move some stuff to frodo, rename user to iank, fixes
1 #!/bin/bash -l
2 # Copyright (C) 2016 Ian Kelling
3
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7
8 # http://www.apache.org/licenses/LICENSE-2.0
9
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
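# errcatch is a project helper from the login-shell profile (bash -l);
# presumably it turns on abort-on-error for the rest of the run.
errcatch

set -x

# Everything below, including the xtrace output, is appended to this log.
# Keep it root-only: xtrace prints every expanded command word and every
# plain assignment, so any secret that passes through argv or a variable
# is written here verbatim. (The steps that handle passwords below should
# wrap themselves in set +x / set -x for the same reason.) The original
# let sudo tee create the file with the default umask, i.e. world-readable.
sudo touch /var/log/distro-end
sudo chmod 600 /var/log/distro-end
exec &> >(sudo tee -a /var/log/distro-end)
echo "$0: $(date): starting now"

# directory this script lives in, used for sibling helpers (e.g. phab-setup)
src="${BASH_SOURCE%/*}"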
24
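# Queue a message for the end of the run: slurp all of stdin into
# end_msg_var. `read -d ''` reads up to a NUL, which here means up to EOF;
# IFS= keeps leading/trailing whitespace and -r keeps backslashes. read
# returns non-zero when it hits EOF even though y was filled, hence `||:`.
# The stray `=` that preceded `local` in the original would have been run
# as a command named "=" and failed.
end_msg() {
  local y
  IFS= read -r -d '' y ||:
  end_msg_var+="$y"
}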
30
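# simple package add: queue package names onto simple_packages for the
# batch apt-get install further down. Each argument is one package; "$@"
# is quoted so a name is never glob-expanded or re-split here. Callers
# that want splitting do it at the call site, e.g. `spa $(apt-cache ...)`.
spa() {
  simple_packages+=("$@")
}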
34
# distro-name is a project helper; its output drives the per-distro
# case arms below (debian|ubuntu|trisquel|arch|fedora).
distro=$(distro-name)

pending_reboot=false
# GNU sed flag so in-place edits of a symlinked config file change the
# target instead of replacing the link with a regular file.
sed="sed --follow-symlinks"

# template
case $distro in
esac

# project helper; presumably refreshes the package index before the installs below
pup

# Packages for every host. Per-distro/per-host additions are queued with
# spa; the actual install is one batch further down.
simple_packages=(
htop
mailutils
nmon
rdiff-backup
ruby
ruby-rest-client
tree
vim
wcd
)
57
case $HOSTNAME in
  # lj and li are the public servers: they get only the base list above,
  # not the workstation packages in the other arm.
  lj|li) : ;;
  *)
    # universal packages
    # swh-plugins is for karaoke pulsaudio filter.
    # mutagen for pithos
    # guvcview set webcam brightness to highest
    # pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts
    simple_packages+=(
      apache2
      apache2-doc
      apt-doc
      apt-listchanges
      aptitude-doc-en
      bash-doc
      beets
      beets-doc
      binutils-doc
      bind9-doc
      bind9-utils
      bwm-ng
      chromium
      cpio-doc
      cloc
      cpulimit
      cron
      debconf-doc
      dirmngr
      dnsutils
      dnsmasq
      dtrx
      duplicity
      eclipse
      evince
      fdupes
      feh
      filelight
      flashrom
      gawk-doc
      gcc-doc
      gdb
      gdb-doc
      geoip-bin
      git-doc
      git-email
      gitk
      glibc-doc
      goaccess
      gnome-screenshot
      gnome-session-flashback
      guvcview
      i3lock
      inetutils-traceroute
      iperf3
      iproute2-doc
      jq
      kid3-qt
      kid3-cli
      linux-doc
      locate
      lshw
      make-doc
      manpages
      manpages-dev
      meld
      mps-youtube
      mumble
      nagstamon
      nginx-doc
      nmap
      offlineimap
      oathtool
      p7zip
      paprefs
      parted-doc
      pavucontrol
      pdfgrep
      perl-doc
      pianobar
      pidgin
      pidgin-otr
      pry
      python-autopep8
      python3-doc
      python3-mutagen
      qrencode
      reportbug
      # the -doc package of the versioned ruby that the ruby metapackage
      # depends on (e.g. ruby2.3 -> ruby2.3-doc). NOTE(review): if that
      # Depends: line ever lists more than one package this expands to a
      # name apt won't know and the batch install will fail.
      $(aptitude show ruby | sed -rn 's/Depends: (.*)/\1/p')-doc
      sqlite3-doc
      squashfs-tools
      swh-plugins
      tar-doc
      tcpdump
      telnet
      transmission-remote-gtk
      vlc
      whois
      wondershaper
    )
    # every other versioned ruby doc package apt knows about. The pattern
    # is passed to apt-cache unquoted, so it is also a shell glob: it will
    # expand against the cwd if a matching file exists there (unlikely).
    spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
    ;;
esac
160
161
########### begin section including li ################


case $distro in
  fedora) spa unrar ;;
  *) spa unrar-free ;;
esac


case $distro in
  arch)
    # ubuntu 14.04 uses b-cron,
    # but its not maintained in arch.
    # of the ones in the main repos, cronie is only one maintained.
    # fcron appears abandoned software.
    # pi = install now, sgo = enable + start (project helpers)
    pi cronie
    sgo cronie
    ;;
  *) : ;; # other distros come with cron.
esac


if isdeb; then
  pi debian-goodies
fi


# ;;& keeps matching after the first arm, so arch installs at *and* enables atd
case $distro in
  *) pi at ;;&
  arch) sgo atd ;;
esac


case $distro in
  debian) pi curl;;
  arch) : ;;
  # fedora: unknown
esac

case $distro in
  # tk for gitk
  arch) spa git tk ;;
  *) spa git ;;
esac

case $distro in
  arch) spa the_silver_searcher ;;
  debian|ubuntu|trisquel) spa silversearcher-ag ;;
  # fedora unknown
esac

case $distro in
  debian|ubuntu|trisquel) spa ntp;;
  arch)
    pi ntp
    sgo ntpd
    ;;
  # others unknown
esac


# no equivalent in other distros:
case $distro in
  debian|ubuntu|trisquel)
    pi aptitude
    if ! dpkg -s apt-file &>/dev/null; then
      # this condition is just a speed optimization
      pi apt-file
      # s = run under sudo (project helper)
      s apt-file update
    fi
    # for debconf-get-selections
    spa debconf-utils
    ;;
esac

case $distro in
  ubuntu|trisquel|debian) spa ack-grep ;;
  arch|fedora) spa ack ;;
  # fedora unknown
esac

case $distro in
  arch|debian|ubuntu|trisquel)
    spa bash-completion
    ;;
  # others unknown
esac
249
250
251
252
253
# disable motd junk.
case $distro in
  debian)
    # allows me to pipe with ssh -t, and gets rid of spam
    # http://forums.debian.net/viewtopic.php?f=5&t=85822
    # i'd rather disable the service than comment the init file
    # this says disabling the service, it will still get restarted
    # but this script doesn't do anything on restart, so it should be fine
    # truncate the generated motd (dd with an empty input)
    s dd of=/var/run/motd.dynamic if=/dev/null
    # stretch doesn't have initscripts pkg installed by default
    if [[ $(debian-codename) == jessie ]]; then
      s update-rc.d motd disable
    fi
    ;;
  ubuntu|trisquel)
    # this isn't a complete solution. It still shows me when updates are available,
    # but it's no big deal.
    # `t` is a project helper applied to the two update-motd scripts;
    # presumably it disables them (not visible here).
    s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
    ;;
esac
274
# automatic updates
# reference:
# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
# /etc/cron.daily/apt calls unattended-upgrades
# /usr/share/doc/unattended-upgrades# cat README.md
# /etc/apt/apt.conf.d/50unattended-upgrades
if isdebian; then
  setup-debian-auto-update
fi

# we've got a few dependencies later on, so install them now.
# eatmydata drops fsync() for the install: faster, but a crash or power
# loss mid-install can leave dpkg's state inconsistent.
pi eatmydata
# one batch install of everything queued with spa so far; --purge
# --auto-remove also removes anything apt considers orphaned, in the
# same transaction.
s eatmydata apt-get -y install --purge --auto-remove "${simple_packages[@]}"
# later spa calls start a new batch (installed somewhere after this view)
simple_packages=()
289
290
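### begin docker install ####
# https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
# gnupg for gpg --dearmor below; apt-transport-https for the https repo
pi apt-transport-https gnupg
# Bind Docker's signing key to Docker's repository with signed-by instead
# of `apt-key add`: a key in the global trusted keyring is accepted for
# every configured repository, so compromise of that one key would let
# an attacker sign any package on the system. Writing the list file
# directly also removes the need for add-apt-repository.
docker_keyring=/usr/share/keyrings/docker-archive-keyring.gpg
s mkdir -p /usr/share/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor | s dd of=$docker_keyring
s chmod 644 $docker_keyring
# lsb_release needs the lsb-release package, as in the original
echo "deb [arch=amd64 signed-by=$docker_keyring] https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
  | s dd of=/etc/apt/sources.list.d/docker.list
p update
pi docker-ce
sgo docker
### end docker install ####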
303
304
case $distro in
  debian)
    # note, need python-certbot-nginx for nginx, but it depends on nginx,
    # and I'm not installing nginx by default right now
    if isdebian-testing; then
      pi --install-suggests certbot
    else
      pi --install-suggests -t jessie-backports certbot
    fi
    # make a version of the certbot timer that emails me.
    # Built by rewriting the packaged units /lib/systemd/system/certbot.*
    # into /etc/systemd/system/certbotmail.*; the package's own units are
    # left untouched.
    x=/systemd/system/certbot
    $sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
s,^Description.*,\0 mail version,
EOF
    # wrap the renew in sysd-mail-once (presumably mails on failure) and
    # run the project's renew hook so dependent services pick up new certs
    $sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
EOF
    ser daemon-reload
    sgo certbotmail.timer

    ;;
  # todo: other distros unknown
esac
328
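# website setup
case $HOSTNAME in
  lj|li)

    case $HOSTNAME in
      # lj only needs its domain; everything else in this arm is li's, so stop here
      lj) domain=iank.bid; exit 0 ;;
      li) domain=iankelling.org ;;
    esac
    /a/h/setup.sh $domain
    /a/h/build.rb

    sudo -E /a/bin/mediawiki-setup/mw-setup-script
    #$src/phab-setup

    pi-nostart mumble-server
    # Set the server password via a sed script on stdin rather than by
    # interpolating it into the command line: the argv form was visible in
    # ps and in the xtrace log, and a password containing / & or \ would
    # have broken the replacement. xtrace is off while the secret sits in
    # a shell variable (bash traces plain assignments too).
    set +x
    mumble_pass=$(< /a/bin/bash_unpublished/mumble_pass)
    mumble_pass=${mumble_pass//\\/\\\\}   # \ -> \\   (sed replacement metachars)
    mumble_pass=${mumble_pass//\//\\/}    # / -> \/
    mumble_pass=${mumble_pass//&/\\&}     # & -> \&
    s $sed -ri -f - /etc/mumble-server.ini <<EOF
s/^ *(serverpassword=).*/\1$mumble_pass/
EOF
    unset mumble_pass
    set -x

    # do certificate to avoid warning about unsigned cert,
    # which is overkill for my use, but hey, I'm cool, I know
    # how to do this.
    web-conf apache2 mumble.iankelling.org
    s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org
    sudo -i <<'EOF'
export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
/a/bin/distro-setup/certbot-renew-hook
EOF

    sgo mumble-server

    vpn-server-setup -d
    # /etc/openvpn is root-owned: the bare tee the original used could only
    # have worked if client-config happened to be writable by this user.
    s tee /etc/openvpn/client-config/mail <<'EOF'
ifconfig-push 10.8.0.4 255.255.255.0
EOF


    sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
[Unit]
Description=Turns on iptables mail nat

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/a/bin/distro-setup/vpn-mail-forward start
ExecStop=/a/bin/distro-setup/vpn-mail-forward stop

[Install]
WantedBy=openvpn.service
EOF
    ser daemon-reload
    ser enable vpnmail.service
    # needed for li's local mail delivery.
    tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
    sgo openvpn
    # setup let's encrypt cert
    web-conf apache2 mail.iankelling.org
    # -f, like the mumble site above, so a re-run doesn't abort when the
    # vhost files are already gone
    s rm -f /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
    ser reload apache2

    domain=cal.iankelling.org
    # basic auth in front of the reverse proxy to radicale on the vpn address
    web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
<Location />
Options +FollowSymLinks +Multiviews +Indexes
AllowOverride None
AuthType basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
</Location>
EOF
    # (the original closed the section with a second `<Location />`, which
    # apache rejects as an unclosed section - the site never loaded)
    # nginx version of above would be:
    # auth_basic "Not currently available";
    # auth_basic_user_file /etc/nginx/caldav/htpasswd;


    ########## begin pump.io setup ##########

    # once pump adds a logrotation script, turn off nologger,
    # and add
    # "logfile": "/var/log/pumpio/pumpio.log",
    #
    s dd of=/etc/pump.io.json <<'EOF'
{
"secret": "SECRET_REPLACE_ME",
"driver": "mongodb",
"params": { "dbname": "pumpio" },
"noweb": false,
"site": "pump.iankelling.org",
"owner": "Ian Kelling",
"ownerURL": "https://iankelling.org/",
"port": 8001,
"urlPort": 443,
"hostname": "pump.iankelling.org",
"nologger": true,
"datadir": "/home/pumpio/pumpdata",
"enableUploads": true,
"debugClient": false,
"disableRegistration": true,
"noCDN": true,
"key": "/home/pumpio/privkey.pem",
"cert": "/home/pumpio/fullchain.pem",
"address": "localhost",
"sockjs": false
}
EOF
    # Fill in the session secret by editing the JSON in ruby (the same
    # approach the transmission settings use further down) instead of an
    # interpolated sed expression: the secret never appears in argv or the
    # xtrace log, and characters like # & \ cannot corrupt the file.
    s ruby <<'EOF'
require 'json'
p = '/etc/pump.io.json'
c = JSON.parse(File.read(p))
c['secret'] = File.read('/p/c/machine_specific/li/pump-secret').chomp
File.write(p, JSON.pretty_generate(c) + "\n")
EOF

    # jessie's node is too old
    # https://nodejs.org/en/download/package-manager/
    # This is a remote script run as root. Fetch it to a file first so a
    # failed or truncated download (-f) never reaches bash and so it can be
    # inspected; nothing verifies it beyond TLS, so it is still trust-on-download.
    nodesetup=$(mktemp)
    curl -fsSL -o "$nodesetup" https://deb.nodesource.com/setup_6.x
    sudo -E bash "$nodesetup"
    rm -f -- "$nodesetup"
    pi nodejs
    cd /home/iank
    # git clone below creates pump.io, not pump.io.git; the original rm
    # targeted the wrong name, so a re-run failed on the existing checkout
    rm -rf pump.io
    git clone https://github.com/pump-io/pump.io.git
    cd pump.io
    # note: doing this or the npm install pump.io as root had problems.
    # NOTE(review): this builds whatever master is at run time, plus its
    # unpinned npm dependencies; pin a tag/commit if that matters.
    npm install
    npm run build
    # normally, next command would be
    # s npm install -g databank-mongodb
    # but it's this until a bug in pump gets fixed
    s npm install -g databank-mongodb@0.19.2
    # same guard as the debian-transmission user below: useradd fails when
    # the user already exists, which would abort a re-run
    if ! getent passwd pumpio >/dev/null; then
      s useradd -m -s /bin/false pumpio
    fi
    # the config holds the secret; pump runs as pumpio (see pump.service)
    # so it needs read access, nobody else does
    s chown root:pumpio /etc/pump.io.json
    s chmod 640 /etc/pump.io.json
    sudo -u pumpio mkdir -p /home/pumpio/pumpdata
    # for testing browser when only listening to localhost,
    # in the pump.io.json, set hostname localhost, urlPort 5233
    #ssh -L 5233:localhost:5233 li

    s mkdir -p /var/log/pumpio/
    s chown pumpio:pumpio /var/log/pumpio/

    web-conf - apache2 pump.iankelling.org <<'EOF'
# currently a bug in pump that we cant terminate ssl
SSLProxyEngine On
ProxyPreserveHost On
ProxyPass / https://127.0.0.1:8001/
ProxyPassReverse / https://127.0.0.1:8001/
# i have sockjs disabled per people suggesting that
# it won't work with apache right now.
# not sure if it would work with this,
# but afaik, this is pointless atm.
<Location /main/realtime/sockjs/>
ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
</Location>
EOF

    sudo -i <<'EOF'
export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
/a/bin/distro-setup/certbot-renew-hook
EOF

    # NOTE(review): ExecStart runs code out of iank's checkout while the
    # process runs as pumpio, so whoever can write /home/iank/pump.io
    # controls the service.
    s dd of=/etc/systemd/system/pump.service <<'EOF'
[Unit]
Description=pump.io
After=syslog.target network.target

[Service]
Type=simple
User=pumpio
Group=pumpio
ExecStart=/home/iank/pump.io/bin/pump
Environment=NODE_ENV=production
# failed to find databank-mongodb without this.
# I just looked at my environment variables took a guess.
Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript

[Install]
WantedBy=multi-user.target
EOF
    ser daemon-reload
    sgo pump
    ########## end pump.io setup ############


    ############# begin setup mastodon ##############

    # I'd like to try gnu social just cuz of gnu, but it's not being
    # well maintained, for example, simple pull requests
    # languishing:
    # https://git.gnu.io/gnu/gnu-social/merge_requests/143
    # and I submitted my own bugs, basic docs are broken
    # https://git.gnu.io/gnu/gnu-social/issues/269

    # note, docker required, but we installed it earlier

    # i subscrubed to https://github.com/docker/compose/releases.atom
    # to deal with updates manually. So far, it means just reving the
    # version number, then restarting docker-compose with
    # cd ~/mastodon
    # docker-compose up -d
    # Download to a temp file with -f so a 404 page or a partial download
    # can never be installed as the binary; install sets the mode in one
    # step. There is still no checksum/signature check on the release asset.
    compose=$(mktemp)
    curl -fL -o "$compose" "https://github.com/docker/compose/releases/download/1.13.0/docker-compose-$(uname -s)-$(uname -m)"
    s install -m 755 -- "$compose" /usr/local/bin/docker-compose
    rm -f -- "$compose"


    cd ~
    i clone https://github.com/tootsuite/mastodon
    cd mastodon
    # subbed to atom feed to deal with updates
    # sort tags as versions: plain `git tag` is lexical, so e.g. v1.10.0
    # sorts before v1.9.0 and tail -n1 would check out the wrong one
    git checkout $(git tag --sort=version:refname | grep -v rc | tail -n1)

    # per instructions, uncomment redis/postgres persistence in docker-compose.yml
    # (this strips every leading #, real comments included; harmless in that file)
    sed -i 's/^#//' docker-compose.yml

    # .env.production holds the app secrets and the SMTP password: create
    # it 0600 before writing (cat > keeps the mode), and keep xtrace off
    # while the secrets pass through argv. DB_PASS is empty on purpose:
    # postgres is only reachable on the compose network - confirm that
    # nothing publishes its port.
    install -m 600 /dev/null .env.production
    cat >.env.production <<'EOF'
REDIS_HOST=redis
REDIS_PORT=6379
DB_HOST=db
DB_USER=postgres
DB_NAME=postgres
DB_PASS=
DB_PORT=5432

LOCAL_DOMAIN=mast.iankelling.org
LOCAL_HTTPS=true

SINGLE_USER_MODE=true

SMTP_SERVER=10.8.0.4
SMTP_PORT=25
SMTP_LOGIN=li
SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
SMTP_DOMAIN=mast.iankelling.org
SMTP_DELIVERY_METHOD=smtp
EOF

    set +x
    for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
      # the original printf had no newline, so all of these and
      # SMTP_PASSWORD ran together into a single unparseable line
      printf '%s=%s\n' "$key" "$(docker-compose run --rm web rake secret)" >>.env.production
    done
    # /etc/mailpass lines: domain port pass
    s cat /etc/mailpass | while read -r domain port pass; do
      if [[ $domain == mail.iankelling.org ]]; then
        printf 'SMTP_PASSWORD=%s\n' "$pass" >>.env.production
        break
      fi
    done
    set -x



    docker-compose run --rm web rails assets:precompile

    # docker daemon takes care of starting on boot.
    docker-compose up -d

    s a2enmod proxy_wstunnel headers
    web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass /500.html !
ProxyPass /oops.png !
ProxyPass /api/v1/streaming/ ws://localhost:4000/
ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
ErrorDocument 500 /500.html
ErrorDocument 501 /500.html
ErrorDocument 502 /500.html
ErrorDocument 503 /500.html
ErrorDocument 504 /500.html
EOF


    ############### !!!!!!!!!!!!!!!!!
    ############### manual steps:

    # only following 2 people atm, so not bothering to figure out backups
    # when mastodon has not documented it at all.
    #
    # fsf@status.fsf.org
    # cwebber@toot.cat
    # dbd@status.fsf.org
    # johns@status.fsf.org

    # sign in page is at https://mast.iankelling.org/auth/sign_in
    # register as iank, then
    # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
    # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank

    ############# end setup mastodon ##############

    # we use nsupdate to update the ip of home
    pi bind9

    echo "$0: $(date): ending now"
    exit 0
    ;;
esac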
615
616
617 ########### end section including li/lj ###############
618
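if [[ $HOSTNAME == treetowl ]]; then

  # vpn-server setup via:

  vpn-server-setup -r -d
  s tee -a /etc/openvpn/server/server.conf <<'EOF'
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
client-connect /a/bin/distro-setup/vpn-client-connect
EOF
  # move this server onto 10.9.x (presumably so it doesn't collide with
  # li's 10.8.0.x vpn). Dots escaped so only the literal prefix matches;
  # the original's unescaped pattern also matched e.g. "10x8y".
  s sed -i --follow-symlinks 's/10\.8\./10.9./g' /etc/openvpn/server/server.conf
  ser restart openvpn-server@server
  vpn-mk-client-cert -s /etc/update-resolv-conf-home -c x2 -n home b8.nz
  dir=/p/c/machine_specific/x2/filesystem/etc/openvpn/client
  mkdir -p $dir
  # background: We have these files locally, but we'd have to duplicate the logic
  # in vpn-mk-client-cert to get them, and this is just simpler.
  # NOTE(review): this copies the client's key material (home*) from x2
  # into the /p/c tree; that tree needs to stay private.
  scp root@x2:/etc/openvpn/client/home* $dir



  # note, see bashrc for more documentation.
  pi rss2email
  s dd of=/etc/systemd/system/rss2email.service <<'EOF'
[Unit]
Description=rss2email
After=multi-user.target

[Service]
User=iank
Type=oneshot
# about 24 hours of failures
# it copies over its files without respecting symlinks, so
# we pass options to use different location.
ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg run
EOF
  s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
[Unit]
Description=rss2email

[Timer]
# for initial run. required.
OnActiveSec=30
# for subsequent runs.
OnUnitInactiveSec=300

[Install]
WantedBy=timers.target
EOF
  s systemctl daemon-reload
  sgo rss2email.timer
fi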
671
######### begin pump.io periodic backup #############
if [[ $HOSTNAME == treetowl ]]; then
  # hourly run of the project's pump-backup script as iank, wrapped in
  # sysd-mail-once so failures get mailed (presumably; the wrapper is
  # not visible here)
  s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
[Unit]
Description=pump li backup
After=multi-user.target

[Service]
User=iank
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
EOF
  s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
[Unit]
Description=pump li backup hourly

[Timer]
OnCalendar=hourly

[Install]
WantedBy=timers.target
EOF
  s systemctl daemon-reload
  sgo pumpbackup.timer
fi
######### end pump.io periodic backup #############
698
case $distro in
  debian|ubuntu|trisquel)
    # suggests because we want the resolvconf package.
    # todo: check other distros to make sure it's installed
    pi-nostart --install-suggests openvpn
    # pi-nostart does not disable
    ser disable openvpn
    ;;
  *) pi openvpn;;
esac

/a/bin/distro-setup/radicale-setup

## android studio setup
# this contains the setting for android sdk to point to
# /a/opt/androidsdk, which is asked upon first run
# lnf = symlink helper (project)
lnf /a/opt/.AndroidStudio2.2 ~
# android site says it needs a bunch of packages for ubuntu,
# but I googled for debian, and someone says you just need lib32stdc++6 plus the
# jdk
# https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
# see w.org for more android studio details
# queued for the next batch install (which happens after this view)
spa lib32stdc++6 default-jdk
722
723
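if [[ $HOSTNAME == treetowl ]]; then
  ############# begin syncthing setup ###########

  # It's simpler to just worry about running it in one place for now.
  # I assume it would work to clone it's config to another non-phone
  # and just run it in one place instead of the normal having a
  # separate config. I lean toward using the same config, since btrfs
  # syncs between comps.
  case $distro in
    arch) pi syncthing ;;
    ubuntu|trisquel|debian)
      # testing has relatively up to date packages
      if ! isdebian-testing; then
        # based on error when doing apt-get update:
        # E: The method driver /usr/lib/apt/methods/https could not be found.
        # gnupg for gpg --dearmor below
        pi apt-transport-https gnupg
        # google led me here:
        # https://apt.syncthing.net/
        # Bind the syncthing key to the syncthing repository (signed-by)
        # rather than `apt-key add`, which would make it trusted for
        # every configured repository.
        keyring=/usr/share/keyrings/syncthing-archive-keyring.gpg
        s mkdir -p /usr/share/keyrings
        curl -fsSL https://syncthing.net/release-key.txt | gpg --dearmor | s dd of=$keyring
        s chmod 644 $keyring
        # (the original stored this in a variable named s; that did not
        # clobber the s() sudo helper, but it read as if it did)
        line="deb [signed-by=$keyring] http://apt.syncthing.net/ syncthing release"
        # the list file does not exist on first run; quoting the RHS keeps
        # the [...] in the line from being read as a glob bracket expression
        if [[ $(cat /etc/apt/sources.list.d/syncthing.list 2>/dev/null) != "$line" ]]; then
          echo "$line" | s dd of=/etc/apt/sources.list.d/syncthing.list
          p update
        fi
      fi
      pi syncthing
      ;;
  esac
  lnf -T /w/syncthing /home/iank/.config/syncthing
  sgo syncthing@iank # runs as iank

  # these things persist in ~/.config/syncthing, which I save in
  # /w/syncthing (not in /p, because syncthing should continue to
  # run on home server even when using laptop as primary device)
  # open http://localhost:8384/
  # change listen address from default to tcp://:22001,
  # this is because we do port forward so it doesn't have to use
  # some external server, but the syncthing is broken for port forward,
  # you get a message, something "like connected to myself, this should not happen"
  # when connecting to other local devices, so I bump the port up by 1,
  # based on
  # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
  # Without this, it was being stuck syncing at 0%.
  # Set gui username and password.
  #
  # install syncthing via f-droid,
  # folder setting, turn off master folder (makes it read only).
  # on phone, add device, click bar code icon
  # on dekstop, top right, actions, device id
  # after adding, notification will appear on desktop to confirm
  #
  # syncing folder. from phone to desktop: select desktop in the
  # folder on phone's sync options, notification will appear in
  # desktop's web ui within a minute. For the reverse, the
  # notification will appear in android's notifications, you have to
  # swipe down and tap it to add the folder. It won't appear in the
  # syncthing ui, which would be intuitive, but don't wait for it
  # there.
  #
  # On phone, set settings to run syncthing all the time, and
  # show no notification.
  #
  # Folder versioning would make sense if I didn't already use btrfs
  # for backups. I would choose staggered, or trash can for more space.
  #
  # if needed to install on a remote comp:
  # ssh -L 8384:localhost:8384 -N frodo
  # open http://localhost:8384/
  #
  # Note, the other thing i did was port forward port 22000,
  # per https://docs.syncthing.net/users/firewall.html

  ############# end syncthing setup ###########
fi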
798
799
800
# no equivalent in other distros:
case $distro in
  debian|ubuntu|trisquel)
    # for gui bug reporting
    spa python-vte
    ;;
esac


####### misc packages ###########

# nagstamon setting which were set through the ui
# in filters tab:
# all unknown sources
# all warning services
# acknowledged hosts & services
# hosts & services down for maintenence
# services on down hosts
# services on hosts in maintenece
# services on unreachable osts
# hosts in soft state
# services in soft state
# in display tab: icon in systray.

case $distro in
  debian|ubuntu|trisquel)
    # it asks if it should make users in it's group capture packets without root,
    # which is arguably more secure than running wireshark as root. default is no,
    # which is what i prefer, since I plan to use tcpdump to input to wireshark.
    # noninteractive takes that default, so no group gains capture rights here
    s DEBIAN_FRONTEND=noninteractive pi wireshark-gtk
    ;;
  # others unknown
esac


case $distro in
  debian|ubuntu|trisquel)
    # no recommends because it wanted some other unstable package, something to
    # do with math or something, which I didn't want to deal with.
    # NOTE(review): pulls these two from unstable onto whatever suite this
    # host runs; mixed suites, and they won't follow stable's security updates.
    p -y --no-install-recommends install python3-send2trash/unstable anki/unstable
    ;;
  # others unknown
esac
844
case $distro in
  debian|ubuntu|trisquel)
    # note i had to do this, which is persistent:
    # cd /i/k
    # s chgrp debian-transmission torrents partial-torrents

    # syslog says things like
    # 'Failed to set receive buffer: requested 4194304, got 425984'
    # google suggets giving it even more than that
    # tu = project helper that appends the lines to the file (presumably idempotent)
    tu /etc/sysctl.conf<<'EOF'
net.core.rmem_max = 67108864
net.core.wmem_max = 16777216
EOF
    s sysctl -p

    # some reason it doesn't seem to start automatically anyways
    pi-nostart transmission-daemon

    # the folder was moved here after an install around 02/2017.
    # it contains runtime data,
    # plus a simple symlink to the config file which it's
    # not worth separating out.
    s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
    #
    # config file documented here, and it's the same config
    # for daemon vs client, so it's documented in the gui.
    # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
    #
    # I originaly setup rpc-whitelist, but after using
    # routing to a network namespace, it doesn't see the
    # real source address, so it's disabled.
    #
    # NOTE(review): with rpc-whitelist-enabled AND
    # rpc-authentication-required both false, anyone who can reach the
    # RPC port controls the daemon (add torrents, change download-dir,
    # ...). The rpc-password set in the client section below is only
    # enforced when rpc-authentication-required is true. This is only
    # safe if the namespace routing / something in front of the port
    # limits who can reach it - that is not visible here; confirm it.
    #
    # Changed the cache-size to 256 mb, reduces disk use.
    # It is a read & write cache.
    #
    s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
'rpc-whitelist-enabled' => false,
'rpc-authentication-required' => false,
'incomplete-dir' => '/i/k/partial-torrents',
'incomplete-dir-enabled' => true,
'download-dir' => '/i/k/torrents',
"speed-limit-up" => 800,
"speed-limit-up-enabled" => true,
"peer-port" => 61486,
"cache-size-mb" => 256,
"ratio-limit" => 5.0,
"ratio-limit-enabled" => true,
})) + "\n")
EOF

    # make sure its not enabled, not sure if this is needed
    ser disable transmission-daemon
    ;;
  # todo: others unknown
esac
# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
# system account for the daemon; created only if missing so re-runs don't fail
if ! getent passwd debian-transmission > /dev/null; then
  case $distro in
    arch)
      s useradd \
        --system \
        --create-home \
        --home-dir /var/lib/transmission-daemon \
        --shell /bin/false \
        debian-transmission
      ;;
    *)
      s adduser --quiet \
        --system \
        --group \
        --no-create-home \
        --disabled-password \
        --home /var/lib/transmission-daemon \
        debian-transmission
      ;;
  esac
fi
if [[ $HOSTNAME == frodo ]]; then
  # -nn is a project-provided unit, presumably the network-namespace
  # variant the rpc-whitelist comment above refers to
  sgo transmission-daemon-nn
fi
928
929
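######### begin transmission client setup ######

if [[ -e /p/transmission-rpc-pass ]]; then
  # arch had a default config,
  # debian had nothing until you start it.
  # With a little trial an error, here is a minimal config
  # taken from the generated one, plus changes that the
  # settings ui does, without a bunch of ui crap settings.
  #
  # only settings I set were
  # hostname
  # auto-connect
  # password

  # the password is randomly generated on first run, i copied it out
  # so it could be used by other hosts.
  s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
s = JSON.parse(File.read(p))
s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
File.write p, JSON.pretty_generate(s)
EOF

  # xtrace off: the assignment below would otherwise print the password
  # into the log. It is also JSON-escaped, since it lands inside a quoted
  # string and the here-doc does no escaping of its own.
  set +x
  rpc_pass=$(</p/transmission-rpc-pass)
  rpc_pass=${rpc_pass//\\/\\\\}   # \ -> \\
  rpc_pass=${rpc_pass//\"/\\\"}   # " -> \"
  # NOTE(review): this iterates every directory under /home, including
  # system accounts created above (e.g. pumpio on li), and sudo -u fails
  # if a directory has no matching user.
  for f in /home/*; do
    d=$f/.config/transmission-remote-gtk
    u=${f##*/}
    s -u $u mkdir -p $d
    # "ssl": false - the password travels in clear to transmission.b8.nz
    # unless something in front of it (not visible here) terminates TLS.
    s -u $u dd of=$d/config.json <<EOF
{
"profiles" : [
{
"profile-name" : "Default",
"hostname" : "transmission.b8.nz",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
"auto-connect" : true,
"ssl" : false,
"timeout" : 40,
"retries" : 3,
"update-active-only" : false,
"activeonly-fullsync-enabled" : false,
"activeonly-fullsync-every" : 2,
"update-interval" : 3,
"min-update-interval" : 3,
"session-update-interval" : 60,
"exec-commands" : [
],
"destinations" : [
]
}
],
"profile-id" : 0,
"add-options-dialog" : false
}
EOF
    # holds the RPC password: owner-only
    s -u $u chmod 600 $d/config.json
  done
  unset rpc_pass
  set -x
fi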
990
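# dunno why it's there, but get rid of it
case $HOSTNAME in
  li|lj) s rm -rf /home/linode ;;
esac


pi wget
case $HOSTNAME in
  tp|frodo)
    case $distro in
      debian|ubuntu|trisquel)
        log=$(mktemp)
        cd /a/opt
        # https is the only integrity check here: dpkg -i does not verify
        # package signatures. -N only re-downloads when upstream is newer.
        wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
        # errallow/errcatch are the project's abort-on-error toggles; we
        # want dpkg's exit status ourselves instead of aborting.
        errallow
        # NB: pipefail stays on for the rest of the script (as it did originally)
        set -o pipefail
        s dpkg -i google-chrome-stable_current_amd64.deb |& tee "$log"
        code=$?
        errcatch
        case $code in
          0) : ;;
          *)
            # previously I had a more specific search, but dpkg
            # changed its output as of 7/2016
            if grep 'dependency problems' "$log" &>/dev/null; then
              s apt-get -fy install
            else
              rm -f -- "$log"
              exit 1
            fi
            ;;
        esac
        # the original never removed its temp file
        rm -f -- "$log"
        ;;
      arch)
        pi google-chrome
        ;;
    esac
    ;;
esac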
1030
# printer
case $distro in
  arch)
    pi cups ghostscript gsfonts # from arch wiki cups page
    pi hplip # from google
    # sys group = cups admin on arch (per the wiki); this is for $USER,
    # i.e. whoever runs this script
    s gpasswd -a $USER sys # from arch wiki
    sgo org.cups.cupsd.service
    # goto http://127.0.0.1:631
    # administration tab, add new printer button.
    # In debian, I could use hte recommended driver,
    # in arch, I had to pick out the 6L driver.
    ;;
  debian|ubuntu|trisquel)
    spa hplip
    ;;
  # other distros unknown
esac
1048
1049
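case $distro in
  ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
  fedora|arch) spa mairix notmuch ;;
esac
case $distro in
  arch) spa nfs-utils ;;
  ubuntu|debian) spa nfs-client ;;
esac
case $distro in
  ubuntu|debian) spa par2 ;;
  arch|fedora) spa par2cmdline ;;
esac

# needed for my tex resume
case $distro in
  ubuntu|debian) spa texlive-full ;;
  arch) spa texlive-most ;;
  # fedora unknown
esac

case $distro in
  ubuntu)
    # flash, unrar, codecs, ms fonts.
    # This has a manual prompt.
    spa ubuntu-restricted-extras
    ;;
  fedora)
    pi yum-utils
    # rpm fusion recommended codecs
    # --nogpgcheck (presumably because these release packages are what
    # bring in the repo keys) means https is the only thing standing
    # between us and a tampered package - the original fetched them over
    # plain http, which gave no integrity at all.
    s su -c "yum localinstall -y --nogpgcheck https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm https://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
    pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg \
      xine-lib-extras-freeworld
    ;;
esac

case $distro in
  # optional dep for firefox for h.264 video
  arch) spa gst-libav ;;
  # other distros, probably come by default
esac

case $distro in
  fedora|ubuntu|trisquel|debian) spa gnupg-agent ;;
  arch) : ;;
esac


case $distro in
  fedora) spa pinentry-gtk ;;
  *) : ;; # comes default or with other packages
esac

case $distro in
  arch) spa firefox pulseaudio;;
  *) : ;; # comes default or with other packages
esac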
1106
1107
case $distro in
  arch) spa ttf-dejavu;;
  debian|ubuntu|trisquel) spa fonts-dejavu ;;
  # others unknown
esac


case $distro in
  arch) spa xorg-xev;;
  debian|ubuntu|trisquel) spa x11-utils ;;
  # others unknown
esac

# ;;& keeps matching, so every distro also reaches the *) arm and gets virt-manager
case $distro in
  arch) pi virt-install;;&
  debian|ubuntu|trisquel) pi virtinst ;;&
  *) pi virt-manager ;; # creates the libvirt group in debian at least
  # others unknown
esac
# allow user to run vms, from debian handbook
# NOTE(review): libvirt group membership is passwordless, full control of
# the system libvirtd, which upstream documents as effectively root on
# the host - only accounts you'd trust with root belong in it.
for x in iank traci; do s usermod -a -G libvirt,kvm $x; done
# bridge networking as user fails. google lead here, but it doesn't work:
# oh well, I give up.
# http://wiki.qemu.org/Features-Done/HelperNetworking
# s mkdir /etc/qemu
# f=/etc/qemu/bridge.conf
# s dd of=$f <<'EOF'
# allow br0
# EOF
# #s chown root:qemu $f # debian has somethig like qemu-libvirt. equivalent?
# s chmod 640 $f
1139
1140
# iso authoring tool and spice client; spa appends in argument order, so one
# call per distro yields the same package list as the two separate cases did.
case $distro in
  arch) spa cdrkit spice-gtk3 ;;
  debian|ubuntu|trisquel) spa genisoimage spice-client-gtk ;;
  # others unknown
esac
1152
1153 # general known for debian/ubuntu, not for fedora
1154
case $distro in
debian|ubuntu|trisquel)
pi golang-go
# a bit of googling, and added settings to bashrc
# NOTE(security/supply-chain): `go get -u` fetches and builds whatever is at
# the tip of the upstream repository at run time, with no version pin and
# no checksum, and installs the result into the user's PATH. The build is
# only as trustworthy as GitHub and that repo on the day this runs; pin a
# revision if this machine matters.
go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
;;
# others unknown
esac
1163
1164
case $distro in
arch)
# cdrkit for cloud-init isos
# dnsmasq & ebtables for nat networking in libvirt
# qemu for qemu-img, bind-tools for dig
# dmidecode just because syslog complains
pi unzip xorg-xmodmap dmidecode ebtables\
bridge-utils dnsmasq qemu bind-tools
# otherwise we get error about accessing kvm module.
# seems like there might be a better way, but google was a bit vague.
# NOTE(security): the two lines below make libvirt launch every QEMU
# process as root, discarding the guest/host isolation that the dedicated
# qemu user provides -- a guest escape then lands directly in root on the
# host. The /dev/kvm access error this works around is usually a group
# permission problem (kvm group / udev rule on /dev/kvm) rather than a
# reason to run guests as root -- TODO confirm on arch and revert to the
# packaged default user.
s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
# https://bbs.archlinux.org/viewtopic.php?id=206206
# # this should prolly go in the wiki
sgo virtlogd.socket
# guessing this is not needed
#sgo virtlogd.service
sgo libvirtd

;;
esac
1186
# virt-viewer: only arch needs it spelled out; other distros pull it in
# as a dependency afaik.
if [[ $distro == arch ]]; then
  pi virtviewer
fi

# shellcheck: fedora has no package, so build it with cabal.
# (unknown for older ubuntu)
if [[ $distro == fedora ]]; then
  cabal install shellcheck
else
  spa shellcheck
fi

# pumpa. others unknown; there is a buildscript: /a/bin/buildscripts/pumpa
case $distro in
  arch|debian|ubuntu|trisquel) spa pumpa ;;
esac

# adb. Note that debian only ever gets the `adb` package: it matched the
# first arm before, so the android-tools-adbd line only applies to
# ubuntu/trisquel. Spelled out here to make that explicit.
case $distro in
  debian) pi adb ;;
  ubuntu|trisquel) spa android-tools-adbd/unstable ;;
  arch) spa android-tools ;;
  # other distros unknown
esac
1214
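if [[ $HOSTNAME == treetowl ]]; then
  case $distro in
    debian)
      if [[ $(debian-archive) == testing ]]; then
        # has no unstable dependencies
        pi bitcoind/unstable
        # Named unit_src rather than src: $src is the script directory set
        # at the top of this file and was being clobbered here.
        unit_src=/a/opt/bitcoin/contrib/init/bitcoind.service
        s cp "$unit_src" /etc/systemd/system
        p=/etc/bitcoin/bitcoin
        dst=/etc/systemd/system/bitcoinjm.service
        # jm for joinmarket: the same unit pointed at bitcoinjm.conf. The
        # target is under /etc, so the write has to go through sudo; a
        # plain shell redirection there fails for the unprivileged user
        # running this script.
        $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," "$unit_src" \
          | s tee "$dst" >/dev/null

        # Each unit conflicts with the other so only one bitcoind runs at a
        # time: d -> jm and jm -> d, looked up via indirect expansion.
        d=jm; jm=d # being clever for succinctness
        for unit in d jm; do
          s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!unit}.service" \
            "/etc/systemd/system/bitcoin${unit}.service"
        done

        ser daemon-reload

        dir=/nocow/.bitcoin
        s mkdir -p "$dir"
        s chown -R bitcoin:bitcoin "$dir"
        dir=/etc/bitcoin
        s mkdir -p "$dir"
        s chown -R root:bitcoin "$dir"
        s chmod 750 "$dir"

        # pruning decreases the bitcoin dir to 2 gb, keeps
        # just the recent blocks. can't do a few things like
        # import a wallet dump.
        # pruning works, but people had to do
        # some manual stuff in joinmarket. I dun need the
        # disk space, so not bothering yet, maybe in a year or so.
        # https://github.com/JoinMarket-Org/joinmarket/issues/431
        #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
        #prune=550

        f=$dir/bitcoin.conf
        # NOTE: the RPC credentials are regenerated on every run of this
        # script; anything that copied them (e.g. a joinmarket.cfg) has to
        # be updated afterwards.
        s dd of="$f" <<EOF
server=1
# necessary for joinmarket, not bad in general
rpcpassword=$(openssl rand -base64 32)
rpcuser=$(openssl rand -base64 32)
EOF
        # dd leaves the file 0644 root:root. The RPC secret must not be
        # world-readable even though the directory is 0750, and bitcoind
        # (user bitcoin) still has to read it, hence root:bitcoin 0640.
        s chown root:bitcoin "$f"
        s chmod 640 "$f"

        # dunno about sharing a wallet between multiple instances
        # manually did, wallet.dat symlinked in /nocow/.bitcoin
        sgo bitcoind
      fi
      ;;
    # other distros unknown
  esac

  # ## disabling joinmarket, its too expensive
  # ### begin joinmarket setup ###

  # case $distro in
  # debian)
  # f=$dir/bitcoin.conf
  # f2=$dir/bitcoinjm.conf
  # s cp $f $f2
  # s tee -a $f2 >/dev/null <<EOF
  # # Joinmarket
  # walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
  # alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
  # wallet=joinmarket.dat
  # EOF

  # ;;
  # # other distros unknown
  # esac

  # pi libsodium-dev python-pip
  # cd /a/opt/joinmarket
  # # using develop branch, as it seems to be mostly bug fixes,
  # # and this is quite new software.
  # # note: python3 does not work.
  # # has seg fault error due to some bug, but it still works
  # pip install -r requirements.txt || [[ $? == 139 ]]
  # # note, the target must exist ahead of time, or bitcoin
  # # just overwrites the link, and it's not happy with an empty file,
  # # so we have to create the wallet, then move and link it.
  # s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
  # s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
  # # not technically needed, but seems cleaner not to have
  # # symlinks be root owned unlike everything else
  # s chown -h bitcoin:bitcoin /nocow/.bitcoin/*

  # for var in rpcuser rpcpassword; do
  # u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
  # # escape backslashes
  # u="${u//\\/\\\\\\\\}"
  # # escape commas
  # u="${u//,/\\,}"
  # sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
  # done
  # sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
  # ### end joinmarket setup ###

fi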
1319
1320
case $distro in
fedora)
cd $(mktemp -d)
# NOTE(security/supply-chain): this pulls a tarball over plain http with no
# signature or checksum check and then `make install`s it as root; a
# network-position attacker gets root on this box for free. At minimum use
# https and pin a known sha256 before building.
wget http://tamacom.com/global/global-6.3.2.tar.gz
ex global*
cd global-6.3.2
# based on https://github.com/leoliu/ggtags
./configure --with-exuberant-ctags=/usr/bin/ctags
make
s make install
# NOTE: unpinned pip install as root, into the system python.
s pip install pygments
;;
*)
pi global
;;&
arch)
pi python2-pygments
;;
debian|ubuntu|trisquel)
pi python-pygments
;;
esac
1343
1344
# desktop bits: cinnamon on debian (after install, change scrolling to
# two-finger in settings, because the default edge scroll doesn't work),
# apg on arch (already in debian jessie). others unknown.
case $distro in
  debian)
    pi task-cinnamon-desktop
    pu transmission-gtk
    ;;
  arch)
    spa apg
    ;;
esac
1360
1361
1362
1363
1364
1365 # note this failed running at the beginning of this file,
1366 # because no systemd user instance was running.
1367 # Doing systemd --user resulted in
1368 # Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
1369
1370 if isdebian-testing; then
1371 # as of 7/2016, has no unstable deps, and is not in testing anymore.
1372 pi synergy/unstable
1373 else
1374 pi synergy
1375 fi
1376
1377 # case $distro in
1378 # # ubuntu unknown. probably the same as debian, just check if the
1379 # # init scripts come with the package.
1380 # debian)
1381 # # copied from arch, but moved to etc
1382 # s dd of=/etc/systemd/user/synergys.service <<'EOF'
1383 # [Unit]
1384 # Description=Synergy Server Daemon
1385 # After=network.target
1386
1387 # [Service]
1388 # User=%i
1389 # ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
1390 # Restart=on-failure
1391
1392 # [Install]
1393 # WantedBy=multi-user.target
1394 # EOF
1395 # s dd of=/etc/systemd/user/synergys.socket <<'EOF'
1396 # [Unit]
1397 # Conflicts=synergys@.service
1398
1399 # [Socket]
1400 # ListenStream=24800
1401 # Accept=false
1402
1403 # [Install]
1404 # WantedBy=sockets.target
1405 # EOF
1406 # # had this fail with 'Failed to connect to bus: No such file or directory'
1407 # # then when I tried it manually, it worked fine...
1408 # if ! systemctl --user daemon-reload; then
1409 # sleep 2
1410 # echo retrying systemd user daemon reload
1411 # systemctl --user daemon-reload
1412 # fi
1413 # ;;&
1414 # *)
1415 # # taken from arch wiki.
1416 # s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
1417 # [Unit]
1418 # Description=Synergy Client
1419 # After=network.target
1420
1421 # [Service]
1422 # User=%i
1423 # ExecStart=/usr/bin/synergyc --no-daemon frodo
1424 # Restart=on-failure
1425 # # per man systemd.unit, StartLimitInterval, by default we
1426 # # restart more than 5 times in 10 seconds.
1427 # # And this param defaults too 200 miliseconds.
1428 # RestartSec=3s
1429
1430 # [Install]
1431 # WantedBy=multi-user.target
1432 # EOF
1433 # s systemctl daemon-reload
1434 # case $HOSTNAME in
1435 # x2|treetowl)
1436 # ser enable synergyc@iank
1437 # ser start synergyc@iank ||: # X might not be running yet
1438 # ;;
1439 # frodo)
1440 # systemctl --user start synergys ||:
1441 # systemctl --user enable synergys
1442 # ;;
1443 # esac
1444 # ;;
1445 # esac
1446
1447
1448
### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
# build deps for the indicator; python-nautilus for the file-manager plugin
pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus
# out-of-tree cmake build from a local checkout (it is assumed /a/opt holds a
# checkout that was reviewed when it was fetched -- this step builds and
# installs it to /usr as root without any further check)
cd /a/opt/indicator-kdeconnect
mkdir -p build
cd build
cmake .. -DCMAKE_INSTALL_PREFIX=/usr
make
sudo make install
1457
1458
1459 ######### end misc packages #########
1460
1461
1462 # packages I once used before and liked, but don\'t want installed now for
1463 # various reasons:
1464 # python-sqlite is used for offlineimap
1465 # lxappearance python-sqlite dolphin paman dconf-editor
1466
1467
1468
1469 ######## unfinished
1470
# todo, finish configuring smart.

pi smartmontools
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# Replace the stock DEVICESCAN line so smartd monitors every drive.
# Option background:
#   -a        test everything on all devices.
#   -S on     keep vendor specific attributes saved on the disk; from
#             google this is usually already on and fairly standard.
#   -o on     4 hour period non-performance-degrading offline testing.
#   -s ...    short test daily 2-3am, extended tests Saturdays 3-4am.
#   -n ...    skip checks while the disk is in standby, quietly.
#   -m/-M     mail the address below and run the local notify hook.
sched="-s (S/../.././02|L/../../6/03)"
smart_opts="-a -o on -S on -n standby,q $sched -m ian@iankelling.org -M exec /usr/local/bin/smart-notify"
s $sed -i "s#^[[:space:]]*DEVICESCAN.*#DEVICESCAN $smart_opts#" /etc/smartd.conf
1485
1486 # in the default configuration of at least ubuntu 14.04, resolvconf is
1487 # configured to order any nameservers associated with tun* or tap*
1488 # before the normal internet interfaces, which means they are always
1489 # consulted first. This is often slower and undesirable, ie. local dns
1490 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
1491 # can do:
1492 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
1493 # however, this breaks dns lookup for hosts on the openvpn lan.
1494 # I can\'t figure out why hosts on the normal lan would not be
1495 # broken under the default ordering, except the host I was
1496 # testing with previously had an entry in /etc/hosts.
1497
1498 ############# end unfinished
1499
1500 ########### misc stuff
1501
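# on grub upgrade, we get prompts unless we pre-seed the install devices.
# Collect the by-id path of every device backing /boot, joined by ", ".
devs=()
for dev in $(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p'); do
  devs+=("$(devbyid "$dev")")
done
if (( ${#devs[@]} )); then
  # Join with ", ". The previous form appended "," to each element and
  # stripped it from the last one, which aborts on a bad array subscript
  # when no device was found at all.
  printf -v devlist '%s, ' "${devs[@]}"
  devlist=${devlist%, }
  s debconf-set-selections <<EOF
grub-pc grub-pc/install_devices multiselect $devlist
EOF
else
  echo "$0: warning: no device found backing /boot, not preseeding grub-pc/install_devices" >&2
fi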
1512
1513
# the wiki backup script from ofswiki.org uses generic paths, so link the
# machine-specific vars and the backup dir into root's home.
for wiki_path in /p/c/machine_specific/li/mw_vars /k/backup/wiki_backup; do
  s lnf "$wiki_path" /root
done

# goaccess config. cedit exits 1 when it changed nothing, which is fine.
s cedit /etc/goaccess.conf <<'EOF' || [[ $? == 1 ]]
# all things found from looking around the default config
# copied existing NCSA Combined Log Format with Virtual Host, plus %L
log-format %^:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %D
time-format %H:%M:%S
date-format %d/%b/%Y
log-file /var/log/apache2/access.log
color-scheme 2

# tip: copy access.log files to a stretch host directory, then run
# jessie's goaccess is too old for some options, and it\'s
# not easily installed from a testing.
# goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
EOF
1532
1533
# unison. On debian-family hosts it comes from testing; on a stable host
# that needs a pin so unison-gtk can follow testing as well.
case $distro in
  debian|ubuntu|trisquel)
    if [[ $(debian-archive) == stable ]]; then
      s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
Explanation: Allow unison-gtk to be upgraded
Package: unison-gtk
Pin: release a=testing
Pin-Priority: 500
EOF
      # dont think using testing is needed since I figured out how to
      # deal with mismatching unison compilers, but I dont
      # see any reason to revert it, since it only installs
      # a single package which is primarily a single binary
    fi
    # unison first, then unison-gtk so the gtk build becomes the default unison
    pi unison/testing
    pi unison-gtk/testing
    ;;
  arch)
    pi unison gtk2
    ;;
esac
1557
# libao: arch defaults to alsa, which doesn't work with pianobar, so point
# it at pulse.
if [[ $distro == arch ]]; then
  s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
fi
1566
# note, for jessie, it depends on a higher version of btrfs-tools.
#
# # disabled due to my patch being in btrbk
# case $distro in
# arch|debian|ubuntu|trisquel) pi btrbk ;;
# # others unknown
# esac
# btrbk is installed from the local checkout (with my patch) rather than
# the distro package.
cd /a/opt/btrbk
s make install
spa pv # for progress bar when running interactively.
# Only treetowl runs the backup timer; backup/sync manually on other hosts
# for now. To see when it last ran: ser list-timers
if [[ $HOSTNAME == treetowl ]]; then
  sgo btrbk.timer
fi
1583
1584
1585
1586
# adm group membership is what grants read access to /var/log on
# debian-family systems.
case $distro in
  debian|ubuntu|trisquel)
    s gpasswd -a iank adm
    ;;
esac
1590
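# tor
# based on
# https://www.torproject.org/docs/rpms.html.en
# https://www.torproject.org/docs/debian.html.en
# todo: figure out if the running service needs to be restarted upon updates
case $distro in
  # todo on fedora: setup non-dev packages
  fedora)
    # The repo metadata and, more importantly, the signing key that
    # gpgcheck trusts are fetched over https, so the trust root cannot be
    # swapped on the wire on first fetch.
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=https://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=https://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

    # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    # apt verifies package signatures itself, so plain http for the archive
    # is acceptable here (https would need apt-transport-https on older
    # releases); the key is what must be right.
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    tor_key_fpr=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    # Fetch by the full fingerprint, not the 32-bit short id 886DDD89:
    # short ids are trivially collidable, so a keyserver could hand back
    # someone else's key for it. Export by fingerprint as well so apt-key
    # only ever sees that one key (an empty export makes apt-key fail
    # loudly rather than silently adding nothing).
    gpg --keyserver keys.gnupg.net --recv-keys "$tor_key_fpr"
    gpg --export "$tor_key_fpr" | sudo apt-key add -
    p update
    # the keyring package takes over maintenance of the archive key
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
  # ubuntu unknown
esac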
1642
# nfs server
case $distro in
  arch)
    # installing nfs-utils needs a reboot before nfs-server will start
    pi nfs-utils || pending_reboot=true
    sgo rpcbind
    # this failed until I rebooted
    sgo nfs-server
    ;;
  debian|ubuntu|trisquel)
    pi nfs-server
    ;;
  fedora)
    # firewall handling is still manual on fedora; queue the notes for the end
    end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration


EOF
    pi nfs-utils
    sgo nfs-server
    ;;
esac
1676
1677
########### begin kodi setup ############
pi kodi

# Pin the NFS helper daemons (callback, lockd, statd, mountd) to fixed
# ports so they can be allowed through a firewall instead of whatever
# rpcbind hands out.
# based on https://wiki.debian.org/SecuringNFS
# but the quota stuff is either outdated or optional,
# i guessed that it was not needed and it worked fine.
s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
fs.nfs.nfs_callback_tcpport = 32764
fs.nfs.nlm_tcpport = 32768
fs.nfs.nlm_udpport = 32768
EOF
s sysctl --system
# drop any existing setting, then append ours as the last line
s $sed -ri -e '/^\s*STATDOPTS=/d' \
  -e '$a STATDOPTS="--port 32765 --outgoing-port 32766"' /etc/default/nfs-common
s $sed -ri -e '/^\s*RPCMOUNTDOPTS=/d' \
  -e '$a RPCMOUNTDOPTS="--manage-gids --port 32767"' /etc/default/nfs-kernel-server
ser restart nfs-kernel-server
1700
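if [[ $HOSTNAME == treetowl ]]; then
  # persistent one time steps for webdav:
  # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
  # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
  # htpasswd -c /p/c/filesystem/etc/davpass dav
  # chmod 640 /p/c/filesystem/etc/davpass
  # in conflink, set group to www-data.
  # In kodi, i set the music source, server address: my domain,
  # path: k/music. Then copied the file
  # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
  # NOTE(security): this is HTTP Basic auth; the dav password crosses the
  # wire in the clear unless web-conf puts the vhost behind TLS -- confirm.
  s a2enmod dav dav_fs
  web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
<Directory /a/c/playlists>
DAV On
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/davpass"
Require valid-user

# outside the standard /var/www, so use this:
Order allow,deny
Allow from all
</Directory>
EOF
  s mkdir -p /var/www/davlock
  s chown www-data:www-data /var/www/davlock
  s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
  ser reload apache2

  # NOTE(security): '*' exports to every host that can reach the NFS
  # ports and 'insecure' accepts clients on unprivileged ports. It is
  # read-only, but anything on the network can read the music library;
  # restrict the client spec if that matters.
  teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
  # re-export needs root (the unprivileged form fails), same as below
  s exportfs -ra

  # kodi uses sqlite by default, but supports mysql.
  pi mariadb-server

  # see ofswiki.org for explanation.
  dbpass="$(cat /p/mysql-root-pass)"
  # NOTE(security): this script runs under `set -x` with the trace tee'd to
  # /var/log/distro-end (see the top of the file), and a password passed as
  # -p<pass> is also visible to every local user in `ps`. Turn the trace
  # off while secrets are on command lines, and hand the root password to
  # mysql through a client config on a private fd instead of argv.
  xtrace_was_on=false
  if [[ $- == *x* ]]; then
    xtrace_was_on=true
  fi
  set +x
  mysql_root() {
    mysql --defaults-extra-file=<(printf '[client]\nuser=root\npassword=%s\n' "$dbpass") "$@"
  }
  if ! echo exit | mysql_root; then
    echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
  fi
  # NOTE(security): this grants every privilege on every database to
  # 'kodi' from any host ('kodi'@'%'), and bind-address below opens the
  # server to the network. Restrict the host part (e.g. to the LAN) if
  # anything other than trusted kodi clients can reach port 3306.
  mysql_root <<EOF
GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
EOF
  unset -f mysql_root
  if $xtrace_was_on; then
    set -x
  fi
  s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
  ser restart mariadb

fi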
1748
1749 ########### end kodi setup ############
1750
1751
if [[ $HOSTNAME == treetowl ]]; then
# nohide = export filesystems mounted deeper than the export point
# fsid=0 makes this export the "root" export
# not documented in the man page, but this means
# 1. it can be mounted with a shorthand of server:/
# 2. exports that are subdirectories of this one will automatically be mounted
# NOTE(security): rw + no_root_squash + insecure means any host on
# 192.168.1.0/24 (or anything able to spoof a source address in it) gets
# unrestricted root on /k over NFS, from any port, with no authentication
# beyond the source IP. That is the entire LAN trusted as root. Prefer
# root_squash and per-host client specs unless every LAN host is equally
# trusted.
tu /etc/exports <<'EOF'
/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
s exportfs -rav
fi
1763
1764
# print everything queued with end_msg now that the noisy steps are done
e "$end_msg_var"


# persistent virtual machines

# libosinfo-bin provides osinfo-query, used below to pick the os-variant
case $distro in
  debian|ubuntu|trisquel) pi libosinfo-bin ;;
esac
1775
# distro may not know about win 10 yet.
# Default to win7 and upgrade to the newest variant osinfo knows about.
variant=win7
if ! virt-install --os-variant list &>/dev/null; then # we are using a newer virt-install
# presumably gr is a grep wrapper; the pattern matches a "win10"/"win8.1"/"win8"
# entry at the start of an osinfo-query line -- verify against the helper
for v in 10 8.1 8; do
if osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null; then
variant=win$v
break
fi
done
fi

# Only define the VMs once; re-running the script leaves existing domains alone.
if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then

# created account with
# win10vmian@outlook.com, and easy to remember password
# win 10 virtio, makes disk way way way faster
# wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
# https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
# for installing virtio after initial install instead of with initial iso:
# qemu-img create -f qcow2 fake.qcow2 1G
# --disk=/a/images/virtio-win.iso,device=cdrom \
# --disk=/a/images/fake.qcow2,bus=virtio
# Also,
# went to device manager, saw 2 pci devices with yellow !,
# did search for drivers, pick cdrom location, done.
#
# from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
# google said there was a control panel option for it, but
# that turned out to be a lie.
# Put this in a .bat file and run as administrator to turn off
# hyberboot which fucks things up.
# REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
# power settings, turn off display: never
# run "control userpasswords2", turn on automatic login.
# note: when changing devices, I just undefine, the create the vm again.

# NOTE(security): listen=0.0.0.0 with no spice password puts the VM's
# console (keyboard, screen, clipboard) on every interface of the host
# for anyone who can reach the spice port -- on a bridged LAN that is the
# whole LAN. Bind to 127.0.0.1 and tunnel, or set a password, unless the
# network is fully trusted.
# NOTE: the existence check looks at /nocow/user/vms/win10.qcow2 but the
# VM is defined on /a/images/win10.qcow2 -- presumably one is a link to
# the other; confirm, otherwise the check guards the wrong file.
if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
--disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
-n win10 --import --os-variant $variant --cpu host-model-only

# defined and started by virt-install above; we only want the definition
s virsh destroy win10
fi

# same listen=0.0.0.0 / path-mismatch caveats as win10 above
if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
# this one hasn\'t had the virtio fix done yet.
s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
--disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
-n win7 --import --os-variant win7 --cpu host-model-only
s virsh destroy win7
# had a problem with --cpu host, so trying out
# --cpu host-model-only
fi
fi
1830
1831
if [[ $HOSTNAME == treetowl ]]; then
pi samba
# note samba re-reads it\'s config every 1 minute
case $distro in
arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
esac

# add 2 lines after workgroup option
# NOTE(security): "map to guest = bad password" turns every failed
# authentication into a guest session instead of an error, so a typo in a
# password silently lands the client in the guest share; combined with
# "guest ok = yes" below, a wrong password is never reported to the user.
# "bad user" is the less surprising setting if guest access is wanted.
s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
# remove default homes section. not sharing that.
s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf

# NOTE(security): an unauthenticated, writable share of /kr for anyone
# who can reach port 445 on this host. That is fine only if the share
# is meant to be a public dropbox and samba is not reachable beyond the
# LAN -- no firewall rule for it is set up in this file.
if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
s tee -a /etc/samba/smb.conf <<'EOF'
[public]
guest ok = yes
read only = no
path = /kr
EOF
fi

case $distro in
debian|ubuntu|trisquel)
# systemd claims it generates units from /etc/init.d, but it
# clearly doesn\'t in debian. I have no idea how they are
# related. fuck debian right now. It\'s not documented. samba
# has a systemd init file linked to /dev/null. There\'s this
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
# claims samba\'s sub-services will be started automatically by
# systemd... it didn\'t on install, wonder if it will on
# boot. It clued me in how to start it manually though. Nothing
# in /usr/share/doc/samba, debian admin guide says nothing about
# any of this. (this is in debian testing as of 4/2016).

s /etc/init.d/samba start
;;
arch)
sgo samba
;;
esac
fi
1875
# make the host resolve its own .lan name locally
printf '%s\n' "127.0.1.1 $(hostname).lan $(hostname)" | tu /etc/hosts
1877
1878
1879 ######### begin stuff belonging at the end ##########
1880
1881
# Apps we want to override others for default file handler:
# simplest way in debian is to just install them last, so they are queued
# at the tail of simple_packages right before the single install below.
spa mpv
case $distro in
  ubuntu|debian) spa spacefm-gtk3 ;;
  arch) spa spacefm ;;
esac

# one apt/pacman transaction for everything queued with spa
pi "${simple_packages[@]}"
1897
1898
# finish: reboot if an earlier step asked for one, otherwise just log the
# end marker (the trailing ")" in the message is kept as-is for log grepping).
if ! $pending_reboot; then
  echo "$0: $(date): ending now)"
else
  echo "$0: pending reboot and then finished. doing it now."
  s reboot now
fi