# case $distro in
# esac
+
+# old repo. remove when all machines updated
+sudo rm -fv /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list
+# remove old file
+sudo rm -fv /etc/apt/preferences.d/minetest
+
#### initial packages
pup
if isdeb; then
export RENEWED_LINEAGE=/etc/letsencrypt/live/mail2.iankelling.org
/a/bin/distro-setup/certbot-renew-hook
EOF
- mail-setup
+ mail-setup
end
;;
li)
- case $HOSTNAME in
- li)
- m /a/h/setup.sh iankelling.org
- ;;
- # # i dont work on my website that much, so commented to run these as needed
- # kd)
- # m /a/h/setup.sh -s b8.nz
- # ;;
- # *)
- # # allow symlinks on non-main hosts so i can host files in arbitrary paths
- # m /a/h/setup.sh -s -p 80
- #;;
- esac
- m /a/h/build.rb
+ m /a/h/setup.sh iankelling.org
# start mumble only when im going to use it, since i dont use it much
pi-nostart mumble-server
EOF
# general vpn for as needed use
- #vpn-server-setup -d -r -4 10.2.2 -p 443 -n hole
+ vpn-server-setup -d -r -4 10.2.2 -p 443 -n hole
+ sd /etc/openvpn/client-config-hole/frodo <<'EOF'
+ifconfig-push 10.2.2.5 255.255.255.0
+EOF
+ sd /etc/openvpn/client-config-hole/amy <<'EOF'
+ifconfig-push 10.2.2.3 255.255.255.0
+EOF
+ sd /etc/openvpn/client-config-hole/kd <<'EOF'
+ifconfig-push 10.2.2.2 255.255.255.0
+EOF
+
#vpn-mk-client-cert -s "" -n hole 72.14.176.105
# requested from linode via a support ticket.
ifconfig-ipv6-push 2600:3c00:e000:280::2/64
EOF
- if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
- vpn_service=openvpn-server@mail
- else
- vpn_service=openvpn@mail
- fi
-
- sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
+ sudo dd of=/etc/systemd/system/vpnmail.service <<'EOF'
[Unit]
Description=Turns on iptables mail nat
ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
[Install]
-WantedBy=$vpn_service.service
+WantedBy=openvpn-server@mail.service
EOF
ser daemon-reload
sgo vpnmail.service
# needed for li's local mail delivery.
tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
- sgo $vpn_service
+ sgo openvpn-server@mail
# setup let's encrypt cert
m web-conf apache2 mail.iankelling.org
sudo rm -fv /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
m /a/bin/distro-setup/radicale-setup
fi
+if [[ $HOSTNAME == frodo ]]; then
+ vpn-mk-client-cert -b frodo -n hole iankelling.org
+fi
############# begin syncthing setup ###########
####### end transmission
-
-# trisquel 8 = openvpn, debian stretch = openvpn-client
-vpn_ser=openvpn-client
-if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
- vpn_ser=openvpn
+f=/etc/nn-resolv/nsswitch.conf
+if [[ ! -e $f ]]; then
+ s mkdir -p ${f%/*}
+ s cp /etc/nsswitch.conf $f
+ s sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f
+ s chattr +i $f
fi
+
+
+# trisquel 8 = openvpn, debian stretch = openvpn-client
sd /etc/systemd/system/transmission-daemon-nn.service <<EOF
[Unit]
Description=Transmission BitTorrent Daemon netns
After=network.target
-Requires=${vpn_ser}-nn@client.service
-After=${vpn_ser}-nn@client.service
-JoinsNamespaceOf=${vpn_ser}-nn@client.service
+Requires=openvpn-client-tr@client.service
+After=openvpn-client-tr@client.service
+JoinsNamespaceOf=openvpn-client-tr@client.service
[Service]
User=debian-transmission
ExecStop=/bin/kill -s STOP \$MAINPID
PrivateNetwork=true
Nice=19
-BindPaths=/a/bin/ds/aresolv.conf:/etc/resolv.conf:norbind
+BindReadOnlyPaths=/etc/nn-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind
[Install]
WantedBy=multi-user.target
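Review bot: The second bind in the new `BindReadOnlyPaths=` line targets `/etc/nsswitch`, but glibc reads `/etc/nsswitch.conf`, so the namespaced transmission daemon appears to keep using the host's nsswitch.conf instead of the copy this diff creates at /etc/nn-resolv/nsswitch.conf; a file-to-file bind such as `BindReadOnlyPaths=/etc/nn-resolv:/run/systemd/resolve:norbind /etc/nn-resolv/nsswitch.conf:/etc/nsswitch.conf:norbind` looks like what was intended. The first bind only has an effect if /etc/resolv.conf on this host is the symlink into /run/systemd/resolve, which the hunk does not show. The comment `# trisquel 8 = openvpn, debian stretch = openvpn-client` is now stale, since the `Requires=`/`After=`/`JoinsNamespaceOf=` lines are hard-coded to openvpn-client-tr. The heredoc opened by `sd /etc/systemd/system/transmission-daemon-nn.service <<EOF` closes outside the hunk.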
fi
d=$f/.config/transmission-remote-gtk
sudo -u $u mkdir -p $d
+ # i tried setting hostname to transmission.b8.nz, so i could dynamically change where
+ # this connects to, but it said some 421 denied error when I did that. Then it
+ # froze X when i ran it under strace. Whatever.
sudo -u $u dd of=$d/config.json <<EOF
{
"profiles" : [
{
"profile-name" : "Default",
- "hostname" : "transmission.b8.nz",
-
- "rpc-url-path" : "/transmission/rpc",
- "username" : "",
- "password" : "$rpc_pass",
- "auto-connect" : true,
- "ssl" : false,
- "timeout" : 40,
- "retries" : 3,
- "update-active-only" : false,
- "activeonly-fullsync-enabled" : false,
- "activeonly-fullsync-every" : 2,
- "update-interval" : 3,
- "min-update-interval" : 3,
- "session-update-interval" : 60,
- "exec-commands" : [],
- "destinations" : []
- },
- {
- "profile-name" : "local",
"hostname" : "10.173.0.2",
-
+ "rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
"auto-connect" : true,
########### misc stuff
+if [[ $HOSTNAME != frodo ]]; then
+ s cedit hole /etc/hosts <<EOF ||:
+10.2.2.3 amy amy.b8.nz
+10.2.2.5 frodo frodo.b8.nz
+EOF
+fi
if [[ ! -e ~/.local/bin/pip ]]; then
tmp=$(mktemp)
# nfs server
pi-nostart nfs-kernel-server
-# wireguard
-if [[ ! -e /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list ]]; then
- sudo add-apt-repository -y ppa:wireguard/wireguard
- sudo apt-get update
- pi wireguard
-fi
if [[ $HOSTNAME == tp ]]; then
sd /etc/wireguard/wg0.conf <<EOF
[Interface]
sudo systemctl start wg-quick@wg0
fi
-if [[ $HOSTNAME == frodo ]]; then
- # nohide = export filesystems mounted deeper than the export point
- # fsid=0 makes this export the "root" export
- # not documented in the man page, but this means
- # 1. it can be mounted with a shorthand of server:/
- # 2. exports that are subdirectories of this one will automatically be mounted
- tu /etc/exports <<'EOF'
-/k 10.0.0.0/24(rw,nohide,no_root_squash,async,no_subtree_check,insecure)
-EOF
- sudo exportfs -rav
-fi
-
if [[ $HOSTNAME == kw ]]; then
# hosts 1-199. 200+ are dynamic, avoid those
# SPDX-License-Identifier: AGPL-3.0-or-later
-# todo: look into changing nsswitch.com to make programs prefer using systemd-resolved
-# but not over the network.
-
# background: I want to run exim in a network namespace so it can send
# and receive through a vpn. This is needed so it can do ipv6, because
# outside the namespace if we dont have ipv6, to send ipv6 through the
exit 1
fi
source /a/bin/distro-functions/src/identify-distros
+f=/p/c/machine_specific/bk/mail
+if [[ -e $f ]]; then
+ source $f
+fi
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
usage() {
cat <<EOF
-Usage: ${0##*/}
+Usage: ${0##*/} anything_here_to_debug
Setup exim4 & dovecot & related things
-h|--help Print help and exit.
exit $1
}
+debug=false
+if (( $# )); then
+ debug=true
+ set -x
+fi
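Review bot: `set -x` traces every expanded command to stderr, and this script later puts secrets on command lines and in heredocs — `--admin-pass $nextcloud_admin_pass`, `"password" : "$rpc_pass"`, `$config['des_key'] = '$secret'` — so any debug run writes those values to the terminal or to whatever captures the script's output. If the debug mode is kept, either send the trace to a mode-0600 file via `exec {BASH_XTRACEFD}>"$trace_file"; set -x` (with `trace_file` a root-only placeholder path) or bracket the secret-handling commands with `set +x` / `set -x`. A one-line comment on the `if (( $# ))` block, e.g. `# any argument turns on xtrace; see usage`, would match the new usage text.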
####### instructions for icedove #####
err-exit $ret "failed apt-get install above"
fi
}
+reifactive() {
+ for service; do
+ if systemctl is-active $service >/dev/null; then
+ m systemctl restart $service
+ fi
+ done
+}
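Review bot: `reifactive` has no header comment and expands `$service` unquoted in both the `systemctl is-active` test and the `m systemctl restart` call; a comment such as `# restart each named systemd unit, but only if it is currently active` and `"$service"` on both lines would make the helper self-describing and safe for odd unit names. `m` is a project helper not shown in the hunk, so I cannot tell whether a failed restart aborts the script or only logs.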
mxhost=mail.iankelling.org
mxport=587
## * Install packages
# light version of exim does not have sasl auth support.
-pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyzor razor
+pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyzor razor jq moreutils
# note: pyzor debian readme says you need to run some initialization command
# but its outdated.
trusted_networks 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48
EOF
-case $HOSTNAME in
- $MAIL_HOST)
- f=/etc/nn-resolv/stub-resolv.conf
- l="nameserver 8.8.8.8"
- if ! grep -Fxq "$l" /etc/nn-resolv/stub-resolv.conf &>/dev/null; then
- mkdir -p ${f%/*}
- echo "$l" >$f
- chattr +i $f
- fi
+# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
+f=/etc/systemd/system/openvpn-client-mail@.service
+if [[ ! -s $f || $(stat -c%s $f) != 1709 ]]; then
+ cat >$f <<'EOF'
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+# needed to continually restatr
+StartLimitIntervalSec=0
+
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start %i
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53,
+# because of
+# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
+# there is a workaround there, but i dont think its really worth it,
+# the mail server is fine with a static dns anyways.
+# This thread is also interesting,
+# https://github.com/slingamn/namespaced-openvpn/issues/7
+# todo: the iptables rule at the bottom could be useful to prevent
+# dns from leaking in my network namespaced vpn.
+# I also like the idea of patching systemd-resolved so it
+# will listen on other interfaces, but its not worth my time.
+BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind
+
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
+
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ m systemctl daemon-reload
+fi
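Review bot: The `ExecStartPre=`/`ExecStopPost=` lines now lock `/tmp/newns.flock`, a predictable path in a world-writable directory; any local user can pre-create that file and hold the lock, and with `-w 20` that turns a root-run unit start into a 20-second timeout followed by a failed start. A lock file in a root-owned directory under /run (for example inside the unit's `RuntimeDirectory=`) avoids that. The rewrite trigger `$(stat -c%s $f) != 1709` also keeps the old size constant although the two flock lines lengthen the file, so unless 1709 already accounts for them the unit is rewritten and `daemon-reload` runs on every invocation; comparing content (write to a temp file, then `cmp -s`) is less brittle than a byte count. Note too that the removed block restarted `openvpn-client-mail@mail` after rewriting the unit while the new one only reloads, so a running instance keeps the previous ExecStartPre until its next restart; and `restatr` in the unit comment is a typo.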
+
+
+f=/etc/nn-resolv/stub-resolv.conf
+l="nameserver 8.8.8.8"
+if ! grep -Fxq "$l" /etc/nn-resolv/stub-resolv.conf &>/dev/null; then
+ mkdir -p ${f%/*}
+ echo "$l" >$f
+ chattr +i $f
+fi
+### begin setup network namespace ###
+case $HOSTNAME in
+ $MAIL_HOST)
reload=false
for unit in exim4 spamassassin; do
f=/etc/systemd/system/$unit.service.d/nn.conf
After=openvpn-client-mail@mail.service
JoinsNamespaceOf=openvpn-client-mail@mail.service
+# needed to continually restart
+StartLimitIntervalSec=0
+
[Service]
PrivateNetwork=true
BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind
+
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1
EOF
fi
done
if $reload; then
m systemctl daemon-reload
fi
-;;
+ ;;
+ *)
+ reload=false
+ for unit in exim4 spamassassin; do
+ f=/etc/systemd/system/$unit.service.d/nn.conf
+ if [[ -s $f ]]; then
+ rm -fv $f
+ reload=true
+ fi
+ done
+ if $reload; then
+ m systemctl daemon-reload
+ fi
+
+ ;;
+esac
+### end setup network namespace ###
- bk|$MAIL_HOST)
- m systemctl stop spamassassin
- m systemctl disable spamassassin
+case $HOSTNAME in
+ $MAIL_HOST)
# per readme.debian
sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin
e CRON=1 >>/etc/default/spamassassin
;;
esac
+case $HOSTNAME in
+ $MAIL_HOST|bk)
+ m systemctl restart spamassassin
+ ;;
+esac
+
##### end spamassassin config
# * Update mail cert
if [[ -e /p/c/filesystem ]]; then
- # allow failure of these commands when our internet is down, they are likely not needed,
- # we check that a valid cert is there already.
- # to put the hostname in the known hosts
- if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then
- # This just causes failure if our cert is going to expire in the next 30 days.
- # Certs I generate last 10 years.
- openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt
- else
- # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
- # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
- # after my internet was down for a bit:
- # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
- m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org
- fi
+ # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with
+ # systemd, buuut it can remake the tun device unexpectedly, i got this in the log
+ # after my internet was down for a bit:
+ # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device.
+ m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org
fi
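Review bot: The replacement drops the offline path the removed comment described — previously an unreachable li.iankelling.org fell back to `openssl x509 -checkend` on the existing cert, whereas now `m /a/exe/vpn-mk-client-cert … li.iankelling.org` runs unconditionally, so running this setup without connectivity presumably fails here instead of accepting a still-valid cert. If that is intended, a one-line comment above the call, e.g. `# requires reaching li.iankelling.org; the offline -checkend fallback was removed on purpose`, would stop the next reader from re-adding it. The `case` arm this `if` belongs to begins outside the hunk.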
# sqlite3 /m/rc/users.sqlite <<'EOF'
#insert into users (email, password) values ('testignore@bk.b8.nz', 'hash');
#EOF
-
-
+ # update users set password = 'hash' where email = 'testignore@bk.b8.nz';
;;
esac
####### end dovecot-setup ########
# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
# curl from the web installer requirement, but i switched to cli
pi php-curl php-fileinfo php-bz2
- /a/exe/web-conf - apache2 expertpathologyreview.com <<'EOF'
-Alias /nextcloud "/var/www/nextcloud/"
-<Directory /var/www/nextcloud/>
- Require all granted
- AllowOverride All
- Options FollowSymLinks MultiViews
-
- <IfModule mod_dav.c>
- Dav off
- </IfModule>
-
-</Directory>
-EOF
+ # install checker, nextcloud/settings/admin/overview
+ pi php-gmp php-bcmath php-imagick php-apcu
cd /var/www
- wget https://download.nextcloud.com/server/releases/latest.zip
- unzip -q latest.zip
- rm latest.zip
- chown -R www-data.www-data nextcloud
- cd /var/www/nextcloud
- sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass swarm.numbered.alienist
+ if [[ ! -e nextcloud/index.php ]]; then
+ wget https://download.nextcloud.com/server/releases/latest.zip
+ unzip -q latest.zip
+ rm -f latest.zip
+ chown -R www-data.www-data nextcloud
+ cd /var/www/nextcloud
+ sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass
+ fi
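Review bot: `--admin-pass $nextcloud_admin_pass` is unquoted, so a password containing whitespace or glob characters is split before occ sees it; write `--admin-pass "$nextcloud_admin_pass"`. Taking the password out of the script is an improvement, but on argv it is still readable by other local users via `ps` while the install runs and is echoed by the `set -x` debug mode this commit adds, so an interactive or environment-based way of handing it to occ would be safer. The fetch of `latest.zip` is not integrity-checked, unlike the composer installer later in this diff which verifies a SHA-384; the release server serves `.sha256`/`.asc` files alongside the archive, and pinning a release instead of `latest` would also make the install reproducible. `chown -R www-data.www-data` uses the deprecated dot separator while the carddav block below uses `www-data:www-data`.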
cd /var/www/nextcloud/config
# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF'
clear_env = no
EOF
cat config.php - >tmp.php <<'EOF'
+# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html
+$CONFIG["mail_smtpmode"] = "sendmail";
+$CONFIG["mail_smtphost"] = "127.0.0.1";
+$CONFIG["mail_smtpport"] = 25;
+$CONFIG["mail_smtptimeout"] = 10;
+$CONFIG["mail_smtpsecure"] = "";
+$CONFIG["mail_smtpauth"] = false;
+$CONFIG["mail_smtpauthtype"] = "LOGIN";
+$CONFIG["mail_smtpname"] = "";
+$CONFIG["mail_smtppassword"] = "";
+$CONFIG["mail_domain"] = "expertpathologyreview.com";
+
+# https://github.com/nextcloud/user_external#readme
+# plus mailinabox example
+$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),);
+
+
+# based on installer check
+# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html
+$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
+
$CONFIG['overwrite.cli.url'] = 'https://expertpathologyreview.com/nextcloud';
$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
$CONFIG['trusted_domains'] = array (
php tmp.php >config.php 2>/dev/null
rm tmp.php
sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess
+ list=$(sudo -u www-data php /var/www/nextcloud/occ --output=json_pretty app:list)
+ for app in contacts calendar user_external; do
+ if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then
+ m sudo -u www-data php /var/www/nextcloud/occ app:install $app
+ fi
+ done
+
+ # todo: install apps with occ. contacts, calendar, mail
}
# * roundcube setup
roundcube-setup() {
+
+ ### begin composer install
+ # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
+ cd $(mktemp -d)
+ sum="$(wget -q -O - https://composer.github.io/installer.sig)"
+ php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
+ if [[ $sum != $(php -r "echo hash_file('sha384', 'composer-setup.php');") ]]; then
+ echo 'ERROR: Invalid composer installer checksum' >&2
+ rm composer-setup.php
+ exit 1
+ fi
+ php composer-setup.php --quiet
+ rm composer-setup.php
+ mv composer.phar /usr/local/bin
+ ### end composer install
+
+
+
+
# avoid prompt
- debconf-set-selections <<'EOF'
-roundcube-core roundcube/dbconfig-install boolean false
-EOF
+ export DEBIAN_FRONTEND=noninteractive
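Review bot: `export DEBIAN_FRONTEND=noninteractive` replaces a targeted `debconf-set-selections` answer with a process-wide setting that stays in effect for every later apt/dpkg call in this script, and it does not preserve the old answer: with nothing preseeded, `roundcube/dbconfig-install` takes the package's default, which may be the opposite of the `false` the script used to set. Either keep the `debconf-set-selections` line next to the export, or scope the variable to the one install command (`DEBIAN_FRONTEND=noninteractive` prefixed to the roundcube install, which is outside this hunk). In the composer block above, `cd $(mktemp -d)` has no failure check — if mktemp fails the bare `cd` lands in `$HOME` and `composer-setup.php` is written there — and the temporary directory is never removed; `tmpd=$(mktemp -d) || exit 1; cd "$tmpd"` plus `rm -rf -- "$tmpd"` after the `mv` would close both. The enclosing `roundcube-setup()` continues outside the hunk.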
# zip according to /installer
# which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php
# $config['enable_installer'] = true;
m ln -sfT $rcdir/bin/cleandb.sh /usr/share/roundcube/bin/cleandb.sh
fi
- # todo, consider installing the extensions mailinabox uses
-
#### begin dl roundcube
# note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom
v=1.4.8; f=roundcubemail-$v-complete.tar.gz
fi
m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f
new_timestamp=$(stat -c %Y $f)
- if [[ $timestamp != $new_timestamp ]]; then
+ if [[ $timestamp != $new_timestamp || ! -e $rcdir/config/secret ]]; then
m tar -C /usr/local/lib --no-same-owner -zxf $f
m rm -rf $rcdir
m mv $rcdir-$v $rcdir
cd -
#### end dl roundcube
- /a/exe/web-conf -r $rcdir - apache2 mail.expertpathologyreview.com <<EOF
+ /a/exe/web-conf - apache2 expertpathologyreview.com <<EOF
+Alias /roundcube $rcdir
+### begin roundcube settings
# taken from /etc/apache2/conf-available/roundcube.conf version 1.4.8+dfsg.1-1~bpo10+1
<Directory $rcdir/>
Options +FollowSymLinks
Options -FollowSymLinks
AllowOverride None
</Directory>
+### end roundcube settings
+
+
+### begin nextcloud settings
+Alias /nextcloud "/var/www/nextcloud/"
+<Directory /var/www/nextcloud/>
+ Require all granted
+ AllowOverride All
+ Options FollowSymLinks MultiViews
+
+ <IfModule mod_dav.c>
+ Dav off
+ </IfModule>
+
+</Directory>
+
+# based on install checker, links to
+# https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery
+RewriteRule ^\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
+RewriteRule ^\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
+RewriteRule ^\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
+RewriteRule ^\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L]
+RewriteRule ^\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L]
+### end nextcloud settings
EOF
if [[ ! -e $rcdir/config/secret ]]; then
);
\$config['product_name'] = 'webmail';
\$config['des_key'] = '$secret';
-\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui');
+\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'carddav');
\$config['skin'] = 'elastic';
\$config['login_autocomplete'] = 2;
\$config['password_charset'] = 'UTF-8';
\$config['junk_mbox'] = 'Spam';
+# disable builtin addressbook
+\$config['address_book_type'] = '';
?>
EOF
- m mkdir -p /var/tmp/roundcubemail /m/rc
- m chown -R www-data.www-data /var/tmp/roundcubemail /m/rc
- m chmod 750 /var/tmp/roundcubemail
+ # todo rss subscribe to carddav plugin
+ m mkdir -p /var/tmp/roundcube /m/rc
+ m chown -R www-data.www-data /var/tmp/roundcube /m/rc
+ m chmod 750 /var/tmp/roundcube
# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
# todo: setup fail2ban
# todo: setup dnssec.
# todo: check for other mailinabox things
m sudo -u www-data touch /var/log/roundcube/errors.log
+
+ # todo: look at .well-known for carddav?
+
+ #### begin carddav install
+ # This is the official roundcube carddav repo.
+ # Install doc suggests downloading with composer, but that
+ # didnt work, it said some ldap package for roundcube was missing,
+ # but I dont want to download some extra ldap thing.
+ # https://github.com/blind-coder/rcmcarddav/blob/master/doc/INSTALL.md
+ verf=$rcdir/plugins/carddav/myversion
+ upgrade=false
+ install=false
+ v=4.0.0
+ if [[ -e $verf ]]; then
+ if [[ $(cat $verf) != $v ]]; then
+ install=true
+ upgrade=true
+ fi
+ else
+ install=true
+ fi
+ if $install; then
+ rm -rf $rcdir/plugins/carddav
+ tmpd=$(mktemp -d)
+ m wget -nv -O $tmpd/t.tgz https://github.com/blind-coder/rcmcarddav/releases/download/v$v/carddav-v$v.tgz
+ cd $rcdir/plugins
+ tar xzf $tmpd/t.tgz
+ rm -rf $tmpd
+ chown -R www-data:www-data $rcdir/plugins/carddav
+ cd $rcdir/plugins/carddav
+ if $upgrade; then
+ sudo -u www-data composer.phar update --no-dev
+ else
+ sudo -u www-data composer.phar install --no-dev
+ fi
+ chown -R root:root $rcdir/plugins/carddav
+ echo $v >$verf
+ fi
+
+ cat > $rcdir/plugins/carddav/config.inc.php <<'EOF';
+<?php
+$prefs['_GLOBAL']['hide_preferences'] = true;
+$prefs['davserver'] = array(
+# name in the UI is kind of dumb. This is just something short that seems to fit ok.
+ 'name' => 'Main',
+ 'username' => '%u', // login username
+ 'password' => '%p', // login password
+ 'url' => 'https://expertpathologyreview.com/nextcloud/remote.php/carddav/addressbooks/%u/contacts',
+ 'active' => true,
+ 'readonly' => false,
+ 'refresh_time' => '00:10:00',
+ 'fixed' => array('username','password'),
+ 'hide' => false,
+ 'use_categories' => true, // https://www.davx5.com/tested-with/nextcloud
+);
+?>
+EOF
+ #### end carddav install
+
+ # todo: try out roundcube plugins: html5 notifier, nextcloud, thunderbird labels
+
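Review bot: In the `if $install` block, `rm -rf $rcdir/plugins/carddav` runs before the `wget` that fetches the replacement, so a failed download leaves the server with no carddav plugin while the `config.inc.php` written below still references it; fetch into `$tmpd` first and remove the old directory only after `wget` succeeds. The release tarball is not verified (compare the SHA-384 check done for composer), and `composer.phar update --no-dev` on the upgrade path re-resolves dependencies rather than installing what the release pins if it ships a composer.lock; `install --no-dev` on both paths plus a recorded checksum of `carddav-v$v.tgz` checked with `sha256sum -c` would make the result reproducible. Running composer as www-data also assumes `composer.phar` is on that user's PATH under sudo, which the hunk does not establish. The surrounding `roundcube-setup()` continues outside the hunk.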
# Password changing plugin settings
cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF'
# following are from mailinabox
# according to /install, we should set date.timezone,
# but that is dumb, the system already has the right zone in
# /var/log/roundcubemail/errors.log
+ # todo: consider other settings in
+ # /a/opt/mailinabox/setup/nextcloud.sh
+ cat >/etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF'
+apc.enable_cli = 1
+EOF
+
cat >/etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
date.timezone = "America/New_York"
# for nextcloud
upload_max_filesize = 2000M
post_max_size = 2000M
+# install checker, nextcloud/settings/admin/overview
+memory_limit = 512M
+EOF
+
+ # https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html
+ cat >/etc/cron.d/nextcloud <<'EOF'
+*/5 * * * * php -f /var/www/nextcloud/cron.php --define apc.enable_cli=1
EOF
m systemctl restart $fpm
# dunno if reload/restart is needed
m systemctl reload apache2
- m systemctl reload exim4
-
- # todo: backups, carddav w nextcloud
+ # note bk backups are defined in crontab outside this file
}
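Review bot: The new `/etc/cron.d/nextcloud` entry is missing the user column that /etc/cron.d files require: cron parses `php` as the user name and `-f /var/www/nextcloud/cron.php …` as the command, so the job never runs and cron logs an unknown-user error instead. It should read `*/5 * * * * www-data php -f /var/www/nextcloud/cron.php --define apc.enable_cli=1`, with www-data because the Nextcloud tree is chowned to that user earlier in the diff and files created by cron.php must stay writable by the web server. The function closed by the final `}` starts outside the hunk.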
/a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]]
server=/mail.iankelling.org/127.0.1.1
EOF
- if systemctl is-active dnsmasq >/dev/null; then
- m systemctl restart dnsmasq
- fi
- m nscd -i hosts
+ reifactive dnsmasq nscd
# I used to use debconf-set-selections + dpkg-reconfigure,
# which then updates this file
fi
done
- # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
- f=/etc/systemd/system/openvpn-client-mail@.service
- if [[ ! -s $f || $(stat -c%s $f) != 1709 ]]; then
- cat >$f <<'EOF'
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-# needed to continually restatr
-StartLimitIntervalSec=0
-
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-ExecStartPre=/a/bin/newns/newns -n 10.173.8 start %i
-ExecStopPost=/a/bin/newns/newns stop %i
-PrivateNetwork=true
-# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53,
-# because of
-# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
-# there is a workaround there, but i dont think its really worth it,
-# the mail server is fine with a static dns anyways.
-# This thread is also interesting,
-# https://github.com/slingamn/namespaced-openvpn/issues/7
-# todo: the iptables rule at the bottom could be useful to prevent
-# dns from leaking in my network namespaced vpn.
-# I also like the idea of patching systemd-resolved so it
-# will listen on other interfaces, but its not worth my time.
-BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind
-
-Restart=always
-# time to sleep before restarting a service
-RestartSec=1
-
-
-[Install]
-WantedBy=multi-user.target
-EOF
- m systemctl daemon-reload
- m systemctl restart openvpn-client-mail@mail
- fi
-
m systemctl start openvpn-client-mail@mail
m systemctl enable openvpn-client-mail@mail
</emailProvider>
<webMail>
- <loginPage url="https://mail.expertpathologyreview.com" />
- <loginPageInfo url="https://mail.expertpathologyreview.com" >
+ <loginPage url="https://expertpathologyreview.com/roundcube" />
+ <loginPageInfo url="https://expertpathologyreview.com/roundcube" >
<username>%EMAILADDRESS%</username>
<usernameField id="rcmloginuser" name="_user" />
<passwordField id="rcmloginpwd" name="_pass" />
EOF
echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]]
- if systemctl is-active dnsmasq >/dev/null; then
- m systemctl restart dnsmasq # reload does not ensure new config is used
- fi
- m nscd -i hosts
+ reifactive dnsmasq nscd
m systemctl disable mailclean.timer &>/dev/null ||:
m systemctl stop mailclean.timer &>/dev/null ||:
;;
esac
-
# * mail monitoring / testing
case $HOSTNAME in