apache2
apache2-doc
apt-doc
+ apt-listchanges
aptitude-doc-en
bash-doc
binutils-doc
+ bind9-doc
bwm-ng
chromium
cpio-doc
+ cloc
cron
debconf-doc
duplicity
gdb
gdb-doc
git-doc
+ git-email
gitk
glibc-doc
goaccess
ser daemon-reload
ser enable vpnmail.service
acme-tiny-wrapper mail.iankelling.org
+ # needed for li's local mail delivery. there might
+ # be a better way to do it that doesn't require disabling
+ # it during le verification, but whatever for now.
+ f=/etc/cron.daily/lets-encrypt-mail_iankelling_org
+ l="10.8.0.4 mail.iankelling.org"
+ tu /etc/hosts <<<"$l"
+ s sed -i '/^\s*sysv acme-tiny-wrapper/i sed -i /^10\.8\.0\.4/d /etc/hosts' $f
+ echo "echo $l >>/etc/hosts" | s tee -a $f
sgo openvpn
- tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
+ domain=cal.iankelling.org
+ acme-tiny-wrapper $domain
+ apache-site -f 10.8.0.4:5232 - $domain <<'EOF'
+#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
+ <Directory "/var/www/cal.iankelling.org/html">
+ Options +FollowSymLinks +Multiviews +Indexes
+ AllowOverride None
+ AuthType basic
+ AuthName "Authentication Required"
+ # setup one time, with root:www-data, 640
+ AuthUserFile "/etc/caldav-htpasswd"
+ Require valid-user
+ </Directory>
+EOF
+ # nginx version of above would be:
+ # auth_basic "Not currently available";
+ # auth_basic_user_file /etc/nginx/caldav/htpasswd;
+
+
+ ########## begin pump.io setup ##########
+
+ # once pump adds a logrotation script, turn off nologger,
+ # and add
+ # "logfile": "/var/log/pumpio/pumpio.log",
+ #
+ s dd of=/etc/pump.io.json <<'EOF'
+{
+ "secret": "SECRET_REPLACE_ME",
+ "driver": "mongodb",
+ "params": { "dbname": "pumpio" },
+ "noweb": false,
+ "site": "pump.iankelling.org",
+ "owner": "Ian Kelling",
+ "ownerURL": "https://iankelling.org/",
+ "port": 8001,
+ "urlPort": 443,
+ "hostname": "pump.iankelling.org",
+ "nologger": true,
+ "datadir": "/home/pumpio/pumpdata",
+ "enableUploads": true,
+ "debugClient": false,
+ "disableRegistration": true,
+ "noCDN": true,
+ "key": "/home/pumpio/pump.iankelling.org-domain.key",
+ "cert": "/home/pumpio/pump.iankelling.org-chained.pem",
+ "address": "localhost",
+ "sockjs": false
+}
+EOF
+ s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
+
+ # jessie\'s node is too old
+ # https://nodejs.org/en/download/package-manager/
+ curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
+ pi nodejs
+ cd /home/ian
+ rm -rf pump.io.git
+ git clone https://github.com/pump-io/pump.io.git
+ cd pump.io
+ # note: doing this or the npm install pump.io as root had problems.
+ npm install
+ npm run build
+ # normally, next command would be
+ # s npm install -g databank-mongodb
+ # but it\'s this until a bug in pump gets fixed
+ s npm install -g databank-mongodb@0.19.2
+ s useradd -m -s /bin/false pumpio
+ sudo -u pumpio mkdir -p /home/pumpio/pumpdata
+ # for testing browser when only listening to localhost,
+ # in the pump.io.json, set hostname localhost, urlPort 5233
+ #ssh -L 5233:localhost:5233 li
+ acme-tiny-wrapper -c /home/pumpio pump.iankelling.org
+
+ s mkdir -p /var/log/pumpio/
+ s chown pumpio:pumpio /var/log/pumpio/
+
+ apache-site -c /home/pumpio - pump.iankelling.org <<'EOF'
+# currently a bug in pump that we cant terminate ssl
+ SSLProxyEngine On
+ ProxyPreserveHost On
+ ProxyPass / https://127.0.0.1:8001/
+ ProxyPassReverse / https://127.0.0.1:8001/
+ # i have sockjs disabled per people suggesting that
+ # it won\'t work with apache right now.
+ # not sure if it would work with this,
+ # but afaik, this is pointless atm.
+ <Location /main/realtime/sockjs/>
+ ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
+ ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
+ </Location>
+EOF
+
+ s dd of=/etc/systemd/system/pump.service <<'EOF'
+[Unit]
+Description=pump.io
+After=syslog.target network.target
+[Service]
+Type=simple
+User=pumpio
+Group=pumpio
+ExecStart=/home/ian/pump.io/bin/pump
+Environment=NODE_ENV=production
+# failed to find databank-mongodb without this.
+# I just looked at my environment variables took a guess.
+Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ ser daemon-reload
+ sgo pump
+ ########## end pump.io setup ############
+
+
+ ############# begin setup mastodon ##############
+
+ # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+ pi software-properties-common
+ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
+ sudo add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/debian \
+ $(lsb_release -cs) \
+ stable"
+ p update
+ pi docker-ce
+ sgo docker
+ # this may not be needed
+ ser start docker
+
+ curl -L https://github.com/docker/compose/releases/download/1.12.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
+ s chmod +x /usr/local/bin/docker-compose
+
+ # i subscrubed to https://github.com/docker/compose/releases.atom
+ # to deal with updates manually.
+
+ cd ~
+ i clone https://github.com/tootsuite/mastodon
+ cd mastodon
+ # https://github.com/tootsuite/mastodon/tree/v1.1.2
+ # subbed to atom feed to deal with updates
+ i co v1.1.2
+
+ # per instructions, uncomment redis/postgres persistence in docker-compose.yml
+ sed -i 's/^#//' docker-compose.yml
+
+ cat >.env.production <<'EOF'
+REDIS_HOST=redis
+REDIS_PORT=6379
+DB_HOST=db
+DB_USER=postgres
+DB_NAME=postgres
+DB_PASS=
+DB_PORT=5432
+
+LOCAL_DOMAIN=mast.iankelling.org
+LOCAL_HTTPS=true
+
+SINGLE_USER_MODE=true
+
+SMTP_SERVER=10.8.0.4
+SMTP_PORT=25
+SMTP_LOGIN=li
+SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
+SMTP_DOMAIN=mast.iankelling.org
+SMTP_DELIVERY_METHOD=smtp
+EOF
+
+ for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
+ printf "%s=%s" $key "$(docker-compose run --rm web rake secret)" >>.env.production
+ done
+ s cat /etc/mailpass| while read -r domain port pass; do
+ if [[ $domain == mail.iankelling.org ]]; then
+ printf "SMTP_PASSWORD=%s" "$pass" >>.env.production
+ break
+ fi
+ done
+
+
+
+ docker-compose run --rm web rails assets:precompile
+
+ # docker daemon takes care of starting on boot.
+ docker-compose up -d
+
+ acme-tiny-wrapper mast.iankelling.org
+ s a2enmod proxy_wstunnel headers
+ apache-site -f 3000 - mast.iankelling.org <<'EOF'
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto "https"
+ ProxyPass /500.html !
+ ProxyPass /oops.png !
+ ProxyPass /api/v1/streaming/ ws://localhost:4000/
+ ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
+ ErrorDocument 500 /500.html
+ ErrorDocument 501 /500.html
+ ErrorDocument 502 /500.html
+ ErrorDocument 503 /500.html
+ ErrorDocument 504 /500.html
+EOF
+
+
+ ############### !!!!!!!!!!!!!!!!!
+ ############### manual steps:
+
+ # only following 2 people atm, so not bothering to figure out backups
+ # when mastodon has not documented it at all.
+ #
+ # fsf@status.fsf.org
+ # cwebber@toot.cat
+ # dbd@status.fsf.org
+ # johns@status.fsf.org
+
+ # sign in page is at https://mast.iankelling.org/auth/sign_in
+ # register as iank, then
+ # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
+ # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
+
+ ############# end setup mastodon ##############
+
+ pi bind9
echo "$0: $(date): ending now)"
exit 0
########### end section including li/lj ###############
+if [[ $HOSTNAME == treetowl ]]; then
+ # note, see bashrc for more documentation.
+ pi rss2email
+ s dd of=/etc/systemd/system/rss2email.service <<'EOF'
+[Unit]
+Description=rss2email
+After=multi-user.target
+
+[Service]
+User=ian
+Type=oneshot
+# about 24 hours of failures
+ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e run
+EOF
+ s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
+[Unit]
+Description=rss2email
+
+[Timer]
+# for initial run. required.
+OnActiveSec=30
+# for subsequent runs.
+OnUnitInactiveSec=300
+
+[Install]
+WantedBy=timers.target
+EOF
+ s systemctl daemon-reload
+ sgo rss2email.timer
+fi
+
+######### begin pump.io periodic backup #############
+if [[ $HOSTNAME == treetowl ]]; then
+ s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
+[Unit]
+Description=pump li backup
+After=multi-user.target
+
+[Service]
+User=ian
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
+EOF
+ s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
+[Unit]
+Description=pump li backup hourly
+
+[Timer]
+OnCalendar=hourly
+
+[Install]
+WantedBy=timers.target
+EOF
+ s systemctl daemon-reload
+ sgo pumpbackup.timer
+fi
+######### end pump.io periodic backup #############
+
case $distro in
debian|ubuntu)
