conf_only=false
dry_run=false # mostly for testing
resume_arg=
+rate_limit=no
+verbose=false
default_args_file=/etc/btrbk-run.conf
if [[ -s $default_args_file ]]; then
- echo "$0: warning: options file default options set:"
- cat $default_args_file
- sleep 5
set -- $(< $default_args_file) "$@"
fi
-temp=$(getopt -l help hcm:nprt: "$@") || usage 1
+temp=$(getopt -l help cl:m:nprt:vh "$@") || usage 1
eval set -- "$temp"
while true; do
case $1 in
-c) conf_only=true; shift ;;
+ -l) rate_limit=$2; shift 2 ;;
-m) IFS=, mountpoints=($2); unset IFS; shift 2 ;;
-n) dry_run=true; dry_run_arg=-n; shift ;;
-p) progress_arg="--progress"; shift ;;
# btrbk arg: Resume only. Skips snapshot creation.
-r) resume_arg=-r; shift ;;
-t) IFS=, targets=($2); unset IFS; shift 2 ;;
+ -v) verbose=true; verbose_arg=-v; shift ;;
-h|--help) usage ;;
--) shift; break ;;
*) echo "$0: Internal error!" ; exit 1 ;;
esac
done
-echo "$0: options: conf_only=$conf_only, dry_run=$dry_run, resume_arg=$resume_arg"
+if [[ -s $default_args_file ]]; then
+ echo "$0: warning: default btrbk-run options set in $default_args_file (sleeping 5 seconds):"
+ cat $default_args_file
+ sleep 5
+fi
+
+echo -e "$0: options: conf_only=$conf_only\ndry_run=$dry_run\nresume_arg=$resume_arg\nrate_limit=$rate_limit\nverbose=$verbose"
# set default targets
if ! (( ${#targets[@]} )); then
-# set default mountpoints
-if ! (( ${#mountpoints[@]} )); then
+if (( ${#mountpoints[@]} )); then
+ for mp in ${mountpoints[@]}; do
+ if [[ -e /nocow/btrfs-stale/$mp ]]; then
+ echo "$0: warning: $mp stale. Sleeping for 3 seconds in case you want to cancel."
+ sleep 3
+ fi
+ done
+else # set default mountpoints
prospective_mps=(/a /q)
if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
prospective_mps+=(/o)
fi
done
for mp in ${prospective_mps[@]}; do # default mountpoints to sync
+ if [[ -e /nocow/btrfs-stale/$mp ]]; then
+ echo "$0: warning: $mp stale, not adding to default mountpoints"
+ continue
+ fi
if awk '{print $2}' /etc/fstab | grep -xF $mp &>/dev/null; then
mountpoints+=($mp)
fi
echo "$0: error: no btrbk binary found"
fi
-cat >/etc/btrbk.conf <<'EOF'
+cat >/etc/btrbk.conf <<EOF
ssh_identity /root/.ssh/id_rsa
# Just a guess that local7 is a good facility to pick.
# It's a bit odd that the transaction log has to be logged to
# if something fails and it's not obvious, try doing
# btrbk -l debug -v dryrun
+
+rate_limit $rate_limit
EOF
fi
if $dry_run; then
- m btrbk -n $resume_arg run
+ m btrbk -v -n $resume_arg run
else
# -q and just using the syslog option seemed nice,
# but it doesn't show when a send has a parent and when it doesn't.
- m btrbk $progress_arg $resume_arg run
+ m btrbk $verbose_arg $progress_arg $resume_arg run
fi
# if we have it, sync to systems which don't
echo "$0: error: expected mountpoint argument"
fi
+stale-file() {
+ stale_dir=/nocow/btrfs-stale
+ stale_file=$stale_dir/$vol
+ if $stale; then
+ mkdir -p $stale_dir
+ printf "%s\n" $freshest_snap > $stale_file
+ ret=1
+ else
+ rm -f $stale_file
+ fi
+
+}
+
ret=0
for d; do
vol=${d##*/}
- cd /mnt/root/btrbk
- snaps=($vol.20*) # Assumes we are in the 21st century.
