6.8 KiB
Router
https://store.ui.com/collections/operator-edgemax-routers/products/edgerouter-x
https://en.wikipedia.org/wiki/Category_6_cable
https://umhau.github.io/openbsd-router/
https://www.openbsdhandbook.com/howto/simple_router/
Rust Raspi 3
Install cross-aarch64-linux-gnu
rustup target add aarch64-unknown-linux-gnu
.cargo/config.toml <<
[target.aarch64-unknown-linux-gnu]
linker = "aarch64-linux-gnu-gcc"
cargo build --target=aarch64-unknown-linux-gnu
Keyrings
Install KeePassXC
Create a new group for keyring stuff
Setting > Secret Service Integration
Enable it
Click the icon next to the database in the list, go to SSI
Click "Expose entries under this group" and select the group you made
Install pinentry-gtk
In .gnupg/gpg-agent.conf: pinentry-program /usr/bin/pinentry-gtk-2
SSH
Add to .zshrc:
if ! pgrep -u "$USER" ssh-agent > /dev/null; then
ssh-agent -t 5h > "$XDG_RUNTIME_DIR/ssh-agent.env"
fi
if [[ ! "$SSH_AUTH_SOCK" ]]; then
source "$XDG_RUNTIME_DIR/ssh-agent.env" >/dev/null
fi
Run ssh-add ~/.ssh/id_ed25519
VPS
Services
- Website
- Writefreely
- Gitea
- Matrix
- go-ssb-room
- Agate (Gemini Server)
- mastodon-ebooks
- mail server
OS Setup
Software
- Void Linux
- polybar
- bspwm
- sxhkd
- pipewire
- kitty
- btrfs
- Full encryption
- Ventoy
- LibreSprite
- Manyverse
- Rust tools:
zoxide, lsd, bat, pier, ouch, kalker, lethe, fd, ripgrep, procs, xh, kondo, sniffglue, ttyper
Games
- Dwarf Fortress
- Veloren
- Cataclysm DDA
- Mindustry
Software
DNS-over-TLS
Install unbound
Disable systemd-resolved, etc.
sudo chattr -i /etc/resolv.conf
/etc/resolv.conf <<
nameserver 127.0.0.1
nameserver ::1
options trust-ad
sudo chattr +i /etc/resolv.conf
Add basic unbound config to /etc/unbound/unbound.conf
unbound-checkconf
Enable & test
sudo unbound-control-setup
sudo unbound-anchor
Add tls config to /etc/unbound/unbound.conf
Restart & test again.
sudo tcpdump -v -i enp0s31f6 -s 65535 -w dns.pcap dst port 53 or 853
dig example.com
tshark -r dns.pcap
SSH
Generate new key
ed25519 algorithm
ssh-keygen -t <algorithm> -b <size> -f <file name>
ssh-copy-id -i <priv-key file> user@host.name
Configure
in ~/.ssh/config:
Host <alias-name>
HostName <domain/ip>
User <username>
Port <port>
IdentityFile ~/.ssh/<privkey file>
then ssh <alias>
SSH over tor
On host:
HiddenServiceDir /home/tor/ssh
HiddenServicePort 22 127.0.0.1:22
On client:
Uninstall gnu-netcat, install openbsd-netcat
In ssh config:
Host onion-ssh
HostName <onion address>
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
Browser Security
about:config tweaks
// Isolates all browser identifier sources (e.g. cookies) to the first party domain, with the goal of preventing tracking across different domains.
privacy.firstparty.isolate = true
// makes Firefox more resistant to browser fingerprinting.
privacy.resistFingerprinting = true
// Blocks Fingerprinting
privacy.trackingprotection.fingerprinting.enabled = true
// Blocks cryptomining
privacy.trackingprotection.cryptomining.enabled = true
// Tracking protection
privacy.trackingprotection.enabled = true
// The attribute would be useful for letting websites track visitors' clicks.
browser.send_pings = false
// Disable preloading of autocomplete URLs.
browser.urlbar.speculativeConnect.enabled = false
// Disable that websites can get notifications if you copy, paste, or cut something
dom.event.clipboardevents.enabled = false
// Disables playback of DRM-controlled HTML5 content
media.eme.enabled = false
// Disables the Widevine Content Decryption Module provided by Google
media.gmp-widevinecdm.enabled = false
// Websites can track the microphone and camera status of your device.
media.navigator.enabled = false
// Disable cookies
network.cookie.cookieBehavior = 1
// Only send Referer header when the full hostnames match.
network.http.referer.XOriginPolicy = 2
// When sending Referer across origins, only send scheme, host, and port
network.http.referer.XOriginTrimmingPolicy = 2
// WebGL bad for security
webgl.disabled = true
// This preference controls when to store extra information about a session
browser.sessionstore.privacy_level = 2
// Disables sending additional analytics to web servers
beacon.enabled = false
// Prevents Firefox from sending information about downloaded executable files to Google Safe Browsing
browser.safebrowsing.downloads.remote.enabled = false
// Disable Firefox prefetching pages it thinks you will visit next
network.dns.disablePrefetch = true
network.dns.disablePrefetchFromHTTPS = true
network.predictor.enabled = false
network.predictor.enable-prefetch = false
network.prefetch-next = false
// Not rendering IDNs as their Punycode equivalent leaves you open to phishing attacks
network.IDN_show_punycode = true
Addons
Misc Settings
-
Confirm before quitting with Ctrl+Q
-
Play DRM-controlled content
-
Proxy DNS when using SOCKS v5
-
Search engine: http://pvlm2b54e6z7zzb3l5c5ninikhbm2xwq7fvstg7jfcr7fu4ulp5cthqd.onion