/p/c/subdir_files/eggdrop/eggdrop-fsysbot.conf
/p/c/subdir_files
)
- a="-ahviSAXPH --specials --devices --delete --relative --exclude-from=/p/c/li-rsync-excludes"
+ a="-ahviSAXPH --specials --devices --delete --delete-excluded --relative --exclude-from=/p/c/li-rsync-excludes"
ret=0
for h in li je bk; do
m s rsync "$@" $a ${p[@]} /p/c/machine_specific/$h root@$h.b8.nz:/
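Review bot: `--delete-excluded` on line 5 widens what rsync removes on the receiver: together with the existing `--delete` and a destination of `root@$h.b8.nz:/`, any path under the transferred trees that matches a pattern in /p/c/li-rsync-excludes is now deleted on the target host rather than merely left alone. Before relying on it, run the loop once with `-n` (`--dry-run`) added to `$a` and read the reported deletions, since the one exclude list applies to every host in `li je bk`. While here, `${p[@]}` on line 8 is unquoted and will be word-split; `"${p[@]}"` is the safe form (leaving `$a` unquoted is deliberate, it is a single string of flags). The enclosing function starts outside the hunk.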
bindpushb8
# for wireguard configs
- ssh iank@li.b8.nz "conflink; ser reload wg-quick@wgmail"
+ ssh iank@li.b8.nz "conflink; ser reload wg-quick-mail"
wrt-setup
}
local host ipsuf f files
# shellcheck disable=SC2016 # shellcheck doesnt know this is sed
- sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf
+ sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/mail.conf
for host in ${!vpn_ips[@]}; do
if [[ ${root_hosts_a[$host]} ]]; then
[Service]
Type=oneshot
-ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
-# no need to stop
-#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns/newns -n 10.174.$ipsuf start %i
+ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns/newns stop %i
RemainAfterExit=yes
[Install]
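Review bot: The newns path on lines 26-27 is `/usr/local/bin/newns/newns`, while the same program is invoked as `/usr/local/bin/newns` on lines 375-376 of the wg-quick-mail-pre unit; one of the two spellings is presumably wrong, and the unit using it would fail at start with a missing-executable error. The stop invocations also differ in form: line 27 runs `newns stop %i` with no `-n`, line 376 runs `newns -n 10.173.8 stop mail` — worth confirming against newns which arguments stop actually expects, and using one form in both units. The enclosing heredoc and function start outside the hunk.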
Description=WireGuard via wg-quick(8) for %I
After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
-PartOf=wg-quick.target
Documentation=man:wg-quick(8)
Documentation=man:wg(8)
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+# copied from wg-quick@.service
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
[Install]
WantedBy=multi-user.target
PublicKey = $(cat /p/c/machine_specific/$host/filesystem/etc/wireguard/hole-pub.key)
AllowedIPs = 10.8.0.$ipsuf/32,10.174.${vpn_ips[$host]}.2/32
EOF
- done | cedit /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf || [[ $? == 1 ]]
+ done | cedit /p/c/machine_specific/li/filesystem/etc/wireguard/mail.conf || [[ $? == 1 ]]
{
echo "cat <<EOF"
PostUp = ping -w10 -c1 10.8.0.1 ||:
[Peer]
-# li. called wgmail on that server
+# li. called mail on that server
PublicKey = CTFsje45qLAU44AbX71Vo+xFJ6rt7Cu6+vdMGyWjBjU=
AllowedIPs = 10.8.0.0/24$vpn_allowed$extrahost
Endpoint = 72.14.176.105:1194
noble=$(echo ${prefix}ubuntu.com_ubuntu_dists_noble{,-security,-updates}_{main,universe}_binary-amd64_Packages)
ecne=$(echo ${prefix}trisquel.org_trisquel_dists_ecne{,-updates,-security}_main_binary-amd64_Packages)
test-ecne-noble-package-lists-exist
- u24_kernel_pkgs="virtual|oem|image|generic|firmware|aws|azure|buildinfo|cloud|gcp|gke|headers|hwe|ibm|lowlatency|modules|nvidia|riscv|tools|intel|oracle|lib-rust"
+ u24_kernel_pkgs="virtual|oem|image|generic|firmware|aws|azure|buildinfo|cloud|gcp|gke|headers|hwe|ibm|lowlatency|modules|nvidia|signatures-nvidia|riscv|tools|intel|oracle|lib-rust|xilinx|realtime"
for dist in ecne noble; do
# shellcheck disable=SC2094 # false positive
{
;;&
bk)
- sgo wg-quick@wgmail
+ sgo wg-quick-mail
# i just dont feel like setting up a special purpose ssh key to do this automatically.
end_msg <<'EOF'
# needed for li's local mail delivery.
tu /etc/hosts <<<"10.8.0.4 mx.iankelling.org"
- # wgmail handles this.
- #sgo vpn-mail-forward.service
- # old:
- #sgo openvpn-server@mail
- sgo wg-quick@wgmail
+ sgo wg-quick-mail
# setup let's encrypt cert
m web-conf apache2 mail.iankelling.org
export IANK_BASHRC_RUN="prof-remote $remote"
konsole --profile profanity
else
- prof-tail |& ts "%F %T" | tee -a /home/iank/.local/prof-tail.log &
+ # output will go to ~/.xsession-errors
+ prof-tail |& ts "%F %T" &
konsole --profile profanity -e tmux -L profanity a
fi
if $remote; then
tail-cmd
else
- tail-cmd | while :; do read -r l; notify-cmd "$l"; done
+ tail-cmd | while read -r l 2>/dev/null; do notify-cmd "$l"; done
fi
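Review bot: `2>/dev/null` on line 93 is attached to the `read` builtin, which rarely writes to stderr, so it is presumably not silencing what was intended; if the goal is to hide errors from `tail-cmd`, the redirect belongs on that command instead. Independently, without `IFS=` read trims leading and trailing whitespace from each line; `tail-cmd | while IFS= read -r l; do notify-cmd "$l"; done` passes lines on verbatim. The surrounding function starts outside the hunk.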
if (( loop_start >= EPOCH_SECONDS - 1 )); then
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.29 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.29.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.29.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.34.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.34.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.2 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.2.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.2.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.97 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.97.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.97.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.99 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.99.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.99.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.3.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.3.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.7.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.28.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.28.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
[Service]
Type=simple
ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.8 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.8.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
ExecStartPre=/usr/bin/wg-quick up %i
ExecStart=/bin/sleep infinity
ExecStopPost=/usr/bin/wg-quick down %i
ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.8.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
[Install]
# and
-vpnser=wg-quick@wgmail.service
-
case $HOSTNAME in
$MAIL_HOST)
rsync -aiSAX --chown=root:root --chmod=g-s /p/c/filesystem/etc/wireguard/ /etc/wireguard
case $HOSTNAME in
li) : ;;
*)
- u /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
+ u /etc/systemd/system/wg-quick-mail.service <<EOF
[Unit]
-Requires=mailnn.service
-BindsTo=mailnn.service
-StartLimitIntervalSec=0
+Description=WireGuard in a netns and other mail specific configs
+After=network.target wg-quick-mail-pre.service
+Wants=network.target wg-quick-mail-pre.service
[Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf mail <(exec /usr/bin/wg-quick strip mail)'
+ExecStartPre=/usr/bin/wg-quick up mail
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down mail
NetworkNamespacePath=/var/run/netns/mail
-# i dont think we need any of these, but it doesnt hurt to stay consistent
BindPaths=$bindpaths
-
+# copied from wg-quick@.service
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
Restart=on-failure
RestartSec=20
-EOF
- ;;
-esac
-
-
-# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
-u /etc/systemd/system/mailvpn.service <<EOF
-[Unit]
-Description=OpenVPN tunnel for mail
-After=syslog.target network-online.target mailnn.service
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-# needed to continually restatr
-BindsTo=mailnn.service
-StartLimitIntervalSec=0
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-NetworkNamespacePath=/var/run/netns/mail
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/mail.conf
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53,
-# because of
-# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
-# there is a workaround there, but i dont think its really worth it,
-# the mail server is fine with a static dns anyways.
-# This thread is also interesting,
-# https://github.com/slingamn/namespaced-openvpn/issues/7
-# todo: the iptables rule at the bottom could be useful to prevent
-# dns from leaking in my network namespaced vpn.
-# I also like the idea of patching systemd-resolved so it
-# will listen on other interfaces, but its not worth my time.
-BindPaths=$bindpaths
-Restart=always
-# time to sleep before restarting a service
-RestartSec=20
[Install]
WantedBy=multi-user.target
+
EOF
+ ;;
+esac
-u /etc/systemd/system/mailnnroute.service <<'EOF'
+## openvpn based config and overly complex wireguard.
+rm -f /etc/systemd/system/mailvpn.service
+for s in mailnn mailnnroute; do
+ soff $s
+ rm -fr /etc/systemd/system/$s.service /etc/systemd/system/$s.service.d
+done
+rm -f /etc/wireguard/wgmail.conf
+
+u /etc/systemd/system/wg-quick-mail-pre.service <<'EOF'
[Unit]
Description=Initial setup of mail netns
After=network.target
[Service]
Type=oneshot
RemainAfterExit=true
-ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
-ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
-Restart=always
-RestartSec=20
-
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-u /etc/systemd/system/mailnn.service <<'EOF'
-[Unit]
-Description=Network Namespace for mail vpn service that will live forever and cant fail
-# These are the same as unbound.service, plus mailnnroute, except no wants=, which seems
-# to me could only make it run earlier, not later. Note, that if we had an
-# After= for a later target
-# than nss-lookup, systemd would just ignore unbound's After=mailnn.service and
-# start it first. It seems logically, that we should not need the Before= here,
-# but I'm not confident that systemd would do something unexpected and still start
-# unbound earlier than this.
-After=network.target mailnnroute.service
-Wants=mailnnroute.service
-Before=nss-lookup.target
-
-[Service]
-Type=simple
-ExecStart=/bin/sleep infinity
-NetworkNamespacePath=/var/run/netns/mail
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns -n 10.173.8 start mail
+ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns -n 10.173.8 stop mail
[Install]
WantedBy=multi-user.target
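Review bot: wg-quick-mail.service on lines 265-266 only `Wants=` the unit that creates the mail netns (wg-quick-mail-pre.service, lines 340-376), whereas the override it replaces had `Requires=` and `BindsTo=` on mailnn.service (lines 261-262). With Wants alone, stopping wg-quick-mail-pre — whose ExecStop tears the namespace down on line 376 — does not stop wg-quick-mail, and the units that `BindsTo=wg-quick-mail.service` (lines 383, 397, 407) are not told either; adding `BindsTo=wg-quick-mail-pre.service` next to the existing `After=` would propagate the stop the way the rest of the chain already does. Lines 333-338 delete the mailnn/mailnnroute unit files after `soff`; unless `u` or `soff` already does it, a `systemctl daemon-reload` is needed for systemd to forget them. The enclosing `case` starts outside the hunk.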
[Unit]
Description=Watchdog to restart services relying on systemd-resolved dir
After=network.target
-BindsTo=mailnn.service
+BindsTo=wg-quick-mail.service
[Service]
Type=simple
-ExecStart=/usr/local/bin/mailbindwatchdog $vpnser ${nn_progs[@]} unbound.service radicale.service
+ExecStart=/usr/local/bin/mailbindwatchdog wg-quick-mail.service ${nn_progs[@]} unbound.service radicale.service
Restart=always
# time to sleep before restarting a service
RestartSec=10
# todo, should this be after vpn service?
u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
[Unit]
-After=mailnn.service
-BindsTo=mailnn.service
+After=wg-quick-mail.service
+BindsTo=wg-quick-mail.service
StartLimitIntervalSec=0
[Service]
# if the vpnser fails to start, this service won't get run at
# all, even if the vpnser starts on an automatic restart.
-Wants=$vpnser
-After=network.target mailnn.service $vpnser
-BindsTo=mailnn.service
+Wants=wg-quick-mail.service
+After=network.target wg-quick-mail.service
+BindsTo=wg-quick-mail.service
StartLimitIntervalSec=0
[Service]
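Review bot: The comment on lines 400-401 still speaks of "the vpnser", but this commit removes the `$vpnser` variable (line 250) and hard-codes wg-quick-mail.service on lines 405-407, so the comment no longer names anything that exists in the file. Suggest `# if wg-quick-mail.service fails to start, this service won't get run at` / `# all, even if wg-quick-mail starts on an automatic restart.`. The enclosing heredoc starts outside the hunk.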
done
fi
-# We could do this for all hosts but bk and MAIL_HOST. If we did,
-# then we are get failure in joins-namespace-of-check for unbound
-# and mailnnroute when we switch-mail-host. It is a systemd bug, but
-# I realized I have no reason to run these outside of the network
-# namespace, so I will avoid the bug that way.
+# We could do this for all hosts but bk and MAIL_HOST, but I avoided
+# that due to the systemd bug: todo reconsider.
# for unit in exim4 unbound $spamd_ser $spamd_remove dovecot; do
# f=/etc/systemd/system/$unit.service.d/nn.conf
u /etc/systemd/system/radicale.service.d/override.conf <<EOF
[Unit]
-After=network.target network-online.target mailnn.service $vpnser
+After=network.target network-online.target wg-quick-mail.service
-Wants=$vpnser
+Wants=wg-quick-mail.service
StartLimitIntervalSec=0
[Service]
[Install]
# for openvpn
-RequiredBy=$vpnser
+RequiredBy=wg-quick-mail.service
EOF
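Review bot: `# for openvpn` on line 430 is stale: the OpenVPN unit (mailvpn.service) is removed by this commit (lines 287-324 and 333), and line 432 now makes radicale `RequiredBy=wg-quick-mail.service`. A comment stating the actual effect would help the next reader, e.g. `# enabling radicale adds a Requires= on it to wg-quick-mail.service (see RequiredBy= in systemd.unit(5))`; it is also worth confirming that coupling the VPN unit to radicale is still intended rather than a leftover from the OpenVPN setup. The enclosing heredoc starts outside the hunk.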
accept
EOF
;;
- esac
+esac
case $HOSTNAME in
bk|je)
# ** exim non-root related setting
case $HOSTNAME in
+ # these should be able to run nonroot, but not bothering.
je|li)
# no reason to expect it to ever be there.
rm -fv /etc/systemd/system/exim4.service.d/nonroot.conf
# note: nonroot settings also exists in
# /b/ds/filesystem/usr/local/bin/mailbindwatchdog
run_as_nonroot=true
+ if [[ $HOSTNAME == bk ]]; then
+ # i tried, but t11 still runs init script, which needs to do some root things.
+ run_as_nonroot=false
+ fi
if $run_as_nonroot; then
owners=$(stat -c %U:%G /usr/sbin/exim4)
fi
done
{
- cat <<EOF
+ cat <<EOF
[Service]
# see 56.2 Root privilege in exim spec
# https://www.redhat.com/sysadmin/mastering-systemd
# socket bind() to port 25 for address (any IPv6) failed: Permission denied
# but we also have to set the file capabilities to avoid the error.
#NoNewPrivileges=yes
-ProtectSystem=full
-
# when we get newer systemd
#ProtectDevices=yes
SystemCallArchitectures=native
EOF
- if $run_as_nonroot; then
- cat <<'EOF'
+ if $run_as_nonroot; then
+ cat <<'EOF'
+ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ExecStartPre=
ExecStartPre=+/usr/sbin/update-exim4.conf $UPEX4OPTS
EOF
- fi
+ fi
} | u /etc/systemd/system/exim4.service.d/nonroot.conf
;;
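Review bot: Moving `ProtectSystem=full` out of the unconditional heredoc (removed at line 467) into the `if $run_as_nonroot` block (line 477) withdraws that sandboxing exactly in the case where exim keeps running as root, and lines 450-452 now force `run_as_nonroot=false` on bk, so bk's exim4 ends up as root without the read-only /usr and /etc it had before. If the move was needed because the root path writes under a protected directory, `ProtectSystem=full` plus a `ReadWritePaths=` entry for that directory keeps the restriction; otherwise leaving `ProtectSystem=full` in the unconditional block restores the previous posture. The enclosing `case` arm starts outside the hunk.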
# ** ! MAILHOST
*)
-# note: this depends on the previous section having ;; vs ;;&
+ # note: this depends on the previous section having ;; vs ;;&
# this router is only hit by je and bk, but it is defined on all hosts for convenience.
cat >>/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
cat >>/etc/nonn-exim4/conf.d/main/000_local <<'EOF'
MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
EOF
+ # exim4in.service should do this, but it is too easy to start exim4 in the meantime.
+ m update-exim4.conf -d /etc/nonn-exim4
+
;;
$MAIL_HOST)
errors_to = alerts@iankelling.org
EOF
- # for bk, we have a exim4in.service that will do this for us.
m update-exim4.conf -d /etc/nonn-exim4
;;
esac
case $HOSTNAME in
$MAIL_HOST|bk)
# If any of these have config changes, then restart them as needed:
- # sre mailnn mailnnroute $vpnser
- son mailnn mailnnroute $vpnser
+ # sre wg-quick-mail
+ son wg-quick-mail
;;&
$MAIL_HOST)
# If this service's config changes, add a manual restart here.
## wip to only restart services that actually need restarting.
all_units=(
- mailnn.service mailnnroute.service $vpnser.service
+ wg-quick-mail.service
unbound.service
clamav-daemon.service
dovecot.service $myspam_ser.service mailtest-check.service
soff $spamd_ser clamav-daemon unbound
;;
*)
- soff radicale mailclean.timer dovecot $spamd_ser $vpnser mailnn clamav-daemon unbound
+ soff radicale mailclean.timer dovecot $spamd_ser wg-quick-mail clamav-daemon unbound
;;
esac
#set -x
+## todo: fix negative sleep:
+##
+##mailtest-check: end of spam debug results
+# Feb 15 14:12:21 frodo mailtest-check[68446]: sleep: invalid option -- '6'
+# Feb 15 14:12:21 frodo mailtest-check[68446]: Try 'sleep --help' for more information.
+# Feb 15 14:12:21 frodo mailtest-check[58304]: /usr/local/bin/mailtest-check:457: `sleep $(( 300 - ( EPOCHSECONDS - premain_sec ) ))'
+
+
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
source /b/bash-bear-trap/bash-bear
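Review bot: The todo on lines 532-537 records the symptom but the fix is small enough to make now: the quoted sleep passes a negative number once more than 300 s have elapsed, and sleep parses `-6` as an option. Clamping avoids it: `remaining=$(( 300 - ( EPOCHSECONDS - premain_sec ) ))` followed by `if (( remaining > 0 )); then sleep "$remaining"; fi`. The affected line (mailtest-check:457) is outside this hunk.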