# Router

https://store.ui.com/collections/operator-edgemax-routers/products/edgerouter-x

https://en.wikipedia.org/wiki/Category_6_cable

https://umhau.github.io/openbsd-router/

https://www.openbsdhandbook.com/howto/simple_router/

# Rust Raspi 3

Install `cross-aarch64-linux-gnu` (the Void package that provides the `aarch64-linux-gnu-gcc` linker used below)

`rustup target add aarch64-unknown-linux-gnu`

`.cargo/config.toml` <<

```
[target.aarch64-unknown-linux-gnu]
linker = "aarch64-linux-gnu-gcc"
```

`cargo build --target=aarch64-unknown-linux-gnu`

The result is dynamically linked against the cross toolchain's glibc, so the Pi's glibc must be at least that version; for a binary that does not care, build for `aarch64-unknown-linux-musl` (needs the matching `cross-aarch64-linux-musl` toolchain and linker entry) and ship a static executable.

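Before copying the result to the Pi it is worth checking that the binary really targets AArch64: forgetting `--target` silently builds for the host, and a deploy script that blindly `scp`s the file will not notice. The script below is an added example for these notes, not code from the original page. It reads the ELF header directly (`e_machine` 183 is AArch64, 62 is x86-64, per the ELF specification), so it needs only POSIX `sh` and `od`, not `file` or `readelf`.

```shell
#!/bin/sh
# check_target.sh: refuse to deploy a binary that is not an AArch64 ELF.
# Added example for these notes (not from the original page). Pure POSIX sh + od.

EM_AARCH64=183        # e_machine value for AArch64 (ELF spec, 0xB7)
EM_X86_64=62          # what you get when --target was forgotten on a PC (0x3E)

# Print the e_machine field of an ELF file as a decimal number.
# It sits at offset 18 and is stored in the file's own byte order (EI_DATA at offset 5).
elf_machine() {
  f=$1
  order=$(od -An -tu1 -j5 -N1 "$f" 2>/dev/null | tr -d ' ' || true)   # 1 = little-endian, 2 = big-endian
  set -- $(od -An -tu1 -j18 -N2 "$f" 2>/dev/null)                      # the two raw bytes
  [ $# -eq 2 ] || { echo 0; return 1; }                                # too short to be an ELF header
  if [ "$order" = 2 ]; then
    echo $(( $1 * 256 + $2 ))
  else
    echo $(( $1 + $2 * 256 ))
  fi
}

# Succeed (exit 0) only if the file starts with the ELF magic and targets AArch64.
is_aarch64_elf() {
  magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' ' || true)
  [ "$magic" = "7f454c46" ] || return 1                                # "\177ELF"
  [ "$(elf_machine "$1")" -eq "$EM_AARCH64" ]
}

# Human-readable verdict, e.g. for the deploy script that scp's to the Pi.
describe_elf() {
  if is_aarch64_elf "$1"; then
    echo "$1: AArch64 ELF, ok to deploy"
  elif [ "$(elf_machine "$1")" -eq "$EM_X86_64" ]; then
    echo "$1: x86-64 ELF, you forgot --target=aarch64-unknown-linux-gnu"
  else
    echo "$1: not an AArch64 ELF (e_machine $(elf_machine "$1"))"
  fi
}

# Usage: sh check_target.sh target/aarch64-unknown-linux-gnu/release/<bin> && scp <bin> pi:
if [ -n "${1:-}" ]; then
  describe_elf "$1"
  is_aarch64_elf "$1"
fi
```

Chain it in front of the copy step (`sh check_target.sh "$bin" && scp "$bin" pi:`) so a wrong-architecture build stops the deploy instead of failing on the Pi with "Exec format error".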
# Keyrings

Install KeePassXC

Create a new group for keyring stuff

`Settings > Secret Service Integration`

Enable it

Open the database's settings (Database > Database Settings) and go to Secret Service Integration

Click "Expose entries under this group" and select the group you made

Only one process can own the `org.freedesktop.secrets` name on the session bus, so make sure gnome-keyring's secrets component (or any other provider) is not running, otherwise clients keep talking to it instead of KeePassXC

Install `pinentry-gtk`

In `.gnupg/gpg-agent.conf`: `pinentry-program /usr/bin/pinentry-gtk-2`, then `gpgconf --kill gpg-agent` so the running agent picks up the change

## SSH

Add to `.zshrc`:

```
# One agent per user; loaded keys expire after 5h (-t). The env file is how other shells find it.
if ! pgrep -u "$USER" ssh-agent > /dev/null; then
    ssh-agent -t 5h > "$XDG_RUNTIME_DIR/ssh-agent.env"
fi
# Import the agent's socket and pid into this shell if it does not have them yet
if [[ -z "$SSH_AUTH_SOCK" ]] && [[ -r "$XDG_RUNTIME_DIR/ssh-agent.env" ]]; then
    source "$XDG_RUNTIME_DIR/ssh-agent.env" > /dev/null
fi
```

Run `ssh-add ~/.ssh/id_ed25519` (add `-c` if the agent should ask, via ssh-askpass, before every use of the key, which limits what a compromised forwarded agent can do with it)

# VPS

## Services

- Website
- Writefreely
- Gitea
- Matrix
- go-ssb-room
- Agate (Gemini Server)
- mastodon-ebooks
- mail server

# OS Setup

## Software

- Void Linux
- polybar
- bspwm
- sxhkd
- pipewire
- kitty
- btrfs
- Full encryption
- [Ventoy](https://www.ventoy.net/en/index.html)
- LibreSprite
- Manyverse
- Rust tools: `zoxide, lsd, bat, pier, ouch, kalker, lethe, fd, ripgrep, procs, xh, kondo, sniffglue, ttyper`

## Games

- Dwarf Fortress
- Veloren
- [Cataclysm DDA](https://github.com/CleverRaven/Cataclysm-DDA)
- [Mindustry](https://anuke.itch.io/mindustry)

# Software

[PrismBreak](https://prism-break.org/en/)

[switching.software](https://switching.software/)

[Ethical Tech](https://ethical.net/)

[Surveillance Self-Defense](https://ssd.eff.org/en)

# DNS-over-TLS

Install `unbound`

Disable `systemd-resolved`, etc. (anything else that listens on port 53 or rewrites `/etc/resolv.conf`, such as NetworkManager or dhcpcd hooks)

`sudo chattr -i /etc/resolv.conf`

```
/etc/resolv.conf <<

nameserver 127.0.0.1
nameserver ::1
options trust-ad
```

`sudo chattr +i /etc/resolv.conf` (keeps DHCP clients from putting the ISP resolver back; `trust-ad` is only safe here because both nameservers are loopback)

Add basic unbound config to `/etc/unbound/unbound.conf`

`unbound-checkconf`

Enable & test

```
sudo unbound-control-setup
sudo unbound-anchor
```

The root key file `unbound-anchor` writes must be writable by the user unbound runs as, otherwise the automatic trust-anchor updates (RFC 5011) fail later.

Add tls config to `/etc/unbound/unbound.conf`

Restart & test again. Expect traffic only to port 853 on the wire; any packet to port 53 leaving the interface means something is bypassing unbound.

```
sudo tcpdump -v -i enp0s31f6 -s 65535 -w dns.pcap dst port 53 or 853
dig example.com
tshark -n -r dns.pcap
```

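The steps above leave out the actual unbound config. The script below is an added example, not the config from the original notes, and makes these assumptions: the system CA bundle is `/etc/ssl/certs/ca-certificates.crt`, `unbound-anchor` wrote `/etc/unbound/root.key` (its documented default), and the upstreams are Cloudflare and Quad9 on port 853 (pick your own; the `#name` after each address is what unbound verifies the upstream's TLS certificate against, and without it the TLS connection is unauthenticated). The second function turns a text dump of the capture from the test above into a plaintext-leak count so the check can be scripted instead of eyeballing tshark.

```shell
#!/bin/sh
# unbound-dot.sh: generate a TLS-only unbound.conf and count plaintext DNS leaks in a capture.
# Added example for these notes (not the original config). Paths and upstreams are assumptions.

CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt    # assumed: Void/Debian-style system CA store
ROOT_KEY=/etc/unbound/root.key                  # assumed: where `unbound-anchor` wrote the trust anchor

# Print a complete unbound.conf: listens on loopback only, validates DNSSEC, forwards
# everything to the upstreams over TLS (port 853) and authenticates their certificates.
unbound_dot_conf() {
  cat <<EOF
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: "$ROOT_KEY"
    tls-cert-bundle: "$CA_BUNDLE"

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # address@port#name: the name is verified against the upstream's TLS certificate
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
EOF
}

# Read `tcpdump -nn -r dns.pcap` text on stdin and print "<plain> <tls>": packets sent to
# port 53 (unencrypted, i.e. something bypassed unbound) and to port 853 (DoT, expected).
count_dns_leaks() {
  awk '$2 ~ /^IP6?$/ && $4 == ">" {
         dst = $5; sub(/:$/, "", dst)          # "1.1.1.1.853:" -> "1.1.1.1.853"
         n = split(dst, part, "."); port = part[n]
         if (port == "53") plain++; else if (port == "853") tls++
       }
       END { printf "%d %d\n", plain, tls }'
}

# Usage: sh unbound-dot.sh install          (then restart unbound)
#        sh unbound-dot.sh check dns.pcap   (exit status 1 if anything went out in plaintext)
case "${1:-}" in
  install) unbound_dot_conf > /etc/unbound/unbound.conf && unbound-checkconf ;;
  check)   leaks=$(tcpdump -nn -r "$2" 2>/dev/null | count_dns_leaks)
           echo "plaintext-to-port-53 / DoT-to-port-853 packets: $leaks"
           [ "${leaks%% *}" = 0 ] ;;
esac
```

Run the `check` step with the capture from the `dig` test; "0 N" is the result you want. A non-zero first number after the switch usually means a program with its own resolver (a browser with DoH off but a hard-coded server, a container, or `systemd-resolved` still alive).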
# SSH

## Generate new key

ed25519 algorithm (`-b` is ignored for ed25519, the key size is fixed; it only matters for rsa, where it should be at least 3072. `-a <rounds>` raises the KDF rounds protecting the passphrase.)

`ssh-keygen -t <algorithm> -b <size> -f <file name>`

`ssh-copy-id -i <pub-key file> user@host.name` (if you pass the private key path, `.pub` is appended automatically)

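Generating an ed25519 key on the client does nothing about the older keys still accepted in `~/.ssh/authorized_keys` on the hosts you `ssh-copy-id` to. The following is an added example, not from the original notes, of a small audit that parses each line (including ones with a `restrict,command=...` option prefix), flags `ssh-dss` and RSA keys under 3072 bits (adjust the threshold to your policy), and computes the RSA size directly from the key blob so it runs without `ssh-keygen`. It assumes Linux userland (`base64 -d`, `od`, `awk`).

```shell
#!/bin/sh
# audit_keys.sh: flag weak keys in an authorized_keys file.
# Added example for these notes (not from the original page). Linux userland assumed (base64 -d, od, awk).

# RSA modulus size in bits, parsed from the base64 "ssh-rsa" wire blob:
#   string "ssh-rsa" | mpint e | mpint n   (each length-prefixed with a 4-byte big-endian count)
rsa_modulus_bits() {
  printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tu1 -v | awk '
    function u32(p) { return b[p] * 16777216 + b[p+1] * 65536 + b[p+2] * 256 + b[p+3] }
    { for (k = 1; k <= NF; k++) b[++n] = $k }          # collect the bytes
    END {
      i = 1
      i += 4 + u32(i)                                    # skip "ssh-rsa"
      i += 4 + u32(i)                                    # skip public exponent e
      len = u32(i); i += 4                               # modulus n
      while (len > 0 && b[i] == 0) { i++; len-- }        # mpint leading zero byte(s)
      bits = (len - 1) * 8; v = b[i]
      while (v > 0) { bits++; v = int(v / 2) }           # bits in the top byte
      if (bits < 0) bits = 0                             # empty or undecodable blob
      print bits + 0
    }'
}

# Read authorized_keys on stdin, print one "<verdict> <type> <bits> <comment>" line per key.
# Verdicts: ok, WEAK (ssh-dss, disabled by default since OpenSSH 7.0; rsa < 3072 bits), unknown.
audit_authorized_keys() {
  set -f                                   # no globbing while word-splitting key lines
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    set -- $line
    # skip an options prefix such as restrict,command="/usr/bin/backup" up to the key type
    while [ $# -gt 0 ]; do
      case "$1" in ssh-*|ecdsa-*|sk-*) break ;; *) shift ;; esac
    done
    [ $# -ge 2 ] || { echo "unknown ? 0 (unparseable line)"; continue; }
    type=$1; blob=$2; shift 2; comment=$*
    case "$type" in
      ssh-ed25519|sk-ssh-ed25519@openssh.com) verdict=ok; bits=256 ;;
      ssh-rsa)
        bits=$(rsa_modulus_bits "$blob")
        if [ "$bits" -ge 3072 ]; then verdict=ok; else verdict=WEAK; fi ;;
      ssh-dss) verdict=WEAK; bits=1024 ;;
      ecdsa-sha2-nistp256|sk-ecdsa-sha2-nistp256@openssh.com) verdict=ok; bits=256 ;;
      ecdsa-sha2-nistp384) verdict=ok; bits=384 ;;
      ecdsa-sha2-nistp521) verdict=ok; bits=521 ;;
      *) verdict=unknown; bits=0 ;;
    esac
    printf '%s %s %s %s\n' "$verdict" "$type" "$bits" "$comment"
  done
  set +f
}

# Usage: audit_authorized_keys < ~/.ssh/authorized_keys | grep -v '^ok'
```

Run it on every host after `ssh-copy-id` and delete the lines it reports; while you are in the file, the `restrict` option (no forwarding, no pty, no X11) is a cheap default for keys that only exist to run one command.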
## Configure

in `~/.ssh/config`:

```
Host <alias-name>
    HostName <domain/ip>
    User <username>
    Port <port>
    IdentityFile ~/.ssh/<privkey file>
    # only offer this key, not every key loaded in the agent
    IdentitiesOnly yes
```

then `ssh <alias>`

## SSH over tor

On host, in `torrc`:

```
HiddenServiceDir /home/tor/ssh
HiddenServicePort 22 127.0.0.1:22
```

`HiddenServiceDir` must be owned by the user tor runs as, mode 700, or tor refuses to start. If the box should only be reachable through the onion, also set `ListenAddress 127.0.0.1` in `sshd_config` and confirm with `ss -tlnp` that nothing is bound to port 22 on the public address.

On client:

Uninstall `gnu-netcat`, install `openbsd-netcat` (the `-X`/`-x` proxy options below are openbsd-netcat only)

In ssh config:

```
Host onion-ssh
    HostName <onion address>
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
```

`-X 5` selects SOCKS5, so the `.onion` name is handed to tor unresolved instead of being looked up by the local resolver.

# Browser Security

## about:config tweaks

```
// Isolates all browser identifier sources (e.g. cookies) to the first-party domain to prevent cross-site tracking.
// Legacy option: Total Cookie Protection (dynamic first-party isolation) is on by default in current Firefox, and enabling FPI on top can break some logins.
privacy.firstparty.isolate = true

// Makes Firefox more resistant to browser fingerprinting (Tor Browser's uniformity measures: spoofed timezone, rounded window size, canvas prompts). Expect some breakage.
privacy.resistFingerprinting = true

// Blocks known fingerprinting scripts (tracking-protection list)
privacy.trackingprotection.fingerprinting.enabled = true

// Blocks known cryptomining scripts
privacy.trackingprotection.cryptomining.enabled = true

// Tracking protection in all windows, not only private ones
privacy.trackingprotection.enabled = true

// Disables hyperlink auditing (<a ping>), which lets websites track clicks
browser.send_pings = false

// Disable speculative connections to autocomplete URLs before you press enter
browser.urlbar.speculativeConnect.enabled = false

// Stops websites from seeing copy, paste and cut events. Breaks sites that handle paste themselves.
dom.event.clipboardevents.enabled = false

// Disables playback of DRM-controlled HTML5 content
media.eme.enabled = false

// Disables the Widevine Content Decryption Module provided by Google
media.gmp-widevinecdm.enabled = false

// Disables WebRTC media capture (getUserMedia), so websites cannot enumerate or use the camera and microphone
media.navigator.enabled = false

// Blocks third-party cookies only (0 = accept all, 1 = block third-party, 2 = block all, 4 = block known trackers, 5 = block trackers and partition the rest)
network.cookie.cookieBehavior = 1

// Only send the Referer header when the full hostnames match (0 = always, 1 = same base domain, 2 = same host)
network.http.referer.XOriginPolicy = 2

// When a cross-origin Referer is sent, trim it to scheme, host and port
network.http.referer.XOriginTrimmingPolicy = 2

// WebGL exposes GPU driver code to web content and is a strong fingerprinting source
webgl.disabled = true

// Never store extra session data (form contents, POST data, cookies) in the session store (0 = always, 1 = only for http sites, 2 = never)
browser.sessionstore.privacy_level = 2

// Disables navigator.sendBeacon(), used to send analytics on page unload
beacon.enabled = false

// Stops Firefox sending metadata about downloaded executables to Google Safe Browsing. Trade-off: you also lose its reputation check on malware downloads.
browser.safebrowsing.downloads.remote.enabled = false

// Disable Firefox prefetching pages and DNS names it thinks you will visit next
network.dns.disablePrefetch = true
network.dns.disablePrefetchFromHTTPS = true
network.predictor.enabled = false
network.predictor.enable-prefetch = false
network.prefetch-next = false

// Show IDNs as Punycode; otherwise lookalike Unicode domains (homograph attacks) are indistinguishable from the real site in the URL bar
network.IDN_show_punycode = true
```

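Prefs set by hand in about:config silently drift (profile refresh, an update flipping a default, a misclick) and nothing tells you. A `user.js` in the profile directory reapplies them on every start, and a quick diff against `prefs.js` shows what changed. The script below is an added example, not part of the original notes: it turns the `key = value` list above into `user.js` syntax and reports drift between the list and a profile's `prefs.js`. Firefox only writes non-default values to `prefs.js`, so a key reported as MISSING may simply be at its default; check those by hand.

```shell
#!/bin/sh
# ff-prefs.sh: build user.js from a "key = value" list and audit a profile's prefs.js against it.
# Added example for these notes (not from the original page).

# stdin: lines like `network.cookie.cookieBehavior = 1` plus // comments; stdout: user_pref() lines.
prefs_to_user_js() {
  awk '
    /^[[:space:]]*\/\// || /^[[:space:]]*$/ { next }          # drop comments and blank lines
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = substr($0, 1, eq - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      val = substr($0, eq + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (val !~ /^(true|false|-?[0-9]+)$/) val = "\"" val "\""   # strings need quotes
      printf "user_pref(\"%s\", %s);\n", key, val
    }'
}

# stdin: user_pref("key", value); lines (user.js or prefs.js); stdout: key<TAB>value
extract_user_prefs() {
  awk 'match($0, /^user_pref\("[^"]*",/) {
         key = substr($0, 12, RLENGTH - 13)
         val = substr($0, RLENGTH + 1)
         sub(/^[[:space:]]+/, "", val); sub(/\);[[:space:]]*$/, "", val)
         print key "\t" val
       }'
}

# audit_prefs <expected list> <profile prefs.js>: one DRIFT/MISSING line per mismatch, nothing if clean.
audit_prefs() {
  want=$(prefs_to_user_js < "$1" | extract_user_prefs)
  extract_user_prefs < "$2" | awk -F'\t' -v list="$want" '
    BEGIN {
      n = split(list, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, "\t"); expect[kv[1]] = kv[2] }
    }
    ($1 in expect) {
      seen[$1] = 1
      if ($2 != expect[$1]) printf "DRIFT %s expected %s got %s\n", $1, expect[$1], $2
    }
    END { for (k in expect) if (!(k in seen)) printf "MISSING %s expected %s\n", k, expect[k] }'
}

# Usage: prefs_to_user_js < prefs.txt > ~/.mozilla/firefox/<profile>/user.js
#        audit_prefs prefs.txt ~/.mozilla/firefox/<profile>/prefs.js
```

Keep the list above in a `prefs.txt` under version control next to the rest of the dotfiles; `prefs_to_user_js` regenerates `user.js` from it, and `audit_prefs` run against a closed profile (Firefox rewrites `prefs.js` on exit) shows anything that was changed behind your back.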
## Addons

[uBlock Origin](https://addons.mozilla.org/en-CA/firefox/addon/ublock-origin/)

[Facebook Container](https://addons.mozilla.org/en-CA/firefox/addon/facebook-container/)

[ClearURLs](https://addons.mozilla.org/en-CA/firefox/addon/clearurls/)

[TOS;DR](https://addons.mozilla.org/en-CA/firefox/addon/terms-of-service-didnt-read/)

[Decentraleyes](https://addons.mozilla.org/en-CA/firefox/addon/decentraleyes/)

[Bypass Paywalls](https://addons.mozilla.org/en-CA/firefox/addon/bypass-paywalls-firefox/)

[Deadname Remover](https://addons.mozilla.org/en-CA/firefox/addon/deadname-remover/)

[Snowflake](https://addons.mozilla.org/en-CA/firefox/addon/torproject-snowflake/)

[Skip Redirect](https://addons.mozilla.org/en-CA/firefox/addon/skip-redirect/)

[Site Bleacher](https://addons.mozilla.org/en-CA/firefox/addon/site-bleacher/)

[Privacy Redirect](https://addons.mozilla.org/en-CA/firefox/addon/privacy-redirect/)

[NoScript](https://addons.mozilla.org/en-CA/firefox/addon/noscript/)

[CSS Exfil Protection](https://addons.mozilla.org/en-CA/firefox/addon/css-exfil-protection/)

[Chameleon](https://addons.mozilla.org/en-CA/firefox/addon/chameleon-ext/)

[Multi-Account Containers](https://addons.mozilla.org/firefox/addon/multi-account-containers/)

[HTTPZ](https://addons.mozilla.org/firefox/addon/httpz/)

[RTFM](https://addons.mozilla.org/en-US/firefox/addon/read-the-feminist-manual/)

[Refined GitHub](https://addons.mozilla.org/firefox/addon/refined-github-/)

## Misc Settings

- [x] Confirm before quitting with Ctrl+Q
- [ ] Play DRM-controlled content
- [x] Proxy DNS when using SOCKS v5 (required when the browser is pointed at tor's SOCKS port, otherwise name lookups, `.onion` ones included, go to the local resolver instead of through tor)
- Search engine: http://pvlm2b54e6z7zzb3l5c5ninikhbm2xwq7fvstg7jfcr7fu4ulp5cthqd.onion