From ef3bbffe6d2a08ebd735ba4f09c7bd0fbea585a0 Mon Sep 17 00:00:00 2001
From: Ian Kelling
Date: Sat, 27 Apr 2024 23:04:36 -0400
Subject: [PATCH] shellcheck, remove old files

---
.git_template/hooks/pre-commit | 4 +-
brc | 31 +--
brc2 | 73 +++--
disabled/README | 18 +-
disabled/bitcoin | 128 --------
disabled/home-vpn/README.sh | 43 ---
disabled/home-vpn/lan-dyn-dns-update | 48 ----
disabled/home-vpn/vpn-client-connect | 39 ---
disabled/kodi-setup | 95 -------
disabled/maru-init | 78 ------
disabled/mastodon | 128 --------
disabled/mastodon-upgrade | 43 ---
disabled/nagios | 124 --------
disabled/new-firefox | 62 -----
disabled/offlineimap-sync | 82 ------
disabled/phabricator-setup | 378 --------------------------
disabled/pump.io | 107 --------
disabled/samba-setup | 68 -----
disabled/small-backup | 149 ----------
distro-begin | 4 +-
distro-end | 23 +-
21 files changed, 79 insertions(+), 1646 deletions(-)
delete mode 100644 disabled/bitcoin
delete mode 100644 disabled/home-vpn/README.sh
delete mode 100644 disabled/home-vpn/lan-dyn-dns-update
delete mode 100755 disabled/home-vpn/vpn-client-connect
delete mode 100644 disabled/kodi-setup
delete mode 100755 disabled/maru-init
delete mode 100644 disabled/mastodon
delete mode 100755 disabled/mastodon-upgrade
delete mode 100644 disabled/nagios
delete mode 100644 disabled/new-firefox
delete mode 100755 disabled/offlineimap-sync
delete mode 100755 disabled/phabricator-setup
delete mode 100644 disabled/pump.io
delete mode 100644 disabled/samba-setup
delete mode 100755 disabled/small-backup
diff --git a/.git_template/hooks/pre-commit b/.git_template/hooks/pre-commit
index f1cb270..7178d49 100755
--- a/.git_template/hooks/pre-commit
+++ b/.git_template/hooks/pre-commit
@@ -65,8 +65,8 @@ if [[ $allownonascii != true ]] && # Note that the use of brackets around a tr range is ok here, (it's # even required, for portability to Solaris 10's /usr/bin/tr), since # the square bracket bytes happen to fall in the designated range. - test $(git diff --cached --name-only --diff-filter=A -z $against | - LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0 + test "$(git diff --cached --name-only --diff-filter=A -z $against | + LC_ALL=C tr -d '[ -~]\0' | wc -c)" != 0 then cat <= 1 )); then echo "A template comment to disable is now in clipboard. eg: # shellcheck disable=SC2206 # reason" cbs "# shellcheck disable=SC" return $ret fi } -skx() { - sk -x "$@" -} + # sk with quotes. For checking scripts that we expect to take untrusted # input in order to verify we quoted vars. skq() { @@ -2483,7 +2477,7 @@ skmodified() { # sk on all the files in current git repo (except those excluded) skgit() { local f toplevel orig_dir tmp skip pattern - local -a ls_files excludes + local -a ls_files excludes sk_files toplevel=$(git rev-parse --show-toplevel) if [[ $PWD != "$toplevel" ]]; then orig_dir=$PWD @@ -2491,13 +2485,6 @@ skgit() { fi excludes=( 'disabled/*' - # sourced from brc2 - beet-data - # sourced from .bash_profile - .bashrc - ) - no_check_sourced=( - .bash_profile ) tmp=$(git ls-files | shuf) mapfile -t ls_files <<<"$tmp" @@ -2510,19 +2497,11 @@ skgit() { fi done if $skip; then continue; fi - - check_source=-a - for pattern in "${no_check_sourced[@]}"; do - if [[ $f == "$pattern" ]]; then - check_source= - break - fi - done if sk-p "$f"; then - printf "================= %s\n" "$f" - sk $check_source --color=always $f || [[ $? == 1 ]] + sk_files+=("$f") fi done + sk "${sk_files[@]}" if [[ $orig_dir ]]; then cd $orig_dir fi diff --git a/brc2 b/brc2 index eae5aa9..de12005 100644 --- a/brc2 +++ b/brc2 @@ -2639,6 +2639,7 @@ wgkey() { host-info-all() { host-info-update bindpushb8 + ssh li.b8.nz conflink wrt-setup } 
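Review bot: `$against` is still unquoted inside the rewritten `git diff --cached --name-only --diff-filter=A -z $against` pipeline, so the hunk quotes the outer command substitution but leaves the inner expansion where shellcheck will keep reporting SC2086. In the stock sample hook `against` presumably holds a single commit or empty-tree hash, so word-splitting is unlikely to bite in practice, but for a commit titled "shellcheck" the consistent line is `test "$(git diff --cached --name-only --diff-filter=A -z "$against" |`. The heredoc that follows `cat <` is truncated in this view, so the tail of the hunk could not be checked.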
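Review bot: In the `@@ -2510,19 +2497,11 @@ skgit()` hunk, `sk "${sk_files[@]}"` after the loop runs unconditionally, so when every file is excluded or rejected by sk-p, sk is invoked with an empty argument list — something the old per-file call could never do, and what sk does with no arguments is not visible here (if it wraps shellcheck, as the name suggests, it will likely block on stdin or error). The replaced line also carried `|| [[ $? == 1 ]]` to tolerate shellcheck's "issues found" exit status; the batched call drops that guard, which matters if a caller checks skgit's return value or runs under errexit. Suggest `if (( ${#sk_files[@]} )); then sk "${sk_files[@]}" || [[ $? == 1 ]]; fi`. The `--color=always` flag and the per-file banner are gone with the batched call too; losing the banner is fine since shellcheck prints file names, but colored output may have been relied on. The `@@ -2483` hunk already declares `sk_files` with `local -a`, so no further change is needed there.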
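Review bot: The new `ssh li.b8.nz conflink` line in host-info-all (brc2, `@@ -2639,6 +2639,7 @@`) has no failure handling, so if the host is unreachable the function silently carries on to wrt-setup with the non-zero status discarded, unless the caller runs with errexit, which is not visible here. The neighbouring commands are also bare calls, so this may be the intended best-effort style; if a failed remote step should stop the function, `ssh li.b8.nz conflink || return` does that without changing the rest of the body.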
@@ -2724,22 +2725,24 @@ EOF } | cedit /p/c/subdir_files/.ssh/config || [[ $? == 1 ]] { - echo "cat </etc/systemd/system/bitcoinjm.service - - d=jm; jm=d # being clever for succinctness - for s in d jm; do - s $sed -ri "/^\s*\[Unit\]/a Conflicts=bitcoin${!s}.service" \ - /etc/systemd/system/bitcoin${s}.service - done - - ser daemon-reload - - dir=/nocow/.bitcoin - s mkdir -p $dir - s chown -R bitcoin:bitcoin $dir - dir=/etc/bitcoin - s mkdir -p $dir - s chown -R root:bitcoin $dir - s chmod 750 $dir - - # pruning decreases the bitcoin dir to 2 gb, keeps - # just the recent blocks. can\'t do a few things like - # import a wallet dump. - # pruning works, but people had to do - # some manual stuff in joinmarket. I dun need the - # disk space, so not bothering yet, maybe in a year or so. - # https://github.com/JoinMarket-Org/joinmarket/issues/431 - #https://bitcoin.org/en/release/v0.12.0#wallet-pruning - #prune=550 - - f=$dir/bitcoin.conf - s dd of=$f </dev/null <&2' ERR - -x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file - -while read -r ip host; do - found=false - is_connected="grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log" - if $is_connected; then continue; fi - if ! grep -q "^CLIENT_LIST,$host," /run/openvpn-server/status-server.log; then - cd $(mktemp -d); dir=$PWD - ssh wrt tar -C /etc -c hosts | tar -x - if grep -qFx "$ip $host" hosts; then continue; fi - # openvpn udpates its status file every 60 seconds by default - if (( $(stat -c%Y hosts) > EPOCHSECONDS + 60 )); then - sleep 60 - if $is_connected; then continue; fi - fi - ssh root@wrt.b8.nz cedit ovpn-$host <<<"$ip $host" || [[ $? == 1 ]] - fi -done &2' ERR - -x="$(readlink -f "$BASH_SOURCE")"; cd ${x%/*} # directory of this file - -# see lan-dyn-dns-update. 
this is the corresponding script for on connect/disconnect from vpn - -d=/p/ovpn-ssh -ssh_cmd="ssh -F$d/.config -i$d/home root@wrt.b8.nz cedit ovpn-$X509_0_CN /etc/hosts" -case $script_type in - client-connect) $ssh_cmd <<<"$ifconfig_pool_remote_ip $X509_0_CN"|| [[ $? == 1 ]] - ;; - client-disconnect) - $ssh_cmd <<<$(grep -F $X509_0_CN lan-dns) || [[ $? == 1 ]] - ;; -esac diff --git a/disabled/kodi-setup b/disabled/kodi-setup deleted file mode 100644 index 7c61e88..0000000 --- a/disabled/kodi-setup +++ /dev/null 
@@ -1,95 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# this is from distro-end -if [[ -s ~/.bashrc ]];then . ~/.bashrc;fi - -pi kodi - -# based on https://wiki.debian.org/SecuringNFS -# but the quota stuff is either outdated or optional, -# i guessed that it was not needed and it worked fine. 
-s dd of=/etc/sysctl.d/nfs-static-ports.conf <<'EOF' -fs.nfs.nfs_callback_tcpport = 32764 -fs.nfs.nlm_tcpport = 32768 -fs.nfs.nlm_udpport = 32768 -EOF -s sysctl --system -s $sed -ri -f - /etc/default/nfs-common <<'EOF' -/^\s*STATDOPTS=/d -$a STATDOPTS="--port 32765 --outgoing-port 32766" -EOF - -s $sed -ri -f - /etc/default/nfs-kernel-server <<'EOF' -/^\s*RPCMOUNTDOPTS=/d -$a RPCMOUNTDOPTS="--manage-gids --port 32767" -EOF -ser restart nfs-kernel-server - -if [[ $HOSTNAME == kd ]]; then - # persistent one time steps for webdav: - # create persistent password, put it in ~/.kodi/userdata/advancedsettings.xml, - # per http://kodi.wiki/view/MySQL/Sync_other_parts_of_Kodi - # htpasswd -c /p/c/filesystem/etc/davpass dav - # chmod 640 /p/c/filesystem/etc/davpass - # in conflink, set group to www-data. - # In kodi, i set the music source, server address: my domain, - # path: k/music. Then copied the file - # /p/c/subdir_files/.kodi/userdata/sources.xml to save that setting. - s a2enmod dav dav_fs - web-conf -r /a/c/playlists - apache2 dav.$HOME_DOMAIN <<'EOF' - - DAV On - AuthType Basic - AuthName "Authentication Required" - AuthUserFile "/etc/davpass" - Require valid-user - -# outside the standard /var/www, so use this: - Order allow,deny - Allow from all - -EOF - s mkdir -p /var/www/davlock - s chown www-data:www-data /var/www/davlock - s sed -i "1i DavLockDB /var/www/davlock/davlock" /etc/apache2/sites-enabled/dav.$HOME_DOMAIN.conf - ser reload apache2 - - teeu /etc/exports "/k/music *(ro,nohide,async,no_subtree_check,insecure)" - exportfs -ra - - # kodi uses sqlite by default, but supports mysql. - pi mariadb-server - - # see ofswiki.org for explanation. - dbpass="$(cat /p/mysql-root-pass)" - if ! 
echo exit|mysql -uroot "-p$dbpass"; then - echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation - fi - mysql -uroot "-p$dbpass" <&2' ERR - - -usage() { - cat <>/etc/sudoers -echo n5 >/etc/hostname -sed -i '/^127\.0\.1\.1/d' /etc/hosts -echo "127.0.1.1 n5.lan n5" >>/etc/hosts -hostname -F /etc/hostname - -kill $(pgrep -U maru) -usermod -l ian -m -d /home/ian maru -groupmod -n ian maru -useradd -m -s /bin/bash user2 -EOF - -# then do myunison n5, -# then do conflink. diff --git a/disabled/mastodon b/disabled/mastodon deleted file mode 100644 index 78b08f8..0000000 --- a/disabled/mastodon +++ /dev/null 
@@ -1,128 +0,0 @@ - ############# begin setup mastodon ############## - - # main doc is Docker-Guide.md in docs repo - - # I'd like to try gnu social just cuz of gnu, but it's not being - # well maintained, for example, simple pull requests - # languishing: - # https://git.gnu.io/gnu/gnu-social/merge_requests/143 - # and I submitted my own bugs, basic docs are broken - # https://git.gnu.io/gnu/gnu-social/issues/269 - - # note, docker required, but we installed it earlier - - # i subscrubed to https://github.com/docker/compose/releases.atom - # to see release notes. - # i had some problems upgrading. blew things away with - # docker-compose down - # docker rmi $(docker images -q) - # s reboot now - # when running docker-compose run, kernel stack traces are printed to the journal. - # things seem to succeed, google says nothing, so ignoring them. - curl -L https://github.com/docker/compose/releases/download/1.18.0/docker-compose-$(uname -s)-$(uname -m) | s dd of=/usr/local/bin/docker-compose - s chmod +x /usr/local/bin/docker-compose - - - cd ~ - s rm -rf mastodon - i clone https://github.com/tootsuite/mastodon - cd mastodon - # subbed to atom feed to deal with updates - git checkout $(git tag | grep -v rc | tail -n1) - - # per instructions, uncomment redis/postgres persistence in docker-compose.yml - sed -i 's/^#//' docker-compose.yml - - cat >.env.production <<'EOF' -REDIS_HOST=redis -REDIS_PORT=6379 -DB_HOST=db -DB_USER=postgres -DB_NAME=postgres -DB_PASS= -DB_PORT=5432 - -LOCAL_DOMAIN=mast.iankelling.org -LOCAL_HTTPS=true - -SINGLE_USER_MODE=true - -SMTP_SERVER=mail.iankelling.org -SMTP_PORT=25 -SMTP_LOGIN=li -SMTP_FROM_ADDRESS=notifications@mast.iankelling.org -SMTP_DOMAIN=mast.iankelling.org -SMTP_DELIVERY_METHOD=smtp -EOF - - for key in PAPERCLIP_SECRET SECRET_KEY_BASE OTP_SECRET; do - # 1 minute 7 seconds to run this docker command - # to generate a secret, and it has ^M chars at the end. wtf. 
really dumb - printf "%s=%s\n" $key "$(docker-compose run --rm web rake secret|dos2unix|tail -n1)" >>.env.production - done - found=false - while read -r domain _ pass; do - if [[ $domain == mail.iankelling.org ]]; then - found=true - # remove the username part - pass="${pass#*:}" - printf "SMTP_PASSWORD=%s\n" "$pass" >>.env.production - break - fi - done < <(s cat /etc/mailpass) - if ! $found; then - echo "$0: error, failed to find mailpass domain for mastadon" - exit 1 - fi - - # docker compose makes an interface named like br-8f3e208558f2. we need mail to - # get routed to us. - if ! s /sbin/iptables -t nat -C PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25; then - s /sbin/iptables -t nat -A PREROUTING -i br-+ -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.8.0.4:25 - fi - - docker-compose run --rm web rake mastodon:webpush:generate_vapid_key | grep -E '^VAPID_PUBLIC_KEY=|^VAPID_PRIVATE_KEY=' >> .env.production - logq docker-compose run --rm web rake db:migrate - docker-compose run --rm web rails assets:precompile - - # avatar failed to upload, did - # docker logs mastodon_web_1 - # google lead me to this - s chown -R 991:991 public/system - - # docker daemon takes care of starting on boot. - docker-compose up -d - - s a2enmod proxy_wstunnel headers - web-conf -f 3000 - apache2 mast.iankelling.org <<'EOF' - ProxyPreserveHost On - RequestHeader set X-Forwarded-Proto "https" - ProxyPass /500.html ! - ProxyPass /oops.png ! - ProxyPass /api/v1/streaming/ ws://localhost:4000/ - ProxyPassReverse /api/v1/streaming/ ws://localhost:4000/ - ErrorDocument 500 /500.html - ErrorDocument 501 /500.html - ErrorDocument 502 /500.html - ErrorDocument 503 /500.html - ErrorDocument 504 /500.html -EOF - - - ############### !!!!!!!!!!!!!!!!! - ############### manual steps: - - # only following a few people atm, so not bothering to figure out backups - # when mastodon has not documented it at all. 
- # - # fsf@status.fsf.org - # cwebber@toot.cat - # dbd@status.fsf.org - # johns@status.fsf.org - - # sign in page is at https://mast.iankelling.org/auth/sign_in - # register as iank, then - # https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Administration-guide.md - # docker-compose run --rm web bundle exec rails mastodon:make_admin USERNAME=iank - - ############# end setup mastodon ############## diff --git a/disabled/mastodon-upgrade b/disabled/mastodon-upgrade deleted file mode 100755 index c4a2950..0000000 --- a/disabled/mastodon-upgrade +++ /dev/null 
@@ -1,43 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR - -# based on -# https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Docker-Guide.md - -if [[ $EUID == 0 ]]; then echo "$0: error, do not run as root"; exit 1; fi - -cd /home/iank/mastodon -git fetch -git stash -git checkout $(git tag | grep -v rc | tail -n1) -git stash pop -docker-compose build -# these 2 may not be needed in all upgrades, but -# simpler to just do them always. -docker-compose run --rm web rake db:migrate -docker-compose run --rm web rake assets:precompile -# restart the app -docker-compose up -d diff --git a/disabled/nagios b/disabled/nagios deleted file mode 100644 index f9f38eb..0000000 --- a/disabled/nagios +++ /dev/null 
@@ -1,124 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# this was part of distro-end - -### begin nagios ### - -pi nagios-nrpe-server - -case $HOSTNAME in - kd) - # the backport is for this bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=800345 - pi nagios4 nagios-nrpe-plugin monitoring-plugins-basic/bullseye-backports - s rm -fv /etc/apache2/conf-enabled/nagios4-cgi.conf - - # to add a password for admin: - # htdigest /etc/nagios4/htdigest.users Nagios4 iank - # now using the same pass as prometheus - - # nagstamon auth settings, set to digest instead of basic. 
- - web-conf -p 3005 - apache2 i.b8.nz <<'EOF' -# adapted from /etc/apache2/conf-enabled/nagios4-cgi.conf - -ScriptAlias /cgi-bin/nagios4 /usr/lib/cgi-bin/nagios4 -ScriptAlias /nagios4/cgi-bin /usr/lib/cgi-bin/nagios4 - -# Where the stylesheets (config files) reside -Alias /nagios4/stylesheets /etc/nagios4/stylesheets - -# Where the HTML pages live -Alias /nagios4 /usr/share/nagios4/htdocs - - - Options FollowSymLinks - DirectoryIndex index.php index.html - AllowOverride AuthConfig - # - # The default Debian nagios4 install sets use_authentication=0 in - # /etc/nagios4/cgi.cfg, which turns off nagos's internal authentication. - # This is insecure. As a compromise this default apache2 configuration - # only allows private IP addresses access. - # - # The ... below shows how you can secure the nagios4 - # web site so anybody can view it, but only authenticated users can issue - # commands (such as silence notifications). To do that replace the - # "Require all granted" with "Require valid-user", and use htdigest - # program from the apache2-utils package to add users to - # /etc/nagios4/htdigest.users. - # - # A step up is to insist all users validate themselves by moving - # the stanza's in the .. into the . - # Then by setting use_authentication=1 in /etc/nagios4/cgi.cfg you - # can configure which people get to see a particular service from - # within the nagios configuration. - # - AuthDigestDomain "Nagios4" - AuthDigestProvider file - AuthUserFile "/etc/nagios4-htdigest.users" - AuthGroupFile "/etc/group" - AuthName "Nagios4" - AuthType Digest - Require valid-user - - - - Options +ExecCGI - -EOF - ;; -esac - -# when you alter a service through the web, it changes vars in /var/lib/nagios4/status.dat. 
for example: -# notifications_enabled=1 -# note, the same variable exists in the correspdonding "define service {" - -# in the default config, we have these definitions - -# 11 define command { -# 2 define contact { -# 1 define contactgroup { -# 9 define host { -# 4 define hostgroup { -# 23 define service { -# 5 define timeperiod { - - -# on klaxon - -# klaxon:/etc/nagios3 # grep -rho '^ *define [^{ ]*' | sort | uniq -c -# 76 define command -# 11 define contact -# 6 define contactgroup -# 162 define host -# 1 define hostextinfo -# 16 define hostgroup -# 3040 define service -# 2 define servicedependency -# 6 define timeperiod - - - - -### end nagios ### diff --git a/disabled/new-firefox b/disabled/new-firefox deleted file mode 100644 index 7aa6144..0000000 --- a/disabled/new-firefox +++ /dev/null 
@@ -1,62 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# not caring enough about having a new firefox at the moment, so -# disabled. - -# this was just under the comment "basic needed packages" in -# distro-begin. - -case $(distro-name) in - debian) - if has_x; then - if isdebian-stable; then - pi firefox/$codename-backports - else - # for a while, firefox/unstable did not have - # dependencies satisfied by testing packages, and i hit - # a conflict, it wanted a newer libfontconfig1, but - # emacs build-deps wanted an older one. In this case, - # I switch to using firefox-esr. note: They seem - # to release a new esr version every 9 months or so. - pi firefox/unstable - s dd of=/etc/apt/preferences.d/firefox <<'EOF' -Package: firefox -Pin: release a=unstable -Pin-Priority: 500 -EOF - fi - fi - # # no hosts have nonfree firmware anymore, yay. but leaving commented, - # # as i might run into one for a little while still. 
- # p=firmware-linux-nonfree - # if apt-cache show $p &>/dev/null; then - # pi $p - # fi - ;;& - trisquel|ubuntu) - if has_x; then - pi abrowser - fi - ;; -esac diff --git a/disabled/offlineimap-sync b/disabled/offlineimap-sync deleted file mode 100755 index 059f546..0000000 --- a/disabled/offlineimap-sync +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR -# mail-route can get messed up a bit randomly, I don't know why. -#/b/ds/mail-route up |& /b/log-quiet/log-once -1 mail-route - -for f in $(awk '$1 == "localfolders" {print $NF}' ~/.offlineimaprc); do - mkdir -p $f - chmod 700 $f -done - -offlineimap -u quiet -shopt -s nullglob - -if grep -qP '^ *accounts.*fsf' ~/.offlineimaprc; then - if [[ ! -e /nocow/user/.mufsf ]]; then - mkdir -p /nocow/user/.mufsf - chmod 700 /nocow/user/.mufsf - mu index --maildir=/nocow/user/fsfmd - fi -fi - -omv() { # offlineimap mv. 
move mail files within $src_base/$1 to /m/md/$2 - src="$1" - dst="$2" - found_files=false - for x in new cur; do - files=($src_base/"$src"/$x/*) - if [[ $files ]]; then - found_files=true - mv "${files[@]}" /m/md/"$dst"/$x - fi - done -} - -src_base=/m/offlineimap -omv "Sent Items" "Sent" -omv INBOX offlineimaptmp -src_base=/m/md -if $found_files; then - sieve-filter -eW ~/sieve/main.sieve offlineimaptmp &>/dev/null - # the default folder is INBOX for anything leftover - omv offlineimaptmp INBOX - # remove messages from remote host - offlineimap -u quiet - # this makes us sit and wait when we want to use mu and this is running in a cronjob. - # todo: emacs updates the index much faster. what command is it running? I'd like - # to just run that - # looks like it might be mu index --lazy-check, but that still takes like 10 seconds, - # figure out if that is the same speed, or if we can make it faster. - #mu index &>/dev/null ||: -fi - - -# delete based on http://deflexion.com/2006/05/imap-way-of-deleting-message -sieve-filter -eW -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf.sieve INBOX delete &>>/tmp/fsfsieve.log - -# to test new rules, update fsf-test.sieve, run these commands, then copy new fsf-test.sieve to fsf.sieve -# sieve-filter -o mail_location=maildir:/nocow/user/fsfmd:LAYOUT=fs:INBOX=/nocow/user/fsfmd/INBOX ~/sieve/fsf-test.sieve INBOX &>/tmp/testfsfsieve.log -# sed -rn '/^Performed actions:/{n;n;p}' /tmp/testfsfsieve.log | sort -u diff --git a/disabled/phabricator-setup b/disabled/phabricator-setup deleted file mode 100755 index a2c25a3..0000000 --- a/disabled/phabricator-setup +++ /dev/null 
@@ -1,378 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -# Copyright (C) 2016 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - - -# Automated phabricator setup. Not currently using it, -# but it worked last time I tried it. - -if [[ -s ~/.bashrc ]];then . 
~/.bashrc;fi - -set -x - - -# lj is test server -case $HOSTNAME in - lj) - domain=phab.iank.bid - alt_domain=fastmail.wiki - ;; - lk) - domain=phab.iankelling.org - alt_domain=iankellingusercontent.org - ;; -esac - - -pass=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin` -webroot=/usr/share/phabricator/webroot -user=iank -name="Ian Kelling" -email=ian@iankelling.org -ssh_port=222 - -fbin() { bin=$1; shift; sudo /usr/share/phabricator/bin/$bin "$@"; } -fsetd() { fbin config set --database "$@"; } - -# phabricator complained about wanting arcanist first -pi arcanist/unstable mercurial - -# duplicated in mediawiki setup. todo fix that. -s DEBIAN_FRONTEND=noninteractive pi mysql-server -cd # mysql_secure_installation writes some temp files to the current dir, -# so we need to make sure it's writable. -if echo exit|mysql -u root -p"$dbpass"; then - echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation -else - echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation -fi - -mysql -u root -p$dbpass < - Require all granted - -EOF -done - - -# Before I figured out how to setup the admin in the script, -# this would limit the site to localhost, -# and access it through an ssh tunnel until its secure. -#phab-site -p 127.0.0.1:443 - -# settings are stored in conf/local/local.json. -# some settings could also be stored in the database with -# --database arg. database has higher priority than -# the config file. - -# if you need to restart phabricator, just ser restart apache2 -# https://secure.phabricator.com/book/phabricator/article/restarting/ - -# to reset things, you can do. -# fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable -# # but under debian, prolly better to purge, cause db gets created on install - - -# On first run went to the website, registered manually, then -# went through the gui setup items to get the configuration below. 
- - -#expect "*" -#sleep 1 - -# expect's exits with 0 by default on timeout of an expect command. -# You can modify this, but it was simpler to use an irregular code to detect -# actual success. -sudo expect -d <<()~*:\"\"&^'" -# default is 128M. recommended starting point is 40% of ram. -setd innodb_buffer_pool_size 1600M - -# this files stopwork, and min_word_len -mysql -u root -p$dbpass <<'EOF' -REPAIR TABLE phabricator_search.search_documentfield; -EOF - -fsetd pygments.enabled true -fbin config set security.alternate-file-domain https://$alt_domain - -setini opcache.validate_timestamps '"0"' opcache /etc/php5/apache2/php.ini -setini post_max_size 100M PHP /etc/php5/apache2/php.ini - -fsetd metamta.default-address phabricator@$domain -fsetd metamta.domain $domain - - -ser restart mysql - -# Not sure if this is needed. while developing this script, mysql went down -# for a bit and the daemons died. - - -# todo, setup inbound email: -# https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/ - - -# https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ -# unmatchable password, allows login only via ssh, sudo, etc. -# this is standard. -# I tried having no home dir, (-d /nonexistent), -# but I got an error message on test sshing, -sudo useradd -p '*' -m --system -s /bin/sh vcs || [[ $? == 9 ]] - -# you'd think the debian package would set this. 
todo: check on a fresh -# machine -fbin config set phd.user phabricator -fbin config set diffusion.ssh-user vcs - -option="ALL=(phabricator) SETENV: NOPASSWD:" -www_files=$(which git hg|sed ':a;N;s/\n/, /;ta') -vcs_files=$(which git git-upload-pack git-receive-pack hg|sed ':a;N;s/\n/, /;ta') -[[ $www_files && $vcs_files ]] || exit 1 -www_files="$www_files, /usr/lib/git-core/git-http-backend" -sudo dd of=/etc/sudoers.d/phabricator </tmp/plog 2>&1 -# This script executes as the vcs user -if [ "$1" != vcs ]; then exit 1; fi -exec "/usr/share/phabricator/bin/ssh-auth" $@ -EOF -sudo chmod 755 $file - -sudo dd of=/etc/ssh/sshd_config.phabricator </src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306] -# arcanist(), phabricator(), phutil() - -s usermod -a -G vcs www-data -s usermod -a -G vcs iank -s usermod -a -G vcs phabricator -s chown root:vcs /usr/share/phabricator/conf/local/local.json -fbin config set diffusion.ssh-port $ssh_port - -fsetd policy.allow-public true - -sgo phabricator-ssh - -ser restart apache2 -sgo phabricator - - -# todo, finish next steps here: -# notably, backup/restore -# https://secure.phabricator.com/book/phabricator/article/configuration_guide/ - - -fbin auth recover iank - -cat </dev/null; then - s useradd -Um -s /bin/false pumpio - fi - sudo -u pumpio mkdir -p /home/pumpio/pumpdata - # for testing browser when only listening to localhost, - # in the pump.io.json, set hostname localhost, urlPort 5233 - #ssh -L 5233:localhost:5233 li - - s mkdir -p /var/log/pumpio/ - s chown pumpio:pumpio /var/log/pumpio/ - - web-conf - apache2 pump.iankelling.org <<'EOF' -# currently a bug in pump that we cant terminate ssl - SSLProxyEngine On - ProxyPreserveHost On - ProxyPass / https://127.0.0.1:8001/ - ProxyPassReverse / https://127.0.0.1:8001/ - # i have sockjs disabled per people suggesting that - # it won\'t work with apache right now. - # not sure if it would work with this, - # but afaik, this is pointless atm. 
- - ProxyPass wss://127.0.0.1:8001/main/realtime/sockjs/ - ProxyPassReverse wss://127.0.0.1:8001/main/realtime/sockjs/ - -EOF - - sudo -i <<'EOF' -export RENEWED_LINEAGE=/etc/letsencrypt/live/pump.iankelling.org -/a/bin/distro-setup/certbot-renew-hook -EOF - - s dd of=/etc/systemd/system/pump.service <<'EOF' -[Unit] -Description=pump.io -After=syslog.target network.target mongodb.service -Requires=mongodb.service - -[Service] -Type=simple -User=pumpio -Group=pumpio -ExecStart=/home/iank/pump.io/bin/pump -Environment=NODE_ENV=production -# failed to find databank-mongodb without this. -# I just looked at my environment variables took a guess. -Environment=NODE_PATH=/usr/lib/nodejs:/usr/lib/node_modules:/usr/share/javascript - -[Install] -WantedBy=multi-user.target -EOF - ser daemon-reload - sgo pump - ########## end pump.io setup ############ diff --git a/disabled/samba-setup b/disabled/samba-setup deleted file mode 100644 index 11c5ebe..0000000 --- a/disabled/samba-setup +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# this is from distro-end - -if [[ $HOSTNAME == kd ]]; then - pi samba - # note samba re-reads it\'s config every 1 minute - case $distro in - arch) s cp /etc/samba/smb.conf.default /etc/samba/smb.conf ;; - esac - - # add 2 lines after workgroup option - s sed -ri --follow-symlinks '/^\s*encrypt passwords\s*=/d' /etc/samba/smb.conf - s sed -ri --follow-symlinks '/^\s*map to guest\s*=/d' /etc/samba/smb.conf - s sed -i --follow-symlinks 's/\(\s*workgroup\s*=\).*/\1 WORKGROUP\n\tencrypt passwords = yes\n\tmap to guest = bad password/' /etc/samba/smb.conf - # remove default homes section. not sharing that. - s sed -ri --follow-symlinks '/^\s*\[homes\]/,/\s*\[/d' /etc/samba/smb.conf - - if ! grep -xF '[public]' /etc/samba/smb.conf &>/dev/null; then - s tee -a /etc/samba/smb.conf <<'EOF' -[public] - guest ok = yes - read only = no - path = /kr -EOF - fi - - case $distro in - debian|trisquel|ubuntu) - # systemd claims it generates units from /etc/init.d, but it - # clearly doesn\'t in debian. 
I have no idea how they are - # related. fuck debian right now. It\'s not documented. samba - # has a systemd init file linked to /dev/null. There\'s this - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769714 which - # claims samba\'s sub-services will be started automatically by - # systemd... it didn\'t on install, wonder if it will on - # boot. It clued me in how to start it manually though. Nothing - # in /usr/share/doc/samba, debian admin guide says nothing about - # any of this. (this is in debian testing as of 4/2016). - - s /etc/init.d/samba start - ;; - arch) - sgo samba - ;; - esac -fi diff --git a/disabled/small-backup b/disabled/small-backup deleted file mode 100755 index 4db412e..0000000 --- a/disabled/small-backup +++ /dev/null 
@@ -1,149 +0,0 @@ -#!/bin/bash -# I, Ian Kelling, follow the GNU license recommendations at -# https://www.gnu.org/licenses/license-recommendations.en.html. They -# recommend that small programs, < 300 lines, be licensed under the -# Apache License 2.0. This file contains or is part of one or more small -# programs. If a small program grows beyond 300 lines, I plan to switch -# its license to GPL. - -# Copyright 2024 Ian Kelling - -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at - -# http://www.apache.org/licenses/LICENSE-2.0 - -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - - -# for duplicity source build -PATH="$PATH:/usr/local/bin" - -# [--retry] interval_name [max_age] -# takes 2 arguments specifying the name of the subfolder, -# and optionally, the max age of the backup - -# this script setup by adding a user crontab. see t.org for the script -# it's also setup to email me only when it fails, and only for daily or weekly runs - -# uncomment for debugging, prints all commands to stdout -#set -x - -set -E -#trap 'echo trapped error from \"$BASH_COMMAND\" returned $? 
line $LINENO; accumulated_errors=true' ERR -trap 'echo trapped err: $?; accumulated_errors=true' ERR - -exec 3>&1 4>&2 -exec &>> /tmp/small-backup.log - -echo "BEGIN: $(date): args $*" - - -# only works with a single letter, ie 2D, not 2D12h -half-time() { - local time_word - local letter=${1##*[0-9]} - case $letter in - s) time_wrod=second ;; - m) time_word=minute ;; - h) time_word=hour ;; - D) time_word=day ;; - W) time_word=week ;; - M) time_word=month ;; - Y) time_word=year ;; - esac - echo "${1%%$letter} $time_word" - local x=$(date +%s -d "${1%%$letter} $time_word") - local y=$(date +%s) -} - - -if [[ $1 == --retry ]]; then - shift - x=0 - while pid=( $(pidof -o %PPID -x ${0##*/}) ) && (( ${#pid[@]} > 1 )) && (( x < 20 )); do - x=$(( x + 1 )) - sleep 30 - done - if [[ $x == 20 ]]; then - ps -F ${pid[@]} - echo timeout error: existing ${0##*/} running for over 5 minutes >&2 - exit 1 - fi -else - if pid=( $(pidof -o %PPID -x ${0##*/}) ) && (( ${#pid[@]} > 1 )); then - echo ps -F ${pid[@]} - ps -F ${pid[@]} - echo error: existing ${0##*/} running >&2 - exit 1 - fi -fi - -interval=$1 -max_age=$2 -full_backup_arg="" -if [[ $max_age ]]; then - full_backup_arg="--full-if-older-than $(half-time $max_age)" -fi - -rbackup () { - - local d=$1 - shift - local dest=root@li::/root/rdiff-backups/${d##*/}/${interval} - - c="rdiff-backup $* --create-full-path $d $dest" - echo "$c"; $c - - if [[ $max_age ]]; then - c="rdiff-backup --force --remove-older-than $max_age $dest" - echo "$c"; $c - - fi -} - - -rbackup /a/bin --exclude /a/bin/fai-basefiles -rbackup /a/c - -# this is populated after input_setup.sh is run on login - -ssh root@li mkdir -p /root/duplicity-backups/p/$interval -source /p/duplicity/gpg_agent_env -duplicity_dest=rsync://root@li//root/duplicity-backups/p/$interval - -x=(/p/*) -if ((${#x[@]} > 1)); then - set -x - # archive-dir is sort of a persistent cache - duplicity --use-agent \ - --encrypt-sign-key E969C67B \ - --include-globbing-filelist 
/p/duplicity/filelist \ - --archive-dir /p/duplicity/archive \ - --tempdir /p/tmp \ - $full_backup_arg /p $duplicity_dest - if [[ $max_age ]]; then - duplicity --use-agent \ - remove-all-but-n-full 2 --force $duplicity_dest - fi - set +x -fi -# example restore command. We only need to make the first argument be a url for it to know it to do restore -# the archive-dir and tempdir args are not needed -# duplicity --use-agent --encrypt-sign-key E969C67B --archive-dir /p/duplicity/archive --tempdir /p/tmp ssh://root@li//root/duplicity-backups/p/weekly /p/duptest - - -echo END - -# to restore duplicity. see man for additional options -# duplicity --use-agent restore ... -if [[ $accumulated_error ]]; then - eccho "tail -n 50 of /tmp/small-backup.log:" - tail -n 50 /tmp/small-backup.log - exit 1 -fi diff --git a/distro-begin b/distro-begin index e97c6c3..59e50d5 100755 --- a/distro-begin +++ b/distro-begin @@ -310,8 +310,8 @@ set +x err-allow source /etc/profile.d/environment.sh export LC_USEBASHRC=t -# shellcheck source=./.bashrc -source ~/.bashrc +# shellcheck source=./brc +source ~/brc err-catch $interactive || set -x diff --git a/distro-end b/distro-end index f81baa3..8da4a26 100755 --- a/distro-end +++ b/distro-end @@ -18,8 +18,8 @@ # SPDX-License-Identifier: GPL-3.0-or-later -# shellcheck source=/a/bin/ds/.bashrc -export LC_USEBASHRC=t; if [[ -s ~/.bashrc ]]; then . ~/.bashrc; fi +# shellcheck source=./brc +source ~/brc ### setup source /a/bin/bash-bear-trap/bash-bear 
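Review bot: The replacement line `source ~/brc` in the distro-end `@@ -18` hunk drops both the `export LC_USEBASHRC=t` and the `[[ -s ~/.bashrc ]]` guard that the removed line carried, while the distro-begin hunk in this same commit keeps `export LC_USEBASHRC=t` immediately before its own `source ~/brc`. If brc still keys on that variable (its check is not visible here), distro-end now sources it in a different mode than distro-begin does; if it no longer does, the export in distro-begin is dead, and either way the two files should agree. Without the `-s` guard a missing or empty ~/brc now prints an error and, unless an earlier `set -e` is in effect, the script continues through the rest of the setup since bash-bear is only sourced on the following line; if the file is mandatory, `source ~/brc || exit 1` makes that explicit. The surrounding script continues outside the hunk.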
@@ -191,16 +191,17 @@ EOF done if $doupdate; then tmpdir=$(mktemp -d) - cd $tmpdir - # cant apt get the keyring without doing an update, can't update - # without the keyring, this is a stupid chicken and egg problem - # that apt should have some feature to solve, but doesn't as far - # as I know. - f=debian-archive-keyring_2023.3+deb12u1_all.deb - wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f - sudo dpkg -i $f + ( + cd $tmpdir + # cant apt get the keyring without doing an update, can't update + # without the keyring, this is a stupid chicken and egg problem + # that apt should have some feature to solve, but doesn't as far + # as I know. + f=debian-archive-keyring_2023.3+deb12u1_all.deb + wget http://ftp.debian.org/debian/pool/main/d/debian-archive-keyring/$f + sudo dpkg -i $f + ) p update - cd - rm -rf $tmpdir fi -- 2.30.2
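Review bot: `sudo dpkg -i $f` still installs a keyring package fetched over plain HTTP with no integrity check, and moving the steps into a subshell does not change that; debian-archive-keyring is the package that supplies apt's trust anchors, so a tampered download at this step would be accepted as the root of trust for every later `p update`. Fetching over TLS and pinning the expected digest is a two-line change: `wget https://deb.debian.org/debian/pool/main/d/debian-archive-keyring/$f` followed by `echo "<EXPECTED_SHA256>  $f" | sha256sum -c -` before the dpkg call. The subshell's exit status is also discarded: if wget or dpkg fails, `p update` runs anyway unless an earlier `set -e` (possibly from bash-bear, which is not visible here) is in effect, so `) || exit 1` (or `return`, if this sits inside a function) is worth adding at the closing paren. `rm -rf $tmpdir` should be `rm -rf -- "${tmpdir:?}"` so an empty tmpdir from a failed mktemp cannot widen the delete. The enclosing `if $doupdate` block is fully inside the hunk, but the loop it follows starts outside it.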