#!/bin/bash
-# Copyright (C) 2019 Ian Kelling
-# SPDX-License-Identifier: AGPL-3.0-or-later
-# shellcheck source=/a/bin/ds/.bashrc
-export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi
+# Setup Ian's computers
+# Copyright (C) 2024 Ian Kelling
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# shellcheck disable=SC2317 # false positive
+export LC_USEBASHRC=t
+source /a/bin/ds/.bashrc
### setup
-source /a/bin/errhandle/err
+source /a/bin/bash-bear-trap/bash-bear
src="$(readlink -f -- "${BASH_SOURCE[0]}")"; src=${src%/*} # directory of this file
if [[ $EUID == 0 ]]; then
}
pre="${0##*/}:"
sudo() {
- printf "$pre %s\n" "$*"
+ printf "$pre sudo %s\n" "$*"
SUDOD="$PWD" command sudo "$@";
}
m() { printf "$pre %s\n" "$*"; "$@"; }
########### begin section including vps ################
pi ${p2[@]}
-
conflink
sudo rm -fv
-
-# dogcam setup. not using atm
-# case $HOSTNAME in
-# lj|li)
-# /a/bin/webcam/install-server
-# ;;
-# kw)
-# /a/bin/webcam/install-client
-# ;;
-# esac
-
-
-## not actually using prometheus just yet
-# # office is not exposed to internet yet
-# if [[ $HOSTNAME != kw ]]; then
-# ## prometheus node exporter setup
-# web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
-# #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
-# # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-# <Location />
-# AllowOverride None
-# AuthType basic
-# AuthName "Authentication Required"
-# # setup one time, with root:www-data, 640
-# AuthUserFile "/etc/prometheus-htpasswd"
-# Require valid-user
-# </Location>
-# EOF
-# fi
-
-
pi debootstrap
######### begin universal pinned packages ######
case $(debian-codename) in
- nabia|etiona|flidas)
+ etiona|flidas|nabia|aramo)
sudo rm -fv /etc/apt/preferences.d/etiona-buster
sd /etc/apt/preferences.d/trisquel-debian <<EOF
Explanation: Debian* includes Debian + Debian Backports
Package: *
Pin: release o=Debian*
Pin-Priority: -100
-EOF
- ;;&
- # needed for debootstrap scripts for fai since fai requires debian
- flidas)
- # moved to fai
- #curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
- sd /etc/apt/preferences.d/flidas-xenial <<EOF
-Package: *
-Pin: release a=xenial
-Pin-Priority: -100
-
-Package: *
-Pin: release a=xenial-updates
-Pin-Priority: -100
-
-Package: *
-Pin: release a=xenial-security
-Pin-Priority: -100
-
-Package: firefox
-Pin: release n=xenial
-Pin-Priority: 500
-EOF
- sd /etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
-deb http://us.archive.ubuntu.com/ubuntu/ xenial main
-deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
-deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
-EOF
-
- if ! apt-key list | grep /C0B21F32 &>/dev/null; then
- # moved to fai
- #sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
- sd /etc/apt/preferences.d/flidas-bionic <<EOF
-Package: *
-Pin: release a=bionic
-Pin-Priority: -100
-
-Package: *
-Pin: release a=bionic-updates
-Pin-Priority: -100
-
-Package: *
-Pin: release a=bionic-security
-Pin-Priority: -100
-EOF
- fi
-
- # better to run btrfs-progs which matches our kernel version
- # (note, renamed from btrfs-tools)
- sd /etc/apt/preferences.d/btrfs-progs <<EOF
-Package: btrfs-progs libzstd1
-Pin: release a=bionic
-Pin-Priority: 1005
-
-Package: btrfs-progs libzstd1
-Pin: release a=bionic-updates
-Pin-Priority: 1005
-
-Package: btrfs-progs libzstd1
-Pin: release a=bionic-security
-Pin-Priority: 1005
-EOF
-
-
- t=$(mktemp)
- cat >$t <<EOF
-deb http://us.archive.ubuntu.com/ubuntu/ bionic main
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
-EOF
- f=/etc/apt/sources.list.d/bionic.list
- if ! diff -q $t $f; then
- sudo cp $t $f
- sudo chmod 644 $f
- m p update
- fi
-
- # no special reason, but its better for btrfs-progs to
- # be closer to our kernel version
- pi btrfs-progs
-
- if [[ ! -e /usr/share/debootstrap/scripts/xenial ]]; then
- t=$(mktemp -d)
- cd $t
- m aptitude download debootstrap/xenial
- m ex ./*
- sudo cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
- fi
-
- sd /etc/apt/preferences.d/flidas-etiona <<EOF
-Package: *
-Pin: release a=etiona
-Pin-Priority: -100
-
-Package: *
-Pin: release a=etiona-updates
-Pin-Priority: -100
-
-Package: *
-Pin: release a=etiona-security
-Pin-Priority: -100
-
-Package: *
-Pin: release a=etiona-backports
-Pin-Priority: -100
-EOF
-
- t=$(mktemp)
- cat >$t <<EOF
-deb http://mirror.fsf.org/trisquel/ etiona main
-deb http://mirror.fsf.org/trisquel/ etiona-updates main
-deb http://archive.trisquel.info/trisquel/ etiona-security main
-deb http://mirror.fsf.org/trisquel/ etiona-backports main
-EOF
- f=/etc/apt/sources.list.d/etiona.list
- if ! diff -q $t $f; then
- sudo cp $t $f
- n s chmod 644 $f
- m p update
- fi
-
- sd /etc/apt/preferences.d/debian-goodies <<EOF
-Package: debian-goodies
-Pin: release n=etiona
-Pin-Priority: 1005
-EOF
-
-
- # dont use buster because it causes dist-upgrade to think its downgrading
- # packages while really just reinstalling the same version.
- f=/etc/apt/apt.conf.d/01iank
- sudo rm -fv $f
- # # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
- # sd /etc/apt/apt.conf.d/01iank <<'EOF'
- # Acquire::AllowInsecureRepositories "true";
- # EOF
-
- f=/etc/apt/sources.list.d/buster.list
- sudo rm -fv $f
-
- # newer version needed for false positive in checkrestart.
- # I did buster at first, but other problem above with having
- # buster repos. not sure if the false positive exists in etiona.
- pi debian-goodies
-
- sd /etc/apt/preferences.d/shellcheck <<EOF
-Package: shellcheck
-Pin: release a=etiona
-Pin-Priority: 1005
-
-Package: shellcheck
-Pin: release a=etiona-updates
-Pin-Priority: 1005
-
-Package: shellcheck
-Pin: release a=etiona-security
-Pin-Priority: 1005
-EOF
-
- sd /etc/apt/preferences.d/bash <<EOF
-Package: bash
-Pin: release a=etiona
-Pin-Priority: 1005
-
-Package: bash
-Pin: release a=etiona-updates
-Pin-Priority: 1005
-Package: bash
-Pin: release a=etiona-security
-Pin-Priority: 1005
+Explanation: ubuntu's version is outdated
+Package: debian-archive-keyring
+Pin: release o=Debian*
+Pin-Priority: 1000
EOF
-
-
;;&
- nabia|etiona)
+
+ aramo|nabia|etiona)
# for ziva
#p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
doupdate=false
- for n in buster bullseye; do
+ # shellcheck disable=SC2043 # in case we want more than 1 in the loop later.
+ for n in bookworm; do
f=/etc/apt/sources.list.d/$n.list
t=$(mktemp)
case $n in
- buster)
- cat >$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
- ;;
- bullseye)
- cat >$t <<'EOF'
-EOF
+ bookworm)
cat >$t <<EOF
-deb http://deb.debian.org/debian bullseye main
-deb-src http://deb.debian.org/debian bullseye main
+deb http://deb.debian.org/debian bookworm main
+deb-src http://deb.debian.org/debian bookworm main
-deb http://deb.debian.org/debian-security/ bullseye-security main
-deb-src http://deb.debian.org/debian-security/ bullseye-security main
+deb http://deb.debian.org/debian-security/ bookworm-security main
+deb-src http://deb.debian.org/debian-security/ bookworm-security main
-deb http://deb.debian.org/debian bullseye-updates main
-deb-src http://deb.debian.org/debian bullseye-updates main
+deb http://deb.debian.org/debian bookworm-updates main
+deb-src http://deb.debian.org/debian bookworm-updates main
-deb http://http.debian.net/debian bullseye-backports main
-deb-src http://http.debian.net/debian bullseye-backports main
+deb http://http.debian.net/debian bookworm-backports main
+deb-src http://http.debian.net/debian bookworm-backports main
EOF
;;
esac
fi
done
if $doupdate; then
- curl -s https://ftp-master.debian.org/keys/archive-key-10-security.asc | sudo apt-key add -
- curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | sudo apt-key add -
+ tmpdir=$(mktemp -d)
+ (
+ cd $tmpdir
+ # cant apt get the keyring without doing an update, can't update
+ # without the keyring, this is a stupid chicken and egg problem
+ # that apt should have some feature to solve, but doesn't as far
+ # as I know.
+ f=debian-archive-keyring_2023.3+deb12u1_all.deb
+ wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f
+ sudo dpkg -i $f
+ )
p update
+ rm -rf $tmpdir
fi
- if [[ ! -e /usr/share/debootstrap/scripts/bullseye ]]; then
- t=$(mktemp -d)
- cd $t
- m aptitude download debootstrap/bullseye
- m ex ./*
- sudo cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+ if [[ ! -e /usr/share/debootstrap/scripts/noble ]]; then
+ # noble debootstrap as of 2024-07-05. not going to bother
+ # adding a whole repo for one package which doesn't seem to generally change within a single distro version.
+ sudo dpkg -i /a/opt/debootstrap_1.0.134ubuntu1_all.deb
fi
;;&
deb http://us.archive.ubuntu.com/ubuntu/ focal-security main universe
EOF
if ! diff -q $t $f; then
- sudo dd if=$t of=$f 2>/dev/null
+ sudo dd if=$t of=$f status=none
p update
fi
deb-src http://mirror.fsf.org/trisquel/ nabia-backports main
EOF
if ! diff -q $t $f; then
- sudo dd if=$t of=$f 2>/dev/null
+ sudo dd if=$t of=$f status=none
p update
fi
Pin-Priority: -100
EOF
+ ;;&
+ nabia)
+ sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+ f=/etc/apt/sources.list.d/aramo.list
+ t=$(mktemp)
+ cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+ if ! diff -q $t $f; then
+ sudo dd if=$t of=$f status=none
+ p update
+ fi
+
;;&
*)
if isdeb; then
;;
esac
-
+case $codename_compat in
+ jammy|noble)
+ s systemctl enable --now ssh-agent-iank
+ ;;
+esac
case $codename_compat in
focal)
Pin: release n=bionic
Pin-Priority: 500
EOF
-
+ ;;
+ nabia)
+ # note, to get the latest, it would be n=bullseye*
+ # but that has conflicting package versions, so this does the old one.
+ # I only use it for special rare purposes. Just keep in mind it is an
+ # outdated insecure version.
+ sd /etc/apt/preferences.d/chromium-bullseye <<EOF
+Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
+Pin: release o=Debian*,n=bullseye
+Pin-Priority: 500
+EOF
+ ;;
+ aramo)
+ # obs dependency not in trisquel
+ sd /etc/apt/preferences.d/obs <<EOF
+Package: libfdk-aac2
+Pin: release n=jammy,o=Ubuntu
+Pin-Priority: 500
+EOF
;;
esac
##### begin automatic upgrades (after checkrestart has been installed) ####
# if apt-config-auto-update is installed,
# it also has similar config, in a file 10something,
-# but i think his overrides it since its higher number.
+# but i think this overrides it since its higher number.
# This file was part of the automatic-updates package,
-# and it has a configu option to not get new package lists,
+# and it has a config option to not get new package lists,
# which seems pretty stupid to me, you cant actually upgrade
# anything if you dont have the new package list.
sd /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
+# note: man apt.conf says
+# /usr/share/doc/apt/examples/configure-index.gz is a configuration file showing
+# example values for all possible options.
+# but that is a incorrect.
