From 4c39892ef8fa3379ce36adbe870723324cb71cea Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Mon, 9 Oct 2017 12:58:45 -0700 Subject: [PATCH] lots of updates --- btrbk-run | 39 ++++++--- check-subvol-stale | 115 +++++++++++++++---------- distro-begin | 3 +- distro-end | 28 ++++++- dynamic-ip-update.sh | 43 +++++++--- fsf-get-mail | 7 +- input-setup | 6 +- lan-dns | 2 + lan-dyn-dns-update | 27 ++++++ mail-route | 15 ++-- mail-setup | 196 ++++++++++++++++++++++++------------------- mount-latest-subvol | 18 ++-- rew | 11 ++- switch-mail-host | 28 ++++--- trusted-network | 13 +++ untrusted-network | 19 +++++ vpn-client-connect | 18 ++++ 17 files changed, 400 insertions(+), 188 deletions(-) create mode 100644 lan-dns create mode 100644 lan-dyn-dns-update create mode 100755 trusted-network create mode 100755 untrusted-network create mode 100755 vpn-client-connect diff --git a/btrbk-run b/btrbk-run index eb8a7b5..4713820 100755 --- a/btrbk-run +++ b/btrbk-run @@ -38,33 +38,40 @@ rsync_mountpoint=/q conf_only=false dry_run=false # mostly for testing resume_arg= +rate_limit=no +verbose=false default_args_file=/etc/btrbk-run.conf if [[ -s $default_args_file ]]; then - echo "$0: warning: options file default options set:" - cat $default_args_file - sleep 5 set -- $(< $default_args_file) "$@" fi -temp=$(getopt -l help hcm:nprt: "$@") || usage 1 +temp=$(getopt -l help cl:m:nprt:vh "$@") || usage 1 eval set -- "$temp" while true; do case $1 in -c) conf_only=true; shift ;; + -l) rate_limit=$2; shift 2 ;; -m) IFS=, mountpoints=($2); unset IFS; shift 2 ;; -n) dry_run=true; dry_run_arg=-n; shift ;; -p) progress_arg="--progress"; shift ;; # btrbk arg: Resume only. Skips snapshot creation. -r) resume_arg=-r; shift ;; -t) IFS=, targets=($2); unset IFS; shift 2 ;; + -v) verbose=true; verbose_arg=-v; shift ;; -h|--help) usage ;; --) shift; break ;; *) echo "$0: Internal error!" ; exit 1 ;; esac done -echo "$0: options: conf_only=$conf_only, dry_run=$dry_run, resume_arg=$resume_arg" +if [[ -s $default_args_file ]]; then + echo "$0: warning: default btrbk-run options set in $default_args_file (sleeping 5 seconds):" + cat $default_args_file + sleep 5 +fi + +echo -e "$0: options: conf_only=$conf_only\ndry_run=$dry_run\nresume_arg=$resume_arg\nrate_limit=$rate_limit\nverbose=$verbose" # set default targets if ! (( ${#targets[@]} )); then @@ -93,8 +100,14 @@ echo "targets: ${targets[*]}" -# set default mountpoints -if ! (( ${#mountpoints[@]} )); then +if (( ${#mountpoints[@]} )); then + for mp in ${mountpoints[@]}; do + if [[ -e /nocow/btrfs-stale/$mp ]]; then + echo "$0: warning: $mp stale. Sleeping for 3 seconds in case you want to cancel." + sleep 3 + fi + done +else # set default mountpoints prospective_mps=(/a /q) if [[ $HOSTNAME == "$MAIL_HOST" ]]; then prospective_mps+=(/o) @@ -105,6 +118,10 @@ if ! (( ${#mountpoints[@]} )); then fi done for mp in ${prospective_mps[@]}; do # default mountpoints to sync + if [[ -e /nocow/btrfs-stale/$mp ]]; then + echo "$0: warning: $mp stale, not adding to default mountpoints" + continue + fi if awk '{print $2}' /etc/fstab | grep -xF $mp &>/dev/null; then mountpoints+=($mp) fi @@ -143,7 +160,7 @@ if ! which btrbk &>/dev/null; then echo "$0: error: no btrbk binary found" fi -cat >/etc/btrbk.conf <<'EOF' +cat >/etc/btrbk.conf < $stale_file + ret=1 + else + rm -f $stale_file + fi + +} + ret=0 for d; do vol=${d##*/} - cd /mnt/root/btrbk - snaps=($vol.20*) # Assumes we are in the 21st century. + dev=$(sed -rn "s,^\s*([^#]\S*)\s+$d\s.