# Test if we are in noninteractive ssh shells or tty. tty because often
# i use it when for example, io on the remote host is really slow and my
-# bashrc is too slow.
-if [[ $LC_USEBASHRC != t && ( $SSH_CONNECTION || $TERM == linux ) ]]; then
+# bashrc is too slow. 3 SECONDS because if the shell is around longer
+# than that, I'm probably sourcing the file manually, not as part of
+# shell startup.
+if [[ ( $SECONDS && $SECONDS -lt 3 ) && $LC_USEBASHRC != t && ( $SSH_CONNECTION || $TERM == linux ) ]]; then
# Here we did not opt-in to running our .bashrc file so we just
# return, but we still setup a function to source it without returning
# so if we want it we don't have to restart our ssh connection.
first_play=false
for (( i=0; i<20; i++ )); do
if [[ $(mpvrpco '{ "command": ["get_property", "idle-active"] }' 2>/dev/null | jq .data) == true ]]; then
- mpvrpc-loadfile "$path" 2>/dev/null
+ mpvrpc-loadfile "$path"
break
fi
sleep .1
ns=$1
unit=$2
shift 2
- pid=$(servicepid $unit)
+ pid=$(servicepid -n $unit)
env-tmpf "$@"
if $alt_user; then
final_args=("$@")
shift 2
## end command line args ##
- pid=$(servicepid $unit)
+ pid=$(servicepid -n $unit)
env-tmpf "$@"
if $alt_user; then
final_args=("$@")
fi
}
-# get pid of systemd service
+# Check that ns of pid $1 really exists, like joins-namespace-of-check
+ns-exists() {
+ local service_ns default_ns pid
+ pid="$1"
+ [[ $pid ]]
+ service_ns=$(s readlink /proc/$pid/ns/net)
+ default_ns=$(s readlink /proc/1/ns/net)
+ [[ $service_ns && $service_ns != "$default_ns" ]]
+}
+
+# Get pid of systemd service
+#
+# -n also call ns-exists on pid.
servicepid() {
- local pid unit dir
+ local pid unit dir ns_check=false
+ if [[ $1 == -n ]]; then
+ ns_check=true
+ shift
+ fi
unit="$1"
pid=$(systemctl show --property MainPID --value "$unit")
case $pid in
;;
esac
if [[ $pid ]]; then
+ ns-exists "$pid"
printf "%s\n" "$pid"
else
return 1
return 1
fi
unit=$1
- pid=$(servicepid $unit)
+ pid=$(servicepid -n $unit)
m sudo nsenter -t $pid -n -m sudo -u $USER -i bash
}
return 1
fi
unit=$1
- pid=$(servicepid $unit)
+ pid=$(servicepid -n $unit)
m sudo nsenter -t $pid -n -m bash
}
unit=$1
shift
- pid=$(servicepid $unit)
+ pid=$(servicepid -n $unit)
env-tmpf "$@"
if $alt_user; then
final_args=("$@")
fi
unit=$1
shift
- pid=$(servicepid $unit)
+ pid=$(servicepid -n $unit)
m sudm nsenter -t $pid -n -m "$@"
}
fi
unit=$1
shift
- pid=$(servicepid $unit)
+ pid=$(servicepid -n $unit)
env-tmpf "$@"
m sudo nsenter -t $pid -n sudo -u $USER -i bash -c ". $tmpf"
}
# mailvpn would belong on the list if using openvpn
for unit in mailnn unbound dovecot $spamd_ser exim4 radicale; do
- pid=$(servicepid $unit)
+ if ! pid=$(servicepid $unit); then
+ if [[ $unit == mailnn ]]; then
+ echo error: could not find service pid of unit: $unit returning early
+ return 1
+ else
+ echo error: could not find service pid of unit: $unit, continuing with other units
+ continue
+ fi
+ fi
echo debug: unit=$unit pid=$pid
if [[ ! $pid ]]; then
- echo failed to find pid for unit=$unit
+ echo error: failed to find pid for unit=$unit
continue
fi
if ! ns=$(s readlink /proc/$pid/ns/net); then
- echo failed to find ns for unit=$unit pid=$pid
+ echo error: failed to find ns for unit=$unit pid=$pid
continue
fi
- if [[ $mailnn ]]; then
- if [[ $ns != "$mailnn" ]]; then
- echo "$unit ns $ns != $mailnn"
- fi
- else
+ if [[ $unit == mailnn ]]; then
mailnn=$ns
+ default_ns=$(s readlink /proc/1/ns/net)
+ fi
+ if [[ $ns == "$default_ns" ]]; then
+ echo error: $unit ns == default_ns, $ns == $default_ns
+ fi
+ if [[ $ns != "$mailnn" ]]; then
+ echo "error: $unit ns $ns != $mailnn"
fi
done
-
}
m rsync -clgoDiSAX --chmod=g+r --chown=root:icecast /p/c/user-specific/icecast2/icecast.xml /etc/icecast2
fi
+ # note: if we wanted to be robust, in the case that cupsd is
+ # running, we would do a dry run, see if anything would change, then
+ # stop cupsd, rsync, and start it again.