+ dev=$(sed -rn "s,^\s*([^#]\S*)\s+$d\s.*,\1,p" /etc/fstab|head -n1)
+ subvol_dir=$(sed -rn "s,^\s*[^#]\S*\s+$d\s.*\bsubvol=([a-zA-A/]+).*,\1,p" /etc/fstab|head -n1)
+ root_dir=$(sed -rn "s,^\s*$dev\s+(\S+).*\bsubvolid=0\b.*,\1,p" /etc/fstab|head -n1)
+ svp=$root_dir/$subvol_dir # subvolume path
+
+
+
+ snaps=($root_dir/btrbk/$subvol_dir.20*) # Assumes we are in the 21st century.
if [[ ! $snaps ]]; then
# no snapshots yet
+ echo "$0: warning. no snapshots found. this is expected for a brand new volume"
continue
fi
+
+ # get info on last received sub
+ last_received_gen=0
+ for f in ${snaps[@]}; do
+ show="$(btrfs sub show $f)"
+ if echo "$show" | grep -E "Received UUID:\s+[[:alnum:]]" &>/dev/null; then
+ cgen=$(echo "$show" | sed -rn 's,^\s*Gen at creation:\s+([0-9]+).*,\1,p')
+ if [[ $cgen -gt $last_received_gen ]]; then
+ last_received_cgen=$cgen
+ last_received=$f
+ fi
+ fi
+ done
+
+ # Get last_snap by date.
# when a btrbk bugfix makes it into the distro,
# we might replace this with btrbk list latest /mnt/root/$vol | ...
- # note: this is duplicated in mount-latest-subvol
last_snap=$(
- for f in ${snaps[@]}; do
+ for s in ${snaps[@]}; do
+ f=${s##*/}
printf "%s %s\n" $(date -d $(sed -r 's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<${f#$vol.}) +%s) $f
done | sort -r | head -n 1 | awk '{print $2}'
)
if [[ ! $last_snap ]]; then
# should not happen.
- echo "$0: error: could not find latest snapshot for $d among ${snaps[@]}"
+ echo "$0: error: could not find latest snapshot for $svp among ${snaps[*]}"
ret=1
continue
fi
- # check that $d has $last_snap as a snapshot,
- # or else $d is a snapshot of $last_snap. In the second
- # case, we use a uuid comparison, which if I remember from the
- # docs, is a bit more robust, perhaps to renames.
- if btrfs sub show $d 2>/dev/null | sed '0,/^\s*Snapshot(s):/d;s/^\s*//' | \
- grep -xF btrbk/$last_snap &>/dev/null; then
- stale=false
- else
- last_snap_uuid=$(btrfs sub show $last_snap| awk '$1 == "UUID:" {print $2}')
- if btrfs sub show $d| grep "^\s*Parent UUID:\s*$last_snap_uuid$" &>/dev/null; then
- stale=false
- fi
+ if [[ ! -e $svp ]]; then
+ echo "$0: warning: subvol we want to check does not exist: $svp"
+ stale-file=$last_snap
+ stale-file
+ continue
fi
- # check if $d is a snapshot of any of the btrbk backups other than the latest
- if [[ ! $stale ]]; then
- for f in ${snaps[@]}; do
- if [[ $f == $last_snap ]]; then continue; fi
- uuid=$(btrfs sub show $f| awk '$1 == "UUID:" {print $2}')
- if btrfs sub show $d| grep "^\s*Parent UUID:\s*$uuid$" &>/dev/null; then
- stale=true
- echo "$d stale: it's a snapshot of $f"
- break
- fi
- done
- fi
- # check if $d generation is later than last_snap
- if [[ ! $stale ]]; then
- last_snap_gen=$(btrfs sub show $last_snap| awk '$1 == "Generation:" {print $2}')
- d_gen=$(btrfs sub show $d| awk '$1 == "Generation:" {print $2}')
- if (( d_gen < last_snap_gen )); then
+
+ # if there is a last_received, we can assume stale or fresh if we are newer/older
+ if [[ $last_received ]]; then
+ svp_cgen=$(btrfs sub show $svp | sed -rn 's,^\s*Gen at creation:\s+([0-9]+).*,\1,p')
