From 1f92f5f3fc715cc3fd55cf8aefacce9d130331de Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Tue, 29 Mar 2022 02:54:49 -0400 Subject: [PATCH] fixes --- brc2 | 2 ++ distro-end | 36 +++++++++++-------- exim-nn-iptables | 27 ++++++++++++++ .../renewal-hooks/deploy/certbot-renew-hook | 4 --- install-my-scripts | 1 + mail-setup | 19 ++++++---- mailtest-check | 2 ++ 7 files changed, 66 insertions(+), 25 deletions(-) create mode 100755 exim-nn-iptables diff --git a/brc2 b/brc2 index e392cf5..486bd25 100644 --- a/brc2 +++ b/brc2 @@ -12,6 +12,8 @@ source /a/bin/distro-setup/path-add-function path-add /a/exe # add this with absolute paths as needed for better security #path-add --end /path/to/node_modules/.bin +## for yarn, etc +#path-add --end /usr/lib/node_modules/corepack/shims/ # pip3 --user things go here: path-add --end ~/.local/bin diff --git a/distro-end b/distro-end index b1b7a9f..878a6ab 100755 --- a/distro-end +++ b/distro-end @@ -842,7 +842,9 @@ EOF # also would be nice if erc supported # https://wiki.znc.in/self-message # https://wiki.znc.in/Query_buffers \ - # + # + # for geekshed, there was no sasl support as far as I can tell, + # so I set to msg nickserv to identify upon connect. if ! getent passwd znc > /dev/null; then sudo useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc fi 
@@ -1548,23 +1550,27 @@ sudo chown -R debian-transmission:debian-transmission /var/lib/transmission-daem # # Changed the cache-size to 256 mb, reduces disk use. # It is a read & write cache. -sudo ruby </dev/null && \ + ! systemctl is-active transmission-daemon; then + sudo ruby < false, -'rpc-authentication-required' => false, -'incomplete-dir' => '$tdir/partial-torrents', -'incomplete-dir-enabled' => true, -'download-dir' => '$tdir/torrents', -"speed-limit-up" => 800, -"speed-limit-up-enabled" => true, -"peer-port" => 61486, -"cache-size-mb" => 256, -"ratio-limit" => 5.0, -"ratio-limit-enabled" => false, -})) + "\n") +s = { + 'rpc-whitelist-enabled' => false, + 'rpc-authentication-required' => false, + 'incomplete-dir' => '$tdir/partial-torrents', + 'incomplete-dir-enabled' => true, + 'download-dir' => '$tdir/torrents', + "speed-limit-up" => 800, + "speed-limit-up-enabled" => true, + "peer-port" => 61486, + "cache-size-mb" => 256, + "ratio-limit" => 5.0, + "ratio-limit-enabled" => false, +} +puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge())) EOF +fi ####### end transmission diff --git a/exim-nn-iptables b/exim-nn-iptables new file mode 100755 index 0000000..119eaf0 --- /dev/null +++ b/exim-nn-iptables 
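Review bot: The settings hash `s` built in the new ruby body is never applied, because the last line calls `.merge()` with no argument, so `JSON.parse(File.read(p)).merge()` returns the existing settings unchanged (on Ruby older than 2.6 it raises ArgumentError instead) and settings.json is rewritten without the intended values. It should read `puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge(s)))`. The hunk as shown here looks garbled around the `sudo ruby` heredoc introducers, so I am reading the intent from the `s = {...}` block rather than those lines. Note also that the hash disables both `rpc-whitelist-enabled` and `rpc-authentication-required`; that predates this change, but once the merge actually works it is worth confirming the RPC port is bound to localhost or otherwise firewalled.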
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+# This prevents exim from connecting out to an ip not through the vpn.
+# Before this, I had set exim to be BindsTo=wg-quick@wgmail, which
+# generally made sure it wouldn't run unless the vpn ran, and plus I set
+# a specific interface in the main remote smtp transport. However,
+# However, that wasn't bulletproof, exim spec says about "interface: The
+# first interface of the correct type (IPv4 or IPv6) is used for the
+# outgoing connection. If none of them are the correct type, the option
+# is ignored." And then I found out that the BindsTo results in exim
+# never starting if the vpn fails to start the first time, then starts
+# on the systemd automatic restart. Ugh. So, better to use Wants instead
+# and this.
+
+if !/usr/sbin/iptables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
+ /usr/sbin/iptables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
+fi
+
+
+if !/usr/sbin/ip6tables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
+ /usr/sbin/ip6tables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
+fi
diff --git a/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook b/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook
index 0ee609d..f10f818 100755
--- a/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook
+++ b/filesystem/etc/letsencrypt/renewal-hooks/deploy/certbot-renew-hook
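Review bot: The `-C` checks on both `if` lines never run iptables: in bash `!` is only the negation keyword when it is a separate word, so `!/usr/sbin/iptables` is parsed as one command name that does not exist, the lookup fails with status 127 (its error message is swallowed by `&>/dev/null`), the condition is false, and the REJECT rule is never inserted while the script still exits 0. Since the whole point of the script is to stop exim from bypassing the VPN, that failure is silent and defeats the control. Both lines need a space after the bang, `if ! /usr/sbin/iptables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then` and the same for `ip6tables`. Once fixed, the rule only covers destination port 25 on `veth1-mail`; if the remote smtp transport ever uses 465 or 587 those connections would still leave the interface unblocked, which I cannot tell from this hunk.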
@@ -19,10 +19,6 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR dir=$RENEWED_LINEAGE # long caps vars just bother me case $dir in - /etc/letsencrypt/live/je.b8.nz) - install -m 644 $dir/fullchain.pem /etc/node_exporter/fullchain.pem - install -m 640 -g node-exp $dir/privkey.pem /etc/node_exporter/privkey.pem - ;; /etc/letsencrypt/live/iankelling.org) cat $dir/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem ;; diff --git a/install-my-scripts b/install-my-scripts index c6f960a..27c5c4b 100755 --- a/install-my-scripts +++ b/install-my-scripts @@ -43,6 +43,7 @@ rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-s mail-backup-clean \ iptables-exim \ ip6tables-exim \ + exim-nn-iptables \ /usr/local/bin rsync -t --chmod=755 --chown=root:root /a/bin/errhandle/err /usr/local/lib diff --git a/mail-setup b/mail-setup index 5166faa..f47f6ab 100755 --- a/mail-setup +++ b/mail-setup @@ -717,8 +717,12 @@ EOF for unit in ${nn_progs[@]}; do i /etc/systemd/system/$unit.service.d/nn.conf <