X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=blobdiff_plain;f=distro-end;h=14cc2f52ddca1ff5d0ea158f9d7d55e7734ba47f;hp=54321bf0533bd51bed00e707a5ab022102c21eba;hb=HEAD;hpb=ce4cacd36c5b5babeea85d0f93771017e6169180

diff --git a/distro-end b/distro-end
index 54321bf..ba0b585 100755
--- a/distro-end
+++ b/distro-end
@@ -1,12 +1,28 @@
 #!/bin/bash
-# Copyright (C) 2019 Ian Kelling
-# SPDX-License-Identifier: AGPL-3.0-or-later
 
-# shellcheck source=/a/bin/ds/.bashrc
-export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi
+# Setup Ian's computers
+# Copyright (C) 2024  Ian Kelling
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# shellcheck source=./brc
+source ~/brc
 
 ### setup
-source /a/bin/errhandle/err
+source /a/bin/bash-bear-trap/bash-bear
 src="$(readlink -f -- "${BASH_SOURCE[0]}")"; src=${src%/*} # directory of this file
 
 if [[ $EUID == 0 ]]; then
@@ -90,7 +106,6 @@ EOF
 ########### begin section including vps ################
 pi ${p2[@]}
 
-
 conflink
 
 sudo rm -fv
@@ -124,39 +139,6 @@ esac
 
 
 
-
-# dogcam setup. not using atm
-# case $HOSTNAME in
-#   lj|li)
-#     /a/bin/webcam/install-server
-#     ;;
-#   kw)
-#     /a/bin/webcam/install-client
-#     ;;
-# esac
-
-
-## not actually using prometheus just yet
-# # office is not exposed to internet yet
-# if [[ $HOSTNAME != kw ]]; then
-#   ## prometheus node exporter setup
-#   web-conf -f 9100 -p 9101 apache2 $(hostname -f) <<'EOF'
-# #https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype
-# # https://stackoverflow.com/questions/5011102/apache-reverse-proxy-with-basic-authentication
-# <Location />
-#    AllowOverride None
-#    AuthType basic
-#    AuthName "Authentication Required"
-#    # setup one time, with root:www-data, 640
-#    AuthUserFile "/etc/prometheus-htpasswd"
-#    Require valid-user
-# </Location>
-# EOF
-# fi
-
-
-
-
 pi debootstrap
 ######### begin universal pinned packages ######
 case $(debian-codename) in
@@ -167,204 +149,36 @@ Explanation: Debian* includes Debian + Debian Backports
 Package: *
 Pin: release o=Debian*
 Pin-Priority: -100
-EOF
-    ;;&
-  # needed for debootstrap scripts for fai since fai requires debian
-  flidas)
-    # moved to fai
-    #curl http://archive.ubuntu.com/ubuntu/project/ubuntu-archive-keyring.gpg | s apt-key add -
-    sd /etc/apt/preferences.d/flidas-xenial <<EOF
-Package: *
-Pin: release a=xenial
-Pin-Priority: -100
-
-Package: *
-Pin: release a=xenial-updates
-Pin-Priority: -100
-
-Package: *
-Pin: release a=xenial-security
-Pin-Priority: -100
-
-Package: firefox
-Pin: release n=xenial
-Pin-Priority: 500
-EOF
-    sd /etc/apt/sources.list.d/xenial.list 2>/dev/null <<EOF
-deb http://us.archive.ubuntu.com/ubuntu/ xenial main
-deb http://us.archive.ubuntu.com/ubuntu/ xenial-updates main
-deb http://us.archive.ubuntu.com/ubuntu/ xenial-security main
-EOF
-
-    if ! apt-key list | grep /C0B21F32 &>/dev/null; then
-      # moved to fai
-      #sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 3B4FE6ACC0B21F32
-      sd /etc/apt/preferences.d/flidas-bionic <<EOF
-Package: *
-Pin: release a=bionic
-Pin-Priority: -100
-
-Package: *
-Pin: release a=bionic-updates
-Pin-Priority: -100
-
-Package: *
-Pin: release a=bionic-security
-Pin-Priority: -100
-EOF
-    fi
-
-    # better to run btrfs-progs which matches our kernel version
-    # (note, renamed from btrfs-tools)
-    sd /etc/apt/preferences.d/btrfs-progs <<EOF
-Package: btrfs-progs libzstd1
-Pin: release a=bionic
-Pin-Priority: 1005
-
-Package: btrfs-progs libzstd1
-Pin: release a=bionic-updates
-Pin-Priority: 1005
-
-Package: btrfs-progs libzstd1
-Pin: release a=bionic-security
-Pin-Priority: 1005
-EOF
-
-
-    t=$(mktemp)
-    cat >$t <<EOF
-deb http://us.archive.ubuntu.com/ubuntu/ bionic main
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main
-deb http://us.archive.ubuntu.com/ubuntu/ bionic-security main
-EOF
-    f=/etc/apt/sources.list.d/bionic.list
-    if ! diff -q $t $f; then
-      sudo cp $t $f
-      sudo chmod 644 $f
-      m p update
-    fi
-
-    # no special reason, but its better for btrfs-progs to
-    # be closer to our kernel version
-    pi btrfs-progs
 
