X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=1b25a55eced2a26e3dd6e5a74903af810ca14adf;hb=c831645901a69a13197d07de05b5ec2720af91cf;hp=00827b638485bc4986817920e371e1aee378856a;hpb=b857462732e15f455e41f26e3048a390d7b399c0;p=distro-setup

diff --git a/distro-end b/distro-end
index 00827b6..1b25a55 100755
--- a/distro-end
+++ b/distro-end
@@ -14,7 +14,7 @@
 # limitations under the License.
 
 ### setup
-errcatch
+source /a/bin/errhandle/err
 src="${BASH_SOURCE%/*}"
 source $src/pkgs
 
@@ -73,7 +73,6 @@ case $distro in
     ;;
 esac
 
-
 # disable motd junk.
 case $distro in
   debian)
@@ -111,13 +110,22 @@ if isdeb; then
   # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
   pi  software-properties-common apt-transport-https
   curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
-  sudo add-apt-repository \
-       "deb [arch=amd64] https://download.docker.com/linux/$(distro-name-compat) \
-         $(debian-codename-compat) \
-         stable"
-  p update
-  pi docker-ce
-  sgo docker
+  url=https://download.docker.com/linux/$(distro-name-compat)
+  l="deb [arch=amd64] $url $(debian-codename-compat) stable"
+
+  if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
+    sudo add-apt-repository "$l"
+    p update
+  fi
+  # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless
+  # we really need it.
+  pi-nostart docker-ce
+  # and docker is even more crap, it ignores that it shouldnt start
+  ser stop docker
+  ser disable docker
+  case $HOSTNAME in
+    li|lj)  sgo docker ;;
+  esac
   # other distros unknown
 fi
 ###  end docker install ####
@@ -138,8 +146,11 @@ case $distro in
   trisquel|ubuntu)
     # not packaged in xenial or flidas
     pi software-properties-common
-    s add-apt-repository -y ppa:certbot/certbot ||:
-    p update
+    l="deb http://ppa.launchpad.net/certbot/certbot/ubuntu xenial main"
+    if ! grep -xFq "$l" /etc/apt/sources.list{,.d/*.list}; then
+      s add-apt-repository -y ppa:certbot/certbot ||:
+      p update
+    fi
     pi python-certbot-apache
     ;;
   # todo: other distros unknown
@@ -157,15 +168,17 @@ sgo certbotmail.timer
 ### end certbot install ###
 
 
-# dogcam setup
-case $HOSTNAME in
-  lj|li)
-    /a/bin/webcam/install-server
-    ;;
-  kw)
-    /a/bin/webcam/install-client
-    ;;
-esac
+# dogcam setup. not using atm
+# case $HOSTNAME in
+#   lj|li)
+#     /a/bin/webcam/install-server
+#     ;;
+#   kw)
+#     /a/bin/webcam/install-client
+#     ;;
+# esac
+
+pi ${p1[@]}
 
 # website setup
 case $HOSTNAME in
@@ -303,6 +316,7 @@ EOF
       git clone https://github.com/pump-io/pump.io.git
       cd pump.io
     fi
+    # note: these 2 commands seem
     # note: doing this or the npm install pump.io as root had problems.
     npm install
     npm run build
@@ -312,7 +326,7 @@ EOF
     # https://github.com/pump-io/pump.io/issues/1287
     s npm install -g databank-mongodb@0.19.2
     if ! getent passwd pumpio &>/dev/null; then
-      s useradd -m -s /bin/false pumpio
+      s useradd -Um -s /bin/false pumpio
     fi
     sudo -u pumpio mkdir -p /home/pumpio/pumpdata
     # for testing browser when only listening to localhost,
@@ -481,7 +495,7 @@ EOF
     ############### !!!!!!!!!!!!!!!!!
     ############### manual steps:
 
