# Note that the use of brackets around a tr range is ok here, (it's
# even required, for portability to Solaris 10's /usr/bin/tr), since
# the square bracket bytes happen to fall in the designated range.
- test $(git diff --cached --name-only --diff-filter=A -z $against |
- LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0
+ test "$(git diff --cached --name-only --diff-filter=A -z $against |
+ LC_ALL=C tr -d '[ -~]\0' | wc -c)" != 0
then
cat <<EOF
Error: Attempt to add a non-ASCII file name.
local quotes others ret
quotes=2048,2068,2086,2206,2254
others=2029,2032,2033,2054,2164
- # Dont complain about sourced files if we aren't asking for them.
- if [[ $1 != -x ]]; then
- others+=,1091
- fi
- shellcheck -W 999 -e $quotes,$others "$@" || ret=$?
+ shellcheck -x -W 999 -e $quotes,$others "$@" || ret=$?
if (( ret >= 1 )); then
echo "A template comment to disable is now in clipboard. eg: # shellcheck disable=SC2206 # reason"
cbs "# shellcheck disable=SC"
return $ret
fi
}
-skx() {
- sk -x "$@"
-}
+
# sk with quotes. For checking scripts that we expect to take untrusted
# input in order to verify we quoted vars.
skq() {
# sk on all the files in current git repo (except those excluded)
skgit() {
local f toplevel orig_dir tmp skip pattern
- local -a ls_files excludes
+ local -a ls_files excludes sk_files
toplevel=$(git rev-parse --show-toplevel)
if [[ $PWD != "$toplevel" ]]; then
orig_dir=$PWD
fi
excludes=(
'disabled/*'
- # sourced from brc2
- beet-data
- # sourced from .bash_profile
- .bashrc
- )
- no_check_sourced=(
- .bash_profile
)
tmp=$(git ls-files | shuf)
mapfile -t ls_files <<<"$tmp"
fi
done
if $skip; then continue; fi
-
- check_source=-a
- for pattern in "${no_check_sourced[@]}"; do
- if [[ $f == "$pattern" ]]; then
- check_source=
- break
- fi
- done
if sk-p "$f"; then
- printf "================= %s\n" "$f"
- sk $check_source --color=always $f || [[ $? == 1 ]]
+ sk_files+=("$f")
fi
done
+ sk "${sk_files[@]}"
if [[ $orig_dir ]]; then
cd $orig_dir
fi
host-info-all() {
host-info-update
bindpushb8
+ ssh li.b8.nz conflink
wrt-setup
}
} | cedit /p/c/subdir_files/.ssh/config || [[ $? == 1 ]]
{
- echo "cat <<EOF"
+ # hack to please emacs parser
+ here_begin="cat <<EOF"
+ echo "$here_begin"
for host in ${!vpn_ips[@]}; do
ipsuf=${vpn_ips[$host]}
i_port=$(( 2200 + ipsuf ))
cat <<EOF
-config redirect
- option name ssh$host
- option src wan
- option src_dport $i_port
- option dest_port 22
- option dest_ip \$l.$ipsuf
- option dest lan
-config rule
- option src wan
- option target ACCEPT
- option dest_port $i_port
+ config redirect
+ option name ssh$host
+ option src wan
+ option src_dport $i_port
+ option dest_port 22
+ option dest_ip \$l.$ipsuf
+ option dest lan
+ config rule
+ option src wan
+ option target ACCEPT
+ option dest_port $i_port
EOF
done
echo "EOF"
sedi '/edits below here are made automatically/,$d' /p/c/machine_specific/li/filesystem/etc/wireguard/wgmail.conf
for host in ${!vpn_ips[@]}; do
if [[ ${root_ips[$host]} ]]; then
- # root machines dont run transmission
+ # root machines dont actually need vpn, but
+ # the classification still helps with other
+ # configurations.
continue
fi
ipsuf=${vpn_ips[$host]}
wghole $host $ipsuf
+ sd /b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/$host <<EOF
+ifconfig-push 10.5.5.${vpn_ips[$host]} 255.255.255.0
+EOF
u /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service <<EOF
[Unit]
Description=OpenVPN tunnel for %I
echo checking for stray files:
initial_dir="$PWD"
- cd /a/bin/ds/machine_specific
- ngset
- files=( */filesystem/etc/systemd/system/openvpn-client-tr@.service )
- ngreset
- cd "$initial_dir"
- for f in "${files[@]}"; do
- host=${f%%/*}
- if [[ ! ${vpn_ips[$host]} ]]; then
- e rm /a/bin/ds/machine_specific/$host/filesystem/etc/systemd/system/openvpn-client-tr@.service
- fi
- done
+ while read -r dir path; do
+ cd $dir
+ ngset
+ files=( */$path )
+ ngreset
+ cd "$initial_dir"
+ for f in "${files[@]}"; do
+ host=${f%%/*}
+ if [[ ! ${vpn_ips[$host]} ]]; then
+ e rm $dir/$f
+ fi
+ done
+ done <<'EOF'
+/a/bin/ds/machine_specific filesystem/etc/systemd/system/openvpn-client-tr@.service
+/p/c/machine_specific filesystem/etc/wireguard/wghole.conf
+EOF
- cd /p/c/machine_specific
- ngset
- files=( */filesystem/etc/wireguard/wghole.conf )
- ngreset
- cd $initial_dir
+ files=(/b/ds/machine_specific/li/filesystem/etc/openvpn/client-config-hole/* )
for f in "${files[@]}"; do
- host=${f%%/*}
+ host=${f##/*}
if [[ ! ${vpn_ips[$host]} ]]; then
- e rm /p/c/machine_specific/$host/filesystem/etc/wireguard/wghole.conf
+ e rm $f
+ e ssh root@li.b8.nz rm -f $f
fi
done
+
}
# usage host ipsuf [extrahost]
-Things I stopped using and will become broken over time, but better to
-have here than just in git history.
+Files I stopped using and will become broken over time, and then
+eventually git rmed, but still have filename here to help my memory.
