}
pre="${0##*/}:"
sudo() {
- printf "$pre %s\n" "$*"
+ printf "$pre sudo %s\n" "$*"
SUDOD="$PWD" command sudo "$@";
}
m() { printf "$pre %s\n" "$*"; "$@"; }
########### begin section including vps ################
pi ${p2[@]}
-
conflink
sudo rm -fv
# fi
+
+
pi debootstrap
######### begin universal pinned packages ######
case $(debian-codename) in
- nabia|etiona|flidas)
+ etiona|flidas|nabia|aramo)
sudo rm -fv /etc/apt/preferences.d/etiona-buster
sd /etc/apt/preferences.d/trisquel-debian <<EOF
Explanation: Debian* includes Debian + Debian Backports
;;&
- nabia|etiona)
+ aramo|nabia|etiona)
# for ziva
#p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
doupdate=false
- for n in buster bullseye; do
+ # shellcheck disable=SC2043 # in case we want more than 1 in the loop later.
+ for n in bullseye; do
f=/etc/apt/sources.list.d/$n.list
t=$(mktemp)
case $n in
- buster)
- cat >$t <<'EOF'
-deb http://http.us.debian.org/debian buster main
-deb-src http://http.us.debian.org/debian buster main
-
-deb http://security.debian.org/ buster/updates main
-deb-src http://security.debian.org/ buster/updates main
-
-deb http://http.us.debian.org/debian buster-updates main
-deb-src http://http.us.debian.org/debian buster-updates main
-
-deb http://http.debian.net/debian buster-backports main
-deb-src http://http.debian.net/debian buster-backports main
-EOF
- ;;
bullseye)
cat >$t <<'EOF'
EOF
deb http://us.archive.ubuntu.com/ubuntu/ focal-security main universe
EOF
if ! diff -q $t $f; then
- sudo dd if=$t of=$f 2>/dev/null
+ sudo dd if=$t of=$f status=none
p update
fi
deb-src http://mirror.fsf.org/trisquel/ nabia-backports main
EOF
if ! diff -q $t $f; then
- sudo dd if=$t of=$f 2>/dev/null
+ sudo dd if=$t of=$f status=none
p update
fi
Pin-Priority: -100
EOF
+ ;;&
+ nabia)
+ sd /etc/apt/preferences.d/aramo-nabia <<'EOF'
+Package: *
+Pin: release n=aramo*,o=Trisquel
+Pin-Priority: -100
+EOF
+ f=/etc/apt/sources.list.d/aramo.list
+ t=$(mktemp)
+ cat >$t <<'EOF'
+deb http://mirror.fsf.org/trisquel/ aramo main
+deb-src http://mirror.fsf.org/trisquel/ aramo main
+
+deb http://mirror.fsf.org/trisquel/ aramo-updates main
+deb-src http://mirror.fsf.org/trisquel/ aramo-updates main
+
+deb http://archive.trisquel.info/trisquel/ aramo-security main
+deb-src http://archive.trisquel.info/trisquel/ aramo-security main
+
+# Uncomment this lines to enable the backports optional repository
+deb http://mirror.fsf.org/trisquel/ aramo-backports main
+deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
+EOF
+ if ! diff -q $t $f; then
+ sudo dd if=$t of=$f status=none
+ p update
+ fi
+
;;&
*)
if isdeb; then
;;
esac
-
+case $codename_compat in
+ jammy)
+ s systemctl enable --now ssh-agent-iank
+ ;;
+esac
case $codename_compat in
focal)
Pin: release n=bionic
Pin-Priority: 500
EOF
-
+ ;;
+ nabia)
+ # note, to get the latest, it would be n=bullseye*
+ # but that has conflicting package versions, so this does the old one.
+ # I only use it for special rare purposes. Just keep in mind it is an
+ # outdated insecure version.
