X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=ce5179388e985c25805725907e76c65f319753b8;hb=3ca4714d6b02ff279a0c724415f3e0a3a6f49059;hp=b1b7a9f30f2c69866fb2749e96b3878689c427b5;hpb=802e885e3e7fa3857f8bc4f54c261d5ca76f2454;p=distro-setup

diff --git a/distro-end b/distro-end
index b1b7a9f..ce51793 100755
--- a/distro-end
+++ b/distro-end
@@ -43,7 +43,7 @@ end() {
 }
 pre="${0##*/}:"
 sudo() {
-  printf "$pre %s\n"  "$*"
+  printf "$pre sudo %s\n"  "$*"
   SUDOD="$PWD" command sudo "$@";
 }
 m() { printf "$pre %s\n"  "$*"; "$@"; }
@@ -155,10 +155,12 @@ esac
 # fi
 
 
+
+
 pi debootstrap
 ######### begin universal pinned packages ######
 case $(debian-codename) in
-  nabia|etiona|flidas)
+  etiona|flidas|nabia|aramo)
     sudo rm -fv /etc/apt/preferences.d/etiona-buster
     sd /etc/apt/preferences.d/trisquel-debian <<EOF
 Explanation: Debian* includes Debian + Debian Backports
@@ -340,29 +342,14 @@ EOF
 
 
     ;;&
-  nabia|etiona)
+  aramo|nabia|etiona)
     # for ziva
     #p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
     doupdate=false
-    for n in buster bullseye; do
+    for n in bullseye; do
       f=/etc/apt/sources.list.d/$n.list
       t=$(mktemp)
       case $n in
-        buster)
-          cat >$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
-          ;;
         bullseye)
           cat >$t <<'EOF'
 EOF
@@ -484,6 +471,34 @@ Pin: release n=bionic,o=Ubuntu
 Pin-Priority: -100
 EOF
 
+    ;;&
+  nabia)
+    sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+    f=/etc/apt/sources.list.d/aramo.list
+    t=$(mktemp)
+    cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+    if ! diff -q $t $f; then
+      sudo dd if=$t of=$f 2>/dev/null
+      p update
+    fi
+
     ;;&
   *)
     if isdeb; then
@@ -492,7 +507,11 @@ EOF
     ;;
 esac
 
-
+case $codename_compat in
+  jammy)
+    s systemctl enable --now ssh-agent-iank
+    ;;
+esac
 
 case $codename_compat in
   focal)
@@ -525,9 +544,21 @@ Pin-Priority: 500
 EOF
     ;;
   nabia)
+    # note, to get the latest, it would be n=bullseye*
+    # but that has conflicting package versions, so this does the old one.
+    # I only use it for special rare purposes. Just keep in mind it is an
+    # outdated insecure version.
     sd /etc/apt/preferences.d/chromium-bullseye <<EOF
 Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
-Pin: release o=Debian*,n=bullseye*
+Pin: release o=Debian*,n=bullseye
+Pin-Priority: 500
+EOF
+    ;;
+  aramo)
+    # obs dependency not in trisquel
+    sd /etc/apt/preferences.d/obs <<EOF
+Package: libfdk-aac2
+Pin: release n=jammy,o=Ubuntu
 Pin-Priority: 500
 EOF
     ;;
@@ -578,23 +609,6 @@ sudo rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattende
 # Pin-Priority: 500
 # EOF
 
-if [[ -e /etc/wireguard/wghole.conf ]]; then
-  reload=false
-  if [[ ! -e /etc/systemd/system/wg-quick@wghole.service.d/override.conf ]]; then
-    reload=true
-  fi
-  sudo mkdir -p /etc/systemd/system/wg-quick@wghole.service.d
-  sd /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
-[Unit]
-StartLimitIntervalSec=0
-
-[Service]
-Restart=on-failure
-RestartSec=20
-EOF
-  if $reload; then ser daemon-reload; fi
-  sgo wg-quick@wghole
-fi
 
 ###### begin website setup
 case $HOSTNAME in
@@ -606,6 +620,7 @@ case $HOSTNAME in
     fi
 
     pi prometheus-node-exporter
+    /a/bin/buildscripts/prom-node-exporter -l
 
     # ex for exporter
     web-conf -p 9101 -f 9100 - apache2 ${HOSTNAME}ex.b8.nz <<'EOF'
@@ -779,14 +794,25 @@ EOF
 # https://radicale.org/2.1.html
 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
 # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location /radicale/>
-  Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+<Location "/">
   AllowOverride None
-  AuthType basic
+  AuthType Basic
   AuthName "Authentication Required"
   # setup one time, with root:www-data, 640
   AuthUserFile "/etc/caldav-htpasswd"
   Require valid-user
+  RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
+</Location>
+<Location "/radicale/">
+  Options +FollowSymLinks +Multiviews -Indexes
   RequestHeader    set X-Script-Name /radicale/
   RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
   ProxyPass  "http://10.8.0.4:5232/" retry=0
@@ -843,6 +869,8 @@ EOF
     # https://wiki.znc.in/self-message
     # https://wiki.znc.in/Query_buffers                                                \
       #
+    # for geekshed, there was no sasl support as far as I can tell,
+    # so I set to msg nickserv to identify upon connect.
     if ! getent passwd znc > /dev/null; then
       sudo useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc
     fi
@@ -868,7 +896,7 @@ esac
 