+
+bitcoin
+home-vpn
+kodi-setup
+maru-init
+mastodon
+mastodon-upgrade
+nagios
+new-firefox # install newer version firefox
+offlineimap-sync
+phabricator-setup
+pump.io
+samba-setup
+small-backup # rdiff-backup my small files, before i used btrfs send
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-## bitcoin disabled. fees too high
-
-if [[ $HOSTNAME == frodo ]]; then
- case $distro in
- debian)
- if [[ `debian-archive` == testing ]]; then
- # has no unstable dependencies
- pi bitcoind/unstable
- src=/a/opt/bitcoin/contrib/init/bitcoind.service
- s cp $src /etc/systemd/system
- p=/etc/bitcoin/bitcoin
- dst=/etc/systemd/system/bitcoinjm.service
- # jm for joinmarket
- $sed -r "/^\s*ExecStart/s,${p}.conf,${p}jm.conf," $src \
- >/etc/systemd/system/bitcoinjm.service
-
- d=jm; jm=d # being clever for succinctness
- for s in d jm; do
- s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \
- /etc/systemd/system/bitcoin${s}.service
- done
-
- ser daemon-reload
-
- dir=/nocow/.bitcoin
- s mkdir -p $dir
- s chown -R bitcoin:bitcoin $dir
- dir=/etc/bitcoin
- s mkdir -p $dir
- s chown -R root:bitcoin $dir
- s chmod 750 $dir
-
- # pruning decreases the bitcoin dir to 2 gb, keeps
- # just the recent blocks. can\'t do a few things like
- # import a wallet dump.
- # pruning works, but people had to do
- # some manual stuff in joinmarket. I dun need the
- # disk space, so not bothering yet, maybe in a year or so.
- # https://github.com/JoinMarket-Org/joinmarket/issues/431
- #https://bitcoin.org/en/release/v0.12.0#wallet-pruning
- #prune=550
-
- f=$dir/bitcoin.conf
- s dd of=$f <<EOF
-server=1
-# necessary for joinmarket, not bad in general
-rpcpassword=$(openssl rand -base64 32)
-rpcuser=$(openssl rand -base64 32)
-EOF
-
- # dunno about sharing a wallet between multiple instances
- # manually did, wallet.dat symlinked in /nocow/.bitcoin
- sgo bitcoind
- fi
- ;;
- # other distros unknown
- esac
-
-
-
- ## disabling joinmarket, its too expensive
- ### begin joinmarket setup ###
-
- case $distro in
- debian)
- f=$dir/bitcoin.conf
- f2=$dir/bitcoinjm.conf
- s cp $f $f2
- s tee -a $f2 >/dev/null <<EOF
-# Joinmarket
-walletnotify=curl -sI --connect-timeout 1 http://localhost:62602/walletnotify?%s
-alertnotify=curl -sI --connect-timeout 1 http://localhost:62602/alertnotify?%s
-wallet=joinmarket.dat
-EOF
-
- ;;
- # other distros unknown
- esac
-
- pi libsodium-dev python-pip
- cd /a/opt/joinmarket
- # using develop branch, as it seems to be mostly bug fixes,
- # and this is quite new software.
- # note: python3 does not work.
- # has seg fault error due to some bug, but it still works
- pip install -r requirements.txt || [[ $? == 139 ]]
- # note, the target must exist ahead of time, or bitcoin
- # just overwrites the link, and it\'s not happy with an empty file,
- # so we have to create the wallet, then move and link it.
- s lnf -T /q/bitcoin/wallet.dat /nocow/.bitcoin/wallet.dat
- s lnf -T /q/bitcoin/joinmarket.dat /nocow/.bitcoin/joinmarket.dat
- # not technically needed, but seems cleaner not to have
- # symlinks be root owned unlike everything else
- s chown -h bitcoin:bitcoin /nocow/.bitcoin/*
-
- for var in rpcuser rpcpassword; do
- u="$(s sed -rn "s/^$var=(.*)/\1/p" /etc/bitcoin/bitcoin.conf)"
- # escape backslashes
- u="${u//\\/\\\\\\\\}"
- # escape commas
- u="${u//,/\\,}"
- sed -ri "s,^(rpc_${var#rpc}\s*=).*,\1 $u," joinmarket.cfg
- done
- sed -ri "s/^\s*(blockchain_source\s*=).*/\1 bitcoin-rpc/" joinmarket.cfg
- ### end joinmarket setup ###
-fi
+++ /dev/null
-# this was in distro-end.
-#
-# Disabled because basically I don't need a home vpn and prefer just
-# port forwarding as needed.
-
-### begin home vpn server setup
-
-
-# # this section done initially to make persistent keys.
-# # Also note, I temporarily set /etc/hosts so my host was
-# # b8.nz when running this, since the vpn client config
-# # generator assumes we need to go to that server to get
-# # server keys.
-# vpn-server-setup -rds
-# s cp -r --parents /etc/openvpn/easy-rsa/keys /p/c/filesystem
-# s chown -R 1000:1000 /p/c/filesystem/etc/openvpn/easy-rsa/keys
-# # kw = kgpe work machine.
-# for host in x2 x3 kw; do
-# vpn-mk-client-cert -b $host -n home b8.nz 1196
-# dir=/p/c/machine_specific/$host/filesystem/etc/openvpn/client
-# mkdir -p $dir
-# s bash -c "cp /etc/openvpn/client/home* $dir"
-# # note: /etc/update-resolv-conf-home also exists for all systems with /p
-# done
-
-# key already exists, so this won't generate one, just the configs.
-# m vpn-server-setup -rds
-# sudo tee -a /etc/openvpn/server/server.conf <<'EOF'
-# push "dhcp-option DNS 10.0.0.1"
-# push "route 10.0.0.0 255.255.0.0"
-# client-connect /a/bin/distro-setup/vpn-client-connect
-# EOF
-# sudo sed -i --follow-symlinks 's/10.8./10.9./g;s/^\s*port\s.*/port 1196/' /etc/openvpn/server/server.conf
-
-# if [[ $HOSTNAME == tp ]]; then
-# if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
-# vpn_service=openvpn-server@server
-# else
-# vpn_service=openvpn@server
-# fi
-# sgo $vpn_service
-# fi
-### end vpn server setup
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# usage: I run this script on a timer to correct the dns on wrt for
-# clients where dns is updated dynamically by openvpn, in the case that
-# openvpn crashes or the computer running openvpn crashes.
