
add security considerations + remove unused code made for hid interaction

Noah Vogt 1 yıl önce
ebeveyn
işleme
4df57cabf8

+ 21 - 0
README.md

@@ -0,0 +1,21 @@
+## Security Considerations
+
+- boot security
+    - add BIOS password
+    - use motherboard with TPM2.0 and BIOS password not stored in volatile memory
+    - use secure boot
+    - use full disk encryption with TPM keys
+    - disable unneeded device ports in BIOS
+- prevent user input
+    - blacklist all HID modules
+        - usb
+        - serial decies /dev/tty* (or more fine-grained) using a udev rule
+    - disable unneeded device ports in software
+- prevent leakage through network
+    - use https
+        - use a self-signed certificate as to not worry about expiration
+    - use firewall to block all ports except the two needed
+- vulnerabilty exploits
+    - reduce software stack
+    - apply some hardening
+    - add update schedule

+ 0 - 70
dot-config/aliasrc

@@ -1,70 +0,0 @@
-# adding some colors to the world
-alias ls='ls --color=auto'
-alias grep='grep --color=auto'
-alias diff='diff --color=auto'
-
-# human readable pls
-alias du='du -h'
-alias df='df -h'
-alias free='free -h'
-
-# basic system aliases
-alias p='doas pacman'
-alias sc='doas systemctl'
-alias q='exit'
-alias sw='Hyprland'
-alias ll='ls -l'
-alias la='ls -A'
-
-# faster directory switching
-alias ..='cd ..'
-alias ...='cd ../..'
-alias ....='cd ../../..'
-alias .....='cd ../../../..'
-
-# vim, v -> neovim
-alias vim='nvim'
-alias v='vim'
-
-# safety features
-alias rm='rm -i'
-alias cp='cp -i'
-alias mv='mv -i'
-
-alias loc='find -type f | grep -v "^./.git\|LICENSE\|^.*\.md" | xargs wc -l | sort -h'
-
-# fast dir switching
-s() {
-    cd "$(ls -d ~/.local/src/* | fzf)"
-}
-
-b() {
-    file="$(ls ~/.local/bin/* | fzf)"
-    [ -n "$file" ] && "$EDITOR" "$file"
-}
-
-c() {
-    pushd "$HOME/.local/src/videopc-infra" > /dev/null || exit 1
-    file="$(find dot-config -type f | fzf)"
-    [ -n "$file" ] &&
-        "$EDITOR" "${file/dot-config\//${XDG_CONFIG_HOME:-$HOME/.config}/}"
-    popd > /dev/null
-}
-
-
-# useful extended system aliases
-alias perm="stat -c \"%a %n\" --"
-installedsize() {
-    pacman -Qi | egrep '^(Name|Installed)' | cut -f2 -d':' | sed 's/^ //' | \
-    grep -A1 "$1" | grep -v "\-\-" | \
-    awk '{ printf "%s%s", $0, (NR%2==1 ? FS : RS) }' | column -t
-}
-etouch() {
-    [ -n "$1" ] && touch "$1" chmod +x "$1"
-}
-evim() {
-    [ -n "$1" ] && touch "$1" && chmod +x "$1" && v "$1"
-}
-mkcd() {
-    [ -n "$1" ] && mkdir "$1" && cd "$1"
-}

+ 0 - 8
dot-config/exportrc

@@ -1,8 +0,0 @@
-# setting basic variables
-export EDITOR=nvim
-export VISUAL=nvim
-export PATH=$PATH:~/.local/bin
-export SHELL=/bin/zsh
-
-# ~/ cleanup
-export INPUTRC="$XDG_CONFIG_HOME/readline/inputrc"

+ 5 - 61
dot-config/hypr/hyprland.conf

@@ -1,24 +1,6 @@
 $mainMod = SUPER
 
-# MONITOR CONFIG
-monitor=,preferred,auto,1
-monitor=,addreserved, 0, 0, 0, 0
-input {
-    # Keyboard
-    kb_layout = ch
-    kb_options = caps:swapescape,altwin:swap_lalt_lwin
-    numlock_by_default = true
-    repeat_delay = 250
-    repeat_rate = 35
-}
-
-binds {
-    scroll_event_delay = 0
-}
-
 general {
-    cursor_inactive_timeout 0
-    # max_fps = 75
     # Gaps and border
     gaps_in = 0
     gaps_out = 0
@@ -26,10 +8,8 @@ general {
     border_size = 0
 
     # Functionality
-    # resize_on_border = true
     no_focus_fallback = true
     layout = master
-
     allow_tearing = false # some guy told me tearing might make things smoother idk
 }
 
@@ -49,47 +29,11 @@ misc {
     new_window_takes_over_fullscreen = 2
 }
 
-debug {
-	#overlay = true
-	#damage_tracking = 0
-
-	#damage_blink = yes
-}
-
-######## Window rules ########
+# Window rules
 windowrule = workspace 1 silent, title:^(pulpit_in)(.*)$
 windowrule = workspace 2 silent, title:^(rtmp_in)(.*)$
 
-
-####### Keybinds ########
-bind = Super, Return, exec, kitty
-bind = Super, E, exec, nautilus --new-window
-bind = Super, 1, workspace, 1
-bind = Super, 2, workspace, 2
-bind = Super, 3, workspace, 3
-bind = Super, 4, workspace, 4
-bind = Super, 5, workspace, 5
-bind = Super, 6, workspace, 6
-bind = Super, 7, workspace, 7
-bind = Super, 8, workspace, 8
-bind = Super, 9, workspace, 9
-bind = Super, 0, workspace, 10
-bind = Super Shift, 1, movetoworkspacesilent, 1
-bind = Super Shift, 2, movetoworkspacesilent, 2
-bind = Super Shift, 3, movetoworkspacesilent, 3
-bind = Super Shift, 4, movetoworkspacesilent, 4
-bind = Super Shift, 5, movetoworkspacesilent, 5
-bind = Super Shift, 6, movetoworkspacesilent, 6
-bind = Super Shift, 7, movetoworkspacesilent, 7
-bind = Super Shift, 8, movetoworkspacesilent, 8
-bind = Super Shift, 9, movetoworkspacesilent, 9
-bind = Super Shift, 0, movetoworkspacesilent, 10
-bind = Super, F, fullscreen, 0
-bind = SuperShift, F, fakefullscreen, 0
-bind = Super, Q, killactive,
-bind = SuperShift, Q, exec, gracefully-quit-all-hypr-windows; hyprctl clients | grep -q "mapped:\s*1" || killall Hyprland
-bind = SuperCtrl, Q, exec, killall Hyprland
-
-exec-once=[workspace 4 silent] kitty -e videopc_api
-exec-once=[workspace 4 silent] kitty -e show-rtmp-in
-exec-once=[workspace 4 silent] kitty -e show-pulpit-in
+# Exec Rules
+exec-once=[workspace 4 silent] kitty -e ~/.local/bin/videopc_api
+exec-once=[workspace 4 silent] kitty -e ~/.local/bin/show-rtmp-in
+exec-once=[workspace 4 silent] kitty -e ~/.local/bin/show-pulpit-in
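Review bot: The first new exec-once line launches `~/.local/bin/videopc_api`, while the only API script visible elsewhere in this commit is `local-bin/videopc_api.py`; unless the bootstrap installs it without the `.py` suffix (not visible here), that kitty window would presumably open and exit with "not found" rather than start the API. The switch to absolute paths is needed because `exportrc` (which put `~/.local/bin` on PATH) is deleted in this same commit, so a comment above the block such as `# absolute paths: ~/.local/bin is no longer on PATH (exportrc removed)` would save the next reader the archaeology. Tilde expansion here depends on the exec line being handed to a shell, which presumably is why it works; `$HOME/.local/bin/...` would make that explicit.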

+ 0 - 57
dot-config/kitty/kitty.conf

@@ -6,60 +6,3 @@ confirm_os_window_close 0
 
 # disable terminal bell
 enable_audio_bell no
-
-# font
-font_family      JetBrainsMono Nerd Font
-font_size 12.0
-
-# cursor
-cursor #add8e6
-cursor_blink_interval 0
-
-# gui
-window_padding_width 3
-
-# urls
-url_color #0087bd
-url_style curly
-
-# colors
-
-foreground #e4e1e6
-background #1b1b1f
-
-selection_foreground #000000
-selection_background #fffacd
-
-color0 #3b4252
-color1 #bf616a
-color2 #a3be8c
-color3 #ebcb8b
-color4 #81a1c1
-color5 #b48ead
-color6 #88c0d0
-color7 #e5e9f0
-
-color8 #3b4252
-color9 #bf616a
-color10 #a3be8c
-color11 #ebcb8b
-color12 #81a1c1
-color13 #b48ead
-color14 #88c0d0
-color15 #e5e9f0
-
-# keybinds
-clear_all_shortcuts	yes
-
-map alt+c copy_to_clipboard
-map alt+v paste_from_clipboard
-
-map alt+k scroll_line_up
-map alt+j scroll_line_down
-
-map alt+u scroll_page_up
-map alt+d scroll_page_down
-
-map alt+shift+k change_font_size all +1.0
-map alt+shift+j change_font_size all -1.0
-map alt+0 change_font_size all 0

+ 0 - 16
dot-config/readline/inputrc

@@ -1,16 +0,0 @@
-set editing-mode vi
-$if mode=vi
-
-set keymap vi-command
-# these are for vi-command mode
-Control-l: clear-screen
-
-set keymap vi-insert
-# these are for vi-insert mode
-Control-l: clear-screen 
-$endif
-
-# different cursor dependig on editing mode
-set show-mode-in-prompt on
-set vi-cmd-mode-string "\1\e[2 q\2"
-set vi-ins-mode-string "\1\e[6 q\2"

+ 0 - 15
dot-config/user-dirs.dirs

@@ -1,15 +0,0 @@
-# This file is written by xdg-user-dirs-update
-# If you want to change or add directories, just edit the line you're
-# interested in. All local changes will be retained on the next run.
-# Format is XDG_xxx_DIR="$HOME/yyy", where yyy is a shell-escaped
-# homedir-relative path, or XDG_xxx_DIR="/yyy", where /yyy is an
-# absolute path. No other format is supported.
-# 
-XDG_DOCUMENTS_DIR="$HOME/dox"
-XDG_DOWNLOAD_DIR="$HOME/dl"
-XDG_MUSIC_DIR="$HOME/mus"
-XDG_PICTURES_DIR="$HOME/pix"
-XDG_VIDEOS_DIR="$HOME/vids"
-XDG_DESKTOP_DIR="$HOME/.local/share/desktop"
-XDG_TEMPLATES_DIR="$HOME/.local/share/templates"
-XDG_PUBLICSHARE_DIR="$HOME/.local/share/public"

+ 0 - 161
dot-config/zsh/.zshrc

@@ -1,161 +0,0 @@
-# Enable colors and change prompt:
-autoload -U colors && colors
-PS1="%B%{$fg[red]%}[%{$fg[yellow]%}%n%{$fg[green]%}@%{$fg[blue]%}%M %{$fg[magenta]%}%~%{$fg[red]%}]%{$reset_color%}$%b "
-
-# History in cache directory:
-HISTSIZE=10000
-SAVEHIST=10000
-HISTFILE=~/.cache/zsh/history
-
-# Basic auto/tab complete:
-autoload -U compinit
-zstyle ':completion:*' menu select
-zmodload zsh/complist
-compinit
-_comp_options+=(globdots)		# Include hidden files.
-
-# vi mode
-bindkey -v
-export KEYTIMEOUT=1
-
-# Use vim keys in tab complete menu:
-bindkey -M menuselect 'h' vi-backward-char
-bindkey -M menuselect 'k' vi-up-line-or-history
-bindkey -M menuselect 'l' vi-forward-char
-bindkey -M menuselect 'j' vi-down-line-or-history
-bindkey -v '^?' backward-delete-char
-
-# Change cursor shape for different vi modes.
-function zle-keymap-select {
-  if [[ ${KEYMAP} == vicmd ]] ||
-     [[ $1 = 'block' ]]; then
-    echo -ne '\e[1 q'
-  elif [[ ${KEYMAP} == main ]] ||
-       [[ ${KEYMAP} == viins ]] ||
-       [[ ${KEYMAP} = '' ]] ||
-       [[ $1 = 'beam' ]]; then
-    echo -ne '\e[5 q'
-  fi
-}
-zle -N zle-keymap-select
-zle-line-init() {
-    zle -K viins # initiate `vi insert` as keymap (can be removed if `bindkey -V` has been set elsewhere)
-    echo -ne "\e[5 q"
-}
-zle -N zle-line-init
-echo -ne '\e[5 q' # Use beam shape cursor on startup.
-preexec() { echo -ne '\e[5 q' ;} # Use beam shape cursor for each new prompt.
-
-# Use lf to switch directories and bind it to ctrl-o
-lfcd () {
-    tmp="$(mktemp)"
-    lfub -last-dir-path="$tmp" "$@"
-    if [ -f "$tmp" ]; then
-        dir="$(cat "$tmp")"
-        rm -f "$tmp"
-        [ -d "$dir" ] && [ "$dir" != "$(pwd)" ] && cd "$dir"
-    fi
-}
-bindkey -s '^o' 'lfcd\n'
-
-# Edit line in vim with ctrl-e:
-autoload edit-command-line; zle -N edit-command-line
-bindkey '^e' edit-command-line
-
-# Load aliases and shortcuts if existent.
-[ -f "$HOME/.config/exportrc" ] && source "$HOME/.config/exportrc"
-[ -f "$HOME/.config/aliasrc" ] && source "$HOME/.config/aliasrc"
-[ -f "$HOME/.config/norisa.local" ] && source "$HOME/.config/norisa.local"
-
-if echo $USER | grep -q "miner"; then
-    if cat /tmp/norisa/currently-mining | grep -q "0"; then
-        echo "Start mining ..."
-        echo "1" > /tmp/norisa/currently-mining
-        nmine start
-    fi
-fi
-
-# This is the list for lf icons:
-export LF_ICONS="di=📁:\
-fi=📃:\
-tw=🤝:\
-ow=📂:\
-ln=⛓:\
-or=❌:\
-ex=🎯:\
-*.txt=✍:\
-*.mom=✍:\
-*.me=✍:\
-*.ms=✍:\
-*.png=🖼:\
-*.webp=🖼:\
-*.ico=🖼:\
-*.jpg=📸:\
-*.jpe=📸:\
-*.jpeg=📸:\
-*.gif=🖼:\
-*.svg=🗺:\
-*.tif=🖼:\
-*.tiff=🖼:\
-*.xcf=🖌:\
-*.html=🌎:\
-*.xml=📰:\
-*.gpg=🔒:\
-*.css=🎨:\
-*.pdf=📚:\
-*.djvu=📚:\
-*.epub=📚:\
-*.csv=📓:\
-*.xlsx=📓:\
-*.tex=📜:\
-*.md=📘:\
-*.r=📊:\
-*.R=📊:\
-*.rmd=📊:\
-*.Rmd=📊:\
-*.m=📊:\
-*.mp3=🎵:\
-*.opus=🎵:\
-*.ogg=🎵:\
-*.m4a=🎵:\
-*.flac=🎼:\
-*.wav=🎼:\
-*.mkv=🎥:\
-*.mp4=🎥:\
-*.webm=🎥:\
-*.mpeg=🎥:\
-*.avi=🎥:\
-*.mov=🎥:\
-*.mpg=🎥:\
-*.wmv=🎥:\
-*.m4b=🎥:\
-*.flv=🎥:\
-*.zip=📦:\
-*.rar=📦:\
-*.7z=📦:\
-*.tar.gz=📦:\
-*.z64=🎮:\
-*.v64=🎮:\
-*.n64=🎮:\
-*.gba=🎮:\
-*.nes=🎮:\
-*.gdi=🎮:\
-*.1=ℹ:\
-*.nfo=ℹ:\
-*.info=ℹ:\
-*.log=📙:\
-*.iso=📀:\
-*.img=📀:\
-*.bib=🎓:\
-*.ged=👪:\
-*.part=💔:\
-*.torrent=🔽:\
-*.jar=♨:\
-*.java=♨:\
-"
-
-# fish-like zsh autosuggestions
-source /usr/share/zsh/plugins/zsh-autosuggestions/zsh-autosuggestions.zsh
-
-# Load zsh-syntax-highlighting; should be last.
-source /usr/share/zsh/plugins/zsh-syntax-highlighting/zsh-syntax-highlighting.zsh 2>/dev/null

+ 0 - 4
local-bin/gracefully-quit-all-hypr-windows

@@ -1,4 +0,0 @@
-#!/bin/sh
-
-HYPRCMDS=$(hyprctl -j clients | jq -j '.[] | "dispatch closewindow address:\(.address); "')
-hyprctl --batch "$HYPRCMDS"

+ 1 - 1
local-bin/videopc_api.py

@@ -6,7 +6,7 @@ from fastapi import FastAPI
 
 api = FastAPI()
 
-with open("/etc/videopc_api_key", "r") as api_file_reader:
+with open("/etc/videopc_api_key", "r", encoding="utf-8") as api_file_reader:
     SECRET = api_file_reader.read().strip()
 
 
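Review bot: An empty key file is still accepted on the new line: `open()` raises if `/etc/videopc_api_key` is missing, but an empty or whitespace-only file leaves `SECRET == ""`, and a later comparison against a blank or absent header would presumably match it. Add right after the `with` block `if not SECRET: raise RuntimeError("/etc/videopc_api_key is empty")` so the service refuses to start rather than run with a null secret. The explicit `encoding="utf-8"` is a good addition. How `SECRET` is compared lies outside this hunk.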

+ 2 - 38
videopc-bootstrap.sh

@@ -52,16 +52,6 @@ create_videopc_user() {
     done
 }
 
-choose_user() {
-    echo -e "\e[0;30;46m Available users: \e[0m"
-    ls /home
-    while true; do
-    echo -e "\e[0;30;42m Enter in your chosen user \e[0m"
-    read -rp " >>> " username
-        ls /home/ | grep -q "^$username$" && break
-    done
-}
-
 set_rtmp_key() {
     echo -e "\e[0;30;34mSetting rtmp key... \e[0m"
     while true; do
@@ -90,23 +80,6 @@ add_user_to_groups() {
     fi
 }
 
-ensure_history_file_exists() {
-    if ! [ -f /home/"$username"/.cache/zsh/history ]; then
-        echo -e "\e[0;30;34mEnsuring initial zsh history file exists ...\e[0m"
-        mkdir -vp /home/"$username"/.cache/zsh
-        touch /home/"$username"/.cache/zsh/history
-    fi
-}
-
-
-change_login_shell_to_zsh() {
-    if ! grep "^$username.*::/home/$username" /etc/passwd | sed 's/^.*://' | \
-        grep -q "^$(which zsh)$"; then
-        echo -e "\e[0;30;34mSetting default shell to $(which zsh)...\e[0m"
-        chsh -s "$(which zsh)" "$username" || exit 1
-    fi
-}
-
 
 make_user_owner_of_HOME_and_mnt_dirs() {
     echo -e "\e[0;30;34mChanging ownership of /home/$username + /mnt ...\e[0m"
@@ -194,27 +167,18 @@ set_api_key
 # download packages from the official repos
 # TODO: remove uneeded pkg's
 echo -e "\e[0;30;34mInstalling packages from repos ...\e[0m"
-pacman -S --noconfirm --needed xf86-video-vesa xf86-video-fbdev neovim ffmpeg arandr man-db python mediainfo pulseaudio-alsa ttf-linux-libertine noto-fonts-emoji xorg-setxkbmap dash neofetch htop wireless_tools mpv xorg-xinput cpupower zsh zsh-syntax-highlighting powertop zsh-autosuggestions xf86-video-amdgpu xf86-video-intel xf86-video-nouveau fzf dust lf ttf-jetbrains-mono-nerd foliate coreutils curl xorg-xrandr webp-pixbuf-loader wireplumber hyprland-git ttf-space-mono-nerd kitty opendoas-sudo adwaita-fake-cursors greetd-agreety openssh uvicorn python-fastapi wlr-randr || pacman_error_exit
+pacman -S --noconfirm --needed xf86-video-vesa xf86-video-fbdev neovim ffmpeg arandr python pulseaudio-alsa neofetch mpv xf86-video-amdgpu xf86-video-intel xf86-video-nouveau dust coreutils curl webp-pixbuf-loader wireplumber hyprland kitty opendoas-sudo adwaita-fake-cursors greetd-agreety openssh uvicorn python-fastapi || pacman_error_exit
 
 # install aur packages
 echo -e "\e[0;30;34mInstalling packages from AUR ...\e[0m"
-doas -u "$username" paru -S --noconfirm --needed dashbinsh doasedit mediamtx-bin || pacman_error_exit
+doas -u "$username" paru -S --noconfirm --needed doasedit mediamtx-bin || pacman_error_exit
 
 # enable mediamtx service
 echo -e "\e[0;30;34mEnabling mediamtx daemon ...\e[0m"
 systemctl enable mediamtx
 
-# set global zshenv
-echo -e "\e[0;30;34mSetting global zshenv ...\e[0m"
-mkdir -vp /etc/zsh
-echo "export ZDOTDIR=\$HOME/.config/zsh" > /etc/zsh/zshenv
-
-ensure_history_file_exists
-
 make_user_owner_of_HOME_and_mnt_dirs
 
-change_login_shell_to_zsh
-
 # setup autologin
 echo -e "\e[0;30;34mSetting up Autologin ...\e[0m"
 systemctl enable greetd
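Review bot: The new paru line `doas -u "$username" paru -S --noconfirm --needed doasedit mediamtx-bin` builds and installs two AUR packages with no PKGBUILD review, on a host whose README in this same commit lists "reduce software stack" and "apply some hardening"; for an unattended kiosk build that is the largest remaining supply-chain trust decision in the script and it is not mentioned anywhere. Consider fetching a pinned mediamtx release and verifying its published checksum in the script instead of an AUR build at install time, or at least add a comment above the line naming the trust placed in those two AUR packages. The pacman line's move from `hyprland-git` to `hyprland` already goes in that direction. These lines run at the top level of the script, outside any function.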