+ sd /etc/apt/preferences.d/chromium-bullseye <<EOF
+Package: chromium chromium-* libicu67 libjpeg62-turbo libjsoncpp24 libre2-9 libwebpmux3
+Pin: release o=Debian*,n=bullseye
+Pin-Priority: 500
+EOF
+ ;;
+ aramo)
+ # obs dependency not in trisquel
+ sd /etc/apt/preferences.d/obs <<EOF
+Package: libfdk-aac2
+Pin: release n=jammy,o=Ubuntu
+Pin-Priority: 500
+EOF
;;
esac
# Pin-Priority: 500
# EOF
-if [[ -e /etc/wireguard/wghole.conf ]]; then
- sgo wg-quick@wghole
-fi
###### begin website setup
case $HOSTNAME in
if [[ ! -e $f ]]; then
dnsb8
fi
+
+ s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
+ # ex for exporter
+ web-conf -p 9101 -f 9100 - apache2 ${HOSTNAME}ex.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-export-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-export-htpasswd"
+Require valid-user
+</Location>
+EOF
;;&
+
bk)
sgo wg-quick@wgmail
client-to-client
EOF
- # sullivan d8
- sd /etc/openvpn/client-config-hole/sd8 <<'EOF'
-ifconfig-push 10.5.5.41 255.255.255.0
-EOF
- # hsieh d8
- sd /etc/openvpn/client-config-hole/hd8 <<'EOF'
-ifconfig-push 10.5.5.42 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/onep9 <<'EOF'
-ifconfig-push 10.5.5.14 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/bo <<'EOF'
-ifconfig-push 10.5.5.13 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/sy <<'EOF'
-ifconfig-push 10.5.5.12 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/kw <<'EOF'
-ifconfig-push 10.5.5.9 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/x3 <<'EOF'
-ifconfig-push 10.5.5.8 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/x2 <<'EOF'
-ifconfig-push 10.5.5.7 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/wclient <<'EOF'
-ifconfig-push 10.5.5.6 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/frodo <<'EOF'
-ifconfig-push 10.5.5.5 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/amy <<'EOF'
-ifconfig-push 10.5.5.3 255.255.255.0
-EOF
- sd /etc/openvpn/client-config-hole/kd <<'EOF'
-ifconfig-push 10.5.5.2 255.255.255.0
+ ngset
+ files=(/etc/openvpn/client-config-hole/*)
+ if (( ${#files[@]} >= 1 )); then
+ rm -f ${files[@]}
+ fi
+ ngreset
+ for host in ${!vpn_ips[@]}; do
+ sd /etc/openvpn/client-config-hole/$host <<EOF
+ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
EOF
+ done
+
- # for adding to current system:
- #vpn-mk-client-cert -s "" -n hole 72.14.176.105
- # adding to remove system 107,
- #vpn-mk-client-cert -s "" -n hole -c 10.2.0.107 -b hd8 iankelling.org
+ # for adding cert to system with /p
+ #
+ # host=frodo
+ #mkc /p/c/machine_specific/$host/filesystem/etc/openvpn/client
+ #vpn-mk-client-cert -b $host -n hole -r iankelling.org
+ #s chown -R iank:iank .
#
- # for wireguard hole vpn
+ # example of adding to remote system 107,
+ # vpn-mk-client-cert -n hole -c 10.2.0.107 -b hd8 iankelling.org
+ #
+ # for wireguard hole vpn, use function:
# wghole
+ # eg:
+ # wghole bo 28
+ # if it is going to want to connect to transmission-daemon on ok
+ # wghole bo 28 10.174.2.2/32
# requested from linode via a support ticket.
# https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
# https://radicale.org/2.1.html
#https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
# https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-<Location /radicale/>
- Options +FollowSymLinks +Multiviews +Indexes
+
+# this doesn't exactly fit with the documentation.
+# We need location / to do an auth, it cant be done outside,
+# in order to pass on X-Remote-User. And we need
+# the other location in order to remove the /radicale/ for
+# requests which have it. This could be done with a rewrite,
+# but i just get something working and call it a day.