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file
-
-while read -r ip host; do
- found=false
- is_connected="grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log"
- if $is_connected; then continue; fi
- if ! grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log; then
- cd $(mktemp -d); dir=$PWD
- ssh wrt tar -C /etc -c hosts | tar -x
- if grep -qFx "$ip $host" hosts; then continue; fi
- # openvpn udpates its status file every 60 seconds by default
- if (( $(stat -c%Y hosts) > EPOCHSECONDS + 60 )); then
- sleep 60
- if $is_connected; then continue; fi
- fi
- ssh root@wrt.b8.nz cedit ovpn-$host <<<"$ip $host" || [[ $? == 1 ]]
- fi
-done <lan-dns
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file
-
-# see lan-dyn-dns-update. this is the corresponding script for on connect/disconnect from vpn
-
-d=/p/ovpn-ssh
-ssh_cmd="ssh -F$d/.config -i$d/home root@wrt.b8.nz cedit ovpn-$X509_0_CN /etc/hosts"
-case $script_type in
- client-connect) $ssh_cmd <<<"$ifconfig_pool_remote_ip $X509_0_CN"|| [[ $? == 1 ]]
- ;;
- client-disconnect)
- $ssh_cmd <<<$(grep -F $X509_0_CN lan-dns) || [[ $? == 1 ]]
- ;;
-esac
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# this is from distro-end
-if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi
-
-pi kodi
-
-# based on https://wiki.debian.org/SecuringNFS
-# but the quota stuff is either outdated or optional,
-# i guessed that it was not needed and it worked fine.
-s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF'
-fs.nfs.nfs_callback_tcpport = 32764
-fs.nfs.nlm_tcpport = 32768
-fs.nfs.nlm_udpport = 32768
-EOF
-s sysctl --system
-s $sed -ri -f - /etc/default/nfs-common <<'EOF'
-/^\s*STATDOPTS=/d
-$a STATDOPTS="--port 32765 --outgoing-port 32766"
-EOF
-
-s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF'
-/^\s*RPCMOUNTDOPTS=/d
-$a RPCMOUNTDOPTS="--manage-gids --port 32767"
-EOF
-ser restart nfs-kernel-server
-
-if [[ $HOSTNAME == kd ]]; then
- # persistent one time steps for webdav:
- # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml,
- # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi
- # htpasswd -c /p/c/filesystem/etc/davpass dav
- # chmod 640 /p/c/filesystem/etc/davpass
- # in conflink, set group to www-data.
- # In kodi, i set the music source, server address: my domain,
- # path: k/music. Then copied the file
- # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting.
- s a2enmod dav dav_fs
- web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF'
-<Directory /a/c/playlists>
- DAV On
- AuthType Basic
- AuthName "Authentication Required"
- AuthUserFile "/etc/davpass"
- Require valid-user
-
-# outside the standard /var/www, so use this:
- Order allow,deny
- Allow from all
-</Directory>
-EOF
- s mkdir -p /var/www/davlock
- s chown www-data:www-data /var/www/davlock
- s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf
- ser reload apache2
-
- teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)"
- exportfs -ra
-
- # kodi uses sqlite by default, but supports mysql.
- pi mariadb-server
-
- # see ofswiki.org for explanation.
- dbpass="$(cat /p/mysql-root-pass)"
- if ! echo exit|mysql -uroot "-p$dbpass"; then
- echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
- fi
- mysql -uroot "-p$dbpass" <<EOF
-GRANT ALL PRIVILEGES ON *.* TO 'kodi' IDENTIFIED BY '$(</p/mysql-kodi-pass)';
-EOF
- s sed -ri 's/^(\s*bind-address\s*=).*/\1 0.0.0.0/' /etc/mysql/mariadb.conf.d/50-server.cnf
- ser restart mariadb
-
-fi
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Copyright (C) 2017 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-
-usage() {
- cat <<EOF
-Usage: ${0##*/}
-Initial setup for maru debian for nexus 5.
-
-We do this separately because it's constrained for space much more than
-any other host. The maru debian takes up about 1.5G. We start with about
-6.8G free. We want to keep a few gigs free to take pictures and
-movies. I should really trade this in for a 32GB version.
-
--h|--help Print help and exit.
-EOF
- exit $1
-}
-
-case $1 in
- *) usage ;;
-esac
-
-
-scp $(readlink -f $(which rootsshsync)) maru-init maru@n5:
-ssh -t maru@n5 ./rootsshsync
-
-ssh root@n5 bash <<'EOF'
-echo "ian ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
-echo n5 >/etc/hostname
-sed -i '/^127\.0\.1\.1/d' /etc/hosts
-echo "127.0.1.1 n5.lan n5" >>/etc/hosts
-hostname -F /etc/hostname
-
-kill $(pgrep -U maru)
-usermod -l ian -m -d /home/ian maru
-groupmod -n ian maru
-useradd -m -s /bin/bash user2
-EOF
-
-# then do myunison n5,
-# then do conflink.
+++ /dev/null
- ############# begin setup mastodon ##############
-
- # main doc is Docker-Guide.md in docs repo
-
- # I'd like to try gnu social just cuz of gnu, but it's not being
- # well maintained, for example, simple pull requests
- # languishing:
- # https://git.gnu.io/gnu/gnu-social/merge_requests/143
- # and I submitted my own bugs, basic docs are broken
- # https://git.gnu.io/gnu/gnu-social/issues/269
-
- # note, docker required, but we installed it earlier
-
- # i subscrubed to https://github.com/docker/compose/releases.atom
- # to see release notes.
- # i had some problems upgrading. blew things away with
- # docker-compose down
- # docker rmi $(docker images -q)
- # s reboot now
- # when running docker-compose run, kernel stack traces are printed to the journal.
- # things seem to succeed, google says nothing, so ignoring them.
- curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-$(uname -s)-$(uname -m) | s dd of=/usr/local/bin/docker-compose
- s chmod +x /usr/local/bin/docker-compose
-
-
- cd ~
- s rm -rf mastodon
- i clone https://github.com/tootsuite/mastodon
- cd mastodon
- # subbed to atom feed to deal with updates
- git checkout $(git tag | grep -v rc | tail -n1)
-
- # per instructions, uncomment redis/postgres persistence in docker-compose.yml
- sed -i 's/^#//' docker-compose.yml
-
- cat >.env.production <<'EOF'
-REDIS_HOST=redis
-REDIS_PORT=6379
-DB_HOST=db
-DB_USER=postgres
-DB_NAME=postgres
-DB_PASS=
-DB_PORT=5432
-
-LOCAL_DOMAIN=mast.iankelling.org
-LOCAL_HTTPS=true
-
-SINGLE_USER_MODE=true
-
-SMTP_SERVER=mail.iankelling.org
-SMTP_PORT=25
-SMTP_LOGIN=li
-SMTP_FROM_ADDRESS=notifications@mast.iankelling.org
-SMTP_DOMAIN=mast.iankelling.org
-SMTP_DELIVERY_METHOD=smtp
-EOF
-
- for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
- # 1 minute 7 seconds to run this docker command
- # to generate a secret, and it has ^M chars at the end. wtf. really dumb
- printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production
- done
- found=false
- while read -r domain _ pass; do
- if [[ $domain == mail.iankelling.org ]]; then
- found=true
- # remove the username part
- pass="${pass#*:}"
- printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production
- break
- fi
- done < <(s cat /etc/mailpass)
- if ! $found; then
- echo "$0: error, failed to find mailpass domain for mastadon"
- exit 1
- fi
-
- # docker compose makes an interface named like br-8f3e208558f2. we need mail to
- # get routed to us.
- if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then
- s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25
- fi
-
- docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production
- logq docker-compose run --rm web rake db:migrate
- docker-compose run --rm web rails assets:precompile
-
- # avatar failed to upload, did
- # docker logs mastodon_web_1
- # google lead me to this
- s chown -R 991:991 public/system
-
- # docker daemon takes care of starting on boot.
- docker-compose up -d
-
- s a2enmod proxy_wstunnel headers
- web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF'
- ProxyPreserveHost On
- RequestHeader set X-Forwarded-Proto "https"
- ProxyPass /500.html !
- ProxyPass /oops.png !
- ProxyPass /api/v1/streaming/ ws://localhost:4000/
- ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/
- ErrorDocument 500 /500.html
- ErrorDocument 501 /500.html
- ErrorDocument 502 /500.html
- ErrorDocument 503 /500.html
- ErrorDocument 504 /500.html
-EOF
-
-
- ############### !!!!!!!!!!!!!!!!!
- ############### manual steps:
-
- # only following a few people atm, so not bothering to figure out backups
- # when mastodon has not documented it at all.
- #
- # fsf@status.fsf.org
- # cwebber@toot.cat
- # dbd@status.fsf.org
- # johns@status.fsf.org
-
- # sign in page is at https://mast.iankelling.org/auth/sign_in
- # register as iank, then
- # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md
- # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank
-
- ############# end setup mastodon ##############
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
-# based on
-# https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Docker-Guide.md
-
-if [[ $EUID == 0 ]]; then echo "$0: error, do not run as root"; exit 1; fi
-
-cd /home/iank/mastodon
-git fetch
-git stash
-git checkout $(git tag | grep -v rc | tail -n1)
-git stash pop
-docker-compose build
-# these 2 may not be needed in all upgrades, but
-# simpler to just do them always.
-docker-compose run --rm web rake db:migrate
-docker-compose run --rm web rake assets:precompile
-# restart the app
-docker-compose up -d
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# this was part of distro-end
-
-### begin nagios ###
-
-pi nagios-nrpe-server
-
-case $HOSTNAME in
- kd)
- # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345
- pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports
- s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf
-
- # to add a password for admin:
- # htdigest /etc/nagios4/htdigest.users Nagios4 iank
- # now using the same pass as prometheus
-
- # nagstamon auth settings, set to digest instead of basic.
-
- web-conf -p 3005 - apache2 i.b8.nz <<'EOF'
-# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf
-
-ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4
-ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4
-
-# Where the stylesheets (config files) reside
-Alias /nagios4/stylesheets /etc/nagios4/stylesheets
-
-# Where the HTML pages live
-Alias /nagios4 /usr/share/nagios4/htdocs
-
-<DirectoryMatch (/usr/share/nagios4/htdocs|/usr/lib/cgi-bin/nagios4|/etc/nagios4/stylesheets)>
- Options FollowSymLinks
- DirectoryIndex index.php index.html
- AllowOverride AuthConfig
- #
- # The default Debian nagios4 install sets use_authentication=0 in
- # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication.
- # This is insecure. As a compromise this default apache2 configuration
- # only allows private IP addresses access.
- #
- # The <Files>...</Files> below shows how you can secure the nagios4
- # web site so anybody can view it, but only authenticated users can issue
- # commands (such as silence notifications). To do that replace the
- # "Require all granted" with "Require valid-user", and use htdigest
- # program from the apache2-utils package to add users to
- # /etc/nagios4/htdigest.users.
- #
- # A step up is to insist all users validate themselves by moving
- # the stanza's in the <Files>..<Files> into the <DirectoryMatch>.
- # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you
- # can configure which people get to see a particular service from
- # within the nagios configuration.
- #
- AuthDigestDomain "Nagios4"
- AuthDigestProvider file
- AuthUserFile "/etc/nagios4-htdigest.users"
- AuthGroupFile "/etc/group"
- AuthName "Nagios4"
- AuthType Digest
- Require valid-user
-</DirectoryMatch>
-
-<Directory /usr/share/nagios4/htdocs>
- Options +ExecCGI
-</Directory>
-EOF
- ;;
-esac
-
-# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. for example:
-# notifications_enabled=1
-# note, the same variable exists in the correspdonding "define service {"
-
-# in the default config, we have these definitions
-
-# 11 define command {
-# 2 define contact {
-# 1 define contactgroup {
-# 9 define host {
-# 4 define hostgroup {
-# 23 define service {
-# 5 define timeperiod {
-
-
-# on klaxon
-
-# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c
-# 76 define command
-# 11 define contact
-# 6 define contactgroup
-# 162 define host
-# 1 define hostextinfo
-# 16 define hostgroup
-# 3040 define service
-# 2 define servicedependency
-# 6 define timeperiod
-
-
-
-
-### end nagios ###
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# not caring enough about having a new firefox at the moment, so
-# disabled.
-
-# this was just under the comment "basic needed packages" in
-# distro-begin.
-
-case $(distro-name) in
- debian)
- if has_x; then
- if isdebian-stable; then
- pi firefox/$codename-backports
- else
- # for a while, firefox/unstable did not have
- # dependencies satisfied by testing packages, and i hit
- # a conflict, it wanted a newer libfontconfig1, but
- # emacs build-deps wanted an older one. In this case,
- # I switch to using firefox-esr. note: They seem
- # to release a new esr version every 9 months or so.
