2 # Copyright (C) 2016 Ian Kelling
3 # This program is under GPL v. 3 or later, see <http://www.gnu.org/licenses/>
5 trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
13 grep -E '^[^#]debian.*\stesting\s+main\s*$' /etc
/apt
/sources.list
&>/dev
/null
49 # things with no equivalent in other distros:
52 # for gui bug reporting
56 # for debconf-get-selections
62 ####### misc packages ###########
72 arch
) pi the_silver_searcher
;;
79 pi cups ghostscript gsfonts
# from arch wiki cups page
80 pi hplip
# from google
81 s gpasswd
-a $USER sys
# from arch wiki
82 sgo org.cups.cupsd.service
83 # goto http://127.0.0.1:631
84 # administration tab, add new printer button.
85 # In debian, I could use the recommended driver,
86 # in arch, I had to pick out the 6L driver.
88 # other distros unknown
93 ubuntu|debian
) pi ack-grep nfs-client
;;
94 arch|fedora
) pi ack
;;
98 ubuntu|debian
) pi
--no-install-recommends mairix notmuch
;;
99 fedora|arch
) pi mairix notmuch
;;
102 arch
) pi nfs-utils
;;
103 ubuntu|debian
) pi nfs-client
;;
106 ubuntu|debian
) pi par2
;;
107 arch|fedora
) pi par2cmdline
;;
110 arch|fedora
) pi unison
;;
111 # deb/ubuntu, it depends what version they have.
112 # arch and fedora have unison240 and unison-240-compat respectively,
113 # but that failed to sync with an ubuntu 12.04 which had unison 2.40,
114 # so I installed it manually, but hopefully never have to use it on 12.04 again.
116 # wget http://caml.inria.fr/pub/distrib/ocaml-4.02/ocaml-4.02.3.tar.gz
121 # wget http://www.seas.upenn.edu/~bcpierce/unison//download/releases/stable/unison-2.48.3.tar.gz
123 # s cp unison /usr/local/bin
126 # needed for my tex resume
128 ubuntu|debian
) pi texlive-full
;;
129 arch
) pi texlive-most
;;
135 # flash, unrar, codecs, ms fonts.
136 # This has a manual prompt.
137 pi ubuntu-restricted-extras
141 # rpm fusion recommended codecs
# NOTE(review): --nogpgcheck turns off RPM signature checking for this install, and
# both release packages are fetched over plain http, so nothing authenticates the
# packages that set up the RPM Fusion repos and their signing keys. Safer: fetch them
# over https if the mirror offers it, verify them against the RPM Fusion key published
# for this Fedora release, and install without --nogpgcheck.
142 s su
-c 'yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm'
143 pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
144 xine-lib-extras-freeworld
148 # optional dep for firefox for h.264 video
149 arch
) pi gst-libav
;;
150 # other distros, probably come by default
154 fedora|ubuntu|debian
) pi gnupg-agent
;;
160 fedora|ubuntu|debian
) pi transmission
;;
161 arch
) pi transmission-gtk
;;
166 fedora
) pi pinentry-gtk
;;
167 *) : ;; # comes default or with other packages
171 arch
) pi firefox pulseaudio
;;
172 *) : ;; # comes default or with other packages
175 # general others are unknown bucket
178 # cdrkit for cloud-init isos
179 # dnsmasq for nat networking in libvirt
180 # qemu for qemu-img, bind-tools for dig
181 pi ttf-dejavu bash-completion
unzip ntp wget xorg-xev xorg-xmodmap \
182 virt-install bridge-utils cdrkit dnsmasq qemu spice-gtk3 bind-tools
# NOTE(review): the two commands below delete any existing `user =` line from
# /etc/libvirt/qemu.conf and append user = "root". In qemu.conf that setting selects
# the account QEMU processes run as under the system libvirt instance, so a compromised
# guest process would hold root on the host. The "better way" hinted at below is
# usually to keep the unprivileged default and fix access to the kvm device instead
# (group membership / device permissions) -- TODO confirm for this distro.
184 s
sed -ri '/^ *user *=/d' /etc
/libvirt
/qemu.conf
185 # otherwise we get error about accessing kvm module.
186 # seems like there might be a better way, but google was a bit vague.
187 echo 'user = "root"' | s
tee -a /etc
/libvirt
/qemu.conf
188 # https://bbs.archlinux.org/viewtopic.php?id=206206
189 # # this should prolly go in the wiki
201 arch
) pi virtviewer
;;
202 *) : ;; # other distros have it as a dependency afaik.
208 # ubuntu 14.04 uses b-cron,
209 # but it's not maintained in arch.
210 # of the ones in the main repos, cronie is only one maintained.
211 # fcron appears abandoned software.
215 *) : ;; # other distros come with cron.
220 fedora
) cabal
install shellcheck
;;
222 # unknown for older ubuntu
227 arch|arch
) pi pumpa
;;
228 *) /a
/bin
/buildscripts
/pumpa
;;
233 ubuntu
) pi android-tools-adb
;;
234 arch
) pi android-tools
;;
235 # other distros unknown
245 # proprietary flash. going without for now
248 # pi flashplugin-nonfree
# NOTE(review): the source tarball is fetched over plain http, and nothing visible in
# this excerpt checks a checksum or signature before ./configure is (presumably) run
# on the unpacked tree. Verifying the download against a published digest or signature
# first would close that gap.
261 wget http
://tamacom.com
/global
/global-6.3
.2.
tar.gz
264 # based on https://github.com/leoliu/ggtags
265 .
/configure
--with-exuberant-ctags=/usr
/bin
/ctags
268 s pip
install pygments
271 pi global python2-pygments
276 ######### end misc packages #########
280 # packages I once used before and liked, but don't want installed now for
282 # python-sqlite is used for offlineimap
283 # lxappearance python-sqlite dolphin paman dconf-editor
285 # todo, finish configuring smart.
286 # mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
287 # turn on smart. background on options:
288 # first line, -a = test everything on all devices.
289 # -S on, turn on disk internal saving of vendor specific info,
290 # from google, seems like this is usually already on and fairly standard.
291 # -o on, turn on 4 hour period non-performance degrading testing.
292 # short test daily 2-3am, extended tests Saturdays between 3-4am:
293 sched
="-s (S/../.././02|L/../../6/03)"
294 s
sed -i "s#^[[:space:]]*DEVICESCAN.*#\
295 DEVICESCAN -a -o on -S on -n standby,q $sched\
296 -m ian@iankelling.org -M exec /usr/local/bin/smart-notify#" /etc
/smartd.conf
298 # in the default configuration of at least ubuntu 14.04, resolvconf is
299 # configured to order any nameservers associated with tun* or tap*
300 # before the normal internet interfaces, which means they are always
301 # consulted first. This is often slower and undesirable, ie. local dns
302 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
304 #sudo sed -i '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
305 # however, this breaks dns lookup for hosts on the openvpn lan.
306 # I can\'t figure out why hosts on the normal lan would not be
307 # broken under the default ordering, except the host I was
308 # testing with previously had an entry in /etc/hosts.
313 # default is alsa, doesn\'t work with pianobar
314 s
dd of
=/etc
/libao.conf
<<'EOF'
321 if [[ $HOSTNAME == treetowl
]]; then
327 s systemctl
enable fail2ban
328 s systemctl start fail2ban
334 case $
(distro-name
) in
336 # allows me to pipe with ssh -t, and gets rid of spam
337 # http://forums.debian.net/viewtopic.php?f=5&t=85822
338 # i'd rather disable the service than comment the init file
339 # this says disabling the service, it will still get restarted
340 # but this script doesn't do anything on restart, so it should be fine
341 s
dd of
=/var
/run
/motd.dynamic
if=/dev
/null
342 s update-rc.d motd disable
345 # this isn't a complete solution. It still shows me when updates are available,
346 # but it's no big deal.
347 s t
/etc
/update-motd.d
/10-help-text /etc
/update-motd.d
/00-header
353 # https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
354 # /etc/cron.daily/apt calls unattended-upgrades
355 # /usr/share/doc/unattended-upgrades# cat README.md
356 # /etc/apt/apt.conf.d/50unattended-upgrades
358 pi unattended-upgrade
359 s
dd of
=/etc
/apt
/apt.conf.d
/10periodic
<<'EOF'
360 APT::Periodic::Update-Package-Lists "1";
361 APT::Periodic::Download-Upgradeable-Packages "1";
362 APT::Periodic::AutocleanInterval "7";
363 APT::Periodic::Unattended-Upgrade "1";
366 Unattended-Upgrade::Mail "root";
367 Unattended-Upgrade::MailOnlyOnError "true";
368 Unattended-Upgrade::Remove-Unused-Dependencies "true";
370 if ! is_debian_testing
; then
372 # default is just upgrade main and security, not updates.
373 # If it's not testing, just upgrade everything.
374 # These are stable packages only getting bugfixes anyways.
375 Unattended-Upgrade::Origins-Pattern {
380 } >/etc
/apt
/apt.conf.d
/50unattended
-upgrades
385 ######### begin postfix ########
386 # based on,http://www.postfix.org/qmgr.8.html and my notes in gnus
387 # originally tried moving specific directories under /var/spool/postfix,
388 # but postfix didn't like that
389 if [[ ! -L /var
/spool
/postfix
]]; then
392 s
mv /var
/spool
/postfix
/q
393 s lnf
/q
/postfix
/var
/spool
398 # send mail to a better place than /var/mail/ian
399 s
sed -i '/^root/d' /etc
/aliases ||
:
400 echo "root: $HOSTNAME@bog.mm.st" | s
tee -a /etc
/aliases
401 # this can't be a symlink and has permission restrictions
402 # it might work in /etc/aliases, but this seems more proper.
403 e
"$HOSTNAME@bog.mm.st" > ~
/.forward
406 # i'm assuming mail just won't work on systems without the sasl_passwd.
408 smtp_sasl_auth_enable = yes
409 smtp_sasl_password_maps = hash:/q/root/sasl_passwd
410 smtp_sasl_security_options = noanonymous
411 smtp_tls_security_level = secure
412 message_size_limit = 20480000
413 smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
415 # ^ I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
417 # offlineimap uses this too, it is much easier to use one location than to
418 # condition its config and postfix's config
420 fedora
) s lnf
-T ca-certificates.crt
/etc
/ssl
/ca-bundle.trust.crt
;;
427 ############ end postfix #######
431 debian|ubuntu
) s gpasswd
-a ian adm
;; #needed for reading logs
437 # https://www.torproject.org/docs/rpms.html.en
438 # https://www.torproject.org/docs/debian.html.en
439 # todo: figure out if the running service needs to be restarted upon updates
442 # todo on fedora: setup non-dev packages
# NOTE(review): the repo definition written by this heredoc uses http:// for both
# baseurl and gpgkey, so the signing key itself arrives over an unauthenticated
# channel. Comparing the fingerprint shown at install time with a value obtained over
# https is what actually authenticates it. Whether gpgcheck is enabled is not visible
# in this excerpt -- confirm in the full file.
444 s
dd of
=/etc
/yum.repos.d
/torproject.repo
<<'EOF'
446 name=Tor experimental repo
448 baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
450 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
453 name=Tor experimental source repo
456 baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
458 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
461 # to be secure, check the key fingerprint reported by the following install and confirm it matches the one published at the link above:
462 # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
464 /a
/bin
/buildscripts
/tor-browser
467 tu
/etc
/apt
/sources.list
'deb http://deb.torproject.org/torproject.org trusty main'
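# Fetch the Tor Project archive signing key and hand it to apt.
# The key is requested by its full fingerprint instead of the 8-hex-digit short id
# (886DDD89): unrelated keys can share a short id, so a lookup by short id may pull
# extra keys into the keyring. The export already selected by full fingerprint, so
# only that one key is passed to apt-key.
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -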
471 pi deb.torproject.org-keyring
473 /a
/bin
/buildscripts
/tor-browser
476 pi tor tor-browser-en
485 read -r -d '' fedora_end_msg
<<'EOF'
486 fedora todo: disable the firewall or find a way to automate it.
487 there's an unused section in t.org for tramikssion firewall setup
489 fedora manual config for nfs:
491 change to permanent configuration
492 check the box for nfs
493 was hard to figure this out, not sure if this is all needed, but
495 mountd: udp/tcp 20048
496 portmapper, in firewall-config its called rpc-bind: udp/tcp 111
497 troubleshooting, unblock things in rpcinfo -p
498 make sure to reload the firewall to load the persistent configuration
514 # nohide = export filesystems mounted deeper than the export point
515 # fsid=0 makes this export the "root" export
516 # not documented in the man page, but this means
517 # 1. it can be mounted with a shorthand of server:/
518 # 2. exports that are subdirectories of this one will automatically be mounted
# NOTE(review): security-relevant options in the export line below
# (tu is defined elsewhere; presumably it adds the line to the file if missing):
#   no_root_squash - root on any client in 192.168.1.0/24 keeps uid 0 on this export
#   insecure       - requests from unprivileged source ports (>1023) are accepted
#   async          - the server replies before data reaches disk; a crash can lose writes
# Combined with rw, any host on that subnet gets root-level write access to /i/video.
# If that is wider than intended, drop no_root_squash/insecure or narrow the client list.
519 tu
/etc
/exports
'/i/video 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)'
521 showmount
-e localhost
526 f
=/a
/bin
/$HOSTNAME-crontab
532 if [[ ${distro}_end_msg
]]; then
533 echo ${distro}_end_msg