for f in "${files[@]}"; do
host=${f%%/*}
if [[ ! ${vpn_ips[$host]} ]]; then
- e /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service
+ e rm /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service
fi
done
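Review bot: `e rm` on L5 is not idempotent: on a host where the unit file is already gone, rm without `-f` reports an error, and if this loop runs under `set -e` that aborts the run. Elsewhere in this diff the cleanup lines use `rm -fv`, so `e rm -fv -- "/a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service"` would match them and also quote the path built from `$host`. What `e` does is not visible in this hunk; the point assumes it executes its arguments rather than only echoing them.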
--- /dev/null
+#!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# this was part of distro-end
+
+### begin nagios ###
+
+pi nagios-nrpe-server
+
+case $HOSTNAME in
+ kd)
+ # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
+ pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
+ s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ # to add a password for admin:
+ # htdigest /etc/nagios4/htdigest.users Nagios4 iank
+ # now using the same pass as prometheus
+
+ # nagstamon auth settings, set to digest instead of basic.
+
+ web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+ Options FollowSymLinks
+ DirectoryIndex index.php index.html
+ AllowOverride AuthConfig
+ #
+ # The default Debian nagios4 install sets use_authentication=0 in
+ # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+ # This is insecure. As a compromise this default apache2 configuration
+ # only allows private IP addresses access.
+ #
+ # The <Files>...</Files> below shows how you can secure the nagios4
+ # web site so anybody can view it, but only authenticated users can issue
+ # commands (such as silence notifications). To do that replace the
+ # "Require all granted" with "Require valid-user", and use htdigest
+ # program from the apache2-utils package to add users to
+ # /etc/nagios4/htdigest.users.
+ #
+ # A step up is to insist all users validate themselves by moving
+ # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+ # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+ # can configure which people get to see a particular service from
+ # within the nagios configuration.
+ #
+ AuthDigestDomain "Nagios4"
+ AuthDigestProvider file
+ AuthUserFile "/etc/nagios4-htdigest.users"
+ AuthGroupFile "/etc/group"
+ AuthName "Nagios4"
+ AuthType Digest
+ Require valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+ Options +ExecCGI
+</Directory>
+EOF
+ ;;
+esac
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+# 2 define contact {
+# 1 define contactgroup {
+# 9 define host {
+# 4 define hostgroup {
+# 23 define service {
+# 5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+# 76 define command
+# 11 define contact
+# 6 define contactgroup
+# 162 define host
+# 1 define hostextinfo
+# 16 define hostgroup
+# 3040 define service
+# 2 define servicedependency
+# 6 define timeperiod
+
+
+
+
+### end nagios ###
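Review bot: The Apache `AuthUserFile "/etc/nagios4-htdigest.users"` on L87 does not match the path in the how-to comment on L45 (`# htdigest /etc/nagios4/htdigest.users Nagios4 iank`) nor the Debian note on L77, so a user added with that command lands in a file Apache never reads and `Require valid-user` rejects them. If the flat `/etc/nagios4-htdigest.users` path is intentional (L46 says the prometheus password is reused), the comment should read `# htdigest /etc/nagios4-htdigest.users Nagios4 iank`; otherwise AuthUserFile should point at the `/etc/nagios4/` location. This mismatch was carried over verbatim from the removed distro-end block, so it predates the move. Separately, the new file has a `#!/bin/bash` shebang but no `set -e`/`set -o pipefail`, and `pi`, `s` and `web-conf` are not defined in it; a one-line comment under L32 stating that it must be sourced after those helpers are loaded (or adding the strict-mode line if it is meant to run standalone) would prevent a failed `pi` or `web-conf` from going unnoticed.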
fi
fi
done
- if $apparmor_reload && systemctl is-enabled apparmor; then
+ if $apparmor_reload && systemctl is-active apparmor; then
m ser reload apparmor
fi
fi
# listen on the wireguard interface
*)
- wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
- # old filename. remove once all hosts are updated.
- s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
- web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+ if [[ -e /etc/wireguard/wghole.conf ]]; then
+ wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+ # old filename. remove once all hosts are updated.
+ s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+ web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
<Location "/">
AuthType Basic
AuthName "basic_auth"
Require valid-user
</Location>
EOF
- # For work, i think we will just use the firewall for hosts in the main data center, and
- # vpn for hosts outside it.
+ # For work, i think we will just use the firewall for hosts in the main data center, and
+ # vpn for hosts outside it.
- # TODO: figure out how to detect the ping failure and try again.
+ # TODO: figure out how to detect the ping failure and try again.
- # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
- s mkdir /etc/systemd/system/apache2.service.d
- sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
+ # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
+ s mkdir /etc/systemd/system/apache2.service.d
+ sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
[Unit]
After=wg-quick@wghole.service
StartLimitIntervalSec=0
RestartSec=30
EOF
+ fi
;;
esac
### end prometheus ###
-### begin nagios ###
-
-pi nagios-nrpe-server
-
-case $HOSTNAME in
- kd)
- # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
- pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
- s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
-
- # to add a password for admin:
- # htdigest /etc/nagios4/htdigest.users Nagios4 iank
- # now using the same pass as prometheus
-
- # nagstamon auth settings, set to digest instead of basic.
-
- web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
-# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
-
-ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
-ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
-
-# Where the stylesheets (config files) reside
-Alias /nagios4/stylesheets /etc/nagios4/stylesheets
-
-# Where the HTML pages live
-Alias /nagios4 /usr/share/nagios4/htdocs
-
-<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
- Options FollowSymLinks
- DirectoryIndex index.php index.html
- AllowOverride AuthConfig
- #
- # The default Debian nagios4 install sets use_authentication=0 in
- # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
- # This is insecure. As a compromise this default apache2 configuration
- # only allows private IP addresses access.
- #
- # The <Files>...</Files> below shows how you can secure the nagios4
- # web site so anybody can view it, but only authenticated users can issue
- # commands (such as silence notifications). To do that replace the
- # "Require all granted" with "Require valid-user", and use htdigest
- # program from the apache2-utils package to add users to
- # /etc/nagios4/htdigest.users.
- #
- # A step up is to insist all users validate themselves by moving
- # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
- # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
- # can configure which people get to see a particular service from
- # within the nagios configuration.
- #
- AuthDigestDomain "Nagios4"
- AuthDigestProvider file
- AuthUserFile "/etc/nagios4-htdigest.users"
- AuthGroupFile "/etc/group"
- AuthName "Nagios4"
- AuthType Digest
- Require valid-user
-</DirectoryMatch>
-
-<Directory /usr/share/nagios4/htdocs>
- Options +ExecCGI
-</Directory>
-EOF
- ;;
-esac
-
-# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
-# notifications_enabled=1
-# note, the same variable exists in the correspdonding "define service {"
-
-# in the default config, we have these definitions
-
-# 11 define command {
-# 2 define contact {
-# 1 define contactgroup {
-# 9 define host {
-# 4 define hostgroup {
-# 23 define service {
-# 5 define timeperiod {
-
-
-# on klaxon
-
-# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
-# 76 define command
-# 11 define contact
-# 6 define contactgroup
-# 162 define host
-# 1 define hostextinfo
-# 16 define hostgroup
-# 3040 define service
-# 2 define servicedependency
-# 6 define timeperiod
-
-
-
-
-### end nagios ###
-
### begin bitcoin ###
case $HOSTNAME in
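Review bot: The new `[[ -e /etc/wireguard/wghole.conf ]]` guard on L147 only proves the file exists, not that the sed on L148 extracted an address; if `wgip` is empty, the unquoted `-a $wgip` on L151 collapses and web-conf sees `-p` where it expects the address, so the outcome depends on its option parsing rather than being an explicit error. A check such as `[[ $wgip ]] || { echo "no Address= in wghole.conf" >&2; exit 1; }` after L148, plus quoting `"$wgip"`, would make that failure visible. The same empty-result case applies to `wgholeip` in the exim hunk further down. Separately, `systemctl is-active apparmor` on L137 prints the unit state to stdout when used as a condition; `systemctl is-active --quiet apparmor` keeps the output clean. The enclosing case statement and the apparmor block both begin outside this hunk.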
bhost_t=false
case $HOSTNAME in
$MAIL_HOST) : ;;
- kd|frodo|x2|x3|kw|sy|bo)
+ kd|x2|x3|kw|sy|bo|so)
bhost_t=true
;;
esac
ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
EOF
if $ur; then
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+ if [[ ! -e /var/log/exim4/mainlog ]]; then
+ install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog
+ fi
m systemctl restart fail2ban
fi
m mkdir -p $rctmpdir /m/rc
m chown -R www-data.www-data $rctmpdir /m/rc
m chmod 750 $rctmpdir
- # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
# todo: check for other mailinabox things
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
m sudo -u www-data touch $rclogdir/errors.log
#### begin carddav install
EOF
# Bind to wghole to receive mailbackup.
- wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
- cat >>/etc/exim4/update-exim4.conf.conf <<EOF
+ if [[ -e /etc/wireguard/wghole.conf ]]; then
+ wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
+ cat >>/etc/exim4/update-exim4.conf.conf <<EOF
dc_other_hostnames='eximbackup.b8.nz'
dc_local_interfaces='127.0.0.1;::1;$wgholeip'
EOF
+ fi
# wghole & thus exim will fail to start without internet connectivity.
u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
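Review bot: The `install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog` on L294 runs without the `m` prefix that the surrounding privileged commands use (`m systemctl restart fail2ban` on L296, `m mkdir -p` on L298), so if `m` is the wrapper that supplies root, this line fails on the chown/permission step whenever the script runs unprivileged; `m install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog` would be consistent. It also assumes `/var/log/exim4` already exists, which is not checked here. Further down, the new guard on L310 only checks that wghole.conf exists; if the sed on L311 yields nothing, `dc_local_interfaces='127.0.0.1;::1;$wgholeip'` is appended with a trailing `;` and exim quietly does not get the intended backup listener, so a `[[ $wgholeip ]]` check before the `cat >>` is worth adding. The `if $ur` block and the exim config section both begin outside this hunk.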
# if [[ ! $uid ]]; then
# # /a/opt/debbugs/debian/README.mail
# adduser --uid 610 --system --group --home /o/debbugs \
-# --no-create-home --disabled-login --force-badname debbugs
+ # --no-create-home --disabled-login --force-badname debbugs
# m find /o/debbugs -xdev -path ./var/tmp -prune -o -uid $uid -execdir chown -h 610 {} +
# m find /o/debbugs -xdev -path ./var/tmp -prune -o -gid $gid -execdir chgrp -h 610 {} +
# elif [[ $uid != 610 ]]; then
# optimization, this only needs to run once. But, if we move to a
# computer we haven't used much, we need to fetch a fresh cert.
-if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
+# Existence check is just to avoid ugly error message from openssl.
+if [[ ! -e /etc/exim4/fullchain.pem ]] || ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
m /a/bin/ds/mail-cert-cron -1 -i
m systemctl --now enable mailcert.timer
fi
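Review bot: The new `[[ ! -e /etc/exim4/fullchain.pem ]]` on L331 exists, per the comment on L330, only to avoid openssl's error message, but `-e` is also true for an empty file, where openssl still prints the error before the `||` falls through to renewal; `[[ ! -s /etc/exim4/fullchain.pem ]]` matches the stated intent more closely. Behavior is otherwise unchanged: either way a missing or invalid cert triggers `mail-cert-cron -1 -i`.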