X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;ds=sidebyside;f=distro-end;h=91c7a832ebd0b5e5af1d9b2eae1bbe08d172b200;hb=7cc6197f74e97cb522894046718712cd03d3d385;hp=cd3de8162f962c058b7c3b5f7c06c4777df25251;hpb=d314b216046098f4b520cc14946c5d7c00f2089a;p=distro-setup
diff --git a/distro-end b/distro-end
index cd3de81..91c7a83 100755
--- a/distro-end
+++ b/distro-end
@@ -1,392 +1,1338 @@
#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling
-# This program is under GPL v. 3 or later, see
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
-set -x
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
-exec &> >(sudo tee -a /var/log/distro-end)
-echo "$0: $(date): starting now)"
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+### setup
+source /a/bin/errhandle/err
src="${BASH_SOURCE%/*}"
+source $src/pkgs
+set -x
+exec &> >(sudo tee -a /var/log/distro-end)
+echo "$0: $(date): starting now)"
+# see example of usage to understand.
end_msg() {
- = local y
- IFS= read -r -d '' y ||:
- end_msg_var+="$y"
+ local y
+ IFS= read -r -d '' y ||:
+ end_msg_var+="$y"
}
-
spa() { # simple package add
- simple_packages+=($@)
+ simple_packages+=($@)
}
-
distro=$(distro-name)
-
pending_reboot=false
-
+sed="sed --follow-symlinks"
# template
case $distro in
esac
+#### initial packages
pup
-
-simple_packages=(
- mailutils
- nmon
- ruby
- ruby-rest-client
- tree
- vim
-)
-
-if [[ $HOSTNAME != lj && $HOSTNAME != lk ]]; then
- # universal packages
- simple_packages+=(
- apache2
- bwm-ng
- chromium
- duplicity
- evince
- fdupes
- filelight
- gdb
- gnome-screenshot
- jq
- locate
- meld
- offlineimap
- p7zip
- paprefs
- pavucontrol
- pdfgrep
- pianobar
- pidgin
- rdiff-backup
- slock
- squashfs-tools
- tcpdump
- transmission-remote-gtk
- vlc
- )
+if isdeb; then
+ pi aptitude
fi
+########### begin section including li ################
+pi ${p3[@]} $($src/distro-pkgs)
-
-########### begin section including lj ################
-
+conflink
case $distro in
- fedora) spa unrar ;;
- *) spa unrar-free ;;
+ arch) sgo cronie ;;
esac
-
case $distro in
- arch)
- # ubuntu 14.04 uses b-cron,
- # but its not maintained in arch.
- # of the ones in the main repos, cronie is only one maintained.
- # fcron appears abandoned software.
- pi cronie
- sgo cronie
- ;;
- *) : ;; # other distros come with cron.
+ arch) sgo atd ;;
esac
case $distro in
- debian|ubuntu)
- pi debian-goodies
- ;;
+ arch) sgo ntpd ;;
esac
+# no equivalent in other distros:
case $distro in
- *) pi at ;;&
- arch) sgo atd ;;
+ debian|trisquel|ubuntu)
+ if ! dpkg -s apt-file &>/dev/null; then
+ # this condition is just a speed optimization
+ pi apt-file
+ s apt-file update
+ fi
+ ;;
esac
-
+# disable motd junk.
case $distro in
- debian) pi curl;;
- arch) : ;;
- # fedora: unknown
+ debian)
+ # allows me to pipe with ssh -t, and gets rid of spam
+ # http://forums.debian.net/viewtopic.php?f=5&t=85822
+ # i'd rather disable the service than comment the init file
+ # this says disabling the service, it will still get restarted
+ # but this script doesn't do anything on restart, so it should be fine
+ s dd of=/var/run/motd.dynamic if=/dev/null
+ # stretch doesn't have initscripts pkg installed by default
+ if [[ $(debian-codename) == jessie ]]; then
+ s update-rc.d motd disable
+ fi
+ ;;
+ trisquel|ubuntu)
+ # this isn't a complete solution. It still shows me when updates are available,
+ # but it's no big deal.
