From d46190aff6f5dc65bd39524e3937dc5765895b42 Mon Sep 17 00:00:00 2001
From: Ian Kelling <iank@fsf.org>
Date: Sat, 21 Oct 2017 19:37:58 -0700
Subject: [PATCH] move some stuff to frodo, rename user to iank, fixes

---
 btrbk-run            |  24 +++++----
 check-subvol-stale   |  19 ++++---
 conflink             |   6 +--
 demohost-mount       |  30 ++++-------
 distro-begin         |  28 +++++-----
 distro-end           | 118 +++++++++++++++++++++++--------------------
 dynamic-ip-update.sh |   2 +-
 input-setup          |   2 +-
 keyscript-off        |   2 +-
 keyscript-on         |   2 +-
 mail-setup           |  77 ++++++++++++++++------------
 mount-latest-subvol  |  27 ++++++++--
 phabricator-setup    |   2 +-
 13 files changed, 190 insertions(+), 149 deletions(-)

diff --git a/btrbk-run b/btrbk-run
index 4713820..d05616a 100755
--- a/btrbk-run
+++ b/btrbk-run
@@ -30,7 +30,6 @@ script_dir=$(dirname $(readlink -f "$BASH_SOURCE"))
 # note p/m is owned 1000:1000 and chmod 700
 
 
-targets=()
 mountpoints=()
 
 rsync_mountpoint=/q
@@ -50,6 +49,7 @@ temp=$(getopt -l help cl:m:nprt:vh "$@") || usage 1
 eval set -- "$temp"
 while true; do
     case $1 in
+        # only creates the config file, does not run btrbk
         -c) conf_only=true; shift ;;
         -l) rate_limit=$2; shift 2 ;;
         -m) IFS=, mountpoints=($2); unset IFS; shift 2 ;;
@@ -57,6 +57,8 @@ while true; do
         -p) progress_arg="--progress"; shift ;;
         # btrbk arg: Resume only. Skips snapshot creation.
         -r) resume_arg=-r; shift ;;
+        # empty is valid for just doing local snapshot. we have default hosts
+        # we will populate
         -t) IFS=, targets=($2); unset IFS; shift 2 ;;
         -v) verbose=true; verbose_arg=-v; shift ;;
         -h|--help) usage ;;
@@ -74,7 +76,7 @@ fi
 echo -e "$0: options: conf_only=$conf_only\ndry_run=$dry_run\nresume_arg=$resume_arg\nrate_limit=$rate_limit\nverbose=$verbose"
 
 # set default targets
-if ! (( ${#targets[@]} )); then
+if [[ ! -v targets ]]; then
     case $HOSTNAME in
         x2)
             if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
@@ -89,6 +91,9 @@ if ! (( ${#targets[@]} )); then
                 fi
             fi
             ;;
+        frodo)
+            targets=()
+            ;;
         *)
             echo "$0: error: no default targets for this host, use -t"
             exit 1
@@ -108,15 +113,14 @@ if (( ${#mountpoints[@]} )); then
         fi
     done
 else # set default mountpoints
-    prospective_mps=(/a /q)
-    if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
-        prospective_mps+=(/o)
-    fi
-    for tg in ${targets[@]}; do
-        if [[ $tg == frodo && $HOSTNAME == treetowl ]]; then
-            prospective_mps+=(/i)
+    if [[ $HOSTNAME == frodo ]]; then
+        prospective_mps=(/i)
+    else
+        prospective_mps=(/a /q)
+        if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+            prospective_mps+=(/o)
         fi
-    done
+    fi
     for mp in ${prospective_mps[@]}; do # default mountpoints to sync
         if [[ -e /nocow/btrfs-stale/$mp ]]; then
             echo "$0: warning: $mp stale, not adding to default mountpoints"
diff --git a/check-subvol-stale b/check-subvol-stale
index afa711f..bdb4749 100644
--- a/check-subvol-stale
+++ b/check-subvol-stale
@@ -53,11 +53,14 @@ for d; do
     vol=${d##*/}
     dev=$(sed -rn "s,^\s*([^#]\S*)\s+$d\s.*,\1,p" /etc/fstab|head -n1)
     subvol_dir=$(sed -rn "s,^\s*[^#]\S*\s+$d\s.*\bsubvol=([a-zA-A/]+).*,\1,p" /etc/fstab|head -n1)
-    root_dir=$(sed -rn "s,^\s*$dev\s+(\S+).*\bsubvolid=0\b.*,\1,p" /etc/fstab|head -n1)
+    # note, we need $dev because $d might not be mounted, and we do this loop
+    # because the device in fstab for the rootfs can be different.
+    for devx in $(btrfs fi show $dev| sed -rn 's#.*path (/\S+)$#\1#p'); do
+        root_dir=$(sed -rn "s,^\s*$devx\s+(\S+).*\bsubvolid=0\b.*,\1,p" /etc/fstab|head -n1)
+        if [[ $root_dir ]]; then break; fi
+    done
     svp=$root_dir/$subvol_dir # subvolume path
 