+# Periodic and other options are only documented in
+# /usr/lib/apt/apt.systemd.daily
+# That filename can be found through poking around in apt daily cronjob.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
+# 0 means disabled. I used to set this to 7, however, trisquel doesn't
+# have an archive of old package versions, so I want to
+# keep around old versions so I can easily downgrade.
+APT::Periodic::AutocleanInterval "0";
+# daily expire old files /var/cache/apt if it gets above this MB
+APT::Periodic::MaxSize "50000";
APT::Periodic::Unattended-Upgrade "1";
EOF
# Pin-Priority: 500
# EOF
-if [[ -e /etc/wireguard/wghole.conf ]]; then
- sgo wg-quick@wghole
-fi
###### begin website setup
case $HOSTNAME in
if [[ ! -e $f ]]; then
dnsb8
fi
+
+ sudo /a/f/ans/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
+ # ex for exporter
+ web-conf -p 9101 -f 9100 - apache2 ${HOSTNAME}ex.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-export-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-export-htpasswd"
+Require valid-user
+</Location>
+EOF
;;&
+
bk)
sgo wg-quick@wgmail
;;
li)
+ p build-dep eggdrop
+ if [[ ! -L ~/eggdrop/eggdrop ]]; then
+ cd
+ git clone https://github.com/eggheads/eggdrop eggdrop-src
+ cd eggdrop-src
+ ./configure
+ make config
+ make
+ make install
+ fi
+
+ # dunno if this is really needed. it was part of the documented eggdrop systemd install script
+ sudo loginctl enable-linger
+ systemctl --user enable fsysbot
+ systemctl --user start fsysbot
+
m /a/h/setup.sh iankelling.org
# start mumble only when im going to use it, since i dont use it much
client-to-client
EOF
- # sullivan d8
- sd /etc/openvpn/client-config-hole/sd8 <<'EOF'
-ifconfig-push 10.5.5.41 255.255.255.0
-EOF
- # hsieh d8
- sd /etc/openvpn/client-config-hole/hd8 <<'EOF'
-ifconfig-push 10.5.5.42 255.255.255.0
-EOF
+ # note client-config files are setup in brc2 update-host-info
- sd /etc/openvpn/client-config-hole/onep9 <<'EOF'
-ifconfig-push 10.5.5.14 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/bo <<'EOF'
-ifconfig-push 10.5.5.13 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/sy <<'EOF'
-ifconfig-push 10.5.5.12 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/kw <<'EOF'
-ifconfig-push 10.5.5.9 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/x3 <<'EOF'
-ifconfig-push 10.5.5.8 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/x2 <<'EOF'
-ifconfig-push 10.5.5.7 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/wclient <<'EOF'
-ifconfig-push 10.5.5.6 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/frodo <<'EOF'
-ifconfig-push 10.5.5.5 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/amy <<'EOF'
-ifconfig-push 10.5.5.3 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/kd <<'EOF'
-ifconfig-push 10.5.5.2 255.255.255.0
-EOF
- # for adding to current system:
- #vpn-mk-client-cert -s "" -n hole 72.14.176.105
- # adding to remove system 107,
- #vpn-mk-client-cert -s "" -n hole -c 10.2.0.107 -b hd8 iankelling.org
+ # for adding cert to system with /p
+ #
+ # host=frodo
+ #mkc /p/c/machine_specific/$host/filesystem/etc/openvpn/client
+ #vpn-mk-client-cert -b $host -n hole -r iankelling.org
+ #s chown -R iank:iank .
#
- # for wireguard hole vpn
+ # example of adding to remote system 107,
+ # vpn-mk-client-cert -n hole -c 10.2.0.107 -b hd8 iankelling.org
+ #
+ # for wireguard hole vpn, use function:
# wghole
+ # eg:
+ # wghole bo 28
+ # if it is going to want to connect to transmission-daemon on ok
+ # wghole bo 28 10.174.2.2/32
# requested from linode via a support ticket.
# https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
# https://radicale.org/2.1.html
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location /radicale/>
- Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+<Location "/">
AllowOverride None
- AuthType basic
+ AuthType Basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
+ RequestHeader set X-Remote-User expr=%{REMOTE_USER}
+</Location>
+<Location "/radicale/">
+ Options +FollowSymLinks +Multiviews -Indexes
RequestHeader set X-Script-Name /radicale/
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
ProxyPass "http://10.8.0.4:5232/" retry=0
# https://wiki.znc.in/self-message
# https://wiki.znc.in/Query_buffers \
#
+ # for geekshed, there was no sasl support as far as I can tell,
+ # so I set to msg nickserv to identify upon connect.
if ! getent passwd znc > /dev/null; then
sudo useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc
fi
end
;;
esac
+
+case $HOSTNAME in
+ bk)
+ pi icecast2
+ # todo, save the config
+ /etc/cron.daily/stream-cert
+ web-conf -c /etc/cert-live.fsf.org -p 443 -f 8000 apache2 live.fsf.org
+ ;;
+esac
+
###### end website setup
########### end section including li/lj ###############
### system76 things ###
case $HOSTNAME in
- sy|bo)
+ bo) # sy| sy doesnt seem to really need this.
# note, i stored the initial popos packages at /a/bin/data/popos-pkgs
if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
# https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
# Pin: release o=LP-PPA-system76-dev-stable
# Pin-Priority: 1001
# EOF
- pi system76-driver system76-firmware
+ #
+ # fwupdmgr get-updates
+ # says I have 3 "devices with no available firmware updates"
+ # if there were updates, install with: s fwupdmgr update
+
+ check_downgrade=false
+ if [[ ! -e /etc/apt/preferences.d/system76-apt-preferences ]]; then
+ check_downgrade=true
+ fi
+ # note this installs a kernel
+ pi system76-firmware system76-driver
+ pi-nostart fwupd
+ # some other service starts it. note: this still needs testing.
+ ser mask fwupd
+ if $check_downgrade && [[ -e /etc/apt/preferences.d/system76-apt-preferences ]]; then
+ # driver installs a preferences file to give s76 packages
+ # priority so we may need to downgrade here.
