From: Ian Kelling
Date: Fri, 5 May 2017 15:50:26 +0000 (-0700)
Subject: various fixes and additions on desktop
X-Git-Url: https://iankelling.org/git/?p=distro-setup;a=commitdiff_plain;h=d5b079d53808b65478f6f8825a8c93e7da921840
various fixes and additions on desktop
---
diff --git a/certbot-renew-hook b/certbot-renew-hook
new file mode 100755
index 0000000..fb7a895
--- /dev/null
+++ b/certbot-renew-hook
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright (C) 2017 Ian Kelling
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+d=/etc/letsencrypt/live/pump.iankelling.org
+if [[ $RENEWED_LINEAGE == $d ]]; then
+ install -m 640 -g pumpio $d/{privkey.pem,fullchain.pem} /home/pumpio
+fi
+exit 0
diff --git a/conflink b/conflink
index 7954a22..1fb519d 100755
--- a/conflink
+++ b/conflink
@@ -80,6 +80,9 @@ case $USER in
 # named[20823]: /etc/bind/db.iank.pw.jnl: create: permission denied
 s chgrp bind /etc/bind/bind-writable
 fi
+ if [[ -e /etc/davpass ]] && getent group www-data &>/dev/null; then
+ s chgrp www-data /etc/davpass
+ fi
 sudo -u traci "$BASH_SOURCE"
 ;;
 traci)
diff --git a/distro-begin b/distro-begin
index 9e35654..9f232c5 100755
--- a/distro-begin
+++ b/distro-begin
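Review bot: In certbot-renew-hook the `install` line copies `privkey.pem` into `/home/pumpio` with the owner left to whichever account runs the hook, and nothing in the script says which account that is. `install -o root -g pumpio -m 640 "$d"/{privkey.pem,fullchain.pem} /home/pumpio` would pin the intended ownership, so the service group can read the key while the file stays root-owned. The test `[[ $RENEWED_LINEAGE == $d ]]` treats its unquoted right side as a glob pattern; that is harmless with the current path, but `== "$d"` keeps it a literal match if the path ever changes. A short header comment such as `# certbot renew hook: copy the renewed pump.iankelling.org cert and key to where the pumpio service reads them` would say why the script exists.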
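Review bot: In conflink the added `s chgrp www-data /etc/davpass` changes only the group, so whether the Basic-auth password file is actually limited to root and Apache depends on a mode set somewhere this hunk does not show. If that is the intent, follow the chgrp with `s chmod 640 /etc/davpass` so the restriction does not rest on how the file happened to be created. The enclosing `case` branch starts and ends outside the hunk.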
@@ -20,7 +20,7 @@ # in case we need it, # to make ssh interactive shell run better, we run this first. -sudo bash -c 'source /a/c/repos/bash/.bashrc && source /a/exe/ssh-emacs-setup' +sudo bash -c 'source /a/c/.bashrc && source /a/exe/ssh-emacs-setup' # usage: $0 [-r] HOSTNAME @@ -186,11 +186,20 @@ if [[ $EUID == 0 ]]; then fi +#### begin link bashrc for root ###### +for x in /a/c/{.bashrc,brc,.bash_profile,.profile,.inputrc,path_add_function}; do + sudo -i < EOF + sudo -i <<'EOF' +export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org +/a/bin/distro-setup/certbot-renew-hook +EOF + s dd of=/etc/systemd/system/pump.service <<'EOF' [Unit] Description=pump.io @@ -436,7 +452,7 @@ EOF ############# begin setup mastodon ############## # https://store.docker.com/editions/community/docker-ce-server-debian?tab=description - pi software-properties-common + pi software-properties-common apt-transport-https curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - sudo add-apt-repository \ "deb [arch=amd64] https://download.docker.com/linux/debian \ @@ -445,8 +461,6 @@ EOF p update pi docker-ce sgo docker - # this may not be needed - ser start docker curl -L https://github.com/docker/compose/releases/download/1.12.0/docker-compose-`uname -s`-`uname -m` | s dd of=/usr/local/bin/docker-compose s chmod +x /usr/local/bin/docker-compose 
@@ -733,43 +747,42 @@ esac ####### misc packages ########### -if [[ $HOSTNAME == treetowl ]]; then - case $distro in - debian|ubuntu) - # note i had to do this, which is persistent: - # cd /i/k - # s chgrp debian-transmission torrents partial-torrents - - # syslog says things like - # 'Failed to set receive buffer: requested 4194304, got 425984' - # google suggets giving it even more than that - tu /etc/sysctl.conf<<'EOF' +case $distro in + debian|ubuntu) + # note i had to do this, which is persistent: + # cd /i/k + # s chgrp debian-transmission torrents partial-torrents + + # syslog says things like + # 'Failed to set receive buffer: requested 4194304, got 425984' + # google suggets giving it even more than that + tu /etc/sysctl.conf<<'EOF' net.core.rmem_max = 67108864 net.core.wmem_max = 16777216 EOF - s sysctl -p - - # some reason it doesn\'t seem to start automatically anyways - pi-nostart transmission-daemon - - # the folder was moved here after an install around 02/2017. - # it contains runtime data, - # plus a simple symlink to the config file which it\'s - # not worth separating out. - s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon - # - # config file documented here, and it\'s the same config - # for daemon vs client, so it\'s documented in the gui. - # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options - # - # I originaly setup rpc-whitelist, but after using - # routing to a network namespace, it doesn\'t see the - # real source address, so it\'s disabled. - # - # Changed the cache-size to 256 mb, reduces disk use. - # It is a read & write cache. - # - s ruby <<'EOF' + s sysctl -p + + # some reason it doesn\'t seem to start automatically anyways + pi-nostart transmission-daemon + + # the folder was moved here after an install around 02/2017. + # it contains runtime data, + # plus a simple symlink to the config file which it\'s + # not worth separating out. 
+ s lnf -T /i/transmission-daemon /var/lib/transmission-daemon/.config/transmission-daemon + # + # config file documented here, and it\'s the same config + # for daemon vs client, so it\'s documented in the gui. + # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options + # + # I originaly setup rpc-whitelist, but after using + # routing to a network namespace, it doesn\'t see the + # real source address, so it\'s disabled. + # + # Changed the cache-size to 256 mb, reduces disk use. + # It is a read & write cache. + # + s ruby <<'EOF' require 'json' p = '/etc/transmission-daemon/settings.json' File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({ @@ -787,14 +800,11 @@ File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({ })) + "\n") EOF - # make sure its not enabled, not sure if this is needed - ser disable transmission-daemon - sgo transmission-daemon-nn - ;; - # todo: others unknown - esac -fi - + # make sure its not enabled, not sure if this is needed + ser disable transmission-daemon + ;; + # todo: others unknown +esac # adapted from /var/lib/dpkg/info/transmission-daemon.postinst if ! getent passwd debian-transmission > /dev/null; then case $distro in 
@@ -817,37 +827,41 @@ if ! getent passwd debian-transmission > /dev/null; then ;; esac fi +if [[ $HOSTNAME == treetowl ]]; then + sgo transmission-daemon-nn +fi -# dunno why it\'s there, but get rid of it -case $HOSTNAME in - li|lj) s rm -rf /home/linode ;; -esac - -# arch had a default config, -# debian had nothing until you start it. -# With a little trial an error, here is a minimal config -# taken from the generated one, plus changes that the -# settings ui does, without a bunch of ui crap settings. -# -# only settings I set were -# hostname -# auto-connect -# password +######### begin transmission client setup ###### -# the password is randomly generated on first run -rpc_pass=$(s ruby <<'EOF' +if [[ -e /p/transmission-rpc-pass ]]; then + # arch had a default config, + # debian had nothing until you start it. + # With a little trial an error, here is a minimal config + # taken from the generated one, plus changes that the + # settings ui does, without a bunch of ui crap settings. + # + # only settings I set were + # hostname + # auto-connect + # password + + # the password is randomly generated on first run, i copied it out + # so it could be used by other hosts. 
+ s ruby <<'EOF' require 'json' p = '/etc/transmission-daemon/settings.json' -puts JSON.parse(File.read(p))["rpc-password"] +s = JSON.parse(File.read(p)) +s["rpc-password"] = File.read("/p/transmission-rpc-pass").chomp +File.write p, JSON.pretty_generate(s) EOF - ) -for f in /home/*; do - d=$f/.config/transmission-remote-gtk - u=${f##*/} - s -u $u mkdir -p $d - s -u $u dd of=$d/config.json < + DAV On + AuthType Basic + AuthName "Authentication Required" + AuthUserFile "/etc/davpass" + Require valid-user + +# outside the standard /var/www, so use this: + Order allow,deny + Allow from all + +EOF + s mkdir -p /var/www/davlock + s chown www-data:www-data /var/www/davlock + s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.iank.pw.conf + ser reload apache2 + + teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)" + exportfs -ra + + # kodi uses sqlite by default, but supports mysql. + pi mariadb-server + + # see ofswiki.org for explanation. + dbpass="$(cat /p/mysql-root-pass)" + if ! echo exit|mysql -uroot "-p$dbpass"; then + echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation + fi + mysql -uroot "-p$dbpass" </etc/systemd/system/mailcert.timer <<'EOF' @@ -771,7 +771,7 @@ dir=/nocow/$type sdir=/var/spool/$type # we only do this if our system has $dir if [[ -e $dir && $(readlink -f $sdir) != $dir ]]; then - systectl stop $type + systemctl stop $type if [[ ! -e $dir && -d $sdir ]]; then mv $sdir $dir fi
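Review bot: The new Ruby snippet writes whatever `/p/transmission-rpc-pass` contains into `rpc-password` without checking it, so an empty file would configure an empty RPC password; a comment earlier in this diff says rpc-whitelist is disabled, which would leave the password as the main control on the RPC interface. A guard before the assignment, for example `pass = File.read("/p/transmission-rpc-pass").chomp` followed by `abort "empty transmission rpc pass" if pass.empty?`, makes the setup fail instead. The write also omits the trailing `+ "\n"` that the other settings.json writer earlier in this diff appends. Transmission rewrites settings.json when the daemon exits, so this edit presumably needs the daemon stopped first; the hunk does not show that, and its tail is truncated on this page.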
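Review bot: In the last hunk the inner test `[[ ! -e $dir && -d $sdir ]]` sits inside an outer `[[ -e $dir && ... ]]`, so `! -e $dir` can never hold there and the `mv $sdir $dir` is unreachable as shown. With the `systectl` typo fixed, the service is now really stopped, but the spool directory is still not moved by this branch. The intended condition is not clear from the visible lines, and the block continues past the hunk, so this is flagged rather than rewritten. The path expansions `$dir` and `$sdir` are also unquoted in the `readlink` and `mv` calls.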