-
-
     snaps=($root_dir/btrbk/$subvol_dir.20*) # Assumes we are in the 21st century.
     if [[ ! $snaps ]]; then
         # no snapshots yet
@@ -84,7 +87,8 @@ for d; do
     last_snap=$(
         for s in ${snaps[@]}; do
             f=${s##*/}
-            printf "%s %s\n" $(date -d $(sed -r  's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<${f#$vol.}) +%s) $f
+            unix_time=$(date -d $(sed -r  's/(.{4})(..)(.{5})(..)(.*)/\1-\2-\3:\4:\5/' <<<${f#$vol.}) +%s)
+            printf "%s %s\n" $unix_time $s
         done | sort -r | head -n 1 | awk '{print $2}'
              )
     if [[ ! $last_snap ]]; then
@@ -95,8 +99,10 @@ for d; do
     fi
 
     if [[ ! -e $svp ]]; then
-        echo "$0: warning: subvol we want to check does not exist: $svp"
-        stale-file=$last_snap
+        echo "$0: warning: subvol does not exist: $svp"
+        echo "$0 assuming this host was just for receiving and latest snap is freshest"
+        freshest_snap=$last_snap
+        stale=true
         stale-file
         continue
     fi
@@ -116,6 +122,7 @@ for d; do
         continue
     fi
 
+    # fallback to using last_snap as the freshest
     freshest_snap=$last_snap
     stale=true
     # fresh if $svp has $last_snap as a snapshot,
diff --git a/conflink b/conflink
index 7a597e3..139096f 100755
--- a/conflink
+++ b/conflink
@@ -49,9 +49,9 @@ common-file-setup() {
     local dir fs x bdir f dst
     for dir in "$@"; do
         fs=$dir/filesystem
-        if [[ -e $fs && $USER == ian ]]; then
+        if [[ -e $fs && $USER =~ ^iank?$ ]]; then
             # note, symlinks get resolved, not copied.
-            m s cp -RLT --preserve=mode,timestamps $fs /
+            s tar --mode=g-s --owner=0 --group=0 -cz -C $fs . | s tar -xz -C /
         fi
 
         if [[ -e $dir/subdir_files ]]; then
@@ -72,7 +72,7 @@ done
 
 c_dirs=(/a/c{,/machine_specific/$HOSTNAME})
 case $USER in
-    ian)
+    ian|iank)
         # p needs to go first so .ssh link is created, then config link inside it
         m common-file-setup ${all_dirs[@]}
         if [[ -d /etc/bind/bind-writable ]]; then
diff --git a/demohost-mount b/demohost-mount
index 416ab2e..6445187 100755
--- a/demohost-mount
+++ b/demohost-mount
@@ -5,36 +5,28 @@ trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
 
 [[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
 
-virsh destroy demohost ||:
 
-# there's some other ways to configure it, but by default, we get perms of this user
-usermod -a -G ian libvirt-qemu
-usermod -a -G traci libvirt-qemu
 
