From: Ian Kelling <iank@fsf.org>
Date: Sun, 5 Nov 2017 18:14:46 +0000 (-0500)
Subject: lots of updates, things working
X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=commitdiff_plain;h=86ebcd0416223ded297f6cbbcb0906b85793e359

lots of updates, things working
---

diff --git a/disabled/README b/disabled/README
new file mode 100644
index 0000000..5fc6ca7
--- /dev/null
+++ b/disabled/README
@@ -0,0 +1,2 @@
+Things I stopped using and will become broken over time, but better to
+have here than just in git history.
diff --git a/disabled/kodi-setup b/disabled/kodi-setup
new file mode 100644
index 0000000..004acac
--- /dev/null
+++ b/disabled/kodi-setup
@@ -0,0 +1,73 @@
+#!/bin/bash -l
+
+# this is from distro-end
+
+pi kodi
+
+# based on https://wiki.debian.org/SecuringNFS
+# but the quota stuff is either outdated or optional,
+# i guessed that it was not needed and it worked fine.
+s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
+fs.nfs.nfs_callback_tcpport = 32764
+fs.nfs.nlm_tcpport = 32768
+fs.nfs.nlm_udpport = 32768
+EOF
+s sysctl --system
+s $sed -ri -f - /etc/default/nfs-common <<'EOF'
+/^\s*STATDOPTS=/d
+$a STATDOPTS="--port 32765 --outgoing-port 32766"
+EOF
+
+s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
+/^\s*RPCMOUNTDOPTS=/d
+$a RPCMOUNTDOPTS="--manage-gids --port 32767"
+EOF
+ser restart nfs-kernel-server
+
+if [[ $HOSTNAME == treetowl ]]; then
+    # persistent one time steps for webdav:
+    # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
+    # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
+    # htpasswd -c /p/c/filesystem/etc/davpass dav
+    # chmod 640 /p/c/filesystem/etc/davpass
+    # in conflink, set group to www-data.
+    # In kodi, i set the music source, server address: my domain,
+    # path: k/music. Then copied the file
+    # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
+    s a2enmod dav dav_fs
+    web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
+<Directory /a/c/playlists>
+    DAV On
+  AuthType Basic
+  AuthName "Authentication Required"
+  AuthUserFile "/etc/davpass"
+  Require valid-user
+
+# outside the standard /var/www, so use this:
+  Order allow,deny
+  Allow from all
+</Directory>
+EOF
+    s mkdir -p /var/www/davlock
+    s chown www-data:www-data /var/www/davlock
+    s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
+    ser reload apache2
+
+    teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
+    exportfs -ra
+
+    # kodi uses sqlite by default, but supports mysql.
+    pi mariadb-server
+
+    # see ofswiki.org for explanation.
+    dbpass="$(cat /p/mysql-root-pass)"
+    if ! echo exit|mysql -uroot "-p$dbpass"; then
+        echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
+    fi
+    mysql -uroot "-p$dbpass" <<EOF
+GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
+EOF
+    s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
+    ser restart mariadb
+
+fi
diff --git a/phabricator-setup b/disabled/phabricator-setup
similarity index 100%
rename from phabricator-setup
rename to disabled/phabricator-setup
diff --git a/disabled/samba-setup b/disabled/samba-setup
new file mode 100644
index 0000000..2932fa3
--- /dev/null
+++ b/disabled/samba-setup
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+# this is from distro-end
+
+if [[ $HOSTNAME == treetowl ]]; then
+    pi samba
+    # note samba re-reads it\'s config every 1 minute
+    case $distro in
+        arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
+    esac
+
+    # add 2 lines after workgroup option
+    s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
+    s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
+    s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/'  /etc/samba/smb.conf
+    # remove default homes section. not sharing that.
+    s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf
+
+    if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
+        s tee -a /etc/samba/smb.conf <<'EOF'
+[public]
+      guest ok = yes
+      read only = no
+      path = /kr
+EOF
+    fi
+
+    case $distro in
+        debian|trisquel|ubuntu)
+            # systemd claims it generates units from /etc/init.d, but it
+            # clearly doesn\'t in debian. I have no idea how they are
+            # related. fuck debian right now. It\'s not documented.  samba
+            # has a systemd init file linked to /dev/null.  There\'s this
+            # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
+            # claims samba\'s sub-services will be started automatically by
+            # systemd... it didn\'t on install, wonder if it will on
+            # boot. It clued me in how to start it manually though. Nothing
+            # in /usr/share/doc/samba, debian admin guide says nothing about
+            # any of this. (this is in debian testing as of 4/2016).
+
+            s /etc/init.d/samba start
+            ;;
+        arch)
+            sgo samba
+            ;;
+    esac
+fi
diff --git a/distro-begin b/distro-begin
index 9ef6891..0e61f2b 100755
--- a/distro-begin
+++ b/distro-begin
@@ -175,10 +175,8 @@ case $distro in
         ;;
 esac
 
-if linode; then
-    sudo $sed -i '/^127\.0\.1\.1/d' /etc/hosts
-    echo "127.0.1.1 $HOSTNAME.b8.nz $HOSTNAME" | sudo tee -a /etc/hosts
-fi
+sudo $sed -i '/^127\.0\.1\.1/d' /etc/hosts
+echo "127.0.1.1 $HOSTNAME.b8.nz $HOSTNAME" | sudo tee -a /etc/hosts
 