+ if [[ $svp_cgen -ge $last_received_cgen ]]; then
stale=false
else
- echo "$d stale: it's generation, $d_gen, is earlier than the last snapshot's, $last_snap_gen"
+ echo "$svp stale: it's gen at creation, $svp_cgen, is earlier than the last received snapshot, $last_received's gen at creation: $last_received_cgen"
+ freshest_snap=$last_received
stale=true
fi
+ stale-file
+ continue
fi
-
- stale_dir=/nocow/btrfs-stale
- stale_file=$stale_dir/$vol
- if $stale; then
- mkdir -p $stale_dir
- printf "%s\n" $last_snap > $stale_file
- ret=1
- continue
- else
- rm -f $stale_file
+ freshest_snap=$last_snap
+ stale=true
+ # fresh if $svp has $last_snap as a snapshot,
+ if btrfs sub show $svp 2>/dev/null | sed '0,/^\s*Snapshot(s):/d;s/^\s*//' | \
+ grep -xF btrbk/$last_snap &>/dev/null; then
+ stale=false
+ else # or else $svp is a snapshot of $last_snap. we use a uuid
+ # comparison, which if I remember from the docs, is a bit more
+ # robust, perhaps to renames.
+ last_snap_uuid=$(btrfs sub show $last_snap| awk '$1 == "UUID:" {print $2}')
+ if btrfs sub show $svp| grep "^\s*Parent UUID:\s*$last_snap_uuid$" &>/dev/null; then
+ stale=false
+ fi
fi
+
+ stale-file
+
done
exit $ret
sudo $sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers
# turn on magic sysrq commands for this boot cycle
echo 1 > sudo dd of=/proc/sys/kernel/sysrq
+ echo "kernel.sysrq = 1" > /etc/sysctl.d/90-sysrq.conf
# selinux is not user friendly. Like, you enable samba, but you haven't run the magic selinux commands so it doesn't work
# and you have no idea why.
sudo $sed -i 's/^\(SELINUX=\).*/\1disabled/' /etc/selinux/config
if linode; then
sudo $sed -i '/^127\.0\.1\.1/d' /etc/hosts
- echo "127.0.1.1 $HOSTNAME.lan $HOSTNAME" | sudo tee -a /etc/hosts
+ echo "127.0.1.1 $HOSTNAME.b8.nz $HOSTNAME" | sudo tee -a /etc/hosts
fi
# universal packages
# swh-plugins is for karaoke pulsaudio filter.
# mutagen for pithos
+ # guvcview set webcam brightness to highest
+ # pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts
simple_packages+=(
apache2
apache2-doc
chromium
cpio-doc
cloc
+ cpulimit
cron
debconf-doc
dirmngr
goaccess
gnome-screenshot
gnome-session-flashback
+ guvcview
i3lock
inetutils-traceroute
iproute2-doc
perl-doc
pianobar
pidgin
+ pidgin-otr
pry
python-autopep8
python3-doc
transmission-remote-gtk
vlc
whois
+ wondershaper
)
spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
;;
########### end section including li/lj ###############
if [[ $HOSTNAME == treetowl ]]; then
+
+ # vpn-server setup via:
+
+ vpn-server-setup -r -d
+ s tee -a /etc/openvpn/server/server.conf <<'EOF'
+push "dhcp-option DNS 192.168.1.1"
+push "route 192.168.1.0 255.255.255.0"
+client-connect /a/bin/distro-setup/vpn-client-connect
+EOF
+ s sed -i --follow-symlinks 's/10.8./10.9./g' /etc/openvpn/server/server.conf
+ ser restart openvpn-server@server
+ vpn-mk-client-cert -s /etc/update-resolv-conf-home -c x2 -n home b8.nz
+ dir=/p/c/machine_specific/x2/filesystem/etc/openvpn/client
+ mkdir -p $dir
+ # background: We have these files locally, but we\'d have to duplicate the logic
+ # in vpn-mk-client-cert to get them, and this is just simpler.