+ s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
+ ;;
esac
-case $distro in
- # tk for gitk
- arch) spa git tk ;;
- *) spa git ;;
-esac
+# automatic updates
+# reference:
+# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
+# /etc/cron.daily/apt calls unattended-upgrades
+# /usr/share/doc/unattended-upgrades# cat README.md
+# /etc/apt/apt.conf.d/50unattended-upgrades
+if isdebian; then
+ setup-debian-auto-update
+fi
-case $distro in
- arch) spa the_silver_searcher ;;
- debian|ubuntu) spa silversearcher-ag ;;
- # fedora unknown
-esac
-case $distro in
- debian|ubuntu) spa ntp;;
- arch)
- pi ntp
- sgo ntpd
- ;;
- # others unknown
-esac
+### begin docker install ####
+if isdeb; then
+ # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+ pi software-properties-common apt-transport-https
+ curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
+ url=https://download.docker.com/linux/$(distro-name-compat)
+ l="deb [arch=amd64] $url $(debian-codename-compat) stable"
+
+ if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
+ sudo add-apt-repository "$l"
+ p update
+ fi
+ # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless
+ # we really need it.
+ pi-nostart docker-ce
+ # and docker is even more crap, it ignores that it shouldnt start
+ ser stop docker
+ ser disable docker
+ case $HOSTNAME in
+ li|lj) sgo docker ;;
+ esac
+ # other distros unknown
+fi
+### end docker install ####
-# no equivalent in other distros:
-case $distro in
- debian|ubuntu)
- pi apt-file aptitude
- s apt-file update
- # for debconf-get-selections
- spa debconf-utils
- ;;
-esac
+### begin certbot install ###
case $distro in
- ubuntu|debian) spa ack-grep ;;
- arch|fedora) spa ack ;;
- # fedora unknown
+ debian)
+ # note, need python-certbot-nginx for nginx, but it depends on nginx,
+ # and I'm not installing nginx by default right now.
+ # note python-certbot-apache is in suggests, but so is a doc package that brought in xorg
+ if [[ $(debian-codename) == jessie ]]; then
+ pi -t jessie-backports certbot python-certbot-apache
+ else
+ pi certbot python-certbot-apache
+ fi
+ ;;
+ trisquel|ubuntu)
+ # not packaged in xenial or flidas
+ pi software-properties-common
+ l="deb http://ppa.launchpad.net/certbot/certbot/ubuntu xenial main"
+ if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
+ s add-apt-repository -y ppa:certbot/certbot ||:
+ p update
+ fi
+ pi python-certbot-apache
+ ;;
+ # todo: other distros unknown
esac
+# make a version of the certbot timer that emails me.
+x=/systemd/system/certbot
+$sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
+s,^Description.*,\0 mail version,
+EOF
+$sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
+s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
+EOF
+ser daemon-reload
+sgo certbotmail.timer
+### end certbot install ###
+
+
+# dogcam setup. not using atm
+# case $HOSTNAME in
+# lj|li)
+# /a/bin/webcam/install-server
+# ;;
+# kw)
+# /a/bin/webcam/install-client
+# ;;
+# esac
-case $distro in
- arch|debian|ubuntu)
- spa bash-completion
- ;;
- # others unknown
-esac
+pi ${p1[@]}
+##### begin automatic upgrades ####
+# this makes it so we upgrade everything
+debconf-set-selections <<'EOF'
+unattended-upgrades unattended-upgrades/origins_pattern string "codename=${distro_codename}";
+EOF
+dpkg-reconfigure -u -fnoninteractive unattended-upgrades
+
+# Setup daily reboots, so all unattended upgrades go into affect
+# unattended upgrades happen at 6 am + rand(60 min).
+echo '20 7 * * * root /usr/local/bin/zelous-unattended-reboot' >/etc/cron.d/unattended-upgrade-reboot
+##### end automatic upgrades ####
+
+
+## prometheus node exporter setup
+web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
+#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
+# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
+
+ AllowOverride None
+ AuthType basic
+ AuthName "Authentication Required"
+ # setup one time, with root:www-data, 640
+ AuthUserFile "/etc/prometheus-htpasswd"
+ Require valid-user
+
+EOF
+# website setup
+case $HOSTNAME in
+ lj|li)
+ case $HOSTNAME in
+ lj) domain=iank.bid; exit 0 ;;
+ li) domain=iankelling.org ;;
+ esac
+ /a/h/setup.sh $domain
+ /a/h/build.rb
+
+ sudo -E /a/bin/mediawiki-setup/mw-setup-script
+
+ pi-nostart mumble-server
+ s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
+
+ # do certificate to avoid warning about unsigned cert,
+ # which is overkill for my use, but hey, I'm cool, I know
+ # how to do this.