 
 if [[ $EUID == 0 ]]; then
@@ -331,14 +329,16 @@ Pin-Priority: 500
 EOF
             fi
         fi
-        # for hosts which require nonfree drivers
-        # i previously had extra packages listed here linux-image-amd64
-        # firmware-linux-free linux-headers-amd64, but I
-        # don\'t see any reason why. seems to work in testing without.
-        # remove this note if it continues to work.
-        p=firmware-linux-nonfree
-        if apt-cache show $p &>/dev/null; then
-            pi $p
+        # # no hosts have nonfree firmware anymore, yay. but leaving commented,
+        # # as i might run into one for a little while still.
+        # p=firmware-linux-nonfree
+        # if apt-cache show $p &>/dev/null; then
+        #     pi $p
+        # fi
+        ;;&
+    trisquel|ubuntu)
+        if has_x; then
+            pi abrowser
         fi
         ;;&
     trisquel|ubuntu|debian)
@@ -693,14 +693,16 @@ fi
 # E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
 # E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?
 sleep 1
+# todo: this is not idempotent, it fails when running twice, due to prepopulated values.
+# check into unsetting them using debconf-set-selection.
 s apt-get -y install --no-install-recommends expect
-s expect <<EOF
+s expect <<EOF ||:
 set force_conservative 0
 spawn dpkg-reconfigure tzdata -freadline
 expect -nocase timeout {exit 1} "Geographic area:"
-send "12\r"
+send "\02512\r"
 expect -nocase timeout {exit 1} "Time zone:"
-send "5\r"
+send "\0255\r"
 expect eof
 exit
 EOF
diff --git a/distro-end b/distro-end
index 5a7dd92..973dc85 100755
--- a/distro-end
+++ b/distro-end
@@ -22,8 +22,9 @@ echo "$0: $(date): starting now)"
 
 src="${BASH_SOURCE%/*}"
 
+# see example of usage to understand.
 end_msg() {
-    =    local y
+    local y
     IFS= read -r -d '' y  ||:
     end_msg_var+="$y"
 }
@@ -42,9 +43,11 @@ case $distro in
 esac
 
 pup
+pi aptitude
 
 simple_packages=(
     htop
+    iptables
     mailutils
     nmon
     rdiff-backup
@@ -53,6 +56,7 @@ simple_packages=(
     tree
     vim
     wcd
+    wget
 )
 
 case $HOSTNAME in
@@ -74,10 +78,8 @@ case $HOSTNAME in
             beets-doc
             binutils-doc
             bind9-doc
-            bind9-utils
+            bind9utils
             bwm-ng
-            chromium
-            cpio-doc
             cloc
             cpulimit
             cron
@@ -104,7 +106,6 @@ case $HOSTNAME in
             glibc-doc
             goaccess
             gnome-screenshot
-            gnome-session-flashback
             guvcview
             i3lock
             inetutils-traceroute
@@ -119,14 +120,17 @@ case $HOSTNAME in
             make-doc
             manpages
             manpages-dev
+            mb2md
             meld
             mps-youtube
             mumble
             nagstamon
+            ncdu
             nginx-doc
             nmap
             offlineimap
             oathtool
+            opendkim-tools
             p7zip
             paprefs
             parted-doc
@@ -162,12 +166,6 @@ esac
 ########### begin section including li ################
 
 
-case $distro in
-    fedora) spa unrar ;;
-    *) spa unrar-free ;;
-esac
-
-
 case $distro in
     arch)
         # ubuntu 14.04 uses b-cron,
@@ -181,10 +179,6 @@ case $distro in
 esac
 
 
-if isdeb; then
-    pi debian-goodies
-fi
-
 
 case $distro in
     *) pi at ;;&
@@ -206,12 +200,12 @@ esac
 
 case $distro in
     arch) spa the_silver_searcher ;;
-    debian|ubuntu|trisquel) spa silversearcher-ag ;;
+    debian|trisquel|ubuntu) spa silversearcher-ag ;;
     # fedora unknown
 esac
 
 case $distro in
-    debian|ubuntu|trisquel) spa ntp;;
+    debian|trisquel|ubuntu) spa ntp;;
     arch)
         pi ntp
         sgo ntpd
@@ -222,7 +216,7 @@ esac
 
 # no equivalent in other distros:
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi aptitude
         if ! dpkg -s apt-file &>/dev/null; then
             # this condition is just a speed optimization
@@ -234,14 +228,9 @@ case $distro in
         ;;
 esac
 
-case $distro in
-    ubuntu|trisquel|debian) spa ack-grep ;;
-    arch|fedora) spa ack ;;
-    # fedora unknown
-esac
 
 case $distro in
-    arch|debian|ubuntu|trisquel)
+    arch|debian|trisquel|ubuntu)
         spa bash-completion
         ;;
     # others unknown
@@ -265,7 +254,7 @@ case $distro in
             s update-rc.d motd disable
         fi
         ;;
-    ubuntu|trisquel)
+    trisquel|ubuntu)
         # this isn't a complete solution. It still shows me when updates are available,
         # but it's no big deal.
         s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
@@ -289,16 +278,20 @@ simple_packages=()
 
 
 ### begin docker install ####
-# https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
-pi  software-properties-common apt-transport-https
-curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
-sudo add-apt-repository \
-     "deb [arch=amd64] https://download.docker.com/linux/debian \
-         $(lsb_release -cs) \
+
+if isdeb; then
+    # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+    pi  software-properties-common apt-transport-https
+    curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
+    sudo add-apt-repository \
+         "deb [arch=amd64] https://download.docker.com/linux/$(distro-name-compat) \
+         $(debian-codename-compat) \
          stable"
-p update
-pi docker-ce
-sgo docker
+    p update
+    pi docker-ce
+    sgo docker
+    # other distros unknown
+fi
 ###  end docker install ####
 
 
@@ -322,6 +315,13 @@ EOF
         ser daemon-reload
         sgo certbotmail.timer
 
+        ;;
+    trisquel|ubuntu)
+        # not packaged in xenial or flidas
+        pi software-properties-common
+        s add-apt-repository -y ppa:certbot/certbot
+        p update
+        pi python-certbot-apache
         ;;
     # todo: other distros unknown
 esac
@@ -616,6 +616,55 @@ esac
 
