mainly fix vpn dns issue

[distro-setup] / mail-setup

diff --git a/mail-setup b/mail-setup
index 86464f1aaf3ca337bb9ef2ede0d7e94f32826550..ee758faec98250d53e22f6740ec89ef581eecead 100755 (executable)
--- a/mail-setup
+++ b/mail-setup
@@ -369,7 +369,7 @@ fi
 bhost_t=false
 case $HOSTNAME in
   $MAIL_HOST) : ;;
-  kd|frodo|x2|x3|kw|sy)
+  kd|frodo|x2|x3|kw|sy|bo)
     bhost_t=true
     ;;
 esac
@@ -483,18 +483,28 @@ case $HOSTNAME in
     ;;
 esac
 
-i /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
+case $HOSTNAME in
+  li) : ;;
+  *)
+    i /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
 [Unit]
 Requires=mailnn.service
 After=network.target mailnn.service
 JoinsNamespaceOf=mailnn.service
 BindsTo=mailnn.service
+StartLimitIntervalSec=0
 
 [Service]
 PrivateNetwork=true
 # i dont think we need any of these, but it doesnt hurt to stay consistent
 BindPaths=$bindpaths
+
+Restart=on-failure
+RestartSec=20
 EOF
+    ;;
+esac
+
 
 # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
 i /etc/systemd/system/mailvpn.service <<EOF
@@ -535,7 +545,7 @@ PrivateNetwork=true
 BindPaths=$bindpaths
 Restart=always
 # time to sleep before restarting a service
-RestartSec=1
+RestartSec=20
 
 [Install]
 WantedBy=multi-user.target
@@ -557,7 +567,7 @@ PrivateNetwork=true
 ExecStart=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns -n 10.173.8 start mail
 ExecStop=/usr/bin/flock -w 20 /tmp/newns.flock /a/bin/newns/newns stop mail
 Restart=always
-RestartSec=10
+RestartSec=20
 
 
 [Install]
@@ -592,7 +602,7 @@ Type=simple
 ExecStart=/usr/local/bin/mailbindwatchdog $vpnser ${nn_progs[@]} unbound.service radicale.service
 Restart=always
 # time to sleep before restarting a service
-RestartSec=1
+RestartSec=10
 
 [Install]
 WantedBy=multi-user.target
@@ -669,7 +679,7 @@ PrivateNetwork=true
 BindPaths=$bindpaths
 
 Restart=always
-RestartSec=1
+RestartSec=20
 EOF
 
     # sooo, there are a few ways to get traffic from the mail network
@@ -720,7 +730,7 @@ PrivateNetwork=true
 BindPaths=$bindpaths
 
 Restart=always
-RestartSec=1
+RestartSec=20
 EOF
     done
     ;;
@@ -846,7 +856,7 @@ awk 'BEGIN { FS = ":" } ; $6 ~ /^\/home/ && $7 !~ /\/nologin$/ { print $1 }' /et
   case $HOSTNAME in
     $MAIL_HOST)
       sed -i "/^user:/d" /etc/aliases
-    ;;
+      ;;
     *)
       if ! grep -q "^$user:" /etc/aliases; then
         echo "$user: root" |m tee -a /etc/aliases
@@ -1271,7 +1281,7 @@ PrivateNetwork=true
 BindPaths=$bindpaths
 Restart=always
 # time to sleep before restarting a service
-RestartSec=1000
+RestartSec=20
 
 [Install]
 # for openvpn
@@ -1418,7 +1428,6 @@ ssl = required
 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
 ssl_protocols = TLSv1.2
 ssl_prefer_server_ciphers = no
-ssl_dh_parameters_length = 2048
 
 protocol lmtp {
 #per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
@@ -2424,10 +2433,10 @@ EOF
 
     # this avoids some error. i cant remember what. todo:
     # test it out and document why/if its needed.
-#     i /etc/exim4/host_local_deny_exceptions <<'EOF'
-# mail.fsf.org
-# *.posteo.de
-# EOF
+    #     i /etc/exim4/host_local_deny_exceptions <<'EOF'
+    # mail.fsf.org
+    # *.posteo.de
+    # EOF
 
     # cron email from smarthost hosts will automatically be to
     # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in
@@ -2557,7 +2566,7 @@ StartLimitIntervalSec=0
 [Service]
 Restart=always
 # time to sleep before restarting a service
-RestartSec=1
+RestartSec=20
 EOF
 
     i /etc/default/exim4in <<'EOF'
@@ -2659,14 +2668,22 @@ backup_local:
 EOF
 
       # Bind to wghole to receive mailbackup.
-      # todo: will wghole fail to start without internet connectivity?
-      # if so, we need to set it automatically restart infinitely,
-      # and same with exim.
       wgholeip=$(sed -rn 's/^ *Address *= *([^/]+).*/\1/p' /etc/wireguard/wghole.conf)
       cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 dc_other_hostnames='eximbackup.b8.nz'
 dc_local_interfaces='127.0.0.1;::1;$wgholeip'
 EOF
+
+      # wghole & thus exim will fail to start without internet connectivity.
+      i /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
+[Unit]
+StartLimitIntervalSec=0
+
+[Service]
+Restart=always
+RestartSec=20
+EOF
+
     else
       cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 # Note: If theres like a temporary problem where mail gets sent to
@@ -2674,6 +2691,7 @@ EOF
 # instead of a permanent 5xx.
 dc_local_interfaces='127.0.0.1;::1'
 EOF
+      rm -fv /etc/systemd/system/exim4.service.d/backup.conf
     fi
     cat >>/etc/exim4/update-exim4.conf.conf <<EOF
 dc_eximconfig_configtype='smarthost'
@@ -2701,9 +2719,9 @@ case $HOSTNAME in
     m rsync -ra --delete /etc/exim4/ /etc/myexim4
     # If we ever wanted to have a separate spool,
     # we could do it like this.
-#     cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
-# spool_directory = /var/spool/myexim4
-# EOF
+    #     cat >>/etc/exim4/conf.d/main/000_local-nn <<'EOF'
+    # spool_directory = /var/spool/myexim4
+    # EOF
     cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF'
 dc_eximconfig_configtype='smarthost'
 dc_smarthost='nn.b8.nz'
@@ -2875,7 +2893,7 @@ sre exim4
 case $HOSTNAME in
   $MAIL_HOST)
     m systemctl --now enable mailbindwatchdog
-  ;;
+    ;;
   *)
     soff mailbindwatchdog
     ;;