From 6459d4698ef983f7b1540589b87013c76913393d Mon Sep 17 00:00:00 2001
From: Ian Kelling <ian@iankelling.org>
Date: Sun, 11 Aug 2019 19:44:27 -0400
Subject: [PATCH] changes for buster linode

---
 brc                                     |  13 +-
 btrbk-run                               |   2 +-
 certbot-renew-hook                      |   4 +
 checkrestart-blacklist                  |   1 -
 conflink                                |   6 +-
 disabled/docker                         |  24 +
 disabled/mastodon                       | 128 +++++
 disabled/pump.io                        | 107 +++++
 distro-begin                            | 286 +++++------
 distro-end                              | 604 +++++++-----------------
 dynamic-ip-update                       |   9 +-
 filesystem/etc/ansible/hosts            |   4 +-
 filesystem/usr/local/bin/mycheckrestart |   7 +-
 filesystem/usr/local/bin/myupgrade      |   6 +-
 keyscript-off                           |   2 +-
 keyscript-on                            |  28 +-
 mail-setup                              |  26 +-
 pkgs                                    |  11 +-
 rootsshsync                             |  12 +-
 switch-mail-host                        |   4 +-
 vpn-mail-forward                        |   8 +-
 21 files changed, 648 insertions(+), 644 deletions(-)
 delete mode 100644 checkrestart-blacklist
 create mode 100644 disabled/docker
 create mode 100644 disabled/mastodon
 create mode 100644 disabled/pump.io

diff --git a/brc b/brc
index 5df2c27..9fff367 100644
--- a/brc
+++ b/brc
@@ -426,6 +426,14 @@ bpush() {
   install-my-scripts
   switch-mail-host $HOSTNAME $1
 }
+lipush() {
+  rsync $@ --delete-excluded -ahviSAXPH --specials --devices --delete --relative \
+        --exclude-from=/p/c/li-rsync-excludes /a/bin /a/exe /a/h /a/c /p/c/machine_specific/li /a/opt/{emacs,emacs-debianstable,mu} root@li:/
+}
+lipushnoe() {
+  rsync $@ --delete-excluded -ahviSAXPH --specials --devices --delete --relative \
+        --exclude-from=/p/c/li-rsync-excludes /a/bin /a/exe /a/h /a/c /p/c/machine_specific/li  root@li:/
+}
 
 
 btc() {
@@ -1554,7 +1562,7 @@ rspicy() { # usage: HOST DOMAIN
 sudo virsh dumpxml $2|grep "<graphics.*type='spice'" | \
        sed -rn "s/.*port='([0-9]+).*/\1/p"
 EOF
-        )
+      )
   if [[ $port ]]; then
     spicy -h $1 -p $port
   else
@@ -1944,7 +1952,8 @@ tu() {
   if [[ -e $1 && ! -w $1 || ! -w $(dirname "$1") ]]; then
     s=s;
   fi
-  $s teeu "$@"
+  # full path for using in some initial setup steps
+  $s /a/exe/teeu "$@"
 }
 
 tx() { # toggle set -x, and the prompt so it doesnt spam
diff --git a/btrbk-run b/btrbk-run
index 48550db..f964f6c 100644
--- a/btrbk-run
+++ b/btrbk-run
@@ -44,7 +44,7 @@ rsync-dirs() {
 
 pre="${0##*/}: "
 m() { if $verbose; then printf "$pre%s\n"  "$*"; fi;  "$@"; }
-e() { printf "$pre%s\n"  "$*"; "$@"; }
+e() { printf "$pre%s\n"  "$*"; }
 die() { printf "$pre%s\n" "$*" >&2;  exit 1; }
 
 # latest $MAIL_HOST
diff --git a/certbot-renew-hook b/certbot-renew-hook
index 9725594..ba1e68d 100755
--- a/certbot-renew-hook
+++ b/certbot-renew-hook
@@ -31,3 +31,7 @@ for ((i=0; i<${#domain_user[@]}; i+=2)); do
         exit 0
     fi
 done
+
+if [[ $RENEWED_LINEAGE == /etc/letsencrypt/live/iankelling.org ]]; then
+  cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
+fi
diff --git a/checkrestart-blacklist b/checkrestart-blacklist
deleted file mode 100644
index c168beb..0000000
--- a/checkrestart-blacklist
+++ /dev/null
@@ -1 +0,0 @@
-/m/.*
\ No newline at end of file
diff --git a/conflink b/conflink
index bb5d480..bbe1312 100755
--- a/conflink
+++ b/conflink
@@ -64,7 +64,7 @@ common-file-setup() {
 }
 
 user=$(id -un)
-all_dirs=({/a/c,/p/c}{,/machine_specific/$HOSTNAME})
+all_dirs=({/a/bin/ds,/p/c}{,/machine_specific/$HOSTNAME})
 # note, we assume a group of hosts does not have the
 # same name as a single host, which is no problem on our scale.
 for x in /p/c/machine_specific/*.hosts /a/bin/ds/machine_specific/*.hosts; do
@@ -113,7 +113,9 @@ case $user in
 
     ##### end special extra stuff #####
 
-    sudo bash -c 'shopt -s nullglob; cd /etc/openvpn; for f in client/* server/*; do ln -sf $f .; done'
+    if [[ -e /etc/openvpn ]]; then
+      sudo bash -c 'shopt -s nullglob && cd /etc/openvpn && for f in client/* server/*; do ln -sf $f .; done'
+    fi
 
