# This works in addition to HISTCONTROL to do more flexible things
# it could also do the same things as HISTCONTROL and thus replace it,
# but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it.
-HISTIGNORE='pass *:[ ]*:otp *:oathtool *'
+HISTIGNORE='pass *:[ ]*:otp *:oathtool *:histrm *'
#### begin section that works with sl() function to return from
TERM=xterm-256color
fi
+ # copying from the alacritty example above,
+ if [[ $TERM == xterm-kitty ]]; then
+ if [[ ! -e /usr/share/terminfo/x/xterm-kitty ]]; then
+ TERM=xterm-256color
+ else
+ if [[ -e /a/opt/kitty/shell-integration/bash/kitty.bash ]]; then
+ KITTY_SHELL_INTEGRATION=t
+ source /a/opt/kitty/shell-integration/bash/kitty.bash
+ fi
+ fi
+ fi
# todo: not sure this works in sakura
#stty werase undef
#bind "\C-w": kill-region
# sakura == xterm-256color
# konsole == xterm
- if [[ $TERM == xterm* ]]; then
+ if [[ $TERM != xterm-kitty && $TERM == xterm* ]]; then
# control + arrow keys. for other terminals, see http://unix.stackexchange.com/questions/10806/how-to-change-previous-next-word-shortcut-in-bash
bind '"\e[1;5C": shell-forward-word' 2>/dev/null
bind '"\e[1;5D": shell-backward-word' 2>/dev/null
else
# make ctrl-backspace work. for konsole, i fixed it through
# /home/iank/.local/share/konsole/default.keytab
- stty werase '^h'
+ stty werase ^h
bind '"\eOc": shell-forward-word'
bind '"\eOd": shell-backward-word'
fi
-o -name .undo-tree-history -prune \) -type f 2>/dev/null
}
+# todo: id like to do maybe a daily or hourly cronjob to
+# check that my history file size is increasing. Ive had it
+# inexplicably truncated in the past.
+histrm() {
+ history -n
+ history | awk -v IGNORECASE=1 '{ a=$1; sub(/^( *[^ ]+){4} */, "") }; /'"$*"'/'
+ read -p "press anything but contrl-c to delete"
+ for entry in $(history | awk -v IGNORECASE=1 '{ a=$1; sub(/^( *[^ ]+){4} */, "") }; /'"$*"'/ { print a }' | tac); do
+ history -d $entry
+ done
+ history -w
+}
+
# mail related
frozen() {
rm -rf /tmp/frozen
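Review bot: The search pattern is spliced into the awk program text at L45 and L47 (`'/'"$*"'/'`), so an argument containing `/` or a quote changes the program rather than the pattern; passing it as a variable, `awk -v IGNORECASE=1 -v pat="$*" '{ a=$1; sub(/^( *[^ ]+){4} */, "") } $0 ~ pat'`, keeps it data and also works for patterns that contain a slash. The confirmation prompt at L46 should be `read -r`, and `history -d $entry` at L48 is only safe because awk emits bare numbers, so quoting it costs nothing. Deleting in reverse order via `tac` is correct, since `history -d` renumbers the entries after the deleted one.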
ccomp ssh sl slr sss ssk
# plain ssh
ssh() {
- if [[ $TERM == alacritty ]]; then
+ if [[ $TERM == alacritty || $TERM == xterm-kitty ]]; then
TERM=xterm-256color LC_USEBASHRC=t command ssh "$@"
else
LC_USEBASHRC=t command ssh "$@"
# note, i had --delete-excluded, but that deletes all files in --exclude-from on
# the remote site, which doesn't make sense, so not sure why i had it.
local p a
- p=(/a/opt/{emacs-debian10{,-nox},mu,emacs} /a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts})
+ p=(/a/opt/{emacs-debian11{,-nox},mu,emacs} /a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts})
a="-ahviSAXPH --specials --devices --delete --relative --exclude-from=/p/c/li-rsync-excludes"
ret=0
for h in li je bk; do
m s rsync "$@" $a ${p[@]} /p/c/machine_specific/$h root@$h.b8.nz:/ || ret=$?
- # only li is debian10
+ # only li is debian11
p[0]=/a/opt/emacs-ubuntu20.04
p[1]=/a/opt/emacs-ubuntu20.04-nox
done
TR_AUTH=":$(jq -r .profiles[0].password ~/.config/transmission-remote-gtk/config.json)" transmission-remote transmission.lan -ne "$@"
}
+trysleep() {
+ retries="$1"
+ sleepsecs="$2"
+ shift 2
+ for (( i=0; i < retries - 1; i++ )); do
+ if "$@"; then
+ return 0
+ fi
+ sleep $sleepsecs
+ done
+ "$@"
+}
+
tu() {
local s
}
unboundbash() {
m sudo nsenter -t $(systemctl status unbound| sed -n '/^ *Main PID:/s/[^0-9]//gp') -n -m sudo -u $USER -i bash
- }
+}
mailnncheck() {
local pid ns mailnn
sudo systemd-tty-ask-password-agent
}
+# systemctl is-enabled / status / cat says nothing, instead theres
+# some obscure symlink. paths copied from man systemd.unit.
+# possibly also usefull, but incomplete, doesnt show units not loaded in memory:
+# seru list-dependencies --reverse --all UNIT
+sysd-deps() {
+ local f
+ local -a dirs search
+ ngset
+
+ case $1 in
+ u)
+ search=(
+ ~/.config/systemd/user.control/*
+ $XDG_RUNTIME_DIR/systemd/user.control/*
+ $XDG_RUNTIME_DIR/systemd/transient/*
+ $XDG_RUNTIME_DIR/systemd/generator.early/*
+ ~/.config/systemd/user/*
+ /etc/systemd/user/*
+ $XDG_RUNTIME_DIR/systemd/user/*
+ /run/systemd/user/*
+ $XDG_RUNTIME_DIR/systemd/generator/*
+ ~/.local/share/systemd/user/*
+ /usr/lib/systemd/user/*
+ $XDG_RUNTIME_DIR/systemd/generator.late/*
+ )
+ ;;
+ *)
+ search=(
+ /etc/systemd/system.control/*
+ /run/systemd/system.control/*
+ /run/systemd/transient/*
+ /run/systemd/generator.early/*
+ /etc/systemd/system/*
+ /etc/systemd/systemd.attached/*
+ /run/systemd/system/*
+ /run/systemd/systemd.attached/*
+ /run/systemd/generator/*
+ /lib/systemd/system/*
+ /run/systemd/generator.late/*
+ )
+ ;;
+ esac
+ for f in "${search[@]}"; do
+ [[ -d $f ]] || continue
+ case $f in
+ *.requires|*.wants)
+ dirs+=("$f")
+ ;;
+ esac
+ done
+ # dirs is just so we write out the directory names, ls does it when there is 2 or more dirs.
+ case ${#dirs[@]} in
+ 1)
+ echo "${dirs[0]}:"
+ ll "${dirs[@]}"
+ ;;
+ 0) : ;;
+ *)
+ ll "${dirs[@]}"
+ ;;
+ esac
+ ngreset
+}
+
+fixvpndns() {
+ local link istls
+ read _ link _ istls < <(resolvectl dnsovertls tunfsf)
+ case $istls in
+ yes|no) : ;;
+ *) echo fixvpndns error: unexpected istls value: $istls >&2; return 1 ;;
+ esac
+ s busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager SetLinkDNSOverTLS is $link no
+}
+
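Review bot: `retries`, `sleepsecs` and the loop index `i` in trysleep (L81-L84) are not declared `local`, so every call from an interactive shell or a sourcing script clobbers same-named variables in the caller; `local retries=$1 sleepsecs=$2 i` as the first line fixes that, and `sleep "$sleepsecs"` at L88 should be quoted. In fixvpndns the `read` at L170 should be `read -r`, and nothing checks that `link` is non-empty before it is passed to `busctl call ... SetLinkDNSOverTLS` at L175; `[[ $link ]] || return 1` after the read avoids issuing the call with an empty link argument when resolvectl fails or the interface is absent.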
vpnoff() {
[[ $1 ]] || { echo need arg; return 1; }
if [[ -e /lib/systemd/system/openvpn-client@.service ]]; then
x2|x3|sy)
targets+=($home)
if $at_work; then
- targets+=(kw.office.fsf.org)
+ targets+=(kw.office.fsf.org x2.b8.nz)
else
targets+=(kw.b8.nz)
fi
;;
kd)
- targets+=(x2.b8.nz sy.b8.nz kw.b8.nz)
+ targets+=(x2.b8.nz kw.b8.nz)
+ ## sy is unused
+ # if ping -q -c1 -w1 sy.b8.nz &>/dev/null; then
+ # targets+=(sy.b8.nz)
+ # else
+ # targets+=(syw.b8.nz)
+ # fi
;;
frodo)
# no targets
#!/bin/bash
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+source /a/bin/errhandle/err
+
# inspired from
# https://github.com/kdave/btrfsmaintenance
shopt -s nullglob
shopt -s dotglob
-
-for h in bk.b8.nz je.b8.nz tp.b8.nz vpn1 x2 x3.b8.nz frodo.b8.nz kd.b8.nz kw iankelling.org bk.b8.nz; do
- if [[ $HOSTNAME == "${h%%.*}" ]]; then
+for h in bk je li frodo kwwg x3wg x2wg kdwg; do
+ statedir=/b/bash_unpublished/mailq-state
+ statefile=$statedir/$h
+ [[ -d $statedir ]] || continue
+ if [[ $HOSTNAME == "${h%wg}" ]]; then
+ rm -f $statefile
continue
fi
- if c=$(timeout 1 ssh root@$h /b/ds/check-mailq 2>/dev/null ) && [[ $c ]]; then
- echo q:$h=$c
+ if c=$(timeout -v 10 ssh root@$h.b8.nz /usr/local/bin/check-mailq 2>&1 ); then
+ rm -f $statefile
+ if [[ $c ]]; then
+ echo q:$h=$c
+ fi
+ else
+ if [[ -s $statefile ]]; then
+ logsec=$(date +%s -d "$(head -n1 $statefile | awk '{print $1,$2}')")
+ nowsec=$(date +%s)
+ if (( logsec < nowsec - 60*60*48 )); then
+ echo $0: host $h ssh /usr/local/bin/check-mailq fail for over 48 hours
+ fi
+ fi
+ printf "%s\n" "$c" | ts "%F %T" >> $statefile
fi
done
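Review bot: `[[ -d $statedir ]] || continue` at L219 turns a missing state directory into a silent no-op for every host, so the monitor fails open; creating it (`mkdir -p "$statedir"` before the loop) or reporting the missing directory once to stderr would suit a check whose purpose is to alert. The 48-hour test at L233-L236 only ever reads the first line of the state file, which is the earliest recorded failure, so the alert repeats on every run until an ssh succeeds; that looks intended but deserves a one-line comment. `$statefile` at L221, L227 and L239 is unquoted; harmless with these fixed paths, but `"$statefile"` would match the quoting used elsewhere in the loop.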
# this command created by using arandr and then clicking save, copying the result.
xrandr --output VGA-1 --off --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --output eDP-1 --off
fi
-/a/bin/distro-setup/input-setup m
+case $HOSTNAME in
+ sy) /a/bin/distro-setup/input-setup l ;;
+ *) /a/bin/distro-setup/input-setup m ;;
+esac
echo -n "ending " >> /tmp/desktop-20-autostart-log
date "+%A, %B %d, %r, %S seconds" >> /tmp/desktop-20-autostart-log
# SPDX-License-Identifier: AGPL-3.0-or-later
# shellcheck source=/a/bin/ds/.bashrc
-export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi
+export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi
### setup
source /a/bin/errhandle/err
deb-src http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
EOF
# ubuntu keyserver is prone to intermittent failures
- for (( i=0; i <= 4 ; i++ )); do
- s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B && break
- sleep 10
- done
+ trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B
p update
# https://support.system76.com/articles/install-ubuntu/
# but i'm hoping this is not needed
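Review bot: Both PPA key imports (here at L265 and again at L282) still go through `apt-key adv --recv-keys`, which Debian and Ubuntu have deprecated, while the syncthing section of this same commit already switched to a `[signed-by=...]` keyring file; fetching each key into its own `/usr/share/keyrings/<name>.gpg` and referencing it from the `.list` line would make the three repositories consistent and stop the PPA keys from being trusted for every repository. The new `trysleep 4 15 ...` also changes failure semantics: the old loop fell through after its last attempt, whereas trysleep returns the final attempt's status, so with the errhandle trap sourced at L257 a keyserver outage now aborts the run; that is probably desired but is worth a note in the commit message.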
trisquel|ubuntu)
# ppa:obsproject/obs-studio
- if [[ ! -d /etc/apt/sources.list.d/obs.list ]]; then
+ if [[ ! -s /etc/apt/sources.list.d/obs.list ]]; then
# https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
sd /etc/apt/sources.list.d/obs.list <<EOF
deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
deb-src http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
EOF
- for (( i=0; i <= 4 ; i++ )); do
- s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228 && break
- sleep 10
- done
+ trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
p update
fi
;;
# stop that.
if id -u gdm &>/dev/null; then
sudo -u gdm dbus-launch gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type 'nothing'
- m systemctl --user stop gvfs-daemon
- m systemctl --user disable gvfs-daemon
fi
;;&
focal)
fi
############# begin syncthing setup ###########
-if [[ $HOSTNAME == frodo ]]; then
- # It\'s simpler to just worry about running it in one place for now.
- # I assume it would work to clone it\'s config to another non-phone
- # and just run it in one place instead of the normal having a
- # separate config. I lean toward using the same config, since btrfs
- # syncs between comps.
- # testing has relatively up to date packages
- if ! isdebian-testing; then
- # based on error when doing apt-get update:
- # E: The method driver /usr/lib/apt/methods/https could not be found.
- pi apt-transport-https
- # google led me here:
- # https://apt.syncthing.net/
- curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
- s="deb http://apt.syncthing.net/ syncthing release"
+case $HOSTNAME in
+ kd|frodo)
+ f=/usr/share/keyrings/syncthing-archive-keyring.gpg
+ if [[ ! -e $f ]]; then
+ s curl -s -o $f https://syncthing.net/release-key.gpg
+ fi
+ s="deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable"
if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != "$s" ]]; then
echo "$s" | sd /etc/apt/sources.list.d/syncthing.list
p update
fi
- fi
- pi syncthing
- m lnf -T /w/syncthing /home/iank/.config/syncthing
- ser daemon-reload # syncthing likely not properly packaged
- sgo syncthing@iank # runs as iank
-
- # these things persist in ~/.config/syncthing, which I save in
- # /w/syncthing (not in /p, because syncthing should continue to
- # run on home server even when using laptop as primary device)
- # open http://localhost:8384/
- # change listen address from default to tcp://:22001,
- # this is because we do port forward so it doesn\'t have to use
- # some external server, but the syncthing is broken for port forward,
- # you get a message, something "like connected to myself, this should not happen"
- # when connecting to other local devices, so I bump the port up by 1,
- # based on
- # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
- # Without this, it was being stuck syncing at 0%.
- # Set gui username and password.
- #
- # install syncthing via f-droid,
- # folder setting, turn off send only.
- # on phone, add device, click bar code icon
- # on dekstop, top right, actions, device id
- # after adding, notification will appear on desktop to confirm
- #
- # syncing folder. from phone to desktop: select desktop in the
- # folder on phone\'s sync options, notification will appear in
- # desktop\'s web ui within a minute. For the reverse, the
- # notification will appear in android\'s notifications, you have to
- # swipe down and tap it to add the folder. It won\'t appear in the
- # syncthing ui, which would be intuitive, but don\'t wait for it
- # there. The notification may not work, instead open the web gui
- # from in the app, there should be a notification within there.
- #
- # On phone, set settings to run syncthing all the time, and
- # show no notification.
- #
- # Folder versioning would make sense if I didn\'t already use btrfs
- # for backups. I would choose staggered, or trash can for more space.
- #
- # if needed to install on a remote comp:
- # ssh -L 8384:localhost:8384 -N frodo
- # open http://localhost:8384/
- #
- # Note, the other thing i did was port forward port 22000,
- # per https://docs.syncthing.net/users/firewall.html
+ pi syncthing
+ ;;&
+ frodo)
+ m lnf -T /w/syncthing /home/iank/.config/syncthing
+ ser daemon-reload # syncthing likely not properly packaged
+ sgo syncthing@iank # runs as iank
+ ;;
+ kd)
+
+ # 1003 just happens to be what was on my system
+ if ! getent passwd ziva; then
+ s groupadd -g 1003 ziva
+ # syncthing state / config / db are all in ~/.config/syncthing
+ s useradd -g 1003 -u 1003 -d /d/ziva-home -c ziva -s /bin/bash ziva
+ fi
+ sgo syncthing@ziva
+ ;;
+esac
+
+# user for short term use dropping of privileges
+s groupadd -g 1023 zu
+s useradd -g 1023 -u 1023 -c zu -s /bin/bash zu
+
+
+
+# these things persist in ~/.config/syncthing, which I save in
+# /w/syncthing (not in /p, because syncthing should continue to
+# run on home server even when using laptop as primary device)
+# open http://localhost:8384/
+# change listen address from default to tcp://:22001,
+# this is because we do port forward so it doesn\'t have to use
+# some external server, but the syncthing is broken for port forward,
+# you get a message, something "like connected to myself, this should not happen"
+# when connecting to other local devices, so I bump the port up by 1,
+# based on
+# https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
+# Without this, it was being stuck syncing at 0%.
+# Set gui username and password.
+#
+# install syncthing via f-droid,
+# folder setting, turn off send only.
+# on phone, add device, click bar code icon
+# on dekstop, top right, actions, device id
+# after adding, notification will appear on desktop to confirm
+#
+# syncing folder. from phone to desktop: select desktop in the
+# folder on phone\'s sync options, notification will appear in
+# desktop\'s web ui within a minute. For the reverse, the
+# notification will appear in android\'s notifications, you have to
+# swipe down and tap it to add the folder. It won\'t appear in the
+# syncthing ui, which would be intuitive, but don\'t wait for it
+# there. The notification may not work, instead open the web gui
+# from in the app, there should be a notification within there.
+#
+# On phone, set settings to run syncthing all the time, and
+# show no notification.
+#
+# Folder versioning would make sense if I didn\'t already use btrfs
+# for backups. I would choose staggered, or trash can for more space.
+#
+# if needed to install on a remote comp:
+# ssh -L 8384:localhost:8384 -N frodo
+# open http://localhost:8384/
+#
+# Note, the other thing i did was port forward port 22000,
+# per https://docs.syncthing.net/users/firewall.html
-fi
############# end syncthing setup ###########
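Review bot: The `zu` account creation at L389-L390 is unconditional, so on any re-run `groupadd -g 1023 zu` fails because the group already exists and, under the errhandle trap sourced at the top of the script, aborts the rest of the setup; the `ziva` block just above (L379-L383) already shows the right shape, `if ! getent passwd zu; then ... fi`. The keyring fetch at L315 uses `curl -s -o $f` without `-f`, so an HTTP error body would be saved as the signing key and, because the guard is `[[ ! -e $f ]]`, never replaced; `s curl -sf -o "$f" https://syncthing.net/release-key.gpg` leaves no file behind on a failed download. The comparison at L318 still `cat`s `/etc/apt/sources.list.d/syncthing.list`, which does not exist on first run (pre-existing, but now reached on kd as well).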
m /a/bin/buildscripts/rust
m /a/bin/buildscripts/misc
m /a/bin/buildscripts/pithosfly
-m /a/bin/buildscripts/alacritty
+#m /a/bin/buildscripts/alacritty
+m /a/bin/buildscripts/kitty
pi-nostart virtinst virt-manager
soff libvirtd
########### misc stuff
if [[ $HOSTNAME != frodo ]]; then
- s cedit hole /etc/hosts <<EOF ||:
-10.5.5.3 amy amy.b8.nz
-10.5.5.5 frodo frodo.b8.nz
-10.5.5.6 wclient wclient.b8.nz
-EOF
+ # remove. i moved this into dns
+ echo | s cedit hole /etc/hosts ||:
fi
if [[ ! -e ~/.local/bin/pip ]]; then
e debconf-utils
fi
-# needed for checkrestart
if isdeb; then
e debian-goodies
fi
#!/bin/bash
source ~/.bashrc
+
+
main() {
fqdn=$(hostname -f)
up4=false
- if ! read -r _ _ gateway _ < <(ip -4 route get 85.119.83.50 2>/dev/null); then
+ if ! read -r _ _ gateway _ ifdev _ < <(ip -4 route get 85.119.83.50 2>/dev/null); then
# if our internet is down, just give up, no need to have an error
if [[ ! $INVOCATION_ID ]]; then
echo $0: failed to get route, giving up
;;
esac
- if timeout -s 9 5 ssh-keyscan -p 2220 -t rsa $gateway 2>/dev/null | grep -qFx "[$gateway]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCH+/h1dGEfKEusBblndU2e6QT4wLCm5+yqr/sqh/0X9YfjR7BfWWm8nNmuP55cYc+Wuf5ljB1H1acXEcsl1y8e0j3agHfF0V74FE1N1zz5nn2Ep8NHnmqgEhza38ZxMPh+4p3X7zklEKU7+3SzybKBi8sg0wLzlS2LM0JaUN80zR2sK11Kye3dURUXPk78u5wodOkgcEYRwSYaDMJlUzWP+poRXIDJwFaMQnwmxbl/c84yOyaU0x/d6hFwoRscWecihX+vvBNeSyxR4xr2HDOyUWwJkctyAgt2p7w3tfkXOKcCRzTAjGVIMQLTvo0sG/yJbcyHoEFdFybCsgDvfyYn"; then
- # we are on a home network
+ athome=false
+ if [[ -s /dev/shm/dynamic-ip-update-state ]]; then
+ oldbytes=$(cat /dev/shm/dynamic-ip-update-state)
+ newbytes=$(awk '$1 == "'$ifdev':" {print $2 + $10}' /proc/net/dev)
+ if [[ $oldbytes == [1-9]* ]] && (( newbytes >= oldbytes )); then
+ athome=true
+ printf "%s\n" "$newbytes" >/dev/shm/dynamic-ip-update-state
+ fi
+ fi
+ if ! $athome && timeout -s 9 5 ssh-keyscan -p 2220 -t rsa $gateway 2>/dev/null | grep -qFx "[$gateway]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCH+/h1dGEfKEusBblndU2e6QT4wLCm5+yqr/sqh/0X9YfjR7BfWWm8nNmuP55cYc+Wuf5ljB1H1acXEcsl1y8e0j3agHfF0V74FE1N1zz5nn2Ep8NHnmqgEhza38ZxMPh+4p3X7zklEKU7+3SzybKBi8sg0wLzlS2LM0JaUN80zR2sK11Kye3dURUXPk78u5wodOkgcEYRwSYaDMJlUzWP+poRXIDJwFaMQnwmxbl/c84yOyaU0x/d6hFwoRscWecihX+vvBNeSyxR4xr2HDOyUWwJkctyAgt2p7w3tfkXOKcCRzTAjGVIMQLTvo0sG/yJbcyHoEFdFybCsgDvfyYn"; then
+ athome=true
+ awk '$1 == "'$ifdev':" {print $2 + $10}' /proc/net/dev > /dev/shm/dynamic-ip-update-state
+ fi
+
+
+ if $athome; then
cur4="$(dig +short $dynhost @iankelling.org | tail -1)"
if ip4=$(curl -s4 https://iankelling.org/cgi/pubip); then
if [[ $cur4 && $ip4 && $cur4 != $ip4 ]]; then
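Review bot: The cached `athome` decision at L479-L486 rests only on the interface byte counter having grown since the last run, and once it is true the ssh-keyscan host-key check at L487 is skipped entirely; since /proc/net/dev counters grow monotonically until reboot and /dev/shm survives suspend, a later run on a different network but the same `$ifdev` would, as far as I can see, still be treated as home unless something outside this hunk clears the state file on network change. Recording `$gateway` and `$ifdev` alongside the byte count and requiring them to match before trusting the cache would keep the keyscan as the real gate. `$ifdev` is spliced into the awk program text at L481 and L489; `awk -v dev="$ifdev:" '$1 == dev {print $2 + $10}' /proc/net/dev` keeps it as data, and the duplicated command could become a small helper. main() starts at L466 and continues past the end of the hunk.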
grep "$regex" $pl >> $pl-archive ||:
sed -i "/$regex/d" $pl
- ## begin broken pipe ##
- regex="Failed writing transport results to pipe: Broken pipe$"
+ ## begin broken pipe & write lock ##
+ regex="Failed to get write lock\|Failed writing transport results to pipe: Broken pipe$"
now_s=$(date +%s)
newlines=false
count=0
fi
done < <(grep "$regex" $pl ||:)
if (( count )); then
- # i see these in groups of 3 for the same message around once a day
+ # I see broken pipe in groups of 3 for the same message around once a day
# randomly. I'm guessing they are related to running 2 instances of
# exim which share the same spool. So, if we have some, but not in
# the last 5 minutes, and less than 20, it should be fine to clear
- # them.
+ # them. write lock happens less but can fit under the same rule.
if (( count > 20 )); then
cat $pl
elif ! $newlines; then
fi
d=/a/opt/certbot
-gitget https://github.com/certbot/certbot.git $d &>/tmp/${0##*/}.log
+gitget https://github.com/certbot/certbot.git $d |& ts "%F %T" >>/tmp/${0##*/}.log
cd $d
f=certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf
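Review bot: The log at L522 is still written to a predictable path in the shared `/tmp` (`/tmp/${0##*/}.log`), now with `>>`, which follows a pre-existing symlink; if this script runs as root, which I cannot tell from the hunk, a symlink planted by another local user redirects the append. Writing under `${XDG_RUNTIME_DIR:-/tmp}`, a `mktemp`-created name, or a log directory owned by the invoking user avoids the issue. The enclosing script continues outside the hunk.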
--- /dev/null
+blacklist /a
+blacklist /bu
+blacklist /boot
+blacklist /d
+blacklist /m
+blacklist /o
+blacklist /p
+blacklist /q
+blacklist /w
+blacklist /nocow
--- /dev/null
+private
+net none
+
+include globals.local
+
+
+# below is copied from makepkg
+
+include disable-common.inc
+include disable-exec.inc
+include disable-passwdmgr.inc
+include disable-programs.inc
+
+caps.drop all
+ipc-namespace
+netfilter
+no3d
+nodvd
+nogroups
+nonewprivs
+# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.
+noroot
+nosound
+notv
+novideo
+protocol unix,inet,inet6
+seccomp
+shell none
+
+disable-mnt
+private-tmp
+
+memory-deny-write-execute
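Review bot: The comment at L557, `noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD`, was presumably carried over from the makepkg profile, where the directive is commented out; here `noroot` is active at L558, so the comment contradicts the directive and should be dropped or changed to `# noroot kept enabled; unlike makepkg's profile nothing here needs root in the sandbox`. `net none` at L538 already confines the sandbox to a network namespace with only loopback, so `netfilter` (L552) and `protocol unix,inet,inet6` (L562) add nothing on top of it; harmless, but a one-line comment saying they are kept for parity with makepkg would save the next reader the question.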
--- /dev/null
+# Restart mode: (l)ist only, (i)nteractive or (a)utomatically.
+$nrconf{restart} = 'a';
--- /dev/null
+# uncomment for debugging
+#[Service]
+#Environment=SYSTEMD_LOG_LEVEL=debug
hn=$(hostname -f)
source /a/bin/bash_unpublished/source-state
-l() {
- "$@" |& systemd-cat -t myupgrade
+myreboot() {
+ for x in {30..1}; do
+ echo "pid $$. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n
+ sleep 10
+ done
+ for x in {30..1}; do
+ if ! fuser /var/lib/dpkg/lock &> /dev/null; then
+ echo "pid $$. unattended upgrade, rebooting now" | pee cat "wall -n"
+ /a/bin/ds/keyscript-on
+ /sbin/reboot
+ exit 0
+ fi
+ echo "pid $$. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n
+ sleep 10
+ done
+ echo "pid $$. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n"
}
-## temporary
-case $HOSTNAME in
- kd)
- exit 0
- ;;
-esac
-if checkrestart -b /a/bin/ds/checkrestart-blacklist -p -t &>/dev/null; then
- exit 0
+if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
+ ksta=$(needrestart -b | sed -n 's/NEEDRESTART-KSTA: *//p');
+ case $ksta in
+ 1) : ;;
+ [023]) myreboot ;;
+ *) err error: unknown kernel status ;;
+ esac
fi
-if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- # no automatic reboot for this host, just make an alert
- checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||:
- exit 0
-else
- l checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||:
+# needsrestarts automatic restarts failed.
+if ! out=$(/sbin/needrestart -p 2>&1); then
+ e "$out"
fi
-
-for x in {30..1}; do
- echo "pid $$. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n
- sleep 10
-done
-for x in {30..1}; do
- if ! fuser /var/lib/dpkg/lock &> /dev/null; then
- echo "pid $$. unattended upgrade, rebooting now" | pee cat "wall -n"
- /a/bin/ds/keyscript-on
- /sbin/reboot
- exit 0
- fi
- echo "pid $$. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n
- sleep 10
-done
-echo "pid $$. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n"
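Review bot: The `case $ksta` at L608-L612 reboots for `0` as well as `2` and `3`; in needrestart's batch output, if I read its convention correctly, `NEEDRESTART-KSTA: 0` means the kernel status could not be determined, so a detection failure on a host triggers a full reboot cycle rather than an alert. Treating `0` like the `*)` arm, `[23]) myreboot ;;`, limits the automatic reboot to the two cases where an upgrade is actually pending. The trailing `;` at the end of L607 is harmless but looks like a leftover, and `myreboot` (L581-L597) has no header comment stating that it `exit 0`s on success and returns only when the dpkg lock never freed, which is what the fall-through to `needrestart -p` at L621 relies on.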
# mount-latest-remote
timeout -s 9 600 /usr/local/bin/mount-latest-subvol
rsync --server -OtpRe.LsfxC . /usr/local
-/a/exe/mail-backup-clean
+/usr/local/bin/mail-backup-clean
+/usr/local/bin/check-mailq
EOF
allow=false
--- /dev/null
+#!/bin/bash
+
+[[ $EUID == 0 ]] || exec sudo -E "$script" "$@"
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+set -x
+
+
+boot_part=$(awk '$2 == "/boot" {print $1}' /etc/mtab)
+boot_dev=${boot_part%[0-9]*}
+# from partition.DEFAULT
+new_boot_part=${boot_dev}4
+mount -o subvol=debianbuster_bootstrap $new_boot_part /mnt
+
+cd /mnt
+mount -o bind /dev dev
+mount -o bind /proc proc
+mount -o bind /sys sys
+mkdir -p boot/efi
+mount $(awk '$2 == "/boot/efi" {print $1}' /etc/mtab) boot/efi
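Review bot: `$script` at L651 is never assigned in this file, so when run as a non-root user the re-exec becomes `sudo -E "" "$@"` and fails; the sibling script at L205 uses `"${BASH_SOURCE[0]}"`, and that is what belongs here (a `set -u` next to the other `set` options at L655 would have caught it). `set -x` at L658 is left on in a script that performs mounts and bind mounts as root, which is fine for a one-off but should be commented as intentional or removed. `boot_part=$(awk '$2 == "/boot" {print $1}' /etc/mtab)` at L661 is not checked for emptiness before `$new_boot_part` is mounted at L665; `[[ $boot_part ]] || { echo "no /boot in /etc/mtab" >&2; exit 1; }` gives a clearer failure than a mount attempt on the literal device `4`.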
/a/bin/log-quiet/sysd-mail-once hssh \
btrfsmaint \
dynamic-ip-update \
+ check-mailq \
+ unsaved-buffers.el \
+ mail-backup-clean \
/usr/local/bin
rsync -t --chmod=755 --chown=root:root /a/bin/errhandle/err /usr/local/lib
#### begin dl roundcube
# note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
- v=1.4.11; f=roundcubemail-$v-complete.tar.gz
+ v=1.4.13; f=roundcubemail-$v-complete.tar.gz
cd /a/opt
if [[ -e $f ]]; then
timestamp=$(stat -c %Y $f)
m phpenmod -v php mcrypt imap
# dpkg says this is required
m a2enmod proxy_fcgi setenvif
- fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.3-fpm
+ fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm
phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
m a2enconf $fpm
# 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading
CHECK_RCPT_VERIFY_SENDER = true
# default config comment says: If you enable this, you might reject legitimate mail,
# but eggs has had this a long time, so that seems unlikely.
-CHECK_DATA_VERIFY_HEADER_SYNTAX = true
CHECK_RCPT_SPF = true
CHECK_RCPT_REVERSE_DNS = true
CHECK_MAIL_HELO_ISSUED = true
# note changes here also require change in passwd.client
route_list = * eximbackup.b8.nz
same_domain_copy_routing = yes
+errors_to = alerts@iankelling.org
no_more
EOF
.endif
hosts_require_auth = *
hosts_try_auth = *
- return_path = alerts@iankelling.org
envelope_to_add
- # manual return path because we dont want it to be the envelope sender
+ # manual return path because we want it to be the envelope sender
# we got not the one we are using in this smtp transport
headers_add = "Return-path: $sender_address"
.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
# this avoids some error. i cant remember what. todo:
# test it out and document why/if its needed.
- i /etc/exim4/host_local_deny_exceptions <<'EOF'
-mail.fsf.org
-*.posteo.de
-EOF
+# i /etc/exim4/host_local_deny_exceptions <<'EOF'
+# mail.fsf.org
+# *.posteo.de
+# EOF
# cron email from smarthost hosts will automatically be to
# USER@FQDN. I redirect that to alerts@, on the smarthosts, but in
echo | /a/exe/cedit nn /etc/hosts || [[ $? == 1 ]]
echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
+
if $bhost_t; then
+ install -d /bu
+ install -d -g $u -o $u -m 771 /bu/md
i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
# modified debian maildir transport
backup_maildir:
transport = backup_maildir
EOF
+ # Bind to wghole to receive mailbackup.
+ # todo: will wghole fail to start without internet connectivity?
+ # if so, we need to set it automatically restart infinitely,
+ # and same with exim.
wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_other_hostnames='eximbackup.b8.nz'
dc_local_interfaces='127.0.0.1;::1;$wgholeip'
-
EOF
else
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
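Review bot: `wgholeip` at L746 comes from a sed over `/etc/wireguard/wghole.conf` and is written straight into `dc_local_interfaces` at L749 with no check that it is non-empty, so a missing or reformatted Address line yields `'127.0.0.1;::1;'` and exim silently does not listen on the wghole address that the comment at L742 says is the purpose; `[[ $wgholeip ]] || { echo "wghole address not found" >&2; exit 1; }` before the heredoc would catch that. `install -d -g $u -o $u -m 771 /bu/md` at L736 grants search permission to everyone; if only `$u` and exim's delivery user need to traverse it, `770` with a shared group is tighter, though I cannot see from the hunk who else walks that path. The enclosing `if $bhost_t` block continues past the hunk.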
$MAIL_HOST|bk)
# config for the non-nn exim
m rsync -ra --delete /etc/exim4/ /etc/myexim4
+ # If we ever wanted to have a separate spool,
+ # we could do it like this.
+# cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
+# spool_directory = /var/spool/myexim4
+# EOF
cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
dc_eximconfig_configtype='smarthost'
dc_smarthost='nn.b8.nz'
test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz, testignore@amnimal.ninja, jtuttle@gnu.org"
cat >>/etc/cron.d/mailtest <<EOF
-2 * * * * $u check-remote-mailqs |& log-once check-remote-mailqs
+2 * * * * root check-remote-mailqs |& log-once check-remote-mailqs
EOF
;;&
bk)
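Review bot: The mailtest cron job at L768 now runs `check-remote-mailqs` as `root` instead of `$u`, a privilege change the commit does not explain; the poller (apparently the script at L202-L241) connects over ssh as `root@$h.b8.nz` and writes under `/b/bash_unpublished/mailq-state`, so root may be needed for the key or the state directory, but a dedicated unprivileged monitoring user with its own key and writable state directory would keep a network-facing poller out of root. A short comment above the cron line naming the reason (`# runs as root: needs root's ssh key for root@host`) would at least record the decision.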