-    # only following 2 people atm, so not bothering to figure out backups
+    # only following a few people atm, so not bothering to figure out backups
     # when mastodon has not documented it at all.
     #
     # fsf@status.fsf.org
@@ -508,21 +522,39 @@ EOF
     # to exit and save config:
     # /msg *status shutdown
     # configed auth on freenode by following
-    # https://wiki.znc.in/Sasl
+    # https://wiki.znc.in/Sasl:
+    # /msg *sasl RequireAuth yes
+    # /msg *sasl Mechanism PLAIN
+    # /msg *sasl Set ident_name password
     # created the system service after, and had to do
     # mv /home/iank/.znc/* /var/lib/znc
     # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
     # and made a copy of the config files into /p/c
-    # added LoadModule = log -sanitize to the top level
+    # /msg *status LoadMod --type=global log -sanitize
     # to get into the web interface,
     # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
     # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
+    # https://iankelling.org:12533/
     # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
     # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
-    # todo: figure out how to make playback in erc happe.n
+    # /msg *status LoadMod --type=network perform
+    # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
+    # /msg *perform add JOIN #fsf-office
+    #
+    # i set  Buffer = 500
+    # also ran /znc LoadMod clearbufferonmsg
+    # it would be nice if erc supported erc query buffers by doing
+    # /msg *status clearbuffer <name of the query/receiver
+    # on killing the,
+    # an example seems to be here:	https://github.com/zenspider/elisp/blob/master/rwd-irc.el
+    # if that was the case i could remove the module clearbufferonmsg
+    # alo would be nice if erc supported
+    # https://wiki.znc.in/self-message
+    # https://wiki.znc.in/Query_buffers                                                \
+      #
     s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
     chmod 700 /var/lib/znc
-    s chown -R znc:znc /var/lib/znc/config
+    s chown -R znc:znc /var/lib/znc
     s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF'
 [Unit]
 Description=ZNC, an advanced IRC bouncer
@@ -545,22 +577,19 @@ esac
 
 ########### end section including li/lj ###############
 
-pi ${p4[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
-
-
-case $distro in
-  trisquel|ubuntu)
-    l="deb http://ppa.launchpad.net/ansible/ansible/ubuntu xenial main"
-    f=/etc/apt/sources.list.d/ansible-ubuntu-ansible-xenial.list
-    if ! grep -qF "$l" $f; then
-      s add-apt-repository -y ppa:ansible/ansible
-      p update
-    fi
-    pi ansible
-    ;;
-esac
+# depends gcc is a way to install suggests. this is apparently the only
+# way to install suggests even if the main package is already
+# installed. reinstall doesn't work, uninstalling can cause removing
+# dependent packages.
+pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $(apt-cache depends gcc|grep -i suggests:| awk '{print $2}')
 
+if ! type pip; then
+  x=$(mktemp)
+  wget -O$x https://bootstrap.pypa.io/get-pip.py
+  python3 $x --user
+fi
 
+sgo fsf-vpn-dns-cleanup
 
 
 case $distro in
@@ -568,11 +597,17 @@ case $distro in
     pi chromium ;;
   trisquel|ubuntu)
     wget -qO - https://downloads.iridiumbrowser.de/ubuntu/iridium-release-sign-01.pub|sudo apt-key add -
-    cat <<EOF | sudo tee /etc/apt/sources.list.d/iridium-browser.list
+    t=$(mktemp)
+    cat >$t <<EOF
 deb [arch=amd64] https://downloads.iridiumbrowser.de/deb/ stable main
 #deb-src https://downloads.iridiumbrowser.de/deb/ stable main
 EOF
-    p update
+    f=/etc/apt/sources.list.d/iridium-browser.list
+    if ! diff -q $t $f; then
+      s cp $t $f
+      s chmod 644 $f
+      p update
+    fi
     pi iridium-browser
     ;;
 esac
@@ -590,7 +625,7 @@ esac
 # s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
 # s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
 # # kw = kgpe work machine.
-# for host in x2 kw; do
+# for host in x2 x3 kw; do
 # vpn-mk-client-cert -b $host -n home b8.nz 1196
 # dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
 # mkdir -p $dir
@@ -601,8 +636,8 @@ esac
 # key already exists, so this won't generate one, just the configs.
 vpn-server-setup -rds
 s tee -a /etc/openvpn/server/server.conf <<'EOF'
-push "dhcp-option DNS 192.168.1.1"
-push "route 192.168.1.0 255.255.255.0"
+push "dhcp-option DNS 10.0.0.1"
+push "route 10.0.0.0 255.255.0.0"
 client-connect /a/bin/distro-setup/vpn-client-connect
 EOF
 s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
@@ -680,10 +715,9 @@ fi
 