*,\1,p" /etc/fstab|head -n1) + subvol_dir=$(sed -rn "s,^\s*[^#]\S*\s+$d\s.*\bsubvol=([a-zA-A/]+).*,\1,p" /etc/fstab|head -n1) + root_dir=$(sed -rn "s,^\s*$dev\s+(\S+).*\bsubvolid=0\b.*,\1,p" /etc/fstab|head -n1) + svp=$root_dir/$subvol_dir # subvolume path + + + + snaps=($root_dir/btrbk/$subvol_dir.20*) # Assumes we are in the 21st century. if [[ ! $snaps ]]; then # no snapshots yet + echo "$0: warning. no snapshots found. this is expected for a brand new volume" continue fi + + # get info on last received sub + last_received_gen=0 + for f in ${snaps[@]}; do + show="$(btrfs sub show $f)" + if echo "$show" | grep -E "Received UUID:\s+[[:alnum:]]" &>/dev/null; then + cgen=$(echo "$show" | sed -rn 's,^\s*Gen at creation:\s+([0-9]+).*,\1,p') + if [[ $cgen -gt $last_received_gen ]]; then + last_received_cgen=$cgen + last_received=$f + fi + fi + done + + # Get last_snap by date. # when a btrbk bugfix makes it into the distro, # we might replace this with btrbk list latest /mnt/root/$vol | ... - # note: this is duplicated in mount-latest-subvol last_snap=$( - for f in ${snaps[@]}; do + for s in ${snaps[@]}; do + f=${s##*/} printf "%s %s\n" $(date -d $(sed -r 's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<${f#$vol.}) +%s) $f done | sort -r | head -n 1 | awk '{print $2}' ) if [[ ! $last_snap ]]; then # should not happen. - echo "$0: error: could not find latest snapshot for $d among ${snaps[@]}" + echo "$0: error: could not find latest snapshot for $svp among ${snaps[*]}" ret=1 continue fi - # check that $d has $last_snap as a snapshot, - # or else $d is a snapshot of $last_snap. In the second - # case, we use a uuid comparison, which if I remember from the - # docs, is a bit more robust, perhaps to renames. - if btrfs sub show $d 2>/dev/null | sed '0,/^\s*Snapshot(s):/d;s/^\s*//' | \ - grep -xF btrbk/$last_snap &>/dev/null; then - stale=false - else - last_snap_uuid=$(btrfs sub show $last_snap| awk '$1 == "UUID:" {print $2}') - if btrfs sub show $d| grep "^\s*Parent UUID:\s*$last_snap_uuid$" &>/dev/null; then - stale=false - fi + if [[ ! -e $svp ]]; then + echo "$0: warning: subvol we want to check does not exist: $svp" + stale-file=$last_snap + stale-file + continue fi - # check if $d is a snapshot of any of the btrbk backups other than the latest - if [[ ! $stale ]]; then - for f in ${snaps[@]}; do - if [[ $f == $last_snap ]]; then continue; fi - uuid=$(btrfs sub show $f| awk '$1 == "UUID:" {print $2}') - if btrfs sub show $d| grep "^\s*Parent UUID:\s*$uuid$" &>/dev/null; then - stale=true - echo "$d stale: it's a snapshot of $f" - break - fi - done - fi - # check if $d generation is later than last_snap - if [[ ! $stale ]]; then - last_snap_gen=$(btrfs sub show $last_snap| awk '$1 == "Generation:" {print $2}') - d_gen=$(btrfs sub show $d| awk '$1 == "Generation:" {print $2}') - if (( d_gen < last_snap_gen )); then + + # if there is a last_received, we can assume stale or fresh if we are newer/older + if [[ $last_received ]]; then + svp_cgen=$(btrfs sub show $svp | sed -rn 's,^\s*Gen at creation:\s+([0-9]+).