+ pup --allow-downgrades
+ fi
+ # system76-driver: on a modern kernel, it seems to mainly just do
+ # some power settings, I haven't looked entirely through it. Of
+ # its recommended packages, system76-power is the only one I
+ # haven't looked at, the others do nothing for laptops i
+ # have. they have models hardcoded in source, so you can just grep
+ # for it. pkx package; caf | less. I'm rather annoyed that
+ # com.system76.PowerDaemon.service is regularly taking up the
+ # most power. I wonder what it is actually doing, it really
+ # doesn't say, just has cryptic messages when I turn on
+ # debug logs, and has no documentation. Similar deal with
+ # system76-driver.service.
+ #
# if you get a notice about a firmware update, the notifier on i3
- # is too dumb to do anything when you click it. so to see
- # a changelog, cd to
+ # is too dumb to do anything when you click it.
+ #
+ # To see current version: cat /sys/class/dmi/id/bios_version
+ # ref: https://support.system76.com/articles/transition-firmware/
+ #
+ # to manually get new firmware,
+ # system76-firmware-cli schedule --open
+ # to see a changelog, cd to
# /var/cache/system76-firmware-daemon
# extract the xz files there, one will contain a changelog.
# then to install an update:
fi
;;
esac
+### end system76 things ###
case $distro in
trisquel|ubuntu)
- # ppa:obsproject/obs-studio
- if [[ ! -s /etc/apt/sources.list.d/obs.list ]]; then
- # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
- sd /etc/apt/sources.list.d/obs.list <<EOF
+
+ ## one time setup thing I did
+ # c /a/opt/obs-cmd/
+ # cargo build --release
+ # cp target/release/obs-cmd ../bin
+ #
+ ## in obs, tools -> websocket server settings -> generate/copy password
+ #
+ # note: obs-studio on gnu does not support webrtc, it seems mainly because
+ # libdatachannel is not packaged. If it was, it would just need to do
+ # apt source obs-studio, obs-studio-30.1.1/debian/rules set -DENABLE_WEBRTC=ON
+ #
+ # I did manage to build libdatachannel following its instructions, then make install,
+ # then obs failed due to nvidia. found those options to disable with
+ # rg 'option\(ENABLE' | gr nv, then build obs like so:
+ #
+ # cmake -DLINUX_PORTABLE=ON -DCMAKE_INSTALL_PREFIX="${HOME}/obs-studio-portable" -DENABLE_BROWSER=OFF -DENABLE_AJA=OFF -DENABLE_NEW_MPEGTS_OUTPUT=OFF -DENABLE_WEBRTC=ON -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DENABLE_NVVFX=OFF -DENABLE_NVAFX=OFF -DENABLE_NATIVE_NVENC=OFF ..
+ #
+ #
+ #
+ # however, I didn't end up trying it out.
+ #
+ # note, in terminal source, i setup a transform so it would show the
+ # bottom 1080p section of the terminal instead of the top if the
+ # screen was bigger. click like 2 times in the preview so the red
+ # lines show up, right click, edit transform (or ctrl-e). bounding
+ # box type: scale to width of bounds. alignment in bounding box:
+ # bottom left. bounding box size 1920 x 1080.
+
+ # as of 2024-06, noble repo doesn't exist yet
+ if [[ $codename_compat != noble ]]; then
+ # ppa:obsproject/obs-studio
+ if [[ ! -s /etc/apt/sources.list.d/obs.list ]]; then
+ # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
+ sd /etc/apt/sources.list.d/obs.list <<EOF
deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
deb-src http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
EOF
- trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
- p update
+ trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
+ p update
+ fi
fi
;;
+
esac
case $codename_compat in
# and choose lightdm.
#
;;
+ jammy)
+ # not yet bothering with mate
+ pi lightdm-gtk-greeter lightdm
+ case $HOSTNAME in
+ sy|bo)
+ # todo: try removing this. also, see if system76-driver fixes this.
+
+ # on newer laptop, this config makes xorg load an intel module
+ # in Xorg.0.log and display nothing. background:
+ #
+ # I dropped lightdm as I was trying to figure this out, why xorg was
+ # displaying nothing. I did a diff of a working Xorg.0.log from a
+ # popos is, which is in ~/.local/share/xorg/Xorg.0.log if it runs as
+ # a regular user. I noticed 2 differences, on the failing one it was
+ # loading the intel xorg module. On the successful one, it had a
+ # line systemd-logind: got fd for /dev/dri/card1 226:1, on the
+ # failing one it had a line about systemd-logind not knowing the
+ # seat or session or something. There was no search results about
+ # that, switching to xinit made that go away. Note: gpg-agent seems
+ # to be working ok as an ssh agent. xsession has an option
+ # use-ssh-agent but perhaps it decides to leave gpg agent in charge.
+ cat >/etc/X11/xorg.conf.d/20-intel.conf <<'EOF'
+# iank:
+# https://forums.linuxmint.com/viewtopic.php?f=208&t=224942#p1197049
+# prevents konsole from being borderline unusable on system76 intel graphics + i3
+Section "Device"
+ Identifier "Intel Graphics"
+ Driver "intel"
+ Option "TearFree" "true"
+EndSection
+EOF
+ ;;
+ esac
+ ;;
+ noble)
+ pi xinit
+ ;;
esac
esac
;;
ubuntu)
+ case $codename in
+ noble)
+ if pcheck ubuntu-system-adjustments; then
+ # mint firefox has a dependency which is totally not really
+ # needed, just some mint branding and maybe a random firefox
+ # setting.
