+++ /dev/null
-# connectivity: ifupdown seems necessary everyhwere, isc-dhcp-client
-# unpredictably so
-ifupdown
-isc-dhcp-client
-# git for the setup directory; cloning works with ca-certificates
-ca-certificates
-git
-# to avoid constant warnings about no locale being found
-locales
+++ /dev/null
-# needed to log in to server via ssh
-openssh-server
-# provides /etc/inputrc and understanding of ctrl+arrow key combos
-readline-common
-# provides systemd scripts that configure iptables via /etc/iptables/*
-iptables-persistent
-# this line is here because the shell "read" in install_for_target.sh ignores lines without final newline
\ No newline at end of file
+++ /dev/null
-#!/bin/sh
-set -e
-
-standard_repo="borg"
-config_file="${HOME}/.borgrepos"
-
-usage() {
- echo "Need operation as argument, one of:"
- echo "init"
- echo "store"
- echo "check"
- echo "export_keyfiles"
- echo "orgpush"
- echo "orgpull"
- false
-}
-
-read_pw() {
- if [ "${#SSH_AGENT_PID}" -eq 0 ]; then
- eval $(ssh-agent)
- echo "ssh-add"
- stty -echo
- ssh-add
- stty echo
- fi
- if [ "${#BORG_PASSPHRASE}" -eq 0 ]; then
- stty -echo
- printf "Borg passphrase: "
- read password
- stty echo
- printf "\n"
- export BORG_PASSPHRASE="${password}"
- fi
-}
-
-if [ ! -f "${config_file}" ]; then
- echo '# file read ends at last newline' >> "${config_file}"
-fi
-if [ "$#" -lt 1 ]; then
- usage
-fi
-first_arg="$1"
-shift
-if [ "${first_arg}" = "init" ]; then
- if [ ! "$#" -eq 1 ]; then
- echo "Need exactly one argument: target of form user@server"
- false
- fi
- target="$1"
- echo "Initializing: ${target}"
- borg init --verbose --encryption=keyfile "${target}:${standard_repo}"
- tmp_file="/tmp/new_borgrepos"
- echo "${target}" > "${tmp_file}"
- cat "${config_file}" >> "${tmp_file}"
- cp "${tmp_file}" "${config_file}"
-elif [ "${first_arg}" = "store" ]; then
- if [ ! "$#" -eq 2 ]; then
- echo "Need precisely two arguments: archive name and path to archive."
- false
- fi
- archive_name=$1
- shift
- to_backup="$@"
- read_pw
- cat "${config_file}" | while read line; do
- first_char=$(echo "${line}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- continue
- fi
- repo="${line}:${standard_repo}"
- archive="${repo}::${archive_name}-{utcnow:%Y-%m-%dT%H:%M}"
- echo "Creating archive: ${archive}"
- borg create --verbose --list "${archive}" "${to_backup}"
- done
-elif [ "${first_arg}" = "check" ]; then
- if [ ! "$#" -eq 0 ]; then
- echo "Need no arguments"
- false
- fi
- read_pw
- cat "${config_file}" | while read line; do
- first_char=$(echo "${line}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- continue
- fi
- repo="${line}:${standard_repo}"
- echo "Checking repo: ${repo}"
- borg check --verbose "${repo}"
- done
-elif [ "${first_arg}" = "export_keyfiles" ]; then
- if [ ! "$#" -eq 1 ]; then
- echo "Need output tar file name."
- false
- fi
- tar_target="${1}"
- tmp_dir="${HOME}/.borgtmp"
- keyfiles_dir="${tmp_dir}/borg_keyfiles"
- mkdir -p "${keyfiles_dir}"
- cat "${config_file}" | while read line; do
- first_char=$(echo "${line}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- continue
- fi
- repo="${line}:${standard_repo}"
- borg key export "${repo}" "${keyfiles_dir}/${line}"
- done
- cur_dir="$(pwd)"
- cd "${tmp_dir}"
- target=$(basename "${keyfiles_dir}")
- tar cf "${tar_target}" "${target}"
- mv "${tar_target}" "${cur_dir}"
- cd
- rm -rf "${tmp_dir}"
-elif [ "${first_arg}" = "orgpush" ]; then
- archive_name="orgdir"
- to_backup=~/org
- read_pw
- cat "${config_file}" | while read line; do
- first_char=$(echo "${line}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- continue
- fi
- repo="${line}:${standard_repo}"
- archive="${repo}::${archive_name}-{utcnow:%Y-%m-%dT%H:%M}"
- echo "Creating archive: ${archive}"
- borg create --verbose --list "${archive}" "${to_backup}" --exclude ~/org/.git
- done
-elif [ "${first_arg}" = "orgpull" ]; then
- archive_name="orgdir"
- read_pw
- cd /
- cat "${config_file}" | while read line; do
- first_char=$(echo "${line}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- continue
- fi
- repo="${line}:${standard_repo}"
- archive=$(borg list "${repo}" | grep "${orgdir}" | tail -1 | cut -f1 -d' ')
- echo "Pulling archive: ${archive}"
- borg extract --verbose "${repo}::${archive}"
- break
- done
-else
- usage
-fi
+++ /dev/null
-APT::AutoRemove::RecommendsImportant "false";
-APT::AutoRemove::SuggestsImportant "false";
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
+++ /dev/null
-deb http://deb.debian.org/debian stretch main contrib non-free
-deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
-deb http://deb.debian.org/debian stretch-updates main contrib non-free
-deb http://ftp.debian.org/debian stretch-backports main contrib non-free
\ No newline at end of file
+++ /dev/null
-# This file lists locales that you wish to have built. You can find a list
-# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
-# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
-# this file, you need to rerun locale-gen.
-
-
-# aa_DJ ISO-8859-1
-# aa_DJ.UTF-8 UTF-8
-# aa_ER UTF-8
-# aa_ER@saaho UTF-8
-# aa_ET UTF-8
-# af_ZA ISO-8859-1
-# af_ZA.UTF-8 UTF-8
-# ak_GH UTF-8
-# am_ET UTF-8
-# an_ES ISO-8859-15
-# an_ES.UTF-8 UTF-8
-# anp_IN UTF-8
-# ar_AE ISO-8859-6
-# ar_AE.UTF-8 UTF-8
-# ar_BH ISO-8859-6
-# ar_BH.UTF-8 UTF-8
-# ar_DZ ISO-8859-6
-# ar_DZ.UTF-8 UTF-8
-# ar_EG ISO-8859-6
-# ar_EG.UTF-8 UTF-8
-# ar_IN UTF-8
-# ar_IQ ISO-8859-6
-# ar_IQ.UTF-8 UTF-8
-# ar_JO ISO-8859-6
-# ar_JO.UTF-8 UTF-8
-# ar_KW ISO-8859-6
-# ar_KW.UTF-8 UTF-8
-# ar_LB ISO-8859-6
-# ar_LB.UTF-8 UTF-8
-# ar_LY ISO-8859-6
-# ar_LY.UTF-8 UTF-8
-# ar_MA ISO-8859-6
-# ar_MA.UTF-8 UTF-8
-# ar_OM ISO-8859-6
-# ar_OM.UTF-8 UTF-8
-# ar_QA ISO-8859-6
-# ar_QA.UTF-8 UTF-8
-# ar_SA ISO-8859-6
-# ar_SA.UTF-8 UTF-8
-# ar_SD ISO-8859-6
-# ar_SD.UTF-8 UTF-8
-# ar_SS UTF-8
-# ar_SY ISO-8859-6
-# ar_SY.UTF-8 UTF-8
-# ar_TN ISO-8859-6
-# ar_TN.UTF-8 UTF-8
-# ar_YE ISO-8859-6
-# ar_YE.UTF-8 UTF-8
-# as_IN UTF-8
-# ast_ES ISO-8859-15
-# ast_ES.UTF-8 UTF-8
-# ayc_PE UTF-8
-# az_AZ UTF-8
-# be_BY CP1251
-# be_BY.UTF-8 UTF-8
-# be_BY@latin UTF-8
-# bem_ZM UTF-8
-# ber_DZ UTF-8
-# ber_MA UTF-8
-# bg_BG CP1251
-# bg_BG.UTF-8 UTF-8
-# bhb_IN.UTF-8 UTF-8
-# bho_IN UTF-8
-# bn_BD UTF-8
-# bn_IN UTF-8
-# bo_CN UTF-8
-# bo_IN UTF-8
-# br_FR ISO-8859-1
-# br_FR.UTF-8 UTF-8
-# br_FR@euro ISO-8859-15
-# brx_IN UTF-8
-# bs_BA ISO-8859-2
-# bs_BA.UTF-8 UTF-8
-# byn_ER UTF-8
-# ca_AD ISO-8859-15
-# ca_AD.UTF-8 UTF-8
-# ca_ES ISO-8859-1
-# ca_ES.UTF-8 UTF-8
-# ca_ES.UTF-8@valencia UTF-8
-# ca_ES@euro ISO-8859-15
-# ca_ES@valencia ISO-8859-15
-# ca_FR ISO-8859-15
-# ca_FR.UTF-8 UTF-8
-# ca_IT ISO-8859-15
-# ca_IT.UTF-8 UTF-8
-# ce_RU UTF-8
-# chr_US UTF-8
-# cmn_TW UTF-8
-# crh_UA UTF-8
-# cs_CZ ISO-8859-2
-# cs_CZ.UTF-8 UTF-8
-# csb_PL UTF-8
-# cv_RU UTF-8
-# cy_GB ISO-8859-14
-# cy_GB.UTF-8 UTF-8
-# da_DK ISO-8859-1
-# da_DK.UTF-8 UTF-8
-# de_AT ISO-8859-1
-# de_AT.UTF-8 UTF-8
-# de_AT@euro ISO-8859-15
-# de_BE ISO-8859-1
-# de_BE.UTF-8 UTF-8
-# de_BE@euro ISO-8859-15
-# de_CH ISO-8859-1
-# de_CH.UTF-8 UTF-8
-# de_DE ISO-8859-1
-# de_DE.UTF-8 UTF-8
-# de_DE@euro ISO-8859-15
-# de_IT ISO-8859-1
-# de_IT.UTF-8 UTF-8
-# de_LI.UTF-8 UTF-8
