author | Ian Kelling <ian@iankelling.org> | |
Fri, 20 Nov 2020 22:25:28 +0000 (17:25 -0500) | ||
committer | Ian Kelling <ian@iankelling.org> | |
Fri, 20 Nov 2020 22:25:28 +0000 (17:25 -0500) |
index f3ea26daf1cfd4b0592405ad77020a4d7964d581..1aab809ff7ecdd534db69c9eb9a06e5a05b26cd8 100644 (file)
--- a/.bashrc
+++ b/.bashrc
HISTIGNORE='pass *:[ ]*:otp *:oathtool *'
#### begin section that works with sl() function to return from
-#### noninteractive ssh shells
-if [[ $SSH_CONNECTION ]] \
- && [[ $LC_USEBASHRC != t ]]; then
+# noninteractive ssh shells, or tty. tty because often i
+# use it when something is going and io is slow and my bashrc
+# is too slow.
+if [[ $SSH_CONNECTION && $LC_USEBASHRC != t || $TERM == linux ]]; then
# Here we did not opt-in to running our .bashrc file so we just
# return, but we still setup a function to source it without returning
# so if we want it we don't have to restart our ssh connection.
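Review bot: The rewritten `if` line relies on `&&` binding tighter than `||` inside `[[ ]]`, so it reads as (ssh session and not opted in) or console tty, which matches the comment above it, but the precedence is easy to misread the next time a term is added. Parenthesising it makes the intent explicit at no cost: `if [[ ( $SSH_CONNECTION && $LC_USEBASHRC != t ) || $TERM == linux ]]; then`. Note that the `$TERM == linux` arm now also returns early on local console logins that never involved ssh, so on the console the `sl()` function named in the comment becomes the only way to load the full rc; if that is intended, a word about it in the comment would save a later reader from treating it as a bug. The body of this `if` continues past the hunk.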
index d51ccb95b35b150c8932270e9f568cda62980eef..fcc17eb4d691b137eabb225d364affc01737cc07 100644 (file)
--- a/brc
+++ b/brc
-o -name .undo-tree-history -prune \) -iname "*$**" 2>/dev/null
}
+ifd() {
+ # insensitive find directory
+ find -L . -type d -not \( -name .svn -prune -o -name .git -prune \
+ -o -name .hg -prune -o -name .editor-backups -prune \
+ -o -name .undo-tree-history -prune \) -iname "*$**" 2>/dev/null
+}
+
+
ipdrop() {
sudo iptables -A INPUT -s $1 -j DROP
}
f=/etc/dnsmasq-servers.conf
hr; echo $f:; ccat $f
fi
+ hr
+ echo /etc/nsswitch.conf:
+ grep '^ *files' /etc/nsswitch.conf
if systemctl is-enabled systemd-resolved &>/dev/null || [[ $(systemctl is-active systemd-resolved ||:) != inactive ]]; then
hr; m ser status systemd-resolved | cat || :
hr; m systemd-resolve --status | cat
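Review bot: The new `grep '^ *files' /etc/nsswitch.conf` will normally print nothing: every line of nsswitch.conf starts with a database name (`hosts:`, `passwd:` ...) and `files` only appears after the colon, so the pattern cannot match at the start of a line. Given that the surrounding output is all about DNS, the line most likely wanted is the hosts entry, i.e. `grep '^ *hosts:' /etc/nsswitch.conf` (or `grep -E '^ *(hosts|networks):'` if both matter). If the file on these hosts really is laid out so that `files` leads a line, that is unusual enough to deserve a comment next to the grep. The enclosing function starts and ends outside this hunk.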
index 34fb1dca03bfcb68a5093f82b7aae2edae11d1b0..744a92c365e75ae5a2606f8fdcc878a17749b0a2 100644 (file)
--- a/brc2
+++ b/brc2
fi
}
+cp-blocked-domains-to-brains() {
+ cp /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn
+}
+cp-blocked-domains-to-ansible() {
+ cp /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains
+}
+
+
anki() {
# crashes on adding new cards in t9
schroot -c buster -- anki
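Review bot: Both new helpers copy unconditionally in opposite directions, so running the wrong one silently replaces whichever copy was edited most recently and nothing tells the operator. A cheap safeguard is to show what is about to be lost before copying, e.g. `diff -u "$dst" "$src"` as the first line of each function, or at minimum `cp -u -- "$src" "$dst"` so a newer destination is never clobbered. It is also worth a comment that the exim side presumably reads `bad-sender_domains` as a plain domain list (not visible here), so any markdown markup added on the `.mdwn` wiki side would be copied straight into the mail server's configuration by `cp-blocked-domains-to-ansible`.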
diff --git a/distro-begin b/distro-begin
index 47103e7f3ca0f254d11a2ab2db356e2c970d8159..905d36d1b7a081179a8803063e964f02852e6b28 100755 (executable)
--- a/distro-begin
+++ b/distro-begin
##### use systemd-resolved for glibc resolutions
+
+pi libnss-resolve
+
if [[ ! -L /etc/nsswitch.conf ]]; then
- sudo mkdir -p /etc/nsswitch
- sudo mv /etc/nsswitch.conf /etc/nsswitch
- sudo ln -sf /etc/nsswitch/nsswitch.conf /etc
+ sudo mkdir -p /etc/resolved-nsswitch
+ sudo mv /etc/nsswitch.conf /etc/resolved-nsswitch
+ sudo ln -sf /etc/resolved-nsswitch/nsswitch.conf /etc
fi
-f=/etc/nn-resolv/nsswitch.conf
+f=/etc/basic-nsswitch/nsswitch.conf
if [[ ! -e $f ]]; then
sudo mkdir -p ${f%/*}
sudo cp /etc/nsswitch.conf $f
sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f
fi
-
-f=/etc/apparmor.d/abstractions/nameservice
-if ! grep -q /etc/nsswitch/nsswitch.conf $f; then
- sudo sed -i '/\/etc\/nsswitch.conf/a /etc/nsswitch/nsswitch.conf r,' $f
- m ser reload apparmor
-fi
-
-pi libnss-resolve
-# default is
-# files mdns4_minimal [NOTFOUND=return] dns myhostname
-# mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
-# https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
-# seems more important than some potential use case.
-# Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
-# removing files makes hostname -f not actually give the fully qualified domain name.
case $HOSTNAME in
bk)
sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf
;;
*)
- sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf
+ # default is
+ # files mdns4_minimal [NOTFOUND=return] dns myhostname
+ # mdns4 is needed for my printer and for bbb webrtc, not sure exactly why.
+ # https://www.freedesktop.org/software/systemd/man/nss-resolve.html#
+ # seems more important than some potential use case.
+ # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
+ # removing files makes hostname -f not actually give the fully qualified domain name.
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/resolved-nsswitch/nsswitch.conf
;;
esac
+f=/etc/apparmor.d/abstractions/nameservice
+if [[ -e $f ]] && ! grep -q /etc/nsswitch/nsswitch.conf $f; then
+ sudo sed -i '/\/etc\/nsswitch.conf/a /etc/resolved-nsswitch/nsswitch.conf r,' $f
+ sudo sed -i '/\/etc\/nsswitch.conf/a /etc/basic-nsswitch/nsswitch.conf r,' $f
+ if sytemctl is-enabled apparmor; then
+ m ser reload apparmor
+ fi
+fi
+
+
+
if dpkg -s -- nscd &>/dev/null; then
sudo apt-get -y remove --purge --auto-remove nscd
sudo systemctl stop nscd ||: # fails if already stopped
first_root_crypt=$(awk '$2 == "/" {print $1}' /etc/mtab)
tu /etc/fstab <<EOF
-$first_root_crypt /nocow btrfs noatime,subvol=nocow 0 0
+$first_root_crypt /nocow btrfs noatime,subvol=nocow$( ((`nproc` > 2)) && echo ,compress=zstd ) 0 0
EOF
sudo mkdir -p $dir
sudo chown $USER:$USER $dir
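Review bot: In the new AppArmor block at the end of the resolver section, `grep -q /etc/nsswitch/nsswitch.conf $f` still tests for the old `/etc/nsswitch/` path while the two `sed -i '...a ...'` lines now add `/etc/resolved-nsswitch/nsswitch.conf` and `/etc/basic-nsswitch/nsswitch.conf`, so the guard never sees what the block writes: on every run the two lines are appended again, and on a host that still carries the old line from the previous version they are never added at all. Testing for a path that is actually written fixes both: `if [[ -e $f ]] && ! grep -q /etc/resolved-nsswitch/nsswitch.conf $f; then`. Two lines later `sytemctl is-enabled apparmor` is misspelt, so the reload never happens (the `if` just fails as command-not-found); it should read `if systemctl is-enabled apparmor &>/dev/null; then`. Until that reload runs, programs confined through the nameservice abstraction cannot read the new symlink target of /etc/nsswitch.conf that the same section moved earlier, which would show up as name-resolution failures only for confined services.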
diff --git a/filesystem/etc/systemd/system/vpn-static-ip@.service b/filesystem/etc/systemd/system/vpn-static-ip@.service
index 7af37936066c507236009164100c15141ad85a28..b677e7cf6ba2271f9a93bf11094c0307b3b6a55d 100644 (file)
[Unit]
Description=vpn-static-ip
-
+After=syslog.target network-online.target vpn-static-ip@%i.service
+Wants=network-online.target
[Service]
Type=oneshot
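Review bot: `After=... vpn-static-ip@%i.service` on the new line orders the template instance after itself: `%i` expands to this unit's own instance name, so the dependency is a self-reference that systemd discards with a warning rather than an ordering constraint. It reads like a line copied from a neighbouring unit; if the intent is to order this helper relative to the VPN client unit it writes a config for (its name is not visible here, so please confirm), that unit should be named instead, and since the resolved `remote` lines must exist before the client starts, `Before=` is probably the direction wanted. `syslog.target` is a legacy target that current systemd no longer provides; harmless, but it can be dropped. The unit file continues past the hunk.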
diff --git a/mail-setup b/mail-setup
index 9efd5696720f3ef0bd2a8c8e6fb21105d6a58048..4e277efa03494e2e27c6c5fadd1d040bcd264ad3 100755 (executable)
--- a/mail-setup
+++ b/mail-setup
#!/bin/bash
+
+# todo: figure out
+
# * intro
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: monitor for msft unblock, and then remove on bk:
+# /etc/exim4/conf.d/router/190_msft
+# dnslookup_msft
+# domains = hotmail.com : live.com : msn.com : passport.com : outlook.com
+
+
# todo: on bk, dont send email if mailvpn is not up
# todo: disable postgrey
#
# echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
-# * other dms
+# * other dns
# # 2017-02 spf policies:
# # host -t txt lists.fedoraproject.org
# * mail vpn config
-i /etc/systemd/system/mailnn.service <<'EOF'
-[Unit]
-Description=Network Namespace for mailvpn.service
-After=syslog.target network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-PrivateNetwork=true
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
-ExecStart=/bin/sleep infinity
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-# old service name
-rm -fv /etc/systemd/system/openvpn-client-mail@.service
+case $HOSTNAME in
+ $MAIL_HOST)
+ bindpaths="/etc/127.0.0.1-resolv:/run/systemd/resolve /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind"
+ ;;&
+ bk)
+ bindpaths="/etc/10.173.8.1-resolv:/etc/127.0.0.1-resolv"
+ ;;&
+esac
# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
-i /etc/systemd/system/mailvpn.service <<'EOF'
+i /etc/systemd/system/mailvpn.service <<EOF
[Unit]
Description=OpenVPN tunnel for mail
After=syslog.target network-online.target mailnn.service
# dns from leaking in my network namespaced vpn.
# I also like the idea of patching systemd-resolved so it
# will listen on other interfaces, but its not worth my time.
-BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind
+BindPaths=$bindpaths
Restart=always
# time to sleep before restarting a service
RestartSec=1
WantedBy=multi-user.target
EOF
+i /etc/systemd/system/mailnn.service <<'EOF'
+[Unit]
+Description=Network Namespace for mailvpn.service
+After=syslog.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+PrivateNetwork=true
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+# old service name
+rm -fv /etc/systemd/system/openvpn-client-mail@.service
+
# We use a local unbound because systemd-resolved wont accept our
# request, it will only listen to 127.0.0.53 in the main network
# namespace, and rejected feature requests to change that (although I
#
# If we ever notice this change, chattr +i on it
# trust-ad is used in t10+, glibc 2.31
-i /etc/nn-resolv/stub-resolv.conf <<'EOF'
+
+i /etc/127.0.0.1-resolv/stub-resolv.conf <<'EOF'
nameserver 127.0.0.1
options edns0 trust-ad
EOF
-i /etc/bk-resolv/stub-resolv.conf <<'EOF'
+i /etc/127.0.0.53-resolv/stub-resolv.conf <<'EOF'
+nameserver 127.0.0.53
+options edns0 trust-ad
+EOF
+
+
+i /etc/10.173.8.1-resolv/stub-resolv.conf <<'EOF'
nameserver 10.173.8.1
options edns0 trust-ad
EOF
PrivateNetwork=true
# note the nsswitch bind is actually not needed for bk, but
# its the same file so it does no harm.
-BindPaths=${r}:norbind /etc/nn-resolv:/etc/nsswitch:norbind
+BindPaths=$bindpaths
Restart=always
RestartSec=1
i /etc/default/spamassassin <<'EOF'
# defaults plus debugging flags for an issue im having
-OPTIONS="--create-prefs --max-children 5 --helper-home-dir -D dkim,dns"
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
PIDFILE="/var/run/spamd.pid"
# my additions
NICE="--nicelevel 15"
[Service]
PrivateNetwork=true
-BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind
+BindPaths=$bindpaths
[Install]
RequiredBy=mailvpn.service
case $HOSTNAME in
bk)
+ # todo, this should be done in distro-begin
soff systemd-resolved
- ln -sf nn-resolv/stub-resolv.conf /etc/resolv.conf
+ ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
;;&
$MAIL_HOST|bk)
sstart mailnn
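Review bot: The new `case $HOSTNAME` block only assigns `bindpaths` for `$MAIL_HOST` and `bk`; on any other host the variable is empty (or whatever the environment happens to carry), and because the mailvpn.service heredoc was switched from `<<'EOF'` to `<<EOF` to expand it, the unit is written with a bare `BindPaths=` — dropping exactly the resolv.conf/nsswitch binds that the comment above it says exist to keep DNS from leaking out of the namespace. A guard before the heredocs makes that failure loud: `: "${bindpaths:?no BindPaths defined for $HOSTNAME}"` (or skip writing the unit on hosts that are not supposed to run it). The unquoted heredoc also now expands every `$` and backslash in the unit body; nothing in the visible lines needs escaping, but the parts of the unit outside the hunk should be checked for a literal `$`. Separately, `options edns0 trust-ad` in the new `/etc/10.173.8.1-resolv/stub-resolv.conf` tells glibc to pass the AD bit through from a nameserver reached across the tunnel; that is only sound if 10.173.8.1 is itself a DNSSEC-validating resolver, otherwise `trust-ad` should be left out of that file.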
diff --git a/mailclean b/mailclean
index c4cd2c56558d12bc19d94da73ab0670c1425cb5e..072e4046e4637279451b7ab4ffdb102c947dd3f8 100755 (executable)
--- a/mailclean
+++ b/mailclean
# I want to hop into conversations about our mailing
# systems there, but I don't need many old messages.
myfind /m/md/l/qemu-devel/new -type f -mtime +14 -execdir rm -- '{}' +
+myfind /m/md/l/listhelper-moderatre/new -type f -mtime +14 -execdir rm -- '{}' +
myfind /m/md/{sec,Spam,Drafts,{rtcc,sysadmin}/new} -type f -mtime +100 -execdir rm -- '{}' +
myfind /m/md/log -type f -mtime +300 -execdir rm -- '{}' +
myfind /m/md/dmarc -type f -mtime +60 -execdir rm -- '{}' +
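Review bot: The new maildir path `/m/md/l/listhelper-moderatre/new` looks like a transposition of `listhelper-moderate`; if the directory is really spelt `moderate`, the new rule never matches anything and, depending on what `myfind` (not visible here) does with a missing start directory, may print an error on every run. Worth checking the real name with `ls -d /m/md/l/listhelper-*` before relying on this line; if the spelling is intentional, a short comment saying so would spare the next reader the same double-take.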
diff --git a/mount-latest-subvol b/mount-latest-subvol
index d2dccad37467a745af24bd2532da07416437b49c..e3496d581218cbe679ddcbe858dd38dd29997a04 100644 (file)
--- a/mount-latest-subvol
+++ b/mount-latest-subvol
if cryptsetup status $root_dev &>/dev/null; then
crypt_dev=$root_dev
else # if we are in a recovery boot, find the next best crypt device
- noauto=,noauto
+ mopts=,noauto
for dev in $(dmsetup ls --target crypt | awk '{print $1}'); do
dev=/dev/mapper/$dev
if awk '{print $1}' /etc/mtab | grep -Fx $dev &>/dev/null; then
fi
done
fi
-
+# dont tax the cpus of old laptops
+if ((`nproc` > 2)); then
+ mopts+=,compress=zstd
+fi
fstab <<EOF
-$crypt_dev /a btrfs noatime,subvol=a$noauto 0 0
+$crypt_dev /a btrfs noatime,subvol=a$mopts 0 0
EOF
shopt -s nullglob
f=(/mnt/root/btrbk/q.*); f=${f[0]}
if [[ -e $f ]]; then
fstab <<EOF
-$crypt_dev /q btrfs noatime,subvol=q,gid=1000$noauto 0 0
-/q/p /p none bind$noauto 0 0
+$crypt_dev /q btrfs noatime,subvol=q,gid=1000$mopts 0 0
+/q/p /p none bind$mopts 0 0
EOF
fi
f=(/mnt/root/btrbk/o.*); f=${f[0]}
if [[ -e $f ]]; then
fstab <<EOF
-$crypt_dev /o btrfs noatime,subvol=o$noauto 0 0
-/o/m /m none bind$noauto 0 0
+$crypt_dev /o btrfs noatime,subvol=o$mopts 0 0
+/o/m /m none bind$mopts 0 0
EOF
fi
if [[ $HOSTNAME == frodo ]]; then
fstab <<EOF
-$crypt_dev /i btrfs noatime,subvol=i$noauto 0 0
+$crypt_dev /i btrfs noatime,subvol=i$mopts 0 0
EOF
fi
##### end setup fstab for subvols we care about ######
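Review bot: Renaming `noauto` to `mopts` and appending `compress=zstd` to it means the btrfs-only option now also lands in the two `none bind` entries (`/q/p /p none bind$mopts 0 0` and `/o/m /m none bind$mopts 0 0`), which previously only ever received `,noauto`. Whether util-linux ignores a filesystem-specific option on a bind mount or turns the entry into a bind-plus-remount depends on its version, and btrfs's `compress=` is filesystem-wide, so a remount there would change compression for the whole device; keeping generic flags apart from btrfs flags avoids the question: add `bopts=,noauto` beside `mopts=,noauto`, and write the bind lines as `/q/p /p none bind$bopts 0 0` and `/o/m /m none bind$bopts 0 0`. `mopts` is also only initialised in the recovery branch; a `mopts=` before the `if cryptsetup status` line keeps an inherited environment value out of fstab (the old `noauto` had the same gap). The `for dev` loop in the middle of the hunk is cut by the context lines, so its body was not reviewed.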
index 273916640c1b944894bbceea2b04bef1e4dfa6db..cc4ead84ae823f38b019397ca4ef875ef1a03eea 100644 (file)
#loop-file=inf
loop-file=no
#shuffle
-#volume=20
+volume=50
#save-position-on-quit
# use --profile d
diff --git a/system-status b/system-status
index adf8dd57592ed342f29f5e8b26f519a892c26649..eaf35999a3c816fe34cbfe6fd0dc471969bb19af 100644 (file)
--- a/system-status
+++ b/system-status
# Profiled it using time and also adding to the top of the file:
# set -x
# PS4='+ $(date "+%2N") '
+ # allow failure in case there are no snapshots yet.
# shellcheck disable=SC2012
- snaps=($(ls -1avdr /mnt/root/btrbk/$vol.20*|head -n1 || [[ $? == 141 ]] ))
+ shopt -u nullglob
+ snaps=($(ls -1avdr /mnt/root/btrbk/$vol.20* 2>/dev/null |head -n1 || : ))
+ shopt -s nullglob
now=$(date +%s)
maxtime=0
for s in ${snaps[@]}; do
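Review bot: The `shopt -u nullglob` / `shopt -s nullglob` pair around the `ls` re-enables nullglob unconditionally instead of restoring it, so if this code is ever reached with the option off (the file's global setting is not visible here) it flips it for the rest of the script. Saving and restoring costs the same two lines: `ng=$(shopt -p nullglob); shopt -u nullglob` before the `ls`, and `$ng` after it. The reason for turning nullglob off deserves a comment, because it is not obvious: with nullglob on and no snapshots the pattern would vanish, `ls -1avdr` would run with no operands and print `.`, and `snaps` would contain a bogus entry — with nullglob off the literal pattern makes `ls` fail, which the `2>/dev/null ||:` then absorbs. The enclosing loop or function starts outside the hunk.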
diff --git a/vpn-static-ip b/vpn-static-ip
index ae92d3c332fc748754e91b48ced32f4b4550719e..8d04891667d64990acd8c2bd112d280fcf08260a 100755 (executable)
--- a/vpn-static-ip
+++ b/vpn-static-ip
# there might be some other workaround, but just resolving to static ips
# is a simple fix.
+main() {
+ while read -r host port; do
+ while read -r ip; do
+ printf "remote %s %s\n" "$ip" "$port" >>$conf
+ ret=0
+ done < <(dig +short $host ||:)
+ done < <(sed -rn 's/^ *# *remote //p' $conf)
+
+}
+
+
sed --follow-symlinks -i '/^ *remote /d' $conf
ret=1
-while read -r host port; do
- while read -r ip; do
- printf "remote %s %s\n" "$ip" "$port" >>$conf
- ret=0
- done < <(dig +short $host ||:)
-done < <(sed -rn 's/^ *# *remote //p' $conf)
+main
+# give it one retry if it failed initially
+if (( ret )); then
+ sleep 2
+ main
+fi
+
if ((ret)); then
echo "vpn-static-ip: error: failed to set any ips" >&2
exit 1
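Review bot: `dig +short $host` inside the new `main` prints the whole answer chain, so when a remote is a CNAME the first lines are host names (with a trailing dot) rather than addresses, and `printf "remote %s %s\n"` writes them into `$conf` as `remote` entries — reintroducing the DNS lookup the script exists to avoid, according to the comment above the hunk. Filtering to address records keeps only what is wanted: `done < <(dig +short "$host" | grep -v '\.$' ||:)`, with `dig +short A "$host"` in place of the bare query if only IPv4 remotes are acceptable. Quoting `"$host"` there also stops a malformed commented `remote` line from being split into extra dig arguments. `main` reads the globals `conf` and `ret` that are set before it is called and signals success only by setting `ret=0`; a one-line comment on the function saying so would help, since the retry path below depends on `ret` staying 1 when nothing was resolved.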