From d314b216046098f4b520cc14946c5d7c00f2089a Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Sat, 18 Jun 2016 07:37:34 -0700 Subject: [PATCH] lots of updates, server support in progress --- distro-begin | 357 ++++++++++--------- distro-end | 913 ++++++++++++++++++++++++++----------------------- dsfull | 20 ++ dsremote | 15 + homepage-setup | 84 +++++ phab-setup | 343 +++++++++++++++++++ postfix-setup | 102 ++++++ 7 files changed, 1233 insertions(+), 601 deletions(-) create mode 100755 dsfull create mode 100755 dsremote create mode 100755 homepage-setup create mode 100755 phab-setup create mode 100755 postfix-setup diff --git a/distro-begin b/distro-begin index d870fe6..1857f61 100755 --- a/distro-begin +++ b/distro-begin @@ -5,6 +5,7 @@ # todo. dunno why, but original bootstrap of timezone is not sticking. # fixed manually with: # s dpkg-reconfigure tzdata +# enter 12 then 11. # for bootstrapping a new machine @@ -22,15 +23,17 @@ sudo bash -c 'source /a/c/repos/bash/.bashrc && source /a/bin/ssh-emacs-setup' # set the scrollback to unlimited in case something goes wrong if [[ $EUID == 0 ]]; then - echo "error: do not run as root" - exit + if getent passwd ian; then + echo "$0: error: running as root. unprivileged user exists. use it." + exit 1 + else + echo "$0: warning: running as root. I will setup users then exit" + fi fi -interactive=true # set this to true if running by hand in emacs +interactive=false # set this to true if running by hand in emacs [[ $- == *i* ]] || interactive=false - - if ! $interactive; then set -x set -e -o pipefail 
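Review bot: In the new root check of distro-begin, `getent passwd ian` prints the matching passwd entry to stdout and both messages go to stdout as well, so the diagnostics are mixed into normal output. Use `if getent passwd ian >/dev/null; then` and send the two `echo` lines to stderr with `>&2`. With `interactive=false` now hardcoded, the following `[[ $- == *i* ]] || interactive=false` can no longer change anything, and the comment "set this to true if running by hand in emacs" is the only remaining switch; a short comment saying that is intentional would help.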
@@ -42,27 +45,26 @@ exec &> >(sudo tee -a /var/log/distro-begin) echo "$0: $(date): starting now)" # headless=false # unused atm -recompile=true +recompile=false # for copying to a new data fs bootstrapfs=false # old flag, needs new look before using. while [[ $1 == -* ]]; do case $1 in # avoid some of the longer compilation steps, # when we need to rerun because we had an error - -n) recompile=false; shift ;; + -r) recompile=true; shift ;; esac done if [[ $1 ]]; then - host=$1 -else - host=$HOSTNAME + export HOSTNAME=$1 fi -for f in iank-dev htpc treetowl x2 frodo tp; do - eval "$f() { [[ $host == $f ]]; }" +for f in iank-dev htpc treetowl x2 frodo tp lj lk; do + eval "$f() { [[ $HOSTNAME == $f ]]; }" done has_p() { iank-dev || x2 || frodo; } +has_x() { ! lj && ! lk; } encrypted() { has_p || tp; } shopt -s extglob @@ -116,6 +118,9 @@ EOF sudo systemctl start keyscriptoff.service fi + +/a/bin/install-myqueue + if iank-dev; then desktop=$(ssh root@iankelling.org grep desktop /etc/hosts | grep -o "^.* ") if $bootstrapfs; then @@ -123,7 +128,7 @@ if iank-dev; then cp="scp $desktop:" # for moving to a new hd, change $cp to move between filesystems mkdir -p /a/bin - chown -R ian:ian /a + chown -R ian:ian /a # probably needs to be removed $cp/a/c /a $cp/a/c/bin/{bash-programs-by-ian,distro-begin,distro-functions,input-setup.sh} /a/bin echo -e \\n\\n\\n | ssh-keygen -t rsa @@ -134,8 +139,8 @@ fi # todo, it would be nice to cut down on some of the output -# output is below so shellcheck can verify sources for x in /a/bin/bash-programs-by-ian/repos/{errhandle,tee-unique,lnf}/*-function; do + # output is below so shellcheck can verify sources echo "# shellcheck source=$x"; # shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/bash-trace-function # shellcheck source=/a/bin/bash-programs-by-ian/repos/errhandle/errallow-function 
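Review bot: The `eval "$f() { [[ $HOSTNAME == $f ]]; }"` line in the host loop expands `$HOSTNAME` when the function is defined, and this hunk now sets `HOSTNAME` directly from `$1`, so whatever is passed as the first argument is spliced into evaluated shell text. Escaping the variable defers the comparison to call time and keeps the argument out of the eval string: `eval "$f() { [[ \$HOSTNAME == $f ]]; }"`. Separately, the option loop has no default arm, so an invocation that still passes the old `-n` flag never shifts and loops forever; a `*) echo "$0: unknown option $1" >&2; exit 1 ;;` arm would stop that.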
@@ -149,11 +154,12 @@ done set +e $interactive || errcatch +set +x source /a/bin/distro-functions/src/identify-distros +$interactive || set -x echo path:$PATH - if isfedora; then # comment out line disallowing calling sudo in scripts sudo sed -i 's/^Defaults *requiretty/#\0 # ian commented/' /etc/sudoers @@ -166,16 +172,43 @@ if isfedora; then fi +# already ran for pxe installs, but used for vps & updates +distro=$(distro-name) +case $distro in + ubuntu|debian) + sudo bash -c ". /a/bin/fai/fai-wrapper && /a/bin/fai/fai/config/scripts/GRUB_PC/11-ian" + ;; + *) + sudo bash -c ". /a/bin/fai-wrapper && +/a/bin/fai/fai/config/distro-install-common/end" + ;; +esac + + +if [[ $EUID == 0 ]]; then + echo "$0: running as root. exiting now that users are setup" + exit 0 +fi # link files +lnf-home() { + # $2 and opts are unused so far. + opts=() + while [[ $1 == -* ]]; do + opts+=($1) + shift + done + lnf ${opts[@]} "$1" /home/ian/$2 + sudo -u traci -i <$x + x=$(mktemp); /a/opt/pacman.conf-insert_pacserve >$x sudo dd of=/etc/pacman.conf if=$x; rm $x sudo systemctl enable pacserve.service sudo systemctl start pacserve.service @@ -284,8 +316,6 @@ pi trash-cli ###### link files ########### # convenient to just do all file linking in one place -s lnf /a/sdx{,d} / - # if it wasn't set already, we could set hostname here #echo treetowl | s dd of=/etc/hostname #s hostname -F /etc/hostname @@ -297,12 +327,15 @@ s lnf /a/sdx{,d} / # todo: reconcile ~/.ssh/config work/home s lnf -T /q/p /p +s lnf -T /a/bin /b +/a/bin/conflink + if has_p; then lnf -T /p/offlineimap ~/Maildir lnf -T /p/News ~/News # don't use /* because I don't want to require it to be mounted s lnf /q/root/.editor-backups /q/root/.undo-tree-history \ - /a/opt /a/c/.emacs.d ~/.unison /root + /a/opt /a/c/.emacs.d /root fi /a/bin/rootsshsync 
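Review bot: The two arms of the new `case $distro` source different wrapper paths, `/a/bin/fai/fai-wrapper` for ubuntu|debian and `/a/bin/fai-wrapper` for everything else, and one of them is presumably a typo. Both run under `sudo bash -c`, so it is worth confirming which file exists and using a single path. In the new `lnf-home` helper, `opts` is a global and `opts+=($1)` and `${opts[@]}` are unquoted; `local opts=()`, `opts+=("$1")` and `"${opts[@]}"` keep option words intact. The rest of `lnf-home` is not fully visible on this page.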
@@ -323,7 +356,13 @@ fi # basic needed packages case $(distro-name) in debian) - pi firefox$( isdebian-stable && e /$code-backports ) + if has_x; then + if isdebian-stable; then + pi firefox/$codename-backports + else + pi firefox/unstable # has no unstable dependencies + fi + fi # for hosts which require nonfree drivers case $HOSTNAME in tp|x2) : ;; 
@@ -333,37 +372,44 @@ case $(distro-name) in esac ;;& ubuntu|debian) - pi xmacro gtk-redshift xinput + if has_x; then + pi xmacro gtk-redshift xinput + fi ;;& fedora) p -y groupinstall development-tools c-development books admin-tools - pi redshift-gtk - # debian has this package patched to work, upstream is dead - # tried using alien, pi alien, alien -r *.deb, rpm -Uhv *.rpm, got this error, so fuck it - # file /usr/bin from install of xmacro-0.3pre_20000911-7.x86_64 conflicts with file from package filesystem-3.2-19.fc20.x86_64 - # http://packages.debian.org/source/sid/xmacro - pi patch libXtst-devel wget man-pages # what is the ubuntu equivalent to man-pages? - cd $(mktemp -d) - wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911.orig.tar.gz - wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911-6.diff.gz - ex *.gz - patch -p0 < xmacro_0.3pre-20000911-6.diff - cd xmacro-0.3pre-20000911.orig - make - sleep 1 # not sure why the following command couldn\'t find, so trying this - # no make install target - s cp -f xmacroplay xmacrorec xmacrorec2 /usr/local/bin + pi wget man-pages + if has_x; then + pi redshift-gtk + # debian has this package patched to work, upstream is dead + # tried using alien, pi alien, alien -r *.deb, rpm -Uhv *.rpm, got this error, so fuck it + # file /usr/bin from install of xmacro-0.3pre_20000911-7.x86_64 conflicts with file from package filesystem-3.2-19.fc20.x86_64 + # http://packages.debian.org/source/sid/xmacro + pi patch libXtst-devel + cd $(mktemp -d) + wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911.orig.tar.gz + wget http://ftp.de.debian.org/debian/pool/main/x/xmacro/xmacro_0.3pre-20000911-6.diff.gz + ex *.gz + patch -p0 < xmacro_0.3pre-20000911-6.diff + cd xmacro-0.3pre-20000911.orig + make + sleep 1 # not sure why the following command couldn\'t find, so trying this + # no make install target + s cp -f xmacroplay xmacrorec xmacrorec2 /usr/local/bin 
+ fi ;;& arch) - # libxtst is missing dep https://aur.archlinux.org/packages/xmacro/#news - pi xorg-server redshift xorg-xinput pkgfile libxtst xmacro # like apt-cache + pi pkgfile s pkgfile --update - - # background: - # https://aur.archlinux.org/packages/xkbset/#comment-545419 - cert=$(mktemp) - cat >$cert <<'EOF' + if has_x; then + # libxtst is missing dep https://aur.archlinux.org/packages/xmacro/#news + pi xorg-server redshift xorg-xinput libxtst xmacro + + # background: + # https://aur.archlinux.org/packages/xkbset/#comment-545419 + cert=$(mktemp) + cat >$cert <<'EOF' -----BEGIN CERTIFICATE----- MIIJADCCB+igAwIBAgIRAIVAhZ0TMbQ5jTm0koI8X6YwDQYJKoZIhvcNAQELBQAw djELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk1JMRIwEAYDVQQHEwlBbm4gQXJib3Ix @@ -484,19 +530,22 @@ L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG jjxDah2nGN59PRbxYvnKkKj9 -----END CERTIFICATE----- EOF - cat /etc/ssl/certs/ca-certificates.crt >> $cert - CURL_CA_BUNDLE=$cert pi xkbset + cat /etc/ssl/certs/ca-certificates.crt >> $cert + CURL_CA_BUNDLE=$cert pi xkbset + fi ;;& ubuntu|debian|fedora) - pi xkbset + if has_x; then + pi xkbset + fi ;;& esac - -pi xbindkeys cryptsetup - -pi lvm2 +if has_x; then + pi xbindkeys +fi +pi cryptsetup lvm2 # enables trim for volume delete, other rare commands. sudo sed -ri 's/( *issue_discards\b).*/\1 = 1/' /etc/lvm/lvm.conf @@ -541,6 +590,7 @@ frodo:/k /kfrodo nfs defaults 0 0 EOF fi +s mkdir -p /q/i/{w,k} for dir in /{i,w,k}; do if mountpoint $dir; then continue; fi s mkdir -p $dir @@ -557,11 +607,12 @@ s chown root:ian /q s chmod 755 /q -/a/bin/conflink - +# it comes with stretch and arch, but not jessie. # propogate /etc/udev/hwdb.d -s systemd-hwdb update -ser restart systemd-udev-trigger +if which systemd-hwdb; then + s systemd-hwdb update + ser restart systemd-udev-trigger +fi # work desktop doesnt need gpg stuff, but it doesnt hurt s dd of=/etc/profile.d/environment.sh <<'EOF' 
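Review bot: The fedora branch fetches the xmacro tarball and the Debian diff with `wget http://ftp.de.debian.org/...`, builds them and copies the resulting binaries into /usr/local/bin with `s cp -f`, with no integrity check between the download and `make`. Since the hunk already touches these lines, record the expected digests and verify them before unpacking, for example `sha256sum -c xmacro.sha256` against a checksum file kept in the repository (the file name is illustrative, and the digest values are not on this page and would have to be taken from a trusted copy). The `case` statement this branch belongs to starts before the hunk.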
@@ -570,7 +621,7 @@ s dd of=/etc/profile.d/environment.sh <<'EOF' if [ -f $HOME/path_add-function ]; then . $HOME/path_add-function path_add /usr/sbin /usr/local/sbin /sbin - path_add /a/bin /a/opt/bin $HOME/.cabal/bin + path_add /a/exe /a/opt/bin $HOME/.cabal/bin if [ -r /etc/alternatives/java_sdk ]; then export JAVA_HOME=/etc/alternatives/java_sdk @@ -629,122 +680,92 @@ EOF -# emacs dependency. -# dunno why debian installed postfix with yum-builddep emacs -# but I will just explicitly install it here since -# I use it for sending mail in emacs. -if private-host; then - relayhost="[mail.messagingengine.com]:587" -else - # ses initially suggests port 25, but I had problems connecting to that. - relayhost="[email-smtp.us-west-2.amazonaws.com]:587" -fi -if isdeb; then - s debconf-set-selections< >(sudo tee -a /var/log/distro-end) echo "$0: $(date): starting now)" +src="${BASH_SOURCE%/*}" + end_msg() { = local y IFS= read -r -d '' y ||: end_msg_var+="$y" } +spa() { # simple package add + simple_packages+=($@) +} + distro=$(distro-name) pending_reboot=false 
@@ -25,47 +31,229 @@ esac pup -# universal packages simple_packages=( - bwm-ng - chromium - duplicity - evince - fdupes - filelight - gdb - gnome-screenshot mailutils - meld - mpv nmon - offlineimap - p7zip - paprefs - pavucontrol - pianobar - pidgin - rdiff-backup - slock - smartmontools - squashfs-tools - tcpdump - transmission-remote-gtk + ruby + ruby-rest-client tree vim ) -spa() { # simple package add - simple_packages+=($@) -} +if [[ $HOSTNAME != lj && $HOSTNAME != lk ]]; then + # universal packages + simple_packages+=( + apache2 + bwm-ng + chromium + duplicity + evince + fdupes + filelight + gdb + gnome-screenshot + jq + locate + meld + offlineimap + p7zip + paprefs + pavucontrol + pdfgrep + pianobar + pidgin + rdiff-backup + slock + squashfs-tools + tcpdump + transmission-remote-gtk + vlc + ) +fi + + + +########### begin section including lj ################ + + +case $distro in + fedora) spa unrar ;; + *) spa unrar-free ;; +esac + + +case $distro in + arch) + # ubuntu 14.04 uses b-cron, + # but its not maintained in arch. + # of the ones in the main repos, cronie is only one maintained. + # fcron appears abandoned software. + pi cronie + sgo cronie + ;; + *) : ;; # other distros come with cron. 
+esac + + +case $distro in + debian|ubuntu) + pi debian-goodies + ;; +esac + + +case $distro in + *) pi at ;;& + arch) sgo atd ;; +esac case $distro in - debian) pi curl ;; + debian) pi curl;; arch) : ;; # fedora: unknown esac +case $distro in + # tk for gitk + arch) spa git tk ;; + *) spa git ;; +esac + +case $distro in + arch) spa the_silver_searcher ;; + debian|ubuntu) spa silversearcher-ag ;; + # fedora unknown +esac + +case $distro in + debian|ubuntu) spa ntp;; + arch) + pi ntp + sgo ntpd + ;; + # others unknown +esac + + +# no equivalent in other distros: +case $distro in + debian|ubuntu) + pi apt-file aptitude + s apt-file update + # for debconf-get-selections + spa debconf-utils + ;; +esac + +case $distro in + ubuntu|debian) spa ack-grep ;; + arch|fedora) spa ack ;; + # fedora unknown +esac + +case $distro in + arch|debian|ubuntu) + spa bash-completion + ;; + # others unknown +esac + + + + + +# disable motd junk. +case $(distro-name) in + debian) + # allows me to pipe with ssh -t, and gets rid of spam + # http://forums.debian.net/viewtopic.php?f=5&t=85822 + # i'd rather disable the service than comment the init file + # this says disabling the service, it will still get restarted + # but this script doesn't do anything on restart, so it should be fine + s dd of=/var/run/motd.dynamic if=/dev/null + s update-rc.d motd disable + ;; + ubuntu) + # this isn't a complete solution. It still shows me when updates are available, + # but it's no big deal. + s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header + ;; +esac + +# automatic updates +# reference: +# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html +# /etc/cron.daily/apt calls unattended-upgrades +# /usr/share/doc/unattended-upgrades# cat README.md +# /etc/apt/apt.conf.d/50unattended-upgrades +if isdebian; then + pi unattended-upgrades + s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF' +# this file was mostly just comments. 
+APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Download-Upgradeable-Packages "1"; +APT::Periodic::AutocleanInterval "7"; +APT::Periodic::Unattended-Upgrade "1"; +EOF + + + { cat <<'EOF' +Unattended-Upgrade::Mail "root"; +Unattended-Upgrade::MailOnlyOnError "true"; +Unattended-Upgrade::Remove-Unused-Dependencies "true"; +Unattended-Upgrade::Origins-Pattern { +# default is just upgrade main and security, not updates. +EOF + if isdebian-testing; then + cat <<'EOF' +# for testing, only do security updates. + "origin=Debian,codename=${distro_codename},label=Debian-Security"; +EOF + else + cat <<'EOF' +# These are stable packages only getting bugfixes anyways. + "origin=*"; +EOF + fi + cat <<'EOF' +}; +EOF + } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades + + + echo $- > /tmp/x +fi + +# cron +/a/bin/crons/all + + +case $HOSTNAME in + lj|lk) + + pi "${simple_packages[@]}" + $src/homepage-setup + $src/ + +# start=' * *' +# end=' *<\/source> *' +# ruby <<'EOF' | sed -rn "/^$start$/,/^$end$/{s/^$start|$end$/# \0/;p}" | bash +# require 'json' +# puts JSON.parse(`curl 'https://ofswiki.org/w/api.php?\ +# action=query&titles=Mediawiki_Setup_Guide&prop=revisions&rvprop=content&\ +# format=json'`.chomp)['query']['pages'].values[0]['revisions'][0]['*'] +# EOF +# nginx-site iankelling.org + + echo "$0: $(date): ending now)" + exit 0 + ;; +esac + +########### end section including lj ############### + + case $distro in arch) pi syncthing ;; ubuntu|debian) @@ -97,29 +285,17 @@ esac # install bar code scanner. -# things with no equivalent in other distros: +# no equivalent in other distros: case $distro in debian|ubuntu) # for gui bug reporting spa python-vte - pi apt-file aptitude - s apt-file update - # for debconf-get-selections - spa debconf-utils ;; esac ####### misc packages ########### -case $distro in - ubuntu|debian) - spa spacefm-gtk3 ;; - arch) - spa spacefm ;; -esac - - if [[ $HOSTNAME == frodo ]]; then case $distro in 
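Review bot: In the new `lj|lk)` branch the line after `$src/homepage-setup` is a bare `$src/`, which as shown would try to execute a directory and fail; if a script name was meant to follow, it is missing. The block also keeps `echo $- > /tmp/x` at the end of the unattended-upgrades section, which looks like debugging residue and writes to a fixed name in a world-writable directory; drop it or write to a `mktemp` file. Note too that `Unattended-Upgrade::Origins-Pattern` with `"origin=*"` on non-testing hosts applies automatic upgrades from every configured apt source, not only Debian's, so a comment stating that this is intended would help.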
@@ -138,7 +314,7 @@ EOF s sysctl -p # some reason it doesn't seem to start automatically anyways - pi-nostart tranmission-daemon + pi-nostart transmission-daemon # config file documented here, and it's the same config # for daemon vs client, so it's documented in the gui. # https://trac.transmissionbt.com/wiki/EditConfigFiles#Options @@ -146,14 +322,14 @@ EOF require 'json' p = '/etc/transmission-daemon/settings.json' File.write(p, JSON.pretty_generate(JSON.parse(File.read(p)).merge({ -'rpc-whitelist': '127.0.0.1,192.168.1.*', -'rpc-authentication-required': false, -'incomplete-dir': '/i/k/partial-torrents', -'download-dir': '/i/k/torrents', -"speed-limit-up": 700, -"speed-limit-up-enabled": true, -"ratio-limit": 1.4000, -"ratio-limit-enabled": true, +'rpc-whitelist' => '127.0.0.1,192.168.1.*', +'rpc-authentication-required' => false, +'incomplete-dir' => '/i/k/partial-torrents', +'download-dir' => '/i/k/torrents', +"speed-limit-up" => 700, +"speed-limit-up-enabled" => true, +"ratio-limit" => 1.4000, +"ratio-limit-enabled" => true, })) + "\n") EOF sgo transmission-daemon 
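Review bot: The merged settings leave `'rpc-authentication-required' => false` while `'rpc-whitelist'` covers `192.168.1.*`, so any host on that subnet can drive the daemon's RPC interface without credentials. If remote control from the LAN is needed, set `'rpc-authentication-required' => true` together with `rpc-username` and `rpc-password`, or narrow the whitelist to the specific client addresses. The heredoc that feeds this Ruby snippet starts before the hunk.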
@@ -236,235 +412,143 @@ done case $distro in debian|ubuntu) pi-nostart openvpn - # pi-nostart this doesn't seem to be good enough? + # pi-nostart this doesnt seem to be good enough? ser disable openvpn@client ser disable openvpn ;; - *) pi openvpn ;; - esac - - case $HOSTNAME in - tp|frodo) - case $distro in - debian|ubuntu) - log=$(mktemp) - cd /a/opt - wget -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb - set +e - s dpkg -i google-chrome-stable_current_amd64.deb &> $log - code=$? - set -e - case $code in - 1) - if grep '^dpkg: dependency problems prevent configuration of' \ - $log &>/dev/null; then - s apt-get -fy install - else - exit 1 - fi - ;; - 0) : ;; - *) exit $code - esac - ;; - arch) - pi google-chrome - ;; - esac - ;; - esac - - case $distro in - # ubuntu unknown. probably the same as debian, just check if the - # init scripts come with the package. - debian) - # copied from arch, but moved to etc - s dd of=/etc/systemd/user/synergys.service <<'EOF' -[Unit] -Description=Synergy Server Daemon -After=network.target - -[Service] -User=%i -ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf -Restart=on-failure - -[Install] -WantedBy=multi-user.target -EOF - s dd of=/etc/systemd/user/synergys.socket <<'EOF' -[Unit] -Conflicts=synergys@.service - -[Socket] -ListenStream=24800 -Accept=false - -[Install] -WantedBy=sockets.target -EOF - ;;& - *) - pi synergy - # taken from arch wiki. - s dd of=/etc/systemd/system/synergyc@.service <<'EOF' -[Unit] -Description=Synergy Client -After=network.target - -[Service] -User=%i -ExecStart=/usr/bin/synergyc --no-daemon treetowl -Restart=on-failure -# per man systemd.unit, StartLimitInterval, by default we -# restart more than 5 times in 10 seconds. -# And this param defaults too 200 miliseconds. 
-RestartSec=3s - -[Install] -WantedBy=multi-user.target -EOF - case $HOSTNAME in - frodo) - sgo synergyc@ian - systemctl --user start synergys - systemctl --user enable synergys - ;; - treetowl) systemctl --user enable synergys ;; - esac - ;; - esac - - case $distro in - # tk for gitk - arch) spa git tk ;; - *) spa git ;; - esac - - case $distro in - arch) spa the_silver_searcher ;; - debian|ubuntu) spa silversearcher-ag ;; - # fedora unknown - esac + *) pi openvpn ;; +esac - # printer - case $distro in - arch) - pi cups ghostscript gsfonts # from arch wiki cups page - pi hplip # from google - s gpasswd -a $USER sys # from arch wiki - sgo org.cups.cupsd.service - # goto http://127.0.0.1:631 - # administration tab, add new printer button. - # In debian, I could use hte recommended driver, - # in arch, I had to pick out the 6L driver. - ;; - debian|ubuntu) - spa hplip - ;; - # other distros unknown - esac +pi wget +case $HOSTNAME in + tp|frodo) + case $distro in + debian|ubuntu) + log=$(mktemp) + cd /a/opt + wget -N https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb + set +e + s dpkg -i google-chrome-stable_current_amd64.deb &> $log + code=$? + set -e + case $code in + 1) + if grep '^dpkg: dependency problems prevent configuration of' \ + $log &>/dev/null; then + s apt-get -fy install + else + exit 1 + fi + ;; + 0) : ;; + *) exit $code + esac + ;; + arch) + pi google-chrome + ;; + esac + ;; +esac +# printer +case $distro in + arch) + pi cups ghostscript gsfonts # from arch wiki cups page + pi hplip # from google + s gpasswd -a $USER sys # from arch wiki + sgo org.cups.cupsd.service + # goto http://127.0.0.1:631 + # administration tab, add new printer button. + # In debian, I could use hte recommended driver, + # in arch, I had to pick out the 6L driver. 
+ ;; + debian|ubuntu) + spa hplip + ;; + # other distros unknown +esac - case $distro in - ubuntu|debian) spa ack-grep ;; - arch|fedora) spa ack ;; - # fedora unknown - esac - case $distro in - ubuntu|debian) pi --no-install-recommends mairix notmuch ;; - fedora|arch) spa mairix notmuch ;; - esac - case $distro in - arch) spa nfs-utils ;; - ubuntu|debian) spa nfs-client ;; - esac - case $distro in - ubuntu|debian) spa par2 ;; - arch|fedora) spa par2cmdline ;; - esac - # needed for my tex resume - case $distro in - ubuntu|debian) spa texlive-full ;; - arch) spa texlive-most ;; - # fedora unknown - esac +case $distro in + ubuntu|debian) pi --no-install-recommends mairix notmuch ;; + fedora|arch) spa mairix notmuch ;; +esac +case $distro in + arch) spa nfs-utils ;; + ubuntu|debian) spa nfs-client ;; +esac +case $distro in + ubuntu|debian) spa par2 ;; + arch|fedora) spa par2cmdline ;; +esac - case $distro in - ubuntu) - # flash, unrar, codecs, ms fonts. - # This has a manual prompt. - spa ubuntu-restricted-extras - ;; - fedora) - pi yum-utils - # rpm fusion recommended codecs - s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm" - pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\ - xine-lib-extras-freeworld - ;; - esac +# needed for my tex resume +case $distro in + ubuntu|debian) spa texlive-full ;; + arch) spa texlive-most ;; + # fedora unknown +esac - case $distro in - # optional dep for firefox for h.264 video - arch) spa gst-libav ;; - # other distros, probably come by default - esac +case $distro in + ubuntu) + # flash, unrar, codecs, ms fonts. + # This has a manual prompt. 
+ spa ubuntu-restricted-extras + ;; + fedora) + pi yum-utils + # rpm fusion recommended codecs + s su -c "yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm" + pi gstreamer-plugins-ugly gstreamer-plugins-bad gstreamer-ffmpeg\ + xine-lib-extras-freeworld + ;; +esac - case $distro in - fedora|ubuntu|debian) spa gnupg-agent ;; - arch) : ;; - esac +case $distro in + # optional dep for firefox for h.264 video + arch) spa gst-libav ;; + # other distros, probably come by default +esac +case $distro in + fedora|ubuntu|debian) spa gnupg-agent ;; + arch) : ;; +esac - case $distro in - fedora) spa pinentry-gtk ;; - *) : ;; # comes default or with other packages - esac - case $distro in - arch) spa firefox pulseaudio;; - *) : ;; # comes default or with other packages - esac +case $distro in + fedora) spa pinentry-gtk ;; + *) : ;; # comes default or with other packages +esac - case $distro in - arch|debian|ubuntu) - spa bash-completion - ;; - # others unknown - esac +case $distro in + arch) spa firefox pulseaudio;; + *) : ;; # comes default or with other packages +esac - case $distro in - arch) spa ttf-dejavu;; - debian|ubuntu) spa fonts-dejavu ;; - # others unknown - esac +case $distro in + arch) spa ttf-dejavu;; + debian|ubuntu) spa fonts-dejavu ;; + # others unknown +esac - case $distro in - debian|ubuntu) spa ntp;; - arch) - pi ntp - sgo ntpd - ;; - # others unknown - esac - case $distro in - arch) spa xorg-xev;; - debian|ubuntu) spa x11-utils ;; - # others unknown - esac +case $distro in + arch) spa xorg-xev;; + debian|ubuntu) spa x11-utils ;; + # others unknown +esac - case $distro in - arch) pi virt-install;;& - debian|ubuntu) pi virtinst ;;& - *) pi virt-manager ;; # creates the libvirt group in debian at least - # others unknown - esac - # allow user to run vms, from debian handbook - for x in 
ian traci; do s usermod -a -G libvirt $x; done +case $distro in + arch) pi virt-install;;& + debian|ubuntu) pi virtinst ;;& + *) pi virt-manager ;; # creates the libvirt group in debian at least + # others unknown +esac +# allow user to run vms, from debian handbook +for x in ian traci; do s usermod -a -G libvirt,kvm $x; done # bridge networking as user fails. google lead here, but it doesn't work: # oh well, I give up. # http://wiki.qemu.org/Features-Done/HelperNetworking @@ -496,7 +580,7 @@ case $distro in # dnsmasq & ebtables for nat networking in libvirt # qemu for qemu-img, bind-tools for dig # dmidecode just because syslog complains - pi unzip wget xorg-xmodmap dmidecode ebtables\ + pi unzip xorg-xmodmap dmidecode ebtables\ bridge-utils dnsmasq qemu bind-tools # otherwise we get error about accessing kvm module. # seems like there might be a better way, but google was a bit vague. @@ -512,11 +596,6 @@ case $distro in ;; esac -case $distro in - *) pi at ;;& - arch) sgo atd ;; -esac - case $distro in arch) pi virtviewer ;; *) : ;; # other distros have it as a dependency afaik. @@ -524,19 +603,6 @@ esac -case $distro in - arch) - # ubuntu 14.04 uses b-cron, - # but it's not maintained in arch. - # of the ones in the main repos, cronie is only one maintained. - # fcron appears abandoned software. - pi cronie - sgo cronie - ;; - *) : ;; # other distros come with cron. -esac - - case $distro in fedora) cabal install shellcheck ;; *) spa shellcheck ;; @@ -552,15 +618,19 @@ esac case $distro in - debian|ubuntu) spa android-tools-adb ;; + debian|ubuntu) spa android-tools-adb/unstable ;; arch) spa android-tools ;; # other distros unknown esac - case $distro in - fedora) spa unrar ;; - *) spa unrar-free ;; + debian) + if [[ `debian-archive` == testing ]]; then + # has no unstable dependencies + spa bitcoin-qt/unstable + fi + ;; + # other distros unknown esac 
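Review bot: The fedora branch installs the RPM Fusion release packages with `yum localinstall -y --nogpgcheck http://download1.rpmfusion.org/...`, that is, over plain HTTP with signature checking switched off, and those packages then define the repositories and keys trusted for later installs. Fetch them over `https://` and verify them against the RPM Fusion signing key (imported with `rpm --import` from a copy you trust) instead of passing `--nogpgcheck`. The same hunk runs `s dpkg -i google-chrome-stable_current_amd64.deb` on whatever `wget -N` returned; that download is over HTTPS, but a recorded checksum or signature check before `dpkg -i` would make the step verifiable. This hunk mostly re-indents existing code, so these lines predate the commit.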
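Review bot: `spa android-tools-adb/unstable` sits in the `debian|ubuntu)` arm, but Ubuntu archives have no `unstable` suite, so on an Ubuntu host apt would presumably reject that target release, and because the name goes into `simple_packages` it would fail the single `pi "${simple_packages[@]}"` call at the end of the script. Split the arm so only Debian requests the suite: `debian) spa android-tools-adb/unstable ;;` and `ubuntu) spa android-tools-adb ;;`. The new bitcoin-qt arm uses backticks around `debian-archive`; `$(debian-archive)` would match the `$(distro-name)` calls elsewhere in the file.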
@@ -596,13 +666,12 @@ case $distro in esac -# leave this for last so it doesn't do a bunch of other apps -# which I want explicitly installed in case I switch DE's case $distro in debian) pi task-cinnamon-desktop # in settings, change scrolling to two-finger, # because the default edge scroll doesn\'t work. + pu transmission-gtk ;; # others unknown esac 
@@ -613,7 +682,75 @@ case $distro in # already in debian jessie esac -pi "${simple_packages[@]}" + + + +# note this failed running at the beginning of this file, +# because no systemd user instance was running. +# Doing systemd --user resulted in +# Trying to run as user instance, but $XDG_RUNTIME_DIR is not set +case $distro in + # ubuntu unknown. probably the same as debian, just check if the + # init scripts come with the package. + debian) + # copied from arch, but moved to etc + s dd of=/etc/systemd/user/synergys.service <<'EOF' +[Unit] +Description=Synergy Server Daemon +After=network.target + +[Service] +User=%i +ExecStart=/usr/bin/synergys --no-daemon --config /etc/synergy.conf +Restart=on-failure + +[Install] +WantedBy=multi-user.target +EOF + s dd of=/etc/systemd/user/synergys.socket <<'EOF' +[Unit] +Conflicts=synergys@.service + +[Socket] +ListenStream=24800 +Accept=false + +[Install] +WantedBy=sockets.target +EOF + ;;& + *) + pi synergy + # taken from arch wiki. + s dd of=/etc/systemd/system/synergyc@.service <<'EOF' +[Unit] +Description=Synergy Client +After=network.target + +[Service] +User=%i +ExecStart=/usr/bin/synergyc --no-daemon treetowl +Restart=on-failure +# per man systemd.unit, StartLimitInterval, by default we +# restart more than 5 times in 10 seconds. +# And this param defaults too 200 miliseconds. +RestartSec=3s + +[Install] +WantedBy=multi-user.target +EOF + case $HOSTNAME in + frodo) + ser enable synergyc@ian + ser start synergyc@ian ||: # X might not be running yet + systemctl --user start synergys ||: + systemctl --user enable synergys + ;; + treetowl) systemctl --user enable synergys ;; + esac + ;; +esac + ######### end misc packages ######### @@ -628,6 +765,8 @@ pi "${simple_packages[@]}" ######## unfinished # todo, finish configuring smart. + +pi smartmontools # mostly from https://wiki.archlinux.org/index.php/S.M.A.R.T. # turn on smart. background on options: # first line, -a = test everyting on all devices. 
@@ -656,21 +795,32 @@ DEVICESCAN -a -o on -S on -n standby,q $sched\ ########### misc stuff -if [[ $HOSTNAME == frodo ]]; then - tu /etc/exports <<'EOF' -/k 192.168.1.0/24(rw,nohide,no_subtree_check,insecure) -EOF - s exportfs -ra -fi -if [[ `debian-archive` == stable ]]; then - s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF' +case $distro in + debian|ubuntu) + case `debian-archive` in + stable) + s dd of=/etc/apt/preferences.d/unison-gtk <<'EOF' Explanation: Allow unison-gtk to be upgraded Package: unison-gtk Pin: release a=unstable Pin-Priority: 500 EOF -fi + # dont think using testing is needed since I figured out how to + # deal with mismatching unison compilers, but I dont + # see any reason to revert it, since it only installs + # a single package which is primarily a single binary + pi unison-gtk/testing unison/testing + ;; + testing) + piunison unison-gtk + ;; + esac + ;; + arch) + pi unison gtk2 + ;; +esac case $distro in arch) @@ -681,11 +831,11 @@ EOF ;; esac - -case $distro in - arch|debian|ubuntu) pi btrbk ;; - # others unknown -esac +# not using it atm, and for jessie, it depends on a higher version of btrfs-tools +# case $distro in +# arch|debian|ubuntu) pi btrbk ;; +# # others unknown +# esac if [[ $HOSTNAME == treetowl ]] && [[ `debian-archive` != testing ]]; then # fail2 ban is broken, with a workaround, per 
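Review bot: In the `testing)` arm the command is `piunison unison-gtk`; no `piunison` helper is defined anywhere on this page, so this looks like a missing space in `pi unison unison-gtk` and would fail with command-not-found on a testing host. In the `stable)` arm the preferences file pins `unison-gtk` to `a=unstable` while the install line requests `unison-gtk/testing unison/testing`; the pin and the requested suite should name the same release, and `unison` itself has no pin entry.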
@@ -697,128 +847,6 @@ fi -# disable motd junk. -case $(distro-name) in - debian) - # allows me to pipe with ssh -t, and gets rid of spam - # http://forums.debian.net/viewtopic.php?f=5&t=85822 - # i'd rather disable the service than comment the init file - # this says disabling the service, it will still get restarted - # but this script doesn't do anything on restart, so it should be fine - s dd of=/var/run/motd.dynamic if=/dev/null - s update-rc.d motd disable - ;; - ubuntu) - # this isn't a complete solution. It still shows me when updates are available, - # but it's no big deal. - s t /etc/update-motd.d/10-help-text /etc/update-motd.d/00-header - ;; -esac - -# automatic updates -# reference: -# https://debian-handbook.info/browse/stable/sect.regular-upgrades.html -# /etc/cron.daily/apt calls unattended-upgrades -# /usr/share/doc/unattended-upgrades# cat README.md -# /etc/apt/apt.conf.d/50unattended-upgrades -if isdebian; then - pi unattended-upgrades - s dd of=/etc/apt/apt.conf.d/10periodic <<'EOF' -# this file was mostly just comments. -APT::Periodic::Update-Package-Lists "1"; -APT::Periodic::Download-Upgradeable-Packages "1"; -APT::Periodic::AutocleanInterval "7"; -APT::Periodic::Unattended-Upgrade "1"; -EOF - { cat <<'EOF' -Unattended-Upgrade::Mail "root"; -Unattended-Upgrade::MailOnlyOnError "true"; -Unattended-Upgrade::Remove-Unused-Dependencies "true"; -Unattended-Upgrade::Origins-Pattern { -# default is just upgrade main and security, not updates. -EOF - if isdebian-testing; then - cat <<'EOF' -# for testing, only do security updates. - "origin=Debian,codename=${distro_codename},label=Debian-Security"; -EOF - else - cat <<'EOF' -# These are stable packages only getting bugfixes anyways. 
- "origin=*"; -EOF - cat <<'EOF' -}; -EOF - fi - } | s dd of=/etc/apt/apt.conf.d/50unattended-upgrades - echo $- > /tmp/x -fi - - - -######### begin postfix ######## -# based on,http://www.postfix.org/qmgr.8.html and my notes in gnus -# originally tried moving specific directories under /var/spool/postfix, -# but postfix didn't like that -if [[ ! -L /var/spool/postfix ]]; then - ser stop postfix - n=/q/postfix-`distro-name``debian-archive` - if [[ -e $n ]]; then - echo "$0: warning: $n already exists before we do the link, removing it" - rm -rf $n - fi - s mv /var/spool/postfix $n - s lnf -T $n /var/spool/postfix - ser start postfix - journalctl -n 20 | cat -fi - - -# This also works instead of ~/.forward -# s sed -i '/^root/d' /etc/aliases ||: -#echo "root: $HOSTNAME@bog.mm.st" | s tee -a /etc/aliases -# this can't be a symlink and has permission restrictions -# it might work in /etc/aliases, but this seems more proper. - -if s grep amazonaws /etc/postfix/sasl_passwd &>/dev/null; then - forward=$HOSTNAME@sallymae.club -else - forward=$HOSTNAME@bog.mm.st -fi -e $forward > ~/.forward -e $forward | s tee /root/.forward -s newaliases - -# if I wanted the from address to be renamed and sent to a different address, -# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical -# sudo postmap hash:/etc/postfix/recipient_canonical -# sudo service postfix reload - - -# i'm assuming mail just won't work on systems without the sasl_passwd. -postconfin <<'EOF' -smtp_sasl_auth_enable = yes -smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd -smtp_sasl_security_options = noanonymous -smtp_tls_security_level = secure -message_size_limit = 20480000 -smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt -EOF -# ^ I ran into a log file not sending cuz of size. 
double from 10 to 20 meg limit - -s postmap hash:/etc/postfix/sasl_passwd -# offlineimap uses this too, it is much easier to use one location than to -# condition it's config and postfix's config -case $distro in - fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;; - *) : -esac - -s service postfix reload -sgo postfix - -############ end postfix ####### case $distro in @@ -911,7 +939,14 @@ EOF ;; esac -if [[ -e /i/video ]]; then +if [[ $HOSTNAME == frodo ]]; then + tu /etc/exports <<'EOF' +/k 192.168.1.0/24(rw,nohide,no_subtree_check,insecure) +EOF + s exportfs -rav +fi + +if [[ -e /k/video ]]; then # nohide = export filesystems mounted deeper than the export point # fsid=0 makes this export the "root" export # not documented in the man page, but this means @@ -923,11 +958,6 @@ if [[ -e /i/video ]]; then fi -# cron -f=/a/bin/$HOSTNAME-crontab -if [[ -e $f ]]; then - $f -fi e "$end_msg_var" @@ -1028,9 +1058,9 @@ case $distro in s /etc/init.d/samba start ;; - arch) - sgo samba - ;; + arch) + sgo samba + ;; esac tu /etc/hosts <<< "127.0.1.1 $(hostname).lan $(hostname)" @@ -1048,9 +1078,26 @@ if [[ $idev != $rootdev ]]; then mountpoint /mnt/iroot || s mount /mnt/iroot fi -# Do this again because it occasionally has changes and -# it can be run outside initial isntall. -s /a/bin/fai/fai/config/distro-install-common/end + +######### begin stuff belonging at the end ########## + + +# Apps we want to override others for default file handler: +# simplest way in debian is to just install them last. +simple_packages+=( + mpv +) + +case $distro in + ubuntu|debian) + spa spacefm-gtk3 ;; + arch) + spa spacefm ;; +esac + + +pi "${simple_packages[@]}" + if $pending_reboot; then echo "$0: pending reboot and then finished. doing it now." diff --git a/dsfull b/dsfull new file mode 100755 index 0000000..69185d9 --- /dev/null +++ b/dsfull 
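Review bot: The new `/etc/exports` entry written on frodo gives the whole 192.168.1.0/24 network read-write access to `/k` and adds `insecure`, which drops the requirement that requests come from a privileged source port. No `sec=` option is given, so this presumably runs with the default AUTH_SYS, where the server trusts the uid the client sends; any device or unprivileged process on that subnet could then read and write the share as any non-root user. Unless a client needs `insecure`, I would drop it and list the client hosts individually, for example `/k CLIENT_HOST(rw,nohide,no_subtree_check)` (placeholder host). A comment above the here-document should say which machines are meant to mount `/k`.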
@@ -0,0 +1,20 @@
+#!/bin/bash -l
+# Copyright (C) 2016 Ian Kelling
+# This program is under GPL v. 3 or later, see
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+host=$1
+
+if [[ ! $host || $host == -h ]]; then
+ echo "$0: error: expected 1 arg of hostname"
+ exit 1
+fi
+
+set -x
+ssh $host sudo reboot ||:
+pxe-server fai $host
+while ! ssh $host :; do
+ sleep 5
+done
+dsremote $host
diff --git a/dsremote b/dsremote
new file mode 100755
index 0000000..173f48b
--- /dev/null
+++ b/dsremote
@@ -0,0 +1,15 @@
+#!/bin/bash -l
+
+set -eE -o pipefail
+trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
+
+host=$1
+
+if [[ ! $host || $host == -h ]]; then
+ echo "$0: error: expected 1 arg of hostname"
+ exit 1
+fi
+
+rlu $host /a/bin/distro-setup/
+ssh $host /a/bin/distro-begin
+ssh $host /a/bin/distro-end
diff --git a/homepage-setup b/homepage-setup
new file mode 100755
index 0000000..091a50a
--- /dev/null
+++ b/homepage-setup
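Review bot: `$host` is expanded unquoted in every `ssh`, `pxe-server`, `dsremote` and `rlu` call in dsfull and dsremote, and the guard rejects only an empty value or `-h`, so any other argument starting with `-` reaches ssh as an option instead of a hostname. Rejecting it up front and quoting the expansions closes that in both scripts: `if [[ ! $host || $host == -* ]]; then` and `ssh "$host" sudo reboot ||:`. In dsfull the `while ! ssh $host :` loop has no upper bound, and unless `pxe-server fai` blocks until the machine is down it can succeed against the old system, so `dsremote` would run before the reinstall; a retry limit and a check that the host actually went away would make the hand-off deterministic. The usage error should go to stderr with `>&2`, like the ERR trap.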
@@ -0,0 +1,84 @@ +#!/bin/bash -l +# Copyright (C) 2016 Ian Kelling +# This program is under GPL v. 3 or later, see + +# lj is test server +case $HOSTNAME in + lj) + domain=iankelling.org + ;; + lk) + domain=iank.bid + ;; +esac + + +# debian has the package gitweb, which seems to mainly +# have some example apache config, and a minimal gitweb config. +# I'll just use the config as example and not use the package. +# It's example apache config seems to say we can use cgi or cgid, +# and googling cgid it seems a newer faster alternative. +s a2enmod cgid + +s dd of=/etc/gitweb.conf < + # to run python scripts with cgi + Options +ExecCGI + AddHandler cgi-script .py + + + +# All below is for gitweb + git-http-web. +# A simple builtin way to have a read only git website. +# I didn't find any significantly better alternatives out there. +SetEnv GIT_PROJECT_ROOT $gitroot +SetEnv GIT_HTTP_EXPORT_ALL + +# note: cgi scripts can go anywhere into the filesystem, +# so there is no need to do a directory block for $gitroot + +# fot git-http-web + + AllowOverride None + Require all granted + + + + Options +FollowSymLinks +ExecCGI + AddHandler cgi-script .cgi + + +# from man-git-http-backend, so git-http-web ang gitweb can both be used. +# it is instead of this: +# #ScriptAlias / /usr/lib/git-core/git-http-backend/ +ScriptAliasMatch \\ + "(?x)^/git/(.*/(HEAD | \\ + info/refs | \\ + objects/(info/[^/]+ | \\ + [0-9a-f]{2}/[0-9a-f]{38} | \\ + pack/pack-[0-9a-f]{40}\\.(pack|idx)) | \\ + git-(upload|receive)-pack))\$" \\ + /usr/lib/git-core/git-http-backend/\$1 + + + +# man-git-http-backend claims we should do this, but +# it causes no css/images to be displayed. Instead, +# just stick with the standard gitweb example directive +# from debian. +#ScriptAlias /git /usr/share/gitweb/gitweb.cgi/ +Alias /git /usr/share/gitweb +EOF diff --git a/phab-setup b/phab-setup new file mode 100755 index 0000000..e654246 --- /dev/null +++ b/phab-setup 
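Review bot: The Apache config sets `GIT_HTTP_EXPORT_ALL` and its `ScriptAliasMatch` pattern also routes `git-receive-pack` to git-http-backend, while the comment above describes a read-only site. With `GIT_HTTP_EXPORT_ALL`, every repository under `$gitroot` is served whether or not it carries a `git-daemon-export-ok` file, so a private repository placed there becomes public; dropping that `SetEnv` and marking the repositories meant for publication makes the exposure explicit. Narrowing the pattern's last alternative to `git-upload-pack))\$" \\` would make read-only a property of this config rather than of git-http-backend's default of refusing unauthenticated pushes. Separately, `case $HOSTNAME` has no `*)` arm, so `domain` stays unset on any other host, and `lj` (commented as the test server) gets iankelling.org here but phab.iank.bid in phab-setup, which looks swapped. Parts of the here-documents in this hunk are not visible in this view, so this covers only the lines shown.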
@@ -0,0 +1,343 @@ +#!/bin/bash -l +# Copyright (C) 2016 Ian Kelling +# This program is under GPL v. 3 or later, see +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?"' ERR + +set -x + + +# lj is test server +case $HOSTNAME in + lj) + domain=phab.iank.bid + alt_domain=fastmail.wiki + ;; + lk) + domain=phab.iankelling.org + alt_domain=iankellingusercontent.org + ;; +esac + + +pass=`cat /p/c/machine_specific/$HOSTNAME/phabricator_admin` +webroot=/usr/share/phabricator/webroot +user=iank +name="Ian Kelling" +email=ian@iankelling.org +ssh_port=222 + +fbin() { bin=$1; shift; sudo /usr/share/phabricator/bin/$bin "$@"; } +fsetd() { fbin config set --database "$@"; } + +# phabricator complained about wanting arcanist first +pi arcanist/unstable mercurial + +for x in /a/bin/bash_unpublished/*; do source $x; done + +# duplicated in mediawiki setup. todo fix that. +s DEBIAN_FRONTEND=noninteractive pi mysql-server +cd # mysql_secure_installation writes some temp files to the current dir, +# so we need to make sure it's writable. +if echo exit|mysql -u root -p"$dbpass"; then + echo -e "$dbpass\nn\n\n\n\n" | mysql_secure_installation +else + echo -e "\n\n$dbpass\n$dbpass\n\n\n\n\n" | mysql_secure_installation +fi + +mysql -u root -p$dbpass < + Require all granted + +EOF +done + + +# Before I figured out how to setup the admin in the script, +# this would limit the site to localhost, +# and access it through an ssh tunnel until its secure. +#phab-site -p 127.0.0.1:443 + +# settings are stored in conf/local/local.json. +# some settings could also be stored in the database with +# --database arg. database has higher priority than +# the config file. + +# if you need to restart phabricator, just ser restart apache2 +# https://secure.phabricator.com/book/phabricator/article/restarting/ + +# to reset things, you can do. 
+# fbin storage destroy; pu phabricator; phab-sel; pi phabricator/unstable +# # but under debian, prolly better to purge, cause db gets created on install + + +# On first run went to the website, registered manually, then +# went through the gui setup items to get the configuration below. + + +#expect "*" +#sleep 1 + +# expect's exits with 0 by default on timeout of an expect command. +# You can modify this, but it was simpler to use an irregular code to detect +# actual success. +sudo expect -d <<()~*:\"\"&^'" +# default is 128M. recommended starting point is 40% of ram. +setd innodb_buffer_pool_size 1600M + +# this files stopwork, and min_word_len +mysql -u root -p$dbpass <<'EOF' +REPAIR TABLE phabricator_search.search_documentfield; +EOF + +fsetd pygments.enabled true +fbin config set security.alternate-file-domain https://$alt_domain + +setini opcache.validate_timestamps '"0"' opcache /etc/php5/apache2/php.ini +setini post_max_size 100M PHP /etc/php5/apache2/php.ini + +fsetd metamta.default-address phabricator@$domain +fsetd metamta.domain $domain + + +ser restart mysql + +# Not sure if this is needed. while developing this script, mysql went down +# for a bit and the daemons died. + + +# todo, setup inbound email: +# https://secure.phabricator.com/book/phabricator/article/configuring_inbound_email/ + + +# https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ +# unmatchable password, allows login only via ssh, sudo, etc. +# this is standard. +# I tried having no home dir, (-d /nonexistent), +# but I got an error message on test sshing, +sudo useradd -p '*' -m --system -s /bin/sh vcs || [[ $? == 9 ]] + +# you'd think the debian package would set this. 
todo: check on a fresh +# machine +fbin config set phd.user phabricator +fbin config set diffusion.ssh-user vcs + +option="ALL=(phabricator) SETENV: NOPASSWD:" +www_files=$(which git hg|sed ':a;N;s/\n/, /;ta') +vcs_files=$(which git git-upload-pack git-receive-pack hg|sed ':a;N;s/\n/, /;ta') +[[ $www_files && $vcs_files ]] || exit 1 +www_files="$www_files, /usr/lib/git-core/git-http-backend" +sudo dd of=/etc/sudoers.d/phabricator </tmp/plog 2>&1 +# This script executes as the vcs user +if [ "$1" != vcs ]; then exit 1; fi +exec "/usr/share/phabricator/bin/ssh-auth" $@ +EOF +sudo chmod 755 $file + +sudo dd of=/etc/ssh/sshd_config.phabricator </src/aphront/storage/connection/mysql/AphrontBaseMySQLDatabaseConnection.php:306] +# arcanist(), phabricator(), phutil() + +s usermod -a -G vcs www-data +s usermod -a -G vcs ian +s usermod -a -G vcs phabricator +s chown root:vcs /usr/share/phabricator/conf/local/local.json +fbin config set diffusion.ssh-port $ssh_port + +fsetd policy.allow-public true + +sgo phabricator-ssh + +ser restart apache2 +sgo phabricator + + +# todo, finish next steps here: +# notably, backup/restore +# https://secure.phabricator.com/book/phabricator/article/configuration_guide/ + + +fbin auth recover iank + +cat < +set -eE -o pipefail +trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR + +# dunno why debian installed postfix with builddep emacs +# but I will just explicitly install it here since +# I use it for sending mail in emacs. +if private-host; then + relayhost="[mail.messagingengine.com]:587" +else + # ses initially suggests port 25, but I had problems connecting to that. 
+ relayhost="[email-smtp.us-west-2.amazonaws.com]:587" +fi +if isdeb; then + s debconf-set-selections</dev/null; then + forward=$HOSTNAME@$PERSONAL_DOMAIN +else + forward=$HOSTNAME@$IMPERSONAL_DOMAIN +fi +e $forward > ~/.forward +e $forward | s tee /root/.forward +s newaliases + +# if I wanted the from address to be renamed and sent to a different address, +# echo "sdx@localhost development@localhost" | sudo dd of=/etc/postfix/recipient_canonical +# sudo postmap hash:/etc/postfix/recipient_canonical +# sudo service postfix reload + + +# i'm assuming mail just won't work on systems without the sasl_passwd. +postconfin <<'EOF' +smtp_sasl_auth_enable = yes +smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd +smtp_sasl_security_options = noanonymous +smtp_tls_security_level = secure +message_size_limit = 20480000 +smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt +EOF +# ^ I ran into a log file not sending cuz of size. double from 10 to 20 meg limit + +s postmap hash:/etc/postfix/sasl_passwd +# offlineimap uses this too, it is much easier to use one location than to +# condition it's config and postfix's config +case $distro in + fedora) s lnf -T ca-certificates.crt /etc/ssl/ca-bundle.trust.crt ;; + *) : +esac + +s service postfix reload +sgo postfix -- 2.30.2
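Review bot: `s postmap hash:/etc/postfix/sasl_passwd` builds the lookup table from the file holding the relay credentials, and nothing visible in this hunk sets that file's mode. postmap gives the generated `.db` the same group and other read permissions as its source, so a world-readable `sasl_passwd` yields a world-readable table. Adding `s chmod 600 /etc/postfix/sasl_passwd` before the `postmap` call fixes the mode regardless of how the file was provisioned. `e $forward > ~/.forward` and `e $forward | s tee /root/.forward` should quote `"$forward"`. The beginning of this file's hunk is not visible in this view, so the mode may already be handled there.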