-# de_LU ISO-8859-1
-# de_LU.UTF-8 UTF-8
-# de_LU@euro ISO-8859-15
-# doi_IN UTF-8
-# dv_MV UTF-8
-# dz_BT UTF-8
-# el_CY ISO-8859-7
-# el_CY.UTF-8 UTF-8
-# el_GR ISO-8859-7
-# el_GR.UTF-8 UTF-8
-# en_AG UTF-8
-# en_AU ISO-8859-1
-# en_AU.UTF-8 UTF-8
-# en_BW ISO-8859-1
-# en_BW.UTF-8 UTF-8
-# en_CA ISO-8859-1
-# en_CA.UTF-8 UTF-8
-# en_DK ISO-8859-1
-# en_DK.ISO-8859-15 ISO-8859-15
-# en_DK.UTF-8 UTF-8
-# en_GB ISO-8859-1
-# en_GB.ISO-8859-15 ISO-8859-15
-# en_GB.UTF-8 UTF-8
-# en_HK ISO-8859-1
-# en_HK.UTF-8 UTF-8
-# en_IE ISO-8859-1
-# en_IE.UTF-8 UTF-8
-# en_IE@euro ISO-8859-15
-# en_IL UTF-8
-# en_IN UTF-8
-# en_NG UTF-8
-# en_NZ ISO-8859-1
-# en_NZ.UTF-8 UTF-8
-# en_PH ISO-8859-1
-# en_PH.UTF-8 UTF-8
-# en_SG ISO-8859-1
-# en_SG.UTF-8 UTF-8
-# en_US ISO-8859-1
-# en_US.ISO-8859-15 ISO-8859-15
-en_US.UTF-8 UTF-8
-# en_ZA ISO-8859-1
-# en_ZA.UTF-8 UTF-8
-# en_ZM UTF-8
-# en_ZW ISO-8859-1
-# en_ZW.UTF-8 UTF-8
-# eo UTF-8
-# es_AR ISO-8859-1
-# es_AR.UTF-8 UTF-8
-# es_BO ISO-8859-1
-# es_BO.UTF-8 UTF-8
-# es_CL ISO-8859-1
-# es_CL.UTF-8 UTF-8
-# es_CO ISO-8859-1
-# es_CO.UTF-8 UTF-8
-# es_CR ISO-8859-1
-# es_CR.UTF-8 UTF-8
-# es_CU UTF-8
-# es_DO ISO-8859-1
-# es_DO.UTF-8 UTF-8
-# es_EC ISO-8859-1
-# es_EC.UTF-8 UTF-8
-# es_ES ISO-8859-1
-# es_ES.UTF-8 UTF-8
-# es_ES@euro ISO-8859-15
-# es_GT ISO-8859-1
-# es_GT.UTF-8 UTF-8
-# es_HN ISO-8859-1
-# es_HN.UTF-8 UTF-8
-# es_MX ISO-8859-1
-# es_MX.UTF-8 UTF-8
-# es_NI ISO-8859-1
-# es_NI.UTF-8 UTF-8
-# es_PA ISO-8859-1
-# es_PA.UTF-8 UTF-8
-# es_PE ISO-8859-1
-# es_PE.UTF-8 UTF-8
-# es_PR ISO-8859-1
-# es_PR.UTF-8 UTF-8
-# es_PY ISO-8859-1
-# es_PY.UTF-8 UTF-8
-# es_SV ISO-8859-1
-# es_SV.UTF-8 UTF-8
-# es_US ISO-8859-1
-# es_US.UTF-8 UTF-8
-# es_UY ISO-8859-1
-# es_UY.UTF-8 UTF-8
-# es_VE ISO-8859-1
-# es_VE.UTF-8 UTF-8
-# et_EE ISO-8859-1
-# et_EE.ISO-8859-15 ISO-8859-15
-# et_EE.UTF-8 UTF-8
-# eu_ES ISO-8859-1
-# eu_ES.UTF-8 UTF-8
-# eu_ES@euro ISO-8859-15
-# eu_FR ISO-8859-1
-# eu_FR.UTF-8 UTF-8
-# eu_FR@euro ISO-8859-15
-# fa_IR UTF-8
-# ff_SN UTF-8
-# fi_FI ISO-8859-1
-# fi_FI.UTF-8 UTF-8
-# fi_FI@euro ISO-8859-15
-# fil_PH UTF-8
-# fo_FO ISO-8859-1
-# fo_FO.UTF-8 UTF-8
-# fr_BE ISO-8859-1
-# fr_BE.UTF-8 UTF-8
-# fr_BE@euro ISO-8859-15
-# fr_CA ISO-8859-1
-# fr_CA.UTF-8 UTF-8
-# fr_CH ISO-8859-1
-# fr_CH.UTF-8 UTF-8
-# fr_FR ISO-8859-1
-# fr_FR.UTF-8 UTF-8
-# fr_FR@euro ISO-8859-15
-# fr_LU ISO-8859-1
-# fr_LU.UTF-8 UTF-8
-# fr_LU@euro ISO-8859-15
-# fur_IT UTF-8
-# fy_DE UTF-8
-# fy_NL UTF-8
-# ga_IE ISO-8859-1
-# ga_IE.UTF-8 UTF-8
-# ga_IE@euro ISO-8859-15
-# gd_GB ISO-8859-15
-# gd_GB.UTF-8 UTF-8
-# gez_ER UTF-8
-# gez_ER@abegede UTF-8
-# gez_ET UTF-8
-# gez_ET@abegede UTF-8
-# gl_ES ISO-8859-1
-# gl_ES.UTF-8 UTF-8
-# gl_ES@euro ISO-8859-15
-# gu_IN UTF-8
-# gv_GB ISO-8859-1
-# gv_GB.UTF-8 UTF-8
-# ha_NG UTF-8
-# hak_TW UTF-8
-# he_IL ISO-8859-8
-# he_IL.UTF-8 UTF-8
-# hi_IN UTF-8
-# hne_IN UTF-8
-# hr_HR ISO-8859-2
-# hr_HR.UTF-8 UTF-8
-# hsb_DE ISO-8859-2
-# hsb_DE.UTF-8 UTF-8
-# ht_HT UTF-8
-# hu_HU ISO-8859-2
-# hu_HU.UTF-8 UTF-8
-# hy_AM UTF-8
-# hy_AM.ARMSCII-8 ARMSCII-8
-# ia_FR UTF-8
-# id_ID ISO-8859-1
-# id_ID.UTF-8 UTF-8
-# ig_NG UTF-8
-# ik_CA UTF-8
-# is_IS ISO-8859-1
-# is_IS.UTF-8 UTF-8
-# it_CH ISO-8859-1
-# it_CH.UTF-8 UTF-8
-# it_IT ISO-8859-1
-# it_IT.UTF-8 UTF-8
-# it_IT@euro ISO-8859-15
-# iu_CA UTF-8
-# ja_JP.EUC-JP EUC-JP
-# ja_JP.UTF-8 UTF-8
-# ka_GE GEORGIAN-PS
-# ka_GE.UTF-8 UTF-8
-# kk_KZ PT154
-# kk_KZ.RK1048 RK1048
-# kk_KZ.UTF-8 UTF-8
-# kl_GL ISO-8859-1
-# kl_GL.UTF-8 UTF-8
-# km_KH UTF-8
-# kn_IN UTF-8
-# ko_KR.EUC-KR EUC-KR
-# ko_KR.UTF-8 UTF-8
-# kok_IN UTF-8
-# ks_IN UTF-8
-# ks_IN@devanagari UTF-8
-# ku_TR ISO-8859-9
-# ku_TR.UTF-8 UTF-8
-# kw_GB ISO-8859-1
-# kw_GB.UTF-8 UTF-8
-# ky_KG UTF-8
-# lb_LU UTF-8
-# lg_UG ISO-8859-10
-# lg_UG.UTF-8 UTF-8
-# li_BE UTF-8
-# li_NL UTF-8
-# lij_IT UTF-8
-# ln_CD UTF-8
-# lo_LA UTF-8
-# lt_LT ISO-8859-13
-# lt_LT.UTF-8 UTF-8
-# lv_LV ISO-8859-13
-# lv_LV.UTF-8 UTF-8
-# lzh_TW UTF-8
-# mag_IN UTF-8
-# mai_IN UTF-8
-# mg_MG ISO-8859-15
-# mg_MG.UTF-8 UTF-8
-# mhr_RU UTF-8
-# mi_NZ ISO-8859-13
-# mi_NZ.UTF-8 UTF-8
-# mk_MK ISO-8859-5
-# mk_MK.UTF-8 UTF-8
-# ml_IN UTF-8
-# mn_MN UTF-8
-# mni_IN UTF-8
-# mr_IN UTF-8
-# ms_MY ISO-8859-1
-# ms_MY.UTF-8 UTF-8
-# mt_MT ISO-8859-3
-# mt_MT.UTF-8 UTF-8
-# my_MM UTF-8
-# nan_TW UTF-8
-# nan_TW@latin UTF-8
-# nb_NO ISO-8859-1
-# nb_NO.UTF-8 UTF-8
-# nds_DE UTF-8
-# nds_NL UTF-8
-# ne_NP UTF-8
-# nhn_MX UTF-8
-# niu_NU UTF-8
-# niu_NZ UTF-8
-# nl_AW UTF-8
-# nl_BE ISO-8859-1
-# nl_BE.UTF-8 UTF-8
-# nl_BE@euro ISO-8859-15
-# nl_NL ISO-8859-1
-# nl_NL.UTF-8 UTF-8
-# nl_NL@euro ISO-8859-15
-# nn_NO ISO-8859-1
-# nn_NO.UTF-8 UTF-8
-# nr_ZA UTF-8
-# nso_ZA UTF-8
-# oc_FR ISO-8859-1
-# oc_FR.UTF-8 UTF-8
-# om_ET UTF-8
-# om_KE ISO-8859-1
-# om_KE.UTF-8 UTF-8
-# or_IN UTF-8
-# os_RU UTF-8
-# pa_IN UTF-8
-# pa_PK UTF-8
-# pap_AW UTF-8
-# pap_CW UTF-8
-# pl_PL ISO-8859-2
-# pl_PL.UTF-8 UTF-8
-# ps_AF UTF-8
-# pt_BR ISO-8859-1
-# pt_BR.UTF-8 UTF-8
-# pt_PT ISO-8859-1
-# pt_PT.UTF-8 UTF-8
-# pt_PT@euro ISO-8859-15
-# quz_PE UTF-8
-# raj_IN UTF-8
-# ro_RO ISO-8859-2
-# ro_RO.UTF-8 UTF-8
-# ru_RU ISO-8859-5
-# ru_RU.CP1251 CP1251
-# ru_RU.KOI8-R KOI8-R
-# ru_RU.UTF-8 UTF-8
-# ru_UA KOI8-U
-# ru_UA.UTF-8 UTF-8
-# rw_RW UTF-8
-# sa_IN UTF-8
-# sat_IN UTF-8
-# sc_IT UTF-8
-# sd_IN UTF-8
-# sd_IN@devanagari UTF-8
-# se_NO UTF-8
-# sgs_LT UTF-8
-# shs_CA UTF-8
-# si_LK UTF-8
-# sid_ET UTF-8
-# sk_SK ISO-8859-2
-# sk_SK.UTF-8 UTF-8
-# sl_SI ISO-8859-2
-# sl_SI.UTF-8 UTF-8
-# so_DJ ISO-8859-1
-# so_DJ.UTF-8 UTF-8
-# so_ET UTF-8
-# so_KE ISO-8859-1
-# so_KE.UTF-8 UTF-8
-# so_SO ISO-8859-1
-# so_SO.UTF-8 UTF-8
-# sq_AL ISO-8859-1
-# sq_AL.UTF-8 UTF-8
-# sq_MK UTF-8
-# sr_ME UTF-8
-# sr_RS UTF-8
-# sr_RS@latin UTF-8
-# ss_ZA UTF-8
-# st_ZA ISO-8859-1
-# st_ZA.UTF-8 UTF-8
-# sv_FI ISO-8859-1
-# sv_FI.UTF-8 UTF-8
-# sv_FI@euro ISO-8859-15
-# sv_SE ISO-8859-1
-# sv_SE.ISO-8859-15 ISO-8859-15
-# sv_SE.UTF-8 UTF-8
-# sw_KE UTF-8
-# sw_TZ UTF-8
-# szl_PL UTF-8
-# ta_IN UTF-8
-# ta_LK UTF-8
-# tcy_IN.UTF-8 UTF-8
-# te_IN UTF-8
-# tg_TJ KOI8-T
-# tg_TJ.UTF-8 UTF-8
-# th_TH TIS-620
-# th_TH.UTF-8 UTF-8
-# the_NP UTF-8
-# ti_ER UTF-8
-# ti_ET UTF-8
-# tig_ER UTF-8
-# tk_TM UTF-8
-# tl_PH ISO-8859-1
-# tl_PH.UTF-8 UTF-8
-# tn_ZA UTF-8
-# tr_CY ISO-8859-9
-# tr_CY.UTF-8 UTF-8
-# tr_TR ISO-8859-9
-# tr_TR.UTF-8 UTF-8
-# ts_ZA UTF-8
-# tt_RU UTF-8
-# tt_RU@iqtelif UTF-8
-# ug_CN UTF-8
-# uk_UA KOI8-U
-# uk_UA.UTF-8 UTF-8
-# unm_US UTF-8
-# ur_IN UTF-8
-# ur_PK UTF-8
-# uz_UZ ISO-8859-1
-# uz_UZ.UTF-8 UTF-8
-# uz_UZ@cyrillic UTF-8
-# ve_ZA UTF-8
-# vi_VN UTF-8
-# wa_BE ISO-8859-1
-# wa_BE.UTF-8 UTF-8
-# wa_BE@euro ISO-8859-15
-# wae_CH UTF-8
-# wal_ET UTF-8
-# wo_SN UTF-8
-# xh_ZA ISO-8859-1
-# xh_ZA.UTF-8 UTF-8
-# yi_US CP1255
-# yi_US.UTF-8 UTF-8
-# yo_NG UTF-8
-# yue_HK UTF-8
-# zh_CN GB2312
-# zh_CN.GB18030 GB18030
-# zh_CN.GBK GBK
-# zh_CN.UTF-8 UTF-8
-# zh_HK BIG5-HKSCS
-# zh_HK.UTF-8 UTF-8
-# zh_SG GB2312
-# zh_SG.GBK GBK
-# zh_SG.UTF-8 UTF-8
-# zh_TW BIG5
-# zh_TW.EUC-TW EUC-TW
-# zh_TW.UTF-8 UTF-8
-# zu_ZA ISO-8859-1
-# zu_ZA.UTF-8 UTF-8
+++ /dev/null
-Europe/Berlin
+++ /dev/null
-# /etc/aliases
-
-# As per RFC 2142.
