X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=5092ce74aec71089abbae1b4f52875c00fecd17b;hb=563cc41a1f3ddb95bedf595cc249f53aea6629c1;hp=e8e3ee031cf620ca9823a1c379a8d2cf9865a5b4;hpb=774fe9ab8c8d5c71614feda5a283b4a91fb3f145;p=distro-setup diff --git a/distro-end b/distro-end index e8e3ee0..5092ce7 100755 --- a/distro-end +++ b/distro-end @@ -43,7 +43,7 @@ end() { } pre="${0##*/}:" sudo() { - printf "$pre %s\n" "$*" + printf "$pre sudo %s\n" "$*" SUDOD="$PWD" command sudo "$@"; } m() { printf "$pre %s\n" "$*"; "$@"; } @@ -155,10 +155,12 @@ esac # fi + + pi debootstrap ######### begin universal pinned packages ###### case $(debian-codename) in - nabia|etiona|flidas) + etiona|flidas|nabia|aramo) sudo rm -fv /etc/apt/preferences.d/etiona-buster sd /etc/apt/preferences.d/trisquel-debian <$t <<'EOF' -deb http://http.us.debian.org/debian buster main -deb-src http://http.us.debian.org/debian buster main - -deb http://security.debian.org/ buster/updates main -deb-src http://security.debian.org/ buster/updates main - -deb http://http.us.debian.org/debian buster-updates main -deb-src http://http.us.debian.org/debian buster-updates main - -deb http://http.debian.net/debian buster-backports main -deb-src http://http.debian.net/debian buster-backports main -EOF - ;; bullseye) cat >$t <<'EOF' EOF @@ -484,6 +471,34 @@ Pin: release n=bionic,o=Ubuntu Pin-Priority: -100 EOF + ;;& + nabia) + sd /etc/apt/preferences.d/aramo-nabia <<'EOF' +Package: * +Pin: release n=aramo*,o=Trisquel +Pin-Priority: -100 +EOF + f=/etc/apt/sources.list.d/aramo.list + t=$(mktemp) + cat >$t <<'EOF' +deb http://mirror.fsf.org/trisquel/ aramo main +deb-src http://mirror.fsf.org/trisquel/ aramo main + +deb http://mirror.fsf.org/trisquel/ aramo-updates main +deb-src http://mirror.fsf.org/trisquel/ aramo-updates main + +deb http://archive.trisquel.info/trisquel/ aramo-security main +deb-src http://archive.trisquel.info/trisquel/ aramo-security main + +# Uncomment this lines to enable the backports optional repository +deb http://mirror.fsf.org/trisquel/ aramo-backports main +deb-src http://mirror.fsf.org/trisquel/ aramo-backports main +EOF + if ! diff -q $t $f; then + sudo dd if=$t of=$f 2>/dev/null + p update + fi + ;;& *) if isdeb; then @@ -492,7 +507,11 @@ EOF ;; esac - +case $codename_compat in + jammy) + s systemctl enable --now ssh-agent-iank + ;; +esac case $codename_compat in focal) @@ -533,6 +552,14 @@ EOF Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3 Pin: release o=Debian*,n=bullseye Pin-Priority: 500 +EOF + ;; + aramo) + # obs dependency not in trisquel + sd /etc/apt/preferences.d/obs < - Options +FollowSymLinks +Multiviews +Indexes + +# this doesn't exactly fit with the documentation. +# We need location / to do an auth, it cant be done outside, +# in order to pass on X-Remote-User. And we need +# the other location in order to remove the /radicale/ for +# requests which have it. This could be done with a rewrite, +# but i just get something working and call it a day. + + AllowOverride None - AuthType basic + AuthType Basic AuthName "Authentication Required" # setup one time, with root:www-data, 640 AuthUserFile "/etc/caldav-htpasswd" Require valid-user + RequestHeader set X-Remote-User expr=%{REMOTE_USER} + + + Options +FollowSymLinks +Multiviews -Indexes RequestHeader set X-Script-Name /radicale/ RequestHeader set X-Remote-User expr=%{REMOTE_USER} ProxyPass "http://10.8.0.4:5232/" retry=0 @@ -875,7 +891,7 @@ esac ### system76 things ### case $HOSTNAME in - sy|bo) + bo) # sy| sy doesnt seem to really need this. # note, i stored the initial popos packages at /a/bin/data/popos-pkgs if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html @@ -908,6 +924,7 @@ EOF fi ;; esac +### end system76 things ### case $distro in trisquel|ubuntu) @@ -974,6 +991,10 @@ EOF # and choose lightdm. # ;; + jammy) + # not yet bothering with mate + pi lightdm-gtk-greeter lightdm + ;; esac @@ -1044,6 +1065,22 @@ esac # dependent packages. pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs) +# schroot service will restart schroot sessions after reboot. +# I dont want that. +pi-nostart schroot + +# fix systemd unit failure. i dont know of any actual impact +# other than systemd showing in degraded state. So, we dont bother +# fixing the current state, let it fix on the next reboot. +# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a +tmp=$(systemctl cat binfmt-support.service | grep ^After=) +if [[ $tmp != *systemd-binfmt.service* ]]; then + s u /etc/systemd/system/binfmt-support.service.d/override.conf </dev/null; then # note, see bashrc for more documentation. @@ -1192,10 +1190,6 @@ if [[ -e /p/c/machine_specific/$HOSTNAME/filesystem/etc/openvpn/client/hole.crt sgo openvpn-client@hole fi -if [[ $HOSTNAME == frodo ]]; then - vpn-mk-client-cert -b frodo -n hole iankelling.org -fi - ############# begin syncthing setup ########### case $HOSTNAME in kd|frodo) @@ -1490,7 +1484,7 @@ case $HOSTNAME in ;; esac -mkdir -p $tdir +sudo mkdir -p $tdir # adapted from /var/lib/dpkg/info/transmission-daemon.postinst # 450 seems likely to be unused. we need to specify one or else @@ -1540,7 +1534,7 @@ ser stop transmission-daemon f=$tdir/transmission-daemon for d in $tdir/partial-torrents $tdir/torrents $f; do if [[ ! -d $d ]]; then - mkdir $d + sudo mkdir -p $d fi sudo chown -R debian-transmission:user2 $d done @@ -1789,10 +1783,13 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \ ########### misc stuff -if [[ $HOSTNAME != frodo ]]; then - # remove. i moved this into dns - echo | s cedit hole /etc/hosts ||: -fi +# pressing tab after sdf here: +# scp sdfbash: set +o noglob: command not found +# in t11, bash 5.1.16. this fixes it. +sudo sed -ri 's/([[:space:]]*)(\$reset)$/\1set +o noglob #$reset/' /usr/share/bash-completion/bash_completion + +rm -fv /home/iank/.mpv/watch_later +rm -rf /home/iank/.mpv if [[ ! -e ~/.local/bin/pip ]]; then tmp=$(mktemp) @@ -1801,6 +1798,51 @@ if [[ ! -e ~/.local/bin/pip ]]; then hash -r fi +## begin beets +# soo, apt install beets fails due to wanting a pip package, +# we find out why it wants this through +# apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances beets | less +# python-mediafile requires tox, which requires virtualenv, which requires pip. +# but, python-mediafile doesn't really require tox, it is specified in +# ./usr/lib/python3/dist-packages/mediafile-0.9.0.dist-info/METADATA +# as being required only for testing, but the debian package +# included it anyways, due to a mistake or bad tooling or something. +# I don't plan to use tox, so, according to https://serverfault.com/a/251091, +# we can create and install a dummy package by: +# +# "equivs-control , edit the file produced to provide the right +# dependency and have a nice name, then run equivs-build and +# finally dpkg -i the resulting .deb file" + +mkct +# edited from output of equivs-control tox +cat >tox <<'EOF' +Section: python +Priority: optional +Standards-Version: 3.9.2 +Package: tox +Description: tox-dummy +EOF +equivs-build tox +sudo dpkg -i tox_1.0_all.deb +rm -rf ./tox* +pi beets python3-discogs-client + + +# notes about barrier +# run barrier, do the gui config, +# setup the 2 screens, using hostnames for the new screen. +# save the server config +# $HOME/.local/share/barrier/.barrier.conf +# per the man page. +# +# ssl errors, resolved via advice here: https://github.com/debauchee/barrier/issues/231 +# BARRIER_SSL_PATH=~/.local/share/barrier/SSL/ +# mkdir -p "${BARRIER_SSL_PATH}" +# openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ${BARRIER_SSL_PATH}/Barrier.pem -out ${BARRIER_SSL_PATH}/Barrier.pem +# ran on both machines. +# When pressing start in the gui, the cli options used are printed to the console, +# they are useful. So on server, just run barriers, client run barrierc SERVER_IP ### begin timetrap setup if mountpoint /p &>/dev/null; then @@ -1863,13 +1905,13 @@ sudo fc-cache pi desktop-file-utils m /a/bin/distro-setup/mymimes - -# stop autopoping windows when i plug in an android phone. -# dbus-launch makes this work within an ssh connection, otherwise you get this message, -# with still 0 exit code. -# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY -m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false - +if type -p dbus-launch >/dev/null; then + # stop autopoping windows when i plug in an android phone. + # dbus-launch makes this work within an ssh connection, otherwise you get this message, + # with still 0 exit code. + # dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY + m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false +fi # on grub upgrade, we get prompts unless we do this devs=() @@ -1907,9 +1949,9 @@ esac case $HOSTNAME in kd) - /a/bin/buildscripts/prometheus # Font awesome is needed for the alertmanager ui. pi prometheus-alertmanager prometheus prometheus-node-exporter fonts-font-awesome + /a/bin/buildscripts/prometheus web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF' AuthType Basic @@ -1934,11 +1976,14 @@ EOF # by default, the alertmanager web