fi
done
else # set default mountpoints
- if [[ $HOSTNAME == frodo ]]; then
- prospective_mps=(/i)
- else
- prospective_mps=(/a /q)
- if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
- prospective_mps+=(/o)
- fi
- fi
+ case $HOSTNAME in
+ frodo)
+ prospective_mps=(/i)
+ ;;
+ *)
+ prospective_mps=(/a /q)
+ if [[ $HOSTNAME == "$MAIL_HOST" ]]; then
+ prospective_mps+=(/o)
+ fi
+ ;;
+ esac
+ case ${targets[0]} in
+ kw|kww)
+ prospective_mps=(/a)
+ ;;
+ esac
+
for mp in ${prospective_mps[@]}; do # default mountpoints to sync
if [[ -e /nocow/btrfs-stale/$mp ]]; then
echo "$0: warning: $mp stale, not adding to default mountpoints"
ian|iank)
# p needs to go first so .ssh link is created, then config link inside it
m common-file-setup ${all_dirs[@]}
+
+ #### begin special extra stuff ####
+ install -d -m700 ~/gpg-agent-socket
if [[ -d /etc/bind/bind-writable ]]; then
# need bind writable dir for nsupdate, or else we get
# named[20823]: /etc/bind/db.iank.pw.jnl: create: permission denied
if [[ -e /etc/davpass ]] && getent group www-data &>/dev/null; then
s chgrp www-data /etc/davpass
fi
+ ##### end special extra stuff #####
+
+
+
m sudo -H -u traci "$BASH_SOURCE"
;;
traci)
fi
+
+###### begin arch aur wrapper ########
if isarch; then
#https://wiki.archlinux.org/index.php/Arch_User_Repository#Installing_packages
sudo pacman -S --noconfirm --needed base-devel jq
sudo systemctl enable pacserve.service
sudo systemctl start pacserve.service
+fi
+###### end arch aur wrapper ########
+
+pup
+
+
+###### begin trash cli install ######
+if isarch; then
# strange error if just installing trash-cli: "pyalpm requires python",
# so I see that it requires python2, and installing that manually fixes it.
- # I didn't see this on earlier installation, main thing which changed was
- # pacserve, so not sure if it's related.
+ # I didn\'t see this on earlier installation, main thing which changed was
+ # pacserve, so not sure if it\'s related.
pi python2
fi
-
-pup
pi trash-cli
+###### end trash cli install ######
-###### link files ###########
+######## begin fix evbug bug ######
+case $distro in
+ trisquel|ubuntu)
+ # noticed in flidas.
+ #https://bugs.launchpad.net/ubuntu/+source/module-init-tools/+bug/240553
+ sudo rmmod evbug ||: # might not be loaded yet
+ file=/etc/modprobe.d/blacklist.conf
+ line="blacklist evbug"
+ if ! grep -xFq "$line" $file; then
+ sudo tee -a $file &>/dev/null <<<"$line"
+ sudo depmod -a
+ sudo update-initramfs -u
+ fi
+ ;;
+esac
+######## end fix evbug bug ######
+
+
+
+###### begin link files ###########
# convenient to just do all file linking in one place
lnf -T /i/k/mboxes ~/mail
fi
+###### end link files ###########
+
##### basic needed packages
sudo systemctl enable fstrim.timer
fi
-dirs=(/mnt/{1,2,3,4,5,6,7,8,9})
+dirs=(/mnt/{1,2,3,4,5,6,7,8,9} /nocow/t)
s mkdir -p "${dirs[@]}"
s chown $USER:$USER "${dirs[@]}"
# mutagen for pithos
# guvcview set webcam brightness to highest
# pidgin-otr, i went into pidgin pluggin settings and generated a key for some accounts
+ # xawtv has webcam cli control. v4lctl bright 80%; v4lctl list
+ # guvcview also adjusts webcam
simple_packages+=(
apache2
apache2-doc
cloc
cpulimit
cron
+ debootstrap
debconf-doc
dirmngr
dnsutils
pry
python-autopep8
python3-doc
- python3-mutagen
qrencode
reportbug
$(aptitude show ruby | sed -rn 's/Depends: (.*)/\1/p')-doc
+ schroot
sqlite3-doc
squashfs-tools
swh-plugins
vlc
whois
wondershaper
+ xawtv
+ xbacklight
+ xprintidle
+ xscreensaver
)
spa $(apt-cache search ruby[.0-9]+-doc| awk '{print $1}')
;;
# todo: other distros unknown
esac
+# dogcam setup
+case $HOSTNAME in
+ lj|li)
+ /a/bin/webcam/install-server
+ ;;
+ kw)
+ /a/bin/webcam/install-client
+ ;;
+esac
+
# website setup
case $HOSTNAME in
lj|li)
ifconfig-push 10.8.0.4 255.255.255.0
EOF
+ # it\'s strange. docker seems to make the default for forward
+ # be drop, but then I set it to accept and it\'s stuck that way,
+ # I dun know why. But, let\'s make sure we can forward anyways.
+ s DEBIAN_FRONTEND=noninteractive pi iptables-persistent
+ rm /etc/iptables/rules.v6
+ s tee /etc/iptables/rules.v4 <<'EOF'
+*filter
+-A FORWARD -i tun+ -o eth0 -j ACCEPT
+-A FORWARD -i eth0 -o tun+ -j ACCEPT
+COMMIT
+EOF
+
+
sudo dd of=/etc/systemd/system/vpnmail.service <<EOF
[Unit]
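Review bot: `rm /etc/iptables/rules.v6` is the one command in the new iptables-persistent block without the `s` prefix that the neighbouring `s DEBIAN_FRONTEND=noninteractive pi` and `s tee` lines use, so if this script runs unprivileged as those prefixes suggest it fails on permissions, and on a rerun it fails again because the file is already gone; `s rm -f /etc/iptables/rules.v6` matches the rest of the block. Removing the v6 file also means iptables-persistent restores no IPv6 ruleset at all, leaving whatever IPv6 FORWARD policy the host currently has unmanaged, which deserves a one-line comment if that is intended. The rules.v4 body adds two FORWARD accepts but no `:FORWARD` policy line, so the chain policy stays whatever docker last set it to, as the comment above the block already acknowledges. The enclosing `lj|li)` case arm continues outside the hunk.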
;;
esac
lnf -T /w/syncthing /home/iank/.config/syncthing
+ ser daemon-reload # syncthing likely not properly packaged
sgo syncthing@iank # runs as iank
# these things persist in ~/.config/syncthing, which I save in
esac
-####### misc packages ###########
+####### begin misc packages ###########
+
+
+if [[ $HOSTNAME == kw ]]; then
+ cat <<'EOF'
+NOTE: after this finishes, i did
+s nmtui-connect
+# remove br from auto:
+s vim /etc/network/interfaces
+EOF
+fi
# nagstamon setting which were set through the ui
# in filters tab:
# others unknown
esac
+# /run and /dev/shm are listed as required for pulseaudio. All 4 in the group
+# listed in the default config as suggested.
+# /run/usr/1000 i noticed was missing for pulseaudio
+# /run/user/0 just seemed like a not bad idea, given the above
+tu /etc/schroot/desktop/fstab <<'EOF'
+/run /run none rw,bind 0 0
+/run/lock /run/lock none rw,bind 0 0
+/dev/shm /dev/shm none rw,bind 0 0
+/run/shm /run/shm none rw,bind 0 0
+/run/user/1000 /run/user/1000 none rw,bind 0 0
+/run/user/0 /run/user/0 none rw,bind 0 0
+EOF
+
+mkschroot() {
+ n=$1
+ shift
+ apps=($@)
+ d=/nocow/schroot/$n
+ if [[ -e $d/bin ]]; then
+ s chroot $d apt-get update
+ s chroot $d apt-get -y dist-upgrade --purge --auto-remove
+ s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
+ else
+ s mkdir -p $d
+ s debootstrap $n $d http://deb.debian.org/debian/
+ s dd of=/etc/schroot/chroot.d/$n.conf <<EOF
+[$n]
+description=$n
+type=directory
+directory=$d
+profile=desktop
+preserve-environment=true
+users=$USER
+EOF
+
+ s cp -P {,$d}/etc/localtime
+ cd #schroot fails if our current directory is not in the chroot
+ s schroot -c $n -- apt-get install --allow-unauthenticated -y ${apps[@]}
+ fi
+}
+
+# for my roommate
+case $distro in
+ trisquel)
+ mkschroot stretch firefox-esr pulseaudio chromium
+ ;;
+esac
+
s mkdir -p /nocow/user
s chown $USER:$USER /nocow/user
case $distro in
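Review bot: `mkschroot` installs into the chroot with `apt-get install --allow-unauthenticated -y`, which turns off apt's signature verification for packages fetched from `http://deb.debian.org/debian/` over plain http; the anki setup this helper replaces installed without that flag, so unless the freshly debootstrapped chroot is known to lack a keyring, drop the flag or install the archive keyring inside the chroot first and keep verification on. The desktop fstab written above bind-mounts the host's `/run`, `/run/user/1000` and `/run/user/0` read-write into a chroot the comment says is for another person, which exposes root's and the desktop user's runtime sockets to it; if only pulseaudio is needed, binding just its socket directory would be a far smaller surface. Separately, `n`, `apps` and `d` are assigned without `local` and so leak into the caller's scope, `${apps[@]}` is unquoted, and the bare `cd` changes the caller's working directory for everything that runs after the call; a header comment stating that the function chdirs to `$HOME` would at least make that side effect visible.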
pi anki
;;
*)
- pi debootstrap schroot
- d=/nocow/user/schroot/anki
- if [[ -e $d/bin ]]; then
- s chroot $d apt-get update
- s chroot $d apt-get -y dist-upgrade --purge --auto-remove
- else
-
- mkdir -p /nocow/user/schroot/anki
- s debootstrap jessie $d http://deb.debian.org/debian/
- s dd of=/etc/schroot/chroot.d/anki.conf <<EOF
-[anki]
-description=Anki on jessie
-type=directory
-directory=$d
-profile=desktop
-preserve-environment=true
-users=$USER
-EOF
-
- s cp {,$d}/etc/locale.gen
- s cp -P {,$d}/etc/localtime
- cd
- s schroot -c anki -- apt-get install -y anki locales mplayer
- fi
+ mkschroot jessie anki pulsaudio mplayer
;;
esac
;;
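Review bot: `mkschroot jessie anki pulsaudio mplayer` misspells the package name as `pulsaudio` (the trisquel call above spells it `pulseaudio`), so the `apt-get install` inside the chroot will fail on an unknown package; change the line to `mkschroot jessie anki pulseaudio mplayer`. The replaced code also installed `locales` and copied `/etc/locale.gen` into the chroot, which the new helper does not do, so a rebuilt anki chroot will differ in that respect — worth confirming it is not needed. The outer `case` this arm belongs to starts outside the hunk.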
exec &>/var/log/keyscript-off.log
echo "$0: starting. $(date)"
fi
-
sed="sed --follow-symlinks"
+if [[ $HOSTNAME == kw ]]; then
+ exit 0
+fi
+
if [[ $($sed -rn 's/^ID=(.*)/\1/p' /etc/os-release) == arch ]]; then
if grep -q '^\s*FILES=' /etc/mkinitcpio.conf; then
$sed -ri 's/^\s*FILES=/#\0/' /etc/mkinitcpio.conf # comment out
e iptables -t nat -S
e ip rule
e ip route show table 1
+
+ tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
+ if [[ $tun_dev == tun* ]]; then
+ e sysctl net.ipv4.conf.$tun_dev.rp_filter
+ else
+ echo "$0: note, no tun device found"
+ fi
exit 0
}
e iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4
e ip rule $ip_op fwmark 1 table 1
# note, this rule does not persist when the tun interface is deleted
- #e ip route $ip_op default via 10.8.0.1 table 1
+ e ip route $ip_op default via 10.8.0.1 table 1
+
+ # on debian this is 0 (no filter), on ubuntu it\'s 1, which is no good. 0 or 2 both work fine.
+ # 2 drops it if the packet is not routable, martian address, or my default route is screwed up,
+ # so, eh, might as well. some rhel docs recommend using it.
+ e sysctl net.ipv4.conf.$tun_dev.rp_filter=2
exit 0
}
#!/bin/bash
+set -x
+
# Copyright (C) 2016 Ian Kelling
# Licensed under the Apache License, Version 2.0 (the "License");
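Review bot: `set -x` placed right after the shebang traces every expanded command of the entire run to stderr with no way to switch it off, and this script later expands values such as `$postmaster` and whatever its sourced private files define into command arguments, so those end up in any captured log or mail of the output. If the trace is wanted, gate it on a variable (e.g. `[[ ${DISTRO_SETUP_DEBUG:-} ]] && set -x`, name is a placeholder) or bracket only the section being debugged with `set -x`/`set +x`. Heredoc bodies are not echoed by the trace, but the commands and their expanded arguments are.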
# # host -t txt _dmarc.gmail.com
# # yahoo: p=reject, hotmail: p=none, gmail: p=none, fastmail none for legacy reasons
# # there were articles claiming gmail would be changing
-# # to p=reject, in early 2017, which didn't happen. I see no sources on them. It's
+# # to p=reject, in early 2017, which didn\'t happen. I see no sources on them. It\'s
# # expected to cause problems
# # with a few old mailing lists, copying theirs for now.
#
inet_protocols = ipv4
EOF
# msg_size_limit: I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
- # inet_protocols: without this, I've had postfix try an ipv6 lookup then gives
+ # inet_protocols: without this, I\'ve had postfix try an ipv6 lookup then gives
# up and fail forever. snippet from syslog: type=AAAA: Host not found, try again
mkdir -p $exim_main_dir
+
+ #### begin mail cert setup ###
+ f=/usr/local/bin/mail-cert-cron
+ cat >$f <<'EOF'
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
+
+f=/a/bin/bash_unpublished/source-semi-priv
+if [[ -e $f ]]; then
+ source $f
+fi
+if [[ $HOSTNAME == $MAIL_HOST ]]; then
+ local_mx=mail.iankelling.org
+ rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/"
+ ${rsync_common}fullchain.pem /etc/exim4/exim.crt
+ ${rsync_common}privkey.pem /etc/exim4/exim.key
+fi
+EOF
+ chmod 755 $f
+
+ cat >/etc/systemd/system/mailcert.service <<'EOF'
+[Unit]
+Description=Mail cert rsync
+After=multi-user.target
+
+[Service]
+Type=oneshot
+ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
+EOF
+
+ cat >/etc/systemd/system/mailcert.timer <<'EOF'
+[Unit]
+Description=Run mail-cert once a day
+
+[Timer]
+OnCalendar=daily
+
+[Install]
+WantedBy=timers.target
+EOF
+ systemctl daemon-reload
+ systemctl start mailcert
+ systemctl restart mailcert.timer
+ systemctl enable mailcert.timer
+
+ ##### end mailcert setup #####
+
+
+
if [[ $HOSTNAME == $MAIL_HOST ]]; then
debconf-set-selections <<EOF
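Review bot: The generated `/usr/local/bin/mail-cert-cron` has no interpreter line — its first line is `set -eE -o pipefail` — yet it depends on bash-only constructs (`[[`, `$BASH_COMMAND`, `$BASH_SOURCE`, `exec sudo "$BASH_SOURCE"`), so it only behaves if `/a/bin/log-quiet/sysd-mail-once` happens to invoke it under bash; make `#!/bin/bash` the first line of the heredoc. The rsync of `privkey.pem` runs as root and lands with `--chmod=640 --chown=root:Debian-exim`, which is the right restriction for a key exim reads. This block is a relocation of the copy removed further down, so the missing shebang predates the commit.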
/^\s*mail_location\s*=/d
EOF
- cat >/etc/dovecot/conf.d/20-lmtp.conf <<'EOF'
+ cat >/etc/dovecot/conf.d/20-lmtp.conf <<EOF
protocol lmtp {
#per https://wiki2.dovecot.org/Pigeonhole/Sieve/Configuration
- mail_plugins = $mail_plugins sieve
+ mail_plugins = \$mail_plugins sieve
# default was
- #mail_plugins = $mail_plugins
+ #mail_plugins = \$mail_plugins
# For a normal setup with exim, we need something like this, which
# removes the domain part
# A normal way to do this, which I did at first is to have
# a router in exim almost at the end, eg 950,
#local_catchall:
-# debug_print = "R: catchall for $local_part@$domain"
+# debug_print = "R: catchall for \$local_part@\$domain"
# driver = redirect
# domains = +local_domains
-# data = ian
+# data = $u
# based on
# http://blog.alteholz.eu/2015/04/exim4-and-catchall-email-address/
# with superflous options removed.
# which makes filtering into mailboxes a little less robust or more complicated,
# so I've done it this way instead. it also requires
# modifying the local router in exim.
- auth_username_format = ian
+ auth_username_format = $u
}
EOF
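Review bot: Switching the 20-lmtp.conf heredoc to an unquoted `<<EOF` so that `auth_username_format = $u` expands means an unset or empty `u` silently writes `auth_username_format =` into the dovecot config rather than failing; assert it first with `: "${u:?local mail user must be set}"`. Every other `$` in the body now has to be escaped, which the commit does for `$mail_plugins`, `$local_part` and `$domain`; a one-line comment above the `cat`, e.g. `# unquoted heredoc: $u expands, escape any other $`, will keep the next addition from being expanded by accident.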
ExecStart=/a/bin/distro-setup/spamd-dns-fix
EOF
# 2017-09, debian closed the bug on this saying upstream had fixed it.
- # remove this when i'm using the newer package, ie, debian 10, or maybe
+ # remove this when i\'m using the newer package, ie, debian 10, or maybe
# ubuntu 18.04.
cat >/etc/systemd/system/spamddnsfix.timer <<'EOF'
[Unit]
##### end spamassassin config
- f=/usr/local/bin/mail-cert-cron
- cat >$f <<'EOF'
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-[[ $EUID == 0 ]] || exec sudo "$BASH_SOURCE" "$@"
-
-f=/a/bin/bash_unpublished/source-semi-priv
-if [[ -e $f ]]; then
- source $f
-fi
-if [[ $HOSTNAME == $MAIL_HOST ]]; then
- local_mx=mail.iankelling.org
- rsync_common="rsync -ogtL --chown=root:Debian-exim --chmod=640 root@li:/etc/letsencrypt/live/$local_mx/"
- ${rsync_common}fullchain.pem /etc/exim4/exim.crt
- ${rsync_common}privkey.pem /etc/exim4/exim.key
-fi
-EOF
- chmod 755 $f
-
- cat >/etc/systemd/system/mailcert.service <<'EOF'
-[Unit]
-Description=Mail cert rsync
-After=multi-user.target
-
-[Service]
-Type=oneshot
-ExecStart=/a/bin/log-quiet/sysd-mail-once mailcert /usr/local/bin/mail-cert-cron
-EOF
-
- cat >/etc/systemd/system/mailcert.timer <<'EOF'
-[Unit]
-Description=Run mail-cert once a day
-
-[Timer]
-OnCalendar=daily
-
-[Install]
-WantedBy=timers.target
-EOF
- systemctl daemon-reload
- systemctl start mailcert
- systemctl restart mailcert.timer
- systemctl enable mailcert.timer
-
-
-
sed -r s/^\\S+:/$b:/ 600_exim4-config_userforward >175_$b
systemctl restart exim4
- fi # end if exim4
+fi #### end if exim4
- # /etc/alias setup is debian specific, and
- # exim config sets up an /etc/alias from root to the postmaster, which i
- # config to ian, as long as there exists an entry for root, or there was
- # no preexisting aliases file. based on the postinst file. postfix
- # won't set up a root to $postmaster alias if it's already installed.
- # Since postfix is not the greatest, just set it ourselves.
- if [[ $postmaster != root ]]; then
- sed -i --follow-symlinks -f - /etc/aliases <<EOF
+# /etc/alias setup is debian specific, and
+# exim config sets up an /etc/alias from root to the postmaster, which i
+# config to ian, as long as there exists an entry for root, or there was
+# no preexisting aliases file. based on the postinst file. postfix
+# won\'t set up a root to $postmaster alias if it\'s already installed.
+# Since postfix is not the greatest, just set it ourselves.
+if [[ $postmaster != root ]]; then
+ sed -i --follow-symlinks -f - /etc/aliases <<EOF
\$a root: $postmaster
/^root:/d
EOF
- newaliases
- fi
+ newaliases
+fi
# put spool dir in directory that spans multiple distros.
# based on http://www.postfix.org/qmgr.8.html and my notes in gnus
#
-# todo: I'm suspicious of uids for Debian-exim being the same across
+# todo: I\'m suspicious of uids for Debian-exim being the same across
# distros. It would be good to test this.
dir=/nocow/$type
sdir=/var/spool/$type
if e umount -R $dir; then
unmounted+=($dir)
else
- echo "$0: failed to umount $dir"
- # lsof will fail if it finds no pids
- if ! e timeout 4 lsof $dir; then
- umount_ret=false
- ret=1
- continue
+ if pids=$(timeout 4 lsof -t $dir); then
+ timeout 4 lsof -w $dir
+ kill $pids
fi
- pids=$(lsof -t $dir) ||:
- kill $pids
+
+ # fuser will find open sockets that lsof won't, for example from gpg-agent.
+ # note: -v shows kernel processes, which then doesn't return true when we want
+ if timeout 4 fuser -m $dir &>/dev/null; then
+ fuser -TERM -mvk $dir
+ fi
+
sleep .5
if e umount -R $dir; then
unmounted+=($dir)
else
+ echo "$0: failed to umount $dir"
umount_ret=false
ret=1
continue
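Review bot: `fuser -TERM -mvk $dir` with `-m` signals every process holding any file on the filesystem that contains `$dir`, so if the first `umount -R $dir` failed because nothing was mounted there rather than because it was busy, `-m` resolves to the parent filesystem — plausibly the root fs — and the kill reaches essentially every process on the host; guard it with `if mountpoint -q $dir && timeout 4 fuser -m $dir &>/dev/null; then`. `kill $pids` and the fuser kill both send TERM and the code only waits `sleep .5` before retrying, so anything slower to exit still trips the second umount into the existing `umount_ret=false` path; a short comment saying the retry is best-effort would make that intent clear. The loop body this belongs to starts before the hunk.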
# created password file with:
# htpasswd -c /etc/davpass dav
+vpn_ser=openvpn-client
+if [[ ! -e /lib/systemd/system/openvpn-client@.service ]]; then
+ vpn_ser=openvpn
+fi
+
d=/etc/systemd/system/radicale.service.d
mkdir -p $d
-sudo dd of=$d/override.conf <<'EOF'
+sudo dd of=$d/override.conf <<EOF
[Unit]
# this unit is configured to start and stop whenever openvpn-client@mail.service
# does
After=network.target
-BindsTo=openvpn-client@mail.service
-After=openvpn-client@mail.service
+BindsTo=$vpn_ser@mail.service
+After=$vpn_ser@mail.service
[Install]
RequiredBy=openvpn-client@mail.service
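Review bot: `BindsTo` and `After` now use `$vpn_ser@mail.service`, but the unchanged `RequiredBy=openvpn-client@mail.service` on the last line still names the new-style unit, so on a host where the fallback `vpn_ser=openvpn` is chosen the `[Install]` section points at a template that does not exist and enabling radicale will not wire the dependency; make it `RequiredBy=$vpn_ser@mail.service`, which the now-unquoted heredoc will expand. The comment inside the unit, `# this unit is configured to start and stop whenever openvpn-client@mail.service`, is stale for the same reason and could read `whenever $vpn_ser@mail.service`. The override heredoc ends outside the hunk.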
##### begin command line parsing ########
update_wrt=true # default
-long_opt=foo # default
temp=$(getopt -l help wh "$@") || usage 1
eval set -- "$temp"
while true; do
mail-setup "$old_shell"
sudo dd of=/etc/btrbk.conf <<'EOF'
-ssh_identity /root/.ssh/id_rsa
+ssh_identity /root/.ssh/home
# Just a guess that local7 is a good facility to pick.
# It's a bit odd that the transaction log has to be logged to
# a file or syslog, while other output is sent to std out.
EOF
-sudo btrbk --progress run
+sudo btrbk run
$new_shell mount-latest-subvol
-mail-setup
+mail-setup "$new_shell"
if $restore_new_btrbk; then
$new_shell sudo systemctl start btrbk.timer
# see lan-dyn-dns-update. this is the corresponding script for on connect/disconnect from vpn
d=/p/ovpn-ssh
-ssh_cmd="ssh -F$d/.config -i$d/id_rsa root@wrt.b8.nz cedit ovpn-$X509_0_CN /etc/hosts"
+ssh_cmd="ssh -F$d/.config -i$d/home root@wrt.b8.nz cedit ovpn-$X509_0_CN /etc/hosts"
case $script_type in
client-connect) $ssh_cmd <<<"$ifconfig_pool_remote_ip $X509_0_CN"|| [[ $? == 1 ]]
;;