From b7f0cf45282bfed6c35930a41f59dad57fdc3fcc Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Thu, 15 May 2025 21:56:34 -0400
Subject: [PATCH] avoid reloading systemd when MAIL_HOST changes to hopefully
 avoid joinsnamespaceof bug

---
 mail-setup | 149 +++++++++++++++++++++++++++++++----------------------
 1 file changed, 86 insertions(+), 63 deletions(-)

diff --git a/mail-setup b/mail-setup
index d559f18..3faf0af 100755
--- a/mail-setup
+++ b/mail-setup
@@ -417,6 +417,23 @@ sgo() {
 mailhost() {
   [[ $HOSTNAME == "$MAIL_HOST" ]]
 }
+serverp() {
+  case $HOSTNAME in
+    li|bk|je)
+      return true
+      ;;
+  esac
+  return false
+}
+nn-hostp() {
+  case $HOSTNAME in
+    li|je)
+      return false
+      ;;
+  esac
+  return true
+}
+
 reifactive() {
   local service
   for service; do
@@ -733,6 +750,7 @@ EOF
 # there are no modifications to iptables rules on a succsfull run,
 # and
 
+
 vpnser=wg-quick@wgmail.service
 
 case $HOSTNAME in
@@ -947,12 +965,12 @@ if ! grep -qF "$good_string" $f; then
   fi
 fi
 
-
-
-case $HOSTNAME in
-  $MAIL_HOST)
-    # todo, should this be after vpn service
-    u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
+if ! serverp; then
+  # note: this config is only needed for MAIL_HOST, but it doesn't hurt
+  # and avoids reloading systemd.
+  #
+  # todo, should this be after vpn service?
+  u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
 [Unit]
 After=mailnn.service
 JoinsNamespaceOf=mailnn.service
@@ -969,40 +987,40 @@ BindPaths=$bindpaths
 Restart=always
 RestartSec=20
 EOF
+fi
 
-    # sooo, there are a few ways to get traffic from the mail network
-    # namespace to go over the wghole.
-    #
-    #1: unify the mail vpn and wghole
-    # into 1 network.  this seems simple and logical, so I'm doing it.
-    # One general downside is tying things together, if I need to mess
-    # with one thing, it breaks the other. Oh well for now.
-    #
-    # 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
-    #
-    # 3. We can setup the routing to happen on li, which seemed like I
-    # just needed to add 10.8.0.4/24 to AllowedIPs in at least the
-    # wghole clients, but I think that is kind of hacky and breaks ipv4
-    # routing within the mailvpn, it happened to work just because exim
-    # prefers ipv6 and that was also available in the mailvpn.
-    #
-    # 4. Put the hole interface into the mail network namespace. This
-    # doesn't work if the mail vpn is wg.  For openvpn, it bypasses the
-    # vpn routing and establishes a direct connection.  I only use the
-    # hole vpn for randomish things, it should be fine to join the mail
-    # nn for that. There should be some way to fix the routing issue
-    # by doing manual routing, but that doesn't seem like a good use of time.
-    # relevant:
-    # https://www.wireguard.com/netns/#
-    #
-    # for wireguard debugging
-    # echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
-    # dmesg -w
+# sooo, there are a few ways to get traffic from the mail network
+# namespace to go over the wghole.
+#
+#1: unify the mail vpn and wghole
+# into 1 network.  this seems simple and logical, so I'm doing it.
+# One general downside is tying things together, if I need to mess
+# with one thing, it breaks the other. Oh well for now.
+#
+# 2. We can route 10.5.3.0/24 out of the mail nn and nat it into wghole.
+#
+# 3. We can setup the routing to happen on li, which seemed like I
+# just needed to add 10.8.0.4/24 to AllowedIPs in at least the
+# wghole clients, but I think that is kind of hacky and breaks ipv4
+# routing within the mailvpn, it happened to work just because exim
+# prefers ipv6 and that was also available in the mailvpn.
+#
+# 4. Put the hole interface into the mail network namespace. This
+# doesn't work if the mail vpn is wg.  For openvpn, it bypasses the
+# vpn routing and establishes a direct connection.  I only use the
+# hole vpn for randomish things, it should be fine to join the mail
+# nn for that. There should be some way to fix the routing issue
+# by doing manual routing, but that doesn't seem like a good use of time.
+# relevant:
+# https://www.wireguard.com/netns/#
+#
+# for wireguard debugging
+# echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
+# dmesg -w
 
-    ;;&
-  $MAIL_HOST|bk)
-    for unit in ${nn_progs[@]}; do
-      u /etc/systemd/system/$unit.service.d/nn.conf <<EOF
+if nn-hostp; then
+  for unit in ${nn_progs[@]}; do
+    u /etc/systemd/system/$unit.service.d/nn.conf <<EOF
 [Unit]
 
 # Wants appears better than requires because with requires,
@@ -1024,21 +1042,22 @@ BindPaths=$bindpaths
 Restart=always
 RestartSec=20
 EOF
-    done
-    ;;
-  *)
-    # note: this does not include unbound, because we don't use unbound
-    # as a non-nn service, and we are getting failure in joins-namespace-of-check for unbound,
-    # and I wonder if changing its config has anything to do with it.
-    for unit in exim4 $spamd_ser $spamd_remove dovecot; do
-      f=/etc/systemd/system/$unit.service.d/nn.conf
-      if [[ -s $f ]]; then
-        rm -fv $f
-        reload=true
-      fi
-    done
-    ;;
-esac
+  done
+fi
+
+# We could do this for all hosts but bk and MAIL_HOST. If we did,
+# then we are get failure in joins-namespace-of-check for unbound
+# and mailnnroute when we switch-mail-host. It is a systemd bug, but
+# I realized I have no reason to run these outside of the network
+# namespace, so I will avoid the bug that way.
+
+# for unit in exim4 unbound $spamd_ser $spamd_remove dovecot; do
+#   f=/etc/systemd/system/$unit.service.d/nn.conf
+#   if [[ -s $f ]]; then
+#     rm -fv $f
+#     reload=true
+#   fi
+# done
 
 # * wghole (another mail vpn)
 
@@ -1053,6 +1072,20 @@ RestartSec=20
 EOF
 fi
 
+#  exim will fail to start without internet connectivity if we tell it
+#  to bind to a wireguard interface that is not up. I had this set to
+#  only be for bhost_t not MAIL_HOST, but I'm avoiding needlessly
+#  causing systemd reloads.
+u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
+[Unit]
+StartLimitIntervalSec=0
+
+[Service]
+Restart=always
+RestartSec=20
+EOF
+
+
 # * rspamd config
 
 if $use_rspamd; then
@@ -3967,15 +4000,6 @@ dc_other_hostnames='eximbackup.b8.nz'
 dc_local_interfaces='127.0.0.1;::1;$wgholeip'
 EOF
 
-      # wghole & thus exim will fail to start without internet connectivity.
-      u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
-[Unit]
-StartLimitIntervalSec=0
-
-[Service]
-Restart=always
-RestartSec=20
-EOF
 
     else
       cat >>/etc/exim4/update-exim4.conf.conf <<EOF
@@ -3984,7 +4008,6 @@ EOF
 # instead of a permanent 5xx.
 dc_local_interfaces='127.0.0.1;::1'
 EOF
-      rm -fv /etc/systemd/system/exim4.service.d/backup.conf
     fi
     cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 dc_eximconfig_configtype='smarthost'
-- 
2.30.2