diff --git a/certbot-ocsp-fetcher b/certbot-ocsp-fetcher new file mode 100755 index 0000000..7ce74b8 --- /dev/null +++ b/certbot-ocsp-fetcher @@ -0,0 +1,512 @@ +#!/usr/bin/env bash + +# Unofficial Bash strict mode +set \ + -o errexit \ + -o errtrace \ + -o noglob \ + -o nounset \ + -o pipefail +IFS=$'\n\t' +shopt -s inherit_errexit + +exit_with_error() { + echo "${@}" >&2 + exit 1 +} + +check_for_dependencies() { + if ((BASH_VERSINFO[0] == 4 && \ + BASH_VERSINFO[1] < 3 || \ + BASH_VERSINFO[0] < 4)); then + exit_with_error \ + error:$'\t\t'"${0##*/} requires Bash 4.3+." + fi + + if ! { command -v openssl >&- && + [[ $(openssl version) =~ ^OpenSSL\ ([[:digit:]]+)\.([[:digit:]]+) ]] && + ((BASH_REMATCH[1] == 1 && \ + BASH_REMATCH[2] >= 1 || \ + BASH_REMATCH[1] > 1)); }; then + # shellcheck disable=2016 + exit_with_error \ + error:$'\t\t'"${0##*/} requires OpenSSL 1.1.0+," \ + 'but it is not available on $PATH.' + fi +} + +parse_cli_arguments() { + local -r usage=( + "USAGE: ${0}" + "[-c/--certbot-dir DIRECTORY]" + "[-f/--force-update]" + "[-h/--help]" + "[-n/--cert-name NAME[,NAME...] [-u/--ocsp-responder URL]]" + "[-o/--output-dir DIRECTORY]" + "[-q/--quiet]" + "[-v/--verbose]" + "[-w/--no-reload-webserver]" + ) + + declare -gl ERROR_ENCOUNTERED + + declare -gi VERBOSITY=1 + local -r verbosity_error=( + "error: -q/--quiet cannot be specified in conjunction with -v/--verbose." + ) + + while ((${#} > 0)); do + local parameter=${1} + + case ${parameter} in + -[^-]?*) + set -- "-${parameter:1:1}" "-${parameter:2}" "${@:2}" + ;; + -c | --certbot-dir | --certbot-dir=?*) + if [[ -v CERTBOT_DIR ]]; then + exit_with_error "${usage[@]}" + fi + + if [[ ${parameter} =~ --certbot-dir=(.+) ]]; then + CERTBOT_DIR=${BASH_REMATCH[1]} + else + if [[ -n ${2:-} ]]; then + CERTBOT_DIR=${2} + shift + else + exit_with_error "${usage[@]}" + fi + fi + + CERTBOT_DIR=$( + realpath \ + --canonicalize-missing \ + --relative-base . \ + -- "${CERTBOT_DIR}" + echo x + ) + CERTBOT_DIR=${CERTBOT_DIR%??} + shift + ;; + -f | --force-update) + if [[ ! -v FORCE_UPDATE ]]; then + declare -glr FORCE_UPDATE=true + fi + shift + ;; + -h | --help) + echo >&2 "${usage[@]}" + exit + ;; + -n | --cert-name | --cert-name=?*) + if [[ ${parameter} =~ --cert-name=(.+) ]]; then + local cert_lineages_value=${BASH_REMATCH[1]} + shift + else + if [[ -n ${2:-} ]]; then + local cert_lineages_value=${2} + shift 2 + else + exit_with_error "${usage[@]}" + fi + fi + + # Loop over any lineages passed in the same value of --cert-name. + OLDIFS=${IFS} + IFS=, + declare -Ag CERT_LINEAGES + # Check if a hardcoded OCSP responder was specified for this set of + # lineages. + case ${1:-} in + -u | --ocsp-responder) + if [[ -n ${2:-} ]]; then + for lineage_name in ${cert_lineages_value}; do + CERT_LINEAGES["${lineage_name}"]=${2} + done + shift + else + exit_with_error "${usage[@]}" + fi + shift + ;; + --ocsp-responder=?*) + [[ ${1} =~ --ocsp-responder=(.+) ]] + for lineage_name in ${cert_lineages_value}; do + CERT_LINEAGES["${lineage_name}"]=${BASH_REMATCH[1]} + done + shift + ;; + *) + # If no OCSP responder was specified, just save the lineage + # name as the key, with an empty value. + for lineage_name in ${cert_lineages_value}; do + CERT_LINEAGES["${lineage_name}"]= + done + ;; + esac + unset lineage_name cert_lineages_value + IFS=${OLDIFS} + ;; + -o | --output-dir | --output-dir=?*) + if [[ -v OUTPUT_DIR ]]; then + exit_with_error "${usage[@]}" + fi + + if [[ ${parameter} =~ --output-dir=(.+) ]]; then + OUTPUT_DIR=${BASH_REMATCH[1]} + else + if [[ -n ${2:-} ]]; then + OUTPUT_DIR=${2} + shift + else + exit_with_error "${usage[@]}" + fi + fi + + OUTPUT_DIR=$( + realpath \ + --canonicalize-missing \ + --relative-base . \ + -- "${OUTPUT_DIR}" + echo x + ) + OUTPUT_DIR=${OUTPUT_DIR%??} + shift + ;; + -q | --quiet) + if ((VERBOSITY != 1)); then + exit_with_error "${verbosity_error[@]}" + else + readonly VERBOSITY=0 + shift + fi + ;; + -v | --verbose) + if ((VERBOSITY == 0)); then + exit_with_error "${verbosity_error[@]}" + else + VERBOSITY+=1 + shift + fi + ;; + -w | --no-reload-webserver) + if [[ ! -v RELOAD_WEBSERVER ]]; then + declare -glr RELOAD_WEBSERVER=false + fi + shift + ;; + *) + exit_with_error "${usage[@]}" + ;; + esac + done + + # When not parsed, the stdout and/or stderr output of all external commands + # we call in the script is redirected to file descriptor 3. Depending on the + # desired verbosity, we redirect this file descriptor to either stderr or to + # /dev/null. + if ((VERBOSITY >= 2)); then + exec 3>&2 + else + exec 3>/dev/null + fi +} + +# Set output directory if necessary and check if it's writeable +prepare_output_dir() { + if [[ -v OUTPUT_DIR ]]; then + if [[ ! -e ${OUTPUT_DIR} ]]; then + # Don't yet fail if it's not possible to create the directory, so we can + # exit with a custom error down below + mkdir \ + --parents \ + -- "${OUTPUT_DIR}" || true + fi + else + readonly OUTPUT_DIR=. + fi + + if [[ ! -w ${OUTPUT_DIR} ]]; then + exit_with_error \ + error:$'\t\t'"no write access to output directory (\"${OUTPUT_DIR}\")" + fi +} + +start_in_correct_mode() { + # Create temporary directory to store OCSP staple file, + # before having checked the certificate status in the response + local temp_output_dir + temp_output_dir=$(mktemp --directory) + readonly temp_output_dir + trap "rm -r -- ""${temp_output_dir}" EXIT + + declare -A lineages_processed + + # These two environment variables are set if this script is invoked by Certbot + if [[ ! -v RENEWED_DOMAINS || ! -v RENEWED_LINEAGE ]]; then + run_standalone + else + run_as_deploy_hook + fi + + print_and_handle_result +} + +# Run in "check one or all certificate lineage(s) managed by Certbot" mode +# $1 - Path to temporary output directory +run_standalone() { + readonly CERTBOT_DIR=${CERTBOT_DIR:-/etc/letsencrypt} + + if [[ ! -r ${CERTBOT_DIR} || (-d ${CERTBOT_DIR}/live && ! -r ${CERTBOT_DIR}/live) ]]; then + exit_with_error \ + error:$'\t\t'"can't access ${CERTBOT_DIR}/live" + fi + + # Check specific lineage if passed on CLI, + # or otherwise all lineages in Certbot's dir + if [[ -v CERT_LINEAGES[@] ]]; then + for lineage_name in "${!CERT_LINEAGES[@]}"; do + if [[ -r ${CERTBOT_DIR}/live/${lineage_name} ]]; then + fetch_ocsp_response \ + "--standalone" \ + "${temp_output_dir}" \ + "${lineage_name}" \ + "${CERT_LINEAGES["${lineage_name}"]}" + else + exit_with_error \ + "error:"$'\t\t'"can't access ${CERTBOT_DIR}/live/${lineage_name}" + fi + done + else + set +f + shopt -s nullglob + for lineage_dir in "${CERTBOT_DIR}"/live/*; do + set -f + + # Skip non-directories, like Certbot's README file + [[ -d ${lineage_dir} ]] || continue + + fetch_ocsp_response \ + "--standalone" "${temp_output_dir}" "${lineage_dir##*/}" + done + unset lineage_dir + fi +} + +# Run in deploy-hook mode, only processing the passed lineage +# $1 - Path to temporary output directory +run_as_deploy_hook() { + if [[ -v CERTBOT_DIR ]]; then + # The directory is already inferred from the environment variable that + # Certbot passes + exit_with_error \ + error:$'\t\t'"-c/--certbot-dir cannot be passed" \ + "when run as Certbot hook" + fi + + if [[ -v FORCE_UPDATE ]]; then + # When run as deploy hook the behavior of this flag is used by default. + # Therefore passing this flag would not have any effect. + exit_with_error \ + error:$'\t\t'"-f/--force-update cannot be passed" \ + "when run as Certbot hook" + fi + + if [[ -v CERT_LINEAGES[@] ]]; then + # The certificate lineage is already inferred from the environment + # variable that Certbot passes + exit_with_error \ + error:$'\t\t'"-n/--cert-name cannot be passed when run as Certbot hook" + fi + + fetch_ocsp_response \ + --deploy_hook "${temp_output_dir}" "${RENEWED_LINEAGE##*/}" +} + +# Check if it's necessary to fetch a new OCSP response +check_for_existing_ocsp_staple_file() { + [[ -f ${OUTPUT_DIR}/${lineage_name}.der ]] || return 1 + + # Validate and verify the existing local OCSP staple file + local existing_ocsp_response + set +e + existing_ocsp_response=$(openssl ocsp \ + -no_nonce \ + -issuer "${lineage_dir}/chain.pem" \ + -cert "${lineage_dir}/cert.pem" \ + -verify_other "${lineage_dir}/chain.pem" \ + -respin "${OUTPUT_DIR}/${lineage_name}.der" 2>&3) + local -ir existing_ocsp_response_rc=${?