+ scp root@x2:/etc/openvpn/client/home* $dir
+
+
+
# note, see bashrc for more documentation.
pi rss2email
s dd of=/etc/systemd/system/rss2email.service <<'EOF'
"profiles" : [
{
"profile-name" : "Default",
- "hostname" : "transmission",
+ "hostname" : "transmission.b8.nz",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
show
send
EOF
-fi
-# persistent initial setup for this:
-#mkc /p/c/machine_specific/li/filesystem/etc/bind
-#s dnssec-keygen -a HMAC-MD5 -b 512 -n HOST iank.life
-#s chown ian:ian *
-
-f=key.iank.life
-cat >$f <<EOF
-key iank.life. {
-algorithm HMAC-MD5;
-secret "$(awk '$1 == "Key:" {print $2}' Kiank.life.*.private)";
-};
+ nsupdate -k /p/c/machine_specific/li/filesystem/etc/bind/Kb8.nz.*.private <<EOF
+server iankelling.org
+zone b8.nz
+update delete b8.nz. A
+update add b8.nz. 300 A $ip
+update delete *.b8.nz. A
+update add *.b8.nz. 300 A $ip
+show
+send
EOF
+fi
+
+# # persistent initial setup for this:
+# # create files in /a/c/machine_specific/li/filesystem/etc/bind
+
+# mkc /p/c/machine_specific/li/filesystem/etc/bind
+# s dnssec-keygen -a HMAC-MD5 -b 512 -n HOST b8.nz
+# s chown ian:ian *
+
+# f=key.b8.nz
+# cat >$f <<EOF
+# key b8.nz. {
+# algorithm HMAC-MD5;
+# secret "$(awk '$1 == "Key:" {print $2}' Kb8.nz.*.private)";
+# };
+# EOF
+
+# chmod 640 $f
-chmod 640 $f
+# myunison -ob li
+# ssh li conflink
+# ssh li ser restart bind9
#!/bin/bash
offlineimap -a fsf
-sieve-filter -eW -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX /a/c/fsf.sieve INBOX &>/tmp/fsfsieve.log
+sieve-filter -eW -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf.sieve INBOX &>/tmp/fsfsieve.log
+
+
+# to test new rules, update fsf-test.sieve, run these commands, then copy new fsf-test.sieve to fsf.sieve
+# sieve-filter -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf-test.sieve INBOX &>/tmp/testfsfsieve.log
+# sed -rn '/^Performed actions:/{n;n;p}' /tmp/testfsfsieve.log | sort -u
# limitations under the License.
# set to oppsite if the order is flipped.
-k2flip=false
+k2flip=true
if $k2flip; then
-k2inorder=false
+ k2inorder=false
else
k2inorder=true
- fi
+fi
case $HOSTNAME in
x2|tp) type=laptop ;;
--- /dev/null
+192.168.1.5 x2
+192.168.1.8 tp
--- /dev/null
+#!/bin/bash
+
+# usage: I run this script on a timer to correct the dns on wrt for
+# clients where dns is updated dynamically by openvpn, in the case that
+# openvpn crashes or the computer running openvpn crashes.
