X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=660d556ea2363d9220ab9859c09fc3d2b4403f97;hb=65351382939fa95fb1e05d7d83eb58d27c3c6133;hp=b044f5c798fe549e0a4c31a07aad5899cebb3844;hpb=d46190aff6f5dc65bd39524e3937dc5765895b42;p=distro-setup

diff --git a/distro-end b/distro-end
index b044f5c..660d556 100755
--- a/distro-end
+++ b/distro-end
@@ -22,8 +22,11 @@ echo "$0: $(date): starting now)"
 
 src="${BASH_SOURCE%/*}"
 
+source $src/pkgs
+
+# see example of usage to understand.
 end_msg() {
-    =    local y
+    local y
     IFS= read -r -d '' y  ||:
     end_msg_var+="$y"
 }
@@ -42,118 +45,16 @@ case $distro in
 esac
 
 pup
+if isdeb; then
+    pi aptitude
+fi
 
-simple_packages=(
-    htop
-    mailutils
-    nmon
-    rdiff-backup
-    ruby
-    ruby-rest-client
-    tree
-    vim
-    wcd
-)
+simple_packages=(${p3[@]})
 
 case $HOSTNAME in
     lj|li) : ;;
     *)
-        # universal packages
-        # swh-plugins is for karaoke pulsaudio filter.
-        # mutagen for pithos
-        # guvcview set webcam brightness to highest
-        # pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts
-        simple_packages+=(
-            apache2
-            apache2-doc
-            apt-doc
-            apt-listchanges
-            aptitude-doc-en
-            bash-doc
-            beets
-            beets-doc
-            binutils-doc
-            bind9-doc
-            bind9-utils
-            bwm-ng
-            chromium
-            cpio-doc
-            cloc
-            cpulimit
-            cron
-            debconf-doc
-            dirmngr
-            dnsutils
-            dnsmasq
-            dtrx
-            duplicity
-            eclipse
-            evince
-            fdupes
-            feh
-            filelight
-            flashrom
-            gawk-doc
-            gcc-doc
-            gdb
-            gdb-doc
-            geoip-bin
-            git-doc
-            git-email
-            gitk
-            glibc-doc
-            goaccess
-            gnome-screenshot
-            gnome-session-flashback
-            guvcview
-            i3lock
-            inetutils-traceroute
-            iperf3
-            iproute2-doc
-            jq
-            kid3-qt
-            kid3-cli
-            linux-doc
-            locate
-            lshw
-            make-doc
-            manpages
-            manpages-dev
-            meld
-            mps-youtube
-            mumble
-            nagstamon
-            nginx-doc
-            nmap
-            offlineimap
-            oathtool
-            p7zip
-            paprefs
-            parted-doc
-            pavucontrol
-            pdfgrep
-            perl-doc
-            pianobar
-            pidgin
-            pidgin-otr
-            pry
-            python-autopep8
-            python3-doc
-            python3-mutagen
-            qrencode
-            reportbug
-            $(aptitude show ruby | sed -rn 's/Depends: (.*)/\1/p')-doc
-            sqlite3-doc
-            squashfs-tools
-            swh-plugins
-            tar-doc
-            tcpdump
-            telnet
-            transmission-remote-gtk
-            vlc
-            whois
-            wondershaper
-        )
+        simple_packages+=(${p4[@]})
         spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
         ;;
 esac
@@ -161,12 +62,7 @@ esac
 
 ########### begin section including li ################
 
-
-case $distro in
-    fedora) spa unrar ;;
-    *) spa unrar-free ;;
-esac
-
+conflink
 
 case $distro in
     arch)
@@ -181,10 +77,6 @@ case $distro in
 esac
 
 
-if isdeb; then
-    pi debian-goodies
-fi
-
 
 case $distro in
     *) pi at ;;&
@@ -193,7 +85,7 @@ esac
 
 
 case $distro in
-    debian) pi curl;;
+    debian|trisquel|ubuntu) pi curl;;
     arch) : ;;
     # fedora: unknown
 esac
@@ -206,12 +98,12 @@ esac
 
 case $distro in
     arch) spa the_silver_searcher ;;
-    debian|ubuntu|trisquel) spa silversearcher-ag ;;
+    debian|trisquel|ubuntu) spa silversearcher-ag ;;
     # fedora unknown
 esac
 
 case $distro in
-    debian|ubuntu|trisquel) spa ntp;;
+    debian|trisquel|ubuntu) spa ntp;;
     arch)
         pi ntp
         sgo ntpd
@@ -222,7 +114,7 @@ esac
 
 # no equivalent in other distros:
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi aptitude
         if ! dpkg -s apt-file &>/dev/null; then
             # this condition is just a speed optimization
@@ -234,14 +126,9 @@ case $distro in
         ;;
 esac
 
-case $distro in
-    ubuntu|trisquel|debian) spa ack-grep ;;
-    arch|fedora) spa ack ;;
-    # fedora unknown
-esac
 
 case $distro in
-    arch|debian|ubuntu|trisquel)
+    arch|debian|trisquel|ubuntu)
         spa bash-completion
         ;;
     # others unknown
@@ -265,7 +152,7 @@ case $distro in
             s update-rc.d motd disable
         fi
         ;;
-    ubuntu|trisquel)
+    trisquel|ubuntu)
         # this isn't a complete solution. It still shows me when updates are available,
         # but it's no big deal.
         s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
@@ -283,47 +170,80 @@ if isdebian; then
 fi
 
 # we've got a few dependencies later on, so install them now.
-pi eatmydata
-s eatmydata apt-get -y install --purge --auto-remove "${simple_packages[@]}"
+pi eatmydata; PI_PREFIX=eatmydata
+pi "${simple_packages[@]}"
 simple_packages=()
 
 
 ### begin docker install ####
-# https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
-pi  software-properties-common apt-transport-https
-curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
-sudo add-apt-repository \
-     "deb [arch=amd64] https://download.docker.com/linux/debian \
-         $(lsb_release -cs) \
+
+if isdeb; then
+    # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+    pi  software-properties-common apt-transport-https
+    curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
+    sudo add-apt-repository \
+         "deb [arch=amd64] https://download.docker.com/linux/$(distro-name-compat) \
+         $(debian-codename-compat) \
          stable"
-p update
-pi docker-ce
-sgo docker
+    p update
+    pi docker-ce
+    sgo docker
+    # other distros unknown
+fi
 ###  end docker install ####
 
