HISTIGNORE='pass *:[ ]*:otp *:oathtool *'
#### begin section that works with sl() function to return from
-#### noninteractive ssh shells
-if [[ $SSH_CONNECTION ]] \
- && [[ $LC_USEBASHRC != t ]]; then
+# noninteractive ssh shells, or tty. tty because often i
+# use it when something is going and io is slow and my bashrc
+# is too slow.
+if [[ $SSH_CONNECTION && $LC_USEBASHRC != t || $TERM == linux ]]; then
# Here we did not opt-in to running our .bashrc file so we just
# return, but we still setup a function to source it without returning
# so if we want it we don't have to restart our ssh connection.
-o -name .undo-tree-history -prune \) -iname "*$**" 2>/dev/null
}
+ifd() {
+ # insensitive find directory
+ find -L . -type d -not \( -name .svn -prune -o -name .git -prune \
+ -o -name .hg -prune -o -name .editor-backups -prune \
+ -o -name .undo-tree-history -prune \) -iname "*$**" 2>/dev/null
+}
+
+
ipdrop() {
sudo iptables -A INPUT -s $1 -j DROP
}
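Review bot: The prune expression in ifd at L17-L19 is a verbatim copy of the one in the sibling function that ends at L14, so the two lists will drift the next time a directory such as `.undo-tree-history` is added to only one of them. Hoisting it into a shared array, e.g. `find_prune=( '(' -name .svn -prune -o -name .git -prune -o -name .hg -prune -o -name .editor-backups -prune -o -name .undo-tree-history -prune ')' )`, and writing `-not "${find_prune[@]}"` in both keeps them in step. Note also that `"*$**"` joins all arguments with a space into one case-insensitive glob, so several words match their concatenation rather than any of them; if that is intended, a one-line comment saying so would help.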
f=/etc/dnsmasq-servers.conf
hr; echo $f:; ccat $f
fi
+ hr
+ echo /etc/nsswitch.conf:
+ grep '^ *files' /etc/nsswitch.conf
if systemctl is-enabled systemd-resolved &>/dev/null || [[ $(systemctl is-active systemd-resolved ||:) != inactive ]]; then
hr; m ser status systemd-resolved | cat || :
hr; m systemd-resolve --status | cat
fi
}
+cp-blocked-domains-to-brains() {
+ cp /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn
+}
+cp-blocked-domains-to-ansible() {
+ cp /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains
+}
+
+
anki() {
# crashes on adding new cards in t9
schroot -c buster -- anki
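Review bot: `grep '^ *files' /etc/nsswitch.conf` at L31 will most likely print nothing: every line of nsswitch.conf begins with a database name such as `hosts:` or `passwd:`, so no line starts with `files`. Given the surrounding output (dnsmasq servers, resolved status) this looks like it meant to show the hosts lookup order, i.e. `grep '^ *hosts' /etc/nsswitch.conf`. The function this hunk belongs to starts outside the hunk.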
##### use systemd-resolved for glibc resolutions
+
+pi libnss-resolve
+
if [[ ! -L /etc/nsswitch.conf ]]; then
- sudo mkdir -p /etc/nsswitch
- sudo mv /etc/nsswitch.conf /etc/nsswitch
- sudo ln -sf /etc/nsswitch/nsswitch.conf /etc
+ sudo mkdir -p /etc/resolved-nsswitch
+ sudo mv /etc/nsswitch.conf /etc/resolved-nsswitch
+ sudo ln -sf /etc/resolved-nsswitch/nsswitch.conf /etc
fi
-f=/etc/nn-resolv/nsswitch.conf
+f=/etc/basic-nsswitch/nsswitch.conf
if [[ ! -e $f ]]; then
sudo mkdir -p ${f%/*}
sudo cp /etc/nsswitch.conf $f
sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f
fi
-
-f=/etc/apparmor.d/abstractions/nameservice
-if ! grep -q /etc/nsswitch/nsswitch.conf $f; then
- sudo sed -i '/\/etc\/nsswitch.conf/a /etc/nsswitch/nsswitch.conf r,' $f
- m ser reload apparmor
-fi
-
-pi libnss-resolve
-# default is
-# files mdns4_minimal [NOTFOUND=return] dns myhostname
-# mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
-# https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
-# seems more important than some potential use case.
-# Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
-# removing files makes hostname -f not actually give the fully qualified domain name.
case $HOSTNAME in
bk)
sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf
;;
*)
- sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf
+ # default is
+ # files mdns4_minimal [NOTFOUND=return] dns myhostname
+ # mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
+ # https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
+ # seems more important than some potential use case.
+ # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
+ # removing files makes hostname -f not actually give the fully qualified domain name.
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/resolved-nsswitch/nsswitch.conf
;;
esac
+f=/etc/apparmor.d/abstractions/nameservice
+if [[ -e $f ]] && ! grep -q /etc/nsswitch/nsswitch.conf $f; then
+ sudo sed -i '/\/etc\/nsswitch.conf/a /etc/resolved-nsswitch/nsswitch.conf r,' $f
+ sudo sed -i '/\/etc\/nsswitch.conf/a /etc/basic-nsswitch/nsswitch.conf r,' $f
+ if sytemctl is-enabled apparmor; then
+ m ser reload apparmor
+ fi
+fi
+
+
+
if dpkg -s -- nscd &>/dev/null; then
sudo apt-get -y remove --purge --auto-remove nscd
sudo systemctl stop nscd ||: # fails if already stopped
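Review bot: The AppArmor block at L98-L105 cannot do what it intends: the guard at L99 greps for the old path `/etc/nsswitch/nsswitch.conf`, which this same commit stops creating, while the sed lines insert `/etc/resolved-nsswitch/...` and `/etc/basic-nsswitch/...`, so the guard never sees the lines it adds and both rules are appended again on every run (or, on a host that still has the old line, never added). The reload at L102 is also dead because `sytemctl` is misspelled, so the test fails and apparmor keeps the old abstraction until something else reloads it, leaving confined resolvers unable to read the new nsswitch files. Suggested: `if [[ -e $f ]] && ! grep -q /etc/resolved-nsswitch/nsswitch.conf $f; then` and `if systemctl -q is-enabled apparmor; then`.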
first_root_crypt=$(awk '$2 == "/" {print $1}' /etc/mtab)
tu /etc/fstab <<EOF
-$first_root_crypt /nocow btrfs noatime,subvol=nocow 0 0
+$first_root_crypt /nocow btrfs noatime,subvol=nocow$( ((`nproc` > 2)) && echo ,compress=zstd ) 0 0
EOF
sudo mkdir -p $dir
sudo chown $USER:$USER $dir
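Review bot: The inline `$( ((`nproc` > 2)) && echo ,compress=zstd )` at L115 duplicates the nproc test that the fstab section later in this diff keeps in a `mopts` variable, and it is applied to the subvolume mounted at /nocow; btrfs does not compress nodatacow files, so if that subvolume holds `chattr +C` data (its name suggests so) the option is a no-op there. Either drop it for this line or compute the option once, e.g. `compress=; (( $(nproc) > 2 )) && compress=,compress=zstd`, and append `$compress` only to lines that benefit. A short comment stating whether nocow data is expected to compress would settle it.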
[Unit]
Description=vpn-static-ip
-
+After=syslog.target network-online.target vpn-static-ip@%i.service
+Wants=network-online.target
[Service]
Type=oneshot
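Review bot: `After=... vpn-static-ip@%i.service` at L122 reads as a self-reference if this heredoc is vpn-static-ip@.service itself, which `Description=vpn-static-ip` suggests; systemd ignores an After= on a unit's own name, so the ordering would be a no-op. If the unit is instead something that must run after the static-ip rewrite (an openvpn instance, say), the Description is misleading and should name that unit. `syslog.target` is obsolete in current systemd and can be dropped. The unit body continues outside the hunk.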
#!/bin/bash
+
+# todo: figure out
+
# * intro
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: monitor for msft unblock, and then remove on bk:
+# /etc/exim4/conf.d/router/190_msft
+# dnslookup_msft
+# domains = hotmail.com : live.com : msn.com : passport.com : outlook.com
+
+
# todo: on bk, dont send email if mailvpn is not up
# todo: disable postgrey
#
# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
-# * other dms
+# * other dns
# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
# * mail vpn config
-i /etc/systemd/system/mailnn.service <<'EOF'
-[Unit]
-Description=Network Namespace for mailvpn.service
-After=syslog.target network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-PrivateNetwork=true
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
-ExecStart=/bin/sleep infinity
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-# old service name
-rm -fv /etc/systemd/system/openvpn-client-mail@.service
+case $HOSTNAME in
+ $MAIL_HOST)
+ bindpaths="/etc/127.0.0.1-resolv:/run/systemd/resolve /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind"
+ ;;&
+ bk)
+ bindpaths="/etc/10.173.8.1-resolv:/etc/127.0.0.1-resolv"
+ ;;&
+esac
# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
-i /etc/systemd/system/mailvpn.service <<'EOF'
+i /etc/systemd/system/mailvpn.service <<EOF
[Unit]
Description=OpenVPN tunnel for mail
After=syslog.target network-online.target mailnn.service
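Review bot: `bindpaths` at L167-L174 is only set for `$MAIL_HOST` and `bk`; on any other host the now-unquoted heredoc at L177 writes an empty `BindPaths=` into mailvpn.service, silently losing the resolv.conf/nsswitch override whose purpose (per the comment at L181-L183) is to keep DNS from leaking out of the VPN namespace. Switching from `<<'EOF'` to `<<EOF` also means every `$` in the unit body is now shell-expanded, so any `$` in ExecStart or Environment lines of this unit would be mangled. Suggest guarding before the heredoc with `: "${bindpaths:?no bindpaths defined for $HOSTNAME}"` and escaping any other `$` in the unit as `\$`. The mailvpn.service heredoc continues outside the hunk.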
# dns from leaking in my network namespaced vpn.
# I also like the idea of patching systemd-resolved so it
# will listen on other interfaces, but its not worth my time.
-BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind
+BindPaths=$bindpaths
Restart=always
# time to sleep before restarting a service
RestartSec=1
WantedBy=multi-user.target
EOF
+i /etc/systemd/system/mailnn.service <<'EOF'
+[Unit]
+Description=Network Namespace for mailvpn.service
+After=syslog.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+PrivateNetwork=true
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# old service name
+rm -fv /etc/systemd/system/openvpn-client-mail@.service
+
# We use a local unbound because systemd-resolved wont accept our
# request, it will only listen to 127.0.0.53 in the main network
# namespace, and rejected feature requests to change that (although I
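Review bot: The moved mailnn.service at L191-L206 serializes namespace setup on `/tmp/newns.flock`; a lock file in world-writable /tmp can be pre-created and held by any local user, which makes both `flock -w 20` calls time out so ExecStartPre fails and the namespace never comes up (or, on stop, is never torn down). A root-run unit should lock under a root-only directory, e.g. `/run/lock/newns.flock`. This is a pre-existing choice, but the move is the moment to fix it; the unit that `BindPaths=$bindpaths` at L185 belongs to starts outside the hunk.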
#
# If we ever notice this change, chattr +i on it
# trust-ad is used in t10+, glibc 2.31
-i /etc/nn-resolv/stub-resolv.conf <<'EOF'
+
+i /etc/127.0.0.1-resolv/stub-resolv.conf <<'EOF'
nameserver 127.0.0.1
options edns0 trust-ad
EOF
-i /etc/bk-resolv/stub-resolv.conf <<'EOF'
+i /etc/127.0.0.53-resolv/stub-resolv.conf <<'EOF'
+nameserver 127.0.0.53
+options edns0 trust-ad
+EOF
+
+
+i /etc/10.173.8.1-resolv/stub-resolv.conf <<'EOF'
nameserver 10.173.8.1
options edns0 trust-ad
EOF
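Review bot: The renamed stub files keep `options edns0 trust-ad` for every nameserver, including `10.173.8.1` at L230-L233; `trust-ad` tells glibc to accept the AD (authenticated data) bit from that server, which resolv.conf(5) says should only be set when the nameserver and the path to it are trusted. That is defensible for 127.0.0.1 (the local unbound) and 127.0.0.53 (local resolved), but for the VPN-side resolver it is an implicit trust decision worth a comment, e.g. `# trust-ad: 10.173.8.1 is our own validating resolver, reached only over the tunnel`, or dropping the option there. Nothing in this diff references `/etc/127.0.0.53-resolv`, so a comment naming which host or unit binds it would also help.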
PrivateNetwork=true
# note the nsswitch bind is actually not needed for bk, but
# its the same file so it does no harm.
-BindPaths=${r}:norbind /etc/nn-resolv:/etc/nsswitch:norbind
+BindPaths=$bindpaths
Restart=always
RestartSec=1
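Review bot: The comment at L235-L236 is now stale: it says the nsswitch bind is unnecessary on bk but harmless because it is the same file, yet with `BindPaths=$bindpaths` at L238 the bk value set earlier in this diff (`/etc/10.173.8.1-resolv:/etc/127.0.0.1-resolv`) contains no nsswitch bind at all while `$MAIL_HOST` does. Replace it with something like `# BindPaths differs per host: $MAIL_HOST overrides resolv.conf and nsswitch, bk only swaps resolv.conf to the VPN resolver`. The unit heredoc starts and ends outside the hunk.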
i /etc/default/spamassassin <<'EOF'
# defaults plus debugging flags for an issue im having
-OPTIONS="--create-prefs --max-children 5 --helper-home-dir -D dkim,dns"
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
# my additions
NICE="--nicelevel 15"
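Review bot: The comment at L242, `# defaults plus debugging flags for an issue im having`, no longer matches L244, which removed the `-D dkim,dns` debugging flags and now holds only the defaults. Change it to `# debian defaults` so the next reader does not go looking for the missing flags; if the dkim/dns issue was resolved, a word on that would be useful too.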
[Service]
PrivateNetwork=true
-BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind
+BindPaths=$bindpaths
[Install]
RequiredBy=mailvpn.service
case $HOSTNAME in
bk)
+ # todo, this should be done in distro-begin
soff systemd-resolved
- ln -sf nn-resolv/stub-resolv.conf /etc/resolv.conf
+ ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
;;&
$MAIL_HOST|bk)
sstart mailnn
# I want to hop into conversations about our mailing
# systems there, but I don't need many old messages.
myfind /m/md/l/qemu-devel/new -type f -mtime +14 -execdir rm -- '{}' +
+myfind /m/md/l/listhelper-moderatre/new -type f -mtime +14 -execdir rm -- '{}' +
myfind /m/md/{sec,Spam,Drafts,{rtcc,sysadmin}/new} -type f -mtime +100 -execdir rm -- '{}' +
myfind /m/md/log -type f -mtime +300 -execdir rm -- '{}' +
myfind /m/md/dmarc -type f -mtime +60 -execdir rm -- '{}' +
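Review bot: The new path at L266, `/m/md/l/listhelper-moderatre/new`, looks like a typo of `listhelper-moderate`; if that directory does not exist, `myfind` (presumably a find wrapper) errors on it every run and the intended expiry of that mailbox never happens. Worth verifying the maildir name on the host before this lands.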
if cryptsetup status $root_dev &>/dev/null; then
crypt_dev=$root_dev
else # if we are in a recovery boot, find the next best crypt device
- noauto=,noauto
+ mopts=,noauto
for dev in $(dmsetup ls --target crypt | awk '{print $1}'); do
dev=/dev/mapper/$dev
if awk '{print $1}' /etc/mtab | grep -Fx $dev &>/dev/null; then
fi
done
fi
-
+# dont tax the cpus of old laptops
+if ((`nproc` > 2)); then
+ mopts+=,compress=zstd
+fi
fstab <<EOF
-$crypt_dev /a btrfs noatime,subvol=a$noauto 0 0
+$crypt_dev /a btrfs noatime,subvol=a$mopts 0 0
EOF
shopt -s nullglob
f=(/mnt/root/btrbk/q.*); f=${f[0]}
if [[ -e $f ]]; then
fstab <<EOF
-$crypt_dev /q btrfs noatime,subvol=q,gid=1000$noauto 0 0
-/q/p /p none bind$noauto 0 0
+$crypt_dev /q btrfs noatime,subvol=q,gid=1000$mopts 0 0
+/q/p /p none bind$mopts 0 0
EOF
fi
f=(/mnt/root/btrbk/o.*); f=${f[0]}
if [[ -e $f ]]; then
fstab <<EOF
-$crypt_dev /o btrfs noatime,subvol=o$noauto 0 0
-/o/m /m none bind$noauto 0 0
+$crypt_dev /o btrfs noatime,subvol=o$mopts 0 0
+/o/m /m none bind$mopts 0 0
EOF
fi
if [[ $HOSTNAME == frodo ]]; then
fstab <<EOF
-$crypt_dev /i btrfs noatime,subvol=i$noauto 0 0
+$crypt_dev /i btrfs noatime,subvol=i$mopts 0 0
EOF
fi
##### end setup fstab for subvols we care about ######
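Review bot: `$mopts` now carries `compress=zstd` into the `none bind` lines at L297 and L306 as well; a bind mount inherits the options of its source, so the option is at best redundant there and util-linux may attempt a remount to apply it. Keep the two concerns separate: `noauto=,noauto` as before for every line, `mopts=$noauto` plus the compress test for the btrfs lines only, and `/q/p /p none bind$noauto 0 0` for the bind lines. Also initialize `mopts=` before the if at L270 so a value from earlier in the script cannot leak into the first branch, and prefer `$(nproc)` over backticks at L283.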
#loop-file=inf
loop-file=no
#shuffle
-#volume=20
+volume=50
#save-position-on-quit
# use --profile d
# Profiled it using time and also adding to the top of the file:
# set -x
# PS4='+ $(date "+%2N") '
+ # allow failure in case there are no snapshots yet.
# shellcheck disable=SC2012
- snaps=($(ls -1avdr /mnt/root/btrbk/$vol.20*|head -n1 || [[ $? == 141 ]] ))
+ shopt -u nullglob
+ snaps=($(ls -1avdr /mnt/root/btrbk/$vol.20* 2>/dev/null |head -n1 || : ))
+ shopt -s nullglob
now=$(date +%s)
maxtime=0
for s in ${snaps[@]}; do
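Review bot: The `shopt -u nullglob` / `shopt -s nullglob` pair at L329-L331 is load-bearing but unexplained: with nullglob on and no snapshots, the glob at L330 expands to nothing and `ls -1avdr` with no operand prints `.`, so `snaps` would hold a bogus entry instead of being empty. Say so next to it, e.g. `# nullglob must be off here: an unmatched glob must reach ls as a literal so ls fails (snaps stays empty) instead of listing the cwd`. Re-enabling nullglob unconditionally also assumes it was on before; saving the state with `shopt -q nullglob` would make the function safe to call from elsewhere. The enclosing function starts and ends outside the hunk.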
# there might be some other workaround, but just resolving to static ips
# is a simple fix.
+main() {
+ while read -r host port; do
+ while read -r ip; do
+ printf "remote %s %s\n" "$ip" "$port" >>$conf
+ ret=0
+ done < <(dig +short $host ||:)
+ done < <(sed -rn 's/^ *# *remote //p' $conf)
+
+}
+
+
sed --follow-symlinks -i '/^ *remote /d' $conf
ret=1
-while read -r host port; do
- while read -r ip; do
- printf "remote %s %s\n" "$ip" "$port" >>$conf
- ret=0
- done < <(dig +short $host ||:)
-done < <(sed -rn 's/^ *# *remote //p' $conf)
+main
+# give it one retry if it failed initially
+if (( ret )); then
+ sleep 2
+ main
+fi
+
if ((ret)); then
echo "vpn-static-ip: error: failed to set any ips" >&2
exit 1
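Review bot: `dig +short $host` at L342 prints every record in the answer chain, so when a VPN host is a CNAME the alias target lands in the config as `remote <hostname> <port>` and OpenVPN resolves it at runtime, which is exactly the DNS dependency this script exists to remove (see L335-L336). Filter to addresses, e.g. `done < <(dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' ||:)`. The retry at L358-L361 is safe only because `ret` stays 1 when nothing was written; a comment stating that `main` appends to `$conf` and must not run again after a partial success would make that invariant explicit.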