+
+###### begin website setup
+case $HOSTNAME in
+ li|l2)
+ pi bind9
+ f=/var/lib/bind/db.b8.nz
+ if [[ ! -e $f ]]; then
+ ser stop bind9
+ s rm -fv $f.jnl
+ s install -m 644 -o bind -g bind /p/c/machine_specific/linode/bind-initial/db.b8.nz $f
+ ser restart bind9
+ fi
+ ;;&
+ l2)
+ # setup let's encrypt cert
+ m web-conf apache2 l2.b8.nz
+ s rm -fv /etc/apache2/sites-enabled/l2.b8.nz{,-redir}.conf
+ ser reload apache2
+ s lnf -T /etc/letsencrypt/live/l2.b8.nz/fullchain.pem /etc/exim4/exim.crt
+ if [[ ! -L /etc/exim4/exim.key ]]; then
+ s lnf -T /etc/letsencrypt/live/l2.b8.nz/privkey.pem /etc/exim4/exim.key
+ mail-setup
+ fi
+ end
+ ;;
+ li)
+
+ case $HOSTNAME in
+ li)
+ m /a/h/setup.sh iankelling.org
+ ;;
+ *)
+ # allow symlinks on other hosts so i can host files in arbitrary paths
+ m /a/h/setup.sh -s
+ ;;
+ esac
+ m /a/h/build.rb
+
+ # start mumble only when im going to use it, since i dont use it much
+ pi-nostart mumble-server
+ s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
+
+ # do certificate to avoid warning about unsigned cert,
+ # which is overkill for my use, but hey, I'm cool, I know
+ # how to do this.
+ m web-conf apache2 mumble.iankelling.org
+ s rm -fv /etc/apache2/sites-enabled/mumble.iankelling.org
+ s <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
+
+
+ # requested from linode via a support ticket.
+ # https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
+ # ipv6 stuff pieced together
+ # via slightly wrong information from
+ # https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
+ # https://community.openvpn.net/openvpn/wiki/IPv6
+ # and man openvpn
+
+ m vpn-server-setup -rd 2600:3c00:e000:280::1/64 2600:3c00::f03c:91ff:feb4:0bf3
+ s tee /etc/openvpn/client-config/mail <<'EOF'
+ifconfig-push 10.8.0.4 255.255.255.0
+ifconfig-ipv6-push 2600:3c00:e000:280::2/64
+EOF
+
+ if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+ vpn_service=openvpn-server@server
+ else
+ vpn_service=openvpn@server
+ fi
+
+ sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
+[Unit]
+Description=Turns on iptables mail nat
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/a/bin/distro-setup/vpn-mail-forward start
+ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
+
+[Install]
+WantedBy=$vpn_service.service
+EOF
+ ser daemon-reload
+ m sgo vpnmail.service
+ # needed for li's local mail delivery.
+ tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
+ m sgo $vpn_service
+ # setup let's encrypt cert
+ m web-conf apache2 mail.iankelling.org
+ s rm -fv /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
+ ser reload apache2
+
+ domain=cal.iankelling.org
+ web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
+#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
+# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
+<Location />
+ Options +FollowSymLinks +Multiviews +Indexes
+ AllowOverride None
+ AuthType basic
+ AuthName "Authentication Required"
+ # setup one time, with root:www-data, 640
+ AuthUserFile "/etc/caldav-htpasswd"
+ Require valid-user
+</Location>
+EOF
+ # nginx version of above would be:
+ # auth_basic "Not currently available";
+ # auth_basic_user_file /etc/nginx/caldav/htpasswd;
+
+
+
+ ###### begin znc setup #####
+ pi znc
+
+ # https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart after cert change.
+ # to get into the web interface,
+ # then use non-main browser or else it doebsn't allow it based on ocsp stapling from my main site.
+ # https://iankelling.org:12533/
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
+
+ # znc config generated by doing
+ # znc --makeconf
+ # selected port is also used in erc config
+ # comma separated channel list worked.
+ # while figuring things out, running znc -D for debug in foreground.
+ # to exit and save config:
+ # /msg *status shutdown
+ # configed auth on freenode by following
+ # https://wiki.znc.in/Sasl:
+ # /msg *sasl RequireAuth yes
+ # /msg *sasl Mechanism PLAIN
+ # /msg *sasl Set ident_name password
+ # created the system service after, and had to do
+ # mv /home/iank/.znc/* /var/lib/znc
+ # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
+ # and made a copy of the config files into /p/c
+ # /msg *status LoadMod --type=global log -sanitize
+ # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
+ # /msg *status LoadMod --type=network perform
+ # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
+ # /msg *perform add JOIN #fsf-office
+ #
+ # i set Buffer = 500
+ # also ran /znc LoadMod clearbufferonmsg
+ # it would be nice if erc supported erc query buffers by doing
+ # /msg *status clearbuffer <name of the query/receiver
+ # on killing the,
+ # an example seems to be here: https://github.com/zenspider/elisp/blob/master/rwd-irc.el
+ # if that was the case i could remove the module clearbufferonmsg
+ # also would be nice if erc supported
+ # https://wiki.znc.in/self-message
+ # https://wiki.znc.in/Query_buffers \
+ #
+ s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
+ s chmod 700 /var/lib/znc
+ s chown -R znc:znc /var/lib/znc
+ # Avoid restarting if possible, reconnecting to irc is annoying.
+ # The unit file was made active with conflink.
+ if [[ $(ser is-active znc) != active ]]; then
+ m sgo znc
+ fi
+ ###### stop znc setup #####
+
+ end