X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=9f06366c8f3a1b0efde3830d45ea2d2484a74df4;hb=a83e91030893a823da5f057d6b848dbac7593f01;hp=cd3de8162f962c058b7c3b5f7c06c4777df25251;hpb=d314b216046098f4b520cc14946c5d7c00f2089a;p=distro-setup
diff --git a/distro-end b/distro-end
index cd3de81..9f06366 100755
--- a/distro-end
+++ b/distro-end
@@ -1,170 +1,81 @@
#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling
-# This program is under GPL v. 3 or later, see
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
-set -x
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
-exec &> >(sudo tee -a /var/log/distro-end)
-echo "$0: $(date): starting now)"
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+### setup
+errcatch
src="${BASH_SOURCE%/*}"
+source $src/pkgs
+set -x
+exec &> >(sudo tee -a /var/log/distro-end)
+echo "$0: $(date): starting now)"
+# see example of usage to understand.
end_msg() {
- = local y
+ local y
IFS= read -r -d '' y ||:
end_msg_var+="$y"
}
-
spa() { # simple package add
simple_packages+=($@)
}
-
distro=$(distro-name)
-
pending_reboot=false
-
+sed="sed --follow-symlinks"
# template
case $distro in
esac
+#### initial packages
pup
-
-simple_packages=(
- mailutils
- nmon
- ruby
- ruby-rest-client
- tree
- vim
-)
-
-if [[ $HOSTNAME != lj && $HOSTNAME != lk ]]; then
- # universal packages
- simple_packages+=(
- apache2
- bwm-ng
- chromium
- duplicity
- evince
- fdupes
- filelight
- gdb
- gnome-screenshot
- jq
- locate
- meld
- offlineimap
- p7zip
- paprefs
- pavucontrol
- pdfgrep
- pianobar
- pidgin
- rdiff-backup
- slock
- squashfs-tools
- tcpdump
- transmission-remote-gtk
- vlc
- )
+if isdeb; then
+ pi aptitude
fi
+########### begin section including li ################
+pi ${p3[@]} $($src/distro-pkgs)
-
-########### begin section including lj ################
-
-
-case $distro in
- fedora) spa unrar ;;
- *) spa unrar-free ;;
-esac
-
+conflink
case $distro in
- arch)
- # ubuntu 14.04 uses b-cron,
- # but its not maintained in arch.
- # of the ones in the main repos, cronie is only one maintained.
- # fcron appears abandoned software.
- pi cronie
- sgo cronie
- ;;
- *) : ;; # other distros come with cron.
+ arch) sgo cronie ;;
esac
-
case $distro in
- debian|ubuntu)
- pi debian-goodies
- ;;
-esac
-
-
-case $distro in
- *) pi at ;;&
arch) sgo atd ;;
esac
case $distro in
- debian) pi curl;;
- arch) : ;;
- # fedora: unknown
-esac
-
-case $distro in
- # tk for gitk
- arch) spa git tk ;;
- *) spa git ;;
-esac
-
-case $distro in
- arch) spa the_silver_searcher ;;
- debian|ubuntu) spa silversearcher-ag ;;
- # fedora unknown
-esac
-
-case $distro in
- debian|ubuntu) spa ntp;;
- arch)
- pi ntp
- sgo ntpd
- ;;
- # others unknown
+ arch) sgo ntpd ;;
esac
# no equivalent in other distros:
case $distro in
- debian|ubuntu)
- pi apt-file aptitude
- s apt-file update
- # for debconf-get-selections
- spa debconf-utils
- ;;
-esac
-
-case $distro in
- ubuntu|debian) spa ack-grep ;;
- arch|fedora) spa ack ;;
- # fedora unknown
-esac
-
-case $distro in
- arch|debian|ubuntu)
- spa bash-completion
+ debian|trisquel|ubuntu)
+ if ! dpkg -s apt-file &>/dev/null; then
+ # this condition is just a speed optimization
+ pi apt-file
+ s apt-file update
+ fi
;;
- # others unknown
esac
-
-
-
# disable motd junk.
-case $(distro-name) in
+case $distro in
debian)
# allows me to pipe with ssh -t, and gets rid of spam
# http://forums.debian.net/viewtopic.php?f=5&t=85822
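Review bot: `set -x` in the new setup block is enabled before `exec &> >(sudo tee -a /var/log/distro-end)`, so every expanded command line is traced into a persistent root-written log, and later in this same commit (third hunk) the mumble `serverpassword` sed and the pump.io `SECRET_REPLACE_ME` sed expand `$(< /a/bin/bash_unpublished/mumble_pass)` and `$(cat /p/c/machine_specific/li/pump-secret)` on the command line, so those secrets will land in `/var/log/distro-end`. Bracket those lines with `set +x` / `set -x`, or leave xtrace off until after the secret substitutions. `errcatch` replaces the explicit `set -eE -o pipefail` and ERR trap and is called before `source $src/pkgs`, so it presumably comes from the login environment pulled in by `#!/bin/bash -l`; a one-line comment naming where it is defined would save the next reader a search. Minor: `source $src/pkgs` should be `source "$src/pkgs"`, and the echo still has a stray `)` in `"starting now)"`.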
@@ -172,9 +83,12 @@ case $(distro-name) in
# this says disabling the service, it will still get restarted
# but this script doesn't do anything on restart, so it should be fine
s dd of=/var/run/motd.dynamic if=/dev/null
- s update-rc.d motd disable
+ # stretch doesn't have initscripts pkg installed by default
+ if [[ $(debian-codename) == jessie ]]; then
+ s update-rc.d motd disable
+ fi
;;
- ubuntu)
+ trisquel|ubuntu)
# this isn't a complete solution. It still shows me when updates are available,
# but it's no big deal.
s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
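Review bot: The new guard pins `update-rc.d motd disable` to the jessie codename, which silently stops applying on any other release that still ships the motd init script and is the opposite of what the comment about stretch actually describes. Testing for the precondition directly, `if [[ -e /etc/init.d/motd ]]; then`, expresses why the call is conditional and keeps the stretch remark as rationale rather than as the rule. The enclosing `case $distro` starts before this hunk.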
@@ -188,159 +102,929 @@ esac
# /usr/share/doc/unattended-upgrades# cat README.md
# /etc/apt/apt.conf.d/50unattended-upgrades
if isdebian; then
- pi unattended-upgrades
- s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
-# this file was mostly just comments.
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
+ setup-debian-auto-update
+fi
+
+
+### begin docker install ####
+if isdeb; then
+ # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
+ pi software-properties-common apt-transport-https
+ curl -fsSL https://download.docker.com/linux/$(distro-name-compat)/gpg | sudo apt-key add -
+ sudo add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/$(distro-name-compat) \
+ $(debian-codename-compat) \
+ stable"
+ p update
+ pi docker-ce
+ sgo docker
+ # other distros unknown
+fi
+### end docker install ####
+
+
+### begin certbot install ###
+case $distro in
+ debian)
+ # note, need python-certbot-nginx for nginx, but it depends on nginx,
+ # and I'm not installing nginx by default right now.
+ # note python-certbot-apache is in suggests, but so is a doc package that brought in xorg
+ if [[ $(debian-codename) == jessie ]]; then
+ pi -t jessie-backports certbot python-certbot-apache
+ else
+ pi certbot python-certbot-apache
+ fi
+ ;;
+ trisquel|ubuntu)
+ # not packaged in xenial or flidas
+ pi software-properties-common
+ # this fails with:
+ #
+ # gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
+ # gpg: Total number processed: 1
+ # gpg: imported: 1
+ # gpg: no valid OpenPGP data found.
+ # Failed to add key.
+ #
+ # but it seems to work fine, perhaps it's only failing on the second run.
+ s add-apt-repository -y ppa:certbot/certbot ||:
+ p update
+ pi python-certbot-apache
+ ;;
+ # todo: other distros unknown
+esac
+# make a version of the certbot timer that emails me.
+x=/systemd/system/certbot
+$sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
+s,^Description.*,\0 mail version,
+EOF
+$sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
+s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
+EOF
+ser daemon-reload
+sgo certbotmail.timer
+### end certbot install ###
+
+
+# dogcam setup
+case $HOSTNAME in
+ lj|li)
+ /a/bin/webcam/install-server
+ ;;
+ kw)
+ /a/bin/webcam/install-client
+ ;;
+esac
+
+# website setup
+case $HOSTNAME in
+ lj|li)
+ case $HOSTNAME in
+ lj) domain=iank.bid; exit 0 ;;
+ li) domain=iankelling.org ;;
+ esac
+ /a/h/setup.sh $domain
+ /a/h/build.rb
+
+ sudo -E /a/bin/mediawiki-setup/mw-setup-script
+
+ pi-nostart mumble-server
+ s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
+
+ # do certificate to avoid warning about unsigned cert,
+ # which is overkill for my use, but hey, I'm cool, I know
+ # how to do this.
+ web-conf apache2 mumble.iankelling.org
+ s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
EOF
+ sgo mumble-server
- { cat <<'EOF'
-Unattended-Upgrade::Mail "root";
-Unattended-Upgrade::MailOnlyOnError "true";
-Unattended-Upgrade::Remove-Unused-Dependencies "true";
-Unattended-Upgrade::Origins-Pattern {
-# default is just upgrade main and security, not updates.
+ vpn-server-setup -rd
+ s tee /etc/openvpn/client-config/mail <<'EOF'
+ifconfig-push 10.8.0.4 255.255.255.0
EOF
- if isdebian-testing; then
- cat <<'EOF'
-# for testing, only do security updates.
- "origin=Debian,codename=${distro_codename},label=Debian-Security";
+
+ # it\'s strange. docker seems to make the default for forward
+ # be drop, but then I set it to accept and it\'s stuck that way,
+ # I dun know why. But, let\'s make sure we can forward anyways.
+ s DEBIAN_FRONTEND=noninteractive pi iptables-persistent
+ rm /etc/iptables/rules.v6
+ s tee /etc/iptables/rules.v4 <<'EOF'
+*filter
+-A FORWARD -i tun+ -o eth0 -j ACCEPT
+-A FORWARD -i eth0 -o tun+ -j ACCEPT
+COMMIT
EOF
- else
- cat <<'EOF'
-# These are stable packages only getting bugfixes anyways.
- "origin=*";
+
+
+ sudo dd of=/etc/systemd/system/vpnmail.service <
+ Options +FollowSymLinks +Multiviews +Indexes
+ AllowOverride None
+ AuthType basic
+ AuthName "Authentication Required"
+ # setup one time, with root:www-data, 640
+ AuthUserFile "/etc/caldav-htpasswd"
+ Require valid-user
+
EOF
- } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades
+ # nginx version of above would be:
+ # auth_basic "Not currently available";
+ # auth_basic_user_file /etc/nginx/caldav/htpasswd;
- echo $- > /tmp/x
-fi
+ ########## begin pump.io setup ##########
-# cron
-/a/bin/crons/all
+ # once pump adds a logrotation script, turn off nologger,
+ # and add
+ # "logfile": "/var/log/pumpio/pumpio.log",
+ #
+ s dd of=/etc/pump.io.json <<'EOF'
+{
+ "secret": "SECRET_REPLACE_ME",
+ "driver": "mongodb",
+ "params": { "dbname": "pumpio" },
+ "noweb": false,
+ "site": "pump.iankelling.org",
+ "owner": "Ian Kelling",
+ "ownerURL": "https://iankelling.org/",
+ "port": 8001,
+ "urlPort": 443,
+ "hostname": "pump.iankelling.org",
+ "nologger": true,
+ "datadir": "/home/pumpio/pumpdata",
+ "enableUploads": true,
+ "debugClient": false,
+ "disableRegistration": true,
+ "noCDN": true,
+ "key": "/home/pumpio/privkey.pem",
+ "cert": "/home/pumpio/fullchain.pem",
+ "address": "localhost",
+ "sockjs": false
+}
+EOF
+ s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
+
+ # stretch node is too old
+ # https://nodejs.org/en/download/package-manager/
+ curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
+ pi nodejs graphicsmagick mongodb
+ cd /home/iank
+ if [[ -e pump.io ]]; then
+ cd pump.io
+ git pull
+ else
+ git clone https://github.com/pump-io/pump.io.git
+ cd pump.io
+ fi
+ # note: doing this or the npm install pump.io as root had problems.
+ npm install
+ npm run build
+ # normally, next command would be
+ # s npm install -g odb
+ # but it\'s this until a bug in pump gets fixed
+ # https://github.com/pump-io/pump.io/issues/1287
+ s npm install -g databank-mongodb@0.19.2
+ if ! getent passwd pumpio &>/dev/null; then
+ s useradd -m -s /bin/false pumpio
+ fi
+ sudo -u pumpio mkdir -p /home/pumpio/pumpdata
+ # for testing browser when only listening to localhost,
+ # in the pump.io.json, set hostname localhost, urlPort 5233
+ #ssh -L 5233:localhost:5233 li
+
+ s mkdir -p /var/log/pumpio/
+ s chown pumpio:pumpio /var/log/pumpio/
+
+ web-conf - apache2 pump.iankelling.org <<'EOF'
+# currently a bug in pump that we cant terminate ssl
+ SSLProxyEngine On
+ ProxyPreserveHost On
+ ProxyPass / https://127.0.0.1:8001/
+ ProxyPassReverse / https://127.0.0.1:8001/
+ # i have sockjs disabled per people suggesting that
+ # it won\'t work with apache right now.
+ # not sure if it would work with this,
+ # but afaik, this is pointless atm.
+
+ ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
+ ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
+
+EOF
+ sudo -i <<'EOF'
+export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
+/a/bin/distro-setup/certbot-renew-hook
+EOF
-case $HOSTNAME in
- lj|lk)
-
- pi "${simple_packages[@]}"
- $src/homepage-setup
- $src/
-
-# start=' *