From a44ee8f739e11ef40402ea7eab92508f70445e68 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sat, 7 Sep 2019 14:53:19 -0400 Subject: [PATCH] various improvements --- .git_template/hooks/pre-commit | 5 +- brc | 17 +- btrbk-run | 2 +- distro-end | 15 +- .../etc/systemd/system/btrfsmaint.service | 2 + install-my-scripts | 11 +- mail-route | 4 + mail-setup | 722 +++++++++--------- pkgs | 2 + primary-setup | 2 + subdir_files/.gnupg/gpg.conf | 3 +- 11 files changed, 418 insertions(+), 367 deletions(-) diff --git a/.git_template/hooks/pre-commit b/.git_template/hooks/pre-commit index 182dcb9..33a6f8c 100755 --- a/.git_template/hooks/pre-commit +++ b/.git_template/hooks/pre-commit @@ -94,8 +94,9 @@ if ! git rev-list HEAD --count &>/dev/null; then cat <<'EOF' Whitespace issues found. We can't fix in a pre-commit hook for the first commit. Either fix on your own. I suggest https://github.com/dlenski/wtf, from git root: -find . -not -name .git -type f -exec bash -c \ - 'grep -Il "" "$1" &>/dev/null && wtf.py -i -E lf "$1"' _ {} \; + +git ls-files --exclude-standard -cmo --no-empty-directory | while read -r f; do if [[ -L $f ]] || ! grep -Iq . "$f"; then continue; fi; wtf.py -i -E lf "$f"; done + or allow whitespace with: git config hooks.allowwhitespace true, or export GIT_ALLOWWHITESPACE=true EOF diff --git a/brc b/brc index 9fff367..6ea6aad 100644 --- a/brc +++ b/brc @@ -692,8 +692,8 @@ fa() { done < <(find "$@" -print0); } -faf() { # find all files - find -L $1 -not \( -name .svn -prune -o -name .git -prune \ +faf() { # find all files. use -L to follow symlinks + find $@ -not \( -name .svn -prune -o -name .git -prune \ -o -name .hg -prune -o -name .editor-backups -prune \ -o -name .undo-tree-history -prune \) -type f 2>/dev/null } @@ -1273,7 +1273,7 @@ mbenable() { [[ -e $src ]] || { set +x; return 1; } mv -T $src $dst || { set +x; return 1; } ln -s -T $dst $src - /a/exe/lnf /p/.mu ~ + /a/exe/lnf /m/.mu ~ mu index --maildir=/m/4e set +x } 
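Review bot: The replacement one-liner printed by the heredoc in the .git_template/hooks/pre-commit hunk reads `git ls-files` output line by line, so some paths never reach `wtf.py` under their real name. This affects paths that git prints in quoted form (for example non-ASCII names under the default `core.quotePath`) and names with leading or trailing whitespace. Suggest the NUL-delimited form: `git ls-files -z --exclude-standard -cmo --no-empty-directory | while IFS= read -r -d '' f; do`. The rest of the loop can stay as written; the enclosing `if` block continues outside the hunk.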
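Review bot: In the brc hunk for `faf()`, `find $@` is unquoted, so a start directory containing spaces or glob characters is split or expanded before find sees it. Use `find "$@" -not \( -name .svn -prune ...`, as `fa()` in the context lines just above already does with `find "$@" -print0`. The comment could also state the calling convention, e.g. `# find all files under the given paths (GNU find defaults to .); pass -L first to follow symlinks`.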
@@ -1906,9 +1906,10 @@ testexim() { # note, for exim daemon, you can turn on debug options by # adding -d, etc to COMMONOPTIONS in # /etc/default/exim4 - exim -d -t <<'EOF' +# exim -d -t <<'EOF' + exim -i 'test@zroe.org, t2@zroe.org' <<'EOF' From: ian@iankelling.org -To: root@lists0p.fsf.org +To: test@zroe.org, t2@zroe.org Subject: Testing Exim This is a test message. @@ -2325,13 +2326,17 @@ path_add --end $HOME/.cargo/bin # taken from default changes to bashrc and bash_profile path_add --end $HOME/.rvm/bin +path_add --end $HOME/.gem/ruby/2.3.0/bin # shellcheck disable=SC1090 [[ -s "$HOME/.rvm/scripts/rvm" ]] && source "$HOME/.rvm/scripts/rvm" # Load RVM into a shell session *as a function* export BASEFILE_DIR=/a/bin/fai-basefiles -export ANDROID_HOME=/opt/android +#export ANDROID_HOME=/a/opt/android-home +# https://f-droid.org/en/docs/Installing_the_Server_and_Repo_Tools/ +#export USE_SDK_WRAPPER=yes +#PATH=$PATH:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools # didnt get drush working, if I did, this seems like the # only good thing to include for it. diff --git a/btrbk-run b/btrbk-run index f964f6c..3e610de 100644 --- a/btrbk-run +++ b/btrbk-run @@ -125,7 +125,7 @@ if [[ -v targets && $source ]]; then fi if $verbose; then - e "options: conf_only=%s\ndry_run=%s\nrate_limit=%s\nverbose=%s\ncmd_arg=%s" "$conf_only" "$dry_run" "$rate_limit" "$verbose" "$cmd_arg" + printf "options: conf_only=%s\ndry_run=%s\nrate_limit=%s\nverbose=%s\ncmd_arg=%s" "$conf_only" "$dry_run" "$rate_limit" "$verbose" "$cmd_arg" fi ### end options parsing diff --git a/distro-end b/distro-end index 3cc63c2..fe3ebcf 100755 --- a/distro-end +++ b/distro-end @@ -164,7 +164,13 @@ case $HOSTNAME in li) pi bind9 - + f=/var/lib/bind/db.b8.nz + if [[ ! -e $f ]]; then + ser stop bind9 + rm -f $f.jnl + install -m 644 -o bind -g bind /p/c/machine_specific/li/bind-initial/db.b8.nz $f + ser restart bind9 + fi case $HOSTNAME in li) domain=iankelling.org ;; 
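Review bot: The new `printf` format in the btrbk-run verbose branch has no trailing newline, so whatever is printed next starts on the same line as the `cmd_arg=` value. End the format with `cmd_arg=%s\n`. The values are already passed as quoted arguments rather than interpolated into the format string, which is worth keeping.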
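Review bot: In the distro-end `li)` hunk, bind9 is stopped before anything checks that the seed file `/p/c/machine_specific/li/bind-initial/db.b8.nz` is readable. If `/p` is not mounted, `install` fails with the name server already down, and what happens next depends on error handling that is outside the hunk. Test the source first, for example `src=/p/c/machine_specific/li/bind-initial/db.b8.nz` followed by `if [[ ! -e $f && -r $src ]]; then`. A comment on `rm -f $f.jnl` would also help, presumably along the lines of `# drop the stale journal, it would not match the freshly installed zone`. The `case` block continues outside the hunk.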
@@ -500,13 +506,14 @@ EOF s dd of=/etc/apt/apt.conf.d/50unattended-upgrades <&2' ERR x="$(readlink -f -- "${BASH_SOURCE[0]}")"; cd ${x%/*} # directory of this file -# scripts that would interfere with unmounting /a, put them elsewhere -install /a/bin/log-quiet/log-once switch-mail-host btrbk-run mount-latest-subvol \ +# scripts that would interfere with unmounting /a, put them elsewhere. +# note: previously used the install command, but it had this habit of +# like, once a month or so the files would be "not found" by a script +# trying to use them, within a few minute of the last time this +# ran. Very strange, dunno why, but rsync won't do anything unless these +# changed, so that should fix it. +rsync -t --chmod=755 --chown=root:root /a/bin/log-quiet/log-once switch-mail-host btrbk-run mount-latest-subvol \ check-subvol-stale /usr/local/bin -install /a/bin/errhandle/err /usr/local/lib +rsync -t --chmod=755 --chown=root:root /a/bin/errhandle/err /usr/local/lib diff --git a/mail-route b/mail-route index 0b89084..332f1ed 100755 --- a/mail-route +++ b/mail-route @@ -186,3 +186,7 @@ exit 0 # background: something like this does not work for packets which # exim is replying to. I don't know why. #iptables -t mangle -A OUTPUT -m owner --uid-owner Debian-exim -j MARK --set-mark 0x1 +# +# note: exim will misreport the I= interface for remote hosts that would +# not use the default route. It still goes through the vpn, you can +# verify with tcpdump. diff --git a/mail-setup b/mail-setup index 11f8dff..87f644a 100755 --- a/mail-setup +++ b/mail-setup 
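Review bot: The two `rsync -t --chmod=755 --chown=root:root` calls that replace `install` (the copies into /usr/local/bin and /usr/local/lib) omit `-p`, `-o` and `-g`. rsync documents `--chmod` as seeming to have no effect on existing destination files unless `--perms` is enabled, and on releases where `--chown` does not imply `-o`/`-g` the ownership mapping is not applied either. The mail-cert-cron script in this same patch already passes `-ogtL` together with `--chown`, so for these root-run scripts I would write `rsync -pogt --chmod=755 --chown=root:root ...` in both places. The hunk header for this file is not visible on the page, so the surrounding lines could not be checked.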
@@ -1,19 +1,11 @@ #!/bin/bash -set -x - +# -*- eval: (outline-minor-mode); -*- +# * intro # Copyright (C) 2019 Ian Kelling +# SPDX-License-Identifier: AGPL-3.0-or-later -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +set -x # TODO: copy dkim keys from within this file. its now done in conflink. # TODO: fix dkim key to b chmod 640, group Debian-exim @@ -56,7 +48,7 @@ EOF ####### -####### begin perstent password instructions ###### +# * perstent password instructions # # exim passwords: # # for hosts which have all private files I just use the same user # # for other hosts, each one get\'s their own password. @@ -88,7 +80,7 @@ EOF ####### end perstent password instructions ###### -####### begin persistent dkim/dns instructions ######### +# * persistent dkim/dns instructions # # Remove 1 level of comments in this section, set the domain var # # for the domain you are setting up, then run this and copy dns settings # # into dns. @@ -114,7 +106,7 @@ EOF # chmod 640 $domain-private.pem # # in conflink, we chown these to group debian # conflink -# # selector was also put into /etc/exim4/conf.d/main/000_localmacros, +# # selector was also put into /etc/exim4/conf.d/main/000_local, # # via the mail-setup scripts # # 2017-02 dmarc policies: 
@@ -133,7 +125,6 @@ EOF # # i include fastmail\'s settings, per their instructions, # # and follow their policy. In mail in a box, or similar instructions, # # I\'ve seen recommended to not use a restrictive policy. -# echo "spf dns: name is empty, value: v=spf1 a include:spf.messagingengine.com ?all" # # to check if dns has updated, you do # host -a mesmtp._domainkey.$domain @@ -144,13 +135,11 @@ EOF # cat <<'EOF' # mx records, 2 records each, for * and empty domain # pri 10 mail.iankelling.org -# pri 20 in1-smtp.messagingengine.com -# pri 30 in2-smtp.messagingengine.com # EOF ####### end persistent dkim instructions ######### - +# * functions constants e() { printf "%s\n" "$*"; } pi() { # package install local f @@ -175,10 +164,11 @@ forward=$u@$mxhost # mxport=587 # forward=ian@iankelling.org -smarthost="$mxhost::$mxport" # exim +smarthost="$mxhost::$mxport" +## * Install packages # light version of exim does not have sasl auth support. -pi exim4-daemon-heavy spamassassin spf-tools-perl +pi exim4-daemon-heavy spamassassin spf-tools-perl openvpn dnsmasq # trisquel 8 = openvpn, debian stretch = openvpn-client vpn_ser=openvpn-client @@ -186,6 +176,7 @@ if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then vpn_ser=openvpn fi +### * user forward file if [[ $HOSTNAME == "$MAIL_HOST" ]]; then # afaik, these will get ignored because they are routing to my own # machine, but rm them is safer 
@@ -196,10 +187,86 @@ else install -m 644 {-o,-g}$u <(e $forward) $(eval echo ~$u)/.forward fi +# * Mail clean cronjob + +cat >/etc/systemd/system/mailclean.timer <<'EOF' +[Unit] +Description=Run mailclean daily + +[Timer] +OnCalendar=monthly + +[Install] +WantedBy=timers.target +EOF + +cat >/etc/systemd/system/mailclean.service <>/etc/default/spamassassin + # just noticed this in the config file, seems like a good idea. + sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin + e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin + + systemctl enable spamassassin + systemctl start spamassassin + systemctl reload spamassassin + + cat >/etc/systemd/system/spamddnsfix.service <<'EOF' +[Unit] +Description=spamd dns bug fix cronjob + +[Service] +Type=oneshot +ExecStart=/a/bin/distro-setup/spamd-dns-fix +EOF + # 2017-09, debian closed the bug on this saying upstream had fixed it. + # remove this when i\'m using the newer package, ie, debian 10, or maybe + # ubuntu 18.04. + cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' +[Unit] +Description=run spamd bug fix script every 10 minutes + +[Timer] +OnActiveSec=60 +# the script looks back 9 minutes into the journal, +# it takes a second to run, +# so lets run every 9 minutes and 10 seconds. +OnUnitActiveSec=550 + +[Install] +WantedBy=timers.target +EOF + systemctl daemon-reload + systemctl restart spamddnsfix.timer + systemctl enable spamddnsfix.timer + +fi # [[ $HOSTNAME != "$MAIL_HOST" ]] +##### end spamassassin config + + +# * Update mail cert if [[ -e /p/c/filesystem ]]; then # allow failure of these commands when our internet is down, they are likely not needed, # we check that a valid cert is there already. 
@@ -218,35 +285,131 @@ if [[ -e /p/c/filesystem ]]; then fi -cat >/etc/systemd/system/mailclean.timer <<'EOF' -[Unit] -Description=Run mailclean daily -[Timer] -OnCalendar=monthly +f=/usr/local/bin/mail-cert-cron +cat >$f <<'EOF' +#!/bin/bash +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR -[Install] -WantedBy=timers.target +[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" + +f=/a/bin/bash_unpublished/source-state +if [[ -e $f ]]; then + source $f +fi +if [[ $HOSTNAME == "$MAIL_HOST" ]]; then + local_mx=mail.iankelling.org + rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/" + ${rsync_common}fullchain.pem /etc/exim4/exim.crt + ret=$? + ${rsync_common}privkey.pem /etc/exim4/exim.key + new_ret=$? + if [[ $ret != $new_ret ]]; then + echo "$0: error: differing rsync returns, $ret, $new_ret" + exit 1 + fi +fi +if [[ $new_ret != 0 ]]; then + if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then + echo "$0: error!: cert rsync failed and it will expire in less than 3 days" + exit 1 + fi +fi +exit 0 EOF +chmod 755 $f -cat >/etc/systemd/system/mailclean.service </etc/systemd/system/mailcert.service <<'EOF' [Unit] -Description=Delete and archive old mail files +Description=Mail cert rsync After=multi-user.target [Service] -User=$u Type=oneshot -ExecStart=/a/bin/log-quiet/sysd-mail-once mailclean /a/bin/distro-setup/mailclean +ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron EOF +cat >/etc/systemd/system/mailcert.timer <<'EOF' +[Unit] +Description=Run mail-cert once a day + +[Timer] +OnCalendar=daily + +[Install] +WantedBy=timers.target +EOF systemctl daemon-reload +systemctl start mailcert +systemctl restart mailcert.timer +systemctl enable mailcert.timer + +# * common exim4 config source /a/bin/bash_unpublished/source-state -mkdir -p /etc/exim4/conf.d/{main,transport,auth,router} -cat 
>/etc/exim4/rcpt_local_acl <<'EOF' + +### make local bounces go to normal maildir +# local mail that bounces goes to /Maildir or /root/Maildir +dirs=(/m/md/bounces/{cur,tmp,new}) +mkdir -p ${dirs[@]} +chown -R $u:Debian-exim /m/md/bounces +chmod 775 ${dirs[@]} +usermod -a -G Debian-exim $u +for d in /Maildir /root/Maildir; do + if [[ ! -L $d ]]; then + rm -rf $d + fi + ln -sf -T /m/md/bounces $d +done + + +### begin setup passwd.client +f=/etc/exim4/passwd.client +rm -f /etc/exim4/passwd.client +install -m 640 -g Debian-exim /dev/null $f +while read -r domain _ pass; do + # reference: exim4_passwd_client(5) + printf "%s:%s\n" "$domain" "$pass" >>$f +done 175_$b + + +rm -f /etc/exim4/conf.d/main/000_localmacros # old filename +cat >/etc/exim4/conf.d/main/000_local </etc/exim4/conf.d/rcpt_local_acl <<'EOF' # Only hosts we control send to @mail.iankelling.org, so make sure # they are all authed. # Note, if we wanted authed senders for all domains, @@ -256,7 +419,8 @@ deny !authenticated = * domains = mail.iankelling.org EOF -cat >/etc/exim4/data_local_acl <<'EOF' +rm -f /etc/exim4/data_local_acl # old path +cat >/etc/exim4/conf.d/data_local_acl <<'EOF' # Except for the "condition =", this was # a comment in the check_data acl. The comment about this not # being suitable is mostly bs. The only thing related I found was to 
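Review bot: In the relocated mail-cert-cron heredoc, `set -eE -o pipefail` makes the script exit at the first failing rsync, so `ret=$?` and `new_ret=$?` only ever record 0. The `openssl x509 -checkend` fallback, which is meant to tolerate a failed sync while the certificate is still valid, is therefore never reached from that path. Capture the status in an `||` list instead, as below. Separately, `new_ret` is unset on hosts other than MAIL_HOST, so `[[ $new_ret != 0 ]]` is true there and the expiry check runs against whatever /etc/exim4/exim.crt exists; if that is intended, a one-line comment would make it clear. The hunk continues past this script into sections that are damaged on the page and were not reviewed.

```shell
  # … unchanged: local_mx and rsync_common assignments …
  ret=0 new_ret=0
  # '|| var=$?' records the status without tripping errexit or the ERR trap
  ${rsync_common}fullchain.pem /etc/exim4/exim.crt || ret=$?
  ${rsync_common}privkey.pem /etc/exim4/exim.key || new_ret=$?
  # … unchanged: differing-return check, closing fi, expiry check …
```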
@@ -342,69 +506,6 @@ fsfsmarthost: EOF -#### begin mail cert setup ### -f=/usr/local/bin/mail-cert-cron -cat >$f <<'EOF' -#!/bin/bash -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - -[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" - -f=/a/bin/bash_unpublished/source-state -if [[ -e $f ]]; then - source $f -fi -if [[ $HOSTNAME == "$MAIL_HOST" ]]; then - local_mx=mail.iankelling.org - rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li.iankelling.org:/etc/letsencrypt/live/$local_mx/" - ${rsync_common}fullchain.pem /etc/exim4/exim.crt - ret=$? - ${rsync_common}privkey.pem /etc/exim4/exim.key - new_ret=$? - if [[ $ret != $new_ret ]]; then - echo "$0: error: differing rsync returns, $ret, $new_ret" - exit 1 - fi -fi -if [[ $new_ret != 0 ]]; then - if ! openssl x509 -checkend $(( 60 * 60 * 24 * 3 )) -noout -in /etc/exim4/exim.crt; then - echo "$0: error!: cert rsync failed and it will expire in less than 3 days" - exit 1 - fi -fi -exit 0 -EOF -chmod 755 $f - -cat >/etc/systemd/system/mailcert.service <<'EOF' -[Unit] -Description=Mail cert rsync -After=multi-user.target - -[Service] -Type=oneshot -ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron -EOF - -cat >/etc/systemd/system/mailcert.timer <<'EOF' -[Unit] -Description=Run mail-cert once a day - -[Timer] -OnCalendar=daily - -[Install] -WantedBy=timers.target -EOF -systemctl daemon-reload -systemctl start mailcert -systemctl restart mailcert.timer -systemctl enable mailcert.timer - -##### end mailcert setup ##### - -# comon stuff cat >/etc/exim4/update-exim4.conf.conf <<'EOF' # default stuff, i havent checked if its needed dc_minimaldns='false' 
@@ -415,20 +516,116 @@ dc_local_interfaces='' dc_mailname_in_oh='true' EOF - +# * if MAIL_HOST if [[ $HOSTNAME == "$MAIL_HOST" ]]; then + # ** dovecot + ####### begin dovecot setup ######## + # based on a little google and package search, just the dovecot + # packages we need instead of dovecot-common. + # + # dovecot-lmtpd is for exim to deliver to dovecot instead of maildir + # directly. The reason to do this is to use dovecot\'s sieve, which + # has extensions that allow it to be almost equivalent to exim\'s + # filter capabilities, some ways probably better, some worse, and + # sieve has the benefit of being supported in postfix and + # proprietary/weird environments, so there is more examples on the + # internet. I was torn about whether to do this or not, meh. + pi dovecot-core dovecot-imapd dovecot-sieve dovecot-lmtpd + + for f in /p/c/subdir_files/sieve/*sieve /a/c/subdir_files/sieve/*sieve; do + sudo -u $u /a/exe/lnf -T $f $(eval echo ~$u)/sieve/${f##*/} + done + # if we changed 90-sieve.conf and removed the active part of the + # sieve option, we wouldn\'t need this, but I\'d rather not modify a + # default config if not needed. This won\'t work as a symlink in /a/c + # unfortunately. + sudo -u $u /a/exe/lnf -T sieve/main.sieve $(eval echo ~$u)/.dovecot.sieve + + # we set this later in local.conf + sed -ri -f - /etc/dovecot/conf.d/10-mail.conf <<'EOF' +/^\s*mail_location\s*=/d +EOF + + cat >/etc/dovecot/conf.d/20-lmtp.conf </etc/dovecot/local.conf </etc/exim4/conf.d/main/000_local <>/etc/exim4/conf.d/main/000_local </etc/dovecot/conf.d/20-lmtp.conf </etc/dovecot/local.conf <>/etc/default/spamassassin -# just noticed this in the config file, seems like a good idea. 
-sed -i '/^\s*NICE\s*=/d' /etc/default/spamassassin -e 'NICE="--nicelevel 15"' >>/etc/default/spamassassin -systemctl start spamassassin -systemctl reload spamassassin - -cat >/etc/systemd/system/spamddnsfix.service <<'EOF' -[Unit] -Description=spamd dns bug fix cronjob - -[Service] -Type=oneshot -ExecStart=/a/bin/distro-setup/spamd-dns-fix -EOF -# 2017-09, debian closed the bug on this saying upstream had fixed it. -# remove this when i\'m using the newer package, ie, debian 10, or maybe -# ubuntu 18.04. -cat >/etc/systemd/system/spamddnsfix.timer <<'EOF' -[Unit] -Description=run spamd bug fix script every 10 minutes - -[Timer] -OnActiveSec=60 -# the script looks back 9 minutes into the journal, -# it takes a second to run, -# so lets run every 9 minutes and 10 seconds. -OnUnitActiveSec=550 - -[Install] -WantedBy=timers.target -EOF -systemctl daemon-reload -systemctl restart spamddnsfix.timer -systemctl enable spamddnsfix.timer -# -##### end spamassassin config - - - - - -# https://blog.dhampir.no/content/make-exim4-on-debian-respect-forward-and-etcaliases-when-using-a-smarthost -# i only need .forwards, so just doing that one. -cd /etc/exim4/conf.d/router -b=userforward_higher_priority -# replace the router name so it is unique -sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b - -# begin setup passwd.client -f=/etc/exim4/passwd.client -rm -f /etc/exim4/passwd.client -install -m 640 -g Debian-exim /dev/null $f -while read -r domain _ pass; do - # reference: exim4_passwd_client(5) - printf "%s:%s\n" "$domain" "$pass" >>$f -done $f <<'EOFOUTER' @@ -907,6 +901,9 @@ else rm -f /etc/cron.d/mailtest fi + +# * Radicale + # MAIL_HOST also does radicale, and easier to start and stop it here # for when MAIL_HOST changes, so radicale gets the synced files and # does not stop us from remounting /o. 
@@ -926,5 +923,30 @@ if dpkg -s radicale &>/dev/null; then fi fi fi + +# * misc +sudo -u $u ln -sf -T /m/.mu /home/$u/.mu + + +# /etc/alias setup is debian specific, and exim postinst script sets up +# an /etc/alias from root to the postmaster, based on the question +# exim4-config exim4/dc_postmaster, as long as there exists an entry for +# root, or there was no preexisting aliases file. postfix won\'t set up +# a root to $postmaster alias if it\'s already installed. Easiest to +# just set it ourselves. + +# debconf question for postmaster: +# Mail for the 'postmaster', 'root', and other system accounts needs to be redirected +# to the user account of the actual system administrator. +# If this value is left empty, such mail will be saved in /var/mail/mail, which is not +# recommended. +# Note that postmaster\'s mail should be read on the system to which it is directed, +# rather than being forwarded elsewhere, so (at least one of) the users listed here +# should not redirect their mail off this machine. A 'real-' prefix can be used to +# force local delivery. +# Multiple user names need to be separated by spaces. +# Root and postmaster mail recipient: + + exit 0 : diff --git a/pkgs b/pkgs index b14a881..4d8fa2c 100644 --- a/pkgs +++ b/pkgs @@ -70,6 +70,7 @@ p3=( debian-archive-keyring debootstrap debconf-doc + dillo dirmngr dnsutils dnsmasq @@ -105,6 +106,7 @@ p3=( gnat-5 gnome-screenshot gnupg-doc + grepmail guvcview hunspell i3lock diff --git a/primary-setup b/primary-setup index d6c0ed9..09ae728 100755 --- a/primary-setup +++ b/primary-setup @@ -23,6 +23,8 @@ if [[ $HOSTNAME == "$MAIL_HOST" ]]; then #DISPLAY=:0 arbtt-capture --sample-rate=10 & sudo systemctl start rss2email.timer sudo systemctl enable rss2email.timer + sudo systemctl start btrbk.timer + sudo systemctl enable btrbk.timer else sudo systemctl stop rss2email.timer diff --git a/subdir_files/.gnupg/gpg.conf b/subdir_files/.gnupg/gpg.conf index 1f8d6f7..d45a291 100644 
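Review bot: The primary-setup hunk starts and enables `btrbk.timer` in the MAIL_HOST branch, but the visible start of the `else` branch only stops `rss2email.timer`. No matching `sudo systemctl stop btrbk.timer` / `sudo systemctl disable btrbk.timer` is added. If the rest of the `else` branch (outside the hunk) does not already handle it, a host that stops being MAIL_HOST would keep running the backup timer. A short comment above the new lines saying why btrbk is tied to MAIL_HOST would also help.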
--- a/subdir_files/.gnupg/gpg.conf +++ b/subdir_files/.gnupg/gpg.conf @@ -44,7 +44,8 @@ default-key B125F60B7B287FF6A2B7DF8F170AF0E2954295DF #keyserver hkp://keyserver.pgp.com #keyserver hkp://ipv4.pool.sks-keyservers.net #keyserver hkp://keys.gnupg.net +#keyserver hkp://keyserver.ubuntu.com keyserver hkp://keyring.debian.org -# more secure, but had problems with my gpg version +# more secure hkps, but had problems with my gpg version #keyserver hkps://hkps.pool.sks-keyservers.net -- 2.30.2