apache2
apache2-doc
apt-doc
+ apt-listchanges
aptitude-doc-en
bash-doc
+ beets
+ beets-doc
binutils-doc
+ bind9-doc
bwm-ng
chromium
cpio-doc
+ cloc
cron
debconf-doc
duplicity
i3lock
iproute2-doc
jq
+ kid3-qt
+ kid3-cli
linux-doc
locate
make-doc
manpages-dev
meld
mumble
+ nginx-doc
nmap
offlineimap
p7zip
########### begin section including li ################
-case $distro in
- debian)
- if [[ `debian-archive` == testing ]]; then
- pi acme-tiny
- fi
-esac
-
case $distro in
fedora) spa unrar ;;
*) spa unrar-free ;;
# disable motd junk.
-case $(distro-name) in
+case $distro in
debian)
# allows me to pipe with ssh -t, and gets rid of spam
# http://forums.debian.net/viewtopic.php?f=5&t=85822
pi "${simple_packages[@]}"
simple_packages=()
+
+case $distro in
+ debian)
+ # note, need python-certbot-nginx for nginx, but it depends on nginx,
+ # and I'm not installing nginx by default right now
+ if isdebian-testing; then
+ pi --install-suggests certbot
+ else
+ pi --install-suggests -t jessie-backports certbot
+ fi
+ # make a version of the certbot timer that emails me.
+ x=/systemd/system/certbot
+ $sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
+s,^Description.*,\0 mail version,
+EOF
+ $sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
+s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
+EOF
+ ser daemon-reload
+ sgo certbotmail.timer
+
+ ;;
+ # todo: other distros unknown
+esac
+
# website setup
case $HOSTNAME in
lj|li)
EOF
ser daemon-reload
ser enable vpnmail.service
- acme-tiny-wrapper mail.iankelling.org
- # needed for li's local mail delivery. there might
- # be a better way to do it that doesn't require disabling
- # it during le verification, but whatever for now.
- f=/etc/cron.daily/lets-encrypt-mail_iankelling_org
- l="10.8.0.4 mail.iankelling.org"
- tu /etc/hosts <<<"$l"
- s sed -i '/^\s*sysv acme-tiny-wrapper/i sed -i /^10\.8\.0\.4/d /etc/hosts' $f
- echo "echo $l >>/etc/hosts" | s tee -a $f
+ # needed for li's local mail delivery.
+ tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
sgo openvpn
+ # setup let's encrypt cert
+ web-conf apache2 mail.iankelling.org
+ s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
+ ser reload apache2
+
domain=cal.iankelling.org
- acme-tiny-wrapper $domain
- apache-site -f 10.8.0.4:5232 - $domain <<'EOF'
+ web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
<Directory "/var/www/cal.iankelling.org/html">
Options +FollowSymLinks +Multiviews +Indexes
"debugClient": false,
"disableRegistration": true,
"noCDN": true,
- "key": "/home/pumpio/pump.iankelling.org-domain.key",
- "cert": "/home/pumpio/pump.iankelling.org-chained.pem",
+ "key": "/home/pumpio/privkey.pem",
+ "cert": "/home/pumpio/fullchain.pem",
"address": "localhost",
"sockjs": false
}
# for testing browser when only listening to localhost,
# in the pump.io.json, set hostname localhost, urlPort 5233
#ssh -L 5233:localhost:5233 li
- acme-tiny-wrapper -c /home/pumpio pump.iankelling.org
s mkdir -p /var/log/pumpio/
s chown pumpio:pumpio /var/log/pumpio/
- apache-site -c /home/pumpio - pump.iankelling.org <<'EOF'
+ web-conf - apache2 pump.iankelling.org <<'EOF'
# currently a bug in pump that we cant terminate ssl
SSLProxyEngine On
ProxyPreserveHost On
</Location>
EOF
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
+
s dd of=/etc/systemd/system/pump.service <<'EOF'
[Unit]
Description=pump.io
sgo pump
########## end pump.io setup ############
+
+ ############# begin setup mastodon ##############
+
+ # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+ pi software-properties-common apt-transport-https
+ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
+ sudo add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/debian \
+ $(lsb_release -cs) \
+ stable"
+ p update
+ pi docker-ce
+ sgo docker
+
+ curl -L https://github.com/docker/compose/releases/download/1.12.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
+ s chmod +x /usr/local/bin/docker-compose
+
+ # i subscrubed to https://github.com/docker/compose/releases.atom
+ # to deal with updates manually.
