X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=ed90a3f4446fb39bd5e344a322a8cf0c6d343ec9;hb=768363d8771edb9d9ed82425fa772d77b90139c0;hp=626eb48b5c8600df2ba50b899ca49db0ae00a5a0;hpb=f234193be4019bb40b50d2973632ce2469f4c0af;p=distro-setup

diff --git a/distro-end b/distro-end
index 626eb48..ed90a3f 100755
--- a/distro-end
+++ b/distro-end
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 # shellcheck source=/a/bin/ds/.bashrc
-export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi
+export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi
 
 ### setup
 source /a/bin/errhandle/err
@@ -43,7 +43,7 @@ end() {
 }
 pre="${0##*/}:"
 sudo() {
-  printf "$pre %s\n"  "$*"
+  printf "$pre sudo %s\n"  "$*"
   SUDOD="$PWD" command sudo "$@";
 }
 m() { printf "$pre %s\n"  "$*"; "$@"; }
@@ -90,7 +90,6 @@ EOF
 ########### begin section including vps ################
 pi ${p2[@]}
 
-
 conflink
 
 sudo rm -fv
@@ -155,10 +154,12 @@ esac
 # fi
 
 
+
+
 pi debootstrap
 ######### begin universal pinned packages ######
 case $(debian-codename) in
-  nabia|etiona|flidas)
+  etiona|flidas|nabia|aramo)
     sudo rm -fv /etc/apt/preferences.d/etiona-buster
     sd /etc/apt/preferences.d/trisquel-debian <<EOF
 Explanation: Debian* includes Debian + Debian Backports
@@ -340,29 +341,15 @@ EOF
 
 
     ;;&
-  nabia|etiona)
+  aramo|nabia|etiona)
     # for ziva
     #p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
     doupdate=false
-    for n in buster bullseye; do
+    # shellcheck disable=SC2043 # in case we want more than 1 in the loop later.
+    for n in bullseye; do
       f=/etc/apt/sources.list.d/$n.list
       t=$(mktemp)
       case $n in
-        buster)
-          cat >$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
-          ;;
         bullseye)
           cat >$t <<'EOF'
 EOF
@@ -434,7 +421,7 @@ deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main universe
 deb http://us.archive.ubuntu.com/ubuntu/ focal-security main universe
 EOF
     if ! diff -q $t $f; then
-      sudo dd if=$t of=$f 2>/dev/null
+      sudo dd if=$t of=$f status=none
       p update
     fi
 
@@ -463,7 +450,7 @@ deb http://mirror.fsf.org/trisquel/ nabia-backports main
 deb-src http://mirror.fsf.org/trisquel/ nabia-backports main
 EOF
     if ! diff -q $t $f; then
-      sudo dd if=$t of=$f 2>/dev/null
+      sudo dd if=$t of=$f status=none
       p update
     fi
 
@@ -484,6 +471,34 @@ Pin: release n=bionic,o=Ubuntu
 Pin-Priority: -100
 EOF
 
+    ;;&
+  nabia)
+    sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+    f=/etc/apt/sources.list.d/aramo.list
+    t=$(mktemp)
+    cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+    if ! diff -q $t $f; then
+      sudo dd if=$t of=$f status=none
+      p update
+    fi
+
     ;;&
   *)
     if isdeb; then
@@ -492,7 +507,11 @@ EOF
     ;;
 esac
 
-
+case $codename_compat in
+  jammy)
+    s systemctl enable --now ssh-agent-iank
+    ;;
+esac
 
 case $codename_compat in
   focal)
@@ -523,7 +542,25 @@ Package: chromium-*
 Pin: release n=bionic
 Pin-Priority: 500
 EOF
-
+    ;;
+  nabia)
+    # note, to get the latest, it would be n=bullseye*
+    # but that has conflicting package versions, so this does the old one.
+    # I only use it for special rare purposes. Just keep in mind it is an
+    # outdated insecure version.
+    sd /etc/apt/preferences.d/chromium-bullseye <<EOF
+Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
+Pin: release o=Debian*,n=bullseye
+Pin-Priority: 500
+EOF
+    ;;
+  aramo)
+    # obs dependency not in trisquel
+    sd /etc/apt/preferences.d/obs <<EOF
+Package: libfdk-aac2
+Pin: release n=jammy,o=Ubuntu
+Pin-Priority: 500
+EOF
     ;;
 esac
 
@@ -572,9 +609,6 @@ sudo rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattende
 # Pin-Priority: 500
 # EOF
 
-if [[ -e /etc/wireguard/wghole.conf ]]; then
-  sgo wg-quick@wghole
-fi
 
 ###### begin website setup
 case $HOSTNAME in
@@ -584,7 +618,22 @@ case $HOSTNAME in
     if [[ ! -e $f ]]; then
       dnsb8
     fi
+
+    s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
+    # ex for exporter
+    web-conf -p 9101 -f 9100 - apache2 ${HOSTNAME}ex.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-export-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-export-htpasswd"
+Require valid-user
+</Location>
+EOF
     ;;&
+
   bk)
     sgo wg-quick@wgmail
 
