summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: fefb2a4)
raw | patch | inline | side by side (parent: fefb2a4)
| author | Ian Kelling <ian@iankelling.org> | |
| Mon, 19 Sep 2022 10:58:39 +0000 (06:58 -0400) | ||
| committer | Ian Kelling <ian@iankelling.org> | |
| Mon, 19 Sep 2022 10:58:55 +0000 (06:58 -0400) |
12 files changed:
| brc | patch | blob | history | |
| brc2 | patch | blob | history | |
| distro-end | patch | blob | history | |
| epanic-clean | patch | blob | history | |
| filesystem/usr/local/bin/oftc | [new file with mode: 0755] | patch | blob |
| install-my-scripts | patch | blob | history | |
| machine_specific/kd/filesystem/etc/cron.d/kd | patch | blob | history | |
| mail-setup | patch | blob | history | |
| nextcloud-setup | [new file with mode: 0755] | patch | blob |
| subdir_files/.config/sakura/sakura.conf | patch | blob | history | |
| switch-mail-host | patch | blob | history | |
| ziva-screen | [new file with mode: 0755] | patch | blob |
index 138fd896b26df6b2ae9361ba75709abd9855fe93..02ad1a67b78073f1cb58f6bac878d3e64def4582 100644 (file)
--- a/brc
+++ b/brc
"|sort -r
}
+# Run script by copying it to a temporary location first,
+# and changing directory, so we don't have any open
+# directories or files that could cause problems when
+# remounting.
+z() {
+ local tmp
+ tmp=$(type -p "$1")
+ if [[ $tmp ]]; then
+ cd $(mktemp -d)
+ cp -a "$tmp" .
+ shift
+ ./"${tmp##*/}" "$@"
+ else
+ "$@"
+ fi
+}
+
# * misc stuff
index b97d0670ea568d2fa9022321c3072bd3da578637..1905c792569e431e9b2ed9124236644e58a140d7 100644 (file)
--- a/brc2
+++ b/brc2
s rsync -e "ssh -F /root/.ssh/confighome" "$@"
}
+zcheck() {
+ s ssh bow DISPLAY=:0 scrot /tmp/oegu.jpg
+ s scp bow:/tmp/oegu.jpg /t
+ s ssh bow rm /tmp/oegu.jpg
+ feh /t/oegu.jpg
+ }
slemacs() {
local arg rtime v
fi
}
-# alert when a page goes live. not urgent.
+# alert when a page goes live.
alert200() {
+ local quiet url tmpdir
+ quiet=false
+ case $1 in
+ # dont send a diff of the html. some html is not very readable
+ -q) quiet=true
+ shift
+ ;;
+ esac
url="$1"
tmpdir="$(mktemp -d)"
cd $tmpdir
while true; do
- if torsocks wget -q "$url"; then
- alertme $tmpdir
+ if wget -q "$url"; then
+ if $quiet; then
+ echo | daylert 200
+ else
+ alertme $tmpdir
+ fi
fi
- sleep $(( 600 + RANDOM % 300 ))
+ sleep $(( 120 + RANDOM % 300 ))
done
}
diff --git a/distro-end b/distro-end
index a8f5eed51dfdd1c3bdf8510f36d6213ff021f5bd..98a28bd9b1bc171118a599c64ffd669d74908127 100755 (executable)
--- a/distro-end
+++ b/distro-end
case $codename_compat in
jammy)
- s systemctl enable ssh-agent-iank
+ s systemctl enable --now ssh-agent-iank
;;
esac
diff --git a/epanic-clean b/epanic-clean
index f69182b9482b7146501670b4c2f32df910c359bf..01755304a08de69fd8e5a5d0d245bc175e40565f 100755 (executable)