+ tmpdir="$(mktemp -d)"
+ # it puts the deb in .., so use a subdir to stay contained
+ mkdir $tmpdir/sub
+ cd "$tmpdir/sub"
+ # edited from output of equivs-control ubuntu-system-adjustments
+ cat >ubuntu-system-adjustments <<'EOF'
+Section: misc
+Priority: optional
+Version: 2030
+Standards-Version: 3.9.2
+Package: ubuntu-system-adjustments
+Description: ubuntu-system-adjustments-dummy
+EOF
+ equivs-build ubuntu-system-adjustments
+ sudo dpkg -i ../ubuntu-system-adjustments_2030_all.deb
+ cd
+ rm -r "$tmpdir"
+ fi
+ ;;
+ esac
pi firefox
;;
debian)
esac
+case $codename_compat in
+ aramo|buster)
+ # https://wiki.archlinux.org/title/bluetooth
+ pi pavucontrol paprefs pulseaudio-module-bluetooth pulsemixer
+ ;;
+ noble|bookworm)
+ pi pipewire-audio
+ # having pipewire installed prevents the recommends in these from installing pulse
+ pi pulsemixer pavucontrol
+ ;;
+esac
+
+
# TODO: some of the X programs can be removed from pall when using wayland
# depends gcc is a way to install suggests. this is apparently the only
# way to install suggests even if the main package is already
# installed. reinstall doesn't work, uninstalling can cause removing
# dependent packages.
+# shellcheck disable=SC2046 # word splitting is intended
pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+## note: this bug doesn't exist in t12+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+if pcheck binfmt-support; then
+ tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+ if [[ $tmp != *systemd-binfmt.service* ]]; then
+ s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+ fi
+fi
# commented, not worth the hassle i think.
#seru enable psd
# esac
-### begin home vpn server setup
-
-
-# # this section done initially to make persistent keys.
-# # Also note, I temporarily set /etc/hosts so my host was
-# # b8.nz when running this, since the vpn client config
-# # generator assumes we need to go to that server to get
-# # server keys.
-# vpn-server-setup -rds
-# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
-# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
-# # kw = kgpe work machine.
-# for host in x2 x3 kw; do
-# vpn-mk-client-cert -b $host -n home b8.nz 1196
-# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
-# mkdir -p $dir
-# s bash -c "cp /etc/openvpn/client/home* $dir"
-# # note: /etc/update-resolv-conf-home also exists for all systems with /p
-# done
-
-# key already exists, so this won't generate one, just the configs.
-# m vpn-server-setup -rds
-# sudo tee -a /etc/openvpn/server/server.conf <<'EOF'
-# push "dhcp-option DNS 10.0.0.1"
-# push "route 10.0.0.0 255.255.0.0"
-# client-connect /a/bin/distro-setup/vpn-client-connect
-# EOF
-# sudo sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
-
-# if [[ $HOSTNAME == tp ]]; then
-# if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
-# vpn_service=openvpn-server@server
-# else
-# vpn_service=openvpn@server
-# fi
-# sgo $vpn_service
-# fi
-### end vpn server setup
-
##### rss2email
if mountpoint /p &>/dev/null; then
# note, see bashrc for more documentation.
sgo openvpn-client@hole
fi
-if [[ $HOSTNAME == frodo ]]; then
- vpn-mk-client-cert -b frodo -n hole iankelling.org
-fi
-
############# begin syncthing setup ###########
case $HOSTNAME in
kd|frodo)
####### begin misc packages ###########
+# old location, 2023.
+sudo rm -fv /etc/systemd/system/profanity.service
+case $HOSTNAME in
+ kd)
+ # i dunno why i put it here
+ ln -sfT /d/p/profanity ~/.local/share/profanity
+ ln -sfT /d/p/profanity-config ~/.config/profanity
+ source /a/bin/bash_unpublished/source-state
+ if [[ $HOSTNAME == "$HOST2" || ! -e /p/profanity-here ]]; then
+ systemctl --user --now enable profanity
+ fi
+ ;;
+ *)
+
+ ln -sfT /p/profanity ~/.local/share/profanity
+ ln -sfT /p/profanity-config ~/.config/profanity
+ ;;
+esac
+
# template
case $codename in
flidas)
# cabal update
# cabal install --upgrade-dependencies --force-reinstalls arbtt
# also, i assume syncing this between machines somehow messed up the data.
-if mountpoint /p &>/dev/null; then
- case $codename in
- etiona|nabia)
- pi arbtt
- # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
- # Failed to connect to bus: No such file or directory
- lnf -T /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
- # allow failure
- seru start arbtt ||:
- ;;
- esac
-fi
+
+## not using arbtt for now
+# if mountpoint /p &>/dev/null; then
+# case $codename in
+# etiona|nabia)
+# pi arbtt
+# # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
+# # Failed to connect to bus: No such file or directory
+# lnf -T /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
+# # allow failure
+# seru start arbtt ||:
+# ;;
+# esac
+# fi
+rm -fv /home/iank/.config/systemd/user/default.target.wants/arbtt.service
m primary-setup
# it asks if it should make users in it's group capture packets without root,
# which is arguably more secure than running wireshark as root. default is no,
# which is what i prefer, since I plan to use tcpdump to input to wireshark.
-s DEBIAN_FRONTEND=noninteractive pi wireshark-gtk
+# note: t10 called this wireshark-gtk, i don't care about t10 anymore.
+s DEBIAN_FRONTEND=noninteractive pi wireshark
# /run and /dev/shm are listed as required for pulseaudio. All 4 in the group
# listed in the default config as suggested.
# /run/usr/1000 i noticed was missing for pulseaudio
# /run/user/0 just seemed like a not bad idea, given the above
+#
+# /root gives us our bashrc, making various things a lot more
+# convenient
tu /etc/schroot/desktop/fstab <<'EOF'
+/root /root none rw,bind 0 0
/p /p none rw,bind 0 0
/a /a none rw,bind 0 0
/run /run none rw,bind 0 0
/run/user/0 /run/user/0 none rw,bind 0 0
EOF
+# todo: consider if this should use the new sysd-prom-fail
sd /etc/systemd/system/schrootupdate.service <<'EOF'
[Unit]
Description=schrootupdate
Description=schrootupdate
[Timer]
-OnCalendar=*-*-* 04:20:00
+OnCalendar=*-*-* 04:20:00 America/New_York
[Install]
WantedBy=timers.target
-# for my roommate
+# for testing firefox specific issues
case $distro in
- trisquel)
- m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/bullseye.list/BULLSEYE_FREE \
- debian bullseye firefox-esr pulseaudio chromium anki
- case $(debian-codename) in
- etiona|nabia)
- # we have a lot of t8 stuff, useful to have
- m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/flidas.list/FLIDAS \
- trisquel flidas
- tu /nocow/schroot/flidas/etc/sudoers <<EOF
-$USER ALL=(ALL) NOPASSWD: ALL
-Defaults env_keep += SUDOD
-Defaults always_set_home
-Defaults !umask
-EOF
- sd /nocow/schroot/flidas//etc/locale.gen <<'EOF'
-en_US.UTF-8 UTF-8
-EOF
- s schroot -c flidas locale-gen
- s schroot -c flidas update-locale LANG=en_US.UTF-8
- ;;
- esac
+ trisquel|ubuntu)
+ m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/bookworm.list/BOOKWORM_FREE \
+ debian bookworm chromium fonts-noto-color-emoji
;;
debian)
- pi chromium
+ # fonts are for emojis, which tend to get used as buttons on the web.