-    if [[ ! -e /usr/share/debootstrap/scripts/xenial ]]; then
-      t=$(mktemp -d)
-      cd $t
-      m aptitude download debootstrap/xenial
-      m ex ./*
-      sudo cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
-    fi
-
-    sd /etc/apt/preferences.d/flidas-etiona <<EOF
-Package: *
-Pin: release a=etiona
-Pin-Priority: -100
-
-Package: *
-Pin: release a=etiona-updates
-Pin-Priority: -100
-
-Package: *
-Pin: release a=etiona-security
-Pin-Priority: -100
-
-Package: *
-Pin: release a=etiona-backports
-Pin-Priority: -100
-EOF
-
-    t=$(mktemp)
-    cat >$t <<EOF
-deb http://mirror.fsf.org/trisquel/ etiona main
-deb http://mirror.fsf.org/trisquel/ etiona-updates main
-deb http://archive.trisquel.info/trisquel/ etiona-security main
-deb http://mirror.fsf.org/trisquel/ etiona-backports main
-EOF
-    f=/etc/apt/sources.list.d/etiona.list
-    if ! diff -q $t $f; then
-      sudo cp $t $f
-      n s chmod 644 $f
-      m p update
-    fi
-
-    sd /etc/apt/preferences.d/debian-goodies <<EOF
-Package: debian-goodies
-Pin: release n=etiona
-Pin-Priority: 1005
-EOF
-
-
-    # dont use buster because it causes dist-upgrade to think its downgrading
-    # packages while really just reinstalling the same version.
-    f=/etc/apt/apt.conf.d/01iank
-    sudo rm -fv $f
-    #         # stupid buster uses some key algorithm not supported by flidas gpg that apt uses.
-    #         sd /etc/apt/apt.conf.d/01iank <<'EOF'
-    # Acquire::AllowInsecureRepositories "true";
-    # EOF
-
-    f=/etc/apt/sources.list.d/buster.list
-    sudo rm -fv $f
-
-    # newer version needed for false positive in checkrestart.
-    # I did buster at first, but other problem above with having
-    # buster repos. not sure if the false positive exists in etiona.
-    pi debian-goodies
-
-    sd /etc/apt/preferences.d/shellcheck <<EOF
-Package: shellcheck
-Pin: release a=etiona
-Pin-Priority: 1005
-
-Package: shellcheck
-Pin: release a=etiona-updates
-Pin-Priority: 1005
-
-Package: shellcheck
-Pin: release a=etiona-security
-Pin-Priority: 1005
-EOF
-
-    sd /etc/apt/preferences.d/bash <<EOF
-Package: bash
-Pin: release a=etiona
-Pin-Priority: 1005
-
-Package: bash
-Pin: release a=etiona-updates
-Pin-Priority: 1005
-
-Package: bash
-Pin: release a=etiona-security
-Pin-Priority: 1005
+Explanation: ubuntu's version is outdated
+Package: debian-archive-keyring
+Pin: release o=Debian*
+Pin-Priority: 1000
 EOF
-
-
     ;;&
+
   aramo|nabia|etiona)
     # for ziva
     #p install --no-install-recommends minetest/buster libleveldb1d/buster libncursesw6/buster libtinfo6/buster
     doupdate=false
-    for n in bullseye; do
+    # shellcheck disable=SC2043 # in case we want more than 1 in the loop later.
+    for n in bookworm; do
       f=/etc/apt/sources.list.d/$n.list
       t=$(mktemp)
       case $n in
-        bullseye)
-          cat >$t <<'EOF'
-EOF
+        bookworm)
           cat >$t <<EOF
-deb http://deb.debian.org/debian bullseye main
-deb-src http://deb.debian.org/debian bullseye main
+deb http://deb.debian.org/debian bookworm main
+deb-src http://deb.debian.org/debian bookworm main
 
-deb http://deb.debian.org/debian-security/ bullseye-security main
-deb-src http://deb.debian.org/debian-security/ bullseye-security main
+deb http://deb.debian.org/debian-security/ bookworm-security main
+deb-src http://deb.debian.org/debian-security/ bookworm-security main
 
-deb http://deb.debian.org/debian bullseye-updates main
-deb-src http://deb.debian.org/debian bullseye-updates main
+deb http://deb.debian.org/debian bookworm-updates main
+deb-src http://deb.debian.org/debian bookworm-updates main
 
-deb http://http.debian.net/debian bullseye-backports main
-deb-src http://http.debian.net/debian bullseye-backports main
+deb http://http.debian.net/debian bookworm-backports main
+deb-src http://http.debian.net/debian bookworm-backports main
 EOF
           ;;
       esac
@@ -376,15 +190,25 @@ EOF
       fi
     done
     if $doupdate; then
-      curl -s https://ftp-master.debian.org/keys/archive-key-10-security.asc | sudo apt-key add -
-      curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | sudo apt-key add -
+      tmpdir=$(mktemp -d)
+      (
+        cd $tmpdir
+        # cant apt get the keyring without doing an update, can't update
+        # without the keyring, this is a stupid chicken and egg problem
+        # that apt should have some feature to solve, but doesn't as far
+        # as I know.
+        f=debian-archive-keyring_2023.3+deb12u1_all.deb
+        wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f
+        sudo dpkg -i $f
+      )
       p update
+      rm -rf $tmpdir
     fi
 
