+
+host-info-update() {
+
+ local -A vpn_ips host_ips host_macs nonvpn_ips
+ local -a root_hosts nonroot_hosts
+
+ # the hosts with no mac
+ root_hosts=( bk je li b8.nz )
+ for h in ${root_hosts[@]}; do
+ root_hosts+=(${h}ex)
+ done
+ root_hosts+=(cmc)
+
+ while read -r ip host mac opts; do
+ if [[ $ip == *#* || ! $host ]]; then continue; fi
+ if [[ $opts == vpn ]]; then
+ vpn_ips[$host]=$ip
+ else
+ nonvpn_ips[$host]=$ip
+ fi
+
+
+ if [[ $opts == user=root ]]; then
+ root_hosts+=($host i$host)
+ else
+ nonroot_hosts+=($host i$host)
+ fi
+
+ host_ips[$host]=$ip
+ host_macs[$host]=$mac
+ done </p/c/host-info
+
+ cedit /p/c/subdir_files/.ssh/config <<EOF || [[ $? == 1 ]]
+Host ${nonroot_hosts[@]}
+User iank
+IdentityFile ~/.ssh/home
+
+Host ${root_hosts[@]}
+IdentityFile ~/.ssh/home
+EOF
+
+
+ grep -E '^[a-z0-9]+[[:space:]]' /p/c/machine_specific/vps/bind-initial/db.b8.nz | awk '{print $1,$3}'
+
+ local host ipsuf f files
+
+ sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ wghole $host $ipsuf
+ u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service <<EOF
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ done
+
+ {
+ echo "cat <<EOF"
+ for host in ${!host_ips[@]}; do
+ ipsuf=${host_ips[$host]}
+ echo 'local-data-ptr: "$l.'$ipsuf $host.b8.nz'"'
+ done
+ echo "EOF"
+ } | u /p/ptr-data
+
+ {
+ echo "cat <<EOF"
+ for host in ${!host_ips[@]}; do
+ ipsuf=${host_ips[$host]}
+ echo "dhcp-host=${host_macs[$host]},set:$host,\$l.7,$host"
+ done
+ echo "EOF"
+ } | u /p/dnsmaq-data
+
+ {
+ for host in ${!nonvpn_ips[@]}; do
+ ipsuf=${nonvpn_ips[$host]}
+ echo "$host A 10.2.0.$ipsuf"
+ done
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ cat <<EOF
+$host A 10.2.0.$ipsuf
+${host}wg A 10.8.0.$ipsuf
+${host}vp A 10.5.5.$ipsuf
+${host}tr A 10.174.$ipsuf.2
+EOF
+ done
+ } | cedit vpn-ips-update /p/c/machine_specific/vps/bind-initial/db.b8.nz ||:
+
+
+ echo checking for stray files:
+
+ initial_dir=$PWD
+ cd /a/bin/ds/machine_specific
+ ngset
+ files=( */filesystem/etc/systemd/system/openvpn-client-tr@.service )
+ ngreset
+ cd $initial_dir
+ for f in "${files[@]}"; do
+ host=${f%%/*}
+ if [[ ! ${vpn_ips[$host]} ]]; then
+ e /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service
+ fi
+ done
+
+ cd /p/c/machine_specific
+ ngset
+ files=( */filesystem/etc/wireguard/wghole.conf )
+ ngreset
+ cd $initial_dir
+ for f in "${files[@]}"; do
+ host=${f%%/*}
+ if [[ ! ${vpn_ips[$host]} ]]; then
+ e rm /p/c/machine_specific/$host/filesystem/etc/wireguard/wghole.conf
+ fi
+ done
+}
+
+# usage host ipsuf [extrahost]
+#
+# If the keys already exist and you want new ones, remove them:
+# rm /p/c/machine_specific/$host/filesystem/etc/wireguard/hole-{priv,pub}.key
+#
+# extrahost is a host/cidr that is allowed to go be routed through the
+# vpn by this host.