From 7a82762b44f4732f6b075a0cb5d8b258f5022d12 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Mon, 4 Dec 2017 20:42:20 -0500 Subject: [PATCH] various improvements and fixes, some flidas related --- btrbk-run | 25 +++++--- conflink | 7 +++ distro-begin | 42 +++++++++++-- distro-end | 118 ++++++++++++++++++++++++++++-------- keyscript-off | 5 +- mail-route | 14 ++++- mail-setup | 142 +++++++++++++++++++++++--------------------- mount-latest-subvol | 19 +++--- radicale-setup | 11 +++- switch-mail-host | 7 +-- vpn-client-connect | 2 +- 11 files changed, 266 insertions(+), 126 deletions(-) diff --git a/btrbk-run b/btrbk-run index 454f12c..f45fe36 100755 --- a/btrbk-run +++ b/btrbk-run @@ -113,14 +113,23 @@ if (( ${#mountpoints[@]} )); then fi done else # set default mountpoints - if [[ $HOSTNAME == frodo ]]; then - prospective_mps=(/i) - else - prospective_mps=(/a /q) - if [[ $HOSTNAME == "$MAIL_HOST" ]]; then - prospective_mps+=(/o) - fi - fi + case $HOSTNAME in + frodo) + prospective_mps=(/i) + ;; + *) + prospective_mps=(/a /q) + if [[ $HOSTNAME == "$MAIL_HOST" ]]; then + prospective_mps+=(/o) + fi + ;; + esac + case ${targets[0]} in + kw|kww) + prospective_mps=(/a) + ;; + esac + for mp in ${prospective_mps[@]}; do # default mountpoints to sync if [[ -e /nocow/btrfs-stale/$mp ]]; then echo "$0: warning: $mp stale, not adding to default mountpoints" diff --git a/conflink b/conflink index 139096f..1bc997b 100755 --- a/conflink +++ b/conflink @@ -75,6 +75,9 @@ case $USER in ian|iank) # p needs to go first so .ssh link is created, then config link inside it m common-file-setup ${all_dirs[@]} + + #### begin special extra stuff #### + install -d -m700 ~/gpg-agent-socket if [[ -d /etc/bind/bind-writable ]]; then # need bind writable dir for nsupdate, or else we get # named[20823]: /etc/bind/db.iank.pw.jnl: create: permission denied 
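Review bot: The second `case ${targets[0]} in kw|kww)` added to btrbk-run's default-mountpoint branch overwrites prospective_mps wholesale, so the `/o` entry appended a few lines earlier when `$HOSTNAME == "$MAIL_HOST"` is silently dropped for those targets. If that is intended, a one-line comment above the second case, e.g. `# kw/kww only ever get /a, even when run from the mail host`, would record it for the next reader. If `targets` can be empty at this point and the script runs under `set -u` (not visible in the hunk), `${targets[0]}` raises an unbound-variable error; `${targets[0]-}` keeps the same matching and avoids that.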
@@ -83,6 +86,10 @@ case $USER in if [[ -e /etc/davpass ]] && getent group www-data &>/dev/null; then s chgrp www-data /etc/davpass fi + ##### end special extra stuff ##### + + + m sudo -H -u traci "$BASH_SOURCE" ;; traci) diff --git a/distro-begin b/distro-begin index 5ae900f..4ea0842 100755 --- a/distro-begin +++ b/distro-begin @@ -239,6 +239,8 @@ if isdeb; then fi + +###### begin arch aur wrapper ######## if isarch; then #https://wiki.archlinux.org/index.php/Arch_User_Repository#Installing_packages sudo pacman -S --noconfirm --needed base-devel jq @@ -264,18 +266,44 @@ if isarch; then sudo systemctl enable pacserve.service sudo systemctl start pacserve.service +fi +###### end arch aur wrapper ######## + +pup + + +###### begin trash cli install ###### +if isarch; then # strange error if just installing trash-cli: "pyalpm requires python", # so I see that it requires python2, and installing that manually fixes it. - # I didn't see this on earlier installation, main thing which changed was - # pacserve, so not sure if it's related. + # I didn\'t see this on earlier installation, main thing which changed was + # pacserve, so not sure if it\'s related. pi python2 fi - -pup pi trash-cli +###### end trash cli install ###### -###### link files ########### +######## begin fix evbug bug ###### +case $distro in + trisquel|ubuntu) + # noticed in flidas. + #https://bugs.launchpad.net/ubuntu/+source/module-init-tools/+bug/240553 + sudo rmmod evbug ||: # might not be loaded yet + file=/etc/modprobe.d/blacklist.conf + line="blacklist evbug" + if ! grep -xFq "$line" $file; then + sudo tee -a $file &>/dev/null <<<"$line" + sudo depmod -a + sudo update-initramfs -u + fi + ;; +esac +######## end fix evbug bug ###### + + + +###### begin link files ########### # convenient to just do all file linking in one place @@ -303,6 +331,8 @@ if has_p; then lnf -T /i/k/mboxes ~/mail fi +###### end link files ########### + ##### basic needed packages 
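Review bot: The comment lines rewritten in distro-begin's @@ -264 hunk replace `didn't`/`it's` with `didn\'t`/`it\'s`; inside a `#` comment the backslash does nothing, so this reads as an editor or sed artifact rather than an intended change, and the same substitution appears in distro-end @@ -361, mail-route @@ -90 and mail-setup @@ -108 and @@ -253. I would restore the plain apostrophes in all of them. In the new evbug block, `grep -xFq "$line" $file` prints an error to stderr the first time /etc/modprobe.d/blacklist.conf does not exist, although the negated test still takes the append branch as intended; `grep -xFqs "$line" "$file"` keeps that logic and silences the noise, and quoting `$file` in the following `sudo tee -a` line is cheap.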
@@ -511,7 +541,7 @@ if encrypted; then sudo systemctl enable fstrim.timer fi -dirs=(/mnt/{1,2,3,4,5,6,7,8,9}) +dirs=(/mnt/{1,2,3,4,5,6,7,8,9} /nocow/t) s mkdir -p "${dirs[@]}" s chown $USER:$USER "${dirs[@]}" diff --git a/distro-end b/distro-end index 3b109c8..ca71ad9 100755 --- a/distro-end +++ b/distro-end @@ -67,6 +67,8 @@ case $HOSTNAME in # mutagen for pithos # guvcview set webcam brightness to highest # pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts + # xawtv has webcam cli control. v4lctl bright 80%; v4lctl list + # guvcview also adjusts webcam simple_packages+=( apache2 apache2-doc @@ -83,6 +85,7 @@ case $HOSTNAME in cloc cpulimit cron + debootstrap debconf-doc dirmngr dnsutils @@ -143,10 +146,10 @@ case $HOSTNAME in pry python-autopep8 python3-doc - python3-mutagen qrencode reportbug $(aptitude show ruby | sed -rn 's/Depends: (.*)/\1/p')-doc + schroot sqlite3-doc squashfs-tools swh-plugins @@ -157,6 +160,10 @@ case $HOSTNAME in vlc whois wondershaper + xawtv + xbacklight + xprintidle + xscreensaver ) spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') ;; @@ -328,6 +335,16 @@ EOF # todo: other distros unknown esac +# dogcam setup +case $HOSTNAME in + lj|li) + /a/bin/webcam/install-server + ;; + kw) + /a/bin/webcam/install-client + ;; +esac + # website setup case $HOSTNAME in lj|li) 
@@ -361,6 +378,19 @@ EOF ifconfig-push 10.8.0.4 255.255.255.0 EOF + # it\'s strange. docker seems to make the default for forward + # be drop, but then I set it to accept and it\'s stuck that way, + # I dun know why. But, let\'s make sure we can forward anyways. + s DEBIAN_FRONTEND=noninteractive pi iptables-persistent + rm /etc/iptables/rules.v6 + s tee /etc/iptables/rules.v4 <<'EOF' +*filter +-A FORWARD -i tun+ -o eth0 -j ACCEPT +-A FORWARD -i eth0 -o tun+ -j ACCEPT +COMMIT +EOF + + sudo dd of=/etc/systemd/system/vpnmail.service </var/log/keyscript-off.log echo "$0: starting. $(date)" fi - sed="sed --follow-symlinks" +if [[ $HOSTNAME == kw ]]; then + exit 0 +fi + if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then if grep -q '^\s*FILES=' /etc/mkinitcpio.conf; then $sed -ri 's/^\s*FILES=/#\0/' /etc/mkinitcpio.conf # comment out diff --git a/mail-route b/mail-route index 41e833e..29f152b 100755 --- a/mail-route +++ b/mail-route @@ -70,6 +70,13 @@ show() { e iptables -t nat -S e ip rule e ip route show table 1 + + tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p') + if [[ $tun_dev == tun* ]]; then + e sysctl net.ipv4.conf.$tun_dev.rp_filter + else + echo "$0: note, no tun device found" + fi exit 0 } @@ -90,7 +97,12 @@ modify() { e iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4 e ip rule $ip_op fwmark 1 table 1 # note, this rule does not persist when the tun interface is deleted - #e ip route $ip_op default via 10.8.0.1 table 1 + e ip route $ip_op default via 10.8.0.1 table 1 + + # on debian this is 0 (no filter), on ubuntu it\'s 1, which is no good. 0 or 2 both work fine. + # 2 drops it if the packet is not routable, martian address, or my default route is screwed up, + # so, eh, might as well. some rhel docs recommend using it. + e sysctl net.ipv4.conf.$tun_dev.rp_filter=2 exit 0 } diff --git a/mail-setup b/mail-setup index 70a15a2..7cc7a32 100755 --- a/mail-setup 
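Review bot: The new /etc/iptables/rules.v4 in distro-end's @@ -361 hunk accepts forwarding in both directions between eth0 and every tun interface with no state match, so any host reachable on eth0 can initiate connections to VPN clients through this box; unless that is wanted, the eth0-to-tun rule is usually limited to replies, `-A FORWARD -i eth0 -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`. Two lines earlier, `rm /etc/iptables/rules.v6` is the only command in the block run without the `s` wrapper used on the neighbouring lines and without `-f`, so it fails when run unprivileged or when the file is already absent; `s rm -f /etc/iptables/rules.v6` matches the surrounding style. The heredoc following `sudo dd of=/etc/systemd/system/vpnmail.service` and the keyscript-off file header are garbled in this rendering, so the end of the block could not be reviewed.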
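Review bot: In mail-route's modify(), the new `e sysctl net.ipv4.conf.$tun_dev.rp_filter=2` runs with no check that `$tun_dev` is non-empty, whereas the parallel addition in show() guards with `if [[ $tun_dev == tun* ]]`; with an empty value the key becomes `net.ipv4.conf..rp_filter` and sysctl fails. How tun_dev is derived in modify() is outside the hunk, so this may already be caught earlier; if not, `[[ $tun_dev == tun* ]] || { echo "$0: no tun device found" >&2; exit 1; }` placed before the iptables SNAT line would cover both the SNAT rule and the sysctl. The value 2 (loose reverse-path filtering) is applied to the running kernel only and is not persisted, which fits the adjacent comment about the route not surviving interface deletion, but the new comment would be clearer if it said so explicitly.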
+++ b/mail-setup @@ -1,4 +1,6 @@ #!/bin/bash +set -x + # Copyright (C) 2016 Ian Kelling # Licensed under the Apache License, Version 2.0 (the "License"); @@ -108,7 +110,7 @@ u=$SUDO_USER # # host -t txt _dmarc.gmail.com # # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons # # there were articles claiming gmail would be changing -# # to p=reject, in early 2017, which didn't happen. I see no sources on them. It's +# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s # # expected to cause problems # # with a few old mailing lists, copying theirs for now. # @@ -253,7 +255,7 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt inet_protocols = ipv4 EOF # msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit - # inet_protocols: without this, I've had postfix try an ipv6 lookup then gives + # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives # up and fail forever. snippet from syslog: type=AAAA: Host not found, try again 
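Review bot: The `set -x` added as the first statement of mail-setup enables command tracing for the entire installer with no comment explaining why and no `set -e` alongside it, so it looks like leftover debugging. Every expanded command, including the values of every variable the script substitutes while writing exim, dovecot and debconf configuration further down, goes to stderr, and if that output is captured in a log those values end up recorded there. If tracing is wanted, limiting it to the section being debugged with `set -x` / `set +x`, or gating it on an environment variable such as `[[ -n ${DEBUG-} ]] && set -x`, keeps normal runs quiet.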
@@ -354,6 +356,57 @@ EOF mkdir -p $exim_main_dir + + #### begin mail cert setup ### + f=/usr/local/bin/mail-cert-cron + cat >$f <<'EOF' +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR + +[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@" + +f=/a/bin/bash_unpublished/source-semi-priv +if [[ -e $f ]]; then + source $f +fi +if [[ $HOSTNAME == $MAIL_HOST ]]; then + local_mx=mail.iankelling.org + rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/" + ${rsync_common}fullchain.pem /etc/exim4/exim.crt + ${rsync_common}privkey.pem /etc/exim4/exim.key +fi +EOF + chmod 755 $f + + cat >/etc/systemd/system/mailcert.service <<'EOF' +[Unit] +Description=Mail cert rsync +After=multi-user.target + +[Service] +Type=oneshot +ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron +EOF + + cat >/etc/systemd/system/mailcert.timer <<'EOF' +[Unit] +Description=Run mail-cert once a day + +[Timer] +OnCalendar=daily + +[Install] +WantedBy=timers.target +EOF + systemctl daemon-reload + systemctl start mailcert + systemctl restart mailcert.timer + systemctl enable mailcert.timer + + ##### end mailcert setup ##### + + + if [[ $HOSTNAME == $MAIL_HOST ]]; then debconf-set-selections </etc/dovecot/conf.d/20-lmtp.conf <<'EOF' + cat >/etc/dovecot/conf.d/20-lmtp.conf </etc/systemd/system/spamddnsfix.timer <<'EOF' [Unit] 
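Review bot: The generated /usr/local/bin/mail-cert-cron written in mail-setup's @@ -354 hunk starts with `set -eE -o pipefail` and has no interpreter line, yet it relies on `[[`, `$EUID` and `$BASH_SOURCE`, which are bash-only; whether /a/bin/log-quiet/sysd-mail-once runs it via bash or execs it directly is not visible here, so adding `#!/bin/bash` as the first line of the heredoc would make the `chmod 755` script self-contained either way. The rsync's `--chown=root:Debian-exim --chmod=640` is the right restriction for the copied private key. `${rsync_common}fullchain.pem` depends on unquoted word-splitting of the rsync_common string, which works only while no argument contains whitespace; holding the command in an array and the remote prefix in a separate variable, then calling `"${rsync_cmd[@]}" "${remote}fullchain.pem" /etc/exim4/exim.crt`, would remove that dependency. This block is moved rather than new, so the points above predate the commit.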
@@ -700,53 +753,6 @@ EOF ##### end spamassassin config - f=/usr/local/bin/mail-cert-cron - cat >$f <<'EOF' -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - -[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@" - -f=/a/bin/bash_unpublished/source-semi-priv -if [[ -e $f ]]; then - source $f -fi -if [[ $HOSTNAME == $MAIL_HOST ]]; then - local_mx=mail.iankelling.org - rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/" - ${rsync_common}fullchain.pem /etc/exim4/exim.crt - ${rsync_common}privkey.pem /etc/exim4/exim.key -fi -EOF - chmod 755 $f - - cat >/etc/systemd/system/mailcert.service <<'EOF' -[Unit] -Description=Mail cert rsync -After=multi-user.target - -[Service] -Type=oneshot -ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron -EOF - - cat >/etc/systemd/system/mailcert.timer <<'EOF' -[Unit] -Description=Run mail-cert once a day - -[Timer] -OnCalendar=daily - -[Install] -WantedBy=timers.target -EOF - systemctl daemon-reload - systemctl start mailcert - systemctl restart mailcert.timer - systemctl enable mailcert.timer - - - @@ -838,26 +844,26 @@ EOF sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b systemctl restart exim4 - fi # end if exim4 +fi #### end if exim4 - # /etc/alias setup is debian specific, and - # exim config sets up an /etc/alias from root to the postmaster, which i - # config to ian, as long as there exists an entry for root, or there was - # no preexisting aliases file. based on the postinst file. postfix - # won't set up a root to $postmaster alias if it's already installed. - # Since postfix is not the greatest, just set it ourselves. - if [[ $postmaster != root ]]; then - sed -i --follow-symlinks -f - /etc/aliases </dev/null; then + fuser -TERM -mvk $dir + fi + sleep .5 if e umount -R $dir; then unmounted+=($dir) else + echo "$0: failed to umount $dir" umount_ret=false ret=1 continue 
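Review bot: The new unmount path in mount-latest-subvol sends TERM to every process holding a file under `$dir` with `fuser -TERM -mvk $dir` and then waits a fixed `sleep .5` before `umount -R`, which is a race: a process that takes longer than half a second to exit still makes the umount fail, and the kill could include this script itself if its working directory lies under the mount. A bounded poll is more reliable than the fixed delay, e.g. replacing `sleep .5` with `for _ in {1..10}; do fuser -m $dir &>/dev/null || break; sleep .5; done`. The `-v` on fuser reports which processes were signalled on stderr, which is worth keeping next to the new `echo "$0: failed to umount $dir"` so a failure can be traced. The mount-latest-subvol file header and the opening of this hunk are lost in this rendering, so the enclosing loop's start, including the `if fuser -m $dir` line, could not be checked.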
diff --git a/radicale-setup b/radicale-setup index f43553d..aed914b 100755 --- a/radicale-setup +++ b/radicale-setup @@ -18,15 +18,20 @@ # created password file with: # htpasswd -c /etc/davpass dav +vpn_ser=openvpn-client +if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then + vpn_ser=openvpn +fi + d=/etc/systemd/system/radicale.service.d mkdir -p $d -sudo dd of=$d/override.conf <<'EOF' +sudo dd of=$d/override.conf <