X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=ce5179388e985c25805725907e76c65f319753b8;hb=3ca4714d6b02ff279a0c724415f3e0a3a6f49059;hp=4b73b8b920115caa9463c0be78ba7c9f77d30cab;hpb=95eb9558206f8287febab80dd3f51d168a3ca831;p=distro-setup

diff --git a/distro-end b/distro-end
index 4b73b8b..ce51793 100755
--- a/distro-end
+++ b/distro-end
@@ -43,7 +43,7 @@ end() {
 }
 pre="${0##*/}:"
 sudo() {
-  printf "$pre %s\n"  "$*"
+  printf "$pre sudo %s\n"  "$*"
   SUDOD="$PWD" command sudo "$@";
 }
 m() { printf "$pre %s\n"  "$*"; "$@"; }
@@ -155,10 +155,12 @@ esac
 # fi
 
 
+
+
 pi debootstrap
 ######### begin universal pinned packages ######
 case $(debian-codename) in
-  nabia|etiona|flidas)
+  etiona|flidas|nabia|aramo)
     sudo rm -fv /etc/apt/preferences.d/etiona-buster
     sd /etc/apt/preferences.d/trisquel-debian <<EOF
 Explanation: Debian* includes Debian + Debian Backports
@@ -340,29 +342,14 @@ EOF
 
 
     ;;&
-  nabia|etiona)
+  aramo|nabia|etiona)
     # for ziva
     #p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
     doupdate=false
-    for n in buster bullseye; do
+    for n in bullseye; do
       f=/etc/apt/sources.list.d/$n.list
       t=$(mktemp)
       case $n in
-        buster)
-          cat >$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
-          ;;
         bullseye)
           cat >$t <<'EOF'
 EOF
@@ -484,6 +471,34 @@ Pin: release n=bionic,o=Ubuntu
 Pin-Priority: -100
 EOF
 
+    ;;&
+  nabia)
+    sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+    f=/etc/apt/sources.list.d/aramo.list
+    t=$(mktemp)
+    cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+    if ! diff -q $t $f; then
+      sudo dd if=$t of=$f 2>/dev/null
+      p update
+    fi
+
     ;;&
   *)
     if isdeb; then
@@ -492,7 +507,11 @@ EOF
     ;;
 esac
 
-
+case $codename_compat in
+  jammy)
+    s systemctl enable --now ssh-agent-iank
+    ;;
+esac
 
 case $codename_compat in
   focal)
@@ -533,6 +552,14 @@ EOF
 Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
 Pin: release o=Debian*,n=bullseye
 Pin-Priority: 500
+EOF
+    ;;
+  aramo)
+    # obs dependency not in trisquel
+    sd /etc/apt/preferences.d/obs <<EOF
+Package: libfdk-aac2
+Pin: release n=jammy,o=Ubuntu
+Pin-Priority: 500
 EOF
     ;;
 esac
@@ -582,23 +609,6 @@ sudo rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattende
 # Pin-Priority: 500
 # EOF
 
-if [[ -e /etc/wireguard/wghole.conf ]]; then
-  reload=false
-  if [[ ! -e /etc/systemd/system/wg-quick@wghole.service.d/override.conf ]]; then
-    reload=true
-  fi
-  sudo mkdir -p /etc/systemd/system/wg-quick@wghole.service.d
-  sd /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
-[Unit]
-StartLimitIntervalSec=0
-
-[Service]
-Restart=on-failure
-RestartSec=20
-EOF
-  if $reload; then ser daemon-reload; fi
-  sgo wg-quick@wghole
-fi
 
 ###### begin website setup
 case $HOSTNAME in
@@ -784,14 +794,25 @@ EOF
 # https://radicale.org/2.1.html
 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
 # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location /radicale/>
-  Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+<Location "/">
   AllowOverride None
-  AuthType basic
+  AuthType Basic
   AuthName "Authentication Required"
   # setup one time, with root:www-data, 640
   AuthUserFile "/etc/caldav-htpasswd"
   Require valid-user
+  RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
+</Location>
+<Location "/radicale/">
+  Options +FollowSymLinks +Multiviews -Indexes
   RequestHeader    set X-Script-Name /radicale/
   RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
   ProxyPass  "http://10.8.0.4:5232/" retry=0
@@ -875,7 +896,7 @@ esac
 
 ### system76 things ###
 case $HOSTNAME in
-  sy|bo)
+  bo) # sy|  sy doesnt seem to really need this.
     # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
     if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
       # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
@@ -908,6 +929,7 @@ EOF
     fi
     ;;
 esac
+### end system76 things ###
 
 case $distro in
   trisquel|ubuntu)
@@ -974,6 +996,10 @@ EOF
     # and choose lightdm.
     #
     ;;
+  jammy)
+    # not yet bothering with mate
+    pi lightdm-gtk-greeter lightdm
+    ;;
 esac
 
 
@@ -1044,6 +1070,22 @@ esac
 # dependent packages.
 pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
 