+
+<Location "/">
AllowOverride None
- AuthType basic
+ AuthType Basic
AuthName "Authentication Required"
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
+ RequestHeader set X-Remote-User expr=%{REMOTE_USER}
+</Location>
+<Location "/radicale/">
+ Options +FollowSymLinks +Multiviews -Indexes
RequestHeader set X-Script-Name /radicale/
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
ProxyPass "http://10.8.0.4:5232/" retry=0
# https://wiki.znc.in/self-message
# https://wiki.znc.in/Query_buffers \
#
+ # for geekshed, there was no sasl support as far as I can tell,
+ # so I set to msg nickserv to identify upon connect.
if ! getent passwd znc > /dev/null; then
sudo useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc
fi
end
;;
esac
+
+case $HOSTNAME in
+ bk)
+ pi icecast2
+ # todo, save the config
+ /etc/cron.daily/stream-cert
+ web-conf -c /etc/cert-live.fsf.org -p 443 -f 8000 apache2 live.fsf.org
+ ;;
+esac
+
###### end website setup
########### end section including li/lj ###############
### system76 things ###
case $HOSTNAME in
- sy|bo)
+ bo) # sy| sy doesnt seem to really need this.
# note, i stored the initial popos packages at /a/bin/data/popos-pkgs
if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
# https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
# Pin: release o=LP-PPA-system76-dev-stable
# Pin-Priority: 1001
# EOF
+ #
+ # TODO: I had to uninstall linux-image-generic-hwe-20.04 because of a conflict
+ # about linux-firmware. Should probably install it to begin with in fai if
+ # i'm going to use.
pi system76-driver system76-firmware
# if you get a notice about a firmware update, the notifier on i3
# is too dumb to do anything when you click it. so to see
fi
;;
esac
+### end system76 things ###
case $distro in
trisquel|ubuntu)
# and choose lightdm.
#
;;
+ jammy)
+ # not yet bothering with mate
+ pi lightdm-gtk-greeter lightdm
+ ;;
esac
# way to install suggests even if the main package is already
# installed. reinstall doesn't work, uninstalling can cause removing
# dependent packages.
+# shellcheck disable=SC2046 # word splitting is intended
pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+ s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+fi
+
# commented, not worth the hassle i think.
#seru enable psd
# esac
-### begin home vpn server setup
-
-
-# # this section done initially to make persistent keys.
-# # Also note, I temporarily set /etc/hosts so my host was
-# # b8.nz when running this, since the vpn client config
-# # generator assumes we need to go to that server to get
-# # server keys.
-# vpn-server-setup -rds
-# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
-# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
-# # kw = kgpe work machine.
-# for host in x2 x3 kw; do
-# vpn-mk-client-cert -b $host -n home b8.nz 1196
-# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
-# mkdir -p $dir
-# s bash -c "cp /etc/openvpn/client/home* $dir"
-# # note: /etc/update-resolv-conf-home also exists for all systems with /p
-# done
-
-# key already exists, so this won't generate one, just the configs.
-# m vpn-server-setup -rds
-# sudo tee -a /etc/openvpn/server/server.conf <<'EOF'
-# push "dhcp-option DNS 10.0.0.1"
-# push "route 10.0.0.0 255.255.0.0"
-# client-connect /a/bin/distro-setup/vpn-client-connect
-# EOF
-# sudo sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
-
-# if [[ $HOSTNAME == tp ]]; then
-# if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
-# vpn_service=openvpn-server@server
-# else
-# vpn_service=openvpn@server
-# fi
-# sgo $vpn_service
-# fi
-### end vpn server setup
-
##### rss2email
if mountpoint /p &>/dev/null; then
# note, see bashrc for more documentation.
sgo openvpn-client@hole
fi
-if [[ $HOSTNAME == frodo ]]; then
- vpn-mk-client-cert -b frodo -n hole iankelling.org
-fi
-
############# begin syncthing setup ###########
case $HOSTNAME in
kd|frodo)
####### begin misc packages ###########
+case $HOSTNAME in
+ kd)
+ ln -sfT /d/p/profanity ~/.local/share/profanity
+ ln -sfT /d/p/profanity-config ~/.config/profanity
+ source /a/bin/bash_unpublished/source-state
+ if [[ $HOSTNAME == "$HOST2" ]]; then
+ systemctl --now enable profanity
+ fi
+ ;;
+ *)
+
+ ln -sfT /p/profanity ~/.local/share/profanity
+ ln -sfT /p/profanity-config ~/.config/profanity
+ ;;
+esac
+
# template
case $codename in
flidas)
