various fixes and updates

[distro-setup] / distro-end

#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling
# This program is under GPL v. 3 or later, see <http://www.gnu.org/licenses/>
set -eE -o pipefail
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR

set -x

end_msg() {
    local y
    IFS= read -r -d '' y  ||:
    end_msg_var+="$y"
}

distro=$(distro-name)


# template
case $distro in
esac

pup

# universal packages
x=(
    bwm-ng
    chromium
    duplicity
    fail2ban
    fdupes
    filelight
    gdb
    gnome-screenshot
    mailutils
    meld
    mpv
    offlineimap
    openvpn
    p7zip
    paprefs
    pavucontrol
    pianobar
    pidgin
    rdiff-backup
    slock
    smartmontools
    squashfs-tools
    tree
    virt-manager
)

pi "${x[@]}"

# things with no equivalent in other distros:
case $distro in
    debian|ubuntu)
        # for gui bug reporting
        pi python-vte
        pi apt-file aptitude
        s apt-file update
        # for debconf-get-selections
        pi debconf-utils
        ;;
esac


####### misc packages ###########


case $distro in
    # tk for gitk
    arch) pi git tk ;;
    *) pi git ;;
esac

case $distro in
    arch) pi the_silver_searcher ;;
    debian|ubuntu) pi silversearcher-ag ;;
    # fedora unknown
esac

# printer
case $distro in
    arch)
        pi cups ghostscript gsfonts # from arch wiki cups page
        pi hplip # from google
        s gpasswd -a $USER sys # from arch wiki
        sgo org.cups.cupsd.service
        # goto http://127.0.0.1:631
        # administration tab, add new printer button.
        # In debian, I could use hte recommended driver,
        # in arch, I had to pick out the 6L driver.
        ;;
    debian|ubuntu)
        pi hplip
        ;;
    # other distros unknown
esac


case $distro in
    ubuntu|debian) pi ack-grep ;;
    arch|fedora) pi ack ;;
    # fedora unknown
esac
case $distro in
    ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
    fedora|arch) pi mairix notmuch ;;
esac
case $distro in
    arch) pi nfs-utils ;;
    ubuntu|debian) pi nfs-client ;;
esac
case $distro in
    ubuntu|debian) pi par2 ;;
    arch|fedora) pi par2cmdline ;;
esac

# needed for my tex resume
case $distro in
    ubuntu|debian) pi texlive-full ;;
    arch) pi texlive-most ;;
    # fedora unknown
esac

case $distro in
    ubuntu)
        # flash, unrar, codecs, ms fonts.
        # This has a manual prompt.
        pi ubuntu-restricted-extras
        ;;
    fedora)
        pi yum-utils
        # rpm fusion recommended codecs
        s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
        pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
           xine-lib-extras-freeworld
        ;;
esac

case $distro in
    # optional dep for firefox for h.264 video
    arch) pi gst-libav ;;
    # other distros, probably come by default
esac

case $distro in
    fedora|ubuntu|debian) pi gnupg-agent ;;
    arch) : ;;
esac


case $distro in
    fedora|ubuntu|debian) pi transmission ;;
    arch) pi transmission-gtk ;;
esac


case $distro in
    fedora) pi pinentry-gtk ;;
    *) : ;; # comes default or with other packages
esac

case $distro in
    arch) pi firefox pulseaudio;;
    *) : ;; # comes default or with other packages
esac

case $distro in
    arch|debian|ubuntu)
        pi bash-completion
        ;;
    # others unknown
esac


case $distro in
    arch) pi ttf-dejavu;;
    debian|ubuntu) pi fonts-dejavu ;;
    # others unknown
esac

case $distro in
    arch|debian|ubuntu) pi ntp;;
    # others unknown
esac

case $distro in
    arch) pi xorg-xev;;
    debian|ubuntu) pi x11-utils ;;
    # others unknown
esac

case $distro in
    arch) pi virt-install;;
    debian|ubuntu) pi virtinst ;;
    # others unknown
esac

case $distro in
    arch) pi cdrkit;;
    debian|ubuntu) pi genisoimage;;
    # others unknown
esac

case $distro in
    arch) pi spice-gtk3 ;;
    debian|ubuntu) pi spice-client-gtk;;
    # others unknown
esac