     m sudo -H -u user2 "${BASH_SOURCE[0]}"
     ;;
diff --git a/disabled/docker b/disabled/docker
new file mode 100644
index 0000000..bd9d198
--- /dev/null
+++ b/disabled/docker
@@ -0,0 +1,24 @@
+
+### begin docker install ####
+if isdeb; then
+  # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+  pi  software-properties-common apt-transport-https
+  curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
+  url=https://download.docker.com/linux/$(distro-name-compat)
+  l="deb [arch=amd64] $url $codename_compat stable"
+
+  if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
+    sudo add-apt-repository "$l"
+    p update
+  fi
+  # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless
+  # we really need it.
+  pi-nostart docker-ce
+  # and docker is even more crap, it ignores that it shouldnt start
+  ser stop docker
+  ser disable docker
+  case $HOSTNAME in
+    li|lj)  sgo docker ;;
+  esac
+fi
+###  end docker install ####
diff --git a/disabled/mastodon b/disabled/mastodon
new file mode 100644
index 0000000..78b08f8
--- /dev/null
+++ b/disabled/mastodon
@@ -0,0 +1,128 @@
+    ############# begin setup mastodon ##############
+
+    # main doc is Docker-Guide.md in docs repo
+
+    # I'd like to try gnu social just cuz of gnu, but it's not being
+    # well maintained, for example, simple pull requests
+    # languishing:
+    # https://git.gnu.io/gnu/gnu-social/merge_requests/143
+    # and I submitted my own bugs, basic docs are broken
+    # https://git.gnu.io/gnu/gnu-social/issues/269
+
+    # note, docker required, but we installed it earlier
+
+    # i subscrubed to https://github.com/docker/compose/releases.atom
+    # to see release notes.
+    # i had some problems upgrading. blew things away with
+    # docker-compose down
+    # docker rmi $(docker images -q)
+    # s reboot now
+    # when running docker-compose run, kernel stack traces are printed to the journal.
+    # things seem to succeed, google says nothing, so ignoring them.
+    curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-$(uname -s)-$(uname -m) | s dd of=/usr/local/bin/docker-compose
+    s chmod +x /usr/local/bin/docker-compose
+
+
+    cd ~
+    s rm -rf mastodon
+    i clone https://github.com/tootsuite/mastodon
+    cd mastodon
+    # subbed to atom feed to deal with updates
+    git checkout $(git tag | grep -v rc | tail -n1)
+
+    # per instructions, uncomment redis/postgres persistence in docker-compose.yml
+    sed -i 's/^#//' docker-compose.yml
+
+    cat >.env.production <<'EOF'
+REDIS_HOST=redis
+REDIS_PORT=6379
+DB_HOST=db
+DB_USER=postgres
+DB_NAME=postgres
+DB_PASS=
+DB_PORT=5432
+
+LOCAL_DOMAIN=mast.iankelling.org
+LOCAL_HTTPS=true
+
+SINGLE_USER_MODE=true
+
+SMTP_SERVER=mail.iankelling.org
+SMTP_PORT=25
+SMTP_LOGIN=li
+SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
+SMTP_DOMAIN=mast.iankelling.org
+SMTP_DELIVERY_METHOD=smtp
+EOF
+
+    for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
+      # 1 minute 7 seconds to run this docker command
+      # to generate a secret, and it has ^M chars at the end. wtf. really dumb
+      printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production
+    done
+    found=false
+    while read -r domain _ pass; do
+      if [[ $domain == mail.iankelling.org ]]; then
+        found=true
+        # remove the username part
+        pass="${pass#*:}"
+        printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production
+        break
+      fi
+    done < <(s cat /etc/mailpass)
+    if ! $found; then
+      echo "$0: error, failed to find mailpass domain for mastadon"
+      exit 1
+    fi
+
+    # docker compose makes an interface named like br-8f3e208558f2. we need mail to
+    # get routed to us.
+    if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then
+      s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25
+    fi
+
+    docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production
+    logq docker-compose run --rm web rake db:migrate
+    docker-compose run --rm web rails assets:precompile
+
+    # avatar failed to upload, did
+    # docker logs mastodon_web_1
+    # google lead me to this
+    s chown -R 991:991 public/system
+
+    # docker daemon takes care of starting on boot.
+    docker-compose up -d
+
+    s a2enmod proxy_wstunnel headers
+    web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
+   ProxyPreserveHost On
+   RequestHeader set X-Forwarded-Proto "https"
+   ProxyPass /500.html !
+   ProxyPass /oops.png !
+   ProxyPass /api/v1/streaming/ ws://localhost:4000/
+   ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
+   ErrorDocument 500 /500.html
+   ErrorDocument 501 /500.html
+   ErrorDocument 502 /500.html
+   ErrorDocument 503 /500.html
+   ErrorDocument 504 /500.html
+EOF
+
+
+    ############### !!!!!!!!!!!!!!!!!
+    ############### manual steps:
+
+    # only following a few people atm, so not bothering to figure out backups
+    # when mastodon has not documented it at all.
+    #
+    # fsf@status.fsf.org
+    # cwebber@toot.cat
+    # dbd@status.fsf.org
+    # johns@status.fsf.org
+
+    # sign in page is at https://mast.iankelling.org/auth/sign_in
+    # register as iank, then
+    # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
+    # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
+
+    ############# end setup mastodon ##############
diff --git a/disabled/pump.io b/disabled/pump.io
new file mode 100644
index 0000000..ebb10b9
--- /dev/null
+++ b/disabled/pump.io
@@ -0,0 +1,107 @@
+    ########## begin pump.io setup ##########
+
+    # once pump adds a logrotation script, turn off nologger,
+    # and add
+    #        "logfile": "/var/log/pumpio/pumpio.log",
+    #
+    s dd of=/etc/pump.io.json <<'EOF'
+{
+    "secret":  "SECRET_REPLACE_ME",
+    "driver":  "mongodb",
+    "params":  { "dbname": "pumpio" },
+    "noweb":  false,
+    "site":  "pump.iankelling.org",
+    "owner":  "Ian Kelling",
+    "ownerURL":  "https://iankelling.org/",
+    "port":  8001,
+    "urlPort": 443,
+    "hostname":  "pump.iankelling.org",
+    "nologger": true,
+    "datadir": "/home/pumpio/pumpdata",
+    "enableUploads": true,
+    "debugClient": false,
+    "disableRegistration": true,
+    "noCDN": true,
+    "key": "/home/pumpio/privkey.pem",
+    "cert": "/home/pumpio/fullchain.pem",
+    "address":  "localhost",
+    "sockjs": false
+}
+EOF
+    s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
+
+    # stretch node is too old
+    # https://nodejs.org/en/download/package-manager/
+    curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
+    pi nodejs graphicsmagick mongodb
+    cd /home/iank
+    if [[ -e pump.io ]]; then
+      cd pump.io
+      git pull
+    else
+      git clone https://github.com/pump-io/pump.io.git
+      cd pump.io
+    fi
+    # note: these 2 commands seem
+    # note: doing this or the npm install pump.io as root had problems.
+    npm install
+    npm run build
+    # normally, next command would be
+    # s npm install -g   odb
+    # but it\'s this until a bug in pump gets fixed
+    # https://github.com/pump-io/pump.io/issues/1287
+    s npm install -g databank-mongodb@0.19.2
+    if ! getent passwd pumpio &>/dev/null; then
+      s useradd -Um -s /bin/false pumpio
+    fi
+    sudo -u pumpio mkdir -p /home/pumpio/pumpdata
+    # for testing browser when only listening to localhost,
+    # in the pump.io.json, set hostname localhost, urlPort 5233
+    #ssh -L 5233:localhost:5233 li
+
+    s mkdir -p /var/log/pumpio/
+    s chown pumpio:pumpio /var/log/pumpio/
+
+    web-conf - apache2 pump.iankelling.org <<'EOF'
+# currently a bug in pump that we cant terminate ssl
+         SSLProxyEngine On
+         ProxyPreserveHost On
+         ProxyPass /  https://127.0.0.1:8001/
+         ProxyPassReverse /  https://127.0.0.1:8001/
+         # i have sockjs disabled per people suggesting that
+         # it won\'t work with apache right now.
+         # not sure if it would work with this,
+         # but afaik, this is pointless atm.
+         <Location /main/realtime/sockjs/>
+             ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
+             ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
+         </Location>
+EOF
+
+    sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
+
+    s dd of=/etc/systemd/system/pump.service <<'EOF'
+[Unit]
+Description=pump.io
+After=syslog.target network.target mongodb.service
+Requires=mongodb.service
+
+[Service]
+Type=simple
+User=pumpio
+Group=pumpio
+ExecStart=/home/iank/pump.io/bin/pump
+Environment=NODE_ENV=production
+# failed to find databank-mongodb without this.
+# I just looked at my environment variables took a guess.
+Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
+
+[Install]
+WantedBy=multi-user.target
+EOF
+    ser daemon-reload
+    sgo pump
+    ########## end pump.io setup ############
diff --git a/distro-begin b/distro-begin
index 633e8d1..b2b21f7 100755
--- a/distro-begin
+++ b/distro-begin
@@ -14,7 +14,8 @@
 # limitations under the License.
 
 # for setting up a new machine
-# usage: $0 [-r] HOSTNAME
+# usage: $0 [-r] [HOSTNAME]
+# HOSTNAME changes the machine's hostname
 
 # tips:
 # run any sudo command first so your pass is cached
@@ -35,6 +36,7 @@ if ! $interactive; then
   set -x
 fi
 source /a/bin/errhandle/err
+source /a/bin/distro-functions/src/package-manager-abstractions
 
 ### setup logging
 exec &> >(sudo tee -a /var/log/distro-begin)
@@ -54,9 +56,11 @@ fi
 
 ### arg parsing
 recompile=false
+emacs=true
 while [[ $1 == -* ]]; do
   case $1 in
     -r) recompile=true; shift ;;
+    -e) emacs=false; shift ;;
   esac
 done
 if [[ $1 ]]; then
@@ -71,17 +75,19 @@ source $script_dir/pkgs
 set +x
 source /a/bin/distro-functions/src/identify-distros
 $interactive || set -x
-for f in iank-dev htpc kd x2 x3 frodo tp li lj demohost kw fz; do
+for f in kd x2 x3 frodo tp li lj demohost kw; do
   eval "$f() { [[ $HOSTNAME == $f ]]; }"
 done
 codename=$(debian-codename)
-has_wayland() { [[ $codename == buster ]]; }
-has_x() { [[ $codename != buster ]]; }
+has_wayland() { has_monitor && [[ $codename == buster ]]; }
+has_x() { has_monitor && [[ $codename != buster ]]; }
 has_monitor() { ! linode ; }
 linode() { lj || li; }
+# linode actually has btrfs now, but we dont do anything with it.
 has_btrfs() { ! linode; }
-home_network() { ! linode; }
-encrypted() { has_p; }
+home_network() { ! linode && ! kw; }
+has_p() { ! linode; }
+encrypted() { true; }
 shopt -s extglob
 export GLOBIGNORE="*/.:*/.."
 umask 022
@@ -138,14 +144,24 @@ EOF
   sudo systemctl enable keyscriptoff.service
   sudo systemctl start keyscriptoff.service
 
+  pi rsync
+
   # from /usr/share/doc/dropbear-initramfs/README.initramfs.gz
+  tmp=$(mktemp)
   while read -r m _; do /sbin/modinfo -F filename "$m"; done </proc/modules | \
     sed -nr "s@^/lib/modules/$(uname -r)/kernel/drivers/net(/.*)?/([^/]+)\.ko\$@\2@p" \
-    | sudo dd of=/etc/initramfs-tools/modules
-  sudo apt-get -y install initramfs-tools-core
+    | sudo dd of=$tmp
+  if ! diff -q /etc/initramfs-tools/modules $tmp &>/dev/null; then
+    sudo dd if=$tmp of=/etc/initramfs-tools/modules
+    sudo /usr/sbin update-initramfs -u -k all
+  fi
   # initram auth keys get setup with rootsshsync
+  $script_dir/rootsshsync
   # then for remote unlock, ssh and do this once per crypt disk:
   # echo -n PASS >/lib/cryptsetup/passfifo
+  # or for buster+
+  # cryptroot-unlock
+
 fi
 ##### end setup encryption scripts ######
 