-    if [[ ! -e /usr/share/debootstrap/scripts/bullseye ]]; then
+    if [[ ! -e /usr/share/debootstrap/scripts/bookworm ]]; then
       t=$(mktemp -d)
       cd $t
-      m aptitude download debootstrap/bullseye
+      m aptitude download debootstrap/bookworm
       m ex ./*
       sudo cp ./usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
     fi
@@ -421,7 +245,7 @@ deb http://us.archive.ubuntu.com/ubuntu/ focal-updates main universe
 deb http://us.archive.ubuntu.com/ubuntu/ focal-security main universe
 EOF
     if ! diff -q $t $f; then
-      sudo dd if=$t of=$f 2>/dev/null
+      sudo dd if=$t of=$f status=none
       p update
     fi
 
@@ -450,7 +274,7 @@ deb http://mirror.fsf.org/trisquel/ nabia-backports main
 deb-src http://mirror.fsf.org/trisquel/ nabia-backports main
 EOF
     if ! diff -q $t $f; then
-      sudo dd if=$t of=$f 2>/dev/null
+      sudo dd if=$t of=$f status=none
       p update
     fi
 
@@ -495,7 +319,7 @@ deb http://mirror.fsf.org/trisquel/ aramo-backports main
 deb-src http://mirror.fsf.org/trisquel/ aramo-backports main
 EOF
     if ! diff -q $t $f; then
-      sudo dd if=$t of=$f 2>/dev/null
+      sudo dd if=$t of=$f status=none
       p update
     fi
 
@@ -509,7 +333,7 @@ esac
 
 case $codename_compat in
   jammy)
-    s systemctl enable ssh-agent-iank
+    s systemctl enable --now ssh-agent-iank
     ;;
 esac
 
@@ -569,15 +393,27 @@ esac
 ##### begin automatic upgrades (after checkrestart has been installed) ####
 # if apt-config-auto-update is installed,
 # it also has similar config, in a file 10something,
-# but i think his overrides it since its higher number.
+# but i think this overrides it since its higher number.
 # This file was part of the automatic-updates package,
-# and it has a configu option to not get new package lists,
+# and it has a config option to not get new package lists,
 # which seems pretty stupid to me, you cant actually upgrade
 # anything if you dont have the new package list.
 sd /etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
+# note: man apt.conf says
+# /usr/share/doc/apt/examples/configure-index.gz is a configuration file showing
+# example values for all possible options.
+# but that is a incorrect.
+# Periodic and other options are only documented in
+# /usr/lib/apt/apt.systemd.daily
+# That filename can be found through poking around in apt daily cronjob.
 APT::Periodic::Update-Package-Lists "1";
 APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
+# 0 means disabled. I used to set this to 7, however, trisquel doesn't
+# have an archive of old package versions, so I want to
+# keep around old versions so I can easily downgrade.
+APT::Periodic::AutocleanInterval "0";
+# daily expire old files /var/cache/apt if it gets above this MB
+APT::Periodic::MaxSize "50000";
 APT::Periodic::Unattended-Upgrade "1";
 EOF
 
@@ -609,23 +445,6 @@ sudo rm -f /etc/cron.d/unattended-upgrade-reboot /usr/local/bin/zelous-unattende
 # Pin-Priority: 500
 # EOF
 
-if [[ -e /etc/wireguard/wghole.conf ]]; then
-  reload=false
-  if [[ ! -e /etc/systemd/system/wg-quick@wghole.service.d/override.conf ]]; then
-    reload=true
-  fi
-  sudo mkdir -p /etc/systemd/system/wg-quick@wghole.service.d
-  sd /etc/systemd/system/wg-quick@wghole.service.d/override.conf <<'EOF'
-[Unit]
-StartLimitIntervalSec=0
-
-[Service]
-Restart=on-failure
-RestartSec=20
-EOF
-  if $reload; then ser daemon-reload; fi
-  sgo wg-quick@wghole
-fi
 
 ###### begin website setup
 case $HOSTNAME in
@@ -636,8 +455,7 @@ case $HOSTNAME in
       dnsb8
     fi
 
-    pi prometheus-node-exporter
-    /a/bin/buildscripts/prom-node-exporter -l
+    sudo /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
 
     # ex for exporter
     web-conf -p 9101 -f 9100 - apache2 ${HOSTNAME}ex.b8.nz <<'EOF'
@@ -668,6 +486,22 @@ EOF
     ;;
   li)
 
+    p build-dep eggdrop
+    if [[ ! -L ~/eggdrop/eggdrop ]]; then
+      cd
+      git clone https://github.com/eggheads/eggdrop eggdrop-src
+      cd eggdrop-src
+      ./configure
+      make config
+      make
+      make install
+    fi
+
+    # dunno if this is really needed. it was part of the documented eggdrop systemd install script
+    sudo loginctl enable-linger
+    systemctl --user enable fsysbot
+    systemctl --user start fsysbot
+
     m /a/h/setup.sh iankelling.org
 
     # start mumble only when im going to use it, since i dont use it much
@@ -689,53 +523,25 @@ EOF
 client-to-client
 EOF
 
-    # sullivan d8
-    sd /etc/openvpn/client-config-hole/sd8 <<'EOF'
-ifconfig-push 10.5.5.41 255.255.255.0
-EOF
-    # hsieh d8
-    sd /etc/openvpn/client-config-hole/hd8 <<'EOF'
-ifconfig-push 10.5.5.42 255.255.255.0
-EOF
+    # note client-config files are setup in brc2 update-host-info
 