+ web-conf apache2 mumble.iankelling.org
+ s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
+ sgo mumble-server
-# disable motd junk.
-case $(distro-name) in
- debian)
- # allows me to pipe with ssh -t, and gets rid of spam
- # http://forums.debian.net/viewtopic.php?f=5&t=85822
- # i'd rather disable the service than comment the init file
- # this says disabling the service, it will still get restarted
- # but this script doesn't do anything on restart, so it should be fine
- s dd of=/var/run/motd.dynamic if=/dev/null
- s update-rc.d motd disable
- ;;
- ubuntu)
- # this isn't a complete solution. It still shows me when updates are available,
- # but it's no big deal.
- s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
- ;;
-esac
+ vpn-server-setup -rd
+ s tee /etc/openvpn/client-config/mail <<'EOF'
+ifconfig-push 10.8.0.4 255.255.255.0
+EOF
-# automatic updates
-# reference:
-# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
-# /etc/cron.daily/apt calls unattended-upgrades
-# /usr/share/doc/unattended-upgrades# cat README.md
-# /etc/apt/apt.conf.d/50unattended-upgrades
-if isdebian; then
- pi unattended-upgrades
- s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
-# this file was mostly just comments.
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
+ # it\'s strange. docker seems to make the default for forward
+ # be drop, but then I set it to accept and it\'s stuck that way,
+ # I dun know why. But, let\'s make sure we can forward anyways.
+ s DEBIAN_FRONTEND=noninteractive pi iptables-persistent
+ rm /etc/iptables/rules.v6
+ s tee /etc/iptables/rules.v4 <<'EOF'
+*filter
+-A FORWARD -i tun+ -o eth0 -j ACCEPT
+-A FORWARD -i eth0 -o tun+ -j ACCEPT
+COMMIT
+EOF
+
+
+ sudo dd of=/etc/systemd/system/vpnmail.service <
+ Options +FollowSymLinks +Multiviews +Indexes
+ AllowOverride None
+ AuthType basic
+ AuthName "Authentication Required"
+ # setup one time, with root:www-data, 640
+ AuthUserFile "/etc/caldav-htpasswd"
+ Require valid-user
+
EOF
+ # nginx version of above would be:
+ # auth_basic "Not currently available";
+ # auth_basic_user_file /etc/nginx/caldav/htpasswd;
- { cat <<'EOF'
-Unattended-Upgrade::Mail "root";
-Unattended-Upgrade::MailOnlyOnError "true";
-Unattended-Upgrade::Remove-Unused-Dependencies "true";
-Unattended-Upgrade::Origins-Pattern {
-# default is just upgrade main and security, not updates.
+ ########## begin pump.io setup ##########
+
+ # once pump adds a logrotation script, turn off nologger,
+ # and add
+ # "logfile": "/var/log/pumpio/pumpio.log",
+ #
+ s dd of=/etc/pump.io.json <<'EOF'
+{
+ "secret": "SECRET_REPLACE_ME",
+ "driver": "mongodb",
+ "params": { "dbname": "pumpio" },
+ "noweb": false,
+ "site": "pump.iankelling.org",
+ "owner": "Ian Kelling",
+ "ownerURL": "https://iankelling.org/",
+ "port": 8001,
+ "urlPort": 443,
+ "hostname": "pump.iankelling.org",
+ "nologger": true,
+ "datadir": "/home/pumpio/pumpdata",
+ "enableUploads": true,
+ "debugClient": false,
+ "disableRegistration": true,
+ "noCDN": true,
+ "key": "/home/pumpio/privkey.pem",
+ "cert": "/home/pumpio/fullchain.pem",
+ "address": "localhost",
+ "sockjs": false
+}
+EOF
+ s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
+
+ # stretch node is too old
+ # https://nodejs.org/en/download/package-manager/
+ curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
+ pi nodejs graphicsmagick mongodb
+ cd /home/iank
+ if [[ -e pump.io ]]; then
+ cd pump.io
+ git pull
+ else
+ git clone https://github.com/pump-io/pump.io.git
+ cd pump.io
+ fi
+ # note: these 2 commands seem
+ # note: doing this or the npm install pump.io as root had problems.