-mailer-daemon: plom
-postmaster: plom
-hostmaster: plom
-usenet: plom
-news: plom
-webmaster: plom
-www: plom
-ftp: plom
-abuse: plom
-noc: plom
-security: plom
-root: plom
-
-# Personal aliases.
-plomlompom: plom
-christian.heller: plom
-christian_heller: plom
-christianheller: plom
-c.heller: plom
-heller: plom
+++ /dev/null
-# This is only necessary when we use dovecot's LMTP mechanism to receive
-# mail from postfix.
-auth_username_format = %Ln
+++ /dev/null
-# Add sieve filtering.
-protocol lmtp {
- mail_plugins = $mail_plugins sieve
-}
+++ /dev/null
-mail_privileged_group = mail
\ No newline at end of file
+++ /dev/null
-service auth {
- unix_listener auth-userdb {
- }
-
- unix_listener /var/spool/postfix/private/auth {
- mode = 0660
- user = postfix
- group = postfix
- }
-}
-
-# We don't strictly need to provide a LMTP server to fetch mail from
-# postfix, but we do if we want to do sophisticated stuff like sieve
-# filtering on the way.
-service lmtp {
- inet_listener lmtp {
- address = 127.0.0.1
- port = 2424
- }
-}
+++ /dev/null
-ssl = required
+++ /dev/null
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-# otherwise self-referential connections to local host will fail
--A INPUT -i lo -j ACCEPT
-# this enables ping etc.
--A INPUT -p icmp -j ACCEPT
-# tolerate any inbound connections requested by our server, no matter the port
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-# SSH
--A INPUT -p tcp --dport 22 -j ACCEPT
-# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
--A INPUT -p tcp --dport 25 -j ACCEPT
-# SMTPS, for mail server to mail user agent communication
--A INPUT -p tcp --dport 465 -j ACCEPT
-# IMAPS
--A INPUT -p tcp --dport 993 -j ACCEPT
-COMMIT
-# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
+++ /dev/null
-# mailutils by default uses the FQDN as the mail domain name, fix this
-address {
- email-domain REPLACE_maildomain_ECALPER;
-};
+++ /dev/null
-# This is a basic configuration that can easily be adapted to suit a standard
-# installation. For more advanced options, see opendkim.conf(5) and/or
-# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
-
-# Log to syslog
-Syslog yes
-# Required to use local socket with MTAs that access the socket as a non-
-# privileged user (e.g. Postfix)
-UMask 007
-
-# Sign for example.com with key in /etc/dkimkeys/dkim.key using
-# selector '2007' (e.g. 2007._domainkey.example.com)
-#Domain example.com
-#KeyFile /etc/dkimkeys/dkim.key
-#Selector 2007
-Domain REPLACE_Domain_ECALPER
-KeyFile /etc/dkimkeys/REPLACE_Selector_ECALPER.private
-Selector REPLACE_Selector_ECALPER
-
-# Commonly-used options; the commented-out versions show the defaults.
-#Canonicalization simple
-#Mode sv
-#SubDomains no
-#SubDomains yes
-Canonicalization relaxed/simple
-
-# Socket smtp://localhost
-#
-# ## Socket socketspec
-# ##
-# ## Names the socket where this filter should listen for milter connections
-# ## from the MTA. Required. Should be in one of these forms:
-# ##
-# ## inet:port@address to listen on a specific interface
-# ## inet:port to listen on all interfaces
-# ## local:/path/to/socket to listen on a UNIX domain socket
-#
-#Socket inet:8892@localhost
-#Socket local:/var/run/opendkim/opendkim.sock
-Socket inet:12301@localhost
-
-## PidFile filename
-### default (none)
-###
-### Name of the file where the filter should write its pid before beginning
-### normal operations.
-#
-PidFile /var/run/opendkim/opendkim.pid
-
-
-# Always oversign From (sign using actual From and a null From to prevent
-# malicious signatures header fields (From and/or others) between the signer
-# and the verifier. From is oversigned by default in the Debian pacakge
-# because it is often the identity key used by reputation systems and thus
-# somewhat security sensitive.
-OversignHeaders From
-
-## ResolverConfiguration filename
-## default (none)
-##
-## Specifies a configuration file to be passed to the Unbound library that
-## performs DNS queries applying the DNSSEC protocol. See the Unbound
-## documentation at http://unbound.net for the expected content of this file.
-## The results of using this and the TrustAnchorFile setting at the same
-## time are undefined.
-## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
-## unbound package
-
-# ResolverConfiguration /etc/unbound/unbound.conf
-
-## TrustAnchorFile filename
-## default (none)
-##
-## Specifies a file from which trust anchor data should be read when doing
-## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
-## at http://unbound.net for the expected format of this file.
-
-TrustAnchorFile /usr/share/dns/root.key
-
-## Userid userid
-### default (none)
-###
-### Change to user "userid" before starting normal operation? May include
-### a group ID as well, separated from the userid by a colon.
-#
-UserID opendkim
\ No newline at end of file
+++ /dev/null
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-
-
-# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name. The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
-
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-
-# appending .domain is the MUA's job.
-append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
-
-# TLS parameters (excluding smtpd_tls_(cert|key)_file for own adaption below)
-smtpd_use_tls=yes
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
-smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myorigin = /etc/mailname
-myhostname = REPLACE_myhostname_ECALPER
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-mydestination = $myhostname localhost.$mydomain localhost REPLACE_mydomain_if_domainwide_ECALPER
-relayhost =
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-recipient_delimiter = +
-inet_interfaces = all
-inet_protocols = all
-
-# plomlompom-specific adaptions to allow TLS and SASL via LetsEncrypt/Dovecot.
-smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
-smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-
-# connect to opendkim
-smtpd_milters = inet:localhost:12301
-non_smtpd_milters = inet:localhost:12301
-
-# transport mail to dovecot; not strictly needed, as even without this
-# postfix will throw mail to /var/mail/USER to be found by dovecot for
-# serving via IMAP etc.; but using dovecot's LMTP server for delivery
-# allows us to do stuff like dovecot-side sieve filtering.
-mailbox_transport = lmtp:inet:127.0.0.1:2424
\ No newline at end of file
+++ /dev/null
-#
-# Postfix master process configuration file. For details on the format
-# of the file, see the master(5) manual page (command: "man 5 master" or
-# on-line: http://www.postfix.org/master.5.html).
-#
-# Do not forget to execute "postfix reload" after editing this file.
-#
-# ==========================================================================
-# service type private unpriv chroot wakeup maxproc command + args
-# (yes) (yes) (no) (never) (100)
-# ==========================================================================
-smtp inet n - y - - smtpd
-#smtp inet n - y - 1 postscreen
-#smtpd pass - - y - - smtpd
-#dnsblog unix - - y - 0 dnsblog
-#tlsproxy unix - - y - 0 tlsproxy
-#submission inet n - y - - smtpd
-# -o syslog_name=postfix/submission
-# -o smtpd_tls_security_level=encrypt
-# -o smtpd_sasl_auth_enable=yes
-# -o smtpd_reject_unlisted_recipient=no
-# -o smtpd_client_restrictions=$mua_client_restrictions
-# -o smtpd_helo_restrictions=$mua_helo_restrictions
-# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=
-# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
-smtps inet n - y - - smtpd
- -o syslog_name=postfix/smtps
- -o smtpd_tls_wrappermode=yes
- -o smtpd_sasl_auth_enable=yes
- -o smtpd_reject_unlisted_recipient=no
-# -o smtpd_client_restrictions=$mua_client_restrictions
-# -o smtpd_helo_restrictions=$mua_helo_restrictions
-# -o smtpd_sender_restrictions=$mua_sender_restrictions
-# -o smtpd_recipient_restrictions=
-# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-# -o milter_macro_daemon_name=ORIGINATING
-#628 inet n - y - - qmqpd
-pickup unix n - y 60 1 pickup
-cleanup unix n - y - 0 cleanup
-qmgr unix n - n 300 1 qmgr
-#qmgr unix n - n 300 1 oqmgr
-tlsmgr unix - - y 1000? 1 tlsmgr
-rewrite unix - - y - - trivial-rewrite
-bounce unix - - y - 0 bounce
-defer unix - - y - 0 bounce
-trace unix - - y - 0 bounce
-verify unix - - y - 1 verify
-flush unix n - y 1000? 0 flush
-proxymap unix - - n - - proxymap
-proxywrite unix - - n - 1 proxymap
-smtp unix - - y - - smtp
-relay unix - - y - - smtp
-# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
-showq unix n - y - - showq
-error unix - - y - - error
-retry unix - - y - - error
-discard unix - - y - - discard
-local unix - n n - - local
-virtual unix - n n - - virtual
-lmtp unix - - y - - lmtp
-anvil unix - - y - 1 anvil
-scache unix - - y - 1 scache
-#
-# ====================================================================
-# Interfaces to non-Postfix software. Be sure to examine the manual
-# pages of the non-Postfix software to find out what options it wants.
-#
-# Many of the following services use the Postfix pipe(8) delivery
-# agent. See the pipe(8) man page for information about ${recipient}
-# and other message envelope options.
-# ====================================================================
-#
-# maildrop. See the Postfix MAILDROP_README file for details.
-# Also specify in main.cf: maildrop_destination_recipient_limit=1
-#
-maildrop unix - n n - - pipe
- flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
-#
-# ====================================================================
-#
-# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
-#
-# Specify in cyrus.conf:
-# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
-#
-# Specify in main.cf one or more of the following:
-# mailbox_transport = lmtp:inet:localhost
-# virtual_transport = lmtp:inet:localhost
-#
-# ====================================================================
-#
-# Cyrus 2.1.5 (Amos Gouaux)
-# Also specify in main.cf: cyrus_destination_recipient_limit=1
-#
-#cyrus unix - n n - - pipe
-# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
-#
-# ====================================================================
-# Old example of delivery via Cyrus.
-#
-#old-cyrus unix - n n - - pipe
-# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
-#
-# ====================================================================
-#
-# See the Postfix UUCP_README file for configuration details.
-#
-uucp unix - n n - - pipe
- flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
-#
-# Other external delivery methods.
-#
-ifmail unix - n n - - pipe
- flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
-bsmtp unix - n n - - pipe
- flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
-scalemail-backend unix - n n - 2 pipe
- flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
-mailman unix - n n - - pipe
- flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
- ${nexthop} ${user}
-
+++ /dev/null
-[Unit]
-Description=Run plom's fetchmail
-
-[Service]
-Type=oneshot
-User=plom
-# fetchmail returns 1 when no new mail, we want to catch that
-ExecStart=/bin/sh -c 'fetchmail || [ $? -eq 1 ]'
+++ /dev/null
-[Unit]
-Description=Run pingmail check
-
-[Service]
-Type=oneshot
-User=plom
-ExecStart=/bin/sh -c '~/pingmail/pingmail check'
+++ /dev/null
-[Unit]
-Description=Run fetchmail once every minute
-
-[Timer]
-OnCalendar=*-*-* *:*:00
-
-[Install]
-WantedBy=timers.target
+++ /dev/null
-[Unit]
-Description=Run pingmail check once every hour
-
-[Timer]
-OnCalendar=*-*-* *:00:00
-
-[Install]
-WantedBy=timers.target
+++ /dev/null
-[Unit]
-Description=Pull website repo
-[Service]
-Type=oneshot
-User=plom
-ExecStart=/bin/sh -c '~/encrypter.sh'
+++ /dev/null
-[Unit]
-Description=Attempt encryption of old chatlogs once every minute.
-
-[Timer]
-OnCalendar=*-*-* *:*:00
-
-[Install]
-WantedBy=timers.target
\ No newline at end of file
+++ /dev/null
-# /etc/aliases
-postmaster: root
-root: plom@plomlompom.com
\ No newline at end of file
+++ /dev/null
-# See /usr/share/postfix/main.cf.dist for a commented, more complete version
-
-
-# Debian specific: Specifying a file name will cause the first
-# line of that file to be used as the name. The Debian default
-# is /etc/mailname.
-#myorigin = /etc/mailname
-
-smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
-biff = no
-
-# appending .domain is the MUA's job.
-append_dot_mydomain = no
-
-# Uncomment the next line to generate "delayed mail" warnings
-#delay_warning_time = 4h
-
-readme_directory = no
-
-# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
-# fresh installs.
