# but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it.
HISTIGNORE='pass *:[ ]*:otp *:oathtool *'
+case $EUID in
+ 0)
+ if [[ ! -e /run/no_root_ssh_agent ]]; then
+ export SSH_AGENT_LAUNCHER=openssh SSH_AUTH_SOCK=/run/openssh_agent
+ fi
+ ;;
+esac
+
#### begin section that works with sl() function to return from
# noninteractive ssh shells, or tty. tty because often i
# use it when something is going and io is slow and my bashrc
--- /dev/null
+#ian: seemingly sensible defaults from running reportbug
+
+# reportbug preferences file
+# character encoding: UTF-8
+# Version of reportbug this preferences file was written by
+reportbug_version "7.6.0ubuntu1"
+# default operating mode: one of: novice, standard, advanced, expert
+mode standard
+# default user interface
+ui text
+# offline setting - comment out to be online
+#offline
+# name and email setting (if non-default)
+realname "Ian Kelling"
+email "iank@fsf.org"
+# If nothing else works, remove the # at the beginning
+# of the following three lines:
+#no-cc
+#list-cc-me
+#smtphost reportbug.debian.org
+# You can add other settings after this line. See
+# /etc/reportbug.conf for a full listing of options.
+bts debian
# files wont be deleted on rsync, you can add --delete-excluded
# to the rsync command if that is desired.
+# SL_SSH_ARGS: Env var. Default arguments passed to ssh.
+
# For when ~/.bashrc is already customized on the remote server, you
# might find it problematic that ~/.bashrc is sourced for ALL ssh
# commands, even in scripts. This paragraph is all about that. bash
sync_dirname testcmd extra_info testbool files_sec sl_test_cmd sl_test_hook
declare -a args tmpa
+ args=($SL_SSH_ARGS)
# ssh [-1246Antivivisectionist] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
# [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L address]
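Review bot: `args=($SL_SSH_ARGS)` splits the variable on whitespace as intended, but an unquoted expansion also performs pathname expansion, so any argument containing `*` or `?` would be replaced by matching filenames from the current directory; `read -ra args <<<"$SL_SSH_ARGS"` splits without globbing (ShellCheck SC2206). The `local` list two lines up shows this sits inside a function whose start and end are outside the hunk.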
export WCDHOME=/a
+case $EUID in
+ 0)
+ SL_SSH_ARGS="-F $HOME/.ssh/confighome"
+ ;;
+esac
+
# * include files
# * functions
+hstest() {
+ install-my-scripts
+ d=$(mktemp -d)
+ sed '/^ *IdentityFile/d' ~/.ssh/config >$d/config
+ s command ssh -F $d/config -i /q/root/h "$@"
+}
+
+hrtest() {
+ install-my-scripts
+ d=$(mktemp -d)
+ sed '/^ *IdentityFile/d' ~/.ssh/config >$d/config
+ s rsync -e "ssh -F $d/config -i /q/root/h" "$@"
+}
+
+
slemacs() {
local arg rtime v
arg="$1"
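Review bot: In `hstest` and `hrtest`, `d=$(mktemp -d)` assigns a global variable from an interactive-shell function and the directory, which holds a copy of `~/.ssh/config`, is never removed, so every call leaves a new /tmp directory behind and clobbers any `d` the shell already had; `local d; d=$(mktemp -d) || return` followed by `rm -r -- "$d"` after the `s` command (or `trap 'rm -r -- "$d"' RETURN`) fixes both. The generated path should also be quoted as `"$d/config"` in the `sed` redirection and on the `ssh -F` line. The two functions differ only in the final command, so a small helper that writes the stripped config would avoid the duplicated `sed`.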
fi
}
+checkre() {
+ s checkrestart -b /a/bin/ds/checkrestart-blacklist -pv
+}
+
cp-blocked-domains-to-brains() {
cp /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn
}
fi
journalctl -qn2 -f -u "$cmd_name" &
# Guess of time needed to avoid missing initial lines.
- # .5 was not reliable. 1 was not reliable
- sleep 2
+ # .5 was not reliable. 1 was not reliable. 2 was not reliable
+ sleep 3
# We kill this in prompt-command for the case that we ctrl-c the
# systemd-cat. i dont know any way to trap ctrl-c and still run the
# normal action for it. There might be a way, unsure.
c /
# run latest
install-my-scripts
- jrun switch-mail-host "$@"
+ s jrun switch-mail-host "$@"
return $ret
}
# sieve with output filter. arg is mailbox, like INBOX.
# This depends on dovecot conf, notably mail_location in /etc/dovecot/conf.d/10-mail.conf
-_dosieve() {
- sieve-filter "$@" 2> >(head; tail) >/tmp/testsieve.log && sed -rn '/^Performed actions:/,/^[^ ]/{/^ /p}' /tmp/testsieve.log | sort | uniq -c
-}
-
# always run this first, edit the test files, then run the following
testsieve() {
- _dosieve ~/sieve/maintest.sieve ${1:-INBOX} delete
+ sieve-filter ~/sieve/maintest.sieve ${1:-INBOX} delete 2> >(head; tail) >/tmp/testsieve.log && sed -rn '/^Performed actions:/,/^[^ ]/{/^ /p}' /tmp/testsieve.log | sort | uniq -c
+ _dosieve
}
runsieve() {
c ~/sieve; cp personal{test,}.sieve; cp lists{test,}.sieve; cp personalend{test,}.sieve
- _dosieve ~/sieve/main.sieve -eWv ${1:-INBOX} delete
+ sieve-filter -eWv ~/sieve/maintest.sieve ${1:-INBOX} delete &> /tmp/testsieve.log
+ sed -r '/^info: filtering:/{h;d};/^info: msgid=$/N;/^info: msgid=.*left message in mailbox [^ ]+$/d;/^info: msgid=/{H;g};/^info: message kept in source mailbox.$/d' /tmp/testsieve.log
}
# mail related
# I have both because I was trying to solve an issue that
# turned out to be unrelated.
# ARDUINO_PATH=/a/opt/Arduino/build/linux/work
-export ARDUINO_PATH=/a/opt/arduino-1.8.9
+export ARDUINO_PATH=/a/opt/arduino-1.8.15
+export KALEIDOSCOPE_DIR=/a/opt/Kaleidoscope
# They want to be added to the start, but i think
# that should be avoided unless we really need it.
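Review bot: `testsieve` still calls `_dosieve` on the line after the inlined `sieve-filter` pipeline, but this hunk deletes the `_dosieve` function, so the call now fails with "command not found"; drop that line. In `runsieve`, the replacement runs `~/sieve/maintest.sieve` where the removed line ran `~/sieve/main.sieve`, which looks like a copy from `testsieve` — the `cp personal{test,}.sieve` line just above installs the production files, so `main.sieve` appears to be the intended target. Both functions pass `${1:-INBOX}` unquoted; `"${1:-INBOX}"` keeps a mailbox name containing spaces as one argument.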
pi asciidoctor
fi
cd /a/opt/btrbk
- m make
- m sudo make install
+ m make install
fi
# TODO: i wonder if there should be an option to send to the default
echo "source: $source"
fi
-
if [[ ${mountpoints[0]} ]]; then
for mp in ${mountpoints[@]}; do
if [[ -e /nocow/btrfs-stale/$mp ]]; then
cat >/etc/btrbk.conf <<EOF
-ssh_identity /root/.ssh/home
+ssh_identity /q/root/h
+#ssh_identity /root/.ssh/home
+
# Just a guess that local7 is a good facility to pick.
# It's a bit odd that the transaction log has to be logged to
# a file or syslog, while other output is sent to std out.
--- /dev/null
+^/var/lib/nfs/etab \(deleted\)$
err-catch
$interactive || set -x
-
-#### setup passwordless sudo
-
-
-tu /etc/sudoers <<EOF
-$USER ALL=(ALL) NOPASSWD: ALL
-Defaults env_keep += SUDOD
-# always_set_home
-# makes ubuntu be like debian
-# https://unix.stackexchange.com/a/91572
-Defaults always_set_home
-# umask: default setting is to have minimum umask of 0022
-# This lets us have user-specific umasks which are more permissive.
-# I did this for transmission and set it's umask gecos on install,
-# see there for more info.
-Defaults !umask
-# i use sudo in cronjobs, it spams the logs rather uselessly
-# https://stackoverflow.com/questions/14277116/suppress-log-entry-for-single-sudo-commands
-Defaults:root,iank !log_allowed, !pam_session
-EOF
-
+# remove old lines, todo: remove this when all systems are updated. 2021-09-03
+tu /etc/sudoers
##### use systemd-resolved for glibc resolutions
sgo systemstatus.timer
-# aren't autoupdating this, but I do check on it somewhat regularly.
-m cd /a/opt/btrbk
-sudo make install
-
if grep -xFq $HOSTNAME /a/bin/ds/machine_specific/btrbk.hosts; then
sgo btrbk.timer
fi
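Review bot: `tu /etc/sudoers` is now called with no here-document; if `tu` takes the replacement text on stdin, as the removed call's `<<EOF` suggests, it now consumes whatever stdin the script inherits, so `tu /etc/sudoers </dev/null` (or a comment stating that an empty input means "remove the managed block") would make the intent explicit. Any rewrite of /etc/sudoers should be followed by `visudo -cf /etc/sudoers`, since a malformed file disables sudo for every user on the host. The TODO comment gives 2021-09-03 as the date; stating the condition for removal (all hosts re-run past this commit) next to it would make the cleanup easier to track.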
# so report if we did
4 9 * * 5 root /a/bin/ds/check-stale-alerts
4 15 * * 5 iank /a/bin/ds/mailclean
-14 * * * * iank /a/bin/ds/bk-backup |& log-once -24 bk-backup
+14 * * * * root /a/bin/ds/bk-backup |& log-once -24 bk-backup
--- /dev/null
+export SSH_AGENT_LAUNCHER=openssh
+export SSH_AUTH_SOCK=/run/openssh_agent
--- /dev/null
+[Unit]
+Description=OpenSSH Agent for root
+Documentation=man:ssh-agent(1)
+
+[Service]
+# using -d for debug info as i try this out
+#ExecStart=/usr/bin/ssh-agent -D -a /run/openssh_agent
+ExecStart=/usr/bin/ssh-agent -d -a /run/openssh_agent
+
+[Install]
+WantedBy=multi-user.target
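Review bot: `ExecStart=/usr/bin/ssh-agent -d -a /run/openssh_agent` runs the agent in debug mode, so it emits debug output to the journal for the requests it handles for as long as the unit is active; the commented-out `-D` line is the non-debug foreground form and should become the default once the trial mentioned in the comment above is over. ssh-agent does not remove a pre-existing socket at the `-a` path, so after a crash or `systemctl restart` the stale `/run/openssh_agent` is likely to make the next start fail to bind; `ExecStartPre=-/bin/rm -f /run/openssh_agent` (or a `RuntimeDirectory=` with the socket placed inside it) avoids that. There is also no `Restart=` directive, so an agent that exits stays down until the next boot while the `SSH_AUTH_SOCK` exported by the other new files still points at the dead socket.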
+++ /dev/null
-#!/bin/bash
-# Copyright (C) 2019 Ian Kelling
-# SPDX-License-Identifier: AGPL-3.0-or-later
-if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-hn=$(hostname -f)
-source /a/bin/bash_unpublished/source-state
-if [[ $HOSTNAME != "$MAIL_HOST" && $hn != li.b8.nz && ! $DISPLAY ]]; then
- exit 0
-fi
-
-# note this is duplicated in /a/bin/ds/filesystem/usr/local/bin/myupgrade
-ignore_lines=(
- "Found 0 processes using old versions of upgraded files"
- "lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1000/gvfs"
- "Output information may be incomplete."
- "Found 0 processes using old versions of upgraded files"
-)
-out=
-while read -r line; do
- ignore=false
- for l in "${ignore_lines[@]}"; do
- if [[ $line == "$l" ]]; then
- ignore=true
- break
- fi
- done
- if $ignore; then continue; fi
- out+="$line"$'\n'
-done < <(sudo /usr/sbin/checkrestart -p 2>&1)
-if (( ${#out} )); then
- printf "%s" "$out" | pee cat wall
-fi
}
-if checkrestart -p -t &>/dev/null; then
+if checkrestart -b /a/bin/ds/checkrestart-blacklist -p -t &>/dev/null; then
exit 0
fi
if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
# no automatic reboot for this host, just make an alert
- checkrestart -p 2>/dev/null ||:
+ checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||:
exit 0
else
- l checkrestart -p 2>/dev/null ||:
+ l checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||:
fi
for x in {30..1}; do
- echo "pid $PID. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n
+ echo "pid $$. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n
sleep 10
done
for x in {30..1}; do
if ! fuser /var/lib/dpkg/lock &> /dev/null; then
- echo "pid $PID. unattended upgrade, rebooting now" | pee cat "wall -n"
+ echo "pid $$. unattended upgrade, rebooting now" | pee cat "wall -n"
/a/bin/ds/keyscript-on
/sbin/reboot
exit 0
fi
- echo "pid $PID. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n
+ echo "pid $$. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n
sleep 10
done
-echo "pid $PID. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n"
+echo "pid $$. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n"
--- /dev/null
+#!/bin/bash
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+# restricted ssh does not allow arguments, but they exist in $SSH_ORIGINAL_COMMAND
+# debug
+dfile=/tmp/hssh-debug-$(id -u)
+date >>$dfile
+echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND >>$dfile
+
+
+mapfile -t cmds <<'EOF'
+# btrbk-run
+date +%z
+cat /a/bin/bash_unpublished/source-state
+cat /etc/hostname
+ps --no-headers -o comm 1
+systemctl is-active btrbk.service
+mkdir -p /mnt/root/btrbk && date +%z && df --output=size,pcent / | tail -n1
+DISPLAY=:0 xprintidle
+# mount-latest-remote
+timeout -s 9 600 /usr/local/bin/mount-latest-subvol
+rsync --server -OtpRe.LsfxC . /usr/local
+EOF
+
+allow=false
+for c in "${cmds[@]}"; do
+ # echo "c $c" # debug
+ if [[ $c == \#* ]]; then continue; fi
+ if [[ $SSH_ORIGINAL_COMMAND == "$c" ]]; then
+ allow=true
+ break
+ fi
+done
+if $allow; then
+ eval $SSH_ORIGINAL_COMMAND
+else
+ /a/opt/btrbk/ssh_filter_btrbk.sh --target --delete --source --info
+fi
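Review bot: The debug log `dfile=/tmp/hssh-debug-$(id -u)` is a predictable path in a world-writable directory, opened with `>>` before any authorization decision, and the unquoted `echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND` both glob-expands and word-splits the caller-supplied string; write it as `printf 'SSH_ORIGINAL_COMMAND: %s\n' "$SSH_ORIGINAL_COMMAND" >>"$dfile"` with `dfile` in a root-owned location (placeholder `<root-owned-log-path>`), or remove the file once debugging is done, since a pre-existing file there could also make the script abort under `set -e`. The allow-listed `rsync --server -OtpRe.LsfxC . /usr/local` lets the holder of the h key replace any file under /usr/local, including the scripts that other entries in the list run as root, so the list does not actually bound what the key can do; a comment stating that this is accepted, or restricting the rsync target to a sub-path, would make the trust boundary explicit. Exact string matching also means a different rsync version or option order on the client yields a different `--server` line and falls through to the btrbk filter, so a comment naming the client command each entry corresponds to would help whoever debugs that.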
/a/bin/log-quiet/setup
rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-subvol \
check-subvol-stale system-status myi3status mailtest-check \
- /a/bin/log-quiet/sysd-mail-once \
+ /a/bin/log-quiet/sysd-mail-once hssh \
btrfsmaint \
dynamic-ip-update \
/usr/local/bin
sed="sed --follow-symlinks"
+# for running under corn, we need this, else, if we call
+# /sbin/update-initramfs , it will fail with:
+# /sbin/update-initramfs: 157: mkinitramfs: not found
+PATH="/sbin:$PATH"
+
if [[ ! -e /tmp/keyscript-off ]]; then
if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then
if ! grep -q '^\s*FILES=' /etc/mkinitcpio.conf; then
SHELL=/bin/bash
PATH=/usr/bin:/bin:/usr/local/bin:/a/exe:/a/bin/fai
MAILTO=root
-0 7 * * 1,2,3,4,5 iank failmail wrt-setup -y
-45 7 * * 1,2,3,4,5 iank failmail wrt-setup -z
-0 7 * * 0,6 iank failmail wrt-setup -y
-0 11 * * 0,6 iank failmail wrt-setup -z
+0 7 * * 1,2,3,4,5 root failmail wrt-setup -y
+45 7 * * 1,2,3,4,5 root failmail wrt-setup -z
+0 7 * * 0,6 root failmail wrt-setup -y
+0 11 * * 0,6 root failmail wrt-setup -z
if [[ $tg == *:* ]]; then
rsynctg="[$tg]"
fi
- rsync -RtO bin/{mount-latest-subvol,check-subvol-stale} lib/err "root@$rsynctg:/usr/local"
- ssh root@$tg bash <<'EOF'
-set -e
-chmod +x /usr/local/bin/{mount-latest-subvol,check-subvol-stale}
-# this can hang if we have an old nfs mount
-timeout -s 9 600 /usr/local/bin/mount-latest-subvol
-EOF
+ # R = relative, t = times, O = omit-dir-times, p = perms
+ rsync -RtOp bin/{mount-latest-subvol,check-subvol-stale} lib/err "root@$rsynctg:/usr/local"
+ # this can hang if we have an old nfs mount
+ ssh root@$tg timeout -s 9 600 /usr/local/bin/mount-latest-subvol
done
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
-dest=/root/.ssh
-
# leftover
-if [[ -L $dest ]]; then
- rm $dest
+if [[ -L /root/.ssh ]]; then
+ rm /root/.ssh
fi
-mkdir -p $dest
-chmod 700 $dest
+mkdir -p /root/.ssh
+chmod 700 /root/.ssh
user=$(id -un 1000)
find $user_ssh_dir -xtype l -exec rm '{}' \;
# -t times, so it won't rewrite the file every time,
# -L resolve links
-rsync -rtL --delete $user_ssh_dir/ $dest
+rsync --exclude=/h --exclude=/h.pub --exclude /config --exclude /confighome -rtL --delete $user_ssh_dir/ /root/.ssh
+rsync -tL $user_ssh_dir/config /root/.ssh/confighome
+cp -a /q/root/h{,.pub} /root/.ssh
+# The h key is like the home key, but only a whitelist of commands allowed, and
+# not encrypted, so cron and whatnot can use it.
+# For any interactive ssh command we want to run as root that is not in that
+# whitelist, we need to ssh -F $HOME/.ssh/confighome
+sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,;s,^AddKeysToAgent confirm,AddKeysToAgent yes,' /root/.ssh/confighome >/root/.ssh/config
chown -R root:root /root/.ssh
+# notably: installs hssh
+/a/exe/install-my-scripts
+
+systemctl enable --now ssh-agent-root
d=/etc/initramfs-tools
if [[ -e $d ]] && ! diff -q /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys &>/dev/null; then
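Review bot: The `sed` that derives `/root/.ssh/config` from `confighome` only matches `IdentityFile ~/.ssh/home` and `AddKeysToAgent confirm` at column 0, so if the user's config indents those directives (ssh permits leading whitespace, and the `hstest` function added elsewhere in this commit already matches `^ *IdentityFile`) the rewrite silently does nothing and root keeps pointing at the encrypted home key; `s,^ *IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,` and `s,^ *AddKeysToAgent confirm,AddKeysToAgent yes,` keep the two in step. `cp -a /q/root/h{,.pub} /root/.ssh` preserves whatever mode the source files carry, and ssh refuses a group- or world-readable private key, so a `chmod 600 /root/.ssh/h` next to the existing `chown -R` makes the result independent of the source permissions. `$user_ssh_dir` is expanded unquoted on the `find` line and both `rsync` lines. The enclosing script continues beyond this hunk.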
source /usr/local/lib/err
-if [[ $EUID == 0 && ! $SUDO_USER ]]; then
- err "requires running as nonroot or sudo"
- exit 1
-fi
-
usage() {
cat <<EOF
Usage: ${0##*/} [OPTIONS] push|pull HOST
e() { printf "$pre %s\n" "$*"; }
err() { echo "$pre ERROR: $*" >&2; }
+if [[ $EUID != 0 ]]; then
+ err "requires running as root"
+ exit 1
+fi
+
+
##### begin command line parsing ########
force=false
old_hostname=$HOSTNAME
new_host=$2
bbk_args="-t $new_host"
- new_shell="ssh root@$new_host"
+ new_shell="ssh -F $HOME/.ssh/confighome root@$new_host"
new_hostname=$($new_shell hostname)
;;
pull)
new_host=$HOSTNAME
new_hostname=$HOSTNAME
bbk_args="-s $old_host"
- old_shell="ssh root@$old_host"
+ old_shell="ssh -F $HOME/.ssh/confighome root@$old_host"
# tests ssh connection
if ! old_hostname=$($old_shell hostname); then
echo "retrying failed $old_shell with -v"
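Review bot: `new_shell="ssh -F $HOME/.ssh/confighome root@$new_host"` and the matching `old_shell` line assume `$HOME` is root's home, but the new guard only checks `EUID != 0`; when the script is started with HOME preserved (for example `sudo -E`, which this commit uses to re-exec the ssh setup script) `$HOME` is still the invoking user's directory, where `confighome` does not exist, and the later `$new_shell hostname` call fails. Using the literal `/root/.ssh/confighome`, as the ssh setup script in this commit does, removes the dependency. These strings are word-split when invoked, so a path containing spaces would also break them; that pattern predates this change, but an array would be the robust form. The command-line parsing block extends beyond this hunk.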
fi
# early in install process, we dont have permission yet for exiqgrep
- qlen=$(/usr/sbin/exiqgrep -o 60 -c -b | awk '{print $1}') ||:
+ qlen=$(/usr/sbin/exiqgrep -o 600 -c -b | awk '{print $1}') ||:
if ((qlen)); then
qmsg="queue length $qlen"
chars+=("q $qlen")
# No point in emailing about the mailq on a host where we don't
# check email.
$MAIL_HOST|bk)
- lo -1 qlen $qmsg
+ lo -10 qlen $qmsg
;;
esac