1 #!/bin/bash -l
2 # Copyright (C) 2016 Ian Kelling
3
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7
8 # http://www.apache.org/licenses/LICENSE-2.0
9
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
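# Helpers used throughout (errcatch, errallow, pi, spa, s, sgo, ser, ...) come
# from the author's sourced bash library; they are not defined in this file.
errcatch

# Trace every command into the log below. NOTE(review): the trace includes the
# expanded form of every command line, so any secret that is later substituted
# into a command (password files read via $(< ...) into sed arguments,
# rpc_pass=...) is written to /var/log/distro-end too. Keep that log
# root-readable only, or bracket those commands with `set +x` ... `set -x`.
set -x

# Both stdout and stderr of the whole run are appended to the log via sudo.
exec &> >(sudo tee -a /var/log/distro-end)
# Start marker for the log (the closing paren was a typo).
echo "$0: $(date): starting now"

# Directory holding this script, used to reach sibling helper scripts.
src="${BASH_SOURCE%/*}"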
24
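#######################################
# Append everything on stdin to the global end_msg_var.
# Reads until EOF with a NUL delimiter, so embedded newlines are kept
# verbatim (callers feed it a heredoc).
# Globals:   end_msg_var (appended to)
# Arguments: none; text comes from stdin
# Returns:   0 always
#######################################
end_msg() {
  local y
  # read -r -d '' returns non-zero when it hits EOF even though $y was filled;
  # the `|| :` keeps that from tripping errcatch.
  IFS= read -r -d '' y || :
  end_msg_var+="$y"
}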
30
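#######################################
# Simple package add: queue package names for the single batched
# `pi "${simple_packages[@]}"` later in the script.
# Globals:   simple_packages (appended to)
# Arguments: one package name per argument. "$@" is quoted so a name is
#            never re-split or glob-expanded here; a caller that has a
#            whitespace-separated list (e.g. spa $(apt-cache search ...))
#            splits it itself by expanding unquoted.
# Returns:   0
#######################################
spa() {
  simple_packages+=("$@")
}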
34
35 distro=$(distro-name)
36
37 pending_reboot=false
38 sed="sed --follow-symlinks"
39
40 # template
41 case $distro in
42 esac
43
44 pup
45
46 simple_packages=(
47 htop
48 mailutils
49 nmon
50 rdiff-backup
51 ruby
52 ruby-rest-client
53 tree
54 vim
55 wcd
56 )
57
58 case $HOSTNAME in
59 lj|li) : ;;
60 *)
61 # universal packages
62 # swh-plugins is for karaoke pulsaudio filter.
63 # mutagen for pithos
64 # guvcview set webcam brightness to highest
65 # pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts
66 simple_packages+=(
67 apache2
68 apache2-doc
69 apt-doc
70 apt-listchanges
71 aptitude-doc-en
72 bash-doc
73 beets
74 beets-doc
75 binutils-doc
76 bind9-doc
77 bind9-utils
78 bwm-ng
79 chromium
80 cpio-doc
81 cloc
82 cpulimit
83 cron
84 debconf-doc
85 dirmngr
86 dnsutils
87 dnsmasq
88 dtrx
89 duplicity
90 eclipse
91 evince
92 fdupes
93 feh
94 filelight
95 flashrom
96 gawk-doc
97 gcc-doc
98 gdb
99 gdb-doc
100 geoip-bin
101 git-doc
102 git-email
103 gitk
104 glibc-doc
105 goaccess
106 gnome-screenshot
107 gnome-session-flashback
108 guvcview
109 i3lock
110 inetutils-traceroute
111 iproute2-doc
112 jq
113 kid3-qt
114 kid3-cli
115 linux-doc
116 locate
117 lshw
118 make-doc
119 manpages
120 manpages-dev
121 meld
122 mps-youtube
123 mumble
124 nagstamon
125 nginx-doc
126 nmap
127 offlineimap
128 oathtool
129 p7zip
130 paprefs
131 parted-doc
132 pavucontrol
133 pdfgrep
134 perl-doc
135 pianobar
136 pidgin
137 pidgin-otr
138 pry
139 python-autopep8
140 python3-doc
141 python3-mutagen
142 qrencode
143 reportbug
144 $(aptitude show ruby | sed -rn 's/Depends: (.*)/\1/p')-doc
145 sqlite3-doc
146 squashfs-tools
147 swh-plugins
148 tar-doc
149 tcpdump
150 telnet
151 transmission-remote-gtk
152 vlc
153 whois
154 wondershaper
155 )
156 spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
157 ;;
158 esac
159
160
161 ########### begin section including li ################
162
163
164 case $distro in
165 fedora) spa unrar ;;
166 *) spa unrar-free ;;
167 esac
168
169
170 case $distro in
171 arch)
172 # ubuntu 14.04 uses b-cron,
173 # but its not maintained in arch.
174 # of the ones in the main repos, cronie is only one maintained.
175 # fcron appears abandoned software.
176 pi cronie
177 sgo cronie
178 ;;
179 *) : ;; # other distros come with cron.
180 esac
181
182
183 if isdeb; then
184 pi debian-goodies
185 fi
186
187
188 case $distro in
189 *) pi at ;;&
190 arch) sgo atd ;;
191 esac
192
193
194 case $distro in
195 debian) pi curl;;
196 arch) : ;;
197 # fedora: unknown
198 esac
199
200 case $distro in
201 # tk for gitk
202 arch) spa git tk ;;
203 *) spa git ;;
204 esac
205
206 case $distro in
207 arch) spa the_silver_searcher ;;
208 debian|ubuntu|trisquel) spa silversearcher-ag ;;
209 # fedora unknown
210 esac
211
212 case $distro in
213 debian|ubuntu|trisquel) spa ntp;;
214 arch)
215 pi ntp
216 sgo ntpd
217 ;;
218 # others unknown
219 esac
220
221
222 # no equivalent in other distros:
223 case $distro in
224 debian|ubuntu|trisquel)
225 pi aptitude
226 if ! dpkg -s apt-file &>/dev/null; then
227 # this condition is just a speed optimization
228 pi apt-file
229 s apt-file update
230 fi
231 # for debconf-get-selections
232 spa debconf-utils
233 ;;
234 esac
235
236 case $distro in
237 ubuntu|trisquel|debian) spa ack-grep ;;
238 arch|fedora) spa ack ;;
239 # fedora unknown
240 esac
241
242 case $distro in
243 arch|debian|ubuntu|trisquel)
244 spa bash-completion
245 ;;
246 # others unknown
247 esac
248
249
250
251
252
253 # disable motd junk.
254 case $distro in
255 debian)
256 # allows me to pipe with ssh -t, and gets rid of spam
257 # http://forums.debian.net/viewtopic.php?f=5&t=85822
258 # i'd rather disable the service than comment the init file
259 # this says disabling the service, it will still get restarted
260 # but this script doesn't do anything on restart, so it should be fine
261 s dd of=/var/run/motd.dynamic if=/dev/null
262 # stretch doesn't have initscripts pkg installed by default
263 if [[ $(debian-codename) == jessie ]]; then
264 s update-rc.d motd disable
265 fi
266 ;;
267 ubuntu|trisquel)
268 # this isn't a complete solution. It still shows me when updates are available,
269 # but it's no big deal.
270 s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
271 ;;
272 esac
273
274 # automatic updates
275 # reference:
276 # https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
277 # /etc/cron.daily/apt calls unattended-upgrades
278 # /usr/share/doc/unattended-upgrades# cat README.md
279 # /etc/apt/apt.conf.d/50unattended-upgrades
280 if isdebian; then
281 setup-debian-auto-update
282 fi
283
284 # we've got a few dependencies later on, so install them now.
285 pi "${simple_packages[@]}"
286 simple_packages=()
287
288
### begin docker install ####
# https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
pi software-properties-common apt-transport-https
# Adds Docker's apt signing key to the system keyring. NOTE(review): the key
# is trusted solely on the strength of the TLS download; no fingerprint is
# compared against the one Docker publishes, so a bad download would be
# accepted silently. A fingerprint check before `apt-key add` closes that gap.
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
# Stable channel for the running codename; amd64 only.
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/debian \
$(lsb_release -cs) \
stable"
p update
pi docker-ce
sgo docker
### end docker install ####
301
302
303 case $distro in
304 debian)
305 # note, need python-certbot-nginx for nginx, but it depends on nginx,
306 # and I'm not installing nginx by default right now
307 if isdebian-testing; then
308 pi --install-suggests certbot
309 else
310 pi --install-suggests -t jessie-backports certbot
311 fi
312 # make a version of the certbot timer that emails me.
313 x=/systemd/system/certbot
314 $sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
315 s,^Description.*,\0 mail version,
316 EOF
317 $sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
318 s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
319 EOF
320 ser daemon-reload
321 sgo certbotmail.timer
322
323 ;;
324 # todo: other distros unknown
325 esac
326
327 # website setup
328 case $HOSTNAME in
329 lj|li)
330
331 case $HOSTNAME in
332 lj) domain=iank.bid; exit 0 ;;
333 li) domain=iankelling.org ;;
334 esac
335 /a/h/setup.sh $domain
336 /a/h/build.rb
337
338 sudo -E /a/bin/mediawiki-setup/mw-setup-script
339 #$src/phab-setup
340
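pi-nostart mumble-server
# Set serverpassword= in mumble-server.ini from the unpublished password file.
# The value is escaped for the sed replacement side ('\', '&' and the '/'
# delimiter) so a password containing any of them cannot alter or break the
# substitution. With set -x active the expanded command, password included,
# still appears in the trace log.
mumble_pass=$(< /a/bin/bash_unpublished/mumble_pass)
mumble_pass=${mumble_pass//\\/\\\\}
mumble_pass=${mumble_pass//&/\\&}
mumble_pass=${mumble_pass//\//\\/}
# $sed is "sed --follow-symlinks" and is expanded unquoted on purpose.
s $sed -ri "s/^ *(serverpassword=).*/\1$mumble_pass/" /etc/mumble-server.ini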
343
344 # do certificate to avoid warning about unsigned cert,
345 # which is overkill for my use, but hey, I'm cool, I know
346 # how to do this.
347 web-conf apache2 mumble.iankelling.org
348 s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org
349 sudo -i <<'EOF'
350 export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
351 /a/bin/distro-setup/certbot-renew-hook
352 EOF
353
354 sgo mumble-server
355
356 vpn-server-setup -d
357 tee /etc/openvpn/client-config/mail <<'EOF'
358 ifconfig-push 10.8.0.4 255.255.255.0
359 EOF
360
361
362 sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
363 [Unit]
364 Description=Turns on iptables mail nat
365
366 [Service]
367 Type=oneshot
368 RemainAfterExit=yes
369 ExecStart=/a/bin/distro-setup/vpn-mail-forward start
370 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
371
372 [Install]
373 WantedBy=openvpn.service
374 EOF
375 ser daemon-reload
376 ser enable vpnmail.service
377 # needed for li's local mail delivery.
378 tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
379 sgo openvpn
380 # setup let's encrypt cert
381 web-conf apache2 mail.iankelling.org
382 s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
383 ser reload apache2
384
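domain=cal.iankelling.org
# Reverse proxy for the CalDAV server reached over the VPN address
# (10.8.0.4:5232), protected with HTTP basic auth. The config is read from
# stdin (the '-' argument). The block must be closed with </Location>; a
# second opening tag here would make apache reject the config.
web-conf -f 10.8.0.4:5232 - apache2 "$domain" <<'EOF'
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
<Location />
Options +FollowSymLinks +Multiviews +Indexes
AllowOverride None
AuthType basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
</Location>
EOF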
399 # nginx version of above would be:
400 # auth_basic "Not currently available";
401 # auth_basic_user_file /etc/nginx/caldav/htpasswd;
402
403
404 ########## begin pump.io setup ##########
405
406 # once pump adds a logrotation script, turn off nologger,
407 # and add
408 # "logfile": "/var/log/pumpio/pumpio.log",
409 #
410 s dd of=/etc/pump.io.json <<'EOF'
411 {
412 "secret": "SECRET_REPLACE_ME",
413 "driver": "mongodb",
414 "params": { "dbname": "pumpio" },
415 "noweb": false,
416 "site": "pump.iankelling.org",
417 "owner": "Ian Kelling",
418 "ownerURL": "https://iankelling.org/",
419 "port": 8001,
420 "urlPort": 443,
421 "hostname": "pump.iankelling.org",
422 "nologger": true,
423 "datadir": "/home/pumpio/pumpdata",
424 "enableUploads": true,
425 "debugClient": false,
426 "disableRegistration": true,
427 "noCDN": true,
428 "key": "/home/pumpio/privkey.pem",
429 "cert": "/home/pumpio/fullchain.pem",
430 "address": "localhost",
431 "sockjs": false
432 }
433 EOF
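# Insert the pump secret into /etc/pump.io.json. The value is escaped for the
# sed replacement side ('\', '&' and the '#' delimiter) so it cannot alter
# or break the substitution; it must additionally be a valid JSON string
# (no '"'), which is not checked here — TODO confirm how the secret is
# generated. The config file was written with `s dd` and so carries root's
# default umask; it now holds the secret, so a tighter mode (readable by the
# pump user only) is worth setting once that user exists.
pump_secret=$(< /p/c/machine_specific/li/pump-secret)
pump_secret=${pump_secret//\\/\\\\}
pump_secret=${pump_secret//&/\\&}
pump_secret=${pump_secret//#/\\#}
s sed -i "s#SECRET_REPLACE_ME#$pump_secret#" /etc/pump.io.json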
435
# jessie's node is too old
# https://nodejs.org/en/download/package-manager/
# NOTE(review): this executes a script fetched over HTTPS directly as root,
# with the caller's environment preserved (-E); nothing beyond the TLS
# connection is verified, and curl lacks -f, so an HTTP error body would be
# handed to bash as well. Downloading to a file and reviewing it (or at
# least adding -f) before running it is the safer shape. It pins the
# Node 6.x line — confirm that is still the intended release.
curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
pi nodejs
440 cd /home/ian
441 rm -rf pump.io.git
442 git clone https://github.com/pump-io/pump.io.git
443 cd pump.io
444 # note: doing this or the npm install pump.io as root had problems.
445 npm install
446 npm run build
447 # normally, next command would be
448 # s npm install -g databank-mongodb
449 # but it\'s this until a bug in pump gets fixed
450 s npm install -g databank-mongodb@0.19.2
451 s useradd -m -s /bin/false pumpio
452 sudo -u pumpio mkdir -p /home/pumpio/pumpdata
453 # for testing browser when only listening to localhost,
454 # in the pump.io.json, set hostname localhost, urlPort 5233
455 #ssh -L 5233:localhost:5233 li
456
457 s mkdir -p /var/log/pumpio/
458 s chown pumpio:pumpio /var/log/pumpio/
459
460 web-conf - apache2 pump.iankelling.org <<'EOF'
461 # currently a bug in pump that we cant terminate ssl
462 SSLProxyEngine On
463 ProxyPreserveHost On
464 ProxyPass / https://127.0.0.1:8001/
465 ProxyPassReverse / https://127.0.0.1:8001/
466 # i have sockjs disabled per people suggesting that
467 # it won\'t work with apache right now.
468 # not sure if it would work with this,
469 # but afaik, this is pointless atm.
470 <Location /main/realtime/sockjs/>
471 ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
472 ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
473 </Location>
474 EOF
475
476 sudo -i <<'EOF'
477 export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
478 /a/bin/distro-setup/certbot-renew-hook
479 EOF
480
481 s dd of=/etc/systemd/system/pump.service <<'EOF'
482 [Unit]
483 Description=pump.io
484 After=syslog.target network.target
485
486 [Service]
487 Type=simple
488 User=pumpio
489 Group=pumpio
490 ExecStart=/home/ian/pump.io/bin/pump
491 Environment=NODE_ENV=production
492 # failed to find databank-mongodb without this.
493 # I just looked at my environment variables took a guess.
494 Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
495
496 [Install]
497 WantedBy=multi-user.target
498 EOF
499 ser daemon-reload
500 sgo pump
501 ########## end pump.io setup ############
502
503
504 ############# begin setup mastodon ##############
505
506 # I'd like to try gnu social just cuz of gnu, but it's not being
507 # well maintained, for example, simple pull requests
508 # languishing:
509 # https://git.gnu.io/gnu/gnu-social/merge_requests/143
510 # and I submitted my own bugs, basic docs are broken
511 # https://git.gnu.io/gnu/gnu-social/issues/269
512
513 # note, docker required, but we installed it earlier
514
515 # i subscrubed to https://github.com/docker/compose/releases.atom
516 # to deal with updates manually. So far, it means just reving the
517 # version number, then restarting docker-compose with
518 # cd ~/mastodon
519 # docker-compose up -d
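# Fetch the pinned docker-compose release binary for this OS/arch and install
# it executable. Downloading to a temp file first means an HTTP error (-f)
# aborts the script under errcatch instead of leaving an empty or HTML
# "binary" in /usr/local/bin, which the original `curl | dd` could do.
# The download is not verified against a checksum or signature — trust rests
# on TLS to github.com; comparing it with the checksum published alongside
# the release before installing would close that gap.
compose_tmp=$(mktemp)
curl -fsSL -o "$compose_tmp" \
  "https://github.com/docker/compose/releases/download/1.13.0/docker-compose-$(uname -s)-$(uname -m)"
s install -m 755 "$compose_tmp" /usr/local/bin/docker-compose
rm -f -- "$compose_tmp"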
522
523
524 cd ~
525 i clone https://github.com/tootsuite/mastodon
526 cd mastodon
527 # subbed to atom feed to deal with updates
528 git checkout $(git tag | grep -v rc | tail -n1)
529
530 # per instructions, uncomment redis/postgres persistence in docker-compose.yml
531 sed -i 's/^#//' docker-compose.yml
532
533 cat >.env.production <<'EOF'
534 REDIS_HOST=redis
535 REDIS_PORT=6379
536 DB_HOST=db
537 DB_USER=postgres
538 DB_NAME=postgres
539 DB_PASS=
540 DB_PORT=5432
541
542 LOCAL_DOMAIN=mast.iankelling.org
543 LOCAL_HTTPS=true
544
545 SINGLE_USER_MODE=true
546
547 SMTP_SERVER=10.8.0.4
548 SMTP_PORT=25
549 SMTP_LOGIN=li
550 SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
551 SMTP_DOMAIN=mast.iankelling.org
552 SMTP_DELIVERY_METHOD=smtp
553 EOF
554
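# Generate the three Rails secrets, one KEY=value per line. The trailing
# newline is required: without it the next key was appended to the same
# line and the file became unparseable.
for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
  printf '%s=%s\n' "$key" "$(docker-compose run --rm web rake secret)" >>.env.production
done
# Copy the SMTP password for mail.iankelling.org out of the root-only
# /etc/mailpass (fields: domain port pass). The loop runs in a pipeline
# subshell, so the $domain set earlier in this section is not clobbered.
# .env.production now holds secrets and was created with the default umask;
# a 600 mode is worth setting once it is complete.
s cat /etc/mailpass | while read -r domain port pass; do
  if [[ $domain == mail.iankelling.org ]]; then
    printf 'SMTP_PASSWORD=%s\n' "$pass" >>.env.production
    break
  fi
done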
564
565
566
567 docker-compose run --rm web rails assets:precompile
568
569 # docker daemon takes care of starting on boot.
570 docker-compose up -d
571
572 s a2enmod proxy_wstunnel headers
573 web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
574 ProxyPreserveHost On
575 RequestHeader set X-Forwarded-Proto "https"
576 ProxyPass /500.html !
577 ProxyPass /oops.png !
578 ProxyPass /api/v1/streaming/ ws://localhost:4000/
579 ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
580 ErrorDocument 500 /500.html
581 ErrorDocument 501 /500.html
582 ErrorDocument 502 /500.html
583 ErrorDocument 503 /500.html
584 ErrorDocument 504 /500.html
585 EOF
586
587
588 ############### !!!!!!!!!!!!!!!!!
589 ############### manual steps:
590
591 # only following 2 people atm, so not bothering to figure out backups
592 # when mastodon has not documented it at all.
593 #
594 # fsf@status.fsf.org
595 # cwebber@toot.cat
596 # dbd@status.fsf.org
597 # johns@status.fsf.org
598
599 # sign in page is at https://mast.iankelling.org/auth/sign_in
600 # register as iank, then
601 # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
602 # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
603
604 ############# end setup mastodon ##############
605
606 # we use nsupdate to update the ip of home
607 pi bind9
608
609 echo "$0: $(date): ending now)"
610 exit 0
611 ;;
612 esac
613
614
615 ########### end section including li/lj ###############
616
617 if [[ $HOSTNAME == treetowl ]]; then
618
619 # vpn-server setup via:
620
621 vpn-server-setup -r -d
622 s tee -a /etc/openvpn/server/server.conf <<'EOF'
623 push "dhcp-option DNS 192.168.1.1"
624 push "route 192.168.1.0 255.255.255.0"
625 client-connect /a/bin/distro-setup/vpn-client-connect
626 EOF
627 s sed -i --follow-symlinks 's/10.8./10.9./g' /etc/openvpn/server/server.conf
628 ser restart openvpn-server@server
629 vpn-mk-client-cert -s /etc/update-resolv-conf-home -c x2 -n home b8.nz
630 dir=/p/c/machine_specific/x2/filesystem/etc/openvpn/client
631 mkdir -p $dir
632 # background: We have these files locally, but we\'d have to duplicate the logic
633 # in vpn-mk-client-cert to get them, and this is just simpler.
634 scp root@x2:/etc/openvpn/client/home* $dir
635
636
637
638 # note, see bashrc for more documentation.
639 pi rss2email
640 s dd of=/etc/systemd/system/rss2email.service <<'EOF'
641 [Unit]
642 Description=rss2email
643 After=multi-user.target
644
645 [Service]
646 User=ian
647 Type=oneshot
648 # about 24 hours of failures
649 # it copies over its files without respecting symlinks, so
650 # we pass options to use different location.
651 ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg run
652 EOF
653 s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
654 [Unit]
655 Description=rss2email
656
657 [Timer]
658 # for initial run. required.
659 OnActiveSec=30
660 # for subsequent runs.
661 OnUnitInactiveSec=300
662
663 [Install]
664 WantedBy=timers.target
665 EOF
666 s systemctl daemon-reload
667 sgo rss2email.timer
668 fi
669
670 ######### begin pump.io periodic backup #############
671 if [[ $HOSTNAME == treetowl ]]; then
672 s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
673 [Unit]
674 Description=pump li backup
675 After=multi-user.target
676
677 [Service]
678 User=ian
679 Type=oneshot
680 ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
681 EOF
682 s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
683 [Unit]
684 Description=pump li backup hourly
685
686 [Timer]
687 OnCalendar=hourly
688
689 [Install]
690 WantedBy=timers.target
691 EOF
692 s systemctl daemon-reload
693 sgo pumpbackup.timer
694 fi
695 ######### end pump.io periodic backup #############
696
697 case $distro in
698 debian|ubuntu|trisquel)
699 # suggests because we want the resolvconf package.
700 # todo: check other distros to make sure it\'s installed
701 pi-nostart --install-suggests openvpn
702 # pi-nostart does not disable
703 ser disable openvpn
704 ;;
705 *) pi openvpn;;
706 esac
707
708 /a/bin/distro-setup/radicale-setup
709
710 ## android studio setup
711 # this contains the setting for android sdk to point to
712 # /a/opt/androidsdk, which is asked upon first run
713 lnf /a/opt/.AndroidStudio2.2 ~
714 # android site says it needs a bunch of packages for ubuntu,
715 # but I googled for debian, and someone says you just need lib32stdc++6 plus the
716 # jdk
717 # https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
718 # see w.org for more android studio details
719 spa lib32stdc++6 default-jdk
720
721
722 if [[ $HOSTNAME == treetowl ]]; then
723 ############# begin syncthing setup ###########
724
725 # It\'s simpler to just worry about running it in one place for now.
726 # I assume it would work to clone it\'s config to another non-phone
727 # and just run it in one place instead of the normal having a
728 # separate config. I lean toward using the same config, since btrfs
729 # syncs between comps.
730 case $distro in
731 arch) pi syncthing ;;
732 ubuntu|trisquel|debian)
733 # testing has relatively up to date packages
734 if ! isdebian-testing; then
735 # based on error when doing apt-get update:
736 # E: The method driver /usr/lib/apt/methods/https could not be found.
737 pi apt-transport-https
738 # google led me here:
739 # https://apt.syncthing.net/
740 curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
741 s="deb http://apt.syncthing.net/ syncthing release"
742 if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then
743 echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list
744 p update
745 fi
746 fi
747 pi syncthing
748 ;;
749 esac
750 lnf -T /w/syncthing /home/ian/.config/syncthing
751 sgo syncthing@ian # runs as ian
752
753 # these things persist in ~/.config/syncthing, which I save in
754 # /w/syncthing (not in /p, because syncthing should continue to
755 # run on home server even when using laptop as primary device)
756 # open http://localhost:8384/
757 # change listen address from default to tcp://:22001,
758 # this is because we do port forward so it doesn\'t have to use
759 # some external server, but the syncthing is broken for port forward,
760 # you get a message, something "like connected to myself, this should not happen"
761 # when connecting to other local devices, so I bump the port up by 1,
762 # based on
763 # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
764 # Without this, it was being stuck syncing at 0%.
765 # Set gui username and password.
766 #
767 # install syncthing via f-droid,
768 # folder setting, turn off master folder (makes it read only).
769 # on phone, add device, click bar code icon
770 # on dekstop, top right, actions, device id
771 # after adding, notification will appear on desktop to confirm
772 #
773 # syncing folder. from phone to desktop: select desktop in the
774 # folder on phone\'s sync options, notification will appear in
775 # desktop\'s web ui within a minute. For the reverse, the
776 # notification will appear in android\'s notifications, you have to
777 # swipe down and tap it to add the folder. It won\'t appear in the
778 # syncthing ui, which would be intuitive, but don\'t wait for it
779 # there.
780 #
781 # On phone, set settings to run syncthing all the time, and
782 # show no notification.
783 #
784 # Folder versioning would make sense if I didn\'t already use btrfs
785 # for backups. I would choose staggered, or trash can for more space.
786 #
787 # if needed to install on a remote comp:
788 # ssh -L 8384:localhost:8384 -N frodo
789 # open http://localhost:8384/
790 #
791 # Note, the other thing i did was port forward port 22000,
792 # per https://docs.syncthing.net/users/firewall.html
793
794 ############# end syncthing setup ###########
795 fi
796
797
798
799 # no equivalent in other distros:
800 case $distro in
801 debian|ubuntu|trisquel)
802 # for gui bug reporting
803 spa python-vte
804 ;;
805 esac
806
807
808 ####### misc packages ###########
809
810 # nagstamon setting which were set through the ui
811 # in filters tab:
812 # all unknown sources
813 # all warning services
814 # acknowledged hosts & services
815 # hosts & services down for maintenence
816 # services on down hosts
817 # services on hosts in maintenece
818 # services on unreachable osts
819 # hosts in soft state
820 # services in soft state
821 # in display tab: icon in systray.
822
823 case $distro in
824 debian|ubuntu|trisquel)
825 # it asks if it should make users in it's group capture packets without root,
826 # which is arguably more secure than running wireshark as root. default is no,
827 # which is what i prefer, since I plan to use tcpdump to input to wireshark.
828 s DEBIAN_FRONTEND=noninteractive pi wireshark-gtk
829 ;;
830 # others unknown
831 esac
832
833
834 case $distro in
835 debian|ubuntu|trisquel)
836 # no recommends because it wanted some other unstable package, something to
837 # do with math or something, which I didn't want to deal with.
838 p -y --no-install-recommends install python3-send2trash/unstable anki/unstable
839 ;;
840 # others unknown
841 esac
842
843 case $distro in
844 debian|ubuntu|trisquel)
845 # note i had to do this, which is persistent:
846 # cd /i/k
847 # s chgrp debian-transmission torrents partial-torrents
848
849 # syslog says things like
850 # 'Failed to set receive buffer: requested 4194304, got 425984'
851 # google suggets giving it even more than that
852 tu /etc/sysctl.conf<<'EOF'
853 net.core.rmem_max = 67108864
854 net.core.wmem_max = 16777216
855 EOF
856 s sysctl -p
857
858 # some reason it doesn\'t seem to start automatically anyways
859 pi-nostart transmission-daemon
860
861 # the folder was moved here after an install around 02/2017.
862 # it contains runtime data,
863 # plus a simple symlink to the config file which it\'s
864 # not worth separating out.
865 s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
866 #
867 # config file documented here, and it\'s the same config
868 # for daemon vs client, so it\'s documented in the gui.
869 # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
870 #
871 # I originaly setup rpc-whitelist, but after using
872 # routing to a network namespace, it doesn\'t see the
873 # real source address, so it\'s disabled.
874 #
875 # Changed the cache-size to 256 mb, reduces disk use.
876 # It is a read & write cache.
877 #
878 s ruby <<'EOF'
879 require 'json'
880 p = '/etc/transmission-daemon/settings.json'
881 File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
882 'rpc-whitelist-enabled' => false,
883 'rpc-authentication-required' => false,
884 'incomplete-dir' => '/i/k/partial-torrents',
885 'incomplete-dir-enabled' => true,
886 'download-dir' => '/i/k/torrents',
887 "speed-limit-up" => 800,
888 "speed-limit-up-enabled" => true,
889 "peer-port" => 61486,
890 "cache-size-mb" => 256,
891 "ratio-limit" => 5.0,
892 "ratio-limit-enabled" => true,
893 })) + "\n")
894 EOF
895
896 # make sure its not enabled, not sure if this is needed
897 ser disable transmission-daemon
898 ;;
899 # todo: others unknown
900 esac
901 # adapted from /var/lib/dpkg/info/transmission-daemon.postinst
902 if ! getent passwd debian-transmission > /dev/null; then
903 case $distro in
904 arch)
905 s useradd \
906 --system \
907 --create-home \
908 --home-dir /var/lib/transmission-daemon \
909 --shell /bin/false \
910 debian-transmission
911 ;;
912 *)
913 s adduser --quiet \
914 --system \
915 --group \
916 --no-create-home \
917 --disabled-password \
918 --home /var/lib/transmission-daemon \
919 debian-transmission
920 ;;
921 esac
922 fi
923 if [[ $HOSTNAME == treetowl ]]; then
924 sgo transmission-daemon-nn
925 fi
926
927
928 ######### begin transmission client setup ######
929
930 if [[ -e /p/transmission-rpc-pass ]]; then
931 # arch had a default config,
932 # debian had nothing until you start it.
933 # With a little trial an error, here is a minimal config
934 # taken from the generated one, plus changes that the
935 # settings ui does, without a bunch of ui crap settings.
936 #
937 # only settings I set were
938 # hostname
939 # auto-connect
940 # password
941
942 # the password is randomly generated on first run, i copied it out
943 # so it could be used by other hosts.
944 s ruby <<'EOF'
945 require 'json'
946 p = '/etc/transmission-daemon/settings.json'
947 s = JSON.parse(File.read(p))
948 s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
949 File.write p, JSON.pretty_generate(s)
950 EOF
951
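# Give every user under /home a transmission-remote-gtk profile pointing at
# the daemon, using the shared rpc password. The password is JSON-escaped
# (backslash and double quote) so a value containing either cannot break the
# generated file; other control characters are assumed absent — TODO confirm
# against how the password is generated. The config file, which holds the
# password, is created by dd with that user's default umask.
rpc_pass=$(</p/transmission-rpc-pass)
rpc_pass_json=${rpc_pass//\\/\\\\}
rpc_pass_json=${rpc_pass_json//\"/\\\"}
for f in /home/*; do
  d=$f/.config/transmission-remote-gtk
  u=${f##*/}
  s -u "$u" mkdir -p "$d"
  s -u "$u" dd of="$d/config.json" <<EOF
{
"profiles" : [
{
"profile-name" : "Default",
"hostname" : "transmission.b8.nz",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass_json",
"auto-connect" : true,
"ssl" : false,
"timeout" : 40,
"retries" : 3,
"update-active-only" : false,
"activeonly-fullsync-enabled" : false,
"activeonly-fullsync-every" : 2,
"update-interval" : 3,
"min-update-interval" : 3,
"session-update-interval" : 60,
"exec-commands" : [
],
"destinations" : [
]
}
],
"profile-id" : 0,
"add-options-dialog" : false
}
EOF
done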
987 fi
988
989 # dunno why it\'s there, but get rid of it
990 case $HOSTNAME in
991 li|lj) s rm -rf /home/linode ;;
992 esac
993
994
995 pi wget
996 case $HOSTNAME in
997 tp|frodo)
998 case $distro in
999 debian|ubuntu|trisquel)
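# Install Google Chrome from its .deb, then let apt repair the dependencies
# dpkg complains about. dpkg's output is captured to a temp file so the
# failure can be classified; the file is removed on every path. Note that
# `dpkg -i` does not verify a package signature — trust rests on the TLS
# download from dl.google.com.
log=$(mktemp)
cd /a/opt
wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
# dpkg -i is expected to fail on a first install (missing deps), so the
# error trap is off around it and the pipeline status is captured
# explicitly. pipefail is left on afterwards, as before.
errallow
set -o pipefail
s dpkg -i google-chrome-stable_current_amd64.deb |& tee "$log"
code=$?
errcatch
case $code in
  0) : ;;
  *)
    # previously I had a more specific search, but dpkg
    # changed its output as of 7/2016
    if grep -q 'dependency problems' "$log"; then
      s apt-get -fy install
    else
      rm -f -- "$log"
      exit 1
    fi
    ;;
esac
rm -f -- "$log"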
1021 ;;
1022 arch)
1023 pi google-chrome
1024 ;;
1025 esac
1026 ;;
1027 esac
1028
1029 # printer
1030 case $distro in
1031 arch)
1032 pi cups ghostscript gsfonts # from arch wiki cups page
1033 pi hplip # from google
1034 s gpasswd -a $USER sys # from arch wiki
1035 sgo org.cups.cupsd.service
1036 # goto http://127.0.0.1:631
1037 # administration tab, add new printer button.
1038 # In debian, I could use hte recommended driver,
1039 # in arch, I had to pick out the 6L driver.
1040 ;;
1041 debian|ubuntu|trisquel)
1042 spa hplip
1043 ;;
1044 # other distros unknown
1045 esac
1046
1047
1048 case $distro in
1049 ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
1050 fedora|arch) spa mairix notmuch ;;
1051 esac
1052 case $distro in
1053 arch) spa nfs-utils ;;
1054 ubuntu|debian) spa nfs-client ;;
1055 esac
1056 case $distro in
1057 ubuntu|debian) spa par2 ;;
1058 arch|fedora) spa par2cmdline ;;
1059 esac
1060
1061 # needed for my tex resume
1062 case $distro in
1063 ubuntu|debian) spa texlive-full ;;
1064 arch) spa texlive-most ;;
1065 # fedora unknown
1066 esac
1067
1068 case $distro in
1069 ubuntu)
1070 # flash, unrar, codecs, ms fonts.
1071 # This has a manual prompt.
1072 spa ubuntu-restricted-extras
1073 ;;
1074 fedora)
1075 pi yum-utils
1076 # rpm fusion recommended codecs
1077 s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
1078 pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
1079 xine-lib-extras-freeworld
1080 ;;
1081 esac
1082
1083 case $distro in
1084 # optional dep for firefox for h.264 video
1085 arch) spa gst-libav ;;
1086 # other distros, probably come by default
1087 esac
1088
1089 case $distro in
1090 fedora|ubuntu|trisquel|debian) spa gnupg-agent ;;
1091 arch) : ;;
1092 esac
1093
1094
1095 case $distro in
1096 fedora) spa pinentry-gtk ;;
1097 *) : ;; # comes default or with other packages
1098 esac
1099
1100 case $distro in
1101 arch) spa firefox pulseaudio;;
1102 *) : ;; # comes default or with other packages
1103 esac
1104
1105
1106 case $distro in
1107 arch) spa ttf-dejavu;;
1108 debian|ubuntu|trisquel) spa fonts-dejavu ;;
1109 # others unknown
1110 esac
1111
1112
1113 case $distro in
1114 arch) spa xorg-xev;;
1115 debian|ubuntu|trisquel) spa x11-utils ;;
1116 # others unknown
1117 esac
1118
1119 case $distro in
1120 arch) pi virt-install;;&
1121 debian|ubuntu|trisquel) pi virtinst ;;&
1122 *) pi virt-manager ;; # creates the libvirt group in debian at least
1123 # others unknown
1124 esac
# allow these users to run vms, from the debian handbook. Note libvirt/kvm
# membership is a lot of privilege on this host (full control of every guest).
for vm_user in ian traci; do
  s usermod -a -G libvirt,kvm "$vm_user"
done
# bridge networking as an unprivileged user fails. google led here, but it
# doesn't work, so giving up for now:
# http://wiki.qemu.org/Features-Done/HelperNetworking
# s mkdir /etc/qemu
# f=/etc/qemu/bridge.conf
# s dd of=$f <<'EOF'
# allow br0
# EOF
# #s chown root:qemu $f # debian has something like qemu-libvirt. equivalent?
# s chmod 640 $f


# iso tooling (others unknown)
case $distro in
  arch) spa cdrkit ;;
  debian|ubuntu|trisquel) spa genisoimage ;;
esac

# spice client (others unknown)
case $distro in
  arch) spa spice-gtk3 ;;
  debian|ubuntu|trisquel) spa spice-client-gtk ;;
esac
1150
# general known for debian/ubuntu, not for fedora

case $distro in
  debian|ubuntu|trisquel)
    pi golang-go
    # a bit of googling, and added settings to bashrc
    # NOTE(review): `go get -u` fetches and builds whatever the upstream
    # default branch holds at run time -- no tag or commit is pinned, so two
    # runs can install different code. Pin a version if that matters.
    go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
    ;;
  # others unknown
esac
1161
1162
case $distro in
  arch)
    # cdrkit for cloud-init isos
    # dnsmasq & ebtables for nat networking in libvirt
    # qemu for qemu-img, bind-tools for dig
    # dmidecode just because syslog complains
    pi unzip xorg-xmodmap dmidecode ebtables\
      bridge-utils dnsmasq qemu bind-tools
    # otherwise we get error about accessing kvm module.
    # seems like there might be a better way, but google was a bit vague.
    # Drop any existing `user =` line, then pin the qemu process user to root.
    # NOTE(review): this makes every guest's qemu process run as root, giving
    # up the unprivileged-qemu isolation libvirt normally provides; the kvm
    # group membership added earlier (usermod -a -G libvirt,kvm) is the usual
    # alternative and may be enough on its own -- worth re-testing.
    s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
    echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
    # https://bbs.archlinux.org/viewtopic.php?id=206206
    # # this should prolly go in the wiki
    sgo virtlogd.socket
    # guessing this is not needed
    #sgo virtlogd.service
    sgo libvirtd

    ;;
esac
1184
# virt-viewer; other distros have it as a dependency afaik
if [[ $distro == arch ]]; then
  pi virtviewer
fi



# shellcheck: fedora has no package, so build it with cabal.
# unknown for older ubuntu
if [[ $distro == fedora ]]; then
  cabal install shellcheck
else
  spa shellcheck
fi


# pumpa. others unknown; there is a buildscript: /a/bin/buildscripts/pumpa
case $distro in
  arch|debian|ubuntu|trisquel) spa pumpa ;;
esac


# adb. debian matches the first arm only, so it never queues
# android-tools-adbd/unstable -- presumably intended, confirm.
# other distros unknown
case $distro in
  debian) pi adb ;;
  ubuntu|trisquel) spa android-tools-adbd/unstable ;;
  arch) spa android-tools ;;
esac
1212
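if [[ $HOSTNAME == treetowl ]]; then
  case $distro in
    debian)
      if [[ $(debian-archive) == testing ]]; then
        # has no unstable dependencies
        pi bitcoind/unstable
        # own variable: `src` is the script's directory (set near the top of
        # the file) and must not be overwritten here.
        unit_src=/a/opt/bitcoin/contrib/init/bitcoind.service
        s cp "$unit_src" /etc/systemd/system
        p=/etc/bitcoin/bitcoin
        dst=/etc/systemd/system/bitcoinjm.service
        # jm for joinmarket: a second unit pointing at bitcoinjm.conf. Written
        # through `s tee` like the cp above, so it also works when the script
        # itself is not running as root.
        $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," "$unit_src" \
          | s tee "$dst" >/dev/null

        # being clever for succinctness: ${!unit} below yields the *other*
        # suffix, so each unit gets a Conflicts= on its sibling.
        d=jm; jm=d
        for unit in d jm; do
          s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!unit}.service" \
            /etc/systemd/system/bitcoin${unit}.service
        done

        ser daemon-reload

        dir=/nocow/.bitcoin
        s mkdir -p $dir
        s chown -R bitcoin:bitcoin $dir
        dir=/etc/bitcoin
        s mkdir -p $dir
        s chown -R root:bitcoin $dir
        # 750 so the rpc credentials written below are readable only by root
        # and the bitcoin group
        s chmod 750 $dir

        # pruning decreases the bitcoin dir to 2 gb, keeps
        # just the recent blocks. can't do a few things like
        # import a wallet dump.
        # pruning works, but people had to do
        # some manual stuff in joinmarket. I dun need the
        # disk space, so not bothering yet, maybe in a year or so.
        # https://github.com/JoinMarket-Org/joinmarket/issues/431
        #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
        #prune=550

        # fresh random rpc credentials on every (re)install
        f=$dir/bitcoin.conf
        s dd of=$f <<EOF
server=1
rpcpassword=$(openssl rand -base64 32)
rpcuser=$(openssl rand -base64 32)
EOF


        f2=$dir/bitcoinjm.conf
        s cp $f $f2
        s tee -a $f2 >/dev/null <<EOF
# Joinmarket
walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
wallet=joinmarket.dat
EOF
        # dunno about sharing a wallet between multiple instances
        # manually did, wallet.dat symlinked in /nocow/.bitcoin
        sgo bitcoind
      fi
      ;;
    # other distros unknown
  esac
  pi libsodium-dev python-pip
  cd /a/opt/joinmarket
  # using develop branch, as it seems to be mostly bug fixes,
  # and this is quite new software.
  # note: python3 does not work.
  # has seg fault error due to some bug, but it still works:
  # 139 is 128+SIGSEGV, so only that failure is tolerated, anything else
  # still aborts.
  pip install -r requirements.txt || [[ $? == 139 ]]
  # note, the target must exist ahead of time, or bitcoin
  # just overwrites the link, and it's not happy with an empty file,
  # so we have to create the wallet, then move and link it.
  s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
  s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
  # not technically needed, but seems cleaner not to have
  # symlinks be root owned unlike everything else
  s chown -h bitcoin:bitcoin /nocow/.bitcoin/*

  # Copy the rpc credentials from bitcoin.conf into joinmarket.cfg.
  # The script runs with xtrace on; the `u=` assignment and the sed argv
  # would put each credential into the distro-end log, so tracing is paused
  # around this loop and restored afterwards.
  xtrace_on=0
  [[ $- == *x* ]] && xtrace_on=1
  set +x
  for var in rpcuser rpcpassword; do
    u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
    # escape backslashes
    u="${u//\\/\\\\\\\\}"
    # escape commas, the s,,, delimiter below. (`&` would also need escaping
    # in a sed replacement, but base64 output never contains it.)
    u="${u//,/\\,}"
    sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
  done
  if (( xtrace_on )); then set -x; fi
  sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg

fi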
1303
1304
1305
case $distro in
  fedora)
    # Build GNU global from source on fedora.
    # NOTE(review): the tarball is fetched over plain http and installed as
    # root with no checksum or signature check, so a tampered download would
    # be installed silently; the temp dir is also never removed.
    cd $(mktemp -d)
    wget http://tamacom.com/global/global-6.3.2.tar.gz
    ex global*
    cd global-6.3.2
    # based on https://github.com/leoliu/ggtags
    ./configure --with-exuberant-ctags=/usr/bin/ctags
    make
    s make install
    s pip install pygments
    ;;
  *)
    pi global
    ;;&
  # ;;& above keeps matching, so the per-distro pygments arm still runs
  arch)
    pi python2-pygments
    ;;
  debian|ubuntu|trisquel)
    pi python-pygments
    ;;
esac
1328
1329
# cinnamon desktop on debian (others unknown)
if [[ $distro == debian ]]; then
  pi task-cinnamon-desktop
  # in settings, change scrolling to two-finger,
  # because the default edge scroll doesn't work.
  pu transmission-gtk
fi

# apg: already in debian jessie
if [[ $distro == arch ]]; then
  spa apg
fi
1345
1346
1347
1348
1349
1350 # note this failed running at the beginning of this file,
1351 # because no systemd user instance was running.
1352 # Doing systemd --user resulted in
1353 # Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
1354
# as of 7/2016, synergy has no unstable deps, and is not in testing anymore,
# so testing hosts take it from unstable.
synergy_pkg=synergy
if isdebian-testing; then
  synergy_pkg=synergy/unstable
fi
pi "$synergy_pkg"
1361
1362 # case $distro in
1363 # # ubuntu unknown. probably the same as debian, just check if the
1364 # # init scripts come with the package.
1365 # debian)
1366 # # copied from arch, but moved to etc
1367 # s dd of=/etc/systemd/user/synergys.service <<'EOF'
1368 # [Unit]
1369 # Description=Synergy Server Daemon
1370 # After=network.target
1371
1372 # [Service]
1373 # User=%i
1374 # ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
1375 # Restart=on-failure
1376
1377 # [Install]
1378 # WantedBy=multi-user.target
1379 # EOF
1380 # s dd of=/etc/systemd/user/synergys.socket <<'EOF'
1381 # [Unit]
1382 # Conflicts=synergys@.service
1383
1384 # [Socket]
1385 # ListenStream=24800
1386 # Accept=false
1387
1388 # [Install]
1389 # WantedBy=sockets.target
1390 # EOF
1391 # # had this fail with 'Failed to connect to bus: No such file or directory'
1392 # # then when I tried it manually, it worked fine...
1393 # if ! systemctl --user daemon-reload; then
1394 # sleep 2
1395 # echo retrying systemd user daemon reload
1396 # systemctl --user daemon-reload
1397 # fi
1398 # ;;&
1399 # *)
1400 # # taken from arch wiki.
1401 # s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
1402 # [Unit]
1403 # Description=Synergy Client
1404 # After=network.target
1405
1406 # [Service]
1407 # User=%i
1408 # ExecStart=/usr/bin/synergyc --no-daemon frodo
1409 # Restart=on-failure
1410 # # per man systemd.unit, StartLimitInterval, by default we
1411 # # restart more than 5 times in 10 seconds.
# # And this param defaults to 200 milliseconds.
1413 # RestartSec=3s
1414
1415 # [Install]
1416 # WantedBy=multi-user.target
1417 # EOF
1418 # s systemctl daemon-reload
1419 # case $HOSTNAME in
1420 # x2|treetowl)
1421 # ser enable synergyc@ian
1422 # ser start synergyc@ian ||: # X might not be running yet
1423 # ;;
1424 # frodo)
1425 # systemctl --user start synergys ||:
1426 # systemctl --user enable synergys
1427 # ;;
1428 # esac
1429 # ;;
1430 # esac
1431
1432
1433
### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
# build deps, then an out-of-tree cmake build installed under /usr
pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus
cd /a/opt/indicator-kdeconnect
mkdir -p build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install
1442
1443
1444 ######### end misc packages #########
1445
1446
# packages I once used before and liked, but don't want installed now for
# various reasons:
# python-sqlite is used for offlineimap
# lxappearance python-sqlite dolphin paman dconf-editor
1451
1452
1453
1454 ######## unfinished
1455
1456 # todo, finish configuring smart.
1457
pi smartmontools
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# turn on smart. background on options:
# first line, -a = test everyting on all devices.
# -S on, turn on disk internal saving of vendor specific info,
# from google, seems like this is usually already on and fairly standard.
# -o on, turn on 4 hour period non-performance degrading testing.
# short test daily 2-3am, extended tests Saturdays between 3-4am:
sched="-s (S/../.././02|L/../../6/03)"
# Replace the DEVICESCAN line in place. `#` is the s/// delimiter because
# $sched contains slashes; the backslash-newlines inside the double quotes
# are removed by the shell, so the replacement is a single line.
# Problems are mailed to the hard-coded address and also passed to
# /usr/local/bin/smart-notify via -M exec.
s sed -i --follow-symlinks "s#^[[:space:]]*DEVICESCAN.*#\
DEVICESCAN -a -o on -S on -n standby,q $sched \
-m ian@iankelling.org -M exec /usr/local/bin/smart-notify#" /etc/smartd.conf
1470
1471 # in the default configuration of at least ubuntu 14.04, resolvconf is
1472 # configured to order any nameservers associated with tun* or tap*
1473 # before the normal internet interfaces, which means they are always
1474 # consulted first. This is often slower and undesirable, ie. local dns
1475 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
1476 # can do:
1477 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
1478 # however, this breaks dns lookup for hosts on the openvpn lan.
# I can't figure out why hosts on the normal lan would not be
1480 # broken under the default ordering, except the host I was
1481 # testing with previously had an entry in /etc/hosts.
1482
1483 ############# end unfinished
1484
1485 ########### misc stuff
1486
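# Collect the block devices backing /boot (btrfs), mapped through the devbyid
# helper, and pre-seed grub-pc's install_devices so a grub upgrade does not
# prompt for them. Word-splitting of the command substitution is intended:
# one device path per word.
devs=()
for dev in $(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p'); do
  devs+=("$(devbyid "$dev")")
done
if (( ${#devs[@]} == 0 )); then
  # nothing found (e.g. /boot is not btrfs): skip instead of failing on an
  # empty array, and say so in the log
  echo "$0: warning: no btrfs devices found for /boot, not seeding grub-pc/install_devices" >&2
else
  # debconf's multiselect value is a comma-separated list
  devlist=$(printf '%s, ' "${devs[@]}")
  devlist=${devlist%, }
  # on grub upgrade, we get prompts unless we do this
  s debconf-set-selections <<EOF
grub-pc grub-pc/install_devices multiselect $devlist
EOF
fi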
1497
1498
# the wiki backup script from ofswiki.org uses generic paths, so link them
# into /root
for wiki_path in /p/c/machine_specific/li/mw_vars /k/backup/wiki_backup; do
  s lnf "$wiki_path" /root
done
1502
# goaccess (apache log analyzer) config. cedit is a local helper; the
# `|| [[ $? == 1 ]]` accepts an exit status of 1 from it (presumably its
# "file was changed" signal -- confirm) while any other status still aborts
# the script.
s cedit /etc/goaccess.conf <<'EOF' || [[ $? == 1 ]]
# all things found from looking around the default config
# copied existing NCSA Combined Log Format with Virtual Host, plus %L
log-format %^:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %D
time-format %H:%M:%S
date-format %d/%b/%Y
log-file /var/log/apache2/access.log
color-scheme 2

# tip: copy access.log files to a stretch host directory, then run
# jessie's goaccess is too old for some options, and it\'s
# not easily installed from a testing.
# goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
EOF
1517
1518
# unison: on debian stable, allow unison-gtk from testing, then install both
# packages from testing.
case $distro in
  debian|ubuntu|trisquel)
    if [[ $(debian-archive) == stable ]]; then
      s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
Explanation: Allow unison-gtk to be upgraded
Package: unison-gtk
Pin: release a=testing
Pin-Priority: 500
EOF
      # dont think using testing is needed since I figured out how to
      # deal with mismatching unison compilers, but I dont
      # see any reason to revert it, since it only installs
      # a single package which is primarily a single binary
    fi
    pi unison/testing
    # installed after unison, to make it the default unison
    pi unison-gtk/testing
    ;;
  arch)
    pi unison gtk2
    ;;
esac
1542
# pianobar: libao's default alsa driver doesn't work with it, use pulse on arch
if [[ $distro == arch ]]; then
  s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
fi
1551
# note, for jessie, it depends on a higher version of btrfs-tools.
#
# # disabled due to my patch being in btrbk
# case $distro in
# arch|debian|ubuntu|trisquel) pi btrbk ;;
# # others unknown
# esac
# btrbk is installed from the local checkout instead
cd /a/opt/btrbk
s make install
spa pv # for progress bar when running interactively.
# backup/sync manually on other hosts for now.
if [[ $HOSTNAME == treetowl ]]; then
  sgo btrbk.timer
  # note: to see when it was last run,
  # ser list-timers
fi

# fail2ban is broken, with a workaround, per
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
# ill wait a while to see if it gets fixed
if [[ $HOSTNAME == treetowl && $(debian-archive) != testing ]]; then
  pi fail2ban
  sgo fail2ban
fi





# adm group membership, needed for reading logs
if [[ $distro == debian || $distro == ubuntu || $distro == trisquel ]]; then
  s gpasswd -a ian adm
fi
1584
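# tor
case $distro in
  # based on
  # https://www.torproject.org/docs/rpms.html.en
  # https://www.torproject.org/docs/debian.html.en
  # todo: figure out if the running service needs to be restarted upon updates


  # todo on fedora: setup non-dev packages
  fedora)
    # repo metadata is fetched over http; gpgcheck=1 with the project key is
    # what authenticates the packages, so keep it on
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

    # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    # Fetch the archive key by its full fingerprint rather than the 32-bit
    # short id: short ids are cheap to collide, so a keyserver lookup by
    # "886DDD89" alone could return a different key. The export below already
    # names the full fingerprint, so only that key ever reaches apt-key.
    gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    p update
    # the keyring package takes over key management from here on
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
  # ubuntu unknown
esac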
1636
# nfs server
case $distro in
  arch)
    # if the install fails, flag a reboot for the end of the script instead
    # of aborting
    pi nfs-utils || pending_reboot=true
    sgo rpcbind
    # this failed until I rebooted
    sgo nfs-server
    ;;
  debian|ubuntu|trisquel)
    pi nfs-server
    ;;
  fedora)
    # firewall setup is still manual; queue the reminder for the end of the run
    end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration


EOF
    pi nfs-utils
    sgo nfs-server
    ;;
esac
1670
1671
########### begin kodi setup ############
pi kodi

# based on https://wiki.debian.org/SecuringNFS
# but the quota stuff is either outdated or optional,
# i guessed that it was not needed and it worked fine.
# Pin the NFS side daemons (callback, lockd, statd, mountd) to fixed ports;
# per the linked page that is what makes them firewallable instead of letting
# the rpc ports float.
s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
fs.nfs.nfs_callback_tcpport = 32764
fs.nfs.nlm_tcpport = 32768
fs.nfs.nlm_udpport = 32768
EOF
s sysctl --system
# sed script on stdin: drop any existing STATDOPTS line, then append ours
s $sed -ri -f - /etc/default/nfs-common <<'EOF'
/^\s*STATDOPTS=/d
$a STATDOPTS="--port 32765 --outgoing-port 32766"
EOF

# same pattern for mountd; --manage-gids resolves group lists server side
s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
/^\s*RPCMOUNTDOPTS=/d
$a RPCMOUNTDOPTS="--manage-gids --port 32767"
EOF
ser restart nfs-kernel-server
1694
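if [[ $HOSTNAME == treetowl ]]; then
  # persistent one time steps for webdav:
  # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
  # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
  # htpasswd -c /p/c/filesystem/etc/davpass dav
  # chmod 640 /p/c/filesystem/etc/davpass
  # in conflink, set group to www-data.
  # In kodi, i set the music source, server address: my domain,
  # path: k/music. Then copied the file
  # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
  s a2enmod dav dav_fs
  # WebDAV vhost for the playlists, basic auth against /etc/davpass
  web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
<Directory /a/c/playlists>
DAV On
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/davpass"
Require valid-user

# outside the standard /var/www, so use this:
Order allow,deny
Allow from all
</Directory>
EOF
  s mkdir -p /var/www/davlock
  s chown www-data:www-data /var/www/davlock
  s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
  ser reload apache2

  # music exported read-only to any host (`*`)
  teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
  # exportfs needs root, as with the other exportfs call in this file
  s exportfs -ra

  # kodi uses sqlite by default, but supports mysql.
  pi mariadb-server

  # see ofswiki.org for explanation.
  # The passwords come from files under /p. This script runs with xtrace on,
  # so tracing is paused while they sit in a variable or on a command line;
  # otherwise the assignment and the mysql argv would land in the distro-end
  # log. MYSQL_PWD also keeps the root password out of argv (and `ps`).
  xtrace_on=0
  [[ $- == *x* ]] && xtrace_on=1
  set +x
  dbpass="$(cat /p/mysql-root-pass)"
  if ! echo exit | MYSQL_PWD="$dbpass" mysql -uroot; then
    # first run: feed mysql_secure_installation's prompts -- two defaults,
    # the new root password twice, then defaults for the rest. printf %s
    # does not reinterpret backslashes in the password the way echo -e did.
    printf '\n\n%s\n%s\n\n\n\n\n\n' "$dbpass" "$dbpass" | mysql_secure_installation
  fi
  # NOTE(review): a bare 'kodi' is 'kodi'@'%', i.e. usable from any host, and
  # bind-address is set to 0.0.0.0 just below, so this account has ALL
  # PRIVILEGES on every database from anywhere that can reach the server.
  # Restrict the host part (e.g. to the LAN subnet) if that is not intended.
  MYSQL_PWD="$dbpass" mysql -uroot <<EOF
GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
EOF
  unset dbpass
  if (( xtrace_on )); then set -x; fi
  # listen on all interfaces, presumably so the other kodi hosts reach the db
  s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
  ser restart mariadb

fi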
1742
1743 ########### end kodi setup ############
1744
1745
if [[ $HOSTNAME == treetowl ]]; then
  # nohide = export filesystems mounted deeper than the export point
  # fsid=0 makes this export the "root" export
  # not documented in the man page, but this means
  # 1. it can be mounted with a shorthand of server:/
  # 2. exports that are subdirectories of this one will automatically be mounted
  # NOTE(review): rw + no_root_squash + insecure to the whole 192.168.1.0/24
  # means any host on that subnet that is root locally (and may use a
  # non-reserved source port) gets root-equivalent write access to /k. That
  # is a deliberate trust in the LAN; keep it in mind if untrusted devices
  # join it.
  tu /etc/exports <<'EOF'
/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
  s exportfs -rav
fi
1757
1758
# hand the notes accumulated by end_msg (manual follow-ups) to the e helper
e "${end_msg_var}"
1760
1761
1762 # persistent virtual machines
1763
# osinfo-query comes with libosinfo-bin on the debian family
if [[ $distro == debian || $distro == ubuntu || $distro == trisquel ]]; then
  pi libosinfo-bin
fi

# pick the newest windows os-variant this distro knows about; it may not
# know about win 10 yet, so win7 is the fallback.
variant=win7
# an old virt-install accepts "--os-variant list"; a newer one rejects it
# and libosinfo is queried instead
if ! virt-install --os-variant list &>/dev/null; then
  for v in 10 8.1 8; do
    osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null || continue
    variant=win$v
    break
  done
fi
1780
if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then
  # only when no "win10" domain is defined yet; the win7 guest below is
  # (re)defined under the same condition.

  # created account with
  # win10vmian@outlook.com, and easy to remember password
  # win 10 virtio, makes disk way way way faster
  # wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
  # https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
  # for installing virtio after initial install instead of with initial iso:
  # qemu-img create -f qcow2 fake.qcow2 1G
  # --disk=/a/images/virtio-win.iso,device=cdrom \
  # --disk=/a/images/fake.qcow2,bus=virtio
  # Also,
  # went to device manager, saw 2 pci devices with yellow !,
  # did search for drivers, pick cdrom location, done.
  #
  # from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
  # google said there was a control panel option for it, but
  # that turned out to be a lie.
  # Put this in a .bat file and run as administrator to turn off
  # hyberboot which fucks things up.
  # REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
  # power settings, turn off display: never
  # run "control userpasswords2", turn on automatic login.
  # note: when changing devices, I just undefine, the create the vm again.

  # NOTE(review): the existence check looks at /nocow/user/vms/*.qcow2 while
  # --disk points at /a/images/*.qcow2 (both guests); presumably one path is
  # a link to the other -- confirm, otherwise the guard tests the wrong file.
  # NOTE(review): --graphics spice,listen=0.0.0.0 binds the spice display to
  # every interface and no password is set on this command line, so anyone
  # who can reach that port gets the console. Bind to a specific address or
  # add a password.
  if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
    s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
      --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
      -n win10 --import --os-variant $variant --cpu host-model-only

    # --import also boots the guest; stop it again, presumably only the
    # definition is wanted here
    s virsh destroy win10
  fi

  if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
    # this one hasn't had the virtio fix done yet.
    s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
      --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
      -n win7 --import --os-variant win7 --cpu host-model-only
    s virsh destroy win7
    # had a problem with --cpu host, so trying out
    # --cpu host-model-only
  fi
fi
1824
1825
if [[ $HOSTNAME == treetowl ]]; then
  pi samba
  # note samba re-reads its config every 1 minute
  case $distro in
    arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
  esac

  # add 2 lines after workgroup option
  # (first drop any existing copies so re-running does not duplicate them)
  s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
  s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
  # "map to guest = bad password": a wrong password is not rejected but
  # silently becomes a guest session. Fine for the open share below, but it
  # also hides typos in real logins.
  s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
  # remove default homes section. not sharing that.
  # NOTE(review): the range end is inclusive, so the first following line
  # containing `[` -- possibly the next section header -- is deleted as well;
  # check the resulting smb.conf.
  s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf

  # NOTE(review): guest ok + read only = no makes /kr writable by anyone who
  # can reach smbd, with no credentials; keep smbd off untrusted networks.
  if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
    s tee -a /etc/samba/smb.conf <<'EOF'
[public]
guest ok = yes
read only = no
path = /kr
EOF
  fi

  case $distro in
    debian|ubuntu|trisquel)
      # systemd claims it generates units from /etc/init.d, but it
      # clearly doesn't in debian. I have no idea how they are
      # related. fuck debian right now. It's not documented. samba
      # has a systemd init file linked to /dev/null. There's this
      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
      # claims samba's sub-services will be started automatically by
      # systemd... it didn't on install, wonder if it will on
      # boot. It clued me in how to start it manually though. Nothing
      # in /usr/share/doc/samba, debian admin guide says nothing about
      # any of this. (this is in debian testing as of 4/2016).

      s /etc/init.d/samba start
      ;;
    arch)
      sgo samba
      ;;
  esac
fi
1869
# give this host a .lan name in /etc/hosts via the tu helper
this_host=$(hostname)
tu /etc/hosts <<< "127.0.1.1 $this_host.lan $this_host"
1871
1872
1873 ######### begin stuff belonging at the end ##########
1874
1875
# Apps we want to override others for default file handler:
# simplest way in debian is to just install them last.
spa mpv

case $distro in
  ubuntu|debian) spa spacefm-gtk3 ;;
  arch) spa spacefm ;;
esac


# everything queued with spa is installed in one go
pi "${simple_packages[@]}"
1891
1892
# $pending_reboot holds "true" or "false" and is executed as a command
if ! $pending_reboot; then
  echo "$0: $(date): ending now)"
else
  echo "$0: pending reboot and then finished. doing it now."
  s reboot now
fi