sudo ln -sf /etc/nsswitch/nsswitch.conf /etc
fi
+f=/etc/nn-resolv/nsswitch.conf
+if [[ ! -e $f ]]; then
+ sudo mkdir -p ${f%/*}
+ sudo cp /etc/nsswitch.conf $f
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f
+fi
+
f=/etc/apparmor.d/abstractions/nameservice
if ! grep -q /etc/nsswitch/nsswitch.conf $f; then
sudo sed -i '/\/etc\/nsswitch.conf/a /etc/nsswitch/nsswitch.conf r,' $f
# seems more important than some potential use case.
# Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite.
# removing files makes hostname -f not actually give the fully qualified domain name.
-sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf
+case $HOSTNAME in
+ bk)
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf
+ ;;
+ *)
+ sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf
+ ;;
+esac
+
if dpkg -s -- nscd &>/dev/null; then
sudo apt-get -y remove --purge --auto-remove nscd
sudo systemctl stop nscd ||: # fails if already stopped
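Review bot: The comment block above the case (lines 13-15) argues about `files` versus `resolve` ordering but says nothing about why `bk` gets a plain `files dns myhostname` line with no `resolve` at all, so the next reader will assume the two arms are interchangeable. Elsewhere in this change bk turns systemd-resolved off (`soff systemd-resolved`), which is presumably the reason `resolve` would be permanently UNAVAIL there; that deserves a one-line comment in the `bk)` arm, e.g. `# bk runs without systemd-resolved, so glibc must go straight to dns via /etc/resolv.conf`. The same `s/^ *hosts:.*/...` sed now appears three times in this file with only the replacement differing; a small helper taking the hosts line and the target file would keep the three copies from drifting.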
--- /dev/null
+// this is the default for t10, plus my commented additions
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ listen-on-v6 { any; };
+
+// iank, allow queries from network namespace
+// even if the interface doesnt exist when bind starts.
+allow-recursion {
+ 10.173.8.0/24;
+ localhost;
+};
+allow-query-cache {
+ 10.173.8.0/24;
+ localhost;
+};
+
+// end options
+};
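Review bot: The new options file restricts `allow-recursion` and `allow-query-cache` to the VPN /24 and localhost, but leaves `allow-query` at BIND's default (which is `any`, unless another included file overrides it), while `listen-on-v6 { any; };` and the default v4 listener bind every interface, so named still accepts and answers or REFUSEs queries from any source address. For a resolver-only instance the cheap defence-in-depth is to add `allow-query { 10.173.8.0/24; localhost; };` beside the two existing ACLs, or better define `acl nn { 10.173.8.0/24; localhost; };` once above `options` and reference it three times. If only one or two peers actually query (the resolv.conf files in this change name only 10.173.8.1 and 127.0.0.1), consider narrowing the /24 to those hosts, but that depends on how the VPN addresses are assigned, which is not visible here.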
# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: on bk, dont send email if mailvpn is not up
+
# todo: disable postgrey
# todo: in testforward-check, we should also look
# * mail vpn config
-# todo: figure out a reverse dns lookup for 10.173.8.1 in the nn.
-# perhaps adding files in nsswitch should fix it?
i /etc/systemd/system/mailnn.service <<'EOF'
[Unit]
# use our own ip against dnsbl rate limits.
#
# If we ever notice this change, chattr +i on it
+# trust-ad is used in t10+, glibc 2.31
i /etc/nn-resolv/stub-resolv.conf <<'EOF'
nameserver 127.0.0.1
-options edns0
+options edns0 trust-ad
EOF
+i /etc/bk-resolv/stub-resolv.conf <<'EOF'
+nameserver 10.173.8.1
+options edns0 trust-ad
+EOF
# this is just a bug fix for trisquel.
f=/etc/apparmor.d/usr.sbin.unbound
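Review bot: `options edns0 trust-ad` in /etc/bk-resolv/stub-resolv.conf is paired with a non-loopback nameserver (`nameserver 10.173.8.1`), which makes glibc pass that server's AD bit straight through to applications, so anything keyed on it (exim's DANE/DNSSEC decisions, if enabled in this deployment) trusts whatever arrives over that network path; trust-ad is only unconditionally safe for a validating resolver on localhost, as in the nn-resolv file above. The nn unit drop-ins in this change require mailvpn.service, which suggests 10.173.8.1 is only reachable through the tunnel and the tunnel is the trust boundary, but nothing here pins that down. Record the assumption next to the option, e.g. `# trust-ad: 10.173.8.1 is only reachable via mailvpn; remove if any other route to it appears`, so a later routing change does not silently turn the AD bit into an attacker-controlled input.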
m ser reload apparmor
fi
-nn_progs=(exim4 unbound)
+nn_progs=(exim4)
if mailhost; then
# Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
# Its in the nn so remote clients can connect to it.
- nn_progs+=(spamassassin dovecot)
+ nn_progs+=(spamassassin dovecot unbound)
fi
case $HOSTNAME in
+ $MAIL_HOST)
+ r=/etc/nn-resolv:/run/systemd/resolve
+ ;;&
+ bk)
+ r=/etc/bk-resolv:/etc/nn-resolv
+ ;;&
$MAIL_HOST|bk)
for unit in ${nn_progs[@]}; do
- i /etc/systemd/system/$unit.service.d/nn.conf <<'EOF'
+ i /etc/systemd/system/$unit.service.d/nn.conf <<EOF
[Unit]
After=network.target
Requires=mailvpn.service
After=mailvpn.service
JoinsNamespaceOf=mailnn.service
-
-# needed to continually restart
StartLimitIntervalSec=0
[Service]
PrivateNetwork=true
-BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind
+# note the nsswitch bind is actually not needed for bk, but
+# its the same file so it does no harm.
+BindPaths=${r}:norbind /etc/nn-resolv:/etc/nsswitch:norbind
Restart=always
-# time to sleep before restarting a service
RestartSec=1
EOF
done
rm -fv /etc/systemd/system/spamddnsfix.{timer,service}
i /etc/default/spamassassin <<'EOF'
-# defaults
-OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
+# defaults plus debugging flags for an issue im having
+OPTIONS="--create-prefs --max-children 5 --helper-home-dir -D dkim,dns"
PIDFILE="/var/run/spamd.pid"
# my additions
NICE="--nicelevel 15"
;;&
-# ** $MAIL_HOST)
+ # ** $MAIL_HOST)
$MAIL_HOST)
# If we changed 90-sieve.conf and removed the active part of the
# sieve option, we wouldn\'t need this, but I\'d rather not modify a
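Review bot: The spamassassin `OPTIONS` line now ships `-D dkim,dns` into the persistent /etc/default/spamassassin on every run of this script, and the accompanying comment only says it is "for an issue im having", with no marker for removal; spamd debug output for those facilities puts every DNS/URIBL lookup derived from message content into syslog at a volume and detail level you would not normally keep on a mail host. If it has to stay for now, make it visibly temporary, e.g. `# TODO(iank): remove -D dkim,dns once the dkim/dns issue is resolved`, or gate it on a shell variable so the default written to disk stays clean. The enclosing `case $HOSTNAME` block continues past the end of this hunk.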
}
EOF
;;&
-# ** bk|je)
+ # ** bk|je)
bk|je)
chown -R mail.mail /m/md
# this should be at the end since it requires a valid dovecot config
m sievec /etc/dovecot/sieve-spam.sieve
;;&
-# ** bk)
+ # ** bk)
bk)
# roundcube uses this
mkdir -p /m/sieve
# ** bk
## we use this host to monitor MAIL_HOST and host a mail server for someone
bk)
+
echo amnimal.ninja > /etc/mailname
/a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]]
sre mailcert.timer
case $HOSTNAME in
+ bk)
+ soff systemd-resolved
+ ln -sf nn-resolv/stub-resolv.conf /etc/resolv.conf
+ ;;&
$MAIL_HOST|bk)
sstart mailnn
+ # If these have changes, id rather manually restart it, id rather
+ # not restart and cause temporary errors
+ if $reload; then
+ sre mailvpn
+ else
+ sstart mailvpn
+ fi
+ ;;&
+ $MAIL_HOST)
+ if $reload; then
+ sre unbound
+ else
+ sstart unbound
+ fi
+ ;;&
+ $MAIL_HOST|bk)
if ! systemctl is-active clamav-daemon >/dev/null; then
sstart clamav-daemon
# checking a log, clamav took 27 seconds to start.
# we get paniclog entries if its not available
m sleep 30
fi
-
- if $reload; then
- sre mailvpn unbound
- else
- # If these have changes, id rather manually restart it, id rather
- # not restart and lose connectivity
- sstart mailvpn unbound
- fi
;;&
$MAIL_HOST|bk|je)
# start spamassassin/dovecot before exim.
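Review bot: In the new `bk)` arm, `soff systemd-resolved` followed by `ln -sf nn-resolv/stub-resolv.conf /etc/resolv.conf` leaves bk's host-side resolution pointing at `nameserver 127.0.0.1`, but nothing in this hunk starts or checks the daemon that is supposed to listen there (the new named.conf.options suggests bind9, though which service serves 127.0.0.1 on bk is not visible here), so an ordering slip or a stopped resolver means no DNS for the host and its DNSBL lookups. A guard such as `systemctl is-active --quiet named || echo "bk: no local resolver on 127.0.0.1" >&2` before disabling resolved would make that failure loud. The relative link target is also deliberate and non-obvious: inside the mail nn, /etc/bk-resolv is bind-mounted over /etc/nn-resolv, so the same symlink resolves to the VPN nameserver there; a comment like `# relative target on purpose: inside the nn this resolves to /etc/bk-resolv via the BindPaths in nn.conf` would save the next reader a trip through the unit drop-ins. The `case $HOSTNAME` block this belongs to ends outside the hunk.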