# This works in addition to HISTCONTROL to do more flexible things
# it could also do the same things as HISTCONTROL and thus replace it,
# but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it.
-HISTIGNORE='pass *:[ ]*:otp *:oathtool *:histrm *:k *:ks *:ksu *'
+HISTIGNORE='pass *:[ ]*:otp *:oathtool *:histrm *'
#### begin section that works with sl() function to return from
# or git checkout -b my-branch origin/whatever
# autoSetupMerge = always
-# git pull always does rebase by default
+# make git pull always rebase by default
autoSetupRebase = always
[push]
default = simple
chumount() {
local d
# dev/pts needed for pacman signature check
- for d in dev proc sys dev/pts; do
+ for d in dev/pts dev proc sys; do
[[ -d $d ]]
if mountpoint $d &>/dev/null; then
m s umount $d
dt() {
date "+%A, %B %d, %r" "$@"
}
-ccomp date dt
+dtr() {
+ date -R "$@"
+}
+ccomp date dt dtr
dus() { # du, sorted, default arg of
du -sh ${@:-*} | sort -h
ccomp du dus
-e() { echo "$@"; }
+e() { printf "%s\n" "$@"; }
# echo args
ea() {
etail() {
tail -F /var/log/exim4/mainlog -n 200 "$@"
}
-ccomp tail etail
+etail2() {
+ tail -F /var/log/exim4/mymain -n 200 "$@"
+}
+
+ccomp tail etail etail2
# print exim old pids
eoldpids() {
-o -name .undo-tree-history -prune \) -type f 2>/dev/null
}
+# full path without resolving symlinks
+fp() {
+ local dir base
+ base="${1##*/}"
+ dir="${1%$base}"
+ printf "%s/%s\n" $(cd $dir; pwd) "$base"
+}
+
# mail related
frozen() {
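Review bot: `fp` resolves the wrong directory when its argument contains no slash: `dir` is then empty, the unquoted `cd $dir` becomes a bare `cd`, and the function prints a path under `$HOME`. The unquoted `$(cd $dir; pwd)` also splits on whitespace in the directory name, and a failed `cd` still prints the current directory because `;` is used instead of `&&`. Something like `dir=${1%"$base"}; dir=${dir:-.}` followed by `printf '%s/%s\n' "$(cd -- "$dir" && pwd)" "$base"` covers these cases.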
EOF
}
+rm-docker-iptables() {
+ s iptables -S | gr docker | gr -- -A | sed 's/-A/-D/'| while read -r l; do sudo iptables $l; done
+ s iptables -S -t nat | gr docker | gr -- -A | sed 's/-A/-D/'| while read -r l; do sudo iptables -t nat $l; done
+ s iptables -S | gr docker | gr -- -N | sed 's/-N/-X/'| while read -r l; do sudo iptables $l; done
+ s iptables -S -t nat | gr docker | gr -- -N | sed 's/-N/-X/'| while read -r l; do sudo iptables -t nat $l; done
+}
+
# usage mkschroot [-] distro codename packages
# - means no piping in of sources.list
mkschroot() {
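Review bot: The loops in `rm-docker-iptables` re-split each saved rule through an unquoted `$l`, so a rule whose `iptables -S` line carries a quoted argument (for example a comment containing spaces) is passed with broken arguments and stays in place, and the failed `iptables` call is not reported. The selection is also a plain substring match on `docker` (assuming `gr` is a grep wrapper defined elsewhere), so any unrelated rule or chain that mentions that string is removed too. Consider matching on the chain names and checking each exit status. A header comment such as `# deletes every filter/nat rule and chain whose -S line mentions docker` would make the scope explicit.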
if $active; then
ser stop btrbk.timer
fi
- if [[ $(systemctl is-active btrbk.service ||:) != inactive ]]; then
- echo "cron btrbk is already running"
- if $active; then ser start btrbk.timer; fi
- return 1
- fi
+ btrbk_is_active=$(systemctl is-active btrbk.service ||:)
+ case $btrbk_is_active in
+ inactive|failed) : ;;
+ *)
+ echo "bbk: error: systemctl is-active btrbk.service output: $btrbk_is_active"
+ if $active; then ser start btrbk.timer; fi
+ return 1
+ ;;
+ esac
# run latest
install-my-scripts
# todo: consider changing this to srun and having the args come
lom() {
+ # l = the loopback device
local l base
if [[ $1 == /* ]]; then
base=${1##*/}
+ fs_file=$1
if mns $base mountpoint -q /mnt/$base; then
return 0
fi
- l=$(losetup -j $1 | sed -rn 's/^([^ ]+): .*/\1/p' | head -n1 ||:)
+ l=$(losetup -j $fs_file | sed -rn 's/^([^ ]+): .*/\1/p' | head -n1 ||:)
if [[ ! $l ]]; then
l=$(sudo losetup -f)
- m sudo losetup $l $1
+ m sudo losetup $l $fs_file
fi
if ! sudo cryptsetup status /dev/mapper/$base &>/dev/null; then
if ! sudo cryptsetup luksOpen $l $base; then
return 1
fi
fi
- l=$(losetup -l --noheadings | awk '$6 ~ /\/'$1'$/ {print $1}')
+ l=$(losetup -l --noheadings | awk '$6 ~ /\/'$base'$/ {print $1}')
if [[ $l ]]; then
m sudo losetup -d $l
else
mv -T $src $dst
set +x
}
+mb2disable() {
+ local mb=$1
+ dst=/m/md/$mb
+ src=/m/4e2/$mb
+ set -x
+ [[ -e $src ]] || { set +x; return 1; }
+ if [[ -L $dst ]]; then rm $dst; fi
+ mv -T $src $dst
+ set +x
+}
mdt() {
PATH=/usr/local/spdhackfix:$PATH command spd "$@"
}
-spend() {
- sudo systemctl suspend
-}
-
spamf() { # spamtest on FILE
local spamcpre spamdpid
done
}
+# alert on changes to a webpage (just the base page that curl gets)
+# usage: weblert URL [SUBJECT...]
+weblert() {
+ local u old new quiet
+ quiet=false
+ case $1 in
+ # dont send a diff of the html. some html is not very readable
+ -q) quiet=true
+ shift
+ ;;
+ esac
+ u="$1"
+ shift
+ subject="${*:-weblert}"
+ old=$(curl -s "$u") ||:
+ while true; do
+ new=$(curl -s "$u") ||:
+ if [[ $old && $new ]]; then
+ if [[ $new != "$old" ]]; then
+ if $quiet; then
+ echo | daylertme "$subject"
+ else
+ diff <(printf "%s\n" "$old") <(printf "%s\n" "$new") | daylertme "$subject" ||:
+ fi
+ fi
+ old="$new"
+ fi
+ sleep $(( 60 + RANDOM % 120 ))
+ done
+}
+
+torshell() {
+ # per man torsocks
+ source `type -p torsocks` on
+}
+
+eless2() {
+ less /var/log/exim4/mymain
+}
+
# mail related
testexim() {
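Review bot: `weblert` assigns `subject` without listing it in `local u old new quiet`, so it overwrites any `subject` variable in the shell that sourced this file. Both `curl -s "$u"` calls also have no time limit and no `-f`, so a stalled connection blocks the loop indefinitely and an HTTP error page is compared as if it were the page content, which produces a false alert. Suggested: `local u old new quiet subject` and `curl -sf --max-time 60 "$u"`.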
m s nsenter -t $pid -n -m $ecmd "$@"
}
+# get pid of systemd service
+servicepid() {
+ local pid unit
+ unit="$1"
+ pid=$(systemctl show --property MainPID --value "$unit")
+ case $pid in
+ [1-9]*) : ;;
+ *)
+ # 0 or empty. This file includes the MainPid, so I expect we
+ # could just get this in the first place, but i don't know if that
+ # is always the case.
+ pid=$(head -n1 /sys/fs/cgroup/systemd/system.slice/${unit%.service}.service/cgroup.procs)
+ ;;
+ esac
+ if [[ $pid ]]; then
+ printf "%s\n" "$pid"
+ else
+ return 1
+ fi
+}
+
sdnbash() { # systemd namespace bash
- local unit=$1
- m sudo nsenter -t $(systemctl show --property MainPID --value $unit) -n -m sudo -u $USER -i bash
+ local unit pid
+ unit=$1
+ pid=$(servicepid $unit)
+ m sudo nsenter -t $pid -n -m sudo -u $USER -i bash
}
-mailnnbash() {
- m sudo nsenter -t $(systemctl show --property MainPID --value mailnn) -n -m sudo -u $USER -i bash
+sdncmd() { # systemd namespace cmd
+ local unit pid
+ unit=$1
+ shift
+ pid=$(servicepid $unit)
+ m sudo nsenter -t $pid -n -m sudo -u $USER -i "$@"
}
-mailvpnbash() {
- m sudo nsenter -t $(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") -n -m sudo -u $USER -i bash
+
+mailnnbash() {
+ sdnbash mailnn
}
+
+# we use wireguard now, use mailnnbash.
+# mailvpnbash() {
+# m sudo nsenter -t $(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") -n -m sudo -u $USER -i bash
+# }
+
eximbash() {
local pid
pid=$(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf"|h1)
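Review bot: The fallback in `servicepid` reads `/sys/fs/cgroup/systemd/system.slice/...`, a path that exists only on the legacy or hybrid cgroup layout; on a unified (cgroup v2) host the unit directory is `/sys/fs/cgroup/system.slice/UNIT.service`, so the fallback fails there with a `head` error. `sdnbash` and `sdncmd` also use the result unchecked, so a failed lookup reaches `nsenter -t` with an empty target. `pid=$(servicepid "$unit") || return 1` in both callers makes that failure explicit.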
m sudo nsenter -t $(systemctl status unbound| sed -n '/^ *Main PID:/s/[^0-9]//gp') -n -m sudo -u $USER -i bash
}
+nmtc() {
+ s nmtui-connect "$@"
+}
+
mailnncheck() {
local p pid ns mailnn
# mailvpn would belong on the list if using openvpn
for p in mailnn unbound dovecot spamassassin exim4 radicale; do
- case $p in
- exim4|radicale)
- pid=$(ps -eo pid,cgroup | grep /system.slice/$p.service | awk '{print $1}')
- ;;
+
+
+ pid=$(systemctl show --property MainPID --value $unit)
+ case $pid in
+ [1-9]*) : ;;
*)
- pid=$(s systemctl show --property MainPID --value $p)
+ # 0 or empty. This file includes the MainPid, so I expect we
+ # could just get this in the first place, but i don't know if
+ # that is always the case.
+ pid=$(head -n1 /sys/fs/cgroup/systemd/system.slice/${unit%.service}.service/cgroup.procs)
;;
esac
echo p=$p pid=$pid
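Review bot: The new lookup in `mailnncheck` reads `$unit`, but the loop variable is `p` and `unit` is not among the locals declared at the top of the function, so both the `systemctl show` call and the cgroup fallback path work on an empty or stale name. Each service in the list would then report the same pid or none, which undermines what appears to be the per-service namespace check that follows. Since these lines duplicate the body of the new `servicepid` helper, `pid=$(servicepid "$p")` would fix the variable and keep the two in sync. The function continues past the end of the hunk.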
if type -P rg &>/dev/null; then
# --no-messages because of annoying errors on broken symlinks
- rg() { command rg --no-messages -L -i -M 300 --no-ignore "$@" || return $?; }
+ # -z = search .gz etc files
+ # -. = search dotfilesq
+ rg() { command rg -. -z --no-messages -L -i -M 900 --no-ignore "$@" || return $?; }
#fails if not exist. ignore
complete -r rg 2>/dev/null ||:
else
early=false # quit early, just btrbk, no extra remounting etc.
cron=false
orig_args=("$@")
-temp=$(getopt -l cron,pull-reexec,help ceil:m:npqs:t:vh "$@") || usage 1
+temp=$(getopt -l cron,pull-reexec,help ceil:m:npqrs:t:vh "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-n) dry_run=true; dry_run_arg=-n; shift ;;
-p) progress_arg="--progress"; shift ;;
--pull-reexec) pull_reexec=true; shift ;;
+ -r) archive=false; shift ;;
-q) verbose=false; verbose_arg=; progress_arg=; shift ;;
# source host to receive a backup from
-s)
targets=(frodo.b8.nz)
case $HOSTNAME in
- kw)
+ x2|kw)
at_work=true
;;&
x2|x3|sy|bo)
fi
;;&
kw)
- targets+=($home x3)
+ targets+=($home x2.office.fsf.org)
;;
x2|x3|sy|bo)
targets+=($home)
if $at_work; then
- targets+=(kw.office.fsf.org x2.b8.nz)
+ targets+=(x2.office.fsf.org x2.b8.nz)
else
- targets+=(kw.b8.nz)
+ targets+=(x2wg.b8.nz)
fi
;;
kd)
- targets+=(x2.b8.nz kw.b8.nz)
+ targets+=(x2wg.b8.nz x3.b8.nz)
if ping -q -c1 -w1 sy.b8.nz &>/dev/null; then
targets+=(sy.b8.nz)
else
fi
# note: put q last just in case its specific retention options were to
# affect other config sections. I havent tested if that is the case.
- prospective_mps+=(/a /q)
+ prospective_mps+=(/a /ar /qr /q)
;;
esac
fi
fi
-if ! which btrbk &>/dev/null; then
+if ! command -v btrbk &>/dev/null; then
die "error: no btrbk binary found"
fi
# if our mountpoints are from stale snapshots,
check-subvol-stale ${mountpoints[@]} || die "found stale mountpoints in ${mountpoints[*]}"
# for an initial run, btrbk requires the dir to exist.
-mkdir -p /mnt/root/btrbk
+mkdir -p /mnt/{root,o}/btrbk
local_zone=$(date +%z)
if [[ $source ]]; then
sshfail=()
min_idle_ms=$((1000 * 60 * 15))
for h in ${targets[@]}; do
- if remote_info=( $(timeout -s 9 6 ssh root@$h "mkdir -p /mnt/root/btrbk && date +%z && df --output=size,pcent / | tail -n1") ); then
+ if remote_info=( $(timeout -s 9 6 ssh root@$h "mkdir -p /mnt/root/btrbk /mnt/o/btrbk && date +%z && df --output=size,pcent / | tail -n1") ); then
zone=${remote_info[0]}
root_size=${remote_info[1]}
percent_used=${remote_info[2]%%%}
EOF
fi
-vol=/mnt/root
for m in ${mountpoints[@]}; do
+ case $m in
+ /o)
+ vol=/mnt/o
+ ;;
+ *)
+ vol=/mnt/root
+ ;;
+ esac
+
sub=${m#/}
if [[ $source ]]; then
cat >>/etc/btrbk.conf <<EOF
target_preserve_min 2h
EOF
;;
- esac
+ esac
for tg in ${targets[@]}; do
# handle ipv6
if [[ $tg == *:* ]]; then
fi
- tmp=$(mktemp)
fnd="findmnt --types btrfs --noheading"
for x in $($fnd --output "SOURCE" --nofsroot | sort -u); do
mnt=$($fnd --output "TARGET" --first-only --source $x)
# Only run for $check, since it runs in parallel to non-check, avoid
# race condition.
if $check; then
- if ! btrfs dev stats -c $mnt >$tmp; then
- if diff -q $mnt/btrfs-dev-stats $tmp; then
- diff -u $mnt/btrfs-dev-stats $tmp | mail -s "$HOSTNAME: error: btrfs dev stats -c $mnt" root@localhost
- cat $tmp >$mnt/btrfs-dev-stats
+ tmp=$(mktemp)
+ # if mnt is /, avoid making a buggy looking path
+ stats_path=${mnt%/}/btrfs-dev-stats
+ if [[ ! -e $stats_path ]]; then
+ btrfs dev stats -c $mnt >$stats_path ||: # populate initial reading
+ elif ! btrfs dev stats -c $mnt >$tmp; then
+ if ! diff -q $stats_path $tmp; then
+ exim -t <<EOF
+From: root@$HOSTNAME.b8.nz
+To: alerts@iankelling.org
+Subject: btrfsmaintstop: btrfs dev stats -c $mnt
+
+$(diff -u $stats_path $tmp)
+EOF
+ mv $stats_path $stats_path.1
+ cat $tmp >$stats_path
fi
fi
rm -f $tmp
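Review bot: On the first run for a mount point the new branch writes the baseline with `btrfs dev stats -c $mnt >$stats_path ||:`, so a device that already has non-zero error counters is recorded silently and no mail is sent until the counters change again. If that is intended, a comment such as `# first run: existing errors are baselined, not reported` would make it clear; otherwise send the same alert when this first call returns non-zero. The enclosing `for x in ...` loop ends outside the hunk.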
In git this is not not executable because it's meant to be installed
using ./install-my-scripts
-If latest subvols \$@ are not mounted, print a message, and print
-the unstale subvol name into /nocow/btrfs-stale/\$subvol
+Print the unstale subvol name into /nocow/btrfs-stale/\$subvol
+
+If latest subvols \$@ are not mounted, print a message to terminal.
Fresh is opposite of stale. To be fresh, either SUBVOL_MOUNTPOINT is a
snapshot of the latest, or the latest snapshot is snapshot of
}
# duplicated in mount-latest-sub
+# Reassign $1 var from /dev/dm- to corresponding /dev/mapper/
mapper-dev() {
local mapdev
local -n devref=$1
sudo sed -ri "/^127\./n;/[[:space:]]$HOSTNAME\$/d" /etc/hosts
fi
+if isdeb && [[ $(debian-codename) == nabia ]]; then
+ sudo dd of=/etc/apt/preferences.d/aramo-jammy-missing <<'EOF'
+Package: linux-libc-dev libmysqlclient21
+Pin: release n=jammy,o=Ubuntu
+Pin-Priority: 500
+EOF
+fi
+
# libfdk just has some patent worries.
# https://www.gnu.org/licenses/license-list.en.html#fdk
if isdeb && [[ $(debian-codename) == nabia ]]; then
/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7 /d btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvol=d 0 0
EOF
if ! mountpoint /d &>/dev/null; then
- sudo mkdir /d
+ sudo mkdir -p /d
if [[ -d /mnt/r7/d ]]; then
sudo mount /d
fi
}
pre="${0##*/}:"
sudo() {
- printf "$pre %s\n" "$*"
+ printf "$pre sudo %s\n" "$*"
SUDOD="$PWD" command sudo "$@";
}
m() { printf "$pre %s\n" "$*"; "$@"; }
# fi
+
+
pi debootstrap
######### begin universal pinned packages ######
case $(debian-codename) in
- nabia|etiona|flidas)
+ etiona|flidas|nabia|aramo)
sudo rm -fv /etc/apt/preferences.d/etiona-buster
sd /etc/apt/preferences.d/trisquel-debian <<EOF
Explanation: Debian* includes Debian + Debian Backports
;;&
- nabia|etiona)
+ aramo|nabia|etiona)
# for ziva
#p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
doupdate=false
- for n in buster bullseye; do
+ for n in bullseye; do
f=/etc/apt/sources.list.d/$n.list
t=$(mktemp)
case $n in
- buster)
- cat >$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
- ;;
bullseye)
cat >$t <<'EOF'
EOF
Pin-Priority: -100
EOF
+ ;;&
+ nabia)
+ sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+ f=/etc/apt/sources.list.d/aramo.list
+ t=$(mktemp)
+ cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+ if ! diff -q $t $f; then
+ sudo dd if=$t of=$f 2>/dev/null
+ p update
+ fi
+
;;&
*)
if isdeb; then
;;
esac
-
+case $codename_compat in
+ jammy)
+ s systemctl enable ssh-agent-iank
+ ;;
+esac
case $codename_compat in
focal)
Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
Pin: release o=Debian*,n=bullseye
Pin-Priority: 500
+EOF
+ ;;
+ aramo)
+ # obs dependency not in trisquel
+ sd /etc/apt/preferences.d/obs <<EOF
+Package: libfdk-aac2
+Pin: release n=jammy,o=Ubuntu
+Pin-Priority: 500
EOF
;;
esac
# https://radicale.org/2.1.html
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location /radicale/>
- Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+<Location "/">
AllowOverride None
- AuthType basic
+ AuthType Basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
+ RequestHeader set X-Remote-User expr=%{REMOTE_USER}
+</Location>
+<Location "/radicale/">
+ Options +FollowSymLinks +Multiviews -Indexes
RequestHeader set X-Script-Name /radicale/
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
ProxyPass "http://10.8.0.4:5232/" retry=0
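Review bot: The new `Location "/"` block forwards the authenticated name to the backend in `X-Remote-User`, so the backend presumably trusts that header. That is only sound if `10.8.0.4:5232` accepts connections from this proxy alone, because any other client that can reach it could supply the header itself. A comment beside the `RequestHeader` line, e.g. `# backend trusts X-Remote-User: 10.8.0.4:5232 must be reachable only from this proxy`, would record that requirement. The `/radicale/` block continues past the end of the hunk.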
# and choose lightdm.
#
;;
+ jammy)
+ # not yet bothering with mate
+ pi lightdm-gtk-greeter
+ ;;
esac
# flidas is missing dependency gnome-panel. others unknown
esac
-case $distro in
- trisquel|ubuntu|debian) e ack-grep ;;
- arch|fedora) e ack ;;
- # fedora unknown
-esac
-
case $distro in
debian)
e cpio-doc ;;
arch)
e spacefm ;;
esac
+
+
+case $(debian-codename) in
+ aramo)
+ e ncal ;;
+esac
# misc settings not worth making another settings file
APT::AutoRemove::SuggestsImportant "false";
+
+# https://discourse.ubuntu.com/t/phased-updates-in-apt-in-21-04/20345
+# interesting, but so far it has caused breakage:
+# p -y build-dep emacs
+# The following packages have unmet dependencies:
+# libsystemd-dev : Depends: libsystemd0 (= 249.11-0ubuntu3) but 249.11-0ubuntu3.4 is to be installed
+# 249.11-0ubuntu3.4 for libsystemd-dev was phased, while libsystemd0 wasn't
+
+APT::Get::Always-Include-Phased-Updates "true";
path-add --end /snap/bin
- for p in $HOME/.gem/ruby/*/bin; do
+ # ~/.local is newer, eg ruby 3.0+
+ for p in $HOME/.gem/ruby/*/bin $HOME/.local/share/gem/ruby/*/bin; do
path-add --ifexists --end $p
done
# in case.
LLMNR=no
MulticastDNS=no
-Domains=fsf.org gnu.org
+# this can be useful when working not on the vpn
+#Domains=fsf.org gnu.org
--- /dev/null
+[Unit]
+Description=OpenSSH Agent for root
+Documentation=man:ssh-agent(1)
+
+[Service]
+User=iank
+Environment=DISPLAY=:0
+ExecStart=/usr/bin/ssh-agent -a /run/user/1000/openssh_agent
+
+[Install]
+WantedBy=multi-user.target
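Review bot: `Description=OpenSSH Agent for root` does not match `User=iank`, which makes the unit misleading when it shows up in `systemctl` output or logs. The socket path also hard-codes `/run/user/1000`, which is only right if iank has uid 1000 and that runtime directory already exists when `multi-user.target` starts the unit (it is normally created at login or with lingering enabled). Suggest `Description=OpenSSH Agent for iank` and a comment line stating the uid assumption.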
--- /dev/null
+#!/bin/sh
+
+systemctl suspend
+++ /dev/null
-#!/bin/bash
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-# restricted ssh does not allow arguments, but they exist in $SSH_ORIGINAL_COMMAND
-# debug
-dfile=/tmp/hssh-debug-$(id -u)
-date >>$dfile
-echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND >>$dfile
-
-if [[ ! $SSH_ORIGINAL_COMMAND ]]; then
- echo "no SSH_ORIGINAL_COMMAND" >&2
- exit 1
-fi
-
-mapfile -t cmds <<'EOF'
-# btrbk-run
-date +%z
-cat /a/bin/bash_unpublished/source-state
-cat /etc/hostname
-ps --no-headers -o comm 1
-systemctl is-active btrbk.service
-mkdir -p /mnt/root/btrbk && date +%z && df --output=size,pcent / | tail -n1
-DISPLAY=:0 xprintidle
-rsync --server --sender -logDtprRe.iLsfxC . /usr/local/./bin/mount-latest-subvol /usr/local/./bin/check-subvol-stale /usr/local/./lib/err
-rsync --server --sender -logDtpre.iLsfxC . /usr/local/lib/err
-rsync --server --sender -logDtpre.iLsfxC . /usr/local/bin/mount-latest-subvol /usr/local/bin/check-subvol-stale
-scp -f /a/bin/distro-setup/btrbk-run
-# mount-latest-remote
-timeout -s 9 600 /usr/local/bin/mount-latest-subvol
-rsync --server -OtpRe.LsfxC . /usr/local
-/usr/local/bin/mail-backup-clean
-/usr/local/bin/check-mailq
-find /var/local/cron-errors /home/iank/cron-errors /sysd-mail-once-state -type f
-EOF
-
-allow=false
-for c in "${cmds[@]}"; do
- # echo "c $c" # debug
- if [[ $c == \#* ]]; then continue; fi
- if [[ $SSH_ORIGINAL_COMMAND == "$c" ]]; then
- allow=true
- break
- fi
-done
-if $allow; then
- eval $SSH_ORIGINAL_COMMAND || exit $?
-else
- f=/usr/local/bin/ssh_filter_btrbk.sh
- if [[ ! -e $f ]]; then
- f=/a/opt/btrbk/ssh_filter_btrbk.sh
- fi
- $f --target --delete --source --info || exit $?
-fi
ip6tables-exim \
exim-nn-iptables \
check-crypttab \
+ /a/bin/cedit/cedit \
/usr/local/bin
rsync -t --chmod=755 --chown=root:root /a/bin/errhandle/err /usr/local/lib
#!/bin/bash
-sudo xhost +si:localuser:lightdm # grants localuser rights to X session
-sudo su lightdm -s /bin/bash <<'EOF'
-
-xset dpms 0 0 120
-
-EOF
+# sudo xhost +si:localuser:lightdm # grants localuser rights to X session
+# sudo su lightdm -s /bin/bash <<'EOF'
+# xset dpms 0 0 120
+# EOF
# i wanted the system to stop going to sleep, so
0 6 * * 1,2,3,4,5 root failmail wrt-setup -y
45 7 * * 1,2,3,4,5 root failmail wrt-setup -z
0 9 * * 1,2,3,4,5 root failmail wrt-setup -y
-10 21 * * 1,2,3,4,5 root failmail wrt-setup -z
+# old rule, 9:10
+#10 21 * * 1,2,3,4,5 root failmail wrt-setup -z
+0 17 * * 1,2,3,4,5 root failmail wrt-setup -z
+
+# new 5pm rule
+0 6 * * 0,7 root failmail wrt-setup -y
+0 17 * * 0,7 root failmail wrt-setup -z
+
# saturday morning
-0 6 * * 6 root failmail wrt-setup -y
+# old
+#0 6 * * 6 root failmail wrt-setup -y
# sunday evening
-10 21 * * 0 root failmail wrt-setup -z
+# old
+#10 21 * * 0 root failmail wrt-setup -z
# old rules, weekends allow only morning.
#0 7 * * 0,6 root failmail wrt-setup -y
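Review bot: In the two added weekend lines the day-of-week field `0,7` names Sunday twice (cron accepts both 0 and 7 for Sunday), so Saturday has no `wrt-setup` entry at all now that the `* * 6` rule is commented out. If Saturday was meant, the field should be `0,6` as in the old weekend rule at the bottom: `0 6 * * 0,6 root failmail wrt-setup -y` and `0 17 * * 0,6 root failmail wrt-setup -z`. The `# new 5pm rule` comment also sits above the weekend lines rather than the weekday `0 17` line it seems to describe.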
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
-cd /mnt/root/btrbk
+cd /mnt/o/btrbk
tmp=(o*)
last_snap_date=${tmp[-1]#o.}
time=$(( $(date -d $(sed -r 's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<$last_snap_date) +%s) -1 ))
# disable power management feature, set to 240 min sync interval,
# so it shouldn't be bad.
- # davdroid from f-druid.
+ # davx^5 from f-droid
# login with url and user name
# url https://cal.iankelling.org/ian
# username ian
m() { printf "%s\n" "$*"; "$@"; }
err-cleanup() {
-echo failed nextcloud update for $ncbase >&2
- /sbin/exim -t <<EOF
+ echo failed nextcloud update for $ncbase >&2
+ # -odf or else systemd will kill the background delivery process
+ # and the message will sit in the queue until the next queue run.
+ exim -odf -t <<EOF
To: alerts@iankelling.org
-From: root@$(hostname -f)
+From: www-data@$(hostname -f)
Subject: failed nextcloud update for $ncbase
For logs, run: jr -u $ncbase
fi
ncbase=$1
-echo running: php /var/www/$ncbase/updater/updater.phar -n
-m php /var/www/$ncbase/updater/updater.phar -n
cd /var/www/$ncbase
-m running php occ -n upgrade
+m php /var/www/$ncbase/updater/updater.phar -n
+# just being overly cautious
+sleep 3
+m php occ -n upgrade
EOFOUTER
chmod +x /usr/local/bin/ncup
esac
cat >>/usr/local/bin/send-test-forward <<EOFOUTER
-/usr/sbin/exim -f $test_from -t <<EOF
+/usr/sbin/exim -odf -f $test_from -t <<EOF
From: $test_from
To: $test_to
Subject: test \$(date +%Y-%m-%dT%H:%M:%S%z) \$EPOCHSECONDS
exit $1
}
+all_vols=(q a o i ar qr)
+
tu() {
while read -r line; do
}
# duplicated in check-subvol
+# Reassign $1 var from /dev/dm- to corresponding /dev/mapper/
mapper-dev() {
local mapdev
local -n devref=$1
mnt /mnt/boot2
fi
+do_o=true
root_dev=$(awk '$2 == "/" {print $1}' /etc/mtab)
mapper-dev root_dev
+o_dev=$(awk '$2 == "/mnt/o" {print $1}' /etc/mtab)
+mapper-dev o_dev
+
+if [[ $o_dev == "$root_dev" ]]; then
+ do_o=false
+fi
# root2_dev=$(awk '$2 == "/mnt/root2" {print $1}' /etc/mtab)
# mapper-dev root2_dev
crypt_dev=$root_dev
else # if we are in a recovery boot, find the next best crypt device
mopts=,noauto
+ do_o=false
for dev in $(dmsetup ls --target crypt | awk '{print $1}'); do
dev=/dev/mapper/$dev
if awk '{print $1}' /etc/mtab | grep -Fx $dev &>/dev/null; then
EOF
fi
-f=(/mnt/root/btrbk/o.*); f=${f[0]}
+f=(/mnt/o/btrbk/o.*); f=${f[0]}
if [[ -e $f ]]; then
fstab <<EOF
-$crypt_dev /o btrfs noatime,subvol=o$mopts 0 0
+$o_dev /o btrfs noatime,subvol=o$mopts 0 0
/o/m /m none bind$mopts 0 0
EOF
+else
+ do_o=false
fi
if [[ $HOSTNAME == frodo ]]; then
done
### end get pids that this program depends on so we dont kill them
-for vol in q a o i; do
+for vol in ${all_vols[@]}; do
d=/$vol
if ! awk '{print $2}' /etc/fstab | grep -xF $d &>/dev/null; then
continue
#pi python-jmespath # dependency of btrfs-snapshots-diff
# todo: need python3 port of btrfs-snapshots-diff, py2 no exist on nabia
parentid=$(btrfs sub show $leaf | awk '$1 == "Parent" && $2 == "UUID:" {print $3}')
- bsubs=(/mnt/root/btrbk/$vol.*)
+ bsubs=(btrbk/$vol.*)
bsub=
# go in reverse order as its more likely to be at the end
for ((i=${#bsubs[@]}-1; i>=0; i--)); do
asciidoc
backupninja
bash-doc
- beets
- beets-doc
+ # not using it currently and it has a dependency problem
+# beets
+# beets-doc
binutils-doc
bind9-doc
bind9utils
# -t times, so it won't rewrite the file every time,
# -L resolve links
rsync --exclude=/h --exclude=/h.pub \
- --exclude=/hrsa --exclude=/hrsa.pub \
+ --exclude=/hrsa --exclude=/hrsa.pub \
--exclude /config --exclude /confighome -rtL --delete $user_ssh_dir/ /root/.ssh
if [[ -e /q/root/h ]]; then
cp -a /q/root/{h,hrsa}{,.pub} /root/.ssh
fi
chown -R root:root /root/.ssh
-rsync -tp --chmod=755 --chown=root:root /a/bin/ds/hssh /usr/local/bin
+rsync -tp --chmod=755 --chown=root:root /a/bin/fai/fai/config/files/usr/local/bin/hssh/IANK /usr/local/bin/hssh
if [[ -e /a/opt/btrbk/ssh_filter_btrbk.sh ]]; then
install /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin
systemctl enable --now ssh-agent-root
fi
-d=/etc/initramfs-tools
-if [[ -e $d ]] && ! diff -q /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys &>/dev/null; then
- mkdir -p $d/root/.ssh /etc/dropbear-initramfs
- chmod 700 $d/root $d/root/.ssh
- cp -p /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys
- cp -p /root/.ssh/authorized_keys /etc/dropbear-initramfs
- if [[ -e /root/.ssh/authorized_keys2 ]]; then
- cat /root/.ssh/authorized_keys2 >>/etc/dropbear-initramfs
- fi
+
+# note: i previously had $auth_dir/root/.ssh/authorized_keys
+# but /usr/share/doc/dropbear-initramfs/README.initramfs
+# says differently. not sure what is up.
+
+auth_dir=/etc/dropbear/initramfs/
+candidate=$(apt-cache policy dropbear-initramfs | awk '$1 == "Candidate:" { print $2 }' | head -n1 ||:)
+if [[ $candidate ]] && dpkg --compare-versions "$candidate" lt 2020.81-4; then
+ auth_dir=/etc/dropbear-initramfs
+fi
+auth_file=$auth_dir/authorized_keys
+mkdir -p $auth_dir
+if [[ ! -e $auth_file ]] || ! diff -q /root/.ssh/authorized_keys $auth_file; then
+ cp -p /root/.ssh/authorized_keys $auth_file
update-initramfs -u -k all
fi
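Review bot: The directory choice compares the `Candidate:` version from `apt-cache policy`, which is the version apt would install rather than the one on disk. On a host where an older dropbear-initramfs is already installed and an upgrade is merely available, the keys would go to `/etc/dropbear/initramfs/` while the installed hooks presumably still read `/etc/dropbear-initramfs`. Querying the installed version first, e.g. `dpkg-query -W -f='${Version}' dropbear-initramfs`, and falling back to the candidate only when nothing is installed avoids that. The rewrite also drops the old append of `/root/.ssh/authorized_keys2`, so keys kept only in that file no longer reach the initramfs; worth a comment if intentional.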
-<!DOCTYPE kpartgui>
-<kpartgui version="27" name="session">
+<?xml version='1.0'?>
+<!DOCTYPE gui SYSTEM 'kpartgui.dtd'>
+<gui name="session" version="29">
<MenuBar>
<Menu name="file">
- <Action group="session-operations" name="file_save_as"/>
+ <Action name="file_save_as" group="session-operations"/>
<Separator group="session-operations"/>
- <Action group="session-operations" name="file_print"/>
+ <Action name="file_print" group="session-operations"/>
<Separator group="session-operations"/>
- <Action group="session-operations" name="open-browser"/>
- <Action group="session-tab-operations" name="close-session"/>
+ <Action name="open-browser" group="session-operations"/>
+ <Action name="close-session" group="session-tab-operations"/>
</Menu>
<Menu name="edit">
- <Action group="session-edit-operations" name="edit_copy"/>
- <Action group="session-edit-operations" name="edit_paste"/>
+ <Action name="edit_copy" group="session-edit-operations"/>
+ <Action name="edit_paste" group="session-edit-operations"/>
<Separator group="session-edit-operations"/>
- <Action group="session-edit-operations" name="select-all"/>
+ <Action name="select-all" group="session-edit-operations"/>
<Separator group="session-edit-operations"/>
- <Action group="session-edit-operations" name="copy-input-to"/>
- <Action group="session-edit-operations" name="send-signal"/>
- <Action group="session-edit-operations" name="rename-session"/>
- <Action group="session-edit-operations" name="zmodem-upload"/>
+ <Action name="copy-input-to" group="session-edit-operations"/>
+ <Action name="send-signal" group="session-edit-operations"/>
+ <Action name="rename-session" group="session-edit-operations"/>
+ <Action name="zmodem-upload" group="session-edit-operations"/>
<Separator group="session-edit-operations"/>
- <Action group="session-edit-operations" name="edit_find"/>
- <Action group="session-edit-operations" name="edit_find_next"/>
- <Action group="session-edit-operations" name="edit_find_prev"/>
+ <Action name="edit_find" group="session-edit-operations"/>
+ <Action name="edit_find_next" group="session-edit-operations"/>
+ <Action name="edit_find_prev" group="session-edit-operations"/>
</Menu>
<Menu name="view">
- <Action group="session-view-operations" name="monitor-silence"/>
- <Action group="session-view-operations" name="monitor-activity"/>
+ <Action name="monitor-silence" group="session-view-operations"/>
+ <Action name="monitor-activity" group="session-view-operations"/>
+ <Action name="monitor-process-finish" group="session-view-operations"/>
<Separator group="session-view-operations"/>
- <Action group="session-view-operations" name="view-readonly"/>
+ <Action name="view-readonly" group="session-view-operations"/>
<Separator group="session-view-operations"/>
- <Action group="session-view-operations" name="enlarge-font"/>
- <Action group="session-view-operations" name="reset-font-size"/>
- <Action group="session-view-operations" name="shrink-font"/>
- <Action group="session-view-operations" name="set-encoding"/>
+ <Action name="enlarge-font" group="session-view-operations"/>
+ <Action name="reset-font-size" group="session-view-operations"/>
+ <Action name="shrink-font" group="session-view-operations"/>
+ <Action name="set-encoding" group="session-view-operations"/>
<Separator group="session-view-operations"/>
- <Action group="session-view-operations" name="clear-history"/>
- <Action group="session-view-operations" name="clear-history-and-reset"/>
+ <Action name="clear-history" group="session-view-operations"/>
+ <Action name="clear-history-and-reset" group="session-view-operations"/>
</Menu>
<Menu name="settings">
- <Action group="session-settings" name="edit-current-profile"/>
- <Action group="session-settings" name="switch-profile"/>
+ <Action name="edit-current-profile" group="session-settings"/>
+ <Action name="switch-profile" group="session-settings"/>
</Menu>
</MenuBar>
<Menu name="session-popup-menu">
- <Action name="edit_copy"/>
+ <Action name="edit_copy_contextmenu"/>
<Action name="edit_paste"/>
<Action name="web-search"/>
<Action name="open-browser"/>
<Action name="switch-profile"/>
<Action name="edit-current-profile"/>
</Menu>
+ <ToolBar name="sessionToolbar">
+ <text>Session Toolbar</text>
+ <index>1</index>
+ <Spacer/>
+ <Action name="edit_copy"/>
+ <Action name="edit_paste"/>
+ <Action name="edit_find"/>
+ </ToolBar>
<ActionProperties>
<Action shortcut="Ctrl+Shift+R" name="edit_find_next"/>
<Action shortcut="Ctrl+Shift+E" name="edit_find_prev"/>
<Action shortcut="" name="rename-session"/>
<Action shortcut="" name="zmodem-upload"/>
</ActionProperties>
-</kpartgui>
+</gui>
-#!/bin/bash -l
+#!/bin/bash
+
+# Usage: run to trust or untrust dns. public wifi sometimes needs to
+# trust dns initially to log in.
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
-# Usage: run when switching from an untrusted network like public wifi
-# to a trusted one.
+source /a/bin/errhandle/err
+
+readonly this_file=$(readlink -f -- "${BASH_SOURCE[0]}")
+readonly this_dir="${this_file%/*}"
+script_name="${BASH_SOURCE[0]}"
+script_name="${script_name##*/}"
+
+# removes malware and adult content
+servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003)
+
+servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001)
+
+## trying out google
+servers=(8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844)
+
+
+
+m() { printf "%s\n" "$*"; "$@"; }
+e() { printf "%s\n" "$@"; }
+i() { # install file
+ local tmp tmpdir dest="$1"
+ local base="${dest##*/}"
+ mkdir -p ${dest%/*}
+ ir=false # i result
+ tmpdir=$(mktemp -d)
+ cat >$tmpdir/"$base"
+ tmp=$(rsync -ic $tmpdir/"$base" "$dest")
+ if [[ $tmp ]]; then
+ printf "%s\n" "$tmp"
+ ir=true
+ fi
+ rm -rf $tmpdir
+}
+
+e $script_name
+exit 0
+
+# i symlinked the script to another name to make it work different
+trust=true
+case $script_name in
+ untrusted-network)
+ trust=false
+ ;;
+esac
+
-if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then
- rm -fv /etc/NetworkManager/conf.d/dns.conf
- if [[ $(systemctl is-active NetworkManager) == active ]]; then
+if $trust; then
+ if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then
+ rm -fv /etc/NetworkManager/conf.d/dns.conf
+ if [[ $(systemctl is-active NetworkManager) == active ]]; then
+ m systemctl restart NetworkManager
+ fi
+ fi
+
+ rm -fv /etc/systemd/resolved.conf.d/untrusted-network.conf
+else #untrusted
+ # https://wiki.archlinux.org/index.php/Systemd-resolved#Manually
+ cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
+[Resolve]
+DNS=${servers[@]}
+Domains=b8.nz
+DNSOverTLS=yes
+EOF
+
+ i /etc/NetworkManager/conf.d/dns.conf <<'EOF'
+[main]
+dns=none
+systemd-resolved=false
+EOF
+
+ if $ir && [[ $(systemctl is-active NetworkManager) == active ]]; then
m systemctl restart NetworkManager
fi
fi
-rm -f /etc/systemd/resolved.conf.d/untrusted-network.conf
-
dhclient_restart=false
# man dhclient.conf
if ! grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then
fi
+# wait for networkmanager to come back
+for f in {1..20}; do
+ if read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8); then
+ break
+ fi
+ m sleep 2
+done
+
-read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8)
if [[ $gateway_if ]]; then
# we could do this, but dhclient is still running and will use its old settings
# from dependencies of ifupdown,
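Review bot: The retry loop keeps the positional parse `read -r _ _ _ _ gateway_if _`, which yields the interface only when `ip route get 8.8.8.8` prints a `via <gw> dev <if>` route. For a route without `via` (a point-to-point or VPN link, for example) the fifth word is something else, and `[[ $gateway_if ]]` then accepts it as an interface name. Taking the word after `dev` is sturdier and keeps the same loop shape: `if read -r gateway_if < <(ip route get 8.8.8.8 | sed -n 's/.* dev \([^ ]*\).*/\1/p'); then`. The loop variable `f` is never used and could be `_`. Separately, the `e $script_name` / `exit 0` pair added earlier in this file stops the script before this loop runs, so neither the trusted nor the untrusted DNS configuration is applied as committed; it looks like a debugging leftover.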
e $0: no gateway_if found
fi
-reresolv
+m systemctl restart systemd-resolved
+
+
+
+# just for curiosity i did a
+# wrapper around dhclient, then ifdown eth0; ifup eth0:
+
+# Tue Mar 9 18:29:05 EST 2021
+# args -4 -v -r -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
+# env
+# ADDRFAM=inet
+# PHASE=pre-down
+# VERBOSITY=0
+# PWD=/sbin
+# IFACE=eth0
+# METHOD=dhcp
+# SHLVL=1
+# LOGICAL=eth0
+# MODE=stop
+# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# IFUPDOWN_eth0=pre-down
+# _=/usr/bin/env
+# Tue Mar 9 18:29:07 EST 2021
+# args -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
+# env
+# ADDRFAM=inet
+# PHASE=post-up
+# VERBOSITY=0
+# PWD=/sbin
+# IFACE=eth0
+# METHOD=dhcp
+# SHLVL=1
+# LOGICAL=eth0
+# MODE=start
+# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# IFUPDOWN_eth0=post-up
+# _=/usr/bin/env
+++ /dev/null
-#!/bin/bash -l
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
-
-# Usage: use when switching from a trusted network to an untrusted one,
-# like public wifi.
-
-
-
-i() { # install file
- local tmp tmpdir dest="$1"
- local base="${dest##*/}"
- mkdir -p ${dest%/*}
- ir=false # i result
- tmpdir=$(mktemp -d)
- cat >$tmpdir/"$base"
- tmp=$(rsync -ic $tmpdir/"$base" "$dest")
- if [[ $tmp ]]; then
- printf "%s\n" "$tmp"
- ir=true
- fi
- rm -rf $tmpdir
-}
-
-
-read -r _ ver _ < <(systemd-resolve --version)
-
-# removes malware and adult content
-servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003)
-
-servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001)
-
-## trying out google
-#servers=(8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844)
-
-
-# https://wiki.archlinux.org/index.php/Systemd-resolved#Manually
-cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<EOF
-[Resolve]
-DNS=${servers[@]}
-Domains=b8.nz
-DNSOverTLS=yes
-EOF
-
-i /etc/NetworkManager/conf.d/dns.conf <<'EOF'
-[main]
-dns=none
-systemd-resolved=false
-EOF
-
-if $ir && [[ $(systemctl is-active NetworkManager) == active ]]; then
- m systemctl restart NetworkManager
- m sleep 2
-fi
-
-dhclient_restart=false
-# man dhclient.conf
-if grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then
- sed -i 's/domain-name-servers,\?//' /etc/dhcp/dhclient.conf
- dhclient_restart=true
-fi
-
-read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8)
-if [[ $gateway_if ]]; then
- # we could do this, but dhclient is still running and will use its old settings
- # from dependencies of ifupdown,
- # from man dhclient-script
- # from /etc/dhcp/dhclient-enter-hooks.d/resolved
- # rm -f /run/systemd/resolved.conf.d/*$gateway_if*
-
-
- if $dhclient_restart && grep -Pq "^ *auto ($gateway_if|.* $gateway_if( |$))" /etc/network/interfaces; then
- m ifdown $gateway_if
- m ifup $gateway_if
- fi
-
- # at least on systemd 237 ifupdown it sets a global and this is not needed
- systemd-resolve --interface=$gateway_if --revert
-fi
-
-reresolv
-
-# just for curiosity i did a
-# wrapper around dhclient, then ifdown eth0; ifup eth0:
-
-# Tue Mar 9 18:29:05 EST 2021
-# args -4 -v -r -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
-# env
-# ADDRFAM=inet
-# PHASE=pre-down
-# VERBOSITY=0
-# PWD=/sbin
-# IFACE=eth0
-# METHOD=dhcp
-# SHLVL=1
-# LOGICAL=eth0
-# MODE=stop
-# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-# IFUPDOWN_eth0=pre-down
-# _=/usr/bin/env
-# Tue Mar 9 18:29:07 EST 2021
-# args -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
-# env
-# ADDRFAM=inet
-# PHASE=post-up
-# VERBOSITY=0
-# PWD=/sbin
-# IFACE=eth0
-# METHOD=dhcp
-# SHLVL=1
-# LOGICAL=eth0
-# MODE=start
-# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-# IFUPDOWN_eth0=post-up
-# _=/usr/bin/env
--- /dev/null
+trusted-network
\ No newline at end of file