 
+### begin certbot install ###
 case $distro in
     debian)
         # note, need python-certbot-nginx for nginx, but it depends on nginx,
-        # and I'm not installing nginx by default right now
-        if isdebian-testing; then
-            pi --install-suggests certbot
+        # and I'm not installing nginx by default right now.
+        # note python-certbot-apache is in suggests, but so is a doc package that brought in xorg
+        if [[ $(debian-codename) == jessie ]]; then
+            pi -t jessie-backports certbot python-certbot-apache
         else
-            pi --install-suggests -t jessie-backports certbot
+            pi certbot python-certbot-apache
         fi
-        # make a version of the certbot timer that emails me.
-        x=/systemd/system/certbot
-        $sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
+        ;;
+    trisquel|ubuntu)
+        # not packaged in xenial or flidas
+        pi software-properties-common
+        # this fails with:
+        #
+        # gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
+        # gpg: Total number processed: 1
+        # gpg:               imported: 1
+        # gpg: no valid OpenPGP data found.
+        # Failed to add key.
+        #
+        # but it seems to work fine, perhaps it's only failing on the second run.
+        s add-apt-repository -y ppa:certbot/certbot ||:
+        p update
+        pi python-certbot-apache
+        ;;
+    # todo: other distros unknown
+esac
+# make a version of the certbot timer that emails me.
+x=/systemd/system/certbot
+$sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
 s,^Description.*,\0 mail version,
 EOF
-        $sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
+$sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
 s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
 EOF
-        ser daemon-reload
-        sgo certbotmail.timer
+ser daemon-reload
+sgo certbotmail.timer
+### end certbot install ###
+
 
+# dogcam setup
+case $HOSTNAME in
+    lj|li)
+        /a/bin/webcam/install-server
+        ;;
+    kw)
+        /a/bin/webcam/install-client
         ;;
-    # todo: other distros unknown
 esac
 
 # website setup
@@ -338,7 +258,6 @@ case $HOSTNAME in
         /a/h/build.rb
 
         sudo -E /a/bin/mediawiki-setup/mw-setup-script
-        #$src/phab-setup
 
         pi-nostart mumble-server
         s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
@@ -355,11 +274,23 @@ EOF
 
         sgo mumble-server
 
-        vpn-server-setup -d
-        tee /etc/openvpn/client-config/mail <<'EOF'
+        vpn-server-setup -rd
+        s tee /etc/openvpn/client-config/mail <<'EOF'
 ifconfig-push 10.8.0.4 255.255.255.0
 EOF
 
+        # it\'s strange. docker seems to make the default for forward
+        # be drop, but then I set it to accept and it\'s stuck that way,
+        # I dun know why. But, let\'s make sure we can forward anyways.
+        s DEBIAN_FRONTEND=noninteractive pi iptables-persistent
+        rm /etc/iptables/rules.v6
+        s tee /etc/iptables/rules.v4 <<'EOF'
+*filter
+-A FORWARD -i tun+ -o eth0 -j ACCEPT
+-A FORWARD -i eth0 -o tun+ -j ACCEPT
+COMMIT
+EOF
+
 
         sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
 [Unit]
@@ -378,7 +309,12 @@ EOF
         ser enable vpnmail.service
         # needed for li's local mail delivery.
         tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
-        sgo openvpn
+        if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+            vpn_service=openvpn-server@server
+        else
+            vpn_service=openvpn@server
+        fi
+        sgo $vpn_service
         # setup let's encrypt cert
         web-conf apache2 mail.iankelling.org
         s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
@@ -396,7 +332,7 @@ EOF
                 # setup one time, with root:www-data, 640
                 AuthUserFile "/etc/caldav-htpasswd"
                 Require valid-user
-        <Location />
+        </Location>
 EOF
         # nginx version of above would be:
         # auth_basic "Not currently available";
@@ -435,22 +371,29 @@ EOF
 EOF
         s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
 
-        # jessie\'s node is too old
+        # stretch node is too old
         # https://nodejs.org/en/download/package-manager/
-        curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
-        pi nodejs
+        curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
+        pi nodejs graphicsmagick mongodb
         cd /home/iank
-        rm -rf pump.io.git
-        git clone https://github.com/pump-io/pump.io.git
-        cd pump.io
+        if [[ -e pump.io ]]; then
+            cd pump.io
+            git pull
+        else
+            git clone https://github.com/pump-io/pump.io.git
+            cd pump.io
+        fi
         # note: doing this or the npm install pump.io as root had problems.
         npm install
         npm run build
         # normally, next command would be
-        # s npm install -g databank-mongodb
+        # s npm install -g   odb
         # but it\'s this until a bug in pump gets fixed
+        # https://github.com/pump-io/pump.io/issues/1287
         s npm install -g databank-mongodb@0.19.2
-        s useradd -m -s /bin/false pumpio
+        if ! getent passwd pumpio &>/dev/null; then
+            s useradd -m -s /bin/false pumpio
+        fi
         sudo -u pumpio mkdir -p /home/pumpio/pumpdata
         # for testing browser when only listening to localhost,
         # in the pump.io.json, set hostname localhost, urlPort 5233
@@ -505,6 +448,8 @@ EOF
 
         ############# begin setup mastodon ##############
 
+        # main doc is Docker-Guide.md in docs repo
+
         # I'd like to try gnu social just cuz of gnu, but it's not being
         # well maintained, for example, simple pull requests
         # languishing:
@@ -515,15 +460,19 @@ EOF
         # note, docker required, but we installed it earlier
 
         # i subscrubed to https://github.com/docker/compose/releases.atom
-        # to deal with updates manually. So far, it means just reving the
-        # version number, then restarting docker-compose with
-        # cd ~/mastodon
-        # docker-compose up -d
-        curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
+        # to see release notes.
+        # i had some problems upgrading. blew things away with
+        # docker-compose down
+        # docker rmi $(docker images -q)
+        # s reboot now
+        # when running docker-compose run, kernel stack traces are printed to the journal.
+        # things seem to succeed, google says nothing, so ignoring them.
+        curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
         s chmod +x /usr/local/bin/docker-compose
 
 
         cd ~
+        s rm -rf mastodon
         i clone https://github.com/tootsuite/mastodon
         cd mastodon
         # subbed to atom feed to deal with updates
@@ -546,7 +495,7 @@ LOCAL_HTTPS=true
 