# suggests because we want the resolvconf package.
- # todo: check other distros to make sure it's installed
+ # todo: check other distros to make sure it\'s installed
pi-nostart --install-suggests openvpn
# pi-nostart does not disable
ser disable openvpn
if [[ $HOSTNAME == treetowl ]]; then
# note, this will need to be changed when the mail/contacts host changes
sgo openvpn-client@mail
- /a/bin/distro-setup/radicale-setup.sh
+ /a/bin/distro-setup/radicale-setup
fi
## android studio setup
if [[ $HOSTNAME == treetowl ]]; then
+ ############# begin syncthing setup ###########
+
# It\'s simpler to just worry about running it in one place for now.
# I assume it would work to clone it\'s config to another non-phone
# and just run it in one place instead of the normal having a
pi syncthing
;;
esac
+ lnf -T /w/syncthing /home/ian/.config/syncthing
sgo syncthing@ian # runs as ian
# these things persist in ~/.config/syncthing, which I save in
- # /p/c/machine_specific
+ # /w/syncthing (not in /p, because syncthing should continue to
+ # run on home server even when using laptop as primary device)
# open http://localhost:8384/
# change listen address from default to tcp://:22001,
# this is because we do port forward so it doesn\'t have to use
# after adding, notification will appear on desktop to confirm
#
# syncing folder. from phone to desktop: select desktop in the
- # folder on phone's sync options, notification will appear in
- # desktop's web ui within a minute. For the reverse, the
- # notification will appear in android's notifications, you have to
- # swipe down and tap it to add the folder. It won't appear in the
- # syncthing ui, which would be intuitive, but don't wait for it
+ # folder on phone\'s sync options, notification will appear in
+ # desktop\'s web ui within a minute. For the reverse, the
+ # notification will appear in android\'s notifications, you have to
+ # swipe down and tap it to add the folder. It won\'t appear in the
+ # syncthing ui, which would be intuitive, but don\'t wait for it
# there.
#
# On phone, set settings to run syncthing all the time, and
#
# Note, the other thing i did was port forward port 22000,
# per https://docs.syncthing.net/users/firewall.html
+
+ ############# end syncthing setup ###########
fi
EOF
s sysctl -p
- # some reason it doesn't seem to start automatically anyways
+ # some reason it doesn\'t seem to start automatically anyways
pi-nostart transmission-daemon
# the folder was moved here after an install around 02/2017.
# it contains runtime data,
- # plus a simple symlink to the config file which it's
+ # plus a simple symlink to the config file which it\'s
# not worth separating out.
- s lnf -T /q/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
+ s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
#
- # config file documented here, and it's the same config
- # for daemon vs client, so it's documented in the gui.
+ # config file documented here, and it\'s the same config
+ # for daemon vs client, so it\'s documented in the gui.
# https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
#
# I originaly setup rpc-whitelist, but after using
- # routing to a network namespace, it doesn't see the
- # real source address, so it's disabled.
+ # routing to a network namespace, it doesn\'t see the
+ # real source address, so it\'s disabled.
#
# Changed the cache-size to 256 mb, reduces disk use.
# It is a read & write cache.
esac
fi
-# dunno why it's there, but get rid of it
+# dunno why it\'s there, but get rid of it
case $HOSTNAME in
li|lj) s rm -rf /home/linode ;;
esac
esac
# allow user to run vms, from debian handbook
for x in ian traci; do s usermod -a -G libvirt,kvm $x; done
-# bridge networking as user fails. google lead here, but it doesn't work:
+# bridge networking as user fails. google lead here, but it doesn\'t work:
# oh well, I give up.
# http://wiki.qemu.org/Features-Done/HelperNetworking
# s mkdir /etc/qemu
esac
# general known for debian/ubuntu, not for fedora
+
+case $distro in
+ debian|ubuntu)
+ pi golang-go
+ # a bit of googling, and added settings to bashrc
+ go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
+ ;;
+ # others unknown
+esac
+
+
case $distro in
arch)
# cdrkit for cloud-init isos
d=jm; jm=d # being clever for succinctness
for s in d jm; do
s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
- /etc/systemd/system/bitcoin${s}.service
+ /etc/systemd/system/bitcoin${s}.service
done
ser daemon-reload
# has seg fault error due to some bug, but it still works
pip install -r requirements.txt || [[ $? == 139 ]]
# note, the target must exist ahead of time, or bitcoin
- # just overwrites the link, and it's not happy with an empty file,
+ # just overwrites the link, and it\'s not happy with an empty file,
# so we have to create the wallet, then move and link it.
s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
-
-# proprietary flash. going without for now
-# case $distro in
-# debian)
-# pi flashplugin-nonfree
-# esac
-
-
-
case $distro in
fedora)
cd $(mktemp -d)
######### end misc packages #########
-# packages I once used before and liked, but don't want installed now for
+# packages I once used before and liked, but don\'t want installed now for
# various reasons:
# python-sqlite is used for offlineimap
# lxappearance python-sqlite dolphin paman dconf-editor
color-scheme 2
# tip: copy access.log files to a stretch host directory, then run
-# jessie's goaccess is too old for some options, and it's
+# jessie's goaccess is too old for some options, and it\'s
# not easily installed from a testing.
# goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
EOF