From 63c4fc7fdbfd916bc2b3eeb918552db221a1f64a Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Sun, 15 Feb 2026 18:37:07 -0500
Subject: [PATCH] bunch of fixes

---
 brc2                                          |  18 +-
 brc3                                          |   2 +-
 distro-end                                    |   8 +-
 filesystem/usr/local/bin/prof                 |   3 +-
 filesystem/usr/local/bin/prof-tail            |   2 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 .../etc/systemd/system/wg-quick-tr@.service   |   6 +-
 mail-setup                                    | 165 ++++++------------
 mailtest-check                                |   8 +
 16 files changed, 88 insertions(+), 172 deletions(-)

diff --git a/brc2 b/brc2
index ee7940d..293b50f 100644
--- a/brc2
+++ b/brc2
@@ -1185,7 +1185,7 @@ lipush() {
     /p/c/subdir_files/eggdrop/eggdrop-fsysbot.conf
     /p/c/subdir_files
   )
-  a="-ahviSAXPH --specials --devices --delete --relative --exclude-from=/p/c/li-rsync-excludes"
+  a="-ahviSAXPH --specials --devices --delete --delete-excluded --relative --exclude-from=/p/c/li-rsync-excludes"
   ret=0
   for h in li je bk; do
     m s rsync "$@" $a ${p[@]} /p/c/machine_specific/$h root@$h.b8.nz:/
@@ -2086,7 +2086,7 @@ host-info-all() {
 
   bindpushb8
   # for wireguard configs
-  ssh iank@li.b8.nz "conflink; ser reload wg-quick@wgmail"
+  ssh iank@li.b8.nz "conflink; ser reload wg-quick-mail"
   wrt-setup
 }
 
@@ -2227,7 +2227,7 @@ EOF
   local host ipsuf f files
 
   # shellcheck disable=SC2016 # shellcheck doesnt know this is sed
-  sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf
+  sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/mail.conf
 
   for host in ${!vpn_ips[@]}; do
     if [[ ${root_hosts_a[$host]} ]]; then
@@ -2247,9 +2247,8 @@ Description=Initial setup of netns for wg-quick-tr %I
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.$ipsuf start %i
-# no need to stop
-#ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns/newns -n 10.174.$ipsuf start %i
+ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns/newns stop %i
 RemainAfterExit=yes
 
 [Install]
@@ -2261,7 +2260,6 @@ EOF
 Description=WireGuard via wg-quick(8) for %I
 After=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
 Wants=network-online.target nss-lookup.target wg-quick-tr-pre@%i.service
-PartOf=wg-quick.target
 Documentation=man:wg-quick(8)
 Documentation=man:wg(8)
 
@@ -2276,6 +2274,8 @@ ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.$ipsuf.1 dev veth1-client
 NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
+# copied from wg-quick@.service
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
 
 [Install]
 WantedBy=multi-user.target
@@ -2292,7 +2292,7 @@ EOF
 PublicKey = $(cat /p/c/machine_specific/$host/filesystem/etc/wireguard/hole-pub.key)
 AllowedIPs = 10.8.0.$ipsuf/32,10.174.${vpn_ips[$host]}.2/32
 EOF
-  done | cedit /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf || [[ $? == 1 ]]
+  done | cedit /p/c/machine_specific/li/filesystem/etc/wireguard/mail.conf || [[ $? == 1 ]]
 
   {
     echo "cat <<EOF"
@@ -2511,7 +2511,7 @@ Address = 10.8.0.$ipsuf/24
 PostUp = ping -w10 -c1 10.8.0.1 ||:
 
 [Peer]
-# li. called wgmail on that server
+# li. called mail on that server
 PublicKey = CTFsje45qLAU44AbX71Vo+xFJ6rt7Cu6+vdMGyWjBjU=
 AllowedIPs = 10.8.0.0/24$vpn_allowed$extrahost
 Endpoint = 72.14.176.105:1194
diff --git a/brc3 b/brc3
index abfc453..d6ba3c6 100644
--- a/brc3
+++ b/brc3
@@ -33,7 +33,7 @@ ecne-noble-get-missing() {
   noble=$(echo ${prefix}ubuntu.com_ubuntu_dists_noble{,-security,-updates}_{main,universe}_binary-amd64_Packages)
   ecne=$(echo ${prefix}trisquel.org_trisquel_dists_ecne{,-updates,-security}_main_binary-amd64_Packages)
   test-ecne-noble-package-lists-exist
-  u24_kernel_pkgs="virtual|oem|image|generic|firmware|aws|azure|buildinfo|cloud|gcp|gke|headers|hwe|ibm|lowlatency|modules|nvidia|riscv|tools|intel|oracle|lib-rust"
+  u24_kernel_pkgs="virtual|oem|image|generic|firmware|aws|azure|buildinfo|cloud|gcp|gke|headers|hwe|ibm|lowlatency|modules|nvidia|signatures-nvidia|riscv|tools|intel|oracle|lib-rust|xilinx|realtime"
   for dist in ecne noble; do
     # shellcheck disable=SC2094 # false positive
     {
diff --git a/distro-end b/distro-end
index daf16f6..183f1b9 100755
--- a/distro-end
+++ b/distro-end
@@ -337,7 +337,7 @@ EOF
     ;;&
 