- pi firefox/unstable
- s dd of=/etc/apt/preferences.d/firefox <<'EOF'
-Package: firefox
-Pin: release a=unstable
-Pin-Priority: 500
-EOF
- fi
- fi
- # # no hosts have nonfree firmware anymore, yay. but leaving commented,
- # # as i might run into one for a little while still.
- # p=firmware-linux-nonfree
- # if apt-cache show $p &>/dev/null; then
- # pi $p
- # fi
- ;;&
- trisquel|ubuntu)
- if has_x; then
- pi abrowser
- fi
- ;;
-esac
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-# mail-route can get messed up a bit randomly, I don't know why.
-#/b/ds/mail-route up |& /b/log-quiet/log-once -1 mail-route
-
-for f in $(awk '$1 == "localfolders" {print $NF}' ~/.offlineimaprc); do
- mkdir -p $f
- chmod 700 $f
-done
-
-offlineimap -u quiet
-shopt -s nullglob
-
-if grep -qP '^ *accounts.*fsf' ~/.offlineimaprc; then
- if [[ ! -e /nocow/user/.mufsf ]]; then
- mkdir -p /nocow/user/.mufsf
- chmod 700 /nocow/user/.mufsf
- mu index --maildir=/nocow/user/fsfmd
- fi
-fi
-
-omv() { # offlineimap mv. move mail files within $src_base/$1 to /m/md/$2
- src="$1"
- dst="$2"
- found_files=false
- for x in new cur; do
- files=($src_base/"$src"/$x/*)
- if [[ $files ]]; then
- found_files=true
- mv "${files[@]}" /m/md/"$dst"/$x
- fi
- done
-}
-
-src_base=/m/offlineimap
-omv "Sent Items" "Sent"
-omv INBOX offlineimaptmp
-src_base=/m/md
-if $found_files; then
- sieve-filter -eW ~/sieve/main.sieve offlineimaptmp &>/dev/null
- # the default folder is INBOX for anything leftover
- omv offlineimaptmp INBOX
- # remove messages from remote host
- offlineimap -u quiet
- # this makes us sit and wait when we want to use mu and this is running in a cronjob.
- # todo: emacs updates the index much faster. what command is it running? I'd like
- # to just run that
- # looks like it might be mu index --lazy-check, but that still takes like 10 seconds,
- # figure out if that is the same speed, or if we can make it faster.
- #mu index &>/dev/null ||:
-fi
-
-
-# delete based on http://deflexion.com/2006/05/imap-way-of-deleting-message
-sieve-filter -eW -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf.sieve INBOX delete &>>/tmp/fsfsieve.log
-
-# to test new rules, update fsf-test.sieve, run these commands, then copy new fsf-test.sieve to fsf.sieve
-# sieve-filter -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf-test.sieve INBOX &>/tmp/testfsfsieve.log
-# sed -rn '/^Performed actions:/{n;n;p}' /tmp/testfsfsieve.log | sort -u
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# Copyright (C) 2016 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-
-# Automated phabricator setup. Not currently using it,
-# but it worked last time I tried it.
-
-if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi
-
-set -x
-
-
-# lj is test server
-case $HOSTNAME in
- lj)
- domain=phab.iank.bid
- alt_domain=fastmail.wiki
- ;;
- lk)
- domain=phab.iankelling.org
- alt_domain=iankellingusercontent.org
- ;;
-esac
-
-
-pass=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin`
-webroot=/usr/share/phabricator/webroot
-user=iank
-name="Ian Kelling"
-email=ian@iankelling.org
-ssh_port=222
-
-fbin() { bin=$1; shift; sudo /usr/share/phabricator/bin/$bin "$@"; }
-fsetd() { fbin config set --database "$@"; }
-
-# phabricator complained about wanting arcanist first
-pi arcanist/unstable mercurial
-
-# duplicated in mediawiki setup. todo fix that.
-s DEBIAN_FRONTEND=noninteractive pi mysql-server
-cd # mysql_secure_installation writes some temp files to the current dir,
-# so we need to make sure it's writable.
-if echo exit|mysql -u root -p"$dbpass"; then
- echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation
-else
- echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation
-fi
-
-mysql -u root -p$dbpass <<EOF
-grant all privileges on \`phabricator\\_%\`.* to 'phabricator'@localhost identified by '$pass';
-EOF
-
-phab-sel() {
- s debconf-set-selections<<EOF
-phabricator phabricator/pwd_check password $pass
-phabricator phabricator/phabricator_mysql_pwd password $pass
-phabricator phabricator/webserver select None
-phabricator phabricator/phabricator_mysql_user string phabricator
-phabricator phabricator/mysql_host string localhost
-# Domain name or subdomain name used by phabricator:
-phabricator phabricator/domain_name string $domain
-EOF
-}
-phab-sel
-
-pi phabricator/unstable
-
-# debian sets http, but we want https
-s sed -i --follow-symlinks 's/http:/https:/' /usr/share/phabricator/conf/local/local.json
-
-
-acme-tiny-wrapper $domain
-acme-tiny-wrapper $alt_domain
-
-for x in $domain $alt_domain; do
- web-conf -r $webroot - $x <<EOF
-RewriteEngine on
-RewriteRule ^/rsrc/(.*) - [L,QSA]
-RewriteRule ^/favicon.ico - [L,QSA]
-RewriteRule ^/php5-fcgi - [L]
-RewriteRule ^(.*)\$ /index.php?__path__=\$1 [B,L,QSA]
-<Directory "$webroot">
- Require all granted
-</Directory>
-EOF
-done
-
-
-# Before I figured out how to setup the admin in the script,
-# this would limit the site to localhost,
-# and access it through an ssh tunnel until its secure.
-#phab-site -p 127.0.0.1:443
-
-# settings are stored in conf/local/local.json.
-# some settings could also be stored in the database with
-# --database arg. database has higher priority than
-# the config file.
-
-# if you need to restart phabricator, just ser restart apache2
-# https://secure.phabricator.com/book/phabricator/article/restarting/
-
-# to reset things, you can do.
-# fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable
-# # but under debian, prolly better to purge, cause db gets created on install
-
-
-# On first run went to the website, registered manually, then
-# went through the gui setup items to get the configuration below.
