X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=dde7a1026206449daf0f6affa9828b9424e3e84d;hb=69c1f384f54bba59a693c4ac9d61d8f7f3692269;hp=13a4dd102c6c8d49b6993155d79cbf1362abe9ae;hpb=a9242586e509be25c1b3f746f6cdb45104c5e9f5;p=distro-setup diff --git a/distro-end b/distro-end index 13a4dd1..dde7a10 100755 --- a/distro-end +++ b/distro-end @@ -35,6 +35,7 @@ spa() { # simple package add distro=$(distro-name) pending_reboot=false +sed="sed --follow-symlinks" # template case $distro in @@ -51,6 +52,7 @@ simple_packages=( ruby-rest-client tree vim + wcd ) case $HOSTNAME in @@ -58,40 +60,71 @@ case $HOSTNAME in *) # universal packages # swh-plugins is for karaoke pulsaudio filter. + # mutagen for pithos simple_packages+=( apache2 + apache2-doc + apt-doc + aptitude-doc-en + bash-doc + binutils-doc bwm-ng chromium + cpio-doc + cron + debconf-doc duplicity + eclipse evince fdupes + feh filelight + gawk-doc + gcc-doc gdb + gdb-doc + git-doc + gitk + glibc-doc goaccess gnome-screenshot + i3lock + iproute2-doc jq + linux-doc locate + make-doc + manpages + manpages-dev meld + mumble nmap offlineimap p7zip paprefs + parted-doc pavucontrol pdfgrep + perl-doc pianobar pidgin - slock + python3-doc + python3-mutagen + reportbug + sqlite3-doc squashfs-tools swh-plugins + tar-doc tcpdump transmission-remote-gtk vlc + whois ) + spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') ;; esac - ########### begin section including li ################ @@ -165,8 +198,12 @@ esac # no equivalent in other distros: case $distro in debian|ubuntu) - pi apt-file aptitude - s apt-file update + pi aptitude + if ! dpkg -s apt-file &>/dev/null; then + # this condition is just a speed optimization + pi apt-file + s apt-file update + fi # for debconf-get-selections spa debconf-utils ;; 
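Review bot: `sed="sed --follow-symlinks"` only works because every later use leaves `$sed` unquoted so the shell word-splits it back into a command plus an option; the first person to write `"$sed"` gets a "command not found" for the whole string. A comment on the line saying it must stay unquoted, or an array form (`sed=(sed --follow-symlinks)` used as `"${sed[@]}"`), makes that explicit. It would also help to say why symlinks need following at all — presumably because files under /etc are symlinks into another tree, but the hunk does not state it.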
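Review bot: In `spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')` the pattern is unquoted, so the shell tries it as a glob first and will substitute a matching filename if one exists in the current directory before apt-cache ever sees it; quote it as `'ruby[.0-9]+-doc'`. apt-cache search also matches against package descriptions, not only names, so any package whose description happens to contain that text would be installed too; `spa $(apt-cache search --names-only 'ruby[.0-9]+-doc' | awk '{print $1}')` restricts the match to package names.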
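Review bot: `dpkg -s apt-file` exits 0 for a package that was removed but still has configuration files on disk (status `deinstall ok config-files`), so on such a host the speed optimization skips `pi apt-file` even though the tool is not installed. Testing the status field avoids that: `if ! dpkg-query -W -f='${Status}' apt-file 2>/dev/null | grep -q 'install ok installed'; then`. The body of the case arm is unchanged.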
@@ -224,11 +261,12 @@ fi pi "${simple_packages[@]}" simple_packages=() +# website setup case $HOSTNAME in lj|li) case $HOSTNAME in - lj) domain=iank.bid ;; + lj) domain=iank.bid; exit 0 ;; li) domain=iankelling.org ;; esac /a/h/setup.sh $domain 
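Review bot: `lj) domain=iank.bid; exit 0 ;;` terminates the whole script for that host, so the `/a/h/setup.sh $domain` call right after the case and every later section no longer run on lj, and the `domain=` assignment before the exit is dead. If that is intended, a comment on the line such as `# lj: nothing below applies, stop here` keeps a reader from assuming the host falls through to setup.sh; if it is not, the exit belongs after the setup call.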
@@ -237,43 +275,167 @@ case $HOSTNAME in sudo -E /a/bin/mediawiki-setup/mw-setup-script #$src/phab-setup + pi-nostart mumble-server + s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini + sgo mumble-server + + vpn-server-setup -d + + sudo dd of=/etc/systemd/system/vpnmail.service < + Options +FollowSymLinks +Multiviews +Indexes + AllowOverride None + AuthType basic + AuthName "Authentication Required" + # setup one time, with root:www-data, 640 + AuthUserFile "/etc/caldav-htpasswd" + Require valid-user + +EOF + # nginx version of above would be: + # auth_basic "Not currently available"; + # auth_basic_user_file /etc/nginx/caldav/htpasswd; + + + echo "$0: $(date): ending now)" exit 0 ;; esac -########### end section including li/lj ############### +########### end section including li/lj ############### case $distro in - arch) pi syncthing ;; - ubuntu|debian) - # google led me here: - # https://apt.syncthing.net/ - curl -s https://syncthing.net/release-key.txt | sudo apt-key add - - s="deb http://apt.syncthing.net/ syncthing release" - if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then - echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list - p update - fi - pi syncthing + debian|ubuntu) + # suggests because we want the resolvconf package. + # todo: check other distros to make sure it's installed + pi-nostart --install-suggests openvpn + # pi-nostart does not disable + ser disable openvpn ;; + *) pi openvpn;; esac -# installed via f-droid -# top right, actions, device id -# -# for installing on a remote comp: -# ssh -L 8384:localhost:8384 -N frodo -# went to http://localhost:8384/ -# -# add folder to sync phone, -# staggered file versioning would be my normal choice, but choose -# trash can versioning for sake of space on phone, with -# clean out after 7 days. -# -# did ser syncthing@ian start -# then on phone, add device, hit bar code icon, -# install bar code scanner. 
+ +if private-host; then + vpn-mk-client-cert -n mail li + cn=$(s openssl x509 -noout -nameopt multiline -subject \ + -in /etc/openvpn/client/mail.crt | \ + sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p') + echo "ifconfig-push 10.8.0.4 255.255.255.0" | \ + ssh root@li dd of=/etc/openvpn/client-config/"$cn" +fi +ser enable mailroute +if [[ $HOSTNAME == treetowl ]]; then + # note, this will need to be changed when the mail/contacts host changes + sgo openvpn-client@mail + /a/bin/distro-setup/radicale-setup +fi + +## android studio setup +# this contains the setting for android sdk to point to +# /a/opt/androidsdk, which is asked upon first run +lnf /a/opt/.AndroidStudio2.2 ~ +# android site says it needs a bunch of packages for ubuntu, +# but I googled for debian, and someone says you just need lib32stdc++6 plus the +# jdk +# https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html +# see w.org for more android studio details +spa lib32stdc++6 default-jdk + + +if [[ $HOSTNAME == treetowl ]]; then + # It\'s simpler to just worry about running it in one place for now. + # I assume it would work to clone it\'s config to another non-phone + # and just run it in one place instead of the normal having a + # separate config. I lean toward using the same config, since btrfs + # syncs between comps. + case $distro in + arch) pi syncthing ;; + ubuntu|debian) + # testing has relatively up to date packages + if ! isdebian-testing; then + # based on error when doing apt-get update: + # E: The method driver /usr/lib/apt/methods/https could not be found. 
+ pi apt-transport-https + # google led me here: + # https://apt.syncthing.net/ + curl -s https://syncthing.net/release-key.txt | sudo apt-key add - + s="deb http://apt.syncthing.net/ syncthing release" + if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then + echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list + p update + fi + fi + pi syncthing + ;; + esac + lnf -T /w/syncthing /home/ian/.config/syncthing + sgo syncthing@ian # runs as ian + + # these things persist in ~/.config/syncthing, which I save in + # /w/syncthing (not in /p, because syncthing should continue to + # run on home server even when using laptop as primary device) + # open http://localhost:8384/ + # change listen address from default to tcp://:22001, + # this is because we do port forward so it doesn\'t have to use + # some external server, but the syncthing is broken for port forward, + # you get a message, something "like connected to myself, this should not happen" + # when connecting to other local devices, so I bump the port up by 1, + # based on + # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19. + # Without this, it was being stuck syncing at 0%. + # Set gui username and password. + # + # install syncthing via f-droid, + # folder setting, turn off master folder (makes it read only). + # on phone, add device, click bar code icon + # on dekstop, top right, actions, device id + # after adding, notification will appear on desktop to confirm + # + # syncing folder. from phone to desktop: select desktop in the + # folder on phone's sync options, notification will appear in + # desktop's web ui within a minute. For the reverse, the + # notification will appear in android's notifications, you have to + # swipe down and tap it to add the folder. It won't appear in the + # syncthing ui, which would be intuitive, but don't wait for it + # there. + # + # On phone, set settings to run syncthing all the time, and + # show no notification. 
+ # + # Folder versioning would make sense if I didn\'t already use btrfs + # for backups. I would choose staggered, or trash can for more space. + # + # if needed to install on a remote comp: + # ssh -L 8384:localhost:8384 -N frodo + # open http://localhost:8384/ + # + # Note, the other thing i did was port forward port 22000, + # per https://docs.syncthing.net/users/firewall.html +fi + # no equivalent in other distros: @@ -287,8 +449,7 @@ esac ####### misc packages ########### - -if [[ $HOSTNAME == frodo ]]; then +if [[ $HOSTNAME == treetowl ]]; then case $distro in debian|ubuntu) # note i had to do this, which is persistent: 
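Review bot: `s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini` splices the secret into the sed program, so a password containing `/`, `&` or `\` silently corrupts the expression or the value written, and the full command line, secret included, is visible to every local user in the process table while sed runs. Escaping first keeps the edit correct: `pass=$(sed 's/[\/&\\]/\\&/g' /a/bin/bash_unpublished/mumble_pass)` followed by `s $sed -ri "s/^ *(serverpassword=).*/\1$pass/" /etc/mumble-server.ini`; putting the substitution in a script file fed to sed would additionally keep it off the command line. `echo "$0: $(date): ending now)"` has a stray closing parenthesis. The vpnmail.service and Apache heredocs in this hunk are garbled in this view and could not be reviewed.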
@@ -306,29 +467,47 @@ EOF # some reason it doesn't seem to start automatically anyways pi-nostart transmission-daemon + + # the folder was moved here after an install around 02/2017. + # it contains runtime data, + # plus a simple symlink to the config file which it's + # not worth separating out. + s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon + # # config file documented here, and it's the same config # for daemon vs client, so it's documented in the gui. # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options + # + # I originaly setup rpc-whitelist, but after using + # routing to a network namespace, it doesn't see the + # real source address, so it's disabled. + # + # Changed the cache-size to 256 mb, reduces disk use. + # It is a read & write cache. + # s ruby <<'EOF' require 'json' p = '/etc/transmission-daemon/settings.json' File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({ -'rpc-whitelist' => '127.0.0.1,192.168.1.*', +'rpc-whitelist-enabled' => false, 'rpc-authentication-required' => false, 'incomplete-dir' => '/i/k/partial-torrents', +'incomplete-dir-enabled' => true, 'download-dir' => '/i/k/torrents', -"speed-limit-up" => 700, +"speed-limit-up" => 800, "speed-limit-up-enabled" => true, -"ratio-limit" => 1.4000, +"peer-port" => 61486, +"cache-size-mb" => 256, +"ratio-limit" => 5.0, "ratio-limit-enabled" => true, })) + "\n") EOF - sgo transmission-daemon - ;; - arch) - # todo, setup it's config file & daemon - pi transmission-cli + + # make sure its not enabled, not sure if this is needed + ser disable transmission-daemon + sgo transmission-daemon-nn ;; + # todo: others unknown esac fi 
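Review bot: `'rpc-whitelist-enabled' => false` combined with the existing `'rpc-authentication-required' => false` leaves the daemon's RPC interface open to any client that can reach its port, with neither source filtering nor a password; the new comment explains why the whitelist stopped working behind the network-namespace routing but not what limits reachability instead. If the namespace only exposes the port locally that is fine and deserves a sentence in the comment; otherwise enabling `rpc-authentication-required` (the rpc-password is already read out by a later block) or setting `"rpc-bind-address" => "127.0.0.1"` closes it. I cannot see the namespace setup from this hunk, so this is a question rather than a confirmed exposure.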
@@ -369,19 +548,30 @@ esac # only settings I set were # hostname # auto-connect +# password + + +# the password is randomly generated on first run +rpc_pass=$(s ruby <<'EOF' +require 'json' +p = '/etc/transmission-daemon/settings.json' +puts JSON.parse(File.read(p))["rpc-password"] +EOF + ) + for f in /home/*; do d=$f/.config/transmission-remote-gtk u=${f##*/} s -u $u mkdir -p $d - s -u $u dd of=$d/config.json <<'EOF' + s -u $u dd of=$d/config.json </dev/null; then s apt-get -fy install @@ -440,13 +619,13 @@ case $HOSTNAME in exit 1 fi ;; -esac -;; -arch) - pi google-chrome - ;; -esac -;; + esac + ;; + arch) + pi google-chrome + ;; + esac + ;; esac # printer @@ -582,7 +761,7 @@ case $distro in bridge-utils dnsmasq qemu bind-tools # otherwise we get error about accessing kvm module. # seems like there might be a better way, but google was a bit vague. - s sed -ri --follow-symlinks '/^ *user *=/d' /etc/libvirt/qemu.conf + s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf # https://bbs.archlinux.org/viewtopic.php?id=206206 # # this should prolly go in the wiki 
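Review bot: `rpc_pass=$(...)` reads `rpc-password` out of settings.json and the now-unquoted heredoc interpolates it into each user's config.json, but as far as I know transmission-daemon replaces a plaintext rpc-password with a salted hash (a value starting with `{`) the first time it starts, so what gets copied may be the hash rather than a usable credential — verify against a freshly started daemon before relying on it. The file is written with `dd` as the user, so its mode comes from the umask and is probably world-readable; `s -u $u install -m 600 /dev/null $d/config.json` before the dd, or a `chmod 600` after it, keeps the credential private to that user. The heredoc body is garbled in this view and could not be checked.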
@@ -616,20 +795,103 @@ esac case $distro in - debian|ubuntu) spa android-tools-adb/unstable ;; + debian|ubuntu) spa android-tools-adbd/unstable ;; arch) spa android-tools ;; # other distros unknown esac -case $distro in - debian) - if [[ `debian-archive` == testing ]]; then - # has no unstable dependencies - spa bitcoin-qt/unstable - fi - ;; - # other distros unknown -esac +if [[ $HOSTNAME == treetowl ]]; then + case $distro in + debian) + if [[ `debian-archive` == testing ]]; then + # has no unstable dependencies + pi bitcoind/unstable + src=/a/opt/bitcoin/contrib/init/bitcoind.service + s cp $src /etc/systemd/system + p=/etc/bitcoin/bitcoin + dst=/etc/systemd/system/bitcoinjm.service + # jm for joinmarket + $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \ + >/etc/systemd/system/bitcoinjm.service + + d=jm; jm=d # being clever for succinctness + for s in d jm; do + s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \ + /etc/systemd/system/bitcoin${s}.service + done + + ser daemon-reload + + dir=/nocow/.bitcoin + s mkdir -p $dir + s chown -R bitcoin:bitcoin $dir + dir=/etc/bitcoin + s mkdir -p $dir + s chown -R root:bitcoin $dir + s chmod 750 $dir + + # pruning decreases the bitcoin dir to 2 gb, keeps + # just the recent blocks. can\'t do a few things like + # import a wallet dump. + # pruning works, but people had to do + # some manual stuff in joinmarket. I dun need the + # disk space, so not bothering yet, maybe in a year or so. + # https://github.com/JoinMarket-Org/joinmarket/issues/431 + #https://bitcoin.org/en/release/v0.12.0#wallet-pruning + #prune=550 + + f=$dir/bitcoin.conf + s dd of=$f </dev/null < x.html +EOF case $distro in @@ -829,7 +1110,7 @@ case $distro in s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF' Explanation: Allow unison-gtk to be upgraded Package: unison-gtk -Pin: release a=unstable +Pin: release a=testing Pin-Priority: 500 EOF # dont think using testing is needed since I figured out how to 
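Review bot: `$sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src >/etc/systemd/system/bitcoinjm.service` performs the redirection as the invoking user instead of through `s`, so unless the script itself runs as root the shell cannot open the output file and the unit is never written (the `s cp $src ...` line just above does go through sudo). `dst` is assigned that same path on the previous line and then never used; `$sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src | s dd of=$dst` fixes both and matches how the rest of the file writes under /etc. The `d=jm; jm=d` loop is terse enough that a comment naming what it produces — a `Conflicts=` line in each of bitcoind.service and bitcoinjm.service pointing at the other — would help the next reader. The bitcoin.conf heredoc is garbled in this view and could not be reviewed.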
@@ -855,11 +1136,22 @@ EOF ;; esac -# not using it atm, and for jessie, it depends on a higher version of btrfs-tools +# note, for jessie, it depends on a higher version of btrfs-tools. +# +# # disabled due to my patch being in btrbk # case $distro in # arch|debian|ubuntu) pi btrbk ;; # # others unknown # esac +cd /a/opt/btrbk +s make install +spa pv # for progress bar when running interactively. +if [[ $HOSTNAME == treetowl ]]; then + # backup/sync manually on others hosts for now. + sgo btrbk.timer + # note: to see when it was last run, + # ser list-timers +fi if [[ $HOSTNAME == treetowl ]] && [[ `debian-archive` != testing ]]; then # fail2 ban is broken, with a workaround, per @@ -963,26 +1255,19 @@ EOF ;; esac -if [[ $HOSTNAME == frodo ]]; then - tu /etc/exports <<'EOF' -/k 192.168.1.0/24(rw,nohide,no_subtree_check,insecure) -EOF - s exportfs -rav -fi - -if [[ -e /k/video ]]; then +if [[ $HOSTNAME == treetowl ]]; then # nohide = export filesystems mounted deeper than the export point # fsid=0 makes this export the "root" export # not documented in the man page, but this means # 1. it can be mounted with a shorthand of server:/ # 2. exports that are subdirectories of this one will automatically be mounted - tu /etc/exports '/i/video 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)' + tu /etc/exports <<'EOF' +/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure) +EOF s exportfs -rav - showmount -e localhost fi - e "$end_msg_var" 
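Review bot: `cd /a/opt/btrbk` is unchecked, so if the checkout is missing `s make install` runs in whatever directory the script happens to be in, and the `cd` also changes the working directory for everything that follows. A subshell contains both: `(cd /a/opt/btrbk && s make install)`. Running `make install` as root from what is presumably a user-owned tree executes that tree's Makefile with root privileges, which is a trust decision worth one line of comment.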
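Review bot: The new `/k` export carries `no_root_squash` and `async`, neither of which the removed `/k` line had, so root on any host in 192.168.1.0/24 now has unrestricted root access to the exported tree, and `async` lets the server acknowledge writes before they reach disk, so a server crash can lose data a client believes committed. If these options were carried over from the old `/i/video` line rather than chosen for `/k`, dropping `no_root_squash` — or at least stating in the comment block which client needs it — narrows the exposure. The comment above the line explains `nohide` and `fsid=0` but says nothing about these two.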
@@ -1030,81 +1315,73 @@ if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then # run "control userpasswords2", turn on automatic login. # note: when changing devices, I just undefine, the create the vm again. - s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ - --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \ - -n win10 --import --os-variant $variant --cpu host-model-only - - s virsh destroy win10 - - # this one hasn\'t had the virtio fix done yet. - s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ - --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \ - -n win7 --import --os-variant win7 --cpu host-model-only - s virsh destroy win7 - # had a problem with --cpu host, so trying out - # --cpu host-model-only - + if [[ -e /nocow/user/vms/win10.qcow2 ]]; then + s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ + --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \ + -n win10 --import --os-variant $variant --cpu host-model-only + + s virsh destroy win10 + fi + + if [[ -e /nocow/user/vms/win7.qcow2 ]]; then + # this one hasn\'t had the virtio fix done yet. 
+ s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ + --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \ + -n win7 --import --os-variant win7 --cpu host-model-only + s virsh destroy win7 + # had a problem with --cpu host, so trying out + # --cpu host-model-only + fi fi -pi samba -# note samba re-reads it's config every 1 minute -case $distro in - arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;; -esac +if [[ $HOSTNAME == treetowl ]]; then + pi samba + # note samba re-reads it\'s config every 1 minute + case $distro in + arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;; + esac -# add 2 lines after workgroup option -s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf -s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf -s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf -# remove default homes section. not sharing that. -s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf + # add 2 lines after workgroup option + s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf + s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf + s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf + # remove default homes section. not sharing that. + s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf -if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then - s tee -a /etc/samba/smb.conf <<'EOF' + if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then + s tee -a /etc/samba/smb.conf <<'EOF' [public] guest ok = yes read only = no - path = /kfrodo + path = /kr EOF -fi + fi -case $distro in - debian|ubuntu) - # systemd claims it generates units from /etc/init.d, but it - # clearly doesn\'t in debian. 
I have no idea how they are - # related. fuck debian right now. It\'s not documented. samba - # has a systemd init file linked to /dev/null. There\'s this - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which - # claims samba\'s sub-services will be started automatically by - # systemd... it didn\'t on install, wonder if it will on - # boot. It clued me in how to start it manually though. Nothing - # in /usr/share/doc/samba, debian admin guide says nothing about - # any of this. (this is in debian testing as of 4/2016). - - s /etc/init.d/samba start - ;; - arch) - sgo samba - ;; -esac + case $distro in + debian|ubuntu) + # systemd claims it generates units from /etc/init.d, but it + # clearly doesn\'t in debian. I have no idea how they are + # related. fuck debian right now. It\'s not documented. samba + # has a systemd init file linked to /dev/null. There\'s this + # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which + # claims samba\'s sub-services will be started automatically by + # systemd... it didn\'t on install, wonder if it will on + # boot. It clued me in how to start it manually though. Nothing + # in /usr/share/doc/samba, debian admin guide says nothing about + # any of this. (this is in debian testing as of 4/2016). + + s /etc/init.d/samba start + ;; + arch) + sgo samba + ;; + esac +fi tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)" - -rootdev=$(mount | sed -rn 's#^(\S+) on / .*#\1#p') -s mkdir /mnt/root -tu /etc/fstab <<< "$rootdev /mnt/root btrfs noatime,subvolid=0 0 0" -mountpoint /mnt/root || s mount /mnt/root -idev=$(mount | sed -rn 's#^(\S+) on /i .*#\1#p') -if [[ $idev != $rootdev ]]; then - s mkdir /mnt/iroot - tu /etc/fstab <<< "$idev /mnt/iroot btrfs noatime,subvolid=0 0 0" - mountpoint /mnt/iroot || s mount /mnt/iroot -fi - - ######### begin stuff belonging at the end ##########