}
eqrmf() {
exiqgrep -i | xargs exim -Mrm
- }
+}
# shellcheck disable=SC2032
}
jr() { journalctl "$@" ; }
jrf() { journalctl -f "$@" ; }
+jru() {
+ journalctl -u exim4 _SYSTEMD_INVOCATION_ID=$(systemctl show -p InvocationID --value $1)
+}
l() {
if [[ $PWD == /[iap] ]]; then
# general vpn for as needed use
vpn-server-setup -d -r -4 10.5.5 -p 443 -n hole
+
+ # sullivan d8
+ sd /etc/openvpn/client-config-hole/sd8 <<'EOF'
+ifconfig-push 10.5.5.41 255.255.255.0
+EOF
+ # hsieh d8
+ sd /etc/openvpn/client-config-hole/hd8 <<'EOF'
+ifconfig-push 10.5.5.42 255.255.255.0
+EOF
+
sd /etc/openvpn/client-config-hole/sy <<'EOF'
ifconfig-push 10.5.5.12 255.255.255.0
EOF
ifconfig-push 10.5.5.2 255.255.255.0
EOF
+ # for adding to current system:
#vpn-mk-client-cert -s "" -n hole 72.14.176.105
+ # adding to remove system 107,
+ #vpn-mk-client-cert -s "" -n hole -c 10.2.0.107 -b hd8 iankelling.org
# requested from linode via a support ticket.
# https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
# in case.
LLMNR=no
MulticastDNS=no
+DNSOverTLS=yes
# we pass options to use different location.
ExecStart=/a/bin/log-quiet/sysd-mail-once -1 btrfsmaint /a/bin/ds/btrfsmaint
IOSchedulingClass=idle
-CPUSchedulingPolicy=idle
\ No newline at end of file
+CPUSchedulingPolicy=idle
# todo: on bk, dont send email if mailvpn is not up
+# todo: mailtest-check should check on bk too
+
# todo: disable postgrey
# todo: in testforward-check, we should also look
COMMIT
EOF
# load it now.
- m ip6tables -S &>/dev/null
+ m ip6tables -S >/dev/null
fi
# our nostart pi fails to avoid enabling
domain=${bkdomains[i]}
ncdir=${ncdirs[i]}
ncbase=${ncdir##*/}
- cd /var/www
+ m cd /var/www
if [[ ! -e $ncdir/index.php ]]; then
- m wget -nv -N https://download.nextcloud.com/server/releases/latest.zip
- m unzip -q latest.zip
- m rm -f latest.zip
+ # as of march 14 2021, user_external is broken for nextcloud 21
+ # https://github.com/nextcloud/user_external/issues/165
+ #file=latest.zip
+ file=latest-20.zip
+ m wget -nv -N https://download.nextcloud.com/server/releases/$file
+ m unzip -q $file
+ m rm -f $file
m chown -R www-data.www-data nextcloud
m mv nextcloud $ncdir
m cd $ncdir
\$CONFIG['htaccess.RewriteBase'] = '/nextcloud';
\$CONFIG['trusted_domains'] = array (
0 => '$domain',
- );s
+ );
#\$CONFIG[''] = '';
fwrite(STDOUT, "<?php\n\\\$CONFIG = ");
var_export(\$CONFIG);
fwrite(STDOUT, ";\n");
EOF
- m php tmp.php >config.php 2>/dev/null
+ m php tmp.php >config.php
m rm tmp.php
m sudo -u www-data php $ncdir/occ maintenance:update:htaccess
list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list)
m sudo -u www-data php $ncdir/occ app:install $app
fi
done
- i /etc/cron.d/$ncbase <<'EOF'
+ i /etc/systemd/system/$ncbase.service <<EOF
+[Unit]
+Description=ncup $ncbase
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/ncup $ncbase
+User=www-data
+IOSchedulingClass=idle
+CPUSchedulingPolicy=idle
+EOF
+ i /etc/systemd/system/$ncbase.timer <<EOF
+[Unit]
+Description=ncup $ncbase timer
+
+[Timer]
+OnCalendar=Daily
+
+[Install]
+WantedBy=timers.target
+EOF
+ i /usr/local/bin/ncup <<'EOFOUTER'
+#!/bin/bash
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+ncbase=$1
+if ! php /var/www/$ncbase/updater/updater.phar -n; then
+ echo failed nextcloud update for $ncbase >&2
+ /sbin/exim -t <<EOF
+To: alerts@iankelling.org
+From: root@$(hostname -f)
+Subject: failed nextcloud update for $ncbase
+
+For logs, run: jru $ncbase
+EOF
+fi
+EOFOUTER
+
+ i /etc/cron.d/$ncbase <<EOF
SHELL=/bin/bash
-# automatic update. https://stackoverflow.com/questions/26915448/how-do-i-copy-stderr-without-stopping-it-writing-to-the-terminal
-0 9 * * * www-data php { $ncdir/updater/updater.phar -n 2> >(tee >(cat 1>&2)) || echo fail >&2; } | systemd-cat -t ncupdate
-# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html
+# https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html
*/5 * * * * php -f $ncdir/cron.php --define apc.enable_cli=1 |& log-once nccron
EOF
for folder in ${folders[@]}; do
for from in ${froms[@]}; do
latest=
- cd $folder
last_sec=0
# webmail sends them to cur it seems
while read -r file; do
if [[ $file -nt $latest ]]; then
latest=$file
fi
- done < <(grep -rlFx "From: $from" new cur)
+ done < <(grep -rlFx "From: $from" $folder/{new,cur} )
if [[ $latest ]]; then
- e latest = $folder/$latest
+ e latest = $latest
last_sec=$(awk '/^Subject: / {print $4}' $latest)
if $slow; then
fi
done
if (( ${#results[@]} || ${#missing[@]} )); then
- printf "$HOSTNAME spamtest %s/%s\n" "$folder" "$latest"
+ printf "$HOSTNAME spamtest %s/%s\n" "$latest"
if (( ${#results[@]} )); then
printf "unexpected %s" "${!results[*]} "
fi
printf "missing %s" "${missing[*]}"
fi
echo
- echo mailtest-check: cat $folder/$latest:
- cat $folder/$latest
+ echo mailtest-check: cat $latest:
+ cat $latest
echo mailtest-check: end of cat
fi
fi # if spamdpid
# Usage: run when switching from an untrusted network like public wifi
# to a trusted one.
-if [[ -e /etc/dnsmasq.d/untrusted-network.conf ]]; then
- rm -f /etc/dnsmasq.d/untrusted-network.conf /etc/systemd/resolved.conf.d/untrusted-network.conf
- reresolv
-fi
-
-
if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then
rm -f /etc/NetworkManager/conf.d/dns.conf
if [[ $(systemctl is-active NetworkManager) == active ]]; then
systemctl restart NetworkManager
fi
fi
+
+dhclient_restart=false
+# man dhclient.conf
+if ! grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then
+ sed -i 's/^ *request/request domain-name-servers,/' /etc/dhcp/dhclient.conf
+ dhclient_restart=true
+fi
+
+
+
+read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8)
+if [[ $gateway_if ]]; then
+ # we could do this, but dhclient is still running and will use its old settings
+ # from dependencies of ifupdown,
+ # from man dhclient-script
+ # from /etc/dhcp/dhclient-enter-hooks.d/resolved
+ # rm -f /run/systemd/resolved.conf.d/*$gateway_if*
+
+
+ if $dhclient_restart && grep -Pq '^ *auto ($gateway_if|.* $gateway_if( |$))' /etc/network/interfaces; then
+ m ifdown $gateway_if
+ m ifup $gateway_if
+ fi
+
+ # at least on systemd 237 ifupdown it sets a global and this is not needed
+ systemd-resolve --interface=$gateway_if --revert
+fi
+
+reresolv
# Usage: use when switching from a trusted network to an untrusted one,
# like public wifi.
-if [[ -s /etc/dnsmasq.d/untrusted-network.conf ]]; then
- exit 0
+read -r _ ver _ < <(systemd-resolve --version)
+
+
+servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001)
+servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003)
+# first version that supports this syntax
+if (( ver >= 239 )); then
+ servers=(${servers[@]/%/#cloudflare-dns.com})
fi
-cat >/etc/dnsmasq.d/untrusted-network.conf <<'EOF'
-server=8.8.4.4
-server=8.8.8.8
-server=2001:4860:4860::8844
-server=2001:4860:4860::8888
-no-resolv
-# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
-stop-dns-rebind
-EOF
# https://wiki.archlinux.org/index.php/Systemd-resolved#Manually
-cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<'EOF'
+cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
[Resolve]
-DNS=8.8.4.4 8.8.8.8 2001:4860:4860::8844 2001:4860:4860::8888
-Domains=~.
+DNS=${servers[@]}
+Domains=~. b8.nz
+DNSOverTLS=yes
EOF
cat >/etc/NetworkManager/conf.d/dns.conf <<'EOF'
if [[ $(systemctl is-active NetworkManager) == active ]]; then
systemctl restart NetworkManager
+fi
+
+dhclient_restart=false
+# man dhclient.conf
+if grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then
+ sed -i 's/domain-name-servers,\?//' /etc/dhcp/dhclient.conf
+ dhclient_restart=true
+fi
+
+read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8)
+if [[ $gateway_if ]]; then
+ # we could do this, but dhclient is still running and will use its old settings
+ # from dependencies of ifupdown,
+ # from man dhclient-script
+ # from /etc/dhcp/dhclient-enter-hooks.d/resolved
+ # rm -f /run/systemd/resolved.conf.d/*$gateway_if*
+
+
+ if $dhclient_restart && grep -Pq '^ *auto ($gateway_if|.* $gateway_if( |$))' /etc/network/interfaces; then
+ m ifdown $gateway_if
+ m ifup $gateway_if
fi
+ # at least on systemd 237 ifupdown it sets a global and this is not needed
+ systemd-resolve --interface=$gateway_if --revert
+fi
+
reresolv
+
+# just for curiosity i did a
+# wrapper around dhclient, then ifdown eth0; ifup eth0:
+
+# Tue Mar 9 18:29:05 EST 2021
+# args -4 -v -r -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
+# env
+# ADDRFAM=inet
+# PHASE=pre-down
+# VERBOSITY=0
+# PWD=/sbin
+# IFACE=eth0
+# METHOD=dhcp
+# SHLVL=1
+# LOGICAL=eth0
+# MODE=stop
+# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# IFUPDOWN_eth0=pre-down
+# _=/usr/bin/env
+# Tue Mar 9 18:29:07 EST 2021
+# args -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
+# env
+# ADDRFAM=inet
+# PHASE=post-up
+# VERBOSITY=0
+# PWD=/sbin
+# IFACE=eth0
+# METHOD=dhcp
+# SHLVL=1
+# LOGICAL=eth0
+# MODE=start
+# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# IFUPDOWN_eth0=post-up
+# _=/usr/bin/env
iankelling.org / git / distro-setup / commitdiff