 SINGLE_USER_MODE=true
 
-SMTP_SERVER=10.8.0.4
+SMTP_SERVER=mail.iankelling.org
 SMTP_PORT=25
 SMTP_LOGIN=li
 SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
@@ -555,19 +504,40 @@ SMTP_DELIVERY_METHOD=smtp
 EOF
 
         for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
-            printf "%s=%s" $key "$(docker-compose run --rm web rake secret)" >>.env.production
+            # 1 minute 7 seconds to run this docker command
+            # to generate a secret, and it has ^M chars at the end. wtf. really dumb
+            printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production
         done
-        s cat /etc/mailpass| while read -r domain port pass; do
+        found=false
+        while read -r domain port pass; do
             if [[ $domain == mail.iankelling.org ]]; then
-                printf "SMTP_PASSWORD=%s" "$pass" >>.env.production
+                found=true
+                # remove the username part
+                pass="${pass#*:}"
+                printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production
                 break
             fi
-        done
-
+        done < <(s cat /etc/mailpass)
+        if ! $found; then
+            echo "$0: error, failed to find mailpass domain for mastadon"
+            exit 1
+        fi
 
+        # docker compose makes an interface named like br-8f3e208558f2. we need mail to
+        # get routed to us.
+        if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then
+            s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25
+        fi
 
+        docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production
+        logq docker-compose run --rm web rake db:migrate
         docker-compose run --rm web rails assets:precompile
 
+        # avatar failed to upload, did
+        # docker logs mastodon_web_1
+        # google lead me to this
+        s chown -R 991:991 public/system
+
         # docker daemon takes care of starting on boot.
         docker-compose up -d
 
@@ -608,34 +578,144 @@ EOF
         # we use nsupdate to update the ip of home
         pi bind9
 
+        pi znc
+        # znc config generated by doing
+        # znc --makeconf
+        # selected port is also used in erc config
+        # comma separated channel list worked.
+        # while figuring things out, running znc -D for debug in foreground.
+        # to exit and save config:
+        # /msg *status shutdown
+        # configed auth on freenode by following
+        # https://wiki.znc.in/Sasl
+        # created the system service after, and had to do
+        # mv /home/iank/.znc/* /var/lib/znc
+        # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
+        # and made a copy of the config files into /p/c
+        # added LoadModule = log -sanitize to the top level
+        # to get into the web interface,
+        # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
+        # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
+        # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
+        # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
+        # todo: figure out how to make playback in erc happe.n
+        s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
+        chmod 700 /var/lib/znc
+        s chown -R znc:znc /var/lib/znc/config
+        s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF'
+[Unit]
+Description=ZNC, an advanced IRC bouncer
+After=network-online.target
+
+[Service]
+ExecStart=/usr/bin/znc -f --datadir=/var/lib/znc
+User=znc
+
+[Install]
+WantedBy=multi-user.target
+EOF
+        ser daemon-reload
+        sgo znc
+
         echo "$0: $(date): ending now)"
         exit 0
         ;;
 esac
 
 
+# needed for checkrestart
+if isdeb; then
+    spa debian-goodies
+fi
+
+
+
 ########### end section including li/lj ###############
 
-if [[ $HOSTNAME == treetowl ]]; then
+case $distro in
+    debian) spa gnome-session-flashback ;;
+    # flidas is missing dependency gnome-panel. others unknown
+esac
+
+
+
+case $distro in
+    trisquel|ubuntu|debian) spa ack-grep ;;
+    arch|fedora) spa ack ;;
+    # fedora unknown
+esac
+
 
-    # vpn-server setup via:
 
-    vpn-server-setup -r -d
-    s tee -a /etc/openvpn/server/server.conf <<'EOF'
+case $distro in
+    debian)
+        pi chromium ;;
+    xenial|ubuntu)
+        wget -qO - https://downloads.iridiumbrowser.de/ubuntu/iridium-release-sign-01.pub|sudo apt-key add -
+        cat <<EOF | sudo tee /etc/apt/sources.list.d/iridium-browser.list
+deb [arch=amd64] https://downloads.iridiumbrowser.de/deb/ stable main
+#deb-src https://downloads.iridiumbrowser.de/deb/ stable main
+EOF
+        p update
+        pi iridium-browser
+        ;;
+esac
+
+case $distro in
+    debian)
+        spa cpio-doc ;;
+    # not packaged in flidas. others unknown. gfdl nonfree issue
+esac
+
+
+
+
+case $distro in
+    fedora) spa unrar ;;
+    *) spa unrar-free ;;
+esac
+
+
+### begin home vpn server setup
+
+
+# # this section done initially to make persistent keys.
+# # Also note, I temporarily set /etc/hosts so my host was
+# # b8.nz when running this, since the vpn client config
+# # generator assumes we need to go to that server to get
+# # server keys.
+# vpn-server-setup -rds
+# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
+# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
+# # kw = kgpe work machine.
+# for host in x2 kw; do
+# vpn-mk-client-cert -b $host -n home b8.nz 1196
+# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
+# mkdir -p $dir
+# s bash -c "cp /etc/openvpn/client/home* $dir"
+#     # note: /etc/update-resolv-conf-home also exists for all systems with /p
+# done
+
+# key already exists, so this won't generate one, just the configs.
+vpn-server-setup -rds
+s tee -a /etc/openvpn/server/server.conf <<'EOF'
 push "dhcp-option DNS 192.168.1.1"
 push "route 192.168.1.0 255.255.255.0"
 client-connect /a/bin/distro-setup/vpn-client-connect
 EOF
-    s sed -i --follow-symlinks 's/10.8./10.9./g' /etc/openvpn/server/server.conf
-    ser restart openvpn-server@server
-    vpn-mk-client-cert -s /etc/update-resolv-conf-home -c x2 -n home b8.nz
-    dir=/p/c/machine_specific/x2/filesystem/etc/openvpn/client
-    mkdir -p $dir
-    # background: We have these files locally, but we\'d have to duplicate the logic
-    # in vpn-mk-client-cert to get them, and this is just simpler.
-    scp root@x2:/etc/openvpn/client/home* $dir
+s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
 
+if [[ $HOSTNAME == tp ]]; then
+    if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+        vpn_service=openvpn-server@server
+    else
+        vpn_service=openvpn@server
+    fi
+    sgo $vpn_service
+fi
+### end vpn server setup
 