 
-virsh attach-device demohost <(e "<filesystem type='mount' accessmode='mapped'> <source dir='/q'/> <target dir='/q'/> </filesystem>") --config ||:
-virsh attach-device demohost <(e "<filesystem type='mount' accessmode='mapped'> <source dir='/a'/> <target dir='/a'/> </filesystem>") --config ||:
-
-virsh start demohost
-while ! timeout -s 9 5 ssh demohost :; do sleep 3; done
+ip=$(host demohost | sed -rn 's/^\S+ has address //p;T;q')/32
+cedit demohost /etc/exports <<EOF
+/a $ip(async,rw,no_subtree_check,no_root_squash)
+/q $ip(async,rw,no_subtree_check,no_root_squash)
+EOF
+exportfs -ra
 
 ssh root@demohost bash -s <<'EOFOUTER'
 set -eE -o pipefail
 
-cat >>/etc/modules <<EOF
-loop
-virtio
-9p
-9pnet
-9pnet_virtio
-EOF
-service kmod start
+apt-get install -y nfs-common
 
+sed -ri '\%^(faiserver:/[aq]|/q/p)\s%d' /etc/fstab
 cat >>/etc/fstab <<'EOF'
-/a /a            9p             trans=virtio    0       0
-/q /q            9p             trans=virtio    0       0
+faiserver:/a /a  nfs defaults 0 0
+faiserver:/q /q  nfs defaults 0 0
 /q/p  /p  none  bind  0 0
 EOF
+
 mkdir -p /a /q /p
 mount /a
 mount /q
diff --git a/distro-begin b/distro-begin
index dde7c8e..214c33f 100755
--- a/distro-begin
+++ b/distro-begin
@@ -30,7 +30,7 @@ sudo bash -c 'source /a/c/.bashrc && source /a/exe/ssh-emacs-setup'
 # set the scrollback to unlimited in case something goes wrong
 
 if [[ $EUID == 0 ]]; then
-    if getent passwd ian; then
+    if getent passwd iank || getent passwd ian ; then
         echo "$0: error: running as root. unprivileged user exists. use it."
         exit 1
     else
@@ -167,7 +167,7 @@ fi
 distro=$(distro-name)
 case $distro in
     ubuntu|debian|trisquel)
-        sudo bash -c ". /a/bin/fai/fai-wrapper && /a/bin/fai/fai/config/scripts/GRUB_PC/11-ian"
+        sudo bash -c ". /a/bin/fai/fai-wrapper && /a/bin/fai/fai/config/scripts/GRUB_PC/11-iank"
         ;;
     *)
         sudo bash -c ". /a/bin/fai/fai-wrapper &&
@@ -207,8 +207,8 @@ $interactive || set -x
 
 
 # passwordless sudo
-tu /etc/sudoers <<'EOF'
-ian  ALL=(ALL)  NOPASSWD: ALL
+tu /etc/sudoers <<EOF
+$USER  ALL=(ALL)  NOPASSWD: ALL
 Defaults  env_keep += SUDOD
 # makes ubuntu be like debian
 # https://unix.stackexchange.com/a/91572
@@ -543,7 +543,7 @@ fi
 
 dirs=(/mnt/{1,2,3,4,5,6,7,8,9})
 s mkdir -p "${dirs[@]}"
-s chown ian:ian  "${dirs[@]}"
+s chown $USER:$USER  "${dirs[@]}"
 
 
 tu /etc/fstab <<'EOF'
@@ -554,11 +554,11 @@ EOF
 
 if ! mountpoint /kr; then
     s mkdir -p /kr
-    s chown ian:traci /kr
+    s chown $USER:traci /kr
 fi
 
 if home_network; then
-    if [[ $HOSTNAME == treetowl ]]; then
+    if [[ $HOSTNAME == frodo ]]; then
         tu /etc/fstab <<'EOF'
 /k  /kr  none  bind,noauto  0 0
 EOF
@@ -573,7 +573,7 @@ s mkdir -p /q /i/{w,k}
 for dir in /{i,w,k}; do
     if mountpoint $dir; then continue; fi # already mounted
     s mkdir -p $dir
-    s chown ian:ian $dir
+    s chown $USER:$USER $dir
 done
 
 # not needed for all hosts, but rather just keep it uniform
@@ -605,17 +605,17 @@ done
 EOF
     s chmod +x /root/imount
 
-    s dd of=/etc/systemd/system/imount.service <<'EOF'
+    s dd of=/etc/systemd/system/imount.service <<EOF
 [Unit]
 Description=Mount /i and related mountpoints
-Before=syncthing@ian.service
+Before=syncthing@$USER.service
 