@@ -622,50 +671,36 @@ EOF
 client-to-client
 EOF
 
-    # sullivan d8
-    sd /etc/openvpn/client-config-hole/sd8 <<'EOF'
-ifconfig-push 10.5.5.41 255.255.255.0
-EOF
-    # hsieh d8
-    sd /etc/openvpn/client-config-hole/hd8 <<'EOF'
-ifconfig-push 10.5.5.42 255.255.255.0
-EOF
 
-    sd /etc/openvpn/client-config-hole/onep9 <<'EOF'
-ifconfig-push 10.5.5.14 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/sy <<'EOF'
-ifconfig-push 10.5.5.12 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/kw <<'EOF'
-ifconfig-push 10.5.5.9 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/x3 <<'EOF'
-ifconfig-push 10.5.5.8 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/x2 <<'EOF'
-ifconfig-push 10.5.5.7 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/wclient <<'EOF'
-ifconfig-push 10.5.5.6 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/frodo <<'EOF'
-ifconfig-push 10.5.5.5 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/amy <<'EOF'
-ifconfig-push 10.5.5.3 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/kd <<'EOF'
-ifconfig-push 10.5.5.2 255.255.255.0
+    ngset
+    files=(/etc/openvpn/client-config-hole/*)
+    if (( ${#files[@]} >= 1 )); then
+      rm -f ${files[@]}
+    fi
+    ngreset
+    for host in ${!vpn_ips[@]}; do
+      sd /etc/openvpn/client-config-hole/$host <<EOF
+ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
 EOF
+    done
+
 
-    # for adding to current system:
-    #vpn-mk-client-cert -s "" -n hole 72.14.176.105
-    # adding to remove system 107,
-    #vpn-mk-client-cert -s "" -n hole -c 10.2.0.107 -b hd8 iankelling.org
+    # for adding cert to system with /p
     #
-    # for wireguard hole vpn
+    # host=frodo
+    #mkc /p/c/machine_specific/$host/filesystem/etc/openvpn/client
+    #vpn-mk-client-cert -b $host -n hole -r  iankelling.org
+    #s chown -R iank:iank .
+    #
+    # example of adding to remote system 107,
+    # vpn-mk-client-cert -n hole -c 10.2.0.107 -b hd8 iankelling.org
+    #
+    # for wireguard hole vpn, use function:
     # wghole
+    # eg:
+    # wghole bo 28
+    # if it is going to want to connect to transmission-daemon on ok
+    # wghole bo 28 10.174.2.2/32
 
     # requested from linode via a support ticket.
     # https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
@@ -715,7 +750,7 @@ EOF
 
 
     # needed for li's local mail delivery.
-    tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
+    tu /etc/hosts <<<"10.8.0.4 mx.iankelling.org"
 
     # wgmail handles this.
     #sgo vpn-mail-forward.service
@@ -725,6 +760,13 @@ EOF
 
     # setup let's encrypt cert
     m web-conf apache2 mail.iankelling.org
+    # TODO, i expanded the above cert manually to mx.iankelling.org, this should be captured
+    # in the automation here. We use mail.iankelling.org as our ehlo name when sending mail
+    # but our mx record is mx.iankelling.org. Initially I was just using mail.iankelling.org,
+    # but the problem is I want multiple ips to be able to identify as mail.iankelling.org,
+    # but a subset to be mx.iankelling.org. Afaik, there is no problem with having
+    # our mail cert be for mail.iankelling.org, and have people connect to mx.ian...,
+    # but it doesn't make logical sense to do this.
     sudo rm -fv /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
     ser reload apache2
 
@@ -734,14 +776,25 @@ EOF
 # https://radicale.org/2.1.html
 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
 # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location /radicale/>
-  Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+<Location "/">
   AllowOverride None
-  AuthType basic
+  AuthType Basic
   AuthName "Authentication Required"
   # setup one time, with root:www-data, 640
   AuthUserFile "/etc/caldav-htpasswd"
   Require valid-user
+  RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
+</Location>
+<Location "/radicale/">
+  Options +FollowSymLinks +Multiviews -Indexes
   RequestHeader    set X-Script-Name /radicale/
   RequestHeader    set X-Remote-User expr=%{REMOTE_USER}
   ProxyPass  "http://10.8.0.4:5232/" retry=0
@@ -798,6 +851,8 @@ EOF
     # https://wiki.znc.in/self-message
     # https://wiki.znc.in/Query_buffers                                                \
       #
+    # for geekshed, there was no sasl support as far as I can tell,
+    # so I set to msg nickserv to identify upon connect.
     if ! getent passwd znc > /dev/null; then
       sudo useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc
     fi
@@ -814,6 +869,16 @@ EOF
     end
     ;;
 esac
+
+case $HOSTNAME in
+  bk)
+    pi icecast2
+    # todo, save the config
+    /etc/cron.daily/stream-cert
+    web-conf -c /etc/cert-live.fsf.org -p 443 -f 8000 apache2 live.fsf.org
+    ;;
+esac
+
 ###### end website setup
 
