2 # Copyright (C) 2016 Ian Kelling
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.
20 exec &> >(sudo
tee -a /var
/log
/distro-end
)
21 echo "$0: $(date): starting now)"
23 src
="${BASH_SOURCE%/*}"
27 IFS
= read -r -d '' y ||
:
31 spa
() { # simple package add
38 sed="sed --follow-symlinks"
62 # swh-plugins is for karaoke pulsaudio filter.
104 gnome-session-flashback
139 $
(aptitude show ruby |
sed -rn 's/Depends: (.*)/\1/p')-doc
146 transmission-remote-gtk
150 spa $
(apt-cache search ruby
[.0-9]+-doc|
awk '{print $1}')
155 ########### begin section including li ################
166 # ubuntu 14.04 uses b-cron,
167 # but its not maintained in arch.
168 # of the ones in the main repos, cronie is only one maintained.
169 # fcron appears abandoned software.
173 *) : ;; # other distros come with cron.
201 arch
) spa the_silver_searcher
;;
202 debian|ubuntu|trisquel
) spa silversearcher-ag
;;
207 debian|ubuntu|trisquel
) spa ntp
;;
216 # no equivalent in other distros:
218 debian|ubuntu|trisquel
)
220 if ! dpkg
-s apt-file
&>/dev
/null
; then
221 # this condition is just a speed optimization
225 # for debconf-get-selections
231 ubuntu|trisquel|debian
) spa ack-grep
;;
232 arch|fedora
) spa ack
;;
237 arch|debian|ubuntu|trisquel
)
250 # allows me to pipe with ssh -t, and gets rid of spam
251 # http://forums.debian.net/viewtopic.php?f=5&t=85822
252 # i'd rather disable the service than comment the init file
253 # this says disabling the service, it will still get restarted
254 # but this script doesn't do anything on restart, so it should be fine
255 s
dd of
=/var
/run
/motd.dynamic
if=/dev
/null
256 # stretch doesn't have initscripts pkg installed by default
257 if [[ $
(debian-codename
) == jessie
]]; then
258 s update-rc.d motd disable
262 # this isn't a complete solution. It still shows me when updates are available,
263 # but it's no big deal.
264 s t
/etc
/update-motd.d
/10-help-text /etc
/update-motd.d
/00-header
270 # https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
271 # /etc/cron.daily/apt calls unattended-upgrades
272 # /usr/share/doc/unattended-upgrades# cat README.md
273 # /etc/apt/apt.conf.d/50unattended-upgrades
275 setup-debian-auto-update
278 # we've got a few dependencies later on, so install them now.
279 pi
"${simple_packages[@]}"
283 ### begin docker install ####
284 # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description
285 pi software-properties-common apt-transport-https
286 curl
-fsSL https
://download.docker.com
/linux
/debian
/gpg | sudo apt-key add
-
287 sudo add-apt-repository \
288 "deb [arch=amd64] https://download.docker.com/linux/debian \
294 ### end docker install ####
299 # note, need python-certbot-nginx for nginx, but it depends on nginx,
300 # and I'm not installing nginx by default right now
301 if isdebian-testing
; then
302 pi
--install-suggests certbot
304 pi
--install-suggests -t jessie-backports certbot
306 # make a version of the certbot timer that emails me.
307 x
=/systemd
/system
/certbot
308 $sed -r -f - /lib
$x.timer
<<'EOF' |s dd of=/etc${x}mail.timer
309 s,^Description.*,\0 mail version,
311 $sed -r -f - /lib
$x.service
<<'EOF' |s dd of=/etc${x}mail.service
312 s,(ExecStart=)(/usr/bin/certbot),\1/a/bin/log-quiet/sysd-mail-once certbotmail \2 --renew-hook /a/bin/distro-setup/certbot-renew-hook,
315 sgo certbotmail.timer
318 # todo: other distros unknown
326 lj
) domain
=iank.bid
; exit 0 ;;
327 li
) domain
=iankelling.org
;;
329 /a
/h
/setup.sh
$domain
332 sudo
-E /a
/bin
/mediawiki-setup
/mw-setup-script
335 pi-nostart mumble-server
336 s
$sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc
/mumble-server.ini
338 # do certificate to avoid warning about unsigned cert,
339 # which is overkill for my use, but hey, I'm cool, I know
341 web-conf apache2 mumble.iankelling.org
342 s
rm -f /etc
/apache
2/sites-enabled
/mumble.iankelling.org
344 export RENEWED_LINEAGE=/etc/letsencrypt/live/mumble.iankelling.org
345 /a/bin/distro-setup/certbot-renew-hook
351 tee /etc
/openvpn
/client-config
/mail <<'EOF'
352 ifconfig-push 10.8.0.4 255.255.255.0
356 sudo
dd of
=/etc
/systemd
/system
/vpnmail.service
<<EOF
358 Description=Turns on iptables mail nat
363 ExecStart=/a/bin/distro-setup/vpn-mail-forward start
364 ExecStop=/a/bin/distro-setup/vpn-mail-forward stop
367 WantedBy=openvpn.service
370 ser
enable vpnmail.service
371 # needed for li's local mail delivery.
