X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=dde7a1026206449daf0f6affa9828b9424e3e84d;hb=69c1f384f54bba59a693c4ac9d61d8f7f3692269;hp=44be816d82fee63536c3a83adce2ad8bb5aa47a9;hpb=f7cd81f49aa5d7a4581db63bed053e66e692972e;p=distro-setup diff --git a/distro-end b/distro-end index 44be816..dde7a10 100755 --- a/distro-end +++ b/distro-end @@ -35,6 +35,7 @@ spa() { # simple package add distro=$(distro-name) pending_reboot=false +sed="sed --follow-symlinks" # template case $distro in @@ -51,6 +52,7 @@ simple_packages=( ruby-rest-client tree vim + wcd ) case $HOSTNAME in @@ -59,52 +61,70 @@ case $HOSTNAME in # universal packages # swh-plugins is for karaoke pulsaudio filter. # mutagen for pithos - # lib32stdc++6/default-jdk for android studio - # android site says it needs a bunch of packages for ubuntu, - # but I googled for debian, and someone says you just need one, plus the - # jdk - # https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html - # see w.org for more android studio details - # simple_packages+=( apache2 + apache2-doc + apt-doc + aptitude-doc-en + bash-doc + binutils-doc bwm-ng chromium - default-jdk + cpio-doc + cron + debconf-doc duplicity + eclipse evince fdupes + feh filelight + gawk-doc + gcc-doc gdb + gdb-doc + git-doc gitk + glibc-doc goaccess gnome-screenshot + i3lock + iproute2-doc jq + linux-doc locate - lib32stdc++6 + make-doc manpages + manpages-dev meld + mumble nmap offlineimap p7zip paprefs + parted-doc pavucontrol pdfgrep + perl-doc pianobar pidgin + python3-doc python3-mutagen - slock + reportbug + sqlite3-doc squashfs-tools swh-plugins + tar-doc tcpdump transmission-remote-gtk vlc + whois ) + spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') ;; esac - ########### begin section including li ################ 
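Review bot: `sed="sed --follow-symlinks"` keeps a command line in a plain string, so every use has to leave `$sed` unquoted and depends on word splitting with the current IFS. Because the callers run it through `s`, a function will not work, but an array does: `sed=(sed --follow-symlinks)` with `s "${sed[@]}" -ri …` at the call sites. The later hunks that use `$sed` (mumble-server.ini, qemu.conf, the bitcoin units) would need the same change.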
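Review bot: The added `spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')` at the end of the package list passes the regex unquoted, so the shell can glob-expand `ruby[.0-9]+-doc` against the current directory before apt-cache sees it. `apt-cache search` also matches package descriptions, not only names, so the result can include packages that are not ruby docs, and everything it returns is installed with root privileges. Quoting the pattern and restricting the match to names keeps the set predictable: `spa $(apt-cache search --names-only 'ruby[.0-9]+-doc' | awk '{print $1}')`.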
@@ -178,8 +198,12 @@ esac # no equivalent in other distros: case $distro in debian|ubuntu) - pi apt-file aptitude - s apt-file update + pi aptitude + if ! dpkg -s apt-file &>/dev/null; then + # this condition is just a speed optimization + pi apt-file + s apt-file update + fi # for debconf-get-selections spa debconf-utils ;; @@ -237,11 +261,12 @@ fi pi "${simple_packages[@]}" simple_packages=() +# website setup case $HOSTNAME in lj|li) case $HOSTNAME in - lj) domain=iank.bid ;; + lj) domain=iank.bid; exit 0 ;; li) domain=iankelling.org ;; esac /a/h/setup.sh $domain 
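Review bot: `dpkg -s apt-file` also exits 0 for a package that was removed but not purged (status `deinstall ok config-files`), so on such a host the new guard skips both `pi apt-file` and `s apt-file update`. Testing the status string avoids that: `if ! dpkg-query -W -f='${Status}' apt-file 2>/dev/null | grep -q 'ok installed'; then`. The comment could also say that skipping `apt-file update` on later runs is accepted, since the cache then only refreshes on first install.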
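Review bot: `lj) domain=iank.bid; exit 0 ;;` ends the whole script for host lj with status 0 and no message, which makes the `domain=` assignment and the rest of the `lj|li` branch dead for that host. If lj is deliberately parked, say so at the exit so a later run does not look like a completed setup, e.g. `lj) echo "$0: website setup disabled on lj" >&2; exit 0 ;;`. A one-line comment with the reason would also help the next reader.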
@@ -250,63 +275,167 @@ case $HOSTNAME in sudo -E /a/bin/mediawiki-setup/mw-setup-script #$src/phab-setup + pi-nostart mumble-server + s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini + sgo mumble-server + + vpn-server-setup -d + + sudo dd of=/etc/systemd/system/vpnmail.service < + Options +FollowSymLinks +Multiviews +Indexes + AllowOverride None + AuthType basic + AuthName "Authentication Required" + # setup one time, with root:www-data, 640 + AuthUserFile "/etc/caldav-htpasswd" + Require valid-user + +EOF + # nginx version of above would be: + # auth_basic "Not currently available"; + # auth_basic_user_file /etc/nginx/caldav/htpasswd; + + + echo "$0: $(date): ending now)" exit 0 ;; esac + ########### end section including li/lj ############### +case $distro in + debian|ubuntu) + # suggests because we want the resolvconf package. + # todo: check other distros to make sure it's installed + pi-nostart --install-suggests openvpn + # pi-nostart does not disable + ser disable openvpn + ;; + *) pi openvpn;; +esac + +if private-host; then + vpn-mk-client-cert -n mail li + cn=$(s openssl x509 -noout -nameopt multiline -subject \ + -in /etc/openvpn/client/mail.crt | \ + sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p') + echo "ifconfig-push 10.8.0.4 255.255.255.0" | \ + ssh root@li dd of=/etc/openvpn/client-config/"$cn" +fi +ser enable mailroute +if [[ $HOSTNAME == treetowl ]]; then + # note, this will need to be changed when the mail/contacts host changes + sgo openvpn-client@mail + /a/bin/distro-setup/radicale-setup +fi + +## android studio setup +# this contains the setting for android sdk to point to +# /a/opt/androidsdk, which is asked upon first run +lnf /a/opt/.AndroidStudio2.2 ~ +# android site says it needs a bunch of packages for ubuntu, +# but I googled for debian, and someone says you just need lib32stdc++6 plus the +# jdk +# https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html +# 
see w.org for more android studio details +spa lib32stdc++6 default-jdk -if [[ $HOSTNAME == frodo ]]; then + +if [[ $HOSTNAME == treetowl ]]; then + # It\'s simpler to just worry about running it in one place for now. + # I assume it would work to clone it\'s config to another non-phone + # and just run it in one place instead of the normal having a + # separate config. I lean toward using the same config, since btrfs + # syncs between comps. case $distro in - ubunut|debian) - pi libsqlite3-dev - cd /a/opt/duperemove - make clean - make - s make install + arch) pi syncthing ;; + ubuntu|debian) + # testing has relatively up to date packages + if ! isdebian-testing; then + # based on error when doing apt-get update: + # E: The method driver /usr/lib/apt/methods/https could not be found. + pi apt-transport-https + # google led me here: + # https://apt.syncthing.net/ + curl -s https://syncthing.net/release-key.txt | sudo apt-key add - + s="deb http://apt.syncthing.net/ syncthing release" + if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then + echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list + p update + fi + fi + pi syncthing ;; - #others unknown esac + lnf -T /w/syncthing /home/ian/.config/syncthing + sgo syncthing@ian # runs as ian + + # these things persist in ~/.config/syncthing, which I save in + # /w/syncthing (not in /p, because syncthing should continue to + # run on home server even when using laptop as primary device) + # open http://localhost:8384/ + # change listen address from default to tcp://:22001, + # this is because we do port forward so it doesn\'t have to use + # some external server, but the syncthing is broken for port forward, + # you get a message, something "like connected to myself, this should not happen" + # when connecting to other local devices, so I bump the port up by 1, + # based on + # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19. 
+ # Without this, it was being stuck syncing at 0%. + # Set gui username and password. + # + # install syncthing via f-droid, + # folder setting, turn off master folder (makes it read only). + # on phone, add device, click bar code icon + # on dekstop, top right, actions, device id + # after adding, notification will appear on desktop to confirm + # + # syncing folder. from phone to desktop: select desktop in the + # folder on phone's sync options, notification will appear in + # desktop's web ui within a minute. For the reverse, the + # notification will appear in android's notifications, you have to + # swipe down and tap it to add the folder. It won't appear in the + # syncthing ui, which would be intuitive, but don't wait for it + # there. + # + # On phone, set settings to run syncthing all the time, and + # show no notification. + # + # Folder versioning would make sense if I didn\'t already use btrfs + # for backups. I would choose staggered, or trash can for more space. + # + # if needed to install on a remote comp: + # ssh -L 8384:localhost:8384 -N frodo + # open http://localhost:8384/ + # + # Note, the other thing i did was port forward port 22000, + # per https://docs.syncthing.net/users/firewall.html fi -case $distro in - arch) pi syncthing ;; - ubuntu|debian) - # testing has relatively up to date packages - if ! isdebian-testing; then - # based on error when doing apt-get update: - # E: The method driver /usr/lib/apt/methods/https could not be found. 
- pi apt-transport-https - # google led me here: - # https://apt.syncthing.net/ - curl -s https://syncthing.net/release-key.txt | sudo apt-key add - - s="deb http://apt.syncthing.net/ syncthing release" - if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then - echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list - p update - fi - fi - pi syncthing - ;; -esac -# installed via f-droid -# top right, actions, device id -# -# for installing on a remote comp: -# ssh -L 8384:localhost:8384 -N frodo -# went to http://localhost:8384/ -# -# add folder to sync phone, -# staggered file versioning would be my normal choice, but choose -# trash can versioning for sake of space on phone, with -# clean out after 7 days. -# -# did: -# ser start syncthing@ian -# then on phone, add device, hit bar code icon, -# install bar code scanner. # no equivalent in other distros: @@ -320,7 +449,6 @@ esac ####### misc packages ########### - if [[ $HOSTNAME == treetowl ]]; then case $distro in debian|ubuntu) 
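Review bot: The `mumble-server.ini` line builds the sed program from `$(< /a/bin/bash_unpublished/mumble_pass)`, so the server password ends up in the argv of `s` and `sed` (visible in the process list, and in the sudo command log if `s` is sudo), and any `/`, `&` or `\` in it changes or breaks the substitution. Escaping the value for the replacement side and giving sed its script with `-f` from stdin or a root-only file keeps the secret out of argv. Further down, `ssh root@li dd of=/etc/openvpn/client-config/"$cn"` is re-parsed by the remote shell, and `$cn` is empty when the sed filter finds no commonName line. A check such as `[[ $cn =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` before the ssh stops an unexpected name from reaching a write as root. The heredoc bodies in this hunk are not visible on the page, so this covers only the lines shown.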
@@ -339,29 +467,47 @@ EOF # some reason it doesn't seem to start automatically anyways pi-nostart transmission-daemon + + # the folder was moved here after an install around 02/2017. + # it contains runtime data, + # plus a simple symlink to the config file which it's + # not worth separating out. + s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon + # # config file documented here, and it's the same config # for daemon vs client, so it's documented in the gui. # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options + # + # I originaly setup rpc-whitelist, but after using + # routing to a network namespace, it doesn't see the + # real source address, so it's disabled. + # + # Changed the cache-size to 256 mb, reduces disk use. + # It is a read & write cache. + # s ruby <<'EOF' require 'json' p = '/etc/transmission-daemon/settings.json' File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({ -'rpc-whitelist' => '127.0.0.1,192.168.1.*', +'rpc-whitelist-enabled' => false, 'rpc-authentication-required' => false, 'incomplete-dir' => '/i/k/partial-torrents', +'incomplete-dir-enabled' => true, 'download-dir' => '/i/k/torrents', -"speed-limit-up" => 700, +"speed-limit-up" => 800, "speed-limit-up-enabled" => true, -"ratio-limit" => 1.4000, +"peer-port" => 61486, +"cache-size-mb" => 256, +"ratio-limit" => 5.0, "ratio-limit-enabled" => true, })) + "\n") EOF - sgo transmission-daemon - ;; - arch) - # todo, setup it's config file & daemon - pi transmission-cli + + # make sure its not enabled, not sure if this is needed + ser disable transmission-daemon + sgo transmission-daemon-nn ;; + # todo: others unknown esac fi 
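Review bot: The merged settings now carry `'rpc-whitelist-enabled' => false` while `'rpc-authentication-required' => false` stays, so transmission itself no longer restricts who can drive the RPC interface. The only remaining control is whatever the network-namespace routing mentioned in the comment enforces. Setting `'rpc-authentication-required' => true` would keep a second control in place if the routing or firewall rules change later. If leaving it off is intended, a comment naming the rule that limits access to the RPC port would make that dependency explicit.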
@@ -402,19 +548,30 @@ esac # only settings I set were # hostname # auto-connect +# password + + +# the password is randomly generated on first run +rpc_pass=$(s ruby <<'EOF' +require 'json' +p = '/etc/transmission-daemon/settings.json' +puts JSON.parse(File.read(p))["rpc-password"] +EOF + ) + for f in /home/*; do d=$f/.config/transmission-remote-gtk u=${f##*/} s -u $u mkdir -p $d - s -u $u dd of=$d/config.json <<'EOF' + s -u $u dd of=$d/config.json </dev/null; then s apt-get -fy install @@ -473,13 +619,13 @@ case $HOSTNAME in exit 1 fi ;; -esac -;; -arch) - pi google-chrome - ;; -esac -;; + esac + ;; + arch) + pi google-chrome + ;; + esac + ;; esac # printer @@ -615,7 +761,7 @@ case $distro in bridge-utils dnsmasq qemu bind-tools # otherwise we get error about accessing kvm module. # seems like there might be a better way, but google was a bit vague. - s sed -ri --follow-symlinks '/^ *user *=/d' /etc/libvirt/qemu.conf + s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf # https://bbs.archlinux.org/viewtopic.php?id=206206 # # this should prolly go in the wiki 
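Review bot: `rpc_pass` is read from `/etc/transmission-daemon/settings.json` and the `dd of=$d/config.json` line is changed, presumably so the value is written into each `/home/*/.config/transmission-remote-gtk/config.json`. `dd` creates that file with the default umask, so the credential is likely readable by other local users. Running the write under `umask 077` (or a `chmod 600` right after) and quoting `"$u"` and `"$d"` would tighten this. Worth confirming as well: transmission normally rewrites `rpc-password` as a salted hash once the daemon has started, in which case the value read here is not one a client can log in with. The heredoc body is not visible on the page, so the first point is inferred from the surrounding lines.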
@@ -649,20 +795,103 @@ esac case $distro in - debian|ubuntu) spa android-tools-adb/unstable ;; + debian|ubuntu) spa android-tools-adbd/unstable ;; arch) spa android-tools ;; # other distros unknown esac -case $distro in - debian) - if [[ `debian-archive` == testing ]]; then - # has no unstable dependencies - spa bitcoin-qt/unstable - fi - ;; - # other distros unknown -esac +if [[ $HOSTNAME == treetowl ]]; then + case $distro in + debian) + if [[ `debian-archive` == testing ]]; then + # has no unstable dependencies + pi bitcoind/unstable + src=/a/opt/bitcoin/contrib/init/bitcoind.service + s cp $src /etc/systemd/system + p=/etc/bitcoin/bitcoin + dst=/etc/systemd/system/bitcoinjm.service + # jm for joinmarket + $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \ + >/etc/systemd/system/bitcoinjm.service + + d=jm; jm=d # being clever for succinctness + for s in d jm; do + s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \ + /etc/systemd/system/bitcoin${s}.service + done + + ser daemon-reload + + dir=/nocow/.bitcoin + s mkdir -p $dir + s chown -R bitcoin:bitcoin $dir + dir=/etc/bitcoin + s mkdir -p $dir + s chown -R root:bitcoin $dir + s chmod 750 $dir + + # pruning decreases the bitcoin dir to 2 gb, keeps + # just the recent blocks. can\'t do a few things like + # import a wallet dump. + # pruning works, but people had to do + # some manual stuff in joinmarket. I dun need the + # disk space, so not bothering yet, maybe in a year or so. + # https://github.com/JoinMarket-Org/joinmarket/issues/431 + #https://bitcoin.org/en/release/v0.12.0#wallet-pruning + #prune=550 + + f=$dir/bitcoin.conf + s dd of=$f </dev/null </dev/null; then # run "control userpasswords2", turn on automatic login. # note: when changing devices, I just undefine, the create the vm again. 
- s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ - --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \ - -n win10 --import --os-variant $variant --cpu host-model-only + if [[ -e /nocow/user/vms/win10.qcow2 ]]; then + s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ + --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \ + -n win10 --import --os-variant $variant --cpu host-model-only - s virsh destroy win10 - - # this one hasn\'t had the virtio fix done yet. - s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ - --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \ - -n win7 --import --os-variant win7 --cpu host-model-only - s virsh destroy win7 - # had a problem with --cpu host, so trying out - # --cpu host-model-only + s virsh destroy win10 + fi + if [[ -e /nocow/user/vms/win7.qcow2 ]]; then + # this one hasn\'t had the virtio fix done yet. + s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ + --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \ + -n win7 --import --os-variant win7 --cpu host-model-only + s virsh destroy win7 + # had a problem with --cpu host, so trying out + # --cpu host-model-only + fi fi
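Review bot: The redirect in `$sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src >/etc/systemd/system/bitcoinjm.service` is opened by the calling shell rather than through `s`, so it fails unless the whole script already runs as root, and `dst` is assigned on the line above but never used. Following the file's own pattern, `$sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src | s dd of=$dst` fixes both. In the same hunk, `for s in d jm` reuses the name of the `s` wrapper as a loop variable and pairs it with the `d=jm; jm=d` indirection; two explicit sed calls would be easier to audit in code that edits systemd units. The adb line also switches to `android-tools-adbd/unstable`, which as far as I know is the device-side daemon rather than the `adb` client, so please confirm that is intended.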
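Review bot: The new guards test `/nocow/user/vms/win10.qcow2` and `/nocow/user/vms/win7.qcow2`, but the `virt-install` calls inside them still import `--disk=/a/images/win10.qcow2` and `--disk=/a/images/win7.qcow2`, so the check and the disk actually used can disagree. Holding the path in one variable removes the mismatch, whichever directory is correct: `img=/a/images/win10.qcow2; if [[ -e $img ]]; then … --disk=$img,bus=virtio`. The re-indented lines also keep `--graphics spice,listen=0.0.0.0`, which exposes the guest console on every host interface; `listen=127.0.0.1` with an SSH tunnel, or a spice password, is the safer default unless the network is trusted. The header of this hunk is not visible on the page.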