From 95719938f1e8e62577d4c5631607ac075b78b6d9 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 13 Sep 2020 01:19:27 +1200
Subject: Remove hardening from systemd units
I suspect most-to-all of this doesn't actually work, and probably shouldn't deploy it unless and until I am.
---
 newsboat/systemd/user/reload-newsboat.service | 20 --------------------
 systemd/user/notify-email@.service | 11 -----------
 2 files changed, 31 deletions(-)
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index 981ef7bc..2699697c 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -8,23 +8,3 @@ Type=oneshot
 LogsDirectory=newsboat
 LogsDirectoryMode=0700
 ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=5
-# Hardening
-IPAddressDeny=any
-IPAddressAllow=localhost
-KeyringMode=private
-LockPersonality=true
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-RestrictAddressFamilies=AF_UNIX
-RestrictAddressFamilies=~AF_UNIX
-RestrictNamespaces=true
-RestrictRealtime=true
-SystemCallArchitectures=native
-SystemCallErrorNumber=EPERM
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources
-UMask=0077
-# Slowing
-Nice=10
-IOSchedulingClass=best-effort
-IOSchedulingPriority=7
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index bddee12a..9293c423 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -4,14 +4,3 @@ Description=unit status mailer service for %i
 [Service]
 Type=oneshot
 ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
-# Hardening
-DevicePolicy=closed
-IPAddressDeny=any
-PrivateMounts=true
-PrivateTmp=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectSystem=full
-RemoveIPC=true
-SystemCallErrorNumber=EPERM
-UMask=027
-- 
cgit v1.2.3
From f3a764cc47382a26cd345c3a078e85a52459223a Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 13 Sep 2020 01:20:32 +1200
Subject: Add random delay to Newsboat reloading
---
 newsboat/systemd/user/reload-newsboat.timer | 1 +
 1 file changed, 1 insertion(+)
diff --git a/newsboat/systemd/user/reload-newsboat.timer b/newsboat/systemd/user/reload-newsboat.timer
index 6e59d66e..748f03e1 100644
--- a/newsboat/systemd/user/reload-newsboat.timer
+++ b/newsboat/systemd/user/reload-newsboat.timer
@@ -4,6 +4,7 @@ Description=fetch new Newsboat articles
 [Timer]
 OnBootSec=10m
 OnUnitActiveSec=10m
+RandomizedDelaySec=2m
 [Install]
 WantedBy=timers.target
-- 
cgit v1.2.3
From 5e32253dc3852fd7fededa8c0833b4fc798e1cc1 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 13 Sep 2020 01:21:13 +1200
Subject: Add word to timer description for clarity
---
 newsboat/systemd/user/reload-newsboat.timer | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/newsboat/systemd/user/reload-newsboat.timer b/newsboat/systemd/user/reload-newsboat.timer
index 748f03e1..c3c0cb00 100644
--- a/newsboat/systemd/user/reload-newsboat.timer
+++ b/newsboat/systemd/user/reload-newsboat.timer
@@ -1,5 +1,5 @@
 [Unit]
-Description=fetch new Newsboat articles
+Description=fetch new Newsboat articles schedule
 [Timer]
 OnBootSec=10m
-- 
cgit v1.2.3
From ff020c0d672ac151c5f1e52ad2d04a8a45b071ee Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 13 Sep 2020 01:23:39 +1200
Subject: Add timeout to mail notification unit
---
 systemd/user/notify-email@.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index 9293c423..c136effa 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -4,3 +4,4 @@ Description=unit status mailer service for %i
 [Service]
 Type=oneshot
 ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
+TimeoutStartSec=1m
-- 
cgit v1.2.3
From f03c4568d49cccc2398cd9e3c0f423bf7f349584 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 13 Sep 2020 01:24:14 +1200
Subject: Add timeout to Newsboat reload service
---
 newsboat/systemd/user/reload-newsboat.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/newsboat/systemd/user/reload-newsboat.service b/newsboat/systemd/user/reload-newsboat.service
index 2699697c..f495e67b 100644
--- a/newsboat/systemd/user/reload-newsboat.service
+++ b/newsboat/systemd/user/reload-newsboat.service
@@ -8,3 +8,4 @@ Type=oneshot
 LogsDirectory=newsboat
 LogsDirectoryMode=0700
 ExecStart=newsboat --execute=reload --log-file=%L/newsboat/%p.log --log-level=5
+TimeoutStartSec=5m
-- 
cgit v1.2.3
From c8d006aef5eea53538597493312f34ff54d3e7b1 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 13 Sep 2020 02:17:11 +1200
Subject: Use short `mail` options for compat with BSD mail
---
 systemd/user/notify-email@.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index c136effa..1368f2b9 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -3,5 +3,5 @@ Description=unit status mailer service for %i
 [Service]
 Type=oneshot
-ExecStart=sh -c 'systemctl --user status %i | mail --append="From: systemd" --append="X-systemd: %H %m %b" --subject="[systemd] %i failure" %u'
+ExecStart=sh -c 'systemctl --user status %i | mail -a "From: systemd" -a "X-systemd: %H %m %b" -s "[systemd] %i failure" %u'
 TimeoutStartSec=1m
-- 
cgit v1.2.3
From 084dda592c5b23183cc413598a5c80cf04f77047 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Sun, 13 Sep 2020 02:17:43 +1200
Subject: Remove forced
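Review bot: The added `TimeoutStartSec=1m` is load-bearing rather than a tuning knob, because with `Type=oneshot` systemd disables the start timeout by default, so this line is the only thing that stops a blocked `mail` pipeline from holding the unit open indefinitely; it deserves a comment saying so. Suggested, on the line above it: `# Type=oneshot has no start timeout by default; bound the mailer so a stuck MTA cannot hang this unit`. The same point applies to the `TimeoutStartSec=5m` added to reload-newsboat.service in the next commit, where a matching one-line comment would help.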
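Review bot: The rewritten `ExecStart=` still puts `%m` into the outgoing `X-systemd:` header, and `%m` expands to the machine ID, which machine-id(5) says should be treated as confidential and not exposed on the network; the hostname and boot ID already identify which boot the failure belongs to. I would drop it: `ExecStart=sh -c 'systemctl --user status %i | mail -a "X-systemd: %H %b" -s "[systemd] %i failure" %u'`. Separately, the short `-a` is less portable than the subject suggests: GNU mailutils and Debian's bsd-mailx treat it as an extra header, but in heirloom-mailx/s-nail `-a` takes a file to attach, if I recall their option tables correctly, so there the header text would be looked up as a filename and the notification would fail silently; a comment naming which `mail` this unit is written against would save the next reader that trip. The following commit that removes the `From:` header rewrites the same line and inherits both points.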
From: header
---
 systemd/user/notify-email@.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemd/user/notify-email@.service b/systemd/user/notify-email@.service
index 1368f2b9..fba9cdaf 100644
--- a/systemd/user/notify-email@.service
+++ b/systemd/user/notify-email@.service
@@ -3,5 +3,5 @@ Description=unit status mailer service for %i
 [Service]
 Type=oneshot
-ExecStart=sh -c 'systemctl --user status %i | mail -a "From: systemd" -a "X-systemd: %H %m %b" -s "[systemd] %i failure" %u'
+ExecStart=sh -c 'systemctl --user status %i | mail -a "X-systemd: %H %m %b" -s "[systemd] %i failure" %u'
 TimeoutStartSec=1m
-- 
cgit v1.2.3
From a80c03f4b65e15262318ba229eb55a0519e9d7a8 Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Mon, 14 Sep 2020 14:29:34 +1200
Subject: Correct and extend 'backupskip' patterns for .git
---
 vim/vimrc | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/vim/vimrc b/vim/vimrc
index ef02a401..e9e940c2 100644
--- a/vim/vimrc
+++ b/vim/vimrc
@@ -2,7 +2,7 @@
 " Tom Ryder (tejr)’s Literate Vimrc
 " ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 "
-" Last updated: Sat, 12 Sep 2020 05:21:43 UTC
+" Last updated: Mon, 14 Sep 2020 02:28:57 UTC
 "
 " │ And I was lifted up in heart, and thought
 " │ Of all my late-shown prowess in the lists,
@@ -273,12 +273,14 @@ if has#('unix')
 set backupskip+=/usr/tmp/*,/var/tmp/*
 " Per-repository temporary files for Git
- "" Commit messages
- set backupskip+=*.git/*_EDITMSG
- "" Patch edits
- set backupskip+=*.git/ADD_EDIT.patch
+ "" Commit and tag messages
+ set backupskip+=*/*.git/?*_EDITMSG
+ "" Edited patches
+ set backupskip+=*/*.git/ADD_EDIT.patch
+ "" Email messages
+ set backupskip+=*/*.git/.gitsendemail.msg.*
 "" Interactive rebase manifests
- set backupskip+=*.git/rebase-merge/git-rebase-todo
+ set backupskip+=*/*.git/rebase-merge/git-rebase-todo
 " systemd user manager unit files
 "" Full unit files
-- 
cgit v1.2.3
From bcde63f59a7b8c69dd85004b0200bfaee147033d Mon Sep 17 00:00:00 2001
From: Tom Ryder
Date: Mon, 14 Sep 2020 14:30:21 +1200
Subject: Bump VERSION
---
 VERSION | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/VERSION b/VERSION
index a0eb6c25..ad615fe6 100644
--- a/VERSION
+++ b/VERSION
@@ -1,2 +1,2 @@
-tejr dotfiles v10.7.0
-Sat, 12 Sep 2020 05:30:54 +0000
+tejr dotfiles v10.8.0
+Mon, 14 Sep 2020 02:30:21 +0000
-- 
cgit v1.2.3