authorTom Ryder <tom@sanctum.geek.nz>2020-06-28 16:31:30 +1200
committerTom Ryder <tom@sanctum.geek.nz>2020-06-28 16:31:30 +1200
commit9af2aad89ece6b837a68d72d8c45ee560df8f26a (patch)
tree3706b279093ae7121501a4c0484ca2091487620a
parentMerge branch 'hotfix/v9.26.1' (diff)
parentBump VERSION (diff)
downloaddotfiles-9af2aad89ece6b837a68d72d8c45ee560df8f26a.tar.gz
dotfiles-9af2aad89ece6b837a68d72d8c45ee560df8f26a.zip
Merge branch 'release/v9.27.0'v9.27.0
* release/v9.27.0: Use less intense logging for Newsboat Add IP address hardening to Newsboat service Add hardening to Newsboat Add reload logs for Newsboat Use better location for verse cache Use blank value for default fortunes Use long option in newsboat config file Add hardening for systemd notify task Define newsboat systemd service as oneshot Define Newsboat systemd service as oneshot Remove Tor dependency from Newsboat task Simplify welcome.sh feature test Apply XDG basedirs to welcome.sh Use tabs in Mutt mailcap Remove pgp_self_encrypt Mutt setting
-rw-r--r--VERSION4
-rw-r--r--mutt/mailcap12
-rw-r--r--mutt/muttrc1
-rw-r--r--newsboat/systemd/user/reload-newsboat.service26
-rw-r--r--sh/profile.d/welcome.sh20
-rw-r--r--systemd/user/notify-email@.service13
6 files changed, 56 insertions, 20 deletions
diff --git a/VERSION b/VERSION
index 9a248604..2acb458c 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-tejr dotfiles v9.26.1
-Sun, 21 Jun 2020 03:17:46 +0000
+tejr dotfiles v9.27.0
+Sun, 28 Jun 2020 04:31:26 +0000
diff --git a/mutt/mailcap b/mutt/mailcap
index 3ce21d24..ebf86c98 100644
--- a/mutt/mailcap
+++ b/mutt/mailcap
@@ -2,10 +2,10 @@
# anyway and deal with it on a shell, or pass it to a GUI machine.
#
text/html; lynx -dump -force_html %s; \
- copiousoutput; \
- description=HTML; \
- nametemplate=%s.html
+ copiousoutput; \
+ description=HTML; \
+ nametemplate=%s.html
application/pdf; pdftotext -layout -nopgbrk -q %s -; \
- copiousoutput; \
- description=PDF; \
- nametemplate=%s.pdf
+ copiousoutput; \
+ description=PDF; \
+ nametemplate=%s.pdf
diff --git a/mutt/muttrc b/mutt/muttrc
index 71b3ca25..ccd88412 100644
--- a/mutt/muttrc
+++ b/mutt/muttrc
@@ -172,7 +172,6 @@ set crypt_replysignencrypted
# My kingdom for muttrc(5) conditionals...
#
set pgp_default_key = $GPG_KEYID
-set pgp_self_encrypt
set postpone_encrypt
# Always include OpenPGP header with the selected default key, regardless of
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index 24e4117c..981ef7bc 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -1,8 +1,30 @@
[Unit]
Description=fetch new Newsboat articles
OnFailure=notify-email@%n
-After=tor.service
ConditionPathExists=!%h/.local/share/newsboat/cache.db.lock
[Service]
-ExecStart=newsboat -x reload
+Type=oneshot
+LogsDirectory=newsboat
+LogsDirectoryMode=0700
+ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=5
+# Hardening
+IPAddressDeny=any
+IPAddressAllow=localhost
+KeyringMode=private
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+RestrictAddressFamilies=AF_UNIX
+RestrictAddressFamilies=~AF_UNIX
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
+# Slowing
+Nice=10
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
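Review bot: The pair `RestrictAddressFamilies=AF_UNIX` followed by `RestrictAddressFamilies=~AF_UNIX` in the new [Service] section looks contradictory: systemd merges repeated assignments of this option, so allowing AF_UNIX and then denying it is at best a no-op and may leave the unit with no permitted socket families, in which case the reload could not reach even the localhost address that `IPAddressAllow=localhost` permits. If the intent is to let newsboat talk only to a local proxy over TCP, a single line `RestrictAddressFamilies=AF_INET AF_INET6` states that directly; if the intent really is to block every socket family, `RestrictAddressFamilies=none` says so without the apparent self-cancellation. Either way the effective sandbox is worth confirming with `systemd-analyze --user security reload-newsboat.service` after the change.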
diff --git a/sh/profile.d/welcome.sh b/sh/profile.d/welcome.sh
index 3cb420c5..19231c2e 100644
--- a/sh/profile.d/welcome.sh
+++ b/sh/profile.d/welcome.sh
@@ -14,15 +14,17 @@ esac
(
# Temporary helper function
welcome() {
- [ -e "$HOME"/.config/welcome/"$1" ] || return
- command -v "$1" >/dev/null 2>&1 || return
+ test -e "${XDG_CONFIG_HOME:-"$HOME"/.config}"/welcome/"$1"
}
# Show a fortune
if welcome fortune ; then
- if [ -z "$FORTUNE_PATH" ] &&
- [ -d "$HOME"/.local/share/games/fortunes ] ; then
- FORTUNE_PATH=$HOME/.local/share/games/fortunes
+ if [ -z "$FORTUNE_PATH" ] ; then
+ FORTUNE_PATH=${XDG_DATA_HOME:-$HOME}/.local/share/fortune
+ set -- "$FORTUNE_PATH"/*.dat
+ if ! [ -e "$1" ] ; then
+ FORTUNE_PATH=
+ fi
fi
fortune -s "$FORTUNE_PATH"
printf '\n'
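Review bot: The new line `FORTUNE_PATH=${XDG_DATA_HOME:-$HOME}/.local/share/fortune` gets the XDG fallback wrong: when XDG_DATA_HOME is set the path becomes `$XDG_DATA_HOME/.local/share/fortune`, whereas the spec's default for the variable is `$HOME/.local/share`, which is also the form the `${XDG_CONFIG_HOME:-"$HOME"/.config}` line in welcome() above uses. It should read `FORTUNE_PATH=${XDG_DATA_HOME:-$HOME/.local/share}/fortune`. Separately, when the `set -- "$FORTUNE_PATH"/*.dat` glob matches nothing FORTUNE_PATH is cleared, yet the context line `fortune -s "$FORTUNE_PATH"` still passes an empty string as an argument, which fortune presumably treats as a (non-existent) path; that behaviour predates this change but is worth a look while the block is being touched. The enclosing `( … )` subshell opens above this hunk and closes in the next one.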
@@ -36,14 +38,16 @@ esac
# Run verse(1) if we haven't seen it already today
if welcome verse ; then
- if [ -f "$HOME"/.verse ] ; then
- read -r last <"$HOME"/.verse
+ cache=${XDG_CACHE_HOME:-$HOME/.cache}/welcome
+ mkdir -p -- "$cache" || return
+ if [ -f "$cache"/verse ] ; then
+ read -r last <"$cache"/verse
fi
now=$(date +%Y%m%d)
if [ "$now" -gt "${last:-0}" ] ; then
verse
printf '\n'
- printf '%s\n' "$now" >"$HOME"/.verse
+ printf '%s\n' "$now" >"$cache"/verse
fi
fi
)
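Review bot: The new `mkdir -p -- "$cache" || return` sits at the top level of the `( … )` subshell rather than inside a function, and POSIX leaves `return` outside a function or dot-script unspecified; it only works here to the extent the shell still treats the subshell as part of the sourced profile file. Because the block is already a subshell, `mkdir -p -- "$cache" || exit` leaves it unambiguously without affecting the login shell that sourced the file. The subshell this hunk belongs to is opened in the previous hunk and closes on the last line of this one.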
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index 78c95a70..bddee12a 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -2,5 +2,16 @@
Description=unit status mailer service for %i
[Service]
-Type=simple
+Type=oneshot
ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
+# Hardening
+DevicePolicy=closed
+IPAddressDeny=any
+PrivateMounts=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectSystem=full
+RemoveIPC=true
+SystemCallErrorNumber=EPERM
+UMask=027
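Review bot: `ProtectHome=true` in the new hardening block hides the user's home directory from the `mail` invocation on the ExecStart line; if mail(1) is configured through ~/.mailrc or needs anything else under $HOME, that configuration silently disappears, so `ProtectHome=read-only` may be the better fit in that case. The other namespace options added here (PrivateMounts, PrivateTmp, ProtectSystem, ProtectControlGroups) behave differently in a --user unit than in a system one, since they depend on the user service manager being able to set up user namespaces; on a systemd version without that support the setting may be ignored or the unit may fail, so `systemd-analyze --user security notify-email@.service` is the quick way to see which settings actually took effect. Note also that the reload-newsboat unit in this commit uses `UMask=0077` while this one uses `UMask=027`; both parse, but they grant different group permissions on anything the unit creates, and it is worth confirming the difference is intended.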