-compatibility_level = 2
-
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-
-smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
-myorigin = /etc/mailname
-myhostname = $myorigin
-alias_maps = hash:/etc/aliases
-alias_database = hash:/etc/aliases
-mydestination = $myhostname localhost.$mydomain localhost
-relayhost =
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-mailbox_size_limit = 0
-recipient_delimiter = +
-inet_interfaces = loopback-only
-inet_protocols = all
\ No newline at end of file
+++ /dev/null
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-# otherwise self-referential connections to local host will fail
--A INPUT -i lo -j ACCEPT
-# tolerate any inbound connections requested by our server, no matter the port
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-# this enables ping etc.
--A INPUT -p icmp -j ACCEPT
-# SSH
--A INPUT -p tcp --dport 22 -j ACCEPT
-COMMIT
-# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
+++ /dev/null
-# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin no # plomlompom's security rule
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
-
-ClientAliveInterval 120
-PasswordAuthentication no # plomlompom's security rule
+++ /dev/null
-# /etc/cron.d/certbot: crontab entries for the certbot package
-#
-# Upstream recommends attempting renewal twice a day
-#
-# Eventually, this will be an opportunity to validate certificates
-# haven't been revoked, etc. Renewal will only occur if expiration
-# is within 30 days.
-SHELL=/bin/sh
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-
-# plomlompom added the --webroot -w /var/www/html/ so that renewal
-# works with nginx running, and the nginx reload post-hook so that
-# the new certificates are linked to by nginx. Note that by default
-# we rely on the systemd timer service file instead of this cronjob,
-# but since both are installed by the certbot package to serve which
-# ever of the two is used, we cautiously adapt both of them too.
-0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload"
+++ /dev/null
-# path to git projects (<project>.git)
-$projectroot = "/var/public_repos";
-
-# directory to use for temp files
-# explicitely set by Debian so it's probably a good choice
-$git_temp = "/tmp";
-
-# git-diff-tree(1) options to use for generated patches
-# we don't want to to guess renames, so empty
-@diff_opts = ();
-
-# Base path for where to find the repos for cloning.
-@git_base_url_list = ('https://REPLACE_fqdn_ECALPER/repos/clone');
-
-# allow snapshots
-$feature{'snapshot'}{'default'} = ['zip', 'tgz'];
-
-# insert header for GDPR compliance
-$site_header = "/var/www/header.html"
+++ /dev/null
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-# otherwise self-referential connections to local host will fail
--A INPUT -i lo -j ACCEPT
-# tolerate any inbound connections requested by our server, no matter the port
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-# this enables ping etc.
--A INPUT -p icmp -j ACCEPT
-# SSH
--A INPUT -p tcp --dport 22 -j ACCEPT
-# HTTP
--A INPUT -p tcp --dport 80 -j ACCEPT
-# HTTPS
--A INPUT -p tcp --dport 443 -j ACCEPT
-COMMIT
-# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
+++ /dev/null
-# system integration
-user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-
-# we need this for the xslt_stylesheet directive below
-#load_module modules/ngx_http_xslt_filter_module.so;
-
-# is expected even if empty
-events {
-}
-
-http {
- # define content-type headers
- types {
- text/html html htm shtml;
- text/css css;
- text/xml xml;
- text/plain txt sh rst md asc;
- application/xhtml+xml xhtml;
- application/pdf pdf;
- image/jpeg jpg jpeg;
- image/png png;
- }
- default_type application/octet_stream;
- charset utf-8;
-
- # logging deactivated due to GDPR
- #access_log /var/log/nginx/access.log;
- #error_log /var/log/nginx/error.log;
-
- # HTTP server: only enforce HTTPS
- server {
- listen 80;
- return 301 https://$host$request_uri;
- }
-
- # HTTPS server
- server {
- listen 443 ssl;
- server_name REPLACE_fqdn_ECALPER;
- ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
- root /var/www/html/;
- index index.html index.htm index.nginx-debian.html;
-
- # serve /var/www/public_repos/* for HTTPS git cloning
- location ~ /repos/clone(/.*) {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- fastcgi_param GIT_HTTP_EXPORT_ALL "";
- fastcgi_param GIT_PROJECT_ROOT /var/public_repos;
- fastcgi_param PATH_INFO $1;
- fastcgi_pass unix:/var/run/fcgiwrap.socket;
- }
-
- # gitweb static files
- location /repos/static/ {
- alias /usr/share/gitweb/static/;
- }
-
- # gitweb; this needs packages fcgiwrap and gitweb
- location /repos/ {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
- fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
- fastcgi_pass unix:/var/run/fcgiwrap.socket;
- }
-
- # login-protected IRC logs
- location ~ /irclogs/([^/]+)/ {
- auth_basic "$1 logs";
- auth_basic_user_file /var/www/irclogs_pw/$1;
- autoindex on;
- }
-
- ## entry for IRC logs
- #location /irclogs/ {
- # autoindex on;
- # autoindex_format xml;
- # xslt_stylesheet /var/www/autoindex.xslt;
- #}
- }
-}
+++ /dev/null
-[Unit]
-Description=Certbot
-Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
-Documentation=https://letsencrypt.readthedocs.io/en/latest/
-[Service]
-# plomlompom added the --webroot -w /var/www/html/ so that renewal
-# works with nginx running, and the nginx reload post-hook so that
-# the new certificates are linked to by nginx.
-Type=oneshot
-ExecStart=/usr/bin/certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload"
-PrivateTmp=true
\ No newline at end of file
+++ /dev/null
-[Unit]
-Description=plomlombot screen
-
-[Service]
-Type=simple
-User=plom
-ExecStart=/bin/sh -c '~/plomlombot_daemon.sh'
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
- echo "Need public key ID as argument."
- false
-fi
-gpg_key="$1"
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-apt -y install gnupg dirmngr
-keyservers='sks-keyservers.net/ keys.gnupg.net'
-set +e
-while true; do
- do_break=0
- for keyserver in $(echo "${keyservers}"); do
- su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
- if [ $? -eq "0" ]; then
- do_break=1
- break
- fi
- echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
- done
- if [ "${do_break}" -eq "1" ]; then
- break
- fi
-done
-set -e
-# TODO: We may remove dirmngr here if only this script installed it.
+++ /dev/null
-#!/bin/sh
-# Hard link files to those in argument-selected subdirectories of
-# linkable_etc_files//, e.g. link /etc/foo/bar to
-# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
-# necessary. We do the hard linking so files that should be readable to
-# non-root in /etc/ remain so despite having a path below /root/, as
-# symbolic links point into /root/ without making the targets readable
-# to non-root.
-# CAUTION: This removes original files at the affected paths.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-linkable_files_dir="${config_tree_prefix}/linkable_etc_files"
-
-for target in "$@"; do
- cd "${linkable_files_dir}/${target}"
- for path in $(find . -type f); do
- linking=$(echo "${path}" | cut -c2-)
- linked=$(realpath "${path}")
- dir=$(dirname "${linking}")
- mkdir -p "${dir}"
- ln -f "${linked}" "${linking}"
- done
-done
+++ /dev/null
-#!/bin/sh
-# This script turns a fresh server with password-based root access to
-# one of only key-based access and only to new non-root account plom.
-#
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/id_rsa.pub, and also any old
-# /etc/ssh/sshd_config.
-#
-# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
-# configured sshd_config file in reach.
-set -e
-
-# Location auf a sshd_config with "PermitRootLogin no" and
-# "PasswordAuthentication no".
-config_tree_prefix="${HOME}/config/all_new_2018"
-linkable_files_dir="${config_tree_prefix}/linkable_etc_files/server"
-system_path_sshd_config='/etc/ssh/sshd_config'
-local_path_sshd_config="${linkable_files_dir}/${system_path_sshd_config}"
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Ask for root password only once, sshpass will re-use it then often.
-stty -echo
-printf "Server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="${PW_ROOT}"
-
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login by copying over the
-# sshd_config and restart ssh daemon.
-#
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
-sshpass -e ssh root@"${server}" \
- 'useradd -m plom && '\
- 'mkdir /home/plom/.ssh && '\
- 'chown plom:plom /home/plom/.ssh && '\
- 'chown plom:plom /tmp/authorized_keys && '\
- 'chmod u=rw,go= /tmp/authorized_keys && '\
- 'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
-sshpass -e ssh root@"${server}" 'service ssh restart'
+++ /dev/null
-#!/bin/sh
-# Walks through the package names in the argument-selected files of
-# apt-mark/ and ensures the respective packages are installed.
-#
-# Ignores anything in an apt-mark/ file after the last newline.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-aptmark_dir="${config_tree_prefix}/apt-mark"
-
-for target in "$@"; do
- path="${aptmark_dir}/${target}"
- cat "${path}" | while read line; do
- echo "$line"
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- apt-get -y install "${line}"
- fi
- done
-done
+++ /dev/null
-#!/bin/sh
-# Certify current server with LetsEncrypt.
-# Uses hostname -f for the domain we want to certify.
-set -e
-
-# Ensure we have a mail address as argument.
-if [ $# -lt 1 ]; then
- echo "Need mail address as argument."
- false
-fi
-mail_address="$1"
-
-# We need certbot to get LetsEncrypt certificates.
-apt install -y certbot
-
-# If port 80 blocked by iptables, open it.
-set +e
-iptables -C INPUT -p tcp --dport 80 -j ACCEPT
-open_iptables="$?"
-set -e
-if [ "${open_iptables}" -eq "1" ]; then
- iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-fi
-
-# Create new certificate and copy it to /etc/letsencrypt.
-certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
-
-# Remove iptables rule to open port 80 if we added it.
-if [ "${open_iptables}" -eq "1" ]; then
- iptables -D INPUT -p tcp --dport 80 -j ACCEPT
-fi
+++ /dev/null
-#!/bin/sh
-# Copy over LetsEncrypt certificates from another server.
-set -e
-
-# Ensure we have a server name as argument.
-if [ $# -lt 1 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Copy over.
-ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
-scp plom@${server}:~/letsencrypt.tar .
-apt -y install certbot
-rmdir /etc/letsencrypt
-mv letsencrypt.tar /etc/
-cd /etc/
-tar xf letsencrypt.tar
-rm letsencrypt.tar
+++ /dev/null
-#!/bin/sh
-# Mirror directory tree from remote to local server, keeping the path.
-set -e
-
-if [ $# -lt 2 ]; then
- echo "Need server and directory as arguments."
- false
-fi
-server=$1
-dir=$2
-path_package=/tmp/delete.tar
-
-eval `ssh-agent`
-ssh-add
-cd
-ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
-scp plom@"${server}":"${path_package}" "${path_package}"
-mkdir -p "${dir}"
-cd "${dir}"
-tar xf "${path_package}"
-cd
-rm "${path_package}"
-ssh plom@"${server}" rm "${path_package}"
+++ /dev/null
-#!/bin/sh
-# Do some of the steps necessary to SSH (key-based) with another server.
-set -e
-
-target="$1"
-
-# We need a public key to copy over, so generate it if not found.
-if [ ! -f ~/.ssh/id_rsa.pub ]; then
- ssh-keygen
-fi
-
-# Add target to ~/.ssh/known_hosts so we don't get
-# asked for permission at inopportune moments.
-ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
-
-# Tell user what to do.
-echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
-cat ~/.ssh/id_rsa.pub
+++ /dev/null
-#!/bin/sh
-# This script removes all Debian packages that are not of Priority
-# "required" or not depended on by packages of priority "required"
-# or not listed in the argument-selected files of apt-mark/.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-aptmark_dir="${config_tree_prefix}/apt-mark"
-
-dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
-for target in "$@"; do
- path="${aptmark_dir}/${target}"
- cat "${path}" | while read line; do
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- echo "${line}" >> /tmp/list_white_unsorted
- fi
- done
-done
-sort /tmp/list_white_unsorted > /tmp/list_white
-dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
-sort /tmp/list_all_packages > /tmp/foo
-mv /tmp/foo /tmp/list_all_packages
-comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
-apt-mark auto `cat /tmp/list_black`
-DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
+++ /dev/null
-#!/bin/sh
-# Sets hostname and optionally FQDN.
-#
-# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
-# writing follows recommendations from Debian manual at
-# <https://www.debian.org/doc/manuals/debian-reference/ch05.en.html>
-# (section "The hostname resolution") on how to map hostname and possibly
-# FQDN to a permanent IP if present (we assume here any non-private IP
-# and non-loopback IP returned by hostname -I to fulfill that criterion
-# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
-# localhost and hostname mapping to different IPs, see
-# <https://unix.stackexchange.com/a/13087>.
-set -e
-
-hostname="$1"
-fqdn="$2"
-if [ "${hostname}" = "" ]; then
- echo "Need hostname as argument."