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file
+
+while read -r ip host; do
+ found=false
+ is_connected="grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log"
+ if $is_connected; then continue; fi
+ if ! grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log; then
+ cd $(mktemp -d); dir=$PWD
+ ssh wrt tar -C /etc -c hosts | tar -x
+ if grep -qFx "$ip $host" hosts; then continue; fi
+ # openvpn udpates its status file every 60 seconds by default
+ if (( $(stat -c%Y hosts) > $(( $(date +%s) + 60 )) )); then
+ sleep 60
+ if $is_connected; then continue; fi
+ fi
+ ssh root@wrt.b8.nz cedit ovpn-$host <<<"$ip $host" || [[ $? == 1 ]]
+ fi
+done <lan-dns
start)
iptables_op=-A
ip_op=add
- tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
- if [[ $tun_dev != tun* ]]; then
- echo "$0: error: failed to find tun device"
- exit 1
- fi
+ # systemd around stretch release time, would wait until openvpn actually connected,
+ # so this was unnecessary, but now it returns immediately.
+ while true; do
+ tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
+ if [[ $tun_dev == tun* ]]; then
+ break
+ fi
+ echo "$0: waiting for tun_dev, found: $tun_dev"
+ sleep 4
+ done
e() { "$@"; }
;;
stop)
# The full list of option settings for any particular driver instance,
# including all the defaulted values, can be extracted by making use of
# the -bP command line option.
+# exim -bP config_file to see what config file it used
+# exim -bP config to see
# exim clear out message queue. as root:
# adapted from somewhere on stackoverflow.
else # begin exim. has debian specific stuff for now
if [[ -e /p/c/filesystem ]]; then
- /a/exe/vpn-mk-client-cert -n mail li
+ /a/exe/vpn-mk-client-cert -b mail -n mail li
fi
cat >/etc/systemd/system/mailroute.service <<'EOF'
# options exim has to avoid having to alter the default config files
CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl
CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
+
+# debian exim config added this in 2016 or so?
+# it's part of the smtp spec, to limit lines to 998 chars
+# but a fair amount of legit mail does not adhere to it. I don't think
+# this should be default, like it says in
+# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801
+# todo: the bug for introducing this was about headers, but
+# the fix maybe is for all lines? one says gmail rejects, the
+# other says gmail does not reject. figure out and open a new bug.
+IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+EOF
+
+
+ ####### begin dovecot setup ########
+ # based on a little google and package search, just the dovecot
+ # packages we need instead of dovecot-common.
+ #
+ # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
+ # directly. The reason to do this is to use dovecot\'s sieve, which
+ # has extensions that allow it to be almost equivalent to exim\'s
+ # filter capabilities, some ways probably better, some worse, and
+ # sieve has the benefit of being supported in postfix and
+ # proprietary/weird environments, so there is more examples on the
+ # internet. I was torn about whether to do this or not, meh.
+ apt-get -y install --purge --auto-remove \
+ dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
+
+ # if we changed 90-sieve.conf and removed the active part of the
+ # sieve option, we wouldn\'t need this, but I\'d rather not modify a
+ # default config if not needed. This won\'t work as a symlink in /a/c
+ # unfortunately.
+ sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
+
+ sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
+1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
+/^\s*mail_location\s*=/d
+EOF
+
+ cat >/etc/dovecot/conf.d/20-lmtp.conf <<'EOF'
+protocol lmtp {
+#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
+ mail_plugins = $mail_plugins sieve
+# default was
+ #mail_plugins = $mail_plugins
+
+# For a normal setup with exim, we need something like this, which
+# removes the domain part
+# auth_username_format = %Ln
+#
+# or else # Exim says something like
+# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
+# Dovecot verbose log says something like
+# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
+# reference: http://wiki.dovecot.org/LMTP/Exim
+#
+# However, I use this to direct all mail to the same inbox.
+# A normal way to do this, which I did at first is to have
+# a router in exim almost at the end, eg 950,
+#local_catchall:
+# debug_print = "R: catchall for $local_part@$domain"
+# driver = redirect
+# domains = +local_domains
+# data = ian
+# based on
+# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
+# with superflous options removed.
+# However, this causes the envelope to be rewritten,
+# which makes filtering into mailboxes a little less robust or more complicated,
+# so I've done it this way instead. it also requires
+# modifying the local router in exim.