*,\1,p') + if [[ $svp_cgen -ge $last_received_cgen ]]; then stale=false else - echo "$d stale: it's generation, $d_gen, is earlier than the last snapshot's, $last_snap_gen" + echo "$svp stale: it's gen at creation, $svp_cgen, is earlier than the last received snapshot, $last_received's gen at creation: $last_received_cgen" + freshest_snap=$last_received stale=true fi + stale-file + continue fi - - stale_dir=/nocow/btrfs-stale - stale_file=$stale_dir/$vol - if $stale; then - mkdir -p $stale_dir - printf "%s\n" $last_snap > $stale_file - ret=1 - continue - else - rm -f $stale_file + freshest_snap=$last_snap + stale=true + # fresh if $svp has $last_snap as a snapshot, + if btrfs sub show $svp 2>/dev/null | sed '0,/^\s*Snapshot(s):/d;s/^\s*//' | \ + grep -xF btrbk/$last_snap &>/dev/null; then + stale=false + else # or else $svp is a snapshot of $last_snap. we use a uuid + # comparison, which if I remember from the docs, is a bit more + # robust, perhaps to renames. + last_snap_uuid=$(btrfs sub show $last_snap| awk '$1 == "UUID:" {print $2}') + if btrfs sub show $svp| grep "^\s*Parent UUID:\s*$last_snap_uuid$" &>/dev/null; then + stale=false + fi fi + + stale-file + done exit $ret diff --git a/distro-begin b/distro-begin index 1822afe..dde7c8e 100755 --- a/distro-begin +++ b/distro-begin @@ -155,6 +155,7 @@ if isfedora; then sudo $sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers # turn on magic sysrq commands for this boot cycle echo 1 > sudo dd of=/proc/sys/kernel/sysrq + echo "kernel.sysrq = 1" > /etc/sysctl.d/90-sysrq.conf # selinux is not user friendly. Like, you enable samba, but you haven't run the magic selinux commands so it doesn't work # and you have no idea why. sudo $sed -i 's/^\(SELINUX=\).*/\1disabled/' /etc/selinux/config @@ -176,7 +177,7 @@ esac if linode; then sudo $sed -i '/^127\.0\.1\.1/d' /etc/hosts - echo "127.0.1.1 $HOSTNAME.lan $HOSTNAME" | sudo tee -a /etc/hosts + echo "127.0.1.1 $HOSTNAME.b8.nz $HOSTNAME" | sudo tee -a /etc/hosts fi diff --git a/distro-end b/distro-end index c13ef34..285b25c 100755 --- a/distro-end +++ b/distro-end @@ -61,6 +61,8 @@ case $HOSTNAME in # universal packages # swh-plugins is for karaoke pulsaudio filter. # mutagen for pithos + # guvcview set webcam brightness to highest + # pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts simple_packages+=( apache2 apache2-doc @@ -77,6 +79,7 @@ case $HOSTNAME in chromium cpio-doc cloc + cpulimit cron debconf-doc dirmngr @@ -102,6 +105,7 @@ case $HOSTNAME in goaccess gnome-screenshot gnome-session-flashback + guvcview i3lock inetutils-traceroute iproute2-doc @@ -130,6 +134,7 @@ case $HOSTNAME in perl-doc pianobar pidgin + pidgin-otr pry python-autopep8 python3-doc @@ -146,6 +151,7 @@ case $HOSTNAME in transmission-remote-gtk vlc whois + wondershaper ) spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') ;; @@ -609,6 +615,26 @@ esac ########### end section including li/lj ############### if [[ $HOSTNAME == treetowl ]]; then + + # vpn-server setup via: + + vpn-server-setup -r -d + s tee -a /etc/openvpn/server/server.conf <<'EOF' +push "dhcp-option DNS 192.168.1.1" +push "route 192.168.1.0 255.255.255.0" +client-connect /a/bin/distro-setup/vpn-client-connect +EOF + s sed -i --follow-symlinks 's/10.8./10.9./g' /etc/openvpn/server/server.conf + ser restart openvpn-server@server + vpn-mk-client-cert -s /etc/update-resolv-conf-home -c x2 -n home b8.nz + dir=/p/c/machine_specific/x2/filesystem/etc/openvpn/client + mkdir -p $dir + # background: We have these files locally, but we\'d have to duplicate the logic + # in vpn-mk-client-cert to get them, and this is just simpler. + scp