Idk, what is this

hon@hon.one 3 years ago
parent
commit
6ba381810f

+ 34 - 12
config/linux-server/applications.md

@@ -867,16 +867,39 @@ See [Team Fortress 2 (TF2)](/config/game-servers/tf2/).
 1. (Optional) Disable NetBIOS: `systemctl disable --now nmbd` and `systemctl mask nmbd`
 1. Configure it (see usage).
 
+#### Configuration
+
+- Note: Unless otherwise states, all options should go in the `global` section.
+- General:
+    - Set description (shown some places): `server string`
+    - Set authentication method to standalone: `security = user`
+    - Set the minimum SMB version: `server min protocol = SMB3`
+- Guest user:
+    - (Optional) Disable guest user: `map to guest = never`
+    - Set guest UNIX username: `guest account = <username>` (typically defaults to `nobody`)
+    - Set logins with unknown UNIX users (e.g. `guest`) to use the guest user: `map to guest = bad user`
+    - Allow or disallow guest access on shares (share option): `guest ok = {yes|no}`
+    - Allow only guest access on shares (if `guest ok` is set) (share option): `only guest = yes`
+- NetBIOS:
+    - (Optional) Disable: `disable netbios = yes`
+    - (If enabled) Set name: `netbios name = <name>` (defaults to hostname)
+    - (If enabled) Set workgroup: `workgroup = <workgroup>`
+- Encryption:
+    - (Samba 1.13 and earlier) Enable for all clients and shares: `smb encrypt = required`
+    - (Samba 1.14 and later) **TODO** `server smb encrypt = required`
+- Multi channel:
+    - (Samba 1.3 and earlier) Enable support: `server multi channel support`
+    - **TODO** I haven't tested thid, you may need to do more. Set the `rss` interface option and stuff. Maybe multiple NICs/IP addresses are required.
+- Performance tuning:
+    - Socket options (overrides system defaults, only set if you know what you're doing):
+        - For LAN: `socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY`
+        - For WAN: `socket options = SO_KEEPALIVE IPTOS_THROUGHPUT`
+    - Async RW (better performance and required for multi-channel): `aio read size = 1` and `aio write size = 1`
+    - Sendfile (may use a more efficient syscall for reading): `use sendfile = yes`
+    - Zero-copy (doesn't work with encryption): `min receivefile size = 16384`
+
 #### Usage
 
-- Enforce encryption and signing (`server signing` and `smb encrypt`) on important volumes.
-- Performance tuning:
-    - Socket options: `socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY`
-    - If the stuff is not important and the network is secure and high throughput is desired: `smb encrypt = disabled`
-    - Raw IO: `read raw = yes` and `read raw = yes`
-    - Sendfile: `use sendfile = yes`
-    - Zero-copy from net to FS (doesn't work for signed connections): `min receivefile size = 16384`
-    - Async RW for large files: `aio read size = 16384` and `aio write size = 16384`
 - Making changes:
     - Change the configuration file: `/etc/samba/smb.conf`
     - Test the configuration: `testparm -t`
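Review bot: The new Encryption bullet drops `server signing`, which the removed Usage line ("Enforce encryption and signing (`server signing` and `smb encrypt`)") told the reader to enforce; add a `server signing = required` bullet next to `smb encrypt = required` so the signing guidance does not disappear in the reorganisation. The version qualifiers "Samba 1.13 and earlier", "Samba 1.14 and later" and "Samba 1.3 and earlier" are not Samba release numbers (Samba has been 4.x for years), so they look like typos for 4.x versions and should be checked against the `smb.conf` man page for the installed version before being stated. The zero-copy line now says `min receivefile size` "doesn't work with encryption" while the removed Usage line said "signed connections"; the two lines disagree, so verify against the man page and state both conditions if both apply (in my reading both signing and encryption disable it, since the payload must pass through smbd to be verified). Typos: "Unless otherwise states" should be "stated", and "I haven't tested thid" should be "this".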
@@ -889,9 +912,8 @@ See [Team Fortress 2 (TF2)](/config/game-servers/tf2/).
 - Manage users:
     - Samba users are somewhat using Linux users but with a different password.
     - To separate pure Samba users from *real* users, you can add a "smb-" prefix to its username and make it a system user.
-    - Create a new Linux (system) user without shell login: `useradd -r <name>`
-        - Or: `useradd `
-    - Add a user and set its password: `smbpasswd -a <user>`
+    - (Optional) Create a new Linux system user (no homedir or login): `useradd -r <name>`
+    - Add a Samba user (matching the UNIX user) and set its password: `smbpasswd -a <user>`
     - Show users: `sudo pdbedit -L -v`
 
 ### Client
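Review bot: `useradd -r <name>` creates a system account without a home directory, but it does not by itself disable login: the account gets the default shell from `/etc/default/useradd` (`/bin/sh` on Debian). Since the changed bullet promises "no homedir or login", add `-s /usr/sbin/nologin`, e.g. `useradd -r -s /usr/sbin/nologin <name>`, so a Samba-only account cannot be used for an interactive login even if a UNIX password or SSH key is later set for it.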
@@ -901,7 +923,7 @@ See [Team Fortress 2 (TF2)](/config/game-servers/tf2/).
 1. Install: `apt install cifs-utils`
 1. Add permanent shares (see usage).
 
-#### Usage
+#### Usage and Configuration
 
 - Add permanent share:
     1. Create the mountpoint.

+ 7 - 4
config/linux-server/storage-zfs.md

@@ -84,10 +84,12 @@ The backports repo is used to get the newest version of ZoL.
 ### Pools
 
 - Recommended pool options:
-    - Typical example: `-o ashift=<9|12> -O compression=zstd -O xattr=sa -O atime=off -O relatime=on`
+    - Typical example: `-o ashift=<9|12> -o autotrim=on -O compression=zstd -O xattr=sa -O atime=off -O relatime=on` (`autotrim` only for SSDs)
     - Specifying options during creation: For `zpool`/pools, use `-o` for pool options and `-O` for dataset options. For `zfs`/datasets, use `-o` for dataset options.
     - Set physical block/sector size (pool option): `ashift=<9|12>`
         - Use 9 for 512 (2^9) and 12 for 4096 (2^12). Use 12 if unsure (bigger is safer).
+    - Enable TRIM (for SSDs): `autotrim=on`
+        - It's also recommended to create a cron job to run `zpool trim` periodically for the SSD pool.
     - Enable compression (dataset option): `compression=zstd`
         - Use `lz4` for boot drives (`zstd` booting isn't currently supported) or if `zstd` isn't yet available in the version you're using.
     - Store extended attributes in the inodes (dataset option): `xattr=sa`
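Review bot: The "Typical example" now hard-codes `-o autotrim=on` with an SSD-only caveat in parentheses, while the same option also gets its own bullet two lines below; keep the example generic (HDD pools are common) and let the `autotrim=on` bullet carry the SSD advice. For the periodic `zpool trim` cron suggestion, mention `zpool status -t <pool>` so the reader can confirm TRIM is actually being issued and completed, since not every device or controller exposes discard support.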
@@ -153,6 +155,7 @@ The backports repo is used to get the newest version of ZoL.
 - Recommended dataset options:
     - Set quota: `quota=<size>`
     - Set reservation: `reservation=<size>`
+    - Disable data caching (in the ARC) if the upper layer already uses caching (databases, VMs, etc.): `primarycache=metadata`
     - (See the recommended pool options since most are inherited.)
 - Create dataset:
     - Format: `zfs create [options] <pool>/<name>`
@@ -293,7 +296,7 @@ The backports repo is used to get the newest version of ZoL.
     - Use an appropriate recordsize with `recordsize=<size>`.
         - InnoDB should use 16k for data files and 128k on log files (two datasets).
         - PostgreSQL should use 8k (or 16k) for both data and WAL.
-    - Disable caching with `primarycache=metadata`. DMBSes typically handle caching themselves.
+    - Disable data caching (in the ARC) with `primarycache=metadata`. DMBSes typically handle caching themselves.
         - For InnoDB.
         - For PostgreSQL if the working set fits in RAM.
     - Disable the ZIL with `logbias=throughput` to prevent writing twice.
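Review bot: "DMBSes" on the changed line should be "DBMSes". The next context line, "Disable the ZIL with `logbias=throughput`", also overstates what the option does: `logbias=throughput` stops ZFS from using a separate log device (SLOG) for that dataset and writes the log blocks to the main pool instead; the ZIL is still in use and synchronous writes are still honoured. What actually bypasses the ZIL is `sync=disabled`, which trades durability for speed and is usually the wrong trade under a database, so the bullet should say "don't use the SLOG" rather than "disable the ZIL".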
@@ -301,7 +304,7 @@ The backports repo is used to get the newest version of ZoL.
         - Consider not using it for high-traffic applications.
     - PostgreSQL:
         - Use the same dataset for data and logs.
-        - Use one dataset per database instance. Requires you to specify it when creating the database.
+        - Use one dataset per database instance, if practically possible. Requires you to specify it when creating the database.
         - Don't use PostgreSQL checksums or compression.
         - Example: `su postgres -c 'initdb --no-locale -E=UTF8 -n -N -D /db/pgdb1'`
 
@@ -314,7 +317,7 @@ The backports repo is used to get the newest version of ZoL.
 - Some SSD models come with a build-in cache. Make sure it actually flushes it on power loss.
 - ZFS is always consistent, even in case of data loss.
 - Bitrot is real.
-    - 4.2% to 34% of SSDs have one UBER (uncorrectable bit error rate) per year.
+    - 4.2% to 34% of SSDs have a UBER (uncorrectable bit error rate) of at least 1 per year.
     - External factors:
         - Temperature.
         - Bus power consumption.
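Review bot: "have a UBER (uncorrectable bit error rate) of at least 1 per year" mixes a rate name with an event count, so the rewrite is no clearer than the original. If the figure comes from the Schroeder et al. FAST 2016 flash-reliability study, copy its wording (the fraction of drives that experienced at least one uncorrectable error in the period) and add the citation; a number like this without a source is hard to trust or to check.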

+ 3 - 2
config/media/ffmpeg.md

@@ -8,7 +8,8 @@ breadcrumbs:
 
 ## Resources
 
-- [steven2358's FFmpeg cheat sheet](https://gist.github.com/steven2358/ba153c642fe2bb1e47485962df07c730)
+- [steven2358: FFmpeg cheat sheet](https://gist.github.com/steven2358/ba153c642fe2bb1e47485962df07c730)
+- [NVIDIA Developer Blog: NVIDIA FFmpeg Transcoding Guide](https://developer.nvidia.com/blog/nvidia-ffmpeg-transcoding-guide/)
 
 ## General
 
@@ -18,7 +19,7 @@ breadcrumbs:
     - Windows: Download the binary.
 - View video feed: `ffplay <dev>`
     - For some reason this typically uses a limited framerate and resolution.
-- Options:
+- Options (**TODO** move this):
     - `-crf 23`: Constant rate factor. Defaults to 23. Set to 0 for lossless video.
 
 ## Examples

+ 25 - 33
config/virt-cont/proxmox-ve.md

@@ -67,30 +67,30 @@ Follow the instructions for [Debian](/config/linux-server/debian/), but with the
 **Possibly outdated**
 
 - Guide: [Proxmox VE: Pci passthrough](https://pve.proxmox.com/wiki/Pci_passthrough)
-- Requires support for  IOMMU, IOMMU interrupt remapping, and for dome PCI devices, UEFI support
-- Only 4 devices are are supported
-- For graphics cards, additional steps are required
+- Requires support for  IOMMU, IOMMU interrupt remapping, and for dome PCI devices, UEFI support.
+- Only 4 devices are are supported.
+- For graphics cards, additional steps are required.
 - Setup BIOS/UEFI features:
-    - Enable UEFI
-    - Enable VT-d and SR-IOV Global Enable
-    - Disable I/OAT
-- Enable SR-IOT for NICs in BIOS/ROM
-- Enable IOMMU: Add `intel_iommu=on` to GRUB command line (edit `/etc/default/grub` and add to line `GRUB_CMDLINE_LINUX_DEFAULT`) and run `update-grub`
-- Enable modules: Add `vfio vfio_iommu_type1 vfio_pci vfio_virqfd pci_stub` (newline-separated) to `/etc/modules` and run `update-initramfs -u -k all`
-- Reboot
+    - Enable UEFI.
+    - Enable VT-d and SR-IOV Global Enable.
+    - Disable I/OAT.
+- Enable SR-IOT for NICs in BIOS/ROM.
+- Enable IOMMU: Add `intel_iommu=on` to GRUB command line (edit `/etc/default/grub` and add to line `GRUB_CMDLINE_LINUX_DEFAULT`) and run `update-grub`.
+- Enable modules: Add `vfio vfio_iommu_type1 vfio_pci vfio_virqfd pci_stub` (newline-separated) to `/etc/modules` and run `update-initramfs -u -k all`.
+- Reboot.
 - Test for IOMMU interrupt remapping: Run `dmesg | grep ecap` and check if the last character of the `ecap` value is 8, 9, a, b, c, d, e, or an f. Also, run `dmesg | grep vfio` to check for - errors. If it is not supported, set `options vfio_iommu_type1 allow_unsafe_interrupts=1` in `/etc/modules`, which also makes the host vulnerable to interrupt injection attacks.
 - Test NIC SR-IOV support: `lspci -s <NIC_BDF> -vvv | grep -i "Single Root I/O Virtualization"`
 - List PCI devices: `lspci`
 - List PCI devices and their IOMMU groups: `find /sys/kernel/iommu_groups/ -type l`
-- A device with all of its functions can be added by removing the function suffix of the path
+- A device with all of its functions can be added by removing the function suffix of the path.
 - Add PCIe device to VM:
-    - Add `machine: q35` to the config
-- Add `hostpci<n>: <pci-path>,pcie=1,driver=vfio` to the config for every device
-- Test if the VM can see the PCI card: Run `qm monitor <vm-id>`, then `info pci` inside
+    - Add `machine: q35` to the config.
+- Add `hostpci<n>: <pci-path>,pcie=1,driver=vfio` to the config for every device.
+- Test if the VM can see the PCI card: Run `qm monitor <vm-id>`, then `info pci` inside.
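Review bot: The punctuation pass kept three typos on the rewritten lines: "for dome PCI devices" should be "some", "are are supported" duplicates a word, and "Enable SR-IOT for NICs" should be "SR-IOV". More importantly, the context line that tells the reader to set `options vfio_iommu_type1 allow_unsafe_interrupts=1` in `/etc/modules` points at the wrong file: `/etc/modules` only lists module names to load at boot, and `options ...` lines belong in a file under `/etc/modprobe.d/` (followed by `update-initramfs -u -k all`). Since the line itself says this makes the host vulnerable to interrupt injection from a guest, it is worth stating plainly that it should only be used for fully trusted guests, and that the preferred fix is hardware with working interrupt remapping.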
 
 ### Troubleshooting
 
-**Failed login:**
+**Failed login**:
 
 Make sure `/etc/hosts` contains both the IPv4 and IPv6 addresses for the management networks.
 
@@ -168,21 +168,19 @@ The "Cloud-Init" notes can be ignored if you're not using Cloud-Init. See the se
 - Generally:
     - Use VirtIO if the guest OS supports it, since it provices a paravirtualized interface instead of an emulated physical interface.
 - General tab:
-    - Use start/shutdown order if som VMs depend on other VMs (like virtualized routers).
-      0 is first, unspecified is last. Shutdown follows reverse order.
-      For equal order, the VMID in is used in ascending order.
+    - Use start/shutdown order if som VMs depend on other VMs (like virtualized routers). 0 is first, unspecified is last. Shutdown follows reverse order. For equal order, the VMID in is used in ascending order.
 - OS tab:
     - If installing from an ISO, specify it here.
     - (Cloud-Init) Don't use any media (no ISO).
 - System tab:
     - Graphics card: Use the default. If you want SPICE, you can change to that later.
-    - Qemu Agent: It provides more information about the guest and allows PVE to perform some actions more intelligently,
-      but requires the guest to run the agent.
+    - Qemu Agent: It provides more information about the guest and allows PVE to perform some actions more intelligently, but requires the guest to run the agent.
     - BIOS/UEFI: BIOS w/ SeaBIOS is generally fine, but I prefer UEFI w/ OVMF (for PCIe pass-through support and stuff), assuming your OS/setup doesn't require one or the other.
-        - (Cloud-Init) Prepared Cloud-Init images may typically be using UEFI (and containing an EFI partition), so you probably need to use UEFI.
+        - (Cloud-Init) Prepared Cloud-Init images may be using UEFI (and containing an EFI partition), so you probably need to use UEFI. With an added "EFI disk".
         - About the EFI disk: Using UEFI in PVE typically requires a "EFI disk" (in the hardware tab). This is not the EFI system partition (ESP) and is not visible to the VM, but is used by PVE/OVMF to store the EFIVARS, which contains the boot order. (If a UEFI VM fails to boot, you may need to enter the UEFI/OVMF menu through the remote console to fix the boot entries.)
-    - Machine: Intel 440FX is generally fine, but I prefer Q35 (for PCIe pass-through support and stuff).
+    - Machine: Intel 440FX is generally fine, but Q35 supports more advanced features like PCIe pass-through support and stuff.
     - SCSI controller: VirtIO SCSI.
+    - Pre-enroll keys and TPM: **TODO** The docs don't mention pre-enrolled keys yet, so just use the defaults, I guess.
 - Hard disk tab:
     - (Cloud-Init) This doesn't matter, you're going to replace it afterwards with the imported Cloud-Init-ready qcow2 image. Just add something temporary since it can't be skipped.
     - Bus/device: Use the SCSI bus with the VirtIO SCSI controller selected in the system tab (it supersedes the VirtIO Block controller).
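Review bot: The joined start/shutdown-order line keeps "if som VMs" (should be "some") and "the VMID in is used" (drop "in"). On the Cloud-Init UEFI line, "With an added "EFI disk"." is a sentence fragment and should be folded into the previous sentence ("... so you probably need to use UEFI with an added "EFI disk"."). For the new "Pre-enroll keys and TPM: TODO" bullet: pre-enrolling keys populates the EFI disk with the standard Secure Boot certificates so the guest boots with Secure Boot enforced, which means an OS whose bootloader or kernel is not signed by those keys will fail to boot; the TPM state disk is what Windows 11 requires. Saying that much would be more useful than "just use the defaults, I guess".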
@@ -199,23 +197,17 @@ The "Cloud-Init" notes can be ignored if you're not using Cloud-Init. See the se
       this will create one I/O thread for each controller for maximum performance.
       This is generally not needed if not doing IO-heavy stuff with multiple disks in the VM.
 - CPU tab:
-    - CPU type: Generally, use "kvm64".
-      For HA, use "kvm64" or similar (since the new host must support the same CPU flags).
-      For maximum performance on one node or HA with same-CPU nodes, use "host".
-    - NUMA: Enable for NUMA systems. Set the socket count equal to the numbre of NUMA nodes.
+    - CPU type: Generally, use "kvm64". For HA, use "kvm64" or similar (since the new host must support the same CPU flags). For maximum performance on one node or HA with same-CPU nodes, use "host".
+    - NUMA: Enable for NUMA systems. Set the socket count equal to the number of NUMA nodes (if giving it more than one vCPU).
     - CPU limit: Aka CPU quota. Floating-point number where 1.0 is equivalent to 100% of *one* CPU core.
     - CPU units: Aka CPU shares/weight. Processing priority, higher is higher priority.
     - See the documentation for the various CPU flags (especially the ones related to Meltdown/Spectre).
 - Memory tab:
-    - Ballooning: Enable it.
-      It allows the guest OS to release memory back to the host when the host is running low on it.
-      For Linux, it uses the "balloon" kernel driver in the guest, which will swap out processes or start the OOM killer if needed.
-      For Windows, it must be added manually and may incur a slowdown of the guest.
+    - Ballooning: Enable it. It allows the guest OS to release memory back to the host when the host is running low on it. For Linux, it uses the "balloon" kernel driver in the guest, which will swap out processes or start the OOM killer if needed. For Windows, it must be added manually and may incur a slowdown of the guest.
 - Network tab:
     - Model: Use VirtIO.
     - Firewall: Enable if the guest does not provide one itself, or if you don't want it to immediately become accessible from the network during/after installation (i.e. before you've provisioned it properly).
-    - Multiqueue: When using VirtUO, it can be set to the total CPU cores of the VM for increased performance.
-      It will increase the CPU load, so only use it for VMs that need to handle a high amount of connections.
+    - Multiqueue: When using VirtUO, it can be set to the total CPU cores of the VM for increased performance. It will increase the CPU load, so only use it for VMs that need to handle a high amount of connections.
 - Start the VM:
     - (Cloud-Init) Don't start it yet, go back to the Cloud-Init section.
     - Open a graphical console to show what's going on.
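Review bot: "When using VirtUO" on the joined Multiqueue line should be "VirtIO". The CPU-type line could also say that "host" exposes the host CPU's flags to the guest, so the Meltdown/Spectre flags mentioned two bullets down only need manual attention with the generic "kvm64" type.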
@@ -300,7 +292,7 @@ The "Cloud-Init" notes can be ignored if you're not using Cloud-Init. See the se
     1. Open the Device Manager and find "PCI Simple Communications Controller".
     1. Click "Update driver" and select drivers disc dir `vioserial\w10\amd64`
     1. Open drivers disc dir `guest-agent` and install `qemu-ga-x86_64.msi`.
-1. Install drivers and services: 
+1. Install drivers and services:
     1. Download `virtio-win-gt-x64.msi` (see the wiki for the link).
     1. (Optional) Deselect "Qxl" and "Spice" if you don't plan to use SPICE.
 1. Install SPICE guest agent:

+ 6 - 3
media/audio/basics.md

@@ -12,10 +12,13 @@ breadcrumbs:
     - High midrange (ca. 1kHz-10kHz)
     - Highs (ca. 10kHz-20kHz)
 - Signal levels:
-    - +4dBu: Professional equipment.
-    - -10dBV: Consumer equipment. Lower than +4dBu. Not to be confused with dB**v**.
+    - Note: This is the voltage (and somewhat impedance) inside cables/equipment.
+    - Mic level: Output from a microphone. Very weak, requires a preamp.
+    - Instrument level: Output from e.g. a guitar. Like mic level but slightly stronger.
+    - Line level (+4dBu): Professional equipment.
+    - Line level (-10dBV): Consumer equipment. Lower than +4dBu. Not to be confused with dB**v**.
+    - Speaker level: High-power signal going from an amplifier to a (passive) speaker.
     - Phono: Old, for turntables etc. Much lower voltage than line level. Typically needs a phono preamp/stage with RIAA equalization.
-    - Not to be confused with SPL dB.
 - Balance mode:
     - Unbalanced: Ground and signal.
     - Balanced: Ground and hot and cold signal with equal impedance. The cold signal is 0V but not (directly) connected to ground.

+ 22 - 4
se/general/web-security.md

@@ -87,6 +87,28 @@ breadcrumbs:
 
 ## Mechanisms
 
+### Headers
+
+- Note: These are response headers unless otherwise stated.
+- `X-Frame-Options`: Determines if the current page can be framed. Can prevent e.g. clickjacking. Unless the page is intended to be framed on other sites, set it to `SAMEORIGIN` or `DENY`.
+- `X-Content-Type-Options`: Can prevent e.g. MINE sniffing by denying browsers to ignore the sent `Content-Type` and try to determine the content type of a document by itself, which can lead to XSS. Always set to `nosniff`.
+- `X-XSS-Protection`: Determines if built-in XSS features in the browser (e.g. for detecting reflected XSS) should be enabled or disabled. The default (`1`) is to detect and sanitize unsafe parts (which could potentially be exploited). Set to `1; mode=block` to stop loading the page when detected instead.
+- `Strict-Transport-Security`: See the HSTS section below.
+- `Access-Control-*`: See the CORS section below.
+- `Content-Security-Policy`: See the CSP section below.
+
+### HTTP Strict Transport Security (HSTS)
+
+**TODO**
+
+### Cross-origin resource sharing (CORS)
+
+**TODO**
+
+### Content Security Policy (CSP)
+
+**TODO**
+
 ### Cookies
 
 - Sent with every request.
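Review bot: The `X-XSS-Protection` advice is out of date: Chrome removed its XSS Auditor in version 78 and Edge followed, Firefox never implemented the header, and the filter itself was abused for cross-site information leaks, so the current recommendation is `X-XSS-Protection: 0` together with a real `Content-Security-Policy` rather than `1; mode=block`. On `X-Frame-Options`, mention that CSP `frame-ancestors` is the modern replacement and takes precedence when both are present. Typos and grammar: "MINE sniffing" should be "MIME sniffing", and "denying browsers to ignore the sent `Content-Type`" reads better as "stopping browsers from ignoring the sent `Content-Type`".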
@@ -98,10 +120,6 @@ breadcrumbs:
 - Scope: `Domain` specifies which domains the cookie will be sent to. If omitted, it will only be sent to the current host, excluding subdomains. If it is specified, it will include subdomains. `Path` specifies which paths the cookie will be sent to, including subdirectories. If omitted, all paths are allowed.
 - Same-site: `SameSite=None` allows the cookie to be sent for both same-site and cross-site requests. `SameSite=Strict` allows sending the cookie only when the origin is the same as for the cookie. `SameSite=Lax` allows sending the cookie when the browser navigates to the site as well (meaning the origin is different). Modern browsers are migrating to defaulting to `SameSite=Lax`.
 
-### Cross-origin resource sharing (CORS)
-
-**TODO**
-
 ### JSON Web Token (JWT)
 
 - Useful as single-use authorization tokens.
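Review bot: Moving the CORS section up under Headers is fine, but the SameSite context line above this hunk says `SameSite=Strict` sends the cookie "only when the origin is the same as for the cookie", and the attribute is decided on site (scheme plus registrable domain), not origin: a Strict cookie is still sent between `a.example.com` and `b.example.com`. Writing "origin" here would mislead a reader into thinking SameSite protects across subdomains, so change it to "site" and say what a site is.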