372 tu
/etc
/hosts
<<<"10.8.0.4 mail.iankelling.org"
374 # setup let's encrypt cert
375 web-conf apache2 mail.iankelling.org
376 s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
379 domain=cal.iankelling.org
380 web-conf -f 10.8.0.4:5232 - apache2 $domain <<'EOF'
381 #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
382 # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
384 Options +FollowSymLinks +Multiviews +Indexes
387 AuthName "Authentication Required"
388 # setup one time, with root:www-data, 640
389 AuthUserFile "/etc/caldav-htpasswd"
393 # nginx version of above would be:
394 # auth_basic "Not currently available";
395 # auth_basic_user_file /etc/nginx/caldav/htpasswd;
398 ########## begin pump.io setup ##########
400 # once pump adds a logrotation script, turn off nologger,
402 # "logfile": "/var/log/pumpio/pumpio.log",
404 s dd of=/etc/pump.io.json <<'EOF'
406 "secret": "SECRET_REPLACE_ME",
408 "params": { "dbname": "pumpio" },
410 "site": "pump.iankelling.org",
411 "owner": "Ian Kelling",
412 "ownerURL": "https://iankelling.org/",
415 "hostname": "pump.iankelling.org",
417 "datadir": "/home/pumpio/pumpdata",
418 "enableUploads": true,
419 "debugClient": false,
420 "disableRegistration": true,
422 "key": "/home/pumpio/privkey.pem",
423 "cert": "/home/pumpio/fullchain.pem",
424 "address": "localhost",
428 s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
430 # jessie\'s node is too old
431 # https://nodejs.org/en/download/package-manager/
432 curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
436 git clone https://github.com/pump-io/pump.io.git
438 # note: doing this or the npm install pump.io as root had problems.
441 # normally, next command would be
442 # s npm install -g databank-mongodb
443 # but it\'s this until a bug in pump gets fixed
444 s npm install -g databank-mongodb@0.19.2
445 s useradd -m -s /bin/false pumpio
446 sudo -u pumpio mkdir -p /home/pumpio/pumpdata
447 # for testing browser when only listening to localhost,
448 # in the pump.io.json, set hostname localhost, urlPort 5233
449 #ssh -L 5233:localhost:5233 li
451 s mkdir -p /var/log/pumpio/
452 s chown pumpio:pumpio /var/log/pumpio/
454 web-conf - apache2 pump.iankelling.org <<'EOF'
455 # currently a bug in pump that we cant terminate ssl
458 ProxyPass / https://127.0.0.1:8001/
459 ProxyPassReverse / https://127.0.0.1:8001/
460 # i have sockjs disabled per people suggesting that
461 # it won\'t work with apache right now.
462 # not sure if it would work with this,
463 # but afaik, this is pointless atm.
464 <Location /main/realtime/sockjs/>
465 ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
466 ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
471 export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
472 /a/bin/distro-setup/certbot-renew-hook
475 s dd of=/etc/systemd/system/pump.service <<'EOF'
478 After=syslog.target network.target
484 ExecStart=/home/ian/pump.io/bin/pump
485 Environment=NODE_ENV=production
486 # failed to find databank-mongodb without this.
487 # I just looked at my environment variables took a guess.
488 Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
491 WantedBy=multi-user.target
495 ########## end pump.io setup ############
498 ############# begin setup mastodon ##############
500 # I'd like to try gnu social just cuz of gnu, but it's not being
501 # well maintained, for example, simple pull requests
503 # https://git.gnu.io/gnu/gnu-social/merge_requests/143
504 # and I submitted my own bugs, basic docs are broken
505 # https://git.gnu.io/gnu/gnu-social/issues/269
507 # note, docker required, but we installed it earlier
509 # i subscrubed to https://github.com/docker/compose/releases.atom
510 # to deal with updates manually. So far, it means just reving the
511 # version number, then restarting docker-compose with
513 # docker-compose up -d
514 curl -L https://github.com/docker/compose/releases/download/1.13.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose
515 s chmod +x /usr/local/bin/docker-compose
519 i clone https://github.com/tootsuite/mastodon
521 # subbed to atom feed to deal with updates
522 git checkout $(git tag | grep -v rc | tail -n1)
524 # per instructions, uncomment redis/postgres persistence in docker-compose.yml
525 sed -i 's/^#//' docker-compose.yml
527 cat >.env.production <<'EOF'
536 LOCAL_DOMAIN=mast.iankelling.org
539 SINGLE_USER_MODE=true
544 SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
545 SMTP_DOMAIN=mast.iankelling.org
546 SMTP_DELIVERY_METHOD=smtp
549 for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
550 printf "%s=%s" $key "$(docker-compose run --rm web rake secret)" >>.env.production
552 s cat /etc/mailpass| while read -r domain port pass; do
553 if [[ $domain == mail.iankelling.org ]]; then
554 printf "SMTP_PASSWORD=%s" "$pass" >>.env.production
561 docker-compose run --rm web rails assets:precompile
563 # docker daemon takes care of starting on boot.
566 s a2enmod proxy_wstunnel headers
567 web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
569 RequestHeader set X-Forwarded-Proto "https"
570 ProxyPass /500.html !
571 ProxyPass /oops.png !
572 ProxyPass /api/v1/streaming/ ws://localhost:4000/
573 ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
574 ErrorDocument 500 /500.html
575 ErrorDocument 501 /500.html
576 ErrorDocument 502 /500.html
577 ErrorDocument 503 /500.html
578 ErrorDocument 504 /500.html
582 ############### !!!!!!!!!!!!!!!!!
