X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=ba0b585482efd636a10dde0c64c5ba7060d110a7;hb=1f027ea146ea6c62002a8f67f831273a5c431b52;hp=e8e3ee031cf620ca9823a1c379a8d2cf9865a5b4;hpb=774fe9ab8c8d5c71614feda5a283b4a91fb3f145;p=distro-setup
diff --git a/distro-end b/distro-end
index e8e3ee0..ba0b585 100755
--- a/distro-end
+++ b/distro-end
@@ -1,12 +1,28 @@
#!/bin/bash
-# Copyright (C) 2019 Ian Kelling
-# SPDX-License-Identifier: AGPL-3.0-or-later
-# shellcheck source=/a/bin/ds/.bashrc
-export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi
+# Setup Ian's computers
+# Copyright (C) 2024 Ian Kelling
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# shellcheck source=./brc
+source ~/brc
### setup
-source /a/bin/errhandle/err
+source /a/bin/bash-bear-trap/bash-bear
src="$(readlink -f -- "${BASH_SOURCE[0]}")"; src=${src%/*} # directory of this file
if [[ $EUID == 0 ]]; then
@@ -43,7 +59,7 @@ end() {
}
pre="${0##*/}:"
sudo() {
- printf "$pre %s\n" "$*"
+ printf "$pre sudo %s\n" "$*"
SUDOD="$PWD" command sudo "$@";
}
m() { printf "$pre %s\n" "$*"; "$@"; }
@@ -90,7 +106,6 @@ EOF
########### begin section including vps ################
pi ${p2[@]}
-
conflink
sudo rm -fv
@@ -124,260 +139,46 @@ esac
-
-# dogcam setup. not using atm
-# case $HOSTNAME in
-# lj|li)
-# /a/bin/webcam/install-server
-# ;;
-# kw)
-# /a/bin/webcam/install-client
-# ;;
-# esac
-
-
-## not actually using prometheus just yet
-# # office is not exposed to internet yet
-# if [[ $HOSTNAME != kw ]]; then
-# ## prometheus node exporter setup
-# web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
-# #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
-# # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-#
-# AllowOverride None
-# AuthType basic
-# AuthName "Authentication Required"
-# # setup one time, with root:www-data, 640
-# AuthUserFile "/etc/prometheus-htpasswd"
-# Require valid-user
-#
-# EOF
-# fi
-
-
pi debootstrap
######### begin universal pinned packages ######
case $(debian-codename) in
- nabia|etiona|flidas)
+ etiona|flidas|nabia|aramo)
sudo rm -fv /etc/apt/preferences.d/etiona-buster
sd /etc/apt/preferences.d/trisquel-debian </dev/null </dev/null; then
- # moved to fai
- #sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
- sd /etc/apt/preferences.d/flidas-bionic <$t <$t <$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
- ;;
- bullseye)
- cat >$t <<'EOF'
-EOF
+ bookworm)
cat >$t </dev/null
+ sudo dd if=$t of=$f status=none
p update
fi
@@ -463,7 +274,7 @@ deb http://mirror.fsf.org/trisquel/ nabia-backports main
deb-src http://mirror.fsf.org/trisquel/ nabia-backports main
EOF
if ! diff -q $t $f; then
- sudo dd if=$t of=$f 2>/dev/null
+ sudo dd if=$t of=$f status=none
p update
fi
@@ -484,6 +295,34 @@ Pin: release n=bionic,o=Ubuntu
Pin-Priority: -100
EOF
+ ;;&
+ nabia)
+ sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+ f=/etc/apt/sources.list.d/aramo.list
+ t=$(mktemp)
+ cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+ if ! diff -q $t $f; then
+ sudo dd if=$t of=$f status=none
+ p update
+ fi
+
;;&
*)
if isdeb; then
@@ -492,7 +331,11 @@ EOF
;;
esac
-
+case $codename_compat in
+ jammy)
+ s systemctl enable --now ssh-agent-iank
+ ;;
+esac
case $codename_compat in
focal)
@@ -533,6 +376,14 @@ EOF
Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
Pin: release o=Debian*,n=bullseye
Pin-Priority: 500
+EOF
+ ;;
+ aramo)
+ # obs dependency not in trisquel
+ sd /etc/apt/preferences.d/obs <
- Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+
AllowOverride None
- AuthType basic
+ AuthType Basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
+ RequestHeader set X-Remote-User expr=%{REMOTE_USER}
+
+
+ Options +FollowSymLinks +Multiviews -Indexes
RequestHeader set X-Script-Name /radicale/
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
ProxyPass "http://10.8.0.4:5232/" retry=0
@@ -866,6 +710,16 @@ EOF
end
;;
esac
+
+case $HOSTNAME in
+ bk)
+ pi icecast2
+ # todo, save the config
+ /etc/cron.daily/stream-cert
+ web-conf -c /etc/cert-live.fsf.org -p 443 -f 8000 apache2 live.fsf.org
+ ;;
+esac
+
###### end website setup
########### end section including li/lj ###############
@@ -875,7 +729,7 @@ esac
### system76 things ###
case $HOSTNAME in
- sy|bo)
+ bo) # sy| sy doesnt seem to really need this.
