From 321791921e2cffabbb3c2b8fa838fdb258143848 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Thu, 8 Oct 2020 01:59:55 -0400 Subject: [PATCH] mostly improve mail-setup to use network namespace --- .bashrc | 5 +- brc | 8 +- brc2 | 31 +- filesystem/etc/profile.d/environment.sh | 25 +- ...nn@.service => openvpn-client-tr@.service} | 9 +- .../etc/systemd/system/openvpn-nn@.service | 49 -- mail-route | 5 + mail-setup | 430 ++++++++++++------ pkgs | 1 + subdir_files/.gnupg/gpg.conf | 4 +- transmission-firewall/netns.rules | 5 +- 11 files changed, 357 insertions(+), 215 deletions(-) rename filesystem/etc/systemd/system/{openvpn-client-nn@.service => openvpn-client-tr@.service} (74%) delete mode 100644 filesystem/etc/systemd/system/openvpn-nn@.service diff --git a/.bashrc b/.bashrc index b9c560c..f3ea26d 100644 --- a/.bashrc +++ b/.bashrc @@ -48,8 +48,9 @@ else ###### Begin sourcing of files ##### # The distinction between login and non-login shells is super lame - # and pretty random. get rid of that distinction. - if ! shopt -q login_shell; then + # and pretty random. get rid of that distinction. The var check is + # just a random variable i set there and no where else. + if ! shopt -q login_shell && [[ ! $PITHOSFLY_SAVE_DIR ]]; then if [[ -r /etc/profile ]]; then source /etc/profile fi diff --git a/brc b/brc index f30cffa..4823951 100644 --- a/brc +++ b/brc @@ -823,12 +823,8 @@ grr() { # grep recursive } ccomp grep gr grr -if type -P rg &>/dev/null; then - rg() { command rg -i -M 200 "$@"; } -else - rg() { grr "$@"; } - ccomp grep rg -fi +rg() { grr "$@"; } +ccomp grep rg hr() { # horizontal row. used to break up output printf "$(tput setaf 5 2>/dev/null ||:)█$(tput sgr0 2>/dev/null||:)%.0s" $(eval echo "{1..${COLUMNS:-60}}") diff --git a/brc2 b/brc2 index b9f0c3f..3a6164e 100644 --- a/brc2 +++ b/brc2 
@@ -1009,7 +1009,7 @@ rcat() { resolvcat | less } reresolv() { - sudo nscd -i hosts + m sudo nscd -i hosts if [[ $(systemctl is-active dnsmasq ||:) != inactive ]]; then m sudo systemctl restart dnsmasq fi @@ -1038,6 +1038,9 @@ r2eadd() { # usage: name url } r2e() { command r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg "$@"; } +rg() { command rg -i -M 200 "$@"; } +complete -r rg + rspicy() { # usage: HOST DOMAIN # connect to spice vm remote host. use vspicy for local host local port @@ -1214,8 +1217,32 @@ tu() { $s /a/exe/teeu "$@" } +enn() { + local ecmd pid + + ecmd="/usr/sbin/exim4 -C /etc/exim4/my.conf" + if ip a show veth1-mail &>/dev/null; then + s $ecmd "$@" + return + fi + + pid=$(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf") + + if $dosudo; then + s nsenter -t $pid -n -m $ecmd "$@" + fi +} + + +mailbash() { + m sudo nsenter -t $(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") -n -m sudo -u $USER -i bash +} +eximbash() { + m sudo nsenter -t $(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf") -n -m sudo -u $USER -i bash +} + + vpncmd() { - #m s nsenter -t $(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*pia.conf") -n -m "$@" m s nsenter -t $(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*client.conf") -n -m "$@" } vpnf() { diff --git a/filesystem/etc/profile.d/environment.sh b/filesystem/etc/profile.d/environment.sh index e880ab0..8712fc9 100644 --- a/filesystem/etc/profile.d/environment.sh +++ b/filesystem/etc/profile.d/environment.sh 
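Review bot: In `enn()` the branch `if $dosudo; then` tests a variable the function never sets (only `ecmd pid` are declared local), so an empty `$dosudo` expands to no command and the test is trivially true, while a caller's stray `dosudo=false` silently makes the function do nothing; the mail-setup header in this same patch shows the intended definition (`dosudo=true` when `$USER` is non-root). The `pid=$(pgrep ...)` result is also not checked, so when no daemon is running `nsenter -t $pid -n -m` receives `-n` as its target pid. Replacing the tail of the function with `pid=$(pgrep -f "/usr/sbin/exim4 -bd -q30m -C /etc/exim4/my.conf") || return` followed by `s nsenter -t "$pid" -n -m $ecmd "$@"` removes the undefined variable and the empty-pid case; `mailbash`/`eximbash` below have the same unchecked `$(pgrep ...)` substitution.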
@@ -89,18 +89,19 @@ if test "$EUID" && [ "$EUID" != 0 ]; then _sysenv=$(mktemp) _sysenvnames=$(mktemp) _unsetnames=$(mktemp) - systemctl --user show-environment >$_sysenv - grep -o '^[^=]*' $_sysenv | sort > $_sysenvnames - env -0 | grep -zo '^[^=]*' | xargs -0 printf "%s\n" | sort | \ - comm --nocheck-order -13 - $_sysenvnames >$_unsetnames - while read -r unsetname; do - while read -r sysenv; do - case "$sysenv" in - "$unsetname"*) eval export "$sysenv" ;; - esac - done < $_sysenv - done < $_unsetnames - rm -f $_tmpf + if systemctl --user show-environment >$_sysenv 2>/dev/null; then + grep -o '^[^=]*' $_sysenv | sort > $_sysenvnames + env -0 | grep -zo '^[^=]*' | xargs -0 printf "%s\n" | sort | \ + comm --nocheck-order -13 - $_sysenvnames >$_unsetnames + while read -r unsetname; do + while read -r sysenv; do + case "$sysenv" in + "$unsetname"*) eval export "$sysenv" ;; + esac + done < $_sysenv + done < $_unsetnames + rm -f $_tmpf + fi fi # and it seems that if we log into mate, it screws up the systemd env var anyways. _tmp=$(pgrep -a '^ssh-agent$' | sed -r 's/.*-a *([^ ]+).*/\1/') diff --git a/filesystem/etc/systemd/system/openvpn-client-nn@.service b/filesystem/etc/systemd/system/openvpn-client-tr@.service similarity index 74% rename from filesystem/etc/systemd/system/openvpn-client-nn@.service rename to filesystem/etc/systemd/system/openvpn-client-tr@.service index 6926a4d..6b20bb3 100644 --- a/filesystem/etc/systemd/system/openvpn-client-nn@.service +++ b/filesystem/etc/systemd/system/openvpn-client-tr@.service 
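Review bot: The three `mktemp` files are still never removed: the cleanup line inside the new `if` is `rm -f $_tmpf`, and `_tmpf` is not assigned anywhere in this hunk, so `$_sysenv`, `$_sysenvnames` and `$_unsetnames` are left behind in the temp directory on every login (and on the new else path the `rm` does not run at all). Move the cleanup after the `fi` and name the actual files: `rm -f -- "$_sysenv" "$_sysenvnames" "$_unsetnames"`. The enclosing `if test "$EUID" ...` block starts outside the hunk, so the `_tmpf` assignment may exist there, but it would still not name these three files.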
@@ -13,12 +13,9 @@ RuntimeDirectory=openvpn-client RuntimeDirectoryMode=0710 WorkingDirectory=/etc/openvpn/client ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf -# Ian: commented out these lines from upstream -# until we get the next systemd version (233), which can do bind mounts -# inside a mnt namespace via systemd, we have to setup our own, which requires -# full priveledges. -# when we enable CababilityBoundingSet, s/=/=+/ on these ExecStart/Stop lines. -# systemd ver in flidas does not suppot =+ +# todo, try reenabling this from the default openvpn, +# it was disabled so we could do bind mounts as a command, +# but now systemd handles it #CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE LimitNPROC=10 # DeviceAllow=/dev/null rw diff --git a/filesystem/etc/systemd/system/openvpn-nn@.service b/filesystem/etc/systemd/system/openvpn-nn@.service deleted file mode 100644 index 0f94abd..0000000 --- a/filesystem/etc/systemd/system/openvpn-nn@.service +++ /dev/null 
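Review bot: The rewritten comment says the reason for disabling `CapabilityBoundingSet` (doing bind mounts from a command) no longer applies because systemd handles them now, yet the line below it stays commented out, so openvpn in this unit still runs with the full root capability set. If the bind mounts are indeed done by systemd now, the todo can be resolved in this same commit by uncommenting `CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE`; the `openvpn-client-mail@.service` heredoc added to mail-setup later in this patch carries the same commented-out line and the same todo.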
@@ -1,49 +0,0 @@ -[Unit] - - -Description=OpenVPN connection to %i -PartOf=openvpn.service -ReloadPropagatedFrom=openvpn.service - -# ian, this is starting too early, added this from stretch's openvpn-client@.service -After=syslog.target network-online.target -Wants=network-online.target -# ian, commented out, we are starting too early, no need to be before anything. -Before=systemd-user-sessions.service - -Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage -Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO - -[Service] -# these cause ExecStart to fail with "nsenter: reassociate to namespace -# 'ns/mnt' failed: Invalid argument" on trisquel 8. Probably because we -# get put into some mount namespace and the one that I setup does not -# exist within it or something stupid that systemd does not -# document. Whatev. -#PrivateTmp=true -#ProtectSystem=yes - -KillMode=mixed -Type=forking -ExecStart=/usr/sbin/openvpn --daemon ovpn-%i --status /run/openvpn/%i.status 10 --cd /etc/openvpn --script-security 2 --config /etc/openvpn/client/%i.conf --writepid /run/openvpn/%i.pid -PIDFile=/run/openvpn/%i.pid -ExecReload=/bin/kill -HUP $MAINPID -WorkingDirectory=/etc/openvpn -# Ian: commented out these lines from upstream -#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_AUDIT_WRITE -LimitNPROC=10 -#DeviceAllow=/dev/null rw -#DeviceAllow=/dev/net/tun rw - -# ian: added just these lines from upstream -ExecStartPre=/a/bin/newns/newns -n 10.173.0 start %i -ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules -# note, this doesnt get run on trisquel 8 when ExecStart command fails, -# documentation says it should -ExecStopPost=/a/bin/newns/newns stop %i -PrivateNetwork=true -BindPaths=/a/bin/ds/aresolv.conf:/etc/resolv.conf:norbind - -[Install] -WantedBy=multi-user.target 
diff --git a/mail-route b/mail-route index 387208c..c2b7959 100755 --- a/mail-route +++ b/mail-route @@ -155,6 +155,11 @@ modify() { exists=true; ip -6 route show $iproutecmd | grep . &>/dev/null || exists=false if runtest; then e ip -6 route $ip_op $iproutecmd; fi + # We have to ensure we have a normal default ipv6 route, or else linux will + # refuse to do send ipv6 packets at all. When running in a network namespace, + # having the table 1 route is totally redundant since I dont setup a + # normal default ipv6 route. But maybe I will someday. + # # We could only do this if we dont have a default route with [[ ! $(ip -6 r show default) ]] but # metric seems to be perfectly good. 6000 because on my home comp, # its about 6 times slower to ping google than the default 1024 metric. diff --git a/mail-setup b/mail-setup index 8ddb6b9..45a6cb0 100755 --- a/mail-setup +++ b/mail-setup 
@@ -3,6 +3,62 @@ # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later + +# todo: look into changing nsswitch.com to make programs prefer using systemd-resolved +# but not over the network. + +# background: I want to run exim in a network namespace so it can send +# and receive through a vpn. This is needed so it can do ipv6, because +# outside the namespace if we dont have ipv6, to send ipv6 through the +# vpn, we have to send all our ipv6 through the vpn. I did this for a +# long time, it was fine, but it causes various pains, like increased +# latency, increased recaptcha because my ip is from a data center, just +# various issues I dont want on all the time. The problem with the +# namespace is that all kinds of programs want to invoke exim, but they +# wont be in the namespace. I could replace exim with a wrapper that +# jumps into the namespace, i tried that, it works fine. One remaining +# problem was that I would have needed to hook into exim upgrades to +# move exim and replace it with my wrapper script. Also, my script to +# join the namespace is not super reliable because it uses a pgrep. +# Instead, I should have created a systemd service for a process that +# will never die and just writes its pid somewhere convenient. +# That implementation +# is below here: +# +# sudoers: +# user ALL=(ALL) /usr/sbin/exim4 +# +# move exim4 to eximian, use this script for exim4: +# +# #!/bin/bash +# if ip a show veth1-mail &>/dev/null; then +# /usr/sbin/eximian "$@" +# exit +# fi +# dosudo=false +# if [[ $USER && $USER != root ]]; then +# dosudo=true +# fi +# pid=$(pgrep -f "/usr/sbin/openvpn .* --config /etc/openvpn/.*mail.conf") +# if $dosudo; then +# sudo nsenter -t $pid -n -m sudo -u $USER /usr/sbin/eximian "$@" +# else +# nsenter -t $pid -n -m /usr/sbin/eximian "$@" +# fi +# ## end script +# +# an alternate solution: there is a small setguid program for +# network namespaces in my bookmarks. 
+# +# However, the solution I went with is: have 2 exim +# configs. A nonstandard location for the daemon that runs +# in the namespace. For all other invocations, it uses +# the default config location, which is altered to be +# in a smarthost config which sends mail to the deaemon. +# +# I have a bash function, enn to invoke exim like the daemon is running. +# and mailbash to just enter its network namespace. + if [ -z "$BASH_VERSION" ]; then echo "error: shell is not bash" >&2; exit 1; fi pre="${0##*/}:" @@ -219,12 +275,6 @@ fi # our nostart pi fails to avoid enabling systemctl disable openvpn -# trisquel 8 = openvpn, debian stretch = openvpn-client -vpn_ser=openvpn-client -if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then - vpn_ser=openvpn -fi - uhome=$(eval echo ~$u) ### * user forward file @@ -276,6 +326,7 @@ POSTGREY_OPTS="--exim --unix=/var/run/postgrey/postgrey.sock --retry-window=4 -- EOF # * spamassassin +## also has a bit of exim config cat >/etc/sysctl.d/80-iank-mail.conf <<'EOF' # see exim spec @@ -298,6 +349,41 @@ trusted_networks 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 2 EOF case $HOSTNAME in + $MAIL_HOST) + + f=/etc/nn-resolv/stub-resolv.conf + l="nameserver 8.8.8.8" + if ! grep -Fxq "$l" /etc/nn-resolv/stub-resolv.conf &>/dev/null; then + mkdir -p ${f%/*} + echo "$l" >$f + chattr +i $f + fi + + reload=false + for unit in exim4 spamassassin; do + f=/etc/systemd/system/$unit.service.d/nn.conf + if [[ ! -s $f || $(stat -c%s $f) != 244 ]]; then + reload=true + echo creating $f + mkdir -p ${f%/*} + cat >$f <<'EOF' +[Unit] +After=network.target +Requires=openvpn-client-mail@mail.service +After=openvpn-client-mail@mail.service +JoinsNamespaceOf=openvpn-client-mail@mail.service + +[Service] +PrivateNetwork=true +BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind +EOF + fi + done + if $reload; then + m systemctl daemon-reload + fi +;; + bk|$MAIL_HOST) m systemctl stop spamassassin m systemctl disable spamassassin 
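Review bot: The new header records a design that the text itself says was not adopted, including a sudoers line (`user ALL=(ALL) /usr/sbin/exim4`) and a wrapper that enters the namespace via an unchecked `pgrep`; a one-line marker such as `# NOT IN USE - kept for history, see "the solution I went with" below` at the top of that block would keep a future reader from copying the sudoers rule into /etc/sudoers. Also, `nsswitch.com` in the first todo line presumably means `nsswitch.conf`.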
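Review bot: The new `$MAIL_HOST)` arm ends with `;;`, so on the mail host the case statement stops there and the existing `bk|$MAIL_HOST)` arm (stop/disable spamassassin) no longer runs for that host, which the commit message does not mention. If the earlier arm is meant to be additive, terminate it with `;;&` as the later `$MAIL_HOST|bk)` arm in this file already does; if skipping spamassassin handling on the mail host is intended, drop `$MAIL_HOST` from the `bk|$MAIL_HOST)` pattern so the intent is visible. Separately, `$(stat -c%s $f) != 244` detects a stale drop-in by a hard-coded byte count that must be recomputed whenever the heredoc changes, and the same pattern is used with `220` for `exim4.service.d/override.conf` near the end of the file; writing the heredoc to a `mktemp` file and using `cmp -s` against `$f` makes the check follow the content. Note too that `echo "$l" >$f` runs before `chattr +i`, but if a previous run left the file immutable with different contents the write fails and the loop continues.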
@@ -366,7 +452,8 @@ if [[ -e /p/c/filesystem ]]; then fi -rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin + +m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin cat >/etc/systemd/system/mailcert.service <<'EOF' @@ -398,11 +485,11 @@ m systemctl enable mailcert.timer # * common exim4 config source /a/bin/bash_unpublished/source-state - if [[ ! $MAIL_HOST ]]; then err "\$MAIL_HOST not set" fi + m gpasswd -a iank adm #needed for reading logs @@ -442,6 +529,23 @@ b=userforward_higher_priority # replace the router name so it is unique sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b +#### begin setup alternate config for daemon +update-exim4defaults -f --commonoptions '-C /etc/exim4/my.conf' +l="UPEX4OPTS='-o /etc/exim4/my.conf'" +if ! grep -Fxq "$l" /etc/default/exim4; then + sed -i '/^ *UPEX4OPTS=/d' /etc/default/exim4 + echo "$l" >> /etc/default/exim4 +fi +cat >/etc/exim4/trusted_configs <<'EOF' +/etc/exim4/my.conf +EOF +#### end setup alternate config for daemon + +# alerts is basically the postmaster address +sed -i --follow-symlinks -f - /etc/aliases </etc/exim4/conf.d/main/000_local </etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' ### router/900_exim4-config_local_user 
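Review bot: Listing `/etc/exim4/my.conf` in `/etc/exim4/trusted_configs` only has effect if the file meets exim's trust conditions (root-owned and not writable by group or others); otherwise exim drops root privileges when started with `-C` on it, and the hunk neither sets nor checks the mode of the file that `UPEX4OPTS='-o /etc/exim4/my.conf'` will generate. Adding `chmod go-w /etc/exim4/my.conf` after the first `update-exim4.conf` run (assuming that is where it is produced, which is outside this hunk) makes the expectation explicit. The `sed -i --follow-symlinks -f - /etc/aliases` heredoc at the end of this hunk is cut off in the view, so its content is not reviewed here.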
@@ -717,7 +819,6 @@ xioE3sYKdjOt+p6mlg3l8+OLtODEFPHDqwIBAg== -----END DH PARAMETERS----- EOF cat >/etc/dovecot/local.conf </etc/dovecot/local.conf.ext <<'EOF' -passdb { - driver = sql - args = /etc/dovecot/dovecot-sql.conf.ext -} -userdb { - driver = sql - args = /etc/dovecot/dovecot-sql.conf.ext -} - -EOF - - cat >/etc/dovecot/dovecot-sql.conf.ext <<'EOF' -# from mailinabox -driver = sqlite -connect = /m/rc/users.sqlite -default_pass_scheme = SHA512-CRYPT -password_query = SELECT email as user, password FROM users WHERE email='%u'; -user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "/m/md/%d/%n" as home FROM users WHERE email='%u'; -iterate_query = SELECT email AS user FROM users; -EOF - chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions - - # db needs to be in a www-data writable directory - db=/m/rc/users.sqlite - if [[ ! -s $db ]]; then - sqlite3 $db <<'EOF' -CREATE TABLE users ( -id INTEGER PRIMARY KEY AUTOINCREMENT, -email TEXT NOT NULL UNIQUE, -password TEXT NOT NULL, -extra, -privileges TEXT NOT NULL DEFAULT ''); -EOF - fi - # example of adding a user: - # hash: doveadm pw -s SHA512-CRYPT -p passhere - # sqlite3 /m/rc/users.sqlite <<'EOF' - #insert into users (email, password) values ('testignore@bk.b8.nz', 'hash'); - #EOF - - - case $HOSTNAME in $MAIL_HOST) 
@@ -863,13 +902,39 @@ EOF if [[ -e $f ]]; then mv $f $f-iank-disabled fi + cat >>/etc/dovecot/local.conf </etc/dovecot/local.conf.ext <<'EOF' +passdb { + driver = sql + args = /etc/dovecot/dovecot-sql.conf.ext +} +userdb { + driver = sql + args = /etc/dovecot/dovecot-sql.conf.ext +} + +EOF + + cat >/etc/dovecot/dovecot-sql.conf.ext <<'EOF' +# from mailinabox +driver = sqlite +connect = /m/rc/users.sqlite +default_pass_scheme = SHA512-CRYPT +password_query = SELECT email as user, password FROM users WHERE email='%u'; +user_query = SELECT email AS user, "mail" as uid, "mail" as gid, "/m/md/%d/%n" as home FROM users WHERE email='%u'; +iterate_query = SELECT email AS user FROM users; +EOF + chmod 0600 /etc/dovecot/dovecot-sql.conf.ext # per Dovecot instructions + + # db needs to be in a www-data writable directory + db=/m/rc/users.sqlite + if [[ ! -s $db ]]; then + mkdir -p /m/rc + sqlite3 $db <<'EOF' +CREATE TABLE users ( +id INTEGER PRIMARY KEY AUTOINCREMENT, +email TEXT NOT NULL UNIQUE, +password TEXT NOT NULL, +extra, +privileges TEXT NOT NULL DEFAULT ''); +EOF + fi + # example of adding a user: + # hash: doveadm pw -s SHA512-CRYPT -p passhere + # sqlite3 /m/rc/users.sqlite <<'EOF' + #insert into users (email, password) values ('testignore@bk.b8.nz', 'hash'); + #EOF + + ;; esac ####### end dovecot-setup ######## @@ -930,10 +1039,11 @@ EOF # * nextcloud setup -# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html -# curl from the web installer requirement, but i switched to cli -pi php-curl php-fileinfo php-bz2 -web-conf - apache2 expertpathologyreview.com <<'EOF' +nextcloud-setup() { + # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html + # curl from the web installer requirement, but i switched to cli + pi php-curl php-fileinfo php-bz2 + /a/exe/web-conf - apache2 expertpathologyreview.com <<'EOF' Alias /nextcloud "/var/www/nextcloud/" Require all granted 
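Review bot: The added `mkdir -p /m/rc` creates a root-owned directory and the following `sqlite3 $db` creates a root-owned database, while the comment two lines above says the db needs to be in a www-data writable directory; unless ownership is fixed elsewhere, the web side will not be able to write `/m/rc/users.sqlite`. A `chown www-data: /m/rc` after the `mkdir` (or after the `sqlite3` call for the file itself) would make the comment true; the query strings in `dovecot-sql.conf.ext` are unchanged from the removed block and are not reviewed again here.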
@@ -947,20 +1057,20 @@ Alias /nextcloud "/var/www/nextcloud/" EOF -cd /var/www -wget https://download.nextcloud.com/server/releases/latest.zip -unzip -q latest.zip -rm latest.zip -chown -R www-data.www-data nextcloud -cd /var/www/nextcloud -sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass swarm.numbered.alienist -cd /var/www/nextcloud/config -# https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html -cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF' + cd /var/www + wget https://download.nextcloud.com/server/releases/latest.zip + unzip -q latest.zip + rm latest.zip + chown -R www-data.www-data nextcloud + cd /var/www/nextcloud + sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass swarm.numbered.alienist + cd /var/www/nextcloud/config + # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html + cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF' [www] clear_env = no EOF -cat config.php - >tmp.php <<'EOF' + cat config.php - >tmp.php <<'EOF' $CONFIG['overwrite.cli.url'] = 'https://expertpathologyreview.com/nextcloud'; $CONFIG['htaccess.RewriteBase'] = '/nextcloud'; $CONFIG['trusted_domains'] = array ( @@ -971,10 +1081,10 @@ fwrite(STDOUT, "config.php 2>/dev/null -rm tmp.php -sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess - + php tmp.php >config.php 2>/dev/null + rm tmp.php + sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess +} # * roundcube setup @@ -1138,8 +1248,11 @@ EOF } -# * if MAIL_HOST +# * exim host conditional config + + case $HOSTNAME in + # ** $MAIL_HOST|bk) $MAIL_HOST|bk) dovecot-setup m systemctl enable dovecot 
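Review bot: `nextcloud-setup` now carries a literal admin password on the `occ maintenance:install` line (`--admin-pass swarm.numbered.alienist`), which is committed to this repository and visible in the process list while the install runs; the rest of this file already keeps secrets under /p/c (for example `/p/c/filesystem/etc/exim4/passwd`), so read it from a root-only file there, e.g. `--admin-pass "$(cat <root-only-secret-file>)"`, and rotate the value that is now in history. `wget .../latest.zip` followed by `unzip` installs whatever the download returns with no checksum or signature check, which is worth adding given this becomes a web-exposed service. Inside the function the bare `cd /var/www` has no `|| return`; if `set -e` is not in effect at this point (not visible in the hunk) a failed cd lets `chown -R www-data.www-data nextcloud` and the later `cd` chain run against the caller's working directory.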
@@ -1174,14 +1287,11 @@ EOF m systemctl start mailclean.timer ;;& + # ** $MAIL_HOST) $MAIL_HOST) - - # * exim - sudo rsync -ahhi --chown=root:Debian-exim --chmod=0640 \ /p/c/filesystem/etc/exim4/passwd /p/c/filesystem/etc/exim4/*.pem /etc/exim4/ - # mail.iankelling.org so local imap clients can connect with tls and # when they happen to not be local. sed -ri -f - /etc/hosts <<'EOF' 
@@ -1263,41 +1373,88 @@ EOF m chmod 755 $f # make all system users be aliases - for u in $(awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd); do - if ! grep -q "^$u:" aliases; then + for user in $(awk 'BEGIN { FS = ":" } ; $6 !~ /^\/home/ { print $1 }' /etc/passwd); do + if ! grep -q "^$user:" /etc/aliases; then echo "$u: root" |tee -a /etc/aliases fi done - # alerts is basically the postmaster address - sed -i --follow-symlinks -f - /etc/aliases <$f <<'EOF' +[Unit] +Description=OpenVPN tunnel for %I +After=syslog.target network-online.target +Wants=network-online.target +Documentation=man:openvpn(8) +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO +Requires=iptables.service +# needed to continually restatr +StartLimitIntervalSec=0 - # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html - d=/etc/systemd/system/$vpn_ser@mail.service.d - m mkdir -p $d - cat >$d/override.conf <<'EOF' [Service] +Type=notify +RuntimeDirectory=openvpn-client +RuntimeDirectoryMode=0710 +WorkingDirectory=/etc/openvpn/client +ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf +#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +LimitNPROC=10 +# DeviceAllow=/dev/null rw +# DeviceAllow=/dev/net/tun rw +ExecStartPre=/a/bin/newns/newns -n 10.173.8 start %i +ExecStopPost=/a/bin/newns/newns stop %i +PrivateNetwork=true +# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53, +# because of +# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback +# there is a workaround there, but i dont think its really worth it, +# the mail server is fine with a static dns anyways. 
+# This thread is also interesting, +# https://github.com/slingamn/namespaced-openvpn/issues/7 +# todo: the iptables rule at the bottom could be useful to prevent +# dns from leaking in my network namespaced vpn. +# I also like the idea of patching systemd-resolved so it +# will listen on other interfaces, but its not worth my time. +BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind + Restart=always # time to sleep before restarting a service RestartSec=1 -[Unit] -StartLimitIntervalSec=0 + +[Install] +WantedBy=multi-user.target EOF - if ! systemctl cat $vpn_ser@mail.service|grep -xF StartLimitInterval=0 &>/dev/null; then - # needed for the above config to go into effect - m systemctl daemon-reexec + m systemctl daemon-reload + m systemctl restart openvpn-client-mail@mail fi - m systemctl restart $vpn_ser@mail - m systemctl enable $vpn_ser@mail + m systemctl start openvpn-client-mail@mail + m systemctl enable openvpn-client-mail@mail + + /a/exe/cedit nn.b8.nz /etc/hosts <<'EOF' || [[ $? == 1 ]] +# note: i put this into bind for good measure +10.173.8.2 nn.b8.nz +# this is just here to avoid mainlog errors, however, it doesnt seem to work +# todo: look into it more. nsswitch.conf? cached result? i dunno +# list matching forced to fail: failed to find host name for 10.173.8.1 +10.173.8.1 defaultnn.b8.nz +EOF + + rsync -ra --delete /etc/exim4/ /etc/myexim4 + cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF' +dc_eximconfig_configtype='smarthost' +dc_smarthost='nn.b8.nz' +EOF + update-exim4.conf -d /etc/myexim4 + ;; - # * bk + # ** bk ## we use this host to monitor MAIL_HOST and host a mail server for someone bk) 
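Review bot: The system-user alias loop was renamed from `u` to `user`, but the body still writes `echo "$u: root" |tee -a /etc/aliases`, so every system user missing an alias now appends a line for the script-level `$u` instead of itself; the line should be `echo "$user: root" |tee -a /etc/aliases`. In the same hunk the mail-namespace DNS is pinned to a plaintext `nameserver 8.8.8.8` stub file that is made immutable; the unit heredoc's own comment says static DNS is acceptable here, but the todo about the iptables rule to stop DNS leaking outside the namespace is the part worth finishing, since the namespace currently has no such rule. The `cat >$f <<'EOF'` for `openvpn-client-mail@.service` sits inside an `if` whose condition is cut off in this view, so the staleness check there is not reviewed.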
@@ -1367,9 +1524,15 @@ EOF EOF roundcube-setup + nextcloud-setup ;; - # * not MAIL_HOST and not bk + # ** not MAIL_HOST and not bk *) + for unit in exim4 spamassassin; do + f=/etc/systemd/system/$unit.service.d/nn.conf + rm -fv $f + done + # remove mail. uses 2 lines to properly remove whitespace sed -ri -f - /etc/hosts <<'EOF' s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1# @@ -1384,26 +1547,22 @@ EOF m systemctl disable mailclean.timer &>/dev/null ||: m systemctl stop mailclean.timer &>/dev/null ||: - m systemctl disable $vpn_ser@mail - m systemctl stop $vpn_ser@mail + m systemctl disable openvpn-client-mail@mail + m systemctl stop openvpn-client-mail@mail rm -fv /etc/exim4/conf.d/main/000_localmacros # old filename - cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <<'EOF' dc_eximconfig_configtype='smarthost' dc_smarthost='$smarthost' -# The manpage incorrectly states this will do header rewriting, but -# that only happens if we have dc_hide_mailname is set. -dc_readhost='iankelling.org' EOF hostname -f >/etc/mailname - # This ends up at alerts mailbox on MAIL_HOST - sed -i --follow-symlinks -f - /etc/aliases <>/etc/exim4/update-exim4.conf.conf <>/etc/fstab fi + reload=false f=/etc/systemd/system/exim4.service.d/override.conf - if [[ ! -s $f ]]; then - # without this, we get these kind of errors in paniclog on shutdown: - # 2020-03-12 07:25:31.965 [32678] 1jCLxz-0008V4-V9 Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied - mkdir -p /etc/systemd/system/exim4.service.d + if [[ ! -s $f || $(stat -c%s $f) != 220 ]]; then + reload=true + mkdir -p ${f%/*} cat >$f <<'EOF' [Unit] +# without this on exim, we get these kind of errors in paniclog on shutdown: +# Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied After=local-fs.target +After=network.target EOF m systemctl daemon-reload fi 
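Review bot: In the `*)` arm the new loop removes `/etc/systemd/system/$unit.service.d/nn.conf` for exim4 and spamassassin but does not trigger `systemctl daemon-reload`, so a host that was previously the mail host keeps the loaded `PrivateNetwork=true`/`JoinsNamespaceOf=` drop-in until something else reloads systemd, and the next exim4 start will still try to join the now-disabled vpn unit's namespace. Mirror the `$MAIL_HOST` arm: set `reload=true` when `rm -fv $f` removes something and run `m systemctl daemon-reload` after the loop (or unconditionally, since this arm later stops the openvpn unit anyway).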
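Review bot: The smarthost heredoc on the non-mail hosts is changed to a quoted delimiter (`<<'EOF'`), but the unchanged body line `dc_smarthost='$smarthost'` relies on expansion, so `update-exim4.conf.conf` now receives the literal string `$smarthost` as the relay host; this reading is inferred from the collapsed diff text, so verify, but if `smarthost` is still a shell variable the delimiter must stay unquoted (`<<EOF`) or the value inlined. Dropping `dc_readhost='iankelling.org'` changes what these hosts advertise for header rewriting and is not mentioned in the commit message; a one-line comment stating why it is no longer needed would help. The remainder of this file section is garbled in this view (several heredocs and at least one hunk header are missing), so the fstab and `override.conf` changes are not reviewed beyond the size-check remark given earlier.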
@@ -1547,7 +1711,7 @@ esac # * misc -sudo -u $u mkdir -p /home/$u/.cache +m sudo -u $u mkdir -p /home/$u/.cache set -- /m/mucache /home/$u/.cache/mu /m/.mu /home/$u/.mu while (($#)); do target=$1 diff --git a/pkgs b/pkgs index 949b014..82a5a5b 100644 --- a/pkgs +++ b/pkgs @@ -57,6 +57,7 @@ p3=( apt-rdepends apt-show-versions aptitude-doc-en + arandr # dictionary / thesaurus artha asciidoc diff --git a/subdir_files/.gnupg/gpg.conf b/subdir_files/.gnupg/gpg.conf index 19d62ea..c60b19d 100644 --- a/subdir_files/.gnupg/gpg.conf +++ b/subdir_files/.gnupg/gpg.conf @@ -42,8 +42,8 @@ default-key B125F60B7B287FF6A2B7DF8F170AF0E2954295DF #keyserver hkp://keys.openpgp.org #keyserver hkp://pgp.mit.edu #keyserver hkp://keyserver.pgp.com -#keyserver hkp://ipv4.pool.sks-keyservers.net -keyserver hkp://keys.gnupg.net +keyserver hkp://ipv4.pool.sks-keyservers.net +#keyserver hkp://keys.gnupg.net #keyserver hkp://keyserver.ubuntu.com #keyserver hkp://keyring.debian.org #keyserver keyserver.ubuntu.com diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules index 96b404f..65c87c9 100644 --- a/transmission-firewall/netns.rules +++ b/transmission-firewall/netns.rules @@ -1,6 +1,5 @@ # note, transmission specific thing here is to -# allow one extra port for transmission-remote, but thats no big deal, -# might as well use this in general for openvpn-nn +# allow one extra port for transmission-remote # format from iptables-save. [0:0] are comments of packet-count/byte-count # which I removed @@ -18,9 +17,9 @@ # although just having output should do fine. # We could also firewall from outside the nat, for example like this, -# but I'm thinking this is simpler. #-A FORWARD -i brvpn -p udp -m udp --dport 1194:1195 -j ACCEPT #-A FORWARD -i brvpn -j REJECT +# but I'm thinking firewall from inside is simpler. # prevent dns leaks, openvpn runs as root, allow root to # make non-vpn dns calls, but not transmission which does not run as root. -- 2.30.2
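Review bot: The gpg.conf change moves the active keyserver to `hkp://ipv4.pool.sks-keyservers.net`, a plaintext HKP endpoint on a pool that was already known at this time to serve poisoned (flooded) certificates that can hang GnuPG on import; the alternative being commented out is also plaintext, so neither line authenticates the keyserver. Prefer an HKPS endpoint, for example the `keys.openpgp.org` entry already present in the list written as `keyserver hkps://keys.openpgp.org`, and if the SKS pool is needed for a specific key, fetch it explicitly rather than as the default.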