From 3ca4714d6b02ff279a0c724415f3e0a3a6f49059 Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Sat, 12 Nov 2022 14:03:03 -0500
Subject: [PATCH] fixes and refactor

---
 brc                                           |  24 +++
 distro-begin                                  |  13 +-
 distro-end                                    |  30 +++-
 filesystem/etc/profile.d/environment.sh       |   5 +-
 .../etc/systemd/logind.conf.d/iank.conf       |   1 +
 mail-setup                                    | 158 +++++++++---------
 switch-mail-host                              |   2 -
 7 files changed, 135 insertions(+), 98 deletions(-)
 create mode 100644 filesystem/etc/systemd/logind.conf.d/iank.conf

diff --git a/brc b/brc
index 3c54796..5f43270 100644
--- a/brc
+++ b/brc
@@ -2171,6 +2171,30 @@ nonet() {
 
 m() { printf "%s\n" "$*";  "$@"; }
 
+# update file. note: duplicated in mail-setup
+u() {
+  local tmp tmpdir dest="$1"
+  local base="${dest##*/}"
+  local dir="${dest%/*}"
+  if [[ $dir != "$base" ]]; then
+    # dest has a directory component
+    mkdir -p "$dir"
+  fi
+  ur=false # u result
+  tmpdir=$(mktemp -d)
+  cat >$tmpdir/"$base"
+  tmp=$(rsync -ic $tmpdir/"$base" "$dest")
+  if [[ $tmp ]]; then
+    printf "%s\n" "$tmp"
+    ur=true
+    if [[ $dest == /etc/systemd/system/* ]]; then
+      reload=true
+    fi
+  fi
+  rm -rf $tmpdir
+}
+
+
 uptime() {
   if type -p uprecords &>/dev/null; then
     uprecords -B
diff --git a/distro-begin b/distro-begin
index ac86b2d..4b591c1 100755
--- a/distro-begin
+++ b/distro-begin
@@ -705,20 +705,17 @@ if has_monitor; then
   dir=/etc/X11/xinit/xinitrc.d/
   sudo mkdir -p $dir
   sudo cp /a/bin/distro-setup/desktop-20-autostart.sh $dir
-  s teeu /etc/systemd/logind.conf <<'EOF'
-HandleLidSwitch=
-EOF
 
-  # this works on
-  dir=/etc/gdm3
-  sudo mkdir -p $dir/PostLogin
-  sudo cp /a/bin/distro-setup/desktop-20-autostart.sh $dir/PostLogin/Default
+  ## disabled since i'm not using gdm atm
+  # dir=/etc/gdm3
+  # sudo mkdir -p $dir/PostLogin
+  # sudo cp /a/bin/distro-setup/desktop-20-autostart.sh $dir/PostLogin/Default
   sudo mkdir -p /etc/lightdm/lightdm.conf.d
   # etiona lightdm.log:
   # [SeatDefaults] is now called [Seat:*], please update this configuration
   sudo dd of=/etc/lightdm/lightdm.conf.d/12-iank.conf <<'EOF'
 [Seat:*]
-display-setup-script=/a/bin/ds/lightdm-start
+# display-setup-script=/a/bin/ds/lightdm-start
 session-setup-script=/a/bin/distro-setup/desktop-20-autostart.sh
 EOF
 
diff --git a/distro-end b/distro-end
index e07ab78..ce51793 100755
--- a/distro-end
+++ b/distro-end
@@ -1070,6 +1070,22 @@ esac
 # dependent packages.
 pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
 
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+  s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+fi
+
 
 # commented, not worth the hassle i think.
 #seru enable psd
@@ -2096,13 +2112,13 @@ EOF
 
 # in the default config, we have these definitions
 
-     # 11 define command {
-     #  2 define contact {
-     #  1 define contactgroup {
-     #  9 define host {
-     #  4 define hostgroup {
-     # 23 define service {
-     #  5 define timeperiod {
+# 11 define command {
+#  2 define contact {
+#  1 define contactgroup {
+#  9 define host {
+#  4 define hostgroup {
+# 23 define service {
+#  5 define timeperiod {
 
 
 # on klaxon
diff --git a/filesystem/etc/profile.d/environment.sh b/filesystem/etc/profile.d/environment.sh
index f059e4d..42513fa 100644
--- a/filesystem/etc/profile.d/environment.sh
+++ b/filesystem/etc/profile.d/environment.sh
@@ -77,8 +77,9 @@ if [ -f /etc/fedora-release ]; then
   fi
 fi
 