+ if [[ -e /p/c/user-specific/cups && -d /etc/cups/ppd ]] && getent group lp &>/dev/null && ! systemctl is-active --quiet cupsd; then
+ # note, group lp shouldn't matter since it has no permissions, but I'm just replicating the default.
+ m rsync -clgoDiSAX --chown=root:lp /p/c/user-specific/cups/printers.conf /etc/cups
+ m rsync -clgoDiSAX --chmod=g+r --chown=root:lp /p/c/user-specific/cups/ppd/* /etc/cups/ppd
+ fi
+
+
# disabled
# if [[ -d /var/lib/bitcoind && -d /p/c/user-specific/bitcoin ]]; then
# s rsync -clpgoDiSAX --chown=bitcoin:bitcoin /p/c/user-specific/bitcoin/settings.json /var/lib/bitcoind
m cp /p/.linphonerc-initial ~/.linphonerc
fi
-# linphone in t10 wont do dns with systemd-resolved or something
+# linphone in t10 & t11 wont do dns with systemd-resolved or something
s teeu /etc/hosts <<'EOF'
-74.94.156.215 watson.fsf.org
+209.51.188.90 watson.fsf.org
+2001:470:142::90 watson.fsf.org
EOF
# https://github.com/transmission/transmission/issues/6991
#Type=notify
Type=simple
+ExecStartPre=/usr/local/bin/joins-namespace-of-check openvpn-client-tr@client
ExecStart=/usr/bin/transmission-daemon -f --log-error
ExecReload=/bin/kill -s HUP $MAINPID
PrivateNetwork=true
--- /dev/null
+## This file sets up a few things for selected Kaleidoscope-powered keyboards:
+## - We first symlink the device to a more friendly name, based on the product
+## name.
+## - We then ask ModemManager to ignore the serial ports on the device, and not
+## consider them a candidate.
+## - We also tell systemd to grant access to the device (via ACLs) to the user
+## at-seat.
+##
+## For more information about the access part, see the following resources:
+## - https://github.com/systemd/systemd/issues/4288
+## - https://www.freedesktop.org/software/systemd/man/sd-login.html
+
+## iank: substituted := for =, based on
+## Jun 09 12:27:48 so systemd-udevd[1385]: /etc/udev/rules.d/99-kaleidoscope.rules:18 ENV key ta
+## kes '==', '!=', '=', or '+=' operator, assuming '='.
+
+## iank, starting in t12, this has to be a number less than 70 due to /usr/lib/udev/rules.d/70-uaccess.rules
+## pretty lame.
+
+SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="2300", SYMLINK+="model01", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
+SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="2301", SYMLINK+="model01", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
+SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="2302", SYMLINK+="Atreus2", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
+SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="2303", SYMLINK+="Atreus2", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
+SUBSYSTEM=="usb", ATTR{idVendor}=="3496", ATTR{idProduct}=="0005", SYMLINK+="model100", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
+SUBSYSTEM=="usb", ATTR{idVendor}=="3496", ATTR{idProduct}=="0006", SYMLINK+="model100", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
+++ /dev/null
-## This file sets up a few things for selected Kaleidoscope-powered keyboards:
-## - We first symlink the device to a more friendly name, based on the product
-## name.
-## - We then ask ModemManager to ignore the serial ports on the device, and not
-## consider them a candidate.
