eval "$f() { [[ $HOSTNAME == $f ]]; }"
done
codename=$(debian-codename)
+bitfolk() { je || bk; }
has_wayland() { has_monitor && [[ $codename == buster ]]; }
has_x() { has_monitor && [[ $codename != buster ]]; }
has_monitor() { ! vps ; }
-vps() { je || bk || li; }
+vps() { bitfolk || li; }
# linode actually has btrfs now, but we dont do anything with it.
has_btrfs() { ! vps; }
home_network() { ! vps && ! tp; }
has_p() { ! vps && ! tp; }
-encrypted() { ! bk && ! je; }
+encrypted() { ! bitfolk; }
shopt -s extglob
export GLOBIGNORE="*/.:*/.."
umask 022
####### end setup environment #######
-
-
##### begin setup encryption scripts ######
if encrypted; then
# I tried making a service which was dependent on reboot.target,
/^127\.0\.1\.1/d
EOF
-##### use systemd-resolved for glibc resolutions
-if [[ ! -L /etc/nsswitch.conf ]]; then
- sudo mkdir -p /etc/nsswitch
- sudo mv /etc/nsswitch.conf /etc/nsswitch
- sudo ln -sf /etc/nsswitch/nsswitch.conf /etc
-fi
-
-pi libnss-resolve
-# default is
-# files mdns4_minimal [NOTFOUND=return] dns myhostname
-# mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
-# https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
-# seems more important than some potential use case.
-# Interestingly, t9 man page says use files before resolve, debian 10 says the opposite.
-sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf
-
-## we can remove this when all hosts are updated 2020/10
-if dpkg -s -- nscd &>/dev/null; then
- sudo apt-get -y remove --purge --auto-remove nscd
- sudo systemctl stop nscd ||: # fails if already stopped
-fi
-
-
##### exit first stage if running as root
if [[ $EUID == 0 ]]; then
echo "$0: running as root. exiting now that users are setup"
EOF
+##### use systemd-resolved for glibc resolutions
+if [[ ! -L /etc/nsswitch.conf ]]; then
+ sudo mkdir -p /etc/nsswitch
+ sudo mv /etc/nsswitch.conf /etc/nsswitch
+ sudo ln -sf /etc/nsswitch/nsswitch.conf /etc
+fi
+pi libnss-resolve
+# default is
+# files mdns4_minimal [NOTFOUND=return] dns myhostname
+# mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
+# https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
+# seems more important than some potential use case.
+# Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
+# removing files makes hostname -f not actually give the fully qualified domain name.
+sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf
+if dpkg -s -- nscd &>/dev/null; then
+ sudo apt-get -y remove --purge --auto-remove nscd
+ sudo systemctl stop nscd ||: # fails if already stopped
+fi
+
+if bitfolk; then
+ # remove line like this: 85.119.82.128 je.iankelling.org je
+ # it messes with hostname -f.
+ sudo sed -ri "/^127\./n;/[[:space:]]$HOSTNAME\$/d" /etc/hosts
+fi
+
+
#### setup firefox backport
## ian: disabled. backports are not being published atm due to rust packaging issue
# if isdeb; then
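Review bot: The /etc/hosts cleanup in the new `if bitfolk` block does not protect every loopback entry: in `sed -ri "/^127\./n;/[[:space:]]$HOSTNAME\$/d"` the `n` command prints the matched 127.* line and then loads the *next* line into pattern space, so the following `d` is applied to that next line, and with two adjacent loopback entries (e.g. `127.0.0.1 localhost` followed by `127.0.1.1 je.iankelling.org je`) the second one is deleted despite the guard. Branching to end of script is the right idiom here: `sudo sed -ri "/^127\./b;/[[:space:]]$HOSTNAME\$/d" /etc/hosts`. Separately, the new `hosts:` line keeps `files resolve [!UNAVAIL=return] …` but drops the `dns` module entirely, so when systemd-resolved is not running nothing falls back to plain DNS; if that is intended, a comment such as `# no dns fallback on purpose: resolved must be running for any non-/etc/hosts lookup` would save the next debugging session.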
}
m() { printf "$pre %s\n" "$*"; "$@"; }
e() { printf "$pre %s\n" "$*"; }
-err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $0: $*" >&2; }
distro=$(distro-name)
codename=$(debian-codename)
codename_compat=$(debian-codename-compat)
-### begin certbot install ###
-if [[ $distro == debian || $codename_compat == bionic ]]; then
- # note, need python-certbot-nginx for nginx, but it depends on nginx,
- # and I'm not installing nginx by default right now.
- pi certbot python3-certbot-apache
-elif [[ $codename_compat == xenial ]]; then
- # not packaged in xenial or flidas
- pi software-properties-common
- l="deb http://ppa.launchpad.net/certbot/certbot/ubuntu xenial main"
- if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
- sudo add-apt-repository -y ppa:certbot/certbot ||:
- m p update
- fi
- pi python-certbot-apache
-else
- err "distro unknown for certbot"
-fi
-# make a version of the certbot timer that emails me.
-x=/systemd/system/certbot
-$sed -r -f - /lib$x.timer <<'EOF' |sd /etc${x}mail.timer
-s,^Description.*,\0 mail version,
-EOF
-$sed -r -f - /lib$x.service <<'EOF' |sd /etc${x}mail.service
-s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
-EOF
-ser daemon-reload
-soff certbot.timer
-sgo certbotmail.timer
-### end certbot install ###
# dogcam setup. not using atm
##### end automatic upgrades ####
+# commented in case i want to use this sometime later
+# sd /etc/apt/preferences.d/buster-backports <<EOF
+# Package: *
+# Pin: release a=buster-backports
+# Pin-Priority: 500
+# EOF
+
###### begin website setup
case $HOSTNAME in
dnsb8
fi
;;&
- bk)
-
- sd /etc/apt/preferences.d/buster-backports <<EOF
-Package: *
-Pin: release a=buster-backports
-Pin-Priority: 500
-EOF
-
- # setup let's encrypt cert
- m web-conf apache2 mail2.iankelling.org
- s <<'EOF'
-export RENEWED_LINEAGE=/etc/letsencrypt/live/mail2.iankelling.org
-/a/bin/distro-setup/certbot-renew-hook
-EOF
- mail-setup
+ bk|je)
end
;;
li)
# how to do this.
m web-conf apache2 mumble.iankelling.org
sudo rm -fv /etc/apache2/sites-enabled/mumble.iankelling.org
- s <<'EOF'
-export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
-/a/bin/distro-setup/certbot-renew-hook
-EOF
# general vpn for as needed use
vpn-server-setup -d -r -4 10.2.2 -p 443 -n hole
# to get into the web interface,
# then use non-main browser or else it doebsn't allow it based on ocsp stapling from my main site.
# https://iankelling.org:12533/
- s <<'EOF'
-export RENEWED_LINEAGE=/etc/letsencrypt/live/iankelling.org
-/a/bin/distro-setup/certbot-renew-hook
-EOF
# znc config generated by doing
# znc --makeconf
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: look at mailinabox extra dns records
+#
+# todo: i think daemon-reload
+# is being called when it shouldnt when rereunning we are probably
+# updating systemd config file that doesnt need to be or something.
+
# background: I want to run exim in a network namespace so it can send
# and receive through a vpn. This is needed so it can do ipv6, because
# outside the namespace if we dont have ipv6, to send ipv6 through the
source /a/bin/distro-functions/src/identify-distros
# has nextcloud_admin_pass in it
-f=/p/c/machine_specific/je/mail
+f=/p/c/machine_specific/$HOSTNAME/mail
if [[ -e $f ]]; then
source $f
fi
m sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
e CRON=1 /etc/default/spamassassin
-case $HOSTNAME in
- $MAIL_HOST|bk)
- l='NICE="--nicelevel 15"'
- if grep -qFx "$l" /etc/default/spamassassin; then
- # Just noticed this in the config file, seems like a good idea.
- m sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
- e "$l" | tee -a /etc/default/spamassassin
- fi
- ;;
-esac
+l='NICE="--nicelevel 15"'
+if grep -qFx "$l" /etc/default/spamassassin; then
+ # Just noticed this in the config file, seems like a good idea.
+ m sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin
+ e "$l" | tee -a /etc/default/spamassassin
+fi
##### end spamassassin config
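Review bot: The hoisted NICE block looks inverted: `if grep -qFx "$l" /etc/default/spamassassin; then` only deletes and re-appends the line when it is already present verbatim, so a host that lacks it (Debian ships it commented out) never gets it. If the intent is "ensure `NICE="--nicelevel 15"` is set", the test should be `if ! grep -qFx "$l" /etc/default/spamassassin; then`. Also worth confirming that the `e` used in `e "$l" | tee -a …` is not the `e()` shown earlier on this page (`printf "$pre %s\n" "$*"`), since that would write the `$pre` prefix into the config file unless `$pre` is empty here.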
m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org
m /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail -s /b/ds/mail-route li.iankelling.org
fi
+case $HOSTNAME in
+ bk)
+ if [[ ! -e /etc/openvpn/client/mail.conf ]]; then
+ echo "$0: error: first, on a system with /p/c/filesystem, run mail-setup, or the vpn-mk-client-cert line above this err" 2>&2
+ exit 1
+ fi
+ ;;
+esac
m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin
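Review bot: The error path in the new `bk)` arm redirects with `2>&2`, which points stderr at itself and leaves the message on stdout where a cron or log-once wrapper will not treat it as an error; it should read `echo "$0: error: first, on a system with /p/c/filesystem, run mail-setup, or the vpn-mk-client-cert line above this err" >&2`. The `exit 1` itself is fine, but note the check runs after the `vpn-mk-client-cert` lines just above it, so it reports rather than prevents the missing `/etc/openvpn/client/mail.conf`. The `fi` that precedes the case closes a block that starts outside this hunk.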
m ln -sf -T /m/md/bounces $d
done
-# Note, even the server needs permissions of this file right
-# if it exists, so do this up here.
+# dkim, client passwd file
+files=(/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/*)
f=/p/c/filesystem/etc/exim4/passwd.client
-if [[ ! -e $f ]]; then
- f=/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/passwd.client
+if [[ -e $f ]]; then
+ files+=($f)
+fi
+if (( ${#files[@]} )); then
+ m rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
+ ${files[@]} /etc/exim4
fi
-m rsync -ahhi --chown=root:Debian-exim --chmod=0640 $f /etc/exim4/
# by default, only 10 days of logs are kept. increase that.
m sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base
# todo, consider 'separate' in etc/exim4.conf, could it help on busy systems?
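Review bot: `files=(/p/c/machine_specific/$HOSTNAME/filesystem/etc/exim4/*)` is expanded without `nullglob` (the only shopt visible on this page is `extglob`), so on a host whose machine_specific directory has no exim4 files the array holds the literal pattern, `(( ${#files[@]} ))` is true, and rsync is run against a path that does not exist. Either wrap the assignment in `shopt -s nullglob` / `shopt -u nullglob`, or replace the emptiness test with an existence test, `[[ -e ${files[0]} ]]`, before appending the shared passwd.client. The array expansion on the rsync line should also be quoted, `"${files[@]}" /etc/exim4`, since safe handling of the file list is the point of the rewrite. The `--chown=root:Debian-exim --chmod=0640` mode is appropriate for DKIM private keys and SMTP client credentials and should stay as is.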
#### begin setup alternate config for main daemon
-
-#in debian, config file used is first found of:
-#CONFIGURE_FILE=/etc/exim4/exim4.conf:/var/lib/exim4/config.autogenerated
-# but we can use this alternate for the daemon
-m update-exim4defaults -f --commonoptions '-C /etc/exim4/my.conf'
-l="UPEX4OPTS='-o /etc/exim4/my.conf'"
-if ! grep -Fxq "$l" /etc/default/exim4; then
- sed -i '/^ *UPEX4OPTS=/d' /etc/default/exim4
- echo "$l" |m tee -a /etc/default/exim4
-fi
-i /etc/exim4/trusted_configs <<'EOF'
+case $HOSTNAME in
+ bk|$MAIL_HOST)
+ # to see the default comments in /etc/default/exim4:
+ # s update-exim4defaults --force --init
+ # which will overwrite any existing file
+ i /etc/default/exim4 <<'EOF'
+QUEUERUNNER='combined'
+QUEUEINTERVAL='30m'
+COMMONOPTIONS='-C /etc/exim4/my.conf'
+UPEX4OPTS='-o /etc/exim4/my.conf'
+EOF
+ i /etc/exim4/trusted_configs <<'EOF'
/etc/exim4/my.conf
EOF
+ ;;
+ *)
+ # default file
+ i /etc/default/exim4 <<'EOF'
+QUEUERUNNER='combined'
+QUEUEINTERVAL='30m'
+EOF
+ ;;
+esac
#### end setup alternate config for main daemon
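Review bot: Writing `/etc/exim4/my.conf` into `/etc/exim4/trusted_configs` is what lets the daemon keep root when started with `-C /etc/exim4/my.conf`, so the ownership and mode of my.conf become security-relevant: Exim checks a `-C` config file's owner and writability before keeping privileges and silently drops root otherwise (confirm the exact rule against the Exim version in use). Nothing in this hunk shows how my.conf is installed, so a comment next to the trusted_configs heredoc, e.g. `# my.conf must be root-owned and not group/world-writable or exim drops root when started with -C`, plus an explicit chmod where the file is written, would make that dependency visible. Also note that `i /etc/default/exim4 <<'EOF'` now replaces the whole file where the old code only edited UPEX4OPTS, so any other per-host settings there are lost; the comment above it suggests that is intended, but it is worth stating explicitly.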
# alerts is basically the postmaster address
# rfc, but this messes up mailing lists, like gnu/debian which want to
# keep your dkim signature intact but add list- headers.
DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+
+
+hostlist iank_trusted = <; \\
+# veth0
+10.173.8.1 ; \\
+# li li_ip6
+72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8; \\
+# li_vpn_net li_vpn_net_ip6
+10.8.0.0/24; 2600:3c00:e000:280::/64 ; \\
+# bk bk_ip6
+85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; \\
+# fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net
+18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28
EOF
# This file only exists in the nn config. for bk to accept mail
# pretty quickly looking through my spam folder.
warn
- # all internal ips.
- # veth0 li li_ip6 li_vpn_net li_vpn_net_ip6 bk bk_ip6 fsf_mit_net fsf_mit_net_ip6 fsf_net fsf_net_ip6 fsf_office_net
- !hosts = <; 10.173.8.1 ; 72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8; 10.8.0.0/24; 2600:3c00:e000:280::/64 ; 85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28
+ !hosts = +iank_trusted
remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : X-Spam_report
warn
- !hosts = <; 10.173.8.1 ; 72.14.176.105 ; 2600:3c00::f03c:91ff:fe6d:baf8; 10.8.0.0/24; 2600:3c00:e000:280::/64 ; 85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; 18.4.89.0/24 ; 2603:3005:71a:2e00::/64 ; 209.51.188.0/24 ; 2001:470:142::/48 ; 74.94.156.208/28
+ !hosts = +iank_trusted
condition = ${if < {$message_size}{5000K}}
spam = Debian-exim:true
add_header = X-Spam_score_int: $spam_score_int
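Review bot: Both `!hosts = +iank_trusted` conditions mean a sender in that list skips the `spam =` scan entirely and keeps whatever X-Spam_* headers it presents, and the list (defined in the preceding hunk) now covers whole networks (10.8.0.0/24, 2600:3c00:e000:280::/64, 18.4.89.0/24, 209.51.188.0/24, 2001:470:142::/48, 74.94.156.208/28) rather than the individual peer hosts it replaced. That is a deliberate trust decision, but a one-line comment on the hostlist, `# hosts here bypass spam scanning and may set X-Spam_* headers — only hosts you control belong here`, would keep it from being widened casually. If any VPN client other than your own machines can obtain an address in 10.8.0.0/24, consider using a narrower list for these ACL conditions than for `smtp_reserve_hosts`.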
# * dovecot
case $HOSTNAME in
- $MAIL_HOST|bk)
+ $MAIL_HOST|bk|je)
# based on a little google and package search, just the dovecot
# packages we need instead of dovecot-common.
#
# sieve has the benefit of being supported in postfix and
# proprietary/weird environments, so there is more examples on the
# internet.
- pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite
+ pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd dovecot-sqlite sqlite3
for f in /p/c{/machine_specific/$HOSTNAME,}/filesystem/etc/dovecot/users; do
if [[ -e $f ]]; then
}
EOF
;;&
- bk)
+ bk|je)
chown -R mail.mail /m/md
f=/etc/dovecot/conf.d/10-auth.conf
stop;
}
EOF
- m sievec /etc/dovecot/sieve-spam.sieve
-
i /etc/dovecot/local.conf.ext <<'EOF'
passdb {
#insert into users (email, password) values ('testignore@bk.b8.nz', 'hash');
#EOF
# update users set password = 'hash' where email = 'testignore@bk.b8.nz';
+
+ # this should be at the end since it requires a valid dovecot config
+ m sievec /etc/dovecot/sieve-spam.sieve
;;
esac
if [[ $HOSTNAME == bk ]]; then
- ### begin composer install
- # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
- cd $(mktemp -d)
- sum="$(wget -q -O - https://composer.github.io/installer.sig)"
- m php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
- if [[ $sum != $(php -r "echo hash_file('sha384', 'composer-setup.php');") ]]; then
- echo 'ERROR: Invalid composer installer checksum' >&2
- rm -fv composer-setup.php
- exit 1
- fi
- m php composer-setup.php --quiet
- rm -fv composer-setup.php
- m mv composer.phar /usr/local/bin
- ### end composer install
-
# avoid prompt
export DEBIAN_FRONTEND=noninteractive
# zip according to /installer
# which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php
# $config['enable_installer'] = true;
- pi roundcube roundcube-sqlite3 php-zip
+ pi roundcube roundcube-sqlite3 php-zip apache2 php-fpm
+
+ ### begin composer install
+ # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
+ # cd $(mktemp -d)
+ # sum="$(wget -q -O - https://composer.github.io/installer.sig)"
+ # m php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ # if [[ $sum != $(php -r "echo hash_file('sha384', 'composer-setup.php');") ]]; then
+ # echo 'ERROR: Invalid composer installer checksum' >&2
+ # rm -fv composer-setup.php
+ # exit 1
+ # fi
+ # m php composer-setup.php --quiet
+ # rm -fv composer-setup.php
+ # m mv composer.phar /usr/local/bin
+
+ # the above method gets composer2, carddav plugin at least doesnt work with that
+ # yet, it was just released 10-24-2020.
+ m cd /usr/local/bin
+ m wget -nv -N https://getcomposer.org/composer-1.phar
+ chmod +x composer-1.phar
+ ### end composer install
+
rcdirs=(/usr/local/lib/rcexpertpath /usr/local/lib/rcninja)
ncdirs=(/var/www/ncexpertpath /var/www/ncninja)
# point debian cronjob to our local install, preventing daily cron error
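Review bot: The new composer install fetches `https://getcomposer.org/composer-1.phar` with `wget -nv -N` and runs it with no integrity check at all, whereas the code it replaces (now commented out above) verified the installer against the published sha384; an unversioned phar that `-N` silently refreshes whenever the upstream timestamp changes is a weaker supply-chain position than before, and the result is executed by `sudo -u www-data composer-1.phar …` further down. getcomposer.org publishes per-version phars with a `.sha256sum` next to them, so the fix is to pin a 1.x release and verify the digest before moving the file into place; fetching the digest from the same origin only guards against a truncated or tampered-in-transit download, so the stronger form is to pin the expected sha256 in this script. The `chmod +x` line is also the only command in the block not run through `m`, which looks accidental.

```shell
# … unchanged: pi roundcube roundcube-sqlite3 php-zip apache2 php-fpm …
### begin composer install
# pin a 1.x release and verify the published digest instead of fetching an
# unversioned phar with no integrity check (carddav plugin needs composer 1)
: "${COMPOSER1_VERSION:?set to the composer 1.x release to install}"
m cd /usr/local/bin
m wget -nv -O composer-1.phar.tmp "https://getcomposer.org/download/$COMPOSER1_VERSION/composer.phar"
sum=$(wget -q -O - "https://getcomposer.org/download/$COMPOSER1_VERSION/composer.phar.sha256sum" | awk '{print $1}')
if ! printf '%s  composer-1.phar.tmp\n' "$sum" | sha256sum -c --quiet -; then
  echo "$0: ERROR: composer-1.phar checksum mismatch" >&2
  rm -f composer-1.phar.tmp
  exit 1
fi
m mv composer-1.phar.tmp composer-1.phar
m chmod +x composer-1.phar
### end composer install
```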
tar xzf $tmpd/t.tgz
rm -rf $tmpd
m chown -R www-data:www-data $rcdir/plugins/carddav
- cd $rcdir/plugins/carddav
+ m cd $rcdir/plugins/carddav
if $upgrade; then
- m sudo -u www-data composer.phar update --no-dev
+ m sudo -u www-data composer-1.phar update --no-dev
else
- m sudo -u www-data composer.phar install --no-dev
+ m sudo -u www-data composer-1.phar install --no-dev
fi
m chown -R root:root $rcdir/plugins/carddav
echo $v >$verf
.endif
EOF
;;
- bk)
+ bk|je)
# avoid accepting mail for invalid users
# https://wiki.dovecot.org/LMTP/Exim
cat >>/etc/exim4/conf.d/rcpt_local_acl <<'EOF'
case $HOSTNAME in
- # ** $MAIL_HOST|bk)
- $MAIL_HOST|bk)
+ # ** $MAIL_HOST|bk|je)
+ $MAIL_HOST|bk|je)
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# note: some things we don't set that are here by default because they are unused.
# i can send mail where port 25 is firewalled by isp
daemon_smtp_ports = 25 : 587
# default of 25, can get stuck when catching up on mail
-smtp_accept_max = 200
-smtp_accept_reserve = 50
-smtp_reserve_hosts = <; 85.119.83.50 ; 2001:ba8:1f1:f0c9::2 ; 209.51.188.13 ; 2001:470:142::13
+smtp_accept_max = 400
+smtp_accept_reserve = 100
+smtp_reserve_hosts = +iank_trusted
# options exim has to avoid having to alter the default config files
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/conf.d/rcpt_local_acl
# testing dmarc
#dmarc_tld_file = /etc/public_suffix_list.dat
EOF
+ ;;&
+ # ** $MAIL_HOST|bk)
+ $MAIL_HOST|bk)
cat >>/etc/exim4/conf.d/main/000_local-nn <<EOF
# MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
# ** bk
## we use this host to monitor MAIL_HOST and host a mail server for someone
bk)
- echo bk.b8.nz > /etc/mailname
+ echo amnimal.ninja > /etc/mailname
i /etc/myexim4/conf.d/router/180_vpnmanual <<'EOF'
# copied from dnslookup, altered domains, added route_list,
UPEX4OPTS='-d /etc/myexim4'
EOF
- # dkim, client passwd file
- m rsync -ahhi --chown=root:Debian-exim --chmod=0640 \
- /p/c/machine_specific/bk/filesystem/etc/exim4/* /etc/exim4
-
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
dc_other_hostnames='amnimal.ninja;expertpathologyreview.com'
EOF
;;
- # ** not MAIL_HOST and not bk
+ # ** je
+ je)
+ echo je.b8.nz > /etc/mailname
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+dc_other_hostnames='je.b8.nz'
+EOF
+
+ ;;
+ # ** not MAIL_HOST|bk|je
*)
for unit in ${nn_progs[@]}; do
f=/etc/systemd/system/$unit.service.d/nn.conf
-# ** $MAILHOST & bk, things that belong at the end
+# ** $MAILHOST|bk, things that belong at the end
case $HOSTNAME in
$MAIL_HOST|bk)
# config for the non-nn exim
m rsync -ra --delete /etc/exim4/ /etc/myexim4
cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
dc_eximconfig_configtype='smarthost'
-dc_smarthost='10.173.8.2'
+dc_smarthost='nn.b8.nz'
EOF
;;&
bk)
m systemctl daemon-reload
fi
-m systemctl start mailcert
+case $HOSTNAME in
+ je)
+ /a/exe/web-conf apache2 je.b8.nz
+ ;;
+ bk)
+ /a/exe/web-conf apache2 mail2.iankelling.org
+ ;;
+esac
+
+m /a/bin/ds/mail-cert-cron -1
sre mailcert.timer
case $HOSTNAME in
# If mailvpn has changes, id rather manually restart it, id rather
# not restart and lose connectivity.
sstart mailnn mailvpn
+ ;;
+ $MAIL_HOST|bk|je)
# start spamassassin/dovecot before exim.
sre dovecot spamassassin
sstart mailclean.timer
;;
*)
- soff mailclean.timer
soff mailclean.timer dovecot spamassassin mailvpn mailnn
;;
esac
# * mail monitoring / testing
case $HOSTNAME in
- $MAIL_HOST|bk)
+ $MAIL_HOST|bk|je)
# note: cronjob "ian" also does some important monitoring
# todo: setup test mail cron for 3rd host
cat >/etc/cron.d/mailtest <<EOF
;;&
$MAIL_HOST)
test_from=ian@iankelling.org
- test_to=testignore@expertpathologyreview.com
+ test_to="testignore@expertpathologyreview.com, testignore@je.bk.nz"
cat >>/etc/cron.d/mailtest <<EOF
2 * * * * $u check-remote-mailqs |& log-once check-remote-mailqs
;;&
bk)
test_from=testignore@expertpathologyreview.com
- test_to=testignore@iankelling.org
+ test_to="testignore@iankelling.org, testignore@je.bk.nz"
;;&
- $MAIL_HOST|bk)
+ je)
+ test_from=testignore@je.b8.nz
+ test_to="testignore@iankelling.org, testignore@expertpathologyreview.com"
+ ;;&
+ $MAIL_HOST|bk|je)
cat >/usr/local/bin/send-test-forward <<EOFOUTER
#!/bin/bash
/usr/sbin/exim -f $test_from -t <<EOF
From: $test_from
To: $test_to
-Subject: primary_test \$(date +%s) \$(date +%Y-%m-%dT%H:%M:%S%z)
+Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$(date +%s)
/usr/local/bin/send-test-forward
EOF
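Review bot: The two new recipient lists `test_to="testignore@expertpathologyreview.com, testignore@je.bk.nz"` and `test_to="testignore@iankelling.org, testignore@je.bk.nz"` use `je.bk.nz`, which appears nowhere else on this page; the je host is configured as `je.b8.nz` (`echo je.b8.nz > /etc/mailname`, `dc_other_hostnames='je.b8.nz'`, `test_from=testignore@je.b8.nz`), so this looks like a typo for `je.b8.nz`. As written the hourly test mail from $MAIL_HOST and bk is addressed to an unrelated external domain and the je leg of the monitoring never sees it. The `cat >/usr/local/bin/send-test-forward <<EOFOUTER` heredoc that follows begins in this hunk but its closing `EOFOUTER` is not visible here.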