-# and broken again. see /usr/lib/systemd/user-environment-generators/90gpg-agent
-export GPG_AGENT_INFO=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent:0:1
+# 2020: and broken again. see /usr/lib/systemd/user-environment-generators/90gpg-agent.
+# 2022: not sure exactly what this fixed, but gpg seems to work now without it.
+#export GPG_AGENT_INFO=$XDG_RUNTIME_DIR/gnupg/S.gpg-agent:0:1
 
 # and now trisquel9 + mate + i3 has broken ssh agent. I've had to fix
 # ssh or gpg agent like 10 times in different distros, and once again, i
diff --git a/filesystem/etc/systemd/logind.conf.d/iank.conf b/filesystem/etc/systemd/logind.conf.d/iank.conf
new file mode 100644
index 0000000..6c4b2ee
--- /dev/null
+++ b/filesystem/etc/systemd/logind.conf.d/iank.conf
@@ -0,0 +1 @@
+HandleLidSwitch=
diff --git a/mail-setup b/mail-setup
index 85bd17b..8283d7c 100755
--- a/mail-setup
+++ b/mail-setup
@@ -292,7 +292,7 @@ reload=false
 if [[ -e /var/local/mail-setup-reload ]]; then
   reload=true
 fi
-i() { # install file
+u() { # update file. note: duplicated in brc
   local tmp tmpdir dest="$1"
   local base="${dest##*/}"
   local dir="${dest%/*}"
@@ -300,13 +300,13 @@ i() { # install file
     # dest has a directory component
     mkdir -p "$dir"
   fi
-  ir=false # i result
+  ur=false # u result
   tmpdir=$(mktemp -d)
   cat >$tmpdir/"$base"
   tmp=$(rsync -ic $tmpdir/"$base" "$dest")
   if [[ $tmp ]]; then
     printf "%s\n" "$tmp"
-    ir=true
+    ur=true
     if [[ $dest == /etc/systemd/system/* ]]; then
       touch /var/local/mail-setup-reload
       reload=true
@@ -432,7 +432,7 @@ fi
 
 # * Mail clean cronjob
 
-i /etc/systemd/system/mailclean.timer <<'EOF'
+u /etc/systemd/system/mailclean.timer <<'EOF'
 [Unit]
 Description=Run mailclean daily
 
@@ -443,7 +443,7 @@ OnCalendar=monthly
 WantedBy=timers.target
 EOF
 
-i /etc/systemd/system/mailclean.service <<EOF
+u /etc/systemd/system/mailclean.service <<EOF
 [Unit]
 Description=Delete and archive old mail files
 After=multi-user.target
@@ -457,7 +457,7 @@ EOF
 # * postgrey
 
 
-i /etc/default/postgrey <<'EOF'
+u /etc/default/postgrey <<'EOF'
 POSTGREY_OPTS="--exim --unix=/var/run/postgrey/postgrey.sock --retry-window=4 --max-age=60"
 EOF
 
@@ -465,7 +465,7 @@ EOF
 
 m usermod -a -G Debian-exim clamav
 
-i /etc/systemd/system/clamav-daemon.service.d/fix.conf <<EOF
+u /etc/systemd/system/clamav-daemon.service.d/fix.conf <<EOF
 [Service]
 ExecStartPre=-/bin/mkdir -p /var/run/clamav
 ExecStartPre=/bin/chown clamav /var/run/clamav
@@ -538,7 +538,7 @@ esac
 case $HOSTNAME in
   li) : ;;
   *)
-    i /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
+    u /etc/systemd/system/wg-quick@wgmail.service.d/override.conf <<EOF
 [Unit]
 Requires=mailnn.service
 JoinsNamespaceOf=mailnn.service
@@ -558,7 +558,7 @@ esac
 
 
 # https://selivan.github.io/2017/12/30/systemd-serice-always-restart.html
-i /etc/systemd/system/mailvpn.service <<EOF
+u /etc/systemd/system/mailvpn.service <<EOF
 [Unit]
 Description=OpenVPN tunnel for mail
 After=syslog.target network-online.target mailnn.service
@@ -602,7 +602,7 @@ RestartSec=20
 WantedBy=multi-user.target
 EOF
 
-i /etc/systemd/system/mailnnroute.service <<'EOF'
+u /etc/systemd/system/mailnnroute.service <<'EOF'
 [Unit]
 Description=Network routing for mailnn
 After=syslog.target network-online.target mailnn.service
@@ -626,7 +626,7 @@ WantedBy=multi-user.target
 EOF
 
 #
-i /etc/systemd/system/mailnn.service <<'EOF'
+u /etc/systemd/system/mailnn.service <<'EOF'
 [Unit]
 Description=Network Namespace for mail vpn service that will live forever and cant fail
 After=syslog.target network-online.target
@@ -641,7 +641,7 @@ ExecStart=/bin/sleep infinity
 WantedBy=multi-user.target
 EOF
 