 ### system76 things ###
 case $HOSTNAME in
-  sy|bo)
+  bo) # sy|  sy doesnt seem to really need this.
     # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
     if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
       # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
@@ -901,6 +929,7 @@ EOF
     fi
     ;;
 esac
+### end system76 things ###
 
 case $distro in
   trisquel|ubuntu)
@@ -967,6 +996,10 @@ EOF
     # and choose lightdm.
     #
     ;;
+  jammy)
+    # not yet bothering with mate
+    pi lightdm-gtk-greeter lightdm
+    ;;
 esac
 
 
@@ -1037,6 +1070,22 @@ esac
 # dependent packages.
 pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
 
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+  s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+fi
+
 
 # commented, not worth the hassle i think.
 #seru enable psd
@@ -1302,18 +1351,21 @@ m reset-xscreensaver
 # cabal update
 # cabal install --upgrade-dependencies  --force-reinstalls arbtt
 # also, i assume syncing this between machines somehow messed up the data.
-if mountpoint /p &>/dev/null; then
-  case $codename in
-    etiona|nabia)
-      pi arbtt
-      # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
-      # Failed to connect to bus: No such file or directory
-      lnf -T  /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
-      # allow failure
-      seru start arbtt ||:
-      ;;
-  esac
-fi
+
+## not using arbtt for now
+# if mountpoint /p &>/dev/null; then
+#   case $codename in
+#     etiona|nabia)
+#       pi arbtt
+#       # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
+#       # Failed to connect to bus: No such file or directory
+#       lnf -T  /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
+#       # allow failure
+#       seru start arbtt ||:
+#       ;;
+#   esac
+# fi
+rm -fv /home/iank/.config/systemd/user/default.target.wants/arbtt.service
 
 
 m primary-setup
@@ -1401,6 +1453,7 @@ tu /etc/schroot/desktop/fstab <<'EOF'
 /run/user/0    /run/user/0     none    rw,bind         0       0
 EOF
 
+# todo: consider if this should use the new sysd-prom-fail
 sd /etc/systemd/system/schrootupdate.service <<'EOF'
 [Unit]
 Description=schrootupdate
@@ -1548,23 +1601,30 @@ sudo chown -R debian-transmission:debian-transmission /var/lib/transmission-daem
 #
 # Changed the cache-size to 256 mb, reduces disk use.
 # It is a read & write cache.
-sudo ruby <<EOF
+if ! systemctl is-active transmission-daemon-nn &>/dev/null && \
+    ! systemctl is-active transmission-daemon; then
+  tmp=$(mktemp)
+  command sudo ruby <<EOF >$tmp
 require 'json'
 p = '/etc/transmission-daemon/settings.json'
-File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
-'rpc-whitelist-enabled' => false,
-'rpc-authentication-required' => false,
-'incomplete-dir' => '$tdir/partial-torrents',
-'incomplete-dir-enabled' => true,
-'download-dir' => '$tdir/torrents',
-"speed-limit-up" => 800,
-"speed-limit-up-enabled" => true,
-"peer-port" => 61486,
-"cache-size-mb" => 256,
-"ratio-limit" => 5.0,
-"ratio-limit-enabled" => false,
-})) + "\n")
+s = {
+  'rpc-whitelist-enabled' => false,
+  'rpc-authentication-required' => false,
+  'incomplete-dir' => '$tdir/partial-torrents',
+  'incomplete-dir-enabled' => true,
+  'download-dir' => '$tdir/torrents',
+  "speed-limit-up" => 800,
+  "speed-limit-up-enabled" => true,
+  "peer-port" => 61486,
+  "cache-size-mb" => 256,
+  "ratio-limit" => 5.0,
+  "ratio-limit-enabled" => false,
+}
+puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge(s)))
 EOF
+  cat $tmp | sudo dd of=/etc/transmission-daemon/settings.json
+
+fi
 
 ####### end transmission
 
@@ -1706,13 +1766,23 @@ pi --no-install-recommends kdeconnect
 # # I'm not seeing the icon, but the clipboard replication is working
 
 
-### model 01 arduino support ###
+### begin model 01 arduino support ###
 # https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
 # also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
 # set arduino var in bashrc,
 # have system config file setup too.
 sudo adduser $USER dialout
 