# note, i stored the initial popos packages at /a/bin/data/popos-pkgs
if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
# https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
@@ -908,10 +762,40 @@ EOF
fi
;;
esac
+### end system76 things ###
case $distro in
trisquel|ubuntu)
+
+ ## one time setup thing I did
+ # c /a/opt/obs-cmd/
+ # cargo build --release
+ # cp target/release/obs-cmd ../bin
+ #
+ ## in obs, tools -> websocket server settings -> generate/copy password
+ #
+ # note: obs-studio on gnu does not support webrtc, it seems mainly because
+ # libdatachannel is not packaged. If it was, it would just need to do
+ # apt source obs-studio, obs-studio-30.1.1/debian/rules set -DENABLE_WEBRTC=ON
+ #
+ # I did manage to build libdatachannel following its instructions, then make install,
+ # then obs failed due to nvidia. found those options to disable with
+ # rg 'option\(ENABLE' | gr nv, then build obs like so:
+ #
+ # cmake -DLINUX_PORTABLE=ON -DCMAKE_INSTALL_PREFIX="${HOME}/obs-studio-portable" -DENABLE_BROWSER=OFF -DENABLE_AJA=OFF -DENABLE_NEW_MPEGTS_OUTPUT=OFF -DENABLE_WEBRTC=ON -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DENABLE_NVVFX=OFF -DENABLE_NVAFX=OFF -DENABLE_NATIVE_NVENC=OFF ..
+ #
+ #
+ #
+ # however, I didn't end up trying it out.
+ #
+ # note, in terminal source, i setup a transform so it would show the
+ # bottom 1080p section of the terminal instead of the top if the
+ # screen was bigger. click like 2 times in the preview so the red
+ # lines show up, right click, edit transform (or ctrl-e). bounding
+ # box type: scale to width of bounds. alignment in bounding box:
+ # bottom left. bounding box size 1920 x 1080.
+
# ppa:obsproject/obs-studio
if [[ ! -s /etc/apt/sources.list.d/obs.list ]]; then
# https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
@@ -923,6 +807,7 @@ EOF
p update
fi
;;
+
esac
case $codename_compat in
@@ -974,6 +859,10 @@ EOF
# and choose lightdm.
#
;;
+ jammy)
+ # not yet bothering with mate
+ pi lightdm-gtk-greeter lightdm
+ ;;
esac
@@ -1042,8 +931,25 @@ esac
# way to install suggests even if the main package is already
# installed. reinstall doesn't work, uninstalling can cause removing
# dependent packages.
+# shellcheck disable=SC2046 # word splitting is intended
pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+ s u /etc/systemd/system/binfmt-support.service.d/override.conf </dev/null; then
# note, see bashrc for more documentation.
@@ -1192,10 +1059,6 @@ if [[ -e /p/c/machine_specific/$HOSTNAME/filesystem/etc/openvpn/client/hole.crt
sgo openvpn-client@hole
fi
-if [[ $HOSTNAME == frodo ]]; then
- vpn-mk-client-cert -b frodo -n hole iankelling.org
-fi
-
############# begin syncthing setup ###########
case $HOSTNAME in
kd|frodo)
@@ -1285,6 +1148,24 @@ fi
####### begin misc packages ###########
+# old location, 2023.
