From: Ian Kelling Date: Sun, 13 Dec 2020 23:32:55 +0000 (-0500) Subject: fix mail for when network is down X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=d473a5e71ba17460f4a50d1bb514177c1ec7e66a;p=distro-setup fix mail for when network is down --- diff --git a/brc2 b/brc2 index 37b2ee8..1a80fc6 100644 --- a/brc2 +++ b/brc2 @@ -270,6 +270,7 @@ bigclock() { nnn() { /a/opt/nnn -H "$@"; } +# duplicated somewhat below. jrun() { # journal run. run args, log to journal, tail and grep the journal. # Note, an alternative without systemd would be something like ts. # Note, I tried using systemd-cat, but this seems obviously better, @@ -281,15 +282,16 @@ jrun() { # journal run. run args, log to journal, tail and grep the journal. if [[ $cmd != /* ]]; then cmd=$(which $1) fi - # We use >() so that $! is the pid of journalctl, otherwise its the sed pid and then - # if we kill that, it takes journalctl about 10 seconds to catch up, and we get - # an annoying message about job finishing then. journalctl -qn2 -f -u "$cmd_name" & # We kill this in prompt-command for the case that we ctrl-c the # systemd-cat. i dont know any way to trap ctrl-c and still run the # normal action for it. There might be a way, unsure. jr_pid=$! - s systemd-run --unit "$cmd_name" --wait --collect "$cmd" "${@:2}" || ret=$? + # note, we could have a version that does system --user, but if for example + # it does sudo ssh, that will leave a process around that we can't kill + # and it will leave the unit hanging around in a failed state needing manual + # killing of the process. + m s systemd-run --uid $(id -u) --gid $(id -g) --unit "$cmd_name" --wait --collect "$cmd" "${@:2}" || ret=$? # This justs lets the journal output its last line # before the prompt comes up. sleep .5 diff --git a/mail-setup b/mail-setup index ffb604b..57cc43e 100755 --- a/mail-setup +++ b/mail-setup 
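Review bot: In jrun, the new `--uid $(id -u) --gid $(id -g)` arguments are unquoted command substitutions, and nothing in the function's comments records that the transient unit now runs with the caller's uid and gid, where a system unit started without those options runs as root. I would quote them, `m s systemd-run --uid "$(id -u)" --gid "$(id -g)" --unit "$cmd_name" --wait --collect "$cmd" "${@:2}" || ret=$?`, and add a line above it such as `# the unit runs as the invoking user, not root; commands that need root must escalate themselves`. The added comment's `system --user` presumably means `systemd-run --user` and is worth spelling out. The body of jrun starts and ends outside this hunk, so how `ret` and `cmd_name` are set is not visible here.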
@@ -367,8 +367,9 @@ soff openvpn if [[ $(debian-codename) == etiona ]]; then # ip6tables stopped loading on boot. openvpn has reduced capability set, # so running iptables as part of openvpn startup wont work. This should do it. - # Im sure there is a better way, but this works fine. - yes no | pi iptables-persistent || [[ $? == 141 ]] + # Im sure there is a better way, but this works fine. running as a systemd + # unit, yes returns 1, broken pipe. + yes no | pi iptables-persistent || [[ $? == 141 || ${PIPESTATUS[1]} == 0 ]] cat >/etc/iptables/rules.v6 <<'EOF' *mangle COMMIT @@ -459,8 +460,9 @@ Documentation=man:openvpn(8) Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO # needed to continually restatr -StartLimitIntervalSec=0 JoinsNamespaceOf=mailnn.service +BindsTo=mailnn.service +StartLimitIntervalSec=0 [Service] Type=notify @@ -493,9 +495,34 @@ RestartSec=1 WantedBy=multi-user.target EOF +i /etc/systemd/system/mailnnroute.service <<'EOF' +[Unit] +Description=Network routing for mailnn +After=syslog.target network-online.target mailnn.service +Wants=network-online.target +JoinsNamespaceOf=mailnn.service +BindsTo=mailnn.service +StartLimitIntervalSec=0 + + +[Service] +Type=oneshot +RemainAfterExit=true +PrivateNetwork=true +ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail +ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail +Restart=always +RestartSec=10 + + +[Install] +WantedBy=multi-user.target +EOF + +# i /etc/systemd/system/mailnn.service <<'EOF' [Unit] -Description=Network Namespace for mailvpn.service +Description=Network Namespace for mailvpn.service that will live forever and cant fail After=syslog.target network-online.target Wants=network-online.target 
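Review bot: The `$? == 141` alternative in the new test still accepts the pipeline when the 141 came from `pi` rather than from `yes`, so an install of iptables-persistent that died on SIGPIPE would count as success and the ip6tables rules would silently not be persisted. The intent reads as "ignore how `yes` ended, require `pi` to succeed", and testing only the second stage says that directly: `yes no | pi iptables-persistent || [[ ${PIPESTATUS[1]} == 0 ]]`. This assumes `pipefail` is in effect, which the hunk does not show; without it the `||` branch is reached only when `pi` itself has failed. The enclosing `if` block continues past the end of the hunk.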
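Review bot: The comment `# needed to continually restatr` now sits directly above `JoinsNamespaceOf=mailnn.service`, because `StartLimitIntervalSec=0` was moved below the new `BindsTo=` line, so it no longer explains the setting it was written for. Keep the two adjacent, for example `# needed to continually restart` immediately above `StartLimitIntervalSec=0`. Separately, `BindsTo=` only gives its strict stop-together behaviour when the same unit also orders itself with `After=` on the bound unit; this unit's `After=` line is outside the hunk, so confirm it lists `mailnn.service`.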
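Review bot: `Restart=always` in the new mailnnroute.service conflicts with `Type=oneshot`: systemd rejects `always` and `on-success` for oneshot services, and older releases reject every value other than `no`, so the unit is likely to be refused at load time instead of being restarted. Use `Restart=on-failure` where the installed systemd accepts it for oneshot units, or drop `Restart=` and `RestartSec=` and rely on `BindsTo=mailnn.service`. The lock file `/tmp/newns.flock` is also in a world-writable directory while the unit has no `User=` and so runs as root; any local user can create or hold that file and make `flock -w 20` time out. A root-owned location, for example `/run/newns.flock`, avoids this, but it has to change in mailnn.service at the same time because both units take the same lock.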
@@ -510,6 +537,8 @@ ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail WantedBy=multi-user.target EOF + + # old service name rm -fv /etc/systemd/system/openvpn-client-mail@.service @@ -552,19 +581,33 @@ if ! grep -qFx "$line" $f; then m ser reload apparmor fi +# note: anything added to nn_progs needs corresponding rm +# down below in the host switch nn_progs=(exim4) if mailhost; then # Note dovecots lmtp doesnt need to be in the same nn to accept delivery. # Its in the nn so remote clients can connect to it. - nn_progs+=(spamassassin dovecot unbound) + nn_progs+=(spamassassin dovecot) fi case $HOSTNAME in $MAIL_HOST) - r=/etc/nn-resolv:/run/systemd/resolve - ;;& - bk) - r=/etc/bk-resolv:/etc/nn-resolv + i /etc/systemd/system/unbound.service.d/nn.conf <