From 1fd90e6a23fc2fd46b90dcfa944d71766ecaec09 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Mon, 30 Sep 2024 16:05:09 -0400 Subject: [PATCH] mainly move home server stuff to different host --- brc2 | 74 +++++---- btrbkr2 | 3 + conflink | 5 +- distro-begin | 24 ++- distro-end | 152 ++++++++++-------- dynamic-ip-update | 4 +- filesystem/etc/cron.d/ian | 2 + filesystem/usr/local/bin/btrbk-run | 10 +- filesystem/usr/local/bin/btrbk-spread-wrap | 2 +- filesystem/usr/local/bin/prof | 5 +- filesystem/usr/local/bin/spend | 3 +- generate-ui.sh | 67 -------- .../bo/filesystem/etc/btrbk/btrbk.conf | 36 +++++ .../etc/systemd/system/btrbk.service | 8 + .../filesystem/etc/systemd/system/btrbk.timer | 8 + .../filesystem/etc/btrbk/rust.conf | 0 .../kd => frodo/filesystem/etc/cron.d/d_host} | 0 .../etc/systemd/system/btrbkrust.service | 0 .../etc/systemd/system/btrbkrust.timer | 0 .../kd/filesystem/etc/btrbk/root2.conf | 45 ------ mail-setup | 1 - pkgs | 2 + 22 files changed, 224 insertions(+), 227 deletions(-) delete mode 100755 generate-ui.sh create mode 100644 machine_specific/bo/filesystem/etc/btrbk/btrbk.conf create mode 100644 machine_specific/bo/filesystem/etc/systemd/system/btrbk.service create mode 100644 machine_specific/bo/filesystem/etc/systemd/system/btrbk.timer rename machine_specific/{kd => frodo}/filesystem/etc/btrbk/rust.conf (100%) rename machine_specific/{kd/filesystem/etc/cron.d/kd => frodo/filesystem/etc/cron.d/d_host} (100%) rename machine_specific/{kd => frodo}/filesystem/etc/systemd/system/btrbkrust.service (100%) rename machine_specific/{kd => frodo}/filesystem/etc/systemd/system/btrbkrust.timer (100%) delete mode 100644 machine_specific/kd/filesystem/etc/btrbk/root2.conf diff --git a/brc2 b/brc2 index b156819..69c4b70 100644 --- a/brc2 +++ b/brc2 
@@ -614,7 +614,8 @@ update annotation set rating = $rating # Export beets ratings into navidrome beetrating() { local ssh_prefix - if [[ $HOSTNAME != kd ]]; then + source /p/c/domain-info + if [[ $HOSTNAME != $d_host ]]; then ssh_prefix="ssh b8.nz" fi # shellcheck disable=SC2016 # obvious reason @@ -837,7 +838,8 @@ mpvrpc-loadfile() { # note: logic duplicated in beetpull local remote_p=true - if [[ $HOSTNAME == kd ]]; then + source /p/c/domain-info + if [[ $HOSTNAME == $d_host ]]; then remote_p=false fi @@ -1344,7 +1346,8 @@ beet2nav() { beetpull() { local sshfs_host sshfs_cmd sshfs_host=b8.nz - if [[ $HOSTNAME == kd ]]; then + source /p/c/domain-info + if [[ $HOSTNAME == $d_host ]]; then return 0 fi if [[ ! -e /i ]]; then @@ -1362,7 +1365,8 @@ beetpull() { nav-rm-plists() { local tmpf id tmpf=$(mktemp) - if [[ $HOSTNAME != kd ]]; then + source /p/c/domain-info + if [[ $HOSTNAME != $d_host ]]; then echo "error: run on kd" return 1 fi @@ -1705,13 +1709,12 @@ lipush() { # excluding emacs for now #p=(/a/opt/{emacs-debian11{,-nox},mu,emacs} /a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts}) p=( - /a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts} + /a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts} /p/c/user-specific/{bind,znc,icecast2} /a/f/ans/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter /a/opt/fpaste /a/opt/bbdb-csv-import /a/opt/spray - /p/c/user-specific/www-data/icecast-fsf{,-tech}-htpasswd - /p/c/icecast.xml + /p/c/user-specific/www-data/{caldav,icecast-fsf{,-tech}}-htpasswd ) a="-ahviSAXPH --specials --devices --delete --relative --exclude-from=/p/c/li-rsync-excludes" ret=0 
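Review bot: The guard in nav-rm-plists now tests `$d_host`, but its message still reads `echo "error: run on kd"`, which names the wrong machine once the home server has moved; `echo "error: run on $d_host"` keeps the two in step. In these hunks the right-hand side of `==`/`!=` is unquoted, so bash treats it as a glob pattern. If `/p/c/domain-info` is missing or does not set `d_host`, the comparison runs against an empty string and every host silently takes the "remote" path. Writing `[[ $HOSTNAME != "$d_host" ]]` and adding `: "${d_host:?not set by /p/c/domain-info}"` after the `source` would surface that. The same applies to beetrating, mpvrpc-loadfile and beetpull here, and to the `case $HOSTNAME in $d_host)` arms added in profr, prof-recent and prof-sort; all of these function bodies continue outside their hunks.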
@@ -1724,7 +1727,8 @@ lipush() { m s rsync "$@" -ahviSAXPH root@li.b8.nz:/a/h/proposed-comments/ /a/h/proposed-comments || ret=$? return $ret } -bkpush() { # no emacs. for running faster. +# compared to li, no emacs and some user-specific files. +bkpush() { p=(/a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts} /a/f/ans/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter ) @@ -2694,7 +2698,7 @@ option dest_port $i_port EOF done echo "EOF" - } >/p/c/cmc-firewall-data + } | cedit -s redir /p/c/cmc-firewall-data local host ipsuf f files @@ -2815,8 +2819,7 @@ EOF } | cedit -e vpn-ips-update /p/c/machine_specific/vps/bind-initial/db.b8.nz - echo checking for stray files: - + stray_found=false initial_dir="$PWD" while read -r dir path; do cd $dir @@ -2827,6 +2830,10 @@ EOF for f in "${files[@]}"; do host=${f%%/*} if [[ ! ${vpn_ips[$host]} ]]; then + if ! $stray_found; then + stray_found=true + echo hiup: begin found stray files. removal commands: + fi e rm $dir/$f fi done @@ -2834,6 +2841,9 @@ EOF /a/bin/ds/machine_specific filesystem/etc/systemd/system/openvpn-client-tr@.service /p/c/machine_specific filesystem/etc/wireguard/wghole.conf EOF + if $stray_found; then + echo "hiup: end found stray files" + fi files=( /b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/* ) for f in "${files[@]}"; do @@ -3464,11 +3474,12 @@ myprof() { } -# Tail all recent prof logs. Copying from profanity has unwanted line breaks +# Tail all recent profanity logs. Copying from profanity has unwanted line breaks # especially for links. profr() { + source /p/c/domain-info case $HOSTNAME in - kd) + $d_host) profr-local ;; *) @@ -3495,8 +3506,9 @@ profr-local() { # didn't check for pms beforehand. Assume the most recent logs are on kd. # If that isn't the case, use prof-recent-local prof-recent() { + source /p/c/domain-info case $HOSTNAME in - kd) + $d_host) prof-recent-local ;; *) 
@@ -3524,8 +3536,9 @@ prof-recent-local() { } prof-sort() { + source /p/c/domain-info case $HOSTNAME in - kd) + $d_host) prof-recent-sort ;; *) @@ -4853,18 +4866,16 @@ path-add --end --ifexists $HOME/.rvm/bin # ya, hacky hardcoded hostnames in 2023. we could do better hssh-update() { local -a failed_hosts hosts - case $HOSTNAME in - sy|so|kd) - hosts=( - kd.b8.nz x3.office.fsf.org sy so x2.b8.nz - ) - ;; - x3) - hosts=( - b8.nz sywg.b8.nz sowg.b8.nz - ) - ;; - esac + source /p/c/domain-info + + for host in ${active_hosts[@]}; do + host=${host%wg} + if [[ $host == $HOSTNAME ]]; then + continue + fi + hosts+=($host) + done + for host in ${hosts[@]}; do e $host if ! scp /b/fai/fai/config/files/usr/local/bin/hssh/IANK root@$host:/usr/local/bin/hssh; then @@ -4908,6 +4919,10 @@ ftoc() { units "tempF($1)" tempC } +set-cmc-http() { + echo http_ip=$1 | cedit http /p/c/cmc-firewall-data ||: +} + # local icecast localic() { local mod=false @@ -4920,9 +4935,8 @@ EOF echo "error: failed to get ip: $ip" >&2 exit 1 fi - cat >/p/c/cmc-firewall-data-http </dev/null; then - s chgrp www-data /etc/caldav-htpasswd - fi if [[ -e /p/c/user-specific/prometheus ]]; then if getent passwd prometheus &>/dev/null; then v s rsync -clpgoDiSAX --chmod=g+r --chown=root:prometheus /p/c/user-specific/prometheus/prometheus-pass /etc @@ -313,7 +310,7 @@ case $user in # "var/lib/bind/dsset-*" if [[ -e /p/c/user-specific/bind ]]; then if getent group bind &>/dev/null; then - v s rsync -clpgoDiSAX --chmod=g+r --chown=root:bind /p/c/user-specific/bind/etc/* /etc/bind + v s rsync -clpgoDiSAX --chmod=g+r --chown=root:bind /p/c/user-specific/bind/etc/bind/* /etc/bind v s rsync -clpgoDiSAX --chmod=g+r --chown=root:bind /p/c/user-specific/bind/var/lib/bind/* /var/lib/bind fi fi diff --git a/distro-begin b/distro-begin index d421e9a..5432093 100755 --- a/distro-begin +++ b/distro-begin 
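Review bot: set-cmc-http writes its argument into `/p/c/cmc-firewall-data` unquoted and unchecked, and `||:` then discards any failure from cedit. The consumer of that file is not visible here, but the name suggests it feeds firewall rules, so an empty or malformed `$1` would end up there as `http_ip=`. If the value is always an IPv4 address, a guard before the `echo` such as `[[ $1 =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { echo "set-cmc-http: bad ip: $1" >&2; return 1; }` would stop that. If `||:` is there because cedit returns non-zero when it changes the file, a one-line comment saying so would keep a later reader from removing it.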
@@ -113,10 +113,12 @@ script_dir="$(readlink -f "${BASH_SOURCE[@]}")"; script_dir=${script_dir%/*} source $script_dir/pkgs set +x source /a/bin/distro-functions/src/identify-distros +source /p/c/domain-info $interactive || set -x for f in kd x2 x3 x8 frodo tp li bk je demohost kw sy bo so; do eval "$f() { [[ $HOSTNAME == $f ]]; }" done + codename=$(debian-codename) bitfolk() { je || bk; } has_wayland() { has_monitor && [[ $codename == buster ]]; } @@ -574,21 +576,27 @@ else sudo mkdir -p $dir fi +mnt-fstab() { + sudo mount $1 + # strangely, mount will return success if the device in fstab does not + # exist. Here, we catch that. + mountpoint -q $1 + } case $HOSTNAME in - kd) + $d_host) sudo /a/exe/teeu /etc/fstab <<'EOF' -/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part7 /d btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvol=d 0 0 +/dev/mapper/crypt_dev_ata-Samsung_SSD_870_QVO_8TB_S5VUNG0N900656V-part6 /d btrfs nofail,x-systemd.device-timeout=30s,x-systemd.mount-timeout=30s,noatime,compress=zstd,subvol=d 0 0 /d/m /i none bind,compress=zstd 0 0 EOF if ! mountpoint /d &>/dev/null; then sudo mkdir -p /d if [[ -d /mnt/r7/d ]]; then - sudo mount /d + mnt-fstab /d + fi + if ! mountpoint /i &>/dev/null; then + sudo mkdir -p /i + mnt-fstab /i fi - fi - if ! mountpoint /i &>/dev/null; then - sudo mkdir -p /i - sudo mount /i fi ;; esac @@ -691,7 +699,7 @@ if $emacs; then /a/exe/ssh-emacs-setup fi -if [[ $HOSTNAME == kd ]] && ! mountpoint /d &>/dev/null; then +if [[ $HOSTNAME == $d_host ]] && ! mountpoint /d &>/dev/null; then cat <<'EOFOUTER' # if this is a fresh reinstall, need to run something like this # to restore data: diff --git a/distro-end b/distro-end index 025e5d2..4ab5b46 100755 --- a/distro-end +++ b/distro-end 
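Review bot: The `/i` mount is now nested inside `if ! mountpoint /d`, so on a host where `/d` is already mounted but `/i` is not, `/i` is never mounted; before this change the two checks were independent. In the other direction, when `/mnt/r7/d` does not exist the `/d` mount is skipped but `mnt-fstab /i` still runs, and since `/i` is a bind of `/d/m` the new `mountpoint -q` check will fail there. If the nesting is intended, a comment such as `# /i is a bind of /d/m, only attempt it as part of bringing up /d` and moving the `/i` block inside the `[[ -d /mnt/r7/d ]]` test would make that explicit. Inside mnt-fstab, `sudo mount "$1"` and `mountpoint -q "$1"` should quote the argument.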
@@ -21,6 +21,8 @@ # shellcheck disable=SC2317 # false positive export LC_USEBASHRC=t source /a/bin/ds/.bashrc +source /a/bin/bash_unpublished/source-state +source /p/c/domain-info ### setup source /a/bin/bash-bear-trap/bash-bear @@ -35,6 +37,8 @@ err-cleanup() { echo 1 >~/.local/distro-end } +d_host=frodo + # shellcheck source=./pkgs source $src/pkgs @@ -1128,36 +1132,6 @@ EOF fi -######### begin irc periodic backup ############# -if [[ $HOSTNAME == kd ]]; then - sd /etc/systemd/system/ircbackup.service <<'EOF' -[Unit] -Description=irc li backup -After=multi-user.target - -[Service] -User=iank -Type=oneshot -ExecStart=/usr/local/bin/sysd-mail-once irc-backup rsync -rlptDhSAX root@iankelling.org:/var/lib/znc/moddata/log/iank/freenode/ /p/irc-backup -EOF - sd /etc/systemd/system/ircbackup.timer <<'EOF' -[Unit] -Description=irc li backup hourly - -[Timer] -OnCalendar=hourly - -[Install] -WantedBy=timers.target -EOF - sudo systemctl daemon-reload - sgo ircbackup.timer -fi - - -######### end irc periodic backup ############# - - pi-nostart openvpn # pi-nostart does not disable ser disable openvpn @@ -1173,7 +1147,7 @@ fi ############# begin syncthing setup ########### case $HOSTNAME in - kd) + $d_host) f=/usr/share/keyrings/syncthing-archive-keyring.gpg if [[ ! -e $f ]]; then s curl -s -o $f https://syncthing.net/release-key.gpg @@ -1193,6 +1167,9 @@ case $HOSTNAME in fi sgo syncthing@ziva ;; + *) + soff syncthing@ziva + ;; esac # user for short term use dropping of privileges 
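Review bot: `d_host=frodo` is assigned after the new `source /p/c/domain-info`, so this script ignores whatever that file sets, while brc2, distro-begin and btrbk-run take the value from the file. Because the new `*)` arms later in distro-end actively tear things down (`soff`, `rm -f` of vhosts, `usermod --home`), a disagreement between the two values would make the real home server remove its own services. Dropping the assignment in favour of `: "${d_host:?not set by /p/c/domain-info}"` gives one source of truth and fails loudly if it is absent. Separately, the ircbackup unit and timer are no longer written, but nothing here disables the copies already installed on the old host, unlike the btrbkrust cleanup added further down.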
@@ -1253,25 +1230,44 @@ fi ####### begin misc packages ########### +# some $d_host switching commands. edit partition script. edit this. edit distro-begin. +# cd /a/c +# mkmv machine_specific/kd/filesystem/etc/btrbk/* machine_specific/frodo/filesystem/etc/btrbk +# mv machine_specific/kd/filesystem/etc/systemd/system/btrbkrust* machine_specific/frodo/filesystem/etc/systemd/system +# mkmv /b/ds/machine_specific/kd/filesystem/etc/cron.d/d_host /b/ds/machine_specific/frodo/filesystem/etc/cron.d +# # edit file and then deploy: +# scp /a/bin/ds/machine_specific/bo/filesystem/etc/btrbk/btrbk.conf bo:/etc/btrbk +# mkmv /p/c/machine_specific/kd/subdir_files/.ssh/authorized_keys2 /p/c/machine_specific/frodo/subdir_files/.ssh/ + + # old location, 2023. sudo rm -fv /etc/systemd/system/profanity.service case $HOSTNAME in - kd) + $d_host) # i dunno why i put it here ln -sfT /d/p/profanity ~/.local/share/profanity ln -sfT /d/p/profanity-config ~/.config/profanity - source /a/bin/bash_unpublished/source-state if [[ $HOSTNAME == "$HOST2" || ! -e /p/profanity-here ]]; then systemctl --user --now enable profanity fi ;; *) - ln -sfT /p/profanity ~/.local/share/profanity ln -sfT /p/profanity-config ~/.config/profanity ;; esac +case $HOSTNAME in + $d_host) + sgo btrbkrust.timer + ;; + *) + soff btrbkrust.timer + s rm -f /etc/systemd/system/btrbkrust* + ;; +esac + + # template case $codename in flidas) @@ -1448,7 +1444,7 @@ pi anki ####### begin transmission case $HOSTNAME in - kd) + $d_host) tdir=/d/tor ;; *) @@ -1555,12 +1551,15 @@ fi ####### end transmission case $HOSTNAME in - kd) + $d_host) # to persist upload/dl metadata. initially, moved all the stuff # in /var/lib/transmission-daemon to /d/tor s usermod --home /d/tor debian-transmission sgo transmission-daemon-nn - + ;; + *) + # set to the default + s usermod --home /var/lib/transmission-daemon debian-transmission ;; esac 
@@ -1639,7 +1638,13 @@ fi ### printer setup -pi cups +pi-nostart cups +# I don't need network printer shares. And, lets just start cups when we +# need it, since I don't on most computers. +ser disable cups-browsed +ser mask cups-browsed +ser disable cups + sudo gpasswd -a $USER lpadmin # based on ubuntu wiki # goto http://127.0.0.1:631 @@ -1970,7 +1975,7 @@ fi ### begin prometheus ### case $HOSTNAME in - kd) + $d_host) # Font awesome is needed for the alertmanager ui. pi prometheus-alertmanager prometheus fonts-font-awesome /a/f/ans/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus @@ -1999,19 +2004,6 @@ Require valid-user EOF - # by default, the alertmanager web ui is not enabled other than a page - # that suggests to use the amtool cli. that tool is good, but you cant - # silence things nearly as easily as with the gui. - if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then - # default script didnt work, required some changes to get elm 19.1, - # which is a dependency of the latest alertmanager. I modified - # and copied it into /b/ds. In future, might need some other - # solution. - #sudo /usr/share/prometheus/alertmanager/generate-ui.sh - sudo /b/ds/generate-ui.sh - ser restart prometheus-alertmanager - fi - s /a/f/ans/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1 for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do 
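Review bot: The cups lines disable the units but, depending on what the `ser` helper does, may not stop a cupsd that an earlier run of `pi cups` already started, so on existing hosts it could keep listening until the next reboot. The `soff` helper used elsewhere in this commit looks like the stop-and-disable form and may be what is wanted here for both `cups` and `cups-browsed`. This commit also deletes the mail-setup todo about cups listening on 0.0.0.0, yet nothing visible changes the listen address, so the exposure returns whenever cups is started on demand. Either keep the todo or add a comment here such as `# cups still binds per cupsd.conf when started by hand; restrict Listen to localhost`.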
@@ -2020,6 +2012,22 @@ EOF ;; *) + ## Begin cleanup of prometheus install above. ## + # + # + # This is in case our host type has changed. We don't cleanup all + # stray files, just stop services we aren't using anymore. + # + f=/etc/apache2/sites-enabled/b8.nz-9091.conf + if [[ -e $f ]]; then + rm -f $f /etc/apache2/sites-enabled/b8.nz-9094.conf + if systemctl is-active apache2 &>/dev/null; then + systemctl reload apache2 + fi + fi + soff prometheus prometheus-blackbox-exporter prometheus-alertmanager + ## End cleanup of prometheus install above. ## + s /a/f/ans/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter ;; esac @@ -2185,14 +2193,6 @@ fi # remove trisquel banner. it is cool but takes up too much space. sudo rm -f /etc/update-motd.d/01-banner -case $HOSTNAME in - kw|x3) - sd /etc/cups/client.conf <<'EOF' -ServerName printserver1.office.fsf.org -EOF - ;; -esac - end_msg <<'EOF' In mate settings settings, change scrolling to two-finger, @@ -2202,9 +2202,24 @@ EOF # Remove dep that came in with desktop to fix associations. m pu transmission-gtk +f=/home/iank/Videos case $HOSTNAME in - kd) - lnf -T /d/vidshare /home/iank/Videos + $d_host) + if [[ ! -L $f || $(readlink $f) != /d/vidshare ]]; then + fs=($f/*) + if (( ${#fs[@]} >= 1 )); then + echo "$0: I wanted to make a link $f -> /d/vidshare, but $f is not empty. Please do something with its contents. ll $f:" + ll $f + exit 1 + fi + lnf -T /d/vidshare $f + fi + ;; + *) + if [[ -L $f && $(readlink $f) == /d/vidshare ]]; then + rm -f $f + mkdir $f + fi ;; esac @@ -2232,10 +2247,18 @@ s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin case $HOSTNAME in - kd) + $d_host) web-conf -p 4500 -f 4533 -e ian@iankelling.org apache2 b8.nz sgo navidrome ;; + *) + soff navidrome + f=/etc/apache2/sites-enabled/b8.nz.conf + if [[ -e $f ]]; then + rm -f $f + # todo: reload apache if enabled + fi + ;; esac # nfs server 
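Review bot: The prometheus cleanup arm calls `rm -f $f /etc/apache2/sites-enabled/b8.nz-9094.conf` and `systemctl reload apache2` without `sudo`/`s`, although the rest of the script escalates explicitly and this same commit changes another `rm -f` under `/etc` to `sudo rm -f`. As an unprivileged user both commands fail, so the stale vhosts stay enabled and the failure may trip the error trap. The lines should read `s rm -f "$f" /etc/apache2/sites-enabled/b8.nz-9094.conf` and `s systemctl reload apache2`. The navidrome `*)` arm at the end of this line has the same unprivileged `rm -f $f`, and its reload is still a todo, so apache keeps serving the removed b8.nz site until something else reloads it; the `is-active` and reload pair from the prometheus arm could be reused there.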
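Review bot: In the Videos arm, `fs=($f/*)` followed by `(( ${#fs[@]} >= 1 ))` is true even for an empty directory unless `nullglob` is set, because the unmatched pattern stays in the array as one literal element. I cannot see whether the sourced `.bashrc` enables `nullglob`; if it does not, a fresh host with an empty `~/Videos` always hits the `exit 1`. A test that does not depend on shell options is `if [[ -d $f && -n $(ls -A "$f") ]]; then`. If `$f` is an existing empty directory, `lnf -T` also has to replace a directory rather than a file, so an `rmdir "$f"` before the link may be needed.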
@@ -2284,8 +2307,7 @@ hiup # delete this once run everywhere. delete old file: - -rm -f /etc/systemd/system/openvpn-client@client.service.d/iank.conf +sudo rm -f /etc/systemd/system/openvpn-client@client.service.d/iank.conf # if I was going to create a persistent vm, i might do it like this: # variant=something # from: virt-install --os-variant list diff --git a/dynamic-ip-update b/dynamic-ip-update index d524718..b18b1bb 100755 --- a/dynamic-ip-update +++ b/dynamic-ip-update @@ -206,9 +206,9 @@ answer quit EOF - chronic nsupdate $ip_arg -k /p/c/user_specific/bind/etc/bind/Kb8.nz.*.private <$tmpf || nsupdate_fails=$((nsupdate_fails + 1)) + chronic nsupdate $ip_arg -k /p/c/user-specific/bind/etc/bind/Kb8.nz.*.private <$tmpf || nsupdate_fails=$((nsupdate_fails + 1)) sed -i 's/^server .*/server bk.b8.nz/' $tmpf - chronic nsupdate $ip_arg -k /p/c/user_specific/bind/etc/bind/Kb8.nz.*.private <$tmpf || nsupdate_fails=$((nsupdate_fails + 1)) + chronic nsupdate $ip_arg -k /p/c/user-specific/bind/etc/bind/Kb8.nz.*.private <$tmpf || nsupdate_fails=$((nsupdate_fails + 1)) if (( nsupdate_fails > nsupdate_fail_limit )); then echo error: nsupdate is persistently failing >&2 exit 1 diff --git a/filesystem/etc/cron.d/ian b/filesystem/etc/cron.d/ian index fb67cf9..80dcd61 100644 --- a/filesystem/etc/cron.d/ian +++ b/filesystem/etc/cron.d/ian @@ -30,10 +30,12 @@ MAILTO=root 20 7 * * * root myupgrade |& log-once -1 myupgrade 20 5 * * * root prof-backup |& log-once -1 prof-backup 19 * * * * root check-crypttab +4 6,12,18 * * * root failmail rsync -rlptDhSAX root@iankelling.org:/var/lib/znc/moddata/log/iank/freenode/ /p/irc-backup 4 20 * * 5 iank check-lets-encrypt-ssl-settings 4 21 * * 5 iank auto-commit-changes /a /p 4 23 * * 5 iank failmail eggdrop-upgrade + # avoid dnssec expirations. This is a hack, what we should # do instead is something like, sign only if expiration is # coming soon, and send an email notication, because this 
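Review bot: The new cron entry runs the IRC log rsync as local `root`, whereas the systemd unit it replaces (removed from distro-end in this commit) ran it with `User=iank`. The job only needs to write `/p/irc-backup`, so the user field can stay unprivileged, as in the neighbouring entries: `4 6,12,18 * * * iank failmail rsync -rlptDhSAX root@iankelling.org:... /p/irc-backup`. That also keeps the pulled files owned by iank rather than root. This file is not under machine_specific, so if it is deployed to every host, each of them will now open a root SSH session to iankelling.org three times a day, where previously only the home server did; a hostname guard or moving the line to the `d_host` cron file would keep the old scope.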
diff --git a/filesystem/usr/local/bin/btrbk-run b/filesystem/usr/local/bin/btrbk-run index f7affa4..8693406 100755 --- a/filesystem/usr/local/bin/btrbk-run +++ b/filesystem/usr/local/bin/btrbk-run @@ -97,6 +97,7 @@ uninstalled-file-die() { } set-location() { + laptop=false case $HOSTNAME in kw) at_work=true @@ -105,6 +106,7 @@ set-location() { at_home=true ;; x2|x3|sy|so) + laptop=true if [[ $(timeout 1 dig +short @10.2.0.1 -x 10.2.0.2 2>&1 ||:) == kd.b8.nz. ]] \ && ip n show 10.2.0.1 | grep . &>/dev/null; then # note: logic duplicated in 11-iank @@ -366,6 +368,12 @@ if [[ -e /b/bash_unpublished/source-state ]]; then source /b/bash_unpublished/source-state fi +# get $d_host +if [[ -e /p/c/domain-info ]]; then + source /p/c/domain-info +fi + + # note q is owned by root:1000 declare -A source_snaps @@ -1018,7 +1026,7 @@ EOF rm $localtmp $remotetmp ret=1 fi - if [[ $h == kd && $HOSTNAME == x3 && $HOSTNAME == "$MAIL_HOST" ]]; then + if $laptop && ! $at_home && [[ $h == $d_host && $HOSTNAME == "$MAIL_HOST" ]]; then d ssh root@$tg 'btrbk-spread-wrap &>/dev/null /etc/btrbk-run-once.conf # running start if it is already starting causes it to just wait until -# it done starting. In that case, we'd need to run it twice, or we have +# it is done starting. In that case, we'd need to run it twice, or we have # another unit which has an After=, eg btrbk-spread, but that isn't as # good because, we can't have btrbk have After= on btrbk-spread, and # what if btrbk-spread is itself already running, we have the same diff --git a/filesystem/usr/local/bin/prof b/filesystem/usr/local/bin/prof index 4fa705b..9ca3047 100755 --- a/filesystem/usr/local/bin/prof +++ b/filesystem/usr/local/bin/prof 
@@ -23,13 +23,14 @@ set -e; . /usr/local/lib/bash-bear; set +e - +# get $d_host, note that is not consistently used everywhere. +source /a/bin/bash_unpublished/source-state dossh=true if (( $# >= 1 )); then remote=$1 else remote=prof - if systemctl --user --quiet is-active profanity || [[ $HOSTNAME == kd ]]; then + if systemctl --user --quiet is-active profanity || [[ $HOSTNAME == $d_host ]]; then dossh=false fi fi diff --git a/filesystem/usr/local/bin/spend b/filesystem/usr/local/bin/spend index c282f37..9e2e310 100755 --- a/filesystem/usr/local/bin/spend +++ b/filesystem/usr/local/bin/spend @@ -22,7 +22,8 @@ for (( i=0; i<3; i++ )); do - systemctl suspend + # -i fixes error such as: User root is logged in on sshd. + systemctl suspend -i echo $$ suspending in 180 seconds sleep 180 done diff --git a/generate-ui.sh b/generate-ui.sh deleted file mode 100755 index fba46ca..0000000 --- a/generate-ui.sh +++ /dev/null 
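Review bot: The comment added to prof says the line gets `$d_host`, but it sources `/a/bin/bash_unpublished/source-state`, while btrbk-run in this same commit documents `/p/c/domain-info` as the file that provides it. Unless source-state pulls in domain-info itself, `d_host` is empty here and `[[ $HOSTNAME == $d_host ]]` is never true, so the home server would ssh to itself whenever profanity is not active. The added line should probably be `source /p/c/domain-info`, with the comparison quoted as `[[ $HOSTNAME == "$d_host" ]]`.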
@@ -1,67 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# iank: fixed version of /usr/share/prometheus/alertmanager/generate-ui.sh, plus exit if already build -set -e - -if [[ -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then - exit 0 -fi - - -ELMDISTURL=https://github.com/elm/compiler/releases/download/0.19.1/binary-for-linux-64-bit.gz -SRCDIR=/usr/share/gocode/src/github.com/prometheus/alertmanager/ui/app -DSTDIR=/usr/share/prometheus/alertmanager/ui - -echo "Installing dependencies..." >&2 -apt install libjs-bootstrap4 fonts-font-awesome curl uglifyjs \ - golang-github-prometheus-alertmanager-dev - -#/usr/share/fonts-font-awesome/ -TMPDIR=$(mktemp -d) - -echo "Downloading Elm tools..." >&2 -cd $TMPDIR -curl --location $ELMDISTURL | zcat >$TMPDIR/elm -chmod +x $TMPDIR/elm - -echo "Compiling source code..." >&2 -ln -s $SRCDIR/src $SRCDIR/elm.json $TMPDIR -(cd $TMPDIR; ./elm make src/Main.elm --optimize --output $TMPDIR/app.js) - -echo "Optimising source code..." 
>&2 -uglifyjs $TMPDIR/app.js \ - --compress 'pure_funcs="F2,F3,F4,F5,F6,F7,F8,F9,A2,A3,A4,A5,A6,A7,A8,A9",pure_getters,keep_fargs=false,unsafe_comps,unsafe' \ - --mangle --output $TMPDIR/script.js - -echo "Installing in Alertmanager directory..." >&2 -mkdir -p $DSTDIR -mkdir -p $DSTDIR/lib -cp $TMPDIR/script.js $DSTDIR -cp $SRCDIR/index.html $SRCDIR/favicon.ico $DSTDIR -ln -s /usr/share/fonts-font-awesome $DSTDIR/lib/font-awesome -ln -s /usr/share/nodejs/bootstrap/dist $DSTDIR/lib/bootstrap4 - -rm -rf $TMPDIR - -echo "Finished! Please, restart prometheus-alertmanager to activate UI." >&2 diff --git a/machine_specific/bo/filesystem/etc/btrbk/btrbk.conf b/machine_specific/bo/filesystem/etc/btrbk/btrbk.conf new file mode 100644 index 0000000..834d4b3 --- /dev/null +++ b/machine_specific/bo/filesystem/etc/btrbk/btrbk.conf @@ -0,0 +1,36 @@ +ssh_identity /root/.ssh/id_ed25519 +transaction_syslog local7 + +# note, i had this because man said 20% speedup, but ran into +# this issue, https://github.com/digint/btrbk/issues/275 +#stream_buffer 512m + +# so we only run one at a time +lockfile /var/lock/btrbk.lock + +# default format of short does not accomidate hourly preservation setting +timestamp_format long-iso + +# only make a snapshot if things have changed +snapshot_create onchange +# I could make this different from target_preserve, +# if one disk had less space. +# for now, keeping them equal. +snapshot_preserve_min 2h +snapshot_dir btrbk + +target_preserve_min 2h +stream_buffer 512m + +#rate_limit 2m +volume /mnt/root +snapshot_preserve 6h 14d 8w 24m +target_preserve 6h 14d 8w 24m +subvolume root_ubuntubionic +target send-receive ssh://i.b8.nz:2234/mnt/r7/amy/root/btrbk + +volume /mnt/boot +snapshot_preserve 6h 14d 8w 6m +target_preserve 6h 14d 8w 6m +subvolume boot_ubuntubionic +target send-receive ssh://i.b8.nz:2234/mnt/r7/amy/boot/btrbk 
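Review bot: The new bo config pushes with `target send-receive ssh://i.b8.nz:2234/...` using root's `/root/.ssh/id_ed25519`, whereas the deleted root2.conf had the backup host pull with `snapshot_create no`. The change means a compromise of bo now yields a key that can write to, and through `target_preserve` delete from, the backup tree. The receiving side should pin that key in authorized_keys to btrbk's `ssh_filter_btrbk.sh` with `--target` and `--restrict-path` for the two amy directories; please confirm the authorized_keys2 entry mentioned in the distro-end notes does this. Separately, the file comments out `#stream_buffer 512m` with a pointer to btrbk issue 275 and then enables `stream_buffer 512m` a few lines later, so one of the two should be removed or the comment updated.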
diff --git a/machine_specific/bo/filesystem/etc/systemd/system/btrbk.service b/machine_specific/bo/filesystem/etc/systemd/system/btrbk.service new file mode 100644 index 0000000..9a1429b --- /dev/null +++ b/machine_specific/bo/filesystem/etc/systemd/system/btrbk.service @@ -0,0 +1,8 @@ +[Unit] +Description=btrbk backup +Documentation=man:btrbk(1) +After=multi-user.target + +[Service] +Type=oneshot +ExecStart=/usr/sbin/btrbk run diff --git a/machine_specific/bo/filesystem/etc/systemd/system/btrbk.timer b/machine_specific/bo/filesystem/etc/systemd/system/btrbk.timer new file mode 100644 index 0000000..32a784f --- /dev/null +++ b/machine_specific/bo/filesystem/etc/systemd/system/btrbk.timer @@ -0,0 +1,8 @@ +[Unit] +Description=Run btrbk + +[Timer] +OnCalendar=daily + +[Install] +WantedBy=timers.target diff --git a/machine_specific/kd/filesystem/etc/btrbk/rust.conf b/machine_specific/frodo/filesystem/etc/btrbk/rust.conf similarity index 100% rename from machine_specific/kd/filesystem/etc/btrbk/rust.conf rename to machine_specific/frodo/filesystem/etc/btrbk/rust.conf diff --git a/machine_specific/kd/filesystem/etc/cron.d/kd b/machine_specific/frodo/filesystem/etc/cron.d/d_host similarity index 100% rename from machine_specific/kd/filesystem/etc/cron.d/kd rename to machine_specific/frodo/filesystem/etc/cron.d/d_host diff --git a/machine_specific/kd/filesystem/etc/systemd/system/btrbkrust.service b/machine_specific/frodo/filesystem/etc/systemd/system/btrbkrust.service similarity index 100% rename from machine_specific/kd/filesystem/etc/systemd/system/btrbkrust.service rename to machine_specific/frodo/filesystem/etc/systemd/system/btrbkrust.service diff --git a/machine_specific/kd/filesystem/etc/systemd/system/btrbkrust.timer b/machine_specific/frodo/filesystem/etc/systemd/system/btrbkrust.timer similarity index 100% rename from machine_specific/kd/filesystem/etc/systemd/system/btrbkrust.timer rename to machine_specific/frodo/filesystem/etc/systemd/system/btrbkrust.timer 
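Review bot: btrbk.timer uses `OnCalendar=daily` without `Persistent=true`, so if bo is powered off or suspended at midnight that day's run is skipped rather than caught up at next boot. For a backup job, adding `Persistent=true` under `[Timer]` is the usual choice. A `RandomizedDelaySec=` value would also avoid starting the transfer at exactly 00:00 alongside other daily jobs.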
diff --git a/machine_specific/kd/filesystem/etc/btrbk/root2.conf b/machine_specific/kd/filesystem/etc/btrbk/root2.conf deleted file mode 100644 index d811240..0000000 --- a/machine_specific/kd/filesystem/etc/btrbk/root2.conf +++ /dev/null @@ -1,45 +0,0 @@ -snapshot_create onchange - -snapshot_preserve_min 2h -snapshot_dir btrbk -target_preserve_min 2h - - -ssh_identity /root/.ssh/home -# Just a guess that local7 is a good facility to pick. -# It's a bit odd that the transaction log has to be logged to -# a file or syslog, while other output is sent to std out. -# The man does not mention a way for them to be together, but -# I dunno if setting a log level like warn might also output -# transaction info. -transaction_syslog local7 - -# trying this out -stream_compress zstd - -archive_preserve_min latest - -# so we only run one at a time -lockfile /var/lock/btrbkroot2.lock - -# default format of short does not accomidate hourly preservation setting -timestamp_format long-iso - -# dont make new snapshot, we only receive new snapshots -snapshot_create no - -# if something fails and it's not obvious, try doing -# btrbk -l debug -v dryrun - -rate_limit no -volume ssh://syw/mnt/root -snapshot_preserve 18h 14d 4w 24m -target_preserve 18h 14d 4w 24m -subvolume root_ubuntubionic -target send-receive /mnt/r7/amy/root/btrbk - -volume ssh://syw/mnt/boot -snapshot_preserve 18h 14d 4w 6m -target_preserve 18h 14d 4w 6m -subvolume boot_ubuntubionic -target send-receive /mnt/r7/amy/boot/btrbk diff --git a/mail-setup b/mail-setup index 54c8b65..5038299 100755 --- a/mail-setup +++ b/mail-setup 
@@ -94,7 +94,6 @@ #Debian-+ 23058 1954 0 36821 10564 0 20:38 ? 00:00:00 /usr/sbin/exim4 -bd -q30m # todo: harden dovecot. need to do some research. one way is for it to only listen on a wireguard vpn interface, so only clients that are on the vpn can access it. -# todo: consider hardening cups listening on 0.0.0.0 # todo: stop/disable local apache, and rpc.mountd, and kdeconnect when not in use. # todo: hosts should only allow external mail that is authed and diff --git a/pkgs b/pkgs index e8e581c..36281ce 100644 --- a/pkgs +++ b/pkgs @@ -263,6 +263,8 @@ p3=( # unattended-upgrades.log: Please install powermgmt-base package to check power status powermgmt-base profanity + # for pactl + pulseaudio-utils pry pv python3-doc -- 2.30.2