+ arch) sgo atd ;;
+esac
+
+
+case $distro in
+ arch) sgo ntpd ;;
+esac
+
+
+# no equivalent in other distros:
+if isdeb && ! dpkg -s -- "$@" | grep -Fx "Status: install ok installed" &> /dev/null; then
+ # this condition is just a speed optimization
+ pi apt-file
+ s apt-file update
+fi
+
+
+# disable motd junk.
+case $distro in
+ debian)
+ # allows me to pipe with ssh -t, and gets rid of spam
+ # http://forums.debian.net/viewtopic.php?f=5&t=85822
+ # i'd rather disable the service than comment the init file
+ # this says disabling the service, it will still get restarted
+ # but this script doesn't do anything on restart, so it should be fine
+ s dd of=/var/run/motd.dynamic if=/dev/null
+ ;;
+ trisquel|ubuntu)
+ # this isn't a complete solution. It still shows me when updates are available,
+ # but it's no big deal.
+ s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
+ ;;
+esac
+
+
+### begin docker install ####
+if isdeb; then
+ # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+ pi software-properties-common apt-transport-https
+ curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
+ url=https://download.docker.com/linux/$(distro-name-compat)
+ l="deb [arch=amd64] $url $codename_compat stable"
+
+ if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
+ sudo add-apt-repository "$l"
+ p update
+ fi
+ # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless
+ # we really need it.
+ pi-nostart docker-ce
+ # and docker is even more crap, it ignores that it shouldnt start
+ ser stop docker
+ ser disable docker
+ case $HOSTNAME in
+ li|lj) sgo docker ;;
+ esac
+fi
+### end docker install ####
+
+
+
+### begin certbot install ###
+if [[ $distro == debian ]]; then
+ # note, need python-certbot-nginx for nginx, but it depends on nginx,
+ # and I'm not installing nginx by default right now.
+ pi certbot python-certbot-apache
+elif [[ $codename_compat == xenial ]]; then
+ # not packaged in xenial or flidas
+ pi software-properties-common
+ l="deb http://ppa.launchpad.net/certbot/certbot/ubuntu xenial main"
+ if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
+ s add-apt-repository -y ppa:certbot/certbot ||:
+ p update
+ fi
+ pi python-certbot-apache
+else
+ die "distro unknown for certbot"
+fi
+# make a version of the certbot timer that emails me.
+x=/systemd/system/certbot
+$sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
+s,^Description.*,\0 mail version,
+EOF
+$sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
+s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
+EOF
+ser daemon-reload
+sgo certbotmail.timer
+### end certbot install ###
+
+
+# dogcam setup. not using atm
+# case $HOSTNAME in
+# lj|li)
+# /a/bin/webcam/install-server
+# ;;
+# kw)
+# /a/bin/webcam/install-client
+# ;;
+# esac
+
+pi ${p1[@]}
+
+##### begin automatic upgrades ####
+
+s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
+# this file was mostly just comments.
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+EOF
+
+s dd of=/etc/apt/apt.conf.d/50unattended-upgrades <<EOF
+# fyi: default file has comments about available options,
+# you may want to read that.
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailOnlyOnError "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Origins-Pattern {
+ # default is just security updates.
+ "origin=*";
+};
+EOF
+
+# Setup reboots when running outdated stuff, unattended upgrades happen
+# at 6 am + rand(60 min).
+/usr/local/bin/log-once checkrestart
+
+# old names, too verbose
+s rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattended-reboot
+
+s dd of=/etc/cron.d/myupgrade <<'EOF'
+20 7 * * * root /usr/local/bin/myupgrade | /usr/local/bin/log-once -1 myupgrade
+0 * * * * root /usr/local/bin/mycheckrestart | /usr/local/bin/log-once -1 mycheckrestart
+EOF
+##### end automatic upgrades ####
+
+# office is not exposed to internet yet
+if [[ $(hostname -f) != *.office.fsf.org ]]; then
+ ## prometheus node exporter setup
+ web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
+#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
+# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
+<Location />
+ AllowOverride None
+ AuthType basic
+ AuthName "Authentication Required"
+ # setup one time, with root:www-data, 640
+ AuthUserFile "/etc/prometheus-htpasswd"
+ Require valid-user
+</Location>
+EOF
+fi
+
+# website setup
+case $HOSTNAME in
+ lj|li)
+ case $HOSTNAME in
+ lj) domain=iank.bid; exit 0 ;;
+ li) domain=iankelling.org ;;
+ esac
+ /a/h/setup.sh $domain
+ /a/h/build.rb
+
+ sudo -E /a/bin/mediawiki-setup/mw-setup-script
+
+ pi-nostart mumble-server
+ s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
+
+ # do certificate to avoid warning about unsigned cert,
+ # which is overkill for my use, but hey, I'm cool, I know
+ # how to do this.
