;;
esac
-
# disable motd junk.
case $distro in
debian)
$(debian-codename-compat) \
stable"
p update
- pi docker-ce
- sgo docker
+ # docker eats up a fair amount of cpu when doing nothing, so don't enable it unless
+ # we really need it.
+ pi-nostart docker-ce
+ # and docker is even more crap, it ignores that it shouldnt start
+ ser stop docker
+ ser disable docker
+ case $HOSTNAME in
+ li|lj) sgo docker ;;
+ esac
# other distros unknown
fi
### end docker install ####
;;
esac
+pi ${p1[@]}
+
# website setup
case $HOSTNAME in
lj|li)
git clone https://github.com/pump-io/pump.io.git
cd pump.io
fi
+ # note: these 2 commands seem
# note: doing this or the npm install pump.io as root had problems.
npm install
npm run build
# https://github.com/pump-io/pump.io/issues/1287
s npm install -g databank-mongodb@0.19.2
if ! getent passwd pumpio &>/dev/null; then
- s useradd -m -s /bin/false pumpio
+ s useradd -Um -s /bin/false pumpio
fi
sudo -u pumpio mkdir -p /home/pumpio/pumpdata
# for testing browser when only listening to localhost,
############### !!!!!!!!!!!!!!!!!
############### manual steps:
- # only following 2 people atm, so not bothering to figure out backups
+ # only following a few people atm, so not bothering to figure out backups
# when mastodon has not documented it at all.
#
# fsf@status.fsf.org
# to exit and save config:
# /msg *status shutdown
# configed auth on freenode by following
- # https://wiki.znc.in/Sasl
+ # https://wiki.znc.in/Sasl:
+ # /msg *sasl RequireAuth yes
+ # /msg *sasl Mechanism PLAIN
+ # /msg *sasl Set ident_name password
# created the system service after, and had to do
# mv /home/iank/.znc/* /var/lib/znc
# sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
# and made a copy of the config files into /p/c
- # added LoadModule = log -sanitize to the top level
+ # /msg *status LoadMod --type=global log -sanitize
# to get into the web interface,
# cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
# then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
+ # https://iankelling.org:12533/
# i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
# todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
- # todo: figure out how to make playback in erc happe.n
+ # /msg *status LoadMod --type=network perform
+ # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
+ # /msg *perform add JOIN #fsf-office
+ #
+ # i set Buffer = 500
+ # also ran /znc LoadMod clearbufferonmsg
+ # it would be nice if erc supported erc query buffers by doing
+ # /msg *status clearbuffer <name of the query/receiver
+ # on killing the,
+ # an example seems to be here: https://github.com/zenspider/elisp/blob/master/rwd-irc.el
+ # if that was the case i could remove the module clearbufferonmsg
+ # alo would be nice if erc supported
+ # https://wiki.znc.in/self-message
+ # https://wiki.znc.in/Query_buffers \
+ #
s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
chmod 700 /var/lib/znc
- s chown -R znc:znc /var/lib/znc/config
+ s chown -R znc:znc /var/lib/znc
s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF'
[Unit]
Description=ZNC, an advanced IRC bouncer
########### end section including li/lj ###############
-pi ${p4[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
+# depends gcc is a way to install suggests. this is apparently the only
+# way to install suggests even if the main package is already
+# installed. reinstall doesn't work, uninstalling can cause removing
+# dependent packages.
+pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $(apt-cache depends gcc|grep -i suggests:| awk '{print $2}')
+sgo fsf-vpn-dns-cleanup
case $distro in
trisquel|ubuntu)
s add-apt-repository -y ppa:ansible/ansible
p update
fi
- pi ansible
+ s pip install --upgrade pip
+ # newer 2.7 versions have a bug that incorrectly detects trisquel version. fixed once 2.8 arrives
+ # in 2019
+ pip install --user ansible=2.7.4
+ #pi ansible
;;
esac
# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
# # kw = kgpe work machine.
-# for host in x2 kw; do
+# for host in x2 x3 kw; do
# vpn-mk-client-cert -b $host -n home b8.nz 1196
# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
# mkdir -p $dir
# key already exists, so this won't generate one, just the configs.
vpn-server-setup -rds
s tee -a /etc/openvpn/server/server.conf <<'EOF'
-push "dhcp-option DNS 192.168.1.1"
-push "route 192.168.1.0 255.255.255.0"
+push "dhcp-option DNS 10.0.0.1"
+push "route 10.0.0.0 255.255.0.0"
client-connect /a/bin/distro-setup/vpn-client-connect
EOF
s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
case $distro in
debian|trisquel|ubuntu)
- # suggests because we want the resolvconf package. however, i install it earlier
- # as well, so this is redundant.
+ # suggests resolvconf package. installing it here is redundant, but make sure anyways.
# todo: check other distros to make sure it\'s installed
- pi-nostart --install-suggests openvpn
+ pi-nostart openvpn resolvconf
# pi-nostart does not disable
ser disable openvpn
;;
####### begin misc packages ###########
+# sakura config is owned by ian
reset-sakura
-sudo -u traci -i reset-sakura
reset-konsole
sudo -u traci -i reset-konsole
+# traci xscreensaver we don't want to reset
reset-xscreensaver
-# this is packaged, but i see it's gotten a fair amount of development lately,
-# so install from cabal. the options are needed to get over incompatible xmonad library versions
-# but that stuff is in the global namespace, and it seems they don't conflict in practice.
-pi libxss-dev # dependency based on build failure
-cabal update
-cabal install --upgrade-dependencies --force-reinstalls arbtt
-lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
+
+
+# this would install from cabal for newer / consistent version across os, but it screws up xmonad, so disabled for now.
+# this is also in primary-setup
+# pi libxss-dev # dependency based on build failure
+# cabal update
+# cabal install --upgrade-dependencies --force-reinstalls arbtt
+# also, i assume syncing this between machines somehow messed thin
+#lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
primary-setup
# others unknown
esac
+case $(debian-codename) in
+ # needed for debootstrap scripts for fai since fai requires debian
+ flidas)
+ curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
+ s dd of=/etc/apt/preferences.d/flidas-xenial <<EOF
+Package: *
+Pin: release a=xenial
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=xenial-security
+Pin-Priority: -100
+EOF
+ s dd of=/etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ xenial main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
+EOF
+
+ s apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
+ s dd of=/etc/apt/preferences.d/flidas-bionic <<EOF
+Package: *
+Pin: release a=bionic
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-updates
+Pin-Priority: -100
+
+Package: *
+Pin: release a=bionic-security
+Pin-Priority: -100
+EOF
+
+ # better to run btrfs-progs which matches our kernel version
+ # (note, renamed from btrfs-tools)
+ s dd of=/etc/apt/preferences.d/btrfs-progs <<EOF
+Package: btrfs-progs libzstd1
+Pin: release a=bionic
+Pin-Priority: 1005
+
+Package: *
+Pin: release a=bionic-updates
+Pin-Priority: 1005
+
+Package: *
+Pin: release a=bionic-security
+Pin-Priority: 1005
+EOF
+
+
+ # this will be needed if we want to pin something, generally useful for investigating
+ s dd of=/etc/apt/sources.list.d/bionic.list 2>/dev/null <<EOF
+deb http://us.archive.ubuntu.com/ubuntu/ bionic main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
+deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
+EOF
+
+
+ p update
+
+ pi btrfs-progs
+
+ t=$(mktemp -d)
+ cd $t
+ aptitude download debootstrap/xenial
+ ex *
+ ex data.tar.gz
+ s cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+
+ ;;
