Update systemd- and Neovim-related notes

2025-02-22 15:18:59 +00:00 · 2022-04-20 19:05:37 +08:00 · 2022-04-20 19:05:37 +08:00 · 8c378fc029
commit 8c378fc029
parent 3fa5539c66
10 changed files with 137 additions and 40 deletions
--- a/notebook/editor.neovim.help-system.org
+++ b/notebook/editor.neovim.help-system.org
@ -3,13 +3,17 @@
 :END:
 #+title: Neovim help system
 #+date: 2022-04-01 16:20:55 +08:00
-#+date_modified: 2022-04-03 16:59:48 +08:00
+#+date_modified: 2022-04-20 19:04:55 +08:00
 #+language: en
- the main command is ~:h~ which should open ~help.txt~ if given no arguments;
+- the main command is =:h= which should open =help.txt= if given no arguments;
-  this should be enough if you want to explore much of Neovim itself as the document has
+  this should be enough if you want to explore much of Neovim itself as the document has an index of tutorials and local additions (most likely from the installed plugins)
 - the help documents are written in a custom formatting language that is recognized as a separate filetype;
  in addition to navigating the buffer like any other buffer, you can also run =gO= to show the table of contents
 - if given an argument, Vim will open the section of the document with the closest match
 - some points of interest
-  - you can view the complete listing of help tags with ~help-tags~
+  - you can view the complete listing of help tags with =help-tags=
-  - there is also a index of tags from ~index.txt~
+  - there is also a index of tags from =index.txt=
  - you can easily get the keybind with =CTRL-V= (e.g., =CTRL-V= then =META-D= will quickly print the keymap)
  - tab completion is present
--- a/notebook/editor.neovim.lua-modules.org
+++ b/notebook/editor.neovim.lua-modules.org
@ -0,0 +1,19 @@
 :PROPERTIES:
 :ID:       bdcff35e-15e1-4539-9c4e-5fdd5b978c26
 :END:
 #+title: Neovim Lua modules
 #+date: 2022-04-20 18:36:23 +08:00
 #+date_modified: 2022-04-20 18:39:40 +08:00
 #+language: en
 - Neovim will load the requires files from its runtime paths;
  see =runtimepath= from the [[id:0a0fe63e-dcf3-4928-9e82-5513784c1244][Neovim help system]]
 - built on top of the already existing [[id:ffb8b08a-ca0a-48a4-bebc-d2bf11aa5ccf][Lua modules]] system
 - while searching for the runtime paths, Neovim will search for certain folders
  - =plugin/= will load all of the Lua files that are placed in that subdirectory
  - =lua/= also contains Lua files but does not automatically load until some other module will call ~require~ to that module
  - =init.lua= is basically the =index.html= for HTML files, =default.nix= for [[id:a57e63a7-6daa-4639-910d-c6648df156a3][Nix language]], or =mod.rs= for [[id:d7d7d8f0-adf9-461d-ace5-c8624dab1083][Rust language]]
 - in module names that are ~require~'d, =.= is treated as a separator and representing as a directory in the file tree;
  e.g., when running ~require("custom.plugins")~, =custom.plugins= should have a module at =$RUNTIMEPATH/lua/custom/plugins/init.lua=
 - at some point, Neovim can make use of more Lua modules with [[https://luarocks.org/][Luarocks]]
--- a/notebook/editor.neovim.lua.org
+++ b/notebook/editor.neovim.lua.org
@ -3,34 +3,35 @@
 :END:
 #+title: Neovim Lua integration
 #+date: "2021-07-15 07:45:50 +08:00"
-#+date_modified: "2021-11-16 19:15:13 +08:00"
+#+date_modified: "2022-04-20 18:49:17 +08:00"
 #+language: en
- [[https://github.com/nanotee/nvim-lua-guide][go-to resource when introducing using Lua into Neovim]]
+- with Lua integration, you can create [[id:bdcff35e-15e1-4539-9c4e-5fdd5b978c26][Neovim Lua modules]]
- similar to VimL configs, really
+- you can start with =lua-intro= section from [[id:0a0fe63e-dcf3-4928-9e82-5513784c1244][Neovim help system]];
- init file is =${XDG_CONFIG_HOME}/nvim/init.lua=
+  it gives all of the information on the things you need to get started with configuring Neovim with Lua as well as pointers for more things to do with Lua;
- Lua configs doesn't configure much by default
+- Neovim also extends the Lua standard library found in =vim= object;
- you can start with =lua-intro= help section in the =lua= help page from Neovim — i.e., =:h lua=
+  see the =lua-stdlib= in [[id:0a0fe63e-dcf3-4928-9e82-5513784c1244][Neovim help system]]