# cabal update
# cabal install --upgrade-dependencies --force-reinstalls arbtt
# also, i assume syncing this between machines somehow messed up the data.
-if mountpoint /p &>/dev/null; then
- case $codename in
- etiona|nabia)
- pi arbtt
- # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
- # Failed to connect to bus: No such file or directory
- lnf -T /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
- # allow failure
- seru start arbtt ||:
- ;;
- esac
-fi
+
+## not using arbtt for now
+# if mountpoint /p &>/dev/null; then
+# case $codename in
+# etiona|nabia)
+# pi arbtt
+# # same as seru enable arbtt, but works over ssh when systemctl --user causes error:
+# # Failed to connect to bus: No such file or directory
+# lnf -T /a/bin/ds/subdir_files/.config/systemd/user/arbtt.service /home/iank/.config/systemd/user/default.target.wants/arbtt.service
+# # allow failure
+# seru start arbtt ||:
+# ;;
+# esac
+# fi
+rm -fv /home/iank/.config/systemd/user/default.target.wants/arbtt.service
m primary-setup
/run/user/0 /run/user/0 none rw,bind 0 0
EOF
+# todo: consider if this should use the new sysd-prom-fail
sd /etc/systemd/system/schrootupdate.service <<'EOF'
[Unit]
Description=schrootupdate
Description=schrootupdate
[Timer]
-OnCalendar=*-*-* 04:20:00
+OnCalendar=*-*-* 04:20:00 America/New_York
[Install]
WantedBy=timers.target
EOF
s schroot -c flidas locale-gen
s schroot -c flidas update-locale LANG=en_US.UTF-8
+
+ m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/testing.list/TESTING_NONFREE debian unstable debootstrap
+ sudo cp -a /nocow/schroot/unstable/usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
+
+ m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/impish.list/IMPISH ubuntu impish
+
;;
esac
;;
;;
esac
-mkdir -p $tdir
+sudo mkdir -p $tdir
# adapted from /var/lib/dpkg/info/transmission-daemon.postinst
# 450 seems likely to be unused. we need to specify one or else
f=$tdir/transmission-daemon
for d in $tdir/partial-torrents $tdir/torrents $f; do
if [[ ! -d $d ]]; then
- mkdir $d
+ sudo mkdir -p $d
fi
sudo chown -R debian-transmission:user2 $d
done
#
# Changed the cache-size to 256 mb, reduces disk use.
# It is a read & write cache.
-sudo ruby <<EOF
+#
+# just fyi: default rpc port is 9091
+if ! systemctl is-active transmission-daemon-nn &>/dev/null && \
+ ! systemctl is-active transmission-daemon; then
+ tmp=$(mktemp)
+ command sudo ruby <<EOF >$tmp
require 'json'
p = '/etc/transmission-daemon/settings.json'
-File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
-'rpc-whitelist-enabled' => false,
-'rpc-authentication-required' => false,
-'incomplete-dir' => '$tdir/partial-torrents',
-'incomplete-dir-enabled' => true,
-'download-dir' => '$tdir/torrents',
-"speed-limit-up" => 800,
-"speed-limit-up-enabled" => true,
-"peer-port" => 61486,
-"cache-size-mb" => 256,
-"ratio-limit" => 5.0,
-"ratio-limit-enabled" => false,
-})) + "\n")
+s = {
+ 'rpc-whitelist-enabled' => false,
+ 'rpc-authentication-required' => false,
+ 'incomplete-dir' => '$tdir/partial-torrents',
+ 'incomplete-dir-enabled' => true,
+ 'download-dir' => '$tdir/torrents',
+ "speed-limit-up" => 800,
+ "speed-limit-up-enabled" => true,
+ "peer-port" => 61486,
+ "cache-size-mb" => 256,
+ "ratio-limit" => 5.0,
+ "ratio-limit-enabled" => false,
+}
+puts(JSON.pretty_generate(JSON.parse(File.read(p)).merge(s)))
EOF
+ cat $tmp | sudo dd of=/etc/transmission-daemon/settings.json
+
+fi
####### end transmission
######### begin transmission client setup ######
+# to connect from a remote client, trans-remote-route in brc2
+
+
if [[ -e /p/transmission-rpc-pass ]]; then
# arch had a default config,
# debian had nothing until you start it.
"profiles" : [
{
"profile-name" : "Default",
- "hostname" : "10.173.0.2",
+ "hostname" : "10.174.2.2",
"rpc-url-path" : "/transmission/rpc",
"username" : "",
"password" : "$rpc_pass",
# general known for debian/ubuntu, not for fedora
m /a/bin/buildscripts/go
+# only needed for rg. cargo takes up 11 gigs, filled up the disk on je.