@@ -155,19 +171,6 @@ fi
 
 # todo, it would be nice to cut down on some of the output
 
-##### fedora prereq/fundamental settings
-if isfedora; then
-  # comment out line disallowing calling sudo in scripts
-  sudo $sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers
-  # turn on magic sysrq commands
-  echo 1 > sudo dd of=/proc/sys/kernel/sysrq
-  echo "kernel.sysrq = 1" > /etc/sysctl.d/90-sysrq.conf
-  # selinux is not user friendly. Like, you enable samba, but you haven't run the magic selinux commands so it doesn't work
-  # and you have no idea why.
-  sudo $sed -i 's/^\(SELINUX=\).*/\1disabled/' /etc/selinux/config
-  selinuxenabled && sudo setenforce 0
-fi
-
 
 #### rerun my fai-time scripts
 # already ran for pxe installs, but used for vps & updates
@@ -183,6 +186,10 @@ case $distro in
 esac
 
 ###### setup hostname
+if [[ $HOSTNAME != $(cat /etc/hostname) ]]; then
+  echo $HOSTNAME > /etc/hostname
+  hostname -F /etc/hostname
+fi
 sudo $sed -i '/^127\.0\.1\.1/d' /etc/hosts
 echo "127.0.1.1 $HOSTNAME.b8.nz $HOSTNAME" | sudo tee -a /etc/hosts
 
@@ -221,16 +228,20 @@ $interactive || set -x
 
 
 #### setup passwordless sudo
-tu /etc/sudoers <<EOF
-$USER  ALL=(ALL)  NOPASSWD: ALL
-Defaults  env_keep += SUDOD
+
+# always_set_home
 # makes ubuntu be like debian
 # https://unix.stackexchange.com/a/91572
-Defaults always_set_home
-# default setting is to have  minimum umask of 0022
+
+# umask: default setting is to have  minimum umask of 0022
 # This lets us have user-specific umasks which are more permissive.
 # I did this for transmission and set it's umask gecos on install,
 # see there for more info.
+
+tu /etc/sudoers <<EOF
+$USER  ALL=(ALL)  NOPASSWD: ALL
+Defaults  env_keep += SUDOD
+Defaults always_set_home
 Defaults !umask
 EOF
 
@@ -285,14 +296,6 @@ pup
 
 
 ###### p1 packages install ######
-if isarch; then
-  # requirement for trash-cli.
-  # background: strange error if just installing trash-cli: "pyalpm requires python",
-  # so I see that it requires python2, and installing that manually fixes it.
-  # I didn\'t see this on earlier installation, main thing which changed was
-  # pacserve, so not sure if it\'s related.
-  pi python2
-fi
 pi ${p1[@]}
 
 
@@ -318,62 +321,18 @@ esac
 
 ###### link files
 # convenient to just do all file linking in one place
-s lnf -T /a/bin /b
-s lnf -T /nocow/t /t
+s /a/exe/lnf -T /a/bin /b
+s /a/exe/lnf -T /nocow/t /t
 if has_p; then
   lnf -T /p/News ~/News
 fi
-s lnf /q/root/.editor-backups /q/root/.undo-tree-history \
+s /a/exe/lnf /q/root/.editor-backups /q/root/.undo-tree-history \
   /a/opt /a/c/.emacs.d $HOME/mw_vars /k/backup /root
-pi rsync # needed for rootsshsync
-/a/bin/ds/install-my-scripts # needed for rootsshsync
-rootsshsync
-s lnf /a/c/.vim /a/c/.vimrc /a/c/.gvimrc /root
-if has_p; then
-  # for dovecot
-  lnf -T /i/k/mboxes ~/mail
-fi
+/a/bin/ds/install-my-scripts # needed for rootsshsync cronjob
+s /a/exe/lnf /a/c/.vim /a/c/.vimrc /a/c/.gvimrc /root
 
 
 
-##### install xinput
-if has_x; then
-  case $(distro-name) in
-    trisquel|ubuntu|debian)
-      pi xinput
-      ;;
-    fedora)
-      pi xinput_calibrator
-      ;;
-    arch)
-      pi xorg-xinput
-      ;;
-  esac
-
-  #### install redshift
-  case $(distro-name) in
-    trisquel|ubuntu|debian)
-      # recommends gets us geoclue (for darkening automatically at night i assume),
-      # which recommends modemmanager, which is annoying to fix for the model01 keyboard.
-      pi --no-install-recommends gtk-redshift
-      ;;&
-    fedora)
-      pi redshift-gtk
-      ;;&
-    arch)
-      pi redshift
-      ;;&
-  esac
-fi
-
-if has_wayland; then
-  pi sway xwayland
-  # originally used xkbcomp, documented in input-setup.sh, this doesnt
-  # work under wayland, but its still useful for creating the config,
-  # then modifying the system files.
-  s sed -i.orig '/key *<KPMU> *{/,/}/s/KP_Multiply/underscore/g' /usr/share/X11/xkb/symbols/keypad
-fi
-
 
 
 #### arch specific early packages
@@ -385,22 +344,12 @@ case $(distro-name) in
     ;;
 esac
 
-#### fedora specific packages
-case $(distro-name) in
-  fedora)
-    # todo, this could probably come later
-    p -y groupinstall development-tools c-development books admin-tools
-    pi man-pages
-    ;;
-  # other distros unknown
-esac
-
 #### enable trim
 # enable trim for volume delete, other rare commands
 sudo $sed -ri 's/( *issue_discards\b).*/\1 = 1/' /etc/lvm/lvm.conf
 if encrypted; then
   # flidas or so, these units arent built-in
-  if isdeb && ! systemctl list-unit-files | grep -xF fstrim.timer &>/dev/null ; then
+  if isdeb && ! systemctl list-unit-files | grep ^fstrim.timer &>/dev/null ; then
     sudo cp /usr/share/doc/util-linux/examples/fstrim.{service,timer} /etc/systemd/system
   fi
   # does weekly trim
@@ -413,15 +362,15 @@ s mkdir -p "${dirs[@]}"
 s chown $USER:$USER  "${dirs[@]}"
 
 ###### setup /i
-tu /etc/fstab <<'EOF'
+if home_network; then
+  tu /etc/fstab <<'EOF'
 /i/w  /w  none  bind,noauto  0 0
 /i/k  /k  none  bind,noauto  0 0
 EOF
-if ! mountpoint /kr; then
-  s mkdir -p /kr
-  s chown $USER:user2 /kr
-fi
-if home_network; then
+  if ! mountpoint /kr; then
+    s mkdir -p /kr
+    s chown $USER:user2 /kr
+  fi
   if [[ $HOSTNAME == frodo ]]; then
     tu /etc/fstab <<'EOF'
 /k  /kr  none  bind,noauto  0 0
@@ -431,22 +380,20 @@ EOF
 frodo:/k  /kr  nfs  noauto  0 0
 EOF
   fi
-fi
-s mkdir -p /q /i/{w,k}
-for dir in /{i,w,k}; do
-  if mountpoint $dir; then continue; fi # already mounted
-  s mkdir -p $dir
-  s chown $USER:$USER $dir
-done
-# not needed for all hosts, but rather just keep it uniform
-s mkdir -p /mnt/iroot
-# debian auto mounting of multi-disk encrypted btrfs is busted.  It is
-# in jessie, and in stretch as of 11/26/2016 I have 4 disks in cryptab,
-# based on 3 of those, it creates .device units for /dev/mapper/dev...
-# then waits endlessly for them on bootup, after the /dev/mapper disks
-# have already been created and exist. todo: create a simple repro
-# for this in a vm and report it upstream.
-if has_btrfs || home_network; then
+  s mkdir -p /q /i/{w,k}
+  for dir in /{i,w,k}; do
+    if mountpoint $dir; then continue; fi # already mounted
+    s mkdir -p $dir
+    s chown $USER:$USER $dir
+  done
+  # not needed for all hosts, but rather just keep it uniform
+  s mkdir -p /mnt/iroot
+  # debian auto mounting of multi-disk encrypted btrfs is busted.  It is
+  # in jessie, and in stretch as of 11/26/2016 I have 4 disks in cryptab,
+  # based on 3 of those, it creates .device units for /dev/mapper/dev...
+  # then waits endlessly for them on bootup, after the /dev/mapper disks
+  # have already been created and exist. todo: create a simple repro
+  # for this in a vm and report it upstream.
   pi nfs-common
   s dd of=/root/imount <<'EOF'
 #!/bin/bash
@@ -465,7 +412,6 @@ for dir in /i /mnt/iroot /k /kr /w; do
 done
 EOF
   s chmod +x /root/imount
-
   s dd of=/etc/systemd/system/imount.service <<EOF
 [Unit]
 Description=Mount /i and related mountpoints
@@ -487,6 +433,7 @@ EOF
   sudo systemctl enable imount.service
   sudo systemctl start imount.service
 fi
+###### end setup /i
 
