diff options
| -rw-r--r-- | VERSION | 4 | ||||
| -rw-r--r-- | mutt/mailcap | 12 | ||||
| -rw-r--r-- | mutt/muttrc | 1 | ||||
| -rw-r--r-- | newsboat/systemd/user/reload-newsboat.service | 26 | ||||
| -rw-r--r-- | sh/profile.d/welcome.sh | 20 | ||||
| -rw-r--r-- | systemd/user/notify-email@.service | 13 |
6 files changed, 56 insertions, 20 deletions
@@ -1,2 +1,2 @@ -tejr dotfiles v9.26.1 -Sun, 21 Jun 2020 03:17:46 +0000 +tejr dotfiles v9.27.0 +Sun, 28 Jun 2020 04:31:26 +0000 diff --git a/mutt/mailcap b/mutt/mailcap index 3ce21d24..ebf86c98 100644 --- a/mutt/mailcap +++ b/mutt/mailcap @@ -2,10 +2,10 @@ # anyway and deal with it on a shell, or pass it to a GUI machine. # text/html; lynx -dump -force_html %s; \ - copiousoutput; \ - description=HTML; \ - nametemplate=%s.html + copiousoutput; \ + description=HTML; \ + nametemplate=%s.html application/pdf; pdftotext -layout -nopgbrk -q %s -; \ - copiousoutput; \ - description=PDF; \ - nametemplate=%s.pdf + copiousoutput; \ + description=PDF; \ + nametemplate=%s.pdf diff --git a/mutt/muttrc b/mutt/muttrc index 71b3ca25..ccd88412 100644 --- a/mutt/muttrc +++ b/mutt/muttrc @@ -172,7 +172,6 @@ set crypt_replysignencrypted # My kingdom for muttrc(5) conditionals... # set pgp_default_key = $GPG_KEYID -set pgp_self_encrypt set postpone_encrypt # Always include OpenPGP header with the selected default key, regardless of diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service index 24e4117c..981ef7bc 100644 --- a/newsboat/systemd/user/reload-newsboat.service +++ b/newsboat/systemd/user/reload-newsboat.service @@ -1,8 +1,30 @@ [Unit] Description=fetch new Newsboat articles OnFailure=notify-email@%n -After=tor.service ConditionPathExists=!%h/.local/share/newsboat/cache.db.lock [Service] -ExecStart=newsboat -x reload +Type=oneshot +LogsDirectory=newsboat +LogsDirectoryMode=0700 +ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=5 +# Hardening +IPAddressDeny=any +IPAddressAllow=localhost +KeyringMode=private +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +RestrictAddressFamilies=AF_UNIX +RestrictAddressFamilies=~AF_UNIX +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +UMask=0077 +# Slowing +Nice=10 +IOSchedulingClass=best-effort +IOSchedulingPriority=7 diff --git a/sh/profile.d/welcome.sh b/sh/profile.d/welcome.sh index 3cb420c5..19231c2e 100644 --- a/sh/profile.d/welcome.sh +++ b/sh/profile.d/welcome.sh @@ -14,15 +14,17 @@ esac ( # Temporary helper function welcome() { - [ -e "$HOME"/.config/welcome/"$1" ] || return - command -v "$1" >/dev/null 2>&1 || return + test -e "${XDG_CONFIG_HOME:-"$HOME"/.config}"/welcome/"$1" } # Show a fortune if welcome fortune ; then - if [ -z "$FORTUNE_PATH" ] && - [ -d "$HOME"/.local/share/games/fortunes ] ; then - FORTUNE_PATH=$HOME/.local/share/games/fortunes + if [ -z "$FORTUNE_PATH" ] ; then + FORTUNE_PATH=${XDG_DATA_HOME:-$HOME}/.local/share/fortune + set -- "$FORTUNE_PATH"/*.dat + if ! [ -e "$1" ] ; then + FORTUNE_PATH= + fi fi fortune -s "$FORTUNE_PATH" printf '\n' @@ -36,14 +38,16 @@ esac # Run verse(1) if we haven't seen it already today if welcome verse ; then - if [ -f "$HOME"/.verse ] ; then - read -r last <"$HOME"/.verse + cache=${XDG_CACHE_HOME:-$HOME/.cache}/welcome + mkdir -p -- "$cache" || return + if [ -f "$cache"/verse ] ; then + read -r last <"$cache"/verse fi now=$(date +%Y%m%d) if [ "$now" -gt "${last:-0}" ] ; then verse printf '\n' - printf '%s\n' "$now" >"$HOME"/.verse + printf '%s\n' "$now" >"$cache"/verse fi fi ) diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service index 78c95a70..bddee12a 100644 --- a/systemd/user/notify-email@.service +++ b/systemd/user/notify-email@.service @@ -2,5 +2,16 @@ Description=unit status mailer service for %i [Service] -Type=simple +Type=oneshot ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u' +# Hardening +DevicePolicy=closed +IPAddressDeny=any +PrivateMounts=true +PrivateTmp=true +ProtectControlGroups=true +ProtectHome=true +ProtectSystem=full +RemoveIPC=true +SystemCallErrorNumber=EPERM +UMask=027 |