From dea3bb554e3ed9c0e4734dc82db650006390222b Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Mon, 23 Sep 2024 19:22:53 -0400 Subject: [PATCH] ditch buggy metastore for /p/c, use explicit perms in conflink --- conflink | 265 ++++++++++++++++++++++++++++++++--------------------- distro-end | 5 + 2 files changed, 163 insertions(+), 107 deletions(-) diff --git a/conflink b/conflink index c785a9b..6ddf355 100755 --- a/conflink +++ b/conflink @@ -115,7 +115,7 @@ subdir-link-r() { local fullpath fullpath="$(readlink -f "$path")" if [[ -f $path || $(dirname "$fullpath") == "$below" ]]; then - m lnf -T "$path" "$HOME/${path#"$root/"}" + lnf -T "$path" "$HOME/${path#"$root/"}" elif [[ -d "$path" ]]; then subdir-link-r "$root" "$path" fi @@ -124,72 +124,56 @@ subdir-link-r() { common-file-setup() { - local dir fs x f reload_systemd - local -a restart_services + local dir fs f reload_systemd + local -a link_glob + local -A restart_services reload_systemd=false - # note, i ran chmod -R g-s on the filesystem dirs - # so i could keep permissions of secret files + for dir in "$@"; do - fs=$dir/filesystem - if [[ -e $fs && $user =~ ^iank?$ ]]; then - # we dont want t, instead c for checksum. - # That way we dont set times on directories. - # -a = -rlptgoD - # -A is acls, implies -p - cmd=( s rsync -rclgoDiSAX --chmod=Dg-s --chown=root:root - --exclude=/etc/dovecot/users - --exclude='/etc/exim4/passwd*' - --exclude='/etc/exim4/*.pem' - $fs/ / ) - echo "${cmd[@]@Q}" - "${cmd[@]}" | tee $tmpf - while read -r line; do - file="${line:12}" - case $file in - etc/prometheus/rules/iank.yml|etc/prometheus/prometheus.yml) - case $HOSTNAME in - kd) - if systemctl is-active prometheus &>/dev/null; then - v s systemctl reload prometheus - fi - ;; - esac - ;; - etc/systemd/system/*) - reload_systemd=true - ;; - etc/dnsmasq.d/*) - restart_services+=(dnsmasq) - ;; - etc/systemd/resolved.conf.d/*) - restart_services+=(systemd-resolved) - ;; - esac - # Previously did this with tar, but it doesn't - # update directory permissions. - # - # S = do spare files efficiently - # A = preserve acls - # X = preserve extended attributes - # i = itemize - done <$tmpf - fi if ! $fast && [[ -e $dir/subdir_files ]]; then - m subdir-link-r $dir/subdir_files + subdir-link-r $dir/subdir_files fi - local x=( $dir/!(binds|subdir_files|filesystem|machine_specific|..|.|.#*) ) - (( ${#x[@]} >= 1 )) || continue - m lnf ${x[@]} ~ + link_glob=( $dir/!(binds|subdir_files|filesystem|machine_specific|..|.|.#*) ) + (( ${#link_glob[@]} >= 1 )) || continue + lnf ${link_glob[@]} ~ done - if $reload_systemd; then - v s systemctl daemon-reload + +} + +old-files-cleanup() { + # old files 2022-03 + for t in systemstatus epanicclean btrfsmaintstop dynamicipupdate; do + f=/etc/systemd/system/$t.timer + if [[ -e $f ]]; then + v systemctl stop $t.timer + v systemctl disable $t.timer + s rm -fv $f + reload_systemd=true + fi + done + # old 2022-04 + if [[ -e /etc/cron.daily/check-lets-encrypt-ssl-settings ]]; then + s rm -f /etc/cron.daily/check-lets-encrypt-ssl-settings + fi + # conversion from whole folder subdir to individual files. + if [[ -L /home/iank/.config/copyq ]]; then + rm -fv /home/iank/.config/copyq fi - for service in ${restart_services[@]}; do - if systemctl is-active $service >/dev/null; then - v s systemctl restart $service + +} + +find-maybe() { + local path + local -a paths + for path in "${find_paths[@]}"; do + if [[ -e $path ]]; then + paths+=( "$path" ) fi done + if (( ${#paths[@]} >= 1 )); then + s find "${paths[@]}" "$@" + fi } #### end function