 ##### setup /nocow.
 # a nocow dir that is common to multiple distros installed on the same system
@@ -523,23 +470,6 @@ if isubuntu; then
 fi
 
 
-##### install  emacs
-if isarch; then
-  # emacs git build was broken last time i checked,
-  x=$(mktemp -d)
-  pushd $x
-  aurex emacs-git
-  makepkg -si --noconfirm
-  popd
-  rm -rf $x
-  pi hunspell hunspell-en
-else
-  if $recompile; then
-    /a/bin/buildscripts/emacs
-  else
-    /a/bin/buildscripts/emacs --no-r || /a/bin/buildscripts/emacs
-  fi
-fi
 
 ##### install laptop hardware packages
 if tp || x2 || x3; then
@@ -556,23 +486,38 @@ if tp || x2 || x3; then
   esac
 fi
 
-
-##### install x stuff
-if has_monitor; then
-  pi ${p2[@]}
-  if has_x; then
-    pi i3
-    if isarch; then
-      # xorg-xmessage for displaying error messages.
-      # optional dependency in arch, standard elsewhere.
-      pi xorg-server xorg-xmessage xorg-xsetroot xorg-xinit
-    fi
+if has_x; then
+  ###### install X
+  pi i3
+  if isarch; then
+    # xorg-xmessage for displaying error messages.
+    # optional dependency in arch, standard elsewhere.
+    pi xorg-server xorg-xmessage xorg-xsetroot xorg-xinit
   fi
-fi
 
+  ##### install xinput
+  case $(distro-name) in
+    trisquel|ubuntu|debian)
+      pi xinput
+      ;;
+    arch)
+      pi xorg-xinput
+      ;;
+  esac
 
-##### setup X autostart
-if has_x; then
+  #### install redshift
+  case $(distro-name) in
+    trisquel|ubuntu|debian)
+      # recommends gets us geoclue (for darkening automatically at night i assume),
+      # which recommends modemmanager, which is annoying to fix for the model01 keyboard.
+      pi --no-install-recommends gtk-redshift
+      ;;&
+    arch)
+      pi redshift
+      ;;&
+  esac
+
+  ##### setup X autostart
   if isarch; then
     # https://wiki.archlinux.org/index.php/Xinitrc
     for homedir in /home/*; do
@@ -588,12 +533,7 @@ EOF
   else
     # todo, figure this out for arch if we ever try out gnome.
     # install for multiple display managers in case we use one
-    if isdeb; then
-      dir=/etc/gdm3
-    elif isfedora; then
-      # fedora didn\'t have the 3.
-      dir=/etc/gdm
-    fi
+    dir=/etc/gdm3
     s mkdir -p $dir/PostLogin
     s command cp /a/bin/distro-setup/desktop-20-autostart.sh $dir/PostLogin/Default
     s mkdir /etc/lightdm/lightdm.conf.d
@@ -602,13 +542,45 @@ EOF
 session-setup-script=/a/bin/distro-setup/desktop-20-autostart.sh
 EOF
   fi
+
 fi
 
+### install and configure wayland
+if has_wayland; then
+  pi sway xwayland
+  # originally used xkbcomp, documented in input-setup.sh, this doesnt
+  # work under wayland, but its still useful for creating the config,
+  # then modifying the system files.
+  s sed -i.orig '/key *<KPMU> *{/,/}/s/KP_Multiply/underscore/g' /usr/share/X11/xkb/symbols/keypad
+fi
+
+##### basic graphical packages
+if has_monitor; then
+  pi konsole suckless-tools
+fi
 
-#### refix interactive ssh terminal
-# the first pup command can kill off our /etc/ mod, so rerun this
-/a/exe/ssh-emacs-setup
 
+##### install  emacs
+if $emacs; then
+  if isarch; then
+    # emacs git build was broken last time i checked,
+    x=$(mktemp -d)
+    pushd $x
+    aurex emacs-git
+    makepkg -si --noconfirm
+    popd
+    rm -rf $x
+    pi hunspell hunspell-en
+  else
+    if $recompile; then
+      /a/bin/buildscripts/emacs
+    else
+      /a/bin/buildscripts/emacs --no-r
+    fi
+  fi
+  # the first pup command can kill off our /etc/ mod, so rerun this
+  /a/exe/ssh-emacs-setup
+fi
 
 echo "$0: $(date): ending now"
 exit 0
diff --git a/distro-end b/distro-end
index 14cc2f5..2e6b687 100755
--- a/distro-end
+++ b/distro-end
@@ -50,29 +50,13 @@ if isdeb; then
   pi aptitude
 fi
 
-# avoid ptompts!
+# avoid prompts
 s debconf-set-selections <<EOF
 popularity-contest popularity-contest/participate boolean true
 EOF
 
 ########### begin section including li ################
-pi ${p3[@]}
-
-#### desktop stuff
-case $codename_compat in
-  xenial)
-    # mate-indicator-applet and beyond are msc things I noticed diffing a
-    # standard install with mine.
-    pi xorg lightdm mate-desktop-environment mate-desktop-environment-extras mate-indicator-applet anacron
-    ;;
-  stretch)
-    pi task-mate-desktop
-    ;;
-  buster)
-    # mate doesnt have wayland support yet
-    pi task-gnome-desktop
-    ;;
-esac
+pi ${p2[@]}
 
 
 conflink
@@ -83,16 +67,13 @@ esac
 
 case $distro in
   arch) sgo atd ;;
+  # not needed for deb, dependency of at.
 esac
 
 
-case $distro in
-  arch) sgo ntpd ;;
-esac
-
 
 # no equivalent in other distros:
-if isdeb && ! dpkg -s -- "$@" | grep -Fx "Status: install ok installed" &> /dev/null; then
+if isdeb && pcheck apt-file; then
   # this condition is just a speed optimization
   pi apt-file
   s apt-file update
@@ -117,30 +98,6 @@ case $distro in
 esac
 
 
-### begin docker install ####
-if isdeb; then
-  # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
-  pi  software-properties-common apt-transport-https
-  curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
-  url=https://download.docker.com/linux/$(distro-name-compat)
-  l="deb [arch=amd64] $url $codename_compat stable"
-
-  if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
-    sudo add-apt-repository "$l"
-    p update
-  fi
-  # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless
-  # we really need it.
-  pi-nostart docker-ce
-  # and docker is even more crap, it ignores that it shouldnt start
-  ser stop docker
-  ser disable docker
-  case $HOSTNAME in
-    li|lj)  sgo docker ;;
-  esac
-fi
-###  end docker install ####
-
 
 
 ### begin certbot install ###
@@ -183,72 +140,39 @@ sgo certbotmail.timer
 #     ;;
 # esac
 
-pi ${p1[@]}
 
-##### begin automatic upgrades ####
-
-s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
-# this file was mostly just comments.
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
-EOF
-
-s dd of=/etc/apt/apt.conf.d/50unattended-upgrades  <<EOF
-# fyi: default file has comments about available options,
-# you may want to read that.
-Unattended-Upgrade::Mail "root";
-Unattended-Upgrade::MailOnlyOnError "true";
-Unattended-Upgrade::Remove-Unused-Dependencies "true";
-Unattended-Upgrade::Origins-Pattern {
-       # default is just security updates.
-       "origin=*";
-};
-EOF
-
-# Setup reboots when running outdated stuff, unattended upgrades happen
-# at 6 am + rand(60 min).
-/usr/local/bin/log-once checkrestart
+## not actually using prometheus just yet
+# # office is not exposed to internet yet
+# if [[ $HOSTNAME != kw ]]; then
+#   ## prometheus node exporter setup
+#   web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
+# #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
+# # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
+# <Location />
+#    AllowOverride None
+#    AuthType basic
+#    AuthName "Authentication Required"
+#    # setup one time, with root:www-data, 640
+#    AuthUserFile "/etc/prometheus-htpasswd"
+#    Require valid-user
+# </Location>
+# EOF
+# fi
 