 - you can still execute Vimscript with =vim.cmd=;
  more information is at =:h lua-vimscript=
 - basics from VimL
  + to set options, it's mostly in =vim.opt= — e.g., ~set number relativenumber~ versus ~vim.opt.number, vim.opt.relativenumber = true, true~
  + highlight options are mostly in =vim.highlight= — e.g., ~highlight clear SpellCap~ versus ~vim.highlight~
  + to set local options, use =vim.opt_local= — e.g., ~setlocal spell~ versus ~vim.opt_local.spell = true~
  + otherwise, to set global options, use =vim.opt_global=
  + you can access environment variables through =vim.env= — e.g., ~vim.env.HOME~, ~vim.env.MYVIMRC~
  + you can manipulate variables of various scales from =vim.{g,b,t}=;
    to see more details, see =lua-vim-variables= help section
  + =vim.opt= will return an Option object, it has a common API;
    to learn more about it, see =vim.opt= and its subsections
  + to run Vimscript, you can use =vim.cmd= — e.g., ~vim.cmd "colorscheme nord"~
  + interacting with Neovim API through =vim.api=
 - there are Neovim configurations written in Lua
  + [[https://github.com/mjlbach/defaults.nvim][defaults.nvim]]
 - comprehensive examples include Neovim plugins that are already written in Lua
  + [[https://github.com/savq/paq-nvim][paq-nvim]] is a simple Neovim package manager
  + [[https://github.com/wbthomason/packer.nvim][packer.nvim]] is a more comprehensive package manager
  + [[https://github.com/L3MON4D3/LuaSnip][LuaSnip]] is a snippet engine
  + [[https://github.com/nvim-telescope/telescope.nvim][telescope.nvim]] is a fuzzy finder integrated inside Neovim
- for more information to create Lua modules, see =lua-require-example= help section
+
 * Setting configuration with Lua
 - you can still execute Vimscript with =vim.cmd=;
  more information is at =:h lua-vimscript=
 - to set options, it's mostly in =vim.opt= — e.g., ~set number relativenumber~ versus ~vim.opt.number, vim.opt.relativenumber = true, true~
 - highlight options are mostly in =vim.highlight= — e.g., ~highlight clear SpellCap~ versus ~vim.highlight~
 - to set local options, use =vim.opt_local= — e.g., ~setlocal spell~ versus ~vim.opt_local.spell = true~
 - otherwise, to set global options, use =vim.opt_global=
 - you can access environment variables through =vim.env= — e.g., ~vim.env.HOME~, ~vim.env.MYVIMRC~
 - you can manipulate variables of various scales from =vim.{g,b,t}=;
  to see more details, see =lua-vim-variables= help section
 - =vim.opt= will return an Option object, it has a common API;
  to learn more about it, see =vim.opt= and its subsections
 - to run Vimscript, you can use =vim.cmd= — e.g., ~vim.cmd "colorscheme nord"~
 - interacting with Neovim API through =vim.api=
--- a/notebook/lang.lua.modules.org
+++ b/notebook/lang.lua.modules.org
@ -0,0 +1,14 @@
 :PROPERTIES:
 :ID:       ffb8b08a-ca0a-48a4-bebc-d2bf11aa5ccf
 :END:
 #+title: Lua modules
 #+date: 2022-04-20 18:36:59 +08:00
 #+date_modified: 2022-04-20 18:37:17 +08:00
 #+language: en
 - for future references, this is documented from the [[https://www.lua.org/manual][Lua manual]]
 - to use the modules from =lua=, you can call =require= builtin;
  the ~require~'d module are stored in a table =packages.loaded= and its content will be loaded inside of a function;
  the module will only load once and it will only cache the return value
 - to unload a module, you can set the package from the package table to null (i.e., ~nil~)
--- a/notebook/lang.oil.org
+++ b/notebook/lang.oil.org
@ -3,7 +3,7 @@
 :END:
 #+title: Oil shell language
 #+date: "2021-05-09 16:40:50 +08:00"
-#+date_modified: "2021-07-28 10:52:44 +08:00"
+#+date_modified: "2022-04-16 20:18:16 +08:00"
 #+language: en
 #+property: header-args:oil  :eval no
@ -21,7 +21,7 @@ Ripping off from the [[https://www.oilshell.org/blog/2020/01/simplest-explanatio
 Oil is also aimed at people who know say Python or JavaScript, but purposely avoid shell.
 #+end_quote
-A modern shell attempting the replace Bash slowly.
+A modern shell attempting the replace [[id:dd9d3ffa-03ff-42a1-8c5d-55dc9fcc70fe][GNU Bash]] slowly.
 The project has an ambitious goal with a wide scope.