 ########### end section including li/lj ###############
 
+case $distro in
+    debian) spa gnome-session-flashback ;;
+    # flidas is missing dependency gnome-panel. others unknown
+esac
+
+
+
+case $distro in
+    trisquel|ubuntu|debian) spa ack-grep ;;
+    arch|fedora) spa ack ;;
+    # fedora unknown
+esac
+
+
+if isdeb; then
+    spa debian-goodies
+fi
+
+
+case $distro in
+    debian)
+        pi chromium ;;
+    xenial|ubuntu)
+        wget -qO - https://downloads.iridiumbrowser.de/ubuntu/iridium-release-sign-01.pub|sudo apt-key add -
+        cat <<EOF | sudo tee /etc/apt/sources.list.d/iridium-browser.list
+deb [arch=amd64] https://downloads.iridiumbrowser.de/deb/ stable main
+#deb-src https://downloads.iridiumbrowser.de/deb/ stable main
+EOF
+        p update
+        pi iridium-browser
+        ;;
+esac
+
+case $distro in
+    debian)
+        spa cpio-doc ;;
+    # not packaged in flidas. others unknown. gfdl nonfree issue
+esac
+
+
+
+
+case $distro in
+    fedora) spa unrar ;;
+    *) spa unrar-free ;;
+esac
+
+
+
 if [[ $HOSTNAME == treetowl ]]; then
 
     # vpn-server setup via:
@@ -697,7 +746,7 @@ fi
 #########  end  pump.io periodic backup #############
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         # suggests because we want the resolvconf package.
         # todo: check other distros to make sure it\'s installed
         pi-nostart --install-suggests openvpn
@@ -731,7 +780,7 @@ if [[ $HOSTNAME == treetowl ]]; then
     # syncs between comps.
     case $distro in
         arch) pi syncthing ;;
-        ubuntu|trisquel|debian)
+        trisquel|ubuntu|debian)
             # testing has relatively up to date packages
             if ! isdebian-testing; then
                 # based on error when doing apt-get update:
@@ -800,7 +849,7 @@ fi
 
 # no equivalent in other distros:
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         # for gui bug reporting
         spa python-vte
         ;;
@@ -823,7 +872,7 @@ esac
 # in display tab: icon in systray.
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         # it asks if it should make users in it's group capture packets without root,
         # which is arguably more secure than running wireshark as root. default is no,
         # which is what i prefer, since I plan to use tcpdump to input to wireshark.
@@ -834,16 +883,19 @@ esac
 
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian)
         # no recommends because it wanted some other unstable package, something to
         # do with math or something, which I didn't want to deal with.
         p -y --no-install-recommends install python3-send2trash/unstable anki/unstable
         ;;
+    trisquel|ubuntu)
+        pi anki
+        ;;
     # others unknown
 esac
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         # note i had to do this, which is persistent:
         # cd /i/k
         # s chgrp debian-transmission torrents partial-torrents
@@ -865,6 +917,9 @@ EOF
         # plus a simple symlink to the config file which it\'s
         # not worth separating out.
         s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
+        # between comps, the uid can change
+        s chown -R debian-transmission:debian-transmission /i/transmission-daemon /var/lib/transmission-daemon
+        s chown -R debian-transmission:traci /i/k/partial-torrents /i/k/torrents
         #
         # config file documented here, and it\'s the same config
         # for daemon vs client, so it\'s documented in the gui.
@@ -922,6 +977,36 @@ if ! getent passwd debian-transmission > /dev/null; then
             ;;
     esac
 fi
+
+
+# trisquel 8 = openvpn, debian stretch = openvpn-client
+vpn_ser=openvpn-client
+if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
+    vpn_ser=openvpn
+fi
+
+s dd of=/etc/systemd/system/transmission-daemon-nn.service <<EOF
+[Unit]
+Description=Transmission BitTorrent Daemon netns
+After=network.target
+Requires=${vpn_ser}-nn@client.service
+After=${vpn_ser}-nn@client.service
+JoinsNamespaceOf=${vpn_ser}-nn@client.service
+
+[Service]
+#User=debian-transmission
+# notify type doesn't work with sudo
+#Type=notify
+ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/client sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-error
+ExecReload=/bin/kill -s HUP \$MAINPID
+PrivateNetwork=true
+Nice=19
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ser daemon-reload
+
 if [[ $HOSTNAME == frodo ]]; then
     sgo transmission-daemon-nn
 fi
@@ -994,40 +1079,6 @@ case $HOSTNAME in
 esac
 
 
-pi wget
-case $HOSTNAME in
-    tp|frodo)
-        case $distro in
-            debian|ubuntu|trisquel)
-                log=$(mktemp)
-                cd /a/opt
-                wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
-                errallow
-                set -o pipefail
-                s dpkg -i google-chrome-stable_current_amd64.deb |& tee $log
-                code=$?
-                errcatch
-                case $code in
-                    0) : ;;
-                    *)
-                        # previously I had a more specific search, but dpkg
-                        # changed it\'s output as of 7/2016
-                        if grep 'dependency problems' \
-                                $log &>/dev/null; then
-                            s apt-get -fy install
-                        else
-                            exit 1
-                        fi
-                        ;;
-                esac
-                ;;
-            arch)
-                pi google-chrome
-                ;;
-        esac
-        ;;
-esac
-
 # printer
 case $distro in
     arch)
@@ -1040,7 +1091,7 @@ case $distro in
         # In debian, I could use hte recommended driver,
         # in arch, I had to pick out the 6L driver.
         ;;
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         spa hplip
         ;;
     # other distros unknown
@@ -1048,39 +1099,25 @@ esac
 
 
 case $distro in
-    ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
+    trisquel|ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
     fedora|arch) spa mairix notmuch ;;
 esac
 case $distro in
     arch) spa nfs-utils ;;
-    ubuntu|debian) spa nfs-client ;;
+    trisquel|ubuntu|debian) spa nfs-client ;;
 esac
 case $distro in
-    ubuntu|debian) spa par2 ;;
+    trisquel|ubuntu|debian) spa par2 ;;
     arch|fedora) spa par2cmdline ;;
 esac
 
