From ec4efaeb603f21de169aeedff4907d2279bada3a Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Wed, 17 Apr 2024 22:59:31 -0400
Subject: [PATCH 01/16] improve automatic updates
---
distro-end | 3 ++-
filesystem/usr/local/bin/myupgrade | 6 ++++++
filesystem/usr/local/bin/myupgrade-iank | 4 ++--
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/distro-end b/distro-end
index 500a496..d81950c 100755
--- a/distro-end
+++ b/distro-end
@@ -1563,7 +1563,8 @@ m /a/bin/buildscripts/go
# only needed for rg. cargo takes up 11 gigs, filled up the disk on je.
m /a/bin/buildscripts/rust
m /a/bin/buildscripts/misc
-m /a/bin/buildscripts/pithosfly
+
+#m /a/bin/buildscripts/pithosfly
#m /a/bin/buildscripts/alacritty
#m /a/bin/buildscripts/kitty
diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade
index 664c2d2..49197fb 100755
--- a/filesystem/usr/local/bin/myupgrade
+++ b/filesystem/usr/local/bin/myupgrade
@@ -84,6 +84,12 @@ case $hn in
;;
esac
+case $hn in
+ sy)
+ /b/fai/config/distro-install-common/install-stable-kernel-debs
+ ;;
+esac
+
# TODO: executed from cron, this doesnt sent an email when we reboot,
# because rebooting from the script stops the ability to send email.
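Review bot: The exit status of `/b/fai/config/distro-install-common/install-stable-kernel-debs` is not checked, and this runs from an unattended upgrade, so a failed or partial kernel install is silent unless the script is under `set -e` (not visible in this hunk); `… || echo "myupgrade: install-stable-kernel-debs failed" >&2` at least lands the failure in the cron mail. The new `case $hn in sy)` also re-dispatches on the same `$hn` the `case` closing just above already switched on; folding `sy)` into that statement keeps the per-host steps in one place. The enclosing script continues outside the hunk.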
diff --git a/filesystem/usr/local/bin/myupgrade-iank b/filesystem/usr/local/bin/myupgrade-iank
index e2e3296..7c7a2bf 100755
--- a/filesystem/usr/local/bin/myupgrade-iank
+++ b/filesystem/usr/local/bin/myupgrade-iank
@@ -35,6 +35,7 @@ fi
hn=$(hostname -f)
+/a/bin/buildscripts/go
/a/bin/buildscripts/rust
has_x=false
@@ -46,12 +47,11 @@ for pkg in xorg wayland; do
done
if $has_x; then
- /a/bin/buildscripts/tor-browser
/a/bin/buildscripts/misc
+ /a/bin/buildscripts/tor-browser
fi
-
# source /a/bin/distro-setup/path-add-function
# export GOPATH=$HOME/go
# path-add $GOPATH/bin
--
2.30.2
From 1723d09bec8364d16a156b195fd08b9f62cbc98b Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Thu, 18 Apr 2024 01:22:18 -0400
Subject: [PATCH 02/16] mail perf tuning
---
mail-setup | 43 +++++++++++++++++++++++++++----------------
mount-latest-subvol | 4 +++-
2 files changed, 30 insertions(+), 17 deletions(-)
diff --git a/mail-setup b/mail-setup
index 08ec7ae..9c46689 100755
--- a/mail-setup
+++ b/mail-setup
@@ -2061,6 +2061,23 @@ protocol lmtp {
# default is just $mail_plugins
mail_plugins = $mail_plugins sieve
}
+
+# /etc/dovecot/conf.d/10-master.conf says the default is 256M.
+# but I started getting oom errors in the syslog
+# Mar 27 15:10:04 sy dovecot[330088]: lmtp(iank)<3839880>: Fatal: master: service(lmtp): child 3839880 returned error 83 (Out of memory (service lmtp { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)
+# exim would just queue mail until it eventually succeeded.
+# Deciding what to increase it to, I found this
+# https://dovecot.org/list/dovecot/2011-December/080056.html
+# which suggests 3x the largest dovecot.index.cache file
+# and then I found that
+# md/l/testignore/dovecot.index.cache is 429M, my largest cache file,
+# but that folder only has 2k messages.
+# next biggest is md/l/qemu-devel/dovecot.index.cache 236M
+# which lead to me a search https://doc.dovecot.org/admin_manual/known_issues/large_cache/
+# which suggests 1.5x the maximum cache file size 1G, and
+# that I can safely rm the index.
+default_vsz_limit = 1500M
+
EOF
if dpkg --compare-versions "$(dpkg-query -f='${Version}\n' --show dovecot-core)" ge 1:2.3; then
cat <>/etc/dovecot/local.conf <: Fatal: master: service(lmtp): child 3839880 returned error 83 (Out of memory (service lmtp { vsz_limit=256 MB }, you may need to increase it) - set CORE_OUTOFMEM=1 environment to get core dump)
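Review bot: `default_vsz_limit = 1500M` is global, so it raises the address-space cap for every Dovecot service (imap, imap-login, auth, …) while the OOM quoted in the comment came only from lmtp; `service lmtp { vsz_limit = 1500M }` fixes the reported failure and keeps the tighter default for the network-facing login processes. The sizing rationale (1.5× a 1 GB cache file) is also superseded once the cache is capped by `mail_cache_max_size` later in this same commit, so a one-line note such as `# with mail_cache_max_size capped this is a safety margin, not a sizing` would stop the two settings drifting apart.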
-# exim would just queue mail until it eventually succeeded.
-# Deciding what to increase it to, I found this
-# https://dovecot.org/list/dovecot/2011-December/080056.html
-# which suggests 3x the largest dovecot.index.cache file
-# and then I found that
-# md/l/testignore/dovecot.index.cache is 429M, my largest cache file,
-# but that folder only has 2k messages.
-# next biggest is md/l/qemu-devel/dovecot.index.cache 236M
-# which lead to me a search https://doc.dovecot.org/admin_manual/known_issues/large_cache/
-# which suggests 1.5x the maximum cache file size 1G, and
-# that I can safely rm the indix
-default_vsz_limit = 1500M
+# This will decrease memory use, and seems likely to decrease cpu & disk
+# use since I rarely use dovecot for most folders.
+mail_cache_max_size = 50M
+
# simple password file based login
!include conf.d/auth-passwdfile.conf.ext
# ian: %u is used for alerts user vs iank
-mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX
+mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX:INDEX=/var/dovecot-indexes/%u
mail_uid = $u
mail_gid = $u
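Review bot: `INDEX=/var/dovecot-indexes/%u` points the index files at a directory that nothing in this hunk creates; the mail process runs as `mail_uid`/`mail_gid` (`$u`, the two lines below) and cannot create a new top-level directory under `/var`, so unless mail-setup creates it elsewhere, delivery and IMAP will fail once this config is applied. Add something like `install -d -m 700 -o "$u" -g "$u" /var/dovecot-indexes/$u` before the heredoc, or at least `install -d /var/dovecot-indexes` with ownership that lets the `%u` subdirectory be created. A comment that indexes now live outside `/m` — and so outside whatever snapshots or backups `/m` gets, which is fine because they are rebuildable — would also help the next reader.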
diff --git a/mount-latest-subvol b/mount-latest-subvol
index c66eebc..eb682f4 100644
--- a/mount-latest-subvol
+++ b/mount-latest-subvol
@@ -271,8 +271,10 @@ fi
fa=(/mnt/o/btrbk/o.*); f=${fa[0]}
if [[ -e $f ]]; then
if [[ $o_dev != "$root_dev" ]]; then
+ # ,compress=zstd regardless of mopts since these are all text files
+ # and it cuts disk use by about half.
fstab <
Date: Thu, 18 Apr 2024 02:28:33 -0400
Subject: [PATCH 03/16] minor fixes
---
mount-latest-remote | 4 ++--
ssh-emacs-setup | 4 +++-
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/mount-latest-remote b/mount-latest-remote
index 3363311..f63a6f7 100755
--- a/mount-latest-remote
+++ b/mount-latest-remote
@@ -26,8 +26,8 @@
set -e; . /usr/local/lib/bash-bear; set +e
-readonly this_file; this_file="$(readlink -f -- "${BASH_SOURCE[0]}")";
-script_dir=${this_file%/*}
+this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"
+readonly this_file script_dir="${this_file%/*}"
if (( ! $# )); then
echo "mount-latest-remote: error: a host argument"
diff --git a/ssh-emacs-setup b/ssh-emacs-setup
index b89f2bd..309ab0a 100755
--- a/ssh-emacs-setup
+++ b/ssh-emacs-setup
@@ -32,7 +32,9 @@ if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
-readonly this_file; this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd ${this_file%/*}
+this_file="$(readlink -f -- "${BASH_SOURCE[0]}")"
+readonly this_file this_dir="${this_file%/*}"
+cd "$this_dir"
# get rid of useless motd stuff
sed -i --follow-symlinks 's/^\s*PrintLastLog .*/PrintLastLog no/' /etc/ssh/sshd_config
rm -f /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
--
2.30.2
From b3550a17945f87000eca28a3ea9ed7ee87895121 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Thu, 18 Apr 2024 10:28:57 -0400
Subject: [PATCH 04/16] fix switch-host2
---
switch-mail-host | 59 +++++++++++++++++++++++++-----------------------
1 file changed, 31 insertions(+), 28 deletions(-)
diff --git a/switch-mail-host b/switch-mail-host
index b0b35a6..56676b9 100644
--- a/switch-mail-host
+++ b/switch-mail-host
@@ -134,6 +134,26 @@ source /a/bin/bash_unpublished/source-state
direction=$1
host=$2
+case $script_name in
+ switch-mail-host)
+ if [[ $MAIL_HOST != "$HOST2" ]]; then
+ mail_only=true
+ fi
+ ;;
+ switch-host2)
+ host2_only=true
+ ;;
+ *)
+ err unexpected script name
+ ;;
+esac
+
+if $mail_only; then
+ mp_args="-m /o"
+elif $host2_only; then
+ mp_args="-m /a,/q,/qd,/qr"
+fi
+
if ! $force && { $check_installed || [[ $direction == push ]]; } ; then
install_bin_files=(
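Review bot: Moving the `case $script_name` block up means `mail_only` and `host2_only` must already be initialised to `false` here; in bash `if $mail_only; then` with the variable unset expands to an empty command, which succeeds, so an uninitialised `mail_only` would silently take the then-branch. Confirm their defaults are set above this hunk and not somewhere between the old and new positions. `mp_args="-m /o"` also relies on unquoted word-splitting at its use site; an array, `mp_args=(-m /o)` / `mp_args=(-m /a,/q,/qd,/qr)` expanded as `"${mp_args[@]}"`, avoids that. The option handling this depends on starts outside the hunk.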
@@ -196,7 +216,7 @@ case $direction in
fi
done
if $diff; then
- e "found different version on old_host=$old_hostname, reexecing"
+ e "found different version on old_host=$old_host, reexecing"
m /usr/local/bin/switch-mail-host --pull-reexec "${orig_args[@]}"
exit 0
fi
@@ -218,25 +238,6 @@ case $direction in
;;
esac
-case $script_name in
- switch-mail-host)
- if [[ $MAIL_HOST != "$HOST2" ]]; then
- mail_only=true
- fi
- ;;
- switch-host2)
- host2_only=true
- ;;
- *)
- err unexpected script name
- ;;
-esac
-
-if $mail_only; then
- mp_args="-m /o"
-elif $host2_only; then
- mp_args="-m /a,/q,/qd,/qr"
-fi
if ! $force; then
if $host2_only; then
@@ -288,12 +289,13 @@ while $active; do
done
done
-# ensure these are unused before doing anything
-e "On $new_host: umounting /m and /o, checking emacs"
-{
- cat /usr/local/bin/unsaved-buffers
- if ! $host2_only; then
- cat <
Date: Thu, 18 Apr 2024 10:32:48 -0400
Subject: [PATCH 05/16] fix for btrbk-run archive
---
btrbk-run | 1 +
1 file changed, 1 insertion(+)
diff --git a/btrbk-run b/btrbk-run
index 70fc704..7a22d42 100644
--- a/btrbk-run
+++ b/btrbk-run
@@ -28,6 +28,7 @@
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
set -e; . /usr/local/lib/bash-bear; set +e
+shopt -s nullglob
usage() {
cat <<'EOF'
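Review bot: `shopt -s nullglob` at the top of the script changes every unquoted pattern in the file, not only the array-assignment globs this is presumably fixing; any later `cmd /path/foo*` that matches nothing now runs `cmd` with the argument silently dropped (an `ls`, `rm` or `btrfs subvolume` call with no operand) instead of failing on the literal pattern. Worth a one-time audit of the script's globs, or scoping it with `shopt -s nullglob` / `shopt -u nullglob` around the assignments that need it. A comment on the line, `# unmatched globs expand to nothing; array globs below rely on this`, would tell the next reader it is deliberate.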
--
2.30.2
From 7f94df0eb6002f4fd05ab3fc2d61e94a92ef5a1a Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Thu, 18 Apr 2024 14:24:26 -0400
Subject: [PATCH 06/16] various fixes
---
brc2 | 2 +-
btrbk-run | 5 ++++-
check-subvol-stale | 2 +-
distro-end | 5 ++++-
mail-cert-cron | 21 +++++++++++++++++++--
mail-setup | 11 ++++++-----
6 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/brc2 b/brc2
index a28d7b7..aa370ac 100644
--- a/brc2
+++ b/brc2
@@ -2950,7 +2950,7 @@ mdenable() {
two=false
case $1 in
- -2) two=true shift ;;
+ -2) two=true; shift ;;
esac
for md; do
diff --git a/btrbk-run b/btrbk-run
index 7a22d42..93e8dab 100644
--- a/btrbk-run
+++ b/btrbk-run
@@ -542,7 +542,10 @@ if ! $pull_reexec && [[ $source ]] && $pulla ; then
fi
fi
-
+# todo: check if we have no snapshots yet, because I always want to run
+# archive instead of run. Likely, I should give an error unless a cli
+# override is passed. perhaps check-subvol-stale could give the error.
+# see the error message "no snapshots found" in that file.
if ! $fast; then
# if our mountpoints are from stale snapshots,
# it doesn't make sense to do a backup.
diff --git a/check-subvol-stale b/check-subvol-stale
index af7c60e..9b5e88d 100644
--- a/check-subvol-stale
+++ b/check-subvol-stale
@@ -162,7 +162,7 @@ for d; do
mapfile -t snaps <$tmpf
else
# no snapshots yet
- # TODO: make this an error and override with a cli flag
+ # TODO: consider making this an error and override with a cli flag
echo "$0: warning: no snapshots found at $root_dir/btrbk/$subvol_dir.20*. this is expected for a brand new volume"
continue
fi
diff --git a/distro-end b/distro-end
index d81950c..77cfa4b 100755
--- a/distro-end
+++ b/distro-end
@@ -194,8 +194,11 @@ EOF
if $doupdate; then
tmpdir=$(mktemp -d)
cd $tmpdir
+ # otherwise we get a warning message:
+ # W: Download is performed unsandboxed as root as file '/tmp/tmp.UwxbPFG3CZ/debian-archive-keyring_2021.1.1+deb11u1_all.deb' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
+ chmod 775 .
p download debian-archive-keyring
- s dpkg -i debian-archive-keyring
+ s dpkg -i ./debian-archive-keyring*
p update
cd -
rm -rf $tmpdir
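Review bot: `chmod 775 .` widens a 0700 mktemp directory to world-readable and executable, yet still gives `_apt` (which is "other" on a root-owned directory) no write access, so if the warning disappears it is worth confirming the download actually ran sandboxed — the fetched .deb should be owned by `_apt` — rather than still as root. The targeted fix is to give the sandbox user the directory instead of opening it to everyone: `chown _apt .` while keeping mktemp's 0700. `rm -rf $tmpdir` is also skipped on any failure in between; `trap 'rm -rf "$tmpdir"' EXIT` right after `mktemp -d` covers that. The `if $doupdate` body ends in the hunk but its enclosing block starts outside it.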
diff --git a/mail-cert-cron b/mail-cert-cron
index 01fb689..b69bc28 100755
--- a/mail-cert-cron
+++ b/mail-cert-cron
@@ -25,10 +25,16 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
+interactive=false
case $1 in
# For first run, accept host key. Note, known_hosts is saved in /p.
-1)
opt=(-e 'ssh -oStrictHostKeyChecking=no')
+ shift
+ ;;
+ -i)
+ interactive=true
+ shift
;;
esac
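Review bot: The option handling is a single `case $1`, so only the first flag is consumed: `mail-cert-cron -1 -i` (the invocation added in the later "comments" patch of this series) sets `opt` for `-1`, shifts, and leaves `-i` as an unparsed positional, so `interactive` stays `false`. Wrapping the `case` in a `while [[ $1 == -* ]]` loop with an error arm for unknown flags fixes that, as below. The `try` helper added further down this file ends with an `if`, so it returns 0 whatever `"$@"` returned and prints its message to stdout; a final `return $ret` and `>&2` on the echo would let the ERR trap and the cron mail see the failure. The file continues outside the hunk.

```shell
interactive=false
while [[ $1 == -* ]]; do
  case $1 in
    # For first run, accept host key. Note, known_hosts is saved in /p.
    -1)
      opt=(-e 'ssh -oStrictHostKeyChecking=no')
      shift
      ;;
    -i)
      interactive=true
      shift
      ;;
    *)
      echo "$0: error: unknown option $1" >&2
      exit 1
      ;;
  esac
done
```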
@@ -38,11 +44,22 @@ if [[ -e $f ]]; then
source $f
fi
+try() {
+ local ret=0
+ "$@" || ret=$?
+ if $interactive && (( ret >=1 )); then
+ echo "$0: ERROR: exit $ret on: $*"
+ fi
+}
+
+# note: when certificate is expired, you will get this in /var/log/mail.log when k-9 mail tries to fetch:
+# imap-login: Disconnected: Connection closed: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46 (no auth attempts in 0 secs): user=<>, rip=redacted, lip=10.8.0.4, TLS handshaking: SSL_accept() failed: error:0A000416:SSL routines::sslv3 alert certificate unknown: SSL alert number 46, session=>/etc/dovecot/local.conf <
Date: Thu, 18 Apr 2024 14:34:30 -0400
Subject: [PATCH 07/16] comments
---
mail-setup | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/mail-setup b/mail-setup
index 36b3ab5..e15a31e 100755
--- a/mail-setup
+++ b/mail-setup
@@ -2120,6 +2120,7 @@ mail_cache_max_size = 50M
# ian: %u is used for alerts user vs iank
# https://doc.dovecot.org/configuration_manual/mail_location/Maildir/
mail_location = maildir:/m/%u:LAYOUT=fs:INBOX=/m/%u/INBOX:INDEX=/var/dovecot-indexes/%u
+# note: i don't know if these need to be set, but this seems fine.
mail_uid = iank
mail_gid = iank
@@ -3803,7 +3804,8 @@ case $HOSTNAME in
;;
esac
-# optimization, this only needs to run once.
+# optimization, this only needs to run once. But, if we move to a
+# computer we haven't used much, we need to fetch a fresh cert.
if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/fullchain.pem; then
m /a/bin/ds/mail-cert-cron -1 -i
m systemctl --now enable mailcert.timer
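Review bot: `mail-cert-cron -1 -i` now runs whenever the cert is within three days of expiry, not only on a brand-new machine, and `-1` selects `-oStrictHostKeyChecking=no`, which does not refuse a connection when the stored key for the host has changed — it only disables password auth and forwarding, so a key-based fetch still proceeds to an impostor. `-oStrictHostKeyChecking=accept-new` (OpenSSH ≥ 7.6) accepts a host not yet in known_hosts but rejects a mismatch, which matches the "first run" intent stated in mail-cert-cron; that option line lives in mail-cert-cron, outside this hunk. A comment on this call such as `# -1 relaxes host-key checking; only safe because known_hosts in /p already has the host` would make the trade-off visible here.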
--
2.30.2
From 8e6b1a997f8dcf71feccd390a06a3229277952b8 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Thu, 18 Apr 2024 23:23:05 -0400
Subject: [PATCH 08/16] minor fix
---
mount-latest-subvol | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/mount-latest-subvol b/mount-latest-subvol
index eb682f4..1f4229e 100644
--- a/mount-latest-subvol
+++ b/mount-latest-subvol
@@ -24,6 +24,7 @@ cd /
[[ $EUID == 0 ]] || exec sudo -E "$this_file" "$@"
set -e; . /usr/local/lib/bash-bear; set +e
+shopt -s nullglob
usage() {
cat < 0 )); then
+ all_vols+=(ar)
+ fi
fi
##### end command line parsing ########
@@ -237,7 +242,6 @@ fstab <
Date: Mon, 22 Apr 2024 00:24:05 -0400
Subject: [PATCH 09/16] unify dns related config, change some dns settings
---
brc | 3 +-
brc2 | 85 ++++++++++++++-----
dynamic-ip-update | 5 +-
easiest-to-type-numbers | 83 ++++++++++++++++++
laptop-xrandr | 10 +--
.../systemd/system/openvpn-client-tr@.service | 4 +-
.../systemd/system/openvpn-client-tr@.service | 4 +-
.../systemd/system/openvpn-client-tr@.service | 4 +-
.../systemd/system/openvpn-client-tr@.service | 36 --------
.../systemd/system/openvpn-client-tr@.service | 0
mail-setup | 6 ++
mount-latest-subvol | 2 +-
pkgs | 1 +
ptr-data | 7 --
14 files changed, 171 insertions(+), 79 deletions(-)
create mode 100755 easiest-to-type-numbers
rename machine_specific/{frodo => bow}/filesystem/etc/systemd/system/openvpn-client-tr@.service (94%)
rename machine_specific/{kw => sow}/filesystem/etc/systemd/system/openvpn-client-tr@.service (93%)
rename machine_specific/{sy => syw}/filesystem/etc/systemd/system/openvpn-client-tr@.service (93%)
delete mode 100644 machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename machine_specific/{bo => x2w}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%)
delete mode 100644 ptr-data
diff --git a/brc b/brc
index 2ffd91c..5105c59 100644
--- a/brc
+++ b/brc
@@ -2139,7 +2139,7 @@ pkx() { # package extract
c "$(mktemp -d)"
pkg=$1
# shellcheck disable=SC2012
- cached=$(ls -t /var/cache/apt/archives/${pkg}_* | tail -n1 2>/dev/null) ||:
+ cached=$(ls -t /var/cache/apt/archives/${pkg}_* 2>/dev/null | tail -n1 2>/dev/null) ||:
if [[ $cached ]]; then
m cp $cached .
else
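Review bot: `ls -t … | tail -n1` picks the oldest cached .deb, since `ls -t` lists newest first and `tail -n1` takes the last entry; if `pkx` is meant to extract the newest cached version, the line should read `cached=$(ls -t /var/cache/apt/archives/${pkg}_* 2>/dev/null | head -n1) ||:`. The added `2>/dev/null` on `ls` also hides the "No such file" that previously showed why `cached` came back empty, so the fallback branch is now taken silently. If several versions are routinely cached, a comment stating which one is wanted would settle the `head`/`tail` question for the next reader. The function continues outside the hunk.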
@@ -2900,6 +2900,7 @@ nonet() {
}
m() { printf "%s\n" "$*"; "$@"; }
+m2() { printf "%s\n" "$*" >&2; "$@"; }
# update file. note: duplicated in mail-setup.
# updates $ur u result to true or false
diff --git a/brc2 b/brc2
index aa370ac..9e2b548 100644
--- a/brc2
+++ b/brc2
@@ -840,6 +840,7 @@ mpvrpc-loadfile() {
# q quit
# ret next
#
+# todo: enter should also unpause
beetag() {
local last_genre_i fstring tag id char new_item char_i genre tag remove doplay i j random path
local do_rare_genres read_wait help line lsout tmp ls_line skip_lookback
@@ -2055,6 +2056,7 @@ apache-apply() {
}
# strip out the apache license from a file.
apache-strip() {
+ # shellcheck disable=SC2044 # meh
for f in $(find . -type f -maxdepth 1); do if head -n1 "$f"| grep -E '^#!/bin/bash\b' &>/dev/null; then { head -n 20 $f | tac | sed '/^# limitations under the License.$/,/^# Copyright.*Ian Kelling$/d' | tac; tail -n+21 $f; } |sponge $f; fi ; done
}
@@ -2628,19 +2630,52 @@ wgkey() {
umask $umask_orig
}
-declare -A vpn_ips
-vpn_ips[kd]=2
-# note: 1, 4, 5 are occupied by mail wireguard
-vpn_ips[x3]=8
-vpn_ips[sy]=12
-vpn_ips[x2]=13
-vpn_ips[kw]=27
-vpn_ips[bo]=28
-vpn_ips[frodo]=34
-vpn_ips[s23b]=49
+host-info-update() {
+
+ local -A vpn_ips host_ips host_macs nonvpn_ips
+ local -a root_hosts nonroot_hosts
+
+ # the hosts with no mac
+ root_hosts=( bk je li b8.nz )
+ for h in ${root_hosts[@]}; do
+ root_hosts+=(${h}ex)
+ done
+ root_hosts+=(cmc)
+
+ while read -r ip host mac opts; do
+ if [[ $ip == *#* || ! $host ]]; then continue; fi
+ if [[ $opts == vpn ]]; then
+ vpn_ips[$host]=$ip
+ else
+ nonvpn_ips[$host]=$ip
+ fi
+
+
+ if [[ $opts == user=root ]]; then
+ root_hosts+=($host i$host)
+ else
+ nonroot_hosts+=($host i$host)
+ fi
+
+ host_ips[$host]=$ip
+ host_macs[$host]=$mac
+ done
>$tmpf </dev/null; then
- xrandr --auto
-else
+if [[ $output ]]; then
xrandr --output $output --off
sleep 2
xrandr --output $output --right-of eDP1 --mode 3840x2160
@@ -37,4 +34,7 @@ else
# if the workspace is already there, this will fail
i3-msg '[workspace="'$i'"]' move workspace to output $output ||:
done
+else
+ xrandr --auto
+
fi
diff --git a/machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 94%
rename from machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service
index e96fdd7..9a5afec 100644
--- a/machine_specific/frodo/filesystem/etc/systemd/system/openvpn-client-tr@.service
+++ b/machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -24,10 +24,10 @@ LimitNPROC=10
# we use .1 to make this be on a different network than kd, so that we can
# talk to transmission on kd from remote host, and still use this
# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.34 start %i
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.29 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.34.1 dev veth1-client
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.29.1 dev veth1-client
ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
PrivateNetwork=true
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
diff --git a/machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 93%
rename from machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service
index f6ac66a..dae65d4 100644
--- a/machine_specific/kw/filesystem/etc/systemd/system/openvpn-client-tr@.service
+++ b/machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -24,10 +24,10 @@ LimitNPROC=10
# we use .1 to make this be on a different network than kd, so that we can
# talk to transmission on kd from remote host, and still use this
# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.27 start %i
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.3 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.27.1 dev veth1-client
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.3.1 dev veth1-client
ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
PrivateNetwork=true
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
diff --git a/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 93%
rename from machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service
index d6010de..f85639d 100644
--- a/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
+++ b/machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -24,10 +24,10 @@ LimitNPROC=10
# we use .1 to make this be on a different network than kd, so that we can
# talk to transmission on kd from remote host, and still use this
# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.12 start %i
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.7 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.12.1 dev veth1-client
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.7.1 dev veth1-client
ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
PrivateNetwork=true
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
diff --git a/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
deleted file mode 100644
index d16312d..0000000
--- a/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
+++ /dev/null
@@ -1,36 +0,0 @@
-[Unit]
-Description=OpenVPN tunnel for %I
-After=syslog.target network-online.target
-Wants=network-online.target
-Documentation=man:openvpn(8)
-Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
-Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO
-Requires=iptables.service
-
-[Service]
-Type=notify
-RuntimeDirectory=openvpn-client
-RuntimeDirectoryMode=0710
-WorkingDirectory=/etc/openvpn/client
-ExecStart=/usr/sbin/openvpn --suppress-timestamps --nobind --config /etc/openvpn/client/%i.conf
-# todo, try reenabling this from the default openvpn,
-# it was disabled so we could do bind mounts as a command,
-# but now systemd handles it
-#CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
-LimitNPROC=10
-# DeviceAllow=/dev/null rw
-# DeviceAllow=/dev/net/tun rw
-
-# we use .1 to make this be on a different network than kd, so that we can
-# talk to transmission on kd from remote host, and still use this
-# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.13 start %i
-ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
-# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.13.1 dev veth1-client
-ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
-PrivateNetwork=true
-BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
-
-[Install]
-WantedBy=multi-user.target
diff --git a/machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 100%
rename from machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service
diff --git a/mail-setup b/mail-setup
index e15a31e..3ac3476 100755
--- a/mail-setup
+++ b/mail-setup
@@ -3344,6 +3344,12 @@ EOF
# This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
echo iankelling.org > /etc/mailname
+ # mail default domain.
+ u /etc/mailutils.conf <<'EOF'
+address {
+ email-domain iankelling.org;
+};
+EOF
# mail.iankelling.org so local imap clients can connect with tls and
# when they happen to not be local.
diff --git a/mount-latest-subvol b/mount-latest-subvol
index 1f4229e..433c7c2 100644
--- a/mount-latest-subvol
+++ b/mount-latest-subvol
@@ -267,7 +267,7 @@ fi
# fa=(/mnt/root/btrbk/ar.*); f=${fa[0]}
# if [[ -e $f ]]; then
# fstab <
Date: Mon, 22 Apr 2024 00:57:47 -0400
Subject: [PATCH 10/16] fixes to last commit
---
brc2 | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/brc2 b/brc2
index 9e2b548..5804466 100644
--- a/brc2
+++ b/brc2
@@ -2652,7 +2652,9 @@ host-info-update() {
if [[ $opts == user=root ]]; then
- root_hosts+=($host i$host)
+ # note: the b8.nz suffix is for the User part, the IdentityFile
+ # part is redundant to *.b8.nz.
+ root_hosts+=($host i$host $host.b8.nz i$host.b8.nz)
else
nonroot_hosts+=($host i$host)
fi
@@ -2732,10 +2734,10 @@ EOF
echo "cat <
Date: Tue, 23 Apr 2024 20:51:06 -0400
Subject: [PATCH 11/16] dns fix, some improvements
---
brc | 35 ++++++++++++++++++++++-------------
brc2 | 49 ++++++++++++++++++++++++++++++++-----------------
2 files changed, 54 insertions(+), 30 deletions(-)
diff --git a/brc b/brc
index 5105c59..4a6f672 100644
--- a/brc
+++ b/brc
@@ -879,14 +879,14 @@ _khfix-common() {
fi
ll ~/.ssh/known_hosts
}
-khfix-r() { # known hosts fix + root
+khfix-r() { # known hosts fix without syncing to root user
_khfix-common "$@" || return 1
ssh $1 :
- rootsshsync
}
khfix() {
_khfix-common "$@" || return 1
ssh $1 :
+ rootsshsync
}
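Review bot: The meaning of the `-r` suffix flips here — `khfix-r` used to be the variant that ran `rootsshsync` and now is the one that does not — so existing callers of `khfix-r` silently stop syncing root's known_hosts. If the names are kept, the comment should say why `-r` now means "without root", e.g. `# khfix-r: known hosts fix only; khfix additionally runs rootsshsync`, or better rename the no-sync variant and keep `khfix-r` as an alias of the old behaviour for a while. `ssh $1 :` also passes the host unquoted; `ssh "$1" :` is safer.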
# copy path into clipboard
@@ -1672,9 +1672,9 @@ grr() { # grep recursive
# Don't return 1 on nonmatch because this is meant to be
# interactive, not in a conditional.
if [[ ${#@} == 1 ]]; then
- grep --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" . || [[ $? == 1 ]]
+ grep -E --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" . || [[ $? == 1 ]]
else
- grep --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" || [[ $? == 1 ]]
+ grep -E --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" || [[ $? == 1 ]]
fi
}
ccomp grep gr grr
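Review bot: The added `-E` is combined with the `-P` already in `-riIP`, and GNU grep rejects two matcher selections with "conflicting matchers specified" (each of `-E`/`-F`/`-G`/`-P` picks a matcher), so `grr` would stop working on such a build — run `grr foo` once to confirm. If the goal was extended syntax, `-P` already provides it and `-E` should be dropped; if the goal was to stop using PCRE, drop the `P` from `-riIP` instead. The function's head is outside the hunk.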
@@ -3243,6 +3243,16 @@ if [[ $- == *i* ]]; then
# so I've thrown a bunch of things at the wall to speed it up.
prompt-command() {
local return=$? # this MUST COME FIRST
+
+ # all usable colors:
+ # black
+ # green nonzero exit (pri 1)
+ # purple default
+ # purple bold
+ # red pwd different owner & group & not writable (pri 2)
+ # red bold pwd different owner & group & writable (pri 2)
+ # yellow
+
local ps_char ps_color
unset IFS
@@ -3250,22 +3260,21 @@ if [[ $- == *i* ]]; then
history -a # save history
fi
- case $return in
- 0) ps_color="$term_purple"
- ps_char='\$'
- ;;
- *) ps_color="$term_green"
- ps_char="$return \\$"
- ;;
- esac
+ ps_color="$term_purple"
+ ps_char='\$'
if [[ ! -O . ]]; then # not owner
if [[ -w . ]]; then # writable
ps_color="$term_bold$term_red"
else
- ps_color="$term_bold$term_green"
+ ps_color="$term_red"
fi
fi
+ if [[ $return != 0 ]]; then
+ ps_color="$term_green"
+ ps_char="$return \\$"
+ fi
+
# faster than sourceing the file im guessing
if [[ -e /dev/shm/iank-status && ! -e /tmp/quiet-status ]]; then
eval "$(< /dev/shm/iank-status)"
diff --git a/brc2 b/brc2
index 5804466..33384bc 100644
--- a/brc2
+++ b/brc2
@@ -1792,21 +1792,13 @@ bindpush() {
dsign iankelling.org expertpathologyreview.com zroe.org amnimal.ninja
lipush
for h in li bk; do
- e sshing $h
- ssh $h.b8.nz <<'EOF'
-source ~/.bashrc
-m dnsup
-EOF
+ m ssh $h.b8.nz dnsup
done
}
bindpushb8() {
lipush
for h in li bk; do
- e sshing $h
- ssh $h.b8.nz <<'EOF'
-source ~/.bashrc
-m dnsb8
-EOF
+ m ssh $h.b8.nz dnsb8
done
}
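Review bot: `ssh $h.b8.nz dnsup` / `ssh $h.b8.nz dnsb8` assume those names resolve as commands in a non-interactive remote shell, but both are bash functions defined in this file; unless the remote's `~/.bashrc` is read by non-interactive shells or the functions are installed as executables, the remote prints `dnsup: command not found` and `m` does not stop the loop. If that wiring exists, a comment such as `# remote non-interactive shells source brc2, so these functions are available` would save the next reader the check; otherwise `ssh $h.b8.nz 'source ~/.bashrc; dnsup'` keeps the previous behaviour in one line.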
@@ -1817,8 +1809,18 @@ dnsup() {
dnsb8() {
local f=/var/lib/bind/db.b8.nz
m ser stop named
- m sleep 1
- m sudo rm -fv $f.jnl $f.signed.jnl
+ # jbk is like a temp file. dunno if removing it helps
+
+ i=0
+ while pgrep '^named$' &>/dev/null; do
+ sleep .5
+ i=$(( i + 1 ))
+ if (( i > 100 )); then
+ echo "dnsb8: error: timeout waiting for named to exit"
+ return 1
+ fi
+ done
+ m sudo rm -fv $f.jnl $f.signed.jnl $f.jbk
m sudo install -m 644 -o bind -g bind /p/c/machine_specific/vps/bind-initial/db.b8.nz $f
m ser restart named
}
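Review bot: `i` in the new wait loop is not declared `local`, so this interactive function leaves a global `i` behind and clobbers any caller's; make it `local i=0`. The loop also polls `pgrep` for up to 50 s after `m ser stop named` without checking that the stop itself succeeded, so a failed stop shows up as a timeout — `m ser stop named || return 1` fails fast. The comment `# jbk is like a temp file. dunno if removing it helps` would read better as `# .jbk is a transient journal file bind writes; remove it with the journals so the fresh zone file is not merged with stale data`, assuming that is the reason it is removed.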
@@ -2630,6 +2632,16 @@ wgkey() {
umask $umask_orig
}
+host-info-all() {
+ host-info-update
+ bindpushb8
+ wrt-setup
+}
+
+
+# if you change a host's ip, then run
+# bindpushb8
+# wrt-setup
host-info-update() {
local -A vpn_ips host_ips host_macs nonvpn_ips
@@ -2673,8 +2685,6 @@ IdentityFile ~/.ssh/home
EOF
- grep -E '^[a-z0-9]+[[:space:]]' /p/c/machine_specific/vps/bind-initial/db.b8.nz | awk '{print $1,$3}'
-
local host ipsuf f files
sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf
@@ -2728,7 +2738,7 @@ EOF
echo 'local-data-ptr: "$l.'$ipsuf $host.b8.nz'"'
done
echo "EOF"
- } | u /p/ptr-data
+ } | u /p/c/ptr-data
{
echo "cat <
Date: Tue, 23 Apr 2024 20:52:26 -0400
Subject: [PATCH 12/16] minor fixes
---
btrbk-run | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/btrbk-run b/btrbk-run
index 93e8dab..a28bfac 100644
--- a/btrbk-run
+++ b/btrbk-run
@@ -74,7 +74,7 @@ set-location() {
kd|frodo)
at_home=true
;;
- x2|x3|sy)
+ x2|x3|sy|so)
if [[ $(dig +short @10.2.0.1 -x 10.2.0.2 2>&1 ||:) == kd.b8.nz. ]] \
&& ip n show 10.2.0.1 | grep . &>/dev/null; then
at_home=true
@@ -92,7 +92,7 @@ exit-if-no-default-targets() {
mexit 0
fi
case $HOSTNAME in
- kw|kd|frodo|x2|x3|sy) : ;;
+ kw|kd|frodo|x2|x3|sy|so) : ;;
*)
die "error: no default targets for this host, use -t"
;;
@@ -366,6 +366,7 @@ if [[ ! -v targets && ! $source ]]; then
wireless_home_hosts=(
x2
sy
+ so
)
for h in ${wireless_home_hosts[@]}; do
if [[ $HOSTNAME != "$h" ]]; then
@@ -500,6 +501,7 @@ if $verbose; then
for opt in ${opts_show[@]}; do
if $first; then
printf "%s" "$opt"
+ first=false
else
printf " %s" "$opt"
fi
@@ -575,13 +577,17 @@ else
sshable=()
sshfail=()
+ remote_str_cmd="mkdir -p /mnt/root/btrbk /mnt/o/btrbk && \
+date +%z && \
+df --output=size,pcent / | tail -n1"
+
for h in ${targets[@]}; do
if $fast || $conf_only; then
# Use some typical values in this case
root_size=$(( 1024 * 1024 * 2000 )) #2tb
percent_used=10
zone=$(date +%z)
- elif remote_str=$(timeout -s 9 6 ssh root@$h "mkdir -p /mnt/root/btrbk /mnt/o/btrbk && date +%z && df --output=size,pcent / | tail -n1"); then
+ elif remote_str=$(timeout -s 9 6 ssh root@$h "$remote_str_cmd"); then
mapfile -t tmp_array <<<"$remote_str"
zone="${tmp_array[0]}"
IFS=" " read -r root_size percent_used <<<"${tmp_array[1]}"
@@ -606,6 +612,7 @@ else
min_root_kb=$(( 1024 * 1024 * 200 )) # 200 gb
tmp=$(( root_size < min_root_kb ))
if (( tmp )); then
+ e "warning: $h: root_size=$root_zie < 200gb, perhaps it is booted to bootstrap vol. skipping for now"
continue
fi
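Review bot: `$root_zie` in the new warning is a typo for `$root_size`, so the message prints `root_size= < 200gb` with an empty value (and would abort under `set -u` if that is ever enabled); change it to `e "warning: $h: root_size=$root_size < 200gb, perhaps it is booted to bootstrap vol. skipping for now"`. Since the value is in KiB (`min_root_kb` two lines above), `$(( root_size / 1024 / 1024 ))GB` would make the warning readable at a glance. The loop body continues outside the hunk.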
@@ -643,7 +650,7 @@ else
fi
done
if [[ ! ${sshable[*]} ]] || { $force && [[ ${sshfail[*]} ]]; }; then
- die "failed to ssh to hosts: ${sshfail[*]}"
+ die "see skipped host warning above or sshfail hosts: ${sshfail[*]}"
else
if [[ ${sshfail[*]} ]]; then
ret=1
@@ -876,7 +883,8 @@ if [[ $ret == 0 ]]; then
m ssh root@$tg 'btrbk-spread-wrap &>/dev/null
Date: Tue, 23 Apr 2024 23:32:34 -0400
Subject: [PATCH 13/16] new host related fixes
---
brc2 | 2 +-
distro-begin | 2 +-
distro-end | 14 +++++++-------
dsremote | 3 +--
mail-backup-clean | 4 ++++
pkgs | 3 ++-
6 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/brc2 b/brc2
index 33384bc..2795e2e 100644
--- a/brc2
+++ b/brc2
@@ -4480,7 +4480,7 @@ hssh-update() {
case $HOSTNAME in
sy|kd)
hosts=(
- kd x3.office.fsf.org syw
+ kd.b8.nz x3.office.fsf.org syw x2.b8.nz
)
;;
x3)
diff --git a/distro-begin b/distro-begin
index 4638980..8da3f16 100755
--- a/distro-begin
+++ b/distro-begin
@@ -55,7 +55,7 @@
### make ssh interactive shell run better. for when running line interactively line by line
-sudo bash -c '/a/exe/ssh-emacs-setup'
+sudo bash -c '/a/exe/ssh-emacs-setup' || exit $?
##### setup error handling
interactive=true # set this to false to force set -x
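Review bot: `|| exit $?` on the new line exits silently, so a failing ssh-emacs-setup leaves nothing but the status code to explain why distro-begin stopped; `sudo /a/exe/ssh-emacs-setup || { printf '%s\n' "ssh-emacs-setup failed" >&2; exit 1; }` reports it and drops the `bash -c` wrapper, which adds nothing when the argument is a plain path. If the wrapper is deliberate (for instance the file is not executable), a short comment saying so would help.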
diff --git a/distro-end b/distro-end
index 77cfa4b..e9b797a 100755
--- a/distro-end
+++ b/distro-end
@@ -167,8 +167,6 @@ EOF
t=$(mktemp)
case $n in
bookworm)
- cat >$t <<'EOF'
-EOF
cat >$t <
Date: Wed, 24 Apr 2024 00:52:50 -0400
Subject: [PATCH 14/16] minor fixes/improves for new host
---
brc2 | 2 +-
disabled/nagios | 124 ++++++++++++++++++++++++++++++++++++++++++++++++
distro-begin | 2 +-
distro-end | 122 +++++------------------------------------------
mail-setup | 19 +++++---
5 files changed, 151 insertions(+), 118 deletions(-)
create mode 100644 disabled/nagios
diff --git a/brc2 b/brc2
index 2795e2e..e936bad 100644
--- a/brc2
+++ b/brc2
@@ -2777,7 +2777,7 @@ EOF
for f in "${files[@]}"; do
host=${f%%/*}
if [[ ! ${vpn_ips[$host]} ]]; then
- e /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service
+ e rm /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service
fi
done
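Review bot: `e rm …` on the new line most likely only prints the rm command rather than running it: elsewhere in this series `e` is used as a message printer (`e "warning: $h: …"`) while commands that should execute go through `m`. If the stray unit file is meant to be deleted, this should be `m rm -f -- "/a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service"`; if a dry run is intended, a comment such as `# only report stray unit files here; remove them by hand` would make that explicit. The enclosing function starts outside the hunk.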
diff --git a/disabled/nagios b/disabled/nagios
new file mode 100644
index 0000000..f9f38eb
--- /dev/null
+++ b/disabled/nagios
@@ -0,0 +1,124 @@
+#!/bin/bash
+# I, Ian Kelling, follow the GNU license recommendations at
+# https://www.gnu.org/licenses/license-recommendations.en.html. They
+# recommend that small programs, < 300 lines, be licensed under the
+# Apache License 2.0. This file contains or is part of one or more small
+# programs. If a small program grows beyond 300 lines, I plan to switch
+# its license to GPL.
+
+# Copyright 2024 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# this was part of distro-end
+
+### begin nagios ###
+
+pi nagios-nrpe-server
+
+case $HOSTNAME in
+ kd)
+ # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
+ pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
+ s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ # to add a password for admin:
+ # htdigest /etc/nagios4/htdigest.users Nagios4 iank
+ # now using the same pass as prometheus
+
+ # nagstamon auth settings, set to digest instead of basic.
+
+ web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+
+ Options FollowSymLinks
+ DirectoryIndex index.php index.html
+ AllowOverride AuthConfig
+ #
+ # The default Debian nagios4 install sets use_authentication=0 in
+ # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+ # This is insecure. As a compromise this default apache2 configuration
+ # only allows private IP addresses access.
+ #
+ # The ... below shows how you can secure the nagios4
+ # web site so anybody can view it, but only authenticated users can issue
+ # commands (such as silence notifications). To do that replace the
+ # "Require all granted" with "Require valid-user", and use htdigest
+ # program from the apache2-utils package to add users to
+ # /etc/nagios4/htdigest.users.
+ #
+ # A step up is to insist all users validate themselves by moving
+ # the stanza's in the .. into the .
+ # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+ # can configure which people get to see a particular service from
+ # within the nagios configuration.
+ #
+ AuthDigestDomain "Nagios4"
+ AuthDigestProvider file
+ AuthUserFile "/etc/nagios4-htdigest.users"
+ AuthGroupFile "/etc/group"
+ AuthName "Nagios4"
+ AuthType Digest
+ Require valid-user
+
+
+
+ Options +ExecCGI
+
+EOF
+ ;;
+esac
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+# 2 define contact {
+# 1 define contactgroup {
+# 9 define host {
+# 4 define hostgroup {
+# 23 define service {
+# 5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+# 76 define command
+# 11 define contact
+# 6 define contactgroup
+# 162 define host
+# 1 define hostextinfo
+# 16 define hostgroup
+# 3040 define service
+# 2 define servicedependency
+# 6 define timeperiod
+
+
+
+
+### end nagios ###
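Review bot: The htdigest path in the comment `# htdigest /etc/nagios4/htdigest.users Nagios4 iank` does not match the `AuthUserFile "/etc/nagios4-htdigest.users"` the config actually uses; with Digest auth a wrong user file simply rejects every login, so whichever one is stale should be corrected before someone follows the comment to add a user. The file has no `set -e` or error handling and `pi nagios-nrpe-server` runs unconditionally before the `case`, which is worth a header comment if this "disabled" script is meant to stay runnable rather than be purely archival. The Directory container directives that should surround the `Options`/`Require` stanzas appear to be absent in this rendering (the blank lines around `AllowOverride AuthConfig` and before `Options +ExecCGI`), so confirm the heredoc is intact in the committed file.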
diff --git a/distro-begin b/distro-begin
index 8da3f16..5752961 100755
--- a/distro-begin
+++ b/distro-begin
@@ -382,7 +382,7 @@ if [[ -e $f ]]; then
fi
fi
done
- if $apparmor_reload && systemctl is-enabled apparmor; then
+ if $apparmor_reload && systemctl is-active apparmor; then
m ser reload apparmor
fi
fi
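Review bot: `systemctl is-active apparmor` in the new condition prints `active`/`inactive` to stdout on every run; `if $apparmor_reload && systemctl is-active --quiet apparmor; then` keeps the exit status and drops the noise. The switch from is-enabled to is-active is the right test for a reload, since a unit can be enabled but not running. The enclosing `if` starts outside the hunk.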
diff --git a/distro-end b/distro-end
index e9b797a..19cdaba 100755
--- a/distro-end
+++ b/distro-end
@@ -1906,10 +1906,11 @@ case $HOSTNAME in
# listen on the wireguard interface
*)
- wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
- # old filename. remove once all hosts are updated.
- s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
- web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+ if [[ -e /etc/wireguard/wghole.conf ]]; then
+ wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+ # old filename. remove once all hosts are updated.
+ s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+ web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
AuthType Basic
AuthName "basic_auth"
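Review bot: Inside the new `if [[ -e /etc/wireguard/wghole.conf ]]` guard, `wgip` can still be empty when the file exists but has no `Address =` line, and because `$wgip` is unquoted on the `web-conf -i -a $wgip -p 9101 …` line the empty value disappears and `-a` consumes `-p` as its argument, so the exporter proxy ends up bound to something other than the wireguard address. A check after the sed, `[[ $wgip ]] || { echo "no Address in /etc/wireguard/wghole.conf" >&2; exit 1; }`, together with quoting `"$wgip"`, fails closed instead. The `case` arm and the heredoc continue past the end of the hunk.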
@@ -1919,14 +1920,14 @@ AuthUserFile "/etc/prometheus-export-htpasswd"
Require valid-user
EOF
- # For work, i think we will just use the firewall for hosts in the main data center, and
- # vpn for hosts outside it.
+ # For work, i think we will just use the firewall for hosts in the main data center, and
+ # vpn for hosts outside it.
- # TODO: figure out how to detect the ping failure and try again.
+ # TODO: figure out how to detect the ping failure and try again.
- # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
- s mkdir /etc/systemd/system/apache2.service.d
- sd /etc/systemd/system/apache2.service.d/restart.conf <
- Options FollowSymLinks
- DirectoryIndex index.php index.html
- AllowOverride AuthConfig
- #
- # The default Debian nagios4 install sets use_authentication=0 in
- # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
- # This is insecure. As a compromise this default apache2 configuration
- # only allows private IP addresses access.
- #
- # The ... below shows how you can secure the nagios4
- # web site so anybody can view it, but only authenticated users can issue
- # commands (such as silence notifications). To do that replace the
- # "Require all granted" with "Require valid-user", and use htdigest
- # program from the apache2-utils package to add users to
- # /etc/nagios4/htdigest.users.
- #
- # A step up is to insist all users validate themselves by moving
- # the stanza's in the .. into the .
- # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
- # can configure which people get to see a particular service from
- # within the nagios configuration.
- #
- AuthDigestDomain "Nagios4"
- AuthDigestProvider file
- AuthUserFile "/etc/nagios4-htdigest.users"
- AuthGroupFile "/etc/group"
- AuthName "Nagios4"
- AuthType Digest
- Require valid-user
-
-
-
- Options +ExecCGI
-
-EOF
- ;;
-esac
-
-# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
-# notifications_enabled=1
-# note, the same variable exists in the correspdonding "define service {"
-
-# in the default config, we have these definitions
-
-# 11 define command {
-# 2 define contact {
-# 1 define contactgroup {
-# 9 define host {
-# 4 define hostgroup {
-# 23 define service {
-# 5 define timeperiod {
-
-
-# on klaxon
-
-# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
-# 76 define command
-# 11 define contact
-# 6 define contactgroup
-# 162 define host
-# 1 define hostextinfo
-# 16 define hostgroup
-# 3040 define service
-# 2 define servicedependency
-# 6 define timeperiod
-
-
-
-
-### end nagios ###
-
### begin bitcoin ###
case $HOSTNAME in
diff --git a/mail-setup b/mail-setup
index 3ac3476..050a716 100755
--- a/mail-setup
+++ b/mail-setup
@@ -454,7 +454,7 @@ fi
bhost_t=false
case $HOSTNAME in
$MAIL_HOST) : ;;
- kd|frodo|x2|x3|kw|sy|bo)
+ kd|x2|x3|kw|sy|bo|so)
bhost_t=true
;;
esac
@@ -1143,6 +1143,10 @@ banaction = iptables-exim
ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
EOF
if $ur; then
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+ if [[ ! -e /var/log/exim4/mainlog ]]; then
+ install -m 640 -o Debian-exim -g adm /dev/null /var/log/exim4/mainlog
+ fi
m systemctl restart fail2ban
fi
@@ -2533,8 +2537,8 @@ EOF
m mkdir -p $rctmpdir /m/rc
m chown -R www-data.www-data $rctmpdir /m/rc
m chmod 750 $rctmpdir
- # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
# todo: check for other mailinabox things
+ # Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
m sudo -u www-data touch $rclogdir/errors.log
#### begin carddav install
@@ -3564,11 +3568,13 @@ backup_local:
EOF
# Bind to wghole to receive mailbackup.
- wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
- cat >>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <
Date: Wed, 24 Apr 2024 00:53:09 -0400
Subject: [PATCH 15/16] fix vpn host naming
---
.../filesystem/etc/systemd/system/openvpn-client-tr@.service | 0
.../filesystem/etc/systemd/system/openvpn-client-tr@.service | 0
.../filesystem/etc/systemd/system/openvpn-client-tr@.service | 0
.../filesystem/etc/systemd/system/openvpn-client-tr@.service | 4 ++--
4 files changed, 2 insertions(+), 2 deletions(-)
rename machine_specific/{bow => bo}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%)
rename machine_specific/{sow => so}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%)
rename machine_specific/{syw => sy}/filesystem/etc/systemd/system/openvpn-client-tr@.service (100%)
rename machine_specific/{x2w => x2}/filesystem/etc/systemd/system/openvpn-client-tr@.service (94%)
diff --git a/machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 100%
rename from machine_specific/bow/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/bo/filesystem/etc/systemd/system/openvpn-client-tr@.service
diff --git a/machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 100%
rename from machine_specific/sow/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/so/filesystem/etc/systemd/system/openvpn-client-tr@.service
diff --git a/machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 100%
rename from machine_specific/syw/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/sy/filesystem/etc/systemd/system/openvpn-client-tr@.service
diff --git a/machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
similarity index 94%
rename from machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service
rename to machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
index 9d386a8..8a764b1 100644
--- a/machine_specific/x2w/filesystem/etc/systemd/system/openvpn-client-tr@.service
+++ b/machine_specific/x2/filesystem/etc/systemd/system/openvpn-client-tr@.service
@@ -24,10 +24,10 @@ LimitNPROC=10
# we use .1 to make this be on a different network than kd, so that we can
# talk to transmission on kd from remote host, and still use this
# vpn.
-ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.28 start %i
+ExecStartPre=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.174.23 start %i
ExecStartPre=/sbin/iptables-restore /a/bin/distro-setup/transmission-firewall/netns.rules
# allow wireguard network to connect
-ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.28.1 dev veth1-client
+ExecStartPre=/usr/sbin/ip r add 10.8.0.0/24 via 10.174.23.1 dev veth1-client
ExecStopPost=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop %i
PrivateNetwork=true
BindReadOnlyPaths=/etc/tr-resolv:/run/systemd/resolve:norbind /etc/basic-nsswitch:/etc/resolved-nsswitch:norbind
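Review bot: The renumbered subnet `10.174.23` now appears as two independent literals, in the `newns -n` argument and again in the `ip r add … via 10.174.23.1` gateway, and a future edit that updates one but not the other would leave the wireguard route pointing at a gateway outside the namespace's network. systemd expands `${VAR}` in Exec lines, so `Environment=TR_NET=10.174.23` under `[Service]` with `-n ${TR_NET}` and `via ${TR_NET}.1` keeps the value in one place. The comment above these lines, `# we use .1 to make this be on a different network than kd`, reads as if it describes a specific octet and may be stale after the renumbering; worth rechecking.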
--
2.30.2
From ef95a0340c000f1b047928e92bbb82f538726c51 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Wed, 24 Apr 2024 15:22:48 -0400
Subject: [PATCH 16/16] update bitcoin, new host related fixes
---
brc2 | 10 ++++++++--
distro-begin | 4 +++-
distro-end | 4 ++--
filesystem/etc/systemd/system/bitcoind.service | 16 +++++++++++-----
filesystem/usr/local/bin/bitcoinon | 2 +-
machine_specific/btrbk.hosts | 1 +
machine_specific/s76.hosts | 1 +
mail-setup | 2 +-
switch-mail-host | 8 --------
9 files changed, 28 insertions(+), 20 deletions(-)
diff --git a/brc2 b/brc2
index e936bad..45249e6 100644
--- a/brc2
+++ b/brc2
@@ -2749,7 +2749,13 @@ EOF
echo "EOF"
} | u /p/c/dnsmasq-data
+ b8_ip=$(dig +short b8.nz @iankelling.org | tail -1)
+ if [[ ! $b8_ip ]]; then
+ echo "$0: error: got empty b8.nz ip. returning 1"
+ return 1
+ fi
{
+ echo "@ A $b8_ip"
for host in ${!nonvpn_ips[@]}; do
ipsuf=${nonvpn_ips[$host]}
echo "$host A 10.2.0.$ipsuf"
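Review bot: The new `b8_ip` check only guards against an empty result, but `dig +short` writes resolver failures such as `;; connection timed out; no servers could be reached` to stdout and a CNAME answer yields a hostname, so a non-address string would pass the check and be emitted as `@ A …` into the dnsmasq data. Validate the shape instead, `if [[ ! $b8_ip =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then`, and send the error line to stderr with `>&2` so diagnostics never mix with generated output. The enclosing function starts outside the hunk.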
@@ -2768,12 +2774,12 @@ EOF
echo checking for stray files:
- initial_dir=$PWD
+ initial_dir="$PWD"
cd /a/bin/ds/machine_specific
ngset
files=( */filesystem/etc/systemd/system/openvpn-client-tr@.service )
ngreset
- cd $initial_dir
+ cd "$initial_dir"
for f in "${files[@]}"; do
host=${f%%/*}
if [[ ! ${vpn_ips[$host]} ]]; then
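Review bot: Quoting `$PWD` is right, but both `cd` calls on this path remain unchecked: if `cd /a/bin/ds/machine_specific` fails the glob on the following line is evaluated in the caller's directory and the host list is wrong, and if the new `cd "$initial_dir"` fails the function returns with the shell left in machine_specific. `cd /a/bin/ds/machine_specific || return 1` and `cd "$initial_dir" || return 1` close both cases. The enclosing function starts outside the hunk.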
diff --git a/distro-begin b/distro-begin
index 5752961..e97c6c3 100755
--- a/distro-begin
+++ b/distro-begin
@@ -25,6 +25,8 @@
# /a/bin/ds/filesystem/etc/prometheus/rules/iank.yml
#
# Update hostnames in /b/ds/check-remote-mailqs
+# Update hostnames in /b/ds/machine_specific/*.hosts /p/c/machine_specific/*.hosts
+# Update hostnames in this file
### end new machine setup
@@ -111,7 +113,7 @@ source $script_dir/pkgs
set +x
source /a/bin/distro-functions/src/identify-distros
$interactive || set -x
-for f in kd x2 x3 x8 frodo tp li bk je demohost kw sy bo; do
+for f in kd x2 x3 x8 frodo tp li bk je demohost kw sy bo so; do
eval "$f() { [[ $HOSTNAME == $f ]]; }"
done
codename=$(debian-codename)
diff --git a/distro-end b/distro-end
index 19cdaba..066264b 100755
--- a/distro-end
+++ b/distro-end
@@ -1946,8 +1946,8 @@ esac
### begin bitcoin ###
case $HOSTNAME in
- sy|kd)
- sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-26.0/bin/*
+ sy|kd|so)
+ sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-27.0/bin/*
# Note: i leave it to system-status to start and stop bitcoin.
# note: the bitcoin user & group are setup in fai
sudo usermod -a -G bitcoin iank
diff --git a/filesystem/etc/systemd/system/bitcoind.service b/filesystem/etc/systemd/system/bitcoind.service
index 1a754e9..1c3377f 100644
--- a/filesystem/etc/systemd/system/bitcoind.service
+++ b/filesystem/etc/systemd/system/bitcoind.service
@@ -1,5 +1,5 @@
# iank: copied from /a/opt/bitcoin/contrib/init/bitcoind.service
-# for sources as of 2022-11-14
+# for sources as of 2024-04-22
# It is not recommended to modify this file in-place, because it will
# be overwritten during package upgrades. If you want to add further
@@ -25,10 +25,11 @@ Wants=network-online.target
# between 100% and 180% cpu and makes the fan spin annoyingly.
# 50% still had annoying fan spin. trying out 20%
CPUQuota=20%
-ExecStart=/usr/bin/bitcoind -daemonwait \
- -pid=/run/bitcoind/bitcoind.pid \
+ExecStart=/usr/bin/bitcoind -pid=/run/bitcoind/bitcoind.pid \
-conf=/etc/bitcoin/bitcoin.conf \
- -datadir=/var/lib/bitcoind
+ -datadir=/var/lib/bitcoind \
+ -startupnotify='systemd-notify --ready' \
+ -shutdownnotify='systemd-notify --stopping'
# Make sure the config directory is readable by the service user
PermissionsStartOnly=true
@@ -37,8 +38,10 @@ ExecStartPre=/bin/chgrp bitcoin /etc/bitcoin
# Process management
####################
-Type=forking
+Type=notify
+NotifyAccess=all
PIDFile=/run/bitcoind/bitcoind.pid
+
Restart=on-failure
TimeoutStartSec=infinity
TimeoutStopSec=600
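Review bot: `NotifyAccess=all` deserves a comment explaining why it is needed: the readiness and stopping messages are sent by the `systemd-notify` child spawned via `-startupnotify`/`-shutdownnotify`, not by bitcoind's main PID, so the default main-only access would silently drop them and the unit would never leave `activating`. Suggest `# Readiness/stopping notifications come from the systemd-notify child started by -startupnotify/-shutdownnotify, not the main PID, so main-only access would drop them.` above the line. `PIDFile=` is kept alongside `Type=notify`; it is harmless but is mainly meaningful for `Type=forking`, so a short note or its removal would avoid the next reader wondering whether the daemon still forks.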
@@ -85,5 +88,8 @@ PrivateDevices=true
# Deny the creation of writable and executable memory mappings.
MemoryDenyWriteExecute=true
+# Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced
+SystemCallArchitectures=native
+
[Install]
WantedBy=multi-user.target
diff --git a/filesystem/usr/local/bin/bitcoinon b/filesystem/usr/local/bin/bitcoinon
index 0b64d4d..d2509c7 100755
--- a/filesystem/usr/local/bin/bitcoinon
+++ b/filesystem/usr/local/bin/bitcoinon
@@ -22,7 +22,7 @@
[[ $EUID == 0 ]] || exec sudo "${BASH_SOURCE[0]}"
-if [[ -e /tmp/no-bitcoinon ]]; then
+if [[ -e /tmp/no-bitcoinon || ! -d /var/lib/bitcoind || ! -x /usr/bin/bitcoind ]]; then
exit 0
fi
systemctl start bitcoind
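Review bot: The opt-out flag `/tmp/no-bitcoinon` kept in the new condition can be created by any local user, since /tmp's sticky bit restricts deletion rather than creation, while this script re-execs itself under sudo and starts a root-managed service; an unprivileged account can therefore keep bitcoind from ever starting. A root-owned location, e.g. `if [[ -e /etc/bitcoind-disabled || ! -d /var/lib/bitcoind || ! -x /usr/bin/bitcoind ]]; then`, limits the kill switch to root (path is a suggestion, pick whatever fits the tree). The two added existence checks make the script a no-op on hosts without bitcoin, which is a sensible default.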
diff --git a/machine_specific/btrbk.hosts b/machine_specific/btrbk.hosts
index 43e86f2..54f98fb 100644
--- a/machine_specific/btrbk.hosts
+++ b/machine_specific/btrbk.hosts
@@ -4,4 +4,5 @@ x2
x3
frodo
sy
+so
bo
diff --git a/machine_specific/s76.hosts b/machine_specific/s76.hosts
index 90a6702..23f1aa3 100644
--- a/machine_specific/s76.hosts
+++ b/machine_specific/s76.hosts
@@ -1,2 +1,3 @@
bo
sy
+so
diff --git a/mail-setup b/mail-setup
index 050a716..9ada9b6 100755
--- a/mail-setup
+++ b/mail-setup
@@ -2868,7 +2868,7 @@ debbugsconfig
# ld for local debbugs
-/a/exe/web-conf -t -a 127.0.1.1 -p 80 -r /var/lib/debbugs/www - apache2 ld <<'EOF'
+/a/exe/web-conf -l -t -a 127.0.1.1 -p 80 -r /var/lib/debbugs/www - apache2 ld <<'EOF'
# copied from debbugs upstream example
Options Indexes SymLinksIfOwnerMatch MultiViews
diff --git a/switch-mail-host b/switch-mail-host
index 56676b9..053134a 100644
--- a/switch-mail-host
+++ b/switch-mail-host
@@ -395,12 +395,4 @@ if (( ret )); then
exit $ret
fi
-if ! $mail_only && [[ -e /p/profanity-here ]]; then
- m $new_shell systemctl --now enable profanity || ret=$?
- if (( ret )); then
- err "failed final systemctl --now enable profanity, just fix and rerun"
- exit $ret
- fi
-fi
-
m exit 0
--
2.30.2