# general known for debian/ubuntu, not for fedora
case $distro in
    arch)
        # cdrkit for cloud-init isos
        # dnsmasq for nat networking in libvirt
        # qemu for qemu-img, bind-tools for dig
        pi unzip wget xorg-xmodmap \
           bridge-utils dnsmasq qemu bind-tools
        sgo ntpd
        # otherwise we get error about accessing kvm module.
        # seems like there might be a better way, but google was a bit vague.
        s sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
        echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
        # https://bbs.archlinux.org/viewtopic.php?id=206206
        # # this should prolly go in the wiki
        sgo virtlogd.socket
        sgo virtlogd.service
        ;;
esac

case $distro in
    *) pi at ;;&
    arch) sgo atd ;;
esac

case $distro in
    arch) pi virtviewer ;;
    *) : ;; # other distros have it as a dependency afaik.
esac



case $distro in
    arch)
        # ubuntu 14.04 uses b-cron,
        # but it's not maintained in arch.
        # of the ones in the main repos, cronie is only one maintained.
        # fcron appears abandoned software.
        pi cronie
        sgo cronie
        ;;
    *) : ;; # other distros come with cron.
esac


case $distro in
    fedora) cabal install shellcheck ;;
    *) pi shellcheck ;;
    # unknown for older ubuntu
esac


case $distro in
    arch|debian|ubuntu) pi pumpa ;;
    # others unknown. do have a buildscript:
    # /a/bin/buildscripts/pumpa ;;
esac


case $distro in
    debian|ubuntu) pi android-tools-adb ;;
    arch) pi android-tools ;;
    # other distros unknown
esac


case $distro in
    fedora) pi unrar ;;
    *) pi unrar-free ;;
esac


# proprietary flash. going without for now
# case $distro in
#     debian)
#         pi flashplugin-nonfree
# esac

case $distro in
    debian) pi curl ;;
    arch) : ;;
    # fedora: unknown
esac


case $distro in
    fedora)
        cd $(mktemp -d)
        wget http://tamacom.com/global/global-6.3.2.tar.gz
        ex global*
        cd global-6.3.2
        # based on https://github.com/leoliu/ggtags
        ./configure --with-exuberant-ctags=/usr/bin/ctags
        make
        s make install
        s pip install pygments
        ;;
    *)
        pi global
        ;;&
    arch)
        pi  python2-pygments
        ;;
    debian|ubuntu)
        pi python-pygments
        ;;
esac


# leave this for last so it doesn't do a bunch of other apps
# which I want explicitly installed in case I switch DE's
case $distro in
    debian)
        pi task-cinnamon-desktop
        # in settings, change scrolling to two-finger,
        # because the default edge scroll doesn\'t work.
        ;;
    # others unknown
esac

######### end misc packages #########


# packages I once used before and liked, but don't want installed now for
# various reasons:
# python-sqlite is used for offlineimap
# lxappearance python-sqlite dolphin paman dconf-editor



######## unfinished

# todo, finish configuring smart.
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# turn on smart. background on options:
# first line, -a = test everyting on all devices.
# -S on, turn on disk internal saving of vendor specific info,
# from google, seems like this is usually already on and fairly standard.
# -o on, turn on 4 hour period non-performance degrading testing.
# short test daily 2-3am, extended tests Saturdays between 3-4am:
sched="-s (S/../.././02|L/../../6/03)"
s sed -i "s#^[[:space:]]*DEVICESCAN.*#\
DEVICESCAN -a -o on -S on -n standby,q $sched\
-m ian@iankelling.org -M exec /usr/local/bin/smart-notify#" /etc/smartd.conf

# in the default configuration of at least ubuntu 14.04, resolvconf is
# configured to order any nameservers associated with tun* or tap*
# before the normal internet interfaces, which means they are always
# consulted first. This is often slower and undesirable, ie. local dns
# queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
# can do:
#sudo sed -i '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
# however, this breaks dns lookup for hosts on the openvpn lan.
# I can\'t figure out why hosts on the normal lan would not be
# broken under the default ordering, except the host I was
# testing with previously had an entry in /etc/hosts.

############# end unfinished

case $distro in
    arch)
        # default is alsa, doesn\'t work with with pianobar
        s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
        ;;
esac


case $distro in
    arch|debian|ubuntu) pi btrbk ;;
    # others unknown
esac

if [[ $HOSTNAME == treetowl ]]; then
    pi fail2ban
    sgo fail2ban
fi



# disable motd junk.
case $(distro-name) in
    debian)
        # allows me to pipe with ssh -t, and gets rid of spam
        # http://forums.debian.net/viewtopic.php?f=5&t=85822
        # i'd rather disable the service than comment the init file
        # this says disabling the service, it will still get restarted
        # but this script doesn't do anything on restart, so it should be fine
        s dd of=/var/run/motd.dynamic if=/dev/null
        s update-rc.d motd disable
        ;;
    ubuntu)
        # this isn't a complete solution. It still shows me when updates are available,
        # but it's no big deal.
        s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
        ;;
esac

