fi
cat >/etc/btrbk.conf <<EOF
-ssh_identity /root/.ssh/id_rsa
+ssh_identity /root/.ssh/home
# Just a guess that local7 is a good facility to pick.
# It's a bit odd that the transaction log has to be logged to
# a file or syslog, while other output is sent to std out.
EOF
done
#### end link bashrc repo for root ######
+
+# li needs the bind group before conflink
+if [[ $HOSTNAME == li ]]; then
+ getent group bind &>/dev/null || sudo groupadd -r bind
+fi
# this needs to be before installing pacserve so we have gpg conf.
conflink
if isdeb; then
- if isdebian-stable && has_x; then
- codename=$(debian-codename)
- s dd of=/etc/apt/sources.list.d/mozilla-iceweasel.list <<EOF
-deb http://mozilla.debian.net/ $codename-backports firefox-release
-deb-src http://mozilla.debian.net/ $codename-backports firefox-release
-EOF
- p update
- # take care of mozilla signing errors in previous command
- pi pkg-mozilla-archive-keyring
- p update
- else
- :
- # this would change stable to testing, but I set that up already.
- # It\'s just a no-op if its already testing.
- # sudo sed -ri 's!^( *[^ #]+ +[^ ]+ +)[[:alpha:]]+(.*)!\1testing\2!' /etc/apt/sources.list
- p update
- fi
+ codename=$(debian-codename)
+ ## ian: disabled. backports are not being published atm due to rust packaging issue
+ # if isdebian-stable && has_x; then
+ # s dd of=/etc/apt/sources.list.d/mozilla-iceweasel.list <<EOF
+ # deb http://mozilla.debian.net/ $codename-backports firefox-release
+ # deb-src http://mozilla.debian.net/ $codename-backports firefox-release
+ # EOF
+ # p update
+ # # take care of mozilla signing errors in previous command
+ # pi pkg-mozilla-archive-keyring
+ # fi
+ p update
+
fi
if isarch; then
fi
-# basic needed packages
+##### basic needed packages
+
+### begin setup for keyboard and redshift ###
case $(distro-name) in
- debian)
- if has_x; then
- if isdebian-stable; then
- pi firefox/$codename-backports
- else
- # for a while, firefox/unstable did not have
- # dependencies satisfied by testing packages, and i hit
- # a conflict, it wanted a newer libfontconfig1, but
- # emacs build-deps wanted an older one. In this case,
- # I switch to using firefox-esr. note: They seem
- # to release a new esr version every 9 months or so.
- pi firefox/unstable
- s dd of=/etc/apt/preferences.d/firefox <<'EOF'
-Package: firefox
-Pin: release a=unstable
-Pin-Priority: 500
-EOF
- fi
- fi
- # # no hosts have nonfree firmware anymore, yay. but leaving commented,
- # # as i might run into one for a little while still.
- # p=firmware-linux-nonfree
- # if apt-cache show $p &>/dev/null; then
- # pi $p
- # fi
- ;;&
- trisquel|ubuntu)
- if has_x; then
- pi abrowser
- fi
- ;;&
+
trisquel|ubuntu|debian)
if has_x; then
if isdebian-testing; then
fi
;;&
esac
-
if has_x; then
pi xbindkeys
fi
+### end setup for keyboard and redshift ###
+
+
pi cryptsetup lvm2
# enables trim for volume delete, other rare commands.
sudo $sed -ri 's/( *issue_discards\b).*/\1 = 1/' /etc/lvm/lvm.conf
fi
# we've got a few dependencies later on, so install them now.
-pi eatmydata
-s eatmydata apt-get -y install --purge --auto-remove "${simple_packages[@]}"
+pi eatmydata; PI_PREFIX=eatmydata
+pi "${simple_packages[@]}"
simple_packages=()
case $distro in
debian)
# note, need python-certbot-nginx for nginx, but it depends on nginx,
- # and I'm not installing nginx by default right now
- if isdebian-testing; then
- pi --install-suggests certbot
+ # and I'm not installing nginx by default right now.