+ npm install
+ npm run build
+ # normally, next command would be
+ # s npm install -g odb
+ # but it\'s this until a bug in pump gets fixed
+ # https://github.com/pump-io/pump.io/issues/1287
+ s npm install -g databank-mongodb@0.19.2
+ if ! getent passwd pumpio &>/dev/null; then
+ s useradd -Um -s /bin/false pumpio
+ fi
+ sudo -u pumpio mkdir -p /home/pumpio/pumpdata
+ # for testing browser when only listening to localhost,
+ # in the pump.io.json, set hostname localhost, urlPort 5233
+ #ssh -L 5233:localhost:5233 li
+
+ s mkdir -p /var/log/pumpio/
+ s chown pumpio:pumpio /var/log/pumpio/
+
+ web-conf - apache2 pump.iankelling.org <<'EOF'
+# currently a bug in pump that we cant terminate ssl
+ SSLProxyEngine On
+ ProxyPreserveHost On
+ ProxyPass / https://127.0.0.1:8001/
+ ProxyPassReverse / https://127.0.0.1:8001/
+ # i have sockjs disabled per people suggesting that
+ # it won\'t work with apache right now.
+ # not sure if it would work with this,
+ # but afaik, this is pointless atm.
+
+ ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
+ ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
+
+EOF
+
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
EOF
- if isdebian-testing; then
- cat <<'EOF'
-# for testing, only do security updates.
- "origin=Debian,codename=${distro_codename},label=Debian-Security";
+
+ s dd of=/etc/systemd/system/pump.service <<'EOF'
+[Unit]
+Description=pump.io
+After=syslog.target network.target mongodb.service
+Requires=mongodb.service
+
+[Service]
+Type=simple
+User=pumpio
+Group=pumpio
+ExecStart=/home/iank/pump.io/bin/pump
+Environment=NODE_ENV=production
+# failed to find databank-mongodb without this.
+# I just looked at my environment variables took a guess.
+Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
+
+[Install]
+WantedBy=multi-user.target
EOF
- else
- cat <<'EOF'
-# These are stable packages only getting bugfixes anyways.
- "origin=*";
+ ser daemon-reload
+ sgo pump
+ ########## end pump.io setup ############
+
+
+ ############# begin setup mastodon ##############
+
+ # main doc is Docker-Guide.md in docs repo
+
+ # I'd like to try gnu social just cuz of gnu, but it's not being
+ # well maintained, for example, simple pull requests
+ # languishing:
+ # https://git.gnu.io/gnu/gnu-social/merge_requests/143
+ # and I submitted my own bugs, basic docs are broken
+ # https://git.gnu.io/gnu/gnu-social/issues/269
+
+ # note, docker required, but we installed it earlier
+
+ # i subscrubed to https://github.com/docker/compose/releases.atom
+ # to see release notes.
+ # i had some problems upgrading. blew things away with
+ # docker-compose down
+ # docker rmi $(docker images -q)
+ # s reboot now
+ # when running docker-compose run, kernel stack traces are printed to the journal.
+ # things seem to succeed, google says nothing, so ignoring them.
+ curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
+ s chmod +x /usr/local/bin/docker-compose
+
+
+ cd ~
+ s rm -rf mastodon
+ i clone https://github.com/tootsuite/mastodon
+ cd mastodon
+ # subbed to atom feed to deal with updates
+ git checkout $(git tag | grep -v rc | tail -n1)
+
+ # per instructions, uncomment redis/postgres persistence in docker-compose.yml
+ sed -i 's/^#//' docker-compose.yml
+
+ cat >.env.production <<'EOF'
+REDIS_HOST=redis
+REDIS_PORT=6379
+DB_HOST=db
+DB_USER=postgres
+DB_NAME=postgres
+DB_PASS=
+DB_PORT=5432
+
+LOCAL_DOMAIN=mast.iankelling.org
+LOCAL_HTTPS=true
+
+SINGLE_USER_MODE=true
+
+SMTP_SERVER=mail.iankelling.org
+SMTP_PORT=25
+SMTP_LOGIN=li
+SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
+SMTP_DOMAIN=mast.iankelling.org
+SMTP_DELIVERY_METHOD=smtp
EOF
+
+ for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
+ # 1 minute 7 seconds to run this docker command
+ # to generate a secret, and it has ^M chars at the end. wtf. really dumb
+ printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production
+ done
+ found=false
+ while read -r domain port pass; do
+ if [[ $domain == mail.iankelling.org ]]; then
+ found=true
+ # remove the username part
+ pass="${pass#*:}"
+ printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production
+ break
fi
- cat <<'EOF'
-};
+ done < <(s cat /etc/mailpass)
+ if ! $found; then
+ echo "$0: error, failed to find mailpass domain for mastadon"
+ exit 1
+ fi
+
+ # docker compose makes an interface named like br-8f3e208558f2. we need mail to
+ # get routed to us.