m /a/bin/buildscripts/rust
m /a/bin/buildscripts/misc
m /a/bin/buildscripts/pithosfly
#m /a/bin/buildscripts/alacritty
-m /a/bin/buildscripts/kitty
+#m /a/bin/buildscripts/kitty
pi-nostart virtinst virt-manager
soff libvirtd
# # I'm not seeing the icon, but the clipboard replication is working
-### model 01 arduino support ###
+### begin model 01 arduino support ###
# https://github.com/keyboardio/Kaleidoscope/wiki/Install-Arduino-support-on-Linux
# also built latest arduino in /a/opt/Arduino, (just cd build; ant build; ant run )
# set arduino var in bashrc,
# have system config file setup too.
sudo adduser $USER dialout
+# as of 2022-05,
+# download arduino ide, extract in /a/opt, ignore the install script, run ./arduino,
+# toolbar, preferences, add board manager url:
+# https://raw.githubusercontent.com/keyboardio/boardsmanager/master/package_keyboardio_index.json
+# toolbar, board manager, add keyboardio
+# toolbar, select model01 board
+# toolbar, examples, model01, compile
+
+###
+
# this is for the mail command too. update-alternatives is kind of misleading
# since at least it's main commands pretend mail does not exist.
# bsd's mail got pulled in on some dumb dependency, i dunno how.
########### misc stuff
-if [[ $HOSTNAME != frodo ]]; then
- # remove. i moved this into dns
- echo | s cedit hole /etc/hosts ||:
-fi
+# pressing tab after sdf here:
+# scp sdfbash: set +o noglob: command not found
+# in t11, bash 5.1.16. this fixes it.
+sudo sed -ri 's/([[:space:]]*)(\$reset)$/\1set +o noglob #$reset/' /usr/share/bash-completion/bash_completion
+
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
if [[ ! -e ~/.local/bin/pip ]]; then
tmp=$(mktemp)
hash -r
fi
+## begin beets
+# soo, apt install beets fails due to wanting a pip package,
+# we find out why it wants this through
+# apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances beets | less
+# python-mediafile requires tox, which requires virtualenv, which requires pip.
+# but, python-mediafile doesn't really require tox, it is specified in
+# ./usr/lib/python3/dist-packages/mediafile-0.9.0.dist-info/METADATA
+# as being required only for testing, but the debian package
+# included it anyways, due to a mistake or bad tooling or something.
+# I don't plan to use tox, so, according to https://serverfault.com/a/251091,
+# we can create and install a dummy package by:
+#
+# "equivs-control <name>, edit the file produced to provide the right
+# dependency and have a nice name, then run equivs-build <name> and
+# finally dpkg -i the resulting .deb file"
+# as of 2023-02, the tox dependency was removed in debian unstable, so
+# this hack will probably go away in t12.
+
+if pcheck beets; then
+ tmpdir="$(mktemp -d)"
+ cd "$tmpdir"
+ # edited from output of equivs-control tox
+ cat >tox <<'EOF'
+Section: python
+Priority: optional
+Standards-Version: 3.9.2
+Package: tox
+Description: tox-dummy
+EOF
+ equivs-build tox
+ sudo dpkg -i tox_1.0_all.deb
+ rm -rf ./tox*
+ pi beets python3-discogs-client
+ cd
+ rm -r "$tmpdir"
+fi
+
+# get rid of annoying message
+s sed -ri "s/^([[:space:]]*ui.print_\('Playing)/#\1/" /usr/share/beets/beetsplug/play.py
+
+
+# notes about barrier
+# run barrier, do the gui config,
+# setup the 2 screens, using hostnames for the new screen.
+# save the server config
+# $HOME/.local/share/barrier/.barrier.conf
+# per the man page.
+#
+# ssl errors, resolved via advice here: https://github.com/debauchee/barrier/issues/231
+# BARRIER_SSL_PATH=~/.local/share/barrier/SSL/
+# mkdir -p "${BARRIER_SSL_PATH}"
+# openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ${BARRIER_SSL_PATH}/Barrier.pem -out ${BARRIER_SSL_PATH}/Barrier.pem
+# ran on both machines.