-# old names, too verbose
-s rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattended-reboot
+# website setup
+case $HOSTNAME in
+  li)
 
-s dd of=/etc/cron.d/myupgrade <<'EOF'
-20 7 * * * root /usr/local/bin/myupgrade | /usr/local/bin/log-once -1 myupgrade
-0 * * * * root /usr/local/bin/mycheckrestart | /usr/local/bin/log-once -1 mycheckrestart
-EOF
-##### end automatic upgrades ####
+    pi bind9
 
-# office is not exposed to internet yet
-if [[ $(hostname -f) != *.office.fsf.org ]]; then
-  ## prometheus node exporter setup
-  web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
-#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
-# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location />
-   AllowOverride None
-   AuthType basic
-   AuthName "Authentication Required"
-   # setup one time, with root:www-data, 640
-   AuthUserFile "/etc/prometheus-htpasswd"
-   Require valid-user
-</Location>
-EOF
-fi
 
-# website setup
-case $HOSTNAME in
-  lj|li)
     case $HOSTNAME in
-      lj) domain=iank.bid; exit 0 ;;
       li) domain=iankelling.org ;;
     esac
     /a/h/setup.sh $domain
     /a/h/build.rb
 
-    sudo -E /a/bin/mediawiki-setup/mw-setup-script
-
+    # start mumble only when im going to use it, since i dont use it much
     pi-nostart mumble-server
     s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
 
@@ -262,25 +186,17 @@ export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
 /a/bin/distro-setup/certbot-renew-hook
 EOF
 
-    sgo mumble-server
 
     vpn-server-setup -rd
     s tee /etc/openvpn/client-config/mail <<'EOF'
 ifconfig-push 10.8.0.4 255.255.255.0
 EOF
 
-    # it\'s strange. docker seems to make the default for forward
-    # be drop, but then I set it to accept and it\'s stuck that way,
-    # I dun know why. But, let\'s make sure we can forward anyways.
-    s DEBIAN_FRONTEND=noninteractive pi iptables-persistent
-    rm /etc/iptables/rules.v6
-    s tee /etc/iptables/rules.v4 <<'EOF'
-*filter
--A FORWARD -i tun+ -o eth0 -j ACCEPT
--A FORWARD -i eth0 -o tun+ -j ACCEPT
-COMMIT
-EOF
-
+    if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+      vpn_service=openvpn-server@server
+    else
+      vpn_service=openvpn@server
+    fi
 
     sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
 [Unit]
@@ -293,17 +209,12 @@ ExecStart=/a/bin/distro-setup/vpn-mail-forward start
 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
 
 [Install]
-WantedBy=openvpn.service
+WantedBy=$vpn_service.service
 EOF
     ser daemon-reload
-    ser enable vpnmail.service
+    sgo vpnmail.service
     # needed for li's local mail delivery.
     tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
-    if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
-      vpn_service=openvpn-server@server
-    else
-      vpn_service=openvpn@server
-    fi
     sgo $vpn_service
     # setup let's encrypt cert
     web-conf apache2 mail.iankelling.org
@@ -314,263 +225,34 @@ EOF
     web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
 # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-        <Location />
-                Options +FollowSymLinks +Multiviews +Indexes
-                AllowOverride None
-                AuthType basic
-                AuthName "Authentication Required"
-                # setup one time, with root:www-data, 640
-                AuthUserFile "/etc/caldav-htpasswd"
-                Require valid-user
-        </Location>
+<Location />
+   Options +FollowSymLinks +Multiviews +Indexes
+   AllowOverride None
+   AuthType basic
+   AuthName "Authentication Required"
+   # setup one time, with root:www-data, 640
+   AuthUserFile "/etc/caldav-htpasswd"
+   Require valid-user
+</Location>
 EOF
     # nginx version of above would be:
     # auth_basic "Not currently available";
     # auth_basic_user_file /etc/nginx/caldav/htpasswd;
 
 
-    ########## begin pump.io setup ##########
 
-    # once pump adds a logrotation script, turn off nologger,
-    # and add
-    #        "logfile": "/var/log/pumpio/pumpio.log",
-    #
-    s dd of=/etc/pump.io.json <<'EOF'
-{
-    "secret":  "SECRET_REPLACE_ME",
-    "driver":  "mongodb",
-    "params":  { "dbname": "pumpio" },
-    "noweb":  false,
-    "site":  "pump.iankelling.org",
-    "owner":  "Ian Kelling",
-    "ownerURL":  "https://iankelling.org/",
-    "port":  8001,
-    "urlPort": 443,
-    "hostname":  "pump.iankelling.org",
-    "nologger": true,
-    "datadir": "/home/pumpio/pumpdata",
-    "enableUploads": true,
-    "debugClient": false,
-    "disableRegistration": true,
-    "noCDN": true,
-    "key": "/home/pumpio/privkey.pem",
-    "cert": "/home/pumpio/fullchain.pem",
-    "address":  "localhost",
-    "sockjs": false
-}
-EOF
-    s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
-
-    # stretch node is too old
-    # https://nodejs.org/en/download/package-manager/
-    curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
-    pi nodejs graphicsmagick mongodb
-    cd /home/iank
-    if [[ -e pump.io ]]; then
-      cd pump.io
-      git pull
-    else
-      git clone https://github.com/pump-io/pump.io.git
-      cd pump.io
-    fi
-    # note: these 2 commands seem
-    # note: doing this or the npm install pump.io as root had problems.
-    npm install
-    npm run build
-    # normally, next command would be
-    # s npm install -g   odb
-    # but it\'s this until a bug in pump gets fixed
-    # https://github.com/pump-io/pump.io/issues/1287
-    s npm install -g databank-mongodb@0.19.2
-    if ! getent passwd pumpio &>/dev/null; then
-      s useradd -Um -s /bin/false pumpio
-    fi
-    sudo -u pumpio mkdir -p /home/pumpio/pumpdata
-    # for testing browser when only listening to localhost,
-    # in the pump.io.json, set hostname localhost, urlPort 5233
-    #ssh -L 5233:localhost:5233 li
-
-    s mkdir -p /var/log/pumpio/
-    s chown pumpio:pumpio /var/log/pumpio/
-
-    web-conf - apache2 pump.iankelling.org <<'EOF'
-# currently a bug in pump that we cant terminate ssl
-         SSLProxyEngine On
-         ProxyPreserveHost On
-         ProxyPass /  https://127.0.0.1:8001/
-         ProxyPassReverse /  https://127.0.0.1:8001/
-         # i have sockjs disabled per people suggesting that
-         # it won\'t work with apache right now.
-         # not sure if it would work with this,
-         # but afaik, this is pointless atm.
-         <Location /main/realtime/sockjs/>
-             ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
-             ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
-         </Location>
-EOF
+    ###### begin znc setup #####
+    pi znc
 
+    # https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart after cert change.
+    # to get into the web interface,
+    # then use non-main browser or else it doebsn't allow it based on ocsp stapling from my main site.
+    # https://iankelling.org:12533/
     sudo -i <<'EOF'
-export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
+export RENEWED_LINEAGE=/etc/letsencrypt/live/iankelling.org
 /a/bin/distro-setup/certbot-renew-hook
 EOF
 
