From: Ian Kelling Date: Sat, 12 May 2018 18:38:09 +0000 (-0400) Subject: various minor fixes X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=commitdiff_plain;h=b857462732e15f455e41f26e3048a390d7b399c0 various minor fixes --- diff --git a/.gitconfig b/.gitconfig index c4fd69d..f1c2019 100644 --- a/.gitconfig +++ b/.gitconfig @@ -12,9 +12,6 @@ lol = log --graph --decorate --pretty=oneline --abbrev-commit --all [core] excludesfile = ~/.gitignore_global -[github] -user = ian-kelling -token = d2dc0c5c6fef5378cc896a617e53c1a9 [credential] helper = cache @@ -31,9 +28,6 @@ tool = meld [gitreview] username = iank remote = origin -# this is for newer git version. Doesn't work for ubuntu 12.04's version -#[push] -# default = simple [color] ui = auto status = auto diff --git a/.inputrc b/.inputrc index 51d74a7..fba266e 100644 --- a/.inputrc +++ b/.inputrc @@ -42,12 +42,13 @@ set mark-symlinked-directories on # key bindings: -# note c-i/m/h are unusable, duplicating tab, enter, ctrl-del or something +# note c-i/m/h/w are unusable, duplicating tab, enter, ctrl-del or something, backspace # C-x would be hard to rebind because emacs. "\C-q": exchange-point-and-mark # default not bound -"\C-w": kill-region + +"\C-e": kill-region # default M-S-3 "\C-a": insert-comment diff --git a/brc b/brc index 9ec776d..046edbe 100644 --- a/brc +++ b/brc @@ -7,10 +7,7 @@ # trap 'trap ERR' RETURN - -############ -# settings # -############ +# * settings CDPATH=. @@ -109,6 +106,10 @@ if [[ $- == *i* ]]; then bind 'set print-completions-horizontally on' bind '"\C-i": self-insert' else + + # todo: not sure this works in sakura + #stty werase undef + #bind "\C-w": kill-region # sakura == xterm-256color # konsole == xterm if [[ $TERM == "xterm" ]]; then 
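Review bot: Deleting the `[github] token` line from the tracked .gitconfig only removes it from the working tree; the value remains in the repository history and in every clone or mirror of it, so the token should be revoked on the GitHub side and replaced rather than just removed. The X-Git-Url in the commit header suggests this repository is published through gitweb, which makes the exposure concrete rather than hypothetical. Going forward, per-host secrets can be kept out of this file with a git `[include] path = …` pointing at an untracked file (constructed example), or left to the `[credential] helper = cache` mechanism this config already sets up.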
@@ -152,7 +153,7 @@ HISTCONTROL=ignoredups # works in addition to HISTCONTROL to do more flexible things # it could also do the same things as HISTCONTROL and thus replace it, # but meh. dunno why, but just " *" does glob expansion, so use [ ] to avoid it. -HISTIGNORE='pass *:k *:[ ]*' +HISTIGNORE='pass *:k *:[ ]*:lom ' export BC_LINE_LENGTH=0 @@ -163,9 +164,7 @@ export BC_LINE_LENGTH=0 C_DEFAULT_DIR=/a -################### -## include files ### -################### +# * include files for _x in /a/bin/distro-functions/src/* /a/bin/!(githtml)/*-function?(s); do source "$_x" done @@ -182,9 +181,7 @@ _x=/usr/share/wcd/wcd-include.sh if [[ -e $_x ]]; then source $_x; fi -############### -### aliases ### -############### +# * aliases # very few aliases, functions are always preferred. @@ -210,15 +207,7 @@ unalias ls ll grep &>/dev/null ||: - - - - - - -##################### -### functions #### -##################### +# * functions ..() { c ..; } @@ -865,6 +854,11 @@ gdkill() { pk1 emacs --daemon } +# at least in flidas, things rely on gpg being gpg1 +gpg() { + command gpg2 "$@" +} + gse() { git send-email --notes '--envelope-sender=' \ --suppress-cc=self "$@" @@ -876,20 +870,24 @@ gr() { grr() { if [[ ${#@} == 1 ]]; then - grep -riIP --color=auto "$@" . + grep --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" . else - grep -riIP --color=auto "$@" + grep --exclude-dir='*.emacs.d' --exclude-dir='*.git' -riIP --color=auto "$@" fi } hstatus() { # do git status on published repos cd /a/bin/githtml - for x in !(forks) forks/* ian-specific/*; do + do_hr=false + for x in *; do cd `readlink -f $x`/.. - hr - echo $x - i status + status=$(i status -s) || pwd + if [[ $status ]]; then + hr + echo $x + printf "%s\n" "$status" + fi cd /a/bin/githtml done } 
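Review bot: The new `lom ` entry in HISTIGNORE will almost never match, because each HISTIGNORE pattern has to match the complete command line: `lom ` only suppresses the bare line `lom ` with a trailing space, and a real invocation such as `lom /path/to/image` is still written to history. The existing entries carry a trailing `*` for exactly this reason, so the line should read `HISTIGNORE='pass *:k *:[ ]*:lom *'`. Presumably the intent is to keep the paths of LUKS images handed to the new `lom` function out of .bash_history, in which case the current pattern gives no protection.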
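Review bot: `do_hr=false` in the rewritten hstatus loop is assigned but never read, so it should be dropped. The loop also carries on when `cd \`readlink -f $x\`/..` fails, running `i status -s` in whatever directory the shell is left in, and the `|| pwd` on the status line only prints that directory before continuing with an empty `$status`; `cd "$(readlink -f "$x")/.." || continue` would skip such entries explicitly and also quote `$x`, which `echo $x` should do as well.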
@@ -1020,8 +1018,32 @@ l() { lcn() { locate -i "*$**"; } +lt() { ll -tr "$@"; } + lld() { ll -d "$@"; } +lom() { + local l base + if [[ $1 == /* ]]; then + l=$(sudo losetup -f) + sudo losetup $l $1 + base=${1##*/} + if ! sudo cryptsetup luksOpen $l $base; then + sudo losetup -d $l + return 1 + fi + sudo mkdir -p /mnt/$base + sudo mount /dev/mapper/$base /mnt/$base + sudo chown $USER:$USER /mnt/$base + else + base=$1 + sudo umount /mnt/$base + l=$(sudo cryptsetup status /dev/mapper/$base|sed -rn 's/^\s*device:\s*(.*)/\1/p') + sudo cryptsetup luksClose /dev/mapper/$base + sudo losetup -d $l + fi +} + low() { # make filenames lowercase, remove bad chars local f new for f in "$@"; do @@ -1082,6 +1104,7 @@ mbdisable() { set +x } + mdt() { markdown "$1" >/tmp/mdtest.html firefox /tmp/mdtest.html @@ -1103,10 +1126,17 @@ mkdir() { command mkdir -p "$@"; } mo() { xset dpms force off; } # monitor off + +nopanic() { + sudo tee -a /var/log/exim4/paniclog-archive /dev/null; then s chgrp www-data /etc/davpass fi + if [[ -e /var/lib/znc/configs/znc.conf ]] && getent group znc; then + s chown znc:znc /var/lib/znc/configs/znc.conf + fi /a/exe/lnf -T /p/arbtt-capture.log ~/.arbtt/capture.log ##### end special extra stuff ##### - + sudo bash -c 'cd /etc/openvpn; for f in client/*; do ln -sf $f .; done' m sudo -H -u traci "$BASH_SOURCE" ;; diff --git a/distro-end b/distro-end index 8e35839..00827b6 100755 --- a/distro-end +++ b/distro-end @@ -23,12 +23,12 @@ exec &> >(sudo tee -a /var/log/distro-end) echo "$0: $(date): starting now)" # see example of usage to understand. end_msg() { - local y - IFS= read -r -d '' y ||: - end_msg_var+="$y" + local y + IFS= read -r -d '' y ||: + end_msg_var+="$y" } spa() { # simple package add - simple_packages+=($@) + simple_packages+=($@) } distro=$(distro-name) pending_reboot=false @@ -40,7 +40,7 @@ esac #### initial packages pup if isdeb; then - pi aptitude + pi aptitude fi ########### begin section including li ################ 
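Review bot: In the new `lom` function the open branch picks a free loop device with `sudo losetup -f` and attaches it in a second call, so another `losetup -f` run in between can take the same device and the attach then fails or binds the wrong file; `losetup -f --show` allocates and attaches in one call and prints the device name. The expansions `$1`, `$l` and `$base` are unquoted throughout, and if `mount` fails the luksOpen mapping and the loop device are left behind, which the close branch then cannot tidy up because nothing is mounted under `/mnt/$base`. The open branch rewritten below addresses these; the close branch is left as is, though its `sudo umount` result is likewise unchecked before `luksClose` runs.
```shell
lom() {
  local l base
  if [[ $1 == /* ]]; then
    # -f --show allocates and attaches in one call, so no other losetup -f
    # can grab the device between the two steps
    l=$(sudo losetup -f --show -- "$1") || return 1
    base=${1##*/}
    if ! sudo cryptsetup luksOpen "$l" "$base"; then
      sudo losetup -d "$l"
      return 1
    fi
    sudo mkdir -p "/mnt/$base"
    if ! sudo mount "/dev/mapper/$base" "/mnt/$base"; then
      # undo the mapping and loop device so a retry starts clean
      sudo cryptsetup luksClose "/dev/mapper/$base"
      sudo losetup -d "$l"
      return 1
    fi
    sudo chown "$USER:$USER" "/mnt/$base"
  else
    # … unchanged: close branch …
  fi
}
```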
@@ -49,50 +49,50 @@ pi ${p3[@]} $($src/distro-pkgs) conflink case $distro in - arch) sgo cronie ;; + arch) sgo cronie ;; esac case $distro in - arch) sgo atd ;; + arch) sgo atd ;; esac case $distro in - arch) sgo ntpd ;; + arch) sgo ntpd ;; esac # no equivalent in other distros: case $distro in - debian|trisquel|ubuntu) - if ! dpkg -s apt-file &>/dev/null; then - # this condition is just a speed optimization - pi apt-file - s apt-file update - fi - ;; + debian|trisquel|ubuntu) + if ! dpkg -s apt-file &>/dev/null; then + # this condition is just a speed optimization + pi apt-file + s apt-file update + fi + ;; esac # disable motd junk. case $distro in - debian) - # allows me to pipe with ssh -t, and gets rid of spam - # http://forums.debian.net/viewtopic.php?f=5&t=85822 - # i'd rather disable the service than comment the init file - # this says disabling the service, it will still get restarted - # but this script doesn't do anything on restart, so it should be fine - s dd of=/var/run/motd.dynamic if=/dev/null - # stretch doesn't have initscripts pkg installed by default - if [[ $(debian-codename) == jessie ]]; then - s update-rc.d motd disable - fi - ;; - trisquel|ubuntu) - # this isn't a complete solution. It still shows me when updates are available, - # but it's no big deal. - s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header - ;; + debian) + # allows me to pipe with ssh -t, and gets rid of spam + # http://forums.debian.net/viewtopic.php?f=5&t=85822 + # i'd rather disable the service than comment the init file + # this says disabling the service, it will still get restarted + # but this script doesn't do anything on restart, so it should be fine + s dd of=/var/run/motd.dynamic if=/dev/null + # stretch doesn't have initscripts pkg installed by default + if [[ $(debian-codename) == jessie ]]; then + s update-rc.d motd disable + fi + ;; + trisquel|ubuntu) + # this isn't a complete solution. 
It still shows me when updates are available, + # but it's no big deal. + s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header + ;; esac # automatic updates 
@@ -102,56 +102,47 @@ esac # /usr/share/doc/unattended-upgrades# cat README.md # /etc/apt/apt.conf.d/50unattended-upgrades if isdebian; then - setup-debian-auto-update + setup-debian-auto-update fi ### begin docker install #### if isdeb; then - # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description - pi software-properties-common apt-transport-https - curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add - - sudo add-apt-repository \ - "deb [arch=amd64] https://download.docker.com/linux/$(distro-name-compat) \ + # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description + pi software-properties-common apt-transport-https + curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add - + sudo add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/$(distro-name-compat) \ $(debian-codename-compat) \ stable" - p update - pi docker-ce - sgo docker - # other distros unknown + p update + pi docker-ce + sgo docker + # other distros unknown fi ### end docker install #### ### begin certbot install ### case $distro in - debian) - # note, need python-certbot-nginx for nginx, but it depends on nginx, - # and I'm not installing nginx by default right now. - # note python-certbot-apache is in suggests, but so is a doc package that brought in xorg - if [[ $(debian-codename) == jessie ]]; then - pi -t jessie-backports certbot python-certbot-apache - else - pi certbot python-certbot-apache - fi - ;; - trisquel|ubuntu) - # not packaged in xenial or flidas - pi software-properties-common - # this fails with: - # - # gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported - # gpg: Total number processed: 1 - # gpg: imported: 1 - # gpg: no valid OpenPGP data found. - # Failed to add key. - # - # but it seems to work fine, perhaps it's only failing on the second run. 
- s add-apt-repository -y ppa:certbot/certbot ||: - p update - pi python-certbot-apache - ;; - # todo: other distros unknown + debian) + # note, need python-certbot-nginx for nginx, but it depends on nginx, + # and I'm not installing nginx by default right now. + # note python-certbot-apache is in suggests, but so is a doc package that brought in xorg + if [[ $(debian-codename) == jessie ]]; then + pi -t jessie-backports certbot python-certbot-apache + else + pi certbot python-certbot-apache + fi + ;; + trisquel|ubuntu) + # not packaged in xenial or flidas + pi software-properties-common + s add-apt-repository -y ppa:certbot/certbot ||: + p update + pi python-certbot-apache + ;; + # todo: other distros unknown esac # make a version of the certbot timer that emails me. x=/systemd/system/certbot 
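Review bot: The `||:` after `s add-apt-repository -y ppa:certbot/certbot` now runs without explanation, since the comment describing the gpg import failure it was put there for has been dropped in this hunk. A one-line reason such as `# ||: add-apt-repository has returned non-zero on re-runs even though the key imports fine` would stop the suppressed failure from being read as a bug later. With the error swallowed, the following `p update` and `pi python-certbot-apache` are the only indication that the PPA was actually added, which is worth stating next to it.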
@@ -168,52 +159,52 @@ sgo certbotmail.timer # dogcam setup case $HOSTNAME in - lj|li) - /a/bin/webcam/install-server - ;; - kw) - /a/bin/webcam/install-client - ;; + lj|li) + /a/bin/webcam/install-server + ;; + kw) + /a/bin/webcam/install-client + ;; esac # website setup case $HOSTNAME in - lj|li) - case $HOSTNAME in - lj) domain=iank.bid; exit 0 ;; - li) domain=iankelling.org ;; - esac - /a/h/setup.sh $domain - /a/h/build.rb - - sudo -E /a/bin/mediawiki-setup/mw-setup-script - - pi-nostart mumble-server - s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini - - # do certificate to avoid warning about unsigned cert, - # which is overkill for my use, but hey, I'm cool, I know - # how to do this. - web-conf apache2 mumble.iankelling.org - s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org - sudo -i <<'EOF' + lj|li) + case $HOSTNAME in + lj) domain=iank.bid; exit 0 ;; + li) domain=iankelling.org ;; + esac + /a/h/setup.sh $domain + /a/h/build.rb + + sudo -E /a/bin/mediawiki-setup/mw-setup-script + + pi-nostart mumble-server + s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini + + # do certificate to avoid warning about unsigned cert, + # which is overkill for my use, but hey, I'm cool, I know + # how to do this. + web-conf apache2 mumble.iankelling.org + s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org + sudo -i <<'EOF' export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org /a/bin/distro-setup/certbot-renew-hook EOF - sgo mumble-server + sgo mumble-server - vpn-server-setup -rd - s tee /etc/openvpn/client-config/mail <<'EOF' + vpn-server-setup -rd + s tee /etc/openvpn/client-config/mail <<'EOF' ifconfig-push 10.8.0.4 255.255.255.0 EOF - # it\'s strange. docker seems to make the default for forward - # be drop, but then I set it to accept and it\'s stuck that way, - # I dun know why. But, let\'s make sure we can forward anyways. 
- s DEBIAN_FRONTEND=noninteractive pi iptables-persistent - rm /etc/iptables/rules.v6 - s tee /etc/iptables/rules.v4 <<'EOF' + # it\'s strange. docker seems to make the default for forward + # be drop, but then I set it to accept and it\'s stuck that way, + # I dun know why. But, let\'s make sure we can forward anyways. + s DEBIAN_FRONTEND=noninteractive pi iptables-persistent + rm /etc/iptables/rules.v6 + s tee /etc/iptables/rules.v4 <<'EOF' *filter -A FORWARD -i tun+ -o eth0 -j ACCEPT -A FORWARD -i eth0 -o tun+ -j ACCEPT @@ -221,7 +212,7 @@ COMMIT EOF - sudo dd of=/etc/systemd/system/vpnmail.service < @@ -263,18 +254,18 @@ EOF Require valid-user EOF - # nginx version of above would be: - # auth_basic "Not currently available"; - # auth_basic_user_file /etc/nginx/caldav/htpasswd; + # nginx version of above would be: + # auth_basic "Not currently available"; + # auth_basic_user_file /etc/nginx/caldav/htpasswd; - ########## begin pump.io setup ########## + ########## begin pump.io setup ########## - # once pump adds a logrotation script, turn off nologger, - # and add - # "logfile": "/var/log/pumpio/pumpio.log", - # - s dd of=/etc/pump.io.json <<'EOF' + # once pump adds a logrotation script, turn off nologger, + # and add + # "logfile": "/var/log/pumpio/pumpio.log", + # + s dd of=/etc/pump.io.json <<'EOF' { "secret": "SECRET_REPLACE_ME", "driver": "mongodb", 
@@ -298,40 +289,40 @@ EOF "sockjs": false } EOF - s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json - - # stretch node is too old - # https://nodejs.org/en/download/package-manager/ - curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash - - pi nodejs graphicsmagick mongodb - cd /home/iank - if [[ -e pump.io ]]; then - cd pump.io - git pull - else - git clone https://github.com/pump-io/pump.io.git - cd pump.io - fi - # note: doing this or the npm install pump.io as root had problems. - npm install - npm run build - # normally, next command would be - # s npm install -g odb - # but it\'s this until a bug in pump gets fixed - # https://github.com/pump-io/pump.io/issues/1287 - s npm install -g databank-mongodb@0.19.2 - if ! getent passwd pumpio &>/dev/null; then - s useradd -m -s /bin/false pumpio - fi - sudo -u pumpio mkdir -p /home/pumpio/pumpdata - # for testing browser when only listening to localhost, - # in the pump.io.json, set hostname localhost, urlPort 5233 - #ssh -L 5233:localhost:5233 li + s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json + + # stretch node is too old + # https://nodejs.org/en/download/package-manager/ + curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash - + pi nodejs graphicsmagick mongodb + cd /home/iank + if [[ -e pump.io ]]; then + cd pump.io + git pull + else + git clone https://github.com/pump-io/pump.io.git + cd pump.io + fi + # note: doing this or the npm install pump.io as root had problems. + npm install + npm run build + # normally, next command would be + # s npm install -g odb + # but it\'s this until a bug in pump gets fixed + # https://github.com/pump-io/pump.io/issues/1287 + s npm install -g databank-mongodb@0.19.2 + if ! 
getent passwd pumpio &>/dev/null; then + s useradd -m -s /bin/false pumpio + fi + sudo -u pumpio mkdir -p /home/pumpio/pumpdata + # for testing browser when only listening to localhost, + # in the pump.io.json, set hostname localhost, urlPort 5233 + #ssh -L 5233:localhost:5233 li - s mkdir -p /var/log/pumpio/ - s chown pumpio:pumpio /var/log/pumpio/ + s mkdir -p /var/log/pumpio/ + s chown pumpio:pumpio /var/log/pumpio/ - web-conf - apache2 pump.iankelling.org <<'EOF' + web-conf - apache2 pump.iankelling.org <<'EOF' # currently a bug in pump that we cant terminate ssl SSLProxyEngine On ProxyPreserveHost On @@ -347,15 +338,16 @@ EOF EOF - sudo -i <<'EOF' + sudo -i <<'EOF' export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org /a/bin/distro-setup/certbot-renew-hook EOF - s dd of=/etc/systemd/system/pump.service <<'EOF' + s dd of=/etc/systemd/system/pump.service <<'EOF' [Unit] Description=pump.io -After=syslog.target network.target +After=syslog.target network.target mongodb.service +Requires=mongodb.service [Service] Type=simple 
@@ -370,47 +362,47 @@ Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascrip [Install] WantedBy=multi-user.target EOF - ser daemon-reload - sgo pump - ########## end pump.io setup ############ + ser daemon-reload + sgo pump + ########## end pump.io setup ############ - ############# begin setup mastodon ############## + ############# begin setup mastodon ############## - # main doc is Docker-Guide.md in docs repo + # main doc is Docker-Guide.md in docs repo - # I'd like to try gnu social just cuz of gnu, but it's not being - # well maintained, for example, simple pull requests - # languishing: - # https://git.gnu.io/gnu/gnu-social/merge_requests/143 - # and I submitted my own bugs, basic docs are broken - # https://git.gnu.io/gnu/gnu-social/issues/269 + # I'd like to try gnu social just cuz of gnu, but it's not being + # well maintained, for example, simple pull requests + # languishing: + # https://git.gnu.io/gnu/gnu-social/merge_requests/143 + # and I submitted my own bugs, basic docs are broken + # https://git.gnu.io/gnu/gnu-social/issues/269 - # note, docker required, but we installed it earlier + # note, docker required, but we installed it earlier - # i subscrubed to https://github.com/docker/compose/releases.atom - # to see release notes. - # i had some problems upgrading. blew things away with - # docker-compose down - # docker rmi $(docker images -q) - # s reboot now - # when running docker-compose run, kernel stack traces are printed to the journal. - # things seem to succeed, google says nothing, so ignoring them. - curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose - s chmod +x /usr/local/bin/docker-compose + # i subscrubed to https://github.com/docker/compose/releases.atom + # to see release notes. + # i had some problems upgrading. 
blew things away with + # docker-compose down + # docker rmi $(docker images -q) + # s reboot now + # when running docker-compose run, kernel stack traces are printed to the journal. + # things seem to succeed, google says nothing, so ignoring them. + curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose + s chmod +x /usr/local/bin/docker-compose - cd ~ - s rm -rf mastodon - i clone https://github.com/tootsuite/mastodon - cd mastodon - # subbed to atom feed to deal with updates - git checkout $(git tag | grep -v rc | tail -n1) + cd ~ + s rm -rf mastodon + i clone https://github.com/tootsuite/mastodon + cd mastodon + # subbed to atom feed to deal with updates + git checkout $(git tag | grep -v rc | tail -n1) - # per instructions, uncomment redis/postgres persistence in docker-compose.yml - sed -i 's/^#//' docker-compose.yml + # per instructions, uncomment redis/postgres persistence in docker-compose.yml + sed -i 's/^#//' docker-compose.yml - cat >.env.production <<'EOF' + cat >.env.production <<'EOF' REDIS_HOST=redis REDIS_PORT=6379 DB_HOST=db 
@@ -432,46 +424,46 @@ SMTP_DOMAIN=mast.iankelling.org SMTP_DELIVERY_METHOD=smtp EOF - for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do - # 1 minute 7 seconds to run this docker command - # to generate a secret, and it has ^M chars at the end. wtf. really dumb - printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production - done - found=false - while read -r domain port pass; do - if [[ $domain == mail.iankelling.org ]]; then - found=true - # remove the username part - pass="${pass#*:}" - printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production - break - fi - done < <(s cat /etc/mailpass) - if ! $found; then - echo "$0: error, failed to find mailpass domain for mastadon" - exit 1 - fi + for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do + # 1 minute 7 seconds to run this docker command + # to generate a secret, and it has ^M chars at the end. wtf. really dumb + printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production + done + found=false + while read -r domain port pass; do + if [[ $domain == mail.iankelling.org ]]; then + found=true + # remove the username part + pass="${pass#*:}" + printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production + break + fi + done < <(s cat /etc/mailpass) + if ! $found; then + echo "$0: error, failed to find mailpass domain for mastadon" + exit 1 + fi - # docker compose makes an interface named like br-8f3e208558f2. we need mail to - # get routed to us. - if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then - s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25 - fi + # docker compose makes an interface named like br-8f3e208558f2. we need mail to + # get routed to us. + if ! 
s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then + s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25 + fi - docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production - logq docker-compose run --rm web rake db:migrate - docker-compose run --rm web rails assets:precompile + docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production + logq docker-compose run --rm web rake db:migrate + docker-compose run --rm web rails assets:precompile - # avatar failed to upload, did - # docker logs mastodon_web_1 - # google lead me to this - s chown -R 991:991 public/system + # avatar failed to upload, did + # docker logs mastodon_web_1 + # google lead me to this + s chown -R 991:991 public/system - # docker daemon takes care of starting on boot. - docker-compose up -d + # docker daemon takes care of starting on boot. + docker-compose up -d - s a2enmod proxy_wstunnel headers - web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF' + s a2enmod proxy_wstunnel headers + web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF' ProxyPreserveHost On RequestHeader set X-Forwarded-Proto "https" ProxyPass /500.html ! 
@@ -486,52 +478,52 @@ EOF EOF - ############### !!!!!!!!!!!!!!!!! - ############### manual steps: - - # only following 2 people atm, so not bothering to figure out backups - # when mastodon has not documented it at all. - # - # fsf@status.fsf.org - # cwebber@toot.cat - # dbd@status.fsf.org - # johns@status.fsf.org - - # sign in page is at https://mast.iankelling.org/auth/sign_in - # register as iank, then - # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md - # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank - - ############# end setup mastodon ############## - - # we use nsupdate to update the ip of home - pi bind9 - - pi znc - # znc config generated by doing - # znc --makeconf - # selected port is also used in erc config - # comma separated channel list worked. - # while figuring things out, running znc -D for debug in foreground. - # to exit and save config: - # /msg *status shutdown - # configed auth on freenode by following - # https://wiki.znc.in/Sasl - # created the system service after, and had to do - # mv /home/iank/.znc/* /var/lib/znc - # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf - # and made a copy of the config files into /p/c - # added LoadModule = log -sanitize to the top level - # to get into the web interface, - # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem - # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site. - # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart. - # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it. 
- # todo: figure out how to make playback in erc happe.n - s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already - chmod 700 /var/lib/znc - s chown -R znc:znc /var/lib/znc/config - s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF' + ############### !!!!!!!!!!!!!!!!! + ############### manual steps: + + # only following 2 people atm, so not bothering to figure out backups + # when mastodon has not documented it at all. + # + # fsf@status.fsf.org + # cwebber@toot.cat + # dbd@status.fsf.org + # johns@status.fsf.org + + # sign in page is at https://mast.iankelling.org/auth/sign_in + # register as iank, then + # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md + # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank + + ############# end setup mastodon ############## + + # we use nsupdate to update the ip of home + pi bind9 + + pi znc + # znc config generated by doing + # znc --makeconf + # selected port is also used in erc config + # comma separated channel list worked. + # while figuring things out, running znc -D for debug in foreground. + # to exit and save config: + # /msg *status shutdown + # configed auth on freenode by following + # https://wiki.znc.in/Sasl + # created the system service after, and had to do + # mv /home/iank/.znc/* /var/lib/znc + # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf + # and made a copy of the config files into /p/c + # added LoadModule = log -sanitize to the top level + # to get into the web interface, + # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem + # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site. + # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. 
https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart. + # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it. + # todo: figure out how to make playback in erc happe.n + s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already + chmod 700 /var/lib/znc + s chown -R znc:znc /var/lib/znc/config + s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF' [Unit] Description=ZNC, an advanced IRC bouncer After=network-online.target @@ -543,12 +535,12 @@ User=znc [Install] WantedBy=multi-user.target EOF - ser daemon-reload - sgo znc + ser daemon-reload + sgo znc - echo "$0: $(date): ending now)" - exit 0 - ;; + echo "$0: $(date): ending now)" + exit 0 + ;; esac ########### end section including li/lj ############### 
@@ -556,21 +548,33 @@ esac pi ${p4[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') +case $distro in + trisquel|ubuntu) + l="deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main" + f=/etc/apt/sources.list.d/ansible-ubuntu-ansible-xenial.list + if ! grep -qF "$l" $f; then + s add-apt-repository -y ppa:ansible/ansible + p update + fi + pi ansible + ;; +esac + case $distro in - debian) - pi chromium ;; - xenial|ubuntu) - wget -qO - https://downloads.iridiumbrowser.de/ubuntu/iridium-release-sign-01.pub|sudo apt-key add - - cat < /dev/null; then - case $distro in - arch) - s useradd \ - --system \ - --create-home \ - --home-dir /var/lib/transmission-daemon \ - --shell /bin/false \ - debian-transmission - ;; - *) - s adduser --quiet \ - --system \ - --group \ - --no-create-home \ - --disabled-password \ - --home /var/lib/transmission-daemon \ - debian-transmission - ;; - esac + case $distro in + arch) + s useradd \ + --system \ + --create-home \ + --home-dir /var/lib/transmission-daemon \ + --shell /bin/false \ + debian-transmission + ;; + *) + s adduser --quiet \ + --system \ + --group \ + --no-create-home \ + --disabled-password \ + --home /var/lib/transmission-daemon \ + debian-transmission + ;; + esac fi # trisquel 8 = openvpn, debian stretch = openvpn-client vpn_ser=openvpn-client if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then - vpn_ser=openvpn + vpn_ser=openvpn fi s dd of=/etc/systemd/system/transmission-daemon-nn.service </tmp/fsfsieve.log +sieve-filter -eW -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf.sieve INBOX delete &>>/tmp/fsfsieve.log -# mu indexing happens after this, it gets files that have been moved -# from the above command. So, trying this out to fix it out. -sleep 0.5 +# mu indexing happens after this, and if offlineimap is running, +# it can index messages which are in the wrong folder. +# Just run it again if this happens. 
# to test new rules, update fsf-test.sieve, run these commands, then copy new fsf-test.sieve to fsf.sieve # sieve-filter -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf-test.sieve INBOX &>/tmp/testfsfsieve.log diff --git a/install-my-scripts b/install-my-scripts index 278a3b0..e2356ca 100755 --- a/install-my-scripts +++ b/install-my-scripts @@ -31,4 +31,4 @@ x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} e() { echo "$*"; "$@"; } # scripts that would interfere with unmounting /a, put them elsewhere -e install guest-apt mount-latest-subvol check-subvol-stale /usr/local/bin +e install mount-latest-subvol check-subvol-stale /usr/local/bin diff --git a/mail-setup b/mail-setup index 04e9661..c3b11d8 100755 --- a/mail-setup +++ b/mail-setup @@ -21,7 +21,7 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" usage() { - cat < /dev/null; then - return 0; - fi; - while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done - f=/var/cache/apt/pkgcache.bin; - if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then - apt-get update - fi - apt-get -y install --purge --auto-remove "$@" + local s f + if dpkg -s -- "$@" &> /dev/null; then + return 0; + fi; + while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done + f=/var/cache/apt/pkgcache.bin; + if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then + apt-get update + fi + apt-get -y install --purge --auto-remove "$@" } postmaster=$u 
@@ -215,60 +215,60 @@ smarthost="$mxhost::$mxport" # exim # trisquel 8 = openvpn, debian stretch = openvpn-client vpn_ser=openvpn-client if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then - vpn_ser=openvpn + vpn_ser=openvpn fi if [[ $HOSTNAME == $MAIL_HOST ]]; then - # afaik, these will get ignored because they are routing to my own - # machine, but rm them is safer - rm -f $(eval echo ~$postmaster)/.forward /root/.forward + # afaik, these will get ignored because they are routing to my own + # machine, but rm them is safer + rm -f $(eval echo ~$postmaster)/.forward /root/.forward else - # this can\'t be a symlink and has permission restrictions - # it might work in /etc/aliases, but this seems more proper. - install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward + # this can\'t be a symlink and has permission restrictions + # it might work in /etc/aliases, but this seems more proper. + install -m 644 {-o,-g}$postmaster <(e $forward) $(eval echo ~$postmaster)/.forward fi # offlineimap uses this too, it is much easier to use one location than to # condition it\'s config and postfix\'s config if [[ -f /etc/fedora-release ]]; then - /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt + /a/exe/lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt fi if postfix; then - # dunno why, but debian installed postfix with builddep emacs - # but I will just explicitly install it here since - # I use it for sending mail in emacs. 
- if command -v apt-get &> /dev/null; then - debconf-set-selections < /dev/null; then + debconf-set-selections </dev/null; then - while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done - dpkg-reconfigure -u -fnoninteractive postfix - else - pi postfix - fi + if dpkg -s postfix &>/dev/null; then + while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done + dpkg-reconfigure -u -fnoninteractive postfix else - source /a/bin/distro-functions/src/package-manager-abstractions - pi postfix - # Settings from reading the output when installing on debian, - # then seeing which were different in a default install on arch. - # I assume the same works for fedora. - postconfin <>$f - done - postmap hash:/etc/postfix/sasl_passwd - # need restart instead of reload when changing - # inet_protocols - service postfix restart + # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit + # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives + # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again + + + f=/etc/postfix/sasl_passwd + install -m 600 /dev/null $f + cat /etc/mailpass| while read -r domain port pass; do + # format: domain port user:pass + # mailpass is just a name i made up, since postfix and + # exim both use a slightly crazy format to translate to + # each other, it\'s easier to use my own format. + printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f + done + postmap hash:/etc/postfix/sasl_passwd + # need restart instead of reload when changing + # inet_protocols + service postfix restart else # begin exim. has debian specific stuff for now - pi openvpn - - if [[ -e /p/c/filesystem ]]; then - # allow failure of these commands when our internet is down, they are likely not needed, - # we check that a valid cert is there already. - # to put the hostname in the known hosts - if ! 
ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then - openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/openvpn/mail.crt - else - # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with - # systemd, buuut it can remake the tun device unexpectedly, i got this in the log - # after my internet was down for a bit: - # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. - /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org - fi + pi openvpn + + if [[ -e /p/c/filesystem ]]; then + # allow failure of these commands when our internet is down, they are likely not needed, + # we check that a valid cert is there already. + # to put the hostname in the known hosts + if ! ssh -o StrictHostKeyChecking=no root@li.iankelling.org :; then + openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/openvpn/mail.crt + else + # note, man openvpn implies we could just call mail-route on vpn startup/shutdown with + # systemd, buuut it can remake the tun device unexpectedly, i got this in the log + # after my internet was down for a bit: + # NOTE: Pulled options changed on restart, will need to close and reopen TUN/TAP device. + /a/exe/vpn-mk-client-cert -b mail -n mail -s /b/ds/mail-route li.iankelling.org fi + fi - cat >/etc/systemd/system/offlineimapsync.timer <<'EOF' + cat >/etc/systemd/system/offlineimapsync.timer <<'EOF' [Unit] Description=Run offlineimap-sync once every min @@ -326,7 +326,7 @@ OnCalendar=*:0/1 WantedBy=timers.target EOF - cat >/etc/systemd/system/offlineimapsync.service </etc/systemd/system/offlineimapsync.service <$f <<'EOF' + #### begin mail cert setup ### + f=/usr/local/bin/mail-cert-cron + cat >$f <<'EOF' set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR 
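Review bot: In the postfix branch the new `printf "[%s]:%s %s" "$domain" "$port" "${pass/@/#}" >>$f` has no trailing newline, so a second entry in /etc/mailpass is appended onto the same line and `postmap` parses the whole file as a single key/value pair; the exim equivalent later in this file uses `"%s:%s\n"`. Change the format to `printf "[%s]:%s %s\n" "$domain" "$port" "${pass/@/#}" >>$f`. The removed side of this stretch is not legible here, so the missing newline may predate the commit rather than be introduced by it, and the enclosing `if postfix; then … else` block runs past the visible lines of this hunk.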
@@ -405,9 +405,9 @@ if [[ $new_ret != 0 ]]; then fi exit 0 EOF - chmod 755 $f + chmod 755 $f - cat >/etc/systemd/system/mailcert.service <<'EOF' + cat >/etc/systemd/system/mailcert.service <<'EOF' [Unit] Description=Mail cert rsync After=multi-user.target @@ -417,7 +417,7 @@ Type=oneshot ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron EOF - cat >/etc/systemd/system/mailcert.timer <<'EOF' + cat >/etc/systemd/system/mailcert.timer <<'EOF' [Unit] Description=Run mail-cert once a day @@ -427,18 +427,18 @@ OnCalendar=daily [Install] WantedBy=timers.target EOF - systemctl daemon-reload - systemctl start mailcert - systemctl restart mailcert.timer - systemctl enable mailcert.timer + systemctl daemon-reload + systemctl start mailcert + systemctl restart mailcert.timer + systemctl enable mailcert.timer - ##### end mailcert setup ##### + ##### end mailcert setup ##### - if [[ $HOSTNAME == $MAIL_HOST ]]; then + if [[ $HOSTNAME == $MAIL_HOST ]]; then - debconf-set-selections <$exim_main_dir/000_localmacros <$exim_main_dir/000_localmacros </etc/dovecot/conf.d/20-lmtp.conf </etc/dovecot/conf.d/20-lmtp.conf </etc/dovecot/local.conf <<'EOF' + cat >/etc/dovecot/local.conf <<'EOF' # so I can use a different login that my shell login for mail. this is # worth doing solely for the reason that if this login is compromised, # it won't also compromise my shell password. 
@@ -693,29 +693,29 @@ ssl_prefer_server_ciphers = yes # auth_verbose=yes #mail_debug=yes EOF - ####### end dovecot setup ######## - - - systemctl enable offlineimapsync.timer - systemctl start offlineimapsync.timer - systemctl restart $vpn_ser@mail - systemctl enable $vpn_ser@mail - systemctl enable dovecot - systemctl restart dovecot - - else # $HOSTNAME != $MAIL_HOST - systemctl disable offlineimapsync.timer &>/dev/null ||: - systemctl stop offlineimapsync.timer &>/dev/null ||: - systemctl disable $vpn_ser@mail - systemctl stop $vpn_ser@mail - systemctl disable dovecot ||: - systemctl stop dovecot ||: - # - # - # would only exist because I wrote it i the previous condition, - # it\'s not part of exim - rm -f $exim_main_dir/000_localmacros - debconf-set-selections </dev/null ||: + systemctl stop offlineimapsync.timer &>/dev/null ||: + systemctl disable $vpn_ser@mail + systemctl stop $vpn_ser@mail + systemctl disable dovecot ||: + systemctl stop dovecot ||: + # + # + # would only exist because I wrote it i the previous condition, + # it\'s not part of exim + rm -f $exim_main_dir/000_localmacros + debconf-set-selections </dev/null; then - # gotta remove this, otherwise the set-selections are completely - # ignored. It woulda been nice if this was documented somewhere! - rm -f /etc/exim4/update-exim4.conf.conf - while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done - dpkg-reconfigure -u -fnoninteractive exim4-config - fi - - # i have the spool directory be common to distro multi-boot, so - # we need the uid to be the same. 608 cuz it's kind of in the middle - # of the free system uids. - IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ); unset IFS - IFS=:; read _ _ gid _ < <(getent group Debian-exim ); unset IFS - if [[ ! 
$uid ]]; then - # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options - adduser --uid 608 --gid 608 --system --group --quiet --home /var/spool/exim4 \ - --no-create-home --disabled-login --force-badname Debian-exim - elif [[ $uid != 608 ]]; then - systemctl stop exim4 ||: - usermod -u 608 Debian-exim - groupmod -g 608 Debian-exim - usermod -g 608 Debian-exim - find / /nocow -xdev -uid $uid -exec chown -h 608 {} + - find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} + - fi - - # light version of exim does not have sasl auth support. - pi exim4-daemon-heavy spamassassin - - + fi # end $HOSTNAME != $MAIL_HOST - - ##### begin spamassassin config - systemctl enable spamassassin - # per readme.debian - sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin - e CRON=1 >>/etc/default/spamassassin - # just noticed this in the config file, seems like a good idea. - sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin - e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin - systemctl start spamassassin - systemctl reload spamassassin - - cat >/etc/systemd/system/spamddnsfix.service <<'EOF' + # if we already have it installed, need to reconfigure, without being prompted + if dpkg -s exim4-config &>/dev/null; then + # gotta remove this, otherwise the set-selections are completely + # ignored. It woulda been nice if this was documented somewhere! + rm -f /etc/exim4/update-exim4.conf.conf + while fuser /var/lib/dpkg/lock &>/dev/null; do sleep 1; done + dpkg-reconfigure -u -fnoninteractive exim4-config + fi + + # i have the spool directory be common to distro multi-boot, so + # we need the uid to be the same. 608 cuz it's kind of in the middle + # of the free system uids. + IFS=:; read _ _ uid _ < <(getent passwd Debian-exim ); unset IFS + IFS=:; read _ _ gid _ < <(getent group Debian-exim ); unset IFS + if [[ ! 
$uid ]]; then + # from /var/lib/dpkg/info/exim4-base.postinst, plus uid and gid options + adduser --uid 608 --gid 608 --system --group --quiet --home /var/spool/exim4 \ + --no-create-home --disabled-login --force-badname Debian-exim + elif [[ $uid != 608 ]]; then + systemctl stop exim4 ||: + usermod -u 608 Debian-exim + groupmod -g 608 Debian-exim + usermod -g 608 Debian-exim + find / /nocow -xdev -uid $uid -exec chown -h 608 {} + + find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} + + fi + + # light version of exim does not have sasl auth support. + pi exim4-daemon-heavy spamassassin + + + + + ##### begin spamassassin config + systemctl enable spamassassin + # per readme.debian + sed -i '/^\s*CRON\s*=/d' /etc/default/spamassassin + e CRON=1 >>/etc/default/spamassassin + # just noticed this in the config file, seems like a good idea. + sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin + e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin + systemctl start spamassassin + systemctl reload spamassassin + + cat >/etc/systemd/system/spamddnsfix.service <<'EOF' [Unit] Description=spamd dns bug fix cronjob @@ -777,10 +777,10 @@ Description=spamd dns bug fix cronjob Type=oneshot ExecStart=/a/bin/distro-setup/spamd-dns-fix EOF - # 2017-09, debian closed the bug on this saying upstream had fixed it. - # remove this when i\'m using the newer package, ie, debian 10, or maybe - # ubuntu 18.04. - cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' + # 2017-09, debian closed the bug on this saying upstream had fixed it. + # remove this when i\'m using the newer package, ie, debian 10, or maybe + # ubuntu 18.04. + cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' [Unit] Description=run spamd bug fix script every 10 minutes 
@@ -794,17 +794,17 @@ OnUnitActiveSec=550 [Install] WantedBy=timers.target EOF - systemctl daemon-reload - systemctl restart spamddnsfix.timer - systemctl enable spamddnsfix.timer - # - ##### end spamassassin config + systemctl daemon-reload + systemctl restart spamddnsfix.timer + systemctl enable spamddnsfix.timer + # + ##### end spamassassin config - cat >/etc/exim4/rcpt_local_acl <<'EOF' + cat >/etc/exim4/rcpt_local_acl <<'EOF' # Only hosts we control send to mail.iankelling.org, so make sure # they are all authed. # Note, if we wanted authed senders for all domains, @@ -814,7 +814,7 @@ deny !authenticated = * domains = mail.iankelling.org EOF - cat >/etc/exim4/data_local_acl <<'EOF' + cat >/etc/exim4/data_local_acl <<'EOF' # Except for the "condition =", this was # a comment in the check_data acl. The comment about this not # being suitable is mostly bs. The only thing related I found was to @@ -833,7 +833,7 @@ EOF X-Spam_report: $spam_report EOF - cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' + cat >/etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF' # from 30_exim4-config_examples plain_server: @@ -847,7 +847,7 @@ server_advertise_condition = ${if eq{$tls_in_cipher}{}{}{*}} .endif EOF - cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' + cat >/etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF' ### router/900_exim4-config_local_user ################################# @@ -865,7 +865,7 @@ local_user: transport = LOCAL_DELIVERY cannot_route_message = Unknown user EOF - cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' + cat >/etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF' dovecot_lmtp: driver = lmtp socket = /var/run/dovecot/lmtp 
@@ -873,7 +873,7 @@ dovecot_lmtp: batch_max = 200 EOF - cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF' + cat >/etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF' # smarthost for fsf mail # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and # replaced DCsmarthost with mail.fsf.org 
@@ -889,85 +889,85 @@ fsfsmarthost: no_more EOF - # https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost - # i only need .forwards, so just doing that one. - cd /etc/exim4/conf.d/router - b=userforward_higher_priority - # replace the router name so it is unique - sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b - - # begin setup passwd.client - f=/etc/exim4/passwd.client - rm -f /etc/exim4/passwd.client - install -m 640 -g Debian-exim /dev/null $f - cat /etc/mailpass| while read -r domain port pass; do - # reference: exim4_passwd_client(5) - printf "%s:%s\n" "$domain" "$pass" >>$f - done - # end setup passwd.client - - # by default, only 10 days of logs are kept. increase that. - sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base - - systemctl restart exim4 - - fi #### end if exim4 - - # /etc/alias setup is debian specific, and - # exim config sets up an /etc/alias from root to the postmaster, which i - # config to ian, as long as there exists an entry for root, or there was - # no preexisting aliases file. based on the postinst file. postfix - # won\'t set up a root to $postmaster alias if it\'s already installed. - # Since postfix is not the greatest, just set it ourselves. - if [[ $postmaster != root ]]; then - sed -i --follow-symlinks -f - /etc/aliases <175_$b + + # begin setup passwd.client + f=/etc/exim4/passwd.client + rm -f /etc/exim4/passwd.client + install -m 640 -g Debian-exim /dev/null $f + cat /etc/mailpass| while read -r domain port pass; do + # reference: exim4_passwd_client(5) + printf "%s:%s\n" "$domain" "$pass" >>$f + done + # end setup passwd.client + + # by default, only 10 days of logs are kept. increase that. 
+ sed -ri 's/^(\s*rotate\s).*/\11000/' /etc/logrotate.d/exim4-base + + systemctl restart exim4 + +fi #### end if exim4 + +# /etc/alias setup is debian specific, and +# exim config sets up an /etc/alias from root to the postmaster, which i +# config to ian, as long as there exists an entry for root, or there was +# no preexisting aliases file. based on the postinst file. postfix +# won\'t set up a root to $postmaster alias if it\'s already installed. +# Since postfix is not the greatest, just set it ourselves. +if [[ $postmaster != root ]]; then + sed -i --follow-symlinks -f - /etc/aliases </dev/null; then - if [[ $HOSTNAME == $MAIL_HOST ]]; then - systemctl restart radicale - systemctl enable radicale - if [[ -e /etc/logrotate.d/radicale.disabled ]]; then - mv /etc/logrotate.d/radicale{.disabled,} - fi - else - systemctl stop radicale - systemctl disable radicale - # weekly logrotate tries to restart radicale even if it's a disabled service in flidas. - if [[ -e /etc/logrotate.d/radicale ]]; then - mv /etc/logrotate.d/radicale{,.disabled} - fi - fi - fi - exit 0 - - # if I wanted the from address to be renamed and sent to a different address, - # echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical - # sudo postmap hash:/etc/postfix/recipient_canonical - # sudo service postfix reload + newaliases +fi + +# put spool dir in directory that spans multiple distros. +# based on http://www.postfix.org/qmgr.8.html and my notes in gnus +# +# todo: I\'m suspicious of uids for Debian-exim being the same across +# distros. It would be good to test this. +dir=/nocow/$type +sdir=/var/spool/$type +# we only do this if our system has $dir +if [[ -e /nocow && $(readlink -f $sdir) != $dir ]]; then + systemctl stop $type + if [[ ! 
-e $dir && -d $sdir ]]; then + mv $sdir $dir + fi + /a/exe/lnf -T $dir $sdir +fi + +systemctl restart $type +systemctl enable $type + +# MAIL_HOST also does radicale, and easier to start and stop it here +# for when MAIL_HOST changes, so radicale gets the synced files and +# does not stop us from remounting /o. +if dpkg -s radicale &>/dev/null; then + if [[ $HOSTNAME == $MAIL_HOST ]]; then + systemctl restart radicale + systemctl enable radicale + if [[ -e /etc/logrotate.d/radicale.disabled ]]; then + mv /etc/logrotate.d/radicale{.disabled,} + fi + else + systemctl stop radicale + systemctl disable radicale + # weekly logrotate tries to restart radicale even if it's a disabled service in flidas. + if [[ -e /etc/logrotate.d/radicale ]]; then + mv /etc/logrotate.d/radicale{,.disabled} + fi + fi +fi +exit 0 +: +# if I wanted the from address to be renamed and sent to a different address, +# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical +# sudo postmap hash:/etc/postfix/recipient_canonical +# sudo service postfix reload diff --git a/myunison b/myunison index 30ee1cb..506e9c6 100755 --- a/myunison +++ b/myunison @@ -1,4 +1,4 @@ -#!/bin/bash -l +#!/bin/bash -lx set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR diff --git a/pkgs b/pkgs index f57b57f..9ae81c8 100644 --- a/pkgs +++ b/pkgs @@ -21,6 +21,7 @@ p3=( bash-completion curl eatmydata + fping git htop iptables @@ -106,6 +107,7 @@ p4=( markdown mb2md meld + moreutils mps-youtube mpv mumble @@ -131,12 +133,14 @@ p4=( python-autopep8 python3-doc qrencode + readline-doc reportbug rng-tools sakura schroot sqlite3-doc squashfs-tools + strace swh-plugins tar-doc tcpdump diff --git a/primary-setup b/primary-setup new file mode 100755 index 0000000..4641c93 --- /dev/null +++ b/primary-setup 
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+# usage $0 [MAIL_HOST]
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+# setup things which involve being the primary host or not
+
+if [[ $1 ]]; then
+ new_host=$1
+ sed -ri "s/MAIL_HOST=.*/MAIL_HOST=$new_host/" /a/bin/bash_unpublished/source-semi-priv
+ source /a/bin/bash_unpublished/source-semi-priv
+fi
+
+if [[ $HOSTNAME == $MAIL_HOST ]]; then
+ DISPLAY=:0 arbtt-capture --sample-rate=10 &
+ sudo systemctl start rss2email.timer
+ sudo systemctl enable rss2email.timer
+
+else
+ for ((i=0; i<10; i++)); do
+ killall arbtt-capture || break
+ sleep 1
+ if [[ $i == 9 ]]; then
+ exit 1
+ fi
+ sudo systemctl stop rss2email.timer
+ sudo systemctl stop rss2email.service
+ sudo systemctl disable rss2email.timer
+ done
+fi
+
+mail-setup exim4
+exit 0
+:
diff --git a/subdir_files/.gnupg/gpg.conf b/subdir_files/.gnupg/gpg.conf
index 8d728b2..2e6db08 100644
--- a/subdir_files/.gnupg/gpg.conf
+++ b/subdir_files/.gnupg/gpg.conf
@@ -33,3 +33,6 @@ default-key B125F60B7B287FF6A2B7DF8F170AF0E2954295DF
 # and in /etc/X11/Xsession.d/01iank
 # install -o iank -g iank -d -m700 /home/iank/gpg-agent-socket
 # because something keeps deleting that directory
+
+# default keyserver
+keyserver hkp://pool.sks-keyservers.net
\ No newline at end of file
diff --git a/switch-mail-host b/switch-mail-host
index 8d4072b..b3e7832 100755
--- a/switch-mail-host
+++ b/switch-mail-host
@@ -73,15 +73,15 @@ echo "$0: at_home = $at_home"
 source /a/bin/bash_unpublished/source-semi-priv
 #### begin convert private hostnames to public hostnames ####
-if ! $at_home; then
- for var in old_host new_host; do
- case ${!var} in
- tp)
- eval $var=$HOME_DOMAIN
- ;;
- esac
- done
-fi
+#if ! $at_home; then
+# for var in old_host new_host; do
+# case ${!var} in
+# tp)
+# eval $var=$HOME_DOMAIN
+# ;;
+# esac
+# done
+#fi
 #### end convert private hostnames to public hostnames ####
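Review bot: In primary-setup's `else` branch the three `sudo systemctl stop/disable rss2email…` calls sit inside the `for` loop that kills arbtt-capture, so they only run on an iteration where `killall` succeeded; when arbtt-capture is not running at all, `killall … || break` leaves the loop on the first pass and rss2email is never stopped or disabled on the demoted host. Move the three calls after `done` so they run regardless of whether there was a capture process to kill. Separately, `$1` goes unvalidated into the sed replacement and from there into source-semi-priv, a file that is `source`d afterwards, so a value containing `/`, `&` or shell metacharacters either breaks the sed expression or gets executed on every later source; a check such as `[[ $1 =~ ^[A-Za-z0-9.-]+$ ]] || exit 1` before the sed is cheap insurance.
```shell
else
  for ((i=0; i<10; i++)); do
    killall arbtt-capture || break
    sleep 1
    if [[ $i == 9 ]]; then
      exit 1
    fi
  done
  sudo systemctl stop rss2email.timer
  sudo systemctl stop rss2email.service
  sudo systemctl disable rss2email.timer
fi
```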
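Review bot: The new `keyserver hkp://pool.sks-keyservers.net` line fetches keys over plain HKP, so an on-path attacker can substitute or strip keys and the only remaining protection is whatever fingerprint check happens afterwards; the pool also offered a TLS endpoint, and `keyserver hkps://hkps.pool.sks-keyservers.net` is the usual choice. With GnuPG 2.1 the lookup goes through dirmngr, which depending on version needs the pool's own CA configured via `hkp-cacert` in dirmngr.conf before hkps validates, so this is worth confirming on the target hosts. The file is also left without a trailing newline (`\ No newline at end of file`); gpg tolerates that, but it is worth fixing while here.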
@@ -120,21 +120,6 @@ if $old_shell systemctl is-active btrbk.timer; then restore_old_btrbk=true fi -for ((i=0; i<10; i++)); do - $old_shell killall arbtt-capture || break - sleep 1 - if [[ i == 9 ]]; then - warn="WARNING!!! failed to kill arbtt-capture" - fi -done -for ((i=0; i<10; i++)); do - $new_shell killall arbtt-capture || break - sleep 1 - if [[ i == 9 ]]; then - warn="WARNING!!! failed to kill arbtt-capture" - fi -done - $new_shell bash -s <<'EOF' set -eE @@ -154,13 +139,9 @@ EOF EOFOUTER fi -mail-setup() { - shell="$1" - $shell sed -ri "s/MAIL_HOST=.*/MAIL_HOST=$new_host/" /a/bin/bash_unpublished/source-semi-priv - $shell /a/bin/distro-setup/mail-setup exim4 -} -mail-setup "$old_shell" +$old_shell /a/bin/distro-setup/install-my-scripts +$old_shell primary-setup $new_host sudo dd of=/etc/btrbk.conf <<'EOF' ssh_identity /root/.ssh/home @@ -214,9 +195,9 @@ EOF sudo btrbk -l debug --progress run +$new_shell /a/bin/distro-setup/install-my-scripts $new_shell mount-latest-subvol - -mail-setup "$new_shell" +$new_shell primary-setup $new_host if $restore_new_btrbk; then $new_shell sudo systemctl start btrbk.timer @@ -224,7 +205,3 @@ fi if $restore_old_btrbk; then $old_shell sudo systemctl start btrbk.timer fi - -$new_shell DISPLAY=:0 arbtt-capture --sample-rate=10 & - -echo $warn diff --git a/switch-primary-host b/switch-primary-host index f154975..eb9216e 100755 --- a/switch-primary-host +++ b/switch-primary-host @@ -1,5 +1,8 @@ #!/bin/bash +# this pulls from host $1 to the current host. +# not currently used, but it might be useful at some point + source /a/bin/errhandle/errcatch-function source /a/bin/errhandle/bash-trace-function errcatch diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules index f1b6bdd..f0a37f7 100644 --- a/transmission-firewall/netns.rules +++ b/transmission-firewall/netns.rules 
@@ -33,8 +33,9 @@ -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
 # 1195 is used for the secondary vpn server
--A OUTPUT -p udp -m udp --dport 1194:1195 -j ACCEPT
--A INPUT -p udp -m udp --sport 1194:1195 -j ACCEPT
+# 1198 is another vpn port, simpler syntax just to use range
+-A OUTPUT -p udp -m udp --dport 1194:1198 -j ACCEPT
+-A INPUT -p udp -m udp --sport 1194:1198 -j ACCEPT
 -A OUTPUT -o tun0 -j ACCEPT
 -A INPUT -i tun0 -j ACCEPT
diff --git a/untrusted-network b/untrusted-network
index 8fc3d7b..c9a43db 100755
--- a/untrusted-network
+++ b/untrusted-network
@@ -14,6 +14,8 @@ server=8.8.8.8
 server=2001:4860:4860::8844
 server=2001:4860:4860::8888
 no-resolv
+# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
+stop-dns-rebind
 EOF
 systemctl reload dnsmasq
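Review bot: `-A INPUT -p udp -m udp --sport 1194:1198 -j ACCEPT` accepts any inbound UDP datagram whose source port falls in that range, from any address, so widening it to 1194:1198 also widens an unauthenticated hole (it now covers 1196 and 1197, which the comments do not account for), and a source port is trivially spoofed. If the rest of netns.rules, not visible here, already has an `ESTABLISHED,RELATED` accept, the VPN replies are covered by that and this rule can go; otherwise constrain it, e.g. `-A INPUT -p udp -m udp --sport 1194:1198 -m conntrack --ctstate ESTABLISHED -j ACCEPT`, or name the exact ports with `-m multiport --sports 1194,1195,1198` and limit the rule to the VPN server's address. The OUTPUT rule is fine as written.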
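Review bot: `stop-dns-rebind` makes dnsmasq reject upstream answers that point into private ranges, including 127.0.0.0/8, so anything used on this profile that relies on a public name resolving to localhost (development hostnames are the common case) will be refused, with dnsmasq logging the rejection; `rebind-localhost-ok` re-allows the loopback case and `rebind-domain-ok=/domain/` exempts specific zones if that turns out to be needed. A short comment beside the option saying what it blocks would help the next reader more than the bare URL, e.g. `# reject upstream answers in private/loopback/link-local ranges (DNS rebinding defence)`. Whether the check also covers IPv6 answers depends on the dnsmasq version installed, so that is worth verifying against the running build.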