-i /etc/systemd/system/mailbindwatchdog.service <<EOF
+u /etc/systemd/system/mailbindwatchdog.service <<EOF
 [Unit]
 Description=Watchdog to restart services relying on systemd-resolved dir
 After=syslog.target network-online.target
@@ -675,18 +675,18 @@ rm -fv /etc/systemd/system/openvpn-client-mail@.service
 # If we ever notice this change, chattr +i on it
 # trust-ad is used in t10+, glibc 2.31
 
-i /etc/127.0.0.1-resolv/stub-resolv.conf <<'EOF'
+u /etc/127.0.0.1-resolv/stub-resolv.conf <<'EOF'
 nameserver 127.0.0.1
 options edns0 trust-ad
 EOF
 
-i /etc/127.0.0.53-resolv/stub-resolv.conf <<'EOF'
+u /etc/127.0.0.53-resolv/stub-resolv.conf <<'EOF'
 nameserver 127.0.0.53
 options edns0 trust-ad
 EOF
 
 
-i /etc/10.173.8.1-resolv/stub-resolv.conf <<'EOF'
+u /etc/10.173.8.1-resolv/stub-resolv.conf <<'EOF'
 nameserver 10.173.8.1
 options edns0 trust-ad
 EOF
@@ -717,7 +717,7 @@ fi
 case $HOSTNAME in
   $MAIL_HOST)
     # todo, should this be after vpn service
-    i /etc/systemd/system/unbound.service.d/nn.conf <<EOF
+    u /etc/systemd/system/unbound.service.d/nn.conf <<EOF
 [Unit]
 After=mailnn.service
 JoinsNamespaceOf=mailnn.service
@@ -766,7 +766,7 @@ EOF
     ;;&
   $MAIL_HOST|bk)
     for unit in ${nn_progs[@]}; do
-      i /etc/systemd/system/$unit.service.d/nn.conf <<EOF
+      u /etc/systemd/system/$unit.service.d/nn.conf <<EOF
 [Unit]
 
 # Wants appears better than requires because with requires,
@@ -804,7 +804,7 @@ esac
 # * wghole (another mail vpn)
 
 if $bhost_t; then
-  i /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
+  u /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
 [Unit]
 StartLimitIntervalSec=0
 
@@ -815,15 +815,15 @@ EOF
 fi
 
 # * spamassassin config
-i /etc/sysctl.d/80-iank-mail.conf <<'EOF'
+u /etc/sysctl.d/80-iank-mail.conf <<'EOF'
 # see exim spec
 net.netfilter.nf_conntrack_tcp_timeout_close_wait = 120
 EOF
-if $ir; then
+if $ur; then
   m sysctl -p
 fi
 
-i /etc/spamassassin/mylocal.cf <<'EOF'
+u /etc/spamassassin/mylocal.cf <<'EOF'
 # this is mylocal.cf because the normal local.cf has a bunch of upstream stuff i dont want to mess with
 
 # /usr/share/doc/exim4-base/README.Debian.gz:
@@ -842,7 +842,7 @@ EOF
 # 2020-10-19 remove old file. remove this when all hosts updated
 rm -fv /etc/systemd/system/spamddnsfix.{timer,service}
 
-i /etc/default/spamassassin <<'EOF'
+u /etc/default/spamassassin <<'EOF'
 # defaults plus debugging flags for an issue im having
 OPTIONS="--create-prefs --max-children 5 --helper-home-dir"
 PIDFILE="/var/run/spamd.pid"
@@ -881,7 +881,7 @@ EOF
 
 m rsync -aiSAX --chown=root:root --chmod=g-s /a/bin/ds/mail-cert-cron /usr/local/bin
 
-i /etc/systemd/system/mailcert.service <<'EOF'
+u /etc/systemd/system/mailcert.service <<'EOF'
 [Unit]
 Description=Mail cert rsync
 After=multi-user.target
@@ -890,7 +890,7 @@ After=multi-user.target
 Type=oneshot
 ExecStart=/usr/local/bin/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
 EOF
-i /etc/systemd/system/mailcert.timer <<'EOF'
+u /etc/systemd/system/mailcert.timer <<'EOF'
 [Unit]
 Description=Run mail-cert once a day
 
@@ -919,7 +919,7 @@ fi
 
 sed 's/^ *before *= *iptables-common.conf/before = iptables-common-exim.conf/' \
     /etc/fail2ban/action.d/iptables-multiport.conf| i /etc/fail2ban/action.d/iptables-exim.conf
-i /etc/fail2ban/action.d/iptables-common-exim.conf <<'EOF'
+u /etc/fail2ban/action.d/iptables-common-exim.conf <<'EOF'
 # iank: same as iptables-common, except iptables is iptables-exim, ip6tables is ip6tables-exim
 