 [Service]
 Type=oneshot
 ExecStart=/root/imount
 
 [Install]
-RequiredBy=syncthing@ian.service
+RequiredBy=syncthing@$USER.service
 # note /kr needs networking, this target is the simplest way to
 # time it when the network should be up, but not do something
 # dumb like delay startup until the network is up. It happens
@@ -642,7 +642,7 @@ if has_btrfs; then
 $first_root_crypt  /nocow  btrfs  noatime,subvol=nocow  0 0
 EOF
         s mkdir -p $dir
-        s chown ian:ian $dir
+        s chown $USER:$USER $dir
         s mount $dir
     fi
 else
@@ -653,7 +653,7 @@ fi
 # ownership, and ssh doesn\'t allow any group writable parent
 # directories, so we are forced to use a directory structure similar
 # to home directories
-s chown root:ian /q
+s chown root:$USER /q
 s chmod 755 /q
 
 
@@ -742,7 +742,7 @@ if has_x; then
         s mkdir -p $dir/PostLogin
         s command cp /a/bin/distro-setup/desktop-20-autostart.sh $dir/PostLogin/Default
         s mkdir /etc/lightdm/lightdm.conf.d
-        s dd of=/etc/lightdm/lightdm.conf.d/12-ian.conf <<'EOF'
+        s dd of=/etc/lightdm/lightdm.conf.d/12-iank.conf <<'EOF'
 [SeatDefaults]
 session-setup-script=/a/bin/distro-setup/desktop-20-autostart.sh
 EOF
diff --git a/distro-end b/distro-end
index 285b25c..b044f5c 100755
--- a/distro-end
+++ b/distro-end
@@ -108,6 +108,7 @@ case $HOSTNAME in
             guvcview
             i3lock
             inetutils-traceroute
+            iperf3
             iproute2-doc
             jq
             kid3-qt
@@ -282,7 +283,8 @@ if isdebian; then
 fi
 
 # we've got a few dependencies later on, so install them now.
-pi "${simple_packages[@]}"
+pi eatmydata
+s eatmydata apt-get -y install --purge --auto-remove "${simple_packages[@]}"
 simple_packages=()
 
 
@@ -437,7 +439,7 @@ EOF
         # https://nodejs.org/en/download/package-manager/
         curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
         pi nodejs
-        cd /home/ian
+        cd /home/iank
         rm -rf pump.io.git
         git clone https://github.com/pump-io/pump.io.git
         cd pump.io
@@ -487,7 +489,7 @@ After=syslog.target network.target
 Type=simple
 User=pumpio
 Group=pumpio
-ExecStart=/home/ian/pump.io/bin/pump
+ExecStart=/home/iank/pump.io/bin/pump
 Environment=NODE_ENV=production
 # failed to find databank-mongodb without this.
 # I just looked at my environment variables took a guess.
@@ -643,7 +645,7 @@ Description=rss2email
 After=multi-user.target
 
 [Service]
-User=ian
+User=iank
 Type=oneshot
 # about 24 hours of failures
 # it copies over its files without respecting symlinks, so
@@ -675,7 +677,7 @@ Description=pump li backup
 After=multi-user.target
 
 [Service]
-User=ian
+User=iank
 Type=oneshot
 ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
 EOF
@@ -747,8 +749,8 @@ if [[ $HOSTNAME == treetowl ]]; then
             pi syncthing
             ;;
     esac
-    lnf -T /w/syncthing /home/ian/.config/syncthing
-    sgo syncthing@ian # runs as ian
+    lnf -T /w/syncthing /home/iank/.config/syncthing
+    sgo syncthing@iank # runs as iank
 
     # these things persist in ~/.config/syncthing, which I save in
     # /w/syncthing (not in /p, because syncthing should continue to
@@ -920,7 +922,7 @@ if ! getent passwd debian-transmission > /dev/null; then
             ;;
     esac
 fi
-if [[ $HOSTNAME == treetowl ]]; then
+if [[ $HOSTNAME == frodo ]]; then
     sgo transmission-daemon-nn
 fi
 