 ########### end section including li/lj ###############
@@ -823,7 +888,7 @@ esac
 
 ### system76 things ###
 case $HOSTNAME in
-  sy)
+  bo) # sy|  sy doesnt seem to really need this.
     # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
     if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
       # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
@@ -831,7 +896,8 @@ case $HOSTNAME in
 deb http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
 deb-src http://ppa.launchpad.net/system76-dev/stable/ubuntu $codename_compat main
 EOF
-      s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B
+      # ubuntu keyserver is prone to intermittent failures
+      trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 5D1F3A80254F6AFBA254FED5ACD442D1C8B7748B
       p update
       # https://support.system76.com/articles/install-ubuntu/
       # but i'm hoping this is not needed
@@ -840,7 +906,11 @@ EOF
       # Pin: release o=LP-PPA-system76-dev-stable
       # Pin-Priority: 1001
       # EOF
-      pi system76-driver system76-firmware-cli
+      #
+      # TODO: I had to uninstall linux-image-generic-hwe-20.04 because of a conflict
+      # about linux-firmware. Should probably install it to begin with in fai if
+      # i'm going to use.
+      pi system76-driver system76-firmware
       # if you get a notice about a firmware update, the notifier on i3
       # is too dumb to do anything when you click it. so to see
       # a changelog, cd to
@@ -851,18 +921,19 @@ EOF
     fi
     ;;
 esac
+### end system76 things ###
 
 case $distro in
   trisquel|ubuntu)
 
     # ppa:obsproject/obs-studio
-    if [[ ! -d /etc/apt/sources.list.d/obs.list ]]; then
+    if [[ ! -s /etc/apt/sources.list.d/obs.list ]]; then
       # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
       sd /etc/apt/sources.list.d/obs.list <<EOF
 deb http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
 deb-src http://ppa.launchpad.net/obsproject/obs-studio/ubuntu $codename_compat main
 EOF
-      s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
+      trysleep 4 15 s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC7345F522079769F5BBE987EFC71127F425E228
       p update
     fi
     ;;
@@ -895,8 +966,6 @@ case $codename_compat in
     # stop that.
     if id -u gdm &>/dev/null; then
       sudo -u gdm dbus-launch gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type 'nothing'
-      m systemctl --user stop gvfs-daemon
-      m systemctl --user disable gvfs-daemon
     fi
     ;;&
   focal)
@@ -919,6 +988,10 @@ EOF
     # and choose lightdm.
     #
     ;;
+  jammy)
+    # not yet bothering with mate
+    pi lightdm-gtk-greeter lightdm
+    ;;
 esac
 
 
@@ -987,8 +1060,25 @@ esac
 # way to install suggests even if the main package is already
 # installed. reinstall doesn't work, uninstalling can cause removing
 # dependent packages.
+# shellcheck disable=SC2046 # word splitting is intended
 pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
 
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+  s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+fi
+
 
 # commented, not worth the hassle i think.
 #seru enable psd
@@ -1021,45 +1111,6 @@ sudo rm -fv /etc/apt/sources.list.d/iridium-browser.list
 # esac
 
 
-### begin home vpn server setup
-
-
-# # this section done initially to make persistent keys.
-# # Also note, I temporarily set /etc/hosts so my host was
-# # b8.nz when running this, since the vpn client config
-# # generator assumes we need to go to that server to get
-# # server keys.
-# vpn-server-setup -rds
-# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
-# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
-# # kw = kgpe work machine.
-# for host in x2 x3 kw; do
-# vpn-mk-client-cert -b $host -n home b8.nz 1196
-# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
-# mkdir -p $dir
-# s bash -c "cp /etc/openvpn/client/home* $dir"
-#     # note: /etc/update-resolv-conf-home also exists for all systems with /p
-# done
-
-# key already exists, so this won't generate one, just the configs.
-# m vpn-server-setup -rds
-# sudo tee -a /etc/openvpn/server/server.conf <<'EOF'
-# push "dhcp-option DNS 10.0.0.1"
-# push "route 10.0.0.0 255.255.0.0"
-# client-connect /a/bin/distro-setup/vpn-client-connect
-# EOF
-# sudo sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
-
-# if [[ $HOSTNAME == tp ]]; then
-#   if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
-#     vpn_service=openvpn-server@server
-#   else
-#     vpn_service=openvpn@server
-#   fi
-#   sgo $vpn_service
-# fi
-### end vpn server setup
-
 ##### rss2email
 if mountpoint /p &>/dev/null; then
   # note, see bashrc for more documentation.
@@ -1137,85 +1188,111 @@ if [[ -e /p/c/machine_specific/$HOSTNAME/filesystem/etc/openvpn/client/hole.crt
   sgo openvpn-client@hole
 fi
 