-    sd /etc/openvpn/client-config-hole/onep9 <<'EOF'
-ifconfig-push 10.5.5.14 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/bo <<'EOF'
-ifconfig-push 10.5.5.13 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/sy <<'EOF'
-ifconfig-push 10.5.5.12 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/kw <<'EOF'
-ifconfig-push 10.5.5.9 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/x3 <<'EOF'
-ifconfig-push 10.5.5.8 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/x2 <<'EOF'
-ifconfig-push 10.5.5.7 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/wclient <<'EOF'
-ifconfig-push 10.5.5.6 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/frodo <<'EOF'
-ifconfig-push 10.5.5.5 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/amy <<'EOF'
-ifconfig-push 10.5.5.3 255.255.255.0
-EOF
-    sd /etc/openvpn/client-config-hole/kd <<'EOF'
-ifconfig-push 10.5.5.2 255.255.255.0
-EOF
 
-    # for adding to current system:
-    #vpn-mk-client-cert -s "" -n hole 72.14.176.105
-    # adding to remove system 107,
-    #vpn-mk-client-cert -s "" -n hole -c 10.2.0.107 -b hd8 iankelling.org
+    # for adding cert to system with /p
     #
-    # for wireguard hole vpn
+    # host=frodo
+    #mkc /p/c/machine_specific/$host/filesystem/etc/openvpn/client
+    #vpn-mk-client-cert -b $host -n hole -r  iankelling.org
+    #s chown -R iank:iank .
+    #
+    # example of adding to remote system 107,
+    # vpn-mk-client-cert -n hole -c 10.2.0.107 -b hd8 iankelling.org
+    #
+    # for wireguard hole vpn, use function:
     # wghole
+    # eg:
+    # wghole bo 28
+    # if it is going to want to connect to transmission-daemon on ok
+    # wghole bo 28 10.174.2.2/32
 
     # requested from linode via a support ticket.
     # https://www.linode.com/docs/networking/an-overview-of-ipv6-on-linode/
@@ -904,6 +710,16 @@ EOF
     end
     ;;
 esac
+
+case $HOSTNAME in
+  bk)
+    pi icecast2
+    # todo, save the config
+    /etc/cron.daily/stream-cert
+    web-conf -c /etc/cert-live.fsf.org -p 443 -f 8000 apache2 live.fsf.org
+    ;;
+esac
+
 ###### end website setup
 
 ########### end section including li/lj ###############
@@ -913,7 +729,7 @@ esac
 
 ### system76 things ###
 case $HOSTNAME in
-  sy|bo)
+  bo) # sy|  sy doesnt seem to really need this.
     # note, i stored the initial popos packages at /a/bin/data/popos-pkgs
     if [[ ! -e /etc/apt/sources.list.d/system76.list ]]; then
       # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
@@ -946,10 +762,40 @@ EOF
     fi
     ;;
 esac
+### end system76 things ###
 
 case $distro in
   trisquel|ubuntu)
 
+
+    ## one time setup thing I did
+    # c /a/opt/obs-cmd/
+    # cargo build --release
+    # cp target/release/obs-cmd ../bin
+    #
+    ## in obs, tools -> websocket server settings -> generate/copy password
+    #
+    # note: obs-studio on gnu does not support webrtc, it seems mainly because
+    # libdatachannel is not packaged. If it was, it would just need to do
+    # apt source obs-studio, obs-studio-30.1.1/debian/rules set -DENABLE_WEBRTC=ON
+    #
+    # I did manage to build libdatachannel following its instructions, then make install,
+    # then obs failed due to nvidia. found those options to disable with
+    # rg 'option\(ENABLE' | gr nv, then build obs like so:
+    #
+    # cmake -DLINUX_PORTABLE=ON -DCMAKE_INSTALL_PREFIX="${HOME}/obs-studio-portable" -DENABLE_BROWSER=OFF -DENABLE_AJA=OFF -DENABLE_NEW_MPEGTS_OUTPUT=OFF -DENABLE_WEBRTC=ON -DCMAKE_POSITION_INDEPENDENT_CODE=ON -DENABLE_NVVFX=OFF -DENABLE_NVAFX=OFF -DENABLE_NATIVE_NVENC=OFF  ..
+    #
+    #
+    #
+    # however, I didn't end up trying it out.
+    #
+    # note, in terminal source, i setup a transform so it would show the
+    # bottom 1080p section of the terminal instead of the top if the
+    # screen was bigger. click like 2 times in the preview so the red
+    # lines show up, right click, edit transform (or ctrl-e). bounding
+    # box type: scale to width of bounds. alignment in bounding box:
+    # bottom left. bounding box size 1920 x 1080.
+
     # ppa:obsproject/obs-studio
     if [[ ! -s /etc/apt/sources.list.d/obs.list ]]; then
       # https://blog.zackad.dev/en/2017/08/17/add-ppa-simple-way.html
@@ -961,6 +807,7 @@ EOF
       p update
     fi
     ;;
+
 esac
 
 case $codename_compat in
@@ -1014,7 +861,7 @@ EOF
     ;;
   jammy)
     # not yet bothering with mate
-    pi lightdm-gtk-greeter
+    pi lightdm-gtk-greeter lightdm
     ;;
 esac
 
@@ -1084,8 +931,25 @@ esac
 # way to install suggests even if the main package is already
 # installed. reinstall doesn't work, uninstalling can cause removing
 # dependent packages.
+# shellcheck disable=SC2046 # word splitting is intended
 pi ${pall[@]} $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}') $($src/distro-pkgs)
 
