X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=2124a7c968f81d283cd2d7bf7afe35d7eec00969;hb=72c18f3a6a7f1ed0ca16af654a1f804ab96e1ff9;hp=54321bf0533bd51bed00e707a5ab022102c21eba;hpb=ce4cacd36c5b5babeea85d0f93771017e6169180;p=distro-setup diff --git a/distro-end b/distro-end index 54321bf..2124a7c 100755 --- a/distro-end +++ b/distro-end @@ -346,6 +346,7 @@ EOF # for ziva #p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster doupdate=false + # shellcheck disable=SC2043 # in case we want more than 1 in the loop later. for n in bullseye; do f=/etc/apt/sources.list.d/$n.list t=$(mktemp) @@ -421,7 +422,7 @@ deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main universe deb http://us.archive.ubuntu.com/ubuntu/ focal-security main universe EOF if ! diff -q $t $f; then - sudo dd if=$t of=$f 2>/dev/null + sudo dd if=$t of=$f status=none p update fi @@ -450,7 +451,7 @@ deb http://mirror.fsf.org/trisquel/ nabia-backports main deb-src http://mirror.fsf.org/trisquel/ nabia-backports main EOF if ! diff -q $t $f; then - sudo dd if=$t of=$f 2>/dev/null + sudo dd if=$t of=$f status=none p update fi @@ -495,7 +496,7 @@ deb http://mirror.fsf.org/trisquel/ aramo-backports main deb-src http://mirror.fsf.org/trisquel/ aramo-backports main EOF if ! diff -q $t $f; then - sudo dd if=$t of=$f 2>/dev/null + sudo dd if=$t of=$f status=none p update fi @@ -509,7 +510,7 @@ esac case $codename_compat in jammy) - s systemctl enable ssh-agent-iank + s systemctl enable --now ssh-agent-iank ;; esac @@ -609,23 +610,6 @@ sudo rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattende # Pin-Priority: 500 # EOF -if [[ -e /etc/wireguard/wghole.conf ]]; then - reload=false - if [[ ! -e /etc/systemd/system/wg-quick@wghole.service.d/override.conf ]]; then - reload=true - fi - sudo mkdir -p /etc/systemd/system/wg-quick@wghole.service.d - sd /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF' -[Unit] -StartLimitIntervalSec=0 - -[Service] -Restart=on-failure -RestartSec=20 -EOF - if $reload; then ser daemon-reload; fi - sgo wg-quick@wghole -fi ###### begin website setup case $HOSTNAME in @@ -689,52 +673,47 @@ EOF client-to-client EOF - # sullivan d8 - sd /etc/openvpn/client-config-hole/sd8 <<'EOF' -ifconfig-push 10.5.5.41 255.255.255.0 -EOF - # hsieh d8 - sd /etc/openvpn/client-config-hole/hd8 <<'EOF' -ifconfig-push 10.5.5.42 255.255.255.0 -EOF - - sd /etc/openvpn/client-config-hole/onep9 <<'EOF' -ifconfig-push 10.5.5.14 255.255.255.0 + sd /etc/openvpn/client-config-hole/kd <<'EOF' +ifconfig-push 10.5.5.2 255.255.255.0 EOF - sd /etc/openvpn/client-config-hole/bo <<'EOF' -ifconfig-push 10.5.5.13 255.255.255.0 + sd /etc/openvpn/client-config-hole/tp <<'EOF' +ifconfig-push 10.5.5.3 255.255.255.0 EOF - sd /etc/openvpn/client-config-hole/sy <<'EOF' -ifconfig-push 10.5.5.12 255.255.255.0 + sd /etc/openvpn/client-config-hole/frodo <<'EOF' +ifconfig-push 10.5.5.5 255.255.255.0 EOF - sd /etc/openvpn/client-config-hole/kw <<'EOF' -ifconfig-push 10.5.5.9 255.255.255.0 + sd /etc/openvpn/client-config-hole/x2 <<'EOF' +ifconfig-push 10.5.5.7 255.255.255.0 EOF sd /etc/openvpn/client-config-hole/x3 <<'EOF' ifconfig-push 10.5.5.8 255.255.255.0 EOF - sd /etc/openvpn/client-config-hole/x2 <<'EOF' -ifconfig-push 10.5.5.7 255.255.255.0 -EOF - sd /etc/openvpn/client-config-hole/wclient <<'EOF' -ifconfig-push 10.5.5.6 255.255.255.0 + sd /etc/openvpn/client-config-hole/kw <<'EOF' +ifconfig-push 10.5.5.9 255.255.255.0 EOF - sd /etc/openvpn/client-config-hole/frodo <<'EOF' -ifconfig-push 10.5.5.5 255.255.255.0 + sd /etc/openvpn/client-config-hole/sy <<'EOF' +ifconfig-push 10.5.5.12 255.255.255.0 EOF - sd /etc/openvpn/client-config-hole/amy <<'EOF' -ifconfig-push 10.5.5.3 255.255.255.0 + sd /etc/openvpn/client-config-hole/bo <<'EOF' +ifconfig-push 10.5.5.13 255.255.255.0 EOF - sd /etc/openvpn/client-config-hole/kd <<'EOF' -ifconfig-push 10.5.5.2 255.255.255.0 + sd /etc/openvpn/client-config-hole/onep9 <<'EOF' +ifconfig-push 10.5.5.14 255.255.255.0 EOF + # todo: add x8? + - # for adding to current system: - #vpn-mk-client-cert -s "" -n hole 72.14.176.105 - # adding to remove system 107, - #vpn-mk-client-cert -s "" -n hole -c 10.2.0.107 -b hd8 iankelling.org + # for adding cert to system with /p + # + # host=frodo + #mkc /p/c/machine_specific/$host/filesystem/etc/openvpn/client + #vpn-mk-client-cert -b $host -n hole -r iankelling.org + #s chown -R iank:iank . + # + # example of adding to remote system 107, + # vpn-mk-client-cert -n hole -c 10.2.0.107 -b hd8 iankelling.org # - # for wireguard hole vpn + # for wireguard hole vpn, use function: # wghole # requested from linode via a support ticket. @@ -913,7 +892,7 @@ esac ### system76 things ### case $HOSTNAME in - sy|bo) + bo) # sy| sy doesnt seem to really need this. # note, i stored the initial popos packages at /a/bin/data/popos-pkgs if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html @@ -946,6 +925,7 @@ EOF fi ;; esac +### end system76 things ### case $distro in trisquel|ubuntu) @@ -1014,7 +994,7 @@ EOF ;; jammy) # not yet bothering with mate - pi lightdm-gtk-greeter + pi lightdm-gtk-greeter lightdm ;; esac @@ -1084,8 +1064,25 @@ esac # way to install suggests even if the main package is already # installed. reinstall doesn't work, uninstalling can cause removing # dependent packages. +# shellcheck disable=SC2046 # word splitting is intended pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs) +# schroot service will restart schroot sessions after reboot. +# I dont want that. +pi-nostart schroot + +# fix systemd unit failure. i dont know of any actual impact +# other than systemd showing in degraded state. So, we dont bother +# fixing the current state, let it fix on the next reboot. +# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a +tmp=$(systemctl cat binfmt-support.service | grep ^After=) +if [[ $tmp != *systemd-binfmt.service* ]]; then + s u /etc/systemd/system/binfmt-support.service.d/override.conf </dev/null; then # note, see bashrc for more documentation. @@ -1234,10 +1192,6 @@ if [[ -e /p/c/machine_specific/$HOSTNAME/filesystem/etc/openvpn/client/hole.crt sgo openvpn-client@hole fi -if [[ $HOSTNAME == frodo ]]; then - vpn-mk-client-cert -b frodo -n hole iankelling.org -fi - ############# begin syncthing setup ########### case $HOSTNAME in kd|frodo) @@ -1532,7 +1486,7 @@ case $HOSTNAME in ;; esac -mkdir -p $tdir +sudo mkdir -p $tdir # adapted from /var/lib/dpkg/info/transmission-daemon.postinst # 450 seems likely to be unused. we need to specify one or else @@ -1582,7 +1536,7 @@ ser stop transmission-daemon f=$tdir/transmission-daemon for d in $tdir/partial-torrents $tdir/torrents $f; do if [[ ! -d $d ]]; then - mkdir $d + sudo mkdir -p $d fi sudo chown -R debian-transmission:user2 $d done @@ -1831,10 +1785,13 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \ ########### misc stuff -if [[ $HOSTNAME != frodo ]]; then - # remove. i moved this into dns - echo | s cedit hole /etc/hosts ||: -fi +# pressing tab after sdf here: +# scp sdfbash: set +o noglob: command not found +# in t11, bash 5.1.16. this fixes it. +sudo sed -ri 's/([[:space:]]*)(\$reset)$/\1set +o noglob #$reset/' /usr/share/bash-completion/bash_completion + +rm -fv /home/iank/.mpv/watch_later +rm -rf /home/iank/.mpv if [[ ! -e ~/.local/bin/pip ]]; then tmp=$(mktemp) @@ -1843,6 +1800,57 @@ if [[ ! -e ~/.local/bin/pip ]]; then hash -r fi +## begin beets +# soo, apt install beets fails due to wanting a pip package, +# we find out why it wants this through +# apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances beets | less +# python-mediafile requires tox, which requires virtualenv, which requires pip. +# but, python-mediafile doesn't really require tox, it is specified in +# ./usr/lib/python3/dist-packages/mediafile-0.9.0.dist-info/METADATA +# as being required only for