definitions, begin main script #### @@ -205,82 +189,149 @@ done c_dirs=(/a/c{,/machine_specific/$HOSTNAME}) + case $user in iank) - # old files 2022-03 - for t in systemstatus epanicclean btrfsmaintstop dynamicipupdate; do - f=/etc/systemd/system/$t.timer - if [[ -e $f ]]; then - v systemctl stop $t.timer - v systemctl disable $t.timer - s rm -fv $f - reload_systemd=true - fi - done - # old 2022-04 - if [[ -e /etc/cron.daily/check-lets-encrypt-ssl-settings ]]; then - m s rm -f /etc/cron.daily/check-lets-encrypt-ssl-settings - fi - # conversion from whole folder subdir to individual files. - if [[ -L /home/iank/.config/copyq ]]; then - rm -fv /home/iank/.config/copyq - fi + + old-files-cleanup /a/bin/ds/install-my-scripts - files=(/p/c/machine_specific/*/filesystem/etc/ssh/*_key - /p/c/machine_specific/*/filesystem/etc/openvpn/client/*.key - /p/c/filesystem/etc/openvpn/client/*.key - /p/c/filesystem/etc/openvpn/easy-rsa/keys/*.key - ) - if [[ -e ${files[0]} ]]; then - chmod 600 ${files[@]} + + # setup permissions in /p/c to be user only except some filesystem files + if [[ -e /p/c ]]; then + chmod -R g-s,u=rwX,go= /p/c fi + find_paths=(/p/c/filesystem /p/c/machine_specific/*/filesystem /p/c/user-specific) + find-maybe -type d \! -name wireguard \! -path '*/moddata/*' \! -name moddata -exec chmod go+rX '{}' + + + find_paths=(/p/c/filesystem/etc/ssh /p/c/machine_specific/*/filesystem/etc/ssh) + find-maybe -type f -name '*.pub' -exec chmod go+rX '{}' + + + # note: intentionally letting a few files have more restrictive + # permissions than needed: a few openvpn files, some pub wireguard + # keys. + std_perm_paths=( + etc/udev/hwdb.d/01-ian.hwdb + etc/prometheus/alertmanager.yml + etc/debbugs/ + usr/ + etc/apt/preferences.d + ) + + for path in ${std_perm_paths[@]}; do + find_paths=(/p/c/filesystem/$path /p/c/machine_specific/*/filesystem/$path) + find-maybe -type f -exec chmod go+rX '{}' + + done + # p needs to go first so .ssh link is created, then config link inside it - m common-file-setup ${all_dirs[@]} + common-file-setup ${all_dirs[@]} + + rsync_args=() + for dir in ${all_dirs[@]}; do + fs=$dir/filesystem + if [[ -r $fs ]]; then + rsync_args+=($fs/) + fi + done + + cmd=( s rsync -rclgoDiSAX --chown=root:root + --exclude=/etc/dovecot/users + --exclude='/etc/exim4/passwd*' + --exclude='/etc/exim4/*.pem' + ${rsync_args[@]} / ) + echo "${cmd[@]@Q}" + "${cmd[@]}" | tee $tmpf + + while read -r line; do + file="${line:12}" + case $file in + etc/prometheus/rules/iank.yml|etc/prometheus/prometheus.yml) + case $HOSTNAME in + kd) + if systemctl is-active prometheus &>/dev/null; then + v s systemctl reload prometheus + fi + ;; + esac + ;; + etc/systemd/system/*) + reload_systemd=true + ;; + etc/dnsmasq.d/*) + restart_services[dnsmasq]=t + ;; + etc/systemd/resolved.conf.d/*) + restart_services[systemd-resolved]=t + ;; + esac + # Previously did this with tar, but it doesn't + # update directory permissions. + # + # S = do spare files efficiently + # A = preserve acls + # X = preserve extended attributes + # i = itemize + done <$tmpf + + if $reload_systemd; then + v s systemctl daemon-reload + fi + for service in ${!restart_services[@]}; do + if systemctl is-active $service >/dev/null; then + v s systemctl restart $service + fi + done #### begin special extra stuff #### install -d -m700 ~/gpg-agent-socket - f=/var/lib/bind - if [[ -e $f ]]; then - # reset to the original permissions. - m s chgrp -R bind $f - m s chmod g+w $f - fi - # shellcheck disable=SC2016 # obviously expected - s bash -c 'shopt -s nullglob; for f in /etc/bind/*.key /etc/bind/*.private /etc/bind/key.