+host-info-all() {
+ host-info-update
+ bindpushb8
+ ssh iank@li.b8.nz conflink
+ wrt-setup
+}
+
+
+# if you change a host's ip, then run
+# bindpushb8
+# wrt-setup
+host-info-update() {
+
+ local -A vpn_ips host_ips host_macs nonvpn_ips all_ips
+ local -a root_hosts nonroot_hosts host_usbs
+
+ # the hosts with no mac
+ root_hosts=( bk je li b8.nz )
+ for h in ${root_hosts[@]}; do
+ root_hosts+=(${h}ex)
+ done
+ root_hosts+=(cmc)
+
+ while read -r ip host mac opts; do
+ if [[ $ip == *#* || ! $host ]]; then continue; fi
+
+ # opt parsing
+ vpn=false
+ root=false
+ for opt in $opts; do
+ case $opt in
+ user=root)
+ root=true
+ ;;
+ vpn)
+ vpn=true
+ ;;
+ esac
+ done
+
+ all_ips[$host]=$ip
+ if $vpn; then
+ vpn_ips[$host]=$ip
+ else
+ nonvpn_ips[$host]=$ip
+ fi
+ if $root; then
+ # note: the reason we have b8.nz suffix here but not for non_root
+ # hosts is that it is for the User part, the IdentityFile part is
+ # redundant to *.b8.nz. Also note ${host}i, we only setup those for vpn hosts, but there is no harm in overspecifying here.
+ root_hosts+=($host ${host}i $host.b8.nz ${host}i.b8.nz)
+ else
+ nonroot_hosts+=($host ${host}i)
+ fi
+ host_ips[$host]=$ip
+ if [[ $mac ]]; then
+ host_macs[$host]=$mac
+ fi
+
+ done </p/c/host-info
+
+ {
+ cat <<EOF
+Host ${nonroot_hosts[@]}
+User iank
+IdentityFile ~/.ssh/home
+
+Host ${root_hosts[@]}
+IdentityFile ~/.ssh/home
+
+EOF
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ cat <<EOF
+Host ${host}i
+Hostname b8.nz
+Port $((2200 + ipsuf))
+
+EOF
+ done
+
+ # convenience of one auth key entry
+ for host in ${!all_ips[@]}; do
+ cat <<EOF
+Host $host ${host}i $host.b8.nz ${host}i.b8.nz
+HostKeyAlias $host.b8.nz
+EOF
+ done
+ } | cedit /p/c/subdir_files/.ssh/config || [[ $? == 1 ]]
+
+ {
+ # hack to please emacs parser
+ here_begin="cat <<EOF"
+ echo "$here_begin"
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ i_port=$(( 2200 + ipsuf ))
+ cat <<EOF
+config redirect
+option name ssh$host
+option src wan
+option src_dport $i_port
+option dest_port 22
+option dest_ip \$l.$ipsuf
+option dest lan
+config rule
+option src wan
+option target ACCEPT
+option dest_port $i_port
+EOF
+ done
+ echo "EOF"
+ } >/p/c/cmc-firewall-data
+
+
+ local host ipsuf f files
+
+ # shellcheck disable=SC2016 # shellcheck doesnt know this is sed
+ sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf
+ for host in ${!vpn_ips[@]}; do
+ if [[ ${root_ips[$host]} ]]; then
+ # root machines dont actually need vpn, but
+ # the classification still helps with other
+ # configurations.