+# schroot service will restart schroot sessions after reboot.
+# I dont want that.
+pi-nostart schroot
+
+# fix systemd unit failure. i dont know of any actual impact
+# other than systemd showing in degraded state. So, we dont bother
+# fixing the current state, let it fix on the next reboot.
+# https://gitlab.com/cjwatson/binfmt-support/-/commit/54f0e1af8a
+tmp=$(systemctl cat binfmt-support.service | grep ^After=)
+if [[ $tmp != *systemd-binfmt.service* ]]; then
+  s u /etc/systemd/system/binfmt-support.service.d/override.conf <<EOF
+[Unit]
+$tmp systemd-binfmt.service
+EOF
+fi
+
 
 # commented, not worth the hassle i think.
 #seru enable psd
@@ -1118,45 +982,6 @@ sudo rm -fv /etc/apt/sources.list.d/iridium-browser.list
 # esac
 
 
-### begin home vpn server setup
-
-
-# # this section done initially to make persistent keys.
-# # Also note, I temporarily set /etc/hosts so my host was
-# # b8.nz when running this, since the vpn client config
-# # generator assumes we need to go to that server to get
-# # server keys.
-# vpn-server-setup -rds
-# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
-# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
-# # kw = kgpe work machine.
-# for host in x2 x3 kw; do
-# vpn-mk-client-cert -b $host -n home b8.nz 1196
-# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
-# mkdir -p $dir
-# s bash -c "cp /etc/openvpn/client/home* $dir"
-#     # note: /etc/update-resolv-conf-home also exists for all systems with /p
-# done
-
-# key already exists, so this won't generate one, just the configs.
-# m vpn-server-setup -rds
-# sudo tee -a /etc/openvpn/server/server.conf <<'EOF'
-# push "dhcp-option DNS 10.0.0.1"
-# push "route 10.0.0.0 255.255.0.0"
-# client-connect /a/bin/distro-setup/vpn-client-connect
-# EOF
-# sudo sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
-
-# if [[ $HOSTNAME == tp ]]; then
-#   if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
-#     vpn_service=openvpn-server@server
-#   else
-#     vpn_service=openvpn@server
-#   fi
-#   sgo $vpn_service
-# fi
-### end vpn server setup
-
 ##### rss2email
 if mountpoint /p &>/dev/null; then
   # note, see bashrc for more documentation.
@@ -1234,10 +1059,6 @@ if [[ -e /p/c/machine_specific/$HOSTNAME/filesystem/etc/openvpn/client/hole.crt
   sgo openvpn-client@hole
 fi
 
-if [[ $HOSTNAME == frodo ]]; then
-  vpn-mk-client-cert -b frodo -n hole iankelling.org
-fi
-
 ############# begin syncthing setup ###########
 case $HOSTNAME in
   kd|frodo)
@@ -1327,6 +1148,24 @@ fi
 
 ####### begin misc packages ###########
 
+# old location, 2023.
+sudo rm -fv /etc/systemd/system/profanity.service
+case $HOSTNAME in
+  kd)
+    ln -sfT /d/p/profanity ~/.local/share/profanity
+    ln -sfT /d/p/profanity-config ~/.config/profanity
+    source /a/bin/bash_unpublished/source-state
+    if [[ $HOSTNAME == "$HOST2" || ! -e /p/profanity-here ]]; then
+      systemctl --user --now enable profanity
+    fi
+    ;;
+  *)
+
+    ln -sfT /p/profanity ~/.local/share/profanity
+    ln -sfT /p/profanity-config ~/.config/profanity
+    ;;
+esac
+
 # template
 case $codename in
   flidas)
@@ -1481,32 +1320,8 @@ sgo schrootupdate.timer
 # for my roommate
 case $distro in
   trisquel)
-    m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/bullseye.list/BULLSEYE_FREE \
-      debian bullseye firefox-esr pulseaudio chromium anki
-    case $(debian-codename) in
-      etiona|nabia)
-        # we have a lot of t8 stuff, useful to have
-        m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/flidas.list/FLIDAS \
-          trisquel flidas
-        tu /nocow/schroot/flidas/etc/sudoers <<EOF
-$USER  ALL=(ALL)  NOPASSWD: ALL
-Defaults  env_keep += SUDOD
-Defaults always_set_home
-Defaults !umask
-EOF
-        sd /nocow/schroot/flidas//etc/locale.gen <<'EOF'
-en_US.UTF-8 UTF-8
-EOF
-        s schroot -c flidas locale-gen
-        s schroot -c flidas update-locale LANG=en_US.UTF-8
-
-        m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/testing.list/TESTING_NONFREE debian unstable debootstrap
-        sudo cp -a /nocow/schroot/unstable/usr/share/debootstrap/scripts/* /usr/share/debootstrap/scripts
-
-        m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/impish.list/IMPISH ubuntu impish
-
-        ;;
-    esac
+    m mkschroot -s /a/bin/fai/fai/config/files/etc/apt/sources.list.d/bookworm.list/BOOKWORM_FREE \
+      debian bookworm firefox-esr pulseaudio chromium
     ;;
   debian)
     pi chromium
@@ -1532,7 +1347,7 @@ case $HOSTNAME in
     ;;
 esac
 