 # Fail2Ban configuration file
@@ -1015,7 +1015,7 @@ blocktype = REJECT --reject-with icmp6-port-unreachable
 iptables = /usr/local/bin/ip6tables-exim <lockingopt>
 EOF
 
-i /etc/fail2ban/jail.d/exim.local <<'EOF'
+u /etc/fail2ban/jail.d/exim.local <<'EOF'
 [exim]
 enabled  = true
 port	 = 25,587
@@ -1030,7 +1030,7 @@ banaction = iptables-exim
 # 10.173.8.1 = non-nn net
 ignoreip = 209.51.188.13 2001:470:142::13 209.51.188.92 2001:470:142:3::10 72.14.176.105 2600:3c00:e000:280::2 10.173.8.1
 EOF
-if $ir; then
+if $ur; then
   m systemctl restart fail2ban
 fi
 
@@ -1300,7 +1300,7 @@ fi
 
 rm -fv /etc/exim4/rcpt_local_acl # old path
 
-i /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF'
+u /etc/exim4/conf.d/local_deny_exceptions_acl <<'EOF'
 # This acl already exists in rcpt, this just makes it more widespread.
 # See the comment there for its rationale. The reason it needs to be
 # more widespread is that I've turned on sender verification, but cron
@@ -1317,7 +1317,7 @@ EOF
 
 rm -fv /etc/exim4/data_local_acl # old path
 
-i /etc/exim4/conf.d/data_local_acl <<'EOF'
+u /etc/exim4/conf.d/data_local_acl <<'EOF'
 # Except for the "condition =", this was
 # a comment in the check_data acl. The comment about this not
 # being suitable has been changed in newer exim versions. The only thing
@@ -1364,7 +1364,7 @@ rm -fv /etc/exim4/conf.d/router/8{8,9}0_backup_copy \
 # but that is a problem if we change mail host and still have something
 # in the queue which was destined for this router, but hosts were
 # unreachable, the routers will be reevaluated on the next retry.
-i /etc/exim4/conf.d/router/170_backup_copy <<EOF
+u /etc/exim4/conf.d/router/170_backup_copy <<EOF
 ### router/900_exim4-config_local_user
 #################################
 
@@ -1387,7 +1387,7 @@ EOF
 # TODO: copy the defaults into their own file, and setup a cronjob so
 # that if file.dpkg-dist shows up, and it is different, we get an alert.
 
-i /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost <<'EOF'
+u /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp_smarthost <<'EOF'
 ### transport/30_exim4-config_remote_smtp_smarthost
 #################################
 
@@ -1444,7 +1444,7 @@ tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
 .endif
 EOF
 
-i /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp <<'EOF'
+u /etc/exim4/conf.d/transport/30_exim4-config_remote_smtp <<'EOF'
 ### transport/30_exim4-config_remote_smtp
 #################################
 # This transport is used for delivering messages over SMTP connections.
@@ -1510,7 +1510,7 @@ tls_privatekey = REMOTE_SMTP_PRIVATEKEY
 
 EOF
 
-i /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
+u /etc/exim4/conf.d/transport/30_backup_remote <<'EOF'
 backup_remote:
   driver = smtp
   multi_domain
@@ -1553,7 +1553,7 @@ tls_privatekey = REMOTE_SMTP_SMARTHOST_PRIVATEKEY
 .endif
 EOF
 
-i /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
+u /etc/exim4/conf.d/router/900_exim4-config_local_user <<'EOF'
 ### router/900_exim4-config_local_user
 #################################
 
@@ -1574,7 +1574,7 @@ local_user:
   local_part_suffix = +*
   local_part_suffix_optional
 EOF
-i /etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
+u /etc/exim4/conf.d/transport/30_exim4-config_dovecot_lmtp <<'EOF'
 dovecot_lmtp:
   driver = lmtp
   socket = /var/run/dovecot/lmtp
@@ -1583,7 +1583,7 @@ dovecot_lmtp:
   envelope_to_add
 EOF
 
-i /etc/exim4/conf.d/transport/30_remote_smtp_vpn <<'EOF'
+u /etc/exim4/conf.d/transport/30_remote_smtp_vpn <<'EOF'
 # same as debians 30_exim4-config_remote_smtp, but
 # with interface added at the end.
 
