
@cwmccabe
Created April 29, 2018 22:57
diff --git a/.etckeeper b/.etckeeper
index 2373f10..32d85d1 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -2,6 +2,8 @@
mkdir -p './X11/xkb'
mkdir -p './apache2/mods-available'
+mkdir -p './apt/preferences.d'
+mkdir -p './apt/sources.list.d'
mkdir -p './binfmt.d'
mkdir -p './ca-certificates/update.d'
mkdir -p './dbus-1/session.d'
@@ -35,17 +37,20 @@ mkdir -p './polkit-1/localauthority/90-mandatory.d'
mkdir -p './postfix/sasl'
mkdir -p './security/limits.d'
mkdir -p './security/namespace.d'
+mkdir -p './sssd'
mkdir -p './systemd/network'
mkdir -p './systemd/ntp-units.d'
mkdir -p './systemd/user'
+mkdir -p './tmpfiles.d'
mkdir -p './udev/hwdb.d'
+mkdir -p './udev/rules.d'
maybe chmod 0755 '.'
maybe chmod 0700 '.etckeeper'
-maybe chmod 0640 '.gitignore'
-maybe chmod 0750 '.java'
-maybe chmod 0750 '.java/.systemPrefs'
-maybe chmod 0640 '.java/.systemPrefs/.system.lock'
-maybe chmod 0640 '.java/.systemPrefs/.systemRootModFile'
+maybe chmod 0600 '.gitignore'
+maybe chmod 0755 '.java'
+maybe chmod 0755 '.java/.systemPrefs'
+maybe chmod 0644 '.java/.systemPrefs/.system.lock'
+maybe chmod 0644 '.java/.systemPrefs/.systemRootModFile'
maybe chmod 0755 'ImageMagick-6'
maybe chmod 0644 'ImageMagick-6/coder.xml'
maybe chmod 0644 'ImageMagick-6/colors.xml'
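Review bot: Several recorded modes become looser here without any stated reason: `.java` and `.java/.systemPrefs` go from 0750 to 0755 and the two files under them from 0640 to 0644. The same pattern appears in later hunks for `devscripts.conf` (0640 to 0644), `etckeeper/commit.d/99push` (0750 to 0755), `postfix/main.cf` (0640 to 0644) and `rc.local` (0754 to 0755). This file looks like etckeeper's generated metadata, so the place to correct it is the filesystem before the commit rather than these lines. If the tighter modes were deliberate, restore them (for example `chmod 0640 postfix/main.cf` and `chmod 0750 etckeeper/commit.d/99push`) and re-commit. A world-readable push hook or mail configuration is only acceptable if neither holds remote credentials or relay secrets, which cannot be checked from this diff.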
@@ -60,22 +65,43 @@ maybe chmod 0644 'ImageMagick-6/type-dejavu.xml'
maybe chmod 0644 'ImageMagick-6/type-ghostscript.xml'
maybe chmod 0644 'ImageMagick-6/type-windows.xml'
maybe chmod 0644 'ImageMagick-6/type.xml'
-maybe chmod 0644 'LICENSE.md'
maybe chmod 0644 'Muttrc'
maybe chmod 0755 'Muttrc.d'
maybe chmod 0644 'Muttrc.d/charset.rc'
maybe chmod 0644 'Muttrc.d/colors.rc'
maybe chmod 0644 'Muttrc.d/compressed-folders.rc'
maybe chmod 0644 'Muttrc.d/gpg.rc'
-maybe chmod 0644 'Muttrc.d/sidebar.rc'
maybe chmod 0644 'Muttrc.d/smime.rc'
-maybe chmod 0644 'README.md'
maybe chmod 0755 'X11'
+maybe chmod 0755 'X11/Xreset'
+maybe chmod 0755 'X11/Xreset.d'
+maybe chmod 0644 'X11/Xreset.d/README'
+maybe chmod 0755 'X11/Xresources'
+maybe chmod 0644 'X11/Xresources/x11-common'
+maybe chmod 0755 'X11/Xsession'
maybe chmod 0755 'X11/Xsession.d'
+maybe chmod 0644 'X11/Xsession.d/20x11-common_process-args'
+maybe chmod 0644 'X11/Xsession.d/30x11-common_xresources'
+maybe chmod 0644 'X11/Xsession.d/35x11-common_xhost-local'
+maybe chmod 0644 'X11/Xsession.d/40x11-common_xsessionrc'
+maybe chmod 0644 'X11/Xsession.d/50x11-common_determine-startup'
maybe chmod 0644 'X11/Xsession.d/60xdg-user-dirs-update'
maybe chmod 0644 'X11/Xsession.d/75dbus_dbus-launch'
maybe chmod 0644 'X11/Xsession.d/90gpg-agent'
maybe chmod 0644 'X11/Xsession.d/90qt-a11y'
+maybe chmod 0644 'X11/Xsession.d/90x11-common_ssh-agent'
+maybe chmod 0644 'X11/Xsession.d/99x11-common_start'
+maybe chmod 0644 'X11/Xsession.options'
+maybe chmod 0644 'X11/Xwrapper.config'
+maybe chmod 0755 'X11/app-defaults'
+maybe chmod 0644 'X11/app-defaults/GXditview'
+maybe chmod 0644 'X11/app-defaults/GXditview-color'
+maybe chmod 0644 'X11/app-defaults/SshAskpass'
+maybe chmod 0644 'X11/app-defaults/Xvidtune'
+maybe chmod 0755 'X11/fonts'
+maybe chmod 0755 'X11/fonts/misc'
+maybe chmod 0644 'X11/fonts/misc/xfonts-base.alias'
+maybe chmod 0644 'X11/rgb.txt'
maybe chmod 0755 'X11/xkb'
maybe chmod 0755 'acpi'
maybe chmod 0755 'acpi/events'
@@ -83,10 +109,12 @@ maybe chmod 0644 'acpi/events/powerbtn-acpi-support'
maybe chmod 0755 'acpi/powerbtn-acpi-support.sh'
maybe chmod 0644 'adduser.conf'
maybe chmod 0644 'aliases'
+maybe chmod 0644 'aliases.db'
maybe chmod 0755 'alternatives'
maybe chmod 0644 'alternatives/README'
maybe chmod 0755 'ansible'
maybe chmod 0644 'ansible/ansible.cfg'
+maybe chmod 0644 'ansible/hosts'
maybe chmod 0755 'apache2'
maybe chmod 0755 'apache2/conf-available'
maybe chmod 0644 'apache2/conf-available/javascript-common.conf'
@@ -100,38 +128,20 @@ maybe chmod 0755 'apparmor.d/force-complain'
maybe chmod 0755 'apparmor.d/local'
maybe chmod 0644 'apparmor.d/local/system_tor'
maybe chmod 0644 'apparmor.d/local/usr.sbin.sssd'
-maybe chmod 0644 'apparmor.d/local/usr.sbin.unbound'
maybe chmod 0644 'apparmor.d/system_tor'
maybe chmod 0644 'apparmor.d/usr.sbin.sssd'
-maybe chmod 0644 'apparmor.d/usr.sbin.unbound'
maybe chmod 0755 'apt'
maybe chmod 0644 'apt/apt-file.conf'
maybe chmod 0755 'apt/apt.conf.d'
-maybe chmod 0644 'apt/apt.conf.d/00CDMountPoint'
-maybe chmod 0644 'apt/apt.conf.d/00InstallRecommends'
-maybe chmod 0644 'apt/apt.conf.d/00trustcdrom'
maybe chmod 0644 'apt/apt.conf.d/01autoremove'
maybe chmod 0644 'apt/apt.conf.d/01autoremove-kernels'
maybe chmod 0644 'apt/apt.conf.d/05etckeeper'
maybe chmod 0644 'apt/apt.conf.d/50unattended-upgrades'
maybe chmod 0644 'apt/apt.conf.d/70debconf'
-maybe chmod 0644 'apt/preferences'
maybe chmod 0755 'apt/preferences.d'
-maybe chmod 0640 'apt/preferences.d/.keep'
-maybe chmod 0644 'apt/preferences.d/ansible'
-maybe chmod 0644 'apt/preferences.d/firejail'
-maybe chmod 0644 'apt/preferences.d/kernel'
-maybe chmod 0644 'apt/preferences.d/mksh'
-maybe chmod 0644 'apt/preferences.d/mosh'
-maybe chmod 0644 'apt/preferences.d/openntpd'
-maybe chmod 0644 'apt/preferences.d/unbound'
maybe chmod 0644 'apt/sources.list'
maybe chmod 0755 'apt/sources.list.d'
-maybe chmod 0644 'apt/sources.list.d/tor.list'
-maybe chmod 0644 'apt/sources.list.d/weechat.list'
-maybe chmod 0644 'apt/trusted.gpg'
maybe chmod 0755 'apt/trusted.gpg.d'
-maybe chmod 0644 'apt/trusted.gpg.d/deb.torproject.org-keyring.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-jessie-stable.gpg'
@@ -140,7 +150,6 @@ maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gp
maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-stretch-stable.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg'
maybe chmod 0644 'apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg'
-maybe chmod 0644 'apt/trusted.gpg.d/weechat.gpg'
maybe chmod 0755 'at-spi2'
maybe chmod 0644 'at-spi2/accessibility.conf'
maybe chgrp 'daemon' 'at.deny'
@@ -152,7 +161,7 @@ maybe chmod 0750 'audisp/plugins.d'
maybe chmod 0640 'audisp/plugins.d/af_unix.conf'
maybe chmod 0640 'audisp/plugins.d/syslog.conf'
maybe chmod 0750 'audit'
-maybe chmod 0644 'audit/audit.rules'
+maybe chmod 0640 'audit/audit.rules'
maybe chmod 0640 'audit/auditd.conf'
maybe chmod 0750 'audit/rules.d'
maybe chmod 0640 'audit/rules.d/audit.rules'
@@ -168,11 +177,13 @@ maybe chmod 0644 'bash_completion.d/ctest'
maybe chmod 0644 'bash_completion.d/debconf'
maybe chmod 0644 'bash_completion.d/devscripts.chdist'
maybe chmod 0644 'bash_completion.d/devscripts.pkgnames'
+maybe chmod 0644 'bash_completion.d/dput'
maybe chmod 0644 'bash_completion.d/etckeeper'
maybe chmod 0644 'bash_completion.d/git-prompt'
maybe chmod 0644 'bash_completion.d/grub'
maybe chmod 0644 'bash_completion.d/initramfs-tools'
maybe chmod 0644 'bash_completion.d/insserv'
+maybe chmod 0644 'bash_completion.d/mosh'
maybe chmod 0644 'bash_completion.d/npm'
maybe chmod 0644 'bash_completion.d/pygmentize'
maybe chmod 0644 'bash_completion.d/redis-cli'
@@ -186,7 +197,7 @@ maybe chmod 0644 'bindresvport.blacklist'
maybe chmod 0755 'binfmt.d'
maybe chmod 0755 'bitlbee'
maybe chgrp 'bitlbee' 'bitlbee/bitlbee.conf'
-maybe chmod 0644 'bitlbee/bitlbee.conf'
+maybe chmod 0640 'bitlbee/bitlbee.conf'
maybe chmod 0644 'bitlbee/motd.txt'
maybe chmod 0755 'byobu'
maybe chmod 0644 'byobu/backend'
@@ -197,6 +208,8 @@ maybe chmod 0755 'ca-certificates/update.d'
maybe chmod 0755 'calendar'
maybe chmod 0644 'calendar/default'
maybe chmod 0755 'console-setup'
+maybe chmod 0644 'console-setup/cached_Lat15-Fixed16.psf.gz'
+maybe chmod 0644 'console-setup/cached_UTF-8_del.kmap.gz'
maybe chmod 0644 'console-setup/compose.ARMSCII-8.inc'
maybe chmod 0644 'console-setup/compose.CP1251.inc'
maybe chmod 0644 'console-setup/compose.CP1255.inc'
@@ -238,12 +251,10 @@ maybe chmod 0644 'cron.daily/.placeholder'
maybe chmod 0755 'cron.daily/apt'
maybe chmod 0755 'cron.daily/aptitude'
maybe chmod 0755 'cron.daily/bsdmainutils'
-maybe chmod 0755 'cron.daily/clean-lurkers'
maybe chmod 0755 'cron.daily/cracklib-runtime'
maybe chmod 0755 'cron.daily/debsums'
maybe chmod 0755 'cron.daily/dpkg'
maybe chmod 0755 'cron.daily/etckeeper'
-maybe chmod 0750 'cron.daily/gpg-keyring'
maybe chmod 0755 'cron.daily/locate'
maybe chmod 0755 'cron.daily/logrotate'
maybe chmod 0755 'cron.daily/man-db'
@@ -254,7 +265,6 @@ maybe chmod 0644 'cron.hourly/.placeholder'
maybe chmod 0755 'cron.monthly'
maybe chmod 0644 'cron.monthly/.placeholder'
maybe chmod 0755 'cron.monthly/debsums'
-maybe chmod 0750 'cron.monthly/ieee-data'
maybe chmod 0755 'cron.weekly'
maybe chmod 0644 'cron.weekly/.placeholder'
maybe chmod 0755 'cron.weekly/debsums'
@@ -298,6 +308,7 @@ maybe chmod 0644 'default/halt'
maybe chmod 0644 'default/haveged'
maybe chmod 0644 'default/hddtemp'
maybe chmod 0644 'default/hwclock'
+maybe chmod 0644 'default/irqbalance'
maybe chmod 0644 'default/kexec'
maybe chmod 0644 'default/keyboard'
maybe chmod 0644 'default/locale'
@@ -316,13 +327,13 @@ maybe chmod 0644 'default/sssd'
maybe chmod 0644 'default/sysstat'
maybe chmod 0644 'default/tmpfs'
maybe chmod 0644 'default/tor'
+maybe chmod 0644 'default/unbound'
maybe chmod 0644 'default/useradd'
maybe chmod 0644 'deluser.conf'
-maybe chmod 0640 'devscripts.conf'
+maybe chmod 0644 'devscripts.conf'
maybe chmod 0755 'dhcp'
maybe chmod 0755 'dhcp/dhclient-enter-hooks.d'
maybe chmod 0644 'dhcp/dhclient-enter-hooks.d/debug'
-maybe chmod 0644 'dhcp/dhclient-enter-hooks.d/resolvconf'
maybe chmod 0755 'dhcp/dhclient-exit-hooks.d'
maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/debug'
maybe chmod 0644 'dhcp/dhclient-exit-hooks.d/rfc3442-classless-routes'
@@ -342,6 +353,8 @@ maybe chmod 0755 'dpkg/origins'
maybe chmod 0644 'dpkg/origins/debian'
maybe chmod 0644 'dpkg/shlibs.default'
maybe chmod 0644 'dpkg/shlibs.override'
+maybe chmod 0644 'dput.cf'
+maybe chmod 0644 'drirc'
maybe chmod 0755 'elinks'
maybe chmod 0644 'elinks/elinks.conf'
maybe chmod 0755 'emacs'
@@ -366,7 +379,7 @@ maybe chmod 0755 'etckeeper/commit.d/30darcs-add'
maybe chmod 0755 'etckeeper/commit.d/30git-add'
maybe chmod 0755 'etckeeper/commit.d/30hg-addremove'
maybe chmod 0755 'etckeeper/commit.d/50vcs-commit'
-maybe chmod 0750 'etckeeper/commit.d/99push'
+maybe chmod 0755 'etckeeper/commit.d/99push'
maybe chmod 0644 'etckeeper/commit.d/README'
maybe chmod 0644 'etckeeper/etckeeper.conf'
maybe chmod 0755 'etckeeper/init.d'
@@ -382,7 +395,6 @@ maybe chmod 0644 'etckeeper/init.d/README'
maybe chmod 0755 'etckeeper/list-installed.d'
maybe chmod 0755 'etckeeper/list-installed.d/50list-installed'
maybe chmod 0755 'etckeeper/post-install.d'
-maybe chmod 0755 'etckeeper/post-install.d/00package-list'
maybe chmod 0755 'etckeeper/post-install.d/50vcs-commit'
maybe chmod 0644 'etckeeper/post-install.d/README'
maybe chmod 0755 'etckeeper/pre-commit.d'
@@ -393,7 +405,6 @@ maybe chmod 0755 'etckeeper/pre-install.d'
maybe chmod 0755 'etckeeper/pre-install.d/10packagelist'
maybe chmod 0755 'etckeeper/pre-install.d/50uncommitted-changes'
maybe chmod 0644 'etckeeper/pre-install.d/README'
-maybe chmod 0755 'etckeeper/push.d'
maybe chmod 0755 'etckeeper/unclean.d'
maybe chmod 0755 'etckeeper/unclean.d/50test'
maybe chmod 0644 'etckeeper/unclean.d/README'
@@ -414,27 +425,17 @@ maybe chmod 0644 'ferm/ferm.conf'
maybe chmod 0755 'firejail'
maybe chmod 0644 'firejail/0ad.profile'
maybe chmod 0644 'firejail/7z.profile'
-maybe chmod 0644 'firejail/Cryptocat.profile'
maybe chmod 0644 'firejail/Cyberfox.profile'
-maybe chmod 0644 'firejail/FossaMail.profile'
maybe chmod 0644 'firejail/Mathematica.profile'
maybe chmod 0644 'firejail/Telegram.profile'
-maybe chmod 0644 'firejail/VirtualBox.profile'
-maybe chmod 0644 'firejail/Wire.profile'
maybe chmod 0644 'firejail/abrowser.profile'
-maybe chmod 0644 'firejail/amarok.profile'
-maybe chmod 0644 'firejail/ark.profile'
maybe chmod 0644 'firejail/atom-beta.profile'
maybe chmod 0644 'firejail/atom.profile'
-maybe chmod 0644 'firejail/atool.profile'
maybe chmod 0644 'firejail/atril.profile'
maybe chmod 0644 'firejail/audacious.profile'
maybe chmod 0644 'firejail/audacity.profile'
maybe chmod 0644 'firejail/aweather.profile'
maybe chmod 0644 'firejail/bitlbee.profile'
-maybe chmod 0644 'firejail/bleachbit.profile'
-maybe chmod 0644 'firejail/bless.profile'
-maybe chmod 0644 'firejail/brasero.profile'
maybe chmod 0644 'firejail/brave.profile'
maybe chmod 0644 'firejail/cherrytree.profile'
maybe chmod 0644 'firejail/chromium-browser.profile'
@@ -445,100 +446,62 @@ maybe chmod 0644 'firejail/cmus.profile'
maybe chmod 0644 'firejail/conkeror.profile'
maybe chmod 0644 'firejail/corebird.profile'
maybe chmod 0644 'firejail/cpio.profile'
-maybe chmod 0644 'firejail/cryptocat.profile'
maybe chmod 0644 'firejail/cyberfox.profile'
maybe chmod 0644 'firejail/deadbeef.profile'
maybe chmod 0644 'firejail/default.profile'
maybe chmod 0644 'firejail/deluge.profile'
maybe chmod 0644 'firejail/dillo.profile'
maybe chmod 0644 'firejail/disable-common.inc'
-maybe chmod 0644 'firejail/disable-common.local'
maybe chmod 0644 'firejail/disable-devel.inc'
-maybe chmod 0644 'firejail/disable-devel.local'
maybe chmod 0644 'firejail/disable-passwdmgr.inc'
-maybe chmod 0644 'firejail/disable-passwdmgr.local'
maybe chmod 0644 'firejail/disable-programs.inc'
-maybe chmod 0644 'firejail/disable-programs.local'
-maybe chmod 0644 'firejail/display.profile'
maybe chmod 0644 'firejail/dnscrypt-proxy.profile'
maybe chmod 0644 'firejail/dnsmasq.profile'
-maybe chmod 0644 'firejail/dolphin.profile'
maybe chmod 0644 'firejail/dosbox.profile'
-maybe chmod 0644 'firejail/dragon.profile'
maybe chmod 0644 'firejail/dropbox.profile'
-maybe chmod 0644 'firejail/elinks.profile'
maybe chmod 0644 'firejail/emacs.profile'
maybe chmod 0644 'firejail/empathy.profile'
-maybe chmod 0644 'firejail/enchant.profile'
maybe chmod 0644 'firejail/eog.profile'
maybe chmod 0644 'firejail/eom.profile'
maybe chmod 0644 'firejail/epiphany.profile'
maybe chmod 0644 'firejail/evince.profile'
maybe chmod 0644 'firejail/evolution.profile'
-maybe chmod 0644 'firejail/exiftool.profile'
maybe chmod 0644 'firejail/fbreader.profile'
maybe chmod 0644 'firejail/feh.profile'
-maybe chmod 0644 'firejail/file-roller.profile'
maybe chmod 0644 'firejail/file.profile'
maybe chmod 0644 'firejail/filezilla.profile'
maybe chmod 0644 'firejail/firefox-esr.profile'
maybe chmod 0644 'firejail/firefox.profile'
-maybe chmod 0644 'firejail/firejail-default'
maybe chmod 0644 'firejail/firejail.config'
maybe chmod 0644 'firejail/flashpeak-slimjet.profile'
maybe chmod 0644 'firejail/flowblade.profile'
-maybe chmod 0644 'firejail/fossamail.profile'
maybe chmod 0644 'firejail/franz.profile'
maybe chmod 0644 'firejail/gajim.profile'
-maybe chmod 0644 'firejail/gedit.profile'
maybe chmod 0644 'firejail/gimp.profile'
maybe chmod 0644 'firejail/git.profile'
maybe chmod 0644 'firejail/gitter.profile'
-maybe chmod 0644 'firejail/gjs.profile'
-maybe chmod 0644 'firejail/gnome-2048.profile'
-maybe chmod 0644 'firejail/gnome-books.profile'
-maybe chmod 0644 'firejail/gnome-calculator.profile'
maybe chmod 0644 'firejail/gnome-chess.profile'
-maybe chmod 0644 'firejail/gnome-clocks.profile'
-maybe chmod 0644 'firejail/gnome-contacts.profile'
-maybe chmod 0644 'firejail/gnome-documents.profile'
-maybe chmod 0644 'firejail/gnome-maps.profile'
maybe chmod 0644 'firejail/gnome-mplayer.profile'
-maybe chmod 0644 'firejail/gnome-music.profile'
-maybe chmod 0644 'firejail/gnome-photos.profile'
-maybe chmod 0644 'firejail/gnome-weather.profile'
-maybe chmod 0644 'firejail/goobox.profile'
maybe chmod 0644 'firejail/google-chrome-beta.profile'
maybe chmod 0644 'firejail/google-chrome-stable.profile'
maybe chmod 0644 'firejail/google-chrome-unstable.profile'
maybe chmod 0644 'firejail/google-chrome.profile'
maybe chmod 0644 'firejail/google-play-music-desktop-player.profile'
-maybe chmod 0644 'firejail/gpa.profile'
-maybe chmod 0644 'firejail/gpg-agent.profile'
-maybe chmod 0644 'firejail/gpg.profile'
maybe chmod 0644 'firejail/gpredict.profile'
maybe chmod 0644 'firejail/gtar.profile'
maybe chmod 0644 'firejail/gthumb.profile'
-maybe chmod 0644 'firejail/guayadeque.profile'
maybe chmod 0644 'firejail/gwenview.profile'
maybe chmod 0644 'firejail/gzip.profile'
maybe chmod 0644 'firejail/hedgewars.profile'
maybe chmod 0644 'firejail/hexchat.profile'
-maybe chmod 0644 'firejail/highlight.profile'
maybe chmod 0644 'firejail/icecat.profile'
maybe chmod 0644 'firejail/icedove.profile'
maybe chmod 0644 'firejail/iceweasel.profile'
-maybe chmod 0644 'firejail/img2txt.profile'
maybe chmod 0644 'firejail/inkscape.profile'
maybe chmod 0644 'firejail/inox.profile'
-maybe chmod 0644 'firejail/jd-gui.profile'
maybe chmod 0644 'firejail/jitsi.profile'
-maybe chmod 0644 'firejail/k3b.profile'
-maybe chmod 0644 'firejail/kate.profile'
maybe chmod 0644 'firejail/keepass.profile'
-maybe chmod 0644 'firejail/keepass2.profile'
maybe chmod 0644 'firejail/keepassx.profile'
-maybe chmod 0644 'firejail/keepassx2.profile'
maybe chmod 0644 'firejail/kmail.profile'
maybe chmod 0644 'firejail/konversation.profile'
maybe chmod 0644 'firejail/less.profile'
@@ -549,27 +512,20 @@ maybe chmod 0644 'firejail/loffice.profile'
maybe chmod 0644 'firejail/lofromtemplate.profile'
maybe chmod 0644 'firejail/login.users'
maybe chmod 0644 'firejail/loimpress.profile'
-maybe chmod 0644 'firejail/lollypop.profile'
maybe chmod 0644 'firejail/lomath.profile'
maybe chmod 0644 'firejail/loweb.profile'
maybe chmod 0644 'firejail/lowriter.profile'
maybe chmod 0644 'firejail/luminance-hdr.profile'
maybe chmod 0644 'firejail/lxterminal.profile'
-maybe chmod 0644 'firejail/lynx.profile'
maybe chmod 0644 'firejail/mathematica.profile'
maybe chmod 0644 'firejail/mcabber.profile'
-maybe chmod 0644 'firejail/mediainfo.profile'
maybe chmod 0644 'firejail/midori.profile'
maybe chmod 0644 'firejail/mpv.profile'
-maybe chmod 0644 'firejail/multimc5.profile'
-maybe chmod 0644 'firejail/mumble.profile'
maybe chmod 0644 'firejail/mupdf.profile'
maybe chmod 0644 'firejail/mupen64plus.profile'
maybe chmod 0644 'firejail/mutt.profile'
-maybe chmod 0644 'firejail/nautilus.profile'
maybe chmod 0644 'firejail/netsurf.profile'
maybe chmod 0644 'firejail/nolocal.net'
-maybe chmod 0644 'firejail/odt2txt.profile'
maybe chmod 0644 'firejail/okular.profile'
maybe chmod 0644 'firejail/openbox.profile'
maybe chmod 0644 'firejail/openshot.profile'
@@ -577,22 +533,15 @@ maybe chmod 0644 'firejail/opera-beta.profile'
maybe chmod 0644 'firejail/opera.profile'
maybe chmod 0644 'firejail/palemoon.profile'
maybe chmod 0644 'firejail/parole.profile'
-maybe chmod 0644 'firejail/pdfsam.profile'
-maybe chmod 0644 'firejail/pdftotext.profile'
maybe chmod 0644 'firejail/pidgin.profile'
-maybe chmod 0644 'firejail/pithos.profile'
maybe chmod 0644 'firejail/pix.profile'
-maybe chmod 0644 'firejail/pluma.profile'
maybe chmod 0644 'firejail/polari.profile'
maybe chmod 0644 'firejail/psi-plus.profile'
maybe chmod 0644 'firejail/qbittorrent.profile'
-maybe chmod 0644 'firejail/qemu-launcher.profile'
-maybe chmod 0644 'firejail/qemu-system-x86_64.profile'
maybe chmod 0644 'firejail/qpdfview.profile'
maybe chmod 0644 'firejail/qtox.profile'
maybe chmod 0644 'firejail/quassel.profile'
maybe chmod 0644 'firejail/quiterss.profile'
-maybe chmod 0644 'firejail/qupzilla.profile'
maybe chmod 0644 'firejail/qutebrowser.profile'
maybe chmod 0644 'firejail/ranger.profile'
maybe chmod 0644 'firejail/rhythmbox.profile'
@@ -600,17 +549,13 @@ maybe chmod 0644 'firejail/rtorrent.profile'
maybe chmod 0644 'firejail/seamonkey-bin.profile'
maybe chmod 0644 'firejail/seamonkey.profile'
maybe chmod 0644 'firejail/server.profile'
-maybe chmod 0644 'firejail/simple-scan.profile'
-maybe chmod 0644 'firejail/skanlite.profile'
maybe chmod 0644 'firejail/skype.profile'
maybe chmod 0644 'firejail/skypeforlinux.profile'
maybe chmod 0644 'firejail/slack.profile'
maybe chmod 0644 'firejail/snap.profile'
maybe chmod 0644 'firejail/soffice.profile'
maybe chmod 0644 'firejail/spotify.profile'
-maybe chmod 0644 'firejail/ssh-agent.profile'
maybe chmod 0644 'firejail/ssh.profile'
-maybe chmod 0644 'firejail/start-tor-browser.profile'
maybe chmod 0644 'firejail/steam.profile'
maybe chmod 0644 'firejail/stellarium.profile'
maybe chmod 0644 'firejail/strings.profile'
@@ -619,11 +564,8 @@ maybe chmod 0644 'firejail/tar.profile'
maybe chmod 0644 'firejail/telegram.profile'
maybe chmod 0644 'firejail/thunderbird.profile'
maybe chmod 0644 'firejail/totem.profile'
-maybe chmod 0644 'firejail/tracker.profile'
-maybe chmod 0644 'firejail/transmission-cli.profile'
maybe chmod 0644 'firejail/transmission-gtk.profile'
maybe chmod 0644 'firejail/transmission-qt.profile'
-maybe chmod 0644 'firejail/transmission-show.profile'
maybe chmod 0644 'firejail/uget-gtk.profile'
maybe chmod 0644 'firejail/unbound.profile'
maybe chmod 0644 'firejail/unrar.profile'
@@ -634,34 +576,21 @@ maybe chmod 0644 'firejail/virtualbox.profile'
maybe chmod 0644 'firejail/vivaldi-beta.profile'
maybe chmod 0644 'firejail/vivaldi.profile'
maybe chmod 0644 'firejail/vlc.profile'
-maybe chmod 0644 'firejail/w3m.profile'
maybe chmod 0644 'firejail/warzone2100.profile'
maybe chmod 0644 'firejail/webserver.net'
maybe chmod 0644 'firejail/weechat-curses.profile'
maybe chmod 0644 'firejail/weechat.profile'
maybe chmod 0644 'firejail/wesnoth.profile'
-maybe chmod 0644 'firejail/wget.profile'
maybe chmod 0644 'firejail/whitelist-common.inc'
-maybe chmod 0644 'firejail/whitelist-common.local'
maybe chmod 0644 'firejail/wine.profile'
-maybe chmod 0644 'firejail/wire.profile'
-maybe chmod 0644 'firejail/wireshark.profile'
maybe chmod 0644 'firejail/xchat.profile'
-maybe chmod 0644 'firejail/xed.profile'
-maybe chmod 0644 'firejail/xfburn.profile'
-maybe chmod 0644 'firejail/xiphos.profile'
-maybe chmod 0644 'firejail/xonotic-glx.profile'
-maybe chmod 0644 'firejail/xonotic-sdl.profile'
-maybe chmod 0644 'firejail/xonotic.profile'
maybe chmod 0644 'firejail/xpdf.profile'
maybe chmod 0644 'firejail/xplayer.profile'
-maybe chmod 0644 'firejail/xpra.profile'
maybe chmod 0644 'firejail/xreader.profile'
maybe chmod 0644 'firejail/xviewer.profile'
maybe chmod 0644 'firejail/xz.profile'
maybe chmod 0644 'firejail/xzdec.profile'
maybe chmod 0644 'firejail/zathura.profile'
-maybe chmod 0644 'firejail/zoom.profile'
maybe chmod 0755 'fish'
maybe chmod 0644 'fish/config.fish'
maybe chmod 0755 'fonts'
@@ -682,7 +611,7 @@ maybe chmod 0644 'fonts/conf.avail/69-droid-sans-fallback.conf'
maybe chmod 0755 'fonts/conf.d'
maybe chmod 0644 'fonts/conf.d/README'
maybe chmod 0644 'fonts/fonts.conf'
-maybe chmod 0644 'fstab.sample'
+maybe chmod 0644 'fstab'
maybe chmod 0644 'fuse.conf'
maybe chmod 0644 'gai.conf'
maybe chmod 0755 'gconf'
@@ -695,7 +624,6 @@ maybe chmod 0755 'gconf/gconf.xml.mandatory'
maybe chmod 0644 'gconf/gconf.xml.mandatory/%gconf-tree.xml'
maybe chmod 0755 'gdb'
maybe chmod 0644 'gdb/gdbinit'
-maybe chmod 0644 'gemrc'
maybe chmod 0755 'ghostscript'
maybe chmod 0755 'ghostscript/cidfmap.d'
maybe chmod 0644 'ghostscript/cidfmap.d/90gs-cjk-resource-cns1.conf'
@@ -707,12 +635,11 @@ maybe chmod 0755 'ghostscript/fontmap.d'
maybe chmod 0644 'ghostscript/fontmap.d/10gsfonts.conf'
maybe chmod 0755 'glances'
maybe chmod 0644 'glances/glances.conf'
-maybe chmod 0755 'gnupg'
-maybe chmod 0644 'gnupg/README.md'
maybe chmod 0755 'groff'
maybe chmod 0644 'groff/man.local'
maybe chmod 0644 'groff/mdoc.local'
maybe chmod 0644 'group'
+maybe chmod 0600 'group-'
maybe chmod 0755 'grub.d'
maybe chmod 0755 'grub.d/00_header'
maybe chmod 0755 'grub.d/05_debian_theme'
@@ -723,6 +650,9 @@ maybe chmod 0755 'grub.d/30_uefi-firmware'
maybe chmod 0755 'grub.d/40_custom'
maybe chmod 0755 'grub.d/41_custom'
maybe chmod 0644 'grub.d/README'
+maybe chgrp 'shadow' 'gshadow'
+maybe chmod 0640 'gshadow'
+maybe chmod 0600 'gshadow-'
maybe chmod 0755 'gss'
maybe chmod 0755 'gss/mech.d'
maybe chmod 0644 'gss/mech.d/README'
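Review bot: The new `gshadow` and `gshadow-` entries suggest that credential databases and their backups are now tracked in the repository, as do `group-` in the previous hunk and `passwd-`, `shadow` and `shadow-` in later hunks. The recorded modes are the usual ones (0640 with group `shadow`, 0600 for the backups), but they protect only the working copy, not the password hashes stored in git history. Because an `etckeeper/commit.d/99push` hook is also present, confirm that any remote it pushes to is as restricted as root on this host. If the repository leaves the machine, consider ignoring these files with `.gitignore` lines such as `shadow*`, `gshadow*`, `passwd-` and `group-`.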
@@ -730,14 +660,10 @@ maybe chmod 0755 'gtk-2.0'
maybe chmod 0644 'gtk-2.0/im-multipress.conf'
maybe chmod 0755 'gtk-3.0'
maybe chmod 0644 'gtk-3.0/im-multipress.conf'
-maybe chmod 0755 'hashbang'
-maybe chmod 0755 'hashbang/welcome'
-maybe chmod 0644 'hashbang/welcome.notmux'
-maybe chmod 0644 'hashbang/welcome.post'
-maybe chmod 0644 'hashbang/welcome.pre'
-maybe chmod 0644 'hashbang/welcome.tmux'
maybe chmod 0644 'hddtemp.db'
maybe chmod 0644 'host.conf'
+maybe chmod 0644 'hostname'
+maybe chmod 0644 'hosts'
maybe chmod 0644 'hosts.allow'
maybe chmod 0644 'hosts.deny'
maybe chmod 0755 'init'
@@ -764,6 +690,7 @@ maybe chmod 0755 'init.d/haveged'
maybe chmod 0755 'init.d/hddtemp'
maybe chmod 0755 'init.d/hostname.sh'
maybe chmod 0755 'init.d/hwclock.sh'
+maybe chmod 0755 'init.d/irqbalance'
maybe chmod 0755 'init.d/kbd'
maybe chmod 0755 'init.d/kexec'
maybe chmod 0755 'init.d/kexec-load'
@@ -792,7 +719,6 @@ maybe chmod 0755 'init.d/rc.local'
maybe chmod 0755 'init.d/rcS'
maybe chmod 0755 'init.d/reboot'
maybe chmod 0755 'init.d/redis-server'
-maybe chmod 0755 'init.d/resolvconf'
maybe chmod 0755 'init.d/rmnologin'
maybe chmod 0755 'init.d/rsync'
maybe chmod 0755 'init.d/rsyslog'
@@ -815,14 +741,14 @@ maybe chmod 0755 'init.d/umountroot'
maybe chmod 0755 'init.d/unattended-upgrades'
maybe chmod 0755 'init.d/unbound'
maybe chmod 0755 'init.d/urandom'
-maybe chmod 0755 'init.d/xe-linux-distribution'
+maybe chmod 0755 'init.d/x11-common'
maybe chmod 0644 'init/binfmt-support.conf'
+maybe chmod 0644 'init/irqbalance.conf'
maybe chmod 0644 'init/network-interface-container.conf'
maybe chmod 0644 'init/network-interface-security.conf'
maybe chmod 0644 'init/network-interface.conf'
maybe chmod 0644 'init/networking.conf'
maybe chmod 0644 'init/php5-fpm.conf'
-maybe chmod 0644 'init/resolvconf.conf'
maybe chmod 0644 'init/ssh.conf'
maybe chmod 0644 'init/startpar-bridge.conf'
maybe chmod 0644 'init/udev-fallback-graphics.conf'
@@ -846,7 +772,6 @@ maybe chmod 0755 'initramfs-tools/scripts/nfs-bottom'
maybe chmod 0755 'initramfs-tools/scripts/nfs-premount'
maybe chmod 0755 'initramfs-tools/scripts/nfs-top'
maybe chmod 0755 'initramfs-tools/scripts/panic'
-maybe chmod 0640 'initramfs-tools/scripts/repartition-drive'
maybe chmod 0644 'initramfs-tools/update-initramfs.conf'
maybe chmod 0644 'inittab'
maybe chmod 0644 'inputrc'
@@ -865,8 +790,6 @@ maybe chmod 0644 'iproute2/rt_realms'
maybe chmod 0644 'iproute2/rt_scopes'
maybe chmod 0644 'iproute2/rt_tables'
maybe chmod 0644 'irssi.conf'
-maybe chmod 0755 'iscsi'
-maybe chmod 0644 'iscsi/iscsid.conf'
maybe chmod 0644 'issue'
maybe chmod 0644 'issue.net'
maybe chmod 0755 'joe'
@@ -885,7 +808,6 @@ maybe chmod 0755 'kbd'
maybe chmod 0644 'kbd/config'
maybe chmod 0644 'kbd/remap'
maybe chmod 0755 'kernel'
-maybe chmod 0644 'kernel-img.conf'
maybe chmod 0755 'kernel/postinst.d'
maybe chmod 0755 'kernel/postinst.d/apt-auto-removal'
maybe chmod 0755 'kernel/postinst.d/initramfs-tools'
@@ -911,6 +833,7 @@ maybe chmod 0755 'lighttpd'
maybe chmod 0755 'lighttpd/conf-available'
maybe chmod 0644 'lighttpd/conf-available/90-javascript-alias.conf'
maybe chmod 0755 'lighttpd/conf-enabled'
+maybe chmod 0644 'lintianrc'
maybe chmod 0644 'locale.alias'
maybe chmod 0644 'locale.gen'
maybe chmod 0644 'localtime'
@@ -938,22 +861,15 @@ maybe chmod 0644 'logrotate.d/unattended-upgrades'
maybe chmod 0644 'ltrace.conf'
maybe chmod 0755 'luarocks'
maybe chmod 0644 'luarocks/config-5.1.lua'
-maybe chmod 0644 'luarocks/config-5.2.lua'
-maybe chmod 0644 'luarocks/config-5.3.lua'
maybe chmod 0755 'lynx-cur'
maybe chmod 0644 'lynx-cur/lynx.cfg'
maybe chmod 0644 'lynx-cur/lynx.lss'
+maybe chmod 0444 'machine-id'
maybe chmod 0644 'magic'
maybe chmod 0644 'magic.mime'
+maybe chmod 0644 'mail.rc'
maybe chmod 0644 'mailcap'
maybe chmod 0644 'mailcap.order'
-maybe chmod 0644 'mailname'
-maybe chown 'man' 'man'
-maybe chmod 0755 'man'
-maybe chown 'man' 'man/man7'
-maybe chmod 0755 'man/man7'
-maybe chown 'man' 'man/man7/hashbang.7'
-maybe chmod 0644 'man/man7/hashbang.7'
maybe chmod 0644 'manpath.config'
maybe chmod 0644 'matplotlibrc'
maybe chmod 0755 'mc'
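Review bot: The added `maybe chmod 0444 'machine-id'` line implies that the host's machine ID is now committed. The systemd documentation for machine-id asks that this value be treated as confidential and not exposed in untrusted environments. Other hunks also start recording host-specific files (`hostname`, `hosts`, `network/interfaces`, `fstab`, `resolv.conf`), so the repository now describes one concrete machine rather than a shareable baseline. If it is pushed or published, as the `99push` hook and this gist suggest it may be, add `machine-id` to `.gitignore` and review whether the other host-specific files belong in a shared history.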
@@ -975,7 +891,6 @@ maybe chmod 0644 'modprobe.d/fbdev-blacklist.conf'
maybe chmod 0644 'modules'
maybe chmod 0755 'modules-load.d'
maybe chmod 0644 'motd'
-maybe chmod 0644 'msmtprc'
maybe chmod 0755 'mysql'
maybe chmod 0755 'mysql/conf.d'
maybe chmod 0644 'mysql/conf.d/.keepme'
@@ -987,27 +902,24 @@ maybe chmod 0644 'nethack/nethackrc.tty'
maybe chmod 0755 'network'
maybe chmod 0755 'network/if-down.d'
maybe chmod 0755 'network/if-down.d/postfix'
-maybe chmod 0755 'network/if-down.d/resolvconf'
maybe chmod 0755 'network/if-down.d/upstart'
maybe chmod 0755 'network/if-post-down.d'
maybe chmod 0755 'network/if-pre-up.d'
maybe chmod 0755 'network/if-up.d'
-maybe chmod 0755 'network/if-up.d/000resolvconf'
maybe chmod 0755 'network/if-up.d/mountnfs'
maybe chmod 0755 'network/if-up.d/nslcd'
maybe chmod 0755 'network/if-up.d/openntpd'
maybe chmod 0755 'network/if-up.d/openssh-server'
maybe chmod 0755 'network/if-up.d/postfix'
maybe chmod 0755 'network/if-up.d/upstart'
+maybe chmod 0644 'network/interfaces'
maybe chmod 0755 'network/interfaces.d'
-maybe chmod 0644 'network/interfaces.example'
-maybe chmod 0755 'network/run'
+maybe chmod 0644 'networks'
maybe chmod 0755 'newt'
maybe chmod 0644 'newt/palette.original'
-maybe chmod 0644 'nova-agent.env'
-maybe chmod 0644 'npmrc'
maybe chmod 0644 'nscd.conf'
-maybe chmod 0644 'nslcd.conf'
+maybe chgrp 'nslcd' 'nslcd.conf'
+maybe chmod 0640 'nslcd.conf'
maybe chmod 0644 'nsswitch.conf'
maybe chmod 0644 'oidentd.conf'
maybe chmod 0644 'oidentd_masq.conf'
@@ -1016,7 +928,6 @@ maybe chmod 0644 'openal/alsoft.conf'
maybe chmod 0755 'openntpd'
maybe chmod 0644 'openntpd/ntpd.conf'
maybe chmod 0755 'opt'
-maybe chmod 0600 'packages.txt'
maybe chmod 0644 'pam.conf'
maybe chmod 0755 'pam.d'
maybe chmod 0644 'pam.d/atd'
@@ -1042,7 +953,8 @@ maybe chmod 0644 'pam.d/sudo'
maybe chmod 0644 'pam.d/systemd-user'
maybe chmod 0644 'papersize'
maybe chmod 0755 'parallel'
-maybe chmod 0600 'passwd'
+maybe chmod 0644 'passwd'
+maybe chmod 0600 'passwd-'
maybe chmod 0755 'perl'
maybe chmod 0755 'perl/CPAN'
maybe chmod 0755 'perl/Net'
@@ -1070,6 +982,7 @@ maybe chmod 0644 'php5/mods-available/opcache.ini'
maybe chmod 0644 'php5/mods-available/pdo.ini'
maybe chmod 0644 'php5/mods-available/pdo_mysql.ini'
maybe chmod 0644 'php5/mods-available/pdo_sqlite.ini'
+maybe chmod 0644 'php5/mods-available/readline.ini'
maybe chmod 0644 'php5/mods-available/sqlite3.ini'
maybe chmod 0755 'pm'
maybe chmod 0755 'pm/sleep.d'
@@ -1088,7 +1001,7 @@ maybe chmod 0755 'polkit-1/nullbackend.conf.d'
maybe chmod 0644 'polkit-1/nullbackend.conf.d/50-nullbackend.conf'
maybe chmod 0755 'postfix'
maybe chmod 0644 'postfix/dynamicmaps.cf'
-maybe chmod 0640 'postfix/main.cf'
+maybe chmod 0644 'postfix/main.cf'
maybe chmod 0644 'postfix/master.cf'
maybe chmod 0755 'postfix/post-install'
maybe chmod 0644 'postfix/postfix-files'
@@ -1096,26 +1009,16 @@ maybe chmod 0755 'postfix/postfix-script'
maybe chmod 0755 'postfix/sasl'
maybe chmod 0755 'ppp'
maybe chmod 0755 'ppp/ip-down.d'
-maybe chmod 0755 'ppp/ip-down.d/000resolvconf'
maybe chmod 0755 'ppp/ip-down.d/postfix'
maybe chmod 0755 'ppp/ip-up.d'
-maybe chmod 0755 'ppp/ip-up.d/000resolvconf'
maybe chmod 0755 'ppp/ip-up.d/postfix'
-maybe chmod 0644 'procmailrc'
maybe chmod 0644 'profile'
maybe chmod 0755 'profile.d'
maybe chmod 0644 'profile.d/Z97-byobu.sh'
maybe chmod 0644 'profile.d/bash_completion.sh'
-maybe chmod 0644 'profile.d/dotfiles.sh'
-maybe chmod 0644 'profile.d/go.sh'
-maybe chmod 0644 'profile.d/local_path.sh'
-maybe chmod 0644 'profile.d/luarocks_aliases.sh'
-maybe chmod 0644 'profile.d/npm.sh'
-maybe chmod 0644 'profile.d/nvm.sh'
-maybe chmod 0644 'profile.d/user_ruby_bin_directory.sh'
-maybe chmod 0644 'profile.d/wall.sh'
-maybe chmod 0644 'profile.d/z_manpath.sh'
maybe chmod 0644 'protocols'
+maybe chmod 0755 'pulse'
+maybe chmod 0644 'pulse/client.conf'
maybe chmod 0755 'purple'
maybe chmod 0644 'purple/prefs.xml'
maybe chmod 0755 'python'
@@ -1131,7 +1034,7 @@ maybe chmod 0755 'qemu-ifup'
maybe chmod 0755 'ranger'
maybe chmod 0755 'ranger/config'
maybe chmod 0755 'ranger/data'
-maybe chmod 0754 'rc.local'
+maybe chmod 0755 'rc.local'
maybe chmod 0755 'rc0.d'
maybe chmod 0644 'rc0.d/README'
maybe chmod 0755 'rc1.d'
@@ -1152,17 +1055,12 @@ maybe chmod 0755 'redis'
maybe chmod 0644 'redis/redis.conf'
maybe chmod 0644 'redis/sentinel.conf'
maybe chmod 0644 'reportbug.conf'
+maybe chmod 0644 'resolv.conf'
maybe chmod 0755 'resolvconf'
-maybe chmod 0644 'resolvconf/interface-order'
-maybe chmod 0755 'resolvconf/resolv.conf.d'
-maybe chmod 0644 'resolvconf/resolv.conf.d/base'
-maybe chmod 0644 'resolvconf/resolv.conf.d/head'
-maybe chmod 0640 'resolvconf/resolv.conf.d/tail'
maybe chmod 0755 'resolvconf/update-libc.d'
maybe chmod 0755 'resolvconf/update-libc.d/postfix'
maybe chmod 0755 'resolvconf/update.d'
-maybe chmod 0755 'resolvconf/update.d/libc'
-maybe chmod 0644 'resolvconf/update.d/unbound'
+maybe chmod 0755 'resolvconf/update.d/unbound'
maybe chmod 0755 'rmt'
maybe chmod 0644 'rpc'
maybe chmod 0644 'rsyslog.conf'
@@ -1257,11 +1155,10 @@ maybe chmod 0644 'security/access.conf'
maybe chmod 0644 'security/group.conf'
maybe chmod 0644 'security/limits.conf'
maybe chmod 0755 'security/limits.d'
-maybe chmod 0755 'security/limits.sh'
maybe chmod 0644 'security/namespace.conf'
maybe chmod 0755 'security/namespace.d'
maybe chmod 0755 'security/namespace.init'
-maybe chmod 0644 'security/opasswd'
+maybe chmod 0600 'security/opasswd'
maybe chmod 0644 'security/pam_env.conf'
maybe chmod 0644 'security/pwquality.conf'
maybe chmod 0644 'security/sepermit.conf'
@@ -1275,39 +1172,53 @@ maybe chmod 0644 'services'
maybe chmod 0755 'sgml'
maybe chmod 0644 'sgml/docutils-common.cat'
maybe chmod 0644 'sgml/xml-core.cat'
+maybe chgrp 'shadow' 'shadow'
+maybe chmod 0640 'shadow'
+maybe chmod 0600 'shadow-'
maybe chmod 0644 'shells'
maybe chmod 0755 'siege'
maybe chmod 0644 'siege/siegerc'
maybe chmod 0644 'siege/urls.txt'
maybe chmod 0755 'skel'
+maybe chmod 0644 'skel/.bash_logout'
+maybe chmod 0644 'skel/.bashrc'
maybe chmod 0644 'skel/.mkshrc'
-maybe chmod 0755 'skel/Mail'
-maybe chmod 0755 'skel/Mail/new'
-maybe chmod 0644 'skel/Mail/new/msg.welcome'
-maybe chmod 0755 'skel/Public'
-maybe chmod 0644 'skel/Public/index.html'
+maybe chmod 0644 'skel/.profile'
maybe chmod 0755 'ssh'
maybe chmod 0644 'ssh/moduli'
maybe chmod 0644 'ssh/ssh_config'
+maybe chmod 0600 'ssh/ssh_host_dsa_key'
+maybe chmod 0644 'ssh/ssh_host_dsa_key.pub'
+maybe chmod 0600 'ssh/ssh_host_ecdsa_key'
+maybe chmod 0644 'ssh/ssh_host_ecdsa_key.pub'
+maybe chmod 0600 'ssh/ssh_host_ed25519_key'
+maybe chmod 0644 'ssh/ssh_host_ed25519_key.pub'
+maybe chmod 0600 'ssh/ssh_host_rsa_key'
+maybe chmod 0644 'ssh/ssh_host_rsa_key.pub'
maybe chmod 0644 'ssh/sshd_config'
maybe chmod 0755 'ssl'
maybe chmod 0755 'ssl/certs'
+maybe chmod 0644 'ssl/certs/ca-certificates.crt'
+maybe chmod 0644 'ssl/certs/ssl-cert-snakeoil.pem'
maybe chmod 0644 'ssl/openssl.cnf'
maybe chgrp 'ssl-cert' 'ssl/private'
maybe chmod 0710 'ssl/private'
+maybe chgrp 'ssl-cert' 'ssl/private/ssl-cert-snakeoil.key'
+maybe chmod 0640 'ssl/private/ssl-cert-snakeoil.key'
maybe chmod 0755 'sssd'
-maybe chmod 0600 'sssd/sssd.conf'
maybe chmod 0644 'staff-group-for-usr-local'
+maybe chmod 0644 'subgid'
+maybe chmod 0600 'subgid-'
+maybe chmod 0644 'subuid'
+maybe chmod 0600 'subuid-'
maybe chmod 0755 'subversion'
maybe chmod 0644 'subversion/config'
maybe chmod 0644 'subversion/servers'
maybe chmod 0440 'sudoers'
maybe chmod 0755 'sudoers.d'
maybe chmod 0440 'sudoers.d/README'
-maybe chmod 0640 'sudoers.d/hashbangctl'
maybe chmod 0644 'sysctl.conf'
maybe chmod 0755 'sysctl.d'
-maybe chmod 0644 'sysctl.d/10-dmsg.conf'
maybe chmod 0644 'sysctl.d/README.sysctl'
maybe chmod 0755 'sysstat'
maybe chmod 0644 'sysstat/sysstat'
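Review bot: The new `shadow`, `ssh/ssh_host_*_key` and `ssl/private/ssl-cert-snakeoil.key` entries in this hunk indicate that password hashes and private keys are now tracked in the repository, since etckeeper appears to record metadata only for files that are not ignored. The cause is the `.gitignore` hunk further down, which deletes the ignore rules for these paths; the `unbound/unbound_*.key` entries added in the later `.etckeeper` hunk are the same problem. Keep the lines `shadow`, `gshadow`, `ssh/ssh_host_*_key`, `ssl/private`, `unbound/unbound_*.key` and `*-` in `.gitignore`. The modes recorded here do not protect the contents once the files are in a clone, so any key or hash already pushed should be rotated.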
@@ -1321,12 +1232,10 @@ maybe chmod 0755 'systemd/ntp-units.d'
maybe chmod 0644 'systemd/resolved.conf'
maybe chmod 0755 'systemd/system'
maybe chmod 0644 'systemd/system.conf'
-maybe chmod 0600 'systemd/system/crontab.target'
-maybe chmod 0600 'systemd/system/crontab@.service'
-maybe chmod 0640 'systemd/system/crontab@.timer'
-maybe chmod 0600 'systemd/system/crontab@day.service'
maybe chmod 0755 'systemd/system/default.target.wants'
+maybe chmod 0644 'systemd/system/getty-static.service'
maybe chmod 0755 'systemd/system/getty.target.wants'
+maybe chmod 0644 'systemd/system/getty@.service'
maybe chmod 0755 'systemd/system/halt.target.wants'
maybe chmod 0755 'systemd/system/multi-user.target.wants'
maybe chmod 0755 'systemd/system/paths.target.wants'
@@ -1334,8 +1243,6 @@ maybe chmod 0755 'systemd/system/poweroff.target.wants'
maybe chmod 0755 'systemd/system/reboot.target.wants'
maybe chmod 0755 'systemd/system/shutdown.target.wants'
maybe chmod 0755 'systemd/system/sockets.target.wants'
-maybe chmod 0755 'systemd/system/sysinit.target.wants'
-maybe chmod 0700 'systemd/system/unbound.service.wants'
maybe chmod 0644 'systemd/timesyncd.conf'
maybe chmod 0755 'systemd/user'
maybe chmod 0644 'systemd/user.conf'
@@ -1343,8 +1250,9 @@ maybe chmod 0755 'terminfo'
maybe chmod 0644 'terminfo/README'
maybe chmod 0644 'tigrc'
maybe chmod 0644 'timezone'
+maybe chmod 0755 'timidity'
+maybe chmod 0644 'timidity/freepats.cfg'
maybe chmod 0755 'tmpfiles.d'
-maybe chmod 0644 'tmpfiles.d/namespaces'
maybe chmod 0755 'tor'
maybe chmod 0644 'tor/torrc'
maybe chmod 0644 'tor/torsocks.conf'
@@ -1362,14 +1270,15 @@ maybe chmod 0644 'ufw/applications.d/postfix'
maybe chmod 0755 'unbound'
maybe chmod 0644 'unbound/unbound.conf'
maybe chmod 0755 'unbound/unbound.conf.d'
-maybe chmod 0644 'unbound/unbound.conf.d/debian.conf'
-maybe chmod 0644 'unbound/unbound.conf.d/harden.conf'
-maybe chmod 0644 'unbound/unbound.conf.d/prefetch.conf'
-maybe chmod 0644 'unbound/unbound.conf.d/qname-minimisation.conf'
maybe chmod 0644 'unbound/unbound.conf.d/root-auto-trust-anchor-file.conf'
+maybe chmod 0640 'unbound/unbound_control.key'
+maybe chmod 0640 'unbound/unbound_control.pem'
+maybe chmod 0640 'unbound/unbound_server.key'
+maybe chmod 0640 'unbound/unbound_server.pem'
maybe chmod 0755 'urlview'
maybe chmod 0644 'urlview/system.urlview'
maybe chmod 0755 'urlview/url_handler.sh'
+maybe chmod 0644 'vdpau_wrapper.cfg'
maybe chmod 0755 'vim'
maybe chmod 0644 'vim/vimrc'
maybe chmod 0644 'vim/vimrc.tiny'
@@ -1388,9 +1297,12 @@ maybe chmod 0755 'xdg/systemd'
maybe chmod 0644 'xdg/user-dirs.conf'
maybe chmod 0644 'xdg/user-dirs.defaults'
maybe chmod 0755 'xml'
-maybe chmod 0640 'xml/catalog'
+maybe chmod 0644 'xml/catalog'
maybe chmod 0644 'xml/docutils-common.xml'
-maybe chmod 0640 'xml/xml-core.xml'
+maybe chmod 0644 'xml/xml-core.xml'
+maybe chmod 0755 'xpra'
+maybe chmod 0644 'xpra/xorg.conf'
+maybe chmod 0644 'xpra/xpra.conf'
maybe chmod 0755 'zsh'
maybe chmod 0644 'zsh/newuser.zshrc.recommended'
maybe chmod 0644 'zsh/zlogin'
diff --git a/.gitignore b/.gitignore
index 800d5c5..9196cf5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -52,42 +52,3 @@ check_mk/logwatch.state
DEADJOE
# end section managed by etckeeper
-
-shadow
-shadow.org
-gshadow
-passwd.org
-subgid
-subuid
-group.org
-ssl/certs
-ssl/private
-ssh/ssh_host_*_key
-ssh/ssh_host_*_key.pub
-unbound/unbound_*.key
-unbound/unbound_*.pem
-*-
-*+
-*.gz
-network/interfaces
-networks
-fstab
-hosts
-resolv.conf
-resolvconf/resolv.conf.d/original
-udev/rules.d/70-persistent-net.rules
-hostname
-machine-id
-provisor.ini
-hashbangctl.conf
-xml/catalog.legacy
-
-src/*
-
-aliases.db
-
-# Sometimes generated by ld when using firejail
-ld.so.preload
-
-# Files created by systemd
-systemd/system/user-*
diff --git a/LICENSE.md b/LICENSE.md
deleted file mode 100644
index d1bccae..0000000
--- a/LICENSE.md
+++ /dev/null
@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2015 Hashbang Inc.
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff --git a/Muttrc.d/sidebar.rc b/Muttrc.d/sidebar.rc
deleted file mode 100644
index b8ae716..0000000
--- a/Muttrc.d/sidebar.rc
+++ /dev/null
@@ -1,5 +0,0 @@
-# Configuration for the sidebar patch.
-# See /usr/share/doc/mutt/README.Patches for documentation.
-
-ifdef sidebar_visible set sidebar_visible sidebar_width=20
-
diff --git a/README.md b/README.md
deleted file mode 100644
index b113803..0000000
--- a/README.md
+++ /dev/null
@@ -1,94 +0,0 @@
-# shell-etc #
-
-<http://github.com/hashbang/shell-etc>
-
-## About ##
-
-This is the '/etc' directory of the #! shell servers.
-Git management is handled via [etckeeper](http://etckeeper.branchable.com/)
-
-New servers added to the pool will also have this configuration to give users an equal experience.
-
-## Requirements ##
-
- * Debian 7+
-
-## Contribution ##
-
-Making changes to this repo will require a running #! [shell server](https://github.com/hashbang/shell-server).
-
-An easy way to set this up locally is by running our latest shell-server
-[Docker image](https://hub.docker.com/r/hashbang/shell-server/).
-
-A command like the following can get you going with a local development server:
-
-```
-docker run -d \
- -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
- -v $PWD:/etc-git \
- -v $HOME/.gitconfig:/root/.gitconfig:ro \
- --name shell-server \
- --cap-add SYS_ADMIN \
- hashbang/shell-server
-```
-
-From here you can enter this environment with:
-
-```
-docker exec -it shell-server bash
-```
-
-In this environment you can make updates and install packages with ```apt-get```.
-Changes will automatically be committed and pushed to your working shell-etc
-checkout by etckeeper. Assuming you chose to mount your .gitconfig above, the
-changes should be attributed correctly as you.
-
-Any changes made to /etc without apt-get will need to be committed/pushed in
-place, which should be reflected in your local checkout as well.
-
-When you are ready to contribute your changes upstream, please push to a branch
-or a fork and make a pull request.
-
-Note: the above workflow is only suitable for making very basic changes like
-new package installations etc. If you want to do something more complex that
-requires interaction with a user database, etc, please consider using our
-end-to-end local development setup, documented here: [hashbang/hashbang](https://github.com/hashbang/hashbang)
-
-### GPG signing ###
-
-If you prefer to GPG sign your commits, a couple of options exist.
-
-#### Manual ####
-
-You can manually sign your most recent commit before pushing with:
-
-```
-git commit -S --amend
-```
-
-#### Automatic ####
-
-Assuming you use git auto-signing and have ssh-agents set up properly,
-you can opt to expose your gpg/ssh sockets by adding the following arguments
-to your docker run command:
-
-```
-...
- -v $HOME/.gitconfig:/root/.gitconfig:ro \
- -v $HOME/.gnupg:/root/.gnupg \
- -v $SSH_AUTH_SOCK:/root/.ssh-agent \
- -e SSH_AUTH_SOCK=/root/.ssh-agent \
-...
-```
-
-## Notes ##
-
- Use at your own risk. You may be eaten by a grue.
-
- Questions/Comments?
-
- Talk to us via:
-
- [Email](mailto://team@hashbang.sh) |
- [IRC](ircs://irc.hashbang.sh:6697/#!) |
- [Github](http://github.com/hashbang/)
diff --git a/aliases b/aliases
index 92fa913..93a3249 100644
--- a/aliases
+++ b/aliases
@@ -1,3 +1,2 @@
# See man 5 aliases for format
postmaster: root
-root: root@hashbang.sh
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index 06ba04a..e6bc86c 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,7 +1,7 @@
# config file for ansible -- http://ansible.com/
# ==============================================
-# nearly all parameters can be overridden in ansible-playbook
+# nearly all parameters can be overridden in ansible-playbook
# or with command line flags. ansible will read ANSIBLE_CONFIG,
# ansible.cfg in the current working directory, .ansible.cfg in
# the home directory or /etc/ansible/ansible.cfg, whichever it
@@ -11,19 +11,18 @@
# some basic default values...
-#inventory = /etc/ansible/hosts
-#library = /usr/share/my_modules/
-#remote_tmp = ~/.ansible/tmp
-#local_tmp = ~/.ansible/tmp
-#forks = 5
-#poll_interval = 15
-#sudo_user = root
+hostfile = /etc/ansible/hosts
+library = /usr/share/ansible
+remote_tmp = $HOME/.ansible/tmp
+pattern = *
+forks = 5
+poll_interval = 15
+sudo_user = root
#ask_sudo_pass = True
#ask_pass = True
-#transport = smart
-#remote_port = 22
-#module_lang = C
-#module_set_locale = False
+transport = smart
+remote_port = 22
+module_lang = C
# plays will gather facts by default, which contain information about
# the remote system.
@@ -31,26 +30,7 @@
# smart - gather by default, but don't regather if already gathered
# implicit - gather by default, turn off with gather_facts: False
# explicit - do not gather by default, must say gather_facts: True
-#gathering = implicit
-
-# by default retrieve all facts subsets
-# all - gather all subsets
-# network - gather min and network facts
-# hardware - gather hardware facts (longest facts to retrieve)
-# virtual - gather min and virtual facts
-# facter - import facts from facter
-# ohai - import facts from ohai
-# You can combine them using comma (ex: network,virtual)
-# You can negate them using ! (ex: !hardware,!facter,!ohai)
-# A minimal set of facts is always gathered.
-#gather_subset = all
-
-# some hardware related facts are collected
-# with a maximum timeout of 10 seconds. This
-# option lets you increase or decrease that
-# timeout to something more suitable for the
-# environment.
-# gather_timeout = 10
+gathering = implicit
# additional paths to search for roles in, colon separated
#roles_path = /etc/ansible/roles
@@ -58,30 +38,14 @@
# uncomment this to disable SSH key host checking
#host_key_checking = False
-# change the default callback
-#stdout_callback = skippy
-# enable additional callbacks
-#callback_whitelist = timer, mail
-
-# Determine whether includes in tasks and handlers are "static" by
-# default. As of 2.0, includes are dynamic by default. Setting these
-# values to True will make includes behave more like they did in the
-# 1.x versions.
-#task_includes_static = True
-#handler_includes_static = True
-
-# Controls if a missing handler for a notification event is an error or a warning
-#error_on_missing_handler = True
-
# change this for alternative sudo implementations
-#sudo_exe = sudo
+sudo_exe = sudo
-# What flags to pass to sudo
-# WARNING: leaving out the defaults might create unexpected behaviours
-#sudo_flags = -H -S -n
+# what flags to pass to sudo
+#sudo_flags = -H
# SSH timeout
-#timeout = 10
+timeout = 10
# default user to use for playbooks if user is not specified
# (/usr/bin/ansible will use current user as default)
@@ -104,47 +68,25 @@
# this can also be set to 'merge'.
#hash_behaviour = replace
-# by default, variables from roles will be visible in the global variable
-# scope. To prevent this, the following option can be enabled, and only
-# tasks and handlers within the role will see the variables there
-#private_role_vars = yes
-
# list any Jinja2 extensions to enable here:
#jinja2_extensions = jinja2.ext.do,jinja2.ext.i18n
-# if set, always use this private key file for authentication, same as
+# if set, always use this private key file for authentication, same as
# if passing --private-key to ansible or ansible-playbook
#private_key_file = /path/to/file
-# If set, configures the path to the Vault password file as an alternative to
-# specifying --vault-password-file on the command line.
-#vault_password_file = /path/to/vault_password_file
-
-# format of string {{ ansible_managed }} available within Jinja2
+# format of string {{ ansible_managed }} available within Jinja2
# templates indicates to users editing templates files will be replaced.
# replacing {file}, {host} and {uid} and strftime codes with proper values.
-#ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
-# {file}, {host}, {uid}, and the timestamp can all interfere with idempotence
-# in some situations so the default is a static string:
-#ansible_managed = Ansible managed
+ansible_managed = Ansible managed: {file} modified on %Y-%m-%d %H:%M:%S by {uid} on {host}
# by default, ansible-playbook will display "Skipping [host]" if it determines a task
-# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
-# messages. NOTE: the task header will still be shown regardless of whether or not the
+# should not be run on a host. Set this to "False" if you don't want to see these "Skipping"
+# messages. NOTE: the task header will still be shown regardless of whether or not the
# task is skipped.
#display_skipped_hosts = True
-# by default, if a task in a playbook does not include a name: field then
-# ansible-playbook will construct a header that includes the task's action but
-# not the task's args. This is a security feature because ansible cannot know
-# if the *module* considers an argument to be no_log at the time that the
-# header is printed. If your environment doesn't have a problem securing
-# stdout from ansible-playbook (or you have manually specified no_log in your
-# playbook on all of the tasks where you have secret information) then you can
-# safely set this to True to get more informative messages.
-#display_args_to_stdout = False
-
-# by default (as of 1.3), Ansible will raise errors when attempting to dereference
+# by default (as of 1.3), Ansible will raise errors when attempting to dereference
# Jinja2 variables that are not set in templates or action lines. Uncomment this line
# to revert the behavior to pre-1.3.
#error_on_undefined_vars = False
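Review bot: The now-active `ansible_managed` line embeds `{file}`, `{host}`, `{uid}` and a timestamp, which the comment removed in this same hunk says can interfere with idempotence in some situations. Prefer the static form `ansible_managed = Ansible managed` unless the per-file header is needed. The hunk also drops the commented `vault_password_file` and `display_args_to_stdout` entries, which looks like the file reverting to an older packaged default, so it is worth confirming that it matches the installed Ansible version.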
@@ -160,116 +102,35 @@
# to disable these warnings, set the following value to False:
#deprecation_warnings = True
-# (as of 1.8), Ansible can optionally warn when usage of the shell and
-# command module appear to be simplified by using a default Ansible module
-# instead. These warnings can be silenced by adjusting the following
-# setting or adding warn=yes or warn=no to the end of the command line
-# parameter string. This will for example suggest using the git module
-# instead of shelling out to the git command.
-# command_warnings = False
-
-
# set plugin path directories here, separate with colons
-#action_plugins = /usr/share/ansible/plugins/action
-#cache_plugins = /usr/share/ansible/plugins/cache
-#callback_plugins = /usr/share/ansible/plugins/callback
-#connection_plugins = /usr/share/ansible/plugins/connection
-#lookup_plugins = /usr/share/ansible/plugins/lookup
-#inventory_plugins = /usr/share/ansible/plugins/inventory
-#vars_plugins = /usr/share/ansible/plugins/vars
-#filter_plugins = /usr/share/ansible/plugins/filter
-#test_plugins = /usr/share/ansible/plugins/test
-#strategy_plugins = /usr/share/ansible/plugins/strategy
-
-# by default callbacks are not loaded for /bin/ansible, enable this if you
-# want, for example, a notification or logging callback to also apply to
-# /bin/ansible runs
-#bin_ansible_callbacks = False
-
+action_plugins = /usr/share/ansible_plugins/action_plugins
+callback_plugins = /usr/share/ansible_plugins/callback_plugins
+connection_plugins = /usr/share/ansible_plugins/connection_plugins
+lookup_plugins = /usr/share/ansible_plugins/lookup_plugins
+vars_plugins = /usr/share/ansible_plugins/vars_plugins
+filter_plugins = /usr/share/ansible_plugins/filter_plugins
# don't like cows? that's unfortunate.
-# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
+# set to 1 if you don't want cowsay support or export ANSIBLE_NOCOWS=1
#nocows = 1
-# set which cowsay stencil you'd like to use by default. When set to 'random',
-# a random stencil will be selected for each task. The selection will be filtered
-# against the `cow_whitelist` option below.
-#cow_selection = default
-#cow_selection = random
-
-# when using the 'random' option for cowsay, stencils will be restricted to this list.
-# it should be formatted as a comma-separated list with no spaces between names.
-# NOTE: line continuations here are for formatting purposes only, as the INI parser
-# in python does not support them.
-#cow_whitelist=bud-frogs,bunny,cheese,daemon,default,dragon,elephant-in-snake,elephant,eyes,\
-# hellokitty,kitty,luke-koala,meow,milk,moofasa,moose,ren,sheep,small,stegosaurus,\
-# stimpy,supermilker,three-eyes,turkey,turtle,tux,udder,vader-koala,vader,www
-
# don't like colors either?
# set to 1 if you don't want colors, or export ANSIBLE_NOCOLOR=1
#nocolor = 1
-# if set to a persistent type (not 'memory', for example 'redis') fact values
-# from previous runs in Ansible will be stored. This may be useful when
-# wanting to use, for example, IP information from one group of servers
-# without having to talk to them in the same playbook run to get their
-# current IP information.
-#fact_caching = memory
-
-
-# retry files
-# When a playbook fails by default a .retry file will be created in ~/
-# You can disable this feature by setting retry_files_enabled to False
-# and you can change the location of the files by setting retry_files_save_path
-
-#retry_files_enabled = False
-#retry_files_save_path = ~/.ansible-retry
-
-# squash actions
-# Ansible can optimise actions that call modules with list parameters
-# when looping. Instead of calling the module once per with_ item, the
-# module is called once with all items at once. Currently this only works
-# under limited circumstances, and only with parameters named 'name'.
-#squash_actions = apk,apt,dnf,homebrew,package,pacman,pkgng,yum,zypper
-
-# prevents logging of task data, off by default
-#no_log = False
-
-# prevents logging of tasks, but only on the targets, data is still logged on the master/controller
-#no_target_syslog = False
-
-# controls whether Ansible will raise an error or warning if a task has no
-# choice but to create world readable temporary files to execute a module on
-# the remote machine. This option is False by default for security. Users may
-# turn this on to have behaviour more like Ansible prior to 2.1.x. See
-# https://docs.ansible.com/ansible/become.html#becoming-an-unprivileged-user
-# for more secure ways to fix this than enabling this option.
-#allow_world_readable_tmpfiles = False
-
-# controls the compression level of variables sent to
-# worker processes. At the default of 0, no compression
-# is used. This value must be an integer from 0 to 9.
-#var_compression_level = 9
-
-# controls what compression method is used for new-style ansible modules when
-# they are sent to the remote system. The compression types depend on having
-# support compiled into both the controller's python and the client's python.
-# The names should match with the python Zipfile compression types:
-# * ZIP_STORED (no compression. available everywhere)
-# * ZIP_DEFLATED (uses zlib, the default)
-# These values may be set per host via the ansible_module_compression inventory
-# variable
-#module_compression = 'ZIP_DEFLATED'
-
-# This controls the cutoff point (in bytes) on --diff for files
-# set to 0 for unlimited (RAM may suffer!).
-#max_diff_size = 1048576
-
-[privilege_escalation]
-#become=True
-#become_method=sudo
-#become_user=root
-#become_ask_pass=False
+# the CA certificate path used for validating SSL certs. This path
+# should exist on the controlling node, not the target nodes
+# common locations:
+# RHEL/CentOS: /etc/pki/tls/certs/ca-bundle.crt
+# Fedora : /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+# Ubuntu : /usr/share/ca-certificates/cacert.org/cacert.org.crt
+#ca_file_path =
+
+# the http user-agent string to use when fetching urls. Some web server
+# operators block the default urllib user agent as it is frequently used
+# by malicious attacks/scripts, so we set it to something unique to
+# avoid issues.
+#http_user_agent = ansible-agent
[paramiko_connection]
@@ -285,50 +146,43 @@
[ssh_connection]
# ssh arguments to use
-# Leaving off ControlPersist will result in poor performance, so use
-# paramiko on older platforms rather than removing it, -C controls compression use
-#ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s
+# Leaving off ControlPersist will result in poor performance, so use
+# paramiko on older platforms rather than removing it
+#ssh_args = -o ControlMaster=auto -o ControlPersist=60s
# The path to use for the ControlPath sockets. This defaults to
# "%(directory)s/ansible-ssh-%%h-%%p-%%r", however on some systems with
-# very long hostnames or very long path names (caused by long user names or
+# very long hostnames or very long path names (caused by long user names or
# deeply nested home directories) this can exceed the character limit on
-# file socket names (108 characters for most platforms). In that case, you
+# file socket names (108 characters for most platforms). In that case, you
# may wish to shorten the string below.
-#
-# Example:
+#
+# Example:
# control_path = %(directory)s/%%h-%%r
#control_path = %(directory)s/ansible-ssh-%%h-%%p-%%r
-# Enabling pipelining reduces the number of SSH operations required to
-# execute a module on the remote server. This can result in a significant
-# performance improvement when enabled, however when using "sudo:" you must
+# Enabling pipelining reduces the number of SSH operations required to
+# execute a module on the remote server. This can result in a significant
+# performance improvement when enabled, however when using "sudo:" you must
# first disable 'requiretty' in /etc/sudoers
#
# By default, this option is disabled to preserve compatibility with
# sudoers configurations that have requiretty (the default on many distros).
-#
+#
#pipelining = False
-# Control the mechanism for transfering files
-# * smart = try sftp and then try scp [default]
-# * True = use scp only
-# * False = use sftp only
-#scp_if_ssh = smart
-
-# if False, sftp will not use batch mode to transfer files. This may cause some
-# types of file transfer failures impossible to catch however, and should
-# only be disabled if your sftp version has problems with batch mode
-#sftp_batch_mode = False
+# if True, make ansible use scp if the connection type is ssh
+# (default is sftp)
+#scp_if_ssh = True
[accelerate]
-#accelerate_port = 5099
-#accelerate_timeout = 30
-#accelerate_connect_timeout = 5.0
+accelerate_port = 5099
+accelerate_timeout = 30
+accelerate_connect_timeout = 5.0
# The daemon timeout is measured in minutes. This time is measured
# from the last activity to the accelerate daemon.
-#accelerate_daemon_timeout = 30
+accelerate_daemon_timeout = 30
# If set to yes, accelerate_multi_key will allow multiple
# private keys to be uploaded to it, though each user must
@@ -336,26 +190,3 @@
# is "no".
#accelerate_multi_key = yes
-[selinux]
-# file systems that require special treatment when dealing with security context
-# the default behaviour that copies the existing context or uses the user default
-# needs to be changed to use the file system dependent context.
-#special_context_filesystems=nfs,vboxsf,fuse,ramfs
-
-# Set this to yes to allow libvirt_lxc connections to work without SELinux.
-#libvirt_lxc_noseclabel = yes
-
-[colors]
-#highlight = white
-#verbose = blue
-#warn = bright purple
-#error = red
-#debug = dark gray
-#deprecate = purple
-#skip = cyan
-#unreachable = red
-#ok = green
-#changed = yellow
-#diff_add = green
-#diff_remove = red
-#diff_lines = cyan
diff --git a/apparmor.d/abstractions/tor b/apparmor.d/abstractions/tor
index 15601a4..f3aef3c 100644
--- a/apparmor.d/abstractions/tor
+++ b/apparmor.d/abstractions/tor
@@ -7,7 +7,7 @@
network udp,
capability chown,
- capability dac_read_search,
+ capability dac_override,
capability fowner,
capability fsetid,
capability setgid,
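Review bot: `capability dac_override` replaces `capability dac_read_search`, which widens the tor abstraction from bypassing read and directory-search permission checks to bypassing write and execute checks as well. Unless tor is shown to need that, keep `capability dac_read_search,` so that file-mode restrictions still limit writes by a compromised tor process within the paths the profile allows. The abstraction's remaining rules lie outside this hunk, so the net effect should be checked against the full file.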
@@ -16,9 +16,6 @@
/usr/bin/tor r,
/usr/sbin/tor r,
- # Needed by obfs4proxy
- /proc/sys/net/core/somaxconn r,
-
/proc/sys/kernel/random/uuid r,
/sys/devices/system/cpu/ r,
/sys/devices/system/cpu/** r,
@@ -27,4 +24,3 @@
/usr/share/tor/** r,
/usr/bin/obfsproxy PUx,
- /usr/bin/obfs4proxy Pix,
diff --git a/apparmor.d/local/usr.sbin.unbound b/apparmor.d/local/usr.sbin.unbound
deleted file mode 100644
index 13ab55b..0000000
--- a/apparmor.d/local/usr.sbin.unbound
+++ /dev/null
@@ -1,2 +0,0 @@
-# Site-specific additions and overrides for usr.sbin.unbound.
-# For more details, please see /etc/apparmor.d/local/README.
diff --git a/apparmor.d/system_tor b/apparmor.d/system_tor
index eb13ccd..1c5f539 100644
--- a/apparmor.d/system_tor
+++ b/apparmor.d/system_tor
@@ -1,24 +1,16 @@
# vim:syntax=apparmor
#include <tunables/global>
-profile system_tor flags=(attach_disconnected) {
+profile system_tor {
#include <abstractions/tor>
owner /var/lib/tor/** rwk,
- owner /var/lib/tor/ r,
owner /var/log/tor/* w,
- # During startup, tor (as root) tries to open various things such as
- # directories via check_private_dir(). Let it.
- /var/lib/tor/** r,
-
- /{,var/}run/tor/ r,
/{,var/}run/tor/control w,
- /{,var/}run/tor/socks w,
/{,var/}run/tor/tor.pid w,
/{,var/}run/tor/control.authcookie w,
/{,var/}run/tor/control.authcookie.tmp rw,
- /{,var/}run/systemd/notify w,
# Site-specific additions and overrides. See local/README for details.
#include <local/system_tor>
diff --git a/apparmor.d/usr.sbin.unbound b/apparmor.d/usr.sbin.unbound
deleted file mode 100644
index 624341c..0000000
--- a/apparmor.d/usr.sbin.unbound
+++ /dev/null
@@ -1,45 +0,0 @@
-# Author: Simon Deziel
-# vim:syntax=apparmor
-#include <tunables/global>
-
-/usr/sbin/unbound {
- #include <abstractions/base>
- #include <abstractions/nameservice>
- #include <abstractions/openssl>
-
- # needlessly chown'ing the PID
- deny capability chown,
-
- capability net_bind_service,
- capability setgid,
- capability setuid,
- capability sys_chroot,
- capability sys_resource,
-
- # root trust anchor
- owner /var/lib/unbound/root.key* rw,
-
- # root hints from dns-data-root
- /usr/share/dns/root.* r,
-
- # non-chrooted paths
- /etc/unbound/** r,
- owner /etc/unbound/*.key* rw,
- audit deny /etc/unbound/unbound_control.{key,pem} rw,
- audit deny /etc/unbound/unbound_server.key w,
-
- # chrooted paths
- /var/lib/unbound/** r,
- owner /var/lib/unbound/**/*.key* rw,
- audit deny /var/lib/unbound/**/unbound_control.{key,pem} rw,
- audit deny /var/lib/unbound/**/unbound_server.key w,
-
- /usr/sbin/unbound mr,
-
- /{,var/}run/{unbound/,}unbound.pid rw,
-
- # Unix control socket
- /{,var/}run/unbound.ctl rw,
-
- #include <local/usr.sbin.unbound>
-}
diff --git a/apt/apt.conf.d/00CDMountPoint b/apt/apt.conf.d/00CDMountPoint
deleted file mode 100644
index 6a2c664..0000000
--- a/apt/apt.conf.d/00CDMountPoint
+++ /dev/null
@@ -1,4 +0,0 @@
-Acquire::cdrom {
- mount "/media/cdrom";
-};
-Dir::Media::MountPath "/media/cdrom";
diff --git a/apt/apt.conf.d/00InstallRecommends b/apt/apt.conf.d/00InstallRecommends
deleted file mode 100644
index b781f7f..0000000
--- a/apt/apt.conf.d/00InstallRecommends
+++ /dev/null
@@ -1,3 +0,0 @@
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
-
diff --git a/apt/apt.conf.d/00trustcdrom b/apt/apt.conf.d/00trustcdrom
deleted file mode 100644
index c7588cb..0000000
--- a/apt/apt.conf.d/00trustcdrom
+++ /dev/null
@@ -1 +0,0 @@
-APT::Authentication::TrustCDROM "true";
diff --git a/apt/apt.conf.d/01autoremove-kernels b/apt/apt.conf.d/01autoremove-kernels
index a91071b..2a1d0a2 100644
--- a/apt/apt.conf.d/01autoremove-kernels
+++ b/apt/apt.conf.d/01autoremove-kernels
@@ -1,26 +1,37 @@
// DO NOT EDIT! File autogenerated by /etc/kernel/postinst.d/apt-auto-removal
APT::NeverAutoRemove
{
- "^linux-image-4\.9\.0-0\.bpo\.4-amd64$";
- "^linux-image-4\.9\.0-0\.bpo\.5-amd64$";
- "^linux-headers-4\.9\.0-0\.bpo\.4-amd64$";
- "^linux-headers-4\.9\.0-0\.bpo\.5-amd64$";
- "^linux-image-extra-4\.9\.0-0\.bpo\.4-amd64$";
- "^linux-image-extra-4\.9\.0-0\.bpo\.5-amd64$";
- "^linux-signed-image-4\.9\.0-0\.bpo\.4-amd64$";
- "^linux-signed-image-4\.9\.0-0\.bpo\.5-amd64$";
- "^kfreebsd-image-4\.9\.0-0\.bpo\.4-amd64$";
- "^kfreebsd-image-4\.9\.0-0\.bpo\.5-amd64$";
- "^kfreebsd-headers-4\.9\.0-0\.bpo\.4-amd64$";
- "^kfreebsd-headers-4\.9\.0-0\.bpo\.5-amd64$";
- "^gnumach-image-4\.9\.0-0\.bpo\.4-amd64$";
- "^gnumach-image-4\.9\.0-0\.bpo\.5-amd64$";
- "^.*-modules-4\.9\.0-0\.bpo\.4-amd64$";
- "^.*-modules-4\.9\.0-0\.bpo\.5-amd64$";
- "^.*-kernel-4\.9\.0-0\.bpo\.4-amd64$";
- "^.*-kernel-4\.9\.0-0\.bpo\.5-amd64$";
- "^linux-backports-modules-.*-4\.9\.0-0\.bpo\.4-amd64$";
- "^linux-backports-modules-.*-4\.9\.0-0\.bpo\.5-amd64$";
- "^linux-tools-4\.9\.0-0\.bpo\.4-amd64$";
- "^linux-tools-4\.9\.0-0\.bpo\.5-amd64$";
+ "^linux-image-3\.16\.0-4-amd64$";
+ "^linux-image-3\.16\.0-5-amd64$";
+ "^linux-image-4\.4\.0-121-generic$";
+ "^linux-headers-3\.16\.0-4-amd64$";
+ "^linux-headers-3\.16\.0-5-amd64$";
+ "^linux-headers-4\.4\.0-121-generic$";
+ "^linux-image-extra-3\.16\.0-4-amd64$";
+ "^linux-image-extra-3\.16\.0-5-amd64$";
+ "^linux-image-extra-4\.4\.0-121-generic$";
+ "^linux-signed-image-3\.16\.0-4-amd64$";
+ "^linux-signed-image-3\.16\.0-5-amd64$";
+ "^linux-signed-image-4\.4\.0-121-generic$";
+ "^kfreebsd-image-3\.16\.0-4-amd64$";
+ "^kfreebsd-image-3\.16\.0-5-amd64$";
+ "^kfreebsd-image-4\.4\.0-121-generic$";
+ "^kfreebsd-headers-3\.16\.0-4-amd64$";
+ "^kfreebsd-headers-3\.16\.0-5-amd64$";
+ "^kfreebsd-headers-4\.4\.0-121-generic$";
+ "^gnumach-image-3\.16\.0-4-amd64$";
+ "^gnumach-image-3\.16\.0-5-amd64$";
+ "^gnumach-image-4\.4\.0-121-generic$";
+ "^.*-modules-3\.16\.0-4-amd64$";
+ "^.*-modules-3\.16\.0-5-amd64$";
+ "^.*-modules-4\.4\.0-121-generic$";
+ "^.*-kernel-3\.16\.0-4-amd64$";
+ "^.*-kernel-3\.16\.0-5-amd64$";
+ "^.*-kernel-4\.4\.0-121-generic$";
+ "^linux-backports-modules-.*-3\.16\.0-4-amd64$";
+ "^linux-backports-modules-.*-3\.16\.0-5-amd64$";
+ "^linux-backports-modules-.*-4\.4\.0-121-generic$";
+ "^linux-tools-3\.16\.0-4-amd64$";
+ "^linux-tools-3\.16\.0-5-amd64$";
+ "^linux-tools-4\.4\.0-121-generic$";
};
diff --git a/apt/preferences b/apt/preferences
deleted file mode 100644
index 8086fdb..0000000
--- a/apt/preferences
+++ /dev/null
@@ -1,14 +0,0 @@
-# Give jessie priority over everything
-Package: *
-Pin: release n=jessie
-Pin-Priority: 900
-
-# Give backports priority over stretch
-Package: *
-Pin: release n=jessie-backports
-Pin-Priority: 800
-
-# Never silently install from testing
-Package: *
-Pin: release n=stretch
-Pin-Priority: -1
diff --git a/apt/preferences.d/.keep b/apt/preferences.d/.keep
deleted file mode 100644
index e69de29..0000000
diff --git a/apt/preferences.d/ansible b/apt/preferences.d/ansible
deleted file mode 100644
index e6f4d9a..0000000
--- a/apt/preferences.d/ansible
+++ /dev/null
@@ -1,3 +0,0 @@
-Package: ansible ieee-data python-netaddr
-Pin: release n=jessie-backports
-Pin-Priority: 990
diff --git a/apt/preferences.d/firejail b/apt/preferences.d/firejail
deleted file mode 100644
index b3b8401..0000000
--- a/apt/preferences.d/firejail
+++ /dev/null
@@ -1,3 +0,0 @@
-Package: firejail
-Pin: release n=stretch
-Pin-Priority: 990
diff --git a/apt/preferences.d/kernel b/apt/preferences.d/kernel
deleted file mode 100644
index 9e873db..0000000
--- a/apt/preferences.d/kernel
+++ /dev/null
@@ -1,3 +0,0 @@
-Package: linux-base linux-image-amd64 linux-image-*-amd64
-Pin: release n=jessie-backports
-Pin-Priority: 990
diff --git a/apt/preferences.d/mksh b/apt/preferences.d/mksh
deleted file mode 100644
index 4104ba2..0000000
--- a/apt/preferences.d/mksh
+++ /dev/null
@@ -1,3 +0,0 @@
-Package: mksh
-Pin: release n=jessie-backports
-Pin-Priority: 990
diff --git a/apt/preferences.d/mosh b/apt/preferences.d/mosh
deleted file mode 100644
index 03a05c9..0000000
--- a/apt/preferences.d/mosh
+++ /dev/null
@@ -1,4 +0,0 @@
-# v1.2.5 (jessie-backports) is required for mouse support
-Package: mosh
-Pin: release n=jessie-backports
-Pin-Priority: 990
diff --git a/apt/preferences.d/openntpd b/apt/preferences.d/openntpd
deleted file mode 100644
index 9aa9510..0000000
--- a/apt/preferences.d/openntpd
+++ /dev/null
@@ -1,3 +0,0 @@
-Package: openntpd
-Pin: release n=jessie-backports
-Pin-Priority: 990
diff --git a/apt/preferences.d/unbound b/apt/preferences.d/unbound
deleted file mode 100644
index efb711f..0000000
--- a/apt/preferences.d/unbound
+++ /dev/null
@@ -1,3 +0,0 @@
-Package: libunbound2 libunbound-dev unbound* python-unbound
-Pin: release n=jessie-backports
-Pin-Priority: 990
diff --git a/apt/sources.list b/apt/sources.list
index 97c54de..24baca8 100644
--- a/apt/sources.list
+++ b/apt/sources.list
@@ -1,16 +1,21 @@
-deb http://deb.debian.org/debian/ jessie main contrib non-free
-deb-src http://deb.debian.org/debian/ jessie main contrib non-free
+## ORIGINAL /ETC/APT/SOURCES.LIST:
+#deb [arch=amd64] http://httpredir.debian.org/debian jessie main
+#deb [arch=amd64] http://security.debian.org/ jessie/updates main
-deb http://deb.debian.org/debian-security/ jessie/updates main contrib non-free
-deb-src http://deb.debian.org/debian-security/ jessie/updates main contrib non-free
+## MODIFIED, AFTER LOOKING AT !#'S SOURCES LIST:
+deb [arch=amd64] http://deb.debian.org/debian/ jessie main contrib non-free
+deb [arch=amd64] http://deb.debian.org/debian-security/ jessie/updates main contrib non-free
+deb [arch=amd64] http://deb.debian.org/debian/ jessie-backports main contrib non-free
-# Backports. Must be enabled per-package using a pin
-deb http://deb.debian.org/debian/ jessie-backports main contrib non-free
-deb-src http://deb.debian.org/debian/ jessie-backports main contrib non-free
-# Newer releases. Use with care and pin.
-deb http://deb.debian.org/debian/ stretch main contrib non-free
-deb-src http://deb.debian.org/debian/ stretch main contrib non-free
+## BELOW, MINUS THE #'S, IS THE HASHBANG.SH /ETC/APT/SOURCES.LIST:
+
+#deb http://deb.debian.org/debian/ jessie main contrib non-free
+#deb-src http://deb.debian.org/debian/ jessie main contrib non-free
-deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
-deb-src http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
+#deb http://deb.debian.org/debian-security/ jessie/updates main contrib non-free
+#deb-src http://deb.debian.org/debian-security/ jessie/updates main contrib non-free
+
+# Backports. Must be enabled per-package using a pin
+#deb http://deb.debian.org/debian/ jessie-backports main contrib non-free
+#deb-src http://deb.debian.org/debian/ jessie-backports main contrib non-free
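Review bot: The active `jessie-backports` line in the "MODIFIED" block has no note on how it is meant to be used. The caveat "Backports. Must be enabled per-package using a pin" survives only above the commented-out copy at the bottom, and this same diff deletes `apt/preferences` and every file under `apt/preferences.d/`. With no pins left, backports selection presumably relies on the archive's own NotAutomatic marking (default priority 100), which is worth confirming with `apt-cache policy`. I would state that next to the live entry, for example `# Backports: no local pin; install explicitly with -t jessie-backports`. As a style point, the two commented-out copies of older lists duplicate what etckeeper's history already records and make it harder to see which entries are live.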
diff --git a/apt/sources.list.d/tor.list b/apt/sources.list.d/tor.list
deleted file mode 100644
index 5b54fd7..0000000
--- a/apt/sources.list.d/tor.list
+++ /dev/null
@@ -1 +0,0 @@
-deb https://deb.torproject.org/torproject.org jessie main
diff --git a/apt/sources.list.d/weechat.list b/apt/sources.list.d/weechat.list
deleted file mode 100644
index 973a27b..0000000
--- a/apt/sources.list.d/weechat.list
+++ /dev/null
@@ -1,2 +0,0 @@
-deb https://weechat.org/debian jessie main
-deb-src https://weechat.org/debian jessie main
diff --git a/apt/trusted.gpg b/apt/trusted.gpg
deleted file mode 100644
index e69de29..0000000
diff --git a/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg b/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg
deleted file mode 100644
index 7f064b8..0000000
Binary files a/apt/trusted.gpg.d/deb.torproject.org-keyring.gpg and /dev/null differ
diff --git a/apt/trusted.gpg.d/weechat.gpg b/apt/trusted.gpg.d/weechat.gpg
deleted file mode 100644
index 32ea2bf..0000000
Binary files a/apt/trusted.gpg.d/weechat.gpg and /dev/null differ
diff --git a/ca-certificates.conf b/ca-certificates.conf
index ef16bf1..07747d2 100644
--- a/ca-certificates.conf
+++ b/ca-certificates.conf
@@ -21,38 +21,40 @@ mozilla/AffirmTrust_Commercial.crt
mozilla/AffirmTrust_Networking.crt
mozilla/AffirmTrust_Premium.crt
mozilla/AffirmTrust_Premium_ECC.crt
-!mozilla/America_Online_Root_Certification_Authority_1.crt
-!mozilla/America_Online_Root_Certification_Authority_2.crt
mozilla/ApplicationCA_-_Japanese_Government.crt
mozilla/Atos_TrustedRoot_2011.crt
-!mozilla/A-Trust-nQual-03.crt
mozilla/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.crt
mozilla/Baltimore_CyberTrust_Root.crt
mozilla/Buypass_Class_2_CA_1.crt
mozilla/Buypass_Class_2_Root_CA.crt
-!mozilla/Buypass_Class_3_CA_1.crt
mozilla/Buypass_Class_3_Root_CA.crt
-!mozilla/CA_Disig.crt
mozilla/CA_Disig_Root_R1.crt
mozilla/CA_Disig_Root_R2.crt
mozilla/Camerfirma_Chambers_of_Commerce_Root.crt
mozilla/Camerfirma_Global_Chambersign_Root.crt
+mozilla/CA_WoSign_ECC_Root.crt
+mozilla/Certification_Authority_of_WoSign_G2.crt
mozilla/Certigna.crt
mozilla/Certinomis_-_Autorité_Racine.crt
+mozilla/Certinomis_-_Root_CA.crt
mozilla/Certplus_Class_2_Primary_CA.crt
+mozilla/Certplus_Root_CA_G1.crt
+mozilla/Certplus_Root_CA_G2.crt
mozilla/certSIGN_ROOT_CA.crt
mozilla/Certum_Root_CA.crt
+mozilla/Certum_Trusted_Network_CA_2.crt
mozilla/Certum_Trusted_Network_CA.crt
+mozilla/CFCA_EV_ROOT.crt
mozilla/Chambers_of_Commerce_Root_-_2008.crt
mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt
mozilla/CNNIC_ROOT.crt
mozilla/Comodo_AAA_Services_root.crt
mozilla/COMODO_Certification_Authority.crt
mozilla/COMODO_ECC_Certification_Authority.crt
+mozilla/COMODO_RSA_Certification_Authority.crt
mozilla/Comodo_Secure_Services_root.crt
mozilla/Comodo_Trusted_Services_root.crt
mozilla/ComSign_CA.crt
-!mozilla/ComSign_Secured_CA.crt
mozilla/Cybertrust_Global_Root.crt
mozilla/Deutsche_Telekom_Root_CA_2.crt
mozilla/DigiCert_Assured_ID_Root_CA.crt
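Review bot: The reordered list keeps `mozilla/CA_WoSign_ECC_Root.crt` and `mozilla/Certification_Authority_of_WoSign_G2.crt` selected on the added lines of this hunk. The unchanged `mozilla/WoSign.crt`, `mozilla/WoSign_China.crt` and `mozilla/StartCom_Certification_Authority*.crt` entries in the later hunks of this file stay selected as well. Mozilla's root program announced distrust of the WoSign and StartCom roots in 2016, so unless something on this host depends on them they are better deselected using the `!` prefix this file already supports, e.g. `!mozilla/CA_WoSign_ECC_Root.crt`, followed by `update-ca-certificates`. The removed `!`-prefixed lines look like entries for certificates the package no longer ships, which is worth confirming against `/usr/share/ca-certificates/mozilla/`.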
@@ -63,8 +65,6 @@ mozilla/DigiCert_Global_Root_G2.crt
mozilla/DigiCert_Global_Root_G3.crt
mozilla/DigiCert_High_Assurance_EV_Root_CA.crt
mozilla/DigiCert_Trusted_Root_G4.crt
-!mozilla/Digital_Signature_Trust_Co._Global_CA_1.crt
-!mozilla/Digital_Signature_Trust_Co._Global_CA_3.crt
mozilla/DST_ACES_CA_X6.crt
mozilla/DST_Root_CA_X3.crt
mozilla/D-TRUST_Root_Class_3_CA_2_2009.crt
@@ -72,9 +72,10 @@ mozilla/D-TRUST_Root_Class_3_CA_2_EV_2009.crt
mozilla/EBG_Elektronik_Sertifika_Hizmet_Sağlayıcısı.crt
mozilla/EC-ACC.crt
mozilla/EE_Certification_Centre_Root_CA.crt
-!mozilla/E-Guven_Kok_Elektronik_Sertifika_Hizmet_Saglayicisi.crt
mozilla/Entrust.net_Premium_2048_Secure_Server_CA.crt
mozilla/Entrust_Root_Certification_Authority.crt
+mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
+mozilla/Entrust_Root_Certification_Authority_-_G2.crt
mozilla/ePKI_Root_Certification_Authority.crt
mozilla/Equifax_Secure_CA.crt
mozilla/Equifax_Secure_eBusiness_CA_1.crt
@@ -88,26 +89,32 @@ mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
mozilla/GeoTrust_Universal_CA_2.crt
mozilla/GeoTrust_Universal_CA.crt
mozilla/Global_Chambersign_Root_-_2008.crt
+mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
+mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
mozilla/GlobalSign_Root_CA.crt
mozilla/GlobalSign_Root_CA_-_R2.crt
mozilla/GlobalSign_Root_CA_-_R3.crt
mozilla/Go_Daddy_Class_2_CA.crt
mozilla/Go_Daddy_Root_Certificate_Authority_-_G2.crt
-!mozilla/GTE_CyberTrust_Global_Root.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2011.crt
+mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
mozilla/Hongkong_Post_Root_CA_1.crt
+mozilla/IdenTrust_Commercial_Root_CA_1.crt
+mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
mozilla/IGC_A.crt
+mozilla/ISRG_Root_X1.crt
mozilla/Izenpe.com.crt
mozilla/Juur-SK.crt
mozilla/Microsec_e-Szigno_Root_CA_2009.crt
mozilla/Microsec_e-Szigno_Root_CA.crt
mozilla/NetLock_Arany_=Class_Gold=_Főtanúsítvány.crt
-!mozilla/NetLock_Business_=Class_B=_Root.crt
-!mozilla/NetLock_Express_=Class_C=_Root.crt
-!mozilla/NetLock_Notary_=Class_A=_Root.crt
-!mozilla/NetLock_Qualified_=Class_QA=_Root.crt
mozilla/Network_Solutions_Certificate_Authority.crt
mozilla/OISTE_WISeKey_Global_Root_GA_CA.crt
+mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
+mozilla/OpenTrust_Root_CA_G1.crt
+mozilla/OpenTrust_Root_CA_G2.crt
+mozilla/OpenTrust_Root_CA_G3.crt
mozilla/PSCProcert.crt
mozilla/QuoVadis_Root_CA_1_G3.crt
mozilla/QuoVadis_Root_CA_2.crt
@@ -123,11 +130,10 @@ mozilla/SecureTrust_CA.crt
mozilla/Security_Communication_EV_RootCA1.crt
mozilla/Security_Communication_RootCA2.crt
mozilla/Security_Communication_Root_CA.crt
-!mozilla/SG_TRUST_SERVICES_RACINE.crt
-!mozilla/Sonera_Class_1_Root_CA.crt
mozilla/Sonera_Class_2_Root_CA.crt
-!mozilla/Staat_der_Nederlanden_Root_CA.crt
+mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
+mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
mozilla/Starfield_Class_2_CA.crt
mozilla/Starfield_Root_Certificate_Authority_-_G2.crt
mozilla/Starfield_Services_Root_Certificate_Authority_-_G2.crt
@@ -135,46 +141,41 @@ mozilla/StartCom_Certification_Authority_2.crt
mozilla/StartCom_Certification_Authority.crt
mozilla/StartCom_Certification_Authority_G2.crt
mozilla/S-TRUST_Authentication_and_Encryption_Root_CA_2005_PN.crt
+mozilla/S-TRUST_Universal_Root_CA.crt
mozilla/Swisscom_Root_CA_1.crt
mozilla/Swisscom_Root_CA_2.crt
mozilla/Swisscom_Root_EV_CA_2.crt
mozilla/SwissSign_Gold_CA_-_G2.crt
mozilla/SwissSign_Platinum_CA_-_G2.crt
mozilla/SwissSign_Silver_CA_-_G2.crt
+mozilla/SZAFIR_ROOT_CA2.crt
mozilla/Taiwan_GRCA.crt
-!mozilla/TC_TrustCenter_Class_2_CA_II.crt
mozilla/TC_TrustCenter_Class_3_CA_II.crt
-!mozilla/TC_TrustCenter_Universal_CA_I.crt
mozilla/TeliaSonera_Root_CA_v1.crt
-!mozilla/Thawte_Premium_Server_CA.crt
mozilla/thawte_Primary_Root_CA.crt
mozilla/thawte_Primary_Root_CA_-_G2.crt
mozilla/thawte_Primary_Root_CA_-_G3.crt
-!mozilla/Thawte_Server_CA.crt
mozilla/Trustis_FPS_Root_CA.crt
mozilla/T-TeleSec_GlobalRoot_Class_2.crt
mozilla/T-TeleSec_GlobalRoot_Class_3.crt
mozilla/TÜBİTAK_UEKAE_Kök_Sertifika_Hizmet_Sağlayıcısı_-_Sürüm_3.crt
-!mozilla/TURKTRUST_Certificate_Services_Provider_Root_1.crt
mozilla/TURKTRUST_Certificate_Services_Provider_Root_2007.crt
-!mozilla/TURKTRUST_Certificate_Services_Provider_Root_2.crt
+mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
+mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt
mozilla/TWCA_Global_Root_CA.crt
mozilla/TWCA_Root_Certification_Authority.crt
-!mozilla/UTN_DATACorp_SGC_Root_CA.crt
+mozilla/USERTrust_ECC_Certification_Authority.crt
+mozilla/USERTrust_RSA_Certification_Authority.crt
mozilla/UTN_USERFirst_Email_Root_CA.crt
mozilla/UTN_USERFirst_Hardware_Root_CA.crt
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority.crt
-!mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G2.crt
mozilla/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.crt
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G2.crt
mozilla/Verisign_Class_2_Public_Primary_Certification_Authority_-_G3.crt
-!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_2.crt
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
-!mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G2.crt
mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G4.crt
mozilla/VeriSign_Class_3_Public_Primary_Certification_Authority_-_G5.crt
-!mozilla/Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.crt
mozilla/VeriSign_Universal_Root_Certification_Authority.crt
mozilla/Visa_eCommerce_Root.crt
mozilla/WellsSecure_Public_Root_Certificate_Authority.crt
@@ -182,32 +183,3 @@ mozilla/WoSign_China.crt
mozilla/WoSign.crt
mozilla/XRamp_Global_CA_Root.crt
spi-inc.org/spi-cacert-2008.crt
-mozilla/CA_WoSign_ECC_Root.crt
-mozilla/Certification_Authority_of_WoSign_G2.crt
-mozilla/Certinomis_-_Root_CA.crt
-mozilla/CFCA_EV_ROOT.crt
-mozilla/COMODO_RSA_Certification_Authority.crt
-mozilla/Entrust_Root_Certification_Authority_-_EC1.crt
-mozilla/Entrust_Root_Certification_Authority_-_G2.crt
-mozilla/GlobalSign_ECC_Root_CA_-_R4.crt
-mozilla/GlobalSign_ECC_Root_CA_-_R5.crt
-mozilla/IdenTrust_Commercial_Root_CA_1.crt
-mozilla/IdenTrust_Public_Sector_Root_CA_1.crt
-mozilla/OISTE_WISeKey_Global_Root_GB_CA.crt
-mozilla/Staat_der_Nederlanden_EV_Root_CA.crt
-mozilla/Staat_der_Nederlanden_Root_CA_-_G3.crt
-mozilla/S-TRUST_Universal_Root_CA.crt
-mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H5.crt
-mozilla/TÜRKTRUST_Elektronik_Sertifika_Hizmet_Sağlayıcısı_H6.crt
-mozilla/USERTrust_ECC_Certification_Authority.crt
-mozilla/USERTrust_RSA_Certification_Authority.crt
-mozilla/Certplus_Root_CA_G1.crt
-mozilla/Certplus_Root_CA_G2.crt
-mozilla/Certum_Trusted_Network_CA_2.crt
-mozilla/Hellenic_Academic_and_Research_Institutions_ECC_RootCA_2015.crt
-mozilla/Hellenic_Academic_and_Research_Institutions_RootCA_2015.crt
-mozilla/ISRG_Root_X1.crt
-mozilla/OpenTrust_Root_CA_G1.crt
-mozilla/OpenTrust_Root_CA_G2.crt
-mozilla/OpenTrust_Root_CA_G3.crt
-mozilla/SZAFIR_ROOT_CA2.crt
diff --git a/cron.daily/clean-lurkers b/cron.daily/clean-lurkers
deleted file mode 100755
index c9107d5..0000000
--- a/cron.daily/clean-lurkers
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/sh
-# See https://xkcd.com/686/ -- Admin mourning
-
-DAYS=30
-
-for range in 1000-59999 65536-4294967293; do
- for user in $(lastlog -b "$DAYS" -t "$((DAYS + 2))" -u "$range" | \
- tail -n +2 | cut -d' ' -f1); do
- if [ ! -f "/home/${user}/.keep-account" ]; then
- loginctl terminate-user "$user"
- fi
- done
-done
diff --git a/cron.daily/gpg-keyring b/cron.daily/gpg-keyring
deleted file mode 100755
index b12f509..0000000
--- a/cron.daily/gpg-keyring
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash -e
-KEYRING=/var/lib/hashbang/admins.gpg
-
-umask 002
-mkdir -p "$(dirname "${KEYRING}")"
-chmod 0755 "$(dirname "${KEYRING}")"
-
-unset GNUPGHOME
-trap 'rm -rf -- "${GNUPGHOME}"' EXIT
-export GNUPGHOME="$(mktemp -d)"
-
-ADMIN_KEYS=(
- 0x954A3772D62EF90E4B31FBC6C91A9911192C187A # daurnimator
- 0x0A1F87C7936EB2461C6A9D9BAD9970F98EB884FD # DeviaVir
- 0xC92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD # drGrove
- 0xF2B7999666D83093F8D4212926CDD32189AA2885 # dpflug
- 0xAE2D535ABD2E5B42CE1E97110527B4EFFB4A3AEB # kellerfuchs
- 0x6B61ECD76088748C70590D55E90A401336C8AAA9 # lrvick
- 0xA251FDF79171F98674EB2176FCC2D6E33BA86209 # ryan
- 0x3D7C8D39E8C4DF771583D3F0A8A091FD346001CA # singlerider
-)
-
-[ ! -f "${KEYRING}" ] || gpg -q --import "${KEYRING}"
-gpg -q --batch --keyserver pool.sks-keyservers.net --recv-keys "${ADMIN_KEYS[@]}"
-gpg -q --batch --yes --export --export-options export-clean,export-minimal \
- -o "${KEYRING}" "${ADMIN_KEYS[@]}"
diff --git a/cron.monthly/ieee-data b/cron.monthly/ieee-data
deleted file mode 100755
index 02978ad..0000000
--- a/cron.monthly/ieee-data
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-test -x /usr/bin/update-oui || exit 0
-BASEDIR=/var/lib/ieee-data/ /usr/bin/update-oui -f -q
diff --git a/crontab b/crontab
index 9d060fb..95edd9b 100644
--- a/crontab
+++ b/crontab
@@ -12,7 +12,4 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
-
-32 7 * * 7 root update-command-not-found
#
-#*/3 * * * * root /etc/cron.hourly/udev.sh
diff --git a/default/grub b/default/grub
index 3ec5681..b3a3467 100644
--- a/default/grub
+++ b/default/grub
@@ -6,7 +6,7 @@
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
-GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 console=tty0"
+GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX=""
# Uncomment to enable BadRAM filtering, modify to suit your needs
@@ -23,7 +23,7 @@ GRUB_CMDLINE_LINUX=""
#GRUB_GFXMODE=640x480
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
-GRUB_DISABLE_LINUX_UUID="true"
+#GRUB_DISABLE_LINUX_UUID=true
# Uncomment to disable generation of recovery mode menu entries
#GRUB_DISABLE_RECOVERY="true"
diff --git a/default/haveged b/default/haveged
index 000e38e..77b6941 100644
--- a/default/haveged
+++ b/default/haveged
@@ -2,4 +2,4 @@
# Options to pass to haveged:
# -w sets low entropy watermark (in bits)
-DAEMON_ARGS="-w 2048"
+DAEMON_ARGS="-w 1024"
diff --git a/default/locale b/default/locale
index be3e730..ae35878 100644
--- a/default/locale
+++ b/default/locale
@@ -1,2 +1,2 @@
-# Created by cloud-init v. 0.7.6 on Mon, 11 May 2015 19:43:00 +0000
-LANG="en_US.UTF-8"
+# File generated by update-locale
+LANG=en_US.UTF-8
diff --git a/default/rcS b/default/rcS
index 6508e99..694ffc7 100644
--- a/default/rcS
+++ b/default/rcS
@@ -21,4 +21,4 @@
#VERBOSE=no
# automatically repair filesystems with inconsistencies during boot
-FSCKFIX=yes
+#FSCKFIX=no
diff --git a/default/tor b/default/tor
index 7a1b832..9301708 100644
--- a/default/tor
+++ b/default/tor
@@ -1,10 +1,6 @@
# Defaults for tor initscript
# sourced by /etc/init.d/tor
# installed at /etc/default/tor by the maintainer scripts
-#
-# Note that this file is not being used for controlling Tor-startup
-# when Tor is launched by systemd.
-#
#
# This is a bash shell fragment
diff --git a/default/useradd b/default/useradd
index 4e27ca4..a834fef 100644
--- a/default/useradd
+++ b/default/useradd
@@ -5,7 +5,7 @@
# Similar to DHSELL in adduser. However, we use "sh" here because
# useradd is a low level utility and should be as general
# as possible
-SHELL=/bin/bash
+SHELL=/bin/sh
#
# The default group for users
# 100=users on Debian systems
diff --git a/devscripts.conf b/devscripts.conf
index ebe18d5..c9843ea 100644
--- a/devscripts.conf
+++ b/devscripts.conf
@@ -16,7 +16,7 @@
# descriptions and default values will be appended as comments
# to this file.
-# Variables recognised as of devscripts version 2.15.3:
+# Variables recognised as of devscripts version 2.15.3+deb8u1:
##### Package-wide variables
#
@@ -286,7 +286,7 @@
##### debrelease
#
-# This specifies which uploader program to use. As of devscripts 2.15.3
+# This specifies which uploader program to use. As of devscripts 2.15.3+deb8u1
# the recognised values are "dupload" (default) and "dput". Check the
# debrelease(1) manpage for any recent changes to this variable
# DEBRELEASE_UPLOADER=dupload
@@ -314,7 +314,7 @@
# DEBSIGN_PROGRAM=
#
# How the signing program works; must be either gpg or pgp as of
-# devscripts version 2.15.3. The default is described in the
+# devscripts version 2.15.3+deb8u1. The default is described in the
# manpage. Corresponds to -sgpg and -spgp.
# DEBSIGN_SIGNLIKE=
#
@@ -637,430 +637,3 @@
#
# No variables currently
-
-# debchange/dch option added in version 2.7.90:
-#
-# Query the BTS when --closes is being used?
-# DEBCHANGE_QUERY_BTS=yes
-#
-# uupdate option added in version 2.7.90:
-#
-# Should we symlink the .orig.tar.gz file to its new name or
-# copy it instead? yes=symlink, no=copy
-# UUPDATE_SYMLINK_ORIG=yes
-
-# debuild options added in version 2.7.93:
-#
-# Do we run linda at the end of a full run?
-# DEBUILD_LINDA=no
-#
-# Extra options given to linda before any command-line options
-# specified.
-# DEBUILD_LINDA_OPTS=""
-
-##### Package-wide variables first introduced in version 2.7.93:
-#
-# Lists of which scripts are affected by these package-wide variables
-# can be found in the devscripts.conf(5) manpage.
-#
-#
-# Directory Name Checking
-#
-# Several programs check the directory name and refuse to function if
-# it does not match the name of the package being worked on. (The
-# details are described in the individual manpages.)
-# These two variables control this behaviour, corresponding to the
-# --check-dirname-level and --check-dirname-regex command line options.
-# The possible values of DEVSCRIPTS_CHECK_DIRNAME_LEVEL are:
-# 0 never check the directory name
-# 1 check the directory name only if the program has changed directory
-# 2 always check the directory name
-# The variable DEVSCRIPTS_DIRNAME_REGEXP is a Perl regex which
-# defines what is considered a valid directory name for the source
-# package PACKAGE; if it includes a '/', then it must match the full
-# directory path, otherwise it must match the full directory name.
-#
-# The default settings are:
-# DEVSCRIPTS_CHECK_DIRNAME_LEVEL=1
-# DEVSCRIPTS_CHECK_DIRNAME_REGEX='PACKAGE(-.+)?'
-
-##### bts options added in versions 2.8.6 and 2.8.7:
-#
-# Default bts show/bugs to run in offline mode?
-# BTS_OFFLINE=no
-#
-# Cache all visited bug reports once a cache has been established
-# for the first time?
-# BTS_CACHE=yes
-#
-# How much to mirror when caching? The minimal amount (min), the mbox
-# version as well (mbox) or the whole works (full)?
-# BTS_CACHE_MODE=min
-#
-# Always refresh the cache, even if nothing's changed?
-# BTS_FORCE_REFRESH=no
-#
-# How do we read an mbox? This will be split on whitespace, then
-# %s is replaced by the mbox name and %% by a single %.
-# BTS_MAIL_READER='mutt -f %s'
-
-##### uscan option added in version 2.8.12:
-#
-# Should we use DEHS style output (XML format)?
-# USCAN_DEHS_OUTPUT=no
-#
-
-##### debchange option added in version 2.8.15:
-#
-# Select a heuristic to use to determine whether the package has released.
-# See the debchange man page for details.
-# DEBCHANGE_RELEASE_HEURISTIC=log
-# DEBCHANGE_RELEASE_HEURISTIC=changelog
-
-##### debchange option added in version 2.9.5:
-#
-# Introduce multiple-maintainer markers in changelog sections?
-# DEBCHANGE_MULTIMAINT=yes
-
-##### bts option added in version 2.9.15
-#
-# What sendmail command do we use? This will be split on whitespace.
-# BTS_SENDMAIL_COMMAND='/usr/sbin/sendmail'
-
-##### dpkg-sig options added in version 2.9.15
-#
-# dpkg-sig is not a part of devscripts, but shares this configuration file.
-# It pays attention to the values of DEBSIGN_MAINT and DEBSIGN_KEY in
-# addition to the following.
-#
-# This key ID takes precedence over the rest
-# DPKGSIG_KEYID=
-#
-# Do we sign the .changes and .dsc files? See the manpage for more
-# info. Valid options are no, auto, yes, full and force_full.
-# DPKGSIG_SIGN_CHANGES=auto
-#
-# Do we cache the gpg passphrase by default? This can be dangerous!
-# DPKGSIG_CACHE_PASS=no
-
-##### pts-subscribe added in version 2.9.15
-#
-# How long will we subscribe for by default? The default is 30 days.
-# Setting this to 'forever' means that no unsubscription request will
-# be scheduled.
-# PTS_UNTIL='now + 30 days'
-
-##### debdiff option added in version 2.9.17
-#
-# Which control files to compare? A comma-separated list, with
-# possibilities such as postinst, config and so on; ALL means compare
-# all control files.
-# DEBDIFF_CONTROLFILES=control
-
-##### debrelease/debc/debi option added in version 2.9.17
-#
-# This specifies the directory, relative to the top of the source
-# tree, in which the .changes and .debs files are to be found. Note
-# that this option affects all of debrelease, debc and debi.
-# DEBRELEASE_DEBS_DIR=..
-
-##### debuild options added in version 2.9.17
-#
-# Do we check for the existence of the .orig.tar.gz before calling
-# dpkg-buildpackage?
-# DEBUILD_TGZ_CHECK=yes
-#
-# Hooks; see the manpage for details of these
-# DEBUILD_DPKG_BUILDPACKAGE_HOOK=""
-# DEBUILD_CLEAN_HOOK=""
-# DEBUILD_DPKG_SOURCE_HOOK=""
-# DEBUILD_BUILD_HOOK=""
-# DEBUILD_BINARY_HOOK=""
-# DEBUILD_FINAL_CLEAN_HOOK=""
-# DEBUILD_LINTIAN_HOOK=""
-# DEBUILD_SIGNING_HOOK=""
-# DEBUILD_POST_DPKG_BUILDPACKAGE_HOOK=""
-
-##### who-uploads options added in version 2.9.17
-#
-# Maximum number of uploads to display per package
-# WHOUPLOADS_MAXUPLOADS=3
-#
-# Colon-separated list of keyrings to examine by default
-# WHOUPLOADS_KEYRINGS=/usr/share/keyrings/debian-keyring.gpg:/usr/share/keyrings/debian-keyring.pgp
-
-##### nmudiff options added in versions 2.9.25 and 2.9.26
-#
-# Should we use mutt to edit and send the message or just a plain old
-# editor?
-# NMUDIFF_MUTT=yes
-#
-# Should we always submit a new report (yes), always send to the bugs
-# which are being closed (no), or send to the bug being closed if
-# there is only one of them, otherwise send a new report (maybe)?
-# NMUDIFF_NEWREPORT=maybe
-#
-# nmudiff also uses the value of BTS_SENDMAIL_COMMAND if NMUDIFF_MUTT=no
-
-##### dget option added in version 2.9.26
-#
-# Extra directories to search for files in addition to
-# /var/cache/apt/archives. This is a colon-separated list of directories.
-# DGET_PATH=""
-
-##### licensecheck options added in version 2.10.3
-#
-# Print the file header being parsed before the corresponding license
-# information?
-# LICENSECHECK_VERBOSE=no
-#
-# How many lines of each file should be parsed for license information?
-# LICENSECHECK_PARSELINES=60
-
-##### debchange option added in version 2.10.3
-#
-# Use a fixed timezone in changelog entries?
-# DEBCHANGE_TZ=UTC
-
-##### debchange option added in version 2.10.4
-#
-# When appending to a multiple-maintainer changelog, if there are
-# existing changes made by the current maintainer, should new
-# changelog entries be appended to the existing entries?
-# DEBCHANGE_MULTIMAINT_MERGE=no
-
-##### bts option added in version 2.10.2
-# Download only new bugs when caching? If set to yes, don't check for
-# updates in bugs we already have.
-# BTS_ONLY_NEW=no
-
-##### bts options added in version 2.10.5
-#
-# Which SMTP host should be used? Note that if both an SMTP host and
-# sendmail command are specified in the configuration file(s), the SMTP
-# host will be used unless overridden by --sendmail on the command line
-# BTS_SMTP_HOST=bugs.debian.org
-#
-# Include resolved bugs when caching?
-# BTS_INCLUDE_RESOLVED=yes
-
-##### uscan option added in version 2.10.7
-#
-# What user agent string should we send with requests?
-# (Default is 'Debian uscan X.Y.Z')
-# USCAN_USER_AGENT=''
-
-##### debcommit option added in version 2.10.8
-#
-# Strip a leading "* " from commit messages taken from changelogs?
-# DEBCOMMIT_STRIP_MESSAGE=no
-
-##### debcommit option added in version 2.10.10
-#
-# Sign created tags using gnupg?
-# DEBCOMMIT_SIGN_TAGS=no
-##### debchange option added in version 2.10.12
-#
-# When appending entries to the changelog, should the trailer line
-# be maintained as-is?
-# DEBCHANGE_MAINTTRAILER=yes
-
-##### uscan option added in version 2.10.9
-#
-# Where should downloaded files be placed?
-# USCAN_DESTDIR=..
-
-##### bts option added in version 2.10.14
-#
-# Suppress BTS acknowledgment e-mails (ignored by the control bot)
-# BTS_SUPPRESS_ACKS=no
-
-##### dget options added in version 2.10.17
-#
-# Unpack downloaded source packages
-# DGET_UNPACK=yes
-# Verify source package signatures using dscverify
-# DGET_VERIFY=yes
-#
-##### bts options added in version 2.10.17
-#
-# Allow the generated message to be edited and, if necessary, abandoned
-# before sending it to the control bot?
-#
-# If set to yes, prompt for confirmation / edit / abandonment.
-# If set to force, spawn an editor and then proceed as if set to yes
-# BTS_INTERACTIVE=no
-
-##### debchange option added in version 2.10.19
-#
-# Allow a new version to be lower than the current package version
-# if the new version matches the specified regular expression
-# DEBCHANGE_LOWER_VERSION_PATTERN=bpo
-
-##### debcommit option added in version 2.10.20
-#
-# Take any uncommitted changes in the changelog in
-# to account when determining the commit message
-# for a release?
-# DEBCOMMIT_RELEASE_USE_CHANGELOG=no
-
-##### debuild options added in version 2.10.20
-#
-# Colon-separated list of options to be added to the beginning
-# of PATH once it has been sanitised
-# DEBUILD_PREPEND_PATH="/usr/lib/ccache"
-#
-# Credentials to pass to debrsign when signing dsc / changes files
-# Setting this option to a non-blank string implies using debrsign
-# DEBUILD_SIGNING_USERNAME="user@host"
-
-##### bts options added in version 2.10.21
-#
-# If the SMTP host specified above requires authentication, the following
-# options may be used to specify the username and password to use.
-# If only a username is provided then the password will be prompted for
-# before sending the e-mail
-# BTS_SMTP_AUTH_USERNAME=user
-# BTS_SMTP_AUTH_PASSWORD=pass
-
-##### debdiff option added in version 2.10.21
-# Include the output of diffstat?
-# DEBDIFF_SHOW_DIFFSTAT=no
-
-##### bts option added in version 2.10.22
-#
-# Specify a list of e-mail addresses to which a carbon copy of the
-# generated e-mail to the control bot should automatically be sent.
-# BTS_DEFAULT_CC=example@example.com
-
-##### debchange option added in version 2.10.24
-#
-# Attempt to automatically determine whether the current changelog
-# stanza represents an NMU?
-# DEBCHANGE_AUTO_NMU=yes
-
-##### rmadison option added in version 2.10.26
-#
-# Add a custom URL to the default list of shorthands so one
-# can use it with -u without having to specify the full URL
-#
-# RMADISON_URL_MAP_EXAMPLE=http://example.com/madison.cgi
-
-##### who-uploads option added in version 2.10.30
-#
-# Display the date of the upload?
-#
-# WHOUPLOADS_DATE=no
-
-##### debdiff option added in version 2.10.36
-#
-# Compare control files in source packages using widff?
-#
-# DEBDIFF_WDIFF_SOURCE_CONTROL=no
-
-##### mk-build-deps options added in version 2.10.38
-#
-# Which tool to use for installing build depends?
-# MKBUILDDEPS_TOOL=/usr/bin/apt-get
-#
-# Remove package files after install?
-# MKBUILDDEPS_REMOVE_AFTER_INSTALL=yes
-##### bts option added in version 2.10.39
-#
-# Specify a HELO to use when connecting to the SMTP host. If not supplied
-# and the file /etc/mailname exists, its contents will be used as the HELO
-# BTS_SMTP_HELO=foo.example.com
-
-##### debcheckout option added in version 2.10.40
-#
-# List of space-separated pairs REGEXP/REPLACEMENT_TEXT to define
-# custom rules to enable authenticated mode.
-# See debcheckout(1) for a more precise description of syntax and
-# semantics of this setting.
-# DEBCHECKOUT_AUTH_URLS=''
-
-##### uscan option added in version 2.10.40
-#
-# Automatically repack bzipped tar or zip archives to gzipped tars?
-# USCAN_REPACK=no
-##### bts option added in 2.10.44
-#
-# Which debbugs server should be used?
-# BTS_SERVER=bugs.debian.org
-
-##### debsnap options added in 2.10.45
-#
-# Where to put the directory named <prefix>-<package>/
-# default: source- if unset
-# DEBSNAP_DESTDIR=
-#
-# Verbosely show messages (yes/no)
-# default: no
-# DEBSNAP_VERBOSE=no
-#
-# The base URL of the archive to download from
-# DEBSNAP_BASE_URL=http://snapshot-dev.debian.org
-
-##### debdiff option added in 2.10.45
-#
-# Always compare package in version order, rather than the order specified
-# on the command line?
-# DEBDIFF_AUTO_VER_SORT=no
-
-##### dcontrol option added in 2.10.47
-#
-# URL to query
-# DCONTROL_URL="https://qa.debian.org/cgi-bin/dcontrol"
-
-#### nmudiff option added in 2.10.47
-#
-# Number of days to indicate that an NMU upload has been delayed by
-# using the DELAYED upload queue. 0 indicates no delay.
-# Defaults to "XX" which adds a placeholder to the e-mail.
-# NMUDIFF_DELAY=3
-
-#### rmadison option added in 2.10.49
-#
-# Default URL to use if none is specified on the command line.
-# RMADISON_DEFAULT_URL=debian
-
-#### debchange option added in 2.10.49
-#
-# When --release was used and an editor presented, force the changelog
-# to be explicitly saved in the editor? If this is set to "no" then
-# the changes made by --release will be automatically saved.
-# DEBCHANGE_FORCE_SAVE_ON_RELEASE=yes
-
-#### debdiff option added in 2.10.54
-#
-# Unpack tarballs found in the top level source directory.
-# DEBDIFF_UNPACK_TARBALLS=yes
-
-#### debcheckout option added in 2.10.70
-#
-# For debian-dir-only repositories, also retrieve the source
-# package, unpack it, and move the missing files over.
-# (never auto download-only always)
-# DEBCHECKOUT_SOURCE=auto
-
-#### rmadison option added in 2.10.70
-#
-# Default architecture to use if none is specified on the command line.
-# use --architecture='*' to override RMADISON_ARCHITECTURE
-# RMADISON_ARCHITECTURE=source,i386,amd64,all
-
-#### mk-build-deps option added in 2.10.72
-#
-# Tool used to gain root privileges to install the deb
-# MKBUILDDEPS_ROOTCMD=''
-
-#### debsign option added in 2.11.0
-#
-# Always re-sign files even if they are already signed, without prompting.
-# DEBSIGN_ALWAYS_RESIGN=yes
-
-### debcommit option added in 2.14.2
-#
-# Sign commits using gnupg?
-# DEBCOMMIT_SIGN_COMMITS=no
-
diff --git a/dhcp/dhclient-enter-hooks.d/resolvconf b/dhcp/dhclient-enter-hooks.d/resolvconf
deleted file mode 100644
index 72b2be7..0000000
--- a/dhcp/dhclient-enter-hooks.d/resolvconf
+++ /dev/null
@@ -1,81 +0,0 @@
-#
-# Script fragment to make dhclient supply nameserver information to resolvconf
-#
-
-# Tips:
-# * Be careful about changing the environment since this is sourced
-# * This script fragment uses bash features
-# * As of isc-dhcp-client 4.2 the "reason" (for running the script) can be one of the following.
-# (Listed on man page:) MEDIUM(0) PREINIT(0) BOUND(M) RENEW(M) REBIND(M) REBOOT(M) EXPIRE(D) FAIL(D) RELEASE(D) STOP(D) NBI(-) TIMEOUT(M)
-# (Also used in master script:) ARPCHECK(0), ARPSEND(0)
-# (Also used in master script:) PREINIT6(0) BOUND6(M) RENEW6(M) REBIND6(M) DEPREF6(0) EXPIRE6(D) RELEASE6(D) STOP6(D)
-# (0) = master script does not run make_resolv_conf
-# (M) = master script runs make_resolv_conf
-# (D) = master script downs interface
-# (-) = master script does nothing with this
-
-if [ -x /sbin/resolvconf ] ; then
- # For safety, first undefine the nasty default make_resolv_conf()
- make_resolv_conf() { : ; }
- case "$reason" in
- BOUND|RENEW|REBIND|REBOOT|TIMEOUT)
- # Define a resolvconf-compatible m_r_c() function
- # It gets run later (or, in the TIMEOUT case, MAY get run later)
- make_resolv_conf() {
- local R
- local N
- R=""
- if [ "$new_domain_name_servers" ] && [ "$new_domain_name" ] ; then
- R="${R}domain $new_domain_name
-"
- fi
- if [ "$new_domain_name_servers" ] && [ "$new_domain_search" ] ; then
- R="${R}search $new_domain_search
-"
- fi
- for N in $new_domain_name_servers ; do
- R="${R}nameserver $N
-"
- done
- [ ! "$interface" ] || echo -n "$R" | /sbin/resolvconf -a "${interface}.dhclient"
- }
- ;;
- BOUND6|RENEW6|REBIND6)
- # Define a resolvconf-compatible m_r_c() function
- # It gets run later (or, in the TIMEOUT case, MAY get run later)
- make_resolv_conf() {
- local R
- local N
- local N_LOW
- local ZONE_ID
- R=""
- if [ "$new_dhcp6_name_servers" ] && [ "$new_dhcp6_domain_search" ] ; then
- R="${R}search $new_dhcp6_domain_search
-"
- fi
- for N in $new_dhcp6_name_servers ; do
-
- # If the nameserver has a link-local address
- # then add a zone ID (interface name) to it.
- N_LOW="$(echo "$N" | tr '[:upper:]' '[:lower:]')"
- if expr "$N_LOW" : ^fe80:: >/dev/null ; then
- ZONE_ID="%$interface"
- else
- ZONE_ID=""
- fi
- R="${R}nameserver $N$ZONE_ID
-"
- done
- [ ! "$interface" ] || echo -n "$R" | /sbin/resolvconf -a "${interface}.ip6.dhclient"
- }
- ;;
- EXPIRE|FAIL|RELEASE|STOP)
- # Delete resolv.conf info
- [ ! "$interface" ] || /sbin/resolvconf -d "${interface}.dhclient"
- ;;
- EXPIRE6|RELEASE6|STOP6)
- # Delete resolv.conf info
- [ ! "$interface" ] || /sbin/resolvconf -d "${interface}.ip6.dhclient"
- ;;
- esac
-fi
diff --git a/environment b/environment
index 761bde9..e69de29 100644
--- a/environment
+++ b/environment
@@ -1 +0,0 @@
-MAIL=~/Mail
diff --git a/etckeeper/commit.d/99push b/etckeeper/commit.d/99push
index ff54261..b5418f7 100755
--- a/etckeeper/commit.d/99push
+++ b/etckeeper/commit.d/99push
@@ -1,12 +1,8 @@
-#!/bin/sh -e
-if [ -n "$ETCKEEPER_NO_PUSH" ]; then
- exit 0
-fi
-
+#!/bin/sh
if [ -n "$PUSH_REMOTE" ]; then
if [ "$VCS" = git ] && [ -d .git ]; then
for REMOTE in $PUSH_REMOTE; do
- GIT_SSH_COMMAND="ssh -o PasswordAuthentication=no" git push "$REMOTE" "master:$(hostname)"
+ git push "$REMOTE" master || true
done
elif [ "$VCS" = hg ] && [ -d .hg ]; then
for REMOTE in $PUSH_REMOTE; do
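Review bot: The new `git push "$REMOTE" master || true` discards every push failure without a trace, so a broken remote or an expired key leaves the off-host copy of the /etc history stale and nobody is told. Keep the hook non-fatal but report the failure, e.g. `git push "$REMOTE" master || echo "etckeeper: push to $REMOTE failed" >&2`. The replaced line also forced `PasswordAuthentication=no`; without it, a push started from cron or a package hook may wait on a password prompt, depending on the ssh client configuration, so consider keeping `GIT_SSH_COMMAND="ssh -o BatchMode=yes"` on the call. The hg branch of the script continues outside this hunk.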
diff --git a/etckeeper/etckeeper.conf b/etckeeper/etckeeper.conf
index 9798abd..f988c10 100644
--- a/etckeeper/etckeeper.conf
+++ b/etckeeper/etckeeper.conf
@@ -18,7 +18,7 @@ DARCS_COMMIT_OPTIONS="-a"
# Uncomment to avoid etckeeper committing existing changes
# to /etc automatically once per day.
-AVOID_DAILY_AUTOCOMMITS=1
+#AVOID_DAILY_AUTOCOMMITS=1
# Uncomment the following to avoid special file warning
# (the option is enabled automatically by cronjob regardless).
@@ -27,7 +27,7 @@ AVOID_DAILY_AUTOCOMMITS=1
# Uncomment to avoid etckeeper committing existing changes to
# /etc before installation. It will cancel the installation,
# so you can commit the changes by hand.
-AVOID_COMMIT_BEFORE_INSTALL=1
+#AVOID_COMMIT_BEFORE_INSTALL=1
# The high-level package manager that's being used.
# (apt, pacman-g2, yum, zypper etc)
@@ -40,5 +40,4 @@ LOWLEVEL_PACKAGE_MANAGER=dpkg
# To push each commit to a remote, put the name of the remote here.
# (eg, "origin" for git). Space-separated lists of multiple remotes
# also work (eg, "origin gitlab github" for git).
-# commit.d/99push has been modified to push to the $(hostname) branch
-PUSH_REMOTE="git@git-infra.hashbang.sh:shell-etc.git"
+PUSH_REMOTE=""
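Review bot: With `PUSH_REMOTE=""` the commit.d/99push hook has nothing to push to, so the only copy of the /etc history is the repository on the host itself, where anyone with root can rewrite it. If that is intended, say so next to the setting, for example `# no remote: history is local only and is not tamper-evident`. Otherwise name a remote that accepts pushes from this host but refuses history rewrites.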
diff --git a/etckeeper/post-install.d/00package-list b/etckeeper/post-install.d/00package-list
deleted file mode 100755
index 291170d..0000000
--- a/etckeeper/post-install.d/00package-list
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh -e
-
-dpkg --get-selections > /etc/packages.txt
diff --git a/etckeeper/push.d/99push b/etckeeper/push.d/99push
deleted file mode 120000
index 09fa886..0000000
--- a/etckeeper/push.d/99push
+++ /dev/null
@@ -1 +0,0 @@
-../commit.d/99push
\ No newline at end of file
diff --git a/ferm/ferm.conf b/ferm/ferm.conf
index dcd3148..fded11e 100644
--- a/ferm/ferm.conf
+++ b/ferm/ferm.conf
@@ -5,25 +5,48 @@
table filter {
chain INPUT {
- policy ACCEPT;
+ policy DROP;
- # connection tracking
- mod state state INVALID DROP;
- }
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
- chain OUTPUT {
- policy ACCEPT;
+ # allow local packet
+ interface lo ACCEPT;
- # connection tracking
- mod state state INVALID DROP;
+ # respond to ping
+ proto icmp ACCEPT;
- # Feathercoin mining pool
- daddr (176.31.126.191 188.165.223.132) REJECT;
+ # allow IPsec
+ proto udp dport 500 ACCEPT;
+ proto (esp ah) ACCEPT;
- # bitcoinshell.mooo.com
- daddr (92.222.41.125) REJECT;
+ # allow SSH connections
+ proto tcp dport ssh ACCEPT;
+ }
+ chain OUTPUT {
+ policy ACCEPT;
- # Bitcoin-related protocols
- proto (udp tcp) dport (8082 8332 8333 50002) REJECT;
+ # connection tracking
+ #mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
+ }
+ chain FORWARD {
+ policy DROP;
+
+ # connection tracking
+ mod state state INVALID DROP;
+ mod state state (ESTABLISHED RELATED) ACCEPT;
}
}
+
+# IPv6:
+#domain ip6 {
+# table filter {
+# chain INPUT {
+# policy ACCEPT;
+# # ...
+# }
+# # ...
+# }
+#}
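Review bot: Only the IPv4 side gets the new default-deny policy. A ferm file without a `domain` block programs the `ip` domain, and the IPv6 section added at the end is commented out (its sample even shows `policy ACCEPT`), so unless ip6tables rules are loaded from somewhere else, SSH and any other listener stay reachable over IPv6 unfiltered. Mirror the INPUT and FORWARD chains in an active `domain ip6` block, as sketched below. Separately, `proto icmp ACCEPT` admits every ICMP type although the comment only promises ping; `proto icmp icmp-type echo-request ACCEPT;` would match the comment.

```ferm
# … unchanged: IPv4 table filter (INPUT / OUTPUT / FORWARD) …

domain ip6 {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # ICMPv6 carries neighbour discovery; IPv6 does not work without it
            proto ipv6-icmp ACCEPT;

            # allow SSH connections
            proto tcp dport ssh ACCEPT;
        }
        chain FORWARD {
            policy DROP;
        }
    }
}
```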
diff --git a/firejail/7z.profile b/firejail/7z.profile
index 3191265..0cb72ff 100644
--- a/firejail/7z.profile
+++ b/firejail/7z.profile
@@ -1,14 +1,9 @@
# 7zip crompression tool profile
quiet
ignore noroot
-
include /etc/firejail/default.profile
-
-blacklist /tmp/.X11-unix
-
tracelog
net none
shell none
private-dev
nosound
-no3d
diff --git a/firejail/Cryptocat.profile b/firejail/Cryptocat.profile
deleted file mode 100644
index b61b88f..0000000
--- a/firejail/Cryptocat.profile
+++ /dev/null
@@ -1,20 +0,0 @@
-# Firejail profile for Cryptocat
-noblacklist ${HOME}/.config/Cryptocat
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-dev
-private-tmp
diff --git a/firejail/FossaMail.profile b/firejail/FossaMail.profile
deleted file mode 100644
index 0da2354..0000000
--- a/firejail/FossaMail.profile
+++ /dev/null
@@ -1,2 +0,0 @@
-# Firejail profile for FossaMail
-include /etc/firejail/fossamail.profile
diff --git a/firejail/VirtualBox.profile b/firejail/VirtualBox.profile
deleted file mode 100644
index ff0a4b6..0000000
--- a/firejail/VirtualBox.profile
+++ /dev/null
@@ -1 +0,0 @@
-include /etc/firejail/virtualbox.profile
diff --git a/firejail/Wire.profile b/firejail/Wire.profile
deleted file mode 100644
index bd9645c..0000000
--- a/firejail/Wire.profile
+++ /dev/null
@@ -1,3 +0,0 @@
-# wire messenger profile
-
-include /etc/firejail/wire.profile
diff --git a/firejail/abrowser.profile b/firejail/abrowser.profile
index f25bbd9..4aa18aa 100644
--- a/firejail/abrowser.profile
+++ b/firejail/abrowser.profile
@@ -1,4 +1,5 @@
# Firejail profile for Abrowser
+
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
@@ -29,14 +30,14 @@ whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
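Review bot: `whitelist ~/keepassx.kdbx` puts the password database itself inside the browser's view of the home directory, next to `~/.keepassx` and `~/.lastpass`, so a compromised browser process or extension could copy out or overwrite the encrypted database. The same three lines are added in chromium.profile and cyberfox.profile. If they are there only for browser integration, document that and leave the database line off by default, e.g. `# whitelist ~/keepassx.kdbx  # enable only if the browser plugin must open the database`. The profile continues outside this hunk, so whether disable-passwdmgr.inc is also included cannot be seen here.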
diff --git a/firejail/amarok.profile b/firejail/amarok.profile
deleted file mode 100644
index 8d5b35d..0000000
--- a/firejail/amarok.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-# amarok profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-shell none
-#seccomp
-protocol unix,inet,inet6
-
-#private-bin amarok
-private-dev
-private-tmp
-#private-etc none
diff --git a/firejail/ark.profile b/firejail/ark.profile
deleted file mode 100644
index 61b4c6f..0000000
--- a/firejail/ark.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# ark profile
-noblacklist ~/.config/arkrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-shell none
-seccomp
-protocol unix
-
-# private-bin
-private-dev
-private-tmp
-# private-etc
-
diff --git a/firejail/atom-beta.profile b/firejail/atom-beta.profile
index fa0b316..9a8d938 100644
--- a/firejail/atom-beta.profile
+++ b/firejail/atom-beta.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
nosound
protocol unix,inet,inet6,netlink
diff --git a/firejail/atom.profile b/firejail/atom.profile
index 61930d5..3cb8684 100644
--- a/firejail/atom.profile
+++ b/firejail/atom.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
nosound
protocol unix,inet,inet6,netlink
diff --git a/firejail/atool.profile b/firejail/atool.profile
deleted file mode 100644
index 578a88f..0000000
--- a/firejail/atool.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# atool profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-# include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-net none
-no3d
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin atool
-private-tmp
-private-dev
-private-etc none
-
-
diff --git a/firejail/atril.profile b/firejail/atril.profile
index fbcca0c..d9e10b0 100644
--- a/firejail/atril.profile
+++ b/firejail/atril.profile
@@ -7,8 +7,8 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-nogroups
nonewprivs
+nogroups
noroot
nosound
protocol unix
diff --git a/firejail/audacity.profile b/firejail/audacity.profile
index 827fa43..be3fac9 100644
--- a/firejail/audacity.profile
+++ b/firejail/audacity.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
protocol unix
seccomp
diff --git a/firejail/aweather.profile b/firejail/aweather.profile
index fa8654f..4e5c36f 100644
--- a/firejail/aweather.profile
+++ b/firejail/aweather.profile
@@ -11,8 +11,8 @@ whitelist ~/.config/aweather
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
nosound
protocol unix,inet,inet6
diff --git a/firejail/bleachbit.profile b/firejail/bleachbit.profile
deleted file mode 100644
index 0a71db9..0000000
--- a/firejail/bleachbit.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# bleachbit profile
-include /etc/firejail/disable-common.inc
-# include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-shell none
-seccomp
-protocol unix
-
-# private-bin
-# private-dev
-# private-tmp
-# private-etc
-
diff --git a/firejail/bless.profile b/firejail/bless.profile
deleted file mode 100644
index 752edad..0000000
--- a/firejail/bless.profile
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-#Profile for bless
-#
-
-#No Blacklist Paths
-noblacklist ${HOME}/.config/bless
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/brasero.profile b/firejail/brasero.profile
deleted file mode 100644
index 66de6fa..0000000
--- a/firejail/brasero.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# brasero profile
-noblacklist ~/.config/brasero
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin brasero
-# private-tmp
-# private-dev
-# private-etc fonts
diff --git a/firejail/brave.profile b/firejail/brave.profile
index 21ea7f9..4fc3a5b 100644
--- a/firejail/brave.profile
+++ b/firejail/brave.profile
@@ -1,4 +1,5 @@
# Profile for Brave browser
+
noblacklist ~/.config/brave
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
diff --git a/firejail/cherrytree.profile b/firejail/cherrytree.profile
index 139dec8..ec6d0d6 100644
--- a/firejail/cherrytree.profile
+++ b/firejail/cherrytree.profile
@@ -9,10 +9,11 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
noroot
nosound
seccomp
protocol unix,inet,inet6,netlink
tracelog
+
+
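Review bot: `nogroups` is dropped from this profile, while atom, atril, audacity and aweather in the same change keep it (only moved below `nonewprivs`), so cherrytree now keeps the user's supplementary groups inside the sandbox. Unless the program needs one of those groups, restore `nogroups` after `nonewprivs`; if it does need one, add a comment naming the group. The two blank lines added at the end of the file can go.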
diff --git a/firejail/chromium.profile b/firejail/chromium.profile
index 7610d9b..4109af9 100644
--- a/firejail/chromium.profile
+++ b/firejail/chromium.profile
@@ -18,11 +18,10 @@ whitelist ~/.cache/chromium
mkdir ~/.pki
whitelist ~/.pki
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
diff --git a/firejail/claws-mail.profile b/firejail/claws-mail.profile
index 8921bb2..1b6d2f6 100644
--- a/firejail/claws-mail.profile
+++ b/firejail/claws-mail.profile
@@ -1,4 +1,5 @@
# claws-mail profile
+
noblacklist ~/.claws-mail
noblacklist ~/.signature
noblacklist ~/.gnupg
diff --git a/firejail/corebird.profile b/firejail/corebird.profile
index 6fb8219..077ae30 100644
--- a/firejail/corebird.profile
+++ b/firejail/corebird.profile
@@ -1,4 +1,5 @@
# Firejail corebird profile
+
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
diff --git a/firejail/cpio.profile b/firejail/cpio.profile
index cf89acd..519bd24 100644
--- a/firejail/cpio.profile
+++ b/firejail/cpio.profile
@@ -16,7 +16,6 @@ shell none
tracelog
net none
nosound
-no3d
-blacklist /tmp/.X11-unix
+
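Review bot: Removing `blacklist /tmp/.X11-unix` and `no3d` from a command-line archiver leaves the X11 socket directory and 3D acceleration devices available to a process that parses untrusted archives; `net none` does not cover a socket that lives in the filesystem. 7z.profile loses the same two lines in this change. Unless the installed firejail rejects these directives (possibly a version difference, not visible here), keep `blacklist /tmp/.X11-unix` and `no3d`. The added blank line can be dropped.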
diff --git a/firejail/cryptocat.profile b/firejail/cryptocat.profile
deleted file mode 100644
index 0d392b2..0000000
--- a/firejail/cryptocat.profile
+++ /dev/null
@@ -1 +0,0 @@
-include /etc/Cryptocat.profile
diff --git a/firejail/cyberfox.profile b/firejail/cyberfox.profile
index f722915..ae487fa 100644
--- a/firejail/cyberfox.profile
+++ b/firejail/cyberfox.profile
@@ -1,4 +1,5 @@
# Firejail profile for Cyberfox (based on Mozilla Firefox)
+
noblacklist ~/.8pecxstudios
noblacklist ~/.cache/8pecxstudios
include /etc/firejail/disable-common.inc
@@ -29,14 +30,14 @@ whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
diff --git a/firejail/default.profile b/firejail/default.profile
index 6033213..a2de726 100644
--- a/firejail/default.profile
+++ b/firejail/default.profile
@@ -5,20 +5,11 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
+#blacklist ${HOME}/.wine
+
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp
-
-#
-# depending on you usage, you can enable some of the commands below:
-#
-# nogroups
-# shell none
-# private-bin program
-# private-etc none
-# private-dev
-# private-tmp
-
diff --git a/firejail/dillo.profile b/firejail/dillo.profile
index 1087879..2ddd363 100644
--- a/firejail/dillo.profile
+++ b/firejail/dillo.profile
@@ -1,4 +1,5 @@
# Firejail profile for Dillo web browser
+
noblacklist ~/.dillo
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
diff --git a/firejail/disable-common.inc b/firejail/disable-common.inc
index 5a281a9..ebe98b6 100644
--- a/firejail/disable-common.inc
+++ b/firejail/disable-common.inc
@@ -4,7 +4,6 @@ include /etc/firejail/disable-common.local
# History files in $HOME
blacklist-nolog ${HOME}/.history
blacklist-nolog ${HOME}/.*_history
-blacklist-nolog ${HOME}/.bash_history
blacklist ${HOME}/.local/share/systemd
blacklist-nolog ${HOME}/.adobe
blacklist-nolog ${HOME}/.macromedia
@@ -27,7 +26,6 @@ blacklist ${HOME}/.config/openbox/autostart
blacklist ${HOME}/.config/openbox/environment
blacklist ${HOME}/.gnomerc
blacklist /etc/X11/Xsession.d/
-# blacklist ${HOME}/.xpra - this will kill --x11=xpra cmdline option for all programs
# VirtualBox
blacklist ${HOME}/.VirtualBox
@@ -42,24 +40,9 @@ blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist ${HOME}/.VeraCrypt
-# TrueCrypt
-blacklist ${PATH}/truecrypt
-blacklist ${PATH}/truecrypt-uninstall.sh
-blacklist /usr/share/truecrypt
-blacklist /usr/share/applications/truecrypt.*
-blacklist /usr/share/pixmaps/truecrypt.*
-blacklist ${HOME}/.TrueCrypt
-
-# zuluCrypt
-blacklist ${HOME}/.zuluCrypt
-blacklist ${HOME}/.zuluCrypt-socket
-blacklist ${PATH}/zuluCrypt-cli
-blacklist ${PATH}/zuluMount-cli
-
# var
blacklist /var/spool/cron
blacklist /var/spool/anacron
-blacklist /var/mail
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
@@ -70,7 +53,7 @@ blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock
# etc
-blacklist /etc/cron*
+blacklist /etc/cron.*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/anacrontab
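Review bot: `blacklist /etc/cron.*` no longer matches `/etc/crontab`: the old `/etc/cron*` covered `crontab` as well as `cron.d`, `cron.daily` and the rest, while the new glob requires a dot after `cron`. If nothing else in the file lists it (only part of the file is in this hunk), add `blacklist /etc/crontab` next to the changed line.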
@@ -84,7 +67,6 @@ read-only ${HOME}/.profile
read-only ${HOME}/.antigen
read-only ${HOME}/.bash_login
read-only ${HOME}/.bashrc
-read-only ${HOME}/.bash_aliases
read-only ${HOME}/.bash_profile
read-only ${HOME}/.bash_logout
read-only ${HOME}/.zsh.d
@@ -105,9 +87,6 @@ read-only ${HOME}/.caffrc
read-only ${HOME}/.dotfiles
read-only ${HOME}/dotfiles
read-only ${HOME}/.mailcap
-read-only ${HOME}/.muttrc
-read-only ${HOME}/.mutt/muttrc
-read-only ${HOME}/.msmtprc
read-only ${HOME}/.exrc
read-only ${HOME}/_exrc
read-only ${HOME}/.vimrc
@@ -120,6 +99,9 @@ read-only ${HOME}/.emacs.d
read-only ${HOME}/.nano
read-only ${HOME}/.tmux.conf
read-only ${HOME}/.iscreenrc
+read-only ${HOME}/.muttrc
+read-only ${HOME}/.mutt/muttrc
+read-only ${HOME}/.msmtprc
read-only ${HOME}/.reportbugrc
read-only ${HOME}/.xmonad
read-only ${HOME}/.xscreensaver
@@ -128,8 +110,6 @@ read-only ${HOME}/.xscreensaver
read-only ${HOME}/bin
# top secret
-blacklist ${HOME}/.ecryptfs
-blacklist ${HOME}/.Private
blacklist ${HOME}/.ssh
blacklist ${HOME}/.cert
blacklist ${HOME}/.gnome2/keyrings
@@ -159,19 +139,11 @@ blacklist /etc/shadow+
blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup
-blacklist /home/.ecryptfs
-
-# system directories
-blacklist /sbin
-blacklist /usr/sbin
-blacklist /usr/local/sbin
# system management
blacklist ${PATH}/umount
blacklist ${PATH}/mount
blacklist ${PATH}/fusermount
-blacklist ${PATH}/ntfs-3g
-blacklist ${PATH}/at
blacklist ${PATH}/su
blacklist ${PATH}/sudo
blacklist ${PATH}/xinput
@@ -180,25 +152,11 @@ blacklist ${PATH}/xev
blacklist ${PATH}/strace
blacklist ${PATH}/nc
blacklist ${PATH}/ncat
-blacklist ${PATH}/gpasswd
-blacklist ${PATH}/newgidmap
-blacklist ${PATH}/newgrp
-blacklist ${PATH}/newuidmap
-blacklist ${PATH}/pkexec
-blacklist ${PATH}/sg
-blacklist ${PATH}/crontab
-blacklist ${PATH}/ksu
-blacklist ${PATH}/chsh
-blacklist ${PATH}/chfn
-blacklist ${PATH}/chage
-blacklist ${PATH}/expiry
-blacklist ${PATH}/unix_chkpwd
-blacklist ${PATH}/procmail
-blacklist ${PATH}/mount.ecryptfs_private
-# other SUID binaries
-blacklist /usr/lib/virtualbox
-blacklist /usr/lib64/virtualbox
+# system directories
+blacklist /sbin
+blacklist /usr/sbin
+blacklist /usr/local/sbin
# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*
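Review bot: After this hunk the shared blacklist stops at `nc`/`ncat` and no longer hides the setuid helpers that were listed here (`pkexec`, `newgrp`, `newuidmap`, `crontab`, `chsh`, `unix_chkpwd` and others) or the VirtualBox library directories; neighbouring hunks in this file also drop `at`, `ntfs-3g`, the eCryptfs directories and `/vmlinuz*`, `/initrd*`. Profiles that set `nonewprivs` or `noroot` blunt setuid execution, but any profile that includes this file without them relied on these entries, so the list should stay unless the target firejail version cannot parse it. At minimum keep `blacklist ${PATH}/pkexec`, `blacklist ${PATH}/crontab` and `blacklist ${PATH}/at`, with a comment saying why the rest was removed. Moving the `# system directories` block is harmless.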
@@ -217,9 +175,3 @@ blacklist ${PATH}/roxterm-config
blacklist ${PATH}/terminix
blacklist ${PATH}/urxvtc
blacklist ${PATH}/urxvtcd
-#konsole doesn't seem to have this problem - last tested on Ubuntu 16.04
-#blacklist ${PATH}/konsole
-
-# kernel files
-blacklist /vmlinuz*
-blacklist /initrd*
diff --git a/firejail/disable-common.local b/firejail/disable-common.local
deleted file mode 100644
index 2d50b34..0000000
--- a/firejail/disable-common.local
+++ /dev/null
@@ -1,7 +0,0 @@
-# This file is meant for local customizations of disable-common.inc
-
-# Make directories that can override $PATH or libs read-only
-read-only ${HOME}/.gem
-read-only ${HOME}/.local
-read-only ${HOME}/.luarocks
-read-only ${HOME}/.npm-packages
diff --git a/firejail/disable-devel.local b/firejail/disable-devel.local
deleted file mode 100644
index 580420b..0000000
--- a/firejail/disable-devel.local
+++ /dev/null
@@ -1 +0,0 @@
-# This file is meant for local customizations of disable-devel.inc
diff --git a/firejail/disable-passwdmgr.inc b/firejail/disable-passwdmgr.inc
index 7d129b2..dbf2603 100644
--- a/firejail/disable-passwdmgr.inc
+++ b/firejail/disable-passwdmgr.inc
@@ -4,10 +4,7 @@ include /etc/firejail/disable-passwdmgr.local
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
-blacklist ${HOME}/.keepass
blacklist ${HOME}/.password-store
blacklist ${HOME}/keepassx.kdbx
blacklist ${HOME}/.config/keepassx
-blacklist ${HOME}/.config/keepass
-blacklist ${HOME}/.config/KeePass
diff --git a/firejail/disable-passwdmgr.local b/firejail/disable-passwdmgr.local
deleted file mode 100644
index b4dd1da..0000000
--- a/firejail/disable-passwdmgr.local
+++ /dev/null
@@ -1 +0,0 @@
-# This file is meant for local customizations of disable-passwdmgr.inc
diff --git a/firejail/disable-programs.inc b/firejail/disable-programs.inc
index 96bf146..d72ff97 100644
--- a/firejail/disable-programs.inc
+++ b/firejail/disable-programs.inc
@@ -1,274 +1,167 @@
# Local customizations come here
include /etc/firejail/disable-programs.local
-blacklist ${HOME}/.*coin
-blacklist ${HOME}/.8pecxstudios
+# various programs
blacklist ${HOME}/.Atom
+blacklist ${HOME}/.remmina
+blacklist ${HOME}/.tconn
blacklist ${HOME}/.FBReader
-blacklist ${HOME}/.LuminanceHDR
+blacklist ${HOME}/.wine
blacklist ${HOME}/.Mathematica
-blacklist ${HOME}/.Natron
-blacklist ${HOME}/.Skype
-blacklist ${HOME}/.TelegramDesktop
-blacklist ${HOME}/.VirtualBox
blacklist ${HOME}/.Wolfram Research
-blacklist ${HOME}/.arduino15
-blacklist ${HOME}/.atom
-blacklist ${HOME}/.audacity-data
-blacklist ${HOME}/.bcast5
-blacklist ${HOME}/.cache/0ad
-blacklist ${HOME}/.cache/8pecxstudios
-blacklist ${HOME}/.cache/Franz
-blacklist ${HOME}/.cache/INRIA
-blacklist ${HOME}/.cache/QuiteRss
-blacklist ${HOME}/.cache/champlain
-blacklist ${HOME}/.cache/chromium
-blacklist ${HOME}/.cache/qupzilla
-blacklist ${HOME}/.cache/chromium-dev
-blacklist ${HOME}/.cache/darktable
-blacklist ${HOME}/.cache/epiphany
-blacklist ${HOME}/.cache/evolution
-blacklist ${HOME}/.cache/gajim
-blacklist ${HOME}/.cache/google-chrome
-blacklist ${HOME}/.cache/google-chrome-beta
-blacklist ${HOME}/.cache/google-chrome-unstable
-blacklist ${HOME}/.cache/icedove
-blacklist ${HOME}/.cache/inox
-blacklist ${HOME}/.cache/libgweather
-blacklist ${HOME}/.cache/midori
-blacklist ${HOME}/.cache/mozilla
-blacklist ${HOME}/.cache/mutt
-blacklist ${HOME}/.cache/netsurf
-blacklist ${HOME}/.cache/opera
-blacklist ${HOME}/.cache/opera-beta
-blacklist ${HOME}/.cache/org.gnome.Books
-blacklist ${HOME}/.cache/qutebrowser
-blacklist ${HOME}/.cache/simple-scan
-blacklist ${HOME}/.cache/slimjet
-blacklist ${HOME}/.cache/spotify
-blacklist ${HOME}/.cache/telepathy
-blacklist ${HOME}/.cache/thunderbird
-blacklist ${HOME}/.cache/torbrowser
-blacklist ${HOME}/.cache/transmission
-blacklist ${HOME}/.cache/vivaldi
-blacklist ${HOME}/.cache/wesnoth
-blacklist ${HOME}/.cache/xreader
-blacklist ${HOME}/.claws-mail
-blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.stellarium
blacklist ${HOME}/.config/Atom
-blacklist ${HOME}/.config/Brackets
-blacklist ${HOME}/.config/Cryptocat
-blacklist ${HOME}/.config/Franz
-blacklist ${HOME}/.config/Gitter
-blacklist ${HOME}/.config/Google
+blacklist ${HOME}/.config/gthumb
+blacklist ${HOME}/.config/mupen64plus
+blacklist ${HOME}/.config/transmission
+blacklist ${HOME}/.config/uGet
blacklist ${HOME}/.config/Gpredict
-blacklist ${HOME}/.config/INRIA
-blacklist ${HOME}/.config/Luminance
-blacklist ${HOME}/.config/Meltytech
-blacklist ${HOME}/.config/Mumble
-blacklist ${HOME}/.config/QuiteRss
-blacklist ${HOME}/.config/QuiteRssrc
-blacklist ${HOME}/.config/Slack
-blacklist ${HOME}/.config/VirtualBox
-blacklist ${HOME}/.config/Wire
-blacklist ${HOME}/.config/ardour4
-blacklist ${HOME}/.config/ardour5
-blacklist ${HOME}/.config/arkrc
-blacklist ${HOME}/.config/atril
-blacklist ${HOME}/.config/autostart
-blacklist ${HOME}/.config/autostart/dropbox.desktop
blacklist ${HOME}/.config/aweather
-blacklist ${HOME}/.config/blender
-blacklist ${HOME}/.config/bless
-blacklist ${HOME}/.config/brasero
-blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/stellarium
+blacklist ${HOME}/.config/atril
+blacklist ${HOME}/.config/xreader
+blacklist ${HOME}/.config/xviewer
+blacklist ${HOME}/.config/libreoffice
+blacklist ${HOME}/.config/pix
+blacklist ${HOME}/.config/mate/eom
+blacklist ${HOME}/.kde/share/apps/okular
+blacklist ${HOME}/.kde/share/config/okularrc
+blacklist ${HOME}/.kde/share/config/okularpartrc
+blacklist ${HOME}/.kde/share/apps/gwenview
+blacklist ${HOME}/.kde/share/config/gwenviewrc
+blacklist ${HOME}/.config/qpdfview
+blacklist ${HOME}/.config/Luminance
+blacklist ${HOME}/.config/synfig
+blacklist ${HOME}/.synfig
+blacklist ${HOME}/.inkscape
+blacklist ${HOME}/.gimp*
+blacklist ${HOME}/.config/zathura
blacklist ${HOME}/.config/cherrytree
-blacklist ${HOME}/.config/chromium
-blacklist ${HOME}/.config/qupzilla
-blacklist ${HOME}/.config/chromium-dev
-blacklist ${HOME}/.config/chromium-flags.conf
+blacklist ${HOME}/.xpdfrc
+blacklist ${HOME}/.openshot
+blacklist ${HOME}/.openshot_qt
+blacklist ${HOME}/.flowblade
+blacklist ${HOME}/.config/flowblade
+blacklist ${HOME}/.config/eog
+
+
+# Media players
blacklist ${HOME}/.config/cmus
-blacklist ${HOME}/.config/darktable
blacklist ${HOME}/.config/deadbeef
-blacklist ${HOME}/.config/dolphinrc
-blacklist ${HOME}/.config/dragonplayerrc
-blacklist ${HOME}/.config/enchant
-blacklist ${HOME}/.config/eog
-blacklist ${HOME}/.config/epiphany
-blacklist ${HOME}/.config/evince
-blacklist ${HOME}/.config/evolution
-blacklist ${HOME}/.config/filezilla
-blacklist ${HOME}/.config/flowblade
-blacklist ${HOME}/.config/gajim
-blacklist ${HOME}/.config/gedit
+blacklist ${HOME}/.config/spotify
+blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.config/mpv
+blacklist ${HOME}/.config/totem
+blacklist ${HOME}/.config/xplayer
+blacklist ${HOME}/.audacity-data
+
+# HTTP / FTP / Mail
+blacklist ${HOME}/.icedove
+blacklist ${HOME}/.thunderbird
+blacklist ${HOME}/.sylpheed-2.0
+blacklist ${HOME}/.config/midori
+blacklist ${HOME}/.mozilla
+blacklist ${HOME}/.config/chromium
blacklist ${HOME}/.config/google-chrome
blacklist ${HOME}/.config/google-chrome-beta
blacklist ${HOME}/.config/google-chrome-unstable
-blacklist ${HOME}/.config/gthumb
-blacklist ${HOME}/.config/hexchat
-blacklist ${HOME}/.config/inox
-blacklist ${HOME}/.config/jd-gui.cfg
-blacklist ${HOME}/.config/katepartrc
-blacklist ${HOME}/.config/katerc
-blacklist ${HOME}/.config/kateschemarc
-blacklist ${HOME}/.config/katesyntaxhighlightingrc
-blacklist ${HOME}/.config/katevirc
-blacklist ${HOME}/.config/libreoffice
-blacklist ${HOME}/.config/mate/eom
-blacklist ${HOME}/.config/midori
-blacklist ${HOME}/.config/mpv
-blacklist ${HOME}/.config/mupen64plus
-blacklist ${HOME}/.config/nautilus
-blacklist ${HOME}/.config/netsurf
blacklist ${HOME}/.config/opera
blacklist ${HOME}/.config/opera-beta
-blacklist ${HOME}/.config/pix
-blacklist ${HOME}/.config/pluma
-blacklist ${HOME}/.config/psi+
-blacklist ${HOME}/.config/qpdfview
+blacklist ${HOME}/.opera
+blacklist ${HOME}/.config/vivaldi
+blacklist ${HOME}/.filezilla
+blacklist ${HOME}/.config/filezilla
+blacklist ${HOME}/.dillo
+blacklist ${HOME}/.conkeror.mozdev.org
+blacklist ${HOME}/.config/epiphany
+blacklist ${HOME}/.config/slimjet
blacklist ${HOME}/.config/qutebrowser
-blacklist ${HOME}/.config/ranger
-blacklist ${HOME}/.config/redshift.conf
+blacklist ${HOME}/.8pecxstudios
+blacklist ${HOME}/.config/brave
+blacklist ${HOME}/.config/inox
+blacklist ${HOME}/.muttrc
+blacklist ${HOME}/.mutt
+blacklist ${HOME}/.mutt/muttrc
+blacklist ${HOME}/.msmtprc
+blacklist ${HOME}/.config/evolution
+blacklist ${HOME}/.local/share/evolution
+blacklist ${HOME}/.cache/evolution
+
+# Instant Messaging
+blacklist ${HOME}/.config/hexchat
+blacklist ${HOME}/.mcabber
+blacklist ${HOME}/.mcabberrc
+blacklist ${HOME}/.purple
+blacklist ${HOME}/.config/psi+
+blacklist ${HOME}/.retroshare
+blacklist ${HOME}/.weechat
+blacklist ${HOME}/.config/xchat
+blacklist ${HOME}/.Skype
blacklist ${HOME}/.config/skypeforlinux
-blacklist ${HOME}/.config/slimjet
-blacklist ${HOME}/.config/spotify
-blacklist ${HOME}/.config/stellarium
-blacklist ${HOME}/.config/synfig
-blacklist ${HOME}/.config/telepathy-account-widgets
-blacklist ${HOME}/.config/torbrowser
-blacklist ${HOME}/.config/totem
blacklist ${HOME}/.config/tox
-blacklist ${HOME}/.config/transmission
-blacklist ${HOME}/.config/uGet
-blacklist ${HOME}/.config/vivaldi
-blacklist ${HOME}/.config/vlc
+blacklist ${HOME}/.TelegramDesktop
+blacklist ${HOME}/.config/Gitter
+blacklist ${HOME}/.config/Franz
+blacklist ${HOME}/.jitsi
+blacklist ${HOME}/.config/Slack
+blacklist ${HOME}/.cache/gajim
+blacklist ${HOME}/.local/share/gajim
+blacklist ${HOME}/.config/gajim
+
+# Games
+blacklist ${HOME}/.hedgewars
+blacklist ${HOME}/.steam
blacklist ${HOME}/.config/wesnoth
-blacklist ${HOME}/.config/wire
-blacklist ${HOME}/.config/wireshark
-blacklist ${HOME}/.config/xchat
-blacklist ${HOME}/.config/xed
-blacklist ${HOME}/.config/xfburn
-blacklist ${HOME}/.config/xplayer
-blacklist ${HOME}/.config/xreader
-blacklist ${HOME}/.config/xviewer
-blacklist ${HOME}/.config/zathura
-blacklist ${HOME}/.config/zoomus.conf
-blacklist ${HOME}/.conkeror.mozdev.org
-blacklist ${HOME}/.dillo
+blacklist ${HOME}/.config/0ad
+blacklist ${HOME}/.warzone2100-3.1
blacklist ${HOME}/.dosbox
-blacklist ${HOME}/.dropbox-dist
+
+# Cryptocoins
+blacklist ${HOME}/.*coin
blacklist ${HOME}/.electrum*
-blacklist ${HOME}/.elinks
-blacklist ${HOME}/.emacs
-blacklist ${HOME}/.emacs.d
-blacklist ${HOME}/.filezilla
-blacklist ${HOME}/.flowblade
-blacklist ${HOME}/.fltk
-blacklist ${HOME}/.gimp*
-blacklist ${HOME}/.git-credential-cache
+blacklist ${HOME}/wallet.dat
+
+# git, subversion
+blacklist ${HOME}/.subversion
blacklist ${HOME}/.gitconfig
-blacklist ${HOME}/.googleearth/Cache/
-blacklist ${HOME}/.googleearth/Temp/
-blacklist ${HOME}/.googleearth/myplaces.backup.kml
-blacklist ${HOME}/.googleearth/myplaces.kml
-blacklist ${HOME}/.guayadeque
-blacklist ${HOME}/.hedgewars
-blacklist ${HOME}/.icedove
-blacklist ${HOME}/.inkscape
-blacklist ${HOME}/.jitsi
-blacklist ${HOME}/.kde/share/apps/gwenview
-blacklist ${HOME}/.kde/share/apps/okular
-blacklist ${HOME}/.kde/share/config/gwenviewrc
-blacklist ${HOME}/.kde/share/config/okularpartrc
-blacklist ${HOME}/.kde/share/config/okularrc
-blacklist ${HOME}/.killingfloor
-blacklist ${HOME}/.linphone-history.db
-blacklist ${HOME}/.linphonerc
-blacklist ${HOME}/.lmmsrc.xml
-blacklist ${HOME}/.local/.share/maps-places.json
-blacklist ${HOME}/.local/lib/python2.7/site-packages
-blacklist ${HOME}/.local/share/0ad
-blacklist ${HOME}/.local/share/3909/PapersPlease
-blacklist ${HOME}/.local/share/Empathy
-blacklist ${HOME}/.local/share/Mumble
-blacklist ${HOME}/.local/share/QuiteRss
-blacklist ${HOME}/.local/share/Ricochet
-blacklist ${HOME}/.local/share/Steam
-blacklist ${HOME}/.local/share/SuperHexagon
-blacklist ${HOME}/.local/share/Terraria
-blacklist ${HOME}/.local/share/TpLogger
-blacklist ${HOME}/.local/share/aspyr-media
-blacklist ${HOME}/.local/share/cdprojektred
-blacklist ${HOME}/.local/share/data/Mumble
-blacklist ${HOME}/.local/share/dolphin
+blacklist ${HOME}/.git-credential-cache
+
+# cache
+blacklist ${HOME}/.cache/mozilla
+blacklist ${HOME}/.cache/chromium
+blacklist ${HOME}/.cache/google-chrome
+blacklist ${HOME}/.cache/google-chrome-beta
+blacklist ${HOME}/.cache/google-chrome-unstable
+blacklist ${HOME}/.cache/opera
+blacklist ${HOME}/.cache/opera-beta
+blacklist ${HOME}/.cache/vivaldi
+blacklist ${HOME}/.cache/epiphany
+blacklist ${HOME}/.cache/slimjet
+blacklist ${HOME}/.cache/qutebrowser
+blacklist ${HOME}/.cache/spotify
+blacklist ${HOME}/.cache/thunderbird
+blacklist ${HOME}/.cache/icedove
+blacklist ${HOME}/.cache/transmission
+blacklist ${HOME}/.cache/wesnoth
+blacklist ${HOME}/.cache/0ad
+blacklist ${HOME}/.cache/8pecxstudios
+blacklist ${HOME}/.cache/xreader
+blacklist ${HOME}/.cache/Franz
+
+# share
blacklist ${HOME}/.local/share/epiphany
-blacklist ${HOME}/.local/share/evolution
-blacklist ${HOME}/.local/share/feral-interactive
-blacklist ${HOME}/.local/share/gajim
-blacklist ${HOME}/.local/share/gnome-2048
-blacklist ${HOME}/.local/share/gnome-chess
-blacklist ${HOME}/.local/share/gnome-music
-blacklist ${HOME}/.local/share/gnome-photos
-blacklist ${HOME}/.local/share/kate
-blacklist ${HOME}/.local/share/lollypop
-blacklist ${HOME}/.local/share/multimc5
blacklist ${HOME}/.local/share/mupen64plus
-blacklist ${HOME}/.local/share/pix
-blacklist ${HOME}/.local/share/psi+
-blacklist ${HOME}/.local/share/qpdfview
blacklist ${HOME}/.local/share/spotify
blacklist ${HOME}/.local/share/steam
-blacklist ${HOME}/.local/share/telepathy
-blacklist ${HOME}/.local/share/torbrowser
-blacklist ${HOME}/.local/share/totem
-blacklist ${HOME}/.local/share/vpltd
-blacklist ${HOME}/.local/share/vulkan
blacklist ${HOME}/.local/share/wesnoth
+blacklist ${HOME}/.local/share/0ad
blacklist ${HOME}/.local/share/xplayer
-blacklist ${HOME}/.local/share/xreader
+blacklist ${HOME}/.local/share/totem
+blacklist ${HOME}/.local/share/psi+
+blacklist ${HOME}/.local/share/pix
+blacklist ${HOME}/.local/share/gnome-chess
+blacklist ${HOME}/.local/share/qpdfview
blacklist ${HOME}/.local/share/zathura
-blacklist ${HOME}/.lv2
-blacklist ${HOME}/.mcabber
-blacklist ${HOME}/.mcabberrc
-blacklist ${HOME}/.mozilla
-blacklist ${HOME}/.mozilla/seamonkey
-blacklist ${HOME}/.mpdconf
-blacklist ${HOME}/.msmtprc
-blacklist ${HOME}/.multimc5
-blacklist ${HOME}/.mutt
-blacklist ${HOME}/.mutt/muttrc
-blacklist ${HOME}/.muttrc
-blacklist ${HOME}/.nv
-blacklist ${HOME}/.openshot
-blacklist ${HOME}/.openshot_qt
-blacklist ${HOME}/.opera
-blacklist ${HOME}/.opera-beta
-blacklist ${HOME}/.pki
-blacklist ${HOME}/.purple
-blacklist ${HOME}/.qemu-launcher
-blacklist ${HOME}/.remmina
-blacklist ${HOME}/.retroshare
-blacklist ${HOME}/.scribus
-blacklist ${HOME}/.steam
-blacklist ${HOME}/.steampath
-blacklist ${HOME}/.steampid
-blacklist ${HOME}/.stellarium
-blacklist ${HOME}/.subversion
-blacklist ${HOME}/.sword
-blacklist ${HOME}/.sylpheed-2.0
-blacklist ${HOME}/.synfig
-blacklist ${HOME}/.tconn
-blacklist ${HOME}/.thunderbird
-blacklist ${HOME}/.ts3client
-blacklist ${HOME}/.vst
-blacklist ${HOME}/.w3m
-blacklist ${HOME}/.warzone2100-3.1
-blacklist ${HOME}/.weechat
-blacklist ${HOME}/.wine
-blacklist ${HOME}/.wine64
-blacklist ${HOME}/.xiphos
-blacklist ${HOME}/.xonotic
-blacklist ${HOME}/.xpdfrc
-blacklist ${HOME}/.zoom
-blacklist ${HOME}/wallet.dat
+
+# ssh
blacklist /tmp/ssh-*
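Review bot: The rewritten list no longer contains `blacklist ${HOME}/.config/autostart`, so any sandboxed program whose profile includes this file can again read and write the desktop autostart directory, a location that outlives the sandbox. The same rewrite drops `${HOME}/.pki`, `${HOME}/.wine64`, `${HOME}/.config/torbrowser` and `${HOME}/.opera-beta` with no replacement visible in this hunk. If no other include covers them, keep at least `blacklist ${HOME}/.config/autostart` and `blacklist ${HOME}/.pki`. Otherwise add a comment naming the file that now covers them.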
diff --git a/firejail/disable-programs.local b/firejail/disable-programs.local
deleted file mode 100644
index 12932c7..0000000
--- a/firejail/disable-programs.local
+++ /dev/null
@@ -1 +0,0 @@
-# This file is meant for local customizations of disable-programs.inc
diff --git a/firejail/display.profile b/firejail/display.profile
deleted file mode 100644
index ec041bf..0000000
--- a/firejail/display.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# display (ImageMagick tool) image viewer profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-seccomp
-protocol unix
-netfilter
-net none
-nonewprivs
-noroot
-nogroups
-nosound
-shell none
-x11 xorg
-
-private-bin display
-private-tmp
-private-dev
-private-etc none
-
diff --git a/firejail/dolphin.profile b/firejail/dolphin.profile
deleted file mode 100644
index 09a86f8..0000000
--- a/firejail/dolphin.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# dolphin profile
-
-# warning: firejail is currently not effectively constraining dolphin since used services are started by kdeinit5
-
-noblacklist ~/.config/dolphinrc
-noblacklist ~/.local/share/dolphin
-
-include /etc/firejail/disable-common.inc
-# dolphin needs to be able to start arbitrary applications so we cannot blacklist their files
-#include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-shell none
-seccomp
-protocol unix
-
-# private-bin
-# private-dev
-# private-tmp
-# private-etc
-
diff --git a/firejail/dragon.profile b/firejail/dragon.profile
deleted file mode 100644
index 09cb738..0000000
--- a/firejail/dragon.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# dragon player profile
-noblacklist ~/.config/dragonplayerrc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-shell none
-seccomp
-protocol unix,inet,inet6
-
-private-bin dragon
-private-dev
-private-tmp
-# private-etc
-
diff --git a/firejail/elinks.profile b/firejail/elinks.profile
deleted file mode 100644
index ade15f2..0000000
--- a/firejail/elinks.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# elinks profile
-noblacklist ~/.elinks
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-no3d
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin elinks
-private-tmp
-private-dev
-# private-etc none
-
diff --git a/firejail/emacs.profile b/firejail/emacs.profile
index 2b9c580..cbdba77 100644
--- a/firejail/emacs.profile
+++ b/firejail/emacs.profile
@@ -1,4 +1,5 @@
# emacs profile
+
noblacklist ~/.emacs
noblacklist ~/.emacs.d
diff --git a/firejail/empathy.profile b/firejail/empathy.profile
index 2a0a638..3711008 100644
--- a/firejail/empathy.profile
+++ b/firejail/empathy.profile
@@ -6,7 +6,5 @@ include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
nonewprivs
-nogroups
-noroot
protocol unix,inet,inet6
seccomp
diff --git a/firejail/enchant.profile b/firejail/enchant.profile
deleted file mode 100644
index cf82889..0000000
--- a/firejail/enchant.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# enchant profile
-noblacklist ~/.config/enchant
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin enchant
-# private-tmp
-# private-dev
-# private-etc fonts
diff --git a/firejail/eog.profile b/firejail/eog.profile
index d463f3a..32b54a0 100644
--- a/firejail/eog.profile
+++ b/firejail/eog.profile
@@ -1,4 +1,5 @@
# eog (gnome image viewer) profile
+
noblacklist ~/.config/eog
include /etc/firejail/disable-common.inc
@@ -8,10 +9,9 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
noroot
-nosound
+nogroups
protocol unix
seccomp
shell none
@@ -20,3 +20,4 @@ private-bin eog
private-dev
private-etc fonts
private-tmp
+
diff --git a/firejail/evince.profile b/firejail/evince.profile
index 1ec3849..894c7c7 100644
--- a/firejail/evince.profile
+++ b/firejail/evince.profile
@@ -1,14 +1,10 @@
# evince pdf reader profile
-noblacklist ~/.config/evince
-
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
-#net none - creates some problems on some distributions
nogroups
nonewprivs
noroot
@@ -20,6 +16,3 @@ tracelog
private-bin evince,evince-previewer,evince-thumbnailer
private-dev
-private-etc fonts
-# evince needs access to /tmp/mozilla* to work in firefox
-# private-tmp
diff --git a/firejail/evolution.profile b/firejail/evolution.profile
index 1707e56..cf58164 100644
--- a/firejail/evolution.profile
+++ b/firejail/evolution.profile
@@ -1,4 +1,5 @@
# evolution profile
+
noblacklist ~/.config/evolution
noblacklist ~/.local/share/evolution
noblacklist ~/.cache/evolution
@@ -6,9 +7,6 @@ noblacklist ~/.pki
noblacklist ~/.pki/nssdb
noblacklist ~/.gnupg
-noblacklist /var/spool/mail
-noblacklist /var/mail
-
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
@@ -16,10 +14,9 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
noroot
-nosound
+nogroups
protocol unix,inet,inet6
seccomp
shell none
diff --git a/firejail/exiftool.profile b/firejail/exiftool.profile
deleted file mode 100644
index 1cae8c0..0000000
--- a/firejail/exiftool.profile
+++ /dev/null
@@ -1,31 +0,0 @@
-# exiftool profile
-noblacklist /usr/bin/perl
-noblacklist /usr/share/perl*
-noblacklist /usr/lib/perl*
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-net none
-no3d
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin exiftool,perl
-private-tmp
-private-dev
-private-etc none
-
-
diff --git a/firejail/fbreader.profile b/firejail/fbreader.profile
index ec098d5..de31ce8 100644
--- a/firejail/fbreader.profile
+++ b/firejail/fbreader.profile
@@ -16,5 +16,6 @@ seccomp
shell none
private-bin fbreader,FBReader
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
+nosound
diff --git a/firejail/feh.profile b/firejail/feh.profile
index 2812eff..5fcb6bf 100644
--- a/firejail/feh.profile
+++ b/firejail/feh.profile
@@ -5,17 +5,17 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
+seccomp
+protocol unix
netfilter
net none
-nogroups
nonewprivs
noroot
+nogroups
nosound
-protocol unix
-seccomp
shell none
private-bin feh
+whitelist /tmp/.X11-unix
private-dev
private-etc feh
-private-tmp
\ No newline at end of file
diff --git a/firejail/file-roller.profile b/firejail/file-roller.profile
deleted file mode 100644
index 6116389..0000000
--- a/firejail/file-roller.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# file-roller profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin file-roller
-# private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/file.profile b/firejail/file.profile
index d145fe1..2e54030 100644
--- a/firejail/file.profile
+++ b/firejail/file.profile
@@ -1,26 +1,16 @@
# file profile
quiet
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
+ignore noroot
+include /etc/firejail/default.profile
-caps.drop all
-hostname file
-netfilter
+tracelog
net none
-no3d
-nogroups
-nonewprivs
-#noroot
-nosound
-protocol unix
-seccomp
shell none
-tracelog
-x11 none
-
-blacklist /tmp/.X11-unix
-
-private-dev
private-bin file
private-etc magic.mgc,magic,localtime
+hostname file
+private-dev
+nosound
+no3d
+blacklist /tmp/.X11-unix
+
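Review bot: `ignore noroot` is added without a comment, and the restrictions the old profile spelled out (`caps.drop all`, `seccomp`, `nonewprivs`, `protocol unix`, `nogroups`, `netfilter`) now depend entirely on `/etc/firejail/default.profile`, which this hunk does not show. Add a line such as `# noroot from default.profile is ignored because file may be run as root` (confirm the actual reason) and check that default.profile still sets those options. `x11 none` is also dropped while `blacklist /tmp/.X11-unix` stays, so a short comment should state whether X11 isolation is still intended.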
diff --git a/firejail/filezilla.profile b/firejail/filezilla.profile
index a40fcee..551c17a 100644
--- a/firejail/filezilla.profile
+++ b/firejail/filezilla.profile
@@ -13,8 +13,10 @@ noroot
nosound
protocol unix,inet,inet6
seccomp
-shell none
+shell none
private-bin filezilla,uname,sh,python,lsb_release,fzputtygen,fzsftp
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
+nosound
+
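Review bot: The added `nosound` at the end of the profile is redundant, because the same option already appears in this hunk's context above `protocol unix,inet,inet6`. The `shell none` line also appears to be rewritten with only a whitespace difference. Drop the second `nosound` and leave `shell none` untouched. If `whitelist /tmp/.X11-unix` is meant to replace `private-tmp`, say so in a comment, e.g. `# only the X11 socket is visible in /tmp`.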
diff --git a/firejail/firefox.profile b/firejail/firefox.profile
index c3a9b2a..170d0fe 100644
--- a/firejail/firefox.profile
+++ b/firejail/firefox.profile
@@ -1,9 +1,7 @@
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
-noblacklist ~/.config/qpdfview
-noblacklist ~/.local/share/qpdfview
-noblacklist ~/.kde/share/apps/okular
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
@@ -31,18 +29,15 @@ whitelist ~/.keysnail.js
whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
-whitelist ~/.config/qpdfview
-whitelist ~/.local/share/qpdfview
-whitelist ~/.kde/share/apps/okular
-
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
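Review bot: `whitelist ~/keepassx.kdbx` makes the password database file itself visible inside the browser sandbox by default, together with `~/.keepassx` and `~/.config/keepassx`. A compromised browser process could then read the vault file, so the database line is better shipped commented out as an opt-in, e.g. `# whitelist ~/keepassx.kdbx  (enable only if a browser plugin must open the database)`. The same three lines are added in the `flashpeak-slimjet.profile` hunk and deserve the same treatment.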
@@ -52,7 +47,4 @@ whitelist ~/.config/pipelight-silverlight5.1
include /etc/firejail/whitelist-common.inc
# experimental features
-#private-bin firefox,which,sh,dbus-launch,dbus-send,env
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,gtk-2.0,gtk-3.0,X11,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
-private-dev
-private-tmp
+#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
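Review bot: The browser profile loses `private-dev` and `private-tmp` here, so the sandbox sees the host's full `/dev` and the shared `/tmp` again. Only a commented-out `#private-etc …` line remains under `# experimental features`. Unless a known breakage requires the removal, keep `private-dev` and `private-tmp` active. If one of them has to go, record the reason in a comment beside it.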
diff --git a/firejail/firejail-default b/firejail/firejail-default
deleted file mode 100644
index 1b0eb76..0000000
--- a/firejail/firejail-default
+++ /dev/null
@@ -1,154 +0,0 @@
-#########################################
-# Generic Firejail AppArmor profile
-#########################################
-
-##########
-# A simple PID declaration based on Ubuntu's @{pid}
-# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
-# We don't know if this definition is available outside Debian and Ubuntu, so
-# we declare our own here.
-##########
-@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9]}
-
-profile firejail-default {
-
-##########
-# D-Bus is a huge security hole. Uncomment this line if you need D-Bus
-# functionality.
-##########
-#dbus,
-
-##########
-# Mask /proc and /sys information leakage. The configuration here is barely
-# enough to run "top" or "ps aux".
-##########
-/ r,
-/[^proc,^sys]** mrwlk,
-/{,var/}run/ r,
-/{,var/}run/** r,
-/{,var/}run/user/**/dconf/ rw,
-/{,var/}run/user/**/dconf/user rw,
-/{,var/}run/user/**/pulse/ rw,
-/{,var/}run/user/**/pulse/** rw,
-/{,var/}run/firejail/mnt/fslogger r,
-/{,var/}run/firejail/appimage r,
-/{,var/}run/firejail/appimage/** r,
-/{,var/}run/firejail/appimage/** ix,
-/{run,dev}/shm/ r,
-/{run,dev}/shm/** rmwk,
-
-/proc/ r,
-/proc/meminfo r,
-/proc/cpuinfo r,
-/proc/filesystems r,
-/proc/uptime r,
-/proc/loadavg r,
-/proc/stat r,
-
-/proc/@{PID}/ r,
-/proc/@{PID}/fd/ r,
-/proc/@{PID}/task/ r,
-/proc/@{PID}/cmdline r,
-/proc/@{PID}/comm r,
-/proc/@{PID}/stat r,
-/proc/@{PID}/statm r,
-/proc/@{PID}/status r,
-/proc/@{PID}/task/@{PID}/stat r,
-/proc/sys/kernel/pid_max r,
-/proc/sys/kernel/shmmax r,
-/proc/sys/vm/overcommit_memory r,
-/proc/sys/vm/overcommit_ratio r,
-
-/sys/ r,
-/sys/bus/ r,
-/sys/bus/** r,
-/sys/class/ r,
-/sys/class/** r,
-/sys/devices/ r,
-/sys/devices/** r,
-
-/proc/@{PID}/maps r,
-/proc/@{PID}/mounts r,
-/proc/@{PID}/mountinfo r,
-/proc/@{PID}/oom_score_adj r,
-
-##########
-# Allow running programs only from well-known system directories. If you need
-# to run programs from your home directory, uncomment /home line.
-##########
-/lib/** ix,
-/lib64/** ix,
-/bin/** ix,
-/sbin/** ix,
-/usr/bin/** ix,
-/usr/sbin/** ix,
-/usr/local/** ix,
-/usr/lib/** ix,
-/usr/games/** ix,
-/opt/ r,
-/opt/** r,
-/opt/** ix,
-#/home/** ix,
-
-##########
-# Allow all networking functionality, and control it from Firejail.
-##########
-network inet,
-network inet6,
-network unix,
-network netlink,
-network raw,
-
-##########
-# There is no equivalent in Firejail for filtering signals.
-##########
-signal,
-
-##########
-# We let Firejail deal with capabilities.
-##########
-capability chown,
-capability dac_override,
-capability dac_read_search,
-capability fowner,
-capability fsetid,
-capability kill,
-capability setgid,
-capability setuid,
-capability setpcap,
-capability linux_immutable,
-capability net_bind_service,
-capability net_broadcast,
-capability net_admin,
-capability net_raw,
-capability ipc_lock,
-capability ipc_owner,
-capability sys_module,
-capability sys_rawio,
-capability sys_chroot,
-capability sys_ptrace,
-capability sys_pacct,
-capability sys_admin,
-capability sys_boot,
-capability sys_nice,
-capability sys_resource,
-capability sys_time,
-capability sys_tty_config,
-capability mknod,
-capability lease,
-capability audit_write,
-capability audit_control,
-capability setfcap,
-capability mac_override,
-capability mac_admin,
-
-##########
-# We let Firejail deal with mount/umount functionality.
-##########
-mount,
-remount,
-umount,
-pivot_root,
-
-}
-
diff --git a/firejail/firejail.config b/firejail/firejail.config
index 993582a..2ea767f 100644
--- a/firejail/firejail.config
+++ b/firejail/firejail.config
@@ -17,14 +17,11 @@
# Enable or disable file transfer support, default enabled.
# file-transfer yes
-# Enable Firejail green prompt in terminal, default disabled
-# firejail-prompt no
-
# Force use of nonewprivs. This mitigates the possibility of
# a user abusing firejail's features to trick a privileged (suid
# or file capabilities) process into loading code or configuration
# that is partially under their control. Default disabled.
-force-nonewprivs yes
+# force-nonewprivs no
# Enable or disable networking features, default enabled.
# network yes
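Review bot: The local override `force-nonewprivs yes` is replaced by the commented default `# force-nonewprivs no`, which switches off the mitigation the preceding comment describes for suid or file-capability programs started through firejail. The next two hunks do the same to `restricted-network yes`, so regular users regain `--interface`, `--net=ethXXX` and `--netfilter`, and to `x11 no`. If this is an unintended reset to package defaults, restore `force-nonewprivs yes` and `restricted-network yes`. Add a one-line comment above each, such as `# site override: keep enabled`, so a later package update does not silently revert them.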
@@ -48,7 +45,7 @@ force-nonewprivs yes
# networking features should also be enabled (network yes).
# Restricted networking grants access to --interface, --net=ethXXX and
# --netfilter only to root user. Regular users are only allowed --net=none.
-restricted-network yes
+# restricted-network no
# Change default netfilter configuration. When using --netfilter option without
# a file argument, the default filter is hardcoded (see man 1 firejail). This
@@ -67,7 +64,7 @@ restricted-network yes
# whitelist yes
# Enable or disable X11 sandboxing support, default enabled.
-x11 no
+# x11 yes
# Screen size for --x11=xephyr, default 800x600. Run /usr/bin/xrandr for
# a full list of resolutions available on your specific setup.
diff --git a/firejail/flashpeak-slimjet.profile b/firejail/flashpeak-slimjet.profile
index 3c23ff6..7e0eb48 100644
--- a/firejail/flashpeak-slimjet.profile
+++ b/firejail/flashpeak-slimjet.profile
@@ -29,11 +29,10 @@ whitelist ~/.cache/slimjet
mkdir ~/.pki
whitelist ~/.pki
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
diff --git a/firejail/flowblade.profile b/firejail/flowblade.profile
index 12afdb0..e1ec291 100644
--- a/firejail/flowblade.profile
+++ b/firejail/flowblade.profile
@@ -1,4 +1,4 @@
-# FlowBlade profile
+# OpenShot profile
noblacklist ${HOME}/.flowblade
noblacklist ${HOME}/.config/flowblade
include /etc/firejail/disable-common.inc
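Review bot: The header comment now reads `# OpenShot profile`, but the file is `flowblade.profile` and its `noblacklist` lines refer to `${HOME}/.flowblade` and `${HOME}/.config/flowblade`. Keep `# FlowBlade profile` so the comment names the program this profile actually confines. The rest of the profile lies outside the hunk.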
diff --git a/firejail/fossamail.profile b/firejail/fossamail.profile
deleted file mode 100644
index a0dc8ae..0000000
--- a/firejail/fossamail.profile
+++ /dev/null
@@ -1,15 +0,0 @@
-# Firejail profile for FossaMail
-
-noblacklist ~/.gnupg
-mkdir ~/.gnupg
-whitelist ~/.gnupg
-
-noblacklist ~/.fossamail
-mkdir ~/.fossamail
-whitelist ~/.fossamail
-
-noblacklist ~/.cache/fossamail
-mkdir ~/.cache/fossamail
-whitelist ~/.cache/fossamail
-
-include /etc/firejail/firefox.profile
diff --git a/firejail/franz.profile b/firejail/franz.profile
index 0b3be55..3cb7942 100644
--- a/firejail/franz.profile
+++ b/firejail/franz.profile
@@ -6,12 +6,12 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
caps.drop all
+seccomp
+protocol unix,inet,inet6,netlink
netfilter
+#tracelog
nonewprivs
noroot
-protocol unix,inet,inet6,netlink
-seccomp
-#tracelog
whitelist ${DOWNLOADS}
mkdir ~/.config/Franz
diff --git a/firejail/gajim.profile b/firejail/gajim.profile
index eb60f85..04902a7 100644
--- a/firejail/gajim.profile
+++ b/firejail/gajim.profile
@@ -1,7 +1,4 @@
# Firejail profile for Gajim
-noblacklist ${HOME}/.cache/gajim
-noblacklist ${HOME}/.local/share/gajim
-noblacklist ${HOME}/.config/gajim
mkdir ${HOME}/.cache/gajim
mkdir ${HOME}/.local/share/gajim
@@ -25,14 +22,12 @@ include /etc/firejail/disable-devel.inc
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
protocol unix,inet,inet6
seccomp
shell none
#private-bin python2.7 gajim
-#private-etc fonts
private-dev
-#private-tmp
diff --git a/firejail/gedit.profile b/firejail/gedit.profile
deleted file mode 100644
index a25286b..0000000
--- a/firejail/gedit.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# gedit profile
-
-# when gedit is started via gnome-shell, firejail is not applied because systemd will start it
-
-noblacklist ~/.config/gedit
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gedit
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/gimp.profile b/firejail/gimp.profile
index cb441fc..23361b7 100644
--- a/firejail/gimp.profile
+++ b/firejail/gimp.profile
@@ -6,15 +6,13 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
noroot
-nosound
protocol unix
seccomp
-
-noexec ${HOME}
-noexec /tmp
-
private-dev
private-tmp
+noexec ${HOME}
+noexec /tmp
+nogroups
+nosound
diff --git a/firejail/git.profile b/firejail/git.profile
index 80e534e..abd49cb 100644
--- a/firejail/git.profile
+++ b/firejail/git.profile
@@ -12,17 +12,15 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
+
caps.drop all
netfilter
-nogroups
nonewprivs
noroot
+nogroups
nosound
-no3d
protocol unix,inet,inet6
seccomp
shell none
-blacklist /tmp/.X11-unix
-
private-dev
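Review bot: The new side drops `no3d` and `blacklist /tmp/.X11-unix` from the option block, which leaves the X11 socket and 3D acceleration reachable from a command-line tool that has no use for either. A process that can open the X11 socket can talk to the display server, so this is a loss of isolation rather than a cosmetic reorder. The same two lines are removed in less.profile and in the last hunk of mutt.profile, while gzip.profile in this commit keeps both. Restore `no3d` and `blacklist /tmp/.X11-unix` after `shell none` in all three.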
diff --git a/firejail/gjs.profile b/firejail/gjs.profile
deleted file mode 100644
index 8d71728..0000000
--- a/firejail/gjs.profile
+++ /dev/null
@@ -1,28 +0,0 @@
-# gjs (gnome javascript bindings) profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.cache/org.gnome.Books
-noblacklist ~/.config/libreoffice
-noblacklist ~/.local/share/gnome-photos
-noblacklist ~/.cache/libgweather
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gjs,gnome-books,gnome-documents,gnome-photos,gnome-maps,gnome-weather
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/gnome-2048.profile b/firejail/gnome-2048.profile
deleted file mode 100644
index f9982da..0000000
--- a/firejail/gnome-2048.profile
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-#Profile for gnome-2048
-#
-
-#No Blacklist Paths
-noblacklist ${HOME}/.local/share/gnome-2048
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-#Whitelist Paths
-mkdir ${HOME}/.local/share/gnome-2048
-whitelist ${HOME}/.local/share/gnome-2048
-include /etc/firejail/whitelist-common.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/gnome-books.profile b/firejail/gnome-books.profile
deleted file mode 100644
index 10b06e1..0000000
--- a/firejail/gnome-books.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# gnome-books profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.cache/org.gnome.Books
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gjs gnome-books
-private-tmp
-private-dev
-private-etc fonts
diff --git a/firejail/gnome-calculator.profile b/firejail/gnome-calculator.profile
deleted file mode 100644
index 49e0681..0000000
--- a/firejail/gnome-calculator.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-#Profile for gnome-calculator
-#
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-include /etc/firejail/whitelist-common.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/gnome-chess.profile b/firejail/gnome-chess.profile
index 4db485e..297f7e6 100644
--- a/firejail/gnome-chess.profile
+++ b/firejail/gnome-chess.profile
@@ -1,5 +1,5 @@
# Firejail profile for gnome-chess
-noblacklist ~/.local/share/gnome-chess
+noblacklist /.local/share/gnome-chess
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
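Review bot: The `noblacklist` path on the second line lost its `~` and now reads `/.local/share/gnome-chess`, which points at the filesystem root instead of the user's home directory. The exemption therefore no longer covers the game's data directory, and whether gnome-chess can still reach it depends on what the included `disable-*.inc` files blacklist. Restore it as `noblacklist ~/.local/share/gnome-chess`.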
diff --git a/firejail/gnome-clocks.profile b/firejail/gnome-clocks.profile
deleted file mode 100644
index 6cccf9d..0000000
--- a/firejail/gnome-clocks.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# gnome-clocks profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gnome-clocks
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/gnome-contacts.profile b/firejail/gnome-contacts.profile
deleted file mode 100644
index 9dc25b2..0000000
--- a/firejail/gnome-contacts.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-#Profile for gnome-contacts
-#
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-include /etc/firejail/whitelist-common.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/gnome-documents.profile b/firejail/gnome-documents.profile
deleted file mode 100644
index c5def7a..0000000
--- a/firejail/gnome-documents.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# gnome-documents profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.config/libreoffice
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-private-tmp
-private-dev
diff --git a/firejail/gnome-maps.profile b/firejail/gnome-maps.profile
deleted file mode 100644
index f145150..0000000
--- a/firejail/gnome-maps.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# gnome-maps profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gjs gnome-maps
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/gnome-mplayer.profile b/firejail/gnome-mplayer.profile
index 488c7e0..1b0fc98 100644
--- a/firejail/gnome-mplayer.profile
+++ b/firejail/gnome-mplayer.profile
@@ -12,6 +12,6 @@ protocol unix,inet,inet6
seccomp
shell none
-private-bin gnome-mplayer,mplayer
+private-bin gnome-mplayer
private-dev
private-tmp
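Review bot: `private-bin gnome-mplayer` no longer lists `mplayer`, so the sandbox's private bin directory will contain only the front end. gnome-mplayer launches the mplayer binary for playback, so playback is likely to fail inside the sandbox, and a profile that breaks the application tends to get bypassed rather than fixed. Keep `private-bin gnome-mplayer,mplayer`.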
diff --git a/firejail/gnome-music.profile b/firejail/gnome-music.profile
deleted file mode 100644
index 4a8adeb..0000000
--- a/firejail/gnome-music.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# gnome-music profile
-noblacklist ~/.local/share/gnome-music
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gnome-music,python3
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/gnome-photos.profile b/firejail/gnome-photos.profile
deleted file mode 100644
index 8f9d60c..0000000
--- a/firejail/gnome-photos.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# gnome-photos profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.local/share/gnome-photos
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gjs gnome-photos
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/gnome-weather.profile b/firejail/gnome-weather.profile
deleted file mode 100644
index 9f93b8f..0000000
--- a/firejail/gnome-weather.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# gnome-weather profile
-
-# when gjs apps are started via gnome-shell, firejail is not applied because systemd will start them
-
-noblacklist ~/.cache/libgweather
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gjs gnome-weather
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/goobox.profile b/firejail/goobox.profile
deleted file mode 100644
index 8990943..0000000
--- a/firejail/goobox.profile
+++ /dev/null
@@ -1,20 +0,0 @@
-# goobox profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin goobox
-# private-tmp
-# private-dev
-# private-etc fonts
diff --git a/firejail/google-chrome-beta.profile b/firejail/google-chrome-beta.profile
index 3d48396..fe87027 100644
--- a/firejail/google-chrome-beta.profile
+++ b/firejail/google-chrome-beta.profile
@@ -19,10 +19,9 @@ mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
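Review bot: `whitelist ~/keepassx.kdbx` puts the password database itself inside the browser's view of the home directory, so any code running in the browser sandbox can read and overwrite the file. The database is encrypted, but a compromised browser can copy it for offline guessing or corrupt it. If a browser integration really needs the file, pair the whitelist with `read-only ~/keepassx.kdbx`, otherwise drop the line. The hunk also removes the `~/.keepass`, `~/.config/keepass` and `~/.config/KeePass` entries, which cuts off KeePass users. The same block is repeated in google-chrome-unstable, google-chrome, icecat, inox, netsurf, opera-beta, opera and palemoon.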
diff --git a/firejail/google-chrome-unstable.profile b/firejail/google-chrome-unstable.profile
index 0189ce4..f6680ac 100644
--- a/firejail/google-chrome-unstable.profile
+++ b/firejail/google-chrome-unstable.profile
@@ -19,10 +19,9 @@ mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
diff --git a/firejail/google-chrome.profile b/firejail/google-chrome.profile
index 3083c2a..a9fcebe 100644
--- a/firejail/google-chrome.profile
+++ b/firejail/google-chrome.profile
@@ -19,10 +19,10 @@ mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
diff --git a/firejail/gpa.profile b/firejail/gpa.profile
deleted file mode 100644
index 9da750f..0000000
--- a/firejail/gpa.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# gpa profile
-noblacklist ~/.gnupg
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin gpa,gpg
-private-dev
diff --git a/firejail/gpg-agent.profile b/firejail/gpg-agent.profile
deleted file mode 100644
index f587f0d..0000000
--- a/firejail/gpg-agent.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# gpg-agent profile
-noblacklist ~/.gnupg
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-netfilter
-no3d
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin gpg-agent,gpg
-private-dev
diff --git a/firejail/gpg.profile b/firejail/gpg.profile
deleted file mode 100644
index 963ff5e..0000000
--- a/firejail/gpg.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# gpg profile
-noblacklist ~/.gnupg
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-netfilter
-no3d
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin gpg,gpg-agent
-private-dev
diff --git a/firejail/gpredict.profile b/firejail/gpredict.profile
index 801304c..353ecce 100644
--- a/firejail/gpredict.profile
+++ b/firejail/gpredict.profile
@@ -6,12 +6,13 @@ include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
# Whitelist
+mkdir ~/.config/Gpredict
whitelist ~/.config/Gpredict
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
nosound
protocol unix,inet,inet6
@@ -20,6 +21,5 @@ shell none
tracelog
private-bin gpredict
-private-etc fonts,resolv.conf
private-dev
private-tmp
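Review bot: Removing `private-etc fonts,resolv.conf` after `private-bin gpredict` gives the sandbox the whole of /etc instead of the two entries the application was previously limited to. Nothing else in the hunk replaces that restriction. Keep `private-etc fonts,resolv.conf` unless a missing file is known to break the program, and in that case add only that file to the list.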
diff --git a/firejail/gthumb.profile b/firejail/gthumb.profile
index 055d789..3ffd10a 100644
--- a/firejail/gthumb.profile
+++ b/firejail/gthumb.profile
@@ -17,5 +17,5 @@ shell none
tracelog
private-bin gthumb
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
\ No newline at end of file
diff --git a/firejail/guayadeque.profile b/firejail/guayadeque.profile
deleted file mode 100644
index 0c6ad00..0000000
--- a/firejail/guayadeque.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-noblacklist ${HOME}/.guayadeque
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-bin guayadeque
-private-dev
-private-tmp
diff --git a/firejail/gwenview.profile b/firejail/gwenview.profile
index c866c9e..67f10c4 100644
--- a/firejail/gwenview.profile
+++ b/firejail/gwenview.profile
@@ -7,15 +7,14 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-nogroups
nonewprivs
noroot
+nogroups
+private-dev
protocol unix
seccomp
nosound
-private-dev
-
#Experimental:
#shell none
#private-bin gwenview
diff --git a/firejail/gzip.profile b/firejail/gzip.profile
index feb27c1..5e73969 100644
--- a/firejail/gzip.profile
+++ b/firejail/gzip.profile
@@ -2,13 +2,11 @@
quiet
ignore noroot
include /etc/firejail/default.profile
-
-blacklist /tmp/.X11-unix
-
+tracelog
net none
-no3d
-nosound
shell none
-tracelog
-
+blacklist /tmp/.X11-unix
private-dev
+nosound
+no3d
+
diff --git a/firejail/highlight.profile b/firejail/highlight.profile
deleted file mode 100644
index 4bab183..0000000
--- a/firejail/highlight.profile
+++ /dev/null
@@ -1,28 +0,0 @@
-# highlight profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-net none
-no3d
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-private-bin highlight
-# private-etc none
-private-tmp
-private-dev
-
-
-
diff --git a/firejail/icecat.profile b/firejail/icecat.profile
index 038afc8..2f8e2df 100644
--- a/firejail/icecat.profile
+++ b/firejail/icecat.profile
@@ -1,4 +1,5 @@
# Firejail profile for GNU Icecat
+
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
include /etc/firejail/disable-common.inc
@@ -29,14 +30,14 @@ whitelist ~/.config/gnome-mplayer
whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
#silverlight
whitelist ~/.wine-pipelight
whitelist ~/.wine-pipelight64
diff --git a/firejail/icedove.profile b/firejail/icedove.profile
index 310684b..2325475 100644
--- a/firejail/icedove.profile
+++ b/firejail/icedove.profile
@@ -14,8 +14,5 @@ noblacklist ~/.cache/icedove
mkdir ~/.cache/icedove
whitelist ~/.cache/icedove
-# allow browsers
-ignore private-tmp
include /etc/firejail/firefox.profile
-#include /etc/firejail/chromium.profile - chromium runs as suid!
diff --git a/firejail/img2txt.profile b/firejail/img2txt.profile
deleted file mode 100644
index d55a31c..0000000
--- a/firejail/img2txt.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# img2txt profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-net none
-shell none
-tracelog
-
-#private-bin img2txt
-private-tmp
-private-dev
-#private-etc none
-
-
diff --git a/firejail/inkscape.profile b/firejail/inkscape.profile
index a0e86b6..cf885fb 100644
--- a/firejail/inkscape.profile
+++ b/firejail/inkscape.profile
@@ -6,15 +6,13 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
noroot
-nosound
protocol unix
seccomp
-
-noexec ${HOME}
-noexec /tmp
-
private-dev
private-tmp
+noexec ${HOME}
+noexec /tmp
+nogroups
+nosound
diff --git a/firejail/inox.profile b/firejail/inox.profile
index 6f6d140..49d2f28 100644
--- a/firejail/inox.profile
+++ b/firejail/inox.profile
@@ -14,11 +14,10 @@ whitelist ~/.cache/inox
mkdir ~/.pki
whitelist ~/.pki
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
diff --git a/firejail/jd-gui.profile b/firejail/jd-gui.profile
deleted file mode 100644
index 1d6eb41..0000000
--- a/firejail/jd-gui.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-#Profile for jd-gui
-#
-
-noblacklist ${HOME}/.config/jd-gui.cfg
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/jitsi.profile b/firejail/jitsi.profile
index 046499a..c61158f 100644
--- a/firejail/jitsi.profile
+++ b/firejail/jitsi.profile
@@ -6,8 +6,8 @@ include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
caps.drop all
-nogroups
nonewprivs
+nogroups
noroot
protocol unix,inet,inet6
seccomp
diff --git a/firejail/k3b.profile b/firejail/k3b.profile
deleted file mode 100644
index 8a5fff0..0000000
--- a/firejail/k3b.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# k3b profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-shell none
-seccomp
-protocol unix
-
-# private-bin
-# private-dev
-# private-tmp
-# private-etc
-
diff --git a/firejail/kate.profile b/firejail/kate.profile
deleted file mode 100644
index 4b07ea6..0000000
--- a/firejail/kate.profile
+++ /dev/null
@@ -1,28 +0,0 @@
-# kate profile
-noblacklist ~/.local/share/kate
-noblacklist ~/.config/katerc
-noblacklist ~/.config/katepartrc
-noblacklist ~/.config/kateschemarc
-noblacklist ~/.config/katesyntaxhighlightingrc
-noblacklist ~/.config/katevirc
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-#include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin kate
-private-tmp
-private-dev
-# private-etc fonts
diff --git a/firejail/keepass.profile b/firejail/keepass.profile
index 18a5f4e..23f9a7b 100644
--- a/firejail/keepass.profile
+++ b/firejail/keepass.profile
@@ -1,4 +1,5 @@
# keepass password manager profile
+
noblacklist ${HOME}/.config/keepass
noblacklist ${HOME}/.keepass
diff --git a/firejail/keepass2.profile b/firejail/keepass2.profile
deleted file mode 100644
index 9daa014..0000000
--- a/firejail/keepass2.profile
+++ /dev/null
@@ -1,5 +0,0 @@
-# keepass password manager profile
-#noblacklist ${HOME}/.config/KeePass
-#noblacklist ${HOME}/.keepass
-
-include /etc/firejail/keepass.profile
diff --git a/firejail/keepassx.profile b/firejail/keepassx.profile
index d862177..415160d 100644
--- a/firejail/keepassx.profile
+++ b/firejail/keepassx.profile
@@ -1,4 +1,5 @@
# keepassx password manager profile
+
noblacklist ${HOME}/.config/keepassx
noblacklist ${HOME}/.keepassx
noblacklist ${HOME}/keepassx.kdbx
diff --git a/firejail/keepassx2.profile b/firejail/keepassx2.profile
deleted file mode 100644
index d862177..0000000
--- a/firejail/keepassx2.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# keepassx password manager profile
-noblacklist ${HOME}/.config/keepassx
-noblacklist ${HOME}/.keepassx
-noblacklist ${HOME}/keepassx.kdbx
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-
-private-tmp
-private-dev
diff --git a/firejail/kmail.profile b/firejail/kmail.profile
index 410ff36..8c8fd18 100644
--- a/firejail/kmail.profile
+++ b/firejail/kmail.profile
@@ -8,12 +8,12 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
protocol unix,inet,inet6,netlink
seccomp
tracelog
private-dev
-# private-tmp
+private-tmp
diff --git a/firejail/konversation.profile b/firejail/konversation.profile
index c00b91c..e9546fd 100644
--- a/firejail/konversation.profile
+++ b/firejail/konversation.profile
@@ -1,4 +1,5 @@
# Firejail konversation profile
+
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
diff --git a/firejail/less.profile b/firejail/less.profile
index c01dfc4..6dfae02 100644
--- a/firejail/less.profile
+++ b/firejail/less.profile
@@ -2,13 +2,8 @@
quiet
ignore noroot
include /etc/firejail/default.profile
-
+tracelog
net none
-nosound
-no3d
shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
private-dev
+nosound
diff --git a/firejail/lollypop.profile b/firejail/lollypop.profile
deleted file mode 100644
index 41a662b..0000000
--- a/firejail/lollypop.profile
+++ /dev/null
@@ -1,20 +0,0 @@
-#
-#Profile for lollypop
-#
-
-#No Blacklist Paths
-noblacklist ${HOME}/.local/share/lollypop
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/luminance-hdr.profile b/firejail/luminance-hdr.profile
index 76e864e..6e059ea 100644
--- a/firejail/luminance-hdr.profile
+++ b/firejail/luminance-hdr.profile
@@ -5,19 +5,17 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-ipc-namespace
netfilter
-nogroups
+protocol unix
nonewprivs
noroot
-nosound
-protocol unix
seccomp
shell none
tracelog
-
-noexec ${HOME}
-noexec /tmp
-
private-tmp
private-dev
+noexec ${HOME}
+noexec /tmp
+nogroups
+nosound
+ipc-namespace
diff --git a/firejail/lxterminal.profile b/firejail/lxterminal.profile
index 12765c2..d1d0b8a 100644
--- a/firejail/lxterminal.profile
+++ b/firejail/lxterminal.profile
@@ -1,4 +1,5 @@
# lxterminal (LXDE) profile
+
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
diff --git a/firejail/lynx.profile b/firejail/lynx.profile
deleted file mode 100644
index 3e8d721..0000000
--- a/firejail/lynx.profile
+++ /dev/null
@@ -1,25 +0,0 @@
-# lynx profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-no3d
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin lynx
-private-tmp
-private-dev
-# private-etc none
-
diff --git a/firejail/mediainfo.profile b/firejail/mediainfo.profile
deleted file mode 100644
index 65d12c4..0000000
--- a/firejail/mediainfo.profile
+++ /dev/null
@@ -1,29 +0,0 @@
-# mediainfo profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-no3d
-protocol unix
-seccomp
-netfilter
-net none
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-private-bin mediainfo
-private-tmp
-private-dev
-private-etc none
-
-
-
-
diff --git a/firejail/multimc5.profile b/firejail/multimc5.profile
deleted file mode 100644
index cc310f2..0000000
--- a/firejail/multimc5.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-#Profile for multimc5
-#
-
-#No Blacklist Paths
-noblacklist ${HOME}/.local/share/multimc5
-noblacklist ${HOME}/.multimc5
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-#Whitelist Paths
-mkdir ${HOME}/.local/share/multimc5
-whitelist ${HOME}/.local/share/multimc5
-mkdir ${HOME}/.multimc5
-whitelist ${HOME}/.multimc5
-include /etc/firejail/whitelist-common.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
diff --git a/firejail/mumble.profile b/firejail/mumble.profile
deleted file mode 100644
index ddd7082..0000000
--- a/firejail/mumble.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# mumble profile
-noblacklist ${HOME}/.config/Mumble
-noblacklist ${HOME}/.local/share/data/Mumble
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-mkdir ${HOME}/.config/Mumble
-mkdir ${HOME}/.local/share/data/Mumble
-whitelist ${HOME}/.config/Mumble
-whitelist ${HOME}/.local/share/data/Mumble
-include /etc/firejail/whitelist-common.inc
-
-caps.drop all
-netfilter
-nonewprivs
-nogroups
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin mumble
-private-tmp
diff --git a/firejail/mupdf.profile b/firejail/mupdf.profile
index 7f9261d..c1c4980 100644
--- a/firejail/mupdf.profile
+++ b/firejail/mupdf.profile
@@ -12,7 +12,6 @@ nosound
protocol unix
seccomp
netfilter
-net none
shell none
tracelog
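Review bot: Dropping `net none` leaves a document viewer in the host network namespace. `protocol unix` still limits the socket families, but without a private network namespace the process can reach the host's abstract unix sockets. A PDF viewer parses untrusted files and needs no network, so keep `net none` before `shell none`. The start of the profile is outside the hunk.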
diff --git a/firejail/mutt.profile b/firejail/mutt.profile
index 34dd247..b532ded 100644
--- a/firejail/mutt.profile
+++ b/firejail/mutt.profile
@@ -1,13 +1,4 @@
# mutt email client profile
-read-only ~/
-
-# In case GnuPG is called
-read-write ~/.gnupg
-
-# Allow write access to mailboxes
-read-write ~/Mail
-read-write ~/sent
-read-write ~/postponed
noblacklist ~/.muttrc
noblacklist ~/.mutt
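Review bot: This hunk removes `read-only ~/` together with the `read-write` exceptions for `~/.gnupg`, `~/Mail`, `~/sent` and `~/postponed`, so the whole home directory is writable by the mail client again, apart from whatever the included `disable-*.inc` files protect. A mail client handles content supplied by strangers, and write access to the rest of the home directory widens what a bug in it can damage. Keep `read-only ~/` and its `read-write` exceptions at the top of the profile.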
@@ -30,10 +21,6 @@ noblacklist ~/.emacs
noblacklist ~/.emacs.d
noblacklist ~/.signature
noblacklist ~/.bogofilter
-noblacklist ~/.msmtprc
-
-# Allow executing /usr/sbin/sendmail
-noblacklist /usr/sbin
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
@@ -46,11 +33,8 @@ nogroups
nonewprivs
noroot
nosound
-no3d
protocol unix,inet,inet6
seccomp
shell none
-blacklist /tmp/.X11-unix
-
private-dev
diff --git a/firejail/nautilus.profile b/firejail/nautilus.profile
deleted file mode 100644
index 264ee0b..0000000
--- a/firejail/nautilus.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# nautilus profile
-
-# Nautilus is started by systemd on most systems. Therefore it is not firejailed by default. Since there is already a nautilus process running on gnome desktops firejail will have no effect.
-
-noblacklist ~/.config/nautilus
-
-include /etc/firejail/disable-common.inc
-# nautilus needs to be able to start arbitrary applications so we cannot blacklist their files
-#include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin nautilus
-# private-tmp
-# private-dev
-# private-etc fonts
diff --git a/firejail/netsurf.profile b/firejail/netsurf.profile
index 644a160..1ed2163 100644
--- a/firejail/netsurf.profile
+++ b/firejail/netsurf.profile
@@ -1,4 +1,5 @@
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
+
noblacklist ~/.config/netsurf
noblacklist ~/.cache/netsurf
include /etc/firejail/disable-common.inc
@@ -19,11 +20,10 @@ whitelist ~/.config/netsurf
mkdir ~/.cache/netsurf
whitelist ~/.cache/netsurf
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
diff --git a/firejail/odt2txt.profile b/firejail/odt2txt.profile
deleted file mode 100644
index c4e28f7..0000000
--- a/firejail/odt2txt.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# odt2txt profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-net none
-no3d
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-private-bin odt2txt
-private-tmp
-private-dev
-private-etc none
-
-read-only ${HOME}
diff --git a/firejail/okular.profile b/firejail/okular.profile
index 22e223c..df142cc 100644
--- a/firejail/okular.profile
+++ b/firejail/okular.profile
@@ -9,17 +9,16 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
nonewprivs
nogroups
noroot
-nosound
+private-dev
protocol unix
seccomp
-shell none
-tracelog
+nosound
-# private-bin okular,kbuildsycoca4,kbuildsycoca5
-# private-etc X11
-private-dev
-private-tmp
+#Experimental:
+#net none
+#shell none
+#private-bin okular,kbuildsycoca4,kbuildsycoca5
+#private-etc X11
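Review bot: The new option block drops `netfilter`, `shell none`, `tracelog` and `private-tmp`, and leaves `shell none` and `net none` only as comments under `#Experimental:`. A document viewer that opens untrusted files therefore ends up with a shared /tmp and fewer restrictions than before, and none of the removed options is replaced by an equivalent. Keep `shell none`, `tracelog` and `private-tmp` active. If one of them breaks okular, disable only that one and add a comment saying why.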
diff --git a/firejail/opera-beta.profile b/firejail/opera-beta.profile
index 4cdb0a9..12c91c7 100644
--- a/firejail/opera-beta.profile
+++ b/firejail/opera-beta.profile
@@ -16,10 +16,10 @@ mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
diff --git a/firejail/opera.profile b/firejail/opera.profile
index a337ccc..e0c89a1 100644
--- a/firejail/opera.profile
+++ b/firejail/opera.profile
@@ -19,10 +19,10 @@ mkdir ~/.pki
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
diff --git a/firejail/palemoon.profile b/firejail/palemoon.profile
index 1476369..71deec6 100644
--- a/firejail/palemoon.profile
+++ b/firejail/palemoon.profile
@@ -44,11 +44,11 @@ private-tmp
#whitelist ~/.config/pipelight-widevine
#whitelist ~/.config/pipelight-silverlight5.1
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
diff --git a/firejail/pdfsam.profile b/firejail/pdfsam.profile
deleted file mode 100644
index 6e50f37..0000000
--- a/firejail/pdfsam.profile
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-#Profile for pdfsam
-#
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/pdftotext.profile b/firejail/pdftotext.profile
deleted file mode 100644
index fe9e9e3..0000000
--- a/firejail/pdftotext.profile
+++ /dev/null
@@ -1,25 +0,0 @@
-# pdftotext profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-net none
-no3d
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-private-bin pdftotext
-private-tmp
-private-dev
-private-etc none
diff --git a/firejail/pidgin.profile b/firejail/pidgin.profile
index 8507061..47be2b6 100644
--- a/firejail/pidgin.profile
+++ b/firejail/pidgin.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-programs.inc
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
protocol unix,inet,inet6
seccomp
diff --git a/firejail/pithos.profile b/firejail/pithos.profile
deleted file mode 100644
index 8270b8b..0000000
--- a/firejail/pithos.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-#Profile for pithos
-#
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-include /etc/firejail/whitelist-common.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/pix.profile b/firejail/pix.profile
index dc8192b..80c05fd 100644
--- a/firejail/pix.profile
+++ b/firejail/pix.profile
@@ -8,8 +8,8 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-nogroups
nonewprivs
+nogroups
noroot
nosound
protocol unix
@@ -18,5 +18,6 @@ shell none
tracelog
private-bin pix
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
\ No newline at end of file
+
diff --git a/firejail/pluma.profile b/firejail/pluma.profile
deleted file mode 100644
index 895cc23..0000000
--- a/firejail/pluma.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Firejail profile for Xed
-noblacklist ${HOME}/.config/pluma
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-net none
-nogroups
-nonewprivs
-noroot
-nosound
-seccomp
-shell none
-tracelog
-
-private-bin pluma
-private-dev
-private-tmp
diff --git a/firejail/psi-plus.profile b/firejail/psi-plus.profile
index e4e69b9..22c5baf 100644
--- a/firejail/psi-plus.profile
+++ b/firejail/psi-plus.profile
@@ -1,4 +1,5 @@
# Firejail profile for Psi+
+
noblacklist ${HOME}/.config/psi+
noblacklist ${HOME}/.local/share/psi+
include /etc/firejail/disable-common.inc
@@ -13,10 +14,10 @@ whitelist ~/.local/share/psi+
mkdir ~/.cache/psi+
whitelist ~/.cache/psi+
+include /etc/firejail/whitelist-common.inc
+
caps.drop all
netfilter
noroot
protocol unix,inet,inet6
seccomp
-
-include /etc/firejail/whitelist-common.inc
diff --git a/firejail/qbittorrent.profile b/firejail/qbittorrent.profile
index 89e0e4c..138b6db 100644
--- a/firejail/qbittorrent.profile
+++ b/firejail/qbittorrent.profile
@@ -15,5 +15,6 @@ seccomp
# there are some problems with "Open destination folder", see bug #536
#shell none
#private-bin qbittorrent
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
+nosound
diff --git a/firejail/qemu-launcher.profile b/firejail/qemu-launcher.profile
deleted file mode 100644
index f9c8e63..0000000
--- a/firejail/qemu-launcher.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-# qemu-launcher profile
-noblacklist ~/.qemu-launcher
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-tmp
-
diff --git a/firejail/qemu-system-x86_64.profile b/firejail/qemu-system-x86_64.profile
deleted file mode 100644
index 65e1e44..0000000
--- a/firejail/qemu-system-x86_64.profile
+++ /dev/null
@@ -1,17 +0,0 @@
-# qemu profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-tmp
-
diff --git a/firejail/qpdfview.profile b/firejail/qpdfview.profile
index 06c0db2..07ea173 100644
--- a/firejail/qpdfview.profile
+++ b/firejail/qpdfview.profile
@@ -18,5 +18,5 @@ shell none
tracelog
private-bin qpdfview
-private-dev
private-tmp
+private-dev
diff --git a/firejail/qtox.profile b/firejail/qtox.profile
index 81d8aa1..9274870 100644
--- a/firejail/qtox.profile
+++ b/firejail/qtox.profile
@@ -11,8 +11,8 @@ whitelist ${DOWNLOADS}
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
protocol unix,inet,inet6
seccomp
diff --git a/firejail/quiterss.profile b/firejail/quiterss.profile
index 47ab776..2ab5d8a 100644
--- a/firejail/quiterss.profile
+++ b/firejail/quiterss.profile
@@ -1,8 +1,3 @@
-noblacklist ${HOME}/.cache/QuiteRss
-noblacklist ${HOME}/.config/QuiteRss
-noblacklist ${HOME}/.config/QuiteRssrc
-noblacklist ${HOME}/.local/share/QuiteRss
-
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
@@ -12,25 +7,23 @@ whitelist ${HOME}/quiterssfeeds.opml
mkdir ~/.config/QuiteRss
whitelist ${HOME}/.config/QuiteRss/
whitelist ${HOME}/.config/QuiteRssrc
-mkdir ~/.local/share/data
-mkdir ~/.local/share/data/QuiteRss
-whitelist ${HOME}/.local/share/data/QuiteRss
+mkdir ~/.local/share
+whitelist ${HOME}/.local/share/
mkdir ~/.cache/QuiteRss
whitelist ${HOME}/.cache/QuiteRss
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
+private-bin quiterss
+private-dev
nosound
+#private-etc X11,ssl
protocol unix,inet,inet6
seccomp
shell none
tracelog
-private-bin quiterss
-private-dev
-#private-etc X11,ssl
-
include /etc/firejail/whitelist-common.inc
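Review bot: `whitelist ${HOME}/.local/share/` exposes the whole per-user data directory to the feed reader, where the old side exposed only the QuiteRss subdirectory. Other applications keep their data under ~/.local/share, and on some desktops that includes keyring files; whether the included disable-*.inc files still hide those cannot be seen from this hunk. I would narrow it back to the application's own directory, `mkdir ~/.local/share/data/QuiteRss` followed by `whitelist ${HOME}/.local/share/data/QuiteRss`, adjusting the path if this QuiteRss version stores its data elsewhere.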
diff --git a/firejail/qupzilla.profile b/firejail/qupzilla.profile
deleted file mode 100644
index 387ddef..0000000
--- a/firejail/qupzilla.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Firejail profile for Qupzilla web browser
-noblacklist ${HOME}/.config/qupzilla
-noblacklist ${HOME}/.cache/qupzilla
-include /etc/firejail/disable-mgmt.inc
-include /etc/firejail/disable-secret.inc
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-caps.drop all
-seccomp
-protocol unix,inet,inet6,netlink
-netfilter
-tracelog
-noroot
-whitelist ${DOWNLOADS}
-whitelist ~/.config/qupzilla
-whitelist ~/.cache/qupzilla
-include /etc/firejail/whitelist-common.inc
-
-# experimental features
-#private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,iceweasel,firefox,adobe,mime.types,mailcap,asound.conf,pulse
-
-
diff --git a/firejail/qutebrowser.profile b/firejail/qutebrowser.profile
index dcacd4f..0efb7b6 100644
--- a/firejail/qutebrowser.profile
+++ b/firejail/qutebrowser.profile
@@ -1,4 +1,5 @@
# Firejail profile for Qutebrowser (Qt5-Webkit+Python) browser
+
noblacklist ~/.config/qutebrowser
noblacklist ~/.cache/qutebrowser
include /etc/firejail/disable-common.inc
@@ -18,6 +19,4 @@ mkdir ~/.config/qutebrowser
whitelist ~/.config/qutebrowser
mkdir ~/.cache/qutebrowser
whitelist ~/.cache/qutebrowser
-mkdir ~/.local/share/qutebrowser
-whitelist ~/.local/share/qutebrowser
include /etc/firejail/whitelist-common.inc
diff --git a/firejail/ranger.profile b/firejail/ranger.profile
index 3538f3e..a040cd6 100644
--- a/firejail/ranger.profile
+++ b/firejail/ranger.profile
@@ -3,7 +3,6 @@ noblacklist /usr/bin/perl
#noblacklist /usr/bin/cpan*
noblacklist /usr/share/perl*
noblacklist /usr/lib/perl*
-noblacklist ~/.config/ranger
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
@@ -13,12 +12,13 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
net none
-nogroups
nonewprivs
noroot
+nogroups
protocol unix
seccomp
nosound
private-tmp
private-dev
+
diff --git a/firejail/rhythmbox.profile b/firejail/rhythmbox.profile
index e5e1924..0e8527a 100644
--- a/firejail/rhythmbox.profile
+++ b/firejail/rhythmbox.profile
@@ -5,8 +5,8 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-netfilter
nogroups
+netfilter
nonewprivs
noroot
protocol unix,inet,inet6
diff --git a/firejail/rtorrent.profile b/firejail/rtorrent.profile
index 55bfcd7..15df2c3 100644
--- a/firejail/rtorrent.profile
+++ b/firejail/rtorrent.profile
@@ -14,5 +14,6 @@ seccomp
shell none
private-bin rtorrent
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
\ No newline at end of file
+nosound
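Review bot: `whitelist /tmp/.X11-unix` hands the X server socket to rtorrent, which is a terminal client and should not need it. A process that can connect to the X server can normally observe the input and window contents of other X clients, so the socket is worth withholding from a program that handles data from arbitrary peers. The new side of server.profile in this same commit uses `private-tmp` followed by `blacklist /tmp/.X11-unix`; the same pair would fit here in place of the whitelist line.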
diff --git a/firejail/seamonkey.profile b/firejail/seamonkey.profile
index 5d817ac..b981d95 100644
--- a/firejail/seamonkey.profile
+++ b/firejail/seamonkey.profile
@@ -31,11 +31,10 @@ whitelist ~/.cache/gnome-mplayer/plugin
whitelist ~/.pki
include /etc/firejail/whitelist-common.inc
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
diff --git a/firejail/server.profile b/firejail/server.profile
index b8a34fe..22cef0a 100644
--- a/firejail/server.profile
+++ b/firejail/server.profile
@@ -6,12 +6,11 @@ include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
-blacklist /tmp/.X11-unix
-
-no3d
-nosound
-seccomp
-
private
private-dev
+nosound
+no3d
private-tmp
+blacklist /tmp/.X11-unix
+seccomp
+
diff --git a/firejail/simple-scan.profile b/firejail/simple-scan.profile
deleted file mode 100644
index 0308948..0000000
--- a/firejail/simple-scan.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# simple-scan profile
-noblacklist ~/.cache/simple-scan
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-#seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin simple-scan
-# private-tmp
-# private-dev
-# private-etc fonts
diff --git a/firejail/skanlite.profile b/firejail/skanlite.profile
deleted file mode 100644
index 667b775..0000000
--- a/firejail/skanlite.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# skanlite profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-shell none
-seccomp
-# protocol unix,inet,inet6
-
-# private-bin skanlite
-# private-dev
-# private-tmp
-# private-etc
-
diff --git a/firejail/slack.profile b/firejail/slack.profile
index a85a28f..1009f7e 100644
--- a/firejail/slack.profile
+++ b/firejail/slack.profile
@@ -1,4 +1,3 @@
-# Firejail profile for Slack
noblacklist ${HOME}/.config/Slack
noblacklist ${HOME}/Downloads
@@ -7,25 +6,25 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
+mkdir ${HOME}/.config
+mkdir ${HOME}/.config/Slack
+whitelist ${HOME}/.config/Slack
+whitelist ${HOME}/Downloads
+
+protocol unix,inet,inet6,netlink
+private-dev
+private-tmp
+private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
+name slack
blacklist /var
+include /etc/firejail/whitelist-common.inc
+
caps.drop all
-name slack
+seccomp
netfilter
-nogroups
nonewprivs
+nogroups
noroot
-protocol unix,inet,inet6,netlink
-seccomp
shell none
-
private-bin slack
-private-dev
-private-etc fonts,resolv.conf,ld.so.conf,ld.so.cache,localtime
-private-tmp
-
-mkdir ${HOME}/.config
-mkdir ${HOME}/.config/Slack
-whitelist ${HOME}/.config/Slack
-whitelist ${HOME}/Downloads
-include /etc/firejail/whitelist-common.inc
diff --git a/firejail/snap.profile b/firejail/snap.profile
index e2ada3a..270fdf1 100644
--- a/firejail/snap.profile
+++ b/firejail/snap.profile
@@ -9,4 +9,6 @@ whitelist ~/snap
whitelist ${DOWNLOADS}
include /etc/firejail/whitelist-common.inc
+caps.keep chown,sys_admin
+
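Review bot: `caps.keep chown,sys_admin` leaves CAP_SYS_ADMIN available inside the sandbox. That capability covers mounting, namespace setup and many other privileged operations, so for a process running as root it undoes most of what a capability filter is meant to provide. If snap really needs it, the line should carry a comment saying so, for example `# snap needs CAP_SYS_ADMIN for its mounts; do not treat this profile as containment for root` (wording to be confirmed by whoever knows the requirement). The start of the profile is outside this hunk, so I cannot tell whether `seccomp` or `nonewprivs` is set elsewhere to compensate.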
diff --git a/firejail/spotify.profile b/firejail/spotify.profile
index 6dbcc03..73d427d 100644
--- a/firejail/spotify.profile
+++ b/firejail/spotify.profile
@@ -7,13 +7,16 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
-# Whitelist the folders needed by Spotify
+# Whitelist the folders needed by Spotify - This is more restrictive
+# than a blacklist though, but this is all spotify requires for
+# streaming audio
mkdir ${HOME}/.config/spotify
whitelist ${HOME}/.config/spotify
mkdir ${HOME}/.local/share/spotify
whitelist ${HOME}/.local/share/spotify
mkdir ${HOME}/.cache/spotify
whitelist ${HOME}/.cache/spotify
+include /etc/firejail/whitelist-common.inc
caps.drop all
netfilter
@@ -24,20 +27,5 @@ protocol unix,inet,inet6,netlink
seccomp
shell none
-private-bin spotify
-private-etc fonts,machine-id,pulse,resolv.conf
+#private-bin spotify
private-dev
-private-tmp
-
-blacklist ${HOME}/.Xauthority
-blacklist ${HOME}/.bashrc
-blacklist /boot
-blacklist /lost+found
-blacklist /media
-blacklist /mnt
-blacklist /opt
-blacklist /root
-blacklist /sbin
-blacklist /srv
-blacklist /sys
-blacklist /var
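Review bot: The new side drops `private-tmp` and `private-etc` and comments out `private-bin`, so a closed-source network client now sees the host's /tmp, the full /etc and every installed binary. The home-directory whitelist in the previous hunk presumably makes the removed `blacklist ${HOME}/.Xauthority` and `blacklist ${HOME}/.bashrc` redundant, unless whitelist-common.inc re-adds those files. Nothing replaces the /tmp and /etc restrictions, though. I would keep `private-tmp` and `private-etc fonts,machine-id,pulse,resolv.conf`, or add a comment naming what they broke.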
diff --git a/firejail/ssh-agent.profile b/firejail/ssh-agent.profile
deleted file mode 100644
index bea3a60..0000000
--- a/firejail/ssh-agent.profile
+++ /dev/null
@@ -1,19 +0,0 @@
-# ssh-agent
-quiet
-noblacklist ~/.ssh
-noblacklist /tmp/ssh-*
-noblacklist /etc/ssh
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-no3d
-protocol unix,inet,inet6
-seccomp
-
-blacklist /tmp/.X11-unix
diff --git a/firejail/start-tor-browser.profile b/firejail/start-tor-browser.profile
deleted file mode 100644
index ee19cee..0000000
--- a/firejail/start-tor-browser.profile
+++ /dev/null
@@ -1,20 +0,0 @@
-# Firejail profile for the Tor Brower Bundle
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin bash,grep,sed,tail,env,gpg,id,readlink,dirname,test,mkdir,ln,sed,cp,rm,getconf
-private-etc fonts
-private-dev
-private-tmp
diff --git a/firejail/strings.profile b/firejail/strings.profile
index 2bbab13..f99a650 100644
--- a/firejail/strings.profile
+++ b/firejail/strings.profile
@@ -2,11 +2,9 @@
quiet
ignore noroot
include /etc/firejail/default.profile
-
+tracelog
net none
-nosound
shell none
-tracelog
private-dev
-no3d
-blacklist /tmp/.X11-unix
+nosound
+
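Review bot: This hunk removes `blacklist /tmp/.X11-unix` and `no3d` from the strings profile, while the tar, unrar and unzip profiles changed in the same commit keep both on their new side. A command-line tool that parses arbitrary binaries has no use for the X server socket or the GPU devices, and nothing visible here shows default.profile supplying either restriction. I would add `no3d` and `blacklist /tmp/.X11-unix` after the `nosound` line so the four tool profiles stay consistent.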
diff --git a/firejail/synfigstudio.profile b/firejail/synfigstudio.profile
index 69b2a0d..d46467b 100644
--- a/firejail/synfigstudio.profile
+++ b/firejail/synfigstudio.profile
@@ -11,9 +11,7 @@ nonewprivs
noroot
protocol unix
seccomp
-
-noexec ${HOME}
-noexec /tmp
-
private-dev
private-tmp
+noexec ${HOME}
+noexec /tmp
diff --git a/firejail/tar.profile b/firejail/tar.profile
index 3addb02..663ac38 100644
--- a/firejail/tar.profile
+++ b/firejail/tar.profile
@@ -3,16 +3,16 @@ quiet
ignore noroot
include /etc/firejail/default.profile
-blacklist /tmp/.X11-unix
-
-hostname tar
+tracelog
net none
-no3d
-nosound
shell none
-tracelog
# support compressed archives
private-bin sh,tar,gtar,compress,gzip,lzma,xz,bzip2,lbzip2,lzip,lzop
private-dev
+nosound
+no3d
private-etc passwd,group,localtime
+hostname tar
+blacklist /tmp/.X11-unix
+
diff --git a/firejail/telegram.profile b/firejail/telegram.profile
index 7615c8e..8e91e42 100644
--- a/firejail/telegram.profile
+++ b/firejail/telegram.profile
@@ -10,3 +10,4 @@ nonewprivs
noroot
protocol unix,inet,inet6
seccomp
+
diff --git a/firejail/thunderbird.profile b/firejail/thunderbird.profile
index 568343b..5db50da 100644
--- a/firejail/thunderbird.profile
+++ b/firejail/thunderbird.profile
@@ -14,8 +14,5 @@ noblacklist ~/.cache/thunderbird
mkdir ~/.cache/thunderbird
whitelist ~/.cache/thunderbird
-# allow browsers
-ignore private-tmp
include /etc/firejail/firefox.profile
-#include /etc/firejail/chromium.profile - chromium runs as suid!
diff --git a/firejail/tracker.profile b/firejail/tracker.profile
deleted file mode 100644
index 7f4f371..0000000
--- a/firejail/tracker.profile
+++ /dev/null
@@ -1,27 +0,0 @@
-# tracker profile
-
-# Tracker is started by systemd on most systems. Therefore it is not firejailed by default
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-no3d
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin tracker
-# private-tmp
-# private-dev
-# private-etc fonts
diff --git a/firejail/transmission-cli.profile b/firejail/transmission-cli.profile
deleted file mode 100644
index 6cbc341..0000000
--- a/firejail/transmission-cli.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# transmission-cli bittorrent profile
-noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-#private-bin transmission-cli
-private-tmp
-private-dev
-private-etc none
diff --git a/firejail/transmission-gtk.profile b/firejail/transmission-gtk.profile
index fa54ea8..0cfa4fc 100644
--- a/firejail/transmission-gtk.profile
+++ b/firejail/transmission-gtk.profile
@@ -18,5 +18,6 @@ shell none
tracelog
private-bin transmission-gtk
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
+
diff --git a/firejail/transmission-qt.profile b/firejail/transmission-qt.profile
index 100fadc..754211a 100644
--- a/firejail/transmission-qt.profile
+++ b/firejail/transmission-qt.profile
@@ -14,9 +14,9 @@ noroot
nosound
protocol unix,inet,inet6
seccomp
-shell none
tracelog
+shell none
private-bin transmission-qt
+whitelist /tmp/.X11-unix
private-dev
-private-tmp
diff --git a/firejail/transmission-show.profile b/firejail/transmission-show.profile
deleted file mode 100644
index 5e5284b..0000000
--- a/firejail/transmission-show.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# transmission-show profile
-noblacklist ${HOME}/.config/transmission
-noblacklist ${HOME}/.cache/transmission
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-net none
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-shell none
-tracelog
-
-# private-bin
-private-tmp
-private-dev
-private-etc none
diff --git a/firejail/uget-gtk.profile b/firejail/uget-gtk.profile
index 3ba28f7..522b4bd 100644
--- a/firejail/uget-gtk.profile
+++ b/firejail/uget-gtk.profile
@@ -9,16 +9,17 @@ caps.drop all
netfilter
nonewprivs
noroot
-nosound
protocol unix,inet,inet6
seccomp
-shell none
-
-private-bin uget-gtk
-private-dev
-private-tmp
whitelist ${DOWNLOADS}
mkdir ~/.config/uGet
whitelist ~/.config/uGet
include /etc/firejail/whitelist-common.inc
+
+shell none
+private-bin uget-gtk
+whitelist /tmp/.X11-unix
+private-dev
+nosound
+
diff --git a/firejail/unrar.profile b/firejail/unrar.profile
index bde6f4e..f29d1b5 100644
--- a/firejail/unrar.profile
+++ b/firejail/unrar.profile
@@ -3,16 +3,15 @@ quiet
ignore noroot
include /etc/firejail/default.profile
-blacklist /tmp/.X11-unix
-
-hostname unrar
+tracelog
net none
-no3d
-nosound
shell none
-tracelog
-
private-bin unrar
private-dev
+nosound
+no3d
private-etc passwd,group,localtime
+hostname unrar
private-tmp
+blacklist /tmp/.X11-unix
+
diff --git a/firejail/unzip.profile b/firejail/unzip.profile
index 8c10d11..0722485 100644
--- a/firejail/unzip.profile
+++ b/firejail/unzip.profile
@@ -2,15 +2,15 @@
quiet
ignore noroot
include /etc/firejail/default.profile
-blacklist /tmp/.X11-unix
-hostname unzip
+tracelog
net none
-no3d
-nosound
shell none
-tracelog
-
private-bin unzip
-private-dev
private-etc passwd,group,localtime
+hostname unzip
+private-dev
+nosound
+no3d
+blacklist /tmp/.X11-unix
+
diff --git a/firejail/uudeview.profile b/firejail/uudeview.profile
index d5b750a..8ea9d51 100644
--- a/firejail/uudeview.profile
+++ b/firejail/uudeview.profile
@@ -3,13 +3,13 @@ quiet
ignore noroot
include /etc/firejail/default.profile
-blacklist /etc
-
-hostname uudeview
+tracelog
net none
-nosound
shell none
-tracelog
-
private-bin uudeview
private-dev
+private-etc nonexisting_fakefile_for_empty_etc
+hostname uudeview
+nosound
+uudeview
+
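Review bot: The added line `uudeview` near the end of this hunk is not a profile directive; it looks like a leftover from `hostname uudeview` two lines above it. As far as I know firejail refuses to load a profile containing a line it cannot parse, so the decoder would not start under this profile; the line should be deleted. Separately, `private-etc nonexisting_fakefile_for_empty_etc` would be clearer with a comment such as `# yields an empty /etc; replaces the former "blacklist /etc"`.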
diff --git a/firejail/vim.profile b/firejail/vim.profile
index b161fcb..3c1fefe 100644
--- a/firejail/vim.profile
+++ b/firejail/vim.profile
@@ -1,4 +1,5 @@
# vim profile
+
noblacklist ~/.vim
noblacklist ~/.vimrc
noblacklist ~/.viminfo
@@ -9,8 +10,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
noroot
+nogroups
protocol unix,inet,inet6
seccomp
diff --git a/firejail/virtualbox.profile b/firejail/virtualbox.profile
index 1e765b8..148b7ef 100644
--- a/firejail/virtualbox.profile
+++ b/firejail/virtualbox.profile
@@ -1,22 +1,12 @@
-# virtualbox profile
+# VirtualBox profile
+
noblacklist ${HOME}/.VirtualBox
noblacklist ${HOME}/VirtualBox VMs
noblacklist ${HOME}/.config/VirtualBox
-
-mkdir ~/VirtualBox VMs
-whitelist ~/VirtualBox VMs
-mkdir ~/.config/VirtualBox
-whitelist ~/.config/VirtualBox
-
-# noblacklist /usr/bin/virtualbox
-noblacklist /usr/lib/virtualbox
-noblacklist /usr/lib64/virtualbox
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/whitelist-common.inc
caps.drop all
-netfilter
diff --git a/firejail/vivaldi.profile b/firejail/vivaldi.profile
index b3a0960..08b0468 100644
--- a/firejail/vivaldi.profile
+++ b/firejail/vivaldi.profile
@@ -14,10 +14,10 @@ mkdir ~/.cache/vivaldi
whitelist ~/.cache/vivaldi
include /etc/firejail/whitelist-common.inc
-# lastpass, keepass
-# for keepass we additionally need to whitelist our .kdbx password database
-whitelist ~/.keepass
-whitelist ~/.config/keepass
-whitelist ~/.config/KeePass
+# lastpass, keepassx
+whitelist ~/.keepassx
+whitelist ~/.config/keepassx
+whitelist ~/keepassx.kdbx
whitelist ~/.lastpass
whitelist ~/.config/lastpass
+
diff --git a/firejail/w3m.profile b/firejail/w3m.profile
deleted file mode 100644
index 7ee91bb..0000000
--- a/firejail/w3m.profile
+++ /dev/null
@@ -1,26 +0,0 @@
-# w3m profile
-noblacklist ~/.w3m
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-no3d
-protocol unix,inet,inet6
-seccomp
-netfilter
-shell none
-tracelog
-
-blacklist /tmp/.X11-unix
-
-# private-bin w3m
-private-tmp
-private-dev
-private-etc none
diff --git a/firejail/weechat.profile b/firejail/weechat.profile
index 405151f..4100612 100644
--- a/firejail/weechat.profile
+++ b/firejail/weechat.profile
@@ -1,9 +1,5 @@
# Weechat IRC profile
-whitelist ${HOME}/.dotfiles/weechat
-noblacklist ${HOME}/.dotfiles/weechat
-whitelist ${HOME}/.weechat
noblacklist ${HOME}/.weechat
-
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
@@ -16,4 +12,4 @@ seccomp
# no private-bin support for various reasons:
# Plugins loaded: alias, aspell, charset, exec, fifo, guile, irc,
-# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
+# logger, lua, perl, python, relay, ruby, script, tcl, trigger, xferloading plugins
\ No newline at end of file
diff --git a/firejail/wesnoth.profile b/firejail/wesnoth.profile
index bb489dd..2ddb59d 100644
--- a/firejail/wesnoth.profile
+++ b/firejail/wesnoth.profile
@@ -15,7 +15,8 @@ protocol unix,inet,inet6
seccomp
private-dev
-private-tmp
+
+whitelist /tmp/.X11-unix
mkdir ${HOME}/.local/share/wesnoth
mkdir ${HOME}/.config/wesnoth
diff --git a/firejail/wget.profile b/firejail/wget.profile
deleted file mode 100644
index ff4b92b..0000000
--- a/firejail/wget.profile
+++ /dev/null
@@ -1,24 +0,0 @@
-# wget profile
-quiet
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-nogroups
-nosound
-no3d
-protocol unix,inet,inet6
-seccomp
-shell none
-
-blacklist /tmp/.X11-unix
-
-# private-bin wget
-# private-etc resolv.conf
-private-dev
-private-tmp
-
diff --git a/firejail/whitelist-common.inc b/firejail/whitelist-common.inc
index cf77971..a3ba768 100644
--- a/firejail/whitelist-common.inc
+++ b/firejail/whitelist-common.inc
@@ -17,7 +17,6 @@ whitelist ~/.fonts.d
whitelist ~/.fontconfig
whitelist ~/.fonts.conf
whitelist ~/.fonts.conf.d
-whitelist ~/.local/share/fonts
whitelist ~/.config/fontconfig
whitelist ~/.cache/fontconfig
diff --git a/firejail/whitelist-common.local b/firejail/whitelist-common.local
deleted file mode 100644
index 7194622..0000000
--- a/firejail/whitelist-common.local
+++ /dev/null
@@ -1 +0,0 @@
-# This file is meant for local customizations of whitelist-common.inc
diff --git a/firejail/wire.profile b/firejail/wire.profile
deleted file mode 100644
index ec8ed87..0000000
--- a/firejail/wire.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# wire messenger profile
-noblacklist ~/.config/Wire
-noblacklist ~/.config/wire
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nonewprivs
-nogroups
-noroot
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-
-private-tmp
-private-dev
-
-# Note: the current beta version of wire is located in /opt/Wire/wire and therefore not in PATH.
-# To use wire with firejail run "firejail /opt/Wire/wire"
diff --git a/firejail/wireshark.profile b/firejail/wireshark.profile
deleted file mode 100644
index 898fc78..0000000
--- a/firejail/wireshark.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Firejail profile for
-noblacklist ${HOME}/.config/wireshark
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6,netlink
-seccomp
-shell none
-tracelog
-
-private-bin wireshark
-private-dev
-private-tmp
diff --git a/firejail/xed.profile b/firejail/xed.profile
deleted file mode 100644
index 051710a..0000000
--- a/firejail/xed.profile
+++ /dev/null
@@ -1,21 +0,0 @@
-# Firejail profile for Xed
-noblacklist ${HOME}/.config/xed
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-net none
-nogroups
-nonewprivs
-noroot
-nosound
-seccomp
-shell none
-tracelog
-
-private-bin xed
-private-dev
-private-tmp
diff --git a/firejail/xfburn.profile b/firejail/xfburn.profile
deleted file mode 100644
index 1dd24aa..0000000
--- a/firejail/xfburn.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# xfburn profile
-noblacklist ~/.config/xfburn
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix
-seccomp
-netfilter
-shell none
-tracelog
-
-# private-bin xfburn
-# private-tmp
-# private-dev
-# private-etc fonts
diff --git a/firejail/xiphos.profile b/firejail/xiphos.profile
deleted file mode 100644
index b7fb6ec..0000000
--- a/firejail/xiphos.profile
+++ /dev/null
@@ -1,30 +0,0 @@
-# Firejail profile for xiphos
-noblacklist ~/.sword
-noblacklist ~/.xiphos
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-programs.inc
-
-blacklist ~/.bashrc
-blacklist ~/.Xauthority
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-protocol unix,inet,inet6
-seccomp
-shell none
-tracelog
-
-private-bin xiphos
-private-etc fonts,resolv.conf,sword
-private-dev
-private-tmp
-
-whitelist ${HOME}/.sword
-whitelist ${HOME}/.xiphos
diff --git a/firejail/xonotic-glx.profile b/firejail/xonotic-glx.profile
deleted file mode 100644
index b255ffd..0000000
--- a/firejail/xonotic-glx.profile
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-#Profile for xonotic:xonotic-glx
-#
-
-include /etc/firejail/xonotic.profile
diff --git a/firejail/xonotic-sdl.profile b/firejail/xonotic-sdl.profile
deleted file mode 100644
index 7836673..0000000
--- a/firejail/xonotic-sdl.profile
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-#Profile for xonotic:xonotic-sdl
-#
-
-include /etc/firejail/xonotic.profile
diff --git a/firejail/xonotic.profile b/firejail/xonotic.profile
deleted file mode 100644
index 75d6496..0000000
--- a/firejail/xonotic.profile
+++ /dev/null
@@ -1,25 +0,0 @@
-#
-#Profile for xonotic
-#
-
-#No Blacklist Paths
-noblacklist ${HOME}/.xonotic
-
-#Blacklist Paths
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-passwdmgr.inc
-include /etc/firejail/disable-devel.inc
-
-#Whitelist Paths
-mkdir ${HOME}/.xonotic
-whitelist ${HOME}/.xonotic
-include /etc/firejail/whitelist-common.inc
-
-#Options
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
diff --git a/firejail/xpdf.profile b/firejail/xpdf.profile
index 7ea368b..e036fba 100644
--- a/firejail/xpdf.profile
+++ b/firejail/xpdf.profile
@@ -7,12 +7,15 @@ include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
-net none
+shell none
nonewprivs
noroot
protocol unix
-shell none
seccomp
-
private-dev
private-tmp
+net none
+
+
+
+
diff --git a/firejail/xplayer.profile b/firejail/xplayer.profile
index 191d2f6..54d5ed8 100644
--- a/firejail/xplayer.profile
+++ b/firejail/xplayer.profile
@@ -9,8 +9,8 @@ include /etc/firejail/disable-passwdmgr.inc
caps.drop all
netfilter
-nogroups
nonewprivs
+nogroups
noroot
protocol unix,inet,inet6
seccomp
diff --git a/firejail/xpra.profile b/firejail/xpra.profile
deleted file mode 100644
index 32be90b..0000000
--- a/firejail/xpra.profile
+++ /dev/null
@@ -1,23 +0,0 @@
-# xpra profile
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-include /etc/firejail/disable-passwdmgr.inc
-
-caps.drop all
-netfilter
-nogroups
-nonewprivs
-noroot
-nosound
-shell none
-seccomp
-protocol unix,inet,inet6
-
-# blacklist /tmp/.X11-unix
-
-# private-bin
-private-dev
-private-tmp
-# private-etc
-
diff --git a/firejail/xviewer.profile b/firejail/xviewer.profile
index ca380b4..cbb59d1 100644
--- a/firejail/xviewer.profile
+++ b/firejail/xviewer.profile
@@ -1,4 +1,3 @@
-# xviewer profile
noblacklist ~/.config/xviewer
include /etc/firejail/disable-common.inc
diff --git a/firejail/xzdec.profile b/firejail/xzdec.profile
index 6164e32..a9d027c 100644
--- a/firejail/xzdec.profile
+++ b/firejail/xzdec.profile
@@ -2,13 +2,11 @@
quiet
ignore noroot
include /etc/firejail/default.profile
-
-blacklist /tmp/.X11-unix
-
+tracelog
net none
-no3d
-nosound
shell none
-tracelog
-
+blacklist /tmp/.X11-unix
private-dev
+nosound
+no3d
+
diff --git a/firejail/zathura.profile b/firejail/zathura.profile
index 6c93a24..7093c52 100644
--- a/firejail/zathura.profile
+++ b/firejail/zathura.profile
@@ -7,20 +7,14 @@ include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc
caps.drop all
+seccomp
+protocol unix
netfilter
-net none
-nogroups
nonewprivs
noroot
+nogroups
nosound
shell none
-seccomp
-protocol unix
private-bin zathura
private-dev
-private-etc fonts
-private-tmp
-
-read-only ~/
-read-write ~/.local/share/zathura/
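Review bot: The new zathura profile no longer carries `net none`, `private-etc fonts`, `private-tmp` or the `read-only ~/` / `read-write ~/.local/share/zathura/` pair, which loosens the sandbox for a viewer whose job is parsing untrusted documents. Without `net none` the process shares the host network namespace, and `netfilter` only takes effect when a new network namespace is created, so `protocol unix` is the only network restriction left. The home directory also becomes writable apart from what the disable-*.inc includes blacklist. Unless the installed firejail rejects these directives, keep `net none`, `private-tmp` and `read-only ~/` with `read-write ~/.local/share/zathura/`. The top of the profile lies outside this hunk.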
diff --git a/firejail/zoom.profile b/firejail/zoom.profile
deleted file mode 100644
index 4c08868..0000000
--- a/firejail/zoom.profile
+++ /dev/null
@@ -1,22 +0,0 @@
-# Firejail profile for zoom.us
-noblacklist ~/.config/zoomus.conf
-
-include /etc/firejail/disable-common.inc
-include /etc/firejail/disable-programs.inc
-include /etc/firejail/disable-devel.inc
-
-
-# Whitelists
-
-mkdir ~/.zoom
-whitelist ~/.zoom
-
-
-caps.drop all
-netfilter
-nonewprivs
-noroot
-protocol unix,inet,inet6
-seccomp
-
-private-tmp
diff --git a/fstab.sample b/fstab.sample
deleted file mode 100644
index 9465498..0000000
--- a/fstab.sample
+++ /dev/null
@@ -1,6 +0,0 @@
-# <file system> <mount point> <type> <options> <dump> <pass>
-/dev/xvda1 / ext3 errors=remount-ro,noatime,barrier=0 0 1
-/dev/xvda2 /home ext4 defaults,nosuid,nodev,usrquota 0 2
-proc /proc proc defaults,hidepid=2 0 0
-udev /dev devtmpfs defaults,nosuid,noatime 0 0
-devpts /dev/pts devpts defaults,newinstance,ptmxmode=0666 0 0
diff --git a/gemrc b/gemrc
deleted file mode 100644
index e3c25e1..0000000
--- a/gemrc
+++ /dev/null
@@ -1 +0,0 @@
-gem: --user-install --bindir ~/.gem/bin
diff --git a/gnupg/README.md b/gnupg/README.md
deleted file mode 100644
index 5b1f640..0000000
--- a/gnupg/README.md
+++ /dev/null
@@ -1,23 +0,0 @@
-# #! role keyrings
-
-This folder contains OpenPGP keyrings that correspond to
-roles in Hashbang. The only current role is “admins”,
-and the keyring is used to check signatures on data that is
-fetched from Git.
-
-
-
-## Creating and updating keyrings
-
-Each keyring is a OpenPGP binary file, and keys should be
-exported with options `export-minimal` and `export-clean`.
-
-For instance, the `hashbang-admins.gpg` keyring can be
-generated as follows, from the list of keys in the `pass(1)`
-password database:
-
- export GNUPGHOME=$(mktemp -d);
- cat ~/.password-store/Hashbang/.gpg-id | cut -d' ' -f1 | \
- xargs gpg --keyserver pgp.mit.edu --recv-key
- gpg --export > hashbang-admins.gpg
- unzer GNUPGHOME
diff --git a/gnupg/hashbang-admins.gpg b/gnupg/hashbang-admins.gpg
deleted file mode 120000
index 3f899bd..0000000
--- a/gnupg/hashbang-admins.gpg
+++ /dev/null
@@ -1 +0,0 @@
-/var/lib/hashbang/admins.gpg
\ No newline at end of file
diff --git a/group b/group
index 8328899..374c70a 100644
--- a/group
+++ b/group
@@ -18,7 +18,7 @@ voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
-sudo:x:27:
+sudo:x:27:username
audio:x:29:
dip:x:30:
www-data:x:33:
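Review bot: The `sudo` line now lists a member called `username`, while the only personal group added by this change is `cmccabe` (second hunk). If `username` is a redaction this is fine. If it is the literal file content, the entry gives full sudo rights to whichever account is later created under that name, and presumably not to the intended administrator. Name the real account explicitly, for example `sudo:x:27:cmccabe`, and confirm the result with `getent group sudo`.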
@@ -43,25 +43,27 @@ systemd-timesync:x:103:
systemd-network:x:104:
systemd-resolve:x:105:
systemd-bus-proxy:x:106:
-crontab:x:107:
-netdev:x:108:
-Debian-exim:x:109:
+netdev:x:107:
+ssh:x:108:
+crontab:x:109:
messagebus:x:110:
-mlocate:x:111:
-ssh:x:112:
+scanner:x:111:saned
+kvm:x:112:
+nslcd:x:113:
ssl-cert:x:114:
postfix:x:115:
postdrop:x:116:
-nslcd:x:117:
-utempter:x:118:
-glances:x:119:
-oident:x:113:
-bitlbee:x:120:
-_cvsadmin:x:121:
-redis:x:122:
-epmd:x:123:
-kvm:x:124:
-unbound:x:125:
-debian-tor:x:127:
-ntpd:x:126:
-dirmngr:x:128:
+bitlbee:x:117:
+colord:x:118:
+_cvsadmin:x:119:
+dirmngr:x:120:
+epmd:x:121:
+utempter:x:122:
+ntpd:x:123:
+redis:x:124:
+saned:x:125:
+debian-tor:x:126:
+unbound:x:127:
+oident:x:128:
+glances:x:129:
+cmccabe:x:1000:
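Review bot: Several system groups change their numeric GID in this hunk (`crontab` 107→109, `ssh` 112→108, `kvm` 124→112, `nslcd` 117→113, `utempter` 118→122, `debian-tor` 127→126 and others), and files on disk record the number, not the name. If this file is applied to an existing system rather than describing a fresh install, anything group-owned by an old GID silently changes hands: what belonged to `ssh` (112) now belongs to `kvm`, and what belonged to `debian-tor` (127) now belongs to `unbound`. `Debian-exim` and `mlocate` are removed outright, so leftovers with GIDs 109 and 111 end up owned by `crontab` and `scanner`. Audit each moved GID with `find / -xdev -gid N` and re-own the results, paying particular attention to setgid binaries and spool or state directories.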
diff --git a/hashbang/welcome b/hashbang/welcome
deleted file mode 100755
index 41c54b8..0000000
--- a/hashbang/welcome
+++ /dev/null
@@ -1,11 +0,0 @@
-#!/bin/sh
-
-cat /etc/hashbang/welcome.pre
-
-if [ -n "$TMUX" ]; then
- sed "s/\\\$USER/${USER}/" /etc/hashbang/welcome.tmux
-else
- sed "s/\\\$USER/${USER}/" /etc/hashbang/welcome.notmux
-fi
-
-cat /etc/hashbang/welcome.post
diff --git a/hashbang/welcome.notmux b/hashbang/welcome.notmux
deleted file mode 100644
index 030e417..0000000
--- a/hashbang/welcome.notmux
+++ /dev/null
@@ -1,11 +0,0 @@
- Things to explore:
-
- * You can start 'tmux' to enter a tmux session.
- Help will be displayed when tmux is started.
-
- * You can resume a detached tmux session at any time.
- Use 'tmux attach' to resume your tmux session.
-
- * Your Hashbang email address is $USER@hashbang.sh
- The `mutt` email client is preconfigured for you.
-
diff --git a/hashbang/welcome.post b/hashbang/welcome.post
deleted file mode 100644
index 32ccd9c..0000000
--- a/hashbang/welcome.post
+++ /dev/null
@@ -1,8 +0,0 @@
- * To learn more about us and our offerings type: man hashbang
-
- Like what we're doing? Consider donating to expand our efforts.
- * Bitcoin - [ 1DtTvCLiUMhs21QcETQzLyiqxoopUjqBSU ]
- * Google Wallet - [ donate@hashbang.sh ]
- * PayPal - [ http://goo.gl/aSQWy0 ]
-
- Community shell servers generously sponsored by: (http://atlantic.net)
diff --git a/hashbang/welcome.pre b/hashbang/welcome.pre
deleted file mode 100644
index bea2afd..0000000
--- a/hashbang/welcome.pre
+++ /dev/null
@@ -1,7 +0,0 @@
- _ _ __
- _| || |_ | | Welcome to #!. This network has three rules:
-|_ __ _|| |
- _| || |_ | | 1. When people need help, teach. Don't do it for them
-|_ __ _||__| 2. Don't use our resources for closed source projects
- |_||_| (__) 3. Be excellent to each other
-
diff --git a/hashbang/welcome.tmux b/hashbang/welcome.tmux
deleted file mode 100644
index 37b7e34..0000000
--- a/hashbang/welcome.tmux
+++ /dev/null
@@ -1,14 +0,0 @@
- Things to explore:
-
- * You are in a 'tmux' session. There are three tabs below.
- Navigate with <Ctrl-b> + a tab number.
-
- * You are already in our IRC channel in "tab 1"
- Type <Ctrl-B> + 1 to reach it and chat with us.
-
- * Your Hashbang email address is: $USER@hashbang.sh
- Type <Ctrl-B> + 2 to check your emails in mutt
-
- * You can detach from this tmux session with <Ctrl-b> + <d>
- You can also re-attach outside of tmux with 'tmux attach'
-
diff --git a/init.d/nova-agent b/init.d/nova-agent
deleted file mode 120000
index 35b6c58..0000000
--- a/init.d/nova-agent
+++ /dev/null
@@ -1 +0,0 @@
-/usr/share/nova-agent/1.39.1/etc/generic/nova-agent
\ No newline at end of file
diff --git a/init.d/openntpd b/init.d/openntpd
index 8ad65ef..e3e29db 100755
--- a/init.d/openntpd
+++ b/init.d/openntpd
@@ -34,10 +34,6 @@ set -e
case "$1" in
start)
- if [ ! -d "/var/run/openntpd" ]; then
- mkdir -p /var/run/openntpd
- fi
-
echo -n "Starting $DESC: "
if status_of_proc "$DAEMON" $DESC > /dev/null; then
log_begin_msg "Already running."
@@ -49,13 +45,14 @@ case "$1" in
stop)
echo -n "Stopping $DESC: "
- start-stop-daemon --stop --oknodo --quiet --retry=TERM/30/KILL/5 --user root --exec $DAEMON
+ start-stop-daemon --stop --oknodo --quiet --user root --exec $DAEMON
echo "$NAME."
;;
restart|force-reload)
echo -n "Restarting $DESC: "
- start-stop-daemon --stop --oknodo --quiet --retry=TERM/30/KILL/5 --user root --exec $DAEMON
+ start-stop-daemon --stop --oknodo --quiet --user root --exec $DAEMON
+ sleep 1
start-stop-daemon --start --quiet --exec $DAEMON -- $DAEMON_OPTS
echo "$NAME."
;;
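Review bot: Both `stop` and `restart` lose `--retry=TERM/30/KILL/5`, so `start-stop-daemon --stop` now returns as soon as the signal is sent, and the restart path relies on a fixed `sleep 1` before starting the new daemon. If the old process has not exited within that second, the `--start` call races it, and with `set -e` active (see the first hunk's header) a failing start aborts the script before the closing `echo`. Waiting for the process is more reliable than sleeping: keep `start-stop-daemon --stop --oknodo --quiet --retry=TERM/30/KILL/5 --user root --exec $DAEMON` and drop `sleep 1`. The first hunk also removes the creation of /var/run/openntpd; if the daemon still expects that directory it has to be provided elsewhere, which is not visible here.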
diff --git a/init.d/resolvconf b/init.d/resolvconf
deleted file mode 100755
index c478014..0000000
--- a/init.d/resolvconf
+++ /dev/null
@@ -1,135 +0,0 @@
-#!/bin/sh
-#
-### BEGIN INIT INFO
-# Provides: resolvconf
-# Required-Start: $local_fs
-# Required-Stop: $local_fs
-# X-Start-Before: networking ifupdown
-# Default-Start: S
-# Default-Stop: 0 6
-# Short-Description: Nameserver information manager
-# Description: This service manages the list of nameserver addresses
-# used by the libc resolver and name service caches
-### END INIT INFO
-#
-# This file is part of the resolvconf package.
-#
-# We really need "X-Stop-Before: networking ifupdown" too because
-# terminal ifdowns shouldn't update resolv.conf;
-# however there is unfortunately no such thing as "X-Stop-Before".
-#
-# This file is not used in Ubuntu.
-#
-
-# Don't use set -e; check return status instead.
-
-[ -x /sbin/resolvconf ] || exit 0
-
-PATH=/sbin:/bin
-RUN_DIR=/etc/resolvconf/run
-ENABLE_UPDATES_FLAGFILE="${RUN_DIR}/enable-updates"
-POSTPONED_UPDATE_FLAGFILE="${RUN_DIR}/postponed-update"
-
-. /lib/lsb/init-functions
-
-# Abort if Upstart is in use, as per Policy §9.11.1.
-case "$1" in
- start|restart|force-reload)
- init_is_upstart && exit 1
- ;;
- stop)
- init_is_upstart && exit 0
- ;;
-esac
-
-# $1 EXITSTATUS
-# [$2 MESSAGE]
-log_action_end_msg_and_exit()
-{
- log_action_end_msg "$1" ${2:+"$2"}
- exit $1
-}
-
-create_runtime_directories()
-{
- umask 022
- if [ ! -d "$RUN_DIR" ] ; then
- [ -L "$RUN_DIR" ] || log_action_end_msg_and_exit 1 "$RUN_DIR is neither a directory nor a symbolic link"
- # It's a symlink. Its target is not a dir.
- { RUN_CANONICALDIR="$(readlink -f "$RUN_DIR")" && [ "$RUN_CANONICALDIR" ] ; } || log_action_end_msg_and_exit 1 "Canonical path of the run directory could not be determined"
- # Create directory at the target
- mkdir "$RUN_CANONICALDIR" || log_action_end_msg_and_exit 1 "Error creating directory $RUN_CANONICALDIR"
- fi
- # The resolvconf run directory now exists.
- if [ ! -d "${RUN_DIR}/interface" ] ; then
- mkdir "${RUN_DIR}/interface" || log_action_end_msg_and_exit 1 "Error creating directory ${RUN_DIR}/interface"
- fi
- # The interface directory now exists. We are done.
- return
-}
-
-wipe_runtime_directories()
-{
- # Delete files in the resolvconf run directory (target) but not the directory itself
- [ -d "$RUN_DIR" ] || return
- rm -f "$RUN_DIR"/resolv.conf
- rm -f "$ENABLE_UPDATES_FLAGFILE"
- rm -f "$POSTPONED_UPDATE_FLAGFILE"
- rm -rf "${RUN_DIR}/interface/*"
- return
-}
-
-case "$1" in
- start)
- # The "start" method should only be used at boot time.
- # Don't run this on package upgrade, for example.
- log_action_begin_msg "Setting up resolvconf"
- # Wipe runtime directories in case they aren't on a tmpfs
- wipe_runtime_directories
- # Create runtime directories in case they are on a tmpfs
- create_runtime_directories
- # Request a postponed update (needed in case the base file has content).
- :> "$POSTPONED_UPDATE_FLAGFILE" || log_action_end_msg_and_exit 1 "failed requesting update"
- # Enable updates and perform the postponed update.
- resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates"
- log_action_end_msg_and_exit 0
- ;;
- stop)
- # The "stop" method should only be used at shutdown time.
- log_action_begin_msg "Stopping resolvconf"
- resolvconf --disable-updates || log_action_end_msg_and_exit 1 "failed to disable updates"
- log_action_end_msg_and_exit 0
- ;;
- restart)
- log_action_begin_msg "Restarting resolvconf"
- resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates"
- log_action_end_msg_and_exit 0
- ;;
- reload|force-reload)
- resolvconf -u || log_action_end_msg_and_exit 1 "failed to update"
- exit 0
- ;;
- enable-updates)
- resolvconf --enable-updates || log_action_end_msg_and_exit 1 "failed to enable updates"
- exit 0
- ;;
- disable-updates)
- resolvconf --disable-updates || log_action_end_msg_and_exit 1 "failed to disable updates"
- exit 0
- ;;
- status)
- if resolvconf --updates-are-enabled ; then
- log_success_msg "resolvconf updates are enabled"
- else
- log_failure_msg "resolvconf updates are disabled"
- fi
- exit 0
- ;;
- *)
- echo "Usage: /etc/init.d/resolvconf {start|stop|restart|reload|force-reload|enable-updates|disable-updates|status}" >&2
- exit 3
- ;;
-esac
-
-# Don't reach here
-exit 99
diff --git a/init.d/tor b/init.d/tor
index 1a89828..4170b6d 100755
--- a/init.d/tor
+++ b/init.d/tor
@@ -99,7 +99,7 @@ wait_for_deaddaemon () {
check_torpiddir () {
if test ! -d $TORPIDDIR; then
- mkdir -m 02755 "$TORPIDDIR"
+ mkdir -m 02750 "$TORPIDDIR"
chown debian-tor:debian-tor "$TORPIDDIR"
! [ -x /sbin/restorecon ] || /sbin/restorecon "$TORPIDDIR"
fi
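Review bot: The tighter `02750` mode only applies when the directory does not exist yet, because the `mkdir` sits inside `if test ! -d $TORPIDDIR`; a directory left over with the old `02755` mode keeps it. If the intent is that other users can no longer list the pid directory, set the mode unconditionally after the `fi`, e.g. `chmod 02750 "$TORPIDDIR"`. The test should also quote the variable: `if test ! -d "$TORPIDDIR"; then`. The closing brace of check_torpiddir is outside the hunk.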
@@ -154,12 +154,11 @@ case "$1" in
log_action_end_msg 0 "already running"
else
if [ "$USE_AA_EXEC" = "yes" ] &&
- command -v aa-status > /dev/null &&
- command -v aa-exec > /dev/null &&
+ [ -x /usr/sbin/aa-status ] && \
+ [ -x /usr/sbin/aa-exec ] && \
[ -e /etc/apparmor.d/system_tor ] && \
- aa-status --enabled ; then
- AA_EXEC_PATH=$(command -v aa-exec)
- AA_EXEC="--startas $AA_EXEC_PATH"
+ /usr/sbin/aa-status --enabled ; then
+ AA_EXEC="--startas /usr/sbin/aa-exec"
AA_EXEC_ARGS="--profile=system_tor -- $DAEMON"
else
AA_EXEC=""
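Review bot: The AppArmor checks now test fixed paths (`[ -x /usr/sbin/aa-status ]`, `[ -x /usr/sbin/aa-exec ]`), so on a system that installs these tools elsewhere the condition is false and the script takes the `else` branch with `AA_EXEC=""`. Tor then starts unconfined without any message, although `USE_AA_EXEC=yes` is an explicit request for confinement. Log the fallback, for instance `[ "$USE_AA_EXEC" != "yes" ] || log_warning_msg "AppArmor confinement requested but not available; starting tor unconfined"` as the first line of the `else` branch. The enclosing `case` branch begins and ends outside the hunk.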
diff --git a/init.d/unbound b/init.d/unbound
index 5519daf..cb989a9 100755
--- a/init.d/unbound
+++ b/init.d/unbound
@@ -9,67 +9,152 @@
### END INIT INFO
# pidfile: /run/unbound.pid
-NAME="unbound"
-DESC="DNS server"
-DAEMON="/usr/sbin/unbound"
-PIDFILE="/run/unbound.pid"
-
-HELPER="/usr/lib/unbound/package-helper"
+NAME=unbound
+DESC="recursive DNS server"
+DAEMON=/usr/sbin/unbound
+PIDFILE="/var/run/unbound.pid"
test -x $DAEMON || exit 0
+test -x ${DAEMON}-checkconf || exit 0
. /lib/lsb/init-functions
-# Override this variable by editing or creating /etc/default/unbound.
-DAEMON_OPTS=""
+UNBOUND_ENABLE=true
+UNBOUND_CONF=/etc/unbound/unbound.conf
+UNBOUND_BASE_DIR=$(dirname $UNBOUND_CONF)
+CHROOT_DIR=$(awk '{if ($1 ~ "^chroot" && $2 != "\"\"") print $2}' $UNBOUND_CONF|sed -e "s#\"##g")
+ROOT_TRUST_ANCHOR_UPDATE=false
+ROOT_TRUST_ANCHOR_FILE=/var/lib/unbound/root.key
+RESOLVCONF=false
+RESOLVCONF_FORWARDERS=false
-if [ -f /etc/default/unbound ]; then
- . /etc/default/unbound
+if [ -f /etc/default/$NAME ]; then
+ . /etc/default/$NAME
+ case "x$UNBOUND_ENABLE" in
+ xtrue|x1|xyes)
+ UNBOUND_ENABLE=true
+ ;;
+ *)
+ UNBOUND_ENABLE=false
+ ;;
+ esac
+ case "x$ROOT_TRUST_ANCHOR_UPDATE" in
+ xtrue|x1|xyes)
+ ROOT_TRUST_ANCHOR_UPDATE=true
+ ;;
+ *)
+ ROOT_TRUST_ANCHOR_UPDATE=false
+ ;;
+ esac
+ case "x$RESOLVCONF" in
+ xtrue|x1|xyes)
+ RESOLVCONF=true
+ ;;
+ *)
+ RESOLVCONF=false
+ esac
+ case "x$RESOLVCONF_FORWARDERS" in
+ xtrue|x1|xyes)
+ RESOLVCONF_FORWARDERS=true
+ ;;
+ *)
+ RESOLVCONF_FORWARDERS=false
+ esac
fi
+do_resolvconf_start() {
+ if $RESOLVCONF; then
+ if [ -x /sbin/resolvconf ]; then
+ unbound-checkconf $CHROOT_DIR/$UNBOUND_CONF -o interface | (
+ default=yes
+ while read interface; do
+ default=no
+ if [ "x$interface" = x0.0.0.0 -o "x$interface" = x127.0.0.1 ]; then
+ echo "nameserver 127.0.0.1"
+ elif [ "x$interface" = x::0 -o "x$interface" = x::1 ]; then
+ echo "nameserver ::1"
+ fi
+ done
+ if [ $default = yes ]; then
+ # unbound defaults to listening on localhost
+ echo "nameserver 127.0.0.1"
+ fi
+ ) | /sbin/resolvconf -a lo.unbound
+ fi
+ fi
+}
+
+do_resolvconf_stop() {
+ if $RESOLVCONF; then
+ if [ -x /sbin/resolvconf ]; then
+ /sbin/resolvconf -d lo.unbound
+ fi
+ fi
+}
+
+do_chroot_setup() {
+ if [ -d "$CHROOT_DIR" -a "$CHROOT_DIR" != "$UNBOUND_BASE_DIR" ]; then
+ cd /
+ tar --overwrite -cf - $(echo $UNBOUND_BASE_DIR | sed 's#^/##') | (cd $CHROOT_DIR && tar -xf -)
+ fi
+}
+
case "$1" in
start)
- log_daemon_msg "Starting $DESC" "$NAME"
- $HELPER chroot_setup
- $HELPER root_trust_anchor_update 2>&1 | logger -p daemon.info -t unbound-anchor
- if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
- $HELPER resolvconf_start
- log_end_msg 0
+ if $UNBOUND_ENABLE; then
+ do_chroot_setup
+ if $ROOT_TRUST_ANCHOR_UPDATE; then
+ unbound-anchor -a $ROOT_TRUST_ANCHOR_FILE -v 2>&1 | logger -p daemon.info -t unbound-anchor
+ chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE
+ fi
+ log_daemon_msg "Starting $DESC" "$NAME"
+ if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
+ do_resolvconf_start
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
else
- log_end_msg 1
+ log_warning_msg "Not starting $DESC $NAME, disabled via /etc/default/$NAME"
fi
;;
stop)
- log_daemon_msg "Stopping $DESC" "$NAME"
- if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME --retry 5; then
- $HELPER resolvconf_stop
- log_end_msg 0
- else
- log_end_msg 1
+ if $UNBOUND_ENABLE; then
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ if start-stop-daemon --stop --quiet --oknodo --pidfile $PIDFILE --name $NAME --retry 5; then
+ do_resolvconf_stop
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
fi
;;
restart|force-reload)
- log_daemon_msg "Restarting $DESC" "$NAME"
- start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5
- $HELPER resolvconf_stop
- if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
- $HELPER chroot_setup
- $HELPER resolvconf_start
- log_end_msg 0
- else
- log_end_msg 1
+ if $UNBOUND_ENABLE; then
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ start-stop-daemon --stop --quiet --pidfile $PIDFILE --name $NAME --retry 5
+ do_resolvconf_stop
+ if start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --name $NAME --startas $DAEMON -- $DAEMON_OPTS; then
+ do_chroot_setup
+ do_resolvconf_start
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
fi
;;
reload)
- log_daemon_msg "Reloading $DESC" "$NAME"
- if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then
- $HELPER chroot_setup
- log_end_msg 0
- else
- log_end_msg 1
+ if $UNBOUND_ENABLE; then
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ if start-stop-daemon --stop --pidfile $PIDFILE --signal 1; then
+ do_chroot_setup
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
fi
;;
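Review bot: `DAEMON_OPTS` is no longer initialised (the `DAEMON_OPTS=""` default was dropped) but is still expanded in every `start-stop-daemon --start ... -- $DAEMON_OPTS` line, so unless /etc/default/unbound sets it the daemon receives whatever the caller's environment contains; add `DAEMON_OPTS=""` next to the other defaults. `unbound-checkconf` and `unbound-anchor` are run by bare name although the script only verifies `${DAEMON}-checkconf`, which makes a root init script depend on the inherited PATH; call them by absolute path, e.g. `${DAEMON}-checkconf`. In `do_chroot_setup`, `$CHROOT_DIR` is parsed out of unbound.conf and then used unquoted in `(cd $CHROOT_DIR && tar -xf -)`; quote it as `cd "$CHROOT_DIR"`. `chown unbound:unbound $ROOT_TRUST_ANCHOR_FILE` runs as root and follows symlinks, so if /var/lib/unbound is writable by the unbound user (not visible here) `chown -h` is the safer form. The `case` statement continues past this hunk.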
@@ -84,4 +169,4 @@ case "$1" in
;;
esac
-exit 0
+exit 0;
diff --git a/init.d/xe-linux-distribution b/init.d/xe-linux-distribution
deleted file mode 100755
index 26c7f5b..0000000
--- a/init.d/xe-linux-distribution
+++ /dev/null
@@ -1,105 +0,0 @@
-#!/bin/bash
-#
-# xe-linux-distribution Write Linux distribution information to XenStore.
-#
-# chkconfig: 2345 14 86
-# description: Writes Linux distribution version information to XenStore.
-#
-### BEGIN INIT INFO
-# Provides: xe-linux-distribution
-# Required-Start: $local_fs
-# Required-Stop: $local_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: XenServer Virtual Machine daemon providing host integration services
-# Description: Writes Linux distribution version information to XenStore.
-### END INIT INFO
-
-LANG="C"
-export LANG
-
-if [ -f /etc/init.d/functions ] ; then
-. /etc/init.d/functions
-else
-action()
-{
- descr=$1 ; shift
- cmd=$@
- echo -n "$descr "
- $cmd
- ret=$?
- if [ $ret -eq 0 ] ; then
- echo "OK"
- else
- echo "Failed"
- fi
- return $ret
-}
-fi
-
-XE_LINUX_DISTRIBUTION=/usr/sbin/xe-linux-distribution
-XE_LINUX_DISTRIBUTION_CACHE=/var/cache/xe-linux-distribution
-XE_DAEMON=/usr/sbin/xe-daemon
-XE_DAEMON_PIDFILE=/var/run/xe-daemon.pid
-
-if [ ! -x "${XE_LINUX_DISTRIBUTION}" ] ; then
- exit 0
-fi
-
-start()
-{
- if [ ! -e /proc/xen/xenbus ] ; then
- if [ ! -d /proc/xen ] ; then
- action $"Mounting xenfs on /proc/xen:" /bin/false
- echo "Could not find /proc/xen directory."
- echo "You need a post 2.6.29-rc1 kernel with CONFIG_XEN_COMPAT_XENFS=y and CONFIG_XENFS=y|m"
- exit 1
- else
- # This is needed post 2.6.29-rc1 when /proc/xen support was pushed upstream as a xen filesystem
- action $"Mounting xenfs on /proc/xen:" mount -t xenfs none /proc/xen
- fi
- fi
-
- if [ -e /proc/xen/capabilities ] && grep -q control_d /proc/xen/capabilities ; then
- # Do not want daemon in domain 0
- exit 0
- fi
-
- action $"Detecting Linux distribution version:" \
- ${XE_LINUX_DISTRIBUTION} ${XE_LINUX_DISTRIBUTION_CACHE}
-
- action $"Starting xe daemon: " /bin/true
- mkdir -p $(dirname ${XE_DAEMON_PIDFILE})
- # This is equivalent to daemon() in C
- ( exec &>/dev/null ; ${XE_DAEMON} -p ${XE_DAEMON_PIDFILE} & )
-}
-
-stop()
-{
- action $"Stopping xe daemon: " kill -TERM $(cat ${XE_DAEMON_PIDFILE})
-}
-
-# fail silently if not running xen
-if [ ! -d /proc/xen ]; then
- exit
-fi
-
-case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- force-reload|restart)
- stop
- start
- ;;
- *)
- # do not advertise unreasonable commands that there is no reason
- # to use with this device
- echo $"Usage: $0 start|restart"
- exit 1
-esac
-
-exit $?
diff --git a/init/resolvconf.conf b/init/resolvconf.conf
deleted file mode 100644
index 9346011..0000000
--- a/init/resolvconf.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# upstart script for resolvconf
-
-description "Initialize or finalize resolvconf"
-
-start on mounted MOUNTPOINT=/run
-
-stop on runlevel [06]
-
-pre-start script
- mkdir -p /run/resolvconf/interface
- # Request a postponed update (needed in case the base file has content).
- touch /run/resolvconf/postponed-update
- # Enable updates and perform the postponed update.
- resolvconf --enable-updates
-end script
-
-post-stop script
- resolvconf --disable-updates
-end script
diff --git a/initramfs-tools/scripts/repartition-drive b/initramfs-tools/scripts/repartition-drive
deleted file mode 100644
index d29c520..0000000
--- a/initramfs-tools/scripts/repartition-drive
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-mount | grep /dev/sda && echo "/dev/sda mounted. Aborting" && exit
-test -e /dev/sda2 && echo "/dev/sda2 already exists. Aborting" && exit
-
-mkdir /mnt
-modprobe ext4
-mount /dev/sda1 /mnt
-cp -R /mnt/lib /
-cp -R /mnt/lib64 /
-cp -R /mnt/bin /
-cp -R /mnt/sbin /
-cp -R /mnt/usr /
-umount /dev/sda1
-e2fsck -f /dev/sda1
-resize2fs /dev/sda1 20G
-echo -e "d\nn\n\n\n\n+20G\nn\np\n\n\n\nw\n" | fdisk /dev/sda
-mkfs.ext4 /dev/sda2
diff --git a/inittab b/inittab
index 04eabd6..7e27663 100644
--- a/inittab
+++ b/inittab
@@ -1,24 +1,5 @@
-# /etc/inittab: init(8) configuration.
-# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $
-
-# The default runlevel.
-id:2:initdefault:
-
-# Boot-time system configuration/initialization script.
-# This is run first except when booting in emergency (-b) mode.
+id:3:initdefault:
si::sysinit:/etc/init.d/rcS
-
-# What to do in single-user mode.
-~~:S:wait:/sbin/sulogin
-
-# /etc/init.d executes the S and K scripts upon change
-# of runlevel.
-#
-# Runlevel 0 is halt.
-# Runlevel 1 is single-user.
-# Runlevels 2-5 are multi-user.
-# Runlevel 6 is reboot.
-
l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
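Review bot: The new file has no `~~:S:wait:/sbin/sulogin` entry, so nothing in inittab asks for the root password when the machine enters single-user mode; what init does in that case is not visible here. If this is a container or VPS image where runlevel S is never reached, record that in a comment. Otherwise keep `~~:S:wait:/sbin/sulogin`. All explanatory comments were removed as well, including the runlevel table, so a short header such as `# Runlevel 1 is single-user, 2-5 multi-user, 0 halt, 6 reboot` would help the next reader now that the default moved from 2 to 3.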
@@ -28,42 +9,10 @@ l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin
-
-# What to do when CTRL-ALT-DEL is pressed.
-ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now
-
-# Action on special keypress (ALT-UpArrow).
-#kb::kbrequest:/bin/echo "Keyboard Request--edit /etc/inittab to let this work."
-
-# What to do when the power fails/returns.
-pf::powerwait:/etc/init.d/powerfail start
-pn::powerfailnow:/etc/init.d/powerfail now
-po::powerokwait:/etc/init.d/powerfail stop
-
-# /sbin/getty invocations for the runlevels.
-#
-# The "id" field MUST be the same as the last
-# characters of the device (after "tty").
-#
-# Format:
-# <id>:<runlevels>:<action>:<process>
-#
-# Note that on most Debian systems tty7 is used by the X Window System,
-# so if you want to add more getty's go ahead but skip tty7 if you run X.
-#
-1:2345:respawn:/sbin/getty 38400 tty1
-2:23:respawn:/sbin/getty 38400 tty2
-3:23:respawn:/sbin/getty 38400 tty3
-4:23:respawn:/sbin/getty 38400 tty4
-5:23:respawn:/sbin/getty 38400 tty5
-6:23:respawn:/sbin/getty 38400 tty6
-
-# Example how to put a getty on a serial line (for a terminal)
-#
-#T0:23:respawn:/sbin/getty -L ttyS0 9600 vt100
-#T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100
-
-# Example how to put a getty on a modem line.
-#
-#T3:23:respawn:/sbin/mgetty -x0 -s 57600 ttyS3
-
+1:2345:respawn:/sbin/getty 38400 console
+c1:12345:respawn:/sbin/getty 38400 tty1 linux
+c2:12345:respawn:/sbin/getty 38400 tty2 linux
+c3:12345:respawn:/sbin/getty 38400 tty3 linux
+c4:12345:respawn:/sbin/getty 38400 tty4 linux
+p6::ctrlaltdel:/sbin/init 6
+p0::powerfail:/sbin/init 0
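Review bot: `p6::ctrlaltdel:/sbin/init 6` reboots immediately on Ctrl-Alt-Del, where the previous entry went through `/sbin/shutdown -t1 -a -r now`; the `-a` made shutdown consult /etc/shutdown.allow, and shutdown also warns logged-in users. Anyone with console access can now reboot the host without an authorisation check, so prefer `ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now`, or drop the entry where the console is not trusted. The new `c1`–`c4` getty lines are enabled for `12345`, which puts login prompts on runlevel 1 as well; the old file started gettys only in runlevels 2–5. If that is intended for a virtual console setup, a comment saying so would prevent it from being "fixed" later.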
diff --git a/inputrc b/inputrc
index 5253889..d3da985 100644
--- a/inputrc
+++ b/inputrc
@@ -50,6 +50,7 @@ $if mode=emacs
"\e\e[D": backward-word
$if term=rxvt
+"\e[7~": beginning-of-line
"\e[8~": end-of-line
"\eOc": forward-word
"\eOd": backward-word
diff --git a/iscsi/iscsid.conf b/iscsi/iscsid.conf
deleted file mode 100644
index 34788af..0000000
--- a/iscsi/iscsid.conf
+++ /dev/null
@@ -1,304 +0,0 @@
-#
-# Open-iSCSI default configuration.
-# Could be located at /etc/iscsi/iscsid.conf or ~/.iscsid.conf
-#
-# Note: To set any of these values for a specific node/session run
-# the iscsiadm --mode node --op command for the value. See the README
-# and man page for iscsiadm for details on the --op command.
-#
-
-######################
-# iscsid daemon config
-######################
-# If you want iscsid to start the first time a iscsi tool
-# needs to access it, instead of starting it when the init
-# scripts run, set the iscsid startup command here. This
-# should normally only need to be done by distro package
-# maintainers.
-#
-# Default for Fedora and RHEL. (uncomment to activate).
-# iscsid.startup = /etc/rc.d/init.d/iscsid force-start
-#
-# Default for upstream open-iscsi scripts (uncomment to activate).
-iscsid.startup = /usr/sbin/iscsid
-
-
-#############################
-# NIC/HBA and driver settings
-#############################
-# open-iscsi can create a session and bind it to a NIC/HBA.
-# To set this up see the example iface config file.
-
-#*****************
-# Startup settings
-#*****************
-
-# To request that the iscsi initd scripts startup a session set to "automatic".
-# node.startup = automatic
-#
-# To manually startup the session set to "manual". The default is manual.
-node.startup = manual
-
-# For "automatic" startup nodes, setting this to "Yes" will try logins on each
-# available iface until one succeeds, and then stop. The default "No" will try
-# logins on all availble ifaces simultaneously.
-node.leading_login = No
-
-# *************
-# CHAP Settings
-# *************
-
-# To enable CHAP authentication set node.session.auth.authmethod
-# to CHAP. The default is None.
-#node.session.auth.authmethod = CHAP
-
-# To set a CHAP username and password for initiator
-# authentication by the target(s), uncomment the following lines:
-#node.session.auth.username = username
-#node.session.auth.password = password
-
-# To set a CHAP username and password for target(s)
-# authentication by the initiator, uncomment the following lines:
-#node.session.auth.username_in = username_in
-#node.session.auth.password_in = password_in
-
-# To enable CHAP authentication for a discovery session to the target
-# set discovery.sendtargets.auth.authmethod to CHAP. The default is None.
-#discovery.sendtargets.auth.authmethod = CHAP
-
-# To set a discovery session CHAP username and password for the initiator
-# authentication by the target(s), uncomment the following lines:
-#discovery.sendtargets.auth.username = username
-#discovery.sendtargets.auth.password = password
-
-# To set a discovery session CHAP username and password for target(s)
-# authentication by the initiator, uncomment the following lines:
-#discovery.sendtargets.auth.username_in = username_in
-#discovery.sendtargets.auth.password_in = password_in
-
-# ********
-# Timeouts
-# ********
-#
-# See the iSCSI REAME's Advanced Configuration section for tips
-# on setting timeouts when using multipath or doing root over iSCSI.
-#
-# To specify the length of time to wait for session re-establishment
-# before failing SCSI commands back to the application when running
-# the Linux SCSI Layer error handler, edit the line.
-# The value is in seconds and the default is 120 seconds.
-# Special values:
-# - If the value is 0, IO will be failed immediately.
-# - If the value is less than 0, IO will remain queued until the session
-# is logged back in, or until the user runs the logout command.
-node.session.timeo.replacement_timeout = 120
-
-# To specify the time to wait for login to complete, edit the line.
-# The value is in seconds and the default is 15 seconds.
-node.conn[0].timeo.login_timeout = 15
-
-# To specify the time to wait for logout to complete, edit the line.
-# The value is in seconds and the default is 15 seconds.
-node.conn[0].timeo.logout_timeout = 15
-
-# Time interval to wait for on connection before sending a ping.
-node.conn[0].timeo.noop_out_interval = 5
-
-# To specify the time to wait for a Nop-out response before failing
-# the connection, edit this line. Failing the connection will
-# cause IO to be failed back to the SCSI layer. If using dm-multipath
-# this will cause the IO to be failed to the multipath layer.
-node.conn[0].timeo.noop_out_timeout = 5
-
-# To specify the time to wait for abort response before
-# failing the operation and trying a logical unit reset edit the line.
-# The value is in seconds and the default is 15 seconds.
-node.session.err_timeo.abort_timeout = 15
-
-# To specify the time to wait for a logical unit response
-# before failing the operation and trying session re-establishment
-# edit the line.
-# The value is in seconds and the default is 30 seconds.
-node.session.err_timeo.lu_reset_timeout = 30
-
-# To specify the time to wait for a target response
-# before failing the operation and trying session re-establishment
-# edit the line.
-# The value is in seconds and the default is 30 seconds.
-node.session.err_timeo.tgt_reset_timeout = 30
-
-
-#******
-# Retry
-#******
-
-# To specify the number of times iscsid should retry a login
-# if the login attempt fails due to the node.conn[0].timeo.login_timeout
-# expiring modify the following line. Note that if the login fails
-# quickly (before node.conn[0].timeo.login_timeout fires) because the network
-# layer or the target returns an error, iscsid may retry the login more than
-# node.session.initial_login_retry_max times.
-#
-# This retry count along with node.conn[0].timeo.login_timeout
-# determines the maximum amount of time iscsid will try to
-# establish the initial login. node.session.initial_login_retry_max is
-# multiplied by the node.conn[0].timeo.login_timeout to determine the
-# maximum amount.
-#
-# The default node.session.initial_login_retry_max is 8 and
-# node.conn[0].timeo.login_timeout is 15 so we have:
-#
-# node.conn[0].timeo.login_timeout * node.session.initial_login_retry_max =
-# 120 seconds
-#
-# Valid values are any integer value. This only
-# affects the initial login. Setting it to a high value can slow
-# down the iscsi service startup. Setting it to a low value can
-# cause a session to not get logged into, if there are distuptions
-# during startup or if the network is not ready at that time.
-node.session.initial_login_retry_max = 8
-
-################################
-# session and device queue depth
-################################
-
-# To control how many commands the session will queue set
-# node.session.cmds_max to an integer between 2 and 2048 that is also
-# a power of 2. The default is 128.
-node.session.cmds_max = 128
-
-# To control the device's queue depth set node.session.queue_depth
-# to a value between 1 and 1024. The default is 32.
-node.session.queue_depth = 32
-
-##################################
-# MISC SYSTEM PERFORMANCE SETTINGS
-##################################
-
-# For software iscsi (iscsi_tcp) and iser (ib_iser) each session
-# has a thread used to transmit or queue data to the hardware. For
-# cxgb3i you will get a thread per host.
-#
-# Setting the thread's priority to a lower value can lead to higher throughput
-# and lower latencies. The lowest value is -20. Setting the priority to
-# a higher value, can lead to reduced IO performance, but if you are seeing
-# the iscsi or scsi threads dominate the use of the CPU then you may want
-# to set this value higher.
-#
-# Note: For cxgb3i you must set all sessions to the same value, or the
-# behavior is not defined.
-#
-# The default value is -20. The setting must be between -20 and 20.
-node.session.xmit_thread_priority = -20
-
-
-#***************
-# iSCSI settings
-#***************
-
-# To enable R2T flow control (i.e., the initiator must wait for an R2T
-# command before sending any data), uncomment the following line:
-#
-#node.session.iscsi.InitialR2T = Yes
-#
-# To disable R2T flow control (i.e., the initiator has an implied
-# initial R2T of "FirstBurstLength" at offset 0), uncomment the following line:
-#
-# The defaults is No.
-node.session.iscsi.InitialR2T = No
-
-#
-# To disable immediate data (i.e., the initiator does not send
-# unsolicited data with the iSCSI command PDU), uncomment the following line:
-#
-#node.session.iscsi.ImmediateData = No
-#
-# To enable immediate data (i.e., the initiator sends unsolicited data
-# with the iSCSI command packet), uncomment the following line:
-#
-# The default is Yes
-node.session.iscsi.ImmediateData = Yes
-
-# To specify the maximum number of unsolicited data bytes the initiator
-# can send in an iSCSI PDU to a target, edit the following line.
-#
-# The value is the number of bytes in the range of 512 to (2^24-1) and
-# the default is 262144
-node.session.iscsi.FirstBurstLength = 262144
-
-# To specify the maximum SCSI payload that the initiator will negotiate
-# with the target for, edit the following line.
-#
-# The value is the number of bytes in the range of 512 to (2^24-1) and
-# the defauls it 16776192
-node.session.iscsi.MaxBurstLength = 16776192
-
-# To specify the maximum number of data bytes the initiator can receive
-# in an iSCSI PDU from a target, edit the following line.
-#
-# The value is the number of bytes in the range of 512 to (2^24-1) and
-# the default is 262144
-node.conn[0].iscsi.MaxRecvDataSegmentLength = 262144
-
-# To specify the maximum number of data bytes the initiator will send
-# in an iSCSI PDU to the target, edit the following line.
-#
-# The value is the number of bytes in the range of 512 to (2^24-1).
-# Zero is a special case. If set to zero, the initiator will use
-# the target's MaxRecvDataSegmentLength for the MaxXmitDataSegmentLength.
-# The default is 0.
-node.conn[0].iscsi.MaxXmitDataSegmentLength = 0
-
-# To specify the maximum number of data bytes the initiator can receive
-# in an iSCSI PDU from a target during a discovery session, edit the
-# following line.
-#
-# The value is the number of bytes in the range of 512 to (2^24-1) and
-# the default is 32768
-#
-discovery.sendtargets.iscsi.MaxRecvDataSegmentLength = 32768
-
-# To allow the targets to control the setting of the digest checking,
-# with the initiator requesting a preference of enabling the checking, uncomment# one or both of the following lines:
-#node.conn[0].iscsi.HeaderDigest = CRC32C,None
-#node.conn[0].iscsi.DataDigest = CRC32C,None
-#
-# To allow the targets to control the setting of the digest checking,
-# with the initiator requesting a preference of disabling the checking,
-# uncomment one or both of the following lines:
-#node.conn[0].iscsi.HeaderDigest = None,CRC32C
-#node.conn[0].iscsi.DataDigest = None,CRC32C
-#
-# To enable CRC32C digest checking for the header and/or data part of
-# iSCSI PDUs, uncomment one or both of the following lines:
-#node.conn[0].iscsi.HeaderDigest = CRC32C
-#node.conn[0].iscsi.DataDigest = CRC32C
-#
-# To disable digest checking for the header and/or data part of
-# iSCSI PDUs, uncomment one or both of the following lines:
-#node.conn[0].iscsi.HeaderDigest = None
-#node.conn[0].iscsi.DataDigest = None
-#
-# The default is to never use DataDigests or HeaderDigests.
-#
-
-# For multipath configurations, you may want more than one session to be
-# created on each iface record. If node.session.nr_sessions is greater
-# than 1, performing a 'login' for that node will ensure that the
-# appropriate number of sessions is created.
-node.session.nr_sessions = 1
-
-#************
-# Workarounds
-#************
-
-# Some targets like IET prefer after an initiator has sent a task
-# management function like an ABORT TASK or LOGICAL UNIT RESET, that
-# it does not respond to PDUs like R2Ts. To enable this behavior uncomment
-# the following line (The default behavior is Yes):
-node.session.iscsi.FastAbort = Yes
-
-# Some targets like Equalogic prefer that after an initiator has sent
-# a task management function like an ABORT TASK or LOGICAL UNIT RESET, that
-# it continue to respond to R2Ts. To enable this uncomment this line
-# node.session.iscsi.FastAbort = No
diff --git a/kernel-img.conf b/kernel-img.conf
deleted file mode 100644
index e818d6e..0000000
--- a/kernel-img.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# Kernel image management overrides
-# See kernel-img.conf(5) for details
-do_symlinks = yes
-do_bootloader = no
-do_initrd = yes
-link_in_boot = no
diff --git a/locale.gen b/locale.gen
index e9dfebc..0e17e14 100644
--- a/locale.gen
+++ b/locale.gen
@@ -11,9 +11,11 @@
# aa_ET UTF-8
# af_ZA ISO-8859-1
# af_ZA.UTF-8 UTF-8
+# ak_GH UTF-8
# am_ET UTF-8
# an_ES ISO-8859-15
# an_ES.UTF-8 UTF-8
+# anp_IN UTF-8
# ar_AE ISO-8859-6
# ar_AE.UTF-8 UTF-8
# ar_BH ISO-8859-6
@@ -43,6 +45,7 @@
# ar_SA.UTF-8 UTF-8
# ar_SD ISO-8859-6
# ar_SD.UTF-8 UTF-8
+# ar_SS UTF-8
# ar_SY ISO-8859-6
# ar_SY.UTF-8 UTF-8
# ar_TN ISO-8859-6
@@ -85,6 +88,7 @@
# ca_FR.UTF-8 UTF-8
# ca_IT ISO-8859-15
# ca_IT.UTF-8 UTF-8
+# cmn_TW UTF-8
# crh_UA UTF-8
# cs_CZ ISO-8859-2
# cs_CZ.UTF-8 UTF-8
@@ -243,6 +247,7 @@ en_US.UTF-8 UTF-8
# gv_GB ISO-8859-1
# gv_GB.UTF-8 UTF-8
# ha_NG UTF-8
+# hak_TW UTF-8
# he_IL ISO-8859-8
# he_IL.UTF-8 UTF-8
# hi_IN UTF-8
@@ -303,6 +308,7 @@ en_US.UTF-8 UTF-8
# lt_LT.UTF-8 UTF-8
# lv_LV ISO-8859-13
# lv_LV.UTF-8 UTF-8
+# lzh_TW UTF-8
# mag_IN UTF-8
# mai_IN UTF-8
# mg_MG ISO-8859-15
@@ -321,6 +327,7 @@ en_US.UTF-8 UTF-8
# mt_MT ISO-8859-3
# mt_MT.UTF-8 UTF-8
# my_MM UTF-8
+# nan_TW UTF-8
# nan_TW@latin UTF-8
# nb_NO ISO-8859-1
# nb_NO.UTF-8 UTF-8
@@ -351,6 +358,8 @@ en_US.UTF-8 UTF-8
# pa_IN UTF-8
# pa_PK UTF-8
# pap_AN UTF-8
+# pap_AW UTF-8
+# pap_CW UTF-8
# pl_PL ISO-8859-2
# pl_PL.UTF-8 UTF-8
# ps_AF UTF-8
@@ -359,6 +368,7 @@ en_US.UTF-8 UTF-8
# pt_PT ISO-8859-1
# pt_PT.UTF-8 UTF-8
# pt_PT@euro ISO-8859-15
+# quz_PE UTF-8
# ro_RO ISO-8859-2
# ro_RO.UTF-8 UTF-8
# ru_RU ISO-8859-5
@@ -413,6 +423,7 @@ en_US.UTF-8 UTF-8
# tg_TJ.UTF-8 UTF-8
# th_TH TIS-620
# th_TH.UTF-8 UTF-8
+# the_NP UTF-8
# ti_ER UTF-8
# ti_ET UTF-8
# tig_ER UTF-8
@@ -464,15 +475,4 @@ en_US.UTF-8 UTF-8
# zh_TW.UTF-8 UTF-8
# zu_ZA ISO-8859-1
# zu_ZA.UTF-8 UTF-8
-# en_US.UTF-8 UTF-8
-# ak_GH UTF-8
-# anp_IN UTF-8
-# ar_SS UTF-8
-# cmn_TW UTF-8
-# hak_TW UTF-8
-# lzh_TW UTF-8
-# nan_TW UTF-8
-# pap_AW UTF-8
-# pap_CW UTF-8
-# quz_PE UTF-8
-# the_NP UTF-8
+en_US.UTF-8 UTF-8
diff --git a/localtime b/localtime
index 5583f5b..b2c2377 100644
Binary files a/localtime and b/localtime differ
diff --git a/login.defs b/login.defs
index afef90a..aeb8585 100644
--- a/login.defs
+++ b/login.defs
@@ -148,7 +148,7 @@ TTYPERM 0600
#
ERASECHAR 0177
KILLCHAR 025
-UMASK 027
+UMASK 022
#
# Password aging controls:
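Review bot: `UMASK 022` on the new side makes files and directories created under this default readable by every local account, where the previous `027` gave others no access at all. A man page removed elsewhere in this diff describes the tree as a shell service open to the public, so if the host still carries unrelated users, the looser default exposes their newly created files to one another wherever login or pam_umask applies this value. Unless the relaxation is deliberate, keep `UMASK 027`; if it is deliberate, record the reason in a comment directly above the line, e.g. `# 022: world-readable default, needed for <reason>`. The settings block around this line continues outside the hunk.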
diff --git a/logrotate.conf b/logrotate.conf
index 27630af..4bd60ab 100644
--- a/logrotate.conf
+++ b/logrotate.conf
@@ -18,7 +18,7 @@ include /etc/logrotate.d
/var/log/wtmp {
missingok
monthly
- create 0660 root utmp
+ create 0664 root utmp
rotate 1
}
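Review bot: `create 0664 root utmp` recreates /var/log/wtmp world-readable after each rotation, so any local account can read the login history of every other user (user names, terminals, source hosts); the removed `0660` limited that to root and the utmp group. On a multi-user host that disclosure deserves an explicit decision: keep `create 0660 root utmp` unless unprivileged `last` is required, and say so in a comment above the stanza if it is. The mode only applies when logrotate next creates the file, so the permissions of the existing wtmp should be checked separately.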
diff --git a/luarocks/config-5.1.lua b/luarocks/config-5.1.lua
index 9a6fbb7..ac9306d 100644
--- a/luarocks/config-5.1.lua
+++ b/luarocks/config-5.1.lua
@@ -1,5 +1,4 @@
-variables = {
- LUA_INTERPRETER = "/usr/bin/lua5.1";
- LUA_INCDIR = "/usr/include/lua5.1";
+rocks_trees = {
+ home..[[/.luarocks]],
+ [[/usr/local]]
}
-rocks_subdir = "/lib/luarocks/rocks-5.1"
diff --git a/luarocks/config-5.2.lua b/luarocks/config-5.2.lua
deleted file mode 100644
index cbb0afa..0000000
--- a/luarocks/config-5.2.lua
+++ /dev/null
@@ -1,7 +0,0 @@
-export_lua_path = "export LUA_PATH_5_2='%s'";
-export_lua_cpath = "export LUA_CPATH_5_2='%s'";
-variables = {
- LUA_INTERPRETER = "/usr/bin/lua5.2";
- LUA_INCDIR = "/usr/include/lua5.2";
-}
-rocks_subdir = "/lib/luarocks/rocks-5.2"
diff --git a/luarocks/config-5.3.lua b/luarocks/config-5.3.lua
deleted file mode 100644
index 0d4d15a..0000000
--- a/luarocks/config-5.3.lua
+++ /dev/null
@@ -1,7 +0,0 @@
-export_lua_path = "export LUA_PATH_5_3='%s'";
-export_lua_cpath = "export LUA_CPATH_5_3='%s'";
-variables = {
- LUA_INTERPRETER = "/usr/bin/lua5.3";
- LUA_INCDIR = "/usr/include/lua5.3";
-}
-rocks_subdir = "/lib/luarocks/rocks-5.3"
diff --git a/mailcap b/mailcap
index a4cb7a0..acf2bda 100644
--- a/mailcap
+++ b/mailcap
@@ -120,6 +120,8 @@ image/x-xwindowdump; /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/bin-Q16/display
image/x-icon; /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/bin-Q16/display %s; test=test -n "$DISPLAY"
image/yuv; /usr/lib/x86_64-linux-gnu/ImageMagick-6.8.9/bin-Q16/display %s; test=test -n "$DISPLAY"
text/plain; vim %s; needsterminal
+x-scheme-handler/xpra; xpra attach %s; test=test -n "$DISPLAY"
+text/x-xpraconfig; xpra_launcher %s; test=test -n "$DISPLAY"
text/html; /usr/bin/elinks -force-html %s; needsterminal; description=HTML Text; nametemplate=%s.html
text/plain; view %s; edit=vim %s; compose=vim %s; test=test -x /usr/bin/vim; needsterminal
text/html; /usr/bin/w3m -T text/html %s; needsterminal; description=HTML Text; nametemplate=%s.html
diff --git a/mailname b/mailname
deleted file mode 100644
index acd6707..0000000
--- a/mailname
+++ /dev/null
@@ -1 +0,0 @@
-hashbang.sh
diff --git a/man/man7/hashbang.7 b/man/man7/hashbang.7
deleted file mode 100644
index acc2629..0000000
--- a/man/man7/hashbang.7
+++ /dev/null
@@ -1,431 +0,0 @@
-.\" Man page for hashbang
-.TH man 7 "29 May 2014" "0.5" "#! man page"
-
-.SH NAME
-#! \- "shell" service and collective of awesome people.
-
-.SH SYNOPSIS
-
-bash <(curl hashbang.sh)
-
-.SH DESCRIPTION
-
-We are a diverse community of people who love teaching and learning.
-Putting a #! at the beginning of a "script" style program tells a computer that
-it needs to "do something" or "execute" the file. Likewise, we are a community
-of people that like to "do stuff".
-
-If you like technology and want to learn to write your first program, learn to
-use Linux, or even take on interesting challenges with some of the best in
-the industry, you are in the right place.
-.SH EXAMPLES
-.TP
-
-.BI ssh\ someuser@hashbang.sh
-Use the "ssh" command to get yourself back into your account from any computer
-that has your private key.
-.TP
-.BI cat\ foo
-echo the foo file to the console
-
-.SH AVAILABLE SOFTWARE
-.SS Account Management
-hashbangctl - An account management program which can update your ssh keys, account name, and default shell.
-.SS Compilers / Interpreters / Programming Languages
-perl - A high-level, general-purpose dynamic programming language. Commonly
-referred to as "the duct tape of the internet."
-
-python - A high-level, general-purpose programming language that emphasizes
-code readability.
-
-ruby - A dynamic, object-oriented general-purpose programming language.
-
-haskell [ghc] - A standardized, general-purpose programming language with non-strict
-semantics and strong static typing.
-
-lua - A lightweight multi-paradigm programming language designed as a scripting
-language.
-
-clojure - A general-purpose programming language with an emphasis on functional
-programming. It is a dialect of the Lisp programming language.
-
-go - A statically-typed language developed at Google with syntax loosely derived from C with
-garbage collection.
-
-nodejs - A cross-platform runtime environment for server-side and network
-applications written in javascript.
-
-sbcl - (Steel Bank Common Lisp) A Lisp implementation that features a high
-performance native compiler, Unicode support, and threading.
-
-ghc - (The Glorious Glasgow Haskell Compilation System) a native code compiler
-for Haskell.
-
-gcc - (GNU Compiler Collection) A compiler system that supports C, C++ and
-various other programming languages.
-
-smlnj -(Standard ML of New Jersey) a compiler and programming environment for
-Standard ML
-.SS Text Editors
-vim - A popular vi clone and the IDE of choice of most of the #! regulars.
-Ships by default on all operating systems that matter.
-
-emacs - A very capable scriptable text editor also capable of being a full IDE
-with all the power of vim implemented in different ways. Not in as wide of
-use as it once was but plenty of skilled hackers still swear by it.
-
-nano - A text editor that emulates the Pico text editor and is part of the GNU
-Project.
-
-joe - (Joe's Own Editor) a text editor designed for ease of use.
-
-pico - (Pine Composer) a text editor originally integrated with the pine e-mail
-client and designed at the Office of Computing and Communications at the
-University of Washington.
-
-mcedit - Internal text editor for the Midnight Commander file manager.
-
-zile - An Emacs like text editor that is less resource intensive.
-.SS Password Management
-pass - A shell based password manager.
-.SS Cryptography / Hashing
-encfs - A FUSE-based cryptographic filesystem that transparently encrypts files
-using an arbitrary directory as storage for the encrypted files.
-
-gpg - (GNU Privacy Guard) A GPL Licensed alternative to the PGP suite of
-cryptographic software compliant with RFC 4880.
-
-md5sum - Calculates and verifies 128-bit MD5 hashes as described in RFC 1321.
-
-shasum - Calculates and verifies SHA hashes.
-
-bcrypt - A key derivation function for passwords based on the Blowfish cipher.
-.SS Time Management
-calendar - Checks current directory or CALENDAR_DIR environment variable for a
-file named calendar and displays appointments and reminders.
-
-remind - A sophisticated reminder service.
-
-wyrd - A text-based front-end to the Remind program.
-
-tudu - A command-line tool to manage TODO lists hierarchically.
-.SS Shells
-bash - (Bourne Again Shell) The standard shell on most Linux and unix-like
-systems which is a GNU replacement for the Unix Bourne shell. A linux classic
-brah.
-
-zsh - (Z Shell) An extension of the Bourne shell extended with features from
-ksh and tcsh.
-
-fish - (Friendly Interactive Shell) An attempt to make a more interactive,
-user-friendly shell.
-
-ksh - (Korn Shell) A shell backwards compatible with the Bourne shell but also
-includes many features of the C shell.
-.SS Email
-mutt - A text-based email client. "All mail clients suck. This one just sucks
-less."
-.SS Math
-units - Unit conversion utility.
-
-dc - A reverse-polish desk calculator which supports arbitrary-precision
-arithmetic.
-
-qalc - A small simple to use command-line calculator.
-
-bc - An arbitrary precision calculator language
-
-.SS Chat / IM
-weechat-curses - Wee Enhanced Environment for Chat (Curses version)
-
-irssi - A text-based IRC client written in the C programming language.
-
-finch - A console-based instant messaging client based on the libpurple
-library.
-
-bitlbee - Bitlbee brings Instant Messaging to IRC clients. It has support for
-multiple IM networks/protocols including Google Talk.
-
-.RS
-To use bitlbee in weechat enter
-.RS
-.B
-/server add bitlbee irc.hashbang.sh/6610
-.RE
-then
-.RS
-.B
-/connect bitlbee
-.RE
-this will force join you into the
-.B
-&bitlbee
-channel. If you are interested in using Google Talk follow this guide
-http://wiki.bitlbee.org/HowtoGtalk
-.RE
-
-.SS Web Browsing
-elinks - Similar to links, but also supports Form Input, Password Management,
-and Tabbed Browsing
-
-lynx - A general purpose distributed information web browser.
-
-w3m - A text based web browser and pager.
-
-html2text - Reads an HTML document and outputs plain text characters.
-.SS Database
-redis [redis-*] - A networked, in-memory, key-value data store with optional durability
-written in ANSI C.
-.SS File Management
-mc - (Midnight Commander) A text-based file manager similar to Norton
-Commander.
-
-scp - (Secure Copy) A client that uses the Secure Shell protocol to securely
-transfer files between hosts.
-
-rsync - A file synchronization and file transfer program that minimizes network
-data transfer by using a form of delta encoding called the rsync algorithm.
-
-duplicity - A software suite that provides encrypted, digitally signed,
-versioned, remote backups of files.
-
-ranger - A text-based file manager written in Python.
-
-du - (disc usage) Estimates file space usage on a filesystem.
-
-ncdu - A simple ncurses disk usage analyzer.
-
-stow - A symlink manager. Helpful for managing several locally-installed things.
-
-find - Used to search the filesystem for a particular file.
-
-locate - Searches a prebuilt database for files on a filesystem.
-
-tree - A recursive directory listing program that produces a depth-indented
-listing of files.
-.SS Archiving
-atool - A script for managing file archives of various types.
-
-zip - A PKZIP compatible compression and file packaging utility.
-
-unzip - Utility for uncompressing PKZIP compressed files.
-
-p7zip - A program for compressing and uncompressing 7-zip compressed files.
-
-tar - Utility used for compressing and uncompressing tar files.
-
-gzip - An application used to create gzip compressed files.
-
-zpaq - A program for creating journaling or append-only compression files.
-.SS Network
-iperf - A bandwidth measurement utility.
-
-nmap - (Network Mapper) A security scanner used to discover hosts and services
-on a computer network.
-
-mtr - (Matt's TraceRoute) Combines the functionality of the traceroute and ping
-programs in a single network diagnostic tool.
-
-telnet - Used to communicate with another host using the telnet protocol.
-
-ssh - A client used to connect to a host using the Secure Shell protocol.
-
-siege - A multi-threaded http load testing and benchmarking utility.
-
-lftp - A file transfer program that allows sophisticated ftp, http and other
-connections to other hosts.
-
-curl - A tool used to transfer data from or to a server using HTTP, HTTPS, FTP,
-FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE).
-
-aria2 [aria2c] - A utility for downloading files via HTTP(S), FTP, BitTorrent, and
-Metalink.
-
-ipcalc - A program that calculates IP information for a host.
-
-socat - (SOcket CAT) A command line based utility that establishes two
-bidirectional byte streams and transfers data between them.
-
-netcat - A networking utility which reads and writes data across networks from
-the command line.
-
-ssh-copy-id - A script that uses SSH to copy a public key to a remote machine's
-authorized_keys.
-.SS Image Tools
-imagemagick [convert, mogrify, ...] - A software suits used to create, edit, and compose bitmap images.
-
-.SS Code Management
-cvs - (Concurrent Versions System) A revision control system using
-client-server architecture.
-
-svn - (Subversion) A software versioning and revision control system
-maintained by apache and designed as a successor to CVS
-
-mercurial [hg] - A distributed revision control system designed for high
-performance, scalability, and decentralization.
-
-git - A distributed version control system with an emphasis on speed, data
-integrity, and support for distributed, non-linear workflows.
-
-tig - A text-mode interface for git.
-
-cloc - Counts and computes differences of lines of source code and comments.
-
-diff - Compares files line by line.
-
-vimdiff - Edits 2 - 4 versions of a file with vim while showing differences.
-
-ctags - A programming tool that generates an index file of names found in
-source and header files of various programming languages.
-
-cmake - Software for managing the build process of software using a
-compiler-independent method.
-
-shellcheck - Linter for shell scripts
-.SS Games/Toys
-
-zangband - A dungeon-crawling roguelike game derived from Angband and based on
-Roger Zelazny's The Chronicles of Amber.
-
-nethack - A roguelike game descended from the game Hack and Rogue.
-
-slashem - (Super Lotsa Added Stuff Hack - Extended Magic) is a variant of the
-roguelike game NetHack that offers extra features, monsters, and items.
-
-frotz - An interpreter for Infocom games and other z-machine games.
-
-bsdgames [adventure, ...] - A collection of text games from BSD systems.
-
-bastet - (Bastard Tetris) A Tetris clone.
-
-gnugo - Open source implementation of the game Go.
-
-gnuchess - Chess
-.SS System Management Utilities
-htop - An interactive system-monitor process-viewer.
-
-strace - Application for tracing system calls and signals.
-
-cgroups - (Control Groups) A kernel feature to limit, account, and isolate
-resource usage of process groups.
-
-command-not-found - (Debian) Suggest a package when the user calls a command
-that could not be found.
-
-.SS Window/Session Managers
-
-tmux - An Application used to multiplex several virtual consoles, allowing a
-user to access multiple separate terminal sessions inside a single terminal.
-
-screen - Application used to multiplex several virtual consoles, allowing a
-user to access multiple separate terminal sessions in a single terminal.
-
-byobu - An enhancement for the terminal multiplexers Screen or Tmux that can be
-used to provide on screen notification or status as well as tabbed multi-window
-management.
-.SS Misc. / Unsorted (Sort these!)
-pv - Monitors the progress of data through a pipe.
-
-tsung - Used to stress test HTTP, WebDAV, LDAP, MySQL, PostgreSQL, SOAP, and
-XMPP servers.
-
-xargs - Used to build and execute command lines from standard input.
-
-parallel - Shell tool for executing jobs in parallel using one or more
-computers.
-
-ag - A significantly faster replacement to ACK with a built in VCS.
-
-watch - Executes a program periodically, showing the output fullscreen.
-
-libev - A high-performance event loop for C.
-
-libevent - Provides a mechanism to execute a callback function when a specific
-event occurs on a file descriptor or after a timeout has been reached.
-
-cowsay - Generates ASCII pictures of a cow with a message.
-
-dos2unix - Converts line breaks in a text file from DOS format to Unix format.
-
-unix2dos - Converts line breaks in a text file from Unix format to DOS format.
-.SH HISTORY
-2004 - lrvick secured free-for-all usage of a dedicated server, hosted at
-"The Planet" datacenter in Austin, TX, in exchange for providing free system
-administration services to an educational web application provider. He
-distributed shell accounts to a group of friends for personal projects,
-organizing resources and efforts via IRC.
-
-2006 - Having outgrown the shared server, the community opted to invest in our
-own dedicated server, lovingly named "Adam". All projects were migrated over,
-and a few months later "Eve" was added for redundancy and to minimize downtime.
-These were hosted at SiteGenie in Rochester, MN.
-
-2008 - As a hosting service, we hosted many web projects visited by hundreds of
-thousands of users, in addition to seeing hundreds of users on our IRC and
-shell services. Our community was known in multiple IRC circles to have very
-well-developed overall system security, and we regularly dealt with various
-types of attacks trying to break through. A "Script Kiddie" named Piratox,
-unable to break in through any usual methods, opted to make use of a large
-botnet, disrupting us with a large scale DDOS attack.
-
-The attack was significant enough that the entire SiteGenie datacenter was
-taken offline. Though we tracked down Piratox and ended the dispute, SiteGenie
-was unprepared to deal with the possibility of further DDOS attacks of similar
-scale and promptly ended our contract. They generously offered to overnight our
-hard drives to any location we chose. Seeing the potential in this, we involved
-it in the backup plans that had already been set in motion.
-
-Echelon, a volunteer admin, brought "Noah" online in his Ohio basement.
-Bluescales, another volunteer admin, rushed to setup a VPS in a Montana
-Datacenter. He dubbed it "Moses". We quickly routed essential services from
-backups between the two servers while one of the two backup drives containing
-user files was overnighted to Noah. Shell user files were available to our
-community again within 24 hours.
-
-With emergency options in place, we sought a new primary server. After
-reviewing our budget and options, we opted for a dedicated server at a newer
-company, VolumeDrive, in Wilkes Barre, Pennsylvania. We took a chance on them
-due to their reputation for inexpensive, unmetered bandwidth plans with
-regular bandwidth testing. "Melchiz" was born, and quickly became responsible
-for community services including shells, email, and IRC, as well as hosting
-most smaller websites.
-
-VolumeDrive was a good fit for most of our services; however, like SiteGenie,
-they were unwilling to deal with the unwanted attention that our historical
-reputation could bring. To address this, we deployed "Samson" in an undisclosed
-location, ensuring it would be difficult to target by disruptive parties.
-"Gideon" was deployed in Germany as a dumb proxy to more reliably protect
-Samson's location. Were it to ever go down, more could rapidly take its place.
-We felt really good about the maintainability of this setup.
-
-2010 - Samson needed a kernel update to address security issues that had
-recently come to light. One of our volunteer admins, Viaken, decided to take on
-the kernel update on his own, but did not include the correct SATA driver. On
-reboot, Samson experienced a kernel panic. Per a special agreement with the
-datacenter, hosting was available and free so long as support was never
-contacted. Thus, Samson was to remain frozen at a kernel panic screen, and
-may still be hung there to this day. Gideon, now purposeless, was taken
-offline shortly thereafter.
-
-We were left with no choice but to risk hosting all services on Melchiz until
-a better solution could be secured.
-
-2013 - After frequent downtime and multiple disputes with VolumeDrive
-(including a case where they mistakenly formatted one of our production hard
-drives), our community sought to "go big or go home". We went big and secured
-the dedicated server "Og". Og's specs were more than overkill for everything
-we provided, but we knew it would be worth it for our long-term goals of
-expanding our free community offerings to the general public.
-
-2014 - #! shells are now available to the general public. Welcome!
-
-
-.SH You can help!
-
-Fork, make changes, and submit Github Pull Requests here:
-
-https://github.com/hashbang/shell-etc
-
-This man file can be updated here:
-
-https://github.com/hashbang/shell-etc/blob/master/man/man7/hashbang.7
diff --git a/manpath.config b/manpath.config
index 5c067f9..3b5b54f 100644
--- a/manpath.config
+++ b/manpath.config
@@ -20,7 +20,6 @@
MANDATORY_MANPATH /usr/man
MANDATORY_MANPATH /usr/share/man
MANDATORY_MANPATH /usr/local/share/man
-MANDATORY_MANPATH /etc/man
#---------------------------------------------------------
# set up PATH to MANPATH mapping
# ie. what man tree holds man pages for what binary directory.
@@ -70,7 +69,6 @@ MANDB_MAP /usr/local/man /var/cache/man/oldlocal
MANDB_MAP /usr/local/share/man /var/cache/man/local
MANDB_MAP /usr/X11R6/man /var/cache/man/X11R6
MANDB_MAP /opt/man /var/cache/man/opt
-MANDB_MAP /etc/man /var/cache/man/etc
#
#---------------------------------------------------------
# Program definitions. These are commented out by default as the value
diff --git a/mkshrc b/mkshrc
index 13a1f54..233a10c 100644
--- a/mkshrc
+++ b/mkshrc
@@ -1,9 +1,9 @@
# $Id$
-# $MirOS: src/bin/mksh/dot.mkshrc,v 1.108 2016/07/26 22:03:41 tg Exp $
+# $MirOS: src/bin/mksh/dot.mkshrc,v 1.89 2014/07/28 21:45:44 tg Exp $
#-
# Copyright (c) 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010,
-# 2011, 2012, 2013, 2014, 2015, 2016
-# mirabilos <m@mirbsd.org>
+# 2011, 2012, 2013, 2014
+# Thorsten Glaser <tg@mirbsd.org>
#
# Provided that these terms and disclaimer and all copyright notices
# are retained or reproduced in an accompanying document, permission
@@ -22,274 +22,268 @@
#-
# ${ENV:-~/.mkshrc}: mksh initialisation file for interactive shells
-# catch non-mksh (including lksh) trying to run this file
-case ${KSH_VERSION:-} in
+# catch non-mksh (including lksh) trying to shell this file
+case $KSH_VERSION in
*MIRBSD\ KSH*) ;;
*) return 0 ;;
esac
-PS1='#'; (( USER_ID )) && PS1='$'; \: "${TERM:=vt100}${HOSTNAME:=$(\ulimit -c \
- 0; hostname 2>/dev/null)}${EDITOR:=/bin/ed}${USER:=$(\ulimit -c 0; id -un \
- 2>/dev/null || \echo \?)}${MKSH:=$(\builtin whence -p mksh)}"
-HOSTNAME=${HOSTNAME%%*([ ]).*}; HOSTNAME=${HOSTNAME##*([ ])}
-[[ $HOSTNAME = ?(ip6-)localhost?(6) ]] && HOSTNAME=
-\: "${HOSTNAME:=nil}${MKSH:=/bin/mksh}"; \export EDITOR HOSTNAME MKSH TERM USER
-PS4='[$EPOCHREALTIME] '; PS1=$'\001\r''${|
- \typeset e=$?
+PS1='#'; (( USER_ID )) && PS1='$'; [[ ${HOSTNAME:=$(ulimit -c 0; hostname -s \
+ 2>/dev/null)} = *([ ]|localhost) ]] && HOSTNAME=$(ulimit -c 0; hostname \
+ 2>/dev/null); : ${EDITOR:=/bin/ed} ${HOSTNAME:=nil} ${TERM:=vt100}
+: ${MKSH:=$(whence -p mksh)}; PS4='[$EPOCHREALTIME] '; PS1=$'\001\r''${|
+ local e=$?
(( e )) && REPLY+="$e|"
- REPLY+=${USER}@${HOSTNAME%%.*}:
+ REPLY+=${USER:=$(ulimit -c 0; id -un 2>/dev/null || echo \?)}
+ REPLY+=@${HOSTNAME%%.*}:
- \typeset d=${PWD:-?}/ p=~; [[ $p = ?(*/) ]] || d=${d/#$p\//\~/}
- d=${d%/}; \typeset m=${%d} n p=...; (( m > 0 )) || m=${#d}
+ local d=${PWD:-?} p=~; [[ $p = ?(*/) ]] || d=${d/#$p/~}
+ local m=${%d} n p=...; (( m > 0 )) || m=${#d}
(( m > (n = (COLUMNS/3 < 7 ? 7 : COLUMNS/3)) )) && d=${d:(-n)} || p=
REPLY+=$p$d
- \return $e
-} '"$PS1 "
-\alias ls=ls
-\unalias ls
-\alias l='ls -F'
-\alias la='l -a'
-\alias ll='l -l'
-\alias lo='l -alo'
-\alias doch='sudo mksh -c "$(\builtin fc -ln -1)"'
-\command -v rot13 >/dev/null || \alias rot13='tr \
+ return $e
+} '"$PS1 "; export EDITOR HOSTNAME MKSH TERM USER
+alias ls=ls
+unalias ls
+alias l='ls -F'
+alias la='l -a'
+alias ll='l -l'
+alias lo='l -alo'
+alias doch='sudo mksh -c "$(fc -ln -1)"'
+whence -p rot13 >/dev/null || alias rot13='tr \
abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ \
nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM'
-if \command -v hd >/dev/null; then \:; elif \command -v hexdump >/dev/null; then
+if whence -p hd >/dev/null; then :; elif whence -p hexdump >/dev/null; then
function hd {
hexdump -e '"%08.8_ax " 8/1 "%02X " " - " 8/1 "%02X "' \
-e '" |" "%_p"' -e '"|\n"' "$@"
}
else
function hd {
- \typeset -Uui16 -Z11 pos=0
- \typeset -Uui16 -Z5 hv=2147483647
- \typeset dasc line i
- \set +U
+ local -Uui16 -Z11 pos=0
+ local -Uui16 -Z5 hv=2147483647
+ local dasc line i
- \cat "$@" | if \read -arN -1 line; then
- \typeset -i1 'line[*]'
+ cat "$@" | { set +U; if read -arN -1 line; then
+ typeset -i1 line
i=0
while (( i < ${#line[*]} )); do
hv=${line[i++]}
if (( (pos & 15) == 0 )); then
- (( pos )) && \
- \builtin print -r -- "$dasc|"
- \builtin print -n "${pos#16#} "
+ (( pos )) && print -r -- "$dasc|"
+ print -n "${pos#16#} "
dasc=' |'
fi
- \builtin print -n "${hv#16#} "
- #XXX EBCDIC, but we need [[:print:]] to fix this
+ print -n "${hv#16#} "
if (( (hv < 32) || (hv > 126) )); then
dasc+=.
else
dasc+=${line[i-1]#1#}
fi
- (( (pos++ & 15) == 7 )) && \
- \builtin print -n -- '- '
+ (( (pos++ & 15) == 7 )) && print -n -- '- '
done
while (( pos & 15 )); do
- \builtin print -n ' '
- (( (pos++ & 15) == 7 )) && \
- \builtin print -n -- '- '
+ print -n ' '
+ (( (pos++ & 15) == 7 )) && print -n -- '- '
done
- (( hv == 2147483647 )) || \builtin print -r -- "$dasc|"
- fi
+ (( hv == 2147483647 )) || print -r -- "$dasc|"
+ fi; }
}
fi
# Berkeley C shell compatible dirs, popd, and pushd functions
# Z shell compatible chpwd() hook, used to update DIRSTACK[0]
-DIRSTACKBASE=$(\builtin realpath ~/. 2>/dev/null || \
- \builtin print -nr -- "${HOME:-/}")
+DIRSTACKBASE=$(realpath ~/. 2>/dev/null || print -nr -- "${HOME:-/}")
set -A DIRSTACK
function chpwd {
- DIRSTACK[0]=$(\builtin realpath . 2>/dev/null || \
- \builtin print -r -- "$PWD")
+ DIRSTACK[0]=$(realpath . 2>/dev/null || print -r -- "$PWD")
[[ $DIRSTACKBASE = ?(*/) ]] || \
- DIRSTACK[0]=${DIRSTACK[0]/#$DIRSTACKBASE/\~}
- \:
+ DIRSTACK[0]=${DIRSTACK[0]/#$DIRSTACKBASE/~}
+ :
}
-\chpwd .
-cd() {
- \builtin cd "$@" || \return $?
- \chpwd "$@"
+chpwd .
+function cd {
+ builtin cd "$@" || return $?
+ chpwd "$@"
}
function cd_csh {
- \typeset d t=${1/#\~/$DIRSTACKBASE}
+ local d t=${1/#~/$DIRSTACKBASE}
- if ! d=$(\builtin cd "$t" 2>&1); then
- \builtin print -u2 "${1}: ${d##*cd: $t: }."
- \return 1
+ if ! d=$(builtin cd "$t" 2>&1); then
+ print -u2 "${1}: ${d##*cd: $t: }."
+ return 1
fi
- \cd "$t"
+ cd "$t"
}
function dirs {
- \typeset d dwidth
- \typeset -i fl=0 fv=0 fn=0 cpos=0
+ local d dwidth
+ local -i fl=0 fv=0 fn=0 cpos=0
- while \getopts ":lvn" d; do
+ while getopts ":lvn" d; do
case $d {
(l) fl=1 ;;
(v) fv=1 ;;
(n) fn=1 ;;
- (*) \builtin print -u2 'Usage: dirs [-lvn].'
- \return 1 ;;
+ (*) print -u2 'Usage: dirs [-lvn].'
+ return 1 ;;
}
done
- \shift $((OPTIND - 1))
+ shift $((OPTIND - 1))
if (( $# > 0 )); then
- \builtin print -u2 'Usage: dirs [-lvn].'
- \return 1
+ print -u2 'Usage: dirs [-lvn].'
+ return 1
fi
if (( fv )); then
fv=0
while (( fv < ${#DIRSTACK[*]} )); do
d=${DIRSTACK[fv]}
- (( fl )) && d=${d/#\~/$DIRSTACKBASE}
- \builtin print -r -- "$fv $d"
- \builtin let fv++
+ (( fl )) && d=${d/#~/$DIRSTACKBASE}
+ print -r -- "$fv $d"
+ let fv++
done
else
fv=0
while (( fv < ${#DIRSTACK[*]} )); do
d=${DIRSTACK[fv]}
- (( fl )) && d=${d/#\~/$DIRSTACKBASE}
+ (( fl )) && d=${d/#~/$DIRSTACKBASE}
(( dwidth = (${%d} > 0 ? ${%d} : ${#d}) ))
if (( fn && (cpos += dwidth + 1) >= 79 && \
dwidth < 80 )); then
- \builtin print
+ print
(( cpos = dwidth + 1 ))
fi
- \builtin print -nr -- "$d "
- \builtin let fv++
+ print -nr -- "$d "
+ let fv++
done
- \builtin print
+ print
fi
- \return 0
+ return 0
}
function popd {
- \typeset d fa
- \typeset -i n=1
+ local d fa
+ local -i n=1
- while \getopts ":0123456789lvn" d; do
+ while getopts ":0123456789lvn" d; do
case $d {
(l|v|n) fa+=" -$d" ;;
(+*) n=2
- \break ;;
- (*) \builtin print -u2 'Usage: popd [-lvn] [+<n>].'
- \return 1 ;;
+ break ;;
+ (*) print -u2 'Usage: popd [-lvn] [+<n>].'
+ return 1 ;;
}
done
- \shift $((OPTIND - n))
+ shift $((OPTIND - n))
n=0
if (( $# > 1 )); then
- \builtin print -u2 popd: Too many arguments.
- \return 1
+ print -u2 popd: Too many arguments.
+ return 1
elif [[ $1 = ++([0-9]) && $1 != +0 ]]; then
if (( (n = ${1#+}) >= ${#DIRSTACK[*]} )); then
- \builtin print -u2 popd: Directory stack not that deep.
- \return 1
+ print -u2 popd: Directory stack not that deep.
+ return 1
fi
elif [[ -n $1 ]]; then
- \builtin print -u2 popd: Bad directory.
- \return 1
+ print -u2 popd: Bad directory.
+ return 1
fi
if (( ${#DIRSTACK[*]} < 2 )); then
- \builtin print -u2 popd: Directory stack empty.
- \return 1
+ print -u2 popd: Directory stack empty.
+ return 1
fi
- \unset DIRSTACK[n]
- \set -A DIRSTACK -- "${DIRSTACK[@]}"
- \cd_csh "${DIRSTACK[0]}" || \return 1
- \dirs $fa
+ unset DIRSTACK[n]
+ set -A DIRSTACK -- "${DIRSTACK[@]}"
+ cd_csh "${DIRSTACK[0]}" || return 1
+ dirs $fa
}
function pushd {
- \typeset d fa
- \typeset -i n=1
+ local d fa
+ local -i n=1
- while \getopts ":0123456789lvn" d; do
+ while getopts ":0123456789lvn" d; do
case $d {
(l|v|n) fa+=" -$d" ;;
(+*) n=2
- \break ;;
- (*) \builtin print -u2 'Usage: pushd [-lvn] [<dir>|+<n>].'
- \return 1 ;;
+ break ;;
+ (*) print -u2 'Usage: pushd [-lvn] [<dir>|+<n>].'
+ return 1 ;;
}
done
- \shift $((OPTIND - n))
+ shift $((OPTIND - n))
if (( $# == 0 )); then
if (( ${#DIRSTACK[*]} < 2 )); then
- \builtin print -u2 pushd: No other directory.
- \return 1
+ print -u2 pushd: No other directory.
+ return 1
fi
d=${DIRSTACK[1]}
DIRSTACK[1]=${DIRSTACK[0]}
- \cd_csh "$d" || \return 1
+ cd_csh "$d" || return 1
elif (( $# > 1 )); then
- \builtin print -u2 pushd: Too many arguments.
- \return 1
+ print -u2 pushd: Too many arguments.
+ return 1
elif [[ $1 = ++([0-9]) && $1 != +0 ]]; then
if (( (n = ${1#+}) >= ${#DIRSTACK[*]} )); then
- \builtin print -u2 pushd: Directory stack not that deep.
- \return 1
+ print -u2 pushd: Directory stack not that deep.
+ return 1
fi
while (( n-- )); do
d=${DIRSTACK[0]}
- \unset DIRSTACK[0]
- \set -A DIRSTACK -- "${DIRSTACK[@]}" "$d"
+ unset DIRSTACK[0]
+ set -A DIRSTACK -- "${DIRSTACK[@]}" "$d"
done
- \cd_csh "${DIRSTACK[0]}" || \return 1
+ cd_csh "${DIRSTACK[0]}" || return 1
else
- \set -A DIRSTACK -- placeholder "${DIRSTACK[@]}"
- \cd_csh "$1" || \return 1
+ set -A DIRSTACK -- placeholder "${DIRSTACK[@]}"
+ cd_csh "$1" || return 1
fi
- \dirs $fa
+ dirs $fa
}
# pager (not control character safe)
-smores() (
- \set +m
- \cat "$@" |&
- \trap "rv=\$?; 'kill' $! >/dev/null 2>&1; 'exit' \$rv" EXIT
- while IFS= \read -pr line; do
- llen=${%line}
- (( llen == -1 )) && llen=${#line}
- (( llen = llen ? (llen + COLUMNS - 1) / COLUMNS : 1 ))
- if (( (curlin += llen) >= LINES )); then
- \builtin print -n -- '\e[7m--more--\e[0m'
- \read -u1 || \exit $?
- [[ $REPLY = [Qq]* ]] && \exit 0
- curlin=$llen
- fi
- \builtin print -r -- "$line"
- done
-)
+function smores {
+ (
+ set +m
+ cat "$@" |&
+ trap "rv=\$?; kill $! >/dev/null 2>&1; exit \$rv" EXIT
+ while IFS= read -pr line; do
+ llen=${%line}
+ (( llen == -1 )) && llen=${#line}
+ (( llen = llen ? (llen + COLUMNS - 1) / COLUMNS : 1 ))
+ if (( (curlin += llen) >= LINES )); then
+ print -n -- '\033[7m--more--\033[0m'
+ read -u1 || exit $?
+ [[ $REPLY = [Qq]* ]] && exit 0
+ curlin=$llen
+ fi
+ print -r -- "$line"
+ done
+ )
+}
-# base64 encoder and decoder, RFC compliant, NUL safe, not EBCDIC safe
+# base64 encoder and decoder, RFC compliant, NUL safe
function Lb64decode {
- \set +U
- \typeset c s="$*" t
- [[ -n $s ]] || { s=$(\cat; \builtin print x); s=${s%x}; }
- \typeset -i i=0 j=0 n=${#s} p=0 v x
- \typeset -i16 o
+ [[ -o utf8-mode ]]; local u=$?
+ set +U
+ local c s="$*" t=
+ [[ -n $s ]] || { s=$(cat; print x); s=${s%x}; }
+ local -i i=0 j=0 n=${#s} p=0 v x
+ local -i16 o
while (( i < n )); do
c=${s:(i++):1}
case $c {
- (=) \break ;;
+ (=) break ;;
([A-Z]) (( v = 1#$c - 65 )) ;;
([a-z]) (( v = 1#$c - 71 )) ;;
([0-9]) (( v = 1#$c + 4 )) ;;
(+) v=62 ;;
(/) v=63 ;;
- (*) \continue ;;
+ (*) continue ;;
}
(( x = (x << 6) | v ))
case $((p++)) {
- (0) \continue ;;
+ (0) continue ;;
(1) (( o = (x >> 4) & 255 )) ;;
(2) (( o = (x >> 2) & 255 )) ;;
(3) (( o = x & 255 ))
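Review bot: Alias protection is lost throughout this hunk: the new side calls `print`, `cat`, `read`, `realpath` and `kill` by bare name and declares variables with `local`, where the removed lines used `\builtin print`, `\typeset` and backslash-quoted names. The quoting suppressed alias expansion, so with the bare forms any alias already defined when this file is read gets compiled into `cd`, `pushd`, `popd`, `hd` and `smores`, and `local` only works while the shell's default alias for it is present. The `$MirOS` line in the previous hunk goes from revision 1.108 to 1.89, so this looks like an older upstream copy replacing a newer one; if that is intended, a comment at the top naming the mksh version the file is matched to would help, otherwise keep the quoted forms. `case $KSH_VERSION in` also loses its `:-` default and will abort under `set -u` in a shell that does not set the variable. Lb64decode continues past the end of this hunk.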
@@ -297,25 +291,27 @@ function Lb64decode {
;;
}
t+=\\x${o#16#}
- (( ++j & 4095 )) && \continue
- \builtin print -n $t
+ (( ++j & 4095 )) && continue
+ print -n $t
t=
done
- \builtin print -n $t
+ print -n $t
+ (( u )) || set -U
}
-\set -A Lb64encode_tbl -- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z \
+set -A Lb64encode_code -- A B C D E F G H I J K L M N O P Q R S T U V W X Y Z \
a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9 + /
function Lb64encode {
- \set +U
- \typeset c s t
+ [[ -o utf8-mode ]]; local u=$?
+ set +U
+ local c s t
if (( $# )); then
- \read -raN-1 s <<<"$*"
- \unset s[${#s[*]}-1]
+ read -raN-1 s <<<"$*"
+ unset s[${#s[*]}-1]
else
- \read -raN-1 s
+ read -raN-1 s
fi
- \typeset -i i=0 n=${#s[*]} j v
+ local -i i=0 n=${#s[*]} j v
while (( i < n )); do
(( v = s[i++] << 16 ))
@@ -323,281 +319,87 @@ function Lb64encode {
(( v |= j << 8 ))
(( j = i < n ? s[i++] : 0 ))
(( v |= j ))
- t+=${Lb64encode_tbl[v >> 18]}${Lb64encode_tbl[v >> 12 & 63]}
- c=${Lb64encode_tbl[v >> 6 & 63]}
+ t+=${Lb64encode_code[v >> 18]}${Lb64encode_code[v >> 12 & 63]}
+ c=${Lb64encode_code[v >> 6 & 63]}
if (( i <= n )); then
- t+=$c${Lb64encode_tbl[v & 63]}
+ t+=$c${Lb64encode_code[v & 63]}
elif (( i == n + 1 )); then
t+=$c=
else
t+===
fi
if (( ${#t} == 76 || i >= n )); then
- \builtin print $t
+ print $t
t=
fi
done
+ (( u )) || set -U
}
# Better Avalanche for the Jenkins Hash
-\typeset -Z11 -Uui16 Lbafh_v
+typeset -Z11 -Uui16 Lbafh_v
function Lbafh_init {
Lbafh_v=0
}
function Lbafh_add {
- \set +U
- \typeset s
+ [[ -o utf8-mode ]]; local u=$?
+ set +U
+ local s
if (( $# )); then
- \read -raN-1 s <<<"$*"
- \unset s[${#s[*]}-1]
+ read -raN-1 s <<<"$*"
+ unset s[${#s[*]}-1]
else
- \read -raN-1 s
+ read -raN-1 s
fi
- \typeset -i i=0 n=${#s[*]}
+ local -i i=0 n=${#s[*]}
while (( i < n )); do
((# Lbafh_v = (Lbafh_v + s[i++] + 1) * 1025 ))
((# Lbafh_v ^= Lbafh_v >> 6 ))
done
+
+ (( u )) || set -U
}
function Lbafh_finish {
- \typeset -Ui t
+ local -Ui t
((# t = (((Lbafh_v >> 7) & 0x01010101) * 0x1B) ^ \
((Lbafh_v << 1) & 0xFEFEFEFE) ))
- ((# Lbafh_v = t ^ (t ^> 8) ^ (Lbafh_v ^> 8) ^ \
- (Lbafh_v ^> 16) ^ (Lbafh_v ^> 24) ))
- \:
+ ((# Lbafh_v = t ^ (t >>> 8) ^ (Lbafh_v >>> 8) ^ \
+ (Lbafh_v >>> 16) ^ (Lbafh_v >>> 24) ))
+ :
}
# strip comments (and leading/trailing whitespace if IFS is set) from
# any file(s) given as argument, or stdin if none, and spew to stdout
function Lstripcom {
- \set -o noglob
- \cat "$@" | while \read _line; do
+ cat "$@" | { set -o noglob; while read _line; do
_line=${_line%%#*}
- [[ -n $_line ]] && \builtin print -r -- $_line
- done
+ [[ -n $_line ]] && print -r -- $_line
+ done; }
}
# give MidnightBSD's laffer1 a bit of csh feeling
function setenv {
- if (( $# )); then
- \eval '\export "$1"="${2:-}"'
- else
- \typeset -x
- fi
-}
-
-# toggle built-in aliases and utilities, and aliases and functions from mkshrc
-function enable {
- \typeset doprnt=0 mode=1 x y z rv=0
- \typeset b_alias i_alias i_func nalias=0 nfunc=0 i_all
- \set -A b_alias
- \set -A i_alias
- \set -A i_func
-
- # accumulate mksh built-in aliases, in ASCIIbetical order
- i_alias[nalias]=autoload; b_alias[nalias++]='\typeset -fu'
- i_alias[nalias]=functions; b_alias[nalias++]='\typeset -f'
- i_alias[nalias]=hash; b_alias[nalias++]='\builtin alias -t'
- i_alias[nalias]=history; b_alias[nalias++]='\builtin fc -l'
- i_alias[nalias]=integer; b_alias[nalias++]='\typeset -i'
- i_alias[nalias]=local; b_alias[nalias++]='\typeset'
- i_alias[nalias]=login; b_alias[nalias++]='\exec login'
- i_alias[nalias]=nameref; b_alias[nalias++]='\typeset -n'
- i_alias[nalias]=nohup; b_alias[nalias++]='nohup '
- i_alias[nalias]=r; b_alias[nalias++]='\builtin fc -e -'
- i_alias[nalias]=type; b_alias[nalias++]='\builtin whence -v'
-
- # accumulate mksh built-in utilities, in definition order, even ifndef
- i_func[nfunc++]=.
- i_func[nfunc++]=:
- i_func[nfunc++]='['
- i_func[nfunc++]=alias
- i_func[nfunc++]=break
- i_func[nfunc++]=builtin
- i_func[nfunc++]=cat
- i_func[nfunc++]=cd
- i_func[nfunc++]=chdir
- i_func[nfunc++]=command
- i_func[nfunc++]=continue
- i_func[nfunc++]=echo
- i_func[nfunc++]=eval
- i_func[nfunc++]=exec
- i_func[nfunc++]=exit
- i_func[nfunc++]=export
- i_func[nfunc++]=false
- i_func[nfunc++]=fc
- i_func[nfunc++]=getopts
- i_func[nfunc++]=global
- i_func[nfunc++]=jobs
- i_func[nfunc++]=kill
- i_func[nfunc++]=let
- i_func[nfunc++]='let]'
- i_func[nfunc++]=print
- i_func[nfunc++]=pwd
- i_func[nfunc++]=read
- i_func[nfunc++]=readonly
- i_func[nfunc++]=realpath
- i_func[nfunc++]=rename
- i_func[nfunc++]=return
- i_func[nfunc++]=set
- i_func[nfunc++]=shift
- i_func[nfunc++]=source
- i_func[nfunc++]=suspend
- i_func[nfunc++]=test
- i_func[nfunc++]=times
- i_func[nfunc++]=trap
- i_func[nfunc++]=true
- i_func[nfunc++]=typeset
- i_func[nfunc++]=ulimit
- i_func[nfunc++]=umask
- i_func[nfunc++]=unalias
- i_func[nfunc++]=unset
- i_func[nfunc++]=wait
- i_func[nfunc++]=whence
- i_func[nfunc++]=bg
- i_func[nfunc++]=fg
- i_func[nfunc++]=bind
- i_func[nfunc++]=mknod
- i_func[nfunc++]=printf
- i_func[nfunc++]=sleep
- i_func[nfunc++]=domainname
- i_func[nfunc++]=extproc
-
- # accumulate aliases from dot.mkshrc, in definition order
- i_alias[nalias]=l; b_alias[nalias++]='ls -F'
- i_alias[nalias]=la; b_alias[nalias++]='l -a'
- i_alias[nalias]=ll; b_alias[nalias++]='l -l'
- i_alias[nalias]=lo; b_alias[nalias++]='l -alo'
- i_alias[nalias]=doch; b_alias[nalias++]='sudo mksh -c "$(\builtin fc -ln -1)"'
- i_alias[nalias]=rot13; b_alias[nalias++]='tr abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM'
- i_alias[nalias]=cls; b_alias[nalias++]='\builtin print -n \\ec'
-
- # accumulate functions from dot.mkshrc, in definition order
- i_func[nfunc++]=hd
- i_func[nfunc++]=chpwd
- i_func[nfunc++]=cd
- i_func[nfunc++]=cd_csh
- i_func[nfunc++]=dirs
- i_func[nfunc++]=popd
- i_func[nfunc++]=pushd
- i_func[nfunc++]=smores
- i_func[nfunc++]=Lb64decode
- i_func[nfunc++]=Lb64encode
- i_func[nfunc++]=Lbafh_init
- i_func[nfunc++]=Lbafh_add
- i_func[nfunc++]=Lbafh_finish
- i_func[nfunc++]=Lstripcom
- i_func[nfunc++]=setenv
- i_func[nfunc++]=enable
-
- # collect all identifiers, sorted ASCIIbetically
- \set -sA i_all -- "${i_alias[@]}" "${i_func[@]}"
-
- # handle options, we don't do dynamic loading
- while \getopts "adf:nps" x; do
- case $x {
- (a)
- mode=-1
- ;;
- (d)
- # deliberately causing an error, like bash-static
- ;|
- (f)
- \builtin print -u2 enable: dynamic loading not available
- \return 2
- ;;
- (n)
- mode=0
- ;;
- (p)
- doprnt=1
- ;;
- (s)
- \set -sA i_all -- . : break continue eval exec exit \
- export readonly return set shift times trap unset
- ;;
- (*)
- \builtin print -u2 enable: usage: \
- "enable [-adnps] [-f filename] [name ...]"
- return 2
- ;;
- }
- done
- \shift $((OPTIND - 1))
-
- # display builtins enabled/disabled/all/special?
- if (( doprnt || ($# == 0) )); then
- for x in "${i_all[@]}"; do
- y=$(\alias "$x") || y=
- [[ $y = "$x='\\builtin whence -p $x >/dev/null || (\\builtin print mksh: $x: not found; exit 127) && \$(\\builtin whence -p $x)'" ]]; z=$?
- case $mode:$z {
- (-1:0|0:0)
- \print -r -- "enable -n $x"
- ;;
- (-1:1|1:1)
- \print -r -- "enable $x"
- ;;
- }
- done
- \return 0
- fi
-
- for x in "$@"; do
- z=0
- for y in "${i_alias[@]}" "${i_func[@]}"; do
- [[ $x = "$y" ]] || \continue
- z=1
- \break
- done
- if (( !z )); then
- \builtin print -ru2 enable: "$x": not a shell builtin
- rv=1
- \continue
- fi
- if (( !mode )); then
- # disable this
- \alias "$x=\\builtin whence -p $x >/dev/null || (\\builtin print mksh: $x: not found; exit 127) && \$(\\builtin whence -p $x)"
- else
- # find out if this is an alias or not, first
- z=0
- y=-1
- while (( ++y < nalias )); do
- [[ $x = "${i_alias[y]}" ]] || \continue
- z=1
- \break
- done
- if (( z )); then
- # re-enable the original alias body
- \alias "$x=${b_alias[y]}"
- else
- # re-enable the original utility/function
- \unalias "$x"
- fi
- fi
- done
- \return $rv
+ eval export "\"$1\""'="$2"'
}
-\: place customisations below this line
+: place customisations below this line
for p in ~/.etc/bin ~/bin; do
- [[ -d $p/. ]] || \continue
- #XXX OS/2
+ [[ -d $p/. ]] || continue
[[ :$PATH: = *:$p:* ]] || PATH=$p:$PATH
done
-\export SHELL=$MKSH MANWIDTH=80 LESSHISTFILE=-
-\alias cls='\builtin print -n \\ec'
+export SHELL=$MKSH MANWIDTH=80 LESSHISTFILE=-
+alias cls='print -n \\033c'
-#\unset LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_IDENTIFICATION LC_MONETARY \
+#unset LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_IDENTIFICATION LC_MONETARY \
# LC_NAME LC_NUMERIC LC_TELEPHONE LC_TIME
#p=en_GB.UTF-8
-#\export LANG=C LC_CTYPE=$p LC_MEASUREMENT=$p LC_MESSAGES=$p LC_PAPER=$p
-#\set -U
+#set -U
+#export LANG=C LC_CTYPE=$p LC_MEASUREMENT=$p LC_MESSAGES=$p LC_PAPER=$p
-\unset p
+unset p
-\: place customisations above this line
+: place customisations above this line
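Review bot: The new `setenv` body, `eval export "\"$1\""'="$2"'`, expands `$1` before `eval` parses the line, so a name argument containing a double quote or a command substitution is run as shell code instead of being rejected as an invalid identifier. The removed form kept both parameters inside single quotes so that `eval` only ever saw `"$1"` and `"$2"`; I would keep that: `eval 'export "$1"="${2:-}"'`. The new body also drops the no-argument branch that listed exported variables with `typeset -x`, so a bare `setenv` now tries to export an empty name.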
diff --git a/msmtprc b/msmtprc
deleted file mode 100644
index ef8839b..0000000
--- a/msmtprc
+++ /dev/null
@@ -1,25 +0,0 @@
-# Global defaults
-defaults
-aliases /etc/aliases
-logfile ~/.msmtp.log
-
-# Hashbang account
-# Required for msmtp to function as sendmail
-account hashbang.sh
-host mail.hashbang.sh
-
-# Sender address
-auto_from on
-maildomain hashbang.sh
-
-# TLS configuration
-tls on
-tls_trust_file /etc/ssl/certs/ca-certificates.crt
-
-# Syslog logging with facility LOG_MAIL instead of the default LOG_USER.
-# Only applies to the #! account
-syslog LOG_MAIL
-
-
-# Make hashbang the default account
-account default : hashbang.sh
diff --git a/network/if-down.d/resolvconf b/network/if-down.d/resolvconf
deleted file mode 100755
index 66e3a9f..0000000
--- a/network/if-down.d/resolvconf
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-#
-# ifdown hook script for resolvconf
-#
-# This file is part of the resolvconf package.
-#
-
-[ -x /sbin/resolvconf ] || exit 0
-
-case "$ADDRFAM" in
- inet|inet6) : ;;
- *) exit 0 ;;
-esac
-
-/sbin/resolvconf -d "${IFACE}.${ADDRFAM}" || :
-
diff --git a/network/if-up.d/000resolvconf b/network/if-up.d/000resolvconf
deleted file mode 100755
index f799371..0000000
--- a/network/if-up.d/000resolvconf
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh
-#
-# ifup hook script for resolvconf
-#
-# This file is part of the resolvconf package.
-#
-
-[ -x /sbin/resolvconf ] || exit 0
-
-case "$ADDRFAM" in
- inet|inet6) : ;;
- *) exit 0 ;;
-esac
-
-R=""
-if [ "$IF_DNS_DOMAIN" ] ; then
- R="${R}domain $IF_DNS_DOMAIN
-"
-fi
-if [ "$IF_DNS_SEARCH" ] ; then
- R="${R}search $IF_DNS_SEARCH
-"
-fi
-if [ "$IF_DNS_SORTLIST" ] ; then
- R="${R}sortlist $IF_DNS_SORTLIST
-"
-fi
-for NS in $IF_DNS_NAMESERVERS ; do
- R="${R}nameserver $NS
-"
-done
-
-# Note: arguments of multiple instances of options are separated by newlines
-set_NS_to_first_arg() { NS="$1" ; }
-STANDARD_IFS="$IFS"
-IFS='
-'
-for OPT in $IF_DNS_NAMESERVER ; do
- IFS="$STANDARD_IFS"
- set_NS_to_first_arg $OPT
- [ "$NS" ] && R="${R}nameserver $NS
-"
-done
-IFS="$STANDARD_IFS"
-
-echo -n "$R" | /sbin/resolvconf -a "${IFACE}.${ADDRFAM}" || :
-
diff --git a/network/if-up.d/openntpd b/network/if-up.d/openntpd
index 203a4d9..0e55ce2 100755
--- a/network/if-up.d/openntpd
+++ b/network/if-up.d/openntpd
@@ -7,4 +7,10 @@ then
exit 0
fi
+# Openntpd does not listen anything by default:
+if ! grep -q '^[[:space:]]*listen' "$CONFIG"
+then
+ exit 0
+fi
+
invoke-rc.d openntpd force-reload || true
diff --git a/network/interfaces.example b/network/interfaces.example
deleted file mode 100644
index c562750..0000000
--- a/network/interfaces.example
+++ /dev/null
@@ -1,37 +0,0 @@
-# This file describes the network interfaces available on your system
-# and how to activate them. For more information, see interfaces(5).
-
-source /etc/network/interfaces.d/*
-
-# The loopback network interface
-auto lo
-iface lo inet loopback
-
-# The primary network interface
-# The networks 192.0.2.0/24 (TEST-NET-1) and 203.0.113.0/24 (TEST-NET-3)
-# are reserved for documentation, per RFC5737
-auto eth0
-iface eth0 inet static
- address 192.0.2.42
- netmask 255.255.255.0
- gateway 192.0.2.254
-
-# Assuming that native IPv6 is available:
-iface eth0 inet6 static
- address 2001:DB8:f00d:b1a::10ca1
- netmask 64
-
-# Otherwise, using a Hurricane Electrics tunnel:
-auto he-ipv6
-iface he-ipv6 inet6 v4tunnel
- # Our IPv6 address for routing
- address 2001:DB8:f00d:b1a::2
- gateway 2001:DB8:f00d:b1a::1
- netmask 64
- # The tunnel endpoints
- endpoint 203.0.113.226
- local 192.0.2.42
- ttl 255
- # Sad hack
- up ip a add dev $IFACE 2001:DB8:f00:b1a::/64
- down ip a del dev $IFACE 2001:DB8:f00:b1a::/64
diff --git a/nova-agent.env b/nova-agent.env
deleted file mode 100644
index e69de29..0000000
diff --git a/npmrc b/npmrc
deleted file mode 100644
index dc3f6fb..0000000
--- a/npmrc
+++ /dev/null
@@ -1 +0,0 @@
-prefix = ${HOME}/.npm-packages
diff --git a/nslcd.conf b/nslcd.conf
index 8abbbaf..aff19f2 100644
--- a/nslcd.conf
+++ b/nslcd.conf
@@ -7,10 +7,10 @@ uid nslcd
gid nslcd
# The location at which the LDAP server(s) should be reachable.
-uri ldaps://ldap.hashbang.sh/
+uri ldap://92.242.140.21/
# The search base that will be used for all queries.
-base dc=hashbang,dc=sh
+base dc=example,dc=net
# The LDAP protocol version to use.
#ldap_version 3
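Review bot: The new `uri ldap://92.242.140.21/` replaces an `ldaps://` endpoint with an unencrypted one, and nothing visible enables `ssl start_tls` (the `#ssl off` line in the next hunk stays commented), so account lookups and any bind would cross the network in clear text and could be altered in transit. Addressing the server by bare IP also means a certificate can only be verified if it carries that IP as a subject alternative name. I would keep the TLS endpoint and require verification, `uri ldaps://ldap.hashbang.sh/` with `tls_reqcert demand`; commenting out `tls_reqcert never` in the next hunk has no effect while the connection is plain LDAP. `base dc=example,dc=net` looks like a packaging default rather than a real search base, so confirm it before this is deployed.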
@@ -24,7 +24,7 @@ base dc=hashbang,dc=sh
# SSL options
#ssl off
-tls_reqcert never
+#tls_reqcert never
tls_cacertfile /etc/ssl/certs/ca-certificates.crt
# The search scope.
diff --git a/nsswitch.conf b/nsswitch.conf
index 9b5d09c..9a8d1af 100644
--- a/nsswitch.conf
+++ b/nsswitch.conf
@@ -18,4 +18,4 @@ ethers: db files
rpc: db files
netgroup: nis sss
-sudoers: files
+sudoers: files sss
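Review bot: Adding `sss` to the `sudoers:` line makes sudo accept rules served by SSSD in addition to the local sudoers file, so write access to the directory's sudo entries becomes equivalent to root on this host. The SSSD configuration is not part of this hunk; confirm that its sudo provider reaches the directory over a verified TLS connection, which matters more given that nslcd.conf in this same diff moves to `ldap://`. A comment above the line would record the intent, e.g. `# sudo rules are also read from SSSD; directory admins can grant root here`.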
diff --git a/oidentd.conf b/oidentd.conf
index 134f37f..03b28d8 100644
--- a/oidentd.conf
+++ b/oidentd.conf
@@ -1,10 +1,22 @@
+# Configuration for oidentd
+# see oidentd.conf(5)
+#
default {
default {
+ deny spoof
deny spoof_all
deny spoof_privport
- deny hide
- deny random
+ allow random
+ allow random_numeric
allow numeric
- deny random_numeric
+ deny hide
}
}
+
+# you may want to hide root connections
+#user "root" {
+# default {
+# force reply "UNKNOWN"
+# }
+#}
+
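Review bot: `allow random` and `allow random_numeric` now let any local user have oidentd answer with a random ident, where the old side denied both. On a shared shell host the ident reply is what a remote service uses to tell one account from another when it handles an abuse report, so random replies remove that attribution; `allow numeric` alone already avoids exposing login names. Unless the reason is recorded elsewhere, I would keep `deny random` and `deny random_numeric`, and add a one-line comment above the capability list stating the policy.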
diff --git a/openntpd/ntpd.conf b/openntpd/ntpd.conf
index a5c9544..b230e60 100644
--- a/openntpd/ntpd.conf
+++ b/openntpd/ntpd.conf
@@ -1,4 +1,4 @@
-# $OpenBSD: ntpd.conf,v 1.2 2015/02/10 06:40:08 reyk Exp $
+# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)
# Addresses to listen on (ntpd does not listen by default)
@@ -9,8 +9,8 @@
# sync to a single server
#server ntp.example.org
-# use a random selection of NTP Pool Time Servers
-# see http://support.ntp.org/bin/view/Servers/NTPPoolServers
+# use a random selection of 8 public stratum 2 servers
+# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
#servers pool.ntp.org
# Choose servers announced from Debian NTP Pool
@@ -18,9 +18,3 @@ servers 0.debian.pool.ntp.org
servers 1.debian.pool.ntp.org
servers 2.debian.pool.ntp.org
servers 3.debian.pool.ntp.org
-
-# use a specific local timedelta sensor (radio clock, etc)
-#sensor nmea0
-
-# use all detected timedelta sensors
-#sensor *
diff --git a/packages.txt b/packages.txt
deleted file mode 100644
index 200b6b9..0000000
--- a/packages.txt
+++ /dev/null
@@ -1,1243 +0,0 @@
-acl install
-acpi install
-acpi-support-base install
-acpid install
-adduser install
-aglfn install
-alpine install
-ansible install
-apt install
-apt-file install
-apt-transport-https install
-apt-utils install
-aptitude install
-aptitude-common install
-aria2 install
-aspell install
-aspell-en install
-at install
-atool install
-auditd install
-autoconf install
-automake install
-autopoint install
-autotools-dev install
-base-files install
-base-passwd install
-bash install
-bash-completion install
-bastet install
-bc install
-bcrypt install
-bind9-host install
-binfmt-support install
-binutils install
-bitlbee install
-bitlbee-common install
-bsdgames install
-bsdmainutils install
-bsdutils install
-build-essential install
-busybox install
-byobu install
-bzip2 install
-ca-certificates install
-cgroup-tools install
-checkpolicy install
-cloc install
-cloud-initramfs-dyn-netconf install
-cloud-initramfs-growroot install
-cloud-utils install
-cmake install
-cmake-data install
-command-not-found install
-console-setup install
-console-setup-linux install
-coreutils install
-cowsay install
-cpio install
-cpp install
-cpp-4.9 install
-cracklib-runtime install
-cron install
-curl install
-cvs install
-dash install
-dbus install
-dbus-x11 install
-dc install
-dconf-gsettings-backend:amd64 install
-dconf-service install
-dctrl-tools install
-deb.torproject.org-keyring install
-debconf install
-debconf-i18n install
-debconf-utils install
-debhelper install
-debian-archive-keyring install
-debian-keyring install
-debianutils install
-debsums install
-devscripts install
-dh-lua install
-dh-python install
-dictionaries-common install
-diffutils install
-dirmngr install
-discount install
-discover install
-discover-data install
-distro-info install
-distro-info-data install
-dmidecode install
-dmsetup install
-dns-root-data install
-dnsutils install
-docutils-common install
-dos2unix install
-dpkg install
-dpkg-dev install
-duplicity install
-e2fslibs:amd64 install
-e2fsprogs install
-eject install
-elinks install
-elinks-data install
-emacs-nox install
-emacs24-bin-common install
-emacs24-common install
-emacs24-common-non-dfsg install
-emacs24-nox install
-emacsen-common install
-encfs install
-erlang-asn1 install
-erlang-base install
-erlang-crypto install
-erlang-inets install
-erlang-mnesia install
-erlang-os-mon install
-erlang-public-key install
-erlang-runtime-tools install
-erlang-snmp install
-erlang-ssl install
-etckeeper install
-euca2ools install
-exuberant-ctags install
-fakeroot install
-ferm install
-figlet install
-file install
-findutils install
-firejail install
-fish install
-fish-common install
-fontconfig install
-fontconfig-config install
-fonts-dejavu-core install
-fonts-droid install
-fonts-lyx install
-frotz install
-fuse install
-g++ install
-g++-4.9 install
-gawk install
-gcc install
-gcc-4.8-base:amd64 install
-gcc-4.9 install
-gcc-4.9-base:amd64 install
-gcc-5-base:amd64 install
-gcc-6-base:amd64 install
-gconf-service install
-gconf2 install
-gconf2-common install
-gdb install
-geoip-database install
-gettext install
-gettext-base install
-gforth install
-gforth-common install
-gforth-lib:amd64 install
-ghc install
-gir1.2-glib-2.0:amd64 install
-git install
-git-email install
-git-man install
-glances install
-glib-networking:amd64 install
-glib-networking-common install
-glib-networking-services install
-gnuchess install
-gnugo install
-gnupg install
-gnupg-agent install
-gnupg2 install
-gnuplot-data install
-gnuplot-nox install
-gnuplot-tex install
-golang-go install
-golang-go-linux-amd64 install
-golang-src install
-gpgv install
-grep install
-groff-base install
-grub-common install
-grub-pc install
-grub-pc-bin install
-grub2-common install
-gsettings-desktop-schemas install
-gsfonts install
-gstreamer0.10-gconf:amd64 install
-gstreamer0.10-nice:amd64 install
-gstreamer0.10-plugins-base:amd64 install
-gstreamer0.10-plugins-good:amd64 install
-guile-2.0 install
-guile-2.0-dev install
-guile-2.0-libs:amd64 install
-gyp install
-gzip install
-haveged install
-hddtemp install
-hicolor-icon-theme install
-hostname install
-html2text install
-htop install
-httpie install
-iamerican install
-ibritish install
-ieee-data install
-ienglish-common install
-ifupdown install
-imagemagick install
-imagemagick-6.q16 install
-imagemagick-common install
-info install
-init install
-init-system-helpers install
-initramfs-tools install
-initscripts install
-insserv install
-install-info install
-installation-report install
-intltool-debian install
-iotop install
-ipcalc install
-iperf install
-iproute install
-iproute2 install
-iptables install
-iputils-ping install
-ipxe-qemu install
-irssi install
-isc-dhcp-client install
-isc-dhcp-common install
-iso-codes install
-ispell install
-java-common install
-javascript-common install
-joe install
-john install
-john-data install
-jq install
-kbd install
-kexec-tools install
-keyboard-configuration install
-klibc-utils install
-kmod install
-krb5-locales install
-ksh install
-laptop-detect install
-ldap-utils install
-ldnsutils install
-less install
-lftp install
-libaa1:amd64 install
-libacl1:amd64 install
-libaio1:amd64 install
-libalgorithm-diff-perl install
-libalgorithm-diff-xs-perl install
-libalgorithm-merge-perl install
-libapol4:amd64 install
-libapparmor1:amd64 install
-libappconfig-perl install
-libapr1:amd64 install
-libaprutil1:amd64 install
-libapt-inst1.5:amd64 install
-libapt-pkg-perl install
-libapt-pkg4.12:amd64 install
-libarchive13:amd64 install
-libasan1:amd64 install
-libasm4-java install
-libasn1-8-heimdal:amd64 install
-libasound2:amd64 install
-libasound2-data install
-libaspell15:amd64 install
-libasprintf-dev:amd64 install
-libasprintf0c2:amd64 install
-libass5:amd64 install
-libassuan0:amd64 install
-libasyncns0:amd64 install
-libatk1.0-0:amd64 install
-libatk1.0-data install
-libatomic1:amd64 install
-libattr1:amd64 install
-libaudit-common install
-libaudit1:amd64 install
-libauparse0:amd64 install
-libavahi-client3:amd64 install
-libavahi-common-data:amd64 install
-libavahi-common3:amd64 install
-libavahi-glib1:amd64 install
-libavc1394-0:amd64 install
-libbasicobjects0:amd64 install
-libbind9-90 install
-libblas-common install
-libblas3 install
-libblkid1:amd64 install
-libbluetooth3:amd64 install
-libboost-filesystem1.55.0:amd64 install
-libboost-iostreams1.55.0:amd64 install
-libboost-program-options1.55.0:amd64 install
-libboost-serialization1.55.0:amd64 install
-libboost-system1.55.0:amd64 install
-libboost-thread1.55.0:amd64 install
-libbrlapi0.6:amd64 install
-libbsd-dev:amd64 install
-libbsd0:amd64 install
-libbz2-1.0:amd64 install
-libc++-dev:amd64 install
-libc++-helpers install
-libc++1:amd64 install
-libc-ares-dev:amd64 install
-libc-ares2:amd64 install
-libc-bin install
-libc-dev-bin install
-libc6:amd64 install
-libc6-dev:amd64 install
-libcaca0:amd64 install
-libcairo-gobject2:amd64 install
-libcairo2:amd64 install
-libcap-ng-utils install
-libcap-ng0:amd64 install
-libcap2:amd64 install
-libcap2-bin install
-libcdaudio1 install
-libcdparanoia0:amd64 install
-libcgroup1:amd64 install
-libcilkrts5:amd64 install
-libclass-method-modifiers-perl install
-libclass-methodmaker-perl install
-libcln6 install
-libcloog-isl4:amd64 install
-libcollection4:amd64 install
-libcomerr2:amd64 install
-libconfig-file-perl install
-libconvert-binhex-perl install
-libcrack2:amd64 install
-libcroco3:amd64 install
-libcryptsetup4:amd64 install
-libcups2:amd64 install
-libcupsfilters1:amd64 install
-libcupsimage2:amd64 install
-libcurl3:amd64 install
-libcurl3-gnutls:amd64 install
-libcwidget3:amd64 install
-libdata-perl-perl install
-libdatrie1:amd64 install
-libdb5.3:amd64 install
-libdbus-1-3:amd64 install
-libdbus-glib-1-2:amd64 install
-libdc1394-22:amd64 install
-libdca0:amd64 install
-libdconf1:amd64 install
-libdebconfclient0:amd64 install
-libdevel-globaldestruction-perl install
-libdevmapper1.02.1:amd64 install
-libdhash1:amd64 install
-libdigest-hmac-perl install
-libdirac-encoder0:amd64 install
-libdirectfb-1.2-9:amd64 install
-libdiscover2 install
-libdns-export100 install
-libdns100 install
-libdpkg-perl install
-libdrm2:amd64 install
-libdv4:amd64 install
-libdvdnav4:amd64 install
-libdvdread4:amd64 install
-libedit2:amd64 install
-libee0 install
-libelfg0:amd64 install
-libenca0:amd64 install
-libept1.4.12:amd64 install
-liberror-perl install
-libestr0 install
-libev4 install
-libevent-2.0-5:amd64 install
-libevent-core-2.0-5:amd64 install
-libevent-extra-2.0-5:amd64 install
-libevent-openssl-2.0-5:amd64 install
-libevent-pthreads-2.0-5:amd64 install
-libexpat1:amd64 install
-libexpat1-dev:amd64 install
-libexporter-tiny-perl install
-libfaad2:amd64 install
-libfakeroot:amd64 install
-libfdt1:amd64 install
-libffcall1 install
-libffi-dev:amd64 install
-libffi6:amd64 install
-libfftw3-double3:amd64 install
-libfile-fcntllock-perl install
-libfile-find-rule-perl install
-libfile-fnmatch-perl install
-libflac8:amd64 install
-libflite1:amd64 install
-libfontconfig1:amd64 install
-libfreetype6:amd64 install
-libfribidi0:amd64 install
-libfsplib0 install
-libfuse2:amd64 install
-libgadu3 install
-libgc-dev:amd64 install
-libgc1c2:amd64 install
-libgcc-4.9-dev:amd64 install
-libgcc1:amd64 install
-libgconf-2-4:amd64 install
-libgcrypt20:amd64 install
-libgd3:amd64 install
-libgdbm3:amd64 install
-libgdk-pixbuf2.0-0:amd64 install
-libgdk-pixbuf2.0-common install
-libgeoip1:amd64 install
-libgettextpo-dev:amd64 install
-libgettextpo0:amd64 install
-libgfortran3:amd64 install
-libgirepository-1.0-1:amd64 install
-libgl1-mesa-glx:amd64 install
-libglapi-mesa:amd64 install
-libglib2.0-0:amd64 install
-libglib2.0-data install
-libgme0 install
-libgmp-dev:amd64 install
-libgmp10:amd64 install
-libgmpxx4ldbl:amd64 install
-libgnupg-interface-perl install
-libgnutls-deb0-28:amd64 install
-libgnutls-openssl27:amd64 install
-libgomp1:amd64 install
-libgpg-error0:amd64 install
-libgpgme11:amd64 install
-libgpm2:amd64 install
-libgraphite2-3:amd64 install
-libgsasl7 install
-libgsm1:amd64 install
-libgssapi-krb5-2:amd64 install
-libgssapi3-heimdal:amd64 install
-libgssdp-1.0-3 install
-libgstreamer-plugins-bad0.10-0:amd64 install
-libgstreamer-plugins-base0.10-0:amd64 install
-libgstreamer0.10-0:amd64 install
-libgtk2.0-0:amd64 install
-libgtk2.0-bin install
-libgtk2.0-common install
-libgudev-1.0-0:amd64 install
-libgumbo-dev:amd64 install
-libgumbo1:amd64 install
-libgupnp-1.0-4 install
-libgupnp-igd-1.0-4:amd64 install
-libharfbuzz0b:amd64 install
-libhavege1:amd64 install
-libhcrypto4-heimdal:amd64 install
-libheimbase1-heimdal:amd64 install
-libheimntlm0-heimdal:amd64 install
-libhogweed2:amd64 install
-libhx509-5-heimdal:amd64 install
-libicu52:amd64 install
-libidn11:amd64 install
-libiec61883-0:amd64 install
-libijs-0.35:amd64 install
-libilmbase6:amd64 install
-libimage-exiftool-perl install
-libimport-into-perl install
-libini-config5:amd64 install
-libio-socket-inet6-perl install
-libio-socket-ssl-perl install
-libipa-hbac0 install
-libirs-export91 install
-libisc-export95 install
-libisc95 install
-libisccc90 install
-libisccfg-export90 install
-libisccfg90 install
-libiscsi2:amd64 install
-libisl10:amd64 install
-libitm1:amd64 install
-libjack-jackd2-0:amd64 install
-libjasper1:amd64 install
-libjbig0:amd64 install
-libjbig2dec0 install
-libjemalloc1 install
-libjpeg62-turbo:amd64 install
-libjs-jquery install
-libjs-jquery-ui install
-libjs-node-uuid install
-libjs-sphinxdoc install
-libjs-underscore install
-libjson-c2:amd64 install
-libjsr166y-java install
-libk5crypto3:amd64 install
-libkate1 install
-libkeyutils1:amd64 install
-libklibc install
-libkmod2:amd64 install
-libkrb5-26-heimdal:amd64 install
-libkrb5-3:amd64 install
-libkrb5support0:amd64 install
-libksba8:amd64 install
-liblapack3 install
-liblcms2-2:amd64 install
-libldap-2.4-2:amd64 install
-libldap2-dev:amd64 install
-libldb1:amd64 install
-libldns1 install
-liblinear1:amd64 install
-liblist-moreutils-perl install
-liblocale-gettext-perl install
-liblockfile-bin install
-liblockfile1:amd64 install
-liblogging-stdlog0:amd64 install
-liblognorm1:amd64 install
-liblqr-1-0:amd64 install
-liblsan0:amd64 install
-libltdl-dev:amd64 install
-libltdl7:amd64 install
-liblua5.1-0:amd64 install
-liblua5.1-0-dev:amd64 install
-liblua5.2-0:amd64 install
-liblua5.2-dev:amd64 install
-liblua5.3-0:amd64 install
-liblua5.3-dev:amd64 install
-libluajit-5.1-common install
-liblwres90 install
-liblzma5:amd64 install
-liblzo2-2:amd64 install
-libmagic1:amd64 install
-libmagickcore-6.q16-2:amd64 install
-libmagickwand-6.q16-2:amd64 install
-libmail-sendmail-perl install
-libmailtools-perl install
-libmarkdown2:amd64 install
-libmd0:amd64 install
-libmeanwhile1 install
-libmhash2:amd64 install
-libmime-tools-perl install
-libmimic0 install
-libmms0:amd64 install
-libmng1:amd64 install
-libmnl0:amd64 install
-libmodplug1 install
-libmodule-runtime-perl install
-libmoo-perl install
-libmoox-handlesvia-perl install
-libmoox-late-perl install
-libmount1:amd64 install
-libmpc3:amd64 install
-libmpcdec6:amd64 install
-libmpdec2:amd64 install
-libmpfr4:amd64 install
-libmysqlclient18:amd64 install
-libncurses5:amd64 install
-libncurses5-dev:amd64 install
-libncursesw5:amd64 install
-libncursesw5-dev:amd64 install
-libnet-dns-perl install
-libnet-idn-encode-perl install
-libnet-ip-perl install
-libnet-smtp-ssl-perl install
-libnet-ssleay-perl install
-libnetfilter-acct1:amd64 install
-libnetpbm10 install
-libnettle4:amd64 install
-libnewt0.52:amd64 install
-libnfnetlink0:amd64 install
-libnice10:amd64 install
-libnl-3-200:amd64 install
-libnl-route-3-200:amd64 install
-libnpth0:amd64 deinstall
-libnspr4:amd64 install
-libnss-ldapd:amd64 install
-libnss-sss:amd64 install
-libnss3:amd64 install
-libntdb1:amd64 install
-libntlm0:amd64 install
-libnumber-compare-perl install
-libofa0 install
-libogg0:amd64 install
-libonig2:amd64 install
-libopenal-data install
-libopenal1:amd64 install
-libopenexr6:amd64 install
-libopus0:amd64 install
-liborc-0.4-0:amd64 install
-libp11-kit0:amd64 install
-libpam-ldapd:amd64 install
-libpam-modules:amd64 install
-libpam-modules-bin install
-libpam-pwquality:amd64 install
-libpam-runtime install
-libpam-sss:amd64 install
-libpam-systemd:amd64 install
-libpam0g:amd64 install
-libpango-1.0-0:amd64 install
-libpango1.0-0:amd64 install
-libpangocairo-1.0-0:amd64 install
-libpangoft2-1.0-0:amd64 install
-libpangox-1.0-0:amd64 install
-libpangoxft-1.0-0:amd64 install
-libpaper1:amd64 install
-libparams-classify-perl install
-libparted2:amd64 install
-libpath-utils1:amd64 install
-libpcap0.8:amd64 install
-libpci3:amd64 install
-libpcre3:amd64 install
-libpcre3-dev:amd64 install
-libpcrecpp0:amd64 install
-libpcsclite1:amd64 install
-libperl4-corelibs-perl install
-libperl5.20 install
-libpipeline1:amd64 install
-libpixman-1-0:amd64 install
-libpng12-0:amd64 install
-libpolkit-agent-1-0:amd64 install
-libpolkit-backend-1-0:amd64 install
-libpolkit-gobject-1-0:amd64 install
-libpopt0:amd64 install
-libprocps3:amd64 install
-libprotobuf-c1 install
-libprotobuf9:amd64 install
-libproxy1:amd64 install
-libpsl0:amd64 install
-libpth20:amd64 install
-libpwquality-common install
-libpwquality1:amd64 install
-libpython-dev:amd64 install
-libpython-stdlib:amd64 install
-libpython2.7:amd64 install
-libpython2.7-dev:amd64 install
-libpython2.7-minimal:amd64 install
-libpython2.7-stdlib:amd64 install
-libpython3-dev:amd64 install
-libpython3-stdlib:amd64 install
-libpython3.4:amd64 install
-libpython3.4-dev:amd64 install
-libpython3.4-minimal:amd64 install
-libpython3.4-stdlib:amd64 install
-libqalculate5:amd64 install
-libqalculate5-data install
-libqdbm14 install
-libqpol1:amd64 install
-libqt4-network:amd64 install
-libqt4-xml:amd64 install
-libqtcore4:amd64 install
-libqtdbus4:amd64 install
-libquadmath0:amd64 install
-librados2 install
-libraptor2-0:amd64 install
-librasqal3:amd64 install
-libraw1394-11:amd64 install
-librbd1 install
-librdf0:amd64 install
-libreadline-dev:amd64 install
-libreadline6:amd64 install
-libreadline6-dev:amd64 install
-libref-array1:amd64 install
-libregexp-assemble-perl install
-libregexp-common-perl install
-librlog5 install
-libroken18-heimdal:amd64 install
-librole-tiny-perl install
-librsvg2-2:amd64 install
-librsync1:amd64 install
-librtmp1:amd64 install
-libruby2.1:amd64 install
-libsamplerate0:amd64 install
-libsasl2-2:amd64 install
-libsasl2-dev install
-libsasl2-modules:amd64 install
-libsasl2-modules-db:amd64 install
-libsasl2-modules-gssapi-mit:amd64 install
-libschroedinger-1.0-0:amd64 install
-libsctp1:amd64 install
-libseccomp2:amd64 install
-libselinux1:amd64 install
-libsemanage-common install
-libsemanage1:amd64 install
-libsensors4:amd64 install
-libsepol1:amd64 install
-libserf-1-1:amd64 install
-libshout3:amd64 install
-libsigc++-2.0-0c2a:amd64 install
-libsigsegv2:amd64 install
-libslang2:amd64 install
-libslv2-9 install
-libsmartcols1:amd64 install
-libsndfile1:amd64 install
-libsocket6-perl install
-libsoundtouch0:amd64 install
-libsoup-gnome2.4-1:amd64 install
-libsoup2.4-1:amd64 install
-libspandsp2:amd64 install
-libspeex1:amd64 install
-libspice-server1:amd64 install
-libsqlite3-0:amd64 install
-libss2:amd64 install
-libssh2-1:amd64 install
-libssl-dev:amd64 install
-libssl-doc install
-libssl1.0.0:amd64 install
-libsss-idmap0 install
-libsss-sudo install
-libstdc++-4.9-dev:amd64 install
-libstdc++6:amd64 install
-libstrictures-perl install
-libsub-exporter-progressive-perl install
-libsvn1:amd64 install
-libsys-hostname-long-perl install
-libsystemd0:amd64 install
-libtag1-vanilla:amd64 install
-libtag1c2a:amd64 install
-libtalloc2:amd64 install
-libtasn1-6:amd64 install
-libtcl8.5:amd64 install
-libtcl8.6:amd64 install
-libtdb1:amd64 install
-libtemplate-perl install
-libterm-readkey-perl install
-libtevent0:amd64 install
-libtext-charwidth-perl install
-libtext-glob-perl install
-libtext-iconv-perl install
-libtext-template-perl install
-libtext-wrapi18n-perl install
-libthai-data install
-libthai0:amd64 install
-libtheora0:amd64 install
-libtiff5:amd64 install
-libtimedate-perl install
-libtinfo-dev:amd64 install
-libtinfo5:amd64 install
-libtokyocabinet9:amd64 install
-libtool install
-libtool-bin install
-libtorrent14:amd64 install
-libtre5:amd64 install
-libtsan0:amd64 install
-libtype-tiny-perl install
-libubsan0:amd64 install
-libudev1:amd64 install
-libunbound2:amd64 install
-libunistring0:amd64 install
-liburi-perl install
-libusb-0.1-4:amd64 install
-libusb-1.0-0:amd64 install
-libusbredirparser1:amd64 install
-libustr-1.0-1:amd64 install
-libutempter0 install
-libuuid1:amd64 install
-libv4l-0:amd64 install
-libv4lconvert0:amd64 install
-libv8-3.14-dev install
-libv8-3.14.5 install
-libval14:amd64 install
-libvdeplug2 install
-libvisual-0.4-0:amd64 install
-libvo-aacenc0:amd64 install
-libvo-amrwbenc0:amd64 install
-libvorbis0a:amd64 install
-libvorbisenc2:amd64 install
-libvpx1:amd64 install
-libwavpack1:amd64 install
-libwbclient0:amd64 install
-libwildmidi-config install
-libwildmidi1:amd64 install
-libwind0-heimdal:amd64 install
-libwmf0.2-7:amd64 install
-libwrap0:amd64 install
-libx11-6:amd64 install
-libx11-data install
-libx11-xcb1:amd64 install
-libxapian22 install
-libxau6:amd64 install
-libxcb-dri2-0:amd64 install
-libxcb-dri3-0:amd64 install
-libxcb-glx0:amd64 install
-libxcb-present0:amd64 install
-libxcb-render0:amd64 install
-libxcb-shm0:amd64 install
-libxcb-sync1:amd64 install
-libxcb1:amd64 install
-libxcomposite1:amd64 install
-libxcursor1:amd64 install
-libxdamage1:amd64 install
-libxdmcp6:amd64 install
-libxen-4.4:amd64 install
-libxenstore3.0:amd64 install
-libxext6:amd64 install
-libxfixes3:amd64 install
-libxft2:amd64 install
-libxi6:amd64 install
-libxinerama1:amd64 install
-libxml2:amd64 install
-libxml2-dev:amd64 install
-libxmlrpc-core-c3 install
-libxmuu1:amd64 install
-libxpm4:amd64 install
-libxrandr2:amd64 install
-libxrender1:amd64 install
-libxshmfence1:amd64 install
-libxslt1-dev:amd64 install
-libxslt1.1:amd64 install
-libxtables10 install
-libxv1:amd64 install
-libxvidcore4:amd64 install
-libxxf86vm1:amd64 install
-libyajl2:amd64 install
-libyaml-0-2:amd64 install
-libzephyr4:amd64 install
-libzvbi-common install
-libzvbi0:amd64 install
-linux-base install
-linux-image-3.16.0-4-amd64 install
-linux-image-4.9.0-0.bpo.2-amd64 deinstall
-linux-image-4.9.0-0.bpo.3-amd64 install
-linux-image-4.9.0-0.bpo.4-amd64 install
-linux-image-4.9.0-0.bpo.5-amd64 install
-linux-image-amd64 install
-linux-libc-dev:amd64 install
-lm-sensors install
-locales install
-locales-all install
-locate install
-login install
-logrotate install
-lsb-base install
-lsb-release install
-lsof install
-ltrace install
-lua5.1 install
-lua5.2 install
-lua5.3 install
-luajit install
-luarocks install
-lynx install
-lynx-cur install
-m4 install
-make install
-man-db install
-manpages install
-manpages-dev install
-mat install
-mawk install
-mc install
-mc-data install
-mime-support install
-mksh install
-mlock install
-mosh install
-mount install
-msmtp install
-mtr install
-multiarch-support install
-mutt install
-mutt-patched deinstall
-mysql-common install
-nano install
-ncdu install
-ncurses-base install
-ncurses-bin install
-ncurses-doc install
-ncurses-term install
-net-tools install
-netbase install
-netcat-traditional install
-nethack-common install
-nethack-console install
-nfacct install
-nmap install
-node-abbrev install
-node-ansi install
-node-ansi-color-table install
-node-archy install
-node-async install
-node-block-stream install
-node-combined-stream install
-node-cookie-jar install
-node-delayed-stream install
-node-forever-agent install
-node-form-data install
-node-fstream install
-node-fstream-ignore install
-node-github-url-from-git install
-node-glob install
-node-graceful-fs install
-node-gyp install
-node-inherits install
-node-ini install
-node-json-stringify-safe install
-node-lockfile install
-node-lru-cache install
-node-mime install
-node-minimatch install
-node-mkdirp install
-node-mute-stream install
-node-node-uuid install
-node-nopt install
-node-normalize-package-data install
-node-npmlog install
-node-once install
-node-osenv install
-node-qs install
-node-read install
-node-read-package-json install
-node-request install
-node-retry install
-node-rimraf install
-node-semver install
-node-sha install
-node-sigmund install
-node-slide install
-node-tar install
-node-tunnel-agent install
-node-underscore install
-node-which install
-nodejs install
-nodejs-dev install
-nodejs-legacy install
-npm install
-nscd install
-nslcd install
-nslcd-utils install
-oidentd install
-openbios-ppc install
-openbios-sparc install
-openhackware install
-openntpd install
-openssh-blacklist install
-openssh-blacklist-extra install
-openssh-client install
-openssh-server install
-openssh-sftp-server install
-openssl install
-os-prober install
-p7zip install
-pandoc install
-pandoc-data install
-parallel install
-parted install
-pass install
-passwd install
-patch install
-pciutils install
-pep8 install
-perl install
-perl-base install
-perl-modules install
-php5-cgi install
-php5-cli install
-php5-common install
-php5-curl install
-php5-fpm install
-php5-json install
-php5-mysql install
-php5-sqlite install
-pidgin-data install
-pinentry-curses install
-pkg-config install
-po-debconf install
-policykit-1 install
-poppler-data install
-postfix install
-procmail install
-procps install
-psmisc install
-pv install
-pwgen install
-pyflakes install
-python install
-python-apt install
-python-apt-common install
-python-audit install
-python-backports.ssl-match-hostname install
-python-boto install
-python-cffi install
-python-characteristic install
-python-chardet install
-python-chardet-whl install
-python-cheetah install
-python-colorama install
-python-colorama-whl install
-python-configobj install
-python-crypto install
-python-cryptography install
-python-dateutil install
-python-debian install
-python-debianbts install
-python-decorator install
-python-defusedxml install
-python-dev install
-python-distlib install
-python-distlib-whl install
-python-distro-info install
-python-docutils install
-python-ecdsa install
-python-flake8 install
-python-gdbm install
-python-geoip install
-python-gi install
-python-hachoir-core install
-python-hachoir-parser install
-python-html5lib install
-python-html5lib-whl install
-python-httplib2 install
-python-ipy install
-python-jinja2 install
-python-json-pointer install
-python-jsonpatch install
-python-ldap install
-python-lockfile install
-python-lxml install
-python-markupsafe install
-python-matplotlib-data install
-python-mccabe install
-python-minimal install
-python-mock install
-python-mutagen install
-python-ndg-httpsclient install
-python-netaddr install
-python-networkx install
-python-newt install
-python-nose install
-python-numpy install
-python-oauth install
-python-openssl install
-python-paramiko install
-python-pdfrw install
-python-pip install
-python-pip-whl install
-python-pkg-resources install
-python-ply install
-python-potr install
-python-prettytable install
-python-pyasn1 install
-python-pyasn1-modules install
-python-pycparser install
-python-pygments install
-python-pyparsing install
-python-reportbug install
-python-reportlab install
-python-reportlab-accel:amd64 install
-python-requestbuilder install
-python-requests install
-python-requests-whl install
-python-roman install
-python-serial install
-python-service-identity install
-python-setuptools install
-python-setuptools-whl install
-python-six install
-python-six-whl install
-python-soappy install
-python-software-properties install
-python-sss install
-python-stevedore install
-python-support install
-python-talloc install
-python-torctl install
-python-tox install
-python-twisted install
-python-twisted-bin install
-python-twisted-conch install
-python-twisted-core install
-python-twisted-lore install
-python-twisted-mail install
-python-twisted-names install
-python-twisted-news install
-python-twisted-runner install
-python-twisted-web install
-python-twisted-words install
-python-tz install
-python-urllib3 install
-python-urllib3-whl install
-python-virtualenv install
-python-websocket install
-python-wheel install
-python-wstools install
-python-yaml install
-python-zope.interface install
-python2.7 install
-python2.7-dev install
-python2.7-minimal install
-python3 install
-python3-apt install
-python3-bottle install
-python3-chardet install
-python3-colorama install
-python3-crypto install
-python3-decorator install
-python3-dev install
-python3-distlib install
-python3-html5lib install
-python3-jinja2 install
-python3-markupsafe install
-python3-minimal install
-python3-numpy install
-python3-pip install
-python3-pkg-resources install
-python3-psutil install
-python3-py install
-python3-pyasn1 install
-python3-pysnmp4 install
-python3-requests install
-python3-scipy install
-python3-setuptools install
-python3-six install
-python3-urllib3 install
-python3-venv install
-python3-virtualenv install
-python3-wheel install
-python3.4 install
-python3.4-dev install
-python3.4-minimal install
-python3.4-venv install
-qalc install
-qemu-slof install
-qemu-system-common install
-qemu-user install
-qemu-utils install
-qprint install
-qtcore4-l10n install
-ranger install
-readline-common install
-redis-server install
-redis-tools install
-remind install
-reportbug install
-reptyr install
-resolvconf install
-rsync install
-rsyslog install
-rtorrent install
-ruby install
-ruby2.1 install
-rubygems-integration install
-samba-libs:amd64 install
-sbcl install
-screen install
-seabios install
-sed install
-sensible-utils install
-sgml-base install
-shared-mime-info install
-shellcheck install
-siege install
-signing-party install
-silversearcher-ag install
-silversearcher-ag-el install
-slashem install
-slashem-common install
-socat install
-sqlite3 install
-ssh install
-ssl-cert install
-sssd install
-sssd-ad install
-sssd-ad-common install
-sssd-common install
-sssd-ipa install
-sssd-krb5 install
-sssd-krb5-common install
-sssd-ldap install
-sssd-proxy install
-sssd-tools install
-startpar install
-stow install
-strace install
-subversion install
-sudo install
-swaks install
-sysstat install
-systemd install
-systemd-sysv install
-sysv-rc install
-sysvinit install
-sysvinit-utils install
-tar install
-task-english install
-tasksel install
-tasksel-data install
-tcl install
-tcl-tls install
-tcl8.5 install
-tcl8.6 install
-tcllib install
-tcpd install
-telnet install
-tig install
-tmux install
-toilet install
-toilet-fonts install
-topgit install
-tor install
-tor-arm install
-torsocks install
-traceroute install
-tree install
-tudu install
-tzdata install
-tzdata-java install
-ucf install
-udev install
-unattended-upgrades install
-unbound install
-unbound-anchor install
-units install
-unzip install
-urlview install
-usbutils install
-util-linux install
-util-linux-locales install
-vim-common install
-vim-nox install
-vim-runtime install
-vim-tiny install
-virtualenv install
-virtualenv-clone install
-virtualenvwrapper install
-w3m install
-wamerican install
-weechat install
-weechat-core install
-weechat-curses install
-weechat-lua install
-weechat-plugins install
-weechat-perl install
-weechat-python install
-wget install
-whiptail install
-whois install
-wyrd install
-xauth install
-xdg-user-dirs install
-xkb-data install
-xml-core install
-xz-utils install
-zangband-data install
-zile install
-zip install
-zlib1g:amd64 install
-zlib1g-dev:amd64 install
-znc install
-zpaq install
-zsh install
-zsh-common install
diff --git a/pam.d/atd b/pam.d/atd
index c1964f3..0036e71 100644
--- a/pam.d/atd
+++ b/pam.d/atd
@@ -6,5 +6,5 @@ auth required pam_env.so
@include common-auth
@include common-account
session required pam_loginuid.so
-session substack common-session-noninteractive
+@include common-session-noninteractive
session required pam_limits.so
diff --git a/pam.d/chsh b/pam.d/chsh
index f2c2621..7eb604d 100644
--- a/pam.d/chsh
+++ b/pam.d/chsh
@@ -1,3 +1,20 @@
-# Allow anyone in the users group to chsh
+#
+# The PAM configuration file for the Shadow `chsh' service
+#
+
+# This will not allow a user to change their shell unless
+# their current one is listed in /etc/shells. This keeps
+# accounts with special shells from changing them.
+auth required pam_shells.so
+
+# This allows root to change user shell without being
+# prompted for a password
+auth sufficient pam_rootok.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
-auth sufficient pam_wheel.so trust group=users use_uid
\ No newline at end of file
diff --git a/pam.d/common-account b/pam.d/common-account
index 03df104..1774641 100644
--- a/pam.d/common-account
+++ b/pam.d/common-account
@@ -13,10 +13,16 @@
# pam-auth-update(8) for details.
#
-# Disallow non-root logins when /etc/nologin exists.
-account required pam_nologin.so
-
-account sufficient pam_sss.so
-account sufficient pam_unix.so
-account sufficient pam_localuser.so
-account required pam_deny.so
+# here are the per-package modules (the "Primary" block)
+account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
+# here's the fallback if no module succeeds
+account requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+account required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+account sufficient pam_localuser.so
+account [default=bad success=ok user_unknown=ignore] pam_sss.so
+account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config
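Review bot: The Additional block runs `pam_sss.so` with `default=bad` ahead of `pam_ldap.so`, so for a non-local account any pam_sss result other than success or user_unknown marks the account stack as failed, and a later success from pam_ldap cannot undo that. If sssd is not actually configured or running on this host (not visible in this hunk), users served only through nslcd would presumably be refused at the account step. Because the block is generated, the cleaner fix is to enable only one directory profile with `pam-auth-update` rather than hand-editing the line. If both back-ends are really needed, `pam_sss.so ignore_authinfo_unavail` is the option to evaluate.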
diff --git a/pam.d/common-auth b/pam.d/common-auth
index 76f2e92..1cabca7 100644
--- a/pam.d/common-auth
+++ b/pam.d/common-auth
@@ -7,7 +7,21 @@
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
-auth sufficient pam_sss.so
-auth sufficient pam_unix.so use_first_pass
-auth required pam_deny.so
+# here are the per-package modules (the "Primary" block)
+auth [success=3 default=ignore] pam_unix.so nullok_secure
+auth [success=2 default=ignore] pam_sss.so use_first_pass
+auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
+# here's the fallback if no module succeeds
+auth requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+auth required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
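Review bot: `pam_unix.so nullok_secure` on the first Primary line lets an account with an empty password field authenticate from terminals listed in /etc/securetty, which the replaced `pam_unix.so use_first_pass` line did not allow. Unless a passwordless local account is intended, drop the option: `auth [success=3 default=ignore] pam_unix.so`. Because this block is maintained by pam-auth-update, make the change in the profile that produces the line. A hand edit inside the block may be flagged or lost on the next pam-auth-update run.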
diff --git a/pam.d/common-password b/pam.d/common-password
index a5528aa..42a3991 100644
--- a/pam.d/common-password
+++ b/pam.d/common-password
@@ -15,7 +15,22 @@
#
# See the pam_unix manpage for other options.
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
+
+# here are the per-package modules (the "Primary" block)
password requisite pam_pwquality.so retry=3
+password [success=3 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password sufficient pam_sss.so use_authtok
-password sufficient pam_unix.so obscure use_authtok try_first_pass sha512
+password [success=1 default=ignore] pam_ldap.so minimum_uid=1000 try_first_pass
+# here's the fallback if no module succeeds
password requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+password required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+# end of pam-auth-update config
diff --git a/pam.d/common-session b/pam.d/common-session
index 3f5636d..36b9bf9 100644
--- a/pam.d/common-session
+++ b/pam.d/common-session
@@ -6,8 +6,23 @@
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
-session substack common-session-noninteractive
-
-session optional pam_mkhomedir.so
-session optional pam_umask.so usergroups
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session optional pam_sss.so
+session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
+session optional pam_systemd.so
+# end of pam-auth-update config
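Review bot: The rewritten stack no longer calls `pam_mkhomedir.so` or `pam_umask.so usergroups`, while the same commit enables pam_sss and pam_ldap accounts. A directory user logging in for the first time will therefore get no home directory unless something else provisions it. If that is not intended, re-add `session optional pam_mkhomedir.so` and `session optional pam_umask.so usergroups` after `# end of pam-auth-update config`, which is where the file header says local modules belong. Without the umask line, default permissions on files created in new sessions depend on whatever else sets the umask (login.defs or a shell profile, not visible here).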
diff --git a/pam.d/common-session-noninteractive b/pam.d/common-session-noninteractive
index 21e0d00..50dc49c 100644
--- a/pam.d/common-session-noninteractive
+++ b/pam.d/common-session-noninteractive
@@ -6,17 +6,21 @@
# and should contain a list of modules that define tasks to be performed
# at the start and end of all non-interactive sessions.
#
+# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
+# To take advantage of this, it is recommended that you configure any
+# local modules either before or after the default block, and use
+# pam-auth-update to manage selection of other modules. See
+# pam-auth-update(8) for details.
-# Environment setup
-session required pam_env.so
-
-# User restrictions
-session required pam_namespace.so unmnt_remnt
-session required pam_limits.so
-session required pam_systemd.so
-session required pam_exec.so type=open_session /etc/security/limits.sh
-
-# Passwd database handling
-session sufficient pam_sss.so
-session sufficient pam_unix.so
-session required pam_deny.so
+# here are the per-package modules (the "Primary" block)
+session [default=1] pam_permit.so
+# here's the fallback if no module succeeds
+session requisite pam_deny.so
+# prime the stack with a positive return value if there isn't one already;
+# this avoids us returning an error just because nothing sets a success code
+# since the modules above will each just jump around
+session required pam_permit.so
+# and here are more per-package modules (the "Additional" block)
+session required pam_unix.so
+session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
+# end of pam-auth-update config
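Review bot: This hunk removes `pam_namespace.so unmnt_remnt`, `pam_limits.so` and the `pam_exec.so type=open_session /etc/security/limits.sh` hook, and nothing in the new stack replaces them. pam.d/common-session loses them as well, since it used to pull this file in as a substack. atd still calls `pam_limits.so` itself, but other services keep limits only if their own files load it, and polyinstantiated directories are no longer set up anywhere visible. If those restrictions are still wanted, add `session required pam_namespace.so unmnt_remnt` and `session required pam_limits.so` after `# end of pam-auth-update config`. Whether /etc/security/namespace.conf defines any polyinstantiated directory is not visible here, so confirm before deciding.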
diff --git a/pam.d/cron b/pam.d/cron
index 38b8c91..d6b06a5 100644
--- a/pam.d/cron
+++ b/pam.d/cron
@@ -13,7 +13,7 @@ session required pam_env.so
session required pam_env.so envfile=/etc/default/locale
@include common-account
-session substack common-session-noninteractive
+@include common-session-noninteractive
# Sets up user limits, please define limits for cron tasks
# through /etc/security/limits.conf
diff --git a/pam.d/login b/pam.d/login
index 69009b0..b165d02 100644
--- a/pam.d/login
+++ b/pam.d/login
@@ -31,6 +31,10 @@ auth optional pam_faildelay.so delay=3000000
# communicated over insecure lines.
auth [success=ok new_authtok_reqd=ok ignore=ignore user_unknown=bad default=die] pam_securetty.so
+# Disallows other than root logins when /etc/nologin exists
+# (Replaces the `NOLOGINS_FILE' option from login.defs)
+auth requisite pam_nologin.so
+
# SELinux needs to be the first session rule. This ensures that any
# lingering context has been cleared. Without out this it is possible
# that a module could execute code in the wrong domain.
@@ -89,7 +93,7 @@ session optional pam_motd.so
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
-session optional pam_mail.so dir=~/Mail standard
+session optional pam_mail.so standard
# Sets the loginuid process attribute
session required pam_loginuid.so
diff --git a/pam.d/sshd b/pam.d/sshd
index a58d3ab..d70b384 100644
--- a/pam.d/sshd
+++ b/pam.d/sshd
@@ -3,6 +3,9 @@
# Standard Un*x authentication.
@include common-auth
+# Disallow non-root logins when /etc/nologin exists.
+account required pam_nologin.so
+
# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so
@@ -31,7 +34,7 @@ session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Print the status of the user's mailbox upon successful login.
-session optional pam_mail.so dir=~/Mail standard noenv # [1]
+session optional pam_mail.so standard noenv # [1]
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
diff --git a/pam.d/sudo b/pam.d/sudo
index a30da2c..68c261a 100644
--- a/pam.d/sudo
+++ b/pam.d/sudo
@@ -2,4 +2,4 @@
@include common-auth
@include common-account
-session substack common-session-noninteractive
+@include common-session-noninteractive
diff --git a/pam.d/systemd-user b/pam.d/systemd-user
index 88d4e0b..cf8d9c8 100644
--- a/pam.d/systemd-user
+++ b/pam.d/systemd-user
@@ -3,9 +3,7 @@
# Used by systemd when launching systemd user instances.
@include common-account
-session substack common-session-noninteractive
-
-session optional pam_systemd.so
-
-auth required pam_deny.so
+@include common-session-noninteractive
+auth required pam_deny.so
password required pam_deny.so
+session optional pam_systemd.so
diff --git a/passwd b/passwd
index 03fea36..ca594ac 100644
--- a/passwd
+++ b/passwd
@@ -20,18 +20,19 @@ systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/fal
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
-Debian-exim:x:104:109::/var/spool/exim4:/bin/false
+sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
messagebus:x:105:110::/var/run/dbus:/bin/false
-statd:x:106:65534::/var/lib/nfs:/bin/false
-sshd:x:107:65534::/var/run/sshd:/usr/sbin/nologin
-postfix:x:109:115::/var/spool/postfix:/bin/false
-nslcd:x:110:117:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
-glances:x:111:119::/var/lib/glances:/bin/false
-oident:x:108:113::/:/bin/false
-bitlbee:x:112:120::/var/lib/bitlbee/:/bin/false
-redis:x:113:122::/var/lib/redis:/bin/false
-epmd:x:114:123::/var/run/epmd:/bin/false
-unbound:x:115:125::/var/lib/unbound:/bin/false
-debian-tor:x:117:127::/var/lib/tor:/bin/false
-ntpd:x:116:126::/var/run/openntpd:/bin/false
-dirmngr:x:118:128::/var/cache/dirmngr:/bin/sh
+nslcd:x:106:113:nslcd name service LDAP connection daemon,,,:/var/run/nslcd/:/bin/false
+postfix:x:107:115::/var/spool/postfix:/bin/false
+bitlbee:x:108:117::/var/lib/bitlbee/:/bin/false
+colord:x:109:118:colord colour management daemon,,,:/var/lib/colord:/bin/false
+dirmngr:x:110:120::/var/cache/dirmngr:/bin/sh
+epmd:x:111:121::/var/run/epmd:/bin/false
+ntpd:x:112:123::/var/run/openntpd:/bin/false
+redis:x:113:124::/var/lib/redis:/bin/false
+saned:x:114:125::/var/lib/saned:/bin/false
+debian-tor:x:115:126::/var/lib/tor:/bin/false
+unbound:x:116:127::/var/lib/unbound:/bin/false
+oident:x:117:128::/:/bin/false
+glances:x:118:129::/var/lib/glances:/bin/false
+cmccabe:x:1000:1000:Carl McCabe,1234,123-456-7890,:/home/cmccabe:/bin/bash
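Review bot: Most service accounts get a different UID or primary GID on the new side (postfix 109 to 107, nslcd 110 to 106, debian-tor 117 to 115, unbound 115 to 116, and others), and nothing in this hunk re-owns the files those accounts already hold. If this file is applied to a host with existing data, trees such as /var/spool/postfix or /var/lib/tor would be left owned by a number that now belongs to a different account; either keep the old numbers or chown the affected trees in the same change. Separately, `dirmngr` keeps `/bin/sh` as its shell while every other service account here uses `/bin/false` or `/usr/sbin/nologin`; unless something depends on it, `dirmngr:x:110:120::/var/cache/dirmngr:/usr/sbin/nologin` would match the rest.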
diff --git a/php5/cgi/php.ini b/php5/cgi/php.ini
index a49a559..fec9d2e 100644
--- a/php5/cgi/php.ini
+++ b/php5/cgi/php.ini
@@ -1208,6 +1208,19 @@ mysqlnd.collect_statistics = On
; http://php.net/mysqlnd.collect_memory_statistics
mysqlnd.collect_memory_statistics = Off
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+; http://php.net/mysqlnd.log_mask
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+; http://php.net/mysqlnd.mempool_default_size
+;mysqlnd.mempool_default_size = 16000
+
; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
; http://php.net/mysqlnd.net_cmd_buffer_size
;mysqlnd.net_cmd_buffer_size = 2048
@@ -1217,6 +1230,15 @@ mysqlnd.collect_memory_statistics = Off
; http://php.net/mysqlnd.net_read_buffer_size
;mysqlnd.net_read_buffer_size = 32768
+; Timeout for network requests in seconds.
+; http://php.net/mysqlnd.net_read_timeout
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+; http://php.net/mysqlnd.sha256_server_public_key
+;mysqlnd.sha256_server_public_key =
+
[OCI8]
; Connection: Enables privileged connections using external
@@ -1932,6 +1954,12 @@ ldap.max_links = -1
; Useful for internal debugging only.
;opcache.protect_memory=0
+; Validate cached file permissions.
+; opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+; opcache.validate_root=0
+
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
diff --git a/php5/cli/php.ini b/php5/cli/php.ini
index 8124e6e..5d0ea44 100644
--- a/php5/cli/php.ini
+++ b/php5/cli/php.ini
@@ -1208,6 +1208,19 @@ mysqlnd.collect_statistics = On
; http://php.net/mysqlnd.collect_memory_statistics
mysqlnd.collect_memory_statistics = Off
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+; http://php.net/mysqlnd.log_mask
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+; http://php.net/mysqlnd.mempool_default_size
+;mysqlnd.mempool_default_size = 16000
+
; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
; http://php.net/mysqlnd.net_cmd_buffer_size
;mysqlnd.net_cmd_buffer_size = 2048
@@ -1217,6 +1230,15 @@ mysqlnd.collect_memory_statistics = Off
; http://php.net/mysqlnd.net_read_buffer_size
;mysqlnd.net_read_buffer_size = 32768
+; Timeout for network requests in seconds.
+; http://php.net/mysqlnd.net_read_timeout
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+; http://php.net/mysqlnd.sha256_server_public_key
+;mysqlnd.sha256_server_public_key =
+
[OCI8]
; Connection: Enables privileged connections using external
@@ -1932,6 +1954,12 @@ ldap.max_links = -1
; Useful for internal debugging only.
;opcache.protect_memory=0
+; Validate cached file permissions.
+; opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+; opcache.validate_root=0
+
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
diff --git a/php5/fpm/php.ini b/php5/fpm/php.ini
index a49a559..fec9d2e 100644
--- a/php5/fpm/php.ini
+++ b/php5/fpm/php.ini
@@ -1208,6 +1208,19 @@ mysqlnd.collect_statistics = On
; http://php.net/mysqlnd.collect_memory_statistics
mysqlnd.collect_memory_statistics = Off
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+; http://php.net/mysqlnd.log_mask
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+; http://php.net/mysqlnd.mempool_default_size
+;mysqlnd.mempool_default_size = 16000
+
; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
; http://php.net/mysqlnd.net_cmd_buffer_size
;mysqlnd.net_cmd_buffer_size = 2048
@@ -1217,6 +1230,15 @@ mysqlnd.collect_memory_statistics = Off
; http://php.net/mysqlnd.net_read_buffer_size
;mysqlnd.net_read_buffer_size = 32768
+; Timeout for network requests in seconds.
+; http://php.net/mysqlnd.net_read_timeout
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+; http://php.net/mysqlnd.sha256_server_public_key
+;mysqlnd.sha256_server_public_key =
+
[OCI8]
; Connection: Enables privileged connections using external
@@ -1932,6 +1954,12 @@ ldap.max_links = -1
; Useful for internal debugging only.
;opcache.protect_memory=0
+; Validate cached file permissions.
+; opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+; opcache.validate_root=0
+
[curl]
; A default value for the CURLOPT_CAINFO option. This is required to be an
; absolute path.
diff --git a/postfix/dynamicmaps.cf b/postfix/dynamicmaps.cf
index d953c54..1c48bdc 100644
--- a/postfix/dynamicmaps.cf
+++ b/postfix/dynamicmaps.cf
@@ -4,4 +4,3 @@
#==== ================================ ============= ============
tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open
sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open
-ldap /usr/lib/postfix/dict_ldap.so dict_ldap_open
diff --git a/postfix/main.cf b/postfix/main.cf
index d945863..85dea39 100644
--- a/postfix/main.cf
+++ b/postfix/main.cf
@@ -1,38 +1,40 @@
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
append_dot_mydomain = no
-readme_directory = no
-
-# We serve mail for hashbang.sh only
-mydomain = hashbang.sh
-myorigin = $mydomain
-mydestination = $myhostname
-alias_maps = hash:/etc/aliases
-
-# Relay settings
-relayhost = mail.$mydomain
-smtp_tls_security_level = secure
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-smtp_tls_fingerprint_digest = sha1
-smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
-smtp_tls_exclude_ciphers = NULL, MD5, DES, RC4
-smtp_tls_mandatory_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
-
-# TLS Settings
-smtpd_use_tls = yes
-smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-# Delivery configuration
-mailbox_command = procmail -a "$EXTENSION"
-mailbox_size_limit = 0
-message_size_limit = 52428800
-recipient_delimiter = +
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
-# Access restrictions
-authorized_flush_users = root
-authorized_mailq_users = root
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = hashbang
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = hashbang, localhost.localdomain, , localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_command = procmail -a "$EXTENSION"
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
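Review bot: The new file listens on every interface (`inet_interfaces = all`) while offering only the snakeoil certificate, and it sets no TLS policy for outbound mail. With `relayhost =` empty the host delivers directly, and as far as I know the SMTP client does not attempt TLS by default on older Postfix unless `smtp_tls_security_level` is set. If the machine only needs to send locally generated mail, `inet_interfaces = loopback-only` narrows the exposure; for outbound I would add at least `smtp_tls_security_level = may`. `mydestination` also contains an empty element (`localhost.localdomain, , localhost`) that should be dropped, and `smtpd_use_tls=yes` is the legacy spelling of `smtpd_tls_security_level = may`.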
diff --git a/ppp/ip-down.d/000resolvconf b/ppp/ip-down.d/000resolvconf
deleted file mode 100755
index 561ef41..0000000
--- a/ppp/ip-down.d/000resolvconf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-#
-# PPP down hook script for resolvconf
-#
-# Reconfigures resolver to take into account
-# the disappearance of the ppp interface.
-#
-# This file is part of the resolvconf package.
-#
-
-[ -x /sbin/resolvconf ] || exit 0
-
-case "$6" in
- nm-pptp-service-*|nm-l2tp-service-*|/org/freedesktop/NetworkManager/PPP/*)
- # NetworkManager handles it
- exit 0
- ;;
-esac
-
-/sbin/resolvconf -d "${PPP_IFACE}.pppd"
-
diff --git a/ppp/ip-up.d/000resolvconf b/ppp/ip-up.d/000resolvconf
deleted file mode 100755
index c83ea18..0000000
--- a/ppp/ip-up.d/000resolvconf
+++ /dev/null
@@ -1,33 +0,0 @@
-#!/bin/sh
-#
-# PPP up hook script for resolvconf
-#
-# Reconfigures resolver to take into account
-# the appearance of the ppp interface.
-#
-# This file is part of the resolvconf package.
-#
-
-[ -x /sbin/resolvconf ] || exit 0
-
-[ "$USEPEERDNS" ] || exit 0
-
-case "$6" in
- nm-pptp-service-*|nm-l2tp-service-*|/org/freedesktop/NetworkManager/PPP/*)
- # NetworkManager handles it
- exit 0
- ;;
-esac
-
-R=""
-if [ "$DNS1" ] ; then
- R="${R}nameserver $DNS1
-"
-fi
-if [ "$DNS2" ] ; then
- R="${R}nameserver $DNS2
-"
-fi
-
-echo -n "$R" | /sbin/resolvconf -a "${PPP_IFACE}.pppd"
-
diff --git a/procmailrc b/procmailrc
deleted file mode 100644
index 9816a35..0000000
--- a/procmailrc
+++ /dev/null
@@ -1,2 +0,0 @@
-ORGMAIL=${HOME}/Mail/new
-DEFAULT=${ORGMAIL}
diff --git a/profile b/profile
index 7d37302..51d0430 100644
--- a/profile
+++ b/profile
@@ -32,5 +32,3 @@ if [ -d /etc/profile.d ]; then
done
unset i
fi
-
-umask 077
diff --git a/profile.d/dotfiles.sh b/profile.d/dotfiles.sh
deleted file mode 100644
index 9529fec..0000000
--- a/profile.d/dotfiles.sh
+++ /dev/null
@@ -1,68 +0,0 @@
-###
-# check if the dotfiles must be recreated
-###
-
-# Check both ~/.dotfiles and ~/.bash_profile as we
-# don't want to run if the user has “old style” dotfiles.
-if [ -d ~/.dotfiles ] || [ -f ~/.bash_profile ]; then
- return
-fi
-
-###
-# pre-clone
-###
-
-# Prepare GnuPG homedir
-export GNUPGHOME=$(mktemp -d --tmpdir gpg.XXXXXX)
-trap "rm -rf -- '${GNUPGHOME}'; unset GNUPGHOME" EXIT
-
-cat > "${GNUPGHOME}/gpg.conf" <<EOF
-# Never, ever, ever do this in your personal gpg.conf
-# However, this is sane when you know you use an empty GNUPGHOME
-keyring /var/lib/hashbang/admins.gpg
-trust-model always
-EOF
-
-###
-# cloning
-###
-
-if ! git clone --recursive https://github.com/hashbang/dotfiles ~/.dotfiles; then
- cat >&2 <<EOF
-CRITICAL: Failed to clone your dotfiles from
- https://github.com/hashbang/dotfiles
-EOF
- rm -rf ~/.dotfiles
- return
-fi
-
-if ! git -C ~/.dotfiles verify-commit HEAD; then
- echo "CRITICAL: Failed to verify signature on dotfiles" >&2
- rm -rf ~/.dotfiles
- return
-fi
-
-rm -rf -- "${GNUPGHOME}"
-unset GNUPGHOME
-trap - EXIT
-
-###
-# stowing
-###
-
-cd ~/.dotfiles
-stow bash git gnupg hashbang ssh tmux weechat zsh
-cd
-
-###
-# Make sure a proper maildir is in place
-###
-
-mkdir -p ~/Mail/cur ~/Mail/new ~/Mail/tmp
-
-###
-# Edit the welcome message
-###
-
-sed -i "s/{date}/$(date '+%a, %-d %b %Y %T %Z')/g" Mail/new/msg.welcome
-sed -i "s/{username}/$(whoami)/g" Mail/new/msg.welcome
diff --git a/profile.d/go.sh b/profile.d/go.sh
deleted file mode 100644
index 5a83330..0000000
--- a/profile.d/go.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-# https://github.com/golang/go/wiki/GOPATH
-export GOPATH="/usr/share/gocode:$HOME/.local/gocode"
-export PATH="$GOPATH/bin:$PATH"
diff --git a/profile.d/local_path.sh b/profile.d/local_path.sh
deleted file mode 100644
index b65f405..0000000
--- a/profile.d/local_path.sh
+++ /dev/null
@@ -1 +0,0 @@
-export PATH="$HOME/.local/bin:$PATH"
diff --git a/profile.d/luarocks_aliases.sh b/profile.d/luarocks_aliases.sh
deleted file mode 100644
index 79147d5..0000000
--- a/profile.d/luarocks_aliases.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-alias luarocks-5.1="lua5.1 /usr/bin/luarocks --local"
-alias luarocks-5.2="lua5.2 /usr/bin/luarocks --local"
-alias luarocks-5.3="lua5.3 /usr/bin/luarocks --local"
-# Need to do 5.1 last, as it adds to LUA_PATH, which would be picked up by the other commands
-eval `lua5.3 /usr/bin/luarocks --bin path`
-eval `lua5.2 /usr/bin/luarocks --bin path`
-eval `lua5.1 /usr/bin/luarocks --bin path`
diff --git a/profile.d/npm.sh b/profile.d/npm.sh
deleted file mode 100644
index 094a07e..0000000
--- a/profile.d/npm.sh
+++ /dev/null
@@ -1,24 +0,0 @@
-export PATH="$HOME/.npm-packages/bin:$PATH" # man 1 sh
-export NODE_PATH="$HOME/.npm-packages/lib/node_modules" # man 1 node
-export NPM_CONFIG_PREFIX="$HOME/.npm-packages" # man 7 npm-config
- # NOT man 1 or man 3
-export N_PREFIX="$HOME/.npm-packages" # installs under ~/.npm-packages/n
-
-install_node_version() {
- mv "$HOME/.npm-packages" "$HOME/.npm-packages-$(node -v)"
- echo "The previous versions of your NPM packages have moved. They are now"
- echo "accessible at: $HOME/.npm-packages-$(node -v)"
- command npm install -g npm
- command npm install -g n
- n "$1"
- command npm install yarn
-}
-
-npm() {
- echo "Use yarn instead!" >&2
- if ! command -v yarn >/dev/null; then
- echo 'Run `install_node_version latest` to update Node and install Yarn' >&2
- echo 'You can also specify an alias, such as `lts`, `latest`, etc.' >&2
- fi
- return 1
-}
diff --git a/profile.d/nvm.sh b/profile.d/nvm.sh
deleted file mode 100644
index 311809b..0000000
--- a/profile.d/nvm.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-export NVM_DIR="$HOME/.nvm"
-
-install_nvm() {
- git clone https://github.com/creationix/nvm "$NVM_DIR"
- git -C "$NVM_DIR" checkout $(git -C "$NVM_DIR" describe --abbrev=0 --tags --match "v[0-9]*" origin)
- . "$NVM_DIR/nvm.sh"
-}
-
-[ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
diff --git a/profile.d/user_ruby_bin_directory.sh b/profile.d/user_ruby_bin_directory.sh
deleted file mode 100644
index f189279..0000000
--- a/profile.d/user_ruby_bin_directory.sh
+++ /dev/null
@@ -1 +0,0 @@
-export PATH="$HOME/.gem/bin:$PATH"
diff --git a/profile.d/wall.sh b/profile.d/wall.sh
deleted file mode 100644
index f6589cd..0000000
--- a/profile.d/wall.sh
+++ /dev/null
@@ -1,3 +0,0 @@
-# By default, refuse to receive wall(1) messages from unprivileged users
-# Set `mesg y` in your config if this is the desired behaviour.
-mesg n
diff --git a/profile.d/z_manpath.sh b/profile.d/z_manpath.sh
deleted file mode 100644
index 2702b49..0000000
--- a/profile.d/z_manpath.sh
+++ /dev/null
@@ -1 +0,0 @@
-export MANPATH="${MANPATH:-$(manpath)}"
diff --git a/rc.local b/rc.local
index ca916d0..65634df 100755
--- a/rc.local
+++ b/rc.local
@@ -1 +1,14 @@
+#!/bin/sh -e
+#
+# rc.local
+#
+# This script is executed at the end of each multiuser runlevel.
+# Make sure that the script will "exit 0" on success or any other
+# value on error.
+#
+# In order to enable or disable this script just change the execution
+# bits.
+#
+# By default this script does nothing.
+
exit 0
diff --git a/rc0.d/K01resolvconf b/rc0.d/K01resolvconf
deleted file mode 120000
index dcf5e06..0000000
--- a/rc0.d/K01resolvconf
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/resolvconf
\ No newline at end of file
diff --git a/rc0.d/K01xe-linux-distribution b/rc0.d/K01xe-linux-distribution
deleted file mode 120000
index d061faa..0000000
--- a/rc0.d/K01xe-linux-distribution
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/xe-linux-distribution
\ No newline at end of file
diff --git a/rc1.d/K01xe-linux-distribution b/rc1.d/K01xe-linux-distribution
deleted file mode 120000
index d061faa..0000000
--- a/rc1.d/K01xe-linux-distribution
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/xe-linux-distribution
\ No newline at end of file
diff --git a/rc2.d/K01bitlbee b/rc2.d/K01bitlbee
deleted file mode 120000
index f4a0026..0000000
--- a/rc2.d/K01bitlbee
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/bitlbee
\ No newline at end of file
diff --git a/rc2.d/K01nscd b/rc2.d/K01nscd
deleted file mode 120000
index 721f15f..0000000
--- a/rc2.d/K01nscd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nscd
\ No newline at end of file
diff --git a/rc2.d/K01nslcd b/rc2.d/K01nslcd
deleted file mode 120000
index 6e1cfb5..0000000
--- a/rc2.d/K01nslcd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nslcd
\ No newline at end of file
diff --git a/rc2.d/K01redis-server b/rc2.d/K01redis-server
deleted file mode 120000
index 6ef689e..0000000
--- a/rc2.d/K01redis-server
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/redis-server
\ No newline at end of file
diff --git a/rc2.d/S01xe-linux-distribution b/rc2.d/S01xe-linux-distribution
deleted file mode 120000
index d061faa..0000000
--- a/rc2.d/S01xe-linux-distribution
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/xe-linux-distribution
\ No newline at end of file
diff --git a/rc2.d/S02atd b/rc2.d/S02atd
deleted file mode 120000
index 8cd7248..0000000
--- a/rc2.d/S02atd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/atd
\ No newline at end of file
diff --git a/rc2.d/S03cron b/rc2.d/S03cron
deleted file mode 120000
index b7a1f29..0000000
--- a/rc2.d/S03cron
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/cron
\ No newline at end of file
diff --git a/rc2.d/S03postfix b/rc2.d/S03postfix
deleted file mode 120000
index 81e743c..0000000
--- a/rc2.d/S03postfix
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/postfix
\ No newline at end of file
diff --git a/rc2.d/S04rc.local b/rc2.d/S04rc.local
deleted file mode 120000
index fb4ee0a..0000000
--- a/rc2.d/S04rc.local
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rc.local
\ No newline at end of file
diff --git a/rc2.d/S04rmnologin b/rc2.d/S04rmnologin
deleted file mode 120000
index 3000cf9..0000000
--- a/rc2.d/S04rmnologin
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rmnologin
\ No newline at end of file
diff --git a/rc3.d/K01bitlbee b/rc3.d/K01bitlbee
deleted file mode 120000
index f4a0026..0000000
--- a/rc3.d/K01bitlbee
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/bitlbee
\ No newline at end of file
diff --git a/rc3.d/K01nscd b/rc3.d/K01nscd
deleted file mode 120000
index 721f15f..0000000
--- a/rc3.d/K01nscd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nscd
\ No newline at end of file
diff --git a/rc3.d/K01nslcd b/rc3.d/K01nslcd
deleted file mode 120000
index 6e1cfb5..0000000
--- a/rc3.d/K01nslcd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nslcd
\ No newline at end of file
diff --git a/rc3.d/K01redis-server b/rc3.d/K01redis-server
deleted file mode 120000
index 6ef689e..0000000
--- a/rc3.d/K01redis-server
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/redis-server
\ No newline at end of file
diff --git a/rc3.d/S01xe-linux-distribution b/rc3.d/S01xe-linux-distribution
deleted file mode 120000
index d061faa..0000000
--- a/rc3.d/S01xe-linux-distribution
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/xe-linux-distribution
\ No newline at end of file
diff --git a/rc3.d/S02atd b/rc3.d/S02atd
deleted file mode 120000
index 8cd7248..0000000
--- a/rc3.d/S02atd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/atd
\ No newline at end of file
diff --git a/rc3.d/S03cron b/rc3.d/S03cron
deleted file mode 120000
index b7a1f29..0000000
--- a/rc3.d/S03cron
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/cron
\ No newline at end of file
diff --git a/rc3.d/S03postfix b/rc3.d/S03postfix
deleted file mode 120000
index 81e743c..0000000
--- a/rc3.d/S03postfix
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/postfix
\ No newline at end of file
diff --git a/rc3.d/S04rc.local b/rc3.d/S04rc.local
deleted file mode 120000
index fb4ee0a..0000000
--- a/rc3.d/S04rc.local
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rc.local
\ No newline at end of file
diff --git a/rc3.d/S04rmnologin b/rc3.d/S04rmnologin
deleted file mode 120000
index 3000cf9..0000000
--- a/rc3.d/S04rmnologin
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rmnologin
\ No newline at end of file
diff --git a/rc4.d/K01bitlbee b/rc4.d/K01bitlbee
deleted file mode 120000
index f4a0026..0000000
--- a/rc4.d/K01bitlbee
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/bitlbee
\ No newline at end of file
diff --git a/rc4.d/K01nscd b/rc4.d/K01nscd
deleted file mode 120000
index 721f15f..0000000
--- a/rc4.d/K01nscd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nscd
\ No newline at end of file
diff --git a/rc4.d/K01nslcd b/rc4.d/K01nslcd
deleted file mode 120000
index 6e1cfb5..0000000
--- a/rc4.d/K01nslcd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nslcd
\ No newline at end of file
diff --git a/rc4.d/K01redis-server b/rc4.d/K01redis-server
deleted file mode 120000
index 6ef689e..0000000
--- a/rc4.d/K01redis-server
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/redis-server
\ No newline at end of file
diff --git a/rc4.d/S01xe-linux-distribution b/rc4.d/S01xe-linux-distribution
deleted file mode 120000
index d061faa..0000000
--- a/rc4.d/S01xe-linux-distribution
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/xe-linux-distribution
\ No newline at end of file
diff --git a/rc4.d/S02atd b/rc4.d/S02atd
deleted file mode 120000
index 8cd7248..0000000
--- a/rc4.d/S02atd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/atd
\ No newline at end of file
diff --git a/rc4.d/S03cron b/rc4.d/S03cron
deleted file mode 120000
index b7a1f29..0000000
--- a/rc4.d/S03cron
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/cron
\ No newline at end of file
diff --git a/rc4.d/S03postfix b/rc4.d/S03postfix
deleted file mode 120000
index 81e743c..0000000
--- a/rc4.d/S03postfix
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/postfix
\ No newline at end of file
diff --git a/rc4.d/S04rc.local b/rc4.d/S04rc.local
deleted file mode 120000
index fb4ee0a..0000000
--- a/rc4.d/S04rc.local
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rc.local
\ No newline at end of file
diff --git a/rc4.d/S04rmnologin b/rc4.d/S04rmnologin
deleted file mode 120000
index 3000cf9..0000000
--- a/rc4.d/S04rmnologin
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rmnologin
\ No newline at end of file
diff --git a/rc5.d/K01bitlbee b/rc5.d/K01bitlbee
deleted file mode 120000
index f4a0026..0000000
--- a/rc5.d/K01bitlbee
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/bitlbee
\ No newline at end of file
diff --git a/rc5.d/K01nscd b/rc5.d/K01nscd
deleted file mode 120000
index 721f15f..0000000
--- a/rc5.d/K01nscd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nscd
\ No newline at end of file
diff --git a/rc5.d/K01nslcd b/rc5.d/K01nslcd
deleted file mode 120000
index 6e1cfb5..0000000
--- a/rc5.d/K01nslcd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/nslcd
\ No newline at end of file
diff --git a/rc5.d/K01redis-server b/rc5.d/K01redis-server
deleted file mode 120000
index 6ef689e..0000000
--- a/rc5.d/K01redis-server
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/redis-server
\ No newline at end of file
diff --git a/rc5.d/S01xe-linux-distribution b/rc5.d/S01xe-linux-distribution
deleted file mode 120000
index d061faa..0000000
--- a/rc5.d/S01xe-linux-distribution
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/xe-linux-distribution
\ No newline at end of file
diff --git a/rc5.d/S02atd b/rc5.d/S02atd
deleted file mode 120000
index 8cd7248..0000000
--- a/rc5.d/S02atd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/atd
\ No newline at end of file
diff --git a/rc5.d/S03cron b/rc5.d/S03cron
deleted file mode 120000
index b7a1f29..0000000
--- a/rc5.d/S03cron
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/cron
\ No newline at end of file
diff --git a/rc5.d/S03postfix b/rc5.d/S03postfix
deleted file mode 120000
index 81e743c..0000000
--- a/rc5.d/S03postfix
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/postfix
\ No newline at end of file
diff --git a/rc5.d/S04rc.local b/rc5.d/S04rc.local
deleted file mode 120000
index fb4ee0a..0000000
--- a/rc5.d/S04rc.local
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rc.local
\ No newline at end of file
diff --git a/rc5.d/S04rmnologin b/rc5.d/S04rmnologin
deleted file mode 120000
index 3000cf9..0000000
--- a/rc5.d/S04rmnologin
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/rmnologin
\ No newline at end of file
diff --git a/rc6.d/K01resolvconf b/rc6.d/K01resolvconf
deleted file mode 120000
index dcf5e06..0000000
--- a/rc6.d/K01resolvconf
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/resolvconf
\ No newline at end of file
diff --git a/rc6.d/K01xe-linux-distribution b/rc6.d/K01xe-linux-distribution
deleted file mode 120000
index d061faa..0000000
--- a/rc6.d/K01xe-linux-distribution
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/xe-linux-distribution
\ No newline at end of file
diff --git a/rcS.d/S04mountdevsubfs.sh b/rcS.d/S04mountdevsubfs.sh
deleted file mode 120000
index bf53fdc..0000000
--- a/rcS.d/S04mountdevsubfs.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/mountdevsubfs.sh
\ No newline at end of file
diff --git a/rcS.d/S05hwclock.sh b/rcS.d/S05hwclock.sh
deleted file mode 120000
index c2b57ec..0000000
--- a/rcS.d/S05hwclock.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/hwclock.sh
\ No newline at end of file
diff --git a/rcS.d/S06checkroot.sh b/rcS.d/S06checkroot.sh
deleted file mode 120000
index 79abfac..0000000
--- a/rcS.d/S06checkroot.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/checkroot.sh
\ No newline at end of file
diff --git a/rcS.d/S07checkfs.sh b/rcS.d/S07checkfs.sh
deleted file mode 120000
index 1d95b78..0000000
--- a/rcS.d/S07checkfs.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/checkfs.sh
\ No newline at end of file
diff --git a/rcS.d/S08checkroot-bootclean.sh b/rcS.d/S08checkroot-bootclean.sh
deleted file mode 120000
index e77f127..0000000
--- a/rcS.d/S08checkroot-bootclean.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/checkroot-bootclean.sh
\ No newline at end of file
diff --git a/rcS.d/S08kmod b/rcS.d/S08kmod
deleted file mode 120000
index 6085cfe..0000000
--- a/rcS.d/S08kmod
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/kmod
\ No newline at end of file
diff --git a/rcS.d/S09mountall.sh b/rcS.d/S09mountall.sh
deleted file mode 120000
index 63a9787..0000000
--- a/rcS.d/S09mountall.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/mountall.sh
\ No newline at end of file
diff --git a/rcS.d/S10mountall-bootclean.sh b/rcS.d/S10mountall-bootclean.sh
deleted file mode 120000
index 49a3f45..0000000
--- a/rcS.d/S10mountall-bootclean.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/mountall-bootclean.sh
\ No newline at end of file
diff --git a/rcS.d/S11procps b/rcS.d/S11procps
deleted file mode 120000
index 435622f..0000000
--- a/rcS.d/S11procps
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/procps
\ No newline at end of file
diff --git a/rcS.d/S11resolvconf b/rcS.d/S11resolvconf
deleted file mode 120000
index dcf5e06..0000000
--- a/rcS.d/S11resolvconf
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/resolvconf
\ No newline at end of file
diff --git a/rcS.d/S11udev-finish b/rcS.d/S11udev-finish
deleted file mode 120000
index ec67595..0000000
--- a/rcS.d/S11udev-finish
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/udev-finish
\ No newline at end of file
diff --git a/rcS.d/S11urandom b/rcS.d/S11urandom
deleted file mode 120000
index 7f3aafd..0000000
--- a/rcS.d/S11urandom
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/urandom
\ No newline at end of file
diff --git a/rcS.d/S12networking b/rcS.d/S12networking
deleted file mode 120000
index bd5b2c2..0000000
--- a/rcS.d/S12networking
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/networking
\ No newline at end of file
diff --git a/rcS.d/S13mountnfs.sh b/rcS.d/S13mountnfs.sh
deleted file mode 120000
index 94b5f1f..0000000
--- a/rcS.d/S13mountnfs.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/mountnfs.sh
\ No newline at end of file
diff --git a/rcS.d/S14mountnfs-bootclean.sh b/rcS.d/S14mountnfs-bootclean.sh
deleted file mode 120000
index 432307e..0000000
--- a/rcS.d/S14mountnfs-bootclean.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/mountnfs-bootclean.sh
\ No newline at end of file
diff --git a/rcS.d/S15kbd b/rcS.d/S15kbd
deleted file mode 120000
index 6bfd1b7..0000000
--- a/rcS.d/S15kbd
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/kbd
\ No newline at end of file
diff --git a/rcS.d/S16console-setup b/rcS.d/S16console-setup
deleted file mode 120000
index 28637af..0000000
--- a/rcS.d/S16console-setup
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/console-setup
\ No newline at end of file
diff --git a/rcS.d/S17bootmisc.sh b/rcS.d/S17bootmisc.sh
deleted file mode 120000
index 1ab1097..0000000
--- a/rcS.d/S17bootmisc.sh
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/bootmisc.sh
\ No newline at end of file
diff --git a/rcS.d/S17ferm b/rcS.d/S17ferm
deleted file mode 120000
index ca291ab..0000000
--- a/rcS.d/S17ferm
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/ferm
\ No newline at end of file
diff --git a/rcS.d/S17lm-sensors b/rcS.d/S17lm-sensors
deleted file mode 120000
index f0eb19a..0000000
--- a/rcS.d/S17lm-sensors
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/lm-sensors
\ No newline at end of file
diff --git a/rcS.d/S17screen-cleanup b/rcS.d/S17screen-cleanup
deleted file mode 120000
index 205268c..0000000
--- a/rcS.d/S17screen-cleanup
+++ /dev/null
@@ -1 +0,0 @@
-../init.d/screen-cleanup
\ No newline at end of file
diff --git a/resolvconf/interface-order b/resolvconf/interface-order
deleted file mode 100644
index 91f7684..0000000
--- a/resolvconf/interface-order
+++ /dev/null
@@ -1,23 +0,0 @@
-# interface-order(5)
-lo.inet6
-lo.inet
-lo.@(dnsmasq|pdnsd)
-lo.!(pdns|pdns-recursor)
-lo
-tun*
-tap*
-hso*
-em+([0-9])?(_+([0-9]))*
-p+([0-9])p+([0-9])?(_+([0-9]))*
-eth*([^.]).inet6
-eth*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
-eth*([^.]).inet
-eth*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
-eth*
-@(ath|wifi|wlan)*([^.]).inet6
-@(ath|wifi|wlan)*([^.]).ip6.@(dhclient|dhcpcd|pump|udhcpc)
-@(ath|wifi|wlan)*([^.]).inet
-@(ath|wifi|wlan)*([^.]).@(dhclient|dhcpcd|pump|udhcpc)
-@(ath|wifi|wlan)*
-ppp*
-*
diff --git a/resolvconf/resolv.conf.d/base b/resolvconf/resolv.conf.d/base
deleted file mode 100644
index bbc8559..0000000
--- a/resolvconf/resolv.conf.d/base
+++ /dev/null
@@ -1 +0,0 @@
-nameserver 127.0.0.1
diff --git a/resolvconf/resolv.conf.d/head b/resolvconf/resolv.conf.d/head
deleted file mode 100644
index 74505dd..0000000
--- a/resolvconf/resolv.conf.d/head
+++ /dev/null
@@ -1,2 +0,0 @@
-# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
-# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
diff --git a/resolvconf/resolv.conf.d/tail b/resolvconf/resolv.conf.d/tail
deleted file mode 100644
index 6f6d913..0000000
--- a/resolvconf/resolv.conf.d/tail
+++ /dev/null
@@ -1 +0,0 @@
-domain hashbang.sh
diff --git a/resolvconf/run b/resolvconf/run
deleted file mode 120000
index 7aa64da..0000000
--- a/resolvconf/run
+++ /dev/null
@@ -1 +0,0 @@
-/run/resolvconf
\ No newline at end of file
diff --git a/resolvconf/update.d/libc b/resolvconf/update.d/libc
deleted file mode 100755
index 08d923b..0000000
--- a/resolvconf/update.d/libc
+++ /dev/null
@@ -1,161 +0,0 @@
-#!/bin/sh
-#
-# Script to update resolv.conf, the libc resolver configuration file,
-# and to notify users of the libc resolver of changes
-#
-# Assumption: On entry, PWD contains the resolv.conf-type files.
-#
-# This script is part of the resolvconf package.
-#
-# Set REPORT_ABSENT_SYMLINK=no to inhibit warning message that
-# /etc/resolv.conf is not a symbolic link
-#
-# Set TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS=no
-# to allow additional nameserver addresses to be listed in
-# resolv.conf after an initial loopback address 127.* or ::1.
-#
-
-set -e
-PATH=/sbin:/bin
-
-[ -x /lib/resolvconf/list-records ] || exit 1
-
-# Default override
-[ -r /etc/default/resolvconf ] && . /etc/default/resolvconf
-
-ETC=/etc
-ETCRESOLVCONF="${ETC}/resolvconf"
-RESOLVCONFDIR="${ETCRESOLVCONF}/resolv.conf.d"
-BASEFILE="${RESOLVCONFDIR}/base"
-HEADFILE="${RESOLVCONFDIR}/head"
-TAILFILE="${RESOLVCONFDIR}/tail"
-DYNAMICRSLVCNFFILE="${ETCRESOLVCONF}/run/resolv.conf"
-TMPFILE="${DYNAMICRSLVCNFFILE}_new.$$"
-
-# Set unset variables to their defaults
-if [ -z "$REPORT_ABSENT_SYMLINK" ] ; then
- # '..._ALTERED_...' is the old deprecated name for this variable
- if [ "$REPORT_ALTERED_SYMLINK" ] ; then
- REPORT_ABSENT_SYMLINK="$REPORT_ALTERED_SYMLINK"
- else
- # Set to default value
- REPORT_ABSENT_SYMLINK=y
- fi
-fi
-
-if [ -z "$TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS" ] ; then
- # '..._127' is the old deprecated name for this variable
- if [ "$TRUNCATE_NAMESERVER_LIST_AFTER_127" ] ; then
- TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS="$TRUNCATE_NAMESERVER_LIST_AFTER_127"
- else
- # Set to default value
- TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS=y
- fi
-fi
-
-
-report_warning() { echo "$0: Warning: $*" >&2 ; }
-
-resolv_conf_is_symlinked_to_dynamic_file() {
- [ -L ${ETC}/resolv.conf ] && [ "$(readlink ${ETC}/resolv.conf)" = "$DYNAMICRSLVCNFFILE" ]
-}
-
-if ! resolv_conf_is_symlinked_to_dynamic_file ; then
- case "$REPORT_ABSENT_SYMLINK" in
- y|Y|yes|YES|Yes)
- report_warning "${ETC}/resolv.conf is not a symbolic link to $DYNAMICRSLVCNFFILE"
- ;;
- esac
-fi
-
-# Args are candidate items not containing spaces
-# Returns RSLT -- space-separated list of items without duplicates
-#
-# Stores arguments (minus duplicates) in RSLT, separated by spaces
-uniquify()
-{
- RSLT=""
- local D
- while [ "$1" ] ; do
- # Remove the root domain suffix
- D="${1%.}"
- for E in $RSLT ; do
- [ "$D" = "$E" ] && { shift ; continue 2 ; }
- done
- RSLT="${RSLT:+$RSLT }$D"
- shift
- done
-}
-
-# Args are candidate items not containing spaces
-# Returns NSMSRVS -- space-separate list of no more than 3 items,
-# without duplicates,
-# truncated after loopback address if TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS set affirmatively
-uniquify_nameserver_list()
-{
- NMSRVRS=""
- N=0
- while [ "$1" ] ; do
- for E in $NMSRVRS ; do
- [ "$1" = "$E" ] && { shift ; continue 2 ; }
- done
- NMSRVRS="${NMSRVRS:+$NMSRVRS }$1"
- case "$TRUNCATE_NAMESERVER_LIST_AFTER_LOOPBACK_ADDRESS" in (y|Y|yes|YES|Yes) case "$1" in (127.*|::1) return 0 ;; esac ;; esac
- N=$(($N + 1))
- [ "$N" = 3 ] && return 0
- shift
- done
-}
-
-RSLVCNFFILES="$(/lib/resolvconf/list-records)"
-
-[ -f "$BASEFILE" ] && RSLVCNFFILES="$RSLVCNFFILES
-$BASEFILE"
-
-### Compile list of nameservers ###
-NMSRVRS=""
-if [ "$RSLVCNFFILES" ] ; then
- uniquify_nameserver_list $(sed -n 's/^[[:space:]]*nameserver[[:space:]]\+//p' $RSLVCNFFILES)
-fi
-
-### Compile search list ###
-SRCHS=""
-if [ "$RSLVCNFFILES" ] ; then
- uniquify $(sed -n 's/^[[:space:]]*\(\(search\)\|\(domain\)\)[[:space:]]\+//p' $RSLVCNFFILES)
- SRCHS="$RSLT"
-fi
-
-clean_up() { rm -f "$TMPFILE" ; }
-trap clean_up EXIT
-clean_up
-
-### Make the file ###
-: > "$TMPFILE"
-[ -f "$HEADFILE" ] && cat "$HEADFILE" >> "$TMPFILE"
-for N in $NMSRVRS ; do echo "nameserver $N" >> "$TMPFILE" ; done
-[ "$SRCHS" ] && echo "search $SRCHS" >> "$TMPFILE"
-[ "$RSLVCNFFILES" ] && sed -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*\(\(nameserver\)\|\(search\)\|\(domain\)\)[[:space:]]/d' $RSLVCNFFILES >> "$TMPFILE" 2>/dev/null
-[ -f "$TAILFILE" ] && cat "$TAILFILE" >> "$TMPFILE"
-
-### Put the file in place ###
-
-if [ -f "$DYNAMICRSLVCNFFILE" ] && [ "$(cat $TMPFILE)" = "$(cat $DYNAMICRSLVCNFFILE)" ] ; then
- # The file has not changed
- rm -f "$TMPFILE"
- exit 0
-fi
-
-# The file has changed
-mv -f "$TMPFILE" "$DYNAMICRSLVCNFFILE"
-
-# Only notify users of /etc/resolv.conf if /etc/resolv.conf is actually
-# symlinked to the file we have just updated.
-resolv_conf_is_symlinked_to_dynamic_file || exit 0
-
-# Notify users of the resolver
-if [ -d "${ETCRESOLVCONF}/update-libc.d" ] ; then
- exec run-parts "${ETCRESOLVCONF}/update-libc.d"
-fi
-
-exit 0
-
diff --git a/resolvconf/update.d/unbound b/resolvconf/update.d/unbound
old mode 100644
new mode 100755
index ac9d838..fe0b0c9
--- a/resolvconf/update.d/unbound
+++ b/resolvconf/update.d/unbound
@@ -14,18 +14,34 @@ if [ ! -x /lib/resolvconf/list-records ]; then
exit 1
fi
-RESOLVCONF_FILES="$(/lib/resolvconf/list-records)"
+RESOLVCONF_FORWARDERS=false
-if [ -n "$RESOLVCONF_FILES" ]; then
- NS_IPS="$(sed -rne 's/^[[:space:]]*nameserver[[:space:]]+//p' $RESOLVCONF_FILES \
- | egrep -v '^(127\.|::1)' | sort -u)"
-else
- NS_IPS=""
+if [ -f /etc/default/unbound ]; then
+ . /etc/default/unbound
+ case "x$RESOLVCONF_FORWARDERS" in
+ xtrue|x1|xyes)
+ RESOLVCONF_FORWARDERS=true
+ ;;
+ *)
+ RESOLVCONF_FORWARDERS=false
+ ;;
+ esac
fi
-if [ -n "$NS_IPS" ]; then
- FWD="$(echo $NS_IPS | tr '\n' ' ')"
- unbound-control forward $FWD 1>/dev/null 2>&1 || true
-else
- unbound-control forward off 1>/dev/null 2>&1 || true
+if $RESOLVCONF_FORWARDERS; then
+ RESOLVCONF_FILES="$(/lib/resolvconf/list-records)"
+
+ if [ -n "$RESOLVCONF_FILES" ]; then
+ NS_IPS="$(sed -rne 's/^[[:space:]]*nameserver[[:space:]]+//p' $RESOLVCONF_FILES \
+ | egrep -v '^(127\.|::1)' | sort -u)"
+ else
+ NS_IPS=""
+ fi
+
+ if [ -n "$NS_IPS" ]; then
+ FWD="$(echo $NS_IPS | tr '\n' ' ')"
+ unbound-control forward $FWD 1>/dev/null 2>&1 || true
+ else
+ unbound-control forward off 1>/dev/null 2>&1 || true
+ fi
fi
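Review bot: The forwarder list handed to `unbound-control forward $FWD` is built from resolvconf records, which are typically filled in by DHCP or VPN clients. It is passed on without any check that each entry is an IP address, and `1>/dev/null 2>&1 || true` hides every failure. I would at least record failures, e.g. `unbound-control forward $FWD >/dev/null 2>&1 || logger -t unbound-resolvconf "forward update failed"`, so a rejected or unexpected upstream list shows up in the logs. It also deserves a comment that when `RESOLVCONF_FORWARDERS` is not true the script leaves whatever forwarders the running daemon already has, which may or may not be intended after the setting is switched off. The `-x /lib/resolvconf/list-records` guard starts above the hunk.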
diff --git a/rsyslog.conf b/rsyslog.conf
index 17ffe62..0e33f48 100644
--- a/rsyslog.conf
+++ b/rsyslog.conf
@@ -58,40 +58,40 @@ $IncludeConfig /etc/rsyslog.d/*.conf
#
# First some standard log files. Log by facility.
#
-#auth,authpriv.* /var/log/auth.log
-#*.*;auth,authpriv.none -/var/log/syslog
+auth,authpriv.* /var/log/auth.log
+*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
-#daemon.* -/var/log/daemon.log
-#kern.* -/var/log/kern.log
-#lpr.* -/var/log/lpr.log
-#mail.* -/var/log/mail.log
-#user.* -/var/log/user.log
+daemon.* -/var/log/daemon.log
+kern.* -/var/log/kern.log
+lpr.* -/var/log/lpr.log
+mail.* -/var/log/mail.log
+user.* -/var/log/user.log
#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
-#mail.info -/var/log/mail.info
-#mail.warn -/var/log/mail.warn
-#mail.err /var/log/mail.err
+mail.info -/var/log/mail.info
+mail.warn -/var/log/mail.warn
+mail.err /var/log/mail.err
#
# Logging for INN news system.
#
-#news.crit /var/log/news/news.crit
-#news.err /var/log/news/news.err
-#news.notice -/var/log/news/news.notice
+news.crit /var/log/news/news.crit
+news.err /var/log/news/news.err
+news.notice -/var/log/news/news.notice
#
# Some "catch-all" log files.
#
-#*.=debug;\
-# auth,authpriv.none;\
-# news.none;mail.none -/var/log/debug
-#*.=info;*.=notice;*.=warn;\
-# auth,authpriv.none;\
-# cron,daemon.none;\
-# mail,news.none -/var/log/messages
+*.=debug;\
+ auth,authpriv.none;\
+ news.none;mail.none -/var/log/debug
+*.=info;*.=notice;*.=warn;\
+ auth,authpriv.none;\
+ cron,daemon.none;\
+ mail,news.none -/var/log/messages
#
# Emergencies are sent to everybody logged in.
diff --git a/security/limits.conf b/security/limits.conf
index 8fe6da9..7ced053 100644
--- a/security/limits.conf
+++ b/security/limits.conf
@@ -42,7 +42,15 @@
#
#<domain> <type> <item> <value>
#
-1000:65535 soft nproc 150
-1000:65535 hard nproc 200
-1000:65535 soft nofile 4096
-1000:65535 hard nofile 10240
+
+#* soft core 0
+#root hard core 100000
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#ftp - chroot /ftp
+#@student - maxlogins 4
+
+# End of file
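Review bot: After this hunk the file has no active entry, so accounts in the former `1000:65535` range get no `nproc` or `nofile` ceiling from this file; the added lines are all commented examples. On a host that gives shells to many users, protection against process and descriptor exhaustion then depends on whatever else is configured, and the same commit also deletes `security/limits.sh`, which set the per-user `CPUQuota` and `MemoryLimit`. If the stock file is wanted, I would keep at least the hard caps, `1000:65535 hard nproc 200` and `1000:65535 hard nofile 10240`, or move them into a file under `security/limits.d/` so a package reset does not drop them.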
diff --git a/security/limits.sh b/security/limits.sh
deleted file mode 100755
index 560b3ee..0000000
--- a/security/limits.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh -e
-
-PAM_UID=$(getent passwd "${PAM_USER}" | cut -d: -f3)
-
-if [ "${PAM_UID}" -ge 1000 ]; then
- /bin/systemctl set-property "user-${PAM_UID}.slice" \
- CPUQuota=50% MemoryLimit=512M BlockIOWeight=10
-fi
diff --git a/security/namespace.conf b/security/namespace.conf
index d47e358..b611a0f 100644
--- a/security/namespace.conf
+++ b/security/namespace.conf
@@ -2,9 +2,12 @@
#
# See /usr/share/doc/pam-*/txts/README.pam_namespace for more information.
#
-# /tmp, /var/tmp and /run/lock are polyinstantiated on a per-user basis,
-# resulting in each user having a different, private directory mounted
-# at those locations.
+# Uncommenting the following three lines will polyinstantiate
+# /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
+# be polyinstantiated based on the MLS level part of the security context as well as user
+# name, Polyinstantion will not be performed for user root and adm for directories
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
+# The user name and context is appended to the instance prefix.
#
# Note that instance directories do not have to reside inside the
# polyinstantiated directory. In the examples below, instances of /tmp
@@ -20,7 +23,6 @@
# caution, as it will reduce security and isolation achieved by
# polyinstantiation.
#
-#/dev /dev/inst/ user root
-/tmp /tmp/inst/ user root
-/var/tmp /var/tmp/inst/ user root
-/run/lock /run/lock/inst/ user root
+#/tmp /tmp-inst/ level root,adm
+#/var/tmp /var/tmp/tmp-inst/ level root,adm
+#$HOME $HOME/$USER.inst/ level
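Review bot: With all three entries commented out, nothing is polyinstantiated any more, so `/tmp`, `/var/tmp` and `/run/lock` go back to being shared between all users. The sample lines also use the `level` method, which relies on an SELinux MLS context; the removed lines used `user`, which does not. If shared temp directories are not intended, keep `/tmp /tmp/inst/ user root` and `/var/tmp /var/tmp/inst/ user root` active. This commit also deletes `tmpfiles.d/namespaces`, which created the `inst` parent directories with mode 0000, so that file would need to stay too.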
diff --git a/security/namespace.init b/security/namespace.init
index 433a938..9ab5806 100755
--- a/security/namespace.init
+++ b/security/namespace.init
@@ -1,44 +1,25 @@
-#!/bin/sh -e
+#!/bin/sh -p
# It receives polydir path as $1, the instance path as $2,
# a flag whether the instance dir was newly created (0 - no, 1 - yes) in $3,
# and user name in $4.
-
-if [ "$1" = "/dev" ]; then
- # If we are creating /dev
- if [ "$3" = 1 ]; then
- # Major and minor number for devices come from
- # https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/devices.txt
- mknod -m 666 /dev/null char 1 3
- mknod -m 666 /dev/zero char 1 5
- mknod -m 666 /dev/full char 1 7
- mknod -m 666 /dev/random char 1 8
- mknod -m 666 /dev/urandom char 1 9
- mknod -m 666 /dev/fuse char 10 229
-
- mknod -m 666 /dev/tty char 5 0
- chown root:tty /dev/tty
-
- # Create devpts mountpoint
- mkdir -m 755 /dev/pts
-
- # Create the shm directory
- mkdir -m 1777 /dev/shm
-
- # Mandatory symlinks
- ln -s /proc/self/fd /dev/fd
- ln -s fd/0 /dev/stdin
- ln -s fd/1 /dev/stdout
- ln -s fd/2 /dev/stderr
- ln -s null /dev/X0R
-
- # Recommended symlinks
- ln -s /run/systemd/journal/dev-log /dev/log
- fi
-
- mount -o gid=5,mode=620,ptmxmode=0666 \
- -t devpts devpts /dev/pts
-
- ln -sf pts/ptmx /dev/ptmx
+#
+# The following section will copy the contents of /etc/skel if this is a
+# newly created home directory.
+if [ "$3" = 1 ]; then
+ # This line will fix the labeling on all newly created directories
+ [ -x /sbin/restorecon ] && /sbin/restorecon "$1"
+ user="$4"
+ passwd=$(getent passwd "$user")
+ homedir=$(echo "$passwd" | cut -f6 -d":")
+ if [ "$1" = "$homedir" ]; then
+ gid=$(echo "$passwd" | cut -f4 -d":")
+ cp -rT /etc/skel "$homedir"
+ chown -R "$user":"$gid" "$homedir"
+ mask=$(awk '/^UMASK/{gsub("#.*$", "", $2); print $2; exit}' /etc/login.defs)
+ mode=$(printf "%o" $((0777 & ~$mask)))
+ chmod ${mode:-700} "$homedir"
+ [ -x /sbin/restorecon ] && /sbin/restorecon -R "$homedir"
+ fi
fi
exit 0
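Review bot: The mode given to a new home directory is derived from `UMASK` in `/etc/login.defs` (`mode=$(printf "%o" $((0777 & ~$mask)))`), so with a value of 022 homes come out as 0755 and are listable by every other account. On a shared host I would pin it with `chmod 700 "$homedir"`, or add a comment saying why the derived mode is wanted. Separately, the shebang drops `-e`, and with the unconditional `exit 0` a failed `cp -rT` or `chown -R` is now reported to the caller as success; `cp -rT /etc/skel "$homedir" || exit 1` keeps a half-initialised home from going unnoticed.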
diff --git a/shells b/shells
index 561e78f..69355d3 100644
--- a/shells
+++ b/shells
@@ -3,11 +3,11 @@
/bin/dash
/bin/bash
/bin/rbash
-/usr/bin/tmux
-/usr/bin/screen
/bin/zsh
/usr/bin/zsh
+/usr/bin/tmux
+/usr/bin/screen
/bin/ksh93
-/usr/bin/fish
/bin/mksh
/bin/mksh-static
+/usr/bin/fish
diff --git a/skel/.mkshrc b/skel/.mkshrc
index 3d0fd60..9d818e0 100644
--- a/skel/.mkshrc
+++ b/skel/.mkshrc
@@ -1,14 +1,13 @@
-# Debian mksh
# Skeleton ~/.mkshrc file adding a level of indirection
# check if this is really mksh # {((
-case ${KSH_VERSION:-} in
+case $KSH_VERSION in
*MIRBSD\ KSH*) ;;
*) return 0 ;;
esac # }
# source the system-wide mkshrc file
-[[ -s /etc/mkshrc ]] && \. /etc/mkshrc
+[[ -s /etc/mkshrc ]] && . /etc/mkshrc
# prepend $debian_chroot support to PS1
p=$'\001'
@@ -21,29 +20,24 @@ fi
[[ -z ${debian_chroot:-} && -r /etc/debian_chroot ]] && \
debian_chroot=$(</etc/debian_chroot)
PS1=$p$'\r${debian_chroot:+'$p$'\e[0;1m'$p'($debian_chroot)'$p$'\e[0m'$p'}'$PS1
-\unset p
+unset p
-\: put your local alias/function definitions, patches, etc. here
+# force sane environment
+#export LC_ALL=C.UTF-8
+#set -U
-# fixup ncurses-term badness
-#[[ $TERM = screen.* ]] && TERM=screen
+: put your local alias/function definitions, patches, etc. here
-# force sane environment (e.g. for scripting), Debian-specific libc patch
-#\export LC_ALL=C.UTF-8
-# - or - switch to a slightly user-friendly and more portable locale
-#\unset LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_IDENTIFICATION LC_MONETARY \
+#unset LANGUAGE LC_ADDRESS LC_ALL LC_COLLATE LC_IDENTIFICATION LC_MONETARY \
# LC_NAME LC_NUMERIC LC_TELEPHONE LC_TIME
#p=en_GB.UTF-8
-#\export LANG=C LC_CTYPE=$p LC_MEASUREMENT=$p LC_MESSAGES=$p LC_PAPER=$p
-
-# in either case: sync mksh UTF-8 mode to current locale (expected on GNU)
-set -U; [[ ${LC_ALL:-${LC_CTYPE:-${LANG:-}}} = *[Uu][Tt][Ff]?(-)8* ]] || set +U
-
-# set a sensible editor
-#p=$(\builtin whence -p jupp) || p=
-#[[ -n $p ]] || p=$(\builtin whence -p jstar) || p=
+#set -U
+#export LANG=C LC_CTYPE=$p LC_MEASUREMENT=$p LC_MESSAGES=$p LC_PAPER=$p
+#
+#p=$(whence -p jupp)
+#[[ -n $p ]] || p=$(whence -p jstar)
#[[ -n $p ]] && export EDITOR=$p VISUAL=$p
#
-#\unset p
+#unset p
-\: make sure this is the last line, to ensure a good return code
+: make sure this is the last line, to ensure a good return code
diff --git a/skel/Mail/new/msg.welcome b/skel/Mail/new/msg.welcome
deleted file mode 100644
index 0925b2c..0000000
--- a/skel/Mail/new/msg.welcome
+++ /dev/null
@@ -1,26 +0,0 @@
-From: noreply@hashbang.sh
-X-Original-To: {username}@hashbang.sh
-Delivered-To: {username}@hashbang.sh
-MIME-Version: 1.0
-From: The Local Bot <noreply@hashbang.sh>
-Date: {date}
-Subject: Press Enter to open this!
-To: {username} <{username}@hashbang.sh>
-Content-Type: text/plain
-
-Hey! Welcome to #!
-
-Hashbang (The name of the #! symbol) is a community-run online "hackerspace" based off of the core principle of "Teach. Learn. Make things do." We are a community dedicated to helping, teaching, and providing people with resources for educational and productive services. With this in mind, Hashbang (while being called an online hackerspace) does not support nor does it encourage the engagement of illegal or otherwise disruptive activities that may have a negative impact on the resources of other users.
-
-The name of hashbang is based off of the symbol '#!', found at the start of a shell script. This symbol instructs the operating system what program is required to "do" something with the code. Hashbang runs the same way. We try to instruct our users on the tools and skills required to -do- whatever they want for themselves. Likewise if you want something done, -do- it yourself. Don't know how? Ask. We're here to help new people get used to a Linux/Unix environment and to start them off with making software, learning how the terminal and services work... or perhaps helping talk through a challenging work problem someone faces at a major tech company. We welcome all skill levels and backgrounds.
-
-Software is almost never complete, and there might always be something off. Being a community-run service, hashbang encourages users to find bugs within the software and attempt to fix them. Most of our repositories are stored online on GitHub (https://github.com/hashbang) and are easily accessible. If you have any questions about any of our offerings, or just want to chat, you can switch to the first window (ctrl-B then 1) and talk to a number of other users in real time.
-
-Thank you for taking the time to read this welcome message, and welcome to #!
-
-To find out more try 'man hashbang' on one of the terminal tabs [ <Ctrl-b> c ]
-
-Currently, the ~/Public folder isn't exposed over HTTP by default;
-however, users can use the `SimpleHTTPServer.service` systemd unit file (in `~/.config/systemd/user`, modify it to set port) or a `@reboot` crontab entry to run `python3 -m http.server <port>` to provide a webserver exposing it.
-
-This message will self-destruct in 10 seconds.
diff --git a/skel/Public/index.html b/skel/Public/index.html
deleted file mode 100644
index 3e101e0..0000000
--- a/skel/Public/index.html
+++ /dev/null
@@ -1 +0,0 @@
-Welcome to your #! personal site of things. Edit me!
diff --git a/ssh/ssh_config b/ssh/ssh_config
index 1ece023..3810e13 100644
--- a/ssh/ssh_config
+++ b/ssh/ssh_config
@@ -52,5 +52,3 @@ Host *
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
-
-UseRoaming no
diff --git a/ssh/sshd_config b/ssh/sshd_config
index b645b3e..bb723de 100644
--- a/ssh/sshd_config
+++ b/ssh/sshd_config
@@ -9,10 +9,11 @@ Port 22
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
-UsePrivilegeSeparation sandbox
+UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
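Review bot: The added `HostKey /etc/ssh/ssh_host_dsa_key` line brings back a DSA host key, which is limited to 1024 bits and which current OpenSSH releases no longer accept by default. Unless an old client needs it, I would leave the line out and remove the key file. In the same hunk `UsePrivilegeSeparation yes` replaces `sandbox`, which gives up the additional restrictions on the pre-authentication child; keeping `UsePrivilegeSeparation sandbox` should cost nothing on a kernel that supports it.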
@@ -29,10 +30,7 @@ StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
-
-AuthorizedKeysFile none
-AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
-AuthorizedKeysCommandUser nobody
+#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
@@ -51,7 +49,7 @@ PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
-PasswordAuthentication no
+#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
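Review bot: Replacing `PasswordAuthentication no` with the commented `#PasswordAuthentication yes` leaves the option at sshd's built-in default, which accepts passwords, so every account that has a password becomes exposed to online guessing on the listening port. If key-only login is still the policy, the line should stay as an explicit `PasswordAuthentication no`. The earlier hunk that swaps `AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys` for the commented `#AuthorizedKeysFile %h/.ssh/authorized_keys` falls back to defaults in the same way. Keys are then read from files in each user's home rather than from the directory service, and revoking a key centrally presumably no longer has any effect.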
@@ -83,18 +81,8 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes".
+# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
-
-# When using -R with `ssh` client, allow binding to other interfaces when
-# specified. Default is loopback only.
-GatewayPorts clientspecified
-
-
-# Honor authorized_keys and ignore LDAP for root.
-Match User root
- AuthorizedKeysFile .ssh/authorized_keys
- AuthorizedKeysCommand /bin/true
diff --git a/sssd/sssd.conf b/sssd/sssd.conf
deleted file mode 100644
index 06dfdc2..0000000
--- a/sssd/sssd.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-[sssd]
-domains = HASHBANG
-services = nss, pam, ssh
-config_file_version = 2
-
-[nss]
-
-
-[domain/HASHBANG]
-enumerate = TRUE
-id_provider = ldap
-access_provider = ldap
-ldap_uri = ldaps://ldap.hashbang.sh
-ldap_search_base = dc=hashbang,dc=sh
-ldap_tls_reqcert = demand
-ldap_user_search_base = ou=People,dc=hashbang,dc=sh
-ldap_user_ssh_public_key = sshPublicKey
-ldap_pwd_policy = none
-ldap_access_order = host
-ldap_user_authorized_host = host
-cache_credentials = true
-
-[pam]
-id_provider = proxy
diff --git a/sudoers b/sudoers
index d7d9514..d4cc632 100644
--- a/sudoers
+++ b/sudoers
@@ -9,8 +9,6 @@
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-Defaults !requiretty, !tty_tickets
-Defaults use_pty
# Host alias specification
diff --git a/sudoers.d/hashbangctl b/sudoers.d/hashbangctl
deleted file mode 100644
index 4f8918c..0000000
--- a/sudoers.d/hashbangctl
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow all users to call hashbangctl(1) without
-# password.
-ALL ALL = NOEXEC: NOPASSWD: /usr/local/bin/hashbangctl
diff --git a/sysctl.conf b/sysctl.conf
index 3921cc5..d9acd92 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -16,8 +16,8 @@
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
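Review bot: Commenting out both `rp_filter` lines means this file no longer turns on source address verification, so spoofed-source filtering depends on the kernel default or on a sysctl.d fragment that the diff does not show. I would keep `net.ipv4.conf.default.rp_filter=1` and `net.ipv4.conf.all.rp_filter=1` active. The second hunk in this file likewise drops `kernel.perf_event_paranoid = 2`, and `sysctl.d/10-dmsg.conf` with `kernel.dmesg_restrict = 1` is deleted. Together these may give unprivileged users more visibility into kernel state, so they are worth carrying over into a local file under `sysctl.d/`.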
@@ -58,12 +58,3 @@ net.ipv4.conf.all.rp_filter=1
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
-net.ipv4.conf.eth0.arp_notify = 1
-vm.swappiness = 60
-
-# Use CoDel (controlled delay) to avoid bufferbloat
-net.core.default_qdisc = fq_codel
-
-# Forbid unprivileged (~ CAP_SYS_ADMIN) processes to
-# instrument the kernel with perf_event_open(2)
-kernel.perf_event_paranoid = 2
diff --git a/sysctl.d/10-dmsg.conf b/sysctl.d/10-dmsg.conf
deleted file mode 100644
index fd707af..0000000
--- a/sysctl.d/10-dmsg.conf
+++ /dev/null
@@ -1 +0,0 @@
-kernel.dmesg_restrict = 1
diff --git a/systemd/journald.conf b/systemd/journald.conf
index f5381ac..cded4a9 100644
--- a/systemd/journald.conf
+++ b/systemd/journald.conf
@@ -8,6 +8,28 @@
# See journald.conf(5) for details
[Journal]
-MaxLevelStore=notice
-MaxRetentionSec=1month
-SystemMaxUse=1G
+#Storage=auto
+#Compress=yes
+#Seal=yes
+#SplitMode=uid
+#SyncIntervalSec=5m
+#RateLimitInterval=30s
+#RateLimitBurst=1000
+#SystemMaxUse=
+#SystemKeepFree=
+#SystemMaxFileSize=
+#RuntimeMaxUse=
+#RuntimeKeepFree=
+#RuntimeMaxFileSize=
+#MaxRetentionSec=
+#MaxFileSec=1month
+#ForwardToSyslog=yes
+#ForwardToKMsg=no
+#ForwardToConsole=no
+#ForwardToWall=yes
+#TTYPath=/dev/console
+#MaxLevelStore=debug
+#MaxLevelSyslog=debug
+#MaxLevelKMsg=notice
+#MaxLevelConsole=info
+#MaxLevelWall=emerg
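Review bot: Every setting on the new side is commented, so journald runs on its compiled-in defaults: the stored level goes from `MaxLevelStore=notice` to the `debug` default shown in the comment, and the explicit `MaxRetentionSec=1month` and `SystemMaxUse=1G` caps are gone. Keeping more detail can help investigations, but the size and retention limits should then be stated rather than inherited, e.g. by leaving `SystemMaxUse=1G` and `MaxRetentionSec=1month` uncommented. Otherwise debug-level volume decides how long older security-relevant entries survive.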
diff --git a/systemd/system.conf b/systemd/system.conf
index 956a8d4..65a35a0 100644
--- a/systemd/system.conf
+++ b/systemd/system.conf
@@ -32,9 +32,9 @@
#DefaultStartLimitInterval=10s
#DefaultStartLimitBurst=5
#DefaultEnvironment=
-DefaultCPUAccounting=yes
-DefaultBlockIOAccounting=yes
-DefaultMemoryAccounting=yes
+#DefaultCPUAccounting=no
+#DefaultBlockIOAccounting=no
+#DefaultMemoryAccounting=no
#DefaultLimitCPU=
#DefaultLimitFSIZE=
#DefaultLimitDATA=
diff --git a/systemd/system/crontab.target b/systemd/system/crontab.target
deleted file mode 100644
index fb03aab..0000000
--- a/systemd/system/crontab.target
+++ /dev/null
@@ -1,7 +0,0 @@
-[Install]
-WantedBy=multi-user.target
-
-[Unit]
-Description=Simulates cron, limited to /etc/cron.*
-Requires=crontab@hour.timer crontab@day.timer
-Requires=crontab@week.timer crontab@month.timer
diff --git a/systemd/system/crontab@.service b/systemd/system/crontab@.service
deleted file mode 100644
index 0b42f9a..0000000
--- a/systemd/system/crontab@.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=%Ily job for /etc/cron.%Ily
-RefuseManualStart=yes
-RefuseManualStop=yes
-ConditionDirectoryNotEmpty=/etc/cron.%Ily
-
-[Service]
-Type=oneshot
-IgnoreSIGPIPE=no
-WorkingDirectory=/
-ExecStart=/bin/run-parts --report /etc/cron.%Ily
diff --git a/systemd/system/crontab@.timer b/systemd/system/crontab@.timer
deleted file mode 100644
index e248792..0000000
--- a/systemd/system/crontab@.timer
+++ /dev/null
@@ -1,9 +0,0 @@
-[Unit]
-Description=%Ily timer simulating /etc/cron.%Ily
-PartOf=crontab.target
-RefuseManualStart=yes
-RefuseManualStop=yes
-
-[Timer]
-OnCalendar=%I
-Persistent=yes
diff --git a/systemd/system/crontab@day.service b/systemd/system/crontab@day.service
deleted file mode 100644
index d2fa350..0000000
--- a/systemd/system/crontab@day.service
+++ /dev/null
@@ -1,11 +0,0 @@
-[Unit]
-Description=Daily job for /etc/cron.daily
-RefuseManualStart=yes
-RefuseManualStop=yes
-ConditionDirectoryNotEmpty=/etc/cron.daily
-
-[Service]
-Type=oneshot
-IgnoreSIGPIPE=no
-WorkingDirectory=/
-ExecStart=/bin/run-parts --report /etc/cron.daily
diff --git a/systemd/system/getty.target.wants/getty@tty1.service b/systemd/system/getty.target.wants/getty@tty1.service
index facee85..c466b29 120000
--- a/systemd/system/getty.target.wants/getty@tty1.service
+++ b/systemd/system/getty.target.wants/getty@tty1.service
@@ -1 +1 @@
-/lib/systemd/system/getty@.service
\ No newline at end of file
+../getty@.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/crontab.target b/systemd/system/multi-user.target.wants/crontab.target
deleted file mode 120000
index b986a0a..0000000
--- a/systemd/system/multi-user.target.wants/crontab.target
+++ /dev/null
@@ -1 +0,0 @@
-../crontab.target
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/tor.service b/systemd/system/multi-user.target.wants/tor.service
deleted file mode 120000
index 3e34aaf..0000000
--- a/systemd/system/multi-user.target.wants/tor.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/tor.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/unbound.service b/systemd/system/multi-user.target.wants/unbound.service
deleted file mode 120000
index 16ca21d..0000000
--- a/systemd/system/multi-user.target.wants/unbound.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/unbound.service
\ No newline at end of file
diff --git a/systemd/system/sysinit.target.wants/resolvconf.service b/systemd/system/sysinit.target.wants/resolvconf.service
deleted file mode 120000
index cab7128..0000000
--- a/systemd/system/sysinit.target.wants/resolvconf.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/resolvconf.service
\ No newline at end of file
diff --git a/systemd/system/unbound.service.wants/unbound-resolvconf.service b/systemd/system/unbound.service.wants/unbound-resolvconf.service
deleted file mode 120000
index 0ef27d3..0000000
--- a/systemd/system/unbound.service.wants/unbound-resolvconf.service
+++ /dev/null
@@ -1 +0,0 @@
-/lib/systemd/system/unbound-resolvconf.service
\ No newline at end of file
diff --git a/timezone b/timezone
index 7f39493..46ed5d3 100644
--- a/timezone
+++ b/timezone
@@ -1 +1 @@
-Etc/UTC
+America/New_York
diff --git a/tmpfiles.d/namespaces b/tmpfiles.d/namespaces
deleted file mode 100644
index ad3b4dd..0000000
--- a/tmpfiles.d/namespaces
+++ /dev/null
@@ -1,5 +0,0 @@
-#Type Path Mode UID GID Age Argument
-d /dev/inst 0000 root root - -
-d /tmp/inst 0000 root root - -
-d /var/tmp/inst 0000 root root - -
-d /run/lock/inst 0000 root root - -
diff --git a/tor/torrc b/tor/torrc
index 64c0b1f..a05f52c 100644
--- a/tor/torrc
+++ b/tor/torrc
@@ -1,5 +1,5 @@
## Configuration file for a typical Tor user
-## Last updated 22 December 2017 for Tor 0.3.2.8-rc.
+## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
## (may or may not work for much older or much newer versions of Tor.)
##
## Lines that begin with "## " try to explain what's going on. Lines
@@ -12,20 +12,19 @@
## Tor will look for this file in various places based on your platform:
## https://www.torproject.org/docs/faq#torrc
-## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
-## configure one below. Set "SOCKSPort 0" if you plan to run Tor only
+## Tor opens a socks proxy on port 9050 by default -- even if you don't
+## configure one below. Set "SocksPort 0" if you plan to run Tor only
## as a relay, and not make any local application connections yourself.
-#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
-#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
+#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
+#SocksPort 192.168.0.1:9100 # Bind to this address:port too.
## Entry policies to allow/deny SOCKS requests based on IP address.
-## First entry that matches wins. If no SOCKSPolicy is set, we accept
-## all (and only) requests that reach a SOCKSPort. Untrusted users who
-## can access your SOCKSPort may be able to learn about the connections
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests that reach a SocksPort. Untrusted users who
+## can access your SocksPort may be able to learn about the connections
## you make.
-#SOCKSPolicy accept 192.168.0.0/16
-#SOCKSPolicy accept6 FC00::/7
-#SOCKSPolicy reject *
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
## Logs go to stdout at level "notice" unless redirected by something
## else, like one of the below lines. You can have as many Log lines as
@@ -95,35 +94,26 @@
## If you have multiple network interfaces, you can specify one for
## outgoing traffic to use.
-## OutboundBindAddressExit will be used for all exit traffic, while
-## OutboundBindAddressOR will be used for all OR and Dir connections
-## (DNS connections ignore OutboundBindAddress).
-## If you do not wish to differentiate, use OutboundBindAddress to
-## specify the same address for both in a single line.
-#OutboundBindAddressExit 10.0.0.4
-#OutboundBindAddressOR 10.0.0.5
+# OutboundBindAddress 10.0.0.5
## A handle for your relay, so people don't have to refer to it by key.
-## Nicknames must be between 1 and 19 characters inclusive, and must
-## contain only the characters [a-zA-Z0-9].
#Nickname ididnteditheconfig
## Define these to limit how much relayed traffic you will allow. Your
## own traffic is still unthrottled. Note that RelayBandwidthRate must
-## be at least 75 kilobytes per second.
-## Note that units for these config options are bytes (per second), not
-## bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
-## 2^20, etc.
-#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
-#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
+## be at least 20 KB.
+## Note that units for these config options are bytes per second, not bits
+## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
+#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
## Use these to restrict the maximum traffic per day, week, or month.
## Note that this threshold applies separately to sent and received bytes,
-## not to their sum: setting "40 GB" may allow up to 80 GB total before
+## not to their sum: setting "4 GB" may allow up to 8 GB total before
## hibernating.
##
-## Set a maximum of 40 gigabytes each way per period.
-#AccountingMax 40 GBytes
+## Set a maximum of 4 gigabytes each way per period.
+#AccountingMax 4 GB
## Each period starts daily at midnight (AccountingMax is per day)
#AccountingStart day 00:00
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
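Review bot: The trailing comment on the new `#RelayBandwidthBurst 200 KB` line describes the burst as a rate ("200KB/s (1600Kbps)"), whereas the line it replaces gave it as an amount ("200KB (1600Kb)"). The burst is a bucket size rather than a per-second figure, so `# But allow bursts up to 200KB (1600Kb)` reads more accurately. The new `# OutboundBindAddress 10.0.0.5` line also uses `# ` where the other disabled options in this hunk use a bare `#`, which makes it look like prose rather than a setting to uncomment; `#OutboundBindAddress 10.0.0.5` would match.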
@@ -161,28 +151,14 @@
## using more than one of your relays in a single circuit. See
## https://www.torproject.org/docs/faq#MultipleRelays
## However, you should never include a bridge's fingerprint here, as it would
-## break its concealability and potentially reveal its IP/TCP address.
+## break its concealability and potentionally reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...
-## Uncomment this if you do *not* want your relay to allow any exit traffic.
-## (Relays allow exit traffic by default.)
-#ExitRelay 0
-
-## Uncomment this if you want your relay to allow IPv6 exit traffic.
-## (Relays only allow IPv4 exit traffic by default.)
-#IPv6Exit 1
-
## A comma-separated list of exit policies. They're considered first
-## to last, and the first match wins.
-##
-## If you want to allow the same ports on IPv4 and IPv6, write your rules
-## using accept/reject *. If you want to allow different ports on IPv4 and
-## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules
-## using accept/reject *4.
-##
-## If you want to _replace_ the default exit policy, end this with either a
-## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to)
-## the default exit policy. Leave commented to just use the default, which is
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
## described in the man page or at
## https://www.torproject.org/documentation.html
##
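Review bot: The new comment line above `#MyFamily` misspells "potentially" as "potentionally"; it should read `## break its concealability and potentially reveal its IP/TCP address.`. The same hunk drops the commented `#ExitRelay 0` and `#IPv6Exit 1` entries along with the note that relays allow exit traffic by default, so an operator enabling relay options from this file no longer sees that default spelled out. If the installed Tor accepts `ExitRelay`, keeping that short explanation next to the exit-policy text would be worthwhile. Every changed line in this hunk is a comment, so the hunk on its own does not alter the running configuration.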
@@ -194,15 +170,11 @@
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
-## networks, including to the configured primary public IPv4 and IPv6 addresses,
-## and any public IPv4 and IPv6 addresses on any interface on the relay.
-## See the man page entry for ExitPolicyRejectPrivate if you want to allow
-## "exit enclaving".
+## networks, including to your public IP address. See the man page entry
+## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
##
-#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
-#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
-#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
-#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
@@ -218,12 +190,3 @@
## address manually to your friends, uncomment this line:
#PublishServerDescriptor 0
-## Configuration options can be imported from files or folders using the %include
-## option with the value being a path. If the path is a file, the options from the
-## file will be parsed as if they were written where the %include option is. If
-## the path is a folder, all files on that folder will be parsed following lexical
-## order. Files starting with a dot are ignored. Files on subfolders are ignored.
-## The %include option can be used recursively.
-#%include /etc/torrc.d/
-#%include /etc/torrc.custom
-
diff --git a/tor/torsocks.conf b/tor/torsocks.conf
index 016f0dd..c1596c0 100644
--- a/tor/torsocks.conf
+++ b/tor/torsocks.conf
@@ -27,4 +27,4 @@ OnionAddrRange 127.42.42.0/24
# Set Torsocks to accept inbound connections. If set to 1, listen() and
# accept() will be allowed to be used with non localhost address. (Default: 0)
-AllowInbound 1
+#AllowInbound 1
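Review bot: The now-disabled `#AllowInbound 1` line carries no rationale, and per the comment above it the setting falls back to the default of 0, so wrapped programs can no longer use listen()/accept() on non-localhost addresses. That is the tighter setting, but the change does not show whether anything on this host depended on inbound sockets under torsocks, which is worth confirming before it is applied. A short comment such as `# Left at the default (0): inbound listen()/accept() only on localhost.` above the line would record the intent for the next person editing this file.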
diff --git a/unbound/unbound.conf.d/debian.conf b/unbound/unbound.conf.d/debian.conf
deleted file mode 100644
index ab4c93e..0000000
--- a/unbound/unbound.conf.d/debian.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-server:
- # Use DNS root hints from the dns-root-data Debian package
- root-hints: "/usr/share/dns/root.hints"
diff --git a/unbound/unbound.conf.d/harden.conf b/unbound/unbound.conf.d/harden.conf
deleted file mode 100644
index a52fead..0000000
--- a/unbound/unbound.conf.d/harden.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-server:
- # Do not expose information about the running deamon
- hide-identity: yes
- hide-version: yes
-
- # Harden against ridiculously-short buffer sizes (potential DoS vector)
- # This is against spec, but we aren't a public resolver.
- harden-short-bufsize: yes
-
- # Harden against abnormaly large queries (same reasoning)
- harden-large-queries: yes
-
- # Return NXDOMAIN for queries under a terminal known (and DNSSEC-validated)
- # to be NXDOMAIN. Improves caching and avoids certain attacks
- harden-below-nxdomain: yes
-
- # Use 0x20-encoded random nonces for authenticating queries.
- # Implementation of draft-dns-0x20, makes DNS poisoning harder
- use-caps-for-id: yes
-
- # Minimises queries sent upstream
- # Avoids information disclosure to root/TLD DNS servers & improves caching
- qname-minimisation: yes
diff --git a/unbound/unbound.conf.d/prefetch.conf b/unbound/unbound.conf.d/prefetch.conf
deleted file mode 100644
index 88725e4..0000000
--- a/unbound/unbound.conf.d/prefetch.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-server:
- # Prefetch popular domains before the cache expires
- prefetch: yes
- prefetch-key: yes
\ No newline at end of file
diff --git a/unbound/unbound.conf.d/qname-minimisation.conf b/unbound/unbound.conf.d/qname-minimisation.conf
deleted file mode 100644
index 94a2ab0..0000000
--- a/unbound/unbound.conf.d/qname-minimisation.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-server:
- # Send minimum amount of information to upstream servers to enhance
- # privacy. Only sends minimum required labels of the QNAME and sets
- # QTYPE to NS when possible.
-
- # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
- # details.
-
- qname-minimisation: yes
diff --git a/xml/catalog b/xml/catalog
index 8159df9..6522b71 100644
--- a/xml/catalog
+++ b/xml/catalog
@@ -2,10 +2,10 @@
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD XML Catalogs V1.0//EN"
"file:///usr/share/xml/schema/xml-core/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
-<delegateSystem systemIdStartString="http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd" catalog="file:///etc/xml/xml-core.xml"/>
-<delegatePublic publicIdStartString="+//IDN docutils.sourceforge.net/" catalog="file:///etc/xml/docutils-common.xml"/>
-<delegatePublic publicIdStartString="-//GlobalTransCorp//DTD XML Catalogs V1.0-Based Extension V1.0//EN" catalog="file:///etc/xml/xml-core.xml"/>
<delegateSystem systemIdStartString="http://globaltranscorp.org/oasis/catalog/xml/tr9401.dtd" catalog="file:///etc/xml/xml-core.xml"/>
+<delegatePublic publicIdStartString="-//GlobalTransCorp//DTD XML Catalogs V1.0-Based Extension V1.0//EN" catalog="file:///etc/xml/xml-core.xml"/>
<delegateSystem systemIdStartString="http://docutils.sourceforge.net/" catalog="file:///etc/xml/docutils-common.xml"/>
+<delegatePublic publicIdStartString="+//IDN docutils.sourceforge.net/" catalog="file:///etc/xml/docutils-common.xml"/>
<delegatePublic publicIdStartString="-//OASIS//DTD XML Catalogs V1.0//EN" catalog="file:///etc/xml/xml-core.xml"/>
+<delegateSystem systemIdStartString="http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd" catalog="file:///etc/xml/xml-core.xml"/>
</catalog>
diff --git a/xml/xml-core.xml b/xml/xml-core.xml
index 3e0c4df..772b9a1 100644
--- a/xml/xml-core.xml
+++ b/xml/xml-core.xml
@@ -2,8 +2,8 @@
<!DOCTYPE catalog PUBLIC "-//OASIS//DTD XML Catalogs V1.0//EN"
"file:///usr/share/xml/schema/xml-core/catalog.dtd">
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
+<delegatePublic publicIdStartString="-//GlobalTransCorp//DTD XML Catalogs V1.0-Based Extension V1.0//EN" catalog="file:///usr/share/xml/schema/xml-core/catalog.xml"/>
+<delegateSystem systemIdStartString="http://globaltranscorp.org/oasis/catalog/xml/tr9401.dtd" catalog="file:///usr/share/xml/schema/xml-core/catalog.xml"/>
<delegatePublic publicIdStartString="-//OASIS//DTD XML Catalogs V1.0//EN" catalog="file:///usr/share/xml/schema/xml-core/catalog.xml"/>
<delegateSystem systemIdStartString="http://www.oasis-open.org/committees/entity/release/1.0/catalog.dtd" catalog="file:///usr/share/xml/schema/xml-core/catalog.xml"/>
-<delegateSystem systemIdStartString="http://globaltranscorp.org/oasis/catalog/xml/tr9401.dtd" catalog="file:///usr/share/xml/schema/xml-core/catalog.xml"/>
-<delegatePublic publicIdStartString="-//GlobalTransCorp//DTD XML Catalogs V1.0-Based Extension V1.0//EN" catalog="file:///usr/share/xml/schema/xml-core/catalog.xml"/>
</catalog>
diff --git a/zsh/zprofile b/zsh/zprofile
index 4fd82ad..09db6f5 100644
--- a/zsh/zprofile
+++ b/zsh/zprofile
@@ -5,5 +5,3 @@
# shells invoked with the -l flag.)
#
# Global Order: zshenv, zprofile, zshrc, zlogin
-umask 077
-emulate sh -c 'source /etc/profile'