-
-
-#expect "*"
-#sleep 1
-
-# expect's exits with 0 by default on timeout of an expect command.
-# You can modify this, but it was simpler to use an irregular code to detect
-# actual success.
-sudo expect -d <<EOF
-# The expect lines use shell type globbing. They are not actually
-# needed, but they make the script likely to fail if the questions
-# content changes drastically, and make the script self documenting.
-
-# adds a short delay after each send for more reliable operation
-# (reference: comment in any autoexpect generated script)
-set force_conservative 0
-spawn "/usr/share/phabricator/bin/accountadmin"
-# If we've already set our user, detect different prompt and exit
-# expect basics: when the last alternative matches, there is no need
-# to specify an action, we just continue.
-expect {
- timeout {exit 1}
- -nocase "enter a username" exit
- -nocase "y/n"
-}
-send "y\r"
-expect -nocase timeout {exit 1} "username"
-send "$user\r"
-expect -nocase timeout {exit 1} "create*y/n"
-send "y\r"
-expect -nocase timeout {exit 1} "name"
-send "$name\r"
-expect -nocase timeout {exit 1} "email"
-send "$email\r"
-expect -nocase timeout {exit 1} "password"
-send "$pass\r"
-expect -nocase timeout {exit 1} "bot"
-send "n\r"
-expect -nocase timeout {exit 1} "admin"
-send "y\r"
-expect -nocase timeout {exit 1} "save"
-send "y\r"
-expect eof
-exit
-EOF
-
-
-
-# this tipped me over to using a debian package
-# https://secure.phabricator.com/T4181
-
-fsetd auth.require-approval false
-
-# phabricator recommends going from 16 to at least 32
-sudo sed -ri 's/(^\s*max_allowed_packet)[[:space:]=].*/\1 = 100M/' /etc/mysql/my.cnf
-
-
-setini() {
- key="$1" value="$2" section="$3" file="$4"
- sudo sed -ri "/ *\[$section\]/,/^ *\[[^]]+\]/{/^\s*$key[[:space:]=]/d};/ *\[$section\]/a $key = $value" "$file"
-}
-
-setd() { setini "$@" mysqld /etc/mysql/my.cnf; }
-
-# error instead of data corruption:
-setd sql_mode STRICT_ALL_TABLES
-setd ft_stopword_file /usr/share/phabricator/resources/sql/stopwords.txt
-setd ft_min_word_len 3
-# mysql full text search for word1 word2 will and them instead of or them:
-setd ft_boolean_syntax "' |-><()~*:\"\"&^'"
-# default is 128M. recommended starting point is 40% of ram.
-setd innodb_buffer_pool_size 1600M
-
-# this files stopwork, and min_word_len
-mysql -u root -p$dbpass <<'EOF'
-REPAIR TABLE phabricator_search.search_documentfield;
-EOF
-
-fsetd pygments.enabled true
-fbin config set security.alternate-file-domain https://$alt_domain
-
-setini opcache.validate_timestamps '"0"' opcache /etc/php5/apache2/php.ini
-setini post_max_size 100M PHP /etc/php5/apache2/php.ini
-
-fsetd metamta.default-address phabricator@$domain
-fsetd metamta.domain $domain
-
-
-ser restart mysql
-
-# Not sure if this is needed. while developing this script, mysql went down
-# for a bit and the daemons died.
-
-
-# todo, setup inbound email:
-# https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/
-
-
-# https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/
-# unmatchable password, allows login only via ssh, sudo, etc.
-# this is standard.
-# I tried having no home dir, (-d /nonexistent),
-# but I got an error message on test sshing,
-sudo useradd -p '*' -m --system -s /bin/sh vcs || [[ $? == 9 ]]
-
-# you'd think the debian package would set this. todo: check on a fresh
-# machine
-fbin config set phd.user phabricator
-fbin config set diffusion.ssh-user vcs
-
-option="ALL=(phabricator) SETENV: NOPASSWD:"
-www_files=$(which git hg|sed ':a;N;s/\n/, /;ta')
-vcs_files=$(which git git-upload-pack git-receive-pack hg|sed ':a;N;s/\n/, /;ta')
-[[ $www_files && $vcs_files ]] || exit 1
-www_files="$www_files, /usr/lib/git-core/git-http-backend"
-sudo dd of=/etc/sudoers.d/phabricator <<EOF
-www-data $option $www_files
-vcs $option $vcs_files
-EOF
-
-# Found this due to red x in the ui after setting up a test repo.
-# todo: debian package should do this for us. see also:
-# https://phab.iank.bid/config/edit/environment.append-paths/
-sudo lnf /usr/lib/git-core/git-http-backend /usr/share/phabricator/support/bin
-
-fbin config set diffusion.allow-http-auth true
-
-# couldn't find a really appropriate place for it. It needs parent dir
-# permissions to be root:root.
-file=/usr/share/phabricator-local-ssh-hook.sh
-# from /usr/share/phabricator/resources/sshd/phabricator-ssh-hook.sh
-sudo dd of=$file <<'EOF'
-#!/bin/sh
-# For debugging, you can temporarily do:
-# exec >/tmp/plog 2>&1
-# This script executes as the vcs user
-if [ "$1" != vcs ]; then exit 1; fi
-exec "/usr/share/phabricator/bin/ssh-auth" $@
-EOF
-sudo chmod 755 $file
-
-sudo dd of=/etc/ssh/sshd_config.phabricator <<EOF
-AuthorizedKeysCommand $file
-AuthorizedKeysCommandUser vcs
-AllowUsers vcs
-
-Port $ssh_port
-Protocol 2
-PermitRootLogin no
-AllowAgentForwarding no
-AllowTcpForwarding no
-PrintMotd no
-PrintLastLog no
-PasswordAuthentication no
-AuthorizedKeysFile none
-
-PidFile /var/run/sshd-phabricator.pid
-EOF
-
-sudo dd of=/etc/systemd/system/phabricator-ssh.service <<'EOF'
-[Unit]
-Description=OpenBSD Secure Shell server for phabricator repos
-After=network.target auditd.service
-ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
-
-[Service]
-ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_config.phabricator
-ExecReload=/bin/kill -HUP $MAINPID
-KillMode=process
-Restart=on-failure
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
-sudo systemctl daemon-reload
-
-# got this error upon ssh, figured out a solution.
