+
+
+## for updating host info like ip, location, update /p/c/host-info and
+## host_info below. the host_info array should probably be in its own
+## file that gets sourced so that it can be more easily updated.
+
+# todo: this is so long that it becomes confusing,
+# try to split it up.
+#
+# To make some changes take effect, run host-info-all.
+host-info-update() {
+
+ local -A vpn_ips host_ips host_macs portfw_ips nonvpn_ips all_ips
+ local -a root_hosts nonroot_hosts
+
+ # the hosts with no mac
+ root_hosts=( bk je li b8.nz )
+ for h in ${root_hosts[@]}; do
+ root_hosts+=(${h}ex)
+ done
+ root_hosts+=(cmc)
+
+ while read -r ip host mac opts; do
+ if [[ $ip == *#* || ! $host ]]; then continue; fi
+
+ # opt parsing
+ vpn=false
+ root=false
+ for opt in $opts; do
+ case $opt in
+ user=root)
+ root=true
+ ;;
+ vpn)
+ vpn=true
+ ;;
+ esac
+ done
+
+ all_ips[$host]=$ip
+ if $vpn; then
+ portfw_ips[$host]=$ip
+ vpn_ips[$host]=$ip
+ else
+ nonvpn_ips[$host]=$ip
+ fi
+ if $root; then
+ # note: the reason we have b8.nz suffix here but not for non_root
+ # hosts is that it is for the User part, the IdentityFile part is
+ # redundant to *.b8.nz. Also note ${host}i, we only setup those for vpn hosts, but there is no harm in overspecifying here.
+ root_hosts+=($host ${host}i $host.b8.nz ${host}i.b8.nz)
+ # shellcheck disable=SC2004 # false positive
+ root_hosts_a[$host]=t # a for associative array
+ else
+ nonroot_hosts+=($host ${host}i)
+ fi
+ host_ips[$host]=$ip
+ if [[ $mac ]]; then
+ host_macs[$host]=$mac
+ fi
+
+ done </p/c/host-info
+
+ {
+ cat <<EOF
+Host ${nonroot_hosts[@]}
+User iank
+IdentityFile ~/.ssh/home
+
+Host ${root_hosts[@]}
+IdentityFile ~/.ssh/home
+
+EOF
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ cat <<EOF
+Host ${host}i ${host}i.b8.nz
+Port $((2200 + ipsuf))
+EOF
+ done
+
+ # convenience of one auth key entry
+ for host in ${!all_ips[@]}; do
+ cat <<EOF
+Host $host ${host}i $host.b8.nz ${host}i.b8.nz
+HostKeyAlias $host.b8.nz
+EOF
+ done
+ } | cedit -e /p/c/subdir_files/.ssh/config-static
+
+ {
+ # hack to please emacs parser
+ here_begin="cat <<EOF"
+ echo "$here_begin"
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ i_port=$(( 2200 + ipsuf ))
+ cat <<EOF
+config redirect
+option name ssh$host
+option src wan
+option src_dport $i_port
+option dest_port 22
+option dest_ip \$l.$ipsuf
+option dest lan
+config rule
+option src wan
+option target ACCEPT
+option dest_port $i_port
+EOF
+ done
+ echo "EOF"
+ } >/p/c/cmc-firewall-data
+
+
+ local host ipsuf f files
+
+ # shellcheck disable=SC2016 # shellcheck doesnt know this is sed
+ sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf
+ for host in ${!vpn_ips[@]}; do
+ if [[ ${root_hosts_a[$host]} ]]; then
+ # root machines dont actually need vpn, but
+ # the classification still helps with other
+ # configurations.
+ continue
+ fi
+ ipsuf=${vpn_ips[$host]}
+ wghole $host $ipsuf
+ u /b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/$host <<EOF
+ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
+EOF
+ u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service <<EOF
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ done
+
+ {
+ echo "cat <<EOF"
+ for host in ${!host_ips[@]}; do
+ ipsuf=${host_ips[$host]}
+ # shellcheck disable=SC2016 # intentional
+ echo 'local-data-ptr: "$l.'$ipsuf $host.b8.nz'"'
+ done
+ echo "EOF"
+ } | u /p/c/ptr-data
+
+ {
+ echo "cat <<EOF"
+ for host in ${!host_macs[@]}; do
+ ipsuf=${host_ips[$host]}
+ echo "dhcp-host=${host_macs[$host]},set:$host,\$l.$ipsuf,$host"
+ done
+ echo "EOF"
+ } | u /p/c/dnsmasq-data
+
+
+ b8_ip=$(dig +short b8.nz @iankelling.org | tail -1)
+ # if our dynamic ip updates broke, set manually, eg:
+ #b8_ip=72.74.193.xxx
+ if [[ ! $b8_ip ]]; then
+ echo "$0: error: got empty b8.nz ip. returning 1"
+ return 1
+ fi
+ {
+ cat <<EOF
+@ A $b8_ip
+i A $b8_ip
+EOF
+ for host in ${!nonvpn_ips[@]}; do
+ ipsuf=${nonvpn_ips[$host]}
+ echo "$host A 10.2.0.$ipsuf"
+ done
+ for host in ${!vpn_ips[@]}; do
+ ipsuf=${vpn_ips[$host]}
+ cat <<EOF
+$host A 10.2.0.$ipsuf
+${host}wg A 10.8.0.$ipsuf
+${host}vp A 10.5.5.$ipsuf
+${host}tr A 10.174.$ipsuf.2
+${host}i CNAME i.b8.nz.
