From d4366929e6e200155b010dc05ce74255ee6a45ed Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Fri, 18 Feb 2022 23:10:25 -0500 Subject: [PATCH] various improvements --- .gitconfig | 2 ++ a/setup.sh | 17 ++++++++++++++++ a/site.yml | 4 ++-- brc | 15 ++++++++++---- brc2 | 53 ++++++++++++++++++++++++++++++++++++-------------- epanic-clean | 4 ++++ mailtest-check | 2 +- system-status | 1 + 8 files changed, 76 insertions(+), 22 deletions(-) create mode 100755 a/setup.sh diff --git a/.gitconfig b/.gitconfig index a5bc2ef..47ab26a 100644 --- a/.gitconfig +++ b/.gitconfig @@ -12,6 +12,8 @@ s = status ci = commit lol = log --graph --pretty=oneline --abbrev-commit --all dt = difftool +# https://stackoverflow.com/questions/17369254/is-there-a-way-to-cause-git-reflog-to-show-a-date-alongside-each-entry +rl = reflog --format='%C(auto)%h %<|(17)%gd %C(blue)%ci%C(reset) %s' [core] excludesfile = ~/.gitignore_global diff --git a/a/setup.sh b/a/setup.sh new file mode 100755 index 0000000..4d253b9 --- /dev/null +++ b/a/setup.sh @@ -0,0 +1,17 @@ +#!/bin/bash +# Copyright (C) 2019 Ian Kelling +# SPDX-License-Identifier: AGPL-3.0-or-later + +source /a/bin/errhandle/err + +[[ $EUID == 0 ]] || exec sudo -E "${BASH_SOURCE[0]}" "$@" + +# shellcheck source=/a/bin/ds/.bashrc +export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi + +# dependency of node exporter, per README.md +pi python3-passlib + +# after running ansible, run +# conflink +# ser restart prometheus diff --git a/a/site.yml b/a/site.yml index 12792fd..b9a0276 100644 --- a/a/site.yml +++ b/a/site.yml @@ -1,5 +1,5 @@ --- -- hosts: kd.b8.nz +- hosts: localhost roles: - role: prom tags: a @@ -35,7 +35,7 @@ # key_file: /etc/node_exporter/privkey.pem node_exporter_web_listen_address: "127.0.1.1:9100" node_exporter_basic_auth_users: - prom: incarnadine.bloodied.maker + prom: "incarnadine.bloodied.maker" - role: alertmanager alertmanager_smtp: diff --git a/brc b/brc index c47fca9..a51d7db 100644 --- a/brc +++ b/brc 
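Review bot: In a/setup.sh the re-exec `exec sudo -E "${BASH_SOURCE[0]}" "$@"` carries the caller's whole environment into the root process, and the script then sources `~/.bashrc` as root. Whether `~` still resolves to the invoking user's home under `-E` depends on the sudoers policy, but if it does, root executes a file that an unprivileged account can write. Consider dropping `-E` (`exec sudo "${BASH_SOURCE[0]}" "$@"`) and sourcing a fixed, root-owned path, such as the `/a/bin/ds/.bashrc` named in the shellcheck directive. A comment saying where `pi` is defined would also help, since the script fails without it.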
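Review bot: In a/site.yml the second hunk only adds quotes around the `prom` entry under `node_exporter_basic_auth_users`, so the basic-auth password is still committed in plain text. Anyone with read access to the repository or its history learns the credential, and it stays in history after a later removal, so it should be rotated as well as moved. Reference a vaulted or externally supplied variable instead, e.g. `prom: "{{ vault_node_exporter_prom_password }}"` (placeholder variable name), and keep the real value in an ansible-vault encrypted vars file.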
@@ -322,8 +322,9 @@ fpst() { # file paste } _khfix_common() { - local host ip port + local host ip port file key read -r host ip port < <(timeout -s 9 2 ssh -oBatchMode=yes -oControlMaster=no -oControlPath=/ -v $1 |& sed -rn "s/debug1: Connecting to ([^ ]+) \[([^\]*)] port ([0-9]+).*/\1 \2 \3/p" ||: ) + file=$(readlink -f ~/.ssh/known_hosts) if [[ ! $ip ]]; then echo "khfix: ssh failed" return 1 @@ -335,11 +336,17 @@ _khfix_common() { ip_entry=$ip host_entry=$host fi + tmpfile=$(mktemp) if [[ $host != $ip ]]; then - m ssh-keygen -R "$host_entry" -f $(readlink -f ~/.ssh/known_hosts) - ll ~/.ssh/known_hosts + key=$(ssh-keygen -F "$host_entry" -f $file | sed -r 's/^.*([^ ]+ +[^ ]+) *$/\1/') + if [[ $key ]]; then + grep -Fv "$key" "$file" | sponge "$file" + fi + fi + key=$(ssh-keygen -F "$ip_entry" -f $file | sed -r 's/^.*([^ ]+ +[^ ]+) *$/\1/') + if [[ $key ]]; then + grep -Fv "$key" "$file" | sponge "$file" fi - m ssh-keygen -R "$ip_entry" -f $(readlink -f ~/.ssh/known_hosts) ll ~/.ssh/known_hosts rootsshsync } diff --git a/brc2 b/brc2 index 9bc89d5..bd959d8 100644 --- a/brc2 +++ b/brc2 @@ -1079,14 +1079,19 @@ lom() { local l base if [[ $1 == /* ]]; then base=${1##*/} - if mountpoint /mnt/$base; then + if mountpoint -q /mnt/$base; then return 0 fi - l=$(sudo losetup -f) - sudo losetup $l $1 - if ! sudo cryptsetup luksOpen $l $base; then - sudo losetup -d $l - return 1 + l=$(losetup -j $1 | sed -rn 's/^([^ ]+): .*/\1/p' | head -n1 ||:) + if [[ ! $l ]]; then + l=$(sudo losetup -f) + sudo losetup $l $1 + fi + if ! sudo cryptsetup status /dev/mapper/$base &>/dev/null; then + if ! sudo cryptsetup luksOpen $l $base; then + sudo losetup -d $l + return 1 + fi fi sudo mkdir -p /mnt/$base sudo mount /dev/mapper/$base /mnt/$base 
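Review bot: In _khfix_common (brc, second hunk) the new `key=$(ssh-keygen -F ... | sed -r ...)` pipelines also run the sed expression over the `# Host ... found: line N` comment that `ssh-keygen -F` normally prints before each match, so `$key` gains an extra short pattern taken from that comment. `grep -Fv "$key"` treats every line of `$key` as a fixed string, so unrelated known_hosts entries that happen to contain that fragment are dropped along with the intended one. Skip comment lines and quote the path, e.g. `key=$(ssh-keygen -F "$host_entry" -f "$file" | sed -rn '/^#/!s/^.*([^ ]+ +[^ ]+) *$/\1/p')`, and do the same for the `$ip_entry` lookup. `tmpfile=$(mktemp)` is never used or removed and is not declared `local`, so it can be deleted. The function begins before this hunk.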
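Review bot: In lom (brc2, mount branch) the failure path `sudo losetup -d $l` now also runs when `$l` came from `losetup -j $1`, that is, a loop device attached before this call, so a failed `cryptsetup luksOpen` detaches a device the function did not create. Record ownership with a local flag, e.g. set `created=t` next to `sudo losetup $l $1` and use `if [[ $created ]]; then sudo losetup -d "$l"; fi` in the error path. The expansions `$1`, `$l` and `$base` are also passed unquoted to commands run under sudo, here and in the unmount hunk that follows. Quoting them (`"$1"`, `"/mnt/$base"`) keeps an image path with spaces or glob characters from being split into extra arguments. The function starts before and continues past this hunk.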
@@ -1096,9 +1101,18 @@ lom() { if mountpoint /mnt/$base &>/dev/null; then sudo umount /mnt/$base fi - l=$(sudo cryptsetup status /dev/mapper/$base|sed -rn 's/^\s*device:\s*(.*)/\1/p') - sudo cryptsetup luksClose /dev/mapper/$base || return 1 - sudo losetup -d $l + if sudo cryptsetup status /dev/mapper/$base &>/dev/null; then + if ! sudo cryptsetup luksClose /dev/mapper/$base; then + echo lom: failed cryptsetup luksClose /dev/mapper/$base + return 1 + fi + fi + l=$(losetup -j $1 | sed -rn 's/^([^ ]+): .*/\1/p' | head -n1 ||:) + if [[ $l ]]; then + sudo losetup -d $l + else + echo lom: warning: no loopback device found + fi fi } @@ -1558,11 +1572,11 @@ enn() { sdnbash() { # systemd namespace bash local unit=$1 - m sudo nsenter -t $(systemctl status $unit | sed -n '/^ *Main PID:/s/[^0-9]//gp') -n -m sudo -u $USER -i bash + m sudo nsenter -t $(systemctl show --property MainPID --value $unit') -n -m sudo -u $USER -i bash } mailnnbash() { - m sudo nsenter -t $(systemctl status mailnn| sed -n '/^ *Main PID:/s/[^0-9]//gp') -n -m sudo -u $USER -i bash + m sudo nsenter -t $(systemctl show --property MainPID --value mailnn') -n -m sudo -u $USER -i bash } mailvpnbash() { @@ -1573,7 +1587,7 @@ eximbash() { } spamnn() { local spamdpid - spamdpid=$(systemctl status spamassassin| sed -n '/^ *Main PID:/s/[^0-9]//gp') + spamdpid=$(systemctl show --property MainPID --value spamassassin) m sudo nsenter -t $spamdpid -n -m sudo -u Debian-exim spamassassin "$@" } unboundbash() { 
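Review bot: In lom (brc2, unmount branch) the loop device is now looked up with `losetup -j $1` after `luksClose`, whereas the removed code read it from `cryptsetup status /dev/mapper/$base` before closing. The start of this branch is outside the hunk, but if it is the `else` of `[[ $1 == /* ]]`, then `$1` is not an absolute image path here and the lookup will usually find nothing, leaving the backing file attached with only a warning. If so, capture the device before closing, e.g. `l=$(sudo cryptsetup status /dev/mapper/$base | sed -rn 's/^\s*device:\s*(.*)/\1/p')`, and print the warning only when that is empty.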
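Review bot: In sdnbash and mailnnbash (brc2) the new command substitutions end in a stray single quote, `--value $unit')` and `--value mailnn')`. The two quotes pair up across the function boundary, so everything between them becomes one quoted word: sdnbash passes that text to systemctl, and mailnnbash is no longer defined as a function. Drop the quotes and quote the unit: `$(systemctl show --property MainPID --value "$unit")` and `$(systemctl show --property MainPID --value mailnn)`. `systemctl show` reports `MainPID` as `0` for a unit with no main process, so these helpers, and spamnn in the next hunk, should check for `0` before calling `nsenter -t`.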
@@ -1581,9 +1595,18 @@ unboundbash() { } mailnncheck() { - local pid ns mailnn - for p in mailnn mailvpn unbound dovecot spamassassin exim4 radicale; do - pid=$(s systemctl status $p| sed -n '/^ *Main PID:/s/[^0-9]//gp') + local p pid ns mailnn + # mailvpn would belong on the list if using openvpn + for p in mailnn unbound dovecot spamassassin exim4 radicale; do + case $p in + exim4|radicale) + pid=$(ps -eo pid,cgroup | grep /system.slice/$p.service | awk '{print $1}') + ;; + *) + pid=$(s systemctl show --property MainPID --value $p) + ;; + esac + echo p=$p pid=$pid if [[ ! $pid ]]; then echo failed to find pid for $p continue diff --git a/epanic-clean b/epanic-clean index 354d88b..9886cb1 100755 --- a/epanic-clean +++ b/epanic-clean @@ -40,6 +40,10 @@ main() { sed -i "/$regex/d" $pl fi + # this is a strange message due to running as nonroot + # regex='exim user lost privilege for using -C option' + # sed -i "/$regex/d" $pl + # seems to randomly be caused by # Starting exim4-base housekeeping, exim4-base.service regex="^[^ ]* 00:00:0.* Failed writing transport results to pipe: Broken pipe$" diff --git a/mailtest-check b/mailtest-check index 466908d..3fdefff 100755 --- a/mailtest-check +++ b/mailtest-check @@ -69,7 +69,7 @@ case $HOSTNAME in folders=(/m/md/l/testignore) froms=(testignore@je.b8.nz testignore@expertpathologyreview.com testignore@amnimal.ninja ian@iankelling.org z@zroe.org iank@gnu.org) if ! $int; then - timeout 120 rsync -e "ssh -oIdentitiesOnly=yes -F /dev/null -i /root/.ssh/jtuttle" -t --inplace -r 'jtuttle@fencepost.gnu.org:/home/j/jtuttle/Maildir/new/' /m/md/l/testignore/new + timeout 120 rsync --chown iank:iank -e "ssh -oIdentitiesOnly=yes -F /dev/null -i /root/.ssh/jtuttle" -t --inplace -r 'jtuttle@fencepost.gnu.org:/home/j/jtuttle/Maildir/new/' /m/md/l/testignore/new fi ;; esac diff --git a/system-status b/system-status index 8e24d8f..051de62 100644 --- a/system-status +++ b/system-status 
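Review bot: In mailnncheck (brc2) the `exim4|radicale` arm can put several PIDs into `$pid`, one per process in the unit's cgroup, and the `*)` arm yields `0` rather than an empty string when a unit has no main process, so the existing `[[ ! $pid ]]` guard misses both cases. Take the first match and treat `0` as missing, e.g. `pid=$(ps -eo pid,cgroup | awk -v u="/system.slice/$p.service" 'index($2, u) {print $1; exit}')` and `if [[ ! $pid || $pid == 0 ]]; then`. The `echo p=$p pid=$pid` line looks like leftover debugging output and could be removed or sent to stderr. The loop body continues past the end of this hunk, so how `$pid` is used afterwards is not visible here.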
@@ -200,6 +200,7 @@ write-status() { done fi +# if [[ $(grep -v "exim user lost privilege for using -C option" /var/log/exim4/paniclog 2>/dev/null ||:) ]]; then if [[ -s /var/log/exim4/paniclog ]]; then chars+=("PANIC!") # leave it up to epanic-clean to send email notification -- 2.30.2