add mastodon server
[distro-setup] / distro-end
1 #!/bin/bash -l
2 # Copyright (C) 2016 Ian Kelling
3
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7
8 # http://www.apache.org/licenses/LICENSE-2.0
9
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
16 errcatch
17
18 set -x
19
20 exec &> >(sudo tee -a /var/log/distro-end)
21 echo "$0: $(date): starting now)"
22
23 src="${BASH_SOURCE%/*}"
24
25 end_msg() {
26 = local y
27 IFS= read -r -d '' y ||:
28 end_msg_var+="$y"
29 }
30
31 spa() { # simple package add
32 simple_packages+=($@)
33 }
34
35 distro=$(distro-name)
36
37 pending_reboot=false
38 sed="sed --follow-symlinks"
39
40 # template
41 case $distro in
42 esac
43
44 pup
45
46 simple_packages=(
47 htop
48 mailutils
49 nmon
50 rdiff-backup
51 ruby
52 ruby-rest-client
53 tree
54 vim
55 wcd
56 )
57
58 case $HOSTNAME in
59 lj|li) : ;;
60 *)
61 # universal packages
62 # swh-plugins is for karaoke pulsaudio filter.
63 # mutagen for pithos
64 simple_packages+=(
65 apache2
66 apache2-doc
67 apt-doc
68 aptitude-doc-en
69 bash-doc
70 binutils-doc
71 bwm-ng
72 chromium
73 cpio-doc
74 cron
75 debconf-doc
76 duplicity
77 eclipse
78 evince
79 fdupes
80 feh
81 filelight
82 gawk-doc
83 gcc-doc
84 gdb
85 gdb-doc
86 git-doc
87 git-email
88 gitk
89 glibc-doc
90 goaccess
91 gnome-screenshot
92 i3lock
93 iproute2-doc
94 jq
95 linux-doc
96 locate
97 make-doc
98 manpages
99 manpages-dev
100 meld
101 mumble
102 nmap
103 offlineimap
104 p7zip
105 paprefs
106 parted-doc
107 pavucontrol
108 pdfgrep
109 perl-doc
110 pianobar
111 pidgin
112 python3-doc
113 python3-mutagen
114 reportbug
115 sqlite3-doc
116 squashfs-tools
117 swh-plugins
118 tar-doc
119 tcpdump
120 transmission-remote-gtk
121 vlc
122 whois
123 )
124 spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
125 ;;
126 esac
127
128
129 ########### begin section including li ################
130
131
132 case $distro in
133 debian)
134 if [[ `debian-archive` == testing ]]; then
135 pi acme-tiny
136 fi
137 esac
138
139 case $distro in
140 fedora) spa unrar ;;
141 *) spa unrar-free ;;
142 esac
143
144
145 case $distro in
146 arch)
147 # ubuntu 14.04 uses b-cron,
148 # but its not maintained in arch.
149 # of the ones in the main repos, cronie is only one maintained.
150 # fcron appears abandoned software.
151 pi cronie
152 sgo cronie
153 ;;
154 *) : ;; # other distros come with cron.
155 esac
156
157
158 case $distro in
159 debian|ubuntu)
160 pi debian-goodies
161 ;;
162 esac
163
164
165 case $distro in
166 *) pi at ;;&
167 arch) sgo atd ;;
168 esac
169
170
171 case $distro in
172 debian) pi curl;;
173 arch) : ;;
174 # fedora: unknown
175 esac
176
177 case $distro in
178 # tk for gitk
179 arch) spa git tk ;;
180 *) spa git ;;
181 esac
182
183 case $distro in
184 arch) spa the_silver_searcher ;;
185 debian|ubuntu) spa silversearcher-ag ;;
186 # fedora unknown
187 esac
188
189 case $distro in
190 debian|ubuntu) spa ntp;;
191 arch)
192 pi ntp
193 sgo ntpd
194 ;;
195 # others unknown
196 esac
197
198
199 # no equivalent in other distros:
200 case $distro in
201 debian|ubuntu)
202 pi aptitude
203 if ! dpkg -s apt-file &>/dev/null; then
204 # this condition is just a speed optimization
205 pi apt-file
206 s apt-file update
207 fi
208 # for debconf-get-selections
209 spa debconf-utils
210 ;;
211 esac
212
213 case $distro in
214 ubuntu|debian) spa ack-grep ;;
215 arch|fedora) spa ack ;;
216 # fedora unknown
217 esac
218
219 case $distro in
220 arch|debian|ubuntu)
221 spa bash-completion
222 ;;
223 # others unknown
224 esac
225
226
227
228
229
230 # disable motd junk.
231 case $(distro-name) in
232 debian)
233 # allows me to pipe with ssh -t, and gets rid of spam
234 # http://forums.debian.net/viewtopic.php?f=5&t=85822
235 # i'd rather disable the service than comment the init file
236 # this says disabling the service, it will still get restarted
237 # but this script doesn't do anything on restart, so it should be fine
238 s dd of=/var/run/motd.dynamic if=/dev/null
239 # stretch doesn't have initscripts pkg installed by default
240 if [[ $(debian-codename) == jessie ]]; then
241 s update-rc.d motd disable
242 fi
243 ;;
244 ubuntu)
245 # this isn't a complete solution. It still shows me when updates are available,
246 # but it's no big deal.
247 s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
248 ;;
249 esac
250
251 # automatic updates
252 # reference:
253 # https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
254 # /etc/cron.daily/apt calls unattended-upgrades
255 # /usr/share/doc/unattended-upgrades# cat README.md
256 # /etc/apt/apt.conf.d/50unattended-upgrades
257 if isdebian; then
258 setup-debian-auto-update
259 fi
260
261 # we've got a few dependencies later on, so install them now.
262 pi "${simple_packages[@]}"
263 simple_packages=()
264
265 # website setup
266 case $HOSTNAME in
267 lj|li)
268
269 case $HOSTNAME in
270 lj) domain=iank.bid; exit 0 ;;
271 li) domain=iankelling.org ;;
272 esac
273 /a/h/setup.sh $domain
274 /a/h/build.rb
275
276 sudo -E /a/bin/mediawiki-setup/mw-setup-script
277 #$src/phab-setup
278
279 pi-nostart mumble-server
280 s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
281 sgo mumble-server
282
283 vpn-server-setup -d
284
285 sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
286 [Unit]
287 Description=Turns on iptables mail nat
288
289 [Service]
290 Type=oneshot
291 RemainAfterExit=yes
292 ExecStart=/a/bin/distro-setup/vpn-mail-forward start
293 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
294
295 [Install]
296 WantedBy=openvpn.service
297 EOF
298 ser daemon-reload
299 ser enable vpnmail.service
300 acme-tiny-wrapper mail.iankelling.org
301 # needed for li's local mail delivery. there might
302 # be a better way to do it that doesn't require disabling
303 # it during le verification, but whatever for now.
304 f=/etc/cron.daily/lets-encrypt-mail_iankelling_org
305 l="10.8.0.4 mail.iankelling.org"
306 tu /etc/hosts <<<"$l"
307 s sed -i '/^\s*sysv acme-tiny-wrapper/i sed -i /^10\.8\.0\.4/d /etc/hosts' $f
308 echo "echo $l >>/etc/hosts" | s tee -a $f
309 sgo openvpn
310 domain=cal.iankelling.org
311 acme-tiny-wrapper $domain
312 apache-site -f 10.8.0.4:5232 - $domain <<'EOF'
313 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
314 <Directory "/var/www/cal.iankelling.org/html">
315 Options +FollowSymLinks +Multiviews +Indexes
316 AllowOverride None
317 AuthType basic
318 AuthName "Authentication Required"
319 # setup one time, with root:www-data, 640
320 AuthUserFile "/etc/caldav-htpasswd"
321 Require valid-user
322 </Directory>
323 EOF
324 # nginx version of above would be:
325 # auth_basic "Not currently available";
326 # auth_basic_user_file /etc/nginx/caldav/htpasswd;
327
328
329 ########## begin pump.io setup ##########
330
331 # once pump adds a logrotation script, turn off nologger,
332 # and add
333 # "logfile": "/var/log/pumpio/pumpio.log",
334 #
335 s dd of=/etc/pump.io.json <<'EOF'
336 {
337 "secret": "SECRET_REPLACE_ME",
338 "driver": "mongodb",
339 "params": { "dbname": "pumpio" },
340 "noweb": false,
341 "site": "pump.iankelling.org",
342 "owner": "Ian Kelling",
343 "ownerURL": "https://iankelling.org/",
344 "port": 8001,
345 "urlPort": 443,
346 "hostname": "pump.iankelling.org",
347 "nologger": true,
348 "datadir": "/home/pumpio/pumpdata",
349 "enableUploads": true,
350 "debugClient": false,
351 "disableRegistration": true,
352 "noCDN": true,
353 "key": "/home/pumpio/pump.iankelling.org-domain.key",
354 "cert": "/home/pumpio/pump.iankelling.org-chained.pem",
355 "address": "localhost",
356 "sockjs": false
357 }
358 EOF
359 s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
360
361 # jessie\'s node is too old
362 # https://nodejs.org/en/download/package-manager/
363 curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
364 pi nodejs
365 cd /home/ian
366 rm -rf pump.io.git
367 git clone https://github.com/pump-io/pump.io.git
368 cd pump.io
369 # note: doing this or the npm install pump.io as root had problems.
370 npm install
371 npm run build
372 # normally, next command would be
373 # s npm install -g databank-mongodb
374 # but it\'s this until a bug in pump gets fixed
375 s npm install -g databank-mongodb@0.19.2
376 s useradd -m -s /bin/false pumpio
377 sudo -u pumpio mkdir -p /home/pumpio/pumpdata
378 # for testing browser when only listening to localhost,
379 # in the pump.io.json, set hostname localhost, urlPort 5233
380 #ssh -L 5233:localhost:5233 li
381 acme-tiny-wrapper -c /home/pumpio pump.iankelling.org
382
383 s mkdir -p /var/log/pumpio/
384 s chown pumpio:pumpio /var/log/pumpio/
385
386 apache-site -c /home/pumpio - pump.iankelling.org <<'EOF'
387 # currently a bug in pump that we cant terminate ssl
388 SSLProxyEngine On
389 ProxyPreserveHost On
390 ProxyPass / https://127.0.0.1:8001/
391 ProxyPassReverse / https://127.0.0.1:8001/
392 # i have sockjs disabled per people suggesting that
393 # it won\'t work with apache right now.
394 # not sure if it would work with this,
395 # but afaik, this is pointless atm.
396 <Location /main/realtime/sockjs/>
397 ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
398 ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
399 </Location>
400 EOF
401
402 s dd of=/etc/systemd/system/pump.service <<'EOF'
403 [Unit]
404 Description=pump.io
405 After=syslog.target network.target
406
407 [Service]
408 Type=simple
409 User=pumpio
410 Group=pumpio
411 ExecStart=/home/ian/pump.io/bin/pump
412 Environment=NODE_ENV=production
413 # failed to find databank-mongodb without this.
414 # I just looked at my environment variables took a guess.
415 Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
416
417 [Install]
418 WantedBy=multi-user.target
419 EOF
420 ser daemon-reload
421 sgo pump
422 ########## end pump.io setup ############
423
424
425 ############# begin setup mastodon ##############
426
427 # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
428 pi software-properties-common
429 curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
430 sudo add-apt-repository \
431 "deb [arch=amd64] https://download.docker.com/linux/debian \
432 $(lsb_release -cs) \
433 stable"
434 p update
435 pi docker-ce
436 sgo docker
437 # this may not be needed
438 ser start docker
439
440 curl -L https://github.com/docker/compose/releases/download/1.12.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
441 s chmod +x /usr/local/bin/docker-compose
442
443 # i subscrubed to https://github.com/docker/compose/releases.atom
444 # to deal with updates manually.
445
446 cd ~
447 i clone https://github.com/tootsuite/mastodon
448 cd mastodon
449 # https://github.com/tootsuite/mastodon/tree/v1.1.2
450 # subbed to atom feed to deal with updates
451 i co v1.1.2
452
453 # per instructions, uncomment redis/postgres persistence in docker-compose.yml
454 sed -i 's/^#//' docker-compose.yml
455
456 cat >.env.production <<'EOF'
457 REDIS_HOST=redis
458 REDIS_PORT=6379
459 DB_HOST=db
460 DB_USER=postgres
461 DB_NAME=postgres
462 DB_PASS=
463 DB_PORT=5432
464
465 LOCAL_DOMAIN=mast.iankelling.org
466 LOCAL_HTTPS=true
467
468 SINGLE_USER_MODE=true
469
470 SMTP_SERVER=10.8.0.4
471 SMTP_PORT=25
472 SMTP_LOGIN=li
473 SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
474 SMTP_DOMAIN=mast.iankelling.org
475 SMTP_DELIVERY_METHOD=smtp
476 EOF
477
478 for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
479 printf "%s=%s" $key "$(docker-compose run --rm web rake secret)" >>.env.production
480 done
481 s cat /etc/mailpass| while read -r domain port pass; do
482 if [[ $domain == mail.iankelling.org ]]; then
483 printf "SMTP_PASSWORD=%s" "$pass" >>.env.production
484 break
485 fi
486 done
487
488
489
490 docker-compose run --rm web rails assets:precompile
491
492 # docker daemon takes care of starting on boot.
493 docker-compose up -d
494
495 acme-tiny-wrapper mast.iankelling.org
496 s a2enmod proxy_wstunnel headers
497 apache-site -f 3000 - mast.iankelling.org <<'EOF'
498 ProxyPreserveHost On
499 RequestHeader set X-Forwarded-Proto "https"
500 ProxyPass /500.html !
501 ProxyPass /oops.png !
502 ProxyPass /api/v1/streaming/ ws://localhost:4000/
503 ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
504 ErrorDocument 500 /500.html
505 ErrorDocument 501 /500.html
506 ErrorDocument 502 /500.html
507 ErrorDocument 503 /500.html
508 ErrorDocument 504 /500.html
509 EOF
510
511
512 ############### !!!!!!!!!!!!!!!!!
513 ############### manual steps:
514
515 # only following 2 people atm, so not bothering to figure out backups
516 # when mastodon has not documented it at all.
517 #
518 # fsf@status.fsf.org
519 # cwebber@toot.cat
520 # dbd@status.fsf.org
521 # johns@status.fsf.org
522
523 # sign in page is at https://mast.iankelling.org/auth/sign_in
524 # register as iank, then
525 # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
526 # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
527
528 ############# end setup mastodon ##############
529
530 echo "$0: $(date): ending now)"
531 exit 0
532 ;;
533 esac
534
535
536 ########### end section including li/lj ###############
537
538 # pump.io periodic backup
539 if [[ $HOSTNAME == treetowl ]]; then
540 s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
541 [Unit]
542 Description=pump li backup
543 After=multi-user.target
544
545 [Service]
546 User=ian
547 Type=oneshot
548 ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
549 EOF
550
551 s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
552 [Unit]
553 Description=pump li backup hourly
554
555 [Timer]
556 OnCalendar=hourly
557
558 [Install]
559 WantedBy=timers.target
560 EOF
561 s systemctl daemon-reload
562 sgo pumpbackup.timer
563 fi
564
565 case $distro in
566 debian|ubuntu)
567 # suggests because we want the resolvconf package.
568 # todo: check other distros to make sure it\'s installed
569 pi-nostart --install-suggests openvpn
570 # pi-nostart does not disable
571 ser disable openvpn
572 ;;
573 *) pi openvpn;;
574 esac
575
576 if private-host; then
577 vpn-mk-client-cert -n mail li
578 cn=$(s openssl x509 -noout -nameopt multiline -subject \
579 -in /etc/openvpn/client/mail.crt | \
580 sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
581 echo "ifconfig-push 10.8.0.4 255.255.255.0" | \
582 ssh root@li dd of=/etc/openvpn/client-config/"$cn"
583 fi
584 ser enable mailroute
585 if [[ $HOSTNAME == treetowl ]]; then
586 # note, this will need to be changed when the mail/contacts host changes
587 sgo openvpn-client@mail
588 /a/bin/distro-setup/radicale-setup
589 fi
590
591 ## android studio setup
592 # this contains the setting for android sdk to point to
593 # /a/opt/androidsdk, which is asked upon first run
594 lnf /a/opt/.AndroidStudio2.2 ~
595 # android site says it needs a bunch of packages for ubuntu,
596 # but I googled for debian, and someone says you just need lib32stdc++6 plus the
597 # jdk
598 # https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
599 # see w.org for more android studio details
600 spa lib32stdc++6 default-jdk
601
602
603 if [[ $HOSTNAME == treetowl ]]; then
604 # It\'s simpler to just worry about running it in one place for now.
605 # I assume it would work to clone it\'s config to another non-phone
606 # and just run it in one place instead of the normal having a
607 # separate config. I lean toward using the same config, since btrfs
608 # syncs between comps.
609 case $distro in
610 arch) pi syncthing ;;
611 ubuntu|debian)
612 # testing has relatively up to date packages
613 if ! isdebian-testing; then
614 # based on error when doing apt-get update:
615 # E: The method driver /usr/lib/apt/methods/https could not be found.
616 pi apt-transport-https
617 # google led me here:
618 # https://apt.syncthing.net/
619 curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
620 s="deb http://apt.syncthing.net/ syncthing release"
621 if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then
622 echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list
623 p update
624 fi
625 fi
626 pi syncthing
627 ;;
628 esac
629 lnf -T /w/syncthing /home/ian/.config/syncthing
630 sgo syncthing@ian # runs as ian
631
632 # these things persist in ~/.config/syncthing, which I save in
633 # /w/syncthing (not in /p, because syncthing should continue to
634 # run on home server even when using laptop as primary device)
635 # open http://localhost:8384/
636 # change listen address from default to tcp://:22001,
637 # this is because we do port forward so it doesn\'t have to use
638 # some external server, but the syncthing is broken for port forward,
639 # you get a message, something "like connected to myself, this should not happen"
640 # when connecting to other local devices, so I bump the port up by 1,
641 # based on
642 # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
643 # Without this, it was being stuck syncing at 0%.
644 # Set gui username and password.
645 #
646 # install syncthing via f-droid,
647 # folder setting, turn off master folder (makes it read only).
648 # on phone, add device, click bar code icon
649 # on dekstop, top right, actions, device id
650 # after adding, notification will appear on desktop to confirm
651 #
652 # syncing folder. from phone to desktop: select desktop in the
653 # folder on phone\'s sync options, notification will appear in
654 # desktop\'s web ui within a minute. For the reverse, the
655 # notification will appear in android\'s notifications, you have to
656 # swipe down and tap it to add the folder. It won\'t appear in the
657 # syncthing ui, which would be intuitive, but don\'t wait for it
658 # there.
659 #
660 # On phone, set settings to run syncthing all the time, and
661 # show no notification.
662 #
663 # Folder versioning would make sense if I didn\'t already use btrfs
664 # for backups. I would choose staggered, or trash can for more space.
665 #
666 # if needed to install on a remote comp:
667 # ssh -L 8384:localhost:8384 -N frodo
668 # open http://localhost:8384/
669 #
670 # Note, the other thing i did was port forward port 22000,
671 # per https://docs.syncthing.net/users/firewall.html
672 fi
673
674
675
676 # no equivalent in other distros:
677 case $distro in
678 debian|ubuntu)
679 # for gui bug reporting
680 spa python-vte
681 ;;
682 esac
683
684
685 ####### misc packages ###########
686
687 if [[ $HOSTNAME == treetowl ]]; then
688 case $distro in
689 debian|ubuntu)
690 # note i had to do this, which is persistent:
691 # cd /i/k
692 # s chgrp debian-transmission torrents partial-torrents
693
694 # syslog says things like
695 # 'Failed to set receive buffer: requested 4194304, got 425984'
696 # google suggets giving it even more than that
697 tu /etc/sysctl.conf<<'EOF'
698 net.core.rmem_max = 67108864
699 net.core.wmem_max = 16777216
700 EOF
701 s sysctl -p
702
703 # some reason it doesn\'t seem to start automatically anyways
704 pi-nostart transmission-daemon
705
706 # the folder was moved here after an install around 02/2017.
707 # it contains runtime data,
708 # plus a simple symlink to the config file which it\'s
709 # not worth separating out.
710 s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
711 #
712 # config file documented here, and it\'s the same config
713 # for daemon vs client, so it\'s documented in the gui.
714 # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
715 #
716 # I originaly setup rpc-whitelist, but after using
717 # routing to a network namespace, it doesn\'t see the
718 # real source address, so it\'s disabled.
719 #
720 # Changed the cache-size to 256 mb, reduces disk use.
721 # It is a read & write cache.
722 #
723 s ruby <<'EOF'
724 require 'json'
725 p = '/etc/transmission-daemon/settings.json'
726 File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
727 'rpc-whitelist-enabled' => false,
728 'rpc-authentication-required' => false,
729 'incomplete-dir' => '/i/k/partial-torrents',
730 'incomplete-dir-enabled' => true,
731 'download-dir' => '/i/k/torrents',
732 "speed-limit-up" => 800,
733 "speed-limit-up-enabled" => true,
734 "peer-port" => 61486,
735 "cache-size-mb" => 256,
736 "ratio-limit" => 5.0,
737 "ratio-limit-enabled" => true,
738 })) + "\n")
739 EOF
740
741 # make sure its not enabled, not sure if this is needed
742 ser disable transmission-daemon
743 sgo transmission-daemon-nn
744 ;;
745 # todo: others unknown
746 esac
747 fi
748
749 # adapted from /var/lib/dpkg/info/transmission-daemon.postinst
750 if ! getent passwd debian-transmission > /dev/null; then
751 case $distro in
752 arch)
753 s useradd \
754 --system \
755 --create-home \
756 --home-dir /var/lib/transmission-daemon \
757 --shell /bin/false \
758 debian-transmission
759 ;;
760 *)
761 s adduser --quiet \
762 --system \
763 --group \
764 --no-create-home \
765 --disabled-password \
766 --home /var/lib/transmission-daemon \
767 debian-transmission
768 ;;
769 esac
770 fi
771
772 # dunno why it\'s there, but get rid of it
773 case $HOSTNAME in
774 li|lj) s rm -rf /home/linode ;;
775 esac
776
777 # arch had a default config,
778 # debian had nothing until you start it.
779 # With a little trial an error, here is a minimal config
780 # taken from the generated one, plus changes that the
781 # settings ui does, without a bunch of ui crap settings.
782 #
783 # only settings I set were
784 # hostname
785 # auto-connect
786 # password
787
788
789 # the password is randomly generated on first run
790 rpc_pass=$(s ruby <<'EOF'
791 require 'json'
792 p = '/etc/transmission-daemon/settings.json'
793 puts JSON.parse(File.read(p))["rpc-password"]
794 EOF
795 )
796
797 for f in /home/*; do
798 d=$f/.config/transmission-remote-gtk
799 u=${f##*/}
800 s -u $u mkdir -p $d
801 s -u $u dd of=$d/config.json <<EOF
802 {
803 "profiles" : [
804 {
805 "profile-name" : "Default",
806 "hostname" : "transmission",
807 "rpc-url-path" : "/transmission/rpc",
808 "username" : "",
809 "password" : "$rpc_pass",
810 "auto-connect" : true,
811 "ssl" : false,
812 "timeout" : 40,
813 "retries" : 3,
814 "update-active-only" : false,
815 "activeonly-fullsync-enabled" : false,
816 "activeonly-fullsync-every" : 2,
817 "update-interval" : 3,
818 "min-update-interval" : 3,
819 "session-update-interval" : 60,
820 "exec-commands" : [
821 ],
822 "destinations" : [
823 ]
824 }
825 ],
826 "profile-id" : 0,
827 "add-options-dialog" : false
828 }
829 EOF
830 done
831
832 pi wget
833 case $HOSTNAME in
834 tp|frodo)
835 case $distro in
836 debian|ubuntu)
837 log=$(mktemp)
838 cd /a/opt
839 wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
840 errallow
841 set -o pipefail
842 s dpkg -i google-chrome-stable_current_amd64.deb |& tee $log
843 code=$?
844 errcatch
845 case $code in
846 0) : ;;
847 *)
848 # previously I had a more specific search, but dpkg
849 # changed it\'s output as of 7/2016
850 if grep 'dependency problems' \
851 $log &>/dev/null; then
852 s apt-get -fy install
853 else
854 exit 1
855 fi
856 ;;
857 esac
858 ;;
859 arch)
860 pi google-chrome
861 ;;
862 esac
863 ;;
864 esac
865
866 # printer
867 case $distro in
868 arch)
869 pi cups ghostscript gsfonts # from arch wiki cups page
870 pi hplip # from google
871 s gpasswd -a $USER sys # from arch wiki
872 sgo org.cups.cupsd.service
873 # goto http://127.0.0.1:631
874 # administration tab, add new printer button.
875 # In debian, I could use hte recommended driver,
876 # in arch, I had to pick out the 6L driver.
877 ;;
878 debian|ubuntu)
879 spa hplip
880 ;;
881 # other distros unknown
882 esac
883
884
885 case $distro in
886 ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
887 fedora|arch) spa mairix notmuch ;;
888 esac
889 case $distro in
890 arch) spa nfs-utils ;;
891 ubuntu|debian) spa nfs-client ;;
892 esac
893 case $distro in
894 ubuntu|debian) spa par2 ;;
895 arch|fedora) spa par2cmdline ;;
896 esac
897
898 # needed for my tex resume
899 case $distro in
900 ubuntu|debian) spa texlive-full ;;
901 arch) spa texlive-most ;;
902 # fedora unknown
903 esac
904
905 case $distro in
906 ubuntu)
907 # flash, unrar, codecs, ms fonts.
908 # This has a manual prompt.
909 spa ubuntu-restricted-extras
910 ;;
911 fedora)
912 pi yum-utils
913 # rpm fusion recommended codecs
914 s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
915 pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
916 xine-lib-extras-freeworld
917 ;;
918 esac
919
920 case $distro in
921 # optional dep for firefox for h.264 video
922 arch) spa gst-libav ;;
923 # other distros, probably come by default
924 esac
925
926 case $distro in
927 fedora|ubuntu|debian) spa gnupg-agent ;;
928 arch) : ;;
929 esac
930
931
932 case $distro in
933 fedora) spa pinentry-gtk ;;
934 *) : ;; # comes default or with other packages
935 esac
936
937 case $distro in
938 arch) spa firefox pulseaudio;;
939 *) : ;; # comes default or with other packages
940 esac
941
942
943 case $distro in
944 arch) spa ttf-dejavu;;
945 debian|ubuntu) spa fonts-dejavu ;;
946 # others unknown
947 esac
948
949
950 case $distro in
951 arch) spa xorg-xev;;
952 debian|ubuntu) spa x11-utils ;;
953 # others unknown
954 esac
955
956 case $distro in
957 arch) pi virt-install;;&
958 debian|ubuntu) pi virtinst ;;&
959 *) pi virt-manager ;; # creates the libvirt group in debian at least
960 # others unknown
961 esac
962 # allow user to run vms, from debian handbook
963 for x in ian traci; do s usermod -a -G libvirt,kvm $x; done
964 # bridge networking as user fails. google lead here, but it doesn\'t work:
965 # oh well, I give up.
966 # http://wiki.qemu.org/Features-Done/HelperNetworking
967 # s mkdir /etc/qemu
968 # f=/etc/qemu/bridge.conf
969 # s dd of=$f <<'EOF'
970 # allow br0
971 # EOF
972 # #s chown root:qemu $f # debian has somethig like qemu-libvirt. equivalent?
973 # s chmod 640 $f
974
975
976 case $distro in
977 arch) spa cdrkit;;
978 debian|ubuntu) spa genisoimage;;
979 # others unknown
980 esac
981
982 case $distro in
983 arch) spa spice-gtk3 ;;
984 debian|ubuntu) spa spice-client-gtk;;
985 # others unknown
986 esac
987
988 # general known for debian/ubuntu, not for fedora
989
990 case $distro in
991 debian|ubuntu)
992 pi golang-go
993 # a bit of googling, and added settings to bashrc
994 go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
995 ;;
996 # others unknown
997 esac
998
999
1000 case $distro in
1001 arch)
1002 # cdrkit for cloud-init isos
1003 # dnsmasq & ebtables for nat networking in libvirt
1004 # qemu for qemu-img, bind-tools for dig
1005 # dmidecode just because syslog complains
1006 pi unzip xorg-xmodmap dmidecode ebtables\
1007 bridge-utils dnsmasq qemu bind-tools
1008 # otherwise we get error about accessing kvm module.
1009 # seems like there might be a better way, but google was a bit vague.
1010 s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
1011 echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
1012 # https://bbs.archlinux.org/viewtopic.php?id=206206
1013 # # this should prolly go in the wiki
1014 sgo virtlogd.socket
1015 # guessing this is not needed
1016 #sgo virtlogd.service
1017 sgo libvirtd
1018
1019 ;;
1020 esac
1021
1022 case $distro in
1023 arch) pi virtviewer ;;
1024 *) : ;; # other distros have it as a dependency afaik.
1025 esac
1026
1027
1028
1029 case $distro in
1030 fedora) cabal install shellcheck ;;
1031 *) spa shellcheck ;;
1032 # unknown for older ubuntu
1033 esac
1034
1035
1036 case $distro in
1037 arch|debian|ubuntu) spa pumpa ;;
1038 # others unknown. do have a buildscript:
1039 # /a/bin/buildscripts/pumpa ;;
1040 esac
1041
1042
1043 case $distro in
1044 debian|ubuntu) spa android-tools-adbd/unstable ;;
1045 arch) spa android-tools ;;
1046 # other distros unknown
1047 esac
1048
1049 if [[ $HOSTNAME == treetowl ]]; then
1050 case $distro in
1051 debian)
1052 if [[ `debian-archive` == testing ]]; then
1053 # has no unstable dependencies
1054 pi bitcoind/unstable
1055 src=/a/opt/bitcoin/contrib/init/bitcoind.service
1056 s cp $src /etc/systemd/system
1057 p=/etc/bitcoin/bitcoin
1058 dst=/etc/systemd/system/bitcoinjm.service
1059 # jm for joinmarket
1060 $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \
1061 >/etc/systemd/system/bitcoinjm.service
1062
1063 d=jm; jm=d # being clever for succinctness
1064 for s in d jm; do
1065 s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
1066 /etc/systemd/system/bitcoin${s}.service
1067 done
1068
1069 ser daemon-reload
1070
1071 dir=/nocow/.bitcoin
1072 s mkdir -p $dir
1073 s chown -R bitcoin:bitcoin $dir
1074 dir=/etc/bitcoin
1075 s mkdir -p $dir
1076 s chown -R root:bitcoin $dir
1077 s chmod 750 $dir
1078
1079 # pruning decreases the bitcoin dir to 2 gb, keeps
1080 # just the recent blocks. can\'t do a few things like
1081 # import a wallet dump.
1082 # pruning works, but people had to do
1083 # some manual stuff in joinmarket. I dun need the
1084 # disk space, so not bothering yet, maybe in a year or so.
1085 # https://github.com/JoinMarket-Org/joinmarket/issues/431
1086 #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
1087 #prune=550
1088
1089 f=$dir/bitcoin.conf
1090 s dd of=$f <<EOF
1091 server=1
1092 rpcpassword=$(openssl rand -base64 32)
1093 rpcuser=$(openssl rand -base64 32)
1094 EOF
1095
1096
1097 f2=$dir/bitcoinjm.conf
1098 s cp $f $f2
1099 s tee -a $f2 >/dev/null <<EOF
1100 # Joinmarket
1101 walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
1102 alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
1103 wallet=joinmarket.dat
1104 EOF
1105 # dunno about sharing a wallet between multiple instances
1106 # manually did, wallet.dat symlinked in /nocow/.bitcoin
1107 sgo bitcoind
1108 fi
1109 ;;
1110 # other distros unknown
1111 esac
1112 pi libsodium-dev python-pip
1113 cd /a/opt/joinmarket
1114 # using develop branch, as it seems to be mostly bug fixes,
1115 # and this is quite new software.
1116 # note: python3 does not work.
1117 # has seg fault error due to some bug, but it still works
1118 pip install -r requirements.txt || [[ $? == 139 ]]
1119 # note, the target must exist ahead of time, or bitcoin
1120 # just overwrites the link, and it\'s not happy with an empty file,
1121 # so we have to create the wallet, then move and link it.
1122 s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
1123 s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
1124 # not technically needed, but seems cleaner not to have
1125 # symlinks be root owned unlike everything else
1126 s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
1127
1128 for var in rpcuser rpcpassword; do
1129 u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
1130 # escape backslashes
1131 u="${u//\\/\\\\\\\\}"
1132 # escape commas
1133 u="${u//,/\\,}"
1134 sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
1135 done
1136 sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
1137
1138 fi
1139
1140
1141
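# GNU global (gtags). Fedora builds it from source; everything else takes the
# distro package. `;;&` after the `*)` arm keeps matching the later patterns,
# so arch/debian/ubuntu also get their pygments package.
case $distro in
  fedora)
    # based on https://github.com/leoliu/ggtags
    global_ver=6.3.2
    global_tarball=global-$global_ver.tar.gz
    # The tarball comes over plain http and is installed as root, with no
    # signature check. Set GLOBAL_SHA256 to the known-good sha256 of the
    # tarball to pin it; when unset we only warn, as before.
    global_sha256=${GLOBAL_SHA256:-}
    # `cd $(mktemp -d)` silently became `cd` (home dir) if mktemp failed, so
    # check both steps explicitly.
    build_dir=$(mktemp -d) || exit 1
    cd "$build_dir" || exit 1
    wget "http://tamacom.com/global/$global_tarball"
    if [[ -n $global_sha256 ]]; then
      # sha256sum -c expects "<hash>  <file>"
      printf '%s  %s\n' "$global_sha256" "$global_tarball" | sha256sum -c - || exit 1
    else
      echo "$0: warning: GLOBAL_SHA256 unset, not verifying $global_tarball" >&2
    fi
    ex "$global_tarball"
    cd "global-$global_ver" || exit 1
    ./configure --with-exuberant-ctags=/usr/bin/ctags
    make
    s make install
    s pip install pygments
    ;;
  *)
    pi global
    ;;&
  arch)
    pi python2-pygments
    ;;
  debian|ubuntu)
    pi python-pygments
    ;;
esac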
1164
1165
# desktop environment: only debian is handled here, others unknown
if [[ $distro == debian ]]; then
  pi task-cinnamon-desktop
  # in settings, change scrolling to two-finger, because the default edge
  # scroll doesn't work.
  pu transmission-gtk
fi

# apg: already in debian jessie, only arch needs it added explicitly
if [[ $distro == arch ]]; then
  spa apg
fi
1181
1182
1183
1184
1185 # note this failed running at the beginning of this file,
1186 # because no systemd user instance was running.
1187 # Doing systemd --user resulted in
1188 # Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
1189
# synergy: as of 7/2016 it has no unstable deps and is not in testing
# anymore, so on debian testing pull it from unstable.
synergy_pkg=synergy
if isdebian-testing; then
  synergy_pkg=synergy/unstable
fi
pi "$synergy_pkg"
1196
1197 # case $distro in
1198 # # ubuntu unknown. probably the same as debian, just check if the
1199 # # init scripts come with the package.
1200 # debian)
1201 # # copied from arch, but moved to etc
1202 # s dd of=/etc/systemd/user/synergys.service <<'EOF'
1203 # [Unit]
1204 # Description=Synergy Server Daemon
1205 # After=network.target
1206
1207 # [Service]
1208 # User=%i
1209 # ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
1210 # Restart=on-failure
1211
1212 # [Install]
1213 # WantedBy=multi-user.target
1214 # EOF
1215 # s dd of=/etc/systemd/user/synergys.socket <<'EOF'
1216 # [Unit]
1217 # Conflicts=synergys@.service
1218
1219 # [Socket]
1220 # ListenStream=24800
1221 # Accept=false
1222
1223 # [Install]
1224 # WantedBy=sockets.target
1225 # EOF
1226 # # had this fail with 'Failed to connect to bus: No such file or directory'
1227 # # then when I tried it manually, it worked fine...
1228 # if ! systemctl --user daemon-reload; then
1229 # sleep 2
1230 # echo retrying systemd user daemon reload
1231 # systemctl --user daemon-reload
1232 # fi
1233 # ;;&
1234 # *)
1235 # # taken from arch wiki.
1236 # s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
1237 # [Unit]
1238 # Description=Synergy Client
1239 # After=network.target
1240
1241 # [Service]
1242 # User=%i
1243 # ExecStart=/usr/bin/synergyc --no-daemon frodo
1244 # Restart=on-failure
1245 # # per man systemd.unit, StartLimitInterval, by default we
1246 # # restart more than 5 times in 10 seconds.
# # And this param defaults to 200 milliseconds.
1248 # RestartSec=3s
1249
1250 # [Install]
1251 # WantedBy=multi-user.target
1252 # EOF
1253 # s systemctl daemon-reload
1254 # case $HOSTNAME in
1255 # x2|treetowl)
1256 # ser enable synergyc@ian
1257 # ser start synergyc@ian ||: # X might not be running yet
1258 # ;;
1259 # frodo)
1260 # systemctl --user start synergys ||:
1261 # systemctl --user enable synergys
1262 # ;;
1263 # esac
1264 # ;;
1265 # esac
1266
1267
1268 ######### end misc packages #########
1269
1270
# packages I once used before and liked, but don't want installed now for
1272 # various reasons:
1273 # python-sqlite is used for offlineimap
1274 # lxappearance python-sqlite dolphin paman dconf-editor
1275
1276
1277
1278 ######## unfinished
1279
1280 # todo, finish configuring smart.
1281
pi smartmontools
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# turn on smart. background on options:
# -a = test everything on all devices.
# -S on, turn on disk internal saving of vendor specific info,
# from google, seems like this is usually already on and fairly standard.
# -o on, turn on 4 hour period non-performance degrading testing.
# short test daily 2-3am, extended tests Saturdays between 3-4am:
sched="-s (S/../.././02|L/../../6/03)"
# the whole DEVICESCAN directive that replaces the stock one in smartd.conf
smartd_directive="DEVICESCAN -a -o on -S on -n standby,q $sched -m ian@iankelling.org -M exec /usr/local/bin/smart-notify"
s sed -i --follow-symlinks "s#^[[:space:]]*DEVICESCAN.*#$smartd_directive#" /etc/smartd.conf
1294
1295 # in the default configuration of at least ubuntu 14.04, resolvconf is
1296 # configured to order any nameservers associated with tun* or tap*
1297 # before the normal internet interfaces, which means they are always
1298 # consulted first. This is often slower and undesirable, ie. local dns
1299 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
1300 # can do:
1301 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
1302 # however, this breaks dns lookup for hosts on the openvpn lan.
# I can't figure out why hosts on the normal lan would not be
1304 # broken under the default ordering, except the host I was
1305 # testing with previously had an entry in /etc/hosts.
1306
1307 ############# end unfinished
1308
1309 ########### misc stuff
1310
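# Devices backing /boot (by-id paths), for the grub-pc install_devices
# debconf answer. Read line by line instead of word-splitting the command
# output, and quote the device names.
devs=()
while IFS= read -r dev; do
  [[ -n $dev ]] || continue
  devs+=("$(devbyid "$dev")")
done < <(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p')

if (( ${#devs[@]} == 0 )); then
  # the old `devs[-1]=...` trick died with "bad array subscript" here
  echo "$0: warning: no devices found for /boot, leaving grub-pc/install_devices alone" >&2
else
  # debconf multiselect wants the values joined by ", "
  devs_joined=$(printf '%s, ' "${devs[@]}")
  devs_joined=${devs_joined%, }

  # on grub upgrade, we get prompts unless we do this
  s debconf-set-selections <<EOF
grub-pc grub-pc/install_devices multiselect $devs_joined
EOF
fi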
1321
1322
1323 # the wiki backup script from ofswiki.org uses generic paths
# the wiki backup script from ofswiki.org expects these under /root
for wiki_path in /p/c/machine_specific/li/mw_vars /k/backup/wiki_backup; do
  s lnf "$wiki_path" /root
done
1326
# goaccess config for the apache access log. cedit is a project helper;
# the `|| [[ $? == 1 ]]` suggests it returns 1 when it changed the file
# and that this is not an error here -- TODO confirm against cedit itself.
s cedit /etc/goaccess.conf <<'EOF' || [[ $? == 1 ]]
# all things found from looking around the default config
# copied existing NCSA Combined Log Format with Virtual Host, plus %L
log-format %^:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %D
time-format %H:%M:%S
date-format %d/%b/%Y
log-file /var/log/apache2/access.log
color-scheme 2

# tip: copy access.log files to a stretch host directory, then run
# jessie's goaccess is too old for some options, and it\'s
# not easily installed from a testing.
# goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
EOF
1341
1342
# unison: on debian/ubuntu stable, pin unison-gtk to testing
case $distro in
  debian|ubuntu)
    if [[ $(debian-archive) == stable ]]; then
      s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
Explanation: Allow unison-gtk to be upgraded
Package: unison-gtk
Pin: release a=testing
Pin-Priority: 500
EOF
      # using testing is probably no longer needed now that mismatching
      # unison compilers are dealt with, but there is no reason to revert
      # it: it only installs a single package that is primarily one binary
    fi
    pi unison/testing
    # installed after unison so it becomes the default unison
    pi unison-gtk/testing
    ;;
  arch)
    pi unison gtk2
    ;;
esac
1366
# libao output driver on arch: the default is alsa, which doesn't work
# with pianobar
if [[ $distro == arch ]]; then
  s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
fi
1375
1376 # note, for jessie, it depends on a higher version of btrfs-tools.
1377 #
1378 # # disabled due to my patch being in btrbk
1379 # case $distro in
1380 # arch|debian|ubuntu) pi btrbk ;;
1381 # # others unknown
1382 # esac
# btrbk from the local checkout (carries my patch)
cd /a/opt/btrbk
s make install
spa pv # progress bar when btrbk runs interactively
case $HOSTNAME in
  treetowl)
    sgo btrbk.timer
    # note: to see when it was last run: ser list-timers
    ;;
  *)
    # backup/sync manually on other hosts for now.
    ;;
esac
1392
# fail2ban is broken on testing, with a workaround, per
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
# waiting a while to see if it gets fixed before enabling it there
if [[ $HOSTNAME == treetowl && $(debian-archive) != testing ]]; then
  pi fail2ban
  sgo fail2ban
fi
1400
1401
1402
1403
1404
# adm group membership is needed for reading logs on debian/ubuntu
if [[ $distro == debian || $distro == ubuntu ]]; then
  s gpasswd -a ian adm
fi
1408
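# tor
# based on
# https://www.torproject.org/docs/rpms.html.en
# https://www.torproject.org/docs/debian.html.en
# todo: figure out if the running service needs to be restarted upon updates
# todo on fedora: setup non-dev packages

# Full fingerprint of the deb.torproject.org archive key (from the debian
# page above). Fetch by the full fingerprint rather than the 32-bit short
# id 886DDD89: short ids are trivially collidable on public keyservers, and
# `gpg --export <fingerprint>` of a colliding key would export nothing.
tor_deb_key_fpr=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89

case $distro in
  fedora)
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF
    # Both the repo and its gpgkey are fetched over plain http, so gpgcheck=1
    # is only as good as the key import: when the install prompts to import
    # the key, compare the fingerprint it shows with the one from the rpms
    # page above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    gpg --keyserver keys.gnupg.net --recv-keys "$tor_deb_key_fpr"
    gpg --export "$tor_deb_key_fpr" | sudo apt-key add -
    p update
    # presumably keeps the archive key current from here on
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
esac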
1460
# nfs server
if [[ $distro == fedora ]]; then
  end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration


EOF
  pi nfs-utils
  sgo nfs-server
elif [[ $distro == debian || $distro == ubuntu ]]; then
  pi nfs-server
elif [[ $distro == arch ]]; then
  # the install can leave the kernel modules out of reach until a reboot
  pi nfs-utils || pending_reboot=true
  sgo rpcbind
  # this failed until I rebooted
  sgo nfs-server
fi
1494
case $HOSTNAME in
  treetowl)
    # nohide = export filesystems mounted deeper than the export point
    # fsid=0 makes this export the "root" export
    # not documented in the man page, but this means
    # 1. it can be mounted with a shorthand of server:/
    # 2. exports that are subdirectories of this one will automatically be mounted
    # no_root_squash lets root on any 192.168.1.0/24 client act as root on
    # /k, insecure accepts mounts from non-privileged source ports, and async
    # acknowledges writes before they hit disk: this trusts every host on
    # that /24.
    tu /etc/exports <<'EOF'
/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
    s exportfs -rav
    ;;
esac
1506
1507
# print whatever the end_msg calls above collected
e "$end_msg_var"


# persistent virtual machines

if [[ $distro == debian || $distro == ubuntu ]]; then
  pi libosinfo-bin
fi

# distro may not know about win 10 yet: pick the newest windows variant the
# local osinfo database lists, falling back to win7.
variant=win7
# a newer virt-install rejects `--os-variant list`; only then is osinfo-query
# available to consult
if ! virt-install --os-variant list &>/dev/null; then
  for v in 10 8.1 8; do
    # escape the dot in "8.1" for the regex
    variant_re="^\s*win${v/./\\.}\s"
    if osinfo-query os | gr "$variant_re" &>/dev/null; then
      variant=win$v
      break
    fi
  done
fi
1529
# Define the windows VMs once, if libvirt does not know win10 yet (win7 is
# only defined on that same occasion). Each VM is imported and then
# destroyed right away, so this only defines them, it does not leave them
# running.
if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then

# created account with
# win10vmian@outlook.com, and easy to remember password
# win 10 virtio, makes disk way way way faster
# wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
# https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
# for installing virtio after initial install instead of with initial iso:
# qemu-img create -f qcow2 fake.qcow2 1G
# --disk=/a/images/virtio-win.iso,device=cdrom \
# --disk=/a/images/fake.qcow2,bus=virtio
# Also,
# went to device manager, saw 2 pci devices with yellow !,
# did search for drivers, pick cdrom location, done.
#
# from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
# google said there was a control panel option for it, but
# that turned out to be a lie.
# Put this in a .bat file and run as administrator to turn off
# hiberboot (fast startup), which breaks things.
# REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
# power settings, turn off display: never
# run "control userpasswords2", turn on automatic login.
# note: when changing devices, I just undefine, then create the vm again.

# NOTE(review): the existence check looks at /nocow/user/vms/win10.qcow2 but
# the domain is defined with --disk=/a/images/win10.qcow2; presumably one is
# a symlink to the other -- confirm, otherwise the check guards a different
# file than the one used.
# NOTE(review): --graphics spice,listen=0.0.0.0 with no password= makes the
# VM console reachable from every interface on the host; listen=127.0.0.1
# (reached over ssh forwarding) or a spice password would limit that.
if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
--disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
-n win10 --import --os-variant $variant --cpu host-model-only

# stop it again: the point here is only to define the domain
s virsh destroy win10
fi

# same path mismatch and listen=0.0.0.0 remarks as for win10 apply here
if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
# this one hasn't had the virtio fix done yet, hence no bus=virtio.
s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
--disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
-n win7 --import --os-variant win7 --cpu host-model-only
s virsh destroy win7
# had a problem with --cpu host, so trying out
# --cpu host-model-only
fi
fi
1573
1574
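if [[ $HOSTNAME == treetowl ]]; then
  pi samba
  # note: samba re-reads its config every 1 minute
  case $distro in
    arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
  esac

  # Add 2 lines after the workgroup option. Delete any existing copies first
  # so re-running this script does not accumulate duplicates.
  s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
  s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
  s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
  # Remove the default [homes] section; not sharing that. The range runs from
  # the [homes] header to the next section header, and that next header must
  # survive: a bare range `d` deleted it too, so the section after [homes]
  # silently merged into the one before it.
  s sed -ri --follow-symlinks '/^\s*\[homes\]/,/^\s*\[/{/^\s*\[homes\]/d;/^\s*\[/!d}' /etc/samba/smb.conf

  # Guest-writable share: "guest ok = yes" with "read only = no" lets anyone
  # who can reach smbd write to /kr, and "map to guest = bad password" above
  # turns a wrong password into a guest login instead of a failure. This
  # relies on the host sitting only on the trusted LAN.
  if ! grep -qxF '[public]' /etc/samba/smb.conf; then
    s tee -a /etc/samba/smb.conf <<'EOF'
[public]
guest ok = yes
read only = no
path = /kr
EOF
  fi

  case $distro in
    debian|ubuntu)
      # systemd claims it generates units from /etc/init.d, but on debian
      # the samba unit is linked to /dev/null and the sub-services were not
      # started on install. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714
      # claims systemd starts them automatically (unclear whether it does on
      # boot) and shows how to start them manually, which is what this does.
      # Nothing in /usr/share/doc/samba or the debian admin guide covers it
      # (debian testing as of 4/2016).
      s /etc/init.d/samba start
      ;;
    arch)
      sgo samba
      ;;
  esac
fi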
1618
# make the machine's own name resolve locally
local_hostname=$(hostname)
tu /etc/hosts <<< "127.0.1.1 $local_hostname.lan $local_hostname"


######### begin stuff belonging at the end ##########


# Apps we want to override others for default file handler:
# simplest way in debian is to just install them last.
simple_packages+=(mpv)

case $distro in
  ubuntu|debian) spa spacefm-gtk3 ;;
  arch) spa spacefm ;;
esac


# everything queued with spa / simple_packages gets installed here
pi "${simple_packages[@]}"
1640
1641
# pending_reboot is the literal string true or false (set by the arch nfs
# install above); reboot when asked to, otherwise log the finish.
if [[ $pending_reboot == true ]]; then
  echo "$0: pending reboot and then finished. doing it now."
  s reboot now
else
  echo "$0: $(date): ending now)"
fi