author | Ian Kelling <ian@iankelling.org> | |
Mon, 20 Dec 2021 05:27:31 +0000 (00:27 -0500) | ||
committer | Ian Kelling <ian@iankelling.org> | |
Mon, 20 Dec 2021 05:27:31 +0000 (00:27 -0500) |
brc2 | patch | blob | history | |
btrbk-run | patch | blob | history | |
distro-end | patch | blob | history | |
hssh | patch | blob | history | |
mail-route | patch | blob | history | |
mail-setup | patch | blob | history | |
vpn-mail-forward | patch | blob | history |
index 4dc573bed2f8bc406cbb8d765a2d906cfa6d0cc3..0e9736e516d25645623943e642a64cc8b1f701f8 100644 (file)
--- a/brc2
+++ b/brc2
[Interface]
# contents hole-priv.key
PrivateKey = $(cat hole-priv.key)
-# UDP service port
-ListenPort = 32454
-Address = 10.5.3.$ipsuf/24
+ListenPort = 1194
+Address = 10.8.0.$ipsuf/24
# https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
-PostUp = ping -c1 10.5.3.1
+# ||: makes the systemd service not fail due to the failed command
+PostUp = ping -c1 10.8.0.1 ||:
[Peer]
# li
PublicKey = zePGl7LoS3iv6ziTI/k8BMh4L3iL3K2t9xJheMR4hQA=
-AllowedIPs = 10.5.3.0/24
-Endpoint = 72.14.176.105:32454
+AllowedIPs = 10.8.0.0/24
+Endpoint = 72.14.176.105:1194
PersistentKeepalive = 25
EOF
umask $umask_orig
cedit -q $host /p/c/machine_specific/li/filesystem/etc/wireguard/wghole.conf <<EOF || [[ $? == 1 ]]
[Peer]
PublicKey = $(cat hole-pub.key)
-AllowedIPs = 10.5.3.$ipsuf/32
+AllowedIPs = 10.8.0.$ipsuf/32
EOF
cd - >/dev/null
}
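Review bot: The new client config pins `ListenPort = 1194` and points `Endpoint` at the same port, which is the conventional OpenVPN port; the distro-end part of this commit keeps `vpn-server-setup ... -n mail` installed and only stops starting it, so if that OpenVPN instance is ever re-enabled on the endpoint host the two services will contend for UDP 1194. A client peer does not need a fixed `ListenPort` at all — dropping the line lets the kernel pick an ephemeral port — or otherwise choose a port the OpenVPN unit is known not to use. Moving wghole onto 10.8.0.0/24 also makes `AllowedIPs = 10.8.0.0/24` overlap the address the OpenVPN client-config still pushes (`ifconfig-push 10.8.0.4`), so a one-line comment above `Address` such as `# 10.8.0.0/24 is now shared with the mail vpn; keep $ipsuf clear of .1 and .4` would save the next reader a search. The heredoc that writes this config starts before the hunk.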
diff --git a/btrbk-run b/btrbk-run
index 99c980e523bb1c67e69bc1036f8ee766f12dbc5e..e96bb52cdc9294faf7e5fae96b5a1e254013cff4 100644 (file)
--- a/btrbk-run
+++ b/btrbk-run
if [[ $ret == 0 ]]; then
for tg in ${targets[@]}; do
- ssh root@$tg /a/exe/mail-backup-clean
+ :
+ #ssh root@$tg /a/exe/mail-backup-clean
done
fi
diff --git a/distro-end b/distro-end
index 880c25b3fe39cac0da05ccb7cf7a7e253afdca91..117042edbdb0cddbfa1afd0ec0c2b5bd70cf6a5f 100755 (executable)
--- a/distro-end
+++ b/distro-end
# case $distro in
# esac
-# get sudo pass cached right away
-if ! sudo -nv 2>/dev/null; then
- sudo -v
-fi
+case $HOSTNAME in
+ li|bk|je) : ;;
+ *)
+ # get sudo pass cached right away
+ if ! sudo -nv 2>/dev/null; then
+ sudo -v
+ fi
+ ;;
+esac
# old repo. remove when all machines updated
sudo rm -fv /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list
s rm -fv /etc/apt/preferences.d/radicale
######### end universal pinned packages ######
-### system76 things ###
-case $HOSTNAME in
- sy)
- # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
- if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
- # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
- sd /etc/apt/sources.list.d/system76.list <<EOF
-deb http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
-deb-src http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
-EOF
- s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B
- p update
- # https://support.system76.com/articles/install-ubuntu/
- # but i'm hoping this is not needed
- # sd /etc/apt/preferences.d/system76 <<'EOF'
- # Package: *
- # Pin: release o=LP-PPA-system76-dev-stable
- # Pin-Priority: 1001
- # EOF
- pi system76-driver system76-firmware-cli
- # if you get a notice about a firmware update, the notifier on i3
- # is too dumb to do anything when you click it. so to see
- # a changelog, cd to
- # /var/cache/system76-firmware-daemon
- # extract the xz files there, one will contain a changelog.
- # then to install an update:
- # s system76-firmware-cli schedule
- fi
- ;;
-esac
-
-# ppa:obsproject/obs-studio
-if [[ ! -d /etc/apt/sources.list.d/obs.list ]]; then
- # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
- sd /etc/apt/sources.list.d/obs.list <<EOF
-deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
-deb-src http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
-EOF
- s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
- p update
-fi
case $codename in
etiona)
fi
;;&
bk)
+ sgo wg-quick@wgmail
+
# i just dont feel like setting up a special purpose ssh key to do this automatically.
end_msg <<'EOF'
# run this once for bk on local machine:
+# only used for old openvpn setup
/a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail li.iankelling.org
EOF
end
# /64, it didn't work but I didn't investigate closely.
- m vpn-server-setup -n mail -d -6 2600:3c00:e002:3800::/64 2600:3c00:e002:3800::1/64
+ # not starting as i intend to replace it
+ m vpn-server-setup -s -i tunmail -n mail -d -6 2600:3c00:e002:3800::/64 2600:3c00:e002:3800::1/64
sudo tee /etc/openvpn/client-config-mail/mailclient <<'EOF'
ifconfig-push 10.8.0.4 255.255.255.0
ifconfig-ipv6-push 2600:3c00:e002:3800::4/64
ifconfig-ipv6-push 2600:3c00:e002:3800::5/64
EOF
+
sudo dd of=/etc/systemd/system/vpn-mail-forward.service <<'EOF'
[Unit]
Description=Turns on iptables mail nat
[Service]
Type=oneshot
RemainAfterExit=yes
-ExecStart=/a/bin/distro-setup/vpn-mail-forward start
-ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
+ExecStart=/a/bin/distro-setup/vpn-mail-forward tunmail start
+ExecStop=/a/bin/distro-setup/vpn-mail-forward tunmail stop
[Install]
RequiredBy=openvpn-server@mail.service
EOF
ser daemon-reload
- sgo vpn-mail-forward.service
+
+ # commented, wgmail handles this.
+ #sgo vpn-mail-forward.service
+
# needed for li's local mail delivery.
tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
- sgo openvpn-server@mail
+ #sgo openvpn-server@mail
+ ser start wg-quick@wgmail
+
# setup let's encrypt cert
m web-conf apache2 mail.iankelling.org
sudo rm -fv /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
#### desktop stuff
+
+### system76 things ###
+case $HOSTNAME in
+ sy)
+ # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
+ if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
+ # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
+ sd /etc/apt/sources.list.d/system76.list <<EOF
+deb http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
+deb-src http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
+EOF
+ s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B
+ p update
+ # https://support.system76.com/articles/install-ubuntu/
+ # but i'm hoping this is not needed
+ # sd /etc/apt/preferences.d/system76 <<'EOF'
+ # Package: *
+ # Pin: release o=LP-PPA-system76-dev-stable
+ # Pin-Priority: 1001
+ # EOF
+ pi system76-driver system76-firmware-cli
+ # if you get a notice about a firmware update, the notifier on i3
+ # is too dumb to do anything when you click it. so to see
+ # a changelog, cd to
+ # /var/cache/system76-firmware-daemon
+ # extract the xz files there, one will contain a changelog.
+ # then to install an update:
+ # s system76-firmware-cli schedule
+ fi
+ ;;
+esac
+
+case $distro in
+ trisquel|ubuntu)
+
+ # ppa:obsproject/obs-studio
+ if [[ ! -d /etc/apt/sources.list.d/obs.list ]]; then
+ # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
+ sd /etc/apt/sources.list.d/obs.list <<EOF
+deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
+deb-src http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
+EOF
+ s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
+ p update
+ fi
+ ;;
+esac
+
case $codename_compat in
xenial)
# mate-indicator-applet and beyond are msc things I noticed diffing a
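Review bot: In the relocated OBS block `if [[ ! -d /etc/apt/sources.list.d/obs.list ]]` tests for a directory, but `sd` writes a regular file, so the guard is always true and the PPA list plus `apt-key adv --keyserver ... --recv-keys` run on every invocation; the system76 block just above uses `-e`, so change it to `if [[ ! -e /etc/apt/sources.list.d/obs.list ]]; then`. Re-fetching the signing key from a keyserver on every run also puts a live network lookup in the trust path each time the script is executed. Separately, `apt-key` is deprecated on recent Debian/Ubuntu releases; if the distros matched by the new `trisquel|ubuntu` case are new enough, fetch the key once into `/etc/apt/keyrings/obs.gpg` and reference it with `[signed-by=/etc/apt/keyrings/obs.gpg]` in the `deb` lines, which scopes the key to that repository instead of trusting it for every source.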
index 316969444927084d32b70e0e0a8d38477cce00e8..8af5f0ad17e5059f785b15c72b399ba2f50a19a3 100755 (executable)
--- a/hssh
+++ b/hssh
# mount-latest-remote
timeout -s 9 600 /usr/local/bin/mount-latest-subvol
rsync --server -OtpRe.LsfxC . /usr/local
+/a/exe/mail-backup-clean
EOF
allow=false
fi
done
if $allow; then
- eval $SSH_ORIGINAL_COMMAND
+ eval $SSH_ORIGINAL_COMMAND || exit $?
else
f=/usr/local/bin/ssh_filter_btrbk.sh
if [[ ! -e $f ]]; then
f=/a/opt/btrbk/ssh_filter_btrbk.sh
fi
- $f --target --delete --source --info
+ $f --target --delete --source --info || exit $?
fi
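Review bot: `/a/exe/mail-backup-clean` is added to the allowed-command list while the same commit comments out the only visible caller in btrbk-run, so the forced-command key now permits a command nothing issues; either drop the entry or keep the call, since every stale allowlist entry widens what a compromised backup key can run. The matching loop begins before the hunk, so I cannot tell from here whether entries are compared as exact strings or as prefixes; if prefixes, a bare-path entry like this one permits arbitrary trailing arguments and should say so. `eval $SSH_ORIGINAL_COMMAND || exit $?` behaves the same as a bare `exit` after a failure, which is fine, but `eval` re-parses the already-validated string, so a comment such as `# safe only because $SSH_ORIGINAL_COMMAND matched an allowlisted literal above` records why this is not a shell-injection sink.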
diff --git a/mail-route b/mail-route
index 5316b795564b83eb04d310c6a17bbc732d827707..0f10d2861c0d421bfd02b6596812559fcb9ec68a 100755 (executable)
--- a/mail-route
+++ b/mail-route
a vpn ip. If called from --up/--down in openvpn, (we have multiple args) $1 is the
tun_dev, and action is from $script_type env variable, openvpn sets this.
-Is idempotent.
+It is idempotent.
+I'm not using this script currently:
The problem with this approach is that if we dont have a non-vpn global
ipv6 address and route, we need to send all ipv6 traffic through the
vpn. Using a network namespace for the vpn fixes that, so I've switched
diff --git a/mail-setup b/mail-setup
index 82d3d373c814ae51fdeb10a4e9d1da462b3ad33c..59a122af106ed8aa5ca04c278eaae1a2720a6675 100755 (executable)
--- a/mail-setup
+++ b/mail-setup
# * mail vpn config
+vpnser=mailvpn.service
+vpnser=wg-quick@wgmail.service
case $HOSTNAME in
$MAIL_HOST)
;;&
esac
+i /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
+[Unit]
+Requires=mailnn.service
+After=network.target mailnn.service
+JoinsNamespaceOf=mailnn.service
+BindsTo=mailnn.service
+
+[Service]
+PrivateNetwork=true
+# i dont think we need any of these, but it doesnt hurt to stay consistent
+BindPaths=$bindpaths
+EOF
+
# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
i /etc/systemd/system/mailvpn.service <<EOF
[Unit]
BindsTo=mailnn.service
StartLimitIntervalSec=0
-
[Service]
Type=simple
RemainAfterExit=true
#
i /etc/systemd/system/mailnn.service <<'EOF'
[Unit]
-Description=Network Namespace for mailvpn.service that will live forever and cant fail
+Description=Network Namespace for mail vpn service that will live forever and cant fail
After=syslog.target network-online.target
Wants=network-online.target
if mailhost; then
# Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
# Its in the nn so remote clients can connect to it.
- nn_progs+=(spamassassin dovecot wg-quick@mail)
+ nn_progs+=(spamassassin dovecot)
fi
case $HOSTNAME in
# namespace to go over the wghole.
#
#1: unify the mail vpn and wghole
- # into 1 network. this seems simple and logical, but the thing is
- # that if we ever have a network block we need to overcome, for
- # example with a tcp 443 vpn connection, then i'd need to setup some
- # hole hosts on that vpn too, which is kind of a pain.
+ # into 1 network. this seems simple and logical, so I'm doing it.
+ # One general downside is tying things together, if I need to mess
+ # with one thing, it breaks the other. Oh well for now.
#
# 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
#
# routing within the mailvpn, it happened to work just because exim
# prefers ipv6 and that was also available in the mailvpn.
#
- # 4. Put the hole interface into the mail network
- # namespace. Apparently wireguard is smart enough to get around the
- # mailvpn default routing and establish a direct connection. That is
- # what I'm doing here. I only use the hole vpn for randomish things,
- # it should be fine to join the mail nn for that. If that becomes a
- # problem, I think I'd go with option #2.
- i /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
-[Unit]
-Requires=mailvpn.service
-After=network.target mailnn.service mailvpn.service
-JoinsNamespaceOf=mailnn.service
-BindsTo=mailnn.service
-
-[Service]
-PrivateNetwork=true
-# i dont think we need any of these, but it doesnt hurt to stay consistent
-BindPaths=$bindpaths
-EOF
+ # 4. Put the hole interface into the mail network namespace. This
+ # doesn't work if the mail vpn is wg. For openvpn, it bypasses the
+ # vpn routing and establishes a direct connection. I only use the
+ # hole vpn for randomish things, it should be fine to join the mail
+ # nn for that. There should be some way to fix the routing issue
+ # by doing manual routing, but that doesn't seem like a good use of time.
+ # relevant:
+ # https://www.wireguard.com/netns/#
+ #
+ # for wireguard debugging
+ # echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+ # dmesg -w
;;&
$MAIL_HOST|bk)
for unit in ${nn_progs[@]}; do
i /etc/systemd/system/$unit.service.d/nn.conf <<EOF
[Unit]
-Requires=mailvpn.service
-After=network.target mailnn.service mailvpn.service
+# commented for old openvpn
+Requires=$vpnser
+After=network.target mailnn.service $vpnser
JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
StartLimitIntervalSec=0
i /etc/systemd/system/radicale.service.d/override.conf <<EOF
[Unit]
# this unit is configured to start and stop whenever
-# openvpn-client-mail@mail does
-After=network.target network-online.target mailnn.service mailvpn.service
+# $vpnser does
+
+After=network.target network-online.target mailnn.service $vpnser
+BindsTo=$vpnser
+
Wants=network-online.target
-BindsTo=mailvpn.service
JoinsNamespaceOf=mailnn.service
StartLimitIntervalSec=0
RestartSec=1000
[Install]
-RequiredBy=mailvpn.service
+# for openvpn
+RequiredBy=$vpnser
EOF
m rm tmp.php
m sudo -u www-data php $ncdir/occ maintenance:update:htaccess
list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list)
- for app in contacts calendar user_external; do
+ # user_external not compaible with nc 23
+ for app in contacts calendar; do
if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then
m sudo -u www-data php $ncdir/occ app:install $app
fi
# If these have changes, id rather manually restart it, id rather
# not restart and cause temporary errors
if $reload; then
- sre mailvpn
+ sre $vpnser
else
- sstart mailvpn
+ sstart $vpnser
fi
;;&
$MAIL_HOST)
case $HOSTNAME in
$MAIL_HOST|bk|je) : ;;
*)
- soff radicale mailclean.timer dovecot spamassassin mailvpn mailnn clamav-daemon
+ soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon
;;
esac
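Review bot: `vpnser=mailvpn.service` on the first added line is dead — it is overwritten on the very next line by `vpnser=wg-quick@wgmail.service` — so it reads like a toggle but is not one; either comment it out (`#vpnser=mailvpn.service  # old openvpn unit`) or delete it, so that `soff ... $vpnser mailnn ...` at the end of the section unambiguously refers to the WireGuard unit. In the nn.conf drop-in the new comment `# commented for old openvpn` sits above two live `Requires=$vpnser` / `After=network.target mailnn.service $vpnser` lines and nothing there is commented; rewrite it as `# depend on whichever mail vpn unit $vpnser names (wg-quick@wgmail or the old mailvpn)`. The new wg-quick@wgmail override sets `PrivateNetwork=true` and joins mailnn; a wg-quick run entirely inside a namespace can only reach its peer endpoint if that namespace has a route out, which is not visible here, so a comment pointing at the wireguard.com/netns pattern you cite in the later hunk (create in the init namespace, then move the interface) would help whoever debugs a silent handshake failure.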
diff --git a/vpn-mail-forward b/vpn-mail-forward
index 059ad60f3e1cb77cc30fa4ae592e75d19f03314f..f6ff1687cc706f580218822eb454c61fe1cbe8a4 100755 (executable)
--- a/vpn-mail-forward
+++ b/vpn-mail-forward
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
m() { printf "%s\n" "$*"; "$@"; }
found=false
+
+ifname=$1
+shift
+
# wait up to 10 seconds for the gateway to appear
for i in in {1..10}; do
gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
m /sbin/ip6tables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 2600:3c00:e002:3800::4
done
# for bk to talk to MAIL_HOST, only need port 25.
- ip6tables -t nat $cmd PREROUTING -i tun1 -s 2600:3c00:e002:3800::5 -d 2600:3c00:e000:280::2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 2600:3c00:e002:3800::4
+ ip6tables -t nat $cmd PREROUTING -i $ifname -s 2600:3c00:e002:3800::5 -d 2600:3c00:e000:280::2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 2600:3c00:e002:3800::4
# we could leave these on all the time but its convenient to do it here
- m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT
- m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT
+ m /sbin/iptables $cmd FORWARD -i $ifname -o $gw -j ACCEPT
+ m /sbin/iptables $cmd FORWARD -i $gw -o $ifname -j ACCEPT
+
+ case $ifname in
+ wg*)
+ /sbin/iptables -t nat $cmd POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
+ /sbin/ip6tables -t nat $cmd POSTROUTING -s 2600:3c00:e002:3800::/64 -o $gw -j MASQUERADE
+ ;;
+ esac
+
}
ports=(25 143 587)
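Review bot: `ifname=$1; shift` takes the interface name with no check, and every later rule uses it unquoted (`-i $ifname`), so an empty or missing first argument silently yields rules with the next option swallowed as the interface name, and any caller still invoking the script the old way has `start` taken as the interface; add `[[ -n $ifname ]] || { echo "$0: usage: $0 IFNAME start|stop" >&2; exit 1; }` right after the shift. The two new MASQUERADE rules are the only ones in the function not wrapped in `m`, so they neither print nor get the per-command context the ERR trap gives their neighbours; wrap them the same way. Together with the unconditional `FORWARD -i $gw -o $ifname -j ACCEPT` the `wg*` case turns the host into a full NAT gateway for 10.8.0.0/24 and 2600:3c00:e002:3800::/64 — if only the DNATed mail ports are meant to reach peers from the internet, restrict the gw→wg direction with `-m conntrack --ctstate RELATED,ESTABLISHED`. The function containing these rules starts before the hunk.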