@@ -1639,7 +1639,7 @@ tls_privatekey = REMOTE_SMTP_PRIVATEKEY
   interface = <; 10.8.0.4 ; 2600:3c00:e002:3800::4
 EOF
 
-i /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF'
+u /etc/exim4/conf.d/transport/30_smarthost_dkim <<'EOF'
 # ian: this is remote_smtp_smarthost plus the dkim parts from remote_smtp
 
 smarthost_dkim:
@@ -1743,7 +1743,7 @@ if mailhost; then
 
   pi-nostart radicale
 
-  i /etc/systemd/system/radicale.service.d/override.conf <<EOF
+  u /etc/systemd/system/radicale.service.d/override.conf <<EOF
 [Unit]
 
 After=network.target network-online.target mailnn.service $vpnser
@@ -1875,7 +1875,7 @@ case $HOSTNAME in
     done
 
     # https://wiki.dovecot.org/SSL/DovecotConfiguration
-    i /etc/dovecot/dhparam <<'EOF'
+    u /etc/dovecot/dhparam <<'EOF'
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEAoleil6SBxGqQKk7j0y2vV3Oklv6XupZKn7PkPv485QuFeFagifeS
 A+Jz6Wquqk5zhGyCu63Hp4wzGs4TyQqoLjkaWL6Ra/Bw3g3ofPEzMGEsV1Qdqde4
@@ -2062,7 +2062,7 @@ namespace inbox {
 auth_mechanisms = plain login
 EOF
 
-    i /etc/dovecot/sieve-spam.sieve <<'EOF'
+    u /etc/dovecot/sieve-spam.sieve <<'EOF'
 require ["regex", "fileinto", "imap4flags"];
 
 if allof (header :regex "X-Spam-Status" "^Yes") {
@@ -2071,7 +2071,7 @@ if allof (header :regex "X-Spam-Status" "^Yes") {
 }
 EOF
 
-    i /etc/dovecot/local.conf.ext <<'EOF'
+    u /etc/dovecot/local.conf.ext <<'EOF'
 passdb {
   driver = sql
   args = /etc/dovecot/dovecot-sql.conf.ext
@@ -2083,7 +2083,7 @@ userdb {
 
 EOF
 
-    i /etc/dovecot/dovecot-sql.conf.ext <<'EOF'
+    u /etc/dovecot/dovecot-sql.conf.ext <<'EOF'
 # from mailinabox
 driver = sqlite
 # for je and bk, populated the testignore users for the relevant domains
@@ -2138,7 +2138,7 @@ if [[ $HOSTNAME == bk ]]; then
     dir=/var/www/autoconfig.$domain/html/mail
     m mkdir -p $dir
     # taken from mailinabox
-    i $dir/config-v1.1.xml <<EOF
+    u $dir/config-v1.1.xml <<EOF
 <?xml version="1.0" encoding="UTF-8"?>
 <clientConfig version="1.1">
     <emailProvider id="$domain">
@@ -2252,7 +2252,7 @@ if [[ $HOSTNAME == bk ]]; then
     mkdir -p $myncdir
 
     # copied from debians cronjob
-    i /etc/cron.d/$rcbase <<EOF
+    u /etc/cron.d/$rcbase <<EOF
 #  Roundcube database cleaning: finally removes all records that are
 #  marked as deleted.
 0   5  *   *   *   www-data $rcdir/bin/cleandb.sh >/dev/null
@@ -2312,7 +2312,7 @@ EOF
     rctmpdir=/var/tmp/$rcbase
     rcdb=/m/rc/$rcbase.sqlite
     # config from mailinabox
-    i $rcdir/config/config.inc.php <<EOF
+    u $rcdir/config/config.inc.php <<EOF
 <?php
 \$config = array();
 # debian creates this for us
@@ -2407,7 +2407,7 @@ EOF
 
     # About categories, see https://www.davx5.com/tested-with/nextcloud
     # https://github.com/blind-coder/rcmcarddav/blob/master/doc/GROUPS.md
-    i $rcdir/plugins/carddav/config.inc.php <<EOF;
+    u $rcdir/plugins/carddav/config.inc.php <<EOF;
 <?php
 \$prefs['_GLOBAL']['hide_preferences'] = false;
 \$prefs['davserver'] = array(
@@ -2477,11 +2477,11 @@ EOF
   # $rclogdir/errors.log
   # todo: consider other settings in
   # /a/opt/mailinabox/setup/nextcloud.sh
-  i /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF'
+  u /etc/php/$phpver/cli/conf.d/30-local.ini <<'EOF'
 apc.enable_cli = 1
 EOF
 