+if [[ $HOSTNAME == tp ]]; then
 
     # note, see bashrc for more documentation.
     pi rss2email
@@ -670,7 +750,7 @@ EOF
 fi
 
 ######### begin  pump.io periodic backup #############
-if [[ $HOSTNAME == treetowl ]]; then
+if [[ $HOSTNAME == frodo ]]; then
     s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
 [Unit]
 Description=pump li backup
@@ -697,8 +777,9 @@ fi
 #########  end  pump.io periodic backup #############
 
 case $distro in
-    debian|ubuntu|trisquel)
-        # suggests because we want the resolvconf package.
+    debian|trisquel|ubuntu)
+        # suggests because we want the resolvconf package. however, i install it earlier
+        # as well, so this is redundant.
         # todo: check other distros to make sure it\'s installed
         pi-nostart --install-suggests openvpn
         # pi-nostart does not disable
@@ -721,7 +802,7 @@ lnf /a/opt/.AndroidStudio2.2 ~
 spa lib32stdc++6 default-jdk
 
 
-if [[ $HOSTNAME == treetowl ]]; then
+if [[ $HOSTNAME == frodo ]]; then
     ############# begin syncthing setup ###########
 
     # It\'s simpler to just worry about running it in one place for now.
@@ -731,7 +812,7 @@ if [[ $HOSTNAME == treetowl ]]; then
     # syncs between comps.
     case $distro in
         arch) pi syncthing ;;
-        ubuntu|trisquel|debian)
+        trisquel|ubuntu|debian)
             # testing has relatively up to date packages
             if ! isdebian-testing; then
                 # based on error when doing apt-get update:
@@ -750,6 +831,7 @@ if [[ $HOSTNAME == treetowl ]]; then
             ;;
     esac
     lnf -T /w/syncthing /home/iank/.config/syncthing
+    ser daemon-reload # syncthing likely not properly packaged
     sgo syncthing@iank # runs as iank
 
     # these things persist in ~/.config/syncthing, which I save in
@@ -767,7 +849,7 @@ if [[ $HOSTNAME == treetowl ]]; then
     # Set gui username and password.
     #
     # install syncthing via f-droid,
-    # folder setting, turn off master folder (makes it read only).
+    # folder setting, turn off send only.
     # on phone, add device, click bar code icon
     # on dekstop, top right, actions, device id
     # after adding, notification will appear on desktop to confirm
@@ -778,7 +860,8 @@ if [[ $HOSTNAME == treetowl ]]; then
     # notification will appear in android\'s notifications, you have to
     # swipe down and tap it to add the folder. It won\'t appear in the
     # syncthing ui, which would be intuitive, but don\'t wait for it
-    # there.
+    # there. The notification may not work, instead open the web gui
+    # from in the app, there should be a notification within there.
     #
     # On phone, set settings to run syncthing all the time, and
     # show no notification.
@@ -800,14 +883,58 @@ fi
 
 # no equivalent in other distros:
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         # for gui bug reporting
         spa python-vte
         ;;
 esac
 
 
-####### misc packages ###########
+####### begin misc packages ###########
+
+reset-sakura
+sudo -u traci -i reset-sakura
+reset-konsole
+sudo -u traci -i reset-konsole
+reset-xscreensaver
+# this is packaged, but i see it's gotten a fair amount of development lately,
+# so install from cabal. the options are needed to get over incompatible xmonad library versions
+# but that stuff is in the global namespace, and it seems they don't conflict in practice.
+pi libxss-dev # dependency based on build failure
+cabal update
+cabal install --upgrade-dependencies  --force-reinstalls arbtt
+lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
+
+if [[ ! -e ~/.linphonerc && -e /p/.linphonerc-initial ]]; then
+    cp /p/.linphonerc-initial ~/.linphonerc
+fi
+
+
+### begin spd install
+pi libswitch-perl libdigest-md5-file-perl libgnupg-interface-perl
+t=$(mktemp)
+wget -O $t http://mirror.fsf.org/fsfsys-trisquel/fsfsys-trisquel/pool/main/s/spd-perl/spd-perl_0.2-1_amd64.deb
+s dpkg -i $t
+rm $t
+# this guesses at the appropriate directory, adjust if needed
+x=(/usr/lib/x86_64-linux-gnu/perl/5.*)
+sudo ln -sf ../../../perl/5.18.2/SPD/ $x
+# newer distro had gpg2 as default, older one, flidas, need to make it that way
+x=$(which gpg2)
+if [[ $x ]]; then
+    s lnf -T $x /usr/local/bin/gpg
+fi
+### end spd install
+
+
+if [[ $HOSTNAME == kw ]]; then
+    cat <<'EOF'
+NOTE: after this finishes, i did
+s nmtui-connect
+# remove br from auto:
+s vim /etc/network/interfaces
+EOF
+fi
 
 # nagstamon setting which were set through the ui
 # in filters tab:
@@ -820,10 +947,26 @@ esac
 # services on unreachable osts
 # hosts in soft state
 # services in soft state
-# in display tab: icon in systray.
+# in display tab: fullscreen
+
+# these translate to these settings I think
+# filter_acknowledged_hosts_services = True
+# filter_all_unknown_services = True
+# filter_all_warning_services = True
+# filter_hosts_in_soft_state = True
+# filter_hosts_services_maintenance = True
+# filter_services_in_soft_state = True
+# filter_services_on_down_hosts = True
+# filter_services_on_hosts_in_maintenance = True
+# filter_services_on_unreachable_hosts = True
+# notify_if_up = False
+# statusbar_floating = False
+# fullscreen = True
+# but i'm just going to rely on the webpage plus sms for now.
+
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         # it asks if it should make users in it's group capture packets without root,
         # which is arguably more secure than running wireshark as root. default is no,
         # which is what i prefer, since I plan to use tcpdump to input to wireshark.
@@ -832,18 +975,98 @@ case $distro in
     # others unknown
 esac
 
