Imported config file examples, improved ssh's

2026-02-09 05:44:23 +00:00 · 2023-02-12 15:04:20 +01:00
parent 4f8f151509
commit 67c560e174
6 changed files with 283 additions and 77 deletions
--- a/examples/Brewfile
+++ b/examples/Brewfile
@@ -0,0 +1,47 @@
+################################################################################
+## ~/.Brewfile
+##
+## Gotchas:
+## - `moreutils` installs its own old version of parallel, which conflicts with
+##   the `parallel` formula; install `gettext`, `parallel` and `sponge` instead
+##
+## Sources:
+## - https://github.com/Homebrew/homebrew-bundle
+################################################################################
+
+tap "homebrew/bundle"
+tap "homebrew/cask"
+tap "homebrew/core"
+
+brew "asdf"
+brew "chezmoi"
+brew "diff-pdf"
+brew "git-lfs"
+brew "mas"
+brew "parallel"
+brew "pre-commit"
+brew "python-yq"
+brew "rename"
+brew "sponge"
+
+cask_args appdir: "~/Applications"
+
+cask "aldente"
+cask "desmume"
+cask "docker"
+cask "firefox"
+cask "gpg-suite-no-mail"
+cask "iterm2"
+cask "keka"
+cask "little-snitch", args: { appdir: "/Applications" }
+cask "monitorcontrol"
+cask "openzfs"
+cask "skype"
+cask "spotify"
+cask "steam"
+cask "vlc"
+
+mas "be focused", id: 973134470
+mas "prime video", id: 545519333
+mas "whatsapp", id: 1147396723
+mas "xcode", id: 497799835
--- a/examples/azure/config
+++ b/examples/azure/config
@@ -0,0 +1,15 @@
+################################################################################
+## ~/.azure/config
+##
+## Sources:
+## - https://learn.microsoft.com/en-us/cli/azure/azure-cli-configuration
+################################################################################
+
+[cloud]
+name = AzureCloud
+
+[core]
+collect_telemetry = false
+
+[defaults]
+location = eastus
--- a/examples/oci/config
+++ b/examples/oci/config
@@ -0,0 +1,10 @@
+################################################################################
+## ~/.oci/config
+################################################################################
+
+[DEFAULT]
+user=ocid1.user.oc1..aaaaaaaayap6nsl77k2u34v2k7t47uidv27qfhv43av7ryn2xp37tezezlha
+fingerprint=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
+key_file=/home/user/.oci/oci_api_key.pem
+tenancy=ocid1.tenancy.oc1..aaaaaaaawtuhnzgr175bto5wmddky4nqorr9txnjxugmtrcsoatsbv4nn6qt4
+region=eu-amsterdam-1
--- a/examples/ssh/ssh_config
+++ b/examples/ssh/ssh_config
@@ -0,0 +1,88 @@
+################################################################################
+## ~/.ssh/config
+##
+## Gotchas:
+## - options are applied first-come-first-served, so:
+##   - specific and higher priority settings go on top, generic and lower ones
+##     go on the bottom
+##   - user defaults MUST come last to be treated as such
+## - host specificity is NOT a factor of priority
+## - multiple host names (and aliases) may be specified per section
+## - targets may match multiple host sections and have settings applied in order
+## - host sections only apply to the matched names
+## - canonicalization forces a configuration reload to check the now canonical
+##   host name against the configuration
+################################################################################
+
+# Canonicalize host names as first thing
+# Forces a configuration reload so that only the canonical host name is matched
+# against the rest of the configuration
+CanonicalizeHostname  yes
+CanonicalDomains      lan localdomain my.org
+
+# 'special' devices
+# E.g. work ones
+Host  net?a?-fw? org?-h?-sw?
+	CanonicalDomains     that.org
+	CanonicalizeMaxDots  0
+Host  !bastion* *.brt*.my.org *.brs? *.brs??
+	AddressFamily  inet6
+	ProxyCommand   ssh -W %h:%p `host bastion.my.org | awk '/address/ {print $4; exit}' | xargs host | cut -d\  -f5`
+
+# Connect to secured hosts
+# E.g. targets using non-default configuration
+Host  *-bastion-* *-fw
+	IdentitiesOnly  yes
+	IdentityFile    ~/.ssh/id_rsa
+	Port            2222
+
+# Avoid OS incompatibility nuisances
+# E.g. LANG not set when connecting to Linux from Darwin
+Host  linux-* raspberrypi?