+EOF
+ done
+ } | cedit -e vpn-ips-update /p/c/machine_specific/vps/bind-initial/db.b8.nz
+
+
+ echo checking for stray files:
+
+ initial_dir="$PWD"
+ while read -r dir path; do
+ cd $dir
+ ngset
+ files=( */$path )
+ ngreset
+ cd "$initial_dir"
+ for f in "${files[@]}"; do
+ host=${f%%/*}
+ if [[ ! ${vpn_ips[$host]} ]]; then
+ e rm $dir/$f
+ fi
+ done
+ done <<'EOF'
+/a/bin/ds/machine_specific filesystem/etc/systemd/system/openvpn-client-tr@.service
+/p/c/machine_specific filesystem/etc/wireguard/wghole.conf
+EOF
+
+ files=( /b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/* )
+ for f in "${files[@]}"; do
+ host=${f##*/}
+ if [[ ! ${vpn_ips[$host]} ]]; then
+ e rm $f
+ e ssh root@li.b8.nz rm -f $f
+ fi
+ done
+
+ tmpf=$(mktemp)
+ {
+ printf "%s" "Host * "
+ sed -n '/^Host /h;/^IdentityFile .*\/home/{g;s/^Host//;s/ / !/gp}' /p/c/subdir_files/.ssh/config-static | tr '\n' ' ' \
+ | sed -r 's/ *$/\n/'
+ echo "IdentityFile ~/.ssh/work"
+ } >$tmpf
+ cedit -e work-identity /p/c/subdir_files/.ssh/config-static <$tmpf
+ rm -f $tmpf
+
+ ### begin focus on hosts file update ###
+ #
+ # This started as its own function, but it actually
+ # needed to alter the ssh config, so combined it.
+ #
+ # background: This is finally doing dynamic ip resolution via the hosts
+ # file. I considered detecting where each host was dynamically or
+ # something, but ultimately decided to mostly avoid that, other than
+ # detecting the status of the current machine I'm on. I want to be able
+ # to move it around without having to manually type much of anything.
+ local -a host_domain_suffix hosts
+ local -A ip_to_hosts
+ local suf ip i host at_home suf_from_here
+
+ source /p/c/domain-info
+
+ at_home=false
+ if ip n | grep -q "10.2.0.1 .* b4:75:0e:fd:06:4a"; then
+ at_home=true
+ fi
+
+ for i in ${host_domain_suffix[@]}; do
+ if [[ $i == *.* ]]; then
+ suf=$i
+ continue
+ fi
+ hosts+=($i)
+ if [[ $i == "$HOSTNAME" ]]; then
+ unset "portfw_ips[$i]"
+ continue
+ fi
+
+ suf_from_here=$suf
+ if ! $at_home && [[ $suf == .b8.nz || $suf == [wc].b8.nz ]]; then
+ suf_from_here=i.b8.nz
+ else
+ unset "portfw_ips[$i]"
+ fi
+
+ # note this might be outdated until we do a dns push
+ ip=$(dig +short "$i$suf_from_here" @iankelling.org | tail -n1) ||:
+ if [[ ! $ip ]]; then
+ if [[ $suf == .office.fsf.org ]]; then
+ suf_from_here=wg.b8.nz
+ ip=$(getent ahostsv4 "$i$suf_from_here" | awk '{ print $1 }' | head -n1) ||:
+ fi
+ fi
+ if [[ $ip ]]; then
+ ip_to_hosts[$ip]+=" $i"
+ else
+ echo error: failed to get ip of "$i$suf_from_here"
+ fi
+ done
+
+ for ip in "${!ip_to_hosts[@]}"; do
+ echo "$ip${ip_to_hosts[$ip]}"
+ done | s cedit -e hosts-file-up /etc/hosts
+ for host in ${hosts[@]}; do
+ echo $host
+ done >/p/c/subdir_files/.dsh/group/btrbk
+ ### end focus on hosts file update ###
+
+
+ # note: note sure if this is a great way to check.
