various important fixes and improvements
1 #!/bin/bash -l
2 # Copyright (C) 2016 Ian Kelling
3
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
7
8 # http://www.apache.org/licenses/LICENSE-2.0
9
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
15
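errcatch

set -x

# From here on, stdout, stderr and the set -x trace (which goes to stderr)
# are appended to /var/log/distro-end.
# NOTE(review): with tracing on, any secret that appears in a command line
# or in a variable assignment later in this script (sed expressions, printf
# arguments, $(< secretfile) assignments) is written to that log in clear.
# Keep the log root-only, or switch tracing off around secret handling.
exec &> >(sudo tee -a /var/log/distro-end)
# the message previously ended in a stray ")" that had no opening partner
echo "$0: $(date): starting now"

# directory this script lives in, for locating sibling setup scripts
src="${BASH_SOURCE%/*}"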
24
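#######################################
# Append a message read from stdin (typically a here-doc) to end_msg_var.
# Globals:   end_msg_var (appended to; created if it did not exist)
# Arguments: none; the text is read from stdin up to EOF or a NUL byte
# Returns:   0 always (read returning non-zero at EOF is expected)
#######################################
end_msg() {
  # was "= local y": the stray "=" ran a command named "=" and made y global
  local y
  IFS= read -r -d '' y ||:
  end_msg_var+="$y"
}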
30
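#######################################
# "simple package add": queue package names for the next batch install.
# Globals:   simple_packages (array, appended to)
# Arguments: one or more package names, one per argument
#######################################
spa() {
  # "$@" keeps each argument as one element; the unquoted $@ used before
  # re-split and glob-expanded names the caller had already split
  simple_packages+=("$@")
}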
34
distro=$(distro-name)

pending_reboot=false
# sed is always invoked through this variable so that in-place edits of a
# symlinked config file rewrite the link target instead of replacing the link
sed="sed --follow-symlinks"

# template: empty case kept as a copy-and-paste skeleton for per-distro steps
case $distro in
esac
43
pup

# packages wanted on every host. They are only queued here; the batch is
# installed further down (after the per-host additions) and the array is
# then emptied for reuse.
simple_packages=(
  htop
  mailutils
  nmon
  rdiff-backup
  ruby
  ruby-rest-client
  tree
  vim
  wcd
)
57
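case $HOSTNAME in
  lj|li) : ;;   # the servers only get the short list above
  *)
    # universal packages
    # swh-plugins is for karaoke pulsaudio filter.
    # mutagen for pithos
    simple_packages+=(
      apache2
      apache2-doc
      apt-doc
      apt-listchanges
      aptitude-doc-en
      bash-doc
      beets
      beets-doc
      binutils-doc
      bind9-doc
      bind9-utils
      bwm-ng
      chromium
      cpio-doc
      cloc
      cron
      debconf-doc
      dirmngr
      dnsutils
      dnsmasq
      dtrx
      duplicity
      eclipse
      evince
      fdupes
      feh
      filelight
      flashrom
      gawk-doc
      gcc-doc
      gdb
      gdb-doc
      geoip-bin
      git-doc
      git-email
      gitk
      glibc-doc
      goaccess
      gnome-screenshot
      gnome-session-flashback
      i3lock
      inetutils-traceroute
      iproute2-doc
      jq
      kid3-qt
      kid3-cli
      linux-doc
      locate
      lshw
      make-doc
      manpages
      manpages-dev
      meld
      mps-youtube
      mumble
      nagstamon
      nginx-doc
      nmap
      offlineimap
      oathtool
      p7zip
      paprefs
      parted-doc
      pavucontrol
      pdfgrep
      perl-doc
      pianobar
      pidgin
      pry
      python-autopep8
      python3-doc
      python3-mutagen
      qrencode
      reportbug
      # the versioned ruby package that "ruby" depends on, with -doc appended
      $(aptitude show ruby | sed -rn 's/Depends: (.*)/\1/p')-doc
      sqlite3-doc
      squashfs-tools
      swh-plugins
      tar-doc
      tcpdump
      telnet
      transmission-remote-gtk
      vlc
      whois
    )
    # the search pattern is quoted so the shell cannot glob-expand it before
    # apt-cache sees it; the result is deliberately left unquoted so that
    # each package name becomes its own argument to spa
    # shellcheck disable=SC2046
    spa $(apt-cache search 'ruby[.0-9]+-doc' | awk '{print $1}')
    ;;
esac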
153
154
########### begin section including li ################


case $distro in
  fedora) spa unrar ;;
  *) spa unrar-free ;;
esac


case $distro in
  arch)
    # ubuntu 14.04 uses b-cron,
    # but its not maintained in arch.
    # of the ones in the main repos, cronie is only one maintained.
    # fcron appears abandoned software.
    pi cronie
    sgo cronie
    ;;
  *) : ;; # other distros come with cron.
esac


if isdeb; then
  pi debian-goodies
fi


# ";;&" keeps testing the remaining patterns, so on arch both arms run:
# "at" is installed everywhere and the atd service is additionally enabled.
case $distro in
  *) pi at ;;&
  arch) sgo atd ;;
esac


case $distro in
  debian) pi curl;;
  arch) : ;;
  # fedora: unknown
esac

case $distro in
  # tk for gitk
  arch) spa git tk ;;
  *) spa git ;;
esac

case $distro in
  arch) spa the_silver_searcher ;;
  debian|ubuntu|trisquel) spa silversearcher-ag ;;
  # fedora unknown
esac

case $distro in
  debian|ubuntu|trisquel) spa ntp;;
  arch)
    pi ntp
    sgo ntpd
    ;;
  # others unknown
esac


# no equivalent in other distros:
case $distro in
  debian|ubuntu|trisquel)
    pi aptitude
    # dpkg -s succeeds only when the package is installed
    if ! dpkg -s apt-file &>/dev/null; then
      # this condition is just a speed optimization
      pi apt-file
      s apt-file update
    fi
    # for debconf-get-selections
    spa debconf-utils
    ;;
esac

case $distro in
  ubuntu|trisquel|debian) spa ack-grep ;;
  arch|fedora) spa ack ;;
  # fedora unknown
esac

case $distro in
  arch|debian|ubuntu|trisquel)
    spa bash-completion
    ;;
  # others unknown
esac
242
243
244
245
246
# disable motd junk.
case $distro in
  debian)
    # allows me to pipe with ssh -t, and gets rid of spam
    # http://forums.debian.net/viewtopic.php?f=5&t=85822
    # i'd rather disable the service than comment the init file
    # this says disabling the service, it will still get restarted
    # but this script doesn't do anything on restart, so it should be fine
    s dd of=/var/run/motd.dynamic if=/dev/null
    # stretch doesn't have initscripts pkg installed by default
    if [[ $(debian-codename) == jessie ]]; then
      s update-rc.d motd disable
    fi
    ;;
  ubuntu|trisquel)
    # this isn't a complete solution. It still shows me when updates are available,
    # but it's no big deal.
    s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
    ;;
esac

# automatic updates
# reference:
# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
# /etc/cron.daily/apt calls unattended-upgrades
# /usr/share/doc/unattended-upgrades# cat README.md
# /etc/apt/apt.conf.d/50unattended-upgrades
if isdebian; then
  setup-debian-auto-update
fi

# we've got a few dependencies later on, so install them now.
# Everything queued via spa/simple_packages so far goes into one pi call;
# the array is then reset so later spa calls start a fresh batch.
pi "${simple_packages[@]}"
simple_packages=()
281
282
### begin docker install ####
# https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
pi software-properties-common apt-transport-https
# NOTE(review): the repository signing key is fetched over TLS and trusted
# as-is; nothing here compares its fingerprint against a known value, so
# whoever controls the download endpoint decides which key is trusted.
# apt-key add also puts it in the global keyring, where it can sign any
# configured source rather than only this one.
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
# the suite name is taken from the running release (lsb_release -cs)
sudo add-apt-repository \
  "deb [arch=amd64] https://download.docker.com/linux/debian \
  $(lsb_release -cs) \
  stable"
p update
pi docker-ce
sgo docker
### end docker install ####
295
296
case $distro in
  debian)
    # note, need python-certbot-nginx for nginx, but it depends on nginx,
    # and I'm not installing nginx by default right now
    if isdebian-testing; then
      pi --install-suggests certbot
    else
      pi --install-suggests -t jessie-backports certbot
    fi
    # make a version of the certbot timer that emails me.
    # Both units are derived from the packaged ones under /lib/systemd/system
    # by feeding a sed script on stdin (-f -) and writing the result to
    # /etc/systemd/system/certbotmail.{timer,service}.
    x=/systemd/system/certbot
    $sed -r -f - /lib$x.timer <<'EOF' |s dd of=/etc${x}mail.timer
s,^Description.*,\0 mail version,
EOF
    # the ExecStart line is wrapped in the sysd-mail-once logger and gets
    # the local renew hook appended
    $sed -r -f - /lib$x.service <<'EOF' |s dd of=/etc${x}mail.service
s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
EOF
    ser daemon-reload
    sgo certbotmail.timer

    ;;
  # todo: other distros unknown
esac
320
321 # website setup
322 case $HOSTNAME in
323 lj|li)
324
325 case $HOSTNAME in
326 lj) domain=iank.bid; exit 0 ;;
327 li) domain=iankelling.org ;;
328 esac
329 /a/h/setup.sh $domain
330 /a/h/build.rb
331
332 sudo -E /a/bin/mediawiki-setup/mw-setup-script
333 #$src/phab-setup
334
335 pi-nostart mumble-server
336 s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
337
338 # do certificate to avoid warning about unsigned cert,
339 # which is overkill for my use, but hey, I'm cool, I know
340 # how to do this.
341 web-conf apache2 mumble.iankelling.org
342 s rm -f /etc/apache2/sites-enabled/mumble.iankelling.org
343 sudo -i <<'EOF'
344 export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
345 /a/bin/distro-setup/certbot-renew-hook
346 EOF
347
348 sgo mumble-server
349
350 vpn-server-setup -d
351 tee /etc/openvpn/client-config/mail <<'EOF'
352 ifconfig-push 10.8.0.4 255.255.255.0
353 EOF
354
355
356 sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
357 [Unit]
358 Description=Turns on iptables mail nat
359
360 [Service]
361 Type=oneshot
362 RemainAfterExit=yes
363 ExecStart=/a/bin/distro-setup/vpn-mail-forward start
364 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
365
366 [Install]
367 WantedBy=openvpn.service
368 EOF
369 ser daemon-reload
370 ser enable vpnmail.service
371 # needed for li's local mail delivery.
372 tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
373 sgo openvpn
374 # setup let's encrypt cert
375 web-conf apache2 mail.iankelling.org
376 s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
377 ser reload apache2
378
379 domain=cal.iankelling.org
380 web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
381 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
382 # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
383 <Location />
384 Options +FollowSymLinks +Multiviews +Indexes
385 AllowOverride None
386 AuthType basic
387 AuthName "Authentication Required"
388 # setup one time, with root:www-data, 640
389 AuthUserFile "/etc/caldav-htpasswd"
390 Require valid-user
391 <Location />
392 EOF
393 # nginx version of above would be:
394 # auth_basic "Not currently available";
395 # auth_basic_user_file /etc/nginx/caldav/htpasswd;
396
397
398 ########## begin pump.io setup ##########
399
400 # once pump adds a logrotation script, turn off nologger,
401 # and add
402 # "logfile": "/var/log/pumpio/pumpio.log",
403 #
404 s dd of=/etc/pump.io.json <<'EOF'
405 {
406 "secret": "SECRET_REPLACE_ME",
407 "driver": "mongodb",
408 "params": { "dbname": "pumpio" },
409 "noweb": false,
410 "site": "pump.iankelling.org",
411 "owner": "Ian Kelling",
412 "ownerURL": "https://iankelling.org/",
413 "port": 8001,
414 "urlPort": 443,
415 "hostname": "pump.iankelling.org",
416 "nologger": true,
417 "datadir": "/home/pumpio/pumpdata",
418 "enableUploads": true,
419 "debugClient": false,
420 "disableRegistration": true,
421 "noCDN": true,
422 "key": "/home/pumpio/privkey.pem",
423 "cert": "/home/pumpio/fullchain.pem",
424 "address": "localhost",
425 "sockjs": false
426 }
427 EOF
428 s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
429
430 # jessie\'s node is too old
431 # https://nodejs.org/en/download/package-manager/
432 curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
433 pi nodejs
434 cd /home/ian
435 rm -rf pump.io.git
436 git clone https://github.com/pump-io/pump.io.git
437 cd pump.io
438 # note: doing this or the npm install pump.io as root had problems.
439 npm install
440 npm run build
441 # normally, next command would be
442 # s npm install -g databank-mongodb
443 # but it\'s this until a bug in pump gets fixed
444 s npm install -g databank-mongodb@0.19.2
445 s useradd -m -s /bin/false pumpio
446 sudo -u pumpio mkdir -p /home/pumpio/pumpdata
447 # for testing browser when only listening to localhost,
448 # in the pump.io.json, set hostname localhost, urlPort 5233
449 #ssh -L 5233:localhost:5233 li
450
451 s mkdir -p /var/log/pumpio/
452 s chown pumpio:pumpio /var/log/pumpio/
453
454 web-conf - apache2 pump.iankelling.org <<'EOF'
455 # currently a bug in pump that we cant terminate ssl
456 SSLProxyEngine On
457 ProxyPreserveHost On
458 ProxyPass / https://127.0.0.1:8001/
459 ProxyPassReverse / https://127.0.0.1:8001/
460 # i have sockjs disabled per people suggesting that
461 # it won\'t work with apache right now.
462 # not sure if it would work with this,
463 # but afaik, this is pointless atm.
464 <Location /main/realtime/sockjs/>
465 ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
466 ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
467 </Location>
468 EOF
469
470 sudo -i <<'EOF'
471 export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
472 /a/bin/distro-setup/certbot-renew-hook
473 EOF
474
475 s dd of=/etc/systemd/system/pump.service <<'EOF'
476 [Unit]
477 Description=pump.io
478 After=syslog.target network.target
479
480 [Service]
481 Type=simple
482 User=pumpio
483 Group=pumpio
484 ExecStart=/home/ian/pump.io/bin/pump
485 Environment=NODE_ENV=production
486 # failed to find databank-mongodb without this.
487 # I just looked at my environment variables took a guess.
488 Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
489
490 [Install]
491 WantedBy=multi-user.target
492 EOF
493 ser daemon-reload
494 sgo pump
495 ########## end pump.io setup ############
496
497
498 ############# begin setup mastodon ##############
499
500 # I'd like to try gnu social just cuz of gnu, but it's not being
501 # well maintained, for example, simple pull requests
502 # languishing:
503 # https://git.gnu.io/gnu/gnu-social/merge_requests/143
504 # and I submitted my own bugs, basic docs are broken
505 # https://git.gnu.io/gnu/gnu-social/issues/269
506
507 # note, docker required, but we installed it earlier
508
509 # i subscrubed to https://github.com/docker/compose/releases.atom
510 # to deal with updates manually. So far, it means just reving the
511 # version number, then restarting docker-compose with
512 # cd ~/mastodon
513 # docker-compose up -d
514 curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
515 s chmod +x /usr/local/bin/docker-compose
516
517
518 cd ~
519 i clone https://github.com/tootsuite/mastodon
520 cd mastodon
521 # subbed to atom feed to deal with updates
522 git checkout $(git tag | grep -v rc | tail -n1)
523
524 # per instructions, uncomment redis/postgres persistence in docker-compose.yml
525 sed -i 's/^#//' docker-compose.yml
526
527 cat >.env.production <<'EOF'
528 REDIS_HOST=redis
529 REDIS_PORT=6379
530 DB_HOST=db
531 DB_USER=postgres
532 DB_NAME=postgres
533 DB_PASS=
534 DB_PORT=5432
535
536 LOCAL_DOMAIN=mast.iankelling.org
537 LOCAL_HTTPS=true
538
539 SINGLE_USER_MODE=true
540
541 SMTP_SERVER=10.8.0.4
542 SMTP_PORT=25
543 SMTP_LOGIN=li
544 SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
545 SMTP_DOMAIN=mast.iankelling.org
546 SMTP_DELIVERY_METHOD=smtp
547 EOF
548
549 for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
550 printf "%s=%s" $key "$(docker-compose run --rm web rake secret)" >>.env.production
551 done
552 s cat /etc/mailpass| while read -r domain port pass; do
553 if [[ $domain == mail.iankelling.org ]]; then
554 printf "SMTP_PASSWORD=%s" "$pass" >>.env.production
555 break
556 fi
557 done
558
559
560
561 docker-compose run --rm web rails assets:precompile
562
563 # docker daemon takes care of starting on boot.
564 docker-compose up -d
565
566 s a2enmod proxy_wstunnel headers
567 web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
568 ProxyPreserveHost On
569 RequestHeader set X-Forwarded-Proto "https"
570 ProxyPass /500.html !
571 ProxyPass /oops.png !
572 ProxyPass /api/v1/streaming/ ws://localhost:4000/
573 ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
574 ErrorDocument 500 /500.html
575 ErrorDocument 501 /500.html
576 ErrorDocument 502 /500.html
577 ErrorDocument 503 /500.html
578 ErrorDocument 504 /500.html
579 EOF
580
581
582 ############### !!!!!!!!!!!!!!!!!
583 ############### manual steps:
584
585 # only following 2 people atm, so not bothering to figure out backups
586 # when mastodon has not documented it at all.
587 #
588 # fsf@status.fsf.org
589 # cwebber@toot.cat
590 # dbd@status.fsf.org
591 # johns@status.fsf.org
592
593 # sign in page is at https://mast.iankelling.org/auth/sign_in
594 # register as iank, then
595 # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
596 # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
597
598 ############# end setup mastodon ##############
599
600 # we use nsupdate to update the ip of home
601 pi bind9
602
603 echo "$0: $(date): ending now)"
604 exit 0
605 ;;
606 esac
607
608
609 ########### end section including li/lj ###############
610
if [[ $HOSTNAME == treetowl ]]; then
  # note, see bashrc for more documentation.
  pi rss2email
  # the run itself is wrapped in sysd-mail-once so repeated failures get
  # mailed once rather than on every timer tick
  s dd of=/etc/systemd/system/rss2email.service <<'EOF'
[Unit]
Description=rss2email
After=multi-user.target

[Service]
User=ian
Type=oneshot
# about 24 hours of failures
# it copies over its files without respecting symlinks, so
# we pass options to use different location.
ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg run
EOF
  # first run 30s after the timer starts, then every 300s after the
  # service has gone inactive
  s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
[Unit]
Description=rss2email

[Timer]
# for initial run. required.
OnActiveSec=30
# for subsequent runs.
OnUnitInactiveSec=300

[Install]
WantedBy=timers.target
EOF
  s systemctl daemon-reload
  sgo rss2email.timer
fi

######### begin pump.io periodic backup #############
if [[ $HOSTNAME == treetowl ]]; then
  s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
[Unit]
Description=pump li backup
After=multi-user.target

[Service]
User=ian
Type=oneshot
ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
EOF
  s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
[Unit]
Description=pump li backup hourly

[Timer]
OnCalendar=hourly

[Install]
WantedBy=timers.target
EOF
  s systemctl daemon-reload
  sgo pumpbackup.timer
fi
######### end pump.io periodic backup #############
669 ######### end pump.io periodic backup #############
670
case $distro in
  debian|ubuntu|trisquel)
    # suggests because we want the resolvconf package.
    # todo: check other distros to make sure it's installed
    pi-nostart --install-suggests openvpn
    # pi-nostart does not disable
    ser disable openvpn
    ;;
  *) pi openvpn;;
esac

/a/bin/distro-setup/radicale-setup

## android studio setup
# this contains the setting for android sdk to point to
# /a/opt/androidsdk, which is asked upon first run
lnf /a/opt/.AndroidStudio2.2 ~
# android site says it needs a bunch of packages for ubuntu,
# but I googled for debian, and someone says you just need lib32stdc++6 plus the
# jdk
# https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
# see w.org for more android studio details
spa lib32stdc++6 default-jdk
694
695
if [[ $HOSTNAME == treetowl ]]; then
  ############# begin syncthing setup ###########

  # It's simpler to just worry about running it in one place for now.
  # I assume it would work to clone it's config to another non-phone
  # and just run it in one place instead of the normal having a
  # separate config. I lean toward using the same config, since btrfs
  # syncs between comps.
  case $distro in
    arch) pi syncthing ;;
    ubuntu|trisquel|debian)
      # testing has relatively up to date packages
      if ! isdebian-testing; then
        # based on error when doing apt-get update:
        # E: The method driver /usr/lib/apt/methods/https could not be found.
        pi apt-transport-https
        # google led me here:
        # https://apt.syncthing.net/
        # NOTE(review): as with the docker key above, the key is trusted
        # without a fingerprint check and lands in the global apt keyring.
        curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
        # the variable s and the sudo wrapper s live in different namespaces,
        # so "s dd" below still calls the wrapper. The repo line is plain
        # http; apt's signature check on the index is what protects it.
        s="deb http://apt.syncthing.net/ syncthing release"
        # on a first run the list file does not exist: cat fails, the
        # comparison is false, and the file gets written, as intended
        if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then
          echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list
          p update
        fi
      fi
      pi syncthing
      ;;
  esac
  lnf -T /w/syncthing /home/ian/.config/syncthing
  sgo syncthing@ian # runs as ian

  # these things persist in ~/.config/syncthing, which I save in
  # /w/syncthing (not in /p, because syncthing should continue to
  # run on home server even when using laptop as primary device)
  # open http://localhost:8384/
  # change listen address from default to tcp://:22001,
  # this is because we do port forward so it doesn't have to use
  # some external server, but the syncthing is broken for port forward,
  # you get a message, something "like connected to myself, this should not happen"
  # when connecting to other local devices, so I bump the port up by 1,
  # based on
  # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
  # Without this, it was being stuck syncing at 0%.
  # Set gui username and password.
  #
  # install syncthing via f-droid,
  # folder setting, turn off master folder (makes it read only).
  # on phone, add device, click bar code icon
  # on dekstop, top right, actions, device id
  # after adding, notification will appear on desktop to confirm
  #
  # syncing folder. from phone to desktop: select desktop in the
  # folder on phone's sync options, notification will appear in
  # desktop's web ui within a minute. For the reverse, the
  # notification will appear in android's notifications, you have to
  # swipe down and tap it to add the folder. It won't appear in the
  # syncthing ui, which would be intuitive, but don't wait for it
  # there.
  #
  # On phone, set settings to run syncthing all the time, and
  # show no notification.
  #
  # Folder versioning would make sense if I didn't already use btrfs
  # for backups. I would choose staggered, or trash can for more space.
  #
  # if needed to install on a remote comp:
  # ssh -L 8384:localhost:8384 -N frodo
  # open http://localhost:8384/
  #
  # Note, the other thing i did was port forward port 22000,
  # per https://docs.syncthing.net/users/firewall.html

  ############# end syncthing setup ###########
fi
770
771
772
# no equivalent in other distros:
case $distro in
  debian|ubuntu|trisquel)
    # for gui bug reporting
    spa python-vte
    ;;
esac


####### misc packages ###########

# nagstamon setting which were set through the ui
# in filters tab:
# all unknown sources
# all warning services
# acknowledged hosts & services
# hosts & services down for maintenence
# services on down hosts
# services on hosts in maintenece
# services on unreachable osts
# hosts in soft state
# services in soft state
# in display tab: icon in systray.

case $distro in
  debian|ubuntu|trisquel)
    # it asks if it should make users in it's group capture packets without root,
    # which is arguably more secure than running wireshark as root. default is no,
    # which is what i prefer, since I plan to use tcpdump to input to wireshark.
    # noninteractive frontend takes that default, so no capture group is set up
    s DEBIAN_FRONTEND=noninteractive pi wireshark-gtk
    ;;
  # others unknown
esac


case $distro in
  debian|ubuntu|trisquel)
    # no recommends because it wanted some other unstable package, something to
    # do with math or something, which I didn't want to deal with.
    p -y --no-install-recommends install python3-send2trash/unstable anki/unstable
    ;;
  # others unknown
esac
816
case $distro in
  debian|ubuntu|trisquel)
    # note i had to do this, which is persistent:
    # cd /i/k
    # s chgrp debian-transmission torrents partial-torrents

    # syslog says things like
    # 'Failed to set receive buffer: requested 4194304, got 425984'
    # google suggets giving it even more than that
    tu /etc/sysctl.conf<<'EOF'
net.core.rmem_max = 67108864
net.core.wmem_max = 16777216
EOF
    s sysctl -p

    # some reason it doesn't seem to start automatically anyways
    pi-nostart transmission-daemon

    # the folder was moved here after an install around 02/2017.
    # it contains runtime data,
    # plus a simple symlink to the config file which it's
    # not worth separating out.
    s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
    #
    # config file documented here, and it's the same config
    # for daemon vs client, so it's documented in the gui.
    # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
    #
    # I originaly setup rpc-whitelist, but after using
    # routing to a network namespace, it doesn't see the
    # real source address, so it's disabled.
    #
    # Changed the cache-size to 256 mb, reduces disk use.
    # It is a read & write cache.
    #
    # NOTE(review): with both rpc-whitelist-enabled and
    # rpc-authentication-required set to false, the only thing keeping the
    # RPC interface private is that the daemon is reachable from its network
    # namespace alone; anything that can reach the port controls the daemon.
    s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
'rpc-whitelist-enabled' => false,
'rpc-authentication-required' => false,
'incomplete-dir' => '/i/k/partial-torrents',
'incomplete-dir-enabled' => true,
'download-dir' => '/i/k/torrents',
"speed-limit-up" => 800,
"speed-limit-up-enabled" => true,
"peer-port" => 61486,
"cache-size-mb" => 256,
"ratio-limit" => 5.0,
"ratio-limit-enabled" => true,
})) + "\n")
EOF

    # make sure its not enabled, not sure if this is needed
    ser disable transmission-daemon
    ;;
  # todo: others unknown
esac
# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
# create the service account only if it does not exist yet
if ! getent passwd debian-transmission > /dev/null; then
  case $distro in
    arch)
      s useradd \
        --system \
        --create-home \
        --home-dir /var/lib/transmission-daemon \
        --shell /bin/false \
        debian-transmission
      ;;
    *)
      s adduser --quiet \
        --system \
        --group \
        --no-create-home \
        --disabled-password \
        --home /var/lib/transmission-daemon \
        debian-transmission
      ;;
  esac
fi
if [[ $HOSTNAME == treetowl ]]; then
  sgo transmission-daemon-nn
fi
900
901
902 ######### begin transmission client setup ######
903
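######### begin transmission client setup ######

if [[ -e /p/transmission-rpc-pass ]]; then
  # arch had a default config,
  # debian had nothing until you start it.
  # With a little trial an error, here is a minimal config
  # taken from the generated one, plus changes that the
  # settings ui does, without a bunch of ui crap settings.
  #
  # only settings I set were
  # hostname
  # auto-connect
  # password

  # the password is randomly generated on first run, i copied it out
  # so it could be used by other hosts.
  s ruby <<'EOF'
require 'json'
p = '/etc/transmission-daemon/settings.json'
s = JSON.parse(File.read(p))
s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
File.write p, JSON.pretty_generate(s)
EOF

  # read the password with tracing off so the assignment (and its value)
  # is not written to the set -x log; the here-doc below is not traced
  { set +x; } 2>/dev/null
  rpc_pass=$(</p/transmission-rpc-pass)
  set -x
  for f in /home/*; do
    [[ -d $f ]] || continue   # skip the literal /home/* when nothing matches
    d=$f/.config/transmission-remote-gtk
    u=${f##*/}
    s -u "$u" mkdir -p "$d"
    s -u "$u" dd of="$d/config.json" <<EOF
{
"profiles" : [
{
"profile-name" : "Default",
"hostname" : "transmission",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
"auto-connect" : true,
"ssl" : false,
"timeout" : 40,
"retries" : 3,
"update-active-only" : false,
"activeonly-fullsync-enabled" : false,
"activeonly-fullsync-every" : 2,
"update-interval" : 3,
"min-update-interval" : 3,
"session-update-interval" : 60,
"exec-commands" : [
],
"destinations" : [
]
}
],
"profile-id" : 0,
"add-options-dialog" : false
}
EOF
    # the file carries the rpc password; keep it private to its owner
    s -u "$u" chmod 600 "$d/config.json"
  done
fi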
962
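# dunno why it's there, but get rid of it
case $HOSTNAME in
  li|lj) s rm -rf /home/linode ;;
esac


pi wget
case $HOSTNAME in
  tp|frodo)
    case $distro in
      debian|ubuntu|trisquel)
        log=$(mktemp)
        cd /a/opt
        # NOTE(review): dpkg -i performs no signature check of its own, so
        # trust in this package rests entirely on the TLS download.
        wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
        # dpkg is allowed to fail here; the status is inspected below.
        # pipefail makes $? reflect dpkg rather than tee.
        errallow
        set -o pipefail
        s dpkg -i google-chrome-stable_current_amd64.deb |& tee "$log"
        code=$?
        errcatch
        case $code in
          0) : ;;
          *)
            # previously I had a more specific search, but dpkg
            # changed it's output as of 7/2016
            if grep -q 'dependency problems' "$log"; then
              s apt-get -fy install
            else
              rm -f -- "$log"
              exit 1
            fi
            ;;
        esac
        # the mktemp file used to be left behind on every run
        rm -f -- "$log"
        ;;
      arch)
        pi google-chrome
        ;;
    esac
    ;;
esac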
1002
# printer
case $distro in
  arch)
    pi cups ghostscript gsfonts # from arch wiki cups page
    pi hplip # from google
    # sys group membership is what lets this user administer cups here
    s gpasswd -a $USER sys # from arch wiki
    sgo org.cups.cupsd.service
    # goto http://127.0.0.1:631
    # administration tab, add new printer button.
    # In debian, I could use hte recommended driver,
    # in arch, I had to pick out the 6L driver.
    ;;
  debian|ubuntu|trisquel)
    spa hplip
    ;;
  # other distros unknown
esac


case $distro in
  ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
  fedora|arch) spa mairix notmuch ;;
esac
case $distro in
  arch) spa nfs-utils ;;
  ubuntu|debian) spa nfs-client ;;
esac
case $distro in
  ubuntu|debian) spa par2 ;;
  arch|fedora) spa par2cmdline ;;
esac

# needed for my tex resume
case $distro in
  ubuntu|debian) spa texlive-full ;;
  arch) spa texlive-most ;;
  # fedora unknown
esac
1041
case $distro in
  ubuntu)
    # flash, unrar, codecs, ms fonts.
    # This has a manual prompt.
    spa ubuntu-restricted-extras
    ;;
  fedora)
    pi yum-utils
    # rpm fusion recommended codecs
    # NOTE(review): the release packages are fetched over plain http and
    # installed with --nogpgcheck, so nothing verifies them; whatever
    # these packages then configure is trusted on the same basis.
    s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
    pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
      xine-lib-extras-freeworld
    ;;
esac
1056
case $distro in
  # optional dep for firefox for h.264 video
  arch) spa gst-libav ;;
  # other distros, probably come by default
esac

case $distro in
  fedora|ubuntu|trisquel|debian) spa gnupg-agent ;;
  arch) : ;;
esac


case $distro in
  fedora) spa pinentry-gtk ;;
  *) : ;; # comes default or with other packages
esac

case $distro in
  arch) spa firefox pulseaudio;;
  *) : ;; # comes default or with other packages
esac


case $distro in
  arch) spa ttf-dejavu;;
  debian|ubuntu|trisquel) spa fonts-dejavu ;;
  # others unknown
esac


case $distro in
  arch) spa xorg-xev;;
  debian|ubuntu|trisquel) spa x11-utils ;;
  # others unknown
esac

# ";;&" falls through, so every distro also gets the virt-manager arm
case $distro in
  arch) pi virt-install;;&
  debian|ubuntu|trisquel) pi virtinst ;;&
  *) pi virt-manager ;; # creates the libvirt group in debian at least
  # others unknown
esac
# allow user to run vms, from debian handbook
# (membership in these groups is effectively full control over the VMs)
for x in ian traci; do s usermod -a -G libvirt,kvm $x; done
# bridge networking as user fails. google lead here, but it doesn't work:
# oh well, I give up.
# http://wiki.qemu.org/Features-Done/HelperNetworking
# s mkdir /etc/qemu
# f=/etc/qemu/bridge.conf
# s dd of=$f <<'EOF'
# allow br0
# EOF
# #s chown root:qemu $f # debian has somethig like qemu-libvirt. equivalent?
# s chmod 640 $f


case $distro in
  arch) spa cdrkit;;
  debian|ubuntu|trisquel) spa genisoimage;;
  # others unknown
esac

case $distro in
  arch) spa spice-gtk3 ;;
  debian|ubuntu|trisquel) spa spice-client-gtk;;
  # others unknown
esac

# general known for debian/ubuntu, not for fedora

case $distro in
  debian|ubuntu|trisquel)
    pi golang-go
    # a bit of googling, and added settings to bashrc
    # NOTE(review): go get -u builds whatever is currently at the tip of the
    # repository; nothing pins a version or checksum here.
    go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
    ;;
  # others unknown
esac
1135
1136
case $distro in
  arch)
    # cdrkit for cloud-init isos
    # dnsmasq & ebtables for nat networking in libvirt
    # qemu for qemu-img, bind-tools for dig
    # dmidecode just because syslog complains
    pi unzip xorg-xmodmap dmidecode ebtables\
      bridge-utils dnsmasq qemu bind-tools
    # otherwise we get error about accessing kvm module.
    # seems like there might be a better way, but google was a bit vague.
    # NOTE(review): this makes libvirt run every qemu process as root, which
    # gives up the user/group separation between guests and the host; if the
    # kvm error is only a permissions problem, granting the qemu user access
    # to /dev/kvm (the kvm group above) would keep that separation.
    s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
    echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
    # https://bbs.archlinux.org/viewtopic.php?id=206206
    # # this should prolly go in the wiki
    sgo virtlogd.socket
    # guessing this is not needed
    #sgo virtlogd.service
    sgo libvirtd

    ;;
esac
1158
1159 case $distro in
1160 arch) pi virtviewer ;;
1161 *) : ;; # other distros have it as a dependency afaik.
1162 esac
1163
1164
1165
1166 case $distro in
1167 fedora) cabal install shellcheck ;;
1168 *) spa shellcheck ;;
1169 # unknown for older ubuntu
1170 esac
1171
1172
1173 case $distro in
1174 arch|debian|ubuntu|trisquel) spa pumpa ;;
1175 # others unknown. do have a buildscript:
1176 # /a/bin/buildscripts/pumpa ;;
1177 esac
1178
1179
1180 case $distro in
1181 debian) pi adb ;;
1182 debian|ubuntu|trisquel) spa android-tools-adbd/unstable ;;
1183 arch) spa android-tools ;;
1184 # other distros unknown
1185 esac
1186
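if [[ $HOSTNAME == treetowl ]]; then
  # bitcoind + joinmarket on treetowl. A second systemd unit, bitcoinjm,
  # is derived from the upstream bitcoind unit and pointed at its own
  # config/wallet; the two units declare Conflicts= on each other so only
  # one daemon runs at a time.
  case $distro in
    debian)
      if [[ $(debian-archive) == testing ]]; then
        # has no unstable dependencies
        pi bitcoind/unstable
        # dedicated name: $src is the script's own source dir elsewhere
        unit_src=/a/opt/bitcoin/contrib/init/bitcoind.service
        s cp "$unit_src" /etc/systemd/system
        p=/etc/bitcoin/bitcoin
        dst=/etc/systemd/system/bitcoinjm.service
        # jm for joinmarket: same unit with ExecStart pointed at
        # bitcoinjm.conf. Writing under /etc needs root, so the output
        # goes through tee rather than a redirection owned by the caller.
        $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," "$unit_src" \
          | s tee "$dst" >/dev/null

        # each unit conflicts with the other
        s $sed -ri '/^\s*\[Unit\]/a Conflicts=bitcoinjm.service' \
          /etc/systemd/system/bitcoind.service
        s $sed -ri '/^\s*\[Unit\]/a Conflicts=bitcoind.service' \
          "$dst"

        ser daemon-reload

        dir=/nocow/.bitcoin
        s mkdir -p "$dir"
        s chown -R bitcoin:bitcoin "$dir"
        dir=/etc/bitcoin
        s mkdir -p "$dir"
        s chown -R root:bitcoin "$dir"
        s chmod 750 "$dir"

        # pruning decreases the bitcoin dir to 2 gb, keeps
        # just the recent blocks. can't do a few things like
        # import a wallet dump.
        # pruning works, but people had to do
        # some manual stuff in joinmarket. I dun need the
        # disk space, so not bothering yet, maybe in a year or so.
        # https://github.com/JoinMarket-Org/joinmarket/issues/431
        #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
        #prune=550

        f=$dir/bitcoin.conf
        # rpc credentials are generated here and only ever read back
        # below (as root) to configure joinmarket
        s dd of="$f" <<EOF
server=1
rpcpassword=$(openssl rand -base64 32)
rpcuser=$(openssl rand -base64 32)
EOF


        f2=$dir/bitcoinjm.conf
        s cp "$f" "$f2"
        s tee -a "$f2" >/dev/null <<EOF
# Joinmarket
walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
wallet=joinmarket.dat
EOF
        # both files hold the rpc password: restrict them to root and the
        # bitcoin group. The 750 on $dir already keeps others out; this
        # keeps the files safe even if the directory mode is relaxed later.
        s chown root:bitcoin "$f" "$f2"
        s chmod 640 "$f" "$f2"
        # dunno about sharing a wallet between multiple instances
        # manually did, wallet.dat symlinked in /nocow/.bitcoin
        sgo bitcoind
      fi
      ;;
    # other distros unknown
  esac
  pi libsodium-dev python-pip
  # everything below runs relative to the joinmarket checkout; bail out
  # rather than run pip/sed in whatever directory we happen to be in
  cd /a/opt/joinmarket || exit 1
  # using develop branch, as it seems to be mostly bug fixes,
  # and this is quite new software.
  # note: python3 does not work.
  # has seg fault error due to some bug, but it still works
  pip install -r requirements.txt || [[ $? == 139 ]]
  # note, the target must exist ahead of time, or bitcoin
  # just overwrites the link, and it's not happy with an empty file,
  # so we have to create the wallet, then move and link it.
  s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
  s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
  # not technically needed, but seems cleaner not to have
  # symlinks be root owned unlike everything else
  s chown -h bitcoin:bitcoin /nocow/.bitcoin/*

  # copy the generated rpc credentials into joinmarket.cfg
  # (rpcuser -> rpc_user, rpcpassword -> rpc_password)
  for var in rpcuser rpcpassword; do
    u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
    # escape backslashes
    u="${u//\\/\\\\\\\\}"
    # escape commas (the sed delimiter used below)
    u="${u//,/\\,}"
    sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
  done
  sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg

fi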
1277
1278
1279
# GNU global (gtags) plus pygments for its syntax plugin. fedora builds
# global from an upstream tarball; everyone else uses the distro packages.
1280 case $distro in
1281 fedora)
# NOTE(review): plain-http download with no checksum or signature check,
# then built and installed as root - the tarball is trusted as-is.
1282 cd $(mktemp -d)
1283 wget http://tamacom.com/global/global-6.3.2.tar.gz
# ex: project helper, presumably an archive extractor
1284 ex global*
1285 cd global-6.3.2
1286 # based on https://github.com/leoliu/ggtags
1287 ./configure --with-exuberant-ctags=/usr/bin/ctags
1288 make
1289 s make install
# pip as root into the system python, unpinned
1290 s pip install pygments
1291 ;;
# "*)" matches every non-fedora distro; ";;&" then lets the arch and
# debian arms below add their pygments package as well
1292 *)
1293 pi global
1294 ;;&
1295 arch)
1296 pi python2-pygments
1297 ;;
1298 debian|ubuntu|trisquel)
1299 pi python-pygments
1300 ;;
1301 esac
1302
1303
# desktop bits that are debian-only here; pu presumably purges
1304 case $distro in
1305 debian)
1306 pi task-cinnamon-desktop
1307 # in settings, change scrolling to two-finger,
1308 # because the default edge scroll doesn't work.
1309 pu transmission-gtk
1310 ;;
1311 # others unknown
1312 esac
1313
1314 case $distro in
1315 arch) spa apg ;;
1316
1317 # already in debian jessie
1318 esac
1319
1320
1321
1322
1323
1324 # note this failed running at the beginning of this file,
1325 # because no systemd user instance was running.
1326 # Doing systemd --user resulted in
1327 # Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
1328
# isdebian-testing is a project helper
1329 if isdebian-testing; then
1330 # as of 7/2016, has no unstable deps, and is not in testing anymore.
1331 pi synergy/unstable
1332 else
1333 pi synergy
1334 fi
1335
1336 # case $distro in
1337 # # ubuntu unknown. probably the same as debian, just check if the
1338 # # init scripts come with the package.
1339 # debian)
1340 # # copied from arch, but moved to etc
1341 # s dd of=/etc/systemd/user/synergys.service <<'EOF'
1342 # [Unit]
1343 # Description=Synergy Server Daemon
1344 # After=network.target
1345
1346 # [Service]
1347 # User=%i
1348 # ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
1349 # Restart=on-failure
1350
1351 # [Install]
1352 # WantedBy=multi-user.target
1353 # EOF
1354 # s dd of=/etc/systemd/user/synergys.socket <<'EOF'
1355 # [Unit]
1356 # Conflicts=synergys@.service
1357
1358 # [Socket]
1359 # ListenStream=24800
1360 # Accept=false
1361
1362 # [Install]
1363 # WantedBy=sockets.target
1364 # EOF
1365 # # had this fail with 'Failed to connect to bus: No such file or directory'
1366 # # then when I tried it manually, it worked fine...
1367 # if ! systemctl --user daemon-reload; then
1368 # sleep 2
1369 # echo retrying systemd user daemon reload
1370 # systemctl --user daemon-reload
1371 # fi
1372 # ;;&
1373 # *)
1374 # # taken from arch wiki.
1375 # s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
1376 # [Unit]
1377 # Description=Synergy Client
1378 # After=network.target
1379
1380 # [Service]
1381 # User=%i
1382 # ExecStart=/usr/bin/synergyc --no-daemon frodo
1383 # Restart=on-failure
1384 # # per man systemd.unit, StartLimitInterval, by default we
1385 # # restart more than 5 times in 10 seconds.
1386 # # And this param defaults to 200 milliseconds.
1387 # RestartSec=3s
1388
1389 # [Install]
1390 # WantedBy=multi-user.target
1391 # EOF
1392 # s systemctl daemon-reload
1393 # case $HOSTNAME in
1394 # x2|treetowl)
1395 # ser enable synergyc@ian
1396 # ser start synergyc@ian ||: # X might not be running yet
1397 # ;;
1398 # frodo)
1399 # systemctl --user start synergys ||:
1400 # systemctl --user enable synergys
1401 # ;;
1402 # esac
1403 # ;;
1404 # esac
1405
1406
1407
1408 ### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
1409 pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus
# NOTE(review): the checkout is not checked for existence; if this cd
# fails and the script's error trap does not abort, build/ is created in
# whatever directory the script is currently in.
1410 cd /a/opt/indicator-kdeconnect
1411 mkdir -p build
1412 cd build
1413 cmake .. -DCMAKE_INSTALL_PREFIX=/usr
1414 make
# installs from the local working tree as root
1415 sudo make install
1416
1417
1418 ######### end misc packages #########
1419
1420
1421 # packages I once used before and liked, but don't want installed now for
1422 # various reasons:
1423 # python-sqlite is used for offlineimap
1424 # lxappearance python-sqlite dolphin paman dconf-editor
1425
1426
1427
1428 ######## unfinished
1429
1430 # todo, finish configuring smart.
1431
1432 pi smartmontools
1433 # mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
1434 # turn on smart. background on options:
1435 # first line, -a = test everyting on all devices.
1436 # -S on, turn on disk internal saving of vendor specific info,
1437 # from google, seems like this is usually already on and fairly standard.
1438 # -o on, turn on 4 hour period non-performance degrading testing.
1439 # short test daily 2-3am, extended tests Saturdays between 3-4am:
# smartd -s regex, fields are T/MM/DD/d/HH: S = short self-test every day
# at hour 02, L = long self-test on weekday 6 (Saturday) at hour 03
1440 sched="-s (S/../.././02|L/../../6/03)"
# replace the stock DEVICESCAN line. -n standby,q leaves spun-down disks
# alone; -m/-M exec route alerts to the local smart-notify script.
# (the "\" at the end of the quoted lines is a shell line continuation,
# the sed expression is a single line)
1441 s sed -i --follow-symlinks "s#^[[:space:]]*DEVICESCAN.*#\
1442 DEVICESCAN -a -o on -S on -n standby,q $sched \
1443 -m ian@iankelling.org -M exec /usr/local/bin/smart-notify#" /etc/smartd.conf
1444
1445 # in the default configuration of at least ubuntu 14.04, resolvconf is
1446 # configured to order any nameservers associated with tun* or tap*
1447 # before the normal internet interfaces, which means they are always
1448 # consulted first. This is often slower and undesirable, ie. local dns
1449 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
1450 # can do:
1451 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
1452 # however, this breaks dns lookup for hosts on the openvpn lan.
1453 # I can't figure out why hosts on the normal lan would not be
1454 # broken under the default ordering, except the host I was
1455 # testing with previously had an entry in /etc/hosts.
1456
1457 ############# end unfinished
1458
1459 ########### misc stuff
1460
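# Collect the by-id paths of every device backing /boot (a btrfs pool) so
# the grub-pc debconf answer lists all of them and grub upgrades stop
# prompting. devbyid is a project helper mapping a device to /dev/disk/by-id.
devs=()
while IFS= read -r dev; do
  [[ -n $dev ]] || continue
  devs+=("$(devbyid "$dev")")
done < <(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p')

if (( ${#devs[@]} == 0 )); then
  # the old code indexed devs[-1] here and died on an empty array
  echo "$0: warning: no devices found for /boot, not preseeding grub-pc" >&2
else
  # debconf multiselect values are joined by ", " (comma space)
  printf -v dev_list '%s, ' "${devs[@]}"
  dev_list=${dev_list%, }
  # on grub upgrade, we get prompts unless we do this
  s debconf-set-selections <<EOF
grub-pc grub-pc/install_devices multiselect $dev_list
EOF
fi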
1471
1472
1473 # the wiki backup script from ofswiki.org uses generic paths
# lnf: project helper, presumably "ln -f"-style symlinking; these put
# machine-specific wiki vars and the backup dir where that script expects
1474 s lnf /p/c/machine_specific/li/mw_vars /root
1475 s lnf /k/backup/wiki_backup /root
1476
# cedit: project helper that edits a config file from stdin. An exit status
# of 1 is tolerated - presumably "nothing to change"; verify against cedit.
1477 s cedit /etc/goaccess.conf <<'EOF' || [[ $? == 1 ]]
1478 # all things found from looking around the default config
1479 # copied existing NCSA Combined Log Format with Virtual Host, plus %L
1480 log-format %^:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %D
1481 time-format %H:%M:%S
1482 date-format %d/%b/%Y
1483 log-file /var/log/apache2/access.log
1484 color-scheme 2
1485
1486 # tip: copy access.log files to a stretch host directory, then run
1487 # jessie's goaccess is too old for some options, and it\'s
1488 # not easily installed from a testing.
1489 # goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
1490 EOF
1491
1492
# unison: on debian stable, pin unison-gtk to testing (priority 500) so
# the /testing installs below can be upgraded later
1493 case $distro in
1494 debian|ubuntu|trisquel)
1495 case `debian-archive` in
1496 stable)
1497 s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
1498 Explanation: Allow unison-gtk to be upgraded
1499 Package: unison-gtk
1500 Pin: release a=testing
1501 Pin-Priority: 500
1502 EOF
1503 # dont think using testing is needed since I figured out how to
1504 # deal with mismatching unison compilers, but I dont
1505 # see any reason to revert it, since it only installs
1506 # a single package which is primarily a single binary
1507 ;;
1508 esac
1509 pi unison/testing
1510 pi unison-gtk/testing # after to make it the default unison
1511 ;;
1512 arch)
1513 pi unison gtk2
1514 ;;
1515 esac
1516
1517 case $distro in
1518 arch)
1519 # default is alsa, doesn't work with with pianobar
1520 s dd of=/etc/libao.conf <<'EOF'
1521 default_driver=pulse
1522 EOF
1523 ;;
1524 esac
1525
1526 # note, for jessie, it depends on a higher version of btrfs-tools.
1527 #
1528 # # disabled due to my patch being in btrbk
1529 # case $distro in
1530 # arch|debian|ubuntu|trisquel) pi btrbk ;;
1531 # # others unknown
1532 # esac
# btrbk is installed as root straight from the local checkout (no
# existence check on the cd; relies on the script's error handling)
1533 cd /a/opt/btrbk
1534 s make install
1535 spa pv # for progress bar when running interactively.
1536 if [[ $HOSTNAME == treetowl ]]; then
1537 # backup/sync manually on others hosts for now.
1538 sgo btrbk.timer
1539 # note: to see when it was last run,
1540 # ser list-timers
1541 fi
1542
# fail2ban only on treetowl and only when not on debian testing
1543 if [[ $HOSTNAME == treetowl ]] && [[ `debian-archive` != testing ]]; then
1544 # fail2 ban is broken, with a workaround, per
1545 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
1546 # ill wait a while to see if it gets fixed
1547 pi fail2ban
1548 sgo fail2ban
1549 fi
1550
1551
1552
1553
1554
# adm group grants read access to most of /var/log, including logs that may
# carry other users' data; intentional here for reading logs
1555 case $distro in
1556 debian|ubuntu|trisquel) s gpasswd -a ian adm ;; #needed for reading logs
1557 esac
1558
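# tor
case $distro in
  # based on
  # https://www.torproject.org/docs/rpms.html.en
  # https://www.torproject.org/docs/debian.html.en
  # todo: figure out if the running service needs to be restarted upon updates


  # todo on fedora: setup non-dev packages
  fedora)
    # NOTE: baseurl and gpgkey are plain http, so the key that anchors
    # gpgcheck=1 is itself fetched unauthenticated. The manual fingerprint
    # comparison noted below is what makes this trustworthy - do not skip it.
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

    # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    # Fetch the archive signing key by its full fingerprint. The short id
    # previously used (886DDD89) is only 32 bits and a keyserver returns
    # whatever key carries it, colliding keys included; the export by full
    # fingerprint would then silently yield nothing.
    tor_key_fpr=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    gpg --keyserver keys.gnupg.net --recv-keys "$tor_key_fpr"
    gpg --export "$tor_key_fpr" | sudo apt-key add -
    p update
    # the keyring package keeps the archive key current from here on
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
  # ubuntu unknown
esac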
1610
1611 # nfs server
1612 case $distro in
1613 fedora)
# end_msg collects text to print at the very end of the run, for steps
# that still have to be done by hand
1614 end_msg <<'EOF'
1615 fedora todo: disable the firewall or find a way to automate it.
1616 there's an unused section in t.org for tramikssion firewall setup
1617
1618 fedora manual config for nfs:
1619 s firewall-config
1620 change to permanent configuration
1621 check the box for nfs
1622 was hard to figure this out, not sure if this is all needed, but
1623 unblock these too
1624 mountd: udp/tcp 20048
1625 portmapper, in firewall-config its called rpc-bind: udp/tcp 111
1626 troubleshooting, unblock things in rpcinfo -p
1627 make sure to reload the firewall to load the persistent configuration
1628
1629
1630 EOF
1631 pi nfs-utils
1632 sgo nfs-server
1633 ;;
1634 debian|ubuntu|trisquel)
# NOTE(review): debian's server package is nfs-kernel-server (the service
# restarted further down); confirm "nfs-server" resolves as a package name
1635 pi nfs-server
1636 ;;
1637 arch)
# a failed install is treated as "needs a reboot first" rather than fatal;
# pending_reboot is acted on at the end of the script
1638 pi nfs-utils || pending_reboot=true
1639 sgo rpcbind
1640 # this failed until I rebooted
1641 sgo nfs-server
1642 ;;
1643 esac
1644
1645
1646 ########### begin kodi setup ############
1647 pi kodi
1648
1649 # based on https://wiki.debian.org/SecuringNFS
1650 # but the quota stuff is either outdated or optional,
1651 # i guessed that it was not needed and it worked fine.
# Pin the NFS helper services to fixed ports so a firewall can allow
# exactly these instead of whatever rpcbind hands out.
1652 s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
1653 fs.nfs.nfs_callback_tcpport = 32764
1654 fs.nfs.nlm_tcpport = 32768
1655 fs.nfs.nlm_udpport = 32768
1656 EOF
1657 s sysctl --system
# sed script read from stdin (-f -): drop any existing STATDOPTS= line,
# then "$a" appends the replacement at end of file
1658 s $sed -ri -f - /etc/default/nfs-common <<'EOF'
1659 /^\s*STATDOPTS=/d
1660 $a STATDOPTS="--port 32765 --outgoing-port 32766"
1661 EOF
1662
1663 s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
1664 /^\s*RPCMOUNTDOPTS=/d
1665 $a RPCMOUNTDOPTS="--manage-gids --port 32767"
1666 EOF
1667 ser restart nfs-kernel-server
1668
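if [[ $HOSTNAME == treetowl ]]; then
  # persistent one time steps for webdav:
  # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
  # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
  # htpasswd -c /p/c/filesystem/etc/davpass dav
  # chmod 640 /p/c/filesystem/etc/davpass
  # in conflink, set group to www-data.
  # In kodi, i set the music source, server address: my domain,
  # path: k/music. Then copied the file
  # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
  s a2enmod dav dav_fs
  # Basic auth sends the password in the clear unless the vhost is served
  # over TLS; whether web-conf sets that up is not visible here - confirm.
  web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
<Directory /a/c/playlists>
DAV On
AuthType Basic
AuthName "Authentication Required"
AuthUserFile "/etc/davpass"
Require valid-user

# outside the standard /var/www, so use this:
Order allow,deny
Allow from all
</Directory>
EOF
  s mkdir -p /var/www/davlock
  s chown www-data:www-data /var/www/davlock
  s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
  ser reload apache2

  # read-only music export open to every client ("*"); "insecure" also
  # accepts requests from unprivileged source ports
  teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
  # exportfs rewrites /var/lib/nfs/etab and needs root, like the other
  # exportfs call in this script
  s exportfs -ra

  # kodi uses sqlite by default, but supports mysql.
  pi mariadb-server

  # see ofswiki.org for explanation.
  # The root password is passed through MYSQL_PWD rather than as a
  # -p<password> argument so it does not show up in ps listings or in
  # command traces of this script.
  dbpass=$(</p/mysql-root-pass)
  if ! MYSQL_PWD=$dbpass mysql -uroot <<<exit; then
    # answers mysql_secure_installation's prompts in order: no current
    # password, set a root password (default yes), the new password
    # twice, then the defaults for the remaining questions
    printf '\n\n%s\n%s\n\n\n\n\n\n' "$dbpass" "$dbpass" | mysql_secure_installation
  fi
  # The kodi password is spliced into an SQL string literal; double any
  # single quote so it cannot terminate the literal early. (Backslashes
  # are still subject to the server's default escape handling.)
  q="'"
  kodipass=$(</p/mysql-kodi-pass)
  kodipass=${kodipass//$q/$q$q}
  # NOTE(review): GRANT ALL ON *.* with no host part creates 'kodi'@'%',
  # an all-privilege login valid from any host, and bind-address 0.0.0.0
  # below exposes the server on every interface. Scoping the grant to the
  # kodi databases and/or a host or subnet limits the damage if that
  # password leaks.
  MYSQL_PWD=$dbpass mysql -uroot <<EOF
GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$kodipass';
EOF
  s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
  ser restart mariadb

fi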
1716
1717 ########### end kodi setup ############
1718
1719
1720 if [[ $HOSTNAME == treetowl ]]; then
1721 # nohide = export filesystems mounted deeper than the export point
1722 # fsid=0 makes this export the "root" export
1723 # not documented in the man page, but this means
1724 # 1. it can be mounted with a shorthand of server:/
1725 # 2. exports that are subdirectories of this one will automatically be mounted
# NOTE(review): rw + no_root_squash + insecure for the whole 192.168.1.0/24
# means any host on that subnet (and, since AUTH_SYS uids are client
# asserted and unprivileged ports are accepted, any user on such a host)
# can act as root on /k. This treats the LAN as fully trusted. "async" also
# acknowledges writes before they hit disk, so a server crash can lose data.
1726 tu /etc/exports <<'EOF'
1727 /k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
1728 EOF
1729 s exportfs -rav
1730 fi
1731
1732
# print everything queued by end_msg: manual steps still to be done
1733 e "$end_msg_var"
1734
1735
1736 # persistent virtual machines
1737
1738 case $distro in
1739 debian|ubuntu|trisquel)
1740 pi libosinfo-bin;
1741 ;;
1742 esac
1743
1744 # distro may not know about win 10 yet.
# pick the newest windows os-variant this virt-install knows about,
# falling back to win7. With a newer virt-install "--os-variant list" is
# not supported, so osinfo-query is consulted instead. gr is presumably a
# grep wrapper.
1745 variant=win7
1746 if ! virt-install --os-variant list &>/dev/null; then # we are using a newer virt-install
1747 for v in 10 8.1 8; do
# ${v/./\\.} escapes the dot in "8.1" for the regex
1748 if osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null; then
1749 variant=win$v
1750 break
1751 fi
1752 done
1753 fi
1754
# Define the windows VMs once. Both are gated on "win10" not being defined
# yet; win7 is not checked separately.
1755 if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then
1756
1757 # created account with
1758 # win10vmian@outlook.com, and easy to remember password
1759 # win 10 virtio, makes disk way way way faster
1760 # wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
1761 # https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
1762 # for installing virtio after initial install instead of with initial iso:
1763 # qemu-img create -f qcow2 fake.qcow2 1G
1764 # --disk=/a/images/virtio-win.iso,device=cdrom \
1765 # --disk=/a/images/fake.qcow2,bus=virtio
1766 # Also,
1767 # went to device manager, saw 2 pci devices with yellow !,
1768 # did search for drivers, pick cdrom location, done.
1769 #
1770 # from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
1771 # google said there was a control panel option for it, but
1772 # that turned out to be a lie.
1773 # Put this in a .bat file and run as administrator to turn off
1774 # hyberboot which fucks things up.
1775 # REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
1776 # power settings, turn off display: never
1777 # run "control userpasswords2", turn on automatic login.
1778 # note: when changing devices, I just undefine, then create the vm again.
1779
# the existence check looks under /nocow/user/vms but the disk passed to
# virt-install lives under /a/images - presumably one is a symlink to the
# other; verify.
# NOTE(review): "--graphics spice,listen=0.0.0.0" with no password puts
# the VM console on every interface of the host; anyone who can reach the
# spice port gets keyboard/screen access to the guest.
1780 if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
1781 s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
1782 --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
1783 -n win10 --import --os-variant $variant --cpu host-model-only
1784
# --import boots the guest; destroy just powers it off, the domain stays defined
1785 s virsh destroy win10
1786 fi
1787
1788 if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
1789 # this one hasn't had the virtio fix done yet.
1790 s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
1791 --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
1792 -n win7 --import --os-variant win7 --cpu host-model-only
1793 s virsh destroy win7
1794 # had a problem with --cpu host, so trying out
1795 # --cpu host-model-only
1796 fi
1797 fi
1798
1799
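if [[ $HOSTNAME == treetowl ]]; then
  pi samba
  # note samba re-reads its config every 1 minute
  case $distro in
    arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
  esac

  # add 2 lines after workgroup option (drop any existing copies first so
  # re-running the script stays idempotent)
  s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
  s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
  # "map to guest = bad password": a failed login is silently downgraded
  # to guest instead of being rejected, so a mistyped password never errors
  s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
  # remove default homes section. not sharing that.
  # Delete from the [homes] header up to, but not including, the next
  # section header. A plain range delete (/\[homes\]/,/\[/d) also removes
  # that next header, which folds its settings into the section before
  # [homes] - in the stock config that is [global].
  s sed -ri --follow-symlinks '/^\s*\[homes\]/,/^\s*\[/{/^\s*\[homes\]/d;/^\s*\[/!d}' /etc/samba/smb.conf

  # guest-writable share: anyone who can reach port 445 can write to /kr
  if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
    s tee -a /etc/samba/smb.conf <<'EOF'
[public]
guest ok = yes
read only = no
path = /kr
EOF
  fi

  case $distro in
    debian|ubuntu|trisquel)
      # systemd claims it generates units from /etc/init.d, but it
      # clearly doesn't in debian. I have no idea how they are
      # related. fuck debian right now. It's not documented. samba
      # has a systemd init file linked to /dev/null. There's this
      # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
      # claims samba's sub-services will be started automatically by
      # systemd... it didn't on install, wonder if it will on
      # boot. It clued me in how to start it manually though. Nothing
      # in /usr/share/doc/samba, debian admin guide says nothing about
      # any of this. (this is in debian testing as of 4/2016).

      s /etc/init.d/samba start
      ;;
    arch)
      sgo samba
      ;;
  esac
fi

# tu: project helper that appends a line if not already present
tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)"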
1845
1846
1847 ######### begin stuff belonging at the end ##########
1848
1849
1850 # Apps we want to override others for default file handler:
1851 # simplest way in debian is to just install them last.
# same array that spa() appends to; everything queued so far is installed
# in one go below
1852 simple_packages+=(
1853 mpv
1854 )
1855
1856 case $distro in
1857 ubuntu|debian)
1858 spa spacefm-gtk3 ;;
1859 arch)
1860 spa spacefm ;;
1861 esac
1862
1863
# batch install of everything queued with spa
1864 pi "${simple_packages[@]}"
1865
1866
# pending_reboot holds "true" or "false" and is run as a command here
1867 if $pending_reboot; then
1868 echo "$0: pending reboot and then finished. doing it now."
1869 s reboot now
1870 else
1871 echo "$0: $(date): ending now)"
1872 fi