 It is known for its [[https://oilshell.org/blog][shell-oriented blog]] and the developer is very responsive and active with shell-related posts.
@ -107,7 +107,7 @@ If you want splitting, you could use =split= Oil function — e.g., ~@split(arra
 Arrays are mostly similar to Bash arrays except you have more options.
 - You can create a heterogenous list containing different types of data — e.g., ~var a = ['Dogs', 24, true ]~.
-  Useful for JSON compatability.
+  Useful for JSON compatibility.
 - A homogenous array is useful for data consistency.
  It can accept a list of data of the same type — e.g., ~var b = %("foo" "bar" "baz")~.
--- a/notebook/linux.systemd.environment-directives.org
+++ b/notebook/linux.systemd.environment-directives.org
@ -3,16 +3,18 @@
 :END:
 #+title: systemd environment directives
 #+date: 2021-08-07 19:58:29 +08:00
-#+date_modified: 2021-08-07 19:59:45 +08:00
+#+date_modified: 2022-04-16 20:19:15 +08:00
 #+language: en
 systemd enables setting the environment through environment directives.
-
+For some, this is a nice shell-agnostic way of setting environment variables and could replace setting through shell profiles (i.e., =.bashrc=, =.profile=).
 Just like how [[id:c7edff80-6dea-47fc-8ecd-e43b5ab8fb1e][systemd at user-level]], you can set it at user-level by placing them in certain user-level load paths (e.g., =$XDG_CONFIG_HOME/environment.d=).
 It needs a =*.conf= file in one of the load paths (seen from the =environment.d.5= manual page).
-Keep in mind it does not use the shell and instead makes use of shell-like syntax.
+Just like how [[id:c7edff80-6dea-47fc-8ecd-e43b5ab8fb1e][systemd at user-level]], you can set it at user-level by placing them in certain user-level load paths (e.g., =$XDG_CONFIG_HOME/environment.d=).
 Keep in mind it does not use the shell directly and instead makes use of shell-like syntax.
 The syntax takes variable substitutions and parameter expansion seen from [[id:dd9d3ffa-03ff-42a1-8c5d-55dc9fcc70fe][GNU Bash]].
 The following code block is an example of setting Nix-related environment variables to enable desktop integrations.
--- a/notebook/linux.systemd.org
+++ b/notebook/linux.systemd.org
@ -3,7 +3,7 @@
 :END:
 #+title: systemd
 #+date: "2021-05-20 22:37:22 +08:00"
-#+date_modified: "2022-01-03 22:03:26 +08:00"
+#+date_modified: "2022-04-19 20:21:56 +08:00"
 #+language: en
 #+property: header-args  :eval no
@ -21,6 +21,7 @@ Among other things, it has the following list of features.
 - [[id:e4dba4ef-71dd-4d30-9a2c-4ad97223510b][systemd-networkd]] is the network configuration manager in case you want to do [[id:a208dd50-2ebc-404d-b407-3ec2f556535e][Network configuration in Linux]].
 - [[id:8505f1f0-f15b-4b04-91fc-12be01913ce6][systemd-boot]] is a bootloader mainly for UEFI-based systems.
 - [[id:d83c099a-fc11-4ccc-b265-4de97c85dcbe][systemd-journald]] is the system logging service providing a structured way to manage your logs from different units.
 - [[id:7fce893f-418f-42aa-b2b1-59d9f0993406][systemd unit hardening]] can help your services secure.
@ -58,5 +59,7 @@ systemctl --user start $SERVICE
  Also contains the related manual pages for a deeper references.
  [fn:: How did I pass a year without knowing this?]
 - On a similar note, =systemd.index.7= is an alphabetical index of the important keywords found in systemd.
 - =systemd.mount= units require the filename to be the mountpoint.
  Though, it has to be converted to what systemd accepts (e.g., =systemd-escape --path $PATH=).
--- a/notebook/linux.systemd.timers.org
+++ b/notebook/linux.systemd.timers.org
@ -3,20 +3,40 @@
 :END:
 #+title: systemd timers
 #+date: 2021-07-19 21:45:47 +08:00
-#+date_modified: 2021-08-07 19:29:15 +08:00
+#+date_modified: 2022-04-16 19:37:37 +08:00
 #+language: en
 You can schedule tasks with timers.
 If systemd is compiled with the feature, it makes cron unnecessary.
 * Timer management
 In a fully-installed systemd-enabled system, there are multiple ways to manage your timers.
 While managing them is practically the same as any other units (see [[id:20830b22-9e55-42a6-9cef-62a1697ea63d][systemd]]), there are timer-specific ways to manage them easier.
 - ~systemctl list-timers~ is the go-to command that displays an overview of all active timers.