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+  s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+fi
+
 
 # commented, not worth the hassle i think.
 #seru enable psd
@@ -1724,13 +1766,23 @@ pi --no-install-recommends kdeconnect
 # # I'm not seeing the icon, but the clipboard replication is working
 
 
-### model 01 arduino support ###
+### begin model 01 arduino support ###
 # https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
 # also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
 # set arduino var in bashrc,
 # have system config file setup too.
 sudo adduser $USER dialout
 
+# as of 2022-05,
+# download arduino ide, extract in /a/opt, ignore the install script, run ./arduino,
+# toolbar, preferences, add board manager url:
+# https://raw.githubusercontent.com/keyboardio/boardsmanager/master/package_keyboardio_index.json
+# toolbar, board manager, add keyboardio
+# toolbar, select model01 board
+# toolbar, examples, model01, compile
+
+###
+
 # this is for the mail command too. update-alternatives is kind of misleading
 # since at least it's main commands pretend mail does not exist.
 # bsd's mail got pulled in on some dumb dependency, i dunno how.
@@ -1779,6 +1831,10 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
 
 ########### misc stuff
 
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
+
+
 if [[ $HOSTNAME != frodo ]]; then
   # remove. i moved this into dns
   echo | s cedit hole /etc/hosts ||:
@@ -1897,9 +1953,9 @@ esac
 
 case $HOSTNAME in
   kd)
-    /a/bin/buildscripts/prometheus
     # Font awesome is needed for the alertmanager ui.
     pi prometheus-alertmanager prometheus prometheus-node-exporter fonts-font-awesome
+    /a/bin/buildscripts/prometheus
     web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
 <Location "/">
 AuthType Basic
@@ -1924,11 +1980,14 @@ EOF
 
     # by default, the alertmanager web ui is not enabled other than a page
     # that suggests to use the amtool cli. that tool is good, but you cant
-    # silence things nearly as fast.
+    # silence things nearly as easily as with the gui.
     if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
-      sudo chroot /nocow/schroot/bullseye prometheus-alertmanager
-      sudo chroot /nocow/schroot/bullseye /usr/share/prometheus/alertmanager/generate-ui.sh
-      sudo rsync -avih /nocow/schroot/bullseye/usr/share/prometheus/alertmanager/ui/ /usr/share/prometheus/alertmanager/ui
+      # default script didnt work, required some changes to get elm 19.1,
+      # which is a dependency of the latest alertmanager. I modified
+      # and copied it into /b/ds. In future, might need some other
+      # solution.
+      #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+      sudo /b/ds/generate-ui.sh
       ser restart prometheus-alertmanager
     fi
 
@@ -1949,6 +2008,7 @@ case $HOSTNAME in
   # either use iptables or, in
   # /etc/default/prometheus-node-exporter
   # listen on the wireguard interface
+
   *)
     wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
     # old filename. remove once all hosts are updated.
@@ -1985,6 +2045,98 @@ esac
 
 ### end prometheus ###
 
+### begin nagios ###
+
+pi nagios4
+s rm /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+# to add a password for admin:
+# htdigest /etc/nagios4/htdigest.users Nagios4 iank
+# now using the same pass as prometheus
+
+# nagstamon auth settings, set to digest instead of basic.
+
+web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+    Options FollowSymLinks
+    DirectoryIndex index.php index.html
+    AllowOverride AuthConfig
+    #
+    # The default Debian nagios4 install sets use_authentication=0 in
+    # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+    # This is insecure.  As a compromise this default apache2 configuration
+    # only allows private IP addresses access.
+    #
+    # The <Files>...</Files> below shows how you can secure the nagios4
+    # web site so anybody can view it, but only authenticated users can issue
+    # commands (such as silence notifications).  To do that replace the
+    # "Require all granted" with "Require valid-user", and use htdigest
+    # program from the apache2-utils package to add users to
+    # /etc/nagios4/htdigest.users.
+    #
+    # A step up is to insist all users validate themselves by moving
+    # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+    # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+    # can configure which people get to see a particular service from
+    # within the nagios configuration.
+    #
+	AuthDigestDomain "Nagios4"
+	AuthDigestProvider file
+	AuthUserFile	"/etc/nagios4/htdigest.users"
+	AuthGroupFile	"/etc/group"
+	AuthName	"Nagios4"
+	AuthType	Digest
+	Require	valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+    Options	+ExecCGI
+</Directory>
+EOF
+
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+#  2 define contact {
+#  1 define contactgroup {
+#  9 define host {
+#  4 define hostgroup {
+# 23 define service {
+#  5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+#      76 define command
+#      11 define contact
+#       6 define contactgroup
+#     162 define host
+#       1 define hostextinfo
+#      16 define hostgroup
+#    3040 define service
+#       2 define servicedependency
+#       6 define timeperiod
+
+
+### end nagios ###
+
 
 end_msg <<'EOF'
 In mate settings settings, change scrolling to two-finger,