From fbb0315374736f92d950545796beaa79cbdc1f49 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sun, 12 May 2019 23:22:41 -0400
Subject: [PATCH] more dynamic ip updating

---
 conflink | 5 +-
 dynamic-ip-update | 106 ++++++++++++++++++
 dynamic-ip-update.sh | 47 --------
 .../systemd/system/dynamicipupdate.service | 7 ++
 .../etc/systemd/system/dynamicipupdate.timer | 11 ++
 machine_specific/kd/filesystem/etc/cron.d/kd | 1 -
 .../li/filesystem/etc/bind/named.conf.local | 8 +-
 myunison | 3 +
 switch-mail-host | 12 +-
 9 files changed, 145 insertions(+), 55 deletions(-)
 create mode 100755 dynamic-ip-update
 delete mode 100755 dynamic-ip-update.sh
 create mode 100644 filesystem/etc/systemd/system/dynamicipupdate.service
 create mode 100644 filesystem/etc/systemd/system/dynamicipupdate.timer

diff --git a/conflink b/conflink
index 5ac5639..555d4d4 100755
--- a/conflink
+++ b/conflink
@@ -82,6 +82,7 @@ case $USER in
 m s chgrp -R bind ${files[@]}
 m s chmod g+w ${files[@]}
 fi
+ sudo bash -c 'shopt -s nullglob; cd /etc/bind; for f in *.key *.private key.*; do chgrp bind $f; done'
 if [[ -e /etc/davpass ]] && getent group www-data &>/dev/null; then
 s chgrp www-data /etc/davpass
 fi
@@ -91,8 +92,8 @@ case $USER in
 /a/exe/lnf -T /p/arbtt-capture.log ~/.arbtt/capture.log
 ##### end special extra stuff #####
- sudo bash -c 'cd /etc/openvpn; for f in client/* server/*; do ln -sf $f .; done'
- sudo bash -c 'cd /etc/openvpn; for f in server/*.key client/*.key; do chmod 600 $f; done'
+ sudo bash -c 'shopt -s nullglob; cd /etc/openvpn; for f in client/* server/*; do ln -sf $f .; done'
+ sudo bash -c 'shopt -s nullglob; cd /etc/openvpn; for f in server/*.key client/*.key; do chmod 600 $f; done'
 m sudo -H -u traci "$BASH_SOURCE"
 ;;
diff --git a/dynamic-ip-update b/dynamic-ip-update
new file mode 100755
index 0000000..007570c
--- /dev/null
+++ b/dynamic-ip-update
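Review bot: On the added `sudo bash -c 'shopt -s nullglob; cd /etc/bind; ...'` line the result of `cd` is never checked, so if /etc/bind is absent the loop runs as root in whatever the caller's working directory is and chgrps any *.key/*.private files found there. The two rewritten openvpn lines in the second hunk have the same shape, where an unchecked `cd` would create symlinks and chmod 600 files in the wrong directory. Make the inner script bail on a failed cd and quote the loop variable: `cd /etc/bind || exit; for f in *.key *.private key.*; do chgrp bind "$f"; done` (and likewise `cd /etc/openvpn || exit` on both openvpn lines). The enclosing `case $USER in` block starts and ends outside both hunks.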
@@ -0,0 +1,106 @@
+#!/bin/bash
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+fqdn=$(hostname -f)
+
+up4=false
+if timeout -s 9 5 ssh-keyscan -p 2220 -t rsa 10.0.0.1 2>/dev/null | grep -qFx '[10.0.0.1]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCH+/h1dGEfKEusBblndU2e6QT4wLCm5+yqr/sqh/0X9YfjR7BfWWm8nNmuP55cYc+Wuf5ljB1H1acXEcsl1y8e0j3agHfF0V74FE1N1zz5nn2Ep8NHnmqgEhza38ZxMPh+4p3X7zklEKU7+3SzybKBi8sg0wLzlS2LM0JaUN80zR2sK11Kye3dURUXPk78u5wodOkgcEYRwSYaDMJlUzWP+poRXIDJwFaMQnwmxbl/c84yOyaU0x/d6hFwoRscWecihX+vvBNeSyxR4xr2HDOyUWwJkctyAgt2p7w3tfkXOKcCRzTAjGVIMQLTvo0sG/yJbcyHoEFdFybCsgDvfyYn'; then
+ # we are on home network
+ cur4="$(host -4 b8.nz iankelling.org | sed -rn 's/.*has address (.*)/\1/p;T;q')"
+ if ip4=$(curl -s4 https://iankelling.org/cgi/pubip); then
+ if [[ $cur4 && $ip4 && $cur4 != $ip4 ]]; then
+ up4=true
+ fi
+ fi
+fi
+
+# may not be set yet so allow fail
+cur6="$(host -4 -t aaaa $fqdn iankelling.org | sed -rn 's/.*has IPv6 address (.*)/\1/p;T;q')" ||:
+
+up6=false
+# maybe we dont have ipv6 working
+if out6=$(curl -s6 https://iankelling.org/cgi/pubip) && [[ $out6 ]]; then
+ dev=$(ip -o a show to $out6 | awk '{print $2}')
+ # we use slaac with privacy extension, so get our less private more permanent address
+ mac=$(cat /sys/class/net/$dev/address)
+
+ IFS=: read -a f <<<$mac; set -- ${f[@]}
+ ip6=${out6%:*:*:*:*}:$(printf %x $((0x$1 + 2)))$2:$3'ff:fe'$4:$5$6
+ # in case we aren't using slaac
+ if ! ip a | grep "^ *inet6 $ip6/" &>/dev/null; then
+ ip6=$out6
+ fi
+ if [[ $cur6 != $ip6 ]]; then
+ up6=true
+ fi
+fi
+
+
+if ! $up4 && ! $up6; then
+ exit 0
+fi
+
+# note, a simpler way to do this would be to ssh and use
+# "${SSH_CLIENT%% *}
+# to update bind if needed.
+ +f=$(mktemp) +cat >>$f <>$f <>$f <>$f <>$f <$f <&2' ERR - - -cur="$(host -4 b8.nz iankelling.org | sed -rn 's/.*has address (.*)/\1/p;T;q')" -ip=$(curl -s4 https://iankelling.org/cgi/pubip) - -# note, a simpler way to do this would be to ssh and use -# "${SSH_CLIENT%% *} -# to update bind if needed. - -if [[ $cur != $ip ]]; then - nsupdate -k /p/c/machine_specific/li/filesystem/etc/bind/Kb8.nz.*.private <$f <&1 | /usr/local/bin/log-once -15 */10 * * * * ian /a/exe/small-backup 10minutes 3D 2>&1 | /usr/local/bin/log-once small-backup-10min # put things we don't want to send mail about below this: # MAILTO="" diff --git a/machine_specific/li/filesystem/etc/bind/named.conf.local b/machine_specific/li/filesystem/etc/bind/named.conf.local index 126da01..5253a12 100644 --- a/machine_specific/li/filesystem/etc/bind/named.conf.local +++ b/machine_specific/li/filesystem/etc/bind/named.conf.local @@ -7,14 +7,14 @@ // ian: ok. uncommented. 1918 zones are private ip ranges. include "/etc/bind/zones.rfc1918"; - +# based on random internet tutorials, then reading +# file:///usr/share/doc/bind9-doc/arm/Bv9ARM.ch06.html#dynamic_update_policies zone "b8.nz" { type master; file "/var/lib/bind/db.b8.nz"; update-policy { - // allow host to update themselves with a key having their own name - grant b8.nz. name b8.nz. A TXT; - grant b8.nz. name *.b8.nz. A TXT; + // allow updating almost anything in the zone or subdomains. + grant b8.nz. subdomain b8.nz.; }; }; include "/etc/bind/key.b8.nz"; diff --git a/myunison b/myunison index 506e9c6..f68ae34 100755 --- a/myunison +++ b/myunison @@ -83,6 +83,9 @@ else type -t $f &>/dev/null || f=unison-gtk2 # for arch fi + + s ln -sTf ~/.unison /root/.unison + if s $f "$host"; then if [[ $host == frodo ]]; then # only send data to the machine i do full backups to diff --git a/switch-mail-host b/switch-mail-host index 2882112..5d7a679 100755 --- a/switch-mail-host +++ b/switch-mail-host 
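Review bot: `ip4=$(curl -s4 https://iankelling.org/cgi/pubip)` and the matching `out6=$(curl -s6 ...)` treat any HTTP response as a public address: without `-f`, curl exits 0 on a 4xx/5xx page, so an error body ends up in `$ip4`, the `$cur4 != $ip4` comparison turns true, and whatever this script later feeds to nsupdate carries that body instead of an address (the tail of the hunk is unreadable in this view, so I can't say exactly what). Use `curl -sf4` / `curl -sf6` and validate the result before comparing, e.g. `[[ $ip4 =~ ^[0-9]+(\.[0-9]+){3}$ ]] || exit 1` after the IPv4 fetch, with an equivalent hex/colon check on `$out6`. Separately, `f=$(mktemp)` has no cleanup in the visible part of the hunk; add `trap 'rm -f -- "$f"' EXIT` right after it so the update file does not accumulate in /tmp, and quote `$f` in the `cat >>$f` redirections.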
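Review bot: The new `grant b8.nz. subdomain b8.nz.;` rule in named.conf.local drops the type list the old rules had, so the single key.b8.nz key can now rewrite MX, CNAME, TXT and most other record types for the apex and every name under it, not just the A/AAAA records the dynamic-ip-update script needs (in BIND, a grant with no types covers every type except a few DNSSEC and apex-structural ones, as far as I recall — worth confirming against the ARM page cited in the added comment). Since any host holding that key file gets the same power, keep the widening to what the updater uses: `grant b8.nz. subdomain b8.nz. A AAAA TXT;`. The matching `// allow updating almost anything ...` comment should then describe the reduced scope.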
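Review bot: The added `s ln -sTf ~/.unison /root/.unison` in myunison runs unconditionally on every invocation; if /root/.unison already exists as a real directory rather than a symlink, GNU `ln -f` cannot unlink it and the command fails, and whether that aborts the script depends on how `s` and the file's error settings behave, neither of which is visible here. Guard it so it only acts when the target is absent or already a symlink: `if [[ -L /root/.unison || ! -e /root/.unison ]]; then s ln -sTf ~/.unison /root/.unison; fi`. The enclosing `else` branch starts before the hunk.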
@@ -65,8 +65,18 @@ if [[ ! $new_host || ! $old_host ]]; then
 exit 1
 fi
+# TODO: turn this home dns update into a separate script that also runs
+# as a cronjob for the MAIL_HOST, so it can update dns for a laptop that
+# moves to a different network.
+#
+# This exists because if mail_host is on the home network with a vpn
+# tunnel, and another host on the home network tries to connect to the
+# public tunnel ip, it won't work because from the public machine's
+# perspective, due to nat, both home network machines have the same
+# ip. We could solve this by using ipv6 addresses, but not all networks
+# i'm on with more than one machine are ipv6 enabled.
 at_home=false
-if [[ $HOSTNAME == tp ]] || [[ $HOSTNAME == frodo ]] || timeout -s 9 5 ssh wrt.b8.nz :; then
+if timeout -s 9 5 ssh-keyscan -p 2220 -t rsa 10.0.0.1 2>/dev/null | grep -qFx '[10.0.0.1]:2220 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCH+/h1dGEfKEusBblndU2e6QT4wLCm5+yqr/sqh/0X9YfjR7BfWWm8nNmuP55cYc+Wuf5ljB1H1acXEcsl1y8e0j3agHfF0V74FE1N1zz5nn2Ep8NHnmqgEhza38ZxMPh+4p3X7zklEKU7+3SzybKBi8sg0wLzlS2LM0JaUN80zR2sK11Kye3dURUXPk78u5wodOkgcEYRwSYaDMJlUzWP+poRXIDJwFaMQnwmxbl/c84yOyaU0x/d6hFwoRscWecihX+vvBNeSyxR4xr2HDOyUWwJkctyAgt2p7w3tfkXOKcCRzTAjGVIMQLTvo0sG/yJbcyHoEFdFybCsgDvfyYn'; then
 at_home=true
 fi
 echo "$0: at_home = $at_home"
-- 
2.30.2
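Review bot: The pinned router host-key line in the new `if timeout -s 9 5 ssh-keyscan ... | grep -qFx '...'` test is a verbatim copy of the same literal in dynamic-ip-update, so a router key rotation has to be applied in two scripts and a missed one makes that script silently report at_home=false forever. Keep the expected keyscan line in a single file and match against it from both places, e.g. `grep -qFxf /path/to/home-router.keyscan` (placeholder path), or wrap the whole check in a small shared `at-home` helper that both scripts call. The `if`/`fi` pair is complete inside the hunk.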