} + set -e + readonly existing_ocsp_response + + ((existing_ocsp_response_rc == 0)) || return 1 + + for existing_ocsp_response_line in ${existing_ocsp_response}; do + if [[ ${existing_ocsp_response_line} =~ ^[[:blank:]]*"This Update: "(.+)$ ]]; then + local -r this_update=${BASH_REMATCH[1]} + elif [[ ${existing_ocsp_response_line} =~ ^[[:blank:]]*"Next Update: "(.+)$ ]]; then + local -r next_update=${BASH_REMATCH[1]} + fi + done + [[ -n ${this_update:-} && -n ${next_update:-} ]] || return 1 + + # Only continue fetching OCSP response if existing response expires within + # half of its lifetime. + local -ri response_lifetime_in_seconds=$((\ + $(date +%s --date "${next_update}") - $(date +%s --date "${this_update}"))) + (($(date +%s) < \ + $(date +%s --date "${this_update}") + response_lifetime_in_seconds / 2)) || return 1 +} + +# Generate file used by ssl_stapling_file in nginx config of websites +# $1 - Whether to run as a deploy hook for Certbot, or standalone +# $2 - Path to temporary output directory +# $3 - Name of certificate lineage +# $4 - OCSP endpoint (if specified on command line) +fetch_ocsp_response() { + local -r temp_output_dir=${2} + local -r lineage_name=${3} + case ${1} in + --standalone) + local -r lineage_dir=${CERTBOT_DIR}/live/${lineage_name} + + if [[ ${FORCE_UPDATE:-} != true ]] && + check_for_existing_ocsp_staple_file; then + lineages_processed["${lineage_name}"]="not updated"$'\t'"valid staple file on disk" + return + fi + ;; + --deploy_hook) + local -r lineage_dir=${RENEWED_LINEAGE} + ;; + *) + return 1 + ;; + esac + shift 3 + + # Verify that the leaf certificate is still valid. If the certificate is + # expired, we don't have to request a (new) OCSP response. + local cert_expiry_output + set +e + cert_expiry_output=$(openssl x509 \ + -in "${lineage_dir}/cert.pem" \ + -checkend 0 \ + -noout 2>&3) + local -ri cert_expiry_rc=${?} + set -e + if ((cert_expiry_rc != 0)); then + ERROR_ENCOUNTERED=true + lineages_processed["${lineage_name}"]="not updated" + if [[ ${cert_expiry_output} == "Certificate will expire" ]]; then + lineages_processed["${lineage_name}"]+=$'\t'"leaf certificate expired" + fi + return + fi + + local ocsp_endpoint + if [[ -n ${1-} ]]; then + ocsp_endpoint=${1} + else + ocsp_endpoint=$(openssl x509 \ + -noout \ + -ocsp_uri \ + -in "${lineage_dir}/cert.pem" \ + 2>&3) + fi + + # Request, verify and temporarily save the actual OCSP response, + # and check whether the certificate status is "good" + local ocsp_call_output + set +e + ocsp_call_output=$(openssl ocsp \ + -no_nonce \ + -url "${ocsp_endpoint}" \ + -issuer "${lineage_dir}/chain.pem" \ + -cert "${lineage_dir}/cert.pem" \ + -verify_other "${lineage_dir}/chain.pem" \ + -respout "${temp_output_dir}/${lineage_name}.der" 2>&3) + local -ir ocsp_call_rc=${?} + set -e + readonly ocsp_call_output=${ocsp_call_output#${lineage_dir}/cert.pem: } + local -r cert_status=${ocsp_call_output%%$'\n'*} + + if [[ ${ocsp_call_rc} != 0 || ${cert_status} != good ]]; then + ERROR_ENCOUNTERED=true + + lineages_processed["${lineage_name}"]="not updated" + if ((VERBOSITY >= 2)); then + lineages_processed["${lineage_name}"]+=$'\t'"${ocsp_call_output//[[:space:]]/ }" + else + lineages_processed["${lineage_name}"]+=$'\t'"${cert_status}" + fi + + return + fi + + # If arrived here status was good, so move OCSP staple file to definitive + # folder + mv "${temp_output_dir}/${lineage_name}.der" "${OUTPUT_DIR}/" + + lineages_processed["${lineage_name}"]=updated +} + +print_and_handle_result() { + local -r header=LINEAGE$'\t'RESULT$'\t'REASON + + for lineage_name in "${!lineages_processed[@]}"; do + local lineages_processed_formatted+=$'\n'"${lineage_name}"$'\t'"${lineages_processed["${lineage_name}"]}" + done + unset lineage_name + lineages_processed_formatted=$(sort <<<"${lineages_processed_formatted:-}") + readonly lineages_processed_formatted + + if [[ ${RELOAD_WEBSERVER:-} != false ]]; then + reload_webserver + fi + + local -r output=${header}${lineages_processed_formatted:-}${nginx_status-} + + if ((VERBOSITY >= 1)); then + if command -v column >&-; then + column -ts$'\t' <<<"${output}" + else + # shellcheck disable=2016 + echo >&2 \ + 'Install the BSD utility `column` for properly formatted output.'$'\n' + echo "${output}" + fi + fi + + [[ ${ERROR_ENCOUNTERED:-} != true ]] +} + +reload_webserver() { + for lineage_name in "${!lineages_processed[@]}"; do + if [[ ${lineages_processed["${lineage_name}"]} == updated ]]; then + if nginx -s reload >&3 2>&1; then + # The last line includes a leading space, to workaround the lack of the + # `-n` flag in later versions of `column`. + local -r nginx_status=$'\n\n \t'"nginx reloaded" + else + ERROR_ENCOUNTERED=true + local -r nginx_status=$'\n\n \t'"nginx not reloaded"$'\t'"unable to reload nginx service, try manually" + fi + break + fi + done + unset lineage_name +} + +main() { + check_for_dependencies + + parse_cli_arguments "${@}" + + prepare_output_dir + + start_in_correct_mode +} + +main "${@}" diff --git a/certbot-ocsp-fetcher.service b/certbot-ocsp-fetcher.service new file mode 100644 index 0000000..86c131d --- /dev/null +++ b/certbot-ocsp-fetcher.service @@ -0,0 +1,13 @@ +[Unit] +Description=Fetch OCSP responses for all certificates issued with Certbot + +[Service] +Type=oneshot + +# When systemd v244+ is available, this should be uncommented to enable retries +# on failure. +Restart=on-failure + +User=root +Group=root +ExecStart=/usr/local/bin/certbot-ocsp-fetcher -o /etc/nginx/ocsp-cache diff --git a/certbot-ocsp-fetcher.timer b/certbot-ocsp-fetcher.timer new file mode 100644 index 0000000..9ff79e9 --- /dev/null +++ b/certbot-ocsp-fetcher.timer @@ -0,0 +1,10 @@ +[Unit] +Description=Nightly run certbot-ocsp-fetcher + +[Timer] +OnCalendar=*-*-* 01:00:00 +RandomizedDelaySec=21600 +Persistent=true + +[Install] +WantedBy=timers.target diff --git a/hosts b/hosts new file mode 100644 index 0000000..37a9306 --- /dev/null +++ b/hosts @@ -0,0 +1,2 @@ +# Static table lookup for hostnames. +# See hosts(5) for details. diff --git a/local.conf b/local.conf new file mode 100644 index 0000000..6e93d67 --- /dev/null +++ b/local.conf @@ -0,0 +1,36 @@ +net.ipv4.tcp_ecn = 1 +net.ipv4.tcp_slow_start_after_idle = 0 +net.ipv4.tcp_fin_timeout = 30 +net.ipv4.tcp_rfc1337 = 1 +net.ipv4.tcp_tw_reuse = 1 + +net.ipv4.tcp_max_syn_backlog = 4096 + +net.ipv4.ip_local_port_range = 1024 65535 + +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 + +kernel.yama.ptrace_scope = 2 + +vm.mmap_rnd_bits = 32 +vm.mmap_rnd_compat_bits = 16 + +kernel.kptr_restrict = 2 + +kernel.unprivileged_bpf_disabled = 1 +net.core.bpf_jit_harden = 2 + +kernel.kexec_load_disabled = 1 + +kernel.pid_max = 4194304 + +fs.protected_regular = 2 +fs.protected_fifos = 2 + +kernel.panic = 10 +kernel.panic_on_oops = 1 + +dev.tty.ldisc_autoload = 0 diff --git a/mirrorlist b/mirrorlist new file mode 100644 index 0000000..f9c9aa6 --- /dev/null +++ b/mirrorlist @@ -0,0 +1,755 @@ +## +## Arch Linux repository mirrorlist +## Generated on 2021-07-18 +## + +## Worldwide +#Server = http://mirrors.evowise.com/archlinux/$repo/os/$arch +#Server = http://mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://mirror.rackspace.com/archlinux/$repo/os/$arch + +## Australia +#Server = https://mirror.aarnet.edu.au/pub/archlinux/$repo/os/$arch +#Server = http://archlinux.mirror.digitalpacific.com.au/$repo/os/$arch +#Server = https://archlinux.mirror.digitalpacific.com.au/$repo/os/$arch +#Server = http://ftp.iinet.net.au/pub/archlinux/$repo/os/$arch +#Server = http://mirror.internode.on.net/pub/archlinux/$repo/os/$arch +#Server = http://mirror.launtel.net.au/repo/arch/$repo/os/$arch +#Server = https://mirror.launtel.net.au/repo/arch/$repo/os/$arch +#Server = http://arch.lucassymons.net/$repo/os/$arch +#Server = https://arch.lucassymons.net/$repo/os/$arch +#Server = http://syd.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://syd.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = http://ftp.swin.edu.au/archlinux/$repo/os/$arch + +## Austria +#Server = http://mirror.digitalnova.at/archlinux/$repo/os/$arch +#Server = http://mirror.easyname.at/archlinux/$repo/os/$arch +#Server = http://mirror.reisenbauer.ee/archlinux/$repo/os/$arch +#Server = https://mirror.reisenbauer.ee/archlinux/$repo/os/$arch + +## Bangladesh +#Server = http://mirror.xeonbd.com/archlinux/$repo/os/$arch + +## Belarus +#Server = http://ftp.byfly.by/pub/archlinux/$repo/os/$arch +#Server = http://mirror.datacenter.by/pub/archlinux/$repo/os/$arch + +## Belgium +#Server = http://archlinux.cu.be/$repo/os/$arch +#Server = http://archlinux.mirror.kangaroot.net/$repo/os/$arch +#Server = http://mirror.tiguinet.net/arch/$repo/os/$arch + +## Bosnia and Herzegovina +#Server = http://archlinux.mirror.ba/$repo/os/$arch + +## Brazil +#Server = http://br.mirror.archlinux-br.org/$repo/os/$arch +#Server = http://archlinux.c3sl.ufpr.br/$repo/os/$arch +#Server = http://www.caco.ic.unicamp.br/archlinux/$repo/os/$arch +#Server = https://www.caco.ic.unicamp.br/archlinux/$repo/os/$arch +#Server = http://linorg.usp.br/archlinux/$repo/os/$arch +#Server = http://archlinux.pop-es.rnp.br/$repo/os/$arch +#Server = http://mirror.ufam.edu.br/archlinux/$repo/os/$arch +#Server = http://mirror.ufscar.br/archlinux/$repo/os/$arch + +## Bulgaria +#Server = https://mirror.darklinux.uk/archlinux/$repo/os/$arch +#Server = http://mirror.host.ag/archlinux/$repo/os/$arch +#Server = http://mirrors.netix.net/archlinux/$repo/os/$arch +#Server = http://mirror.telepoint.bg/archlinux/$repo/os/$arch +#Server = https://mirror.telepoint.bg/archlinux/$repo/os/$arch +#Server = http://mirrors.uni-plovdiv.net/archlinux/$repo/os/$arch +#Server = https://mirrors.uni-plovdiv.net/archlinux/$repo/os/$arch + +## Canada +#Server = https://mirror.0xem.ma/arch/$repo/os/$arch +#Server = http://mirror.cedille.club/archlinux/$repo/os/$arch +#Server = http://archlinux.mirror.colo-serv.net/$repo/os/$arch +#Server = http://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch +#Server = https://mirror.csclub.uwaterloo.ca/archlinux/$repo/os/$arch +#Server = http://mirror2.evolution-host.com/archlinux/$repo/os/$arch +#Server = https://mirror2.evolution-host.com/archlinux/$repo/os/$arch +#Server = http://mirror.its.dal.ca/archlinux/$repo/os/$arch +#Server = http://muug.ca/mirror/archlinux/$repo/os/$arch +#Server = https://muug.ca/mirror/archlinux/$repo/os/$arch +#Server = http://arch.powerfly.ca/$repo/os/$arch +#Server = https://arch.powerfly.ca/$repo/os/$arch +#Server = http://archlinux.mirror.rafal.ca/$repo/os/$arch +#Server = http://mirror.scd31.com/arch/$repo/os/$arch +#Server = https://mirror.scd31.com/arch/$repo/os/$arch +#Server = http://mirror.sergal.org/archlinux/$repo/os/$arch +#Server = https://mirror.sergal.org/archlinux/$repo/os/$arch + +## Chile +#Server = http://mirror.anquan.cl/archlinux/$repo/os/$arch +#Server = http://mirror.archlinux.cl/$repo/os/$arch +#Server = http://mirror1.cl.netactuate.com/archlinux/$repo/os/$arch +#Server = https://mirror1.cl.netactuate.com/archlinux/$repo/os/$arch +#Server = http://mirror.ufro.cl/archlinux/$repo/os/$arch +#Server = https://mirror.ufro.cl/archlinux/$repo/os/$arch + +## China +#Server = http://mirrors.163.com/archlinux/$repo/os/$arch +#Server = http://mirrors.bfsu.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.bfsu.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.cqu.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.cqu.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.dgut.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.dgut.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.hit.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.hit.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirror.lzu.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.neusoft.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.neusoft.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.nju.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.nju.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirror.redrock.team/archlinux/$repo/os/$arch +#Server = https://mirror.redrock.team/archlinux/$repo/os/$arch +#Server = https://mirrors.sjtug.sjtu.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.tuna.tsinghua.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.ustc.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.ustc.edu.cn/archlinux/$repo/os/$arch +#Server = https://mirrors.xjtu.edu.cn/archlinux/$repo/os/$arch +#Server = http://mirrors.zju.edu.cn/archlinux/$repo/os/$arch + +## Colombia +#Server = http://mirrors.udenar.edu.co/archlinux/$repo/os/$arch + +## Croatia +#Server = http://archlinux.iskon.hr/$repo/os/$arch + +## Czechia +#Server = http://mirror.dkm.cz/archlinux/$repo/os/$arch +#Server = https://mirror.dkm.cz/archlinux/$repo/os/$arch +#Server = https://europe.mirror.pkgbuild.com/$repo/os/$arch +#Server = http://ftp.fi.muni.cz/pub/linux/arch/$repo/os/$arch +#Server = http://ftp.linux.cz/pub/linux/arch/$repo/os/$arch +#Server = http://gluttony.sin.cvut.cz/arch/$repo/os/$arch +#Server = https://gluttony.sin.cvut.cz/arch/$repo/os/$arch +#Server = http://mirrors.nic.cz/archlinux/$repo/os/$arch +#Server = http://ftp.sh.cvut.cz/arch/$repo/os/$arch +#Server = https://ftp.sh.cvut.cz/arch/$repo/os/$arch +#Server = http://mirror.vpsfree.cz/archlinux/$repo/os/$arch + +## Denmark +#Server = http://mirrors.dotsrc.org/archlinux/$repo/os/$arch +#Server = https://mirrors.dotsrc.org/archlinux/$repo/os/$arch +#Server = http://mirror.one.com/archlinux/$repo/os/$arch +#Server = https://mirror.one.com/archlinux/$repo/os/$arch + +## Ecuador +#Server = http://mirror.cedia.org.ec/archlinux/$repo/os/$arch +#Server = http://mirror.espoch.edu.ec/archlinux/$repo/os/$arch +#Server = http://mirror.uta.edu.ec/archlinux/$repo/os/$arch + +## Estonia +#Server = http://mirror.cspacehostings.com/archlinux/$repo/os/$arch +#Server = https://mirror.cspacehostings.com/archlinux/$repo/os/$arch +#Server = http://mirrors.xtom.ee/archlinux/$repo/os/$arch +#Server = https://mirrors.xtom.ee/archlinux/$repo/os/$arch + +## Finland +#Server = https://arch.mcstrugs.org/$repo/os/$arch +#Server = http://mirror.arctic.lol/ArchMirror/$repo/os/$arch +#Server = http://arch.mirror.far.fi/$repo/os/$arch +#Server = http://mirror.hosthink.net/archlinux/$repo/os/$arch +#Server = https://mirror.srv.fail/archlinux/$repo/os/$arch +#Server = http://mirror.wuki.li/archlinux/$repo/os/$arch +#Server = https://mirror.wuki.li/archlinux/$repo/os/$arch +#Server = http://arch.yhtez.xyz/$repo/os/$arch +#Server = https://arch.yhtez.xyz/$repo/os/$arch + +## France +#Server = http://archlinux.de-labrusse.fr/$repo/os/$arch +#Server = http://mirror.archlinux.ikoula.com/archlinux/$repo/os/$arch +#Server = https://archlinux.vi-di.fr/$repo/os/$arch +#Server = http://archlinux.mirrors.benatherton.com/$repo/os/$arch +#Server = http://mirror.cyberbits.eu/archlinux/$repo/os/$arch +#Server = https://mirror.cyberbits.eu/archlinux/$repo/os/$arch +#Server = http://archlinux.datagr.am/$repo/os/$arch +#Server = https://mirrors.eric.ovh/arch/$repo/os/$arch +#Server = http://mirror.ibcp.fr/pub/archlinux/$repo/os/$arch +#Server = http://mirror.lastmikoi.net/archlinux/$repo/os/$arch +#Server = https://arch-mirror.cloud.louifox.house/$repo/os/$arch +#Server = http://archlinux.mailtunnel.eu/$repo/os/$arch +#Server = https://archlinux.mailtunnel.eu/$repo/os/$arch +#Server = http://mir.archlinux.fr/$repo/os/$arch +#Server = http://mirrors.celianvdb.fr/archlinux/$repo/os/$arch +#Server = https://mirrors.celianvdb.fr/archlinux/$repo/os/$arch +#Server = http://arch.nimukaito.net/$repo/os/$arch +#Server = https://arch.nimukaito.net/$repo/os/$arch +#Server = http://mirror.oldsql.cc/archlinux/$repo/os/$arch +#Server = https://mirror.oldsql.cc/archlinux/$repo/os/$arch +#Server = http://archlinux.mirrors.ovh.net/archlinux/$repo/os/$arch +#Server = http://archlinux.polymorf.fr/$repo/os/$arch +#Server = http://archlinux.rezopole.net/$repo/os/$arch +#Server = https://mirrors.slaanesh.org/archlinux/$repo/os/$arch +#Server = http://mirrors.standaloneinstaller.com/archlinux/$repo/os/$arch +#Server = https://mirror.sysa.tech/archlinux/$repo/os/$arch +#Server = https://mirror.thekinrar.fr/archlinux/$repo/os/$arch +#Server = http://ftp.u-strasbg.fr/linux/distributions/archlinux/$repo/os/$arch +#Server = https://mirror.wormhole.eu/archlinux/$repo/os/$arch +#Server = http://mirroir.wptheme.fr/archlinux/$repo/os/$arch +#Server = https://mirroir.wptheme.fr/archlinux/$repo/os/$arch +#Server = http://arch.yourlabs.org/$repo/os/$arch +#Server = https://arch.yourlabs.org/$repo/os/$arch + +## Georgia +#Server = http://archlinux.grena.ge/$repo/os/$arch +#Server = https://archlinux.grena.ge/$repo/os/$arch + +## Germany +#Server = http://mirror.23media.com/archlinux/$repo/os/$arch +#Server = https://mirror.23media.com/archlinux/$repo/os/$arch +#Server = http://ftp.agdsn.de/pub/mirrors/archlinux/$repo/os/$arch +#Server = https://ftp.agdsn.de/pub/mirrors/archlinux/$repo/os/$arch +#Server = https://appuals.com/archlinux/$repo/os/$arch +#Server = http://artfiles.org/archlinux.org/$repo/os/$arch +#Server = https://mirror.bethselamin.de/$repo/os/$arch +#Server = http://mirror.chaoticum.net/arch/$repo/os/$arch +#Server = https://mirror.chaoticum.net/arch/$repo/os/$arch +#Server = http://mirror.checkdomain.de/archlinux/$repo/os/$arch +#Server = https://mirror.checkdomain.de/archlinux/$repo/os/$arch +#Server = http://mirror.clientvps.com/archlinux/$repo/os/$arch +#Server = https://mirror.clientvps.com/archlinux/$repo/os/$arch +#Server = https://mirror.dogado.de/archlinux/$repo/os/$arch +#Server = http://mirror.f4st.host/archlinux/$repo/os/$arch +#Server = https://mirror.f4st.host/archlinux/$repo/os/$arch +#Server = http://ftp.fau.de/archlinux/$repo/os/$arch +#Server = https://ftp.fau.de/archlinux/$repo/os/$arch +#Server = https://pkg.fef.moe/archlinux/$repo/os/$arch +#Server = https://dist-mirror.fem.tu-ilmenau.de/archlinux/$repo/os/$arch +#Server = http://mirror.fsrv.services/archlinux/$repo/os/$arch +#Server = https://mirror.fsrv.services/archlinux/$repo/os/$arch +#Server = https://mirror.gnomus.de/$repo/os/$arch +#Server = http://www.gutscheindrache.com/mirror/archlinux/$repo/os/$arch +#Server = http://ftp.gwdg.de/pub/linux/archlinux/$repo/os/$arch +#Server = http://archlinux.honkgong.info/$repo/os/$arch +#Server = http://ftp.hosteurope.de/mirror/ftp.archlinux.org/$repo/os/$arch +#Server = http://ftp-stud.hs-esslingen.de/pub/Mirrors/archlinux/$repo/os/$arch +#Server = http://archlinux.mirror.iphh.net/$repo/os/$arch +#Server = http://arch.jensgutermuth.de/$repo/os/$arch +#Server = https://arch.jensgutermuth.de/$repo/os/$arch +#Server = http://mirror.kumi.systems/archlinux/$repo/os/$arch +#Server = https://mirror.kumi.systems/archlinux/$repo/os/$arch +#Server = http://mirror.fra10.de.leaseweb.net/archlinux/$repo/os/$arch +#Server = https://mirror.fra10.de.leaseweb.net/archlinux/$repo/os/$arch +#Server = http://mirror.metalgamer.eu/archlinux/$repo/os/$arch +#Server = https://mirror.metalgamer.eu/archlinux/$repo/os/$arch +#Server = http://mirror.mikrogravitation.org/archlinux/$repo/os/$arch +#Server = https://mirror.mikrogravitation.org/archlinux/$repo/os/$arch +#Server = https://mirror.pkgbuild.com/$repo/os/$arch +#Server = http://mirror.moson.org/arch/$repo/os/$arch +#Server = https://mirror.moson.org/arch/$repo/os/$arch +#Server = http://mirrors.n-ix.net/archlinux/$repo/os/$arch +#Server = https://mirrors.n-ix.net/archlinux/$repo/os/$arch +#Server = http://mirror.netcologne.de/archlinux/$repo/os/$arch +#Server = https://mirror.netcologne.de/archlinux/$repo/os/$arch +#Server = http://mirrors.niyawe.de/archlinux/$repo/os/$arch +#Server = https://mirrors.niyawe.de/archlinux/$repo/os/$arch +#Server = http://mirror.orbit-os.com/archlinux/$repo/os/$arch +#Server = https://mirror.orbit-os.com/archlinux/$repo/os/$arch +#Server = http://packages.oth-regensburg.de/archlinux/$repo/os/$arch +#Server = https://packages.oth-regensburg.de/archlinux/$repo/os/$arch +#Server = http://phinau.de/arch/$repo/os/$arch +#Server = https://phinau.de/arch/$repo/os/$arch +#Server = https://mirror.pseudoform.org/$repo/os/$arch +#Server = https://www.ratenzahlung.de/mirror/archlinux/$repo/os/$arch +#Server = http://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch +#Server = https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch +#Server = http://linux.rz.rub.de/archlinux/$repo/os/$arch +#Server = http://mirror.satis-faction.de/archlinux/$repo/os/$arch +#Server = https://mirror.satis-faction.de/archlinux/$repo/os/$arch +#Server = http://mirror.selfnet.de/archlinux/$repo/os/$arch +#Server = https://mirror.selfnet.de/archlinux/$repo/os/$arch +#Server = http://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/$repo/os/$arch +#Server = https://ftp.spline.inf.fu-berlin.de/mirrors/archlinux/$repo/os/$arch +#Server = http://archlinux.thaller.ws/$repo/os/$arch +#Server = https://archlinux.thaller.ws/$repo/os/$arch +#Server = http://ftp.tu-chemnitz.de/pub/linux/archlinux/$repo/os/$arch +#Server = http://mirror.ubrco.de/archlinux/$repo/os/$arch +#Server = https://mirror.ubrco.de/archlinux/$repo/os/$arch +#Server = http://mirror.undisclose.de/archlinux/$repo/os/$arch +#Server = https://mirror.undisclose.de/archlinux/$repo/os/$arch +#Server = http://ftp.uni-bayreuth.de/linux/archlinux/$repo/os/$arch +#Server = http://ftp.uni-hannover.de/archlinux/$repo/os/$arch +#Server = http://ftp.uni-kl.de/pub/linux/archlinux/$repo/os/$arch +#Server = http://mirror.united-gameserver.de/archlinux/$repo/os/$arch +#Server = https://arch.unixpeople.org/$repo/os/$arch +#Server = http://ftp.wrz.de/pub/archlinux/$repo/os/$arch +#Server = https://ftp.wrz.de/pub/archlinux/$repo/os/$arch +#Server = http://mirror.wtnet.de/arch/$repo/os/$arch +#Server = https://mirror.wtnet.de/arch/$repo/os/$arch +#Server = http://mirrors.xtom.de/archlinux/$repo/os/$arch +#Server = https://mirrors.xtom.de/archlinux/$repo/os/$arch +#Server = http://arch.mirror.zachlge.org/$repo/os/$arch +#Server = https://arch.mirror.zachlge.org/$repo/os/$arch + +## Greece +#Server = http://ftp.cc.uoc.gr/mirrors/linux/archlinux/$repo/os/$arch +#Server = https://repo.greeklug.gr/data/pub/linux/archlinux/$repo/os/$arch +#Server = http://mirrors.myaegean.gr/linux/archlinux/$repo/os/$arch +#Server = http://ftp.ntua.gr/pub/linux/archlinux/$repo/os/$arch +#Server = http://ftp.otenet.gr/linux/archlinux/$repo/os/$arch + +## Hong Kong +#Server = https://asia.mirror.pkgbuild.com/$repo/os/$arch +#Server = http://mirror-hk.koddos.net/archlinux/$repo/os/$arch +#Server = https://mirror-hk.koddos.net/archlinux/$repo/os/$arch +#Server = http://hkg.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://hkg.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://arch-mirror.wtako.net/$repo/os/$arch +#Server = http://mirror.xtom.com.hk/archlinux/$repo/os/$arch +#Server = https://mirror.xtom.com.hk/archlinux/$repo/os/$arch + +## Hungary +#Server = http://ftp.ek-cer.hu/pub/mirrors/ftp.archlinux.org/$repo/os/$arch +#Server = http://archmirror.hbit.sztaki.hu/archlinux/$repo/os/$arch +#Server = http://nova.quantum-mirror.hu/mirrors/pub/archlinux/$repo/os/$arch +#Server = http://quantum-mirror.hu/mirrors/pub/archlinux/$repo/os/$arch +#Server = http://super.quantum-mirror.hu/mirrors/pub/archlinux/$repo/os/$arch +#Server = https://nova.quantum-mirror.hu/mirrors/pub/archlinux/$repo/os/$arch +#Server = https://quantum-mirror.hu/mirrors/pub/archlinux/$repo/os/$arch +#Server = https://super.quantum-mirror.hu/mirrors/pub/archlinux/$repo/os/$arch + +## Iceland +#Server = http://mirror.system.is/arch/$repo/os/$arch +#Server = https://mirror.system.is/arch/$repo/os/$arch + +## India +#Server = http://mirror.cse.iitk.ac.in/archlinux/$repo/os/$arch +#Server = http://mirrors.piconets.webwerks.in/archlinux-mirror/$repo/os/$arch +#Server = https://mirrors.piconets.webwerks.in/archlinux-mirror/$repo/os/$arch + +## Indonesia +#Server = http://mirror.cloudweeb.com/archlinux/$repo/os/$arch +#Server = http://mirror.faizuladib.com/archlinux/$repo/os/$arch +#Server = http://mirror.gi.co.id/archlinux/$repo/os/$arch +#Server = https://mirror.gi.co.id/archlinux/$repo/os/$arch +#Server = http://vpsmurah.jagoanhosting.com/archlinux/$repo/os/$arch +#Server = https://vpsmurah.jagoanhosting.com/archlinux/$repo/os/$arch +#Server = http://mirror.labkom.id/archlinux/$repo/os/$arch +#Server = http://mirror.papua.go.id/archlinux/$repo/os/$arch +#Server = https://mirror.papua.go.id/archlinux/$repo/os/$arch +#Server = http://mirror.poliwangi.ac.id/archlinux/$repo/os/$arch +#Server = http://suro.ubaya.ac.id/archlinux/$repo/os/$arch +#Server = http://mirror.telkomuniversity.ac.id/archlinux/$repo/os/$arch +#Server = https://mirror.telkomuniversity.ac.id/archlinux/$repo/os/$arch + +## Iran +#Server = http://mirror.hostiran.ir/archlinux/$repo/os/$arch +#Server = https://mirror.hostiran.ir/archlinux/$repo/os/$arch +#Server = http://repo.iut.ac.ir/repo/archlinux/$repo/os/$arch +#Server = http://mirror.nak-mci.ir/arch/$repo/os/$arch +#Server = http://mirror.rasanegar.com/archlinux/$repo/os/$arch +#Server = https://mirror.rasanegar.com/archlinux/$repo/os/$arch + +## Ireland +#Server = http://ftp.heanet.ie/mirrors/ftp.archlinux.org/$repo/os/$arch +#Server = https://ftp.heanet.ie/mirrors/ftp.archlinux.org/$repo/os/$arch + +## Israel +#Server = http://mirror.isoc.org.il/pub/archlinux/$repo/os/$arch +#Server = https://mirror.isoc.org.il/pub/archlinux/$repo/os/$arch +#Server = https://archlinux.mivzakim.net/$repo/os/$arch + +## Italy +#Server = https://archmirror.it/repos/$repo/os/$arch +#Server = http://archlinux.mirror.garr.it/archlinux/$repo/os/$arch +#Server = http://mirrors.prometeus.net/archlinux/$repo/os/$arch +#Server = http://archlinux.mirror.server24.net/$repo/os/$arch +#Server = https://archlinux.mirror.server24.net/$repo/os/$arch + +## Japan +#Server = http://mirrors.cat.net/archlinux/$repo/os/$arch +#Server = https://mirrors.cat.net/archlinux/$repo/os/$arch +#Server = http://ftp.tsukuba.wide.ad.jp/Linux/archlinux/$repo/os/$arch +#Server = http://ftp.jaist.ac.jp/pub/Linux/ArchLinux/$repo/os/$arch +#Server = https://ftp.jaist.ac.jp/pub/Linux/ArchLinux/$repo/os/$arch + +## Kazakhstan +#Server = http://mirror.hoster.kz/archlinux/$repo/os/$arch +#Server = https://mirror.hoster.kz/archlinux/$repo/os/$arch +#Server = http://mirror.ps.kz/archlinux/$repo/os/$arch +#Server = https://mirror.ps.kz/archlinux/$repo/os/$arch + +## Kenya +#Server = http://archlinux.mirror.liquidtelecom.com/$repo/os/$arch +#Server = https://archlinux.mirror.liquidtelecom.com/$repo/os/$arch + +## Latvia +#Server = http://archlinux.koyanet.lv/archlinux/$repo/os/$arch +#Server = https://archlinux.koyanet.lv/archlinux/$repo/os/$arch + +## Lithuania +#Server = http://mirrors.atviras.lt/archlinux/$repo/os/$arch +#Server = https://mirrors.atviras.lt/archlinux/$repo/os/$arch +#Server = http://mirrors.ims.nksc.lt/archlinux/$repo/os/$arch +#Server = https://mirrors.ims.nksc.lt/archlinux/$repo/os/$arch + +## Luxembourg +#Server = http://archlinux.mirror.root.lu/$repo/os/$arch + +## Mexico +#Server = https://arch.mirror.jsc.mx/$repo/os/$arch + +## Moldova +#Server = http://mirror.ihost.md/archlinux/$repo/os/$arch +#Server = https://mirror.ihost.md/archlinux/$repo/os/$arch + +## Monaco +#Server = http://archlinux.qontinuum.space/$repo/os/$arch +#Server = https://archlinux.qontinuum.space:4443/$repo/os/$arch + +## Netherlands +#Server = https://archlinux.beccacervello.it/archlinux/$repo/os/$arch +#Server = http://mirror.cj2.nl/archlinux/$repo/os/$arch +#Server = https://mirror.cj2.nl/archlinux/$repo/os/$arch +#Server = https://mirrors.daan.vodka/archlinux/$repo/os/$arch +#Server = http://mirror.erickochen.nl/archlinux/$repo/os/$arch +#Server = https://mirror.erickochen.nl/archlinux/$repo/os/$arch +#Server = http://mirror.i3d.net/pub/archlinux/$repo/os/$arch +#Server = https://mirror.i3d.net/pub/archlinux/$repo/os/$arch +#Server = https://arch.jeweet.net/$repo/os/$arch +#Server = http://mirror.koddos.net/archlinux/$repo/os/$arch +#Server = https://mirror.koddos.net/archlinux/$repo/os/$arch +#Server = http://arch.mirrors.lavatech.top/$repo/os/$arch +#Server = https://arch.mirrors.lavatech.top/$repo/os/$arch +#Server = http://mirror.ams1.nl.leaseweb.net/archlinux/$repo/os/$arch +#Server = https://mirror.ams1.nl.leaseweb.net/archlinux/$repo/os/$arch +#Server = http://archlinux.mirror.liteserver.nl/$repo/os/$arch +#Server = https://archlinux.mirror.liteserver.nl/$repo/os/$arch +#Server = http://mirror.lyrahosting.com/archlinux/$repo/os/$arch +#Server = https://mirror.lyrahosting.com/archlinux/$repo/os/$arch +#Server = http://mirror.mijn.host/archlinux/$repo/os/$arch +#Server = https://mirror.mijn.host/archlinux/$repo/os/$arch +#Server = http://mirror.neostrada.nl/archlinux/$repo/os/$arch +#Server = https://mirror.neostrada.nl/archlinux/$repo/os/$arch +#Server = http://ftp.nluug.nl/os/Linux/distr/archlinux/$repo/os/$arch +#Server = http://archlinux.mirror.pcextreme.nl/$repo/os/$arch +#Server = https://archlinux.mirror.pcextreme.nl/$repo/os/$arch +#Server = http://mirror.serverion.com/archlinux/$repo/os/$arch +#Server = https://mirror.serverion.com/archlinux/$repo/os/$arch +#Server = http://ftp.snt.utwente.nl/pub/os/linux/archlinux/$repo/os/$arch +#Server = http://mirror.tarellia.net/distr/archlinux/$repo/os/$arch +#Server = https://mirror.tarellia.net/distr/archlinux/$repo/os/$arch +#Server = http://archlinux.mirror.wearetriple.com/$repo/os/$arch +#Server = https://archlinux.mirror.wearetriple.com/$repo/os/$arch +#Server = http://mirror-archlinux.webruimtehosting.nl/$repo/os/$arch +#Server = https://mirror-archlinux.webruimtehosting.nl/$repo/os/$arch +#Server = http://mirrors.xtom.nl/archlinux/$repo/os/$arch +#Server = https://mirrors.xtom.nl/archlinux/$repo/os/$arch + +## New Caledonia +#Server = http://mirror.lagoon.nc/pub/archlinux/$repo/os/$arch +#Server = http://archlinux.nautile.nc/archlinux/$repo/os/$arch +#Server = https://archlinux.nautile.nc/archlinux/$repo/os/$arch + +## New Zealand +#Server = http://mirror.2degrees.nz/archlinux/$repo/os/$arch +#Server = https://mirror.2degrees.nz/archlinux/$repo/os/$arch +#Server = http://mirror.fsmg.org.nz/archlinux/$repo/os/$arch +#Server = https://mirror.fsmg.org.nz/archlinux/$repo/os/$arch +#Server = http://mirror.smith.geek.nz/archlinux/$repo/os/$arch +#Server = https://mirror.smith.geek.nz/archlinux/$repo/os/$arch + +## North Macedonia +#Server = http://arch.softver.org.mk/archlinux/$repo/os/$arch +#Server = http://mirror.onevip.mk/archlinux/$repo/os/$arch +#Server = http://mirror.t-home.mk/archlinux/$repo/os/$arch +#Server = https://mirror.t-home.mk/archlinux/$repo/os/$arch + +## Norway +#Server = http://mirror.archlinux.no/$repo/os/$arch +#Server = https://mirror.archlinux.no/$repo/os/$arch +#Server = http://archlinux.uib.no/$repo/os/$arch +#Server = http://mirror.neuf.no/archlinux/$repo/os/$arch +#Server = https://mirror.neuf.no/archlinux/$repo/os/$arch +#Server = http://mirror.terrahost.no/linux/archlinux/$repo/os/$arch + +## Pakistan +#Server = http://repo.inara.pk/archlinux/$repo/os/$arch +#Server = https://repo.inara.pk/archlinux/$repo/os/$arch + +## Paraguay +#Server = http://archlinux.mirror.py/archlinux/$repo/os/$arch + +## Poland +#Server = http://ftp.icm.edu.pl/pub/Linux/dist/archlinux/$repo/os/$arch +#Server = https://ftp.icm.edu.pl/pub/Linux/dist/archlinux/$repo/os/$arch +#Server = http://mirror.juniorjpdj.pl/archlinux/$repo/os/$arch +#Server = https://mirror.juniorjpdj.pl/archlinux/$repo/os/$arch +#Server = http://arch.midov.pl/arch/$repo/os/$arch +#Server = https://arch.midov.pl/arch/$repo/os/$arch +#Server = http://arch.nixlab.pl/$repo/os/$arch +#Server = https://arch.nixlab.pl/$repo/os/$arch +#Server = http://mirror.onet.pl/pub/mirrors/archlinux/$repo/os/$arch +#Server = http://piotrkosoft.net/pub/mirrors/ftp.archlinux.org/$repo/os/$arch +#Server = http://mirror.sfinae.tech/pub/mirrors/archlinux/$repo/os/$arch +#Server = https://mirror.sfinae.tech/pub/mirrors/archlinux/$repo/os/$arch +#Server = http://repo.skni.umcs.pl/archlinux/$repo/os/$arch +#Server = https://repo.skni.umcs.pl/archlinux/$repo/os/$arch +#Server = http://ftp.vectranet.pl/archlinux/$repo/os/$arch + +## Portugal +#Server = http://glua.ua.pt/pub/archlinux/$repo/os/$arch +#Server = https://glua.ua.pt/pub/archlinux/$repo/os/$arch +#Server = http://ftp.rnl.tecnico.ulisboa.pt/pub/archlinux/$repo/os/$arch +#Server = https://ftp.rnl.tecnico.ulisboa.pt/pub/archlinux/$repo/os/$arch + +## Romania +#Server = http://mirrors.chroot.ro/archlinux/$repo/os/$arch +#Server = https://mirrors.chroot.ro/archlinux/$repo/os/$arch +#Server = http://mirror.efect.ro/archlinux/$repo/os/$arch +#Server = https://mirror.efect.ro/archlinux/$repo/os/$arch +#Server = http://mirrors.go.ro/archlinux/$repo/os/$arch +#Server = https://mirrors.go.ro/archlinux/$repo/os/$arch +#Server = http://mirrors.hostico.ro/archlinux/$repo/os/$arch +#Server = https://mirrors.hostico.ro/archlinux/$repo/os/$arch +#Server = http://archlinux.mirrors.linux.ro/$repo/os/$arch +#Server = http://mirrors.m247.ro/archlinux/$repo/os/$arch +#Server = http://mirrors.nav.ro/archlinux/$repo/os/$arch +#Server = http://mirrors.nxthost.com/archlinux/$repo/os/$arch +#Server = https://mirrors.nxthost.com/archlinux/$repo/os/$arch +#Server = http://mirrors.pidginhost.com/arch/$repo/os/$arch +#Server = https://mirrors.pidginhost.com/arch/$repo/os/$arch + +## Russia +#Server = http://mirror.surf/archlinux/$repo/os/$arch +#Server = https://mirror.surf/archlinux/$repo/os/$arch +#Server = http://mirror.nw-sys.ru/archlinux/$repo/os/$arch +#Server = https://mirror.nw-sys.ru/archlinux/$repo/os/$arch +#Server = http://mirrors.powernet.com.ru/archlinux/$repo/os/$arch +#Server = http://mirror.rol.ru/archlinux/$repo/os/$arch +#Server = https://mirror.rol.ru/archlinux/$repo/os/$arch +#Server = http://mirror.truenetwork.ru/archlinux/$repo/os/$arch +#Server = https://mirror.truenetwork.ru/archlinux/$repo/os/$arch +#Server = http://mirror.yandex.ru/archlinux/$repo/os/$arch +#Server = https://mirror.yandex.ru/archlinux/$repo/os/$arch +#Server = http://archlinux.zepto.cloud/$repo/os/$arch + +## Serbia +#Server = http://arch.petarmaric.com/$repo/os/$arch +#Server = http://mirror.pmf.kg.ac.rs/archlinux/$repo/os/$arch + +## Singapore +#Server = http://mirror.0x.sg/archlinux/$repo/os/$arch +#Server = https://mirror.0x.sg/archlinux/$repo/os/$arch +#Server = http://mirror.aktkn.sg/archlinux/$repo/os/$arch +#Server = https://mirror.aktkn.sg/archlinux/$repo/os/$arch +#Server = https://download.nus.edu.sg/mirror/archlinux/$repo/os/$arch +#Server = http://mirror.guillaumea.fr/archlinux/$repo/os/$arch +#Server = https://mirror.guillaumea.fr/archlinux/$repo/os/$arch +#Server = http://mirror.nus.edu.sg/archlinux/$repo/os/$arch + +## Slovakia +#Server = http://mirror.lnx.sk/pub/linux/archlinux/$repo/os/$arch +#Server = https://mirror.lnx.sk/pub/linux/archlinux/$repo/os/$arch +#Server = http://tux.rainside.sk/archlinux/$repo/os/$arch + +## Slovenia +#Server = http://archimonde.ts.si/archlinux/$repo/os/$arch +#Server = https://archimonde.ts.si/archlinux/$repo/os/$arch + +## South Africa +#Server = http://archlinux.za.mirror.allworldit.com/archlinux/$repo/os/$arch +#Server = https://archlinux.za.mirror.allworldit.com/archlinux/$repo/os/$arch +#Server = http://za.mirror.archlinux-br.org/$repo/os/$arch +#Server = http://mirror.is.co.za/mirror/archlinux.org/$repo/os/$arch +#Server = http://arch.opnmirror.co.za/$repo/os/$arch +#Server = https://arch.opnmirror.co.za/$repo/os/$arch +#Server = http://mirrors.urbanwave.co.za/archlinux/$repo/os/$arch +#Server = https://mirrors.urbanwave.co.za/archlinux/$repo/os/$arch + +## South Korea +#Server = http://mirror.anigil.com/archlinux/$repo/os/$arch +#Server = https://mirror.anigil.com/archlinux/$repo/os/$arch +#Server = http://ftp.harukasan.org/archlinux/$repo/os/$arch +#Server = https://ftp.harukasan.org/archlinux/$repo/os/$arch +#Server = http://ftp.lanet.kr/pub/archlinux/$repo/os/$arch +#Server = https://ftp.lanet.kr/pub/archlinux/$repo/os/$arch +#Server = http://mirror.premi.st/archlinux/$repo/os/$arch +#Server = https://mirror.premi.st/archlinux/$repo/os/$arch + +## Spain +#Server = https://mirror.cloroformo.org/archlinux/$repo/os/$arch +#Server = http://mirror.librelabucm.org/archlinux/$repo/os/$arch +#Server = https://mirror.librelabucm.org/archlinux/$repo/os/$arch +#Server = http://ftp.rediris.es/mirror/archlinux/$repo/os/$arch +#Server = http://sharing.thelinuxsect.com/archlinux/$repo/os/$arch + +## Sweden +#Server = http://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch +#Server = https://ftp.acc.umu.se/mirror/archlinux/$repo/os/$arch +#Server = http://ftpmirror.infania.net/mirror/archlinux/$repo/os/$arch +#Server = https://ftp.ludd.ltu.se/mirrors/archlinux/$repo/os/$arch +#Server = http://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch +#Server = https://ftp.lysator.liu.se/pub/archlinux/$repo/os/$arch +#Server = http://ftp.myrveln.se/pub/linux/archlinux/$repo/os/$arch +#Server = https://ftp.myrveln.se/pub/linux/archlinux/$repo/os/$arch +#Server = https://mirror.osbeck.com/archlinux/$repo/os/$arch +#Server = http://tedwall.se/archlinux/$repo/os/$arch +#Server = https://tedwall.se/archlinux/$repo/os/$arch + +## Switzerland +#Server = http://pkg.adfinis.com/archlinux/$repo/os/$arch +#Server = https://pkg.adfinis.com/archlinux/$repo/os/$arch +#Server = http://mirror.init7.net/archlinux/$repo/os/$arch +#Server = https://mirror.init7.net/archlinux/$repo/os/$arch +#Server = http://mirror.puzzle.ch/archlinux/$repo/os/$arch +#Server = https://mirror.puzzle.ch/archlinux/$repo/os/$arch +#Server = https://theswissbay.ch/archlinux/$repo/os/$arch +#Server = https://mirror.ungleich.ch/mirror/packages/archlinux/$repo/os/$arch + +## Taiwan +#Server = http://archlinux.ccns.ncku.edu.tw/archlinux/$repo/os/$arch +#Server = http://free.nchc.org.tw/arch/$repo/os/$arch +#Server = https://free.nchc.org.tw/arch/$repo/os/$arch +#Server = http://archlinux.cs.nctu.edu.tw/$repo/os/$arch +#Server = http://shadow.ind.ntou.edu.tw/archlinux/$repo/os/$arch +#Server = https://shadow.ind.ntou.edu.tw/archlinux/$repo/os/$arch +#Server = http://ftp.tku.edu.tw/Linux/ArchLinux/$repo/os/$arch +#Server = http://ftp.yzu.edu.tw/Linux/archlinux/$repo/os/$arch +#Server = https://ftp.yzu.edu.tw/Linux/archlinux/$repo/os/$arch + +## Thailand +#Server = https://mirror.cyberbits.asia/archlinux/$repo/os/$arch +#Server = http://mirror.kku.ac.th/archlinux/$repo/os/$arch +#Server = https://mirror.kku.ac.th/archlinux/$repo/os/$arch +#Server = http://mirror2.totbb.net/archlinux/$repo/os/$arch + +## Turkey +#Server = http://ftp.linux.org.tr/archlinux/$repo/os/$arch +#Server = http://mirror.veriteknik.net.tr/archlinux/$repo/os/$arch + +## Ukraine +#Server = http://archlinux.ip-connect.vn.ua/$repo/os/$arch +#Server = https://archlinux.ip-connect.vn.ua/$repo/os/$arch +#Server = http://mirror.mirohost.net/archlinux/$repo/os/$arch +#Server = https://mirror.mirohost.net/archlinux/$repo/os/$arch +#Server = http://mirrors.nix.org.ua/linux/archlinux/$repo/os/$arch +#Server = https://mirrors.nix.org.ua/linux/archlinux/$repo/os/$arch + +## United Kingdom +#Server = http://archlinux.uk.mirror.allworldit.com/archlinux/$repo/os/$arch +#Server = https://archlinux.uk.mirror.allworldit.com/archlinux/$repo/os/$arch +#Server = http://mirror.bytemark.co.uk/archlinux/$repo/os/$arch +#Server = https://mirror.bytemark.co.uk/archlinux/$repo/os/$arch +#Server = http://mirrors.gethosted.online/archlinux/$repo/os/$arch +#Server = https://mirrors.gethosted.online/archlinux/$repo/os/$arch +#Server = http://mirrors.manchester.m247.com/arch-linux/$repo/os/$arch +#Server = http://mirrors.melbourne.co.uk/archlinux/$repo/os/$arch +#Server = https://mirrors.melbourne.co.uk/archlinux/$repo/os/$arch +#Server = http://www.mirrorservice.org/sites/ftp.archlinux.org/$repo/os/$arch +#Server = https://www.mirrorservice.org/sites/ftp.archlinux.org/$repo/os/$arch +#Server = http://mirror.netweaver.uk/archlinux/$repo/os/$arch +#Server = https://mirror.netweaver.uk/archlinux/$repo/os/$arch +#Server = http://lon.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://lon.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = http://arch.serverspace.co.uk/arch/$repo/os/$arch +#Server = http://archlinux.mirrors.uk2.net/$repo/os/$arch +#Server = http://mirrors.ukfast.co.uk/sites/archlinux.org/$repo/os/$arch +#Server = https://mirrors.ukfast.co.uk/sites/archlinux.org/$repo/os/$arch + +## United States +#Server = http://mirrors.acm.wpi.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.advancedhosters.com/archlinux/$repo/os/$arch +#Server = http://mirrors.aggregate.org/archlinux/$repo/os/$arch +#Server = https://america.mirror.pkgbuild.com/$repo/os/$arch +#Server = http://ca.us.mirror.archlinux-br.org/$repo/os/$arch +#Server = http://il.us.mirror.archlinux-br.org/$repo/os/$arch +#Server = http://mirror.arizona.edu/archlinux/$repo/os/$arch +#Server = https://mirror.arizona.edu/archlinux/$repo/os/$arch +#Server = http://arlm.tyzoid.com/$repo/os/$arch +#Server = https://arlm.tyzoid.com/$repo/os/$arch +#Server = https://mirror.ava.dev/archlinux/$repo/os/$arch +#Server = http://mirrors.cat.pdx.edu/archlinux/$repo/os/$arch +#Server = http://mirror.cc.columbia.edu/pub/linux/archlinux/$repo/os/$arch +#Server = http://arch.mirror.constant.com/$repo/os/$arch +#Server = https://arch.mirror.constant.com/$repo/os/$arch +#Server = http://mirror.cs.pitt.edu/archlinux/$repo/os/$arch +#Server = http://mirror.cs.vt.edu/pub/ArchLinux/$repo/os/$arch +#Server = http://mirror.cybersecurity.nmt.edu/archlinux/$repo/os/$arch +#Server = https://mirror.cybersecurity.nmt.edu/archlinux/$repo/os/$arch +#Server = http://distro.ibiblio.org/archlinux/$repo/os/$arch +#Server = http://mirror.es.its.nyu.edu/archlinux/$repo/os/$arch +#Server = http://mirror.ette.biz/archlinux/$repo/os/$arch +#Server = https://mirror.ette.biz/archlinux/$repo/os/$arch +#Server = http://mirrors.gigenet.com/archlinux/$repo/os/$arch +#Server = http://www.gtlib.gatech.edu/pub/archlinux/$repo/os/$arch +#Server = http://mirror.hackingand.coffee/arch/$repo/os/$arch +#Server = https://mirror.hackingand.coffee/arch/$repo/os/$arch +#Server = https://mirror.hodgepodge.dev/archlinux/$repo/os/$arch +#Server = http://mirror.hostup.org/archlinux/$repo/os/$arch +#Server = https://mirror.hostup.org/archlinux/$repo/os/$arch +#Server = http://arch.hu.fo/archlinux/$repo/os/$arch +#Server = https://arch.hu.fo/archlinux/$repo/os/$arch +#Server = http://repo.ialab.dsu.edu/archlinux/$repo/os/$arch +#Server = https://repo.ialab.dsu.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.kernel.org/archlinux/$repo/os/$arch +Server = https://mirrors.kernel.org/archlinux/$repo/os/$arch +#Server = http://mirror.dal10.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = http://mirror.mia11.