 # needed for my tex resume
 case $distro in
-    ubuntu|debian) spa texlive-full ;;
+    trisquel|ubuntu|debian) spa texlive-full ;;
     arch) spa texlive-most ;;
     # fedora unknown
 esac
 
-case $distro in
-    ubuntu)
-        # flash, unrar, codecs, ms fonts.
-        # This has a manual prompt.
-        spa ubuntu-restricted-extras
-        ;;
-    fedora)
-        pi yum-utils
-        # rpm fusion recommended codecs
-        s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
-        pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
-           xine-lib-extras-freeworld
-        ;;
-esac
 
 case $distro in
     # optional dep for firefox for h.264 video
@@ -1089,7 +1126,7 @@ case $distro in
 esac
 
 case $distro in
-    fedora|ubuntu|trisquel|debian) spa gnupg-agent ;;
+    fedora|trisquel|ubuntu|debian) spa gnupg-agent ;;
     arch) : ;;
 esac
 
@@ -1107,20 +1144,20 @@ esac
 
 case $distro in
     arch) spa ttf-dejavu;;
-    debian|ubuntu|trisquel) spa fonts-dejavu ;;
+    debian|trisquel|ubuntu) spa fonts-dejavu ;;
     # others unknown
 esac
 
 
 case $distro in
     arch) spa xorg-xev;;
-    debian|ubuntu|trisquel) spa x11-utils ;;
+    debian|trisquel|ubuntu) spa x11-utils ;;
     # others unknown
 esac
 
 case $distro in
     arch) pi virt-install;;&
-    debian|ubuntu|trisquel) pi virtinst ;;&
+    debian|trisquel|ubuntu) pi virtinst ;;&
     *) pi virt-manager ;; # creates the libvirt group in debian at least
     # others unknown
 esac
@@ -1140,20 +1177,20 @@ for x in iank traci; do s usermod -a -G libvirt,kvm $x; done
 
 case $distro in
     arch) spa cdrkit;;
-    debian|ubuntu|trisquel) spa genisoimage;;
+    debian|trisquel|ubuntu) spa genisoimage;;
     # others unknown
 esac
 
 case $distro in
     arch) spa spice-gtk3 ;;
-    debian|ubuntu|trisquel) spa spice-client-gtk;;
+    debian|trisquel|ubuntu) spa spice-client-gtk;;
     # others unknown
 esac
 
 # general known for debian/ubuntu, not for fedora
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi golang-go
         # a bit of googling, and added settings to bashrc
         go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
@@ -1199,7 +1236,7 @@ esac
 
 
 case $distro in
-    arch|debian|ubuntu|trisquel) spa pumpa ;;
+    arch|debian|trisquel|ubuntu) spa pumpa ;;
     # others unknown. do have a buildscript:
     # /a/bin/buildscripts/pumpa ;;
 esac
@@ -1207,112 +1244,118 @@ esac
 
 case $distro in
     debian) pi adb ;;
-    debian|ubuntu|trisquel) spa android-tools-adbd/unstable ;;
+    debian|trisquel|ubuntu) spa android-tools-adbd ;;
+    # todo: not sure this is needed anymore, or if trisqel etc works even
+#    debian) spa android-tools-adbd/unstable ;;
     arch) spa android-tools ;;
     # other distros unknown
 esac
 
