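#!/bin/bash -l
# Copyright (C) 2016 Ian Kelling
# This program is under GPL v. 3 or later, see <http://www.gnu.org/licenses/>
#
# Post-install provisioning: installs the author's package set and writes
# system configuration (printing, libvirt, smartd, motd, unattended upgrades,
# postfix relay, tor, nfs export, cron), branching on the detected distro.
#
# Helpers called but not defined in this file (presumably supplied by the
# login profile, hence `-l` -- confirm): distro-name, debian-codename,
# isdebian, isdebian-testing, pup, pi, p, s, sgo, ser, lnf, tu, t, e, ex,
# postconfin. Their exact semantics are not visible here.

set -eE -o pipefail
# Report the failing command and its status; diagnostics go to stderr.
trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR

set -x

# Append all of stdin to end_msg_var, which is printed at the very end.
# read returns non-zero at EOF when no NUL delimiter is found, hence `||:`.
end_msg() {
  local y
  IFS= read -r -d '' y ||:
  end_msg_var+="$y"
}

distro=$(distro-name)

# template
case $distro in
esac

pup

# universal packages
x=(
  bwm-ng
  chromium
  duplicity
  fail2ban
  fdupes
  filelight
  gdb
  gnome-screenshot
  mailutils
  meld
  mpv
  offlineimap
  openvpn
  p7zip
  paprefs
  pavucontrol
  pianobar
  pidgin
  rdiff-backup
  slock
  smartmontools
  squashfs-tools
  tree
  virt-manager
)
pi "${x[@]}"

# things with no equivalent in other distros:
case $distro in
  debian|ubuntu)
    # for gui bug reporting
    pi python-vte
    pi apt-file aptitude
    s apt-file update
    # for debconf-get-selections
    pi debconf-utils
    ;;
esac

####### misc packages ###########

case $distro in
  # tk for gitk
  arch) pi git tk ;;
  *) pi git ;;
esac

case $distro in
  arch) pi the_silver_searcher ;;
  debian|ubuntu) pi silversearcher-ag ;;
  # fedora unknown
esac

# printer
case $distro in
  arch)
    pi cups ghostscript gsfonts # from arch wiki cups page
    pi hplip # from google
    s gpasswd -a "$USER" sys # from arch wiki
    sgo org.cups.cupsd.service
    # goto http://127.0.0.1:631
    # administration tab, add new printer button.
    # In debian, I could use the recommended driver,
    # in arch, I had to pick out the 6L driver.
    ;;
  debian|ubuntu)
    pi hplip
    ;;
  # other distros unknown
esac

case $distro in
  ubuntu|debian) pi ack-grep ;;
  arch|fedora) pi ack ;;
  # fedora unknown
esac

case $distro in
  ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
  fedora|arch) pi mairix notmuch ;;
esac

case $distro in
  arch) pi nfs-utils ;;
  ubuntu|debian) pi nfs-client ;;
esac

case $distro in
  ubuntu|debian) pi par2 ;;
  arch|fedora) pi par2cmdline ;;
esac

# needed for my tex resume
case $distro in
  ubuntu|debian) pi texlive-full ;;
  arch) pi texlive-most ;;
  # fedora unknown
esac

case $distro in
  ubuntu)
    # flash, unrar, codecs, ms fonts.
    # This has a manual prompt.
    pi ubuntu-restricted-extras
    ;;
  fedora)
    pi yum-utils
    # rpm fusion recommended codecs
    # NOTE(review): --nogpgcheck combined with plain http:// means the
    # release RPMs are installed with no authenticity check at all, and they
    # are what installs the repo definitions and signing keys trusted for
    # every later package from these repos. Fetching them over TLS and
    # checking the signing key fingerprint against the one RPM Fusion
    # publishes before installing would close that gap.
    s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
    pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg \
      xine-lib-extras-freeworld
    ;;
esac

case $distro in
  # optional dep for firefox for h.264 video
  arch) pi gst-libav ;;
  # other distros, probably come by default
esac

case $distro in
  fedora|ubuntu|debian) pi gnupg-agent ;;
  arch) : ;;
esac

case $distro in
  fedora|ubuntu|debian) pi transmission ;;
  arch) pi transmission-gtk ;;
esac

case $distro in
  fedora) pi pinentry-gtk ;;
  *) : ;; # comes default or with other packages
esac

case $distro in
  arch) pi firefox pulseaudio ;;
  *) : ;; # comes default or with other packages
esac

case $distro in
  arch|debian|ubuntu) pi bash-completion ;;
  # others unknown
esac

case $distro in
  arch) pi ttf-dejavu ;;
  debian|ubuntu) pi fonts-dejavu ;;
  # others unknown
esac

case $distro in
  arch|debian|ubuntu) pi ntp ;;
  # others unknown
esac

case $distro in
  arch) pi xorg-xev ;;
  debian|ubuntu) pi x11-utils ;;
  # others unknown
esac

case $distro in
  arch) pi virt-install ;;
  debian|ubuntu) pi virtinst ;;
  # others unknown
esac

case $distro in
  arch) pi cdrkit ;;
  debian|ubuntu) pi genisoimage ;;
  # others unknown
esac

case $distro in
  arch) pi spice-gtk3 ;;
  debian|ubuntu) pi spice-client-gtk ;;
  # others unknown
esac

# general known for debian/ubuntu, not for fedora

case $distro in
  arch)
    # cdrkit for cloud-init isos
    # dnsmasq for nat networking in libvirt
    # qemu for qemu-img, bind-tools for dig
    pi unzip wget xorg-xmodmap \
      bridge-utils dnsmasq qemu bind-tools
    sgo ntpd
    # otherwise we get error about accessing kvm module.
    # seems like there might be a better way, but google was a bit vague.
    # NOTE(review): this makes libvirt run every qemu guest process as root,
    # so a guest-to-host escape lands with root privileges. Granting an
    # unprivileged qemu user access to /dev/kvm (kvm group membership) is the
    # usual alternative -- confirm whether that is enough on this setup.
    s sed -ri '/^ *user *=/d' /etc/libvirt/qemu.conf
    echo 'user = "root"' | s tee -a /etc/libvirt/qemu.conf
    # https://bbs.archlinux.org/viewtopic.php?id=206206
    # # this should prolly go in the wiki
    sgo virtlogd.socket
    sgo virtlogd.service
    ;;
esac

case $distro in
  *) pi at ;;&
  arch) sgo atd ;;
esac

case $distro in
  arch) pi virtviewer ;;
  *) : ;; # other distros have it as a dependency afaik.
esac

case $distro in
  arch)
    # ubuntu 14.04 uses b-cron,
    # but it's not maintained in arch.
    # of the ones in the main repos, cronie is only one maintained.
    # fcron appears abandoned software.
    pi cronie
    sgo cronie
    ;;
  *) : ;; # other distros come with cron.
esac

case $distro in
  fedora) cabal install shellcheck ;;
  *) pi shellcheck ;;
  # unknown for older ubuntu
esac

case $distro in
  arch|debian|ubuntu) pi pumpa ;;
  # others unknown. do have a buildscript:
  # /a/bin/buildscripts/pumpa ;;
esac

case $distro in
  debian|ubuntu) pi android-tools-adb ;;
  arch) pi android-tools ;;
  # other distros unknown
esac

case $distro in
  fedora) pi unrar ;;
  *) pi unrar-free ;;
esac

# proprietary flash. going without for now
# case $distro in
#   debian)
#     pi flashplugin-nonfree
# esac

case $distro in
  debian) pi curl ;;
  arch) : ;;
  # fedora: unknown
esac

case $distro in
  fedora)
    cd "$(mktemp -d)"
    # NOTE(review): the tarball arrives over plain http with no checksum or
    # signature verification, and is then built and installed as root
    # (`s make install`). Pin a known-good digest for this release and check
    # it before unpacking.
    wget http://tamacom.com/global/global-6.3.2.tar.gz
    ex global*
    cd global-6.3.2
    # based on https://github.com/leoliu/ggtags
    ./configure --with-exuberant-ctags=/usr/bin/ctags
    make
    s make install
    s pip install pygments
    ;;
  *)
    pi global
    ;;&
  arch)
    pi python2-pygments
    ;;
  debian|ubuntu)
    pi python-pygments
    ;;
esac

# leave this for last so it doesn't do a bunch of other apps
# which I want explicitly installed in case I switch DE's
case $distro in
  debian)
    pi task-cinnamon-desktop
    # in settings, change scrolling to two-finger,
    # because the default edge scroll does not work.
    ;;
  # others unknown
esac

######### end misc packages #########

# packages I once used before and liked, but don't want installed now for
# various reasons:
# python-sqlite is used for offlineimap
# lxappearance python-sqlite dolphin paman dconf-editor

######## unfinished

# todo, finish configuring smart.
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# turn on smart. background on options:
# first line, -a = test everything on all devices.
# -S on, turn on disk internal saving of vendor specific info,
# from google, seems like this is usually already on and fairly standard.
# -o on, turn on 4 hour period non-performance degrading testing.
# short test daily 2-3am, extended tests Saturdays between 3-4am:
sched="-s (S/../.././02|L/../../6/03)"
# Replacement text is assembled first so the sed expression stays on one line;
# it contains no '#', '&' or backslash, so it is safe as a sed replacement.
smartd_line="DEVICESCAN -a -o on -S on -n standby,q $sched -m ian@iankelling.org -M exec /usr/local/bin/smart-notify"
s sed -i "s#^[[:space:]]*DEVICESCAN.*#${smartd_line}#" /etc/smartd.conf

# in the default configuration of at least ubuntu 14.04, resolvconf is
# configured to order any nameservers associated with tun* or tap*
# before the normal internet interfaces, which means they are always
# consulted first. This is often slower and undesirable, ie. local dns
# queries go from 0ms to 10+ or 100+ ms. To reverse the ordering, you
# can do:
#sudo sed -i '/tun\*\|tap\*/d' /etc/resolvconf/interface-order
# however, this breaks dns lookup for hosts on the openvpn lan.
# I can not figure out why hosts on the normal lan would not be
# broken under the default ordering, except the host I was
# testing with previously had an entry in /etc/hosts.

############# end unfinished

case $distro in
  arch)
    # default is alsa, does not work with pianobar
    s dd of=/etc/libao.conf <<'EOF'
default_driver=pulse
EOF
    ;;
esac

case $distro in
  arch|debian|ubuntu) pi btrbk ;;
  # others unknown
esac

if [[ $HOSTNAME == treetowl ]]; then
  pi fail2ban
  sgo fail2ban
fi

# disable motd junk.
case $distro in
  debian)
    # allows me to pipe with ssh -t, and gets rid of spam
    # http://forums.debian.net/viewtopic.php?f=5&t=85822
    # i'd rather disable the service than comment the init file
    # this says disabling the service, it will still get restarted
    # but this script doesn't do anything on restart, so it should be fine
    s dd of=/var/run/motd.dynamic if=/dev/null
    s update-rc.d motd disable
    ;;
  ubuntu)
    # this isn't a complete solution. It still shows me when updates are available,
    # but it's no big deal.
    s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
    ;;
esac

# automatic updates
# reference:
# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
# /etc/cron.daily/apt calls unattended-upgrades
# /usr/share/doc/unattended-upgrades# cat README.md
# /etc/apt/apt.conf.d/50unattended-upgrades
if isdebian; then
  pi unattended-upgrades
  s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
# this file was mostly just comments.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # The Origins-Pattern block is opened unconditionally, so it must also be
  # closed unconditionally. Previously the closing "};" (and every origin
  # line) was written only when isdebian-testing succeeded, which left an
  # unterminated apt.conf.d file on every other Debian release, and with it
  # no working automatic security updates.
  # NOTE(review): output on testing is unchanged. On non-testing the
  # security-only origin is now written, following the "for stable" comment
  # below -- confirm this is the intended split.
  {
    cat <<'EOF'
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Origins-Pattern {
# default is just upgrade main and security, not updates.
EOF
    cat <<'EOF'
# for stable, only do security updates.
"origin=Debian,codename=${distro_codename},label=Debian-Security";
EOF
    if isdebian-testing; then
      cat <<'EOF'
# These are stable packages only getting bugfixes anyways.
"origin=*";
EOF
    fi
    cat <<'EOF'
};
EOF
  } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades
  # A leftover debug dump of the shell flags to the fixed path /tmp/x was
  # dropped here: a predictable name in a world-writable directory can be
  # pre-created as a symlink by another local user.
fi

######### begin postfix ########
# based on,http://www.postfix.org/qmgr.8.html and my notes in gnus

# originally tried moving specific directories under /var/spool/postfix,
# but postfix didn't like that
if [[ ! -L /var/spool/postfix ]]; then
  ser stop postfix
  if [[ -e /q/postfix ]]; then
    # NOTE(review): this only reports the conflict; the mv below still runs
    # and would place the spool inside the existing /q/postfix. Confirm
    # whether this should abort instead.
    echo "$0: error: /q/postfix exists but not the link to it" >&2
  fi
  s mv /var/spool/postfix /q
  s lnf /q/postfix /var/spool
  ser start postfix
  journalctl -n 20
fi

# This also works instead of ~/.forward
# s sed -i '/^root/d' /etc/aliases ||:
#echo "root: $HOSTNAME@bog.mm.st" | s tee -a /etc/aliases

# this can't be a symlink and has permission restrictions
# it might work in /etc/aliases, but this seems more proper.
if s grep amazonaws /etc/postfix/sasl_passwd &>/dev/null; then
  forward=x@sallymae.club
else
  forward=$HOSTNAME@bog.mm.st
fi
e "$forward" > ~/.forward
e "$forward" | s tee /root/.forward

s newaliases

# if I wanted the from address to be renamed and sent to a different address,
# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
# sudo postmap hash:/etc/postfix/recipient_canonical
# sudo service postfix reload

# i'm assuming mail just won't work on systems without the sasl_passwd.
postconfin <<'EOF'
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
message_size_limit = 20480000
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
EOF
# ^ I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
s postmap hash:/etc/postfix/sasl_passwd
# offlineimap uses this too, it is much easier to use one location than to
# condition its config and postfix's config
case $distro in
  fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;;
  *) : ;;
esac

s service postfix reload
sgo postfix

############ end postfix #######

case $distro in
  debian|ubuntu) s gpasswd -a ian adm ;; # needed for reading logs
esac

# tor
case $distro in
  # based on
  # https://www.torproject.org/docs/rpms.html.en
  # https://www.torproject.org/docs/debian.html.en
  # todo: figure out if the running service needs to be restarted upon updates
  # todo on fedora: setup non-dev packages
  fedora)
    # NOTE(review): gpgcheck=1 is on, but both baseurl and gpgkey are plain
    # http, so the key itself can be swapped in transit. The manual
    # fingerprint comparison noted below is the only trust anchor.
    s dd of=/etc/yum.repos.d/torproject.repo <<'EOF'
[tor]
name=Tor experimental repo
enabled=1
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/$basearch/
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc

[tor-source]
name=Tor experimental source repo
enabled=1
autorefresh=0
baseurl=http://deb.torproject.org/torproject.org/rpm/tor-testing/fc/20/SRPMS
gpgcheck=1
gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
EOF

    # to be secure, take a look at the fingerprint reported from the following
    # install, and see if it matches from the link above:
    # 3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1
    sgo tor
    /a/bin/buildscripts/tor-browser
    ;;
  ubuntu)
    tu /etc/apt/sources.list "deb http://deb.torproject.org/torproject.org $(debian-codename) main"
    # Request the key by full fingerprint. The 8-hex-digit short id used
    # before can be matched by unrelated keys, which would then sit in the
    # keyring next to the real one. The export below was already pinned to
    # this fingerprint.
    tor_key_fpr=A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
    gpg --keyserver keys.gnupg.net --recv-keys "$tor_key_fpr"
    gpg --export "$tor_key_fpr" | sudo apt-key add -
    p update
    pi deb.torproject.org-keyring
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  debian)
    pi tor
    /a/bin/buildscripts/tor-browser
    ;;
  arch)
    pi tor tor-browser-en
    sgo tor
    ;;
  # ubuntu unknown
esac

# nfs server
case $distro in
  fedora)
    end_msg <<'EOF'
fedora todo: disable the firewall or find a way to automate it.
there's an unused section in t.org for tramikssion firewall setup

fedora manual config for nfs:
s firewall-config
change to permanent configuration
check the box for nfs
was hard to figure this out, not sure if this is all needed, but
unblock these too
mountd: udp/tcp 20048
portmapper, in firewall-config its called rpc-bind: udp/tcp 111
troubleshooting, unblock things in rpcinfo -p
make sure to reload the firewall to load the persistent configuration
EOF
    pi nfs-utils
    sgo nfs-server
    ;;
  debian|ubuntu)
    pi nfs-server
    ;;
  arch)
    pi nfs-utils
    sgo rpcbind
    sgo nfs-server
    ;;
esac

if [[ -e /i/video ]]; then
  # nohide = export filesystems mounted deeper than the export point
  # fsid=0 makes this export the "root" export
  # not documented in the man page, but this means
  # 1. it can be mounted with a shorthand of server:/
  # 2. exports that are subdirectories of this one will automatically be mounted
  # NOTE(review): no_root_squash lets root on any client in 192.168.1.0/24
  # act as root on the exported tree, and `insecure` accepts requests from
  # unprivileged client ports, so any local user on a client can speak NFS
  # to this server. Acceptable only if every host on that subnet is trusted;
  # root_squash and dropping `insecure` are the tighter defaults.
  tu /etc/exports '/i/video 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)'
  s exportfs -rav
  showmount -e localhost
fi

# cron
f=/a/bin/$HOSTNAME-crontab
if [[ -e $f ]]; then
  "$f"
fi

e "$end_msg_var"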