583 ############### manual steps:
585 # only following 2 people atm, so not bothering to figure out backups
586 # when mastodon has not documented it at all.
591 # johns@status.fsf.org
593 # sign in page is at https://mast.iankelling.org/auth/sign_in
594 # register as iank, then
595 # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
596 # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
598 ############# end setup mastodon ##############
600 # we use nsupdate to update the ip of home
603 echo "$0: $(date): ending now)"
609 ########### end section including li/lj ###############
611 if [[ $HOSTNAME == treetowl ]]; then
612 # note, see bashrc for more documentation.
614 s dd of=/etc/systemd/system/rss2email.service <<'EOF'
616 Description=rss2email
617 After=multi-user.target
622 # about 24 hours of failures
623 # it copies over its files without respecting symlinks, so
624 # we pass options to use different location.
625 ExecStart=/a/bin/log-quiet/sysd-mail-once -288 rss2email r2e -d /p/c/rss2email.json -c /p/c/rss2email.cfg run
627 s dd of=/etc/systemd/system/rss2email.timer <<'EOF'
629 Description=rss2email
632 # for initial run. required.
634 # for subsequent runs.
635 OnUnitInactiveSec=300
638 WantedBy=timers.target
640 s systemctl daemon-reload
644 ######### begin pump.io periodic backup #############
645 if [[ $HOSTNAME == treetowl ]]; then
646 s dd of=/etc/systemd/system/pumpbackup.service <<'EOF'
648 Description=pump li backup
649 After=multi-user.target
654 ExecStart=/a/bin/log-quiet/sysd-mail-once pump-backup /a/bin/distro-setup/pump-backup
656 s dd of=/etc/systemd/system/pumpbackup.timer <<'EOF'
658 Description=pump li backup hourly
664 WantedBy=timers.target
666 s systemctl daemon-reload
669 ######### end pump.io periodic backup #############
672 debian|ubuntu|trisquel)
673 # suggests because we want the resolvconf package.
674 # todo: check other distros to make sure it\'s installed
675 pi-nostart --install-suggests openvpn
676 # pi-nostart does not disable
682 /a/bin/distro-setup/radicale-setup
684 ## android studio setup
685 # this contains the setting for android sdk to point to
686 # /a/opt/androidsdk, which is asked upon first run
687 lnf /a/opt/.AndroidStudio2.2 ~
688 # android site says it needs a bunch of packages for ubuntu,
689 # but I googled for debian, and someone says you just need lib32stdc++6 plus the
691 # https://pid7007blog.blogspot.com/2015/07/installing-android-studio-in-debian-8.html
692 # see w.org for more android studio details
693 spa lib32stdc++6 default-jdk
696 if [[ $HOSTNAME == treetowl ]]; then
697 ############# begin syncthing setup ###########
699 # It\'s simpler to just worry about running it in one place for now.
700 # I assume it would work to clone it\'s config to another non-phone
701 # and just run it in one place instead of the normal having a
702 # separate config. I lean toward using the same config, since btrfs
703 # syncs between comps.
705 arch) pi syncthing ;;
706 ubuntu|trisquel|debian)
707 # testing has relatively up to date packages
708 if ! isdebian-testing; then
709 # based on error when doing apt-get update:
710 # E: The method driver /usr/lib/apt/methods/https could not be found.
711 pi apt-transport-https
712 # google led me here:
713 # https://apt.syncthing.net/
714 curl -s https://syncthing.net/release-key.txt | sudo apt-key add -
715 s="deb http://apt.syncthing.net/ syncthing release"
716 if [[ $(cat /etc/apt/sources.list.d/syncthing.list) != $s ]]; then
717 echo "$s" | s dd of=/etc/apt/sources.list.d/syncthing.list
724 lnf -T /w/syncthing /home/ian/.config/syncthing
725 sgo syncthing@ian # runs as ian
727 # these things persist in ~/.config/syncthing, which I save in
728 # /w/syncthing (not in /p, because syncthing should continue to
729 # run on home server even when using laptop as primary device)
730 # open http://localhost:8384/
731 # change listen address from default to tcp://:22001,
732 # this is because we do port forward so it doesn\'t have to use
733 # some external server, but the syncthing is broken for port forward,
734 # you get a message, something "like connected to myself, this should not happen"
735 # when connecting to other local devices, so I bump the port up by 1,
737 # https://forum.syncthing.net/t/connected-to-myself-should-not-happen/1763/19.
738 # Without this, it was being stuck syncing at 0%.
739 # Set gui username and password.
741 # install syncthing via f-droid,
742 # folder setting, turn off master folder (makes it read only).
743 # on phone, add device, click bar code icon
744 # on dekstop, top right, actions, device id
745 # after adding, notification will appear on desktop to confirm
747 # syncing folder. from phone to desktop: select desktop in the
748 # folder on phone\'s sync options, notification will appear in
749 # desktop\'s web ui within a minute. For the reverse, the
750 # notification will appear in android\'s notifications, you have to
751 # swipe down and tap it to add the folder. It won\'t appear in the
752 # syncthing ui, which would be intuitive, but don\'t wait for it
755 # On phone, set settings to run syncthing all the time, and
756 # show no notification.