--- a/epanic-clean
+++ b/epanic-clean
# I think we could alert on anything else older than 61 seconds,
# but lets just add some slack, make it 2 minutes.
while read -r day time _; do
+ # some lines dont have dates, just skip them
+ # 2022-09-16 15:21:06.250 [438097] Exim configuration error:
+ # can't redefine an undefined macro "REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS"
+ if [[ $day != [2-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] ]]; then
+ continue
+ fi
log_s=$(date -d "$day $time" +%s)
if (( EPOCHSECONDS - 120 > log_s )); then
pr_metric=1
diff --git a/filesystem/usr/local/bin/oftc b/filesystem/usr/local/bin/oftc
--- /dev/null
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec emacs -f oftc
diff --git a/install-my-scripts b/install-my-scripts
index 42332c13ede2c052b9f4a4d1cb81340ed6540bdb..6d27eeea51a04e1a7dcdf188216b87d20c001768 100755 (executable)
--- a/install-my-scripts
+++ b/install-my-scripts
# ran. Very strange, dunno why, but rsync won't do anything unless these
# changed, so that should fix it.
/a/bin/log-quiet/setup
-rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-subvol \
+rsync -tl --chmod=755 --chown=root:root \
+ switch-mail-host \
+ switch-host2 \
+ btrbk-run mount-latest-subvol \
check-subvol-stale myi3status \
mailbindwatchdog \
check-mailq \
diff --git a/machine_specific/kd/filesystem/etc/cron.d/kd b/machine_specific/kd/filesystem/etc/cron.d/kd
index 41de0d92aab4754c7ea61b21c88787e318005580..d0f78b03165474db06d341cbc5f318ddc99ef35e 100644 (file)
#10 21 * * 1,2,3,4,5 root failmail wrt-setup -z
0 17 * * 1,2,3,4,5 root failmail wrt-setup -z
-# new 5pm rule
-0 6 * * 0,7 root failmail wrt-setup -y
-0 17 * * 0,7 root failmail wrt-setup -z
+# weekends
+0 6 * * 6,7 root failmail wrt-setup -y
+0 17 * * 6,7 root failmail wrt-setup -z
# saturday morning
# old
#0 11 * * 0,6 root failmail wrt-setup -z
5 1 * * * root ziva-backup-check |& log-once ziva-backup-check
+* * * * * root ziva-screen |& log-once ziva-screen
diff --git a/mail-setup b/mail-setup
index 36b0e9d6345334396ab4010b79a06f3b85bac9a0..c40c56c0b6eab97923f57686a5c617eaed7040ca 100755 (executable)
--- a/mail-setup
+++ b/mail-setup
done
} | i /etc/exim4/conf.d/my-dkim-domains
-cat >/etc/exim4/conf.d/transport/11_iank <<'EOF'
+if grep -Fq REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS \
+ /etc/exim4/conf.d/transport/10_exim4-config_transport-macros; then
+ cat >/etc/exim4/conf.d/transport/11_iank <<'EOF'
# This unsets the default macro defined in on t11 in
# /etc/exim4/conf.d/transport/10_exim4-config_transport-macros
# It seems like a very odd choice that this has become
# auth. Oh well.
REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS ==
EOF
+else
+ rm -f /etc/exim4/conf.d/transport/11_iank
+fi
cat >/etc/exim4/conf.d/main/000_local <<'EOF'
MAIN_TLS_ENABLE = true
DKIM_CANON = relaxed
DKIM_SELECTOR = li
-# From comments in
-# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
-# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8
-# There could be some circumstance when the
-# from: isnt our domain, but the envelope sender is
-# and so still want to sign, but I cant think of any case.
-#DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
-# In t11, we cant do the above anymore because this is tainted data used in a file lookup.
-# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data.
-DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}}
# The file is based on the outgoing domain-name in the from-header.
# sign if key exists
LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl
EOF
+if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show exim4)" ge 4.94; then
+ cat >>/etc/exim4/conf.d/main/000_local <<'EOF'
+# In t11, we cant do the old anymore because this is tainted data used in a file lookup.
+# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data.
+DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}}
+EOF
+else
+ cat >>/etc/exim4/conf.d/main/000_local <<'EOF'
+# From comments in
+# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
+# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8
+# There could be some circumstance when the
+# from: isnt our domain, but the envelope sender is
+# and so still want to sign, but I cant think of any case.
+DKIM_DOMAIN = ${lc:${domain:$rh_from:}}
+EOF
+fi
+
rm -fv /etc/exim4/rcpt_local_acl # old path
i /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF'
EOF
+# It is important for this to exist universally, instead of
+# just on the mail host because if we change mail host and
+# still have something in the queue which was destined for
+# this router, but hosts were unreachable, the routers will
+# be reevaluated on the next retry.
+i /etc/exim4/conf.d/router/890_backup_copy <<EOF
+### router/900_exim4-config_local_user
+#################################
+
+# todo, it would be nice backup sent email too,
+# but its not so important, they still exist in my head
+
+backup_copy:
+driver = manualroute
+domains = eximbackup.b8.nz
+transport = backup_remote
+ignore_target_hosts = ${HOSTNAME}wg.b8.nz
+# note changes here also require change in passwd.client
+route_list = * eximbackup.b8.nz
+same_domain_copy_routing = yes
+errors_to = alerts@iankelling.org
+no_more
+EOF
+
+# exim4-config transports are the same as default except for
+# message_linelength_limit = 2097152
+#
+# TODO: copy the defaults into their own file, and setup a cronjob so
+# that if file.dpkg-dist shows up, and it is different, we get an alert.
+
+i /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost <<'EOF'
+### transport/30_exim4-config_remote_smtp_smarthost
+#################################
+
+# This transport is used for delivering messages over SMTP connections
+# to a smarthost. The local host tries to authenticate.
+# This transport is used for smarthost and satellite configurations.
+
+remote_smtp_smarthost:
+ debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
+ driver = smtp
+ message_linelength_limit = 2097152
+ multi_domain
+ hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
+ {\
+ ${lookup{$host}nwildlsearch{CONFDIR/passwd.client}{$host_address}}\
+ }\
+ {} \
+ }
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+ hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+ hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+ tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+ tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+ return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+ headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PROTOCOL
+ protocol = REMOTE_SMTP_SMARTHOST_PROTOCOL
+.endif
+EOF
+
+i /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp <<'EOF'
+### transport/30_exim4-config_remote_smtp
+#################################
+# This transport is used for delivering messages over SMTP connections.
+
+remote_smtp:
+ debug_print = "T: remote_smtp for $local_part@$domain"
+ driver = smtp
+ message_linelength_limit = 2097152
+.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
+ hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_RETURN_PATH
+ return_path = REMOTE_SMTP_RETURN_PATH
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef REMOTE_SMTP_INTERFACE
+ interface = REMOTE_SMTP_INTERFACE
+.endif
+.ifdef DKIM_DOMAIN
+dkim_domain = DKIM_DOMAIN
+.endif
+.ifdef DKIM_IDENTITY
+dkim_identity = DKIM_IDENTITY
+.endif
+.ifdef DKIM_SELECTOR
+dkim_selector = DKIM_SELECTOR
+.endif
+.ifdef DKIM_PRIVATE_KEY
+dkim_private_key = DKIM_PRIVATE_KEY
+.endif
+.ifdef DKIM_CANON
+dkim_canon = DKIM_CANON
+.endif
+.ifdef DKIM_STRICT
+dkim_strict = DKIM_STRICT
+.endif
+.ifdef DKIM_SIGN_HEADERS
+dkim_sign_headers = DKIM_SIGN_HEADERS
+.endif
+.ifdef DKIM_TIMESTAMPS
+dkim_timestamps = DKIM_TIMESTAMPS
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_HOSTS_REQUIRE_TLS
+ hosts_require_tls = REMOTE_SMTP_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+ headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif
+
+EOF
+
+i /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
+backup_remote:
+ driver = smtp
+ multi_domain
+ message_linelength_limit = 2097152
+ hosts_require_auth = *
+ hosts_try_auth = *
+ envelope_to_add
+ # manual return path because we want it to be the envelope sender
+ # we got not the one we are using in this smtp transport
+ headers_add = "Return-path: $sender_address"
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+ hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+ hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+ tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
+ tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
+.endif
+.ifdef REMOTE_SMTP_HEADERS_REWRITE
+ headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
+.endif
+.ifdef REMOTE_SMTP_HELO_DATA
+ helo_data=REMOTE_SMTP_HELO_DATA
+.endif
+.ifdef TLS_DH_MIN_BITS
+tls_dh_min_bits = TLS_DH_MIN_BITS
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
+.endif
+.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
+.endif
+.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+ headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
+.endif
+EOF
+
i /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
### router/900_exim4-config_local_user
#################################
remote_smtp_vpn:
debug_print = "T: remote_smtp_vpn for $local_part@$domain"
driver = smtp
+ message_linelength_limit = 2097152
.ifdef REMOTE_SMTP_HOSTS_AVOID_TLS
hosts_avoid_tls = REMOTE_SMTP_HOSTS_AVOID_TLS
.endif
smarthost_dkim:
debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
driver = smtp
+ message_linelength_limit = 2097152
multi_domain
hosts_try_auth = <; ${if exists{CONFDIR/passwd.client} \
{\
rcdir=${rcdirs[i]}
rcbase=${rcdir##*/}
ncdir=${ncdirs[i]}
+ myncdir=/root/${ncdir##*/}
+ mkdir -p $myncdir
# copied from debians cronjob
i /etc/cron.d/$rcbase <<EOF
### begin php setup for rc ###
# Enable PHP modules.
m phpenmod -v php mcrypt imap
- # dpkg says this is required
+ # dpkg says this is required.
+ # nextcloud needs these too
m a2enmod proxy_fcgi setenvif
fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm
phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
m rm -f $file
m chown -R www-data.www-data nextcloud
m mv nextcloud $ncdir
+ fi
+
+ if [[ ! -e $myncdir/done-install ]]; then
m cd $ncdir
m sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass
+ m touch $myncdir/done-install
fi
+
# note, strange this happend where updater did not increment the version var,
# mine was stuck on 20. I manually updated it.
m cd $ncdir/config
- if [[ ! -e config.php-orig ]]; then
- m cp -a config.php config.php-orig
+ if [[ ! -e $myncdir/config.php-orig ]]; then
+ m cp -a config.php $myncdir/config.php-orig
fi
- cat config.php-orig - >tmp.php <<EOF
+ cat $myncdir/config.php-orig - >$myncdir/tmp.php <<EOF
# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html
\$CONFIG["mail_smtpmode"] = "sendmail";
\$CONFIG["mail_smtphost"] = "127.0.0.1";
var_export(\$CONFIG);
fwrite(STDOUT, ";\n");
EOF
- e running php tmp.php
- php tmp.php >config.php
- # leave in place for debugging
- #m rm -f tmp.php
- m sudo -u www-data php $ncdir/occ maintenance:update:htaccess
+ e running php $myncdir/tmp.php
+ # note: we leave it around place for debugging
+ php $myncdir/tmp.php >config.php
+ cd $ncdir
+ m sudo -u www-data php occ maintenance:update:htaccess
list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list)
# user_external not compaible with nc 23
for app in contacts calendar; do
if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then
- m sudo -u www-data php $ncdir/occ app:install $app
+ cd $ncdir
+ m sudo -u www-data php occ app:install $app
fi
done
i /etc/systemd/system/$ncbase.service <<EOF
ncbase=$1
cd /var/www/$ncbase
+# https://docs.nextcloud.com/server/22/admin_manual/maintenance/update.html?highlight=updater+phar