-# [2016-06-10 06:40:15] EXCEPTION: (AphrontInvalidCredentialsQueryException) #1045: Access denied for user 'root'@'localhost' (using password: NO) at [<phutil>/src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306]
-# arcanist(), phabricator(), phutil()
-
-s usermod -a -G vcs www-data
-s usermod -a -G vcs iank
-s usermod -a -G vcs phabricator
-s chown root:vcs /usr/share/phabricator/conf/local/local.json
-fbin config set diffusion.ssh-port $ssh_port
-
-fsetd policy.allow-public true
-
-sgo phabricator-ssh
-
-ser restart apache2
-sgo phabricator
-
-
-# todo, finish next steps here:
-# notably, backup/restore
-# https://secure.phabricator.com/book/phabricator/article/configuration_guide/
-
-
-fbin auth recover iank
-
-cat <<EOF
-# go to link above, then
-# https://$domain/auth/config/new/
-# and add username/pass auth provider.
-EOF
-
-
-
-# beginnings of automating those last manual steps:
-
-
-# for setting the auto provider, we can use the api.
-#arc set-config default https://$domain
-#
-# but first we have to generate an api key by getting
-# https://phab.iank.bid/conduit/login/
-# to do that, we've got to login to the url login.
-# We've got to post to a url on the login page,
-# then record 2 cookies: phuser and phsid
-# It also does a 302 for us to do 2 more pages related to auth/login.
-
-# we need to post to the right url (didn't record it, with these params)
-#allowLogin:"1"
-#allowRegistration:"1"
-#allowLink:"1"
-#allowUnlink:"1"
-
-
-#Serve over HTTP
-#
-#
-# phabricator/ $ ./bin/repository edit rT --as iank --local-path ...
-
-#
+++ /dev/null
- ########## begin pump.io setup ##########
-
- # once pump adds a logrotation script, turn off nologger,
- # and add
- # "logfile": "/var/log/pumpio/pumpio.log",
- #
- s dd of=/etc/pump.io.json <<'EOF'
-{
- "secret": "SECRET_REPLACE_ME",
- "driver": "mongodb",
- "params": { "dbname": "pumpio" },
- "noweb": false,
- "site": "pump.iankelling.org",
- "owner": "Ian Kelling",
- "ownerURL": "https://iankelling.org/",
- "port": 8001,
- "urlPort": 443,
- "hostname": "pump.iankelling.org",
- "nologger": true,
- "datadir": "/home/pumpio/pumpdata",
- "enableUploads": true,
- "debugClient": false,
- "disableRegistration": true,
- "noCDN": true,
- "key": "/home/pumpio/privkey.pem",
- "cert": "/home/pumpio/fullchain.pem",
- "address": "localhost",
- "sockjs": false
-}
-EOF
- s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
-
- # stretch node is too old
- # https://nodejs.org/en/download/package-manager/
- curl -sL https://deb.nodesource.com/setup_8.x | sudo -E bash -
- pi nodejs graphicsmagick mongodb
- cd /home/iank
- if [[ -e pump.io ]]; then
- cd pump.io
- git pull
- else
- git clone https://github.com/pump-io/pump.io.git
- cd pump.io
- fi
- # note: these 2 commands seem
- # note: doing this or the npm install pump.io as root had problems.
- npm install
- npm run build
- # normally, next command would be
- # s npm install -g odb
- # but it\'s this until a bug in pump gets fixed
- # https://github.com/pump-io/pump.io/issues/1287
- s npm install -g databank-mongodb@0.19.2
- if ! getent passwd pumpio &>/dev/null; then
- s useradd -Um -s /bin/false pumpio
- fi
- sudo -u pumpio mkdir -p /home/pumpio/pumpdata
- # for testing browser when only listening to localhost,
- # in the pump.io.json, set hostname localhost, urlPort 5233
- #ssh -L 5233:localhost:5233 li
-
- s mkdir -p /var/log/pumpio/
- s chown pumpio:pumpio /var/log/pumpio/
-
- web-conf - apache2 pump.iankelling.org <<'EOF'
-# currently a bug in pump that we cant terminate ssl
- SSLProxyEngine On
- ProxyPreserveHost On
- ProxyPass / https://127.0.0.1:8001/
- ProxyPassReverse / https://127.0.0.1:8001/
- # i have sockjs disabled per people suggesting that
- # it won\'t work with apache right now.
- # not sure if it would work with this,
- # but afaik, this is pointless atm.
- <Location /main/realtime/sockjs/>
- ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/
- ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/
- </Location>
-EOF
-
- sudo -i <<'EOF'
-export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org
-/a/bin/distro-setup/certbot-renew-hook
-EOF
-
- s dd of=/etc/systemd/system/pump.service <<'EOF'
-[Unit]
-Description=pump.io
-After=syslog.target network.target mongodb.service
-Requires=mongodb.service
-
-[Service]
-Type=simple
-User=pumpio
-Group=pumpio
-ExecStart=/home/iank/pump.io/bin/pump
-Environment=NODE_ENV=production
-# failed to find databank-mongodb without this.
-# I just looked at my environment variables took a guess.
-Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript
-
-[Install]
-WantedBy=multi-user.target
-EOF
- ser daemon-reload
- sgo pump
- ########## end pump.io setup ############
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# this is from distro-end
-
-if [[ $HOSTNAME == kd ]]; then
- pi samba
- # note samba re-reads it\'s config every 1 minute
- case $distro in
- arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;;
- esac
-
- # add 2 lines after workgroup option
- s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf
- s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf
- s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf
- # remove default homes section. not sharing that.
- s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf
-
- if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then
- s tee -a /etc/samba/smb.conf <<'EOF'
-[public]
- guest ok = yes
- read only = no
- path = /kr
-EOF
- fi
-
- case $distro in
- debian|trisquel|ubuntu)
- # systemd claims it generates units from /etc/init.d, but it
- # clearly doesn\'t in debian. I have no idea how they are
- # related. fuck debian right now. It\'s not documented. samba
- # has a systemd init file linked to /dev/null. There\'s this
- # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which
- # claims samba\'s sub-services will be started automatically by
- # systemd... it didn\'t on install, wonder if it will on
- # boot. It clued me in how to start it manually though. Nothing
- # in /usr/share/doc/samba, debian admin guide says nothing about
- # any of this. (this is in debian testing as of 4/2016).