-    s dd of=/etc/systemd/system/pump.service <<'EOF'
-[Unit]
-Description=pump.io
-After=syslog.target network.target mongodb.service
-Requires=mongodb.service
-
-[Service]
-Type=simple
-User=pumpio
-Group=pumpio
-ExecStart=/home/iank/pump.io/bin/pump
-Environment=NODE_ENV=production
-# failed to find databank-mongodb without this.
-# I just looked at my environment variables took a guess.
-Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
-
-[Install]
-WantedBy=multi-user.target
-EOF
-    ser daemon-reload
-    sgo pump
-    ########## end pump.io setup ############
-
-
-    ############# begin setup mastodon ##############
-
-    # main doc is Docker-Guide.md in docs repo
-
-    # I'd like to try gnu social just cuz of gnu, but it's not being
-    # well maintained, for example, simple pull requests
-    # languishing:
-    # https://git.gnu.io/gnu/gnu-social/merge_requests/143
-    # and I submitted my own bugs, basic docs are broken
-    # https://git.gnu.io/gnu/gnu-social/issues/269
-
-    # note, docker required, but we installed it earlier
-
-    # i subscrubed to https://github.com/docker/compose/releases.atom
-    # to see release notes.
-    # i had some problems upgrading. blew things away with
-    # docker-compose down
-    # docker rmi $(docker images -q)
-    # s reboot now
-    # when running docker-compose run, kernel stack traces are printed to the journal.
-    # things seem to succeed, google says nothing, so ignoring them.
-    curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-$(uname -s)-$(uname -m) | s dd of=/usr/local/bin/docker-compose
-    s chmod +x /usr/local/bin/docker-compose
-
-
-    cd ~
-    s rm -rf mastodon
-    i clone https://github.com/tootsuite/mastodon
-    cd mastodon
-    # subbed to atom feed to deal with updates
-    git checkout $(git tag | grep -v rc | tail -n1)
-
-    # per instructions, uncomment redis/postgres persistence in docker-compose.yml
-    sed -i 's/^#//' docker-compose.yml
-
-    cat >.env.production <<'EOF'
-REDIS_HOST=redis
-REDIS_PORT=6379
-DB_HOST=db
-DB_USER=postgres
-DB_NAME=postgres
-DB_PASS=
-DB_PORT=5432
-
-LOCAL_DOMAIN=mast.iankelling.org
-LOCAL_HTTPS=true
-
-SINGLE_USER_MODE=true
-
-SMTP_SERVER=mail.iankelling.org
-SMTP_PORT=25
-SMTP_LOGIN=li
-SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
-SMTP_DOMAIN=mast.iankelling.org
-SMTP_DELIVERY_METHOD=smtp
-EOF
-
-    for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
-      # 1 minute 7 seconds to run this docker command
-      # to generate a secret, and it has ^M chars at the end. wtf. really dumb
-      printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production
-    done
-    found=false
-    while read -r domain _ pass; do
-      if [[ $domain == mail.iankelling.org ]]; then
-        found=true
-        # remove the username part
-        pass="${pass#*:}"
-        printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production
-        break
-      fi
-    done < <(s cat /etc/mailpass)
-    if ! $found; then
-      echo "$0: error, failed to find mailpass domain for mastadon"
-      exit 1
-    fi
-
-    # docker compose makes an interface named like br-8f3e208558f2. we need mail to
-    # get routed to us.
-    if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then
-      s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25
-    fi
-
-    docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production
-    logq docker-compose run --rm web rake db:migrate
-    docker-compose run --rm web rails assets:precompile
-
-    # avatar failed to upload, did
-    # docker logs mastodon_web_1
-    # google lead me to this
-    s chown -R 991:991 public/system
-
-    # docker daemon takes care of starting on boot.
-    docker-compose up -d
-
-    s a2enmod proxy_wstunnel headers
-    web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
-   ProxyPreserveHost On
-   RequestHeader set X-Forwarded-Proto "https"
-   ProxyPass /500.html !
-   ProxyPass /oops.png !
-   ProxyPass /api/v1/streaming/ ws://localhost:4000/
-   ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
-   ErrorDocument 500 /500.html
-   ErrorDocument 501 /500.html
-   ErrorDocument 502 /500.html
-   ErrorDocument 503 /500.html
-   ErrorDocument 504 /500.html
-EOF
-
-
-    ############### !!!!!!!!!!!!!!!!!
-    ############### manual steps:
-
-    # only following a few people atm, so not bothering to figure out backups
-    # when mastodon has not documented it at all.
-    #
-    # fsf@status.fsf.org
-    # cwebber@toot.cat
-    # dbd@status.fsf.org
-    # johns@status.fsf.org
-
-    # sign in page is at https://mast.iankelling.org/auth/sign_in
-    # register as iank, then
-    # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
-    # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
-
-    ############# end setup mastodon ##############
-
-    # we use nsupdate to update the ip of home
-    pi bind9
-
-    pi znc
     # znc config generated by doing
     # znc --makeconf
     # selected port is also used in erc config
@@ -588,11 +270,6 @@ EOF
     # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
     # and made a copy of the config files into /p/c
     # /msg *status LoadMod --type=global log -sanitize
-    # to get into the web interface,
-    # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
-    # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
-    # https://iankelling.org:12533/
-    # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
     # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
     # /msg *status LoadMod --type=network perform
     # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
@@ -605,12 +282,12 @@ EOF
     # on killing the,
     # an example seems to be here:	https://github.com/zenspider/elisp/blob/master/rwd-irc.el
     # if that was the case i could remove the module clearbufferonmsg
-    # alo would be nice if erc supported
+    # also would be nice if erc supported
     # https://wiki.znc.in/self-message
     # https://wiki.znc.in/Query_buffers                                                \
       #
     s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
-    chmod 700 /var/lib/znc
+    s chmod 700 /var/lib/znc
     s chown -R znc:znc /var/lib/znc
     s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF'
 [Unit]
@@ -626,20 +303,15 @@ WantedBy=multi-user.target
 EOF
     ser daemon-reload
     sgo znc
-
-    echo "$0: $(date): ending now)"
-    exit 0
-    ;;
-esac
-
-########### end section including li/lj ###############
+    ###### stop znc setup #####
 
 
-case $(debian-codename) in
-  # needed for debootstrap scripts for fai since fai requires debian
-  flidas)
-    curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
-    s dd of=/etc/apt/preferences.d/flidas-xenial <<EOF
+    ######### begin flidas pinned packages ######
+    case $(debian-codename) in
+      # needed for debootstrap scripts for fai since fai requires debian
+      flidas)
+        curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
+        s dd of=/etc/apt/preferences.d/flidas-xenial <<EOF
 Package: *
 Pin: release a=xenial
 Pin-Priority: -100
@@ -652,14 +324,14 @@ Package: *
 Pin: release a=xenial-security
 Pin-Priority: -100
 EOF
-    s dd of=/etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
+        s dd of=/etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
 deb http://us.archive.ubuntu.com/ubuntu/ xenial main
 deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
 deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
 EOF
 
-    s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
-    s dd of=/etc/apt/preferences.d/flidas-bionic <<EOF
+        s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+        s dd of=/etc/apt/preferences.d/flidas-bionic <<EOF
 Package: *
 Pin: release a=bionic
 Pin-Priority: -100
@@ -673,9 +345,9 @@ Pin: release a=bionic-security
 Pin-Priority: -100
 EOF
 
-    # better to run btrfs-progs which matches our kernel version
-    # (note, renamed from btrfs-tools)
-    s dd of=/etc/apt/preferences.d/btrfs-progs <<EOF
+        # better to run btrfs-progs which matches our kernel version
+        # (note, renamed from btrfs-tools)
+        s dd of=/etc/apt/preferences.d/btrfs-progs <<EOF
 Package: btrfs-progs libzstd1
 Pin: release a=bionic
 Pin-Priority: 1005
@@ -690,30 +362,30 @@ Pin-Priority: 1005
 EOF
 
 
-    t=$(mktemp)
-    cat >$t <<EOF
+        t=$(mktemp)
+        cat >$t <<EOF
 deb http://us.archive.ubuntu.com/ubuntu/ bionic main
 deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
 deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
 EOF
-    f=/etc/apt/sources.list.d/bionic.list
-    if ! diff -q $t $f; then
-      s cp $t $f
-      s chmod 644 $f
-      p update
-    fi
+        f=/etc/apt/sources.list.d/bionic.list
+        if ! diff -q $t $f; then
+          s cp $t $f
+          s chmod 644 $f
+          p update
+        fi
 
-    # no special reason, but its better for btrfs-progs to
-    # be closer to our kernel version
-    pi btrfs-progs
+        # no special reason, but its better for btrfs-progs to
+        # be closer to our kernel version
+        pi btrfs-progs
 
-    t=$(mktemp -d)
-    cd $t
-    aptitude download debootstrap/xenial
-    ex ./*
-    s cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+        t=$(mktemp -d)
+        cd $t
+        aptitude download debootstrap/xenial
+        ex ./*
+        s cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
 
-    s dd of=/etc/apt/preferences.d/flidas-etiona <<EOF
+        s dd of=/etc/apt/preferences.d/flidas-etiona <<EOF
 Package: *
 Pin: release a=etiona
 Pin-Priority: -100
@@ -731,40 +403,40 @@ Pin: release a=etiona-backports
 Pin-Priority: -100
 EOF
 
-    t=$(mktemp)
-    cat >$t <<EOF
+        t=$(mktemp)
+        cat >$t <<EOF
 deb http://mirror.fsf.org/trisquel/ etiona main
 deb http://mirror.fsf.org/trisquel/ etiona-updates main
 deb http://archive.trisquel.info/trisquel/ etiona-security main
 deb http://mirror.fsf.org/trisquel/ etiona-backports main
 EOF
-    f=/etc/apt/sources.list.d/etiona.list
-    if ! diff -q $t $f; then
-      s cp $t $f
-      s chmod 644 $f
-      p update
-    fi
+        f=/etc/apt/sources.list.d/etiona.list
+        if ! diff -q $t $f; then
+          s cp $t $f
+          s chmod 644 $f
+          p update
+        fi
 