m php /var/www/$ncbase/updater/updater.phar -n
-# just being overly cautious
-sleep 3
-m php occ -n upgrade
EOFOUTER
chmod +x /usr/local/bin/ncup
# which required using a dedicated user, but realized smtp will be
# more reliable and less fuss. If I ever need that again, see the
# history of this file, and bum in brc2.
-
i /etc/exim4/conf.d/router/890_backup_copy <<EOF
-### router/900_exim4-config_local_user
-#################################
-
-# todo, it would be nice to save sent email too,
-# but its not so important, they still exist in my head
-
backup_redir:
driver = redirect
domains = +local_domains
# redirected earlier, so that is just being overly cautious.
local_parts = ! root : ! testignore : ! alerts
unseen = true
-
-backup_copy:
-driver = manualroute
-domains = eximbackup.b8.nz
-transport = backup_remote
-ignore_target_hosts = ${HOSTNAME}wg.b8.nz
-# note changes here also require change in passwd.client
-route_list = * eximbackup.b8.nz
-same_domain_copy_routing = yes
errors_to = alerts@iankelling.org
-no_more
EOF
- i /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
-backup_remote:
- driver = smtp
- multi_domain
-.ifdef IGNORE_SMTP_LINE_LENGTH_LIMIT
- message_linelength_limit = 1000000
-.endif
- hosts_require_auth = *
- hosts_try_auth = *
- envelope_to_add
- # manual return path because we want it to be the envelope sender
- # we got not the one we are using in this smtp transport
- headers_add = "Return-path: $sender_address"
-.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
- hosts_avoid_tls = REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS
-.endif
-.ifdef REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
- hosts_require_tls = REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS
-.endif
-.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
- tls_verify_certificates = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_CERTIFICATES