758 # Folder versioning would make sense if I didn\'t already use btrfs
759 # for backups. I would choose staggered, or trash can for more space.
761 # if needed to install on a remote comp:
762 # ssh -L 8384:localhost:8384 -N frodo
763 # open http://localhost:8384/
765 # Note, the other thing i did was port forward port 22000,
766 # per https://docs.syncthing.net/users/firewall.html
768 ############# end syncthing setup ###########
773 # no equivalent in other distros:
775 debian|ubuntu|trisquel)
776 # for gui bug reporting
782 ####### misc packages ###########
784 # nagstamon setting which were set through the ui
786 # all unknown sources
787 # all warning services
788 # acknowledged hosts & services
789 # hosts & services down for maintenence
790 # services on down hosts
791 # services on hosts in maintenece
792 # services on unreachable osts
793 # hosts in soft state
794 # services in soft state
795 # in display tab: icon in systray.
798 debian|ubuntu|trisquel)
799 # it asks if it should make users in it's group capture packets without root,
800 # which is arguably more secure than running wireshark as root. default is no,
801 # which is what i prefer, since I plan to use tcpdump to input to wireshark.
802 s DEBIAN_FRONTEND=noninteractive pi wireshark-gtk
809 debian|ubuntu|trisquel)
810 # no recommends because it wanted some other unstable package, something to
811 # do with math or something, which I didn't want to deal with.
812 p -y --no-install-recommends install python3-send2trash/unstable anki/unstable
818 debian|ubuntu|trisquel)
819 # note i had to do this, which is persistent:
821 # s chgrp debian-transmission torrents partial-torrents
823 # syslog says things like
824 # 'Failed to set receive buffer: requested 4194304, got 425984'
825 # google suggets giving it even more than that
826 tu /etc/sysctl.conf<<'EOF'
827 net.core.rmem_max = 67108864
828 net.core.wmem_max = 16777216
832 # some reason it doesn\'t seem to start automatically anyways
833 pi-nostart transmission-daemon
835 # the folder was moved here after an install around 02/2017.
836 # it contains runtime data,
837 # plus a simple symlink to the config file which it\'s
838 # not worth separating out.
839 s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon
841 # config file documented here, and it\'s the same config
842 # for daemon vs client, so it\'s documented in the gui.
843 # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
845 # I originaly setup rpc-whitelist, but after using
846 # routing to a network namespace, it doesn\'t see the
847 # real source address, so it\'s disabled.
849 # Changed the cache-size to 256 mb, reduces disk use.
850 # It is a read & write cache.
854 p = '/etc/transmission-daemon/settings.json'
855 File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
856 'rpc-whitelist-enabled' => false,
857 'rpc-authentication-required' => false,
858 'incomplete-dir' => '/i/k/partial-torrents',
859 'incomplete-dir-enabled' => true,
860 'download-dir' => '/i/k/torrents',
861 "speed-limit-up" => 800,
862 "speed-limit-up-enabled" => true,
863 "peer-port" => 61486,
864 "cache-size-mb" => 256,
865 "ratio-limit" => 5.0,
866 "ratio-limit-enabled" => true,
870 # make sure its not enabled, not sure if this is needed
871 ser disable transmission-daemon
873 # todo: others unknown
875 # adapted from /var/lib/dpkg/info/transmission-daemon.postinst
876 if ! getent passwd debian-transmission > /dev/null; then
882 --home-dir /var/lib/transmission-daemon \
891 --disabled-password \
892 --home /var/lib/transmission-daemon \
897 if [[ $HOSTNAME == treetowl ]]; then
898 sgo transmission-daemon-nn
902 ######### begin transmission client setup ######
904 if [[ -e /p/transmission-rpc-pass ]]; then
905 # arch had a default config,
906 # debian had nothing until you start it.
907 # With a little trial an error, here is a minimal config
908 # taken from the generated one, plus changes that the
909 # settings ui does, without a bunch of ui crap settings.
911 # only settings I set were
916 # the password is randomly generated on first run, i copied it out
917 # so it could be used by other hosts.
920 p = '/etc/transmission-daemon/settings.json'
921 s = JSON.parse(File.read(p))
922 s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
923 File.write p, JSON.pretty_generate(s)
926 rpc_pass=$(</p/transmission-rpc-pass)
928 d=$f/.config/transmission-remote-gtk
931 s -u $u dd of=$d/config.json <<EOF
935 "profile-name" : "Default",
936 "hostname" : "transmission",
937 "rpc-url-path" : "/transmission/rpc",
939 "password" : "$rpc_pass",
940 "auto-connect" : true,
944 "update-active-only" : false,
945 "activeonly-fullsync-enabled" : false,
946 "activeonly-fullsync-every" : 2,
947 "update-interval" : 3,
948 "min-update-interval" : 3,
949 "session-update-interval" : 60,
957 "add-options-dialog" : false
963 # dunno why it\'s there, but get rid of it
965 li|lj) s rm -rf /home/linode ;;
973 debian|ubuntu|trisquel)
976 wget -nv -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
979 s dpkg -i google-chrome-stable_current_amd64.deb |& tee $log
985 # previously I had a more specific search, but dpkg
986 # changed it\'s output as of 7/2016
987 if grep 'dependency problems' \
988 $log &>/dev/null; then
989 s apt-get -fy install
1006 pi cups ghostscript gsfonts # from arch wiki cups page
1007 pi hplip # from google
1008 s gpasswd -a $USER sys # from arch wiki
1009 sgo org.cups.cupsd.service
1010 # goto http://127.0.0.1:631
1011 # administration tab, add new printer button.
