Phaselockedloopable- PLL's continued exploration of networking, self-hosting and decoupling from big tech

Yeah, they do, but some of the things they are doing now, like the photo scanning feature, give me pause. They occasionally make a good stand on privacy, and then turn around and do something that is completely opposed to privacy. I want to like them, but it is frustrating. I’m hoping that their lawsuit with Epic will make them a little easier to live with, but probably not.

I do recognize that full control of an Android is not possible, but there are some really good things you can do with root that are handy, like enforcing granular app permissions. Unfortunately, most app makers have adopted a “take it or leave it” approach. By that I mean that in order for the app to run at all you must grant it access to far more data than it needs.

1 Like

You don't need root for that on Android 12 and 11.

like what? Root is a hack. Root is not needed for these things. Teaching your app to use the security framework is all you need

1 Like

I haven’t paid attention to Android in a while. I guess that is improved since the last time I really looked at it. Thanks for the info!

When you develop an app, any app can access low level stuff… IF you program it into the security framework… properly… it can access stuff even like low level stuff on the battery, but people are lazy and don't do this, so they just dirty hack root it.

I think you said this earlier in the thread, but what kind of phone do you use?

1 Like

My next big step in automation

ANSIBLE

Getting the git folder ready to master and place all my configs so I can push them with ansible

I'm thinking this will be my directory structure:

etc
├── baldr
│   ├── cockpit
│   ├── openssl
│   ├── ssh
│   ├── nginx
│   └── sysDservices
├── bifrost
│   ├── cockpit
│   ├── compose
│   ├── doh
│   ├── iptables
│   ├── nginx
│   ├── openssl
│   ├── pihole
│   ├── ssh
│   ├── sysDservices
│   ├── turn
│   ├── unbound
│   └── vouch
├── heimdallr
│   ├── cockpit
│   ├── openssl
│   ├── ssh
│   └── sysDservices
├── nanna
│   ├── cockpit
│   ├── openssl
│   ├── ssh
│   └── sysDservices
├── ns1
│   ├── bind9
│   ├── cockpit
│   ├── openssl
│   ├── ssh
│   └── sysDservices
├── ns2
│   ├── bind9
│   ├── cockpit
│   ├── openssl
│   ├── ssh
│   └── sysDservices
└── odin
    ├── cockpit
    ├── compose
    ├── openssl
    ├── pihole
    ├── ssh
    └── sysDservices

47 directories, 0 files

Pixel 3 XL

Planned upgrade end of 2022 → Pixel 6 Pro

1 Like

You’ll want to not worry about the directory structure until you build out the ansible script.

It’s better to make a role for each service, then put the configs in a template dir there and infer system-specific values from the hostvars.

3 Likes

@felixthecat @ThatGuyB @NorthernWing @Novasty @HaaStyleCat @SgtAwesomesauce and ALL other YubiKey users


Browser: Ungoogled-Chromium

This is what I meant by PIN protected touch. You physically can't release the key via NFC or USB or any interface without my 9 digit PIN code. I find this to be a much more secure way of implementing the key, since if the key is lost… nobody can use it against you. If you forget the PIN… you have no way of modifying the key except to erase it and start over.

It requires the PIN even on SSH connection.

The setup is more complicated. You have to set this up using the advanced personalization tool on Linux, but it's worth it IMHO. Keys must be protected… the keys of keys for MFA… must be protected. There can't be a point of failure. If you lose it or forget it… the data SHOULD be gone for good.

I have a total of 5 keys. 2 hot (1 main, 1 spare)… 1 cold… stays in apartment safe… 2 offsite… stay in places I won't disclose… they are the backups of backups.

Also, the PIN to service and change the key information is different, but its hint I don't mind publicly disclosing: “If you want sex reverse the hex”

2 Likes

Kind of wish there was a way to encrypt ZFS but also integrate a yubikey into its decryption.

If anybody DOES know how to do this or has a theory on how to suggest to the OpenZFS devs on creating it… sound off… because it's a feature I would love… MFA encryption for filesystems…

Fed can't get in if you thermite the key :troll:

2 Likes

TBH, I would like to see SQRL protocol (don’t tell Pete about it) get more adoption. I would prefer to use that instead of a key. But it seems like the internet is going more and more with FIDO.

4 Likes

@psycho_666

:troll:

2 Likes

What’s wrong with fido

1 Like

Nothing wrong in itself, just feels inconvenient.

1 Like

I laughed so hard man… Pete's not this techy, you know. He doesn't even want to touch Linux yet.

3 Likes

I know lol

1 Like

La didah didah

❯ ls
swap.conf  userset.conf  vmtweaks.conf
❯ cat swap.conf
vm.swappiness=5
kernel.unprivileged_userns_clone=1
#vm.overcommit_memory=0
#vm.overcommit_ratio=100
❯ cat userset.conf
# Maximum socket buffer size
net.core.optmem_max = 134217728

# Maximum receive socket buffer size
net.core.rmem_max = 134217728 

# Maximum send socket buffer size
net.core.wmem_max = 134217728 

# Minimum, initial and max TCP Receive buffer size in Bytes
net.ipv4.tcp_rmem = 4096 33554432 134217728 

# Minimum, initial and max buffer space allocated
net.ipv4.tcp_wmem = 4096 33554432 134217728 

# Minimum, initial and max buffer space allocated
net.ipv4.tcp_mem = 6672016 6682016 7185248

# Maximum number of packets queued on the input side
net.core.netdev_max_backlog = 300000 

# Auto tuning
net.ipv4.tcp_moderate_rcvbuf =1

# Don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1

# Congestion Control
net.ipv4.tcp_congestion_control=reno

# If you are using jumbo frames set this to avoid MTU black holes.
net.ipv4.tcp_mtu_probing = 1

# Define min free vm memory
vm.min_free_kbytes = 524288

# Extra TCP Tweaks
net.ipv4.tcp_sack = 1
net.ipv4.tcp_timestamps = 1
net.core.netdev_max_backlog = 250000
net.ipv4.tcp_low_latency = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_workaround_signed_windows=1
net.ipv4.tcp_window_scaling=1
net.ipv4.ip_no_pmtu_disc=0
net.ipv4.tcp_mtu_probing=1
net.ipv4.tcp_syncookies=1
net.ipv4.ip_local_port_range=30000 65535
net.ipv4.tcp_mtu_probing=1
net.ipv4.tcp_keepalive_time=60
net.ipv4.tcp_keepalive_intvl=10
net.ipv4.tcp_keepalive_probes=6

# Enable BBR
net.core.default_qdisc=cake
net.ipv4.tcp_congestion_control=bbr

# Log Martians
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.log_martians=1

# allow all the users in the system to create IPPROTO_ICMP sockets
net.ipv4.ping_group_range=0 65535

❯ cat vmtweaks.conf
vm.max_map_count=33554432
fs.file-max=1048576
vm.dirty_ratio=5
vm.dirty_background_ratio=2
vm.vfs_cache_pressure=25
vm.dirty_background_bytes=4194304
vm.dirty_bytes=4194304


❯ cd modprobe.d
❯ ls
airspy.conf  blacklist.conf  hackrf.conf  kvm.conf  no-conntrack-helper.conf  vfio.conf  zfs.conf
❯ cat airspy.conf
# disable official kernel driver
# (remove this when Airspy supports kernel driver)
blacklist airspy
❯ cat blacklist.conf
blacklist nouveau
❯ cat hackrf.conf
# disable kernel drivers
blacklist hackrf
❯ cat kvm.conf
#options kvm_amd nested=1
#options kvm_amd npt=1
#options kvm_intel nested=1
#options kvm ignore_msrs=1
❯ cat no-conntrack-helper.conf
options nf_conntrack nf_conntrack_helper=0 
❯ cat vfio.conf
#softdep amdgpu pre: vfio vfio_pci vfio-pci
#softdep xhci_pci pre: vfio vfio_pci vfio-pci
#softdep pcieport pre: vfio vfio_pci vfio-pci
#softdep nouveau pre: vfio vfio_pci vfio-pci
#softdep nvidia pre: vfio vfio_pci vfio-pci
#options vfio_pci ids=10de:1b81,10de:10f0
❯ cat zfs.conf
options zfs zfs_arc_max=15032385536

Migrating to fedora noises

2 Likes
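The sysctl fragments shown above assign several keys more than once (tcp_congestion_control is set to reno and later to bbr, netdev_max_backlog is set twice, tcp_mtu_probing three times), and sysctl.d resolves that silently by letting the last assignment win. As an added example that is not from the original post, this small Python checker parses such fragments, reports which keys are duplicated and which of those actually conflict, and shows the value that takes effect; the sample fragments are a constructed, trimmed copy of the posted ones.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the posted swap.conf and userset.conf.
SAMPLE_FILES = {
    "swap.conf": "vm.swappiness=5\n#vm.overcommit_memory=0\n",
    "userset.conf": (
        "net.core.netdev_max_backlog = 300000\n"
        "net.ipv4.tcp_congestion_control=reno\n"
        "net.ipv4.tcp_mtu_probing = 1\n"
        "net.core.netdev_max_backlog = 250000\n"
        "net.ipv4.tcp_mtu_probing=1\n"
        "net.ipv4.tcp_syncookies=1\n"
        "net.core.default_qdisc=cake\n"
        "net.ipv4.tcp_congestion_control=bbr\n"
    ),
}

# key = value, optionally prefixed with '-' (sysctl.d: ignore errors for this key)
LINE_RE = re.compile(r"^-?\s*([A-Za-z0-9_./-]+)\s*=\s*(.*?)\s*$")

def parse_fragment(text):
    """Yield (key, value) pairs in file order, skipping blank and comment lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = LINE_RE.match(line)
        if m:
            # sysctl.d also accepts '/' as the separator; normalise to dotted form
            yield m.group(1).replace("/", "."), m.group(2)

def audit(files):
    """Return (effective, duplicates) for a {filename: content} mapping.

    Fragments are applied in lexicographic filename order and then line order,
    so the last assignment of a key is the one that actually takes effect.
    """
    seen = defaultdict(list)
    for name in sorted(files):
        for key, value in parse_fragment(files[name]):
            seen[key].append((name, value))
    effective = {k: v[-1] for k, v in seen.items()}
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return effective, duplicates

def conflicting(duplicates):
    """Duplicated keys whose assignments disagree: silent overrides worth fixing."""
    return sorted(k for k, v in duplicates.items() if len({val for _, val in v}) > 1)
```

Point `audit` at the real files (e.g. a dict built from `/etc/sysctl.d/*.conf`) to see which of the posted tweaks is actually in force and which ones are dead lines.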

❯ cat /etc/default/grub
# GRUB boot loader configuration

GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="Arch Linux"
GRUB_CMDLINE_LINUX_DEFAULT="<REDACTED-AF> loglevel=3 nvidia-drm.modeset=1 cpufreq.default_governor=performance"
GRUB_CMDLINE_LINUX=""

# Preload both GPT and MBR modules so that they are not missed
GRUB_PRELOAD_MODULES="part_gpt part_msdos"
GRUB_DISABLE_OS_PROBER=false

# Uncomment to enable booting from LUKS encrypted devices
#GRUB_ENABLE_CRYPTODISK=y

# Set to 'countdown' or 'hidden' to change timeout behavior,
# press ESC key to display menu.
GRUB_TIMEOUT_STYLE=menu

# Uncomment to use basic console
GRUB_TERMINAL_INPUT=console

# Uncomment to disable graphical terminal
#GRUB_TERMINAL_OUTPUT=console

# The resolution used on graphical terminal
# note that you can use only modes which your graphic card supports via VBE
# you can see them in real GRUB with the command `vbeinfo'
GRUB_GFXMODE=auto

# Uncomment to allow the kernel use the same resolution used by grub
GRUB_GFXPAYLOAD_LINUX=keep

# Uncomment if you want GRUB to pass to the Linux kernel the old parameter
# format "root=/dev/xxx" instead of "root=/dev/disk/by-uuid/xxx"
#GRUB_DISABLE_LINUX_UUID=true

# Uncomment to disable generation of recovery mode menu entries
GRUB_DISABLE_RECOVERY=true

# Uncomment and set to the desired menu colors.  Used by normal and wallpaper
# modes only.  Entries specified as foreground/background.
#GRUB_COLOR_NORMAL="light-blue/black"
#GRUB_COLOR_HIGHLIGHT="light-cyan/blue"

# Uncomment one of them for the gfx desired, a image background or a gfxtheme
#GRUB_BACKGROUND="/path/to/wallpaper"
#GRUB_THEME="/path/to/gfxtheme"

# Uncomment to get a beep at GRUB start
#GRUB_INIT_TUNE="480 440 1"

# Uncomment to make GRUB remember the last selection. This requires
# setting 'GRUB_DEFAULT=saved' above.
#GRUB_SAVEDEFAULT=true

# Uncomment to disable submenus in boot menu
#GRUB_DISABLE_SUBMENU=y

1 Like

Almost there… catching stragglers I forgot

❯ cd rules.d
❯ ls
60-ioschedulers.rules  64-limesuite.rules  69-hdparm.rules
❯ cat 60-ioschedulers.rules
# autoset scheduler for NVME, SSD, and Spinning Rust {Detection via ATTR}
ACTION=="add|change", KERNEL=="nvme[0-9]n[0-9]", ATTR{queue/scheduler}="none"
ACTION=="add|change", KERNEL=="sd[a-z]*|mmcblk[0-9]*", ATTR{queue/rotational}=="0", ATTR{queue/scheduler}="mq-deadline"
ACTION=="add|change", KERNEL=="sd[a-z]*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"
❯ cat 64-limesuite.rules
SUBSYSTEM=="usb", ATTR{idVendor}=="04b4", ATTR{idProduct}=="8613", SYMLINK+="stream-%k", MODE="666"
SUBSYSTEM=="usb", ATTR{idVendor}=="04b4", ATTR{idProduct}=="00f1", SYMLINK+="stream-%k", MODE="666"
SUBSYSTEM=="usb", ATTR{idVendor}=="0403", ATTR{idProduct}=="601f", SYMLINK+="stream-%k", MODE="666"
SUBSYSTEM=="usb", ATTR{idVendor}=="1d50", ATTR{idProduct}=="6108", SYMLINK+="stream-%k", MODE="666"
SUBSYSTEM=="xillybus", MODE="666", OPTIONS="last_rule"

SUBSYSTEM=="tty", ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", MODE="0666", SYMLINK+="serial"
❯ cat 69-hdparm.rules
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sdb", RUN+="/usr/bin/hdparm -B 255 -S 0 /dev/sdb"
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sdc", RUN+="/usr/bin/hdparm -B 255 -S 0 /dev/sdc"
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sdd", RUN+="/usr/bin/hdparm -B 255 -S 0 /dev/sdd"
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sde", RUN+="/usr/bin/hdparm -B 255 -S 0 /dev/sde"
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sdf", RUN+="/usr/bin/hdparm -B 255 -S 0 /dev/sdf"
ACTION=="add", SUBSYSTEM=="block", KERNEL=="sdg", RUN+="/usr/bin/hdparm -B 255 -S 0 /dev/sdg"


❯ cd modules-load.d
❯ ls
modules.conf
❯ cat modules.conf
tcp_bbr

1 Like

The final one…

❯ cd /etc/X11/xorg.conf.d
❯ ls
00-keyboard.conf  nvidia.conf
❯ cat 00-keyboard.conf
# Written by systemd-localed(8), read by systemd-localed and Xorg. It's
# probably wise not to edit this file manually. Use localectl(1) to
# instruct systemd-localed to update it.
Section "InputClass"
        Identifier "system-keyboard"
        MatchIsKeyboard "on"
        Option "XkbLayout" "us"
        Option "XkbModel" "pc105+inet"
        Option "XkbOptions" "terminate:ctrl_alt_bksp"
EndSection
❯ cat nvidia.conf
# nvidia-settings: X configuration file generated by nvidia-settings
# nvidia-settings:  version 495.44

Section "ServerLayout"
    Identifier     "Layout0"
    Screen      0  "Screen0" 0 0
    InputDevice    "Keyboard0" "CoreKeyboard"
    InputDevice    "Mouse0" "CorePointer"
    Option         "Xinerama" "0"
EndSection

Section "Files"
EndSection

Section "InputDevice"
    # generated from default
    Identifier     "Mouse0"
    Driver         "mouse"
    Option         "Protocol" "auto"
    Option         "Device" "/dev/psaux"
    Option         "Emulate3Buttons" "no"
    Option         "ZAxisMapping" "4 5"
EndSection

Section "InputDevice"
    # generated from default
    Identifier     "Keyboard0"
    Driver         "kbd"
EndSection

Section "Monitor"
    # HorizSync source: edid, VertRefresh source: edid
    Identifier     "Monitor0"
    VendorName     "Unknown"
    ModelName      "Acer (You really dont need to know)"
    HorizSync       31.0 - 83.0
    VertRefresh     56.0 - 76.0
    Option         "DPMS"
EndSection

Section "Device"
    Identifier     "Device0"
    Driver         "nvidia"
    VendorName     "NVIDIA Corporation"
    BoardName      "NVIDIA GeForce GTX 1070 Ti"
   Option "Coolbits" "24"
EndSection

Section "Screen"
    Identifier     "Screen0"
    Device         "Device0"
    Monitor        "Monitor0"
    DefaultDepth    24
    Option         "Stereo" "0"
    Option         "nvidiaXineramaInfoOrder" "DFP-5"
    Option         "metamodes" "DP-3: nvidia-auto-select +1680+0 {ForceCompositionPipeline=On, ForceFullCompositionPipeline=On}, DVI-I-1: nvidia-auto-select +0+0 {ForceCompositionPipeline=On, ForceFullCompositionPipeline=On}"
    Option         "SLI" "Off"
    Option         "MultiGPU" "Off"
    Option         "BaseMosaic" "off"
    SubSection     "Display"
        Depth       24
    EndSubSection
EndSection


1 Like