+ pi chromium fonts-noto-color-emoji
;;
esac
;;
esac
-mkdir -p $tdir
+sudo mkdir -p $tdir
# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
# 450 seems likely to be unused. we need to specify one or else
f=$tdir/transmission-daemon
for d in $tdir/partial-torrents $tdir/torrents $f; do
if [[ ! -d $d ]]; then
- mkdir $d
+ sudo mkdir -p $d
fi
sudo chown -R debian-transmission:user2 $d
done
#
# Changed the cache-size to 256 mb, reduces disk use.
# It is a read & write cache.
-sudo ruby <<EOF
+#
+# just fyi: default rpc port is 9091
+if ! systemctl is-active transmission-daemon-nn &>/dev/null && \
+ ! systemctl is-active transmission-daemon; then
+ tmp=$(mktemp)
+ command sudo ruby <<EOF >$tmp
require 'json'
p = '/etc/transmission-daemon/settings.json'
-File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
-'rpc-whitelist-enabled' => false,
-'rpc-authentication-required' => false,
-'incomplete-dir' => '$tdir/partial-torrents',
-'incomplete-dir-enabled' => true,
-'download-dir' => '$tdir/torrents',
-"speed-limit-up" => 800,
-"speed-limit-up-enabled" => true,
-"peer-port" => 61486,
-"cache-size-mb" => 256,
-"ratio-limit" => 5.0,
-"ratio-limit-enabled" => false,
-})) + "\n")
+s = {
+ 'rpc-whitelist-enabled' => false,
+ 'rpc-authentication-required' => false,
+ 'incomplete-dir' => '$tdir/partial-torrents',
+ 'incomplete-dir-enabled' => true,
+ 'download-dir' => '$tdir/torrents',
+ "speed-limit-up" => 800,
+ "speed-limit-up-enabled" => true,
+ "peer-port" => 61486,
+ "cache-size-mb" => 256,
+ "ratio-limit" => 5.0,
+ "ratio-limit-enabled" => false,
+}
+puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge(s)))
EOF
+ cat $tmp | sudo dd of=/etc/transmission-daemon/settings.json
+
+fi
####### end transmission
######### begin transmission client setup ######
+# to connect from a remote client, trans-remote-route in brc2
+
+
if [[ -e /p/transmission-rpc-pass ]]; then
# arch had a default config,
# debian had nothing until you start it.
"profiles" : [
{
"profile-name" : "Default",
- "hostname" : "10.173.0.2",
+ "hostname" : "10.174.2.2",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
# general known for debian/ubuntu, not for fedora
m /a/bin/buildscripts/go
+# only needed for rg. cargo takes up 11 gigs, filled up the disk on je.
m /a/bin/buildscripts/rust
m /a/bin/buildscripts/misc
-m /a/bin/buildscripts/pithosfly
+
+#m /a/bin/buildscripts/pithosfly
#m /a/bin/buildscripts/alacritty
-m /a/bin/buildscripts/kitty
+#m /a/bin/buildscripts/kitty
pi-nostart virtinst virt-manager
soff libvirtd
pi --no-install-recommends kdeconnect
-### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
-### but gnome + xmonad not working in flidas, so i disabled it
-# pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus libappindicator3-dev
-# cd /a/opt/indicator-kdeconnect
-# mkdir -p build
-# cd build
-# cmake .. -DCMAKE_INSTALL_PREFIX=/usr
-# make
-# sudo make install
-# # we can start it manually with /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
-# # it seems, according to
-# # /etc/xdg/autostart/kdeconnectd.desktop
-# # I'm not seeing the icon, but the clipboard replication is working
-
-
-### model 01 arduino support ###
+
+
+### begin model 01 arduino support ###
# https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
# also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
# set arduino var in bashrc,
# have system config file setup too.
sudo adduser $USER dialout
+# as of 2022-05,
+# download arduino ide, extract in /a/opt, ignore the install script, run ./arduino,
+# toolbar, preferences, add board manager url:
+# https://raw.githubusercontent.com/keyboardio/boardsmanager/master/package_keyboardio_index.json
+# toolbar, board manager, add keyboardio
+# toolbar, select model01 board
+# toolbar, examples, model01, compile
+
+###
+
# this is for the mail command too. update-alternatives is kind of misleading
# since at least it's main commands pretend mail does not exist.
# bsd's mail got pulled in on some dumb dependency, i dunno how.
########### misc stuff
-if [[ $HOSTNAME != frodo ]]; then
- # remove. i moved this into dns
- echo | s cedit hole /etc/hosts ||:
-fi
-if [[ ! -e ~/.local/bin/pip ]]; then
- tmp=$(mktemp)
- wget -O$tmp https://bootstrap.pypa.io/get-pip.py
- python3 $tmp --user
- hash -r
-fi
+# see current with:
+# xdg-settings get default-web-browser
+# not sure this is needed.
+#
+# These are some old files that made xdg-open open firefox from a chroot.
+rm -f ~/.local/share/applications/{firefox,chromium}*
+case $distro in
+ trisquel)
+ xdg-settings set default-web-browser abrowser.desktop
+ ;;
+ ubuntu)
+ xdg-settings set default-web-browser firefox.desktop
+ ;;
+esac
+
+
+# pressing tab after sdf here:
+# scp sdfbash: set +o noglob: command not found
+# in t11, bash 5.1.16. this fixes it.
