various fixes, internal mail server
1 #!/bin/bash -l
2 # Copyright (C) 2016 Ian Kelling
3
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7
8 # http://www.apache.org/licenses/LICENSE-2.0
9
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
# errcatch: project helper (presumably turns on error-exit behaviour — check
# the sourced library; errallow/errcatch are paired further down).
errcatch

# Trace every command. NOTE(review): with xtrace on, the expanded command
# lines and plain variable assignments are printed, so anything secret that
# passes through a command substitution or an assignment (the mumble
# password and the bitcoin rpc credentials later in this file) ends up in
# the log that exec sends to /var/log/distro-end; keep that file's
# permissions in mind.
set -x

# Mirror stdout and stderr into a root-owned log via sudo tee.
exec &> >(sudo tee -a /var/log/distro-end)
echo "$0: $(date): starting now)"

# Directory this script lives in (only the commented-out phab-setup line
# references it in view).
src="${BASH_SOURCE%/*}"
# Queue a block of text, read from stdin up to end-of-input, onto the global
# end_msg_var so it can be printed once the run is finished.
# Globals:   end_msg_var (appended)
# Arguments: none; the text comes from stdin (normally a heredoc)
end_msg() {
  local chunk
  # -d '' reads through to EOF; read then returns non-zero, which the ||:
  # swallows so errcatch does not abort the script here.
  if ! IFS= read -r -d '' chunk; then
    :
  fi
  end_msg_var+="$chunk"
}
30
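# simple package add: queue package names for the batched install that runs
# later (pi "${simple_packages[@]}", after which the array is emptied).
# Globals:   simple_packages (appended)
# Arguments: one or more package names
spa() {
  # "$@" keeps each argument as one array element; the unquoted $@ this used
  # to have re-split arguments on whitespace and expanded glob characters.
  simple_packages+=("$@")
}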
34
# distro-name: project helper; the value drives the case statements below.
distro=$(distro-name)

# Set to true by the arch nfs-utils install further down when the install
# reports failure and a reboot is expected to fix it.
pending_reboot=false

# template
case $distro in
esac

# pup: project helper (package update, presumably — confirm in the library).
pup

# Packages wanted on every host; drained by the batched pi call that follows
# the package selection section.
simple_packages=(
  htop
  mailutils
  nmon
  rdiff-backup
  ruby
  ruby-rest-client
  tree
  vim
  wcd
)
56
# The two public hosts (lj, li) skip the desktop/workstation set.
case $HOSTNAME in
  lj|li) : ;;
  *)
    # universal packages
    # swh-plugins is for karaoke pulsaudio filter.
    # mutagen for pithos
    simple_packages+=(
      apache2
      bwm-ng
      chromium
      debconf-doc
      duplicity
      eclipse
      evince
      fdupes
      filelight
      gcc-doc
      gdb
      gitk
      goaccess
      gnome-screenshot
      i3lock
      jq
      linux-doc
      locate
      manpages
      manpages-dev
      meld
      mumble
      nmap
      offlineimap
      p7zip
      paprefs
      pavucontrol
      pdfgrep
      pianobar
      pidgin
      python3-mutagen
      reportbug
      squashfs-tools
      swh-plugins
      tcpdump
      transmission-remote-gtk
      vlc
    )
    ;;
esac
104
105
106
107 ########### begin section including li ################
108
109
# Per-distro package selection. Helpers used here: spa (defined above) queues
# a package for the batched install at the end of this section; pi and sgo
# are project helpers (install now / enable+start a service, presumably —
# confirm in the sourced library).
case $distro in
  debian)
    if [[ `debian-archive` == testing ]]; then
      pi acme-tiny
    fi
esac

case $distro in
  fedora) spa unrar ;;
  *) spa unrar-free ;;
esac


case $distro in
  arch)
    # ubuntu 14.04 uses b-cron,
    # but its not maintained in arch.
    # of the ones in the main repos, cronie is only one maintained.
    # fcron appears abandoned software.
    pi cronie
    sgo cronie
    ;;
  *) : ;; # other distros come with cron.
esac


case $distro in
  debian|ubuntu)
    pi debian-goodies
    ;;
esac


# ;;& falls through, so arch runs both arms.
case $distro in
  *) pi at ;;&
  arch) sgo atd ;;
esac


case $distro in
  debian) pi curl;;
  arch) : ;;
  # fedora: unknown
esac

case $distro in
  # tk for gitk
  arch) spa git tk ;;
  *) spa git ;;
esac

case $distro in
  arch) spa the_silver_searcher ;;
  debian|ubuntu) spa silversearcher-ag ;;
  # fedora unknown
esac

case $distro in
  debian|ubuntu) spa ntp;;
  arch)
    pi ntp
    sgo ntpd
    ;;
  # others unknown
esac


# no equivalent in other distros:
case $distro in
  debian|ubuntu)
    pi apt-file aptitude
    s apt-file update
    # for debconf-get-selections
    spa debconf-utils
    ;;
esac

case $distro in
  ubuntu|debian) spa ack-grep ;;
  arch|fedora) spa ack ;;
  # fedora unknown
esac

case $distro in
  arch|debian|ubuntu)
    spa bash-completion
    ;;
  # others unknown
esac





# disable motd junk.
case $(distro-name) in
  debian)
    # allows me to pipe with ssh -t, and gets rid of spam
    # http://forums.debian.net/viewtopic.php?f=5&t=85822
    # i'd rather disable the service than comment the init file
    # this says disabling the service, it will still get restarted
    # but this script doesn't do anything on restart, so it should be fine
    s dd of=/var/run/motd.dynamic if=/dev/null
    # stretch doesn't have initscripts pkg installed by default
    if [[ $(debian-codename) == jessie ]]; then
      s update-rc.d motd disable
    fi
    ;;
  ubuntu)
    # this isn't a complete solution. It still shows me when updates are available,
    # but it's no big deal.
    s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
    ;;
esac

# automatic updates
# reference:
# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
# /etc/cron.daily/apt calls unattended-upgrades
# /usr/share/doc/unattended-upgrades# cat README.md
# /etc/apt/apt.conf.d/50unattended-upgrades
if isdebian; then
  setup-debian-auto-update
fi

# we've got a few dependencies later on, so install them now.
# Everything queued with spa so far is installed in one go, then the queue
# is reset so later spa calls accumulate a fresh batch.
pi "${simple_packages[@]}"
simple_packages=()
238
# website setup
# Only the two public hosts run this section; all others fall through.
case $HOSTNAME in
  lj|li)

    case $HOSTNAME in
      # NOTE: lj exits the whole script here, so nothing after this case
      # runs on that host.
      lj) domain=iank.bid; exit 0 ;;
      li) domain=iankelling.org ;;
    esac
    /a/h/setup.sh $domain
    /a/h/build.rb

    sudo -E /a/bin/mediawiki-setup/mw-setup-script
    #$src/phab-setup

    pi-nostart mumble-server
    # The server password is read from an unpublished file and spliced into
    # the sed replacement text. Two caveats: a '/', '&' or '\' in the
    # password is interpreted by sed instead of being copied literally, and
    # because set -x is on, the expanded command (password included) is
    # written to the xtrace log this script tees to /var/log/distro-end.
    s sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
    sgo mumble-server

    vpn-server-setup -d

    # Oneshot unit that DNATs inbound smtp (tcp/25 arriving on eth0) to the
    # vpn client at 10.8.0.4 while openvpn is up, and removes the rule on stop.
    sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
[Unit]
Description=Turns on iptables mail nat

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25
ExecStop=/sbin/iptables -t nat -D PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25

[Install]
WantedBy=openvpn.service
EOF
    ser daemon-reload
    ser enable vpnmail.service
    acme-tiny-wrapper mail.iankelling.org
    sgo openvpn


    echo "$0: $(date): ending now)"
    exit 0
    ;;
esac
282
283
284 ########### end section including li/lj ###############
285
# Mail client side of the vpn: issue a client cert named "mail" for li and
# pin its vpn address on the server. The CN is extracted from mail.crt
# (relative to the current directory — presumably written by
# vpn-mk-client-cert) and pasted unquoted into the remote command line;
# fine for a CN this script generates itself, but the remote shell would
# interpret any metacharacters in it.
if private-host; then
  vpn-mk-client-cert -n mail li
  echo "ifconfig-push 10.8.0.4 255.255.255.0" | ssh root@li dd of=/etc/openvpn/client-config/$(openssl x509 -noout -subject -in mail.crt | sed -r 's/.*CN *= *([^,]+).*/\1/')
fi
ser enable mailroute
if [[ $HOSTNAME == treetowl ]]; then
  # note, this will need to be changed when the mail host changes
  sgo openvpn-client@mail
fi
295
## android studio setup
# this contains the setting for android sdk to point to
# /a/opt/androidsdk, which is asked upon first run
# lnf: project helper (link, presumably forced — confirm in the library).
lnf /a/opt/.AndroidStudio2.2 ~
# android site says it needs a bunch of packages for ubuntu,
# but I googled for debian, and someone says you just need lib32stdc++6 plus the
# jdk
# https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
# see w.org for more android studio details
spa lib32stdc++6 default-jdk
306
307
case $distro in
  arch) pi syncthing ;;
  ubuntu|debian)
    # testing has relatively up to date packages
    if ! isdebian-testing; then
      # based on error when doing apt-get update:
      # E: The method driver /usr/lib/apt/methods/https could not be found.
      pi apt-transport-https
      # google led me here:
      # https://apt.syncthing.net/
      # The only check on this key is the TLS connection to syncthing.net;
      # a key added with apt-key is trusted for every configured apt
      # repository, not just the syncthing one.
      curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
      # Variable s (the sources.list line) and the helper command s used
      # elsewhere live in different namespaces, so both keep working.
      s="deb http://apt.syncthing.net/ syncthing release"
      # Unquoted $s on the right of != is a pattern match; the line holds
      # no glob characters, so it compares literally. cat complains on
      # stderr when the file does not exist yet, which is harmless here.
      if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then
        echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list
        p update
      fi
    fi
    pi syncthing
    ;;
esac
328 # installed via f-droid
329 # top right, actions, device id
330 #
331 # for installing on a remote comp:
332 # ssh -L 8384:localhost:8384 -N frodo
333 # went to http://localhost:8384/
334 #
335 # add folder to sync phone,
336 # staggered file versioning would be my normal choice, but choose
337 # trash can versioning for sake of space on phone, with
338 # clean out after 7 days.
339 #
340 # did:
341 # ser start syncthing@ian
342 # then on phone, add device, hit bar code icon,
343 # install bar code scanner.
344
345
# no equivalent in other distros:
case $distro in
  debian|ubuntu)
    # for gui bug reporting
    spa python-vte
    ;;
esac
353
354
355 ####### misc packages ###########
356
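# transmission-daemon on the home server only.
if [[ $HOSTNAME == treetowl ]]; then
  case $distro in
    debian|ubuntu)
      # note i had to do this, which is persistent:
      # cd /i/k
      # s chgrp debian-transmission torrents partial-torrents

      # syslog says things like
      # 'Failed to set receive buffer: requested 4194304, got 425984'
      # google suggests giving it even more than that
      # tu: project helper (append the heredoc to the file, presumably).
      tu /etc/sysctl.conf<<'EOF'
net.core.rmem_max = 67108864
net.core.wmem_max = 16777216
EOF
      s sysctl -p

      # some reason it doesn't seem to start automatically anyways
      pi-nostart transmission-daemon
      #
      # config file documented here, and it's the same config
      # for daemon vs client, so it's documented in the gui.
      # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
      #
      # I originaly setup rpc-whitelist, but after using
      # routing to a network namespace, it doesn't see the
      # real source address, so it's disabled.
      #
      # Changed the cache-size to 128 mb, reduces disk use.
      # It is a read & write cache.
      #
      # todo: setup a password.
      # NOTE(review): with rpc-whitelist-enabled and
      # rpc-authentication-required both false, anything that can reach the
      # rpc port can drive the daemon; rpc-bind-address is not set here, so
      # where it listens depends on the existing settings.json.
      #
      # Fix: the pidfile entry used the Ruby symbol-key form ("pidfile": ...),
      # which merges as the symbol :pidfile rather than the string key
      # "pidfile". An existing "pidfile" in settings.json would then survive
      # next to the new one and the written JSON would carry the key twice.
      # It now uses the string-key form like every other entry.
      s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
'rpc-whitelist-enabled' => false,
'rpc-authentication-required' => false,
'incomplete-dir' => '/k/partial-torrents',
'incomplete-dir-enabled' => true,
'download-dir' => '/i/k/torrents',
"speed-limit-up" => 800,
"speed-limit-up-enabled" => true,
"peer-port" => 61486,
"cache-size-mb" => 128,
"ratio-limit" => 1.4000,
"ratio-limit-enabled" => false,
"pidfile" => "/var/lib/transmission-daemon/transmission-daemon.pid",
})) + "\n")
EOF

      # make sure its not enabled, not sure if this is needed
      ser disable transmission-daemon
      sgo transmission-daemon-nn
      ;;
    # todo: others unknown
  esac
fi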
414
# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
# Create the service account if it is missing; the arch and debian-style
# arms differ only in the user-creation tool available.
if ! getent passwd debian-transmission > /dev/null; then
  case $distro in
    arch)
      s useradd \
        --system \
        --create-home \
        --home-dir /var/lib/transmission-daemon \
        --shell /bin/false \
        debian-transmission
      ;;
    *)
      s adduser --quiet \
        --system \
        --group \
        --no-create-home \
        --disabled-password \
        --home /var/lib/transmission-daemon \
        debian-transmission
      ;;
  esac
fi
437
# dunno why it's there, but get rid of it
# (provider-created home directory on the two hosted machines)
case $HOSTNAME in
  li|lj) s rm -rf /home/linode ;;
esac
442
# arch had a default config,
# debian had nothing until you start it.
# With a little trial an error, here is a minimal config
# taken from the generated one, plus changes that the
# settings ui does, without a bunch of ui crap settings.
#
# only settings I set were
# hostname
# auto-connect
# Write the same transmission-remote-gtk profile into every home directory,
# as that user (s -u). The profile carries empty credentials, matching the
# daemon above which has rpc authentication switched off.
for f in /home/*; do
  d=$f/.config/transmission-remote-gtk
  u=${f##*/}
  s -u $u mkdir -p $d
  s -u $u dd of=$d/config.json <<'EOF'
{
"profiles" : [
{
"profile-name" : "Default",
"hostname" : "treetowl",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "",
"auto-connect" : true,
"ssl" : false,
"timeout" : 40,
"retries" : 3,
"update-active-only" : false,
"activeonly-fullsync-enabled" : false,
"activeonly-fullsync-every" : 2,
"update-interval" : 3,
"min-update-interval" : 3,
"session-update-interval" : 60,
"exec-commands" : [
],
"destinations" : [
]
}
],
"profile-id" : 0,
"add-options-dialog" : false
}
EOF
done
486
case $distro in
  debian|ubuntu)
    # suggests because we want the resolvconf package.
    # todo: check other distros to make sure it's installed
    pi-nostart --install-suggests openvpn
    # pi-nostart this doesnt seem to be good enough?
    ser disable openvpn@client
    ser disable openvpn
    ;;
  *) pi openvpn;;
esac
498
pi wget
# Google Chrome on the two workstations. On debian/ubuntu the .deb is
# fetched over https and installed with dpkg -i, which does no signature
# check of its own — the TLS connection is the only integrity check here.
case $HOSTNAME in
  tp|frodo)
    case $distro in
      debian|ubuntu)
        # Temp file for the dpkg output; it is not removed afterwards.
        log=$(mktemp)
        cd /a/opt
        wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
        # dpkg -i is expected to fail on missing dependencies, so error
        # exit is suspended around it; pipefail makes $? reflect dpkg, not tee.
        errallow
        set -o pipefail
        s dpkg -i google-chrome-stable_current_amd64.deb |& tee $log
        code=$?
        errcatch
        case $code in
          0) : ;;
          *)
            # previously I had a more specific search, but dpkg
            # changed it's output as of 7/2016
            if grep 'dependency problems' \
              $log &>/dev/null; then
              s apt-get -fy install
            else
              exit 1
            fi
            ;;
        esac
        ;;
      arch)
        pi google-chrome
        ;;
    esac
    ;;
esac
532
# printer
case $distro in
  arch)
    pi cups ghostscript gsfonts # from arch wiki cups page
    pi hplip # from google
    s gpasswd -a $USER sys # from arch wiki
    sgo org.cups.cupsd.service
    # goto http://127.0.0.1:631
    # administration tab, add new printer button.
    # In debian, I could use the recommended driver,
    # in arch, I had to pick out the 6L driver.
    ;;
  debian|ubuntu)
    spa hplip
    ;;
  # other distros unknown
esac
550
551
case $distro in
  ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
  fedora|arch) spa mairix notmuch ;;
esac
case $distro in
  arch) spa nfs-utils ;;
  ubuntu|debian) spa nfs-client ;;
esac
case $distro in
  ubuntu|debian) spa par2 ;;
  arch|fedora) spa par2cmdline ;;
esac

# needed for my tex resume
case $distro in
  ubuntu|debian) spa texlive-full ;;
  arch) spa texlive-most ;;
  # fedora unknown
esac

case $distro in
  ubuntu)
    # flash, unrar, codecs, ms fonts.
    # This has a manual prompt.
    spa ubuntu-restricted-extras
    ;;
  fedora)
    pi yum-utils
    # rpm fusion recommended codecs
    # The release rpms are fetched over plain http and installed with
    # --nogpgcheck, so nothing verifies them before they run as root.
    s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
    pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
      xine-lib-extras-freeworld
    ;;
esac

case $distro in
  # optional dep for firefox for h.264 video
  arch) spa gst-libav ;;
  # other distros, probably come by default
esac

case $distro in
  fedora|ubuntu|debian) spa gnupg-agent ;;
  arch) : ;;
esac


case $distro in
  fedora) spa pinentry-gtk ;;
  *) : ;; # comes default or with other packages
esac

case $distro in
  arch) spa firefox pulseaudio;;
  *) : ;; # comes default or with other packages
esac


case $distro in
  arch) spa ttf-dejavu;;
  debian|ubuntu) spa fonts-dejavu ;;
  # others unknown
esac


case $distro in
  arch) spa xorg-xev;;
  debian|ubuntu) spa x11-utils ;;
  # others unknown
esac

# ;;& falls through, so every distro also gets the virt-manager arm.
case $distro in
  arch) pi virt-install;;&
  debian|ubuntu) pi virtinst ;;&
  *) pi virt-manager ;; # creates the libvirt group in debian at least
  # others unknown
esac
# allow user to run vms, from debian handbook
for x in ian traci; do s usermod -a -G libvirt,kvm $x; done
# bridge networking as user fails. google lead here, but it doesn't work:
# oh well, I give up.
# http://wiki.qemu.org/Features-Done/HelperNetworking
# s mkdir /etc/qemu
# f=/etc/qemu/bridge.conf
# s dd of=$f <<'EOF'
# allow br0
# EOF
# #s chown root:qemu $f # debian has something like qemu-libvirt. equivalent?
# s chmod 640 $f


case $distro in
  arch) spa cdrkit;;
  debian|ubuntu) spa genisoimage;;
  # others unknown
esac

case $distro in
  arch) spa spice-gtk3 ;;
  debian|ubuntu) spa spice-client-gtk;;
  # others unknown
esac

# general known for debian/ubuntu, not for fedora
case $distro in
  arch)
    # cdrkit for cloud-init isos
    # dnsmasq & ebtables for nat networking in libvirt
    # qemu for qemu-img, bind-tools for dig
    # dmidecode just because syslog complains
    pi unzip xorg-xmodmap dmidecode ebtables\
      bridge-utils dnsmasq qemu bind-tools
    # otherwise we get error about accessing kvm module.
    # seems like there might be a better way, but google was a bit vague.
    # Any existing user= line is dropped and qemu is told to run as root.
    # NOTE(review): this removes the uid separation between guests and the
    # host, so a guest escape lands as root; the usual fix is to put the
    # qemu user in the kvm group instead.
    s sed -ri --follow-symlinks '/^ *user *=/d' /etc/libvirt/qemu.conf
    echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
    # https://bbs.archlinux.org/viewtopic.php?id=206206
    # # this should prolly go in the wiki
    sgo virtlogd.socket
    # guessing this is not needed
    #sgo virtlogd.service
    sgo libvirtd

    ;;
esac

case $distro in
  arch) pi virtviewer ;;
  *) : ;; # other distros have it as a dependency afaik.
esac
682
683
684
case $distro in
  fedora) cabal install shellcheck ;;
  *) spa shellcheck ;;
  # unknown for older ubuntu
esac


case $distro in
  arch|debian|ubuntu) spa pumpa ;;
  # others unknown. do have a buildscript:
  # /a/bin/buildscripts/pumpa ;;
esac


# The /unstable suffix pins the package to that apt release (apt syntax).
case $distro in
  debian|ubuntu) spa android-tools-adbd/unstable ;;
  arch) spa android-tools ;;
  # other distros unknown
esac
704
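# bitcoind install plus a generated config, then joinmarket on the home
# server, which copies the rpc credentials out of that config.
case $distro in
  debian)
    if [[ `debian-archive` == testing ]]; then
      # has no unstable dependencies
      spa bitcoin-qt/unstable
    fi
    s cp /a/opt/bitcoin/contrib/init/bitcoind.service /etc/systemd/system
    ser daemon-reload

    dir=/nocow/.bitcoin
    s mkdir -p $dir
    s chown -R bitcoin:bitcoin $dir
    dir=/etc/bitcoin
    s mkdir -p $dir
    s chown -R root:bitcoin $dir
    s chmod 750 $dir
    # Fix: this was "bitcon.conf". The symlink created in /nocow/.bitcoin
    # and the credential copy below both read /etc/bitcoin/bitcoin.conf, so
    # the file generated here was never the one they pointed at.
    f=$dir/bitcoin.conf

    # pruning decreases the bitcoin dir to 2 gb, keeps
    # just the recent blocks. can't do a few things like
    # import a wallet dump.
    # pruning works, but people had to do
    # some manual stuff in joinmarket. I dun need the
    # disk space, so not bothering yet, maybe in a year or so.
    # https://github.com/JoinMarket-Org/joinmarket/issues/431
    #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
    #prune=550

    # Fresh rpc credentials are generated on every run. The 750 root:bitcoin
    # directory above is what keeps them from other local users; the file
    # itself gets whatever mode dd's umask produces.
    s dd of=$f <<EOF
rpcbind=127.0.0.1
server=1
rpcpassword=$(openssl rand -base64 32)
rpcuser=$(openssl rand -base64 32)

# Joinmarket
walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
EOF
    ;;
  # other distros unknown
esac
if [[ $HOSTNAME == treetowl ]]; then
  pi libsodium-dev python3-pip
  cd /a/opt/joinmarket
  # using develop branch, as it seems to be mostly bug fixes,
  # and this is quite new software.
  # note: python3 does not work.
  pip install -r requirements.txt
  # we need bitcoin.conf in the data dir according to
  # https://github.com/JoinMarket-Org/joinmarket/wiki/Running-JoinMarket-with-Bitcoin-Core-full-node
  # following the example .service script, I don't have it there,
  # and I generate it, so lets just symlink it.
  sudo -u bitcoin ln -sf /etc/bitcoin/bitcoin.conf /nocow/.bitcoin

  # one time, manually did python wallet-tool.py generate.
  # The "wallet" is just a key which deterministically generates addresses.
  # One time: move the wallet, then link to it.
  # ln -s /p/joinmarket/wallet.json wallets
  #
  # see wallet addresses via:
  # python wallet-tool.py wallet.json
  # send to the first 3 mixing depth 0 addresses.
  # depths are like "identities", to separate out association with
  # each other. the big hash in that output is the depth/branch id,
  # ignore it afaik.
  #
  # after sending btc to wallet from a 3rd party service, check that
  # at least 20% of utxo of each transaction was sent to you,
  # btc listtransactions 10 0 true
  # btc getrawtransaction TXID 1
  #
  # to view status, do
  # python wallet-tool.py wallet.json history
  #
  # to help make other people,
  # python yield-generator-basic.py wallet.json

  # Copy rpcuser/rpcpassword from bitcoin.conf into the rpc_user/rpc_password
  # keys of joinmarket.cfg (in the cwd set above).
  # NOTE(review): set -x is on for the whole script, so the expanded
  # "u=..." assignment — the rpc password — is printed into the xtrace
  # output that goes to /var/log/distro-end.
  for var in rpcuser rpcpassword; do
    u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
    # escape backslashes
    u="${u//\\/\\\\\\\\}"
    # escape commas (the sed delimiter used below)
    u="${u//,/\\,}"
    sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
  done
  sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg

  # dunno about sharing a wallet between multiple instances
  # manually did, wallet.dat symlinked in /nocow/.bitcoin
  sgo bitcoind
fi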
796
797
798
799
800 # proprietary flash. going without for now
801 # case $distro in
802 # debian)
803 # pi flashplugin-nonfree
804 # esac
805
806
807
# GNU global (gtags). On fedora it is built from a tarball fetched over
# plain http with no checksum or signature check and installed as root;
# the pygments install via sudo pip is likewise unverified.
case $distro in
  fedora)
    cd $(mktemp -d)
    wget http://tamacom.com/global/global-6.3.2.tar.gz
    # ex: project helper (extract archive, presumably).
    ex global*
    cd global-6.3.2
    # based on https://github.com/leoliu/ggtags
    ./configure --with-exuberant-ctags=/usr/bin/ctags
    make
    s make install
    s pip install pygments
    ;;
  *)
    # ;;& falls through so the distro-specific pygments arm also runs.
    pi global
    ;;&
  arch)
    pi python2-pygments
    ;;
  debian|ubuntu)
    pi python-pygments
    ;;
esac
830
831
case $distro in
  debian)
    pi task-cinnamon-desktop
    # in settings, change scrolling to two-finger,
    # because the default edge scroll doesn't work.
    # pu: project helper (package remove, presumably — confirm in the library).
    pu transmission-gtk
    ;;
  # others unknown
esac

case $distro in
  arch) spa apg ;;

  # already in debian jessie
esac
847
848
849
850
851 # note this failed running at the beginning of this file,
852 # because no systemd user instance was running.
853 # Doing systemd --user resulted in
854 # Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
855
# synergy: on testing the package has to be pulled from unstable.
if isdebian-testing; then
  # as of 7/2016, has no unstable deps, and is not in testing anymore.
  pi synergy/unstable
else
  pi synergy
fi
862
863 # case $distro in
864 # # ubuntu unknown. probably the same as debian, just check if the
865 # # init scripts come with the package.
866 # debian)
867 # # copied from arch, but moved to etc
868 # s dd of=/etc/systemd/user/synergys.service <<'EOF'
869 # [Unit]
870 # Description=Synergy Server Daemon
871 # After=network.target
872
873 # [Service]
874 # User=%i
875 # ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
876 # Restart=on-failure
877
878 # [Install]
879 # WantedBy=multi-user.target
880 # EOF
881 # s dd of=/etc/systemd/user/synergys.socket <<'EOF'
882 # [Unit]
883 # Conflicts=synergys@.service
884
885 # [Socket]
886 # ListenStream=24800
887 # Accept=false
888
889 # [Install]
890 # WantedBy=sockets.target
891 # EOF
892 # # had this fail with 'Failed to connect to bus: No such file or directory'
893 # # then when I tried it manually, it worked fine...
894 # if ! systemctl --user daemon-reload; then
895 # sleep 2
896 # echo retrying systemd user daemon reload
897 # systemctl --user daemon-reload
898 # fi
899 # ;;&
900 # *)
901 # # taken from arch wiki.
902 # s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
903 # [Unit]
904 # Description=Synergy Client
905 # After=network.target
906
907 # [Service]
908 # User=%i
909 # ExecStart=/usr/bin/synergyc --no-daemon frodo
910 # Restart=on-failure
911 # # per man systemd.unit, StartLimitInterval, by default we
912 # # restart more than 5 times in 10 seconds.
913 # # And this param defaults too 200 miliseconds.
914 # RestartSec=3s
915
916 # [Install]
917 # WantedBy=multi-user.target
918 # EOF
919 # s systemctl daemon-reload
920 # case $HOSTNAME in
921 # x2|treetowl)
922 # ser enable synergyc@ian
923 # ser start synergyc@ian ||: # X might not be running yet
924 # ;;
925 # frodo)
926 # systemctl --user start synergys ||:
927 # systemctl --user enable synergys
928 # ;;
929 # esac
930 # ;;
931 # esac
932
933
934 ######### end misc packages #########
935
936
937 # packages I once used before and liked, but don't want installed now for
938 # various reasons:
939 # python-sqlite is used for offlineimap
940 # lxappearance python-sqlite dolphin paman dconf-editor
941
942
943
944 ######## unfinished
945
# todo, finish configuring smart.

pi smartmontools
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# turn on smart. background on options:
# first line, -a = test everyting on all devices.
# -S on, turn on disk internal saving of vendor specific info,
# from google, seems like this is usually already on and fairly standard.
# -o on, turn on 4 hour period non-performance degrading testing.
# short test daily 2-3am, extended tests Saturdays between 3-4am:
sched="-s (S/../.././02|L/../../6/03)"
# Replace the DEVICESCAN line in place; '#' is the sed delimiter, so the
# '/' characters in $sched are safe. -m/-M route failure mail through the
# local smart-notify script. The backslash-newlines inside the double
# quotes are line continuations, not part of the replacement text.
s sed -i --follow-symlinks "s#^[[:space:]]*DEVICESCAN.*#\
DEVICESCAN -a -o on -S on -n standby,q $sched \
-m ian@iankelling.org -M exec /usr/local/bin/smart-notify#" /etc/smartd.conf
960
961 # in the default configuration of at least ubuntu 14.04, resolvconf is
962 # configured to order any nameservers associated with tun* or tap*
963 # before the normal internet interfaces, which means they are always
964 # consulted first. This is often slower and undesirable, ie. local dns
965 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
966 # can do:
967 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
968 # however, this breaks dns lookup for hosts on the openvpn lan.
969 # I can\'t figure out why hosts on the normal lan would not be
970 # broken under the default ordering, except the host I was
971 # testing with previously had an entry in /etc/hosts.
972
973 ############# end unfinished
974
975 ########### misc stuff
976
977
# the wiki backup script from ofswiki.org uses generic paths
s lnf /p/c/machine_specific/li/mw_vars /root
s lnf /k/backup/wiki_backup /root

# cedit: project helper. The || [[ $? == 1 ]] tolerates exit status 1
# (presumably "nothing changed" — confirm in the library) under errcatch.
s cedit /etc/goaccess.conf <<'EOF' || [[ $? == 1 ]]
# all things found from looking around the default config
# copied existing NCSA Combined Log Format with Virtual Host, plus %L
log-format %^:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %D
time-format %H:%M:%S
date-format %d/%b/%Y
log-file /var/log/apache2/access.log
color-scheme 2

# tip: copy access.log files to a stretch host directory, then run
# jessie's goaccess is too old for some options, and it's
# not easily installed from a testing.
# goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
EOF


# First-run only: the client key's existence is the "already done" marker.
if [[ $HOSTNAME == treetowl ]] && ! sudo test -e /etc/openvpn/client.key; then
  /a/bin/vpn-setup/vpn-mk-client-cert dopub
  # route lan traffic from inside the network namespace.
  tu /etc/openvpn/client.conf "route 192.168.1.0 255.255.255.0 net_gateway"
fi
1003
1004
# unison: installed from testing on debian/ubuntu; on stable an apt pin
# lets unison-gtk follow unstable as well.
case $distro in
  debian|ubuntu)
    case `debian-archive` in
      stable)
        s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
Explanation: Allow unison-gtk to be upgraded
Package: unison-gtk
Pin: release a=unstable
Pin-Priority: 500
EOF
        # dont think using testing is needed since I figured out how to
        # deal with mismatching unison compilers, but I dont
        # see any reason to revert it, since it only installs
        # a single package which is primarily a single binary
        ;;
    esac
    pi unison/testing
    pi unison-gtk/testing # after to make it the default unison
    ;;
  arch)
    pi unison gtk2
    ;;
esac

case $distro in
  arch)
    # default is alsa, doesn't work with pianobar
    s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
    ;;
esac
1037
# note, for jessie, it depends on a higher version of btrfs-tools.
#
# # disabled due to my patch being in btrbk
# case $distro in
# arch|debian|ubuntu) pi btrbk ;;
# # others unknown
# esac
# btrbk is installed from the local checkout instead of a package.
cd /a/opt/btrbk
s make install
spa pv # for progress bar when running interactively.
if [[ $HOSTNAME == treetowl ]]; then
  # backup/sync manually on others hosts for now.
  sgo btrbk.timer
  # note: to see when it was last run,
  # ser list-timers
fi

if [[ $HOSTNAME == treetowl ]] && [[ `debian-archive` != testing ]]; then
  # fail2 ban is broken, with a workaround, per
  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
  # ill wait a while to see if it gets fixed
  pi fail2ban
  sgo fail2ban
fi
1062
1063
1064
1065
1066
case $distro in
  debian|ubuntu) s gpasswd -a ian adm ;; #needed for reading logs
esac

# tor
case $distro in
  # based on
  # https://www.torproject.org/docs/rpms.html.en
  # https://www.torproject.org/docs/debian.html.en
  # todo: figure out if the running service needs to be restarted upon updates


  # todo on fedora: setup non-dev packages
  fedora)
    # Repo and its gpg key are both fetched over plain http; gpgcheck=1
    # then only verifies against a key that was itself obtained unverified
    # (trust on first use), which is why the fingerprint check below
    # matters. The fc/20 path is hard-coded to that fedora release.
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

    # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    # The key is fetched by its short (32-bit) id, which is not unique;
    # the export on the next line selects by the full fingerprint, so a
    # colliding key would be fetched but not handed to apt-key.
    gpg --keyserver keys.gnupg.net --recv 886DDD89
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    p update
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
  # ubuntu unknown
esac
1122
# nfs server
case $distro in
  fedora)
    # Firewall steps are not automated; queue a reminder for the end of the run.
    end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration


EOF
    pi nfs-utils
    sgo nfs-server
    ;;
  debian|ubuntu)
    pi nfs-server
    ;;
  arch)
    # An install failure here is treated as "needs a reboot" rather than fatal.
    pi nfs-utils || pending_reboot=true
    sgo rpcbind
    # this failed until I rebooted
    sgo nfs-server
    ;;
esac

if [[ $HOSTNAME == treetowl ]]; then
  # nohide = export filesystems mounted deeper than the export point
  # fsid=0 makes this export the "root" export
  # not documented in the man page, but this means
  # 1. it can be mounted with a shorthand of server:/
  # 2. exports that are subdirectories of this one will automatically be mounted
  # NOTE(review): no_root_squash lets root on any 192.168.1.0/24 client act
  # as root on /k, and insecure accepts client requests from unprivileged
  # source ports; together they make the whole /24 fully trusted.
  tu /etc/exports <<'EOF'
/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
  s exportfs -rav
fi


# Print whatever end_msg queued during the run (e: project helper).
e "$end_msg_var"
1171
1172
# persistent virtual machines

case $distro in
  debian|ubuntu)
    pi libosinfo-bin;
    ;;
esac

# distro may not know about win 10 yet.
# Pick the newest windows os-variant the local virt tooling recognises,
# falling back to win7. The dot in "8.1" is escaped for the regex.
variant=win7
if ! virt-install --os-variant list &>/dev/null; then # we are using a newer virt-install
  for v in 10 8.1 8; do
    # gr: project helper (grep wrapper, presumably).
    if osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null; then
      variant=win$v
      break
    fi
  done
fi
1191
1192 if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then
1193
1194 # created account with
1195 # win10vmian@outlook.com, and easy to remember password
1196 # win 10 virtio, makes disk way way way faster
1197 # wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
1198 # https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
1199 # for installing virtio after initial install instead of with initial iso:
1200 # qemu-img create -f qcow2 fake.qcow2 1G
1201 # --disk=/a/images/virtio-win.iso,device=cdrom \
1202 # --disk=/a/images/fake.qcow2,bus=virtio
1203 # Also,
1204 # went to device manager, saw 2 pci devices with yellow !,
1205 # did search for drivers, pick cdrom location, done.
1206 #
1207 # from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
1208 # google said there was a control panel option for it, but
1209 # that turned out to be a lie.
1210 # Put this in a .bat file and run as administrator to turn off
1211 # hyberboot which fucks things up.
1212 # REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
1213 # power settings, turn off display: never
1214 # run "control userpasswords2", turn on automatic login.
1215 # note: when changing devices, I just undefine, the create the vm again.
1216
1217 if [[ -e /a/images/win10.qcow2 ]]; then
1218 s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
1219 --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
1220 -n win10 --import --os-variant $variant --cpu host-model-only
1221
1222 s virsh destroy win10
1223 fi
1224
1225 if [[ -e /a/images/win7.qcow2 ]]; then
1226 # this one hasn\'t had the virtio fix done yet.
1227 s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
1228 --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
1229 -n win7 --import --os-variant win7 --cpu host-model-only
1230 s virsh destroy win7
1231 # had a problem with --cpu host, so trying out
1232 # --cpu host-model-only
1233 fi
1234 fi
1235
1236
if [[ $HOSTNAME == treetowl ]]; then
pi samba
# note samba re-reads its config every 1 minute
case $distro in
arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
esac

# add 2 lines after workgroup option
# delete any existing copies first so the insert below does not duplicate them
s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
# "map to guest = bad password" turns a login with a wrong password into a
# guest session instead of rejecting it
s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
# remove default homes section. not sharing that.
# NOTE(review): the range end /\s*\[/ is unanchored and a sed range deletes
# its closing line as well, so the next line containing a "[" (possibly the
# following section header) is removed along with [homes]. Check the result
# with testparm.
s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf

# Guest-writable share: with guest ok = yes and read only = no, anyone who can
# reach the SMB port can write to /kr without credentials (and, via
# "map to guest = bad password", a wrong password lands here too). Only
# suitable on a trusted LAN; otherwise restrict it with "hosts allow" or a
# firewall rule.
if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
s tee -a /etc/samba/smb.conf <<'EOF'
[public]
guest ok = yes
read only = no
path = /kr
EOF
fi

case $distro in
debian|ubuntu)
# systemd claims it generates units from /etc/init.d, but it
# clearly doesn't in debian. I have no idea how they are
# related. fuck debian right now. It's not documented. samba
# has a systemd init file linked to /dev/null. There's this
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
# claims samba's sub-services will be started automatically by
# systemd... it didn't on install, wonder if it will on
# boot. It clued me in how to start it manually though. Nothing
# in /usr/share/doc/samba, debian admin guide says nothing about
# any of this. (this is in debian testing as of 4/2016).

s /etc/init.d/samba start
;;
arch)
sgo samba
;;
esac
fi
1280
# give the machine a resolvable .lan name next to its bare hostname
tu /etc/hosts <<EOF
127.0.1.1 $(hostname).lan $(hostname)
EOF
1282
1283
######### begin stuff belonging at the end ##########

# Installed last on purpose: on debian the most recently installed
# application wins as the default handler for its file types.
spa mpv
case $distro in
  arch) spa spacefm ;;
  ubuntu|debian) spa spacefm-gtk3 ;;
esac

pi "${simple_packages[@]}"

# an install earlier in the run may have set pending_reboot; in that case
# the run ends with a reboot instead of a normal exit
if $pending_reboot; then
  printf '%s\n' "$0: pending reboot and then finished. doing it now."
  s reboot now
else
  printf '%s\n' "$0: $(date): ending now)"
fi