 case $distro in
   debian|trisquel|ubuntu)
-    # suggests because we want the resolvconf package. however, i install it earlier
-    # as well, so this is redundant.
+    # suggests resolvconf package. installing it here is redundant, but make sure anyways.
     # todo: check other distros to make sure it\'s installed
-    pi-nostart --install-suggests openvpn
+    pi-nostart openvpn resolvconf
     # pi-nostart does not disable
     ser disable openvpn
     ;;
@@ -784,18 +818,21 @@ fi
 
 ####### begin misc packages ###########
 
+# sakura config is owned by ian
 reset-sakura
-sudo -u traci -i reset-sakura
 reset-konsole
 sudo -u traci -i reset-konsole
+# traci xscreensaver we don't want to reset
 reset-xscreensaver
-# this is packaged, but i see it's gotten a fair amount of development lately,
-# so install from cabal. the options are needed to get over incompatible xmonad library versions
-# but that stuff is in the global namespace, and it seems they don't conflict in practice.
-pi libxss-dev # dependency based on build failure
-cabal update
-cabal install --upgrade-dependencies  --force-reinstalls arbtt
-lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
+
+
+# this would install from cabal for newer / consistent version across os, but it screws up xmonad, so disabled for now.
+# this is also in primary-setup
+# pi libxss-dev # dependency based on build failure
+# cabal update
+# cabal install --upgrade-dependencies  --force-reinstalls arbtt
+# also, i assume syncing this between machines somehow messed thin
+#lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
 
 primary-setup
 
@@ -870,6 +907,88 @@ case $distro in
   # others unknown
 esac
 
+case $(debian-codename) in
+  # needed for debootstrap scripts for fai since fai requires debian
+  flidas)
+    curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
+    s dd of=/etc/apt/preferences.d/flidas-xenial <<EOF
+Package: *
+Pin: release a=xenial
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-security
+Pin-Priority: -100
+EOF
+    s dd of=/etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ xenial main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
+EOF
+
+    s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+    s dd of=/etc/apt/preferences.d/flidas-bionic <<EOF
+Package: *
+Pin: release a=bionic
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-security
+Pin-Priority: -100
+EOF
+
+    # better to run btrfs-progs which matches our kernel version
+    # (note, renamed from btrfs-tools)
+    s dd of=/etc/apt/preferences.d/btrfs-progs <<EOF
+Package: btrfs-progs libzstd1
+Pin: release a=bionic
+Pin-Priority: 1005
+
+Package: btrfs-progs libzstd1
+Pin: release a=bionic-updates
+Pin-Priority: 1005
+
+Package: btrfs-progs libzstd1
+Pin: release a=bionic-security
+Pin-Priority: 1005
+EOF
+
+
+    t=$(mktemp)
+    cat >$t <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
+EOF
+    f=/etc/apt/sources.list.d/bionic.list
+    if ! diff -q $t $f; then
+      s cp $t $f
+      s chmod 644 $f
+      p update
+    fi
+
+    # no special reason, but its better for btrfs-progs to
+    # be closer to our kernel version
+    pi btrfs-progs
+
+    t=$(mktemp -d)
+    cd $t
+    aptitude download debootstrap/xenial
+    ex *
+    ex data.tar.gz
+    s cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+
+    ;;
+esac
+
 # /run and /dev/shm are listed as required for pulseaudio. All 4 in the group
 # listed in the default config as suggested.
 # /run/usr/1000 i noticed was missing for pulseaudio
@@ -885,8 +1004,22 @@ tu /etc/schroot/desktop/fstab <<'EOF'
 EOF
 
