add rss2email, lump ff unstable upgrades with the rest
[distro-setup] / distro-end
1 #!/bin/bash -l
2 # Copyright (C) 2016 Ian Kelling
3
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7
8 # http://www.apache.org/licenses/LICENSE-2.0
9
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
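# errcatch is defined outside this file; presumably it installs the
# script's error handling -- confirm.
errcatch

# Trace every command. xtrace prints commands after expansion, so any
# secret that is expanded onto a command line further down is written
# to the log as well.
set -x

# The log receives that trace, so make it root-only before tee opens it;
# tee on its own would create the file with root's default umask.
sudo touch /var/log/distro-end
sudo chmod 600 /var/log/distro-end
exec &> >(sudo tee -a /var/log/distro-end)
echo "$0: $(date): starting now)"

# Directory part of this script's path.
src="${BASH_SOURCE%/*}"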
24
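#######################################
# Append everything read from stdin to the end-of-run message.
# Globals:   end_msg_var (appended to)
# Arguments: none; the text is taken from stdin (typically a here-doc)
# Returns:   0
#######################################
end_msg() {
  local y
  # -d '' reads up to EOF; read then returns non-zero, which is expected.
  IFS= read -r -d '' y ||:
  end_msg_var+="$y"
}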
30
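#######################################
# Simple package add: queue package names for a later bulk install.
# Globals:   simple_packages (appended to)
# Arguments: package names, one per argument
#######################################
spa() {
  # Quoted so each argument is stored verbatim, with no re-splitting or
  # glob expansion of a package name.
  simple_packages+=("$@")
}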
34
35 distro=$(distro-name)
36
37 pending_reboot=false
38 sed="sed --follow-symlinks"
39
40 # template
41 case $distro in
42 esac
43
44 pup
45
# Baseline package queue; later sections append to it with spa.
simple_packages=(htop mailutils nmon rdiff-backup ruby ruby-rest-client
  tree vim wcd)
57
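# Queue the desktop/workstation package set on every host except lj and li.
case $HOSTNAME in
  lj|li) : ;;
  *)
    # universal packages
    # swh-plugins is for karaoke pulsaudio filter.
    # mutagen for pithos
    simple_packages+=(
      apache2 apache2-doc apt-doc aptitude-doc-en bash-doc binutils-doc
      bwm-ng chromium cpio-doc cron debconf-doc duplicity eclipse evince
      fdupes feh filelight gawk-doc gcc-doc gdb gdb-doc git-doc git-email
      gitk glibc-doc goaccess gnome-screenshot i3lock iproute2-doc jq
      linux-doc locate make-doc manpages manpages-dev meld mumble nmap
      offlineimap p7zip paprefs parted-doc pavucontrol pdfgrep perl-doc
      pianobar pidgin python3-doc python3-mutagen reportbug sqlite3-doc
      squashfs-tools swh-plugins tar-doc tcpdump transmission-remote-gtk
      vlc whois
    )
    # The search pattern is quoted so the shell hands it to apt-cache
    # verbatim instead of treating [.0-9] as a filename glob. The command
    # substitution is deliberately unquoted: each package name printed by
    # awk becomes one argument to spa.
    spa $(apt-cache search 'ruby[.0-9]+-doc' | awk '{print $1}')
    ;;
esac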
127
128
129 ########### begin section including li ################
130
131
# acme-tiny: Debian testing only.
if [[ $distro == debian && $(debian-archive) == testing ]]; then
  pi acme-tiny
fi

# unrar: package name differs on fedora.
if [[ $distro == fedora ]]; then
  spa unrar
else
  spa unrar-free
fi


# cron daemon: other distros come with cron.
if [[ $distro == arch ]]; then
  # ubuntu 14.04 uses b-cron,
  # but its not maintained in arch.
  # of the ones in the main repos, cronie is only one maintained.
  # fcron appears abandoned software.
  pi cronie
  sgo cronie
fi


if [[ $distro == debian || $distro == ubuntu ]]; then
  pi debian-goodies
fi


# at is installed everywhere; only arch needs its daemon started here.
pi at
if [[ $distro == arch ]]; then
  sgo atd
fi


# curl: arch needs nothing here; fedora: unknown
if [[ $distro == debian ]]; then
  pi curl
fi

# git; tk for gitk on arch
if [[ $distro == arch ]]; then
  spa git tk
else
  spa git
fi

# silver searcher; fedora unknown
if [[ $distro == arch ]]; then
  spa the_silver_searcher
elif [[ $distro == debian || $distro == ubuntu ]]; then
  spa silversearcher-ag
fi

# ntp; others unknown
if [[ $distro == debian || $distro == ubuntu ]]; then
  spa ntp
elif [[ $distro == arch ]]; then
  pi ntp
  sgo ntpd
fi


# no equivalent in other distros:
if [[ $distro == debian || $distro == ubuntu ]]; then
  pi aptitude
  if ! dpkg -s apt-file &>/dev/null; then
    # this condition is just a speed optimization
    pi apt-file
    s apt-file update
  fi
  # for debconf-get-selections
  spa debconf-utils
fi

# ack
if [[ $distro == ubuntu || $distro == debian ]]; then
  spa ack-grep
elif [[ $distro == arch || $distro == fedora ]]; then
  spa ack
fi

# bash-completion; others unknown
if [[ $distro == arch || $distro == debian || $distro == ubuntu ]]; then
  spa bash-completion
fi
225
226
227
228
229
230 # disable motd junk.
# Quiet the login message of the day. s is a helper defined outside this
# file; it appears to run its arguments as root -- confirm.
case $(distro-name) in
  debian)
    # allows me to pipe with ssh -t, and gets rid of spam
    # http://forums.debian.net/viewtopic.php?f=5&t=85822
    # i'd rather disable the service than comment the init file
    # this says disabling the service, it will still get restarted
    # but this script doesn't do anything on restart, so it should be fine
    # Copying /dev/null over the file truncates it to zero length.
    s dd of=/var/run/motd.dynamic if=/dev/null
    # stretch doesn't have initscripts pkg installed by default
    if [[ $(debian-codename) == jessie ]]; then
      s update-rc.d motd disable
    fi
    ;;
  ubuntu)
    # this isn't a complete solution. It still shows me when updates are available,
    # but it's no big deal.
    # t is defined outside this file; presumably it removes or trashes the
    # listed files -- confirm.
    s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
    ;;
esac
250
251 # automatic updates
252 # reference:
253 # https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
254 # /etc/cron.daily/apt calls unattended-upgrades
255 # /usr/share/doc/unattended-upgrades# cat README.md
256 # /etc/apt/apt.conf.d/50unattended-upgrades
# Unattended security updates on Debian; the helper is defined outside
# this file.
if isdebian; then
  setup-debian-auto-update
fi

# we've got a few dependencies later on, so install them now.
# Flush the queue built up by spa so far, then start a fresh one.
pi "${simple_packages[@]}"
simple_packages=()
264
265 # website setup
266 case $HOSTNAME in
267 lj|li)
268
# Pick the site domain for this host. lj stops here with success and runs
# none of the setup that follows.
if [[ $HOSTNAME == lj ]]; then
  domain=iank.bid
  exit 0
elif [[ $HOSTNAME == li ]]; then
  domain=iankelling.org
fi
/a/h/setup.sh "$domain"
/a/h/build.rb
275
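sudo -E /a/bin/mediawiki-setup/mw-setup-script
#$src/phab-setup

pi-nostart mumble-server
# The server password is substituted into the config with sed. Escape the
# characters that are special in a sed replacement (\ / &) so a password
# containing them is written verbatim instead of breaking or altering the
# expression, and pause xtrace so the expanded password is not copied into
# the run log.
# NOTE(review): the password is still an argument of the sed process while
# it runs, so it is briefly visible in the process list.
set +x
mumble_pass=$(sed 's#[\\/&]#\\&#g' /a/bin/bash_unpublished/mumble_pass)
s $sed -ri "s/^ *(serverpassword=).*/\1${mumble_pass}/" /etc/mumble-server.ini
unset mumble_pass
set -x
sgo mumble-server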
282
283 vpn-server-setup -d
284
285 sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
286 [Unit]
287 Description=Turns on iptables mail nat
288
289 [Service]
290 Type=oneshot
291 RemainAfterExit=yes
292 ExecStart=/a/bin/distro-setup/vpn-mail-forward start
293 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
294
295 [Install]
296 WantedBy=openvpn.service
297 EOF
298 ser daemon-reload
299 ser enable vpnmail.service
300 acme-tiny-wrapper mail.iankelling.org
301 # needed for li's local mail delivery. there might
302 # be a better way to do it that doesn't require disabling
303 # it during le verification, but whatever for now.
304 f=/etc/cron.daily/lets-encrypt-mail_iankelling_org
305 l="10.8.0.4 mail.iankelling.org"
306 tu /etc/hosts <<<"$l"
307 s sed -i '/^\s*sysv acme-tiny-wrapper/i sed -i /^10\.8\.0\.4/d /etc/hosts' $f
308 echo "echo $l >>/etc/hosts" | s tee -a $f
309 sgo openvpn
310 domain=cal.iankelling.org
311 acme-tiny-wrapper $domain
312 apache-site -f 10.8.0.4:5232 - $domain <<'EOF'
313 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
314 <Directory "/var/www/cal.iankelling.org/html">
315 Options +FollowSymLinks +Multiviews +Indexes
316 AllowOverride None
317 AuthType basic
318 AuthName "Authentication Required"
319 # setup one time, with root:www-data, 640
320 AuthUserFile "/etc/caldav-htpasswd"
321 Require valid-user
322 </Directory>
323 EOF
324 # nginx version of above would be:
325 # auth_basic "Not currently available";
326 # auth_basic_user_file /etc/nginx/caldav/htpasswd;
327
328
329 ########## begin pump.io setup ##########
330
331 # once pump adds a logrotation script, turn off nologger,
332 # and add
333 # "logfile": "/var/log/pumpio/pumpio.log",
334 #
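# Write the pump.io config with a placeholder, then substitute the real
# secret from the machine-specific file.
# NOTE(review): dd creates /etc/pump.io.json with the default umask and the
# file then holds the application secret; consider restricting it to root
# and the pumpio account once that account exists.
s dd of=/etc/pump.io.json <<'EOF'
{
"secret": "SECRET_REPLACE_ME",
"driver": "mongodb",
"params": { "dbname": "pumpio" },
"noweb": false,
"site": "pump.iankelling.org",
"owner": "Ian Kelling",
"ownerURL": "https://iankelling.org/",
"port": 8001,
"urlPort": 443,
"hostname": "pump.iankelling.org",
"nologger": true,
"datadir": "/home/pumpio/pumpdata",
"enableUploads": true,
"debugClient": false,
"disableRegistration": true,
"noCDN": true,
"key": "/home/pumpio/pump.iankelling.org-domain.key",
"cert": "/home/pumpio/pump.iankelling.org-chained.pem",
"address": "localhost",
"sockjs": false
}
EOF
# Escape the characters that are special in this sed replacement (\ # &)
# so the secret is inserted verbatim, and pause xtrace so the expanded
# secret is not copied into the run log.
# NOTE(review): a secret containing a double quote would still produce
# invalid JSON.
set +x
pump_secret=$(sed 's/[\\#&]/\\&/g' /p/c/machine_specific/li/pump-secret)
s sed -i "s#SECRET_REPLACE_ME#${pump_secret}#" /etc/pump.io.json
unset pump_secret
set -x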
360
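# jessie's node is too old
# https://nodejs.org/en/download/package-manager/
# Fetch the NodeSource setup script completely before running it as root:
# -f turns an HTTP error into a failed download instead of handing an error
# page to bash, and a truncated transfer is never partially executed.
# NOTE(review): this is still unreviewed third-party code run as root;
# inspect or pin the script before use.
node_setup=$(mktemp)
curl -fsSL -o "$node_setup" https://deb.nodesource.com/setup_6.x || exit 1
sudo -E bash "$node_setup"
rm -f -- "$node_setup"
pi nodejs
cd /home/ian
# NOTE(review): this removes pump.io.git, but the clone below creates
# pump.io, so a previous checkout is left in place -- confirm which
# directory was meant.
rm -rf pump.io.git
# NOTE(review): the clone tracks the default branch and npm install resolves
# dependencies at run time, so the code that ends up running is not pinned.
git clone https://github.com/pump-io/pump.io.git
cd pump.io
# note: doing this or the npm install pump.io as root had problems.
npm install
npm run build
# normally, next command would be
# s npm install -g databank-mongodb
# but it's this until a bug in pump gets fixed
s npm install -g databank-mongodb@0.19.2
# Service account without a login shell; it owns the pump data directory.
s useradd -m -s /bin/false pumpio
sudo -u pumpio mkdir -p /home/pumpio/pumpdata
# for testing browser when only listening to localhost,
# in the pump.io.json, set hostname localhost, urlPort 5233
#ssh -L 5233:localhost:5233 li
acme-tiny-wrapper -c /home/pumpio pump.iankelling.org

s mkdir -p /var/log/pumpio/
s chown pumpio:pumpio /var/log/pumpio/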
385
386 apache-site -c /home/pumpio - pump.iankelling.org <<'EOF'
387 # currently a bug in pump that we cant terminate ssl
388 SSLProxyEngine On
389 ProxyPreserveHost On
390 ProxyPass / https://127.0.0.1:8001/
391 ProxyPassReverse / https://127.0.0.1:8001/
392 # i have sockjs disabled per people suggesting that
393 # it won\'t work with apache right now.
394 # not sure if it would work with this,
395 # but afaik, this is pointless atm.
396 <Location /main/realtime/sockjs/>
397 ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
398 ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
399 </Location>
400 EOF
401
402 s dd of=/etc/systemd/system/pump.service <<'EOF'
403 [Unit]
404 Description=pump.io
405 After=syslog.target network.target
406
407 [Service]
408 Type=simple
409 User=pumpio
410 Group=pumpio
411 ExecStart=/home/ian/pump.io/bin/pump
412 Environment=NODE_ENV=production
413 # failed to find databank-mongodb without this.
414 # I just looked at my environment variables took a guess.
415 Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
416
417 [Install]
418 WantedBy=multi-user.target
419 EOF
420 ser daemon-reload
421 sgo pump
422 ########## end pump.io setup ############
423
424
425 ############# begin setup mastodon ##############
426
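# https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
pi software-properties-common
# NOTE(review): apt-key add makes this key trusted for every configured
# repository, and the downloaded key is not compared with a known
# fingerprint. Where the installed apt supports it, a dedicated keyring
# referenced with signed-by on the sources line limits the key to this
# repository.
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository \
  "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
p update
pi docker-ce
sgo docker
# this may not be needed
ser start docker

# Download docker-compose to a temp file first. -f makes an HTTP error fail
# the download, so an error page is never installed as the binary.
# NOTE(review): the binary is installed root-owned and executable with no
# integrity check; compare its SHA-256 with the value published for the
# release (<EXPECTED_SHA256>) before installing.
compose_tmp=$(mktemp)
curl -fL -o "$compose_tmp" \
  "https://github.com/docker/compose/releases/download/1.12.0/docker-compose-$(uname -s)-$(uname -m)" \
  || exit 1
s dd of=/usr/local/bin/docker-compose if="$compose_tmp"
rm -f -- "$compose_tmp"
s chmod +x /usr/local/bin/docker-compose

# i subscrubed to https://github.com/docker/compose/releases.atom
# to deal with updates manually.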
444 # to deal with updates manually.
445
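cd ~
# i is defined outside this file; presumably a git wrapper -- confirm.
i clone https://github.com/tootsuite/mastodon
cd mastodon
# https://github.com/tootsuite/mastodon/tree/v1.1.2
# subbed to atom feed to deal with updates
i co v1.1.2

# per instructions, uncomment redis/postgres persistence in docker-compose.yml
sed -i 's/^#//' docker-compose.yml

# NOTE(review): .env.production is created with the default umask and ends
# up holding the application secrets and the SMTP password; consider
# tightening its mode if the containers can still read it.
cat >.env.production <<'EOF'
REDIS_HOST=redis
REDIS_PORT=6379
DB_HOST=db
DB_USER=postgres
DB_NAME=postgres
DB_PASS=
DB_PORT=5432

LOCAL_DOMAIN=mast.iankelling.org
LOCAL_HTTPS=true

SINGLE_USER_MODE=true

SMTP_SERVER=10.8.0.4
SMTP_PORT=25
SMTP_LOGIN=li
SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
SMTP_DOMAIN=mast.iankelling.org
SMTP_DELIVERY_METHOD=smtp
EOF

# Pause xtrace: the generated secrets and the SMTP password are printf
# arguments and would otherwise be copied into the run log.
set +x
# Each KEY=value pair needs its own line. Command substitution strips the
# trailing newline, so the format string has to supply one; without it all
# the pairs run together on a single line of the env file.
for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
  printf '%s=%s\n' "$key" "$(docker-compose run --rm web rake secret)" >>.env.production
done
# /etc/mailpass is read as "domain port password" lines; take the password
# for the mail host.
s cat /etc/mailpass | while read -r domain port pass; do
  if [[ $domain == mail.iankelling.org ]]; then
    printf 'SMTP_PASSWORD=%s\n' "$pass" >>.env.production
    break
  fi
done
set -x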
487
488
489
490 docker-compose run --rm web rails assets:precompile
491
492 # docker daemon takes care of starting on boot.
493 docker-compose up -d
494
495 acme-tiny-wrapper mast.iankelling.org
496 s a2enmod proxy_wstunnel headers
497 apache-site -f 3000 - mast.iankelling.org <<'EOF'
498 ProxyPreserveHost On
499 RequestHeader set X-Forwarded-Proto "https"
500 ProxyPass /500.html !
501 ProxyPass /oops.png !
502 ProxyPass /api/v1/streaming/ ws://localhost:4000/
503 ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
504 ErrorDocument 500 /500.html
505 ErrorDocument 501 /500.html
506 ErrorDocument 502 /500.html
507 ErrorDocument 503 /500.html
508 ErrorDocument 504 /500.html
509 EOF
510
511
512 ############### !!!!!!!!!!!!!!!!!
513 ############### manual steps:
514
515 # only following 2 people atm, so not bothering to figure out backups
516 # when mastodon has not documented it at all.
517 #
518 # fsf@status.fsf.org
519 # cwebber@toot.cat
520 # dbd@status.fsf.org
521 # johns@status.fsf.org
522
523 # sign in page is at https://mast.iankelling.org/auth/sign_in
524 # register as iank, then
525 # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
526 # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
527
528 ############# end setup mastodon ##############
529
530 echo "$0: $(date): ending now)"
531 exit 0
532 ;;
533 esac
534
535
536 ########### end section including li/lj ###############
537
# rss2email on treetowl: a oneshot service run as user ian, re-triggered by
# a timer 300 seconds after each run finishes.
if [[ $HOSTNAME == treetowl ]]; then
  # note, see bashrc for more documentation.
  pi rss2email
  s dd of=/etc/systemd/system/rss2email.service <<'EOF'
[Unit]
Description=rss2email
After=multi-user.target

[Service]
User=ian
Type=oneshot
# about 24 hours of failures
ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e run
EOF
  s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
[Unit]
Description=rss2email

[Timer]
OnUnitInactiveSec=300

[Install]
WantedBy=timers.target
EOF
  s systemctl daemon-reload
  sgo rss2email.timer
fi

######### begin pump.io periodic backup #############
# Hourly pump backup on treetowl, also run as user ian through the
# sysd-mail-once wrapper.
if [[ $HOSTNAME == treetowl ]]; then
  s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
[Unit]
Description=pump li backup
After=multi-user.target

[Service]
User=ian
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
EOF
  s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
[Unit]
Description=pump li backup hourly

[Timer]
OnCalendar=hourly

[Install]
WantedBy=timers.target
EOF
  s systemctl daemon-reload
  sgo pumpbackup.timer
fi
591 ######### end pump.io periodic backup #############
592
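case $distro in
  debian|ubuntu)
    # suggests because we want the resolvconf package.
    # todo: check other distros to make sure it's installed
    pi-nostart --install-suggests openvpn
    # pi-nostart does not disable
    ser disable openvpn
    ;;
  *) pi openvpn;;
esac

if private-host; then
  vpn-mk-client-cert -n mail li
  # Common name of the freshly issued client certificate; it names the
  # per-client config file on the VPN server.
  cn=$(s openssl x509 -noout -nameopt multiline -subject \
    -in /etc/openvpn/client/mail.crt | \
    sed -rn 's/^\s*commonName\s*=\s*(.*)/\1/p')
  # An empty name would make the remote dd target the directory itself.
  if [[ -z $cn ]]; then
    echo "$0: no commonName found in /etc/openvpn/client/mail.crt" >&2
    exit 1
  fi
  # ssh passes the command as one string to root's shell on li, where it is
  # parsed again; %q quotes the name so it stays a single path component
  # whatever characters the certificate subject contains.
  echo "ifconfig-push 10.8.0.4 255.255.255.0" | \
    ssh root@li "dd of=/etc/openvpn/client-config/$(printf '%q' "$cn")"
fi
ser enable mailroute
if [[ $HOSTNAME == treetowl ]]; then
  # note, this will need to be changed when the mail/contacts host changes
  sgo openvpn-client@mail
  /a/bin/distro-setup/radicale-setup
fi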
618
619 ## android studio setup
620 # this contains the setting for android sdk to point to
621 # /a/opt/androidsdk, which is asked upon first run
622 lnf /a/opt/.AndroidStudio2.2 ~
623 # android site says it needs a bunch of packages for ubuntu,
624 # but I googled for debian, and someone says you just need lib32stdc++6 plus the
625 # jdk
626 # https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
627 # see w.org for more android studio details
628 spa lib32stdc++6 default-jdk
629
630
631 if [[ $HOSTNAME == treetowl ]]; then
632 ############# begin syncthing setup ###########
633
634 # It\'s simpler to just worry about running it in one place for now.
635 # I assume it would work to clone it\'s config to another non-phone
636 # and just run it in one place instead of the normal having a
637 # separate config. I lean toward using the same config, since btrfs
638 # syncs between comps.
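case $distro in
  arch) pi syncthing ;;
  ubuntu|debian)
    # testing has relatively up to date packages
    if ! isdebian-testing; then
      # based on error when doing apt-get update:
      # E: The method driver /usr/lib/apt/methods/https could not be found.
      pi apt-transport-https
      # google led me here:
      # https://apt.syncthing.net/
      # -f: an HTTP error fails the fetch instead of feeding an error page
      # to apt-key; -S keeps the error message visible despite -s.
      # NOTE(review): the key is trusted as downloaded, with no fingerprint
      # check, and apt-key add trusts it for every configured repository.
      curl -fsS https://syncthing.net/release-key.txt | sudo apt-key add -
      # Use the https transport installed above for the repository itself.
      s="deb https://apt.syncthing.net/ syncthing release"
      # Quoted right-hand side: compare literally, not as a glob pattern.
      # A missing list file simply compares as different.
      if [[ $(cat /etc/apt/sources.list.d/syncthing.list 2>/dev/null) != "$s" ]]; then
        echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list
        p update
      fi
    fi
    pi syncthing
    ;;
esac
lnf -T /w/syncthing /home/ian/.config/syncthing
sgo syncthing@ian # runs as ian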
661
662 # these things persist in ~/.config/syncthing, which I save in
663 # /w/syncthing (not in /p, because syncthing should continue to
664 # run on home server even when using laptop as primary device)
665 # open http://localhost:8384/
666 # change listen address from default to tcp://:22001,
667 # this is because we do port forward so it doesn\'t have to use
668 # some external server, but the syncthing is broken for port forward,
669 # you get a message, something "like connected to myself, this should not happen"
670 # when connecting to other local devices, so I bump the port up by 1,
671 # based on
672 # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
673 # Without this, it was being stuck syncing at 0%.
674 # Set gui username and password.
675 #
676 # install syncthing via f-droid,
677 # folder setting, turn off master folder (makes it read only).
678 # on phone, add device, click bar code icon
679 # on dekstop, top right, actions, device id
680 # after adding, notification will appear on desktop to confirm
681 #
682 # syncing folder. from phone to desktop: select desktop in the
683 # folder on phone\'s sync options, notification will appear in
684 # desktop\'s web ui within a minute. For the reverse, the
685 # notification will appear in android\'s notifications, you have to
686 # swipe down and tap it to add the folder. It won\'t appear in the
687 # syncthing ui, which would be intuitive, but don\'t wait for it
688 # there.
689 #
690 # On phone, set settings to run syncthing all the time, and
691 # show no notification.
692 #
693 # Folder versioning would make sense if I didn\'t already use btrfs
694 # for backups. I would choose staggered, or trash can for more space.
695 #
696 # if needed to install on a remote comp:
697 # ssh -L 8384:localhost:8384 -N frodo
698 # open http://localhost:8384/
699 #
700 # Note, the other thing i did was port forward port 22000,
701 # per https://docs.syncthing.net/users/firewall.html
702
703 ############# end syncthing setup ###########
704 fi
705
706
707
708 # no equivalent in other distros:
# for gui bug reporting (debian/ubuntu only)
if [[ $distro == debian || $distro == ubuntu ]]; then
  spa python-vte
fi
715
716
717 ####### misc packages ###########
718
# transmission-daemon on treetowl (debian/ubuntu only).
if [[ $HOSTNAME == treetowl ]]; then
  case $distro in
    debian|ubuntu)
      # note i had to do this, which is persistent:
      # cd /i/k
      # s chgrp debian-transmission torrents partial-torrents

      # syslog says things like
      # 'Failed to set receive buffer: requested 4194304, got 425984'
      # google suggets giving it even more than that
      tu /etc/sysctl.conf<<'EOF'
net.core.rmem_max = 67108864
net.core.wmem_max = 16777216
EOF
      s sysctl -p

      # some reason it doesn't seem to start automatically anyways
      pi-nostart transmission-daemon

      # the folder was moved here after an install around 02/2017.
      # it contains runtime data,
      # plus a simple symlink to the config file which it's
      # not worth separating out.
      s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
      #
      # config file documented here, and it's the same config
      # for daemon vs client, so it's documented in the gui.
      # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
      #
      # I originaly setup rpc-whitelist, but after using
      # routing to a network namespace, it doesn't see the
      # real source address, so it's disabled.
      #
      # Changed the cache-size to 256 mb, reduces disk use.
      # It is a read & write cache.
      #
      # Merge the overrides below into the existing settings.json as root.
      # NOTE(review): with both the whitelist and authentication switched
      # off, the RPC interface accepts requests from any client that can
      # reach its port; access control then rests entirely on the network
      # namespace and firewall around the daemon -- confirm nothing else
      # can reach it.
      s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
'rpc-whitelist-enabled' => false,
'rpc-authentication-required' => false,
'incomplete-dir' => '/i/k/partial-torrents',
'incomplete-dir-enabled' => true,
'download-dir' => '/i/k/torrents',
"speed-limit-up" => 800,
"speed-limit-up-enabled" => true,
"peer-port" => 61486,
"cache-size-mb" => 256,
"ratio-limit" => 5.0,
"ratio-limit-enabled" => true,
})) + "\n")
EOF

      # make sure its not enabled, not sure if this is needed
      ser disable transmission-daemon
      sgo transmission-daemon-nn
      ;;
    # todo: others unknown
  esac
fi
780
781 # adapted from /var/lib/dpkg/info/transmission-daemon.postinst
# Create the debian-transmission system account when it does not exist yet.
if ! getent passwd debian-transmission > /dev/null; then
  if [[ $distro == arch ]]; then
    s useradd \
      --system \
      --create-home \
      --home-dir /var/lib/transmission-daemon \
      --shell /bin/false \
      debian-transmission
  else
    s adduser --quiet \
      --system \
      --group \
      --no-create-home \
      --disabled-password \
      --home /var/lib/transmission-daemon \
      debian-transmission
  fi
fi

# dunno why it's there, but get rid of it
if [[ $HOSTNAME == li || $HOSTNAME == lj ]]; then
  s rm -rf /home/linode
fi
808
809 # arch had a default config,
810 # debian had nothing until you start it.
811 # With a little trial an error, here is a minimal config
812 # taken from the generated one, plus changes that the
813 # settings ui does, without a bunch of ui crap settings.
814 #
815 # only settings I set were
816 # hostname
817 # auto-connect
818 # password
819
820
821 # the password is randomly generated on first run
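# Read the daemon's RPC password (as stored in settings.json) and write a
# transmission-remote-gtk profile containing it for every user with a home
# directory. xtrace is paused for the assignment so the value is not copied
# into the run log.
set +x
rpc_pass=$(s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
puts JSON.parse(File.read(p))["rpc-password"]
EOF
)
set -x

for f in /home/*; do
  u=${f##*/}
  # Skip entries that do not belong to an account (lost+found, or the
  # literal pattern when /home is empty).
  id -u "$u" &>/dev/null || continue
  d=$f/.config/transmission-remote-gtk
  s -u "$u" mkdir -p "$d"
  s -u "$u" dd of="$d/config.json" <<EOF
{
"profiles" : [
{
"profile-name" : "Default",
"hostname" : "transmission",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
"auto-connect" : true,
"ssl" : false,
"timeout" : 40,
"retries" : 3,
"update-active-only" : false,
"activeonly-fullsync-enabled" : false,
"activeonly-fullsync-every" : 2,
"update-interval" : 3,
"min-update-interval" : 3,
"session-update-interval" : 60,
"exec-commands" : [
],
"destinations" : [
]
}
],
"profile-id" : 0,
"add-options-dialog" : false
}
EOF
  # The profile holds a credential; keep it readable by its owner only.
  s -u "$u" chmod 600 "$d/config.json"
done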
863
pi wget
# Google Chrome on tp and frodo.
case $HOSTNAME in
  tp|frodo)
    case $distro in
      debian|ubuntu)
        # Temp file capturing dpkg's output; it is not removed afterwards.
        log=$(mktemp)
        cd /a/opt
        # NOTE(review): dpkg -i does not check a package signature, so the
        # authenticity of this .deb rests on the HTTPS download alone.
        wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
        # errallow/errcatch are defined outside this file; they appear to
        # switch the script's error handling off and back on so that
        # dpkg's exit status can be inspected -- confirm.
        errallow
        # With pipefail the pipeline status reflects dpkg, not just tee.
        # NOTE(review): pipefail stays enabled for the rest of the script.
        set -o pipefail
        s dpkg -i google-chrome-stable_current_amd64.deb |& tee $log
        code=$?
        errcatch
        case $code in
          0) : ;;
          *)
            # previously I had a more specific search, but dpkg
            # changed it's output as of 7/2016
            if grep 'dependency problems' \
              $log &>/dev/null; then
              s apt-get -fy install
            else
              exit 1
            fi
            ;;
        esac
        ;;
      arch)
        pi google-chrome
        ;;
    esac
    ;;
esac
897
898 # printer
# printer; other distros unknown
if [[ $distro == arch ]]; then
  pi cups ghostscript gsfonts # from arch wiki cups page
  pi hplip # from google
  s gpasswd -a $USER sys # from arch wiki
  sgo org.cups.cupsd.service
  # goto http://127.0.0.1:631
  # administration tab, add new printer button.
  # In debian, I could use hte recommended driver,
  # in arch, I had to pick out the 6L driver.
elif [[ $distro == debian || $distro == ubuntu ]]; then
  spa hplip
fi


# mail indexers
if [[ $distro == ubuntu || $distro == debian ]]; then
  pi --no-install-recommends mairix notmuch
elif [[ $distro == fedora || $distro == arch ]]; then
  spa mairix notmuch
fi
# nfs client
if [[ $distro == arch ]]; then
  spa nfs-utils
elif [[ $distro == ubuntu || $distro == debian ]]; then
  spa nfs-client
fi
# par2
if [[ $distro == ubuntu || $distro == debian ]]; then
  spa par2
elif [[ $distro == arch || $distro == fedora ]]; then
  spa par2cmdline
fi

# needed for my tex resume; fedora unknown
if [[ $distro == ubuntu || $distro == debian ]]; then
  spa texlive-full
elif [[ $distro == arch ]]; then
  spa texlive-most
fi
936
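# Codec packages.
case $distro in
  ubuntu)
    # flash, unrar, codecs, ms fonts.
    # This has a manual prompt.
    spa ubuntu-restricted-extras
    ;;
  fedora)
    pi yum-utils
    # rpm fusion recommended codecs
    # The release packages are installed as root with --nogpgcheck, so
    # nothing verifies their signature; fetch them over HTTPS so that at
    # least the transport is authenticated.
    # NOTE(review): importing the RPM Fusion signing keys first and dropping
    # --nogpgcheck would be stronger.
    s su -c "yum localinstall -y --nogpgcheck https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
    pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg \
      xine-lib-extras-freeworld
    ;;
esac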
951
# optional dep for firefox for h.264 video
# other distros, probably come by default
if [[ $distro == arch ]]; then
  spa gst-libav
fi

# gnupg agent; arch needs nothing
if [[ $distro == fedora || $distro == ubuntu || $distro == debian ]]; then
  spa gnupg-agent
fi


# pinentry; elsewhere it comes default or with other packages
if [[ $distro == fedora ]]; then
  spa pinentry-gtk
fi

# firefox/pulseaudio; elsewhere they come default or with other packages
if [[ $distro == arch ]]; then
  spa firefox pulseaudio
fi


# dejavu fonts; others unknown
if [[ $distro == arch ]]; then
  spa ttf-dejavu
elif [[ $distro == debian || $distro == ubuntu ]]; then
  spa fonts-dejavu
fi


# xev; others unknown
if [[ $distro == arch ]]; then
  spa xorg-xev
elif [[ $distro == debian || $distro == ubuntu ]]; then
  spa x11-utils
fi

# virt-install has a distro-specific name; virt-manager is installed
# everywhere (creates the libvirt group in debian at least).
if [[ $distro == arch ]]; then
  pi virt-install
elif [[ $distro == debian || $distro == ubuntu ]]; then
  pi virtinst
fi
pi virt-manager
# allow user to run vms, from debian handbook
for x in ian traci
do
  s usermod -a -G libvirt,kvm $x
done
996 # bridge networking as user fails. google lead here, but it doesn\'t work:
997 # oh well, I give up.
998 # http://wiki.qemu.org/Features-Done/HelperNetworking
999 # s mkdir /etc/qemu
1000 # f=/etc/qemu/bridge.conf
1001 # s dd of=$f <<'EOF'
1002 # allow br0
1003 # EOF
1004 # #s chown root:qemu $f # debian has somethig like qemu-libvirt. equivalent?
1005 # s chmod 640 $f
1006
1007
# iso tooling; others unknown
if [[ $distro == arch ]]; then
  spa cdrkit
elif [[ $distro == debian || $distro == ubuntu ]]; then
  spa genisoimage
fi

# spice client; others unknown
if [[ $distro == arch ]]; then
  spa spice-gtk3
elif [[ $distro == debian || $distro == ubuntu ]]; then
  spa spice-client-gtk
fi

# general known for debian/ubuntu, not for fedora

# go toolchain plus fdroidcl; others unknown
if [[ $distro == debian || $distro == ubuntu ]]; then
  pi golang-go
  # a bit of googling, and added settings to bashrc
  go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
fi
1030
1031
# libvirt/qemu support packages and services on arch.
case $distro in
  arch)
    # cdrkit for cloud-init isos
    # dnsmasq & ebtables for nat networking in libvirt
    # qemu for qemu-img, bind-tools for dig
    # dmidecode just because syslog complains
    pi unzip xorg-xmodmap dmidecode ebtables\
      bridge-utils dnsmasq qemu bind-tools
    # otherwise we get error about accessing kvm module.
    # seems like there might be a better way, but google was a bit vague.
    # Replace any existing user= setting with user = "root".
    # NOTE(review): this makes libvirt start its qemu processes as root, so
    # a guest escape would land with root privileges; an unprivileged
    # account with access to /dev/kvm would avoid that.
    s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
    echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
    # https://bbs.archlinux.org/viewtopic.php?id=206206
    # # this should prolly go in the wiki
    sgo virtlogd.socket
    # guessing this is not needed
    #sgo virtlogd.service
    sgo libvirtd

    ;;
esac

case $distro in
  arch) pi virtviewer ;;
  *) : ;; # other distros have it as a dependency afaik.
esac
1058
1059
1060
# shellcheck; unknown for older ubuntu
if [[ $distro == fedora ]]; then
  cabal install shellcheck
else
  spa shellcheck
fi


# pumpa; others unknown. do have a buildscript:
# /a/bin/buildscripts/pumpa ;;
if [[ $distro == arch || $distro == debian || $distro == ubuntu ]]; then
  spa pumpa
fi


# adb; other distros unknown
if [[ $distro == debian || $distro == ubuntu ]]; then
  spa android-tools-adbd/unstable
elif [[ $distro == arch ]]; then
  spa android-tools
fi
1080
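# bitcoind plus joinmarket on treetowl.
if [[ $HOSTNAME == treetowl ]]; then
  case $distro in
    debian)
      if [[ $(debian-archive) == testing ]]; then
        # has no unstable dependencies
        pi bitcoind/unstable
        # NOTE(review): this overwrites the src variable assigned near the
        # top of the script -- confirm nothing later expects the old value.
        src=/a/opt/bitcoin/contrib/init/bitcoind.service
        s cp $src /etc/systemd/system
        p=/etc/bitcoin/bitcoin
        dst=/etc/systemd/system/bitcoinjm.service
        # jm for joinmarket
        # Write the second unit through the root helper. A plain ">"
        # redirection is opened by the calling shell, so it fails whenever
        # the script itself is not running as root.
        $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src | s dd of=$dst

        # Make the two units conflict with each other: bitcoind.service
        # gets Conflicts=bitcoinjm.service and the reverse.
        d=jm; jm=d # being clever for succinctness
        for s in d jm; do
          s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
            /etc/systemd/system/bitcoin${s}.service
        done

        ser daemon-reload

        dir=/nocow/.bitcoin
        s mkdir -p $dir
        s chown -R bitcoin:bitcoin $dir
        # Config directory: only root and the bitcoin group can enter it,
        # which is what keeps the RPC credentials below away from other
        # local users.
        dir=/etc/bitcoin
        s mkdir -p $dir
        s chown -R root:bitcoin $dir
        s chmod 750 $dir

        # pruning decreases the bitcoin dir to 2 gb, keeps
        # just the recent blocks. can't do a few things like
        # import a wallet dump.
        # pruning works, but people had to do
        # some manual stuff in joinmarket. I dun need the
        # disk space, so not bothering yet, maybe in a year or so.
        # https://github.com/JoinMarket-Org/joinmarket/issues/431
        #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
        #prune=550

        # Fresh random RPC credentials are generated on every run.
        f=$dir/bitcoin.conf
        s dd of=$f <<EOF
server=1
rpcpassword=$(openssl rand -base64 32)
rpcuser=$(openssl rand -base64 32)
EOF


        f2=$dir/bitcoinjm.conf
        s cp $f $f2
        s tee -a $f2 >/dev/null <<EOF
# Joinmarket
walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
wallet=joinmarket.dat
EOF
        # dunno about sharing a wallet between multiple instances
        # manually did, wallet.dat symlinked in /nocow/.bitcoin
        sgo bitcoind
      fi
      ;;
    # other distros unknown
  esac
  pi libsodium-dev python-pip
  cd /a/opt/joinmarket
  # using develop branch, as it seems to be mostly bug fixes,
  # and this is quite new software.
  # note: python3 does not work.
  # has seg fault error due to some bug, but it still works
  # Exit status 139 (the segfault) is tolerated; any other failure is not.
  pip install -r requirements.txt || [[ $? == 139 ]]
  # note, the target must exist ahead of time, or bitcoin
  # just overwrites the link, and it's not happy with an empty file,
  # so we have to create the wallet, then move and link it.
  s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
  s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
  # not technically needed, but seems cleaner not to have
  # symlinks be root owned unlike everything else
  s chown -h bitcoin:bitcoin /nocow/.bitcoin/*

  # Copy the RPC credentials into joinmarket.cfg. xtrace is paused because
  # the values would otherwise appear in the run log, both in the
  # assignments and in the expanded sed command.
  set +x
  for var in rpcuser rpcpassword; do
    u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
    # escape backslashes
    u="${u//\\/\\\\\\\\}"
    # escape commas
    u="${u//,/\\,}"
    sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
  done
  set -x
  sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg

fi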
1171
1172
1173
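# Install GNU GLOBAL and pygments; the setup is based on
# https://github.com/leoliu/ggtags
case $distro in
  fedora)
    # Build from the upstream tarball inside a throwaway directory.
    # Quoted so the temp path can never be word-split or globbed.
    cd "$(mktemp -d)"
    # NOTE(review): the tarball comes over plain HTTP and nothing checks a
    # checksum or signature before its build scripts run and `s make install`
    # installs the result (`s` presumably runs the command as root). Compare
    # the download with a digest recorded from a trusted copy, or verify the
    # upstream signature, before ./configure.
    wget http://tamacom.com/global/global-6.3.2.tar.gz
    ex global*
    cd global-6.3.2
    ./configure --with-exuberant-ctags=/usr/bin/ctags
    make
    s make install
    # NOTE(review): pip run through `s` installs an unpinned package outside
    # the distro package manager; prefer the distro pygments package if
    # fedora ships one.
    s pip install pygments
    ;;
  *)
    pi global
    # ;;& keeps testing the patterns below, so arch/debian/ubuntu also get
    # their distro-specific pygments package.
    ;;&
  arch)
    pi python2-pygments
    ;;
  debian|ubuntu)
    pi python-pygments
    ;;
esac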
1196
1197
# Desktop environment; only debian is handled, other distros are unknown.
if [[ $distro == debian ]]; then
  pi task-cinnamon-desktop
  # in settings, change scrolling to two-finger,
  # because the default edge scroll doesn't work.
  pu transmission-gtk
fi
1207
# already in debian jessie, so only arch queues apg
if [[ $distro == arch ]]; then
  spa apg
fi
1213
1214
1215
1216
1217 # note this failed running at the beginning of this file,
1218 # because no systemd user instance was running.
1219 # Doing systemd --user resulted in
1220 # Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
1221
# Install synergy; on debian testing it has to come from unstable.
if ! isdebian-testing; then
  pi synergy
else
  # as of 7/2016, has no unstable deps, and is not in testing anymore.
  pi synergy/unstable
fi
1228
1229 # case $distro in
1230 # # ubuntu unknown. probably the same as debian, just check if the
1231 # # init scripts come with the package.
1232 # debian)
1233 # # copied from arch, but moved to etc
1234 # s dd of=/etc/systemd/user/synergys.service <<'EOF'
1235 # [Unit]
1236 # Description=Synergy Server Daemon
1237 # After=network.target
1238
1239 # [Service]
1240 # User=%i
1241 # ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
1242 # Restart=on-failure
1243
1244 # [Install]
1245 # WantedBy=multi-user.target
1246 # EOF
1247 # s dd of=/etc/systemd/user/synergys.socket <<'EOF'
1248 # [Unit]
1249 # Conflicts=synergys@.service
1250
1251 # [Socket]
1252 # ListenStream=24800
1253 # Accept=false
1254
1255 # [Install]
1256 # WantedBy=sockets.target
1257 # EOF
1258 # # had this fail with 'Failed to connect to bus: No such file or directory'
1259 # # then when I tried it manually, it worked fine...
1260 # if ! systemctl --user daemon-reload; then
1261 # sleep 2
1262 # echo retrying systemd user daemon reload
1263 # systemctl --user daemon-reload
1264 # fi
1265 # ;;&
1266 # *)
1267 # # taken from arch wiki.
1268 # s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
1269 # [Unit]
1270 # Description=Synergy Client
1271 # After=network.target
1272
1273 # [Service]
1274 # User=%i
1275 # ExecStart=/usr/bin/synergyc --no-daemon frodo
1276 # Restart=on-failure
1277 # # per man systemd.unit, StartLimitInterval, by default we
1278 # # restart more than 5 times in 10 seconds.
1279 # # And this param defaults too 200 miliseconds.
1280 # RestartSec=3s
1281
1282 # [Install]
1283 # WantedBy=multi-user.target
1284 # EOF
1285 # s systemctl daemon-reload
1286 # case $HOSTNAME in
1287 # x2|treetowl)
1288 # ser enable synergyc@ian
1289 # ser start synergyc@ian ||: # X might not be running yet
1290 # ;;
1291 # frodo)
1292 # systemctl --user start synergys ||:
1293 # systemctl --user enable synergys
1294 # ;;
1295 # esac
1296 # ;;
1297 # esac
1298
1299
1300 ######### end misc packages #########
1301
1302
1303 # packages I once used before and liked, but don\'t want installed now for
1304 # various reasons:
1305 # python-sqlite is used for offlineimap
1306 # lxappearance python-sqlite dolphin paman dconf-editor
1307
1308
1309
1310 ######## unfinished
1311
1312 # todo, finish configuring smart.
1313
1314 pi smartmontools
1315 # mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
1316 # turn on smart. background on options:
1317 # first line, -a = test everyting on all devices.
1318 # -S on, turn on disk internal saving of vendor specific info,
1319 # from google, seems like this is usually already on and fairly standard.
1320 # -o on, turn on 4 hour period non-performance degrading testing.
1321 # short test daily 2-3am, extended tests Saturdays between 3-4am:
1322 sched="-s (S/../.././02|L/../../6/03)"
1323 s sed -i --follow-symlinks "s#^[[:space:]]*DEVICESCAN.*#\
1324 DEVICESCAN -a -o on -S on -n standby,q $sched \
1325 -m ian@iankelling.org -M exec /usr/local/bin/smart-notify#" /etc/smartd.conf
1326
1327 # in the default configuration of at least ubuntu 14.04, resolvconf is
1328 # configured to order any nameservers associated with tun* or tap*
1329 # before the normal internet interfaces, which means they are always
1330 # consulted first. This is often slower and undesirable, ie. local dns
1331 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
1332 # can do:
1333 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
1334 # however, this breaks dns lookup for hosts on the openvpn lan.
1335 # I can\'t figure out why hosts on the normal lan would not be
1336 # broken under the default ordering, except the host I was
1337 # testing with previously had an entry in /etc/hosts.
1338
1339 ############# end unfinished
1340
1341 ########### misc stuff
1342
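# Preseed grub-pc with the devices that back the /boot btrfs filesystem, so a
# grub upgrade does not stop to prompt for install targets.
#
# devs ends up holding one entry per device as returned by devbyid, every
# entry but the last carrying a trailing comma, so that ${devs[*]} expands to
# a comma-separated list (this relies on IFS starting with a space).
devs=()
# Read the device paths line by line rather than word-splitting a command
# substitution, and quote each path on its way to devbyid.
mapfile -t boot_paths < <(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p')
if (( ${#boot_paths[@]} == 0 )); then
  # Without this guard devs[-1] below fails with "bad array subscript" and
  # debconf could be handed an empty device list; fail with a clear message.
  echo "$0: no btrfs device paths found for /boot" >&2
  exit 1
fi
for dev in "${boot_paths[@]}"; do
  devs+=("$(devbyid "$dev"),")
done
devs[-1]=${devs[-1]%,} # joined by commas

# on grub upgrade, we get prompts unless we do this
s debconf-set-selections <<EOF
grub-pc grub-pc/install_devices multiselect ${devs[*]}
EOF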
1353
1354
1355 # the wiki backup script from ofswiki.org uses generic paths
1356 s lnf /p/c/machine_specific/li/mw_vars /root
1357 s lnf /k/backup/wiki_backup /root
1358
1359 s cedit /etc/goaccess.conf <<'EOF' || [[ $? == 1 ]]
1360 # all things found from looking around the default config
1361 # copied existing NCSA Combined Log Format with Virtual Host, plus %L
1362 log-format %^:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %D
1363 time-format %H:%M:%S
1364 date-format %d/%b/%Y
1365 log-file /var/log/apache2/access.log
1366 color-scheme 2
1367
1368 # tip: copy access.log files to a stretch host directory, then run
1369 # jessie's goaccess is too old for some options, and it\'s
1370 # not easily installed from a testing.
1371 # goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
1372 EOF
1373
1374
# Install unison and its gtk frontend.
case $distro in
  debian|ubuntu)
    if [[ $(debian-archive) == stable ]]; then
      # On stable, pin unison-gtk so it can be upgraded from testing.
      s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
Explanation: Allow unison-gtk to be upgraded
Package: unison-gtk
Pin: release a=testing
Pin-Priority: 500
EOF
      # dont think using testing is needed since I figured out how to
      # deal with mismatching unison compilers, but I dont
      # see any reason to revert it, since it only installs
      # a single package which is primarily a single binary
    fi
    pi unison/testing
    # installed after unison to make it the default unison
    pi unison-gtk/testing
    ;;
  arch)
    pi unison gtk2
    ;;
esac
1398
# Point libao at pulseaudio on arch.
if [[ $distro == arch ]]; then
  # default is alsa, doesn't work with pianobar
  s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
fi
1407
1408 # note, for jessie, it depends on a higher version of btrfs-tools.
1409 #
1410 # # disabled due to my patch being in btrbk
1411 # case $distro in
1412 # arch|debian|ubuntu) pi btrbk ;;
1413 # # others unknown
1414 # esac
# Install btrbk from the local checkout instead of a distro package.
cd /a/opt/btrbk
s make install
# pv gives a progress bar when running interactively.
spa pv
case $HOSTNAME in
  treetowl)
    # backup/sync manually on other hosts for now.
    sgo btrbk.timer
    # note: to see when it was last run,
    # ser list-timers
    ;;
esac
1424
# fail2ban only on treetowl, and only when the archive is not testing.
if [[ $HOSTNAME == treetowl && $(debian-archive) != testing ]]; then
  # fail2ban is broken, with a workaround, per
  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
  # I'll wait a while to see if it gets fixed
  pi fail2ban
  sgo fail2ban
fi
1432
1433
1434
1435
1436
# Membership in adm is needed for reading logs as user ian.
if [[ $distro == debian || $distro == ubuntu ]]; then
  s gpasswd -a ian adm
fi
1440
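# tor
# based on
# https://www.torproject.org/docs/rpms.html.en
# https://www.torproject.org/docs/debian.html.en
# todo: figure out if the running service needs to be restarted upon updates
case $distro in
  # todo on fedora: setup non-dev packages
  fedora)
    # NOTE(review): baseurl and gpgkey below are plain http, so the signing
    # key itself arrives unauthenticated. gpgcheck=1 only protects later
    # downloads once the imported key has been compared with the fingerprint
    # noted after the heredoc.
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

    # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    # Request the key by its full fingerprint. An 8-hex-digit short id can be
    # matched by an unrelated key on a keyserver; the export below already
    # names the full fingerprint, so use the same value for the fetch.
    gpg --keyserver keys.gnupg.net --recv-keys A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    # NOTE(review): apt-key add trusts this key for every configured
    # repository, not only the tor one.
    gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
    p update
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
esac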
1492
# nfs server
case $distro in
  fedora)
    # The firewall steps are manual, so queue them as an end-of-run message:
    # end_msg appends this text to end_msg_var.
    end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration


EOF
    pi nfs-utils
    sgo nfs-server
    ;;
  debian|ubuntu)
    pi nfs-server
    ;;
  arch)
    # A non-zero status from the install flags a reboot; the end of this
    # script reboots when pending_reboot is true.
    pi nfs-utils || pending_reboot=true
    sgo rpcbind
    # this failed until I rebooted
    sgo nfs-server
    ;;
esac
1526
# Export /k over NFS to the 192.168.1.0/24 LAN from treetowl.
if [[ $HOSTNAME == treetowl ]]; then
  # nohide = export filesystems mounted deeper than the export point
  # fsid=0 makes this export the "root" export
  # not documented in the man page, but this means
  # 1. it can be mounted with a shorthand of server:/
  # 2. exports that are subdirectories of this one will automatically be mounted
  #
  # NOTE(review): no_root_squash lets root on any client in the /24 act as
  # root on /k, and insecure accepts requests from unprivileged source ports,
  # so every host on that subnet is fully trusted with this data. Narrow the
  # client list or drop these two options if that is not intended. async
  # trades crash safety for speed.
  tu /etc/exports <<'EOF'
/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
  # Re-export everything so the new entry takes effect.
  s exportfs -rav
fi
1538
1539
1540 e "$end_msg_var"
1541
1542
# persistent virtual machines

# osinfo-query comes from libosinfo-bin on debian-based distros.
if [[ $distro == debian || $distro == ubuntu ]]; then
  pi libosinfo-bin
fi

# Choose the --os-variant value for the windows guests. The distro may not
# know about win 10 yet, so fall back to win7.
variant=win7
if ! virt-install --os-variant list &>/dev/null; then # we are using a newer virt-install
  # Take the newest windows release that osinfo-query lists.
  for v in 10 8.1 8; do
    if osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null; then
      variant=win$v
      break
    fi
  done
fi
1561
# Define the windows guests from existing disk images. Only the absence of a
# domain named win10 is checked, and that check gates the win7 guest as well.
if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then

  # created account with
  # win10vmian@outlook.com, and easy to remember password
  # win 10 virtio, makes disk way way way faster
  # wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
  # https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
  # for installing virtio after initial install instead of with initial iso:
  # qemu-img create -f qcow2 fake.qcow2 1G
  # --disk=/a/images/virtio-win.iso,device=cdrom \
  # --disk=/a/images/fake.qcow2,bus=virtio
  # Also,
  # went to device manager, saw 2 pci devices with yellow !,
  # did search for drivers, pick cdrom location, done.
  #
  # from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
  # google said there was a control panel option for it, but
  # that turned out to be a lie.
  # Put this in a .bat file and run as administrator to turn off
  # hyberboot which fucks things up.
  # REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
  # power settings, turn off display: never
  # run "control userpasswords2", turn on automatic login.
  # note: when changing devices, I just undefine, then create the vm again.

  # NOTE(review): spice,listen=0.0.0.0 exposes the guest console on every
  # host interface and no spice password is set here; listen on 127.0.0.1 and
  # tunnel, or add a password, unless the network is trusted. The same
  # applies to the win7 guest below.
  # NOTE(review): the existence tests look under /nocow/user/vms while --disk
  # points at /a/images; presumably one links to the other - confirm.
  if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
    s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
      --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
      -n win10 --import --os-variant $variant --cpu host-model-only

    # virt-install boots the imported guest; power it off again right away so
    # that it is only left defined.
    s virsh destroy win10
  fi

  if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
    # this one hasn't had the virtio fix done yet.
    s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
      --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
      -n win7 --import --os-variant win7 --cpu host-model-only
    s virsh destroy win7
    # had a problem with --cpu host, so trying out
    # --cpu host-model-only
  fi
fi
1605
1606
# Samba server on treetowl with a guest-writable [public] share.
if [[ $HOSTNAME == treetowl ]]; then
  pi samba
  # note samba re-reads its config every 1 minute
  case $distro in
    arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
  esac

  # Remove any existing "encrypt passwords" and "map to guest" lines, then
  # add both back as 2 lines after the workgroup option.
  # NOTE(review): with "map to guest = bad password" a login with a wrong
  # password falls back to the guest account, and [public] below gives guests
  # write access to /kr, so anyone who can reach the SMB ports can write
  # there. Limit reachability (hosts allow, firewall) or make the share
  # read-only if that is broader than intended.
  s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
  s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
  s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
  # remove default homes section. not sharing that.
  # NOTE(review): the range ends at the next line containing '[' anywhere and
  # that line is deleted as well; if it is a live section header, the options
  # under it are left without their header. Check the result against the
  # distro's default smb.conf.
  s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf

  # Append the share only once, so reruns do not duplicate it.
  if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
    s tee -a /etc/samba/smb.conf <<'EOF'
[public]
guest ok = yes
read only = no
path = /kr
EOF
  fi

  case $distro in
    debian|ubuntu)
      # systemd claims it generates units from /etc/init.d, but it
      # clearly doesn't in debian. I have no idea how they are
      # related. fuck debian right now. It's not documented. samba
      # has a systemd init file linked to /dev/null. There's this
      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
      # claims samba's sub-services will be started automatically by
      # systemd... it didn't on install, wonder if it will on
      # boot. It clued me in how to start it manually though. Nothing
      # in /usr/share/doc/samba, debian admin guide says nothing about
      # any of this. (this is in debian testing as of 4/2016).

      s /etc/init.d/samba start
      ;;
    arch)
      sgo samba
      ;;
  esac
fi
1650
1651 tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)"
1652
1653
1654 ######### begin stuff belonging at the end ##########
1655
1656
# Apps that should win as default file handlers are queued last:
# the simplest way in debian is to just install them last.
simple_packages+=(mpv)

# The file manager package name differs per distro.
if [[ $distro == ubuntu || $distro == debian ]]; then
  spa spacefm-gtk3
elif [[ $distro == arch ]]; then
  spa spacefm
fi

# Install everything queued in simple_packages in one go.
pi "${simple_packages[@]}"
1672
1673
# Final step: reboot if an earlier step set pending_reboot=true, otherwise
# log the end time. pending_reboot holds the word true or false and is run as
# a command, so it must never be empty or hold anything else.
if $pending_reboot; then
  echo "$0: pending reboot and then finished. doing it now."
  s reboot now
else
  echo "$0: $(date): ending now)"
fi