+# When pressing start in the gui, the cli options used are printed to the console,
+# they are useful. So on server, just run barriers, client run barrierc SERVER_IP
### begin timetrap setup
if mountpoint /p &>/dev/null; then
pi desktop-file-utils
m /a/bin/distro-setup/mymimes
-
-sgo dynamicipupdate.timer
-
-
-# stop autopoping windows when i plug in an android phone.
-# dbus-launch makes this work within an ssh connection, otherwise you get this message,
-# with still 0 exit code.
-# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
-m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
-
+if type -p dbus-launch >/dev/null; then
+ # stop autopoping windows when i plug in an android phone.
+ # dbus-launch makes this work within an ssh connection, otherwise you get this message,
+ # with still 0 exit code.
+ # dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
+ m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
+fi
# on grub upgrade, we get prompts unless we do this
devs=()
grub-pc grub-pc/install_devices multiselect ${devs[*]}
EOF
-# btrfs maintenance
-sgo btrfsmaint.timer
-sgo btrfsmaintstop.timer
-sgo systemstatus.timer
+sysd-prom-fail-install dynamicipupdate
+sysd-prom-fail-install systemstatus
+sysd-prom-fail-install btrfsmaintstop
+sgo btrfsmaint.timer
+sgo btrfsmaintstop
+sgo systemstatus
+sgo dynamicipupdate
if grep -xFq $HOSTNAME /a/bin/ds/machine_specific/btrbk.hosts; then
sgo btrbk.timer
fi
-# note: to see when it was last run,
+
+# note: to see when a timer was last run,
# ser list-timers
+
+### begin prometheus ###
+
+case $HOSTNAME in
+ kd)
+ # Font awesome is needed for the alertmanager ui.
+ pi prometheus-alertmanager prometheus fonts-font-awesome
+ /c/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus
+ # make it available for other machines
+ rsync -a /usr/local/bin/amtool /a/opt/bin
+ web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
+ web-conf -p 9094 -f 9093 - apache2 i.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-htpasswd"
+Require valid-user
+</Location>
+EOF
+
+ # by default, the alertmanager web ui is not enabled other than a page
+ # that suggests to use the amtool cli. that tool is good, but you cant
+ # silence things nearly as easily as with the gui.
+ if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
+ # default script didnt work, required some changes to get elm 19.1,
+ # which is a dependency of the latest alertmanager. I modified
+ # and copied it into /b/ds. In future, might need some other
+ # solution.
+ #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+ sudo /b/ds/generate-ui.sh
+ ser restart prometheus-alertmanager
+ fi
+
+ s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
+ for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do
+ sysd-prom-fail-install $ser
+ done
+
+ ;;
+ *)
+ s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter
+ ;;
+esac
+
+# cleanup old files. 2023-02
+x=(/var/lib/prometheus/node-exporter/*.premerge)
+if [[ -e ${x[0]} ]]; then
+ s rm /var/lib/prometheus/node-exporter/*
+fi
+
+
+case $HOSTNAME in
+ # todo, for limiting node exporter http,
+ # either use iptables or, in
+ # /etc/default/prometheus-node-exporter
+ # listen on the wireguard interface
+
+ *)
+ wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+ # old filename. remove once all hosts are updated.
+ s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+ web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+<Location "/">
+AuthType Basic
+AuthName "basic_auth"
+# created with
+# htpasswd -c prometheus-export-htpasswd USERNAME
+AuthUserFile "/etc/prometheus-export-htpasswd"
+Require valid-user
+</Location>
+EOF
+ # For work, i think we will just use the firewall for hosts in the main data center, and
+ # vpn for hosts outside it.
+
+ # TODO: figure out how to detect the ping failure and try again.
+
+ # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
+ s mkdir /etc/systemd/system/apache2.service.d
+ sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
+[Unit]
+After=wg-quick@wghole.service
+StartLimitIntervalSec=0
+
+[Service]
+Restart=always
+RestartSec=30
+EOF
+
+ ;;
+esac
+
+### end prometheus ###
+
+### begin nagios ###
+
+pi nagios-nrpe-server
+
case $HOSTNAME in
kd)
- sgo btrbkrust.timer
+ # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
+ pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
+ s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ # to add a password for admin:
+ # htdigest /etc/nagios4/htdigest.users Nagios4 iank
+ # now using the same pass as prometheus
+
+ # nagstamon auth settings, set to digest instead of basic.
