git clone https://github.com/pump-io/pump.io.git
cd pump.io
fi
+ # note: these 2 commands seem
# note: doing this or the npm install pump.io as root had problems.
npm install
npm run build
# https://github.com/pump-io/pump.io/issues/1287
s npm install -g databank-mongodb@0.19.2
if ! getent passwd pumpio &>/dev/null; then
- s useradd -m -s /bin/false pumpio
+ s useradd -Um -s /bin/false pumpio
fi
sudo -u pumpio mkdir -p /home/pumpio/pumpdata
# for testing browser when only listening to localhost,
# to exit and save config:
# /msg *status shutdown
# configed auth on freenode by following
- # https://wiki.znc.in/Sasl
+ # https://wiki.znc.in/Sasl:
+ # /msg *sasl RequireAuth yes
+ # /msg *sasl Mechanism PLAIN
+ # /msg *sasl Set ident_name password
# created the system service after, and had to do
# mv /home/iank/.znc/* /var/lib/znc
# sed -i 's,/home/iank/.znc/,/var/lib/znc,' /var/lib/znc/config/znc.conf
# and made a copy of the config files into /p/c
- # added LoadModule = log -sanitize to the top level
+ # /msg *status LoadMod --type=global log -sanitize
# to get into the web interface,
# cat /etc/letsencrypt/live/iankelling.org/{privkey,cert,chain}.pem > /var/lib/znc/znc.pem
# then use non-main browser or else it doesn't allow it based on ocsp stapling from my main site.
+ # https://iankelling.org:12533/
# i'm going to figure out how to automate this when it expires. i know i can hook a script into the renewal. https://wiki.znc.in/FAQ seems to imply that znc doesn\'t need restart.
# todo: in config file AllowWeb = true should be false. better security if that is off unless we need it.
- # todo: figure out how to make playback in erc happe.n
+ # /msg *status LoadMod --type=network perform
+ # /msg *perform add PRIVMSG ChanServ :invite #fsf-office
+ # /msg *perform add JOIN #fsf-office
+ #
+ # i set Buffer = 500
+ # also ran /znc LoadMod clearbufferonmsg
+ # it would be nice if erc supported erc query buffers by doing
+ # /msg *status clearbuffer <name of the query/receiver
+ # on killing the,
+ # an example seems to be here: https://github.com/zenspider/elisp/blob/master/rwd-irc.el
+ # if that was the case i could remove the module clearbufferonmsg
+ # alo would be nice if erc supported
+ # https://wiki.znc.in/self-message
+ # https://wiki.znc.in/Query_buffers \
+ #
s useradd --create-home -d /var/lib/znc --system --shell /sbin/nologin --comment "Account to run ZNC daemon" --user-group znc || [[ $? == 9 ]] # 9 if it exists already
chmod 700 /var/lib/znc
- s chown -R znc:znc /var/lib/znc/config
+ s chown -R znc:znc /var/lib/znc
s dd of=/etc/systemd/system/znc.service 2>/dev/null <<'EOF'
[Unit]
Description=ZNC, an advanced IRC bouncer
# key already exists, so this won't generate one, just the configs.
vpn-server-setup -rds
s tee -a /etc/openvpn/server/server.conf <<'EOF'
-push "dhcp-option DNS 192.168.1.1"
-push "route 192.168.1.0 255.255.255.0"
+push "dhcp-option DNS 10.0.0.1"
+push "route 10.0.0.0 255.255.0.0"
client-connect /a/bin/distro-setup/vpn-client-connect
EOF
s sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
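Review bot: The new `push "route 10.0.0.0 255.255.0.0"` line is a /16, whereas the line it replaces was a /24 and the NFS export changed elsewhere in this commit is `10.0.0.0/24`. If the LAN really is only 10.0.0.0/24 (the addressing plan is not visible here), VPN clients will route all of 10.0.x.x into the tunnel, which exposes more than the old rule did. Either narrow it to `push "route 10.0.0.0 255.255.255.0"` or add a comment such as `# LAN is 10.0.0.0/16; NFS is limited to the first /24 on purpose`. Because the heredoc is appended with `tee -a`, it is also worth confirming that `vpn-server-setup -rds` rewrites server.conf first, otherwise an already-provisioned server keeps the old 192.168.1.x push lines alongside the new ones.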
reset-konsole
sudo -u traci -i reset-konsole
reset-xscreensaver
-# this is packaged, but i see it's gotten a fair amount of development lately,
-# so install from cabal. the options are needed to get over incompatible xmonad library versions
-# but that stuff is in the global namespace, and it seems they don't conflict in practice.
-pi libxss-dev # dependency based on build failure
-cabal update
-cabal install --upgrade-dependencies --force-reinstalls arbtt
-lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
+
+
+# this would install from cabal for newer / consistent version across os, but it screws up xmonad, so disabled for now.
+# this is also in primary-setup
+# pi libxss-dev # dependency based on build failure
+# cabal update
+# cabal install --upgrade-dependencies --force-reinstalls arbtt
+# also, i assume syncing this between machines somehow messed thin
+#lnf -T /m/arbtt-capture.log ~/.arbtt/capture.log
primary-setup
fi
+# We want group writable stuff from transmission.
+# However, after setting this, I learn that transmission sets it's
+# own umask based on it's settings file. Well, no harm leaving this
+# so it's set right from the beginning.
+s chfn debian-transmission -o umask=0002
+
# trisquel 8 = openvpn, debian stretch = openvpn-client
vpn_ser=openvpn-client
if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
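Review bot: The `umask=0002` GECOS entry written by `s chfn debian-transmission -o umask=0002` is only read by pam_umask inside a PAM session for that user, so it most likely never applies to a daemon started from a systemd unit. The added comment says transmission overrides it, but not that this line has no effect on the service at all. I would extend the comment with `# only read by pam_umask in PAM sessions; the daemon's umask comes from settings.json` so nobody later relies on this line for the permissions. Since the aim is group-writable downloads, the comment should also name the group, because every member of it can then modify or replace the downloaded files.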
p = '/etc/transmission-daemon/settings.json'
s = JSON.parse(File.read(p))
s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp
+# default is 0022 (18 in decimal)
+s["umask"] = 2
File.write p, JSON.pretty_generate(s)
EOF
# 1. it can be mounted with a shorthand of server:/
# 2. exports that are subdirectories of this one will automatically be mounted
tu /etc/exports <<'EOF'
-/k 192.168.1.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
+/k 10.0.0.0/24(rw,fsid=0,nohide,no_root_squash,async,no_subtree_check,insecure)
EOF
s exportfs -rav
fi
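Review bot: The new export line keeps `no_root_squash` and `insecure` for the whole `10.0.0.0/24`, so root on any host in that range is root on /k. In addition, `insecure` accepts requests from unprivileged source ports, so a non-root process on such a host can talk NFS to the server directly. Since the line is being changed anyway, consider listing the specific client addresses instead of the subnet, or switching to `root_squash` and dropping `insecure` unless a client is known to need it. At minimum, a comment above the line should say why both options are required, e.g. `# no_root_squash: <reason>; insecure: <client that needs it>`.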
+# note, transmission specific thing here is to
+# allow one extra port for transmission-remote, but thats no big deal,
+# might as well use this in general for openvpn-nn
+
# format from iptables-save. [0:0] are comments of packet-count/byte-count
# which I removed
*filter
# from ip route, we can deduce that traffic goes to the
# local 10.8.0.x tun0, then to the normal interface.
# For the normal interface, we allow only some ports:
-# dns, vpn, transmission-remote.
+# dns for root user, vpn, and transmission-remote.
# dns is only used to resolve the vpn server ip on initial
# connection.
# rules are mirror on input and output, just for extra safety,
-A OUTPUT -p tcp -m tcp --dport 53 -m owner --uid-owner root -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
+# transmission-remote
-A OUTPUT -p tcp -m tcp --sport 9091 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT