p[0]=/a/opt/emacs-ubuntu20.04
p[1]=/a/opt/emacs-ubuntu20.04-nox
done
- m rsync "$@" -ahviSAXPH root@iankelling.org:/a/h/proposed-comments/ /a/h/proposed-comments || ret=$?
+ m rsync "$@" -ahviSAXPH root@li:/a/h/proposed-comments/ /a/h/proposed-comments || ret=$?
return $ret
}
bkpush() { # no emacs. for running faster.
return $ret
}
-
bindpush() {
- lipush || return 1
+ lipush
for h in li bk; do
- sl $h <<'EOF' || return 1
-set -e
+ m sl $h <<'EOF'
source ~/.bashrc
-dnsup
-dnsb8
+m dnsup
+m dnsb8
EOF
done
}
-
dnsup() {
conflink
- ser reload bind9
+ m ser reload bind9
}
dnsb8() {
local f=/var/lib/bind/db.b8.nz
sudo install -m 644 -o bind -g bind /p/c/machine_specific/vps/bind-initial/db.b8.nz $f
ser restart bind9
}
+dnsecgen() {
+ # keys generated like this
+ # because of https://ftp.isc.org/isc/dnssec-guide/dnssec-guide.pdf
+ # https://blog.apnic.net/2019/05/23/how-to-deploying-dnssec-with-bind-and-ubuntu-server/
+
+ # key length is longer than that guide because
+ # we are using those at fsf and when old key lengths
+ # become insecure, I want some extra time to update.
+ # dnsecgen (in brc2)
+
+ local zone=$1
+ local f tag
+ dnssec-keygen -a RSASHA256 -b 2048 $zone
+ dnssec-keygen -f KSK -a RSASHA256 -b 4096 $zone
+ for f in K$zone.*.key; do
+ # eg Kb8.nz.+008+47995.key tag=47995
+ # in dnsimple, you add the long string from this.
+ # in gandi, you add the long string from the .key file,
+ # then see that the digest matches the ds.
+ echo "tag is the number after DS"
+ dnssec-dsfromkey -a SHA-256 $f
+ done
+ # For b8.nz, we let bind read the keys and sign, and
+ # right now they have root ownership, so let them
+ # get group read.
+ chmod g+r *.private
+}
+dsign() {
+ # created .signed file that
+ # note: full paths probably not needed.
+ local arg=$1
+ local zone=${arg#db.}
+ local dir=/p/c/machine_specific/vps/filesystem/var/lib/bind
+ dnssec-signzone -S -e +31536000 -o $zone -K $dir -d $dir $dir/db.$zone
+}
#### begin bitcoin related things
$s /a/exe/teeu "$@"
}
+# a1 = awk {print $1}
+for field in {1..20}; do
+ eval a$field"() { awk '{print \$$field}'; }"
+done
+
enn() {
local ecmd pid
s $ecmd "$@"
return
fi
-
- pid=$(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf")
-
- if $dosudo; then
- s nsenter -t $pid -n -m $ecmd "$@"
- fi
+ pid=$(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf"|a1)
+ m s nsenter -t $pid -n -m $ecmd "$@"
}
mailnnbash() {
m sudo nsenter -t $(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") -n -m sudo -u $USER -i bash
}
eximbash() {
- m sudo nsenter -t $(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf") -n -m sudo -u $USER -i bash
+ m sudo nsenter -t $(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf"|a1) -n -m sudo -u $USER -i bash
}
zone "b8.nz" {
type master;
file "/var/lib/bind/db.b8.nz";
+key-directory "/var/lib/bind";
+auto-dnssec maintain;
+inline-signing yes;
update-policy {
// allow updating almost anything in the zone or subdomains.
grant b8.nz. subdomain b8.nz.;
zone "iankelling.org" {
type master;
-file "/var/lib/bind/db.iankelling.org";
+file "/var/lib/bind/db.iankelling.org.signed";
};
zone "zroe.org" {
type master;
-file "/var/lib/bind/db.zroe.org";
+file "/var/lib/bind/db.zroe.org.signed";
};
zone "expertpathologyreview.com" {
type master;
-file "/var/lib/bind/db.expertpathologyreview.com";
+file "/var/lib/bind/db.expertpathologyreview.com.signed";
};
zone "amnimal.ninja" {
type master;
-file "/var/lib/bind/db.amnimal.ninja";
+file "/var/lib/bind/db.amnimal.ninja.signed";
};
zone "9.c.0.f.1.f.1.0.8.a.b.0.1.0.0.2.ip6.arpa" {
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: create a cronjob to update or warn on expiring dnssec keys
+
+# todo: turn on dnssec validation for dns resolution.
+# use unbound on server so we have a unique ip for
+# dnsbl servers.
+
# todo: we should test failed mail daily or so
# failed cronjob, failed sysd-log-once,
# a local bounce from a cronjob, a local bounce
# to a bad remote address, perhaps a local failure
# when the sending daemon is down.
# And send an alert email if no alerts have been sent
-# in 2 or 3 days or something.
+# in 2 or 3 days or something. todo, test cron mail on li.
# todo: look at mailinabox extra dns records
# todo: mailtest-check failure on remote hosts is not going to alert me.
# sort that out.
-# todo: test out icedove
-
-# todo: test out nextcloud mail plugin
# background: I want to run exim in a network namespace so it can send
# and receive through a vpn. This is needed so it can do ipv6, because
####### end perstent password instructions ######
-# * persistent dkim/dns instructions
-
-#### begin dkim generation section ####
+# * dkim dns
# # Remove 1 level of comments in this section, set the domain var
# # for the domain you are setting up, then run this and copy dns settings
# # into dns.
# # leaves us a bit of extra room at the end and a bunch at the beginning.
# # selector was also put into /etc/exim4/conf.d/main/000_local,
-#### end dkim generation section ####
+# * dmarc dns
# # 2017-02 dmarc policies:
# # host -t txt _dmarc.gmail.com
#
# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
+# * other dms
+
# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
# # google ~all, hotmail ~all, yahoo: ?all, fastmail ?all, outlook ~all
# mx records, 2 records each, for * and empty domain
# pri 10 mail.iankelling.org
# EOF
-####### end persistent dkim instructions #########
+# # dnssec
+# from brc2, run dnsecgen then dsign, update named.local.conf, publish keys to registrar
# * functions & constants
m mkdir -p $dir
# taken from mailinabox
i $dir/config-v1.1.xml <<EOF
-<?xml version="1.0"?>
+<?xml version="1.0" encoding="UTF-8"?>
<clientConfig version="1.1">
<emailProvider id="$domain">
<domain>$domain</domain>
?>
EOF
- # todo, default charset an option? set to utf-8
-
m mkdir -p $rclogdir
m chmod 750 $rclogdir
m chown www-data:adm $rclogdir
m chmod 750 $rctmpdir
# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
# todo: setup fail2ban
- # todo: setup dnssec.
# todo: check for other mailinabox things
m sudo -u www-data touch $rclogdir/errors.log
cd $rcdir/plugins/html5_notifier
m git pull --rebase
- # todo: try out roundcube plugins: html5 notifier, nextcloud, thunderbird labels
+ # todo: try out roundcube plugins: thunderbird labels
# Password changing plugin settings
cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF'
case $HOSTNAME in
$MAIL_HOST|bk|je)
# note: cronjob "ian" also does some important monitoring
- # todo: setup test mail cron for 3rd host
cat >/etc/cron.d/mailtest <<EOF
SHELL=/bin/bash
PATH=/usr/bin:/bin:/usr/local/bin
iankelling.org / git / distro-setup / commitdiff