+ if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then
+ s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25
+ fi
+
+ docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production
+ logq docker-compose run --rm web rake db:migrate
+ docker-compose run --rm web rails assets:precompile
+
+ # avatar failed to upload, did
+ # docker logs mastodon_web_1
+ # google lead me to this
+ s chown -R 991:991 public/system
+
+ # docker daemon takes care of starting on boot.
+ docker-compose up -d
+
+ s a2enmod proxy_wstunnel headers
+ web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto "https"
+ ProxyPass /500.html !
+ ProxyPass /oops.png !
+ ProxyPass /api/v1/streaming/ ws://localhost:4000/
+ ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
+ ErrorDocument 500 /500.html
+ ErrorDocument 501 /500.html
+ ErrorDocument 502 /500.html
+ ErrorDocument 503 /500.html
+ ErrorDocument 504 /500.html
EOF
- } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades
- echo $- > /tmp/x
+ ############### !!!!!!!!!!!!!!!!!
+ ############### manual steps:
+
+ # only following a few people atm, so not bothering to figure out backups
+ # when mastodon has not documented it at all.
+ #
+ # fsf@status.fsf.org
+ # cwebber@toot.cat
+ # dbd@status.fsf.org
+ # johns@status.fsf.org
+
+ # sign in page is at https://mast.iankelling.org/auth/sign_in
+ # register as iank, then
+ # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
+ # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
+
+ ############# end setup mastodon ##############
+
+ # we use nsupdate to update the ip of home
+ pi bind9
+
+ pi znc
+ # znc config generated by doing
+ # znc --makeconf
+ # selected port is also used in erc config
+ # comma separated channel list worked.
+ # while figuring things out, running znc -D for debug in foreground.
+ # to exit and save config:
+ # /msg *status shutdown
+ # configed auth on freenode by following
+ # https://wiki.znc.in/Sasl:
+ # /msg *sasl RequireAuth yes
+ # /msg *sasl Mechanism PLAIN
+ # /msg *sasl Set ident_name password
+ # created the system service after, and had to do
+ # mv /home/iank/.znc/* /var/lib/znc
+ # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
+ # and made a copy of the config files into /p/c
+ # /msg *status LoadMod --type=global log -sanitize
+ # to get into the web interface,
+ # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
+ # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
+ # https://iankelling.org:12533/
+ # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
+ # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
+ # /msg *status LoadMod --type=network perform
+ # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
+ # /msg *perform add JOIN #fsf-office
+ #
+ # i set Buffer = 500
+ # also ran /znc LoadMod clearbufferonmsg
+ # it would be nice if erc supported erc query buffers by doing
+ # /msg *status clearbuffer /dev/null <<'EOF'
+[Unit]
+Description=ZNC, an advanced IRC bouncer
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
+User=znc
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ ser daemon-reload
+ sgo znc
+
+ echo "$0: $(date): ending now)"
+ exit 0
+ ;;
+esac
+
+########### end section including li/lj ###############
+
+# depends gcc is a way to install suggests. this is apparently the only
+# way to install suggests even if the main package is already
+# installed. reinstall doesn't work, uninstalling can cause removing
+# dependent packages.
+pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $(apt-cache depends gcc|grep -i suggests:| awk '{print $2}')
+
+if ! type pip; then
+ x=$(mktemp)
+ wget -O$x https://bootstrap.pypa.io/get-pip.py
+ python3 $x --user
fi
-# cron
-/a/bin/crons/all
+sgo fsf-vpn-dns-cleanup
-case $HOSTNAME in
- lj|lk)
-
- pi "${simple_packages[@]}"
- $src/homepage-setup
- $src/
-
-# start=' *