From: Ian Kelling Date: Tue, 17 Nov 2020 22:14:51 +0000 (-0500) Subject: cam fix bk to use recursive resolver X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=6a851b480e9dc20d12f9a113a578f805ac04d40f;p=distro-setup cam fix bk to use recursive resolver --- diff --git a/a/site.yml b/a/site.yml index e1a2777..e9e48ed 100644 --- a/a/site.yml +++ b/a/site.yml @@ -14,9 +14,9 @@ - targets: - "{{ ansible_fqdn }}:9090" - job_name: "node" - # basic_auth: - # username: prom - # password_file: /etc/prometheus-pass + basic_auth: + username: prom + password_file: /etc/prometheus-pass #scheme: "https" file_sd_configs: - files: @@ -29,7 +29,13 @@ - role: node-exporter + tags: a + # node_exporter_tls_server_config: + # cert_file: /etc/node_exporter/fullchain.pem + # key_file: /etc/node_exporter/privkey.pem node_exporter_web_listen_address: "127.0.1.1:9100" + node_exporter_basic_auth_users: + prom: incarnadine.bloodied.maker - role: alertmanager alertmanager_smtp: diff --git a/distro-begin b/distro-begin index df11e93..47103e7 100755 --- a/distro-begin +++ b/distro-begin @@ -293,6 +293,13 @@ if [[ ! -L /etc/nsswitch.conf ]]; then sudo ln -sf /etc/nsswitch/nsswitch.conf /etc fi +f=/etc/nn-resolv/nsswitch.conf +if [[ ! -e $f ]]; then + sudo mkdir -p ${f%/*} + sudo cp /etc/nsswitch.conf $f + sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f +fi + f=/etc/apparmor.d/abstractions/nameservice if ! grep -q /etc/nsswitch/nsswitch.conf $f; then sudo sed -i '/\/etc\/nsswitch.conf/a /etc/nsswitch/nsswitch.conf r,' $f 
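Review bot: The `basic_auth` block enabled in the first site.yml hunk sends the prom credential on every scrape while `#scheme: "https"` two lines below stays commented, so the password travels in clear to `"{{ ansible_fqdn }}:9090"` unless that name resolves to a loopback address. Using `password_file: /etc/prometheus-pass` is the right way to keep the secret out of the playbook, but it does not protect it on the wire. Either enable `scheme: "https"` with a matching `tls_config`, or point the self-scrape target at a loopback address and say so in a comment next to `basic_auth`.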
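Review bot: The literal password value added under `node_exporter_basic_auth_users:` in the second site.yml hunk is a secret committed to a git repository that, judging by the X-Git-Url, is served publicly; it should be rotated now regardless of the fix. The first hunk already keeps the Prometheus side in `/etc/prometheus-pass`, so the same value could be read from there, e.g. `prom: "{{ lookup('file', '/etc/prometheus-pass') | trim }}"`, or held in an ansible-vault variable, instead of being inlined. Whether the node-exporter role bcrypt-hashes this value before writing the web config I cannot tell from here, but either way the plaintext is now in history. The commented `node_exporter_tls_server_config` block also means the cert and key the certbot hook in this commit installs under /etc/node_exporter are not used until that block is enabled; a comment saying so would help.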
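Review bot: The /etc/nn-resolv/nsswitch.conf block added to distro-begin drops the `s chattr +i $f` step that the same block had in distro-end (removed in the distro-end hunk of this commit), so the copy is no longer immutable and a later package upgrade or edit can change its `hosts:` line. If dropping the immutable flag is intentional, a one-line comment saying why would stop the next reader from "fixing" it; otherwise add `sudo chattr +i $f` before the `fi`. The expansions `${f%/*}` and `$f` should also be quoted, `sudo mkdir -p "${f%/*}"` and `sudo cp /etc/nsswitch.conf "$f"`, to match the rest of the file's defensive style.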
@@ -307,7 +314,15 @@ pi libnss-resolve # seems more important than some potential use case. # Interestingly, t9/t10 man page says use files before resolve, debian 10 says the opposite. # removing files makes hostname -f not actually give the fully qualified domain name. -sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf +case $HOSTNAME in + bk) + sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' /etc/nsswitch.conf + ;; + *) + sudo sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] myhostname/' /etc/nsswitch.conf + ;; +esac + if dpkg -s -- nscd &>/dev/null; then sudo apt-get -y remove --purge --auto-remove nscd sudo systemctl stop nscd ||: # fails if already stopped diff --git a/distro-end b/distro-end index 390bf55..0e34b6e 100755 --- a/distro-end +++ b/distro-end @@ -1188,14 +1188,6 @@ EOF ####### end transmission -f=/etc/nn-resolv/nsswitch.conf -if [[ ! -e $f ]]; then - s mkdir -p ${f%/*} - s cp /etc/nsswitch.conf $f - s sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f - s chattr +i $f -fi - case $HOSTNAME in kd|rp) diff --git a/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook b/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook index f10f818..0ee609d 100755 --- a/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook +++ b/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook 
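Review bot: The new `bk)` arm writes `hosts: files dns myhostname`, which makes bk depend entirely on whatever /etc/resolv.conf points at, but the hunk gives no hint why bk differs from every other host or what is expected to answer there. Elsewhere in this commit mail-setup stops systemd-resolved on bk and links /etc/resolv.conf to a file naming 127.0.0.1, so the `dns` module only works if a local recursive resolver is listening; that coupling is invisible from this file. A comment above the arm such as `# bk: systemd-resolved is stopped in mail-setup and resolv.conf points at the local recursive resolver, so plain dns instead of resolve` would record the dependency. libnss-resolve is still installed by the `pi libnss-resolve` line above the hunk but is now unused on bk; worth a word as well.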
@@ -19,6 +19,10 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR dir=$RENEWED_LINEAGE # long caps vars just bother me case $dir in + /etc/letsencrypt/live/je.b8.nz) + install -m 644 $dir/fullchain.pem /etc/node_exporter/fullchain.pem + install -m 640 -g node-exp $dir/privkey.pem /etc/node_exporter/privkey.pem + ;; /etc/letsencrypt/live/iankelling.org) cat $dir/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem ;; diff --git a/machine_specific/vps/filesystem/etc/bind/named.conf.options b/machine_specific/vps/filesystem/etc/bind/named.conf.options new file mode 100644 index 0000000..157e295 --- /dev/null +++ b/machine_specific/vps/filesystem/etc/bind/named.conf.options @@ -0,0 +1,38 @@ +// this is the default for t10, plus my commented additions +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + // forwarders { + // 0.0.0.0; + // }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation auto; + + listen-on-v6 { any; }; + +// iank, allow queries from network namespace +// even if the interface doesnt exist when bind starts. +allow-recursion { + 10.173.8.0/24; + localhost; +}; +allow-query-cache { + 10.173.8.0/24; + localhost; +}; + +// end options +}; diff --git a/mail-setup b/mail-setup index ea7ee46..9efd569 100755 --- a/mail-setup +++ b/mail-setup 
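Review bot: The two `install` lines added for `/etc/letsencrypt/live/je.b8.nz)` fail if /etc/node_exporter does not already exist or if the `node-exp` group is missing, and with the ERR trap shown at the top of the hunk that aborts the deploy hook with no file written. Use `install -D -m 644 -- "$dir/fullchain.pem" /etc/node_exporter/fullchain.pem` and `install -D -m 640 -g node-exp -- "$dir/privkey.pem" /etc/node_exporter/privkey.pem` so the directory is created and `$dir` is quoted like a path should be. The 640/node-exp mode on the private key is the right restriction. Whether node_exporter picks up the replaced files without a restart I cannot confirm from here; if it does not, a `systemctl reload` or restart belongs in this arm.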
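Review bot: The new named.conf.options restricts `allow-recursion` and `allow-query-cache` to 10.173.8.0/24 and localhost but leaves `allow-query` at its default and sets no IPv4 `listen-on`, so the vps's bind still accepts queries on every address, answering non-recursive ones and refusing the rest. The comment explains why `listen-on` cannot name the namespace interface (it may not exist at start), and the same reasoning applies to `allow-query`, which works on the source address rather than the interface: add `allow-query { 10.173.8.0/24; localhost; };` next to the two existing blocks unless this server is also authoritative for public zones. If it is authoritative, a comment saying that the public listener is intended (and which firewall rule covers it) would make the exposure deliberate rather than accidental.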
@@ -3,6 +3,8 @@ # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later +# todo: on bk, dont send email if mailvpn is not up + # todo: disable postgrey # todo: in testforward-check, we should also look @@ -418,8 +420,6 @@ EOF # * mail vpn config -# todo: figure out a reverse dns lookup for 10.173.8.1 in the nn. -# perhaps adding files in nsswitch should fix it? i /etc/systemd/system/mailnn.service <<'EOF' [Unit] @@ -494,11 +494,16 @@ EOF # use our own ip against dnsbl rate limits. # # If we ever notice this change, chattr +i on it +# trust-ad is used in t10+, glibc 2.31 i /etc/nn-resolv/stub-resolv.conf <<'EOF' nameserver 127.0.0.1 -options edns0 +options edns0 trust-ad EOF +i /etc/bk-resolv/stub-resolv.conf <<'EOF' +nameserver 10.173.8.1 +options edns0 trust-ad +EOF # this is just a bug fix for trisquel. f=/etc/apparmor.d/usr.sbin.unbound @@ -512,32 +517,37 @@ if ! grep -qFx "$line" $f; then m ser reload apparmor fi -nn_progs=(exim4 unbound) +nn_progs=(exim4) if mailhost; then # Note dovecots lmtp doesnt need to be in the same nn to accept delivery. # Its in the nn so remote clients can connect to it. - nn_progs+=(spamassassin dovecot) + nn_progs+=(spamassassin dovecot unbound) fi case $HOSTNAME in + $MAIL_HOST) + r=/etc/nn-resolv:/run/systemd/resolve + ;;& + bk) + r=/etc/bk-resolv:/etc/nn-resolv + ;;& $MAIL_HOST|bk) for unit in ${nn_progs[@]}; do - i /etc/systemd/system/$unit.service.d/nn.conf <<'EOF' + i /etc/systemd/system/$unit.service.d/nn.conf < /etc/mailname /a/exe/cedit nn /etc/hosts <<'EOF' || [[ $? == 1 ]] 
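Review bot: The new /etc/bk-resolv/stub-resolv.conf sets `options edns0 trust-ad` for nameserver 10.173.8.1, which makes glibc trust the AD bit from that resolver; that is only sound because 10.173.8.1 is reached over the mail vpn and the bind added in this commit validates with `dnssec-validation auto`, and nothing in the heredoc records that. The `# trust-ad is used in t10+, glibc 2.31` comment sits above the nn-resolv block only, so add above the bk-resolv `i` line something like `# 10.173.8.1 is the vps bind reached over mailvpn; trust-ad is only safe because that path is the vpn, do not reuse this file with another nameserver`. With a single nameserver and no fallback, resolution inside the namespace on bk fails whenever mailvpn is down, which the new todo at the top of the file acknowledges; a short note here would tie the two together.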
@@ -2175,22 +2186,34 @@ m /a/bin/ds/mail-cert-cron -1 sre mailcert.timer case $HOSTNAME in + bk) + soff systemd-resolved + ln -sf nn-resolv/stub-resolv.conf /etc/resolv.conf + ;;& $MAIL_HOST|bk) sstart mailnn + # If these have changes, id rather manually restart it, id rather + # not restart and cause temporary errors + if $reload; then + sre mailvpn + else + sstart mailvpn + fi + ;;& + $MAIL_HOST) + if $reload; then + sre unbound + else + sstart unbound + fi + ;;& + $MAIL_HOST|bk) if ! systemctl is-active clamav-daemon >/dev/null; then sstart clamav-daemon # checking a log, clamav took 27 seconds to start. # we get paniclog entries if its not available m sleep 30 fi - - if $reload; then - sre mailvpn unbound - else - # If these have changes, id rather manually restart it, id rather - # not restart and lose connectivity - sstart mailvpn unbound - fi ;;& $MAIL_HOST|bk|je) # start spamassassin/dovecot before exim. diff --git a/mailtest-check b/mailtest-check index 38cfc91..1adec42 100755 --- a/mailtest-check +++ b/mailtest-check @@ -118,7 +118,7 @@ for folder in ${folders[@]}; do printf "missing %s" "${missing[*]}" fi echo - spamassassin -D <"$latest" + cat $folder/$latest fi else echo $HOSTNAME mailtest spamd pid not found
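Review bot: After this rewrite nothing in the case statement starts unbound on bk: `sstart unbound`/`sre unbound` now live in the `$MAIL_HOST)` arm only, while the removed `$MAIL_HOST|bk)` lines used to start `mailvpn unbound` on both. The new `bk)` arm stops systemd-resolved and points /etc/resolv.conf at nn-resolv/stub-resolv.conf, whose nameserver is 127.0.0.1, and distro-begin in this commit switches bk to `hosts: files dns`, so unless unbound is enabled for bk elsewhere, bk is left with no listener behind its resolv.conf. If unbound is meant to run in bk's root namespace, change the arm to `$MAIL_HOST|bk)` so the reload/start logic covers it. A comment in the `bk)` arm naming which resolver 127.0.0.1 refers to, and why nn-resolv rather than the new bk-resolv file is linked there, would also help; I am inferring the bk-resolv use from the earlier hunk, which is partly garbled in this view.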
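Review bot: The new `cat $folder/$latest` line leaves both expansions unquoted, and the removed line used `<"$latest"` on its own, which suggests `latest` may already be a full path; if so the new line doubles the directory. Prefer `cat -- "$folder/$latest"` (or `cat -- "$latest"` if it is already absolute), matching the quoting of `"${missing[*]}"` two lines above. The loop header `for folder in ${folders[@]}; do` starts before the hunk, so where `latest` is assigned is outside this view.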