root@x2:/etc/openvpn/client/home* $dir + + + # note, see bashrc for more documentation. pi rss2email s dd of=/etc/systemd/system/rss2email.service <<'EOF' @@ -933,7 +959,7 @@ EOF "profiles" : [ { "profile-name" : "Default", - "hostname" : "transmission", + "hostname" : "transmission.b8.nz", "rpc-url-path" : "/transmission/rpc", "username" : "", "password" : "$rpc_pass", diff --git a/dynamic-ip-update.sh b/dynamic-ip-update.sh index 42dab1f..e49ff31 100755 --- a/dynamic-ip-update.sh +++ b/dynamic-ip-update.sh @@ -22,19 +22,36 @@ update add *.iank.life. 300 A $ip show send EOF -fi -# persistent initial setup for this: -#mkc /p/c/machine_specific/li/filesystem/etc/bind -#s dnssec-keygen -a HMAC-MD5 -b 512 -n HOST iank.life -#s chown ian:ian * - -f=key.iank.life -cat >$f <$f </tmp/fsfsieve.log +sieve-filter -eW -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf.sieve INBOX &>/tmp/fsfsieve.log + + +# to test new rules, update fsf-test.sieve, run these commands, then copy new fsf-test.sieve to fsf.sieve +# sieve-filter -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf-test.sieve INBOX &>/tmp/testfsfsieve.log +# sed -rn '/^Performed actions:/{n;n;p}' /tmp/testfsfsieve.log | sort -u diff --git a/input-setup b/input-setup index 6ec672c..4e2e66b 100755 --- a/input-setup +++ b/input-setup @@ -15,12 +15,12 @@ set -x # limitations under the License. # set to oppsite if the order is flipped. -k2flip=false +k2flip=true if $k2flip; then -k2inorder=false + k2inorder=false else k2inorder=true - fi +fi case $HOSTNAME in x2|tp) type=laptop ;; diff --git a/lan-dns b/lan-dns new file mode 100644 index 0000000..9913d4d --- /dev/null +++ b/lan-dns @@ -0,0 +1,2 @@ +192.168.1.5 x2 +192.168.1.8 tp diff --git a/lan-dyn-dns-update b/lan-dyn-dns-update new file mode 100644 index 0000000..206fa7a --- /dev/null +++ b/lan-dyn-dns-update @@ -0,0 +1,27 @@ +#!/bin/bash + +# usage: I run this script on a timer to correct the dns on wrt for +# clients where dns is updated dynamically by openvpn, in the case that +# openvpn crashes or the computer running openvpn crashes. + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR + +x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file + +while read -r ip host; do + found=false + is_connected="grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log" + if $is_connected; then continue; fi + if ! grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log; then + cd $(mktemp -d); dir=$PWD + ssh wrt tar -C /etc -c hosts | tar -x + if grep -qFx "$ip $host" hosts; then continue; fi + # openvpn udpates its status file every 60 seconds by default + if (( $(stat -c%Y hosts) > $(( $(date +%s) + 60 )) )); then + sleep 60 + if $is_connected; then continue; fi + fi + ssh root@wrt.b8.nz cedit ovpn-$host <<<"$ip $host" || [[ $? == 1 ]] + fi +done /etc/systemd/system/mailroute.service <<'EOF' @@ -479,19 +481,121 @@ LOCAL_DELIVERY = dovecot_lmtp # options exim has to avoid having to alter the default config files CHECK_RCPT_LOCAL_ACL_FILE = /etc/exim4/rcpt_local_acl CHECK_DATA_LOCAL_ACL_FILE = /etc/exim4/data_local_acl + +# debian exim config added this in 2016 or so? +# it's part of the smtp spec, to limit lines to 998 chars +# but a fair amount of legit mail does not adhere to it. I don't think +# this should be default, like it says in +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828801 +# todo: the bug for introducing this was about