From 2cff2dd2b8040e6cbd721932ae09142881d7e0a6 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Mon, 28 May 2018 18:44:02 -0400
Subject: [PATCH] various fies, change network

---
 .gitconfig | 3 ++
 brc | 2 +
 conflink | 6 +--
 distro-begin | 5 +++
 distro-end | 59 ++++++++++++++++++-------
 distro-pkgs | 2 +-
 filesystem/etc/profile.d/environment.sh | 3 ++
 lan-dns | 4 +-
 pkgs | 3 +-
 primary-setup | 24 +++++-----
 transmission-firewall/netns.rules | 7 ++-
 11 files changed, 84 insertions(+), 34 deletions(-)

diff --git a/.gitconfig b/.gitconfig
index f1c2019..7dd509e 100644
--- a/.gitconfig
+++ b/.gitconfig
@@ -1,6 +1,7 @@
 [user]
 name = Ian Kelling
 email = iank@fsf.org
+#email = ian@iankelling.org
 [alias]
 # Always use the git lg alias instead of git log. It's too easy to get
 # confused by not seeing branches in git log output.
@@ -24,6 +25,8 @@
 helper = cache
 [diff]
 ignoreSubmodules = dirty
 tool = meld
+# gitinspector complained
+renamelimit = 5000
 [gitreview]
 username = iank
diff --git a/brc b/brc
index 046edbe..8084ba0 100644
--- a/brc
+++ b/brc
@@ -386,6 +386,8 @@ cam() {
 git commit -am "$*"
 }
+cbfstool () { /a/opt/coreboot/build/cbfstool "$@"; }
+
 ccat () { # config cat. see a config without extra lines.
 grep '^\s*[^;[:space:]#]' "$@"
 }
diff --git a/conflink b/conflink
index 03649f5..ec1b623 100755
--- a/conflink
+++ b/conflink
@@ -90,9 +90,9 @@ case $USER in
 if [[ -e /etc/davpass ]] && getent group www-data &>/dev/null; then
 s chgrp www-data /etc/davpass
 fi
- if [[ -e /var/lib/znc/configs/znc.conf ]] && getent group znc; then
- s chown znc:znc /var/lib/znc/configs/znc.conf
- fi
+ if [[ -e /var/lib/znc ]] && getent group znc; then
+ s chown -R znc:znc /var/lib/znc
+ fi
 /a/exe/lnf -T /p/arbtt-capture.log ~/.arbtt/capture.log
 ##### end special extra stuff #####
diff --git a/distro-begin b/distro-begin
index 4c889b3..fa5db41 100755
--- a/distro-begin
+++ b/distro-begin
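Review bot: `s chown -R znc:znc /var/lib/znc` now gives the znc service user ownership of everything under /var/lib/znc rather than just znc.conf, and nothing in this hunk sets the mode of those files, so the config (which holds IRC credentials once SASL is configured, per this patch's znc notes) and any znc.pem key stay exactly as readable as they were created. Pair the chown with `s chmod -R o-rwx /var/lib/znc` so the tree is not world-readable regardless of the umask the files were created under. Also `getent group znc` here prints the group entry to stdout, unlike the `&>/dev/null` on the www-data check two lines up; `getent group znc &>/dev/null` keeps it quiet. The enclosing `case $USER in` arm begins before this hunk.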
@@ -223,6 +223,11 @@ Defaults env_keep += SUDOD
 # makes ubuntu be like debian
 # https://unix.stackexchange.com/a/91572
 Defaults always_set_home
+# default setting is to have minimum umask of 0022
+# This lets us have user-specific umasks which are more permissive.
+# I did this for transmission and set it's umask gecos on install,
+# see there for more info.
+Defaults !umask
 EOF
diff --git a/distro-end b/distro-end
index 00827b6..728161d 100755
--- a/distro-end
+++ b/distro-end
@@ -303,6 +303,7 @@ EOF
 git clone https://github.com/pump-io/pump.io.git
 cd pump.io
 fi
+ # note: these 2 commands seem
 # note: doing this or the npm install pump.io as root had problems.
 npm install
 npm run build
@@ -312,7 +313,7 @@ EOF
 # https://github.com/pump-io/pump.io/issues/1287
 s npm install -g databank-mongodb@0.19.2
 if ! getent passwd pumpio &>/dev/null; then
- s useradd -m -s /bin/false pumpio
+ s useradd -Um -s /bin/false pumpio
 fi
 sudo -u pumpio mkdir -p /home/pumpio/pumpdata
 # for testing browser when only listening to localhost,
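Review bot: `Defaults !umask` is host-wide: it lifts sudo's 0022 floor for every sudo invocation by every user, while the comment says the only reason is the transmission user. Scope it to that runas user instead, `Defaults>debian-transmission !umask`, so root commands run by other users keep the floor. This patch's distro-end notes also say transmission takes its umask from settings.json, so confirm the sudoers change is needed at all before keeping it. The sudoers heredoc this fragment belongs to begins before the hunk.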
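Review bot: The new comment `# note: these 2 commands seem` stops mid-sentence, so it carries no information for the next reader; either finish it (what do `npm install` / `npm run build` seem to do or need?) or drop it and keep only the following line about running them as root. A half-written note next to a supply-chain-relevant step (installing and building an npm project straight from a git clone) is worse than none, because it implies a known problem without saying what it is. The surrounding if/fi block opens before this hunk.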
@@ -508,21 +509,39 @@ EOF
 # to exit and save config:
 # /msg *status shutdown
 # configed auth on freenode by following
- # https://wiki.znc.in/Sasl
+ # https://wiki.znc.in/Sasl:
+ # /msg *sasl RequireAuth yes
+ # /msg *sasl Mechanism PLAIN
+ # /msg *sasl Set ident_name password
 # created the system service after, and had to do
 # mv /home/iank/.znc/* /var/lib/znc
 # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
 # and made a copy of the config files into /p/c
- # added LoadModule = log -sanitize to the top level
+ # /msg *status LoadMod --type=global log -sanitize
 # to get into the web interface,
 # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
 # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
+ # https://iankelling.org:12533/
 # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
 # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
- # todo: figure out how to make playback in erc happe.n
+ # /msg *status LoadMod --type=network perform
+ # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
+ # /msg *perform add JOIN #fsf-office
+ #
+ # i set Buffer = 500
+ # also ran /znc LoadMod clearbufferonmsg
+ # it would be nice if erc supported erc query buffers by doing
+ # /msg *status clearbuffer /dev/null <<'EOF'
 [Unit]
 Description=ZNC, an advanced IRC bouncer
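Review bot: The documented step `cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem` writes a TLS private key with whatever mode the shell's umask yields, and the SASL notes added in this hunk mean znc.conf in the same tree holds an IRC password; neither note says how those files are protected. Amend the comment to create the key restrictively, `# (umask 077; cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem)`, and add `# /var/lib/znc holds the SASL password and the TLS key: keep it owner-only for znc`. The existing todo about `AllowWeb = true` is the right instinct and is worth turning into an actual config change rather than leaving as a note. The tail of this hunk (from `clearbuffer` through the systemd unit heredoc) is garbled in this copy, so the unit file itself is not reviewable here.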
@@ -601,8 +620,8 @@ esac
 # key already exists, so this won't generate one, just the configs.
 vpn-server-setup -rds
 s tee -a /etc/openvpn/server/server.conf <<'EOF'
-push "dhcp-option DNS 192.168.1.1"
-push "route 192.168.1.0 255.255.255.0"
+push "dhcp-option DNS 10.0.0.1"
+push "route 10.0.0.0 255.255.0.0"
 client-connect /a/bin/distro-setup/vpn-client-connect
 EOF
 s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
@@ -789,13 +808,15 @@ sudo -u traci -i reset-sakura
 reset-konsole
 sudo -u traci -i reset-konsole
 reset-xscreensaver
-# this is packaged, but i see it's gotten a fair amount of development lately,
-# so install from cabal. the options are needed to get over incompatible xmonad library versions
-# but that stuff is in the global namespace, and it seems they don't conflict in practice.
-pi libxss-dev # dependency based on build failure
-cabal update
-cabal install --upgrade-dependencies --force-reinstalls arbtt
-lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
+
+
+ # this would install from cabal for newer / consistent version across os, but it screws up xmonad, so disabled for now.
+# this is also in primary-setup
+# pi libxss-dev # dependency based on build failure
+# cabal update
+# cabal install --upgrade-dependencies --force-reinstalls arbtt
+# also, i assume syncing this between machines somehow messed thin
+#lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
 primary-setup
@@ -1053,6 +1074,12 @@ if ! getent passwd debian-transmission > /dev/null; then
 fi
+# We want group writable stuff from transmission.
+# However, after setting this, I learn that transmission sets it's
+# own umask based on it's settings file. Well, no harm leaving this
+# so it's set right from the beginning.
+s chfn debian-transmission -o umask=0002
+
 # trisquel 8 = openvpn, debian stretch = openvpn-client
 vpn_ser=openvpn-client
 if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
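Review bot: `push "route 10.0.0.0 255.255.0.0"` pushes the whole 10.0.0.0/16 to VPN clients, while every other renumbering in this patch (DNS 10.0.0.1, lan-dns, the NFS export 10.0.0.0/24) treats the LAN as a /24; unless the wider range is intended, clients will send all of 10.0.x.x into the tunnel, and the route can shadow other 10.x space a client legitimately uses. If the LAN is a /24, `push "route 10.0.0.0 255.255.255.0"` matches the rest of the patch; if the /16 is deliberate, a one-line comment saying why (which other 10.0.x subnets sit behind the server) would stop the next reader from "fixing" it.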
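Review bot: `s chfn debian-transmission -o umask=0002` is, by its own comment, superseded by the umask transmission reads from settings.json, and a GECOS `umask=` hint only takes effect where pam_umask runs in the session that starts the process — a plain systemd unit does not go through PAM — so this is very likely dead configuration that rewrites /etc/passwd on every run. Either drop it or narrow the comment to the one case it could serve (interactive `sudo -u debian-transmission` shells, where pam_umask may apply; verify on this host), so nobody later assumes it is what makes the daemon's files group-writable. The `if ! getent passwd debian-transmission` block it follows begins before the hunk.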
@@ -1107,6 +1134,8 @@ require 'json'
 p = '/etc/transmission-daemon/settings.json'
 s = JSON.parse(File.read(p))
 s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
+# default is 0022 (18 in decimal)
+s["umask"] = 2
 File.write p, JSON.pretty_generate(s)
 EOF
@@ -1602,7 +1631,7 @@ if [[ $HOSTNAME == frodo ]]; then
 # 1. it can be mounted with a shorthand of server:/
 # 2. exports that are subdirectories of this one will automatically be mounted
 tu /etc/exports <<'EOF'
-/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
+/k 10.0.0.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
 EOF
 s exportfs -rav
 fi
diff --git a/distro-pkgs b/distro-pkgs
index 0c137cb..8aebe84 100755
--- a/distro-pkgs
+++ b/distro-pkgs
@@ -118,7 +118,7 @@ esac
 case $distro in
 arch) e nfs-utils ;;
- trisquel|ubuntu|debian) e nfs-client ;;
+ trisquel|ubuntu|debian) e nfs-common ;;
 esac
 case $distro in
diff --git a/filesystem/etc/profile.d/environment.sh b/filesystem/etc/profile.d/environment.sh
index ebc73bb..d91cde1 100644
--- a/filesystem/etc/profile.d/environment.sh
+++ b/filesystem/etc/profile.d/environment.sh
@@ -60,6 +60,9 @@ fi
 # ubuntu has 002 for non-system users, debian has 022. 002 makes groups
 # be rw instead of r.
 #
+# I think the actual setting is somewhere in the pam settings, I haven't
+# bothered to figure that out.
+#
 # ubuntu is more user friendly when using multiple users. However,
 # it also makes it so if you create a file as a regular user then move
 # it to become a system file, it's got slightly wrong permissions, and
diff --git a/lan-dns b/lan-dns
index 9913d4d..844cd76 100644
--- a/lan-dns
+++ b/lan-dns
@@ -1,2 +1,2 @@
-192.168.1.5 x2
-192.168.1.8 tp
+10.0.0.5 x2
+10.0.0.8 tp
diff --git a/pkgs b/pkgs
index 9ae81c8..1038a28 100644
--- a/pkgs
+++ b/pkgs
@@ -14,7 +14,7 @@ p2=(
 konsole
 xmonad
 cabal-install
- dmenu
+ suckless-tools
 )
 p3=(
 at
@@ -71,6 +71,7 @@ p4=(
 dtrx
 duplicity
 eclipse
+ elinks
 evince
 fdupes
 feh
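Review bot: `# default is 0022 (18 in decimal)` above `s["umask"] = 2` mixes bases in a way that makes the 2 look arbitrary; transmission stores the octal mask as a plain integer, so 2 is 0002. Say that and what it buys: `# transmission keeps umask as the octal mask written in decimal: 0022 -> 18, 0002 -> 2` followed by `# 0002 makes downloads group-writable for members of the daemon's group`, so the reader sees this is a deliberate widening, not a typo. The Ruby heredoc (`require 'json'` is on the hunk header line) begins before this hunk.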
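Review bot: The renumbered export keeps `no_root_squash`, `insecure` and `async` for the entire 10.0.0.0/24, so any host that obtains an address in that range gets unrestricted root on /k from any source port; renumbering the LAN is the moment to confirm that subnet holds only trusted hosts (the same patch pushes a 10.0.0.0/16 route to VPN clients, which suggests the address plan is still moving). If only the named LAN hosts mount it, list them instead — `/k 10.0.0.5(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check) 10.0.0.8(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check)` — and drop `insecure` unless a client really mounts from an unprivileged port. The `if [[ $HOSTNAME == frodo ]]` block begins before the hunk.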
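Review bot: The added environment.sh comment leaves the umask source as "somewhere in the pam settings"; as far as I can tell it is pam_umask's `usergroups` behaviour (group bits of the umask copied from the owner bits when the user's primary group is their own private group), driven by USERGROUPS_ENAB/UMASK in /etc/login.defs and the pam_umask entry in /etc/pam.d/common-session — worth confirming on both distros and writing down, e.g. `# probably pam_umask's usergroups option (see pam_umask(8)) plus USERGROUPS_ENAB/UMASK in /etc/login.defs; unverified`. It matters here because the sudoers `!umask` and the chfn `umask=` changes elsewhere in this patch lean on the same mechanism.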
diff --git a/primary-setup b/primary-setup
index 4641c93..4786827 100755
--- a/primary-setup
+++ b/primary-setup
@@ -14,21 +14,23 @@ if [[ $1 ]]; then
 fi
 if [[ $HOSTNAME == $MAIL_HOST ]]; then
- DISPLAY=:0 arbtt-capture --sample-rate=10 &
+ # arbtt disabled for now
+ #DISPLAY=:0 arbtt-capture --sample-rate=10 &
 sudo systemctl start rss2email.timer
 sudo systemctl enable rss2email.timer
 else
- for ((i=0; i<10; i++)); do
- killall arbtt-capture || break
- sleep 1
- if [[ $i == 9 ]]; then
- exit 1
- fi
- sudo systemctl stop rss2email.timer
- sudo systemctl stop rss2email.service
- sudo systemctl disable rss2email.timer
- done
+ sudo systemctl stop rss2email.timer
+ sudo systemctl stop rss2email.service
+ sudo systemctl disable rss2email.timer
+ # arbtt disabled for now
+ # for ((i=0; i<10; i++)); do
+ # killall arbtt-capture || break
+ # sleep 1
+ # if [[ $i == 9 ]]; then
+ # exit 1
+ # fi
+ # done
 fi
 mail-setup exim4
diff --git a/transmission-firewall/netns.rules b/transmission-firewall/netns.rules
index f0a37f7..96b404f 100644
--- a/transmission-firewall/netns.rules
+++ b/transmission-firewall/netns.rules
@@ -1,3 +1,7 @@
+# note, transmission specific thing here is to
+# allow one extra port for transmission-remote, but thats no big deal,
+# might as well use this in general for openvpn-nn
+
 # format from iptables-save. [0:0] are comments of packet-count/byte-count
 # which I removed
 *filter
@@ -7,7 +11,7 @@
 # from ip route, we can deduce that traffic goes to the
 # local 10.8.0.x tun0, then to the normal interface.
 # For the normal interface, we allow only some ports:
-# dns, vpn, transmission-remote.
+# dns for root user, vpn, and transmission-remote.
 # dns is only used to resolve the vpn server ip on initial
 # connection.
 # rules are mirror on input and output, just for extra safety,
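Review bot: The rewritten else branch runs the three `sudo systemctl` calls unconditionally, which is fine, but the hunk leaves ten lines of commented-out arbtt code in both branches; git keeps that history, so replace each block with the single line `# arbtt disabled for now (old capture/kill code is in git history)`. The unchanged test `[[ $HOSTNAME == $MAIL_HOST ]]` treats an unquoted right side as a glob pattern; `[[ $HOSTNAME == "$MAIL_HOST" ]]` compares literally. `sudo systemctl disable --now rss2email.timer` also folds the stop and disable of the timer into one call. The `if [[ $1 ]]` block starts before this hunk.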
@@ -29,6 +33,7 @@
 -A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
 -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+# transmission-remote
 -A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
 -A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-- 
2.30.2
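Review bot: `-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT` matches on source port alone with no connection-tracking state, so anything that can reach the namespace's interface can connect to any listening port just by sending from source port 53, and the `--uid-owner root` restriction on the outbound DNS rule does nothing for that inbound path; the mirrored `-A OUTPUT --sport 9091 -j ACCEPT` has the same shape. Make the reply directions stateful — `-A INPUT -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT` and `-A OUTPUT -p tcp --sport 9091 -m conntrack --ctstate ESTABLISHED -j ACCEPT` — and keep the unsolicited-direction rules as they are. The 9091 INPUT rule also accepts from any source; if transmission-remote only arrives over the host side of the namespace link, pin it with `-s` or `-i`, though the interface layout is not visible here. The chain policies these rules rely on are outside the hunk.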