+ # todo: think about it
+
+ if $at_home; then
+ # possible that in the future we want to create
+ # a dynamic file here, and then we can move the cat
+ # command above out of the conditional
+ rsync -a /p/c/subdir_files/.ssh/config-static ~/.ssh/config
+ else
+ for host in ${!portfw_ips[@]}; do
+ ipsuf=${portfw_ips[$host]}
+ cat <<EOF
+Host ${host}
+Port $((2200 + ipsuf))
+EOF
+ done > ~/.ssh/config-dynamic
+ cat /p/c/subdir_files/.ssh/config-static ~/.ssh/config-dynamic >~/.ssh/config
+ fi
+}
+
+# usage host ipsuf [extrahost]
+#
+# If the keys already exist and you want new ones, remove them:
+# rm /p/c/machine_specific/$host/filesystem/etc/wireguard/hole-{priv,pub}.key
+#
+# extrahost is a host/cidr that is allowed to go be routed through the
+# vpn by this host.
+wghole() {
+ if (( $# < 2 || $# > 3 )); then
+ e expected 2-3 arg of hostname, ip suffix, and extrahost >&2
+ return 1
+ fi
+ local host ipsuf umask_orig vpn_allowed
+ host=$1
+ ipsuf=$2
+ if [[ $3 ]]; then
+ extrahost=,$3
+ fi
+ for vpn_host in ${!vpn_ips[@]}; do
+ if [[ $vpn_host == "$host" ]]; then
+ continue
+ fi
+ vpn_allowed+=",10.174.${vpn_ips[$vpn_host]}.2/32"
+ done
+ mkdir -p /p/c/machine_specific/$host/filesystem/etc/wireguard
+ (
+ cd /p/c/machine_specific/$host/filesystem/etc/wireguard
+ umask_orig=$(umask)
+ umask 0077
+ if [[ ! -s hole-priv.key || ! -s hole-pub.key ]]; then
+ wg genkey | tee hole-priv.key | wg pubkey > hole-pub.key
+ fi
+ cat >wghole.conf <<EOF
+[Interface]
+# contents hole-priv.key
+PrivateKey = $(cat hole-priv.key)
+ListenPort = 1194
+Address = 10.8.0.$ipsuf/24
+# https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
+# ||: makes the systemd service not fail due to the failed command
+PostUp = ping -w10 -c1 10.8.0.1 ||:
+
+[Peer]
+# li. called wgmail on that server
+PublicKey = CTFsje45qLAU44AbX71Vo+xFJ6rt7Cu6+vdMGyWjBjU=
+AllowedIPs = 10.8.0.0/24$vpn_allowed$extrahost
+Endpoint = 72.14.176.105:1194
+PersistentKeepalive = 25
+EOF
+ umask $umask_orig
+ # old approach. systemd seems to work fine and cleaner.
+ rm -f ../network/interfaces.d/wghole
+ cedit -q $host /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf <<EOF || [[ $? == 1 ]]
+[Peer]
+PublicKey = $(cat hole-pub.key)
+AllowedIPs = 10.8.0.$ipsuf/32,10.174.${vpn_ips[$host]}.2/32
+EOF
+ )
+}
+
+# sudo maybe
+#
+# passes on any initial -* args to sudo.
+sudm() {
+ local arg
+ local -a sudo_opts
+ for arg; do
+ if [[ $arg == -* ]]; then
+ sudo_opts+=("$arg")
+ shift
+ else
+ break
+ fi
+ done
+ if [[ $EUID == 0 ]]; then
+ "$@"
+ else
+ sudo "${sudo_opts[@]}" "$@"
+ fi
+}
+
+mns-setup() {
+ local ns
+ ns=$1
+ sudm mkdir -p /root/mount_namespaces
+ if ! sudm mountpoint /root/mount_namespaces >/dev/null; then
+ m sudm mount --bind /root/mount_namespaces /root/mount_namespaces
+ fi
+ m sudm mount --make-private /root/mount_namespaces
+ if ! sudm test -e /root/mount_namespaces/$ns; then
+ m sudm touch /root/mount_namespaces/$ns
+ fi
+ if ! sudm mountpoint /root/mount_namespaces/$ns >/dev/null; then
+ m sudm unshare --propagation slave --mount=/root/mount_namespaces/$ns /bin/true
+ fi
+
+}
+
+mns() { # mount namespace
+ local ns
+ ns=$1
+ shift
+ mns-setup $ns
+ m sudm -E /usr/bin/nsenter --mount=/root/mount_namespaces/$ns "$@"
+}
+
+mnsd() { # mount namespace + systemd namespace
+ local ns unit
+ ns=$1
+ unit=$2
+ shift 2
+
+ mns-setup $ns
+
+ pid=$(servicepid $unit)
+ tmpf=$(mktemp --tmpdir $unit.XXXXXXXXXX)
+ export -p >$tmpf
+ printf "%s " "${@@Q}" >>$tmpf
+ echo >>$tmpf
+
+ m sudo nsenter -t $pid -n --mount=/root/mount_namespaces/$ns sudo -u $USER -i bash -c ". $tmpf & sleep 1; rm $tmpf"
+}
+
+
+mnsr() { # mns run
+ local ns=$1