@@ -1123,7 +1125,7 @@ case $distro in
     # others unknown
 esac
 # allow user to run vms, from debian handbook
-for x in ian traci; do s usermod -a -G libvirt,kvm $x; done
+for x in iank traci; do s usermod -a -G libvirt,kvm $x; done
 # bridge networking as user fails. google lead here, but it doesn\'t work:
 # oh well, I give up.
 # http://wiki.qemu.org/Features-Done/HelperNetworking
@@ -1253,19 +1255,11 @@ if [[ $HOSTNAME == treetowl ]]; then
                 f=$dir/bitcoin.conf
                 s dd of=$f <<EOF
 server=1
+# necessary for joinmarket, not bad in general
 rpcpassword=$(openssl rand -base64 32)
 rpcuser=$(openssl rand -base64 32)
 EOF
 
-
-                f2=$dir/bitcoinjm.conf
-                s cp $f $f2
-                s tee -a $f2 >/dev/null <<EOF
-# Joinmarket
-walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
-alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
-wallet=joinmarket.dat
-EOF
                 # dunno about sharing a wallet between multiple instances
                 # manually did, wallet.dat symlinked in /nocow/.bitcoin
                 sgo bitcoind
@@ -1273,34 +1267,55 @@ EOF
             ;;
         # other distros unknown
     esac
-    pi libsodium-dev python-pip
-    cd /a/opt/joinmarket
-    # using develop branch, as it seems to be mostly bug fixes,
-    # and this is quite new software.
-    # note: python3 does not work.
-    # has seg fault error due to some bug, but it still works
-    pip install -r requirements.txt || [[ $? == 139 ]]
-    # note, the target must exist ahead of time, or bitcoin
-    # just overwrites the link, and it\'s not happy with an empty file,
-    # so we have to create the wallet, then move and link it.
-    s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
-    s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
-    # not technically needed, but seems cleaner not to have
-    # symlinks be root owned unlike everything else
-    s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
-
-    for var in rpcuser rpcpassword; do
-        u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
-        # escape backslashes
-        u="${u//\\/\\\\\\\\}"
-        # escape commas
-        u="${u//,/\\,}"
-        sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
-    done
-    sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
 
-fi
+#     ## disabling joinmarket, its too expensive
+#     ### begin joinmarket setup ###
+
+#     case $distro in
+#         debian)
+#             f=$dir/bitcoin.conf
+#             f2=$dir/bitcoinjm.conf
+#             s cp $f $f2
+#             s tee -a $f2 >/dev/null <<EOF
+# # Joinmarket
+# walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
+# alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
+# wallet=joinmarket.dat
+# EOF
 
+#             ;;
+#         # other distros unknown
+#     esac
+
+#     pi libsodium-dev python-pip
+#     cd /a/opt/joinmarket
+#     # using develop branch, as it seems to be mostly bug fixes,
+#     # and this is quite new software.
+#     # note: python3 does not work.
+#     # has seg fault error due to some bug, but it still works
+#     pip install -r requirements.txt || [[ $? == 139 ]]
+#     # note, the target must exist ahead of time, or bitcoin
+#     # just overwrites the link, and it\'s not happy with an empty file,
+#     # so we have to create the wallet, then move and link it.
+#     s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
+#     s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
+#     # not technically needed, but seems cleaner not to have
+#     # symlinks be root owned unlike everything else
+#     s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
+
+#     for var in rpcuser rpcpassword; do
+#         u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
+#         # escape backslashes
+#         u="${u//\\/\\\\\\\\}"
+#         # escape commas
+#         u="${u//,/\\,}"
+#         sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
+#     done
+#     sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
+#     ### end joinmarket setup ###
+
+
+fi
 
 
 case $distro in
@@ -1418,8 +1433,8 @@ fi
 #         s systemctl daemon-reload
 #         case $HOSTNAME in
 #             x2|treetowl)
-#                 ser enable synergyc@ian
-#                 ser start synergyc@ian ||: # X might not be running yet
+#                 ser enable synergyc@iank
+#                 ser start synergyc@iank ||: # X might not be running yet
 #                 ;;
 #             frodo)
 #                 systemctl --user start synergys ||:
@@ -1566,20 +1581,11 @@ if [[ $HOSTNAME == treetowl ]]; then
     # ser list-timers
 fi
 
