# iank: initial file from 2.24, added to empty ARGS.
+# overlapping-blocks is for backfil of recording rules,
+# https://jessicagreben.medium.com/prometheus-fill-in-data-for-new-recording-rules-30a14ccb8467
-# Set the command-line arguments to pass to the server.
+# config.file and tsdb.path are to configure the upstream version to use
+# the default locations of the debian package.
-ARGS="--web.listen-address=127.0.0.1:9090 --web.external-url=https://i.b8.nz:9091 --log.level=info"
+# Sets the command-line arguments to pass to the server.
+ARGS="--web.listen-address=127.0.0.1:9090
+--web.external-url=https://i.b8.nz:9091
+--log.level=info
+--storage.tsdb.allow-overlapping-blocks
+--config.file=/etc/prometheus/prometheus.yml
+--storage.tsdb.path=/var/lib/prometheus/metrics2/"
-# Prometheus supports the following options:
-# --config.file="/etc/prometheus/prometheus.yml"
-# Prometheus configuration file path.
-# --web.listen-address="0.0.0.0:9090"
-# Address to listen on for UI, API, and telemetry.
-# --web.read-timeout=5m Maximum duration before timing out read of the
-# request, and closing idle connections.
-# --web.max-connections=512 Maximum number of simultaneous connections.
-# --web.external-url=<URL> The URL under which Prometheus is externally
-# reachable (for example, if Prometheus is served
-# via a reverse proxy). Used for generating
-# relative and absolute links back to Prometheus
-# itself. If the URL has a path portion, it will
-# be used to prefix all HTTP endpoints served by
-# Prometheus. If omitted, relevant URL components
-# will be derived automatically.
-# --web.route-prefix=<path> Prefix for the internal routes of web endpoints.
-# Defaults to path of --web.external-url.
-# --web.local-assets="/usr/share/prometheus/web/"
-# Path to static asset/templates directory.
-# --web.user-assets=<path> Path to user asset directory, available at
-# /user.
-# --web.enable-lifecycle Enable shutdown and reload via HTTP request.
-# --web.enable-admin-api Enable API endpoints for admin control actions.
-# --web.console.templates="/etc/prometheus/consoles"
-# Path to the console template directory,
-# available at /consoles.
-# --web.console.libraries="/etc/prometheus/console_libraries"
-# Path to the console library directory.
-# --web.page-title="Prometheus Time Series Collection and Processing Server"
-# Document title of Prometheus instance.
-# --web.cors.origin=".*" Regex for CORS origin. It is fully anchored.
-# Example: 'https?://(domain1|domain2)\.com'
-# --storage.tsdb.path="/var/lib/prometheus/metrics2/"
-# Base path for metrics storage.
-# --storage.tsdb.retention=15d
-# [DEPRECATED] How long to retain samples in
-# storage. This flag has been deprecated, use
-# "storage.tsdb.retention.time" instead
-# --storage.tsdb.retention.time=15d
-# How long to retain samples in storage. When this
-# flag is set it overrides
-# "storage.tsdb.retention".
-# If neither this flag nor "storage.tsdb.retention"
-# nor "storage.tsdb.retention.size" is set, the
-# retention time defaults to 15d.
-# Units Supported: y, w, d, h, m, s, ms.
-# --storage.tsdb.retention.size=
-# [EXPERIMENTAL] Maximum number of bytes that can
-# be stored for blocks. Units supported: KB, MB,
-# GB, TB, PB. This flag is experimental and can be
-# changed in future releases.
-# --storage.tsdb.use-lockfile
-# Create a lockfile in data directory.
-# --storage.tsdb.allow-overlapping-blocks
-# [EXPERIMENTAL] Allow overlapping blocks, which
-# in turn enables vertical compaction and
-# vertical query merge.
-# --storage.tsdb.wal-compression
-# Compress the tsdb WAL.
-# --storage.remote.flush-deadline=<duration>
-# How long to wait flushing sample on shutdown or
-# config reload.
-# --storage.remote.read-sample-limit=5e7
-# Maximum overall number of samples to return via
-# the remote read interface, in a single query. 0
-# means no limit. This limit is ignored for
-# streamed response types.
-# --storage.remote.read-concurrent-limit=10
-# Maximum number of concurrent remote read calls.
-# 0 means no limit.
-# --storage.remote.read-max-bytes-in-frame=1048576
-# Maximum number of bytes in a single frame for
-# streaming remote read response types before
-# marshalling. Note that client might have limit on
-# frame size as well. 1MB as recommended by
-# protobuf by default.
-# --rules.alert.for-outage-tolerance=1h
-# Max time to tolerate prometheus outage for
-# restoring "for" state of alert.
-# --rules.alert.for-grace-period=10m
-# Minimum duration between alert and restored "for"
-# state. This is maintained only for alerts with
-# configured "for" time greater than grace period.
-# --rules.alert.resend-delay=1m
-# Minimum amount of time to wait before resending
-# an alert to Alertmanager.
-# --alertmanager.notification-queue-capacity=10000
-# The capacity of the queue for pending
-# Alertmanager notifications.
-# --alertmanager.timeout=10s
-# Timeout for sending alerts to Alertmanager.
-# --query.lookback-delta=5m The maximum lookback duration for retrieving
-# metrics during expression evaluations and
-# federation.
-# --query.timeout=2m Maximum time a query may take before being
-# aborted.
-# --query.max-concurrency=20
-# Maximum number of queries executed concurrently.
-# --query.max-samples=50000000
-# Maximum number of samples a single query can load
-# into memory. Note that queries will fail if they
-# try to load more samples than this into memory,
-# so this also limits the number of samples a query
-# can return.
-# --log.level=info Only log messages with the given severity or
-# above. One of: [debug, info, warn, error]
-# --log.format=logfmt Output format of log messages. One of: [logfmt,
-# json]
+
+# --config.file="prometheus.yml"
+# Prometheus configuration file path.
+# --web.listen-address="0.0.0.0:9090"
+# Address to listen on for UI, API, and telemetry.
+# --web.config.file="" [EXPERIMENTAL] Path to configuration file that can enable TLS or authentication.
+# --web.read-timeout=5m Maximum duration before timing out read of the request, and closing idle connections.
+# --web.max-connections=512 Maximum number of simultaneous connections.
+# --web.external-url=<URL> The URL under which Prometheus is externally reachable (for example, if Prometheus is served via a reverse proxy). Used for generating relative and absolute links back to
+# Prometheus itself. If the URL has a path portion, it will be used to prefix all HTTP endpoints served by Prometheus. If omitted, relevant URL components will be derived
+# automatically.
+# --web.route-prefix=<path> Prefix for the internal routes of web endpoints. Defaults to path of --web.external-url.
+# --web.user-assets=<path> Path to static asset directory, available at /user.
+# --web.enable-lifecycle Enable shutdown and reload via HTTP request.
+# --web.enable-admin-api Enable API endpoints for admin control actions.
+# --web.enable-remote-write-receiver
+# Enable API endpoint accepting remote write requests.
+# --web.console.templates="consoles"
+# Path to the console template directory, available at /consoles.
+# --web.console.libraries="console_libraries"
+# Path to the console library directory.
+# --web.page-title="Prometheus Time Series Collection and Processing Server"
+# Document title of Prometheus instance.
+# --web.cors.origin=".*" Regex for CORS origin. It is fully anchored. Example: 'https?://(domain1|domain2)\.com'
+# --storage.tsdb.path="data/"
+# Base path for metrics storage. Use with server mode only.
+# --storage.tsdb.retention=STORAGE.TSDB.RETENTION
+# [DEPRECATED] How long to retain samples in storage. This flag has been deprecated, use "storage.tsdb.retention.time" instead. Use with server mode only.
+# --storage.tsdb.retention.time=STORAGE.TSDB.RETENTION.TIME
+# How long to retain samples in storage. When this flag is set it overrides "storage.tsdb.retention". If neither this flag nor "storage.tsdb.retention" nor
+# "storage.tsdb.retention.size" is set, the retention time defaults to 15d. Units Supported: y, w, d, h, m, s, ms. Use with server mode only.
+# --storage.tsdb.retention.size=STORAGE.TSDB.RETENTION.SIZE
+# Maximum number of bytes that can be stored for blocks. A unit is required, supported units: B, KB, MB, GB, TB, PB, EB. Ex: "512MB". Based on powers-of-2, so 1KB is 1024B. Use
+# with server mode only.
+# --storage.tsdb.no-lockfile
+# Do not create lockfile in data directory. Use with server mode only.
+# --storage.tsdb.allow-overlapping-blocks
+# Allow overlapping blocks, which in turn enables vertical compaction and vertical query merge. Use with server mode only.
+# --storage.tsdb.head-chunks-write-queue-size=0
+# Size of the queue through which head chunks are written to the disk to be m-mapped, 0 disables the queue completely. Experimental. Use with server mode only.
+# --storage.agent.path="data-agent/"
+# Base path for metrics storage. Use with agent mode only.
+# --storage.agent.wal-compression
+# Compress the agent WAL. Use with agent mode only.
+# --storage.agent.retention.min-time=STORAGE.AGENT.RETENTION.MIN-TIME
+# Minimum age samples may be before being considered for deletion when the WAL is truncated Use with agent mode only.
+# --storage.agent.retention.max-time=STORAGE.AGENT.RETENTION.MAX-TIME
+# Maximum age samples may be before being forcibly deleted when the WAL is truncated Use with agent mode only.
+# --storage.agent.no-lockfile
+# Do not create lockfile in data directory. Use with agent mode only.
+# --storage.remote.flush-deadline=<duration>
+# How long to wait flushing sample on shutdown or config reload.
+# --storage.remote.read-sample-limit=5e7
+# Maximum overall number of samples to return via the remote read interface, in a single query. 0 means no limit. This limit is ignored for streamed response types. Use with
+# server mode only.
+# --storage.remote.read-concurrent-limit=10
+# Maximum number of concurrent remote read calls. 0 means no limit. Use with server mode only.
+# --storage.remote.read-max-bytes-in-frame=1048576
+# Maximum number of bytes in a single frame for streaming remote read response types before marshalling. Note that client might have limit on frame size as well. 1MB as
+# recommended by protobuf by default. Use with server mode only.
+# --rules.alert.for-outage-tolerance=1h
+# Max time to tolerate prometheus outage for restoring "for" state of alert. Use with server mode only.
+# --rules.alert.for-grace-period=10m
+# Minimum duration between alert and restored "for" state. This is maintained only for alerts with configured "for" time greater than grace period. Use with server mode only.
+# --rules.alert.resend-delay=1m
+# Minimum amount of time to wait before resending an alert to Alertmanager. Use with server mode only.
+# --alertmanager.notification-queue-capacity=10000
+# The capacity of the queue for pending Alertmanager notifications. Use with server mode only.
+# --query.lookback-delta=5m The maximum lookback duration for retrieving metrics during expression evaluations and federation. Use with server mode only.
+# --query.timeout=2m Maximum time a query may take before being aborted. Use with server mode only.
+# --query.max-concurrency=20
+# Maximum number of queries executed concurrently. Use with server mode only.
+# --query.max-samples=50000000
+# Maximum number of samples a single query can load into memory. Note that queries will fail if they try to load more samples than this into memory, so this also limits the
+# number of samples a query can return. Use with server mode only.
+# --enable-feature= ... Comma separated feature names to enable. Valid options: agent, exemplar-storage, expand-external-labels, memory-snapshot-on-shutdown, promql-at-modifier,
+# promql-negative-offset, remote-write-receiver (DEPRECATED), extra-scrape-metrics, new-service-discovery-manager. See https://prometheus.io/docs/prometheus/latest/feature_flags/
+# for more details.
+# --log.level=info Only log messages with the given severity or above. One of: [debug, info, warn, error]
+# --log.format=logfmt Output format of log messages. One of: [logfmt, json]
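Review bot: The header comment says `--storage.tsdb.allow-overlapping-blocks` is there for a backfill of recording rules, but the new ARGS value leaves it switched on permanently, and the pasted help text further down notes that it also enables vertical compaction and vertical query merge; the comment should say whether the flag is meant to stay after the backfill, e.g. `# allow-overlapping-blocks stays on after the backfill; it also enables vertical compaction`. The ARGS assignment now spans several physical lines inside one double-quoted string, which only works if whatever consumes this file (presumably the unit's EnvironmentFile= handling plus an unquoted $ARGS expansion) accepts embedded newlines and splits on them; a one-line comment above ARGS such as `# one argument per line; the consumer word-splits on newlines` would make that dependency explicit, or backslash continuations would avoid it. The listen address stays on loopback while --web.external-url points at the proxied port, which is consistent with the help text's description of external-url and needs no change.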
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: setup a logrotate for /var/log/mymain and mypanic
+
+# todo: setup an alert for bouncing test emails.
+
+# todo: bounces to my fsf mail can come from fsf@iankelling.org,
+# think about making bounces go from the original address.
# todo: add a prometheus alert for dovecot.
port = 25,587
filter = exim
banaction = iptables-exim
+
+# 209.51.188.13 = mail.fsf.org
+# 2001:470:142::13 = mail.fsf.org
+# 209.51.188.92 = eggs.gnu.org
+# 2001:470:142:3::10 = eggs.gnu.org
+# 72.14.176.105 2600:3c00:e000:280::2 = mail.iankelling.org
+# 10.173.8.1 = non-nn net
+ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
EOF
if $ir; then
m systemctl restart fail2ban
EOF
echo|i /etc/exim4/conf.d/router/880_universal_forward
+
+ cat >>/etc/exim4/conf.d/main/000_local <<EOF
+MAILDIR_HOME_MAILDIR_LOCATION = /m/md/Sent
+EOF
+
# for iank@fsf.org, i have mail.fsf.org forward it to fsf@iankelling.org.
# and also have mail.iankelling.org whitelisted as a relay domain.
# I could avoid that if I changed this to submit to 587 with a
# password like a standard mua.
i /etc/exim4/conf.d/router/188_exim4-config_smarthost <<'EOF'
+# ian: save a copy of sent mail. i thought of other ways to
+# do this, for example, to only save sent mail that is not sent
+# from my mail client which saves a copy by default, but in the
+# end, it seems simplest to turn that off. We want to save
+# external mail sent by smarthosts.
+sentarchive:
+ driver = redirect
+ domains = ! +local_domains
+ condition = ${if !bool{${lookup{$local_part@$domain}lsearch{/etc/exim4/ignore-sent}{true}}}}
+ data = vojdedIdNejyebni@b8.nz
+ unseen
+
# ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
# replaced DCsmarthost with hostname
fsfsmarthost:
host_find_failed = ignore
same_domain_copy_routing = yes
no_more
-
EOF
# Greping /etc/exim4, unqualified mails this would end up as
$MAIL_HOST|bk)
# config for the non-nn exim
m rsync -ra --delete /etc/exim4/ /etc/myexim4
+ cat >>/etc/myexim4/conf.d/main/000_local-nn <<'EOF'
+# this makes it easier to see which exim is doing what
+log_file_path = /var/log/exim4/my%s
+EOF
# If we ever wanted to have a separate spool,
# we could do it like this.
# cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
;;&
$MAIL_HOST)
test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
- test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz, testignore@amnimal.ninja, jtuttle@gnu.org"
+ test_tos=(testignore@expertpathologyreview.com testignore@je.b8.nz testignore@amnimal.ninja jtuttle@gnu.org)
cat >>/etc/cron.d/mailtest <<EOF
0 13 * * * root echo "1pm alert. You are not in the matrix."
;;&
bk)
test_froms=(testignore@expertpathologyreview.com testignore@amnimal.ninja)
- test_to="testignore@iankelling.org, testignore@zroe.org, testignore@je.b8.nz"
+ test_tos=(testignore@iankelling.org testignore@zroe.org testignore@je.b8.nz)
;;&
je)
test_froms=(testignore@je.b8.nz)
- test_to="testignore@iankelling.org, testignore@zroe.org, testignore@expertpathologyreview.com, testignore@amnimal.ninja"
+ test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
;;&
$MAIL_HOST|bk|je)
+ test_to=${test_tos[0]}
+ # dont put these test messages into the sent folder or else it will
+ # overwhelm it, plus i dont want to save a copy at all.
+ echo $test_to > /etc/exim4/ignore-sent
+ for t in ${test_tos[@]:1}; do
+ test_to+=", $t"
+ echo $t >> /etc/exim4/ignore-sent
+ done
cat >/usr/local/bin/send-test-forward <<'EOF'
#!/bin/bash
olds=(