two=false
case $1 in
- -2) two=true shift ;;
+ -2) two=true; shift ;;
esac
for md; do
fi
fi
-
+# todo: check if we have no snapshots yet, because I always want to run
+# archive instead of run. Likely, I should give an error unless a cli
+# override is passed. perhaps check-subvol-stale could give the error.
+# see the error message "no snapshots found" in that file.
if ! $fast; then
# if our mountpoints are from stale snapshots,
# it doesn't make sense to do a backup.
mapfile -t snaps <$tmpf
else
# no snapshots yet
- # TODO: make this an error and override with a cli flag
+ # TODO: consider making this an error and override with a cli flag
echo "$0: warning: no snapshots found at $root_dir/btrbk/$subvol_dir.20*. this is expected for a brand new volume"
continue
fi
if $doupdate; then
tmpdir=$(mktemp -d)
cd $tmpdir
+ # otherwise we get a warning message:
+ # W: Download is performed unsandboxed as root as file '/tmp/tmp.UwxbPFG3CZ/debian-archive-keyring_2021.1.1+deb11u1_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
+ chmod 775 .
p download debian-archive-keyring
- s dpkg -i debian-archive-keyring
+ s dpkg -i ./debian-archive-keyring*
p update
cd -
rm -rf $tmpdir
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+interactive=false
case $1 in
# For first run, accept host key. Note, known_hosts is saved in /p.
-1)
opt=(-e 'ssh -oStrictHostKeyChecking=no')
+ shift
+ ;;
+ -i)
+ interactive=true
+ shift
;;
esac
source $f
fi
+try() {
+ local ret=0
+ "$@" || ret=$?
+ if $interactive && (( ret >=1 )); then
+ echo "$0: ERROR: exit $ret on: $*"
+ fi
+}
+
+# note: when certificate is expired, you will get this in /var/log/mail.log when k-9 mail tries to fetch:
+# imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=redacted, lip=10.8.0.4, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=<EsdzzmAWosNKXpza
+
case $HOSTNAME in
$MAIL_HOST|bk)
# ||: is to allow for temporary connection issues.
- rsync "${opt[@]}" -ogtL --chown=root:Debian-exim --chmod=640 \
- root@li.iankelling.org:/etc/letsencrypt/live/mail.iankelling.org/{fullchain.pem,privkey.pem} /etc/exim4 ||:
+ try rsync "${opt[@]}" -ogtL --chown=root:Debian-exim --chmod=640 \
+ root@li.iankelling.org:/etc/letsencrypt/live/mail.iankelling.org/{fullchain.pem,privkey.pem} /etc/exim4
if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
echo "$0: error!: cert rsync failed and it will expire in less than 3 days"
exit 1
# Having backups of indexes is a waste of space. This also means we
# don't send them around with btrbk, I think it is probably
# preferable use a bit more cpu to recalculate indexes.
- install -d -o iank -g iank /var/dovecot-indexes
+ install -d -m 700 -o iank -g iank /var/dovecot-indexes
cat >>/etc/dovecot/local.conf <<EOF
!include conf.d/auth-passwdfile.conf.ext
# ian: %u is used for alerts user vs iank
+# https://doc.dovecot.org/configuration_manual/mail_location/Maildir/
mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX:INDEX=/var/dovecot-indexes/%u
-mail_uid = $u
-mail_gid = $u
+mail_uid = iank
+mail_gid = iank
protocol lmtp {
# For a normal setup with exim, we need something like this, which
esac
# optimization, this only needs to run once.
-if [[ ! -e /etc/exim4/fullchain.pem ]]; then
- m /a/bin/ds/mail-cert-cron -1
+if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
+ m /a/bin/ds/mail-cert-cron -1 -i
m systemctl --now enable mailcert.timer
fi
iankelling.org / git / distro-setup / commitdiff