- false
-fi
-echo "${hostname}" > /etc/hostname
-hostname "${hostname}"
-
-final_ip="127.0.1.1"
-for ip in $(hostname -I); do
- range_1=$(echo "${ip}" | cut -d "." -f 1)
- range_2=$(echo "${ip}" | cut -d "." -f 2)
- if [ "${range_1}" -eq 127 ]; then
- continue
- elif [ "${range_1}" -eq 10 ]; then
- continue
- elif [ "${range_1}" -eq 172 ]; then
- if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
- continue
- fi
- elif [ "${range_1}" -eq 192 ]; then
- if [ "${range_2}" -eq 168 ]; then
- continue
- fi
- fi
- final_ip="${ip}"
-done
-
-echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
-echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
+++ /dev/null
-#/bin/sh
-set -e
-
-# Check we have the necessary arguments.
-if [ $# -lt 2 ]; then
- echo "Give arguments of mail domain and DKIM selector."
- echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
- false
-fi
-mail_domain="$1"
-dkim_selector="$2"
-domainwide="$3"
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-
-# Set up DKIM key. Only keep opendkim-tools on system if pre-installed.
-mkdir -p /etc/dkimkeys/
-set +e
-dpkg -s opendkim-tools &> /dev/null
-preinstalled="$?"
-set -e
-if [ ! "${preinstalled}" -eq "0" ]; then
- apt install -y opendkim-tools
-fi
-opendkim-genkey -s "${dkim_selector}"
-mv "${dkim_selector}.private" /etc/dkimkeys/
-if [ ! "${preinstalled}" -eq "0" ]; then
- apt -y --purge autoremove opendkim-tools
-fi
-
-# Link and adapt mail-server-specific /etc/ files.
-./hardlink_etc.sh mail
-sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
-sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/main.cf
-if [ "${domainwide}" = "domainwide" ]; then
- sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/main.cf
-else
- sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/main.cf
-fi
-# Since we re-set the iptables rules, we need to reload them.
-iptables-restore /etc/iptables/rules.v4
-
-# Some useful debconf selections.
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
-echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
-
-# The second line should not be necessary due to the first line, but for
-# some reason the installation forgets to set up /etc/mailname early
-# enough to not (when running newaliases) stumble over its absence.
-echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
-echo "${mail_domain}" > /etc/mailname
-
-# Everything should now be ready for installations. Note that we don't
-# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER
-# in any case, to be found by dovecot; we use it as a transport mechanism to
-# allow for sophisticated stuff like dovecot-side sieve filtering (installed
-# with dovecot-sieve).
-apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim
-cp "${config_tree_prefix}/user_files/dovecot.sieve" /home/plom/.dovecot.sieve
-chown plom:plom /home/plom/.dovecot.sieve
-
-# Pingmail setup.
-apt install -y mailutils
-cp "${config_tree_prefix}/user_files/pingmailrc" /home/plom/.pingmailrc
-chown plom:plom /home/plom/.pingmailrc
-su plom -c "cd && git clone https://plomlompom.com/repos/clone/pingmail.git"
-
-# In addition to our postfix server receiving mails, we funnel mails from a
-# POP3 account into dovecot via fetchmail. It might make sense to adapt the
-# ~/.dovecot.sieve to move mails targeted to the fetched mail account to their
-# own mbox.
-apt -y install fetchmail
-cp "${config_tree_prefix}/user_files/fetchmailrc" /home/plom/.fetchmailrc
-chown plom:plom /home/plom/.fetchmailrc
-chmod 0700 /home/plom/.fetchmailrc
-
-# Pingmail and fetchmail have some systemd timers waiting. To let systemd
-# know about them, do this.
-systemctl daemon-reload
-
-# Final advice to user.
-echo "TODO: Ensure MX entry for your system in your DNS configuration."
-echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host."
-echo "TODO: passwd plom for IMAPS login"
-echo "TODO: adapt /home/plom/.fetchmailrc and then do: systemctl start fetchmail.timer"
-echo "TODO: adapt /home/plom/.dovecot.sieve and /home/plom/.pingmailrc (sieve mail by pingmail target person into mbox defined in .pingmailrc), then run: systemctl start pingmail.timer"
-echo "TODO: Add the follow DMARK entry as TXT to your DNS configugration: 'v=DMARC1; p=none; rua=mailto:plom+dmarc@plomlompom.com;' mapped to _dmarc"
-echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
-cat "${dkim_selector}.txt"
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
- echo "Need public key ID as argument."
- false
-fi
-gpg_key="$1"
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-
-# If anything strange happens, let root send mail to us.
-./setup_sendonly.sh
-
-# Apart from weechat, vim and screen will also be useful for everyday activity.
-apt -y install weechat screen vim
-
-# Link and copy over files.
-./hardlink_etc.sh play
-cp "${config_tree_prefix}/user_files/encrypter.sh" /home/plom/
-chown plom:plom /home/plom/encrypter.sh
-cp "${config_tree_prefix}/user_files/weechat-wrapper.sh" /home/plom/
-chown plom:plom /home/plom/weechat-wrapper.sh
-cp "${config_tree_prefix}/user_files/weechatrc" /home/plom/.weechatrc
-chown plom:plom /home/plom/.weechatrc
-apt -y install screen
-echo "$gpg_key" > /home/plom/.encrypt_target
-chown plom:plom /home/plom/.encrypt_target
-
-# Start encrypt_chatlogs job.
-./add_encryption_key.sh "${gpg_key}"
-systemctl daemon-reload
-systemctl start encrypt_chatlogs.timer
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
- echo "Need public key ID as argument."
- false
-fi
-gpg_key="$1"
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-irclogs_dir=/var/www/html/irclogs
-irclogs_pw_dir=/var/www/irclogs_pw
-
-./add_encryption_key.sh "${gpg_key}"
-apt -y install screen python3-venv
-cp "${config_tree_prefix}"/user_files/plomlombot_daemon.sh /home/plom/
-chown plom:plom /home/plom/plomlombot_daemon.sh
-su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
-systemctl enable /etc/systemd/system/plomlombot.service
-service plomlombot start
-mkdir -p "${irclogs_dir}"
-chown -R plom:plom "${irclogs_dir}"
-mkdir -p "${irclogs_pw_dir}"
-chown -R plom:plom "${irclogs_pw_dir}"
-echo "Don't forget to add a file ~/.plomlombot with content such as:"
-echo "gpg_key ${gpg_key}"
-echo "bot: SCREEN_SESSION_NAME BOT_NAME #CHANNEL_NAME IRC_SERVER_NAME LOGS_USER LOGS_PW"
-echo "# file should end in newline or non-interpreted line such as this"
+++ /dev/null
-#!/bin/sh
-# This sets up the minimum of a mail server necessary to send out mails
-# to the world.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-
-./hardlink_etc.sh sendonly
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-echo "$(hostname -f)" > /etc/mailname
-apt install -y postfix
+++ /dev/null
-#!/bin/sh
-# Next setup steps for a server whose login policy has just been set from
-# the outside via ./init_user_and_keybased_login.sh.
-set -e
-
-# Provide maximum input for set_hostname_and_fqdn.sh.
-if [ "$#" -ne 2 ]; then
- echo 'Need exactly two arguments (hostname, FQDN).'
- false
-fi
-hostname="$1"
-fqdn="$2"
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-
-# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
-# will set basic configurations affecting following steps, such as setup
-# of APT and the locale selection, so needs to be right at the beginning.
-./hardlink_etc.sh all server
-
-# Set hostname and FQDN.
-./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
-
-# Some debconf selections we don't want to get asked during coming
-# install actions.
-echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
-echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
-
-# Ensure package installation state as defined by what packages are
-# defined as required by Debian policy and by settings in ./apt-mark/.
-apt update
-./install_for_target.sh all server
-./purge_nonrequireds.sh all server
-
-# Ensure our desired locale is available.
-locale-gen
-
-# Only upgrade after reducing the system to the desired minimum, so that
-# we don't need to get more data than necessary.
-apt -y dist-upgrade
-
-# Set Berlin localtime.
-ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
-
-# If we have not yet set the shell for user plom, ensure it here. This
-# is mostly for convenience.
-usermod -s /bin/bash plom
-
-# We want to be able to use ALL our servers as borg backup destinations.
-apt -y install borgbackup
+++ /dev/null
-#!/bin/sh
-# Set up plomlompom.com web server.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-
-./hardlink_etc.sh web
-./setup_sendonly.sh
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
-cd /var/
-rm -rf www
-git clone plom@core.plomlompom.com:repos/website www
-apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
-mkdir /var/public_repos
-chown plom:plom /var/public_repos
-iptables-restore /etc/iptables/rules.v4
+++ /dev/null
-require ["fileinto"];
-require ["mailbox"];
-if address :is "from" "foo@bar.com" {
- fileinto :create "foo";
-}
-if address :is :domain "to" "example.com" {
- fileinto :create "example.com";
-}
+++ /dev/null
-#!/bin/sh
-# Encrypt dated weechatlog files older than one day to GPG target defined in
-# ~/.encrypt_target
-set -e
-
-gpg_key=$(cat ~/.encrypt_target)
-cd ~/weechatlogs/irc/
-find . -regextype posix-egrep -regex '^.*/.*/.*\.[0-9]{4}-[0-9]{2}-[0-9]{2}\.weechatlog$' -type f -mtime +1 -exec gpg --recipient "${gpg_key}" --trust-model always --encrypt {} \; -exec rm {} \;
-
+++ /dev/null
-# remove "keep" if you're sure about your setup; it keeps mails on server from getting deleted
-poll mail.example.com protocol pop3 username "foo@example.com" password "PASSWORD" ssl keep
+++ /dev/null
-# place for test files whose modification times are used to track lifesigns
-testdir=$HOME'/.pingmail'
-
-# modification time is the last time a ping was sent or a lifetime received
-ping_touch=$testdir'/ping_touch'
-
-# modification time is when the count for sending checker a warning mail starts
-reminder_touch=$testdir'/reminder_touch'
-
-# how long to wait for lifesigns before sending a ping; double is time to wait
-# for a lifesign before sending a warning message to checker
-wait_time=86400
-
-# address of the checker, receives warning message after too long wait
-checker_address='bar@example.org'
-
-# address of the checked person, ping is sent here
-checked_address='foo@example.org'
-
-# content of ping message sent to checked person
-subj2checked='[pingmail] Ping!'
-msg2checked='Hi!\n
-\nThis is an automated mail ping from '$checker_address'.
-\nRespond to show that you are still alive!'
-
-# content of warning message sent to checker
-id_target='foo'
-subj2checker='[pingmail] No recent life signs from '$id_target
-reminder_time=`expr $wait_time \* 2`
-msg2checker='pingmail reporting in:\n
-\nNo life signs from '$id_target' for the last '$reminder_time' seconds.
-\nMaybe you should give them a call to check if they are okay.'
-
-# mail client command reading message body from stdin and subject from parameter
-mailclient_s='mail -s'
-
-# mailbox file to check for most recent life sign
-mbox=$HOME'/mail/foo'
-
-# to recursively search for most recent matches to $matchstring as lifesigns
-#maildir=$HOME'/mail'
-
-# pattern to search $maildir for recursively for lifesigns
-#checked_address_escaped=`echo $checked_address | sed 's/\./\\./g'`
-#matchstring='^From: .*('$checked_address_escaped'|alternate@example\.org)'
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Repeatedly parse config file for GPG key and bot screen configs.
-path=~/.plomlombot
-db_dir="${HOME}/plomlombot_db"
-irclogs_dir=/var/www/html/irclogs
-irclogs_pw_dir=/var/www/irclogs_pw
-while true; do
- if [ -f "${path}" ]; then
- cat "${path}" | while read line; do
- first_word=$(echo -n "${line}" | cut -d' ' -f1)
-
- # Read "bot:" line, start bot screen session from it if not yet existing,
- # set up irclogs dir if not yet existing.
- if [ "${first_word}" = "bot:" ]; then
- session_name=$(echo -n "${line}" | cut -d' ' -f2)
- bot_name=$(echo -n "${line}" | cut -d' ' -f3)
- channel_name=$(echo -n "${line}" | cut -d' ' -f4)
- shortened_channel_name="${channel_name}"
- first_char=$(echo -n "${channel_name}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- shortened_channel_name=$(echo -n "${channel_name}" | cut -c2-)
- fi
- server_name=$(echo -n "${line}" | cut -d' ' -f5)
- login_user=$(echo -n "${line}" | cut -d' ' -f6)
- login_pw=$(echo -n "${line}" | cut -d' ' -f7)
- set +e
- screen -S "${session_name}" -Q select . > /dev/null
- start_screen=$?