+esac
+
# /run and /dev/shm are listed as required for pulseaudio. All 4 in the group
# listed in the default config as suggested.
# /run/usr/1000 i noticed was missing for pulseaudio
EOF
mkschroot() {
+ distro=$1
+ shift
+ case $distro in
+ ubuntu)
+ repo=http://archive.ubuntu.com/ubuntu/
+ ;;
+ debian)
+ repo=http://deb.debian.org/debian/
+ ;;
+ esac
n=$1
shift
apps=($@)
cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
else
s mkdir -p $d
- s debootstrap $n $d http://deb.debian.org/debian/
+
+ s debootstrap $n $d $repo
cd; s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
fi
s cp -P {,$d}/etc/localtime
# for my roommate
case $distro in
trisquel)
- mkschroot stretch firefox-esr pulseaudio chromium
+ mkschroot debian stretch firefox-esr pulseaudio chromium
;;
esac
s mkdir -p /nocow/user
s chown $USER:$USER /nocow/user
case $distro in
- debian)
- case $(debian-codename) in
- jessie)
- pi anki
- ;;
- *)
- mkschroot jessie anki pulsaudio mplayer
- ;;
- esac
- ;;
trisquel|ubuntu)
pi anki
;;
fi
+# We want group writable stuff from transmission.
+# However, after setting this, I learn that transmission sets it's
+# own umask based on it's settings file. Well, no harm leaving this
+# so it's set right from the beginning.
+s chfn debian-transmission -o umask=0002
+
# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
p = '/etc/transmission-daemon/settings.json'
s = JSON.parse(File.read(p))
s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
+# default is 0022 (18 in decimal)
+s["umask"] = 2
File.write p, JSON.pretty_generate(s)
EOF
sgo org.cups.cupsd.service
;;
debian|trisquel|ubuntu)
+ pi cups
s gpasswd -a $USER lpadmin # based on ubuntu wiki
spa hplip
;;
# in arch, I had to pick out the 6L driver.
-case $distro in
- trisquel|ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
- fedora|arch) spa mairix notmuch ;;
-esac
-
# allow user to run vms, from debian handbook
for x in iank traci; do s usermod -a -G libvirt,kvm $x; done
# bridge networking as user fails. google lead here, but it doesn\'t work:
# EOF
# s systemctl daemon-reload
# case $HOSTNAME in
-# x2|tp)
+# x2|x3|tp)
# ser enable synergyc@iank
# ser start synergyc@iank ||: # X might not be running yet
# ;;
########### misc stuff
+# make networkmanager use resolvconf instead of its own dnsmasq which
+# conflicts with the normal dnsmasq package.
+f=/etc/NetworkManager/NetworkManager.conf
+m=$(md5sum $f)
+s sed -ri '/ *\[main\]/,/^ *\[[^]]+\]/{/^\s*dns[[:space:]=]/d}' $f
+if [[ $m != $(md5sum $f) ]]; then
+ srestart NetworkManager
+fi
+
+# make my /etc/fonts/conf.d/ get used.
+# I have a new sans-serif font there because the default one
+# displays l and I as the same char, grrrrr.
+s fc-cache
/a/bin/distro-setup/mymimes
;;
esac
-
+# networkmanager has this nasty behavior on flidas: if the machine
+# crashes with dnsmasq running, on subsequent boot, it adds an entry to
+# resolvconf for 127.0.0.1 in some stupid attempt to restore
+# nameservers.
+# This can be manually fixed by stoping dnsmasq,
+# then based on whats in /run/dnsmasq/, i see we can run
+# s resolvconf -d NetworkManager
+# oh ya, and stoping NetworkManager leaves this crap behind without cleaning it up.
+ser stop NetworkManager
+ser disable NetworkManager
if [[ $HOSTNAME == frodo ]]; then
# 1. it can be mounted with a shorthand of server:/
# 2. exports that are subdirectories of this one will automatically be mounted
tu /etc/exports <<'EOF'
-/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
+/k 10.0.0.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
s exportfs -rav
fi
iankelling.org / git / distro-setup / blobdiff