+# /run and /dev/shm are listed as required for pulseaudio. All 4 in the group
+# listed in the default config as suggested.
+# /run/usr/1000 i noticed was missing for pulseaudio
+# /run/user/0 just seemed like a not bad idea, given the above
+tu /etc/schroot/desktop/fstab <<'EOF'
+/run           /run            none    rw,bind         0       0
+/run/lock      /run/lock       none    rw,bind         0       0
+/dev/shm       /dev/shm        none    rw,bind         0       0
+/run/shm       /run/shm        none    rw,bind         0       0
+/run/user/1000 /run/user/1000  none    rw,bind         0       0
+/run/user/1001 /run/user/1001  none    rw,bind         0       0
+/run/user/0    /run/user/0     none    rw,bind         0       0
+EOF
+
+mkschroot() {
+    n=$1
+    shift
+    apps=($@)
+    d=/nocow/schroot/$n
+    s dd of=/etc/schroot/chroot.d/$n.conf <<EOF
+[$n]
+description=$n
+type=directory
+directory=$d
+profile=desktop
+preserve-environment=true
+users=$USER,traci
+EOF
+    if [[ -e $d/bin ]]; then
+        s chroot $d apt-get update
+        s chroot $d apt-get -y dist-upgrade --purge --auto-remove
+        cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
+    else
+        s mkdir -p $d
+        s debootstrap $n $d http://deb.debian.org/debian/
+        cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
+    fi
+    s cp -P {,$d}/etc/localtime
+}
+s dd of=/etc/systemd/system/schrootupdate.service <<'EOF'
+[Unit]
+Description=schrootupdate
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once schrootupdate /a/bin/distro-setup/schrootupdate
+EOF
+s dd of=/etc/systemd/system/schrootupdate.timer <<'EOF'
+[Unit]
+Description=schrootupdate
+
+[Timer]
+OnCalendar=*-*-* 04:20:00
 
+[Install]
+WantedBy=timers.target
+EOF
+s systemctl daemon-reload
+sgo schrootupdate.timer
+
+
+
+
+# for my roommate
+case $distro in
+    trisquel)
+        mkschroot stretch firefox-esr pulseaudio chromium
+        ;;
+esac
+
+s mkdir -p /nocow/user
+s chown $USER:$USER /nocow/user
 case $distro in
-    debian|ubuntu|trisquel)
-        # no recommends because it wanted some other unstable package, something to
-        # do with math or something, which I didn't want to deal with.
-        p -y --no-install-recommends install python3-send2trash/unstable anki/unstable
+    debian)
+        case $(debian-codename) in
+            jessie)
+                pi anki
+                ;;
+            *)
+                mkschroot jessie anki pulsaudio mplayer
+                ;;
+        esac
+        ;;
+    trisquel|ubuntu)
+        pi anki
         ;;
     # others unknown
 esac
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         # note i had to do this, which is persistent:
         # cd /i/k
         # s chgrp debian-transmission torrents partial-torrents
@@ -864,7 +1087,18 @@ EOF
         # it contains runtime data,
         # plus a simple symlink to the config file which it\'s
         # not worth separating out.
-        s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
+        # between comps, the uid can change
+        f=/i/transmission-daemon
+        s lnf -T $f /var/lib/transmission-daemon/.config/transmission-daemon
+        if [[ -e $f ]]; then
+            s chown -R debian-transmission:debian-transmission $f
+        fi
+        for f in /i/k/partial-torrents /i/k/torrents; do
+            if [[ -e $f ]]; then
+                s chown -R debian-transmission:traci $f
+            fi
+        done
+        s chown -R debian-transmission:debian-transmission /var/lib/transmission-daemon
         #
         # config file documented here, and it\'s the same config
         # for daemon vs client, so it\'s documented in the gui.
@@ -922,6 +1156,36 @@ if ! getent passwd debian-transmission > /dev/null; then
             ;;
     esac
 fi
+
+
+# trisquel 8 = openvpn, debian stretch = openvpn-client
+vpn_ser=openvpn-client
+if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
+    vpn_ser=openvpn
+fi
+
+s dd of=/etc/systemd/system/transmission-daemon-nn.service <<EOF
+[Unit]
+Description=Transmission BitTorrent Daemon netns
+After=network.target
+Requires=${vpn_ser}-nn@client.service
+After=${vpn_ser}-nn@client.service
+JoinsNamespaceOf=${vpn_ser}-nn@client.service
+
+[Service]
+#User=debian-transmission
+# notify type doesn't work with sudo
+#Type=notify
+ExecStart=/usr/bin/nsenter --mount=/root/mount_namespaces/client sudo -u debian-transmission /usr/bin/transmission-daemon -f --log-error
+ExecReload=/bin/kill -s HUP \$MAINPID
+PrivateNetwork=true
+Nice=19
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ser daemon-reload
+
 if [[ $HOSTNAME == frodo ]]; then
     sgo transmission-daemon-nn
 fi
@@ -994,40 +1258,6 @@ case $HOSTNAME in
 esac
 
 
-pi wget
-case $HOSTNAME in
-    tp|frodo)
-        case $distro in
-            debian|ubuntu|trisquel)
-                log=$(mktemp)
-                cd /a/opt
-                wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
-                errallow
-                set -o pipefail
-                s dpkg -i google-chrome-stable_current_amd64.deb |& tee $log
-                code=$?
-                errcatch
-                case $code in
-                    0) : ;;
-                    *)
-                        # previously I had a more specific search, but dpkg
-                        # changed it\'s output as of 7/2016
-                        if grep 'dependency problems' \
-                                $log &>/dev/null; then
-                            s apt-get -fy install
-                        else
-                            exit 1
-                        fi
-                        ;;
-                esac
-                ;;
-            arch)
-                pi google-chrome
-                ;;
-        esac
-        ;;
-esac
-
 # printer
 case $distro in
     arch)
@@ -1040,7 +1270,7 @@ case $distro in
         # In debian, I could use hte recommended driver,
         # in arch, I had to pick out the 6L driver.
         ;;
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         spa hplip
         ;;
     # other distros unknown
@@ -1048,39 +1278,25 @@ esac
 
 
 case $distro in
-    ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
+    trisquel|ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
     fedora|arch) spa mairix notmuch ;;
 esac
 case $distro in
     arch) spa nfs-utils ;;
-    ubuntu|debian) spa nfs-client ;;
+    trisquel|ubuntu|debian) spa nfs-client ;;
 esac
 case $distro in
-    ubuntu|debian) spa par2 ;;
+    trisquel|ubuntu|debian) spa par2 ;;
     arch|fedora) spa par2cmdline ;;
 esac
 
 # needed for my tex resume
 case $distro in
-    ubuntu|debian) spa texlive-full ;;
+    trisquel|ubuntu|debian) spa texlive-full ;;
     arch) spa texlive-most ;;
     # fedora unknown
 esac
 