- set -e
- if [ "${start_screen}" -eq "1" ]; then
- cd ~/plomlombot-irc
- LANG="en_US.UTF-8" screen -d -m -S "${session_name}" ./run.sh -r 604800 -n "${bot_name}" -s "${server_name}" "${channel_name}"
- fi
- md5_server=$(echo -n "${server_name}" | md5sum | cut -d' ' -f1)
- md5_channel=$(echo -n "${channel_name}" | md5sum | cut -d' ' -f1)
- logs_dir="${db_dir}/${md5_server}/${md5_channel}/logs"
- # FIXME: Note the trouble we will have if we have the same channel
- # name on different servers …
- ln -sfn "${logs_dir}" "${irclogs_dir}/${shortened_channel_name}"
- echo "${login_user}":'{PLAIN}'"${login_pw}" > "${irclogs_pw_dir}/${shortened_channel_name}"
-
- # If "gpg" line, encrypt old raw logs to that GPG key.
- elif [ "${first_word}" = "gpg_key" ]; then
- key=$(echo -n "${line}" | cut -d' ' -f2)
- mkdir -p ~/plomlombot_db
- cd ~/plomlombot_db
- find . -path '*/*/raw_logs/*.txt' -mtime +1 -type f -exec gpg --recipient "${key}" --trust-model always --encrypt {} \; -exec rm {} \;
- fi
-
- done
- sleep 1
- fi
-done
+++ /dev/null
-#!/bin/sh
-
-# Enforce ~/.weechatrc as sole persistent weechat config file.
-#~/config/bin/simplemail.sh ~/config/mails/weechat_restart_reminder
-rm -rf ~/.weechat/
-WEECHATCONF=`tr '\n' ';' < ~/.weechatrc`
-weechat -r "$WEECHATCONF"
-rm -rf ~/.weechat/
+++ /dev/null
-/set logger.file.path ~/weechatlogs
-/set logger.file.flush_delay 0
-/set logger.mask.irc "irc/$server/$channel.%Y-%m-%d.weechatlog"
-/set weechat.bar.status.items "[time],[buffer_last_number],[buffer_plugin],buffer_number+:+buffer_name+(buffer_modes)+{buffer_nicklist_count}+buffer_zoom+buffer_filter,[lag],[hotlist],completion,scroll,[otr]"
-/set weechat.color.chat_nick_colors "lightcyan"
-/server add freenode irc.freenode.net -nicks=plimlompom,plimlomp0m,pliml0mp0m -realname="foo bar" -autojoin=#plomlompomtest
-/connect freenode
+++ /dev/null
----
-- hosts: all
- user: root
- become: yes
- tasks:
-
- - name: ensure directories for symlinks exist
- file: state=directory dest={{item}}
- with_lines: cat ~/config/ansible/files/dirs | sed -e 's/ *#.*$//'
- - name: symlink system files
- file: state=hard force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
- with_fileglob: ~/config/ansible/files/system/*
- - name: set hostname for current session
- shell: hostname w530
-
- # Init package management.
- - name: update package lists
- apt: update_cache=yes
- - name: APT - dist-upgrade
- apt: upgrade=dist
-
- # Ensure power management.
- - name: ensure power management tools are installed
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/power_management | sed -e 's/ *#.*$//'
- - name: start TLP
- shell: tlp start
-
- # Configure console.
- #
- # For some reason, some settings are only applied two reboots after this.
- - name: symlink console config files
- file: state=link force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
- with_fileglob: ~/config/ansible/files/console/*
- - name: ensure locales and console-setup are installed
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/console | sed -e 's/ *#.*$//'
- - name: generate en_US.UTF-8 locale
- locale_gen: name=en_US.UTF-8 state=present
- - name: run setupcon to apply console settings from /etc/default/
- command: setupcon
-
- # Miscellaneous.
- - name: Ensure dotfile symlinks
- file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
- with_fileglob:
- - ~/config/dotfiles/minimal/*
- - ~/config/dotfiles/root/*
- - name: ensure ~/.vimbackups directory
- file: state=directory dest=~/.vimbackups
- - name: ensure man-db, manpages are installed
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/man | sed -e 's/ *#.*$//'
- - name: set /etc/localtime
- file: state=link force=yes src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime
- - name: ensure various useful tools are installed – sudo, git, vim, less, openssh
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/various_useful | sed -e 's/ *#.*$//'
- - name: ensure boot messages are not cleared on start up
- replace: dest=/etc/systemd/system/getty.target.wants/getty@tty1.service regexp='^TTYVTDisallocate=yes.*$' replace='TTYVTDisallocate=no'
-
- # Config user.
- - name: create user plom with sudo privileges and bash shell
- user: name=plom groups=sudo shell=/bin/bash
- - name: have config repo in user directory
- git: repo=https://github.com/plomlompom/config dest=/home/plom/config
- become_user: plom
- become_method: su
-
- # Ensure X window environment.
- - name: ensure minimal X window environment
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/minimal_x | sed -e 's/ *#.*$//'
- - name: ensure 3d acceleration and optimus switch
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/3d_acceleration | sed -e 's/ *#.*$//'
- - name: ensure user plom is in bumblebee group
- user: name=plom groups=bumblebee append=yes
- - name: ensure basic X tools
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/basic_x_tools | sed -e 's/ *#.*$//'
-
- # Set up pentadactyl.
- - name: ensure browser environment
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/browser_environment | sed -e 's/ *#.*$//'
-
- # Ensure wifi.
- - name: ensure wifi configuration
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/wifi | sed -e 's/ *#.*$//'
-
- # Ensure audio/video consumption necessities.
- - name: ensure multimedia tools
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/multimedia | sed -e 's/ *#.*$//'
-
- # Ensure hotkeys.
- #
- # For some reason, the brightness hotkeys still won't be available unless acpid is restarted (yes, after reboot).
- - name: ensure hotkeys
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark/hotkeys | sed -e 's/ *#.*$//'
-
- # Remove undesired packages
- - name: collect desired packages
- shell: cat files/apt-mark/* | sed -e 's/ *#.*$//' > /tmp/white_list_unsorted && sort /tmp/white_list_unsorted > /tmp/white_list_sorted
- - name: collect currently installed packages
- shell: dpkg-query -Wf '${Package}\n' > /tmp/all_unsorted && sort /tmp/all_unsorted > /tmp/all_sorted
- - name: create black list of packages to mark as automatically installed from the difference between the required packages and the packages currently installed
- shell: comm -3 /tmp/all_sorted /tmp/white_list_sorted > /tmp/list_black
- - name: mark all packages from black list as automatically installed
- shell: apt-mark auto $(cat /tmp/list_black)
- - name: mark all packages from white list as manually installed
- shell: apt-mark manual $(cat /tmp/white_list_unsorted)
- - name: purge all packages automatically installed that are not depended on
- shell: DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+++ /dev/null
----
-- hosts: all
- user: root
- become: yes
- tasks:
-
- - name: ensure directories for symlinks exist
- file: state=directory dest={{item}}
- with_lines: cat ~/config/ansible/files/dirs_new | sed -e 's/ *#.*$//'
- - name: symlink system files
- file: state=hard force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
- with_fileglob:
- - ~/config/ansible/files/system_new/minimal/*
- - ~/config/ansible/files/system_new/{{ system_name }}/*
- - name: set hostname for current session
- shell: hostname {{ system_name }}
-
- # Init package management.
- - name: add palemoon repo signing key
- apt_key:
- url: https://download.opensuse.org/repositories/home:stevenpusser/Debian_9.0/Release.key
- state: present
- - name: update package lists
- apt: update_cache=yes
- - name: APT - dist-upgrade
- apt: upgrade=dist
-
- # Ensure packages needed for disk encryption on startup (how does this work?)
- - name: ensure power management tools are installed
- apt: name={{item}} state=present
- with_lines:
- - cat ~/config/ansible/files/apt-mark_new/minimal/disk_encryption | sed -e 's/ *#.*$//'
-
- # Ensure power management.
- - name: ensure power management tools are installed
- apt: name={{item}} state=present
- with_lines:
- - cat ~/config/ansible/files/apt-mark_new/minimal/power_management | sed -e 's/ *#.*$//'
- - cat ~/config/ansible/files/apt-mark_new/X200s/power_management | sed -e 's/ *#.*$//'
- - name: start TLP
- shell: tlp start
-
- # Configure console.
- #
- # For some reason, some settings are only applied two reboots after this.
- - name: symlink console config files
- file: state=link force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
- with_fileglob: ~/config/ansible/files/console/*
- - name: ensure locales and console-setup are installed
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/console | sed -e 's/ *#.*$//'
- - name: generate en_US.UTF-8 locale
- locale_gen: name=en_US.UTF-8 state=present
- - name: Touch keyboard config file so setupcon does not ignore it.
- command: touch /etc/default/keyboard
- - name: run setupcon to apply console settings from /etc/default/
- command: setupcon
-
- # Miscellaneous.
- - name: Ensure dotfile symlinks
- file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
- with_fileglob:
- - ~/config/dotfiles/minimal/*
- - ~/config/dotfiles/root/*
- - name: ensure ~/.vimbackups directory
- file: state=directory dest=~/.vimbackups
- - name: ensure man-db, manpages are installed
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/man | sed -e 's/ *#.*$//'
- - name: set /etc/localtime
- file: state=link force=yes src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime
- - name: ensure various useful tools are installed – sudo, git, vim, less, openssh
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/various_useful | sed -e 's/ *#.*$//'
- - name: ensure boot messages are not cleared on start up
- replace: dest=/etc/systemd/system/getty.target.wants/getty@tty1.service regexp='^TTYVTDisallocate=yes.*$' replace='TTYVTDisallocate=no'
-
- # Config user.
- - name: create user plom with sudo privileges and bash shell
- user: name=plom groups=sudo shell=/bin/bash
- #- name: have config repo in user directory
- # git: repo=https://github.com/plomlompom/config dest=/home/plom/config
- # become_user: plom
- # become_method: su
-
- # Ensure X window environment.
- - name: ensure minimal X window environment
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/minimal_x | sed -e 's/ *#.*$//'
- - name: ensure 3d acceleration
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/3d_acceleration | sed -e 's/ *#.*$//'
- #- name: ensure optimus switch
- # apt: name={{item}} state=present
- # with_lines: cat ~/config/ansible/files/apt-mark_new/W530/3d_acceleration | sed -e 's/ *#.*$//'
- #- name: ensure user plom is in bumblebee group
- # user: name=plom groups=bumblebee append=yes
- - name: ensure basic X tools
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/basic_x_tools | sed -e 's/ *#.*$//'
-
- ## Set up browser environment.
- #- name: ensure qutebrowser
- # include: tasks/qutebrowser.yml
- - name: ensure browser environment
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/browser_environment | sed -e 's/ *#.*$//'
-
- # Ensure wifi.
- - name: ensure wifi configuration
- apt: name={{item}} state=present
- with_lines:
- - cat ~/config/ansible/files/apt-mark_new/minimal/wifi | sed -e 's/ *#.*$//'
- - cat ~/config/ansible/files/apt-mark_new/X200s/wifi | sed -e 's/ *#.*$//'
- #- name: ensure wicd
- # apt: name={{item}} state=present
- # with_lines: cat ~/config/ansible/files/apt-mark_new/W530/wicd | sed -e 's/ *#.*$//'
-
- # Ensure audio/video consumption necessities.
- - name: ensure multimedia tools
- apt: name={{item}} state=present
- with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/multimedia | sed -e 's/ *#.*$//'
- #- name: ensure multimedia tools
- # apt: name={{item}} state=present
- # with_lines: cat ~/config/ansible/files/apt-mark_new/W530/multimedia | sed -e 's/ *#.*$//'
-
- # Ensure hotkeys.
- #
- # For some reason, the brightness hotkeys still won't be available unless acpid is restarted (yes, after reboot).