-if [[ $HOSTNAME == frodo ]]; then
-  vpn-mk-client-cert -b frodo -n hole iankelling.org
-fi
-
 ############# begin syncthing setup ###########
-if [[ $HOSTNAME == frodo ]]; then
-  # It\'s simpler to just worry about running it in one place for now.
-  # I assume it would work to clone it\'s config to another non-phone
-  # and just run it in one place instead of the normal having a
-  # separate config.  I lean toward using the same config, since btrfs
-  # syncs between comps.
-  # testing has relatively up to date packages
-  if ! isdebian-testing; then
-    # based on error when doing apt-get update:
-    # E: The method driver /usr/lib/apt/methods/https could not be found.
-    pi apt-transport-https
-    # google led me here:
-    # https://apt.syncthing.net/
-    curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
-    s="deb http://apt.syncthing.net/ syncthing release"
+case $HOSTNAME in
+  kd|frodo)
+    f=/usr/share/keyrings/syncthing-archive-keyring.gpg
+    if [[ ! -e $f ]]; then
+      s curl -s -o $f https://syncthing.net/release-key.gpg
+    fi
+    s="deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable"
     if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != "$s" ]]; then
       echo "$s" | sd /etc/apt/sources.list.d/syncthing.list
       p update
     fi
-  fi
-  pi syncthing
-  m lnf -T /w/syncthing /home/iank/.config/syncthing
-  ser daemon-reload # syncthing likely not properly packaged
-  sgo syncthing@iank # runs as iank
-
-  # these things persist in ~/.config/syncthing, which I save in
-  # /w/syncthing (not in /p, because syncthing should continue to
-  # run on home server even when using laptop as primary device)
-  # open http://localhost:8384/
-  # change listen address from default to tcp://:22001,
-  # this is because we do port forward so it doesn\'t have to use
-  # some external server, but the syncthing is broken for port forward,
-  # you get a message, something "like connected to myself, this should not happen"
-  # when connecting to other local devices, so I bump the port up by 1,
-  # based on
-  # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
-  # Without this, it was being stuck syncing at 0%.
-  # Set gui username and password.
-  #
-  # install syncthing via f-droid,
-  # folder setting, turn off send only.
-  # on phone, add device, click bar code icon
-  # on dekstop, top right, actions, device id
-  # after adding, notification will appear on desktop to confirm
-  #
-  # syncing folder. from phone to desktop: select desktop in the
-  # folder on phone\'s sync options, notification will appear in
-  # desktop\'s web ui within a minute. For the reverse, the
-  # notification will appear in android\'s notifications, you have to
-  # swipe down and tap it to add the folder. It won\'t appear in the
-  # syncthing ui, which would be intuitive, but don\'t wait for it
-  # there. The notification may not work, instead open the web gui
-  # from in the app, there should be a notification within there.
-  #
-  # On phone, set settings to run syncthing all the time, and
-  # show no notification.
-  #
-  # Folder versioning would make sense if I didn\'t already use btrfs
-  # for backups. I would choose staggered, or trash can for more space.
-  #
-  # if needed to install on a remote comp:
-  # ssh -L 8384:localhost:8384 -N frodo
-  # open http://localhost:8384/
-  #
-  # Note, the other thing i did was port forward port 22000,
-  # per https://docs.syncthing.net/users/firewall.html
+    pi syncthing
+    ;;&
+  frodo)
+    m lnf -T /w/syncthing /home/iank/.config/syncthing
+    ser daemon-reload # syncthing likely not properly packaged
+    sgo syncthing@iank # runs as iank
+    ;;
+  kd)
 