-case $distro in
-    ubuntu)
-        # flash, unrar, codecs, ms fonts.
-        # This has a manual prompt.
-        spa ubuntu-restricted-extras
-        ;;
-    fedora)
-        pi yum-utils
-        # rpm fusion recommended codecs
-        s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
-        pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
-           xine-lib-extras-freeworld
-        ;;
-esac
 
 case $distro in
     # optional dep for firefox for h.264 video
@@ -1089,7 +1305,7 @@ case $distro in
 esac
 
 case $distro in
-    fedora|ubuntu|trisquel|debian) spa gnupg-agent ;;
+    fedora|trisquel|ubuntu|debian) spa gnupg-agent ;;
     arch) : ;;
 esac
 
@@ -1101,26 +1317,27 @@ esac
 
 case $distro in
     arch) spa firefox pulseaudio;;
-    *) : ;; # comes default or with other packages
+    trisquel) spa abrowser ;;
+    *) : ;; # comes default or with other packages, or uknown
 esac
 
 
 case $distro in
     arch) spa ttf-dejavu;;
-    debian|ubuntu|trisquel) spa fonts-dejavu ;;
+    debian|trisquel|ubuntu) spa fonts-dejavu ;;
     # others unknown
 esac
 
 
 case $distro in
     arch) spa xorg-xev;;
-    debian|ubuntu|trisquel) spa x11-utils ;;
+    debian|trisquel|ubuntu) spa x11-utils ;;
     # others unknown
 esac
 
 case $distro in
     arch) pi virt-install;;&
-    debian|ubuntu|trisquel) pi virtinst ;;&
+    debian|trisquel|ubuntu) pi virtinst ;;&
     *) pi virt-manager ;; # creates the libvirt group in debian at least
     # others unknown
 esac
@@ -1140,20 +1357,20 @@ for x in iank traci; do s usermod -a -G libvirt,kvm $x; done
 
 case $distro in
     arch) spa cdrkit;;
-    debian|ubuntu|trisquel) spa genisoimage;;
+    debian|trisquel|ubuntu) spa genisoimage;;
     # others unknown
 esac
 
 case $distro in
     arch) spa spice-gtk3 ;;
-    debian|ubuntu|trisquel) spa spice-client-gtk;;
+    debian|trisquel|ubuntu) spa spice-client-gtk;;
     # others unknown
 esac
 
 # general known for debian/ubuntu, not for fedora
 
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi golang-go
         # a bit of googling, and added settings to bashrc
         go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
@@ -1199,7 +1416,7 @@ esac
 
 
 case $distro in
-    arch|debian|ubuntu|trisquel) spa pumpa ;;
+    arch|debian|trisquel|ubuntu) spa pumpa ;;
     # others unknown. do have a buildscript:
     # /a/bin/buildscripts/pumpa ;;
 esac
@@ -1207,123 +1424,21 @@ esac
 
 case $distro in
     debian) pi adb ;;
-    debian|ubuntu|trisquel) spa android-tools-adbd/unstable ;;
+    debian|trisquel|ubuntu) spa android-tools-adbd ;;
+    # todo: not sure this is needed anymore, or if trisqel etc works even
+    #    debian) spa android-tools-adbd/unstable ;;
     arch) spa android-tools ;;
     # other distros unknown
 esac
 
-if [[ $HOSTNAME == treetowl ]]; then
-    case $distro in
-        debian)
-            if [[ `debian-archive`  == testing ]]; then
-                # has no unstable dependencies
-                pi bitcoind/unstable
-                src=/a/opt/bitcoin/contrib/init/bitcoind.service
-                s cp $src /etc/systemd/system
-                p=/etc/bitcoin/bitcoin
-                dst=/etc/systemd/system/bitcoinjm.service
-                # jm for joinmarket
-                $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \
-                     >/etc/systemd/system/bitcoinjm.service
-
-                d=jm; jm=d # being clever for succinctness
-                for s in d jm; do
-                    s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
-                      /etc/systemd/system/bitcoin${s}.service
-                done
-
-                ser daemon-reload
-
-                dir=/nocow/.bitcoin
-                s mkdir -p $dir
-                s chown -R bitcoin:bitcoin $dir
-                dir=/etc/bitcoin
-                s mkdir -p $dir
-                s chown -R root:bitcoin $dir
-                s chmod 750 $dir
-
-                # pruning decreases the bitcoin dir to 2 gb, keeps
-                # just the recent blocks. can\'t do a few things like
-                # import a wallet dump.
-                # pruning works, but people had to do
-                # some manual stuff in joinmarket. I dun need the
-                # disk space, so not bothering yet, maybe in a year or so.
-                # https://github.com/JoinMarket-Org/joinmarket/issues/431
-                #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
-                #prune=550
-
-                f=$dir/bitcoin.conf
-                s dd of=$f <<EOF
-server=1
-# necessary for joinmarket, not bad in general
-rpcpassword=$(openssl rand -base64 32)
-rpcuser=$(openssl rand -base64 32)
-EOF
-
-                # dunno about sharing a wallet between multiple instances
-                # manually did, wallet.dat symlinked in /nocow/.bitcoin
-                sgo bitcoind
-            fi
-            ;;
-        # other distros unknown
-    esac
-
-#     ## disabling joinmarket, its too expensive
-#     ### begin joinmarket setup ###
-
-#     case $distro in
-#         debian)
-#             f=$dir/bitcoin.conf
-#             f2=$dir/bitcoinjm.conf
-#             s cp $f $f2
-#             s tee -a $f2 >/dev/null <<EOF
-# # Joinmarket
-# walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
-# alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
-# wallet=joinmarket.dat
-# EOF
-
-#             ;;
-#         # other distros unknown
-#     esac
-
-#     pi libsodium-dev python-pip
-#     cd /a/opt/joinmarket
-#     # using develop branch, as it seems to be mostly bug fixes,
-#     # and this is quite new software.
-#     # note: python3 does not work.
-#     # has seg fault error due to some bug, but it still works
-#     pip install -r requirements.txt || [[ $? == 139 ]]
-#     # note, the target must exist ahead of time, or bitcoin
-#     # just overwrites the link, and it\'s not happy with an empty file,
-#     # so we have to create the wallet, then move and link it.
-#     s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
-#     s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
-#     # not technically needed, but seems cleaner not to have
-#     # symlinks be root owned unlike everything else
-#     s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
-
-#     for var in rpcuser rpcpassword; do
-#         u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
-#         # escape backslashes
-#         u="${u//\\/\\\\\\\\}"
-#         # escape commas
-#         u="${u//,/\\,}"
-#         sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
-#     done
-#     sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
-#     ### end joinmarket setup ###
-
-
-fi
 
