# Copyright (C) 2019 Ian Kelling
# SPDX-License-Identifier: AGPL-3.0-or-later
+# todo: handle errors like this:
+# Mar 02 12:44:26 kw systemd[1]: exim4.service: Found left-over process 68210 (exim4) in control group while starting unit. Ignoring.
+# Mar 02 12:44:26 kw systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
+
# todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
# todo: consider hardening cups listening on 0.0.0.0
# todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
rm -fv /etc/systemd/system/exim4.service.d/nonroot.conf
;;
*)
- i /etc/systemd/system/exim4.service.d/nonroot.conf <<'EOF'
+ dirs=()
+ for d in /d /m /media /mnt /nocow /o /p /q; do
+ if [[ -d $d ]]; then
+ dirs+=($d)
+ fi
+ done
+ i /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
[Service]
# see 56.2 Root privilege in exim spec
AmbientCapabilities=CAP_NET_BIND_SERVICE
# note, in t10 systemd, if one of these is an sshfs mountpoint,
# this whole setting doesnt work. tried it with a newer systemd 250 though
# an nspawn, and it worked there.
-InaccessiblePaths=d m media mnt nocow o p q
+InaccessiblePaths=${dirs[@]}
NoNewPrivileges=yes
ProtectSystem=yes
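Review bot: Changing the here-doc introducer on L20 from `<<'EOF'` to `<<EOF` makes the entire unit body subject to shell expansion, and that body continues past L30 outside the hunk, so any literal `$`, backtick or backslash in the remaining lines of `nonroot.conf` now needs escaping or it will be silently rewritten. The loop on L15-L19 can be avoided entirely: systemd.exec(5) lets an `InaccessiblePaths=` entry be prefixed with `-` to be ignored when the path does not exist, so `InaccessiblePaths=-/d -/m -/media -/mnt -/nocow -/o -/p -/q` inside the original quoted here-doc gives the same effect and also covers directories that only appear after this script ran; I have not checked the minimum systemd version, so confirm it against the "t10" systemd mentioned on L24. If the loop is kept, `dirs+=("$d")` and a comment that an empty array yields `InaccessiblePaths=`, which resets the list rather than failing, would make the intent clear.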
echo|i /etc/exim4/conf.d/rcpt_local_acl
echo|i /etc/exim4/conf.d/router/880_universal_forward
- echo amnimal.ninja > /etc/mailname
-
/a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]]
10.173.8.2 nn.b8.nz
EOF
UPEX4OPTS='-d /etc/myexim4'
EOF
+ echo bk.b8.nz > /etc/mailname
cat >>/etc/exim4/update-exim4.conf.conf <<EOF
# man page: is used to build the local_domains list, together with "localhost"
-dc_other_hostnames='amnimal.ninja;expertpathologyreview.com'
+dc_other_hostnames='amnimal.ninja;expertpathologyreview.com;bk.b8.nz'
EOF
;;
if $bhost_t; then
install -d /bu
- install -d -g $u -o $u -m 771 /bu/md
+ install -d -g Debian-exim -o Debian-exim -m 771 /bu/md
+ if [[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) == 1000 ]]; then
+ chown -R Debian-exim:Debian-exim /bu/md
+ fi
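Review bot: The migration check on L51 compares the owner of `/bu/md/cur` against the literal uid `1000` instead of the user the removed line L49 used (`$u`), so the `chown -R` only runs if the old maildir owner happened to be uid 1000 and the intent is lost on a host where `$u` maps to something else. If `$u` is still in scope here, `[[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) == "$(id -u "$u")" ]]` expresses what the one-time re-own is meant to do; otherwise a comment such as `# one-time migration: maildir used to be owned by $u (uid 1000)` should record where the number comes from. Since the transport's `user = $u` line is also dropped (L60), delivery now runs as the exim daemon user, which is consistent with the new ownership, but the `-m 771` on L50 leaves `/bu/md` traversable by every other account on the host; confirm that is intended for a mail spool.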
i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
# modified debian maildir transport
backup_maildir:
directory_mode = 0700
mode = 0644
mode_fail_narrower = false
- user = $u
EOF
i /etc/exim4/conf.d/router/870_backup_local <<'EOF'
#0 * * * * root mailtest-check slow |& log-once -1 mailtest-slow
*/5 * * * * root timeout 290 mailtest-check slow |& log-once -12 mailtest-check
# if a bounce happened yesterday, dont let it slip through the cracks
-8 1 * * * root awk '$5 == "**"' /var/log/exim4/mainlog.1
+8 1 * * * root awk '\$5 == "**"' /var/log/exim4/mainlog.1
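Review bot: The `\$5` escape on L67 is only correct if the here-doc feeding this cron file is introduced with an unquoted `<<EOF`; its header is outside the hunk, and with a quoted `<<'EOF'` the backslash would be written literally and the awk expression would stop matching bounces. Worth a one-line comment next to the awk, e.g. `# \$ because this here-doc is unquoted; awk must see $5 at runtime`, so the next edit does not "fix" it in either direction.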
EOF
m sudo rsync -ahhi --chown=root:root --chmod=0755 \
/b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/