+sudo rm -fv /etc/systemd/system/profanity.service
+case $HOSTNAME in
+ kd)
+ ln -sfT /d/p/profanity ~/.local/share/profanity
+ ln -sfT /d/p/profanity-config ~/.config/profanity
+ source /a/bin/bash_unpublished/source-state
+ if [[ $HOSTNAME == "$HOST2" || ! -e /p/profanity-here ]]; then
+ systemctl --user --now enable profanity
+ fi
+ ;;
+ *)
+
+ ln -sfT /p/profanity ~/.local/share/profanity
+ ln -sfT /p/profanity-config ~/.config/profanity
+ ;;
+esac
+
# template
case $codename in
flidas)
@@ -1439,32 +1320,8 @@ sgo schrootupdate.timer
# for my roommate
case $distro in
trisquel)
- m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/bullseye.list/BULLSEYE_FREE \
- debian bullseye firefox-esr pulseaudio chromium anki
- case $(debian-codename) in
- etiona|nabia)
- # we have a lot of t8 stuff, useful to have
- m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/flidas.list/FLIDAS \
- trisquel flidas
- tu /nocow/schroot/flidas/etc/sudoers </dev/null && \
! systemctl is-active transmission-daemon; then
tmp=$(mktemp)
@@ -1599,6 +1458,9 @@ esac
######### begin transmission client setup ######
+# to connect from a remote client, trans-remote-route in brc2
+
+
if [[ -e /p/transmission-rpc-pass ]]; then
# arch had a default config,
# debian had nothing until you start it.
@@ -1640,7 +1502,7 @@ EOF
"profiles" : [
{
"profile-name" : "Default",
- "hostname" : "10.173.0.2",
+ "hostname" : "10.174.2.2",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
@@ -1691,9 +1553,11 @@ sudo gpasswd -a $USER lpadmin # based on ubuntu wiki
# general known for debian/ubuntu, not for fedora
m /a/bin/buildscripts/go
+# only needed for rg. cargo takes up 11 gigs, filled up the disk on je.
m /a/bin/buildscripts/rust
m /a/bin/buildscripts/misc
-m /a/bin/buildscripts/pithosfly
+
+#m /a/bin/buildscripts/pithosfly
#m /a/bin/buildscripts/alacritty
#m /a/bin/buildscripts/kitty
@@ -1789,10 +1653,18 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
########### misc stuff
-if [[ $HOSTNAME != frodo ]]; then
- # remove. i moved this into dns
- echo | s cedit hole /etc/hosts ||:
-fi
+
+xdg-settings set default-web-browser abrowser.desktop
+# see current with:
+# xdg-settings get default-web-browser
+
+# pressing tab after sdf here:
+# scp sdfbash: set +o noglob: command not found
+# in t11, bash 5.1.16. this fixes it.
+sudo sed -ri 's/([[:space:]]*)(\$reset)$/\1set +o noglob #$reset/' /usr/share/bash-completion/bash_completion
+
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
if [[ ! -e ~/.local/bin/pip ]]; then
tmp=$(mktemp)
@@ -1801,6 +1673,61 @@ if [[ ! -e ~/.local/bin/pip ]]; then
hash -r
fi
+## begin beets
+# soo, apt install beets fails due to wanting a pip package,
+# we find out why it wants this through
+# apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances beets | less
+# python-mediafile requires tox, which requires virtualenv, which requires pip.
+# but, python-mediafile doesn't really require tox, it is specified in
+# ./usr/lib/python3/dist-packages/mediafile-0.9.0.dist-info/METADATA
+# as being required only for testing, but the debian package
+# included it anyways, due to a mistake or bad tooling or something.
