From: Ian Kelling Date: Mon, 19 Sep 2022 10:58:39 +0000 (-0400) Subject: mostly fixes X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=5abdcfce00c6ff61bf3856f7b5101915dc096107;p=distro-setup mostly fixes --- diff --git a/brc b/brc index 138fd89..02ad1a6 100644 --- a/brc +++ b/brc @@ -2183,6 +2183,23 @@ s/^\Wcapability: (.*)/\1/;Ta;h;b "|sort -r } +# Run script by copying it to a temporary location first, +# and changing directory, so we don't have any open +# directories or files that could cause problems when +# remounting. +z() { + local tmp + tmp=$(type -p "$1") + if [[ $tmp ]]; then + cd $(mktemp -d) + cp -a "$tmp" . + shift + ./"${tmp##*/}" "$@" + else + "$@" + fi +} + # * misc stuff diff --git a/brc2 b/brc2 index b97d067..1905c79 100644 --- a/brc2 +++ b/brc2 @@ -110,6 +110,12 @@ rootrsync() { s rsync -e "ssh -F /root/.ssh/confighome" "$@" } +zcheck() { + s ssh bow DISPLAY=:0 scrot /tmp/oegu.jpg + s scp bow:/tmp/oegu.jpg /t + s ssh bow rm /tmp/oegu.jpg + feh /t/oegu.jpg + } slemacs() { local arg rtime v @@ -1731,16 +1737,28 @@ EOF fi } -# alert when a page goes live. not urgent. +# alert when a page goes live. alert200() { + local quiet url tmpdir + quiet=false + case $1 in + # dont send a diff of the html. some html is not very readable + -q) quiet=true + shift + ;; + esac url="$1" tmpdir="$(mktemp -d)" cd $tmpdir while true; do - if torsocks wget -q "$url"; then - alertme $tmpdir + if wget -q "$url"; then + if $quiet; then + echo | daylert 200 + else + alertme $tmpdir + fi fi - sleep $(( 600 + RANDOM % 300 )) + sleep $(( 120 + RANDOM % 300 )) done } diff --git a/distro-end b/distro-end index a8f5eed..98a28bd 100755 --- a/distro-end +++ b/distro-end @@ -509,7 +509,7 @@ esac case $codename_compat in jammy) - s systemctl enable ssh-agent-iank + s systemctl enable --now ssh-agent-iank ;; esac diff --git a/epanic-clean b/epanic-clean index f69182b..0175530 100755 --- a/epanic-clean +++ b/epanic-clean @@ -146,6 +146,12 @@ EOF # I think we could alert on anything else older than 61 seconds, # but lets just add some slack, make it 2 minutes. while read -r day time _; do + # some lines dont have dates, just skip them + # 2022-09-16 15:21:06.250 [438097] Exim configuration error: + # can't redefine an undefined macro "REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS" + if [[ $day != [2-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] ]]; then + continue + fi log_s=$(date -d "$day $time" +%s) if (( EPOCHSECONDS - 120 > log_s )); then pr_metric=1 diff --git a/filesystem/usr/local/bin/oftc b/filesystem/usr/local/bin/oftc new file mode 100755 index 0000000..c4c1c33 --- /dev/null +++ b/filesystem/usr/local/bin/oftc @@ -0,0 +1,2 @@ +#!/bin/bash +exec emacs -f oftc diff --git a/install-my-scripts b/install-my-scripts index 42332c1..6d27eee 100755 --- a/install-my-scripts +++ b/install-my-scripts @@ -47,7 +47,10 @@ fi # ran. Very strange, dunno why, but rsync won't do anything unless these # changed, so that should fix it. /a/bin/log-quiet/setup -rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-subvol \ +rsync -tl --chmod=755 --chown=root:root \ + switch-mail-host \ + switch-host2 \ + btrbk-run mount-latest-subvol \ check-subvol-stale myi3status \ mailbindwatchdog \ check-mailq \ diff --git a/machine_specific/kd/filesystem/etc/cron.d/kd b/machine_specific/kd/filesystem/etc/cron.d/kd index 41de0d9..d0f78b0 100644 --- a/machine_specific/kd/filesystem/etc/cron.d/kd +++ b/machine_specific/kd/filesystem/etc/cron.d/kd @@ -8,9 +8,9 @@ MAILTO=root #10 21 * * 1,2,3,4,5 root failmail wrt-setup -z 0 17 * * 1,2,3,4,5 root failmail wrt-setup -z -# new 5pm rule -0 6 * * 0,7 root failmail wrt-setup -y -0 17 * * 0,7 root failmail wrt-setup -z +# weekends +0 6 * * 6,7 root failmail wrt-setup -y +0 17 * * 6,7 root failmail wrt-setup -z # saturday morning # old @@ -24,3 +24,4 @@ MAILTO=root #0 11 * * 0,6 root failmail wrt-setup -z 5 1 * * * root ziva-backup-check |& log-once ziva-backup-check +* * * * * root ziva-screen |& log-once ziva-screen diff --git a/mail-setup b/mail-setup index 36b0e9d..c40c56c 100755 --- a/mail-setup +++ b/mail-setup @@ -1174,7 +1174,9 @@ cd /etc/exim4 done } | i /etc/exim4/conf.d/my-dkim-domains -cat >/etc/exim4/conf.d/transport/11_iank <<'EOF' +if grep -Fq REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS \ + /etc/exim4/conf.d/transport/10_exim4-config_transport-macros; then + cat >/etc/exim4/conf.d/transport/11_iank <<'EOF' # This unsets the default macro defined in on t11 in # /etc/exim4/conf.d/transport/10_exim4-config_transport-macros # It seems like a very odd choice that this has become @@ -1182,6 +1184,9 @@ cat >/etc/exim4/conf.d/transport/11_iank <<'EOF' # auth. Oh well. REMOTE_SMTP_SMARTHOST_TLS_VERIFY_HOSTS == EOF +else + rm -f /etc/exim4/conf.d/transport/11_iank +fi cat >/etc/exim4/conf.d/main/000_local <<'EOF' MAIN_TLS_ENABLE = true @@ -1217,16 +1222,6 @@ smtp_accept_queue_per_connection = 500 DKIM_CANON = relaxed DKIM_SELECTOR = li -# From comments in -# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 -# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8 -# There could be some circumstance when the -# from: isnt our domain, but the envelope sender is -# and so still want to sign, but I cant think of any case. -#DKIM_DOMAIN = ${lc:${domain:$rh_from:}} -# In t11, we cant do the above anymore because this is tainted data used in a file lookup. -# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data. -DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}} # The file is based on the outgoing domain-name in the from-header. # sign if key exists @@ -1280,6 +1275,24 @@ smtp_reserve_hosts = +iank_trusted LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE = /etc/exim4/conf.d/local_deny_exceptions_acl EOF +if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show exim4)" ge 4.94; then + cat >>/etc/exim4/conf.d/main/000_local <<'EOF' +# In t11, we cant do the old anymore because this is tainted data used in a file lookup. +# /usr/share/doc/exim4/NEWS.Debian.gz suggests to use lookups to untaint data. +DKIM_DOMAIN = ${lookup {${domain:$rh_from:}}lsearch,ret=key{/etc/exim4/conf.d/my-dkim-domains}} +EOF +else + cat >>/etc/exim4/conf.d/main/000_local <<'EOF' +# From comments in +# https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4 +# and its best for this to align https://tools.ietf.org/html/rfc7489#page-8 +# There could be some circumstance when the +# from: isnt our domain, but the envelope sender is +# and so still want to sign, but I cant think of any case. +DKIM_DOMAIN = ${lc:${domain:$rh_from:}} +EOF +fi + rm -fv /etc/exim4/rcpt_local_acl # old path i /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF' @@ -1335,6 +1348,202 @@ warn EOF +# It is important for this to exist universally, instead of +# just on the mail host because if we change mail host and +# still have something in the queue which was destined for +# this router, but hosts were unreachable, the routers will +# be reevaluated on the next retry. +i /etc/exim4/conf.d/router/890_backup_copy <tmp.php <$myncdir/tmp.php <config.php - # leave in place for debugging - #m rm -f tmp.php - m sudo -u www-data php $ncdir/occ maintenance:update:htaccess + e running php $myncdir/tmp.php + # note: we leave it around place for debugging + php $myncdir/tmp.php >config.php + cd $ncdir + m sudo -u www-data php occ maintenance:update:htaccess list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list) # user_external not compaible with nc 23 for app in contacts calendar; do if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then - m sudo -u www-data php $ncdir/occ app:install $app + cd $ncdir + m sudo -u www-data php occ app:install $app fi done i /etc/systemd/system/$ncbase.service <&2; exit 1; } +i() { # install file + local tmp tmpdir dest="$1" + local base="${dest##*/}" + local dir="${dest%/*}" + if [[ $dir != "$base" ]]; then + # dest has a directory component + mkdir -p "$dir" + fi + ir=false # i result + tmpdir=$(mktemp -d) + cat >$tmpdir/"$base" + tmp=$(rsync -ic $tmpdir/"$base" "$dest") + if [[ $tmp ]]; then + printf "%s\n" "$tmp" + ir=true + if [[ $dest == /etc/systemd/system/* ]]; then + touch /var/local/mail-setup-reload + reload=true + fi + fi + rm -rf $tmpdir +} +setini() { + key="$1" value="$2" section="$3" + file="/etc/radicale/config" + sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*${key}[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file" +} +soff () { + for service; do + # ignore services that dont exist + if systemctl cat $service &>/dev/null; then + m systemctl disable --now $service + fi + done +} +sre() { + for service; do + m systemctl restart $service + m systemctl enable $service; + done +} + + +ncdir=/var/www/ncfsf +myncdir=/root/ncfsf +ncbase=${ncdir##*/} +mkdir $myncdir +domain=boardfiles.fsf.org + +apt-get -y install php-zip apache2 php-fpm + +fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm +phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p') +m a2enconf $fpm +# 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading +# /etc/apache2/conf-enabled/php7.3-fpm.conf +# However, on t11, +# ERROR: Module php8.1 does not exist. just allow it to fail +m a2dismod php$phpver ||: + +# php with fpm doesnt work without this +m a2enmod proxy_fcgi + + + +m web-conf - apache2 $domain < + Require all granted + AllowOverride All + Options FollowSymLinks MultiViews + + + Dav off + + + + +# based on install checker, links to +# https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery +# their example was a bit wrong, I figured it out by adding +# LogLevel warn rewrite:trace5 +# then watching the apache logs + +RewriteEngine on +RewriteRule ^/\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L] +RewriteRule ^/\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L] +RewriteRule ^/\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L] +### end nextcloud settings +EOF + + +i /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF' +apc.enable_cli = 1 +EOF + + +i /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF' +date.timezone = "America/New_York" +# for nextcloud +upload_max_filesize = 2000M +post_max_size = 2000M +# install checker, nextcloud/settings/admin/overview +memory_limit = 512M +EOF + +m systemctl restart $fpm + +# some of these are based on errors later on. +m apt-get -y install php-curl php-bz2 php-gmp php-bcmath php-imagick php-apcu php-mbstring php-xml php-gd sqlite3 php-sqlite3 + +# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html +cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF' +[www] +clear_env = no +EOF + + + +nextcloud_admin_pass=casHiosidZyFraycs + +m cd /var/www +if [[ ! -e $ncdir/index.php ]]; then + # if we wanted to only install a specific version, use something like + # file=latest-22.zip + file=latest.zip + m wget -nv -N https://download.nextcloud.com/server/releases/$file + m rm -rf nextcloud + m unzip -q $file + m rm -f $file + m chown -R www-data.www-data nextcloud + m mv nextcloud $ncdir +fi + +if [[ ! -e $myncdir/done-install ]]; then + m cd $ncdir + m sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass + m touch $myncdir/done-install +fi + +# note, strange this happend where updater did not increment the version var, +# mine was stuck on 20. I manually updated it. +m cd $ncdir/config +if [[ ! -e $myncdir/config.php-orig ]]; then + m cp -a config.php $myncdir/config.php-orig +fi +cat $myncdir/config.php-orig - >$myncdir/tmp.php < '$domain', + ); +#\$CONFIG[''] = ''; +fwrite(STDOUT, "config.php +cd $ncdir +m sudo -u www-data php occ maintenance:update:htaccess +i /etc/systemd/system/$ncbase.service <&2 + # -odf or else systemd will kill the background delivery process + # and the message will sit in the queue until the next queue run. + exim -odf -t <= 1 )); then + lastf=$(ls -1 20*jpg | tail -n1) +fi + +ssh bow DISPLAY=:0 scrot -z $f 2>/dev/null || exit 0 +rsync --inplace bow:$f /d/ziva-log 2>/dev/null || exit 0 +ssh bow rm -f $f + +same=false +if [[ $lastf ]]; then + # returns 2 on error, but maybe in that case we want to ignore, file the image away + # and then it can go away in a subsequent comparison. going with that for now. + diff=$(compare -metric MSE $lastf ziva-tmp.jpg /dev/null |& sed 's/[^0-9].*//') ||: + if printf "%s\n" "$diff" | egrep '^[0-9]+$' &>/dev/null && (( diff < 200 )); then + same=true + fi +fi + +if $same; then + rm -f ziva-tmp.jpg +else + mv ziva-tmp.jpg $(date +%F.%R).jpg +fi