-    s dd of=/etc/apt/preferences.d/debian-goodies <<EOF
+        s dd of=/etc/apt/preferences.d/debian-goodies <<EOF
 Package: debian-goodies
 Pin: release n=buster
 Pin-Priority: 1005
 EOF
 
 
-    s dd of=/etc/apt/preferences.d/flidas-buster <<EOF
+        s dd of=/etc/apt/preferences.d/flidas-buster <<EOF
 Package: *
 Pin: release n=buster
 Pin-Priority: -100
 EOF
 
-    # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
-    s dd of=/etc/apt/apt.conf.d/01iank <<'EOF'
+        # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
+        s dd of=/etc/apt/apt.conf.d/01iank <<'EOF'
 Acquire::AllowInsecureRepositories "true";
 EOF
 
-    t=$(mktemp)
-    cat >$t <<EOF
+        t=$(mktemp)
+        cat >$t <<EOF
 deb http://http.us.debian.org/debian buster main
 deb-src http://http.us.debian.org/debian buster main
 
@@ -774,17 +446,17 @@ deb-src http://security.debian.org/ buster/updates main
 deb http://http.us.debian.org/debian buster-updates main
 deb-src http://http.us.debian.org/debian buster-updates main
 EOF
-    f=/etc/apt/sources.list.d/buster.list
-    if ! diff -q $t $f; then
-      s cp $t $f
-      s chmod 644 $f
-      p update
-    fi
+        f=/etc/apt/sources.list.d/buster.list
+        if ! diff -q $t $f; then
+          s cp $t $f
+          s chmod 644 $f
+          p update
+        fi
 
-    # newer version needed for false positive in checkrestart
-    p install -y --allow-unauthenticated debian-goodies
+        # newer version needed for false positive in checkrestart
+        p install -y --allow-unauthenticated debian-goodies
 
-    s dd of=/etc/apt/preferences.d/shellcheck <<EOF
+        s dd of=/etc/apt/preferences.d/shellcheck <<EOF
 Package: shellcheck
 Pin: release a=etiona
 Pin-Priority: 1005
@@ -799,10 +471,74 @@ Pin-Priority: 1005
 EOF
 
 
+        ;;
+      *)
+        if isdeb; then
+          pi debian-goodies shellcheck
+        fi
+        ;;
+    esac
+    ######### end flidas pinned packages ######
+
+    ##### begin automatic upgrades (after checkrestart has been installed) ####
+    s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
+# this file was mostly just comments.
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+EOF
+
+    s dd of=/etc/apt/apt.conf.d/50unattended-upgrades  <<EOF
+# fyi: default file has comments about available options,
+# you may want to read that.
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailOnlyOnError "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Origins-Pattern {
+       # default is just security updates.
+       "origin=*";
+};
+EOF
+
+    # old names, too verbose
+    s rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattended-reboot
+
+    s dd of=/etc/cron.d/myupgrade <<'EOF'
+# Setup reboots when running outdated stuff, unattended upgrades happen
+# at 6 am + rand(60 min).
+20 7 * * * root /usr/local/bin/myupgrade | /usr/local/bin/log-once -1 myupgrade
+0 * * * * root /usr/local/bin/mycheckrestart | /usr/local/bin/log-once -1 mycheckrestart
+EOF
+    ##### end automatic upgrades ####
+
+
+    echo "$0: $(date): ending now)"
+    exit 0
+    ;;
+esac
+
+########### end section including li/lj ###############
+
+#### desktop stuff
+case $codename_compat in
+  xenial)
+    # mate-indicator-applet and beyond are msc things I noticed diffing a
+    # standard install with mine.
+    pi xorg lightdm mate-desktop-environment mate-desktop-environment-extras mate-indicator-applet anacron
+    ;;
+  stretch)
+    pi task-mate-desktop
+    ;;
+  buster)
+    # mate doesnt have wayland support yet
+    pi task-gnome-desktop
     ;;
 esac
 
 
+
+
 # TODO: some of the X programs can be removed from pall when using wayland
 
 # depends gcc is a way to install suggests. this is apparently the only
@@ -953,7 +689,7 @@ After=multi-user.target
 [Service]
 User=iank
 Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once irc-backup rsync -rlptDhSAX --delete root@iankelling.org:/var/lib/znc/moddata/log/iank/freenode/ /k/irclogs
+ExecStart=/a/bin/log-quiet/sysd-mail-once irc-backup rsync -rlptDhSAX root@iankelling.org:/var/lib/znc/moddata/log/iank/freenode/ /k/irclogs
 EOF
   s dd of=/etc/systemd/system/ircbackup.timer <<'EOF'
 [Unit]
@@ -1085,7 +821,7 @@ fi
 case $codename in
   flidas)
 
-    ;;
+  ;;
 esac
 
 
diff --git a/dynamic-ip-update b/dynamic-ip-update
index 3ba7f34..f696c0c 100755
--- a/dynamic-ip-update
+++ b/dynamic-ip-update
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -l
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
@@ -104,6 +104,7 @@ EOF
 
 chmod 640 [kK]*
 
-myunison -ob li
-ssh li conflink
-ssh li ser restart bind9
+# push here?
+#myunison -ob li
+#ssh li conflink
+ssh li systemctl reload bind9
diff --git a/filesystem/etc/ansible/hosts b/filesystem/etc/ansible/hosts
index 4717dbc..083d3bd 100644
--- a/filesystem/etc/ansible/hosts
+++ b/filesystem/etc/ansible/hosts
@@ -1,7 +1,7 @@
 [main]
 kd.b8.nz
-kw.office.fsf.org
+kw.b8.nz
 tp.b8.nz
 frodo.b8.nz
-x2.office.fsf.org
+x2.b8.nz
 x3.b8.nz
diff --git a/filesystem/usr/local/bin/mycheckrestart b/filesystem/usr/local/bin/mycheckrestart
index f6da8cd..eec8584 100755
--- a/filesystem/usr/local/bin/mycheckrestart
+++ b/filesystem/usr/local/bin/mycheckrestart
@@ -14,4 +14,9 @@ if [[ $HOSTNAME != "$MAIL_HOST" && $hn != li.b8.nz && ! $DISPLAY ]]; then
   exit 0
 fi
 
-$s /usr/sbin/checkrestart -v -i bash -b /a/bin/distro-setup/checkrestart-blacklist | sed '/^Found 0 processes using old versions of upgraded files$/d'
+cmd="$s /usr/sbin/checkrestart -p"
+if [[ $($cmd | sed '/^Found 0 processes using old versions of upgraded files$/d' | wc -l) != 0 ]]; then
+  $cmd
+  echo "with -v:"
+  $cmd -v
+fi
diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade
index b990fbb..55e7221 100755
--- a/filesystem/usr/local/bin/myupgrade
+++ b/filesystem/usr/local/bin/myupgrade
@@ -13,8 +13,10 @@ if [[ $HOSTNAME == "$MAIL_HOST" || $hn == li.b8.nz ]]; then
   exit 0
 fi
 
-/usr/sbin/checkrestart -v -i bash -b /a/bin/distro-setup/checkrestart-blacklist | \
-  sed '/^Found 0 processes using old versions of upgraded files$/d' >/var/log/checkrestart.log
+cmd="$s /usr/sbin/checkrestart -p"
+if [[ $($cmd | sed '/^Found 0 processes using old versions of upgraded files$/d' | wc -l) != 0 ]]; then
+  $cmd -v | pee cat "wall -n"
+fi
 
 if [[ -s /var/log/checkrestart.log ]]; then
   for x in {30..1}; do
diff --git a/keyscript-off b/keyscript-off
index 84f253c..1cf19b0 100755
--- a/keyscript-off
+++ b/keyscript-off
@@ -31,7 +31,7 @@ if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then
 else
     x=/root/keyscript
     if grep -q "${x}," /etc/crypttab; then
-        $sed -i "s#${x},#${x}-manual,#" /etc/crypttab
+      $sed -i "s#${x},#decrypt_keyctl,#" /etc/crypttab
 	update-initramfs -u
     fi
 fi
diff --git a/keyscript-on b/keyscript-on
index e62c7ed..246a971 100755
--- a/keyscript-on
+++ b/keyscript-on
@@ -18,26 +18,28 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@"
 if [[ $- != *i* ]]; then
-    exec &>>/var/log/keyscript-on.log
-    echo "$0: starting. $(date)"
+  exec &>>/var/log/keyscript-on.log
+  echo "$0: starting. $(date)"
 fi
 rootn=1
 
 sed="sed --follow-symlinks"
 