+ continue
+ fi
+ ipsuf=${vpn_ips[$host]}
+ wghole $host $ipsuf
+ sd /b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/$host <<EOF
+ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
+EOF
+ u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service <<EOF
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ done
+
+ {
+ echo "cat <<EOF"
+ for host in ${!host_ips[@]}; do
+ ipsuf=${host_ips[$host]}
+ # shellcheck disable=SC2016 # intentional
+ echo 'local-data-ptr: "$l.'$ipsuf $host.b8.nz'"'
+ done
+ echo "EOF"
+ } | u /p/c/ptr-data
+
+ {
+ echo "cat <<EOF"
+ for host in ${!host_ips[@]}; do
+ ipsuf=${host_ips[$host]}
+ echo "dhcp-host=${host_macs[$host]},set:$host,\$l.$ipsuf,$host"
+ done
+ echo "EOF"
+ } | u /p/c/dnsmasq-data
+
+
+ b8_ip=$(dig +short b8.nz @iankelling.org | tail -1)
+ if [[ ! $b8_ip ]]; then
+ echo "$0: error: got empty b8.nz ip. returning 1"
+ return 1
+ fi
+ {
+ echo "@ A $b8_ip"
+ for host in ${!nonvpn_ips[@]}; do
+ ipsuf=${nonvpn_ips[$host]}
+ echo "$host A 10.2.0.$ipsuf"
+ done
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ cat <<EOF
+$host A 10.2.0.$ipsuf
+${host}wg A 10.8.0.$ipsuf
+${host}vp A 10.5.5.$ipsuf
+${host}tr A 10.174.$ipsuf.2
+EOF
+ done
+ } | cedit vpn-ips-update /p/c/machine_specific/vps/bind-initial/db.b8.nz ||:
+
+
+ echo checking for stray files:
+
+ initial_dir="$PWD"
+ while read -r dir path; do
+ cd $dir
+ ngset
+ files=( */$path )
+ ngreset
+ cd "$initial_dir"
+ for f in "${files[@]}"; do
+ host=${f%%/*}
+ if [[ ! ${vpn_ips[$host]} ]]; then
+ e rm $dir/$f
+ fi
+ done
+ done <<'EOF'
+/a/bin/ds/machine_specific filesystem/etc/systemd/system/openvpn-client-tr@.service
+/p/c/machine_specific filesystem/etc/wireguard/wghole.conf
+EOF
+
+ files=(/b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/* )
+ for f in "${files[@]}"; do
+ host=${f##/*}
+ if [[ ! ${vpn_ips[$host]} ]]; then
+ e rm $f
+ e ssh root@li.b8.nz rm -f $f
+ fi
+ done
+
+}
+
+# usage host ipsuf [extrahost]
+#
+# If the keys already exist and you want new ones, remove them:
+# rm /p/c/machine_specific/$host/filesystem/etc/wireguard/hole-{priv,pub}.key
+#
+# extrahost is a host/cidr that is allowed to go be routed through the
+# vpn by this host.
+wghole() {
+ if (( $# < 2 || $# > 3 )); then
+ e expected 2-3 arg of hostname, ip suffix, and extrahost >&2
+ return 1
+ fi
+ local host ipsuf umask_orig vpn_allowed
+ host=$1
+ ipsuf=$2
+ if [[ $3 ]]; then
+ extrahost=,$3
+ fi
+ for vpn_host in ${!vpn_ips[@]}; do
+ if [[ $vpn_host == "$host" ]]; then
+ continue
+ fi
+ vpn_allowed+=",10.174.${vpn_ips[$vpn_host]}.2/32"
+ done
+ mkdir -p /p/c/machine_specific/$host/filesystem/etc/wireguard
+ (
+ cd /p/c/machine_specific/$host/filesystem/etc/wireguard
+ umask_orig=$(umask)
+ umask 0077
+ if [[ ! -s hole-priv.key || ! -s hole-pub.key ]]; then
+ wg genkey | tee hole-priv.key | wg pubkey > hole-pub.key
+ fi
+ cat >wghole.conf <<EOF
+[Interface]
+# contents hole-priv.key
+PrivateKey = $(cat hole-priv.key)
+ListenPort = 1194
+Address = 10.8.0.$ipsuf/24
+# https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
+# ||: makes the systemd service not fail due to the failed command
+PostUp = ping -w10 -c1 10.8.0.1 ||:
+
+[Peer]
+# li. called wgmail on that server
+PublicKey = CTFsje45qLAU44AbX71Vo+xFJ6rt7Cu6+vdMGyWjBjU=
+AllowedIPs = 10.8.0.0/24$vpn_allowed$extrahost
+Endpoint = 72.14.176.105:1194
+PersistentKeepalive = 25