ui is not enabled other than a page # that suggests to use the amtool cli. that tool is good, but you cant - # silence things nearly as fast. + # silence things nearly as easily as with the gui. if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then - sudo chroot /nocow/schroot/bullseye prometheus-alertmanager - sudo chroot /nocow/schroot/bullseye /usr/share/prometheus/alertmanager/generate-ui.sh - sudo rsync -avih /nocow/schroot/bullseye/usr/share/prometheus/alertmanager/ui/ /usr/share/prometheus/alertmanager/ui + # default script didnt work, required some changes to get elm 19.1, + # which is a dependency of the latest alertmanager. I modified + # and copied it into /b/ds. In future, might need some other + # solution. + #sudo /usr/share/prometheus/alertmanager/generate-ui.sh + sudo /b/ds/generate-ui.sh ser restart prometheus-alertmanager fi @@ -1953,12 +1998,11 @@ EOF esac case $HOSTNAME in - # frodo needs upgrade first. - frodo) : ;; # todo, for limiting node exporter http, # either use iptables or, in # /etc/default/prometheus-node-exporter # listen on the wireguard interface + *) wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf) # old filename. remove once all hosts are updated. @@ -1995,6 +2039,117 @@ esac ### end prometheus ### +### begin nagios ### + +case $HOSTNAME in + kd) + pi nagios4 + s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf + + # to add a password for admin: + # htdigest /etc/nagios4/htdigest.users Nagios4 iank + # now using the same pass as prometheus + + # nagstamon auth settings, set to digest instead of basic. + + web-conf -p 3005 - apache2 i.b8.nz <<'EOF' +# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf + +ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 +ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 + +# Where the stylesheets (config files) reside +Alias /nagios4/stylesheets /etc/nagios4/stylesheets + +# Where the HTML pages live +Alias /nagios4 /usr/share/nagios4/htdocs + + + Options FollowSymLinks + DirectoryIndex index.php index.html + AllowOverride AuthConfig + # + # The default Debian nagios4 install sets use_authentication=0 in + # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. + # This is insecure. As a compromise this default apache2 configuration + # only allows private IP addresses access. + # + # The ... below shows how you can secure the nagios4 + # web site so anybody can view it, but only authenticated users can issue + # commands (such as silence notifications). To do that replace the + # "Require all granted" with "Require valid-user", and use htdigest + # program from the apache2-utils package to add users to + # /etc/nagios4/htdigest.users. + # + # A step up is to insist all users validate themselves by moving + # the stanza's in the .. into the . + # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you + # can configure which people get to see a particular service from + # within the nagios configuration. + # + AuthDigestDomain "Nagios4" + AuthDigestProvider file + AuthUserFile "/etc/nagios4/htdigest.users" + AuthGroupFile "/etc/group" + AuthName "Nagios4" + AuthType Digest + Require valid-user + + + + Options +ExecCGI + +EOF + ;; +esac + +# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example: +# notifications_enabled=1 +# note, the same variable exists in the correspdonding "define service {" + +# in the default config, we have these definitions + +# 11 define command { +# 2 define contact { +# 1 define contactgroup { +# 9 define host { +# 4 define hostgroup { +# 23 define service { +# 5 define timeperiod { + + +# on klaxon + +# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c +# 76 define command +# 11 define contact +# 6 define contactgroup +# 162 define host +# 1 define hostextinfo +# 16 define hostgroup +# 3040 define service +# 2 define servicedependency +# 6 define timeperiod + + +### end nagios ### + +### begin bitcoin ### + +case $HOSTNAME in + sy) + f=$dir/bitcoin.conf + sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-23.0/bin/* + sgo bitcoind + sudo usermod -a -G bitcoin iank + sudo ln -s /q/wallets /var/lib/bitcoind + # note, there exists + # /a/bin/ds/disabled/bitcoin + ;; +esac + +### end bitcoin + end_msg <<'EOF' In mate settings settings, change scrolling to two-finger, @@ -2030,7 +2185,7 @@ lnf -T /a/opt ~/src pi tor m /a/bin/buildscripts/tor-browser # one root command needed to install -s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin +s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin # nfs server