +# This is the Sendmail-compatible mail posting interface. +# +sendmail_path = /usr/bin/sendmail + +# newaliases_path: The full pathname of the Postfix newaliases command. +# This is the Sendmail-compatible command to build alias databases. +# +newaliases_path = /usr/bin/newaliases + +# mailq_path: The full pathname of the Postfix mailq command. This +# is the Sendmail-compatible mail queue listing command. +# +mailq_path = /usr/bin/mailq + +# setgid_group: The group for mail submission and queue management +# commands. This must be a group name with a numerical group ID that +# is not shared with other accounts, not even with the Postfix account. +# +setgid_group = postdrop + +# html_directory: The location of the Postfix HTML documentation. +# +html_directory = no + +# manpage_directory: The location of the Postfix on-line manual pages. +# +manpage_directory = /usr/share/man + +# sample_directory: The location of the Postfix sample configuration files. +# This parameter is obsolete as of Postfix 2.1. +# +sample_directory = /etc/postfix + +# readme_directory: The location of the Postfix README files. +# +readme_directory = /usr/share/doc/postfix +inet_protocols = ipv4 +shlib_directory = /usr/lib/postfix +meta_directory = /etc/postfix -- cgit v1.2.3-70-g09d2 From a27fab3591a86ce66a0c4bff3831d07069d3e678 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 4 Apr 2024 03:45:24 +0000 Subject: meta --- etc/myconf/cfgl_meta | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index cefb6275..05c15d61 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta 
@@ -15,6 +15,7 @@
 644 root root //etc/pacman.conf
 755 root root //etc/postfix
 644 root root //etc/postfix/aliases
+644 root root //etc/postfix/main.cf
 777 root root //etc/resolv.conf
 644 root root //etc/services
 755 root root //etc/ssh
-- cgit v1.2.3-70-g09d2
From 1f7639e561760bf83e1630cbef71514fec54928c Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 4 Apr 2024 07:14:01 +0000
Subject: make ipv6 work
---
 etc/systemd/network/default.network | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network
index 43f05d95..dc46831e 100644
--- a/etc/systemd/network/default.network
+++ b/etc/systemd/network/default.network
@@ -1,6 +1,25 @@
+# not fully understood
+# https://unix.stackexchange.com/q/509430/
+# man `systemd.network`
+# https://superuser.com/q/1562380
+# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html
+
 [Match]
 Name=eth0
 
-[Network]
-Gateway=216.181.107.1
+[Address]
 Address=216.181.107.253/24
+
+[Address]
+# 2606:a8c0:3:38d::1/64 also works, but I use 2606:a8c0:3:38d::a/64 because crunchbits panel reverse DNS support this address
+Address=2606:a8c0:3:38d::a/64
+# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
+#Address=2606:a8c0:3:38d::a/48
+
+[Route]
+Gateway=216.181.107.1
+
+[Route]
+Gateway=2606:a8c0:3::1
+# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419
+GatewayOnLink=yes
-- cgit v1.2.3-70-g09d2
From a1aa00ec962710241609205869e386a44a3bded5 Mon Sep 17 00:00:00 2001
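Review bot: The header comment `# not fully understood` and the question-form comment on the second `[Route]` can be replaced by the documented reason: per systemd.network(5), `GatewayOnLink=yes` declares that `2606:a8c0:3::1` is reachable directly on eth0 even though it lies outside the only on-link IPv6 prefix configured here, `2606:a8c0:3:38d::/64`, which is exactly this case. Suggested wording for that comment: `# gateway lies outside the on-link /64, so it must be declared reachable on-link; do not widen the prefix to work around this`. The commented alternative `#Address=2606:a8c0:3:38d::a/48` should stay unused: with the default prefix route the kernel would then treat the whole provider /48 as on-link and try neighbour discovery for every address in it instead of routing via the gateway, which is presumably why it "avoids" `GatewayOnLink=` rather than being a correct substitute.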
From: Xiao Pan
Date: Thu, 4 Apr 2024 08:01:26 +0000
Subject: acme.sh.service override
---
 etc/systemd/system/acme.sh.service.d/override.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/systemd/system/acme.sh.service.d/override.conf
diff --git a/etc/systemd/system/acme.sh.service.d/override.conf b/etc/systemd/system/acme.sh.service.d/override.conf
new file mode 100644
index 00000000..722f60a6
--- /dev/null
+++ b/etc/systemd/system/acme.sh.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix
-- cgit v1.2.3-70-g09d2
From 5a071a872820af88dbd4460ee11d69238068192c Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 4 Apr 2024 08:01:53 +0000
Subject: meta
---
 etc/myconf/cfgl_meta | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 05c15d61..48abd648 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -29,6 +29,8 @@
 755 root root //etc/systemd/network
 644 systemd-network systemd-network //etc/systemd/network/default.network
 755 root root //etc/systemd/system
+755 root root //etc/systemd/system/acme.sh.service.d
+644 root root //etc/systemd/system/acme.sh.service.d/override.conf
 755 root root //etc/systemd/system/multi-user.target.wants
 777 root root //etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
 755 root root //etc/systemd/system/paccache.service.d
-- cgit v1.2.3-70-g09d2
From 3bc9a95d047dc6a4592b6b3b24c2e6cab73aafc9 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 4 Apr 2024 10:26:12 +0000
Subject: default
---
 etc/postfix/master.cf | 147 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 etc/postfix/master.cf
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
new file mode 100644
index 00000000..fd282dd2
--- /dev/null
+++ b/etc/postfix/master.cf
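Review bot: `ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix` gives the ACME client's service write access to the entire Postfix configuration directory, which in this series also holds `/etc/postfix/main.cf`, `/etc/postfix/master.cf` and the alias table, whereas a certificate deploy hook only needs to write the certificate and key files it installs. Narrow the grant to a dedicated subdirectory and point main.cf's TLS settings at it (constructed placeholder path: `ReadWritePaths=/etc/acme.sh /var/log/acme.sh /etc/postfix/<cert-dir>`), so that a bug or compromise in the client or its hook cannot rewrite the MTA's configuration. The base `acme.sh.service` is not in the hunk; `ReadWritePaths=` only has an effect if that unit enables `ProtectSystem=` or `ReadOnlyPaths=`, so confirm it does, and add a one-line comment stating the purpose, e.g. `# deploy hook writes the Postfix certificate/key here`, so the exception is self-explanatory.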
@@ -0,0 +1,147 @@
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - n - - smtpd
+#smtp inet n - n - 1 postscreen
+#smtpd pass - - n - - smtpd
+#dnsblog unix - - n - 0 dnsblog
+#tlsproxy unix - - n - 0 tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+#127.0.0.1:submission inet n - n - - smtpd
+#submission inet n - n - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_tls_auth_only=yes
+# -o local_header_rewrite_clients=static:all
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd__restrictions here,
+# specify "smtpd__restrictions=$mua__restrictions"
+# here, and specify mua__restrictions in main.cf (where
+# "" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable submissions for loopback clients only, or for any client.
+#127.0.0.1:submissions inet n - n - - smtpd
+#submissions inet n - n - - smtpd
+# -o syslog_name=postfix/submissions
+# -o smtpd_tls_wrappermode=yes
+# -o smtpd_sasl_auth_enable=yes
+# -o local_header_rewrite_clients=static:all
+# -o smtpd_reject_unlisted_recipient=no
+# Instead of specifying complex smtpd__restrictions here,
+# specify "smtpd__restrictions=$mua__restrictions"
+# here, and specify mua__restrictions in main.cf (where
+# "" is "client", "helo", "sender", "relay", or "recipient").
+# -o smtpd_client_restrictions=
+# -o smtpd_helo_restrictions=
+# -o smtpd_sender_restrictions=
+# -o smtpd_relay_restrictions=
+# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - n - - qmqpd
+pickup unix n - n 60 1 pickup
+cleanup unix n - n - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - n 1000? 1 tlsmgr
+rewrite unix - - n - - trivial-rewrite
+bounce unix - - n - 0 bounce
+defer unix - - n - 0 bounce
+trace unix - - n - 0 bounce
+verify unix - - n - 1 verify
+flush unix n - n 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - n - - smtp
+relay unix - - n - - smtp
+ -o syslog_name=postfix/$service_name
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - n - - showq
+error unix - - n - - error
+retry unix - - n - - error
+discard unix - - n - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - n - - lmtp
+anvil unix - - n - 1 anvil
+scache unix - - n - 1 scache
+postlog unix-dgram n - n - 1 postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop unix - n n - - pipe
+# flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# flags=DRX user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp unix - n n - - pipe
+# flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail unix - n n - - pipe
+# flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp unix - n n - - pipe
+# flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix - n n - 2 pipe
+# flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+# ${nexthop} ${user} ${extension}
+#
+#mailman unix - n n - - pipe
+# flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+# ${nexthop} ${user}
-- cgit v1.2.3-70-g09d2
From ff312bee581c66f2e71f614a979c2cfd237cbcd5 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 4 Apr 2024 10:26:27 +0000
Subject: meta
---
 etc/myconf/cfgl_meta | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 48abd648..0d5c3346 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -16,6 +16,7 @@
 755 root root //etc/postfix
 644 root root //etc/postfix/aliases
 644 root root //etc/postfix/main.cf
+644 root root //etc/postfix/master.cf
 777 root root //etc/resolv.conf
 644 root root //etc/services
 755 root root //etc/ssh
-- cgit v1.2.3-70-g09d2
From e21eb708e394dc4c1b1997013f829ab502ce7415 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 4 Apr 2024 13:00:17 +0000
Subject: working on mail server...
---
 home/xyz/.config/myconf/pacman_Qqme | 1 +
 home/xyz/.config/myconf/pacman_Qqne | 4 ++++
 home/xyz/.config/myconf/sye | 3 ++-
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme
index 920f3141..6ff8423a 100644
--- a/home/xyz/.config/myconf/pacman_Qqme
+++ b/home/xyz/.config/myconf/pacman_Qqme
@@ -1,4 +1,5 @@
 absolutely-proprietary
+acme.sh-systemd
 atool2-git
 bash-complete-alias
 dashbinsh
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 1b50d72a..66f2ef1a 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -3,6 +3,7 @@ base-devel
 bash-completion
 dash
 devtools
+dovecot
 fio
 fsh-git
 fzf
@@ -15,6 +16,7 @@ lf
 linux
 lostfiles
 lsof
+mailutils
 man-pages
 moreutils
 neovim
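Review bot: In the new master.cf only `smtp inet n - n - - smtpd` is enabled; the `submission` and `submissions` services remain commented out, and with them the `-o smtpd_tls_security_level=encrypt` and `-o smtpd_sasl_auth_enable=yes` overrides that confine client authentication to a port where TLS is mandatory. If this host is meant to accept mail from users' mail clients (Dovecot is installed in the same series, which suggests so), enable one of those blocks rather than turning on SASL in main.cf, because on port 25 TLS is opportunistic and credentials could otherwise be offered over plaintext; the visible part of main.cf does not enable SASL, so this is a question of intent rather than a defect today. If the server is inbound-only, a header comment stating that, e.g. `# inbound MX only: no submission service, no SASL on port 25`, would keep the next reader from wondering why the stock file was committed unchanged.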
@@ -29,11 +31,13 @@ posix-c-development
 posix-software-development
 posix-user-portability
 posix-xsi
+postfix
 python-pip
 rebuild-detector
 reflector
 rsync
 shellcheck
+socat
 speedtest-cli
 strace
 systemd-resolvconf
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index 23d37551..c5147c99 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
@@ -11,7 +11,8 @@ systemd-timesyncd.service enabled enabled
 systemd-networkd.socket enabled disabled
 systemd-userdbd.socket enabled enabled
 remote-fs.target enabled enabled
+acme.sh.timer enabled disabled
 paccache.timer enabled disabled
 pacman-filesdb-refresh.timer enabled disabled
 
-14 unit files listed.
+15 unit files listed.
-- cgit v1.2.3-70-g09d2
From f960c6b8365ad292ec224241e10bcdc46b8cc8e0 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 03:30:54 +0000
Subject: default
---
 etc/dovecot/conf.d/10-ssl.conf | 82 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 etc/dovecot/conf.d/10-ssl.conf
diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf
new file mode 100644
index 00000000..ad847664
--- /dev/null
+++ b/etc/dovecot/conf.d/10-ssl.conf
@@ -0,0 +1,82 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required.
+#ssl = yes
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+ssl_cert = 
Date: Fri, 5 Apr 2024 03:31:08 +0000
Subject: meta
---
 etc/myconf/cfgl_meta | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 0d5c3346..3519568f 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -4,6 +4,9 @@
 600 root root //etc/.cfgl/config.worktree
 700 root root //etc/.cfgl/info
 600 root root //etc/.cfgl/info/sparse-checkout
+755 root root //etc/dovecot
+755 root root //etc/dovecot/conf.d
+644 root root //etc/dovecot/conf.d/10-ssl.conf
 644 root root //etc/fstab
 644 root root //etc/hostname
 644 root root //etc/locale.conf
-- cgit v1.2.3-70-g09d2
From f320378aeb9cab4e064be0a8d0064e9fb06d1173 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 04:00:51 +0000
Subject: default
---
 etc/dovecot/conf.d/10-mail.conf | 415 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 415 insertions(+)
 create mode 100644 etc/dovecot/conf.d/10-mail.conf
diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf
new file mode 100644
index 00000000..de48f92d
--- /dev/null
+++ b/etc/dovecot/conf.d/10-mail.conf
@@ -0,0 +1,415 @@
+##
+## Mailbox locations and namespaces
+##
+
+# Location for users' mailboxes. The default is empty, which means that Dovecot
+# tries to find the mailboxes automatically. This won't work if the user
+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
+# location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+# %u - username
+# %n - user part in user@domain, same as %u if there's no domain
+# %d - domain part in user@domain, empty if there's no domain
+# %h - home directory
+#
+# See doc/wiki/Variables.txt for full list. Some examples:
+#
+# mail_location = maildir:~/Maildir
+# mail_location = mbox:~/mail:INBOX=/var/mail/%u
+# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+#
+#
+#mail_location =
+
+# If you need to set multiple mailbox locations or want to change default
+# namespace settings, you can do it by defining namespace sections.
+#
+# You can have private, shared and public namespaces. Private namespaces
+# are for user's personal mails. Shared namespaces are for accessing other
+# users' mailboxes that have been shared. Public namespaces are for shared
+# mailboxes that are managed by sysadmin. If you create any shared or public
+# namespaces you'll typically want to enable ACL plugin also, otherwise all
+# users can access all the shared mailboxes, assuming they have permissions
+# on filesystem level to do so.
+namespace inbox {
+ # Namespace type: private, shared or public
+ #type = private
+
+ # Hierarchy separator to use. You should use the same separator for all
+ # namespaces or some clients get confused. '/' is usually a good one.
+ # The default however depends on the underlying mail storage format.
+ #separator =
+
+ # Prefix required to access this namespace. This needs to be different for
+ # all namespaces. For example "Public/".
+ #prefix =
+
+ # Physical location of the mailbox. This is in same format as
+ # mail_location, which is also the default for it.
+ #location =
+
+ # There can be only one INBOX, and this setting defines which namespace
+ # has it.
+ inbox = yes
+
+ # If namespace is hidden, it's not advertised to clients via NAMESPACE
+ # extension. You'll most likely also want to set list=no. This is mostly
+ # useful when converting from another server with different namespaces which
+ # you want to deprecate but still keep working. For example you can create
+ # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+ #hidden = no
+
+ # Show the mailboxes under this namespace with LIST command. This makes the
+ # namespace visible for clients that don't support NAMESPACE extension.
+ # "children" value lists child mailboxes, but hides the namespace prefix.
+ #list = yes
+
+ # Namespace handles its own subscriptions. If set to "no", the parent
+ # namespace handles them (empty prefix should always have this as "yes")
+ #subscriptions = yes
+
+ # See 15-mailboxes.conf for definitions of special mailboxes.
+}
+
+# Example shared namespace configuration
+#namespace {
+ #type = shared
+ #separator = /
+
+ # Mailboxes are visible under "shared/user@domain/"
+ # %%n, %%d and %%u are expanded to the destination user.
+ #prefix = shared/%%u/
+
+ # Mail location for other users' mailboxes. Note that %variables and ~/
+ # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+ # destination user's data.
+ #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+
+ # Use the default namespace for saving subscriptions.
+ #subscriptions = no
+
+ # List the shared/ namespace only if there are visible shared mailboxes.
+ #list = children
+#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = no
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names.
+#mail_uid =
+#mail_gid =
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+#mail_privileged_group =
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
+#mail_attribute_dict =
+
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment".
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin =
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+# optimized (default): Whenever necessary to avoid losing important data
+# always: Useful with e.g. NFS when write()s are delayed
+# never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+#first_valid_uid = 500
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users.
+#valid_chroot_dirs =
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot.
+#mail_chroot =
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+#mail_plugins =
+
+##
+## Mailbox handling optimizations
+##
+
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index?
By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+protocol !indexer-worker {
+ # If folder vsize calculation requires opening more than this many mails from
+ # disk (i.e. mail sizes aren't in cache already), return failure and finish
+ # the calculation via indexer process. Disabled by default. This setting must
+ # be 0 for indexer-worker processes.
+ #mail_vsize_bg_after_count = 0
+}
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S= in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+# dotlock: Create .lock file. This is the oldest and most NFS-safe
+# solution. If you want to use /var/mail/ like directory, the users
+# will need write access to that directory.
+# dotlock_try: Same as dotlock, but if it fails because of permissions or
+# because there isn't enough disk space, just skip it.
+# fcntl : Use this if possible. Works with NFS too if lockd is used.
+# flock : May not exist in all systems. Doesn't work with NFS.
+# lockf : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#mbox_read_locks = fcntl
+#mbox_write_locks = dotlock fcntl
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m.
For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 10M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+#mail_attachment_dir =
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+#mail_attachment_min_size = 128k
+
+# Filesystem backend to use for saving attachments:
+# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+# sis posix : SiS with immediate byte-by-byte comparison during saving
+# sis-queue posix : SiS with delayed comparison and deduplication
+#mail_attachment_fs = sis posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+#mail_attachment_hash = %{sha1}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+# add-flags - Add the keywords when saving new mails or when fetching can
+# do it efficiently.
+# content-type=type or !type - Include/exclude content type. Excluding will
+# never consider the matched MIME part as attachment. Including will only
+# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =
-- cgit v1.2.3-70-g09d2
From 87f17af9e300116781e9a2890443bda642c379ce Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 04:01:17 +0000
Subject: meta
---
 etc/myconf/cfgl_meta | 1 +
 1 file changed, 1 insertion(+)
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 3519568f..0015f9a2 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -6,6 +6,7 @@
 600 root root //etc/.cfgl/info/sparse-checkout
 755 root root //etc/dovecot
 755 root root //etc/dovecot/conf.d
+644 root root //etc/dovecot/conf.d/10-mail.conf
 644 root root //etc/dovecot/conf.d/10-ssl.conf
 644 root root //etc/fstab
 644 root root //etc/hostname
-- cgit v1.2.3-70-g09d2
From 21178d287954c2ea98767f8d21bcbe65475bb8de Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 04:15:04 +0000
Subject: default
---
 etc/dovecot/conf.d/10-master.conf | 133 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 133 insertions(+)
 create mode 100644 etc/dovecot/conf.d/10-master.conf
diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf
new file mode 100644
index 00000000..64fa0f2c
--- /dev/null
+++ b/etc/dovecot/conf.d/10-master.conf
@@ -0,0 +1,133 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+ inet_listener imap {
+ #port = 143
+ }
+ inet_listener imaps {
+ #port = 993
+ #ssl = yes
+ }
+
+ # Number of connections to handle before starting a new process. Typically
+ # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+ # is faster.
+ #service_count = 1
+
+ # Number of processes to always keep waiting for more connections.
+ #process_min_avail = 0
+
+ # If you set service_count=0, you probably need to grow this.
+ #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+ inet_listener pop3 {
+ #port = 110
+ }
+ inet_listener pop3s {
+ #port = 995
+ #ssl = yes
+ }
+}
+
+service submission-login {
+ inet_listener submission {
+ #port = 587
+ }
+ inet_listener submissions {
+ #port = 465
+ }
+}
+
+service lmtp {
+ unix_listener lmtp {
+ #mode = 0666
+ }
+
+ # Create inet listener only if you can't use the above UNIX socket
+ #inet_listener lmtp {
+ # Avoid making LMTP visible for the entire internet
+ #address =
+ #port =
+ #}
+}
+
+service imap {
+ # Most of the memory goes to mmap()ing files. You may need to increase this
+ # limit if you have huge mailboxes.
+ #vsz_limit = $default_vsz_limit
+
+ # Max. number of IMAP processes (connections)
+ #process_limit = 1024
+}
+
+service pop3 {
+ # Max.
number of POP3 processes (connections)
+ #process_limit = 1024
+}
+
+service submission {
+ # Max. number of SMTP Submission processes (connections)
+ #process_limit = 1024
+}
+
+service auth {
+ # auth_socket_path points to this userdb socket by default. It's typically
+ # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+ # full permissions to this socket are able to get a list of all usernames and
+ # get the results of everyone's userdb lookups.
+ #
+ # The default 0666 mode allows anyone to connect to the socket, but the
+ # userdb lookups will succeed only if the userdb returns an "uid" field that
+ # matches the caller process's UID. Also if caller's uid or gid matches the
+ # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+ #
+ # To give the caller full permissions to lookup all users, set the mode to
+ # something else than 0666 and Dovecot lets the kernel enforce the
+ # permissions (e.g. 0777 allows everyone full permissions).
+ unix_listener auth-userdb {
+ #mode = 0666
+ #user =
+ #group =
+ }
+
+ # Postfix smtp-auth
+ #unix_listener /var/spool/postfix/private/auth {
+ # mode = 0666
+ #}
+
+ # Auth process is run as this user.
+ #user = $default_internal_user
+}
+
+service auth-worker {
+ # Auth worker process is run as root by default, so that it can access
+ # /etc/shadow. If this isn't necessary, the user should be changed to
+ # $default_internal_user.
+ #user = root
+}
+
+service dict {
+ # If dict proxy is used, mail processes should have access to its socket.
+ # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+ unix_listener dict {
+ #mode = 0600
+ #user =
+ #group =
+ }
+}
-- cgit v1.2.3-70-g09d2
From 8acccf350db4ceeb6a634a560145cb85494bf35c Mon Sep 17 00:00:00 2001
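Review bot: The Postfix SMTP-AUTH socket in `service auth` is left commented out (`#unix_listener /var/spool/postfix/private/auth { # mode = 0666 #}`) while the first hunk of this series adds the postfix package, so if Dovecot is meant to provide SASL for Postfix that listener still needs enabling, and when it is, it should not copy the `0666` example but be limited to the MTA, e.g. `mode = 0660`, `user = postfix`, `group = postfix`. The plaintext `imap` (143) and `pop3` (110) inet_listeners also stay enabled with no `address =` restriction; whether plaintext logins over them are refused depends on `ssl` and `disable_plaintext_auth`, which live in 10-ssl.conf and 10-auth.conf and are not shown in full by this series. Both points are inferred from the surrounding commits; the file itself is otherwise the stock Dovecot default.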
From: Xiao Pan
Date: Fri, 5 Apr 2024 04:36:06 +0000
Subject: default
---
 etc/opendkim/opendkim.conf | 769 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 769 insertions(+)
 create mode 100644 etc/opendkim/opendkim.conf
diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf
new file mode 100644
index 00000000..fa3559a3
--- /dev/null
+++ b/etc/opendkim/opendkim.conf
@@ -0,0 +1,769 @@
+##
+## opendkim.conf -- configuration file for OpenDKIM filter
+##
+## Copyright (c) 2010-2015, 2018, The Trusted Domain Project.
+## All rights reserved.
+##
+
+##
+## For settings that refer to a "dataset", see the opendkim(8) man page.
+##
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+## AddAllSignatureResults
+## ADSPAction
+## ADSPNoSuchDomain
+## BogusPolicy
+## DisableADSP
+## LDAPSoftStart
+## LocalADSP
+## NoDiscardableMailTo
+## On-PolicyError
+## SendADSPReports
+## UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+## AllowSHA1Only { yes | no }
+## default "no"
+##
+## By default, the filter will refuse to start if support for SHA256 is
+## not available since this violates the strong recommendations of
+## RFC6376 Section 3.3, which says:
+##
+## "Verifiers MUST implement both rsa-sha1 and rsa-sha256. Signers MUST
+## implement and SHOULD sign using rsa-sha256."
+##
+## This forces that violation to be explicitly selected by the administrator.
+
+# AllowSHA1Only no
+
+## AlwaysAddARHeader { yes | no }
+## default "no"
+##
+## Add an "Authentication-Results:" header even to unsigned messages
+## from domains with no "signs all" policy. The reported DKIM result
+## will be "none" in such cases. Normally unsigned mail from non-strict
+## domains does not cause the results header to be added.
+
+# AlwaysAddARHeader no
+
+## AuthservID string
+## default (local host name)
+##
+## Defines the "authserv-id" token to be used when generating
+## Authentication-Results headers after message verification.
+
+# AuthservID example.com
+
+## AuthservIDWithJobID
+## default "no"
+##
+## Appends a "/" followed by the MTA's job ID to the "authserv-id" token
+## when generating Authentication-Results headers after message verification.
+
+# AuthservIDWithJobId no
+
+## AutoRestart { yes | no }
+## default "no"
+##
+## Indicate whether or not the filter should arrange to restart automatically
+## if it crashes.
+
+# AutoRestart No
+
+## AutoRestartCount n
+## default 0
+##
+## Sets the maximum automatic restart count. After this number of
+## automatic restarts, the filter will give up and terminate. A value of 0
+## implies no limit.
+
+# AutoRestartCount 0
+
+## AutoRestartRate n/t[u]
+## default (none)
+##
+## Sets the maximum automatic restart rate. See the opendkim.conf(5)
+## man page for the format of this parameter.
+
+# AutoRestartRate n/tu
+
+## Background { yes | no }
+## default "yes"
+##
+## Indicate whether or not the filter should run in the background.
+
+# Background Yes
+
+## BaseDirectory path
+## default (none)
+##
+## Causes the filter to change to the named directory before beginning
+## operation. Thus, cores will be dumped here and configuration files
+## are read relative to this location.
+
+# BaseDirectory /run/opendkim
+
+## BodyLengthDB dataset
+## default (none)
+##
+## A data set that is checked against envelope recipients to see if a
+## body length tag should be included in the generated signature.
+## This has security implications; see opendkim.conf(5) for details.
+
+# BodyLengthDB dataset
+
+## Canonicalization hdrcanon[/bodycanon]
+## default "simple/simple"
+##
+## Select canonicalizations to use when signing. If the "bodycanon" is
+## omitted, "simple" is used. Valid values for each are "simple" and
+## "relaxed".
+
+# Canonicalization simple/simple
+
+## ClockDrift n
+## default 300
+##
+## Specify the tolerance range for expired signatures or signatures
+## which appear to have timestamps in the future, allowing for clock
+## drift.
+
+# ClockDrift 300
+
+## Diagnostics { yes | no }
+## default "no"
+##
+## Specifies whether or not signatures with header diagnostic tags should
+## be generated.
+
+# Diagnostics No
+
+## DNSTimeout n
+## default 10
+##
+## Specify the time in seconds to wait for replies from the nameserver when
+## requesting keys or signing policies.
+
+# DNSTimeout 10
+
+## Domain dataset
+## default (none)
+##
+## Specify for which domain(s) signing should be done. No default; must
+## be specified for signing.
+
+Domain example.com
+
+## DomainKeysCompat { yes | no }
+## default "no"
+##
+## When enabled, backward compatibility with DomainKeys (RFC4870) key
+## records is enabled. Otherwise, such key records are considered to be
+## syntactically invalid.
+
+# DomainKeysCompat no
+
+## DontSignMailTo dataset
+## default (none)
+##
+## Gives a list of recipient addresses or address patterns whose mail should
+## not be signed.
+
+# DontSignMailTo addr1,addr2,...
+
+## EnableCoredumps { yes | no }
+## default "no"
+##
+## On systems which have support for such, requests that the kernel dump
+## core even though the process may change user ID during its execution.
+
+# EnableCoredumps no
+
+## ExemptDomains dataset
+## default (none)
+##
+## A data set of domain names that are checked against the message sender's
+## domain. If a match is found, the message is ignored by the filter.
+
+# ExemptDomains domain1,domain2,...
+
+## ExternalIgnoreList filename
+##
+## Names a file from which a list of externally-trusted hosts is read.
+## These are hosts which are allowed to send mail through you for signing.
+## Automatically contains 127.0.0.1. See man page for file format.
+
+# ExternalIgnoreList filename
+
+## FixCRLF { yes | no }
+##
+## Requests that the library convert "naked" CR and LF characters to
+## CRLFs during canonicalization. The default is "no".
+
+# FixCRLF no
+
+## IgnoreMalformedMail { yes | no }
+## default "no"
+##
+## Silently passes malformed messages without alteration. This includes
+## messages that fail the RequiredHeaders check, if enabled. The default is
+## to pass those messages but add an Authentication-Results field indicating
+## that they were malformed.
+
+# IgnoreMalformedMail no
+
+## InternalHosts dataset
+## default "127.0.0.1"
+##
+## Names a file from which a list of internal hosts is read. These are
+## hosts from which mail should be signed rather than verified.
+## Automatically contains 127.0.0.1.
+
+# InternalHosts dataset
+
+## KeepTemporaryFiles { yes | no }
+## default "no"
+##
+## If set, causes temporary files generated during message signing or
+## verifying to be left behind for debugging use. Not for normal operation;
+## can fill your disks quite fast on busy systems.
+
+# KeepTemporaryFiles no
+
+## KeyFile filename
+## default (none)
+##
+## Specifies the path to the private key to use when signing. Ignored if
+## SigningTable and KeyTable are used. No default; must be specified for
+## signing if SigningTable/KeyTable are not in use.
+
+KeyFile /var/db/dkim/example.private
+
+## KeyTable dataset
+## default (none)
+##
+## Defines a table that will be queried to convert key names to
+## sets of data of the form (signing domain, signing selector, private key).
+## The private key can either contain a PEM-formatted private key,
+## a base64-encoded DER format private key, or a path to a file containing
+## one of those.
+
+# KeyTable dataset
+
+## LogWhy { yes | no }
+## default "no"
+##
+## If logging is enabled (see Syslog below), issues very detailed logging
+## about the logic behind the filter's decision to either sign a message
+## or verify it. The logic behind the decision is non-trivial and can be
+## confusing to administrators not familiar with its operation.
A
+## description of how the decision is made can be found in the OPERATIONS
+## section of the opendkim(8) man page. This causes a large increase
+## in the amount of log data generated for each message, so it should be
+## limited to debugging use and not enabled for general operation.
+
+# LogWhy no
+
+## MacroList macro[=value][,...]
+##
+## Gives a set of MTA-provided macros which should be checked to see
+## if the sender has been determined to be a local user and therefore
+## whether or not signing should be done. See opendkim.conf(5) for
+## more information.
+
+# MacroList foo=bar,baz=blivit
+
+## MaximumHeaders n
+##
+## Disallow messages whose header blocks are bigger than "n" bytes.
+## Intended to detect and block a denial-of-service attack. The default
+## is 65536. A value of 0 disables this test.
+
+# MaximumHeaders n
+
+## MaximumSignaturesToVerify n
+## (default 3)
+##
+## Verify no more than "n" signatures on an arriving message.
+## A value of 0 means "no limit".
+
+# MaximumSignaturesToVerify n
+
+## MaximumSignedBytes n
+##
+## Don't sign more than "n" bytes of the message. The default is to
+## sign the entire message. Setting this implies "BodyLengths".
+
+# MaximumSignedBytes n
+
+## MilterDebug n
+##
+## Request a debug level of "n" from the milter library. The default is 0.
+
+# MilterDebug 0
+
+## Minimum n[% | +]
+## default 0
+##
+## Sets a minimum signing volume; one of the following formats:
+## n at least n bytes (or the whole message, whichever is less)
+## must be signed
+## n% at least n% of the message must be signed
+## n+ if a length limit was presented in the signature, no more than
+## n bytes may have been added
+
+# Minimum n
+
+## MinimumKeyBits n
+## default 1024
+##
+## Causes the library not to accept signatures matching keys made of fewer
+## than the specified number of bits, even if they would otherwise pass
+## DKIM signing.
+ +# MinimumKeyBits 1024 + +## Mode [sv] +## default sv +## +## Indicates which mode(s) of operation should be provided. "s" means +## "sign", "v" means "verify". + +# Mode sv + +## MTA dataset +## default (none) +## +## Specifies a list of MTAs whos mail should always be signed rather than +## verified. The "mtaname" is extracted from the DaemonPortOptions line +## in effect. + +# MTA name + +## MultipleSignatures { yes | no } +## default no +## +## Allows multiple signatures to be added. If set to "true" and a SigningTable +## is in use, all SigningTable entries that match the candidate message will +## cause a signature to be added. Otherwise, only the first matching +## SigningTable entry will be added, or only the key defined by Domain, +## Selector and KeyFile will be added. + +# MultipleSignatures no + +## MustBeSigned dataset +## default (none) +## +## Defines a list of headers which, if present on a message, must be +## signed for the signature to be considered acceptable. + +# MustBeSigned header1,header2,... + +## Nameservers addr1[,addr2[,...]] +## default (none) +## +## Provides a comma-separated list of IP addresses that are to be used when +## doing DNS queries to retrieve DKIM keys, VBR records, etc. +## These override any local defaults built in to the resolver in use, which +## may be defined in /etc/resolv.conf or hard-coded into the software. + +# Nameservers addr1,addr2,... + +## NoHeaderB { yes | no } +## default "no" +## +## Suppresses addition of "header.b" tags on Authentication-Results +## header fields. + +# NoHeaderB no + +## OmitHeaders dataset +## default (none) +## +## Specifies a list of headers that should always be omitted when signing. +## Header names should be separated by commas. + +# OmitHeaders header1,header2,... + +## On-... +## +## Specifies what to do when certain error conditions are encountered. +## +## See opendkim.conf(5) for more information. 
+ +# On-Default +# On-BadSignature +# On-DNSError +# On-InternalError +# On-NoSignature +# On-Security +# On-SignatureError + +## OversignHeaders dataset +## default (none) +## +## Specifies a set of header fields that should be included in all signature +## header lists (the "h=" tag) once more than the number of times they were +## actually present in the signed message. See opendkim.conf(5) for more +## information. + +# OverSignHeaders header1,header2,... + +## PeerList dataset +## default (none) +## +## Contains a list of IP addresses, CIDR blocks, hostnames or domain names +## whose mail should be neither signed nor verified by this filter. See man +## page for file format. + +# PeerList filename + +## PidFile filename +## default (none) +## +## Name of the file where the filter should write its pid before beginning +## normal operations. + +# PidFile filename + +## POPDBFile dataset +## default (none) +## +## Names a database which should be checked for "POP before SMTP" records +## as a form of authentication of users who may be sending mail through +## the MTA for signing. Requires special compilation of the filter. +## See opendkim.conf(5) for more information. + +# POPDBFile filename + +## Quarantine { yes | no } +## default "no" +## +## Indicates whether or not the filter should arrange to quarantine mail +## which fails verification. Intended for diagnostic use only. + +# Quarantine No + +## QueryCache { yes | no } +## default "no" +## +## Instructs the DKIM library to maintain its own local cache of keys and +## policies retrieved from DNS, rather than relying on the nameserver for +## caching service. Useful if the nameserver being used by the filter is +## not local. The filter must be compiled with the QUERY_CACHE flag to enable +## this feature, since it adds a library dependency. 
+ +# QueryCache No + +## RedirectFailuresTo address +## default (none) +## +## Redirects signed messages to the specified address if none of the +## signatures present failed to verify. + +# RedirectFailuresTo postmaster@example.com + +## RemoveARAll { yes | no } +## default "no" +## +## Remove all Authentication-Results: headers on all arriving mail. + +# RemoveARAll No + +## RemoveARFrom dataset +## default (none) +## +## Remove all Authentication-Results: headers on all arriving mail that +## claim to have been added by hosts listed in this parameter. The list +## should be comma-separated. Entire domains may be specified by preceding +## the dopmain name by a single dot (".") character. + +# RemoveARFrom host1,host2,.domain1,.domain2,... + +## RemoveOldSignatures { yes | no } +## default "no" +## +## Remove old signatures on messages, if any, when generating a signature. + +# RemoveOldSignatures No + +## ReportAddress addr +## default (executing user)@(hostname) +## +## Specifies the sending address to be used on 
From: headers of outgoing +## failure reports. By default, the e-mail address of the user executing +## the filter is used. + +# ReportAddress "DKIM Error Postmaster" + +## ReportBccAddress addr +## default (none) +## +## Specifies additional recipient address(es) to receive outgoing failure +## reports. + +# ReportBccAddress postmaster@example.com, john@example.com + +## RequiredHeaders { yes | no } +## default no +## +## Rejects messages which don't conform to RFC5322 header count requirements. + +# RequiredHeaders No + +## RequireSafeKeys { yes | no } +## default yes +## +## Refuses to use key files that appear to have unsafe permissions. + +# RequireSafeKeys Yes + +## ResignAll { yes | no } +## default no +## +## Where ResignMailTo triggers a re-signing action, this flag indicates +## whether or not all mail should be signed (if set) versus only verified +## mail being signed (if not set). + +# ResignAll No + +## ResignMailTo dataset +## default (none) +## +## Checks each message recipient against the specified dataset for a +## matching record. The full address is checked in each case, then the +## hostname, then each domain preceded by ".". If there is a match, the +## value returned is presumed to be the name of a key in the KeyTable +## (if defined) to be used to re-sign the message in addition to +## verifying it. If there is a match without a KeyTable, the default key +## is applied. + +# ResignMailTo dataset + +## ResolverConfiguration string +## +## Passes arbitrary configuration data to the resolver. For the stock UNIX +## resolver, this is ignored; for Unbound, it names an unbound.conf(5)-style +## file that should be read for configuration information. + +# ResolverConfiguration string + +## ResolverTracing { yes | no } +## +## Requests enabling of resolver trace features, if available. The effect +## of setting this flag depends on how trace features, if any, are implemented +## in the resolver in use. 
Currently only effective when used with the +## OpenDKIM asynchronous resolver. + +# ResolverTracing no + +## Selector name +## +## The name of the selector to use when signing. No default; must be +## specified for signing. + +Selector my-selector-name + +## SenderHeaders dataset +## default (none) +## +## Overrides the default list of headers that will be used to determine +## the sending domain when deciding whether to sign the message and with +## with which key(s). See opendkim.conf(5) for details. + +# SenderHeaders From + +## SendReports { yes | no } +## default "no" +## +## Specifies whether or not the filter should generate report mail back +## to senders when verification fails and an address for such a purpose +## is provided. See opendkim.conf(5) for details. + +# SendReports No + +## SignatureAlgorithm signalg +## default "rsa-sha256" +## +## Signature algorithm to use when generating signatures. Must be one of +## "rsa-sha1", "rsa-sha256", or "ed25519-sha256". + +# SignatureAlgorithm rsa-sha256 + +## SignatureTTL seconds +## default "0" +## +## Specifies the lifetime in seconds of signatures generated by the +## filter. A value of 0 means no expiration time is included in the +## signature. + +# SignatureTTL 0 + +## SignHeaders dataset +## default (none) +## +## Specifies the list of headers which should be included when generating +## signatures. The string should be a comma-separated list of header names. +## See the opendkim.conf(5) man page for more information. + +# SignHeaders header1,header2,... + +## SigningTable dataset +## default (none) +## +## Defines a dataset that will be queried for the message sender's address +## to determine which private key(s) (if any) should be used to sign the +## message. The sender is determined from the value of the sender +## header fields as described with SenderHeaders above. 
The key for this +## lookup should be an address or address pattern that matches senders; +## see the opendkim.conf(5) man page for more information. The value +## of the lookup should return the name of a key found in the KeyTable +## that should be used to sign the message. If MultipleSignatures +## is set, all possible lookup keys will be attempted which may result +## in multiple signatures being applied. + +# SigningTable filename + +## SingleAuthResult { yes | no} +## default "no" +## +## When DomainKeys verification is enabled, multiple Authentication-Results +## will be added, one for DK and one for DKIM. With this enabled, only +## a DKIM result will be reported unless DKIM failed but DK passed, in which +## case only a DK result will be reported. + +# SingleAuthResult no + +## SMTPURI uri +## +## Specifies a URI (e.g., "smtp://localhost") to which mail should be sent +## via SMTP when notifications are generated. + +# SMTPURI smtp://localhost + +## Socket socketspec +## +## Names the socket where this filter should listen for milter connections +## from the MTA. Required. Should be in one of these forms: +## +## inet:port@address to listen on a specific interface +## inet:port to listen on all interfaces +## local:/path/to/socket to listen on a UNIX domain socket + +Socket inet:port@localhost + +## SoftwareHeader { yes | no } +## default "no" +## +## Add a DKIM-Filter header field to messages passing through this filter +## to identify messages it has processed. + +# SoftwareHeader no + +## StrictHeaders { yes | no } +## default "no" +## +## Requests that the DKIM library refuse to process a message whose +## header fields do not conform to the standards, in particular Section 3.6 +## of RFC5322. + +# StrictHeaders no + +## StrictTestMode { yes | no } +## default "no" +## +## Selects strict CRLF mode during testing (see the "-t" command line +## flag in the opendkim(8) man page). 
Messages for which all header +## fields and body lines are not CRLF-terminated are considered malformed +## and will produce an error. + +# StrictTestMode no + +## SubDomains { yes | no } +## default "no" +## +## Sign for subdomains as well? + +# SubDomains No + +## Syslog { yes | no } +## default "yes" +## +## Log informational and error activity to syslog? + +Syslog Yes + +## SyslogFacility facility +## default "mail" +## +## Valid values are : +## auth cron daemon kern lpr mail news security syslog user uucp +## local0 local1 local2 local3 local4 local5 local6 local7 +## +## syslog facility to be used + +# SyslogFacility mail + +## SyslogName ident +## default "opendkim" (or the name of the executable) +## +## Identifier to be prepended to all generated log entries. + +# SyslogName opendkim + +## SyslogSuccess { yes | no } +## default "no" +## +## Log success activity to syslog? + +# SyslogSuccess No + +## TemporaryDirectory path +## default /tmp +## +## Specifies which directory will be used for creating temporary files +## during message processing. + +# TemporaryDirectory /tmp + +## TestPublicKeys filename +## default (none) +## +## Names a file from which public keys should be read. Intended for use +## only during automated testing. + +# TestPublicKeys /tmp/testkeys + +## TrustAnchorFile filename +## default (none) +## +## Specifies a file from which trust anchor data should be read when doing +## DNS queries and applying the DNSSEC protocol. See the Unbound documentation +## at http://unbound.net for the expected format of this file. + +# TrustAnchorFile /var/named/trustanchor + +## UMask mask +## default (none) +## +## Change the process umask for file creation to the specified value. +## The system has its own default which will be used (usually 022). +## See the umask(2) man page for more information. + +# UMask 022 + +## Userid userid +## default (none) +## +## Change to user "userid" before starting normal operation? 
May include +## a group ID as well, separated from the userid by a colon. + +# UserID userid -- cgit v1.2.3-70-g09d2 From 5bfde9c10bc25e35771e9d3d0d74d1810233e6d4 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 5 Apr 2024 04:39:02 +0000 Subject: meta --- etc/myconf/cfgl_meta | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index 0015f9a2..0065b990 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta @@ -7,6 +7,7 @@ 755 root root //etc/dovecot 755 root root //etc/dovecot/conf.d 644 root root //etc/dovecot/conf.d/10-mail.conf +644 root root //etc/dovecot/conf.d/10-master.conf 644 root root //etc/dovecot/conf.d/10-ssl.conf 644 root root //etc/fstab 644 root root //etc/hostname @@ -16,6 +17,8 @@ 755 root root //etc/myconf 600 root root //etc/myconf/cfgl_meta 644 root root //etc/nftables.conf +700 opendkim mail //etc/opendkim +644 opendkim mail //etc/opendkim/opendkim.conf 644 root root //etc/pacman.conf 755 root root //etc/postfix 644 root root //etc/postfix/aliases -- cgit v1.2.3-70-g09d2 From dddbf00aca3f9181d7ce372d6e057e2708e5e9b9 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 5 Apr 2024 06:41:43 +0000 Subject: default --- etc/opendmarc/opendmarc.conf | 370 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 370 insertions(+) create mode 100644 etc/opendmarc/opendmarc.conf diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf new file mode 100644 index 00000000..84ea1a83 --- /dev/null +++ b/etc/opendmarc/opendmarc.conf 
@@ -0,0 +1,370 @@
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2015, The Trusted Domain Project. All rights reserved.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid. They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendmarc being unable to start.
+##
+## Renamed in 1.3.0:
+## ForensicReports became FailureReports
+## ForensicReportsBcc became FailureReportsBcc
+## ForensicReportsOnNone became FailureReportsOnNone
+## ForensicReportsSentBy became FailureReportsSentBy
+
+## CONFIGURATION OPTIONS
+
+## AuthservID (string)
+## defaults to MTA name
+##
+## Sets the "authserv-id" to use when generating the Authentication-Results:
+## header field after verifying a message. If the string "HOSTNAME" is
+## provided, the name of the host running the filter (as returned by the
+## gethostname(3) function) will be used.
+#
+# AuthservID name
+AuthservID HOSTNAME
+
+## AuthservIDWithJobID { true | false }
+## default "false"
+##
+## If "true", requests that the authserv-id portion of the added
+## Authentication-Results header fields contain the job ID of the message
+## being evaluated.
+#
+# AuthservIDWithJobID false
+
+## AutoRestart { true | false }
+## default "false"
+##
+## Automatically re-start on failures. Use with caution; if the filter fails
+## instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+
+## AutoRestartCount n
+## default 0
+##
+## Sets the maximum automatic restart count. After this number of automatic
+## restarts, the filter will give up and terminate. A value of 0 implies no
+## limit.
+#
+# AutoRestartCount 0
+
+## AutoRestartRate n/t[u]
+## default (no limit)
+##
+## Sets the maximum automatic restart rate. If the filter begins restarting
+## faster than the rate defined here, it will give up and terminate. This
+## is a string of the form n/t[u] where n is an integer limiting the count
+## of restarts in the given interval and t[u] defines the time interval
+## through which the rate is calculated; t is an integer and u defines the
+## units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+## for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+## value of "10/1h" limits the restarts to 10 in one hour. There is no
+## default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+
+## Background { true | false }
+## default "true"
+##
+## Causes opendmarc to fork and exits immediately, leaving the service
+## running in the background.
+#
+# Background true
+
+## BaseDirectory (string)
+## default (none)
+##
+## If set, instructs the filter to change to the specified directory using
+## chdir(2) before doing anything else. This means any files referenced
+## elsewhere in the configuration file can be specified relative to this
+## directory. It's also useful for arranging that any crash dumps will be
+## saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+
+## ChangeRootDirectory (string)
+## default (none)
+##
+## Requests that the operating system change the effective root directory of
+## the process to the one specified here prior to beginning execution.
+## chroot(2) requires superuser access. A warning will be generated if
+## UserID is not also set.
+#
+# ChangeRootDirectory /var/chroot/opendmarc
+
+## CopyFailuresTo (string)
+## default (none)
+##
+## Requests addition of the specified email address to the envelope of
+## any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+
+## DNSTimeout (integer)
+## default 5
+##
+## Sets the DNS timeout in seconds. A value of 0 causes an infinite wait.
+## (NOT YET IMPLEMENTED)
+#
+# DNSTimeout 5
+
+## EnableCoredumps { true | false }
+## default "false"
+##
+## On systems that have such support, make an explicit request to the kernel
+## to dump cores when the filter crashes for some reason. Some modern UNIX
+## systems suppress core dumps during crashes for security reasons if the
+## user ID has changed during the lifetime of the process. Currently only
+## supported on Linux.
+#
+# EnableCoreDumps false
+
+## FailureReports { true | false }
+## default "false"
+##
+## Enables generation of failure reports when the DMARC test fails and the
+## purported sender of the message has requested such reports. Reports are
+## formatted per RFC6591.
+#
+# FailureReports false
+
+## FailureReportsBcc (string)
+## default (none)
+##
+## When failure reports are enabled and one is to be generated, always
+## send one to the address(es) specified here. If a failure report is
+## requested by the domain owner, the address(es) are added in a Bcc: field.
+## If no request is made, they address(es) are used in a To: field. There
+## is no default.
+#
+# FailureReportsBcc postmaster@example.coom
+
+## FailureReportsOnNone { true | false }
+## default "false"
+##
+## Supplements the "FailureReports" setting by generating reports for
+## domains that advertise "none" policies. By default, reports are only
+## generated (when enabled) for sending domains advertising a "quarantine"
+## or "reject" policy.
+#
+# FailureReportsOnNone false
+
+## FailureReportsSentBy string
+## default "USER@HOSTNAME"
+##
+## Specifies the email address to use in the From: field of failure
+## reports generated by the filter. The default is to use the userid of
+## the user running the filter and the local hostname to construct an
+## email address. "postmaster" is used in place of the userid if a name
+## could not be determined.
+#
+# FailureReportsSentBy USER@HOSTNAME
+
+## HistoryFile path
+## default (none)
+##
+## If set, specifies the location of a text file to which records are written
+## that can be used to generate DMARC aggregate reports. Records are groups
+## of rows containing information about a single received message, and
+## include all relevant information needed to generate a DMARC aggregate
+## report. It is expected that this will not be used in its raw form, but
+## rather periodically imported into a relational database from which the
+## aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+# HistoryFile /var/run/opendmarc.dat
+
+## IgnoreAuthenticatedClients { true | false }
+## default "false"
+##
+## If set, causes mail from authenticated clients (i.e., those that used
+## SMTP AUTH) to be ignored by the filter.
+#
+IgnoreAuthenticatedClients true
+
+## IgnoreHosts path
+## default (internal)
+##
+## Specifies the path to a file that contains a list of hostnames, IP
+## addresses, and/or CIDR expressions identifying hosts whose SMTP
+## connections are to be ignored by the filter. If not specified, defaults
+## to "127.0.0.1" only.
+#
+# IgnoreHosts /etc/opendmarc/ignore.hosts
+
+## IgnoreMailFrom domain[,...]
+## default (none)
+##
+## Gives a list of domain names whose mail (based on the From: domain) is to
+## be ignored by the filter. The list should be comma-separated. Matching
+## against this list is case-insensitive. The default is an empty list,
+## meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
+
+## MilterDebug (integer)
+## default 0
+##
+## Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+
+## PidFile path
+## default (none)
+##
+## Specifies the path to a file that should be created at process start
+## containing the process ID.
+#
+# PidFile /var/run/opendmarc.pid
+
+## PublicSuffixList path
+## default (none)
+##
+## Specifies the path to a file that contains top-level domains (TLDs) that
+## will be used to compute the Organizational Domain for a given domain name,
+## as described in the DMARC specification. If not provided, the filter will
+## not be able to determine the Organizational Domain and only the presented
+## domain will be evaluated.
+#
+# PublicSuffixList path
+
+## RecordAllMessages { true | false }
+## default "false"
+##
+## If set and "HistoryFile" is in use, all received messages are recorded
+## to the history file. If not set (the default), only messages for which
+## the From: domain published a DMARC record will be recorded in the
+## history file.
+#
+# RecordAllMessages false
+
+## RejectFailures { true | false }
+## default "false"
+##
+## If set, messages will be rejected if they fail the DMARC evaluation, or
+## temp-failed if evaluation could not be completed. By default, no message
+## will be rejected or temp-failed regardless of the outcome of the DMARC
+## evaluation of the message. Instead, an Authentication-Results header
+## field will be added.
+#
+# RejectFailures false
+
+## ReportCommand string
+## default "/usr/sbin/sendmail -t"
+##
+## Indicates the shell command to which failure reports should be passed for
+## delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+
+## RequiredHeaders { true | false }
+## default "false"
+##
+## If set, the filter will ensure the header of the message conforms to the
+## basic header field count restrictions laid out in RFC5322, Section 3.6.
+## Messages failing this test are rejected without further processing. A
+## From: field from which no domain name could be extracted will also be
+## rejected.
+#
+# RequiredHeaders false
+
+## Socket socketspec
+## default (none)
+##
+## Specifies the socket that should be established by the filter to receive
+## connections from sendmail(8) in order to provide service. socketspec is
+## in one of two forms: local:path, which creates a UNIX domain socket at
+## the specified path, or inet:port[@host] or inet6:port[@host] which creates
+## a TCP socket on the specified port for the appropriate protocol family.
+## If the host is not given as either a hostname or an IP address, the
+## socket will be listening on all interfaces. This option is mandatory
+## either in the configuration file or on the command line. If an IP
+## address is used, it must be enclosed in square brackets.
+#
+# Socket inet:8893@localhost
+Socket unix:/var/spool/opendmarc/opendmarc.sock
+
+## SoftwareHeader { true | false }
+## default "false"
+##
+## Causes the filter to add a "DMARC-Filter" header field indicating the
+## presence of this filter in the path of the message from injection to
+## delivery. The product's name, version, and the job ID are included in
+## the header field's contents.
+#
+# SoftwareHeader false
+
+## SPFIgnoreResults { true | false }
+## default "false"
+##
+## Causes the filter to ignore any SPF results in the header of the
+## message. This is useful if you want the filter to perfrom SPF checks
+## itself, or because you don't trust the arriving header.
+#
+# SPFIgnoreResults false
+
+## SPFSelfValidate { true | false }
+## default false
+##
+## Enable internal spf checking with --with-spf
+## To use libspf2 instead: --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+## Causes the filter to perform a fallback SPF check itself when
+## it can find no SPF results in the message header. If SPFIgnoreResults
+## is also set, it never looks for SPF results in headers and
+## always performs the SPF check itself when this is set.
+
+#
+SPFSelfValidate true
+
+## Syslog { true | false }
+## default "false"
+##
+## Log via calls to syslog(3) any interesting activity.
+#
+# Syslog false
+
+## SyslogFacility facility-name
+## default "mail"
+##
+## Log via calls to syslog(3) using the named facility. The facility names
+## are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+## TrustedAuthservIDs string
+## default HOSTNAME
+##
+## Specifies one or more "authserv-id" values to trust as relaying true
+## upstream DKIM and SPF results. The default is to use the name of
+## the MTA processing the message. To specify a list, separate each entry
+## with a comma. The key word "HOSTNAME" will be replaced by the name of
+## the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+
+## UMask mask
+## default (none)
+##
+## Requests a specific permissions mask to be used for file creation. This
+## only really applies to creation of the socket when Socket specifies a
+## UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+## files are normally created by the mkstemp(3) function that enforces a
+## specific file mode on creation regardless of the process umask. See
+## umask(2) for more information.
+#
+# UMask 077
+UMask 002
+
+## UserID user[:group]
+## default (none)
+##
+## Attempts to become the specified userid before starting operations.
+## The process will be assigned all of the groups and primary group ID of
+## the named userid unless an alternate group is specified.
+#
+# UserID opendmarc
+# ATTENTION: user and group are enforced throug the systemd service file
-- cgit v1.2.3-70-g09d2
From 4ee251323a9fdb223fa9630cc4e3e834d340b318 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 06:42:15 +0000
Subject: meta
---
 etc/myconf/cfgl_meta | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 0065b990..2803edb9 100644
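Review bot: `SPFSelfValidate true` is set but `SPFIgnoreResults` is left at its default of false, so by the file's own description the filter still honours any SPF result already present in an `Authentication-Results:` header whose authserv-id matches `TrustedAuthservIDs` (default HOSTNAME); nothing in this file strips such headers from inbound mail, so a remote sender who guesses the hostname can inject a `spf=pass` and have it trusted. Since the filter is already doing its own SPF evaluation, set `SPFIgnoreResults true` — the comment block above it names exactly this case ("because you don't trust the arriving header"); if Postfix header_checks or opendkim's RemoveARFrom already strip foreign A-R headers, say so in a comment instead. `UMask 002` is looser than needed: a UNIX-socket milter only needs group write for the postfix group to connect, so `UMask 007` gives the same access without leaving the socket (and any HistoryFile/PidFile later enabled) world-readable. `RejectFailures` stays at false, meaning DMARC failures are only annotated, never enforced; that is a legitimate choice but deserves a one-line comment so it is not mistaken for an oversight.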
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
@@ -19,6 +19,8 @@
 644 root root //etc/nftables.conf
 700 opendkim mail //etc/opendkim
 644 opendkim mail //etc/opendkim/opendkim.conf
+755 root root //etc/opendmarc
+640 opendmarc mail //etc/opendmarc/opendmarc.conf
 644 root root //etc/pacman.conf
 755 root root //etc/postfix
 644 root root //etc/postfix/aliases
-- cgit v1.2.3-70-g09d2
From d89421feba6d8bdc63a91078a8747a572b9c8260 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 06:52:24 +0000
Subject: arch wiki opendmarc
---
 etc/tmpfiles.d/opendmarc.conf | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 etc/tmpfiles.d/opendmarc.conf
diff --git a/etc/tmpfiles.d/opendmarc.conf b/etc/tmpfiles.d/opendmarc.conf
new file mode 100644
index 00000000..126d2922
--- /dev/null
+++ b/etc/tmpfiles.d/opendmarc.conf
@@ -0,0 +1 @@
+D /run/opendmarc 0750 opendmarc postfix
-- cgit v1.2.3-70-g09d2
From e6e7ab2f7029fc18c10e2a18d2e2fcc0c0440aa2 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 07:54:47 +0000
Subject: new
---
 etc/systemd/system/opendmarc.service.d/override.conf | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 etc/systemd/system/opendmarc.service.d/override.conf
diff --git a/etc/systemd/system/opendmarc.service.d/override.conf b/etc/systemd/system/opendmarc.service.d/override.conf
new file mode 100644
index 00000000..40ab443c
--- /dev/null
+++ b/etc/systemd/system/opendmarc.service.d/override.conf
@@ -0,0 +1,4 @@
+# https://wiki.archlinux.org/title/OpenDMARC
+[Service]
+Group=
+Group=postfix
-- cgit v1.2.3-70-g09d2
From 820ec977a50ffe92d59ad7a2434d9efeafe99a49 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 11:49:36 +0000
Subject: meta
---
 etc/myconf/cfgl_meta | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 2803edb9..02c2616a 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
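Review bot: The directory this tmpfiles entry creates, `/run/opendmarc`, does not match where the filter is told to listen: the opendmarc.conf added two commits earlier sets `Socket unix:/var/spool/opendmarc/opendmarc.sock`, so unless the unit's ExecStart overrides the path with `-p` (not visible here) this directory stays empty and the socket is created — or fails to be created — under /var/spool. Align the two, either `Socket local:/run/opendmarc/opendmarc.sock` in opendmarc.conf or pointing this line at /var/spool/opendmarc, and add a comment naming the consumer, e.g. `# socket dir for the milter; postfix group must traverse it`. The `0750 opendmarc postfix` mode is coherent with the Group=postfix override in the next commit (postfix can reach the socket, nobody else can); note that `D` rather than `d` also empties the directory on `systemd-tmpfiles --remove`, which is harmless for a socket but worth stating.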
@@ -43,8 +43,12 @@
 644 root root //etc/systemd/system/acme.sh.service.d/override.conf
 755 root root //etc/systemd/system/multi-user.target.wants
 777 root root //etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
+755 root root //etc/systemd/system/opendmarc.service.d
+644 root root //etc/systemd/system/opendmarc.service.d/override.conf
 755 root root //etc/systemd/system/paccache.service.d
 644 root root //etc/systemd/system/paccache.service.d/10-remove-all.conf
+755 root root //etc/tmpfiles.d
+644 root root //etc/tmpfiles.d/opendmarc.conf
 755 root root //home
 700 xyz wheel //home/xyz
 644 xyz wheel //home/xyz/.bashrc
-- cgit v1.2.3-70-g09d2
From 416a0ca8403db1d0b841b958ad4bc5e93990af5e Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 5 Apr 2024 12:02:22 +0000
Subject: Add email server configs
References: https://github.com/LukeSmithxyz/emailwiz https://landchad.net/ https://wiki.archlinux.org/title/Postfix https://wiki.archlinux.org/title/Dovecot https://wiki.archlinux.org/title/OpenDKIM https://wiki.archlinux.org/title/OpenDMARC Maybe useful: https://doc.dovecot.org/settings/core/#dovecot-core-settings https://workaround.org https://kyun.host/docs/guides/email `man postconf.5` More necessary commands notes see arch_install.md
---
 etc/dovecot/conf.d/10-mail.conf | 2 +-
 etc/dovecot/conf.d/10-master.conf | 12 ++++----
 etc/dovecot/conf.d/10-ssl.conf | 8 +++---
 etc/nftables.conf | 16 +++++++----
 etc/opendkim/opendkim.conf | 14 +++++-----
 etc/opendmarc/opendmarc.conf | 3 +-
 etc/postfix/main.cf | 59 +++++++++++++++++++++++++++++++++++++++
 etc/postfix/master.cf | 37 +++++++++++++-----------
 8 files changed, 110 insertions(+), 41 deletions(-)
diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf
index de48f92d..49e70cb9 100644
--- a/etc/dovecot/conf.d/10-mail.conf
+++ b/etc/dovecot/conf.d/10-mail.conf
@@ -27,7 +27,7 @@
 #
 #
 #
-#mail_location =
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf
index 64fa0f2c..fb03c64c 100644
--- a/etc/dovecot/conf.d/10-master.conf
+++ b/etc/dovecot/conf.d/10-master.conf
@@ -100,16 +100,18 @@ service auth {
 # To give the caller full permissions to lookup all users, set the mode to
 # something else than 0666 and Dovecot lets the kernel enforce the
 # permissions (e.g. 0777 allows everyone full permissions).
- unix_listener auth-userdb {
+ #unix_listener auth-userdb {
 #mode = 0666
 #user =
 #group =
- }
+ #}
 # Postfix smtp-auth
- #unix_listener /var/spool/postfix/private/auth {
- # mode = 0666
- #}
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0666
+ user = postfix
+ group = postfix
+ }
 # Auth process is run as this user.
 #user = $default_internal_user
diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf
index ad847664..b9c2263e 100644
--- a/etc/dovecot/conf.d/10-ssl.conf
+++ b/etc/dovecot/conf.d/10-ssl.conf
@@ -3,14 +3,14 @@
 ##
 # SSL/TLS support: yes, no, required.
-#ssl = yes
+ssl = required
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = _restrictions here,
 # specify "smtpd__restrictions=$mua__restrictions"
 # here, and specify mua__restrictions in main.cf (where
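Review bot: In the 10-master.conf hunk, `mode = 0666` on `/var/spool/postfix/private/auth` is only acceptable because that `private` directory is itself closed to everyone but postfix; the new block does not say so, and a later reader may "harden" it to 0660 and break SASL, or copy the 0666 to a world-accessible path. Add a comment on the listener, e.g. `# 0666 is safe only because /var/spool/postfix/private is not world-accessible`, and keep the explicit `user = postfix` / `group = postfix` as the real access control. The same hunk comments out the `auth-userdb` listener block entirely rather than leaving it with its defaults; if nothing else (dovecot-lda, LMTP, doveadm) needs userdb lookups on this host that is fine, but a one-line comment stating why would help, since the `service auth {` block continues outside the hunk and the reason is not visible here.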
@@ -30,17 +33,17 @@ smtp inet n - n - - smtpd # -o smtpd_client_restrictions= # -o smtpd_helo_restrictions= # -o smtpd_sender_restrictions= -# -o smtpd_relay_restrictions= -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o smtpd_relay_restrictions= + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING # Choose one: enable submissions for loopback clients only, or for any client. #127.0.0.1:submissions inet n - n - - smtpd -#submissions inet n - n - - smtpd -# -o syslog_name=postfix/submissions -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes +submissions inet n - n - - smtpd + -o syslog_name=postfix/submissions + -o smtpd_tls_wrappermode=yes + -o smtpd_sasl_auth_enable=yes # -o local_header_rewrite_clients=static:all -# -o smtpd_reject_unlisted_recipient=no + -o smtpd_reject_unlisted_recipient=no # Instead of specifying complex smtpd__restrictions here, # specify "smtpd__restrictions=$mua__restrictions" # here, and specify mua__restrictions in main.cf (where @@ -48,9 +51,9 @@ smtp inet n - n - - smtpd # -o smtpd_client_restrictions= # -o smtpd_helo_restrictions= # -o smtpd_sender_restrictions= -# -o smtpd_relay_restrictions= -# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING + -o smtpd_relay_restrictions= + -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject + -o milter_macro_daemon_name=ORIGINATING #628 inet n - n - - qmqpd pickup unix n - n 60 1 pickup cleanup unix n - n - 0 cleanup -- cgit v1.2.3-70-g09d2 From d351d94de2a62610022e013ec4a2cefa46300d1f Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 5 Apr 2024 12:26:41 +0000 Subject: more email server configs: packages and services --- home/xyz/.config/myconf/pacman_Qqne | 2 ++ home/xyz/.config/myconf/sye | 6 +++++- 2 files changed, 7 insertions(+), 1 deletion(-) 
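Review bot: `-o smtpd_reject_unlisted_recipient=no` is uncommented on the new `submissions` service, while the removed line shows the stock template ships it commented out: with it set, Postfix accepts RCPT TO for recipients it does not know from authenticated clients and bounces them after queueing instead of rejecting them in the SMTP dialogue. If that is intentional it deserves a note, e.g. `# accept unknown recipients from authenticated users; they are bounced after queueing`; otherwise leave the line commented as in the template. The `submission` block that the first hunk's uncommented `smtpd_relay_restrictions`/`smtpd_recipient_restrictions` lines belong to starts above the hunk, so its TLS and SASL settings cannot be checked here.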
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 66f2ef1a..912426c0 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -23,6 +23,8 @@ neovim
 nethogs
 nftables
 openbsd-netcat
+opendkim
+opendmarc
 openssh
 p7zip
 pacman-contrib
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index c5147c99..8d845498 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
@@ -1,6 +1,10 @@
 UNIT FILE STATE PRESET
+dovecot.service enabled disabled
 getty@.service enabled enabled
 nftables.service enabled disabled
+opendkim.service enabled disabled
+opendmarc.service enabled disabled
+postfix.service enabled disabled
 sshd.service enabled disabled
 systemd-network-generator.service enabled enabled
 systemd-networkd-wait-online.service enabled enabled
@@ -15,4 +19,4 @@
 acme.sh.timer enabled disabled
 paccache.timer enabled disabled
 pacman-filesdb-refresh.timer enabled disabled
-15 unit files listed.
+19 unit files listed.
-- cgit v1.2.3-70-g09d2
From 5306160d454c8a7fdf16968f90b5d3302609c6e2 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Sun, 7 Apr 2024 04:49:23 +0000
Subject: default
---
 etc/dovecot/conf.d/15-mailboxes.conf | 86 ++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 etc/dovecot/conf.d/15-mailboxes.conf
diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf
new file mode 100644
index 00000000..71076d48
--- /dev/null
+++ b/etc/dovecot/conf.d/15-mailboxes.conf
@@ -0,0 +1,86 @@ +## +## Mailbox definitions +## + +# Each mailbox is specified in a separate mailbox section. The section name +# specifies the mailbox name. If it has spaces, you can put the name +# "in quotes". These sections can contain the following mailbox settings: +# +# auto: +# Indicates whether the mailbox with this name is automatically created +# implicitly when it is first accessed. The user can also be automatically +# subscribed to the mailbox after creation. The following values are +# defined for this setting: +# +# no - Never created automatically. +# create - Automatically created, but no automatic subscription. +# subscribe - Automatically created and subscribed. +# +# special_use: +# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the +# mailbox. There are no validity checks, so you could specify anything +# you want in here, but it's not a good idea to use flags other than the +# standard ones specified in the RFC: +# +# \All - This (virtual) mailbox presents all messages in the +# user's message store. +# \Archive - This mailbox is used to archive messages. +# \Drafts - This mailbox is used to hold draft messages. +# \Flagged - This (virtual) mailbox presents all messages in the +# user's message store marked with the IMAP \Flagged flag. +# \Important - This (virtual) mailbox presents all messages in the +# user's message store deemed important to user. +# \Junk - This mailbox is where messages deemed to be junk mail +# are held. +# \Sent - This mailbox is used to hold copies of messages that +# have been sent. +# \Trash - This mailbox is used to hold messages that have been +# deleted. +# +# comment: +# Defines a default comment or note associated with the mailbox. This +# value is accessible through the IMAP METADATA mailbox entries +# "/shared/comment" and "/private/comment". Users with sufficient +# privileges can override the default value for entries with a custom +# value. 
+ +# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf. +namespace inbox { + # These mailboxes are widely used and could perhaps be created automatically: + mailbox Drafts { + special_use = \Drafts + } + mailbox Junk { + special_use = \Junk + } + mailbox Trash { + special_use = \Trash + } + + # For \Sent mailboxes there are two widely used names. We'll mark both of + # them as \Sent. User typically deletes one of them if duplicates are created. + mailbox Sent { + special_use = \Sent + } + mailbox "Sent Messages" { + special_use = \Sent + } + + # If you have a virtual "All messages" mailbox: + #mailbox virtual/All { + # special_use = \All + # comment = All my messages + #} + + # If you have a virtual "Flagged" mailbox: + #mailbox virtual/Flagged { + # special_use = \Flagged + # comment = All my flagged messages + #} + + # If you have a virtual "Important" mailbox: + #mailbox virtual/Important { + # special_use = \Important + # comment = All my important messages + #} +} -- cgit v1.2.3-70-g09d2 From db31f5f16744cb937fae20127bd62b0cbb208a04 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 7 Apr 2024 04:49:48 +0000 Subject: meta --- etc/myconf/cfgl_meta | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index 02c2616a..96eda872 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta @@ -9,6 +9,7 @@ 644 root root //etc/dovecot/conf.d/10-mail.conf 644 root root //etc/dovecot/conf.d/10-master.conf 644 root root //etc/dovecot/conf.d/10-ssl.conf +644 root root //etc/dovecot/conf.d/15-mailboxes.conf 644 root root //etc/fstab 644 root root //etc/hostname 644 root root //etc/locale.conf -- cgit v1.2.3-70-g09d2 From 7f64ae790c90e7922869aa9cd9d6a18a561b9715 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 8 Apr 2024 10:32:09 +0000 Subject: feat: auto subscribe mailboxes, remove unneeded mailbox --- etc/dovecot/conf.d/15-mailboxes.conf | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) 
diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf index 71076d48..95f99394 100644 --- a/etc/dovecot/conf.d/15-mailboxes.conf +++ b/etc/dovecot/conf.d/15-mailboxes.conf @@ -49,21 +49,30 @@ namespace inbox { # These mailboxes are widely used and could perhaps be created automatically: mailbox Drafts { special_use = \Drafts + auto = subscribe } mailbox Junk { special_use = \Junk + auto = subscribe } mailbox Trash { special_use = \Trash + auto = subscribe } # For \Sent mailboxes there are two widely used names. We'll mark both of # them as \Sent. User typically deletes one of them if duplicates are created. mailbox Sent { special_use = \Sent + auto = subscribe } - mailbox "Sent Messages" { - special_use = \Sent + #mailbox "Sent Messages" { + # special_use = \Sent + #} + + mailbox Archive { + special_use = \Archive + auto = subscribe } # If you have a virtual "All messages" mailbox: -- cgit v1.2.3-70-g09d2 From a0518e8d2104e67005f93ff13a5a806e7db88a11 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 8 Apr 2024 10:32:20 +0000 Subject: pacnew --- etc/postfix/aliases | 162 +++++++++++++++++++++++++++------------------------- etc/postfix/main.cf | 6 +- 2 files changed, 87 insertions(+), 81 deletions(-) diff --git a/etc/postfix/aliases b/etc/postfix/aliases index c2ff6c98..a4c4f8a0 100644 --- a/etc/postfix/aliases +++ b/etc/postfix/aliases 
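Review bot: The context comment `# For \Sent mailboxes there are two widely used names. We'll mark both of them as \Sent. User typically deletes one of them if duplicates are created.` is now stale, because this hunk comments out the `"Sent Messages"` mailbox and only `Sent` keeps the \Sent flag. Replace it with something like `# Only "Sent" carries \Sent; the other common name, "Sent Messages", is disabled below.` The new `Archive` mailbox follows the same `special_use` + `auto = subscribe` shape as the other entries, which keeps the block consistent.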
@@ -46,25 +46,29 @@ decode: root # newaliases # # DESCRIPTION -# The aliases(5) table provides a system-wide mechanism to -# redirect mail for local recipients. The redirections are -# processed by the Postfix local(8) delivery agent. +# The optional aliases(5) table (alias_maps) redirects mail +# for local recipients. The redirections are processed by +# the Postfix local(8) delivery agent. +# +# This is unlike virtual(5) aliasing (virtual_alias_maps) +# which applies to all recipients: local(8), virtual, and +# remote, and which is implemented by the cleanup(8) daemon. # # Normally, the aliases(5) table is specified as a text file -# that serves as input to the postalias(1) command. The -# result, an indexed file in dbm or db format, is used for -# fast lookup by the mail system. Execute the command -# newaliases in order to rebuild the indexed file after +# that serves as input to the postalias(1) command. The +# result, an indexed file in dbm or db format, is used for +# fast lookup by the mail system. Execute the command +# newaliases in order to rebuild the indexed file after # changing the Postfix alias database. # -# When the table is provided via other means such as NIS, -# LDAP or SQL, the same lookups are done as for ordinary +# When the table is provided via other means such as NIS, +# LDAP or SQL, the same lookups are done as for ordinary # indexed files. # -# Alternatively, the table can be provided as a regu- -# lar-expression map where patterns are given as regular -# expressions. In this case, the lookups are done in a -# slightly different way as described below under "REGULAR +# Alternatively, the table can be provided as a regu- +# lar-expression map where patterns are given as regular +# expressions. In this case, the lookups are done in a +# slightly different way as described below under "REGULAR # EXPRESSION TABLES". # # Users can control delivery of their own mail by setting up 
@@ -78,61 +82,61 @@ decode: root # # name: value1, value2, ... # -# o Empty lines and whitespace-only lines are ignored, -# as are lines whose first non-whitespace character +# o Empty lines and whitespace-only lines are ignored, +# as are lines whose first non-whitespace character # is a `#'. # -# o A logical line starts with non-whitespace text. A -# line that starts with whitespace continues a logi- +# o A logical line starts with non-whitespace text. A +# line that starts with whitespace continues a logi- # cal line. # -# The name is a local address (no domain part). Use double -# quotes when the name contains any special characters such -# as whitespace, `#', `:', or `@'. The name is folded to +# The name is a local address (no domain part). Use double +# quotes when the name contains any special characters such +# as whitespace, `#', `:', or `@'. The name is folded to # lowercase, in order to make database lookups case insensi- # tive. # -# In addition, when an alias exists for owner-name, this -# will override the envelope sender address, so that deliv- +# In addition, when an alias exists for owner-name, this +# will override the envelope sender address, so that deliv- # ery diagnostics are directed to owner-name, instead of the -# originator of the message (for details, see -# owner_request_special, expand_owner_alias and -# reset_owner_alias). This is typically used to direct -# delivery errors to the maintainer of a mailing list, who +# originator of the message (for details, see +# owner_request_special, expand_owner_alias and +# reset_owner_alias). This is typically used to direct +# delivery errors to the maintainer of a mailing list, who # is in a better position to deal with mailing list delivery # problems than the originator of the undelivered mail. # # The value contains one or more of the following: # # address -# Mail is forwarded to address, which is compatible +# Mail is forwarded to address, which is compatible # with the RFC 822 standard. 
# # /file/name -# Mail is appended to /file/name. For details on how -# a file is written see the sections "EXTERNAL FILE -# DELIVERY" and "DELIVERY RIGHTS" in the local(8) -# documentation. Delivery is not limited to regular -# files. For example, to dispose of unwanted mail, +# Mail is appended to /file/name. For details on how +# a file is written see the sections "EXTERNAL FILE +# DELIVERY" and "DELIVERY RIGHTS" in the local(8) +# documentation. Delivery is not limited to regular +# files. For example, to dispose of unwanted mail, # deflect it to /dev/null. # # |command -# Mail is piped into command. Commands that contain -# special characters, such as whitespace, should be -# enclosed between double quotes. For details on how -# a command is executed see "EXTERNAL COMMAND DELIV- +# Mail is piped into command. Commands that contain +# special characters, such as whitespace, should be +# enclosed between double quotes. For details on how +# a command is executed see "EXTERNAL COMMAND DELIV- # ERY" and "DELIVERY RIGHTS" in the local(8) documen- # tation. # # When the command fails, a limited amount of command -# output is mailed back to the sender. The file -# /usr/include/sysexits.h defines the expected exit -# status codes. For example, use "|exit 67" to simu- -# late a "user unknown" error, and "|exit 0" to +# output is mailed back to the sender. The file +# /usr/include/sysexits.h defines the expected exit +# status codes. For example, use "|exit 67" to simu- +# late a "user unknown" error, and "|exit 0" to # implement an expensive black hole. # # :include:/file/name -# Mail is sent to the destinations listed in the +# Mail is sent to the destinations listed in the # named file. Lines in :include: files have the same # syntax as the right-hand side of alias entries. # 
@@ -144,12 +148,12 @@ decode: root # # ADDRESS EXTENSION # When alias database search fails, and the recipient local- -# part contains the optional recipient delimiter (e.g., -# user+foo), the search is repeated for the unextended +# part contains the optional recipient delimiter (e.g., +# user+foo), the search is repeated for the unextended # address (e.g., user). # -# The propagate_unmatched_extensions parameter controls -# whether an unmatched address extension (+foo) is propa- +# The propagate_unmatched_extensions parameter controls +# whether an unmatched address extension (+foo) is propa- # gated to the result of table lookup. # # CASE FOLDING 
@@ -157,83 +161,85 @@ decode: root # to lowercase before database lookup. # # REGULAR EXPRESSION TABLES -# This section describes how the table lookups change when +# This section describes how the table lookups change when # the table is given in the form of regular expressions. For -# a description of regular expression lookup table syntax, -# see regexp_table(5) or pcre_table(5). NOTE: these formats +# a description of regular expression lookup table syntax, +# see regexp_table(5) or pcre_table(5). NOTE: these formats # do not use ":" at the end of a pattern. # -# Each regular expression is applied to the entire search -# string. Thus, a search string user+foo is not broken up +# Each regular expression is applied to the entire search +# string. Thus, a search string user+foo is not broken up # into user and foo. # -# Regular expressions are applied in the order as specified -# in the table, until a regular expression is found that +# Regular expressions are applied in the order as specified +# in the table, until a regular expression is found that # matches the search string. # -# Lookup results are the same as with indexed file lookups. -# For security reasons there is no support for $1, $2 etc. +# Lookup results are the same as with indexed file lookups. +# For security reasons there is no support for $1, $2 etc. # substring interpolation. # # SECURITY -# The local(8) delivery agent disallows regular expression -# substitution of $1 etc. in alias_maps, because that would +# The local(8) delivery agent disallows regular expression +# substitution of $1 etc. in alias_maps, because that would # open a security hole. # -# The local(8) delivery agent will silently ignore requests -# to use the proxymap(8) server within alias_maps. Instead -# it will open the table directly. Before Postfix version -# 2.2, the local(8) delivery agent will terminate with a +# The local(8) delivery agent will silently ignore requests +# to use the proxymap(8) server within alias_maps. 
Instead +# it will open the table directly. Before Postfix version +# 2.2, the local(8) delivery agent will terminate with a # fatal error. # # CONFIGURATION PARAMETERS -# The following main.cf parameters are especially relevant. -# The text below provides only a parameter summary. See +# The following main.cf parameters are especially relevant. +# The text below provides only a parameter summary. See # postconf(5) for more details including examples. # # alias_database (see 'postconf -d' output) -# The alias databases for local(8) delivery that are +# The alias databases for local(8) delivery that are # updated with "newaliases" or with "sendmail -bi". # # alias_maps (see 'postconf -d' output) -# The alias databases that are used for local(8) -# delivery. +# Optional lookup tables with aliases that apply only +# to local(8) recipients; this is unlike vir- +# tual_alias_maps that apply to all recipients: +# local(8), virtual, and remote. # # allow_mail_to_commands (alias, forward) -# Restrict local(8) mail delivery to external com- +# Restrict local(8) mail delivery to external com- # mands. # # allow_mail_to_files (alias, forward) -# Restrict local(8) mail delivery to external files. +# Restrict local(8) mail delivery to external files. # # expand_owner_alias (no) # When delivering to an alias "aliasname" that has an # "owner-aliasname" companion alias, set the envelope -# sender address to the expansion of the +# sender address to the expansion of the # "owner-aliasname" alias. # # propagate_unmatched_extensions (canonical, virtual) -# What address lookup tables copy an address exten- +# What address lookup tables copy an address exten- # sion from the lookup key to the lookup result. 
# # owner_request_special (yes) # Enable special treatment for owner-listname entries # in the aliases(5) file, and don't split owner-list- -# name and listname-request address localparts when +# name and listname-request address localparts when # the recipient_delimiter is set to "-". # # recipient_delimiter (empty) -# The set of characters that can separate an email -# address localpart, user name, or a .forward file +# The set of characters that can separate an email +# address localpart, user name, or a .forward file # name from its extension. # # Available in Postfix version 2.3 and later: # # frozen_delivered_to (yes) -# Update the local(8) delivery agent's idea of the -# Delivered-To: address (see prepend_deliv- -# ered_header) only once, at the start of a delivery -# attempt; do not update the Delivered-To: address +# Update the local(8) delivery agent's idea of the +# Delivered-To: address (see prepend_deliv- +# ered_header) only once, at the start of a delivery +# attempt; do not update the Delivered-To: address # while expanding aliases or .forward files. # # STANDARDS @@ -246,12 +252,12 @@ decode: root # postconf(5), configuration parameters # # README FILES -# Use "postconf readme_directory" or "postconf html_direc- +# Use "postconf readme_directory" or "postconf html_direc- # tory" to locate this information. # DATABASE_README, Postfix lookup table overview # # LICENSE -# The Secure Mailer license must be distributed with this +# The Secure Mailer license must be distributed with this # software. # # AUTHOR(S) diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index 0c36d421..d4f29b68 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf @@ -90,7 +90,7 @@ smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc. # # The level below is what should be used with new (not upgrade) installs. # -compatibility_level = 3.8 +compatibility_level = 3.9 # SOFT BOUNCE # 
@@ -469,7 +469,7 @@ unknown_local_recipient_reject_code = 550 #alias_maps = hash:/etc/aliases #alias_maps = hash:/etc/aliases, nis:mail.aliases #alias_maps = netinfo:/aliases -alias_maps = hash:/etc/postfix/aliases +alias_maps = lmdb:/etc/postfix/aliases # The alias_database parameter specifies the alias database(s) that # are built with "newaliases" or "sendmail -bi". This is a separate @@ -513,7 +513,7 @@ alias_database = $alias_maps # The mailbox_command parameter specifies the optional external # command to use instead of mailbox delivery. The command is run as # the recipient with proper HOME, SHELL and LOGNAME environment settings. -# Exception: delivery for root is done as $default_user. +# Exception: delivery for root is done as $default_privs. # # Other environment variables of interest: USER (recipient username), # EXTENSION (address extension), DOMAIN (domain part of address), -- cgit v1.2.3-70-g09d2 From 1e20d2372ee99457c1efc609914015657b71f4ed Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 9 Apr 2024 01:10:31 -0700 Subject: swith to new ca server; wireguard no need --- etc/nftables.conf | 30 ++-------------------- etc/services | 1 - etc/sysctl.d/99-sysctl.conf | 7 ----- .../multi-user.target.wants/wg-quick@wg0.service | 1 - home/xyz/.config/myconf/pacman_Qqne | 1 - 5 files changed, 2 insertions(+), 38 deletions(-) delete mode 100644 etc/sysctl.d/99-sysctl.conf delete mode 120000 etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service diff --git a/etc/nftables.conf b/etc/nftables.conf index c4ca7f45..22e38dfe 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf 
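Review bot: Changing `alias_maps` from `hash:/etc/postfix/aliases` to `lmdb:/etc/postfix/aliases` changes which database file local(8) opens, and since the next hunk's context shows `alias_database = $alias_maps`, the lmdb file only exists once `newaliases` has been rerun; until then alias expansion, including the root/postmaster redirections in the aliases file, fails. A one-line reminder next to the setting would help, e.g. `# map type changed to lmdb: run newaliases so the .lmdb database is (re)built`. The comment correction `$default_user` to `$default_privs` in the last hunk matches the parameter name main.cf actually uses.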
@@ -3,17 +3,11 @@ # IPv4/IPv6 Simple & Safe firewall ruleset. # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/. -# references, some codes from: -# https://wiki.archlinux.org/title/Nftables -# https://www.procustodibus.com/blog/2021/11/wireguard-nftables -# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT +# some codes from https://wiki.archlinux.org/title/Nftables # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf` flush ruleset -define pub_iface = "eth0" -define wg_iface = "wg0" - table inet my_table { chain my_input { @@ -23,7 +17,6 @@ table inet my_table { ct state invalid drop comment "early drop of invalid connections" ct state {established, related} accept comment "allow tracked connections" iifname lo accept comment "allow from loopback" - iifname $wg_iface accept comment "allow from wireguard" ip protocol icmp accept meta l4proto ipv6-icmp accept @@ -32,7 +25,7 @@ table inet my_table { #tcp dport qbt accept #udp dport qbt accept #tcp dport iperf3 accept - udp dport wireguard accept + #udp dport wireguard accept # for acme.sh standalone mode builtin webserver to renew ssl cert tcp dport http accept # email related ports @@ -52,12 +45,6 @@ table inet my_table { type filter hook forward priority filter policy drop # Drop everything forwarded to us. We do not forward. That is routers job. - - # needed for wireguard? - #iifname $wg_iface oifname $pub_iface accept - #iifname $pub_iface oifname $wg_iface accept - iifname $wg_iface accept - oifname $wg_iface accept } chain my_output { 
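Review bot: `#udp dport wireguard accept` is kept as a commented-out rule in `my_input` while the same commit deletes the `wireguard 49432/udp` entry from /etc/services; nft resolves service names through /etc/services, so uncommenting that rule later would make the whole ruleset fail to load on `nft -f`. Either drop the line or make it self-contained, `#udp dport 49432 accept comment "wireguard"`. Removing the `pub_iface` and `wg_iface` defines is consistent with this file's last hunk, which deletes the nat table that referenced `$pub_iface`; any other `$pub_iface` use outside these hunks would also break loading, but none is visible here.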
@@ -66,16 +53,3 @@ table inet my_table { # Accept every outbound connection } } - -# needed to wireguard NAT masquerade VPN traffic -# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6? -# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families -table inet nat { - # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/ - # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface - chain postrouting { - type nat hook postrouting priority 100 - policy accept - oifname $pub_iface masquerade - } -} diff --git a/etc/services b/etc/services index b1b9f5bc..500c6ac7 100644 --- a/etc/services +++ b/etc/services @@ -11507,7 +11507,6 @@ nusrp 49001/tcp nusdp-disc 49001/udp inspider 49150/tcp # my services -wireguard 49432/udp # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server. # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/ ssh-isp 49812/tcp diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf deleted file mode 100644 index b9677c02..00000000 --- a/etc/sysctl.d/99-sysctl.conf +++ /dev/null @@ -1,7 +0,0 @@ -# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites -# ka seems has this as default, maybe arch linux cloud-init image has this as default? -# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752 -# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding -# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522 -net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1 
diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service deleted file mode 120000 index 0a92cb9a..00000000 --- a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service +++ /dev/null @@ -1 +0,0 @@ -/usr/lib/systemd/system/wg-quick@.service \ No newline at end of file diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index 912426c0..f60f41bc 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -49,7 +49,6 @@ tree unrar-free unzip vidir2-git -wireguard-tools xdg-user-dirs xfsprogs zip -- cgit v1.2.3-70-g09d2 From f0ff093564f27c7bd3ed6966f4e7fdc6d8c0dc11 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 9 Apr 2024 01:18:39 -0700 Subject: new ca bad default cloud-init routes --- etc/systemd/network/10-cloud-init-eth0.network | 21 +++++++++++++++++++++ etc/systemd/network/default.network | 25 ------------------------- 2 files changed, 21 insertions(+), 25 deletions(-) create mode 100644 etc/systemd/network/10-cloud-init-eth0.network delete mode 100644 etc/systemd/network/default.network diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network new file mode 100644 index 00000000..e1e0bd2d --- /dev/null +++ b/etc/systemd/network/10-cloud-init-eth0.network @@ -0,0 +1,21 @@ +[Address] +Address=2606:a8c0:3:773::a/64 + +[Address] +Address=2606:a8c0:3::75f/128 + +[Address] +Address=38.175.201.185/22 + +[Match] +MACAddress=00:46:d3:d8:15:5d +Name=eth0 + +[Network] +DHCP=no +DNS=9.9.9.9 1.1.1.1 2620:fe::fe 2620:fe::9 + +[Route] +Gateway=2606:a8c0:3::1 +Gateway=38.175.200.1 + diff --git a/etc/systemd/network/default.network b/etc/systemd/network/default.network deleted file mode 100644 index dc46831e..00000000 --- a/etc/systemd/network/default.network +++ /dev/null 
@@ -1,25 +0,0 @@ -# not fully understood -# https://unix.stackexchange.com/q/509430/ -# man `systemd.network` -# https://superuser.com/q/1562380 -# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html - -[Match] -Name=eth0 - -[Address] -Address=216.181.107.253/24 - -[Address] -# 2606:a8c0:3:38d::1/64 also works, but I use 2606:a8c0:3:38d::a/64 because crunchbits panel reverse DNS support this address -Address=2606:a8c0:3:38d::a/64 -# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380 -#Address=2606:a8c0:3:38d::a/48 - -[Route] -Gateway=216.181.107.1 - -[Route] -Gateway=2606:a8c0:3::1 -# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419 -GatewayOnLink=yes -- cgit v1.2.3-70-g09d2 From f946a5ddb111497b3bf49da35e8249283c0b1b4d Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 9 Apr 2024 01:19:34 -0700 Subject: new ca fix ipv6 route --- etc/systemd/network/10-cloud-init-eth0.network | 29 ++++++++++++++++---------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network index e1e0bd2d..f98222e3 100644 --- a/etc/systemd/network/10-cloud-init-eth0.network +++ b/etc/systemd/network/10-cloud-init-eth0.network 
@@ -1,21 +1,28 @@ -[Address] -Address=2606:a8c0:3:773::a/64 +# not fully understood +# https://unix.stackexchange.com/q/509430/ +# man `systemd.network` +# https://superuser.com/q/1562380 +# https://docs.netgate.com/pfsense/en/latest/network/ipv6/subnets.html -[Address] -Address=2606:a8c0:3::75f/128 +[Match] +Name=eth0 [Address] Address=38.175.201.185/22 -[Match] -MACAddress=00:46:d3:d8:15:5d -Name=eth0 +[Address] +# ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address +Address=2606:a8c0:3:773::a/64 +# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380 +#Address=2606:a8c0:3:773::a/48 -[Network] -DHCP=no -DNS=9.9.9.9 1.1.1.1 2620:fe::fe 2620:fe::9 +[Address] +Address=2606:a8c0:3::75f/128 [Route] -Gateway=2606:a8c0:3::1 Gateway=38.175.200.1 +[Route] +Gateway=2606:a8c0:3::1 +# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64? see: https://serverfault.com/q/814419 +GatewayOnLink=yes -- cgit v1.2.3-70-g09d2 From c1353941ac428bf14e2a612a3a76d5c5d9cb43f0 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 9 Apr 2024 01:20:30 -0700 Subject: new ca fstab --- etc/fstab | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/etc/fstab b/etc/fstab index 7c8698e7..a3bf39b9 100644 --- a/etc/fstab +++ b/etc/fstab @@ -2,8 +2,4 @@ # See fstab(5) for details. # -/dev/sda3 / xfs rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota 0 1 - -/dev/sda2 /boot/efi vfat rw,relatime,fmask=0077,dmask=0077,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2 - -/swapfile none swap defaults 0 0 +/swap/swapfile none swap defaults 0 0 -- cgit v1.2.3-70-g09d2 From 3ad044bd524482662af6d3200f32e8afeab6b293 Mon Sep 17 00:00:00 2001 
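Review bot: The comment carried over from the deleted default.network, `# GatewayOnLink=yes needed for 2606:a8c0:3::1 gateway, maybe because 2606:a8c0:3::1 is not in the same subnet as 2606:a8c0:3:38d::a/64?`, still names the old host's prefix although this file now assigns `2606:a8c0:3:773::a/64`; it should read `... not in the same subnet as 2606:a8c0:3:773::a/64?`. The rewrite also drops the `[Network]` section with `DNS=9.9.9.9 1.1.1.1 2620:fe::fe 2620:fe::9`, so unless resolvers are configured elsewhere the host is left without a nameserver; that cannot be confirmed from this diff and is worth checking. The `[Match]` section likewise loses `MACAddress=` and now matches on `Name=eth0` alone, which only holds as long as the image keeps that interface name.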
From: Xiao Pan Date: Tue, 9 Apr 2024 01:21:12 -0700 Subject: new ca no need save storage, paccache can delete less --- etc/systemd/system/paccache.service.d/10-remove-all.conf | 8 -------- .../system/paccache.service.d/20-remove-all-uninstalled.conf | 9 +++++++++ 2 files changed, 9 insertions(+), 8 deletions(-) delete mode 100644 etc/systemd/system/paccache.service.d/10-remove-all.conf create mode 100644 etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf diff --git a/etc/systemd/system/paccache.service.d/10-remove-all.conf b/etc/systemd/system/paccache.service.d/10-remove-all.conf deleted file mode 100644 index a33a36a2..00000000 --- a/etc/systemd/system/paccache.service.d/10-remove-all.conf +++ /dev/null @@ -1,8 +0,0 @@ -[Service] -# may need `sudo systemctl daemon-reload` afterward -# need a line of `ExecStart=` to clear the list first, -# more about drop-in dir see `man systemd.unit`, more about ExecStart see `man systemd.service` -# https://wiki.archlinux.org/title/Systemd#Drop-in_files -# https://wiki.archlinux.org/title/Systemd#Examples -ExecStart= -ExecStart=/usr/bin/paccache -rk0 diff --git a/etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf b/etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf new file mode 100644 index 00000000..38d3c2d0 --- /dev/null +++ b/etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf 
@@ -0,0 +1,9 @@
+[Service]
+# keep original `ExecStart=/usr/bin/paccache -r` while adding to the list
+# because I want the default behavior and also remove all uninstalled pacman package cache
+# may need `sudo systemctl daemon-reload` afterward
+# if I want to clear the list first, I should do a line of `ExecStart=` first
+# more about drop-in dir see `man systemd.unit`, more about ExecStart see `man systemd.service`
+# https://wiki.archlinux.org/title/Systemd#Drop-in_files
+# https://wiki.archlinux.org/title/Systemd#Examples
+ExecStart=/usr/bin/paccache -ruk0
-- cgit v1.2.3-70-g09d2
From 3ab1d8c823a670117011b67caad791f03f290e18 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 9 Apr 2024 01:21:44 -0700
Subject: new ca cfgl meta
---
 etc/myconf/cfgl_meta | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta
index 96eda872..37bceab0 100644
--- a/etc/myconf/cfgl_meta
+++ b/etc/myconf/cfgl_meta
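Review bot: Appending a second `ExecStart=` only works because the base unit is `Type=oneshot` (the pacman-contrib unit is, as far as I can tell); for any other service type systemd rejects a second `ExecStart=` at load time, so the drop-in should state that assumption, e.g. `# relies on paccache.service being Type=oneshot, which allows several ExecStart= lines`. It is also worth noting next to `-ruk0` that every cached version of uninstalled packages is deleted, so a quick downgrade of a package removed by mistake needs the mirror or the Arch archive rather than the local cache.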
@@ -34,20 +34,16 @@ 644 root root //etc/ssh/ssh_config.d/my_ssh_config.conf 644 root root //etc/ssh/sshd_config 440 root root //etc/sudoers -755 root root //etc/sysctl.d -644 root root //etc/sysctl.d/99-sysctl.conf 755 root root //etc/systemd 755 root root //etc/systemd/network -644 systemd-network systemd-network //etc/systemd/network/default.network +644 systemd-network systemd-network //etc/systemd/network/10-cloud-init-eth0.network 755 root root //etc/systemd/system 755 root root //etc/systemd/system/acme.sh.service.d 644 root root //etc/systemd/system/acme.sh.service.d/override.conf -755 root root //etc/systemd/system/multi-user.target.wants -777 root root //etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service 755 root root //etc/systemd/system/opendmarc.service.d 644 root root //etc/systemd/system/opendmarc.service.d/override.conf 755 root root //etc/systemd/system/paccache.service.d -644 root root //etc/systemd/system/paccache.service.d/10-remove-all.conf +644 root root //etc/systemd/system/paccache.service.d/20-remove-all-uninstalled.conf 755 root root //etc/tmpfiles.d 644 root root //etc/tmpfiles.d/opendmarc.conf 755 root root //home -- cgit v1.2.3-70-g09d2 From 0be48cdae85e0321c83db7da14b67cb80f21d83e Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 9 Apr 2024 11:01:46 +0100 Subject: I want 2606:a8c0:3:773::a which has RDNS to be the default It seems move 2606:a8c0:3::75f in front of 2606:a8c0:3:773::a will make the latter default? --- etc/systemd/network/10-cloud-init-eth0.network | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network index f98222e3..1bc579b9 100644 --- a/etc/systemd/network/10-cloud-init-eth0.network +++ b/etc/systemd/network/10-cloud-init-eth0.network 
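Review bot: Two entries leave the manifest without a stated reason: `777 root root //etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service`, the enablement symlink, so a deploy from this manifest no longer brings up WireGuard at boot, and `644 root root //etc/sysctl.d/99-sysctl.conf`, so any kernel settings it carried are now untracked. If the new host genuinely has neither, a line in the commit message such as `ca host: no wg0 tunnel and no custom sysctl` would record it; if it still has them, the entries should stay. The renamed entry for `10-cloud-init-eth0.network` is fine as far as the manifest goes, but see the note on the network file itself about cloud-init rewriting that path.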
@@ -10,15 +10,15 @@ Name=eth0
 [Address]
 Address=38.175.201.185/22
+[Address]
+Address=2606:a8c0:3::75f/128
+
 [Address]
 # ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address
 Address=2606:a8c0:3:773::a/64
 # use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
 #Address=2606:a8c0:3:773::a/48
-[Address]
-Address=2606:a8c0:3::75f/128
-
 [Route]
 Gateway=38.175.200.1
-- cgit v1.2.3-70-g09d2
From c1dc3154c35bab540c7a5dc4e85b1422c89f230a Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 9 Apr 2024 12:34:06 +0100
Subject: ca use btrfs
---
 home/xyz/.config/myconf/pacman_Qqne | 1 +
 1 file changed, 1 insertion(+)
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index f60f41bc..f95d7263 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -1,6 +1,7 @@
 base
 base-devel
 bash-completion
+btrfs-progs
 dash
 devtools
 dovecot
-- cgit v1.2.3-70-g09d2
From 1a276df0ae08897abad9a0878bb070ebefc90cf7 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 16 Apr 2024 10:03:14 +0000
Subject: sshd accept COLORTERM env to fix ls no color
If client use alacritty, after ssh into this remote server, ls doesn't show color. Can be workarounded by server sshd accept COLORTERM and client sshd send env. More see my comments in alacritty.toml config.
---
 etc/ssh/sshd_config | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/ssh/sshd_config b/etc/ssh/sshd_config
index 1438778c..78118fad 100644
--- a/etc/ssh/sshd_config
+++ b/etc/ssh/sshd_config
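Review bot: Moving the `2606:a8c0:3::75f/128` block ahead of `2606:a8c0:3:773::a/64` does not reliably decide the IPv6 source address: the kernel applies the RFC 6724 rules (avoid deprecated addresses, longest matching prefix, and so on) and configuration order is at most a tie-breaker, which the commit message itself marks with a question mark. The documented way to keep the /128 reachable but never chosen as source is to deprecate it, `PreferredLifetime=0` inside its `[Address]` section, so the address with reverse DNS is preferred without depending on order. Separately, `10-cloud-init-eth0.network` is the file cloud-init regenerates; unless network configuration is disabled (a `/etc/cloud/cloud.cfg.d/` drop-in containing `network: {config: disabled}`), the next boot can overwrite these hand edits, and a comment at the top of the file saying which of the two is the case would save the next debugging session.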
@@ -7,6 +7,8 @@ PasswordAuthentication no
 # KbdInteractiveAuthentication no and UsePAM yes are Arch Linux default settings see /etc/ssh/sshd_config.d/00-archlinux.conf, I need these configs, I put them here just in case Arch Linux change the defaults in the future.
 KbdInteractiveAuthentication no
 UsePAM yes
+# when ssh into this remote server, client if use alacritty need `SendEnv COLORTERM` to send the env to server, so server ls can default output color, more see comments in my alacritty.toml config
+AcceptEnv COLORTERM
 # Include drop-in configurations
 Include /etc/ssh/sshd_config.d/*.conf
-- cgit v1.2.3-70-g09d2
From 58fec6d40111c6095177b3797770d5c7bcfa068e Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Wed, 17 Apr 2024 11:47:52 +0100
Subject: install wget, because some scripts uses ony wget, e.g. network-speed.xyz
---
 home/xyz/.config/myconf/pacman_Qqne | 1 +
 1 file changed, 1 insertion(+)
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index f95d7263..c299107f 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -50,6 +50,7 @@ tree
 unrar-free
 unzip
 vidir2-git
+wget
 xdg-user-dirs
 xfsprogs
 zip
-- cgit v1.2.3-70-g09d2
From fb833fa7ee92151c10cc815992e0e7190b3ed57c Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Sun, 7 Apr 2024 00:07:02 -0700
Subject: feat: mail filetype set colorcolumn remind me max line char
---
 home/xyz/.config/nvim/init.vim | 33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)
diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim
index e1b5dd1e..f5dd2272 100644
--- a/home/xyz/.config/nvim/init.vim
+++ b/home/xyz/.config/nvim/init.vim
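Review bot: `AcceptEnv COLORTERM` is the right scope, an exact name rather than a glob, and the comment above it should say that this is deliberate: `AcceptEnv` patterns are matched against whatever the client's `SendEnv` offers, the accepted variables are placed in the environment before the login shell runs, and a wildcard would let any client seed variables that change program behaviour on the server. A short second comment line such as `# exact name on purpose; AcceptEnv values are client-controlled, never widen this to a glob` keeps a future "why not AcceptEnv *" edit from happening. The existing comment line above is over 200 characters; wrapping both comments would make this block readable in a terminal.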
@@ -54,6 +54,23 @@ augroup mycmd " .csx seems not c# but c# script file, this works tho " set syntax=cs also works autocmd BufNewFile,BufRead *.csx setfiletype cs + " for alerting me plain text email characters per line + " neomutt auto set new email filetype as mail so this will work + " https://mailformat.dan.info/body/linelength.html suggested 65 + "" https://superuser.com/q/827647/1282809 + " https://lkml.org shows Linus seems use 70 + " https://lkml.org Hottest messages shows people use around 70-80 + " https://en.wikipedia.org/wiki/Characters_per_line + " related: textwidth + " if want to do this only for some file extensions, see: + " https://useplaintext.email/ suggest 72 + "" https://stackoverflow.com/a/469576/9008720 + "" don't forget to put in augroup: + "" https://stackoverflow.com/a/60470085/9008720 + "" also other ways: + "" https://stackoverflow.com/q/158968/9008720 + "autocmd FileType mail setlocal colorcolumn=72 + autocmd FileType mail setlocal cc=72 augroup END " :h markdown, for vim default tpope/vim-markdown @@ -126,22 +143,6 @@ set smartcase " :h disable-mouse set mouse= -" for alerting me plain text email characters per line -" https://mailformat.dan.info/body/linelength.html suggested 65 -"" https://superuser.com/q/827647/1282809 -" https://lkml.org shows Linus seems use 70 -" https://lkml.org Hottest messages shows people use around 70-80 -" https://en.wikipedia.org/wiki/Characters_per_line -" related: textwidth -" if want to do this only for some file extensions, see: -"" https://stackoverflow.com/a/469576/9008720 -"" don't forget to put in augroup: -"" https://stackoverflow.com/a/60470085/9008720 -"" also other ways: -"" https://stackoverflow.com/q/158968/9008720 -"set colorcolumn=70 -"set cc=70 - " map ctrl+h/j/k/l to move between split windows map h map j -- cgit v1.2.3-70-g09d2 From cf8d26d82ce3d25390b66d701779ae1f1fcc5608 Mon Sep 17 00:00:00 2001 
From: Xiao Pan Date: Sun, 7 Apr 2024 00:27:28 -0700 Subject: feat: gitcommit filetype set cc --- home/xyz/.config/nvim/init.vim | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index f5dd2272..cf4d9818 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim @@ -56,6 +56,8 @@ augroup mycmd autocmd BufNewFile,BufRead *.csx setfiletype cs " for alerting me plain text email characters per line " neomutt auto set new email filetype as mail so this will work + " https://stackoverflow.com/q/2290016 suggest gitcommit main body shouldbe about 72 + " https://useplaintext.email/ suggest 72 " https://mailformat.dan.info/body/linelength.html suggested 65 "" https://superuser.com/q/827647/1282809 " https://lkml.org shows Linus seems use 70 @@ -63,14 +65,13 @@ augroup mycmd " https://en.wikipedia.org/wiki/Characters_per_line " related: textwidth " if want to do this only for some file extensions, see: - " https://useplaintext.email/ suggest 72 "" https://stackoverflow.com/a/469576/9008720 "" don't forget to put in augroup: "" https://stackoverflow.com/a/60470085/9008720 "" also other ways: "" https://stackoverflow.com/q/158968/9008720 - "autocmd FileType mail setlocal colorcolumn=72 - autocmd FileType mail setlocal cc=72 + " or use setlocal cc= + autocmd FileType mail,gitcommit setlocal colorcolumn=72 augroup END " :h markdown, for vim default tpope/vim-markdown -- cgit v1.2.3-70-g09d2 From 970ca530ea85a5cbb2f8f21da96cff9a274e4037 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 7 Apr 2024 00:29:54 -0700 Subject: update --- home/xyz/.config/nvim/init.vim | 1 + 1 file changed, 1 insertion(+) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index cf4d9818..2be50697 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim 
@@ -54,6 +54,7 @@ augroup mycmd " .csx seems not c# but c# script file, this works tho " set syntax=cs also works autocmd BufNewFile,BufRead *.csx setfiletype cs + " https://stackoverflow.com/q/28310094 multi filetypes " for alerting me plain text email characters per line " neomutt auto set new email filetype as mail so this will work " https://stackoverflow.com/q/2290016 suggest gitcommit main body shouldbe about 72 -- cgit v1.2.3-70-g09d2 From fe84f1b831505e71d89620e9b242bd02f4fc25af Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Wed, 17 Apr 2024 04:24:55 -0700 Subject: less show tab width as 4 space instead of 8 --- home/xyz/.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/xyz/.profile b/home/xyz/.profile index bc9db15f..c13c19dd 100644 --- a/home/xyz/.profile +++ b/home/xyz/.profile @@ -31,7 +31,7 @@ export PAGER=less # but other situation seems less use -F as default? # steal from sdcv arch wiki # CALCURSE_PAGER less can't use -F, else ? and > hotkey will only blink the text -export LESS=-FRXi +export LESS=-FRXix4 export MANPAGER='nvim +Man!' # This MANSECT prioritize POSIX manpages. After use it for a long time, I think it is not suitable for me any more. -- cgit v1.2.3-70-g09d2 From 82e40dac1d0d240fed415e881fb465c2cecd40f6 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 13 Apr 2024 23:32:55 -0700 Subject: lf change some keybindings to my like --- home/xyz/.config/lf/lfrc | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/home/xyz/.config/lf/lfrc b/home/xyz/.config/lf/lfrc index c78889d6..b0ca2284 100644 --- a/home/xyz/.config/lf/lfrc +++ b/home/xyz/.config/lf/lfrc 
@@ -1 +1,24 @@
+# maybe useful:
+# /usr/share/doc/lf/lfrc.example
+# `man lf`
+# - ENVIRONMENT VARIABLES section
+# - PREVIEWING FILES section
+# https://github.com/LukeSmithxyz/voidrice/tree/master/.config/lf
+
 set hidden
+
+# not using it because security concerns, see: https://wiki.archlinux.org/title/Lf#Sandboxing_previews
+# I moved previewer script to public_archive_codes
+# previewer use highlight which can show tab as 4 spaces
+#set previewer ~/.config/lf/previewer
+#map e $LESSOPEN='| ~/.config/lf/previewer %s' less -+F $f
+
+# change come default keybindings to my like
+# see `man lf` PREFIXES section, $ at the beginning indicate it is shell command?
+# also see "The following commands/keybindings are provided by default:" section
+# I use -F in LESS env, need -+F to reset to default so no quit if one screen
+map e $$PAGER -+F "$f"
+# or wait for key press use ! prefix
+#map e !$PAGER "$f"
+map v $$EDITOR "$f"
+map i invert
-- cgit v1.2.3-70-g09d2
From 20c5d43d15cf54a0e3f799ce88ddb13dff0c01d7 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Sat, 13 Apr 2024 23:36:05 -0700
Subject: tab show 4 spaces width
---
 home/xyz/.bashrc | 2 ++
 home/xyz/.profile | 1 +
 2 files changed, 3 insertions(+)
diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc
index 4d81b50f..ecbde6ca 100644
--- a/home/xyz/.bashrc
+++ b/home/xyz/.bashrc
@@ -13,6 +13,8 @@ esac
 . /usr/share/fzf/key-bindings.bash
 . /usr/share/bash-complete-alias/complete_alias
+tabs 4
+
 # default PS1
 #PS1='[\u@\h \W]\$ '
diff --git a/home/xyz/.profile b/home/xyz/.profile
index c13c19dd..14fc542b 100644
--- a/home/xyz/.profile
+++ b/home/xyz/.profile
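Review bot: The question in `# see man lf PREFIXES section, $ at the beginning indicate it is shell command?` can be answered instead of left open: in lf's PREFIXES, `$` runs the rest of the line through the shell, `!` does the same but waits for a key press afterwards, `%` runs it with its output on the status line, and `&` runs it asynchronously; a comment such as `# $ prefix = run via shell; ! = run via shell then wait for a key (man lf, PREFIXES)` states that. Since the `$` prefix hands the line to a shell, the quoting of `"$f"` in `map e $$PAGER -+F "$f"` and `map v $$EDITOR "$f"` is what stops file names with spaces or shell metacharacters from being re-split, so keep the quotes on every mapping of this shape and say so next to the first one. "change come default keybindings" reads as a typo for "some".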
@@ -31,6 +31,7 @@ export PAGER=less # but other situation seems less use -F as default? # steal from sdcv arch wiki # CALCURSE_PAGER less can't use -F, else ? and > hotkey will only blink the text +# -x4 to use 4 spaces instead of default 8. Even if I specify `tabs 4` in .bashrc, this is still needed for less. export LESS=-FRXix4 export MANPAGER='nvim +Man!' -- cgit v1.2.3-70-g09d2 From a6c0efa89fad7dcfb696cc16fb97e216311fb023 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 14 Apr 2024 01:06:40 -0700 Subject: nvim better fold title contrast --- home/xyz/.config/nvim/init.vim | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index 2be50697..844ca58a 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim @@ -11,8 +11,9 @@ call plug#begin() "Plug 'glacambre/firenvim', { 'do': { _ -> firenvim#install(0) } } " chriskempson/base16-vim doesn't do bold/italic for markdown syntax, and not maintained " tinted-theming/base16-vim and RRethy/nvim-base16 seem both work, both support tree-sitter -" I prefer tinted-theming/base16-vim in the past because of darker status bar color? -Plug 'tinted-theming/base16-vim' +" In the past, I prefer tinted-theming/base16-vim because of darker status bar color? +" Now, I prefer RRethy/nvim-base16 because of higher contrast on fold title, so much more readable +Plug 'RRethy/nvim-base16' " nvim-treesitter does not support markdown right now, so wait "Plug 'nvim-treesitter/nvim-treesitter', {'do': ':TSUpdate'} " We recommend updating the parsers on update " use latest vim-markdown -- cgit v1.2.3-70-g09d2 From 33d604d849c362d54076aaf79f18f662b9657549 Mon Sep 17 00:00:00 2001 
From: Xiao Pan Date: Sun, 14 Apr 2024 19:11:14 -0700 Subject: nvim customize old theme make fold title higher contrast I choose to go back to old colorscheme plugin I use and customize it to make fold title higher contrast and more readable. Becase other theme plugins have other issues, so I would rather stick to the old plugin, plus it can be customized easily. --- home/xyz/.config/nvim/init.vim | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index 844ca58a..9f6f9a7c 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim @@ -9,11 +9,11 @@ call plug#begin() "Plug 'junegunn/fzf.vim' "Plug 'vim-perl/vim-perl', { 'for': 'perl', 'do': 'make clean carp dancer highlight-all-pragmas moose test-more try-tiny' } "Plug 'glacambre/firenvim', { 'do': { _ -> firenvim#install(0) } } +" tinted-theming/base16-vim has low contrast on fold title make it unreadable, but I customized it easily " chriskempson/base16-vim doesn't do bold/italic for markdown syntax, and not maintained +" RRethy/nvim-base16 does not highlight markdown codeblocks " tinted-theming/base16-vim and RRethy/nvim-base16 seem both work, both support tree-sitter -" In the past, I prefer tinted-theming/base16-vim because of darker status bar color? -" Now, I prefer RRethy/nvim-base16 because of higher contrast on fold title, so much more readable -Plug 'RRethy/nvim-base16' +Plug 'tinted-theming/base16-vim' " nvim-treesitter does not support markdown right now, so wait "Plug 'nvim-treesitter/nvim-treesitter', {'do': ':TSUpdate'} " We recommend updating the parsers on update " use latest vim-markdown 
@@ -42,6 +42,15 @@ function Autocmd_set_fenc() endif endfunction +" https://github.com/tinted-theming/base16-vim?tab=readme-ov-file#customization +function! s:base16_customize() abort + " make fold title more contrast and readable, by reverting some changes from: + " https://github.com/tinted-theming/base16-vim/pull/43/files + " tested with base16-tomorrow-night theme + call Base16hi("FoldColumn", g:base16_gui0C, g:base16_gui01, g:base16_cterm0C, g:base16_cterm01, "", "") + call Base16hi("Folded", g:base16_gui03, g:base16_gui01, g:base16_cterm03, g:base16_cterm01, "", "") +endfunction + " not fully understood augroup, recommanded in :help " https://www.youtube.com/watch?v=dBBUOO1PRIU augroup mycmd @@ -74,9 +83,12 @@ augroup mycmd "" https://stackoverflow.com/q/158968/9008720 " or use setlocal cc= autocmd FileType mail,gitcommit setlocal colorcolumn=72 + " https://github.com/tinted-theming/base16-vim?tab=readme-ov-file#customization + autocmd ColorScheme * call s:base16_customize() augroup END " :h markdown, for vim default tpope/vim-markdown +" enable markdown fold will make opening large files slower, so I don't enable it "let g:markdown_folding = 1 " g:markdown_minlines before nvim 0.8, 500 works well; version 0.8 makes even 400 noticeable slow when keep pressing gk let g:markdown_minlines = 350 -- cgit v1.2.3-70-g09d2 From a766cffed614645e228e1c9bfddca8ff0d47ece0 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 14 Apr 2024 20:21:09 -0700 Subject: edit init.vim comments RRethy/nvim-base16 change name to base16-nvim. I tested markdown treesitter, better but still not good. --- home/xyz/.config/nvim/init.vim | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index 9f6f9a7c..8928d4da 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim 
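Review bot: `s:base16_customize()` reads `g:base16_gui0C` and friends and calls `Base16hi()` unguarded, while the second hunk registers it for `ColorScheme *`, so switching to any non-base16 colorscheme, or loading this file on a machine where the plugin is not installed, raises E121/E117 on every `:colorscheme`. Narrow the trigger to `autocmd ColorScheme base16-* call s:base16_customize()` or open the function with `if !exists('*Base16hi') | return | endif`. The `" tested with base16-tomorrow-night theme` line is useful; adding which palette slots the two calls change (`0C`/`03` foreground, `01` background for the fold column and fold text) would explain them without a trip to the linked PR.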
@@ -11,10 +11,12 @@ call plug#begin() "Plug 'glacambre/firenvim', { 'do': { _ -> firenvim#install(0) } } " tinted-theming/base16-vim has low contrast on fold title make it unreadable, but I customized it easily " chriskempson/base16-vim doesn't do bold/italic for markdown syntax, and not maintained -" RRethy/nvim-base16 does not highlight markdown codeblocks -" tinted-theming/base16-vim and RRethy/nvim-base16 seem both work, both support tree-sitter +" RRethy/base16-nvim does not highlight markdown codeblocks +" tinted-theming/base16-vim and RRethy/base16-nvim seem both work, both support tree-sitter Plug 'tinted-theming/base16-vim' -" nvim-treesitter does not support markdown right now, so wait +" nvim-treesitter seems support markdown highlight now, run `:TSEnable highlight`, more see vc notes +" but very slow when editing large markdown files so I sitll don't enable it, maybe related: +" https://github.com/nvim-treesitter/nvim-treesitter/issues/2206 "Plug 'nvim-treesitter/nvim-treesitter', {'do': ':TSUpdate'} " We recommend updating the parsers on update " use latest vim-markdown Plug 'tpope/vim-markdown' -- cgit v1.2.3-70-g09d2 From ec77aa3bdc0046ef59899011e9f13b4dc4556aea Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 18 Apr 2024 03:06:15 -0700 Subject: pacdiff --- etc/services | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/services b/etc/services index 500c6ac7..aa270681 100644 --- a/etc/services +++ b/etc/services @@ -5620,8 +5620,8 @@ jpegmpeg 3155/tcp jpegmpeg 3155/udp indura 3156/tcp indura 3156/udp -e3consultants 3157/tcp -e3consultants 3157/udp +lsa-comm 3157/tcp +lsa-comm 3157/udp stvp 3158/tcp stvp 3158/udp navegaweb-port 3159/tcp @@ -11153,6 +11153,7 @@ icl-twobase9 25008/tcp icl-twobase9 25008/udp icl-twobase10 25009/tcp icl-twobase10 25009/udp +db2c-tls 25100/tcp rna 25471/sctp sauterdongle 25576/tcp idtp 25604/tcp -- cgit v1.2.3-70-g09d2 From ffde248a8dc874ab4c9b8d595d21491bd3a68291 Mon Sep 17 00:00:00 2001 
From: Xiao Pan Date: Mon, 22 Apr 2024 08:30:23 +0000 Subject: Revert "according to manpage localtime.5: if no /etc/localtime, default UTC; thus no need" This reverts commit 9afc357eb6480d57b71762567690ebe46d01a3ec. Because crunchbits Arch Linux cloud init auto install default symlink to Europe/London timezone which is different from UTC. I want UTC. So I choose to always symlink timezone to prevent similar things from happening again. --- etc/localtime | 1 + 1 file changed, 1 insertion(+) create mode 120000 etc/localtime diff --git a/etc/localtime b/etc/localtime new file mode 120000 index 00000000..0e35b576 --- /dev/null +++ b/etc/localtime @@ -0,0 +1 @@ +/usr/share/zoneinfo/UTC \ No newline at end of file -- cgit v1.2.3-70-g09d2 From eb86ed5de01632299364566c5ea0563935533f1e Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 22 Apr 2024 08:37:48 +0000 Subject: meta --- etc/myconf/cfgl_meta | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index 37bceab0..9b63978b 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta @@ -14,6 +14,7 @@ 644 root root //etc/hostname 644 root root //etc/locale.conf 644 root root //etc/locale.gen +777 root root //etc/localtime 644 root root //etc/makepkg.conf 755 root root //etc/myconf 600 root root //etc/myconf/cfgl_meta -- cgit v1.2.3-70-g09d2 From 934b9a5bf8c0ed347a3462ec5abb67ef30098e42 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Wed, 1 May 2024 19:23:27 +0000 Subject: pacdiff --- etc/postfix/main.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index d4f29b68..5ca97507 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf @@ -744,5 +744,5 @@ sample_directory = /etc/postfix # readme_directory = /usr/share/doc/postfix inet_protocols = ipv4 -shlib_directory = /usr/lib/postfix meta_directory = /etc/postfix +shlib_directory = /usr/lib/postfix -- cgit v1.2.3-70-g09d2 
From 073862da8dc8f8fea7934f8f746c7419c2d4dd75 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 3 May 2024 04:45:30 +0000 Subject: neofetch is archived, and no need neofetch on these computers --- home/xyz/.config/myconf/pacman_Qqme | 1 - 1 file changed, 1 deletion(-) diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme index 6ff8423a..d219764c 100644 --- a/home/xyz/.config/myconf/pacman_Qqme +++ b/home/xyz/.config/myconf/pacman_Qqme @@ -6,7 +6,6 @@ dashbinsh grub-hook htop-vim librespeed-cli -neofetch-git neovim-plug paru-bin pipdeptree -- cgit v1.2.3-70-g09d2 From 06c9ffbc2a44b4e4fe9e0694a3e0d5057f281abf Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 5 May 2024 03:13:05 +0000 Subject: aur xxd-standalone deleted, switch to official tinyxxd pkg --- home/xyz/.config/myconf/pacman_Qqme | 1 - home/xyz/.config/myconf/pacman_Qqne | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme index d219764c..1ae6f3b5 100644 --- a/home/xyz/.config/myconf/pacman_Qqme +++ b/home/xyz/.config/myconf/pacman_Qqme @@ -10,4 +10,3 @@ neovim-plug paru-bin pipdeptree task-spooler -xxd-standalone diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index c299107f..79e9d4f8 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -5,6 +5,7 @@ btrfs-progs dash devtools dovecot +fastfetch fio fsh-git fzf @@ -45,6 +46,7 @@ speedtest-cli strace systemd-resolvconf tcpdump +tinyxxd traceroute tree unrar-free -- cgit v1.2.3-70-g09d2 From 4d0b5c7df14c94a2b22ce646fe86c1e79c961c40 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 4 May 2024 20:39:34 -0700 Subject: nvim config more universal, so all my computers can have the same config --- home/xyz/.config/nvim/init.vim | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) 
diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index 8928d4da..4fbfebae 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim @@ -8,7 +8,9 @@ call plug#begin() "Plug 'junegunn/fzf', { 'do': { -> fzf#install() } } "Plug 'junegunn/fzf.vim' "Plug 'vim-perl/vim-perl', { 'for': 'perl', 'do': 'make clean carp dancer highlight-all-pragmas moose test-more try-tiny' } -"Plug 'glacambre/firenvim', { 'do': { _ -> firenvim#install(0) } } +if has('nvim') && executable('firefox') + Plug 'glacambre/firenvim', { 'do': { _ -> firenvim#install(0) } } +endif " tinted-theming/base16-vim has low contrast on fold title make it unreadable, but I customized it easily " chriskempson/base16-vim doesn't do bold/italic for markdown syntax, and not maintained " RRethy/base16-nvim does not highlight markdown codeblocks @@ -21,9 +23,16 @@ Plug 'tinted-theming/base16-vim' " use latest vim-markdown Plug 'tpope/vim-markdown' " alternatives: h-hg/fcitx.nvim, rlue/vim-barbaric, lilydjwg/fcitx.vim -"Plug 'rlue/vim-barbaric' +if executable('fcitx5') + Plug 'rlue/vim-barbaric' +endif " alternatives: 'thinca/vim-ref' with 'eiiches/vim-ref-info', 'HiPhish/info.vim', 'alx741/vinfo' Plug 'https://gitlab.com/HiPhish/info.vim.git' +" :h hexmode +" other related doc: :h hex-editing, :h 23.3, :h edit-binary +if executable('xxd') + Plug 'fidian/hexmode' +endif call plug#end() " next line must put below `Plug 'glacambre/firenvim'`, else if click github issue textarea, then click elsewhere, then click textarea, textarea will not be selected (no cursor in it), not sure why 
@@ -96,6 +105,12 @@ augroup END let g:markdown_minlines = 350 "let g:markdown_fenced_languages = ['python', 'sh', 'vim', 'c', 'cpp'] +" :h hexmode, fidian/hexmode plugin +" imagemagick .gray file format +let g:hexmode_patterns = '*.gray' +map h :Hexmode +"let g:hexmode_xxd_options = '-c 32' + " netrw-p preview vertial split let g:netrw_preview = 1 let g:netrw_winsize = 20 -- cgit v1.2.3-70-g09d2 From 36bb58e998f118e37e3d08e61ea679e7d36634ff Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 4 May 2024 20:57:12 -0700 Subject: some programs do not like 4 tab spaces, e.g., fdu, wtr, also pacman warned about it --- home/xyz/.bashrc | 2 -- 1 file changed, 2 deletions(-) diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index ecbde6ca..4d81b50f 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc @@ -13,8 +13,6 @@ esac . /usr/share/fzf/key-bindings.bash . /usr/share/bash-complete-alias/complete_alias -tabs 4 - # default PS1 #PS1='[\u@\h \W]\$ ' -- cgit v1.2.3-70-g09d2 From a3ee6fce9072653be42410d218cd954bdfd7e8ec Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 5 May 2024 01:50:56 -0700 Subject: similar .bashrc for all computers, easier to cherry-pick with ccp --- home/xyz/.bashrc | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index 4d81b50f..f011eba6 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc @@ -61,6 +61,7 @@ alias gcd='git clone --depth=1' alias gr='grep --color=auto -i' alias grr='grep --color=auto -iIR' alias h=htop +alias i=nsxiv alias j=journalctl alias l='ls --color=auto -A --group-directories-first' alias ll='ls --color=auto -lAh --group-directories-first' 
@@ -75,8 +76,22 @@ alias qre='qrencode -t utf8i -m 1'
 alias r='rem -cu+2 -@'
 # https://askubuntu.com/a/22043
 alias s='sudo '
+alias sa='ssh-add -l || ssh-add'
+alias sca='ssh ca'
 alias se='sudo -E '
+alias sia='ssh ia'
+alias sp='ssh pp'
 alias spd='speedtest; librespeed-cli'
+alias sst='ssh studio'
+# \" to consider $HOME contain space, need \ else " will be expanded locally, need \$ else $HOME will expand locally
+# can test with: alias mytest='ssh studio for i in \"\$SSH_CONNECTION\"\; do echo \$i\; echo a\; done'
+alias sstm='ssh -t -- studio mpra -c \"\$HOME/programs/repos/fly/any/fsh-git\"'
+# from `man remind`: "Note that you can omit the reminder type, in which case it defaults to MSG"
+# can test this mess with `alias tt='echo "\$haha \"lala\""'`
+alias sun='printf "set \$Longitude \"-121.89\"\nset \$Latitude \"37.34\"\n[sunrise()] sunrise\n[sunset()] sunset" | remind -n -'
+# another way:
+# can test this mess with `alias tt="echo '\$haha \"lala\"'"`
+#alias sun="printf 'set \$Longitude \"-121.89\"\nset \$Latitude \"37.34\"\n[sunrise()] sunrise\n[sunset()] sunset' | remind -n -"
 alias sv=sudoedit
 alias y=systemctl
 alias yd='systemctl list-dependencies --all'
@@ -87,9 +102,18 @@ alias yu='systemctl --user'
 alias yue='systemctl --user list-unit-files --state=enabled'
 alias yus='systemctl --user status'
 alias v='"$EDITOR"'
+alias va='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/computer/arch_install.md"'
+alias vc='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/computer/cli_notes.md"'
 alias vd='vidir'
 alias vd2='vidir2 --linktargets'
+alias vq='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/others/questions_ideas_tips.md"'
+alias vn='"$EDITOR" "$(find "$XDG_DOCUMENTS_DIR/notes" -mindepth 1 -path "*/\.git" -prune -o -type f -print | fzf)"'
+alias vr='"$EDITOR" "$DOTREMINDERS"'
 alias vrc='"$EDITOR" +e\ \$MYVIMRC'
+alias vrm='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/others/recurring_maintenance.md"'
+alias vt='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/others/tmp_mobile_notes.md"'
+alias xmr='monero-wallet-cli --config-file="$HOME/.bitmonero/monero-wallet-cli.conf"'
+alias xmrds='monerod status; monerod print_net_stats'
 alias za='zoxide add'
 #alias zq='zoxide query'
 #alias zqi='zoxide query -i'
@@ -100,16 +124,19 @@ alias alsamixer='alsamixer -V all'
 # I can't find a quick and easy way to temperory disable cloc config file except to change config file. Using an alias can disable --vcs with just \cloc.
 alias cloc='cloc --vcs auto'
 alias diff='diff --color=auto'
+alias glmark2='glmark2 --fullscreen --annotate'
 alias grep='grep --color=auto'
 #alias info='info --vi-keys'
 alias ls='ls --color=auto'
+alias radeontop='radeontop -c'
 alias rem='rem -@'
 alias remind='remind -@'
 alias rm='rm -I'
 alias sdcv='sdcv --color'
 alias shellcheck='shellcheck -x'
-alias tree='tree -aC | "$PAGER"'
+alias tree='tree -aC -I .git | "$PAGER"'
 alias uname='uname -a'
+alias vkmark='vkmark --fullscreen'
 # depreciated
 # all green color, no auto turn off color when pipe to nvim
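Review bot: `alias vn=...` passes an empty argument to the editor when fzf is dismissed: Esc or Ctrl-C leave the `$(...)` substitution empty, so `"$EDITOR" ""` opens a nameless buffer instead of doing nothing. fzf exits non-zero in that case, which an alias cannot react to, but a small function with the same `vn` name can bail out when nothing was picked; the `complete -F _complete_alias` line at the end of the file is unaffected since `vn` takes no arguments. The `\.` in `-path "*/\.git"` is also unnecessary (`.` is literal in find's glob), so a single-quoted `'*/.git'` reads cleaner.
```shell
# replaces: alias vn='"$EDITOR" "$(find ... | fzf)"'
vn() {
    local f
    f=$(find "$XDG_DOCUMENTS_DIR/notes" -mindepth 1 -path '*/.git' -prune -o -type f -print | fzf) || return
    "$EDITOR" "$f"
}
```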
@@ -162,5 +189,7 @@ _completion_loader info
 eval "$(complete -p info | sed 's/\(.*\)info$/\1vinfo/')"
 _completion_loader git
 eval "$(complete -p git | sed 's/\(.*\)git$/\1cfg/')"
+_completion_loader pass
+eval "$(complete -p pass | sed 's/\(.*\)pass$/\1prp/')"
 # complete-alias readme
 complete -F _complete_alias "${!BASH_ALIASES[@]}"
-- cgit v1.2.3-70-g09d2
From c64fb8811ed717a0fd468ef38814abdc09630f34 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Sun, 5 May 2024 16:44:57 -0700
Subject: vrc consider studio use headles firefox for douyu afk
---
 home/xyz/.config/nvim/init.vim | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim
index 4fbfebae..6a2bc6f4 100644
--- a/home/xyz/.config/nvim/init.vim
+++ b/home/xyz/.config/nvim/init.vim
@@ -8,7 +8,8 @@ call plug#begin()
 "Plug 'junegunn/fzf', { 'do': { -> fzf#install() } }
 "Plug 'junegunn/fzf.vim'
 "Plug 'vim-perl/vim-perl', { 'for': 'perl', 'do': 'make clean carp dancer highlight-all-pragmas moose test-more try-tiny' }
-if has('nvim') && executable('firefox')
+" xyzstudio maybe used for headless firefox douyu afk
+if has('nvim') && executable('firefox') && ( hostname() != 'xyzstudio' )
  Plug 'glacambre/firenvim', { 'do': { _ -> firenvim#install(0) } }
 endif
 " tinted-theming/base16-vim has low contrast on fold title make it unreadable, but I customized it easily
-- cgit v1.2.3-70-g09d2
From 0928aad3f1ddb51d5b5f63c4d665d45b851efa95 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Wed, 8 May 2024 19:44:01 -0700
Subject: vrc statusline show if there is newline at EOF
---
 home/xyz/.config/nvim/init.vim | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim
index 6a2bc6f4..3f19b492 100644
--- a/home/xyz/.config/nvim/init.vim
+++ b/home/xyz/.config/nvim/init.vim
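Review bot: `_completion_loader pass` followed by `eval "$(complete -p pass | ...)"` would print `bash: complete: pass: no completion specification` on every interactive shell start on a host where pass or its completion file is absent, and the commit's goal of one .bashrc for all computers makes such hosts likely; the `info` and `git` pairs above have the same shape but those tools are presumably present everywhere. Guard the new pair on the binary, e.g. `command -v pass >/dev/null && { _completion_loader pass; eval "$(complete -p pass | sed 's/\(.*\)pass$/\1prp/')"; }`, so the `prp` alias completion is wired only where it can resolve.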
@@ -199,6 +199,10 @@ set statusline+=%<
 set statusline+=%f " %F or 1CTRL+G to show full path
 set statusline+=\ %m
 set statusline+=%=
+" https://stackoverflow.com/questions/5375240/a-more-useful-statusline-in-vim#comment84812779_10416234
+" :h eol-and-eof
+" show if there's newline at end of file
+set statusline+=%{&eol?'':'noeol'}
 set statusline+=\ %y
 "set statusline+=\ %{&fileencoding?&fileencoding:&encoding}
 " below line doesn't work as expected, not sure why
-- cgit v1.2.3-70-g09d2
From f7154e1fd14f01ff49e7823384edb17f8205e024 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 24 May 2024 19:25:12 -0700
Subject: nvim new release has my fix, so no need latest version of the plugin
https://github.com/tpope/vim-markdown/commit/f2b82b7884a3d8bde0c5de7793b27e07030eb2bc
---
 home/xyz/.config/nvim/init.vim | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim
index 3f19b492..64cdd4d9 100644
--- a/home/xyz/.config/nvim/init.vim
+++ b/home/xyz/.config/nvim/init.vim
@@ -22,7 +22,7 @@ Plug 'tinted-theming/base16-vim'
 " https://github.com/nvim-treesitter/nvim-treesitter/issues/2206
 "Plug 'nvim-treesitter/nvim-treesitter', {'do': ':TSUpdate'} " We recommend updating the parsers on update
 " use latest vim-markdown
-Plug 'tpope/vim-markdown'
+"Plug 'tpope/vim-markdown'
 " alternatives: h-hg/fcitx.nvim, rlue/vim-barbaric, lilydjwg/fcitx.vim
 if executable('fcitx5')
 Plug 'rlue/vim-barbaric'
-- cgit v1.2.3-70-g09d2
From ad770227cface87d122dd1c0291e9798f87dacb0 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Sat, 25 May 2024 16:18:30 -0700
Subject: nvim config to open readonly if file already been opened
---
 home/xyz/.config/nvim/init.vim | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim
index 64cdd4d9..fd368ebe 100644
--- a/home/xyz/.config/nvim/init.vim
+++ b/home/xyz/.config/nvim/init.vim
@@ -97,6 +97,15 @@ augroup mycmd autocmd FileType mail,gitcommit setlocal colorcolumn=72 " https://github.com/tinted-theming/base16-vim?tab=readme-ov-file#customization autocmd ColorScheme * call s:base16_customize() + " open file readonly if it already been open + " nvim seems change default from '' to 'e', but I prefer 'o' + " :h w325 e325 SwapExists swapchoice default-autocmds + " https://vi.stackexchange.com/questions/21784/vim-edit-anyway-without-prompting + " https://github.com/neovim/neovim/pull/25336 + " https://github.com/neovim/neovim/commit/29fe883aa9166bdbcae3f935523c75a8aa56fe45 + " remove nvim_swapfile autocmd is more correct, without also works but I think it change to 'e' then to 'o' which is not ideal, also it will echo "W325: ..." which is not what I want + autocmd! nvim_swapfile + autocmd SwapExists * let v:swapchoice = 'o' augroup END " :h markdown, for vim default tpope/vim-markdown -- cgit v1.2.3-70-g09d2 From 3ebba966f0b21a2686e5cc3fa803882e575a8827 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 26 May 2024 17:42:36 -0700 Subject: htop merge command name and command line https://unix.stackexchange.com/a/657002 --- home/xyz/.config/htop/htoprc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/xyz/.config/htop/htoprc b/home/xyz/.config/htop/htoprc index 444e8ad4..3b02ceda 100644 --- a/home/xyz/.config/htop/htoprc +++ b/home/xyz/.config/htop/htoprc @@ -18,7 +18,7 @@ highlight_changes=0 highlight_changes_delay_secs=5 find_comm_in_cmdline=1 strip_exe_from_cmdline=1 -show_merged_command=0 +show_merged_command=1 header_margin=1 screen_tabs=1 detailed_cpu_time=1 -- cgit v1.2.3-70-g09d2 From 6c63c6f13bca381f6f09145478c3b25e53357af7 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 27 May 2024 01:48:03 -0700 Subject: fix: make fzf ctrl-t work in symlink dir --- home/xyz/.profile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/home/xyz/.profile b/home/xyz/.profile index 14fc542b..02db6e72 100644 
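Review bot: `autocmd SwapExists * let v:swapchoice = 'o'` answers "open read-only" for every existing swap file, including a stale one left behind by a crashed session, so the recovery prompt that would let you get unsaved changes back is never shown. Choosing 'o' only when the owning process is still alive keeps the intended behaviour for files genuinely open elsewhere; on Linux that can be `autocmd SwapExists * let v:swapchoice = isdirectory('/proc/' . get(swapinfo(v:swapname), 'pid', 0)) ? 'o' : ''`, where the empty value falls back to the normal prompt (confirm `swapinfo()` is available in your nvim). Whichever variant stays, the assumption "a swap file means another live editor" deserves one line in the comment block above the autocmd. The enclosing `augroup mycmd` starts before this hunk.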
--- a/home/xyz/.profile
+++ b/home/xyz/.profile
@@ -52,7 +52,10 @@ export MAKEFLAGS="-j$(nproc --all)"
 export FZF_DEFAULT_COMMAND="find . -mindepth 1 -path '*/\.git' -prune -o -print"
 # https://askubuntu.com/questions/444551/get-absolute-path-of-files-using-find-command
 # following two lines if use "" on the outermost, will not perfom expected, not sure why
-export FZF_CTRL_T_COMMAND='find "$PWD" -mindepth 1 -path "*/\.git" -prune -o -print'
+# use "$(pwd -P)" instead of "$PWD", else it will not work in symlink dir
+# -P to make it show realpath, another way is: "$(realpath .)", but I prefer pwd because it is shell builtin which maybe faster
+# or I can use find -L or -H (not sure about differences between the two), but I prefer realpath instead of symlink
+export FZF_CTRL_T_COMMAND='find "$(pwd -P)" -mindepth 1 -path "*/\.git" -prune -o -print'
 #export FZF_CTRL_T_COMMAND='sudo find "$(pwd)" -path "*/\.git" -prune -o -print'
 # ~+ is bashism
 #export FZF_CTRL_T_COMMAND="sudo find ~+ -path '*/\.git' -prune -o -print"
-- cgit v1.2.3-70-g09d2
From a15d7097e161a914810e4d8f0ce48578a8224751 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 20 Jun 2024 05:11:48 +0000
Subject: add testdisk, just in case partition got broken and need fix
---
 home/xyz/.config/myconf/pacman_Qqne | 1 +
 1 file changed, 1 insertion(+)
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 79e9d4f8..21020ae5 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -46,6 +46,7 @@ speedtest-cli
 strace
 systemd-resolvconf
 tcpdump
+testdisk
 tinyxxd
 traceroute
 tree
-- cgit v1.2.3-70-g09d2
From 9c956cfe1ee447fc0968d88516e7c859a601b25a Mon Sep 17 00:00:00 2001
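Review bot: The new comment leaves the `find -L`/`-H` difference open, and it is worth pinning down so the choice is recorded: `-H` dereferences symbolic links only for the starting points given on the command line, while `-L` follows every symlink met during the walk (and can descend into link loops, which find then reports). `pwd -P` sidesteps both by handing find a real path, and the `-prune` of `.git` keeps working on the real tree. Suggested replacement for the third added comment line: `# find -H: follow symlinks only in the starting path; find -L: follow all symlinks while walking (can loop); I prefer realpath via pwd -P`.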
From: Xiao Pan Date: Fri, 28 Jun 2024 00:57:17 +0000 Subject: feat: wg and swgp config, mainly for aa --- etc/nftables.conf | 25 +++++++++++++++++++++- etc/services | 2 ++ etc/sysctl.d/99-sysctl.conf | 7 ++++++ etc/systemd/network/10-cloud-init-eth0.network | 7 ++++++ .../multi-user.target.wants/wg-quick@wg0.service | 1 + home/xyz/.config/myconf/pacman_Qqme | 3 ++- home/xyz/.config/myconf/pacman_Qqne | 2 +- home/xyz/.config/myconf/sye | 3 ++- 8 files changed, 46 insertions(+), 4 deletions(-) create mode 100644 etc/sysctl.d/99-sysctl.conf create mode 120000 etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service diff --git a/etc/nftables.conf b/etc/nftables.conf index 22e38dfe..b824edee 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf @@ -8,6 +8,8 @@ # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf` flush ruleset +define pub_iface = "eth0" +define wg_iface = "wg0" table inet my_table { chain my_input { @@ -17,6 +19,7 @@ table inet my_table { ct state invalid drop comment "early drop of invalid connections" ct state {established, related} accept comment "allow tracked connections" iifname lo accept comment "allow from loopback" + iifname $wg_iface accept comment "allow from wireguard" ip protocol icmp accept meta l4proto ipv6-icmp accept @@ -25,7 +28,8 @@ table inet my_table { #tcp dport qbt accept #udp dport qbt accept #tcp dport iperf3 accept - #udp dport wireguard accept + udp dport wireguard accept + udp dport swgp accept # for acme.sh standalone mode builtin webserver to renew ssl cert tcp dport http accept # email related ports @@ -45,6 +49,12 @@ table inet my_table { type filter hook forward priority filter policy drop # Drop everything forwarded to us. We do not forward. That is routers job. + + # needed for wireguard? + #iifname $wg_iface oifname $pub_iface accept + #iifname $pub_iface oifname $wg_iface accept + iifname $wg_iface accept + oifname $wg_iface accept } chain my_output { 
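Review bot: In the forward chain, `oifname $wg_iface accept` forwards any packet towards wg0 regardless of its input interface, so with `ip_forward=1` anything that reaches `$pub_iface` addressed to the tunnel's range is routed to the peers rather than only replies to connections they opened; the `policy drop` and the "We do not forward" comment above it no longer describe the chain. If peers only need to reach the Internet through this host, the pair can be tightened to `iifname $wg_iface oifname $pub_iface accept` and `iifname $pub_iface oifname $wg_iface ct state established,related accept` — the two commented-out lines plus a conntrack match — with the comment updated to say the host forwards for wg0 only. Whether peers must also reach each other through the host is not visible here; `iifname $wg_iface oifname $wg_iface accept` covers that case if so. The input chain's new `iifname $wg_iface accept` in the earlier hunk likewise exposes every local service to any peer, which is normal for a personal VPN but worth stating in its comment.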
@@ -53,3 +63,16 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
diff --git a/etc/services b/etc/services
index aa270681..91a89df2 100644
--- a/etc/services
+++ b/etc/services
@@ -11510,5 +11510,7 @@ inspider 49150/tcp
 # my services
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
+wireguard 49432/udp
 ssh-isp 49812/tcp
 iperf3 53497/tcp
+swgp 54635/udp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 00000000..b9677c02
--- /dev/null
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,7 @@
+# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
+# ka seems has this as default, maybe arch linux cloud-init image has this as default?
+# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
+# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
+# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
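Review bot: `oifname $pub_iface masquerade` is not restricted to forwarded tunnel traffic: new connections the host itself originates from a non-primary address on eth0 (the network hunk later in this commit adds a second IPv6 address there) also pass this postrouting rule and can have their source rewritten to the interface's primary address, which surprises services that deliberately bind a specific address. Matching the tunnel's source range, `ip saddr <wg-subnet> oifname $pub_iface masquerade` with the subnet taken from the wg0 config (not on this page), or `iifname $wg_iface oifname $pub_iface masquerade`, leaves the host's own traffic untouched. The comment's open question can be closed too: a `table inet` rule applies to both IPv4 and IPv6, and for the IPv6 side it relies on the `net.ipv6.conf.all.forwarding` setting added in the new sysctl file.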
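Review bot: `net.ipv6.conf.all.forwarding = 1` has a side effect beyond forwarding: a Linux interface with IPv6 forwarding enabled stops honouring Router Advertisements unless its `accept_ra` is set to 2, so an interface that depended on SLAAC/RA for its default route would lose it. The eth0 network file in this commit configures addresses and gateway statically, so this most likely does not bite here, but the dependency deserves a line next to the setting, e.g. `# forwarding=1 disables accept_ra (would need accept_ra=2); eth0 is static, so fine`. The "?" on the first comment line can be resolved as well: the kernel default for both sysctls is 0 and masquerade only ever rewrites packets the host forwards, so a cloud image that already had it on (the "ka" observation) presumably ships its own drop-in.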
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network index 1bc579b9..7829f528 100644 --- a/etc/systemd/network/10-cloud-init-eth0.network +++ b/etc/systemd/network/10-cloud-init-eth0.network @@ -14,7 +14,14 @@ Address=38.175.201.185/22 Address=2606:a8c0:3::75f/128 [Address] +# another ipv6 address for aa wireguard+swgp into +# not sure if it is corret, but it works +Address=2606:a8c0:3:773::b/64 + +[Address] +# the last address seems is the default? # ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address +# 2024-06-27, ...:1/64 seems doe not work any more, not sure why Address=2606:a8c0:3:773::a/64 # use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380 #Address=2606:a8c0:3:773::a/48 diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service new file mode 120000 index 00000000..0a92cb9a --- /dev/null +++ b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service @@ -0,0 +1 @@ +/usr/lib/systemd/system/wg-quick@.service \ No newline at end of file diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme index 1ae6f3b5..1ae88691 100644 --- a/home/xyz/.config/myconf/pacman_Qqme +++ b/home/xyz/.config/myconf/pacman_Qqme @@ -5,8 +5,9 @@ bash-complete-alias dashbinsh grub-hook htop-vim -librespeed-cli +librespeed-cli-bin neovim-plug paru-bin pipdeptree +swgp-go task-spooler diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index 21020ae5..c1e1c8bd 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -54,7 +54,7 @@ unrar-free unzip vidir2-git wget +wireguard-tools xdg-user-dirs -xfsprogs zip zoxide 
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye index 8d845498..a47a970f 100644 --- a/home/xyz/.config/myconf/sye +++ b/home/xyz/.config/myconf/sye @@ -6,6 +6,7 @@ opendkim.service enabled disabled opendmarc.service enabled disabled postfix.service enabled disabled sshd.service enabled disabled +swgp-go.service enabled disabled systemd-network-generator.service enabled enabled systemd-networkd-wait-online.service enabled enabled systemd-networkd.service enabled enabled @@ -19,4 +20,4 @@ acme.sh.timer enabled disabled paccache.timer enabled disabled pacman-filesdb-refresh.timer enabled disabled -19 unit files listed. +20 unit files listed. -- cgit v1.2.3-70-g09d2 From 56d9be13ecef3db44a02e8dba77158fbb9df2a8b Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 28 Jun 2024 00:57:34 +0000 Subject: meta --- etc/myconf/cfgl_meta | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index 9b63978b..a72bbfb7 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta @@ -35,12 +35,16 @@ 644 root root //etc/ssh/ssh_config.d/my_ssh_config.conf 644 root root //etc/ssh/sshd_config 440 root root //etc/sudoers +755 root root //etc/sysctl.d +644 root root //etc/sysctl.d/99-sysctl.conf 755 root root //etc/systemd 755 root root //etc/systemd/network 644 systemd-network systemd-network //etc/systemd/network/10-cloud-init-eth0.network 755 root root //etc/systemd/system 755 root root //etc/systemd/system/acme.sh.service.d 644 root root //etc/systemd/system/acme.sh.service.d/override.conf +755 root root //etc/systemd/system/multi-user.target.wants +777 root root //etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service 755 root root //etc/systemd/system/opendmarc.service.d 644 root root //etc/systemd/system/opendmarc.service.d/override.conf 755 root root //etc/systemd/system/paccache.service.d -- cgit v1.2.3-70-g09d2 From ca57a66869de7a796b21d232073e542c54e66f02 Mon Sep 17 00:00:00 2001 
From: Xiao Pan Date: Mon, 24 Jun 2024 19:37:58 -0700 Subject: typo: use deprecated instead of depreciated https://tenthousandfailures.com/blog/2014/3/22/software-deprecate-versus-depreciate --- home/xyz/.bashrc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index f011eba6..dab44c72 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc @@ -16,7 +16,7 @@ esac # default PS1 #PS1='[\u@\h \W]\$ ' -# depreciated +# deprecated # 0: not bold, 91: bright red # \e[m act like \e[0m, means reset so commands after it will not be colored # https://en.wikipedia.org/wiki/ANSI_escape_code#3-bit_and_4-bit @@ -138,7 +138,7 @@ alias tree='tree -aC -I .git | "$PAGER"' alias uname='uname -a' alias vkmark='vkmark --fullscreen' -# depreciated +# deprecated # all green color, no auto turn off color when pipe to nvim #alias pactree='pactree -c' -- cgit v1.2.3-70-g09d2 From f8a0d7531f5ecf6dff035d4cf22ac81c780b3279 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 27 Jun 2024 01:30:48 -0700 Subject: no dyafk now, studio no firefox --- home/xyz/.config/nvim/init.vim | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index fd368ebe..54293df0 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim @@ -8,8 +8,7 @@ call plug#begin() "Plug 'junegunn/fzf', { 'do': { -> fzf#install() } } "Plug 'junegunn/fzf.vim' "Plug 'vim-perl/vim-perl', { 'for': 'perl', 'do': 'make clean carp dancer highlight-all-pragmas moose test-more try-tiny' } -" xyzstudio maybe used for headless firefox douyu afk -if has('nvim') && executable('firefox') && ( hostname() != 'xyzstudio' ) +if has('nvim') && executable('firefox') Plug 'glacambre/firenvim', { 'do': { _ -> firenvim#install(0) } } endif " tinted-theming/base16-vim has low contrast on fold title make it unreadable, but I customized it easily -- cgit v1.2.3-70-g09d2 
From a04be2e775ec001f889cc75ad46dbd69136f09c2 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 1 Jul 2024 16:39:31 -0700 Subject: comment --- home/xyz/.bashrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index dab44c72..30d6c80c 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc @@ -28,7 +28,7 @@ esac # tput is better for different terminals? # but also need \[ and \] around color code for PS1! but seems no need for printf in script? why? -# setaf and sgr0 see `man terminfo` +# setaf and sgr0 see `man terminfo`, also it seems can have 256 different colors PS1="\[$(tput setaf 6)\][\u@\h \W]\$ \[$(tput sgr0)\]" # https://github.com/LukeSmithxyz/voidrice/blob/master/.config/shell/aliasrc -- cgit v1.2.3-70-g09d2 From ed878d4809ec65acc0d2713f79b76ce39341bbac Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 28 Jun 2024 18:42:35 -0700 Subject: update --- home/xyz/.bashrc | 1 + 1 file changed, 1 insertion(+) diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index 30d6c80c..ccd668ed 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc @@ -108,6 +108,7 @@ alias vd='vidir' alias vd2='vidir2 --linktargets' alias vq='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/others/questions_ideas_tips.md"' alias vn='"$EDITOR" "$(find "$XDG_DOCUMENTS_DIR/notes" -mindepth 1 -path "*/\.git" -prune -o -type f -print | fzf)"' +alias vni='"$EDITOR" -ni NONE' alias vr='"$EDITOR" "$DOTREMINDERS"' alias vrc='"$EDITOR" +e\ \$MYVIMRC' alias vrm='"$EDITOR" "$XDG_DOCUMENTS_DIR/notes/others/recurring_maintenance.md"' -- cgit v1.2.3-70-g09d2 From f936a34634e18610914390d02ea700980c57deb1 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 29 Jun 2024 15:17:21 -0700 Subject: feat: vrc enable markdown folding hotkey --- home/xyz/.config/nvim/init.vim | 2 ++ 1 file changed, 2 insertions(+) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index 54293df0..2f2a1ae6 100644 --- a/home/xyz/.config/nvim/init.vim 
+++ b/home/xyz/.config/nvim/init.vim @@ -201,6 +201,8 @@ nnoremap O O " for searching command in manpages map - /^ *- map * /\*\*.*\*\* +" enable markdown folding and re-edit current file +map m :let g:markdown_folding=1:e " default statusline:set statusline=%<%f\ %h%m%r%=%-14.(%l,%c%V%)\ %P set statusline+=%< -- cgit v1.2.3-70-g09d2 From 0ba24ac20dfc7f2108984b198b33b95091eaad21 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 29 Jun 2024 15:23:03 -0700 Subject: maybe more correct --- home/xyz/.config/nvim/init.vim | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index 2f2a1ae6..de15f822 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim @@ -41,7 +41,7 @@ let g:firenvim_config = { 'localSettings': { '.*': { 'takeover': 'never' } } } let g:infoprg = '/usr/bin/info' " I use only one return for better readability -function Autocmd_set_fenc() +function! Autocmd_set_fenc() abort " need to test &modifiable for gO if &modifiable && (&fileencoding != "utf-8") let l:fenc_bef = &fileencoding -- cgit v1.2.3-70-g09d2 From f6d88d1230d6b436c95b9d00006fa2b116819f59 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 29 Jun 2024 16:05:52 -0700 Subject: feat: vrc toggle markdown fold --- home/xyz/.config/nvim/init.vim | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index de15f822..f40714d3 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim 
@@ -62,6 +62,20 @@ function! s:base16_customize() abort call Base16hi("Folded", g:base16_gui03, g:base16_gui01, g:base16_cterm03, g:base16_cterm01, "", "") endfunction +function! Md_toggle_fold() abort + " &markdown_folding won't work because markdown_folding is not an option + " two ways to check if g:markdown_folding variable exists and is true: + " more see https://stackoverflow.com/q/15864164/9008720 + "if exists('g:markdown_folding') && g:markdown_folding + if get(g:, 'markdown_folding') + let g:markdown_folding=0 + e + else + let g:markdown_folding=1 + e + endif +endfunction + " not fully understood augroup, recommanded in :help " https://www.youtube.com/watch?v=dBBUOO1PRIU augroup mycmd @@ -201,8 +215,8 @@ nnoremap O O " for searching command in manpages map - /^ *- map * /\*\*.*\*\* -" enable markdown folding and re-edit current file -map m :let g:markdown_folding=1:e +" toggle markdown folding and re-edit current file +map m :call Md_toggle_fold() " default statusline:set statusline=%<%f\ %h%m%r%=%-14.(%l,%c%V%)\ %P set statusline+=%< -- cgit v1.2.3-70-g09d2 From 691b1145250ea555a3dd5982796f3e3d493e8a82 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Wed, 3 Jul 2024 21:35:44 +0000 Subject: update --- home/xyz/.config/myconf/pacman_Qqne | 1 + 1 file changed, 1 insertion(+) diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index c1e1c8bd..48914a1a 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -14,6 +14,7 @@ grub ioping iotop-c iperf3 +ldns lf linux lostfiles -- cgit v1.2.3-70-g09d2 From db676b7ba8944b3dae2208f91e967d1555d7e401 Mon Sep 17 00:00:00 2001 
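Review bot: `Md_toggle_fold()` flips `g:markdown_folding` before running `e`, and because the function is `abort`, an `:e` that fails (for example E37 when the buffer has unsaved changes) leaves the variable toggled while the buffer is not reloaded, so the next press acts on the opposite state. Checking first, `if &modified | echoerr 'save before toggling markdown folding' | return | endif`, or assigning the new value only after `e` succeeds, keeps flag and buffer in step. In the second hunk the mapping uses `map`, which is recursive and also applies in visual and operator-pending mode; angle-bracket key names were stripped in this rendering so the exact left-hand side is not visible, but `nnoremap` is the usual form for a command shortcut and avoids shadowing a built-in normal-mode key such as `m` if that is what the key really is.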
From: Xiao Pan Date: Fri, 5 Jul 2024 22:19:39 +0000 Subject: fix: postfix smtpd_use_tls will be deprecated, so remvoe postfix log warning "/etc/postfix/main.cf: support for parameter "smtpd_use_tls" will be removed; instead, specify "smtpd_tls_security_level"". I am already using smtpd_tls_security_level, so I just removed smtpd_use_tls. Also see https://github.com/LukeSmithxyz/emailwiz/issues/112 `man 5 postconf` has documentation about smtpd_tls_security_level --- etc/postfix/main.cf | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index 5ca97507..556ca8b9 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf @@ -18,7 +18,6 @@ mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain smtp_tls_security_level = may smtpd_tls_security_level = may -smtpd_use_tls = yes smtpd_tls_cert_file = /etc/postfix/flylightning.pem smtpd_tls_key_file = /etc/postfix/flylightning.key -- cgit v1.2.3-70-g09d2 From 07df571fe12fd015a5a2a3388d3e736e650fb8b9 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 6 Jul 2024 22:10:45 +0000 Subject: rsync as asdeps because if asexplict I need to add too many pkgs --- home/xyz/.config/myconf/pacman_Qqne | 1 - 1 file changed, 1 deletion(-) diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne index 48914a1a..961590a5 100644 --- a/home/xyz/.config/myconf/pacman_Qqne +++ b/home/xyz/.config/myconf/pacman_Qqne @@ -40,7 +40,6 @@ postfix python-pip rebuild-detector reflector -rsync shellcheck socat speedtest-cli -- cgit v1.2.3-70-g09d2 From 5cbfb7729af3f2ca03385257275a10c38d11ddac Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Wed, 3 Jul 2024 00:26:46 -0700 Subject: vrc comment --- home/xyz/.config/nvim/init.vim | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index f40714d3..18f5dadc 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim 
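Review bot: Removing `smtpd_use_tls` is correct, but the replacement lives on the context line above it and deserves a comment so the next reader does not "fix" it: `smtpd_tls_security_level = may` keeps inbound TLS opportunistic, which is what an MX must offer on port 25, since `encrypt` there would refuse mail from senders that do not do STARTTLS. If a submission service is offered, its stricter `-o smtpd_tls_security_level=encrypt` override belongs in master.cf, which this page does not show, so that is an assumption to confirm. A one-line comment next to the setting, `# may = opportunistic STARTTLS on port 25; submission (587) enforces encrypt via master.cf override`, records the split.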
@@ -92,7 +92,8 @@ augroup mycmd " https://stackoverflow.com/q/28310094 multi filetypes " for alerting me plain text email characters per line " neomutt auto set new email filetype as mail so this will work - " https://stackoverflow.com/q/2290016 suggest gitcommit main body shouldbe about 72 + " /usr/share/nvim/runtime/ftplugin/mail.vim default textwidth 72 + " https://stackoverflow.com/q/2290016 suggest gitcommit main body should be about 72 " https://useplaintext.email/ suggest 72 " https://mailformat.dan.info/body/linelength.html suggested 65 "" https://superuser.com/q/827647/1282809 -- cgit v1.2.3-70-g09d2 From 61b8c165b12e773739278fcdb7b1235a8d189992 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 19 Jul 2024 01:55:01 +0000 Subject: dovecot auto delete old emails in Junk and Trash mailbox --- etc/dovecot/conf.d/15-mailboxes.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf index 95f99394..409c791c 100644 --- a/etc/dovecot/conf.d/15-mailboxes.conf +++ b/etc/dovecot/conf.d/15-mailboxes.conf @@ -54,10 +54,14 @@ namespace inbox { mailbox Junk { special_use = \Junk auto = subscribe + # https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge + # https://github.com/LukeSmithxyz/emailwiz/blob/558c4de108a472eca70abca20888de2981ff17ca/emailwiz.sh#L259 + autoexpunge = 40d } mailbox Trash { special_use = \Trash auto = subscribe + autoexpunge = 40d } # For \Sent mailboxes there are two widely used names. We'll mark both of -- cgit v1.2.3-70-g09d2 From 6bac2ca29b53cd34b90db952dae084b5a10b7117 Mon Sep 17 00:00:00 2001 
From: Xiao Pan Date: Fri, 19 Jul 2024 02:01:28 +0000 Subject: dovecot change auto delete configs dovecot no auto delete Junk, read junk first to determine if it is spam. Trash only auto delete after 10 days, because consider in the future I may only do backup weekly, 10 days can make sure it is backuped. --- etc/dovecot/conf.d/15-mailboxes.conf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf index 409c791c..39e44737 100644 --- a/etc/dovecot/conf.d/15-mailboxes.conf +++ b/etc/dovecot/conf.d/15-mailboxes.conf @@ -54,14 +54,13 @@ namespace inbox { mailbox Junk { special_use = \Junk auto = subscribe - # https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge - # https://github.com/LukeSmithxyz/emailwiz/blob/558c4de108a472eca70abca20888de2981ff17ca/emailwiz.sh#L259 - autoexpunge = 40d } mailbox Trash { special_use = \Trash auto = subscribe - autoexpunge = 40d + # https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge + # https://github.com/LukeSmithxyz/emailwiz/blob/558c4de108a472eca70abca20888de2981ff17ca/emailwiz.sh#L259 + autoexpunge = 10d } # For \Sent mailboxes there are two widely used names. We'll mark both of -- cgit v1.2.3-70-g09d2 From 0b8ee2af84085c13f817e4c630c8000a89b45e2c Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 19 Jul 2024 02:05:29 +0000 Subject: update --- etc/dovecot/conf.d/15-mailboxes.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf index 39e44737..a4f8ca0c 100644 --- a/etc/dovecot/conf.d/15-mailboxes.conf +++ b/etc/dovecot/conf.d/15-mailboxes.conf 
@@ -60,6 +60,7 @@ namespace inbox { auto = subscribe # https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge # https://github.com/LukeSmithxyz/emailwiz/blob/558c4de108a472eca70abca20888de2981ff17ca/emailwiz.sh#L259 + # https://doc.dovecot.org/settings/types/#time autoexpunge = 10d } -- cgit v1.2.3-70-g09d2 From e2818cfe0149940034e583bc6982e7ce7039c071 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 19 Jul 2024 02:09:19 +0000 Subject: dovecot longer time auto delete trash, because my config only duplicity will backup it so maybe keep it longer --- etc/dovecot/conf.d/15-mailboxes.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/dovecot/conf.d/15-mailboxes.conf b/etc/dovecot/conf.d/15-mailboxes.conf index a4f8ca0c..5b2eebae 100644 --- a/etc/dovecot/conf.d/15-mailboxes.conf +++ b/etc/dovecot/conf.d/15-mailboxes.conf @@ -61,7 +61,7 @@ namespace inbox { # https://doc.dovecot.org/configuration_manual/namespace/#core_setting-namespace/mailbox/autoexpunge # https://github.com/LukeSmithxyz/emailwiz/blob/558c4de108a472eca70abca20888de2981ff17ca/emailwiz.sh#L259 # https://doc.dovecot.org/settings/types/#time - autoexpunge = 10d + autoexpunge = 30d } # For \Sent mailboxes there are two widely used names. We'll mark both of -- cgit v1.2.3-70-g09d2 From 276b268bd01e04a56cb9bd5f1a6b67c493a936d2 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 14 Jul 2024 22:22:33 -0700 Subject: git config use new email --- home/xyz/.config/git/config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/xyz/.config/git/config b/home/xyz/.config/git/config index 16b26035..27649804 100644 --- a/home/xyz/.config/git/config +++ b/home/xyz/.config/git/config @@ -1,5 +1,5 @@ [user] - email = gky44px1999@gmail.com + email = xyz@flylightning.xyz name = Xiao Pan [url "https://github.com/"] insteadOf = git://github.com/ -- cgit v1.2.3-70-g09d2 From b12e53afd9999113cbe169cc2cfe39237659051d Mon Sep 17 00:00:00 2001 
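Review bot: The `autoexpunge = 30d` value is now documented, but the mechanism it relies on is not, and it matters for the backup reasoning in the commit messages: Dovecot performs autoexpunge from the user's own mail session rather than from a background job, so a Trash mailbox that is never opened is not cleaned on schedule, and the window is measured from each message's save timestamp in Trash (per the linked settings docs — confirm against the autoexpunge page). The duplicity rationale belongs in the file too, e.g. `# 30d: long enough for weekly duplicity backups to capture trashed mail before it is expunged`.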
From: Xiao Pan Date: Mon, 22 Jul 2024 18:19:51 -0700 Subject: /etc/sudoers pacnew --- etc/sudoers | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/etc/sudoers b/etc/sudoers index cfd22989..2569d3a2 100644 --- a/etc/sudoers +++ b/etc/sudoers @@ -27,11 +27,29 @@ ## Groups of commands. Often used to group related commands together. # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ # /usr/bin/pkill, /usr/bin/top +# # Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff +# +# Cmnd_Alias DEBUGGERS = /usr/bin/gdb, /usr/bin/lldb, /usr/bin/strace, \ +# /usr/bin/truss, /usr/bin/bpftrace, \ +# /usr/bin/dtrace, /usr/bin/dtruss +# +# Cmnd_Alias PKGMAN = /usr/bin/apt, /usr/bin/dpkg, /usr/bin/rpm, \ +# /usr/bin/yum, /usr/bin/dnf, /usr/bin/zypper, \ +# /usr/bin/pacman ## ## Defaults specification ## +## Preserve editor environment variables for visudo. +## To preserve these for all commands, remove the "!visudo" qualifier. +Defaults!/usr/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL" +## +## Use a hard-coded PATH instead of the user's to find commands. +## This also helps prevent poorly written scripts from running +## artbitrary commands under sudo. +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" +## ## You may wish to keep some of the following environment variables ## when running commands via sudo. ## @@ -56,9 +74,6 @@ ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## -## Uncomment to use a hard-coded PATH instead of the user's to find commands -# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" -## ## Uncomment to restore the historic behavior where a command is run in ## the user's own terminal. # Defaults !use_pty 
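Review bot: `Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"` is now active rather than a commented-out suggestion (the second hunk removes the old comment), so commands run through sudo are no longer resolved through the caller's PATH; in particular the directories that `.profile` prepends from `$HOME/.local/bin` (visible in a later commit on this page) are no longer searched, and those scripts need a full path under sudo. That is the intended hardening, so it deserves a local comment, e.g. `## .local/bin scripts must be invoked by full path under sudo (secure_path ignores the user PATH)`. The visudo-scoped `Defaults!/usr/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL"` is correctly limited to that one command; the upstream comment inviting removal of the `!visudo` qualifier should stay unfollowed, since a caller-controlled EDITOR would then be honoured for every sudo invocation.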
@@ -75,6 +90,16 @@ # Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output # Defaults maxseq = 1000 +## +## Uncomment to disable intercept and log_subcmds for debuggers and +## tracers. Otherwise, anything that uses ptrace(2) will be unable +## to run under sudo if intercept_type is set to "trace". +# Defaults!DEBUGGERS !intercept, !log_subcmds +## +## Uncomment to disable intercept and log_subcmds for package managers. +## Some package scripts run a huge number of commands, which is made +## slower by these options and also can clutter up the logs. +# Defaults!PKGMAN !intercept, !log_subcmds ## ## Runas alias specification -- cgit v1.2.3-70-g09d2 From 392dab4b690e21cc9e15165171e36ec79d1da73b Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 23 Jul 2024 21:45:51 -0700 Subject: locale.gen pacnew --- etc/locale.gen | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/locale.gen b/etc/locale.gen index 713e52ac..7a3e3ee1 100644 --- a/etc/locale.gen +++ b/etc/locale.gen @@ -325,12 +325,14 @@ en_US ISO-8859-1 #lo_LA UTF-8 #lt_LT.UTF-8 UTF-8 #lt_LT ISO-8859-13 +#ltg_LV.UTF-8 UTF-8 #lv_LV.UTF-8 UTF-8 #lv_LV ISO-8859-13 #lzh_TW UTF-8 #mag_IN UTF-8 #mai_IN UTF-8 #mai_NP UTF-8 +#mdf_RU UTF-8 #mfe_MU UTF-8 #mg_MG.UTF-8 UTF-8 #mg_MG ISO-8859-15 @@ -406,6 +408,7 @@ en_US ISO-8859-1 #sah_RU UTF-8 #sat_IN UTF-8 #sc_IT UTF-8 +#scn_IT UTF-8 #sd_IN UTF-8 #sd_IN@devanagari UTF-8 #se_NO UTF-8 -- cgit v1.2.3-70-g09d2 From 5fe1225deaf17c804230bc4ff2692c83969ab141 Mon Sep 17 00:00:00 2001 
From: Xiao Pan Date: Wed, 31 Jul 2024 02:39:04 -0700 Subject: git configure format-patch always signoff This config add Signed-off-by in commit msg. Related urls: https://mikegerwitz.com/2012/05/a-git-horror-story-repository-integrity-with-signed-commits https://stackoverflow.com/questions/46314273/keeping-gpg-signature-in-git-patches-with-format-patch https://handbook.gnome.org/development/commit-messages.html https://docs.kernel.org/process/5.Posting.html https://docs.kernel.org/translations/zh_CN/process/5.Posting.html https://docs.kernel.org/translations/zh_CN/process/submitting-patches.html#cn-submittingpatches https://wiki.openstack.org/wiki/GitCommitMessages --- home/xyz/.config/git/config | 2 ++ 1 file changed, 2 insertions(+) diff --git a/home/xyz/.config/git/config b/home/xyz/.config/git/config index 27649804..10e19af9 100644 --- a/home/xyz/.config/git/config +++ b/home/xyz/.config/git/config @@ -3,3 +3,5 @@ name = Xiao Pan [url "https://github.com/"] insteadOf = git://github.com/ +[format] + signOff = true -- cgit v1.2.3-70-g09d2 From 5467841399e02e8713ec11e2f57b9745a314020c Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 15 Aug 2024 15:55:24 -0700 Subject: ca `nproc --all` report wrong cpu thread count ca actual cpu threads are 3, `nproc --all` wrongly report as 128. I tested on all my computers and it seems nproc output is fine. Weird thing is only ca report nproc and `nproc --all` differently. Anyway, I just use nproc instead. --- home/xyz/.profile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/home/xyz/.profile b/home/xyz/.profile index 02db6e72..4b95c04b 100644 --- a/home/xyz/.profile +++ b/home/xyz/.profile 
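Review bot: `format.signOff = true` only makes `git format-patch` append a `Signed-off-by:` trailer, which is a DCO-style attestation of authorship, not a cryptographic signature; the repository-integrity concern in the first linked article is about GPG-signed commits, which this setting does not provide. A comment on the new section keeps the two from being confused later: `# Signed-off-by trailer (DCO) on format-patch output; not a GPG signature, see commit.gpgsign`.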
@@ -44,7 +44,7 @@ export INPUTRC="$XDG_CONFIG_HOME/.inputrc" export CLICOLOR=1 # for pacdiff, without using aur neovim-drop-in or neovim-symlinks export DIFFPROG='nvim -d' -export MAKEFLAGS="-j$(nproc --all)" +export MAKEFLAGS="-j$(nproc)" # use sudo find for some files or dirs that has no permission ex: ~/.cache/paru/clone/ #export FZF_DEFAULT_COMMAND="fd --no-ignore --hidden --exclude .git" #export FZF_CTRL_T_COMMAND="fd --absolute-path --no-ignore --hidden --exclude .git" -- cgit v1.2.3-70-g09d2 From ae6eb0904885794b020cff4e42be6fe0e9cb7e0a Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 18 Aug 2024 14:03:32 -0700 Subject: calculated estimated 1.47 MiB for .bash_history if HISTSIZE=100000, not too much --- home/xyz/.profile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/xyz/.profile b/home/xyz/.profile index 4b95c04b..4687f177 100644 --- a/home/xyz/.profile +++ b/home/xyz/.profile @@ -17,8 +17,8 @@ export XDG_VIDEOS_DIR PATH="$(find "$HOME/.local/bin" -type d -exec printf '%s:' '{}' \+)$PATH" export PATH -export HISTSIZE=15000 -export HISTFILESIZE=15000 +export HISTSIZE=100000 +export HISTFILESIZE=100000 export HISTCONTROL=ignorespace # sqlite uses VISUAL for the edit() SQL function default text editor -- cgit v1.2.3-70-g09d2 From 177538387b6a32cab1f89844d2b84ccc52d0363d Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 27 Aug 2024 15:14:24 -0700 Subject: pacdiff --- etc/services | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/services b/etc/services index 91a89df2..15f3ad1b 100644 --- a/etc/services +++ b/etc/services @@ -9121,6 +9121,7 @@ abb-escp 6316/tcp abb-escp 6316/udp nav-data-cmd 6317/tcp nav-data 6317/udp +iona-data 6318/tcp repsvc 6320/tcp repsvc 6320/udp emp-server1 6321/tcp @@ -9642,6 +9643,7 @@ aries-kfinder 7570/tcp aries-kfinder 7570/udp coherence 7574/tcp coherence-disc 7574/udp +wtmi-panel 7575/tcp sun-lm 7588/tcp sun-lm 7588/udp mipi-debug 7606/tcp -- cgit v1.2.3-70-g09d2 
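Review bot: The replacement line `export MAKEFLAGS="-j$(nproc)"` would benefit from a comment recording why `--all` was dropped, since the reasoning in the description will not be visible in the file when the next pacdiff-style merge touches it. `nproc --all` counts every processor the kernel knows about, including offline or hot-pluggable slots, which is presumably why the one host reports 128, whereas plain `nproc` reports the CPUs this process may actually run on. Suggested comment above the line: `# plain nproc: online CPUs usable by this shell; --all also counts offline/hotplug slots`.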
From 4cc61b1bda6ea7dccb7c906fdc6deff0d29283cf Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 14 Sep 2024 15:26:58 -0700 Subject: default rust.conf --- etc/makepkg.conf.d/rust.conf | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 etc/makepkg.conf.d/rust.conf diff --git a/etc/makepkg.conf.d/rust.conf b/etc/makepkg.conf.d/rust.conf new file mode 100644 index 00000000..092bf275 --- /dev/null +++ b/etc/makepkg.conf.d/rust.conf @@ -0,0 +1,19 @@ +#!/hint/bash +# shellcheck disable=2034 + +# +# /etc/makepkg.conf.d/rust.conf +# + +######################################################################### +# RUST LANGUAGE SUPPORT +######################################################################### + +# Flags used for the Rust compiler, similar in spirit to CFLAGS. Read +# linkman:rustc[1] for more details on the available flags. +RUSTFLAGS="-Cforce-frame-pointers=yes" + +# Additional compiler flags appended to `RUSTFLAGS` for use in debugging. +# Usually this would include: ``-C debuginfo=2''. Read linkman:rustc[1] for +# more details on the available flags. +DEBUG_RUSTFLAGS="-C debuginfo=2" -- cgit v1.2.3-70-g09d2 From daa86262c35616a0195abc8e33a09ca630bc569b Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 14 Sep 2024 15:27:17 -0700 Subject: meta --- etc/myconf/cfgl_meta | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/myconf/cfgl_meta b/etc/myconf/cfgl_meta index a72bbfb7..04ff1f47 100644 --- a/etc/myconf/cfgl_meta +++ b/etc/myconf/cfgl_meta @@ -16,6 +16,8 @@ 644 root root //etc/locale.gen 777 root root //etc/localtime 644 root root //etc/makepkg.conf +755 root root //etc/makepkg.conf.d +644 root root //etc/makepkg.conf.d/rust.conf 755 root root //etc/myconf 600 root root //etc/myconf/cfgl_meta 644 root root //etc/nftables.conf -- cgit v1.2.3-70-g09d2 From 0d98784d1acbcd5af4667e6bdeb67300fa3cfc1a Mon Sep 17 00:00:00 2001 
From: Xiao Pan Date: Sat, 14 Sep 2024 15:27:51 -0700 Subject: migrate configs from /etc/makepkg.conf Commit https://gitlab.archlinux.org/pacman/pacman/-/commit/71764b6d4cdee1f74cfc603050ced59009950169 and https://gitlab.archlinux.org/archlinux/packaging/packages/pacman/-/commit/099295fdcb33c875d0659510dc8e82969463a7c4 migrate rustflags to /etc/makepkg.conf.d/rust.conf. Note I also change opt-level to 3 because https://doc.rust-lang.org/cargo/reference/profiles.html shows opt-level 3 is all optimization which I want. --- etc/makepkg.conf.d/rust.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/makepkg.conf.d/rust.conf b/etc/makepkg.conf.d/rust.conf index 092bf275..fc881521 100644 --- a/etc/makepkg.conf.d/rust.conf +++ b/etc/makepkg.conf.d/rust.conf @@ -11,7 +11,7 @@ # Flags used for the Rust compiler, similar in spirit to CFLAGS. Read # linkman:rustc[1] for more details on the available flags. -RUSTFLAGS="-Cforce-frame-pointers=yes" +RUSTFLAGS="-Cforce-frame-pointers=yes -C opt-level=2 -C target-cpu=native" # Additional compiler flags appended to `RUSTFLAGS` for use in debugging. # Usually this would include: ``-C debuginfo=2''. Read linkman:rustc[1] for -- cgit v1.2.3-70-g09d2 From f7b1fb0f27d6ae37559b21553bbff56394ca8df4 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 14 Sep 2024 15:39:16 -0700 Subject: migrate rustflags to /etc/makepkg.conf.d/rust.conf, merge zstd pacdiff https://gitlab.archlinux.org/archlinux/packaging/packages/pacman/-/commit/f02d4d01cc9bcaf566e72dbb769250f8c2752e9e https://gitlab.archlinux.org/pacman/pacman/-/commit/71764b6d4cdee1f74cfc603050ced59009950169 https://gitlab.archlinux.org/archlinux/packaging/packages/pacman/-/commit/319671cc720a31cfaa81e25354d58699a1bedf6c --- etc/makepkg.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/etc/makepkg.conf b/etc/makepkg.conf index d750f866..edfed293 100644 --- a/etc/makepkg.conf +++ b/etc/makepkg.conf 
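Review bot: `-C target-cpu=native` in the new `RUSTFLAGS` line ties every package built with makepkg to the instruction set of the build host, so a package built here and installed on another machine with a different CPU can fail with an illegal-instruction fault, and the build is no longer reproducible across hosts; since this repo is synced across several machines (the description of the `nproc` commit above mentions testing on all of them), it is worth either dropping the flag or recording the constraint with `# target-cpu=native: packages built here run only on CPUs with this host's ISA extensions; do not share them`. Separately, the description says opt-level is changed to 3 but the line sets `-C opt-level=2`; the page's later "forget to change opt-level to 3" commit corrects this.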
@@ -48,13 +48,11 @@ CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS" LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--as-needed -Wl,-z,relro -Wl,-z,now \ -Wl,-z,pack-relative-relocs" LTOFLAGS="-flto=auto" -RUSTFLAGS="-Cforce-frame-pointers=yes -C opt-level=2 -C target-cpu=native" #-- Make Flags: change this for DistCC/SMP systems #MAKEFLAGS="-j2" #-- Debugging flags DEBUG_CFLAGS="-g" DEBUG_CXXFLAGS="$DEBUG_CFLAGS" -DEBUG_RUSTFLAGS="-C debuginfo=2" ######################################################################### # BUILD ENVIRONMENT @@ -144,7 +142,7 @@ LIB_DIRS=('lib:usr/lib' 'lib32:usr/lib32') COMPRESSGZ=(gzip -c -f -n) COMPRESSBZ2=(bzip2 -c -f) COMPRESSXZ=(xz -c -z -) -COMPRESSZST=(zstd -c -T0 --ultra -20 -) +COMPRESSZST=(zstd -c -T0 -) COMPRESSLRZ=(lrzip -q) COMPRESSLZO=(lzop -q) COMPRESSZ=(compress -c -f) -- cgit v1.2.3-70-g09d2 From 96a65263a5d41b16f0f0dd5d4669472ef799a015 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 14 Sep 2024 15:42:21 -0700 Subject: merge pacdiff --- etc/sudoers | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/etc/sudoers b/etc/sudoers index 2569d3a2..d590be97 100644 --- a/etc/sudoers +++ b/etc/sudoers 
@@ -74,9 +74,16 @@ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" ## this may allow users to subvert the command being run via sudo. # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ## -## Uncomment to restore the historic behavior where a command is run in -## the user's own terminal. -# Defaults !use_pty +## Uncomment to disable "use_pty" when running commands as root. +## Commands run as non-root users will run in a pseudo-terminal, +## not the user's own terminal, to prevent command injection. +# Defaults>root !use_pty +## +## Uncomment to run commands in the background by default. +## This can be used to prevent sudo from consuming user input while +## a non-interactive command runs if "use_pty" or I/O logging are +## enabled. Some commands may not run properly in the background. +# Defaults exec_background ## ## Uncomment to send mail if the user does not enter the correct password. # Defaults mail_badpass -- cgit v1.2.3-70-g09d2 From 26f27b8aec58c8f29abf88fb75babfbd83f7d5b2 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 14 Sep 2024 16:13:59 -0700 Subject: pacdiff --- etc/pacman.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/pacman.conf b/etc/pacman.conf index c69c6c5f..5dad9272 100644 --- a/etc/pacman.conf +++ b/etc/pacman.conf @@ -35,6 +35,8 @@ Color CheckSpace #VerbosePkgLists ParallelDownloads = 8 +DownloadUser = alpm +#DisableSandbox # By default, pacman accepts packages signed by keys that its local keyring # trusts (see pacman-key and its man page), as well as unsigned packages. -- cgit v1.2.3-70-g09d2 From 4ce52e4dea5de33c9327884af8299d25bd38aba2 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sat, 14 Sep 2024 16:39:06 -0700 Subject: forget to change opt-level to 3 --- etc/makepkg.conf.d/rust.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/makepkg.conf.d/rust.conf b/etc/makepkg.conf.d/rust.conf index fc881521..b6d6f5fa 100644 --- a/etc/makepkg.conf.d/rust.conf 
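Review bot: `DownloadUser = alpm` makes pacman drop to the `alpm` account for the download phase, which only works if that user exists on every host this tracked config is deployed to; it is presumably created by the pacman package's sysusers fragment, but `etc/myconf/cfgl_meta` in this repo does not record it, so confirming with `getent passwd alpm` on each host before the next sync is worthwhile. Keeping `#DisableSandbox` commented out is the right choice, since the download sandbox is what is meant to limit the impact of a hostile or compromised mirror response. A one-line comment would help a future merge keep both settings together: `# DownloadUser: fetch packages as the unprivileged alpm user; leave DisableSandbox commented so downloads stay sandboxed`.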
+++ b/etc/makepkg.conf.d/rust.conf @@ -11,7 +11,7 @@ # Flags used for the Rust compiler, similar in spirit to CFLAGS. Read # linkman:rustc[1] for more details on the available flags. -RUSTFLAGS="-Cforce-frame-pointers=yes -C opt-level=2 -C target-cpu=native" +RUSTFLAGS="-Cforce-frame-pointers=yes -C opt-level=3 -C target-cpu=native" # Additional compiler flags appended to `RUSTFLAGS` for use in debugging. # Usually this would include: ``-C debuginfo=2''. Read linkman:rustc[1] for -- cgit v1.2.3-70-g09d2 From b7f6d661dbc113c33d10f59e77693cf7e5184df0 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Fri, 25 Oct 2024 23:01:32 +0000 Subject: pacdiff --- etc/postfix/main.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf index 556ca8b9..fe83cc82 100644 --- a/etc/postfix/main.cf +++ b/etc/postfix/main.cf @@ -743,5 +743,5 @@ sample_directory = /etc/postfix # readme_directory = /usr/share/doc/postfix inet_protocols = ipv4 -meta_directory = /etc/postfix shlib_directory = /usr/lib/postfix +meta_directory = /etc/postfix -- cgit v1.2.3-70-g09d2 From 7a9070762b8eb14a39213583577a86a2a413592c Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 28 Oct 2024 14:49:39 -0700 Subject: outdated comment --- home/xyz/.bashrc | 1 - 1 file changed, 1 deletion(-) diff --git a/home/xyz/.bashrc b/home/xyz/.bashrc index ccd668ed..8b1dff90 100644 --- a/home/xyz/.bashrc +++ b/home/xyz/.bashrc 
@@ -86,7 +86,6 @@ alias sst='ssh studio' # \" to consider $HOME contain space, need \ else " will be expanded locally, need \$ else $HOME will expand locally # can test with: alias mytest='ssh studio for i in \"\$SSH_CONNECTION\"\; do echo \$i\; echo a\; done' alias sstm='ssh -t -- studio mpra -c \"\$HOME/programs/repos/fly/any/fsh-git\"' -# from `man remind`: "Note that you can omit the reminder type, in which case it defaults to MSG" # can test this mess with `alias tt='echo "\$haha \"lala\""'` alias sun='printf "set \$Longitude \"-121.89\"\nset \$Latitude \"37.34\"\n[sunrise()] sunrise\n[sunset()] sunset" | remind -n -' # another way: -- cgit v1.2.3-70-g09d2 From 30da5bb70ee3dc496898aa2b04c28089debcaff6 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 28 Oct 2024 14:50:18 -0700 Subject: pacdiff --- etc/services | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/services b/etc/services index 15f3ad1b..384c630d 100644 --- a/etc/services +++ b/etc/services @@ -11193,6 +11193,7 @@ exoconfig 26487/udp exonet 26489/tcp exonet 26489/udp flex-lmadmin 27010/tcp +chlenix 27016/tcp mongodb 27017/tcp imagepump 27345/tcp imagepump 27345/udp -- cgit v1.2.3-70-g09d2 From 6e2162ec5cebcd8025b9ca74cde339d56bf3ebcb Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Mon, 18 Nov 2024 18:54:57 -0800 Subject: pacdiff --- etc/sudoers | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/sudoers b/etc/sudoers index d590be97..94678ba5 100644 --- a/etc/sudoers +++ b/etc/sudoers @@ -47,7 +47,7 @@ Defaults!/usr/bin/visudo env_keep += "SUDO_EDITOR EDITOR VISUAL" ## ## Use a hard-coded PATH instead of the user's to find commands. ## This also helps prevent poorly written scripts from running -## artbitrary commands under sudo. +## arbitrary commands under sudo. Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" ## ## You may wish to keep some of the following environment variables 
@@ -107,6 +107,10 @@ Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" ## Some package scripts run a huge number of commands, which is made ## slower by these options and also can clutter up the logs. # Defaults!PKGMAN !intercept, !log_subcmds +## +## Uncomment to disable PAM silent mode. Otherwise messages by PAM +## modules such as pam_faillock will not be printed. +# Defaults !pam_silent ## ## Runas alias specification -- cgit v1.2.3-70-g09d2 From cf3c2c45538ccc9101f15e1099ed634844c1b129 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 12 Dec 2024 22:12:36 +0000 Subject: pacdiff --- etc/postfix/master.cf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf index 7ce6e816..46ed0b73 100644 --- a/etc/postfix/master.cf +++ b/etc/postfix/master.cf @@ -70,7 +70,7 @@ proxymap unix - - n - - proxymap proxywrite unix - - n - 1 proxymap smtp unix - - n - - smtp relay unix - - n - - smtp - -o syslog_name=postfix/$service_name + -o syslog_name=${multi_instance_name?{$multi_instance_name}:{postfix}}/$service_name # -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 showq unix n - n - - showq error unix - - n - - error -- cgit v1.2.3-70-g09d2 From a0d34d295ef002833ceb9c455779d1f2812f2bed Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Tue, 10 Dec 2024 01:09:04 -0800 Subject: tinted-theming/tinted-vim breaking changes https://github.com/tinted-theming/tinted-vim/pull/89 --- home/xyz/.config/nvim/init.vim | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/home/xyz/.config/nvim/init.vim b/home/xyz/.config/nvim/init.vim index 18f5dadc..cb19aff4 100644 --- a/home/xyz/.config/nvim/init.vim +++ b/home/xyz/.config/nvim/init.vim 
@@ -58,8 +58,8 @@ function! s:base16_customize() abort " make fold title more contrast and readable, by reverting some changes from: " https://github.com/tinted-theming/base16-vim/pull/43/files " tested with base16-tomorrow-night theme - call Base16hi("FoldColumn", g:base16_gui0C, g:base16_gui01, g:base16_cterm0C, g:base16_cterm01, "", "") - call Base16hi("Folded", g:base16_gui03, g:base16_gui01, g:base16_cterm03, g:base16_cterm01, "", "") + call Tinted_Hi("FoldColumn", g:tinted_gui0C, g:tinted_gui01, g:tinted_cterm0C, g:tinted_cterm01, "", "") + call Tinted_Hi("Folded", g:tinted_gui03, g:tinted_gui01, g:tinted_cterm03, g:tinted_cterm01, "", "") endfunction function! Md_toggle_fold() abort -- cgit v1.2.3-70-g09d2 From 46c65d1bdb88d39e72d6e7280176687b6ad9488d Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Thu, 12 Dec 2024 19:09:18 -0800 Subject: pacdiff --- etc/services | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/services b/etc/services index 384c630d..45722821 100644 --- a/etc/services +++ b/etc/services @@ -4904,6 +4904,8 @@ f5-globalsite 2792/tcp f5-globalsite 2792/udp initlsmsad 2793/tcp initlsmsad 2793/udp +urp 2794/tcp +urp 2794/udp livestats 2795/tcp livestats 2795/udp ac-tech 2796/tcp @@ -8946,6 +8948,9 @@ fis 5912/sctp aoc-acars 5913/tcp aoc-acars 5913/udp ads-c 5913/sctp +ipsdtls 5914/tcp +ipsdtls 5914/udp +ipsdtls 5914/sctp indy 5963/tcp indy 5963/udp mppolicy-v5 5968/tcp -- cgit v1.2.3-70-g09d2
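Review bot: The two rewritten `call Tinted_Hi(...)` lines now use the tinted-vim API, but the enclosing function is still `s:base16_customize` and its header comment still cites base16-vim, so the next reader will assume the old plugin and its `g:base16_*` variables. Either rename it to `s:tinted_customize` (its autocmd or call sites lie outside this hunk) or add `" tinted-vim renamed Base16hi/g:base16_* to Tinted_Hi/g:tinted_* (tinted-vim PR 89)` above the calls so the name and the code stay in step. The function's signature is only visible in the hunk header context, outside the hunk.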