-## - We also tell systemd to grant access to the device (via ACLs) to the user
-## at-seat.
-##
-## For more information about the access part, see the following resources:
-## - https://github.com/systemd/systemd/issues/4288
-## - https://www.freedesktop.org/software/systemd/man/sd-login.html
-
-## iank: substituted := for =, based on
-## Jun 09 12:27:48 so systemd-udevd[1385]: /etc/udev/rules.d/99-kaleidoscope.rules:18 ENV key ta
-## kes '==', '!=', '=', or '+=' operator, assuming '='.
-
-SUBSYSTEMS=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="2300", SYMLINK+="model01", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
-SUBSYSTEMS=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="2301", SYMLINK+="model01", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
-SUBSYSTEMS=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="2302", SYMLINK+="Atreus2", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
-SUBSYSTEMS=="usb", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="2303", SYMLINK+="Atreus2", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
-SUBSYSTEMS=="usb", ATTRS{idVendor}=="3496", ATTRS{idProduct}=="0005", SYMLINK+="model100", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
-SUBSYSTEMS=="usb", ATTRS{idVendor}=="3496", ATTRS{idProduct}=="0006", SYMLINK+="model100", ENV{ID_MM_DEVICE_IGNORE}="1", ENV{ID_MM_CANDIDATE}="0", TAG+="uaccess", TAG+="seat"
--- /dev/null
+#!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to change
+# to a recommended GPL license.
+
+# Copyright 2024 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# This script is for use like:
+# ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
+# to do a check that the unit is being started in the intended network namespace.
+#
+#
+# This exists due to the note in man systemd.exec:
+#
+# PrivateNetwork= ... Note that the implementation of this setting might
+# be impossible (for example if network namespaces are not available),
+# and the unit should be written in a way that does not solely rely on
+# this setting for security.
+#
+# And based on experience that I've encountered unexpected conditions
+# which caused the JoinsNamespaceOf setting to fail.
+
+[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+
+unit="$1"
+pid=$(head -n1 /sys/fs/cgroup/system.slice/$unit.service/cgroup.procs)
+ns=$(readlink /proc/$pid/ns/net)
+default_ns=$(readlink /proc/1/ns/net)
+
+if [[ ! $ns || ! $default_ns || $ns == "$default_ns" ]]; then
+ echo "error: unexpected: ns=$ns default_ns=$default_ns" >&2
+ exit 1
+fi
+
+our_ns=$(readlink /proc/$$/ns/net)
+if [[ $our_ns != "$ns" ]]; then
+ echo "error: our_ns:$our_ns != ns:$ns"
+ exit 1
+fi
StartLimitIntervalSec=0
[Service]
+ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
PrivateNetwork=true
# i dont think we need any of these, but it doesnt hurt to stay consistent
BindPaths=$bindpaths
RuntimeDirectory=openvpn-client
RuntimeDirectoryMode=0710
WorkingDirectory=/etc/openvpn/client
+ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/mail.conf
#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
LimitNPROC=10
Type=simple
RemainAfterExit=true
PrivateNetwork=true
+ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
Restart=always
u /etc/systemd/system/mailnn.service <<'EOF'
[Unit]
Description=Network Namespace for mail vpn service that will live forever and cant fail
-After=syslog.target network-online.target
+# These are the same as unbound.service. Note, that if we had an After= for a later target
+# than nss-lookup, systemd would just ignore unbound's After=mailnn.service and
+# start it first. It seems logically, that we should not need the Before= here,
+# but I'm not confident that systemd would do something unexpected and still start
+# unbound earlier than this.
+After=network.target
+Before=nss-lookup.target
Wants=network-online.target
[Service]
StartLimitIntervalSec=0
[Service]
+ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
PrivateNetwork=true
# note the nsswitch bind is actually not needed for bk, but
# its the same file so it does no harm.
StartLimitIntervalSec=0
[Service]
+ExecStartPre=/usr/local/bin/joins-namespace-of-check mailnn
PrivateNetwork=true
BindPaths=$bindpaths
Restart=always
pixz
# unattended-upgrades.log: Please install powermgmt-base package to check power status
powermgmt-base
+ pngtools
profanity
# for pactl
pulseaudio-utils
iankelling.org / git / distro-setup / commitdiff