X-Git-Url: https://iankelling.org/git/?a=blobdiff_plain;f=distro-end;h=f8419aa886069d35d5760902ceecf542cbd53ab5;hb=32a1673064cfd9eaa165b4ea62fa416f02f3dfd2;hp=81174b466a42b8e79f84b5116d2c85fbe94641d8;hpb=3f437c0f6c11356451d5d739875eee2d4603d7ca;p=distro-setup diff --git a/distro-end b/distro-end index 81174b4..f8419aa 100755 --- a/distro-end +++ b/distro-end @@ -1,796 +1,639 @@ #!/bin/bash -l -# Copyright (C) 2016 Ian Kelling +# Copyright (C) 2019 Ian Kelling +# SPDX-License-Identifier: AGPL-3.0-or-later -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at +### setup +source /a/bin/errhandle/err +src="$(readlink -f -- "${BASH_SOURCE[0]}")"; src=${src%/*} # directory of this file -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +if [[ $EUID == 0 ]]; then + echo "$0: error: run as regular user" >&2 + exit 1 +fi -errcatch +_errcatch_cleanup() { + echo 1 >~/.local/distro-end +} -set -x +# shellcheck source=./pkgs +source $src/pkgs exec &> >(sudo tee -a /var/log/distro-end) echo "$0: $(date): starting now)" - -src="${BASH_SOURCE%/*}" - # see example of usage to understand. end_msg() { - local y - IFS= read -r -d '' y ||: - end_msg_var+="$y" + local y + IFS= read -r -d '' y ||: + end_msg_var+="$y" } - -spa() { # simple package add - simple_packages+=($@) +end() { + e "$end_msg_var" + echo 0 >~/.local/distro-end + if $pending_reboot; then + echo "$0: pending reboot and then finished. doing it now." + s reboot now + else + echo "$0: $(date): ending now)" + fi + exit 0 } - +pre="${0##*/}:" +s() { + printf "s %s\n" "$*" + SUDOD="$PWD" sudo -i "$@"; +} +sd() { + s dd of="$1" 2>/dev/null +} +m() { printf "$pre %s\n" "$*"; "$@"; } +e() { printf "$pre %s\n" "$*"; } +err() { echo "[$(date +'%Y-%m-%d %H:%M:%S%z')]: $0: $*" >&2; } distro=$(distro-name) - +codename=$(debian-codename) +codename_compat=$(debian-codename-compat) pending_reboot=false sed="sed --follow-symlinks" - # template case $distro in esac +#### initial packages pup -pi aptitude - -simple_packages=( - htop - iptables - mailutils - nmon - rdiff-backup - ruby - ruby-rest-client - tree - vim - wcd - wget -) +if isdeb; then + pi aptitude +fi -case $HOSTNAME in - lj|li) : ;; - *) - # universal packages - # swh-plugins is for karaoke pulsaudio filter. - # mutagen for pithos - # guvcview set webcam brightness to highest - # pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts - # xawtv has webcam cli control. v4lctl bright 80%; v4lctl list - # guvcview also adjusts webcam - simple_packages+=( - adb - apache2 - apache2-doc - apt-doc - apt-listchanges - aptitude-doc-en - bash-doc - beets - beets-doc - binutils-doc - bind9-doc - bind9utils - bwm-ng - cloc - cpulimit - cron - debootstrap - debconf-doc - dirmngr - dnsutils - dnsmasq - dtrx - duplicity - eclipse - evince - fdupes - feh - filelight - flashrom - gawk-doc - gcc-doc - gdb - gdb-doc - geoip-bin - git-doc - git-email - gitk - glibc-doc - goaccess - gnome-screenshot - guvcview - i3lock - inetutils-traceroute - iperf3 - iproute2-doc - jq - kid3-qt - kid3-cli - konsole - libreoffice - linphone - linux-doc - locate - lshw - make-doc - manpages - manpages-dev - mb2md - meld - mps-youtube - mpv - mumble - nagstamon - ncdu - nginx-doc - nmap - offlineimap - oathtool - opendkim-tools - p7zip - paprefs - parted-doc - pavucontrol - pdfgrep - perl-doc - pianobar - pidgin - pidgin-otr - pry - python-autopep8 - python3-doc - qrencode - reportbug - $(aptitude show ruby | sed -rn 's/Depends: (.