+sudo sed -ri 's/([[:space:]]*)(\$reset)$/\1set +o noglob #$reset/' /usr/share/bash-completion/bash_completion
+
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
+
+# apparently pip is deprecated in debian. try venv or pipx.
+## begin u24 message upon pip install
+# If you wish to install a non-Debian-packaged Python package,
+# create a virtual environment using python3 -m venv path/to/venv.
+# Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
+# sure you have python3-full installed.
+
+# If you wish to install a non-Debian packaged Python application,
+# it may be easiest to use pipx install xyz, which will manage a
+# virtual environment for you. Make sure you have pipx installed.
+
+# See /usr/share/doc/python3.12/README.venv for more information.
+## end
+
+# if [[ ! -e ~/.local/bin/pip ]]; then
+# tmp=$(mktemp)
+# wget -O$tmp https://bootstrap.pypa.io/get-pip.py
+# python3 $tmp --user
+# hash -r
+# fi
+
+
+## begin beets
+# soo, apt install beets fails due to wanting a pip package,
+# we find out why it wants this through
+# apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances beets | less
+# python-mediafile requires tox, which requires virtualenv, which requires pip.
+# but, python-mediafile doesn't really require tox, it is specified in
+# ./usr/lib/python3/dist-packages/mediafile-0.9.0.dist-info/METADATA
+# as being required only for testing, but the debian package
+# included it anyways, due to a mistake or bad tooling or something.
+# I don't plan to use tox, so, according to https://serverfault.com/a/251091,
+# we can create and install a dummy package by:
+#
+# "equivs-control <name>, edit the file produced to provide the right
+# dependency and have a nice name, then run equivs-build <name> and
+# finally dpkg -i the resulting .deb file"
+# as of 2023-02, the tox dependency was removed in debian unstable, so
+# this hack will probably go away in t12.
+
+case $(debian-codename) in
+ aramo)
+ if pcheck tox; then
+ tmpdir="$(mktemp -d)"
+ cd "$tmpdir"
+ # edited from output of equivs-control tox
+ cat >tox <<'EOF'
+Section: python
+Priority: optional
+Standards-Version: 3.9.2
+Package: tox
+Description: tox-dummy
+EOF
+ equivs-build tox
+ sudo dpkg -i tox_1.0_all.deb
+ rm -rf ./tox*
+ pi beets
+ cd
+ rm -r "$tmpdir"
+ fi
+ ;;
+esac
+# get rid of annoying message
+s sed -ri "s/^([[:space:]]*ui.print_\('Playing)/#\1/" /usr/share/beets/beetsplug/play.py
+
+
+# notes about barrier
+# run barrier, do the gui config,
+# setup the 2 screens, using hostnames for the new screen.
+# save the server config
+# $HOME/.local/share/barrier/.barrier.conf
+# per the man page.
+#
+# ssl errors, resolved via advice here: https://github.com/debauchee/barrier/issues/231
+# BARRIER_SSL_PATH=~/.local/share/barrier/SSL/
+# mkdir -p "${BARRIER_SSL_PATH}"
+# openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ${BARRIER_SSL_PATH}/Barrier.pem -out ${BARRIER_SSL_PATH}/Barrier.pem
+# ran on both machines.
+# When pressing start in the gui, the cli options used are printed to the console,
+# they are useful. So on server, just run barriers, client run barrierc SERVER_IP
### begin timetrap setup
if mountpoint /p &>/dev/null; then
pi desktop-file-utils
m /a/bin/distro-setup/mymimes
-
-sgo dynamicipupdate.timer
-
-
-# stop autopoping windows when i plug in an android phone.
-# dbus-launch makes this work within an ssh connection, otherwise you get this message,
-# with still 0 exit code.
-# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
-m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
-
+if type -p dbus-launch >/dev/null; then
+ # stop autopoping windows when i plug in an android phone.
+ # dbus-launch makes this work within an ssh connection, otherwise you get this message,
+ # with still 0 exit code.
+ # dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
+ m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
+fi
# on grub upgrade, we get prompts unless we do this
devs=()
grub-pc grub-pc/install_devices multiselect ${devs[*]}
EOF
-# btrfs maintenance
-sgo btrfsmaint.timer
-sgo btrfsmaintstop.timer
-sgo systemstatus.timer
+sysd-prom-fail-install dynamicipupdate
+sysd-prom-fail-install systemstatus
+sysd-prom-fail-install btrfsmaintstop
+sgo btrfsmaint.timer
+sgo btrfsmaintstop
+sgo systemstatus
+sgo dynamicipupdate
if grep -xFq $HOSTNAME /a/bin/ds/machine_specific/btrbk.hosts; then
sgo btrbk.timer
fi
-# note: to see when it was last run,
+
+# note: to see when a timer was last run,
# ser list-timers
+
+### begin ansible
+
+## commented because fsf relies on using an old ansible for now.
+# if [[ ! -e /etc/apt/sources.list.d/ansible-ubuntu-ansible-$codename_compat.sources ]]; then
+# s add-apt-repository --yes --update ppa:ansible/ansible
+# pi ansible
+# fi
+
+### end ansible
+
+### begin prometheus ###
+
case $HOSTNAME in
kd)
- sgo btrbkrust.timer
+ # Font awesome is needed for the alertmanager ui.
+ pi prometheus-alertmanager prometheus fonts-font-awesome
+ /a/f/ans/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus
+
+ # make it available for other machines
+ rsync -a /usr/local/bin/amtool /a/opt/bin
+ web-conf -p 9091 -f 9090 - apache2 b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
+ web-conf -p 9094 -f 9093 - apache2 b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
+ # by default, the alertmanager web ui is not enabled other than a page
+ # that suggests to use the amtool cli. that tool is good, but you cant
+ # silence things nearly as easily as with the gui.
+ if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
+ # default script didnt work, required some changes to get elm 19.1,
+ # which is a dependency of the latest alertmanager. I modified
+ # and copied it into /b/ds. In future, might need some other
+ # solution.
