X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=d72adea591e501549cfd1669e4fd6c210dd31fd0;hb=a7f9b883055cb1c4056469d498c7bc6564670c37;hp=00827b638485bc4986817920e371e1aee378856a;hpb=b857462732e15f455e41f26e3048a390d7b399c0;p=distro-setup diff --git a/distro-end b/distro-end index 00827b6..d72adea 100755 --- a/distro-end +++ b/distro-end @@ -116,8 +116,12 @@ if isdeb; then $(debian-codename-compat) \ stable" p update - pi docker-ce - sgo docker + # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless + # we really need it. + pi-nostart docker-ce + case $HOSTNAME in + li|lj) sgo docker ;; + esac # other distros unknown fi ### end docker install #### @@ -303,6 +307,7 @@ EOF git clone https://github.com/pump-io/pump.io.git cd pump.io fi + # note: these 2 commands seem # note: doing this or the npm install pump.io as root had problems. npm install npm run build @@ -312,7 +317,7 @@ EOF # https://github.com/pump-io/pump.io/issues/1287 s npm install -g databank-mongodb@0.19.2 if ! getent passwd pumpio &>/dev/null; then - s useradd -m -s /bin/false pumpio + s useradd -Um -s /bin/false pumpio fi sudo -u pumpio mkdir -p /home/pumpio/pumpdata # for testing browser when only listening to localhost, @@ -481,7 +486,7 @@ EOF ############### !!!!!!!!!!!!!!!!! ############### manual steps: - # only following 2 people atm, so not bothering to figure out backups + # only following a few people atm, so not bothering to figure out backups # when mastodon has not documented it at all. # # fsf@status.fsf.org 
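Review bot: The comment added before `npm install` in the pump.io hunk, `# note: these 2 commands seem`, stops mid-sentence, so it records nothing a later reader can act on. Either finish the observation or drop the line; the existing comment right after it already says that running the install as root had problems. If the point is which account must run the build, say so directly, e.g. `# note: run npm install / npm run build as the regular user, not via s`, assuming that is what was meant.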
@@ -508,21 +513,39 @@ EOF # to exit and save config: # /msg *status shutdown # configed auth on freenode by following - # https://wiki.znc.in/Sasl + # https://wiki.znc.in/Sasl: + # /msg *sasl RequireAuth yes + # /msg *sasl Mechanism PLAIN + # /msg *sasl Set ident_name password # created the system service after, and had to do # mv /home/iank/.znc/* /var/lib/znc # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf # and made a copy of the config files into /p/c - # added LoadModule = log -sanitize to the top level + # /msg *status LoadMod --type=global log -sanitize # to get into the web interface, # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site. + # https://iankelling.org:12533/ # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart. # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it. - # todo: figure out how to make playback in erc happe.n + # /msg *status LoadMod --type=network perform + # /msg *perform add PRIVMSG ChanServ :invite #fsf-office + # /msg *perform add JOIN #fsf-office + # + # i set Buffer = 500 + # also ran /znc LoadMod clearbufferonmsg + # it would be nice if erc supported erc query buffers by doing + # /msg *status clearbuffer /dev/null <<'EOF' [Unit] Description=ZNC, an advanced IRC bouncer @@ -556,7 +579,11 @@ case $distro in s add-apt-repository -y ppa:ansible/ansible p update fi - pi ansible + s pip install --upgrade pip + # newer 2.7 versions have a bug that incorrectly detects trisquel version. fixed once 2.8 arrives + # in 2019 + pip install --user ansible=2.7.4 + #pi ansible ;; esac 
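Review bot: The SASL steps added to the znc notes select `Mechanism PLAIN`, which sends the account password to the network protected only by the transport, and the notes do not say whether the server entry uses TLS. Add a line recording that, e.g. `# (PLAIN is only ok because the freenode server entry uses the ssl port)`, after confirming it is true. The same hunk also writes down the web admin URL on port 12533 while the existing todo says `AllowWeb` should be false; it would help to note next to the URL that the listener is meant to be switched off again after use. Part of this hunk's text appears to be missing from the page around `clearbuffer`, so these remarks cover only the visible lines.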
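Review bot: `pip install --user ansible=2.7.4` uses a single `=`, which pip rejects as an invalid requirement, so this arm would leave the machine without ansible; the pin should read `pip install --user ansible==2.7.4`. The line before it, `s pip install --upgrade pip`, upgrades pip as root over the distro-packaged copy, which tends to break the system pip; `pip install --user --upgrade pip` keeps that change in the user's home. With `pi ansible` commented out, the `add-apt-repository -y ppa:ansible/ansible` step still visible above is an extra trusted package source that nothing uses, and could be dropped along with it. The case arm starts outside the hunk.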
@@ -590,7 +617,7 @@ esac # s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem # s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys # # kw = kgpe work machine. -# for host in x2 kw; do +# for host in x2 x3 kw; do # vpn-mk-client-cert -b $host -n home b8.nz 1196 # dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client # mkdir -p $dir @@ -601,8 +628,8 @@ esac # key already exists, so this won't generate one, just the configs. vpn-server-setup -rds s tee -a /etc/openvpn/server/server.conf <<'EOF' -push "dhcp-option DNS 192.168.1.1" -push "route 192.168.1.0 255.255.255.0" +push "dhcp-option DNS 10.0.0.1" +push "route 10.0.0.0 255.255.0.0" client-connect /a/bin/distro-setup/vpn-client-connect EOF s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf @@ -784,18 +811,21 @@ fi ####### begin misc packages ########### +# sakura config is owned by ian reset-sakura -sudo -u traci -i reset-sakura reset-konsole sudo -u traci -i reset-konsole +# traci xscreensaver we don't want to reset reset-xscreensaver -# this is packaged, but i see it's gotten a fair amount of development lately, -# so install from cabal. the options are needed to get over incompatible xmonad library versions -# but that stuff is in the global namespace, and it seems they don't conflict in practice. -pi libxss-dev # dependency based on build failure -cabal update -cabal install --upgrade-dependencies --force-reinstalls arbtt -lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log + + +# this would install from cabal for newer / consistent version across os, but it screws up xmonad, so disabled for now. +# this is also in primary-setup +# pi libxss-dev # dependency based on build failure +# cabal update +# cabal install --upgrade-dependencies --force-reinstalls arbtt +# also, i assume syncing this between machines somehow messed thin +#lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log primary-setup 
@@ -870,6 +900,40 @@ case $distro in # others unknown esac +case $(debian-codename) in + # needed for debootstrap scripts for fai since fai requires debian + flidas) + s dd of=/etc/apt/preferences.d/flidas-xenial </dev/null < /dev/null; then fi +# We want group writable stuff from transmission. +# However, after setting this, I learn that transmission sets it's +# own umask based on it's settings file. Well, no harm leaving this +# so it's set right from the beginning. +s chfn debian-transmission -o umask=0002 + # trisquel 8 = openvpn, debian stretch = openvpn-client vpn_ser=openvpn-client if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then @@ -1107,6 +1178,8 @@ require 'json' p = '/etc/transmission-daemon/settings.json' s = JSON.parse(File.read(p)) s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp +# default is 0022 (18 in decimal) +s["umask"] = 2 File.write p, JSON.pretty_generate(s) EOF @@ -1163,6 +1236,7 @@ case $distro in sgo org.cups.cupsd.service ;; debian|trisquel|ubuntu) + pi cups s gpasswd -a $USER lpadmin # based on ubuntu wiki spa hplip ;; @@ -1174,11 +1248,6 @@ esac # in arch, I had to pick out the 6L driver. -case $distro in - trisquel|ubuntu|debian) pi --no-install-recommends mairix notmuch ;; - fedora|arch) spa mairix notmuch ;; -esac - # allow user to run vms, from debian handbook for x in iank traci; do s usermod -a -G libvirt,kvm $x; done # bridge networking as user fails. google lead here, but it doesn\'t work: @@ -1313,7 +1382,7 @@ fi # EOF # s systemctl daemon-reload # case $HOSTNAME in -# x2|tp) +# x2|x3|tp) # ser enable synergyc@iank # ser start synergyc@iank ||: # X might not be running yet # ;; 
@@ -1402,6 +1471,19 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \ ########### misc stuff +# make networkmanager use resolvconf instead of its own dnsmasq which +# conflicts with the normal dnsmasq package. +f=/etc/NetworkManager/NetworkManager.conf +m=$(md5sum $f) +s sed -ri '/ *\[main\]/,/^ *\[[^]]+\]/{/^\s*dns[[:space:]=]/d}' $f +if [[ $m != $(md5sum $f) ]]; then + srestart NetworkManager +fi + +# make my /etc/fonts/conf.d/ get used. +# I have a new sans-serif font there because the default one +# displays l and I as the same char, grrrrr. +s fc-cache /a/bin/distro-setup/mymimes @@ -1592,7 +1674,16 @@ EOF ;; esac - +# networkmanager has this nasty behavior on flidas: if the machine +# crashes with dnsmasq running, on subsequent boot, it adds an entry to +# resolvconf for 127.0.0.1 in some stupid attempt to restore +# nameservers. +# This can be manually fixed by stoping dnsmasq, +# then based on whats in /run/dnsmasq/, i see we can run +# s resolvconf -d NetworkManager +# oh ya, and stoping NetworkManager leaves this crap behind without cleaning it up. +ser stop NetworkManager +ser disable NetworkManager if [[ $HOSTNAME == frodo ]]; then @@ -1602,7 +1693,7 @@ if [[ $HOSTNAME == frodo ]]; then # 1. it can be mounted with a shorthand of server:/ # 2. exports that are subdirectories of this one will automatically be mounted tu /etc/exports <<'EOF' -/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure) +/k 10.0.0.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure) EOF s exportfs -rav fi
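Review bot: `ser stop NetworkManager` and `ser disable NetworkManager` run on every host, although the comment above them describes a problem seen on flidas, and the earlier hunk at -1402 edits NetworkManager.conf and calls `srestart NetworkManager`, which this then undoes. If disabling is only wanted on flidas, gate it the way the apt-preferences hunk does, `case $(debian-codename) in flidas) ser stop NetworkManager; ser disable NetworkManager ;; esac`. If it is wanted everywhere, say so in the comment and consider dropping the earlier restart. Any machine that still relies on NetworkManager for its connection would lose it at this point, which is worth a line in the comment either way.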
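Review bot: The rewritten /etc/exports line keeps `no_root_squash` and `insecure` while exporting /k read-write to all of 10.0.0.0/24, so root on any host that can take an address in that subnet is root on the export, and `insecure` additionally accepts requests from unprivileged source ports. Since the line is being changed anyway, consider narrowing it: list the specific client addresses instead of the /24, and drop `no_root_squash` and `insecure` unless a client is known to need them, e.g. `/k CLIENT_ADDR(rw,fsid=0,nohide,async,no_subtree_check)` where CLIENT_ADDR is a placeholder. The OpenVPN hunk on this page now pushes a route for 10.0.0.0/16 to VPN clients; whether their traffic reaches this server with a source address inside the exported range is not visible here and is worth confirming. The `if [[ $HOSTNAME == frodo ]]` block starts outside this hunk.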