+### begin nagios ###
+
+pi nagios-nrpe-server
+
+case $HOSTNAME in
+ kd)
+ # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
+ pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
+ s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ # to add a password for admin:
+ # htdigest /etc/nagios4/htdigest.users Nagios4 iank
+ # now using the same pass as prometheus
+
+ # nagstamon auth settings, set to digest instead of basic.
+
+ web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+ Options FollowSymLinks
+ DirectoryIndex index.php index.html
+ AllowOverride AuthConfig
+ #
+ # The default Debian nagios4 install sets use_authentication=0 in
+ # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+ # This is insecure. As a compromise this default apache2 configuration
+ # only allows private IP addresses access.
+ #
+ # The <Files>...</Files> below shows how you can secure the nagios4
+ # web site so anybody can view it, but only authenticated users can issue
+ # commands (such as silence notifications). To do that replace the
+ # "Require all granted" with "Require valid-user", and use htdigest
+ # program from the apache2-utils package to add users to
+ # /etc/nagios4/htdigest.users.
+ #
+ # A step up is to insist all users validate themselves by moving
+ # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+ # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+ # can configure which people get to see a particular service from
+ # within the nagios configuration.
+ #
+ AuthDigestDomain "Nagios4"
+ AuthDigestProvider file
+ AuthUserFile "/etc/nagios4-htdigest.users"
+ AuthGroupFile "/etc/group"
+ AuthName "Nagios4"
+ AuthType Digest
+ Require valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+ Options +ExecCGI
+</Directory>
+EOF
+ ;;
+esac
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+# 2 define contact {
+# 1 define contactgroup {
+# 9 define host {
+# 4 define hostgroup {
+# 23 define service {
+# 5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+# 76 define command
+# 11 define contact
+# 6 define contactgroup
+# 162 define host
+# 1 define hostextinfo
+# 16 define hostgroup
+# 3040 define service
+# 2 define servicedependency
+# 6 define timeperiod
+
+
+
+
+### end nagios ###
+
+### begin bitcoin ###
+
+case $HOSTNAME in
+ sy|kd)
+ sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-26.0/bin/*
+ # Note: i leave it to system-status to start and stop bitcoin.
+ # note: the bitcoin user & group are setup in fai
+ sudo usermod -a -G bitcoin iank
+ # todo: make bitcoin have a stable uid/gid
+ sudo mkdir -p /var/lib/bitcoind
+ sudo chown bitcoin:bitcoin /var/lib/bitcoind
+ # 710 comes from the upstream bitcoin unit file
+ sudo chmod 710 /var/lib/bitcoind
+ # note, there exists
+ # /a/bin/ds/disabled/bitcoin
+ ;;
+esac
+
+### end bitcoin
+
+### begin live streaming ###
+
+# comparing nginx rtmp to icecast
+# `mpv --cache=no` had about 2.5 sec latency vs 4 seconds.
+# Then I discovered this command which had about .5 sec latency:
+#ffplay -f live_flv -fast -x 1280 -y 720 -fflags nobuffer -flags low_delay -strict experimental -vf "setpts=N/60/TB" -af "asetpts=N/60/TB" -noframedrop -i rtmp://url_here
+## a lot of those args arent needed, here is what I ended up with:
+# #ffplay -f live_flv -fflags nobuffer -flags low_delay -i rtmp://localhost/live
+#
+# A problem with rtmp is that it doesn't support vp8/vp9, requiring the partly patent encumbered h264.
+# Looking at alternative protocols: dash & hls are both high latency, I tested dash with the nginx-rtmp
+# module and got about 5 seconds of latency, web results imply that is normal.
+#
+# Webrtc is what jitsi & bbb use, but an annoying thing is that
+# generally requires a web browser with javascript, or some special
+# client, and afaik, it has a smaller limit on number of clients.
+#
+# Another option is to try rtp/rtsp, there are some servers here:
+# https://en.wikipedia.org/wiki/Real-Time_Streaming_Protocol
+
+
+## reference for setting up rtmp
+# pi nginx libnginx-mod-rtmp
+# cat >/etc/nginx/modules-enabled/rtmp.conf <<'EOF'
+## based on https://opensource.com/article/19/1/basic-live-video-streaming-server#comments
+## and https://github.com/arut/nginx-rtmp-module/wiki/Directives
+
+# rtmp {
+# allow publish 127.0.0.1;
+# deny publish all;
+# server {
+# listen 1935;
+# application live {
+# live on;
+# record off;
+# }
+# }
+# }
+# EOF
+
+### end live streaming ###
+
+### begin gh ####
+
+# from https://raw.githubusercontent.com/cli/cli/trunk/docs/install_linux.md
+# One time setup afterwards:
+# gh auth login
+#
+# When it gets to the page where it asks to authorize github, the button
+# is grayed out. You can just open browser dev tools, inspect the
+# button, remove disabled="", then click it and it works.
+#
+# Auth token gets saved into /p/c/subdir_files/.local/share/keyrings/
+#
+# initial config goes to /home/iank/.config/gh
+curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+ && sudo apt update \
+ && sudo apt install gh -y
+
+### end gh ####
+
+# remove trisquel banner. it is cool but takes up too much space.
+sudo rm -f /etc/update-motd.d/01-banner
+
+case $HOSTNAME in
+ kw|x3)
+ sd /etc/cups/client.conf <<'EOF'
+ServerName printserver1.office.fsf.org
+EOF
+ ;;
+esac
+