   bk)
-    sgo wg-quick@wgmail
+    sgo wg-quick-mail
 
     # i just dont feel like setting up a special purpose ssh key to do this automatically.
     end_msg <<'EOF'
@@ -461,11 +461,7 @@ EOF
     # needed for li's local mail delivery.
     tu /etc/hosts <<<"10.8.0.4 mx.iankelling.org"
 
-    # wgmail handles this.
-    #sgo vpn-mail-forward.service
-    # old:
-    #sgo openvpn-server@mail
-    sgo wg-quick@wgmail
+    sgo wg-quick-mail
 
     # setup let's encrypt cert
     m web-conf apache2 mail.iankelling.org
diff --git a/filesystem/usr/local/bin/prof b/filesystem/usr/local/bin/prof
index 601942f..e28fc62 100755
--- a/filesystem/usr/local/bin/prof
+++ b/filesystem/usr/local/bin/prof
@@ -41,6 +41,7 @@ if $dossh; then
   export IANK_BASHRC_RUN="prof-remote $remote"
   konsole --profile profanity
 else
-  prof-tail |& ts "%F %T" | tee -a /home/iank/.local/prof-tail.log &
+  # output will go to ~/.xsession-errors
+  prof-tail |& ts "%F %T" &
   konsole --profile profanity -e tmux -L profanity a
 fi
diff --git a/filesystem/usr/local/bin/prof-tail b/filesystem/usr/local/bin/prof-tail
index 061f542..a59f48e 100755
--- a/filesystem/usr/local/bin/prof-tail
+++ b/filesystem/usr/local/bin/prof-tail
@@ -127,7 +127,7 @@ while true; do
   if $remote; then
     tail-cmd
   else
-    tail-cmd | while :; do read -r l; notify-cmd "$l"; done
+    tail-cmd | while read -r l 2>/dev/null; do notify-cmd "$l"; done
   fi
 
   if (( loop_start >= EPOCH_SECONDS - 1 )); then
diff --git a/machine_specific/bo/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/bo/filesystem/etc/systemd/system/wg-quick-tr@.service
index fb0203d..0532d94 100644
--- a/machine_specific/bo/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/bo/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.29 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.29.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.29.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/frodo/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/frodo/filesystem/etc/systemd/system/wg-quick-tr@.service
index db8187c..d6fb761 100644
--- a/machine_specific/frodo/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/frodo/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.34.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.34.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/kd/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/kd/filesystem/etc/systemd/system/wg-quick-tr@.service
index 8e56179..3f49e0a 100644
--- a/machine_specific/kd/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/kd/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.2 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.2.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.2.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/librestation01/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/librestation01/filesystem/etc/systemd/system/wg-quick-tr@.service
index 30ef28d..c1816c6 100644
--- a/machine_specific/librestation01/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/librestation01/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.97 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.97.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.97.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/librestation03/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/librestation03/filesystem/etc/systemd/system/wg-quick-tr@.service
index a4f299c..a05093e 100644
--- a/machine_specific/librestation03/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/librestation03/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.99 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.99.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.99.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/so/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/so/filesystem/etc/systemd/system/wg-quick-tr@.service
index 70c583a..3542536 100644
--- a/machine_specific/so/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/so/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.3.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.3.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/sy/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/sy/filesystem/etc/systemd/system/wg-quick-tr@.service
index 9c7b876..9902ad7 100644
--- a/machine_specific/sy/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/sy/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.7.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/x2/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/x2/filesystem/etc/systemd/system/wg-quick-tr@.service
index 64e0d95..1541fba 100644
--- a/machine_specific/x2/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/x2/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.28.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.28.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/machine_specific/x3/filesystem/etc/systemd/system/wg-quick-tr@.service b/machine_specific/x3/filesystem/etc/systemd/system/wg-quick-tr@.service
index 2bf60cd..659fa17 100644
--- a/machine_specific/x3/filesystem/etc/systemd/system/wg-quick-tr@.service
+++ b/machine_specific/x3/filesystem/etc/systemd/system/wg-quick-tr@.service
@@ -9,17 +9,13 @@ Documentation=man:wg(8)
 [Service]
 Type=simple
 ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf %i <(exec /usr/bin/wg-quick strip %i)'
-#ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.8 start %i
 ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
 ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.8.1 dev veth1-client
-# normal wg-quick has these as ExecStart and ExecStop
 ExecStartPre=/usr/bin/wg-quick up %i
 ExecStart=/bin/sleep infinity
 ExecStopPost=/usr/bin/wg-quick down %i
 ExecStopPost=/usr/sbin/ip r del 10.8.0.0/24 via 10.174.8.1 dev veth1-client
-#ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-#PrivateNetwork=true
-NetworkNamespacePath=/var/run/netns/client
+NetworkNamespacePath=/var/run/netns/%i
 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
 