testing, but the debian package +# included it anyways, due to a mistake or bad tooling or something. +# I don't plan to use tox, so, according to https://serverfault.com/a/251091, +# we can create and install a dummy package by: +# +# "equivs-control , edit the file produced to provide the right +# dependency and have a nice name, then run equivs-build and +# finally dpkg -i the resulting .deb file" +# as of 2023-02, the tox dependency was removed in debian unstable, so +# this hack will probably go away in t12. + +if pcheck beets; then + tmpdir="$(mktemp -d)" + cd "$tmpdir" + # edited from output of equivs-control tox + cat >tox <<'EOF' +Section: python +Priority: optional +Standards-Version: 3.9.2 +Package: tox +Description: tox-dummy +EOF + equivs-build tox + sudo dpkg -i tox_1.0_all.deb + rm -rf ./tox* + pi beets python3-discogs-client + cd + rm -r "$tmpdir" +fi + +# notes about barrier +# run barrier, do the gui config, +# setup the 2 screens, using hostnames for the new screen. +# save the server config +# $HOME/.local/share/barrier/.barrier.conf +# per the man page. +# +# ssl errors, resolved via advice here: https://github.com/debauchee/barrier/issues/231 +# BARRIER_SSL_PATH=~/.local/share/barrier/SSL/ +# mkdir -p "${BARRIER_SSL_PATH}" +# openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ${BARRIER_SSL_PATH}/Barrier.pem -out ${BARRIER_SSL_PATH}/Barrier.pem +# ran on both machines. +# When pressing start in the gui, the cli options used are printed to the console, +# they are useful. So on server, just run barriers, client run barrierc SERVER_IP ### begin timetrap setup if mountpoint /p &>/dev/null; then @@ -1905,13 +1913,13 @@ sudo fc-cache pi desktop-file-utils m /a/bin/distro-setup/mymimes - -# stop autopoping windows when i plug in an android phone. -# dbus-launch makes this work within an ssh connection, otherwise you get this message, -# with still 0 exit code. -# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY -m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false - +if type -p dbus-launch >/dev/null; then + # stop autopoping windows when i plug in an android phone. + # dbus-launch makes this work within an ssh connection, otherwise you get this message, + # with still 0 exit code. + # dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY + m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false +fi # on grub upgrade, we get prompts unless we do this devs=() @@ -1947,11 +1955,19 @@ esac ### begin prometheus ### + +# cleanup old files. 2023-02 +x=(/var/lib/prometheus/node-exporter/*.premerge) +if [[ -e ${x[0]} ]]; then + s rm /var/lib/prometheus/node-exporter/* +fi + +pi prometheus-node-exporter-collectors case $HOSTNAME in kd) - /a/bin/buildscripts/prometheus # Font awesome is needed for the alertmanager ui. - pi prometheus-alertmanager prometheus prometheus-node-exporter fonts-font-awesome + pi prometheus-alertmanager prometheus fonts-font-awesome + /a/bin/buildscripts/prometheus web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF' AuthType Basic @@ -1976,31 +1992,35 @@ EOF # by default, the alertmanager web ui is not enabled other than a page # that suggests to use the amtool cli. that tool is good, but you cant - # silence things nearly as fast. + # silence things nearly as easily as with the gui. if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then - sudo chroot /nocow/schroot/bullseye prometheus-alertmanager - sudo chroot /nocow/schroot/bullseye /usr/share/prometheus/alertmanager/generate-ui.sh - sudo rsync -avih /nocow/schroot/bullseye/usr/share/prometheus/alertmanager/ui/ /usr/share/prometheus/alertmanager/ui + # default script didnt work, required some changes to get elm 19.1, + # which is a dependency of the latest alertmanager. I modified + # and copied it into /b/ds. In future, might need some other + # solution. + #sudo /usr/share/prometheus/alertmanager/generate-ui.sh + sudo /b/ds/generate-ui.sh ser restart prometheus-alertmanager fi + /a/bin/buildscripts/prom-node-exporter -l + for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do sysd-prom-fail-install $ser done ;; *) - pi prometheus-node-exporter + /a/bin/buildscripts/prom-node-exporter ;; esac case $HOSTNAME in - # frodo needs upgrade first. - frodo) : ;; # todo, for limiting node exporter http, # either use iptables or, in # /etc/default/prometheus-node-exporter # listen on the wireguard interface + *) wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf) # old filename. remove once all hosts are updated. @@ -2037,6 +2057,117 @@ esac ### end prometheus ### +### begin nagios ### + +case $HOSTNAME in + kd) + pi nagios4 + s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf + + # to add a password for admin: + # htdigest /etc/nagios4/htdigest.users Nagios4 iank + # now using the same pass as prometheus + + # nagstamon auth settings, set to digest instead of basic. + + web-conf -p 3005 - apache2 i.b8.nz <<'EOF' +# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf + +ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 +ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 + +# Where the stylesheets (config files) reside +Alias /nagios4/stylesheets /etc/nagios4/stylesheets + +# Where the HTML pages live +Alias /nagios4 /usr/share/nagios4/htdocs + + + Options FollowSymLinks + DirectoryIndex index.php index.html + AllowOverride AuthConfig + # + # The default Debian nagios4 install sets use_authentication=0 in + # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. + # This is insecure. As a compromise this default apache2 configuration + # only allows private IP addresses access. + # + # The ... below shows how you can secure the nagios4 + # web site so anybody can view it, but only authenticated users can issue + # commands (such as silence notifications). To do that replace the + # "Require all granted" with "Require valid-user", and use htdigest + # program from the apache2-utils package to add users to + # /etc/nagios4/htdigest.users. + # + # A step up is to insist all users validate themselves by moving + # the stanza's in the .. into the . + # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you + # can configure which people get to see a particular service from + # within the nagios configuration. + # + AuthDigestDomain "Nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4/htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Nagios4" + AuthType Digest + Require valid-user + + + + Options +ExecCGI + +EOF + ;; +esac + +# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example: +# notifications_enabled=1 +# note, the same variable exists in the correspdonding "define service {" + +# in the default config, we have these definitions + +# 11 define command { +# 2 define contact { +# 1 define contactgroup { +# 9 define host { +# 4 define hostgroup { +# 23 define service { +# 5 define timeperiod { + + +# on klaxon + +# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c +# 76 define command +# 11 define contact +# 6 define contactgroup +# 162 define host +# 1 define hostextinfo +# 16 define hostgroup +# 3040 define service +# 2 define servicedependency +# 6 define timeperiod + + +### end nagios ### + +### begin bitcoin ### + +case $HOSTNAME in + sy) + f=$dir/bitcoin.conf + sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-23.0/bin/* + sgo bitcoind + sudo usermod -a -G bitcoin iank + sudo ln -s /q/wallets /var/lib/bitcoind + # note, there exists + # /a/bin/ds/disabled/bitcoin + ;; +esac + +### end bitcoin + end_msg <<'EOF' In mate settings settings, change scrolling to two-finger, @@ -2072,7 +2203,7 @@ lnf -T /a/opt ~/src pi tor m /a/bin/buildscripts/tor-browser # one root command needed to install -s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin +s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin # nfs server