 
 case $distro in
     fedora)
         cd $(mktemp -d)
-        wget http://tamacom.com/global/global-6.3.2.tar.gz
+        wget ftp://ftp.gnu.org/pub/gnu/global/global-6.5.7.tar.gz
         ex global*
-        cd global-6.3.2
+        cd global-6.5.7
         # based on https://github.com/leoliu/ggtags
         ./configure --with-exuberant-ctags=/usr/bin/ctags
         make
@@ -1336,7 +1451,7 @@ case $distro in
     arch)
         pi  python2-pygments
         ;;
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi python-pygments
         ;;
 esac
@@ -1344,18 +1459,22 @@ esac
 
 case $distro in
     debian)
-        pi task-cinnamon-desktop
+        pi task-mate-desktop
         # in settings, change scrolling to two-finger,
         # because the default edge scroll doesn\'t work.
         pu transmission-gtk
         ;;
+    trisquel)
+        # mate-indicator-applet and beyond are msc things I noticed diffing a
+        # standard install with mine.
+        pi xorg lightdm mate-desktop-environment mate-desktop-environment-extras mate-indicator-applet anacron
+        ;;
     # others unknown
 esac
 
 case $distro in
     arch) spa apg  ;;
-
-    # already in debian jessie
+    # already in debian
 esac
 
 
@@ -1432,7 +1551,7 @@ fi
 # EOF
 #         s systemctl daemon-reload
 #         case $HOSTNAME in
-#             x2|treetowl)
+#             x2|tp)
 #                 ser enable synergyc@iank
 #                 ser start synergyc@iank ||: # X might not be running yet
 #                 ;;
@@ -1445,16 +1564,38 @@ fi
 # esac
 
 
-
+pi --no-install-recommends kdeconnect-plasma
 ### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
-pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus
+### but gnome + xmonad not working in flidas, so i disabled it
+pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus libappindicator3-dev
 cd /a/opt/indicator-kdeconnect
 mkdir -p build
 cd build
 cmake .. -DCMAKE_INSTALL_PREFIX=/usr
 make
 sudo make install
+# we can start it manually with /usr/lib/x86_64-linux-gnu/libexec/kdeconnectd
+# it seems, according to
+# /etc/xdg/autostart/kdeconnectd.desktop
+# I'm not seeing the icon, but the clipboard replication is working
+
+
+### model 01 arduino support ###
+# https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
+# also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
+# set arduino var in bashrc,
+# have system config file setup too.
+sudo adduser $USER dialout
+case $distro in
+    arch)
+        sudo usermod -a -G uucp $USER
+        ;;
+esac
 
+# this is for the mail command too. update-alternatives is kind of misleading
+# since at least it's main commands pretend mail does not exist.
+# bsd's mail got pulled in on some dumb dependency, i dunno how.
+s update-alternatives --set mailx /usr/bin/mail.mailutils
 
 ######### end misc packages #########
 
@@ -1499,17 +1640,31 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
 
 ########### misc stuff
 
+
+/a/bin/distro-setup/mymimes
+
+
+# stop autopoping windows when i plug in an android phone.
+# dbus-launch makes this work within an ssh connection, otherwise you get this message,
+# with still 0 exit code.
+# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
+dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
+
+
+# on grub upgrade, we get prompts unless we do this
 devs=()
 for dev in $(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p'); do
     devs+=($(devbyid $dev),)
 done
 devs[-1]=${devs[-1]%,} # jonied by commas
-
-# on grub upgrade, we get prompts unless we do this
 s debconf-set-selections <<EOF
-grub-pc	grub-pc/install_devices	multiselect ${devs[*]}
+grub-pc grub-pc/install_devices multiselect ${devs[*]}
 EOF
 
+# btrfs maintenance
+sgo btrfsmaint.timer
+sgo btrfsmaintstop.timer
+
 
 # the wiki backup script from ofswiki.org uses generic paths
 s lnf /p/c/machine_specific/li/mw_vars /root
@@ -1532,27 +1687,16 @@ EOF
 
 
 case $distro in
-    debian|ubuntu|trisquel)
-        case `debian-archive` in
-            stable)
-                s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
-Explanation: Allow unison-gtk to be upgraded
-Package: unison-gtk
-Pin: release a=testing
-Pin-Priority: 500
-EOF
-                # dont think using testing is needed since I figured out how to
-                # deal with mismatching unison compilers, but I dont
-                # see any reason to revert it, since it only installs
-                # a single package which is primarily a single binary
-                ;;
-        esac
-        pi unison/testing
-        pi unison-gtk/testing # after to make it the default unison
-        ;;
-    arch)
-        pi unison gtk2
+    trisquel|ubuntu|debian)
+        # unison-gtk second, i want it to be default, not sure if that works
+        # with spa. note, I used to install from testing repo when using stable,
+        # but it shouldn't be needed since I wrote a script to handle mismatching
+        # compilers.
+        spa unison unison-gtk
         ;;
+arch)
+    spa unison gtk2
+    ;;
 esac
 
 case $distro in
@@ -1568,24 +1712,26 @@ esac
 #
 # # disabled due to my patch being in btrbk
 # case $distro in
-#     arch|debian|ubuntu|trisquel) pi btrbk ;;
+#     arch|debian|trisquel|ubuntu) pi btrbk ;;
 #     # others unknown
 # esac
 cd /a/opt/btrbk
 s make install
 spa pv # for progress bar when running interactively.
-if [[ $HOSTNAME == treetowl ]]; then
-    # backup/sync manually on others hosts for now.
-    sgo btrbk.timer
-    # note: to see when it was last run,
-    # ser list-timers
-fi
+
+# ian: temporarily disabled while hosts are in flux.
+# if [[ $HOSTNAME == tp ]]; then
+#     # backup/sync manually on others hosts for now.
+#     sgo btrbk.timer
+#     # note: to see when it was last run,
+#     # ser list-timers
+# fi
 
 
 
 
 case $distro in
-    debian|ubuntu|trisquel) s gpasswd -a iank adm ;; #needed for reading logs
+    debian|trisquel|ubuntu) s gpasswd -a iank adm ;; #needed for reading logs
 esac
 
 # tor
@@ -1663,7 +1809,7 @@ EOF
         pi nfs-utils
         sgo nfs-server
         ;;
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi nfs-server
         ;;
     arch)
@@ -1675,81 +1821,9 @@ EOF
 esac
 