+ web-conf apache2 mumble.iankelling.org
+ s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
+
+ sgo mumble-server
+
+ vpn-server-setup -rd
+ s tee /etc/openvpn/client-config/mail <<'EOF'
+ifconfig-push 10.8.0.4 255.255.255.0
+EOF
+
+ # it\'s strange. docker seems to make the default for forward
+ # be drop, but then I set it to accept and it\'s stuck that way,
+ # I dun know why. But, let\'s make sure we can forward anyways.
+ s DEBIAN_FRONTEND=noninteractive pi iptables-persistent
+ rm /etc/iptables/rules.v6
+ s tee /etc/iptables/rules.v4 <<'EOF'
+*filter
+-A FORWARD -i tun+ -o eth0 -j ACCEPT
+-A FORWARD -i eth0 -o tun+ -j ACCEPT
+COMMIT
+EOF
+
+
+ sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
+[Unit]
+Description=Turns on iptables mail nat
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/a/bin/distro-setup/vpn-mail-forward start
+ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
+
+[Install]
+WantedBy=openvpn.service
+EOF
+ ser daemon-reload
+ ser enable vpnmail.service
+ # needed for li's local mail delivery.
+ tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
+ if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+ vpn_service=openvpn-server@server
+ else
+ vpn_service=openvpn@server
+ fi
+ sgo $vpn_service
+ # setup let's encrypt cert
+ web-conf apache2 mail.iankelling.org
+ s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
+ ser reload apache2
+
+ domain=cal.iankelling.org
+ web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
+#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
+# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
+ <Location />
+ Options +FollowSymLinks +Multiviews +Indexes
+ AllowOverride None
+ AuthType basic
+ AuthName "Authentication Required"
+ # setup one time, with root:www-data, 640
+ AuthUserFile "/etc/caldav-htpasswd"
+ Require valid-user
+ </Location>
+EOF
+ # nginx version of above would be:
+ # auth_basic "Not currently available";
+ # auth_basic_user_file /etc/nginx/caldav/htpasswd;
+
+
+ ########## begin pump.io setup ##########
+
+ # once pump adds a logrotation script, turn off nologger,
+ # and add
+ # "logfile": "/var/log/pumpio/pumpio.log",
+ #
+ s dd of=/etc/pump.io.json <<'EOF'
+{
+ "secret": "SECRET_REPLACE_ME",
+ "driver": "mongodb",
+ "params": { "dbname": "pumpio" },
+ "noweb": false,
+ "site": "pump.iankelling.org",
+ "owner": "Ian Kelling",
+ "ownerURL": "https://iankelling.org/",
+ "port": 8001,
+ "urlPort": 443,
+ "hostname": "pump.iankelling.org",
+ "nologger": true,
+ "datadir": "/home/pumpio/pumpdata",
+ "enableUploads": true,
+ "debugClient": false,
+ "disableRegistration": true,
+ "noCDN": true,
+ "key": "/home/pumpio/privkey.pem",
+ "cert": "/home/pumpio/fullchain.pem",
+ "address": "localhost",
+ "sockjs": false
+}
+EOF
+ s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
+
+ # stretch node is too old
+ # https://nodejs.org/en/download/package-manager/
+ curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
+ pi nodejs graphicsmagick mongodb
+ cd /home/iank
+ if [[ -e pump.io ]]; then
+ cd pump.io
+ git pull
+ else
+ git clone https://github.com/pump-io/pump.io.git
+ cd pump.io
+ fi
+ # note: these 2 commands seem
+ # note: doing this or the npm install pump.io as root had problems.