1012 # In debian, I could use hte recommended driver,
1013 # in arch, I had to pick out the 6L driver.
1015 debian|ubuntu|trisquel)
1018 # other distros unknown
1023 ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
1024 fedora|arch) spa mairix notmuch ;;
1027 arch) spa nfs-utils ;;
1028 ubuntu|debian) spa nfs-client ;;
1031 ubuntu|debian) spa par2 ;;
1032 arch|fedora) spa par2cmdline ;;
1035 # needed for my tex resume
1037 ubuntu|debian) spa texlive-full ;;
1038 arch) spa texlive-most ;;
1044 # flash, unrar, codecs, ms fonts.
1045 # This has a manual prompt.
1046 spa ubuntu-restricted-extras
1050 # rpm fusion recommended codecs
1051 s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
1052 pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
1053 xine-lib-extras-freeworld
1058 # optional dep for firefox for h.264 video
1059 arch) spa gst-libav ;;
1060 # other distros, probably come by default
1064 fedora|ubuntu|trisquel|debian) spa gnupg-agent ;;
1070 fedora) spa pinentry-gtk ;;
1071 *) : ;; # comes default or with other packages
1075 arch) spa firefox pulseaudio;;
1076 *) : ;; # comes default or with other packages
1081 arch) spa ttf-dejavu;;
1082 debian|ubuntu|trisquel) spa fonts-dejavu ;;
1088 arch) spa xorg-xev;;
1089 debian|ubuntu|trisquel) spa x11-utils ;;
1094 arch) pi virt-install;;&
1095 debian|ubuntu|trisquel) pi virtinst ;;&
1096 *) pi virt-manager ;; # creates the libvirt group in debian at least
1099 # allow user to run vms, from debian handbook
1100 for x in ian traci; do s usermod -a -G libvirt,kvm $x; done
1101 # bridge networking as user fails. google lead here, but it doesn\'t work:
1102 # oh well, I give up.
1103 # http://wiki.qemu.org/Features-Done/HelperNetworking
1105 # f=/etc/qemu/bridge.conf
1106 # s dd of=$f <<'EOF'
1109 # #s chown root:qemu $f # debian has somethig like qemu-libvirt. equivalent?
1115 debian|ubuntu|trisquel) spa genisoimage;;
1120 arch) spa spice-gtk3 ;;
1121 debian|ubuntu|trisquel) spa spice-client-gtk;;
1125 # general known for debian/ubuntu, not for fedora
1128 debian|ubuntu|trisquel)
1130 # a bit of googling, and added settings to bashrc
1131 go get -u github.com/mvdan/fdroidcl/cmd/fdroidcl
1139 # cdrkit for cloud-init isos
1140 # dnsmasq & ebtables for nat networking in libvirt
1141 # qemu for qemu-img, bind-tools for dig
1142 # dmidecode just because syslog complains
1143 pi unzip xorg-xmodmap dmidecode ebtables\
1144 bridge-utils dnsmasq qemu bind-tools
1145 # otherwise we get error about accessing kvm module.
1146 # seems like there might be a better way, but google was a bit vague.
1147 s $sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
1148 echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
1149 # https://bbs.archlinux.org/viewtopic.php?id=206206
1150 # # this should prolly go in the wiki
1152 # guessing this is not needed
1153 #sgo virtlogd.service
1160 arch) pi virtviewer ;;
1161 *) : ;; # other distros have it as a dependency afaik.
1167 fedora) cabal install shellcheck ;;
1168 *) spa shellcheck ;;
1169 # unknown for older ubuntu
1174 arch|debian|ubuntu|trisquel) spa pumpa ;;
1175 # others unknown. do have a buildscript:
1176 # /a/bin/buildscripts/pumpa ;;
1182 debian|ubuntu|trisquel) spa android-tools-adbd/unstable ;;
1183 arch) spa android-tools ;;
1184 # other distros unknown
1187 if [[ $HOSTNAME == treetowl ]]; then
1190 if [[ `debian-archive` == testing ]]; then
1191 # has no unstable dependencies
1192 pi bitcoind/unstable
1193 src=/a/opt/bitcoin/contrib/init/bitcoind.service
1194 s cp $src /etc/systemd/system
1195 p=/etc/bitcoin/bitcoin
1196 dst=/etc/systemd/system/bitcoinjm.service
1198 $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \
1199 >/etc/systemd/system/bitcoinjm.service
1201 d=jm; jm=d # being clever for succinctness
1203 s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
1204 /etc/systemd/system/bitcoin${s}.service
1211 s chown -R bitcoin:bitcoin $dir
1214 s chown -R root:bitcoin $dir
1217 # pruning decreases the bitcoin dir to 2 gb, keeps
1218 # just the recent blocks. can\'t do a few things like
1219 # import a wallet dump.
1220 # pruning works, but people had to do
1221 # some manual stuff in joinmarket. I dun need the
1222 # disk space, so not bothering yet, maybe in a year or so.
