}
pre="${0##*/}:"
sudo() {
- printf "$pre %s\n" "$*"
+ printf "$pre sudo %s\n" "$*"
SUDOD="$PWD" command sudo "$@";
}
m() { printf "$pre %s\n" "$*"; "$@"; }
# fi
+
+
pi debootstrap
######### begin universal pinned packages ######
case $(debian-codename) in
- nabia|etiona|flidas)
+ etiona|flidas|nabia|aramo)
sudo rm -fv /etc/apt/preferences.d/etiona-buster
sd /etc/apt/preferences.d/trisquel-debian <<EOF
Explanation: Debian* includes Debian + Debian Backports
;;&
- nabia|etiona)
+ aramo|nabia|etiona)
# for ziva
#p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
doupdate=false
- for n in buster bullseye; do
+ for n in bullseye; do
f=/etc/apt/sources.list.d/$n.list
t=$(mktemp)
case $n in
- buster)
- cat >$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
- ;;
bullseye)
cat >$t <<'EOF'
EOF
Pin-Priority: -100
EOF
+ ;;&
+ nabia)
+ sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+ f=/etc/apt/sources.list.d/aramo.list
+ t=$(mktemp)
+ cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+ if ! diff -q $t $f; then
+ sudo dd if=$t of=$f 2>/dev/null
+ p update
+ fi
+
;;&
*)
if isdeb; then
;;
esac
-
+case $codename_compat in
+ jammy)
+ s systemctl enable --now ssh-agent-iank
+ ;;
+esac
case $codename_compat in
focal)
EOF
;;
nabia)
+ # note, to get the latest, it would be n=bullseye*
+ # but that has conflicting package versions, so this does the old one.
+ # I only use it for special rare purposes. Just keep in mind it is an
+ # outdated insecure version.
sd /etc/apt/preferences.d/chromium-bullseye <<EOF
Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
-Pin: release o=Debian*,n=bullseye*
+Pin: release o=Debian*,n=bullseye
+Pin-Priority: 500
+EOF
+ ;;
+ aramo)
+ # obs dependency not in trisquel
+ sd /etc/apt/preferences.d/obs <<EOF
+Package: libfdk-aac2
+Pin: release n=jammy,o=Ubuntu
Pin-Priority: 500
EOF
;;
# Pin-Priority: 500
# EOF
-if [[ -e /etc/wireguard/wghole.conf ]]; then
- reload=false
- if [[ ! -e /etc/systemd/system/wg-quick@wghole.service.d/override.conf ]]; then
- reload=true
- fi
- sudo mkdir -p /etc/systemd/system/wg-quick@wghole.service.d
- sd /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
-[Unit]
-StartLimitIntervalSec=0
-
-[Service]
-Restart=on-failure
-RestartSec=20
-EOF
- if $reload; then ser daemon-reload; fi
- sgo wg-quick@wghole
-fi
###### begin website setup
case $HOSTNAME in
fi
pi prometheus-node-exporter
+ /a/bin/buildscripts/prom-node-exporter -l
# ex for exporter
web-conf -p 9101 -f 9100 - apache2 ${HOSTNAME}ex.b8.nz <<'EOF'
# https://radicale.org/2.1.html
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location /radicale/>
- Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+<Location "/">
AllowOverride None
- AuthType basic
+ AuthType Basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
+ RequestHeader set X-Remote-User expr=%{REMOTE_USER}
+</Location>
+<Location "/radicale/">
+ Options +FollowSymLinks +Multiviews -Indexes
RequestHeader set X-Script-Name /radicale/
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
ProxyPass "http://10.8.0.4:5232/" retry=0
### system76 things ###
case $HOSTNAME in
- sy|bo)
+ bo) # sy| sy doesnt seem to really need this.
# note, i stored the initial popos packages at /a/bin/data/popos-pkgs
if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
# https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
fi
;;
esac
+### end system76 things ###
case $distro in
trisquel|ubuntu)
# and choose lightdm.
#
;;
+ jammy)
+ # not yet bothering with mate
+ pi lightdm-gtk-greeter lightdm
+ ;;
esac
# dependent packages.
pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+ s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+fi
+
# commented, not worth the hassle i think.
#seru enable psd
# cabal update
# cabal install --upgrade-dependencies --force-reinstalls arbtt
# also, i assume syncing this between machines somehow messed up the data.
-if mountpoint /p &>/dev/null; then
- case $codename in
- etiona|nabia)
- pi arbtt
- # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
- # Failed to connect to bus: No such file or directory
- lnf -T /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
- # allow failure
- seru start arbtt ||:
- ;;
- esac
-fi
+
+## not using arbtt for now
+# if mountpoint /p &>/dev/null; then
+# case $codename in
+# etiona|nabia)
+# pi arbtt
+# # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
+# # Failed to connect to bus: No such file or directory
+# lnf -T /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
+# # allow failure
+# seru start arbtt ||:
+# ;;
+# esac
+# fi
+rm -fv /home/iank/.config/systemd/user/default.target.wants/arbtt.service
m primary-setup
/run/user/0 /run/user/0 none rw,bind 0 0
EOF
+# todo: consider if this should use the new sysd-prom-fail
sd /etc/systemd/system/schrootupdate.service <<'EOF'
[Unit]
Description=schrootupdate
# # I'm not seeing the icon, but the clipboard replication is working
-### model 01 arduino support ###
+### begin model 01 arduino support ###
# https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
# also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
# set arduino var in bashrc,
# have system config file setup too.
sudo adduser $USER dialout
+# as of 2022-05,
+# download arduino ide, extract in /a/opt, ignore the install script, run ./arduino,
+# toolbar, preferences, add board manager url:
+# https://raw.githubusercontent.com/keyboardio/boardsmanager/master/package_keyboardio_index.json
