+####### begin misc packages ###########
+
+# sakura config is owned by ian
+reset-sakura
+reset-konsole
+sudo -u traci -i reset-konsole
+# traci xscreensaver we don't want to reset
+reset-xscreensaver
+
+
+# this would install from cabal for newer / consistent version across os, but it screws up xmonad, so disabled for now.
+# this is also in primary-setup
+# pi libxss-dev # dependency based on build failure
+# cabal update
+# cabal install --upgrade-dependencies --force-reinstalls arbtt
+# also, i assume syncing this between machines somehow messed thin
+#lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
+
+primary-setup
+
+if [[ ! -e ~/.linphonerc && -e /p/.linphonerc-initial ]]; then
+ cp /p/.linphonerc-initial ~/.linphonerc
+fi
+
+
+### begin spd install
+pi libswitch-perl libdigest-md5-file-perl libgnupg-interface-perl
+t=$(mktemp)
+wget -O $t http://mirror.fsf.org/fsfsys-trisquel/fsfsys-trisquel/pool/main/s/spd-perl/spd-perl_0.2-1_amd64.deb
+s dpkg -i $t
+rm $t
+# this guesses at the appropriate directory, adjust if needed
+x=(/usr/lib/x86_64-linux-gnu/perl/5.*)
+sudo ln -sf ../../../perl/5.18.2/SPD/ $x
+# newer distro had gpg2 as default, older one, flidas, need to make it that way
+x=$(which gpg2)
+if [[ $x ]]; then
+ s mkdir -p /usr/local/spdhackfix
+ s lnf -T $x /usr/local/spdhackfix/gpg
+fi
+### end spd install
+
+
+if [[ $HOSTNAME == kw ]]; then
+ cat <<'EOF'
+NOTE: after this finishes, i did
+s nmtui-connect
+# remove br from auto:
+s vim /etc/network/interfaces
+EOF
+fi
+
+# nagstamon setting which were set through the ui
+# in filters tab:
+# all unknown sources
+# all warning services
+# acknowledged hosts & services
+# hosts & services down for maintenence
+# services on down hosts
+# services on hosts in maintenece
+# services on unreachable osts
+# hosts in soft state
+# services in soft state
+# in display tab: fullscreen
+
+# these translate to these settings I think
+# filter_acknowledged_hosts_services = True
+# filter_all_unknown_services = True
+# filter_all_warning_services = True
+# filter_hosts_in_soft_state = True
+# filter_hosts_services_maintenance = True
+# filter_services_in_soft_state = True
+# filter_services_on_down_hosts = True
+# filter_services_on_hosts_in_maintenance = True
+# filter_services_on_unreachable_hosts = True
+# notify_if_up = False
+# statusbar_floating = False
+# fullscreen = True
+# but i'm just going to rely on the webpage plus sms for now.
+
+
+case $distro in
+ debian|trisquel|ubuntu)
+ # it asks if it should make users in it's group capture packets without root,
+ # which is arguably more secure than running wireshark as root. default is no,
+ # which is what i prefer, since I plan to use tcpdump to input to wireshark.
+ s DEBIAN_FRONTEND=noninteractive pi wireshark-gtk
+ ;;
+ # others unknown
+esac
+
+case $(debian-codename) in
+ # needed for debootstrap scripts for fai since fai requires debian
+ flidas)
+ curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
+ s dd of=/etc/apt/preferences.d/flidas-xenial <<EOF
+Package: *
+Pin: release a=xenial
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-security
+Pin-Priority: -100
+EOF
+ s dd of=/etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ xenial main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
+EOF
+
+ s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+ s dd of=/etc/apt/preferences.d/flidas-bionic <<EOF
+Package: *
+Pin: release a=bionic
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-security
+Pin-Priority: -100
+EOF
+
+ # better to run btrfs-progs which matches our kernel version
+ # (note, renamed from btrfs-tools)
+ s dd of=/etc/apt/preferences.d/btrfs-progs <<EOF
+Package: btrfs-progs libzstd1
+Pin: release a=bionic
+Pin-Priority: 1005
+
+Package: btrfs-progs libzstd1
+Pin: release a=bionic-updates
+Pin-Priority: 1005
+
+Package: btrfs-progs libzstd1
+Pin: release a=bionic-security
+Pin-Priority: 1005
+EOF
+
+
+ t=$(mktemp)
+ cat >$t <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
+EOF
+ f=/etc/apt/sources.list.d/bionic.list
+ if ! diff -q $t $f; then
+ s cp $t $f
+ s chmod 644 $f
+ p update
+ fi
+
+ # no special reason, but its better for btrfs-progs to
+ # be closer to our kernel version
+ pi btrfs-progs
+
+ t=$(mktemp -d)
+ cd $t
+ aptitude download debootstrap/xenial
+ ex *
+ ex data.tar.gz
+ s cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+
+ ;;
+esac
+
+# /run and /dev/shm are listed as required for pulseaudio. All 4 in the group
+# listed in the default config as suggested.
+# /run/usr/1000 i noticed was missing for pulseaudio
+# /run/user/0 just seemed like a not bad idea, given the above
+tu /etc/schroot/desktop/fstab <<'EOF'
+/run /run none rw,bind 0 0
+/run/lock /run/lock none rw,bind 0 0
+/dev/shm /dev/shm none rw,bind 0 0
+/run/shm /run/shm none rw,bind 0 0
+/run/user/1000 /run/user/1000 none rw,bind 0 0
+/run/user/1001 /run/user/1001 none rw,bind 0 0
+/run/user/0 /run/user/0 none rw,bind 0 0
+EOF
+
+mkschroot() {
+ distro=$1
+ shift
+ case $distro in
+ ubuntu)
+ repo=http://archive.ubuntu.com/ubuntu/
+ ;;
+ debian)
+ repo=http://deb.debian.org/debian/
+ ;;
+ esac
+ n=$1
+ shift
+ if schroot -l | grep -xFq chroot:$n; then
+ echo "$0: $n schroot already installed, skipping"
+ return 0
+ fi
+ apps=($@)
+ d=/nocow/schroot/$n
+ s dd of=/etc/schroot/chroot.d/$n.conf <<EOF
+[$n]
+description=$n
+type=directory
+directory=$d
+profile=desktop
+preserve-environment=true
+users=$USER,traci
+EOF
+ if [[ -e $d/bin ]]; then
+ s chroot $d apt-get update
+ s chroot $d apt-get -y dist-upgrade --purge --auto-remove
+ cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
+ else
+ s mkdir -p $d
+
+ s debootstrap $n $d $repo
+ cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
+ fi
+ s cp -P {,$d}/etc/localtime
+}
+s dd of=/etc/systemd/system/schrootupdate.service <<'EOF'
+[Unit]
+Description=schrootupdate
+After=multi-user.target