nnn() { /a/opt/nnn -H "$@"; }
+# duplicated somewhat below.
jrun() { # journal run. run args, log to journal, tail and grep the journal.
# Note, an alternative without systemd would be something like ts.
# Note, I tried using systemd-cat, but this seems obviously better,
if [[ $cmd != /* ]]; then
cmd=$(which $1)
fi
- # We use >() so that $! is the pid of journalctl, otherwise its the sed pid and then
- # if we kill that, it takes journalctl about 10 seconds to catch up, and we get
- # an annoying message about job finishing then.
journalctl -qn2 -f -u "$cmd_name" &
# We kill this in prompt-command for the case that we ctrl-c the
# systemd-cat. i dont know any way to trap ctrl-c and still run the
# normal action for it. There might be a way, unsure.
jr_pid=$!
- s systemd-run --unit "$cmd_name" --wait --collect "$cmd" "${@:2}" || ret=$?
+ # note, we could have a version that does system --user, but if for example
+ # it does sudo ssh, that will leave a process around that we can't kill
+ # and it will leave the unit hanging around in a failed state needing manual
+ # killing of the process.
+ m s systemd-run --uid $(id -u) --gid $(id -g) --unit "$cmd_name" --wait --collect "$cmd" "${@:2}" || ret=$?
# This justs lets the journal output its last line
# before the prompt comes up.
sleep .5
if [[ $(debian-codename) == etiona ]]; then
# ip6tables stopped loading on boot. openvpn has reduced capability set,
# so running iptables as part of openvpn startup wont work. This should do it.
- # Im sure there is a better way, but this works fine.
- yes no | pi iptables-persistent || [[ $? == 141 ]]
+ # Im sure there is a better way, but this works fine. running as a systemd
+ # unit, yes returns 1, broken pipe.
+ yes no | pi iptables-persistent || [[ $? == 141 || ${PIPESTATUS[1]} == 0 ]]
cat >/etc/iptables/rules.v6 <<'EOF'
*mangle
COMMIT
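Review bot: The new guard on the `pi iptables-persistent` line only does what the comment describes when `pipefail` is in effect, and even then it accepts a failed install whose own exit status happens to be 141, because `$?` there is the whole pipeline's status rather than the installer's. `${PIPESTATUS[1]}` is the installer's status, so it alone expresses the intent under either setting: `yes no | pi iptables-persistent || [[ ${PIPESTATUS[1]} == 0 ]]` — when `yes` dies with 141 (SIGPIPE) or 1 (EPIPE under systemd) the left side fails only under `pipefail` and the right side then passes; when the installer itself fails, neither passes. The comment above it should record the dependency: `# yes exits 141 (SIGPIPE) or 1 (EPIPE as a systemd unit); only the installer's status matters, hence PIPESTATUS[1]`. The enclosing `if` starts before this hunk and the rules.v6 heredoc continues past it.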
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
# needed to continually restatr
-StartLimitIntervalSec=0
JoinsNamespaceOf=mailnn.service
+BindsTo=mailnn.service
+StartLimitIntervalSec=0
[Service]
Type=notify
WantedBy=multi-user.target
EOF
+i /etc/systemd/system/mailnnroute.service <<'EOF'
+[Unit]
+Description=Network routing for mailnn
+After=syslog.target network-online.target mailnn.service
+Wants=network-online.target
+JoinsNamespaceOf=mailnn.service
+BindsTo=mailnn.service
+StartLimitIntervalSec=0
+
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+PrivateNetwork=true
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
+ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
+Restart=always
+RestartSec=10
+
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+#
i /etc/systemd/system/mailnn.service <<'EOF'
[Unit]
-Description=Network Namespace for mailvpn.service
+Description=Network Namespace for mailvpn.service that will live forever and cant fail
After=syslog.target network-online.target
Wants=network-online.target
WantedBy=multi-user.target
EOF
+
+
# old service name
rm -fv /etc/systemd/system/openvpn-client-mail@.service
m ser reload apparmor
fi
+# note: anything added to nn_progs needs corresponding rm
+# down below in the host switch
nn_progs=(exim4)
if mailhost; then
# Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
# Its in the nn so remote clients can connect to it.
- nn_progs+=(spamassassin dovecot unbound)
+ nn_progs+=(spamassassin dovecot)
fi
case $HOSTNAME in
$MAIL_HOST)
- r=/etc/nn-resolv:/run/systemd/resolve
- ;;&
- bk)
- r=/etc/bk-resolv:/etc/nn-resolv
+ i /etc/systemd/system/unbound.service.d/nn.conf <<EOF
+[Unit]
+JoinsNamespaceOf=mailnn.service
+BindsTo=mailnn.service
+StartLimitIntervalSec=0
+
+[Service]
+PrivateNetwork=true
+# note the nsswitch bind is actually not needed for bk, but
+# its the same file so it does no harm.
+BindPaths=$bindpaths
+
+Restart=always
+RestartSec=1
+EOF
+
;;&
$MAIL_HOST|bk)
for unit in ${nn_progs[@]}; do
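Review bot: `mailnnroute.service` pairs `Type=oneshot` with `Restart=always`, a combination systemd refuses at unit load ("Restart= set to always … isn't allowed for Type=oneshot services" in the versions I know), so the `sstart mailnn mailnnroute` added later in this diff would fail on the new unit. Drop `Restart=always`/`RestartSec=10` from that unit — `BindsTo=mailnn.service` already ties its lifetime to the namespace unit — or, on a systemd new enough to accept it for oneshot, use `Restart=on-failure`. Separately, the `ExecStart`/`ExecStop` lines lock on `/tmp/newns.flock`, a world-writable location for a root-run service: any local user can pre-create or hold that file and stall namespace setup for the 20 s timeout on every start (after which `flock -w 20` exits non-zero and the unit fails); a root-owned path such as `/run/newns.flock`, or a `RuntimeDirectory=`, avoids that. The hunk's last line is the `for unit` loop header, whose heredoc body lies outside it.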
Requires=mailvpn.service
After=mailvpn.service
JoinsNamespaceOf=mailnn.service
+BindsTo=mailnn.service
StartLimitIntervalSec=0
[Service]
done
;;
*)
- for unit in exim4 spamassassin; do
+ for unit in exim4 spamassassin dovecot unbound; do
f=/etc/systemd/system/$unit.service.d/nn.conf
if [[ -s $f ]]; then
rm -fv $f
BindsTo=mailvpn.service
After=mailvpn.service
JoinsNamespaceOf=mailnn.service
+StartLimitIntervalSec=0
[Service]
PrivateNetwork=true
BindPaths=$bindpaths
+Restart=always
+# time to sleep before restarting a service
+RestartSec=1000
[Install]
RequiredBy=mailvpn.service
ln -sf 127.0.0.1-resolv/stub-resolv.conf /etc/resolv.conf
;;&
$MAIL_HOST|bk)
- sstart mailnn
+ sstart mailnn mailnnroute
# If these have changes, id rather manually restart it, id rather
# not restart and cause temporary errors
if $reload; then
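Review bot: The comment added over `RestartSec=1000` should state the unit and the reason, since a reader cannot tell whether 1000 is seconds or milliseconds or why it differs so much from the `RestartSec=1` used in the mail-host drop-in above: something like `# RestartSec= is in seconds: on hosts other than MAIL_HOST/bk wait ~17 min between retries so a unit that cannot reach its vpn does not churn` (the motive is inferred from the `BindsTo=mailvpn.service` line — confirm). With `StartLimitIntervalSec=0` also added to this drop-in, these units now retry indefinitely, which the long delay makes tolerable but is worth one clause in that comment. The drop-in heredoc and the `i` command that writes it begin before this hunk, so the `[Unit]` header is not visible here.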