+# toolbar, board manager, add keyboardio
+# toolbar, select model01 board
+# toolbar, examples, model01, compile
+
+###
+
# this is for the mail command too. update-alternatives is kind of misleading
# since at least it's main commands pretend mail does not exist.
# bsd's mail got pulled in on some dumb dependency, i dunno how.
########### misc stuff
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
+
+
if [[ $HOSTNAME != frodo ]]; then
# remove. i moved this into dns
echo | s cedit hole /etc/hosts ||:
case $HOSTNAME in
kd)
- # ive got these + a needed dependency pinned to bullseye, just to get
- # versions more in line with the main docs.
# Font awesome is needed for the alertmanager ui.
pi prometheus-alertmanager prometheus prometheus-node-exporter fonts-font-awesome
+ /a/bin/buildscripts/prometheus
web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
<Location "/">
AuthType Basic
Require valid-user
</Location>
EOF
+
+ web-conf -p 9094 -f 9093 - apache2 i.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
# by default, the alertmanager web ui is not enabled other than a page
# that suggests to use the amtool cli. that tool is good, but you cant
- # silence things nearly as fast.
+ # silence things nearly as easily as with the gui.
if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
- sudo chroot /nocow/schroot/bullseye prometheus-alertmanager
- sudo chroot /nocow/schroot/bullseye /usr/share/prometheus/alertmanager/generate-ui.sh
- sudo rsync -avih /nocow/schroot/bullseye/usr/share/prometheus/alertmanager/ui/ /usr/share/prometheus/alertmanager/ui
+ # default script didnt work, required some changes to get elm 19.1,
+ # which is a dependency of the latest alertmanager. I modified
+ # and copied it into /b/ds. In future, might need some other
+ # solution.
+ #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+ sudo /b/ds/generate-ui.sh
ser restart prometheus-alertmanager
fi
sysd-prom-fail-install $ser
done
- ## get upstream because it has the react ui, which has localtime, and general better usability.
- ## begin get latest upstream prometheus ###
- cd /a/opt/promdl
- url=$(curl -s https://api.github.com/repos/prometheus/prometheus/releases/latest | jq -r '.assets[].browser_download_url | match(".*linux-amd64.tar.gz$").string')
- f=${url##*/}
- if [[ -e $f ]]; then
- timestamp=$(stat -c %Y $f)
- else
- timestamp=0
- fi
- m wget -nv -N $url
- new_timestamp=$(stat -c %Y $f)
- if [[ $timestamp != $new_timestamp || ! -e /usr/local/bin/prometheus ]]; then
- ngset
- to_rm=( !($f) )
- ngreset
- if (( ${#to_rm[@]} )); then
- rm -rf ${to_rm[@]}
- fi
- m ex $f
- dir=${f%.tar.gz}
- s install $dir/prometheus $dir/promtool /usr/local/bin
- fi
- ## end get latest upstream prometheus ###
-
;;
*)
pi prometheus-node-exporter
# either use iptables or, in
# /etc/default/prometheus-node-exporter
# listen on the wireguard interface
+
*)
wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
# old filename. remove once all hosts are updated.
</Location>
EOF
# For work, i think we will just use the firewall for hosts in the main data center, and
- # apache/nginx + tls + basic auth outside of it. or consider stunnel.
-
+ # vpn for hosts outside it.
# TODO: figure out how to detect the ping failure and try again.
### end prometheus ###
+### begin nagios ###
+
+pi nagios4
+s rm /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+# to add a password for admin:
+# htdigest /etc/nagios4/htdigest.users Nagios4 iank
+# now using the same pass as prometheus
+
+# nagstamon auth settings, set to digest instead of basic.
+
+web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+ Options FollowSymLinks
+ DirectoryIndex index.php index.html
+ AllowOverride AuthConfig
+ #
+ # The default Debian nagios4 install sets use_authentication=0 in
+ # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+ # This is insecure. As a compromise this default apache2 configuration
+ # only allows private IP addresses access.
+ #
+ # The <Files>...</Files> below shows how you can secure the nagios4
+ # web site so anybody can view it, but only authenticated users can issue
+ # commands (such as silence notifications). To do that replace the
+ # "Require all granted" with "Require valid-user", and use htdigest
+ # program from the apache2-utils package to add users to
+ # /etc/nagios4/htdigest.users.
+ #
+ # A step up is to insist all users validate themselves by moving
+ # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+ # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+ # can configure which people get to see a particular service from
+ # within the nagios configuration.
+ #
+ AuthDigestDomain "Nagios4"
+ AuthDigestProvider file
+ AuthUserFile "/etc/nagios4/htdigest.users"
+ AuthGroupFile "/etc/group"
+ AuthName "Nagios4"
+ AuthType Digest
+ Require valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+ Options +ExecCGI
+</Directory>
+EOF
+
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+# 2 define contact {
+# 1 define contactgroup {
+# 9 define host {
+# 4 define hostgroup {
+# 23 define service {
+# 5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+# 76 define command
+# 11 define contact
+# 6 define contactgroup
+# 162 define host
+# 1 define hostextinfo
+# 16 define hostgroup
+# 3040 define service
+# 2 define servicedependency
+# 6 define timeperiod
+
+
+### end nagios ###
+
end_msg <<'EOF'
In mate settings settings, change scrolling to two-finger,