+ auth_username_format = ian
+}
+
+EOF
+
+
+ cat >/etc/dovecot/local.conf <<'EOF'
+# so I can use a different login that my shell login for mail. this is
+# worth doing solely for the reason that if this login is compromised,
+# it won't also compromise my shell password.
+!include conf.d/auth-passwdfile.conf.ext
+
+# settings derived from wiki and 10-ssl.conf
+ssl = required
+ssl_cert = </etc/exim4/exim.crt
+ssl_key = </etc/exim4/exim.key
+# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
+# in my cert cronjob, I check if that has changed upstream.
+ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
+
+# ian: added this, more secure, per google etc
+ssl_prefer_server_ciphers = yes
+
+# for debugging info, uncomment these.
+# logs go to syslog and to /var/log/mail.log
+# auth_verbose=yes
+#mail_debug=yes
EOF
+ ####### end dovecot setup ########
systemctl enable offlineimapsync.timer
systemctl start offlineimapsync.timer
systemctl restart openvpn-client@mail
systemctl enable openvpn-client@mail
+ systemctl enable dovecot
+ systemctl restart dovecot
else # $HOSTNAME != $MAIL_HOST
systemctl disable offlineimapsync.timer &>/dev/null ||:
systemctl stop offlineimapsync.timer &>/dev/null ||:
systemctl disable openvpn-client@mail
systemctl stop openvpn-client@mail
+ systemctl disable dovecot ||:
+ systemctl stop dovecot ||:
#
#
# would only exist because I wrote it i the previous condition,
Type=oneshot
ExecStart=/a/bin/distro-setup/spamd-dns-fix
EOF
+ # 2017-09, debian closed the bug on this saying upstream had fixed it.
+ # remove this when i'm using the newer package, ie, debian 10, or maybe
+ # ubuntu 18.04.
cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
[Unit]
Description=run spamd bug fix script every 10 minutes
systemctl enable mailcert.timer
- ####### begin dovecot setup ########
- if [[ $HOSTNAME == $MAIL_HOST ]]; then
- # based on a little google and package search, just the dovecot
- # packages we need instead of dovecot-common.
- #
- # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir
- # directly. The reason to do this is to use dovecot\'s sieve, which
- # has extensions that allow it to be almost equivalent to exim\'s
- # filter capabilities, some ways probably better, some worse, and
- # sieve has the benefit of being supported in postfix and
- # proprietary/weird environments, so there is more examples on the
- # internet. I was torn about whether to do this or not, meh.
- apt-get -y install --purge --auto-remove \
- dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd
-
- # if we changed 90-sieve.conf and removed the active part of the
- # sieve option, we wouldn\'t need this, but I\'d rather not modify a
- # default config if not needed. This won\'t work as a symlink in /a/c
- # unfortunately.
- sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve
-
- sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF'
-1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX
-/^\s*mail_location\s*=/d
-EOF
-
- cat >/etc/dovecot/conf.d/20-lmtp.conf <<'EOF'
-protocol lmtp {
-#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
- mail_plugins = $mail_plugins sieve
-# default was
- #mail_plugins = $mail_plugins
-
-# For a normal setup with exim, we need something like this, which
-# removes the domain part
-# auth_username_format = %Ln
-#
-# or else # Exim says something like
-# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain"
-# Dovecot verbose log says something like
-# "auth-worker(9048): passwd(someuser@somedomain): unknown user"
-# reference: http://wiki.dovecot.org/LMTP/Exim
-#
-# However, I use this to direct all mail to the same inbox.
-# A normal way to do this, which I did at first is to have
-# a router in exim almost at the end, eg 950,
-#local_catchall:
-# debug_print = "R: catchall for $local_part@$domain"
-# driver = redirect
-# domains = +local_domains
-# data = ian
-# based on
-# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
-# with superflous options removed.
-# However, this causes the envelope to be rewritten,
-# which makes filtering into mailboxes a little less robust or more complicated,
-# so I've done it this way instead. it also requires
-# modifying the local router in exim.
