Matthew Vance MatthewVance
MatthewVance
/ unbond.conf
Created
April 16, 2020 01:12
Example of how to configure Unbound as a local forwarder using DNS-over-TLS to forward queries.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| server: | |
| ########################################################################### | |
| # BASIC SETTINGS | |
| ########################################################################### | |
| # Time to live maximum for RRsets and messages in the cache. If the maximum | |
| # kicks in, responses to clients still get decrementing TTLs based on the | |
| # original (larger) values. When the internal TTL expires, the cache item | |
| # has expired. Can be set lower to force the resolver to query for data | |
| # often, and not trust (very large) TTL values. | |
| cache-max-ttl: 86400 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ##################### | |
| # Behavior Settings # | |
| ##################### | |
| # Make new lines contain the same amount of whitespace as line above. | |
| unset autoindent | |
| # Use a tab size of n columns. The value of n must be greater than 0. | |
| # The default value is 8. | |
| set tabsize 4 |
MatthewVance
/ HKPS
Last active
July 23, 2019 22:43
GPG related configuration options. More secure but less interoperable than typical defaults.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| gpg --import fake | |
| curl --tlsv1.2 -L https://sks-keyservers.net/sks-keyservers.netCA.pem -O | |
| curl --tlsv1.2 -L https://sks-keyservers.net/sks-keyservers.netCA.pem.asc -O | |
| # Move hkps pool cert to cert store | |
| sudo cp -v sks-keyservers.netCA.pem /etc/ssl/certs/ | |
| # Import key for HKPS signature | |
| gpg --recv-key 0x0B7F8B60E3EDFAE3 |
MatthewVance
/ Paperkey
Created
July 23, 2019 01:45
Install the Paperkey OpenPGP key archiver from source on Debian based distros https://www.jabberwocky.com/software/paperkey/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl https://www.jabberwocky.com/software/paperkey/paperkey-1.6.tar.gz -O | |
| curl https://www.jabberwocky.com/software/paperkey/paperkey-1.6.tar.gz.sig -O | |
| gpg --recv-key 0x99242560 | |
| gpg --verify paperkey-1.6.tar.gz.sig paperkey-1.6.tar.gz | |
| tar -xzvf paperkey-1.6.tar.gz | |
| cd paperkey-1.6 | |
| apt install build-essential | |
| ./configure | |
| make | |
| make check |
MatthewVance
/ issue.net
Created
May 30, 2019 02:59
While only a deterrent (plus some limited legal value), it is worth setting a server banner. My version is based off of https://help.ubuntu.com/community/StricterDefaults and https://ia.signal.army.mil/docs/NIST_SP_800_18_Planguide.pdf.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *************************************************************************** | |
| **WARNING**WARNING**WARNING** | |
| This computer system is the private property of its owner, whether | |
| individual, corporate or government. It is for authorized use only. | |
| Unauthorized access or use of this computer system may subject violators | |
| to criminal, civil, and/or administrative action. All data contained | |
| on this computer system may be monitored, intercepted, recorded, read, | |
| copied, or captured in any manner and disclosed in any manner, by | |
| authorized personnel. THERE IS NO RIGHT OF PRIVACY IN THIS SYSTEM. |
MatthewVance
/ ssh_config
Created
May 30, 2019 02:34
OpenSSH SSH client configuration example for Raspberry Pi, customized to improve security.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This is the ssh client system-wide configuration file. See | |
| # ssh_config(5) for more information. This file provides defaults for | |
| # users, and the values can be changed in per-user configuration files | |
| # or on the command line. | |
| # Configuration data is parsed as follows: | |
| # 1. command line options | |
| # 2. user-specific file | |
| # 3. system-wide file | |
| # Any configuration value is only changed the first time it is set. |
MatthewVance
/ sshd_config
Created
May 30, 2019 02:30
OpenSSH SSH daemon configuration example for Raspberry Pi, customized to improve security.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Package generated configuration file | |
| # See the sshd_config(5) manpage for details | |
| # What ports, IPs and protocols we listen for | |
| Port 22 | |
| # Use these options to restrict which interfaces/protocols sshd will bind to | |
| #ListenAddress :: | |
| ##ListenAddress 192.168.1.2 | |
| Protocol 2 | |
| # HostKeys for protocol version 2 |
MatthewVance
/ restic-stats.sh
Created
May 18, 2019 20:59
A script to return various stats about a Restic repo.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #: Title : restic stats | |
| #: Date : October 14, 2018 | |
| #: Author : Matt Vance | |
| #: Version : 1.0 | |
| #: Description : Script to fully sytem backlup | |
| #: License : MIT License (MIT) | |
| # Copyright (C) 2018 Matthew Vance |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #: Title : restic unlock | |
| #: Date : April 26, 2019 | |
| #: Author : Matt Vance | |
| #: Version : 1.0 | |
| #: Description : Script to manually unlock repo | |
| #: License : MIT License (MIT) | |
| # Copyright (C) 2019 Matthew Vance |
MatthewVance
/ Caddyfile
Last active
February 10, 2022 01:59
Caddy config (Caddyfile) and systemd service to reverse proxy Restic REST server running via Rclone.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| bind 192.168.1.106:8889 | |
| tls /etc/caddy/ssl/host_name-bundle.pem /etc/caddy/ssl/end_device-key.pem { | |
| protocols tls1.2 tls1.3 | |
| } | |
| # Reverse proxy to rclone restic rest service | |
| proxy / localhost:8080 { | |
| # health_check / | |
| transparent | |
| max_conns 1024 |
NewerOlder