X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=dde7a1026206449daf0f6affa9828b9424e3e84d;hb=69c1f384f54bba59a693c4ac9d61d8f7f3692269;hp=920de7f70a6a22405bd6c3535a03e23b70007d06;hpb=28d76e1e82027ad40d7ec48ff68839f1f035b7b1;p=distro-setup diff --git a/distro-end b/distro-end index 920de7f..dde7a10 100755 --- a/distro-end +++ b/distro-end @@ -35,6 +35,7 @@ spa() { # simple package add distro=$(distro-name) pending_reboot=false +sed="sed --follow-symlinks" # template case $distro in @@ -62,23 +63,37 @@ case $HOSTNAME in # mutagen for pithos simple_packages+=( apache2 + apache2-doc + apt-doc + aptitude-doc-en + bash-doc + binutils-doc bwm-ng chromium + cpio-doc + cron debconf-doc duplicity eclipse evince fdupes + feh filelight + gawk-doc gcc-doc gdb + gdb-doc + git-doc gitk + glibc-doc goaccess gnome-screenshot i3lock + iproute2-doc jq linux-doc locate + make-doc manpages manpages-dev meld @@ -87,23 +102,29 @@ case $HOSTNAME in offlineimap p7zip paprefs + parted-doc pavucontrol pdfgrep + perl-doc pianobar pidgin + python3-doc python3-mutagen reportbug + sqlite3-doc squashfs-tools swh-plugins + tar-doc tcpdump transmission-remote-gtk vlc + whois ) + spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') ;; esac - ########### begin section including li ################ @@ -177,8 +198,12 @@ esac # no equivalent in other distros: case $distro in debian|ubuntu) - pi apt-file aptitude - s apt-file update + pi aptitude + if ! dpkg -s apt-file &>/dev/null; then + # this condition is just a speed optimization + pi apt-file + s apt-file update + fi # for debconf-get-selections spa debconf-utils ;; @@ -251,7 +276,7 @@ case $HOSTNAME in #$src/phab-setup pi-nostart mumble-server - s sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini + s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini sgo mumble-server vpn-server-setup -d 
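Review bot: `sed="sed --follow-symlinks"` stores a command plus its option in a plain string, and every later use (`s $sed -ri …` in the @@ -251 hunk and in the bitcoin unit loop further down) relies on unquoted word splitting to separate the two words. In bash an array reads more clearly and does not depend on that: `sed=(sed --follow-symlinks)` with call sites written `s "${sed[@]}" -ri …`. Since `--follow-symlinks` is a GNU sed extension, a one-line comment next to the assignment would help, e.g. `# GNU sed only: with -i, edit the symlink's target instead of replacing the link with a regular file`.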
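Review bot: `spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')` hands the regex to the shell unquoted, so `ruby[.0-9]+-doc` is also a glob that would be expanded if a matching file name existed in the current directory. Quote it, and since apt-cache search matches descriptions as well as names, restrict the match: `spa $(apt-cache search --names-only 'ruby[.0-9]+-doc' | awk '{print $1}')`. The unquoted command substitution is intentional here (one package name per word), but a short comment saying so would stop the next reader from "fixing" it.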
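Review bot: `dpkg -s apt-file` exits 0 whenever dpkg has a record of the package, which includes a package that was removed but not purged (status `deinstall ok config-files`), so the new guard can skip `pi apt-file` on a machine where apt-file was previously removed and the later `s apt-file update` is then never run either. Since the comment says the condition is only a speed optimization, a test that checks the installed state is safer: `if ! dpkg-query -W -f='${Status}' apt-file 2>/dev/null | grep -q 'install ok installed'; then`. The `case $distro` block this sits in starts and ends outside the hunk.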
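Review bot: The mumble password is spliced into the sed replacement text unescaped, so a value containing `/`, `&` or `\` would break the expression or be interpreted as sed replacement syntax, and the secret also appears on the command line, where other local users can see it in the process list. At minimum the constraint should be stated next to the line, e.g. `# mumble_pass is used raw as a sed replacement: it must not contain / & or \`; a stronger fix reads the file into a variable and escapes those three characters before substituting. The `case $HOSTNAME` block around this line starts and ends outside the hunk.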
@@ -263,8 +288,8 @@ Description=Turns on iptables mail nat [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25 -ExecStop=/sbin/iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25 +ExecStart=/a/bin/distro-setup/vpn-mail-forward start +ExecStop=/a/bin/distro-setup/vpn-mail-forward stop [Install] WantedBy=openvpn.service @@ -273,7 +298,25 @@ EOF ser enable vpnmail.service acme-tiny-wrapper mail.iankelling.org sgo openvpn - tu /etc/hosts <<<"mail.iankelling.org 10.8.0.4" + tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org" + domain=cal.iankelling.org + acme-tiny-wrapper $domain + apache-site -f 10.8.0.4:5232 - $domain <<'EOF' +#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype + + Options +FollowSymLinks +Multiviews +Indexes + AllowOverride None + AuthType basic + AuthName "Authentication Required" + # setup one time, with root:www-data, 640 + AuthUserFile "/etc/caldav-htpasswd" + Require valid-user + +EOF + # nginx version of above would be: + # auth_basic "Not currently available"; + # auth_basic_user_file /etc/nginx/caldav/htpasswd; + echo "$0: $(date): ending now)" 
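Review bot: The unit now executes `/a/bin/distro-setup/vpn-mail-forward`, and with `Type=oneshot` plus `RemainAfterExit=yes` a failure of that script at boot leaves the mail NAT rule absent with only a failed unit to show for it; if `/a` is a separately mounted filesystem (not visible here) the unit also needs `RequiresMountsFor=/a/bin/distro-setup` so it is not started before the script is reachable. The old ExecStart/ExecStop spelled out the iptables rule inline, including the `-i eth0` restriction; that logic now lives in the script, which this diff does not show, so it cannot be checked here. The heredoc writing this unit starts outside the hunk.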
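Review bot: The new caldav vhost depends on `AuthUserFile "/etc/caldav-htpasswd"`, which the comment says is created by hand, but the script never checks that it exists, so on a fresh host the site is enabled with an auth file that is missing and every request fails without any hint from this script; a guard such as `[[ -e /etc/caldav-htpasswd ]] || echo "$0: warning: /etc/caldav-htpasswd missing, caldav auth will fail"` before the `apache-site` call would surface that. Basic auth sends credentials in the clear, so this is only sound if `apache-site` serves `$domain` exclusively over the acme-tiny certificate obtained just above — I cannot confirm that from the diff. The added `echo "$0: $(date): ending now)"` has a stray `)` inside the message. The `<Directory>`-style tags around the `Options` block look to have been stripped by the page rendering, so the heredoc should be compared against the file itself rather than this view.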
@@ -284,14 +327,30 @@ esac ########### end section including li/lj ############### +case $distro in + debian|ubuntu) + # suggests because we want the resolvconf package. + # todo: check other distros to make sure it's installed + pi-nostart --install-suggests openvpn + # pi-nostart does not disable + ser disable openvpn + ;; + *) pi openvpn;; +esac + if private-host; then vpn-mk-client-cert -n mail li - echo "ifconfig-push 10.8.0.4 255.255.255.0" | ssh root@li dd of=/etc/openvpn/client-config/$(openssl x509 -noout -subject -in mail.crt | sed -r 's/.*CN *= *([^,]+).*/\1/') + cn=$(s openssl x509 -noout -nameopt multiline -subject \ + -in /etc/openvpn/client/mail.crt | \ + sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p') + echo "ifconfig-push 10.8.0.4 255.255.255.0" | \ + ssh root@li dd of=/etc/openvpn/client-config/"$cn" fi ser enable mailroute if [[ $HOSTNAME == treetowl ]]; then - # note, this will need to be changed when the mail host changes + # note, this will need to be changed when the mail/contacts host changes sgo openvpn-client@mail + /a/bin/distro-setup/radicale-setup fi ## android studio setup @@ -332,10 +391,12 @@ if [[ $HOSTNAME == treetowl ]]; then pi syncthing ;; esac + lnf -T /w/syncthing /home/ian/.config/syncthing sgo syncthing@ian # runs as ian # these things persist in ~/.config/syncthing, which I save in - # /p/c/machine_specific + # /w/syncthing (not in /p, because syncthing should continue to + # run on home server even when using laptop as primary device) # open http://localhost:8384/ # change listen address from default to tcp://:22001, # this is because we do port forward so it doesn\'t have to use 
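Review bot: `ssh root@li dd of=/etc/openvpn/client-config/"$cn"` quotes `$cn` only for the local shell; ssh joins its arguments into one string that the remote shell parses again, so a CN containing whitespace or shell metacharacters would split the command or write to an unintended path. The CN comes from a certificate this script's own `vpn-mk-client-cert -n mail li` produced, so it is not attacker-controlled, but `ssh root@li "dd of=/etc/openvpn/client-config/$(printf %q "$cn")"` makes the quoting survive the hop, and a `[[ -n $cn ]] || exit 1` before it would catch the sed extraction matching nothing, which otherwise leaves dd pointed at the bare directory. Both the new `case $distro` block and the `if private-host` block are complete within the hunk.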
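Review bot: `lnf -T /w/syncthing /home/ian/.config/syncthing` is run immediately before `sgo syncthing@ian`, but nothing in the hunk creates `/w/syncthing` or gives it to `ian`, who the comment says the service runs as, so a missing or root-owned directory would leave the service with a dangling or unwritable config path. Presumably `lnf` is the project's force-link helper; what it does when `~/.config/syncthing` already exists as a real directory from an earlier install is not visible here and is worth stating in a comment, e.g. `# /w/syncthing must exist and be owned by ian before the service starts`. The `case` block above the link starts outside the hunk.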
@@ -353,8 +414,16 @@ if [[ $HOSTNAME == treetowl ]]; then # on dekstop, top right, actions, device id # after adding, notification will appear on desktop to confirm # - # add folder to sync phone, notification will appear on desktop - # to set folder location. + # syncing folder. from phone to desktop: select desktop in the + # folder on phone's sync options, notification will appear in + # desktop's web ui within a minute. For the reverse, the + # notification will appear in android's notifications, you have to + # swipe down and tap it to add the folder. It won't appear in the + # syncthing ui, which would be intuitive, but don't wait for it + # there. + # + # On phone, set settings to run syncthing all the time, and + # show no notification. # # Folder versioning would make sense if I didn\'t already use btrfs # for backups. I would choose staggered, or trash can for more space. @@ -398,6 +467,12 @@ EOF # some reason it doesn't seem to start automatically anyways pi-nostart transmission-daemon + + # the folder was moved here after an install around 02/2017. + # it contains runtime data, + # plus a simple symlink to the config file which it's + # not worth separating out. + s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon # # config file documented here, and it's the same config # for daemon vs client, so it's documented in the gui. 
@@ -407,26 +482,24 @@ EOF # routing to a network namespace, it doesn't see the # real source address, so it's disabled. # - # Changed the cache-size to 128 mb, reduces disk use. + # Changed the cache-size to 256 mb, reduces disk use. # It is a read & write cache. # - # todo: setup a password. s ruby <<'EOF' require 'json' p = '/etc/transmission-daemon/settings.json' File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({ 'rpc-whitelist-enabled' => false, 'rpc-authentication-required' => false, -'incomplete-dir' => '/k/partial-torrents', +'incomplete-dir' => '/i/k/partial-torrents', 'incomplete-dir-enabled' => true, 'download-dir' => '/i/k/torrents', "speed-limit-up" => 800, "speed-limit-up-enabled" => true, "peer-port" => 61486, -"cache-size-mb" => 128, -"ratio-limit" => 1.4000, -"ratio-limit-enabled" => false, -"pidfile": "/var/lib/transmission-daemon/transmission-daemon.pid", +"cache-size-mb" => 256, +"ratio-limit" => 5.0, +"ratio-limit-enabled" => true, })) + "\n") EOF @@ -434,8 +507,8 @@ EOF ser disable transmission-daemon sgo transmission-daemon-nn ;; - # todo: others unknown -esac + # todo: others unknown + esac fi # adapted from /var/lib/dpkg/info/transmission-daemon.postinst 
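Review bot: The `# todo: setup a password.` line is removed, but the generated settings still set `'rpc-authentication-required' => false` alongside `'rpc-whitelist-enabled' => false`, so the RPC interface keeps accepting unauthenticated control from anything that can reach it and only the network-namespace routing described in the comment stands in the way. The later hunk at @@ -475 reads `rpc-password` out of settings.json into each user's transmission-remote-gtk config, which only matters once authentication is required, so the two halves disagree — either set `'rpc-authentication-required' => true,` here or keep the todo comment so the gap stays visible. I believe transmission-daemon also rewrites a plaintext `rpc-password` into a salted-hash form on start, in which case the value read at @@ -475 would not be a usable client password; worth confirming against the installed version. The ruby heredoc is complete within the hunk; the `case` block around it is not.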
@@ -475,19 +548,30 @@ esac # only settings I set were # hostname # auto-connect +# password + + +# the password is randomly generated on first run +rpc_pass=$(s ruby <<'EOF' +require 'json' +p = '/etc/transmission-daemon/settings.json' +puts JSON.parse(File.read(p))["rpc-password"] +EOF + ) + for f in /home/*; do d=$f/.config/transmission-remote-gtk u=${f##*/} s -u $u mkdir -p $d - s -u $u dd of=$d/config.json <<'EOF' + s -u $u dd of=$d/config.json </etc/systemd/system/bitcoinjm.service + + d=jm; jm=d # being clever for succinctness + for s in d jm; do + s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \ + /etc/systemd/system/bitcoin${s}.service + done + + ser daemon-reload + + dir=/nocow/.bitcoin + s mkdir -p $dir + s chown -R bitcoin:bitcoin $dir + dir=/etc/bitcoin + s mkdir -p $dir + s chown -R root:bitcoin $dir + s chmod 750 $dir + + # pruning decreases the bitcoin dir to 2 gb, keeps + # just the recent blocks. can\'t do a few things like + # import a wallet dump. + # pruning works, but people had to do + # some manual stuff in joinmarket. I dun need the + # disk space, so not bothering yet, maybe in a year or so. + # https://github.com/JoinMarket-Org/joinmarket/issues/431 + #https://bitcoin.org/en/release/v0.12.0#wallet-pruning + #prune=550 + + f=$dir/bitcoin.conf + s dd of=$f </dev/null </dev/null; then # run "control userpasswords2", turn on automatic login. # note: when changing devices, I just undefine, the create the vm again. - if [[ -e /a/images/win10.qcow2 ]]; then + if [[ -e /nocow/user/vms/win10.qcow2 ]]; then s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \ -n win10 --import --os-variant $variant --cpu host-model-only 
@@ -1248,7 +1323,7 @@ if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then s virsh destroy win10 fi - if [[ -e /a/images/win7.qcow2 ]]; then + if [[ -e /nocow/user/vms/win7.qcow2 ]]; then # this one hasn\'t had the virtio fix done yet. s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
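Review bot: The existence check moves to `/nocow/user/vms/win7.qcow2`, but the `--disk=/a/images/win7.qcow2` argument on the next line still names the old location, so unless `/a/images` is a symlink to the new directory (not shown in the diff) the check passes and `virt-install` is pointed at a disk that is not there; the win10 block in the preceding hunk has the same mismatch with `--disk=/a/images/win10.qcow2,bus=virtio`. Keep the path in one place: `img=/nocow/user/vms/win7.qcow2`, then `if [[ -e $img ]]; then` and `--disk=$img --vcpus 2 -r 4096 -w bridge=br0 \`. The virt-install command continues outside the hunk.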