From 24f19dd46cd7bb1c5bc1a46694a3b4ac928c16e2 Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Mon, 20 Dec 2021 00:27:31 -0500
Subject: [PATCH] fully adopt wireguard

---
 brc2             |  14 +++---
 btrbk-run        |   3 +-
 distro-end       | 122 ++++++++++++++++++++++++++++-------------------
 hssh             |   5 +-
 mail-route       |   3 +-
 mail-setup       |  82 +++++++++++++++++--------------
 vpn-mail-forward |  18 +++++--
 7 files changed, 148 insertions(+), 99 deletions(-)

diff --git a/brc2 b/brc2
index 4dc573b..0e9736e 100644
--- a/brc2
+++ b/brc2
@@ -1028,17 +1028,17 @@ wghole() {
 [Interface]
 # contents hole-priv.key
 PrivateKey = $(cat hole-priv.key)
-# UDP service port
-ListenPort = 32454
-Address = 10.5.3.$ipsuf/24
+ListenPort = 1194
+Address = 10.8.0.$ipsuf/24
 # https://dev.to/tangramvision/what-they-don-t-tell-you-about-setting-up-a-wireguard-vpn-1h2g
-PostUp = ping -c1 10.5.3.1
+# ||: makes the systemd service not fail due to the failed command
+PostUp = ping -c1 10.8.0.1 ||:
 
 [Peer]
 # li
 PublicKey = zePGl7LoS3iv6ziTI/k8BMh4L3iL3K2t9xJheMR4hQA=
-AllowedIPs = 10.5.3.0/24
-Endpoint = 72.14.176.105:32454
+AllowedIPs = 10.8.0.0/24
+Endpoint = 72.14.176.105:1194
 PersistentKeepalive = 25
 EOF
   umask $umask_orig
@@ -1047,7 +1047,7 @@ EOF
   cedit -q $host /p/c/machine_specific/li/filesystem/etc/wireguard/wghole.conf <<EOF || [[ $? == 1 ]]
 [Peer]
 PublicKey = $(cat hole-pub.key)
-AllowedIPs = 10.5.3.$ipsuf/32
+AllowedIPs = 10.8.0.$ipsuf/32
 EOF
   cd - >/dev/null
 }
diff --git a/btrbk-run b/btrbk-run
index 99c980e..e96bb52 100644
--- a/btrbk-run
+++ b/btrbk-run
@@ -524,7 +524,8 @@ fi
 
 if [[ $ret == 0 ]]; then
   for tg in ${targets[@]}; do
-    ssh root@$tg /a/exe/mail-backup-clean
+    :
+    #ssh root@$tg /a/exe/mail-backup-clean
   done
 fi
 
diff --git a/distro-end b/distro-end
index 880c25b..117042e 100755
--- a/distro-end
+++ b/distro-end
@@ -61,10 +61,15 @@ cd /
 # case $distro in
 # esac
 
-# get sudo pass cached right away
-if ! sudo -nv 2>/dev/null; then
-  sudo -v
-fi
+case $HOSTNAME in
+  li|bk|je) : ;;
+  *)
+    # get sudo pass cached right away
+    if ! sudo -nv 2>/dev/null; then
+      sudo -v
+    fi
+    ;;
+esac
 
 # old repo. remove when all machines updated
 sudo rm -fv /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list
@@ -505,47 +510,6 @@ esac
 s rm -fv /etc/apt/preferences.d/radicale
 ######### end universal pinned packages ######
 
-### system76 things ###
-case $HOSTNAME in
-  sy)
-    # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
-    if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
-      # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
-      sd /etc/apt/sources.list.d/system76.list <<EOF
-deb http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
-deb-src http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
-EOF
-      s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B
-      p update
-      # https://support.system76.com/articles/install-ubuntu/
-      # but i'm hoping this is not needed
-      #       sd /etc/apt/preferences.d/system76 <<'EOF'
-      # Package: *
-      # Pin: release o=LP-PPA-system76-dev-stable
-      # Pin-Priority: 1001
-      # EOF
-      pi system76-driver system76-firmware-cli
-      # if you get a notice about a firmware update, the notifier on i3
-      # is too dumb to do anything when you click it. so to see
-      # a changelog, cd to
-      # /var/cache/system76-firmware-daemon
-      # extract the xz files there, one will contain a changelog.
-      # then to install an update:
-      # s system76-firmware-cli schedule
-    fi
-    ;;
-esac
-
-# ppa:obsproject/obs-studio
-if [[ ! -d /etc/apt/sources.list.d/obs.list ]]; then
-  # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
-  sd /etc/apt/sources.list.d/obs.list <<EOF
-deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
-deb-src http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
-EOF
-  s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
-  p update
-fi
 
