From 4db23113403f802bc06632e065416a502d74ac00 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sat, 29 Mar 2025 11:06:58 -0400 Subject: [PATCH] mostly fixes --- .gitignore | 1 + brc | 9 ++- distro-end | 74 ++++++++++--------- iank-shorewall-fix | 20 +++++ .../openvpn/client-config-hole/librestation01 | 1 + .../systemd/system/openvpn-client-tr@.service | 36 +++++++++ shellcheck-this-repo | 4 +- 7 files changed, 106 insertions(+), 39 deletions(-) create mode 100755 iank-shorewall-fix create mode 100644 machine_specific/li/filesystem/etc/openvpn/client-config-hole/librestation01 create mode 100644 machine_specific/librestation01/filesystem/etc/systemd/system/openvpn-client-tr@.service diff --git a/.gitignore b/.gitignore index 96e18f7..f703ec9 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,4 @@ /.mblaze/cur # bash script for testing things /ms +/ms2 diff --git a/brc b/brc index 2f9ec57..59175d6 100644 --- a/brc +++ b/brc @@ -65,8 +65,6 @@ fi # * settings -uint_regex='^[0-9]+$' - CDPATH=. # remove all aliases. aliases provided by the system tend to get in the way, @@ -335,7 +333,8 @@ mysrc() { dir=${path%/*} file=${path##*/} if [[ -s $path ]]; then - # shellcheck disable=SC1090 # this is dynamic, shellcheck can't follow it. + # We source several files but only need one for shellcheck. + # shellcheck source=/a/c/fsf-script-lib source $path elif [[ -s $bashrc_dir/$file ]]; then # shellcheck disable=SC1090 # this is dynamic, shellcheck can't follow it. @@ -874,6 +873,10 @@ screenrtp() { laptop_x=$(xrandr | awk '$1 == "LVDS-1" {print $4}' | sed 's/x.*//') || { sleep 1; continue; } total_x=$(xdpyinfo| awk '$1 == "dimensions:" {print $2}' | sed 's/x.*//') || { sleep 1; continue; } screen2_res=$(xrandr | awk '$2 == "connected" && $1 != "LVDS-1" { print $3 }' | sed 's/+.*//') + if [[ ! $laptop_x =~ $uint_regex || ! $total_x =~ $uint_regex ]]; then + sleep 1 + continue + fi if (( laptop_x < total_x )); then xoffset=$laptop_x fi 
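Review bot: The new guard in screenrtp, `[[ ! $laptop_x =~ $uint_regex || ! $total_x =~ $uint_regex ]]`, depends on `uint_regex`, whose definition `uint_regex='^[0-9]+$'` this same patch removes from the settings section of brc. Unless a sourced file now sets the variable (not visible in this diff), it expands to an empty regex, which matches every string. The check would then never fire, and non-numeric xrandr/xdpyinfo output would still reach the arithmetic test `(( laptop_x < total_x ))`. Either keep the definition in brc or make the guard self-contained, e.g. `local uint_regex='^[0-9]+$'` near the top of screenrtp. The function's body starts and ends outside the hunk.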
diff --git a/distro-end b/distro-end
index 77ff21f..10c0de0 100755
--- a/distro-end
+++ b/distro-end
@@ -1673,40 +1673,46 @@ rm -rf /home/iank/.mpv ## in ubuntu, you can install python3-venv -if [[ ! -e ~/.local/bin/pip ]]; then - tmp=$(mktemp) - wget -O$tmp https://bootstrap.pypa.io/get-pip.py - ### begin msg from below without --break-system-package - # error: externally-managed-environment - - # × This environment is externally managed - # ╰─> To install Python packages system-wide, try apt install - # python3-xyz, where xyz is the package you are trying to - # install. - - # If you wish to install a non-Debian-packaged Python package, - # create a virtual environment using python3 -m venv path/to/venv. - # Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make - # sure you have python3-full installed. - - # If you wish to install a non-Debian packaged Python application, - # it may be easiest to use pipx install xyz, which will manage a - # virtual environment for you. Make sure you have pipx installed. - - # See /usr/share/doc/python3.12/README.venv for more information. - - # note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages. - # hint: See PEP 668 for the detailed specification. - ### end msg - # - ### That stuff doesn't work in trisquel. - python3 $tmp --user --break-system-packages - hash -r - python3 -m pip install --user pipx --break-system-packages - # todo: periodically run this: - # Upgrade pipx with python3 -m pip install --user --upgrade pipx -fi +# if [[ ! -e ~/.local/bin/pip ]]; then +# tmp=$(mktemp) +# wget -O$tmp https://bootstrap.pypa.io/get-pip.py +# ### begin msg from below without +# # error: externally-managed-environment + +# # × This environment is externally managed +# # ╰─> To install Python packages system-wide, try apt install +# # python3-xyz, where xyz is the package you are trying to +# # install. 
+ +# # If you wish to install a non-Debian-packaged Python package, +# # create a virtual environment using python3 -m venv path/to/venv. +# # Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make +# # sure you have python3-full installed. + +# # If you wish to install a non-Debian packaged Python application, +# # it may be easiest to use pipx install xyz, which will manage a +# # virtual environment for you. Make sure you have pipx installed. + +# # See /usr/share/doc/python3.12/README.venv for more information. + +# # note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages. +# # hint: See PEP 668 for the detailed specification. +# ### end msg +# # +# # The instructions from the message of course dont work in trisquel. I +# # tried using --break-system-packages, but then trying to use pipx +# # failed with something like: no module ensurepath, and again +# # complained that I should install system packages, but this time +# # there was no alternative. So, fuck it, just getting the system +# # package from ubuntu for now. +# python3 $tmp --user +# hash -r +# python3 -m pip install --user pipx --break-system-packages +# # todo: periodically run this: +# # Upgrade pipx with python3 -m pip install --user --upgrade pipx +# fi +pi pipx # run appimages without manually extracting. # https://github.com/AppImage/AppImageKit/wiki/FUSE @@ -1768,7 +1774,7 @@ esac # I ran this initially to make sure things were working, but don't need it again. -pipx ensurepath -v +#pipx ensurepath -v # # in brackets are nondefault plugins pipx install 'beets[lyrics,discogs,mbsync]' diff --git a/iank-shorewall-fix b/iank-shorewall-fix new file mode 100755 index 0000000..6dc7b95 --- /dev/null +++ b/iank-shorewall-fix 
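Review bot: The first distro-end hunk keeps the whole pip bootstrap as roughly forty lines of commented-out code, including the pasted PEP 668 error text, next to the single live line `pi pipx`. Git history already preserves the old approach, so a short comment would read better, e.g. `# pipx comes from the distro package: get-pip.py plus --break-system-packages left pipx unusable on trisquel`. The parked block also still holds `wget -O$tmp https://bootstrap.pypa.io/get-pip.py` followed by `python3 $tmp --user`, which runs a downloaded script with no integrity check and an unquoted `$tmp`; leaving it in place makes that easy to revive by uncommenting. `pi` is defined outside this diff, so I am assuming it installs the distribution package as the new comment describes.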
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -xe
+
+home_ip=108.26.192.250
+a=$(md5sum /etc/shorewall/rules)
+l="ACCEPT net:$home_ip fw tcp ssh # iank"
+sed -ri "s/^.*[[:space:]]ssh[[:space:]]*# *iank *$/$l/" /etc/shorewall/rules
+if ! grep -qF $home_ip /etc/shorewall/rules; then
+ echo "
+
+############## ############# ERROR SED FAILED!!!################
+
+"
+fi
+b=$(md5sum /etc/shorewall/rules)
+if [[ $a != "$b" ]]; then
+ echo "diff:$a $b"
+ shorewall restart
+fi
diff --git a/machine_specific/li/filesystem/etc/openvpn/client-config-hole/librestation01 b/machine_specific/li/filesystem/etc/openvpn/client-config-hole/librestation01
new file mode 100644
index 0000000..da55e90
--- /dev/null
+++ b/machine_specific/li/filesystem/etc/openvpn/client-config-hole/librestation01
@@ -0,0 +1 @@
+ifconfig-push 10.5.5.97 255.255.255.0
diff --git a/machine_specific/librestation01/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/librestation01/filesystem/etc/systemd/system/openvpn-client-tr@.service
new file mode 100644
index 0000000..74f629c
--- /dev/null
+++ b/machine_specific/librestation01/filesystem/etc/systemd/system/openvpn-client-tr@.service
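Review bot: In iank-shorewall-fix, a failed sed substitution only prints a banner to stdout and the script still exits 0, so whatever invokes it cannot tell that `/etc/shorewall/rules` was not updated. The verification `grep -qF $home_ip` is also looser than intended: it is unquoted and matches the address as a substring anywhere in the file, so an unrelated rule that mentions it would pass; comparing against the whole expected line `$l` is exact. Finally, `shorewall restart` runs on the in-place edited rules file without validation. Running `shorewall check` first, with `set -e` already active, stops the script before the firewall is restarted on a configuration that does not compile. Suggested replacement for the two `if` blocks:

```shell
# … unchanged: shebang, set -xe, home_ip, a=$(md5sum …), l=…, sed -ri … …
if ! grep -qxF -- "$l" /etc/shorewall/rules; then
  echo "ERROR: sed did not install the ssh rule for $home_ip" >&2
  exit 1
fi
# … unchanged: b=$(md5sum …) and the [[ $a != "$b" ]] test with its echo …
  shorewall check
  shorewall restart
```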
@@ -0,0 +1,36 @@
+[Unit]
+Description=OpenVPN tunnel for %I
+After=syslog.target network-online.target
+Wants=network-online.target
+Documentation=man:openvpn(8)
+Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
+Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
+Requires=iptables.service
+
+[Service]
+Type=notify
+RuntimeDirectory=openvpn-client
+RuntimeDirectoryMode=0710
+WorkingDirectory=/etc/openvpn/client
+ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
+# todo, try reenabling this from the default openvpn,
+# it was disabled so we could do bind mounts as a command,
+# but now systemd handles it
+#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
+LimitNPROC=10
+# DeviceAllow=/dev/null rw
+# DeviceAllow=/dev/net/tun rw
+
+# we use .1 to make this be on a different network than kd, so that we can
+# talk to transmission on kd from remote host, and still use this
+# vpn.
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.97 start %i
+ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
+# allow wireguard network to connect
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.97.1 dev veth1-client
+ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+PrivateNetwork=true
+BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+
+[Install]
+WantedBy=multi-user.target
diff --git a/shellcheck-this-repo b/shellcheck-this-repo
index 80ec3f7..089e4f5 100755
--- a/shellcheck-this-repo
+++ b/shellcheck-this-repo
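Review bot: The first `ExecStartPre=` and the `ExecStopPost=` line both serialise on `/tmp/newns.flock`, a fixed name in a world-writable directory, while the unit sets no `User=` and leaves `CapabilityBoundingSet=` commented out. A lock file that any local account can create and hold first means `flock -w 20` can time out and the tunnel fails to start or clean up. A root-only location avoids that, e.g. `ExecStartPre=/usr/bin/flock -w 20 /run/newns.flock /a/bin/newns/newns -n 10.174.97 start %i` with the same path in `ExecStopPost=`. Other callers of newns presumably share this lock and would need the same path; they are not visible in this diff. The todo about re-enabling `CapabilityBoundingSet=` is worth resolving in the same change, since the unit currently keeps the full capability set.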
@@ -23,7 +23,7 @@ declare -a ls_files standard_files # used in other files that source them. Using -a like this is the only # way to solve it. We can't just -a on everything because then we would # get various files I didn't write and that don't pass shellcheck. -sk -a ${a_files[@]} +sk ${a_files[@]} tmp=$(git ls-files && git ls-files --others --exclude-standard) @@ -37,7 +37,7 @@ for f in "${ls_files[@]}"; do fi done if $skip; then continue; fi - if sk-p "$f"; then + if sk-p "$f" && [[ $f != *.conf ]]; then standard_files+=("$f") fi done -- 2.30.2
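Review bot: The comment block directly above `sk ${a_files[@]}` still says "Using -a like this is the only way to solve it", but the new line drops `-a`, so the explanation describes behaviour the script no longer has. It should be updated to say why `-a` was removed, or deleted. The expansion is also unquoted, so any entry in `a_files` containing whitespace or glob characters is split or expanded before `sk` sees it (ShellCheck SC2068); `sk "${a_files[@]}"` passes each entry intact. `sk` and `a_files` are defined outside the hunk.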