1 #!/bin/bash -l
2 # Copyright (C) 2019 Ian Kelling
3 # SPDX-License-Identifier: AGPL-3.0-or-later
4
5 ### setup
# Shared error handling (sourced, not shown here) and the directory this
# script lives in, resolved through any symlink.
source /a/bin/errhandle/err
src="$(readlink -f -- "${BASH_SOURCE[0]}")"
src=${src%/*} # directory of this file

# Privileged steps below go through sudo; refuse to run as root outright.
if (( EUID == 0 )); then
  printf '%s: error: run as regular user\n' "$0" >&2
  exit 1
fi
13
#######################################
# Leave a marker that this run did not finish cleanly.
# Presumably invoked by the error handler sourced from
# /a/bin/errhandle/err (name looked up by that file — keep it); confirm there.
# Globals:   HOME (read)
# Outputs:   writes "1" to ~/.local/distro-end
#######################################
_errcatch_cleanup() {
  local marker="$HOME/.local/distro-end"
  printf '1\n' >"$marker"
}
17
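# Package lists and the helpers used throughout (pi, pup, s, sgo, ser, ...).
# Quoted so a script directory containing whitespace does not split.
# shellcheck source=./pkgs
source "$src/pkgs"

# Trace every command and append stdout+stderr to a root-owned log.
# NOTE(review): xtrace prints fully expanded arguments, so any secret that is
# expanded onto a command line later in this script (the mumble server
# password is one) is recorded in /var/log/distro-end, and tee -a creates
# that file with the default umask rather than a restricted mode. Wrap such
# commands in set +x / set -x, or pre-create the log with tight permissions,
# if that matters on this host.
set -x
exec &> >(sudo tee -a /var/log/distro-end)
echo "$0: $(date): starting now)"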
24 # see example of usage to understand.
#######################################
# Collect one end-of-run message from stdin (typically a here-doc) into the
# global end_msg_var. Reads until NUL/EOF with -d '' so embedded newlines are
# kept verbatim; read's non-zero status at EOF is the normal case and ignored.
# Globals:   end_msg_var (appended)
# Arguments: none; message text on stdin
#######################################
end_msg() {
  local chunk=''
  if ! IFS= read -r -d '' chunk; then
    : # EOF before a NUL terminator: expected for here-doc input
  fi
  end_msg_var+=$chunk
}
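#######################################
# Print an error prefixed with the script name to stderr and exit 1.
# $0 is passed as an argument instead of being embedded in the format
# string, so a script path containing '%' or '\' cannot be misread as a
# printf directive.
# Arguments: message words, joined with single spaces
# Returns:   never; exits 1
#######################################
die() {
  printf '%s: %s\n' "$0" "$*" >&2
  exit 1
}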
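#######################################
# Simple package add: queue package names for a later bulk install.
# Arguments are appended one element each ("$@"), so a name is never
# re-split or glob-expanded on its way into the array.
# Globals:   simple_packages (appended)
# Arguments: package names
#######################################
spa() {
  simple_packages+=("$@")
}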
# Distribution identity, from helper commands on PATH (not defined in this
# file). codename_compat is used where a trisquel release is handled like
# its base release.
distro=$(distro-name)
codename=$(debian-codename)
codename_compat=$(debian-codename-compat)
pending_reboot=false
# Deliberately a string: it is expanded unquoted ($sed ...) so the option
# splits off as a separate word.
sed='sed --follow-symlinks'
# template
case $distro in
esac
44
#### initial packages
pup
if isdeb; then
pi aptitude
fi

# avoid prompts
# Pre-seed debconf so popularity-contest installs without a question.
s debconf-set-selections <<EOF
popularity-contest popularity-contest/participate boolean true
EOF
55
########### begin section including li ################
# p2 comes from the sourced pkgs file; left unquoted as written (intentional
# word splitting of its entries cannot be ruled out from here).
pi ${p2[@]}


conflink

# cron/at daemons: only arch needs them enabled explicitly here.
case $distro in
arch) sgo cronie ;;
esac

case $distro in
arch) sgo atd ;;
# not needed for deb, dependency of at.
esac



# no equivalent in other distros:
if isdeb && pcheck apt-file; then
# this condition is just a speed optimization
pi apt-file
s apt-file update
fi


# disable motd junk.
case $distro in
debian)
# allows me to pipe with ssh -t, and gets rid of spam
# http://forums.debian.net/viewtopic.php?f=5&t=85822
# i'd rather disable the service than comment the init file
# this says disabling the service, it will still get restarted
# but this script doesn't do anything on restart, so it should be fine
# Truncates the generated motd rather than touching the generator.
s dd of=/var/run/motd.dynamic if=/dev/null
;;
trisquel|ubuntu)
# this isn't a complete solution. It still shows me when updates are available,
# but it's no big deal.
s rm -f /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
;;
esac
97
98
99
100
101 ### begin certbot install ###
102 if [[ $distro == debian ]]; then
103 # note, need python-certbot-nginx for nginx, but it depends on nginx,
104 # and I'm not installing nginx by default right now.
105 pi certbot python-certbot-apache
106 elif [[ $codename_compat == xenial ]]; then
107 # not packaged in xenial or flidas
108 pi software-properties-common
109 l="deb http://ppa.launchpad.net/certbot/certbot/ubuntu xenial main"
110 if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
111 s add-apt-repository -y ppa:certbot/certbot ||:
112 p update
113 fi
114 pi python-certbot-apache
115 else
116 die "distro unknown for certbot"
117 fi
118 # make a version of the certbot timer that emails me.
119 x=/systemd/system/certbot
120 $sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
121 s,^Description.*,\0 mail version,
122 EOF
123 $sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
124 s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
125 EOF
126 ser daemon-reload
127 sgo certbotmail.timer
128 ### end certbot install ###
129
130
131 # dogcam setup. not using atm
132 # case $HOSTNAME in
133 # lj|li)
134 # /a/bin/webcam/install-server
135 # ;;
136 # kw)
137 # /a/bin/webcam/install-client
138 # ;;
139 # esac
140
141
142 ## not actually using prometheus just yet
143 # # office is not exposed to internet yet
144 # if [[ $HOSTNAME != kw ]]; then
145 # ## prometheus node exporter setup
146 # web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
147 # #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
148 # # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
149 # <Location />
150 # AllowOverride None
151 # AuthType basic
152 # AuthName "Authentication Required"
153 # # setup one time, with root:www-data, 640
154 # AuthUserFile "/etc/prometheus-htpasswd"
155 # Require valid-user
156 # </Location>
157 # EOF
158 # fi
159
160
######### begin flidas pinned packages ######
case $(debian-codename) in
# needed for debootstrap scripts for fai since fai requires debian
flidas)
# NOTE(review): the archive keyring is fetched over plain http and piped
# straight into apt-key, which trusts it for every apt source on this box;
# nothing here checks what was downloaded. Fetching over https and comparing
# the key fingerprint before adding it would close that gap. (apt-key itself
# is deprecated in newer apt releases in favour of per-source signed-by keyrings.)
curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
# Pin xenial to -100 so nothing is pulled from it unless named explicitly
# (aptitude download debootstrap/xenial below).
s dd of=/etc/apt/preferences.d/flidas-xenial <<EOF
Package: *
Pin: release a=xenial
Pin-Priority: -100

Package: *
Pin: release a=xenial-updates
Pin-Priority: -100

Package: *
Pin: release a=xenial-security
Pin-Priority: -100
EOF
s dd of=/etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
deb http://us.archive.ubuntu.com/ubuntu/ xenial main
deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
EOF

# NOTE(review): a key fetched from a keyserver by 64-bit id is not
# authenticated by the fetch; verify the full fingerprint after import
# (apt-key finger) before relying on it.
s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
# bionic pinned to -100 as a whole; individual packages are raised below.
s dd of=/etc/apt/preferences.d/flidas-bionic <<EOF
Package: *
Pin: release a=bionic
Pin-Priority: -100

Package: *
Pin: release a=bionic-updates
Pin-Priority: -100

Package: *
Pin: release a=bionic-security
Pin-Priority: -100
EOF

# better to run btrfs-progs which matches our kernel version
# (note, renamed from btrfs-tools)
s dd of=/etc/apt/preferences.d/btrfs-progs <<EOF
Package: btrfs-progs libzstd1
Pin: release a=bionic
Pin-Priority: 1005

Package: btrfs-progs libzstd1
Pin: release a=bionic-updates
Pin-Priority: 1005

Package: btrfs-progs libzstd1
Pin: release a=bionic-security
Pin-Priority: 1005
EOF


# Rewrite the sources file (and re-run update) only when its content differs;
# diff also exits non-zero when $f does not exist yet, which triggers the copy.
# The mktemp file is not removed afterwards.
t=$(mktemp)
cat >$t <<EOF
deb http://us.archive.ubuntu.com/ubuntu/ bionic main
deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
EOF
f=/etc/apt/sources.list.d/bionic.list
if ! diff -q $t $f; then
s cp $t $f
s chmod 644 $f
p update
fi

# no special reason, but its better for btrfs-progs to
# be closer to our kernel version
pi btrfs-progs

# Pull only the debootstrap scripts out of the xenial package. The cd into the
# temp dir is not undone; later code that cares does its own cd.
t=$(mktemp -d)
cd $t
aptitude download debootstrap/xenial
ex ./*
s cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts

s dd of=/etc/apt/preferences.d/flidas-etiona <<EOF
Package: *
Pin: release a=etiona
Pin-Priority: -100

Package: *
Pin: release a=etiona-updates
Pin-Priority: -100

Package: *
Pin: release a=etiona-security
Pin-Priority: -100

Package: *
Pin: release a=etiona-backports
Pin-Priority: -100
EOF

# Same compare-then-copy pattern as for bionic.list above.
t=$(mktemp)
cat >$t <<EOF
deb http://mirror.fsf.org/trisquel/ etiona main
deb http://mirror.fsf.org/trisquel/ etiona-updates main
deb http://archive.trisquel.info/trisquel/ etiona-security main
deb http://mirror.fsf.org/trisquel/ etiona-backports main
EOF
f=/etc/apt/sources.list.d/etiona.list
if ! diff -q $t $f; then
s cp $t $f
s chmod 644 $f
p update
fi

s dd of=/etc/apt/preferences.d/debian-goodies <<EOF
Package: debian-goodies
Pin: release n=etiona
Pin-Priority: 1005
EOF


s dd of=/etc/apt/preferences.d/flidas-buster <<EOF
Package: *
Pin: release n=buster
Pin-Priority: -100

Package: *
Pin: release n=buster-updates
Pin-Priority: -100
EOF

# dont use buster because it causes dist-upgrade to think its downgrading
# packages while really just reinstalling the same version.
# NOTE: these two rm calls run unprivileged. The files were root-written by
# the now commented-out blocks; rm -f still fails (and trips the error
# handler) if such a file is present and not removable by this user.
f=/etc/apt/apt.conf.d/01iank
rm -f $f
# # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
# s dd of=/etc/apt/apt.conf.d/01iank <<'EOF'
# Acquire::AllowInsecureRepositories "true";
# EOF

f=/etc/apt/sources.list.d/buster.list
rm -f $f
# t=$(mktemp)
# cat >$t <<EOF
# deb http://http.us.debian.org/debian buster main
# deb-src http://http.us.debian.org/debian buster main

# deb http://security.debian.org/ buster/updates main
# deb-src http://security.debian.org/ buster/updates main

# deb http://http.us.debian.org/debian buster-updates main
# deb-src http://http.us.debian.org/debian buster-updates main
# EOF
# if ! diff -q $t $f; then
# s cp $t $f
# s chmod 644 $f
# p update
# fi

# newer version needed for false positive in checkrestart.
# I did buster at first, but other problem above with having
# buster repos. not sure if the false positive exists in etiona.
# NOTE(review): --allow-unauthenticated disables apt's signature check for
# every package resolved by this command, not only debian-goodies. Accepted
# here for the key-algorithm reason above; worth revisiting once the etiona
# key is usable, since the pin now sources it from etiona anyway.
p install -y --allow-unauthenticated debian-goodies

s dd of=/etc/apt/preferences.d/shellcheck <<EOF
Package: shellcheck
Pin: release a=etiona
Pin-Priority: 1005

Package: shellcheck
Pin: release a=etiona-updates
Pin-Priority: 1005

Package: shellcheck
Pin: release a=etiona-security
Pin-Priority: 1005
EOF

s dd of=/etc/apt/preferences.d/bash <<EOF
Package: bash
Pin: release a=etiona
Pin-Priority: 1005

Package: bash
Pin: release a=etiona-updates
Pin-Priority: 1005

Package: bash
Pin: release a=etiona-security
Pin-Priority: 1005
EOF


;;
*)
if isdeb; then
pi debian-goodies shellcheck
fi
;;
esac
######### end flidas pinned packages ######
359
##### begin automatic upgrades (after checkrestart has been installed) ####
# Quoted delimiter: written verbatim, nothing expands.
s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
# this file was mostly just comments.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

# Unquoted delimiter: the backticks on the match_whitelist_string comment line
# are a command substitution here, so the written comment contains the
# resolved path of unattended-upgrades. Harmless, but <<'EOF' would be more
# predictable. The Origins-Pattern matches every origin, i.e. all available
# updates are installed unattended, not only security ones.
s dd of=/etc/apt/apt.conf.d/50unattended-upgrades <<EOF
# fyi: default file has comments about available options,
# you may want to read that, do pkx unattended-upgrades
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Origins-Pattern {
# default is just security updates. this list found from reading
# match_whitelist_string() in `which unattended-upgrades`
"o=*,l=*,a=*,c=*,site=*,n=*";
};
EOF

# old names, too verbose
s rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattended-reboot

# Daily upgrade run and hourly checkrestart, both through log-once (not shown
# here; presumably de-duplicates repeated output).
s dd of=/etc/cron.d/myupgrade <<'EOF'
# Setup reboots when running outdated stuff, unattended upgrades happen
# at 6 am + rand(60 min).
20 7 * * * root /usr/local/bin/myupgrade | /usr/local/bin/log-once -1 myupgrade
0 * * * * root /usr/local/bin/mycheckrestart | /usr/local/bin/log-once -1 mycheckrestart
EOF
##### end automatic upgrades ####
392
393
394
###### begin website setup
# Everything in this case runs only on li and ends with exit 0, so the
# desktop setup further down never runs there.
case $HOSTNAME in
li)

pi bind9
f=/var/lib/bind/db.b8.nz
# Seed the zone on first install only; the .jnl journal is dropped so stale
# dynamic updates are not replayed against the fresh zone file.
if [[ ! -e $f ]]; then
ser stop bind9
rm -f $f.jnl
install -m 644 -o bind -g bind /p/c/machine_specific/li/bind-initial/db.b8.nz $f
ser restart bind9
fi

case $HOSTNAME in
li) domain=iankelling.org ;;
esac
/a/h/setup.sh $domain
/a/h/build.rb

# start mumble only when im going to use it, since i dont use it much
pi-nostart mumble-server
# NOTE(review): the server password is expanded into the sed expression on the
# command line, so it is visible in ps while sed runs and is recorded verbatim
# by the set -x trace into /var/log/distro-end; a password containing / & \ or
# a newline would also corrupt the sed script. Safer: set +x around this line
# and pass the edit via a script file (sed -f) instead of interpolating.
s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini

# do certificate to avoid warning about unsigned cert,
# which is overkill for my use, but hey, I'm cool, I know
# how to do this.
web-conf apache2 mumble.iankelling.org
s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org
# Run the renew hook as root for this lineage so the cert is deployed now.
sudo -i <<'EOF'
export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
/a/bin/distro-setup/certbot-renew-hook
EOF


# requested from linode via a support ticket.
# https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
# ipv6 stuff pieced together
# via slightly wrong information from
# https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
# https://community.openvpn.net/openvpn/wiki/IPv6
# and man openvpn

vpn-server-setup -rd 2600:3c00:e000:280::1/64 2600:3c00::f03c:91ff:feb4:0bf3
# Fixed addresses for the "mail" vpn client; 10.8.0.4 is also used in
# /etc/hosts and the caldav proxy below.
s tee /etc/openvpn/client-config/mail <<'EOF'
ifconfig-push 10.8.0.4 255.255.255.0
ifconfig-ipv6-push 2600:3c00:e000:280::2/64
EOF

# Unit name differs between openvpn packaging generations.
if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
vpn_service=openvpn-server@server
else
vpn_service=openvpn@server
fi

# Unquoted delimiter on purpose: $vpn_service expands into WantedBy.
sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
[Unit]
Description=Turns on iptables mail nat

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/a/bin/distro-setup/vpn-mail-forward start
ExecStop=/a/bin/distro-setup/vpn-mail-forward stop

[Install]
WantedBy=$vpn_service.service
EOF
ser daemon-reload
sgo vpnmail.service
# needed for li's local mail delivery.
tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
sgo $vpn_service
# setup let's encrypt cert
web-conf apache2 mail.iankelling.org
# No -f here (unlike the mumble rm above): fails under the error handler if
# web-conf did not create both files — presumably intended as a sanity check.
s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
ser reload apache2

# Reverse proxy to radicale on the vpn address, gated by basic auth; the
# htpasswd file is created out of band (see the comment inside the config).
domain=cal.iankelling.org
web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
<Location />
Options +FollowSymLinks +Multiviews +Indexes
AllowOverride None
AuthType basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
</Location>
EOF
# nginx version of above would be:
# auth_basic "Not currently available";
# auth_basic_user_file /etc/nginx/caldav/htpasswd;



###### begin znc setup #####
pi znc

# https://wiki.znc.in/FAQ seems to imply that znc doesn't need restart after cert change.
# to get into the web interface,
# then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
# https://iankelling.org:12533/
sudo -i <<'EOF'
export RENEWED_LINEAGE=/etc/letsencrypt/live/iankelling.org
/a/bin/distro-setup/certbot-renew-hook
EOF

# znc config generated by doing
# znc --makeconf
# selected port is also used in erc config
# comma separated channel list worked.
# while figuring things out, running znc -D for debug in foreground.
# to exit and save config:
# /msg *status shutdown
# configed auth on freenode by following
# https://wiki.znc.in/Sasl:
# /msg *sasl RequireAuth yes
# /msg *sasl Mechanism PLAIN
# /msg *sasl Set ident_name password
# created the system service after, and had to do
# mv /home/iank/.znc/* /var/lib/znc
# sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
# and made a copy of the config files into /p/c
# /msg *status LoadMod --type=global log -sanitize
# todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
# /msg *status LoadMod --type=network perform
# /msg *perform add PRIVMSG ChanServ :invite #fsf-office
# /msg *perform add JOIN #fsf-office
#
# i set Buffer = 500
# also ran /znc LoadMod clearbufferonmsg
# it would be nice if erc supported erc query buffers by doing
# /msg *status clearbuffer <name of the query/receiver
# on killing the,
# an example seems to be here: https://github.com/zenspider/elisp/blob/master/rwd-irc.el
# if that was the case i could remove the module clearbufferonmsg
# also would be nice if erc supported
# https://wiki.znc.in/self-message
# https://wiki.znc.in/Query_buffers \
#
# Dedicated no-login system account; its data dir is owner-only (700) since
# it holds the znc config including credentials.
s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
s chmod 700 /var/lib/znc
s chown -R znc:znc /var/lib/znc
s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF'
[Unit]
Description=ZNC, an advanced IRC bouncer
After=network-online.target

[Service]
ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
User=znc

[Install]
WantedBy=multi-user.target
EOF
ser daemon-reload
sgo znc
###### stop znc setup #####



echo "$0: $(date): ending now)"
exit 0
;;
esac
###### end website setup
563
564 ########### end section including li/lj ###############
565
#### desktop stuff
# Desktop environment per base release (codename_compat is how a trisquel
# release maps onto its ubuntu/debian base; the helper is not shown here).
case $codename_compat in
xenial)
# mate-indicator-applet and beyond are msc things I noticed diffing a
# standard install with mine.
pi xorg lightdm mate-desktop-environment mate-desktop-environment-extras mate-indicator-applet anacron
;;
stretch)
pi task-mate-desktop
;;
buster)
# mate doesnt have wayland support yet
pi task-gnome-desktop
;;
esac
582
583
584
# TODO: some of the X programs can be removed from pall when using wayland

# depends gcc is a way to install suggests. this is apparently the only
# way to install suggests even if the main package is already
# installed. reinstall doesn't work, uninstalling can cause removing
# dependent packages.
# Everything in pall, plus every ruby*-doc package, gcc's suggests and the
# distro-pkgs list. The substitutions are unquoted on purpose so their
# whitespace-separated output becomes separate arguments.
pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $(apt-cache depends gcc|grep -i suggests:| awk '{print $2}') $($src/distro-pkgs)

# NOTE(review): get-pip.py is downloaded and executed with no checksum or
# signature check; pinning a release and comparing its sha256 before running
# it would make this reproducible and tamper-evident. $x stays set (and is a
# global also assigned elsewhere in this script) after this block.
if ! type pip; then
x=$(mktemp)
wget -O$x https://bootstrap.pypa.io/get-pip.py
python3 $x --user
fi

sgo fsf-vpn-dns-cleanup


# website is dead june 14 2019
s rm -f /etc/apt/sources.list.d/iridium-browser.list
604 # case $distro in
605 # debian)
606 # pi chromium ;;
607 # trisquel|ubuntu)
608 # wget -qO - https://downloads.iridiumbrowser.de/ubuntu/iridium-release-sign-01.pub|sudo apt-key add -
609 # t=$(mktemp)
610 # cat >$t <<EOF
611 # deb [arch=amd64] https://downloads.iridiumbrowser.de/deb/ stable main
612 # #deb-src https://downloads.iridiumbrowser.de/deb/ stable main
613 # EOF
614 # f=/etc/apt/sources.list.d/iridium-browser.list
615 # if ! diff -q $t $f; then
616 # s cp $t $f
617 # s chmod 644 $f
618 # p update
619 # fi
620 # pi iridium-browser
621 # ;;
622 # esac
623
624
625 ### begin home vpn server setup
626
627
628 # # this section done initially to make persistent keys.
629 # # Also note, I temporarily set /etc/hosts so my host was
630 # # b8.nz when running this, since the vpn client config
631 # # generator assumes we need to go to that server to get
632 # # server keys.
633 # vpn-server-setup -rds
634 # s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
635 # s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
636 # # kw = kgpe work machine.
637 # for host in x2 x3 kw; do
638 # vpn-mk-client-cert -b $host -n home b8.nz 1196
639 # dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
640 # mkdir -p $dir
641 # s bash -c "cp /etc/openvpn/client/home* $dir"
642 # # note: /etc/update-resolv-conf-home also exists for all systems with /p
643 # done
644
# key already exists, so this won't generate one, just the configs.
vpn-server-setup -rds
# Push the home DNS/route to clients and hook the connect script. These lines
# are appended; fine as long as vpn-server-setup regenerates server.conf each
# run, which the comment above implies — otherwise reruns accumulate copies.
s tee -a /etc/openvpn/server/server.conf <<'EOF'
push "dhcp-option DNS 10.0.0.1"
push "route 10.0.0.0 255.255.0.0"
client-connect /a/bin/distro-setup/vpn-client-connect
EOF
# Move this tunnel to 10.9.x and port 1196 so it does not collide with the
# 10.8.x vpn used on li.
s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf

# Only tp runs the home vpn server; the unit name depends on the openvpn
# packaging generation.
if [[ $HOSTNAME == tp ]]; then
if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
vpn_service=openvpn-server@server
else
vpn_service=openvpn@server
fi
sgo $vpn_service
fi
### end vpn server setup
663
664
##### rss2email
# note, see bashrc for more documentation.
pi rss2email
# Runs as iank (not root) against the state files under /p/c. The timer below
# is written but not enabled here; only daemon-reload is done.
s dd of=/etc/systemd/system/rss2email.service <<'EOF'
[Unit]
Description=rss2email
After=multi-user.target

[Service]
User=iank
Type=oneshot
# about 24 hours of failures
# it copies over its files without respecting symlinks, so
# we pass options to use different location.
ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg run
EOF
s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
[Unit]
Description=rss2email

[Timer]
# for initial run. required.
OnActiveSec=30
# for subsequent runs.
OnUnitInactiveSec=300

[Install]
WantedBy=timers.target
EOF
s systemctl daemon-reload
696
######### begin pump.io periodic backup #############
# Hourly pump backup, only on frodo, running as iank via the mail-once wrapper.
if [[ $HOSTNAME == frodo ]]; then
s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
[Unit]
Description=pump li backup
After=multi-user.target

[Service]
User=iank
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
EOF
s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
[Unit]
Description=pump li backup hourly

[Timer]
OnCalendar=hourly

[Install]
WantedBy=timers.target
EOF
s systemctl daemon-reload
sgo pumpbackup.timer
fi
######### end pump.io periodic backup #############
723
724
######### begin irc periodic backup #############
# Hourly pull of the znc logs from li into /k/irclogs, only on frodo.
# NOTE(review): the unit runs as iank but rsyncs as root@iankelling.org, so
# iank's ssh key must be accepted for root on li — confirm. A key restricted
# to that one rsync (authorized_keys command="..." / rrsync) or a dedicated
# read-only account on li would limit what that key can do if it leaks.
if [[ $HOSTNAME == frodo ]]; then
s dd of=/etc/systemd/system/ircbackup.service <<'EOF'
[Unit]
Description=irc li backup
After=multi-user.target

[Service]
User=iank
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once irc-backup rsync -rlptDhSAX root@iankelling.org:/var/lib/znc/moddata/log/iank/freenode/ /k/irclogs
EOF
s dd of=/etc/systemd/system/ircbackup.timer <<'EOF'
[Unit]
Description=irc li backup hourly

[Timer]
OnCalendar=hourly

[Install]
WantedBy=timers.target
EOF
s systemctl daemon-reload
sgo ircbackup.timer
fi


######### end irc periodic backup #############
753
754
# https://github.com/jlebon/textern
# This cd is not undone; the rest of the script runs from /a/opt/textern
# unless a later step changes directory itself.
cd /a/opt/textern
make native-install USER=1

case $distro in
debian|trisquel|ubuntu)
# suggests resolvconf package. installing it here is redundant, but make sure anyways.
# todo: check other distros to make sure it's installed
pi-nostart openvpn resolvconf
# pi-nostart does not disable
ser disable openvpn
;;
*) pi openvpn;;
esac

/a/bin/distro-setup/radicale-setup

## android studio setup
# this contains the setting for android sdk to point to
# /a/opt/androidsdk, which is asked upon first run
lnf /a/opt/.AndroidStudio2.2 ~
# android site says it needs a bunch of packages for ubuntu,
# but I googled for debian, and someone says you just need lib32stdc++6 plus the
# jdk
# https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
# see w.org for more android studio details
# Queued in simple_packages; nothing in this file installs that list, so the
# install happens elsewhere (or not at all) — confirm.
spa lib32stdc++6 default-jdk
783
############# begin syncthing setup ###########
if [[ $HOSTNAME == frodo ]]; then
# It's simpler to just worry about running it in one place for now.
# I assume it would work to clone its config to another non-phone
# and just run it in one place instead of the normal having a
# separate config. I lean toward using the same config, since btrfs
# syncs between comps.
case $distro in
arch) pi syncthing ;;
trisquel|ubuntu|debian)
# testing has relatively up to date packages
if ! isdebian-testing; then
# based on error when doing apt-get update:
# E: The method driver /usr/lib/apt/methods/https could not be found.
pi apt-transport-https
# google led me here:
# https://apt.syncthing.net/
# NOTE(review): apt-key add makes this key trusted for every apt source, not
# only syncthing's; a per-source keyring referenced with [signed-by=...] in
# the deb line below limits that. The key is at least fetched over https.
curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
# Scalar $s is unrelated to the s() sudo wrapper used on the next line (bash
# keeps variable and function namespaces apart), but it is easy to misread.
s="deb http://apt.syncthing.net/ syncthing release"
# cat on a missing list prints an error but the compare still runs (not equal).
if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != "$s" ]]; then
echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list
p update
fi
fi
pi syncthing
;;
esac
lnf -T /w/syncthing /home/iank/.config/syncthing
ser daemon-reload # syncthing likely not properly packaged
sgo syncthing@iank # runs as iank

# these things persist in ~/.config/syncthing, which I save in
# /w/syncthing (not in /p, because syncthing should continue to
# run on home server even when using laptop as primary device)
# open http://localhost:8384/
# change listen address from default to tcp://:22001,
# this is because we do port forward so it doesn't have to use
# some external server, but the syncthing is broken for port forward,
# you get a message, something "like connected to myself, this should not happen"
# when connecting to other local devices, so I bump the port up by 1,
# based on
# https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
# Without this, it was being stuck syncing at 0%.
# Set gui username and password.
#
# install syncthing via f-droid,
# folder setting, turn off send only.
# on phone, add device, click bar code icon
# on desktop, top right, actions, device id
# after adding, notification will appear on desktop to confirm
#
# syncing folder. from phone to desktop: select desktop in the
# folder on phone's sync options, notification will appear in
# desktop's web ui within a minute. For the reverse, the
# notification will appear in android's notifications, you have to
# swipe down and tap it to add the folder. It won't appear in the
# syncthing ui, which would be intuitive, but don't wait for it
# there. The notification may not work, instead open the web gui
# from in the app, there should be a notification within there.
#
# On phone, set settings to run syncthing all the time, and
# show no notification.
#
# Folder versioning would make sense if I didn't already use btrfs
# for backups. I would choose staggered, or trash can for more space.
#
# if needed to install on a remote comp:
# ssh -L 8384:localhost:8384 -N frodo
# open http://localhost:8384/
#
# Note, the other thing i did was port forward port 22000,
# per https://docs.syncthing.net/users/firewall.html

fi
############# end syncthing setup ###########
859
860
861
####### begin misc packages ###########

# template, currently empty
case $codename in
flidas)

;;
esac


# sakura config is owned by ian
reset-sakura
reset-konsole
sudo -u user2 -i reset-konsole
# user2 xscreensaver we don't want to reset
reset-xscreensaver


# this would install from cabal for newer / consistent version across os, but it screws up xmonad, so disabled for now.
# this is also in primary-setup
# pi libxss-dev # dependency based on build failure
# cabal update
# cabal install --upgrade-dependencies --force-reinstalls arbtt
# also, i assume syncing this between machines somehow messed thin
#lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log

primary-setup

# Seed the linphone config from /p on first run only.
if [[ ! -e ~/.linphonerc && -e /p/.linphonerc-initial ]]; then
cp /p/.linphonerc-initial ~/.linphonerc
fi
892
893
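### begin spd install
pi libswitch-perl libdigest-md5-file-perl libgnupg-interface-perl
t=$(mktemp)
# NOTE(review): the .deb is fetched over plain http and dpkg -i performs no
# signature check, so nothing here verifies what gets installed as root;
# fetching over https and comparing a recorded sha256 before dpkg -i would
# close that gap.
wget -O "$t" http://mirror.fsf.org/fsfsys-trisquel/fsfsys-trisquel/pool/main/s/spd-perl/spd-perl_0.2-1_amd64.deb
s dpkg -i "$t"
rm -- "$t"
# this guesses at the appropriate directory, adjust if needed
perldir=(/usr/lib/x86_64-linux-gnu/perl/5.*)
sudo ln -sf ../../../perl/5.18.2/SPD/ "${perldir[0]}"
# newer distro had gpg2 as default, older one, flidas, need to make it that way
# Fixed: the original tested a stale $x (a temp path assigned earlier in this
# script) instead of $gpgpath, so the hack-fix branch ran whenever that
# unrelated variable happened to be non-empty. A missing gpg2 now leaves
# gpgpath empty and skips the branch instead of aborting on the failed lookup.
gpgpath=$(command -v gpg2) || gpgpath=
if [[ $gpgpath ]]; then
s mkdir -p /usr/local/spdhackfix
s lnf -T "$gpgpath" /usr/local/spdhackfix/gpg
fi
### end spd install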
910
911
# Manual follow-up reminder for kw: printed to the log/terminal, nothing here
# is executed.
if [[ $HOSTNAME == kw ]]; then
cat <<'EOF'
NOTE: after this finishes, i did
s nmtui-connect
# remove br from auto:
s vim /etc/network/interfaces
EOF
fi
920
921 # nagstamon setting which were set through the ui
922 # in filters tab:
923 # all unknown sources
924 # all warning services
925 # acknowledged hosts & services
# hosts & services down for maintenance
# services on down hosts
# services on hosts in maintenance
# services on unreachable hosts
930 # hosts in soft state
931 # services in soft state
932 # in display tab: fullscreen
933
934 # these translate to these settings I think
935 # filter_acknowledged_hosts_services = True
936 # filter_all_unknown_services = True
937 # filter_all_warning_services = True
938 # filter_hosts_in_soft_state = True
939 # filter_hosts_services_maintenance = True
940 # filter_services_in_soft_state = True
941 # filter_services_on_down_hosts = True
942 # filter_services_on_hosts_in_maintenance = True
943 # filter_services_on_unreachable_hosts = True
944 # notify_if_up = False
945 # statusbar_floating = False
946 # fullscreen = True
947 # but i'm just going to rely on the webpage plus sms for now.
948
949
case $distro in
debian|trisquel|ubuntu)
# it asks if it should make users in it's group capture packets without root,
# which is arguably more secure than running wireshark as root. default is no,
# which is what i prefer, since I plan to use tcpdump to input to wireshark.
# DEBIAN_FRONTEND=noninteractive keeps the debconf default without a prompt.
s DEBIAN_FRONTEND=noninteractive pi wireshark-gtk
;;
# others unknown
esac

# /run and /dev/shm are listed as required for pulseaudio. All 4 in the group
# listed in the default config as suggested.
# /run/usr/1000 i noticed was missing for pulseaudio
# /run/user/0 just seemed like a not bad idea, given the above
# These bind mounts apply to every schroot using the desktop profile (see
# mkschroot below), so the per-user runtime dirs and their sockets are
# reachable from inside those chroots.
tu /etc/schroot/desktop/fstab <<'EOF'
/run /run none rw,bind 0 0
/run/lock /run/lock none rw,bind 0 0
/dev/shm /dev/shm none rw,bind 0 0
/run/shm /run/shm none rw,bind 0 0
/run/user/1000 /run/user/1000 none rw,bind 0 0
/run/user/1001 /run/user/1001 none rw,bind 0 0
/run/user/0 /run/user/0 none rw,bind 0 0
EOF
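#######################################
# Create (or refresh) a schroot using the desktop profile. Skips when a chroot
# of that name is already registered with schroot.
# Arguments: $1 distro (ubuntu|debian), $2 chroot name / suite, rest: packages
# Globals:   USER (read, for the chroot users list)
# Outputs:   writes /etc/schroot/chroot.d/$n.conf via sudo, runs debootstrap
#            or apt-get inside the chroot, copies /etc/localtime into it.
# Returns:   0; 1 for an unknown distro.
# Fixed: all working variables are local. The original assigned the
# script-level $distro (and repo, n, apps, d) as a side effect, so a call
# such as "mkschroot debian ..." changed which branch later `case $distro`
# statements in this script took. Package names are kept as given ("$@")
# instead of being re-split.
#######################################
mkschroot() {
  local distro=$1 repo n d
  local -a apps
  shift
  case $distro in
    ubuntu) repo=http://archive.ubuntu.com/ubuntu/ ;;
    debian) repo=http://deb.debian.org/debian/ ;;
    *)
      echo "$0: mkschroot: unknown distro $distro" >&2
      return 1
      ;;
  esac
  n=$1
  shift
  if schroot -l | grep -xFq "chroot:$n"; then
    echo "$0: $n schroot already installed, skipping"
    return 0
  fi
  apps=("$@")
  d=/nocow/schroot/$n
  # Unquoted delimiter on purpose: $n, $d and $USER expand into the config.
  # preserve-environment=true passes the caller's full environment into the
  # chroot for every listed user.
  s dd of=/etc/schroot/chroot.d/$n.conf <<EOF
[$n]
description=$n
type=directory
directory=$d
profile=desktop
preserve-environment=true
users=$USER,user2
EOF
  if [[ -e $d/bin ]]; then
    # Existing chroot: bring it up to date before adding packages.
    s chroot $d apt-get update
    s chroot $d apt-get -y dist-upgrade --purge --auto-remove
  else
    s mkdir -p $d
    s debootstrap $n $d $repo
  fi
  # cd to $HOME first so schroot does not try to enter the current directory.
  # NOTE: --allow-unauthenticated skips apt signature checks inside the chroot.
  cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y "${apps[@]}"
  s cp -P {,$d}/etc/localtime
}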
# Nightly updater for the schroots. No User= is set, so ExecStart runs as
# root; /a/bin/log-quiet/sysd-mail-once and /a/bin/distro-setup/schrootupdate
# must therefore not be writable by unprivileged users (check the ownership
# of /a/bin on each host -- not visible from here).
s dd of=/etc/systemd/system/schrootupdate.service <<'EOF'
[Unit]
Description=schrootupdate
After=multi-user.target

[Service]
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once schrootupdate /a/bin/distro-setup/schrootupdate
EOF
# Fires daily at 04:20 local time.
s dd of=/etc/systemd/system/schrootupdate.timer <<'EOF'
[Unit]
Description=schrootupdate

[Timer]
OnCalendar=*-*-* 04:20:00

[Install]
WantedBy=timers.target
EOF
s systemctl daemon-reload
sgo schrootupdate.timer
1035
1036
1037
# for my roommate: a debian stretch schroot with a browser on trisquel,
# plain chromium on debian.
if [[ $distro == trisquel ]]; then
  mkschroot debian stretch firefox-esr pulseaudio chromium
elif [[ $distro == debian ]]; then
  pi chromium
fi

# per-user scratch space outside the btrfs snapshot set
s mkdir -p /nocow/user
s chown "$USER:$USER" /nocow/user
pi anki
1051
1052
1053 # adapted from /var/lib/dpkg/info/transmission-daemon.postinst
1054 # 450 seems likely to be unused. we need to specify one or else
1055 # it won't be stable across installs.
1056 if ! getent passwd debian-transmission > /dev/null; then
1057 s groupadd -g 450 debian-transmission
1058 case $distro in
1059 arch)
1060 s useradd \
1061 --system \
1062 --create-home \
1063 --gid 450 \
1064 --uid 450 \
1065 --home-dir /var/lib/transmission-daemon \
1066 --shell /bin/false \
1067 debian-transmission
1068 ;;
1069 *)
1070 s adduser --quiet \
1071 --gid 450 \
1072 --uid 450 \
1073 --system \
1074 --no-create-home \
1075 --disabled-password \
1076 --home /var/lib/transmission-daemon \
1077 debian-transmission
1078 ;;
1079 esac
1080 fi
1081 # We want group writable stuff from transmission.
1082 # However, after setting this, I learn that transmission sets it's
1083 # own umask based on it's settings file. Well, no harm leaving this
1084 # so it's set right from the beginning.
1085 s chfn debian-transmission -o umask=0002
1086
case $distro in
  debian|trisquel|ubuntu)
    # note i had to do this, which is persistent:
    # cd /i/k
    # s chgrp debian-transmission torrents partial-torrents

    # syslog says things like
    # 'Failed to set receive buffer: requested 4194304, got 425984'
    # google suggests giving it even more than that
    tu /etc/sysctl.conf<<'EOF'
net.core.rmem_max = 67108864
net.core.wmem_max = 16777216
EOF
    s sysctl -p

    # some reason it doesn't seem to start automatically anyways
    pi-nostart transmission-daemon
    # be extra sure its not started (the netns unit below is what runs it)
    ser disable transmission-daemon
    ser stop transmission-daemon

    # the folder was moved here after an install around 02/2017.
    # it contains runtime data,
    # plus a simple symlink to the config file which it's
    # not worth separating out.
    # between comps, the uid can change, hence the recursive chowns.
    f=/i/transmission-daemon
    s lnf -T $f /var/lib/transmission-daemon/.config/transmission-daemon
    if [[ -e $f ]]; then
      s chown -R debian-transmission:debian-transmission $f
    fi
    # download trees: owned by the daemon, group user2 so that account can
    # read/manage them (combined with the 0002 umask set later).
    for f in /i/k/partial-torrents /i/k/torrents; do
      if [[ -e $f ]]; then
        s chown -R debian-transmission:user2 $f
      fi
    done
    s chown -R debian-transmission:debian-transmission /var/lib/transmission-daemon
    #
    # config file documented here, and it's the same config
    # for daemon vs client, so it's documented in the gui.
    # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
    #
    # I originally setup rpc-whitelist, but after using
    # routing to a network namespace, it doesn't see the
    # real source address, so it's disabled.
    #
    # SECURITY: with rpc-whitelist-enabled AND rpc-authentication-required
    # both false, anyone who can reach the RPC listener can add/remove
    # torrents and change download-dir. The only thing limiting that is
    # which hosts can reach the daemon inside its network namespace / VPN,
    # so keep that reachability tight. Note also that with
    # rpc-authentication-required=false the rpc-password written into this
    # same settings.json further down is never checked; set it to true if
    # the password is meant to be enforced.
    #
    # Changed the cache-size to 256 mb, reduces disk use.
    # It is a read & write cache.
    #
    s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
'rpc-whitelist-enabled' => false,
'rpc-authentication-required' => false,
'incomplete-dir' => '/i/k/partial-torrents',
'incomplete-dir-enabled' => true,
'download-dir' => '/i/k/torrents',
"speed-limit-up" => 800,
"speed-limit-up-enabled" => true,
"peer-port" => 61486,
"cache-size-mb" => 256,
"ratio-limit" => 5.0,
"ratio-limit-enabled" => true,
})) + "\n")
EOF

    ;;
  # todo: others unknown
esac
1157
1158
1159
# trisquel 8 = openvpn, debian stretch = openvpn-client
# Pick the unit template name this host's openvpn package ships.
vpn_ser=openvpn-client
if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
  vpn_ser=openvpn
fi

# transmission-daemon confined to the VPN's network namespace: the unit
# joins the namespace of the openvpn "client" instance, so the daemon only
# has the VPN's network view (PrivateNetwork=true keeps it off the host net
# if the join ever fails).
#
# Privilege note: no User= is set (see the commented line), so ExecStart
# starts as root and only drops to debian-transmission via sudo inside
# nsenter. Any future systemd sandboxing directives would therefore apply to
# the nsenter/sudo wrapper and $MAINPID is that wrapper, not the daemon;
# the HUP on reload presumably relies on sudo forwarding the signal --
# verify on this host.
s dd of=/etc/systemd/system/transmission-daemon-nn.service <<EOF
[Unit]
Description=Transmission BitTorrent Daemon netns
After=network.target
Requires=${vpn_ser}-nn@client.service
After=${vpn_ser}-nn@client.service
JoinsNamespaceOf=${vpn_ser}-nn@client.service

[Service]
#User=debian-transmission
# notify type doesn't work with sudo
#Type=notify
ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/client sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-error
ExecReload=/bin/kill -s HUP \$MAINPID
PrivateNetwork=true
Nice=19

[Install]
WantedBy=multi-user.target
EOF
ser daemon-reload

# only the seedbox host actually runs it
if [[ $HOSTNAME == frodo ]]; then
  sgo transmission-daemon-nn
fi
1191
1192
1193 ######### begin transmission client setup ######
1194
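if [[ -e /p/transmission-rpc-pass ]]; then
  # arch had a default config,
  # debian had nothing until you start it.
  # With a little trial an error, here is a minimal config
  # taken from the generated one, plus changes that the
  # settings ui does, without a bunch of ui crap settings.
  #
  # only settings I set were
  # hostname
  # auto-connect
  # password

  # the password is randomly generated on first run, i copied it out
  # so it could be used by other hosts.
  # (the daemon only enforces it when rpc-authentication-required is true
  # in settings.json.)
  s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
s = JSON.parse(File.read(p))
s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
# default is 0022 (18 in decimal)
s["umask"] = 2
File.write p, JSON.pretty_generate(s)
EOF

  # Read the secret with xtrace off so its value never lands in a trace
  # (or in whatever log the trace is redirected to); restore tracing
  # afterwards only if it was on. The escaping must happen inside the
  # window too, since those assignments would be traced as well.
  xtrace_on=false
  [[ $- == *x* ]] && xtrace_on=true
  set +x
  rpc_pass=$(</p/transmission-rpc-pass)
  # The value is interpolated into a JSON string literal below; escape the
  # two characters that would break or truncate the document. Other control
  # characters are not expected in a generated password.
  rpc_pass_json=${rpc_pass//\\/\\\\}
  rpc_pass_json=${rpc_pass_json//\"/\\\"}
  if $xtrace_on; then set -x; fi

  for f in /home/*; do
    u=${f##*/}
    # only real (uid >= 1000) accounts; /home entries with no matching user
    # (lost+found, leftovers) are skipped instead of spewing id(1) errors
    uid=$(id -u "$u" 2>/dev/null) || continue
    if (( uid < 1000 )); then
      continue
    fi
    d=$f/.config/transmission-remote-gtk
    s -u "$u" mkdir -p "$d"
    # Create the file 0600 before writing: dd would otherwise create it with
    # the default umask, leaving the password world-readable.
    s -u "$u" install -m 600 /dev/null "$d/config.json"
    s -u "$u" dd of="$d/config.json" <<EOF
{
  "profiles" : [
    {
      "profile-name" : "Default",
      "hostname" : "transmission.b8.nz",
      "rpc-url-path" : "/transmission/rpc",
      "username" : "",
      "password" : "$rpc_pass_json",
      "auto-connect" : true,
      "ssl" : false,
      "timeout" : 40,
      "retries" : 3,
      "update-active-only" : false,
      "activeonly-fullsync-enabled" : false,
      "activeonly-fullsync-every" : 2,
      "update-interval" : 3,
      "min-update-interval" : 3,
      "session-update-interval" : 60,
      "exec-commands" : [
      ],
      "destinations" : [
      ]
    }
  ],
  "profile-id" : 0,
  "add-options-dialog" : false
}
EOF
  done
fi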
1258 ######### end transmission client setup ######
1259
# dunno why it's there, but get rid of it (linode-provisioned homedir)
if [[ $HOSTNAME == li || $HOSTNAME == lj ]]; then
  s rm -rf /home/linode
fi
1264
1265
### printer setup
# Membership in sys (arch) / lpadmin (debian family) is what lets $USER
# administer cups from the web UI noted below.
if [[ $distro == arch ]]; then
  pi cups ghostscript gsfonts # from arch wiki cups page
  pi hplip # from google
  s gpasswd -a "$USER" sys # from arch wiki
  sgo org.cups.cupsd.service
elif [[ $distro == debian || $distro == trisquel || $distro == ubuntu ]]; then
  pi cups
  s gpasswd -a "$USER" lpadmin # based on ubuntu wiki
  spa hplip
fi
# other distros unknown
# goto http://127.0.0.1:631
# administration tab, add new printer button.
# In debian, I could use the recommended driver,
# in arch, I had to pick out the 6L driver.
1285
1286
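# allow user to run vms, from debian handbook
# Note: libvirt group membership gives access to the system libvirtd
# socket, which is generally considered root-equivalent; fine for these
# accounts, just be aware of it.
# A host without one of these users used to abort the whole script here
# (usermod fails -> error handler); warn and carry on instead.
for x in iank user2; do
  if getent passwd "$x" >/dev/null; then
    s usermod -a -G libvirt,kvm "$x"
  else
    echo "$0: warning: user $x does not exist, not adding to libvirt,kvm" >&2
  fi
done
# bridge networking as user fails. google lead here, but it doesn't work:
# oh well, I give up.
# http://wiki.qemu.org/Features-Done/HelperNetworking
# s mkdir /etc/qemu
# f=/etc/qemu/bridge.conf
# s dd of=$f <<'EOF'
# allow br0
# EOF
# #s chown root:qemu $f # debian has somethig like qemu-libvirt. equivalent?
# s chmod 640 $f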
1299
1300 # general known for debian/ubuntu, not for fedora
1301
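case $distro in
  debian|trisquel|ubuntu)
    if ! type -p go &>/dev/null; then
      # just the latest stable at the time of writing
      # TODO, maybe put this all into a build script,
      # and do some automatic updates
      go_tar=go1.12.4.linux-amd64.tar.gz
      # Pin the tarball's sha256 (published next to each download on
      # https://golang.org/dl/) so a tampered or truncated download is not
      # unpacked into /usr/local as root. Left empty it only warns, to keep
      # the previous behaviour until the digest is filled in.
      go_sha256=   # TODO(review): copy the sha256 for $go_tar from https://golang.org/dl/
      cd "$(mktemp -d)"
      wget -q "https://dl.google.com/go/$go_tar"
      if [[ $go_sha256 ]]; then
        echo "$go_sha256  $go_tar" | sha256sum -c - || die "sha256 mismatch for $go_tar"
      else
        echo "$0: warning: installing $go_tar without checksum verification" >&2
      fi
      s tar -C /usr/local -xzf "$go_tar"
      rm -f ./*
    fi
    # Builds and installs from a network checkout (no version pin); needs
    # /usr/local/go/bin on PATH, which the bashrc settings noted below provide.
    go get -u mvdan.cc/fdroidcl
    # a bit of googling, and added settings to bashrc
    ;;
esac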
1317
case $distro in
  arch)
    pi virt-install
    # otherwise we get error about accessing kvm module.
    # seems like there might be a better way, but google was a bit vague.
    # SECURITY: this makes libvirt start guest qemu processes as root, so a
    # guest escape lands directly in root on the host. The usual alternative
    # is to leave qemu's user alone and fix access to /dev/kvm via the kvm
    # group (the usermod above already adds the users to it) -- worth
    # retrying before keeping this.
    s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
    echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
    # guessing this is not needed
    #sgo virtlogd.service

    # iank: disabled as im not using libvirt usually
    # # https://bbs.archlinux.org/viewtopic.php?id=206206
    # # # this should prolly go in the wiki
    # sgo virtlogd.socket
    # sgo libvirtd
    ;;
  debian|trisquel|ubuntu)
    pi-nostart virtinst virt-manager
    ;;

esac
1339
1340
# GNU global (gtags) plus pygments for its plugin. On fedora it is built from
# a tarball fetched over plain ftp with no signature check and installed as
# root -- the distro package is used everywhere else.
if [[ $distro == fedora ]]; then
  cd "$(mktemp -d)"
  wget ftp://ftp.gnu.org/pub/gnu/global/global-6.5.7.tar.gz
  ex global*
  cd global-6.5.7
  # based on https://github.com/leoliu/ggtags
  ./configure --with-exuberant-ctags=/usr/bin/ctags
  make
  s make install
  pip install pygments
else
  pi global
  if [[ $distro == arch ]]; then
    pi python2-pygments
  elif [[ $distro == debian || $distro == trisquel || $distro == ubuntu ]]; then
    pi python-pygments
  fi
fi
1363
1364
1365
1366 # removed synergy since ive not used it in a long time
1367
1368
pi --no-install-recommends kdeconnect
### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
### but gnome + xmonad not working in flidas, so i disabled it
# pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus libappindicator3-dev
# cd /a/opt/indicator-kdeconnect
# mkdir -p build
# cd build
# cmake .. -DCMAKE_INSTALL_PREFIX=/usr
# make
# sudo make install
# # we can start it manually with /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
# # it seems, according to
# # /etc/xdg/autostart/kdeconnectd.desktop
# # I'm not seeing the icon, but the clipboard replication is working


### model 01 arduino support ###
# https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
# also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
# set arduino var in bashrc,
# have system config file setup too.
# dialout (uucp on arch) is the group that owns the serial devices.
sudo adduser "$USER" dialout
if [[ $distro == arch ]]; then
  sudo usermod -a -G uucp "$USER"
fi

# this is for the mail command too. update-alternatives is kind of misleading
# since at least its main commands pretend mail does not exist.
# bsd's mail got pulled in on some dumb dependency, i dunno how.
s update-alternatives --set mailx /usr/bin/mail.mailutils

######### end misc packages #########
1401
1402 ######### end misc packages #########
1403
1404
1405 # packages I once used before and liked, but don\'t want installed now for
1406 # various reasons:
1407 # python-sqlite is used for offlineimap
1408 # lxappearance python-sqlite dolphin paman dconf-editor
1409
1410
1411
1412 ######## unfinished
1413
1414 # todo, finish configuring smart.
1415
pi smartmontools
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# turn on smart. background on options:
# -a = test everything on all devices.
# -S on, turn on disk internal saving of vendor specific info,
# from google, seems like this is usually already on and fairly standard.
# -o on, turn on 4 hour period non-performance degrading testing.
# -n standby,q: don't wake sleeping disks, and don't log that we skipped them.
# -m/-M exec: mail plus run the notify script on events. smartd runs as a
# system daemon, so /usr/local/bin/smart-notify must not be writable by
# unprivileged users.
# short test daily 2-3am, extended tests Saturdays between 3-4am:
sched="-s (S/../.././02|L/../../6/03)"
smartd_line="DEVICESCAN -a -o on -S on -n standby,q $sched -m ian@iankelling.org -M exec /usr/local/bin/smart-notify"
# replace the stock DEVICESCAN directive wholesale
s $sed -i "s#^[[:space:]]*DEVICESCAN.*#$smartd_line#" /etc/smartd.conf
1428
1429 # in the default configuration of at least ubuntu 14.04, resolvconf is
1430 # configured to order any nameservers associated with tun* or tap*
1431 # before the normal internet interfaces, which means they are always
1432 # consulted first. This is often slower and undesirable, ie. local dns
1433 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
1434 # can do:
1435 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
1436 # however, this breaks dns lookup for hosts on the openvpn lan.
1437 # I can\'t figure out why hosts on the normal lan would not be
1438 # broken under the default ordering, except the host I was
1439 # testing with previously had an entry in /etc/hosts.
1440
1441 ############# end unfinished
1442
1443 ########### misc stuff
1444
1445 # make networkmanager use resolvconf instead of its own dnsmasq which
1446 # conflicts with the normal dnsmasq package.
1447 f=/etc/NetworkManager/NetworkManager.conf
1448 m=$(md5sum $f)
1449 s sed -ri '/ *\[main\]/,/^ *\[[^]]+\]/{/^\s*dns[[:space:]=]/d}' $f
1450 if [[ $m != $(md5sum $f) ]]; then
1451 srestart NetworkManager
1452 fi
1453
# Rebuild the font cache so my /etc/fonts/conf.d/ entries take effect
# (custom sans-serif: the default renders l and I identically).
s fc-cache

# default applications / mime associations
/a/bin/distro-setup/mymimes


sgo dynamicipupdate


# Stop auto-opening windows when an android phone is plugged in.
# dbus-launch is what makes this work from an ssh session; without it
# gsettings prints (with exit code 0!):
#   dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
1471
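# on grub upgrade, we get prompts unless we do this: preseed the list of
# devices grub-pc should install to, derived from the btrfs holding /boot.
devs=()
while read -r dev; do
  devs+=("$(devbyid "$dev")")
done < <(s btrfs fil show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p')
if (( ${#devs[@]} )); then
  # debconf wants a comma-separated list
  printf -v dev_list '%s, ' "${devs[@]}"
  dev_list=${dev_list%, }
  s debconf-set-selections <<EOF
grub-pc grub-pc/install_devices multiselect $dev_list
EOF
else
  # /boot not on btrfs (or nothing matched). The old code indexed devs[-1]
  # here, which is a "bad array subscript" error on an empty array and
  # aborted the rest of the setup.
  echo "$0: warning: no btrfs devices found for /boot; grub-pc/install_devices not preseeded" >&2
fi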
1481
# btrfs maintenance (scrub/balance timers and their stop counterpart)
for t in btrfsmaint.timer btrfsmaintstop.timer; do
  sgo "$t"
done


# the wiki backup script from ofswiki.org uses generic paths, so give root
# symlinks to the real locations. Root will read config from under /p and
# /k via these links, so those targets should not be writable by untrusted
# accounts.
s lnf /p/c/machine_specific/li/mw_vars /root
s lnf /k/backup/wiki_backup /root
1490
1491
# unison (file sync) and, on arch, the libao default driver
if [[ $distro == trisquel || $distro == ubuntu || $distro == debian ]]; then
  # unison-gtk second, i want it to be default, not sure if that works
  # with spa. note, I used to install from testing repo when using stable,
  # but it shouldn't be needed since I wrote a script to handle mismatching
  # compilers.
  spa unison unison-gtk
elif [[ $distro == arch ]]; then
  spa unison gtk2
  # default is alsa, doesn't work with pianobar
  s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
fi
1513
# # disabled due to my patch being in btrbk
# case $distro in
#   arch|debian|trisquel|ubuntu) pi btrbk ;;
#   # others unknown
# esac
# Installed from the local checkout instead. "make install" runs as root out
# of /a/opt/btrbk, so whatever is committed there is trusted; this also
# leaves the cwd in /a/opt/btrbk for the following commands.
cd /a/opt/btrbk
s make install

sgo btrbk.timer
# note: to see when it was last run,
# ser list-timers
1525
1526
end_msg <<'EOF'
In mate settings settings, change scrolling to two-finger,
because the default edge scroll doesn\'t work. Originally found this in debian.
EOF

if [[ $distro == debian ]]; then
  # transmission-gtk came in as a dependency of the desktop task; drop it
  pu transmission-gtk
fi

if [[ $distro == debian || $distro == trisquel || $distro == ubuntu ]]; then
  # adm group: read access to system logs
  s gpasswd -a iank adm
fi

/a/bin/buildscripts/pithosfly
1546
# based on guix manual instructions, also added code to profile
pi nscd
if ! type -p guix >/dev/null; then
  cd $(mktemp -d)
  # The installer is fetched over TLS from savannah and then run as root
  # with no signature or checksum check of the script itself; its integrity
  # rests entirely on that TLS connection. The installer is what verifies
  # the guix binary tarball, and for that it needs the Guix signing key in
  # the keyring of the account it runs under (the user's, because of
  # HOME=$HOME below). The commented import is how to get it there; it is
  # presumably already imported on the hosts this runs on -- confirm before
  # relying on this on a fresh machine.
  wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh
  # added some stuff to environment.sh for profile based on
  # manual instructions
  # wget https://sv.gnu.org/people/viewgpg.php?user_id=15145 -qO - | gpg --import -
  # "yes" answers every prompt. 141 = 128+SIGPIPE: yes dies when the
  # installer stops reading, which is the only failure tolerated here; a real
  # installer failure still aborts (assuming pipefail, presumably set by the
  # sourced error handler).
  yes | sudo -E HOME=$HOME bash guix-install.sh || [[ $? == 141 ]]
  guix install glibc-utf8-locales
  guix package --install guile
fi
1560
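# install rust via rustup. Runs every time (rustup-init -y is idempotent
# enough). The installer is unverified remote code; downloading it to a file
# first at least avoids executing a partially received stream, which is what
# "curl | bash" does. User-level install, no root involved.
rustup_init=$(mktemp)
curl -sSf https://sh.rustup.rs -o "$rustup_init"
bash "$rustup_init" -y
rm -f -- "$rustup_init"
# todo: update this. updates in rust are stupidly complicated
# (cargo/rg come from ~/.cargo/bin, which a fresh install puts on PATH only
# for new shells -- this check may therefore re-run cargo in this session.)
if ! command -v rg &>/dev/null; then
  cargo install ripgrep
fi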
1567
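#### tor
case $distro in
  # based on
  # https://www.torproject.org/docs/rpms.html.en
  # https://www.torproject.org/docs/debian.html.en
  # todo: figure out if the running service needs to be restarted upon updates
  # todo on fedora: setup non-dev packages
  fedora)
    # gpgcheck=1 protects the packages, but the key itself was fetched over
    # plain http -- a first-run MITM could substitute the key and then sign
    # whatever it likes. Fetch the key over https. (fc/20 is hard-coded and
    # "tor-testing" is the experimental branch; revisit before reuse.)
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

    # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    # Fetch the signing key by its full fingerprint rather than the 32-bit
    # short id 886DDD89: short ids are trivially collidable, so a keyserver
    # can hand back someone else's key. The export below already used the
    # full fingerprint; this just makes the fetch match it.
    tor_fpr=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    gpg --keyserver keys.gnupg.net --recv "$tor_fpr"
    # apt-key add trusts this key for every apt source on the system, not
    # just tor's; the deb.torproject.org-keyring package installed next takes
    # over key management from then on.
    gpg --export "$tor_fpr" | sudo apt-key add -
    p update
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
  # other distros (e.g. trisquel) not handled
esac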
1617
# nfs server packages (the export itself is configured further down, on
# frodo only)
if [[ $distro == fedora ]]; then
  end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration


EOF
  pi nfs-utils
elif [[ $distro == debian || $distro == trisquel || $distro == ubuntu ]]; then
  pi-nostart nfs-server
elif [[ $distro == arch ]]; then
  # the package install can require a reboot to finish; flag it for the end
  pi nfs-utils || pending_reboot=true
fi
1647
# networkmanager has this nasty behavior on flidas: if the machine
# crashes with dnsmasq running, on subsequent boot, it adds an entry to
# resolvconf for 127.0.0.1 in some stupid attempt to restore
# nameservers.
# This can be manually fixed by stopping dnsmasq,
# then based on what's in /run/dnsmasq/, i see we can run
# s resolvconf -d NetworkManager
# oh ya, and stopping NetworkManager leaves this crap behind without cleaning it up.
# So: stop it now and keep it from coming back on boot.
for nm_action in stop disable; do
  ser "$nm_action" NetworkManager
done
1658
1659
if [[ $HOSTNAME == frodo ]]; then
  # nohide = export filesystems mounted deeper than the export point
  # fsid=0 makes this export the "root" export
  # not documented in the man page, but this means
  # 1. it can be mounted with a shorthand of server:/
  # 2. exports that are subdirectories of this one will automatically be mounted
  #
  # SECURITY (exports(5) semantics of the other options):
  #  no_root_squash  root on any 10.0.0.0/24 client is root on /k.
  #  insecure        requests from non-privileged source ports are accepted,
  #                  so any process on a client, not just root, can talk NFS
  #                  to this export directly.
  #  async           the server acknowledges writes before they hit disk;
  #                  a server crash can lose acknowledged data.
  # Together these mean everything on that /24 is trusted as much as local
  # root; only keep this if that subnet really is that trusted.
  tu /etc/exports <<'EOF'
/k 10.0.0.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
  s exportfs -rav
fi


# print the manual follow-up steps collected via end_msg during the run
e "$end_msg_var"
1674
1675
1676
1677 # if I was going to create a persistent vm, i might do it like this:
1678 # variant=something # from: virt-install --os-variant list
1679 # s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
1680 # --disk=/a/images/some_name.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
1681 # -n some_name --import --os-variant $variant --cpu host-model-only
1682
1683
1684
######### begin stuff belonging at the end ##########

# 0 = finished cleanly (the error handler's cleanup writes 1 on failure)
echo 0 >~/.local/distro-end
if [[ $pending_reboot == true ]]; then
  echo "$0: pending reboot and then finished. doing it now."
  s reboot now
else
  echo "$0: $(date): ending now)"
fi
exit 0