 case $codename in
   etiona)
@@ -622,9 +586,12 @@ case $HOSTNAME in
     fi
     ;;&
   bk)
+    sgo wg-quick@wgmail
+
     # i just dont feel like setting up a special purpose ssh key to do this automatically.
     end_msg <<'EOF'
 # run this once for bk on local machine:
+# only used for old openvpn setup
 /a/exe/vpn-mk-client-cert -c bk.b8.nz -b expertpath -n mail li.iankelling.org
 EOF
     end
@@ -718,7 +685,8 @@ EOF
     # /64, it didn't work but I didn't investigate closely.
 
 
-    m vpn-server-setup -n mail -d -6 2600:3c00:e002:3800::/64 2600:3c00:e002:3800::1/64
+    # not starting as i intend to replace it
+    m vpn-server-setup -s -i tunmail -n mail -d -6 2600:3c00:e002:3800::/64 2600:3c00:e002:3800::1/64
     sudo tee /etc/openvpn/client-config-mail/mailclient <<'EOF'
 ifconfig-push 10.8.0.4 255.255.255.0
 ifconfig-ipv6-push 2600:3c00:e002:3800::4/64
@@ -728,6 +696,7 @@ ifconfig-push 10.8.0.5 255.255.255.0
 ifconfig-ipv6-push 2600:3c00:e002:3800::5/64
 EOF
 
+
     sudo dd of=/etc/systemd/system/vpn-mail-forward.service <<'EOF'
 [Unit]
 Description=Turns on iptables mail nat
@@ -736,17 +705,22 @@ BindsTo=openvpn-server@mail.service
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/a/bin/distro-setup/vpn-mail-forward start
-ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
+ExecStart=/a/bin/distro-setup/vpn-mail-forward tunmail start
+ExecStop=/a/bin/distro-setup/vpn-mail-forward tunmail stop
 
 [Install]
 RequiredBy=openvpn-server@mail.service
 EOF
     ser daemon-reload
-    sgo vpn-mail-forward.service
+
+    # commented, wgmail handles this.
+    #sgo vpn-mail-forward.service
+
     # needed for li's local mail delivery.
     tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
-    sgo openvpn-server@mail
+    #sgo openvpn-server@mail
+    ser start wg-quick@wgmail
+
     # setup let's encrypt cert
     m web-conf apache2 mail.iankelling.org
     sudo rm -fv /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
@@ -844,6 +818,54 @@ esac
 
 
 #### desktop stuff
+
+### system76 things ###
+case $HOSTNAME in
+  sy)
+    # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
+    if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
+      # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
+      sd /etc/apt/sources.list.d/system76.list <<EOF
+deb http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
+deb-src http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
+EOF
+      s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B
+      p update
+      # https://support.system76.com/articles/install-ubuntu/
+      # but i'm hoping this is not needed
+      #       sd /etc/apt/preferences.d/system76 <<'EOF'
+      # Package: *
+      # Pin: release o=LP-PPA-system76-dev-stable
+      # Pin-Priority: 1001
+      # EOF
+      pi system76-driver system76-firmware-cli
+      # if you get a notice about a firmware update, the notifier on i3
+      # is too dumb to do anything when you click it. so to see
+      # a changelog, cd to
+      # /var/cache/system76-firmware-daemon
+      # extract the xz files there, one will contain a changelog.
+      # then to install an update:
+      # s system76-firmware-cli schedule
+    fi
+    ;;
+esac
+
+case $distro in
+  trisquel|ubuntu)
+
+    # ppa:obsproject/obs-studio
+    if [[ ! -d /etc/apt/sources.list.d/obs.list ]]; then
+      # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
+      sd /etc/apt/sources.list.d/obs.list <<EOF
+deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
+deb-src http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
+EOF
+      s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
+      p update
+    fi
+    ;;
+esac
+
 case $codename_compat in
   xenial)
     # mate-indicator-applet and beyond are msc things I noticed diffing a
diff --git a/hssh b/hssh
index 3169694..8af5f0a 100755
--- a/hssh
+++ b/hssh
@@ -29,6 +29,7 @@ scp -f /a/bin/distro-setup/btrbk-run
 # mount-latest-remote
 timeout -s 9 600 /usr/local/bin/mount-latest-subvol
 rsync --server -OtpRe.LsfxC . /usr/local
+/a/exe/mail-backup-clean
 EOF
 