-mkdir -p $tdir
+sudo mkdir -p $tdir
 
 # adapted from /var/lib/dpkg/info/transmission-daemon.postinst
 # 450 seems likely to be unused. we need to specify one or else
@@ -1582,7 +1397,7 @@ ser stop transmission-daemon
 f=$tdir/transmission-daemon
 for d in $tdir/partial-torrents $tdir/torrents $f; do
   if [[ ! -d $d ]]; then
-    mkdir $d
+    sudo mkdir -p $d
   fi
   sudo chown -R debian-transmission:user2 $d
 done
@@ -1601,6 +1416,8 @@ sudo chown -R debian-transmission:debian-transmission /var/lib/transmission-daem
 #
 # Changed the cache-size to 256 mb, reduces disk use.
 # It is a read & write cache.
+#
+# just fyi: default rpc port is 9091
 if ! systemctl is-active transmission-daemon-nn &>/dev/null && \
     ! systemctl is-active transmission-daemon; then
   tmp=$(mktemp)
@@ -1641,6 +1458,9 @@ esac
 
 ######### begin transmission client setup ######
 
+# to connect from a remote client, trans-remote-route in brc2
+
+
 if [[ -e /p/transmission-rpc-pass ]]; then
   # arch had a default config,
   # debian had nothing until you start it.
@@ -1682,7 +1502,7 @@ EOF
   "profiles" : [
       {
       "profile-name" : "Default",
-      "hostname" : "10.173.0.2",
+      "hostname" : "10.174.2.2",
       "rpc-url-path" : "/transmission/rpc",
       "username" : "",
       "password" : "$rpc_pass",
@@ -1733,9 +1553,11 @@ sudo gpasswd -a $USER lpadmin # based on ubuntu wiki
 # general known for debian/ubuntu, not for fedora
 
 m /a/bin/buildscripts/go
+# only needed for rg. cargo takes up 11 gigs, filled up the disk on je.
 m /a/bin/buildscripts/rust
 m /a/bin/buildscripts/misc
-m /a/bin/buildscripts/pithosfly
+
+#m /a/bin/buildscripts/pithosfly
 #m /a/bin/buildscripts/alacritty
 #m /a/bin/buildscripts/kitty
 
@@ -1831,10 +1653,18 @@ DEVICESCAN -a -o on -S on -n standby,q $sched \
 
 ########### misc stuff
 
-if [[ $HOSTNAME != frodo ]]; then
-  # remove. i moved this into dns
-  echo | s cedit hole /etc/hosts ||:
-fi
+
+xdg-settings set default-web-browser abrowser.desktop
+# see current with:
+# xdg-settings get default-web-browser
+
+# pressing tab after sdf here:
+# scp sdfbash: set +o noglob: command not found
+# in t11, bash 5.1.16. this fixes it.
+sudo sed -ri 's/([[:space:]]*)(\$reset)$/\1set +o noglob #$reset/' /usr/share/bash-completion/bash_completion
+
+rm -fv /home/iank/.mpv/watch_later
+rm -rf /home/iank/.mpv
 
 if [[ ! -e ~/.local/bin/pip ]]; then
   tmp=$(mktemp)
@@ -1843,6 +1673,61 @@ if [[ ! -e ~/.local/bin/pip ]]; then
   hash -r
 fi
 
+## begin beets
+# soo, apt install beets fails due to wanting a pip package,
+# we find out why it wants this through
+# apt-cache depends --recurse --no-recommends --no-suggests --no-conflicts --no-breaks --no-replaces --no-enhances beets | less
+# python-mediafile requires tox, which requires virtualenv, which requires pip.
+# but, python-mediafile doesn't really require tox, it is specified in
+# ./usr/lib/python3/dist-packages/mediafile-0.9.0.dist-info/METADATA
+# as being required only for testing, but the debian package
+# included it anyways, due to a mistake or bad tooling or something.
+# I don't plan to use tox, so, according to https://serverfault.com/a/251091,
+# we can create and install a dummy package by:
+#
+# "equivs-control <name>, edit the file produced to provide the right
+# dependency and have a nice name, then run equivs-build <name> and
+# finally dpkg -i the resulting .deb file"
+# as of 2023-02, the tox dependency was removed in debian unstable, so
+# this hack will probably go away in t12.
+
+if pcheck beets; then
+  tmpdir="$(mktemp -d)"
+  cd "$tmpdir"
+  # edited from output of equivs-control tox
+  cat >tox <<'EOF'
+Section: python
+Priority: optional
+Standards-Version: 3.9.2
+Package: tox
+Description: tox-dummy
+EOF
+  equivs-build tox
+  sudo dpkg -i tox_1.0_all.deb
+  rm -rf ./tox*
+  pi beets python3-discogs-client
+  cd
+  rm -r "$tmpdir"
+fi
+
+# get rid of annoying message
+s sed -ri "s/^([[:space:]]*ui.print_\('Playing)/#\1/" /usr/share/beets/beetsplug/play.py
+
+
+# notes about barrier
+# run barrier, do the gui config,
+# setup the 2 screens, using hostnames for the new screen.
+# save the server config
+# $HOME/.local/share/barrier/.barrier.conf
+# per the man page.
+#
+# ssl errors, resolved via advice here: https://github.com/debauchee/barrier/issues/231
+# BARRIER_SSL_PATH=~/.local/share/barrier/SSL/
+# mkdir -p "${BARRIER_SSL_PATH}"
+# openssl req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:4096 -keyout ${BARRIER_SSL_PATH}/Barrier.pem -out ${BARRIER_SSL_PATH}/Barrier.pem
+# ran on both machines.
+# When pressing start in the gui, the cli options used are printed to the console,
+# they are useful. So on server, just run barriers, client run barrierc SERVER_IP
 