 if [[ $HOSTNAME == treetowl ]]; then
-    case $distro in
-        debian)
-            if [[ `debian-archive`  == testing ]]; then
-                # has no unstable dependencies
-                pi bitcoind/unstable
-                src=/a/opt/bitcoin/contrib/init/bitcoind.service
-                s cp $src /etc/systemd/system
-                p=/etc/bitcoin/bitcoin
-                dst=/etc/systemd/system/bitcoinjm.service
-                # jm for joinmarket
-                $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \
-                     >/etc/systemd/system/bitcoinjm.service
-
-                d=jm; jm=d # being clever for succinctness
-                for s in d jm; do
-                    s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
-                      /etc/systemd/system/bitcoin${s}.service
-                done
-
-                ser daemon-reload
-
-                dir=/nocow/.bitcoin
-                s mkdir -p $dir
-                s chown -R bitcoin:bitcoin $dir
-                dir=/etc/bitcoin
-                s mkdir -p $dir
-                s chown -R root:bitcoin $dir
-                s chmod 750 $dir
-
-                # pruning decreases the bitcoin dir to 2 gb, keeps
-                # just the recent blocks. can\'t do a few things like
-                # import a wallet dump.
-                # pruning works, but people had to do
-                # some manual stuff in joinmarket. I dun need the
-                # disk space, so not bothering yet, maybe in a year or so.
-                # https://github.com/JoinMarket-Org/joinmarket/issues/431
-                #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
-                #prune=550
-
-                f=$dir/bitcoin.conf
-                s dd of=$f <<EOF
-server=1
-# necessary for joinmarket, not bad in general
-rpcpassword=$(openssl rand -base64 32)
-rpcuser=$(openssl rand -base64 32)
-EOF
-
-                # dunno about sharing a wallet between multiple instances
-                # manually did, wallet.dat symlinked in /nocow/.bitcoin
-                sgo bitcoind
-            fi
-            ;;
-        # other distros unknown
-    esac
-
-#     ## disabling joinmarket, its too expensive
-#     ### begin joinmarket setup ###
-
-#     case $distro in
-#         debian)
-#             f=$dir/bitcoin.conf
-#             f2=$dir/bitcoinjm.conf
-#             s cp $f $f2
-#             s tee -a $f2 >/dev/null <<EOF
-# # Joinmarket
-# walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
-# alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
-# wallet=joinmarket.dat
-# EOF
-
-#             ;;
-#         # other distros unknown
-#     esac
-
-#     pi libsodium-dev python-pip
-#     cd /a/opt/joinmarket
-#     # using develop branch, as it seems to be mostly bug fixes,
-#     # and this is quite new software.
-#     # note: python3 does not work.
-#     # has seg fault error due to some bug, but it still works
-#     pip install -r requirements.txt || [[ $? == 139 ]]
-#     # note, the target must exist ahead of time, or bitcoin
-#     # just overwrites the link, and it\'s not happy with an empty file,
-#     # so we have to create the wallet, then move and link it.
-#     s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
-#     s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
-#     # not technically needed, but seems cleaner not to have
-#     # symlinks be root owned unlike everything else
-#     s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
-
-#     for var in rpcuser rpcpassword; do
-#         u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
-#         # escape backslashes
-#         u="${u//\\/\\\\\\\\}"
-#         # escape commas
-#         u="${u//,/\\,}"
-#         sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
-#     done
-#     sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
-#     ### end joinmarket setup ###
+    :
+    ## bitcoin disabled. fees too high
+    #     case $distro in
+    #         debian)
+    #             if [[ `debian-archive`  == testing ]]; then
+    #                 # has no unstable dependencies
+    #                 pi bitcoind/unstable
+    #                 src=/a/opt/bitcoin/contrib/init/bitcoind.service
+    #                 s cp $src /etc/systemd/system
+    #                 p=/etc/bitcoin/bitcoin
+    #                 dst=/etc/systemd/system/bitcoinjm.service
+    #                 # jm for joinmarket
+    #                 $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \
+        #                      >/etc/systemd/system/bitcoinjm.service
+
+    #                 d=jm; jm=d # being clever for succinctness
+    #                 for s in d jm; do
+    #                     s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
+        #                       /etc/systemd/system/bitcoin${s}.service
+    #                 done
+
+    #                 ser daemon-reload
+
+    #                 dir=/nocow/.bitcoin
+    #                 s mkdir -p $dir
+    #                 s chown -R bitcoin:bitcoin $dir
+    #                 dir=/etc/bitcoin
+    #                 s mkdir -p $dir
+    #                 s chown -R root:bitcoin $dir
+    #                 s chmod 750 $dir
+
+    #                 # pruning decreases the bitcoin dir to 2 gb, keeps
+    #                 # just the recent blocks. can\'t do a few things like
+    #                 # import a wallet dump.
+    #                 # pruning works, but people had to do
+    #                 # some manual stuff in joinmarket. I dun need the
+    #                 # disk space, so not bothering yet, maybe in a year or so.
+    #                 # https://github.com/JoinMarket-Org/joinmarket/issues/431
+    #                 #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
+    #                 #prune=550
+
+    #                 f=$dir/bitcoin.conf
+    #                 s dd of=$f <<EOF
+    # server=1
+    # # necessary for joinmarket, not bad in general
+    # rpcpassword=$(openssl rand -base64 32)
+    # rpcuser=$(openssl rand -base64 32)
+    # EOF
+
+    #                 # dunno about sharing a wallet between multiple instances
+    #                 # manually did, wallet.dat symlinked in /nocow/.bitcoin
+    #                 sgo bitcoind
+    #             fi
+    #             ;;
+    #         # other distros unknown
+    #     esac
+
+
+
+    #     ## disabling joinmarket, its too expensive
+    #     ### begin joinmarket setup ###
+
+    #     case $distro in
+    #         debian)
+    #             f=$dir/bitcoin.conf
+    #             f2=$dir/bitcoinjm.conf
+    #             s cp $f $f2
+    #             s tee -a $f2 >/dev/null <<EOF
+    # # Joinmarket
+    # walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
+    # alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
+    # wallet=joinmarket.dat
+    # EOF
+
+    #             ;;
+    #         # other distros unknown
+    #     esac
+
+    #     pi libsodium-dev python-pip
+    #     cd /a/opt/joinmarket
+    #     # using develop branch, as it seems to be mostly bug fixes,
+    #     # and this is quite new software.
+    #     # note: python3 does not work.
+    #     # has seg fault error due to some bug, but it still works
+    #     pip install -r requirements.txt || [[ $? == 139 ]]
+    #     # note, the target must exist ahead of time, or bitcoin
+    #     # just overwrites the link, and it\'s not happy with an empty file,
+    #     # so we have to create the wallet, then move and link it.
+    #     s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
+    #     s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
+    #     # not technically needed, but seems cleaner not to have
+    #     # symlinks be root owned unlike everything else
+    #     s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
+
+    #     for var in rpcuser rpcpassword; do
+    #         u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
+    #         # escape backslashes
+    #         u="${u//\\/\\\\\\\\}"
+    #         # escape commas
+    #         u="${u//,/\\,}"
+    #         sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
+    #     done
+    #     sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
+    #     ### end joinmarket setup ###
 
 
 fi
@@ -1321,9 +1364,9 @@ fi
 case $distro in
     fedora)
         cd $(mktemp -d)
-        wget http://tamacom.com/global/global-6.3.2.tar.gz
+        wget ftp://ftp.gnu.org/pub/gnu/global/global-6.5.7.tar.gz
         ex global*
-        cd global-6.3.2
+        cd global-6.5.7
         # based on https://github.com/leoliu/ggtags
         ./configure --with-exuberant-ctags=/usr/bin/ctags
         make
@@ -1336,7 +1379,7 @@ case $distro in
     arch)
         pi  python2-pygments
         ;;
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi python-pygments
         ;;
 esac
@@ -1344,11 +1387,16 @@ esac
 
 case $distro in
     debian)
-        pi task-mate-desktop
+        s eatmydata apt-get -y install --purge --auto-remove task-mate-desktop
         # in settings, change scrolling to two-finger,
         # because the default edge scroll doesn\'t work.
         pu transmission-gtk
         ;;
+    trisquel)
+        # mate-indicator-applet and beyond are msc things I noticed diffing a
+        # standard install with mine.
+        s eatmydata apt-get -y install --purge --auto-remove xorg lightdm mate-desktop-environment mate-desktop-environment-extras mate-indicator-applet anacron
+        ;;
     # others unknown
 esac
 