+    # 1003 just happens to be what was on my system
+    if ! getent passwd ziva; then
+      s groupadd -g 1003 ziva
+      # syncthing state / config / db are all in ~/.config/syncthing
+      s useradd -g 1003 -u 1003 -d /d/ziva-home -c ziva -s /bin/bash ziva
+    fi
+    sgo syncthing@ziva
+    ;;
+esac
+
+# user for short term use dropping of privileges
+
+if ! getent group zu &>/dev/null; then
+  s groupadd -g 1023 zu
+fi
+if ! getent passwd zu &>/dev/null; then
+  s useradd -g 1023 -u 1023 -c zu -s /bin/bash zu
 fi
+
+
+# these things persist in ~/.config/syncthing, which I save in
+# /w/syncthing (not in /p, because syncthing should continue to
+# run on home server even when using laptop as primary device)
+# open http://localhost:8384/
+# change listen address from default to tcp://:22001,
+# this is because we do port forward so it doesn\'t have to use
+# some external server, but the syncthing is broken for port forward,
+# you get a message, something "like connected to myself, this should not happen"
+# when connecting to other local devices, so I bump the port up by 1,
+# based on
+# https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
+# Without this, it was being stuck syncing at 0%.
+# Set gui username and password.
+#
+# install syncthing via f-droid,
+# folder setting, turn off send only.
+# on phone, add device, click bar code icon
+# on dekstop, top right, actions, device id
+# after adding, notification will appear on desktop to confirm
+#
+# syncing folder. from phone to desktop: select desktop in the
+# folder on phone\'s sync options, notification will appear in
+# desktop\'s web ui within a minute. For the reverse, the
+# notification will appear in android\'s notifications, you have to
+# swipe down and tap it to add the folder. It won\'t appear in the
+# syncthing ui, which would be intuitive, but don\'t wait for it
+# there. The notification may not work, instead open the web gui
+# from in the app, there should be a notification within there.
+#
+# On phone, set settings to run syncthing all the time, and
+# show no notification.
+#
+# Folder versioning would make sense if I didn\'t already use btrfs
+# for backups. I would choose staggered, or trash can for more space.
+#
+# if needed to install on a remote comp:
+# ssh -L 8384:localhost:8384 -N frodo
+# open http://localhost:8384/
+#
+# Note, the other thing i did was port forward port 22000,
+# per https://docs.syncthing.net/users/firewall.html
+
 #############  end syncthing setup ###########
 
 
 
 ####### begin misc packages ###########
 
+case $HOSTNAME in
+  kd)
+    ln -sfT /d/p/profanity ~/.local/share/profanity
+    ln -sfT /d/p/profanity-config ~/.config/profanity
+    source /a/bin/bash_unpublished/source-state
+    if [[ $HOSTNAME == "$HOST2" ]]; then
+      systemctl --now enable profanity
+    fi
+    ;;
+  *)
+
+    ln -sfT /p/profanity ~/.local/share/profanity
+    ln -sfT /p/profanity-config ~/.config/profanity
+    ;;
+esac
+
 # template
 case $codename in
   flidas)
@@ -1240,18 +1317,21 @@ m reset-xscreensaver
 # cabal update
 # cabal install --upgrade-dependencies  --force-reinstalls arbtt
 # also, i assume syncing this between machines somehow messed up the data.
-if mountpoint /p &>/dev/null; then
-  case $codename in
-    etiona|nabia)
-      pi arbtt
-      # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
-      # Failed to connect to bus: No such file or directory
-      lnf -T  /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
-      # allow failure
-      seru start arbtt ||:
-      ;;
-  esac
-fi
+
+## not using arbtt for now
+# if mountpoint /p &>/dev/null; then
+#   case $codename in
+#     etiona|nabia)
+#       pi arbtt
+#       # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
+#       # Failed to connect to bus: No such file or directory
+#       lnf -T  /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
+#       # allow failure
+#       seru start arbtt ||:
+#       ;;
+#   esac
+# fi
+rm -fv /home/iank/.config/systemd/user/default.target.wants/arbtt.service
 
 
 m primary-setup
@@ -1339,6 +1419,7 @@ tu /etc/schroot/desktop/fstab <<'EOF'
 /run/user/0    /run/user/0     none    rw,bind         0       0
 EOF
 
+# todo: consider if this should use the new sysd-prom-fail
 sd /etc/systemd/system/schrootupdate.service <<'EOF'
 [Unit]
 Description=schrootupdate
@@ -1353,7 +1434,7 @@ sd /etc/systemd/system/schrootupdate.timer <<'EOF'
 Description=schrootupdate
 
 [Timer]
-OnCalendar=*-*-* 04:20:00
+OnCalendar=*-*-* 04:20:00 America/New_York
 
 [Install]
 WantedBy=timers.target
@@ -1384,6 +1465,12 @@ en_US.UTF-8 UTF-8
 EOF
         s schroot -c flidas locale-gen
         s schroot -c flidas update-locale LANG=en_US.UTF-8
+
+        m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/testing.list/TESTING_NONFREE debian unstable debootstrap
+        sudo cp -a /nocow/schroot/unstable/usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+
+        m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/impish.list/IMPISH ubuntu impish
+
         ;;
     esac
     ;;
@@ -1411,7 +1498,7 @@ case $HOSTNAME in
     ;;
 esac
 