+
+ web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
+# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
+
+ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
+ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
+
+# Where the stylesheets (config files) reside
+Alias /nagios4/stylesheets /etc/nagios4/stylesheets
+
+# Where the HTML pages live
+Alias /nagios4 /usr/share/nagios4/htdocs
+
+<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
+ Options FollowSymLinks
+ DirectoryIndex index.php index.html
+ AllowOverride AuthConfig
+ #
+ # The default Debian nagios4 install sets use_authentication=0 in
+ # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
+ # This is insecure. As a compromise this default apache2 configuration
+ # only allows private IP addresses access.
+ #
+ # The <Files>...</Files> below shows how you can secure the nagios4
+ # web site so anybody can view it, but only authenticated users can issue
+ # commands (such as silence notifications). To do that replace the
+ # "Require all granted" with "Require valid-user", and use htdigest
+ # program from the apache2-utils package to add users to
+ # /etc/nagios4/htdigest.users.
+ #
+ # A step up is to insist all users validate themselves by moving
+ # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
+ # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
+ # can configure which people get to see a particular service from
+ # within the nagios configuration.
+ #
+ AuthDigestDomain "Nagios4"
+ AuthDigestProvider file
+ AuthUserFile "/etc/nagios4-htdigest.users"
+ AuthGroupFile "/etc/group"
+ AuthName "Nagios4"
+ AuthType Digest
+ Require valid-user
+</DirectoryMatch>
+
+<Directory /usr/share/nagios4/htdocs>
+ Options +ExecCGI
+</Directory>
+EOF
+ ;;
+esac
+
+# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
+# notifications_enabled=1
+# note, the same variable exists in the correspdonding "define service {"
+
+# in the default config, we have these definitions
+
+# 11 define command {
+# 2 define contact {
+# 1 define contactgroup {
+# 9 define host {
+# 4 define hostgroup {
+# 23 define service {
+# 5 define timeperiod {
+
+
+# on klaxon
+
+# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
+# 76 define command
+# 11 define contact
+# 6 define contactgroup
+# 162 define host
+# 1 define hostextinfo
+# 16 define hostgroup
+# 3040 define service
+# 2 define servicedependency
+# 6 define timeperiod
+
+
+
+
+### end nagios ###
+
+### begin bitcoin ###
+
+case $HOSTNAME in
+ sy|kd)
+ sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-24.0.1/bin/*
+ sgo bitcoind
+ # note: the bitcoin user & group are setup in fai
+ sudo usermod -a -G bitcoin iank
+ # todo: make bitcoin have a stable uid/gid
+ if [[ ! $(readlink -f /var/lib/bitcoind/wallets) == /q/wallets ]]; then
+ mkdir -p /var/lib/bitcoind
+ chown bitcoin:bitcoin /var/lib/bitcoind
+ # 710 comes from the upstream bitcoin unit file
+ chmod 710 /var/lib/bitcoind
+ s lnf /q/wallets /var/lib/bitcoind
+ sudo chown -h bitcoin:bitcoin /var/lib/bitcoind/wallets
+ fi
+ # note, there exists
+ # /a/bin/ds/disabled/bitcoin
+ ;;
+esac
+
+### end bitcoin
+
+case $HOSTNAME in
+ kw|x3)
+ sd /etc/cups/client.conf <<'EOF'
+ServerName printserver1.office.fsf.org
+EOF
;;
esac
+
end_msg <<'EOF'
In mate settings settings, change scrolling to two-finger,
because the default edge scroll doesn\'t work. Originally found this in debian.
pi tor
m /a/bin/buildscripts/tor-browser
# one root command needed to install
-s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin
+s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin
# nfs server
pi-nostart nfs-kernel-server
+# todo, this is old, probably needs removing
if [[ $HOSTNAME == tp ]]; then
sd /etc/wireguard/wg0.conf <<EOF
[Interface]
iankelling.org / git / distro-setup / blobdiff