+ npm install
+ npm run build
+ # normally, next command would be
+ # s npm install -g odb
+ # but it\'s this until a bug in pump gets fixed
+ # https://github.com/pump-io/pump.io/issues/1287
+ s npm install -g databank-mongodb@0.19.2
+ if ! getent passwd pumpio &>/dev/null; then
+ s useradd -Um -s /bin/false pumpio
+ fi
+ sudo -u pumpio mkdir -p /home/pumpio/pumpdata
+ # for testing browser when only listening to localhost,
+ # in the pump.io.json, set hostname localhost, urlPort 5233
+ #ssh -L 5233:localhost:5233 li
+
+ s mkdir -p /var/log/pumpio/
+ s chown pumpio:pumpio /var/log/pumpio/
+
+ web-conf - apache2 pump.iankelling.org <<'EOF'
+# currently a bug in pump that we cant terminate ssl
+ SSLProxyEngine On
+ ProxyPreserveHost On
+ ProxyPass / https://127.0.0.1:8001/
+ ProxyPassReverse / https://127.0.0.1:8001/
+ # i have sockjs disabled per people suggesting that
+ # it won\'t work with apache right now.
+ # not sure if it would work with this,
+ # but afaik, this is pointless atm.
+ <Location /main/realtime/sockjs/>
+ ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
+ ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
+ </Location>
+EOF
+
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
+
+ s dd of=/etc/systemd/system/pump.service <<'EOF'
+[Unit]
+Description=pump.io
+After=syslog.target network.target mongodb.service
+Requires=mongodb.service
+
+[Service]
+Type=simple
+User=pumpio
+Group=pumpio
+ExecStart=/home/iank/pump.io/bin/pump
+Environment=NODE_ENV=production
+# failed to find databank-mongodb without this.
+# I just looked at my environment variables took a guess.
+Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ ser daemon-reload
+ sgo pump
+ ########## end pump.io setup ############
+
+
+ ############# begin setup mastodon ##############
+
+ # main doc is Docker-Guide.md in docs repo
+
+ # I'd like to try gnu social just cuz of gnu, but it's not being
+ # well maintained, for example, simple pull requests
+ # languishing:
+ # https://git.gnu.io/gnu/gnu-social/merge_requests/143
+ # and I submitted my own bugs, basic docs are broken
+ # https://git.gnu.io/gnu/gnu-social/issues/269
+
+ # note, docker required, but we installed it earlier
+
+ # i subscrubed to https://github.com/docker/compose/releases.atom
+ # to see release notes.
+ # i had some problems upgrading. blew things away with
+ # docker-compose down
+ # docker rmi $(docker images -q)
+ # s reboot now
+ # when running docker-compose run, kernel stack traces are printed to the journal.
+ # things seem to succeed, google says nothing, so ignoring them.
+ curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-$(uname -s)-$(uname -m) | s dd of=/usr/local/bin/docker-compose
+ s chmod +x /usr/local/bin/docker-compose
+
+
+ cd ~
+ s rm -rf mastodon
+ i clone https://github.com/tootsuite/mastodon
+ cd mastodon
+ # subbed to atom feed to deal with updates
+ git checkout $(git tag | grep -v rc | tail -n1)
+
+ # per instructions, uncomment redis/postgres persistence in docker-compose.yml
+ sed -i 's/^#//' docker-compose.yml
+
+ cat >.env.production <<'EOF'
+REDIS_HOST=redis
+REDIS_PORT=6379
+DB_HOST=db
+DB_USER=postgres
+DB_NAME=postgres
+DB_PASS=
+DB_PORT=5432
+
+LOCAL_DOMAIN=mast.iankelling.org
+LOCAL_HTTPS=true
+
+SINGLE_USER_MODE=true
+
+SMTP_SERVER=mail.iankelling.org
+SMTP_PORT=25
+SMTP_LOGIN=li
+SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
+SMTP_DOMAIN=mast.iankelling.org
+SMTP_DELIVERY_METHOD=smtp
+EOF
+
+ for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
+ # 1 minute 7 seconds to run this docker command
+ # to generate a secret, and it has ^M chars at the end. wtf. really dumb
+ printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production
+ done
+ found=false
+ while read -r domain _ pass; do
+ if [[ $domain == mail.iankelling.org ]]; then
+ found=true
+ # remove the username part
+ pass="${pass#*:}"
+ printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production
+ break
+ fi
+ done < <(s cat /etc/mailpass)
+ if ! $found; then
+ echo "$0: error, failed to find mailpass domain for mastadon"
+ exit 1
+ fi
+
+ # docker compose makes an interface named like br-8f3e208558f2. we need mail to
+ # get routed to us.
+ if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then
+ s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25
+ fi
+
+ docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production
+ logq docker-compose run --rm web rake db:migrate
+ docker-compose run --rm web rails assets:precompile
+
+ # avatar failed to upload, did
+ # docker logs mastodon_web_1
+ # google lead me to this
+ s chown -R 991:991 public/system
+
+ # docker daemon takes care of starting on boot.