-  i /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
+  u /etc/php/$phpver/fpm/conf.d/30-local.ini <<'EOF'
 date.timezone = "America/New_York"
 # for nextcloud
 upload_max_filesize = 2000M
@@ -2587,7 +2587,7 @@ EOF
         m sudo -u www-data php occ app:install $app
       fi
     done
-    i /etc/systemd/system/$ncbase.service <<EOF
+    u /etc/systemd/system/$ncbase.service <<EOF
 [Unit]
 Description=ncup $ncbase
 After=multi-user.target
@@ -2599,7 +2599,7 @@ User=www-data
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
 EOF
-    i /etc/systemd/system/$ncbase.timer <<EOF
+    u /etc/systemd/system/$ncbase.timer <<EOF
 [Unit]
 Description=ncup $ncbase timer
 
@@ -2610,7 +2610,7 @@ OnCalendar=Daily
 WantedBy=timers.target
 EOF
     systemctl enable --now $ncbase.timer
-    i /usr/local/bin/ncup <<'EOFOUTER'
+    u /usr/local/bin/ncup <<'EOFOUTER'
 #!/bin/bash
 
 source /usr/local/lib/err
@@ -2648,7 +2648,7 @@ EOFOUTER
 
     mkdir -p /var/www/cron-errors
     chown www-data.www-data /var/www/cron-errors
-    i /etc/cron.d/$ncbase <<EOF
+    u /etc/cron.d/$ncbase <<EOF
 PATH=/usr/sbin:/sbin:/usr/bin:/bin:/usr/local/bin
 SHELL=/bin/bash
 # https://docs.nextcloud.com/server/20/admin_manual/configuration_server/background_jobs_configuration.html
@@ -2696,7 +2696,7 @@ deny
   domains = +local_domains
   !verify = recipient/callout=no_cache
 EOF
-    i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+    u /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
 dovecot_plain:
   driver = dovecot
   public_name = PLAIN
@@ -2706,7 +2706,7 @@ EOF
     ;;
 esac
 if $bhost_t; then
-  i /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
+  u /etc/exim4/conf.d/auth/29_exim4-config_auth <<'EOF'
 # from 30_exim4-config_examples
 plain_server:
 driver = plaintext
@@ -2726,7 +2726,7 @@ case $HOSTNAME in
     # to see the default comments in /etc/default/exim4:
     # s update-exim4defaults --force --init
     # which will overwrite any existing file
-    i /etc/default/exim4 <<'EOF'
+    u /etc/default/exim4 <<'EOF'
 QUEUERUNNER='combined'
 QUEUEINTERVAL='30m'
 COMMONOPTIONS='-C /etc/exim4/my.conf'
@@ -2745,13 +2745,13 @@ EOF
     # note: the daemon gives up and dies after retrying those 9 times.
     # I came upon this by guessing and trial and error.
     setcap CAP_NET_BIND_SERVICE+ei /usr/sbin/exim4
-    i /etc/exim4/trusted_configs <<'EOF'
+    u /etc/exim4/trusted_configs <<'EOF'
 /etc/exim4/my.conf
 EOF
     ;;
   *)
     # default file
-    i /etc/default/exim4 <<'EOF'
+    u /etc/default/exim4 <<'EOF'
 QUEUERUNNER='combined'
 QUEUEINTERVAL='30m'
 EOF
@@ -2772,7 +2772,7 @@ case $HOSTNAME in
         dirs+=($d)
       fi
     done
-    i /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
+    u /etc/systemd/system/exim4.service.d/nonroot.conf <<EOF
 [Service]
 # see 56.2 Root privilege in exim spec
 AmbientCapabilities=CAP_NET_BIND_SERVICE
@@ -2793,7 +2793,7 @@ ProtectSystem=yes
 # when we get newer systemd
 #ProtectDevices=yes
 EOF
-    i /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
+    u /etc/exim4/conf.d/main/000_local-noroot <<'EOF'
 # see 56.2 Root privilege in exim spec
 deliver_drop_privilege = true
 EOF
@@ -2847,7 +2847,7 @@ EOF
 
 
     # no clamav on je, it has 1.5g memory and clamav uses most of it
-    i /etc/exim4/conf.d/clamav_data_acl <<'EOF'
+    u /etc/exim4/conf.d/clamav_data_acl <<'EOF'
 warn
 !hosts = +iank_trusted
 !authenticated = plain_server:login_server
@@ -2891,7 +2891,7 @@ MAIN_TLS_CERTIFICATE = /etc/exim4/fullchain.pem
 MAIN_TLS_PRIVATEKEY = /etc/exim4/privkey.pem
 EOF
 
-    i /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
+    u /etc/exim4/conf.d/router/190_exim4-config_fsfsmarthost <<'EOF'
 gnusmarthost:
   debug_print = "R: smarthost for $local_part@$domain"
   driver = manualroute
@@ -2913,7 +2913,7 @@ EOF
   # ** $MAIL_HOST)
   $MAIL_HOST)
 
