From 5828d638ed22819f9d5fd6e5a1cc67ac02ec1b56 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sun, 4 Aug 2024 22:07:38 -0400 Subject: [PATCH] minor fixes and updates --- .bashrc | 2 +- b | 1 + brc2 | 16 +++- distro-end | 28 ++++++- filesystem/usr/local/bin/i3-abrowser | 9 +- filesystem/usr/local/bin/mount-latest-subvol | 72 +--------------- filesystem/usr/local/bin/myupgrade | 2 +- filesystem/usr/local/bin/switch-mail-host | 2 +- filesystem/usr/local/bin/umount-funcs | 84 +++++++++++++++++++ i3-sway/common.conf | 6 +- .../etc/openvpn/client-config-hole/so | 2 +- .../etc/openvpn/client-config-hole/sy | 1 - .../systemd/system/openvpn-client-tr@.service | 4 +- .../systemd/system/openvpn-client-tr@.service | 36 -------- myx | 6 +- pkgs | 5 ++ rshiank | 45 ---------- subdir_files/.config/mpv/mpv.conf | 7 ++ 18 files changed, 160 insertions(+), 168 deletions(-) create mode 120000 b create mode 100644 filesystem/usr/local/bin/umount-funcs delete mode 100644 machine_specific/li/filesystem/etc/openvpn/client-config-hole/sy delete mode 100644 machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service delete mode 100755 rshiank diff --git a/.bashrc b/.bashrc index ea49780..c863938 100644 --- a/.bashrc +++ b/.bashrc @@ -49,7 +49,7 @@ HISTCONTROL=ignoredups # This works in addition to HISTCONTROL to do more flexible things # it could also do the same things as HISTCONTROL and thus replace it, # but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it. -HISTIGNORE='pass *:otp *:oathtool *:histrm *' +HISTIGNORE='pass *:otp *:oathtool *:histrm *:h *' # note: duplicated in /a/bin/ds/filesystem/etc/profile.d/environment.sh umask 022 diff --git a/b b/b new file mode 120000 index 0000000..0d73b4e --- /dev/null +++ b/b @@ -0,0 +1 @@ +filesystem/usr/local/bin \ No newline at end of file diff --git a/brc2 b/brc2 index d06685f..0555d7b 100644 --- a/brc2 +++ b/brc2 
@@ -3037,6 +3037,10 @@ mnsd() { # mount namespace + systemd namespace mns-setup $ns pid=$(servicepid $unit) + # i can't remember the exact reason i started exporting, but it does keep the + # environment vars perfectly accurate, whereas sudo -E does not quite. Although, + # we could just set those explicity, PATH is the main one. It also + # seems less secure since another process could modify the temp file. tmpf=$(mktemp --tmpdir $unit.XXXXXXXXXX) export -p >$tmpf printf "%s " "${@@Q}" >>$tmpf @@ -3046,13 +3050,19 @@ mnsd() { # mount namespace + systemd namespace } -mnsr() { # mns run +mnsr() { # mns run (as normal user) local ns=$1 + local -a cmd shift - mns $ns sudo -u iank -E env "PATH=$PATH" "$@" + if [[ $1 ]]; then + cmd=("$@") + else + cmd=(bash) + fi + mns $ns sudo -u iank -E env "PATH=$PATH" "${cmd[@]}" } -mnsnonetr() { +mnsnonetroot() { ns=$1 lomh if ! s ip netns list | grep -Fx nonet &>/dev/null; then diff --git a/distro-end b/distro-end index 77ff9d8..5dce39a 100755 --- a/distro-end +++ b/distro-end @@ -1431,10 +1431,11 @@ sgo schrootupdate.timer case $distro in trisquel|ubuntu) m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/bookworm.list/BOOKWORM_FREE \ - debian bookworm chromium + debian bookworm chromium fonts-noto-color-emoji ;; debian) - pi chromium + # fonts are for emojis, which tend to get used as buttons on the web. + pi chromium fonts-noto-color-emoji ;; esac 
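Review bot: The new comment's security worry is aimed at the wrong thing: `mktemp` creates the file with mode 0600 owned by the caller, so a different user cannot modify it, and a process of the same user already has every privilege the file would give it. The actual exposure in the context lines is that `export -p >$tmpf` persists the entire exported environment — including whatever credentials happen to be exported at the time — to disk for as long as the file exists. I'd reword it to `# export -p writes the whole exported environment (possibly secrets) to a temp file; it is 0600, but remove it as soon as the namespace shell has sourced it.` Whether the file is removed after use is outside this hunk, so I can't confirm it; `$unit` in the mktemp template is also unquoted and would word-split on a name with spaces. mnsd's body continues outside the hunk.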
@@ -2146,6 +2147,29 @@ curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo ### end gh #### +##### begin docker install +if ! pcheck "$@"; then + # https://docs.docker.com/engine/install/ubuntu/ + # Add Docker's official GPG key: + sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc + sudo chmod a+r /etc/apt/keyrings/docker.asc + + # Add the repository to Apt sources: + echo \ + "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ + $(debian-codename-compat) stable" | \ + sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + + p update + + + # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless + # we really need it. + pi-nostart docker-ce + +fi +##### end docker install ##### + # remove trisquel banner. it is cool but takes up too much space. sudo rm -f /etc/update-motd.d/01-banner diff --git a/filesystem/usr/local/bin/i3-abrowser b/filesystem/usr/local/bin/i3-abrowser index d592ceb..e42f9e6 100755 --- a/filesystem/usr/local/bin/i3-abrowser +++ b/filesystem/usr/local/bin/i3-abrowser @@ -33,8 +33,13 @@ else b=firefox fi +tag=abrowser +if (( $# >= 1 )); then + tag=$tag"${@:$#}" +fi + # spawn and mark if we dont have a mark already -if ! i3-focus-maybe abrowser; then +if ! i3-focus-maybe $tag; then i3-msg "workspace 2" i3-split-maybe @@ -44,7 +49,7 @@ if ! i3-focus-maybe abrowser; then for (( i=0; i < 15; i++ )); do sleep 1 - if i3-msg "[workspace=__focused__ class=\"$b\" instance=\"Navigator\" window_role=\"browser\"] mark abrowser"; then + if i3-msg "[workspace=__focused__ class=\"$b\" instance=\"Navigator\" window_role=\"browser\"] mark $tag"; then break fi done diff --git a/filesystem/usr/local/bin/mount-latest-subvol b/filesystem/usr/local/bin/mount-latest-subvol index cd87863..e39da52 100755 --- a/filesystem/usr/local/bin/mount-latest-subvol +++ b/filesystem/usr/local/bin/mount-latest-subvol 
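Review bot: `sudo curl -fsSL ... -o /etc/apt/keyrings/docker.asc` assumes `/etc/apt/keyrings` already exists; the upstream instructions the comment cites create it first, and on a host without it curl cannot open the output file, after which — unless distro-end runs under `set -e`, which the hunk doesn't show — the script goes on to add an apt source whose `signed-by` file is missing. Add `sudo install -m 0755 -d /etc/apt/keyrings` before the curl line. The key is trusted purely on the TLS connection to download.docker.com; since this block is the one place the key gets installed, it is worth printing `gpg --show-keys /etc/apt/keyrings/docker.asc` and comparing the fingerprint with the one Docker publishes before `p update` runs. The source line also hard-codes `linux/ubuntu` while the chromium case earlier in this file branches on `$distro` for debian too, so if `debian-codename-compat` returns a Debian codename on Debian hosts the repository path will not exist — the block should either be gated on the distro or select the matching path.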
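Review bot: `tag=$tag"${@:$#}"` builds the i3 mark from the raw last argument, and `i3-focus-maybe $tag` on the changed line below it is unquoted, so a profile name containing whitespace splits into extra arguments, and characters such as `]` or `"` would corrupt the criteria string in the second hunk's `... mark $tag`. Restrict the tag to safe characters and quote it: `tag=abrowser${*: -1}`, `tag=${tag//[^[:alnum:]._-]/_}`, and `if ! i3-focus-maybe "$tag"; then`. The sanitized value should then be used in the `mark $tag` line of the `@@ -44,7 +49,7 @@` hunk as well, and a one-line comment above the `tag=` assignment saying the mark is derived from the last argument (the profile name in the common.conf binding) would make the contract with i3-focus-maybe explicit.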
@@ -19,13 +19,16 @@ # SPDX-License-Identifier: GPL-3.0-or-later this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" -readonly this_file +readonly this_file this_dir="${this_file%/*}" + cd / [[ $EUID == 0 ]] || exec sudo -E "$this_file" "$@" set -e; . /usr/local/lib/bash-bear; set +e shopt -s nullglob +source "$this_dir/umount-funcs" + usage() { cat <&2 - ps -f -p $p - exit 1 - fi - done - done -} -kill-dir() { - for sig; do - echo kill-dir $sig - found_pids=false - if pids=$(timeout 4 lsof -t $dir); then - found_pids=true - timeout 4 lsof -w $dir - pid-check - kill -$sig $pids - fi - # fuser will find open sockets that lsof won't, for example from gpg-agent. - # note: -v shows kernel processes, which then doesn't return true when we want - if pids=$(timeout 4 fuser -m $dir 2>/dev/null); then - pid-check - found_pids=true - fuser -$sig -mvk $dir - fi - sleep .5 - if ! $found_pids; then - return 0 - fi - done - return 1 -} -umount-kill() { - dir=$1 - if mountpoint -q $dir; then - if m umount -R $dir; then - unmounted+=($dir) - else - if ! kill-dir TERM TERM TERM INT INT HUP HUP TERM TERM TERM INT INT HUP HUP; then - if $force; then kill-dir KILL; fi - fi - if m umount -R $dir; then - unmounted+=($dir) - else - echo "$0: failed to umount $dir" - umount_ret=false - ret=1 - fi - fi - fi -} # duplicated in check-subvol # Reassign $1 var from /dev/dm- to corresponding /dev/mapper/ @@ -290,19 +239,6 @@ fi ##### end setup fstab for subvols we care about ###### -### begin get pids that this program depends on so we dont kill them -my_pids=($$ $PPID) -loop_limit=30 -count=0 -while [[ ${my_pids[-1]} != 1 && ${my_pids[-1]} != "${my_pids[-2]}" && $count -lt $loop_limit ]]; do - count=$((count + 1)) - p=$(ps -p ${my_pids[-1]} -o ppid=) - if [[ $p == 0 || ! $p ]]; then - break - fi - my_pids+=($p) -done -### end get pids that this program depends on so we dont kill them for vol in ${all_vols[@]}; do d=/$vol 
diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade index 49197fb..1f50c6f 100755 --- a/filesystem/usr/local/bin/myupgrade +++ b/filesystem/usr/local/bin/myupgrade @@ -36,7 +36,7 @@ err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $pre: $*" >&2; } [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" -hn=$(hostname -f) +hn=$(hostname) source /a/bin/bash_unpublished/source-state d() { diff --git a/filesystem/usr/local/bin/switch-mail-host b/filesystem/usr/local/bin/switch-mail-host index e7084c6..5c1bdce 100755 --- a/filesystem/usr/local/bin/switch-mail-host +++ b/filesystem/usr/local/bin/switch-mail-host @@ -163,7 +163,7 @@ if ! $force && { $check_installed || [[ $direction == push ]]; } ; then switch-mail-host ) for f in ${install_bin_files[@]}; do - if ! diff -q /a/bin/ds/$f /usr/local/bin/$f; then + if ! diff -q /a/bin/ds/filesystem/usr/local/bin/$f /usr/local/bin/$f; then uninstalled-file-die $f fi done diff --git a/filesystem/usr/local/bin/umount-funcs b/filesystem/usr/local/bin/umount-funcs new file mode 100644 index 0000000..4f86186 --- /dev/null +++ b/filesystem/usr/local/bin/umount-funcs 
@@ -0,0 +1,84 @@ +#!/bin/bash + +# meant to be sourced + +if ! type -p m &>/dev/null; then + m() { + printf "$0:${SSH_CLIENT:+ $HOSTNAME:} %s\n" "$*" + "$@" + } +fi +get-my-pids() { + if (( ${#my_pids[@]} )); then + return 0 + fi + my_pids=($$ $PPID) + loop_limit=30 + count=0 + while [[ ${my_pids[-1]} != 1 && ${my_pids[-1]} != "${my_pids[-2]}" && $count -lt $loop_limit ]]; do + count=$((count + 1)) + p=$(ps -p ${my_pids[-1]} -o ppid=) + if [[ $p == 0 || ! $p ]]; then + break + fi + my_pids+=($p) + done +} +pid-check() { + get-my-pids + for p in ${pids}; do + for m in ${my_pids[@]}; do + if (( p == m )); then + echo "$0: error: pids to kill includes our pid or a parent. ps output:" >&2 + ps -f -p $p + exit 1 + fi + done + done +} +kill-dir() { + for sig; do + echo kill-dir $sig + found_pids=false + if pids=$(timeout 4 lsof -t $dir); then + found_pids=true + timeout 4 lsof -w $dir + pid-check + kill -$sig $pids + fi + # fuser will find open sockets that lsof won't, for example from gpg-agent. + # note: -v shows kernel processes, which then doesn't return true when we want + if pids=$(timeout 4 fuser -m $dir 2>/dev/null); then + pid-check + found_pids=true + fuser -$sig -mvk $dir + fi + sleep .5 + if ! $found_pids; then + return 0 + fi + done + return 1 +} + +# leaf function. others are just used by this one. +umount-kill() { + dir=$1 + if mountpoint -q $dir; then + if m umount -R $dir; then + unmounted+=($dir) + else + if ! kill-dir TERM TERM TERM INT INT HUP HUP TERM TERM TERM INT INT HUP HUP; then + if $force; then kill-dir KILL; fi + fi + + if m umount -R $dir; then + unmounted+=($dir) + else + echo "$0: failed to umount $dir" + umount_ret=false + ret=1 + fi + fi + fi +} diff --git a/i3-sway/common.conf b/i3-sway/common.conf index bb92fe5..c66b238 100644 --- a/i3-sway/common.conf +++ b/i3-sway/common.conf 
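Review bot: The file documents itself only as `# meant to be sourced`, yet its functions communicate entirely through undeclared globals: `umount-kill` reads `force` and writes `dir`, `unmounted`, `umount_ret` and `ret`; `kill-dir` reads `dir` and writes `pids` and `found_pids`; `get-my-pids` writes `my_pids`, `count`, `loop_limit` and `p`; and `pid-check` calls `exit 1`, which terminates the sourcing script rather than returning. A header comment listing which variables each function expects to be set and which it sets or appends to, plus a line noting that `pid-check` exits the whole script when a PID to kill is our own or an ancestor, would let a caller other than mount-latest-subvol use this without reading all four bodies. The `force` dependency is also a safety hazard now that it is out of line with where `force` is assigned: if a caller sources this without setting it, `if $force; then kill-dir KILL; fi` expands to an empty command, which succeeds, so SIGKILL is sent by default; `if ${force:-false}; then kill-dir KILL; fi` makes the unset case the conservative one. The `m()` fallback puts `$0` into the printf format string, so a script path containing `%` would be misparsed; `printf '%s:%s %s\n' "$0" "${SSH_CLIENT:+ $HOSTNAME:}" "$*"` avoids that.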
@@ -30,7 +30,7 @@ bindsym $mod+2 $ex "i3-split-maybe"; exec "pavucontrol" # it suddenly started working again. #bindsym $mod+3 exec "abrowser 2>&1 >/tmp/l" #bindsym $mod+3 exec "abrowser -no-remote -P sfw" -bindsym $mod+4 $ex "i3-split-maybe"; exec "abrowser -no-remote -P firefox-main-profile" +bindsym $mod+4 $ex "i3-abrowser -no-remote -P firefox-main-profile" bindsym $mod+5 $ex "/a/bin/ds/stream-interlude" bindsym $mod+6 $ex "i3-split-maybe"; exec "/usr/local/bin/start-tor-browser" bindsym $mod+7 $ex "/a/bin/ds/myx" @@ -63,6 +63,8 @@ bindsym $mod+e $ex "i3-emacs" #bindsym $mod+shift+e bindsym $mod+r $ex "/a/bin/ds/xl" +bindsym $mod+backslash $ex "gnome-screenshot" + bindsym $mod+t $ex "i3-set-layout splitv" bindsym $mod+g $ex "i3-set-layout tabbed" @@ -100,7 +102,7 @@ bindsym $mod+s workspace 4 bindsym $mod+Shift+d move container to workspace 3 bindsym $mod+d workspace 3 -bindsym $mod+Shift+fq move container to workspace 2 +bindsym $mod+Shift+f move container to workspace 2 bindsym $mod+f workspace 2 bindsym $mod+Shift+z move container to workspace 5 diff --git a/machine_specific/li/filesystem/etc/openvpn/client-config-hole/so b/machine_specific/li/filesystem/etc/openvpn/client-config-hole/so index 0ba69f2..bfad767 100644 --- a/machine_specific/li/filesystem/etc/openvpn/client-config-hole/so +++ b/machine_specific/li/filesystem/etc/openvpn/client-config-hole/so @@ -1 +1 @@ -ifconfig-push 10.5.5.3 255.255.255.0 +ifconfig-push 10.5.5.7 255.255.255.0 diff --git a/machine_specific/li/filesystem/etc/openvpn/client-config-hole/sy b/machine_specific/li/filesystem/etc/openvpn/client-config-hole/sy deleted file mode 100644 index bfad767..0000000 --- a/machine_specific/li/filesystem/etc/openvpn/client-config-hole/sy +++ /dev/null @@ -1 +0,0 @@ -ifconfig-push 10.5.5.7 255.255.255.0 
diff --git a/machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service index dae65d4..f85639d 100644 --- a/machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service +++ b/machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service @@ -24,10 +24,10 @@ LimitNPROC=10 # we use .1 to make this be on a different network than kd, so that we can # talk to transmission on kd from remote host, and still use this # vpn. -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i +ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules # allow wireguard network to connect -ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.3.1 dev veth1-client +ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i PrivateNetwork=true BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind diff --git a/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service deleted file mode 100644 index f85639d..0000000 --- a/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service +++ /dev/null 
@@ -1,36 +0,0 @@ -[Unit] -Description=OpenVPN tunnel for %I -After=syslog.target network-online.target -Wants=network-online.target -Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage -Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO -Requires=iptables.service - -[Service] -Type=notify -RuntimeDirectory=openvpn-client -RuntimeDirectoryMode=0710 -WorkingDirectory=/etc/openvpn/client -ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf -# todo, try reenabling this from the default openvpn, -# it was disabled so we could do bind mounts as a command, -# but now systemd handles it -#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE -LimitNPROC=10 -# DeviceAllow=/dev/null rw -# DeviceAllow=/dev/net/tun rw - -# we use .1 to make this be on a different network than kd, so that we can -# talk to transmission on kd from remote host, and still use this -# vpn. -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i -ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules -# allow wireguard network to connect -ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client -ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i -PrivateNetwork=true -BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind - -[Install] -WantedBy=multi-user.target diff --git a/myx b/myx index 24beac5..d1cf563 100755 --- a/myx +++ b/myx 
@@ -106,10 +106,10 @@ if [[ $secondary_out ]]; then x_offset=$primary_x left_right_arg=--right-of - # This one is temporarily on the left. uncomment and move into conditional - # when it isn't anymore. - # [[ $secondary_out == DP-1 && $(edid card1-DP-1 ) == f3364bc6c1 ]] + # dp-1 moves from left to right sometimes, i just move it out of the + # conditional and comment it as needed. if [[ $secondary_out == HDMI2 && $(edid card0-HDMI-A-2) == 192efbdcef ]] || \ + [[ $secondary_out == DP-1 && $(edid card1-DP-1 ) == f3364bc6c1 ]] || \ [[ $secondary_out == HDMI-1 && $(edid card1-HDMI-A-1 ) == 7c58f9ac1e ]] || \ [[ $secondary_out == DP-2 && $(edid card1-DP-2 ) == 0c35564b67 ]]; then left_right_arg=--left-of diff --git a/pkgs b/pkgs index e2d35b3..f3c66c4 100644 --- a/pkgs +++ b/pkgs @@ -127,6 +127,9 @@ p3=( debconf-doc devscripts dillo + digikam + # used by digikam for icons + breeze-icon-theme dirmngr dos2unix dosfstools @@ -306,6 +309,8 @@ p3=( units uuid-runtime vlc + # vlc stdout complains that it doesn't find a file from this package. + libvdpau-va-gl1 wamerican-huge wireless-tools w3m diff --git a/rshiank b/rshiank deleted file mode 100755 index dd0fea4..0000000 --- a/rshiank +++ /dev/null 
@@ -1,45 +0,0 @@ -#!/bin/bash -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - -# restricted ssh does not allow arguments, but they exist in $SSH_ORIGINAL_COMMAND -# debug -dfile=/tmp/rshiank -date >>$dfile -echo SSH_ORIGINAL_COMMAND: $SSH_ORIGINAL_COMMAND >>$dfile - -if [[ ! $SSH_ORIGINAL_COMMAND ]]; then - echo "no SSH_ORIGINAL_COMMAND" >&2 - exit 1 -fi - -mapfile -t cmds <<'EOF' -# allow rsyncing into my ~/tmp -rsync --server -re.iLsfxCIvu --log-format=X --partial . /home/iank/tmp -EOF -mapfile -t regex_cmds <<'EOF' -EOF - -allow=false -for c in "${regex_cmds[@]}"; do - if [[ $c == \#* ]]; then continue; fi - if [[ $SSH_ORIGINAL_COMMAND =~ $c ]]; then - allow=true - break - fi -done -if ! $allow; then - for c in "${cmds[@]}"; do - # echo "c $c" # debug - if [[ $c == \#* ]]; then continue; fi - if [[ $SSH_ORIGINAL_COMMAND == "$c" ]]; then - allow=true - break - fi - done -fi -if $allow; then - eval $SSH_ORIGINAL_COMMAND || exit $? -else - echo "rshiank: failed command: $SSH_ORIGINAL_COMMAND" | tee -a $dfile -fi diff --git a/subdir_files/.config/mpv/mpv.conf b/subdir_files/.config/mpv/mpv.conf index 9af96a3..c84a332 100644 --- a/subdir_files/.config/mpv/mpv.conf +++ b/subdir_files/.config/mpv/mpv.conf @@ -7,6 +7,13 @@ volume=50 player-operation-mode=pseudo-gui replaygain=track +# by default mpv does not hardware decode, but the distro package has +# /etc/mpv/mpv.conf : hwdec=vaapi that makes android videos black and +# white on one of my computers. vlc uses this library, which works on +# that computer, so going with that for now. This config file overrides +# the /etc one. +hwdec=vdpau + # use --profile d [d] loop-file=inf -- 2.30.2