  Just give the =--all= flag to list all timers including disabled timers.
 - ~systemctl status ${TIMER_UNIT}~ is another way for a specific timer unit.
  It gives the same details as the =list-timers= subcommand so you'll rarely use this subcommand in practice.
 * Timedate formats
 systemd has different ways to denote time.
 - Timespans denote the duration — e.g., =100 seconds=, =5M 3w=.
 - Timestamps refer to a specific point in time — e.g., =2021-04-02=, =today=, =now=.
 - Calendar events can refer to more than one point of time — e.g., =*-*-4/2=, =Sun,Wed,Fri *-1/2-1/8=.
-To find more details about time notation, you can view the =systemd.time.5= manual page.
+To find more details about time notation, you can view the =systemd.time.7= manual page.
 Here's an example of setting a timer for an example backup service.
 The following timer unit sets it to execute every day at 18:00.
--- a/notebook/linux.systemd.transient-units.org
+++ b/notebook/linux.systemd.transient-units.org
@ -3,13 +3,13 @@
 :END:
 #+title: systemd transient units
 #+date: 2021-08-02 12:01:49 +08:00
-#+date_modified: 2021-08-02 12:05:06 +08:00
+#+date_modified: 2022-04-16 20:01:51 +08:00
 #+language: en
 You can create units on-the-go with =systemd-run=.
 Very useful for quickly creating and scheduling one-off services.
-This tool involves [[id:cd5f0d04-d9bb-44e8-a0f2-630ea58c1e94][systemd services]] and [[id:f1b21fc8-86a5-47cd-b3d8-da6ac7a34427][systemd timers]].
+This tool mainly involves [[id:cd5f0d04-d9bb-44e8-a0f2-630ea58c1e94][systemd services]] and [[id:f1b21fc8-86a5-47cd-b3d8-da6ac7a34427][systemd timers]].
 Like most systemd-related binaries, this can be run at system- and user-level (see [[id:c7edff80-6dea-47fc-8ecd-e43b5ab8fb1e][systemd at user-level]]).
@ -23,3 +23,5 @@ systemd-run --user borg-backup@external-drive.service --on-calendar=12:00
 The result should give you the generated name of the unit.
 Then, they can be managed like an ordinary unit.
 Unit generated this way will persist until the next boot.
 If you want to manage them on a permanent basis, create the appropriate unit files for them.
--- a/notebook/linux.systemd.unit-hardening.org
+++ b/notebook/linux.systemd.unit-hardening.org
@ -0,0 +1,32 @@
 :PROPERTIES:
 :ID:       7fce893f-418f-42aa-b2b1-59d9f0993406
 :END:
 #+title: systemd unit hardening
 #+date: 2022-04-19 20:19:26 +08:00
 #+date_modified: 2022-04-19 20:21:27 +08:00
 #+language: en
 - main command to interact is ~systemd-analyze security~;
  this will give a list of units along with their exposure score (lower is better);
  - take note the goal to a 1.0 score shouldn't be taken as a goal since not all units need are the same;
    security, after all, is about mitigating against your threat model
  - the only unit possible to attain the lowest score is a simple "Hello world" program or similar so don't go for a 1.0
 - several systemd unit options are only available in certain units such as system services
 - here is a list of sandboxing-related options;
  for more information, see ~systemd.exec.5~ manual page
  - ~ProtectHome~ will restrict process to interact with ~/home~, ~/root~, and ~/run/user~;
    can accept a boolean or certain values: ~read-only~ will set certain directories to read-only and ~tmpfs~ will mount the temporary filesystems to the directories as read-only;
  - ~ProtectControlGroups~ will make the control group filesystem (i.e., ~/sys/fs/cgroup~) to read-only
  - ~PrivateUsers~, if enabled, will run the processes through another user
  - ~ProtectClock~ prohibits interacting with the system clock
  - ~ProtectKernelModules~ restricts loading of kernel modules
  - ~ProtectKernelLogs~ prevents logging into the kernel ring buffer
  - ~PrivateTmp~ will create a new temporary filesystem for the unit
  - ~PrivateNetwork~ will create a new set of network devices only composing of a loopback network device;
    this will disallow network access and thus should only use for processes with no business with network access
  - ~PrivateDevices~ will create a new set of devices with only the pseudo-devices (e.g., ~/dev/null~, ~/dev/zero~);
    this will restrict device access and should be used for processes with no device access
 - extra resources
  - [[https://www.ctrl.blog/entry/systemd-service-hardening.html][systemd service hardening]] from ctrl.blog
  - also, a [[https://www.ctrl.blog/entry/systemd-opensmtpd-hardening.html][follow-up post that uses a real-life example for service hardening a web server with recent exploits]]