+ # note python-certbot-apache is in suggests, but so is a doc package that brought in xorg
+ if [[ $(debian-codename) == jessie ]]; then
+ pi -t jessie-backports certbot python-certbot-apache
else
- pi --install-suggests -t jessie-backports certbot
+ pi certbot python-certbot-apache
fi
# make a version of the certbot timer that emails me.
x=/systemd/system/certbot
/a/h/build.rb
sudo -E /a/bin/mediawiki-setup/mw-setup-script
- #$src/phab-setup
pi-nostart mumble-server
s $sed -ri "s/^ *(serverpassword=).*/\1$(< /a/bin/bash_unpublished/mumble_pass)/" /etc/mumble-server.ini
sgo mumble-server
- vpn-server-setup -d
- tee /etc/openvpn/client-config/mail <<'EOF'
+ vpn-server-setup -rd
+ s tee /etc/openvpn/client-config/mail <<'EOF'
ifconfig-push 10.8.0.4 255.255.255.0
EOF
ser enable vpnmail.service
# needed for li's local mail delivery.
tu /etc/hosts <<<"10.8.0.4 mail.iankelling.org"
- sgo openvpn
+ if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
+ vpn_service=openvpn-server@server
+ else
+ vpn_service=openvpn@server
+ fi
+ sgo $vpn_service
# setup let's encrypt cert
web-conf apache2 mail.iankelling.org
s rm /etc/apache2/sites-enabled/mail.iankelling.org{,-redir}.conf
# setup one time, with root:www-data, 640
AuthUserFile "/etc/caldav-htpasswd"
Require valid-user
- <Location />
+ </Location>
EOF
# nginx version of above would be:
# auth_basic "Not currently available";
EOF
s sed -i "s#SECRET_REPLACE_ME#$(cat /p/c/machine_specific/li/pump-secret)#" /etc/pump.io.json
- # jessie\'s node is too old
+ # stretch node is too old
# https://nodejs.org/en/download/package-manager/
curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -
pi nodejs
cd /home/iank
- rm -rf pump.io.git
- git clone https://github.com/pump-io/pump.io.git
- cd pump.io
+ if [[ -e pump.io ]]; then
+ cd pump.io
+ git pull
+ else
+ git clone https://github.com/pump-io/pump.io.git
+ cd pump.io
+ fi
# note: doing this or the npm install pump.io as root had problems.
npm install
npm run build
# normally, next command would be
# s npm install -g databank-mongodb
# but it\'s this until a bug in pump gets fixed
+ # https://github.com/pump-io/pump.io/issues/1287
s npm install -g databank-mongodb@0.19.2
- s useradd -m -s /bin/false pumpio
+ if ! getent passwd pumpio &>/dev/null; then
+ s useradd -m -s /bin/false pumpio
+ fi
sudo -u pumpio mkdir -p /home/pumpio/pumpdata
# for testing browser when only listening to localhost,
# in the pump.io.json, set hostname localhost, urlPort 5233
############# begin setup mastodon ##############
+ # main doc is Docker-Guide.md in docs repo
+
# I'd like to try gnu social just cuz of gnu, but it's not being
# well maintained, for example, simple pull requests
# languishing:
cd ~
+ s rm -rf mastodon
i clone https://github.com/tootsuite/mastodon
cd mastodon
# subbed to atom feed to deal with updates
EOF
for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do
- printf "%s=%s" $key "$(docker-compose run --rm web rake secret)" >>.env.production
+ # 1 minute 7 seconds to run this docker command
+ # to generate a secret. wtf, wtf, wtf, wtf
+ printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|tail -n1)" >>.env.production
done
+ found=false
s cat /etc/mailpass| while read -r domain port pass; do
if [[ $domain == mail.iankelling.org ]]; then
- printf "SMTP_PASSWORD=%s" "$pass" >>.env.production
+ found=true
+ printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production
break
fi
done
+ if ! $found; then
+ echo "$0: error, failed to find mailpass domain for mastadon"
+ exit 1
+ fi
-
-
+ docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production
+ logq docker-compose run --rm web rake db:migrate
docker-compose run --rm web rails assets:precompile
# docker daemon takes care of starting on boot.
if [[ $HOSTNAME == tp ]]; then
if [[ -e /lib/systemd/system/openvpn-server@.service ]]; then
- vpn_service=openvpn-server@.service
+ vpn_service=openvpn-server@server
else
vpn_service=openvpn@server
fi
# others unknown
esac
-
+s mkdir -p /nocow/user
+s chown $USER:$USER /nocow/user
case $distro in
debian)
- # no recommends because it wanted some other unstable package, something to
- # do with math or something, which I didn't want to deal with.
