From 83d44c57a6aa6e1e8b4cb3c46ce65e4eaa2cbc6a Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Mon, 7 Oct 2024 13:50:32 -0400 Subject: [PATCH] various fixes --- brc | 7 +++- brc2 | 15 ++++---- distro-end | 37 ++++++------------- .../etc/apparmor.d/local/transmission-daemon | 2 + .../etc/systemd/system/navidrome.service | 2 +- .../system/transmission-daemon-nn.service | 12 +++++- filesystem/usr/local/bin/switch-mail-host | 2 +- pkgs | 3 ++ 8 files changed, 42 insertions(+), 38 deletions(-) create mode 100644 filesystem/etc/apparmor.d/local/transmission-daemon diff --git a/brc b/brc index 97f5c34..a00bb8d 100644 --- a/brc +++ b/brc @@ -2813,7 +2813,7 @@ serj() { tmpstr=$(jobs 2>/dev/null) mapfile -t jobs_out <<<"$tmpstr" found_job=false - regex="^[^[:space:]]+[[:space:]]+Running[[:space:]]+ journalctl --since=now -qn2 -f -u $service &" + regex="^[^[:space:]]+[[:space:]]+Running[[:space:]]+journalctl --since=now -qn2 -f -u $service &" for line in "${jobs_out[@]}"; do if [[ $line =~ $regex ]]; then found_job=true @@ -2821,7 +2821,10 @@ serj() { done if ! $found_job; then - journalctl --since=now -qn2 -f -u "$service" & + # without eval, jobs output will include literal "$service". We + # could match that, but then we can run serj on different services + # in the same terminal. + eval "journalctl --since=now -qn2 -f -u $service &" sleep 3 fi if [[ $EUID == 0 ]]; then diff --git a/brc2 b/brc2 index 8379eab..ce21d4f 100644 --- a/brc2 +++ b/brc2 @@ -270,9 +270,8 @@ mkschroot() { esac done n=$1 - shift - codename=$1 - shift + codename=$2 + shift 2 case $codename in aramo|ecne|nabia|etiona) @@ -286,9 +285,11 @@ mkschroot() { ;; esac - if ! $force && schroot -l | grep -xFq chroot:$n; then - echo "$0: $n schroot already installed, skipping" - return 0 + if ! $force; then + if schroot -l | grep -xFq chroot:$n || [[ -s /etc/schroot/chroot.d/$n.conf ]]; then + echo "$0: $n schroot already exists, skipping" + return 0 + fi fi apps=($@) if [[ ! $d ]]; then 
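Review bot: The added `eval "journalctl --since=now -qn2 -f -u $service &"` in the `if ! $found_job` branch re-parses `$service` as shell code, so a value containing whitespace, `;` or `$(...)` would be executed instead of being passed to journalctl as one argument. Quoting it first keeps the `jobs` text unchanged for ordinary unit names: `printf -v service_q %q "$service"` followed by `eval "journalctl --since=now -qn2 -f -u $service_q &"`. The same value is spliced into `regex` in the preceding hunk, where the `.` in a name such as `foo.service` matches any character; that is harmless here but deserves a short comment. serj's body starts and ends outside both hunks, so where `$service` is set is not visible.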
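Review bot: `shift 2` in mkschroot fails without shifting anything when fewer than two positional arguments remain, whereas the two single `shift`s it replaces still consumed the first one. In that case `$1` stays in place and the later `apps=($@)` would treat the chroot name as a package, unless the `case $codename` arm outside this hunk already rejects an empty codename. An explicit guard before the assignments makes the failure visible, for example `(( $# >= 2 )) || { echo "$0: expected NAME CODENAME" >&2; return 1; }`.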
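Review bot: `grep -xFq chroot:$n` in the new nested `if` leaves `$n` unquoted, so a name containing whitespace or glob characters is split or expanded before grep receives it and the exact-line match silently checks something else. Writing it as `grep -xFq -- "chroot:$n"` keeps the existence test reliable; the `[[ -s /etc/schroot/chroot.d/$n.conf ]]` half is safe as written because `[[ ]]` does not word-split. The context line `apps=($@)` has the same splitting problem and would be `apps=("$@")`, though it is not part of this change.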
@@ -5189,7 +5190,7 @@ gwentmp() { chro-pull() { local pull_host="$1" scp -ra --delete iank@$pull_host:.config/chromium /home/iank/.config - } +} export BASEFILE_DIR=/a/bin/fai-basefiles diff --git a/distro-end b/distro-end index 4ab5b46..a0fcf88 100755 --- a/distro-end +++ b/distro-end @@ -1554,7 +1554,14 @@ case $HOSTNAME in $d_host) # to persist upload/dl metadata. initially, moved all the stuff # in /var/lib/transmission-daemon to /d/tor - s usermod --home /d/tor debian-transmission + + transmission_home=$(eval echo ~debian-transmission) + if [[ $transmission_home != /d/tor ]]; then + if ser is-active transmission-daemon-nn &>/dev/null; then + ser stop transmission-daemon-nn + fi + s usermod --home /d/tor debian-transmission + fi sgo transmission-daemon-nn ;; *) @@ -1602,6 +1609,7 @@ EOF fi d=$f/.config/transmission-remote-gtk sudo -u $u mkdir -p $d + d_host_suffix=$(awk '$2 == "'$d_host'" {print $1}' /p/c/host-info) # i tried setting hostname to transmission.b8.nz, so i could dynamically change where # this connects to, but it said some 421 denied error when I did that. Then it # froze X when i ran it under strace. Whatever. @@ -1610,7 +1618,7 @@ EOF "profiles" : [ { "profile-name" : "Default", - "hostname" : "10.174.2.2", + "hostname" : "10.174.$d_host_suffix.2", "rpc-url-path" : "/transmission/rpc", "username" : "", "password" : "$rpc_pass", @@ -1977,8 +1985,8 @@ fi case $HOSTNAME in $d_host) # Font awesome is needed for the alertmanager ui. - pi prometheus-alertmanager prometheus fonts-font-awesome - /a/f/ans/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus + pi prometheus-blackbox-exporter prometheus-alertmanager prometheus fonts-font-awesome + s /a/f/ans/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus # make it available for other machines rsync -a /usr/local/bin/amtool /a/opt/bin 
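Review bot: `transmission_home=$(eval echo ~debian-transmission)` does not need `eval`, since tilde expansion with a literal user name already happens without it, and keeping `eval` invites copying the pattern with a variable user name later. If the account does not exist, the result is the literal string `~debian-transmission`, which still differs from `/d/tor` and falls through to `usermod`. Reading the passwd entry avoids both problems: `transmission_home=$(getent passwd debian-transmission | cut -d: -f6)`. The enclosing `case $HOSTNAME` block starts and ends outside the hunk.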
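Review bot: `d_host_suffix=$(awk '$2 == "'$d_host'" {print $1}' /p/c/host-info)` pastes an unquoted shell variable into the awk program text, and nothing checks the result before the next hunk writes it into `"hostname" : "10.174.$d_host_suffix.2"`. A missing or duplicated entry in host-info would yield an address such as `10.174..2` in the client profile without any error. Passing the value as data and validating it covers both: `d_host_suffix=$(awk -v h="$d_host" '$2 == h {print $1}' /p/c/host-info)` then `[[ $d_host_suffix =~ ^[0-9]+$ ]] || { echo "$0: no host-info entry for $d_host" >&2; exit 1; }`.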
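Review bot: `s /a/f/ans/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus` now runs a script from a path under `/a/f` with elevated privileges, assuming `s` is the sudo wrapper it appears to be elsewhere in this file. If that tree is a working checkout writable by an unprivileged account, whoever can modify it controls what runs as root on `$d_host`. A comment stating the ownership expectation would document the trust boundary, for example `# runs as root: /a/f/ans must only be writable by root or the admin user`. Alternatively the script could be installed into a root-owned location before it is invoked.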
@@ -2202,27 +2210,6 @@ EOF # Remove dep that came in with desktop to fix associations. m pu transmission-gtk -f=/home/iank/Videos -case $HOSTNAME in - $d_host) - if [[ ! -L $f || $(readlink $f) != /d/vidshare ]]; then - fs=($f/*) - if (( ${#fs[@]} >= 1 )); then - echo "$0: I wanted to make a link $f -> /d/vidshare, but $f is not empty. Please do something with its contents. ll $f:" - ll $f - exit 1 - fi - lnf -T /d/vidshare $f - fi - ;; - *) - if [[ -L $f && $(readlink $f) == /d/vidshare ]]; then - rm -f $f - mkdir $f - fi - ;; -esac - # # Based on guix manual instructions, also added code to profile. # # disabled since i'm not using it now. # pi nscd diff --git a/filesystem/etc/apparmor.d/local/transmission-daemon b/filesystem/etc/apparmor.d/local/transmission-daemon new file mode 100644 index 0000000..ca4a68a --- /dev/null +++ b/filesystem/etc/apparmor.d/local/transmission-daemon @@ -0,0 +1,2 @@ +owner /d/tor/** rw, +owner /nocow/user/tor/** rw, diff --git a/filesystem/etc/systemd/system/navidrome.service b/filesystem/etc/systemd/system/navidrome.service index a638231..e51224b 100644 --- a/filesystem/etc/systemd/system/navidrome.service +++ b/filesystem/etc/systemd/system/navidrome.service @@ -10,7 +10,7 @@ WantedBy=multi-user.target User=iank Group=iank Type=simple -ExecStart=/i/navidrome/navidrome --configfile "/i/navidrome/navidrome.toml" +ExecStart=/i/navidrome/navidrome --nobanner --configfile "/i/navidrome/navidrome.toml" WorkingDirectory=/i/navidrome TimeoutStopSec=20 KillMode=process diff --git a/filesystem/etc/systemd/system/transmission-daemon-nn.service b/filesystem/etc/systemd/system/transmission-daemon-nn.service index 0d0cd40..0843fc2 100644 --- a/filesystem/etc/systemd/system/transmission-daemon-nn.service +++ b/filesystem/etc/systemd/system/transmission-daemon-nn.service 
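Review bot: The new `local/transmission-daemon` override has no comment explaining why these two trees are opened up, which makes stale rules hard to spot later. A header such as `# transmission home is /d/tor (set by distro-end via usermod --home); /nocow/user/tor holds <purpose>` would tie the file to the rest of the commit. Note also that `/d/tor/**` covers entries beneath the directory but not `/d/tor/` itself, so if the daemon needs to list the top-level directory a separate `owner /d/tor/ r,` rule would be required. The `owner` qualifier is a good restriction and should stay.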
@@ -7,13 +7,21 @@ JoinsNamespaceOf=openvpn-client-tr@client.service [Service] User=debian-transmission -Type=notify +# The default is broken due to apparmor it seems +# https://github.com/transmission/transmission/issues/6991 +#Type=notify +Type=simple ExecStart=/usr/bin/transmission-daemon -f --log-error ExecReload=/bin/kill -s HUP $MAINPID -ExecStop=/bin/kill -s STOP $MAINPID PrivateNetwork=true Nice=19 BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind + +NoNewPrivileges=true +MemoryDenyWriteExecute=true +ProtectSystem=true +PrivateTmp=true + [Install] WantedBy=multi-user.target diff --git a/filesystem/usr/local/bin/switch-mail-host b/filesystem/usr/local/bin/switch-mail-host index 58a84a7..7165acf 100755 --- a/filesystem/usr/local/bin/switch-mail-host +++ b/filesystem/usr/local/bin/switch-mail-host @@ -312,7 +312,7 @@ if ! $mail_only; then # Try to prevent emacs from saving stale data it has in memory to disk. eg: files, recentf list, etc. # But if emacs ignores the signal, let it live. -pkill -xf 'emacs( --daemon| -f znc-all)' ||: +pkill -xf 'emacs --daemon' ||: if [[ -e /p/profanity-here ]]; then systemctl disable --now profanity diff --git a/pkgs b/pkgs index 36281ce..dc10690 100644 --- a/pkgs +++ b/pkgs @@ -139,6 +139,8 @@ p3=( duplicity elinks evince + # used by digikam, it complains in stdout if its not there. + exiftool exim4-doc-html exfat-fuse # was exfat-utils before aramo @@ -282,6 +284,7 @@ p3=( rygel sakura schroot + secure-delete shellcheck # for sig2dot signing-party -- 2.30.2
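Review bot: `ProtectSystem=true` in the added hardening block only makes `/usr` and the boot directories read-only, so `/etc` and the rest of the filesystem stay writable wherever file permissions allow. Since this commit's AppArmor override suggests the daemon only needs to write under `/d/tor` and `/nocow/user/tor`, the unit could use `ProtectSystem=strict` together with `ReadWritePaths=/d/tor /nocow/user/tor`, plus any other state directory the daemon turns out to need. That makes the systemd sandbox and the AppArmor profile agree on the writable set instead of relying on one layer alone.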
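Review bot: `pkill -xf 'emacs --daemon'` only matches a process whose full command line is exactly that string, because `-x` combined with `-f` anchors the pattern at both ends. A daemon started through an absolute path or with `--daemon=NAME` or `--fg-daemon` would be skipped, and the trailing `||:` hides the miss, so stale buffers could still be written after the switch. If those launch forms are possible on these hosts, a pattern like `pkill -f '(^|/)emacs .*--(fg-)?daemon'` is more tolerant; adding `-u "$USER"` or the intended account would also stop it touching other users' sessions when run as root. The surrounding `if ! $mail_only` block starts and ends outside the hunk.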
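Review bot: `secure-delete` is added to `p3` without a comment, unlike the `exiftool` entry in the previous hunk, and its guarantees are easy to overestimate. In-place overwriting does not reliably destroy data on copy-on-write filesystems, snapshots or SSDs, and the `/nocow` path elsewhere in this commit hints that such a filesystem may be in use. A comment above the entry would record the caveat: `# overwrite is not reliable on cow filesystems/snapshots or ssds; rely on disk encryption for those`.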