From: Ian Kelling Date: Fri, 17 Sep 2021 20:23:03 +0000 (-0400) Subject: improvements, some fixes for newly using sudo/ssh pass X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=8be1447133f3c98062e8610985776ce44e1fd3f4;p=distro-setup improvements, some fixes for newly using sudo/ssh pass --- diff --git a/.bashrc b/.bashrc index cb6324b..c593e83 100644 --- a/.bashrc +++ b/.bashrc @@ -31,13 +31,6 @@ HISTCONTROL=ignoredups # but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it. HISTIGNORE='pass *:[ ]*:otp *:oathtool *' -case $EUID in - 0) - if [[ ! -e /run/no_root_ssh_agent ]]; then - export SSH_AGENT_LAUNCHER=openssh SSH_AUTH_SOCK=/run/openssh_agent - fi - ;; -esac #### begin section that works with sl() function to return from # noninteractive ssh shells, or tty. tty because often i diff --git a/brc b/brc index 9ecd5e3..1531e63 100644 --- a/brc +++ b/brc @@ -240,7 +240,6 @@ fi # * functions - ccomp() { # copy completion local src=$1 local c @@ -1267,6 +1266,7 @@ s() { if [[ $EUID != 0 || $1 == -* ]]; then # shellcheck disable=SC2034 SUDOD="$PWD" command sudo -i "$@" + DID_SUDO=true else "$@" fi @@ -1602,9 +1602,9 @@ sl() { command ssh "${args[@]}" "$remote" LC_USEBASHRC=t bash fi fi - # this function inspired from https://github.com/Russell91/sshrc } + slr() { sl --rsync "$@" } @@ -1911,6 +1911,12 @@ if [[ $- == *i* ]]; then if [[ ! $SSH_CLIENT && $MAIL_HOST != "$HOSTNAME" ]]; then ps_char="@ $ps_char" fi + # We could test if sudo is active with sudo -nv + # but then we get an email and log of lots of failed sudo commands. + # We could turn those off, but seems better not to. + if [[ $EUID != 0 ]] && [[ $DID_SUDO ]]; then + ps_char="SUDO $ps_char" + fi PS1="${PS1%"${PS1#*[wW]}"} \[$ps_color\]$ps_char\[$term_nocolor\] " # set titlebar. instead, using more advanced diff --git a/brc2 b/brc2 index 1048d4c..a17779e 100644 --- a/brc2 +++ b/brc2 
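Review bot: In the brc prompt hunk (@@ -1911), `DID_SUDO` only records that `s()` once ran `command sudo -i` in this shell, so the `SUDO` prompt tag keeps showing after sudo's cached credentials have timed out, and it is never set when sudo was invoked directly rather than through `s`. That is acceptable as a hint, but the comment above the check should say so, e.g. `# DID_SUDO is set by s(); it means sudo was used in this shell, not that the credential cache is still valid.`. Both functions continue outside their hunks.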
@@ -346,7 +346,7 @@ bbk() { # btrbk wrapper install-my-scripts # todo: consider changing this to srun and having the args come # from a file like /etc/default/btrbk, like is done in exim - jrun btrbk-run "$@" + s jrun btrbk-run "$@" if $active; then if (( ret )); then echo bbk: WARNING: btrbk.timer not restarted due to failure @@ -394,7 +394,9 @@ jrun() { # journal run. run args, log to journal, tail and grep the journal. # it does sudo ssh, that will leave a process around that we can't kill # and it will leave the unit hanging around in a failed state needing manual # killing of the process. - m s systemd-run --uid $(id -u) --gid $(id -g) --unit "$cmd_name" --wait --collect "$cmd" "${@:2}" || ret=$? + m s systemd-run --uid $(id -u) --gid $(id -g) \ + -E SSH_AUTH_SOCK=/run/openssh_agent \ + --unit "$cmd_name" --wait --collect "$cmd" "${@:2}" || ret=$? # This justs lets the journal output its last line # before the prompt comes up. sleep .5 @@ -416,8 +418,14 @@ srun() { } sm() { + local tmp keyhash c / # run latest + keyhash=$(s ssh-keygen -lf /root/.ssh/home | awk '{print $2}') + tmp=$(s ssh-add -l | awk '$2 == "'$keyhash'"') + if [[ ! $tmp ]]; then + s ssh-add /root/.ssh/home + fi install-my-scripts s jrun switch-mail-host "$@" return $ret @@ -1122,8 +1130,14 @@ allmyirc() { } mygajim() { + local now time time_sec + now=$(date +%s) sqlite3 -separator ' ' /p/c/subdir_files/.local/share/gajim/logs.db "select time, message from logs where contact_name = 'iank' and jid_id = 17;" | while read -r time l; do - echo $(date +%F.%R -d @$time) "$l"; done + echo $(date +%F.%R -d @$time) "$l" + time_sec=${time%%.*} + # only look at the last 18 days. generally just use this for timesheet. + if (( time_sec < now - 60 * 60 * 24 * 18 )); then break; fi + done } net-dev-info() { 
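Review bot: In the jrun() hunk, the transient unit is handed `SSH_AUTH_SOCK=/run/openssh_agent`, the socket that the removed .bashrc lines in this same commit exported only for EUID 0, while the unit itself runs as `--uid $(id -u)`. The callers added here (`s jrun` in bbk and sm) run jrun as root, so uid and socket agree; if jrun is ever called unprivileged the unit would be pointed at a socket it may not be able to, and should not, reach. A comment on the new line, `# root agent socket; jrun is expected to be invoked via s (as root)`, would record that assumption. The function continues outside the hunk.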
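Review bot: In the sm() hunk, `$keyhash` is spliced into the awk program text (`awk '$2 == "'$keyhash'"'`), so the comparison depends on the fingerprint containing no quote or backslash characters, and an empty `$keyhash` (ssh-keygen failing, e.g. key file missing) silently matches nothing and falls through to `ssh-add`. Passing the value as an awk variable removes the quoting dependency: `tmp=$(s ssh-add -l | awk -v h="$keyhash" '$2 == h')`. A `[[ $keyhash ]] || return 1` guard before the lookup would make the missing-key case explicit instead of leaving it to ssh-add to report. The function continues outside the hunk.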
@@ -1652,7 +1666,8 @@ path-add --end $HOME/.cargo/bin if type -P rg &>/dev/null; then rg() { command rg -L -i -M 300 --no-ignore "$@"; } - complete -r rg +#fails if not exist. ignore + complete -r rg 2>/dev/null ||: else alias rg=grr fi diff --git a/btrbk-run b/btrbk-run index 2bd7468..d513071 100644 --- a/btrbk-run +++ b/btrbk-run @@ -182,8 +182,12 @@ if [[ ! -v targets && ! $source ]]; then fi ;;& kw|x2|x3|sy) - if $at_work && ping -q -c1 -w1 iank.vpn.office.fsf.org &>/dev/null; then - home=iank.vpn.office.fsf.org + if $at_work; then + if ping -q -c1 -w1 iank.vpn.office.fsf.org &>/dev/null; then + home=iank.vpn.office.fsf.org + else + home=i.b8.nz + fi else home=b8.nz fi diff --git a/checkrestart-blacklist b/checkrestart-blacklist index 85d9399..2f6f9bd 100644 --- a/checkrestart-blacklist +++ b/checkrestart-blacklist @@ -1 +1,7 @@ +# false positive ^/var/lib/nfs/etab \(deleted\)$ +# According to the file, this is a helper that checks if a +# unattended-upgrade is in progress and waits until it exists. +# It seems to get hit more often than it should, doesnt seem +# important to restart. +^/usr/share/unattended-upgrades/unattended-upgrade-shutdown\(| .*\)$ diff --git a/distro-begin b/distro-begin index 7467e7b..b135e05 100755 --- a/distro-begin +++ b/distro-begin @@ -187,9 +187,10 @@ EOF sudo /usr/sbin/update-initramfs -u -k all fi - # initram auth keys get setup with rootsshsync + # initram auth keys get setup with rootsshsync later on. $script_dir/rootsshsync - # then for remote unlock, ssh and do this once per crypt disk: + + ### To do a remote unlock: ssh and do this once per crypt disk: # echo -n PASS >/lib/cryptsetup/passfifo # or for buster+ # cryptroot-unlock @@ -255,6 +256,9 @@ fi # this needs to be before installing pacserve so we have gpg conf. conflink rootsshsync +if [[ -e /etc/rootsudoenv ]]; then + source /etc/rootsudoenv +fi ###### bash environment setup set +x 
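Review bot: In the distro-begin hunk (@@ -255), `/etc/rootsudoenv` is sourced as shell code just before the `set +x` that follows it, so if xtrace is active at that point (the script toggles it with `$interactive || set -x` later in this diff) every assignment in that file, including anything sensitive the name suggests it holds, is echoed to stderr and into whatever log captures the run. Moving the three-line `if [[ -e /etc/rootsudoenv ]]` block below `set +x` avoids that. Nothing in the hunk states who creates the file or what mode it has, and the script appears to run unprivileged (it calls `sudo` above), so a comment such as `# root-owned, mode 0600; sourced as code, so never let it be writable by others` would document the trust being placed in it.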
@@ -266,9 +270,6 @@ source ~/.bashrc err-catch $interactive || set -x -# remove old lines, todo: remove this when all systems are updated. 2021-09-03 -tu /etc/sudoers - ##### use systemd-resolved for glibc resolutions pi libnss-resolve diff --git a/distro-end b/distro-end index b4304b1..aff5b49 100755 --- a/distro-end +++ b/distro-end @@ -61,6 +61,10 @@ cd / # case $distro in # esac +# get sudo pass cached right away +if ! sudo -nv 2>/dev/null; then + sudo -v +fi # old repo. remove when all machines updated sudo rm -fv /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list @@ -464,7 +468,7 @@ Pin: release a=buster-backports Pin-Priority: 500 EOF p install btrfs-progs - ;; + ;; esac @@ -473,26 +477,35 @@ s rm -fv /etc/apt/preferences.d/radicale ######### end universal pinned packages ###### ### system76 things ### -# case $HOSTNAME in -# sy) -# # note, i stored the initial popos packages at /a/bin/data/popos-pkgs -# if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then -# # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html -# sd /etc/apt/sources.list.d/system76.list </dev/null; then case $codename in etiona|nabia) pi arbtt - seru enable arbtt - seru start arbtt + # same as seru enable arbtt, but works over ssh when systemctl --user causes error: + # Failed to connect to bus: No such file or directory + lnf -T /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service + # allow failure + seru start arbtt ||: ;; esac fi 
@@ -1546,8 +1558,9 @@ soff libvirtd # its disabled. note: it leaves around dnsmasq instances even # if you stop it. what the hell systemd? soff libvirt-guests -# allow user to run vms, from debian handbook -for x in iank user2; do s usermod -a -G libvirt,kvm $x; done +# allow user to run vms, from debian handbook. libvirt-qemu +# based on https://www.whonix.org/wiki/KVM#First-time_User.3F +for x in iank user2; do s usermod -a -G libvirt,kvm,libvirt-qemu $x; done pi --no-install-recommends kdeconnect @@ -1700,6 +1713,7 @@ m /a/bin/distro-setup/mymimes sgo dynamicipupdate.timer +sgo epanicclean.timer # stop autopoping windows when i plug in an android phone. @@ -1771,6 +1785,9 @@ lnf -T /a/opt ~/src pi tor m /a/bin/buildscripts/tor-browser +# one root command needed to install +s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin + # nfs server pi-nostart nfs-kernel-server diff --git a/epanic-clean b/epanic-clean index 92bc8d6..b2d6b41 100755 --- a/epanic-clean +++ b/epanic-clean 
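Review bot: In the distro-end usermod hunk (@@ -1546), adding the users to `libvirt-qemu` grants them the group that, on Debian-family systems as I understand it, the qemu processes run under and that libvirt chowns VM disk images to, which is broader than `libvirt` (management socket) and `kvm` (/dev/kvm). The new comment cites the source but not the consequence; `# libvirt-qemu also gives access to files owned by the qemu process group, eg vm disk images` would make the trade-off visible to whoever next edits the group list.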
@@ -11,69 +11,79 @@ shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR +[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" + debug=false if [[ $1 ]]; then debug=true fi -if [[ $EUID != 0 ]]; then - s=sudo -fi - -if [[ ! -s /var/log/exim4/paniclog ]]; then - exit 0 -fi d() { if $debug; then printf "%s\n" "$*" - fi - } + fi +} -while read -r service regex; do - found=false - wipe=true - d "$service $regex" - while read -r d1 d2; do - d "$d1 $d2" - found=true - tmptime=$(date -d "$d1 $d2" +%s) - # dont consider every matching line, just those in > 60 second intervals - if [[ ! $logtime ]]; then - logtime=$tmptime - elif (( tmptime > logtime + 60 )); then - logtime=$tmptime - else - continue - fi - sec_min=$((logtime - 60)) - sec_max=$((logtime + 60)) - jmin="$(date -d @$sec_min "+%F %H:%M:%S")" - jmax="$(date -d @$sec_max "+%F %H:%M:%S")" - description=$(systemctl cat $service | sed -rn 's/^ *Description=(.*)/\1/p') - jrregex="^Starting $description" - if [[ $service == spamassassin ]]; then - jrregex+="\|^spamd: restarting" - fi - d "jrregex=$jrregex jmin=$jmin jmax=$jmax" - # the sed clears out the initial time and process+pid - if ! journalctl -u $service -S "$jmin" -U "$jmax" \ - | sed -r 's/^([^[:space:]]*[[:space:]]+){5}//' | grep "$jrregex" &>/dev/null; then - wipe=false - break - fi - done < <(awk "/$regex/ "'{print $1,$2}' /var/log/exim4/paniclog) - if $found && $wipe; then - d "wiping $regex" - if [[ ! -w /var/log/exim4/paniclog-archive ]]; then - $s touch /var/log/exim4/paniclog-archive - $s chgrp adm /var/log/exim4/paniclog-archive - $s chmod 664 /var/log/exim4/paniclog-archive - fi - grep -E "$regex" /var/log/exim4/paniclog >> /var/log/exim4/paniclog-archive - $s sed -ri "/$regex/d" /var/log/exim4/paniclog +main() { + if [[ ! 
-s /var/log/exim4/paniclog ]]; then + return 0 fi -done <<'EOF' + while read -r service regex; do + found=false + wipe=true + d "$service $regex" + while read -r d1 d2; do + d "$d1 $d2" + found=true + tmptime=$(date -d "$d1 $d2" +%s) + # dont consider every matching line, just those in > 60 second intervals + if [[ ! $logtime ]]; then + logtime=$tmptime + elif (( tmptime > logtime + 60 )); then + logtime=$tmptime + else + continue + fi + sec_min=$((logtime - 60)) + sec_max=$((logtime + 60)) + jmin="$(date -d @$sec_min "+%F %H:%M:%S")" + jmax="$(date -d @$sec_max "+%F %H:%M:%S")" + description=$(systemctl cat $service | sed -rn 's/^ *Description=(.*)/\1/p') + jrregex="^Starting $description" + if [[ $service == spamassassin ]]; then + jrregex+="\|^spamd: restarting" + fi + d "jrregex=$jrregex jmin=$jmin jmax=$jmax" + # the sed clears out the initial time and process+pid + if ! journalctl -u $service -S "$jmin" -U "$jmax" \ + | sed -r 's/^([^[:space:]]*[[:space:]]+){5}//' | grep "$jrregex" &>/dev/null; then + wipe=false + break + fi + done < <(awk "/$regex/ "'{print $1,$2}' /var/log/exim4/paniclog) + if $found && $wipe; then + d "wiping $regex" + if [[ ! -w /var/log/exim4/paniclog-archive ]]; then + touch /var/log/exim4/paniclog-archive + chgrp adm /var/log/exim4/paniclog-archive + chmod 664 /var/log/exim4/paniclog-archive + fi + grep -E "$regex" /var/log/exim4/paniclog >> /var/log/exim4/paniclog-archive + sed -ri "/$regex/d" /var/log/exim4/paniclog + fi + done <<'EOF' clamav-daemon malware acl condition spamassassin spam acl condition EOF +} + +if [[ $INVOCATION_ID ]]; then + # this is to prevent systemd from filling up the journal + for (( runcount=0; runcount < 100; runcount++ )); do + main + sleep 30 + done +else + main +fi diff --git a/filesystem/etc/cron.d/ian b/filesystem/etc/cron.d/ian index 5d29b59..867f6c9 100644 --- a/filesystem/etc/cron.d/ian +++ b/filesystem/etc/cron.d/ian 
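Review bot: In the epanic-clean hunk, `logtime` is never reset: it is not declared local in main() and is not cleared at the top of the `while read -r service regex` loop, so once the new 100-iteration loop calls main() repeatedly, a paniclog line that is not more than 60 s newer than a `logtime` left over from a previous service or run takes the `continue` branch after `found=true`, leaving `wipe=true` and archiving the entry without the journalctl check. The cross-service carry-over existed before this change, but the repeated main() now makes it happen across runs as well. Adding `logtime=` on its own line right after `wipe=true` gives each service its own window.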
@@ -1,5 +1,7 @@ +# default is /bin/sh SHELL=/bin/bash -PATH=/usr/bin:/bin:/usr/local/bin:/a/exe +# default is /usr/bin:/bin +PATH=/sbin:/usr/sbin:/usr/bin:/bin:/usr/local/bin:/a/exe MAILTO=root */10 * * * * root rootsshsync |& log-once -15 rootsshsync # If theres any logged errors we didnt handle in 4 days, maybe we accidentally missed them, @@ -7,3 +9,8 @@ MAILTO=root 4 9 * * 5 root /a/bin/ds/check-stale-alerts 4 15 * * 5 iank /a/bin/ds/mailclean 14 * * * * root /a/bin/ds/bk-backup |& log-once -24 bk-backup +0 7 * * * iank failmail myupgrade-iank +20 7 * * * root myupgrade |& log-once -1 myupgrade +# maybe try this again sometime. it needs updating to be like +# myupgrade. +#0 * * * * root mycheckrestart |& log-once -1 mycheckrestart diff --git a/filesystem/etc/profile.d/environment.sh b/filesystem/etc/profile.d/environment.sh index 8712fc9..df27665 100644 --- a/filesystem/etc/profile.d/environment.sh +++ b/filesystem/etc/profile.d/environment.sh @@ -104,10 +104,12 @@ if test "$EUID" && [ "$EUID" != 0 ]; then fi fi # and it seems that if we log into mate, it screws up the systemd env var anyways. -_tmp=$(pgrep -a '^ssh-agent$' | sed -r 's/.*-a *([^ ]+).*/\1/') -if test "_$tmp" && [ "$_tmp" != "$SSH_AUTH_SOCK" ]; then - export SSH_AUTH_SOCK="$_tmp" -fi +for _file in $(pgrep -a '^ssh-agent$' | sed -r 's/.*-a *([^ ]+).*/\1/'); do + if test -O "$_file"; then + export SSH_AUTH_SOCK="$_file" + break + fi +done # background: diff --git a/filesystem/etc/systemd/system/epanicclean.service b/filesystem/etc/systemd/system/epanicclean.service new file mode 100644 index 0000000..d7f2231 --- /dev/null +++ b/filesystem/etc/systemd/system/epanicclean.service @@ -0,0 +1,7 @@ +[Unit] +Description=epanic-clean +After=multi-user.target + +[Service] +Type=oneshot +ExecStart=/usr/local/bin/sysd-mail-once -3 epanic-clean /usr/local/bin/epanic-clean 
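Review bot: In the environment.sh hunk, `test -O "$_file"` checks only ownership, so a path from an agent's command line that is now a plain file or directory owned by the user is still exported as `SSH_AUTH_SOCK`, and the search stops at that first hit even if a live agent socket follows. Checking the type too, `if test -S "$_file" && test -O "$_file"; then`, keeps the ownership check (which is what stops another user's agent from being picked up) while skipping stale entries. The ownership check itself is a real fix over the removed `test "_$tmp"`, which was always true.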
diff --git a/filesystem/etc/systemd/system/epanicclean.timer b/filesystem/etc/systemd/system/epanicclean.timer new file mode 100644 index 0000000..c8d7d39 --- /dev/null +++ b/filesystem/etc/systemd/system/epanicclean.timer @@ -0,0 +1,11 @@ +[Unit] +Description=epanic-clean + +[Timer] +# for initial run. required. +OnActiveSec=10 +# for subsequent runs. +OnUnitInactiveSec=30 + +[Install] +WantedBy=timers.target diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade index c3e19f4..c358fcb 100755 --- a/filesystem/usr/local/bin/myupgrade +++ b/filesystem/usr/local/bin/myupgrade @@ -2,10 +2,14 @@ # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later +# Note: running this inside a cronjob, it wont mail any output if we end +# up rebooting from this script. + if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi source /usr/local/lib/err pre="${0##*/}:" +PATH="/sbin:$PATH" m() { printf "$pre %s\n" "$*"; "$@"; } e() { printf "$pre %s\n" "$*"; } err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $pre: $*" >&2; } @@ -19,6 +23,12 @@ l() { "$@" |& systemd-cat -t myupgrade } +## temporary +case $HOSTNAME in + kd) + exit 0 + ;; +esac if checkrestart -b /a/bin/ds/checkrestart-blacklist -p -t &>/dev/null; then exit 0 diff --git a/filesystem/usr/local/bin/myupgrade-iank b/filesystem/usr/local/bin/myupgrade-iank index 6f9abfb..969db8b 100755 --- a/filesystem/usr/local/bin/myupgrade-iank +++ b/filesystem/usr/local/bin/myupgrade-iank @@ -17,10 +17,7 @@ fi hn=$(hostname -f) -l() { - "$@" |& systemd-cat -t myupgrade-iank -} -l /a/bin/buildscripts/rust +/a/bin/buildscripts/rust has_x=false for pkg in xorg wayland; do @@ -31,8 +28,8 @@ for pkg in xorg wayland; do done if $has_x; then - l /a/bin/buildscripts/tor-browser - l /a/bin/buildscripts/misc + /a/bin/buildscripts/tor-browser + /a/bin/buildscripts/misc fi diff --git a/hssh b/hssh index 00d06b8..142e68c 100755 --- a/hssh +++ b/hssh 
@@ -18,6 +18,10 @@ ps --no-headers -o comm 1 systemctl is-active btrbk.service mkdir -p /mnt/root/btrbk && date +%z && df --output=size,pcent / | tail -n1 DISPLAY=:0 xprintidle +rsync --server --sender -logDtprRe.iLsfxC . /usr/local/./bin/mount-latest-subvol /usr/local/./bin/check-subvol-stale /usr/local/./lib/err +rsync --server --sender -logDtpre.iLsfxC . /usr/local/lib/err +rsync --server --sender -logDtpre.iLsfxC . /usr/local/bin/mount-latest-subvol /usr/local/bin/check-subvol-stale +scp -f /a/bin/distro-setup/btrbk-run # mount-latest-remote timeout -s 9 600 /usr/local/bin/mount-latest-subvol rsync --server -OtpRe.LsfxC . /usr/local diff --git a/i3-sway/common.conf b/i3-sway/common.conf index 48346c7..4a42fcf 100644 --- a/i3-sway/common.conf +++ b/i3-sway/common.conf @@ -76,7 +76,10 @@ bindsym $mod+Shift+m border toggle bindsym $mod+j exec emacsclient -c bindsym $mod+k exec konsole bindsym $mod+l exec dmenu_run - +# note default is 27% on my system76. not sure if these +# keybinds will screw up other laptop brightness keys. +bindsym XF86MonBrightnessUp exec brightnessctl s +5% +bindsym XF86MonBrightnessDown exec brightnessctl s 5%- # Font for window titles. Will also be used by the bar unless a different font # is used in the bar {} block below. diff --git a/install-my-scripts b/install-my-scripts index d3e7019..303bdbb 100755 --- a/install-my-scripts +++ b/install-my-scripts @@ -37,6 +37,7 @@ x="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd ${x%/*} # directory of this file /a/bin/log-quiet/setup rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-subvol \ check-subvol-stale system-status myi3status mailtest-check \ + epanic-clean \ /a/bin/log-quiet/sysd-mail-once hssh \ btrfsmaint \ dynamic-ip-update \ diff --git a/lightdm-start b/lightdm-start index efa5876..55fe9b0 100755 --- a/lightdm-start +++ b/lightdm-start 
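Review bot: In the hssh hunk, the three new `rsync --server --sender` lines and `scp -f /a/bin/distro-setup/btrbk-run` extend the command list reachable with the unconfirmed h key (the rootsshsync comments in this diff describe hssh as that allowlist), and two of the rsync lines differ only in the `/usr/local/./bin` relative-path form versus `/usr/local/bin`. Assuming hssh compares the whole command string exactly (the matching code is outside the hunk), each variant must be listed, but a one-line comment above each naming the client command that produces it, as the existing `# mount-latest-remote` line does, would let the list be pruned later without guessing. These are all sender-side forms, so the change widens what the key can read, not what it can write.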
@@ -1,8 +1,19 @@ #!/bin/bash -#https://askubuntu.com/questions/942366/how-to-disable-sleep-suspend-at-login-screen sudo xhost +si:localuser:lightdm # grants localuser rights to X session sudo su lightdm -s /bin/bash <<'EOF' -/usr/bin/xset -dpms -/usr/bin/xset s off + +xset dpms 0 0 120 + EOF + + +# i wanted the system to stop going to sleep, so +# I did this, +#https://askubuntu.com/questions/942366/how-to-disable-sleep-suspend-at-login-screen +#/usr/bin/xset -dpms +#/usr/bin/xset s off + +# but then i started auto rebooting and found that the +# screen doesnt go into power save mode, so copied xset dpms 0 0 120 from here +# https://itectec.com/ubuntu/ubuntu-how-to-control-lightdm-power-saving-preferences/ diff --git a/mail-setup b/mail-setup index 3e6c05a..5c7dac3 100755 --- a/mail-setup +++ b/mail-setup @@ -129,7 +129,6 @@ fi [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" -export SSH_CONFIG_FILE_OVERRIDE=/root/.ssh/confighome u=$(id -nu 1000) @@ -699,7 +698,6 @@ if [[ -e /p/c/filesystem ]]; then # after my internet was down for a bit: # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. m /a/exe/vpn-mk-client-cert -b mailclient -n mail li.iankelling.org - m /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail li.iankelling.org fi case $HOSTNAME in bk) diff --git a/pkgs b/pkgs index bcfb321..ec2e0e5 100644 --- a/pkgs +++ b/pkgs @@ -75,6 +75,8 @@ p3=( binutils-doc bind9-doc bind9utils + # for system76 laptop with i3 keybind. + brightnessctl build-essential bwm-ng ccache diff --git a/rootsshsync b/rootsshsync index 1aebad8..dc87133 100755 --- a/rootsshsync +++ b/rootsshsync 
@@ -38,24 +38,34 @@ find $user_ssh_dir -xtype l -exec rm '{}' \; # -t times, so it won't rewrite the file every time, # -L resolve links rsync --exclude=/h --exclude=/h.pub --exclude /config --exclude /confighome -rtL --delete $user_ssh_dir/ /root/.ssh -rsync -tL $user_ssh_dir/config /root/.ssh/confighome -cp -a /q/root/h{,.pub} /root/.ssh -### The h key is like the home key, but only a whitelist of commands allowed, and -# not encrypted, so cron and whatnot can use it. -# For any interactive ssh command we want to run as root that is not in that -# whitelist, we need to ssh -F $HOME/.ssh/confighome -### I run a separate ssh-agent for root where I add keys without -# confirm. This the root ssh-agent is only available -# to root, and it allows us to have a working ssh when X isnt available, -# eg, in an ssh shell. confirm for regular user provides some protection -# that a rouge user program cant use my ssh key. -sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,;s,^AddKeysToAgent confirm,AddKeysToAgent yes,' /root/.ssh/confighome >/root/.ssh/config +if [[ -e /q/root/h ]]; then + cp -a /q/root/h{,.pub} /root/.ssh +fi + +if [[ -e $user_ssh_dir/config ]]; then + ### The h key is like the home key, but only a whitelist of commands allowed, and + # not encrypted, so cron and whatnot can use it. + # For any interactive ssh command we want to run as root that is not in that + # whitelist, we need to ssh -F $HOME/.ssh/confighome + ### I run a separate ssh-agent for root where I add keys without + # confirm. This the root ssh-agent is only available + # to root, and it allows us to have a working ssh when X isnt available, + # eg, in an ssh shell. confirm for regular user provides some protection + # that a rouge user program cant use my ssh key. 
+ sed 's,^AddKeysToAgent confirm,AddKeysToAgent yes,' $user_ssh_dir/config >/root/.ssh/confighome + sed 's,^IdentityFile ~/\.ssh/home$,IdentityFile ~/\.ssh/h,' /root/.ssh/confighome >/root/.ssh/config +fi chown -R root:root /root/.ssh # notably: installs hssh /a/exe/install-my-scripts -install /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin -systemctl enable --now ssh-agent-root +if [[ -e /a/opt/btrbk/ssh_filter_btrbk.sh ]]; then + install /a/opt/btrbk/ssh_filter_btrbk.sh /usr/local/bin +fi + +if [[ -e /etc/systemd/system/ssh-agent-root.service ]]; then + systemctl enable --now ssh-agent-root +fi d=/etc/initramfs-tools if [[ -e $d ]] && ! diff -q /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys &>/dev/null; then diff --git a/subdir_files/.config/i3/config b/subdir_files/.config/i3/config index 957b432..ffbb22e 100644 --- a/subdir_files/.config/i3/config +++ b/subdir_files/.config/i3/config @@ -76,7 +76,10 @@ bindsym $mod+Shift+m border toggle bindsym $mod+j exec emacsclient -c bindsym $mod+k exec konsole bindsym $mod+l exec dmenu_run - +# note default is 27% on my system76. not sure if these +# keybinds will screw up other laptop brightness keys. +bindsym XF86MonBrightnessUp exec brightnessctl s +5% +bindsym XF86MonBrightnessDown exec brightnessctl s 5%- # Font for window titles. Will also be used by the bar unless a different font # is used in the bar {} block below. diff --git a/subdir_files/.config/sway/config b/subdir_files/.config/sway/config index 4e3014e..973e3f8 100644 --- a/subdir_files/.config/sway/config +++ b/subdir_files/.config/sway/config 
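Review bot: In the rootsshsync hunk, `/root/.ssh/confighome` is now generated with `AddKeysToAgent confirm` rewritten to `yes` before the `IdentityFile` substitution, so the interactive-root config that still points at the encrypted `home` key also adds it to root's agent without per-use confirmation, whereas before this change confighome was a verbatim copy of the user config and only `config` dropped confirm. The comment block above still presents confirm as the protection for the user's key and does not say that both root configs now rely solely on the root-only agent socket; a sentence such as `# both root configs use AddKeysToAgent yes; the protection is that root's agent socket is only reachable by root` would make that explicit. If confirm is still wanted for interactive root use, generating confighome as a plain copy and applying both substitutions only to config restores the previous behavior.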
@@ -76,7 +76,10 @@ bindsym $mod+Shift+m border toggle bindsym $mod+j exec emacsclient -c bindsym $mod+k exec konsole bindsym $mod+l exec dmenu_run - +# note default is 27% on my system76. not sure if these +# keybinds will screw up other laptop brightness keys. +bindsym XF86MonBrightnessUp exec brightnessctl s +5% +bindsym XF86MonBrightnessDown exec brightnessctl s 5%- # Font for window titles. Will also be used by the bar unless a different font # is used in the bar {} block below. diff --git a/subdir_files/.gnupg/gpg.conf b/subdir_files/.gnupg/gpg.conf index 9868101..035415d 100644 --- a/subdir_files/.gnupg/gpg.conf +++ b/subdir_files/.gnupg/gpg.conf @@ -44,11 +44,11 @@ default-key B125F60B7B287FF6A2B7DF8F170AF0E2954295DF #keyserver hkp://keyserver.pgp.com #keyserver hkp://ipv4.pool.sks-keyservers.net #keyserver hkp://keys.gnupg.net -keyserver hkp://keyserver.ubuntu.com +#keyserver hkp://keyserver.ubuntu.com #keyserver hkp://keyring.debian.org #keyserver keyserver.ubuntu.com # more secure hkps, but had problems with my gpg version -#keyserver hkps://hkps.pool.sks-keyservers.net +keyserver hkps://hkps.pool.sks-keyservers.net ### begin things added by enigmail cert-digest-algo SHA256 diff --git a/switch-mail-host b/switch-mail-host index ba81d5f..0a80d2c 100644 --- a/switch-mail-host +++ b/switch-mail-host @@ -23,6 +23,7 @@ EOF exit $1 } + restore_new_btrbk=false restore_old_btrbk=false err-cleanup() { @@ -80,6 +81,7 @@ case $1 in new_host=$2 bbk_args="-t $new_host" new_shell="ssh -F $HOME/.ssh/confighome root@$new_host" + $new_shell -v hostname new_hostname=$($new_shell hostname) ;; pull) diff --git a/system-status b/system-status index 72ed5b5..5aa329c 100644 --- a/system-status +++ b/system-status @@ -92,7 +92,7 @@ write-status() { # No point in emailing about the mailq on a host where we don't # check email. $MAIL_HOST|bk) - lo -10 qlen $qmsg + lo -120 qlen $qmsg ;; esac 
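Review bot: In the gpg.conf hunk, the newly enabled `keyserver hkps://hkps.pool.sks-keyservers.net` points at the SKS pool, which as far as I know was shut down in June 2021, a few months before this commit, so lookups and refreshes will fail to resolve rather than fall back. If an hkps server is wanted, `keys.openpgp.org` is the commonly used replacement (note it only returns user IDs that have been verified by email); otherwise restoring the `keyserver hkp://keyserver.ubuntu.com` line that this hunk comments out keeps lookups working. A short comment recording why the pool was chosen over the previous server would help the next edit.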
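Review bot: In the switch-mail-host hunk (@@ -80), the added `$new_shell -v hostname` runs the same remote command that the next line already captures, with ssh's `-v` debug output going to the terminal, so it reads as a debugging aid that was left in. If it is meant to surface connection problems before the captured `$($new_shell hostname)`, say so in a comment (and consider dropping `-v` once the issue is understood); otherwise delete the line. As with the existing line, `$new_shell` is expanded unquoted on purpose to word-split the command, so it relies on `$HOME` and `$new_host` containing no spaces.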
@@ -176,8 +176,6 @@ write-status() { done fi - /a/bin/distro-setup/epanic-clean - if [[ -s /var/log/exim4/paniclog ]]; then chars+=("PANIC!") tail -n 20 /var/log/exim4/paniclog | lo -1 paniclog @@ -192,7 +190,7 @@ write-status() { chars+=("BTRBK.TIMER") bbkmsg="btrbk.timer not enabled" fi - lo -60 btrbk.timer $bbkmsg + lo -960 btrbk.timer $bbkmsg ## check if last snapshot was within an hour vol=o @@ -220,9 +218,9 @@ write-status() { maxtime=$t fi done - if (( maxtime < now - 2*60*60 )); then + if (( maxtime < now - 4*60*60 )); then chars+=("OLD-SNAP") - snapshotmsg="/o snapshot older than 2 hours" + snapshotmsg="/o snapshot older than 4 hours" fi lo -1 old-snapshot $snapshotmsg fi