1223 # https://github.com/JoinMarket-Org/joinmarket/issues/431
1224 #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
1230 rpcpassword=$(openssl rand -base64 32)
1231 rpcuser=$(openssl rand -base64 32)
1235 f2=$dir/bitcoinjm.conf
1237 s tee -a $f2 >/dev/null <<EOF
1239 walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
1240 alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
1241 wallet=joinmarket.dat
1243 # dunno about sharing a wallet between multiple instances
1244 # manually did, wallet.dat symlinked in /nocow/.bitcoin
1248 # other distros unknown
1250 pi libsodium-dev python-pip
1251 cd /a/opt/joinmarket
1252 # using develop branch, as it seems to be mostly bug fixes,
1253 # and this is quite new software.
1254 # note: python3 does not work.
1255 # has seg fault error due to some bug, but it still works
1256 pip install -r requirements.txt || [[ $? == 139 ]]
1257 # note, the target must exist ahead of time, or bitcoin
1258 # just overwrites the link, and it\'s not happy with an empty file,
1259 # so we have to create the wallet, then move and link it.
1260 s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
1261 s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
1262 # not technically needed, but seems cleaner not to have
1263 # symlinks be root owned unlike everything else
1264 s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
1266 for var in rpcuser rpcpassword; do
1267 u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
1268 # escape backslashes
1269 u="${u//\\/\\\\\\\\}"
1272 sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
1274 sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
1283 wget http://tamacom.com/global/global-6.3.2.tar.gz
1286 # based on https://github.com/leoliu/ggtags
1287 ./configure --with-exuberant-ctags=/usr/bin/ctags
1290 s pip install pygments
1298 debian|ubuntu|trisquel)
1306 pi task-cinnamon-desktop
1307 # in settings, change scrolling to two-finger,
1308 # because the default edge scroll doesn\'t work.
1317 # already in debian jessie
1324 # note this failed running at the beginning of this file,
1325 # because no systemd user instance was running.
1326 # Doing systemd --user resulted in
1327 # Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
1329 if isdebian-testing; then
1330 # as of 7/2016, has no unstable deps, and is not in testing anymore.
1337 # # ubuntu unknown. probably the same as debian, just check if the
1338 # # init scripts come with the package.
1340 # # copied from arch, but moved to etc
1341 # s dd of=/etc/systemd/user/synergys.service <<'EOF'
1343 # Description=Synergy Server Daemon
1344 # After=network.target
1348 # ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
1349 # Restart=on-failure
1352 # WantedBy=multi-user.target
1354 # s dd of=/etc/systemd/user/synergys.socket <<'EOF'
1356 # Conflicts=synergys@.service
1359 # ListenStream=24800
1363 # WantedBy=sockets.target
1365 # # had this fail with 'Failed to connect to bus: No such file or directory'
1366 # # then when I tried it manually, it worked fine...
1367 # if ! systemctl --user daemon-reload; then
1369 # echo retrying systemd user daemon reload
1370 # systemctl --user daemon-reload
1374 # # taken from arch wiki.
1375 # s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
1377 # Description=Synergy Client
1378 # After=network.target
1382 # ExecStart=/usr/bin/synergyc --no-daemon frodo
1383 # Restart=on-failure
1384 # # per man systemd.unit, StartLimitInterval, by default we
1385 # # restart more than 5 times in 10 seconds.
1386 # # And this param defaults too 200 miliseconds.
1390 # WantedBy=multi-user.target
1392 # s systemctl daemon-reload
1395 # ser enable synergyc@ian
1396 # ser start synergyc@ian ||: # X might not be running yet
1399 # systemctl --user start synergys ||:
1400 # systemctl --user enable synergys
1408 ### kdeconnect for gnome. started in /a/bin/distro-setup/desktop-20-autostart.sh
1409 pi libgtk-3-dev python3-requests-oauthlib valac cmake python-nautilus
1410 cd /a/opt/indicator-kdeconnect
1413 cmake .. -DCMAKE_INSTALL_PREFIX=/usr
1418 ######### end misc packages #########
1421 # packages I once used before and liked, but don\'t want installed now for
1423 # python-sqlite is used for offlineimap
1424 # lxappearance python-sqlite dolphin paman dconf-editor
1430 # todo, finish configuring smart.
1433 # mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
1434 # turn on smart. background on options:
1435 # first line, -a = test everyting on all devices.
1436 # -S on, turn on disk internal saving of vendor specific info,
1437 # from google, seems like this is usually already on and fairly standard.
1438 # -o on, turn on 4 hour period non-performance degrading testing.
1439 # short test daily 2-3am, extended tests Saturdays between 3-4am:
1440 sched="-s (S/../.././02|L/../../6/03)"
1441 s sed -i --follow-symlinks "s#^[[:space:]]*DEVICESCAN.*#\
1442 DEVICESCAN -a -o on -S on -n standby,q $sched \
1443 -m ian@iankelling.org -M exec /usr/local/bin/smart-notify#" /etc/smartd.conf
1445 # in the default configuration of at least ubuntu 14.04, resolvconf is
1446 # configured to order any nameservers associated with tun* or tap*
1447 # before the normal internet interfaces, which means they are always
1448 # consulted first. This is often slower and undesirable, ie. local dns
1449 # queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
1451 #sudo sed -i --follow-symlinks '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
1452 # however, this breaks dns lookup for hosts on the openvpn lan.
