author | Tom Ryder <tom@sanctum.geek.nz> | 2020-06-28 16:31:30 +1200 |
---|---|---|
committer | Tom Ryder <tom@sanctum.geek.nz> | 2020-06-28 16:31:30 +1200 |
commit | 9af2aad89ece6b837a68d72d8c45ee560df8f26a (patch) | |
tree | 3706b279093ae7121501a4c0484ca2091487620a | |
parent | Merge branch 'hotfix/v9.26.1' (diff) | |
parent | Bump VERSION (diff) | |
download | dotfiles-9af2aad89ece6b837a68d72d8c45ee560df8f26a.tar.gz dotfiles-9af2aad89ece6b837a68d72d8c45ee560df8f26a.zip |
Merge branch 'release/v9.27.0'v9.27.0
* release/v9.27.0:
Use less intense logging for Newsboat
Add IP address hardening to Newsboat service
Add hardening to Newsboat
Add reload logs for Newsboat
Use better location for verse cache
Use blank value for default fortunes
Use long option in newsboat config file
Add hardening for systemd notify task
Define newsboat systemd service as oneshot
Define Newsboat systemd service as oneshot
Remove Tor dependency from Newsboat task
Simplify welcome.sh feature test
Apply XDG basedirs to welcome.sh
Use tabs in Mutt mailcap
Remove pgp_self_encrypt Mutt setting
-rw-r--r-- | VERSION | 4 | ||||
-rw-r--r-- | mutt/mailcap | 12 | ||||
-rw-r--r-- | mutt/muttrc | 1 | ||||
-rw-r--r-- | newsboat/systemd/user/reload-newsboat.service | 26 | ||||
-rw-r--r-- | sh/profile.d/welcome.sh | 20 | ||||
-rw-r--r-- | systemd/user/notify-email@.service | 13 |
6 files changed, 56 insertions, 20 deletions
@@ -1,2 +1,2 @@
-tejr dotfiles v9.26.1
-Sun, 21 Jun 2020 03:17:46 +0000
+tejr dotfiles v9.27.0
+Sun, 28 Jun 2020 04:31:26 +0000
diff --git a/mutt/mailcap b/mutt/mailcap
index 3ce21d24..ebf86c98 100644
--- a/mutt/mailcap
+++ b/mutt/mailcap
@@ -2,10 +2,10 @@
 # anyway and deal with it on a shell, or pass it to a GUI machine.
 #
 text/html; lynx -dump -force_html %s; \
- copiousoutput; \
- description=HTML; \
- nametemplate=%s.html
+ copiousoutput; \
+ description=HTML; \
+ nametemplate=%s.html
 application/pdf; pdftotext -layout -nopgbrk -q %s -; \
- copiousoutput; \
- description=PDF; \
- nametemplate=%s.pdf
+ copiousoutput; \
+ description=PDF; \
+ nametemplate=%s.pdf
diff --git a/mutt/muttrc b/mutt/muttrc
index 71b3ca25..ccd88412 100644
--- a/mutt/muttrc
+++ b/mutt/muttrc
@@ -172,7 +172,6 @@ set crypt_replysignencrypted
 # My kingdom for muttrc(5) conditionals...
 #
 set pgp_default_key = $GPG_KEYID
-set pgp_self_encrypt
 set postpone_encrypt
 # Always include OpenPGP header with the selected default key, regardless of
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index 24e4117c..981ef7bc 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -1,8 +1,30 @@
 [Unit]
 Description=fetch new Newsboat articles
 OnFailure=notify-email@%n
-After=tor.service
 ConditionPathExists=!%h/.local/share/newsboat/cache.db.lock
 [Service]
-ExecStart=newsboat -x reload
+Type=oneshot
+LogsDirectory=newsboat
+LogsDirectoryMode=0700
+ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=5
+# Hardening
+IPAddressDeny=any
+IPAddressAllow=localhost
+KeyringMode=private
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=~AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
+# Slowing
+Nice=10
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
diff --git a/sh/profile.d/welcome.sh b/sh/profile.d/welcome.sh
index 3cb420c5..19231c2e 100644
--- a/sh/profile.d/welcome.sh
+++ b/sh/profile.d/welcome.sh
@@ -14,15 +14,17 @@ esac
 (
 # Temporary helper function
 welcome() {
- [ -e "$HOME"/.config/welcome/"$1" ] || return
- command -v "$1" >/dev/null 2>&1 || return
+ test -e "${XDG_CONFIG_HOME:-"$HOME"/.config}"/welcome/"$1"
 }
 # Show a fortune
 if welcome fortune ; then
- if [ -z "$FORTUNE_PATH" ] &&
- [ -d "$HOME"/.local/share/games/fortunes ] ; then
- FORTUNE_PATH=$HOME/.local/share/games/fortunes
+ if [ -z "$FORTUNE_PATH" ] ; then
+ FORTUNE_PATH=${XDG_DATA_HOME:-$HOME}/.local/share/fortune
+ set -- "$FORTUNE_PATH"/*.dat
+ if ! [ -e "$1" ] ; then
+ FORTUNE_PATH=
+ fi
 fi
 fortune -s "$FORTUNE_PATH"
 printf '\n'
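Review bot: The two `RestrictAddressFamilies=` lines in the `# Hardening` block appear to cancel each other out: as I read systemd's merge rules for repeated assignments, the first un-prefixed line puts the option into allow-list mode and the following `~AF_UNIX` line then removes AF_UNIX from that list, leaving an empty allow-list, which is the same as `RestrictAddressFamilies=none`. That would deny every socket family, including the AF_INET/AF_INET6 loopback connections that `IPAddressAllow=localhost` is evidently meant to permit (the dropped `After=tor.service` suggests feeds are fetched through a local proxy), so the reload would fail on every feed rather than being hardened. If a plain allow-list is the intent, collapse the pair into one line, `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` (AF_UNIX is likely still needed for NSS name resolution), and confirm the effective value with `systemctl --user show reload-newsboat.service -p RestrictAddressFamilies`. A comment above `IPAddressAllow=localhost` recording why loopback-only is sufficient would also help, since the unit no longer names the proxy it depends on.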
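Review bot: The new default `FORTUNE_PATH=${XDG_DATA_HOME:-$HOME}/.local/share/fortune` appends `/.local/share/fortune` to both alternatives, so when `XDG_DATA_HOME` is set the path becomes `$XDG_DATA_HOME/.local/share/fortune`, which is not where the XDG spec places data and disagrees with the `${XDG_CACHE_HOME:-$HOME/.cache}/welcome` idiom used in the next hunk of this file. The fallback belongs inside the braces: `FORTUNE_PATH=${XDG_DATA_HOME:-$HOME/.local/share}/fortune`. Separately, when the `*.dat` glob matches nothing the branch clears `FORTUNE_PATH`, yet `fortune -s "$FORTUNE_PATH"` still passes an empty string as a positional argument, which fortune(6) may try to open as a file; `fortune -s ${FORTUNE_PATH:+"$FORTUNE_PATH"}` would drop it instead. The `( … )` subshell opened at the top of this hunk is closed in the following hunk.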
@@ -36,14 +38,16 @@ esac
 # Run verse(1) if we haven't seen it already today
 if welcome verse ; then
- if [ -f "$HOME"/.verse ] ; then
- read -r last <"$HOME"/.verse
+ cache=${XDG_CACHE_HOME:-$HOME/.cache}/welcome
+ mkdir -p -- "$cache" || return
+ if [ -f "$cache"/verse ] ; then
+ read -r last <"$cache"/verse
 fi
 now=$(date +%Y%m%d)
 if [ "$now" -gt "${last:-0}" ] ; then
 verse
 printf '\n'
- printf '%s\n' "$now" >"$HOME"/.verse
+ printf '%s\n' "$now" >"$cache"/verse
 fi
 fi
 )
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index 78c95a70..bddee12a 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -2,5 +2,16 @@
 Description=unit status mailer service for %i
 [Service]
-Type=simple
+Type=oneshot
 ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
+# Hardening
+DevicePolicy=closed
+IPAddressDeny=any
+PrivateMounts=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectSystem=full
+RemoveIPC=true
+SystemCallErrorNumber=EPERM
+UMask=027
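Review bot: `mkdir -p -- "$cache" || return` runs directly inside the `( … )` subshell rather than in a function, so whether it does anything useful depends on the shell honouring `return` at dot-script level inside a forked subshell; POSIX leaves `return` outside a function or dot script unspecified and shells differ here. Because this is a subshell, `exit` ends exactly the enclosed work and nothing else, so `mkdir -p -- "$cache" || exit` states the intent unambiguously. The subshell this code runs in is opened in the previous hunk.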
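Review bot: `ProtectHome=true` and `IPAddressDeny=any` are applied to a unit whose only job is to run `mail(1)` as the user, and either can stop the message from leaving: `ProtectHome=true` hides the per-user mail configuration (`~/.mailrc` and whatever sendmail replacement it points at) and `IPAddressDeny=any` blocks any SMTP submission over IP, so whether this still delivers depends on how `mail` is set up on this host, which the hunk does not show. This matters more than usual because the unit is the `OnFailure=` handler for the other units, so a sandboxing failure here silently loses every notification; as far as I recall, in a `systemd --user` instance the mount-namespace options (`ProtectHome=`, `ProtectSystem=`, `PrivateTmp=`, `PrivateMounts=`) only work where unprivileged user namespaces are available. Exercise it once by hand with `systemctl --user start notify-email@reload-newsboat.service` and `journalctl --user -u notify-email@reload-newsboat.service`, and if home must stay readable prefer `ProtectHome=read-only`, which keeps the hardening intent.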