- p -y --no-install-recommends install python3-send2trash/unstable anki/unstable
+ case $(debian-codename) in
+ jessie)
+ pi anki
+ ;;
+ *)
+ pi debootstrap schroot
+ d=/nocow/user/schroot/anki
+ if [[ -e $d/bin ]]; then
+ s chroot $d apt-get update
+ s chroot $d apt-get -y dist-upgrade --purge --auto-remove
+ else
+
+ mkdir -p /nocow/user/schroot/anki
+ s debootstrap jessie $d http://deb.debian.org/debian/
+ s dd of=/etc/schroot/chroot.d/anki.conf <<EOF
+[anki]
+description=Anki on jessie
+type=directory
+directory=$d
+profile=desktop
+preserve-environment=true
+users=$USER
+EOF
+
+ s cp {,$d}/etc/locale.gen
+ s cp -P {,$d}/etc/localtime
+ cd
+ s schroot -c anki -- apt-get install -y anki locales mplayer
+ fi
+ ;;
+ esac
;;
trisquel|ubuntu)
pi anki
case $distro in
debian)
- s eatmydata apt-get -y install --purge --auto-remove task-mate-desktop
+ pi task-mate-desktop
# in settings, change scrolling to two-finger,
# because the default edge scroll doesn\'t work.
pu transmission-gtk
trisquel)
# mate-indicator-applet and beyond are msc things I noticed diffing a
# standard install with mine.
- s eatmydata apt-get -y install --purge --auto-remove xorg lightdm mate-desktop-environment mate-desktop-environment-extras mate-indicator-applet anacron
+ pi xorg lightdm mate-desktop-environment mate-desktop-environment-extras mate-indicator-applet anacron
;;
# others unknown
esac
case $distro in
arch) spa apg ;;
-
- # already in debian jessie
+ # already in debian
esac
# limitations under the License.
# set to oppsite if the order is flipped.
-k2flip=false
+k2flip=true
if $k2flip; then
k2inorder=false
else
# switch to easy or hard pass which is the same as luks
f=/q/root/shadow/traci
-[[ $HOSTNAME != tp ]] || usermod -p "$(cat $f)" iank
+[[ $HOSTNAME != tpnew ]] || usermod -p "$(cat $f)" iank
echo "$0: finished. $(date)"
fi
# switch to easy or hard login pass which is the same as luks
f=/q/root/shadow/traci-simple
-[[ $HOSTNAME != tp ]] || usermod -p "$(cat $f)" iank
+[[ $HOSTNAME != tpnew ]] || usermod -p "$(cat $f)" iank
echo "$0: finished. $(date)"
if (( $# != 1 )); then
usage 1
fi
+
+start() {
+ iptables_op=-A
+ ip_op=add
+ # systemd around stretch release time, would wait until openvpn actually connected,
+ # so this was unnecessary, but now it returns immediately.
+ found=false
+ for ((i=1; i<=30; i++)); do
+ tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
+ if [[ $tun_dev == tun* ]]; then
+ found=true
+ break
+ fi
+ sleep 1
+ done
+ if ! $found; then
+ echo "$0: error: timeout waiting for valid tun_dev, currently:$tun_dev"
+ exit 1
+ fi
+ e() { "$@"; }
+ _errcatch_cleanup=stop
+ modify
+}
+stop() {
+ iptables_op=-D
+ ip_op=del
+ tun_dev=$(iptables -t nat -S | sed -rn "s/^-A POSTROUTING -o (tun[[:digit:]]+) -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4$/\1/p"|head -n1) || printf "failed to find tun device.\n"
+ e() { "$@" || printf "maybe ok failure: %s\n" "$*"; }
+ modify
+}
+
+show() {
+ e() { printf "${0##*/}: %s\n" "$*"; "$@"; }
+ e iptables -t mangle -S
+ e iptables -t nat -S
+ e ip rule
+ e ip route show table 1
+ exit 0
+}
+
+
+modify() {
+ # match source or dest port. note, when we send to a port, it picks a random high port as
+ # the source.
+ for port in 25 143; do # smtp and imap.
+ e iptables -t mangle $iptables_op \
+ OUTPUT -m tcp -p tcp -m multiport --ports $port -j MARK --set-mark 0x1
+ e iptables -t mangle $iptables_op \
+ OUTPUT -m tcp -p tcp -m multiport --ports $port -j MARK --set-mark 0x0 \
+ -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+ # note, we could have used a custom chain and returned instead of setting the mark again.
+ # in case anyone was ever curious, the inverse of private ips is: #0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3
+
+ done
+ e iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4
+ e ip rule $ip_op fwmark 1 table 1
+ # note, this rule does not persist when the tun interface is deleted
+ #e ip route $ip_op default via 10.8.0.1 table 1
+
+ exit 0
+}
+
case $1 in
- start)
- iptables_op=-A
- ip_op=add
- # systemd around stretch release time, would wait until openvpn actually connected,
- # so this was unnecessary, but now it returns immediately.