-
- s /etc/init.d/samba start
- ;;
- arch)
- sgo samba
- ;;
- esac
-fi
+++ /dev/null
-#!/bin/bash
-# I, Ian Kelling, follow the GNU license recommendations at
-# https://www.gnu.org/licenses/license-recommendations.en.html. They
-# recommend that small programs, < 300 lines, be licensed under the
-# Apache License 2.0. This file contains or is part of one or more small
-# programs. If a small program grows beyond 300 lines, I plan to switch
-# its license to GPL.
-
-# Copyright 2024 Ian Kelling
-
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-
-# http://www.apache.org/licenses/LICENSE-2.0
-
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-
-# for duplicity source build
-PATH="$PATH:/usr/local/bin"
-
-# [--retry] interval_name [max_age]
-# takes 2 arguments specifying the name of the subfolder,
-# and optionally, the max age of the backup
-
-# this script setup by adding a user crontab. see t.org for the script
-# it's also setup to email me only when it fails, and only for daily or weekly runs
-
-# uncomment for debugging, prints all commands to stdout
-#set -x
-
-set -E
-#trap 'echo trapped error from \"$BASH_COMMAND\" returned $? line $LINENO; accumulated_errors=true' ERR
-trap 'echo trapped err: $?; accumulated_errors=true' ERR
-
-exec 3>&1 4>&2
-exec &>> /tmp/small-backup.log
-
-echo "BEGIN: $(date): args $*"
-
-
-# only works with a single letter, ie 2D, not 2D12h
-half-time() {
- local time_word
- local letter=${1##*[0-9]}
- case $letter in
- s) time_wrod=second ;;
- m) time_word=minute ;;
- h) time_word=hour ;;
- D) time_word=day ;;
- W) time_word=week ;;
- M) time_word=month ;;
- Y) time_word=year ;;
- esac
- echo "${1%%$letter} $time_word"
- local x=$(date +%s -d "${1%%$letter} $time_word")
- local y=$(date +%s)
-}
-
-
-if [[ $1 == --retry ]]; then
- shift
- x=0
- while pid=( $(pidof -o %PPID -x ${0##*/}) ) && (( ${#pid[@]} > 1 )) && (( x < 20 )); do
- x=$(( x + 1 ))
- sleep 30
- done
- if [[ $x == 20 ]]; then
- ps -F ${pid[@]}
- echo timeout error: existing ${0##*/} running for over 5 minutes >&2
- exit 1
- fi
-else
- if pid=( $(pidof -o %PPID -x ${0##*/}) ) && (( ${#pid[@]} > 1 )); then
- echo ps -F ${pid[@]}
- ps -F ${pid[@]}
- echo error: existing ${0##*/} running >&2
- exit 1
- fi
-fi
-
-interval=$1
-max_age=$2
-full_backup_arg=""
-if [[ $max_age ]]; then
- full_backup_arg="--full-if-older-than $(half-time $max_age)"
-fi
-
-rbackup () {
-
- local d=$1
- shift
- local dest=root@li::/root/rdiff-backups/${d##*/}/${interval}
-
- c="rdiff-backup $* --create-full-path $d $dest"
- echo "$c"; $c
-
- if [[ $max_age ]]; then
- c="rdiff-backup --force --remove-older-than $max_age $dest"
- echo "$c"; $c
-
- fi
-}
-
-
-rbackup /a/bin --exclude /a/bin/fai-basefiles
-rbackup /a/c
-
-# this is populated after input_setup.sh is run on login
-
-ssh root@li mkdir -p /root/duplicity-backups/p/$interval
-source /p/duplicity/gpg_agent_env
-duplicity_dest=rsync://root@li//root/duplicity-backups/p/$interval
-
-x=(/p/*)
-if ((${#x[@]} > 1)); then
- set -x
- # archive-dir is sort of a persistent cache
- duplicity --use-agent \
- --encrypt-sign-key E969C67B \
- --include-globbing-filelist /p/duplicity/filelist \
- --archive-dir /p/duplicity/archive \
- --tempdir /p/tmp \
- $full_backup_arg /p $duplicity_dest
- if [[ $max_age ]]; then
- duplicity --use-agent \
- remove-all-but-n-full 2 --force $duplicity_dest
- fi
- set +x
-fi
-# example restore command. We only need to make the first argument be a url for it to know it to do restore
-# the archive-dir and tempdir args are not needed
-# duplicity --use-agent --encrypt-sign-key E969C67B --archive-dir /p/duplicity/archive --tempdir /p/tmp ssh://root@li//root/duplicity-backups/p/weekly /p/duptest
-
-
-echo END
-
-# to restore duplicity. see man for additional options
-# duplicity --use-agent restore ...
-if [[ $accumulated_error ]]; then
- eccho "tail -n 50 of /tmp/small-backup.log:"
- tail -n 50 /tmp/small-backup.log
- exit 1
-fi
err-allow
source /etc/profile.d/environment.sh
export LC_USEBASHRC=t
-# shellcheck source=./.bashrc
-source ~/.bashrc
+# shellcheck source=./brc
+source ~/brc
err-catch
$interactive || set -x
# SPDX-License-Identifier: GPL-3.0-or-later
-# shellcheck source=/a/bin/ds/.bashrc
-export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi
+# shellcheck source=./brc
+source ~/brc
### setup
source /a/bin/bash-bear-trap/bash-bear
done
if $doupdate; then
tmpdir=$(mktemp -d)
- cd $tmpdir
- # cant apt get the keyring without doing an update, can't update
- # without the keyring, this is a stupid chicken and egg problem
- # that apt should have some feature to solve, but doesn't as far
- # as I know.
- f=debian-archive-keyring_2023.3+deb12u1_all.deb
- wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f
- sudo dpkg -i $f
+ (
+ cd $tmpdir
+ # cant apt get the keyring without doing an update, can't update
+ # without the keyring, this is a stupid chicken and egg problem
+ # that apt should have some feature to solve, but doesn't as far
+ # as I know.
+ f=debian-archive-keyring_2023.3+deb12u1_all.deb
+ wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f
+ sudo dpkg -i $f
+ )
p update
- cd -
rm -rf $tmpdir
fi
iankelling.org / git / distro-setup / commitdiff