From 4dfbcacf66336ded41274669c1c1e09c8479e334 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Tue, 20 Oct 2020 15:54:50 -0400 Subject: [PATCH] lots of improvements and fixes --- bk-backup | 14 + brc | 30 +- brc2 | 31 +- btrbk-run | 3 +- check-stale-alerts | 3 +- distro-begin | 24 +- distro-end | 121 ++--- dynamic-ip-update | 3 +- filesystem/etc/apt/preferences.d/minetest | 3 - filesystem/etc/cron.d/ian | 1 + .../systemd/system/openvpn-client-tr@.service | 6 +- i3-sway/common.conf | 2 + mail-setup | 425 ++++++++++++------ pkgs | 2 +- radicale-setup | 23 +- subdir_files/.config/i3/config | 3 + subdir_files/.config/sway/config | 3 + 17 files changed, 444 insertions(+), 253 deletions(-) create mode 100755 bk-backup delete mode 100644 filesystem/etc/apt/preferences.d/minetest diff --git a/bk-backup b/bk-backup new file mode 100755 index 0000000..0069b37 --- /dev/null +++ b/bk-backup @@ -0,0 +1,14 @@ +#!/bin/bash + +if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi +shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?. PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR + +source /a/bin/bash_unpublished/source-state +if [[ $HOSTNAME == $MAIL_HOST ]]; then + mkdir -p /p/bkbackup + ssh root@bk sudo -u www-data php /var/www/nextcloud/occ -q maintenance:mode --on + rsync -ra root@bk.b8.nz:/var/www/nextcloud/{config,data,themes} root@bk.b8.nz:/m/rc /p/bkbackup + ssh root@bk sudo -u www-data php /var/www/nextcloud/occ -q maintenance:mode --off +fi diff --git a/brc b/brc index 96b6812..7bf75e7 100644 --- a/brc +++ b/brc 
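Review bot: If the rsync fails or the script is interrupted after `maintenance:mode --on`, `set -e` exits before the `--off` line ever runs and Nextcloud on bk stays in maintenance mode until someone notices; register the re-enable as a trap right after turning it on, e.g. `trap 'ssh root@bk sudo -u www-data php /var/www/nextcloud/occ -q maintenance:mode --off' EXIT`. The backup also copies `config/` (Nextcloud's instance secret and credentials live there) into `/p/bkbackup`, so `mkdir -p` should be followed by something like `chmod 700 /p/bkbackup` unless the mount already restricts it — can't tell from here. Minor: `-a` already implies `-r`, and the `ssh` target `root@bk` differs from the rsync target `root@bk.b8.nz`; presumably an ssh alias, but the two are worth making consistent so a host-key or alias change can't silently split them.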
@@ -1762,42 +1762,46 @@ if [[ $- == *i* ]]; then fi PS1="${PS1%"${PS1#*[wW]}"} \[$ps_color\]$ps_char\[$term_nocolor\] " - # set titlebar - #echo -ne "$title_escape ${PWD/#$HOME/~} \007" + # set titlebar. instead, using more advanced + # titelbar below + #echo -ne "$_title_escape $HOSTNAME ${PWD/#$HOME/~} \007" } PROMPT_COMMAND=prompt-command if [[ $TERM == screen* ]]; then _title_escape="\033]..2;" else + # somme sites recommend this, i dunno what the diff is. + #_title_escape="\033]30;" _title_escape="\033]0;" fi settitle () { # this makes it so we show the current command if # one is running, otherwise, show nothing + if [[ $1 == prompt-command ]]; then - set -- + return 0 fi - if [[ ${#BASH_ARGC[@]} == 1 ]]; then + if (( ${#BASH_ARGC[@]} == 1 )); then echo -ne "$_title_escape ${PWD/#$HOME/~} " printf "%s" "$*" echo -ne "\007" fi } - # this is busted. for example, this wont work: + # note, this wont work: # x=$(mktemp); cp a $x # I havnt figured out why, bigger fish to fry. # - # # for titlebar. - # # condition from the screen man page i think. - # # note: duplicated in tx() - # if [[ $TERM == *(screen*|xterm*|rxvt*) ]]; then - # trap 'settitle "$BASH_COMMAND"' DEBUG - # else - # trap DEBUG - # fi + # for titlebar. + # condition from the screen man page i think. + # note: duplicated in tx() + if [[ $TERM == *(screen*|xterm*|rxvt*) ]]; then + trap 'settitle "$BASH_COMMAND"' DEBUG + else + trap DEBUG + fi fi diff --git a/brc2 b/brc2 index 3a6164e..2e44a11 100644 --- a/brc2 +++ b/brc2 @@ -527,7 +527,6 @@ fdroid_pkgs=( com.artifex.mupdf.viewer.app com.danielkim.soundrecorder com.fsck.k9 - com.ghostsq.commander com.ichi2.anki com.jmstudios.redmoon com.jmstudios.chibe @@ -727,7 +726,7 @@ hstatus() { wlog() { local day now i now=$(date +%s) - for (( i=0; i<30; i++ )); do + for (( i=0; i<60; i++ )); do day=$( date +%F -d @$((now - 86400*i )) ) date "+%a %b %d" -d @$((now - 86400*i )) | tr '\n' ' ' /a/opt/timetrap/bin/t d -ftotal -s $day -e $day all -m '^w|lunch$' 
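Review bot: Re-enabling `trap 'settitle "$BASH_COMMAND"' DEBUG` writes every command line verbatim into the terminal title, so any secret passed as an argument (`-p…` passwords, tokens in URLs) is exposed to the window manager, title-logging tools and anything that can read window titles, and control characters in a command are emitted raw inside the title escape sequence. At minimum strip non-printables before printing, `printf "%s" "${*//[![:print:]]/}"`, and consider truncating to a short prefix so only the command name, not its arguments, lands in the title. Also, bash only populates `BASH_ARGC` in extended-debugging mode, so if `shopt -s extdebug` isn't set elsewhere in brc the `(( ${#BASH_ARGC[@]} == 1 ))` check never fires — confirm, since that might also be why the `x=$(mktemp); cp a $x` case in the comment misbehaves. The `if [[ $- == *i* ]]` block enclosing `settitle` starts before this hunk.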
@@ -749,7 +748,7 @@ tlo() { t s w } -arbttlog() { arbtt-dump "$@" | grep -v '( )\|Current Desktop' | less; } +arbttlog() { arbtt-dump "$@" | grep -v '( )\|Current Desktop' | sed -rn '/^[^ ]/{N;s/^(.{21})([0-9]*)[0-9]{3}m.*\(\*/\1\2/;s/^(.{21})[0-9]*.*\(\*/\1/;s/\n//;p}' ; } idea() { /a/opt/idea-IC-163.7743.44/bin/idea.sh "$@" &r @@ -878,10 +877,17 @@ mdt() { mo() { xset dpms force off; } # monitor off myirc() { - chan=${1:-fsf-office} + if [[ ! $1 ]]; then + set -- fsf-office + fi + local d=/var/lib/znc/moddata/log/iank/freenode # use * instead of -r since that does sorted order - ssh root@iankelling.org "cd /var/lib/znc/moddata/log/iank/freenode/#$chan; grep '\/dev/null; then + sudo apt-get -y remove --purge --auto-remove nscd + sudo systemctl stop nscd ||: # fails if already stopped +fi + ##### exit first stage if running as root if [[ $EUID == 0 ]]; then @@ -449,7 +471,7 @@ sudo chown $USER:$USER "${dirs[@]}" ||: # trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR # for dir in /i /k /kr /w; do # if ! mountpoint $dir &>/dev/null && \ -# awk '{print $2}' /etc/fstab | grep -xF $dir &>/dev/null; then + # awk '{print $2}' /etc/fstab | grep -xF $dir &>/dev/null; then # if awk '{print $3}' /etc/fstab | grep -xF nfs &>/dev/null; then # mount $dir || echo "warning: failed to mount nfs on $dir" # else diff --git a/distro-end b/distro-end index 46d267d..1fa28a5 100755 --- a/distro-end +++ b/distro-end @@ -58,6 +58,12 @@ sed="sed --follow-symlinks" # case $distro in # esac + +# old repo. remove when all machines updated +sudo rm -fv /etc/apt/sources.list.d/wireguard-ubuntu-wireguard-bionic.list +# remove old file +sudo rm -fv /etc/apt/preferences.d/minetest + #### initial packages pup if isdeb; then 
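Review bot: In `myirc` the channel argument is spliced into the string the remote shell executes (`ssh root@iankelling.org "cd …/#$chan; grep …"`), so a value containing `;`, `$(…)` or quotes runs as commands on the server as root; the tail of this hunk is garbled in this rendering, so I can't see whether the line was rewritten to use `$d/#$1`, but either way the value should be shell-escaped before it is embedded, e.g. `ssh root@iankelling.org "cd $(printf %q "$d/#$1") && grep …"`. The function is interactive-only so the risk is self-inflicted, but unescaped interpolation into a remote command string is the pattern worth avoiding as a habit. `myirc` ends outside the visible part of the hunk.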
@@ -504,25 +510,12 @@ EOF export RENEWED_LINEAGE=/etc/letsencrypt/live/mail2.iankelling.org /a/bin/distro-setup/certbot-renew-hook EOF - mail-setup + mail-setup end ;; li) - case $HOSTNAME in - li) - m /a/h/setup.sh iankelling.org - ;; - # # i dont work on my website that much, so commented to run these as needed - # kd) - # m /a/h/setup.sh -s b8.nz - # ;; - # *) - # # allow symlinks on non-main hosts so i can host files in arbitrary paths - # m /a/h/setup.sh -s -p 80 - #;; - esac - m /a/h/build.rb + m /a/h/setup.sh iankelling.org # start mumble only when im going to use it, since i dont use it much pi-nostart mumble-server @@ -539,7 +532,17 @@ export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org EOF # general vpn for as needed use - #vpn-server-setup -d -r -4 10.2.2 -p 443 -n hole + vpn-server-setup -d -r -4 10.2.2 -p 443 -n hole + sd /etc/openvpn/client-config-hole/frodo <<'EOF' +ifconfig-push 10.2.2.5 255.255.255.0 +EOF + sd /etc/openvpn/client-config-hole/amy <<'EOF' +ifconfig-push 10.2.2.3 255.255.255.0 +EOF + sd /etc/openvpn/client-config-hole/kd <<'EOF' +ifconfig-push 10.2.2.2 255.255.255.0 +EOF + #vpn-mk-client-cert -s "" -n hole 72.14.176.105 # requested from linode via a support ticket. @@ -556,13 +559,7 @@ ifconfig-push 10.8.0.4 255.255.255.0 ifconfig-ipv6-push 2600:3c00:e000:280::2/64 EOF - if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then - vpn_service=openvpn-server@mail - else - vpn_service=openvpn@mail - fi - - sudo dd of=/etc/systemd/system/vpnmail.service </dev/null; then m /a/bin/distro-setup/radicale-setup fi +if [[ $HOSTNAME == frodo ]]; then + vpn-mk-client-cert -b frodo -n hole iankelling.org +fi ############# begin syncthing setup ########### 
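Review bot: The three `client-config-hole/<name>` files pin an address per client CN, but that only takes effect if the server config written by `vpn-server-setup` sets `client-config-dir /etc/openvpn/client-config-hole`, and without `ccd-exclusive` any client with a valid cert but no ccd entry still connects and gets a pool address; `vpn-server-setup` isn't in this diff, so please verify it sets the directory, and add `ccd-exclusive` if fixed addressing is meant to double as an allow-list. The three near-identical heredocs would also read better as a loop over name/address pairs (`for pair in frodo:10.2.2.5 amy:10.2.2.3 kd:10.2.2.2; do … done`), which keeps adding a client from being a copy-paste of an `ifconfig-push` line.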
@@ -1225,20 +1225,24 @@ EOF ####### end transmission - -# trisquel 8 = openvpn, debian stretch = openvpn-client -vpn_ser=openvpn-client -if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then - vpn_ser=openvpn +f=/etc/nn-resolv/nsswitch.conf +if [[ ! -e $f ]]; then + s mkdir -p ${f%/*} + s cp /etc/nsswitch.conf $f + s sed -i --follow-symlinks 's/^ *hosts:.*/hosts: files dns myhostname/' $f + s chattr +i $f fi + + +# trisquel 8 = openvpn, debian stretch = openvpn-client sd /etc/systemd/system/transmission-daemon-nn.service </dev/null; then + m systemctl restart $service + fi + done +} mxhost=mail.iankelling.org mxport=587 @@ -253,7 +266,7 @@ fi ## * Install packages # light version of exim does not have sasl auth support. -pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyzor razor +pi exim4 exim4-daemon-heavy spamassassin spf-tools-perl openvpn p0f postgrey pyzor razor jq moreutils # note: pyzor debian readme says you need to run some initialization command # but its outdated. 
@@ -348,17 +361,72 @@ internal_networks 85.119.83.50 trusted_networks 72.14.176.105 2600:3c00:e000:280::2 85.119.83.50 18.4.89.0/24 209.51.188.0/24 74.94.156.208/28 2603:3005:71a:2e00::/64 2001:470:142::/48 EOF -case $HOSTNAME in - $MAIL_HOST) - f=/etc/nn-resolv/stub-resolv.conf - l="nameserver 8.8.8.8" - if ! grep -Fxq "$l" /etc/nn-resolv/stub-resolv.conf &>/dev/null; then - mkdir -p ${f%/*} - echo "$l" >$f - chattr +i $f - fi +# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html +f=/etc/systemd/system/openvpn-client-mail@.service +if [[ ! -s $f || $(stat -c%s $f) != 1709 ]]; then + cat >$f <<'EOF' +[Unit] +Description=OpenVPN tunnel for %I +After=syslog.target network-online.target +Wants=network-online.target +Documentation=man:openvpn(8) +Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage +Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO +Requires=iptables.service +# needed to continually restatr +StartLimitIntervalSec=0 + + +[Service] +Type=notify +RuntimeDirectory=openvpn-client +RuntimeDirectoryMode=0710 +WorkingDirectory=/etc/openvpn/client +ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf +#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE +LimitNPROC=10 +# DeviceAllow=/dev/null rw +# DeviceAllow=/dev/net/tun rw +ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start %i +ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i +PrivateNetwork=true +# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53, +# because of +# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback +# there is a workaround there, but i dont think its really worth it, +# the mail server is fine with a static dns anyways. 
+# This thread is also interesting, +# https://github.com/slingamn/namespaced-openvpn/issues/7 +# todo: the iptables rule at the bottom could be useful to prevent +# dns from leaking in my network namespaced vpn. +# I also like the idea of patching systemd-resolved so it +# will listen on other interfaces, but its not worth my time. +BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind + +Restart=always +# time to sleep before restarting a service +RestartSec=1 + + +[Install] +WantedBy=multi-user.target +EOF + m systemctl daemon-reload +fi + + +f=/etc/nn-resolv/stub-resolv.conf +l="nameserver 8.8.8.8" +if ! grep -Fxq "$l" /etc/nn-resolv/stub-resolv.conf &>/dev/null; then + mkdir -p ${f%/*} + echo "$l" >$f + chattr +i $f +fi +### begin setup network namespace ### +case $HOSTNAME in + $MAIL_HOST) reload=false for unit in exim4 spamassassin; do f=/etc/systemd/system/$unit.service.d/nn.conf @@ -373,21 +441,43 @@ Requires=openvpn-client-mail@mail.service After=openvpn-client-mail@mail.service JoinsNamespaceOf=openvpn-client-mail@mail.service +# needed to continually restart +StartLimitIntervalSec=0 + [Service] PrivateNetwork=true BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind + +Restart=always +# time to sleep before restarting a service +RestartSec=1 EOF fi done if $reload; then m systemctl daemon-reload fi -;; + ;; + *) + reload=false + for unit in exim4 spamassassin; do + f=/etc/systemd/system/$unit.service.d/nn.conf + if [[ -s $f ]]; then + rm -fv $f + reload=true + fi + done + if $reload; then + m systemctl daemon-reload + fi + + ;; +esac +### end setup network namespace ### - bk|$MAIL_HOST) - m systemctl stop spamassassin - m systemctl disable spamassassin +case $HOSTNAME in + $MAIL_HOST) # per readme.debian sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin e CRON=1 >>/etc/default/spamassassin 
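Review bot: The lock file in `ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock …` lives in a world-writable directory, so any local user can pre-create it and hold the lock — each start then waits 20 s and fails, and with `Restart=always` plus `StartLimitIntervalSec=0` the unit spins indefinitely — or pre-place a symlink there for root's `flock` to open (mitigated by `fs.protected_symlinks`, but not something to rely on); put it under a root-owned path instead, e.g. `/run/lock/newns.flock`, in both the `ExecStartPre=` and `ExecStopPost=` lines. The "unit is current" test `$(stat -c%s $f) != 1709` is a hand-maintained byte count that can't distinguish two same-length contents; writing the intended text to a temp file and `cmp -s` against `$f` is safer. Separately, `nameserver 8.8.8.8` is now written for every host rather than only `$MAIL_HOST` as before — presumably intended since the unit is also created everywhere, but a one-line comment saying so would help.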
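Review bot: In the `*)` branch the drop-in is removed only when `[[ -s $f ]]`, so a zero-length `nn.conf` (e.g. from an interrupted earlier write) is left in place and never triggers `daemon-reload`; use `if [[ -e $f ]]; then`. That branch also doesn't restart exim4/spamassassin after removing the namespace drop-in, so a host that stops being `$MAIL_HOST` keeps running inside the VPN namespace until its next restart — hedged, since code outside this hunk may restart them. Note that `StartLimitIntervalSec=0` with `Restart=always`/`RestartSec=1` on exim4 and spamassassin disables start-rate limiting entirely, so a broken config restarts once a second forever without ever entering the failed state that `OnFailure=` or monitoring would catch; if that's accepted, a comment in the drop-in saying so saves the next reader the question.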
@@ -430,25 +520,22 @@ EOF ;; esac +case $HOSTNAME in + $MAIL_HOST|bk) + m systemctl restart spamassassin + ;; +esac + ##### end spamassassin config # * Update mail cert if [[ -e /p/c/filesystem ]]; then - # allow failure of these commands when our internet is down, they are likely not needed, - # we check that a valid cert is there already. - # to put the hostname in the known hosts - if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then - # This just causes failure if our cert is going to expire in the next 30 days. - # Certs I generate last 10 years. - openssl x509 -checkend $(( 60 * 60 * 24 * 30 )) -noout -in /etc/openvpn/mail.crt - else - # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with - # systemd, buuut it can remake the tun device unexpectedly, i got this in the log - # after my internet was down for a bit: - # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. - m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org - fi + # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with + # systemd, buuut it can remake the tun device unexpectedly, i got this in the log + # after my internet was down for a bit: + # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. + m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org fi @@ -1030,8 +1117,7 @@ EOF # sqlite3 /m/rc/users.sqlite <<'EOF' #insert into users (email, password) values ('testignore@bk.b8.nz', 'hash'); #EOF - - + # update users set password = 'hash' where email = 'testignore@bk.b8.nz'; ;; esac ####### end dovecot-setup ######## 
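Review bot: Dropping the offline branch means `m /a/exe/vpn-mk-client-cert -b mailclient -n mail -s /b/ds/mail-route li.iankelling.org` now runs unconditionally, so when li.iankelling.org is unreachable mail-setup aborts at this point instead of continuing with the cert already in place, and the `openssl x509 -checkend` guard that flagged an expiring `/etc/openvpn/mail.crt` goes with it. Keep the expiry check as the fallback, e.g. `m /a/exe/vpn-mk-client-cert … li.iankelling.org || openssl x509 -checkend $((60*60*24*30)) -noout -in /etc/openvpn/mail.crt`, so a transient outage doesn't stop the rest of the setup but a cert about to expire still fails loudly. Removing the `ssh -o StrictHostKeyChecking=no` probe is a good change on its own — it disabled host-key verification for first contact.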
@@ -1043,27 +1129,18 @@ nextcloud-setup() { # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html # curl from the web installer requirement, but i switched to cli pi php-curl php-fileinfo php-bz2 - /a/exe/web-conf - apache2 expertpathologyreview.com <<'EOF' -Alias /nextcloud "/var/www/nextcloud/" - - Require all granted - AllowOverride All - Options FollowSymLinks MultiViews - - - Dav off - - - -EOF + # install checker, nextcloud/settings/admin/overview + pi php-gmp php-bcmath php-imagick php-apcu cd /var/www - wget https://download.nextcloud.com/server/releases/latest.zip - unzip -q latest.zip - rm latest.zip - chown -R www-data.www-data nextcloud - cd /var/www/nextcloud - sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass swarm.numbered.alienist + if [[ ! -e nextcloud/index.php ]]; then + wget https://download.nextcloud.com/server/releases/latest.zip + unzip -q latest.zip + rm -f latest.zip + chown -R www-data.www-data nextcloud + cd /var/www/nextcloud + sudo -u www-data php occ maintenance:install --database sqlite --admin-user iank --admin-pass $nextcloud_admin_pass + fi cd /var/www/nextcloud/config # https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html cat >/etc/php/$phpver/fpm/pool.d/localwww.conf <<'EOF' 
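Review bot: Moving the Nextcloud admin password out of the script into `$nextcloud_admin_pass` is right, but the literal that was here stays in git history, so it should be treated as disclosed and rotated on the instance; also quote the expansion, `--admin-pass "$nextcloud_admin_pass"`, since a password with spaces or glob characters would otherwise be split. The password is still passed on the occ command line, where it's visible in `ps` and in any `set -x` trace — hard to avoid with `maintenance:install`, but worth a comment. `wget …/latest.zip` is extracted and installed with no integrity check, unlike the composer download later in this file which verifies a hash; Nextcloud publishes `.sha512`/`.asc` files next to the archive, so fetch one and verify (`sha512sum -c`) before `unzip`. Also `chown -R www-data.www-data nextcloud` uses the deprecated `user.group` form; `www-data:www-data` is the portable spelling.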
@@ -1071,6 +1148,27 @@ EOF clear_env = no EOF cat config.php - >tmp.php <<'EOF' +# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/email_configuration.html +$CONFIG["mail_smtpmode"] = "sendmail"; +$CONFIG["mail_smtphost"] = "127.0.0.1"; +$CONFIG["mail_smtpport"] = 25; +$CONFIG["mail_smtptimeout"] = 10; +$CONFIG["mail_smtpsecure"] = ""; +$CONFIG["mail_smtpauth"] = false; +$CONFIG["mail_smtpauthtype"] = "LOGIN"; +$CONFIG["mail_smtpname"] = ""; +$CONFIG["mail_smtppassword"] = ""; +$CONFIG["mail_domain"] = "expertpathologyreview.com"; + +# https://github.com/nextcloud/user_external#readme +# plus mailinabox example +$CONFIG['user_backends'] = array(array('class' => 'OC_User_IMAP','arguments' => array('127.0.0.1', 143, null),),); + + +# based on installer check +# https://docs.nextcloud.com/server/19/admin_manual/configuration_server/caching_configuration.html +$CONFIG['memcache.local'] = '\OC\Memcache\APCu'; + $CONFIG['overwrite.cli.url'] = 'https://expertpathologyreview.com/nextcloud'; $CONFIG['htaccess.RewriteBase'] = '/nextcloud'; $CONFIG['trusted_domains'] = array ( 
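Review bot: `user_backends` with `OC_User_IMAP` against `127.0.0.1`, port 143 and a `null` domain makes Nextcloud accept any username/password the local IMAP server accepts and sends those credentials over plain IMAP — acceptable only because the peer is loopback; a comment stating both facts would stop a later "move dovecot to another host" from silently turning this into cleartext auth across the network, e.g. `// loopback only: plaintext 143 is fine here, never point this at a remote host`. With `mail_smtpmode = "sendmail"` the `mail_smtphost/port/secure/auth*` keys are unused and read as if SMTP auth were configured; either drop them or note that they're inert. The `cat config.php - >tmp.php` heredoc this hunk extends ends outside it.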
@@ -1084,15 +1182,40 @@ EOF php tmp.php >config.php 2>/dev/null rm tmp.php sudo -u www-data php /var/www/nextcloud/occ maintenance:update:htaccess + list=$(sudo -u www-data php /var/www/nextcloud/occ --output=json_pretty app:list) + for app in contacts calendar user_external; do + if [[ $(printf "%s\n" "$list"| jq ".enabled.$app") == null ]]; then + m sudo -u www-data php /var/www/nextcloud/occ app:install $app + fi + done + + # todo: install apps with occ. contacts, calendar, mail } # * roundcube setup roundcube-setup() { + + ### begin composer install + # https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md + cd $(mktemp -d) + sum="$(wget -q -O - https://composer.github.io/installer.sig)" + php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" + if [[ $sum != $(php -r "echo hash_file('sha384', 'composer-setup.php');") ]]; then + echo 'ERROR: Invalid composer installer checksum' >&2 + rm composer-setup.php + exit 1 + fi + php composer-setup.php --quiet + rm composer-setup.php + mv composer.phar /usr/local/bin + ### end composer install + + + + # avoid prompt - debconf-set-selections <<'EOF' -roundcube-core roundcube/dbconfig-install boolean false -EOF + export DEBIAN_FRONTEND=noninteractive # zip according to /installer # which requires adding a line to /usr/local/lib/roundcubemail/config/config.inc.php # $config['enable_installer'] = true; @@ -1108,8 +1231,6 @@ EOF m ln -sfT $rcdir/bin/cleandb.sh /usr/share/roundcube/bin/cleandb.sh fi - # todo, consider installing the extensions mailinabox uses - #### begin dl roundcube # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom v=1.4.8; f=roundcubemail-$v-complete.tar.gz 
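Review bot: `cd $(mktemp -d)` in the composer block leaves the temp directory behind and leaves the function's cwd inside it, and the `exit 1` on checksum mismatch terminates the whole setup rather than returning from `roundcube-setup`; run the download/verify in a subshell rooted at a `tmpd=$(mktemp -d)` that is removed afterwards, and use `return 1` unless a hard stop is intended. The checksum only proves the installer matches what getcomposer.org serves at that moment, and the installer then fetches the newest composer; for reproducibility pin `php composer-setup.php --quiet --version=<x.y.z>` and note the version in a comment. `export DEBIAN_FRONTEND=noninteractive` replaces the explicit `roundcube/dbconfig-install boolean false` preseed, so roundcube-core's postinst now takes its default for dbconfig — I can't see from here whether that default is "no", so confirm the package doesn't start configuring a database on its own. Inside the app loop, `jq ".enabled.$app"` interpolates the name into the jq program, fine for this fixed list but should become `--arg app "$app" '.enabled[$app]'` if the list ever comes from outside.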
@@ -1121,7 +1242,7 @@ EOF fi m wget -nv -N https://github.com/roundcube/roundcubemail/releases/download/$v/$f new_timestamp=$(stat -c %Y $f) - if [[ $timestamp != $new_timestamp ]]; then + if [[ $timestamp != $new_timestamp || ! -e $rcdir/config/secret ]]; then m tar -C /usr/local/lib --no-same-owner -zxf $f m rm -rf $rcdir m mv $rcdir-$v $rcdir @@ -1129,7 +1250,9 @@ EOF cd - #### end dl roundcube - /a/exe/web-conf -r $rcdir - apache2 mail.expertpathologyreview.com < Options +FollowSymLinks @@ -1142,6 +1265,30 @@ EOF Options -FollowSymLinks AllowOverride None +### end roundcube settings + + +### begin nextcloud settings +Alias /nextcloud "/var/www/nextcloud/" + + Require all granted + AllowOverride All + Options FollowSymLinks MultiViews + + + Dav off + + + + +# based on install checker, links to +# https://docs.nextcloud.com/server/19/admin_manual/issues/general_troubleshooting.html#service-discovery +RewriteRule ^\.well-known/host-meta /nextcloud/public.php?service=host-meta [QSA,L] +RewriteRule ^\.well-known/host-meta\.json /nextcloud/public.php?service=host-meta-json [QSA,L] +RewriteRule ^\.well-known/webfinger /nextcloud/public.php?service=webfinger [QSA,L] +RewriteRule ^\.well-known/carddav /nextcloud/remote.php/dav/ [R=301,L] +RewriteRule ^\.well-known/caldav /nextcloud/remote.php/dav/ [R=301,L] +### end nextcloud settings EOF if [[ ! -e $rcdir/config/secret ]]; then 
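Review bot: The `RewriteRule ^\.well-known/…` lines go into the Apache vhost file, and in server/vhost context mod_rewrite matches the URL path with its leading `/`, so patterns anchored as `^\.well-known` only fire inside a `<Directory>` or `.htaccess` context; the surrounding tags were lost in this rendering, so if the rules sit directly in the vhost they need `^/\.well-known/…` (and a `RewriteEngine on`) — please verify with `curl -I https://…/.well-known/caldav`. The `AllowOverride All` / `Options FollowSymLinks MultiViews` block matches the Nextcloud docs but relies on Nextcloud's own `.htaccess` to deny `data/` and `config/`, which is why `AllowOverride All` must stay; a comment saying so would keep someone from "hardening" it to `None`. The `web-conf` heredoc this hunk extends starts in an earlier hunk.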
@@ -1178,23 +1325,87 @@ EOF ); \$config['product_name'] = 'webmail'; \$config['des_key'] = '$secret'; -\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui'); +\$config['plugins'] = array('archive', 'zipdownload', 'password', 'managesieve', 'jqueryui', 'carddav'); \$config['skin'] = 'elastic'; \$config['login_autocomplete'] = 2; \$config['password_charset'] = 'UTF-8'; \$config['junk_mbox'] = 'Spam'; +# disable builtin addressbook +\$config['address_book_type'] = ''; ?> EOF - m mkdir -p /var/tmp/roundcubemail /m/rc - m chown -R www-data.www-data /var/tmp/roundcubemail /m/rc - m chmod 750 /var/tmp/roundcubemail + # todo rss subscribe to carddav plugin + m mkdir -p /var/tmp/roundcube /m/rc + m chown -R www-data.www-data /var/tmp/roundcube /m/rc + m chmod 750 /var/tmp/roundcube # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. # todo: setup fail2ban # todo: setup dnssec. # todo: check for other mailinabox things m sudo -u www-data touch /var/log/roundcube/errors.log + + # todo: look at .well-known for carddav? + + #### begin carddav install + # This is the official roundcube carddav repo. + # Install doc suggests downloading with composer, but that + # didnt work, it said some ldap package for roundcube was missing, + # but I dont want to download some extra ldap thing. 
+ # https://github.com/blind-coder/rcmcarddav/blob/master/doc/INSTALL.md + verf=$rcdir/plugins/carddav/myversion + upgrade=false + install=false + v=4.0.0 + if [[ -e $verf ]]; then + if [[ $(cat $verf) != $v ]]; then + install=true + upgrade=true + fi + else + install=true + fi + if $install; then + rm -rf $rcdir/plugins/carddav + tmpd=$(mktemp -d) + m wget -nv -O $tmpd/t.tgz https://github.com/blind-coder/rcmcarddav/releases/download/v$v/carddav-v$v.tgz + cd $rcdir/plugins + tar xzf $tmpd/t.tgz + rm -rf $tmpd + chown -R www-data:www-data $rcdir/plugins/carddav + cd $rcdir/plugins/carddav + if $upgrade; then + sudo -u www-data composer.phar update --no-dev + else + sudo -u www-data composer.phar install --no-dev + fi + chown -R root:root $rcdir/plugins/carddav + echo $v >$verf + fi + + cat > $rcdir/plugins/carddav/config.inc.php <<'EOF'; + 'Main', + 'username' => '%u', // login username + 'password' => '%p', // login password + 'url' => 'https://expertpathologyreview.com/nextcloud/remote.php/carddav/addressbooks/%u/contacts', + 'active' => true, + 'readonly' => false, + 'refresh_time' => '00:10:00', + 'fixed' => array('username','password'), + 'hide' => false, + 'use_categories' => true, // https://www.davx5.com/tested-with/nextcloud +); +?> +EOF + #### end carddav install + + # todo: try out roundcube plugins: html5 notifier, nextcloud, thunderbird labels + # Password changing plugin settings cat $rcdir/plugins/password/config.inc.php.dist - >$rcdir/plugins/password/config.inc.php <<'EOF' # following are from mailinabox 
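Review bot: `rm -rf $rcdir/plugins/carddav` runs before the download, so if `wget` or `tar` fails the plugin is gone while `carddav` stays in `$config['plugins']` (written earlier in this hunk) and roundcube errors until the script is rerun; unpack into `$tmpd` first and swap the directory in afterwards. The tarball is installed with no checksum or signature check, and the upgrade path runs `composer.phar update --no-dev`, which ignores the release's `composer.lock` and resolves whatever Packagist serves that day — use `composer.phar install --no-dev` on both paths so the locked dependency set shipped with the release is what gets installed (which also makes `upgrade` unused), and record the archive's sha256 next to `v=4.0.0`. `composer.phar` is resolved via PATH under `sudo -u www-data`; spell it `/usr/local/bin/composer.phar` so it doesn't depend on `secure_path`. Note the old `/var/tmp/roundcubemail` directory from the rename to `/var/tmp/roundcube` is never removed.
```shell
  if $install; then
    tmpd=$(mktemp -d)
    m wget -nv -O $tmpd/t.tgz https://github.com/blind-coder/rcmcarddav/releases/download/v$v/carddav-v$v.tgz
    # unpack first so a failed download leaves the current plugin in place
    tar -C $tmpd -xzf $tmpd/t.tgz
    rm -rf $rcdir/plugins/carddav
    mv $tmpd/carddav $rcdir/plugins/carddav
    rm -rf $tmpd
    chown -R www-data:www-data $rcdir/plugins/carddav
    cd $rcdir/plugins/carddav
    # install, not update: honour the composer.lock shipped in the release
    sudo -u www-data /usr/local/bin/composer.phar install --no-dev
    # … unchanged: chown back to root, write $verf …
  fi
```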
@@ -1232,19 +1443,30 @@ EOF # according to /install, we should set date.timezone, # but that is dumb, the system already has the right zone in # /var/log/roundcubemail/errors.log + # todo: consider other settings in + # /a/opt/mailinabox/setup/nextcloud.sh + cat >/etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF' +apc.enable_cli = 1 +EOF + cat >/etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF' date.timezone = "America/New_York" # for nextcloud upload_max_filesize = 2000M post_max_size = 2000M +# install checker, nextcloud/settings/admin/overview +memory_limit = 512M +EOF + + # https://docs.nextcloud.com/server/19/admin_manual/configuration_server/background_jobs_configuration.html + cat >/etc/cron.d/nextcloud <<'EOF' +*/5 * * * * php -f /var/www/nextcloud/cron.php --define apc.enable_cli=1 EOF m systemctl restart $fpm # dunno if reload/restart is needed m systemctl reload apache2 - m systemctl reload exim4 - - # todo: backups, carddav w nextcloud + # note bk backups are defined in crontab outside this file } @@ -1304,10 +1526,7 @@ EOF /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]] server=/mail.iankelling.org/127.0.1.1 EOF - if systemctl is-active dnsmasq >/dev/null; then - m systemctl restart dnsmasq - fi - m nscd -i hosts + reifactive dnsmasq nscd # I used to use debconf-set-selections + dpkg-reconfigure, # which then updates this file 
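Review bot: `/etc/cron.d/nextcloud` is written without the user field — files under `/etc/cron.d` use the system-crontab format `min hour dom mon dow USER command`, so cron reads `php` as the user and `-f …` as the command and the job never runs (the five-field line in the Nextcloud docs is for `crontab -u www-data -e`); it should be `*/5 * * * * www-data php -f /var/www/nextcloud/cron.php --define apc.enable_cli=1`, and Nextcloud also requires the job to run as the web-server user, so `www-data` is the right column. With `apc.enable_cli = 1` now set in `cli/conf.d/30-local.ini`, the `--define` on the cron line is redundant — harmless, but pick one so the next reader doesn't wonder which is authoritative. `roundcube-setup` begins outside this hunk.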
@@ -1379,60 +1598,6 @@ EOF fi done - # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html - f=/etc/systemd/system/openvpn-client-mail@.service - if [[ ! -s $f || $(stat -c%s $f) != 1709 ]]; then - cat >$f <<'EOF' -[Unit] -Description=OpenVPN tunnel for %I -After=syslog.target network-online.target -Wants=network-online.target -Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage -Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO -Requires=iptables.service -# needed to continually restatr -StartLimitIntervalSec=0 - - -[Service] -Type=notify -RuntimeDirectory=openvpn-client -RuntimeDirectoryMode=0710 -WorkingDirectory=/etc/openvpn/client -ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf -#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE -LimitNPROC=10 -# DeviceAllow=/dev/null rw -# DeviceAllow=/dev/net/tun rw -ExecStartPre=/a/bin/newns/newns -n 10.173.8 start %i -ExecStopPost=/a/bin/newns/newns stop %i -PrivateNetwork=true -# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53, -# because of -# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback -# there is a workaround there, but i dont think its really worth it, -# the mail server is fine with a static dns anyways. -# This thread is also interesting, -# https://github.com/slingamn/namespaced-openvpn/issues/7 -# todo: the iptables rule at the bottom could be useful to prevent -# dns from leaking in my network namespaced vpn. -# I also like the idea of patching systemd-resolved so it -# will listen on other interfaces, but its not worth my time. 
-BindPaths=/etc/nn-resolv:/run/systemd/resolve:norbind - -Restart=always -# time to sleep before restarting a service -RestartSec=1 - - -[Install] -WantedBy=multi-user.target -EOF - m systemctl daemon-reload - m systemctl restart openvpn-client-mail@mail - fi - m systemctl start openvpn-client-mail@mail m systemctl enable openvpn-client-mail@mail @@ -1511,8 +1676,8 @@ EOF - - + + %EMAILADDRESS% @@ -1540,10 +1705,7 @@ s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2# EOF echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]] - if systemctl is-active dnsmasq >/dev/null; then - m systemctl restart dnsmasq # reload does not ensure new config is used - fi - m nscd -i hosts + reifactive dnsmasq nscd m systemctl disable mailclean.timer &>/dev/null ||: m systemctl stop mailclean.timer &>/dev/null ||: @@ -1662,7 +1824,6 @@ case $HOSTNAME in ;; esac - # * mail monitoring / testing case $HOSTNAME in diff --git a/pkgs b/pkgs index 82a5a5b..d6a3674 100644 --- a/pkgs +++ b/pkgs @@ -8,7 +8,6 @@ p1=( lvm2 mbuffer screen - nscd ) p2=( bash-completion @@ -188,6 +187,7 @@ p3=( # for sig2dot signing-party sipcalc + socat sqlite3-doc squashfs-tools strace diff --git a/radicale-setup b/radicale-setup index 3e3a997..95391fa 100755 --- a/radicale-setup +++ b/radicale-setup @@ -31,25 +31,25 @@ source /a/bin/distro-functions/src/package-manager-abstractions # created password file with: # htpasswd -c /etc/davpass dav -vpn_ser=openvpn-client -if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then - vpn_ser=openvpn -fi - d=/etc/systemd/system/radicale.service.d mkdir -p $d cat >$d/override.conf <