git commit -am "$*"
}
+ipp() {
+ git pull
+ git push
+}
+
ifn() {
# insensitive find
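Review bot: In the new ipp function, `git push` runs even when `git pull` fails (network error, or a merge that stops on conflicts); the push is then typically rejected as non-fast-forward, so the second error buries the one that matters. `git pull && git push` (or `git pull || return` before the push) keeps the two steps ordered the way the name implies. ifn's body continues past the end of the hunk.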
cat $tmp >$mnt/btrfs-dev-stats
fi
fi
+ rm -f $tmp
if ! $idle; then
if $dryrun; then
reload_systemd=true
fi
done
+rm -f /etc/cron.daily/check-lets-encrypt-ssl-settings
c_dirs=(/a/c{,/machine_specific/$HOSTNAME})
case $user in
14 * * * * root /a/bin/ds/bk-backup |& log-once -24 bk-backup
0 7 * * * iank failmail myupgrade-iank
20 7 * * * root myupgrade |& log-once -1 myupgrade
-# maybe try this again sometime. it needs updating to be like
-# myupgrade.
-#0 * * * * root mycheckrestart |& log-once -1 mycheckrestart
19 * * * * root check-crypttab
+4 20 * * 5 iank /usr/local/bin/check-lets-encrypt-ssl-settings
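Review bot: The new weekly entry runs check-lets-encrypt-ssl-settings as iank, whereas the /etc/cron.daily script it replaces (removed earlier in this commit) ran as root; if the check reads certificate material from a root-only directory it will fail quietly, and unlike the neighbouring root entries it has no `|& log-once`, so its output only goes to cron mail. If user-level access is sufficient, a trailing `|& log-once -1 check-lets-encrypt-ssl-settings` keeps reporting consistent with the other lines; otherwise run it as root like the daily job did. Which of the two applies depends on the script itself, which is outside this hunk.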
source ~/.bashrc
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
if [[ ! -e /dev/shm/iank-status ]]; then
exit 0
fi
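Review bot: Dropping `set -eE -o pipefail` and the ERR trap means every later failure in this script is now silent instead of being reported with its line and command, and nothing in the hunk says why. If particular commands were tripping the trap, guarding just those with `||:` (as other scripts in this commit do) keeps reporting for the rest; if strict mode is intentionally off, a comment such as `# intentionally no set -e / ERR trap: <reason>` at the top stops the next reader from re-adding it. The remainder of the script is outside the hunk.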
--- /dev/null
+server:
+
+# Based on reading the manual, it seems these log options would create
+# duplicative logs to verbosity 4, but they may also be less verbose and
+# have the info we want. dunno, maybe try it sometime.
+#
+#log-queries: yes
+#log-replies: yes
+#log-tag-queryreply: yes
+#log-servfail: yes
+#val-log-level: 1
+verbosity: 4
+
+interface: 127.0.0.1
+interface: ::1
+interface: 10.173.8.1
+# from https://nlnetlabs.nl/documentation/unbound/unbound.conf/
+# it is unclear if we want both or one of these.
+ip-transparent: yes
+ip-freebind: yes
+
+access-control: 10.173.8.0/24 allow
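Review bot: The comment above `ip-transparent: yes` leaves the choice open, but unbound documents the two options as alternatives for the same purpose (binding an address that does not exist yet): `ip-freebind` uses the Linux-specific IP_FREEBIND socket option, while `ip-transparent` uses IP_TRANSPARENT on Linux (IP_BINDANY on the BSDs), a broader option that Linux only lets a privileged process set. On a Linux host `ip-freebind: yes` alone is enough for 10.173.8.1 appearing after startup, so I would drop `ip-transparent` or replace the comment with `# ip-freebind lets unbound bind 10.173.8.1 before the netns interface exists; ip-transparent is the non-Linux equivalent`. Separately, `verbosity: 4` emits per-query detail on a resolver that also serves 10.173.8.0/24, so confirm the log sink it ends up in is rotated.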
//========================================================================
dnssec-validation auto;
- listen-on-v6 { any; };
-
-// iank, allow queries from network namespace
-// even if the interface doesnt exist when bind starts.
-allow-recursion {
- 10.173.8.0/24;
- localhost;
-};
-allow-query-cache {
- 10.173.8.0/24;
- localhost;
-};
+ // iank: only listen on our public addresses, lets use unbound for
+ // local process resolution, like we do at fsf, so debugging issues
+ // works for both.
+ listen-on { 85.119.83.50; };
+ listen-on-v6 { 2001:ba8:1f1:f0c9::2; };
// end options
};
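Review bot: With the allow-recursion and allow-query-cache blocks removed and listen-on now bound to the public address 85.119.83.50, nothing left in this options block restricts who may recurse; BIND's `recursion` defaults to yes and `allow-recursion` falls back to `localnets; localhost;`, so other hosts on the provider subnet of that address can use this server as a recursive resolver. If unbound now handles local resolution as the comment says, the public listener should say so explicitly, e.g. `recursion no;` next to `dnssec-validation auto;` (or `allow-recursion { localhost; };` if recursion is still wanted from the box itself). The new options file added for the other host (listen-on 85.119.82.128) has the same omission. This assumes no included file sets these; the rest of named.conf is outside the hunk.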
--- /dev/null
+// this is the default for t10, plus my commented additions
+options {
+ directory "/var/cache/bind";
+
+ // If there is a firewall between you and nameservers you want
+ // to talk to, you may need to fix the firewall to allow multiple
+ // ports to talk. See http://www.kb.cert.org/vuls/id/800113
+
+ // If your ISP provided one or more IP addresses for stable
+ // nameservers, you probably want to use them as forwarders.
+ // Uncomment the following block, and insert the addresses replacing
+ // the all-0's placeholder.
+
+ // forwarders {
+ // 0.0.0.0;
+ // };
+
+ //========================================================================
+ // If BIND logs error messages about the root key being expired,
+ // you will need to update your keys. See https://www.isc.org/bind-keys
+ //========================================================================
+ dnssec-validation auto;
+
+ // iank: only listen on our public addresses, lets use unbound for
+ // local process resolution, like we do at fsf, so debugging issues
+ // works for both.
+ listen-on { 85.119.82.128; };
+ listen-on-v6 { 2001:ba8:1f1:f09d::2; };
+
+// end options
+};
# SPDX-License-Identifier: AGPL-3.0-or-later
-# todo: install new alertmanager, like new prometheus
-
-# todo: setup a logrotate for /var/log/mymain and mypanic
-
# todo: setup an alert for bouncing test emails.
# todo: bounces to my fsf mail can come from fsf@iankelling.org,
# todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it.
# todo: consider hardening cups listening on 0.0.0.0
# todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use.
-# todo: check that spamd and unbound only listen locally.
# todo: hosts should only allow external mail that is authed and
# destined for backup route. it is a minor issue since traffic is
fi
# light version of exim does not have sasl auth support.
+# note: for bitfolk hosts, unbound has important config with conflink.
pi-nostart exim4 exim4-daemon-heavy spamassassin unbound clamav-daemon wireguard
# note: pyzor debian readme says you need to run some initialization command
eggs.gnu.org * F,1d,4m;F,14d,1h
fencepost.gnu.org * F,1d,4m;F,14d,1h
+# afaik our retry doesnt need this, but just using everything
+mx.amnimal.ninja * F,1d,4m;F,14d,1h
+mx.expertpathologyreview.com * F,1d,4m;F,14d,1h
+
+
mail.fsf.org * F,1d,15m;F,14d,1h
EOF
# this makes it easier to see which exim is doing what
log_file_path = /var/log/exim4/my%s
EOF
+
+ cat >/etc/logrotate.d/myexim <<'EOF'
+/var/log/exim4/mymain /var/log/exim4/myreject {
+ daily
+ missingok
+ rotate 1000
+ delaycompress
+ notifempty
+ nocreate
+}
+/var/log/exim4/mypanic {
+ size 10M
+ missingok
+ rotate 10
+ compress
+ delaycompress
+ notifempty
+ nocreate
+}
+EOF
+
# If we ever wanted to have a separate spool,
# we could do it like this.
# cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
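Review bot: In the new /etc/logrotate.d/myexim heredoc, the mymain/myreject stanza has `delaycompress` but no `compress`, and delaycompress only defers compression that `compress` would perform, so with `daily` and `rotate 1000` those logs stay uncompressed for roughly three years. Either add `compress` above `delaycompress` as the mypanic stanza does, or drop `delaycompress` if keeping them plain is intended, with a one-line comment stating the choice. `nocreate` looks right given exim presumably creates `/var/log/exim4/my%s` itself, but that depends on the log_file_path setting above the hunk.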
MAILTO=daylert@iankelling.org
*/5 * * * * $u send-test-forward |& log-once send-test-forward
*/10 * * * * root chmod -R g+rw /m/md/bounces |& log-once -1 bounces-chmod
-*/5 * * * * root timeout 290 mailtest-check slow |& log-once -4 mailtest-check
+# todo: delete, this is old
+#*/5 * * * * root timeout 290 mailtest-check slow |& log-once -1 mailtest-check
# if a bounce happened yesterday, dont let it slip through the cracks
8 1 * * * root export MAILTO=alerts@iankelling.org; [[ -s /var/log/exim4/mainlog.1 ]] && awk '\$5 == "**"' /var/log/exim4/mainlog.1
EOF
+
+
m sudo rsync -ahhi --chown=root:root --chmod=0755 \
/b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
+ cat >/etc/systemd/system/mailtest-check.service <<'EOF'
+[Unit]
+Description=mailtest-check
+After=local-fs.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/mailtest-check slow
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=graphical.target
+EOF
+ sysd-prom-fail-install mailtest-check
+ sre mailtest-check
;;&
$MAIL_HOST)
test_froms=(ian@iankelling.org z@zroe.org iank@gnu.org)
EOF
;;&
bk)
- test_froms=(testignore@expertpathologyreview.com testignore@amnimal.ninja)
- test_tos=(testignore@iankelling.org testignore@zroe.org testignore@je.b8.nz)
+ test_froms=(testignore@amnimal.ninja testignore@expertpathologyreview.com)
+ test_tos=(testignore@iankelling.org testignore@je.b8.nz)
+ # We dont need to send from different addresses to the same
+ # address. this breaks down our nice elegant logic of building up
+ # froms and tos , so I just handle expertpath in a special case
+ # below and set the to: to be testignore@zroe.org. If we did sent
+ # that way, it would also mess up our mailtest-check logic that
+ # finds which messages to check.
+ # for example: from testignore@amnimal.ninja to: testignore@iankelling.org testignore@zroe.org
+ # that would become 2 messages and we'd only check 1.
;;&
je)
test_froms=(testignore@je.b8.nz)
test_tos=(testignore@iankelling.org testignore@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
;;&
$MAIL_HOST|bk|je)
- test_to=${test_tos[0]}
- # dont put these test messages into the sent folder or else it will
+
+ # Dont put these test messages into the sent folder or else it will
# overwhelm it, plus i dont want to save a copy at all.
- echo $test_to > /etc/exim4/ignore-sent
- for t in ${test_tos[@]:1}; do
- test_to+=", $t"
+ rm -f /etc/exim4/ignore-sent
+ for t in ${test_tos[@]}; do
echo $t >> /etc/exim4/ignore-sent
done
+
cat >/usr/local/bin/send-test-forward <<'EOF'
#!/bin/bash
+# we remove from the queue older than 4.3 minutes since we send every 5 minutes.
olds=(
$(/usr/sbin/exiqgrep -o 260 -i -r '^(testignore@(iankelling\.org|zroe\.org|expertpathologyreview\.com|amnimal\.ninja|je\.b8\.nz)|jtuttle@gnu\.org)$')
)
fi
EOF
for test_from in ${test_froms[@]}; do
+
+ test_to=${test_tos[0]}
+ for t in ${test_tos[@]:1}; do
+ test_to+=", $t"
+ done
+ case $test_from in
+ testignore@expertpathologyreview.com)
+ test_to=testignore@zroe.org
+ ;;
+ esac
+
cat >>/usr/local/bin/send-test-forward <<EOFOUTER
/usr/sbin/exim -f $test_from -t <<EOF
From: $test_from
m chmod +x /usr/local/bin/send-test-forward
;;
*)
+ soff mailtest-check.service
rm -fv /etc/cron.d/mailtest
;;
esac
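Review bot: On bk, the special case that sends expertpathologyreview.com's test message to testignore@zroe.org bypasses the ignore-sent list: /etc/exim4/ignore-sent is now rebuilt only from `${test_tos[@]}` (testignore@iankelling.org and testignore@je.b8.nz), so if that file is matched per recipient, those messages land in the sent folder the comment says it wants to avoid. Adding `echo testignore@zroe.org >> /etc/exim4/ignore-sent` in the bk arm closes the gap; how exim consumes ignore-sent is outside this hunk, so confirm the match is per recipient. In the same hunk, the new mailtest-check.service has `WantedBy=graphical.target`, which is not pulled in on a server that boots to multi-user.target, so the unit would never start at boot; `WantedBy=multi-user.target`, ordered after `spamassassin.service` which the script queries, matches what it actually does.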
e() { $int || return 0; printf "mailtest-check: %s\n" "$*"; }
-
-## Minutes before we give error.
-# We run this cronjob along with sending the test email every 5 minutes,
-# so give it 1 minute to arrive, then if the latest email is older than
-# 7 minutes, the last 2 haven't arrived in a reasonable amount of time.
-# However, when machines reboot things can get delayed, so add 10 mins,
-# not sure if that is a good number or not.
-min_limit=17
+getspamdpid() {
+ if [[ ! $spamdpid || ! -d /proc/$spamdpid ]]; then
+ # try twice in case we are restarting, it happens.
+ for i in 1 2; do
+ spamdpid=$(systemctl show --property MainPID --value spamassassin | sed 's/^[10]$//' ||:)
+ if [[ $spamdpid ]]; then
+ break
+ fi
+ sleep 30
+ done
+ fi
+}
+pr() {
+ if [[ -e /var/lib/prometheus/node-exporter ]]; then
+ cat >>/var/lib/prometheus/node-exporter/mailtest-check.prom.$$
+ fi
+}
-# spamassassin checking takes about 8 seconds. only do that every
-# once in a while.
+#### begin arg processing ####
+# spamassassin checking takes about 8 seconds.
slow=false
if [[ $1 == slow ]]; then
slow=true
if [[ $1 == nonint ]]; then
int=false
fi
+#### end arg processing ####
if ! $int; then
sleep 60
fi
-# avoid errors like this:
-# Nov 8 08:16:05.439 [6080] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WLBLEval.pm: lib/Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission denied at (eval 59) line 1.
-#Nov 8 08:16:05.439 [6080] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: lib/Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 60) line 1.
-# i dont know why, i just found the solution online
-cd /m/md
+
# TODO, get je to deliver the local mailbox: /m/md/INBOX
# dovecot appears to setup, i can t be sure.
-case $HOSTNAME in
- bk)
- folders=(/m/md/{expertpathologyreview.com,amnimal.ninja}/testignore)
- froms=(ian@iankelling.org z@zroe.org testignore@je.b8.nz iank@gnu.org)
- ;;
- je)
- froms=(ian@iankelling.org z@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
- folders=(/m/md/je.b8.nz/testignore)
- ;;
- *)
- folders=(/m/md/l/testignore)
- froms=(testignore@je.b8.nz testignore@expertpathologyreview.com testignore@amnimal.ninja ian@iankelling.org z@zroe.org iank@gnu.org)
- if ! $int; then
- timeout 120 rsync --chown iank:iank -e "ssh -oIdentitiesOnly=yes -F /dev/null -i /root/.ssh/jtuttle" -t --inplace -r 'jtuttle@fencepost.gnu.org:/home/j/jtuttle/Maildir/new/' /m/md/l/testignore/new
- fi
- ;;
-esac
-getspamdpid() {
- if [[ ! $spamdpid || ! -d /proc/$spamdpid ]]; then
- # try twice in case we are restarting, it happens.
- for i in 1 2; do
- spamdpid=$(systemctl show --property MainPID --value spamassassin | sed 's/^[10]$//' ||:)
- if [[ $spamdpid ]]; then
- break
+
+main() {
+
+ case $HOSTNAME in
+ bk)
+ folders=(/m/md/{expertpathologyreview.com,amnimal.ninja}/testignore)
+ froms=(ian@iankelling.org z@zroe.org testignore@je.b8.nz iank@gnu.org)
+ ;;
+ je)
+ froms=(ian@iankelling.org z@zroe.org testignore@expertpathologyreview.com testignore@amnimal.ninja)
+ folders=(/m/md/je.b8.nz/testignore)
+ ;;
+ *)
+ folders=(/m/md/l/testignore)
+ froms=(testignore@je.b8.nz testignore@expertpathologyreview.com testignore@amnimal.ninja ian@iankelling.org z@zroe.org iank@gnu.org)
+ if ! $int; then
+ timeout 120 rsync --chown iank:iank -e "ssh -oIdentitiesOnly=yes -F /dev/null -i /root/.ssh/jtuttle" -t --inplace -r 'jtuttle@fencepost.gnu.org:/home/j/jtuttle/Maildir/new/' /m/md/l/testignore/new
fi
- sleep 30
- done
- fi
-}
-getspamdpid
-pr() {
+ ;;
+ esac
+
+
+ # avoid errors like this:
+ # Nov 8 08:16:05.439 [6080] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/WLBLEval.pm: lib/Mail/SpamAssassin/Plugin/WLBLEval.pm: Permission denied at (eval 59) line 1.
+ #Nov 8 08:16:05.439 [6080] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: lib/Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 60) line 1.
+ # i dont know why, i just found the solution online
+ cd /m/md
+
+
+ getspamdpid
+ # first time we write, overwrite anything existing
if [[ -e /var/lib/prometheus/node-exporter ]]; then
- cat >>/var/lib/prometheus/node-exporter/mailtest-check.prom.$$
- fi
-}
-# first time we write, overwrite anything existing
-if [[ -e /var/lib/prometheus/node-exporter ]]; then
- cat >/var/lib/prometheus/node-exporter/mailtest-check.prom.$$ <<EOF
+ cat >/var/lib/prometheus/node-exporter/mailtest-check.prom.$$ <<EOF
mailtest_check_found_spamd_pid_bool $(( ${spamdpid:-0} > 0 ))
EOF
-fi
-e spamdpid: $spamdpid
-if [[ ! $spamdpid ]]; then
- echo $HOSTNAME mailtest spamd pid not found. systemctl status spamassassin:
- systemctl status spamassassin
-fi
-tmpfile=$(mktemp)
-declare -i unexpected=0
-for folder in ${folders[@]}; do
- for from in ${froms[@]}; do
- latest=
- last_sec=0
-
- if ! grep -rlFx "From: $from" $folder/{new,cur} >$tmpfile; then
- e "no message found from: $from"
- continue
- fi
- # webmail sends them to cur it seems
- while read -r file; do
- if [[ $file -nt $latest ]]; then
- latest=$file
+ fi
+ e spamdpid: $spamdpid
+ if [[ ! $spamdpid ]]; then
+ echo mailtest spamd pid not found. systemctl status spamassassin:
+ systemctl status spamassassin
+ fi
+ tmpfile=$(mktemp)
+ declare -i unexpected=0
+ for folder in ${folders[@]}; do
+ for from in ${froms[@]}; do
+ latest=
+ last_sec=0
+
+ if ! grep -rlFx "From: $from" $folder/{new,cur} >$tmpfile; then
+ echo "no message found from: $from"
+ continue
fi
- done <$tmpfile
+ # webmail sends them to cur it seems
+ while read -r file; do
+ if [[ $file -nt $latest ]]; then
+ latest=$file
+ fi
+ done <$tmpfile
- if [[ ! $latest ]]; then
- # 10 is an arbitrary bad value
- unexpected+=10
- else
to=$(awk '/^Envelope-to: / {print $2}' $latest)
last_sec=$(awk '/^Subject: / {print $4}' $latest)
if (( ${#missing[@]} )); then
printf "missing %s" "${missing[*]}"
fi
- echo
- echo mailtest-check: cat $latest:
- cat $latest
- echo mailtest-check: end of cat
- printf "$(tput setaf 5 2>/dev/null ||:)█$(tput sgr0 2>/dev/null||:)%.0s" $(eval echo "{1..${COLUMNS:-60}}")
+ echo # ends our printf string buildup
+
+ if $int; then
+ echo mailtest-check: cat $latest:
+ cat $latest
+ echo mailtest-check: end of cat
+ echo "$(tput setaf 5 2>/dev/null ||:)█$(tput sgr0 2>/dev/null||:)%.0s" $(eval echo "{1..${COLUMNS:-60}}")
+ fi
fi
fi # if spamdpid
fi # if $slow
- fi # if [[ $latest ]]
- now=$EPOCHSECONDS
- limit=$(( now - 60 * min_limit ))
- age_sec=$(( now - last_sec ))
- e $((age_sec / 60)):$(( age_sec % 60 )) ago. to:$to from:$from $latest
+ now=$EPOCHSECONDS
+ age_sec=$(( now - last_sec ))
+ e $((age_sec / 60)):$(( age_sec % 60 )) ago. to:$to from:$from $latest
- if (( last_sec <= limit )); then
- echo $HOSTNAME mailtest $folder $from $(date -d @$last_sec +'%a %m-%d %H:%M')
- fi
- # usec = unix seconds
- pr <<EOF
+ # usec = unix seconds
+ pr <<EOF
mailtest_check_last_usec{folder="$folder",from="$from"} $last_sec
EOF
+ done
+ unexpected=$(( unexpected + ${#results[@]} + ${#missing[@]} ))
done
-done
-if $slow; then
- pr <<EOF
+ if $slow; then
+ pr <<EOF
mailtest_check_unexpected_spamd_results $unexpected
EOF
-fi
+ fi
-dir=/var/lib/prometheus/node-exporter
-if [[ -e $dir ]]; then
- mv $dir/mailtest-check.prom.$$ $dir/mailtest-check.prom
+ dir=/var/lib/prometheus/node-exporter
+ if [[ -e $dir ]]; then
+ mv $dir/mailtest-check.prom.$$ $dir/mailtest-check.prom
+ # note: node_textfile_mtime_seconds will tell us when this last happened. useful for debugging.
+ fi
+}
+
+loop-main() {
+ while true; do
+ premain_sec=$EPOCHSECONDS
+ main
+ sleep $(( 300 - ( $EPOCHSECONDS - premain_sec ) ))
+ done
+}
+
+
+if [[ $INVOCATION_ID ]]; then
+ loop-main
+else
+ main
fi
+
+exit 0
exit 0
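Review bot: main now runs every five minutes from loop-main, but `tmpfile=$(mktemp)` is never removed, so under the service a new /tmp file is leaked per iteration; add `rm -f "$tmpfile"` after the folder loop, before the `dir=` block. In loop-main, `sleep $(( 300 - ( $EPOCHSECONDS - premain_sec ) ))` goes negative whenever main takes longer than 300 s (it can: `sleep 60` when non-interactive, up to two `sleep 30` in getspamdpid, a 120 s rsync timeout, plus the spamassassin passes), and sleep then errors out; if the script runs with set -e that ends the loop and Restart=always turns it into a restart cycle. Clamp it with `elapsed=$(( EPOCHSECONDS - premain_sec )); sleep $(( elapsed < 300 ? 300 - elapsed : 0 ))` and make `premain_sec` local. The removed min_limit check was the only place a stale test message produced an alert line; presumably a Prometheus rule on mailtest_check_last_usec now covers that, which deserves a comment next to the metric.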
fi
mkdir -p /mnt/tmptimer
-mount -o subvol=debianbullseye_bootstrap $dev /mnt/tmptimer
+if ! mountpoint /mnt/tmptimer &>/dev/null; then
+ mount -o subvol=debianbullseye_bootstrap $dev /mnt/tmptimer
+fi
cd /mnt/tmptimer
for d in dev proc sys dev/pts; do
[[ -d $d ]]
umount $d
fi
done
+umount /mnt/tmptimer