- while true; do
- tun_dev=$(ip a show to 10.8.0.4/24 | sed -rn '1s/^\S+\s+([^:]+).*/\1/p')
- if [[ $tun_dev == tun* ]]; then
- break
- fi
- echo "$0: waiting for tun_dev, found: $tun_dev"
- sleep 4
- done
- e() { "$@"; }
- ;;
- stop)
- iptables_op=-D
- ip_op=del
- tun_dev=$(iptables -t nat -S | sed -rn "s/^-A POSTROUTING -o (tun[[:digit:]]+) -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4$/\1/p"|head -n1) || printf "failed to find tun device.\n"
- e() { "$@" || printf "maybe ok failure: %s\n" "$*"; }
- ;;
- show)
- e() { printf "${0##*/}: %s\n" "$*"; "$@"; }
- e iptables -t mangle -S
- e iptables -t nat -S
- e ip rule
- e ip route show table 1
- exit 0
- ;;
- *)
- usage 1
- ;;
+ start|stop|show) $1 ;;
+ *) usage 1 ;;
esac
-# note, something like this does not work for packets which
+# background: something like this does not work for packets which
# exim is replying to. I don't know why.
#iptables -t mangle -A OUTPUT -m owner --uid-owner Debian-exim -j MARK --set-mark 0x1
-
-# match source or dest port. when we send to 25, it picks a random high port as
-# the source.
-
-for port in 25 143; do # smtp and imap.
- e iptables -t mangle $iptables_op \
- OUTPUT -m tcp -p tcp -m multiport --ports $port -j MARK --set-mark 0x1
- e iptables -t mangle $iptables_op \
- OUTPUT -m tcp -p tcp -m multiport --ports $port -j MARK --set-mark 0x0 \
- -d 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
- # note, we could have used a custom chain and returned instead of setting the mark again.
- # in case anyone was ever curious, the inverse of private ips is: #0.0.0.0/5,8.0.0.0/7,11.0.0.0/8,12.0.0.0/6,16.0.0.0/4,32.0.0.0/3,64.0.0.0/2,128.0.0.0/3,160.0.0.0/5,168.0.0.0/6,172.0.0.0/12,172.32.0.0/11,172.64.0.0/10,172.128.0.0/9,173.0.0.0/8,174.0.0.0/7,176.0.0.0/4,192.0.0.0/9,192.128.0.0/11,192.160.0.0/13,192.169.0.0/16,192.170.0.0/15,192.172.0.0/14,192.176.0.0/12,192.192.0.0/10,193.0.0.0/8,194.0.0.0/7,196.0.0.0/6,200.0.0.0/5,208.0.0.0/4,224.0.0.0/3
-
-done
-e iptables -t nat $iptables_op POSTROUTING -o $tun_dev -m mark --mark 0x1 -j SNAT --to-source 10.8.0.4
-e ip rule $ip_op fwmark 1 table 1
-# note, this rule does not persist when the tun interface is deleted
-e ip route $ip_op default via 10.8.0.1 table 1
-
-exit 0
# apg -m 50 -x 70 -n 1 -a 1 -M CLN >$f
# s sed -i "/^$user:/d" /p/c/filesystem/etc/exim4/passwd
# echo "$user:$(mkpasswd -m sha-512 -s <$f)" >>/p/c/filesystem/etc/exim4/passwd
-# echo "mail.iankelling.org:$user:$(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
+# echo "mail.iankelling.org $user $(<$f)" >> /p/c/machine_specific/$user/filesystem/etc/mailpass
# # then run this script, or part of it which uses /etc/mailpass
# # dovecot password, i just need 1 as I\'m the only user
if [[ -e /p/c/filesystem ]]; then
# to put the hostname in the known hosts
- ssh -o StrictHostKeyChecking=no li.iankelling.org :
+ ssh -o StrictHostKeyChecking=no root@li.iankelling.org :
/a/exe/vpn-mk-client-cert -b mail -n mail li.iankelling.org
fi
# would be unused in that config type.
cat >$exim_main_dir/000_localmacros <<EOF
# i don't have ipv6 setup for my tunnel yet.
-diable_ipv6 = true
+disable_ipv6 = true
MAIN_TLS_ENABLE = true
/a/exe/lnf $dest /root
else
dest=/root/.ssh
- mkdir -p /root/.ssh
- chmod 700 /root/.ssh
+ mkdir -p $dest
+ chmod 700 $dest
fi
+
+user_ssh_dir=$(eval echo ~${SUDO_USER:-$USER})/.ssh
+
+# remove broken links, or else rsync has error about them.
+find $user_ssh_dir -xtype l -exec rm '{}' \;
# -t times, so it won't rewrite the file every time,
# -L resolve links
-rsync -rtL --delete $(eval echo ~${SUDO_USER:-$USER})/.ssh/ $dest
+rsync -rtL --delete $user_ssh_dir/ $dest
chown -R root:root /root/.ssh
iankelling.org / git / distro-setup / commitdiff