+# * start / stop services
+
+reifactive dnsmasq nscd
+
+if $reload; then
+ m systemctl daemon-reload
+fi
+
+# optimization, this only needs to run once.
+if [[ ! -e /sys/class/net/wghole ]]; then
+ # checking bhost_t is redundant, but could help us catch errors.
+ if $bhost_t || [[ -e /etc/wireguard/wghole.conf ]]; then
+ # todo: in mail-setup, we have a static list of backup hosts, not *y
+ m systemctl --now enable wg-quick@wghole
+ fi
+fi
+
+# optimization, this only needs to be run once
+if [[ ! -e /var/lib/prometheus/node-exporter/exim_paniclog.prom ]]; then
+ sysd-prom-fail-install epanicclean
+ m systemctl --now enable epanicclean
+fi
+
+case $HOSTNAME in
+ je)
+ /a/exe/web-conf apache2 je.b8.nz
+ ;;
+ bk)
+ /a/exe/web-conf apache2 mail2.iankelling.org
+ ;;
+esac
+
+# optimization, this only needs to run once. But, if we move to a
+# computer we haven't used much, we need to fetch a fresh cert.
+# Existence check is just to avoid ugly error message from openssl.
+if [[ ! -e /etc/exim4/fullchain.pem ]] || ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
+ m /a/bin/ds/mail-cert-cron -1 -i
+ m systemctl --now enable mailcert.timer
+fi
+
+case $HOSTNAME in
+ $MAIL_HOST|bk)
+ m systemctl --now enable mailnn mailnnroute
+ ;;&
+ $MAIL_HOST)
+ # we use dns to start wg
+ if $reload; then
+ sre unbound
+ else
+ m systemctl --now enable unbound
+ fi
+ ;;&
+ $MAIL_HOST|bk)
+ # If these have changes, id rather manually restart it, id rather
+ # not restart and cause temporary errors
+ if $reload; then
+ sre $vpnser
+ else
+ m systemctl --now enable $vpnser
+ fi
+ ;;&
+ bk)
+ if ! systemctl is-active clamav-daemon >/dev/null; then
+ m systemctl --now enable clamav-daemon
+ out=$(rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/filesystem/etc/systemd/system/epanicclean.service /etc/systemd/system)
+ if [[ $out ]]; then
+ reload=true
+ fi
+
+ # note, this will cause paniclog entries because it takes like 45
+ # seconds for clamav to start, i use ./epanic-clean to remove
+ # them.
+ fi
+ ;;&
+ $MAIL_HOST|bk|je)
+ # start spamassassin/dovecot before exim.
+ sre dovecot $spamd_ser mailtest-check
+ # Wait a bit before restarting exim, else I get a paniclog entry
+ # like: spam acl condition: all spamd servers failed. But I'm tired
+ # of waiting. I'll deal with this some other way.
+ #
+ # sleep 3
+ m systemctl --now enable mailclean.timer
+ ;;&
+ $MAIL_HOST)
+ # < 2.1 (eg: in t9), uses a different data format which required manual
+ # migration. dont start if we are running an old version.
+ if dpkg --compare-versions "$(dpkg -s radicale | awk '$1 == "Version:" { print $2 }')" ge 2.1; then
+ m systemctl --now enable radicale
+ fi
+ ;;&
+esac
+
+# for debugging dns issues
+case $HOSTNAME in
+ je|bk)
+ systemctl enable --now logrotate-fast.timer
+ ;;
+esac
+
+# last use of $reload happens in previous block
+rm -f /var/local/mail-setup-reload
+
+
+case $HOSTNAME in
+ $MAIL_HOST|bk|je|li)
+ # on li, these are never started, except $vpnser
+ :
+ ;;
+ *)
+ soff radicale mailclean.timer dovecot $spamd_ser $vpnser mailnn clamav-daemon
+ ;;
+esac
+
+sre exim4
+
+case $HOSTNAME in
+ $MAIL_HOST)
+ m systemctl --now enable mailbindwatchdog
+ ;;
+ *)
+ soff mailbindwatchdog
+ ;;
+esac
+
+
+case $HOSTNAME in
+ bk) sre exim4in ;;
+esac