+ docker-compose up -d
+
+ s a2enmod proxy_wstunnel headers
+ web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto "https"
+ ProxyPass /500.html !
+ ProxyPass /oops.png !
+ ProxyPass /api/v1/streaming/ ws://localhost:4000/
+ ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
+ ErrorDocument 500 /500.html
+ ErrorDocument 501 /500.html
+ ErrorDocument 502 /500.html
+ ErrorDocument 503 /500.html
+ ErrorDocument 504 /500.html
+EOF
+
+
+ ############### !!!!!!!!!!!!!!!!!
+ ############### manual steps:
+
+ # only following a few people atm, so not bothering to figure out backups
+ # when mastodon has not documented it at all.
+ #
+ # fsf@status.fsf.org
+ # cwebber@toot.cat
+ # dbd@status.fsf.org
+ # johns@status.fsf.org
+
+ # sign in page is at https://mast.iankelling.org/auth/sign_in
+ # register as iank, then
+ # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
+ # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
+
+ ############# end setup mastodon ##############
+
+ # we use nsupdate to update the ip of home
+ pi bind9
+
+ pi znc
+ # znc config generated by doing
+ # znc --makeconf
+ # selected port is also used in erc config
+ # comma separated channel list worked.
+ # while figuring things out, running znc -D for debug in foreground.
+ # to exit and save config:
+ # /msg *status shutdown
+ # configed auth on freenode by following
+ # https://wiki.znc.in/Sasl:
+ # /msg *sasl RequireAuth yes
+ # /msg *sasl Mechanism PLAIN
+ # /msg *sasl Set ident_name password
+ # created the system service after, and had to do
+ # mv /home/iank/.znc/* /var/lib/znc
+ # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
+ # and made a copy of the config files into /p/c
+ # /msg *status LoadMod --type=global log -sanitize
+ # to get into the web interface,
+ # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
+ # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
+ # https://iankelling.org:12533/
+ # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
+ # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
+ # /msg *status LoadMod --type=network perform
+ # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
+ # /msg *perform add JOIN #fsf-office
+ #
+ # i set Buffer = 500
+ # also ran /znc LoadMod clearbufferonmsg
+ # it would be nice if erc supported erc query buffers by doing
+ # /msg *status clearbuffer <name of the query/receiver
+ # on killing the,
+ # an example seems to be here: https://github.com/zenspider/elisp/blob/master/rwd-irc.el
+ # if that was the case i could remove the module clearbufferonmsg
+ # alo would be nice if erc supported
+ # https://wiki.znc.in/self-message
+ # https://wiki.znc.in/Query_buffers \
+ #
+ s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
+ chmod 700 /var/lib/znc
+ s chown -R znc:znc /var/lib/znc
+ s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF'
+[Unit]
+Description=ZNC, an advanced IRC bouncer
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
+User=znc
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ ser daemon-reload
+ sgo znc
+
+ echo "$0: $(date): ending now)"
+ exit 0
+ ;;
+esac
+
+########### end section including li/lj ###############
+
+
+case $(debian-codename) in
+ # needed for debootstrap scripts for fai since fai requires debian
+ flidas)
+ curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
+ s dd of=/etc/apt/preferences.d/flidas-xenial <<EOF
+Package: *
+Pin: release a=xenial
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-security
+Pin-Priority: -100
+EOF
+ s dd of=/etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ xenial main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
+EOF
+
+ s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+ s dd of=/etc/apt/preferences.d/flidas-bionic <<EOF
+Package: *
+Pin: release a=bionic
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-security
+Pin-Priority: -100
+EOF
+
+ # better to run btrfs-progs which matches our kernel version
+ # (note, renamed from btrfs-tools)
+ s dd of=/etc/apt/preferences.d/btrfs-progs <<EOF
+Package: btrfs-progs libzstd1
+Pin: release a=bionic