 allow=false
@@ -41,11 +42,11 @@ for c in "${cmds[@]}"; do
   fi
 done
 if $allow; then
-  eval $SSH_ORIGINAL_COMMAND
+  eval $SSH_ORIGINAL_COMMAND || exit $?
 else
   f=/usr/local/bin/ssh_filter_btrbk.sh
   if [[ ! -e $f ]]; then
     f=/a/opt/btrbk/ssh_filter_btrbk.sh
   fi
-  $f --target --delete --source --info
+  $f --target --delete --source --info || exit $?
 fi
diff --git a/mail-route b/mail-route
index 5316b79..0f10d28 100755
--- a/mail-route
+++ b/mail-route
@@ -27,8 +27,9 @@ Marks tcp packets on port 25, 143 and 587 to be routed through
 a vpn ip. If called from --up/--down in openvpn, (we have multiple args) $1 is the
 tun_dev, and action is from $script_type env variable, openvpn sets this.
 
-Is idempotent.
+It is idempotent.
 
+I'm not using this script currently:
 The problem with this approach is that if we dont have a non-vpn global
 ipv6 address and route, we need to send all ipv6 traffic through the
 vpn. Using a network namespace for the vpn fixes that, so I've switched
diff --git a/mail-setup b/mail-setup
index 82d3d37..59a122a 100755
--- a/mail-setup
+++ b/mail-setup
@@ -462,6 +462,8 @@ EOF
 
 # * mail vpn config
 
+vpnser=mailvpn.service
+vpnser=wg-quick@wgmail.service
 
 case $HOSTNAME in
   $MAIL_HOST)
@@ -472,6 +474,19 @@ case $HOSTNAME in
     ;;&
 esac
 
+i /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
+[Unit]
+Requires=mailnn.service
+After=network.target mailnn.service
+JoinsNamespaceOf=mailnn.service
+BindsTo=mailnn.service
+
+[Service]
+PrivateNetwork=true
+# i dont think we need any of these, but it doesnt hurt to stay consistent
+BindPaths=$bindpaths
+EOF
+
 # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
 i /etc/systemd/system/mailvpn.service <<EOF
 [Unit]
@@ -526,7 +541,6 @@ JoinsNamespaceOf=mailnn.service
 BindsTo=mailnn.service
 StartLimitIntervalSec=0
 
-
 [Service]
 Type=simple
 RemainAfterExit=true
@@ -544,7 +558,7 @@ EOF
 #
 i /etc/systemd/system/mailnn.service <<'EOF'
 [Unit]
-Description=Network Namespace for mailvpn.service that will live forever and cant fail
+Description=Network Namespace for mail vpn service that will live forever and cant fail
 After=syslog.target network-online.target
 Wants=network-online.target
 
@@ -609,7 +623,7 @@ nn_progs=(exim4)
 if mailhost; then
   # Note dovecots lmtp doesnt need to be in the same nn to accept delivery.
   # Its in the nn so remote clients can connect to it.
-  nn_progs+=(spamassassin dovecot wg-quick@mail)
+  nn_progs+=(spamassassin dovecot)
 fi
 
 case $HOSTNAME in
@@ -635,10 +649,9 @@ EOF
     # namespace to go over the wghole.
     #
     #1: unify the mail vpn and wghole
-    # into 1 network.  this seems simple and logical, but the thing is
-    # that if we ever have a network block we need to overcome, for
-    # example with a tcp 443 vpn connection, then i'd need to setup some
-    # hole hosts on that vpn too, which is kind of a pain.
+    # into 1 network.  this seems simple and logical, so I'm doing it.
+    # One general downside is tying things together, if I need to mess
+    # with one thing, it breaks the other. Oh well for now.
     #
     # 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
     #
@@ -648,32 +661,27 @@ EOF
     # routing within the mailvpn, it happened to work just because exim
     # prefers ipv6 and that was also available in the mailvpn.
     #
-    # 4. Put the hole interface into the mail network
-    # namespace. Apparently wireguard is smart enough to get around the
-    # mailvpn default routing and establish a direct connection. That is
-    # what I'm doing here. I only use the hole vpn for randomish things,
-    # it should be fine to join the mail nn for that. If that becomes a
-    # problem, I think I'd go with option #2.
-    i /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
-[Unit]
-Requires=mailvpn.service
-After=network.target mailnn.service mailvpn.service
-JoinsNamespaceOf=mailnn.service
-BindsTo=mailnn.service
-
-[Service]
-PrivateNetwork=true
-# i dont think we need any of these, but it doesnt hurt to stay consistent
-BindPaths=$bindpaths
-EOF
+    # 4. Put the hole interface into the mail network namespace. This
+    # doesn't work if the mail vpn is wg.  For openvpn, it bypasses the
+    # vpn routing and establishes a direct connection.  I only use the
+    # hole vpn for randomish things, it should be fine to join the mail
+    # nn for that. There should be some way to fix the routing issue
+    # by doing manual routing, but that doesn't seem like a good use of time.
+    # relevant:
+    # https://www.wireguard.com/netns/#
+    #
+    # for wireguard debugging
+    # echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+    # dmesg -w
 