1453 # I can\'t figure out why hosts on the normal lan would not be
1454 # broken under the default ordering, except the host I was
1455 # testing with previously had an entry in /etc/hosts.
1457 ############# end unfinished
1459 ########### misc stuff
1462 for dev in $(s btrfs fi show /boot | sed -nr 's#.*path\s+(\S+)$#\1#p'); do
1463 devs+=($(devbyid $dev),)
1465 devs[-1]=${devs[-1]%,} # jonied by commas
1467 # on grub upgrade, we get prompts unless we do this
1468 s debconf-set-selections <<EOF
1469 grub-pc grub-pc/install_devices multiselect ${devs[*]}
1473 # the wiki backup script from ofswiki.org uses generic paths
1474 s lnf /p/c/machine_specific/li/mw_vars /root
1475 s lnf /k/backup/wiki_backup /root
1477 s cedit /etc/goaccess.conf <<'EOF' || [[ $? == 1 ]]
1478 # all things found from looking around the default config
1479 # copied existing NCSA Combined Log Format with Virtual Host, plus %L
1480 log-format %^:%^ %h %^[%d:%t %^] "%r" %s %b "%R" "%u" %D
1481 time-format %H:%M:%S
1482 date-format %d/%b/%Y
1483 log-file /var/log/apache2/access.log
1486 # tip: copy access.log files to a stretch host directory, then run
1487 # jessie's goaccess is too old for some options, and it\'s
1488 # not easily installed from a testing.
1489 # goaccess --ignore-crawlers -f <(cat *) -a -o html > x.html
1494 debian|ubuntu|trisquel)
1495 case `debian-archive` in
1497 s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
1498 Explanation: Allow unison-gtk to be upgraded
1500 Pin: release a=testing
1503 # dont think using testing is needed since I figured out how to
1504 # deal with mismatching unison compilers, but I dont
1505 # see any reason to revert it, since it only installs
1506 # a single package which is primarily a single binary
1510 pi unison-gtk/testing # after to make it the default unison
1519 # default is alsa, doesn\'t work with with pianobar
1520 s dd of=/etc/libao.conf <<'EOF'
1521 default_driver=pulse
1526 # note, for jessie, it depends on a higher version of btrfs-tools.
1528 # # disabled due to my patch being in btrbk
1530 # arch|debian|ubuntu|trisquel) pi btrbk ;;
1535 spa pv # for progress bar when running interactively.
1536 if [[ $HOSTNAME == treetowl ]]; then
1537 # backup/sync manually on others hosts for now.
1539 # note: to see when it was last run,
1543 if [[ $HOSTNAME == treetowl ]] && [[ `debian-archive` != testing ]]; then
1544 # fail2 ban is broken, with a workaround, per
1545 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770171
1546 # ill wait a while to see if it gets fixed
1556 debian|ubuntu|trisquel) s gpasswd -a ian adm ;; #needed for reading logs
1562 # https://www.torproject.org/docs/rpms.html.en
1563 # https://www.torproject.org/docs/debian.html.en
1564 # todo: figure out if the running service needs to be restarted upon updates
1567 # todo on fedora: setup non-dev packages
1569 s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
1571 name=Tor experimental repo
1573 baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
1575 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
1578 name=Tor experimental source repo
1581 baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
1583 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
1586 # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
1587 # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
1589 /a/bin/buildscripts/tor-browser
1592 tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
1593 gpg --keyserver keys.gnupg.net --recv 886DDD89
1594 gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
1596 pi deb.torproject.org-keyring
1598 /a/bin/buildscripts/tor-browser
1602 /a/bin/buildscripts/tor-browser
1605 pi tor tor-browser-en
1615 fedora todo: disable the firewall or find a way to automate it.
1616 there's an unused section in t.org for tramikssion firewall setup
1618 fedora manual config for nfs:
1620 change to permanent configuration
1621 check the box for nfs
1622 was hard to figure this out, not sure if this is all needed, but
1624 mountd: udp/tcp 20048
1625 portmapper, in firewall-config its called rpc-bind: udp/tcp 111
1626 troubleshooting, unblock things in rpcinfo -p
1627 make sure to reload the firewall to load the persistent configuration
1634 debian|ubuntu|trisquel)
1638 pi nfs-utils || pending_reboot=true
1640 # this failed until I rebooted
1646 ########### begin kodi setup ############
1649 # based on https://wiki.debian.org/SecuringNFS
1650 # but the quota stuff is either outdated or optional,
1651 # i guessed that it was not needed and it worked fine.
1652 s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
1653 fs.nfs.nfs_callback_tcpport = 32764
1654 fs.nfs.nlm_tcpport = 32768
1655 fs.nfs.nlm_udpport = 32768
1658 s $sed -ri -f - /etc/default/nfs-common <<'EOF'
1660 $a STATDOPTS="--port 32765 --outgoing-port 32766"
1663 s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
1664 /^\s*RPCMOUNTDOPTS=/d
1665 $a RPCMOUNTDOPTS="--manage-gids --port 32767"
1667 ser restart nfs-kernel-server
1669 if [[ $HOSTNAME == treetowl ]]; then
1670 # persistent one time steps for webdav:
1671 # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
1672 # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
1673 # htpasswd -c /p/c/filesystem/etc/davpass dav
1674 # chmod 640 /p/c/filesystem/etc/davpass
1675 # in conflink, set group to www-data.
