code cleanup

[distro-setup] / distro-begin

#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# for setting up a new machine
# usage: $0 [-r] HOSTNAME

# tips:
# run any sudo command first so your pass is cached
# set the scrollback to unlimited in case something goes wrong


####### begin setup environment #######


### make ssh interactive shell run better. for when running line interactively line by line
sudo bash -c 'source /a/c/.bashrc && source /a/exe/ssh-emacs-setup'


##### setup error handling
interactive=true  # set this to false to force set -x
[[ $- == *i* ]] || interactive=false
if ! $interactive; then
    set -x
    set -e -o pipefail
fi
set -E
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
for x in /a/bin/errhandle/*-function; do
    source $x
done
set +e
$interactive || errcatch

### setup logging
exec &> >(sudo tee -a /var/log/distro-begin)
echo "$0: $(date): starting now)"


### sanity checking
if [[ $EUID == 0 ]]; then
    if getent passwd iank || getent passwd ian ; then
        echo "$0: error: running as root. unprivileged user exists. use it."
        exit 1
    else
        echo "$0: warning: running as root. I will setup users then exit"
    fi
fi


### arg parsing
recompile=false
while [[ $1 == -* ]]; do
    case $1 in
        -r) recompile=true; shift ;;
    esac
done
if [[ $1 ]]; then
    export HOSTNAME=$1
fi


##### variables/env setup
script_dir="$(readlink -f "$BASH_SOURCE")"; script_dir=${script_dir%/*}
source $script_dir/pkgs
set +x
source /a/bin/distro-functions/src/identify-distros
$interactive || set -x
for f in iank-dev htpc kd x2 frodo tp li lj demohost kw fz; do
    eval "$f() { [[ $HOSTNAME == $f ]]; }"
done
has_p() { ! linode; } # when tp is tracis, then not tp either
has_x() { ! linode; }
linode() { lj || li; }
has_btrfs() { ! linode; }
home_network() { ! linode; }
encrypted() { has_p; }
shopt -s extglob
export GLOBIGNORE=*/.:*/..
umask 022
PATH="/a/exe:$PATH"
sed="sed --follow-symlinks"

####### end setup environment #######




##### begin setup encryption scripts ######
if encrypted; then
    # I tried making a service which was dependent on reboot.target,
    # but it happened too late in the shutdown process.
    sudo dd of=/etc/systemd/system/keyscripton.service <<'EOF'
[Unit]
Description=Turn on automatic decryption of drives on boot
# tried using graphical.target, but it made my display manager restart before rebooting.
# generally, I don't think targets order shutdown like they do startup.
# So, I did systemd-analyze plot > something.svg, and picked a reliably started
# service that happens late in the game.
After=ntp.service
DefaultDependencies=no
# not sure if needed, makes sure we shut down before reboot.target
Conflicts=reboot.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecStop=/a/exe/keyscript-on

[Install]
WantedBy=keyscriptoff.service
EOF
    sudo systemctl daemon-reload # needed if the file was already there
    sudo systemctl stop keyscripton.service
    #    sudo systemctl start keyscripton.service
    sudo systemctl enable keyscripton.service

    sudo dd of=/etc/systemd/system/keyscriptoff.service <<'EOF'
[Unit]
Description=Turn off automatic decryption of drives on boot

[Service]
Type=oneshot
ExecStart=/a/exe/keyscript-off

[Install]
WantedBy=multi-user.target
EOF
    sudo systemctl daemon-reload # needed if the file was already there
    sudo systemctl enable keyscriptoff.service
    sudo systemctl start keyscriptoff.service
fi
##### end setup encryption scripts ######


# disabled until its fixed up
# install-myqueue

# todo, it would be nice to cut down on some of the output

##### fedora prereq/fundamental settings
if isfedora; then
    # comment out line disallowing calling sudo in scripts
    sudo $sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers
    # turn on magic sysrq commands
    echo 1 > sudo dd of=/proc/sys/kernel/sysrq
    echo "kernel.sysrq = 1" > /etc/sysctl.d/90-sysrq.conf
    # selinux is not user friendly. Like, you enable samba, but you haven't run the magic selinux commands so it doesn't work
    # and you have no idea why.
    sudo $sed -i 's/^\(SELINUX=\).*/\1disabled/' /etc/selinux/config
    selinuxenabled && sudo setenforce 0
fi


#### rerun my fai-time scripts
# already ran for pxe installs, but used for vps & updates
distro=$(distro-name)
case $distro in
    ubuntu|debian|trisquel)
        sudo bash -c ". /a/bin/fai/fai-wrapper && /a/bin/fai/fai/config/scripts/GRUB_PC/11-iank"
        ;;
    *)
        sudo bash -c ". /a/bin/fai/fai-wrapper &&
/a/bin/fai/fai/config/distro-install-common/end"
        ;;
esac

###### setup hostname
sudo $sed -i '/^127\.0\.1\.1/d' /etc/hosts
echo "127.0.1.1 $HOSTNAME.b8.nz $HOSTNAME" | sudo tee -a /etc/hosts


##### exit first stage if running as root
if [[ $EUID == 0 ]]; then
    echo "$0: running as root. exiting now that users are setup"
    exit 0
fi


#### setup bash for root
for x in /a/c/{.bashrc,brc,.bash_profile,.profile,.inputrc,path_add_function}; do
    sudo -i <<EOF
PATH="/a/exe:$PATH"
lnf $x /root
EOF
done

###### do conflink
# li needs the bind group before conflink
if [[ $HOSTNAME == li ]]; then
    getent group bind &>/dev/null || sudo groupadd -r bind
fi
# this needs to be before installing pacserve so we have gpg conf.
conflink

###### bash environment setup
set +x
errallow
source /etc/profile.d/environment.sh
source ~/.bashrc
$interactive || errcatch
$interactive || set -x


#### setup passwordless sudo
tu /etc/sudoers <<EOF
$USER  ALL=(ALL)  NOPASSWD: ALL
Defaults  env_keep += SUDOD
# makes ubuntu be like debian
# https://unix.stackexchange.com/a/91572
Defaults always_set_home
# default setting is to have  minimum umask of 0022
# This lets us have user-specific umasks which are more permissive.
# I did this for transmission and set it's umask gecos on install,
# see there for more info.
Defaults !umask
EOF


#### setup firefox backport
## ian: disabled. backports are not being published atm due to rust packaging issue
# if isdeb; then
#     codename=$(debian-codename)
#         if isdebian-stable && has_x; then
#             s dd of=/etc/apt/sources.list.d/mozilla-iceweasel.list <<EOF
#     deb http://mozilla.debian.net/ $codename-backports firefox-release
#     deb-src http://mozilla.debian.net/ $codename-backports firefox-release
# EOF
#             p update
#             # take care of mozilla signing errors in previous command
#             pi pkg-mozilla-archive-keyring
#         fi
#     p update
# fi


######  arch aur wrapper setup
if isarch; then
    #https://wiki.archlinux.org/index.php/Arch_User_Repository#Installing_packages
    sudo pacman -S --noconfirm --needed base-devel jq
    # pacaur seems to be the best, although it + cower has a few minor bugs,
    # its design goals seem good, so, going for it.

    aurpi() {
        for p in "$@"; do
            tempdir=$(mktemp -d)
            pushd $tempdir
            aurex "$p"
            makepkg -sri --skippgpcheck --noconfirm
            popd
            rm -rf $tempdir
        done
    }
    aurpi cower pacaur

    pi pacserve

    x=$(mktemp); /usr/bin/pacman.conf-insert_pacserve >$x
    sudo dd of=/etc/pacman.conf if=$x; rm $x
    sudo systemctl enable pacserve.service
    sudo systemctl start pacserve.service

fi

#### update all packages
pup


###### p1 packages install ######
if isarch; then
    # requirement for trash-cli.
    # background: strange error if just installing trash-cli: "pyalpm requires python",
    # so I see that it requires python2, and installing that manually fixes it.
    # I didn\'t see this on earlier installation, main thing which changed was
    # pacserve, so not sure if it\'s related.
    pi python2
fi
pi ${p1[@]}


######## fix evbug bug ######
case $distro in
    trisquel|ubuntu)
        # noticed in flidas.
        #https://bugs.launchpad.net/ubuntu/+source/module-init-tools/+bug/240553
        #https://wiki.debian.org/KernelModuleBlacklisting
        #common advice when searching is to use /etc/modprobe.d/blacklist.conf,
        #but that file won't work and will get automatically reverted
        sudo rmmod evbug ||: # might not be loaded yet
        file=/etc/modprobe.d/evbug.conf
        line="blacklist evbug"
        if ! grep -xFq "$line" $file; then
            sudo dd of=$file 2>/dev/null <<<"$line"
            sudo depmod -a
            sudo update-initramfs -u
        fi
        ;;
esac


###### link files
# convenient to just do all file linking in one place
s lnf -T /a/bin /b
s lnf -T /nocow/t /t
if has_p; then
    lnf -T /p/News ~/News
fi
s lnf /q/root/.editor-backups /q/root/.undo-tree-history \
  /a/opt /a/c/.emacs.d $HOME/mw_vars /k/backup /root
rootsshsync
s lnf /a/c/.vim /a/c/.vimrc /a/c/.gvimrc /root
if has_p; then
    # for dovecot
    lnf -T /i/k/mboxes ~/mail
fi




