author | Ian Kelling <ian@iankelling.org> | |
Mon, 5 Oct 2020 19:49:45 +0000 (15:49 -0400) | ||
committer | Ian Kelling <ian@iankelling.org> | |
Mon, 5 Oct 2020 19:49:45 +0000 (15:49 -0400) |
23 files changed:
index 2bb1722c92965df268f09027ad28d9fd5a95637a..b9c560c61fcea224775303714c2e494d42fcca87 100644 (file)
--- a/.bashrc
+++ b/.bashrc
# but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it.
HISTIGNORE='pass *:[ ]*:otp *:oathtool *'
-
#### begin section that works with sl() function to return from
#### noninteractive ssh shells
if [[ $SSH_CONNECTION ]] \
diff --git a/.inputrc b/.inputrc
index 7518b31e830028bee038ddf9db476955d4cf3e57..c54a4c6e73549808066a6ab8bf12765ddfd2c18b 100644 (file)
--- a/.inputrc
+++ b/.inputrc
-
-
-
-
####### commented out stuff ###########
# vi mode settings and observatoins
diff --git a/aresolv.conf b/aresolv.conf
--- /dev/null
+++ b/aresolv.conf
@@ -0,0 +1 @@
+nameserver 8.8.8.8
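Review bot: The new file carries no comment saying that it is bind-mounted over /etc/resolv.conf inside the openvpn and transmission network namespaces (the `BindPaths=` lines added elsewhere in this commit) or why a third-party resolver was chosen, so the next reader has no way to know that editing it changes DNS for the VPN namespace. resolv.conf accepts `#` comments; a header such as `# bind-mounted over /etc/resolv.conf in the openvpn-*-nn@ and transmission-daemon-nn units; every query from the VPN namespace goes to this resolver, so it must be reachable through the tunnel or the leak is accepted` would document both the consumer and the trade-off. If the resolver is meant to be reached only through the tunnel, that is worth stating explicitly, since nothing in the file or the units enforces it.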
index 2ce4471764282dfe4d6d9477f1c5c92530d773c4..f30cffa90efc61dc53839595fc088df7695abb08 100644 (file)
--- a/brc
+++ b/brc
if [[ -s $bashrc_dir/path-add-function ]]; then
source $bashrc_dir/path-add-function
if [[ $SSH_CLIENT ]]; then
- if [[ -d /home/iank/.iank/e/e ]]; then
+ # [[ -d /home/iank/.iank/e/e ]] mounts it unnecessarily, so use this.
+ if grep -qF /home/iank/.iank/e/e /etc/auto.iank /etc/exports &>/dev/null; then
export EMACSDIR=/home/iank/.iank/e/e
fi
- if [[ $EMACSDIR ]]; then
- path-add "$EMACSDIR/lib-src" "$EMACSDIR/src"
- fi
fi
fi
# * functions
-# when testing for completions, uncomment this
-# cm() { _completion_loader $1 &>/dev/null ||:; complete -p $1; }
-ccomp() {
+ccomp() { # copy completion
local src=$1
+ local c
shift
- _completion_loader $src &>/dev/null ||:
- complete -p $src &>/dev/null || return 0
- eval $(complete -p $src | sed -r "s/ $src($| )/ $*\1/")
+ if ! c=$(complete -p $src 2>/dev/null); then
+ _completion_loader $src &>/dev/null ||:
+ c=$(complete -p $src 2>/dev/null) || return 0
+ fi
+ # remove $src( .*|$)
+ c=${c% $src}
+ c=${c%% $src *}
+ eval $c $*
}
.....() { c ../../../..; }
......() { c ../../../../..; }
+chere() {
+ local f path
+ for f; do
+ path=$(readlink -e "$f")
+ echo "cat >$path <<'EOF'"
+ cat "$f"
+ echo EOF
+ done
+}
+
+
# file cut copy and paste, like the text buffers :)
# I havnt tested these.
_fbufferinit() { # internal use
}
_khfix_common() {
- local host=${1##*@}
- local ip port
- read -r ip port < <(timeout 1 ssh -oBatchMode=yes -oControlMaster=no -oControlPath=/ -v $1 |& sed -rn "s/debug1: Connecting to $host \[([^\]*)] port ([0-9]+).*/\1 \2/p" || [[ $? == 124 ]])
+ local host ip port
+ read -r host ip port < <(timeout 1 ssh -oBatchMode=yes -oControlMaster=no -oControlPath=/ -v $1 |& sed -rn "s/debug1: Connecting to ([^ ]+) \[([^\]*)] port ([0-9]+).*/\1 \2 \3/p" || [[ $? == 124 ]])
if [[ ! $ip ]]; then
echo "khfix: ssh failed"
return 1
ip_entry=$ip
host_entry=$host
fi
- ssh-keygen -R "$host_entry" -f $(readlink -f ~/.ssh/known_hosts)
+ if [[ $host != $ip ]]; then
+ ssh-keygen -R "$host_entry" -f $(readlink -f ~/.ssh/known_hosts)
+ fi
echo "khfix: removing key for $ip_entry"
ssh-keygen -R "$ip_entry" -f $(readlink -f ~/.ssh/known_hosts)
}
# todo: patch emacs so it will look elsewhere. this is kinda sad:
# https://emacs.stackexchange.com/questions/4253/how-to-start-emacs-with-a-custom-user-emacs-directory
- local args
+ local args gdb=false
+
+ if [[ $EMACSDIR ]]; then
+ path-add "$EMACSDIR/lib-src" "$EMACSDIR/src"
+ fi
+
if [[ $DISPLAY ]]; then
args=-n
fi
- if ! pgrep -u $EUID emacsclient || (( $# == 0 )); then
+ if (( $# == 0 )); then
args+=" -c"
fi
+ # duplicate -c, but oh well
+ if ! pgrep -u $EUID emacsclient; then
+ if (( $# == 0 )) && type -p gdb &>/dev/null; then
+ gdb=true
+ else
+ args+=" -c"
+ fi
+ fi
if [[ $EMACSDIR ]]; then
- EHOME=$HOME HOME=$EMACSDIR m emacsclient -a "" $args "$@"
+ # Alter the path here, otherwise the nfs mount gets triggered on the
+ # first path lookup when emacs is not being used.
+ PATH="$EMACSDIR/lib-src:$EMACSDIR/src:$PATH" EHOME=$HOME HOME=$EMACSDIR m emacsclient -a "" $args "$@"
else
- m emacsclient -a "" $args "$@"
+ if $gdb; then
+ # due to a bug, we cant debug from the start unless we get a new gdb
+ # https://sourceware.org/bugzilla/show_bug.cgi?id=24454
+ # m gdb -ex="set follow-fork-mode child" -ex=r -ex=quit --args emacs --daemon
+ m emacsclient -a "" $args "$@"
+ sleep 1
+ cd /a/opt/emacs-$(distro-name)$(distro-num)
+ s gdb -p $(pgrep -f 'emacs --daemon') -ex c
+ cd -
+ else
+ m emacsclient -a "" $args "$@"
+ fi
fi
}
}
ccomp grep gr grr
-rg() {
- command rg -i -M 200 "$@"
-}
+if type -P rg &>/dev/null; then
+ rg() { command rg -i -M 200 "$@"; }
+else
+ rg() { grr "$@"; }
+ ccomp grep rg
+fi
hr() { # horizontal row. used to break up output
printf "$(tput setaf 5 2>/dev/null ||:)█$(tput sgr0 2>/dev/null||:)%.0s" $(eval echo "{1..${COLUMNS:-60}}")
"$@"
fi
}
-ccomp sudo s
+sb() { # sudo bash -c
+ # use sb instead of s is for sudo redirections,
+ # eg. sb 'echo "ok fine" > /etc/file'
+ # shellcheck disable=SC2034
+ local SUDOD="$PWD"
+ sudo -i bash -c "$@"
+}
+ccomp sudo s sb
safe_rename() { # warn and dont rename if file exists.
# mv -n exists, but it\'s silent
}
-sb() { # sudo bash -c
- # use sb instead of s is for sudo redirections,
- # eg. sb 'echo "ok fine" > /etc/file'
- # shellcheck disable=SC2034
- local SUDOD="$PWD"
- sudo -i bash -c "$@"
-}
-complete -F _root_command s sb
sd() {
sudo dd of="$1" 2>/dev/null
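Review bot: In the new `chere`, the emitted `cat >$path <<'EOF'` leaves the path unquoted and uses a fixed terminator, so a resolved path containing spaces or shell metacharacters breaks the generated command, and a file that itself contains a line `EOF` truncates the copy early; a failed `readlink -e` (file missing) is also ignored and produces `cat > <<'EOF'`. Emit the path shell-quoted with `printf "cat >%q <<'EOF'\n" "$path"` and guard the lookup with `path=$(readlink -e "$f") || { echo "chere: $f: not found" >&2; return 1; }`; a less collision-prone terminator (e.g. `CHERE_EOF`) or a comment warning about files containing `EOF` covers the remaining case. A one-line header comment stating the purpose (print a script that recreates the given files at their resolved paths) would also help, since the name does not say it.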
index 92f55ec59178a8f0e44dd8c51d73349335ce9493..b9f0c3f236369ba8b11cf6d2214f6ee2b229b772 100644 (file)
--- a/brc2
+++ b/brc2
# note, i had --delete-excluded, but that deletes all files in --exclude-from on
# the remote site, which doesn't make sense, so not sure why i had it.
local p a
- p=(/a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts} /a/opt/{emacs-debianstable,mu})
+ p=(/a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts} /a/opt/{emacs-debian10,mu})
a="-ahviSAXPH --specials --devices --delete --relative --exclude-from=/p/c/li-rsync-excludes"
ret=0
m rsync "$@" $a ${p[@]} /p/c/machine_specific/bk root@bk.b8.nz:/ || ret=$?
#net.sourceforge.opencamera
#
fdroid_pkgs=(
+ net.mullvad.mullvadvpn
+ org.schabi.newpipe
+ io.github.subhamtyagi.lastlauncher
+ io.anuke.mindustry
+ com.biglybt.android.client
de.marmaro.krt.ffupdater
me.ccrama.redditslide
org.fedorahosted.freeotp
gse() {
local email=ian@iankelling.org
- if readlink ~/.mu | grep fsf &>/dev/null; then
- email=iank@fsf.org
- fi
git send-email --notes "--envelope-sender=<$email>" \
--suppress-cc=self "$@"
}
fi
}
-# mu personality. for origina, just run mp. for 2, run mp 2.
+# mu personality. for original, just run mp. for 2, run mp 2.
# this is partly duplicated in mail-setup
mp() {
killall mu ||:
suf=$1
- set -- /m/mucache ~/.cache/mu /m/.mu ~/.mu
+ set -- /m/mucache ~/.cache/mu /m/.mu ~/.config/mu
while (($#)); do
target=$1$suf
f=$2
shift 2
if [[ -e $f && ! -L $f ]]; then
- rm -rf $f
+ m rm -rf $f
fi
m ln -sf -T $target $f
done
[[ -e $src ]] || { echo "src:$src does not exist"; return 1; }
m mv -T $src $dst
m ln -s -T $dst $src
- m /a/exe/lnf /m/.mu ~
mu index --maildir=/m/4e
}
mb2enable() {
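Review bot: `mp` now runs `m rm -rf $f` against `~/.config/mu`, but `suf`, `target` and `f` are never declared `local`, so they leak into the interactive shell, and `$f` is passed unquoted to a recursive delete. Add `local suf target f` at the top of the function and write `m rm -rf -- "$f"`; the `[[ -e $f && ! -L $f ]]` guard that keeps it from descending into a symlinked directory is right and should stay. mp's body appears to continue past this hunk, so later uses of these variables were not checked.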
diff --git a/btrbk-run b/btrbk-run
index 00052da389f1fb0c9c7c1759d45a8bf39abf8b96..ec0e377a7104141651e46626b558aeebc55bcc1b 100644 (file)
--- a/btrbk-run
+++ b/btrbk-run
targets=($home kw.office.fsf.org)
;;
kd)
- targets=(frodo x2.b8.nz)
+ # todo: add frodo when it comes back online
+ targets=(x2.b8.nz)
# might not be connected to the vpn
if timeout -s 9 6 ssh kw.office.fsf.org :; then
targets+=(kw.office.fsf.org)
diff --git a/certbot-renew-hook b/certbot-renew-hook
index ba1e68d0798388ae7556b8fba3b6d79a6adb0d5b..120420a887354f577c7ecbbf77f1dd4f82b35f1d 100755 (executable)
--- a/certbot-renew-hook
+++ b/certbot-renew-hook
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-domain_user=(
- pump.iankelling.org pumpio
- mumble.iankelling.org mumble-server
-)
-
-for ((i=0; i<${#domain_user[@]}; i+=2)); do
- domain=${domain_user[i]}
- user=${domain_user[i+1]}
-
- d=/etc/letsencrypt/live/$domain
- if [[ $RENEWED_LINEAGE == "$d" ]]; then
- install -m 640 -g $user $d/{privkey.pem,fullchain.pem} $(eval echo ~$user)
- exit 0
- fi
-done
-
-if [[ $RENEWED_LINEAGE == /etc/letsencrypt/live/iankelling.org ]]; then
- cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
-fi
+dir=$RENEWED_LINEAGE # long caps vars just bother me
+
+case $dir in
+ /etc/letsencrypt/live/iankelling.org)
+ cat $dir/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
+ ;;
+ /etc/letsencrypt/live/mumble.iankelling.org)
+ install -m 640 -g mumble-server $dir/{privkey,fullchain}.pem /var/lib/mumble-server
+ ;;
+ /etc/letsencrypt/live/mail2.iankelling.org)
+ install -m 644 $dir/fullchain.pem /etc/exim4/exim.crt
+ install -m 640 -g Debian-exim $dir/privkey.pem /etc/exim4/exim.key
+ ;;
+esac
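Review bot: The iankelling.org branch writes the private key with a bare `>` redirect, so `/var/lib/znc/znc.pem` takes its mode from the hook's umask and can end up readable by other local users, unlike the mumble and exim branches, which pin `-m 640` via `install`. Wrap it as `( umask 077; cat "$dir"/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem )` and chown the result to whatever account znc runs under (not visible here). Quoting `$dir` in all three arms and adding a `*) ;;` arm would make it explicit that other lineages are intentionally ignored rather than accidentally skipped.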
diff --git a/check-stale-alerts b/check-stale-alerts
index 1bb73e5a4a41f62db0c850887a20326a3580d791..93eaf4f960ed5679eb4b5336f1ed85ec3e738277 100755 (executable)
--- a/check-stale-alerts
+++ b/check-stale-alerts
+
#!/bin/bash
if [[ ! -e /dev/shm/iank-status ]]; then
exit 0
if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
exit 0
fi
-find /var/local/cron-errors /home/iank/cron-errors /sysd-mail-once-state -type f -mtime +4
-ssh bk.b8.nz find /m/md/INBOX/new /var/local/cron-errors /home/iank/cron-errors /sysd-mail-once-state -type f -mtime +1
+out=$(find /var/local/cron-errors /home/iank/cron-errors /sysd-mail-once-state -type f -mtime +4)
+if [[ $out ]]; then
+ echo HOSTNAME: $HOSTNAME
+ printf "%s\n" "$out"
+fi
+out=$(ssh bk.b8.nz find /m/md/INBOX/new /var/local/cron-errors /home/iank/cron-errors /sysd-mail-once-state -type f -mtime +1)
+fi [[ $out ]]; then
+ echo bk.b8.nz:
+ printf "%s\n" "$out"
+fi
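Review bot: The blank line added at the top pushes `#!/bin/bash` to line 2, so the shebang is no longer honoured when the script is executed directly, and the second new test reads `fi [[ $out ]]; then` instead of `if [[ $out ]]; then`, which is a parse error that prevents the whole script from running. Remove the leading blank line and correct that line to `if [[ $out ]]; then`. The `ssh bk.b8.nz find ...` call has no timeout, so a hung connection stalls the job; `timeout 60 ssh bk.b8.nz find ...` would bound it, and `echo "HOSTNAME: $HOSTNAME"` should be quoted for consistency with the `printf "%s\n" "$out"` lines.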
diff --git a/distro-begin b/distro-begin
index 63f01f76cac4b3512eb88ce341b6cfeb957849fb..ce37ed20d7d3ccd9c23d4dae9d183dee6a18a377 100755 (executable)
--- a/distro-begin
+++ b/distro-begin
# allow to fail because they could have read-only mounts on them
sudo chown $USER:$USER "${dirs[@]}" ||:
+# disabled temporarily
###### setup /i
-if home_network; then
- tu /etc/fstab <<'EOF'
-/i/w /w none bind,noauto 0 0
-/i/k /k none bind,noauto 0 0
-EOF
- if ! mountpoint /kr; then
- sudo mkdir -p /kr
- sudo chown $USER:user2 /kr
- fi
- if [[ $HOSTNAME == frodo ]]; then
- tu /etc/fstab <<'EOF'
-/k /kr none bind,noauto 0 0
-EOF
- else
- tu /etc/fstab <<'EOF'
-frodo:/k /kr nfs noauto 0 0
-EOF
- fi
- sudo mkdir -p /i/{w,k}
- for dir in /{i,w,k}; do
- if mountpoint $dir; then continue; fi # already mounted
- sudo mkdir -p $dir
- sudo chown $USER:$USER $dir
- done
- # debian auto mounting of multi-disk encrypted btrfs is busted. It is
- # in jessie, and in stretch as of 11/26/2016 I have 4 disks in cryptab,
- # based on 3 of those, it creates .device units for /dev/mapper/dev...
- # then waits endlessly for them on bootup, after the /dev/mapper disks
- # have already been created and exist. todo: create a simple repro
- # for this in a vm and report it upstream.
- pi nfs-common
- sudo dd of=/root/imount <<'EOF'
-#!/bin/bash
-[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-for dir in /i /k /kr /w; do
- if ! mountpoint $dir &>/dev/null && \
- awk '{print $2}' /etc/fstab | grep -xF $dir &>/dev/null; then
- if awk '{print $3}' /etc/fstab | grep -xF nfs &>/dev/null; then
- mount $dir || echo "warning: failed to mount nfs on $dir"
- else
- mount $dir
- fi
- fi
-done
-EOF
- sudo chmod +x /root/imount
- sudo dd of=/etc/systemd/system/imount.service <<EOF
-[Unit]
-Description=Mount /i and related mountpoints
-Before=syncthing@$USER.service
-
-[Service]
-Type=oneshot
-ExecStart=/root/imount
-
-[Install]
-RequiredBy=syncthing@$USER.service
-# note /kr needs networking, this target is the simplest way to
-# time it when the network should be up, but not do something
-# dumb like delay startup until the network is up. It happens
-# at some time after network.target
-WantedBy=multi-user.target
-EOF
- sudo systemctl daemon-reload # needed if the file was already there
- sudo systemctl enable imount.service
- sudo systemctl start imount.service
-fi
+# if home_network; then
+# tu /etc/fstab <<'EOF'
+# /i/w /w none bind,noauto 0 0
+# /i/k /k none bind,noauto 0 0
+# EOF
+# if ! mountpoint /kr; then
+# sudo mkdir -p /kr
+# sudo chown $USER:user2 /kr
+# fi
+# if [[ $HOSTNAME == frodo ]]; then
+# tu /etc/fstab <<'EOF'
+# /k /kr none bind,noauto 0 0
+# EOF
+# else
+# tu /etc/fstab <<'EOF'
+# frodo:/k /kr nfs noauto 0 0
+# EOF
+# fi
+# sudo mkdir -p /i/{w,k}
+# for dir in /{i,w,k}; do
+# if mountpoint $dir; then continue; fi # already mounted
+# sudo mkdir -p $dir
+# sudo chown $USER:$USER $dir
+# done
+# # debian auto mounting of multi-disk encrypted btrfs is busted. It is
+# # in jessie, and in stretch as of 11/26/2016 I have 4 disks in cryptab,
+# # based on 3 of those, it creates .device units for /dev/mapper/dev...
+# # then waits endlessly for them on bootup, after the /dev/mapper disks
+# # have already been created and exist. todo: create a simple repro
+# # for this in a vm and report it upstream.
+# pi nfs-common
+# sudo dd of=/root/imount <<'EOF'
+# #!/bin/bash
+# [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+# set -eE -o pipefail
+# trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+# for dir in /i /k /kr /w; do
+# if ! mountpoint $dir &>/dev/null && \
+# awk '{print $2}' /etc/fstab | grep -xF $dir &>/dev/null; then
+# if awk '{print $3}' /etc/fstab | grep -xF nfs &>/dev/null; then
+# mount $dir || echo "warning: failed to mount nfs on $dir"
+# else
+# mount $dir
+# fi
+# fi
+# done
+# EOF
+# sudo chmod +x /root/imount
+# sudo dd of=/etc/systemd/system/imount.service <<EOF
+# [Unit]
+# Description=Mount /i and related mountpoints
+# Before=syncthing@$USER.service
+
+# [Service]
+# Type=oneshot
+# ExecStart=/root/imount
+
+# [Install]
+# RequiredBy=syncthing@$USER.service
+# # note /kr needs networking, this target is the simplest way to
+# # time it when the network should be up, but not do something
+# # dumb like delay startup until the network is up. It happens
+# # at some time after network.target
+# WantedBy=multi-user.target
+# EOF
+# sudo systemctl daemon-reload # needed if the file was already there
+# sudo systemctl enable imount.service
+# sudo systemctl start imount.service
+# fi
###### end setup /i
##### setup /nocow.
diff --git a/distro-end b/distro-end
index f18d81001b1c30279054633d012ee8ca29267d5b..46d267d36b0c79a9e7438478b4598ed9bab634e0 100755 (executable)
--- a/distro-end
+++ b/distro-end
s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
EOF
ser daemon-reload
+soff certbot.timer
sgo certbotmail.timer
### end certbot install ###
fi
;;&
bk)
+
+ sd /etc/apt/preferences.d/buster-backports <<EOF
+Package: *
+Pin: release a=buster-backports
+Pin-Priority: 500
+EOF
+
# setup let's encrypt cert
- m web-conf apache2 bk.b8.nz
- # And leave apache running so renewals can happen.
- s lnf -T /etc/letsencrypt/live/bk.b8.nz/fullchain.pem /etc/exim4/exim.crt
- if [[ ! -L /etc/exim4/exim.key ]]; then
- s lnf -T /etc/letsencrypt/live/bk.b8.nz/privkey.pem /etc/exim4/exim.key
+ m web-conf apache2 mail2.iankelling.org
+ s <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/mail2.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
mail-setup
- fi
end
;;
li)
m mkschroot debian buster firefox-esr pulseaudio chromium anki
case $(debian-codename) in
etiona)
- mkschroot trisquel etiona
+ mkschroot trisquel flidas
tu /nocow/schroot/flidas/etc/sudoers <<EOF
$USER ALL=(ALL) NOPASSWD: ALL
Defaults env_keep += SUDOD
# plus a simple symlink to the config file which it\'s
# not worth separating out.
# between comps, the uid can change
+
f=$tdir/transmission-daemon
-mkdir -p $f
+for d in $tdir/partial-torrents $tdir/torrents $f; do
+ if [[ ! -d $d ]]; then
+ mkdir $d
+ fi
+ sudo chown -R debian-transmission:user2 $d
+done
s lnf -T $f /var/lib/transmission-daemon/.config/transmission-daemon
s lnf -T /etc/transmission-daemon/settings.json $f/settings.json
sudo chown -R debian-transmission:debian-transmission $f
-for f in $tdir/partial-torrents $tdir/torrents; do
- if [[ -e $f ]]; then
- sudo chown -R debian-transmission:user2 $f
- fi
-done
sudo chown -R debian-transmission:debian-transmission /var/lib/transmission-daemon
#
# config file documented here, and it\'s the same config
JoinsNamespaceOf=${vpn_ser}-nn@client.service
[Service]
-#User=debian-transmission
-# notify type doesn't work with sudo
-#Type=notify
-ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/client sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-error
+User=debian-transmission
+Type=notify
+ExecStart=/usr/bin/transmission-daemon -f --log-error
ExecReload=/bin/kill -s HUP \$MAINPID
+ExecStop=/bin/kill -s STOP \$MAINPID
PrivateNetwork=true
Nice=19
+BindPaths=/a/bin/ds/aresolv.conf:/etc/resolv.conf:norbind
[Install]
WantedBy=multi-user.target
EOF
ser daemon-reload
-if [[ $HOSTNAME == frodo ]]; then
- sgo transmission-daemon-nn
-fi
+case $HOSTNAME in
+ kd|rp)
+ sgo transmission-daemon-nn
+ ;;
+esac
######### begin transmission client setup ######
# -n some_name --import --os-variant $variant --cpu host-model-only
+# for brother HL-2270DW, this worked:
+# https://askubuntu.com/questions/1067234/cant-use-wireless-brother-printer-2270dw-ubuntu-18-04
+# /a/opt/linux-brprinter-installer-2.2.2-1
+# answer n when it asks about uri.
+# Then go to cups, delete the existing printer, added on with dnssd url. browsed to
+# ppd at /usr/share/ppd/HL2270DW.ppd, which is duplicated at /usr/share/cups/model/HL2270DW.ppd
+# ppd file got installed from bash -x ./usr/local/Brother/Printer/HL2270DW/cupswrapper/cupswrap,
+# which I downloaded from their driver. but dont do that again, i copied it to /a/opt/HL2270DW.ppd,
+# use that.
+
+# I had to reset it to use wired instead of wifi. it only uses 1 at a time. boot with go button held, after lights turn off, tap go 6 times.
+# Then it was already configured, but if i needed to, go to its web ui, default pass is "access".
######### begin stuff belonging at the end ##########
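Review bot: In the rewritten transmission-daemon-nn unit, `ExecStop=/bin/kill -s STOP \$MAINPID` sends SIGSTOP, which suspends the daemon instead of terminating it; a stopped process cannot act on the SIGTERM systemd sends next, so every stop ends in SIGKILL after the timeout and transmission never gets to flush its resume and settings files. Either drop the `ExecStop=` line (systemd's default is SIGTERM to the main process, and `KillMode` handles the rest) or change it to `ExecStop=/bin/kill -s TERM \$MAINPID`. Separately, the new `buster-backports` pin with `Package: *` at `Pin-Priority: 500` puts backports on equal footing with the stable suite, so any newer backport will upgrade over stable automatically; if that is intended, a comment in the preferences file saying so would save the next reader from assuming it is a mistake.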
diff --git a/filesystem/etc/cron.daily/check-lets-encrypt-ssl-settings b/filesystem/etc/cron.daily/check-lets-encrypt-ssl-settings
index e052b5f98ab175c6ee5d240a0d1c9fbcdfca5e2f..5646d7570d5249dcacbc9d497d876cc5f92ffa49 100755 (executable)
if [[ $out ]]; then
cat <<EOF
-Let's encrypt has new ssl settings. Update your web servers, then
-edit the date in $0, and
-rm $lock_file
+Let's encrypt has new ssl settings.
+1. edit mail-setup and web-conf
+2. Update servers
+3. edit the date in $0
+4. rm $lock_file
The change is:
$out
EOF
index b0f35e1ee25adfd1de6159430a54446ec58cdce9..70a9152a3e9ba55bf91f136da4efd0abdad09ce1 100644 (file)
-ServerName printserver0.office.fsf.org
+#ServerName printserver0.office.fsf.org
diff --git a/filesystem/etc/systemd/system/openvpn-client-nn@.service b/filesystem/etc/systemd/system/openvpn-client-nn@.service
index ab5ccba2958e68dc5102ef62764bb25accc6651a..6926a4d169d44a2de02f1786125255a2d04d31da 100644 (file)
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
# Ian: commented out these lines from upstream
# until we get the next systemd version (233), which can do bind mounts
# inside a mnt namespace via systemd, we have to setup our own, which requires
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStopPost=/a/bin/newns/newns stop %i
PrivateNetwork=true
-
+BindPaths=/a/bin/ds/aresolv.conf:/etc/resolv.conf:norbind
[Install]
WantedBy=multi-user.target
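Review bot: The surviving comment `until we get the next systemd version (233), which can do bind mounts inside a mnt namespace via systemd, we have to setup our own` is now stale: the added `BindPaths=` line is exactly that feature, and the `nsenter --mount=/root/mount_namespaces/%i` wrapper it justified has been removed from `ExecStart`. Replace it with something like `# resolv.conf is bind-mounted via BindPaths= (systemd >= 233); the per-instance mount namespace is no longer needed for this` and check whether `ExecStopPost=/a/bin/newns/newns stop %i` and the namespace it tears down are still required, since the matching `ExecStartPre` lines sit outside this hunk and I cannot tell from here. Note that `BindPaths=` will fail the unit start if the source file does not exist on the host.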
diff --git a/filesystem/etc/systemd/system/openvpn-nn@.service b/filesystem/etc/systemd/system/openvpn-nn@.service
index c814a3fbb2424af985aaaac7869bef64c34888e6..0f94abd16bef268d7bd917e09c68d3f503c080dd 100644 (file)
KillMode=mixed
Type=forking
-ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/%i /usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client/%i.conf --writepid /run/openvpn/%i.pid
+ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client/%i.conf --writepid /run/openvpn/%i.pid
PIDFile=/run/openvpn/%i.pid
ExecReload=/bin/kill -HUP $MAINPID
WorkingDirectory=/etc/openvpn
# documentation says it should
ExecStopPost=/a/bin/newns/newns stop %i
PrivateNetwork=true
+BindPaths=/a/bin/ds/aresolv.conf:/etc/resolv.conf:norbind
[Install]
WantedBy=multi-user.target
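Review bot: `BindPaths=/a/bin/ds/aresolv.conf:/etc/resolv.conf:norbind` makes a file under /a/bin the authoritative resolver for the VPN namespace; elsewhere in this commit /a/bin is handled as the user's own tree (brc2 rsyncs it alongside the user's files), so if that path is writable by the unprivileged account, that account can redirect all DNS for the tunnel namespace. A root-owned copy such as `/etc/openvpn/nn-resolv.conf` (mode 0644) would keep the resolver under root control; if /a/bin/ds is in fact root-owned, a comment on this line saying so would pre-empt the question. The same line is added to the openvpn-client-nn@ and transmission units, so whichever path is chosen should be used in all three.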
diff --git a/i3-sway/common.conf b/i3-sway/common.conf
index 7bc5fc20311a444e5769a8234f6c461a9a85d953..ccd022a8e3dfd77042c15052415d9a64ecee7381 100644 (file)
--- a/i3-sway/common.conf
+++ b/i3-sway/common.conf
bindsym $mod+2 exec "pavucontrol"
bindsym $mod+3 exec "x-www-browser"
bindsym $mod+4 exec "x-www-browser -no-remote -P firefox-main-profile"
-bindsym $mod+5 exec "/a/bin/redshift.sh"
+bindsym $mod+5 exec "/usr/local/bin/start-tor-browser"
+bindsym $mod+6 exec "/a/bin/redshift.sh"
bindsym $mod+equal exec "t s w; t in"
bindsym $mod+Home exec "t out"
#bindsym $mod+End exec "t s x; t in"
diff --git a/machine_specific/vps/filesystem/etc/bind/named.conf.local b/machine_specific/vps/filesystem/etc/bind/named.conf.local
index 39df3fa2ee6c6bc6a8f36e6c57827250b362c03f..ead4c18e2a8e272d86085e3b8e4eeb55faa56529 100644 (file)
type master;
file "/var/lib/bind/db.zroe.org";
};
+
+zone "expertpathologyreview.com" {
+type master;
+file "/var/lib/bind/db.expertpathologyreview.com";
+};
+
+zone "9.c.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa" {
+type master;
+file "/var/lib/bind/db.9.c.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa";
+};
diff --git a/mail-route b/mail-route
index b91bf66af439e800b89e2f1187a452c61257dfed..387208c258c755b953004081fab556f89d5669d6 100755 (executable)
--- a/mail-route
+++ b/mail-route
# http://www.apache.org/licenses/LICENSE-2.0
-#set -x
-exec &> >(logger)
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+#set -x
+#exec &> >(logger)
+
source /a/bin/errhandle/err
usage() {
Is idempotent.
-todo: Need to give mail.iankelling.org an ipv6 dns address.
-
EOF
exit $1
}
diff --git a/mail-setup b/mail-setup
index 1e073baf892d880c91576cab203e3f81efd38642..8ddb6b988f9ed439a6819b98b8f4a58b3c034b72 100755 (executable)
--- a/mail-setup
+++ b/mail-setup
####### instructions for icedove #####
-# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password
-# we could also just use 127.0.0.1 with no ssl, but todo: disable that in dovecot, so mail is secure from local programs.
+# Incoming mail server: mail.iankelling.org, port 143, username iank, connection security starttls, authentication method normal password,
+# then click advanced so it accepts it.
+# we could also just use 127.0.0.1 with no ssl
#
# hamburger -> preferences -> preferences -> advanced tab -> config editor button -> security.ssl.enable_ocsp_must_staple = false
# background: dovecot does not yet have ocsp stapling support
# # dovecot password, i just need 1 as I\'m the only user
# mkdir /p/c/filesystem/etc/dovecot
-# echo "iank:$(doveadm pw -s ssha256)::::::" >>/p/c/filesystem/etc/dovecot/users
+# echo "iank:$(doveadm pw -s SHA512-CRYPT)::::::" >>/p/c/filesystem/etc/dovecot/users
####### end perstent password instructions ######
# * persistent dkim/dns instructions
+
+#### begin dkim generation section ####
# # Remove 1 level of comments in this section, set the domain var
# # for the domain you are setting up, then run this and copy dns settings
# # into dns.
# # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
# openssl genrsa -out $domain-private.pem 2048
-# Then, to get the public key strings to put in bind:
-#
-# sed explanation: skip the first few lines, then put them into the hold space, then
-# on the last line, back to the patern space, remove the newlines, then add a newline
-# at the last char - 240, because bind txt records need strings <=255 chars,
-# other dkim stuff at the begining is is 25 chars, and the pubkey is 393, so this
-# leaves us a bit of extra room at the end and a bunch at the beginning.
-#
+# # Then, to get the public key strings to put in bind:
+
# # selector is needed for having multiple keys for one domain.
# # I dun do that, so just use a static one: li
-# echo "txt record name: li._domainkey.$domain"
# # Debadmin page does not have v=, fastmail does, and this
# # says it\'s recommended in 3.6.1, default is DKIM1 anyways.
# # https://www.ietf.org/rfc/rfc6376.txt
# # Join and print all but first and last line.
# # last line: swap hold & pattern, remove newlines, print.
# # lines 2+: append to hold space
-# echo "bind txt record contents:"
+# echo "bind txt record:"
# cat <<EOF
-# v=DKIM1\059 k=rsa\059 p="string1" "string2"
-# replace strin1 and 2 with
-# openssl rsa -in $domain-private.pem -pubout |&sed -rn '${x;s/\n//g;s/^(.*)(.{240}$)/\1\n\2/p};3,$H'
+# li._domainkey.$domain TXT (
+# v=DKIM1\059 k=rsa\059 p="$(openssl rsa -in $domain-private.pem -pubout |&sed -rn '${x;s/\n//g;s/^(.*)(.{240}$)/\1"\n"\2/p};3,$H')" )
+# EOF
+# # sed explanation: skip the first few lines, then put them into the hold space, then
+# # on the last line, back to the patern space, remove the newlines, then add a newline
+# # at the last char - 240, because bind txt records need strings <=255 chars,
+# # other dkim stuff at the begining is is 25 chars, and the pubkey is 393, so this
+# # leaves us a bit of extra room at the end and a bunch at the beginning.
+
# # selector was also put into /etc/exim4/conf.d/main/000_local,
+#### end dkim generation section ####
+
# # 2017-02 dmarc policies:
# # host -t txt _dmarc.gmail.com
fi
}
-postmaster=alerts
mxhost=mail.iankelling.org
mxport=587
forward=$u@$mxhost
@@ -201,7 +204,7 @@ pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyz
if [[ $(debian-codename) == etiona ]]; then
# ip6tables stopped loading on boot. openvpn has reduced capability set,
# so running iptables as part of openvpn startup wont work. This should do it.
- # todo: im sure there is a better way.
+ # Im sure there is a better way, but this works fine.
yes no | pi iptables-persistent || [[ $? == 141 ]]
cat >/etc/iptables/rules.v6 <<'EOF'
*nat
fi
# our nostart pi fails to avoid enabling
-sudo systemctl disable openvpn
+systemctl disable openvpn
# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
# entirely of whitespace".) This is a safe, terse alternative:
clear_report_template
report (_SCORE_ / _REQD_ requ) _TESTSSCORES(,)_ autolearn=_AUTOLEARN
-internal_networks 85.119.83.50 2001:ba8:1f1:f0c9::2 209.51.188.13 2001:470:142::13
+internal_networks 85.119.83.50
+trusted_networks 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
EOF
-
-if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- m systemctl stop spamassassin
- m systemctl disable spamassassin
-
- # per readme.debian
- sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
- e CRON=1 >>/etc/default/spamassassin
- # just noticed this in the config file, seems like a good idea.
- sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
- e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
-
- m systemctl enable spamassassin
- m systemctl start spamassassin
- m systemctl reload spamassassin
-
- cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
+case $HOSTNAME in
+ bk|$MAIL_HOST)
+ m systemctl stop spamassassin
+ m systemctl disable spamassassin
+
+ # per readme.debian
+ sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
+ e CRON=1 >>/etc/default/spamassassin
+ # just noticed this in the config file, seems like a good idea.
+ sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+ e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin
+
+ m systemctl enable spamassassin
+ m systemctl start spamassassin
+ m systemctl reload spamassassin
+
+ cat >/etc/systemd/system/spamddnsfix.service <<'EOF'
[Unit]
Description=spamd dns bug fix cronjob
Type=oneshot
ExecStart=/a/bin/distro-setup/spamd-dns-fix
EOF
- # 2017-09, debian closed the bug on this saying upstream had fixed it.
- # remove this when i\'m using the newer package, ie, debian 10, or maybe
- # ubuntu 18.04.
- cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
+ # 2017-09, debian closed the bug on this saying upstream had fixed it.
+ # remove this when i\'m using the newer package, ie, debian 10, or maybe
+ # ubuntu 18.04.
+ cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
[Unit]
Description=run spamd bug fix script every 10 minutes
[Install]
WantedBy=timers.target
EOF
- m systemctl daemon-reload
- m systemctl restart spamddnsfix.timer
- m systemctl enable spamddnsfix.timer
-fi
+ m systemctl daemon-reload
+ m systemctl restart spamddnsfix.timer
+ m systemctl enable spamddnsfix.timer
+ ;;
+esac
+
##### end spamassassin config
err "\$MAIL_HOST not set"
fi
-m sudo gpasswd -a iank adm #needed for reading logs
+m gpasswd -a iank adm #needed for reading logs
### make local bounces go to normal maildir
m mkdir -p ${dirs[@]}
m chown iank:iank /m /m/md
m ln -sfT /m/md /m/iank
-m chmod 700 /m /m/md
+m chmod 771 /m /m/md
m chown -R $u:Debian-exim /m/md/bounces
m chmod 775 ${dirs[@]}
m usermod -a -G Debian-exim $u
if [[ ! -e $f ]]; then
f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
fi
-m sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
+m rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
# by default, only 10 days of logs are kept. increase that.
m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
# pretty quickly looking through my spam folder.
warn
+ # all internal ips. note this is duplicated in mylocal.cf, shouldnt have any effect there but leaving just in case
+ !hosts = <; 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
+ remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : X-Spam_report
+
+warn
+ !hosts = <; 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
condition = ${if < {$message_size}{5000K}}
spam = Debian-exim:true
- add_header = X-Spam_score: $spam_score\n\
- X-Spam_score_int: $spam_score_int\n\
- X-Spam_bar: $spam_bar\n\
- X-Spam_report: $spam_report
+ add_header = X-Spam_score_int: $spam_score_int
+ add_header = X-Spam_score: $spam_score
+ add_header = X-Spam_bar: $spam_bar
+ add_header = X-Spam_report: $spam_report
+ add_header = X-Spam_action: $spam_action
#accept
# spf = pass:fail:softfail:none:neutral:permerror:temperror
# add_header = Reply-to: dmarctest@iankelling.org
EOF
-cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+
+case $HOSTNAME in
+ $MAIL_HOST)
+ cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
# from 30_exim4-config_examples
plain_server:
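Review bot: The internal-address list on L855 and L859 is the same literal repeated in two ACL verbs, and the comment on L854 says it is duplicated in mylocal.cf as well, so the copies will drift the next time an address changes. Exim can hold it once as a named list in the main configuration (`hostlist internal_hosts = <; 72.14.176.105 ; …` with the remaining addresses, e.g. in conf.d/main/000_local) and both verbs then reference it with `!hosts = +internal_hosts`. The heredoc these lines belong to begins before this hunk.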
server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}
.endif
EOF
+ ;;
+ bk)
+
+ # avoid accepting mail for invalid users
+ # https://wiki.dovecot.org/LMTP/Exim
+ cat >>/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+deny
+ message = invalid recipient
+ domains = +local_domains
+ !verify = recipient/callout=no_cache
+EOF
+
+ cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+dovecot_plain:
+ driver = dovecot
+ public_name = PLAIN
+ server_socket = /var/run/dovecot/auth-client
+ server_set_id = $auth1
+EOF
+ ;;
+esac
+# todo: for mail submission, test imap based authentication for bk.
+# eg: can we send as other ppl?
+# see sender validation in /a/opt/mailinabox/setup/mail-users.sh
cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
#################################
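Review bot: The `dovecot_plain` authenticator written for bk on L898–L902 has no `server_advertise_condition`, so PLAIN is advertised on unencrypted SMTP sessions and a client may send its password in the clear, whereas the `plain_server` block kept for MAIL_HOST (L882) only advertises once `$tls_in_cipher` is set. Adding `server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}}` to the bk authenticator gives both hosts the same behaviour. Separately, the `deny` stanza is appended to rcpt_local_acl with `>>` on L890, so unless that file is recreated earlier in the script each re-run adds another copy; every other config file in this hunk is written with `>`.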
EOF
cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
dovecot_lmtp:
- driver = lmtp
- socket = /var/run/dovecot/lmtp
- #maximum number of deliveries per batch, default 1
- batch_max = 200
+ driver = lmtp
+ socket = /var/run/dovecot/lmtp
+ #maximum number of deliveries per batch, default 1
+ batch_max = 200
+ envelope_to_add
EOF
# this avoids some error. i cant remember what. todo:
#
# dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
# directly. The reason to do this is to use dovecot\'s sieve, which
- # has extensions that allow it to be almost equivalent to exim\'s
- # filter capabilities, some ways probably better, some worse, and
+ # can generally do more than exims filters (a few things less) and
# sieve has the benefit of being supported in postfix and
# proprietary/weird environments, so there is more examples on the
- # internet. I was torn about whether to do this or not, meh.
- pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+ # internet.
+ pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite
for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do
e $f
if [[ -e $f ]]; then
- m sudo rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/
+ m rsync -ahhi --chown=root:dovecot --chmod=0640 $f /etc/dovecot/
break
fi
done
m sudo -u $u /a/exe/lnf -T $f $uhome/sieve/${f##*/}
done
+ # https://wiki.dovecot.org/SSL/DovecotConfiguration
+ cat >/etc/dovecot/dhparam <<'EOF'
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEAoleil6SBxGqQKk7j0y2vV3Oklv6XupZKn7PkPv485QuFeFagifeS
+A+Jz6Wquqk5zhGyCu63Hp4wzGs4TyQqoLjkaWL6Ra/Bw3g3ofPEzMGEsV1Qdqde4
+jorwiwtr2i9E6TXQp0noT/7VFeHulIkayTeW8JulINdMHs+oLylv16McGCIrxbkM
+8D1PuO0TP/CNDs2QbRvJ1RjY3CeGpxMhrSHVgBCUMwnA2cvz3bYjI7UMYMMDPNrE
+PLrwsYzXGGCdJsO2vsmmqqgLsZiapYJlUNjfiyWLt7E2H6WzkNB3VIhIPfLqFDPK
+xioE3sYKdjOt+p6mlg3l8+OLtODEFPHDqwIBAg==
+-----END DH PARAMETERS-----
+EOF
+ cat >/etc/dovecot/local.conf <<EOF
+!include /etc/dovecot/local.conf.ext
+# https://ssl-config.mozilla.org
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# this is the same as the certbot list, in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ssl_protocols = TLSv1.2
+ssl_prefer_server_ciphers = no
+ssl_dh_parameters_length = 2048
- # If we changed 90-sieve.conf and removed the active part of the
- # sieve option, we wouldn\'t need this, but I\'d rather not modify a
- # default config if not needed. This won\'t work as a symlink in /a/c
- # unfortunately.
- m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+# default is just \$mail_plugins
+ mail_plugins = \$mail_plugins sieve
+# This downcases the localpart. default is case sensitive.
+# case sensitive local part will miss out on valid email when some person or system
+# mistakenly capitalizes things.
+ auth_username_format = %Lu
+}
+
+# make 147 only listen on localhost, plan to use for nextcloud.
+# copied from mailinabox
+service imap-login {
+ inet_listener imap {
+ address = 127.0.0.1
+ }
+}
+# https://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_dovecot_authenticator.html
+service auth {
+ unix_listener auth-client {
+ user = Debian-exim
+ group = Debian-exim
+ }
+}
+EOF
- if [[ ! -e $uhome/sieve/personal.sieve ]]; then
- touch $uhome/sieve/personal{,end}{,test}.sieve
+ if dpkg --compare-versions $(dpkg-query -f='${Version}\n' --show dovecot-core) ge 1:2.3; then
+ cat >>/etc/dovecot/local.conf <<EOF
+ssl_dh = </etc/dovecot/dhparam
+EOF
fi
- # we set this later in local.conf
- sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
-/^\s*mail_location\s*=/d
+ cat >/etc/dovecot/local.conf.ext <<'EOF'
+passdb {
+ driver = sql
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
+userdb {
+ driver = sql
+ args = /etc/dovecot/dovecot-sql.conf.ext
+}
+
EOF
- cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
-protocol lmtp {
-#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
- mail_plugins = \$mail_plugins sieve
-# default was
- #mail_plugins = \$mail_plugins
+ cat >/etc/dovecot/dovecot-sql.conf.ext <<'EOF'
+# from mailinabox
+driver = sqlite
+connect = /m/rc/users.sqlite
+default_pass_scheme = SHA512-CRYPT
+password_query = SELECT email as user, password FROM users WHERE email='%u';
+user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "/m/md/%d/%n" as home FROM users WHERE email='%u';
+iterate_query = SELECT email AS user FROM users;
+EOF
+ chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions
+
+ # db needs to be in a www-data writable directory
+ db=/m/rc/users.sqlite
+ if [[ ! -s $db ]]; then
+ sqlite3 $db <<'EOF'
+CREATE TABLE users (
+id INTEGER PRIMARY KEY AUTOINCREMENT,
+email TEXT NOT NULL UNIQUE,
+password TEXT NOT NULL,
+extra,
+privileges TEXT NOT NULL DEFAULT '');
+EOF
+ fi
+ # example of adding a user:
+ # hash: doveadm pw -s SHA512-CRYPT -p passhere
+ # sqlite3 /m/rc/users.sqlite <<'EOF'
+ #insert into users (email, password) values ('testignore@bk.b8.nz', 'hash');
+ #EOF
+
+
+
+
+ case $HOSTNAME in
+ $MAIL_HOST)
+ # If we changed 90-sieve.conf and removed the active part of the
+ # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+ # default config if not needed. This won\'t work as a symlink in /a/c
+ # unfortunately.
+ m sudo -u $u /a/exe/lnf -T sieve/main.sieve $uhome/.dovecot.sieve
+
+ if [[ ! -e $uhome/sieve/personal.sieve ]]; then
+ touch $uhome/sieve/personal{,end}{,test}.sieve
+ fi
+ rm -fv /etc/dovecot/conf.d/20-lmtp.conf # file from prev version
+ cat >>/etc/dovecot/local.conf <<EOF
+# simple password file based login
+!include conf.d/auth-passwdfile.conf.ext
+
+# ian: %u is used for alerts user vs iank
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_uid = $u
+mail_gid = $u
+
+protocol lmtp {
# For a normal setup with exim, we need something like this, which
# removes the domain part
# auth_username_format = %Ln
# modifying the local router in exim.
auth_username_format = $u
}
-
EOF
+ ;;
+ bk)
+ chown -R mail.mail /m/md
+ f=/etc/dovecot/conf.d/10-auth.conf
+ if [[ -e $f ]]; then
+ mv $f $f-iank-disabled
+ fi
+ cat >>/etc/dovecot/local.conf <<EOF
- cat >/etc/dovecot/local.conf <<EOF
-# so I can use a different login that my shell login for mail. this is
-# worth doing solely for the reason that if this login is compromised,
-# it won't also compromise my shell password.
-!include conf.d/auth-passwdfile.conf.ext
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+auth_verbose=yes
+mail_debug=yes
+
+plugin {
+ sieve_before = /etc/dovecot/sieve-spam.sieve
+ # from mailinabox
+ sieve = /m/sieve/%d/%n.sieve
+ sieve_dir = /m/sieve/%d/%n
+}
-# settings derived from wiki and 10-ssl.conf
-ssl = required
-ssl_cert = </etc/exim4/exim.crt
-ssl_key = </etc/exim4/exim.key
-# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
-# in my cert cronjob, I check if that has changed upstream.
-ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
-# ian: added this, more secure, per google etc
-ssl_prefer_server_ciphers = yes
+# all taken from mailinabox.
+mail_location = maildir:/m/md/%d/%n
+# meh, ok.
+mail_privileged_group = mail
+# By default Dovecot allows users to log in only with UID numbers 500 and above. mail is 8
+first_valid_uid = 1
+
+# todo: test these changes in the universal config
+# mailboxes taken from mailinabox but removed
+# settings duplicate to defaults
+namespace inbox {
+ mailbox INBOX {
+ auto = subscribe
+ }
+ mailbox Spam {
+ special_use = \Junk
+ auto = subscribe
+ }
+ mailbox Drafts {
+ auto = subscribe
+ }
+ mailbox Sent {
+ auto = subscribe
+ }
+ mailbox Trash {
+ auto = subscribe
+ }
+ mailbox Archive {
+ special_use = \Archive
+ auto = subscribe
+ }
+}
+auth_mechanisms = plain login
+EOF
-# ian: %u is used for alerts user vs iank
-mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
-mail_uid = $u
-mail_gid = $u
+ cat >/etc/dovecot/sieve-spam.sieve <<'EOF'
+require ["regex", "fileinto", "imap4flags"];
-# for debugging info, uncomment these.
-# logs go to syslog and to /var/log/mail.log
-# auth_verbose=yes
-#mail_debug=yes
+if allof (header :regex "X-Spam-Status" "^Yes") {
+ fileinto "Spam";
+ stop;
+}
EOF
+ sievec /etc/dovecot/sieve-spam.sieve
+
+ ;;
+ esac
####### end dovecot-setup ########
}
+# * nextcloud setup
+
+# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
+# curl from the web installer requirement, but i switched to cli
+pi php-curl php-fileinfo php-bz2
+web-conf - apache2 expertpathologyreview.com <<'EOF'
+Alias /nextcloud "/var/www/nextcloud/"
+<Directory /var/www/nextcloud/>
+ Require all granted
+ AllowOverride All
+ Options FollowSymLinks MultiViews
+
+ <IfModule mod_dav.c>
+ Dav off
+ </IfModule>
+
+</Directory>
+EOF
+
+cd /var/www
+wget https://download.nextcloud.com/server/releases/latest.zip
+unzip -q latest.zip
+rm latest.zip
+chown -R www-data.www-data nextcloud
+cd /var/www/nextcloud
+sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass swarm.numbered.alienist
+cd /var/www/nextcloud/config
+# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
+cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF'
+[www]
+clear_env = no
+EOF
+cat config.php - >tmp.php <<'EOF'
+$CONFIG['overwrite.cli.url'] = 'https://expertpathologyreview.com/nextcloud';
+$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
+$CONFIG['trusted_domains'] = array (
+ 0 => 'expertpathologyreview.com',
+ );
+#$CONFIG[''] = '';
+fwrite(STDOUT, "<?php\n\$CONFIG = ");
+var_export($CONFIG);
+fwrite(STDOUT, ";\n");
+EOF
+php tmp.php >config.php 2>/dev/null
+rm tmp.php
+sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess
+
+
+# * roundcube setup
+
+roundcube-setup() {
+ # avoid prompt
+ debconf-set-selections <<'EOF'
+roundcube-core roundcube/dbconfig-install boolean false
+EOF
+ # zip according to /installer
+ # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php
+ # $config['enable_installer'] = true;
+ pi roundcube roundcube-sqlite3 php-zip
+ rcdir=/usr/local/lib/roundcubemail
+ # point debian cronjob to our local install, preventing daily cron error
+
+ f=/usr/share/roundcube/bin/cleandb.sh
+ if [[ ! -L $f ]]; then
+ if [[ -e $f ]]; then
+ m rm -f $f
+ fi
+ m ln -sfT $rcdir/bin/cleandb.sh /usr/share/roundcube/bin/cleandb.sh
+ fi
+
+ # todo, consider installing the extensions mailinabox uses
+
+ #### begin dl roundcube
+ # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
+ v=1.4.8; f=roundcubemail-$v-complete.tar.gz
+ cd /a/opt
+ if [[ -e $f ]]; then
+ timestamp=$(stat -c %Y $f)
+ else
+ timestamp=0
+ fi
+ m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f
+ new_timestamp=$(stat -c %Y $f)
+ if [[ $timestamp != $new_timestamp ]]; then
+ m tar -C /usr/local/lib --no-same-owner -zxf $f
+ m rm -rf $rcdir
+ m mv $rcdir-$v $rcdir
+ fi
+ cd -
+ #### end dl roundcube
+
+ /a/exe/web-conf -r $rcdir - apache2 mail.expertpathologyreview.com <<EOF
+# taken from /etc/apache2/conf-available/roundcube.conf version 1.4.8+dfsg.1-1~bpo10+1
+<Directory $rcdir/>
+ Options +FollowSymLinks
+ # This is needed to parse $rcdir/.htaccess.
+ AllowOverride All
+ Require all granted
+</Directory>
+# Protecting basic directories:
+<Directory $rcdir/config>
+ Options -FollowSymLinks
+ AllowOverride None
+</Directory>
+EOF
+
+ if [[ ! -e $rcdir/config/secret ]]; then
+ base64 </dev/urandom | head -c24 >$rcdir/config/secret || [[ $? == 141 ]]
+ fi
+ secret=$(cat $rcdir/config/secret)
+ # todo: expire mail for testignore@b8.nz
+
+ # config from mailinabox
+ cat >$rcdir/config/config.inc.php <<EOF
+<?php
+\$config = array();
+# debian creates this for us
+\$config['log_dir'] = '/var/log/roundcube/';
+# debian also creates a temp dir, but it is under its install dir,
+# seems better to have our own.
+\$config['temp_dir'] = '/var/tmp/roundcube/';
+\$config['db_dsnw'] = 'sqlite:////m/rc/roundcube.sqlite?mode=0640';
+\$config['default_host'] = 'ssl://localhost';
+\$config['default_port'] = 993;
+\$config['imap_conn_options'] = array(
+ 'ssl' => array(
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ ),
+ );
+\$config['imap_timeout'] = 15;
+\$config['smtp_server'] = 'tls://127.0.0.1';
+\$config['smtp_conn_options'] = array(
+ 'ssl' => array(
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ ),
+ );
+\$config['product_name'] = 'webmail';
+\$config['des_key'] = '$secret';
+\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui');
+\$config['skin'] = 'elastic';
+\$config['login_autocomplete'] = 2;
+\$config['password_charset'] = 'UTF-8';
+\$config['junk_mbox'] = 'Spam';
+?>
+EOF
+
+ m mkdir -p /var/tmp/roundcubemail /m/rc
+ m chown -R www-data.www-data /var/tmp/roundcubemail /m/rc
+ m chmod 750 /var/tmp/roundcubemail
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+ # todo: setup fail2ban
+ # todo: setup dnssec.
+ # todo: check for other mailinabox things
+ m sudo -u www-data touch /var/log/roundcube/errors.log
+
+ # Password changing plugin settings
+ cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF'
+# following are from mailinabox
+$config['password_minimum_length'] = 8;
+$config['password_db_dsn'] = 'sqlite:////m/rc/users.sqlite';
+$config['password_query'] = 'UPDATE users SET password=%D WHERE email=%u';
+$config['password_dovecotpw'] = '/usr/bin/doveadm pw';
+$config['password_dovecotpw_method'] = 'SHA512-CRYPT';
+$config['password_dovecotpw_with_method'] = true;
+EOF
+ # so PHP can use doveadm, for the password changing plugin
+ m usermod -a -G dovecot www-data
+ m usermod -a -G mail $u
+
+ # so php can update passwords
+ m chown www-data:dovecot /m/rc/users.sqlite
+ m chmod 664 /m/rc/users.sqlite
+
+ # Run Roundcube database migration script (database is created if it does not exist)
+ m $rcdir/bin/updatedb.sh --dir $rcdir/SQL --package roundcube
+ m chown www-data:www-data /m/rc/roundcube.sqlite
+ m chmod 664 /m/rc/roundcube.sqlite
+
+ # Enable PHP modules.
+ m phpenmod -v php mcrypt imap
+
+ # dpkg says this is required
+ m a2enmod proxy_fcgi setenvif
+ fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.3-fpm
+ phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
+ m a2enconf $fpm
+ # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading
+ # /etc/apache2/conf-enabled/php7.3-fpm.conf
+ m a2dismod php$phpver
+ # according to /install, we should set date.timezone,
+ # but that is dumb, the system already has the right zone in
+ # /var/log/roundcubemail/errors.log
+ cat >/etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
+date.timezone = "America/New_York"
+# for nextcloud
+upload_max_filesize = 2000M
+post_max_size = 2000M
+EOF
+
+ m systemctl restart $fpm
+ # dunno if reload/restart is needed
+ m systemctl reload apache2
+ m systemctl reload exim4
+
+ # todo: backups, carddav w nextcloud
+}
# * if MAIL_HOST
# * exim
- # todo, these pem files look old and useless. whats going on
sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
/p/c/filesystem/etc/exim4/passwd /p/c/filesystem/etc/exim4/*.pem /etc/exim4/
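Review bot: The Nextcloud install on L1181–L1222 appears to sit at file scope — it follows the `}` that closes dovecot-setup and, unlike `roundcube-setup()` on L1227, is not wrapped in a function or `case` arm — so the package install, the vhost for expertpathologyreview.com, the download into /var/www and `occ maintenance:install` would run on every host this script is used on; a `nextcloud-setup()` called from the `bk)` arm next to `roundcube-setup` (L1486) would match the rest of the file. That would also give `$phpver` on L1205 a value, since as far as this hunk shows it is only assigned inside roundcube-setup on L1363. The admin password given to `--admin-pass` on L1202 now lives in this repository and in the process list while occ runs; reading it from an untracked file, the way `$rcdir/config/secret` is handled on L1283–L1286, avoids both. On L1104–L1105 `auth_verbose=yes` and `mail_debug=yes` are active although the comment above says to uncomment them for debugging and the block they replace (L1164–L1165) had them commented out — auth_verbose records failed logins with their usernames and mail_debug is very chatty, so `#auth_verbose=yes` / `#mail_debug=yes` unless the extra logging is wanted. `chmod 664` on L1350 and L1355 leaves the password-hash and webmail databases world-readable inside a default-mode /m/rc (L1325–L1326 create it without setting a mode) and the des_key secret on L1284 is written under the default umask; `chmod 660` for the two databases and `(umask 077; base64 </dev/urandom | head -c24 >$rcdir/config/secret)` keep them readable only by www-data and dovecot.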
# man page: is used to build the local_domains list, together with "localhost"
# iank.bid is for testing
# mail.iankelling.org is for machines i own
-dc_other_hostnames='*.iankelling.org;iankelling.org;*zroe.org;zroe.org;!bk.b8.nz;*.b8.nz;b8.nz'
-
+dc_other_hostnames='!mail2.iankelling.org;!mibtest.iankelling.org;*.iankelling.org;iankelling.org;zroe.org;!bk.b8.nz;*.b8.nz;b8.nz'
EOF
EOF
m chmod 755 $f
+ # make all system users be aliases
+ for u in $(awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd); do
+ if ! grep -q "^$u:" aliases; then
+ echo "$u: root" |tee -a /etc/aliases
+ fi
+ done
+
+ # alerts is basically the postmaster address
sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root: $postmaster
+\$a root: alerts@mail.iankelling.org
/^root:/d
EOF
m systemctl restart $vpn_ser@mail
m systemctl enable $vpn_ser@mail
;;
- # * not MAIL_HOST
- *) # $HOSTNAME != $MAIL_HOST
+ # * bk
+ ## we use this host to monitor MAIL_HOST and host a mail server for someone
+ bk)
+
+ # dkim, client passwd file
+ rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
+ /p/c/machine_specific/bk/filesystem/etc/exim4/* /etc/exim4
+
+ echo mail2.iankelling.org > /etc/mailname
+ cat >>/etc/exim4/conf.d/main/000_local <<EOF
+CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/conf.d/data_local_acl
+MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
+EOF
+
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+# man page: is used to build the local_domains list, together with "localhost"
+dc_other_hostnames='bk.b8.nz;expertpathologyreview.com'
+EOF
+
+
+ /a/exe/web-conf apache2 autoconfig.expertpathologyreview.com
+ dir=/var/www/autoconfig.expertpathologyreview.com/html/mail
+ mkdir -p $dir
+ # taken from mailinabox
+ cat >$dir/config-v1.1.xml <<'EOF'
+<?xml version="1.0"?>
+<clientConfig version="1.1">
+ <emailProvider id="expertpathologyreview.com">
+ <domain>expertpathologyreview.com</domain>
+
+ <displayName>expertpathologyreview.com Mail</displayName>
+ <displayShortName>expertpathologyreview.com</displayShortName>
+
+ <incomingServer type="imap">
+ <hostname>mail2.iankelling.org</hostname>
+ <port>993</port>
+ <socketType>SSL</socketType>
+ <username>%EMAILADDRESS%</username>
+ <authentication>password-cleartext</authentication>
+ </incomingServer>
+
+ <outgoingServer type="smtp">
+ <hostname>mail2.iankelling.org</hostname>
+ <port>587</port>
+ <socketType>STARTTLS</socketType>
+ <username>%EMAILADDRESS%</username>
+ <authentication>password-cleartext</authentication>
+ <addThisServer>true</addThisServer>
+ <useGlobalPreferredServer>false</useGlobalPreferredServer>
+ </outgoingServer>
+
+ <documentation url="https://expertpathologyreview.com/">
+ <descr lang="en">expertpathologyreview.com website.</descr>
+ </documentation>
+ </emailProvider>
+
+ <webMail>
+ <loginPage url="https://mail.expertpathologyreview.com" />
+ <loginPageInfo url="https://mail.expertpathologyreview.com" >
+ <username>%EMAILADDRESS%</username>
+ <usernameField id="rcmloginuser" name="_user" />
+ <passwordField id="rcmloginpwd" name="_pass" />
+ <loginButton id="rcmloginsubmit" />
+ </loginPageInfo>
+ </webMail>
+ <clientConfigUpdate url="https://autoconfig.expertpathologyreview.com/mail/config-v1.1.xml" />
+</clientConfig>
+EOF
+
+ roundcube-setup
+ ;;
+ # * not MAIL_HOST and not bk
+ *)
# remove mail. uses 2 lines to properly remove whitespace
sed -ri -f - /etc/hosts <<'EOF'
s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1#
m systemctl stop mailclean.timer &>/dev/null ||:
m systemctl disable $vpn_ser@mail
m systemctl stop $vpn_ser@mail
- #
- #
- # would only exist because I wrote it i the previous condition,
- # it\'s not part of exim
- rm -fv /etc/exim4/conf.d/main/000_localmacros
+
+ rm -fv /etc/exim4/conf.d/main/000_localmacros # old filename
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_eximconfig_configtype='smarthost'
dc_smarthost='$smarthost'
hostname -f >/etc/mailname
-
- ;;&
- ## we use this host to monitor MAIL_HOST
- bk)
-
- cat >>/etc/exim4/update-exim4.conf.conf <<EOF
-# man page: is used to build the local_domains list, together with "localhost"
-# mail.iankelling.org is for machines i own
-dc_other_hostnames='bk.b8.nz'
-EOF
- # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
- # is no good.
- sed -i --follow-symlinks -f - /etc/aliases <<EOF
-\$a root: iank
-/^root:/d
-EOF
- ;;
- # not bk and not MAIL_HOST
- *)
-
-
- # This ends up at alerts mailbox on MAIL_HOST, but using a user that doesn't exist elsewhere
- # is no good.
+ # This ends up at alerts mailbox on MAIL_HOST
sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: root@mail.iankelling.org
/^root:/d
m systemctl disable dovecot ||:
m systemctl stop dovecot ||:
;;
-esac # end $HOSTNAME != $MAIL_HOST
+esac
# * spool dir setup
# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
#
-# todo: I\'m suspicious of uids for Debian-exim being the same across
-# distros. It would be good to test this.
dir=/nocow/exim4
sdir=/var/spool/exim4
# we only do this if our system has $dir
m systemctl start exim4
fi
-if [[ $HOSTNAME != "$MAIL_HOST" ]]; then
- m systemctl stop spamassassin
- m systemctl disable spamassassin
-fi
+case $HOSTNAME in
+ bk|$MAIL_HOST) : ;;
+ *)
+ m systemctl stop spamassassin
+ m systemctl disable spamassassin
+ ;;
+esac
# * mail monitoring / testing
EOF
;;&
bk)
- test_from=iank@bk.b8.nz
+ test_from=testignore@bk.b8.nz
test_to=testignore@iankelling.org
;;&
$MAIL_HOST|bk)
index 1134b9e1615372ca5e3a2d2db6496f0ecb67da0b..949b01407e0d6ebd5896efe46a566b6791286ce4 100644 (file)
--- a/pkgs
+++ b/pkgs
markdown
mb2md
meld
+ memtester
mhonarc
moreutils
mps-youtube
tar-doc
tcpdump
telnet
+ tmate
transmission-remote-gtk
trash-cli
vlc
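Review bot: `tmate` on L1583 is a terminal-sharing tool that, in its default configuration, relays every session through the public tmate.io servers, so anyone holding a session link gets shell access on that host via a third party. If that is intended, a comment naming the host or use case it is for would help; otherwise it is worth pointing its config at a self-hosted tmate-ssh-server or keeping it out of the shared package list.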
index ef9203dc2ff71618604c96de0b4e3de0eb66dd84..dbc2243583214dd04418c719d535abead99b713f 100644 (file)
bindsym $mod+2 exec "pavucontrol"
bindsym $mod+3 exec "x-www-browser"
bindsym $mod+4 exec "x-www-browser -no-remote -P firefox-main-profile"
-bindsym $mod+5 exec "/a/bin/redshift.sh"
+bindsym $mod+5 exec "/usr/local/bin/start-tor-browser"
bindsym $mod+equal exec "t s w; t in"
bindsym $mod+Home exec "t out"
#bindsym $mod+End exec "t s x; t in"
index 83251537d2cd9274ec45ed16ece924f21fe74d73..8e83e9d4af50f6fcad04d4770585dce32a30d1d3 100644 (file)
#loop-file=inf
loop-file=no
shuffle
-#volume=50
+volume=20
#save-position-on-quit
# use --profile d
index 494f7a7a20fa613a0b6f8c29659185acfa541279..1617507df593ccb161bc7d2bb16c4932d8aeb019 100644 (file)
bindsym $mod+2 exec "pavucontrol"
bindsym $mod+3 exec "x-www-browser"
bindsym $mod+4 exec "x-www-browser -no-remote -P firefox-main-profile"
-bindsym $mod+5 exec "/a/bin/redshift.sh"
+bindsym $mod+5 exec "/usr/local/bin/start-tor-browser"
bindsym $mod+equal exec "t s w; t in"
bindsym $mod+Home exec "t out"
#bindsym $mod+End exec "t s x; t in"
index 8b9920e1e19fe34d76b87ef1958690db62b5cba8..a22b6e945a9304632bee5b92f3f0d1e0e7bf4d27 100644 (file)
##
require [ "regex", "variables", "fileinto", "envelope", "mailbox", "imap4flags", "include" ];
-# many examples out there check for "X-Spam-Status" "^Yes", but we do
-# this in exim, which doesn't add that by default. We could modify it's
-# config to add $spam_action to a header, like other headers, but simply
-# using an integer threshold here is simpler: the default threshold for
+# The default threshold for
# spamassassin is 5, so we have 5 plus symbols here.
if header :regex "x-spam_bar" "^\\+{5}" {
fileinto :create "Junk";