+	SendEnv  -LC_* PAGER
+	SetEnv   LANG=C LANGUAGE=en LC_ALL=C
+
+# Connect to unresolvable host names
+# E.g. home routers
+Host  router fixed-ip
+	HostName  192.168.50.1
+	User      root
+
+# Enable connections to old SSH server versions
+# E.g. legacy targets using old key algorithms
+Host  legacy-hosts azure-vm-* oci-bastion-*
+	HostKeyAlgorithms         +ssh-dss +ssh-rsa
+	PubkeyAcceptedAlgorithms  +ssh-rsa
+
+# Avoid nuisances with ephemeral hosts and localhost
+# E.g. preemptible or testing virtual machines which are often recreated
+Host  localhost *-vm-*
+	StrictHostKeyChecking  no
+	UserKnownHostsFile     /dev/null
+
+# User-specific settings
+# E.g. programmatic accesses
+Match  user  robots
+	AddKeysToAgent       no
+	BatchMode            yes
+	ForwardAgent         no
+	IdentitiesOnly       yes
+	IdentityFile         ~/.ssh/robots.id_ed25519
+	ServerAliveCountMax  1
+	ServerAliveInterval  30
+	UseKeyChain          no
+
+# Keep connections open for some time to reuse them
+# %C returns a hash of different information and is useful as socket identifier
+ControlMaster   auto
+ControlPersist  30s
+ControlPath     ~/.ssh/control-%C
+
+# User defaults
+AddKeysToAgent       yes
+Compression          yes
+ForwardAgent         yes
+HashKnownHosts       no
+ServerAliveCountMax  2
+ServerAliveInterval  300
+UseKeyChain          yes
--- a/examples/ssh/sshd_config
+++ b/examples/ssh/sshd_config
@@ -0,0 +1,123 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin yes
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to no to disable s/key passwords
+#ChallengeResponseAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+#PrintMotd yes
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/ssh/sftp-server
+
+# This enables accepting locale enviroment variables LC_* LANG, see sshd_config(5).
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
--- a/examples/ssh_config
+++ b/examples/ssh_config
@@ -1,77 +0,0 @@
-################################################################################
-## ~/.ssh/config
-##
-## Gotchas:
-## - priority goes from top to bottom
-##   - defaults MUST come last
-##   - canonicalization as a default MUST be on top to force a config reload
-##     when checking hosts matching it
-##   - host specificity is NOT a factor of priority
-## - host sections can be specified multiple times
-## - multiple hostnames (and aliases) may be specified per section
-## - host sections apply to the name you use (not what it resolves to)
-################################################################################
-
-# Canonicalize host names before connecting
-# On top, so it forces a config reload for canonical hosts
-CanonicalizeHostname  yes
-CanonicalDomains      lan local my.org
-
-# Legacy hosts' specific settings
-# E.g. old key algorithms
-Host  legacy
-	BatchMode          yes
-	ForwardAgent       yes
-	HostKeyAlgorithms  +ssh-dss
-	Port               2222
-
-# Virtual Machines' specific settings
-# E.g. no key checking due to them being ephemeral
-Host  local vm*
-	Hostname               localhost
-	IdentitiesOnly         yes
-	IdentityFile           ~/.ssh/id_rsa
-	StrictHostKeyChecking  no
-	UserKnownHostsFile     /dev/null
-
-# Network devices' specific settings
-# E.g. firewalls and switches
-Host  net?a?-fw? org?-h?-sw?
-	CanonicalDomains     my.org
-	CanonicalizeMaxDots  0
-Host !bastion* *.brt*.my.org *.brs? *.brs??
-	ProxyCommand ssh -W %h:%p `host bastion.my.org | awk '/address/ {print $4; exit}' | xargs host | cut -d\  -f5`
-
-# Home devices' specific settings
-Host  omnia turris
-	AddressFamily   inet6
-	IdentitiesOnly  yes
-	User            root
-Host  raspberrypi*
-	AddKeysToAgent  no
-	SendEnv         -LC_* PAGER
-	SetEnv          FOO=bar
-	UseKeyChain     no
-	User            pi
-
-# User-specific settings
-Match  user  robots
-	IdentityFile  ~/.ssh/id_ed25519
-	ServerAliveInterval 300
-	ServerAliveCountMax 2
-
-# Default settings
-# ------------------
-
-AddKeysToAgent       yes
-Compression          yes
-HashKnownHosts       no
-ServerAliveInterval  300
-ServerAliveCountMax  2
-UseKeyChain          yes
-
-# Keep connections open for some time to reuse them
-# %C returns a hash of different information and is useful as socket identifier
-ControlMaster   auto
-ControlPersist  30s
-ControlPath     ~/.ssh/control-%C