 
-########### begin kodi setup ############
-pi kodi
-
-# based on https://wiki.debian.org/SecuringNFS
-# but the quota stuff is either outdated or optional,
-# i guessed that it was not needed and it worked fine.
-s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
-fs.nfs.nfs_callback_tcpport = 32764
-fs.nfs.nlm_tcpport = 32768
-fs.nfs.nlm_udpport = 32768
-EOF
-s sysctl --system
-s $sed -ri -f - /etc/default/nfs-common <<'EOF'
-/^\s*STATDOPTS=/d
-$a STATDOPTS="--port 32765 --outgoing-port 32766"
-EOF
-
-s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
-/^\s*RPCMOUNTDOPTS=/d
-$a RPCMOUNTDOPTS="--manage-gids --port 32767"
-EOF
-ser restart nfs-kernel-server
-
-if [[ $HOSTNAME == treetowl ]]; then
-    # persistent one time steps for webdav:
-    # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
-    # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
-    # htpasswd -c /p/c/filesystem/etc/davpass dav
-    # chmod 640 /p/c/filesystem/etc/davpass
-    # in conflink, set group to www-data.
-    # In kodi, i set the music source, server address: my domain,
-    # path: k/music. Then copied the file
-    # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
-    s a2enmod dav dav_fs
-    web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
-<Directory /a/c/playlists>
-    DAV On
-  AuthType Basic
-  AuthName "Authentication Required"
-  AuthUserFile "/etc/davpass"
-  Require valid-user
-
-# outside the standard /var/www, so use this:
-  Order allow,deny
-  Allow from all
-</Directory>
-EOF
-    s mkdir -p /var/www/davlock
-    s chown www-data:www-data /var/www/davlock
-    s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
-    ser reload apache2
-
-    teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
-    exportfs -ra
-
-    # kodi uses sqlite by default, but supports mysql.
-    pi mariadb-server
-
-    # see ofswiki.org for explanation.
-    dbpass="$(cat /p/mysql-root-pass)"
-    if ! echo exit|mysql -uroot "-p$dbpass"; then
-        echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
-    fi
-    mysql -uroot "-p$dbpass" <<EOF
-GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
-EOF
-    s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
-    ser restart mariadb
-
-fi
-
-###########  end kodi setup ############
 
 
-if [[ $HOSTNAME == treetowl ]]; then
+if [[ $HOSTNAME == frodo ]]; then
     # nohide = export filesystems mounted deeper than the export point
     # fsid=0 makes this export the "root" export
     # not documented in the man page, but this means
@@ -1766,125 +1840,22 @@ e "$end_msg_var"
 
 
 # persistent virtual machines
-
 case $distro in
-    debian|ubuntu|trisquel)
+    debian|trisquel|ubuntu)
         pi libosinfo-bin;
         ;;
 esac
-
-# distro may not know about win 10 yet.
-variant=win7
-if ! virt-install --os-variant list &>/dev/null; then # we are using a newer virt-install
-    for v in 10 8.1 8; do
-        if osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null; then
-            variant=win$v
-            break
-        fi
-    done
-fi
-
-if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then
-
-    # created account with
-    # win10vmian@outlook.com, and easy to remember password
-    # win 10 virtio, makes disk way way way faster
-    # wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
-    # https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
-    # for installing virtio after initial install instead of with initial iso:
-    # qemu-img create -f qcow2 fake.qcow2 1G
-    #    --disk=/a/images/virtio-win.iso,device=cdrom \
-        #          --disk=/a/images/fake.qcow2,bus=virtio
-    #  Also,
-    #   went to device manager, saw 2 pci devices with yellow !,
-    #   did search for drivers, pick  cdrom location, done.
-    #
-    # from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
-    # google said there was a control panel option for it, but
-    # that turned out to be a lie.
-    # Put this in a .bat file and run as administrator to turn off
-    # hyberboot which fucks things up.
-    # REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
-    # power settings, turn off display: never
-    # run "control userpasswords2", turn on automatic login.
-    # note: when changing devices, I just undefine, the create the vm again.
-
-    if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
-        s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
-          --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
-          -n win10 --import --os-variant $variant --cpu host-model-only
-
-        s virsh destroy win10
-    fi
-
-    if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
-        # this one hasn\'t had the virtio fix done yet.
-        s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
-          --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
-          -n win7 --import --os-variant win7 --cpu host-model-only
-        s virsh destroy win7
-        # had a problem with --cpu host, so trying out
-        # --cpu host-model-only
-    fi
-fi
+# if I was going to create a persistent vm, i might do it like this:
+# variant=something  # from: virt-install --os-variant list
+# s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
+    #   --disk=/a/images/some_name.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
+    #   -n some_name --import --os-variant $variant --cpu host-model-only
 
 
-if [[ $HOSTNAME == treetowl ]]; then
-    pi samba
-    # note samba re-reads it\'s config every 1 minute
-    case $distro in
-        arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
-    esac
-
-    # add 2 lines after workgroup option
-    s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
-    s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
-    s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/'  /etc/samba/smb.conf
-    # remove default homes section. not sharing that.
-    s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf
-
-    if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
-        s tee -a /etc/samba/smb.conf <<'EOF'
-[public]
-      guest ok = yes
-      read only = no
-      path = /kr
-EOF
-    fi
-
-    case $distro in
-        debian|ubuntu|trisquel)
-            # systemd claims it generates units from /etc/init.d, but it
-            # clearly doesn\'t in debian. I have no idea how they are
-            # related. fuck debian right now. It\'s not documented.  samba
-            # has a systemd init file linked to /dev/null.  There\'s this
-            # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
-            # claims samba\'s sub-services will be started automatically by
-            # systemd... it didn\'t on install, wonder if it will on
-            # boot. It clued me in how to start it manually though. Nothing
-            # in /usr/share/doc/samba, debian admin guide says nothing about
-            # any of this. (this is in debian testing as of 4/2016).
-
-            s /etc/init.d/samba start
-            ;;
-        arch)
-            sgo samba
-            ;;
-    esac
-fi
-
-tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)"
-
 
 ######### begin stuff belonging at the end    ##########
 
 
-# Apps we want to override others for default file handler:
-# simplest way in debian is to just install them last.
-simple_packages+=(
-    mpv
-)
-
 case $distro in
     ubuntu|debian)
         spa spacefm-gtk3 ;;
@@ -1902,3 +1873,4 @@ if $pending_reboot; then
 else
     echo "$0: $(date): ending now)"
 fi
+exit 0