+ #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+ sudo /b/ds/generate-ui.sh
+ ser restart prometheus-alertmanager
+ fi
+
+ s /a/f/ans/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
+ for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do
+ sysd-prom-fail-install $ser
+ done
+
+ ;;
+ *)
+ s /a/f/ans/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter
+ ;;
+esac
+
+# user specific file isn't installed until the user exists
+if [[ ! -e /etc/prometheus/ssl/prom_node_key.pem ]]; then
+ conflink
+fi
+
+
+case $HOSTNAME in
+ # todo, for limiting node exporter http,
+ # either use iptables or, in
+ # /etc/default/prometheus-node-exporter
+ # listen on the wireguard interface
+
+ *)
+ if [[ -e /etc/wireguard/wghole.conf ]]; then
+ wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+ # old filename. remove once all hosts are updated.
+ s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+ s bash -x web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-export-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-export-htpasswd"
+Require valid-user
+</Location>
+EOF
+ # For work, i think we will just use the firewall for hosts in the main data center, and
+ # vpn for hosts outside it.
+
+ # TODO: figure out how to detect the ping failure and try again.
+
+ # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
+ s mkdir /etc/systemd/system/apache2.service.d
+ sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
+[Unit]
+After=wg-quick@wghole.service
+StartLimitIntervalSec=0
+
+[Service]
+Restart=always
+RestartSec=30
+EOF
+
+ fi
;;
esac
+### end prometheus ###
+
+# disabled
+# ### begin bitcoin ###
+
+# case $HOSTNAME in
+# sy|kd|so)
+# sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-27.0/bin/*
+# # Note: i leave it to system-status to start and stop bitcoin.
+# # note: the bitcoin user & group are setup in fai
+# sudo usermod -a -G bitcoin iank
+# # todo: make bitcoin have a stable uid/gid
+# sudo mkdir -p /var/lib/bitcoind
+# sudo chown bitcoin:bitcoin /var/lib/bitcoind
+# # 710 comes from the upstream bitcoin unit file
+# sudo chmod 710 /var/lib/bitcoind
+# # note, there exists
+# # /a/bin/ds/disabled/bitcoin
+# ;;
+# esac
+
+# ### end bitcoin
+
+### begin live streaming ###
+
+# comparing nginx rtmp to icecast
+# `mpv --cache=no` had about 2.5 sec latency vs 4 seconds.
+# Then I discovered this command which had about .5 sec latency:
+#ffplay -f live_flv -fast -x 1280 -y 720 -fflags nobuffer -flags low_delay -strict experimental -vf "setpts=N/60/TB" -af "asetpts=N/60/TB" -noframedrop -i rtmp://url_here
+## a lot of those args arent needed, here is what I ended up with:
+# #ffplay -f live_flv -fflags nobuffer -flags low_delay -i rtmp://localhost/live
+#
+# A problem with rtmp is that it doesn't support vp8/vp9, requiring the partly patent encumbered h264.
+# Looking at alternative protocols: dash & hls are both high latency, I tested dash with the nginx-rtmp
+# module and got about 5 seconds of latency, web results imply that is normal.
+#
+# Webrtc is what jitsi & bbb use, but an annoying thing is that
+# generally requires a web browser with javascript, or some special
+# client, and afaik, it has a smaller limit on number of clients.
+#
+# Another option is to try rtp/rtsp, there are some servers here:
+# https://en.wikipedia.org/wiki/Real-Time_Streaming_Protocol
+
+
+## reference for setting up rtmp
+# pi nginx libnginx-mod-rtmp
+# cat >/etc/nginx/modules-enabled/rtmp.conf <<'EOF'
+## based on https://opensource.com/article/19/1/basic-live-video-streaming-server#comments
+## and https://github.com/arut/nginx-rtmp-module/wiki/Directives
+
+# rtmp {
+# allow publish 127.0.0.1;
+# deny publish all;
+# server {
+# listen 1935;
+# application live {
+# live on;
+# record off;
+# }
+# }
+# }
+# EOF
+
+### end live streaming ###
+
+### begin gh ####
+
+# from https://raw.githubusercontent.com/cli/cli/trunk/docs/install_linux.md
+# One time setup afterwards:
+# gh auth login
+#
+# When it gets to the page where it asks to authorize github, the button
+# is grayed out. You can just open browser dev tools, inspect the
+# button, remove disabled="", then click it and it works.
+#
+# Auth token gets saved into /p/c/subdir_files/.local/share/keyrings/
+#
+# initial config goes to /home/iank/.config/gh
+curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+ && sudo apt update \
+ && sudo apt install gh -y
+
+### end gh ####
+
+
+##### begin docker install
+if ! pcheck "$@"; then
+ # https://docs.docker.com/engine/install/ubuntu/
+ # Add Docker's official GPG key:
+ sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+ sudo chmod a+r /etc/apt/keyrings/docker.asc
+
+ # Add the repository to Apt sources:
+ echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+ $(debian-codename-compat) stable" | \
+ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+ p update
+
+
+ # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless
+ # we really need it.
+ pi-nostart docker-ce
+
+fi
+##### end docker install #####
+
+# remove trisquel banner. it is cool but takes up too much space.
+sudo rm -f /etc/update-motd.d/01-banner
+
+case $HOSTNAME in
+ kw|x3)
+ sd /etc/cups/client.conf <<'EOF'
+ServerName printserver1.office.fsf.org
+EOF
+ ;;
+esac
+
+
end_msg <<'EOF'
In mate settings settings, change scrolling to two-finger,
because the default edge scroll doesn\'t work. Originally found this in debian.
pi tor
m /a/bin/buildscripts/tor-browser
# one root command needed to install
-s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin
+s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin
+case $HOSTNAME in
+ kd)
+ web-conf -p 4500 -f 4533 -e ian@iankelling.org apache2 b8.nz
+ sgo navidrome
+ ;;
+esac
+
# nfs server
pi-nostart nfs-kernel-server
+# todo, this is old, probably needs removing
if [[ $HOSTNAME == tp ]]; then
sd /etc/wireguard/wg0.conf <<EOF
[Interface]
sudo exportfs -rav
fi
+case $codename_compat in
+ noble)
+ # this fails on startup. i don't use resolvconf, so it is totally pointless.
+ soff unbound-resolvconf.service
+ ;;
+esac
+
+hiup
# if I was going to create a persistent vm, i might do it like this:
# variant=something # from: virt-install --os-variant list