+
+ cd ~
+ i clone https://github.com/tootsuite/mastodon
+ cd mastodon
+ # https://github.com/tootsuite/mastodon/tree/v1.1.2
+ # subbed to atom feed to deal with updates
+ i co v1.1.2
+
+ # per instructions, uncomment redis/postgres persistence in docker-compose.yml
+ sed -i 's/^#//' docker-compose.yml
+
+ cat >.env.production <<'EOF'
+REDIS_HOST=redis
+REDIS_PORT=6379
+DB_HOST=db
+DB_USER=postgres
+DB_NAME=postgres
+DB_PASS=
+DB_PORT=5432
+
+LOCAL_DOMAIN=mast.iankelling.org
+LOCAL_HTTPS=true
+
+SINGLE_USER_MODE=true
+
+SMTP_SERVER=10.8.0.4
+SMTP_PORT=25
+SMTP_LOGIN=li
+SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
+SMTP_DOMAIN=mast.iankelling.org
+SMTP_DELIVERY_METHOD=smtp
+EOF
+
+ for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
+ printf "%s=%s" $key "$(docker-compose run --rm web rake secret)" >>.env.production
+ done
+ s cat /etc/mailpass| while read -r domain port pass; do
+ if [[ $domain == mail.iankelling.org ]]; then
+ printf "SMTP_PASSWORD=%s" "$pass" >>.env.production
+ break
+ fi
+ done
+
+
+
+ docker-compose run --rm web rails assets:precompile
+
+ # docker daemon takes care of starting on boot.
+ docker-compose up -d
+
+ s a2enmod proxy_wstunnel headers
+ web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto "https"
+ ProxyPass /500.html !
+ ProxyPass /oops.png !
+ ProxyPass /api/v1/streaming/ ws://localhost:4000/
+ ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
+ ErrorDocument 500 /500.html
+ ErrorDocument 501 /500.html
+ ErrorDocument 502 /500.html
+ ErrorDocument 503 /500.html
+ ErrorDocument 504 /500.html
+EOF
+
+
+ ############### !!!!!!!!!!!!!!!!!
+ ############### manual steps:
+
+ # only following 2 people atm, so not bothering to figure out backups
+ # when mastodon has not documented it at all.
+ #
+ # fsf@status.fsf.org
+ # cwebber@toot.cat
+ # dbd@status.fsf.org
+ # johns@status.fsf.org
+
+ # sign in page is at https://mast.iankelling.org/auth/sign_in
+ # register as iank, then
+ # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
+ # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
+
+ ############# end setup mastodon ##############
+
+ pi bind9
+
echo "$0: $(date): ending now)"
exit 0
;;
########### end section including li/lj ###############
-# pump.io periodic backup
+if [[ $HOSTNAME == treetowl ]]; then
+ # note, see bashrc for more documentation.
+ pi rss2email
+ s dd of=/etc/systemd/system/rss2email.service <<'EOF'
+[Unit]
+Description=rss2email
+After=multi-user.target
+
+[Service]
+User=ian
+Type=oneshot
+# about 24 hours of failures
+# it copies over its files without respecting symlinks, so
+# we pass options to use different location.
+ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg run
+EOF
+ s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
+[Unit]
+Description=rss2email
+
+[Timer]
+# for initial run. required.
+OnActiveSec=30
+# for subsequent runs.
