Configuration Guide

Glocker reads configuration from /etc/glocker/config.yaml (sample in conf/conf.yaml).

Core Settings

# Development mode - bypasses delays for testing
dev: false

# Log level: debug, info, warn, error
log_level: "info"

# Enable/disable each enforcement mechanism
enable_hosts: true
enable_firewall: false
enable_forbidden_programs: true
enable_self_healing: false

# Enforcement loop interval (seconds)
enforce_interval_seconds: 60

# Paths (leave empty for defaults)
hosts_path: "/etc/hosts"

Blocked Domains

Domains are permanently blocked by default unless marked as unblockable:

domains:
  # Always blocked (permanent - default)
  - {name: "reddit.com"}

  # Always blocked, but can be temporarily unblocked
  - {name: "youtube.com", unblockable: true}

  # Time-based blocking - only blocked during specified windows
  - name: "twitter.com"
    time_windows:
      - start: "09:00"
        end: "17:00"
        days: ["Mon", "Tue", "Wed", "Thu", "Fri"]
      - start: "11:00"
        end: "15:00"
        days: ["Sat", "Sun"]

Domain Blocking Behavior

Default behavior: Domains are permanently blocked (cannot be temporarily unblocked).

  • No time windows → Always blocked (permanent by default)
  • Time windows specified → Only blocked during those time windows
  • unblockable: true → Domain can be temporarily unblocked (use for sites you occasionally need)
  • Time format: 24-hour HH:MM, supports midnight-crossing (e.g., 22:00 to 05:00)

Note: The always_block and absolute fields are deprecated. Domains are permanent by default; use unblockable: true for sites that can be temporarily unblocked.

Updating Domain Blocklists

The update_domains.py script automates updating domain lists from curated blocklists. It supports multiple sources with automatic timestamp checking for idempotent updates.

Available Sources

  1. Bon Appetit Porn Domains - Comprehensive adult content blocklist (~800K domains)
  2. StevenBlack Unified Hosts - Ads and malware domains
  3. HaGeZi DoH/VPN/TOR/Proxy Bypass - Blocks encrypted DNS, VPN, TOR, proxy bypass methods
  4. UnblockStop Proxy Bypass - Blocks proxy and filter-bypass sites (CroxyProxy, etc.)

Usage

# List all available sources and their status
./update_domains.py

# Update from a specific source
./update_domains.py 1

# Update from all sources
./update_domains.py all

# Remove all managed domain lists (keeps manual domains)
./update_domains.py strip

Features

  • Idempotent updates - Only updates if source timestamp has changed
  • Automatic deduplication - Removes duplicate domains and www. prefixes
  • Source markers - Each source is marked in the config file for easy identification
  • Preserves manual domains - Only modifies managed source sections

After updating domains, reload the configuration:

glocker -reload
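The deduplication and `www.` stripping listed under Features, as an added sketch that is not the project's `update_domains.py`. It assumes feeds are either hosts-format (`0.0.0.0 name`) or one domain per line, and it refuses lines that are not plain hostnames instead of passing third-party text into the config; `normalize_feed` and the sample feed are hypothetical names and constructed data.

```python
import re

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")
_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
_SKIP_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "local", "0.0.0.0"}

# Constructed sample feed, not taken from any real blocklist.
SAMPLE_FEED = """\
# Title: constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 WWW.Ads.Example.com   # same domain after normalization
tracker.example.net
www.tracker.example.net
0.0.0.0 bad.example.org extra tokens
0.0.0.0 quote"d.example.org
0.0.0.0 -broken-.example.org
"""


def normalize_feed(text):
    """Return (domains, rejected): unique normalized domains in first-seen
    order, and the raw lines that were refused."""
    domains, seen, rejected = [], set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if fields[0] in _SINK_IPS:            # hosts format: "<ip> <name>"
            fields = fields[1:]
        if len(fields) != 1:                  # extra tokens: refuse, don't guess
            rejected.append(raw)
            continue
        name = fields[0].lower().rstrip(".")
        if name in _SKIP_NAMES:               # hosts-file housekeeping entries
            continue
        if name.startswith("www."):
            name = name[4:]
        if len(name) > 253 or not _HOSTNAME.fullmatch(name):
            rejected.append(raw)
            continue
        if name not in seen:
            seen.add(name)
            domains.append(name)
    return domains, rejected
```
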

Temporary Unblocking

unblocking:
  reasons: ["work", "research", "emergency", "education"]
  log_file: "/var/log/glocker-unblocks.log"
  temp_unblock_time: 20  # Minutes

Reason Validation:

  • The reasons list defines valid reasons for temporary unblocking
  • When unblocking, you must provide one of these reasons
  • Reason validation is case-insensitive (e.g., "Work" matches "work")
  • If the reasons list is empty, any reason will be accepted
  • Invalid reasons will be rejected with an error

Usage: glocker -unblock "youtube.com:work research"

Web Tracking

web_tracking:
  enabled: true
  command: "mpg123 /path/to/alert.mp3"

Content Monitoring

content_monitoring:
  enabled: true
  log_file: "/var/log/glocker-reports.log"

extension_keywords:
  url_keywords: ["gambling", "casino"]
  content_keywords: ["bet", "jackpot"]
  whitelist:
    - "stackoverflow.com"
    - "github.com"

Forbidden Programs

forbidden_programs:
  enabled: true
  check_interval_seconds: 5
  programs:
    - name: "chromium"
      time_windows:
        - start: "20:00"
          end: "05:00"
          days: ["Mon", "Tue", "Wed", "Thu", "Fri"]
    - name: "steam"  # Always killed (no time windows)

Sudoers Control

sudoers:
  enabled: true
  user: "noufal"
  allowed_sudoers_line: "noufal ALL=(ALL) NOPASSWD:ALL"
  blocked_sudoers_line: "noufal ALL=(ALL) NOPASSWD: /usr/bin/apt"
  time_allowed:
    - start: "10:00"
      end: "16:00"
      days: ["Mon", "Tue", "Wed", "Thu", "Fri"]

Violation Tracking

violation_tracking:
  enabled: true
  max_violations: 5
  time_window_minutes: 60
  command: "glocklock"
  lock_duration: "5m"  # For glocklock
  mindful_text: "I will focus on my work."  # For glocklock -mindful
  background: "/path/to/image.png"  # For glocklock

Tamper Detection

enable_self_healing: true
tamper_detection:
  enabled: true
  check_interval_seconds: 30
  alarm_command: "notify-send -u critical 'Glocker' 'Tampering detected!'"

Accountability

accountability:
  enabled: true
  partner_email: "friend@example.com"
  from_email: "me@example.com"
  api_key: "your-mailgun-api-key"

Sends notifications to the accountability partner when:

  • Blocked sites are accessed
  • Domains are temporarily unblocked
  • Violations exceed threshold
  • Panic mode is activated/deactivated
  • Glocker is uninstalled

Panic Mode

panic_command: "sudo pm-suspend"

Time Window Logic

Time windows use HH:MM format and day-of-week arrays:

time_windows:
  - start: "09:00"
    end: "17:00"
    days: ["Mon", "Tue", "Wed", "Thu", "Fri"]

Applied to:

  • Domain blocking
  • Sudoers restrictions
  • Forbidden programs

Time windows support midnight-crossing (e.g., start: "22:00", end: "05:00").
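How a window check with midnight-crossing can be evaluated, as an added example that is not Glocker's own code. It assumes the end time is exclusive and that `days` names the day a window starts, so a Friday 20:00 to 05:00 window still applies at 02:00 on Saturday; the function names are hypothetical and the entries are copied from this guide.

```python
from datetime import datetime

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order

# Entries copied from the examples in this guide.
REDDIT = {"name": "reddit.com"}
TWITTER = {"name": "twitter.com", "time_windows": [
    {"start": "09:00", "end": "17:00", "days": ["Mon", "Tue", "Wed", "Thu", "Fri"]},
    {"start": "11:00", "end": "15:00", "days": ["Sat", "Sun"]},
]}
CHROMIUM = {"name": "chromium", "time_windows": [
    {"start": "20:00", "end": "05:00", "days": ["Mon", "Tue", "Wed", "Thu", "Fri"]},
]}


def parse_hhmm(value):
    """Parse strict 24-hour HH:MM; reject '9:00', '24:00', '0900'."""
    if len(value) != 5 or value[2] != ":":
        raise ValueError(f"bad time {value!r}, expected HH:MM")
    return datetime.strptime(value, "%H:%M").time()


def window_active(window, now):
    """True if `now` (a naive local datetime) falls inside one window."""
    start, end = parse_hhmm(window["start"]), parse_hhmm(window["end"])
    days = window["days"]
    unknown = set(days) - set(DAY_NAMES)
    if unknown:
        raise ValueError(f"unknown day names: {sorted(unknown)}")
    today = DAY_NAMES[now.weekday()]
    yesterday = DAY_NAMES[(now.weekday() - 1) % 7]
    t = now.time()
    if start <= end:
        # Same-day window. Assumption: end is exclusive, so start == end is empty.
        return today in days and start <= t < end
    # Midnight-crossing window. Assumption: `days` names the day the window
    # starts, so the part after midnight belongs to the previous day's entry.
    return (today in days and t >= start) or (yesterday in days and t < end)


def is_enforced(entry, now):
    """No time_windows -> always enforced; otherwise only inside a window."""
    windows = entry.get("time_windows")
    if not windows:
        return True
    return any(window_active(w, now) for w in windows)
```

Under these assumptions the chromium entry is enforced at 02:00 on Saturday (carried over from Friday) but not at 02:00 on Monday, because Sunday is not in its `days` list.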

Configuration Reload

After modifying the configuration file, reload without restarting:

glocker -reload

Check logs with:

journalctl -u glocker.service -f