*; do chgrp bind $f; done' if [[ -e /etc/caldav-htpasswd ]] && getent group www-data &>/dev/null; then s chgrp www-data /etc/caldav-htpasswd fi - if [[ -e /var/lib/znc ]] && getent group znc; then - s chown -R znc:znc /var/lib/znc - fi if [[ -e /p/c/user-specific/prometheus ]]; then if getent passwd prometheus &>/dev/null; then - v s rsync -clpgoDiSAX --chmod=Dg-s --chown=root:prometheus /p/c/user-specific/prometheus/prometheus-pass /etc - v s rsync -clpgoDiSAX --chmod=Dg-s --chown=root:prometheus /p/c/user-specific/prometheus/prometheus/ssl/* /etc/prometheus/ssl + v s rsync -clpgoDiSAX --chmod=g+r --chown=root:prometheus /p/c/user-specific/prometheus/prometheus-pass /etc + v s rsync -clpgoDiSAX --chmod=g+r --chown=root:prometheus /p/c/user-specific/prometheus/prometheus/ssl/* /etc/prometheus/ssl fi fi if [[ -e /p/c/user-specific/www-data ]]; then if getent passwd www-data &>/dev/null; then - v s rsync -clpgoDiSAX --chmod=Dg-s --chown=root:www-data /p/c/user-specific/www-data/* /etc + v s rsync -clpgoDiSAX --chmod=g+r --chown=root:www-data /p/c/user-specific/www-data/* /etc fi fi + if [[ -e /p/c/user-specific/znc ]]; then + if getent group znc &>/dev/null; then + v s rsync -rclpgoDiSAX --chown=znc:znc /p/c/user-specific/znc/ /var/lib/znc + fi + fi + + # These files would naturally be world readable, but I see no point + # in bothering to write the code to do that. + # "var/lib/bind/db.*" + # "var/lib/bind/*.key" + # "var/lib/bind/dsset-*" + if [[ -e /p/c/user-specific/bind ]]; then + if getent group bind &>/dev/null; then + v s rsync -clpgoDiSAX --chmod=g+r --chown=root:bind /p/c/user-specific/bind/etc/* /etc/bind + v s rsync -clpgoDiSAX --chmod=g+r --chown=root:bind /p/c/user-specific/bind/var/lib/bind/* /var/lib/bind + fi + fi + + # this folder strangely requires ownership as icecast2 (and icecast2 group is icecast without the 2). + if [[ -d /etc/icecast2 && -e /p/c/user-specific/icecast ]]; then + v s rsync -clgoDiSAX --chmod=g+r --chown=root:icecast /p/c/user-specific/icecast2/icecast.xml /etc/icecast2 + fi + # disabled # if [[ -d /var/lib/bitcoind && -d /p/c/user-specific/bitcoin ]]; then - # s rsync -clpgoDiSAX --chmod=Dg-s --chown=bitcoin:bitcoin /p/c/user-specific/bitcoin/settings.json /var/lib/bitcoind - # s rsync -rclpgoDiSAX --chmod=Dg-s --chown=root:bitcoin /p/c/user-specific/bitcoin/bitcoin /etc + # s rsync -clpgoDiSAX --chown=bitcoin:bitcoin /p/c/user-specific/bitcoin/settings.json /var/lib/bitcoind + # s rsync -rclpgoDiSAX --chown=root:bitcoin /p/c/user-specific/bitcoin/bitcoin /etc # fi - - # this folder strangely requires ownership as icecast2 - if [[ -d /etc/icecast2 && -f /p/c/icecast.xml ]]; then - m s rsync -rclgoDiSAX --chmod=0644 --chown=root:root /p/c/icecast.xml /etc/icecast2 - fi ##### end special extra stuff ##### if ! $fast; then - m s -H -u user2 "${BASH_SOURCE[0]}" + s -H -u user2 "${BASH_SOURCE[0]}" fi mkdir -p ~/.local @@ -294,7 +345,7 @@ case $user in ;; user2) - m common-file-setup ${c_dirs[@]} + common-file-setup ${c_dirs[@]} ;; *) echo "$0: error: unexpected user"; exit 1 diff --git a/distro-end b/distro-end index 2ba7205..025e5d2 100755 --- a/distro-end +++ b/distro-end @@ -2282,6 +2282,11 @@ hiup /p/c/distro-extra + +# delete this once run everywhere. delete old file: + +rm -f /etc/systemd/system/openvpn-client@client.service.d/iank.conf + # if I was going to create a persistent vm, i might do it like this: # variant=something # from: virt-install --os-variant list # s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ -- 2.30.2