headers, but +# the fix maybe is for all lines? one says gmail rejects, the +# other says gmail does not reject. figure out and open a new bug. +IGNORE_SMTP_LINE_LENGTH_LIMIT = true +EOF + + + ####### begin dovecot setup ######## + # based on a little google and package search, just the dovecot + # packages we need instead of dovecot-common. + # + # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir + # directly. The reason to do this is to use dovecot\'s sieve, which + # has extensions that allow it to be almost equivalent to exim\'s + # filter capabilities, some ways probably better, some worse, and + # sieve has the benefit of being supported in postfix and + # proprietary/weird environments, so there is more examples on the + # internet. I was torn about whether to do this or not, meh. + apt-get -y install --purge --auto-remove \ + dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd + + # if we changed 90-sieve.conf and removed the active part of the + # sieve option, we wouldn\'t need this, but I\'d rather not modify a + # default config if not needed. This won\'t work as a symlink in /a/c + # unfortunately. + sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve + + sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF' +1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX +/^\s*mail_location\s*=/d +EOF + + cat >/etc/dovecot/conf.d/20-lmtp.conf <<'EOF' +protocol lmtp { +#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration + mail_plugins = $mail_plugins sieve +# default was + #mail_plugins = $mail_plugins + +# For a normal setup with exim, we need something like this, which +# removes the domain part +# auth_username_format = %Ln +# +# or else # Exim says something like +# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain" +# Dovecot verbose log says something like +# "auth-worker(9048): passwd(someuser@somedomain): unknown user" +# reference: http://wiki.dovecot.org/LMTP/Exim +# +# However, I use this to direct all mail to the same inbox. +# A normal way to do this, which I did at first is to have +# a router in exim almost at the end, eg 950, +#local_catchall: +# debug_print = "R: catchall for $local_part@$domain" +# driver = redirect +# domains = +local_domains +# data = ian +# based on +# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/ +# with superflous options removed. +# However, this causes the envelope to be rewritten, +# which makes filtering into mailboxes a little less robust or more complicated, +# so I've done it this way instead. it also requires +# modifying the local router in exim. + auth_username_format = ian +} + +EOF + + + cat >/etc/dovecot/local.conf <<'EOF' +# so I can use a different login that my shell login for mail. this is +# worth doing solely for the reason that if this login is compromised, +# it won't also compromise my shell password. +!include conf.d/auth-passwdfile.conf.ext + +# settings derived from wiki and 10-ssl.conf +ssl = required +ssl_cert = /dev/null ||: systemctl stop offlineimapsync.timer &>/dev/null ||: systemctl disable openvpn-client@mail systemctl stop openvpn-client@mail + systemctl disable dovecot ||: + systemctl stop dovecot ||: # # # would only exist because I wrote it i the previous condition, @@ -536,6 +640,9 @@ Description=spamd dns bug fix cronjob Type=oneshot ExecStart=/a/bin/distro-setup/spamd-dns-fix EOF + # 2017-09, debian closed the bug on this