From: Ian Kelling Date: Sun, 28 Apr 2024 03:04:36 +0000 (-0400) Subject: shellcheck, remove old files X-Git-Url: https://iankelling.org/git/?a=commitdiff_plain;h=ef3bbffe6d2a08ebd735ba4f09c7bd0fbea585a0;p=distro-setup shellcheck, remove old files --- diff --git a/.git_template/hooks/pre-commit b/.git_template/hooks/pre-commit index f1cb270..7178d49 100755 --- a/.git_template/hooks/pre-commit +++ b/.git_template/hooks/pre-commit @@ -65,8 +65,8 @@ if [[ $allownonascii != true ]] && # Note that the use of brackets around a tr range is ok here, (it's # even required, for portability to Solaris 10's /usr/bin/tr), since # the square bracket bytes happen to fall in the designated range. - test $(git diff --cached --name-only --diff-filter=A -z $against | - LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0 + test "$(git diff --cached --name-only --diff-filter=A -z $against | + LC_ALL=C tr -d '[ -~]\0' | wc -c)" != 0 then cat <= 1 )); then echo "A template comment to disable is now in clipboard. eg: # shellcheck disable=SC2206 # reason" cbs "# shellcheck disable=SC" return $ret fi } -skx() { - sk -x "$@" -} + # sk with quotes. For checking scripts that we expect to take untrusted # input in order to verify we quoted vars. skq() { @@ -2483,7 +2477,7 @@ skmodified() { # sk on all the files in current git repo (except those excluded) skgit() { local f toplevel orig_dir tmp skip pattern - local -a ls_files excludes + local -a ls_files excludes sk_files toplevel=$(git rev-parse --show-toplevel) if [[ $PWD != "$toplevel" ]]; then orig_dir=$PWD @@ -2491,13 +2485,6 @@ skgit() { fi excludes=( 'disabled/*' - # sourced from brc2 - beet-data - # sourced from .bash_profile - .bashrc - ) - no_check_sourced=( - .bash_profile ) tmp=$(git ls-files | shuf) mapfile -t ls_files <<<"$tmp" @@ -2510,19 +2497,11 @@ skgit() { fi done if $skip; then continue; fi - - check_source=-a - for pattern in "${no_check_sourced[@]}"; do - if [[ $f == "$pattern" ]]; then - check_source= - break - fi - done if sk-p "$f"; then - printf "================= %s\n" "$f" - sk $check_source --color=always $f || [[ $? == 1 ]] + sk_files+=("$f") fi done + sk "${sk_files[@]}" if [[ $orig_dir ]]; then cd $orig_dir fi diff --git a/brc2 b/brc2 index eae5aa9..de12005 100644 --- a/brc2 +++ b/brc2 @@ -2639,6 +2639,7 @@ wgkey() { host-info-all() { host-info-update bindpushb8 + ssh li.b8.nz conflink wrt-setup } @@ -2724,22 +2725,24 @@ EOF } | cedit /p/c/subdir_files/.ssh/config || [[ $? == 1 ]] { - echo "cat </etc/systemd/system/bitcoinjm.service - - d=jm; jm=d # being clever for succinctness - for s in d jm; do - s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \ - /etc/systemd/system/bitcoin${s}.service - done - - ser daemon-reload - - dir=/nocow/.bitcoin - s mkdir -p $dir - s chown -R bitcoin:bitcoin $dir - dir=/etc/bitcoin - s mkdir -p $dir - s chown -R root:bitcoin $dir - s chmod 750 $dir - - # pruning decreases the bitcoin dir to 2 gb, keeps - # just the recent blocks. can\'t do a few things like - # import a wallet dump. - # pruning works, but people had to do - # some manual stuff in joinmarket. I dun need the - # disk space, so not bothering yet, maybe in a year or so. - # https://github.com/JoinMarket-Org/joinmarket/issues/431 - #https://bitcoin.org/en/release/v0.12.0#wallet-pruning - #prune=550 - - f=$dir/bitcoin.conf - s dd of=$f </dev/null <&2' ERR - -x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file - -while read -r ip host; do - found=false - is_connected="grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log" - if $is_connected; then continue; fi - if ! grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log; then - cd $(mktemp -d); dir=$PWD - ssh wrt tar -C /etc -c hosts | tar -x - if grep -qFx "$ip $host" hosts; then continue; fi - # openvpn udpates its status file every 60 seconds by default - if (( $(stat -c%Y hosts) > EPOCHSECONDS + 60 )); then - sleep 60 - if $is_connected; then continue; fi - fi - ssh root@wrt.b8.nz cedit ovpn-$host <<<"$ip $host" || [[ $? == 1 ]] - fi -done &2' ERR - -x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file - -# see lan-dyn-dns-update. this is the corresponding script for on connect/disconnect from vpn - -d=/p/ovpn-ssh -ssh_cmd="ssh -F$d/.config -i$d/home root@wrt.b8.nz cedit ovpn-$X509_0_CN /etc/hosts" -case $script_type in - client-connect) $ssh_cmd <<<"$ifconfig_pool_remote_ip $X509_0_CN"|| [[ $? == 1 ]] - ;; - client-disconnect) - $ssh_cmd <<<$(grep -F $X509_0_CN lan-dns) || [[ $? == 1 ]] - ;; -esac diff --git a/disabled/kodi-setup b/disabled/kodi-setup deleted file mode 100644 index 7c61e88..0000000 --- a/disabled/kodi-setup +++ /dev/null @@ -1,95 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# this is from distro-end -if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi - -pi kodi - -# based on https://wiki.debian.org/SecuringNFS -# but the quota stuff is either outdated or optional, -# i guessed that it was not needed and it worked fine. -s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF' -fs.nfs.nfs_callback_tcpport = 32764 -fs.nfs.nlm_tcpport = 32768 -fs.nfs.nlm_udpport = 32768 -EOF -s sysctl --system -s $sed -ri -f - /etc/default/nfs-common <<'EOF' -/^\s*STATDOPTS=/d -$a STATDOPTS="--port 32765 --outgoing-port 32766" -EOF - -s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF' -/^\s*RPCMOUNTDOPTS=/d -$a RPCMOUNTDOPTS="--manage-gids --port 32767" -EOF -ser restart nfs-kernel-server - -if [[ $HOSTNAME == kd ]]; then - # persistent one time steps for webdav: - # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml, - # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi - # htpasswd -c /p/c/filesystem/etc/davpass dav - # chmod 640 /p/c/filesystem/etc/davpass - # in conflink, set group to www-data. - # In kodi, i set the music source, server address: my domain, - # path: k/music. Then copied the file - # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting. - s a2enmod dav dav_fs - web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF' - - DAV On - AuthType Basic - AuthName "Authentication Required" - AuthUserFile "/etc/davpass" - Require valid-user - -# outside the standard /var/www, so use this: - Order allow,deny - Allow from all - -EOF - s mkdir -p /var/www/davlock - s chown www-data:www-data /var/www/davlock - s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf - ser reload apache2 - - teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)" - exportfs -ra - - # kodi uses sqlite by default, but supports mysql. - pi mariadb-server - - # see ofswiki.org for explanation. - dbpass="$(cat /p/mysql-root-pass)" - if ! echo exit|mysql -uroot "-p$dbpass"; then - echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation - fi - mysql -uroot "-p$dbpass" <&2' ERR - - -usage() { - cat <>/etc/sudoers -echo n5 >/etc/hostname -sed -i '/^127\.0\.1\.1/d' /etc/hosts -echo "127.0.1.1 n5.lan n5" >>/etc/hosts -hostname -F /etc/hostname - -kill $(pgrep -U maru) -usermod -l ian -m -d /home/ian maru -groupmod -n ian maru -useradd -m -s /bin/bash user2 -EOF - -# then do myunison n5, -# then do conflink. diff --git a/disabled/mastodon b/disabled/mastodon deleted file mode 100644 index 78b08f8..0000000 --- a/disabled/mastodon +++ /dev/null @@ -1,128 +0,0 @@ - ############# begin setup mastodon ############## - - # main doc is Docker-Guide.md in docs repo - - # I'd like to try gnu social just cuz of gnu, but it's not being - # well maintained, for example, simple pull requests - # languishing: - # https://git.gnu.io/gnu/gnu-social/merge_requests/143 - # and I submitted my own bugs, basic docs are broken - # https://git.gnu.io/gnu/gnu-social/issues/269 - - # note, docker required, but we installed it earlier - - # i subscrubed to https://github.com/docker/compose/releases.atom - # to see release notes. - # i had some problems upgrading. blew things away with - # docker-compose down - # docker rmi $(docker images -q) - # s reboot now - # when running docker-compose run, kernel stack traces are printed to the journal. - # things seem to succeed, google says nothing, so ignoring them. - curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-$(uname -s)-$(uname -m) | s dd of=/usr/local/bin/docker-compose - s chmod +x /usr/local/bin/docker-compose - - - cd ~ - s rm -rf mastodon - i clone https://github.com/tootsuite/mastodon - cd mastodon - # subbed to atom feed to deal with updates - git checkout $(git tag | grep -v rc | tail -n1) - - # per instructions, uncomment redis/postgres persistence in docker-compose.yml - sed -i 's/^#//' docker-compose.yml - - cat >.env.production <<'EOF' -REDIS_HOST=redis -REDIS_PORT=6379 -DB_HOST=db -DB_USER=postgres -DB_NAME=postgres -DB_PASS= -DB_PORT=5432 - -LOCAL_DOMAIN=mast.iankelling.org -LOCAL_HTTPS=true - -SINGLE_USER_MODE=true - -SMTP_SERVER=mail.iankelling.org -SMTP_PORT=25 -SMTP_LOGIN=li -SMTP_FROM_ADDRESS=notifications@mast.iankelling.org -SMTP_DOMAIN=mast.iankelling.org -SMTP_DELIVERY_METHOD=smtp -EOF - - for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do - # 1 minute 7 seconds to run this docker command - # to generate a secret, and it has ^M chars at the end. wtf. really dumb - printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production - done - found=false - while read -r domain _ pass; do - if [[ $domain == mail.iankelling.org ]]; then - found=true - # remove the username part - pass="${pass#*:}" - printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production - break - fi - done < <(s cat /etc/mailpass) - if ! $found; then - echo "$0: error, failed to find mailpass domain for mastadon" - exit 1 - fi - - # docker compose makes an interface named like br-8f3e208558f2. we need mail to - # get routed to us. - if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then - s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25 - fi - - docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production - logq docker-compose run --rm web rake db:migrate - docker-compose run --rm web rails assets:precompile - - # avatar failed to upload, did - # docker logs mastodon_web_1 - # google lead me to this - s chown -R 991:991 public/system - - # docker daemon takes care of starting on boot. - docker-compose up -d - - s a2enmod proxy_wstunnel headers - web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF' - ProxyPreserveHost On - RequestHeader set X-Forwarded-Proto "https" - ProxyPass /500.html ! - ProxyPass /oops.png ! - ProxyPass /api/v1/streaming/ ws://localhost:4000/ - ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/ - ErrorDocument 500 /500.html - ErrorDocument 501 /500.html - ErrorDocument 502 /500.html - ErrorDocument 503 /500.html - ErrorDocument 504 /500.html -EOF - - - ############### !!!!!!!!!!!!!!!!! - ############### manual steps: - - # only following a few people atm, so not bothering to figure out backups - # when mastodon has not documented it at all. - # - # fsf@status.fsf.org - # cwebber@toot.cat - # dbd@status.fsf.org - # johns@status.fsf.org - - # sign in page is at https://mast.iankelling.org/auth/sign_in - # register as iank, then - # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md - # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank - - ############# end setup mastodon ############## diff --git a/disabled/mastodon-upgrade b/disabled/mastodon-upgrade deleted file mode 100755 index c4a2950..0000000 --- a/disabled/mastodon-upgrade +++ /dev/null @@ -1,43 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - -# based on -# https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Docker-Guide.md - -if [[ $EUID == 0 ]]; then echo "$0: error, do not run as root"; exit 1; fi - -cd /home/iank/mastodon -git fetch -git stash -git checkout $(git tag | grep -v rc | tail -n1) -git stash pop -docker-compose build -# these 2 may not be needed in all upgrades, but -# simpler to just do them always. -docker-compose run --rm web rake db:migrate -docker-compose run --rm web rake assets:precompile -# restart the app -docker-compose up -d diff --git a/disabled/nagios b/disabled/nagios deleted file mode 100644 index f9f38eb..0000000 --- a/disabled/nagios +++ /dev/null @@ -1,124 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# this was part of distro-end - -### begin nagios ### - -pi nagios-nrpe-server - -case $HOSTNAME in - kd) - # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345 - pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports - s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf - - # to add a password for admin: - # htdigest /etc/nagios4/htdigest.users Nagios4 iank - # now using the same pass as prometheus - - # nagstamon auth settings, set to digest instead of basic. - - web-conf -p 3005 - apache2 i.b8.nz <<'EOF' -# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf - -ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 -ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 - -# Where the stylesheets (config files) reside -Alias /nagios4/stylesheets /etc/nagios4/stylesheets - -# Where the HTML pages live -Alias /nagios4 /usr/share/nagios4/htdocs - - - Options FollowSymLinks - DirectoryIndex index.php index.html - AllowOverride AuthConfig - # - # The default Debian nagios4 install sets use_authentication=0 in - # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. - # This is insecure. As a compromise this default apache2 configuration - # only allows private IP addresses access. - # - # The ... below shows how you can secure the nagios4 - # web site so anybody can view it, but only authenticated users can issue - # commands (such as silence notifications). To do that replace the - # "Require all granted" with "Require valid-user", and use htdigest - # program from the apache2-utils package to add users to - # /etc/nagios4/htdigest.users. - # - # A step up is to insist all users validate themselves by moving - # the stanza's in the .. into the . - # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you - # can configure which people get to see a particular service from - # within the nagios configuration. - # - AuthDigestDomain "Nagios4" - AuthDigestProvider file - AuthUserFile "/etc/nagios4-htdigest.users" - AuthGroupFile "/etc/group" - AuthName "Nagios4" - AuthType Digest - Require valid-user - - - - Options +ExecCGI - -EOF - ;; -esac - -# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example: -# notifications_enabled=1 -# note, the same variable exists in the correspdonding "define service {" - -# in the default config, we have these definitions - -# 11 define command { -# 2 define contact { -# 1 define contactgroup { -# 9 define host { -# 4 define hostgroup { -# 23 define service { -# 5 define timeperiod { - - -# on klaxon - -# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c -# 76 define command -# 11 define contact -# 6 define contactgroup -# 162 define host -# 1 define hostextinfo -# 16 define hostgroup -# 3040 define service -# 2 define servicedependency -# 6 define timeperiod - - - - -### end nagios ### diff --git a/disabled/new-firefox b/disabled/new-firefox deleted file mode 100644 index 7aa6144..0000000 --- a/disabled/new-firefox +++ /dev/null @@ -1,62 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# not caring enough about having a new firefox at the moment, so -# disabled. - -# this was just under the comment "basic needed packages" in -# distro-begin. - -case $(distro-name) in - debian) - if has_x; then - if isdebian-stable; then - pi firefox/$codename-backports - else - # for a while, firefox/unstable did not have - # dependencies satisfied by testing packages, and i hit - # a conflict, it wanted a newer libfontconfig1, but - # emacs build-deps wanted an older one. In this case, - # I switch to using firefox-esr. note: They seem - # to release a new esr version every 9 months or