 if [[ ! -e /tmp/keyscript-off ]]; then
-    if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then
-        if ! grep -q '^\s*FILES=' /etc/mkinitcpio.conf; then
-            $sed -ri 's/^#(\s*FILES=.*)/\1/' /etc/mkinitcpio.conf # uncomment
-            mkinitcpio -p linux
-        fi
-    else
-        x=/root/keyscript
-        if grep -q "${x}-manual," /etc/crypttab; then
-            $sed -i "s#${x}-manual,#${x},#" /etc/crypttab
-	    update-initramfs -u
-        fi
+  if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then
+    if ! grep -q '^\s*FILES=' /etc/mkinitcpio.conf; then
+      $sed -ri 's/^#(\s*FILES=.*)/\1/' /etc/mkinitcpio.conf # uncomment
+      mkinitcpio -p linux
     fi
+  else
+    x=decrypt_keyctl
+    # old name. can remove this sometime after aug 2019
+    $sed -i "s#/root/keyscript-manual,#${x},#" /etc/crypttab
+    if grep -q "${x}," /etc/crypttab; then
+      $sed -i "s#${x},#/root/keyscript,#" /etc/crypttab
+      update-initramfs -u
+    fi
+  fi
 fi
 # switch to easy or hard login pass which is the same as luks
 f=/q/root/shadow/traci-simple
diff --git a/mail-setup b/mail-setup
index 93d09c7..6e21394 100755
--- a/mail-setup
+++ b/mail-setup
@@ -162,7 +162,7 @@ pi() { # package install
   if [[ ! -r $f ]] || (( $(( $(date +%s) - $(stat -c %Y $f ) )) > 60*60*12 )); then
     apt-get update
   fi
-  apt-get -y install --purge --auto-remove "$@"
+  DEBIAN_FRONTEND=noninteractive apt-get -y install --purge --auto-remove "$@"
 }
 
 postmaster=alerts
@@ -177,6 +177,9 @@ forward=$u@$mxhost
 
 smarthost="$mxhost::$mxport" # exim
 
+# light version of exim does not have sasl auth support.
+pi exim4-daemon-heavy spamassassin spf-tools-perl
+
 # trisquel 8 = openvpn, debian stretch = openvpn-client
 vpn_ser=openvpn-client
 if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
@@ -194,7 +197,8 @@ else
 fi
 
 
-pi openvpn
+# light version of exim does not have sasl auth support.
+pi exim4-daemon-heavy spamassassin spf-tools-perl openvpn dnsmasq
 
 if [[ -e /p/c/filesystem ]]; then
   # allow failure of these commands when our internet is down, they are likely not needed,
@@ -694,7 +698,7 @@ EOF
   # it\'s not part of exim
   rm -f /etc/exim4/conf.d/main/000_localmacros
   cat >>/etc/exim4/update-exim4.conf.conf <<EOF
-dc_eximconfig_configtype='satellite'
+dc_eximconfig_configtype='smarthost'
 dc_smarthost='$smarthost'
 # The manpage incorrectly states this will do header rewriting, but
 # that only happens if we have dc_hide_mailname is set.
@@ -735,10 +739,6 @@ elif [[ $uid != 608 ]]; then
 fi
 
 
-# light version of exim does not have sasl auth support.
-pi exim4-daemon-heavy spamassassin spf-tools-perl
-
-
 
 ##### begin spamassassin config
 systemctl enable spamassassin
@@ -885,17 +885,23 @@ systemctl enable exim4
 
 if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
   f=/usr/local/bin/send-test-forward
-  cat >$f <<'EOF'
+  cat >$f <<'EOFOUTER'
 #!/bin/bash
-echo body_test | mail -s "primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)" iank@posteo.de
+/usr/sbin/exim -t <<EOF
+From: ian@iankelling.org
+To: iank@posteo.de
+Subject: primary_test $(date +%s) $(date +%Y-%m-%dT%H:%M:%S%z)
+
+eom
 EOF
+EOFOUTER
   chmod +x $f
 
   cat >/etc/cron.d/mailtest <<EOF
 SHELL=/bin/bash
 # running as user just because no need to run as root
 */10 * * * *   $u $f 2>&1 | /usr/local/bin/log-once send-test-forward
-*/10 * * * *   $u /usr/local/bin/mailtest-check 2>&1 | /usr/local/bin/log-once -1 send-test-forward
+*/10 * * * *   $u /usr/local/bin/mailtest-check 2>&1 | /usr/local/bin/log-once -1 mailtest-check
 */10 * * * *   root chmod -R g+rw /m/md/bounces 2>&1 | /usr/local/bin/log-once -1 bounces-chmod
 EOF
   cp /a/bin/distro-setup/filesystem/usr/local/bin/mailtest-check /usr/local/bin
diff --git a/pkgs b/pkgs
index d8acab1..b14a881 100644
--- a/pkgs
+++ b/pkgs
@@ -10,12 +10,6 @@ p1=(
   screen
 )
 p2=(
-  # 2nd
-  konsole
-  suckless-tools
-)
-p3=(
-  at
   bash-completion
   curl
   ethtool
@@ -49,7 +43,8 @@ p3=(
 # gnat-5 & ccache is for coreboot
 # python-dnspython is needed by some ansible module and 3 is
 # for when ansible becomes py3.
-p4=(
+p3=(
+  at
   adb
   ansible
   apache2
@@ -196,4 +191,4 @@ p4=(
   xscreensaver-gl-extra
 )
 
-pall=(${p1[@]} ${p2[@]} ${p3[@]} ${p4[@]} )
+pall=(${p1[@]} ${p2[@]} ${p3[@]} )
diff --git a/rootsshsync b/rootsshsync
index c550149..c4cebbf 100755
--- a/rootsshsync
+++ b/rootsshsync
@@ -27,7 +27,12 @@ fi
 mkdir -p $dest
 chmod 700 $dest
 
-user_ssh_dir=$(eval echo ~${SUDO_USER:-$USER})/.ssh
+user=$(id -un)
+if [[ $SUDO_USER ]]; then
+  user=$SUDO_USER
+fi
+
+user_ssh_dir=$(eval echo ~$user)/.ssh
 
 # remove broken links, or else rsync has error about them.
 find $user_ssh_dir -xtype l -exec rm '{}' \;
@@ -35,10 +40,13 @@ find $user_ssh_dir -xtype l -exec rm '{}' \;
 # -L resolve links
 rsync -rtL --delete $user_ssh_dir/ $dest
 chown -R root:root /root/.ssh
+
+
 d=/etc/initramfs-tools
 if [[ -e $d ]] && ! diff -q /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys &>/dev/null; then
-  mkdir -p /etc/initramfs-tools/root/.ssh
+  mkdir -p $d/root/.ssh /etc/dropbear-initramfs
   chmod 700 $d/root $d/root/.ssh
   cp -p /root/.ssh/authorized_keys $d/root/.ssh/authorized_keys
+  cp -p /root/.ssh/authorized_keys /etc/dropbear-initramfs
   update-initramfs -u -k all
 fi
diff --git a/switch-mail-host b/switch-mail-host
index f26b945..1598695 100644
--- a/switch-mail-host
+++ b/switch-mail-host
@@ -26,10 +26,10 @@ restore_new_btrbk=false
 restore_old_btrbk=false
 cleanup() {
   if $restore_new_btrbk; then
-    $new_shell sudo systemctl start btrbk.timer
+    m $new_shell sudo systemctl start btrbk.timer
   fi
   if $restore_old_btrbk; then
-    $old_shell sudo systemctl start btrbk.timer
+    m $old_shell sudo systemctl start btrbk.timer
   fi
 }
 _errcatch_cleanup=cleanup # used by sourced err
diff --git a/vpn-mail-forward b/vpn-mail-forward
index 30159a1..7965263 100755
--- a/vpn-mail-forward
+++ b/vpn-mail-forward
@@ -2,12 +2,16 @@
 
 set -eE -o pipefail
 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
+m() { printf "%s\n" "$*";  "$@"; }
+gw=$(/usr/sbin/ip route | sed -rn 's/^default via .* dev (\S+).*/\1/p')
 do-forward() {
     cmd=$1; shift
     for port; do
-        /sbin/iptables -t nat $cmd PREROUTING -i eth0 -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port
+        m /sbin/iptables -t nat $cmd PREROUTING -i $gw -p tcp -m tcp --dport $port -j DNAT --to-destination 10.8.0.4:$port
+        # we could leave these on all the time but its convenient to do it here
     done
+    m /sbin/iptables $cmd FORWARD -i tun+ -o $gw -j ACCEPT
+    m /sbin/iptables $cmd FORWARD -i $gw -o tun+ -j ACCEPT
 }
 
 ports=(25 143 587)
-- 
2.30.2