- auth_username_format = ian
-}
-
-EOF
-
-
- cat >/etc/dovecot/local.conf <<'EOF'
-# so I can use a different login that my shell login for mail. this is
-# worth doing solely for the reason that if this login is compromised,
-# it won't also compromise my shell password.
-!include conf.d/auth-passwdfile.conf.ext
-
-# settings derived from wiki and 10-ssl.conf
-ssl = required
-ssl_cert = </etc/exim4/exim.crt
-ssl_key = </etc/exim4/exim.key
-# https://github.com/certbot/certbot/raw/master/certbot-apache/certbot_apache/options-ssl-apache.conf
-# in my cert cronjob, I check if that has changed upstream.
-ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
-
-# ian: added this, more secure, per google etc
-ssl_prefer_server_ciphers = yes
-
-# for debugging info, uncomment these.
-# logs go to syslog and to /var/log/mail.log
-# auth_verbose=yes
-#mail_debug=yes
-EOF
- fi ####### end dovecot setup ########
set -o pipefail
}
bash-trace() {
- local -i argc_index=0 arg frame i start=${1:-1} max_indent=8 indent
+ local -i argc_index=0 frame i start=${1:-1} max_indent=8 indent
local source
local extdebug=false
if [[ $(shopt -p extdebug) == *-s* ]]; then
# if latest is already mounted, make sure binds are mounted and move on
if e check-subvol-stale $d; then
+ mnt $d
for b in ${binds[@]}; do
mnt $b
done
continue
fi
- last_snap=$(</nocow/btrfs-stale/$vol)
- if [[ ! $last_snap ]]; then
- echo "$0: error. empty last_snap var"
+ fresh_snap=$(</nocow/btrfs-stale/$vol)
+ if [[ ! $fresh_snap ]]; then
+ echo "$0: error. empty fresh_snap var"
ret=1
continue
fi
umount_ret=false
ret=1
echo "$0: failed to umount $dir"
+ e lsof $dir
break
fi
fi
continue
fi
+ # todo: decipher /mnt/root, like we do in check-subvol-stale
cd /mnt/root
if [[ -e $vol ]]; then
- e btrfs sub del $vol
+ e mv $vol $vol.leaf.$(date +%Y%m%dT%H%M%S%z)
fi
# Note, we make a few assumptions in this script, like
# $d was not a different subvol id than $vol, and
# things otherwise didn't get mounted very strangely.
- e btrfs sub snapshot btrbk/$last_snap $vol
+ e btrfs sub snapshot $fresh_snap $vol
for dir in $d ${binds[@]}; do
e mnt $dir
done
rm -f $stale_dir/$d
done
-if [[ $HOSTNAME == treetowl ]]; then
+### disabled
+if [[ $HOSTNAME == treetowlxxxxxxxxx ]]; then
# partitioned it with fai partitioner outside of fai,
# because it\'s worth it to have 1% space reserved for boot and
# swap partitions in case I ever want to boot off those drives.
#!/bin/bash
-p="$(lsof -i tcp:31416 -Fp -a -c java | sed -rn 's/^p//p')"
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+p="$(lsof -i tcp:31416 -Fp -a -c java | sed -rn 's/^p//p')" ||:
if [[ $p ]]; then
kill $p
fi
-cd /a/opt/gnirehtet
+
+# so we don't hold open the /a fs
+sudo rsync -r --delete /a/opt/gnirehtet /opt
+cd /opt/gnirehtet
./gnirehtet rt &>/tmp/rt &
# note, to kill it, you need to also kill
# lsof -i tcp:31416
if [[ $new_host == "$HOSTNAME" ]]; then
localhost_new=true
- new_shell="ssh $new_host"
+ new_shell=
else
localhost_new=false
- new_shell=
+ new_shell="ssh $new_host"
fi
-old_shell=
+old_shell="ssh $old_host"
if [[ $old_host == "$HOSTNAME" ]]; then
- old_shell="ssh $old_host"
+ old_shell=
fi
if [[ ! $new_host || ! $old_host ]]; then
fi
at_home=false
-if [[ $HOSTNAME == treetowl ]] || [[ $HOSTNAME == frodo ]] || timeout -s 9 5 ssh wrt.lan :; then
+if [[ $HOSTNAME == treetowl ]] || [[ $HOSTNAME == frodo ]] || timeout -s 9 5 ssh wrt.b8.nz :; then
at_home=true
fi
echo "$0: at_home = $at_home"
# because our port forward is not robust enough, we can't use proxy command,
-# todo: just open an ssh port to the world on wrt.lan
+# todo: setup vpn so this is all taken care of.