+OnUnitInactiveSec=300
+
+[Install]
+WantedBy=timers.target
+EOF
+ s systemctl daemon-reload
+ sgo rss2email.timer
+fi
+
+######### begin pump.io periodic backup #############
if [[ $HOSTNAME == treetowl ]]; then
s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
[Unit]
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
EOF
-
s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
[Unit]
Description=pump li backup hourly
s systemctl daemon-reload
sgo pumpbackup.timer
fi
+######### end pump.io periodic backup #############
case $distro in
debian|ubuntu)
if [[ $HOSTNAME == treetowl ]]; then
+ ############# begin syncthing setup ###########
+
# It\'s simpler to just worry about running it in one place for now.
# I assume it would work to clone it\'s config to another non-phone
# and just run it in one place instead of the normal having a
#
# Note, the other thing i did was port forward port 22000,
# per https://docs.syncthing.net/users/firewall.html
+
+ ############# end syncthing setup ###########
fi
####### misc packages ###########
-if [[ $HOSTNAME == treetowl ]]; then
- case $distro in
- debian|ubuntu)
- # note i had to do this, which is persistent:
- # cd /i/k
- # s chgrp debian-transmission torrents partial-torrents
-
- # syslog says things like
- # 'Failed to set receive buffer: requested 4194304, got 425984'
- # google suggets giving it even more than that
- tu /etc/sysctl.conf<<'EOF'
+case $distro in
+ debian|ubuntu)
+ # note i had to do this, which is persistent:
+ # cd /i/k
+ # s chgrp debian-transmission torrents partial-torrents
+
+ # syslog says things like
+ # 'Failed to set receive buffer: requested 4194304, got 425984'
+ # google suggets giving it even more than that
+ tu /etc/sysctl.conf<<'EOF'
net.core.rmem_max = 67108864
net.core.wmem_max = 16777216
EOF
- s sysctl -p
-
- # some reason it doesn\'t seem to start automatically anyways
- pi-nostart transmission-daemon
-
- # the folder was moved here after an install around 02/2017.
- # it contains runtime data,
- # plus a simple symlink to the config file which it\'s
- # not worth separating out.
- s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
- #
- # config file documented here, and it\'s the same config
- # for daemon vs client, so it\'s documented in the gui.
- # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
- #
- # I originaly setup rpc-whitelist, but after using
- # routing to a network namespace, it doesn\'t see the
- # real source address, so it\'s disabled.
- #
- # Changed the cache-size to 256 mb, reduces disk use.
- # It is a read & write cache.
- #
- s ruby <<'EOF'
+ s sysctl -p
+
+ # some reason it doesn\'t seem to start automatically anyways
+ pi-nostart transmission-daemon
+
+ # the folder was moved here after an install around 02/2017.
+ # it contains runtime data,
+ # plus a simple symlink to the config file which it\'s
+ # not worth separating out.
+ s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
+ #
+ # config file documented here, and it\'s the same config
+ # for daemon vs client, so it\'s documented in the gui.
+ # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
+ #
+ # I originaly setup rpc-whitelist, but after using
+ # routing to a network namespace, it doesn\'t see the
+ # real source address, so it\'s disabled.
+ #
+ # Changed the cache-size to 256 mb, reduces disk use.
+ # It is a read & write cache.
+ #
+ s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
})) + "\n")
EOF
- # make sure its not enabled, not sure if this is needed
- ser disable transmission-daemon
- sgo transmission-daemon-nn
- ;;
- # todo: others unknown
- esac
-fi
-
+ # make sure its not enabled, not sure if this is needed
+ ser disable transmission-daemon
+ ;;
+ # todo: others unknown
+esac
# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
if ! getent passwd debian-transmission > /dev/null; then
case $distro in
;;
esac
fi
+if [[ $HOSTNAME == treetowl ]]; then
+ sgo transmission-daemon-nn
+fi
-# dunno why it\'s there, but get rid of it
-case $HOSTNAME in
- li|lj) s rm -rf /home/linode ;;
-esac
-
-# arch had a default config,
-# debian had nothing until you start it.
-# With a little trial an error, here is a minimal config
-# taken from the generated one, plus changes that the
-# settings ui does, without a bunch of ui crap settings.
-#
-# only settings I set were
-# hostname
-# auto-connect
-# password
+######### begin transmission client setup ######
-# the password is randomly generated on first run
-rpc_pass=$(s ruby <<'EOF'
+if [[ -e /p/transmission-rpc-pass ]]; then
+ # arch had a default config,
+ # debian had nothing until you start it.