- #- name: ensure hotkeys
- # apt: name={{item}} state=present
- # with_lines: cat ~/config/ansible/files/apt-mark/hotkeys | sed -e 's/ *#.*$//'
-
- # Remove undesired packages
- - name: collect desired packages
- shell: cat files/apt-mark_new/minimal/* files/apt-mark_new/{{ system_name }}/* | sed -e 's/ *#.*$//' > /tmp/white_list_unsorted && sort /tmp/white_list_unsorted > /tmp/white_list_sorted
- - name: collect currently installed packages
- shell: dpkg-query -Wf '${Package}\n' > /tmp/all_unsorted && sort /tmp/all_unsorted > /tmp/all_sorted
- - name: create black list of packages to mark as automatically installed from the difference between the required packages and the packages currently installed
- shell: comm -3 /tmp/all_sorted /tmp/white_list_sorted > /tmp/list_black
- - name: mark all packages from black list as automatically installed
- shell: apt-mark auto $(cat /tmp/list_black)
- - name: mark all packages from white list as manually installed
- shell: apt-mark manual $(cat /tmp/white_list_unsorted)
- - name: purge all packages automatically installed that are not depended on
- shell: DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-
+++ /dev/null
-bumblebee-nvidia
-libgl1-mesa-dri # tested as necessary for OpenGL 3D acceleration to work
-libglu1-mesa # tested as necessary for OpenGL 3D acceleration to work
-linux-headers-amd64 # tested as necessary to build proper nvidia-driver module
-primus # bridge by which bumblebee will deliver Nvidia-renderend content to Intel card
+++ /dev/null
-i3
-i3status
-python3 # this is what the i3status wrapper is written in
-redshift
-suckless-tools # contains dmenu; not using virtual packages as that won't be marked manually installed
-xterm
-x11-xserver-utils # includes xrdb which applies .Xresources files
+++ /dev/null
-iceweasel
-vim-gtk # used by pentadactyl for text editing
-xul-ext-noscript
-xul-ext-pentadactyl
+++ /dev/null
-console-setup
-locales
+++ /dev/null
-base-files
-base-passwd
-bash
-bsdutils
-coreutils
-dash
-debconf
-debianutils
-diffutils
-dpkg
-e2fslibs
-e2fsprogs
-findutils
-gcc-6-base
-grep
-gzip
-hostname
-init-system-helpers
-libacl1
-libattr1
-libblkid1
-libc6
-libc-bin
-libcomerr2
-libfdisk1
-libgcc1
-liblzma5
-libmount1
-libpam0g
-libpam-modules
-libpam-modules-bin
-libpam-runtime
-libpcre3
-libselinux1
-libsepol1
-libsmartcols1
-libss2
-libtinfo5
-libuuid1
-login
-lsb-base
-mawk
-mount
-multiarch-support
-ncurses-base
-ncurses-bin
-passwd
-perl-base
-sed
-sensible-utils
-sysvinit-utils
-tar
-tzdata
-util-linux
-zlib1g
+++ /dev/null
-acpid # captures hotkey presses and triggers respective /etc/acpi/events/*
+++ /dev/null
-man-db
-manpages
+++ /dev/null
-ansible
-ifupdown # needed for internet connectivity
-isc-dhcp-client # needed for internet connectivity
+++ /dev/null
-libpam-systemd # needed to start X as non-root
-xinit # contains startx
-xserver-xorg-core
-xserver-xorg-input-evdev # supports all input devices the kernel knows about
+++ /dev/null
-alsa-utils
-eject
-ffmpeg # somehow this is needed to make youtube-dl grab 1080p versions of videos
-libdvd-pkg # decss stuff
-mpv
-youtube-dl # needed by mpv to directly work YouTube URLs
+++ /dev/null
-acpi-call-dkms # needed for tlp to access Thinkpad-specific features
-tlp
+++ /dev/null
-git
-less
-openssh-client
-sudo
-vim
+++ /dev/null
-firmware-iwlwifi # wifi driver
-wicd-cli # thanks to my own wicd_wrapper.sh should be enough for most stuff
-wicd-curses # although this currently is very buggy
-wicd-gtk # workaround for when wicd-curses fails
+++ /dev/null
-bumblebee-nvidia
-linux-headers-amd64 # tested as necessary to build proper nvidia-driver module
-primus # bridge by which bumblebee will deliver Nvidia-renderend content to Intel card
+++ /dev/null
-iceweasel
-vim-gtk # used by pentadactyl for text editing
-xul-ext-noscript
-xul-ext-pentadactyl
+++ /dev/null
-acpid # captures hotkey presses and triggers respective /etc/acpi/events/*
+++ /dev/null
-eject
-ffmpeg # somehow this is needed to make youtube-dl grab 1080p versions of videos
-libdvd-pkg # decss stuff
+++ /dev/null
-wicd-cli # thanks to my own wicd_wrapper.sh should be enough for most stuff
-wicd-curses # although this currently is very buggy
-wicd-gtk # workaround for when wicd-curses fails
+++ /dev/null
-alsa-utils
-ffmpeg # somehow this is needed to make youtube-dl grab 1080p versions of videos
-mpv
-youtube-dl # needed by mpv to directly work YouTube URLs
+++ /dev/null
-tp-smapi-dkms
-linux-headers-amd64
+++ /dev/null
-wpasupplicant
+++ /dev/null
-libglu1-mesa # tested as necessary for OpenGL 3D acceleration to work
-libgl1-mesa-dri # tested as necessary for OpenGL 3D acceleration to work
+++ /dev/null
-i3
-i3status
-python3 # this is what the i3status wrapper is written in
-redshift
-suckless-tools # contains dmenu; not using virtual packages as that won't be marked manually installed
-xterm
-x11-xserver-utils # includes xrdb which applies .Xresources files
+++ /dev/null
-console-setup
-locales
+++ /dev/null
-base-files
-base-passwd
-bash
-bsdutils
-coreutils
-dash
-debconf
-debianutils
-diffutils
-dpkg
-e2fslibs
-e2fsprogs
-findutils
-gcc-6-base
-grep
-gzip
-hostname
-init-system-helpers
-libacl1
-libattr1
-libblkid1
-libc6
-libc-bin
-libcomerr2
-libfdisk1
-libgcc1
-liblzma5
-libmount1
-libpam0g
-libpam-modules
-libpam-modules-bin
-libpam-runtime
-libpcre3
-libselinux1
-libsepol1
-libsmartcols1
-libss2
-libtinfo5
-libuuid1
-login
-lsb-base
-mawk
-mount
-multiarch-support
-ncurses-base
-ncurses-bin
-passwd
-perl-base
-sed
-sensible-utils
-sysvinit-utils
-tar
-tzdata
-util-linux
-zlib1g
+++ /dev/null
-cryptsetup
-udev
+++ /dev/null
-man-db
-manpages
+++ /dev/null
-ansible
-ifupdown # needed for internet connectivity
-isc-dhcp-client # needed for internet connectivity
+++ /dev/null
-libpam-systemd # needed to start X as non-root
-xinit # contains startx
-xserver-xorg-core
-xserver-xorg-input-evdev # supports all input devices the kernel knows about
+++ /dev/null
-alsa-utils
-mpv
-youtube-dl # needed by mpv to directly work YouTube URLs
+++ /dev/null
-acpi-call-dkms # needed for tlp to access Thinkpad-specific features
-tlp
+++ /dev/null
-git
-less
-openssh-client
-sudo
-vim
+++ /dev/null
-firmware-iwlwifi # wifi driver
+++ /dev/null
-CHARMAP="UTF-8"
-CODESET="Lat15"
-FONTFACE="Terminus"
-FONTSIZE="6x12"
+++ /dev/null
-# setting XKBMODEL to the questionable default seems to be necessary and works nicely
-# curiously, putting a comment on the same line as a variable setting seems to break things
-XKBMODEL="pc105"
-XKBLAYOUT="de"
+++ /dev/null
-/etc/wicd
-/etc/acpi/events
+++ /dev/null
-# This is the Optimus-specific configuration recommended by the "NVIDIA
-# Accelerated Linux Graphics Drivre README and Installation Guide", Chapter 32
-# "Offloading Graphics Display with RandR 1.4"
-# (<http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>)
-# with the "AllowEmptyInitialConfigratuion" added as described by
-# <http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>.
-
-Section "ServerLayout"
- Identifier "layout"
- Screen 0 "nvidia"
- Inactive "intel"
-EndSection
-
-Section "Device"
- Identifier "nvidia"
- Driver "nvidia"
- BusID "PCI:01:00:0"
- Option "AllowEmptyInitialConfiguration"
-EndSection
-
-Section "Screen"
- Identifier "nvidia"
- Device "nvidia"
-EndSection
-
-Section "Device"
- Identifier "intel"
- Driver "modesetting"
-EndSection
-
-Section "Screen"
- Identifier "intel"
- Device "intel"
-EndSection
+++ /dev/null
-event=video/brightnessdown
-action=/root/config/bin/w530_backlight.sh -
+++ /dev/null
-event=video/brightnessup
-action=/root/config/bin/w530_backlight.sh +
+++ /dev/null
-event=button/f20
-action=amixer set Mic toggle
+++ /dev/null
-event=button/mute
-action=amixer set Master toggle
+++ /dev/null
-event=button/volumedown
-action=amixer set Master 10-
+++ /dev/null
-event=button/volumeup
-action=amixer set Master 10+
+++ /dev/null
-APT::AutoRemove::RecommendsImportant "false";
-APT::AutoRemove::SuggestsImportant "false";
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
+++ /dev/null
-deb http://ftp.debian.org/debian/ stretch main contrib non-free
-deb http://ftp.debian.org/debian/ stretch-updates main contrib non-free
-deb http://ftp.debian.org/debian stretch-backports main contrib non-free
-deb http://security.debian.org/ stretch/updates main contrib non-free
+++ /dev/null
-# ------------------------------------------------------------------------------
-# tlp - Parameters for power save
-# See full explanation: http://linrunner.de/en/tlp/docs/tlp-configuration.html
-
-# Hint: some features are disabled by default, remove the leading # to enable
-# them.
-
-# Set to 0 to disable, 1 to enable TLP.
-TLP_ENABLE=1
-
-# Operation mode when no power supply can be detected: AC, BAT
-# Concerns some desktop and embedded hardware only.
-TLP_DEFAULT_MODE=AC
-
-# Seconds laptop mode has to wait after the disk goes idle before doing a sync.
-# Non-zero value enables, zero disables laptop mode.
-DISK_IDLE_SECS_ON_AC=0
-DISK_IDLE_SECS_ON_BAT=2
-
-# Dirty page values (timeouts in secs).
-MAX_LOST_WORK_SECS_ON_AC=15
-MAX_LOST_WORK_SECS_ON_BAT=60
-
-# Hint: CPU parameters below are disabled by default, remove the leading #
-# to enable them, otherwise kernel default values are used.
-
-# Select a CPU frequency scaling governor.
-# Intel Core i processor with intel_pstate driver:
-# powersave(*), performance
-# Older hardware with acpi-cpufreq driver:
-# ondemand(*), powersave, performance, conservative
-# (*) is recommended.
-# Hint: use tlp-stat -p to show the active driver and available governors.
-# Important:
-# You *must* disable your distribution's governor settings or conflicts will
-# occur. ondemand is sufficient for *almost all* workloads, you should know
-# what you're doing!
-#CPU_SCALING_GOVERNOR_ON_AC=powersave
-#CPU_SCALING_GOVERNOR_ON_BAT=powersave
-
-# Set the min/max frequency available for the scaling governor.
-# Possible values strongly depend on your CPU. For available frequencies see
-# the output of tlp-stat -p.
-#CPU_SCALING_MIN_FREQ_ON_AC=0
-#CPU_SCALING_MAX_FREQ_ON_AC=0
-#CPU_SCALING_MIN_FREQ_ON_BAT=0
-#CPU_SCALING_MAX_FREQ_ON_BAT=0
-
-# Set Intel P-state performance: 0..100 (%)
-# Limit the max/min P-state to control the power dissipation of the CPU.
-# Values are stated as a percentage of the available performance.
-# Requires an Intel Core i processor with intel_pstate driver.
-#CPU_MIN_PERF_ON_AC=0
-#CPU_MAX_PERF_ON_AC=100
-#CPU_MIN_PERF_ON_BAT=0
-#CPU_MAX_PERF_ON_BAT=30
-
-# Set the CPU "turbo boost" feature: 0=disable, 1=allow
-# Requires an Intel Core i processor.
-# Important:
-# - This may conflict with your distribution's governor settings
-# - A value of 1 does *not* activate boosting, it just allows it
-#CPU_BOOST_ON_AC=1
-#CPU_BOOST_ON_BAT=0
-
-# Minimize number of used CPU cores/hyper-threads under light load conditions
-SCHED_POWERSAVE_ON_AC=0
-SCHED_POWERSAVE_ON_BAT=1
-
-# Kernel NMI Watchdog:
-# 0=disable (default, saves power), 1=enable (for kernel debugging only)
-NMI_WATCHDOG=0
-
-# Change CPU voltages aka "undervolting" - Kernel with PHC patch required
-# Frequency voltage pairs are written to:
-# /sys/devices/system/cpu/cpu0/cpufreq/phc_controls
-# CAUTION: only use this, if you thoroughly understand what you are doing!
