#!/bin/bash -l
-# Copyright (C) 2016 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
+# Copyright (C) 2019 Ian Kelling
+# SPDX-License-Identifier: AGPL-3.0-or-later
### setup
source /a/bin/errhandle/err
src="$(readlink -f -- "${BASH_SOURCE[0]}")"; src=${src%/*} # directory of this file
+if [[ $EUID == 0 ]]; then
+ echo "$0: error: run as regular user" >&2
+ exit 1
+fi
+
+_errcatch_cleanup() {
+ echo 1 >~/.local/distro-end
+}
+
# shellcheck source=./pkgs
source $src/pkgs
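Review bot: The status file `~/.local/distro-end` is only written on error (by `_errcatch_cleanup`) and at the very end of the script, so a `0` left by an earlier successful run stays in place while a new run is in progress, or if the run dies without reaching the handler. Anything that reads the file to decide whether the machine finished provisioning can then see a stale success. I would reset it right after the EUID check, e.g. `mkdir -p ~/.local; rm -f ~/.local/distro-end`, which also covers a fresh account where `~/.local` does not exist yet and the redirect in the handler would itself fail. How `/a/bin/errhandle/err` invokes `_errcatch_cleanup` is not visible here, so confirm it runs on every failing exit path.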
trisquel|ubuntu)
# this isn't a complete solution. It still shows me when updates are available,
# but it's no big deal.
- s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
+ s rm -f /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
;;
esac
li)
pi bind9
-
+ f=/var/lib/bind/db.b8.nz
+ if [[ ! -e $f ]]; then
+ ser stop bind9
+ rm -f $f.jnl
+ install -m 644 -o bind -g bind /p/c/machine_specific/li/bind-initial/db.b8.nz $f
+ ser restart bind9
+ fi
case $HOSTNAME in
li) domain=iankelling.org ;;
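Review bot: The added `rm -f $f.jnl` and `install -m 644 -o bind -g bind ... $f` run without the `s` prefix, yet this same commit makes the script refuse to run as root. As a regular user neither command can write under `/var/lib/bind` or chown to `bind`, assuming `s` is the privilege wrapper (as `s rm -f /etc/update-motd.d/...` and `s reboot now` suggest). I would write `s rm -f $f.jnl` and `s install -m 644 -o bind -g bind /p/c/machine_specific/li/bind-initial/db.b8.nz $f`. The same applies to the two bare `rm -f $f` lines added further down for `/etc/apt/apt.conf.d/01iank` and `/etc/apt/sources.list.d/buster.list`. The first of those matters most, because a failed removal leaves any previously written `Acquire::AllowInsecureRepositories "true";` in force.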
EOF
- vpn-server-setup -rd
+ # requested from linode via a support ticket.
+ # https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
+ # ipv6 stuff pieced together
+ # via slightly wrong information from
+ # https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh
+ # https://community.openvpn.net/openvpn/wiki/IPv6
+ # and man openvpn
+
+ vpn-server-setup -rd 2600:3c00:e000:280::1/64 2600:3c00::f03c:91ff:feb4:0bf3
s tee /etc/openvpn/client-config/mail <<'EOF'
ifconfig-push 10.8.0.4 255.255.255.0
+ifconfig-ipv6-push 2600:3c00:e000:280::2/64
EOF
if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
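Review bot: Pushing `2600:3c00:e000:280::2/64` gives the mail client a globally routable address, so unlike the `10.8.0.4` side it is reachable from the internet unless forwarded IPv6 traffic is filtered on the server. No ip6tables/nftables rule is visible in this hunk, so either `vpn-server-setup` handles it or it is missing. A comment next to the call should say which, e.g. `# v6 clients are publicly addressable; inbound forwarding is restricted by <where the rule lives>`. The new comment block would also read better if it said what was requested from Linode (presumably the routed /64) and which of the two arguments is the pool and which is the host address.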
s dd of=/etc/apt/preferences.d/debian-goodies <<EOF
Package: debian-goodies
-Pin: release n=buster
+Pin: release n=etiona
Pin-Priority: 1005
EOF
Package: *
Pin: release n=buster
Pin-Priority: -100
-EOF
- # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
- s dd of=/etc/apt/apt.conf.d/01iank <<'EOF'
-Acquire::AllowInsecureRepositories "true";
+Package: *
+Pin: release n=buster-updates
+Pin-Priority: -100
EOF
- t=$(mktemp)
- cat >$t <<EOF
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
+ # dont use buster because it causes dist-upgrade to think its downgrading
+ # packages while really just reinstalling the same version.
+ f=/etc/apt/apt.conf.d/01iank
+ rm -f $f
+# # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
+# s dd of=/etc/apt/apt.conf.d/01iank <<'EOF'
+# Acquire::AllowInsecureRepositories "true";
+# EOF
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-EOF
f=/etc/apt/sources.list.d/buster.list
- if ! diff -q $t $f; then
- s cp $t $f
- s chmod 644 $f
- p update
- fi
+ rm -f $f
+# t=$(mktemp)
+# cat >$t <<EOF
+# deb http://http.us.debian.org/debian buster main
+# deb-src http://http.us.debian.org/debian buster main
- # newer version needed for false positive in checkrestart
+# deb http://security.debian.org/ buster/updates main
+# deb-src http://security.debian.org/ buster/updates main
+
+# deb http://http.us.debian.org/debian buster-updates main
+# deb-src http://http.us.debian.org/debian buster-updates main
+# EOF
+# if ! diff -q $t $f; then
+# s cp $t $f
+# s chmod 644 $f
+# p update
+# fi
+
+ # newer version needed for false positive in checkrestart.
+ # I did buster at first, but other problem above with having
+ # buster repos. not sure if the false positive exists in etiona.
p install -y --allow-unauthenticated debian-goodies
s dd of=/etc/apt/preferences.d/shellcheck <<EOF
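Review bot: `p install -y --allow-unauthenticated debian-goodies` still disables signature verification although the reason for it is gone. The package is now pinned to `n=etiona`, and the buster sources and the `AllowInsecureRepositories` workaround are removed in this same hunk. I would change the line to `p install -y debian-goodies` so a failed or missing signature stops the install instead of being ignored. The commented-out copies of the old buster block (`# s dd of=/etc/apt/apt.conf.d/01iank ...`, `# t=$(mktemp)` onwards) could be dropped as well, since history keeps them and they make it harder to see that the insecure setting is no longer applied. The enclosing `case` arm begins outside this hunk.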
Pin-Priority: 1005
EOF
+ s dd of=/etc/apt/preferences.d/bash <<EOF
+Package: bash
+Pin: release a=etiona
+Pin-Priority: 1005
+
+Package: bash
+Pin: release a=etiona-updates
+Pin-Priority: 1005
+
+Package: bash
+Pin: release a=etiona-security
+Pin-Priority: 1005
+EOF
+
;;
*)
s dd of=/etc/apt/apt.conf.d/50unattended-upgrades <<EOF
# fyi: default file has comments about available options,
-# you may want to read that.
+# you may want to read that, do pkx unattended-upgrades
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Origins-Pattern {
- # default is just security updates.
- "origin=*";
+ # default is just security updates. this list found from reading
+ # match_whitelist_string() in `which unattended-upgrades`
+ "o=*,l=*,a=*,c=*,site=*,n=*";
};
EOF
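Review bot: The new comment line contains `` `which unattended-upgrades` `` inside a here-document whose delimiter is unquoted (`<<EOF`), so the shell runs that command substitution and writes its output into `50unattended-upgrades` instead of the literal text. It is harmless here, but it is unintended execution inside a root-written config. Quote the delimiter on the `s dd of=/etc/apt/apt.conf.d/50unattended-upgrades <<'EOF'` line, or drop the backticks from the comment. Separately, `"o=*,l=*,a=*,c=*,site=*,n=*"` matches every archive in the sources lists, so any third-party repository added later is upgraded unattended and only apt pinning limits it; a one-line comment stating that this is deliberate would help.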
######### begin stuff belonging at the end ##########
-
+echo 0 >~/.local/distro-end
if $pending_reboot; then
echo "$0: pending reboot and then finished. doing it now."
s reboot now