+Pin-Priority: 1005
+
+Package: btrfs-progs libzstd1
+Pin: release a=bionic-updates
+Pin-Priority: 1005
+
+Package: btrfs-progs libzstd1
+Pin: release a=bionic-security
+Pin-Priority: 1005
+EOF
+
+
+ t=$(mktemp)
+ cat >$t <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
+EOF
+ f=/etc/apt/sources.list.d/bionic.list
+ if ! diff -q $t $f; then
+ s cp $t $f
+ s chmod 644 $f
+ p update
+ fi
+
+ # no special reason, but its better for btrfs-progs to
+ # be closer to our kernel version
+ pi btrfs-progs
+
+ t=$(mktemp -d)
+ cd $t
+ aptitude download debootstrap/xenial
+ ex ./*
+ s cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+
+ s dd of=/etc/apt/preferences.d/flidas-etiona <<EOF
+Package: *
+Pin: release a=etiona
+Pin-Priority: -100
+
+Package: *
+Pin: release a=etiona-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=etiona-security
+Pin-Priority: -100
+
+Package: *
+Pin: release a=etiona-backports
+Pin-Priority: -100
+EOF
+
+ t=$(mktemp)
+ cat >$t <<EOF
+deb http://mirror.fsf.org/trisquel/ etiona main
+deb http://mirror.fsf.org/trisquel/ etiona-updates main
+deb http://archive.trisquel.info/trisquel/ etiona-security main
+deb http://mirror.fsf.org/trisquel/ etiona-backports main
+EOF
+ f=/etc/apt/sources.list.d/etiona.list
+ if ! diff -q $t $f; then
+ s cp $t $f
+ s chmod 644 $f
+ p update
+ fi
+
+ s dd of=/etc/apt/preferences.d/debian-goodies <<EOF
+Package: debian-goodies
+Pin: release n=buster
+Pin-Priority: 1005
+EOF
+
+
+ s dd of=/etc/apt/preferences.d/flidas-buster <<EOF
+Package: *
+Pin: release n=buster
+Pin-Priority: -100
+EOF
+
+ # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
+ s dd of=/etc/apt/apt.conf.d/01iank <<'EOF'
+Acquire::AllowInsecureRepositories "true";
+EOF
+
+ t=$(mktemp)
+ cat >$t <<EOF
+deb http://http.us.debian.org/debian buster main
+deb-src http://http.us.debian.org/debian buster main
+
+deb http://security.debian.org/ buster/updates main
+deb-src http://security.debian.org/ buster/updates main
+
+deb http://http.us.debian.org/debian buster-updates main
+deb-src http://http.us.debian.org/debian buster-updates main
+EOF
+ f=/etc/apt/sources.list.d/buster.list
+ if ! diff -q $t $f; then
+ s cp $t $f
+ s chmod 644 $f
+ p update
+ fi
+
+ # newer version needed for false positive in checkrestart
+ p install -y --allow-unauthenticated debian-goodies
+
+ s dd of=/etc/apt/preferences.d/shellcheck <<EOF
+Package: shellcheck
+Pin: release a=etiona
+Pin-Priority: 1005
+
+Package: shellcheck
+Pin: release a=etiona-updates
+Pin-Priority: 1005
+
+Package: shellcheck
+Pin: release a=etiona-security
+Pin-Priority: 1005
+EOF
+
+
+ ;;
+esac
+
+
+# TODO: some of the X programs can be removed from pall when using wayland
+
+# depends gcc is a way to install suggests. this is apparently the only
+# way to install suggests even if the main package is already
+# installed. reinstall doesn't work, uninstalling can cause removing
+# dependent packages.
+pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $(apt-cache depends gcc|grep -i suggests:| awk '{print $2}') $($src/distro-pkgs)
+
+if ! type pip; then
+ x=$(mktemp)
+ wget -O$x https://bootstrap.pypa.io/get-pip.py
+ python3 $x --user
+fi
+
+sgo fsf-vpn-dns-cleanup
+
+
+# website is dead june 14 2019
+s rm -f /etc/apt/sources.list.d/iridium-browser.list
+# case $distro in
+# debian)
+# pi chromium ;;
+# trisquel|ubuntu)
+# wget -qO - https://downloads.iridiumbrowser.de/ubuntu/iridium-release-sign-01.pub|sudo apt-key add -
+# t=$(mktemp)
+# cat >$t <<EOF
+# deb [arch=amd64] https://downloads.iridiumbrowser.de/deb/ stable main
+# #deb-src https://downloads.iridiumbrowser.de/deb/ stable main
+# EOF
+# f=/etc/apt/sources.list.d/iridium-browser.list
+# if ! diff -q $t $f; then
+# s cp $t $f
+# s chmod 644 $f
+# p update
+# fi
+# pi iridium-browser
+# ;;
+# esac
+
+
+### begin home vpn server setup
+
+
+# # this section done initially to make persistent keys.
+# # Also note, I temporarily set /etc/hosts so my host was
+# # b8.nz when running this, since the vpn client config
+# # generator assumes we need to go to that server to get
+# # server keys.