-if [[ $HOSTNAME == treetowl ]] && [[ `debian-archive` != testing ]]; then
-    # fail2 ban is broken, with a workaround, per
-    # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
-    # ill wait a while to see if it gets fixed
-    pi fail2ban
-    sgo fail2ban
-fi
-
-
 
 
 
 case $distro in
-    debian|ubuntu|trisquel) s gpasswd -a ian adm ;; #needed for reading logs
+    debian|ubuntu|trisquel) s gpasswd -a iank adm ;; #needed for reading logs
 esac
 
 # tor
diff --git a/dynamic-ip-update.sh b/dynamic-ip-update.sh
index e49ff31..e339f7c 100755
--- a/dynamic-ip-update.sh
+++ b/dynamic-ip-update.sh
@@ -40,7 +40,7 @@ fi
 
 # mkc /p/c/machine_specific/li/filesystem/etc/bind
 # s dnssec-keygen -a HMAC-MD5 -b 512 -n HOST b8.nz
-# s chown ian:ian *
+# s chown iank:iank *
 
 # f=key.b8.nz
 # cat >$f <<EOF
diff --git a/input-setup b/input-setup
index 4e2e66b..b3ad60b 100755
--- a/input-setup
+++ b/input-setup
@@ -15,7 +15,7 @@ set -x
 # limitations under the License.
 
 # set to oppsite if the order is flipped.
-k2flip=true
+k2flip=false
 if $k2flip; then
     k2inorder=false
 else
diff --git a/keyscript-off b/keyscript-off
index c4ac8d5..6aa5265 100755
--- a/keyscript-off
+++ b/keyscript-off
@@ -39,5 +39,5 @@ fi
 
 # switch to easy or hard pass which is the same as luks
 f=/q/root/shadow/traci
-[[ $HOSTNAME != tp ]] || usermod -p "$(cat $f)" ian
+[[ $HOSTNAME != tp ]] || usermod -p "$(cat $f)" iank
 echo "$0: finished. $(date)"
diff --git a/keyscript-on b/keyscript-on
index 54a655c..fc9f2a0 100755
--- a/keyscript-on
+++ b/keyscript-on
@@ -41,6 +41,6 @@ if [[ ! -e /tmp/keyscript-off ]]; then
 fi
 # switch to easy or hard login pass which is the same as luks
 f=/q/root/shadow/traci-simple
-[[ $HOSTNAME != tp ]] || usermod -p "$(cat $f)" ian
+[[ $HOSTNAME != tp ]] || usermod -p "$(cat $f)" iank
 
 echo "$0: finished. $(date)"
diff --git a/mail-setup b/mail-setup
index 1fd8fe8..07b87ef 100755
--- a/mail-setup
+++ b/mail-setup
@@ -38,6 +38,10 @@ if ! exim && ! postfix; then
     usage 1
 fi
 
+if [[ ! $SUDO_USER ]]; then
+    echo "$0: error: requires running as nonroot or sudo"
+fi
+u=$SUDO_USER
 
 
 ####### begin perstent password instructions ######
@@ -101,9 +105,13 @@ fi
 # # via the mail-setup scripts
 
 # # 2017-02 dmarc policies:
+# # host -t txt _dmarc.gmail.com
 # # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
-# # gmail will be changing to p=reject, which is expected to cause problems
+# # there were articles claiming gmail would be  changing
+# # to p=reject, in early 2017, which didn't happen. I see no sources on them. It's
+# # expected to cause problems
 # # with a few old mailing lists, copying theirs for now.
+#
 # echo "dmarc dns, name: _dmarc value: v=DMARC1; p=none; rua=mailto:mailauth-reports@$domain"
 
 # # 2017-02 spf policies:
@@ -156,7 +164,7 @@ fi
 # New one is smtp.fastmail.com
 
 # test delivery & rewrite settings:
-#exim4 -bt ian@localhost
+#exim4 -bt iank@localhost
 
 
 postconfin() {
@@ -167,10 +175,10 @@ postconfin() {
 }
 e() { printf "%s\n" "$*"; }
 
-postmaster=ian
+postmaster=$u
 mxhost=mail.iankelling.org
 mxport=25
-forward=ian@$mxhost
+forward=$u@$mxhost
 