@@ -1447,14 +1495,17 @@ fi
 
 
 ### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
-pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus
+pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus libappindicator3-dev
 cd /a/opt/indicator-kdeconnect
 mkdir -p build
 cd build
 cmake .. -DCMAKE_INSTALL_PREFIX=/usr
 make
 sudo make install
-
+# we can start it manually with /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
+# it seems, according to
+# /etc/xdg/autostart/kdeconnectd.desktop
+# I'm not seeing the icon, but the clipboard replication is working
 
 ######### end misc packages #########
 
@@ -1499,6 +1550,12 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
 
 ########### misc stuff
 
+# stop autopoping windows when i plug in an android phone.
+# dbus-launch makes this work within an ssh connection, otherwise you get this message,
+# with still 0 exit code.
+# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
+dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
+
 devs=()
 for dev in $(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p'); do
     devs+=($(devbyid $dev),)
@@ -1507,7 +1564,7 @@ devs[-1]=${devs[-1]%,} # jonied by commas
 
 # on grub upgrade, we get prompts unless we do this
 s debconf-set-selections <<EOF
-grub-pc	grub-pc/install_devices	multiselect ${devs[*]}
+grub-pc grub-pc/install_devices multiselect ${devs[*]}
 EOF
 
 
@@ -1532,26 +1589,15 @@ EOF
 
 
 case $distro in
-    debian|ubuntu|trisquel)
-        case `debian-archive` in
-            stable)
-                s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
-Explanation: Allow unison-gtk to be upgraded
-Package: unison-gtk
-Pin: release a=testing
-Pin-Priority: 500
-EOF
-                # dont think using testing is needed since I figured out how to
-                # deal with mismatching unison compilers, but I dont
-                # see any reason to revert it, since it only installs
-                # a single package which is primarily a single binary
-                ;;
-        esac
-        pi unison/testing
-        pi unison-gtk/testing # after to make it the default unison
+    trisquel|ubuntu|debian)
+        # unison-gtk second, i want it to be default, not sure if that works
+        # with spa. note, I used to install from testing repo when using stable,
+        # but it shouldn't be needed since I wrote a script to handle mismatching
+        # compilers.
+        spa unison unison-gtk
         ;;
     arch)
-        pi unison gtk2
+        spa unison gtk2
         ;;
 esac
 
@@ -1568,7 +1614,7 @@ esac
 #
 # # disabled due to my patch being in btrbk
 # case $distro in
-#     arch|debian|ubuntu|trisquel) pi btrbk ;;
+#     arch|debian|trisquel|ubuntu) pi btrbk ;;
 #     # others unknown
 # esac
 cd /a/opt/btrbk
@@ -1585,7 +1631,7 @@ fi
 
 
 case $distro in
-    debian|ubuntu|trisquel) s gpasswd -a iank adm ;; #needed for reading logs
+    debian|trisquel|ubuntu) s gpasswd -a iank adm ;; #needed for reading logs
 esac
 
 # tor
@@ -1663,7 +1709,7 @@ EOF
         pi nfs-utils
         sgo nfs-server
         ;;
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi nfs-server
         ;;
     arch)
@@ -1675,81 +1721,9 @@ EOF
 esac
 
 
-########### begin kodi setup ############
-pi kodi
 
-# based on https://wiki.debian.org/SecuringNFS
-# but the quota stuff is either outdated or optional,
-# i guessed that it was not needed and it worked fine.
-s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
-fs.nfs.nfs_callback_tcpport = 32764
-fs.nfs.nlm_tcpport = 32768
-fs.nfs.nlm_udpport = 32768
-EOF
-s sysctl --system
-s $sed -ri -f - /etc/default/nfs-common <<'EOF'
-/^\s*STATDOPTS=/d
-$a STATDOPTS="--port 32765 --outgoing-port 32766"
-EOF
-
-s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
-/^\s*RPCMOUNTDOPTS=/d
-$a RPCMOUNTDOPTS="--manage-gids --port 32767"
-EOF
-ser restart nfs-kernel-server
 
-if [[ $HOSTNAME == treetowl ]]; then
-    # persistent one time steps for webdav:
-    # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
-    # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
-    # htpasswd -c /p/c/filesystem/etc/davpass dav
-    # chmod 640 /p/c/filesystem/etc/davpass
-    # in conflink, set group to www-data.
-    # In kodi, i set the music source, server address: my domain,
-    # path: k/music. Then copied the file
-    # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
-    s a2enmod dav dav_fs
-    web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
-<Directory /a/c/playlists>
-    DAV On
-  AuthType Basic
-  AuthName "Authentication Required"
-  AuthUserFile "/etc/davpass"
-  Require valid-user
-
-# outside the standard /var/www, so use this:
-  Order allow,deny
-  Allow from all
-</Directory>
-EOF
-    s mkdir -p /var/www/davlock
-    s chown www-data:www-data /var/www/davlock
-    s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
-    ser reload apache2
-
-    teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
-    exportfs -ra
-
-    # kodi uses sqlite by default, but supports mysql.
-    pi mariadb-server
-
-    # see ofswiki.org for explanation.
-    dbpass="$(cat /p/mysql-root-pass)"
-    if ! echo exit|mysql -uroot "-p$dbpass"; then
-        echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
-    fi
-    mysql -uroot "-p$dbpass" <<EOF
-GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
-EOF
-    s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
-    ser restart mariadb
-
-fi
-
-###########  end kodi setup ############
-
-
-if [[ $HOSTNAME == treetowl ]]; then
+if [[ $HOSTNAME == frodo ]]; then
     # nohide = export filesystems mounted deeper than the export point
     # fsid=0 makes this export the "root" export
     # not documented in the man page, but this means
@@ -1766,114 +1740,17 @@ e "$end_msg_var"
 