*)/\1/p')-doc - schroot - sqlite3-doc - squashfs-tools - swh-plugins - tar-doc - tcpdump - telnet - transmission-remote-gtk - vlc - whois - wondershaper - xawtv - xbacklight - xprintidle - xscreensaver - xscreensaver-data-extra - xscreensaver-gl - xscreensaver-gl-extra - ) - spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') - ;; -esac +# avoid prompts +s debconf-set-selections </dev/null; then - # this condition is just a speed optimization - pi apt-file - s apt-file update - fi - # for debconf-get-selections - spa debconf-utils - ;; -esac +# dogcam setup. not using atm +# case $HOSTNAME in +# lj|li) +# /a/bin/webcam/install-server +# ;; +# kw) +# /a/bin/webcam/install-client +# ;; +# esac -case $distro in - arch|debian|trisquel|ubuntu) - spa bash-completion - ;; - # others unknown -esac +## not actually using prometheus just yet +# # office is not exposed to internet yet +# if [[ $HOSTNAME != kw ]]; then +# ## prometheus node exporter setup +# web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF' +# #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype +# # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication +# +# AllowOverride None +# AuthType basic +# AuthName "Authentication Required" +# # setup one time, with root:www-data, 640 +# AuthUserFile "/etc/prometheus-htpasswd" +# Require valid-user +# +# EOF +# fi +######### begin flidas pinned packages ###### +case $(debian-codename) in + # needed for debootstrap scripts for fai since fai requires debian + flidas) + curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add - + sd /etc/apt/preferences.d/flidas-xenial </dev/null </dev/null; then + s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32 + sd /etc/apt/preferences.d/flidas-bionic <$t <$t < - Options +FollowSymLinks +Multiviews +Indexes - AllowOverride None - AuthType basic - AuthName "Authentication Required" - # setup one time, with root:www-data, 640 - AuthUserFile "/etc/caldav-htpasswd" - Require valid-user - + + # dont use buster because it causes dist-upgrade to think its downgrading + # packages while really just reinstalling the same version. + f=/etc/apt/apt.conf.d/01iank + s rm -fv $f + # # stupid buster uses some key algorithm not supported by flidas gpg that apt uses. + # sd /etc/apt/apt.conf.d/01iank <<'EOF' + # Acquire::AllowInsecureRepositories "true"; + # EOF + + f=/etc/apt/sources.list.d/buster.list + s rm -fv $f + # t=$(mktemp) + # cat >$t </dev/null; then - s useradd -m -s /bin/false pumpio - fi - sudo -u pumpio mkdir -p /home/pumpio/pumpdata - # for testing browser when only listening to localhost, - # in the pump.io.json, set hostname localhost, urlPort 5233 - #ssh -L 5233:localhost:5233 li - - s mkdir -p /var/log/pumpio/ - s chown pumpio:pumpio /var/log/pumpio/ - - web-conf - apache2 pump.iankelling.org <<'EOF' -# currently a bug in pump that we cant terminate ssl - SSLProxyEngine On - ProxyPreserveHost On - ProxyPass / https://127.0.0.1:8001/ - ProxyPassReverse / https://127.0.0.1:8001/ - # i have sockjs disabled per people suggesting that - # it won\'t work with apache right now. - # not sure if it would work with this, - # but afaik, this is pointless atm. - - ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/ - ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/ - + + + ;; + *) + if isdeb; then + pi debian-goodies shellcheck + fi + ;; +esac +######### end flidas pinned packages ###### + +##### begin automatic upgrades (after checkrestart has been installed) #### +sd /etc/apt/apt.conf.d/10periodic <<'EOF' +# this file was mostly just comments. +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::AutocleanInterval "7"; +APT::Periodic::Unattended-Upgrade "1"; EOF - sudo -i <<'EOF' -export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org -/a/bin/distro-setup/certbot-renew-hook +sd /etc/apt/apt.conf.d/50unattended-upgrades <.env.production <<'EOF' -REDIS_HOST=redis -REDIS_PORT=6379 -DB_HOST=db -DB_USER=postgres -DB_NAME=postgres -DB_PASS= -DB_PORT=5432 - -LOCAL_DOMAIN=mast.iankelling.org -LOCAL_HTTPS=true - -SINGLE_USER_MODE=true - -SMTP_SERVER=mail.iankelling.org -SMTP_PORT=25 -SMTP_LOGIN=li -SMTP_FROM_ADDRESS=notifications@mast.iankelling.org -SMTP_DOMAIN=mast.iankelling.org -SMTP_DELIVERY_METHOD=smtp +##### end automatic upgrades #### + + + +###### begin website setup +case $HOSTNAME in + li|l2) + pi bind9 + f=/var/lib/bind/db.b8.nz + if [[ ! -e $f ]]; then + ser stop bind9 + s rm -fv $f.jnl + s install -m 644 -o bind -g bind /p/c/machine_specific/linode/bind-initial/db.b8.nz $f + ser restart bind9 + fi + ;;& + l2) + # setup let's encrypt cert + m web-conf apache2 l2.b8.nz + s rm -fv /etc/apache2/sites-enabled/l2.b8.nz{,-redir}.conf + ser reload apache2 + s lnf -T /etc/letsencrypt/live/l2.b8.nz/fullchain.pem /etc/exim4/exim.crt + if [[ ! -L /etc/exim4/exim.key ]]; then + s lnf -T /etc/letsencrypt/live/l2.b8.nz/privkey.pem /etc/exim4/exim.key + mail-setup + fi + end + ;; + li) + + case $HOSTNAME in + li) + m /a/h/setup.sh iankelling.org + ;; + *) + # allow symlinks on other hosts so i can host files in arbitrary paths + m /a/h/setup.sh -s + ;; + esac + m /a/h/build.rb + + # start mumble only when im going to use it, since i dont use it much + pi-nostart mumble-server + s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini + + # do certificate to avoid warning about unsigned cert, + # which is overkill for my use, but hey, I'm cool, I know + # how to do this. + m web-conf apache2 mumble.iankelling.org + s rm -fv /etc/apache2/sites-enabled/mumble.iankelling.org + s <<'EOF' +export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org +/a/bin/distro-setup/certbot-renew-hook EOF - for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do - # 1 minute 7 seconds to run this docker command - # to generate a secret, and it has ^M chars at the end. wtf. really dumb - printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production - done - found=false - while read -r domain port pass; do - if [[ $domain == mail.iankelling.org ]]; then - found=true - # remove the username part - pass="${pass#*:}" - printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production - break - fi - done < <(s cat /etc/mailpass) - if ! $found; then - echo "$0: error, failed to find mailpass domain for mastadon" - exit 1 - fi - - # docker compose makes an interface named like br-8f3e208558f2. we need mail to - # get routed to us. - if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then - s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25 - fi - - docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production - logq docker-compose run --rm web rake db:migrate - docker-compose run --rm web rails assets:precompile - - # avatar failed to upload, did - # docker logs mastodon_web_1 - # google lead me to this - s chown -R 991:991 public/system - - # docker daemon takes care of starting on boot. - docker-compose up -d - - s a2enmod proxy_wstunnel headers - web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF' - ProxyPreserveHost On - RequestHeader set X-Forwarded-Proto "https" - ProxyPass /500.html ! - ProxyPass /oops.png ! - ProxyPass /api/v1/streaming/ ws://localhost:4000/ - ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/ - ErrorDocument 500 /500.html - ErrorDocument 501 /500.html - ErrorDocument 502 /500.html - ErrorDocument 503 /500.html - ErrorDocument 504 /500.html + + # requested from linode via a support ticket. + # https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/ + # ipv6 stuff pieced together + # via slightly wrong information from + # https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh + # https://community.openvpn.net/openvpn/wiki/IPv6 + # and man openvpn + + m vpn-server-setup -rd 2600:3c00:e000:280::1/64 2600:3c00::f03c:91ff:feb4:0bf3 + s tee /etc/openvpn/client-config/mail <<'EOF' +ifconfig-push 10.8.0.4 255.255.255.0 +ifconfig-ipv6-push 2600:3c00:e000:280::2/64 EOF + if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then + vpn_service=openvpn-server@server + else + vpn_service=openvpn@server + fi - ############### !!!!!!!!!!!!!!!!! - ############### manual steps: - - # only following 2 people atm, so not bothering to figure out backups - # when mastodon has not documented it at all. - # - # fsf@status.fsf.org - # cwebber@toot.cat - # dbd@status.fsf.org - # johns@status.fsf.org - - # sign in page is at https://mast.iankelling.org/auth/sign_in - # register as iank, then - # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md - # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank - - ############# end setup mastodon ############## - - # we use nsupdate to update the ip of home - pi bind9 - - pi znc - # znc config generated by doing - # znc --makeconf - # selected port is also used in erc config - # comma separated channel list worked. - # while figuring things out, running znc -D for debug in foreground. - # to exit and save config: - # /msg *status shutdown - # configed auth on freenode by following - # https://wiki.znc.in/Sasl - # created the system service after, and had to do - # mv /home/iank/.znc/* /var/lib/znc - # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf - # and made a copy of the config files into /p/c - # added LoadModule = log -sanitize to the top level - # to get into the web interface, - # cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem - # then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site. - # i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart. - # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it. - # todo: figure out how to make playback in erc happe.n - s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already - chmod 700 /var/lib/znc - s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF' + sudo dd of=/etc/systemd/system/vpnmail.service < + Options +FollowSymLinks +Multiviews +Indexes + AllowOverride None + AuthType basic + AuthName "Authentication Required" + # setup one time, with root:www-data, 640 + AuthUserFile "/etc/caldav-htpasswd" + Require valid-user + +EOF + # nginx version of above would be: + # auth_basic "Not currently available"; + # auth_basic_user_file /etc/nginx/caldav/htpasswd; -# needed for checkrestart -if isdeb; then - spa debian-goodies -fi + ###### begin znc setup ##### + pi znc + # https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart after cert change. + # to get into the web interface, + # then use non-main browser or else it doebsn't allow it based on ocsp stapling from my main site. + # https://iankelling.org:12533/ + sudo -i <<'EOF' +export RENEWED_LINEAGE=/etc/letsencrypt/live/iankelling.org +/a/bin/distro-setup/certbot-renew-hook +EOF -########### end section including li/lj ############### + # znc config generated by doing + # znc --makeconf + # selected port is also used in erc config + # comma separated channel list worked. + # while figuring things out, running znc -D for debug in foreground. + # to exit and save config: + # /msg *status shutdown + # configed auth on freenode by following + # https://wiki.znc.in/Sasl: + # /msg *sasl RequireAuth yes + # /msg *sasl Mechanism PLAIN + # /msg *sasl Set ident_name password + # created the system service after, and had to do + # mv /home/iank/.znc/* /var/lib/znc + # sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf + # and made a copy of the config files into /p/c + # /msg *status LoadMod --type=global log -sanitize + # todo: in config file AllowWeb = true should be false. better security if that is off unless we need it. + # /msg *status LoadMod --type=network perform + # /msg *perform add PRIVMSG ChanServ :invite #fsf-office + # /msg *perform add JOIN #fsf-office + # + # i set Buffer = 500 + # also ran /znc LoadMod clearbufferonmsg + # it would