+# vpn-server-setup -rds
+# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
+# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
+# # kw = kgpe work machine.
+# for host in x2 x3 kw; do
+# vpn-mk-client-cert -b $host -n home b8.nz 1196
+# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
+# mkdir -p $dir
+# s bash -c "cp /etc/openvpn/client/home* $dir"
+# # note: /etc/update-resolv-conf-home also exists for all systems with /p
+# done
+
+# key already exists, so this won't generate one, just the configs.
+vpn-server-setup -rds
+s tee -a /etc/openvpn/server/server.conf <<'EOF'
+push "dhcp-option DNS 10.0.0.1"
+push "route 10.0.0.0 255.255.0.0"
+client-connect /a/bin/distro-setup/vpn-client-connect
+EOF
+s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
+
+if [[ $HOSTNAME == tp ]]; then
+ if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+ vpn_service=openvpn-server@server
+ else
+ vpn_service=openvpn@server
+ fi
+ sgo $vpn_service
+fi
+### end vpn server setup
+
+
+##### rss2email
+# note, see bashrc for more documentation.
+pi rss2email
+s dd of=/etc/systemd/system/rss2email.service <<'EOF'
+[Unit]
+Description=rss2email
+After=multi-user.target
+
+[Service]
+User=iank
+Type=oneshot
+# about 24 hours of failures
+# it copies over its files without respecting symlinks, so
+# we pass options to use different location.
+ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg run
+EOF
+s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
+[Unit]
+Description=rss2email
+
+[Timer]
+# for initial run. required.
+OnActiveSec=30
+# for subsequent runs.
+OnUnitInactiveSec=300
+
+[Install]
+WantedBy=timers.target
+EOF
+s systemctl daemon-reload
+
+
+######### begin pump.io periodic backup #############
+if [[ $HOSTNAME == frodo ]]; then
+ s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
+[Unit]
+Description=pump li backup
+After=multi-user.target
+
+[Service]
+User=iank
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
+EOF
+ s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
+[Unit]
+Description=pump li backup hourly
+
+[Timer]
+OnCalendar=hourly
+
+[Install]
+WantedBy=timers.target
+EOF
+ s systemctl daemon-reload
+ sgo pumpbackup.timer
+fi
+######### end pump.io periodic backup #############
+
+
+######### begin irc periodic backup #############
+if [[ $HOSTNAME == frodo ]]; then
+ s dd of=/etc/systemd/system/ircbackup.service <<'EOF'
+[Unit]
+Description=irc li backup
+After=multi-user.target
+
+[Service]
+User=iank
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once irc-backup rsync -rlptDhSAX --delete root@iankelling.org:/var/lib/znc/moddata/log/iank/freenode/ /k/irclogs
+EOF
+ s dd of=/etc/systemd/system/ircbackup.timer <<'EOF'
+[Unit]
+Description=irc li backup hourly
+
+[Timer]
+OnCalendar=hourly
+
+[Install]
+WantedBy=timers.target
+EOF
+ s systemctl daemon-reload
+ sgo ircbackup.timer
+fi
+
+
+######### end irc periodic backup #############
+
+
+# https://github.com/jlebon/textern
+cd /a/opt/textern
+make native-install USER=1
+
+case $distro in
+ debian|trisquel|ubuntu)
+ # suggests resolvconf package. installing it here is redundant, but make sure anyways.
+ # todo: check other distros to make sure it\'s installed
+ pi-nostart openvpn resolvconf
+ # pi-nostart does not disable
+ ser disable openvpn
+ ;;
+ *) pi openvpn;;
+esac
+
+/a/bin/distro-setup/radicale-setup
+
+## android studio setup
+# this contains the setting for android sdk to point to
+# /a/opt/androidsdk, which is asked upon first run
+lnf /a/opt/.AndroidStudio2.2 ~
+# android site says it needs a bunch of packages for ubuntu,
+# but I googled for debian, and someone says you just need lib32stdc++6 plus the
+# jdk
+# https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
+# see w.org for more android studio details
+spa lib32stdc++6 default-jdk
+
+
+############# begin syncthing setup ###########
+if [[ $HOSTNAME == frodo ]]; then
+ # It\'s simpler to just worry about running it in one place for now.
+ # I assume it would work to clone it\'s config to another non-phone
+ # and just run it in one place instead of the normal having a
+ # separate config. I lean toward using the same config, since btrfs
+ # syncs between comps.
+ case $distro in