 
 # persistent virtual machines
-
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi libosinfo-bin;
         ;;
 esac
+# if I was going to create a persistent vm, i might do it like this:
+# variant=something  # from: virt-install --os-variant list
+# s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
+    #   --disk=/a/images/some_name.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
+    #   -n some_name --import --os-variant $variant --cpu host-model-only
 
-# distro may not know about win 10 yet.
-variant=win7
-if ! virt-install --os-variant list &>/dev/null; then # we are using a newer virt-install
-    for v in 10 8.1 8; do
-        if osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null; then
-            variant=win$v
-            break
-        fi
-    done
-fi
-
-if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then
-
-    # created account with
-    # win10vmian@outlook.com, and easy to remember password
-    # win 10 virtio, makes disk way way way faster
-    # wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
-    # https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
-    # for installing virtio after initial install instead of with initial iso:
-    # qemu-img create -f qcow2 fake.qcow2 1G
-    #    --disk=/a/images/virtio-win.iso,device=cdrom \
-        #          --disk=/a/images/fake.qcow2,bus=virtio
-    #  Also,
-    #   went to device manager, saw 2 pci devices with yellow !,
-    #   did search for drivers, pick  cdrom location, done.
-    #
-    # from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
-    # google said there was a control panel option for it, but
-    # that turned out to be a lie.
-    # Put this in a .bat file and run as administrator to turn off
-    # hyberboot which fucks things up.
-    # REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
-    # power settings, turn off display: never
-    # run "control userpasswords2", turn on automatic login.
-    # note: when changing devices, I just undefine, the create the vm again.
-
-    if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
-        s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
-          --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
-          -n win10 --import --os-variant $variant --cpu host-model-only
-
-        s virsh destroy win10
-    fi
-
-    if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
-        # this one hasn\'t had the virtio fix done yet.
-        s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
-          --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
-          -n win7 --import --os-variant win7 --cpu host-model-only
-        s virsh destroy win7
-        # had a problem with --cpu host, so trying out
-        # --cpu host-model-only
-    fi
-fi
-
-
-if [[ $HOSTNAME == treetowl ]]; then
-    pi samba
-    # note samba re-reads it\'s config every 1 minute
-    case $distro in
-        arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
-    esac
-
-    # add 2 lines after workgroup option
-    s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
-    s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
-    s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/'  /etc/samba/smb.conf
-    # remove default homes section. not sharing that.
-    s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf
-
-    if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
-        s tee -a /etc/samba/smb.conf <<'EOF'
-[public]
-      guest ok = yes
-      read only = no
-      path = /kr
-EOF
-    fi
-
-    case $distro in
-        debian|ubuntu|trisquel)
-            # systemd claims it generates units from /etc/init.d, but it
-            # clearly doesn\'t in debian. I have no idea how they are
-            # related. fuck debian right now. It\'s not documented.  samba
-            # has a systemd init file linked to /dev/null.  There\'s this
-            # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
-            # claims samba\'s sub-services will be started automatically by
-            # systemd... it didn\'t on install, wonder if it will on
-            # boot. It clued me in how to start it manually though. Nothing
-            # in /usr/share/doc/samba, debian admin guide says nothing about
-            # any of this. (this is in debian testing as of 4/2016).
-
-            s /etc/init.d/samba start
-            ;;
-        arch)
-            sgo samba
-            ;;
-    esac
-fi
-
-tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)"
 
 
 ######### begin stuff belonging at the end    ##########
diff --git a/mail-route b/mail-route
index e74b177..fdae30a 100755
--- a/mail-route
+++ b/mail-route
@@ -23,6 +23,9 @@ errcatch
 usage() {
     cat <<'EOF'
 Usage: mail-route start|stop|show
+
+Marks tcp packets on port 25 and 143 to be routed through
+a vpn ip.
 EOF
     exit $1
 }
diff --git a/mail-setup b/mail-setup
index 07b87ef..c0035c6 100755
--- a/mail-setup
+++ b/mail-setup
@@ -188,6 +188,7 @@ forward=$u@$mxhost
 relayhost="[$mxhost]:$mxport" # postfix
 smarthost="$mxhost::$mxport" # exim
 
+# trisquel 8 = openvpn, debian stretch = openvpn-client
 vpn_ser=openvpn-client
 if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
     vpn_ser=openvpn
@@ -390,7 +391,7 @@ exim4-config exim4/dc_eximconfig_configtype select internet site; mail is sent a
 # This name won\'t appear on From: lines of outgoing messages if rewriting is enabled.
 
 # System mail name:
-exim4-config exim4/mailname string li.iankelling.org
+exim4-config exim4/mailname string mail.iankelling.org
 
 
 
@@ -408,7 +409,7 @@ exim4-config exim4/mailname string li.iankelling.org
 # Other destinations for which mail is accepted:
 # iank.bid is for testing
 # mail.iankelling.org is for machines i own
-exim4-config exim4/dc_other_hostnames string *.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org
+exim4-config exim4/dc_other_hostnames string *.iankelling.org;iankelling.org;*iank.bid;iank.bid;*zroe.org;zroe.org;*.b8.nz;b8.nz
 
 
 
@@ -484,8 +485,12 @@ DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exi
 # We check if there is a server (A Record) behind your hostname treetowl.
 # You may want to publish a DNS record (A type) for the hostname treetowl or use a different hostname in your mail software
 # https://serverfault.com/questions/46545/how-do-i-change-exim4s-primary-hostname-on-a-debian-box
-# and this one seemed appropriate from grepping config
-MAIN_HARDCODE_PRIMARY_HOSTNAME = li.iankelling.org
+# and this one seemed appropriate from grepping config.
+# I originally set this to li.iankelling.org, but then ended up with errors when li tried to send
+# mail to treetowl, so this should basically be a name that no host has as their
+# canonical hostname since the actual host sits behind a nat and changes.
+# Seems logical for this to be the same as mailname.
+MAIN_HARDCODE_PRIMARY_HOSTNAME = mail.iankelling.org
 