be nice if erc supported erc query buffers by doing + # /msg *status clearbuffer $t < /dev/null; then + s groupadd -g 450 debian-transmission + s adduser --quiet \ + --gid 450 \ + --uid 450 \ + --system \ + --no-create-home \ + --disabled-password \ + --home /var/lib/transmission-daemon \ + debian-transmission +fi +# We want group writable stuff from transmission. +# However, after setting this, I learn that transmission sets it's +# own umask based on it's settings file. Well, no harm leaving this +# so it's set right from the beginning. +s chfn debian-transmission -o umask=0002 + +# note i had to do this, which is persistent: +# cd /i/k +# s chgrp debian-transmission torrents partial-torrents + +# syslog says things like +# 'Failed to set receive buffer: requested 4194304, got 425984' +# google suggets giving it even more than that +tu /etc/sysctl.conf<<'EOF' net.core.rmem_max = 67108864 net.core.wmem_max = 16777216 EOF - s sysctl -p - - # some reason it doesn\'t seem to start automatically anyways - pi-nostart transmission-daemon - - # the folder was moved here after an install around 02/2017. - # it contains runtime data, - # plus a simple symlink to the config file which it\'s - # not worth separating out. - # between comps, the uid can change - f=/i/transmission-daemon - s lnf -T $f /var/lib/transmission-daemon/.config/transmission-daemon - if [[ -e $f ]]; then - s chown -R debian-transmission:debian-transmission $f - fi - for f in /i/k/partial-torrents /i/k/torrents; do - if [[ -e $f ]]; then - s chown -R debian-transmission:traci $f - fi - done - s chown -R debian-transmission:debian-transmission /var/lib/transmission-daemon - # - # config file documented here, and it\'s the same config - # for daemon vs client, so it\'s documented in the gui. - # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options - # - # I originaly setup rpc-whitelist, but after using - # routing to a network namespace, it doesn\'t see the - # real source address, so it\'s disabled. - # - # Changed the cache-size to 256 mb, reduces disk use. - # It is a read & write cache. - # - s ruby <<'EOF' +s sysctl -p + +# some reason it doesn\'t seem to start automatically anyways +pi-nostart transmission-daemon +# be extra sure its not started +ser disable transmission-daemon +ser stop transmission-daemon + +# the folder was moved here after an install around 02/2017. +# it contains runtime data, +# plus a simple symlink to the config file which it\'s +# not worth separating out. +# between comps, the uid can change +f=$tdir/transmission-daemon +mkdir -p $f +s lnf -T $f /var/lib/transmission-daemon/.config/transmission-daemon +s lnf -T /etc/transmission-daemon/settings.json $f/settings.json +s chown -R debian-transmission:debian-transmission $f +for f in $tdir/partial-torrents $tdir/torrents; do + if [[ -e $f ]]; then + s chown -R debian-transmission:user2 $f + fi +done +s chown -R debian-transmission:debian-transmission /var/lib/transmission-daemon +# +# config file documented here, and it\'s the same config +# for daemon vs client, so it\'s documented in the gui. +# https://trac.transmissionbt.com/wiki/EditConfigFiles#Options +# +# I originaly setup rpc-whitelist, but after using +# routing to a network namespace, it doesn\'t see the +# real source address, so it\'s disabled. +# +# Changed the cache-size to 256 mb, reduces disk use. +# It is a read & write cache. +s ruby < false, 'rpc-authentication-required' => false, -'incomplete-dir' => '/i/k/partial-torrents', +'incomplete-dir' => '$tdir/partial-torrents', 'incomplete-dir-enabled' => true, -'download-dir' => '/i/k/torrents', +'download-dir' => '$tdir/torrents', "speed-limit-up" => 800, "speed-limit-up-enabled" => true, "peer-port" => 61486, @@ -1245,43 +1124,17 @@ File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({ "ratio-limit-enabled" => true, })) + "\n") EOF +####### end transmission - # make sure its not enabled, not sure if this is needed - ser disable transmission-daemon - ;; - # todo: others unknown -esac -# adapted from /var/lib/dpkg/info/transmission-daemon.postinst -if ! getent passwd debian-transmission > /dev/null; then - case $distro in - arch) - s useradd \ - --system \ - --create-home \ - --home-dir /var/lib/transmission-daemon \ - --shell /bin/false \ - debian-transmission - ;; - *) - s adduser --quiet \ - --system \ - --group \ - --no-create-home \ - --disabled-password \ - --home /var/lib/transmission-daemon \ - debian-transmission - ;; - esac -fi # trisquel 8 = openvpn, debian stretch = openvpn-client vpn_ser=openvpn-client if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then - vpn_ser=openvpn + vpn_ser=openvpn fi -s dd of=/etc/systemd/system/transmission-daemon-nn.service </dev/null) || continue + if [[ ! $uid -ge 1000 ]]; then + continue + fi + d=$f/.config/transmission-remote-gtk + s -u $u mkdir -p $d + s -u $u dd of=$d/config.json < x.html +end_msg <<'EOF' +In mate settings settings, change scrolling to two-finger, +because the default edge scroll doesn\'t work. Originally found this in debian. EOF +# Remove dep that came in with desktop to fix associations. +m pu transmission-gtk -case $distro in - trisquel|ubuntu|debian) - # unison-gtk second, i want it to be default, not sure if that works - # with spa. note, I used to install from testing repo when using stable, - # but it shouldn't be needed since I wrote a script to handle mismatching - # compilers. - spa unison unison-gtk - ;; -arch) - spa unison gtk2 - ;; -esac +s gpasswd -a iank adm #needed for reading logs -case $distro in - arch) - # default is alsa, doesn\'t work with with pianobar - s dd of=/etc/libao.conf <<'EOF' -default_driver=pulse -EOF - ;; -esac - -# note, for jessie, it depends on a higher version of btrfs-tools. -# -# # disabled due to my patch being in btrbk -# case $distro in -# arch|debian|trisquel|ubuntu) pi btrbk ;; -# # others unknown -# esac -cd /a/opt/btrbk -s make install -spa pv # for progress bar when running interactively. - -# ian: temporarily disabled while hosts are in flux. -# if [[ $HOSTNAME == tp ]]; then -# # backup/sync manually on others hosts for now. -# sgo btrbk.timer -# # note: to see when it was last run, -# # ser list-timers -# fi +m /a/bin/buildscripts/pithosfly +# # Based on guix manual instructions, also added code to profile. +# # disabled since i'm not using it now. +# pi nscd +# if ! type -p guix >/dev/null; then +# cd $(mktemp -d) +# wget https://git.savannah.gnu.org/cgit/guix.git/plain/etc/guix-install.sh +# # added some stuff to envonment.sh for profile based on +# # manual instructions +# # wget https://sv.gnu.org/people/viewgpg.php?user_id=15145 -qO - | gpg --import - +# # echo is to get past prompt +# yes | sudo -E HOME=$HOME bash guix-install.sh || [[ $? == 141 ]] +# guix install glibc-utf8-locales +# guix package --install guile +# fi -case $distro in - debian|trisquel|ubuntu) s gpasswd -a iank adm ;; #needed for reading logs -esac -# tor -case $distro in - # based on - # https://www.torproject.org/docs/rpms.html.en - # https://www.torproject.org/docs/debian.html.en - # todo: figure out if the running service needs to be restarted upon updates - - - # todo on fedora: setup non-dev packages - fedora) - s dd of=/etc/yum.repos.d/torproject.repo <<'EOF' -[tor] -name=Tor experimental repo -enabled=1 -baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/ -gpgcheck=1 -gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc - -[tor-source] -name=Tor experimental source repo -enabled=1 -autorefresh=0 -baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS -gpgcheck=1 -gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc -EOF - - # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above: - # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1 - sgo tor - /a/bin/buildscripts/tor-browser - ;; - ubuntu) - tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main" - gpg --keyserver keys.gnupg.net --recv 886DDD89 - gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add - - p update - pi deb.torproject.org-keyring - pi tor - /a/bin/buildscripts/tor-browser - ;; - debian) - pi tor - /a/bin/buildscripts/tor-browser - ;; - arch) - pi tor tor-browser-en - sgo tor - ;; - # ubuntu unknown -esac +pi tor +m /a/bin/buildscripts/tor-browser # nfs server -case $distro in - fedora) - end_msg <<'EOF' -fedora todo: disable the firewall or find a way to automate it. -there's an unused section in t.org for tramikssion firewall setup - -fedora manual config for nfs: -s firewall-config -change to permanent configuration -check the box for nfs -was hard to figure this out, not sure if this is all needed, but -unblock these too -mountd: udp/tcp 20048 -portmapper, in firewall-config its called rpc-bind: udp/tcp 111 -troubleshooting, unblock things in rpcinfo -p -make sure to reload the firewall to load the persistent configuration - - -EOF - pi nfs-utils - sgo nfs-server - ;; - debian|trisquel|ubuntu) - pi nfs-server - ;; - arch) - pi nfs-utils || pending_reboot=true - sgo rpcbind - # this failed until I rebooted - sgo nfs-server - ;; -esac - +pi-nostart nfs-kernel-server +# networkmanager has this nasty behavior on flidas: if the machine +# crashes with dnsmasq running, on subsequent boot, it adds an entry to +# resolvconf for 127.0.0.1 in some stupid attempt to restore +# nameservers. +# This can be manually fixed by stoping dnsmasq, +# then based on whats in /run/dnsmasq/, i see we can run +# s resolvconf -d NetworkManager +# oh ya, and stoping NetworkManager leaves this crap behind without cleaning it up. +ser disable NetworkManager if [[ $HOSTNAME == frodo ]]; then - # nohide = export filesystems mounted deeper than the export point - # fsid=0 makes this export the "root" export - # not documented in the man page, but this means - # 1. it can be mounted with a shorthand of server:/ - # 2. exports that are subdirectories of this one will automatically be mounted - tu /etc/exports <<'EOF' -/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure) + # nohide = export filesystems mounted deeper than the export point + # fsid=0 makes this export the "root" export + # not documented in the man page, but this means + # 1. it can be mounted with a shorthand of server:/ + # 2. exports that are subdirectories of this one will automatically be mounted + tu /etc/exports <<'EOF' +/k 10.0.0.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure) EOF - s exportfs -rav + s exportfs -rav fi -e "$end_msg_var" -# persistent virtual machines -case $distro in - debian|trisquel|ubuntu) - pi libosinfo-bin; - ;; -esac + # if I was going to create a persistent vm, i might do it like this: # variant=something # from: virt-install --os-variant list # s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \ - # --disk=/a/images/some_name.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \ - # -n some_name --import --os-variant $variant --cpu host-model-only + # --disk=/a/images/some_name.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \ + # -n some_name --import --os-variant $variant --cpu host-model-only ######### begin stuff belonging at the end ########## - -case $distro in - ubuntu|debian) - spa spacefm-gtk3 ;; - arch) - spa spacefm ;; -esac - - -pi "${simple_packages[@]}" - - -if $pending_reboot; then - echo "$0: pending reboot and then finished. doing it now." - s reboot now -else - echo "$0: $(date): ending now)" -fi -exit 0 +end