-.endif
-.ifdef REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS
- tls_verify_hosts = REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOST
-.endif
-.ifdef REMOTE_SMTP_HEADERS_REWRITE
- headers_rewrite = REMOTE_SMTP_HEADERS_REWRITE
-.endif
-.ifdef REMOTE_SMTP_HELO_DATA
- helo_data=REMOTE_SMTP_HELO_DATA
-.endif
-.ifdef TLS_DH_MIN_BITS
-tls_dh_min_bits = TLS_DH_MIN_BITS
-.endif
-.ifdef REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
-tls_certificate = REMOTE_SMTP_SMARTHOST_TLS_CERTIFICATE
-.endif
-.ifdef REMOTE_SMTP_SMARTHOST_PRIVATEKEY
-tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
-.endif
-.ifdef REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
- headers_remove = REMOTE_SMTP_TRANSPORTS_HEADERS_REMOVE
-.endif
-EOF
-
- # This allows for forward mail to not get most rcpt checks, especially SPF,
+ # This allows for forwarded mail to not get most rcpt checks, especially SPF,
# which would incorrectly get denied.
i /etc/exim4/host_local_deny_exceptions <<'EOF'
mail.fsf.org
diff --git a/nextcloud-setup b/nextcloud-setup
--- /dev/null
+++ b/nextcloud-setup
@@ -0,0 +1,264 @@
+#!/bin/bash
+
+if [[ -s /usr/local/lib/err ]]; then
+ source /usr/local/lib/err
+else
+ exit 1
+fi
+
+
+pre="${0##*/}:"
+m() { printf "$pre %s\n" "$*"; "$@"; }
+e() { printf "$pre %s\n" "$*"; }
+err() { printf "$pre %s\n" "$*" >&2; exit 1; }
+i() { # install file
+ local tmp tmpdir dest="$1"
+ local base="${dest##*/}"
+ local dir="${dest%/*}"
+ if [[ $dir != "$base" ]]; then
+ # dest has a directory component
+ mkdir -p "$dir"
+ fi
+ ir=false # i result
+ tmpdir=$(mktemp -d)
+ cat >$tmpdir/"$base"
+ tmp=$(rsync -ic $tmpdir/"$base" "$dest")
+ if [[ $tmp ]]; then
+ printf "%s\n" "$tmp"
+ ir=true
+ if [[ $dest == /etc/systemd/system/* ]]; then
+ touch /var/local/mail-setup-reload
+ reload=true
+ fi
+ fi
+ rm -rf $tmpdir
+}
+setini() {
+ key="$1" value="$2" section="$3"
+ file="/etc/radicale/config"
+ sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*${key}[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
+}
+soff () {
+ for service; do
+ # ignore services that dont exist
+ if systemctl cat $service &>/dev/null; then
+ m systemctl disable --now $service
+ fi
+ done
+}
+sre() {
+ for service; do
+ m systemctl restart $service
+ m systemctl enable $service;
+ done
+}
+
+
+ncdir=/var/www/ncfsf
+myncdir=/root/ncfsf
+ncbase=${ncdir##*/}
+mkdir $myncdir
+domain=boardfiles.fsf.org
+
+apt-get -y install php-zip apache2 php-fpm
+
+fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm
+phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p')
+m a2enconf $fpm
+# 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading
+# /etc/apache2/conf-enabled/php7.3-fpm.conf
+# However, on t11,
+# ERROR: Module php8.1 does not exist. just allow it to fail
+m a2dismod php$phpver ||:
+
+# php with fpm doesnt work without this
+m a2enmod proxy_fcgi
+
+
+
+m web-conf - apache2 $domain <<EOF
+### begin nextcloud settings
+Alias /nextcloud "$ncdir/"
+<Directory $ncdir/>
+ Require all granted
+ AllowOverride All
+ Options FollowSymLinks MultiViews
+
+ <IfModule mod_dav.c>
+ Dav off
+ </IfModule>
+
+</Directory>
+
+# based on install checker, links to
+# https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery
+# their example was a bit wrong, I figured it out by adding
+# LogLevel warn rewrite:trace5
+# then watching the apache logs
+
+RewriteEngine on
+RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L]
+RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L]
+RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L]
+### end nextcloud settings
+EOF
+
+
+i /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF'
+apc.enable_cli = 1
+EOF
+
+
+i /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
+date.timezone = "America/New_York"
+# for nextcloud
+upload_max_filesize = 2000M
+post_max_size = 2000M
+# install checker, nextcloud/settings/admin/overview
+memory_limit = 512M
+EOF
+
+m systemctl restart $fpm
+
+# some of these are based on errors later on.
+m apt-get -y install php-curl php-bz2 php-gmp php-bcmath php-imagick php-apcu php-mbstring php-xml php-gd sqlite3 php-sqlite3
+
+# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html
+cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF'
+[www]
+clear_env = no
+EOF
+
+
+
+nextcloud_admin_pass=casHiosidZyFraycs
+
+m cd /var/www
+if [[ ! -e $ncdir/index.php ]]; then
+ # if we wanted to only install a specific version, use something like
+ # file=latest-22.zip
+ file=latest.zip
+ m wget -nv -N https://download.nextcloud.com/server/releases/$file
+ m rm -rf nextcloud
+ m unzip -q $file
+ m rm -f $file
+ m chown -R www-data.www-data nextcloud
+ m mv nextcloud $ncdir
+fi
+
+if [[ ! -e $myncdir/done-install ]]; then
+ m cd $ncdir
+ m sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass
+ m touch $myncdir/done-install
+fi
+
+# note, strange this happend where updater did not increment the version var,
+# mine was stuck on 20. I manually updated it.
