# SPDX-License-Identifier: GPL-3.0-or-later
-# shellcheck source=/a/bin/ds/.bashrc
-export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi
+export LC_USEBASHRC=t
+source /a/bin/ds/.bashrc
### setup
source /a/bin/bash-bear-trap/bash-bear
t=$(mktemp)
case $n in
bookworm)
- cat >$t <<'EOF'
-EOF
cat >$t <<EOF
deb http://deb.debian.org/debian bookworm main
deb-src http://deb.debian.org/debian bookworm main
done
if $doupdate; then
tmpdir=$(mktemp -d)
- cd $tmpdir
- p download debian-archive-keyring
- s dpkg -i debian-archive-keyring
+ (
+ cd $tmpdir
+ # cant apt get the keyring without doing an update, can't update
+ # without the keyring, this is a stupid chicken and egg problem
+ # that apt should have some feature to solve, but doesn't as far
+ # as I know.
+ f=debian-archive-keyring_2023.3+deb12u1_all.deb
+ wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f
+ sudo dpkg -i $f
+ )
p update
- cd -
rm -rf $tmpdir
fi
client-to-client
EOF
-
- ngset
- files=(/etc/openvpn/client-config-hole/*)
- if (( ${#files[@]} >= 1 )); then
- rm -f ${files[@]}
- fi
- ngreset
- for host in ${!vpn_ips[@]}; do
- sd /etc/openvpn/client-config-hole/$host <<EOF
-ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
-EOF
- done
+ # note client-config files are setup in brc2 update-host-info
# for adding cert to system with /p
/c/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus
# make it available for other machines
rsync -a /usr/local/bin/amtool /a/opt/bin
- web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
+ web-conf -p 9091 -f 9090 - apache2 b8.nz <<'EOF'
<Location "/">
AuthType Basic
AuthName "basic_auth"
</Location>
EOF
- web-conf -p 9094 -f 9093 - apache2 i.b8.nz <<'EOF'
+ web-conf -p 9094 -f 9093 - apache2 b8.nz <<'EOF'
<Location "/">
AuthType Basic
AuthName "basic_auth"
# listen on the wireguard interface
*)
- wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
- # old filename. remove once all hosts are updated.
- s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
- web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+ if [[ -e /etc/wireguard/wghole.conf ]]; then
+ wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+ # old filename. remove once all hosts are updated.
+ s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+ s bash -x web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
<Location "/">
AuthType Basic
AuthName "basic_auth"
Require valid-user
</Location>
EOF
- # For work, i think we will just use the firewall for hosts in the main data center, and
- # vpn for hosts outside it.
+ # For work, i think we will just use the firewall for hosts in the main data center, and
+ # vpn for hosts outside it.
- # TODO: figure out how to detect the ping failure and try again.
+ # TODO: figure out how to detect the ping failure and try again.
- # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
- s mkdir /etc/systemd/system/apache2.service.d
- sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
+ # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
+ s mkdir /etc/systemd/system/apache2.service.d
+ sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
[Unit]
After=wg-quick@wghole.service
StartLimitIntervalSec=0
RestartSec=30
EOF
+ fi
;;
esac
### end prometheus ###
-### begin nagios ###
-
-pi nagios-nrpe-server
-
-case $HOSTNAME in
- kd)
- # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
- pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
- s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
-
- # to add a password for admin:
- # htdigest /etc/nagios4/htdigest.users Nagios4 iank
- # now using the same pass as prometheus
-
- # nagstamon auth settings, set to digest instead of basic.
-
- web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
-# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
-
-ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
-ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
-
-# Where the stylesheets (config files) reside
-Alias /nagios4/stylesheets /etc/nagios4/stylesheets
-
-# Where the HTML pages live
-Alias /nagios4 /usr/share/nagios4/htdocs
-
-<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
- Options FollowSymLinks
- DirectoryIndex index.php index.html
- AllowOverride AuthConfig
- #
- # The default Debian nagios4 install sets use_authentication=0 in
- # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
- # This is insecure. As a compromise this default apache2 configuration
- # only allows private IP addresses access.
- #
- # The <Files>...</Files> below shows how you can secure the nagios4
- # web site so anybody can view it, but only authenticated users can issue
- # commands (such as silence notifications). To do that replace the
- # "Require all granted" with "Require valid-user", and use htdigest
- # program from the apache2-utils package to add users to
- # /etc/nagios4/htdigest.users.
- #
- # A step up is to insist all users validate themselves by moving
- # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
- # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
- # can configure which people get to see a particular service from
- # within the nagios configuration.
- #
- AuthDigestDomain "Nagios4"
- AuthDigestProvider file
- AuthUserFile "/etc/nagios4-htdigest.users"
- AuthGroupFile "/etc/group"
- AuthName "Nagios4"
- AuthType Digest
- Require valid-user
-</DirectoryMatch>
-
-<Directory /usr/share/nagios4/htdocs>
- Options +ExecCGI
-</Directory>
-EOF
- ;;
-esac
-
-# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
-# notifications_enabled=1
-# note, the same variable exists in the correspdonding "define service {"
-
-# in the default config, we have these definitions
-
-# 11 define command {
-# 2 define contact {
-# 1 define contactgroup {
-# 9 define host {
-# 4 define hostgroup {
-# 23 define service {
-# 5 define timeperiod {
-
-
-# on klaxon
-
-# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
-# 76 define command
-# 11 define contact
-# 6 define contactgroup
-# 162 define host
-# 1 define hostextinfo
-# 16 define hostgroup
-# 3040 define service
-# 2 define servicedependency
-# 6 define timeperiod
-
-
-
-
-### end nagios ###
-
### begin bitcoin ###
case $HOSTNAME in
- sy|kd)
- sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-26.0/bin/*
+ sy|kd|so)
+ sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-27.0/bin/*
# Note: i leave it to system-status to start and stop bitcoin.
# note: the bitcoin user & group are setup in fai
sudo usermod -a -G bitcoin iank
### end gh ####
+
# remove trisquel banner. it is cool but takes up too much space.
sudo rm -f /etc/update-motd.d/01-banner