path-add /a/exe
# add this with absolute paths as needed for better security
#path-add --end /path/to/node_modules/.bin
+## for yarn, etc
+#path-add --end /usr/lib/node_modules/corepack/shims/
# pip3 --user things go here:
path-add --end ~/.local/bin
# also would be nice if erc supported
# https://wiki.znc.in/self-message
# https://wiki.znc.in/Query_buffers \
- #
+ #
+ # for geekshed, there was no sasl support as far as I can tell,
+ # so I set to msg nickserv to identify upon connect.
if ! getent passwd znc > /dev/null; then
sudo useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc
fi
#
# Changed the cache-size to 256 mb, reduces disk use.
# It is a read & write cache.
-sudo ruby <<EOF
+if ! systemctl is-active transmission-daemon-nn &>/dev/null && \
+ ! systemctl is-active transmission-daemon; then
+ sudo ruby <<EOF | sponge /etc/transmission-daemon/settings.json
require 'json'
p = '/etc/transmission-daemon/settings.json'
-File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
-'rpc-whitelist-enabled' => false,
-'rpc-authentication-required' => false,
-'incomplete-dir' => '$tdir/partial-torrents',
-'incomplete-dir-enabled' => true,
-'download-dir' => '$tdir/torrents',
-"speed-limit-up" => 800,
-"speed-limit-up-enabled" => true,
-"peer-port" => 61486,
-"cache-size-mb" => 256,
-"ratio-limit" => 5.0,
-"ratio-limit-enabled" => false,
-})) + "\n")
+s = {
+ 'rpc-whitelist-enabled' => false,
+ 'rpc-authentication-required' => false,
+ 'incomplete-dir' => '$tdir/partial-torrents',
+ 'incomplete-dir-enabled' => true,
+ 'download-dir' => '$tdir/torrents',
+ "speed-limit-up" => 800,
+ "speed-limit-up-enabled" => true,
+ "peer-port" => 61486,
+ "cache-size-mb" => 256,
+ "ratio-limit" => 5.0,
+ "ratio-limit-enabled" => false,
+}
+puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge()))
EOF
+fi
####### end transmission
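Review bot: The `puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge()))` line calls `merge` with no argument, so the `s` hash built just above it is never applied and the settings file is written back unchanged (on Ruby before 2.6 it raises ArgumentError instead); it should read `puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge(s)))`. Piping into `sponge` adds a second hazard: if ruby dies on an exception, sponge receives empty input and truncates /etc/transmission-daemon/settings.json before the shell ever sees the failure, so writing to a temp file and installing it only on success would be safer. Note too that only `ruby` runs under sudo while `sponge` runs as the invoking user; unless this script already runs as root, the write to /etc will fail after ruby has succeeded (cannot tell from the hunk which it is).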
--- /dev/null
+#!/bin/bash
+
+if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi
+shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR
+
+# This prevents exim from connecting out to an ip not through the vpn.
+# Before this, I had set exim to be BindsTo=wg-quick@wgmail, which
+# generally made sure it wouldn't run unless the vpn ran, and plus I set
+# a specific interface in the main remote smtp transport. However,
+# However, that wasn't bulletproof, exim spec says about "interface: The
+# first interface of the correct type (IPv4 or IPv6) is used for the
+# outgoing connection. If none of them are the correct type, the option
+# is ignored." And then I found out that the BindsTo results in exim
+# never starting if the vpn fails to start the first time, then starts
+# on the systemd automatic restart. Ugh. So, better to use Wants instead
+# and this.
+
+if !/usr/sbin/iptables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
+ /usr/sbin/iptables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
+fi
+
+
+if !/usr/sbin/ip6tables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then
+ /usr/sbin/ip6tables -I OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT
+fi
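Review bot: Both `if !/usr/sbin/iptables -C ...` and `if !/usr/sbin/ip6tables -C ...` have no space after `!`, so bash treats `!/usr/sbin/iptables` as a single command name, the lookup fails with status 127, the `then` branch never runs, and the script still exits 0 because a failed `if` condition is exempt from `set -e` and the ERR trap. The REJECT rule this script exists to install is therefore never added, and nothing reports it. Change the two lines to `if ! /usr/sbin/iptables -C OUTPUT -p tcp -m tcp --dport 25 -o veth1-mail -j REJECT &>/dev/null; then` and the same with `ip6tables`. The rule also covers only TCP/25; if the remote smtp transport can be configured for 465 or 587 those would not be blocked, which I cannot tell from here.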
dir=$RENEWED_LINEAGE # long caps vars just bother me
case $dir in
- /etc/letsencrypt/live/je.b8.nz)
- install -m 644 $dir/fullchain.pem /etc/node_exporter/fullchain.pem
- install -m 640 -g node-exp $dir/privkey.pem /etc/node_exporter/privkey.pem
- ;;
/etc/letsencrypt/live/iankelling.org)
cat $dir/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
;;
mail-backup-clean \
iptables-exim \
ip6tables-exim \
+ exim-nn-iptables \
/usr/local/bin
rsync -t --chmod=755 --chown=root:root /a/bin/errhandle/err /usr/local/lib
for unit in ${nn_progs[@]}; do
i /etc/systemd/system/$unit.service.d/nn.conf <<EOF
[Unit]
-# commented for old openvpn
-Requires=$vpnser
+
+# Wants appears better than requires because with requires,
+# if the vpnser fails to start, this service won't get run at
+# all, even if the vpnser starts on an automatic restart.
+
+Wants=$vpnser
After=network.target mailnn.service $vpnser
JoinsNamespaceOf=mailnn.service
BindsTo=mailnn.service
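Review bot: Replacing `Requires=$vpnser` with `Wants=$vpnser` means every unit in `${nn_progs[@]}` now starts, and survives restarts, while `$vpnser` is failed or stopped, so the unit-level dependency no longer keeps traffic from leaving outside the VPN; the only compensating control in this commit is the port-25 REJECT run from ExecStartPre in one unit further down, which does not cover the other nn_progs units (what else is in nn_progs is not visible here). That trade-off belongs in the drop-in itself, e.g. `# NOTE: with Wants= this unit runs even when $vpnser is down; each unit needs its own leak guard (see exim-nn-iptables)`. The radicale override below makes the same loosening and additionally drops `Wants=network-online.target` while keeping `After=network-online.target`, which only orders against that target if something else activates it.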
i /etc/systemd/system/radicale.service.d/override.conf <<EOF
[Unit]
-# this unit is configured to start and stop whenever
-# $vpnser does
After=network.target network-online.target mailnn.service $vpnser
-BindsTo=$vpnser
-Wants=network-online.target
+Wants=$vpnser
JoinsNamespaceOf=mailnn.service
StartLimitIntervalSec=0
i /etc/dovecot/dovecot-sql.conf.ext <<'EOF'
# from mailinabox
driver = sqlite
+# for je and bk, populated the testignore users for the relevant domains
connect = /m/rc/users.sqlite
default_pass_scheme = SHA512-CRYPT
password_query = SELECT email as user, password FROM users WHERE email='%u';
privileges TEXT NOT NULL DEFAULT '');
EOF
fi
+ # users.sqlite is saved into /p/c/machine_specific, so update it there!.
+ #
# example of adding a user:
# hash: doveadm pw -s SHA512-CRYPT -p passhere
# sqlite3 /m/rc/users.sqlite <<'EOF'
# without local-fs on exim, we get these kind of errors in paniclog on shutdown:
# Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied
After=local-fs.target
+
+[Service]
+ExecStartPre=/usr/local/bin/exim-nn-iptables
EOF
if ! mountpoint -q $sdir; then
stopifactive exim4 exim4in
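Review bot: `ExecStartPre=/usr/local/bin/exim-nn-iptables` depends on running inside the service's network namespace, since iptables rules are per-netns and the nn.conf drop-in sets `JoinsNamespaceOf=mailnn.service`; that assumption is worth a comment next to it, e.g. `# runs in the mailnn netns, where the veth1-mail REJECT must live`. ExecStartPre runs as the unit's User= if one is set and iptables needs CAP_NET_ADMIN, so if this unit drops root the line should be `ExecStartPre=+/usr/local/bin/exim-nn-iptables`; whether User= is set is not visible here. The heredoc this drop-in belongs to opens before the hunk, so the target unit name is not visible either.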
#Nov 8 08:16:05.439 [6080] warn: plugin: failed to parse plugin (from @INC): Can't locate Mail/SpamAssassin/Plugin/VBounce.pm: lib/Mail/SpamAssassin/Plugin/VBounce.pm: Permission denied at (eval 60) line 1.
# i dont know why, i just found the solution online
cd /m/md
+# TODO, get je to deliver the local mailbox: /m/md/INBOX
+# dovecot appears to setup, i can t be sure.
case $HOSTNAME in
bk)