-mkdir -p $tdir
+sudo mkdir -p $tdir
 
 # adapted from /var/lib/dpkg/info/transmission-daemon.postinst
 # 450 seems likely to be unused. we need to specify one or else
@@ -1461,7 +1548,7 @@ ser stop transmission-daemon
 f=$tdir/transmission-daemon
 for d in $tdir/partial-torrents $tdir/torrents $f; do
   if [[ ! -d $d ]]; then
-    mkdir $d
+    sudo mkdir -p $d
   fi
   sudo chown -R debian-transmission:user2 $d
 done
@@ -1480,23 +1567,32 @@ sudo chown -R debian-transmission:debian-transmission /var/lib/transmission-daem
 #
 # Changed the cache-size to 256 mb, reduces disk use.
 # It is a read & write cache.
-sudo ruby <<EOF
+#
+# just fyi: default rpc port is 9091
+if ! systemctl is-active transmission-daemon-nn &>/dev/null && \
+    ! systemctl is-active transmission-daemon; then
+  tmp=$(mktemp)
+  command sudo ruby <<EOF >$tmp
 require 'json'
 p = '/etc/transmission-daemon/settings.json'
-File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
-'rpc-whitelist-enabled' => false,
-'rpc-authentication-required' => false,
-'incomplete-dir' => '$tdir/partial-torrents',
-'incomplete-dir-enabled' => true,
-'download-dir' => '$tdir/torrents',
-"speed-limit-up" => 800,
-"speed-limit-up-enabled" => true,
-"peer-port" => 61486,
-"cache-size-mb" => 256,
-"ratio-limit" => 5.0,
-"ratio-limit-enabled" => false,
-})) + "\n")
+s = {
+  'rpc-whitelist-enabled' => false,
+  'rpc-authentication-required' => false,
+  'incomplete-dir' => '$tdir/partial-torrents',
+  'incomplete-dir-enabled' => true,
+  'download-dir' => '$tdir/torrents',
+  "speed-limit-up" => 800,
+  "speed-limit-up-enabled" => true,
+  "peer-port" => 61486,
+  "cache-size-mb" => 256,
+  "ratio-limit" => 5.0,
+  "ratio-limit-enabled" => false,
+}
+puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge(s)))
 EOF
+  cat $tmp | sudo dd of=/etc/transmission-daemon/settings.json
+
+fi
 
 ####### end transmission
 
@@ -1513,6 +1609,9 @@ esac
 
 ######### begin transmission client setup ######
 
+# to connect from a remote client, trans-remote-route in brc2
+
+
 if [[ -e /p/transmission-rpc-pass ]]; then
   # arch had a default config,
   # debian had nothing until you start it.
@@ -1554,7 +1653,7 @@ EOF
   "profiles" : [
       {
       "profile-name" : "Default",
-      "hostname" : "10.173.0.2",
+      "hostname" : "10.174.2.2",
       "rpc-url-path" : "/transmission/rpc",
       "username" : "",
       "password" : "$rpc_pass",
@@ -1605,10 +1704,12 @@ sudo gpasswd -a $USER lpadmin # based on ubuntu wiki
 # general known for debian/ubuntu, not for fedora
 
 m /a/bin/buildscripts/go
+# only needed for rg. cargo takes up 11 gigs, filled up the disk on je.
 m /a/bin/buildscripts/rust
 m /a/bin/buildscripts/misc
 m /a/bin/buildscripts/pithosfly
-m /a/bin/buildscripts/alacritty
+#m /a/bin/buildscripts/alacritty
+#m /a/bin/buildscripts/kitty
 
 pi-nostart virtinst virt-manager
 soff libvirtd
@@ -1637,13 +1738,23 @@ pi --no-install-recommends kdeconnect
 # # I'm not seeing the icon, but the clipboard replication is working
 
 
-### model 01 arduino support ###
+### begin model 01 arduino support ###
 # https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
 # also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
 # set arduino var in bashrc,
 # have system config file setup too.
 sudo adduser $USER dialout
 
+# as of 2022-05,
+# download arduino ide, extract in /a/opt, ignore the install script, run ./arduino,
+# toolbar, preferences, add board manager url:
+# https://raw.githubusercontent.com/keyboardio/boardsmanager/master/package_keyboardio_index.json
+# toolbar, board manager, add keyboardio
+# toolbar, select model01 board
+# toolbar, examples, model01, compile
+
+###
+
 # this is for the mail command too. update-alternatives is kind of misleading
 # since at least it's main commands pretend mail does not exist.
 # bsd's mail got pulled in on some dumb dependency, i dunno how.
@@ -1692,13 +1803,13 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
 
 ########### misc stuff
 
-if [[ $HOSTNAME != frodo ]]; then
-  s cedit hole /etc/hosts <<EOF ||:
-10.5.5.3 amy amy.b8.nz
-10.5.5.5 frodo frodo.b8.nz
-10.5.5.6 wclient wclient.b8.nz
-EOF
-fi
+# pressing tab after sdf here:
+# scp sdfbash: set +o noglob: command not found
+# in t11, bash 5.1.16. this fixes it.
+sudo sed -ri 's/([[:space:]]*)(\$reset)$/\1set +o noglob #$reset/' /usr/share/bash-completion/bash_completion
+
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
 
 if [[ ! -e ~/.local/bin/pip ]]; then
   tmp=$(mktemp)
@@ -1707,6 +1818,61 @@ if [[ ! -e ~/.local/bin/pip ]]; then
   hash -r
 fi
 