1676 # In kodi, i set the music source, server address: my domain,
1677 # path: k/music. Then copied the file
1678 # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
1679 s a2enmod dav dav_fs
1680 web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
1681 <Directory /a/c/playlists>
1684 AuthName "Authentication Required"
1685 AuthUserFile "/etc/davpass"
1688 # outside the standard /var/www, so use this:
1693 s mkdir -p /var/www/davlock
1694 s chown www-data:www-data /var/www/davlock
1695 s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
1698 teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
1701 # kodi uses sqlite by default, but supports mysql.
1704 # see ofswiki.org for explanation.
1705 dbpass="$(cat /p/mysql-root-pass)"
1706 if ! echo exit|mysql -uroot "-p$dbpass"; then
1707 echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
1709 mysql -uroot "-p$dbpass" <<EOF
1710 GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
1712 s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
1717 ########### end kodi setup ############
1720 if [[ $HOSTNAME == treetowl ]]; then
1721 # nohide = export filesystems mounted deeper than the export point
1722 # fsid=0 makes this export the "root" export
1723 # not documented in the man page, but this means
1724 # 1. it can be mounted with a shorthand of server:/
1725 # 2. exports that are subdirectories of this one will automatically be mounted
1726 tu /etc/exports <<'EOF'
1727 /k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
1736 # persistent virtual machines
1739 debian|ubuntu|trisquel)
1744 # distro may not know about win 10 yet.
1746 if ! virt-install --os-variant list &>/dev/null; then # we are using a newer virt-install
1747 for v in 10 8.1 8; do
1748 if osinfo-query os | gr "^\s*win${v/./\\.}\s" &>/dev/null; then
1755 if ! s virsh list --all --name | grep -xF win10 &>/dev/null; then
1757 # created account with
1758 # win10vmian@outlook.com, and easy to remember password
1759 # win 10 virtio, makes disk way way way faster
1760 # wget https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso
1761 # https://wiki.archlinux.org/index.php/QEMU#Change_Existing_Windows_VM_to_use_virtio
1762 # for installing virtio after initial install instead of with initial iso:
1763 # qemu-img create -f qcow2 fake.qcow2 1G
1764 # --disk=/a/images/virtio-win.iso,device=cdrom \
1765 # --disk=/a/images/fake.qcow2,bus=virtio
1767 # went to device manager, saw 2 pci devices with yellow !,
1768 # did search for drivers, pick cdrom location, done.
1770 # from http://www.tenforums.com/tutorials/4189-fast-startup-turn-off-windows-10-a.html.
1771 # google said there was a control panel option for it, but
1772 # that turned out to be a lie.
1773 # Put this in a .bat file and run as administrator to turn off
1774 # hyberboot which fucks things up.
1775 # REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power" /V HiberbootEnabled /T REG_dWORD /D 0 /F
1776 # power settings, turn off display: never
1777 # run "control userpasswords2", turn on automatic login.
1778 # note: when changing devices, I just undefine, the create the vm again.
1780 if [[ -e /nocow/user/vms/win10.qcow2 ]]; then
1781 s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
1782 --disk=/a/images/win10.qcow2,bus=virtio --vcpus 2 -r 4096 -w bridge=br0 \
1783 -n win10 --import --os-variant $variant --cpu host-model-only
1785 s virsh destroy win10
1788 if [[ -e /nocow/user/vms/win7.qcow2 ]]; then
1789 # this one hasn\'t had the virtio fix done yet.
1790 s virt-install --noautoconsole --graphics spice,listen=0.0.0.0 \
1791 --disk=/a/images/win7.qcow2 --vcpus 2 -r 4096 -w bridge=br0 \
1792 -n win7 --import --os-variant win7 --cpu host-model-only
1793 s virsh destroy win7
1794 # had a problem with --cpu host, so trying out
1795 # --cpu host-model-only
1800 if [[ $HOSTNAME == treetowl ]]; then
1802 # note samba re-reads it\'s config every 1 minute
1804 arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
1807 # add 2 lines after workgroup option
1808 s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
1809 s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
1810 s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
1811 # remove default homes section. not sharing that.
1812 s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf
1814 if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
1815 s tee -a /etc/samba/smb.conf <<'EOF'
1824 debian|ubuntu|trisquel)
1825 # systemd claims it generates units from /etc/init.d, but it
1826 # clearly doesn\'t in debian. I have no idea how they are
1827 # related. fuck debian right now. It\'s not documented. samba
1828 # has a systemd init file linked to /dev/null. There\'s this
1829 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
1830 # claims samba\'s sub-services will be started automatically by
1831 # systemd... it didn\'t on install, wonder if it will on
1832 # boot. It clued me in how to start it manually though. Nothing
1833 # in /usr/share/doc/samba, debian admin guide says nothing about
1834 # any of this. (this is in debian testing as of 4/2016).
1836 s /etc/init.d/samba start
1844 tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)"
1847 ######### begin stuff belonging at the end ##########
1850 # Apps we want to override others for default file handler:
1851 # simplest way in debian is to just install them last.
1864 pi "${simple_packages[@]}"
1867 if $pending_reboot; then
1868 echo "$0: pending reboot and then finished. doing it now."
1871 echo "$0: $(date): ending now)"