docs/otp.md

@@ -50,6 +50,19 @@ You can then run
 
 to generate a token to log in.
 
+## Rsync.net
+
+Run
+
+    pass otp insert -i rsync.net -a archlinux Rsync.net/archlinux-master-token -s
+
+When asked for a secret, provide the `2FA token seed` from `group_vars/all/vault_rsync.net.yml`.
+You can then run
+
+    pass otp code Rsync.net/archlinux-master-token
+
+to generate a token to log in.
+
 ### Adding your own account
 
 Hetzner supports multiple 2FA devices at once which allows you to add your own 2FA app of choice

roles/firewalld/templates/firewalld.conf.j2

@@ -5,12 +5,6 @@
 # Default: public
 DefaultZone=public
 
-# Minimal mark
-# Marks up to this minimum are free for use for example in the direct 
-# interface. If more free marks are needed, increase the minimum
-# Default: 100
-MinimalMark=100
-
 # Clean up on exit
 # If set to no or false the firewall configuration will not get cleaned up
 # on exit or stop of firewalld
@@ -26,7 +20,7 @@ Lockdown=no
 
 # IPv6_rpfilter
 # Performs a reverse path filter test on a packet for IPv6. If a reply to the
-# packet would be sent via the same interface that the packet arrived on, the 
+# packet would be sent via the same interface that the packet arrived on, the
 # packet will match and be accepted, otherwise dropped.
 # The rp_filter for IPv4 is controlled using sysctl.
 # Default: yes
@@ -46,19 +40,36 @@ IndividualCalls=no
 # Default: off
 LogDenied=off
 
-# AutomaticHelpers
-# For the secure use of iptables and connection tracking helpers it is
-# recommended to turn AutomaticHelpers off. But this might have side effects on
-# other services using the netfilter helpers as the sysctl setting in
-# /proc/sys/net/netfilter/nf_conntrack_helper will be changed.
-# With the system setting, the default value set in the kernel or with sysctl
-# will be used. Possible values are: yes, no and system.
-# Default: system
-AutomaticHelpers=system
-
 # FirewallBackend
 # Selects the firewall backend implementation.
 # Choices are:
 #	- nftables (default)
 #	- iptables (iptables, ip6tables, ebtables and ipset)
 FirewallBackend=nftables
+
+# FlushAllOnReload
+# Flush all runtime rules on a reload. In previous releases some runtime
+# configuration was retained during a reload, namely; interface to zone
+# assignment, and direct rules. This was confusing to users. To get the old
+# behavior set this to "no".
+# Default: yes
+FlushAllOnReload=yes
+
+# RFC3964_IPv4
+# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
+# correspond to IPv4 addresses that should not be routed over the public
+# internet.
+# Defaults to "yes".
+RFC3964_IPv4=yes
+
+# AllowZoneDrifting
+# Older versions of firewalld had undocumented behavior known as "zone
+# drifting". This allowed packets to ingress multiple zones - this is a
+# violation of zone based firewalls. However, some users rely on this behavior
+# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
+# desire such behavior. It's disabled by default for security reasons.
+# Note: If "yes" packets will only drift from source based zones to interface
+# based zones (including the default zone). Packets never drift from interface
+# based zones to other interfaces based zones (including the default zone).
+# Possible values; "yes", "no". Defaults to "no".
+AllowZoneDrifting=no