 [Install]
diff --git a/mail-setup b/mail-setup
index 8ded245..c9482ad 100755
--- a/mail-setup
+++ b/mail-setup
@@ -749,8 +749,6 @@ EOF
 # and
 
 
-vpnser=wg-quick@wgmail.service
-
 case $HOSTNAME in
   $MAIL_HOST)
     rsync -aiSAX --chown=root:root --chmod=g-s /p/c/filesystem/etc/wireguard/ /etc/wireguard
@@ -770,69 +768,41 @@ esac
 case $HOSTNAME in
   li) : ;;
   *)
-    u /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
+    u /etc/systemd/system/wg-quick-mail.service <<EOF
 [Unit]
-Requires=mailnn.service
-BindsTo=mailnn.service
-StartLimitIntervalSec=0
+Description=WireGuard in a netns and other mail specific configs
+After=network.target wg-quick-mail-pre.service
+Wants=network.target wg-quick-mail-pre.service
 
 [Service]
+Type=simple
+ExecReload=/bin/bash -c 'exec /usr/bin/wg syncconf mail <(exec /usr/bin/wg-quick strip mail)'
+ExecStartPre=/usr/bin/wg-quick up mail
+ExecStart=/bin/sleep infinity
+ExecStopPost=/usr/bin/wg-quick down mail
 NetworkNamespacePath=/var/run/netns/mail
-# i dont think we need any of these, but it doesnt hurt to stay consistent
 BindPaths=$bindpaths
-
+# copied from wg-quick@.service
+Environment=WG_ENDPOINT_RESOLUTION_RETRIES=infinity
 Restart=on-failure
 RestartSec=20
-EOF
-    ;;
-esac
-
-
-# https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
-u /etc/systemd/system/mailvpn.service <<EOF
-[Unit]
-Description=OpenVPN tunnel for mail
-After=syslog.target network-online.target mailnn.service
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-# needed to continually restatr
-BindsTo=mailnn.service
-StartLimitIntervalSec=0
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-NetworkNamespacePath=/var/run/netns/mail
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/mail.conf
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-# in the network namespace, we cant connect to systemd-resolved on 127.0.0.53,
-# because of
-# https://unix.stackexchange.com/questions/445782/how-to-allow-systemd-resolved-to-listen-to-an-interface-other-than-loopback
-# there is a workaround there, but i dont think its really worth it,
-# the mail server is fine with a static dns anyways.
-# This thread is also interesting,
-# https://github.com/slingamn/namespaced-openvpn/issues/7
-# todo: the iptables rule at the bottom could be useful to prevent
-# dns from leaking in my network namespaced vpn.
-# I also like the idea of patching systemd-resolved so it
-# will listen on other interfaces, but its not worth my time.
-BindPaths=$bindpaths
-Restart=always
-# time to sleep before restarting a service
-RestartSec=20
 