     ;;&
   $MAIL_HOST|bk)
     for unit in ${nn_progs[@]}; do
       i /etc/systemd/system/$unit.service.d/nn.conf <<EOF
 [Unit]
-Requires=mailvpn.service
-After=network.target mailnn.service mailvpn.service
+# commented for old openvpn
+Requires=$vpnser
+After=network.target mailnn.service $vpnser
 JoinsNamespaceOf=mailnn.service
 BindsTo=mailnn.service
 StartLimitIntervalSec=0
@@ -1202,10 +1210,12 @@ if mailhost; then
   i /etc/systemd/system/radicale.service.d/override.conf <<EOF
 [Unit]
 # this unit is configured to start and stop whenever
-# openvpn-client-mail@mail does
-After=network.target network-online.target mailnn.service mailvpn.service
+# $vpnser does
+
+After=network.target network-online.target mailnn.service $vpnser
+BindsTo=$vpnser
+
 Wants=network-online.target
-BindsTo=mailvpn.service
 JoinsNamespaceOf=mailnn.service
 StartLimitIntervalSec=0
 
@@ -1217,7 +1227,8 @@ Restart=always
 RestartSec=1000
 
 [Install]
-RequiredBy=mailvpn.service
+# for openvpn
+RequiredBy=$vpnser
 EOF
 
 
@@ -2018,7 +2029,8 @@ EOF
     m rm tmp.php
     m sudo -u www-data php $ncdir/occ maintenance:update:htaccess
     list=$(sudo -u www-data php $ncdir/occ --output=json_pretty app:list)
-    for app in contacts calendar user_external; do
+    # user_external not compaible with nc 23
+    for app in contacts calendar; do
       if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then
         m sudo -u www-data php $ncdir/occ app:install $app
       fi
@@ -2742,9 +2754,9 @@ case $HOSTNAME in
     # If these have changes, id rather manually restart it, id rather
     # not restart and cause temporary errors
     if $reload; then
-      sre mailvpn
+      sre $vpnser
     else
-      sstart mailvpn
+      sstart $vpnser
     fi
     ;;&
   $MAIL_HOST)
@@ -2786,7 +2798,7 @@ rm -f /var/local/mail-setup-reload
 case $HOSTNAME in
   $MAIL_HOST|bk|je) : ;;
   *)
-    soff radicale mailclean.timer dovecot spamassassin mailvpn mailnn clamav-daemon
+    soff radicale mailclean.timer dovecot spamassassin $vpnser mailnn clamav-daemon
     ;;
 esac
 
diff --git a/vpn-mail-forward b/vpn-mail-forward
index 059ad60..f6ff168 100755
--- a/vpn-mail-forward
+++ b/vpn-mail-forward
@@ -4,6 +4,10 @@ set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 m() { printf "%s\n" "$*";  "$@"; }
 found=false
+
+ifname=$1
+shift
+
 # wait up to 10 seconds for the gateway to appear
 for i in in {1..10}; do
   gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
@@ -23,10 +27,18 @@ do-forward() {
     m /sbin/ip6tables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 2600:3c00:e002:3800::4
   done
   # for bk to talk to MAIL_HOST, only need port 25.
-  ip6tables -t nat $cmd PREROUTING -i tun1 -s 2600:3c00:e002:3800::5 -d 2600:3c00:e000:280::2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 2600:3c00:e002:3800::4
+  ip6tables -t nat $cmd PREROUTING -i $ifname -s 2600:3c00:e002:3800::5 -d 2600:3c00:e000:280::2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 2600:3c00:e002:3800::4
   # we could leave these on all the time but its convenient to do it here
-  m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT
-  m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT
+  m /sbin/iptables $cmd FORWARD -i $ifname -o $gw -j ACCEPT
+  m /sbin/iptables $cmd FORWARD -i $gw -o $ifname -j ACCEPT
+
+  case $ifname in
+    wg*)
+      /sbin/iptables -t nat $cmd POSTROUTING -s 10.8.0.0/24 -o $gw -j MASQUERADE
+      /sbin/ip6tables -t nat $cmd POSTROUTING -s 2600:3c00:e002:3800::/64 -o $gw -j MASQUERADE
+      ;;
+  esac
+
 }
 
 ports=(25 143 587)
-- 
2.30.2