 # normally empty, I set this so I can set the envelope address
 # when doing mail redelivery to invoke filters
@@ -506,6 +511,14 @@ CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl
 # the fix maybe is for all lines? one says gmail rejects, the
 # other says gmail does not reject. figure out and open a new bug.
 IGNORE_SMTP_LINE_LENGTH_LIMIT = true
+
+# most of the ones that gmail seems to use.
+# Exim has horrible default of signing unincluded
+# list- headers since they got mentioned in an
+# rfc, but this messes up mailing lists, like gnu/debian which want to
+# keep your dkim signature intact but add list- headers.
+DKIM_SIGN_HEADERS = mime-version:in-reply-to:references:from:date:subject:to
+
 EOF
 
 
@@ -619,6 +632,9 @@ EOF
         debconf-set-selections <<EOF
 exim4-config exim4/dc_eximconfig_configtype select mail sent by smarthost; no local mail
 exim4-config exim4/dc_smarthost string $smarthost
+# the default, i think is from /etc/mailname. better to set it to
+# whatever the current fqdn is.
+exim4-config exim4/mailname string $(hostname -f)
 EOF
 
     fi # end $HOSTNAME != $MAIL_HOST
diff --git a/mount-latest-subvol b/mount-latest-subvol
index e4c4d6b..1b0a8e2 100644
--- a/mount-latest-subvol
+++ b/mount-latest-subvol
@@ -73,17 +73,25 @@ mnt() {
         e mount $dir
     fi
 }
+fstab() {
+    while read -r start mpoint end; do
+        l="$start $mpoint $end"
+        # kill off any lines that duplicate the mount point.
+        sed --follow-symlinks -ri "\%$l%b;\%^\s*\S+\s+$mpoint\s%d" /etc/fstab
+        tu /etc/fstab <<<"$l"
+    done
+}
 
 ret=0
 
 ##### begin setup fstab for subvols we care about ######
 first_root_crypt=$(awk '$2 == "/" {print $1}' /etc/mtab)
-tu /etc/fstab <<EOF
+fstab <<EOF
 $first_root_crypt  /a  btrfs  noatime,subvol=a  0 0
 EOF
 case $HOSTNAME in
     treetowl|x2|frodo)
-        tu /etc/fstab <<EOF
+        fstab <<EOF
 $first_root_crypt  /q  btrfs  noatime,subvol=q  0 0
 $first_root_crypt  /o  btrfs  noatime,subvol=o  0 0
 /q/p  /p  none  bind  0 0
@@ -92,7 +100,7 @@ EOF
         ;;
 esac
 if [[ $HOSTNAME == frodo ]]; then
-    tu /etc/fstab <<EOF
+    fstab <<EOF
 $first_root_crypt  /i  btrfs  noatime,subvol=i  0 0
 EOF
 fi
@@ -148,7 +156,7 @@ for vol in q a o i; do
             else
                 echo "$0: failed to umount $dir"
                 # lsof will fail if it finds no pids
-                if ! e lsof $dir; then
+                if ! e timeout 4 lsof $dir; then
                     umount_ret=false
                     ret=1
                     continue
diff --git a/radicale-setup b/radicale-setup
index cb27eda..f43553d 100755
--- a/radicale-setup
+++ b/radicale-setup
@@ -31,8 +31,9 @@ After=openvpn-client@mail.service
 [Install]
 RequiredBy=openvpn-client@mail.service
 EOF
+ser daemon-reload # not sure this is needed
 
-pi radicale
+pi-nostart radicale
 
 # I moved /var/lib/radicale after it's initialization.
 # I did a sudo -u radicale git init in the collections subfolder
diff --git a/switch-mail-host b/switch-mail-host
index c74c54a..b795596 100755
--- a/switch-mail-host
+++ b/switch-mail-host
@@ -27,6 +27,7 @@ fi
 
 old_host=$1
 new_host=$2
+source /a/bin/bash_unpublished/source-semi-priv
 
 if [[ $old_host != $MAIL_HOST ]]; then
     read -p "warning: \$old_host != \$MAIL_HOST: $old_host != $MAIL_HOST, proceed? y/N "
diff --git a/switch-primary-host b/switch-primary-host
new file mode 100755
index 0000000..f154975
--- /dev/null
+++ b/switch-primary-host
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+source /a/bin/errhandle/errcatch-function
+source /a/bin/errhandle/bash-trace-function
+errcatch
+
+cd /
+
+old=$1
+new=$HOSTNAME
+
+if [[ ! $old ]]; then
+    echo "$0: error: no \$1 given, should be old host"
+    exit 1
+fi
+
+if ! timeout -s 9 2 ssh $old : ; then
+    echo "$0: error: can't ssh to $old"
+fi
+
+for p in emacs firefox pidgin; do
+    ssh $old killall $p ||:
+done
+
+# note: duplicated in check-subvol-stale
+last_a=$(
+    vol=a
+    for s in /mnt/root/btrbk/$vol.*; do
+        f=${s##*/}
+        unix_time=$(date -d $(sed -r  's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<${f#$vol.}) +%s)
+        printf "%s\n" $unix_time
+    done | sort -r | head -n 1
+      )
+
+if [[ $last_a != [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] ]]; then
+    echo "$0: error: last_a bad value: $last_a"
+    exit 1
+fi
+
+# if last_a is recent enough, skip doing btrbk
+if  (( last_a < $(date +%s) - 60*60 )); then
+    if ! ssh $old btrbk-run -pvt $new; then
+        echo "$0: error: failed btrbk-run"
+        exit 1
+    fi
+fi
+
+switch-mail-host $old $new