+m cd $ncdir/config
+if [[ ! -e $myncdir/config.php-orig ]]; then
+ m cp -a config.php $myncdir/config.php-orig
+fi
+cat $myncdir/config.php-orig - >$myncdir/tmp.php <<EOF
+# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html
+\$CONFIG["mail_smtpmode"] = "sendmail";
+\$CONFIG["mail_smtphost"] = "127.0.0.1";
+\$CONFIG["mail_smtpport"] = 25;
+\$CONFIG["mail_smtptimeout"] = 10;
+\$CONFIG["mail_smtpsecure"] = "";
+\$CONFIG["mail_smtpauth"] = false;
+\$CONFIG["mail_smtpauthtype"] = "LOGIN";
+\$CONFIG["mail_smtpname"] = "";
+\$CONFIG["mail_smtppassword"] = "";
+\$CONFIG["mail_domain"] = "$domain";
+
+
+# based on installer check
+# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html
+\$CONFIG['memcache.local'] = '\OC\Memcache\APCu';
+
+\$CONFIG['overwrite.cli.url'] = 'https://$domain/nextcloud';
+\$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
+\$CONFIG['trusted_domains'] = array (
+ 0 => '$domain',
+ );
+#\$CONFIG[''] = '';
+fwrite(STDOUT, "<?php\n\\\$CONFIG = ");
+var_export(\$CONFIG);
+fwrite(STDOUT, ";\n");
+EOF
+e running php $myncdir/tmp.php
+# note: we leave it around place for debugging
+php $myncdir/tmp.php >config.php
+cd $ncdir
+m sudo -u www-data php occ maintenance:update:htaccess
+i /etc/systemd/system/$ncbase.service <<EOF
+[Unit]
+Description=ncup $ncbase
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/ncup $ncbase
+User=www-data
+IOSchedulingClass=idle
+CPUSchedulingPolicy=idle
+EOF
+i /etc/systemd/system/$ncbase.timer <<EOF
+[Unit]
+Description=ncup $ncbase timer
+
+[Timer]
+OnCalendar=Daily
+
+[Install]
+WantedBy=timers.target
+EOF
+systemctl enable --now $ncbase.timer
+i /usr/local/bin/ncup <<'EOFOUTER'
+#!/bin/bash
+
+source /usr/local/lib/err
+
+m() { printf "%s\n" "$*"; "$@"; }
+err-cleanup() {
+ echo failed nextcloud update for $ncbase >&2
+ # -odf or else systemd will kill the background delivery process
+ # and the message will sit in the queue until the next queue run.
+ exim -odf -t <<EOF
+To: alerts@iankelling.org
+From: www-data@$(hostname -f)
+Subject: failed nextcloud update for $ncbase
+
+For logs, run: jr -u $ncbase
+EOF
+}
+
+if [[ $(id -u -n) != www-data ]]; then
+ echo error: running as wrong user: $(id -u -n), expected www-data
+ exit 1
+fi
+
+if [[ ! $1 ]]; then
+ echo error: expected an arg, nextcloud relative base dir
+ exit 1
+fi
+
+ncbase=$1
+cd /var/www/$ncbase
+# https://docs.nextcloud.com/server/22/admin_manual/maintenance/update.html?highlight=updater+phar
+m php /var/www/$ncbase/updater/updater.phar -n
+EOFOUTER
+chmod +x /usr/local/bin/ncup
+
+mkdir -p /var/www/cron-errors
+chown www-data.www-data /var/www/cron-errors
+i /etc/cron.d/$ncbase <<EOF
+PATH=/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin
+SHELL=/bin/bash
+# https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html
+*/5 * * * * www-data php -f $ncdir/cron.php --define apc.enable_cli=1 |& log-once nccron
+EOF
+
+if $reload; then
+ m systemctl daemon-reload
+fi
index 8854f2260299cb668dae238e5ebebcd05ce52827..0dba2713940de959b4e055f7851433d0e2f64e3b 100644 (file)