 ### begin timetrap setup
 if mountpoint /p &>/dev/null; then
@@ -1905,13 +1790,13 @@ sudo fc-cache
 pi desktop-file-utils
 m /a/bin/distro-setup/mymimes
 
-
-# stop autopoping windows when i plug in an android phone.
-# dbus-launch makes this work within an ssh connection, otherwise you get this message,
-# with still 0 exit code.
-# dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
-m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
-
+if type -p dbus-launch >/dev/null; then
+  # stop autopoping windows when i plug in an android phone.
+  # dbus-launch makes this work within an ssh connection, otherwise you get this message,
+  # with still 0 exit code.
+  # dconf-WARNING **: failed to commit changes to dconf: Cannot autolaunch D-Bus without X11 $DISPLAY
+  m dbus-launch gsettings set org.gnome.desktop.media-handling automount-open false
+fi
 
 # on grub upgrade, we get prompts unless we do this
 devs=()
@@ -1936,23 +1821,21 @@ sgo dynamicipupdate
 if grep -xFq $HOSTNAME /a/bin/ds/machine_specific/btrbk.hosts; then
   sgo btrbk.timer
 fi
-# note: to see when it was last run,
+
+# note: to see when a timer was last run,
 # ser list-timers
 
-case $HOSTNAME in
-  kd)
-    sgo btrbkrust.timer
-    ;;
-esac
 
 ### begin prometheus ###
 
 case $HOSTNAME in
   kd)
-    /a/bin/buildscripts/prometheus
     # Font awesome is needed for the alertmanager ui.
-    pi prometheus-alertmanager prometheus prometheus-node-exporter fonts-font-awesome
-    web-conf -p 9091 -f 9090 - apache2 i.b8.nz <<'EOF'
+    pi prometheus-alertmanager prometheus fonts-font-awesome
+    /c/roles/prom/files/simple/usr/local/bin/fsf-install-prometheus
+    # make it available for other machines
+    rsync -a /usr/local/bin/amtool /a/opt/bin
+    web-conf -p 9091 -f 9090 - apache2 b8.nz <<'EOF'
 <Location "/">
 AuthType Basic
 AuthName "basic_auth"
@@ -1963,7 +1846,7 @@ Require valid-user
 </Location>
 EOF
 
-    web-conf -p 9094 -f 9093 - apache2 i.b8.nz <<'EOF'
+    web-conf -p 9094 -f 9093 - apache2 b8.nz <<'EOF'
 <Location "/">
 AuthType Basic
 AuthName "basic_auth"
@@ -1976,36 +1859,48 @@ EOF
 
     # by default, the alertmanager web ui is not enabled other than a page
     # that suggests to use the amtool cli. that tool is good, but you cant
-    # silence things nearly as fast.
+    # silence things nearly as easily as with the gui.
     if [[ ! -e /usr/share/prometheus/alertmanager/ui/index.html ]]; then
-      sudo chroot /nocow/schroot/bullseye prometheus-alertmanager
-      sudo chroot /nocow/schroot/bullseye /usr/share/prometheus/alertmanager/generate-ui.sh
-      sudo rsync -avih /nocow/schroot/bullseye/usr/share/prometheus/alertmanager/ui/ /usr/share/prometheus/alertmanager/ui
+      # default script didnt work, required some changes to get elm 19.1,
+      # which is a dependency of the latest alertmanager. I modified
+      # and copied it into /b/ds. In future, might need some other
+      # solution.
+      #sudo /usr/share/prometheus/alertmanager/generate-ui.sh
+      sudo /b/ds/generate-ui.sh
       ser restart prometheus-alertmanager
     fi
 
+    s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter -l 127.0.0.1
+
     for ser in prometheus-node-exporter prometheus-alertmanager prometheus; do
       sysd-prom-fail-install $ser
     done
 
     ;;
   *)
-    pi prometheus-node-exporter
+    s /c/roles/prom_export/files/simple/usr/local/bin/fsf-install-node-exporter
     ;;
 esac
 
+# cleanup old files. 2023-02
+x=(/var/lib/prometheus/node-exporter/*.premerge)
+if [[ -e ${x[0]} ]]; then
+  s rm /var/lib/prometheus/node-exporter/*
+fi
+
+
 case $HOSTNAME in
-  # frodo needs upgrade first.
-  frodo) : ;;
   # todo, for limiting node exporter http,
   # either use iptables or, in
   # /etc/default/prometheus-node-exporter
   # listen on the wireguard interface
+
   *)
-    wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
-    # old filename. remove once all hosts are updated.
-    s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
-    web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
+    if [[ -e /etc/wireguard/wghole.conf ]]; then
+      wgip=$(command sudo sed -rn 's,^ *Address *= *([^/]+).*,\1,p' /etc/wireguard/wghole.conf)
+      # old filename. remove once all hosts are updated.
+      s rm -fv /etc/apache2/sites-enabled/${HOSTNAME}wg.b8.nz.conf
+      web-conf -i -a $wgip -p 9101 -f 9100 - apache2 ${HOSTNAME}wg.b8.nz <<'EOF'
 <Location "/">
 AuthType Basic
 AuthName "basic_auth"
@@ -2015,14 +1910,14 @@ AuthUserFile "/etc/prometheus-export-htpasswd"
 Require valid-user
 </Location>
 EOF
-    # For work, i think we will just use the firewall for hosts in the main data center, and
-    # vpn for hosts outside it.
+      # For work, i think we will just use the firewall for hosts in the main data center, and
+      # vpn for hosts outside it.
 