##### install xinput
if has_x; then
    case $(distro-name) in
        trisquel|ubuntu|debian)
            pi xinput
            ;;
        fedora)
            pi xinput_calibrator
            ;;
        arch)
            pi xorg-xinput
            ;;
    esac

    #### install redshift
    case $(distro-name) in
        trisquel|ubuntu|debian)
            # recommends gets us geoclue (for darkening automatically at night i assume),
            # which recommends modemmanager, which is annoying to fix for the model01 keyboard.
            pi --no-install-recommends gtk-redshift
            ;;&
        fedora)
            pi redshift-gtk
            ;;&
        arch)
            pi redshift
            ;;&
    esac
fi


#### arch specific early packages
case $(distro-name) in
    arch)
        # pkgfile is like apt-cache
        pi pkgfile
        s pkgfile --update
        ;;
esac

#### fedora specific packages
case $(distro-name) in
    fedora)
        # todo, this could probably come later
        p -y groupinstall development-tools c-development books admin-tools
        pi man-pages
        ;;
    # other distros unknown
esac

#### enable trim
# enable trim for volume delete, other rare commands
sudo $sed -ri 's/( *issue_discards\b).*/\1 = 1/' /etc/lvm/lvm.conf
if encrypted; then
    if isdeb; then
        sudo cp /usr/share/doc/util-linux/examples/fstrim.{service,timer} /etc/systemd/system
    fi
    # does weekly trim
    sudo systemctl enable fstrim.timer
fi

##### make extra dirs
dirs=(/mnt/{1,2,3,4,5,6,7,8,9} /nocow/t)
s mkdir -p "${dirs[@]}"
s chown $USER:$USER  "${dirs[@]}"

###### setup /i
tu /etc/fstab <<'EOF'
/i/w  /w  none  bind,noauto  0 0
/i/k  /k  none  bind,noauto  0 0
EOF
if ! mountpoint /kr; then
    s mkdir -p /kr
    s chown $USER:traci /kr
fi
if home_network; then
    if [[ $HOSTNAME == frodo ]]; then
        tu /etc/fstab <<'EOF'
/k  /kr  none  bind,noauto  0 0
EOF
    else
        tu /etc/fstab <<'EOF'
frodo:/k  /kr  nfs  noauto  0 0
EOF
    fi
fi
s mkdir -p /q /i/{w,k}
for dir in /{i,w,k}; do
    if mountpoint $dir; then continue; fi # already mounted
    s mkdir -p $dir
    s chown $USER:$USER $dir
done
# not needed for all hosts, but rather just keep it uniform
s mkdir -p /mnt/iroot
# debian auto mounting of multi-disk encrypted btrfs is busted.  It is
# in jessie, and in stretch as of 11/26/2016 I have 4 disks in cryptab,
# based on 3 of those, it creates .device units for /dev/mapper/dev...
# then waits endlessly for them on bootup, after the /dev/mapper disks
# have already been created and exist. todo: create a simple repro
# for this in a vm and report it upstream.
if has_btrfs || home_network; then
    pi nfs-common
    s dd of=/root/imount <<'EOF'
#!/bin/bash
[[ $EUID == 0 ]] || exec sudo -E "$BASH_SOURCE" "$@"
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
for dir in /i /mnt/iroot /k /kr /w; do
    if ! mountpoint $dir &>/dev/null && \
            awk '{print $2}' /etc/fstab | grep -xF $dir &>/dev/null; then
        if awk '{print $3}' /etc/fstab | grep -xF nfs &>/dev/null; then
            mount $dir || echo "warning: failed to mount nfs on $dir"
        else
            mount $dir
        fi
    fi
done
EOF
    s chmod +x /root/imount

    s dd of=/etc/systemd/system/imount.service <<EOF
[Unit]
Description=Mount /i and related mountpoints
Before=syncthing@$USER.service

[Service]
Type=oneshot
ExecStart=/root/imount

[Install]
RequiredBy=syncthing@$USER.service
# note /kr needs networking, this target is the simplest way to
# time it when the network should be up, but not do something
# dumb like delay startup until the network is up. It happens
# at some time after network.target
WantedBy=multi-user.target
EOF
    sudo systemctl daemon-reload # needed if the file was already there
    sudo systemctl enable imount.service
    sudo systemctl start imount.service
fi