+# I don't plan to use tox, so, according to https://serverfault.com/a/251091,
+# we can create and install a dummy package by:
+#
+# "equivs-control , edit the file produced to provide the right
+# dependency and have a nice name, then run equivs-build and
+# finally dpkg -i the resulting .deb file"
+# as of 2023-02, the tox dependency was removed in debian unstable, so
+# this hack will probably go away in t12.
+
+if pcheck beets; then
+ tmpdir="$(mktemp -d)"
+ cd "$tmpdir"
+ # edited from output of equivs-control tox
+ cat >tox <<'EOF'
+Section: python
+Priority: optional
+Standards-Version: 3.9.2
+Package: tox
+Description: tox-dummy
+EOF
+ equivs-build tox
+ sudo dpkg -i tox_1.0_all.deb
+ rm -rf ./tox*
+ pi beets python3-discogs-client
+ cd
+ rm -r "$tmpdir"
+fi
+
+# get rid of annoying message
+s sed -ri "s/^([[:space:]]*ui.print_\('Playing)/#\1/" /usr/share/beets/beetsplug/play.py
+
+
+# notes about barrier
+# run barrier, do the gui config,
+# setup the 2 screens, using hostnames for the new screen.
+# save the server config
+# $HOME/.local/share/barrier/.barrier.conf
+# per the man page.
+#
+# ssl errors, resolved via advice here: https://github.com/debauchee/barrier/issues/231
+# BARRIER_SSL_PATH=~/.local/share/barrier/SSL/
+# mkdir -p "${BARRIER_SSL_PATH}"
+# openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ${BARRIER_SSL_PATH}/Barrier.pem -out ${BARRIER_SSL_PATH}/Barrier.pem
+# ran on both machines.
+# When pressing start in the gui, the cli options used are printed to the console,
+# they are useful. So on server, just run barriers, client run barrierc SERVER_IP
### begin timetrap setup
if mountpoint /p &>/dev/null; then
@@ -1863,13 +1790,13 @@ sudo fc-cache
pi desktop-file-utils
m /a/bin/distro-setup/mymimes
-
-# stop autopoping windows when i plug in an android phone.
-# dbus-launch makes this work within an ssh connection, otherwise you get this message,
-# with still 0 exit code.
-# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
-m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
-
+if type -p dbus-launch >/dev/null; then
+ # stop autopoping windows when i plug in an android phone.
+ # dbus-launch makes this work within an ssh connection, otherwise you get this message,
+ # with still 0 exit code.
+ # dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
+ m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
+fi
# on grub upgrade, we get prompts unless we do this
devs=()
@@ -1894,23 +1821,21 @@ sgo dynamicipupdate
if grep -xFq $HOSTNAME /a/bin/ds/machine_specific/btrbk.hosts; then
sgo btrbk.timer
fi
-# note: to see when it was last run,
+
+# note: to see when a timer was last run,
# ser list-timers
-case $HOSTNAME in
- kd)
- sgo btrbkrust.timer
- ;;
-esac
### begin prometheus ###
case $HOSTNAME in
kd)
- /a/bin/buildscripts/prometheus
# Font awesome is needed for the alertmanager ui.
- pi prometheus-alertmanager prometheus prometheus-node-exporter fonts-font-awesome
- web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
+ pi prometheus-alertmanager prometheus fonts-font-awesome
+ /c/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus
+ # make it available for other machines
+ rsync -a /usr/local/bin/amtool /a/opt/bin
+ web-conf -p 9091 -f 9090 - apache2 b8.nz <<'EOF'
AuthType Basic
AuthName "basic_auth"
@@ -1921,7 +1846,7 @@ Require valid-user
EOF
- web-conf -p 9094 -f 9093 - apache2 i.b8.nz <<'EOF'
+ web-conf -p 9094 -f 9093 - apache2 b8.nz <<'EOF'
AuthType Basic
AuthName "basic_auth"
@@ -1934,36 +1859,48 @@ EOF
# by default, the alertmanager web ui is not enabled other than a page
# that suggests to use the amtool cli. that tool is good, but you cant
- # silence things nearly as fast.
