From 77917a8fbf2032a8b2634a1b3de0879ec45cf213 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sun, 5 Jan 2020 13:41:50 -0500
Subject: [PATCH] updates, especially for etiona
---
 .bashrc | 4 ++
 Makefile | 2 +-
 brc | 1 -
 brc2 | 34 ++++++++------
 btrbk-run | 12 ++---
 check-subvol-stale | 5 +-
 conflink | 4 --
 distro-begin | 68 +++++++++++++--------------
 distro-end | 75 ++++++++++++++++++------------
 filesystem/usr/local/bin/myupgrade | 2 +-
 mail-setup | 45 +++++++++---------
 pkgs | 1 -
 ssh-emacs-setup | 1 +
 subdir_files/sieve/lists.sieve | 2 +
 subdir_files/sieve/liststest.sieve | 2 +
 15 files changed, 138 insertions(+), 120 deletions(-)
diff --git a/.bashrc b/.bashrc
index d374dd4..04df859 100644
--- a/.bashrc
+++ b/.bashrc
@@ -36,6 +36,10 @@ HISTIGNORE='pass *:[ ]*:otp *:oathtool *' # see comments in brc2 sl() function for background.
 if [[ $SSH_CONNECTION ]] \
 && [[ $BRC != t ]]; then
+ brc() {
+ export BRC=t
+ source ~/.bashrc
+ }
 return 0
 else
diff --git a/Makefile b/Makefile
index 3c19e63..eeb913a 100644
--- a/Makefile
+++ b/Makefile
@@ -3,5 +3,5 @@ all: ~/.local/distro-begin ~/.local/distro-end ~/.local/distro-begin: distro-begin mail-setup /a/bin/buildscripts/emacs ssh-emacs-setup distro-begin
-~/.local/distro-end: distro-end distro-pkgs pkgs primary-setup /a/bin/buildscripts/tor-browser /a/bin/buildscripts/go /a/bin/buildscripts/rust /a/bin/buildscripts/misc
+~/.local/distro-end: distro-end distro-pkgs pkgs primary-setup /a/bin/buildscripts/tor-browser /a/bin/buildscripts/go /a/bin/buildscripts/rust /a/bin/buildscripts/misc /p/c/gen-fsf-vpn distro-end
diff --git a/brc b/brc
index 30ee49a..a85cd66 100644
--- a/brc
+++ b/brc
@@ -479,7 +479,6 @@ ev() { done } - ediff() { [[ ${#@} == 2 ]] || { echo "error: ediff requires 2 arguments"; return 1; } emacs --eval "(ediff-files \"$1\" \"$2\")"
diff --git a/brc2 b/brc2
index d9c7cbd..cdac34b 100644
--- a/brc2
+++ b/brc2
@@ -114,11 +114,11 @@ bbk() { # btrbk wrapper local active=true systemctl is-active btrbk.timer || active=false if $active; then - ser disable btrbk.timer + ser stop btrbk.timer fi - if systemctl is-active btrbk.service; then - $active && ser enable btrbk.timer + if [[ $(systemctl is-active btrbk.service ||:) != inactive ]]; then echo "cron btrbk is already running" + if $active; then ser start btrbk.timer; fi return 1 fi # run latest @@ -126,9 +126,9 @@ bbk() { # btrbk wrapper jrun -p btrbk btrbk-run "$@" if $active; then if (( $ret )); then - echo bbk: WARNING: btrbk.timer not reenabled due to failure + echo bbk: WARNING: btrbk.timer not restarted due to failure else - ser enable btrbk.timer + ser start btrbk.timer fi fi return $ret @@ -807,22 +807,28 @@ resolvcat() { m s nscd -i hosts f=/etc/resolv.conf echo $f:; ccat $f - # this will fail is dnsmasq is failed - hr; m ser status dnsmasq | cat || : hr; s ss -lpn 'sport = 53' - #hr; echo dnsmasq is $(systemctl is-active dnsmasq) - f=/var/run/dnsmasq/resolv.conf - hr; echo $f:; ccat $f - hr; m grr '^ *(servers-file|server) *=|^ *no-resolv *$' /etc/dnsmasq.conf /etc/dnsmasq.d - f=/etc/dnsmasq-servers.conf - hr; echo $f:; ccat $f + if systemctl is-enabled dnsmasq &>/dev/null || [[ $(systemctl is-active dnsmasq ||:) != inactive ]]; then + # this will fail is dnsmasq is failed + hr; m ser status dnsmasq | cat || : + f=/var/run/dnsmasq/resolv.conf + hr; echo $f:; ccat $f + hr; m grr '^ *(servers-file|server) *=|^ *no-resolv *$' /etc/dnsmasq.conf /etc/dnsmasq.d + f=/etc/dnsmasq-servers.conf + hr; echo $f:; ccat $f + fi + if systemctl is-enabled systemd-resolved &>/dev/null || [[ $(systemctl is-active systemd-resolved ||:) != inactive ]]; then + hr; m ser status systemd-resolved | cat || : + hr; m systemd-resolve --status + fi + } rcat() { resolvcat | less } reresolv() { sudo nscd -i hosts - sudo systemctl restart dnsmasq + #sudo systemctl restart dnsmasq } # only run on MAIL_HOST. simpler to keep this on one system. 
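Review bot: The new guard `[[ $(systemctl is-active btrbk.service ||:) != inactive ]]` treats every state other than `inactive` as "already running", so a unit left in `failed` state prints "cron btrbk is already running", restarts the timer and aborts the manual run even though nothing is executing. If the intent is to also catch `activating`/`deactivating`, name the idle states instead: `if [[ $(systemctl is-active btrbk.service ||:) != @(inactive|failed) ]]; then`. The `$ret` tested in the second part of this function is assigned outside the hunk, so I cannot confirm it reflects the `jrun` call.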
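Review bot: The comment `# this will fail is dnsmasq is failed` carried into the new dnsmasq block in resolvcat has a typo and does not say what fails or why the `|| :` follows; `# ser status exits non-zero when dnsmasq is in failed state, hence the || :` would say both. In reresolv the restart is left commented out with no reason given, and the commit message only says "updates", so the next reader has nothing to stop them from uncommenting it; a one-line why above it would. Both function bodies are fully visible here, but the helpers `hr`, `m`, `s` and `ccat` are defined elsewhere.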
diff --git a/btrbk-run b/btrbk-run index 04a71a8..6836382 100644 --- a/btrbk-run +++ b/btrbk-run @@ -176,16 +176,17 @@ if [[ ! -v targets && ! $source ]]; then tp) # kd disabled temporarily while its hot and i plan to work on it. #targets=(frodo kd) - targets=(frodo x3.b8.nz) + #targets=(frodo x2.b8.nz) + targets=(frodo) # might not be connected to the vpn - if timeout -s 9 10 ssh kw :; then + if timeout -s 9 6 ssh kw :; then targets+=(kw) fi ;; kd) targets=(frodo tp) # might not be connected to the vpn - if timeout -s 9 10 ssh kw :; then + if timeout -s 9 6 ssh kw :; then targets+=(kw) fi ;; @@ -278,7 +279,6 @@ fi - if ! which btrbk &>/dev/null; then die "error: no btrbk binary found" fi @@ -306,7 +306,7 @@ else for h in ${targets[@]}; do if zone=$(ssh root@$h "mkdir -p /mnt/root/btrbk && date +%z"); then # This is a separate ssh because xprintidle can fail and thats ok. - if $cron && idle_ms=$(ssh $h DISPLAY=:0 xprintidle); then + if $cron && idle_ms=$(timeout -s 9 6 ssh $h DISPLAY=:0 xprintidle); then if (( idle_ms < min_idle_ms )); then # Ignore this host. i sometimes use a non-main machine for @@ -449,7 +449,7 @@ if mountpoint $rsync_mountpoint >/dev/null; then fi if [[ $source ]]; then - m mount-latest-subvol $verbose_arg + m mount-latest-subvol else m /a/exe/mount-latest-remote ${targets[@]} fi diff --git a/check-subvol-stale b/check-subvol-stale index d514baf..8e7d754 100644 --- a/check-subvol-stale +++ b/check-subvol-stale @@ -100,7 +100,7 @@ for d; do echo "$0: error could not find root subvol mount for $dev" >&2 exit 1 fi - svp=$root_dir/$subvol_dir + svp=$root_dir/$subvol_dir # subvolume path d "svp=$svp # subvolume path" snaps=($root_dir/btrbk/$subvol_dir.20*) # Assumes we are in the 21st century. 
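Review bot: The reachability probe `timeout -s 9 6 ssh kw :` is now copied verbatim into both the `tp)` and `kd)` arms, and a third 6-second `timeout -s 9` wraps the xprintidle call in the later hunk, so the next timeout tweak has to be made in three places; hoisting `ssh_probe_timeout=6` above the `case` and writing `if timeout -s 9 "$ssh_probe_timeout" ssh kw :; then` keeps them in step. A SIGKILL after a fixed budget also gives ssh no chance to say why it failed; `ssh -o ConnectTimeout=6 -o BatchMode=yes kw :` expresses the same intent (give up on an unreachable host, never block on a prompt) and fails cleanly with a message, if that is acceptable for the VPN case noted in the comment. The enclosing `case` starts before this hunk.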
@@ -136,7 +136,8 @@ for d; do f=${s##*/} unix_time=$(date -d $(sed -r 's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<${f#$vol.}) +%s) printf "%s %s\n" $unix_time $s - done | sort -r | head -n 1 | awk '{print $2}' + # sort will fail + done | sort -r | head -n 1 | awk '{print $2}' || [[ ${PIPESTATUS[1]} == 2 ]] ) if [[ ! $last_snap ]]; then # should not happen. diff --git a/conflink b/conflink index 8deae09..69b6a6e 100755 --- a/conflink +++ b/conflink @@ -173,10 +173,6 @@ case $user in ##### end special extra stuff ##### - if [[ -e /etc/openvpn ]]; then - sudo bash -c 'shopt -s nullglob && cd /etc/openvpn && for f in client/* server/*; do ln -sf $f .; done' - fi - m sudo -H -u user2 "${BASH_SOURCE[0]}" f=/a/bin/distro-setup/system-status diff --git a/distro-begin b/distro-begin index eb51dcb..16d3359 100755 --- a/distro-begin +++ b/distro-begin @@ -46,7 +46,6 @@ ### make ssh interactive shell run better. for when running line interactively line by line sudo bash -c '/a/exe/ssh-emacs-setup' -if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi ##### setup error handling interactive=true # set this to false to force set -x [[ $- == *i* ]] || interactive=false 
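Review bot: `# sort will fail` does not say why or which status is expected, yet the guard on the next line accepts exactly `${PIPESTATUS[1]} == 2` and nothing else; a comment such as `# head exits after one line, so sort's write fails (exit 2) and pipefail would fail the pipeline; tolerate only that` would make the magic number checkable (the mechanism is my reading, please confirm). As written the guard also masks a non-zero status from the date/printf loop, `PIPESTATUS[0]`, whenever sort happens to exit 2, so `[[ ${PIPESTATUS[0]} == 0 && ${PIPESTATUS[1]} == 2 ]]` is the stricter form. The command substitution this pipeline closes with `)` opens before the hunk.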
@@ -168,15 +167,26 @@ EOF pi rsync - # from /usr/share/doc/dropbear-initramfs/README.initramfs.gz - tmp=$(mktemp) - while read -r m _; do /sbin/modinfo -F filename "$m"; done /dev/null; then - sudo dd if=$tmp of=/etc/initramfs-tools/modules + ## /usr/share/doc/dropbear-initramfs/README.initramfs.gz + ## claims we need to do this. but it works fine without it. + # tmp=$(mktemp) + # while read -r m _; do /sbin/modinfo -F filename "$m"; done /dev/null; then + # sudo dd if=$tmp of=/etc/initramfs-tools/modules + # sudo /usr/sbin/update-initramfs -u -k all + # fi + # + ## if we were creating an intall for a different machine needing different modules, we could include them all like this: + ## find /lib/modules/*/kernel/drivers/net /lib/modules/*/kernel/net -type f -name '*.ko' -printf "%f\n" | sed 's/.ko$//' | sort -u >/etc/initramfs-tools/modules + + # this is here to cleanup the leftover from the comments above. remove it eventually. + if [[ -s /etc/initramfs-tools/modules ]]; then + sudo truncate -s0 /etc/initramfs-tools/modules sudo /usr/sbin/update-initramfs -u -k all fi + # initram auth keys get setup with rootsshsync $script_dir/rootsshsync # then for remote unlock, ssh and do this once per crypt disk: 
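Review bot: The cleanup guard `if [[ -s /etc/initramfs-tools/modules ]]` is true whenever the file is non-empty, and on Debian-derived systems initramfs-tools ships that file with a comment header, so a clean install that never got the old module list would still be truncated (losing the stock comments) and have its initramfs rebuilt once. Testing for non-comment content distinguishes the leftover this block is meant to remove from the stock template: `if grep -qvE '^[[:space:]]*(#|$)' /etc/initramfs-tools/modules; then`. Since the comment already marks the block as temporary, naming the commit it cleans up after (this one) would help decide when to delete it.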
@@ -516,36 +526,28 @@ if tp || x2 || x3; then esac fi -if has_x; then +if has_monitor; then + + # sway not packaged for t9, not bothering to build it yet since + # i3 doesnt seem to tear and stutter on video anymore. + if [[ $codename == buster ]]; then + pi sway xwayland + fi + + ###### install X pi i3 - if isarch; then - # xorg-xmessage for displaying error messages. - # optional dependency in arch, standard elsewhere. - pi xorg-server xorg-xmessage xorg-xsetroot xorg-xinit - fi ##### install xinput case $(distro-name) in trisquel|ubuntu|debian) pi xinput ;; - arch) - pi xorg-xinput - ;; esac - #### install redshift - case $(distro-name) in - trisquel|ubuntu|debian) - # recommends gets us geoclue (for darkening automatically at night i assume), - # which recommends modemmanager, which is annoying to fix for the model01 keyboard. - pi --no-install-recommends gtk-redshift - ;;& - arch) - pi redshift - ;;& - esac + # recommends gets us geoclue (for darkening automatically at night i assume), + # which recommends modemmanager, which is annoying to fix for the model01 keyboard. + pi --no-install-recommends gtk-redshift ##### setup X autostart # todo, figure this out for arch if we ever try out gnome. @@ -558,23 +560,19 @@ if has_x; then [SeatDefaults] session-setup-script=/a/bin/distro-setup/desktop-20-autostart.sh EOF -fi -### install and configure wayland -if has_wayland; then - pi sway xwayland + # originally used xkbcomp, documented in input-setup.sh, this doesnt # work under wayland, but its still useful for creating the config, # then modifying the system files. sudo sed -i.orig '/key * *{/,/}/s/KP_Multiply/underscore/g' /usr/share/X11/xkb/symbols/keypad -fi -##### basic graphical packages -if has_monitor; then + ##### basic graphical packages pi konsole suckless-tools fi + ##### install emacs if $emacs; then if isarch; then diff --git a/distro-end b/distro-end index a53c8c8..0c6b463 100755 --- a/distro-end +++ b/distro-end 
@@ -1,7 +1,7 @@ #!/bin/bash # Copyright (C) 2019 Ian Kelling # SPDX-License-Identifier: AGPL-3.0-or-later -if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi +export BRC=t; if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi ### setup source /a/bin/errhandle/err @@ -362,7 +362,18 @@ Pin-Priority: 1005 EOF - ;; + ;;& + etiona) + sd /etc/apt/preferences.d/etiona-bionic <<'EOF' +Package: * +Pin: release n=bionic +Pin-Priority: -100 + +Package: firefox gnome-screenshot gnome-icon-theme libnautilus-extension1a gnome-settings-daemon nautilus yelp gnome-settings-daemon-schemas nautilus-data ubuntu-wallpapers gnome-control-center gnome-control-center-data gnome-control-center-faces libsnapd-glib1 ubuntu-wallpapers-bionic gir1.2-snapd-1 ubuntu-drivers-common ubuntu-docs libyelp0 +Pin: release n=bionic +Pin-Priority: 500 +EOF + ;;& *) if isdeb; then pi debian-goodies shellcheck @@ -793,16 +804,11 @@ fi ######### end irc periodic backup ############# -case $distro in - debian|trisquel|ubuntu) - # suggests resolvconf package. installing it here is redundant, but make sure anyways. - # todo: check other distros to make sure it\'s installed - pi-nostart openvpn resolvconf - # pi-nostart does not disable - ser disable openvpn - ;; - *) pi openvpn;; -esac +pi-nostart openvpn +# pi-nostart does not disable +ser disable openvpn + +/p/c/gen-fsf-vpn m /a/bin/distro-setup/radicale-setup @@ -1045,6 +1051,7 @@ sgo schrootupdate.timer # for my roommate case $distro in trisquel) + # cant do buster due to old gpg m mkschroot debian stretch firefox-esr pulseaudio chromium ;; debian) 
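Review bot: The terminator of the arm above `etiona)` changes from `;;` to `;;&`, and the new `etiona)` arm ends with `;;&` as well, so both now continue to the following patterns including `*)`, which installs debian-goodies and shellcheck when `isdeb`; if that fall-through is the purpose, a comment on the arm such as `# ;;& so the generic deb setup in *) also runs` records it, otherwise `;;` keeps the previous behaviour. In the pin file, `Pin-Priority: 500` for the listed packages only equals apt's default priority, so a bionic build is chosen only when its version is higher than etiona's own; that is enough if the goal is merely to make them installable despite the blanket -100, but if bionic should win regardless the priority has to be above 500. The `case $distro in` this belongs to opens before the hunk.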
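Review bot: `/p/c/gen-fsf-vpn` is invoked bare, whereas the neighbouring steps (`ser disable openvpn`, `m /a/bin/distro-setup/radicale-setup`) go through the file's `m` helper, presumably an echo-and-run wrapper, so this is the one step that will not appear in that output; `m /p/c/gen-fsf-vpn` keeps it consistent. The Makefile hunk makes the script a prerequisite of distro-end, so the path is expected to exist, but nothing here says what it produces or where; a one-line comment above the call naming its output would help whoever reads this next.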
@@ -1377,16 +1384,31 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \ ########### misc stuff -pi-nostart network-manager -# make networkmanager use resolvconf instead of its own dnsmasq which -# conflicts with the normal dnsmasq package. -f=/etc/NetworkManager/NetworkManager.conf -m=$(md5sum $f) -sudo sed -ri '/ *\[main\]/,/^ *\[[^]]+\]/{/^\s*dns[[:space:]=]/d}' $f -sudo sed -ri '/ *\[main\]/a dns=default' $f -if [[ $m != $(md5sum $f) ]]; then - srestart NetworkManager -fi +case $(debian-codename) in + # needed for debootstrap scripts for fai since fai requires debian + flidas) + pi dnsmasq + pi-nostart network-manager + # make networkmanager use resolvconf instead of its own dnsmasq which + # conflicts with the normal dnsmasq package. + f=/etc/NetworkManager/NetworkManager.conf + m=$(md5sum $f) + sudo sed -ri '/ *\[main\]/,/^ *\[[^]]+\]/{/^\s*dns[[:space:]=]/d}' $f + sudo sed -ri '/ *\[main\]/a dns=default' $f + if [[ $m != $(md5sum $f) ]]; then + srestart NetworkManager + fi + # networkmanager has this nasty behavior on flidas: if the machine + # crashes with dnsmasq running, on subsequent boot, it adds an entry to + # resolvconf for 127.0.0.1 in some stupid attempt to restore + # nameservers. + # This can be manually fixed by stoping dnsmasq, + # then based on whats in /run/dnsmasq/, i see we can run + # s resolvconf -d NetworkManager + # oh ya, and stoping NetworkManager leaves this crap behind without cleaning it up. + ser disable NetworkManager + ;; +esac # make my /etc/fonts/conf.d/ get used. # I have a new sans-serif font there because the default one 
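Review bot: The comment `# needed for debootstrap scripts for fai since fai requires debian` sits between `case $(debian-codename) in` and the `flidas)` pattern, where it reads as a justification for the whole case, yet the arm it precedes installs dnsmasq and NetworkManager, rewires NetworkManager's dns setting and finally disables NetworkManager, and it is not clear which of those lines the fai remark explains. Moving it next to the line it justifies (presumably `pi dnsmasq`) or rewording to `# flidas only: ...` would make the intent readable. Note also that `ser disable NetworkManager` was unconditional before (the later hunk removes the old copy) and now runs only on flidas; if that narrowing is deliberate, the comment should say so.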
@@ -1465,15 +1487,6 @@ m /a/bin/buildscripts/tor-browser # nfs server pi-nostart nfs-kernel-server -# networkmanager has this nasty behavior on flidas: if the machine -# crashes with dnsmasq running, on subsequent boot, it adds an entry to -# resolvconf for 127.0.0.1 in some stupid attempt to restore -# nameservers. -# This can be manually fixed by stoping dnsmasq, -# then based on whats in /run/dnsmasq/, i see we can run -# s resolvconf -d NetworkManager -# oh ya, and stoping NetworkManager leaves this crap behind without cleaning it up. -ser disable NetworkManager if [[ $HOSTNAME == frodo ]]; then diff --git a/filesystem/usr/local/bin/myupgrade b/filesystem/usr/local/bin/myupgrade index eedc62d..737cb13 100755 --- a/filesystem/usr/local/bin/myupgrade +++ b/filesystem/usr/local/bin/myupgrade @@ -46,7 +46,7 @@ l go get -u mvdan.cc/fdroidcl cmd="sudo /usr/sbin/checkrestart -p" if [[ $($cmd | sed '/^Found 0 processes using old versions of upgraded files$/d' | wc -l) != 0 ]]; then - $cmd -v | pee cat "wall -n" + $cmd | pee cat wall fi # no automatic reboot for these hosts diff --git a/mail-setup b/mail-setup index 6f96982..b045484 100755 --- a/mail-setup +++ b/mail-setup 
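Review bot: `$cmd` (`sudo /usr/sbin/checkrestart -p`) is executed twice, once inside the `if` test and again to feed `pee cat wall`, so the text broadcast to every terminal is a second, possibly different, snapshot from the one the test looked at, and a privileged command is spawned twice for one answer. Run it once and reuse the output; the original sed/wc test treats the single "Found 0 processes" line as the only nothing-to-do output, which a direct comparison expresses without the pipeline. Whether a non-zero exit from checkrestart should now stop the script, once it is no longer hidden inside a pipeline, depends on the `set` options outside this hunk.
```shell
cmd="sudo /usr/sbin/checkrestart -p"
out=$($cmd)
# the only output when nothing needs a restart is the "Found 0 processes" line
if [[ -n $out && $out != 'Found 0 processes using old versions of upgraded files' ]]; then
  printf '%s\n' "$out" | pee cat wall
fi
# … unchanged: no automatic reboot for these hosts …
```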
@@ -308,25 +308,19 @@ f=/a/bin/bash_unpublished/source-state if [[ -e $f ]]; then source $f fi -if [[ $HOSTNAME == "$MAIL_HOST" ]]; then - local_mx=mail.iankelling.org - mkdir -p /etc/letsencrypt/live/$local_mx - chmod 700 /etc/letsencrypt/live - rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/" - ${rsync_common}fullchain.pem /etc/exim4/exim.crt - ret=$? - ${rsync_common}privkey.pem /etc/exim4/exim.key - new_ret=$? - if [[ $ret != $new_ret ]]; then - echo "$0: error: differing rsync returns, $ret, $new_ret" - exit 1 - fi +if [[ $HOSTNAME != "$MAIL_HOST" ]]; then + exit 0 fi -if [[ $new_ret != 0 ]]; then - if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then - echo "$0: error!: cert rsync failed and it will expire in less than 3 days" - exit 1 - fi +local_mx=mail.iankelling.org +mkdir -p /etc/letsencrypt/live/$local_mx +chmod 700 /etc/letsencrypt/live +rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/" +# allow for temporary connection issues +${rsync_common}fullchain.pem /etc/exim4/exim.crt ||: +${rsync_common}privkey.pem /etc/exim4/exim.key ||: +if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then + echo "$0: error!: cert rsync failed and it will expire in less than 3 days" + exit 1 fi exit 0 EOF @@ -446,7 +440,7 @@ DKIM_SELECTOR = li # The file is based on the outgoing domain-name in the from-header. DKIM_DOMAIN = \${lc:\${domain:\$h_from:}} # sign if key exists -DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}} +DKIM_PRIVATE_KEY = \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}} # most of the ones that gmail seems to use. # Exim has horrible default of signing unincluded 
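Review bot: With both rsync calls now ending in `||:`, a run where `fullchain.pem` transfers but `privkey.pem` does not (or the reverse) leaves `/etc/exim4/exim.crt` and `exim.key` from different renewals, and the only remaining check, `openssl x509 -checkend` on the certificate, passes as long as the new certificate is fresh; the old code at least aborted on differing rsync statuses. Keeping the tolerance for transient connection problems but refusing to exit 0 with a mismatched pair closes that gap. This is inside a here-document whose opening is before the hunk, and the unescaped `$(( ))` already in it suggests the delimiter is quoted, so the added `$(...)` stays literal in the generated script.
```shell
# allow for temporary connection issues
${rsync_common}fullchain.pem /etc/exim4/exim.crt ||:
${rsync_common}privkey.pem /etc/exim4/exim.key ||:
# if only one transfer succeeded the pair can be from different renewals; refuse that
if [[ $(openssl x509 -noout -pubkey -in /etc/exim4/exim.crt) != $(openssl pkey -pubout -in /etc/exim4/exim.key) ]]; then
  echo "$0: error!: exim.crt and exim.key do not match"
  exit 1
fi
# … unchanged: -checkend expiry test, exit 0 …
```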
@@ -689,13 +683,16 @@ case $HOSTNAME in /^127\.0\.1\.1.* mail\.iankelling\.org\b/{p;d} /^127\.0\.1\.1 /s/ *$/ mail.iankelling.org/ EOF + + # note: systemd-resolved will consult /etc/hosts, dnsmasq wont. this assumes + # weve configured this file in dnsmasq if we are using it. /a/exe/cedit mail /etc/dnsmasq-servers.conf <<'EOF' || [[ $? == 1 ]] server=/mail.iankelling.org/127.0.1.1 EOF if systemctl is-active dnsmasq >/dev/null; then m systemctl restart dnsmasq - m nscd -i hosts fi + m nscd -i hosts # I used to use debconf-set-selections + dpkg-reconfigure, # which then updates this file @@ -818,7 +815,7 @@ EOF ;; # * not MAIL_HOST *) # $HOSTNAME != $MAIL_HOST - # remove mail. 2 lines to properly remove whitespace + # remove mail. uses 2 lines to properly remove whitespace sed -ri -f - /etc/hosts <<'EOF' s#^(127\.0\.1\.1 .*) +mail\.iankelling\.org$#\1# s#^(127\.0\.1\.1 .*)mail\.iankelling\.org +(.*)#\1\2# @@ -826,9 +823,9 @@ EOF echo | /a/exe/cedit mail /etc/dnsmasq-servers.conf || [[ $? == 1 ]] if systemctl is-active dnsmasq >/dev/null; then - m nscd -i hosts m systemctl restart dnsmasq # reload does not ensure new config is used fi + m nscd -i hosts m systemctl disable mailclean.timer &>/dev/null ||: m systemctl stop mailclean.timer &>/dev/null ||: @@ -941,8 +938,8 @@ elif [[ $uid != 608 ]]; then m usermod -u 608 Debian-exim m groupmod -g 608 Debian-exim m usermod -g 608 Debian-exim - m find / /nocow -xdev -uid $uid -exec chown -h 608 {} + - m find / /nocow -xdev -gid $gid -exec chgrp -h 608 {} + + m find / /nocow -path ./var/tmp -prune -o -xdev -uid $uid -execdir chown -h 608 {} + + m find / /nocow -path ./var/tmp -prune -o -xdev -gid $gid -execdir chgrp -h 608 {} + fi diff --git a/pkgs b/pkgs index 7bc4db7..c24084c 100644 --- a/pkgs +++ b/pkgs @@ -76,7 +76,6 @@ p3=( dillo dirmngr dnsutils - dnsmasq python-dnspython python3-dnspython dtrx diff --git a/ssh-emacs-setup b/ssh-emacs-setup index 65679fd..ff3e2d0 100755 --- a/ssh-emacs-setup +++ b/ssh-emacs-setup 
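Review bot: `m nscd -i hosts` moves out of the `if systemctl is-active dnsmasq` block and now runs unconditionally, here and in the non-MAIL_HOST arm (the `@@ -826` hunk); on a host without nscd installed that turns a step that used to be skipped along with dnsmasq into a failing `m`-wrapped command. If nscd is not guaranteed everywhere this script runs, guard it: `if command -v nscd >/dev/null; then m nscd -i hosts; fi`. The new resolved-vs-dnsmasq comment is useful; `weve` → `we've` and `wont` → `won't` while you are there. The `case $HOSTNAME in` this belongs to opens before the hunk.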
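Review bot: `-path ./var/tmp` can never match because the starting points are `/` and `/nocow`, so find reports every path as `/var/tmp/...`, never `./var/tmp/...`; the prune is a no-op and both the chown and the chgrp still descend into /var/tmp. Use the absolute path, and since `-xdev` is a global option GNU find warns when it appears after `-o`, so put it first: `m find / /nocow -xdev -path /var/tmp -prune -o -uid $uid -execdir chown -h 608 {} +` with the same change on the chgrp line. If `/nocow/var/tmp` was also meant to be skipped it needs its own `-path`. The `-exec` → `-execdir` switch is a good change for the directory-traversal race.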
@@ -25,6 +25,7 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR cd $(dirname $0) teeu /etc/ssh/ssh_config 'SendEnv INSIDE_EMACS BRC COLUMNS' +## note, duplicated in /a/bin/fai/fai/config/scripts/GRUB_PC/11-iank teeu /etc/ssh/sshd_config 'AcceptEnv INSIDE_EMACS BRC COLUMNS' # get rid of useless motd stuff sed -i --follow-symlinks 's/^\s*PrintLastLog .*/PrintLastLog no/' /etc/ssh/sshd_config diff --git a/subdir_files/sieve/lists.sieve b/subdir_files/sieve/lists.sieve index 00b9443..6c09b2f 100644 --- a/subdir_files/sieve/lists.sieve +++ b/subdir_files/sieve/lists.sieve @@ -72,6 +72,7 @@ if anyof ( header :contains "list-id" "", header :contains "list-id" "", header :contains "list-id" "", + header :contains "list-id" "", header :contains "list-id" "") { if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { set :lower "listname" "${1}"; @@ -116,6 +117,7 @@ if anyof ( header :contains "list-id" "", header :contains "list-id" "", header :contains "from" "", + header :contains "list-id" "", header :contains "list-id" "" ) { fileinto :create "community"; diff --git a/subdir_files/sieve/liststest.sieve b/subdir_files/sieve/liststest.sieve index 00b9443..c69155c 100644 --- a/subdir_files/sieve/liststest.sieve +++ b/subdir_files/sieve/liststest.sieve @@ -71,6 +71,7 @@ if anyof ( header :contains "list-id" "", header :contains "list-id" "", header :contains "list-id" "", + header :contains "list-id" "", header :contains "list-id" "", header :contains "list-id" "") { if header :regex "list-id" "<([a-z_0-9-]+)[.@]" { @@ -116,6 +117,7 @@ if anyof ( header :contains "list-id" "", header :contains "list-id" "", header :contains "from" "", + header :contains "list-id" "", header :contains "list-id" "" ) { fileinto :create "community"; -- 2.30.2
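Review bot: The added rule `header :contains "list-id" ""` appears here with an empty match string, as do all its neighbours, which most likely means the angle-bracketed list ids (values like `<somelist.example.org>`, constructed example) were stripped as markup when the patch was rendered; if the committed file really has `""`, `:contains ""` is true for every message carrying a List-Id header and the surrounding `anyof` arms are redundant. Worth confirming against the actual file, and the same applies to the identical additions in liststest.sieve. The `if anyof (` these lines belong to opens before the hunk.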