These tech notes are rough and often only personally relevant. For
notes actually meant for publication, see FSF Tech Notes
https://savannah.gnu.org/maintenance/fsf/ . Some things here will end
up there after someone edits them for the benefit of readers besides me.
7 * obs/i3 keybind reminders
18 s+space: float a window & make it sticky to keep streaming it while I use another workspace
20 obof/obon # turn on/off automatic obs scene switching
If you are viewing a tall window and want to show it to the audience,
go to the preview (click if the red lines aren't there), press
ctrl-f. Then reset with ctrl-r. If the source has a custom transform,
the procedure is different: first do ctrl-shift-c to copy the transform,
then ctrl-f, then ctrl-shift-v to restore the transform.
31 ** i3 keybinds to remember
33 shift+g i3 auto-layout-toggle
36 shift+6 [class="Emacs" title="^(?!#[a-zA-Z][a-zA-Z-]*$)"] move workspace current
37 shift+w fullscreen toggle
38 space toggle window float (useful for obs, keeping window visible)
41 equal $ex "dunstctl close-all"
44 # change focus between tiling / floating windows
45 shift+65 focus mode_toggle
47 * TODO : Galene LibreJS
49 ** TODO add logcheck as a todo item in the prometheus project
54 No cli interface, but should be easily scriptable.
59 strange thing: they don't allow strangers to file bugs. need to
60 investigate how the distributed bug tracking works in practice.
62 missing javascript license, but doesn't look hard to fix.
64 *** probably not good programs
67 barely maintained https://github.com/MichaelMure/git-bug
68 Not librejs marked. ReactJS webpack crap.
78 Their own use as bug tracker is not well maintained (it has spam
79 bugs). https://rt.bestpractical.com/
82 can of worms. no easy interface.
86 javascript heavy, issues as git commits opens up a lot of questions &
87 problems that are unanswered by their documentation. It explicitly says
88 it doesn't support rewriting history, no, I think we ought to have
93 *** dead distributed projects
95 git-issue 2022 https://github.com/dspinellis/git-issue
96 sciit 2021 https://gitlab.com/sciit/sciit
97 bug 2019 https://github.com/driusan/bug
98 git-dit 2020 https://github.com/neithernut/git-dit
99 issue 2020 (unclear/unreliable distribution method) https://github.com/marekjm/issue
bugseverywhere 2017 https://gitlab.com/bugseverywhere/bugseverywhere
101 deft 2011 https://github.com/npryce/deft
104 * TODO add integrity check for backups
105 * TODO revisit missing backups script
106 * TODO test irc instant message notification in emacs bar
110 wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq &&\
113 cat /a/f/ans/roles/prom/files/simple/etc/prometheus/rules/fsf.yml | yq '.groups[].rules[] | select(.alert).alert'
114 cat /a/f/ans/roles/prom/files/simple/etc/prometheus/rules/fsf.yml | yq '.groups[].rules[] | select(.alert).expr |@uri'
115 cat /a/f/ans/roles/prom/files/simple/etc/prometheus/rules/fsf.yml | yq '.groups[].rules[] | select(.alert).alert = "RedirectMatch \"^/f/" + .alert + "$\"" + " \"/graph?g0.expr=" + (.expr |@uri) | .alert + "&g0.tab=1\""' >/tmp/fsf-redirs.conf
119 * TODO check if wildebeest firewall rule for outbound ssh can go into ansible
121 * TODO check/fix enhanced tracking protection civicrm payment failure
125 p install tigervnc-scraping-server
128 generated the pass by running vncpasswd
130 /usr/bin/X0tigervnc -display :0 -localhost=0 -AcceptSetDesktopSize=0 -rfbport 5900 -PasswordFile /home/iank/.vnc/passwd -SecurityTypes VncAuth,TLSVnc
132 xtigervncviewer -SecurityTypes VncAuth,TLSVnc -passwd /home/iank/.vnc/passwd bow:0
134 there's a wrapper script x0tigervncserver which puts it in the background, which I'd like to use, but I need the AcceptSetDesktopSize to avoid remote screen resolution being resized. looks like I can do that with an option:
137 /usr/share/perl5/TigerVNC/Config.pm
140 just need to test out the perl syntax, and set it in
145 * TODO make sure we are watching SMART stats on community0p
152 http://127.0.0.1/nagios4/
155 /etc/nagios4/nagios.cfg
158 https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/config.html
159 nrpe is used to run processes on a monitored machine and get back data.
161 FSF uses check-mk for that now, but check-mk stopped working that way in
162 newer versions, now it wants to replace nagios entirely. We don't want that.
166 * TODO setup public inbox
168 * TODO patch gnu upload manual
170 to say about the fencepost debug file,
171 and to say about signing old key with new key,
172 and to not send mime signatures
173 and something else i wrote about before in an email.
176 * TODO ansiblize the gnu.org watchdog
179 * TODO make a libreplanet page documenting our discourse freedom fixes
181 * TODO alert when exim leaves around old processes
182 there is a message in the journal on restart.
183 logcheck could help here?
185 * TODO write alert for prometheus not running,
187 * TODO get logcheck working
188 * TODO redirect info@h-node.org
189 to where, is this old?
192 * TODO improve rt workflow
194 https://rt.gnu.org/Ticket/Update.html?Action=Comment&DefaultStatus=resolved&id=1767459
195 javascript:self.location=self.location+'&Status=resolved;Action=Take;id=1431087'
196 javascript:self.location=self.location+'&DefaultStatus=resolved;Action=Comment'
197 https://rt.gnu.org/Ticket/Display.html?id=1767459
198 https://rt.gnu.org/Ticket/Update.html?Action=Comment&DefaultStatus=resolved&id=1767459
200 * TODO email a patch to civicrm to increase bounce count
201 to 2 on ones that are normally 1, because of problems like this:
202 https://www.bleepingcomputer.com/news/google/gmail-hit-by-a-second-outage-within-a-single-day/
203 * TODO remove autofs stuff from gnuhope
204 * TODO get german server up and running
205 * TODO fix rt cc's etc
207 Thanks for connecting the dots here.
209 When people are CC'd on RT queue messages they get the original
210 message without ever seeing the RT queue id number. And then later
211 when the subject line is changed or whatever that comes back with an
212 RT queue number. But when I searched my mailbox for parts of that
213 subject line I couldn't find anything to connect it to. I knew that
214 it might or might not contain the RT number but couldn't find anything
215 by the pieces of it. This is a place where RT could be nicer.
217 Another problem is that if someone is CC'd on an RT message and RT
218 replies then it appears to me that it comes directly to me and I don't
219 see anyone else having been CC'd on the message. This is a routine
220 thing where Karl and I might both be on a CC. Then later I
221 subsequently feel I need to forward the message to Karl (or whomever)
222 so that they are not left out of the conversation. And sometimes they
223 have been copied on the reply and sometimes they have not been. This
224 is very confusing to me and another area where RT could be nicer.
226 In any case, thanks for updating me on the connection. Now I know
227 what was going on there. Thanks! :-)
231 * TODO make ./update-zone easier
232 it can easily detect changed files with git and update those,
233 prompting to ask if the zones are right. Also, the log cat it does
234 is broken and should be fixed.
235 * TODO make cronjob to clear old duplicates in email sql table
237 * TODO look into List-Unsubscribe header for fsf newsletters
it's an email address, i think we aren't processing it
239 My main objection was that the data requirement was extremely broad,
240 which they mostly addressed.
242 However, I have other big objections to this license.
1. Probably 99% of free software which is designed to be a service does
not implement data export functionality required by this license. Doing
so would often require hundreds of hours of programming.
248 2. You may submit data to a remote program, but the computing done is
251 “any data that is an input to or an output
252 from the Work, where the presence of the data is necessary for
253 substantially identical use of the Work in an equivalent context chosen
254 by the Recipient, and ... (some condition) or has been assigned to the
257 Imagine a dating website software. You input your profile, output is:
258 every profile with a score of how well they match to you, however, you
259 only get displayed the top X matches.
262 * TODO check vault backport sources/preferences into ansible
263 * TODO fix emacs outline mode
264 to deal with the fact that comments get indented then not recognized
266 * TODO alert for spammers on lists0p
267 * TODO fix ticket about duplicate changes happening when running ansible
268 https://rt.gnu.org/Ticket/Display.html?id=1409745
269 * TODO mail reliability
270 ** get alerts when mail system fails
273 * prometheus / ansible
277 This prints all vars, despite google saying otherwise.
281 ** TODO standardize on whether to use = or list item in yml
284 Node exporter can do tls & basic auth, but it is not worth it.
285 Better to just make an iptables rule to disallow all but the
286 prometheus server, and maybe some other ips used for testing.
288 *** for running scripts and exporting results, there are multiple ways
289 https://utcc.utoronto.ca/~cks/space/blog/sysadmin/PrometheusScriptExporterWhy
pushgateway: seems best to avoid this, prometheus doesn't recommend it
292 unless the service is not tied to the specific host, afaik, all ours
294 related: https://github.com/aecolley/client_bash
296 node exporters textfile collector: you run a cronjob and output to the
297 textfile. Use this for anything that you specifically want to collect
less than 2 mins apart, prometheus considers metrics 5+ minutes old to
300 https://github.com/prometheus/node_exporter
302 https://github.com/adhocteam/script_exporter
303 https://github.com/ricoberger/script_exporter
305 a few other ways are listed here:
306 https://nsrc.org/workshops/2021/sanog37/nmm/netmgmt/en/prometheus/ex-custom-metrics.htm
309 https://github.com/prometheus-community/node-exporter-textfile-collector-scripts
310 https://prometheus.io/docs/instrumenting/exporters/
312 only exim exporters found on google:
313 https://github.com/gvengel/exim_exporter
314 https://github.com/fstab/exim_prometheus_exporter
316 useful for converting nagios check plugins to prometheus:
317 https://www.howtoforge.com/tutorial/write-a-custom-nagios-check-plugin/
320 useful general info to keep in mind:
321 https://prometheus.io/docs/concepts/metric_types/
322 https://prometheus.io/docs/concepts/data_model/
323 https://prometheus.io/docs/concepts/jobs_instances/
324 especially the example section:
325 https://prometheus.io/docs/instrumenting/exposition_formats/#text-format-details
326 for a boolean metric, 0 for false, 1 for true.
327 https://www.robustperception.io/booleans-logic-and-math
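One way to combine the textfile collector, the Nagios plugin conversion and the 0/1 boolean convention noted above. This is an added example, not code from these notes or from the FSF configuration; the metric names, the function name and the default directory are assumptions.

```bash
#!/usr/bin/env bash
# Added example: run a Nagios-style check from cron and publish its result
# through node_exporter's textfile collector.
# Assumptions (not from the notes): the metric names and the default directory
# below, which has to match node_exporter's --collector.textfile.directory.
TEXTFILE_DIR=${TEXTFILE_DIR:-/var/lib/prometheus/node-exporter}

# nagios_to_prom NAME CMD [ARGS...]
# Writes $TEXTFILE_DIR/NAME.prom. Returns 0 once the file is in place, whatever
# the check said, and 2 if the name is unsafe or the file could not be written.
nagios_to_prom() {
  local name status ok tmp out
  name=$1
  shift
  # NAME ends up in a file name and a label value: allow [A-Za-z0-9_] only.
  case $name in
    '' | *[!A-Za-z0-9_]*) echo "nagios_to_prom: bad check name" >&2; return 2 ;;
  esac
  out=$TEXTFILE_DIR/$name.prom

  # Nagios plugin exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
  status=0
  "$@" >/dev/null 2>&1 || status=$?
  # 126/127 (not runnable) and 128+N (killed by a signal) count as UNKNOWN.
  if [ "$status" -gt 3 ]; then status=3; fi
  # Boolean metric: 1 for true, 0 for false.
  if [ "$status" -eq 0 ]; then ok=1; else ok=0; fi

  # The collector only reads *.prom, so the temp name is ignored until the
  # rename, and the rename is atomic: a scrape never sees a half-written file.
  tmp=$(mktemp "$out.XXXXXX") || return 2
  {
    echo '# HELP nagios_check_ok Whether the check exited 0 (OK).'
    echo '# TYPE nagios_check_ok gauge'
    echo "nagios_check_ok{check=\"$name\"} $ok"
    echo '# HELP nagios_check_status Plugin exit status: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.'
    echo '# TYPE nagios_check_status gauge'
    echo "nagios_check_status{check=\"$name\"} $status"
    echo '# HELP nagios_check_last_run_seconds Unix time of the last run, for staleness alerts.'
    echo '# TYPE nagios_check_last_run_seconds gauge'
    echo "nagios_check_last_run_seconds{check=\"$name\"} $(date +%s)"
  } >"$tmp" || { rm -f "$tmp"; return 2; }
  # mktemp creates the file 0600; node_exporter usually runs as another user.
  chmod 644 "$tmp" && mv -f "$tmp" "$out" || { rm -f "$tmp"; return 2; }
}

# Cron usage (placeholder paths):
#   */2 * * * * root . /path/to/this-file.sh; nagios_to_prom my_check /path/to/check_plugin
```

An alert on `nagios_check_ok == 0`, plus one on `time() - nagios_check_last_run_seconds` growing too large, covers both a failing check and a cron job that stopped running.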
330 * TODO when lp registration form is going up,
331 make sure there is an opt-out for getting emails
332 * TODO fix topic in #fsf, etc to say how to identify fsf staff
335 * TODO make bash history writes and reads immediately for fsf
337 * TODO fix whitespace in work code
338 Note, I have changes in my local wtf to deal with this:
339 https://github.com/dlenski/wtf/issues/17
342 remove trailing whitespace, add final newline if needed
Done by the following command: this lists all files except .git, and
ignored files, then ignores symlinks and files that grep finds to be
binary, then runs wtf.py on them, https://github.com/dlenski/wtf .
git ls-files --exclude-standard -cmo --no-empty-directory | \
while IFS= read -r f; do if [[ -L $f ]] || ! grep -Iq . "$f"; then continue; fi; wtf.py -i -E lf "$f"; done
351 Note, to avoid these in the first place, in emacs I have in my config
352 (ws-butler-global-mode), and (setq mode-require-final-newline t)
355 ** TODO I should also research how this is done in vim, and
356 maybe add a commit hook to at least warn people
359 * TODO locale in ansible
360 commit a7cbf81b9710030bb0a07e4fe0c5ce6279a0f46f
361 Author: Andrew Engelbrecht <andrew@fsf.org>
362 Date: Tue Jan 23 18:10:44 2018 -0500
364 added /etc/default/locale
366 this is needed to set a proper locale for things like postgres
370 $ cat files/common/etc/default/locale
371 # File generated by update-locale
376 I think LANG should be set as it is, but not LC_ALL.
379 https://wiki.debian.org/Locale
381 "End users should never set LC_ALL, at least not permanently"
383 "Using LC_ALL is strongly discouraged as it overrides everything. Please use it only when testing and never set it in a startup file. "
385 I've found LC_ALL to cause problems for me in the past when testing it
388 * TODO review sshd config in ansible
389 rwp reported it has bad settings, like allowing X forwarding
* TODO make ticket for alert on eggs spamassassin
394 https://libreboot.org/docs/hardware/kgpe-d16.html
395 2MiB flash chips are included by default, on these boards. It’s on a
396 P-DIP 8 slot (SPI chip). The flash chip can be upgraded to higher sizes:
397 4MiB, 8MiB or 16MiB. With at least 8MiB, you could feasibly fit a
398 compressed linux+initramfs image (BusyBox+Linux system) into CBFS and
399 boot that, loading it into memory.
402 https://www.flashrom.org/Technology#DIP8:_Dual_In-line_Package.2C_8_pins
406 https://www.digikey.com/products/en/integrated-circuits-ics/memory/774?k=&pkeyword=&sv=0&pv16=6547&sf=1&FV=ffe00306%2C2380414%2C23805db%2C23805dc%2C23805dd%2C23805de%2C23805df%2C23805e0%2C1fec000a%2C1fec000b%2C1fec000d%2C1fec000e%2C1fec0011%2C1fec0012%2C1fec0015%2C1fec0006%2C1fec0009&quantity=&ColumnSort=0&page=1&pageSize=25
408 https://www.digikey.com/products/en/integrated-circuits-ics/memory/774?k=&pkeyword=&sv=0&pv142=391&pv142=1639&pv142=1640&pv142=1641&pv142=1642&pv142=1643&pv142=1644&pv142=1645&pv142=1646&pv142=1647&pv142=1648&pv142=1651&pv142=1615&pv142=1616&pv142=1688&pv142=392&pv142=1708&pv142=1709&pv142=1710&pv142=1711&pv142=1712&pv142=1713&pv142=1714&pv142=1716&pv142=1718&pv142=1719&pv142=1484&pv142=1044&pv142=1499&pv142=1500&pv142=1501&pv142=1502&pv142=1503&pv142=1504&pv142=1505&pv142=1506&pv142=1507&pv142=1727&pv2043=6&pv2043=11&pv2043=9&pv2043=10&pv2043=21&pv2043=14&pv2043=13&pv2043=17&pv2043=18&pv16=12930&pv16=6547&sf=1&FV=ffe00306&quantity=&ColumnSort=0&page=1&pageSize=25
414 * TODO put approveGoodRevs into git from directory
415 * TODO complete alyssa's intern projects
416 * TODO update general-audit
417 with the +30 day thing for people who need recon,
418 and make sure to account for this member who intentionally has multiple
420 https://rt.gnu.org/Ticket/Display.html?id=1147159
422 (later: dunno what this is talking about)
423 * TODO put /usr/local/bin/mysql-postrotate.sh in ansible if it fixes
424 the postrotate problem. on my.fsf.org
426 * TODO ansible improvements
428 document the emails I sent to emba, asking for them to sign the machine
429 use policy, and handing off the vm.
431 document how to change volunteer keys
433 document how to change the list of files for volunteers
435 document how to change the list of files/folders that is exported for volunteers
438 /a/work/ansible-configs/roles/kvmhost-ceph/files/usr/local/bin/create-vm-ceph-luks.sh
439 should also be in ansible.
441 * TODO periodically search for emails that got no response and follow up
442 * nonfree fsf firmware
446 fiber optical converter
447 smart switch in data center
bios of a few machines we haven't upgraded yet
450 * TODO fix rss feed from header in r2e is FSF blogs: <author>
454 todo: fix archive command to add -verbose, send to a log in /home/mharc/log, rotate that log,
455 search that log for indexing errors.
457 todo: look into fixing the negative number error
460 */15 * * * * mharc /home/mharc/bin/web-archive >/dev/null 2>&1
462 */15 * * * * mharc /home/mharc/bin/web-archive -verbose &> /home/mharc/log/web-archive-test2.log
464 mharc is used to configure namazu.
466 Alias /archive/html /home/mharc/html
467 ScriptAlias /archive/cgi-bin/ /home/mharc/cgi-bin/
469 a typical query url looks like this:
470 https://lists.gnu.org/archive/cgi-bin/namazu.cgi?query=test&submit=Search%21&idxname=gforth&max=20&result=normal&sort=score
473 mknmz command compiles the index into NMZ.* files in the current
474 directory, or the -O directory
477 Warning: Non-zero exit status returned from "/usr/bin/mknmz --mhonarc -f /home/mharc/cgi-bin/mknmzrc -T /home/mharc/cgi-bin/template -O /home/mharc/html/qemu-devel -Y --quiet /home/mharc/html/qemu-devel/2017-11": 256
480 /usr/bin/mknmz --mhonarc -f /home/mharc/cgi-bin/mknmzrc -T /home/mharc/cgi-bin/template -O /home/mharc/html/qemu-devel -Y /home/mharc/html/qemu-devel
483 Cgnu-reindex-failure of commit-gnuradio
484 ^Cgnu-reindex-failure of commit-grub
485 ^Cgnu-reindex-failure of commit-hurd
489 Reminder from John: rms will undermine and confuse ppl on things we do with gnu.
491 * TODO look into more appropriately / rt bounces
492 * TODO read about gnu webmasters
493 https://www.gnu.org/server/standards/README.webmastering.html
494 https://www.gnu.org/server/standards/README.editors.html
495 https://www.gnu.org/server/fsf-html-style-sheet.html
497 * TODO get notification on new tickets in sysadmin
498 because sometimes i want them. sometimes i won't.
499 * TODO file debian bug for exim dmarc
500 the default signed headers breaks debian mailing lists,
501 so change the default to what google uses
502 * bootloader / coreboot notes
504 https://unix.stackexchange.com/questions/190865/is-it-possible-to-add-some-pxe-network-boot-option-to-grub
505 (07:02:41 PM) sudoman: http://ipxe.org/embed
507 https://www.coreboot.org/IPXE
508 seems to have a bunch of outdated build options, I skipped those.
509 Also, using cbfstool from that page appears to build the same image
510 as selecting equivalent options in the ncurses menu and just building
513 for building coreboot, followed instructions plus
514 left default 2mb flash size based on googling and finding https://libreboot.org/docs/hardware/kgpe-d16.html
516 output of coreboot build is
519 to install new rom, using flashrom from latest libreboot-util release,
520 sudo ./flashrom -p internal -w ./coreboot.rom
522 coreboot wiki says you can call buildgcc directly, but that doesn't build
523 everything you need, so it's a bunch of horseshit.
526 print info about a rom:
527 ./build/cbfstool ./build/coreboot.rom print
529 flashing from office beaglebone
530 ./flashrom -p linux_spi:dev=/dev/spidev1.0,spispeed=2048K -w ROMFILE
532 ** seabios boot order
useful command to have around:
535 screen /dev/ttyUSB1 115200
537 # https://www.seabios.org/Runtime_config
540 cd coreboot/utils/cbmem
542 sudo ./cbmem -c |tee c
544 # https://www.coreboot.org/SeaBIOS
548 https://libreboot.org/docs/#version
551 find appropriate rom, get size via
552 apt-get install flashrom
553 flashrom -p internal -V
555 if error, reboot, add kernel arg iomem=relaxed
557 download and extract from http://mirrors.mit.edu/libreboot/stable/20160907/rom/grub/
558 eg. depending on rom size,
559 wget http://mirrors.mit.edu/libreboot/stable/20160907/rom/grub/libreboot_r20160907_grub_x200_8mb.tar.xz
561 http://mirrors.mit.edu/libreboot/stable/20160907/libreboot_r20160907_util.tar.xz
565 find probably x200_8mb_usqwerty_vesafb.rom (depending on size determined
566 earlier). rename it libreboot.rom.
568 get the mac address of eth0 or equivalent
570 move libreboot.rom to the following folder; this is where the executable for ich9gen is located:
572 mv libreboot_r20160907_grub_x200_8mb/x200_8mb_usqwerty_vesafb.rom libreboot_r20160907_util/ich9deblob/x86_64/libreboot.rom
575 ./ich9gen --macaddress XX:XX:XX:XX:XX:XX
576 replace 8m with correct rom size,
577 dd if=ich9fdgbe_8m.bin of=libreboot.rom bs=1 count=12k conv=notrunc
578 mv libreboot.rom ../..
580 sudo ./flash update libreboot.rom
581 # equivalent flashrom command:
582 flashrom -p internal -w libreboot.rom
Occasionally, coreboot changes the name of a given board. If flashrom complains about a board mismatch, but you are sure that you chose the correct ROM image, then run this alternative command:
586 $ sudo ./flash forceupdate libreboot.rom
588 You will see the flashrom program running for a little while, and you might see errors, but if it says Verifying flash... VERIFIED at the end, then it’s flashed, and should boot. If you see errors, try again (and again, and again). The message, Chip content is identical to the requested image is also an indication of a successful installation.
594 backup-scripts on vcs and /root on monolith
595 backups go to /backup and
596 whizbackup exclude files are in /backup on monolith
598 * TODO put this transaction note somewhere
599 5th payment failure, recurring contribution will get marked as
600 cancelled, and we tell tc, or else they keep trying forever
604 ** TODO update https://libreboot.org/docs/install/index.html,
607 put the actual complete error for seo.
** TODO document some lower priority todos from john's meeting
611 ** TODO make emacs meetup mailing list
612 ** TODO follow up on slides email
613 ** TODO send out command to technical-discuss to archive panic logs instead of delete
614 ** TODO fix mu4e~view-browse-url-from-binding
615 it's broken for rt tickets
616 ** TODO delete creds from this file which are in firefox
617 ** TODO learn screen or the other one
618 ** TODO new staff checklist, any new items to add?
619 ** TODO think about rt priority system.
620 there are tags, tags in subject, and priority field
621 ** TODO brains page review
623 how to handle different kinds of rt tickets.
626 wishlist page, be familiar with it
627 ** TODO record how staff use irc
andrew wants to try quassel irc client,
629 ruben uses weechat + addon + android client.
630 ** TODO add my jabber contact info to my webpage
631 ** TODO Add a link to donate to the FSF or join as a member to your email signature, and your RT signature.
632 ** TODO sub to https://gluestick.office.fsf.org/recentchanges/index.atom
633 and https://brains.fsf.org/wiki/blogs/johns/
635 ** TODO add spd setup to new host automation
636 ** TODO Move tarantula:/nfs-root/NEW_HOST/root/.ssh/authorized_keys to authorized_keys.disabled
637 on all workstations, assuming nothing has gone wrong by doing it on
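convert ipv6 ip to /64 in bash
# works on the global $ip; quoting the slice keeps the empty element that "::" yields, so the loop stops there instead of skipping it
ip64() { IFS=: read -r -a ipa <<<"$ip"; ip=; for x in "${ipa[@]:0:4}"; do [[ $x ]] || break; ip+=$x:; done; ip+=:/64; }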
645 to run cfengine manually, either run on the target host:
646 cfagent --verbose --no-splay
647 or from the cfengine server,
648 ssh faiserver0 cfrun HOSTNAME
650 server form factors we have: supermicro 825, 113, 213
652 jeanie answers info@fsf.org and membership@fsf.org
654 fsf financial year starts oct 1st.
656 amt: pre-civicrm logmember database. might still be used for some financial
657 stuff. For access, ssh to amt.fsf.org, use history to connect to mysql
658 and mysql history to look up someone if needed.
661 ** drupal access from cli
663 sudoman: iank: if you ever need to get access to drupal from the command line, you can do this:
664 (02:00:21 PM) sudoman: cd /var/www/site_name ; drush uli admin
665 (02:00:36 PM) sudoman: then edit the url, if necessary, replacing "default" with "example.com" and put that in a url bar
668 ** searching talos licenses
670 /a/opt/talos-openbmc ALERT! $ git grep -E -i -e '^ *license *=' --and --not -e '= *["'"'"']\(? *(Apache-2.0|L?GPL[v-]?[123]\.[01]\+?|L?GPL[v-]?[123]\+?|MIT|BSD-[234]-Clause|BSD|CC-BY-3.0|X11|MPL-1.1|MIT-X|EPL-1.0|PSF|Artistic-2.0|Apache-2|ISC|MPL-2.0|Zlib|ClArtistic|copyleft-next-0.3.0|Artistic-1.0 \| GPL.*|IPL-1.0|SPL-1.0|NTP|BSD-0-Clause|SSPL-1|CC-BY-SA-3.0|BSL-1.0|gnuplot|PHP-3.0|GPL-2.0-with-OpenSSL-exception|tcl|openssl|OFL-1.1|IPA||SGI-1|BitstreamVera|netperf|iozone3|\$\{LICENSE_DEFAULT\} & BSD-2-Clause|MPLv1.1|zsh|ImageMagick|HDF5|GPL-2.0-with-GCC-exception|Artistic-1.0\|GPL.*|AGPL-3.0|Python-2.0|PD & MIT|MPL-1|GFDL-1.2|Artisticv1 \| GPLv1+|\(Apache-2.0|LGPL|PSFv2|Ruby|GPL|GPL-3.0-with-GCC-exception|MIT-style|FreeType|Khronos|nbench-byte|PD|radvd|Apache-2.0|Artisticv1 \| GPL.*|openldap|MIT license|CPL-1.0|BSD-1-Clause|ZPL-2.1|Artistic-1.0|read-edid|MIT license|Xdebug|ManishSingh)( *[|&]|["'"'"']$)' > /t/talos-openbmc
674 ** misc services/ hosts
677 for workstations: home directories and root filesystems. served over
678 nfs. also, dhcp server.
680 @fsf.org email: mail.fsf.org
682 main office ip. we have 14 static ips at the office, we don't use all of them.
685 rt version: it's shown in login screen,
687 full text search was released on 4.4.2
692 /var/www/ConfigAndLog
695 also in the admin panel now
696 root@crmserver2p:/var/www/drupal-and-civi/sites/all# cat ./modules/civicrm/civicrm-version.php
699 crmserver1d / mysqlserver2d
700 crmserver2d (no pii in this one, for volunteers to use)
702 mysqlserver1p: civicrm db
704 drupal users. through here you can masquerade, and also find people
706 https://my.fsf.org/admin/people
708 to go from a civi user page to a drupal user page, there is a field on
709 the civi page called "CiviCRM ID / User ID" with a value like: 198055 /
711 the second number should be a link to their drupal profile.
723 sysadmin-nonrt@gnu.org
724 technical-discuss@fsf.org
729 mail.fsf.org:/etc/aliases-fsf.org
736 /usr/lib/mailman/Mailman/Cgi/subscribe.py
738 /usr/share/doc/exim4-base/spec.txt.gz
740 It is usually a good idea to test a new configuration for syntactic #
741 correctness before installing it (for example, by running the command #
742 "exim -C /config/file.new -bV
744 in debian, config file used is first found of:
745 CONFIGURE_FILE=/etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
on systems newer than fsf's, exim's generated config is
747 /var/lib/exim4/config.autogenerated
748 to view it after preprocessor/include file parsing (introduced in a ver sometime after flidas)
751 s exim4 -bP configure_file
752 to view the options it's actually using, including defaults not
753 mentioned in the config, run this. however, it does not show acl's, and
754 i'm not sure what else it doesn't show
755 { eval exim\ -bP\ {,routers}\; ; eval exim\ -bP\ {transports,authenticators}\; | sed '/^[^=]*:$/b;s/^/ /'; } >/tmp/x
758 force retry of all queued messages:
759 exiqgrep -i | xargs exim -M
761 smtp protocol overview
762 https://cr.yp.to/smtp/mail.html
763 interesting reference:
764 https://mailinabox.email/static/architecture.svg
765 https://bitlair.nl/Projects/Mailserver_with_Debian,_Exim,_spamassassin,_greylistd,_DKIM,_SRS,_SPF,_DMARC,_forwarding,_LDAP,_dovecot,_LMTP,_disk_crypto
766 https://github.com/andryyy/mailcow
770 # describes what all the exim processes are doing
772 # list of messages in queue
# delete messages from queue, matching receiver
778 exiqgrep -r edward@gnu.org -i| xargs exim -Mrm
780 exim -Mvl id #view the message log for message id
781 exim -Mvh id #view message id's headers
782 exim -Mvb id #view message id's body
784 mailman won't let you post to subscribe unless you get first, and within a certain
787 # look for exim log failures
788 zgrep ' ==\|\*\*' mainlog*gz | sed -r 's/^mainlog.//' | sort -g | less
791 <= message arrival. following address is the envelope sender address
792 (= message fakereject
793 => normal message delivery
794 -> additional address in same delivery
795 >> cutthrough message delivery
796 *> delivery suppressed by -N
797 ** delivery failed; address bounced
798 == delivery deferred; temporary problem
800 A authenticator name (and optional id and sender)
801 C SMTP confirmation on delivery
802 command list for “no mail in SMTP session”
803 CV certificate verification status
804 D duration of “no mail in SMTP session”
805 DN distinguished name from peer certificate
806 DS DNSSEC secured lookups
807 DT on => lines: time taken for a delivery
808 F sender address (on delivery lines)
809 H host name and IP address
810 I local interface used
811 K CHUNKING extension used
812 id message id for incoming message
813 P on <= lines: protocol used
814 on => and ** lines: return path
815 PRDR PRDR extension used
816 PRX on <= and => lines: proxy address
817 Q alternate queue name
818 QT on => lines: time spent on queue so far
819 on “Completed” lines: time spent on queue
820 R on <= lines: reference for local bounce
821 on => >> ** and == lines: router name
822 S size of message in bytes
823 SNI server name indication from TLS client hello
824 ST shadow transport name
825 T on <= lines: message subject (topic)
826 on => ** and == lines: transport name
827 U local user or RFC 1413 identity
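The `**` and `==` flags and the `R=`, `T=`, `H=` fields listed above are enough to turn the zgrep one-liner into a per-recipient failure summary. This is an added example, not part of the original notes; the function names and the log lines are constructed, and it assumes the default line layout (date, time, message id, flag, address).

```bash
#!/usr/bin/env bash
# Added example: summarise bounced (**) and deferred (==) deliveries from exim
# mainlog lines. Assumes the default layout "date time message-id flag address
# ..."; log_selector options that add leading fields (such as +pid) shift the
# columns and would need the field numbers adjusted.

# exim_failures: mainlog lines on stdin; tab-separated
# count, kind, address, router, transport, host on stdout, most frequent first.
exim_failures() {
  awk '
    $4 == "**" || $4 == "==" {
      kind = ($4 == "**") ? "bounced" : "deferred"
      router = "-"; transport = "-"; host = "-"
      for (i = 6; i <= NF; i++) {
        tok = $i
        # The free-text error starts after the first token ending in ":".
        last = (tok ~ /:$/)
        if (last) sub(/:$/, "", tok)
        if (tok ~ /^R=/) router = substr(tok, 3)
        else if (tok ~ /^T=/) transport = substr(tok, 3)
        else if (tok ~ /^H=/) host = substr(tok, 3)
        if (last) break
      }
      count[kind "\t" $5 "\t" router "\t" transport "\t" host]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
  ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample input (not real log data).
sample_mainlog() {
  cat <<'EOF'
2024-05-01 10:00:01 1s0aaa-0001Ab-1X <= list-bounces@lists.example.org H=localhost [127.0.0.1] P=esmtp S=2310
2024-05-01 10:00:02 1s0aaa-0001Ab-1X => alice@example.com R=dnslookup T=remote_smtp H=mx.example.com [192.0.2.10] C="250 OK"
2024-05-01 10:00:03 1s0aaa-0001Ab-1X ** nobody@example.net R=dnslookup T=remote_smtp H=mx.example.net [192.0.2.25]: SMTP error from remote mail server after RCPT TO:<nobody@example.net>: 550 5.1.1 User unknown
2024-05-01 10:00:04 1s0aaa-0001Ab-1X == user@example.org R=dnslookup T=remote_smtp defer (110): Connection timed out
2024-05-01 10:30:04 1s0aaa-0001Ab-1X == user@example.org R=dnslookup T=remote_smtp defer (110): Connection timed out
2024-05-01 10:30:05 1s0aaa-0001Ab-1X Completed
EOF
}
```

On a host with rotated logs, `zcat -f mainlog* | exim_failures` reads compressed and uncompressed files alike.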
833 then manually enter smtp commands
834 http://www.samlogic.net/articles/smtp-commands-reference.htm
835 see below, org mode section on simulating messages.
837 testing routers, transport, rewrite, etc:
839 $ exim -bt -f iank@fsf.org x@gmail.com
840 R: smarthost for x@gmail.com
842 router = fsfsmarthost, transport = remote_smtp_smarthost
843 host mail.fsf.org [209.51.188.13]
845 clear out retry database:
846 s exim_tidydb -t 0m /var/spool/exim4 retry
note: m is for minutes, it could be d for days, it doesn't matter
849 clear out specific host in retry database:
850 s exim_dumpdb /var/spool/exim4 retry | gr some_host
851 # copy first space delimited word
852 s exim_fixdb /var/spool/exim4 retry
853 # paste, enter, d, enter
857 for testing expansions:
863 /usr/share/doc/exim4-base/README.Debian.gz
864 /usr/share/doc/exim4-base/spec.txt.gz
867 also see brc file for testing exim.
870 dpatch patch-template -p 85-CVE_string2019 "string2019" \
871 < string.patch >debian/patches/85_CVE-string2019.dpatch
872 fakeroot debian/rules binary
I've set up my own strict dmarc domain, I'm using:
880 ** simulating messages
884 logwrite = test is good
886 for example, to test a failing dmarc message, run this on lists2d.fsf.org
888 while read -r line; do
891 done <<'EOF'| exim -d+all -bhc 127.0.0.1
893 mail from:<mailman@lists.dev.fsf.org>
894 rcpt to:<ian@iankelling.org>
896 From: i@dmarctest.b8.nz
897 To: mailman@dev.fsf.org
898 Subject: Testing Exim
900 This is a test message.
905 while read -r line; do
908 done <<'EOF'| exim -d+all -bhc 127.0.0.1
910 mail from:<qemu-devel-bounces+testignore=je.b8.nz@nongnu.org>
911 rcpt to:<testignore@je.b8.nz>
913 From: ian@iankelling.org
914 To: testignore@je.b8.nz
915 Subject: Testing Exim
917 This is a test message.
924 ** sending to not all mx hosts for yahoo
927 exim -bem /tmp/t '${lookup dnsdb{>:mxh=yahoo.com}}'
929 exim -bem /tmp/t '${lookup dnsdb {>:a=${lookup dnsdb{>:mxh=yahoo.com}}}}'
931 # setting ip list to a var
933 set acl_m_yahoomx = ${lookup dnsdb {>:a=${lookup dnsdb{>:mxh=yahoo.com}}}}
935 # random int generated based on the message, modulo length of the list
936 exim -bem /tmp/t '${eval10: $received_time % ${listcount:00:11:22:33}}'
938 # picking from the list
exim -be '${listextract{0}{00:11:22}}'
exim -be '${listextract{1}{00:11:22}}'
943 # length of dns list:
944 exim -bem /tmp/t '${listcount:${sg{${lookup dnsdb{>:,#mx=yahoo.com}}}{[^:]+#}{}}}'
945 # exim -be '${reduce {${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}{0}{${eval:$value + 1}}}' # old exim way
946 # random time rotating per message number modulo length of dns list
947 exim -bem /tmp/t '${eval10:($tod_epoch / 100000 + $received_time) % ${listcount:${sg{${lookup dnsdb{>:,#mx=yahoo.com}}}{[^:]+#}{}}}}'
948 # pick 1 from mx list
949 exim -be '${listextract{1}{${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}}'
950 exim -be '${extract{1}{:}{${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}}'
951 # pick random from mx list
952 exim -bem /tmp/t '${extract{${eval10:($tod_epoch / 100000 + $received_time) % ${reduce {${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}{0}{${eval:$value + 1}}} + 1}}{:}{${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}}'
953 # a record list of fsf.org
954 exim -be '${lookup dnsdb{>: a=fsf.org }}'
956 exim -bem /tmp/t '${reduce {${lookup dnsdb{>: a=${extract{${eval10:($tod_epoch / 100000 + $received_time) % ${reduce {${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}{0}{${eval:$value + 1}}} + 1}}{:}{${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}} }}}{0}{${if gt {$item}{$value} {$item}{$value}}}}'
957 # max a record of random mx
959 # a record list from mx
960 exim -bem /tmp/t '${sort{${lookup dnsdb{>: a=${extract{${eval10:($tod_epoch / 100000 + $received_time) % ${reduce {${sg{${lookup dnsdb{>:,#mx=yahoo.com}}}{[^:]+#}{}}}{0}{${eval:$value + 1}}}}}{:}{${sg{${lookup dnsdb{>:mx=yahoo.com}}}{[^:]+ }{}}}} }}}{le}{$item}}'
963 # length of a record list:
964 exim -be '${reduce { }{0}{${eval:$value + 1}}}'
965 # pick 1 from a record list
966 exim -be '${extract{0}{:}{${sort{${lookup dnsdb{>: a=fsf.org }}}{le}{$item}}}}'
967 # pick random from a record list
968 exim -be '${extract{0}{:}{${sort{${lookup dnsdb{>: a=fsf.org }}}{le}{$item}}}}'
971 ** TODO figure out how the exim queue works, so many -qG processes
972 after just barely starting exim, and they seem to hang around long after
973 processing the queue. why?
976 * spamassassin reference
978 /usr/share/spamassassin
981 in t9, the manual lists default plugins. grepping, i see an additional
983 Mail::SpamAssassin::Plugin::Rule2XSBody
985 todo: port over training info?
989 The following code adds the same keys with a high trust level in your trustdb (not the same as signing someone's key).
991 for k in $(gpg --import fsf-keyring |& sed -rn 's,^gpg: key (.*):.*,\1,p'); do
992 gpg --fingerprint -k $k | sed -nr 's, ,,g;s,$,:6:,;s,.*print=,,p;'; done | gpg --import-ownertrust
995 ** license request on bug tracker
999 I see you have no LICENSE file for this project.
1001 I suggest releasing the code under the GPLv3 or AGPLv3 license so that
1002 people are encouraged to make improvements and contribute them. Without
1003 a license, sharing the code or any changes is a violation of copyright
1013 default hosts is /etc/ansible/hosts
1016 https://docs.ansible.com/ansible/latest/reference_appendices/playbooks_keywords.html
1018 With until, the default value for “retries” is 3 and “delay” is 5.
1019 https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
1021 to test commands locally, run apx (bashrc)
1022 and put something like this in /a/x.yml
1028 shell: sleep 10 && touch /tmp/t2
1033 shell: sleep 2 && touch /tmp/t1
1039 https://github.com/ansible/ansible/issues/44272
1043 ** asterisk debugging commands
1044 see calls as they are made, etc:
1047 from the asterisk shell, not sure what these do.
1050 * lists / mailman reference
1053 /var/lib/mailman/bin# ./list_lists | grep test
1055 usr/lib/mailman/Mailman/Handlers/AvoidDuplicates.py
1057 elif ccaddrs.has_key(r.lower()):
1058 del ccaddrs[r.lower()]
1060 usr/lib/mailman/Mailman/Utils.py
1061 def IsDMARCProhibited(mlist, email):
1063 https://en.wikipedia.org/wiki/DMARC
1064 https://tools.ietf.org/html/rfc7489#section-3
1065 https://dmarc.org/wiki/FAQ#senders
1067 https://www.exim.org/exim-html-current/doc/html/spec_html/ch-support_for_dkim_domainkeys_identified_mail.html
1068 https://www.ietf.org/rfc/rfc4871.txt
1071 newlist -q mailman ian@iankelling.org jetdirpAbsEtpiHa
1074 install mailman, follow
1075 https://www.gnu.org/software/mailman/mailman-install/node16.html
1076 better format /usr/share/doc/mailman/mailman-install.txt.gz
1077 it implies you can follow this,
1078 http://www.exim.org/howto/mailman21.html
1079 but the mailman docs seem to cover it better.
1081 /usr/lib/mailman/Mailman/mm_cfg.py
1082 MTA=None # Misnomer, suppresses alias output on newlist
1085 web-conf -p 80 apache2 x2.office.fsf.org
1088 /etc/apache2/sites-enabled/x2.office.fsf.org.conf
1090 Include /etc/mailman/apache.conf
1096 http://localhost/cgi-bin/mailman/admin/mailman/members
1099 tee -a /etc/exim4/conf.d/main/000_localmacros <<'EOF'
1100 # Home dir for your Mailman installation -- aka Mailman's prefix
1102 MAILMAN_HOME=/var/lib/mailman
1103 MAILMAN_WRAP=MAILMAN_HOME/mail/mailman
1105 # User and group for Mailman, should match your --with-mail-gid
1106 # switch to Mailman's configure script.
1111 s dd of=/etc/exim4/conf.d/router/099_exim4-config_mailman <<'EOF'
1114 require_files = MAILMAN_HOME/lists/$local_part/config.pck
1115 local_part_suffix_optional
1116 local_part_suffix = -admin : -bounces : -bounces+* : \
1117 -confirm : -confirm+* : \
1119 -owner : -request : \
1120 -subscribe : -unsubscribe
1121 transport = mailman_transport
1124 s dd of=/etc/exim4/conf.d/transport/29_exim4-config_mailman <<'EOF'
1127 command = MAILMAN_WRAP \
1128 '${if def:local_part_suffix \
1129 {${sg{$local_part_suffix}{-(\\w+)(\\+.*)?}{\$1}}} \
1132 current_directory = MAILMAN_HOME
1133 home_directory = MAILMAN_HOME
1135 group = MAILMAN_GROUP
1138 ** testing for dmarc strict senders
1140 wget -m ftp://lists.gnu.org/info-gnu
1141 cd lists.gnu.org/info-gnu
1142 sed -rn '/^From: /s/.*@([^> ]*).*/\1/p' * | sort -u | while read -r l; do host -t txt "_dmarc.$l"; done
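The check above, extended as an added example that is not part of the original notes: it parses the `p=` tag out of each `host -t txt` answer instead of only printing the records, and counts p=quarantine and p=reject as strict (this example's definition). The `.example` domains, TXT answers and archive excerpt are constructed, and `sample_lookup` is a hypothetical stand-in for `host -t txt "_dmarc.$d"` so the block runs offline.

```shell
# Added example: find list posters whose domains publish a strict DMARC policy.

# Unique, lower-cased domains from From: headers on stdin (regex from the note).
from_domains() {
    sed -En '/^From: /s/.*@([^> ]*).*/\1/p' | tr 'A-Z' 'a-z' | sort -u
}

# Print the p= tag of a `host -t txt` answer, or "absent" when the answer
# holds no usable DMARC record. Joins TXT strings split as "..." "...".
dmarc_policy() {
    printf '%s\n' "$1" |
        sed -e 's/^[^"]*"//' -e 's/" "//g' -e 's/"//g' | tr ';' '\n' |
        awk -F= '
            { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2) }
            NR == 1 && !($1 == "v" && $2 == "DMARC1") { exit }
            $1 == "p" { print tolower($2); found = 1; exit }
            END { if (!found) print "absent" }'
}

# Constructed stand-in for `host -t txt "_dmarc.$1"` so this runs offline.
sample_lookup() {
    case "$1" in
        strict.example)  echo '_dmarc.strict.example descriptive text "v=DMARC1; p=reject; rua=mailto:d@strict.example"' ;;
        split.example)   echo '_dmarc.split.example descriptive text "v=DMARC1; p=quar" "antine; pct=100"' ;;
        relaxed.example) echo '_dmarc.relaxed.example descriptive text "v=DMARC1; p=none"' ;;
        *)               echo "Host _dmarc.$1 not found: 3(NXDOMAIN)" ;;
    esac
}

# Constructed archive excerpt.
sample_mail() {
    cat <<'EOF'
From: Alice <alice@Strict.Example>
Subject: release 1.0
From: bob@relaxed.example
From: "Carol" <carol@split.example>
From: dave@nodmarc.example
From: Eve <eve@strict.example>
EOF
}

# Print "domain policy" for each sender domain with p=quarantine or p=reject.
strict_senders() {
    from_domains | while read -r d; do
        p=$(dmarc_policy "$(sample_lookup "$d")")
        case "$p" in quarantine|reject) echo "$d $p" ;; esac
    done
}
sample_mail | strict_senders
```

To run it against the mirrored archive, replace the `sample_lookup "$d"` call with `host -t txt "_dmarc.$d"` and feed the archive files to `strict_senders` on stdin.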