X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-begin;h=a7622848af7171f3437c9f02dcba2c3eb2ef2f1a;hb=c2bf18a9e27233fc9b57450455969fc9e53508b8;hp=d870fe6af293a4a5929b31f1cf7d85d87325d3c5;hpb=e688da727d2f4620e52a26e77f190c65d6627e7e;p=distro-setup
diff --git a/distro-begin b/distro-begin
index d870fe6..a762284 100755
--- a/distro-begin
+++ b/distro-begin
@@ -1,36 +1,46 @@ #!/bin/bash -l # Copyright (C) 2016 Ian Kelling -# This program is under GPL v. 3 or later, see +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. -# todo. dunno why, but original bootstrap of timezone is not sticking. -# fixed manually with: -# s dpkg-reconfigure tzdata -# for bootstrapping a new machine -# to make ssh run better, first run this: -sudo bash -c 'source /a/c/repos/bash/.bashrc && source /a/bin/ssh-emacs-setup' +# for bootstrapping a new machine +# in case we need it, +# to make ssh interactive shell run better, we run this first. +sudo bash -c 'source /a/c/repos/bash/.bashrc && source /a/exe/ssh-emacs-setup' -# see t.org for OS installer notes -# usage: $0 [OPTIONS] HOSTNAME +# usage: $0 [-r] HOSTNAME # tips: # run any sudo command first so your pass is cached # set the scrollback to unlimited in case something goes wrong if [[ $EUID == 0 ]]; then - echo "error: do not run as root" - exit + if getent passwd ian; then + echo "$0: error: running as root. unprivileged user exists. use it." + exit 1 + else + echo "$0: warning: running as root. I will setup users then exit" + fi fi -interactive=true # set this to true if running by hand in emacs +interactive=true # set this to false to force set -x [[ $- == *i* ]] || interactive=false - - if ! $interactive; then set -x set -e -o pipefail 
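Review bot: The first real command, `sudo bash -c 'source /a/c/repos/bash/.bashrc && source /a/exe/ssh-emacs-setup'`, has root source two files from `/a`; if that tree is writable by the unprivileged user, as the `chown -R ian:ian /a` removed elsewhere in this diff suggests it was, anyone who can edit those files gets root on the next bootstrap run, so either add a comment stating that `/a` is treated as root-trusted or check ownership (`[[ $(stat -c %U /a/exe/ssh-emacs-setup) == root ]]`) before sourcing. That line also runs before `set -e` is enabled, so its failure is silently ignored; append `|| exit 1` if the rest of the script depends on it. In the new root-branch guard, `getent passwd ian` prints the full passwd entry to stdout; `if getent passwd ian >/dev/null; then` keeps the output clean without changing the test.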
@@ -42,28 +52,28 @@ exec &> >(sudo tee -a /var/log/distro-begin) echo "$0: $(date): starting now)" # headless=false # unused atm -recompile=true +recompile=false # for copying to a new data fs bootstrapfs=false # old flag, needs new look before using. while [[ $1 == -* ]]; do case $1 in - # avoid some of the longer compilation steps, - # when we need to rerun because we had an error - -n) recompile=false; shift ;; + -r) recompile=true; shift ;; esac done if [[ $1 ]]; then - host=$1 -else - host=$HOSTNAME + export HOSTNAME=$1 fi -for f in iank-dev htpc treetowl x2 frodo tp; do - eval "$f() { [[ $host == $f ]]; }" +for f in iank-dev htpc treetowl x2 frodo tp li lj demohost; do + eval "$f() { [[ $HOSTNAME == $f ]]; }" done -has_p() { iank-dev || x2 || frodo; } -encrypted() { has_p || tp; } +has_p() { treetowl || x2 || frodo || tp || demohost; } +has_x() { ! linode; } +linode() { lj || li; } +has_btrfs() { ! linode; } +home_network() { ! linode; } +encrypted() { has_p; } shopt -s extglob export GLOBIGNORE=*/.:*/.. @@ -72,6 +82,10 @@ umask 0002 ####### end command line parsing +PATH="/a/exe:$PATH" +sed="sed --follow-symlinks" + +##### begin setup encryption scripts ###### if encrypted; then # I tried making a service which was dependent on reboot.target, # but it happened too late in the shutdown process. @@ -82,15 +96,16 @@ Description=Turn on automatic decryption of drives on boot # generally, I don't think targets order shutdown like they do startup. # So, I did systemd-analyze plot > something.svg, and picked a reliably started # service that happens late in the game. -After=postfix.service +After=ntp.service DefaultDependencies=no +# not sure if needed, makes sure we shut down before reboot.target Conflicts=reboot.target [Service] Type=oneshot RemainAfterExit=yes ExecStart=/bin/true -ExecStop=/a/bin/keyscript-on +ExecStop=/a/exe/keyscript-on [Install] WantedBy=keyscriptoff.service 
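Review bot: `ExecStop=/a/exe/keyscript-on` in the keyscripton unit runs as root at every shutdown from the same `/a` tree the rest of this script treats as the unprivileged user's, so whoever can write `/a/exe/keyscript-on` gets non-interactive root; if that is the intended trust model, say so in a comment next to the unit, otherwise copy the two keyscript helpers to a root-owned location such as `/usr/local/sbin` and point `ExecStart`/`ExecStop` there. The ordering change to `After=ntp.service` under `DefaultDependencies=no` is only as good as ntp being installed and enabled on every host that passes `encrypted`: systemd silently ignores `After=` on a unit that does not exist, so on such a host the stop (and therefore the re-enabling of automatic decryption) may run earlier than the comment above it assumes; a comment listing which hosts this ordering was verified on would make the assumption visible. The heredoc holding this unit closes outside the hunk.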
@@ -106,7 +121,7 @@ Description=Turn off automatic decryption of drives on boot [Service] Type=oneshot -ExecStart=/a/bin/keyscript-off +ExecStart=/a/exe/keyscript-off [Install] WantedBy=multi-user.target 
@@ -115,79 +130,80 @@ EOF sudo systemctl enable keyscriptoff.service sudo systemctl start keyscriptoff.service fi +##### end setup encryption scripts ###### -if iank-dev; then - desktop=$(ssh root@iankelling.org grep desktop /etc/hosts | grep -o "^.* ") - if $bootstrapfs; then - # for bootstrapping at a new job: - cp="scp $desktop:" - # for moving to a new hd, change $cp to move between filesystems - mkdir -p /a/bin - chown -R ian:ian /a - $cp/a/c /a - $cp/a/c/bin/{bash-programs-by-ian,distro-begin,distro-functions,input-setup.sh} /a/bin - echo -e \\n\\n\\n | ssh-keygen -t rsa - fi -fi + +install-myqueue # this script has been designed to be idempotent # todo, it would be nice to cut down on some of the output -# output is below so shellcheck can verify sources -for x in /a/bin/bash-programs-by-ian/repos/{errhandle,tee-unique,lnf}/*-function; do - echo "# shellcheck source=$x"; - # shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/bash-trace-function - # shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/errallow-function - # shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/errcatch-function - # shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/errexit-function - # shellcheck source=/a/bin/bash-programs-by-ian/repos/tee-unique/teeu-function - # shellcheck source=/a/bin/bash-programs-by-ian/repos/lnf/lnf-function +for x in /a/bin/errhandle/*-function; do source $x done set +e $interactive || errcatch +set +x source /a/bin/distro-functions/src/identify-distros -echo path:$PATH - - +$interactive || set -x if isfedora; then # comment out line disallowing calling sudo in scripts - sudo sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers + sudo $sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers # turn on magic sysrq commands for this boot cycle echo 1 > sudo dd of=/proc/sys/kernel/sysrq # selinux is not user friendly. 
Like, you enable samba, but you haven't run the magic selinux commands so it doesn't work # and you have no idea why. - sudo sed -i 's/^\(SELINUX=\).*/\1disabled/' /etc/selinux/config + sudo $sed -i 's/^\(SELINUX=\).*/\1disabled/' /etc/selinux/config selinuxenabled && sudo setenforce 0 fi +# already ran for pxe installs, but used for vps & updates +distro=$(distro-name) +case $distro in + ubuntu|debian) + sudo bash -c ". /a/bin/fai/fai-wrapper && /a/bin/fai/fai/config/scripts/GRUB_PC/11-ian" + ;; + *) + sudo bash -c ". /a/bin/fai/fai-wrapper && +/a/bin/fai/fai/config/distro-install-common/end" + ;; +esac +if linode; then + sudo $sed -i '/^127\.0\.1\.1/d' /etc/hosts + echo "127.0.1.1 $HOSTNAME.lan $HOSTNAME" | sudo tee -a /etc/hosts +fi -# link files +if [[ $EUID == 0 ]]; then + echo "$0: running as root. exiting now that users are setup" + exit 0 +fi -for x in /a/c/repos/bash/!(.git); do - for homedir in /home/*; do - sudo chown -R ian:ian $homedir - lnf "$x" $homedir - done + +#### begin link bashrc repo for all users ###### +for x in /a/c/repos/bash/!(.git|..|.); do + lnf "$x" /home/ian + sudo -u traci -i <$x + + x=$(mktemp); /usr/bin/pacman.conf-insert_pacserve >$x sudo dd of=/etc/pacman.conf if=$x; rm $x sudo systemctl enable pacserve.service sudo systemctl start pacserve.service 
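Review bot: The sudoers edit `sudo $sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers` is never validated, and a malformed result disables sudo for the rest of this run and for every later login; follow it with `sudo visudo -c -q || exit 1`, or better, drop the override into `/etc/sudoers.d/` instead of editing the main file with `sed --follow-symlinks -i`. The neighbouring context line `echo 1 > sudo dd of=/proc/sys/kernel/sysrq`, as rendered here, redirects echo's output into a file named `sudo` in the working directory and never touches `/proc`; if that `>` is really in the source and not a rendering artefact it should be `echo 1 | sudo dd of=/proc/sys/kernel/sysrq`. The new `distro=$(distro-name)` case runs the FAI scripts as root via `sudo bash -c ". /a/bin/fai/fai-wrapper && ..."`, so the same user-writable-path concern raised on the earlier `sudo bash -c` applies here. The bashrc-linking loop near the end of this hunk appears truncated at `sudo -u traci -i <$x` in this rendering and cannot be reviewed from here.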
@@ -284,28 +281,24 @@ pi trash-cli ###### link files ########### # convenient to just do all file linking in one place -s lnf /a/sdx{,d} / - # if it wasn't set already, we could set hostname here #echo treetowl | s dd of=/etc/hostname #s hostname -F /etc/hostname #HOSTNAME=$(hostname) -######################################### -# NOTE: only /a needs to be mounted for creating links! -########################################### -# todo: reconcile ~/.ssh/config work/home -s lnf -T /q/p /p +s lnf -T /a/bin /b + if has_p; then lnf -T /p/offlineimap ~/Maildir lnf -T /p/News ~/News # don't use /* because I don't want to require it to be mounted - s lnf /q/root/.editor-backups /q/root/.undo-tree-history \ - /a/opt /a/c/.emacs.d ~/.unison /root fi -/a/bin/rootsshsync +s lnf /q/root/.editor-backups /q/root/.undo-tree-history \ + /a/opt /a/c/.emacs.d $HOME/mw_vars /k/backup /root + +rootsshsync s lnf /a/c/.inputrc /a/c/.vim /a/c/.vimrc /a/c/.gvimrc /root 
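Review bot: The `s lnf /q/root/.editor-backups /q/root/.undo-tree-history ... $HOME/mw_vars /k/backup /root` line was moved out of the `has_p` guard and now runs on every host, including the linode ones where this script does not set up `/q` or `/k` (a later hunk marks `/k` as `noauto`); if `lnf` creates the link regardless of whether the target exists, root ends up with dangling links under `/root`, and if those targets are later created by the unprivileged user, root's editor backups and undo history (which can presumably contain copies of whatever root edited) land in user-controlled space. Either keep the line under `has_p`, or guard each target with `[[ -e $t ]]` before linking and add a comment stating that `/q/root` must remain root-owned. `rootsshsync` is now found via `$PATH` rather than by absolute path, which relies on the `PATH="/a/exe:$PATH"` prepend from an earlier hunk; a short comment at the call site would save the next reader the search.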
@@ -323,47 +316,73 @@ fi # basic needed packages case $(distro-name) in debian) - pi firefox$( isdebian-stable && e /$code-backports ) + if has_x; then + if isdebian-stable; then + pi firefox/$codename-backports + else + # for a while, firefox/unstable did not have + # dependencies satisfied by testing packages, and i hit + # a conflict, it wanted a newer libfontconfig1, but + # emacs build-deps wanted an older one. In this case, + # I switch to using firefox-esr. note: They seem + # to release a new esr version every 9 months or so. + pi firefox/unstable + fi + fi # for hosts which require nonfree drivers - case $HOSTNAME in - tp|x2) : ;; - *) pi linux-image-amd64 firmware-linux-nonfree \ - firmware-linux-free linux-headers-amd64 - ;; - esac + # i previously had extra packages listed here linux-image-amd64 + # firmware-linux-free linux-headers-amd64, but I + # don\'t see any reason why. seems to work in testing without. + # remove this note if it continues to work. + p=firmware-linux-nonfree + if apt-cache show $p &>/dev/null; then + pi $p + fi ;;& ubuntu|debian) - pi xmacro gtk-redshift xinput + if has_x; then + if isdebian-stable; then + pi xmacro + else + pi xmacro/unstable # has no unstable deps + fi + pi gtk-redshift xinput + fi ;;& fedora) p -y groupinstall development-tools c-development books admin-tools - pi redshift-gtk - # debian has this package patched to work, upstream is dead - # tried using alien, pi alien, alien -r *.deb, rpm -Uhv *.rpm, got this error, so fuck it - # file /usr/bin from install of xmacro-0.3pre_20000911-7.x86_64 conflicts with file from package filesystem-3.2-19.fc20.x86_64 - # http://packages.debian.org/source/sid/xmacro - pi patch libXtst-devel wget man-pages # what is the ubuntu equivalent to man-pages? 
- cd $(mktemp -d) - wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911.orig.tar.gz - wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911-6.diff.gz - ex *.gz - patch -p0 < xmacro_0.3pre-20000911-6.diff - cd xmacro-0.3pre-20000911.orig - make - sleep 1 # not sure why the following command couldn\'t find, so trying this - # no make install target - s cp -f xmacroplay xmacrorec xmacrorec2 /usr/local/bin + pi wget man-pages + if has_x; then + pi redshift-gtk + # debian has this package patched to work, upstream is dead + # tried using alien, pi alien, alien -r *.deb, rpm -Uhv *.rpm, got this error, so fuck it + # file /usr/bin from install of xmacro-0.3pre_20000911-7.x86_64 conflicts with file from package filesystem-3.2-19.fc20.x86_64 + # http://packages.debian.org/source/sid/xmacro + pi patch libXtst-devel + cd $(mktemp -d) + wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911.orig.tar.gz + wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911-6.diff.gz + ex *.gz + patch -p0 < xmacro_0.3pre-20000911-6.diff + cd xmacro-0.3pre-20000911.orig + make + sleep 1 # not sure why the following command couldn\'t find, so trying this + # no make install target + s cp -f xmacroplay xmacrorec xmacrorec2 /usr/local/bin + fi ;;& arch) - # libxtst is missing dep https://aur.archlinux.org/packages/xmacro/#news - pi xorg-server redshift xorg-xinput pkgfile libxtst xmacro # like apt-cache + pi pkgfile s pkgfile --update - - # background: - # https://aur.archlinux.org/packages/xkbset/#comment-545419 - cert=$(mktemp) - cat >$cert <<'EOF' + if has_x; then + # libxtst is missing dep https://aur.archlinux.org/packages/xmacro/#news + pi xorg-server redshift xorg-xinput libxtst xmacro + + # background: + # https://aur.archlinux.org/packages/xkbset/#comment-545419 + cert=$(mktemp) + cat >$cert <<'EOF' -----BEGIN CERTIFICATE----- 
MIIJADCCB+igAwIBAgIRAIVAhZ0TMbQ5jTm0koI8X6YwDQYJKoZIhvcNAQELBQAw djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix @@ -484,21 +503,33 @@ L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG jjxDah2nGN59PRbxYvnKkKj9 -----END CERTIFICATE----- EOF - cat /etc/ssl/certs/ca-certificates.crt >> $cert - CURL_CA_BUNDLE=$cert pi xkbset + cat /etc/ssl/certs/ca-certificates.crt >> $cert + CURL_CA_BUNDLE=$cert pi xkbset + fi ;;& ubuntu|debian|fedora) - pi xkbset + if has_x; then + if isdebian-stable; then + pi xkbset + else + # xkbset was in testing for quite a while, dunno + # why it\'s not anymore. Sometime I should check and + # see if it\'s back in testing, but the unstable package + # doesn\'t upgrade anything form testing, and it\'s tiny + # so I\'m not bothering to automate it. + pi xkbset/unstable + fi + fi ;;& esac - -pi xbindkeys cryptsetup - -pi lvm2 +if has_x; then + pi xbindkeys +fi +pi cryptsetup lvm2 # enables trim for volume delete, other rare commands. -sudo sed -ri 's/( *issue_discards\b).*/\1 = 1/' /etc/lvm/lvm.conf +sudo $sed -ri 's/( *issue_discards\b).*/\1 = 1/' /etc/lvm/lvm.conf if encrypted; then if isdeb; then 
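Review bot: The Fedora branch fetches the xmacro tarball and Debian patch over plain `http://ftp.de.debian.org/...`, builds them, and installs the binaries into `/usr/local/bin` with `s cp -f`, with no checksum or signature check on what was downloaded, so a network-position attacker or a compromised mirror gets arbitrary code into a root-executed path. Switch the two URLs to `https://` and pin the files: record their `sha256sum` in the script and run `sha256sum -c` before `ex *.gz` and `patch`. These lines are pre-existing but are re-indented as new lines under `if has_x` in this hunk, so this is the natural moment to add the check; the `cert=$(mktemp)` block at the end of the hunk continues into the next one.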
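Review bot: The temporary CA bundle built from the embedded certificate plus `/etc/ssl/certs/ca-certificates.crt` is never removed after `CURL_CA_BUNDLE=$cert pi xkbset`; add `rm -f "$cert"` after the install (or `trap 'rm -f "$cert"' EXIT` right after the `mktemp`). The embedded certificate itself is a hard-coded trust anchor with an expiry the script cannot see and whose only justification is an AUR comment link, so a comment recording its subject and notAfter date (from `openssl x509 -noout -subject -enddate -in "$cert"`) would let the next reader tell whether it is still needed or has silently become dead weight. The unconditional `issue_discards = 1` edit to `/etc/lvm/lvm.conf` also applies to `encrypted` hosts, where LVM discards on a LUKS-backed PV reveal free-space layout through the encryption layer (and only reach the disk if the mapping allows discards); that is a defensible trade-off but deserves a one-line comment next to the `sed`. The `if encrypted; then` / `if isdeb; then` at the end open blocks that close outside this hunk.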
@@ -512,42 +543,107 @@ dirs=(/mnt/{1,2,3,4,5,6,7,8,9}) s mkdir -p "${dirs[@]}" s chown ian:ian "${dirs[@]}" -if [[ $HOSTNAME == treetowl ]]; then - tu /etc/fstab <<'EOF' -UUID=3f7b31cd-f299-40b4-a86b-7604282e2715 /i btrfs noatime 0 2 -EOF -else - tu /etc/fstab <<'EOF' -/q/i /i none bind 0 0 -EOF -fi tu /etc/fstab <<'EOF' -/i/w /w none bind 0 0 -/i/k /k none bind 0 0 +/i/w /w none bind,noauto 0 0 +/i/k /k none bind,noauto 0 0 EOF -if ! mountpoint /kfrodo; then - s mkdir -p /kfrodo - s chown ian:traci /kfrodo + +if ! mountpoint /kr; then + s mkdir -p /kr + s chown ian:traci /kr fi -if [[ $HOSTNAME == frodo ]]; then - tu /etc/fstab <<'EOF' -/k /kfrodo none bind 0 0 + +if home_network; then + if [[ $HOSTNAME == treetowl ]]; then + tu /etc/fstab <<'EOF' +/k /kr none bind,noauto 0 0 EOF -else - tu /etc/fstab <<'EOF' -frodo:/k /kfrodo nfs defaults 0 0 + else + tu /etc/fstab <<'EOF' +treetowl:/k /kr nfs noauto 0 0 EOF + fi fi +s mkdir -p /q /i/{w,k} for dir in /{i,w,k}; do - if mountpoint $dir; then continue; fi + if mountpoint $dir; then continue; fi # already mounted s mkdir -p $dir s chown ian:ian $dir - s mount $dir done +# not needed for all hosts, but rather just keep it uniform +s mkdir -p /mnt/iroot + +# debian auto mounting of multi-disk encrypted btrfs is busted. It is +# in jessie, and in stretch as of 11/26/2016 I have 4 disks in cryptab, +# based on 3 of those, it creates .device units for /dev/mapper/dev... +# then waits endlessly for them on bootup, after the /dev/mapper disks +# have already been created and exist. todo: create a simple repro +# for this in a vm and report it upstream. +if has_btrfs || home_network; then + pi nfs-common + s dd of=/root/imount <<'EOF' +#!/bin/bash +[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@" +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR +for dir in /i /mnt/iroot /k /kr /w; do + if ! 
mountpoint $dir &>/dev/null && \ + awk '{print $2}' /etc/fstab | grep -xF $dir &>/dev/null; then + if awk '{print $3}' /etc/fstab | grep -xF nfs &>/dev/null; then + mount $dir || echo "warning: failed to mount nfs on $dir" + else + mount $dir + fi + fi +done +EOF + s chmod +x /root/imount + + s dd of=/etc/systemd/system/imount.service <<'EOF' +[Unit] +Description=Mount /i and related mountpoints + +[Service] +Type=oneshot +ExecStart=/root/imount + +[Install] +# note /kr needs networking, this target is the simplest way to +# time it when the network should be up, but not do something +# dumb like delay startup until the network is up. It happens +# at some time after network.target +WantedBy=multi-user.target +EOF + sudo systemctl daemon-reload # needed if the file was already there + sudo systemctl enable imount.service + sudo systemctl start imount.service +fi + +dir=/nocow +if has_btrfs; then + if ! mountpoint $dir; then + subvol=/mnt/root/nocow + if [[ ! -e $subvol ]]; then + s btrfs subvolume create $subvol + s chown root:1000 $subvol + s chattr +C $subvol + fi + + first_root_crypt=$(awk '$2 == "/" {print $1}' /etc/mtab) + tu /etc/fstab <