if ! $at_home; then
- wrt_shell="ssh $HOME_DOMAIN ssh wrt.lan"
+ if [[ $old_host == iank.vpn.office.fsf.org || $new_host == iank.vpn.office.fsf.org ]]; then
+ wrt_shell="ssh iank.vpn.office.fsf.org ssh wrt.b8.nz"
+ else
+ wrt_shell="ssh $HOME_DOMAIN ssh wrt.b8.nz"
+ fi
else
- wrt_shell="ssh wrt.lan"
+ wrt_shell="ssh wrt.b8.nz"
fi
btrbk_test="systemctl is-active btrbk.service"
-while ! $new_shell $btrbk_test || $old_shell $btrbk_test; do
+while $new_shell $btrbk_test || $old_shell $btrbk_test; do
echo "$0: btrbk is running on new or old host. sleeping for 8 seconds"
sleep 6
echo "$0: testing for btrbk activity in 2 seconds"
echo | $wrt_shell cedit mail_host /etc/hosts || [[ $? == 1 ]] # 1 means file changed.
else
$wrt_shell bash -s <<EOFOUTER
- cedit mail_host /etc/hosts <<'EOF' || /etc/init.d/dnsmasq restart
-\$(grep "\b$new_host\b" /etc/hosts | awk '{print $1}') mail.iankelling.org
+ cedit mail_host /etc/hosts <<EOF || /etc/init.d/dnsmasq restart
+\$(grep "\b$new_host\b" /etc/hosts | awk '{print \$1}') mail.iankelling.org
EOF
EOFOUTER
fi
btrbk_dst=/mnt/root/btrbk
else
btrbk_src=/mnt/root
- btrbk_dst=ssh://$old_host/mnt/root/btrbk
+ btrbk_dst=ssh://$new_host/mnt/root/btrbk
fi
sudo tee -a /etc/btrbk.conf <<EOF
--- /dev/null
+#!/bin/bash
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+
+# Usage: run when switching from an untrusted network like public wifi
+# to a trusted one.
+
+rm -f /etc/dnsmasq.d/untrusted-network.conf
+
+systemctl reload dnsmasq
--- /dev/null
+#!/bin/bash
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
+
+# Usage: use when switching from a trusted network to an untrusted one,
+# like public wifi.
+
+cat >/etc/dnsmasq.d/untrusted-network.conf <<'EOF'
+server=8.8.4.4
+server=8.8.8.8
+server=2001:4860:4860::8844
+server=2001:4860:4860::8888
+no-resolv
+EOF
+
+systemctl reload dnsmasq
--- /dev/null
+#!/bin/bash
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file
+
+# see lan-dyn-dns-update. this is the corresponding script for on connect/disconnect from vpn
+
+d=/p/ovpn-ssh
+ssh_cmd="ssh -F$d/.config -i$d/id_rsa root@wrt.b8.nz cedit ovpn-$X509_0_CN /etc/hosts"
+case $script_type in
+ client-connect) $ssh_cmd <<<"$ifconfig_pool_remote_ip $X509_0_CN"|| [[ $? == 1 ]]
+ ;;
+ client-disconnect)
+ $ssh_cmd <<<$(grep -F $X509_0_CN lan-dns) || [[ $? == 1 ]]
+ ;;
+esac
iankelling.org / git / distro-setup / commitdiff