From: Ian Kelling Date: Sun, 14 Mar 2021 13:27:31 +0000 (-0400) Subject: fixes X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=ad52f54f16b0f50fc12162a83118c7fae68978ad;p=distro-setup fixes --- diff --git a/brc b/brc index f7d64f4..537cb77 100644 --- a/brc +++ b/brc @@ -646,7 +646,7 @@ eqcat() { } eqrmf() { exiqgrep -i | xargs exim -Mrm - } +} # shellcheck disable=SC2032 @@ -930,6 +930,9 @@ jtail() { } jr() { journalctl "$@" ; } jrf() { journalctl -f "$@" ; } +jru() { + journalctl -u exim4 _SYSTEMD_INVOCATION_ID=$(systemctl show -p InvocationID --value $1) +} l() { if [[ $PWD == /[iap] ]]; then diff --git a/distro-end b/distro-end index 78162c9..81b31d8 100755 --- a/distro-end +++ b/distro-end @@ -555,6 +555,16 @@ case $HOSTNAME in # general vpn for as needed use vpn-server-setup -d -r -4 10.5.5 -p 443 -n hole + + # sullivan d8 + sd /etc/openvpn/client-config-hole/sd8 <<'EOF' +ifconfig-push 10.5.5.41 255.255.255.0 +EOF + # hsieh d8 + sd /etc/openvpn/client-config-hole/hd8 <<'EOF' +ifconfig-push 10.5.5.42 255.255.255.0 +EOF + sd /etc/openvpn/client-config-hole/sy <<'EOF' ifconfig-push 10.5.5.12 255.255.255.0 EOF @@ -580,7 +590,10 @@ EOF ifconfig-push 10.5.5.2 255.255.255.0 EOF + # for adding to current system: #vpn-mk-client-cert -s "" -n hole 72.14.176.105 + # adding to remove system 107, + #vpn-mk-client-cert -s "" -n hole -c 10.2.0.107 -b hd8 iankelling.org # requested from linode via a support ticket. # https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/ diff --git a/filesystem/etc/systemd/resolved.conf.d/iank.conf b/filesystem/etc/systemd/resolved.conf.d/iank.conf index 323c406..7f14efc 100644 --- a/filesystem/etc/systemd/resolved.conf.d/iank.conf +++ b/filesystem/etc/systemd/resolved.conf.d/iank.conf @@ -4,3 +4,4 @@ # in case. LLMNR=no MulticastDNS=no +DNSOverTLS=yes diff --git a/filesystem/etc/systemd/system/btrfsmaint.service b/filesystem/etc/systemd/system/btrfsmaint.service index 61d6343..88705fe 100644 
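Review bot: In the new `jru` the unit is hard-coded as `-u exim4` while the invocation id is looked up for `$1`, so the two journal filters disagree for any argument other than exim4 and the query returns nothing; assuming this is meant as a per-unit helper, the line should read `journalctl -u "$1" _SYSTEMD_INVOCATION_ID="$(systemctl show -p InvocationID --value "$1")"`. If `systemctl show` fails (unknown unit), the filter degrades to `_SYSTEMD_INVOCATION_ID=` and silently matches nothing, so the function should bail out when the lookup is empty, e.g. `local id; id=$(systemctl show -p InvocationID --value "$1") && [[ $id ]] || return 1`. Quoting `$1` also prevents word splitting on an unusual unit name.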
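Review bot: `DNSOverTLS=yes` in the global resolved drop-in is strict mode, so every resolver systemd-resolved ends up using must answer TLS on port 853 or lookups fail; that presumably includes the per-link servers that the trusted-network change in this same commit hands back to DHCP, which typically do not offer DoT. If the goal is DoT only for the Cloudflare servers configured by untrusted-network, either use `DNSOverTLS=opportunistic` here or move `DNSOverTLS=yes` into the untrusted-network drop-in. Also note that strict mode only authenticates the server when the running systemd supports certificate validation and, as far as I can tell, a `#name` is given; the version cut-off used in untrusted-network should be checked against the systemd release notes for the release that introduced that validation, and the `# in case.` comment above could state the intended trade-off, e.g. `# strict DoT: lookups fail rather than fall back to plaintext`.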
--- a/filesystem/etc/systemd/system/btrfsmaint.service +++ b/filesystem/etc/systemd/system/btrfsmaint.service @@ -9,4 +9,4 @@ Type=oneshot # we pass options to use different location. ExecStart=/a/bin/log-quiet/sysd-mail-once -1 btrfsmaint /a/bin/ds/btrfsmaint IOSchedulingClass=idle -CPUSchedulingPolicy=idle \ No newline at end of file +CPUSchedulingPolicy=idle diff --git a/mail-setup b/mail-setup index b11993a..5b9ed95 100755 --- a/mail-setup +++ b/mail-setup @@ -12,6 +12,8 @@ # todo: on bk, dont send email if mailvpn is not up +# todo: mailtest-check should check on bk too + # todo: disable postgrey # todo: in testforward-check, we should also look @@ -375,7 +377,7 @@ COMMIT COMMIT EOF # load it now. - m ip6tables -S &>/dev/null + m ip6tables -S >/dev/null fi # our nostart pi fails to avoid enabling @@ -1772,11 +1774,15 @@ EOF domain=${bkdomains[i]} ncdir=${ncdirs[i]} ncbase=${ncdir##*/} - cd /var/www + m cd /var/www if [[ ! -e $ncdir/index.php ]]; then - m wget -nv -N https://download.nextcloud.com/server/releases/latest.zip - m unzip -q latest.zip - m rm -f latest.zip + # as of march 14 2021, user_external is broken for nextcloud 21 + # https://github.com/nextcloud/user_external/issues/165 + #file=latest.zip + file=latest-20.zip + m wget -nv -N https://download.nextcloud.com/server/releases/$file + m unzip -q $file + m rm -f $file m chown -R www-data.www-data nextcloud m mv nextcloud $ncdir m cd $ncdir @@ -1812,13 +1818,13 @@ EOF \$CONFIG['htaccess.RewriteBase'] = '/nextcloud'; \$CONFIG['trusted_domains'] = array ( 0 => '$domain', - );s + ); #\$CONFIG[''] = ''; fwrite(STDOUT, "config.php 2>/dev/null + m php tmp.php >config.php m rm tmp.php m sudo -u www-data php $ncdir/occ maintenance:update:htaccess list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list) 
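Review bot: The nextcloud download in the `m wget -nv -N .../$file` / `m unzip -q $file` lines is still unverified: whatever the mirror serves is unpacked and installed, and pinning `latest-20.zip` means the fetched release changes over time with no integrity check. Nextcloud publishes `.sha256` and `.asc` companions next to each release archive (verify against the release index), so fetching `$file.sha256` too and running `sha256sum -c "$file.sha256"` (or `gpg --verify` against a pinned Nextcloud release key) before the unzip closes the gap; `$file` should also be quoted in all three commands. The enclosing `if [[ ! -e $ncdir/index.php ]]` block continues past the hunk.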
@@ -1827,11 +1833,51 @@ EOF m sudo -u www-data php $ncdir/occ app:install $app fi done - i /etc/cron.d/$ncbase <<'EOF' + i /etc/systemd/system/$ncbase.service <&2; exit 1; fi +shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR + +ncbase=$1 +if ! php /var/www/$ncbase/updater/updater.phar -n; then + echo failed nextcloud update for $ncbase >&2 + /sbin/exim -t < >(tee >(cat 1>&2)) || echo fail >&2; } | systemd-cat -t ncupdate -# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html +# https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html */5 * * * * php -f $ncdir/cron.php --define apc.enable_cli=1 |& log-once nccron EOF diff --git a/mailtest-check b/mailtest-check index 5b7b220..3c36b7c 100755 --- a/mailtest-check +++ b/mailtest-check @@ -63,17 +63,16 @@ fi for folder in ${folders[@]}; do for from in ${froms[@]}; do latest= - cd $folder last_sec=0 # webmail sends them to cur it seems while read -r file; do if [[ $file -nt $latest ]]; then latest=$file fi - done < <(grep -rlFx "From: $from" new cur) + done < <(grep -rlFx "From: $from" $folder/{new,cur} ) if [[ $latest ]]; then - e latest = $folder/$latest + e latest = $latest last_sec=$(awk '/^Subject: / {print $4}' $latest) if $slow; then @@ -124,7 +123,7 @@ for folder in ${folders[@]}; do fi done if (( ${#results[@]} || ${#missing[@]} )); then - printf "$HOSTNAME spamtest %s/%s\n" "$folder" "$latest" + printf "$HOSTNAME spamtest %s/%s\n" "$latest" if (( ${#results[@]} )); then printf "unexpected %s" "${!results[*]} " fi 
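Review bot: In the `spamtest` printf the format still has two `%s` after the `"$folder"` argument was dropped, so the output now ends in `/` followed by an empty field: `printf "$HOSTNAME spamtest %s/%s\n" "$latest"`. Since `$latest` already carries the folder prefix (it now comes from `grep -rlFx "From: $from" $folder/{new,cur}` in the previous hunk), the line should be `printf '%s spamtest %s\n' "$HOSTNAME" "$latest"`, which also keeps `$HOSTNAME` out of the format string. The `for folder` loop this sits in starts and ends outside the hunk.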
@@ -132,8 +131,8 @@ for folder in ${folders[@]}; do
 printf "missing %s" "${missing[*]}"
 fi
 echo
- echo mailtest-check: cat $folder/$latest:
- cat $folder/$latest
+ echo mailtest-check: cat $latest:
+ cat $latest
 echo mailtest-check: end of cat
 fi
 fi # if spamdpid
diff --git a/trusted-network b/trusted-network
index 39c73ee..263224f 100755
--- a/trusted-network
+++ b/trusted-network
@@ -8,15 +8,38 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 # Usage: run when switching from an untrusted network like public wifi
 # to a trusted one.
-if [[ -e /etc/dnsmasq.d/untrusted-network.conf ]]; then
- rm -f /etc/dnsmasq.d/untrusted-network.conf /etc/systemd/resolved.conf.d/untrusted-network.conf
- reresolv
-fi
-
-
 if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then
 rm -f /etc/NetworkManager/conf.d/dns.conf
 if [[ $(systemctl is-active NetworkManager) == active ]]; then
 systemctl restart NetworkManager
 fi
 fi
+
+dhclient_restart=false
+# man dhclient.conf
+if ! grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then
+ sed -i 's/^ *request/request domain-name-servers,/' /etc/dhcp/dhclient.conf
+ dhclient_restart=true
+fi
+
+
+
+read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8)
+if [[ $gateway_if ]]; then
+ # we could do this, but dhclient is still running and will use its old settings
+ # from dependencies of ifupdown,
+ # from man dhclient-script
+ # from /etc/dhcp/dhclient-enter-hooks.d/resolved
+ # rm -f /run/systemd/resolved.conf.d/*$gateway_if*
+
+
+ if $dhclient_restart && grep -Pq '^ *auto ($gateway_if|.* $gateway_if( |$))' /etc/network/interfaces; then
+ m ifdown $gateway_if
+ m ifup $gateway_if
+ fi
+
+ # at least on systemd 237 ifupdown it sets a global and this is not needed
+ systemd-resolve --interface=$gateway_if --revert
+fi
+
+reresolv
diff --git a/untrusted-network b/untrusted-network
index 5dec09c..008e21a 100755
--- a/untrusted-network
+++ b/untrusted-network
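Review bot: `read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8)` relies on the fifth word being the device name, which holds only when the route has a `via` gateway; for an on-link or point-to-point route (a tunnel, for example) the output is `8.8.8.8 dev tun0 src ...` and `gateway_if` receives the source address, so the `systemd-resolve --interface=$gateway_if --revert` below then fails. Picking the word after `dev` works for both forms: `gateway_if=$(ip route get 8.8.8.8 | awk '{for (i=1;i<NF;i++) if ($i=="dev") {print $(i+1); exit}}')`. The same pattern is added to untrusted-network in the last hunk of this commit. Separately, the `grep -qP '\bdomain-name-servers\b'` presence test also matches commented-out lines (the stock Debian dhclient.conf ships `#prepend domain-name-servers 127.0.0.1;`), so on such a file the add-back is skipped even when the `request` list lacks the option; anchoring the test to the request statement, or stripping comments first, would be safer.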
@@ -8,24 +8,22 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR # Usage: use when switching from a trusted network to an untrusted one, # like public wifi. -if [[ -s /etc/dnsmasq.d/untrusted-network.conf ]]; then - exit 0 +read -r _ ver _ < <(systemd-resolve --version) + + +servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001) +servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003) +# first version that supports this syntax +if (( ver >= 239 )); then + servers=(${servers[@]/%/#cloudflare-dns.com}) fi -cat >/etc/dnsmasq.d/untrusted-network.conf <<'EOF' -server=8.8.4.4 -server=8.8.8.8 -server=2001:4860:4860::8844 -server=2001:4860:4860::8888 -no-resolv -# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/ -stop-dns-rebind -EOF # https://wiki.archlinux.org/index.php/Systemd-resolved#Manually -cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <<'EOF' +cat >/etc/systemd/resolved.conf.d/untrusted-network.conf </etc/NetworkManager/conf.d/dns.conf <<'EOF' 
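Review bot: The first `servers=(1.1.1.1 1.0.0.1 ...)` assignment is dead code, overwritten on the very next line by the `1.1.1.3`/`1.0.0.3` set (which appear to be Cloudflare's filtering resolvers); keep one, and if the unfiltered set is meant to stay available, turn it into a comment such as `# unfiltered alternative: 1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001`. The `#cloudflare-dns.com` suffix is only appended for `ver >= 239`, so on older releases the DoT session has no server name to authenticate against and the connection is encrypted but not authenticated; that deserves an explicit comment in the fall-through case. I am not certain the `#name` syntax (and certificate validation) arrived in 239 rather than a later release, so please confirm the cut-off against the systemd NEWS. The resolved.conf.d heredoc body that consumes `servers` is cut off in this rendering.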
@@ -36,6 +34,65 @@ EOF
 if [[ $(systemctl is-active NetworkManager) == active ]]; then
 systemctl restart NetworkManager
+fi
+
+dhclient_restart=false
+# man dhclient.conf
+if grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then
+ sed -i 's/domain-name-servers,\?//' /etc/dhcp/dhclient.conf
+ dhclient_restart=true
+fi
+
+read -r _ _ _ _ gateway_if _ < <(ip route get 8.8.8.8)
+if [[ $gateway_if ]]; then
+ # we could do this, but dhclient is still running and will use its old settings
+ # from dependencies of ifupdown,
+ # from man dhclient-script
+ # from /etc/dhcp/dhclient-enter-hooks.d/resolved
+ # rm -f /run/systemd/resolved.conf.d/*$gateway_if*
+
+
+ if $dhclient_restart && grep -Pq '^ *auto ($gateway_if|.* $gateway_if( |$))' /etc/network/interfaces; then
+ m ifdown $gateway_if
+ m ifup $gateway_if
 fi
+ # at least on systemd 237 ifupdown it sets a global and this is not needed
+ systemd-resolve --interface=$gateway_if --revert
+fi
+
 reresolv
+
+# just for curiosity i did a
+# wrapper around dhclient, then ifdown eth0; ifup eth0:
+
+# Tue Mar 9 18:29:05 EST 2021
+# args -4 -v -r -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
+# env
+# ADDRFAM=inet
+# PHASE=pre-down
+# VERBOSITY=0
+# PWD=/sbin
+# IFACE=eth0
+# METHOD=dhcp
+# SHLVL=1
+# LOGICAL=eth0
+# MODE=stop
+# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# IFUPDOWN_eth0=pre-down
+# _=/usr/bin/env
+# Tue Mar 9 18:29:07 EST 2021
+# args -1 -4 -v -pf /run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -I -df /var/lib/dhcp/dhclient6.eth0.leases eth0
+# env
+# ADDRFAM=inet
+# PHASE=post-up
+# VERBOSITY=0
+# PWD=/sbin
+# IFACE=eth0
+# METHOD=dhcp
+# SHLVL=1
+# LOGICAL=eth0
+# MODE=start
+# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# IFUPDOWN_eth0=post-up
+# _=/usr/bin/env
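Review bot: Stripping `domain-name-servers` from dhclient's request list only covers DHCPv4; if the request list also names `dhcp6.name-servers` (as the Debian default does) or the network advertises RDNSS in router advertisements, the untrusted network's resolvers can still be installed per-link and, with `DNSOverTLS=yes` now set globally by this commit's iank.conf change, will presumably be used in strict mode, so the exclusion should cover `dhcp6.name-servers` as well and the result be checked with `systemd-resolve --status` after switching. The `sed -i 's/domain-name-servers,\?//'` also edits the token inside comment lines, which is harmless in itself but is what makes the preceding `grep -qP '\bdomain-name-servers\b'` test match lines it should ignore. The dhclient environment dump appended as comments would be better kept in the commit message or a notes file than at the tail of an executable script. The `ip route get` word-position issue in `read -r _ _ _ _ gateway_if _` is noted on the trusted-network hunk and applies here too.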