# automatic updates
# reference:
# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
# /etc/cron.daily/apt calls unattended-upgrades
# /usr/share/doc/unattended-upgrades# cat README.md
# /etc/apt/apt.conf.d/50unattended-upgrades
if isdebian; then
    pi unattended-upgrades
    s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
# this file was mostly just comments.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
    { cat  <<'EOF'
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Origins-Pattern {
# default is just upgrade main and security, not updates.
EOF
      if isdebian-testing; then
          cat <<'EOF'
# for stable, only do security updates.
       "origin=Debian,codename=${distro_codename},label=Debian-Security";
EOF
          cat <<'EOF'
# These are stable packages only getting bugfixes anyways.
       "origin=*";
EOF
          cat <<'EOF'
};
EOF
      fi
    } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades
    echo $- > /tmp/x
fi



######### begin  postfix ########
# based on,http://www.postfix.org/qmgr.8.html and my notes in gnus
# originally tried moving specific directories under /var/spool/postfix,
# but postfix didn't like that
if [[ ! -L /var/spool/postfix ]]; then
    ser stop postfix
    if [[ -e /q/postfix ]]; then
        echo "$0: error: /q/postfix exists but not the link to it"
    fi
    s mv /var/spool/postfix /q
    s lnf /q/postfix /var/spool
    ser start postfix
    journalctl -n 20
fi


# This also works instead of ~/.forward
# s sed -i '/^root/d' /etc/aliases ||:
#echo "root: $HOSTNAME@bog.mm.st" | s tee -a /etc/aliases
# this can't be a symlink and has permission restrictions
# it might work in /etc/aliases, but this seems more proper.

if s grep amazonaws /etc/postfix/sasl_passwd &>/dev/null; then
    forward=x@sallymae.club
else
    forward=$HOSTNAME@bog.mm.st
fi
e $forward > ~/.forward
e $forward | s tee /root/.forward
s newaliases

# if I wanted the from address to be renamed and sent to a different address,
# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
# sudo postmap hash:/etc/postfix/recipient_canonical
# sudo service postfix reload


# i'm assuming mail just won't work on systems without the sasl_passwd.
postconfin <<'EOF'
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
message_size_limit =  20480000
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
# ^ I ran into a log file not sending cuz of size. double from 10 to 20 meg limit

s postmap hash:/etc/postfix/sasl_passwd
# offlineimap uses this too, it is much easier to use one location than to
# condition it's config and postfix's config
case $distro in
    fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;;
    *) :
esac

s service postfix reload
sgo postfix

############ end postfix #######


case $distro in
    debian|ubuntu) s gpasswd -a ian adm ;; #needed for reading logs
esac

# tor
case $distro in
    # based on
    # https://www.torproject.org/docs/rpms.html.en
    # https://www.torproject.org/docs/debian.html.en
    # todo: figure out if the running service needs to be restarted upon updates


    # todo on fedora: setup non-dev packages
    fedora)
        s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

        # to be secure, take a look at the fingerprint reported from the following install, and see if it matches from the link above:
        # 3B9E EEB9 7B1E 827B CF0A  0D96 8AF5 653C 5AC0 01F1
        sgo tor
        /a/bin/buildscripts/tor-browser
        ;;
    ubuntu)
        tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
        gpg --keyserver keys.gnupg.net --recv 886DDD89
        gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
        p update
        pi deb.torproject.org-keyring
        pi tor
        /a/bin/buildscripts/tor-browser
        ;;
    debian)
        pi tor
        /a/bin/buildscripts/tor-browser
        ;;
    arch)
        pi tor tor-browser-en
        sgo tor
        ;;
    # ubuntu unknown
esac

# nfs server
case $distro in
    fedora)
        end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration


EOF
        pi nfs-utils
        sgo nfs-server
        ;;
    debian|ubuntu)
        pi nfs-server
        ;;
    arch)
        pi nfs-utils
        sgo rpcbind
        sgo nfs-server
        ;;
esac

if [[ -e /i/video ]]; then
    # nohide = export filesystems mounted deeper than the export point
    # fsid=0 makes this export the "root" export
    # not documented in the man page, but this means
    # 1. it can be mounted with a shorthand of server:/
    # 2. exports that are subdirectories of this one will automatically be mounted
    tu /etc/exports '/i/video 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)'
    s exportfs -rav
    showmount -e localhost
fi


# cron
f=/a/bin/$HOSTNAME-crontab
if [[ -e $f ]]; then
    $f
fi

e "$end_msg_var"