 [Install]
 WantedBy=multi-user.target
+
 EOF
+    ;;
+esac
 
-u /etc/systemd/system/mailnnroute.service <<'EOF'
+## openvpn based config and overly complex wireguard.
+rm -f /etc/systemd/system/mailvpn.service
+for s in mailnn mailnnroute; do
+  soff $s
+  rm -fr /etc/systemd/system/$s.service /etc/systemd/system/$s.service.d
+done
+rm -f /etc/wireguard/wgmail.conf
+
+u /etc/systemd/system/wg-quick-mail-pre.service <<'EOF'
 [Unit]
 Description=Initial setup of mail netns
 After=network.target
@@ -842,34 +812,8 @@ StartLimitIntervalSec=0
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
-ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
-Restart=always
-RestartSec=20
-
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-u /etc/systemd/system/mailnn.service <<'EOF'
-[Unit]
-Description=Network Namespace for mail vpn service that will live forever and cant fail
-# These are the same as unbound.service, plus mailnnroute, except no wants=, which seems
-# to me could only make it run earlier, not later. Note, that if we had an
-# After= for a later target
-# than nss-lookup, systemd would just ignore unbound's After=mailnn.service and
-# start it first. It seems logically, that we should not need the Before= here,
-# but I'm not confident that systemd would do something unexpected and still start
-# unbound earlier than this.
-After=network.target mailnnroute.service
-Wants=mailnnroute.service
-Before=nss-lookup.target
-
-[Service]
-Type=simple
-ExecStart=/bin/sleep infinity
-NetworkNamespacePath=/var/run/netns/mail
+ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns -n 10.173.8 start mail
+ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /usr/local/bin/newns -n 10.173.8 stop mail
 
 [Install]
 WantedBy=multi-user.target
@@ -893,11 +837,11 @@ u /etc/systemd/system/mailbindwatchdog.service <<EOF
 [Unit]
 Description=Watchdog to restart services relying on systemd-resolved dir
 After=network.target
-BindsTo=mailnn.service
+BindsTo=wg-quick-mail.service
 
 [Service]
 Type=simple
-ExecStart=/usr/local/bin/mailbindwatchdog $vpnser ${nn_progs[@]} unbound.service radicale.service
+ExecStart=/usr/local/bin/mailbindwatchdog wg-quick-mail.service ${nn_progs[@]} unbound.service radicale.service
 Restart=always
 # time to sleep before restarting a service
 RestartSec=10
@@ -959,8 +903,8 @@ if ! serverp; then
   # todo, should this be after vpn service?
   u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
 [Unit]
-After=mailnn.service
-BindsTo=mailnn.service
+After=wg-quick-mail.service
+BindsTo=wg-quick-mail.service
 StartLimitIntervalSec=0
 
 [Service]
@@ -1012,9 +956,9 @@ if nn-hostp; then
 # if the vpnser fails to start, this service won't get run at
 # all, even if the vpnser starts on an automatic restart.
 
-Wants=$vpnser
-After=network.target mailnn.service $vpnser
-BindsTo=mailnn.service
+Wants=wg-quick-mail.service
+After=network.target wg-quick-mail.service
+BindsTo=wg-quick-mail.service
 StartLimitIntervalSec=0
 
 [Service]
@@ -1029,11 +973,8 @@ EOF
   done
 fi
 
-# We could do this for all hosts but bk and MAIL_HOST. If we did,
-# then we are get failure in joins-namespace-of-check for unbound
-# and mailnnroute when we switch-mail-host. It is a systemd bug, but
-# I realized I have no reason to run these outside of the network
-# namespace, so I will avoid the bug that way.
+# We could do this for all hosts but bk and MAIL_HOST, but I avoided
+# that due to the systemd bug: todo reconsider.
 
 # for unit in exim4 unbound $spamd_ser $spamd_remove dovecot; do
 #   f=/etc/systemd/system/$unit.service.d/nn.conf
@@ -2231,9 +2172,9 @@ if mailhost; then
   u /etc/systemd/system/radicale.service.d/override.conf <<EOF
 [Unit]
 
-After=network.target network-online.target mailnn.service $vpnser
+After=network.target network-online.target wg-quick-mail.service
 
-Wants=$vpnser
+Wants=wg-quick-mail.service
 StartLimitIntervalSec=0
 
 [Service]
@@ -2245,7 +2186,7 @@ RestartSec=20
 
 [Install]
 # for openvpn
-RequiredBy=$vpnser
+RequiredBy=wg-quick-mail.service
 EOF
 
