From ec4efaeb603f21de169aeedff4907d2279bada3a Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Wed, 17 Apr 2024 22:59:31 -0400 Subject: [PATCH 01/16] improve automatic updates --- distro-end | 3 ++- filesystem/usr/local/bin/myupgrade | 6 ++++++ filesystem/usr/local/bin/myupgrade-iank | 4 ++-- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/distro-end b/distro-end index 500a496..d81950c 100755 --- a/distro-end +++ b/distro-end @@ -1563,7 +1563,8 @@ m /a/bin/buildscripts/go # only needed for rg. cargo takes up 11 gigs, filled up the disk on je. m /a/bin/buildscripts/rust m /a/bin/buildscripts/misc -m /a/bin/buildscripts/pithosfly + +#m /a/bin/buildscripts/pithosfly #m /a/bin/buildscripts/alacritty #m /a/bin/buildscripts/kitty diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade index 664c2d2..49197fb 100755 --- a/filesystem/usr/local/bin/myupgrade +++ b/filesystem/usr/local/bin/myupgrade @@ -84,6 +84,12 @@ case $hn in ;; esac +case $hn in + sy) + /b/fai/config/distro-install-common/install-stable-kernel-debs + ;; +esac + # TODO: executed from cron, this doesnt sent an email when we reboot, # because rebooting from the script stops the ability to send email. diff --git a/filesystem/usr/local/bin/myupgrade-iank b/filesystem/usr/local/bin/myupgrade-iank index e2e3296..7c7a2bf 100755 --- a/filesystem/usr/local/bin/myupgrade-iank +++ b/filesystem/usr/local/bin/myupgrade-iank @@ -35,6 +35,7 @@ fi hn=$(hostname -f) +/a/bin/buildscripts/go /a/bin/buildscripts/rust has_x=false @@ -46,12 +47,11 @@ for pkg in xorg wayland; do done if $has_x; then - /a/bin/buildscripts/tor-browser /a/bin/buildscripts/misc + /a/bin/buildscripts/tor-browser fi - # source /a/bin/distro-setup/path-add-function # export GOPATH=$HOME/go # path-add $GOPATH/bin -- 2.30.2 From 1723d09bec8364d16a156b195fd08b9f62cbc98b Mon Sep 17 00:00:00 2001 
From: Ian Kelling Date: Thu, 18 Apr 2024 01:22:18 -0400 Subject: [PATCH 02/16] mail perf tuning --- mail-setup | 43 +++++++++++++++++++++++++++---------------- mount-latest-subvol | 4 +++- 2 files changed, 30 insertions(+), 17 deletions(-) diff --git a/mail-setup b/mail-setup index 08ec7ae..9c46689 100755 --- a/mail-setup +++ b/mail-setup 
@@ -2061,6 +2061,23 @@ protocol lmtp { # default is just $mail_plugins mail_plugins = $mail_plugins sieve } + +# /etc/dovecot/conf.d/10-master.conf says the default is 256M. +# but I started getting oom errors in the syslog +# Mar 27 15:10:04 sy dovecot[330088]: lmtp(iank)<3839880>: Fatal: master: service(lmtp): child 3839880 returned error 83 (Out of memory (service lmtp { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump) +# exim would just queue mail until it eventually succeeded. +# Deciding what to increase it to, I found this +# https://dovecot.org/list/dovecot/2011-December/080056.html +# which suggests 3x the largest dovecot.index.cache file +# and then I found that +# md/l/testignore/dovecot.index.cache is 429M, my largest cache file, +# but that folder only has 2k messages. +# next biggest is md/l/qemu-devel/dovecot.index.cache 236M +# which lead to me a search https://doc.dovecot.org/admin_manual/known_issues/large_cache/ +# which suggests 1.5x the maximum cache file size 1G, and +# that I can safely rm the index. +default_vsz_limit = 1500M + EOF if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show dovecot-core)" ge 1:2.3; then cat <>/etc/dovecot/local.conf <: Fatal: master: service(lmtp): child 3839880 returned error 83 (Out of memory (service lmtp { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump) -# exim would just queue mail until it eventually succeeded. -# Deciding what to increase it to, I found this -# https://dovecot.org/list/dovecot/2011-December/080056.html -# which suggests 3x the largest dovecot.index.cache file -# and then I found that -# md/l/testignore/dovecot.index.cache is 429M, my largest cache file, -# but that folder only has 2k messages. 
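Review bot: `default_vsz_limit = 1500M` raises the address-space cap for every Dovecot service that does not set its own `vsz_limit`, while the out-of-memory error quoted in the new comment came from `service(lmtp)` alone. Scoping the increase as `service lmtp { vsz_limit = 1500M }` keeps the 256M default on the login and IMAP processes that inherit it. The context after the added block (the dpkg version check and its heredoc) is garbled on this page, so the end of the hunk cannot be checked here.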
-# next biggest is md/l/qemu-devel/dovecot.index.cache 236M -# which lead to me a search https://doc.dovecot.org/admin_manual/known_issues/large_cache/ -# which suggests 1.5x the maximum cache file size 1G, and -# that I can safely rm the indix -default_vsz_limit = 1500M +# This will decrease memory use, and seems likely to decrease cpu & disk +# use since I rarely use dovecot for most folders. +mail_cache_max_size = 50M + # simple password file based login !include conf.d/auth-passwdfile.conf.ext # ian: %u is used for alerts user vs iank -mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX +mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX:INDEX=/var/dovecot-indexes/%u mail_uid = $u mail_gid = $u diff --git a/mount-latest-subvol b/mount-latest-subvol index c66eebc..eb682f4 100644 --- a/mount-latest-subvol +++ b/mount-latest-subvol @@ -271,8 +271,10 @@ fi fa=(/mnt/o/btrbk/o.*); f=${fa[0]} if [[ -e $f ]]; then if [[ $o_dev != "$root_dev" ]]; then + # ,compress=zstd regardless of mopts since these are all text files + # and it cuts disk use by about half. fstab < Date: Thu, 18 Apr 2024 02:28:33 -0400 Subject: [PATCH 03/16] minor fixes --- mount-latest-remote | 4 ++-- ssh-emacs-setup | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/mount-latest-remote b/mount-latest-remote index 3363311..f63a6f7 100755 --- a/mount-latest-remote +++ b/mount-latest-remote @@ -26,8 +26,8 @@ set -e; . /usr/local/lib/bash-bear; set +e -readonly this_file; this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; -script_dir=${this_file%/*} +this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" +readonly this_file script_dir="${this_file%/*}" if (( ! $# )); then echo "mount-latest-remote: error: a host argument" diff --git a/ssh-emacs-setup b/ssh-emacs-setup index b89f2bd..309ab0a 100755 --- a/ssh-emacs-setup +++ b/ssh-emacs-setup 
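Review bot: `INDEX=/var/dovecot-indexes/%u` points the per-user indexes at a directory that nothing in this hunk creates, and the mail processes run as the uid this block assigns to `mail_uid`, which cannot create a new top-level directory under /var; unless mail-setup creates `/var/dovecot-indexes` with per-user subdirectories owned by that uid elsewhere, index writes will fail (presumably logged as errors rather than refusing mail, but that is inferred). A line such as `install -d -o "$u" -g "$u" /var/dovecot-indexes/"$u"` beside the heredoc, or a comment stating where the directory is created, would settle it. This hunk's `@@` header and the surrounding heredoc are garbled on this page.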
@@ -32,7 +32,9 @@ if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR -readonly this_file; this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd ${this_file%/*} +this_file="$(readlink -f -- "${BASH_SOURCE[0]}")" +readonly this_file this_dir="${this_file%/*}" +cd "$this_dir" # get rid of useless motd stuff sed -i --follow-symlinks 's/^\s*PrintLastLog .*/PrintLastLog no/' /etc/ssh/sshd_config rm -f /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header -- 2.30.2 From b3550a17945f87000eca28a3ea9ed7ee87895121 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Thu, 18 Apr 2024 10:28:57 -0400 Subject: [PATCH 04/16] fix switch-host2 --- switch-mail-host | 59 +++++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 28 deletions(-) diff --git a/switch-mail-host b/switch-mail-host index b0b35a6..56676b9 100644 --- a/switch-mail-host +++ b/switch-mail-host @@ -134,6 +134,26 @@ source /a/bin/bash_unpublished/source-state direction=$1 host=$2 +case $script_name in + switch-mail-host) + if [[ $MAIL_HOST != "$HOST2" ]]; then + mail_only=true + fi + ;; + switch-host2) + host2_only=true + ;; + *) + err unexpected script name + ;; +esac + +if $mail_only; then + mp_args="-m /o" +elif $host2_only; then + mp_args="-m /a,/q,/qd,/qr" +fi + if ! $force && { $check_installed || [[ $direction == push ]]; } ; then install_bin_files=( @@ -196,7 +216,7 @@ case $direction in fi done if $diff; then - e "found different version on old_host=$old_hostname, reexecing" + e "found different version on old_host=$old_host, reexecing" m /usr/local/bin/switch-mail-host --pull-reexec "${orig_args[@]}" exit 0 fi 
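Review bot: `if $mail_only; then … elif $host2_only; then` is now evaluated near the top of switch-mail-host, and the `case $script_name` above it only ever sets the flags to `true`; if neither variable is initialised to `false` before line 134 (outside this hunk), an unset flag expands to nothing, `if` runs an empty command that succeeds, and the mail-only path is taken even for switch-host2. Adding `mail_only=false host2_only=false` immediately before the `case` makes the block self-contained; `mp_args` likewise stays unset when neither flag is true, which its later use (outside the hunk) must tolerate. The copy deleted at @@ -218 had the same dependency, so this is a pre-existing hazard the move makes easy to close.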
@@ -218,25 +238,6 @@ case $direction in ;; esac -case $script_name in - switch-mail-host) - if [[ $MAIL_HOST != "$HOST2" ]]; then - mail_only=true - fi - ;; - switch-host2) - host2_only=true - ;; - *) - err unexpected script name - ;; -esac - -if $mail_only; then - mp_args="-m /o" -elif $host2_only; then - mp_args="-m /a,/q,/qd,/qr" -fi if ! $force; then if $host2_only; then @@ -288,12 +289,13 @@ while $active; do done done -# ensure these are unused before doing anything -e "On $new_host: umounting /m and /o, checking emacs" -{ - cat /usr/local/bin/unsaved-buffers - if ! $host2_only; then - cat < Date: Thu, 18 Apr 2024 10:32:48 -0400 Subject: [PATCH 05/16] fix for btrbk-run archive --- btrbk-run | 1 + 1 file changed, 1 insertion(+) diff --git a/btrbk-run b/btrbk-run index 70fc704..7a22d42 100644 --- a/btrbk-run +++ b/btrbk-run @@ -28,6 +28,7 @@ [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" set -e; . /usr/local/lib/bash-bear; set +e +shopt -s nullglob usage() { cat <<'EOF' -- 2.30.2 From 7f94df0eb6002f4fd05ab3fc2d61e94a92ef5a1a Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Thu, 18 Apr 2024 14:24:26 -0400 Subject: [PATCH 06/16] various fixes --- brc2 | 2 +- btrbk-run | 5 ++++- check-subvol-stale | 2 +- distro-end | 5 ++++- mail-cert-cron | 21 +++++++++++++++++++-- mail-setup | 11 ++++++----- 6 files changed, 35 insertions(+), 11 deletions(-) diff --git a/brc2 b/brc2 index a28d7b7..aa370ac 100644 --- a/brc2 +++ b/brc2 @@ -2950,7 +2950,7 @@ mdenable() { two=false case $1 in - -2) two=true shift ;; + -2) two=true; shift ;; esac for md; do diff --git a/btrbk-run b/btrbk-run index 7a22d42..93e8dab 100644 --- a/btrbk-run +++ b/btrbk-run 
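Review bot: `shopt -s nullglob` is enabled for the whole of btrbk-run, so every later unquoted glob in the script changes meaning, not only the one this fix targets; a pattern that previously fell through as a literal now expands to nothing, so an `x=(/path/*); f=${x[0]}` idiom yields an empty array and `${x[0]}` trips `set -u` if bash-bear enables it (not visible here). Wrapping the globs that need it in `shopt -s nullglob` / `shopt -u nullglob`, or a comment naming which globs this is for, would contain the blast radius. PATCH 08 adds the same script-wide `shopt -s nullglob` to mount-latest-subvol, where `fa=(/mnt/o/btrbk/o.*); f=${fa[0]}` (visible in PATCH 02's context) is exactly that idiom.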
@@ -542,7 +542,10 @@ if ! $pull_reexec && [[ $source ]] && $pulla ; then fi fi - +# todo: check if we have no snapshots yet, because I always want to run +# archive instead of run. Likely, I should give an error unless a cli +# override is passed. perhaps check-subvol-stale could give the error. +# see the error message "no snapshots found" in that file. if ! $fast; then # if our mountpoints are from stale snapshots, # it doesn't make sense to do a backup. diff --git a/check-subvol-stale b/check-subvol-stale index af7c60e..9b5e88d 100644 --- a/check-subvol-stale +++ b/check-subvol-stale @@ -162,7 +162,7 @@ for d; do mapfile -t snaps <$tmpf else # no snapshots yet - # TODO: make this an error and override with a cli flag + # TODO: consider making this an error and override with a cli flag echo "$0: warning: no snapshots found at $root_dir/btrbk/$subvol_dir.20*. this is expected for a brand new volume" continue fi diff --git a/distro-end b/distro-end index d81950c..77cfa4b 100755 --- a/distro-end +++ b/distro-end @@ -194,8 +194,11 @@ EOF if $doupdate; then tmpdir=$(mktemp -d) cd $tmpdir + # otherwise we get a warning message: + # W: Download is performed unsandboxed as root as file '/tmp/tmp.UwxbPFG3CZ/debian-archive-keyring_2021.1.1+deb11u1_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied) + chmod 775 . p download debian-archive-keyring - s dpkg -i debian-archive-keyring + s dpkg -i ./debian-archive-keyring* p update cd - rm -rf $tmpdir diff --git a/mail-cert-cron b/mail-cert-cron index 01fb689..b69bc28 100755 --- a/mail-cert-cron +++ b/mail-cert-cron @@ -25,10 +25,16 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" +interactive=false case $1 in # For first run, accept host key. Note, known_hosts is saved in /p. -1) opt=(-e 'ssh -oStrictHostKeyChecking=no') + shift + ;; + -i) + interactive=true + shift ;; esac 
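Review bot: `case $1 in … esac` examines only the first argument, so the `-1 -i` invocation PATCH 07 adds to mail-setup (`m /a/bin/ds/mail-cert-cron -1 -i`) consumes `-1` and leaves `-i` unparsed, and `interactive` stays false. Wrapping the case in a loop that shifts until a non-option is seen handles both flags in either order. The new `interactive=false` default is good; `opt` still has no default when `-1` is absent, which is pre-existing.
```shell
interactive=false
while (( $# )); do
  case $1 in
    # For first run, accept host key. Note, known_hosts is saved in /p.
    -1) opt=(-e 'ssh -oStrictHostKeyChecking=no'); shift ;;
    -i) interactive=true; shift ;;
    *) break ;;
  esac
done
```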
@@ -38,11 +44,22 @@ if [[ -e $f ]]; then source $f fi +try() { + local ret=0 + "$@" || ret=$? + if $interactive && (( ret >=1 )); then + echo "$0: ERROR: exit $ret on: $*" + fi +} + +# note: when certificate is expired, you will get this in /var/log/mail.log when k-9 mail tries to fetch: +# imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=redacted, lip=10.8.0.4, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=>/etc/dovecot/local.conf < Date: Thu, 18 Apr 2024 14:34:30 -0400 Subject: [PATCH 07/16] comments --- mail-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mail-setup b/mail-setup index 36b3ab5..e15a31e 100755 --- a/mail-setup +++ b/mail-setup @@ -2120,6 +2120,7 @@ mail_cache_max_size = 50M # ian: %u is used for alerts user vs iank # https://doc.dovecot.org/configuration_manual/mail_location/Maildir/ mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX:INDEX=/var/dovecot-indexes/%u +# note: i don't know if these need to be set, but this seems fine. mail_uid = iank mail_gid = iank @@ -3803,7 +3804,8 @@ case $HOSTNAME in ;; esac -# optimization, this only needs to run once. +# optimization, this only needs to run once. But, if we move to a +# computer we haven't used much, we need to fetch a fresh cert. if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then m /a/bin/ds/mail-cert-cron -1 -i m systemctl --now enable mailcert.timer -- 2.30.2 From 8e6b1a997f8dcf71feccd390a06a3229277952b8 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Thu, 18 Apr 2024 23:23:05 -0400 Subject: [PATCH 08/16] minor fix --- mount-latest-subvol | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/mount-latest-subvol b/mount-latest-subvol index eb682f4..1f4229e 100644 
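Review bot: `try()` returns the status of its final `if`, never `$ret`, so a failing command is always swallowed, the ERR trap at the top of the file (context of the previous hunk) does not fire because `"$@" || ret=$?` masks the failure, and the diagnostic is written to stdout and only when `-i` was given; run from the cron timer a failed step therefore leaves no trace. Whether or not best-effort continuation is intended, the message should go to stderr unconditionally, e.g. `printf '%s: ERROR: exit %s on: %s\n' "$0" "$ret" "$*" >&2`, and if callers are meant to notice, end the function with `return "$ret"`. The remainder of this hunk after the certificate-expiry comment is garbled on this page, so the `try` call sites cannot be checked here.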
--- a/mount-latest-subvol +++ b/mount-latest-subvol @@ -24,6 +24,7 @@ cd / [[ $EUID == 0 ]] || exec sudo -E "$this_file" "$@" set -e; . /usr/local/lib/bash-bear; set +e +shopt -s nullglob usage() { cat < 0 )); then + all_vols+=(ar) + fi fi ##### end command line parsing ######## @@ -237,7 +242,6 @@ fstab < Date: Mon, 22 Apr 2024 00:24:05 -0400 Subject: [PATCH 09/16] unify dns related config, change some dns settings --- brc | 3 +- brc2 | 85 ++++++++++++++----- dynamic-ip-update | 5 +- easiest-to-type-numbers | 83 ++++++++++++++++++ laptop-xrandr | 10 +-- .../systemd/system/openvpn-client-tr@.service | 4 +- .../systemd/system/openvpn-client-tr@.service | 4 +- .../systemd/system/openvpn-client-tr@.service | 4 +- .../systemd/system/openvpn-client-tr@.service | 36 -------- .../systemd/system/openvpn-client-tr@.service | 0 mail-setup | 6 ++ mount-latest-subvol | 2 +- pkgs | 1 + ptr-data | 7 -- 14 files changed, 171 insertions(+), 79 deletions(-) create mode 100755 easiest-to-type-numbers rename machine_specific/{frodo => bow}/filesystem/etc/systemd/system/openvpn-client-tr@.service (94%) rename machine_specific/{kw => sow}/filesystem/etc/systemd/system/openvpn-client-tr@.service (93%) rename machine_specific/{sy => syw}/filesystem/etc/systemd/system/openvpn-client-tr@.service (93%) delete mode 100644 machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service rename machine_specific/{bo => x2w}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%) delete mode 100644 ptr-data diff --git a/brc b/brc index 2ffd91c..5105c59 100644 --- a/brc +++ b/brc @@ -2139,7 +2139,7 @@ pkx() { # package extract c "$(mktemp -d)" pkg=$1 # shellcheck disable=SC2012 - cached=$(ls -t /var/cache/apt/archives/${pkg}_* | tail -n1 2>/dev/null) ||: + cached=$(ls -t /var/cache/apt/archives/${pkg}_* 2>/dev/null | tail -n1 2>/dev/null) ||: if [[ $cached ]]; then m cp $cached . else 
@@ -2900,6 +2900,7 @@ nonet() { } m() { printf "%s\n" "$*"; "$@"; } +m2() { printf "%s\n" "$*" >&2; "$@"; } # update file. note: duplicated in mail-setup. # updates $ur u result to true or false diff --git a/brc2 b/brc2 index aa370ac..9e2b548 100644 --- a/brc2 +++ b/brc2 @@ -840,6 +840,7 @@ mpvrpc-loadfile() { # q quit # ret next # +# todo: enter should also unpause beetag() { local last_genre_i fstring tag id char new_item char_i genre tag remove doplay i j random path local do_rare_genres read_wait help line lsout tmp ls_line skip_lookback @@ -2055,6 +2056,7 @@ apache-apply() { } # strip out the apache license from a file. apache-strip() { + # shellcheck disable=SC2044 # meh for f in $(find . -type f -maxdepth 1); do if head -n1 "$f"| grep -E '^#!/bin/bash\b' &>/dev/null; then { head -n 20 $f | tac | sed '/^# limitations under the License.$/,/^# Copyright.*Ian Kelling$/d' | tac; tail -n+21 $f; } |sponge $f; fi ; done } @@ -2628,19 +2630,52 @@ wgkey() { umask $umask_orig } -declare -A vpn_ips -vpn_ips[kd]=2 -# note: 1, 4, 5 are occupied by mail wireguard -vpn_ips[x3]=8 -vpn_ips[sy]=12 -vpn_ips[x2]=13 -vpn_ips[kw]=27 -vpn_ips[bo]=28 -vpn_ips[frodo]=34 -vpn_ips[s23b]=49 +host-info-update() { + + local -A vpn_ips host_ips host_macs nonvpn_ips + local -a root_hosts nonroot_hosts + + # the hosts with no mac + root_hosts=( bk je li b8.nz ) + for h in ${root_hosts[@]}; do + root_hosts+=(${h}ex) + done + root_hosts+=(cmc) + + while read -r ip host mac opts; do + if [[ $ip == *#* || ! $host ]]; then continue; fi + if [[ $opts == vpn ]]; then + vpn_ips[$host]=$ip + else + nonvpn_ips[$host]=$ip + fi + + + if [[ $opts == user=root ]]; then + root_hosts+=($host i$host) + else + nonroot_hosts+=($host i$host) + fi + + host_ips[$host]=$ip + host_macs[$host]=$mac + done

>$tmpf </dev/null; then - xrandr --auto -else +if [[ $output ]]; then xrandr --output $output --off sleep 2 xrandr --output $output --right-of eDP1 --mode 3840x2160 @@ -37,4 +34,7 @@ else # if the workspace is already there, this will fail i3-msg '[workspace="'$i'"]' move workspace to output $output ||: done +else + xrandr --auto + fi diff --git a/machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service similarity index 94% rename from machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service rename to machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service index e96fdd7..9a5afec 100644 --- a/machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service +++ b/machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service @@ -24,10 +24,10 @@ LimitNPROC=10 # we use .1 to make this be on a different network than kd, so that we can # talk to transmission on kd from remote host, and still use this # vpn. -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i +ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.29 start %i ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules # allow wireguard network to connect -ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.34.1 dev veth1-client +ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.29.1 dev veth1-client ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i PrivateNetwork=true BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind 
diff --git a/machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service similarity index 93% rename from machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service rename to machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service index f6ac66a..dae65d4 100644 --- a/machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service +++ b/machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service @@ -24,10 +24,10 @@ LimitNPROC=10 # we use .1 to make this be on a different network than kd, so that we can # talk to transmission on kd from remote host, and still use this # vpn. -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.27 start %i +ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules # allow wireguard network to connect -ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.27.1 dev veth1-client +ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.3.1 dev veth1-client ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i PrivateNetwork=true BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind diff --git a/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service similarity index 93% rename from machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service rename to machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service index d6010de..f85639d 100644 --- a/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service +++ b/machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service 
@@ -24,10 +24,10 @@ LimitNPROC=10 # we use .1 to make this be on a different network than kd, so that we can # talk to transmission on kd from remote host, and still use this # vpn. -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.12 start %i +ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules # allow wireguard network to connect -ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.12.1 dev veth1-client +ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i PrivateNetwork=true BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind diff --git a/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service deleted file mode 100644 index d16312d..0000000 --- a/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service +++ /dev/null 
@@ -1,36 +0,0 @@ -[Unit] -Description=OpenVPN tunnel for %I -After=syslog.target network-online.target -Wants=network-online.target -Documentation=man:openvpn(8) -Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage -Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO -Requires=iptables.service - -[Service] -Type=notify -RuntimeDirectory=openvpn-client -RuntimeDirectoryMode=0710 -WorkingDirectory=/etc/openvpn/client -ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf -# todo, try reenabling this from the default openvpn, -# it was disabled so we could do bind mounts as a command, -# but now systemd handles it -#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE -LimitNPROC=10 -# DeviceAllow=/dev/null rw -# DeviceAllow=/dev/net/tun rw - -# we use .1 to make this be on a different network than kd, so that we can -# talk to transmission on kd from remote host, and still use this -# vpn. -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.13 start %i -ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules -# allow wireguard network to connect -ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.13.1 dev veth1-client -ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i -PrivateNetwork=true -BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind - -[Install] -WantedBy=multi-user.target diff --git a/machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service similarity index 100% rename from machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service rename to machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service 
diff --git a/mail-setup b/mail-setup index e15a31e..3ac3476 100755 --- a/mail-setup +++ b/mail-setup @@ -3344,6 +3344,12 @@ EOF # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled. echo iankelling.org > /etc/mailname + # mail default domain. + u /etc/mailutils.conf <<'EOF' +address { + email-domain iankelling.org; +}; +EOF # mail.iankelling.org so local imap clients can connect with tls and # when they happen to not be local. diff --git a/mount-latest-subvol b/mount-latest-subvol index 1f4229e..433c7c2 100644 --- a/mount-latest-subvol +++ b/mount-latest-subvol @@ -267,7 +267,7 @@ fi # fa=(/mnt/root/btrbk/ar.*); f=${fa[0]} # if [[ -e $f ]]; then # fstab < Date: Mon, 22 Apr 2024 00:57:47 -0400 Subject: [PATCH 10/16] fixes to last commit --- brc2 | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/brc2 b/brc2 index 9e2b548..5804466 100644 --- a/brc2 +++ b/brc2 @@ -2652,7 +2652,9 @@ host-info-update() { if [[ $opts == user=root ]]; then - root_hosts+=($host i$host) + # note: the b8.nz suffix is for the User part, the IdentityFile + # part is redundant to *.b8.nz. + root_hosts+=($host i$host $host.b8.nz i$host.b8.nz) else nonroot_hosts+=($host i$host) fi @@ -2732,10 +2734,10 @@ EOF echo "cat < Date: Tue, 23 Apr 2024 20:51:06 -0400 Subject: [PATCH 11/16] dns fix, some improvements --- brc | 35 ++++++++++++++++++++++------------- brc2 | 49 ++++++++++++++++++++++++++++++++----------------- 2 files changed, 54 insertions(+), 30 deletions(-) diff --git a/brc b/brc index 5105c59..4a6f672 100644 --- a/brc +++ b/brc @@ -879,14 +879,14 @@ _khfix-common() { fi ll ~/.ssh/known_hosts } -khfix-r() { # known hosts fix + root +khfix-r() { # known hosts fix without syncing to root user _khfix-common "$@" || return 1 ssh $1 : - rootsshsync } khfix() { _khfix-common "$@" || return 1 ssh $1 : + rootsshsync } # copy path into clipboard 
@@ -1672,9 +1672,9 @@ grr() { # grep recursive # Don't return 1 on nonmatch because this is meant to be # interactive, not in a conditional. if [[ ${#@} == 1 ]]; then - grep --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" . || [[ $? == 1 ]] + grep -E --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" . || [[ $? == 1 ]] else - grep --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" || [[ $? == 1 ]] + grep -E --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" || [[ $? == 1 ]] fi } ccomp grep gr grr @@ -3243,6 +3243,16 @@ if [[ $- == *i* ]]; then # so I've thrown a bunch of things at the wall to speed it up. prompt-command() { local return=$? # this MUST COME FIRST + + # all usable colors: + # black + # green nonzero exit (pri 1) + # purple default + # purple bold + # red pwd different owner & group & not writable (pri 2) + # red bold pwd different owner & group & writable (pri 2) + # yellow + local ps_char ps_color unset IFS @@ -3250,22 +3260,21 @@ if [[ $- == *i* ]]; then history -a # save history fi - case $return in - 0) ps_color="$term_purple" - ps_char='\$' - ;; - *) ps_color="$term_green" - ps_char="$return \\$" - ;; - esac + ps_color="$term_purple" + ps_char='\$' if [[ ! -O . ]]; then # not owner if [[ -w . ]]; then # writable ps_color="$term_bold$term_red" else - ps_color="$term_bold$term_green" + ps_color="$term_red" fi fi + if [[ $return != 0 ]]; then + ps_color="$term_green" + ps_char="$return \\$" + fi + # faster than sourceing the file im guessing if [[ -e /dev/shm/iank-status && ! -e /tmp/quiet-status ]]; then eval "$(< /dev/shm/iank-status)" diff --git a/brc2 b/brc2 index 5804466..33384bc 100644 --- a/brc2 +++ b/brc2 
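Review bot: `grep -E … -riIP` passes both `-E` and `-P`, which GNU grep rejects with "conflicting matchers specified" and exit status 2, so both branches of grr now fail on every call (the `|| [[ $? == 1 ]]` guard only excuses status 1). `-P` already provides alternation and `+`/`?` quantifiers, so drop the added `-E` on both lines, or replace `-P` with `-E` if PCRE is not wanted.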
@@ -1792,21 +1792,13 @@ bindpush() { dsign iankelling.org expertpathologyreview.com zroe.org amnimal.ninja lipush for h in li bk; do - e sshing $h - ssh $h.b8.nz <<'EOF' -source ~/.bashrc -m dnsup -EOF + m ssh $h.b8.nz dnsup done } bindpushb8() { lipush for h in li bk; do - e sshing $h - ssh $h.b8.nz <<'EOF' -source ~/.bashrc -m dnsb8 -EOF + m ssh $h.b8.nz dnsb8 done } @@ -1817,8 +1809,18 @@ dnsup() { dnsb8() { local f=/var/lib/bind/db.b8.nz m ser stop named - m sleep 1 - m sudo rm -fv $f.jnl $f.signed.jnl + # jbk is like a temp file. dunno if removing it helps + + i=0 + while pgrep '^named$' &>/dev/null; do + sleep .5 + i=$(( i + 1 )) + if (( i > 100 )); then + echo "dnsb8: error: timeout waiting for named to exit" + return 1 + fi + done + m sudo rm -fv $f.jnl $f.signed.jnl $f.jbk m sudo install -m 644 -o bind -g bind /p/c/machine_specific/vps/bind-initial/db.b8.nz $f m ser restart named } @@ -2630,6 +2632,16 @@ wgkey() { umask $umask_orig } +host-info-all() { + host-info-update + bindpushb8 + wrt-setup +} + + +# if you change a host's ip, then run +# bindpushb8 +# wrt-setup host-info-update() { local -A vpn_ips host_ips host_macs nonvpn_ips @@ -2673,8 +2685,6 @@ IdentityFile ~/.ssh/home EOF - grep -E '^[a-z0-9]+[[:space:]]' /p/c/machine_specific/vps/bind-initial/db.b8.nz | awk '{print $1,$3}' - local host ipsuf f files sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf @@ -2728,7 +2738,7 @@ EOF echo 'local-data-ptr: "$l.'$ipsuf $host.b8.nz'"' done echo "EOF" - } | u /p/ptr-data + } | u /p/c/ptr-data { echo "cat < Date: Tue, 23 Apr 2024 20:52:26 -0400 Subject: [PATCH 12/16] minor fixes --- btrbk-run | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/btrbk-run b/btrbk-run index 93e8dab..a28bfac 100644 --- a/btrbk-run +++ b/btrbk-run 
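Review bot: `m ssh $h.b8.nz dnsup` replaces a heredoc that sourced `~/.bashrc` on the remote host before calling `dnsup`, and `dnsup` is a shell function in this file (the next hunk's context shows `dnsup() {`); the new form only works if the remote's sshd-started shell finds `dnsup` as a command, either via an executable in PATH or a `~/.bashrc` that defines the function for non-interactive shells, neither of which this diff shows. If such a wrapper exists, a one-line comment, `# dnsup/dnsb8 are in PATH on li and bk`, would make the dependency visible; otherwise the heredoc was doing necessary work. The same applies to `dnsb8` in bindpushb8 in this hunk.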
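Review bot: `i=0` and the `i=$(( i + 1 ))` counter in dnsb8 are not declared `local`, so the function overwrites a global `i` in the interactive shell that sources brc2, unlike `f` on the line above; `local f=/var/lib/bind/db.b8.nz i=0` fixes it. The timeout message `echo "dnsb8: error: timeout waiting for named to exit"` goes to stdout; as an error it belongs on stderr with `>&2`. The comment `# jbk is like a temp file. dunno if removing it helps` would read better as a statement of what is known, e.g. `# .jbk is a named scratch file; removed alongside the journals`.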
@@ -74,7 +74,7 @@ set-location() { kd|frodo) at_home=true ;; - x2|x3|sy) + x2|x3|sy|so) if [[ $(dig +short @10.2.0.1 -x 10.2.0.2 2>&1 ||:) == kd.b8.nz. ]] \ && ip n show 10.2.0.1 | grep . &>/dev/null; then at_home=true @@ -92,7 +92,7 @@ exit-if-no-default-targets() { mexit 0 fi case $HOSTNAME in - kw|kd|frodo|x2|x3|sy) : ;; + kw|kd|frodo|x2|x3|sy|so) : ;; *) die "error: no default targets for this host, use -t" ;; @@ -366,6 +366,7 @@ if [[ ! -v targets && ! $source ]]; then wireless_home_hosts=( x2 sy + so ) for h in ${wireless_home_hosts[@]}; do if [[ $HOSTNAME != "$h" ]]; then @@ -500,6 +501,7 @@ if $verbose; then for opt in ${opts_show[@]}; do if $first; then printf "%s" "$opt" + first=false else printf " %s" "$opt" fi @@ -575,13 +577,17 @@ else sshable=() sshfail=() + remote_str_cmd="mkdir -p /mnt/root/btrbk /mnt/o/btrbk && \ +date +%z && \ +df --output=size,pcent / | tail -n1" + for h in ${targets[@]}; do if $fast || $conf_only; then # Use some typical values in this case root_size=$(( 1024 * 1024 * 2000 )) #2tb percent_used=10 zone=$(date +%z) - elif remote_str=$(timeout -s 9 6 ssh root@$h "mkdir -p /mnt/root/btrbk /mnt/o/btrbk && date +%z && df --output=size,pcent / | tail -n1"); then + elif remote_str=$(timeout -s 9 6 ssh root@$h "$remote_str_cmd"); then mapfile -t tmp_array <<<"$remote_str" zone="${tmp_array[0]}" IFS=" " read -r root_size percent_used <<<"${tmp_array[1]}" @@ -606,6 +612,7 @@ else min_root_kb=$(( 1024 * 1024 * 200 )) # 200 gb tmp=$(( root_size < min_root_kb )) if (( tmp )); then + e "warning: $h: root_size=$root_zie < 200gb, perhaps it is booted to bootstrap vol. skipping for now" continue fi @@ -643,7 +650,7 @@ else fi done if [[ ! ${sshable[*]} ]] || { $force && [[ ${sshfail[*]} ]]; }; then - die "failed to ssh to hosts: ${sshfail[*]}" + die "see skipped host warning above or sshfail hosts: ${sshfail[*]}" else if [[ ${sshfail[*]} ]]; then ret=1 
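Review bot: the new warning at @@ -606 interpolates `$root_zie`, which is never assigned; the value meant is `$root_size` from the line above, so the message prints an empty size (or aborts with an unbound-variable error if bash-bear sets `-u`, not visible here). Change it to `e "warning: $h: root_size=$root_size < 200gb, perhaps it is booted to bootstrap vol. skipping for now"`. The `die` message changed at @@ -643 now directs the user to this warning, so it is worth getting right.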
@@ -876,7 +883,8 @@ if [[ $ret == 0 ]]; then m ssh root@$tg 'btrbk-spread-wrap &>/dev/null Date: Tue, 23 Apr 2024 23:32:34 -0400 Subject: [PATCH 13/16] new host related fixes --- brc2 | 2 +- distro-begin | 2 +- distro-end | 14 +++++++------- dsremote | 3 +-- mail-backup-clean | 4 ++++ pkgs | 3 ++- 6 files changed, 16 insertions(+), 12 deletions(-) diff --git a/brc2 b/brc2 index 33384bc..2795e2e 100644 --- a/brc2 +++ b/brc2 @@ -4480,7 +4480,7 @@ hssh-update() { case $HOSTNAME in sy|kd) hosts=( - kd x3.office.fsf.org syw + kd.b8.nz x3.office.fsf.org syw x2.b8.nz ) ;; x3) diff --git a/distro-begin b/distro-begin index 4638980..8da3f16 100755 --- a/distro-begin +++ b/distro-begin @@ -55,7 +55,7 @@ ### make ssh interactive shell run better. for when running line interactively line by line -sudo bash -c '/a/exe/ssh-emacs-setup' +sudo bash -c '/a/exe/ssh-emacs-setup' || exit $? ##### setup error handling interactive=true # set this to false to force set -x diff --git a/distro-end b/distro-end index 77cfa4b..e9b797a 100755 --- a/distro-end +++ b/distro-end @@ -167,8 +167,6 @@ EOF t=$(mktemp) case $n in bookworm) - cat >$t <<'EOF' -EOF cat >$t < Date: Wed, 24 Apr 2024 00:52:50 -0400 Subject: [PATCH 14/16] minor fixes/improves for new host --- brc2 | 2 +- disabled/nagios | 124 ++++++++++++++++++++++++++++++++++++++++++++++++ distro-begin | 2 +- distro-end | 122 +++++------------------------------------------ mail-setup | 19 +++++--- 5 files changed, 151 insertions(+), 118 deletions(-) create mode 100644 disabled/nagios diff --git a/brc2 b/brc2 index 2795e2e..e936bad 100644 --- a/brc2 +++ b/brc2 @@ -2777,7 +2777,7 @@ EOF for f in "${files[@]}"; do host=${f%%/*} if [[ ! ${vpn_ips[$host]} ]]; then - e /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service + e rm /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service fi done 
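Review bot: Whether the changed line in the brc2 stray-file loop (hunk @@ -2777) actually deletes the unit file depends on what the `e` helper does: elsewhere in this series it is used for messages (`e "warning: ..."` in btrbk-run), and if it only echoes, `e rm ...` reports the file without removing it, which is fine for a dry run but not if cleanup is intended. If removal is the intent, `rm -fv -- /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service` says so unambiguously; otherwise a comment such as `# report only; remove by hand` would make the dry-run nature explicit.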
diff --git a/disabled/nagios b/disabled/nagios
new file mode 100644
index 0000000..f9f38eb
--- /dev/null
+++ b/disabled/nagios
@@ -0,0 +1,124 @@
+#!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# this was part of distro-end
+
+### begin nagios ###
+
+pi nagios-nrpe-server
+
+case $HOSTNAME in
+ kd)
+ # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
+ pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
+ s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ # to add a password for admin:
+ # htdigest /etc/nagios4/htdigest.users Nagios4 iank
+ # now using the same pass as prometheus
+
+ # nagstamon auth settings, set to digest instead of basic.
+ + web-conf -p 3005 - apache2 i.b8.nz <<'EOF' +# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf + +ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 +ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 + +# Where the stylesheets (config files) reside +Alias /nagios4/stylesheets /etc/nagios4/stylesheets + +# Where the HTML pages live +Alias /nagios4 /usr/share/nagios4/htdocs + + + Options FollowSymLinks + DirectoryIndex index.php index.html + AllowOverride AuthConfig + # + # The default Debian nagios4 install sets use_authentication=0 in + # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. + # This is insecure. As a compromise this default apache2 configuration + # only allows private IP addresses access. + # + # The ... below shows how you can secure the nagios4 + # web site so anybody can view it, but only authenticated users can issue + # commands (such as silence notifications). To do that replace the + # "Require all granted" with "Require valid-user", and use htdigest + # program from the apache2-utils package to add users to + # /etc/nagios4/htdigest.users. + # + # A step up is to insist all users validate themselves by moving + # the stanza's in the .. into the . + # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you + # can configure which people get to see a particular service from + # within the nagios configuration. + # + AuthDigestDomain "Nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4-htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Nagios4" + AuthType Digest + Require valid-user + + + + Options +ExecCGI + +EOF + ;; +esac + +# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. 
for example: +# notifications_enabled=1 +# note, the same variable exists in the correspdonding "define service {" + +# in the default config, we have these definitions + +# 11 define command { +# 2 define contact { +# 1 define contactgroup { +# 9 define host { +# 4 define hostgroup { +# 23 define service { +# 5 define timeperiod { + + +# on klaxon + +# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c +# 76 define command +# 11 define contact +# 6 define contactgroup +# 162 define host +# 1 define hostextinfo +# 16 define hostgroup +# 3040 define service +# 2 define servicedependency +# 6 define timeperiod + + + + +### end nagios ### diff --git a/distro-begin b/distro-begin index 8da3f16..5752961 100755 --- a/distro-begin +++ b/distro-begin @@ -382,7 +382,7 @@ if [[ -e $f ]]; then fi fi done - if $apparmor_reload && systemctl is-enabled apparmor; then + if $apparmor_reload && systemctl is-active apparmor; then m ser reload apparmor fi fi diff --git a/distro-end b/distro-end index e9b797a..19cdaba 100755 --- a/distro-end +++ b/distro-end @@ -1906,10 +1906,11 @@ case $HOSTNAME in # listen on the wireguard interface *) - wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf) - # old filename. remove once all hosts are updated. - s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf - web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF' + if [[ -e /etc/wireguard/wghole.conf ]]; then + wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf) + # old filename. remove once all hosts are updated. + s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf + web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF' AuthType Basic AuthName "basic_auth" 
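Review bot: In the apache stanza written by disabled/nagios, `AuthUserFile "/etc/nagios4-htdigest.users"` does not match the path the comment near the top gives for adding a user (`htdigest /etc/nagios4/htdigest.users Nagios4 iank`) nor the one in the stanza's own commentary; one of them is stale, and a comment naming the authoritative file would save the next reader a failed login when this is re-enabled. `AuthGroupFile "/etc/group"` is carried over from the Debian default and is not consulted by `Require valid-user`, so it can be dropped or noted as unused. The content appears to be a verbatim move from distro-end (the removal follows below), so both points predate this commit.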
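Review bot: `systemctl is-active apparmor` in the changed distro-begin condition (hunk @@ -382) prints the unit state to stdout on every run, which is noise inside an `if` test; `if $apparmor_reload && systemctl is-active --quiet apparmor; then` keeps the exit status and drops the output. The switch from is-enabled to is-active is the right test for a reload, since reloading a unit that is enabled but not running fails.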
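Review bot: The new guard `if [[ -e /etc/wireguard/wghole.conf ]]; then` in distro-end (hunk @@ -1906) runs as the invoking user, while the line after it reads the file through `command sudo sed`, which suggests the file or its directory is not readable unprivileged; if /etc/wireguard is mode 700 root as is common, `-e` on a path inside it is false for a non-root user even when the file exists, so the whole block would be skipped. `if sudo test -e /etc/wireguard/wghole.conf; then` runs the check with the same privilege as the read. The case arm and the new if block continue past this hunk.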
@@ -1919,14 +1920,14 @@ AuthUserFile "/etc/prometheus-export-htpasswd" Require valid-user EOF - # For work, i think we will just use the firewall for hosts in the main data center, and - # vpn for hosts outside it. + # For work, i think we will just use the firewall for hosts in the main data center, and + # vpn for hosts outside it. - # TODO: figure out how to detect the ping failure and try again. + # TODO: figure out how to detect the ping failure and try again. - # Binding to the wg interface, it might go down, so always restart, and wait for it on boot. - s mkdir /etc/systemd/system/apache2.service.d - sd /etc/systemd/system/apache2.service.d/restart.conf < - Options FollowSymLinks - DirectoryIndex index.php index.html - AllowOverride AuthConfig - # - # The default Debian nagios4 install sets use_authentication=0 in - # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. - # This is insecure. As a compromise this default apache2 configuration - # only allows private IP addresses access. - # - # The ... below shows how you can secure the nagios4 - # web site so anybody can view it, but only authenticated users can issue - # commands (such as silence notifications). To do that replace the - # "Require all granted" with "Require valid-user", and use htdigest - # program from the apache2-utils package to add users to - # /etc/nagios4/htdigest.users. - # - # A step up is to insist all users validate themselves by moving - # the stanza's in the .. into the . - # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you - # can configure which people get to see a particular service from - # within the nagios configuration. 
- # - AuthDigestDomain "Nagios4" - AuthDigestProvider file - AuthUserFile "/etc/nagios4-htdigest.users" - AuthGroupFile "/etc/group" - AuthName "Nagios4" - AuthType Digest - Require valid-user - - - - Options +ExecCGI - -EOF - ;; -esac - -# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example: -# notifications_enabled=1 -# note, the same variable exists in the correspdonding "define service {" - -# in the default config, we have these definitions - -# 11 define command { -# 2 define contact { -# 1 define contactgroup { -# 9 define host { -# 4 define hostgroup { -# 23 define service { -# 5 define timeperiod { - - -# on klaxon - -# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c -# 76 define command -# 11 define contact -# 6 define contactgroup -# 162 define host -# 1 define hostextinfo -# 16 define hostgroup -# 3040 define service -# 2 define servicedependency -# 6 define timeperiod - - - - -### end nagios ### - ### begin bitcoin ### case $HOSTNAME in diff --git a/mail-setup b/mail-setup index 3ac3476..050a716 100755 --- a/mail-setup +++ b/mail-setup @@ -454,7 +454,7 @@ fi bhost_t=false case $HOSTNAME in $MAIL_HOST) : ;; - kd|frodo|x2|x3|kw|sy|bo) + kd|x2|x3|kw|sy|bo|so) bhost_t=true ;; esac @@ -1143,6 +1143,10 @@ banaction = iptables-exim ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1 EOF if $ur; then + # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. + if [[ ! -e /var/log/exim4/mainlog ]]; then + install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog + fi m systemctl restart fail2ban fi 
@@ -2533,8 +2537,8 @@ EOF m mkdir -p $rctmpdir /m/rc m chown -R www-data.www-data $rctmpdir /m/rc m chmod 750 $rctmpdir - # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. # todo: check for other mailinabox things + # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start. m sudo -u www-data touch $rclogdir/errors.log #### begin carddav install @@ -3564,11 +3568,13 @@ backup_local: EOF # Bind to wghole to receive mailbackup. - wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf) - cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf < Date: Wed, 24 Apr 2024 00:53:09 -0400 Subject: [PATCH 15/16] fix vpn host naming --- .../filesystem/etc/systemd/system/openvpn-client-tr@.service | 0 .../filesystem/etc/systemd/system/openvpn-client-tr@.service | 0 .../filesystem/etc/systemd/system/openvpn-client-tr@.service | 0 .../filesystem/etc/systemd/system/openvpn-client-tr@.service | 4 ++-- 4 files changed, 2 insertions(+), 2 deletions(-) rename machine_specific/{bow => bo}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%) rename machine_specific/{sow => so}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%) rename machine_specific/{syw => sy}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%) rename machine_specific/{x2w => x2}/filesystem/etc/systemd/system/openvpn-client-tr@.service (94%) diff --git a/machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service similarity index 100% rename from machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service rename to machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service 
diff --git a/machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 100%
rename from machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service
diff --git a/machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 100%
rename from machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
diff --git a/machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 94%
rename from machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
index 9d386a8..8a764b1 100644
--- a/machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service
+++ b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -24,10 +24,10 @@ LimitNPROC=10 # we use .1 to make this be on a different network than kd, so that we can # talk to transmission on kd from remote host, and still use this # vpn. -ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i +ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.23 start %i ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules # allow wireguard network to connect -ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.28.1 dev veth1-client +ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.23.1 dev veth1-client ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i PrivateNetwork=true BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind -- 2.30.2 From ef95a0340c000f1b047928e92bbb82f538726c51 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Wed, 24 Apr 2024 15:22:48 -0400 Subject: [PATCH 16/16] update bitcoin, new host related fixes --- brc2 | 10 ++++++++-- distro-begin | 4 +++- distro-end | 4 ++-- filesystem/etc/systemd/system/bitcoind.service | 16 +++++++++++----- filesystem/usr/local/bin/bitcoinon | 2 +- machine_specific/btrbk.hosts | 1 + machine_specific/s76.hosts | 1 + mail-setup | 2 +- switch-mail-host | 8 -------- 9 files changed, 28 insertions(+), 20 deletions(-) diff --git a/brc2 b/brc2 index e936bad..45249e6 100644 --- a/brc2 +++ b/brc2 @@ -2749,7 +2749,13 @@ EOF echo "EOF" } | u /p/c/dnsmasq-data + b8_ip=$(dig +short b8.nz @iankelling.org | tail -1) + if [[ ! $b8_ip ]]; then + echo "$0: error: got empty b8.nz ip. returning 1" + return 1 + fi { + echo "@ A $b8_ip" for host in ${!nonvpn_ips[@]}; do ipsuf=${nonvpn_ips[$host]} echo "$host A 10.2.0.$ipsuf" 
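Review bot: `dig +short` writes resolver failures such as `;; communications error ...` to stdout, so after `| tail -1` the new `[[ ! $b8_ip ]]` test in brc2 (hunk @@ -2749) lets a non-empty error string through and it is emitted as `@ A ;; ...` in the zone data. Check the shape instead: `if [[ ! $b8_ip =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then`, and send the message to stderr with `>&2`; `$0` inside a function is the shell or script name, so `${FUNCNAME[0]}` names the function in the message. The surrounding function starts and ends outside the hunk.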
@@ -2768,12 +2774,12 @@ EOF echo checking for stray files: - initial_dir=$PWD + initial_dir="$PWD" cd /a/bin/ds/machine_specific ngset files=( */filesystem/etc/systemd/system/openvpn-client-tr@.service ) ngreset - cd $initial_dir + cd "$initial_dir" for f in "${files[@]}"; do host=${f%%/*} if [[ ! ${vpn_ips[$host]} ]]; then diff --git a/distro-begin b/distro-begin index 5752961..e97c6c3 100755 --- a/distro-begin +++ b/distro-begin @@ -25,6 +25,8 @@ # /a/bin/ds/filesystem/etc/prometheus/rules/iank.yml # # Update hostnames in /b/ds/check-remote-mailqs +# Update hostnames in /b/ds/machine_specific/*.hosts /p/c/machine_specific/*.hosts +# Update hostnames in this file ### end new machine setup @@ -111,7 +113,7 @@ source $script_dir/pkgs set +x source /a/bin/distro-functions/src/identify-distros $interactive || set -x -for f in kd x2 x3 x8 frodo tp li bk je demohost kw sy bo; do +for f in kd x2 x3 x8 frodo tp li bk je demohost kw sy bo so; do eval "$f() { [[ $HOSTNAME == $f ]]; }" done codename=$(debian-codename) diff --git a/distro-end b/distro-end index 19cdaba..066264b 100755 --- a/distro-end +++ b/distro-end @@ -1946,8 +1946,8 @@ esac ### begin bitcoin ### case $HOSTNAME in - sy|kd) - sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-26.0/bin/* + sy|kd|so) + sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-27.0/bin/* # Note: i leave it to system-status to start and stop bitcoin. # note: the bitcoin user & group are setup in fai sudo usermod -a -G bitcoin iank diff --git a/filesystem/etc/systemd/system/bitcoind.service b/filesystem/etc/systemd/system/bitcoind.service index 1a754e9..1c3377f 100644 --- a/filesystem/etc/systemd/system/bitcoind.service +++ b/filesystem/etc/systemd/system/bitcoind.service 
@@ -1,5 +1,5 @@ # iank: copied from /a/opt/bitcoin/contrib/init/bitcoind.service -# for sources as of 2022-11-14 +# for sources as of 2024-04-22 # It is not recommended to modify this file in-place, because it will # be overwritten during package upgrades. If you want to add further @@ -25,10 +25,11 @@ Wants=network-online.target # between 100% and 180% cpu and makes the fan spin annoyingly. # 50% still had annoying fan spin. trying out 20% CPUQuota=20% -ExecStart=/usr/bin/bitcoind -daemonwait \ - -pid=/run/bitcoind/bitcoind.pid \ +ExecStart=/usr/bin/bitcoind -pid=/run/bitcoind/bitcoind.pid \ -conf=/etc/bitcoin/bitcoin.conf \ - -datadir=/var/lib/bitcoind + -datadir=/var/lib/bitcoind \ + -startupnotify='systemd-notify --ready' \ + -shutdownnotify='systemd-notify --stopping' # Make sure the config directory is readable by the service user PermissionsStartOnly=true @@ -37,8 +38,10 @@ ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin # Process management #################### -Type=forking +Type=notify +NotifyAccess=all PIDFile=/run/bitcoind/bitcoind.pid + Restart=on-failure TimeoutStartSec=infinity TimeoutStopSec=600 @@ -85,5 +88,8 @@ PrivateDevices=true # Deny the creation of writable and executable memory mappings. MemoryDenyWriteExecute=true +# Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced +SystemCallArchitectures=native + [Install] WantedBy=multi-user.target diff --git a/filesystem/usr/local/bin/bitcoinon b/filesystem/usr/local/bin/bitcoinon index 0b64d4d..d2509c7 100755 --- a/filesystem/usr/local/bin/bitcoinon +++ b/filesystem/usr/local/bin/bitcoinon @@ -22,7 +22,7 @@ [[ $EUID == 0 ]] || exec sudo "${BASH_SOURCE[0]}" -if [[ -e /tmp/no-bitcoinon ]]; then +if [[ -e /tmp/no-bitcoinon || ! -d /var/lib/bitcoind || ! -x /usr/bin/bitcoind ]]; then exit 0 fi systemctl start bitcoind diff --git a/machine_specific/btrbk.hosts b/machine_specific/btrbk.hosts index 43e86f2..54f98fb 100644 --- a/machine_specific/btrbk.hosts +++ b/machine_specific/btrbk.hosts 
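Review bot: `NotifyAccess=all` in the Type=notify block (hunk @@ -37) deserves a comment, because the ready and stopping messages now come from the `systemd-notify` child processes spawned via the -startupnotify/-shutdownnotify options added in hunk @@ -25, not from the bitcoind main process; with the default NotifyAccess=main those messages are ignored and, combined with `TimeoutStartSec=infinity`, the unit would sit in activating indefinitely. Suggested: `# NotifyAccess=all: readiness is signalled by the systemd-notify child from -startupnotify, not by bitcoind itself`.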
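Review bot: The extended condition in bitcoinon still keys on `/tmp/no-bitcoinon`, a path any local account can create because /tmp is world-writable, and the script runs as root via the `exec sudo` just above it; that lets an unprivileged user keep bitcoind from starting. A root-owned location (a file under /etc or /run, with a comment naming it) keeps the opt-out flag under root's control. The added `! -d /var/lib/bitcoind || ! -x /usr/bin/bitcoind` checks are consistent with the datadir in bitcoind.service and the install target in distro-end.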
@@ -4,4 +4,5 @@ x2 x3 frodo sy +so bo diff --git a/machine_specific/s76.hosts b/machine_specific/s76.hosts index 90a6702..23f1aa3 100644 --- a/machine_specific/s76.hosts +++ b/machine_specific/s76.hosts @@ -1,2 +1,3 @@ bo sy +so diff --git a/mail-setup b/mail-setup index 050a716..9ada9b6 100755 --- a/mail-setup +++ b/mail-setup @@ -2868,7 +2868,7 @@ debbugsconfig # ld for local debbugs -/a/exe/web-conf -t -a 127.0.1.1 -p 80 -r /var/lib/debbugs/www - apache2 ld <<'EOF' +/a/exe/web-conf -l -t -a 127.0.1.1 -p 80 -r /var/lib/debbugs/www - apache2 ld <<'EOF' # copied from debbugs upstream example Options Indexes SymLinksIfOwnerMatch MultiViews diff --git a/switch-mail-host b/switch-mail-host index 56676b9..053134a 100644 --- a/switch-mail-host +++ b/switch-mail-host @@ -395,12 +395,4 @@ if (( ret )); then exit $ret fi -if ! $mail_only && [[ -e /p/profanity-here ]]; then - m $new_shell systemctl --now enable profanity || ret=$? - if (( ret )); then - err "failed final systemctl --now enable profanity, just fix and rerun" - exit $ret - fi -fi - m exit 0 -- 2.30.2