ditch buggy metastore for /p/c, use explicit perms in conflink
authorIan Kelling <ian@iankelling.org>
Mon, 23 Sep 2024 23:22:53 +0000 (19:22 -0400)
committerIan Kelling <ian@iankelling.org>
Mon, 23 Sep 2024 23:22:53 +0000 (19:22 -0400)
conflink
distro-end

index c785a9bb191b5ddaee753ab68976f60a70e55751..6ddf355147acd468392c7ff8ed26d69fd37a26ee 100755 (executable)
--- a/conflink
+++ b/conflink
@@ -115,7 +115,7 @@ subdir-link-r() {
     local fullpath
     fullpath="$(readlink -f "$path")"
     if [[ -f $path || $(dirname "$fullpath") == "$below" ]]; then
-      lnf -T "$path" "$HOME/${path#"$root/"}"
+      lnf -T "$path" "$HOME/${path#"$root/"}"
     elif [[ -d "$path" ]]; then
       subdir-link-r "$root" "$path"
     fi
@@ -124,72 +124,56 @@ subdir-link-r() {
 
 
 common-file-setup() {
-  local dir fs x f reload_systemd
-  local -a restart_services
+  local dir fs f reload_systemd
+  local -a link_glob
+  local -A restart_services
   reload_systemd=false
-  # note, i ran chmod -R g-s on the filesystem dirs
-  # so i could keep permissions of secret files
+
   for dir in "$@"; do
-    fs=$dir/filesystem
-    if [[ -e $fs && $user =~ ^iank?$ ]]; then
-      # we dont want t, instead c for checksum.
-      # That way we dont set times on directories.
-      # -a = -rlptgoD
-      # -A is acls, implies -p
-      cmd=( s rsync -rclgoDiSAX --chmod=Dg-s --chown=root:root
-            --exclude=/etc/dovecot/users
-            --exclude='/etc/exim4/passwd*'
-            --exclude='/etc/exim4/*.pem'
-            $fs/ / )
-      echo "${cmd[@]@Q}"
-      "${cmd[@]}" | tee $tmpf
-      while read -r line; do
-        file="${line:12}"
-        case $file in
-          etc/prometheus/rules/iank.yml|etc/prometheus/prometheus.yml)
-            case $HOSTNAME in
-              kd)
-                if systemctl is-active prometheus &>/dev/null; then
-                  v s systemctl reload prometheus
-                fi
-                ;;
-            esac
-            ;;
-          etc/systemd/system/*)
-            reload_systemd=true
-            ;;
-          etc/dnsmasq.d/*)
-            restart_services+=(dnsmasq)
-            ;;
-          etc/systemd/resolved.conf.d/*)
-            restart_services+=(systemd-resolved)
-            ;;
-        esac
-        # Previously did this with tar, but it doesn't
-        # update directory permissions.
-        #
-        # S = do spare files efficiently
-        # A = preserve acls
-        # X = preserve extended attributes
-        # i = itemize
-      done <$tmpf
-    fi
 
     if ! $fast && [[ -e $dir/subdir_files ]]; then
-      subdir-link-r $dir/subdir_files
+      subdir-link-r $dir/subdir_files
     fi
-    local x=( $dir/!(binds|subdir_files|filesystem|machine_specific|..|.|.#*) )
-    (( ${#x[@]} >= 1 )) || continue
-    m lnf ${x[@]} ~
+    link_glob=( $dir/!(binds|subdir_files|filesystem|machine_specific|..|.|.#*) )
+    (( ${#link_glob[@]} >= 1 )) || continue
+    lnf ${link_glob[@]} ~
   done
-  if $reload_systemd; then
-    v s systemctl daemon-reload
+
+}
+
+old-files-cleanup() {
+  # old files 2022-03
+  for t in systemstatus epanicclean btrfsmaintstop dynamicipupdate; do
+    f=/etc/systemd/system/$t.timer
+    if [[ -e $f ]]; then
+      v systemctl stop $t.timer
+      v systemctl disable $t.timer
+      s rm -fv $f
+      reload_systemd=true
+    fi
+  done
+  # old 2022-04
+  if [[ -e /etc/cron.daily/check-lets-encrypt-ssl-settings ]]; then
+    s rm -f /etc/cron.daily/check-lets-encrypt-ssl-settings
+  fi
+  # conversion from whole folder subdir to individual files.
+  if [[ -L /home/iank/.config/copyq ]]; then
+    rm -fv /home/iank/.config/copyq
   fi
-  for service in ${restart_services[@]}; do
-    if systemctl is-active $service >/dev/null; then
-      v s systemctl restart $service
+
+}
+
+find-maybe() {
+  local path
+  local -a paths
+  for path in "${find_paths[@]}"; do
+    if [[ -e $path ]]; then
+      paths+=( "$path" )
     fi
   done
+  if (( ${#paths[@]} >= 1 )); then
+    s find "${paths[@]}" "$@"
+  fi
 }
 
 #### end function definitions, begin main script ####
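Review bot: The `local dir fs f reload_systemd` and `local -A restart_services` declarations kept in `common-file-setup` no longer belong to that function: the code that writes and reads them has moved to the main script (`restart_services[dnsmasq]=t`, `if $reload_systemd`, `${!restart_services[@]}` in the next hunk) and to `old-files-cleanup` (`reload_systemd=true`), where bash's call-scoped `local` does not reach. Unless the main script declares them somewhere outside these hunks, `restart_services[dnsmasq]=t` on an undeclared (indexed) array evaluates the subscript arithmetically to 0, `${!restart_services[@]}` then yields `0`, and dnsmasq/systemd-resolved are never restarted; `$reload_systemd` would likewise be unset when tested. I'd trim the function to `local dir` and `local -a link_glob` (`fs` and `f` are unused in it after this change) and declare `declare -A restart_services=()` and `reload_systemd=false` at top level before `case $user`.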
@@ -205,82 +189,149 @@ done
 
 
 c_dirs=(/a/c{,/machine_specific/$HOSTNAME})
+
 case $user in
   iank)
-    # old files 2022-03
-    for t in systemstatus epanicclean btrfsmaintstop dynamicipupdate; do
-      f=/etc/systemd/system/$t.timer
-      if [[ -e $f ]]; then
-        v systemctl stop $t.timer
-        v systemctl disable $t.timer
-        s rm -fv $f
-        reload_systemd=true
-      fi
-    done
-    # old 2022-04
-    if [[ -e /etc/cron.daily/check-lets-encrypt-ssl-settings ]]; then
-      m s rm -f /etc/cron.daily/check-lets-encrypt-ssl-settings
-    fi
-    # conversion from whole folder subdir to individual files.
-    if [[ -L /home/iank/.config/copyq ]]; then
-      rm -fv /home/iank/.config/copyq
-    fi
+
+    old-files-cleanup
 
     /a/bin/ds/install-my-scripts
-    files=(/p/c/machine_specific/*/filesystem/etc/ssh/*_key
-           /p/c/machine_specific/*/filesystem/etc/openvpn/client/*.key
-           /p/c/filesystem/etc/openvpn/client/*.key
-           /p/c/filesystem/etc/openvpn/easy-rsa/keys/*.key
-          )
-    if [[ -e ${files[0]} ]]; then
-      chmod 600 ${files[@]}
+
+    # setup permissions in /p/c to be user only except some filesystem files
+    if [[ -e /p/c ]]; then
+      chmod -R g-s,u=rwX,go= /p/c
     fi
+    find_paths=(/p/c/filesystem /p/c/machine_specific/*/filesystem /p/c/user-specific)
+    find-maybe -type d \! -name wireguard \! -path '*/moddata/*' \! -name moddata -exec chmod go+rX '{}' +
+
+    find_paths=(/p/c/filesystem/etc/ssh /p/c/machine_specific/*/filesystem/etc/ssh)
+    find-maybe -type f -name '*.pub' -exec chmod go+rX '{}' +
+
+    # note: intentionally letting a few files have more restrictive
+    # permissions than needed: a few openvpn files, some pub wireguard
+    # keys.
+    std_perm_paths=(
+      etc/udev/hwdb.d/01-ian.hwdb
+      etc/prometheus/alertmanager.yml
+      etc/debbugs/
+      usr/
+      etc/apt/preferences.d
+    )
+
+    for path in ${std_perm_paths[@]}; do
+      find_paths=(/p/c/filesystem/$path /p/c/machine_specific/*/filesystem/$path)
+      find-maybe -type f -exec chmod go+rX '{}' +
+    done
+
     # p needs to go first so .ssh link is created, then config link inside it
-    m common-file-setup ${all_dirs[@]}
+    common-file-setup ${all_dirs[@]}
+
+    rsync_args=()
+    for dir in ${all_dirs[@]}; do
+      fs=$dir/filesystem
+      if [[ -r $fs ]]; then
+        rsync_args+=($fs/)
+      fi
+    done
+
+    cmd=( s rsync -rclgoDiSAX --chown=root:root
+          --exclude=/etc/dovecot/users
+          --exclude='/etc/exim4/passwd*'
+          --exclude='/etc/exim4/*.pem'
+          ${rsync_args[@]} / )
+    echo "${cmd[@]@Q}"
+    "${cmd[@]}" | tee $tmpf
+
+    while read -r line; do
+      file="${line:12}"
+      case $file in
+        etc/prometheus/rules/iank.yml|etc/prometheus/prometheus.yml)
+          case $HOSTNAME in
+            kd)
+              if systemctl is-active prometheus &>/dev/null; then
+                v s systemctl reload prometheus
+              fi
+              ;;
+          esac
+          ;;
+        etc/systemd/system/*)
+          reload_systemd=true
+          ;;
+        etc/dnsmasq.d/*)
+          restart_services[dnsmasq]=t
+          ;;
+        etc/systemd/resolved.conf.d/*)
+          restart_services[systemd-resolved]=t
+          ;;
+      esac
+      # Previously did this with tar, but it doesn't
+      # update directory permissions.
+      #
+      # S = do spare files efficiently
+      # A = preserve acls
+      # X = preserve extended attributes
+      # i = itemize
+    done <$tmpf
+
+    if $reload_systemd; then
+      v s systemctl daemon-reload
+    fi
+    for service in ${!restart_services[@]}; do
+      if systemctl is-active $service >/dev/null; then
+        v s systemctl restart $service
+      fi
+    done
 
     #### begin special extra stuff ####
     install -d -m700 ~/gpg-agent-socket
 
-    f=/var/lib/bind
-    if [[ -e $f ]]; then
-      # reset to the original permissions.
-      m s chgrp -R bind $f
-      m s chmod g+w $f
-    fi
-    # shellcheck disable=SC2016 # obviously expected
-    s bash -c 'shopt -s nullglob; for f in /etc/bind/*.key /etc/bind/*.private /etc/bind/key.*; do chgrp bind $f; done'
     if [[ -e /etc/caldav-htpasswd ]] && getent group www-data &>/dev/null; then
       s chgrp www-data /etc/caldav-htpasswd
     fi
-    if [[ -e /var/lib/znc ]] && getent group znc; then
-      s chown -R znc:znc /var/lib/znc
-    fi
     if [[ -e /p/c/user-specific/prometheus ]]; then
       if getent passwd prometheus &>/dev/null; then
-        v s rsync -clpgoDiSAX --chmod=Dg-s --chown=root:prometheus /p/c/user-specific/prometheus/prometheus-pass /etc
-        v s rsync -clpgoDiSAX --chmod=Dg-s --chown=root:prometheus /p/c/user-specific/prometheus/prometheus/ssl/* /etc/prometheus/ssl
+        v s rsync -clpgoDiSAX --chmod=g+r --chown=root:prometheus /p/c/user-specific/prometheus/prometheus-pass /etc
+        v s rsync -clpgoDiSAX --chmod=g+r --chown=root:prometheus /p/c/user-specific/prometheus/prometheus/ssl/* /etc/prometheus/ssl
       fi
     fi
     if [[ -e /p/c/user-specific/www-data ]]; then
       if getent passwd www-data &>/dev/null; then
-        v s rsync -clpgoDiSAX --chmod=Dg-s --chown=root:www-data /p/c/user-specific/www-data/* /etc
+        v s rsync -clpgoDiSAX --chmod=g+r --chown=root:www-data /p/c/user-specific/www-data/* /etc
       fi
     fi
 
+    if [[ -e /p/c/user-specific/znc ]]; then
+      if getent group znc &>/dev/null; then
+        v s rsync -rclpgoDiSAX --chown=znc:znc /p/c/user-specific/znc/ /var/lib/znc
+      fi
+    fi
+
+    # These files would naturally be world readable, but I see no point
+    # in bothering to write the code to do that.
+    # "var/lib/bind/db.*"
+    # "var/lib/bind/*.key"
+    # "var/lib/bind/dsset-*"
+    if [[ -e /p/c/user-specific/bind ]]; then
+      if getent group bind &>/dev/null; then
+        v s rsync -clpgoDiSAX --chmod=g+r --chown=root:bind /p/c/user-specific/bind/etc/* /etc/bind
+        v s rsync -clpgoDiSAX --chmod=g+r --chown=root:bind /p/c/user-specific/bind/var/lib/bind/* /var/lib/bind
+      fi
+    fi
+
+    # this folder strangely requires ownership as icecast2 (and icecast2 group is icecast without the 2).
+    if [[ -d /etc/icecast2 && -e /p/c/user-specific/icecast ]]; then
+      v s rsync -clgoDiSAX --chmod=g+r --chown=root:icecast /p/c/user-specific/icecast2/icecast.xml /etc/icecast2
+    fi
+
     # disabled
     # if [[ -d /var/lib/bitcoind && -d /p/c/user-specific/bitcoin ]]; then
-    #   s rsync -clpgoDiSAX --chmod=Dg-s --chown=bitcoin:bitcoin /p/c/user-specific/bitcoin/settings.json /var/lib/bitcoind
-    #   s rsync -rclpgoDiSAX --chmod=Dg-s --chown=root:bitcoin /p/c/user-specific/bitcoin/bitcoin /etc
+    #   s rsync -clpgoDiSAX --chown=bitcoin:bitcoin /p/c/user-specific/bitcoin/settings.json /var/lib/bitcoind
+    #   s rsync -rclpgoDiSAX --chown=root:bitcoin /p/c/user-specific/bitcoin/bitcoin /etc
     # fi
-
-    # this folder strangely requires ownership as icecast2
-    if [[ -d /etc/icecast2 && -f /p/c/icecast.xml ]]; then
-      m s rsync -rclgoDiSAX --chmod=0644 --chown=root:root /p/c/icecast.xml /etc/icecast2
-    fi
     ##### end special extra stuff #####
 
     if ! $fast; then
-      s -H -u user2 "${BASH_SOURCE[0]}"
+      s -H -u user2 "${BASH_SOURCE[0]}"
     fi
 
     mkdir -p ~/.local
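Review bot: The icecast block's guard and its source disagree: the condition tests `-e /p/c/user-specific/icecast` but the rsync reads `/p/c/user-specific/icecast2/icecast.xml`, so one of the two is a typo and the copy either never runs or runs against an unchecked path (the comment about the group name hints the directory is `icecast2`, but verify). Test the exact file being copied: `if [[ -d /etc/icecast2 && -e /p/c/user-specific/icecast2/icecast.xml ]]; then`. Separately, the consolidated `cmd=( s rsync ... ${rsync_args[@]} / )` lost the per-directory `-e $fs` guard the old loop had: if no `$dir/filesystem` is readable, `rsync_args` is empty and rsync is invoked with `/` as its only path, which is rsync's local listing mode and recursively lists the whole filesystem as root into `$tmpf`, after which the `${line:12}` loop parses listing output as itemize lines. Wrap the rsync call and the itemize loop in `if (( ${#rsync_args[@]} )); then … fi`, or `continue`/skip when the array is empty.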
@@ -294,7 +345,7 @@ case $user in
 
     ;;
   user2)
-    common-file-setup ${c_dirs[@]}
+    common-file-setup ${c_dirs[@]}
     ;;
   *)
     echo "$0: error: unexpected user"; exit 1
index 2ba7205805151a37a7b6b87dfc53f720ca93796a..025e5d2c331641124ba89ba3883fff2924935ecd 100755 (executable)
@@ -2282,6 +2282,11 @@ hiup
 
 /p/c/distro-extra
 
+
+# delete this once run everywhere. delete old file:
+
+rm -f /etc/systemd/system/openvpn-client@client.service.d/iank.conf
+
 # if I was going to create a persistent vm, i might do it like this:
 # variant=something  # from: virt-install --os-variant list
 # s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
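Review bot: `rm -f /etc/systemd/system/openvpn-client@client.service.d/iank.conf` deletes a systemd drop-in with no privilege wrapper and no `systemctl daemon-reload`, whereas the conflink side of this commit removes unit files with `s rm -fv $f` and follows up with `v s systemctl daemon-reload`. If distro-end runs unprivileged at this point the rm fails with a permission error on an existing file (`-f` only silences the missing-file case, and under `set -e` the script aborts); if it runs as root, the removed drop-in stays in effect in systemd's loaded configuration until the next reload. I can't see from the hunk how this section is run, so I'd mirror conflink: `s rm -fv /etc/systemd/system/openvpn-client@client.service.d/iank.conf` followed by `s systemctl daemon-reload` (dropping `s` if the script already runs as root here).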