saying upstream had fixed it. + # remove this when i'm using the newer package, ie, debian 10, or maybe + # ubuntu 18.04. cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' [Unit] Description=run spamd bug fix script every 10 minutes @@ -603,94 +710,7 @@ EOF systemctl enable mailcert.timer - ####### begin dovecot setup ######## - if [[ $HOSTNAME == $MAIL_HOST ]]; then - # based on a little google and package search, just the dovecot - # packages we need instead of dovecot-common. - # - # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir - # directly. The reason to do this is to use dovecot\'s sieve, which - # has extensions that allow it to be almost equivalent to exim\'s - # filter capabilities, some ways probably better, some worse, and - # sieve has the benefit of being supported in postfix and - # proprietary/weird environments, so there is more examples on the - # internet. I was torn about whether to do this or not, meh. - apt-get -y install --purge --auto-remove \ - dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd - - # if we changed 90-sieve.conf and removed the active part of the - # sieve option, we wouldn\'t need this, but I\'d rather not modify a - # default config if not needed. This won\'t work as a symlink in /a/c - # unfortunately. - sudo -u $postmaster /a/exe/lnf -T sieve/main.sieve $(eval echo ~$postmaster)/.dovecot.sieve - - sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF' -1i mail_location = maildir:/m/md:LAYOUT=fs:INBOX=/m/md/INBOX -/^\s*mail_location\s*=/d -EOF - - cat >/etc/dovecot/conf.d/20-lmtp.conf <<'EOF' -protocol lmtp { -#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration - mail_plugins = $mail_plugins sieve -# default was - #mail_plugins = $mail_plugins - -# For a normal setup with exim, we need something like this, which -# removes the domain part -# auth_username_format = %Ln -# -# or else # Exim says something like -# "LMTP error after RCPT ... 550 ... User doesn't exist someuser@somedomain" -# Dovecot verbose log says something like -# "auth-worker(9048): passwd(someuser@somedomain): unknown user" -# reference: http://wiki.dovecot.org/LMTP/Exim -# -# However, I use this to direct all mail to the same inbox. -# A normal way to do this, which I did at first is to have -# a router in exim almost at the end, eg 950, -#local_catchall: -# debug_print = "R: catchall for $local_part@$domain" -# driver = redirect -# domains = +local_domains -# data = ian -# based on -# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/ -# with superflous options removed. -# However, this causes the envelope to be rewritten, -# which makes filtering into mailboxes a little less robust or more complicated, -# so I've done it this way instead. it also requires -# modifying the local router in exim. - auth_username_format = ian -} - -EOF - - - cat >/etc/dovecot/local.conf <<'EOF' -# so I can use a different login that my shell login for mail. this is -# worth doing solely for the reason that if this login is compromised, -# it won't also compromise my shell password. -!include conf.d/auth-passwdfile.conf.ext - -# settings derived from wiki and 10-ssl.conf -ssl = required -ssl_cert = &2' ERR + +p="$(lsof -i tcp:31416 -Fp -a -c java | sed -rn 's/^p//p')" ||: if [[ $p ]]; then kill $p fi -cd /a/opt/gnirehtet + +# so we don't hold open the /a fs +sudo rsync -r --delete /a/opt/gnirehtet /opt +cd /opt/gnirehtet ./gnirehtet rt &>/tmp/rt & # note, to kill it, you need to also kill # lsof -i tcp:31416 diff --git a/switch-mail-host b/switch-mail-host index 40cb817..c74c54a 100755 --- a/switch-mail-host +++ b/switch-mail-host @@ -37,15 +37,15 @@ fi if [[ $new_host == "$HOSTNAME" ]]; then localhost_new=true - new_shell="ssh $new_host" + new_shell= else localhost_new=false - new_shell= + new_shell="ssh $new_host" fi -old_shell= +old_shell="ssh $old_host" if [[ $old_host == "$HOSTNAME" ]]; then - old_shell="ssh $old_host" + old_shell= fi if [[ ! $new_host || ! $old_host ]]; then @@ -54,7 +54,7 @@ if [[ ! $new_host || ! $old_host ]]; then fi at_home=false -if [[ $HOSTNAME == treetowl ]] || [[ $HOSTNAME == frodo ]] || timeout -s 9 5 ssh wrt.lan :; then +if [[ $HOSTNAME == treetowl ]] || [[ $HOSTNAME == frodo ]] || timeout -s 9 5 ssh wrt.b8.nz :; then at_home=true fi echo "$0: at_home = $at_home" @@ -74,15 +74,19 @@ fi # because our port forward is not robust enough, we can't use proxy command, -# todo: just open an ssh port to the world on wrt.lan +# todo: setup vpn so this is all taken care of. if ! $at_home; then - wrt_shell="ssh $HOME_DOMAIN ssh wrt.lan" + if [[ $old_host == iank.vpn.office.fsf.org || $new_host == iank.vpn.office.fsf.org ]]; then + wrt_shell="ssh iank.vpn.office.fsf.org ssh wrt.b8.nz" + else + wrt_shell="ssh $HOME_DOMAIN ssh wrt.b8.nz" + fi else - wrt_shell="ssh wrt.lan" + wrt_shell="ssh wrt.b8.nz" fi btrbk_test="systemctl is-active btrbk.service" -while ! $new_shell $btrbk_test || $old_shell $btrbk_test; do +while $new_shell $btrbk_test || $old_shell $btrbk_test; do echo "$0: btrbk is running on new or old host. sleeping for 8 seconds" sleep 6 echo "$0: testing for btrbk activity in 2 seconds" @@ -114,8 +118,8 @@ if [[ $new_host == $HOSTNAME ]] && ! $at_home; then echo | $wrt_shell cedit mail_host /etc/hosts || [[ $? == 1 ]] # 1 means file changed. else $wrt_shell bash -s <&2' ERR + +[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" + +# Usage: run when switching from an untrusted network like public wifi +# to a trusted one. + +rm -f /etc/dnsmasq.d/untrusted-network.conf + +systemctl reload dnsmasq diff --git a/untrusted-network b/untrusted-network new file mode 100755 index 0000000..8fc3d7b --- /dev/null +++ b/untrusted-network @@ -0,0 +1,19 @@ +#!/bin/bash + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR + +[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" + +# Usage: use when switching from a trusted network to an untrusted one, +# like public wifi. + +cat >/etc/dnsmasq.d/untrusted-network.conf <<'EOF' +server=8.8.4.4 +server=8.8.8.8 +server=2001:4860:4860::8844 +server=2001:4860:4860::8888 +no-resolv +EOF + +systemctl reload dnsmasq diff --git a/vpn-client-connect b/vpn-client-connect new file mode 100755 index 0000000..8c6cebe --- /dev/null +++ b/vpn-client-connect @@ -0,0 +1,18 @@ +#!/bin/bash + +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR + +x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file + +# see lan-dyn-dns-update. this is the corresponding script for on connect/disconnect from vpn + +d=/p/ovpn-ssh +ssh_cmd="ssh -F$d/.config -i$d/id_rsa root@wrt.b8.nz cedit ovpn-$X509_0_CN /etc/hosts" +case $script_type in + client-connect) $ssh_cmd <<<"$ifconfig_pool_remote_ip $X509_0_CN"|| [[ $? == 1 ]] + ;; + client-disconnect) + $ssh_cmd <<<$(grep -F $X509_0_CN lan-dns) || [[ $? == 1 ]] + ;; +esac -- 2.30.2