# todo. dunno why, but original bootstrap of timezone is not sticking.
# fixed manually with:
# s dpkg-reconfigure tzdata
+# enter 12 then 11.
# for bootstrapping a new machine
# set the scrollback to unlimited in case something goes wrong
if [[ $EUID == 0 ]]; then
- echo "error: do not run as root"
- exit
+ if getent passwd ian; then
+ echo "$0: error: running as root. unprivileged user exists. use it."
+ exit 1
+ else
+ echo "$0: warning: running as root. I will setup users then exit"
+ fi
fi
-interactive=true # set this to true if running by hand in emacs
+interactive=false # set this to true if running by hand in emacs
[[ $- == *i* ]] || interactive=false
-
-
if ! $interactive; then
set -x
set -e -o pipefail
echo "$0: $(date): starting now)"
# headless=false # unused atm
-recompile=true
+recompile=false
# for copying to a new data fs
bootstrapfs=false # old flag, needs new look before using.
while [[ $1 == -* ]]; do
case $1 in
# avoid some of the longer compilation steps,
# when we need to rerun because we had an error
- -n) recompile=false; shift ;;
+ -r) recompile=true; shift ;;
esac
done
if [[ $1 ]]; then
- host=$1
-else
- host=$HOSTNAME
+ export HOSTNAME=$1
fi
-for f in iank-dev htpc treetowl x2 frodo tp; do
- eval "$f() { [[ $host == $f ]]; }"
+for f in iank-dev htpc treetowl x2 frodo tp lj lk; do
+ eval "$f() { [[ $HOSTNAME == $f ]]; }"
done
has_p() { iank-dev || x2 || frodo; }
+has_x() { ! lj && ! lk; }
encrypted() { has_p || tp; }
shopt -s extglob
sudo systemctl start keyscriptoff.service
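Review bot: In the host-predicate loop, `eval "$f() { [[ $HOSTNAME == $f ]]; }"` expands `$HOSTNAME` while the function text is being built, and `HOSTNAME` is now taken straight from `$1`, so whatever is passed as the host argument is parsed as shell code inside every generated function. Escaping the variable defers the lookup to call time, so the argument is only ever compared and never evaluated: `eval "$f() { [[ \$HOSTNAME == $f ]]; }"`. In the same region the option loop, as shown, has only a `-r` arm, so the old `-n` flag or any other dash option never reaches a `shift` and `while [[ $1 == -* ]]` does not terminate. A default arm such as `*) echo "$0: unknown option $1" >&2; exit 1 ;;` would close that off.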
fi
+
+/a/bin/install-myqueue
+
if iank-dev; then
desktop=$(ssh root@iankelling.org grep desktop /etc/hosts | grep -o "^.* ")
if $bootstrapfs; then
cp="scp $desktop:"
# for moving to a new hd, change $cp to move between filesystems
mkdir -p /a/bin
- chown -R ian:ian /a
+ chown -R ian:ian /a # probably needs to be removed
$cp/a/c /a
$cp/a/c/bin/{bash-programs-by-ian,distro-begin,distro-functions,input-setup.sh} /a/bin
echo -e \\n\\n\\n | ssh-keygen -t rsa
# todo, it would be nice to cut down on some of the output
-# output is below so shellcheck can verify sources
for x in /a/bin/bash-programs-by-ian/repos/{errhandle,tee-unique,lnf}/*-function; do
+ # output is below so shellcheck can verify sources
echo "# shellcheck source=$x";
# shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/bash-trace-function
# shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/errallow-function
set +e
$interactive || errcatch
+set +x
source /a/bin/distro-functions/src/identify-distros
+$interactive || set -x
echo path:$PATH
-
if isfedora; then
# comment out line disallowing calling sudo in scripts
sudo sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers
fi
+# already ran for pxe installs, but used for vps & updates
+distro=$(distro-name)
+case $distro in
+ ubuntu|debian)
+ sudo bash -c ". /a/bin/fai/fai-wrapper && /a/bin/fai/fai/config/scripts/GRUB_PC/11-ian"
+ ;;
+ *)
+ sudo bash -c ". /a/bin/fai-wrapper &&
+/a/bin/fai/fai/config/distro-install-common/end"
+ ;;
+esac
+
+
+if [[ $EUID == 0 ]]; then
+ echo "$0: running as root. exiting now that users are setup"
+ exit 0
+fi
# link files
+lnf-home() {
+ # $2 and opts are unused so far.
+ opts=()
+ while [[ $1 == -* ]]; do
+ opts+=($1)
+ shift
+ done
+ lnf ${opts[@]} "$1" /home/ian/$2
+ sudo -u traci -i <<EOF
+source /a/bin/bash-programs-by-ian/repos/lnf/lnf-function
+lnf ${opts[@]} "$1" /home/traci/$2
+EOF
+}
for x in /a/c/repos/bash/!(.git); do
- for homedir in /home/*; do
- sudo chown -R ian:ian $homedir
- lnf "$x" $homedir
- done
+ lnf-home "$x"
sudo -i <<EOF
source /a/bin/bash-programs-by-ian/repos/lnf/lnf-function
lnf $x /root
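Review bot: `lnf-home` pastes `${opts[@]}`, `$1` and `$2` into the text of the script that `sudo -u traci -i` reads from the unquoted heredoc, so a path under /a/c/repos/bash containing a double quote, `$` or a backquote is re-parsed by traci's login shell instead of being passed as data. Quoting the words before they enter the heredoc keeps them literal, e.g. `lnf $(printf '%q ' "${opts[@]}" "$1" "/home/traci/$2")`, and the local call should read `lnf "${opts[@]}" "$1" "/home/ian/$2"`. `opts` should also be declared `local` so it does not leak into the caller. The unchanged `sudo -i` heredoc right after the call has the same pattern with `lnf $x /root`, there running as root. Separately, the two added `sudo bash -c` arms source `/a/bin/fai/fai-wrapper` and `/a/bin/fai-wrapper` respectively; one of those paths is probably a typo.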
if isdebian; then
- # add contrib non-free to sources for main
- s sed -i 's/^\(deb.* main\).*/\1 contrib non-free/' /etc/apt/sources.list.d/*
-
+ codename=$(debian-codename)
# non-existent var, as Im not planning to use stable right now
if isdebian-stable; then
- code=$(debian-codename)
- s dd of=/etc/apt/sources.list.d/mozilla-iceweasel.list <<EOF
-deb http://mozilla.debian.net/ $code-backports firefox-release
-deb-src http://mozilla.debian.net/ $code-backports firefox-release
+ if has_x; then
+ s dd of=/etc/apt/sources.list.d/mozilla-iceweasel.list <<EOF
+deb http://mozilla.debian.net/ $codename-backports firefox-release
+deb-src http://mozilla.debian.net/ $codename-backports firefox-release
EOF
+ fi
# we change the mirror from the default, so we cant use tu
s dd of=/etc/apt/sources.list.d/main-backports.list <<EOF
-deb http://http.debian.net/debian $code-backports main contrib non-free
-deb-src http://http.debian.net/debian $code-backports main contrib non-free
+deb http://http.debian.net/debian $codename-backports main contrib non-free
+deb-src http://http.debian.net/debian $codename-backports main contrib non-free
EOF
p update
EOF
done
pi pacserve
- x=$(mktemp); pacman.conf-insert_pacserve >$x
+ x=$(mktemp); /a/opt/pacman.conf-insert_pacserve >$x
sudo dd of=/etc/pacman.conf if=$x; rm $x
sudo systemctl enable pacserve.service
sudo systemctl start pacserve.service
###### link files ###########
# convenient to just do all file linking in one place
-s lnf /a/sdx{,d} /
-
# if it wasn't set already, we could set hostname here
#echo treetowl | s dd of=/etc/hostname
#s hostname -F /etc/hostname
# todo: reconcile ~/.ssh/config work/home
s lnf -T /q/p /p
+s lnf -T /a/bin /b
+/a/bin/conflink
+
if has_p; then
lnf -T /p/offlineimap ~/Maildir
lnf -T /p/News ~/News
# don't use /* because I don't want to require it to be mounted
s lnf /q/root/.editor-backups /q/root/.undo-tree-history \
- /a/opt /a/c/.emacs.d ~/.unison /root
+ /a/opt /a/c/.emacs.d /root
fi
/a/bin/rootsshsync
# basic needed packages
case $(distro-name) in
debian)
- pi firefox$( isdebian-stable && e /$code-backports )
+ if has_x; then
+ if isdebian-stable; then
+ pi firefox/$codename-backports
+ else
+ pi firefox/unstable # has no unstable dependencies
+ fi
+ fi
# for hosts which require nonfree drivers
case $HOSTNAME in
tp|x2) : ;;
esac
;;&
ubuntu|debian)
- pi xmacro gtk-redshift xinput
+ if has_x; then
+ pi xmacro gtk-redshift xinput
+ fi
;;&
fedora)
p -y groupinstall development-tools c-development books admin-tools
- pi redshift-gtk
- # debian has this package patched to work, upstream is dead
- # tried using alien, pi alien, alien -r *.deb, rpm -Uhv *.rpm, got this error, so fuck it
- # file /usr/bin from install of xmacro-0.3pre_20000911-7.x86_64 conflicts with file from package filesystem-3.2-19.fc20.x86_64
- # http://packages.debian.org/source/sid/xmacro
- pi patch libXtst-devel wget man-pages # what is the ubuntu equivalent to man-pages?
- cd $(mktemp -d)
- wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911.orig.tar.gz
- wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911-6.diff.gz
- ex *.gz
- patch -p0 < xmacro_0.3pre-20000911-6.diff
- cd xmacro-0.3pre-20000911.orig
- make
- sleep 1 # not sure why the following command couldn\'t find, so trying this
- # no make install target
- s cp -f xmacroplay xmacrorec xmacrorec2 /usr/local/bin
+ pi wget man-pages
+ if has_x; then
+ pi redshift-gtk
+ # debian has this package patched to work, upstream is dead
+ # tried using alien, pi alien, alien -r *.deb, rpm -Uhv *.rpm, got this error, so fuck it
+ # file /usr/bin from install of xmacro-0.3pre_20000911-7.x86_64 conflicts with file from package filesystem-3.2-19.fc20.x86_64
+ # http://packages.debian.org/source/sid/xmacro
+ pi patch libXtst-devel
+ cd $(mktemp -d)
+ wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911.orig.tar.gz
+ wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911-6.diff.gz
+ ex *.gz
+ patch -p0 < xmacro_0.3pre-20000911-6.diff
+ cd xmacro-0.3pre-20000911.orig
+ make
+ sleep 1 # not sure why the following command couldn\'t find, so trying this
+ # no make install target
+ s cp -f xmacroplay xmacrorec xmacrorec2 /usr/local/bin
+ fi
;;&
arch)
- # libxtst is missing dep https://aur.archlinux.org/packages/xmacro/#news
- pi xorg-server redshift xorg-xinput pkgfile libxtst xmacro
# like apt-cache
+ pi pkgfile
s pkgfile --update
-
- # background:
- # https://aur.archlinux.org/packages/xkbset/#comment-545419
- cert=$(mktemp)
- cat >$cert <<'EOF'
+ if has_x; then
+ # libxtst is missing dep https://aur.archlinux.org/packages/xmacro/#news
+ pi xorg-server redshift xorg-xinput libxtst xmacro
+
+ # background:
+ # https://aur.archlinux.org/packages/xkbset/#comment-545419
+ cert=$(mktemp)
+ cat >$cert <<'EOF'
-----BEGIN CERTIFICATE-----
MIIJADCCB+igAwIBAgIRAIVAhZ0TMbQ5jTm0koI8X6YwDQYJKoZIhvcNAQELBQAw
djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix
jjxDah2nGN59PRbxYvnKkKj9
-----END CERTIFICATE-----
EOF
- cat /etc/ssl/certs/ca-certificates.crt >> $cert
- CURL_CA_BUNDLE=$cert pi xkbset
+ cat /etc/ssl/certs/ca-certificates.crt >> $cert
+ CURL_CA_BUNDLE=$cert pi xkbset
+ fi
;;&
ubuntu|debian|fedora)
- pi xkbset
+ if has_x; then
+ pi xkbset
+ fi
;;&
esac
-
-pi xbindkeys cryptsetup
-
-pi lvm2
+if has_x; then
+ pi xbindkeys
+fi
+pi cryptsetup lvm2
# enables trim for volume delete, other rare commands.
sudo sed -ri 's/( *issue_discards\b).*/\1 = 1/' /etc/lvm/lvm.conf
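Review bot: The Fedora arm still downloads the xmacro tarball and the Debian patch over plain `http://`, builds them, and copies the resulting binaries into /usr/local/bin with `s cp -f`, and nothing checks that the files are the expected ones. Since both versions are fixed, pin their digests before `ex *.gz`, for example `echo "<sha256-of-orig-tarball>  xmacro_0.3pre-20000911.orig.tar.gz" | sha256sum -c -` and the same for the diff (placeholder shown; fill in the real digests). The commit only moves this code under `has_x`, so the gap predates it, but the re-indent is a convenient moment to close it.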
EOF
fi
+s mkdir -p /q/i/{w,k}
for dir in /{i,w,k}; do
if mountpoint $dir; then continue; fi
s mkdir -p $dir
s chmod 755 /q
-/a/bin/conflink
-
+# it comes with stretch and arch, but not jessie.
# propogate /etc/udev/hwdb.d
-s systemd-hwdb update
-ser restart systemd-udev-trigger
+if which systemd-hwdb; then
+ s systemd-hwdb update
+ ser restart systemd-udev-trigger
+fi
# work desktop doesnt need gpg stuff, but it doesnt hurt
s dd of=/etc/profile.d/environment.sh <<'EOF'
if [ -f $HOME/path_add-function ]; then
. $HOME/path_add-function
path_add /usr/sbin /usr/local/sbin /sbin
- path_add /a/bin /a/opt/bin $HOME/.cabal/bin
+ path_add /a/exe /a/opt/bin $HOME/.cabal/bin
if [ -r /etc/alternatives/java_sdk ]; then
export JAVA_HOME=/etc/alternatives/java_sdk
-# emacs dependency.
-# dunno why debian installed postfix with yum-builddep emacs
-# but I will just explicitly install it here since
-# I use it for sending mail in emacs.
-if private-host; then
- relayhost="[mail.messagingengine.com]:587"
-else
- # ses initially suggests port 25, but I had problems connecting to that.
- relayhost="[email-smtp.us-west-2.amazonaws.com]:587"
-fi
-if isdeb; then
- s debconf-set-selections<<EOF
-postfix postfix/main_mailer_type select Satellite system
-postfix postfix/mailname string $host
-postfix postfix/relayhost string $relayhost
-EOF
-
- pi postfix
-else
- pi postfix
- # Settings from reading the output when installing on debian,
- # then seeing which were different in a default install on arch.
- # I assume the same works for fedora.
- postconfin <<EOF
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-relayhost = $relayhost
-inet_interfaces = loopback-only
-EOF
+/a/bin/postfix-setup
- s systemctl enable postfix
- s systemctl start postfix
+if isubuntu; then
+ # disable crash report annoying crap
+ s dd of=/etc/default/apport <<<'enabled=0'
fi
+if has_x; then
+ if isarch; then
+ # install so it's build dependencies don't get removed.
-if isarch; then
- # install so it's build dependencies don't get removed.
-
- # emacs git build is currently broken
- if false; then
- x=$(mktemp -d)
- pushd $x
- aurex emacs-git
- makepkg -si --noconfirm
- popd
- rm -rf $x
- else
- pi emacs
- fi
- pi hunspell hunspell-en
-else
- # to disable emacs git build,
- # s apt-get install emacs
- if $recompile; then
- /a/bin/buildscripts/emacs -u
+ # emacs git build is currently broken
+ if false; then
+ x=$(mktemp -d)
+ pushd $x
+ aurex emacs-git
+ makepkg -si --noconfirm
+ popd
+ rm -rf $x
+ else
+ pi emacs
+ fi
+ pi hunspell hunspell-en
else
- /a/bin/buildscripts/emacs -r
+ # to disable emacs git build,
+ # s apt-get install emacs
+ if $recompile; then
+ /a/bin/buildscripts/emacs -u
+ else
+ /a/bin/buildscripts/emacs -r
+ fi
fi
-fi
-# todo, figure this out for arch if we ever try out gnome.
-if ! isarch; then
- # install for multiple display managers in case we use one
- if isdeb; then
- dir=/etc/gdm3
- elif isfedora; then
- # fedora didn\'t have the 3.
- dir=/etc/gdm
- fi
- s mkdir -p $dir/PostLogin
- s command cp /a/bin/desktop-20-autostart.sh $dir/PostLogin/Default
- s mkdir /etc/lightdm/lightdm.conf.d
- s dd of=/etc/lightdm/lightdm.conf.d/12-ian.conf <<'EOF'
+ # todo, figure this out for arch if we ever try out gnome.
+ if ! isarch; then
+ # install for multiple display managers in case we use one
+ if isdeb; then
+ dir=/etc/gdm3
+ elif isfedora; then
+ # fedora didn\'t have the 3.
+ dir=/etc/gdm
+ fi
+ s mkdir -p $dir/PostLogin
+ s command cp /a/bin/desktop-20-autostart.sh $dir/PostLogin/Default
+ s mkdir /etc/lightdm/lightdm.conf.d
+ s dd of=/etc/lightdm/lightdm.conf.d/12-ian.conf <<'EOF'
[SeatDefaults]
session-setup-script=/a/bin/desktop-20-autostart.sh
EOF
-fi
-
-if isubuntu; then
- # disable crash report annoying crap
- s dd of=/etc/default/apport <<<'enabled=0'
-fi
+ fi
-pi ghc sakura
-# todo, also note for work comp, scp opt/org-mode bin/build-scripts
+ pi ghc sakura
+ # todo, also note for work comp, scp opt/org-mode bin/build-scripts
-# use the package manger version to install the cabal version
-pi cabal-install
-cabal update
-PATH="$PATH:$HOME/.cabal/bin"
+ # use the package manger version to install the cabal version
+ pi cabal-install
+ cabal update
+ PATH="$PATH:$HOME/.cabal/bin"
-# todo, on older ubuntu I used cabal xmonad + xfce,
-# see /a/bin/old-unused/xmonad-cabal.sh
+ # todo, on older ubuntu I used cabal xmonad + xfce,
+ # see /a/bin/old-unused/xmonad-cabal.sh
-# trying out the distro's versions newer distros
-pi xmonad
-if isarch; then
- # for displaying error messages.
- # optional dependency in arch, standard elsewhere.
- pi xorg-xmessage xmonad-contrib xorg-xsetroot xorg-xinit
+ # trying out the distros versions newer distros
+ pi xmonad
+ if isarch; then
+ # for displaying error messages.
+ # optional dependency in arch, standard elsewhere.
+ pi xorg-xmessage xmonad-contrib xorg-xsetroot xorg-xinit
- # https://wiki.archlinux.org/index.php/Xinitrc
- for homedir in /home/*; do
- cp /etc/X11/xinit/xinitrc $homedir/.xinitrc
- sed -ri '/^ *twm\b/,$d' $homedir/.xinitrc
- echo "source /a/bin/xinitrc" | tee -a $homedir/.xinitrc
- done
-else
- pi suckless-tools
-fi
-pi dmenu
+ # https://wiki.archlinux.org/index.php/Xinitrc
+ for homedir in /home/*; do
+ cp /etc/X11/xinit/xinitrc $homedir/.xinitrc
+ sed -ri '/^ *twm\b/,$d' $homedir/.xinitrc
+ echo "source /a/bin/xinitrc" | tee -a $homedir/.xinitrc
+ done
+ else
+ pi suckless-tools
+ fi
+ pi dmenu
-if isdeb && (tp || x2); then
- pi task-laptop
+ if isdeb && (tp || x2); then
+ pi task-laptop
+ fi
fi
-sudo chown -R traci:traci /home/traci
+# the first pup command can kill off our /etc/
+/a/bin/ssh-emacs-setup
echo "$0: $(date): ending now"
exec &> >(sudo tee -a /var/log/distro-end)
echo "$0: $(date): starting now)"
+src="${BASH_SOURCE%/*}"
+
end_msg() {
= local y
IFS= read -r -d '' y ||:
end_msg_var+="$y"
}
+spa() { # simple package add
+ simple_packages+=($@)
+}
+
distro=$(distro-name)
pending_reboot=false
pup
-# universal packages
simple_packages=(
- bwm-ng
- chromium
- duplicity
- evince
- fdupes
- filelight
- gdb
- gnome-screenshot
mailutils
- meld
- mpv
nmon
- offlineimap
- p7zip
- paprefs
- pavucontrol
- pianobar
- pidgin
- rdiff-backup
- slock
- smartmontools
- squashfs-tools
- tcpdump
- transmission-remote-gtk
+ ruby
+ ruby-rest-client
tree
vim
)
-spa() { # simple package add
- simple_packages+=($@)
-}
+if [[ $HOSTNAME != lj && $HOSTNAME != lk ]]; then
+ # universal packages
+ simple_packages+=(
+ apache2
+ bwm-ng
+ chromium
+ duplicity
+ evince
+ fdupes
+ filelight
+ gdb
+ gnome-screenshot
+ jq
+ locate
+ meld
+ offlineimap
+ p7zip
+ paprefs
+ pavucontrol
+ pdfgrep
+ pianobar
+ pidgin
+ rdiff-backup
+ slock
+ squashfs-tools
+ tcpdump
+ transmission-remote-gtk
+ vlc
+ )
+fi
+
+
+
+########### begin section including lj ################
+
+
+case $distro in
+ fedora) spa unrar ;;
+ *) spa unrar-free ;;
+esac
+
+
+case $distro in
+ arch)
+ # ubuntu 14.04 uses b-cron,
+ # but its not maintained in arch.
+ # of the ones in the main repos, cronie is only one maintained.
+ # fcron appears abandoned software.
+ pi cronie
+ sgo cronie
+ ;;
+ *) : ;; # other distros come with cron.
+esac
+
+
+case $distro in
+ debian|ubuntu)
+ pi debian-goodies
+ ;;
+esac
+
+
+case $distro in
+ *) pi at ;;&
+ arch) sgo atd ;;
+esac
case $distro in
- debian) pi curl ;;
+ debian) pi curl;;
arch) : ;;
# fedora: unknown
esac
+case $distro in
+ # tk for gitk
+ arch) spa git tk ;;
+ *) spa git ;;
+esac
+
+case $distro in
+ arch) spa the_silver_searcher ;;
+ debian|ubuntu) spa silversearcher-ag ;;
+ # fedora unknown
+esac
+
+case $distro in
+ debian|ubuntu) spa ntp;;
+ arch)
+ pi ntp
+ sgo ntpd
+ ;;
+ # others unknown
+esac
+
+
+# no equivalent in other distros:
+case $distro in
+ debian|ubuntu)
+ pi apt-file aptitude
+ s apt-file update
+ # for debconf-get-selections
+ spa debconf-utils
+ ;;
+esac
+
+case $distro in
+ ubuntu|debian) spa ack-grep ;;
+ arch|fedora) spa ack ;;
+ # fedora unknown
+esac
+
+case $distro in
+ arch|debian|ubuntu)
+ spa bash-completion
+ ;;
+ # others unknown
+esac
+
+
+
+
+
+# disable motd junk.
+case $(distro-name) in
+ debian)
+ # allows me to pipe with ssh -t, and gets rid of spam
+ # http://forums.debian.net/viewtopic.php?f=5&t=85822
+ # i'd rather disable the service than comment the init file
+ # this says disabling the service, it will still get restarted
+ # but this script doesn't do anything on restart, so it should be fine
+ s dd of=/var/run/motd.dynamic if=/dev/null
+ s update-rc.d motd disable
+ ;;
+ ubuntu)
+ # this isn't a complete solution. It still shows me when updates are available,
+ # but it's no big deal.
+ s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
+ ;;
+esac
+
+# automatic updates
+# reference:
+# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
+# /etc/cron.daily/apt calls unattended-upgrades
+# /usr/share/doc/unattended-upgrades# cat README.md
+# /etc/apt/apt.conf.d/50unattended-upgrades
+if isdebian; then
+ pi unattended-upgrades
+ s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
+# this file was mostly just comments.
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";
+EOF
+
+
+ { cat <<'EOF'
+Unattended-Upgrade::Mail "root";
+Unattended-Upgrade::MailOnlyOnError "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Origins-Pattern {
+# default is just upgrade main and security, not updates.
+EOF
+ if isdebian-testing; then
+ cat <<'EOF'
+# for testing, only do security updates.
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+EOF
+ else
+ cat <<'EOF'
+# These are stable packages only getting bugfixes anyways.
+ "origin=*";
+EOF
+ fi
+ cat <<'EOF'
+};
+EOF
+ } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades
+
+
+ echo $- > /tmp/x
+fi
+
+# cron
+/a/bin/crons/all
+
+
+case $HOSTNAME in
+ lj|lk)
+
+ pi "${simple_packages[@]}"
+ $src/homepage-setup
+ $src/
+
+# start=' *<source lang="bash"> *'
+# end=' *<\/source> *'
+# ruby <<'EOF' | sed -rn "/^$start$/,/^$end$/{s/^$start|$end$/# \0/;p}" | bash
+# require 'json'
+# puts JSON.parse(`curl 'https://ofswiki.org/w/api.php?\
+# action=query&titles=Mediawiki_Setup_Guide&prop=revisions&rvprop=content&\
+# format=json'`.chomp)['query']['pages'].values[0]['revisions'][0]['*']
+# EOF
+# nginx-site iankelling.org
+
+ echo "$0: $(date): ending now)"
+ exit 0
+ ;;
+esac
+
+########### end section including lj ###############
+
+
case $distro in
arch) pi syncthing ;;
ubuntu|debian)
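Review bot: The non-testing branch of the 50unattended-upgrades heredoc writes `"origin=*";`, which makes every configured apt source eligible for automatic installation, not only the Debian archive. The same script adds mozilla.debian.net and backports lists on stable hosts, so the comment's assumption that these are stable bugfix packages does not hold for everything that pattern matches. Consider listing the intended origins explicitly, e.g. `"origin=Debian,codename=${distro_codename}";` next to the security label. Separately, `echo $- > /tmp/x` at the end of that block looks like leftover debugging and writes to a fixed name in /tmp. The bare `$src/` line in the `lj|lk` arm will also fail with "Is a directory" before the arm reaches `exit 0`.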
# install bar code scanner.
-# things with no equivalent in other distros:
+# no equivalent in other distros:
case $distro in
debian|ubuntu)
# for gui bug reporting
spa python-vte
- pi apt-file aptitude
- s apt-file update
- # for debconf-get-selections
- spa debconf-utils
;;
esac
####### misc packages ###########
-case $distro in
- ubuntu|debian)
- spa spacefm-gtk3 ;;
- arch)
- spa spacefm ;;
-esac
-
-
if [[ $HOSTNAME == frodo ]]; then
case $distro in
s sysctl -p
# some reason it doesn't seem to start automatically anyways
- pi-nostart tranmission-daemon
+ pi-nostart transmission-daemon
# config file documented here, and it's the same config
# for daemon vs client, so it's documented in the gui.
# https://trac.transmissionbt.com/wiki/EditConfigFiles#Options
require 'json'
p = '/etc/transmission-daemon/settings.json'
File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({
-'rpc-whitelist': '127.0.0.1,192.168.1.*',
-'rpc-authentication-required': false,
-'incomplete-dir': '/i/k/partial-torrents',
-'download-dir': '/i/k/torrents',
-"speed-limit-up": 700,
-"speed-limit-up-enabled": true,
-"ratio-limit": 1.4000,
-"ratio-limit-enabled": true,
+'rpc-whitelist' => '127.0.0.1,192.168.1.*',
+'rpc-authentication-required' => false,
+'incomplete-dir' => '/i/k/partial-torrents',
+'download-dir' => '/i/k/torrents',
+"speed-limit-up" => 700,
+"speed-limit-up-enabled" => true,
+"ratio-limit" => 1.4000,
+"ratio-limit-enabled" => true,
})) + "\n")
EOF
sgo transmission-daemon
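Review bot: The merged settings keep `'rpc-authentication-required' => false` alongside `'rpc-whitelist' => '127.0.0.1,192.168.1.*'`, so every host on that subnet can drive the daemon's RPC interface without credentials. If control from the LAN is needed, set `'rpc-authentication-required' => true` together with `rpc-username` and `rpc-password`; otherwise narrow the whitelist to `127.0.0.1`. The Ruby heredoc that holds these lines opens outside the visible hunk, so the surrounding invocation could not be checked.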
case $distro in
debian|ubuntu)
pi-nostart openvpn
- # pi-nostart this doesn't seem to be good enough?
+ # pi-nostart this doesnt seem to be good enough?
ser disable openvpn@client
ser disable openvpn
;;
- *) pi openvpn ;;
- esac
-
- case $HOSTNAME in
- tp|frodo)
- case $distro in
- debian|ubuntu)
- log=$(mktemp)
- cd /a/opt
- wget -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
- set +e
- s dpkg -i google-chrome-stable_current_amd64.deb &> $log
- code=$?
- set -e
- case $code in
- 1)
- if grep '^dpkg: dependency problems prevent configuration of' \
- $log &>/dev/null; then
- s apt-get -fy install
- else
- exit 1
- fi
- ;;
- 0) : ;;
- *) exit $code
- esac
- ;;
- arch)
- pi google-chrome
- ;;
- esac
- ;;
- esac
-
- case $distro in
- # ubuntu unknown. probably the same as debian, just check if the
- # init scripts come with the package.
- debian)
- # copied from arch, but moved to etc
- s dd of=/etc/systemd/user/synergys.service <<'EOF'
-[Unit]
-Description=Synergy Server Daemon
-After=network.target
-
-[Service]
-User=%i
-ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
-EOF
- s dd of=/etc/systemd/user/synergys.socket <<'EOF'
-[Unit]
-Conflicts=synergys@.service
-
-[Socket]
-ListenStream=24800
-Accept=false
-
-[Install]
-WantedBy=sockets.target
-EOF
- ;;&
- *)
- pi synergy
- # taken from arch wiki.
- s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
-[Unit]
-Description=Synergy Client
-After=network.target
-
-[Service]
-User=%i
-ExecStart=/usr/bin/synergyc --no-daemon treetowl
-Restart=on-failure
-# per man systemd.unit, StartLimitInterval, by default we
-# restart more than 5 times in 10 seconds.
-# And this param defaults too 200 miliseconds.
-RestartSec=3s
-
-[Install]
-WantedBy=multi-user.target
-EOF
- case $HOSTNAME in
- frodo)
- sgo synergyc@ian
- systemctl --user start synergys
- systemctl --user enable synergys
- ;;
- treetowl) systemctl --user enable synergys ;;
- esac
- ;;
- esac
-
- case $distro in
- # tk for gitk
- arch) spa git tk ;;
- *) spa git ;;
- esac
-
- case $distro in
- arch) spa the_silver_searcher ;;
- debian|ubuntu) spa silversearcher-ag ;;
- # fedora unknown
- esac
+ *) pi openvpn ;;
+esac
- # printer
- case $distro in
- arch)
- pi cups ghostscript gsfonts # from arch wiki cups page
- pi hplip # from google
- s gpasswd -a $USER sys # from arch wiki
- sgo org.cups.cupsd.service
- # goto http://127.0.0.1:631
- # administration tab, add new printer button.
- # In debian, I could use hte recommended driver,
- # in arch, I had to pick out the 6L driver.
- ;;
- debian|ubuntu)
- spa hplip
- ;;
- # other distros unknown
- esac
+pi wget
+case $HOSTNAME in
+ tp|frodo)
+ case $distro in
+ debian|ubuntu)
+ log=$(mktemp)
+ cd /a/opt
+ wget -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
+ set +e
+ s dpkg -i google-chrome-stable_current_amd64.deb &> $log
+ code=$?
+ set -e
+ case $code in
+ 1)
+ if grep '^dpkg: dependency problems prevent configuration of' \
+ $log &>/dev/null; then
+ s apt-get -fy install
+ else
+ exit 1
+ fi
+ ;;
+ 0) : ;;
+ *) exit $code
+ esac
+ ;;
+ arch)
+ pi google-chrome
+ ;;
+ esac
+ ;;
+esac
+# printer
+case $distro in
+ arch)
+ pi cups ghostscript gsfonts # from arch wiki cups page
+ pi hplip # from google
+ s gpasswd -a $USER sys # from arch wiki
+ sgo org.cups.cupsd.service
+ # goto http://127.0.0.1:631
+ # administration tab, add new printer button.
+ # In debian, I could use hte recommended driver,
+ # in arch, I had to pick out the 6L driver.
+ ;;
+ debian|ubuntu)
+ spa hplip
+ ;;
+ # other distros unknown
+esac
- case $distro in
- ubuntu|debian) spa ack-grep ;;
- arch|fedora) spa ack ;;
- # fedora unknown
- esac
- case $distro in
- ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
- fedora|arch) spa mairix notmuch ;;
- esac
- case $distro in
- arch) spa nfs-utils ;;
- ubuntu|debian) spa nfs-client ;;
- esac
- case $distro in
- ubuntu|debian) spa par2 ;;
- arch|fedora) spa par2cmdline ;;
- esac
- # needed for my tex resume
- case $distro in
- ubuntu|debian) spa texlive-full ;;
- arch) spa texlive-most ;;
- # fedora unknown
- esac
+case $distro in
+ ubuntu|debian) pi --no-install-recommends mairix notmuch ;;
+ fedora|arch) spa mairix notmuch ;;
+esac
+case $distro in
+ arch) spa nfs-utils ;;
+ ubuntu|debian) spa nfs-client ;;
+esac
+case $distro in
+ ubuntu|debian) spa par2 ;;
+ arch|fedora) spa par2cmdline ;;
+esac
- case $distro in
- ubuntu)
- # flash, unrar, codecs, ms fonts.
- # This has a manual prompt.
- spa ubuntu-restricted-extras
- ;;
- fedora)
- pi yum-utils
- # rpm fusion recommended codecs
- s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
- pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
- xine-lib-extras-freeworld
- ;;
- esac
+# needed for my tex resume
+case $distro in
+ ubuntu|debian) spa texlive-full ;;
+ arch) spa texlive-most ;;
+ # fedora unknown
+esac
- case $distro in
- # optional dep for firefox for h.264 video
- arch) spa gst-libav ;;
- # other distros, probably come by default
- esac
+case $distro in
+ ubuntu)
+ # flash, unrar, codecs, ms fonts.
+ # This has a manual prompt.
+ spa ubuntu-restricted-extras
+ ;;
+ fedora)
+ pi yum-utils
+ # rpm fusion recommended codecs
+ s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
+ pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\
+ xine-lib-extras-freeworld
+ ;;
+esac
- case $distro in
- fedora|ubuntu|debian) spa gnupg-agent ;;
- arch) : ;;
- esac
+case $distro in
+ # optional dep for firefox for h.264 video
+ arch) spa gst-libav ;;
+ # other distros, probably come by default
+esac
+case $distro in
+ fedora|ubuntu|debian) spa gnupg-agent ;;
+ arch) : ;;
+esac
- case $distro in
- fedora) spa pinentry-gtk ;;
- *) : ;; # comes default or with other packages
- esac
- case $distro in
- arch) spa firefox pulseaudio;;
- *) : ;; # comes default or with other packages
- esac
+case $distro in
+ fedora) spa pinentry-gtk ;;
+ *) : ;; # comes default or with other packages
+esac
- case $distro in
- arch|debian|ubuntu)
- spa bash-completion
- ;;
- # others unknown
- esac
+case $distro in
+ arch) spa firefox pulseaudio;;
+ *) : ;; # comes default or with other packages
+esac
- case $distro in
- arch) spa ttf-dejavu;;
- debian|ubuntu) spa fonts-dejavu ;;
- # others unknown
- esac
+case $distro in
+ arch) spa ttf-dejavu;;
+ debian|ubuntu) spa fonts-dejavu ;;
+ # others unknown
+esac
- case $distro in
- debian|ubuntu) spa ntp;;
- arch)
- pi ntp
- sgo ntpd
- ;;
- # others unknown
- esac
- case $distro in
- arch) spa xorg-xev;;
- debian|ubuntu) spa x11-utils ;;
- # others unknown
- esac
+case $distro in
+ arch) spa xorg-xev;;
+ debian|ubuntu) spa x11-utils ;;
+ # others unknown
+esac
- case $distro in
- arch) pi virt-install;;&
- debian|ubuntu) pi virtinst ;;&
- *) pi virt-manager ;; # creates the libvirt group in debian at least
- # others unknown
- esac
- # allow user to run vms, from debian handbook
- for x in ian traci; do s usermod -a -G libvirt $x; done
+case $distro in
+ arch) pi virt-install;;&
+ debian|ubuntu) pi virtinst ;;&
+ *) pi virt-manager ;; # creates the libvirt group in debian at least
+ # others unknown
+esac
+# allow user to run vms, from debian handbook
+for x in ian traci; do s usermod -a -G libvirt,kvm $x; done
# bridge networking as user fails. google lead here, but it doesn't work:
# oh well, I give up.
# http://wiki.qemu.org/Features-Done/HelperNetworking
# dnsmasq & ebtables for nat networking in libvirt
# qemu for qemu-img, bind-tools for dig
# dmidecode just because syslog complains
- pi unzip wget xorg-xmodmap dmidecode ebtables\
+ pi unzip xorg-xmodmap dmidecode ebtables\
bridge-utils dnsmasq qemu bind-tools
# otherwise we get error about accessing kvm module.
# seems like there might be a better way, but google was a bit vague.
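Review bot: The Fedora arm runs `yum localinstall -y --nogpgcheck` as root on two rpmfusion release RPMs fetched over plain `http://`, so nothing authenticates them. Those packages go on to install the repository definitions and signing keys trusted for every later rpmfusion install. Fetch the release RPMs over HTTPS or verify them against a separately obtained RPM Fusion key, and drop `--nogpgcheck` once that key is imported. The commit only dedents this code, so the gap predates it. The enclosing outer `case` begins outside the lines shown.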
;;
esac
-case $distro in
- *) pi at ;;&
- arch) sgo atd ;;
-esac
-
case $distro in
arch) pi virtviewer ;;
*) : ;; # other distros have it as a dependency afaik.
-case $distro in
- arch)
- # ubuntu 14.04 uses b-cron,
- # but it's not maintained in arch.
- # of the ones in the main repos, cronie is only one maintained.
- # fcron appears abandoned software.
- pi cronie
- sgo cronie
- ;;
- *) : ;; # other distros come with cron.
-esac
-
-
case $distro in
fedora) cabal install shellcheck ;;
*) spa shellcheck ;;
case $distro in
- debian|ubuntu) spa android-tools-adb ;;
+ debian|ubuntu) spa android-tools-adb/unstable ;;
arch) spa android-tools ;;
# other distros unknown
esac
-
case $distro in
- fedora) spa unrar ;;
- *) spa unrar-free ;;
+ debian)
+ if [[ `debian-archive` == testing ]]; then
+ # has no unstable dependencies
+ spa bitcoin-qt/unstable
+ fi
+ ;;
+ # other distros unknown
esac
esac
-# leave this for last so it doesn't do a bunch of other apps
-# which I want explicitly installed in case I switch DE's
case $distro in
debian)
pi task-cinnamon-desktop
# in settings, change scrolling to two-finger,
# because the default edge scroll doesn\'t work.
+ pu transmission-gtk
;;
# others unknown
esac
# already in debian jessie
esac
-pi "${simple_packages[@]}"
+
+
+
+# note this failed running at the beginning of this file,
+# because no systemd user instance was running.
+# Doing systemd --user resulted in
+# Trying to run as user instance, but $XDG_RUNTIME_DIR is not set
+case $distro in
+ # ubuntu unknown. probably the same as debian, just check if the
+ # init scripts come with the package.
+ debian)
+ # copied from arch, but moved to etc
+ s dd of=/etc/systemd/user/synergys.service <<'EOF'
+[Unit]
+Description=Synergy Server Daemon
+After=network.target
+
+[Service]
+User=%i
+ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ s dd of=/etc/systemd/user/synergys.socket <<'EOF'
+[Unit]
+Conflicts=synergys@.service
+
+[Socket]
+ListenStream=24800
+Accept=false
+
+[Install]
+WantedBy=sockets.target
+EOF
+ ;;&
+ *)
+ pi synergy
+ # taken from arch wiki.
+ s dd of=/etc/systemd/system/synergyc@.service <<'EOF'
+[Unit]
+Description=Synergy Client
+After=network.target
+
+[Service]
+User=%i
+ExecStart=/usr/bin/synergyc --no-daemon treetowl
+Restart=on-failure
+# per man systemd.unit, StartLimitInterval, by default we
+# restart more than 5 times in 10 seconds.
+# And this param defaults too 200 miliseconds.
+RestartSec=3s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ case $HOSTNAME in
+ frodo)
+ ser enable synergyc@ian
+ ser start synergyc@ian ||: # X might not be running yet
+ systemctl --user start synergys ||:
+ systemctl --user enable synergys
+ ;;
+ treetowl) systemctl --user enable synergys ;;
+ esac
+ ;;
+esac
+
######### end misc packages #########
######## unfinished
# todo, finish configuring smart.
+
+pi smartmontools
# mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T.
# turn on smart. background on options:
# first line, -a = test everyting on all devices.
########### misc stuff
-if [[ $HOSTNAME == frodo ]]; then
- tu /etc/exports <<'EOF'
-/k 192.168.1.0/24(rw,nohide,no_subtree_check,insecure)
-EOF
- s exportfs -ra
-fi
-if [[ `debian-archive` == stable ]]; then
- s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
+case $distro in
+ debian|ubuntu)
+ case `debian-archive` in
+ stable)
+ s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF'
Explanation: Allow unison-gtk to be upgraded
Package: unison-gtk
Pin: release a=unstable
Pin-Priority: 500
EOF
-fi
+ # dont think using testing is needed since I figured out how to
+ # deal with mismatching unison compilers, but I dont
+ # see any reason to revert it, since it only installs
+ # a single package which is primarily a single binary
+ pi unison-gtk/testing unison/testing
+ ;;
+ testing)
+ piunison unison-gtk
+ ;;
+ esac
+ ;;
+ arch)
+ pi unison gtk2
+ ;;
+esac
case $distro in
arch)
;;
esac
-
-case $distro in
- arch|debian|ubuntu) pi btrbk ;;
- # others unknown
-esac
+# not using it atm, and for jessie, it depends on a higher version of btrfs-tools
+# case $distro in
+# arch|debian|ubuntu) pi btrbk ;;
+# # others unknown
+# esac
if [[ $HOSTNAME == treetowl ]] && [[ `debian-archive` != testing ]]; then
# fail2 ban is broken, with a workaround, per
-# disable motd junk.
-case $(distro-name) in
- debian)
- # allows me to pipe with ssh -t, and gets rid of spam
- # http://forums.debian.net/viewtopic.php?f=5&t=85822
- # i'd rather disable the service than comment the init file
- # this says disabling the service, it will still get restarted
- # but this script doesn't do anything on restart, so it should be fine
- s dd of=/var/run/motd.dynamic if=/dev/null
- s update-rc.d motd disable
- ;;
- ubuntu)
- # this isn't a complete solution. It still shows me when updates are available,
- # but it's no big deal.
- s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header
- ;;
-esac
-
-# automatic updates
-# reference:
-# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html
-# /etc/cron.daily/apt calls unattended-upgrades
-# /usr/share/doc/unattended-upgrades# cat README.md
-# /etc/apt/apt.conf.d/50unattended-upgrades
-if isdebian; then
- pi unattended-upgrades
- s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF'
-# this file was mostly just comments.
-APT::Periodic::Update-Package-Lists "1";
-APT::Periodic::Download-Upgradeable-Packages "1";
-APT::Periodic::AutocleanInterval "7";
-APT::Periodic::Unattended-Upgrade "1";
-EOF
- { cat <<'EOF'
-Unattended-Upgrade::Mail "root";
-Unattended-Upgrade::MailOnlyOnError "true";
-Unattended-Upgrade::Remove-Unused-Dependencies "true";
-Unattended-Upgrade::Origins-Pattern {
-# default is just upgrade main and security, not updates.
-EOF
- if isdebian-testing; then
- cat <<'EOF'
-# for testing, only do security updates.
- "origin=Debian,codename=${distro_codename},label=Debian-Security";
-EOF
- else
- cat <<'EOF'
-# These are stable packages only getting bugfixes anyways.
- "origin=*";
-EOF
- cat <<'EOF'
-};
-EOF
- fi
- } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades
- echo $- > /tmp/x
-fi
-
-
-
-######### begin postfix ########
-# based on,http://www.postfix.org/qmgr.8.html and my notes in gnus
-# originally tried moving specific directories under /var/spool/postfix,
-# but postfix didn't like that
-if [[ ! -L /var/spool/postfix ]]; then
- ser stop postfix
- n=/q/postfix-`distro-name``debian-archive`
- if [[ -e $n ]]; then
- echo "$0: warning: $n already exists before we do the link, removing it"
- rm -rf $n
- fi
- s mv /var/spool/postfix $n
- s lnf -T $n /var/spool/postfix
- ser start postfix
- journalctl -n 20 | cat
-fi
-
-
-# This also works instead of ~/.forward
-# s sed -i '/^root/d' /etc/aliases ||:
-#echo "root: $HOSTNAME@bog.mm.st" | s tee -a /etc/aliases
-# this can't be a symlink and has permission restrictions
-# it might work in /etc/aliases, but this seems more proper.
-
-if s grep amazonaws /etc/postfix/sasl_passwd &>/dev/null; then
- forward=$HOSTNAME@sallymae.club
-else
- forward=$HOSTNAME@bog.mm.st
-fi
-e $forward > ~/.forward
-e $forward | s tee /root/.forward
-s newaliases
-
-# if I wanted the from address to be renamed and sent to a different address,
-# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
-# sudo postmap hash:/etc/postfix/recipient_canonical
-# sudo service postfix reload
-
-
-# i'm assuming mail just won't work on systems without the sasl_passwd.
-postconfin <<'EOF'
-smtp_sasl_auth_enable = yes
-smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
-smtp_sasl_security_options = noanonymous
-smtp_tls_security_level = secure
-message_size_limit = 20480000
-smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
-EOF
-# ^ I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
-
-s postmap hash:/etc/postfix/sasl_passwd
-# offlineimap uses this too, it is much easier to use one location than to
-# condition it's config and postfix's config
-case $distro in
- fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;;
- *) :
-esac
-
-s service postfix reload
-sgo postfix
-
-############ end postfix #######
case $distro in
;;
esac
-if [[ -e /i/video ]]; then
+if [[ $HOSTNAME == frodo ]]; then
+ tu /etc/exports <<'EOF'
+/k 192.168.1.0/24(rw,nohide,no_subtree_check,insecure)
+EOF
+ s exportfs -rav
+fi
+
+if [[ -e /k/video ]]; then
# nohide = export filesystems mounted deeper than the export point
# fsid=0 makes this export the "root" export
# not documented in the man page, but this means
fi
-# cron
-f=/a/bin/$HOSTNAME-crontab
-if [[ -e $f ]]; then
- $f
-fi
e "$end_msg_var"
s /etc/init.d/samba start
;;
- arch)
- sgo samba
- ;;
+ arch)
+ sgo samba
+ ;;
esac
tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)"
mountpoint /mnt/iroot || s mount /mnt/iroot
fi
-# Do this again because it occasionally has changes and
-# it can be run outside initial isntall.
-s /a/bin/fai/fai/config/distro-install-common/end
+
+######### begin stuff belonging at the end ##########
+
+
+# Apps we want to override others for default file handler:
+# simplest way in debian is to just install them last.
+simple_packages+=(
+ mpv
+)
+
+case $distro in
+ ubuntu|debian)
+ spa spacefm-gtk3 ;;
+ arch)
+ spa spacefm ;;
+esac
+
+
+pi "${simple_packages[@]}"
+
if $pending_reboot; then
echo "$0: pending reboot and then finished. doing it now."
--- /dev/null
+#!/bin/bash -l
+# Copyright (C) 2016 Ian Kelling
+# This program is under GPL v. 3 or later, see <http://www.gnu.org/licenses/>
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+host=$1
+
+if [[ ! $host || $host == -h ]]; then
+ echo "$0: error: expected 1 arg of hostname"
+ exit 1
+fi
+
+set -x
+ssh $host sudo reboot ||:
+pxe-server fai $host
+while ! ssh $host :; do
+ sleep 5
+done
+dsremote $host
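Review bot: `$host` reaches `ssh`, `pxe-server` and `dsremote` unquoted, and the argument check only rejects an empty value or a literal `-h`, so any other argument beginning with `-` is parsed by `ssh` as an option rather than a hostname. Widening the guard to `if [[ ! $host || $host == -* ]]; then` and quoting each use (`ssh "$host" sudo reboot ||:`) closes that. The `while ! ssh $host :` loop has no upper bound, so a host that never comes back from the PXE install leaves the script polling forever; a retry counter with a non-zero exit would make that failure visible. The new file that follows (the `rlu $host` / `ssh $host /a/bin/distro-begin` wrapper) has the same unquoted `$host` and the same `-h`-only check.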
--- /dev/null
+#!/bin/bash -l
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+host=$1
+
+if [[ ! $host || $host == -h ]]; then
+ echo "$0: error: expected 1 arg of hostname"
+ exit 1
+fi
+
+rlu $host /a/bin/distro-setup/
+ssh $host /a/bin/distro-begin
+ssh $host /a/bin/distro-end
--- /dev/null
+#!/bin/bash -l
+# Copyright (C) 2016 Ian Kelling
+# This program is under GPL v. 3 or later, see <http://www.gnu.org/licenses/>
+
+# lj is test server
+case $HOSTNAME in
+ lj)
+ domain=iankelling.org
+ ;;
+ lk)
+ domain=iank.bid
+ ;;
+esac
+
+
+# debian has the package gitweb, which seems to mainly
+# have some example apache config, and a minimal gitweb config.
+# I'll just use the config as example and not use the package.
+# It's example apache config seems to say we can use cgi or cgid,
+# and googling cgid it seems a newer faster alternative.
+s a2enmod cgid
+
+s dd of=/etc/gitweb.conf <<EOF
+\$projectroot = "$gitroot";
+# not documented at https://git-scm.com/docs/gitweb.conf,
+# but it's in the debian conf, so use it.
+# directory to use for temp files.
+\$git_temp = "/tmp";
+EOF
+
+
+git_root=/a/bin/githtml
+
+
+apache-site - $domain <<EOF
+# to run python script on my site:
+<Directory /var/www/$domain/html>
+ # to run python scripts with cgi
+ Options +ExecCGI
+ AddHandler cgi-script .py
+</Directory>
+
+
+# All below is for gitweb + git-http-web.
+# A simple builtin way to have a read only git website.
+# I didn't find any significantly better alternatives out there.
+SetEnv GIT_PROJECT_ROOT $gitroot
+SetEnv GIT_HTTP_EXPORT_ALL
+
+# note: cgi scripts can go anywhere into the filesystem,
+# so there is no need to do a directory block for $gitroot
+
+# fot git-http-web
+<Directory /usr/lib/git-core>
+ AllowOverride None
+ Require all granted
+</Directory>
+
+<Directory /usr/share/gitweb>
+ Options +FollowSymLinks +ExecCGI
+ AddHandler cgi-script .cgi
+</Directory>
+
+# from man-git-http-backend, so git-http-web ang gitweb can both be used.
+# it is instead of this:
+# #ScriptAlias / /usr/lib/git-core/git-http-backend/
+ScriptAliasMatch \\
+ "(?x)^/git/(.*/(HEAD | \\
+ info/refs | \\
+ objects/(info/[^/]+ | \\
+ [0-9a-f]{2}/[0-9a-f]{38} | \\
+ pack/pack-[0-9a-f]{40}\\.(pack|idx)) | \\
+ git-(upload|receive)-pack))\$" \\
+ /usr/lib/git-core/git-http-backend/\$1
+
+
+
+# man-git-http-backend claims we should do this, but
+# it causes no css/images to be displayed. Instead,
+# just stick with the standard gitweb example directive
+# from debian.
+#ScriptAlias /git /usr/share/gitweb/gitweb.cgi/
+Alias /git /usr/share/gitweb
+EOF
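Review bot: `$gitroot` is expanded in both the `/etc/gitweb.conf` heredoc and the `SetEnv GIT_PROJECT_ROOT` line, but the only assignment visible in this file is `git_root=/a/bin/githtml`, and it comes after the first use. Unless `gitroot` is supplied by the login environment (not visible here), gitweb is written with `$projectroot = "";` and git-http-backend runs with an empty project root while `GIT_HTTP_EXPORT_ALL` is set, so the directory actually served is not the one intended. Renaming the assignment to `gitroot=/a/bin/githtml` and moving it above the `s dd of=/etc/gitweb.conf` line fixes it, and a `set -eu` at the top (this is the only new script in the commit without `set -e`) would turn this kind of typo into an immediate failure. The `case $HOSTNAME` block also has no default arm, so on any host other than lj or lk `$domain` is empty when `apache-site` is called.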
--- /dev/null
+#!/bin/bash -l
+# Copyright (C) 2016 Ian Kelling
+# This program is under GPL v. 3 or later, see <http://www.gnu.org/licenses/>
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR
+
+set -x
+
+
+# lj is test server
+case $HOSTNAME in
+ lj)
+ domain=phab.iank.bid
+ alt_domain=fastmail.wiki
+ ;;
+ lk)
+ domain=phab.iankelling.org
+ alt_domain=iankellingusercontent.org
+ ;;
+esac
+
+
+pass=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin`
+webroot=/usr/share/phabricator/webroot
+user=iank
+name="Ian Kelling"
+email=ian@iankelling.org
+ssh_port=222
+
+fbin() { bin=$1; shift; sudo /usr/share/phabricator/bin/$bin "$@"; }
+fsetd() { fbin config set --database "$@"; }
+
+# phabricator complained about wanting arcanist first
+pi arcanist/unstable mercurial
+
+for x in /a/bin/bash_unpublished/*; do source $x; done
+
+# duplicated in mediawiki setup. todo fix that.
+s DEBIAN_FRONTEND=noninteractive pi mysql-server
+cd # mysql_secure_installation writes some temp files to the current dir,
+# so we need to make sure it's writable.
+if echo exit|mysql -u root -p"$dbpass"; then
+ echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation
+else
+ echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
+fi
+
+mysql -u root -p$dbpass <<EOF
+grant all privileges on \`phabricator\\_%\`.* to 'phabricator'@localhost identified by '$pass';
+EOF
+
+phab-sel() {
+ s debconf-set-selections<<EOF
+phabricator phabricator/pwd_check password $pass
+phabricator phabricator/phabricator_mysql_pwd password $pass
+phabricator phabricator/webserver select None
+phabricator phabricator/phabricator_mysql_user string phabricator
+phabricator phabricator/mysql_host string localhost
+# Domain name or subdomain name used by phabricator:
+phabricator phabricator/domain_name string $domain
+EOF
+}
+phab-sel
+
+pi phabricator/unstable
+
+# debian sets http, but we want https
+s sed -i 's/http:/https:/' /usr/share/phabricator/conf/local/local.json
+
+
+acme-tiny-wrapper $domain
+acme-tiny-wrapper $alt_domain
+
+for x in $domain $alt_domain; do
+ apache-site -r $webroot - $x <<EOF
+RewriteEngine on
+RewriteRule ^/rsrc/(.*) - [L,QSA]
+RewriteRule ^/favicon.ico - [L,QSA]
+RewriteRule ^/php5-fcgi - [L]
+RewriteRule ^(.*)\$ /index.php?__path__=\$1 [B,L,QSA]
+<Directory "$webroot">
+ Require all granted
+</Directory>
+EOF
+done
+
+
+# Before I figured out how to setup the admin in the script,
+# this would limit the site to localhost,
+# and access it through an ssh tunnel until its secure.
+#phab-site -p 127.0.0.1:443
+
+# settings are stored in conf/local/local.json.
+# some settings could also be stored in the database with
+# --database arg. database has higher priority than
+# the config file.
+
+# if you need to restart phabricator, just ser restart apache2
+# https://secure.phabricator.com/book/phabricator/article/restarting/
+
+# to reset things, you can do.
+# fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable
+# # but under debian, prolly better to purge, cause db gets created on install
+
+
+# On first run went to the website, registered manually, then
+# went through the gui setup items to get the configuration below.
+
+
+#expect "*"
+#sleep 1
+
+# expect's exits with 0 by default on timeout of an expect command.
+# You can modify this, but it was simpler to use an irregular code to detect
+# actual success.
+sudo expect -d <<EOF
+# The expect lines use shell type globbing. They are not actually
+# needed, but they make the script likely to fail if the questions
+# content changes drastically, and make the script self documenting.
+
+# adds a short delay after each send for more reliable operation
+# (reference: comment in any autoexpect generated script)
+set force_conservative 0
+spawn "/usr/share/phabricator/bin/accountadmin"
+# If we've already set our user, detect different prompt and exit
+# expect basics: when the last alternative matches, there is no need
+# to specify an action, we just continue.
+expect {
+ timeout {exit 1}
+ -nocase "enter a username" exit
+ -nocase "y/n"
+}
+send "y\r"
+expect -nocase timeout {exit 1} "username"
+send "$user\r"
+expect -nocase timeout {exit 1} "create*y/n"
+send "y\r"
+expect -nocase timeout {exit 1} "name"
+send "$name\r"
+expect -nocase timeout {exit 1} "email"
+send "$email\r"
+expect -nocase timeout {exit 1} "password"
+send "$pass\r"
+expect -nocase timeout {exit 1} "bot"
+send "n\r"
+expect -nocase timeout {exit 1} "admin"
+send "y\r"
+expect -nocase timeout {exit 1} "save"
+send "y\r"
+expect eof
+exit
+EOF
+
+
+
+# this tipped me over to using a debian package
+# https://secure.phabricator.com/T4181
+
+fsetd auth.require-approval false
+
+# phabricator recommends going from 16 to at least 32
+sudo sed -ri 's/(^\s*max_allowed_packet)[[:space:]=].*/\1 = 100M/' /etc/mysql/my.cnf
+
+
+setini() {
+ key="$1" value="$2" section="$3" file="$4"
+ sudo sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*$key[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
+}
+
+setd() { setini "$@" mysqld /etc/mysql/my.cnf; }
+
+# error instead of data corruption:
+setd sql_mode STRICT_ALL_TABLES
+setd ft_stopword_file /usr/share/phabricator/resources/sql/stopwords.txt
+setd ft_min_word_len 3
+# mysql full text search for word1 word2 will and them instead of or them:
+setd ft_boolean_syntax "' |-><()~*:\"\"&^'"
+# default is 128M. recommended starting point is 40% of ram.
+setd innodb_buffer_pool_size 1600M
+
+# this files stopwork, and min_word_len
+mysql -u root -p$dbpass <<'EOF'
+REPAIR TABLE phabricator_search.search_documentfield;
+EOF
+
+fsetd pygments.enabled true
+fbin config set security.alternate-file-domain https://$alt_domain
+
+setini opcache.validate_timestamps '"0"' opcache /etc/php5/apache2/php.ini
+setini post_max_size 100M PHP /etc/php5/apache2/php.ini
+
+fsetd metamta.default-address phabricator@$domain
+fsetd metamta.domain $domain
+
+
+ser restart mysql
+
+# Not sure if this is needed. while developing this script, mysql went down
+# for a bit and the daemons died.
+
+
+# todo, setup inbound email:
+# https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/
+
+
+# https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/
+# unmatchable password, allows login only via ssh, sudo, etc.
+# this is standard.
+# I tried having no home dir, (-d /nonexistent),
+# but I got an error message on test sshing,
+sudo useradd -p '*' -m --system -s /bin/sh vcs || [[ $? == 9 ]]
+
+# you'd think the debian package would set this. todo: check on a fresh
+# machine
+fbin config set phd.user phabricator
+fbin config set diffusion.ssh-user vcs
+
+option="ALL=(phabricator) SETENV: NOPASSWD:"
+www_files=$(which git hg|sed ':a;N;s/\n/, /;ta')
+vcs_files=$(which git git-upload-pack git-receive-pack hg|sed ':a;N;s/\n/, /;ta')
+[[ $www_files && $vcs_files ]] || exit 1
+www_files="$www_files, /usr/lib/git-core/git-http-backend"
+sudo dd of=/etc/sudoers.d/phabricator <<EOF
+www-data $option $www_files
+vcs $option $vcs_files
+EOF
+
+# Found this due to red x in the ui after setting up a test repo.
+# todo: debian package should do this for us. see also:
+# https://phab.iank.bid/config/edit/environment.append-paths/
+sudo lnf /usr/lib/git-core/git-http-backend /usr/share/phabricator/support/bin
+
+fbin config set diffusion.allow-http-auth true
+
+# couldn't find a really appropriate place for it. It needs parent dir
+# permissions to be root:root.
+file=/usr/share/phabricator-local-ssh-hook.sh
+# from /usr/share/phabricator/resources/sshd/phabricator-ssh-hook.sh
+sudo dd of=$file <<'EOF'
+#!/bin/sh
+# For debugging, you can temporarily do:
+# exec >/tmp/plog 2>&1
+# This script executes as the vcs user
+if [ "$1" != vcs ]; then exit 1; fi
+exec "/usr/share/phabricator/bin/ssh-auth" $@
+EOF
+sudo chmod 755 $file
+
+sudo dd of=/etc/ssh/sshd_config.phabricator <<EOF
+AuthorizedKeysCommand $file
+AuthorizedKeysCommandUser vcs
+AllowUsers vcs
+
+Port $ssh_port
+Protocol 2
+PermitRootLogin no
+AllowAgentForwarding no
+AllowTcpForwarding no
+PrintMotd no
+PrintLastLog no
+PasswordAuthentication no
+AuthorizedKeysFile none
+
+PidFile /var/run/sshd-phabricator.pid
+EOF
+
+sudo dd of=/etc/systemd/system/phabricator-ssh.service <<'EOF'
+[Unit]
+Description=OpenBSD Secure Shell server for phabricator repos
+After=network.target auditd.service
+ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
+
+[Service]
+ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+sudo systemctl daemon-reload
+
+# got this error upon ssh, figured out a solution.
+# [2016-06-10 06:40:15] EXCEPTION: (AphrontInvalidCredentialsQueryException) #1045: Access denied for user 'root'@'localhost' (using password: NO) at [<phutil>/src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306]
+# arcanist(), phabricator(), phutil()
+
+s usermod -a -G vcs www-data
+s usermod -a -G vcs ian
+s usermod -a -G vcs phabricator
+s chown root:vcs /usr/share/phabricator/conf/local/local.json
+fbin config set diffusion.ssh-port $ssh_port
+
+fsetd policy.allow-public true
+
+sgo phabricator-ssh
+
+ser restart apache2
+sgo phabricator
+
+
+# todo, finish next steps here:
+# notably, backup/restore
+# https://secure.phabricator.com/book/phabricator/article/configuration_guide/
+
+
+fbin auth recover iank
+
+cat <<EOF
+# go to link above, then
+# https://$domain/auth/config/new/
+# and add username/pass auth provider.
+EOF
+
+
+
+# beginnings of automating those last manual steps:
+
+
+# for setting the auto provider, we can use the api.
+#arc set-config default https://$domain
+#
+# but first we have to generate an api key by getting
+# https://phab.iank.bid/conduit/login/
+# to do that, we've got to login to the url login.
+# We've got to post to a url on the login page,
+# then record 2 cookies: phuser and phsid
+# It also does a 302 for us to do 2 more pages related to auth/login.
+
+# we need to post to the right url (didn't record it, with these params)
+#allowLogin:"1"
+#allowRegistration:"1"
+#allowLink:"1"
+#allowUnlink:"1"
+
+
+#Serve over HTTP
+#
+#
+# phabricator/ $ ./bin/repository edit rT --as iank --local-path ...
+
+#
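Review bot: `set -x` is switched on before `pass` is read from `/p/c/machine_specific/$HOSTNAME/phabricator_admin`, so the admin password and `$dbpass` land in the trace output wherever they are expanded (the `mysql -u root -p$dbpass` calls, the `echo -e "$dbpass..."` pipes into `mysql_secure_installation`), and `-p$dbpass` additionally exposes the database password in the process list. I would run the secret-handling commands under `set +x` and give mysql its credentials through a root-only option file, e.g. `mysql --defaults-extra-file=<path to 0600 option file>`, rather than argv. `$pass` is also pasted unescaped into the `identified by '$pass'` statement and the expect `send "$pass\r"` line, so a password containing a quote, backslash, `$` or `[` changes the SQL or Tcl that runs; restricting the password alphabet or escaping it before interpolation avoids that. Separately, `/etc/sudoers.d/phabricator` is written with `dd` and never validated: writing to a temporary file, checking it with `visudo -cf` and installing it mode 0440 keeps an unexpected `which` result from leaving a broken sudoers fragment.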
--- /dev/null
+#!/bin/bash -l
+# Copyright (C) 2016 Ian Kelling
+# This program is under GPL v. 3 or later, see <http://www.gnu.org/licenses/>
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+# dunno why debian installed postfix with builddep emacs
+# but I will just explicitly install it here since
+# I use it for sending mail in emacs.
+if private-host; then
+ relayhost="[mail.messagingengine.com]:587"
+else
+ # ses initially suggests port 25, but I had problems connecting to that.
+ relayhost="[email-smtp.us-west-2.amazonaws.com]:587"
+fi
+if isdeb; then
+ s debconf-set-selections<<EOF
+postfix postfix/main_mailer_type select Satellite system
+postfix postfix/mailname string $host
+postfix postfix/relayhost string $relayhost
+EOF
+
+ pi postfix
+else
+ pi postfix
+ # Settings from reading the output when installing on debian,
+ # then seeing which were different in a default install on arch.
+ # I assume the same works for fedora.
+ postconfin <<EOF
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+relayhost = $relayhost
+inet_interfaces = loopback-only
+EOF
+
+ s systemctl enable postfix
+ s systemctl start postfix
+fi
+
+
+# note, previously, the rest of setup was done separately.
+
+
+# based on,http://www.postfix.org/qmgr.8.html and my notes in gnus
+# originally tried moving specific directories under /var/spool/postfix,
+# but postfix didn't like that
+if [[ ! -L /var/spool/postfix ]]; then
+ ser stop postfix
+ n=/q/postfix-`distro-name``debian-archive`
+ if [[ -e $n ]]; then
+ echo "$0: warning: $n already exists before we do the link, removing it"
+ s rm -rf $n
+ fi
+ s mv /var/spool/postfix $n
+ s lnf -T $n /var/spool/postfix
+ ser start postfix
+ s journalctl -n 20 | cat # sudo as we may not have journal reading rights yet
+fi
+
+
+# This also works instead of ~/.forward
+# s sed -i '/^root/d' /etc/aliases ||:
+#echo "root: $HOSTNAME@$SOME_DOMAIN" | s tee -a /etc/aliases
+# this can't be a symlink and has permission restrictions
+# it might work in /etc/aliases, but this seems more proper.
+
+if s grep amazonaws /etc/postfix/sasl_passwd &>/dev/null; then
+ forward=$HOSTNAME@$PERSONAL_DOMAIN
+else
+ forward=$HOSTNAME@$IMPERSONAL_DOMAIN
+fi
+e $forward > ~/.forward
+e $forward | s tee /root/.forward
+s newaliases
+
+# if I wanted the from address to be renamed and sent to a different address,
+# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical
+# sudo postmap hash:/etc/postfix/recipient_canonical
+# sudo service postfix reload
+
+
+# i'm assuming mail just won't work on systems without the sasl_passwd.
+postconfin <<'EOF'
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+smtp_sasl_security_options = noanonymous
+smtp_tls_security_level = secure
+message_size_limit = 20480000
+smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
+EOF
+# ^ I ran into a log file not sending cuz of size. double from 10 to 20 meg limit
+
+s postmap hash:/etc/postfix/sasl_passwd
+# offlineimap uses this too, it is much easier to use one location than to
+# condition it's config and postfix's config
+case $distro in
+ fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;;
+ *) :
+esac
+
+s service postfix reload
+sgo postfix