so. - pi firefox/unstable - s dd of=/etc/apt/preferences.d/firefox <<'EOF' -Package: firefox -Pin: release a=unstable -Pin-Priority: 500 -EOF - fi - fi - # # no hosts have nonfree firmware anymore, yay. but leaving commented, - # # as i might run into one for a little while still. - # p=firmware-linux-nonfree - # if apt-cache show $p &>/dev/null; then - # pi $p - # fi - ;;& - trisquel|ubuntu) - if has_x; then - pi abrowser - fi - ;; -esac diff --git a/disabled/offlineimap-sync b/disabled/offlineimap-sync deleted file mode 100755 index 059f546..0000000 --- a/disabled/offlineimap-sync +++ /dev/null @@ -1,82 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR -# mail-route can get messed up a bit randomly, I don't know why. -#/b/ds/mail-route up |& /b/log-quiet/log-once -1 mail-route - -for f in $(awk '$1 == "localfolders" {print $NF}' ~/.offlineimaprc); do - mkdir -p $f - chmod 700 $f -done - -offlineimap -u quiet -shopt -s nullglob - -if grep -qP '^ *accounts.*fsf' ~/.offlineimaprc; then - if [[ ! -e /nocow/user/.mufsf ]]; then - mkdir -p /nocow/user/.mufsf - chmod 700 /nocow/user/.mufsf - mu index --maildir=/nocow/user/fsfmd - fi -fi - -omv() { # offlineimap mv. move mail files within $src_base/$1 to /m/md/$2 - src="$1" - dst="$2" - found_files=false - for x in new cur; do - files=($src_base/"$src"/$x/*) - if [[ $files ]]; then - found_files=true - mv "${files[@]}" /m/md/"$dst"/$x - fi - done -} - -src_base=/m/offlineimap -omv "Sent Items" "Sent" -omv INBOX offlineimaptmp -src_base=/m/md -if $found_files; then - sieve-filter -eW ~/sieve/main.sieve offlineimaptmp &>/dev/null - # the default folder is INBOX for anything leftover - omv offlineimaptmp INBOX - # remove messages from remote host - offlineimap -u quiet - # this makes us sit and wait when we want to use mu and this is running in a cronjob. - # todo: emacs updates the index much faster. what command is it running? I'd like - # to just run that - # looks like it might be mu index --lazy-check, but that still takes like 10 seconds, - # figure out if that is the same speed, or if we can make it faster. - #mu index &>/dev/null ||: -fi - - -# delete based on http://deflexion.com/2006/05/imap-way-of-deleting-message -sieve-filter -eW -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf.sieve INBOX delete &>>/tmp/fsfsieve.log - -# to test new rules, update fsf-test.sieve, run these commands, then copy new fsf-test.sieve to fsf.sieve -# sieve-filter -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf-test.sieve INBOX &>/tmp/testfsfsieve.log -# sed -rn '/^Performed actions:/{n;n;p}' /tmp/testfsfsieve.log | sort -u diff --git a/disabled/phabricator-setup b/disabled/phabricator-setup deleted file mode 100755 index a2c25a3..0000000 --- a/disabled/phabricator-setup +++ /dev/null @@ -1,378 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Copyright (C) 2016 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - -# Automated phabricator setup. Not currently using it, -# but it worked last time I tried it. - -if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi - -set -x - - -# lj is test server -case $HOSTNAME in - lj) - domain=phab.iank.bid - alt_domain=fastmail.wiki - ;; - lk) - domain=phab.iankelling.org - alt_domain=iankellingusercontent.org - ;; -esac - - -pass=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin` -webroot=/usr/share/phabricator/webroot -user=iank -name="Ian Kelling" -email=ian@iankelling.org -ssh_port=222 - -fbin() { bin=$1; shift; sudo /usr/share/phabricator/bin/$bin "$@"; } -fsetd() { fbin config set --database "$@"; } - -# phabricator complained about wanting arcanist first -pi arcanist/unstable mercurial - -# duplicated in mediawiki setup. todo fix that. -s DEBIAN_FRONTEND=noninteractive pi mysql-server -cd # mysql_secure_installation writes some temp files to the current dir, -# so we need to make sure it's writable. -if echo exit|mysql -u root -p"$dbpass"; then - echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation -else - echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation -fi - -mysql -u root -p$dbpass < - Require all granted - -EOF -done - - -# Before I figured out how to setup the admin in the script, -# this would limit the site to localhost, -# and access it through an ssh tunnel until its secure. -#phab-site -p 127.0.0.1:443 - -# settings are stored in conf/local/local.json. -# some settings could also be stored in the database with -# --database arg. database has higher priority than -# the config file. - -# if you need to restart phabricator, just ser restart apache2 -# https://secure.phabricator.com/book/phabricator/article/restarting/ - -# to reset things, you can do. -# fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable -# # but under debian, prolly better to purge, cause db gets created on install - - -# On first run went to the website, registered manually, then -# went through the gui setup items to get the configuration below. - - -#expect "*" -#sleep 1 - -# expect's exits with 0 by default on timeout of an expect command. -# You can modify this, but it was simpler to use an irregular code to detect -# actual success. -sudo expect -d <<()~*:\"\"&^'" -# default is 128M. recommended starting point is 40% of ram. -setd innodb_buffer_pool_size 1600M - -# this files stopwork, and min_word_len -mysql -u root -p$dbpass <<'EOF' -REPAIR TABLE phabricator_search.search_documentfield; -EOF - -fsetd pygments.enabled true -fbin config set security.alternate-file-domain https://$alt_domain - -setini opcache.validate_timestamps '"0"' opcache /etc/php5/apache2/php.ini -setini post_max_size 100M PHP /etc/php5/apache2/php.ini - -fsetd metamta.default-address phabricator@$domain -fsetd metamta.domain $domain - - -ser restart mysql - -# Not sure if this is needed. while developing this script, mysql went down -# for a bit and the daemons died. - - -# todo, setup inbound email: -# https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/ - - -# https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ -# unmatchable password, allows login only via ssh, sudo, etc. -# this is standard. -# I tried having no home dir, (-d /nonexistent), -# but I got an error message on test sshing, -sudo useradd -p '*' -m --system -s /bin/sh vcs || [[ $? == 9 ]] - -# you'd think the debian package would set this. todo: check on a fresh -# machine -fbin config set phd.user phabricator -fbin config set diffusion.ssh-user vcs - -option="ALL=(phabricator) SETENV: NOPASSWD:" -www_files=$(which git hg|sed ':a;N;s/\n/, /;ta') -vcs_files=$(which git git-upload-pack git-receive-pack hg|sed ':a;N;s/\n/, /;ta') -[[ $www_files && $vcs_files ]] || exit 1 -www_files="$www_files, /usr/lib/git-core/git-http-backend" -sudo dd of=/etc/sudoers.d/phabricator </tmp/plog 2>&1 -# This script executes as the vcs user -if [ "$1" != vcs ]; then exit 1; fi -exec "/usr/share/phabricator/bin/ssh-auth" $@ -EOF -sudo chmod 755 $file - -sudo dd of=/etc/ssh/sshd_config.phabricator </src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306] -# arcanist(), phabricator(), phutil() - -s usermod -a -G vcs www-data -s usermod -a -G vcs iank -s usermod -a -G vcs phabricator -s chown root:vcs /usr/share/phabricator/conf/local/local.json -fbin config set diffusion.ssh-port $ssh_port - -fsetd policy.allow-public true - -sgo phabricator-ssh - -ser restart apache2 -sgo phabricator - - -# todo, finish next steps here: -# notably, backup/restore -# https://secure.phabricator.com/book/phabricator/article/configuration_guide/ - - -fbin auth recover iank - -cat </dev/null; then - s useradd -Um -s /bin/false pumpio - fi - sudo -u pumpio mkdir -p /home/pumpio/pumpdata - # for testing browser when only listening to localhost, - # in the pump.io.json, set hostname localhost, urlPort 5233 - #ssh -L 5233:localhost:5233 li - - s mkdir -p /var/log/pumpio/ - s chown pumpio:pumpio /var/log/pumpio/ - - web-conf - apache2 pump.iankelling.org <<'EOF' -# currently a bug in pump that we cant terminate ssl - SSLProxyEngine On - ProxyPreserveHost On - ProxyPass / https://127.0.0.1:8001/ - ProxyPassReverse / https://127.0.0.1:8001/ - # i have sockjs disabled per people suggesting that - # it won\'t work with apache right now. - # not sure if it would work with this, - # but afaik, this is pointless atm. - - ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/ - ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/ - -EOF - - sudo -i <<'EOF' -export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org -/a/bin/distro-setup/certbot-renew-hook -EOF - - s dd of=/etc/systemd/system/pump.service <<'EOF' -[Unit] -Description=pump.io -After=syslog.target network.target mongodb.service -Requires=mongodb.service - -[Service] -Type=simple -User=pumpio -Group=pumpio -ExecStart=/home/iank/pump.io/bin/pump -Environment=NODE_ENV=production -# failed to find databank-mongodb without this. -# I just looked at my environment variables took a guess. -Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript - -[Install] -WantedBy=multi-user.target -EOF - ser daemon-reload - sgo pump - ########## end pump.io setup ############ diff --git a/disabled/samba-setup b/disabled/samba-setup deleted file mode 100644 index 11c5ebe..0000000 --- a/disabled/samba-setup +++ /dev/null @@ -1,68 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# this is from distro-end - -if [[ $HOSTNAME == kd ]]; then - pi samba - # note samba re-reads it\'s config every 1 minute - case $distro in - arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;; - esac - - # add 2 lines after workgroup option - s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf - s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf - s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf - # remove default homes section. not sharing that. - s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf - - if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then - s tee -a /etc/samba/smb.conf <<'EOF' -[public] - guest ok = yes - read only = no - path = /kr -EOF - fi - - case $distro in - debian|trisquel|ubuntu) - # systemd claims it generates units from /etc/init.d, but it - # clearly doesn\'t in debian. I have no idea how they are - # related. fuck debian right now. It\'s not documented. samba - # has a systemd init file linked to /dev/null. There\'s this - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which - # claims samba\'s sub-services will be started automatically by - # systemd... it didn\'t on install, wonder if it will on - # boot. It clued me in how to start it manually though. Nothing - # in /usr/share/doc/samba, debian admin guide says nothing about - # any of this. (this is in debian testing as of 4/2016). - - s /etc/init.d/samba start - ;; - arch) - sgo samba - ;; - esac -fi diff --git a/disabled/small-backup b/disabled/small-backup deleted file mode 100755 index 4db412e..0000000 --- a/disabled/small-backup +++ /dev/null @@ -1,149 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# for duplicity source build -PATH="$PATH:/usr/local/bin" - -# [--retry] interval_name [max_age] -# takes 2 arguments specifying the name of the subfolder, -# and optionally, the max age of the backup - -# this script setup by adding a user crontab. see t.org for the script -# it's also setup to email me only when it fails, and only for daily or weekly runs - -# uncomment for debugging, prints all commands to stdout -#set -x - -set -E -#trap 'echo trapped error from \"$BASH_COMMAND\" returned $? line $LINENO; accumulated_errors=true' ERR -trap 'echo trapped err: $?; accumulated_errors=true' ERR - -exec 3>&1 4>&2 -exec &>> /tmp/small-backup.log - -echo "BEGIN: $(date): args $*" - - -# only works with a single letter, ie 2D, not 2D12h -half-time() { - local time_word - local letter=${1##*[0-9]} - case $letter in - s) time_wrod=second ;; - m) time_word=minute ;; - h) time_word=hour ;; - D) time_word=day ;; - W) time_word=week ;; - M) time_word=month ;; - Y) time_word=year ;; - esac - echo "${1%%$letter} $time_word" - local x=$(date +%s -d "${1%%$letter} $time_word") - local y=$(date +%s) -} - - -if [[ $1 == --retry ]]; then - shift - x=0 - while pid=( $(pidof -o %PPID -x ${0##*/}) ) && (( ${#pid[@]} > 1 )) && (( x < 20 )); do - x=$(( x + 1 )) - sleep 30 - done - if [[ $x == 20 ]]; then - ps -F ${pid[@]} - echo timeout error: existing ${0##*/} running for over 5 minutes >&2 - exit 1 - fi -else - if pid=( $(pidof -o %PPID -x ${0##*/}) ) && (( ${#pid[@]} > 1 )); then - echo ps -F ${pid[@]} - ps -F ${pid[@]} - echo error: existing ${0##*/} running >&2 - exit 1 - fi -fi - -interval=$1 -max_age=$2 -full_backup_arg="" -if [[ $max_age ]]; then - full_backup_arg="--full-if-older-than $(half-time $max_age)" -fi - -rbackup () { - - local d=$1 - shift - local dest=root@li::/root/rdiff-backups/${d##*/}/${interval} - - c="rdiff-backup $* --create-full-path $d $dest" - echo "$c"; $c - - if [[ $max_age ]]; then - c="rdiff-backup --force --remove-older-than $max_age $dest" - echo "$c"; $c - - fi -} - - -rbackup /a/bin --exclude /a/bin/fai-basefiles -rbackup /a/c - -# this is populated after input_setup.sh is run on login - -ssh root@li mkdir -p /root/duplicity-backups/p/$interval -source /p/duplicity/gpg_agent_env -duplicity_dest=rsync://root@li//root/duplicity-backups/p/$interval - -x=(/p/*) -if ((${#x[@]} > 1)); then - set -x - # archive-dir is sort of a persistent cache - duplicity --use-agent \ - --encrypt-sign-key E969C67B \ - --include-globbing-filelist /p/duplicity/filelist \ - --archive-dir /p/duplicity/archive \ - --tempdir /p/tmp \ - $full_backup_arg /p $duplicity_dest - if [[ $max_age ]]; then - duplicity --use-agent \ - remove-all-but-n-full 2 --force $duplicity_dest - fi - set +x -fi -# example restore command. We only need to make the first argument be a url for it to know it to do restore -# the archive-dir and tempdir args are not needed -# duplicity --use-agent --encrypt-sign-key E969C67B --archive-dir /p/duplicity/archive --tempdir /p/tmp ssh://root@li//root/duplicity-backups/p/weekly /p/duptest - - -echo END - -# to restore duplicity. see man for additional options -# duplicity --use-agent restore ... -if [[ $accumulated_error ]]; then - eccho "tail -n 50 of /tmp/small-backup.log:" - tail -n 50 /tmp/small-backup.log - exit 1 -fi diff --git a/distro-begin b/distro-begin index e97c6c3..59e50d5 100755 --- a/distro-begin +++ b/distro-begin @@ -310,8 +310,8 @@ set +x err-allow source /etc/profile.d/environment.sh export LC_USEBASHRC=t -# shellcheck source=./.bashrc -source ~/.bashrc +# shellcheck source=./brc +source ~/brc err-catch $interactive || set -x diff --git a/distro-end b/distro-end index f81baa3..8da4a26 100755 --- a/distro-end +++ b/distro-end @@ -18,8 +18,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later -# shellcheck source=/a/bin/ds/.bashrc -export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi +# shellcheck source=./brc +source ~/brc ### setup source /a/bin/bash-bear-trap/bash-bear @@ -191,16 +191,17 @@ EOF done if $doupdate; then tmpdir=$(mktemp -d) - cd $tmpdir - # cant apt get the keyring without doing an update, can't update - # without the keyring, this is a stupid chicken and egg problem - # that apt should have some feature to solve, but doesn't as far - # as I know. - f=debian-archive-keyring_2023.3+deb12u1_all.deb - wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f - sudo dpkg -i $f + ( + cd $tmpdir + # cant apt get the keyring without doing an update, can't update + # without the keyring, this is a stupid chicken and egg problem + # that apt should have some feature to solve, but doesn't as far + # as I know. + f=debian-archive-keyring_2023.3+deb12u1_all.deb + wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f + sudo dpkg -i $f + ) p update - cd - rm -rf $tmpdir fi