 mkschroot() {
+  distro=$1
+  shift
+  case $distro in
+    ubuntu)
+      repo=http://archive.ubuntu.com/ubuntu/
+      ;;
+    debian)
+      repo=http://deb.debian.org/debian/
+      ;;
+  esac
   n=$1
   shift
+  if schroot -l | grep -xFq chroot:$n; then
+    echo "$0: $n schroot already installed, skipping"
+    return 0
+  fi
   apps=($@)
   d=/nocow/schroot/$n
   s dd of=/etc/schroot/chroot.d/$n.conf <<EOF
@@ -904,7 +1037,8 @@ EOF
     cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
   else
     s mkdir -p $d
-    s debootstrap $n $d http://deb.debian.org/debian/
+
+    s debootstrap $n $d $repo
     cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
   fi
   s cp -P {,$d}/etc/localtime
@@ -937,29 +1071,54 @@ sgo schrootupdate.timer
 # for my roommate
 case $distro in
   trisquel)
-    mkschroot stretch firefox-esr pulseaudio chromium
+    mkschroot debian stretch firefox-esr pulseaudio chromium
     ;;
 esac
 
 s mkdir -p /nocow/user
 s chown $USER:$USER /nocow/user
 case $distro in
-  debian)
-    case $(debian-codename) in
-      jessie)
-        pi anki
-        ;;
-      *)
-        mkschroot jessie anki pulsaudio mplayer
-        ;;
-    esac
-    ;;
   trisquel|ubuntu)
     pi anki
     ;;
   # others unknown
 esac
 
+
+# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
+# 450 seems likely to be unused. we need to specify one or else
+# it won't be stable across installs.
+if ! getent passwd debian-transmission > /dev/null; then
+  s groupadd -g 450 debian-transmission
+  case $distro in
+    arch)
+      s useradd \
+        --system \
+        --create-home \
+        --gid 450 \
+        --uid 450 \
+        --home-dir /var/lib/transmission-daemon \
+        --shell /bin/false \
+        debian-transmission
+      ;;
+    *)
+      s adduser --quiet \
+        --gid 450 \
+        --uid 450 \
+        --system \
+        --no-create-home \
+        --disabled-password \
+        --home /var/lib/transmission-daemon \
+        debian-transmission
+      ;;
+  esac
+fi
+# We want group writable stuff from transmission.
+# However, after setting this, I learn that transmission sets it's
+# own umask based on it's settings file. Well, no harm leaving this
+# so it's set right from the beginning.
+s chfn debian-transmission -o umask=0002
+
 case $distro in
   debian|trisquel|ubuntu)
     # note i had to do this, which is persistent:
@@ -977,6 +1136,9 @@ EOF
 
     # some reason it doesn\'t seem to start automatically anyways
     pi-nostart transmission-daemon
+    # be extra sure its not started
+    ser disable transmission-daemon
+    ser stop transmission-daemon
 
     # the folder was moved here after an install around 02/2017.
     # it contains runtime data,
@@ -1024,33 +1186,10 @@ File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
 })) + "\n")
 EOF
 
-    # make sure its not enabled, not sure if this is needed
-    ser disable transmission-daemon
     ;;
   # todo: others unknown
 esac
-# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
-if ! getent passwd debian-transmission > /dev/null; then
-  case $distro in
-    arch)
-      s useradd \
-        --system \
-        --create-home \
-        --home-dir /var/lib/transmission-daemon \
-        --shell /bin/false \
-        debian-transmission
-      ;;
-    *)
-      s adduser --quiet \
-        --system \
-        --group \
-        --no-create-home \
-        --disabled-password \
-        --home /var/lib/transmission-daemon \
-        debian-transmission
-      ;;
-  esac
-fi
+
 
 
 # trisquel 8 = openvpn, debian stretch = openvpn-client
@@ -1107,6 +1246,8 @@ require 'json'
 p = '/etc/transmission-daemon/settings.json'
 s = JSON.parse(File.read(p))
 s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
+# default is 0022 (18 in decimal)
+s["umask"] = 2
 File.write p, JSON.pretty_generate(s)
 EOF
 
@@ -1163,6 +1304,7 @@ case $distro in
     sgo org.cups.cupsd.service
     ;;
   debian|trisquel|ubuntu)
+    pi cups
     s gpasswd -a $USER lpadmin # based on ubuntu wiki
     spa hplip
     ;;
@@ -1174,11 +1316,6 @@ esac
 # in arch, I had to pick out the 6L driver.
 