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = http://mirror.sfo12.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = http://mirror.wdc1.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = https://mirror.dal10.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = https://mirror.mia11.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = https://mirror.sfo12.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = https://mirror.wdc1.us.leaseweb.net/archlinux/$repo/os/$arch +#Server = http://mirrors.liquidweb.com/archlinux/$repo/os/$arch +#Server = http://mirror.lty.me/archlinux/$repo/os/$arch +#Server = https://mirror.lty.me/archlinux/$repo/os/$arch +#Server = http://mirrors.lug.mtu.edu/archlinux/$repo/os/$arch +#Server = https://mirrors.lug.mtu.edu/archlinux/$repo/os/$arch +#Server = http://mirror.math.princeton.edu/pub/archlinux/$repo/os/$arch +#Server = http://mirror.metrocast.net/archlinux/$repo/os/$arch +#Server = http://mirror.kaminski.io/archlinux/$repo/os/$arch +#Server = https://mirror.kaminski.io/archlinux/$repo/os/$arch +#Server = http://iad.mirrors.misaka.one/archlinux/$repo/os/$arch +#Server = https://iad.mirrors.misaka.one/archlinux/$repo/os/$arch +#Server = http://repo.miserver.it.umich.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.mit.edu/archlinux/$repo/os/$arch +#Server = https://mirrors.mit.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.ocf.berkeley.edu/archlinux/$repo/os/$arch +#Server = https://mirrors.ocf.berkeley.edu/archlinux/$repo/os/$arch +#Server = http://archmirror1.octyl.net/$repo/os/$arch +#Server = https://archmirror1.octyl.net/$repo/os/$arch +#Server = http://ftp.osuosl.org/pub/archlinux/$repo/os/$arch +#Server = http://arch.mirrors.pair.com/$repo/os/$arch +#Server = http://dfw.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = http://iad.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = http://ord.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://dfw.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://iad.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = https://ord.mirror.rackspace.com/archlinux/$repo/os/$arch +#Server = http://plug-mirror.rcac.purdue.edu/archlinux/$repo/os/$arch +#Server = https://plug-mirror.rcac.purdue.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.rit.edu/archlinux/$repo/os/$arch +#Server = https://mirrors.rit.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.rutgers.edu/archlinux/$repo/os/$arch +#Server = https://mirrors.rutgers.edu/archlinux/$repo/os/$arch +#Server = http://mirror.siena.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.sonic.net/archlinux/$repo/os/$arch +#Server = https://mirrors.sonic.net/archlinux/$repo/os/$arch +#Server = http://mirror.phx1.us.spryservers.net/archlinux/$repo/os/$arch +#Server = https://mirror.phx1.us.spryservers.net/archlinux/$repo/os/$arch +#Server = http://arch.mirror.square-r00t.net/$repo/os/$arch +#Server = https://arch.mirror.square-r00t.net/$repo/os/$arch +#Server = http://mirror.stephen304.com/archlinux/$repo/os/$arch +#Server = https://mirror.stephen304.com/archlinux/$repo/os/$arch +#Server = http://ftp.sudhip.com/archlinux/$repo/os/$arch +#Server = https://ftp.sudhip.com/archlinux/$repo/os/$arch +#Server = http://mirror.pit.teraswitch.com/archlinux/$repo/os/$arch +#Server = https://mirror.pit.teraswitch.com/archlinux/$repo/os/$arch +#Server = http://mirror.umd.edu/archlinux/$repo/os/$arch +#Server = http://mirror.vtti.vt.edu/archlinux/$repo/os/$arch +#Server = http://mirrors.xmission.com/archlinux/$repo/os/$arch +#Server = http://mirrors.xtom.com/archlinux/$repo/os/$arch +#Server = https://mirrors.xtom.com/archlinux/$repo/os/$arch +#Server = https://zxcvfdsa.com/arch/$repo/os/$arch + +## Vietnam +#Server = http://f.archlinuxvn.org/archlinux/$repo/os/$arch +#Server = http://mirror.bizflycloud.vn/archlinux/$repo/os/$arch diff --git a/pacman.conf b/pacman.conf new file mode 100644 index 0000000..cd48bc0 --- /dev/null +++ b/pacman.conf @@ -0,0 +1,45 @@ +[options] +# The following paths are commented out with their default values listed. +# If you wish to use different paths, uncomment and update the paths. +#RootDir = / +#DBPath = /var/lib/pacman/ +#CacheDir = /var/cache/pacman/pkg/ +LogFile = /dev/null +#GPGDir = /etc/pacman.d/gnupg/ +#HookDir = /etc/pacman.d/hooks/ +HoldPkg = pacman glibc +#XferCommand = /usr/bin/curl -L -C - -f -o %o %u +#XferCommand = /usr/bin/wget --passive-ftp -c -O %o %u +#CleanMethod = KeepInstalled +Architecture = auto + +# Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup +#IgnorePkg = +#IgnoreGroup = + +#NoUpgrade = +#NoExtract = + +# Misc options +UseSyslog +Color +#NoProgressBar +CheckSpace +VerbosePkgLists +#ParallelDownloads = 5 +ILoveCandy + +# By default, pacman accepts packages signed by keys that its local keyring +# trusts (see pacman-key and its man page), as well as unsigned packages. +SigLevel = Required DatabaseOptional +LocalFileSigLevel = Optional +#RemoteFileSigLevel = Required + +[core] +Include = /etc/pacman.d/mirrorlist + +[extra] +Include = /etc/pacman.d/mirrorlist + +[community] +Include = /etc/pacman.d/mirrorlist diff --git a/sshd_config b/sshd_config new file mode 100644 index 0000000..2cb2c69 --- /dev/null +++ b/sshd_config @@ -0,0 +1,119 @@ +# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options override the +# default value. + +#Port 22 +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +HostKey /etc/ssh/ssh_host_ed25519_key +HostKeyAlgorithms ssh-ed25519 +KexAlgorithms curve25519-sha256 +PubkeyAcceptedKeyTypes ssh-ed25519 +Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com +MACs hmac-sha2-512-etm@openssh.com + +# Ciphers and keying +#RekeyLimit default none + +# Logging +#SyslogFacility AUTH +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin prohibit-password +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#PubkeyAuthentication yes + +# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 +# but this is overridden so installations will only check .ssh/authorized_keys +AuthorizedKeysFile .ssh/authorized_keys + +#AuthorizedPrincipalsFile none + +#AuthorizedKeysCommand none +#AuthorizedKeysCommandUser nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! +PasswordAuthentication no +#PermitEmptyPasswords no + +# Change to no to disable s/key passwords +ChallengeResponseAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +UsePAM yes + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PermitTTY yes +PrintMotd no # pam does that +#PrintLastLog yes +#TCPKeepAlive yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#UseDNS no +#PidFile /run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none +#VersionAddendum none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/lib/ssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# PermitTTY no +# ForceCommand cvs server diff --git a/unbound.conf b/unbound.conf new file mode 100644 index 0000000..dc82492 --- /dev/null +++ b/unbound.conf @@ -0,0 +1,10 @@ +server: + qname-minimisation: yes + trust-anchor-file: /etc/unbound/trusted-key.key + tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt + +forward-zone: + name: "." + forward-tls-upstream: yes + forward-addr: 1.0.0.1@853#cloudflare-dns.com + forward-addr: 1.1.1.1@853#cloudflare-dns.com