 # old setup. left as comment for example
 # mxhost=mail.messagingengine.com
@@ -180,7 +188,10 @@ forward=ian@$mxhost
 relayhost="[$mxhost]:$mxport" # postfix
 smarthost="$mxhost::$mxport" # exim
 
-
+vpn_ser=openvpn-client
+if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
+    vpn_ser=openvpn
+fi
 
 if [[ $HOSTNAME == $MAIL_HOST ]]; then
     # afaik, these will get ignored because they are routing to my own
@@ -261,18 +272,22 @@ EOF
 
 else # begin exim. has debian specific stuff for now
 
+    if ! dpkg -s openvpn &>/dev/null; then
+        apt-get -y install --purge --auto-remove openvpn
+    fi
+
     if [[ -e /p/c/filesystem ]]; then
         /a/exe/vpn-mk-client-cert -b mail -n mail li
     fi
 
-    cat >/etc/systemd/system/mailroute.service <<'EOF'
+    cat >/etc/systemd/system/mailroute.service <<EOF
 [Unit]
-# this unit is configured to start and stop whenever openvpn-client@mail.service
+# this unit is configured to start and stop whenever $vpn_ser@mail.service
 # does
 Description=Routing for email vpn
 After=network.target
-BindsTo=openvpn-client@mail.service
-After=openvpn-client@mail.service
+BindsTo=$vpn_ser@mail.service
+After=$vpn_ser@mail.service
 
 [Service]
 Type=oneshot
@@ -281,7 +296,7 @@ ExecStop=/a/bin/distro-setup/mail-route stop
 RemainAfterExit=yes
 
 [Install]
-RequiredBy=openvpn-client@mail.service
+RequiredBy=$vpn_ser@mail.service
 EOF
 
     cat >/etc/systemd/system/offlineimapsync.timer <<'EOF'
@@ -295,13 +310,13 @@ OnCalendar=*:0/5
 WantedBy=timers.target
 EOF
 
-    cat >/etc/systemd/system/offlineimapsync.service <<'EOF'
+    cat >/etc/systemd/system/offlineimapsync.service <<EOF
 [Unit]
 Description=Offlineimap sync
 After=multi-user.target
 
 [Service]
-User=ian
+User=$u
 Type=oneshot
 ExecStart=/a/bin/log-quiet/sysd-mail-once offlineimap-sync /a/bin/distro-setup/offlineimap-sync
 EOF
@@ -450,7 +465,7 @@ EOF
         # MAIN_HARDCODE_PRIMARY_HOSTNAME might mess up the
         # smarthost config type, not sure. all other settings
         # would be unused in that config type.
-        cat >$exim_main_dir/000_localmacros <<'EOF'
+        cat >$exim_main_dir/000_localmacros <<EOF
 MAIN_TLS_ENABLE = true
 
 DKIM_CANON = relaxed
@@ -460,9 +475,9 @@ DKIM_SELECTOR = li
 # https://debian-administration.org/article/718/DKIM-signing_outgoing_mail_with_exim4
 
 # The file is based on the outgoing domain-name in the from-header.
-DKIM_DOMAIN = ${lc:${domain:$h_from:}}
+DKIM_DOMAIN = \${lc:\${domain:\$h_from:}}
 # sign if key exists
-DKIM_PRIVATE_KEY= ${if exists{/etc/exim4/${dkim_domain}-private.pem} {/etc/exim4/${dkim_domain}-private.pem}}
+DKIM_PRIVATE_KEY= \${if exists{/etc/exim4/\${dkim_domain}-private.pem} {/etc/exim4/\${dkim_domain}-private.pem}}
 
 
 # failing message on mail-tester.com:
@@ -474,7 +489,7 @@ MAIN_HARDCODE_PRIMARY_HOSTNAME = li.iankelling.org
 
 # normally empty, I set this so I can set the envelope address
 # when doing mail redelivery to invoke filters
-MAIN_TRUSTED_GROUPS = ian
+MAIN_TRUSTED_GROUPS = $u
 