-    i /etc/exim4/conf.d/router/195_dnslookup_vpn <<'EOF'
+    u /etc/exim4/conf.d/router/195_dnslookup_vpn <<'EOF'
 # copied from /etc/exim4/conf.d/router/200_exim4-config_primary, but
 # use vpn transport. lower priority so it overrides the default route.
 # Use this in case our vpn fails, we dont send anything without it.
@@ -2935,7 +2935,7 @@ EOF
     # which required using a dedicated user, but realized smtp will be
     # more reliable and less fuss. If I ever need that again, see the
     # history of this file, and bum in brc2.
-    i /etc/exim4/conf.d/router/161_backup_redir_nn <<'EOF'
+    u /etc/exim4/conf.d/router/161_backup_redir_nn <<'EOF'
 backup_redir_nn:
 driver = redirect
 # b is just an arbirary short string
@@ -2953,7 +2953,7 @@ EOF
 
     # This allows for forwarded mail to not get most rcpt checks, especially SPF,
     # which would incorrectly get denied.
-    i /etc/exim4/host_local_deny_exceptions <<'EOF'
+    u /etc/exim4/host_local_deny_exceptions <<'EOF'
 mail.fsf.org
 *.posteo.de
 EOF
@@ -2963,7 +2963,7 @@ EOF
     # case that doesn't work, we still want to accept that mail, but not
     # from any host except the smarthosts. local_hostnames and this rule
     # is for that purpose.
-    i /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
+    u /etc/exim4/conf.d/rcpt_local_acl <<'EOF'
 deny
   !authenticated = *
   domains = +local_hostnames
@@ -2982,7 +2982,7 @@ MAILDIR_HOME_MAILDIR_LOCATION = /m/md/Sent
 EOF
 
 
-    i /etc/exim4/conf.d/router/186_sentarchive_nn <<'EOF'
+    u /etc/exim4/conf.d/router/186_sentarchive_nn <<'EOF'
 # ian: save a copy of sent mail. i thought of other ways to
 # do this, for example, to only save sent mail that is not sent
 # from my mail client which saves a copy by default, but in the
@@ -3001,7 +3001,7 @@ EOF
     # and also have mail.iankelling.org whitelisted as a relay domain.
     # I could avoid that if I changed this to submit to 587 with a
     # password like a standard mua.
-    i /etc/exim4/conf.d/router/188_exim4-config_smarthost <<'EOF'
+    u /etc/exim4/conf.d/router/188_exim4-config_smarthost <<'EOF'
 # ian: copied from /etc/exim4/conf.d/router/200_exim4-config_primary, and added senders = and
 # replaced DCsmarthost with hostname
 fsfsmarthost:
@@ -3099,7 +3099,7 @@ s,(^[ #]*Provides:).*,\1 exim4in,
 s,(^[ #]*NAME=).*,\1"exim4in",
 EOF
     chmod +x /etc/init.d/exim4in
-    i /etc/systemd/system/exim4in.service.d/alwaysrestart.conf <<'EOF'
+    u /etc/systemd/system/exim4in.service.d/alwaysrestart.conf <<'EOF'
 [Unit]
 # needed to continually restart
 StartLimitIntervalSec=0
@@ -3110,7 +3110,7 @@ Restart=always
 RestartSec=20
 EOF
 
-    i /etc/default/exim4in <<'EOF'
+    u /etc/default/exim4in <<'EOF'
 # defaults but no queue runner and alternate config dir
 QUEUERUNNER='no'
 COMMONOPTIONS='-oP /run/exim4/eximin.pid'
@@ -3161,7 +3161,7 @@ EOF
     fi
 
     # catches things like cronjob email
-    i /etc/exim4/conf.d/router/880_universal_forward <<'EOF'
+    u /etc/exim4/conf.d/router/880_universal_forward <<'EOF'
 universal_forward:
   driver = redirect
   domains = +local_domains
@@ -3186,7 +3186,7 @@ EOF
       if [[ -e /bu/md/cur && $(stat -c %u /bu/md/cur) == 1000 ]]; then
         chown -R Debian-exim:Debian-exim /bu/md
       fi
-      i /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
+      u /etc/exim4/conf.d/transport/30_backup_maildir <<EOF
 # modified debian maildir transport
 backup_maildir:
   driver = appendfile
@@ -3199,7 +3199,7 @@ backup_maildir:
   mode_fail_narrower = false
 EOF
 
-      i /etc/exim4/conf.d/router/165_backup_local <<'EOF'
+      u /etc/exim4/conf.d/router/165_backup_local <<'EOF'
 ### router/900_exim4-config_local_user
 #################################
 