+ # silence things nearly as easily as with the gui.
if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
- sudo chroot /nocow/schroot/bullseye prometheus-alertmanager
- sudo chroot /nocow/schroot/bullseye /usr/share/prometheus/alertmanager/generate-ui.sh
- sudo rsync -avih /nocow/schroot/bullseye/usr/share/prometheus/alertmanager/ui/ /usr/share/prometheus/alertmanager/ui
+ # default script didnt work, required some changes to get elm 19.1,
+ # which is a dependency of the latest alertmanager. I modified
+ # and copied it into /b/ds. In future, might need some other
+ # solution.
+ #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+ sudo /b/ds/generate-ui.sh
ser restart prometheus-alertmanager
fi
+ s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do
sysd-prom-fail-install $ser
done
;;
*)
- pi prometheus-node-exporter
+ s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter
;;
esac
+# cleanup old files. 2023-02
+x=(/var/lib/prometheus/node-exporter/*.premerge)
+if [[ -e ${x[0]} ]]; then
+ s rm /var/lib/prometheus/node-exporter/*
+fi
+
+
case $HOSTNAME in
- # frodo needs upgrade first.
- frodo) : ;;
# todo, for limiting node exporter http,
# either use iptables or, in
# /etc/default/prometheus-node-exporter
# listen on the wireguard interface
+
*)
- wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
- # old filename. remove once all hosts are updated.
- s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
- web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+ if [[ -e /etc/wireguard/wghole.conf ]]; then
+ wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+ # old filename. remove once all hosts are updated.
+ s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+ web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
AuthType Basic
AuthName "basic_auth"
@@ -1973,14 +1910,14 @@ AuthUserFile "/etc/prometheus-export-htpasswd"
Require valid-user
EOF
- # For work, i think we will just use the firewall for hosts in the main data center, and
- # vpn for hosts outside it.
+ # For work, i think we will just use the firewall for hosts in the main data center, and
+ # vpn for hosts outside it.
- # TODO: figure out how to detect the ping failure and try again.
+ # TODO: figure out how to detect the ping failure and try again.
- # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
- s mkdir /etc/systemd/system/apache2.service.d
- sd /etc/systemd/system/apache2.service.d/restart.conf </etc/nginx/modules-enabled/rtmp.conf <<'EOF'
+## based on https://opensource.com/article/19/1/basic-live-video-streaming-server#comments
+## and https://github.com/arut/nginx-rtmp-module/wiki/Directives
+
+# rtmp {
+# allow publish 127.0.0.1;
+# deny publish all;
+# server {
+# listen 1935;
+# application live {
+# live on;
+# record off;
+# }
+# }
+# }
+# EOF
+
+### end live streaming ###
+
+### begin gh ####
+
+# from https://raw.githubusercontent.com/cli/cli/trunk/docs/install_linux.md
+# One time setup afterwards:
+# gh auth login
+#
+# When it gets to the page where it asks to authorize github, the button
+# is grayed out. You can just open browser dev tools, inspect the
+# button, remove disabled="", then click it and it works.
+#
+# Auth token gets saved into /p/c/subdir_files/.local/share/keyrings/
+#
+# initial config goes to /home/iank/.config/gh
+curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+ && sudo apt update \
+ && sudo apt install gh -y
+
+### end gh ####
+
+
+# remove trisquel banner. it is cool but takes up too much space.
+sudo rm -f /etc/update-motd.d/01-banner
+
+case $HOSTNAME in
+ kw|x3)
+ sd /etc/cups/client.conf <<'EOF'
+ServerName printserver1.office.fsf.org
+EOF
+ ;;
+esac
+
end_msg <<'EOF'
In mate settings settings, change scrolling to two-finger,
@@ -2030,8 +2063,15 @@ lnf -T /a/opt ~/src
pi tor
m /a/bin/buildscripts/tor-browser
# one root command needed to install
-s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin
+s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin
+
+case $HOSTNAME in
+ kd)
+ web-conf -p 4500 -f 4533 -e ian@iankelling.org apache2 b8.nz
+ sgo navidrome
+ ;;
+esac
# nfs server
pi-nostart nfs-kernel-server