+# as of 2022-05,
+# download arduino ide, extract in /a/opt, ignore the install script, run ./arduino,
+# toolbar, preferences, add board manager url:
+# https://raw.githubusercontent.com/keyboardio/boardsmanager/master/package_keyboardio_index.json
+# toolbar, board manager, add keyboardio
+# toolbar, select model01 board
+# toolbar, examples, model01, compile
+
+###
+
 # this is for the mail command too. update-alternatives is kind of misleading
 # since at least it's main commands pretend mail does not exist.
 # bsd's mail got pulled in on some dumb dependency, i dunno how.
@@ -1761,6 +1831,10 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
 
 ########### misc stuff
 
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
+
+
 if [[ $HOSTNAME != frodo ]]; then
   # remove. i moved this into dns
   echo | s cedit hole /etc/hosts ||:
@@ -1879,10 +1953,9 @@ esac
 
 case $HOSTNAME in
   kd)
-    # ive got these + a needed dependency pinned to bullseye, just to get
-    # versions more in line with the main docs.
     # Font awesome is needed for the alertmanager ui.
     pi prometheus-alertmanager prometheus prometheus-node-exporter fonts-font-awesome
+    /a/bin/buildscripts/prometheus
     web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
 <Location "/">
 AuthType Basic
@@ -1893,13 +1966,28 @@ AuthUserFile "/etc/prometheus-htpasswd"
 Require valid-user
 </Location>
 EOF
+
+    web-conf -p 9094 -f 9093 - apache2 i.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
     # by default, the alertmanager web ui is not enabled other than a page
     # that suggests to use the amtool cli. that tool is good, but you cant
-    # silence things nearly as fast.
+    # silence things nearly as easily as with the gui.
     if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
-      sudo chroot /nocow/schroot/bullseye prometheus-alertmanager
-      sudo chroot /nocow/schroot/bullseye /usr/share/prometheus/alertmanager/generate-ui.sh
-      sudo rsync -avih /nocow/schroot/bullseye/usr/share/prometheus/alertmanager/ui/ /usr/share/prometheus/alertmanager/ui
+      # default script didnt work, required some changes to get elm 19.1,
+      # which is a dependency of the latest alertmanager. I modified
+      # and copied it into /b/ds. In future, might need some other
+      # solution.
+      #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+      sudo /b/ds/generate-ui.sh
       ser restart prometheus-alertmanager
     fi
 
@@ -1920,6 +2008,7 @@ case $HOSTNAME in
   # either use iptables or, in
   # /etc/default/prometheus-node-exporter
   # listen on the wireguard interface
+
   *)
     wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
     # old filename. remove once all hosts are updated.
@@ -1935,8 +2024,7 @@ Require valid-user
 </Location>
 EOF
     # For work, i think we will just use the firewall for hosts in the main data center, and
-    # apache/nginx + tls + basic auth outside of it. or consider stunnel.
-
+    # vpn for hosts outside it.
 
     # TODO: figure out how to detect the ping failure and try again.
 
@@ -1957,6 +2045,98 @@ esac
 
 ### end prometheus ###
 
+### begin nagios ###
+
+pi nagios4
+s rm /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+# to add a password for admin:
+# htdigest /etc/nagios4/htdigest.users Nagios4 iank
+# now using the same pass as prometheus
+
+# nagstamon auth settings, set to digest instead of basic.
+
+web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+    Options FollowSymLinks
+    DirectoryIndex index.php index.html
+    AllowOverride AuthConfig
+    #
+    # The default Debian nagios4 install sets use_authentication=0 in
+    # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+    # This is insecure.  As a compromise this default apache2 configuration
+    # only allows private IP addresses access.
+    #
+    # The <Files>...</Files> below shows how you can secure the nagios4
+    # web site so anybody can view it, but only authenticated users can issue
+    # commands (such as silence notifications).  To do that replace the
+    # "Require all granted" with "Require valid-user", and use htdigest
+    # program from the apache2-utils package to add users to
+    # /etc/nagios4/htdigest.users.
+    #
+    # A step up is to insist all users validate themselves by moving
+    # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+    # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+    # can configure which people get to see a particular service from
+    # within the nagios configuration.
+    #
+	AuthDigestDomain "Nagios4"
+	AuthDigestProvider file
+	AuthUserFile	"/etc/nagios4/htdigest.users"
+	AuthGroupFile	"/etc/group"
+	AuthName	"Nagios4"
+	AuthType	Digest
+	Require	valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+    Options	+ExecCGI
+</Directory>
+EOF
+
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+#  2 define contact {
+#  1 define contactgroup {
+#  9 define host {
+#  4 define hostgroup {
+# 23 define service {
+#  5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+#      76 define command
+#      11 define contact
+#       6 define contactgroup
+#     162 define host
+#       1 define hostextinfo
+#      16 define hostgroup
+#    3040 define service
+#       2 define servicedependency
+#       6 define timeperiod
+
+
+### end nagios ###
+
 
 end_msg <<'EOF'
 In mate settings settings, change scrolling to two-finger,