 
-case $distro in
-  trisquel|ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
-  fedora|arch) spa mairix notmuch ;;
-esac
-
 # allow user to run vms, from debian handbook
 for x in iank traci; do s usermod -a -G libvirt,kvm $x; done
 # bridge networking as user fails. google lead here, but it doesn\'t work:
@@ -1196,8 +1333,17 @@ for x in iank traci; do s usermod -a -G libvirt,kvm $x; done
 
 case $distro in
   debian|trisquel|ubuntu)
+    if ! type -p go &>/dev/null; then
+      cd $(mktemp -d)
+      # just the latest stable at the time of writing
+      # TODO, maybe put this all into a build script,
+      # and do some automatic updates
+      wget -q https://dl.google.com/go/go1.12.4.linux-amd64.tar.gz
+      s tar -C /usr/local -xzf go1.12.4.linux-amd64.tar.gz
+      rm -f *
+    fi
+    go get -u mvdan.cc/fdroidcl
     # a bit of googling, and added settings to bashrc
-    go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
     ;;
 esac
 
@@ -1227,7 +1373,7 @@ case $distro in
     ./configure --with-exuberant-ctags=/usr/bin/ctags
     make
     s make install
-    s pip install pygments
+    pip install pygments
     ;;
   *)
     pi global
@@ -1313,7 +1459,7 @@ fi
 # EOF
 #         s systemctl daemon-reload
 #         case $HOSTNAME in
-#             x2|tp)
+#             x2|x3|tp)
 #                 ser enable synergyc@iank
 #                 ser start synergyc@iank ||: # X might not be running yet
 #                 ;;
@@ -1402,10 +1548,26 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
 
 ########### misc stuff
 
+# make networkmanager use resolvconf instead of its own dnsmasq which
+# conflicts with the normal dnsmasq package.
+f=/etc/NetworkManager/NetworkManager.conf
+m=$(md5sum $f)
+s sed -ri '/ *\[main\]/,/^ *\[[^]]+\]/{/^\s*dns[[:space:]=]/d}' $f
+if [[ $m != $(md5sum $f) ]]; then
+  srestart NetworkManager
+fi
+
+# make my /etc/fonts/conf.d/ get used.
+# I have a new sans-serif font there because the default one
+# displays l and I as the same char, grrrrr.
+s fc-cache
 
 /a/bin/distro-setup/mymimes
 
 
+sgo dynamicipupdate
+
+
 # stop autopoping windows when i plug in an android phone.
 # dbus-launch makes this work within an ssh connection, otherwise you get this message,
 # with still 0 exit code.
@@ -1592,7 +1754,16 @@ EOF
     ;;
 esac
 
-
+# networkmanager has this nasty behavior on flidas: if the machine
+# crashes with dnsmasq running, on subsequent boot, it adds an entry to
+# resolvconf for 127.0.0.1 in some stupid attempt to restore
+# nameservers.
+# This can be manually fixed by stoping dnsmasq,
+# then based on whats in /run/dnsmasq/, i see we can run
+# s resolvconf -d NetworkManager
+# oh ya, and stoping NetworkManager leaves this crap behind without cleaning it up.
+ser stop NetworkManager
+ser disable NetworkManager
 
 
 if [[ $HOSTNAME == frodo ]]; then
@@ -1602,7 +1773,7 @@ if [[ $HOSTNAME == frodo ]]; then
   # 1. it can be mounted with a shorthand of server:/
   # 2. exports that are subdirectories of this one will automatically be mounted
   tu /etc/exports <<'EOF'
-/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
+/k 10.0.0.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
 EOF
   s exportfs -rav
 fi