-    # TODO: figure out how to detect the ping failure and try again.
+      # TODO: figure out how to detect the ping failure and try again.
 
-    # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
-    s mkdir /etc/systemd/system/apache2.service.d
-    sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
+      # Binding to the wg interface, it might go down, so always restart, and wait for it on boot.
+      s mkdir /etc/systemd/system/apache2.service.d
+      sd /etc/systemd/system/apache2.service.d/restart.conf <<EOF
 [Unit]
 After=wg-quick@wghole.service
 StartLimitIntervalSec=0
@@ -2032,11 +1927,107 @@ Restart=always
 RestartSec=30
 EOF
 
+    fi
     ;;
 esac
 
 ### end prometheus ###
 
+### begin bitcoin ###
+
+case $HOSTNAME in
+  sy|kd|so)
+    sudo install -m 0755 -o root -g root -t /usr/bin /a/opt/bitcoin-27.0/bin/*
+    # Note: i leave it to system-status to start and stop bitcoin.
+    # note: the bitcoin user & group are setup in fai
+    sudo usermod -a -G bitcoin iank
+    # todo: make bitcoin have a stable uid/gid
+    sudo mkdir -p /var/lib/bitcoind
+    sudo chown bitcoin:bitcoin /var/lib/bitcoind
+    # 710 comes from the upstream bitcoin unit file
+    sudo chmod 710 /var/lib/bitcoind
+    # note, there exists
+    # /a/bin/ds/disabled/bitcoin
+    ;;
+esac
+
+### end bitcoin
+
+### begin live streaming ###
+
+# comparing nginx rtmp to icecast
+# `mpv --cache=no` had about 2.5 sec latency vs 4 seconds.
+# Then I discovered this command which had about .5 sec latency:
+#ffplay -f live_flv -fast -x 1280 -y 720 -fflags nobuffer -flags low_delay -strict experimental -vf "setpts=N/60/TB" -af "asetpts=N/60/TB" -noframedrop -i rtmp://url_here
+## a lot of those args arent needed, here is what I ended up with:
+# #ffplay -f live_flv -fflags nobuffer -flags low_delay -i rtmp://localhost/live
+#
+# A problem with rtmp is that it doesn't support vp8/vp9, requiring the partly patent encumbered h264.
+# Looking at alternative protocols: dash & hls are both high latency, I tested dash with the nginx-rtmp
+# module and got about 5 seconds of latency, web results imply that is normal.
+#
+# Webrtc is what jitsi & bbb use, but an annoying thing is that
+# generally requires a web browser with javascript, or some special
+# client, and afaik, it has a smaller limit on number of clients.
+#
+# Another option is to try rtp/rtsp, there are some servers here:
+# https://en.wikipedia.org/wiki/Real-Time_Streaming_Protocol
+
+
+## reference for setting up rtmp
+# pi nginx libnginx-mod-rtmp
+# cat >/etc/nginx/modules-enabled/rtmp.conf <<'EOF'
+## based on https://opensource.com/article/19/1/basic-live-video-streaming-server#comments
+## and https://github.com/arut/nginx-rtmp-module/wiki/Directives
+
+# rtmp {
+#     allow publish 127.0.0.1;
+#     deny publish all;
+#     server {
+#         listen 1935;
+#         application live {
+#             live on;
+#             record off;
+#         }
+#     }
+# }
+# EOF
+
+### end live streaming ###
+
+### begin gh ####
+
+# from https://raw.githubusercontent.com/cli/cli/trunk/docs/install_linux.md
+# One time setup afterwards:
+# gh auth login
+#
+# When it gets to the page where it asks to authorize github, the button
+# is grayed out. You can just open browser dev tools, inspect the
+# button, remove disabled="", then click it and it works.
+#
+# Auth token gets saved into /p/c/subdir_files/.local/share/keyrings/
+#
+# initial config goes to /home/iank/.config/gh
+curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+  && sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+  && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
+  && sudo apt update \
+  && sudo apt install gh -y
+
+### end gh ####
+
+
+# remove trisquel banner. it is cool but takes up too much space.
+sudo rm -f /etc/update-motd.d/01-banner
+
+case $HOSTNAME in
+  kw|x3)
+    sd /etc/cups/client.conf <<'EOF'
+ServerName printserver1.office.fsf.org
+EOF
+    ;;
+esac
+
 
 end_msg <<'EOF'
 In mate settings settings, change scrolling to two-finger,
@@ -2072,9 +2063,16 @@ lnf -T /a/opt ~/src
 pi tor
 m /a/bin/buildscripts/tor-browser
 # one root command needed to install
-s ln -sf /a/opt/tor-browser_en-US/Browser/start-tor-browser /usr/local/bin
+s ln -sf /a/opt/tor-browser/Browser/start-tor-browser /usr/local/bin
 
 
+case $HOSTNAME in
+  kd)
+    web-conf -p 4500 -f 4533 -e ian@iankelling.org apache2 b8.nz
+    sgo navidrome
+    ;;
+esac
+
 # nfs server
 pi-nostart nfs-kernel-server