-rw-r--r-- | .config/bat/config | 2 | ||||
-rw-r--r-- | .newsboat/urls | 1 | ||||
-rw-r--r-- | .vimrc | 1 | ||||
-rw-r--r-- | .zshrc | 15 | ||||
-rwxr-xr-x | bin/get_random_ua.sh | 53 | ||||
-rw-r--r-- | db/mongo/build_db.js | 2 | ||||
-rw-r--r-- | kubernetes/bitlbee-purple/docker-compose.yaml | 27 | ||||
-rw-r--r-- | kubernetes/postgres/postgres-deployment.yaml | 2 | ||||
-rw-r--r-- | postit | 1 | ||||
-rw-r--r-- | redirector/Redirector.json | 57 | ||||
-rwxr-xr-x | seccomp/bwrap_generator.sh | 25 | ||||
-rw-r--r-- | seccomp/makefile | 237 | ||||
-rw-r--r-- | seccomp/seccomp_filter.c | 75 | ||||
-rw-r--r-- | stylus/manganato_sepia.css | 2 | ||||
-rw-r--r-- | terminaldweller.com/browsh/nginx.conf | 40 | ||||
-rw-r--r-- | terminaldweller.com/cargo/nginx.conf | 11 | ||||
-rw-r--r-- | terminaldweller.com/cgit/cgit.conf | 11 | ||||
-rw-r--r-- | terminaldweller.com/ejabberd/ejabberd.yml | 5 | ||||
-rw-r--r-- | terminaldweller.com/rss-bridge/nginx.conf | 40 | ||||
-rwxr-xr-x | tmux/date.sh | 4 |
20 files changed, 599 insertions, 12 deletions
diff --git a/.config/bat/config b/.config/bat/config index 3334823..329b5c9 100644 --- a/.config/bat/config +++ b/.config/bat/config @@ -24,4 +24,4 @@ --map-syntax "*.ino:C++" --map-syntax ".ignore:Git Ignore" ---style="numbers,changes,header,rule,grid,snip" +--style="full" diff --git a/.newsboat/urls b/.newsboat/urls index 1cae29e..e60118a 100644 --- a/.newsboat/urls +++ b/.newsboat/urls @@ -18,6 +18,7 @@ https://rssgen.terminaldweller.com/?action=display&bridge=TwitterBridge&context= https://rssgen.terminaldweller.com/?action=display&bridge=TwitterBridge&context=By+username&u=binance&norep=on&noretweet=on&nopinned=on&nopic=on&noimg=on&noimgscaling=on&format=Atom "~binance"_("Twitter") https://rssgen.terminaldweller.com/?action=display&bridge=TwitterBridge&context=By+username&u=igor_chubin&norep=on&noretweet=on&nopinned=on&nopic=on&noimg=on&noimgscaling=on&format=Atom "~igor_chubin"_("Twitter") https://rssgen.terminaldweller.com/?action=display&bridge=TwitterBridge&context=By+username&u=TheBlock__&norep=on&noretweet=on&nopinned=on&nopic=on&noimg=on&noimgscaling=on&format=Atom "~the_block"_("Twitter") +https://rssgen.terminaldweller.com/?action=display&bridge=TwitterBridge&context=By+username&u=whale_alert&norep=on&noretweet=on&nopinned=on&nopic=on&noimg=on&noimgscaling=on&format=Atom "~whatle_alert"_("Twitter") # (Youtube) # Horror @@ -252,6 +252,7 @@ Plug 'goerz/jupytext.vim' " Plug 'gcmt/wildfire.vim' " Plug 'luochen1990/rainbow' " Plug 'voldikss/vim-floaterm' +" Plug 'fidian/hexmode' call plug#end() filetype plugin indent on 
@@ -178,7 +178,7 @@ alias pwsh="/mnt/c/Program\ Files/PowerShell/7/pwsh.exe" alias wincmd="/mnt/c/Windows/System32/runas.exe /profile /user:administrator cmd.exe" alias xonshrc="vim ~/scripts/.xonshrc" alias fixxonshrc="cp ~/scripts/.xonshrc ~/.xonshrc" -alias deviphone="ssh u0_a601@deviphone.lan -p 8022" +alias deviphone="ssh -p 8022 u0_a601@farzad-s-galaxy-a51.lan" alias rpiz2="ssh 192.168.1.205 -l pi" alias rpiz13="ssh 192.168.1.101 -l root" alias moshvpn="mosh rooot@192.99.102.52 --ssh='ssh -p 1022'" @@ -292,7 +292,7 @@ alias swe_proxy="proxychains4 -q -f ~/proxies/swe/proxychains.conf" alias ir_proxy="proxychains4 -q -f ~/proxies/ir/proxychains.conf" alias ice_proxy="proxychains4 -q -f ~/proxies/ice/proxychains.conf" alias tor_carrier_proxy="proxychains4 -q -f ~/proxies/tor_carrier/proxychains.conf" -alias glow="glow -s ~/.config/glow/dark.json -p" +alias glow="glow --style ~/.config/glow/dark.json --pager --local" alias nmap="grc nmap" alias fdisk="grc fdisk" alias blkid="grc blkid" @@ -300,12 +300,19 @@ alias b="buku --suggest" alias whois="grc whois -H" alias scapy="scapy -H" alias dg="grc /usr/bin/dig" +alias lsof="grc lsof" +alias xxd="xxd -g 2 -E -u -c 32" +alias torcurl="curl --user-agent '' --sock5-hostname localhost:9053" # change the 4th terminal color to #0000ff # echo -e '\e]P40000ff' # reset all # echo -e '\e]R' +# mdcat(){ +# mdcat --fail --local "$@" | bat +# } + get_domain_dns_records() { jcurl -X GET -H "Accept: application/json" -H "Authorization: $(cat ~/scripts/arvan-api-key)" "https://napi.arvancloud.com/cdn/4.0/domains/terminaldweller.com/dns-records" } @@ -667,6 +674,10 @@ xcurl() { curl "$@" | xml_pp | pygmentize -l xml -P style=$PYGMENTIZE_STYLE } +hcurl() { + torsocks --port 9054 curl -i -D /dev/stderr --user-agent 'Chrome/79' "https://papers.ssrn.com/sol3/papersstract_id=1925128" "$@" | pygmentize -l html -P style=$PYGMENTIZE_STYLE +} + # these i stole from junegunn to try out fzf_gf() { is_in_git_repo || return 
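Review bot: `alias torcurl=...` in the `@@ -300` hunk passes `--sock5-hostname`, which is not a curl option (the flag is `--socks5-hostname`), so every use of the alias fails before a request is sent; change it to `alias torcurl="curl --user-agent '' --socks5-hostname localhost:9053"`. In the `xxd` alias on the line above, `-E` switches the text column to EBCDIC — if a little-endian dump was meant, that is lowercase `-e`. A short trailing comment such as `# empty UA: curl sends no User-Agent header` would also record why `--user-agent ''` is there, assuming that is the intent.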
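Review bot: `hcurl` in the `@@ -667` hunk hard-codes a papers.ssrn.com URL ahead of `"$@"`, so every call fetches that page in addition to whatever the caller passes; it reads like a leftover from testing and the function should reduce to `torsocks --port 9054 curl -i -D /dev/stderr --user-agent 'Chrome/79' "$@" | pygmentize -l html -P style="$PYGMENTIZE_STYLE"`. `-i` and `-D /dev/stderr` both emit the response headers, so they show up in the highlighted output and on stderr at once — one of the two is probably enough. `$PYGMENTIZE_STYLE` is unquoted here and in `xcurl` just above; quoting it in both keeps the two helpers consistent. The pipeline's exit status is pygmentize's, so a failed curl is not visible to the caller unless `pipefail` is set elsewhere in the file.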
diff --git a/bin/get_random_ua.sh b/bin/get_random_ua.sh new file mode 100755 index 0000000..3737a89 --- /dev/null +++ b/bin/get_random_ua.sh @@ -0,0 +1,53 @@ +#!/usr/bin/env sh + +USER_AGENT_PATH=/home/devi/devi/List-of-user-agents +ANDY_FILE="Android+Webkit+Browser.txt" +OPERA_FILE="Opera.txt" +FFOX_FILE="Firefox.txt" +IE_FILE="Internet+Explorer.txt" +CHROME_FILE="Chrome.txt" +EDGE_FILE="Edge.txt" +SAFARI_FILE="Safari.txt" + +get_ua() { + if [ "$1" = "andy" ]; then + UA_FILE="${USER_AGENT_PATH}"/"${ANDY_FILE}" + elif [ "$1" = "opera" ]; then + UA_FILE="${USER_AGENT_PATH}"/"${OPERA_FILE}" + elif [ "$1" = "ffox" ]; then + UA_FILE="${USER_AGENT_PATH}"/"${FFOX_FILE}" + elif [ "$1" = "ie" ]; then + UA_FILE="${USER_AGENT_PATH}"/"${IE_FILE}" + elif [ "$1" = "chrome" ]; then + UA_FILE="${USER_AGENT_PATH}"/"${CHROME_FILE}" + elif [ "$1" = "edge" ]; then + UA_FILE="${USER_AGENT_PATH}"/"${EDGE_FILE}" + elif [ "$1" = "safari" ]; then + UA_FILE="${USER_AGENT_PATH}"/"${SAFARI_FILE}" + elif [ "$1" = "all" ]; then + cat ${USER_AGENT_PATH}/${ANDY_FILE} \ + ${USER_AGENT_PATH}/${OPERA_FILE} \ + ${USER_AGENT_PATH}/${FFOX_FILE} \ + ${USER_AGENT_PATH}/${IE_FILE} \ + ${USER_AGENT_PATH}/${CHROME_FILE} \ + ${USER_AGENT_PATH}/${EDGE_FILE} \ + ${USER_AGENT_PATH}/${SAFARI_FILE} \ + > /tmp/random_uas_concat + UA_FILE="/tmp/random_uas_concat" + else + echo "error: unknown kind. must be one of andy,opera,ffox,ie,chrome,edge,safari,all" + exit 1 + fi + + shuf -n 1 "${UA_FILE}" +} + +if [ "$1" = "--help" ]; then + echo "prints a random user agent string." + echo "you can specify a --kind to get a random user agent of a specific browser." + echo "currently the valid values are: andy,opera,ffox,ie,chrome,edge,safari,all" +elif [ "$1" = "--kind" ]; then + get_ua "$2" +else + get_ua all +fi diff --git a/db/mongo/build_db.js b/db/mongo/build_db.js index 2483347..a50162e 100644 --- a/db/mongo/build_db.js +++ b/db/mongo/build_db.js 
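Review bot: The `all` branch of `get_ua` writes the concatenated lists to the fixed path `/tmp/random_uas_concat`, a predictable name in a shared directory; a symlink or file planted there by another local user is followed by the `>` redirection and then read back by `shuf`. Use `UA_FILE=$(mktemp) || exit 1` and `trap 'rm -f -- "${UA_FILE}"' EXIT` before the `cat`, redirect to `> "${UA_FILE}"`, and drop the `UA_FILE="/tmp/random_uas_concat"` assignment — or avoid the temp file entirely with `cat … | shuf -n 1`. The error message in the `else` arm goes to stdout, so a caller doing `UA=$(get_random_ua.sh --kind foo)` captures it as a user-agent string; send it to stderr with `>&2`. The `cat` arguments are unquoted, which only stays safe while the list file names contain no whitespace.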
@@ -92,7 +92,7 @@ db.mangas.updateOne( { _id: mangas_id }, { $set: { - "gantz:e": "https://manganato.com/manga-ho984623", + "at the mountains of madness": "https://manganato.com/manga-ct979576", }, } ); diff --git a/kubernetes/bitlbee-purple/docker-compose.yaml b/kubernetes/bitlbee-purple/docker-compose.yaml new file mode 100644 index 0000000..84e1842 --- /dev/null +++ b/kubernetes/bitlbee-purple/docker-compose.yaml @@ -0,0 +1,27 @@ +version: "3" +services: + bitlbee: + image: ezkrg/bitlbee-libpurple:debian-20220408145536 + networks: + - bitlbeenet + ports: + - "7777:6667" + restart: unless-stopped + user: "101:101" + volumes: + - ./bitlbee.conf:/var/lib/bitlbee/bitlbee.conf:ro + - bitlbeedata:/bitlbee-user-data + entrypoint: ["/usr/sbin/bitlbee"] + command: ["-F", "-n", "-u", "bitlbee", "-c", "/var/lib/bitlbee/bitlbee.conf","-d","/bitlbee-user-data"] + env_file: + - .env + cap_drop: + - ALL + cap_add: + - CHOWN + - SETGID + - SETUID +networks: + bitlbeenet: +volumes: + bitlbeedata: diff --git a/kubernetes/postgres/postgres-deployment.yaml b/kubernetes/postgres/postgres-deployment.yaml index 2711117..41d4942 100644 --- a/kubernetes/postgres/postgres-deployment.yaml +++ b/kubernetes/postgres/postgres-deployment.yaml @@ -52,7 +52,7 @@ spec: optional: false volumeMounts: - name: postgres-data - mountPath: /var/lib/postgres/data + mountPath: /var/lib/postgresql/data volumes: - name: postgres-data persistentVolumeClaim: @@ -47,3 +47,4 @@ irancell 196242684 rust tutorial https://www.youtube.com/watch?v=ygL_xcavzQ4 https://wms.cs.kuleuven.be/cs/studeren/master-artificial-intelligence/MAI_SIP/masters-thesis/thesis-topic-proposals https://www.ssllabs.com/ssltest +ntfs-3g diff --git a/redirector/Redirector.json b/redirector/Redirector.json new file mode 100644 index 0000000..3aa64fc --- /dev/null +++ b/redirector/Redirector.json 
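Review bot: In the `bitlbee` service `user: "101:101"` and the `cap_add` list work against each other: the process starts unprivileged, so CHOWN/SETUID/SETGID in the bounding set are not usable by a non-root process (unless the image relies on file capabilities, which the compose file cannot show), and bitlbee's `-u bitlbee` switch has no privilege left to drop. Pick one model — keep `user:` and delete the `cap_add` block, leaving `cap_drop: ALL`, or remove `user:` and let `-u bitlbee` perform the drop. `security_opt: ["no-new-privileges:true"]` is a cheap addition in either case. `"7777:6667"` binds the IRC listener on every host interface; if it is only used from the host, `"127.0.0.1:7777:6667"` limits exposure without changes to bitlbee.conf.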
@@ -0,0 +1,57 @@ +{ + "createdBy": "Redirector v3.5.3", + "createdAt": "2022-11-29T07:44:23.356Z", + "redirects": [ + { + "description": "medium redirect", + "exampleUrl": "https://medium.com/zocdoc-engineering/monorepo-magic-escaping-version-hell-by-decoupling-dependencies-46e817073bdf", + "exampleResult": "https://scribe.rip/zocdoc-engineering/monorepo-magic-escaping-version-hell-by-decoupling-dependencies-46e817073bdf", + "error": null, + "includePattern": "https://medium.com/*", + "excludePattern": "", + "patternDesc": "", + "redirectUrl": "https://scribe.rip/$1", + "patternType": "W", + "processMatches": "noProcessing", + "disabled": false, + "grouped": false, + "appliesTo": [ + "main_frame" + ] + }, + { + "description": "reddit redirect", + "exampleUrl": "https://www.reddit.com/r/voidlinux/", + "exampleResult": "https://teddit.net/r/voidlinux/", + "error": null, + "includePattern": "https://www.reddit.com/*", + "excludePattern": "", + "patternDesc": "", + "redirectUrl": "https://teddit.net/$1", + "patternType": "W", + "processMatches": "noProcessing", + "disabled": false, + "grouped": false, + "appliesTo": [ + "main_frame" + ] + }, + { + "description": "medium redirect", + "exampleUrl": "https://dreamume.medium.com/leetcode-458-poor-pigs-adc1bef981c1", + "exampleResult": "https://scribe.rip/leetcode-458-poor-pigs-adc1bef981c1", + "error": null, + "includePattern": "https://*.medium.com/*", + "excludePattern": "", + "patternDesc": "", + "redirectUrl": "https://scribe.rip/$2", + "patternType": "W", + "processMatches": "noProcessing", + "disabled": true, + "grouped": false, + "appliesTo": [ + "main_frame" + ] + } + ] +}
\ No newline at end of file diff --git a/seccomp/bwrap_generator.sh b/seccomp/bwrap_generator.sh new file mode 100755 index 0000000..53b3d0c --- /dev/null +++ b/seccomp/bwrap_generator.sh @@ -0,0 +1,25 @@ +#!/usr/bin/env dash + +TEMP_LOG=/tmp/seccomp_logging_filter.bpf + +get_sos() { + SO_LIST=$(ldd "$1" | awk '{print $3}') + for SO in ${SO_LIST}; do + echo --ro-bind "${SO}" "${SO} \\" + done +} + +make && ./seccomp_filter --filter logging > ${TEMP_LOG} + +echo "env -i \\" +echo "bwrap \\" +echo "--unshare-all --share-net \\" +get_sos "$@" +echo "--uid $(id -u) \\" +echo "--gid $(id -g) \\" +echo "--chdir ${SANDBOX_DIR_NAME} \\" +echo "--bind $1 ${SANDBOX_DIR_NAME} \\" +echo "--setenv HTTP_PROXY socks5h://192.168.1.214 \\" +echo "--setenv HTTPS_PROXY socks5h://192.168.1.214 \\" +echo "--setenv NO_PROXY 10.0.0.0/8,localhost,127.0.0.1/8,192.168.0.0/16 \\" +echo "--seccomp 10 10<${TEMP_LOG} \\" diff --git a/seccomp/makefile b/seccomp/makefile new file mode 100644 index 0000000..35da2cd --- /dev/null +++ b/seccomp/makefile 
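Review bot: `get_sos` takes column 3 of every `ldd` line, but on glibc the `linux-vdso.so.1 (0x…)` and `/lib64/ld-linux-x86-64.so.2 (0x…)` lines carry a load address in that column, so the generated command contains bogus `--ro-bind (0x…) (0x…)` entries while the dynamic loader itself is never bound; restrict the list to real mappings with `awk '$2 == "=>" && $3 ~ /^\// {print $3}'` and bind the loader path separately. ldd obtains that list by running the program's interpreter, which the ldd(1) page warns against for binaries you do not trust — and an untrusted binary is exactly the input of a sandbox generator — so `objdump -p "$1" | grep NEEDED`, resolved through `ldconfig -p`, is the safer source. `TEMP_LOG` is a fixed name in /tmp that the sandbox's seccomp filter is later read from via `--seccomp 10 10<${TEMP_LOG}`, so whoever can write that path controls the filter; `TEMP_LOG=$(mktemp) || exit 1` closes that. `${SANDBOX_DIR_NAME}` is never assigned in the script, so unless the caller exports it `--chdir` and `--bind` are emitted with empty arguments; `: "${SANDBOX_DIR_NAME:?must be set}"` near the top makes the requirement explicit.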
@@ -0,0 +1,237 @@ +TARGET?=seccomp_filter +SHELL=bash +SHELL?=bash +CC=clang +CC?=clang +ifdef OS +CC_FLAGS= +else +CC_FLAGS=-fpic +endif +CC_EXTRA?= +CTAGS_I_PATH?=./ +LD_FLAGS=-lseccomp +EXTRA_LD_FLAGS?= +ADD_SANITIZERS_CC= -g -fsanitize=address -fno-omit-frame-pointer +ADD_SANITIZERS_LD= -g -fsanitize=address +MEM_SANITIZERS_CC= -g -fsanitize=memory -fno-omit-frame-pointer +MEM_SANITIZERS_LD= -g -fsanitize=memory +UB_SANITIZERS_CC= -g -fsanitize=undefined -fno-omit-frame-pointer +UB_SANITIZERS_LD= -g -fsanitize=undefined +FUZZ_SANITIZERS_CC= -fsanitize=fuzzer,address -g -fno-omit-frame-pointer +FUZZ_SANITIZERS_LD= -fsanitize=fuzzer,address -g -fno-omit-frame-pointer +COV_CC= -fprofile-instr-generate -fcoverage-mapping +COV_LD= -fprofile-instr-generate +# BUILD_MODES are=RELEASE(default), DEBUG,ADDSAN,MEMSAN,UBSAN,FUZZ +BUILD_MODE?=RELEASE +#EXCLUSION_LIST='(\bdip)|(\bdim)' +EXCLUSION_LIST='xxxxxx' +OBJ_LIST:=$(patsubst %.c, %.o, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +OBJ_COV_LIST:=$(patsubst %.c, %.ocov, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +OBJ_DBG_LIST:=$(patsubst %.c, %.odbg, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +ASM_LIST:=$(patsubst %.c, %.s, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +WASM_LIST:=$(patsubst %.c, %.wasm, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +WAST_LIST:=$(patsubst %.c, %.wast, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +IR_LIST:=$(patsubst %.c, %.ir, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +JS_LIST:=$(patsubst %.c, %.js, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) +AST_LIST:=$(patsubst %.c, %.ast, $(shell find . -name '*.c' | grep -Ev $(EXCLUSION_LIST))) + +ifeq ($(BUILD_MODE), ADDSAN) +ifeq ($(CC), gcc) +$(error This build mode is only useable with clang.) 
+endif +CC_EXTRA+=$(ADD_SANITIZERS_CC) +EXTRA_LD_FLAGS+=$(ADD_SANITIZERS_LD) +endif + +ifeq ($(BUILD_MODE), MEMSAN) +ifeq ($(CC), gcc) +$(error This build mode is only useable with clang.) +endif +CC_EXTRA+=$(MEM_SANITIZERS_CC) +EXTRA_LD_FLAGS+=$(MEM_SANITIZERS_LD) +endif + +ifeq ($(BUILD_MODE), UBSAN) +ifeq ($(CC), gcc) +$(error This build mode is only useable with clang.) +endif +CC_EXTRA+=$(UB_SANITIZERS_CC) +EXTRA_LD_FLAGS+=$(UB_SANITIZERS_LD) +endif + +ifeq ($(BUILD_MODE), FUZZ) +ifeq ($(CXX), g++) +$(error This build mode is only useable with clang++.) +endif +CXX_EXTRA+=$(FUZZ_SANITIZERS_CC) +EXTRA_LD_FLAGS+=$(FUZZ_SANITIZERS_LD) +endif + +SRCS:=$(wildcard *.c) +HDRS:=$(wildcard *.h) +CC_FLAGS+=$(CC_EXTRA) +LD_FLAGS+=$(EXTRA_LD_FLAGS) + +.DEFAULT:all + +.PHONY:all clean help ASM SO TAGS WASM JS IR WAST A ADBG AST cppcheck DOCKER + +all:$(TARGET) + +everything:$(TARGET) A ASM SO $(TARGET)-static $(TARGET)-dbg ADBG TAGS $(TARGET)-cov WASM JS IR WAST AST DOCKER + +depend:.depend + +.depend:$(SRCS) + rm -rf .depend + $(CC) -MM $(CC_FLAGS) $^ > ./.depend + echo $(patsubst %.o:, %.odbg:, $(shell $(CC) -MM $(CC_FLAGS) $^)) | sed -r 's/[A-Za-z0-9\-\_]+\.odbg/\n&/g' >> ./.depend + echo $(patsubst %.o:, %.ocov:, $(shell $(CC) -MM $(CC_FLAGS) $^)) | sed -r 's/[A-Za-z0-9\-\_]+\.ocov/\n&/g' >> ./.depend + +-include ./.depend + +.c.o: + $(CC) $(CC_FLAGS) -c $< -o $@ + +%.odbg:%.c + $(CC) $(CC_FLAGS) -g -c $< -o $@ + +%.ocov:%.c + $(CC) $(CC_FLAGS) $(COV_CC) -c $< -o $@ + +$(TARGET): $(OBJ_LIST) + $(CC) $(LD_FLAGS) $^ -o $@ + +$(TARGET)-static: $(OBJ_LIST) + $(CC) $(LD_FLAGS) $^ -static -o $@ + +$(TARGET)-dbg: $(OBJ_DBG_LIST) + $(CC) $(LD_FLAGS) $^ -g -o $@ + +$(TARGET)-cov: $(OBJ_COV_LIST) + $(CC) $(LD_FLAGS) $^ $(COV_LD) -o $@ + +cov: runcov + @llvm-profdata merge -sparse ./default.profraw -o ./default.profdata + @llvm-cov show $(TARGET)-cov -instr-profile=default.profdata + +covrep: runcov + @llvm-profdata merge -sparse ./default.profraw -o ./default.profdata + 
@llvm-cov report $(TARGET)-cov -instr-profile=default.profdata + +ASM:$(ASM_LIST) + +SO:$(TARGET).so + +A:$(TARGET).a + +ADBG:$(TARGET).adbg + +IR:$(IR_LIST) + +WASM:$(WASM_LIST) + +WAST:$(WAST_LIST) + +JS:$(JS_LIST) + +AST:$(AST_LIST) + +TAGS:tags + +#https://github.com/rizsotto/Bear +BEAR: clean + bear -- make + +tags:$(SRCS) + $(shell $(CC) -c -I $(CTAGS_I_PATH) -M $(SRCS)|\ + sed -e 's/[\\ ]/\n/g'|sed -e '/^$$/d' -e '/\.o:[ \t]*$$/d'|\ + ctags -L - --c++-kinds=+p --fields=+iaS --extra=+q) + +%.s: %.c + $(CC) -S $< -o $@ + # objdump -r -d -M intel -S $< > $@ + +%.ir: %.c + $(CC) -emit-llvm -S -o $@ $< + +%.wasm: %.c + emcc $< -o $@ + +%.wast: %.wasm + wasm2wat $< > $@ + +%.js: %.c + emcc $< -s FORCE_FILESYSTEM=1 -s EXIT_RUNTIME=1 -o $@ + +%.ast: %.c + $(CC) -Xclang -ast-dump -fsyntax-only $< > $@ + +$(TARGET).so: $(OBJ_LIST) + $(CC) $(LD_FLAGS) $^ -shared -o $@ + +$(TARGET).a: $(OBJ_LIST) + ar rcs $(TARGET).a $(OBJ_LIST) + +$(TARGET).adbg: $(OBJ_DBG_LIST) + ar rcs $(TARGET).adbg $(OBJ_DBG_LIST) + +runcov: $(TARGET)-cov + "./$(TARGET)-cov" + +test: $(TARGET) + "./$(TARGET)" + +run: $(TARGET) + "./$(TARGET)" + +valgrind: $(TARGET) + - valgrind --track-origins=yes --leak-check=full --show-leak-kinds=all "./$(TARGET)" + +cppcheck: + cppcheck $(SRCS) + +rundbg: $(TARGET)-dbg + gdb --batch --command=./debug.dbg --args "./$(TARGET)-dbg" + +format: + - clang-format -i $(SRCS) $(HDRS) + +DOCKER: Dockerfile + docker build -t proto ./ + +clean: + - rm -f *.o *.s *.odbg *.ocov *.js *.ir *~ $(TARGET) $(TARGET).so $(TARGET)-static \ + $(TARGET)-dbg $(TARGET).a $(TARGET)-cov *.wasm *.wast $(TARGET).adbg *.ast + +deepclean: clean + - rm tags + - rm .depend + - rm ./default.profraw ./default.profdata + - rm vgcore.* + - rm compile_commands.json + - rm *.gch + +help: + @echo "--all is the default target, runs $(TARGET) target" + @echo "--everything will build everything" + @echo "--SO will generate the so" + @echo "--ASM will generate assembly files" + @echo "--TAGS will generate 
tags file" + @echo "--BEAR will generate a compilation database" + @echo "--IR will generate llvm IR" + @echo "--JS will make the js file" + @echo "--AST will make the llvm ast file" + @echo "--WASM will make the wasm file" + @echo "--WAST will make the wasm text debug file" + @echo "--$(TARGET) builds the dynamically-linked executable" + @echo "--$(TARGET)-dbg will generate the debug build. BUILD_MODE should be set to DEBUG to work" + @echo "--$(TARGET)-static will statically link the executable to the libraries" + @echo "--$(TARGET)-cov is the coverage build" + @echo "--cov will print the coverage report" + @echo "--covrep will print the line coverage report" + @echo "--A will build the static library" + @echo "--TAGS will build the tags file" + @echo "--clean" + @echo "--deepclean will clean almost everything" diff --git a/seccomp/seccomp_filter.c b/seccomp/seccomp_filter.c new file mode 100644 index 0000000..89ea917 --- /dev/null +++ b/seccomp/seccomp_filter.c 
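Review bot: The link recipes place `$(LD_FLAGS)` (which carries `-lseccomp`) before the objects, e.g. `$(CC) $(LD_FLAGS) $^ -o $@` for `$(TARGET)`; on toolchains that link with `--as-needed` by default the library is scanned before any object references its symbols and is dropped, leaving unresolved `seccomp_*` references. Move libraries after the objects: `$(CC) $^ $(LD_FLAGS) -o $@`, and likewise for the `-static`, `-dbg`, `-cov` and `.so` recipes. The `FUZZ` mode tests `$(CXX)` and appends to `CXX_EXTRA`, which nothing in this C-only makefile consumes (`CC_FLAGS+=$(CC_EXTRA)`), so `BUILD_MODE=FUZZ` silently builds without the fuzzer sanitizer; it should use `CC`/`CC_EXTRA` like the other modes. `SHELL?=bash` and `CC?=clang` immediately after the unconditional `SHELL=bash`/`CC=clang` are no-ops; if an environment override was intended, keep only the `?=` forms.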
@@ -0,0 +1,75 @@ +#include <errno.h> +#include <fcntl.h> +#include <inttypes.h> +#include <seccomp.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> + +void log_all_syscalls(void) { + scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_LOG); + seccomp_arch_add(ctx, SCMP_ARCH_X86_64); + seccomp_export_bpf(ctx, 1); + seccomp_export_pfc(ctx, 2); + seccomp_release(ctx); +} + +int log_current_seccomp(void) { + int rc = -1; + scmp_filter_ctx ctx; + int filter_fd; + + ctx = seccomp_init(SCMP_ACT_KILL); + if (ctx == NULL) + goto out; + + filter_fd = open("/tmp/seccomp_filter.bpf", + O_CREAT | O_WRONLY | O_NOFOLLOW | O_TRUNC, S_IRWXU); + if (filter_fd == -1) { + rc = -errno; + goto out; + } + + rc = seccomp_export_bpf(ctx, filter_fd); + if (rc < 0) { + close(filter_fd); + goto out; + } + close(filter_fd); + + filter_fd = open("/tmp/seccomp_filter.pfc", + O_CREAT | O_WRONLY | O_NOFOLLOW | O_TRUNC, S_IRWXU); + if (filter_fd == -1) { + rc = -errno; + goto out; + } + + rc = seccomp_export_pfc(ctx, filter_fd); + if (rc < 0) { + close(filter_fd); + goto out; + } + close(filter_fd); + +out: + seccomp_release(ctx); + return -rc; +} + +int main(int argc, char **argv) { + if (argc == 3) { + if (!strcmp("--filter", argv[1])) { + if (!strcmp("current", argv[2])) { + log_current_seccomp(); + } else if (!strcmp("logging", argv[2])) { + log_all_syscalls(); + } else { + } + } + } else { + printf("going with the default filter kind which is logging.\n"); + log_all_syscalls(); + } +} diff --git a/stylus/manganato_sepia.css b/stylus/manganato_sepia.css index f168003..0712029 100644 --- a/stylus/manganato_sepia.css +++ b/stylus/manganato_sepia.css @@ -1,6 +1,6 @@ @-moz-document domain("readmanganato.com"), domain("chapmanganato.com") { img { - filter: sepia(1) brightness(0.7) contrast(0.9) saturate(0.9); + filter: sepia(1) brightness(0.5) contrast(1) saturate(0.6); } img:hover { 
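Review bot: `log_all_syscalls` never checks `seccomp_init` or the two export calls, so when either fails it prints nothing and the program still exits 0; `bwrap_generator.sh` in this commit redirects that stdout into the file later handed to `bwrap --seccomp`, so a silent failure becomes an empty filter file. Give it a return value (rewrite below) and have `main` return it. The empty `else` in `main` and the non-`--filter` argv[1] case also exit 0 without doing anything; print a usage line to stderr and `return 2;` there instead. In `log_current_seccomp` the fixed `/tmp/seccomp_filter.{bpf,pfc}` paths are opened with `O_NOFOLLOW` but not `O_EXCL`, so a regular file planted there by another local user is truncated and reused, and `S_IRWXU` marks a data file executable — `S_IRUSR | S_IWUSR` is enough; that function also builds a fresh `SCMP_ACT_KILL` filter rather than reading the process's active one, so the name `current` is misleading and deserves a comment.
```c
/* Emit a log-everything filter: BPF on stdout, PFC listing on stderr.
 * Returns 0 on success, a positive errno value on failure. */
int log_all_syscalls(void) {
  int rc;
  scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_LOG);
  if (ctx == NULL)
    return ENOMEM;
  /* ignored on purpose: returns -EEXIST when x86_64 is already in the filter */
  seccomp_arch_add(ctx, SCMP_ARCH_X86_64);
  rc = seccomp_export_bpf(ctx, STDOUT_FILENO);
  if (rc == 0)
    rc = seccomp_export_pfc(ctx, STDERR_FILENO);
  seccomp_release(ctx);
  return -rc;
}
```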
diff --git a/terminaldweller.com/browsh/nginx.conf b/terminaldweller.com/browsh/nginx.conf new file mode 100644 index 0000000..eb40f31 --- /dev/null +++ b/terminaldweller.com/browsh/nginx.conf @@ -0,0 +1,40 @@ +events { + worker_connections 1024; +} +http { + include /etc/nginx/mime.types; + server_tokens off; + limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; + server { + listen 443 ssl http2; + keepalive_timeout 60; + charset utf-8; + ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_certificate /certs/fullchain1.pem; + ssl_certificate_key /certs/privkey1.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; + ssl_prefer_server_ciphers on; + sendfile on; + tcp_nopush on; + # add_header X-Content-Type-Options "nosniff" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' unpkg.com cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' unpkg.com cdnjs.cloudflare.com; connect-src *;"; + # add_header X-Frame-Options SAMEORIGIN always; + # add_header X-XSS-Protection "1; mode=block" always; + # add_header Permissions-Policy "geolocation=(self),midi=(self),sync-xhr=(self),microphone=(self),camera=(self),magnetometer=(self),gyroscope=(self),fullscreen=(self),payment=(self),usb=(self)"; + # add_header Referrer-Policy "no-referrer"; + fastcgi_hide_header X-Powered-By; + resolver 9.9.9.9 208.67.222.222; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /certs/cert1.pem; + + error_page 401 403 404 /404.html; + location / { + proxy_pass http://browsh:4333; + } + } +} 
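Review bot: `limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;` is declared but no `limit_req zone=one` appears in the `server` or `location /` block, so the rate limit is never applied; the rss-bridge config in this commit has the same gap. Add `limit_req zone=one burst=10 nodelay;` inside `location /` (the burst value is a constructed example). The `ssl_ciphers` string begins with `HIGH`, and OpenSSL does not reorder a suite already selected by an earlier keyword when it is named again later, so the explicit ECDHE/DHE list after `HIGH:!aNULL:!MD5` changes nothing and the non-PFS and CBC members of HIGH stay on offer; list the intended suites first or drop `HIGH` (this also applies to the cargo and rss-bridge configs here). `ssl_trusted_certificate /certs/cert1.pem` backs `ssl_stapling_verify`, which needs the issuer chain rather than the leaf; if these files follow certbot's naming, `chain1.pem` is the file to point at.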
diff --git a/terminaldweller.com/cargo/nginx.conf b/terminaldweller.com/cargo/nginx.conf index eafeeee..bec87f2 100644 --- a/terminaldweller.com/cargo/nginx.conf +++ b/terminaldweller.com/cargo/nginx.conf @@ -5,10 +5,17 @@ http { server { listen 8080 ssl http2; keepalive_timeout 70; - ssl_certificate /certs/cert1.pem; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + ssl_certificate /certs/fullchain1.pem; ssl_certificate_key /certs/privkey1.pem; ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; + add_header Content-Security-Policy "default-src 'self';"; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "no-referrer"; sendfile on; tcp_nopush on; diff --git a/terminaldweller.com/cgit/cgit.conf b/terminaldweller.com/cgit/cgit.conf index e180158..82a9877 100644 --- a/terminaldweller.com/cgit/cgit.conf +++ b/terminaldweller.com/cgit/cgit.conf 
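Review bot: The new `add_header Content-Security-Policy "default-src 'self';"` and `add_header Referrer-Policy "no-referrer";` lines omit `always`, unlike the HSTS, X-Frame-Options, X-Content-Type-Options and X-XSS-Protection lines beside them; without it nginx attaches the header only to 2xx/3xx responses, so error pages go out with no CSP or referrer policy. Append `always` to both for consistency. Worth a one-line comment that `add_header` directives are not inherited into any `location` block that declares its own `add_header`; the rest of this `server` block is outside the hunk, so whether that bites here cannot be confirmed.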
@@ -1,10 +1,19 @@ -server.modules += ( "mod_cgi", "mod_rewrite", "mod_openssl" ) +server.modules += ( "mod_cgi", "mod_rewrite", "mod_openssl", "mod_setenv" ) $SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/certs/fullchain1.pem" ssl.privkey = "/etc/certs/privkey1.pem" + setenv.add-response-header = ( + "Strict-Transport-Security"=>"max-age=63072000; includeSubdomains", + "X-Frame-Options"=>"DENY", + "X-XSS-Protection"=>"1; mode=block", + "X-Content-Type-Options" => "nosniff", + "Content-Security-Policy" => "script-src 'self'; object-src 'self'", + "X-Permitted-Cross-Domain-Policies" => "none", + "Referrer-Policy" => "no-referrer") + server.name = "git.terminaldweller.com" server.document-root = "/usr/share/webapps/cgit/" diff --git a/terminaldweller.com/ejabberd/ejabberd.yml b/terminaldweller.com/ejabberd/ejabberd.yml index 228ac6d..815d702 100644 --- a/terminaldweller.com/ejabberd/ejabberd.yml +++ b/terminaldweller.com/ejabberd/ejabberd.yml @@ -1,7 +1,7 @@ hosts: - jabber.terminaldweller.com -auth_method: internal +auth_method: internal auth_password_format: scram # pragma: allowlist secret # anonymous_protocol: both allow_multiple_connections: true 
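Review bot: The `Content-Security-Policy` value added under `setenv.add-response-header` sets only `script-src` and `object-src` with no `default-src`, so stylesheets, images, frames, fonts and connections stay unrestricted; if cgit's stylesheet and logo are served from this host, as is the default, `"default-src 'self'; script-src 'self'; object-src 'none'"` covers them (`'none'` for plugins unless cgit embeds any). `"X-Frame-Options"=>"DENY"` already blocks framing; `frame-ancestors 'none'` in the CSP states the same for browsers that ignore the older header. The server block continues past the hunk.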
@@ -16,6 +16,7 @@ define_macro: - "no_sslv3" - "no_tlsv1" - "no_tlsv1_1" + - "no_tlsv1_2" - "cipher_server_preference" - "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA" - "no_compression" @@ -200,7 +201,7 @@ max_fsm_queue: 10000 acme: # for auto ACME requests, we need this to be true auto: false - contact: + contact: - mailto:devi@terminaldweller.com ca_url: https://acme-v02.api.letsencrypt.org/directory diff --git a/terminaldweller.com/rss-bridge/nginx.conf b/terminaldweller.com/rss-bridge/nginx.conf new file mode 100644 index 0000000..b80883b --- /dev/null +++ b/terminaldweller.com/rss-bridge/nginx.conf 
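Review bot: Adding `"no_tlsv1_2"` to this macro leaves TLS 1.3 as the only protocol it permits; if the macro is applied to s2s as well as c2s (the rest of the file is outside the hunk), federation with peers that only negotiate TLS 1.2 stops, and older clients are cut off the same way. If that is deliberate, the cipher list on the next line is mostly dead weight — every `ECDHE-…`, `DHE-…`, `PSK-…`, `SRP-…` and `AES…-SHA` entry is a TLS 1.2 suite — and can be reduced to the three `TLS_*` suites; if it is not, drop the new line and prune the list to the PFS AEAD suites instead, since the non-PFS (`AES256-GCM-SHA384`), PSK, SRP and CBC entries remain offered as written. A one-line comment above the macro naming which listeners it applies to would make the intent reviewable.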
@@ -0,0 +1,40 @@ +events { + worker_connections 1024; +} +http { + include /etc/nginx/mime.types; + server_tokens off; + limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m; + server { + listen 443 ssl; + keepalive_timeout 60; + charset utf-8; + ssl_certificate /certs/fullchain1.pem; + ssl_certificate_key /certs/privkey1.pem; + ssl_ciphers HIGH:!aNULL:!MD5:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; + ssl_prefer_server_ciphers on; + # sendfile on; + tcp_nopush on; + add_header X-Content-Type-Options "nosniff" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header Content-Security-Policy "default-src 'self';"; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-XSS-Protection "1; mode=block" always; + # add_header Permissions-Policy "geolocation=(self),midi=(self),sync-xhr=(self),microphone=(self),camera=(self),magnetometer=(self),gyroscope=(self),fullscreen=(self),payment=(self),usb=(self)"; + add_header Referrer-Policy "no-referrer"; + fastcgi_hide_header X-Powered-By; + # resolver 9.9.9.9 208.67.222.222; + # ssl_stapling on; + # ssl_stapling_verify on; + ssl_trusted_certificate /certs/cert1.pem; + + error_page 401 403 404 /404.html; + location / { + proxy_pass http://rssbridge:80; + } + } +} diff --git a/tmux/date.sh b/tmux/date.sh index 1bfbc01..b3f6436 100755 --- a/tmux/date.sh +++ b/tmux/date.sh 
@@ -16,13 +16,15 @@ JDATE="#[fg=colour255 bg=colour29]"$(jdate | gawk '{print $2" "$3}') # OPENWEATHERMAP_TOKEN=$(jq -r ".token" < /home/devi/scripts/tmux/openweathermap.json) # WEATHER_INFO=$(sleep 120 && proxychains4 -q -f /home/devi/proxies/ice/proxychains.conf curl "https://api.openweathermap.org/data/2.5/weather?q=Tehran&appid=${OPENWEATHERMAP_TOKEN}&units=metric"|jq ".main.temp") -WEATHER_INFO=$(curl 'wttr.in/tehran?T&format=%f') +WEATHER_INFO=$(proxychains4 -f ~/proxies/ice/proxychains.conf curl 'wttr.in/tehran?T&format=%f') if echo "${WEATHER_INFO}" | grep Unknown\ location; then WEATHER="#[fg=colour255 bg=colour32]"no_temp else WEATHER="#[fg=colour255 bg=colour32]"${WEATHER_INFO} fi +date >> /tmp/time_counter + CPU_TEMP=$(sensors -j | jq .["\"coretemp-isa-0000\""]."\"Package id 0\"".temp1_input) CPU_SECTION="#[fg=colour36 bg=colour24]${SEPARATOR_LEFT_BOLD}#[fg=colour16 bg=colour36]${CPU_TEMP} C" BATTERY=$(upower -i "$(upower -e | grep 'BAT')" | grep -E "percentage" | awk '{print $2}') |