From: Ian Kelling Date: Tue, 8 Feb 2022 23:19:21 +0000 (-0500) Subject: bunch of fixes, change sy host, deploy some new stuff X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=commitdiff_plain;h=12cab163424e3a7b0815646d1d4407f9b5839bcb bunch of fixes, change sy host, deploy some new stuff --- diff --git a/.bashrc b/.bashrc index c593e83..d2057c4 100644 --- a/.bashrc +++ b/.bashrc @@ -29,7 +29,7 @@ HISTCONTROL=ignoredups # This works in addition to HISTCONTROL to do more flexible things # it could also do the same things as HISTCONTROL and thus replace it, # but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it. -HISTIGNORE='pass *:[ ]*:otp *:oathtool *' +HISTIGNORE='pass *:[ ]*:otp *:oathtool *:histrm *' #### begin section that works with sl() function to return from diff --git a/brc b/brc index 1f3aeea..cc38787 100644 --- a/brc +++ b/brc @@ -161,20 +161,31 @@ if [[ $- == *i* ]]; then TERM=xterm-256color fi + # copying from the alacritty example above, + if [[ $TERM == xterm-kitty ]]; then + if [[ ! -e /usr/share/terminfo/x/xterm-kitty ]]; then + TERM=xterm-256color + else + if [[ -e /a/opt/kitty/shell-integration/bash/kitty.bash ]]; then + KITTY_SHELL_INTEGRATION=t + source /a/opt/kitty/shell-integration/bash/kitty.bash + fi + fi + fi # todo: not sure this works in sakura #stty werase undef #bind "\C-w": kill-region # sakura == xterm-256color # konsole == xterm - if [[ $TERM == xterm* ]]; then + if [[ $TERM != xterm-kitty && $TERM == xterm* ]]; then # control + arrow keys. for other terminals, see http://unix.stackexchange.com/questions/10806/how-to-change-previous-next-word-shortcut-in-bash bind '"\e[1;5C": shell-forward-word' 2>/dev/null bind '"\e[1;5D": shell-backward-word' 2>/dev/null else # make ctrl-backspace work. for konsole, i fixed it through # /home/iank/.local/share/konsole/default.keytab - stty werase '^h' + stty werase ^h bind '"\eOc": shell-forward-word' bind '"\eOd": shell-backward-word' fi 
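Review bot: With the new `$TERM != xterm-kitty && $TERM == xterm*` guard in the brc hunk, a kitty session whose terminfo file exists keeps `TERM=xterm-kitty` and falls through to the else branch, so it receives the konsole settings (`stty werase ^h` and the `\eOc`/`\eOd` bindings) rather than the xterm ones. If that is intended because kitty.bash supplies its own key handling, a comment such as `# kitty: bindings come from kitty.bash, skip the xterm ones` would make the exclusion self-explanatory; if not, a separate arm for xterm-kitty is clearer than sharing the konsole branch. The `KITTY_SHELL_INTEGRATION=t` assignment is also not exported, so it reaches kitty.bash only because that file is sourced in the same shell — worth stating in the comment. The enclosing `if [[ $- == *i* ]]` block begins before the hunk.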
@@ -693,6 +704,19 @@ faf() { # find all files. use -L to follow symlinks -o -name .undo-tree-history -prune \) -type f 2>/dev/null } +# todo: id like to do maybe a daily or hourly cronjob to +# check that my history file size is increasing. Ive had it +# inexplicably truncated in the past. +histrm() { + history -n + history | awk -v IGNORECASE=1 '{ a=$1; sub(/^( *[^ ]+){4} */, "") }; /'"$*"'/' + read -p "press anything but contrl-c to delete" + for entry in $(history | awk -v IGNORECASE=1 '{ a=$1; sub(/^( *[^ ]+){4} */, "") }; /'"$*"'/ { print a }' | tac); do + history -d $entry + done + history -w +} + # mail related frozen() { rm -rf /tmp/frozen @@ -1638,7 +1662,7 @@ ssk() { ccomp ssh sl slr sss ssk # plain ssh ssh() { - if [[ $TERM == alacritty ]]; then + if [[ $TERM == alacritty || $TERM == xterm-kitty ]]; then TERM=xterm-256color LC_USEBASHRC=t command ssh "$@" else LC_USEBASHRC=t command ssh "$@" diff --git a/brc2 b/brc2 index af437b3..1e2f999 100644 --- a/brc2 +++ b/brc2 @@ -427,12 +427,12 @@ lipush() { # note, i had --delete-excluded, but that deletes all files in --exclude-from on # the remote site, which doesn't make sense, so not sure why i had it. local p a - p=(/a/opt/{emacs-debian10{,-nox},mu,emacs} /a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts}) + p=(/a/opt/{emacs-debian11{,-nox},mu,emacs} /a/bin /a/exe /a/h /a/c /p/c/machine_specific/vps{,.hosts}) a="-ahviSAXPH --specials --devices --delete --relative --exclude-from=/p/c/li-rsync-excludes" ret=0 for h in li je bk; do m s rsync "$@" $a ${p[@]} /p/c/machine_specific/$h root@$h.b8.nz:/ || ret=$? - # only li is debian10 + # only li is debian11 p[0]=/a/opt/emacs-ubuntu20.04 p[1]=/a/opt/emacs-ubuntu20.04-nox done 
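Review bot: `histrm` in the brc hunk splices its arguments into the awk program text (`'/'"$*"'/'`), so an argument containing `/`, a single quote or regex metacharacters either breaks the awk source or matches something other than intended, and this happens twice (the listing and the deletion pipeline). Passing the pattern as data instead, `awk -v IGNORECASE=1 -v pat="$*" '{ a=$1; sub(/^( *[^ ]+){4} */, "") } $0 ~ pat'` (and `$0 ~ pat { print a }` in the second call), removes that problem; `read -p` should also take `-r` and an explicit variable so a stray backslash in the reply is not interpreted. The `tac` ordering is correct, since deleting the highest-numbered entries first keeps the remaining history numbers stable, and a one-line comment saying so would stop a future reader from "simplifying" it away.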
@@ -1497,6 +1497,19 @@ trc() { TR_AUTH=":$(jq -r .profiles[0].password ~/.config/transmission-remote-gtk/config.json)" transmission-remote transmission.lan -ne "$@" } +trysleep() { + retries="$1" + sleepsecs="$2" + shift 2 + for (( i=0; i < retries - 1; i++ )); do + if "$@"; then + return 0 + fi + sleep $sleepsecs + done + "$@" +} + tu() { local s @@ -1541,7 +1554,7 @@ spamnn() { } unboundbash() { m sudo nsenter -t $(systemctl status unbound| sed -n '/^ *Main PID:/s/[^0-9]//gp') -n -m sudo -u $USER -i bash - } +} mailnncheck() { local pid ns mailnn 
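Review bot: `trysleep` in the brc2 hunk assigns `retries`, `sleepsecs` and the loop counter `i` without `local`, so every call creates or overwrites those globals in the interactive shell that sources brc2; `local retries=$1 sleepsecs=$2 i` at the top fixes that, and `sleep "$sleepsecs"` can be quoted at the same time. The loop runs the command `retries - 1` times with a sleep after each failure and then once more without one, which matches the loop it replaces in distro-end, but it also means `trysleep 0 …` and `trysleep 1 …` both try exactly once — a header comment stating "retries = total attempts, sleep between them" would make the count obvious at the call sites.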
@@ -1606,6 +1619,80 @@ vpn() { sudo systemd-tty-ask-password-agent } +# systemctl is-enabled / status / cat says nothing, instead theres +# some obscure symlink. paths copied from man systemd.unit. +# possibly also usefull, but incomplete, doesnt show units not loaded in memory: +# seru list-dependencies --reverse --all UNIT +sysd-deps() { + local f + local -a dirs search + ngset + + case $1 in + u) + search=( + ~/.config/systemd/user.control/* + $XDG_RUNTIME_DIR/systemd/user.control/* + $XDG_RUNTIME_DIR/systemd/transient/* + $XDG_RUNTIME_DIR/systemd/generator.early/* + ~/.config/systemd/user/* + /etc/systemd/user/* + $XDG_RUNTIME_DIR/systemd/user/* + /run/systemd/user/* + $XDG_RUNTIME_DIR/systemd/generator/* + ~/.local/share/systemd/user/* + /usr/lib/systemd/user/* + $XDG_RUNTIME_DIR/systemd/generator.late/* + ) + ;; + *) + search=( + /etc/systemd/system.control/* + /run/systemd/system.control/* + /run/systemd/transient/* + /run/systemd/generator.early/* + /etc/systemd/system/* + /etc/systemd/systemd.attached/* + /run/systemd/system/* + /run/systemd/systemd.attached/* + /run/systemd/generator/* + /lib/systemd/system/* + /run/systemd/generator.late/* + ) + ;; + esac + for f in "${search[@]}"; do + [[ -d $f ]] || continue + case $f in + *.requires|*.wants) + dirs+=("$f") + ;; + esac + done + # dirs is just so we write out the directory names, ls does it when there is 2 or more dirs. + case ${#dirs[@]} in + 1) + echo "${dirs[0]}:" + ll "${dirs[@]}" + ;; + 0) : ;; + *) + ll "${dirs[@]}" + ;; + esac + ngreset +} + +fixvpndns() { + local link istls + read _ link _ istls < <(resolvectl dnsovertls tunfsf) + case $istls in + yes|no) : ;; + *) echo fixvpndns error: unexpected istls value: $istls >&2; return 1 ;; + esac + s busctl call org.freedesktop.resolve1 /org/freedesktop/resolve1 org.freedesktop.resolve1.Manager SetLinkDNSOverTLS is $link no +} + vpnoff() { [[ $1 ]] || { echo need arg; return 1; } if [[ -e /lib/systemd/system/openvpn-client@.service ]]; then 
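Review bot: `fixvpndns` validates `$istls` as `yes`/`no` but then ignores it and unconditionally calls `SetLinkDNSOverTLS … no` on the link, which disables DNS-over-TLS for the `tunfsf` interface; if the call is only needed when the value is `yes`, the `no)` arm should `return 0` rather than `:`. Either way the function deserves a header comment recording why DoT must be off on this link, since resolver traffic over the VPN is then sent in cleartext, e.g. `# resolvectl reports DoT on tunfsf; it is turned off here because: <reason>`. `read` should take `-r`, and `$link`/`$istls` in the echo and busctl lines can be quoted. In `sysd-deps` the unquoted globs are deliberate, but an unset `$XDG_RUNTIME_DIR` silently turns those entries into `/systemd/…` globs; a guard such as `[[ $XDG_RUNTIME_DIR ]] || return 1` at the start of the `u)` arm avoids that.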
diff --git a/btrbk-run b/btrbk-run index e96bb52..c83b763 100644 --- a/btrbk-run +++ b/btrbk-run @@ -198,13 +198,19 @@ if [[ ! -v targets && ! $source ]]; then x2|x3|sy) targets+=($home) if $at_work; then - targets+=(kw.office.fsf.org) + targets+=(kw.office.fsf.org x2.b8.nz) else targets+=(kw.b8.nz) fi ;; kd) - targets+=(x2.b8.nz sy.b8.nz kw.b8.nz) + targets+=(x2.b8.nz kw.b8.nz) + ## sy is unused + # if ping -q -c1 -w1 sy.b8.nz &>/dev/null; then + # targets+=(sy.b8.nz) + # else + # targets+=(syw.b8.nz) + # fi ;; frodo) # no targets diff --git a/btrfsmaint b/btrfsmaint index 070b501..bcad450 100755 --- a/btrfsmaint +++ b/btrfsmaint @@ -1,9 +1,10 @@ #!/bin/bash -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" + +source /a/bin/errhandle/err + # inspired from # https://github.com/kdave/btrfsmaintenance diff --git a/check-remote-mailqs b/check-remote-mailqs index 8a2fc85..b478101 100755 --- a/check-remote-mailqs +++ b/check-remote-mailqs 
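Review bot: In btrfsmaint the inline `set -eE -o pipefail` and ERR trap are replaced by `source /a/bin/errhandle/err`, which now runs only after the `exec sudo -E` re-exec, and the source line itself is not checked; if the file is missing (for example when `/a` is not mounted on a host running this from cron) bash prints an error and continues with no errexit and no trap at all. `source /a/bin/errhandle/err || { echo "$0: cannot load error handler" >&2; exit 1; }` keeps the previous fail-closed behaviour. A short comment above the line saying which options and traps the sourced file is expected to set would also let a reader verify the replacement is equivalent without opening it.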
@@ -9,12 +9,27 @@ source /a/bin/errhandle/err shopt -s nullglob shopt -s dotglob - -for h in bk.b8.nz je.b8.nz tp.b8.nz vpn1 x2 x3.b8.nz frodo.b8.nz kd.b8.nz kw iankelling.org bk.b8.nz; do - if [[ $HOSTNAME == "${h%%.*}" ]]; then +for h in bk je li frodo kwwg x3wg x2wg kdwg; do + statedir=/b/bash_unpublished/mailq-state + statefile=$statedir/$h + [[ -d $statedir ]] || continue + if [[ $HOSTNAME == "${h%wg}" ]]; then + rm -f $statefile continue fi - if c=$(timeout 1 ssh root@$h /b/ds/check-mailq 2>/dev/null ) && [[ $c ]]; then - echo q:$h=$c + if c=$(timeout -v 10 ssh root@$h.b8.nz /usr/local/bin/check-mailq 2>&1 ); then + rm -f $statefile + if [[ $c ]]; then + echo q:$h=$c + fi + else + if [[ -s $statefile ]]; then + logsec=$(date +%s -d "$(head -n1 $statefile | awk '{print $1,$2}')") + nowsec=$(date +%s) + if (( logsec < nowsec - 60*60*48 )); then + echo $0: host $h ssh /usr/local/bin/check-mailq fail for over 48 hours + fi + fi + printf "%s\n" "$c" | ts "%F %T" >> $statefile fi done diff --git a/desktop-20-autostart.sh b/desktop-20-autostart.sh index 8dc4ed6..ff8e654 100755 --- a/desktop-20-autostart.sh +++ b/desktop-20-autostart.sh @@ -32,7 +32,10 @@ if echo "$xout" | grep "^HDMI-1 connected" &>/dev/null; then # this command created by using arandr and then clicking save, copying the result. xrandr --output VGA-1 --off --output HDMI-1 --mode 3840x2160 --pos 0x0 --rotate normal --output eDP-1 --off fi -/a/bin/distro-setup/input-setup m +case $HOSTNAME in + sy) /a/bin/distro-setup/input-setup l ;; + *) /a/bin/distro-setup/input-setup m ;; +esac echo -n "ending " >> /tmp/desktop-20-autostart-log date "+%A, %B %d, %r, %S seconds" >> /tmp/desktop-20-autostart-log diff --git a/distro-end b/distro-end index 0746d82..51f4bc4 100755 --- a/distro-end +++ b/distro-end 
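Review bot: The new ssh command in the check-remote-mailqs hunk redirects `2>&1` into `$c`, so whenever ssh exits 0 but prints on stderr (a host-key or locale warning, for instance) the loop reports that text as `q:$h=…` as if it were queue output; the version it replaces discarded stderr in the success path. Keeping stderr out of `$c` for the success case — for example `2>/dev/null` on the command and a second capture with `2>&1` only inside the `else` branch that logs to `$statefile`, or a `mktemp` file for stderr that the else branch pipes through `ts` — restores that. `logsec=$(date +%s -d "$(head -n1 $statefile | awk '{print $1,$2}')")` relies on every line of the state file starting with the `ts "%F %T"` stamp, which holds because `>>` only ever writes through `ts`; a comment such as `# first line = time of the first consecutive failure` would make the 48-hour computation self-explanatory. The `[[ -d $statedir ]] || continue` check also silently disables the whole loop on hosts without `/b/bash_unpublished`, which may be intended but is worth saying.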
@@ -3,7 +3,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later # shellcheck source=/a/bin/ds/.bashrc -export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi +export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi ### setup source /a/bin/errhandle/err @@ -839,10 +839,7 @@ deb http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main deb-src http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main EOF # ubuntu keyserver is prone to intermittent failures - for (( i=0; i <= 4 ; i++ )); do - s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B && break - sleep 10 - done + trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B p update # https://support.system76.com/articles/install-ubuntu/ # but i'm hoping this is not needed @@ -867,16 +864,13 @@ case $distro in trisquel|ubuntu) # ppa:obsproject/obs-studio - if [[ ! -d /etc/apt/sources.list.d/obs.list ]]; then + if [[ ! -s /etc/apt/sources.list.d/obs.list ]]; then # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html sd /etc/apt/sources.list.d/obs.list </dev/null; then sudo -u gdm dbus-launch gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type 'nothing' - m systemctl --user stop gvfs-daemon - m systemctl --user disable gvfs-daemon fi ;;& focal) 
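Review bot: The new `trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys …` line in distro-end still imports the system76 PPA key into the global apt keyring, where it is trusted for every configured repository; the syncthing hunk in this same commit already uses the `[signed-by=/usr/share/keyrings/…]` form, which scopes a key to one source, and `apt-key` is deprecated on the Debian 11 hosts the commit moves to. Fetching the key into a dedicated keyring (a constructed name such as `/usr/share/keyrings/system76-archive-keyring.gpg`) and referencing it with `signed-by` in the `deb` lines would make the two repositories consistent. `trysleep` is defined in brc2, so this line only works when the `. ~/.bashrc` at the top of distro-end ends up sourcing brc2 non-interactively; a comment naming that dependency would help anyone running distro-end from a plain `bash`. The system76 block this line sits in begins before the hunk.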
@@ -1156,74 +1148,84 @@ if [[ $HOSTNAME == frodo ]]; then fi ############# begin syncthing setup ########### -if [[ $HOSTNAME == frodo ]]; then - # It\'s simpler to just worry about running it in one place for now. - # I assume it would work to clone it\'s config to another non-phone - # and just run it in one place instead of the normal having a - # separate config. I lean toward using the same config, since btrfs - # syncs between comps. - # testing has relatively up to date packages - if ! isdebian-testing; then - # based on error when doing apt-get update: - # E: The method driver /usr/lib/apt/methods/https could not be found. - pi apt-transport-https - # google led me here: - # https://apt.syncthing.net/ - curl -s https://syncthing.net/release-key.txt | sudo apt-key add - - s="deb http://apt.syncthing.net/ syncthing release" +case $HOSTNAME in + kd|frodo) + f=/usr/share/keyrings/syncthing-archive-keyring.gpg + if [[ ! -e $f ]]; then + s curl -s -o $f https://syncthing.net/release-key.gpg + fi + s="deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != "$s" ]]; then echo "$s" | sd /etc/apt/sources.list.d/syncthing.list p update fi - fi - pi syncthing - m lnf -T /w/syncthing /home/iank/.config/syncthing - ser daemon-reload # syncthing likely not properly packaged - sgo syncthing@iank # runs as iank - - # these things persist in ~/.config/syncthing, which I save in - # /w/syncthing (not in /p, because syncthing should continue to - # run on home server even when using laptop as primary device) - # open http://localhost:8384/ - # change listen address from default to tcp://:22001, - # this is because we do port forward so it doesn\'t have to use - # some external server, but the syncthing is broken for port forward, - # you get a message, something "like connected to myself, this should not happen" - # when connecting to other local devices, so I bump the 
port up by 1, - # based on - # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19. - # Without this, it was being stuck syncing at 0%. - # Set gui username and password. - # - # install syncthing via f-droid, - # folder setting, turn off send only. - # on phone, add device, click bar code icon - # on dekstop, top right, actions, device id - # after adding, notification will appear on desktop to confirm - # - # syncing folder. from phone to desktop: select desktop in the - # folder on phone\'s sync options, notification will appear in - # desktop\'s web ui within a minute. For the reverse, the - # notification will appear in android\'s notifications, you have to - # swipe down and tap it to add the folder. It won\'t appear in the - # syncthing ui, which would be intuitive, but don\'t wait for it - # there. The notification may not work, instead open the web gui - # from in the app, there should be a notification within there. - # - # On phone, set settings to run syncthing all the time, and - # show no notification. - # - # Folder versioning would make sense if I didn\'t already use btrfs - # for backups. I would choose staggered, or trash can for more space. - # - # if needed to install on a remote comp: - # ssh -L 8384:localhost:8384 -N frodo - # open http://localhost:8384/ - # - # Note, the other thing i did was port forward port 22000, - # per https://docs.syncthing.net/users/firewall.html + pi syncthing + ;;& + frodo) + m lnf -T /w/syncthing /home/iank/.config/syncthing + ser daemon-reload # syncthing likely not properly packaged + sgo syncthing@iank # runs as iank + ;; + kd) + + # 1003 just happens to be what was on my system + if ! 
getent passwd ziva; then + s groupadd -g 1003 ziva + # syncthing state / config / db are all in ~/.config/syncthing + s useradd -g 1003 -u 1003 -d /d/ziva-home -c ziva -s /bin/bash ziva + fi + sgo syncthing@ziva + ;; +esac + +# user for short term use dropping of privileges +s groupadd -g 1023 zu +s useradd -g 1023 -u 1023 -c zu -s /bin/bash zu + + + +# these things persist in ~/.config/syncthing, which I save in +# /w/syncthing (not in /p, because syncthing should continue to +# run on home server even when using laptop as primary device) +# open http://localhost:8384/ +# change listen address from default to tcp://:22001, +# this is because we do port forward so it doesn\'t have to use +# some external server, but the syncthing is broken for port forward, +# you get a message, something "like connected to myself, this should not happen" +# when connecting to other local devices, so I bump the port up by 1, +# based on +# https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19. +# Without this, it was being stuck syncing at 0%. +# Set gui username and password. +# +# install syncthing via f-droid, +# folder setting, turn off send only. +# on phone, add device, click bar code icon +# on dekstop, top right, actions, device id +# after adding, notification will appear on desktop to confirm +# +# syncing folder. from phone to desktop: select desktop in the +# folder on phone\'s sync options, notification will appear in +# desktop\'s web ui within a minute. For the reverse, the +# notification will appear in android\'s notifications, you have to +# swipe down and tap it to add the folder. It won\'t appear in the +# syncthing ui, which would be intuitive, but don\'t wait for it +# there. The notification may not work, instead open the web gui +# from in the app, there should be a notification within there. +# +# On phone, set settings to run syncthing all the time, and +# show no notification. 
+# +# Folder versioning would make sense if I didn\'t already use btrfs +# for backups. I would choose staggered, or trash can for more space. +# +# if needed to install on a remote comp: +# ssh -L 8384:localhost:8384 -N frodo +# open http://localhost:8384/ +# +# Note, the other thing i did was port forward port 22000, +# per https://docs.syncthing.net/users/firewall.html -fi ############# end syncthing setup ########### @@ -1622,7 +1624,8 @@ m /a/bin/buildscripts/go m /a/bin/buildscripts/rust m /a/bin/buildscripts/misc m /a/bin/buildscripts/pithosfly -m /a/bin/buildscripts/alacritty +#m /a/bin/buildscripts/alacritty +m /a/bin/buildscripts/kitty pi-nostart virtinst virt-manager soff libvirtd @@ -1707,11 +1710,8 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \ ########### misc stuff if [[ $HOSTNAME != frodo ]]; then - s cedit hole /etc/hosts </dev/null); then + if ! read -r _ _ gateway _ ifdev _ < <(ip -4 route get 85.119.83.50 2>/dev/null); then # if our internet is down, just give up, no need to have an error if [[ ! $INVOCATION_ID ]]; then echo $0: failed to get route, giving up 
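Review bot: The `s groupadd -g 1023 zu` / `s useradd … zu` lines added after the syncthing `case` in distro-end run unguarded, so on the second run of this re-runnable script groupadd fails because the group exists, and if `/a/bin/errhandle/err` enables errexit as its name suggests the whole run aborts there; the ziva block just above guards the same operation with `if ! getent passwd ziva; then`, so wrap these the same way, `if ! getent passwd zu >/dev/null; then … fi`. In the `kd|frodo)` arm, `s curl -s -o $f https://syncthing.net/release-key.gpg` writes whatever the server returns, including an HTTP error page, to the keyring path and exits 0, and the `[[ ! -e $f ]]` guard then keeps that broken keyring on every later run; `curl -sSf -o "$f"` fails on HTTP errors, and checking `[[ ! -s $f ]]` instead also recovers from an empty file. Because this key then authorises every package from apt.syncthing.net, a comment with the expected fingerprint (`# expected fingerprint: <FINGERPRINT>`) plus a `gpg --show-keys` comparison before the file is installed would close the remaining trust-on-first-use gap.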
@@ -28,8 +30,22 @@ main() { ;; esac - if timeout -s 9 5 ssh-keyscan -p 2220 -t rsa $gateway 2>/dev/null | grep -qFx "[$gateway]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCH+/h1dGEfKEusBblndU2e6QT4wLCm5+yqr/sqh/0X9YfjR7BfWWm8nNmuP55cYc+Wuf5ljB1H1acXEcsl1y8e0j3agHfF0V74FE1N1zz5nn2Ep8NHnmqgEhza38ZxMPh+4p3X7zklEKU7+3SzybKBi8sg0wLzlS2LM0JaUN80zR2sK11Kye3dURUXPk78u5wodOkgcEYRwSYaDMJlUzWP+poRXIDJwFaMQnwmxbl/c84yOyaU0x/d6hFwoRscWecihX+vvBNeSyxR4xr2HDOyUWwJkctyAgt2p7w3tfkXOKcCRzTAjGVIMQLTvo0sG/yJbcyHoEFdFybCsgDvfyYn"; then - # we are on a home network + athome=false + if [[ -s /dev/shm/dynamic-ip-update-state ]]; then + oldbytes=$(cat /dev/shm/dynamic-ip-update-state) + newbytes=$(awk '$1 == "'$ifdev':" {print $2 + $10}' /proc/net/dev) + if [[ $oldbytes == [1-9]* ]] && (( newbytes >= oldbytes )); then + athome=true + printf "%s\n" "$newbytes" >/dev/shm/dynamic-ip-update-state + fi + fi + if ! $athome && timeout -s 9 5 ssh-keyscan -p 2220 -t rsa $gateway 2>/dev/null | grep -qFx "[$gateway]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCH+/h1dGEfKEusBblndU2e6QT4wLCm5+yqr/sqh/0X9YfjR7BfWWm8nNmuP55cYc+Wuf5ljB1H1acXEcsl1y8e0j3agHfF0V74FE1N1zz5nn2Ep8NHnmqgEhza38ZxMPh+4p3X7zklEKU7+3SzybKBi8sg0wLzlS2LM0JaUN80zR2sK11Kye3dURUXPk78u5wodOkgcEYRwSYaDMJlUzWP+poRXIDJwFaMQnwmxbl/c84yOyaU0x/d6hFwoRscWecihX+vvBNeSyxR4xr2HDOyUWwJkctyAgt2p7w3tfkXOKcCRzTAjGVIMQLTvo0sG/yJbcyHoEFdFybCsgDvfyYn"; then + athome=true + awk '$1 == "'$ifdev':" {print $2 + $10}' /proc/net/dev > /dev/shm/dynamic-ip-update-state + fi + + + if $athome; then cur4="$(dig +short $dynhost @iankelling.org | tail -1)" if ip4=$(curl -s4 https://iankelling.org/cgi/pubip); then if [[ $cur4 && $ip4 && $cur4 != $ip4 ]]; then diff --git a/epanic-clean b/epanic-clean index a7220c2..8c26855 100755 --- a/epanic-clean +++ b/epanic-clean 
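Review bot: The athome shortcut in the dynamic-ip-update hunk stores only a byte count in `/dev/shm/dynamic-ip-update-state`, not the interface it came from, so when `$ifdev` (taken fresh from `ip route get` each run) differs from the one that wrote the state, `newbytes >= oldbytes` compares two unrelated counters and can skip the host-key check that defines "home". Writing `"$ifdev $newbytes"` and requiring the device to match before comparing counters keeps the shortcut sound, and the duplicated `awk '$1 == "'$ifdev':" …'` is cleaner as `awk -v dev="$ifdev:" '$1 == dev {print $2 + $10}'`. The heuristic also assumes a network change always cycles the interface (counters only reset when the device goes down), which seems to be the premise but is not written anywhere — a comment stating it would help. Since `/dev/shm` is world-writable and the name is fixed, on a host with other local users a pre-created file could steer this decision; if the script runs as root, a file under a root-owned directory such as `/run` avoids that. `main()` continues outside the hunk.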
@@ -38,8 +38,8 @@ main() { grep "$regex" $pl >> $pl-archive ||: sed -i "/$regex/d" $pl - ## begin broken pipe ## - regex="Failed writing transport results to pipe: Broken pipe$" + ## begin broken pipe & write lock ## + regex="Failed to get write lock\|Failed writing transport results to pipe: Broken pipe$" now_s=$(date +%s) newlines=false count=0 @@ -51,11 +51,11 @@ main() { fi done < <(grep "$regex" $pl ||:) if (( count )); then - # i see these in groups of 3 for the same message around once a day + # I see broken pipe in groups of 3 for the same message around once a day # randomly. I'm guessing they are related to running 2 instances of # exim which share the same spool. So, if we have some, but not in # the last 5 minutes, and less than 20, it should be fine to clear - # them. + # them. write lock happens less but can fit under the same rule. if (( count > 20 )); then cat $pl elif ! $newlines; then diff --git a/filesystem/etc/cron.daily/check-lets-encrypt-ssl-settings b/filesystem/etc/cron.daily/check-lets-encrypt-ssl-settings index 5646d75..c108521 100755 --- a/filesystem/etc/cron.daily/check-lets-encrypt-ssl-settings +++ b/filesystem/etc/cron.daily/check-lets-encrypt-ssl-settings @@ -33,7 +33,7 @@ if [[ -e $lock_file ]]; then fi d=/a/opt/certbot -gitget https://github.com/certbot/certbot.git $d &>/tmp/${0##*/}.log +gitget https://github.com/certbot/certbot.git $d |& ts "%F %T" >>/tmp/${0##*/}.log cd $d f=certbot-apache/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf diff --git a/filesystem/etc/firejail/globals.local b/filesystem/etc/firejail/globals.local new file mode 100644 index 0000000..54da422 --- /dev/null +++ b/filesystem/etc/firejail/globals.local @@ -0,0 +1,10 @@ +blacklist /a +blacklist /bu +blacklist /boot +blacklist /d +blacklist /m +blacklist /o +blacklist /p +blacklist /q +blacklist /w +blacklist /nocow 
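Review bot: Replacing `&>/tmp/….log` with `|& ts "%F %T" >>/tmp/….log` in the cron.daily check-lets-encrypt-ssl-settings hunk makes the line's status that of `ts`, so a failed `gitget` no longer stops the script before `cd $d` unless the script runs under `set -o pipefail`, which is not visible here; if it does not, add `set -o pipefail` near the top or test `${PIPESTATUS[0]}` after the line. The log now also grows without bound instead of being replaced each run, which is acceptable for a daily job but worth a one-line comment. In epanic-clean the new `$` anchor binds only to the second alternative of `Failed to get write lock\|Failed writing … Broken pipe$`, which looks intended but deserves a note because the same `$regex` is reused in `sed -i "/$regex/d"`, where `\|` is likewise GNU-only.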
diff --git a/filesystem/etc/firejail/makekitty.profile b/filesystem/etc/firejail/makekitty.profile new file mode 100644 index 0000000..19c06f8 --- /dev/null +++ b/filesystem/etc/firejail/makekitty.profile @@ -0,0 +1,33 @@ +private +net none + +include globals.local + + +# below is copied from makepkg + +include disable-common.inc +include disable-exec.inc +include disable-passwdmgr.inc +include disable-programs.inc + +caps.drop all +ipc-namespace +netfilter +no3d +nodvd +nogroups +nonewprivs +# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD. +noroot +nosound +notv +novideo +protocol unix,inet,inet6 +seccomp +shell none + +disable-mnt +private-tmp + +memory-deny-write-execute diff --git a/filesystem/etc/needrestart/conf.d/iank.conf b/filesystem/etc/needrestart/conf.d/iank.conf new file mode 100644 index 0000000..78d20ce --- /dev/null +++ b/filesystem/etc/needrestart/conf.d/iank.conf @@ -0,0 +1,2 @@ +# Restart mode: (l)ist only, (i)nteractive or (a)utomatically. +$nrconf{restart} = 'a'; diff --git a/filesystem/etc/systemd/systemd-resolved.service.d/override.conf b/filesystem/etc/systemd/systemd-resolved.service.d/override.conf new file mode 100644 index 0000000..a9d504d --- /dev/null +++ b/filesystem/etc/systemd/systemd-resolved.service.d/override.conf @@ -0,0 +1,3 @@ +# uncomment for debugging +#[Service] +#Environment=SYSTEMD_LOG_LEVEL=debug diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade index c358fcb..e5401dc 100755 --- a/filesystem/usr/local/bin/myupgrade +++ b/filesystem/usr/local/bin/myupgrade 
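Review bot: The comment `# noroot is only disabled to allow the creation of kernel headers from an official PKGBUILD.` in the new firejail/makekitty.profile was carried over from makepkg and contradicts the directive beneath it, which enables `noroot`; either drop the comment or replace it with one that describes this profile, e.g. `# noroot stays enabled; nothing in this build needs root inside the sandbox` if that is the case. A one-line header stating what the profile wraps and why the makepkg rules were borrowed (`private`, `net none` and the `include globals.local` blacklist are the only local additions) would make the file reviewable on its own.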
@@ -19,41 +19,35 @@ err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $pre: $*" >&2; } hn=$(hostname -f) source /a/bin/bash_unpublished/source-state -l() { - "$@" |& systemd-cat -t myupgrade +myreboot() { + for x in {30..1}; do + echo "pid $$. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n + sleep 10 + done + for x in {30..1}; do + if ! fuser /var/lib/dpkg/lock &> /dev/null; then + echo "pid $$. unattended upgrade, rebooting now" | pee cat "wall -n" + /a/bin/ds/keyscript-on + /sbin/reboot + exit 0 + fi + echo "pid $$. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n + sleep 10 + done + echo "pid $$. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n" } -## temporary -case $HOSTNAME in - kd) - exit 0 - ;; -esac -if checkrestart -b /a/bin/ds/checkrestart-blacklist -p -t &>/dev/null; then - exit 0 +if [[ $HOSTNAME != "$MAIL_HOST" ]]; then + ksta=$(needrestart -b | sed -n 's/NEEDRESTART-KSTA: *//p'); + case $ksta in + 1) : ;; + [023]) myreboot ;; + *) err error: unknown kernel status ;; + esac fi -if [[ $HOSTNAME == "$MAIL_HOST" ]]; then - # no automatic reboot for this host, just make an alert - checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||: - exit 0 -else - l checkrestart -b /a/bin/ds/checkrestart-blacklist -p 2>/dev/null ||: +# needsrestarts automatic restarts failed. +if ! out=$(/sbin/needrestart -p 2>&1); then + e "$out" fi - -for x in {30..1}; do - echo "pid $$. unattended upgrade, rebooting in $((x*10)) seconds" | wall -n - sleep 10 -done -for x in {30..1}; do - if ! fuser /var/lib/dpkg/lock &> /dev/null; then - echo "pid $$. unattended upgrade, rebooting now" | pee cat "wall -n" - /a/bin/ds/keyscript-on - /sbin/reboot - exit 0 - fi - echo "pid $$. unattended upgrade reboot waiting 10 seconds for dpkg lock" | wall -n - sleep 10 -done -echo "pid $$. dpkg locked for 5 minutes, automatic reboot failed" | pee cat "wall -n" diff --git a/hssh b/hssh index 8af5f0a..47ca7a7 100755 --- a/hssh 
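Review bot: The new `case $ksta in` in myupgrade reboots on `[023]`, and needrestart's `-b` output documents KSTA 0 as "unknown or failed to detect" (1 = no upgrade pending, 2 = ABI-compatible upgrade pending, 3 = version upgrade pending), so a host where kernel detection keeps failing would reboot on every run; `0` belongs in the `*)` error arm unless that is deliberate, in which case a comment `# 0 = detection failed: reboot anyway because <reason>` should say why. The `*)` arm prints `unknown kernel status` without the value — `err error: unknown kernel status: $ksta` makes the alert actionable — and the `ksta=…;` line carries a stray trailing `;`. `myreboot` is a verbatim move of the old loop, so no new behaviour comment is needed there, though its `exit 0` after `/sbin/reboot` now exits from inside a function and is worth a short note.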
+++ b/hssh @@ -29,7 +29,8 @@ scp -f /a/bin/distro-setup/btrbk-run # mount-latest-remote timeout -s 9 600 /usr/local/bin/mount-latest-subvol rsync --server -OtpRe.LsfxC . /usr/local -/a/exe/mail-backup-clean +/usr/local/bin/mail-backup-clean +/usr/local/bin/check-mailq EOF allow=false diff --git a/iboot b/iboot new file mode 100644 index 0000000..78805bf --- /dev/null +++ b/iboot @@ -0,0 +1,24 @@ +#!/bin/bash + +[[ $EUID == 0 ]] || exec sudo -E "$script" "$@" + +if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi +shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR + +set -x + + +boot_part=$(awk '$2 == "/boot" {print $1}' /etc/mtab) +boot_dev=${boot_part%[0-9]*} +# from partition.DEFAULT +new_boot_part=${boot_dev}4 +mount -o subvol=debianbuster_bootstrap $new_boot_part /mnt + +cd /mnt +mount -o bind /dev dev +mount -o bind /proc proc +mount -o bind /sys sys +mkdir -p boot/efi +mount $(awk '$2 == "/boot/efi" {print $1}' /etc/mtab) boot/efi diff --git a/install-my-scripts b/install-my-scripts index 6274111..2969a09 100755 --- a/install-my-scripts +++ b/install-my-scripts @@ -41,5 +41,8 @@ rsync -t --chmod=755 --chown=root:root switch-mail-host btrbk-run mount-latest-s /a/bin/log-quiet/sysd-mail-once hssh \ btrfsmaint \ dynamic-ip-update \ + check-mailq \ + unsaved-buffers.el \ + mail-backup-clean \ /usr/local/bin rsync -t --chmod=755 --chown=root:root /a/bin/errhandle/err /usr/local/lib diff --git a/mail-setup b/mail-setup index f7f1fc5..86464f1 100755 --- a/mail-setup +++ b/mail-setup @@ -1730,7 +1730,7 @@ if [[ $HOSTNAME == bk ]]; then #### begin dl roundcube # note, im r2e subbed to https://github.com/roundcube/roundcubemail/releases.atom - v=1.4.11; f=roundcubemail-$v-complete.tar.gz + v=1.4.13; f=roundcubemail-$v-complete.tar.gz cd /a/opt if [[ -e $f ]]; then timestamp=$(stat -c %Y $f) 
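Review bot: Line 3 of the new iboot script, `[[ $EUID == 0 ]] || exec sudo -E "$script" "$@"`, references `$script`, which is never assigned in the file, so when started as a non-root user it execs `sudo -E "" …` and fails instead of re-executing itself; btrfsmaint in this same commit uses `exec sudo -E "${BASH_SOURCE[0]}" "$@"`, which is the right form here too. `boot_dev=${boot_part%[0-9]*}` removes only the last digit (shortest match), so a partition number of 10 or more produces the wrong device; `boot_dev=$(sed -E 's/[0-9]+$//' <<<"$boot_part")` handles both `sda12` and `nvme0n1p12`. `set -x` a few lines below reads as leftover debugging in a script that mounts and bind-mounts a boot partition; if it is meant to stay, a comment `# tracing on purpose: manual recovery step` makes that explicit. A header comment naming the expected layout (`/boot` mounted, partition 4 holding the `debianbuster_bootstrap` subvolume per partition.DEFAULT) would let a reader check the assumptions before running it.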
@@ -1969,7 +1969,7 @@ EOF m phpenmod -v php mcrypt imap # dpkg says this is required m a2enmod proxy_fcgi setenvif - fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.3-fpm + fpm=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* (php[^ ]*-fpm)( .*|$)/\1/p') # eg: php7.4-fpm phpver=$(dpkg-query -s php-fpm | sed -nr 's/^Depends:.* php([^ ]*)-fpm( .*|$)/\1/p') m a2enconf $fpm # 3 useless guides on php fpm fcgi debian 10 later, i figure out from reading @@ -2242,7 +2242,6 @@ EOF CHECK_RCPT_VERIFY_SENDER = true # default config comment says: If you enable this, you might reject legitimate mail, # but eggs has had this a long time, so that seems unlikely. -CHECK_DATA_VERIFY_HEADER_SYNTAX = true CHECK_RCPT_SPF = true CHECK_RCPT_REVERSE_DNS = true CHECK_MAIL_HELO_ISSUED = true @@ -2372,6 +2371,7 @@ ignore_target_hosts = ${HOSTNAME}wg.b8.nz # note changes here also require change in passwd.client route_list = * eximbackup.b8.nz same_domain_copy_routing = yes +errors_to = alerts@iankelling.org no_more EOF @@ -2385,9 +2385,8 @@ backup_remote: .endif hosts_require_auth = * hosts_try_auth = * - return_path = alerts@iankelling.org envelope_to_add - # manual return path because we dont want it to be the envelope sender + # manual return path because we want it to be the envelope sender # we got not the one we are using in this smtp transport headers_add = "Return-path: $sender_address" .ifdef REMOTE_SMTP_SMARTHOST_HOSTS_AVOID_TLS @@ -2425,10 +2424,10 @@ EOF # this avoids some error. i cant remember what. todo: # test it out and document why/if its needed. - i /etc/exim4/host_local_deny_exceptions <<'EOF' -mail.fsf.org -*.posteo.de -EOF +# i /etc/exim4/host_local_deny_exceptions <<'EOF' +# mail.fsf.org +# *.posteo.de +# EOF # cron email from smarthost hosts will automatically be to # USER@FQDN. I redirect that to alerts@, on the smarthosts, but in 
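Review bot: Dropping `CHECK_DATA_VERIFY_HEADER_SYNTAX = true` from the exim macros in the mail-setup hunk turns off the DATA-time rejection of messages with malformed headers, and the hunk records no reason; since the surrounding comment only discusses the neighbouring check, a line such as `# CHECK_DATA_VERIFY_HEADER_SYNTAX removed: <which legitimate mail it rejected>` should say why the check was loosened. The later hunk that comments out `host_local_deny_exceptions` leaves the old `this avoids some error. i cant remember what.` comment above dead configuration; either delete the block or note why it is kept. `errors_to = alerts@iankelling.org` on the backup router together with the removed `return_path` on `backup_remote` means bounce address and envelope sender are now set in different places, so a one-line cross-reference comment between the two would save the next reader a search.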
@@ -2630,7 +2629,10 @@ EOF echo | /a/exe/cedit nn /etc/hosts || [[ $? == 1 ]] echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]] + if $bhost_t; then + install -d /bu + install -d -g $u -o $u -m 771 /bu/md i /etc/exim4/conf.d/transport/30_backup_maildir <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/update-exim4.conf.conf <>/etc/exim4/conf.d/main/000_local-nn <<'EOF' +# spool_directory = /var/spool/myexim4 +# EOF cat >>/etc/myexim4/update-exim4.conf.conf <<'EOF' dc_eximconfig_configtype='smarthost' dc_smarthost='nn.b8.nz' @@ -2906,7 +2916,7 @@ EOF test_to="testignore@expertpathologyreview.com, testignore@je.b8.nz, testignore@amnimal.ninja, jtuttle@gnu.org" cat >>/etc/cron.d/mailtest <