@@ -3218,7 +3218,7 @@ dc_local_interfaces='127.0.0.1;::1;$wgholeip'
 EOF
 
       # wghole & thus exim will fail to start without internet connectivity.
-      i /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
+      u /etc/systemd/system/exim4.service.d/backup.conf <<'EOF'
 [Unit]
 StartLimitIntervalSec=0
 
@@ -3311,7 +3311,7 @@ EOF
   $MAIL_HOST)
 
 
-    i /etc/myexim4/conf.d/router/185_sentarchive <<'EOF'
+    u /etc/myexim4/conf.d/router/185_sentarchive <<'EOF'
 sentarchive:
   driver = redirect
   domains = ! +local_domains
@@ -3322,7 +3322,7 @@ sentarchive:
 EOF
 
 
-    i /etc/myexim4/conf.d/router/160_backup_redir <<'EOF'
+    u /etc/myexim4/conf.d/router/160_backup_redir <<'EOF'
 backup_redir:
 driver = redirect
 # i dont email myself from my own machine much, so lets ignore that.
@@ -3363,7 +3363,7 @@ if [[ -e /nocow ]]; then
   if ! grep -Fx "/nocow/exim4  /var/spool/exim4  none  bind  0 0" /etc/fstab; then
     echo "/nocow/exim4  /var/spool/exim4  none  bind  0 0" >>/etc/fstab
   fi
-  i /etc/systemd/system/exim4.service.d/override.conf <<'EOF'
+  u /etc/systemd/system/exim4.service.d/override.conf <<'EOF'
 [Unit]
 # without local-fs on exim, we get these kind of errors in paniclog on shutdown:
 # Failed to create spool file /var/spool/exim4//input//1jCLxz-0008V4-V9-D: Permission denied
@@ -3534,7 +3534,7 @@ case $HOSTNAME in
     # note: cronjob "ian" also does some important monitoring
     # todo: this will sometimes cause an alert because mailtest-check will run
     # before we have setup network namespace and spamassassin
-    i /etc/cron.d/mailtest <<EOF
+    u /etc/cron.d/mailtest <<EOF
 SHELL=/bin/bash
 PATH=/usr/bin:/bin:/usr/local/bin
 MAILTO=daylert@iankelling.org
@@ -3547,7 +3547,7 @@ EOF
 
     m sudo rsync -ahhi --chown=root:root --chmod=0755 \
       /b/ds/mailtest-check /b/ds/check-remote-mailqs /usr/local/bin/
-    i /etc/systemd/system/mailtest-check.service <<'EOF'
+    u /etc/systemd/system/mailtest-check.service <<'EOF'
 [Unit]
 Description=mailtest-check
 After=local-fs.target
@@ -3596,7 +3596,7 @@ EOF
     # Dont put these test messages into the sent folder or else it will
     # overwhelm it, plus i dont want to save a copy at all.
     # Plus addresses we generally want to ignore.
-    i /etc/exim4/ignore-sent <<EOF
+    u /etc/exim4/ignore-sent <<EOF
 $(printf "%s\n" ${test_tos[@]})
 vojdedIdNejyebni@b8.nz
 b@eximbackup.b8.nz
diff --git a/switch-mail-host b/switch-mail-host
index 0ce2b65..08e74fc 100644
--- a/switch-mail-host
+++ b/switch-mail-host
@@ -196,7 +196,6 @@ e "On $new_host: umounting /m and /o, checking emacs"
   cat <<'EOF'
 set -eE
 if pgrep -G iank -u iank -f 'emacs --daemon' &>/dev/null; then
-  export XDG_RUNTIME_DIR=/run/user/1000
   bufs="$(sudo -u iank emacsclient --eval "$(cat /a/bin/ds/unsaved-buffers.el)"| sed '/^"nil"$/d;s/^"(/E: /;s/)"$//')"
   if [[ $bufs ]]; then
     echo "error: on $HOSTNAME, unsaved emacs files: $bufs" >&2
@@ -218,7 +217,6 @@ EOF
 
 $old_shell bash -s <<'EOF'
 if pgrep -G iank -u iank -f 'emacs --daemon' &>/dev/null; then
-  export XDG_RUNTIME_DIR=/run/user/1000
   bufs="$(sudo -u iank emacsclient --eval "$(cat /a/bin/ds/unsaved-buffers.el)"| sed '/^"nil"$/d;s/^"(/E: /;s/)"$//')"
   if [[ $bufs ]]; then
     echo "error: on $HOSTNAME, unsaved emacs files: $bufs" >&2
-- 
2.30.2