+ # With a little trial an error, here is a minimal config
+ # taken from the generated one, plus changes that the
+ # settings ui does, without a bunch of ui crap settings.
+ #
+ # only settings I set were
+ # hostname
+ # auto-connect
+ # password
+
+ # the password is randomly generated on first run, i copied it out
+ # so it could be used by other hosts.
+ s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
-puts JSON.parse(File.read(p))["rpc-password"]
+s = JSON.parse(File.read(p))
+s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
+File.write p, JSON.pretty_generate(s)
EOF
- )
-for f in /home/*; do
- d=$f/.config/transmission-remote-gtk
- u=${f##*/}
- s -u $u mkdir -p $d
- s -u $u dd of=$d/config.json <<EOF
+ rpc_pass=$(</p/transmission-rpc-pass)
+ for f in /home/*; do
+ d=$f/.config/transmission-remote-gtk
+ u=${f##*/}
+ s -u $u mkdir -p $d
+ s -u $u dd of=$d/config.json <<EOF
{
"profiles" : [
{
"add-options-dialog" : false
}
EOF
-done
+ done
+fi
+
+# dunno why it\'s there, but get rid of it
+case $HOSTNAME in
+ li|lj) s rm -rf /home/linode ;;
+esac
+
pi wget
case $HOSTNAME in
+
# note this failed running at the beginning of this file,
# because no systemd user instance was running.
# Doing systemd --user resulted in
;;
esac
+
+########### begin kodi setup ############
+pi kodi
+
+# based on https://wiki.debian.org/SecuringNFS
+# but the quota stuff is either outdated or optional,
+# i guessed that it was not needed and it worked fine.
+s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
+fs.nfs.nfs_callback_tcpport = 32764
+fs.nfs.nlm_tcpport = 32768
+fs.nfs.nlm_udpport = 32768
+EOF
+s sysctl --system
+s $sed -ri -f - /etc/default/nfs-common <<'EOF'
+/^\s*STATDOPTS=/d
+$a STATDOPTS="--port 32765 --outgoing-port 32766"
+EOF
+
+s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
+/^\s*RPCMOUNTDOPTS=/d
+$a RPCMOUNTDOPTS="--manage-gids --port 32767"
+EOF
+ser restart nfs-kernel-server
+
+if [[ $HOSTNAME == treetowl ]]; then
+ # persistent one time steps for webdav:
+ # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
+ # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
+ # htpasswd -c /p/c/filesystem/etc/davpass dav
+ # chmod 640 /p/c/filesystem/etc/davpass
+ # in conflink, set group to www-data.
+ # In kodi, i set the music source, server address: my domain,
+ # path: k/music. Then copied the file
+ # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
+ s a2enmod dav dav_fs
+ web-conf -r /a/c/playlists - apache2 dav.iank.pw <<'EOF'
+<Directory /a/c/playlists>
+ DAV On
+ AuthType Basic
+ AuthName "Authentication Required"
+ AuthUserFile "/etc/davpass"
+ Require valid-user
+
+# outside the standard /var/www, so use this:
+ Order allow,deny
+ Allow from all
+</Directory>
+EOF
+ s mkdir -p /var/www/davlock
+ s chown www-data:www-data /var/www/davlock
+ s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.iank.pw.conf
+ ser reload apache2
+
+ teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
+ exportfs -ra
+
+ # kodi uses sqlite by default, but supports mysql.
+ pi mariadb-server
+
+ # see ofswiki.org for explanation.
+ dbpass="$(cat /p/mysql-root-pass)"
+ if ! echo exit|mysql -uroot "-p$dbpass"; then
+ echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
+ fi
+ mysql -uroot "-p$dbpass" <<EOF
+GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
+EOF
+ s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
+ ser restart mariadb
+
+fi
+
+########### end kodi setup ############
+
+
if [[ $HOSTNAME == treetowl ]]; then
# nohide = export filesystems mounted deeper than the export point
# fsid=0 makes this export the "root" export
iankelling.org / git / distro-setup / blobdiff