+## begin beets
+# soo, apt install beets fails due to wanting a pip package,
+# we find out why it wants this through
+# apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances beets | less
+# python-mediafile requires tox, which requires virtualenv, which requires pip.
+# but, python-mediafile doesn't really require tox, it is specified in
+# ./usr/lib/python3/dist-packages/mediafile-0.9.0.dist-info/METADATA
+# as being required only for testing, but the debian package
+# included it anyways, due to a mistake or bad tooling or something.
+# I don't plan to use tox, so, according to https://serverfault.com/a/251091,
+# we can create and install a dummy package by:
+#
+# "equivs-control <name>, edit the file produced to provide the right
+# dependency and have a nice name, then run equivs-build <name> and
+# finally dpkg -i the resulting .deb file"
+# as of 2023-02, the tox dependency was removed in debian unstable, so
+# this hack will probably go away in t12.
+
+if pcheck beets; then
+  tmpdir="$(mktemp -d)"
+  cd "$tmpdir"
+  # edited from output of equivs-control tox
+  cat >tox <<'EOF'
+Section: python
+Priority: optional
+Standards-Version: 3.9.2
+Package: tox
+Description: tox-dummy
+EOF
+  equivs-build tox
+  sudo dpkg -i tox_1.0_all.deb
+  rm -rf ./tox*
+  pi beets python3-discogs-client
+  cd
+  rm -r "$tmpdir"
+fi
+
+# get rid of annoying message
+s sed -ri "s/^([[:space:]]*ui.print_\('Playing)/#\1/" /usr/share/beets/beetsplug/play.py
+
+
+# notes about barrier
+# run barrier, do the gui config,
+# setup the 2 screens, using hostnames for the new screen.
+# save the server config
+# $HOME/.local/share/barrier/.barrier.conf
+# per the man page.
+#
+# ssl errors, resolved via advice here: https://github.com/debauchee/barrier/issues/231
+# BARRIER_SSL_PATH=~/.local/share/barrier/SSL/
+# mkdir -p "${BARRIER_SSL_PATH}"
+# openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ${BARRIER_SSL_PATH}/Barrier.pem -out ${BARRIER_SSL_PATH}/Barrier.pem
+# ran on both machines.
+# When pressing start in the gui, the cli options used are printed to the console,
+# they are useful. So on server, just run barriers, client run barrierc SERVER_IP
 
 ### begin timetrap setup
 if mountpoint /p &>/dev/null; then
@@ -1769,17 +1935,13 @@ sudo fc-cache
 pi desktop-file-utils
 m /a/bin/distro-setup/mymimes
 
-
-sgo dynamicipupdate.timer
-sgo epanicclean.timer
-
-
-# stop autopoping windows when i plug in an android phone.
-# dbus-launch makes this work within an ssh connection, otherwise you get this message,
-# with still 0 exit code.
-# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
-m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
-
+if type -p dbus-launch >/dev/null; then
+  # stop autopoping windows when i plug in an android phone.
+  # dbus-launch makes this work within an ssh connection, otherwise you get this message,
+  # with still 0 exit code.
+  # dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
+  m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
+fi
 
 # on grub upgrade, we get prompts unless we do this
 devs=()
@@ -1791,25 +1953,262 @@ sudo debconf-set-selections <<EOF
 grub-pc grub-pc/install_devices multiselect ${devs[*]}
 EOF
 
-# btrfs maintenance
-sgo btrfsmaint.timer
-sgo btrfsmaintstop.timer
 
-sgo systemstatus.timer
+sysd-prom-fail-install dynamicipupdate
+sysd-prom-fail-install systemstatus
+sysd-prom-fail-install btrfsmaintstop
+sgo btrfsmaint.timer
+sgo btrfsmaintstop
+sgo systemstatus
+sgo dynamicipupdate
 
 
 if grep -xFq $HOSTNAME /a/bin/ds/machine_specific/btrbk.hosts; then
   sgo btrbk.timer
 fi
-# note: to see when it was last run,
+
+# note: to see when a timer was last run,
 # ser list-timers
 
+
+### begin prometheus ###
+
 case $HOSTNAME in
   kd)
-    sgo btrbkrust.timer
+    # Font awesome is needed for the alertmanager ui.
+    pi prometheus-alertmanager prometheus fonts-font-awesome
+    /c/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus
+    # make it available for other machines
+    rsync -a /usr/local/bin/amtool /a/opt/bin
+    web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
+    web-conf -p 9094 -f 9093 - apache2 i.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
+    # by default, the alertmanager web ui is not enabled other than a page
+    # that suggests to use the amtool cli. that tool is good, but you cant
+    # silence things nearly as easily as with the gui.
+    if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
+      # default script didnt work, required some changes to get elm 19.1,
+      # which is a dependency of the latest alertmanager. I modified
+      # and copied it into /b/ds. In future, might need some other
+      # solution.
+      #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+      sudo /b/ds/generate-ui.sh
+      ser restart prometheus-alertmanager
+    fi
+
+    s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
+    for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do
+      sysd-prom-fail-install $ser
+    done
+
+    ;;
+  *)
+    s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter
     ;;
 esac
 
