From 4449f2d68a8b7e6d7d01abcca20b16602db9d385 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Tue, 8 Jun 2021 16:37:33 -0400 Subject: [PATCH] various fixes --- brc | 23 +- brc2 | 59 ++-- conflink | 4 +- distro-begin | 30 +- distro-end | 62 ++-- epanic-clean | 16 +- filesystem/etc/apt-cacher-ng/iank.conf | 31 ++ filesystem/etc/apt/detect-http-proxy | 14 +- .../{iank.conf => zziank.conf} | 2 +- .../systemd/system/openvpn-client-tr@.service | 2 +- .../system/transmission-daemon-nn.service | 2 +- filesystem/usr/local/bin/abrowser | 9 +- install-my-scripts | 3 +- .../etc/systemd/system/btrbk.service | 8 +- .../kd/filesystem/etc/btrbk/rust.conf | 5 +- machine_specific/kd/filesystem/etc/cron.d/kd | 7 + mail-setup | 56 ++-- pkgs | 4 + subdir_files/sieve/lists.sieve | 267 +++++++++--------- subdir_files/sieve/liststest.sieve | 267 +++++++++--------- switch-mail-host | 26 +- system-status | 16 +- trusted-network | 11 +- untrusted-network | 17 +- 24 files changed, 557 insertions(+), 384 deletions(-) create mode 100644 filesystem/etc/apt-cacher-ng/iank.conf rename filesystem/etc/systemd/resolved.conf.d/{iank.conf => zziank.conf} (88%) create mode 100644 machine_specific/kd/filesystem/etc/cron.d/kd diff --git a/brc b/brc index 537cb77..34f3dce 100644 --- a/brc +++ b/brc @@ -293,7 +293,7 @@ fpst() { # file paste _khfix_common() { local host ip port - read -r host ip port < <(timeout 1 ssh -oBatchMode=yes -oControlMaster=no -oControlPath=/ -v $1 |& sed -rn "s/debug1: Connecting to ([^ ]+) \[([^\]*)] port ([0-9]+).*/\1 \2 \3/p" || [[ $? == 124 ]]) + read -r host ip port < <(timeout -s 9 2 ssh -oBatchMode=yes -oControlMaster=no -oControlPath=/ -v $1 |& sed -rn "s/debug1: Connecting to ([^ ]+) \[([^\]*)] port ([0-9]+).*/\1 \2 \3/p" || [[ $? == 124 ]]) if [[ ! $ip ]]; then echo "khfix: ssh failed" return 1 
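Review bot: The `|| [[ $? == 124 ]]` guard on the new `timeout -s 9 2 ssh …` line in _khfix_common no longer matches what timeout reports: GNU timeout exits 137 rather than 124 when it had to SIGKILL the command, so a host that is merely slow is now indistinguishable from a failed connection as far as that guard is concerned. In practice `$?` there is the status of the `|& sed` pipeline and the process substitution's status is discarded anyway, so either drop the guard or check `${PIPESTATUS[0]}` against 137. `$1` in the ssh call is also still unquoted; `"$1"` is safe.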
@@ -310,6 +310,7 @@ _khfix_common() { fi echo "khfix: removing key for $ip_entry" ssh-keygen -R "$ip_entry" -f $(readlink -f ~/.ssh/known_hosts) + rootsshsync } khfix() { # known hosts fix _khfix_common "$@" || return 1 @@ -648,6 +649,19 @@ eqrmf() { exiqgrep -i | xargs exim -Mrm } +econfdevnew() { + rm -rf /tmp/edev + mkdir -p /tmp/edev/etc + cp -ra /etc/exim4 /tmp/edev/etc + cp -ra /etc/alias* /tmp/edev/etc + find /tmp/edev/etc/exim4 -type f -execdir sed -i "s,/etc/,/tmp/edev/etc/,g" '{}' + + econfdev +} +econfdev() { + update-exim4.conf -d /tmp/edev/etc/exim4 -o /tmp/edev/e.conf +} + + # shellcheck disable=SC2032 f() { @@ -1019,6 +1033,10 @@ nags() { /usr/bin/nagstamon & } +nmt() { + s nmtui-connect "$@" +} + nopanic() { # shellcheck disable=SC2024 sudo tee -a /var/log/exim4/paniclog-archive /dev/null; then + resolvectl flush-caches + fi } rmstrips() { diff --git a/brc2 b/brc2 index 169b847..b563c9e 100644 --- a/brc2 +++ b/brc2 @@ -86,7 +86,19 @@ rsync -rptL --delete --filter=". /b/ds/sl/rsync-filter" /a/opt/emacs-trisquel8-n EOF } +# usage mkschroot [-] distro codename packages +# - means no piping in of sources.list mkschroot() { + local force=false + while [[ $1 == -* ]]; do + case $1 in + -f) force=true; shift ;; + -s) + sources="$2" + shift 2 + ;; + esac + done distro=$1 shift case $distro in @@ -101,8 +113,9 @@ mkschroot() { ;; esac n=$1 + shift - if schroot -l | grep -xFq chroot:$n; then + if ! $force && schroot -l | grep -xFq chroot:$n; then echo "$0: $n schroot already installed, skipping" return 0 fi 
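Review bot: econfdevnew builds its scratch copy of /etc/exim4 at the fixed path `/tmp/edev` in the shared temp directory, using `rm -rf` and `mkdir -p`, and econfdev hard-codes the same path; a name in /tmp that any local account can pre-create is the wrong home for a tree that, per the mail-setup hunks in this same patch, contains `/etc/exim4/*-private.pem` DKIM keys, and `mkdir -p` creates the parents with the caller's umask rather than anything restrictive. Keep the tree somewhere only this user can reach (a directory under `$HOME`, or `mktemp -d` with the path printed) and pass it to econfdev so the two functions cannot drift. Rewritten below; the copy, path rewrite and update-exim4.conf call are otherwise unchanged.
```bash
# scratch copy of the exim config for editing outside /etc; kept under $HOME
# rather than /tmp because the tree can contain private key material
econfdevnew() {
  local d=$HOME/edev
  rm -rf -- "${d:?}"
  mkdir -p -- "$d/etc"
  cp -ra /etc/exim4 "$d/etc"
  cp -ra /etc/alias* "$d/etc"
  find "$d/etc/exim4" -type f -execdir sed -i "s,/etc/,$d/etc/,g" '{}' +
  econfdev "$d"
}
# $1: scratch tree made by econfdevnew (defaults to the same location)
econfdev() {
  local d=${1:-$HOME/edev}
  update-exim4.conf -d "$d/etc/exim4" -o "$d/e.conf"
}
```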
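Review bot: The new option loop in mkschroot has no default arm, so any argument that starts with `-` other than `-f`/`-s` (a typo, or a package name beginning with a dash) matches `-*`, hits no case, is never shifted, and the loop spins forever. `sources` is also neither `local` nor reset, so in a sourced interactive shell a value left by an earlier call is silently reused by the `if [[ $sources ]]` install in the @@ -117 hunk. Suggest `local force=false sources=` at the top and a `*) echo "mkschroot: unknown option $1" >&2; return 1 ;;` arm. The usage comment added above the function (`[-]`, "no piping in of sources.list") also does not describe the `-f`/`-s FILE` options the code actually implements.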
@@ -117,20 +130,19 @@ profile=desktop preserve-environment=true users=$USER,user2 EOF - if [[ -e $d/bin ]]; then - sudo chroot $d apt-get update - sudo chroot $d DEBIAN_FRONTEND=noninteractive apt-get -y dist-upgrade --purge --auto-remove - cd; sudo schroot -c $n -- DEBIAN_FRONTEND=noninteractive apt-get install --allow-unauthenticated -y ${apps[@]} - else + cd + if [[ ! -e $d/bin ]]; then sudo mkdir -p $d # resolvconf otherwise schroot fails with # cp: not writing through dangling symlink '/var/run/schroot/mount/flidas-7a2362e0-81b3-4848-92c1-610203ef5976/etc/resolv.conf' sudo debootstrap --exclude=resolvconf $n $d $repo - cd - if (( ${#apps[@]} )); then - sudo schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]} - fi fi + if [[ $sources ]]; then + sudo install -m 644 $sources $d/etc/apt/sources.list + fi + sudo chroot $d apt-get update + sudo DEBIAN_FRONTEND=noninteractive chroot $d apt-get -y dist-upgrade --purge --auto-remove + sudo DEBIAN_FRONTEND=noninteractive schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]} sudo cp -P {,$d}/etc/localtime } @@ -179,12 +191,13 @@ bum() { (( $# == 1 )) || return 1 cur="$(awk '$2 == "/bu/mnt" {print $1}' /proc/mounts)" if [[ $cur ]]; then - if [[ $cur != "$host:/bu/md" ]]; then + if [[ $cur == "$host:/bu/md" ]]; then + return 0 + else fusermount -u /bu/mnt fi - else - sshfs $host:/bu/md /bu/mnt fi + sshfs $host:/bu/md /bu/mnt ser start exim4 } bu() { @@ -287,7 +300,7 @@ astudio() { # todo: make sm pull/push use systemd instead of the journal cat command bbk() { # btrbk wrapper - + local ret=0 c / local active=true systemctl is-active btrbk.timer || active=false 
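Review bot: The rewritten install path runs `apt-get install --allow-unauthenticated` unconditionally, and a list supplied with `-s` is copied into `$d/etc/apt/sources.list` immediately before it with no accompanying keyring, so packages from a custom source are installed with signature checking switched off. If the flag is only there because a third-party archive's key is missing, install that key into the chroot next to the `sudo install … sources.list` line and drop `--allow-unauthenticated`; if it is genuinely needed for some archive, a comment saying which one would keep it from spreading. `${apps[@]}` is also unquoted on that line; `"${apps[@]}"` behaves the same when the array is empty and is safe otherwise.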
@@ -328,7 +341,7 @@ jrun() { # journal run. run args, log to journal, tail and grep the journal. # Note, an alternative without systemd would be something like ts. # Note, I tried using systemd-cat, but this seems obviously better, # and that seemed to have a problem exiting during a systemctl daemon-reload - local cmd_name ret jr_pid s + local cmd_name jr_pid s ret=0 cmd_name=${1##*/} cmd=$1 @@ -354,7 +367,6 @@ jrun() { # journal run. run args, log to journal, tail and grep the journal. kill $jr_pid &>/dev/null ||: unset jr_pid fg &>/dev/null ||: - return $ret } # service run, and watch the output srun() { @@ -543,7 +555,7 @@ chrome() { cmd=chromium else cd / - cmd="schroot -c stretch chromium" + cmd="schroot -c buster chromium" CHROMIUM_FLAGS='--enable-remote-extensions' $cmd &r fi } @@ -896,13 +908,7 @@ tl() { to "$*" t s lunch t in -a "$*" - m t out -a $(date +%F.%T -d @$(( $(date -d "$(echo $*|sed 's/\./ /')" +%s) + 60*45 )) ) - t s w -} -tlo() { - t s lunch - t in -a "$*" - m t out -a $(date +%F.%T -d @$(( $(date -d "$(echo $*|sed 's/\./ /')" +%s) + 60*45 )) ) + m t out -a $(date +%F.%T -d @$(( $(date -d "$(echo $*|sed 's/[_.]/ /g')" +%s) + 60*45 )) ) t s w } @@ -1065,6 +1071,11 @@ myirc() { # use * instead of -r since that does sorted order ssh root@iankelling.org "cd $d/#$1; grep '\/dev/null; then + sudo mkdir /d + if [[ -d /mnt/r7/d ]]; then + sudo mount /d + fi + fi + ;; +esac + + ##### setup email primary-setup @@ -689,6 +704,17 @@ if $emacs; then /a/exe/ssh-emacs-setup fi +if [[ $HOSTNAME == kd ]] && ! mountpoint /d &>/dev/null; then + cat <<'EOFOUTER' +# if this is a fresh reinstall, need to run something like this +# to restore data: +mkdir /mnt/r7/btrbk +btrbk archive /mnt/rust1/btrbk /mnt/r7/btrbk +btrfs sub snap /mnt/r7/btrbk/LATEST /mnt/r7/d +mount /d +EOFOUTER +fi + echo 0 >~/.local/distro-begin echo "$0: $(date): ending now" diff --git a/distro-end b/distro-end index 81b31d8..dfc0340 100755 --- a/distro-end +++ b/distro-end 
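Review bot: `ret` is dropped from jrun's `local` list and `return $ret` is removed in the @@ -354 hunk, so the status is now left in a global `ret` and jrun itself always returns the status of the trailing `fg &>/dev/null ||:`, i.e. 0; any caller doing `jrun … || …` can no longer detect failure. If the intent is to hand the status back through `$ret` (srun, defined just below, may rely on that), say so in the function's header comment, e.g. `# exit status of the command is left in the global $ret; jrun itself returns 0`; otherwise keep `local … ret` and `return $ret`. Most of jrun's body lies between the two hunks and is not visible here.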
@@ -53,6 +53,10 @@ codename=$(debian-codename) codename_compat=$(debian-codename-compat) pending_reboot=false sed="sed --follow-symlinks" + +# when we schroot, it will fail if we are in a directory that doesnt exist in the chroot +cd / + ## template: # case $distro in # esac @@ -448,14 +452,14 @@ EOF esac # 2020-03-03 old file -rm -fv /etc/apt/preferences.d/radicale +s rm -fv /etc/apt/preferences.d/radicale ######### end universal pinned packages ###### ### system76 things ### case $HOSTNAME in sy) # note, i stored the initial popos packages at /a/bin/data/popos-pkgs - if [[ ! -d /etc/apt/sources.list.d/system76.list ]]; then + if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html sd /etc/apt/sources.list.d/system76.list < 60 second intervals if [[ ! $logtime ]]; then @@ -32,14 +35,13 @@ while read -r d1 d2; do sec_max=$((logtime + 60)) jmin="$(date -d @$sec_min "+%F %H:%M:%S")" jmax="$(date -d @$sec_max "+%F %H:%M:%S")" - if journalctl -S "$jmin" -U "$jmax" \ - | awk '$6 == "spamd:" && $7 == "restarting"' | grep . &>/dev/null; then - wipe=true + if ! journalctl -u clamav-daemon -S "$jmin" -U "$jmax" \ + | grep 'Starting Clam AntiVirus userspace daemon' &>/dev/null; then + wipe=false break fi -done < <(awk '/spam acl condition/ {print $1,$2}' /var/log/exim4/paniclog) -if $wipe; then - regex="^$(date -d @$logtime "+%F %H:%M" )|^${jmin%:*}|^${jmax%:*}" +done < <(awk "/$regex/ "'{print $1,$2}' /var/log/exim4/paniclog) +if $found && $wipe; then grep -E "$regex" /var/log/exim4/paniclog >> /var/log/exim4/paniclog-archive sed -ri "/$regex/d" /var/log/exim4/paniclog fi diff --git a/filesystem/etc/apt-cacher-ng/iank.conf b/filesystem/etc/apt-cacher-ng/iank.conf new file mode 100644 index 0000000..8c52557 --- /dev/null +++ b/filesystem/etc/apt-cacher-ng/iank.conf 
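Review bot: `$regex` is spliced into the awk program text in the loop's new input, `awk "/$regex/ "'{print $1,$2}'`, so a `/` or other pattern-significant character in it changes the program rather than the match, and the same string is later handed to `sed -ri "/$regex/d"`. Passing it as a variable is safer and reads the same: `awk -v re="$regex" '$0 ~ re {print $1,$2}'`. `regex` and `found` are assigned before this hunk, so I cannot see how they are built; if regex is only date text this is a style point rather than a bug. The new `grep 'Starting Clam AntiVirus userspace daemon' &>/dev/null` can be `grep -q …`.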
@@ -0,0 +1,31 @@ +# if this happens, probably some bad dns or something on faiserver, +# if you cant figure it out, uncomment this +# Debug: 6 +# then try again, but it logs so much, you dont +# want to leave it enabled. + +# p update +# Err:1 http://archive.ubuntu.com/ubuntu focal InRelease +# 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# Err:2 http://archive.ubuntu.com/ubuntu focal-security InRelease +# 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# Hit:3 http://http.us.debian.org/debian buster InRelease +# Hit:4 http://mirror.fsf.org/trisquel etiona InRelease +# Hit:5 http://http.us.debian.org/debian buster-updates InRelease +# Hit:6 http://mirror.fsf.org/trisquel etiona-updates InRelease +# Err:7 http://archive.ubuntu.com/ubuntu focal-updates InRelease +# 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# Hit:8 http://mirror.fsf.org/trisquel etiona-backports InRelease +# Err:9 http://archive.ubuntu.com/ubuntu focal-backports InRelease +# 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# Hit:10 http://security.debian.org buster/updates InRelease +# Hit:11 http://us.archive.ubuntu.com/ubuntu bionic InRelease +# Hit:12 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease +# Hit:13 http://us.archive.ubuntu.com/ubuntu bionic-security InRelease +# Hit:14 http://archive.trisquel.info/trisquel etiona-security InRelease +# Reading package lists... 
Done +# W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal/InRelease 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-security/InRelease 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-updates/InRelease 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# W: Failed to fetch http://archive.ubuntu.com/ubuntu/dists/focal-backports/InRelease 500 Connection failure: Address family not supported by protocol [IP: 10.2.0.3 3142] +# W: Some index files failed to download. They have been ignored, or old ones used instead. diff --git a/filesystem/etc/apt/detect-http-proxy b/filesystem/etc/apt/detect-http-proxy index 4bb8f3c..6f67003 100755 --- a/filesystem/etc/apt/detect-http-proxy +++ b/filesystem/etc/apt/detect-http-proxy @@ -6,7 +6,19 @@ # locally for 10 minutes. Also, using newer option based on man apt.conf. # # Once when I was testing, it seemed I needed to have it output -# DIRECT after toutputing the proxy url +# DIRECT after outputing the proxy url + +# note, the url we are trying to fetch is $1 + +# note, if there is a problem, some ways to debug: +# first, +# edit /etc/apt/apt.conf.d/02proxy +# add, remove the autodetec +# Acquire::http::proxy "http://CacheServerIp:3142"; +# see the /var/log/apt-cacher-ng logs +# read +# file:///usr/share/doc/apt-cacher-ng/html/index.html + proxy_host=faiserver proxy_port=3142 proxy_url=http://$proxy_host:$proxy_port/ diff --git a/filesystem/etc/systemd/resolved.conf.d/iank.conf b/filesystem/etc/systemd/resolved.conf.d/zziank.conf similarity index 88% rename from filesystem/etc/systemd/resolved.conf.d/iank.conf rename to filesystem/etc/systemd/resolved.conf.d/zziank.conf index 7f14efc..bce0966 100644 --- a/filesystem/etc/systemd/resolved.conf.d/iank.conf 
+++ b/filesystem/etc/systemd/resolved.conf.d/zziank.conf @@ -4,4 +4,4 @@ # in case. LLMNR=no MulticastDNS=no -DNSOverTLS=yes +Domains=fsf.org gnu.org diff --git a/filesystem/etc/systemd/system/openvpn-client-tr@.service b/filesystem/etc/systemd/system/openvpn-client-tr@.service index 7a7d130..e99c755 100644 --- a/filesystem/etc/systemd/system/openvpn-client-tr@.service +++ b/filesystem/etc/systemd/system/openvpn-client-tr@.service @@ -26,7 +26,7 @@ ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173. ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i PrivateNetwork=true -BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind +BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind [Install] WantedBy=multi-user.target diff --git a/filesystem/etc/systemd/system/transmission-daemon-nn.service b/filesystem/etc/systemd/system/transmission-daemon-nn.service index 4f16ec4..0d0cd40 100644 --- a/filesystem/etc/systemd/system/transmission-daemon-nn.service +++ b/filesystem/etc/systemd/system/transmission-daemon-nn.service @@ -13,7 +13,7 @@ ExecReload=/bin/kill -s HUP $MAINPID ExecStop=/bin/kill -s STOP $MAINPID PrivateNetwork=true Nice=19 -BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/nn-resolv:/etc/nsswitch:norbind +BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind [Install] WantedBy=multi-user.target diff --git a/filesystem/usr/local/bin/abrowser b/filesystem/usr/local/bin/abrowser index 36c64a6..2b727bb 100755 --- a/filesystem/usr/local/bin/abrowser +++ b/filesystem/usr/local/bin/abrowser 
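Review bot: `DNSOverTLS=yes` is removed from this drop-in with nothing replacing it, so resolved goes back to plaintext DNS on every link, and the commit message ("various fixes") does not say whether that is intended. If it is deliberate, a one-line comment in the file such as `# DNSOverTLS deliberately off: <reason>` stops the next reader from re-adding it; if it is only a workaround for one upstream, `DNSOverTLS=opportunistic` keeps encryption where it is available. Note also that `Domains=fsf.org gnu.org` without a `~` prefix makes those search suffixes as well as routing domains, so single-label names get them appended; `~fsf.org ~gnu.org` would route only. The rename to `zziank.conf` is presumably for drop-in ordering (later names override earlier ones), which the header comment could also state.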
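Review bot: The new bind `/etc/basic-nsswitch:/etc/resolved-nsswitch:norbind` only has the effect it appears to have if, on this host, `/etc/nsswitch.conf` resolves to `/etc/resolved-nsswitch`; nothing in the unit says so, and the identical line is repeated in transmission-daemon-nn.service. A comment above the line, e.g. `# assumes /etc/nsswitch.conf -> /etc/resolved-nsswitch; overlay /etc/basic-nsswitch inside the private netns`, would record the assumption, and since both units must stay in step a shared drop-in for the BindReadOnlyPaths line would avoid the two copies drifting.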
@@ -11,9 +11,14 @@ PATH=$tmp # -allow-downgrade good enough? #rm -f {/p/c/firefox-main-profile,/p/c/firefox-main-profile,/p/c/firefox-vpn2-profile,/mnt/z/firefox-vpn-profile}/compatibility.ini +# --allow-downgrade +# ^ useful option for when the browser refuses to run, but it always +# causes a new browser window to open, even if normally it would open a +# new tab + # abrowser is 2 releases behind, so prefer firefox for now if type -P firefox &>/dev/null; then - firefox -allow-downgrade "$@" + firefox "$@" else - abrowser -allow-downgrade "$@" + abrowser "$@" fi diff --git a/install-my-scripts b/install-my-scripts index 25e9c8e..2848142 100755 --- a/install-my-scripts +++ b/install-my-scripts @@ -34,6 +34,7 @@ x="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd ${x%/*} # directory of this file # trying to use them, within a few minute of the last time this # ran. Very strange, dunno why, but rsync won't do anything unless these # changed, so that should fix it. -rsync -t --chmod=755 --chown=root:root /a/bin/log-quiet/log-once switch-mail-host btrbk-run mount-latest-subvol \ +/a/bin/log-quiet/setup +rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-subvol \ check-subvol-stale system-status myi3status mailtest-check /usr/local/bin rsync -t --chmod=755 --chown=root:root /a/bin/errhandle/err /usr/local/lib diff --git a/machine_specific/btrbk/filesystem/etc/systemd/system/btrbk.service b/machine_specific/btrbk/filesystem/etc/systemd/system/btrbk.service index e89a85e..84707c4 100644 --- a/machine_specific/btrbk/filesystem/etc/systemd/system/btrbk.service +++ b/machine_specific/btrbk/filesystem/etc/systemd/system/btrbk.service 
@@ -4,7 +4,7 @@ After=multi-user.target [Service] Type=oneshot -ExecStart=/a/exe/install-my-scripts -ExecStart=/a/bin/log-quiet/sysd-mail-once btrbk /usr/local/bin/btrbk-run -q --cron -ExecStart=/bin/sleep 1 -ExecStart=/a/exe/install-my-scripts +ExecStartPre=/a/exe/install-my-scripts +ExecStart=/usr/local/bin/sysd-mail-once btrbk /usr/local/bin/btrbk-run -q --cron +ExecStartPost=/bin/sleep 1 +ExecStartPost=/a/exe/install-my-scripts diff --git a/machine_specific/kd/filesystem/etc/btrbk/rust.conf b/machine_specific/kd/filesystem/etc/btrbk/rust.conf index cf64295..c7ca32a 100644 --- a/machine_specific/kd/filesystem/etc/btrbk/rust.conf +++ b/machine_specific/kd/filesystem/etc/btrbk/rust.conf @@ -14,6 +14,7 @@ target_preserve 18h 14d 8w 12m target_preserve_min 2h rate_limit no -volume /mnt/r6 +volume /mnt/r7 subvolume d -target send-receive /mnt/rust/btrbk +target send-receive /mnt/rust1/btrbk +target send-receive /mnt/rust2/btrbk diff --git a/machine_specific/kd/filesystem/etc/cron.d/kd b/machine_specific/kd/filesystem/etc/cron.d/kd new file mode 100644 index 0000000..fa2224b --- /dev/null +++ b/machine_specific/kd/filesystem/etc/cron.d/kd @@ -0,0 +1,7 @@ +SHELL=/bin/bash +PATH=/usr/bin:/bin:/usr/local/bin:/a/exe:/a/bin/fai +MAILTO=root +0 7 * * 1,2,3,4,5 iank failmail wrt-setup -y +45 7 * * 1,2,3,4,5 iank failmail wrt-setup -z +0 7 * * 0,6 iank failmail wrt-setup -y +0 11 * * 0,6 iank failmail wrt-setup -z diff --git a/mail-setup b/mail-setup index 5b9ed95..735bb33 100755 --- a/mail-setup +++ b/mail-setup 
@@ -354,12 +354,13 @@ EOF fi # light version of exim does not have sasl auth support. -pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound +pi-nostart exim4 exim4-daemon-heavy spamassassin openvpn unbound clamav-daemon # note: pyzor debian readme says you need to run some initialization command # but its outdated. -pi spf-tools-perl p0f postgrey pyzor razor jq moreutils clamav-daemon - +pi spf-tools-perl p0f postgrey pyzor razor jq moreutils +# bad packages that sometimes get automatically installed +pu openresolv resolvconf soff openvpn @@ -367,9 +368,7 @@ soff openvpn if [[ $(debian-codename) == etiona ]]; then # ip6tables stopped loading on boot. openvpn has reduced capability set, # so running iptables as part of openvpn startup wont work. This should do it. - # Im sure there is a better way, but this works fine. running as a systemd - # unit, yes returns 1, broken pipe. - yes no | pi iptables-persistent || [[ $? == 141 || ${PIPESTATUS[1]} == 0 ]] + pi iptables-persistent cat >/etc/iptables/rules.v6 <<'EOF' *mangle COMMIT @@ -569,14 +568,14 @@ EOF # this is just a bug fix for trisquel. f=/etc/apparmor.d/usr.sbin.unbound -if [[ $f ]]; then - line="/usr/sbin/unbound flags=(attach_disconnected) {" - if ! grep -qFx "$line" $f; then - badline="/usr/sbin/unbound {" - if ! grep -qFx "$badline" $f; then - err expected line in $f not found - fi - sed -i "s,^$badline$,$line," $f +line="/usr/sbin/unbound flags=(attach_disconnected) {" +if ! grep -qFx "$line" $f; then + badline="/usr/sbin/unbound {" + if ! grep -qFx "$badline" $f; then + err expected line in $f not found + fi + sed -i "s,^$badline$,$line," $f + if systemctl is-active apparmor &>/dev/null; then m systemctl reload apparmor fi fi 
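Review bot: `pi iptables-persistent` replaces the `yes no |` answer to the package's debconf prompts, and the @@ -1447 hunk further down removes `export DEBIAN_FRONTEND=noninteractive` for bk, so unless the `pi` helper sets a noninteractive frontend itself this run can now block on the package's "save current rules?" question, and on a fresh host answering it would snapshot whatever rules are live instead of the rules.v6 written just below. `pi` is defined outside this diff, so I cannot see; if it already runs apt noninteractively, a comment such as `# pi runs apt noninteractively, so the autosave prompt is skipped` would make the dependency explicit.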
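Review bot: Dropping the `if [[ $f ]]` wrapper removes the only guard around `/etc/apparmor.d/usr.sbin.unbound`; the old test was always true (a non-empty string), and the likely intent was `-e`. With the guard gone, on a host where the profile is absent (the comment says this is a trisquel-only fix) the first `grep -qFx "$line" $f` fails, the second fails too, and `err expected line in $f not found` aborts the setup. Suggest `if [[ -e $f ]] && ! grep -qFx "$line" $f; then` so the fix stays a no-op where the file does not exist.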
@@ -791,6 +790,7 @@ QUEUERUNNER='combined' QUEUEINTERVAL='30m' COMMONOPTIONS='-C /etc/exim4/my.conf' UPEX4OPTS='-o /etc/exim4/my.conf' +#E4BCD_PANICLOG_NOISE='malware acl condition: clamd /var/run/clamav/clamd\.ctl : unable to connect to UNIX socket' EOF i /etc/exim4/trusted_configs <<'EOF' /etc/exim4/my.conf @@ -866,8 +866,6 @@ DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/ex # keep your dkim signature intact but add list- headers. DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to -av_scanner = clamd:/var/run/clamav/clamd.ctl - domainlist local_hostnames = ! je.b8.nz : ! bk.b8.nz : *.b8.nz : b8.nz hostlist iank_trusted = <; \\ @@ -929,12 +927,6 @@ warn add_header = X-Spam_report: $spam_report add_header = X-Spam_action: $spam_action - -deny - malware = */defer_ok - !condition = ${if match {$malware_name}{\N^Heuristic\N}} - message = This message was detected as possible malware ($malware_name). - warn condition = ${if def:malware_name} remove_header = Subject: @@ -1447,8 +1439,6 @@ fi if [[ $HOSTNAME == bk ]]; then - # avoid prompt - export DEBIAN_FRONTEND=noninteractive # zip according to /installer # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php # $config['enable_installer'] = true; @@ -1855,6 +1845,7 @@ OnCalendar=Daily [Install] WantedBy=timers.target EOF + systemctl enable --now $ncbase.timer i /usr/local/bin/ncup <<'EOFOUTER' #!/bin/bash if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi 
@@ -1985,7 +1976,18 @@ EOF # ** $MAIL_HOST|bk) $MAIL_HOST|bk) + + cat >> /etc/exim4/conf.d/data_local_acl <<'EOF' +deny + malware = */defer_ok + !condition = ${if match {$malware_name}{\N^Heuristic\N}} + message = This message was detected as possible malware ($malware_name). +EOF + cat >/etc/exim4/conf.d/main/000_local-nn </dev/null; then sstart clamav-daemon - # checking a log, clamav took 27 seconds to start. - # we get paniclog entries if its not available - m sleep 30 + # note, this will cause paniclog entries because it takes like 45 + # seconds for clamav to start, i use ./epanic-clean to remove + # them. fi ;;& $MAIL_HOST|bk|je) diff --git a/pkgs b/pkgs index e7b29f9..1eba787 100644 --- a/pkgs +++ b/pkgs @@ -125,10 +125,13 @@ p3=( gnome-screenshot grepmail guvcview + # for my / office hp printers + hplip hunspell i3lock info inotify-tools + ipcalc iputils-tracepath iperf3 iproute2-doc @@ -161,6 +164,7 @@ p3=( ncdu nginx-doc nmap + obs-studio offlineimap oathtool opendkim-tools diff --git a/subdir_files/sieve/lists.sieve b/subdir_files/sieve/lists.sieve index 940f61d..1fda5cd 100644 --- a/subdir_files/sieve/lists.sieve +++ b/subdir_files/sieve/lists.sieve 
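Review bot: `cat >> /etc/exim4/conf.d/data_local_acl <<'EOF'` appends, so every rerun of mail-setup adds another copy of the `deny malware` block to the ACL unless the file is truncated earlier in the script, which is not visible here; the neighbouring config is written with `cat >` and the `i` helper, so this should be `cat >/etc/exim4/conf.d/data_local_acl` or go through `i` as well. Separately, the block uses `malware = */defer_ok` and the later hunk removes the 30-second wait for clamd, so during clamd's start-up (the new comment says about 45 seconds) mail is accepted unscanned rather than deferred — worth stating next to `sstart clamav-daemon`, e.g. `# until clamd is up, */defer_ok means messages are accepted without a scan`, so the paniclog noise is not read as the only cost.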
@@ -1,154 +1,161 @@ require [ "regex", "variables", "fileinto", "envelope", "mailbox", "imap4flags", "include" ]; if anyof ( - address :regex "to" "^testignore@" - ) { - fileinto :create "l/testignore"; - stop; - } + address :regex "to" "^testignore@" + ) { + fileinto :create "l/testignore"; + stop; +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "" - ) { - fileinto :create "sec"; - stop; - } + header :contains "list-id" "", + header :contains "list-id" "" + ) { + fileinto :create "sec"; + stop; +} if anyof ( - header :regex "list-id" "forum.members.fsf.org>" - ) { - fileinto :create "fsfmembers"; - stop; - } + header :regex "list-id" "forum.members.fsf.org>" + ) { + fileinto :create "fsfmembers"; + stop; +} if anyof ( - header :contains "list-id" "" - ) { - fileinto :create "l/outreachy-mentors"; - stop; - } + header :contains "list-id" "" + ) { + fileinto :create "l/outreachy-mentors"; + stop; +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains 
"list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "<", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "") { - if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { - set :lower "listname" "${1}"; - fileinto :create "l/${listname}"; - stop; - } - } + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" 
"", + header :contains "list-id" "<", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "") { + if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { + set :lower "listname" "${1}"; + fileinto :create "l/${listname}"; + stop; + } +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "") { - if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { - set :lower "listname" "${1}"; - fileinto :create "l/fedora.${listname}"; - stop; - } - } + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "") { + if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { + set :lower "listname" "${1}"; + fileinto :create "l/fedora.${listname}"; + stop; + } +} if anyof ( - header :contains "list-id" "" - ) { - fileinto :create "l/license-discuss"; - stop; - } + header :contains "list-id" "" + ) { + fileinto :create "l/license-discuss"; + stop; +} if anyof ( - header :contains "list-id" "<~sircmpwn/sr.ht-discuss.lists.sr.ht>" - ) { - fileinto :create "l/sr.ht-discuss"; - stop; - } + header :contains "list-id" "<~sircmpwn/sr.ht-discuss.lists.sr.ht>" + ) { + fileinto :create "l/sr.ht-discuss"; + stop; +} if anyof ( - header :contains "list-id" "" - ) { - fileinto :create "l/liberationtech"; - stop; - } + header :contains "list-id" "" + ) { + fileinto :create "l/liberationtech"; + stop; +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header 
:contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "from" "", - header :contains "list-id" "", - header :contains "list-id" "" - ) { - fileinto :create "community"; - stop; - } + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "" + ) { + fileinto :create "community"; + stop; +} + +if anyof ( + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "" + ) { + fileinto :create "2community"; + stop; +} if allof ( - address :is "from" "mailman-owner@zope.org", - header :is "subject" "zope.org mailing list memberships reminder" - ) { - discard; - stop; - } + address :is "from" "mailman-owner@zope.org", + header :is "subject" "zope.org mailing list memberships reminder" + ) { + discard; + stop; +} diff --git a/subdir_files/sieve/liststest.sieve b/subdir_files/sieve/liststest.sieve index 940f61d..1fda5cd 100644 --- a/subdir_files/sieve/liststest.sieve +++ b/subdir_files/sieve/liststest.sieve 
@@ -1,154 +1,161 @@ require [ "regex", "variables", "fileinto", "envelope", "mailbox", "imap4flags", "include" ]; if anyof ( - address :regex "to" "^testignore@" - ) { - fileinto :create "l/testignore"; - stop; - } + address :regex "to" "^testignore@" + ) { + fileinto :create "l/testignore"; + stop; +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "" - ) { - fileinto :create "sec"; - stop; - } + header :contains "list-id" "", + header :contains "list-id" "" + ) { + fileinto :create "sec"; + stop; +} if anyof ( - header :regex "list-id" "forum.members.fsf.org>" - ) { - fileinto :create "fsfmembers"; - stop; - } + header :regex "list-id" "forum.members.fsf.org>" + ) { + fileinto :create "fsfmembers"; + stop; +} if anyof ( - header :contains "list-id" "" - ) { - fileinto :create "l/outreachy-mentors"; - stop; - } + header :contains "list-id" "" + ) { + fileinto :create "l/outreachy-mentors"; + stop; +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains 
"list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "<", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "") { - if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { - set :lower "listname" "${1}"; - fileinto :create "l/${listname}"; - stop; - } - } + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" 
"", + header :contains "list-id" "<", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "") { + if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { + set :lower "listname" "${1}"; + fileinto :create "l/${listname}"; + stop; + } +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "") { - if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { - set :lower "listname" "${1}"; - fileinto :create "l/fedora.${listname}"; - stop; - } - } + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "") { + if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { + set :lower "listname" "${1}"; + fileinto :create "l/fedora.${listname}"; + stop; + } +} if anyof ( - header :contains "list-id" "" - ) { - fileinto :create "l/license-discuss"; - stop; - } + header :contains "list-id" "" + ) { + fileinto :create "l/license-discuss"; + stop; +} if anyof ( - header :contains "list-id" "<~sircmpwn/sr.ht-discuss.lists.sr.ht>" - ) { - fileinto :create "l/sr.ht-discuss"; - stop; - } + header :contains "list-id" "<~sircmpwn/sr.ht-discuss.lists.sr.ht>" + ) { + fileinto :create "l/sr.ht-discuss"; + stop; +} if anyof ( - header :contains "list-id" "" - ) { - fileinto :create "l/liberationtech"; - stop; - } + header :contains "list-id" "" + ) { + fileinto :create "l/liberationtech"; + stop; +} if anyof ( - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header 
:contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "list-id" "", - header :contains "from" "", - header :contains "list-id" "", - header :contains "list-id" "" - ) { - fileinto :create "community"; - stop; - } + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "" + ) { + fileinto :create "community"; + stop; +} + +if anyof ( + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "", + header :contains "list-id" "" + ) { + fileinto :create "2community"; + stop; +} if allof ( - address :is "from" "mailman-owner@zope.org", - header :is "subject" "zope.org mailing list memberships reminder" - ) { - discard; - stop; - } + address :is "from" "mailman-owner@zope.org", + header :is "subject" "zope.org mailing list memberships reminder" + ) { + discard; + stop; +} diff --git a/switch-mail-host b/switch-mail-host index a5e55c9..47f5fbe 100644 --- a/switch-mail-host +++ b/switch-mail-host @@ -88,7 +88,11 @@ case $1 in bbk_args="-s $old_host" old_shell="ssh $old_host" # tests ssh connection - old_hostname=$($old_shell hostname) + if ! old_hostname=$($old_shell hostname); then + echo "retrying failed $old_shell with -v" + $old_shell -v hostname + exit 1 + fi ;; *) err invalid first argument 
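Review bot: The diagnostic in the new `if ! old_hostname=$($old_shell hostname); then` block is printed with a bare `echo`, so it goes to stdout mixed with the script's normal output rather than to stderr, where the `ssh -v` trace it introduces also goes; `echo "retrying failed $old_shell with -v" >&2` keeps the diagnostics together. Because the block exits 1 regardless of whether the verbose rerun succeeds, the existing `# tests ssh connection` comment above it could say so, e.g. `# tests ssh connection; on failure rerun verbosely for diagnostics, then abort`. The enclosing case arm continues outside the hunk.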
@@ -172,7 +176,11 @@ if ! m btrbk-run -v $bbk_args $incremental_arg $mp_args; then exit $ret fi -m $old_shell /a/exe/primary-setup $new_hostname +if ! m $old_shell /a/exe/primary-setup $new_hostname; then + ret=$? + err "failed \$old_shell primary-setup \$new_hostname. fix and rerun switch-mail-host" + exit $ret +fi e Running main btrbk m btrbk-run -v $bbk_args $incremental_arg -m /o || ret=$? @@ -183,6 +191,18 @@ if (( ret )); then exit $ret fi -m $new_shell /a/exe/primary-setup localhost +# once I accidentally accepted incoming mail on old host. I used this script to copy over that mail: +# +# die=false; for d in o.leaf.2021-05-29T10:02:08-0400/m/{4e,md,4e2}/{,l/}!(*myarchive)/new; do if $die; then break; fi; find $d -type f -mtime -5 | while read -r f; do dir="${f%new/*}"; dir="btrbk/o.20210530T000011-0400/${dir#*/}"; fname="${f##*/}"; [[ -e $dir/new/$fname || -e $dir/cur/$fname ]] && continue; if ! e cp -a $f /${dir#*/*/}new; then echo failed cp; die=true; break; fi ; done; done + +# once I accidentally sent mail from non-main mail host. to copy into the main mail host's sent dir, cd into dir of non-mail mail host Sent/cur, then +# +# shopt -s nullglob; find . -type f -mtime -2 | while read -r f; do a=( /m/4e/Sent/cur/${f%,*}* ); if (( ${#a[@]} )); then e exists $a; else m cp -a $f /m/4e/Sent/cur; fi; done + +if ! m $new_shell /a/exe/primary-setup localhost; then + ret=$? + err "failed final primary-setup, just fix and rerun: $new_shell /a/exe/primary-setup localhost" + exit $ret +fi m exit 0 diff --git a/system-status b/system-status index 1167bfd..30c3802 100644 --- a/system-status +++ b/system-status 
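Review bot: `ret=$?` inside `if ! m $old_shell /a/exe/primary-setup $new_hostname; then` captures the status of the negated pipeline, which is 0 whenever `m` failed, so `exit $ret` exits 0 and a caller sees the aborted switch as a success; the same pattern is in the next hunk (`@@ -183,6 +191,18 @@`) around the final primary-setup. The surrounding lines already use the idiom that works, `m btrbk-run ... || ret=$?` followed by `if (( ret )); then`; apply it here as `ret=0; m $old_shell /a/exe/primary-setup $new_hostname || ret=$?` and `if (( ret )); then`, and likewise for the `$new_shell` call. Separately, `err "failed \$old_shell primary-setup \$new_hostname. fix and rerun switch-mail-host"` escapes the dollar signs, so the message prints the variable names rather than the host values, unlike the expanded `$new_shell` in the next hunk's message; presumably unintended.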
@@ -172,21 +172,7 @@ write-status() { done fi - - ## Clean the paniclog, but only up to 4 times per day, or else we - ## should investigate. - loglog=/tmp/panicloglog-$(date --rfc-3339=date) - if [[ -s $loglog ]]; then - spamcount=$(stat -c%s $loglog) - else - spamcount=0 - fi - if (( spamcount <= 4 )); then - if grep -q 'spam acl condition' /var/log/exim4/paniclog &>/dev/null; then - printf . >>$loglog - fi - /a/bin/distro-setup/epanic-clean - fi + /a/bin/distro-setup/epanic-clean if [[ -s /var/log/exim4/paniclog ]]; then chars+=("PANIC!") diff --git a/trusted-network b/trusted-network index 263224f..3f51541 100755 --- a/trusted-network +++ b/trusted-network @@ -9,17 +9,20 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR # to a trusted one. if [[ -e /etc/NetworkManager/conf.d/dns.conf ]]; then - rm -f /etc/NetworkManager/conf.d/dns.conf + rm -fv /etc/NetworkManager/conf.d/dns.conf if [[ $(systemctl is-active NetworkManager) == active ]]; then - systemctl restart NetworkManager + m systemctl restart NetworkManager fi fi +rm -f /etc/systemd/resolved.conf.d/untrusted-network.conf + dhclient_restart=false # man dhclient.conf if ! grep -qP '\bdomain-name-servers\b' /etc/dhcp/dhclient.conf; then sed -i 's/^ *request/request domain-name-servers,/' /etc/dhcp/dhclient.conf dhclient_restart=true + e $0: dhclient_restart=true fi @@ -33,13 +36,15 @@ if [[ $gateway_if ]]; then # rm -f /run/systemd/resolved.conf.d/*$gateway_if* - if $dhclient_restart && grep -Pq '^ *auto ($gateway_if|.* $gateway_if( |$))' /etc/network/interfaces; then + if $dhclient_restart && grep -Pq "^ *auto ($gateway_if|.* $gateway_if( |$))" /etc/network/interfaces; then m ifdown $gateway_if m ifup $gateway_if fi # at least on systemd 237 ifupdown it sets a global and this is not needed systemd-resolve --interface=$gateway_if --revert +else + e $0: no gateway_if found fi reresolv diff --git a/untrusted-network b/untrusted-network index 008e21a..9167c9f 100755 --- a/untrusted-network 
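Review bot: The removed block capped paniclog cleaning at four runs per day so that a recurring `spam acl condition` panic would stay visible in the `PANIC!` status instead of being cleared on every write-status run; the new unconditional `/a/bin/distro-setup/epanic-clean` call drops that cap here. The diffstat shows epanic-clean is also modified in this commit, so the throttle may have moved there; if so, a one-line comment such as `# epanic-clean rate-limits itself; repeated panics still surface as PANIC! below` saves the next reader the lookup, and if not, the cap is lost and persistent panics will be silently cleaned. The enclosing write-status function continues outside the hunk.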
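Review bot: The added `rm -f /etc/systemd/resolved.conf.d/untrusted-network.conf` deletes the drop-in, but nothing in this hunk reloads systemd-resolved, and the running daemon keeps the resolver settings it read from that file until it is restarted; unless `reresolv` at the end of the script (defined elsewhere) performs the restart, the untrusted-network DNS servers remain in use after moving to a trusted network. Consider `m systemctl restart systemd-resolved` directly after the `rm`, or a comment on that line stating that `reresolv` takes care of it. For consistency with the `rm -fv` a few lines above, `rm -fv` here would also log which file was removed.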
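Review bot: Switching the `grep -Pq` pattern to double quotes makes `$gateway_if` part of a PCRE, so an interface name containing regex metacharacters would no longer be matched literally; kernel interface names are normally plain, but where `gateway_if` is derived is outside the hunk. A short comment on the line, e.g. `# gateway_if is interpolated into the regex; assumed to hold no PCRE metacharacters`, records that assumption for the next reader. The enclosing `if [[ $gateway_if ]]` block starts outside the hunk.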
+++ b/untrusted-network @@ -10,19 +10,20 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR read -r _ ver _ < <(systemd-resolve --version) - -servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001) +# removes malware and adult content servers=(1.1.1.3 1.0.0.3 2606:4700:4700::1113 2606:4700:4700::1003) -# first version that supports this syntax -if (( ver >= 239 )); then - servers=(${servers[@]/%/#cloudflare-dns.com}) -fi + +servers=(1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001s) + +## trying out google +#servers=(8.8.8.8 8.8.4.4 2001:4860:4860::8888 2001:4860:4860::8844) + # https://wiki.archlinux.org/index.php/Systemd-resolved#Manually cat >/etc/systemd/resolved.conf.d/untrusted-network.conf <