 LOCAL_DELIVERY = dovecot_lmtp
 
@@ -584,16 +599,16 @@ EOF
 
         systemctl enable offlineimapsync.timer
         systemctl start offlineimapsync.timer
-        systemctl restart openvpn-client@mail
-        systemctl enable openvpn-client@mail
+        systemctl restart $vpn_ser@mail
+        systemctl enable $vpn_ser@mail
         systemctl enable dovecot
         systemctl restart dovecot
 
     else # $HOSTNAME != $MAIL_HOST
         systemctl disable offlineimapsync.timer &>/dev/null ||:
         systemctl stop offlineimapsync.timer &>/dev/null ||:
-        systemctl disable openvpn-client@mail
-        systemctl stop openvpn-client@mail
+        systemctl disable $vpn_ser@mail
+        systemctl stop $vpn_ser@mail
         systemctl disable dovecot ||:
         systemctl stop dovecot ||:
         #
@@ -802,21 +817,21 @@ EOF
     sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
     systemctl restart exim4
 
-fi  # end if exim4
+        fi  # end if exim4
 
-# /etc/alias setup is debian specific, and
-# exim config sets up an /etc/alias from root to the postmaster, which i
-# config to ian, as long as there exists an entry for root, or there was
-# no preexisting aliases file. based on the postinst file. postfix
-# won't set up a root to $postmaster alias if it's already installed.
-# Since postfix is not the greatest, just set it ourselves.
-if [[ $postmaster != root ]]; then
-    sed -i --follow-symlinks -f - /etc/aliases <<EOF
+         # /etc/alias setup is debian specific, and
+         # exim config sets up an /etc/alias from root to the postmaster, which i
+         # config to ian, as long as there exists an entry for root, or there was
+         # no preexisting aliases file. based on the postinst file. postfix
+         # won't set up a root to $postmaster alias if it's already installed.
+         # Since postfix is not the greatest, just set it ourselves.
+         if [[ $postmaster != root ]]; then
+             sed -i --follow-symlinks -f - /etc/aliases <<EOF
 \$a root: $postmaster
 /^root:/d
 EOF
-    newaliases
-fi
+             newaliases
+         fi
 
 # put spool dir in directory that spans multiple distros.
 # based on http://www.postfix.org/qmgr.8.html and my notes in gnus
diff --git a/mount-latest-subvol b/mount-latest-subvol
index 6bf68d7..e4c4d6b 100644
--- a/mount-latest-subvol
+++ b/mount-latest-subvol
@@ -91,9 +91,14 @@ $first_root_crypt  /o  btrfs  noatime,subvol=o  0 0
 EOF
         ;;
 esac
+if [[ $HOSTNAME == frodo ]]; then
+    tu /etc/fstab <<EOF
+$first_root_crypt  /i  btrfs  noatime,subvol=i  0 0
+EOF
+fi
 ##### end setup fstab for subvols we care about ######
 
-for vol in q a o; do
+for vol in q a o i; do
     d=/$vol
     if ! awk '{print $2}' /etc/fstab | grep -xF $d &>/dev/null; then
         continue
@@ -141,11 +146,23 @@ for vol in q a o; do
             if e umount -R $dir; then
                 unmounted+=($dir)
             else
-                umount_ret=false
-                ret=1
                 echo "$0: failed to umount $dir"
-                e lsof $dir
-                break
+                # lsof will fail if it finds no pids
+                if ! e lsof $dir; then
+                    umount_ret=false
+                    ret=1
+                    continue
+                fi
+                pids=$(lsof -t $dir) ||:
+                kill $pids
+                sleep .5
+                if e umount -R $dir; then
+                    unmounted+=($dir)
+                else
+                    umount_ret=false
+                    ret=1
+                    continue
+                fi
             fi
         fi
     done
diff --git a/phabricator-setup b/phabricator-setup
index 2265591..ebd9360 100755
--- a/phabricator-setup
+++ b/phabricator-setup
@@ -302,7 +302,7 @@ sudo systemctl daemon-reload
 # arcanist(), phabricator(), phutil()
 
 s usermod -a -G vcs www-data
-s usermod -a -G vcs ian
+s usermod -a -G vcs iank
 s usermod -a -G vcs phabricator
 s chown root:vcs /usr/share/phabricator/conf/local/local.json
 fbin config set diffusion.ssh-port $ssh_port
-- 
2.30.2