From 3786489d47a7cf75232e527b700d8935f7d5ed3d Mon Sep 17 00:00:00 2001
From: Thien Tran
Date: Thu, 8 Jun 2023 11:38:10 -0700
Subject: [PATCH 01/10] Hugo v0.113.0
Signed-off-by: Thien Tran
---
 netlify.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/netlify.toml b/netlify.toml
index 0d3e536..a1dea1f 100644
--- a/netlify.toml
+++ b/netlify.toml
@@ -1,5 +1,5 @@
 [build.environment]
- HUGO_VERSION = "0.112.7"
+ HUGO_VERSION = "0.113.0"
 
 [context.deploy-preview]
  command = "hugo -b $DEPLOY_PRIME_URL"
From ac27eed590a93cc46e66a85a0c5c04189dd6908e Mon Sep 17 00:00:00 2001
From: Thien Tran
Date: Thu, 8 Jun 2023 13:30:07 -0700
Subject: [PATCH 02/10] Rename container
Signed-off-by: Thien Tran
---
 .devcontainer/devcontainer.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 818541c..96011a8 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,7 +1,7 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
- "name": "Ubuntu",
+ "name": "Ubuntu-Hugo",
  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
  "image": "mcr.microsoft.com/devcontainers/base:jammy",
  "features": {
From 2090622bbcca40194456d1cb49238fd10ffa48c2 Mon Sep 17 00:00:00 2001
From: Thien Tran
Date: Tue, 13 Jun 2023 02:53:54 -0700
Subject: [PATCH 03/10] /var/lib/zypp/AnonymousUniqueId should be emptied
Signed-off-by: Thien Tran
---
 content/posts/linux/Desktop Linux Hardening.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md
index d024d2b..1cf926a 100644
--- a/content/posts/linux/Desktop Linux Hardening.md
+++ b/content/posts/linux/Desktop Linux Hardening.md
@@ -75,7 +75,7 @@ Many Linux distributions sends some telemetry data by default to count how many The Fedora Project offers a ["countme" variable](https://dnf.readthedocs.io/en/latest/conf_ref.html#countme-label) to much more accurately [count unique systems accessing its mirrors](https://fedoraproject.org/wiki/Changes/DNF_Better_Counting) without involving unique IDs. While currently disabled by default, you could add `countme=false` to `/etc/dnf/dnf.conf` in case the default changes in the future. On rpm‑ostree systems such as Fedora Silverblue and Kinoite, the `countme` option can be disabled by [masking the rpm-ostree-countme timer](https://coreos.github.io/rpm-ostree/countme/). -[openSUSE uses a unique ID to count systems](https://en.opensuse.org/openSUSE:Statistics), which can be disabled by deleting the `/var/lib/zypp/AnonymousUniqueId` file. +[openSUSE uses a unique ID to count systems](https://en.opensuse.org/openSUSE:Statistics), which can be disabled by emptying the `/var/lib/zypp/AnonymousUniqueId` file. [Zorin OS also uses a unique ID to count systems.](https://zorin.com/legal/privacy/#census) You can opt‑out by running `sudo apt purge zorin-os-census` and optionally holding the package with `sudo apt-mark hold zorin-os-census` to avoid accidental reinstallation. From 0a1d5a899e9089bfb45a139dea3d4a3b46788c44 Mon Sep 17 00:00:00 2001 From: Thien Tran Date: Tue, 13 Jun 2023 02:57:28 -0700 Subject: [PATCH 04/10] Typo Fixes Signed-off-by: Thien Tran --- content/posts/linux/Desktop Linux Hardening.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 1cf926a..1c1cd24 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md 
@@ -458,7 +458,7 @@ First, you need to boot into your firmware interface and enter Secure Boot setup On certain hardware, this will not work. Instead, you will need to export the public key to your EFI partition and manually import it through your firmware interface: ``` -openssl x509 -in /usr/share/secureboot/keys/db/db.pem -outform DER -out /boot/efi/EFI/fedora/DB.cer +openssl x509 -in /usr/share/secureboot/keys/db/db.pem -outform DER -out /boot/efi/EFI/fedora/DB.der ``` ### Unified Kernel Image 
@@ -467,7 +467,7 @@ On most desktop Linux systems, it is possible to create a [unified kernel image] For Fedora Workstation, you can follow [Håvard Moen's guide](https://haavard.name/2022/06/22/full-uefi-secure-boot-on-fedora-using-signed-initrd-and-systemd-boot/) which covers sbctl installation, unified kernel image generation with [dracut](https://wiki.archlinux.org/title/Dracut), and automatic signing with systemd‑boot. -On Arch, the process is very similar, though sbctl is already included in the official repositories and you will need to switch from [mkinitpcio](https://wiki.archlinux.org/title/Mkinitcpio) to dracut. Arch with linux‑hardened works well with sbctl, but some level of tedious pacman hooks are required for appropriately timing the re‑signing of all relevant files every time the kernel or bootloader is updated. +On Arch, the process is very similar, though sbctl is already included in the official repositories and you will need to switch from [mkinitcpio](https://wiki.archlinux.org/title/Mkinitcpio) to dracut. Arch with linux‑hardened works well with sbctl, but some level of tedious pacman hooks are required for appropriately timing the re‑signing of all relevant files every time the kernel or bootloader is updated. In my opinion, this is the most straightforward setup, with a lot of potential such as [systemd's future UKI plans including support for early‑boot attestation](https://0pointer.de/blog/brave-new-trusted-boot-world.html). With that being said, it does not appear to work well with specialized setups such as Fedora Silverblue/Kinoite or Ubuntu with [ZSys](https://github.com/ubuntu/zsys). More testing is needed to see if they can be made to work. From a12c7d3231efa054b2941719830e8fc4ed54dd9a Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 16 Jun 2023 00:16:16 -0700 Subject: [PATCH 05/10] Create cloudflare-build.sh (#128) 
Signed-off-by: Tommy
---
 cloudflare-build.sh | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 cloudflare-build.sh
diff --git a/cloudflare-build.sh b/cloudflare-build.sh
new file mode 100644
index 0000000..3f4c924
--- /dev/null
+++ b/cloudflare-build.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if [ "$CF_PAGES_BRANCH" == "main" ]; then
+ hugo --minify
+else
+ hugo -b $CF_PAGES_URL --minify
+fi
From 1b7118d19d1ae336984e97516b6caa8386201c32 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 16 Jun 2023 00:38:31 -0700
Subject: [PATCH 06/10] Change to Cloudflare format (#129)
Signed-off-by: Tommy
---
 static/_headers | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/static/_headers b/static/_headers
index 1b90e23..05e6de3 100644
--- a/static/_headers
+++ b/static/_headers
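Review bot: The `else` branch is also taken when the script runs outside Cloudflare Pages with neither variable set, and then the unquoted `hugo -b $CF_PAGES_URL --minify` collapses to `hugo -b --minify`, so `--minify` is consumed as the base URL instead of being applied. A guard before the branch, `: "${CF_PAGES_BRANCH:?set by Cloudflare Pages}" "${CF_PAGES_URL:?set by Cloudflare Pages}"`, fails fast with a clear message; patch 10 later quotes the expansion, which avoids the argument shift but still passes an empty base URL. Since this script becomes the entry point for the download and extraction steps added in patches 08 to 10, `set -euo pipefail` right after the shebang would stop the build on the first failing command rather than on whatever happens to run last.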
@@ -11,33 +11,42 @@ # Cross-Origin-Opener-Policy : same-origin /posts/knowledge/multi-factor-authentication/ + ! Content-Security-Policy Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/android/android-tips/ + ! Content-Security-Policy Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/android/choosing-your-android-based-operating-system/ + ! Content-Security-Policy Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self' https://i.ytimg.com; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/linux/choosing-your-desktop-linux-distribution/ + ! Content-Security-Policy Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /posts/linux/desktop-linux-hardening/ + ! 
Content-Security-Policy Content-Security-Policy : default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'; frame-src https://www.youtube-nocookie.com https://www.google.com; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none' Cross-Origin-Embedder-Policy : unsafe-none /*.xml + ! Content-Security-Policy Content-Security-Policy : default-src 'none'; img-src 'self' data: https://www.w3.org/; style-src 'self' 'unsafe-inline'; block-all-mixed-content; base-uri 'none' /*.png + ! Content-Security-Policy Cross-Origin-Resource-Policy : cross-origin /*.jpg + ! Content-Security-Policy Cross-Origin-Resource-Policy : cross-origin /.well-known/openpgpkey/hu/* + ! Content-Security-Policy Access-Control-Allow-Origin: * From e6dccd56e6ca01b0a103464963455f9b608daaa7 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 16 Jun 2023 03:13:52 -0700 Subject: [PATCH 07/10] Update Netlify preview command (#131) Signed-off-by: Tommy --- netlify.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/netlify.toml b/netlify.toml index a1dea1f..0c2d0d6 100644 --- a/netlify.toml +++ b/netlify.toml @@ -2,7 +2,7 @@ HUGO_VERSION = "0.113.0" [context.deploy-preview] - command = "hugo -b $DEPLOY_PRIME_URL" + command = "sed -i 's/! Content-Security-Policy//g' static/_headers && hugo --minify" [[plugins]] package = "netlify-plugin-checklinks" From 8567512998cacb82163d9a2966fdbadef64e5ce8 Mon Sep 17 00:00:00 2001 From: Tommy Date: Fri, 16 Jun 2023 05:19:15 -0700 Subject: [PATCH 08/10] Use the latest Hugo version Signed-off-by: Tommy --- cloudflare-build.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cloudflare-build.sh b/cloudflare-build.sh index 3f4c924..550344d 100644 --- a/cloudflare-build.sh +++ b/cloudflare-build.sh 
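Review bot: The added `! Content-Security-Policy` lines are undocumented in the file: in Cloudflare Pages `_headers` syntax, `! Header-Name` detaches the header inherited from a broader rule (presumably a `/*` block above this hunk) so the per-path value below replaces it instead of being sent alongside it, and the `sed` added to the deploy-preview command in netlify.toml (patch 07) strips exactly these lines, which suggests Netlify's parser does not accept them. Since the file already uses `#` comments, a short comment above the first occurrence would save the next editor a trip to the docs: `# "! Header" is Cloudflare Pages syntax: drop the header inherited from the broader rule so the value below replaces it. Netlify builds strip these lines (see netlify.toml).` Under `/*.png`, `/*.jpg` and `/.well-known/openpgpkey/hu/*` the detached CSP is not replaced at all, which looks intentional for non-HTML responses but is worth stating in the same comment.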
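Review bot: The new deploy-preview command drops `-b $DEPLOY_PRIME_URL`, so preview builds now use the baseURL from the Hugo config and the absolute URLs Hugo generates for a preview presumably point at the production host; the `sed` can be kept while restoring the flag, `command = "sed -i 's/! Content-Security-Policy//g' static/_headers && hugo -b $DEPLOY_PRIME_URL --minify"`. The substitution also runs only in the deploy-preview context, so if a production Netlify build context exists outside this hunk it will still see the Cloudflare-only `!` lines. Editing the checkout in place is fine in a throwaway CI build, but it leaves whitespace-only lines behind, which should be harmless if Netlify ignores blank lines.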
@@ -1,5 +1,11 @@
 #!/bin/bash
 
+export GOPROXY=direct
+export GOSUMD=off
+export CGO_ENABLED=1
+
+go install -tags extended github.com/gohugoio/hugo@latest
+
 if [ "$CF_PAGES_BRANCH" == "main" ]; then
  hugo --minify
 else
From c26ee81c69315a347525eec3f3bed402060c2414 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 16 Jun 2023 05:59:11 -0700
Subject: [PATCH 09/10] Download hugo instead of compiling
Signed-off-by: Tommy
---
 cloudflare-build.sh | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/cloudflare-build.sh b/cloudflare-build.sh
index 550344d..c4e3742 100644
--- a/cloudflare-build.sh
+++ b/cloudflare-build.sh
@@ -1,13 +1,12 @@
 #!/bin/bash
 
-export GOPROXY=direct
-export GOSUMD=off
-export CGO_ENABLED=1
+curl -L -s https://api.github.com/repos/gohugoio/hugo/releases/latest | grep "browser_download_url.*extended.*linux-amd64.tar.gz" | cut -d : -f 2,3 | sed 's/"//g' | xargs wget
 
-go install -tags extended github.com/gohugoio/hugo@latest
+tar xvf *.tar.gz
+chmod u+x ./hugo
 
 if [ "$CF_PAGES_BRANCH" == "main" ]; then
- hugo --minify
+ ./hugo --minify
 else
- hugo -b $CF_PAGES_URL --minify
+ ./hugo -b $CF_PAGES_URL --minify
 fi
From a06d28e69a0c8136ee1cc2fd60a35ce30bcc68dc Mon Sep 17 00:00:00 2001
From: samsepi0l
Date: Fri, 16 Jun 2023 15:16:10 +0200
Subject: [PATCH 10/10] Shellchecked (#132)
Signed-off-by: samsepi0l
---
 cloudflare-build.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloudflare-build.sh b/cloudflare-build.sh
index c4e3742..07a149a 100644
--- a/cloudflare-build.sh
+++ b/cloudflare-build.sh
@@ -2,11 +2,11 @@
 
 curl -L -s https://api.github.com/repos/gohugoio/hugo/releases/latest | grep "browser_download_url.*extended.*linux-amd64.tar.gz" | cut -d : -f 2,3 | sed 's/"//g' | xargs wget
 
-tar xvf *.tar.gz
+tar xvf ./*.tar.gz
 chmod u+x ./hugo
 
 if [ "$CF_PAGES_BRANCH" == "main" ]; then
  ./hugo --minify
 else
- ./hugo -b $CF_PAGES_URL --minify
+ ./hugo -b "$CF_PAGES_URL" --minify
 fi
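Review bot: `export GOSUMD=off` is a no-op because the Go variable is `GOSUMDB`; as written, checksum-database verification stays on, which is the setting a build pipeline wants — with `GOPROXY=direct` the module is fetched straight from the upstream VCS and `GOSUMDB` is the only integrity check left — so the line should be deleted rather than have its typo fixed. `@latest` also makes the build non-reproducible and diverges from the `HUGO_VERSION = "0.113.0"` pinned in netlify.toml; `go install -tags extended github.com/gohugoio/hugo@v0.113.0` pins it. Patch 09 replaces this approach with a binary download, where the same pinning concern applies.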
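Review bot: The archive is resolved from the `releases/latest` API and extracted without any integrity check, so whatever URL that response yields is executed as the build tool, and the build is neither reproducible nor aligned with the `HUGO_VERSION = "0.113.0"` pinned in netlify.toml. `curl -s` without `-f` also means a failed or rate-limited API call leaves `xargs wget` with no URL, and without the `set -e` raised on patch 05 the script only fails later when `./hugo` is missing. Pin the version, fetch the release archive directly and verify its sha256 against a value committed next to the script; the rewritten download section is below (patch 10 keeps the same pipeline, so it applies there too). The asset name follows the `extended…linux-amd64.tar.gz` pattern the grep already matches, but confirm it and the digest against the release page before committing.
```shell
set -euo pipefail

# Pin the Hugo release (netlify.toml pins 0.113.0) and verify it instead of resolving "latest" at build time.
HUGO_VERSION="0.113.0"
HUGO_SHA256="<sha256 of the pinned archive, taken from the release's checksums file>"
HUGO_TARBALL="hugo_extended_${HUGO_VERSION}_linux-amd64.tar.gz"

curl -fsSL -o "$HUGO_TARBALL" \
  "https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/${HUGO_TARBALL}"
# Abort the build if the download does not match the committed digest.
printf '%s  %s\n' "$HUGO_SHA256" "$HUGO_TARBALL" | sha256sum -c -
tar xf "$HUGO_TARBALL" hugo
chmod u+x ./hugo
# … unchanged: branch check and ./hugo invocation …
```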