From: Ian Kelling Date: Fri, 20 Nov 2020 22:25:28 +0000 (-0500) Subject: mail fixes, other misc stuff X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=4da590f7ad8fef7a6ff27a3ffb766c15e06b8eb8;p=distro-setup mail fixes, other misc stuff --- diff --git a/.bashrc b/.bashrc index f3ea26d..1aab809 100644 --- a/.bashrc +++ b/.bashrc @@ -32,9 +32,10 @@ HISTCONTROL=ignoredups HISTIGNORE='pass *:[ ]*:otp *:oathtool *' #### begin section that works with sl() function to return from -#### noninteractive ssh shells -if [[ $SSH_CONNECTION ]] \ - && [[ $LC_USEBASHRC != t ]]; then +# noninteractive ssh shells, or tty. tty because often i +# use it when something is going and io is slow and my bashrc +# is too slow. +if [[ $SSH_CONNECTION && $LC_USEBASHRC != t || $TERM == linux ]]; then # Here we did not opt-in to running our .bashrc file so we just # return, but we still setup a function to source it without returning # so if we want it we don't have to restart our ssh connection. diff --git a/brc b/brc index d51ccb9..fcc17eb 100644 --- a/brc +++ b/brc @@ -897,6 +897,14 @@ ifn() { -o -name .undo-tree-history -prune \) -iname "*$**" 2>/dev/null } +ifd() { + # insensitive find directory + find -L . -type d -not \( -name .svn -prune -o -name .git -prune \ + -o -name .hg -prune -o -name .editor-backups -prune \ + -o -name .undo-tree-history -prune \) -iname "*$**" 2>/dev/null +} + + ipdrop() { sudo iptables -A INPUT -s $1 -j DROP } @@ -1144,6 +1152,9 @@ resolvcat() { f=/etc/dnsmasq-servers.conf hr; echo $f:; ccat $f fi + hr + echo /etc/nsswitch.conf: + grep '^ *files' /etc/nsswitch.conf if systemctl is-enabled systemd-resolved &>/dev/null || [[ $(systemctl is-active systemd-resolved ||:) != inactive ]]; then hr; m ser status systemd-resolved | cat || : hr; m systemd-resolve --status | cat diff --git a/brc2 b/brc2 index 34fb1dc..744a92c 100644 --- a/brc2 +++ b/brc2 
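Review bot: The new test in the .bashrc hunk, `[[ $SSH_CONNECTION && $LC_USEBASHRC != t || $TERM == linux ]]`, depends on `&&` binding tighter than `||` inside `[[ ]]`; it is correct, but explicit grouping makes the intent readable at a glance: `if [[ ( $SSH_CONNECTION && $LC_USEBASHRC != t ) || $TERM == linux ]]; then`. The added comment says "or tty", while `$TERM == linux` only matches the Linux virtual console, not a serial or other tty, so the comment could read `# noninteractive ssh shells, or the linux console (TERM=linux)`.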
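Review bot: `ifd` in the brc hunk repeats the whole prune list of `ifn` (whose head lies outside the hunk) with only `-type d` changed, so the two lists will drift apart as soon as one of them gains a new directory to skip. A shared helper taking the `-type` value and the pattern, with `ifn` and `ifd` reduced to one-line wrappers around it, would keep them identical; I have not written it here because the head of `ifn` is not visible. The pattern `"*$**"` joins all arguments with the first character of IFS, presumably on purpose for multi-word searches; a comment such as `# all args joined into one case-insensitive glob` would make that explicit.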
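Review bot: The new `grep '^ *files' /etc/nsswitch.conf` in the resolvcat hunk matches no line of a standard nsswitch.conf, because every entry starts with a database name (`hosts:`, `passwd:`, …) rather than with `files`. Since the rest of the function reports systemd-resolved state, the hosts entry is presumably what was meant: `grep '^ *hosts' /etc/nsswitch.conf ||:`. The `||:` keeps a non-match from counting as a failure of the whole function, matching the style of the neighbouring `systemctl is-active … ||:` line. resolvcat starts and ends outside the hunk.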
@@ -168,6 +168,14 @@ ngreset() { fi } +cp-blocked-domains-to-brains() { + cp /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn +} +cp-blocked-domains-to-ansible() { + cp /a/f/brains/sysadmin/kb/blocked_email_domains.mdwn /a/f/ans/roles/exim/files/mx/simple/etc/exim4/bad-sender_domains +} + + anki() { # crashes on adding new cards in t9 schroot -c buster -- anki diff --git a/distro-begin b/distro-begin index 47103e7..905d36d 100755 --- a/distro-begin +++ b/distro-begin 
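Review bot: `cp-blocked-domains-to-ansible` copies a markdown wiki page (`blocked_email_domains.mdwn`) byte-for-byte onto exim's `bad-sender_domains` list, so any heading, link or blank line added to the wiki page lands in the exim config as a domain entry, and nothing in the function checks for that. If the page is meant to stay a plain one-domain-per-line list, a comment on both functions would document the contract, e.g. `# the .mdwn must stay a plain domain-per-line list: it is used verbatim as exim's bad-sender_domains`; otherwise strip blank lines before writing, e.g. `grep -v '^[[:space:]]*$'` in place of the plain `cp`. The four path literals could also become two `readonly` variables so the pair of functions cannot drift.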
@@ -287,42 +287,48 @@ EOF ##### use systemd-resolved for glibc resolutions + +pi libnss-resolve + if [[ ! -L /etc/nsswitch.conf ]]; then - sudo mkdir -p /etc/nsswitch - sudo mv /etc/nsswitch.conf /etc/nsswitch - sudo ln -sf /etc/nsswitch/nsswitch.conf /etc + sudo mkdir -p /etc/resolved-nsswitch + sudo mv /etc/nsswitch.conf /etc/resolved-nsswitch + sudo ln -sf /etc/resolved-nsswitch/nsswitch.conf /etc fi -f=/etc/nn-resolv/nsswitch.conf +f=/etc/basic-nsswitch/nsswitch.conf if [[ ! -e $f ]]; then sudo mkdir -p ${f%/*} sudo cp /etc/nsswitch.conf $f sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f fi - -f=/etc/apparmor.d/abstractions/nameservice -if ! grep -q /etc/nsswitch/nsswitch.conf $f; then - sudo sed -i '/\/etc\/nsswitch.conf/a /etc/nsswitch/nsswitch.conf r,' $f - m ser reload apparmor -fi - -pi libnss-resolve -# default is -# files mdns4_minimal [NOTFOUND=return] dns myhostname -# mdns4 is needed for my printer and for bbb webrtc, not sure exactly why. -# https://www.freedesktop.org/software/systemd/man/nss-resolve.html# -# seems more important than some potential use case. -# Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite. -# removing files makes hostname -f not actually give the fully qualified domain name. case $HOSTNAME in bk) sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf ;; *) - sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf + # default is + # files mdns4_minimal [NOTFOUND=return] dns myhostname + # mdns4 is needed for my printer and for bbb webrtc, not sure exactly why. + # https://www.freedesktop.org/software/systemd/man/nss-resolve.html# + # seems more important than some potential use case. + # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite. 
+ # removing files makes hostname -f not actually give the fully qualified domain name. + sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/resolved-nsswitch/nsswitch.conf ;; esac +f=/etc/apparmor.d/abstractions/nameservice +if [[ -e $f ]] && ! grep -q /etc/nsswitch/nsswitch.conf $f; then + sudo sed -i '/\/etc\/nsswitch.conf/a /etc/resolved-nsswitch/nsswitch.conf r,' $f + sudo sed -i '/\/etc\/nsswitch.conf/a /etc/basic-nsswitch/nsswitch.conf r,' $f + if sytemctl is-enabled apparmor; then + m ser reload apparmor + fi +fi + + + if dpkg -s -- nscd &>/dev/null; then sudo apt-get -y remove --purge --auto-remove nscd sudo systemctl stop nscd ||: # fails if already stopped @@ -543,7 +549,7 @@ if has_btrfs; then first_root_crypt=$(awk '$2 == "/" {print $1}' /etc/mtab) tu /etc/fstab < 2)) && echo ,compress=zstd ) 0 0 EOF sudo mkdir -p $dir sudo chown $USER:$USER $dir diff --git a/filesystem/etc/systemd/system/vpn-static-ip@.service b/filesystem/etc/systemd/system/vpn-static-ip@.service index 7af3793..b677e7c 100644 --- a/filesystem/etc/systemd/system/vpn-static-ip@.service +++ b/filesystem/etc/systemd/system/vpn-static-ip@.service @@ -1,6 +1,7 @@ [Unit] Description=vpn-static-ip - +After=syslog.target network-online.target vpn-static-ip@%i.service +Wants=network-online.target [Service] Type=oneshot diff --git a/mail-setup b/mail-setup index 9efd569..4e277ef 100755 --- a/mail-setup +++ b/mail-setup @@ -1,8 +1,17 @@ #!/bin/bash + +# todo: figure out + # * intro # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later +# todo: monitor for msft unblock, and then remove on bk: +# /etc/exim4/conf.d/router/190_msft +# dnslookup_msft +# domains = hotmail.com : live.com : msn.com : passport.com : outlook.com + + # todo: on bk, dont send email if mailvpn is not up # todo: disable postgrey 
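Review bot: In the apparmor block near the end of the distro-begin hunk, the idempotence check greps for the old path `/etc/nsswitch/nsswitch.conf` while the two `sed -i` lines append the new `/etc/resolved-nsswitch` and `/etc/basic-nsswitch` paths, so on a fresh host the check never matches and both lines are appended again on every run, while on a host that already has the old entry the new paths are never added and confined programs cannot read the file the `/etc/nsswitch.conf` symlink now points at; the test should be `if [[ -e $f ]] && ! grep -q /etc/resolved-nsswitch/nsswitch.conf $f; then`. Two lines later `sytemctl` is misspelled, so the `is-enabled apparmor` test can never succeed and the reload is skipped; `if systemctl is-enabled apparmor &>/dev/null; then` fixes that and keeps its output out of the log. Separately, on a host set up by the previous version of this script `/etc/nsswitch.conf` is already a symlink into `/etc/nsswitch/`, so the `! -L` guard skips the move and the `*)` arm's `sed -i` then targets a non-existent `/etc/resolved-nsswitch/nsswitch.conf` — I cannot confirm such hosts exist, but a migration step for the old directory looks necessary. The hunk ends before the nscd block.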
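Review bot: The added `After=` line in vpn-static-ip@.service lists `vpn-static-ip@%i.service`, which inside this template expands to the instance itself; as far as I know systemd drops such a self-dependency (logging that it was dropped), so the entry orders nothing and looks like a copy-paste from a unit that is meant to run after this one. Replace it with the unit this one must follow, e.g. `After=network-online.target <unit-this-must-follow>.service` (placeholder), or remove it. `syslog.target` on the same line is a legacy name on current systemd releases and can be dropped too.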
@@ -224,7 +233,7 @@ fi # # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain" -# * other dms +# * other dns # # 2017-02 spf policies: # # host -t txt lists.fedoraproject.org @@ -421,28 +430,17 @@ EOF # * mail vpn config -i /etc/systemd/system/mailnn.service <<'EOF' -[Unit] -Description=Network Namespace for mailvpn.service -After=syslog.target network-online.target -Wants=network-online.target - -[Service] -Type=simple -PrivateNetwork=true -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail -ExecStart=/bin/sleep infinity -ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail - -[Install] -WantedBy=multi-user.target -EOF - -# old service name -rm -fv /etc/systemd/system/openvpn-client-mail@.service +case $HOSTNAME in + $MAIL_HOST) + bindpaths="/etc/127.0.0.1-resolv:/run/systemd/resolve /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind" + ;;& + bk) + bindpaths="/etc/10.173.8.1-resolv:/etc/127.0.0.1-resolv" + ;;& +esac # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html -i /etc/systemd/system/mailvpn.service <<'EOF' +i /etc/systemd/system/mailvpn.service </dev/null; then crypt_dev=$root_dev else # if we are in a recovery boot, find the next best crypt device - noauto=,noauto + mopts=,noauto for dev in $(dmsetup ls --target crypt | awk '{print $1}'); do dev=/dev/mapper/$dev if awk '{print $1}' /etc/mtab | grep -Fx $dev &>/dev/null; then @@ -150,10 +150,13 @@ else # if we are in a recovery boot, find the next best crypt device fi done fi - +# dont tax the cpus of old laptops +if ((`nproc` > 2)); then + mopts+=,compress=zstd +fi fstab </dev/null |head -n1 || : )) + shopt -s nullglob now=$(date +%s) maxtime=0 for s in ${snaps[@]}; do diff --git a/vpn-static-ip b/vpn-static-ip index ae92d3c..8d04891 100755 --- a/vpn-static-ip +++ b/vpn-static-ip 
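Review bot: Both arms of the new `case $HOSTNAME in` block in the mail-setup @@ -421 hunk assign `bindpaths=` and end with `;;&`, so the fall-through only has an effect when `$HOSTNAME` matches both `$MAIL_HOST` and `bk`, and then the `bk` arm silently replaces the first value instead of adding to it. If that overlap is intended, use `bindpaths+=" /etc/10.173.8.1-resolv:/etc/127.0.0.1-resolv"` in the second arm; if not, plain `;;` makes the intent clear. A host matching neither arm leaves `bindpaths` unset, which the now-unquoted heredoc (`<<EOF` replaces the former `<<'EOF'`) expands to nothing or, under `set -u`, aborts on; an explicit `bindpaths=` before the `case` avoids both. The rest of this hunk is garbled on the page, so I cannot see where `bindpaths` is consumed.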
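Review bot: The new `if ((\`nproc\` > 2)); then` in the @@ -150 hunk uses backticks where the rest of the visible code uses `$( )`; `if (( $(nproc) > 2 )); then` is the consistent form. The file header for this section is lost on the page so I cannot name the file, and the head of the `if`/`else` that sets `mopts=,noauto` is outside the hunk; only the recovery-boot arm visibly assigns `mopts`, so unless something earlier initialises it, on the normal path `mopts+=,compress=zstd` is its first assignment only on hosts with more than two CPUs and the fstab heredoc sees an unset variable otherwise — an explicit `mopts=` before that `if` makes this safe either way. The previous hunk renamed `noauto` to `mopts`; any other `$noauto` reference outside these hunks needs the same change.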
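Review bot: `shopt -s nullglob` in the snapshot hunk is enabled after the array assignment whose visible tail `|head -n1 || : ))` is the preceding context line, so it cannot affect how that array was populated, and it stays on for the rest of the script, changing how every later unmatched glob expands. If it is meant for the unquoted `for s in ${snaps[@]}` loop that follows, a comment stating that would help, e.g. `# snaps may hold a pattern with no match; expand it to nothing rather than literally`; otherwise move it before the assignment or pair it with `shopt -u nullglob` after the loop. The lines before this hunk are garbled on the page, so I am inferring the assignment from its visible tail.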
@@ -12,14 +12,26 @@ conf=$1 # there might be some other workaround, but just resolving to static ips # is a simple fix. +main() { + while read -r host port; do + while read -r ip; do + printf "remote %s %s\n" "$ip" "$port" >>$conf + ret=0 + done < <(dig +short $host ||:) + done < <(sed -rn 's/^ *# *remote //p' $conf) + +} + + sed --follow-symlinks -i '/^ *remote /d' $conf ret=1 -while read -r host port; do - while read -r ip; do - printf "remote %s %s\n" "$ip" "$port" >>$conf - ret=0 - done < <(dig +short $host ||:) -done < <(sed -rn 's/^ *# *remote //p' $conf) +main +# give it one retry if it failed initially +if (( ret )); then + sleep 2 + main +fi + if ((ret)); then echo "vpn-static-ip: error: failed to set any ips" >&2 exit 1
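Review bot: In the new `main()` in the vpn-static-ip hunk every line of `dig +short $host` output becomes a `remote` entry, but when `$host` is a CNAME `dig +short` prints the alias target name before the addresses, so non-address text can end up in `$conf`; querying address records explicitly, `done < <(dig +short "$host" A ||:)`, and skipping anything that is not a dotted quad, e.g. `[[ $ip =~ ^[0-9]+(\.[0-9]+){3}$ ]] || continue` as the inner loop's first statement, keeps the config clean (adjust the filter if IPv6 remotes are expected). `main` also communicates through the global `ret` that the caller resets on the line before it, which deserves a header comment: `# appends one 'remote ip port' per resolved address of each '# remote host port' line in $conf; sets ret=0 if any were written`. The retry block re-runs `main` without re-running the `sed` that cleared the old entries, which is only safe because `ret=1` means nothing was appended — a comment saying so would protect the next edit. Naming a mid-file helper `main` when it is not the script's entry point is unusual; `resolve_remotes` would describe it.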