##### setup /nocow.
# a nocow dir that is common to multiple distros installed on the same system
dir=/nocow
if has_btrfs; then
    if ! mountpoint $dir; then
        subvol=/mnt/root/nocow
        if [[ ! -e $subvol ]]; then
            s btrfs subvolume create $subvol
            s chown root:1000 $subvol
            s chattr +C $subvol
        fi

        first_root_crypt=$(awk '$2 == "/" {print $1}' /etc/mtab)
        tu /etc/fstab <<EOF
$first_root_crypt  /nocow  btrfs  noatime,subvol=nocow  0 0
EOF
        s mkdir -p $dir
        s chown $USER:$USER $dir
        s mount $dir
    fi
else
    sudo mkdir -p $dir
fi


###### fix mouse on jessie
#  it comes with stretch and arch, but not jessie.
# propogate /etc/udev/hwdb.d
if which systemd-hwdb; then
    s systemd-hwdb update
    ser restart systemd-udev-trigger
fi


##### setup email
if isdeb; then
    mail-setup exim4
else
    # todo: probably broken
    mail-setup postfix
fi

#### ubuntu nicety
if isubuntu; then
    # disable crash report annoying dialogs.
    s dd of=/etc/default/apport <<<'enabled=0'
fi

###### setup time zone
# fai sets this an old way that doesn't work for stretch.
# no harm in setting it universally here.
# using debconf-set-selection, the area gets reset to ETC
# on my linode test machine after doing a dpkg-reconfigure, or a reinstall,
# so we are using expect :(
# I got a random error when running this, so I added a sleep
# rather than trying to write a whole detect and wait loop.
# E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
# E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?
sleep 1
# todo: this is not idempotent, it fails when running twice, due to prepopulated values.
# check into unsetting them using debconf-set-selection.
s apt-get -y install --no-install-recommends expect
s expect <<EOF ||:
set force_conservative 0
spawn dpkg-reconfigure tzdata -freadline
expect -nocase timeout {exit 1} "Geographic area:"
send "\02512\r"
expect -nocase timeout {exit 1} "Time zone:"
send "\0255\r"
expect eof
exit
EOF


##### install  emacs
if has_x; then
    if isarch; then
        # emacs git build was broken last time i checked,
        x=$(mktemp -d)
        pushd $x
        aurex emacs-git
        makepkg -si --noconfirm
        popd
        rm -rf $x
        pi hunspell hunspell-en
    else
        if $recompile; then
            /a/bin/buildscripts/emacs
        else
            /a/bin/buildscripts/emacs --no-r || /a/bin/buildscripts/emacs
        fi
    fi
fi

##### install laptop hardware packages
if tp || x2; then
    case $distro in
        debian)
            pi task-laptop
            ;;
        ubuntu|trisquel)
            # the exact packages that task-laptop would install, since ubuntu
            # doesn\'t have this virtual in practice package.
            pi avahi-autoipd bluetooth powertop iw wireless-tools wpasupplicant
            ;;
        # todo: other distros unknown
    esac
fi


##### install xmonad
if has_x; then
    pi ${p2[@]}
    # note: on older ubuntu I used cabal xmonad + xfce, using cabal versin
    # see /w/archive/programming/xmonad-cabal.sh
    if isarch; then
        # xorg-xmessage for displaying error messages.
        # optional dependency in arch, standard elsewhere.
        pi xorg-server xorg-xmessage xmonad-contrib xorg-xsetroot xorg-xinit
    else
        pi suckless-tools
    fi
fi


##### setup X autostart
if has_x; then
    if isarch; then
        # https://wiki.archlinux.org/index.php/Xinitrc
        for homedir in /home/*; do
            cp /etc/X11/xinit/xinitrc $homedir/.xinitrc
            $sed -ri '/^ *twm\b/,$d' $homedir/.xinitrc
            tee -a $homedir/.xinitrc <<'EOF'
/a/bin/desktop-20-autostart.sh
xsetroot -cursor_name left_ptr
exec xmonad
EOF
        done
        else
        # todo, figure this out for arch if we ever try out gnome.
        # install for multiple display managers in case we use one
        if isdeb; then
            dir=/etc/gdm3
        elif isfedora; then
            # fedora didn\'t have the 3.
            dir=/etc/gdm
        fi
        s mkdir -p $dir/PostLogin
        s command cp /a/bin/distro-setup/desktop-20-autostart.sh $dir/PostLogin/Default
        s mkdir /etc/lightdm/lightdm.conf.d
        s dd of=/etc/lightdm/lightdm.conf.d/12-iank.conf <<'EOF'
[SeatDefaults]
session-setup-script=/a/bin/distro-setup/desktop-20-autostart.sh
EOF
    fi
fi


#### refix interactive ssh terminal
# the first pup command can kill off our /etc/ mod, so rerun this
/a/exe/ssh-emacs-setup


echo "$0: $(date): ending now"
exit 0