blinking_cursor=No
allow_bold=Yes
cursor_type=VTE_CURSOR_SHAPE_BLOCK
-palette=solarized_dark
+palette=1
add_tab_accelerator=5
del_tab_accelerator=5
switch_tab_accelerator=8
word_chars=-,./?%&#_~:
search_accelerator=5
search_key=F
+colorset1_scheme=1
+colorset2_scheme=1
+colorset3_scheme=1
+colorset4_scheme=1
+colorset5_scheme=1
+colorset6_scheme=1
+bold_is_bright=false
+paste_button=2
+menu_button=3
diff --git a/switch-mail-host b/switch-mail-host
index 09bd739abd4c294946ac96426cb79367446282ae..0bce486ecb4a3a50c4a2d8d81dbbdf73b0d6a08a 100644 (file)
--- a/switch-mail-host
+++ b/switch-mail-host
new_host=$host
bbk_args="-t $new_host"
new_shell="ssh -F $HOME/.ssh/confighome root@$new_host"
- $new_shell -v hostname
- new_hostname=$($new_shell hostname)
+ if ! new_hostname=$($new_shell hostname); then
+ echo "$pre: error: failed ssh. retrying failed $new_shell with -v for more info:"
+ $new_shell -v hostname
+ fi
;;
pull)
old_host=$host
new_hostname=$HOSTNAME
bbk_args="-s $old_host"
old_shell="ssh -F $HOME/.ssh/confighome root@$old_host"
+ old_shelliank="ssh -F $HOME/.ssh/confighome iank@$old_host"
# tests ssh connection. crafted this to not need to do escape chars
f=/a/bin/bash_unpublished/source-state
if ! old_info=($($old_shell "hostname; sed -n s,.*MAIL_HOST=,,p $f; sed -n s,.*HOST2=,,p $f")); then
;;
esac
-
if $mail_only; then
mp_args="-m /o"
elif $host2_only; then
fi
-
-if [[ $old_hostname != "$MAIL_HOST" ]] && ! $force; then
+if $host2_only; then
+ if [[ $old_hostname != "$HOST2" ]]; then
+ err "\$old_hostname($old_hostname) != \$HOST2($HOST2). Rerun with --force if you really want this."
+ exit 1
+ fi
+elif [[ $old_hostname != "$MAIL_HOST" ]] && ! $force; then
err "\$old_hostname($old_hostname) != \$MAIL_HOST($MAIL_HOST). Rerun with --force if you really want this."
exit 1
fi
fi
if $host2_only; then
+ if [[ $old_hostname != "$MAIL_HOST" ]]; then
+ m $old_shell systemctl --now disable btrbk.timer
+ fi
+ m $new_shell systemctl --now enable btrbk.timer
exit 0
fi
diff --git a/ziva-screen b/ziva-screen
--- /dev/null
+++ b/ziva-screen
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Get screenshots from bow, discard them if they dont change much.
+
+source /usr/local/lib/err
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+f=/run/user/1000/ziva-tmp.jpg
+
+cd /d/ziva-log
+shopt -s nullglob
+jpgs=( 20*jpg )
+if (( ${#jpgs[@]} >= 1 )); then
+ lastf=$(ls -1 20*jpg | tail -n1)
+fi
+
+ssh bow DISPLAY=:0 scrot -z $f 2>/dev/null || exit 0
+rsync --inplace bow:$f /d/ziva-log 2>/dev/null || exit 0
+ssh bow rm -f $f
+
+same=false
+if [[ $lastf ]]; then
+ # returns 2 on error, but maybe in that case we want to ignore, file the image away
+ # and then it can go away in a subsequent comparison. going with that for now.
+ diff=$(compare -metric MSE $lastf ziva-tmp.jpg /dev/null |& sed 's/[^0-9].*//') ||:
+ if printf "%s\n" "$diff" | egrep '^[0-9]+$' &>/dev/null && (( diff < 200 )); then
+ same=true
+ fi
+fi
+
+if $same; then
+ rm -f ziva-tmp.jpg
+else
+ mv ziva-tmp.jpg $(date +%F.%R).jpg
+fi