+# cleanup old files. 2023-02
+x=(/var/lib/prometheus/node-exporter/*.premerge)
+if [[ -e ${x[0]} ]]; then
+  s rm /var/lib/prometheus/node-exporter/*
+fi
+
+
+case $HOSTNAME in
+  # todo, for limiting node exporter http,
+  # either use iptables or, in
+  # /etc/default/prometheus-node-exporter
+  # listen on the wireguard interface
+
+  *)
+    wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+    # old filename. remove once all hosts are updated.
+    s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+    web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-export-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-export-htpasswd"
+Require valid-user
+</Location>
+EOF
+    # For work, i think we will just use the firewall for hosts in the main data center, and
+    # vpn for hosts outside it.
+
+    # TODO: figure out how to detect the ping failure and try again.
+
+    # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
+    s mkdir /etc/systemd/system/apache2.service.d
+    sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
+[Unit]
+After=wg-quick@wghole.service
+StartLimitIntervalSec=0
+
+[Service]
+Restart=always
+RestartSec=30
+EOF
+
+    ;;
+esac
+
+### end prometheus ###
+
+### begin nagios ###
+
+pi nagios-nrpe-server
+
+case $HOSTNAME in
+  kd)
+    # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
+    pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
+    s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+    # to add a password for admin:
+    # htdigest /etc/nagios4/htdigest.users Nagios4 iank
+    # now using the same pass as prometheus
+
+    # nagstamon auth settings, set to digest instead of basic.
+
+    web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+    Options FollowSymLinks
+    DirectoryIndex index.php index.html
+    AllowOverride AuthConfig
+    #
+    # The default Debian nagios4 install sets use_authentication=0 in
+    # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+    # This is insecure.  As a compromise this default apache2 configuration
+    # only allows private IP addresses access.
+    #
+    # The <Files>...</Files> below shows how you can secure the nagios4
+    # web site so anybody can view it, but only authenticated users can issue
+    # commands (such as silence notifications).  To do that replace the
+    # "Require all granted" with "Require valid-user", and use htdigest
+    # program from the apache2-utils package to add users to
+    # /etc/nagios4/htdigest.users.
+    #
+    # A step up is to insist all users validate themselves by moving
+    # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+    # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+    # can configure which people get to see a particular service from
+    # within the nagios configuration.
+    #
+	AuthDigestDomain "Nagios4"
+	AuthDigestProvider file
+	AuthUserFile	"/etc/nagios4-htdigest.users"
+	AuthGroupFile	"/etc/group"
+	AuthName	"Nagios4"
+	AuthType	Digest
+	Require	valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+    Options	+ExecCGI
+</Directory>
+EOF
+    ;;
+esac
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+#  2 define contact {
+#  1 define contactgroup {
+#  9 define host {
+#  4 define hostgroup {
+# 23 define service {
+#  5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+#      76 define command
+#      11 define contact
+#       6 define contactgroup
+#     162 define host
+#       1 define hostextinfo
+#      16 define hostgroup
+#    3040 define service
+#       2 define servicedependency
+#       6 define timeperiod
+
+
+
+
+### end nagios ###
+
+### begin bitcoin ###
+
+case $HOSTNAME in
+  sy|kd)
+    sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-24.0.1/bin/*
+    sgo bitcoind
+    # note: the bitcoin user & group are setup in fai
+    sudo usermod -a -G bitcoin iank
+    # todo: make bitcoin have a stable uid/gid
+    if [[ ! $(readlink -f /var/lib/bitcoind/wallets) == /q/wallets ]]; then
+      mkdir -p /var/lib/bitcoind
+      chown bitcoin:bitcoin /var/lib/bitcoind
+      # 710 comes from the upstream bitcoin unit file
+      chmod 710 /var/lib/bitcoind
+      s lnf /q/wallets /var/lib/bitcoind
+      sudo chown -h bitcoin:bitcoin /var/lib/bitcoind/wallets
+    fi
+    # note, there exists
+    # /a/bin/ds/disabled/bitcoin
+    ;;
+esac
+
+### end bitcoin
+
+case $HOSTNAME in
+  kw|x3)
+    sd /etc/cups/client.conf <<'EOF'
+ServerName printserver1.office.fsf.org
+EOF
+    ;;
+esac
+
+
 end_msg <<'EOF'
 In mate settings settings, change scrolling to two-finger,
 because the default edge scroll doesn\'t work. Originally found this in debian.
@@ -1844,12 +2243,13 @@ lnf -T /a/opt ~/src
 pi tor
 m /a/bin/buildscripts/tor-browser
 # one root command needed to install
-s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin
+s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin
 
 
 # nfs server
 pi-nostart nfs-kernel-server
 
+# todo, this is old, probably needs removing
 if [[ $HOSTNAME == tp ]]; then
   sd /etc/wireguard/wg0.conf <<EOF
 [Interface]