 
@@ -3742,7 +3683,7 @@ acl_check_rcpt:
   accept
 EOF
     ;;
-  esac
+esac
 
 case $HOSTNAME in
   bk|je)
@@ -3814,6 +3755,7 @@ esac
 # ** exim non-root related setting
 
 case $HOSTNAME in
+  # these should be able to run nonroot, but not bothering.
   je|li)
     # no reason to expect it to ever be there.
     rm -fv /etc/systemd/system/exim4.service.d/nonroot.conf
@@ -3825,6 +3767,10 @@ case $HOSTNAME in
     # note: nonroot settings also exists in
     # /b/ds/filesystem/usr/local/bin/mailbindwatchdog
     run_as_nonroot=true
+    if [[ $HOSTNAME == bk ]]; then
+      # i tried, but t11 still runs init script, which needs to do some root things.
+      run_as_nonroot=false
+    fi
 
     if $run_as_nonroot; then
       owners=$(stat -c %U:%G /usr/sbin/exim4)
@@ -3871,7 +3817,7 @@ case $HOSTNAME in
       fi
     done
     {
-     cat <<EOF
+      cat <<EOF
 [Service]
 # see 56.2 Root privilege in exim spec
 # https://www.redhat.com/sysadmin/mastering-systemd
@@ -3886,8 +3832,6 @@ InaccessiblePaths=${dirs[@]}
 # socket bind() to port 25 for address (any IPv6) failed: Permission denied
 # but we also have to set the file capabilities to avoid the error.
 #NoNewPrivileges=yes
-ProtectSystem=full
-
 # when we get newer systemd
 #ProtectDevices=yes
 
@@ -3897,8 +3841,9 @@ RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 EOF
 
-    if $run_as_nonroot; then
-      cat <<'EOF'
+      if $run_as_nonroot; then
+        cat <<'EOF'
+ProtectSystem=full
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
@@ -3909,7 +3854,7 @@ Group=Debian-exim
 ExecStartPre=
 ExecStartPre=+/usr/sbin/update-exim4.conf $UPEX4OPTS
 EOF
-    fi
+      fi
     } | u /etc/systemd/system/exim4.service.d/nonroot.conf
 
 
@@ -4352,7 +4297,7 @@ EOF
     ;;
   # ** ! MAILHOST
   *)
-# note: this depends on the previous section having ;; vs ;;&
+    # note: this depends on the previous section having ;; vs ;;&
 
     # this router is only hit by je and bk, but it is defined on all hosts for convenience.
     cat >>/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
@@ -4620,6 +4565,9 @@ EOF
     cat >>/etc/nonn-exim4/conf.d/main/000_local <<'EOF'
 MAIN_HARDCODE_PRIMARY_HOSTNAME = mail2.iankelling.org
 EOF
+    # exim4in.service should do this, but it is too easy to start exim4 in the meantime.
+    m update-exim4.conf -d /etc/nonn-exim4
+
     ;;
   $MAIL_HOST)
 
@@ -4650,7 +4598,6 @@ backup_redir:
   errors_to = alerts@iankelling.org
 EOF
 
-    # for bk, we have a exim4in.service that will do this for us.
     m update-exim4.conf -d /etc/nonn-exim4
     ;;
 esac
@@ -4904,8 +4851,8 @@ fi
 case $HOSTNAME in
   $MAIL_HOST|bk)
     # If any of these have config changes, then restart them as needed:
-    # sre mailnn mailnnroute $vpnser
-    son mailnn mailnnroute $vpnser
+    # sre  wg-quick-mail
+    son wg-quick-mail
     ;;&
   $MAIL_HOST)
     # If this service's config changes, add a manual restart here.
@@ -4947,7 +4894,7 @@ esac
 
 ## wip to only restart services that actually need restarting.
 all_units=(
-  mailnn.service mailnnroute.service $vpnser.service
+  wg-quick-mail.service
   unbound.service
   clamav-daemon.service
   dovecot.service $myspam_ser.service mailtest-check.service
@@ -4983,7 +4930,7 @@ case $HOSTNAME in
     soff $spamd_ser clamav-daemon unbound
     ;;
   *)
-    soff radicale mailclean.timer dovecot $spamd_ser $vpnser mailnn clamav-daemon unbound
+    soff radicale mailclean.timer dovecot $spamd_ser wg-quick-mail clamav-daemon unbound
     ;;
 esac
 
diff --git a/mailtest-check b/mailtest-check
index f416acd..eef5e8c 100755
--- a/mailtest-check
+++ b/mailtest-check
@@ -34,6 +34,14 @@
 #set -x
 
 
+## todo: fix negative sleep:
+##
+##mailtest-check: end of spam debug results
+# Feb 15 14:12:21 frodo mailtest-check[68446]: sleep: invalid option -- '6'
+# Feb 15 14:12:21 frodo mailtest-check[68446]: Try 'sleep --help' for more information.
+# Feb 15 14:12:21 frodo mailtest-check[58304]: /usr/local/bin/mailtest-check:457: `sleep $(( 300 - ( EPOCHSECONDS - premain_sec ) ))'
+
+
 [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
 
 source /b/bash-bear-trap/bash-bear
-- 
2.30.2