-#PHC_CONTROLS="F:V F:V F:V F:V"
-
-# Set CPU performance versus energy savings policy:
-# performance, normal, powersave
-# Requires kernel module msr and x86_energy_perf_policy from linux-tools
-ENERGY_PERF_POLICY_ON_AC=performance
-ENERGY_PERF_POLICY_ON_BAT=powersave
-
-# Hard disk devices; separate multiple devices with spaces (default: sda).
-# Devices can be specified by disk ID also (lookup with: tlp diskid).
-DISK_DEVICES="sda sdb"
-
-# Hard disk advanced power management level: 1..254, 255 (max saving, min, off)
-# Levels 1..127 may spin down the disk; 255 allowable on most drives.
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the hardware default for the particular disk.
-DISK_APM_LEVEL_ON_AC="254 254"
-DISK_APM_LEVEL_ON_BAT="128 128"
-
-# Hard disk spin down timeout:
-# 0: spin down disabled
-# 1..240: timeouts from 5s to 20min (in units of 5s)
-# 241..251: timeouts from 30min to 5.5 hours (in units of 30min)
-# See 'man hdparm' for details.
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the hardware default for the particular disk.
-#DISK_SPINDOWN_TIMEOUT_ON_AC="0 0"
-#DISK_SPINDOWN_TIMEOUT_ON_BAT="0 0"
-
-# Select IO scheduler for the disk devices: cfq, deadline, noop (Default: cfq);
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the kernel default scheduler for the particular disk.
-#DISK_IOSCHED="cfq cfq"
-
-# SATA aggressive link power management (ALPM):
-# min_power, medium_power, max_performance
-SATA_LINKPWR_ON_AC=max_performance
-SATA_LINKPWR_ON_BAT=min_power
-
-# Exclude SATA host devices from link power management.
-# Separate multiple hosts with spaces.
-#SATA_LINKPWR_BLACKLIST="host1"
-
-# Runtime Power Management for AHCI controllers and disks:
-# on=disable, auto=enable
-# EXPERIMENTAL ** WARNING: auto will most likely cause system lockups/data loss
-#AHCI_RUNTIME_PM_ON_AC=on
-#AHCI_RUNTIME_PM_ON_BAT=on
-
-# Seconds of inactivity before disk is suspended
-AHCI_RUNTIME_PM_TIMEOUT=15
-
-# PCI Express Active State Power Management (PCIe ASPM):
-# default, performance, powersave
-PCIE_ASPM_ON_AC=performance
-PCIE_ASPM_ON_BAT=powersave
-
-# Radeon graphics clock speed (profile method): low, mid, high, auto, default;
-# auto = mid on BAT, high on AC; default = use hardware defaults.
-# (Kernel >= 2.6.35 only, open-source radeon driver explicitly)
-RADEON_POWER_PROFILE_ON_AC=high
-RADEON_POWER_PROFILE_ON_BAT=low
-
-# Radeon dynamic power management method (DPM): battery, performance
-# (Kernel >= 3.11 only, requires boot option radeon.dpm=1)
-RADEON_DPM_STATE_ON_AC=performance
-RADEON_DPM_STATE_ON_BAT=battery
-
-# Radeon DPM performance level: auto, low, high; auto is recommended.
-RADEON_DPM_PERF_LEVEL_ON_AC=auto
-RADEON_DPM_PERF_LEVEL_ON_BAT=auto
-
-# WiFi power saving mode: on=enable, off=disable; not supported by all adapters.
-WIFI_PWR_ON_AC=off
-WIFI_PWR_ON_BAT=on
-
-# Disable wake on LAN: Y/N
-WOL_DISABLE=Y
-
-# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
-# A value of 0 disables, >=1 enables power save.
-SOUND_POWER_SAVE_ON_AC=0
-SOUND_POWER_SAVE_ON_BAT=1
-
-# Disable controller too (HDA only): Y/N
-SOUND_POWER_SAVE_CONTROLLER=Y
-
-# Set to 1 to power off optical drive in UltraBay/MediaBay when running on
-# battery. A value of 0 disables this feature (Default).
-# Drive can be powered on again by releasing (and reinserting) the eject lever
-# or by pressing the disc eject button on newer models.
-# Note: an UltraBay/MediaBay hard disk is never powered off.
-BAY_POWEROFF_ON_BAT=0
-# Optical drive device to power off (default sr0).
-BAY_DEVICE="sr0"
-
-# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable
-RUNTIME_PM_ON_AC=on
-RUNTIME_PM_ON_BAT=auto
-
-# Runtime PM for *all* PCI(e) bus devices, except blacklisted ones:
-# 0=disable, 1=enable
-RUNTIME_PM_ALL=1
-
-# Exclude PCI(e) device adresses the following list from Runtime PM
-# (separate with spaces). Use lspci to get the adresses (1st column).
-#RUNTIME_PM_BLACKLIST="bb:dd.f 11:22.3 44:55.6"
-
-# Exclude PCI(e) devices assigned to the listed drivers from Runtime PM
-# (should prevent accidential power on of hybrid graphics' discrete part).
-# Default is "radeon nouveau"; use "" to disable the feature completely.
-# Separate multiple drivers with spaces.
-RUNTIME_PM_DRIVER_BLACKLIST="radeon nouveau"
-
-# Set to 0 to disable, 1 to enable USB autosuspend feature.
-USB_AUTOSUSPEND=1
-
-# Exclude listed devices from USB autosuspend (separate with spaces).
-# Use lsusb to get the ids.
-# Note: input devices (usbhid) are excluded automatically (see below)
-#USB_BLACKLIST="1111:2222 3333:4444"
-
-# WWAN devices are excluded from USB autosuspend: 0=do not exclude / 1=exclude
-USB_BLACKLIST_WWAN=1
-
-# Include listed devices into USB autosuspend even if already excluded
-# by the driver or WWAN blacklists above (separate with spaces).
-# Use lsusb to get the ids.
-#USB_WHITELIST="1111:2222 3333:4444"
-
-# Set to 1 to disable autosuspend before shutdown, 0 to do nothing
-# (workaround for USB devices that cause shutdown problems).
-#USB_AUTOSUSPEND_DISABLE_ON_SHUTDOWN=1
-
-# Restore radio device state (Bluetooth, WiFi, WWAN) from previous shutdown
-# on system startup: 0=disable, 1=enable.
-# Hint: the parameters DEVICES_TO_DISABLE/ENABLE_ON_STARTUP/SHUTDOWN below
-# are ignored when this is enabled!
-RESTORE_DEVICE_STATE_ON_STARTUP=0
-
-# Radio devices to disable on startup: bluetooth, wifi, wwan.
-# Separate multiple devices with spaces.
-DEVICES_TO_DISABLE_ON_STARTUP="bluetooth wifi wwan"
-
-# Radio devices to enable on startup: bluetooth, wifi, wwan.
-# Separate multiple devices with spaces.
-#DEVICES_TO_ENABLE_ON_STARTUP="wifi"
-
-# Radio devices to disable on shutdown: bluetooth, wifi, wwan
-# (workaround for devices that are blocking shutdown).
-#DEVICES_TO_DISABLE_ON_SHUTDOWN="bluetooth wifi wwan"
-
-# Radio devices to enable on shutdown: bluetooth, wifi, wwan
-# (to prevent other operating systems from missing radios).
-#DEVICES_TO_ENABLE_ON_SHUTDOWN="wwan"
-
-# Radio devices to enable on AC: bluetooth, wifi, wwan
-#DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
-
-# Radio devices to disable on battery: bluetooth, wifi, wwan
-#DEVICES_TO_DISABLE_ON_BAT="bluetooth wifi wwan"
-
-# Radio devices to disable on battery when not in use (not connected):
-# bluetooth, wifi, wwan
-DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE="bluetooth wifi wwan"
-
-# Battery charge thresholds (ThinkPad only, tp-smapi or acpi-call kernel module
-# required). Charging starts when the remaining capacity falls below the
-# START_CHARGE_THRESH value and stops when exceeding the STOP_CHARGE_THRESH value.
-# Main / Internal battery (values in %)
-START_CHARGE_THRESH_BAT0=10
-STOP_CHARGE_THRESH_BAT0=95
-# Ultrabay / Slice / Replaceable battery (values in %)
-START_CHARGE_THRESH_BAT1=10
-STOP_CHARGE_THRESH_BAT1=95
-
-# ------------------------------------------------------------------------------
-# tlp-rdw - Parameters for the radio device wizard
-# Possible devices: bluetooth, wifi, wwan
-
-# Hints:
-# - Parameters are disabled by default, remove the leading # to enable them.
-# - Separate multiple radio devices with spaces.
-
-# Radio devices to disable on connect.
-#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
-#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"
-#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"
-
-# Radio devices to enable on disconnect.
-#DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
-#DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
-#DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
-
-# Radio devices to enable/disable when docked.
-#DEVICES_TO_ENABLE_ON_DOCK=""
-#DEVICES_TO_DISABLE_ON_DOCK=""
-
-# Radio devices to enable/disable when undocked.
-#DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
-#DEVICES_TO_DISABLE_ON_UNDOCK=""
+++ /dev/null
-127.0.0.1 localhost
-127.0.1.1 w530
-
-# The following lines are desirable for IPv6 capable hosts
-::1 localhost ip6-localhost ip6-loopback
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
+++ /dev/null
-# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
-# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
-
-if [ "`id -u`" -eq 0 ]; then
- PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-else
- PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
-fi
-export PATH
-
-if [ "${PS1-}" ]; then
- if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
- # The file bash.bashrc already sets the default PS1.
- # PS1='\h:\w\$ '
- if [ -f /etc/bash.bashrc ]; then
- . /etc/bash.bashrc
- fi
- else
- if [ "`id -u`" -eq 0 ]; then
- PS1='# '
- else
- PS1='$ '
- fi
- fi
-fi
-
-if [ -d /etc/profile.d ]; then
- for i in /etc/profile.d/*.sh; do
- if [ -r $i ]; then
- . $i
- fi
- done
- unset i
-fi
-export LC_ALL="en_US.UTF-8"
+++ /dev/null
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-#
-# Entries in this file show the compile time defaults.
-# You can change settings by editing this file.
-# Defaults can be restored by simply deleting this file.
-#
-# See logind.conf(5) for details.
-
-[Login]
-#NAutoVTs=6
-#ReserveVT=6
-#KillUserProcesses=no
-#KillOnlyUsers=
-#KillExcludeUsers=root
-#InhibitDelayMaxSec=5
-#HandlePowerKey=poweroff
-#HandleSuspendKey=suspend
-#HandleHibernateKey=hibernate
-#HandleLidSwitch=suspend
-#HandleLidSwitchDocked=ignore
-#PowerKeyIgnoreInhibited=no
-#SuspendKeyIgnoreInhibited=no
-#HibernateKeyIgnoreInhibited=no
-#LidSwitchIgnoreInhibited=yes
-#HoldoffTimeoutSec=30s
-#IdleAction=ignore
-#IdleActionSec=30min
-#RuntimeDirectorySize=10%
-#RemoveIPC=yes
-#InhibitorsMax=8192
-#SessionsMax=8192
-#UserTasksMax=33%
-HandleLidSwitch=hibernate
+++ /dev/null
-Europe/Berlin
+++ /dev/null
-[Settings]
-backend = external
-wireless_interface = wlp3s0
-wired_interface = enp0s25
-wpa_driver = wext
-always_show_wired_interface = False
-use_global_dns = False
-global_dns_1 = None
-global_dns_2 = None
-global_dns_3 = None
-global_dns_dom = None
-global_search_dom = None
-auto_reconnect = True
-debug_mode = False
-wired_connect_mode = 1
-signal_display_type = 0
-should_verify_ap = 1
-dhcp_client = 0
-link_detect_tool = 0
-flush_tool = 0
-sudo_app = 0
-prefer_wired = False
-show_never_connect = True
-
+++ /dev/null
-# This is the Optimus-specific configuration recommended by the "NVIDIA
-# Accelerated Linux Graphics Driver README and Installation Guide", Chapter 32
-# "Offloading Graphics Display with RandR 1.4"
-# (<http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>)
-# with the "AllowEmptyInitialConfigratuion" added as described by
-# <http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>.
-
-Section "ServerLayout"
- Identifier "layout"
- Screen 0 "nvidia"
- Inactive "intel"
-EndSection
-
-Section "Device"
- Identifier "nvidia"
- Driver "nvidia"
- BusID "PCI:01:00:0"
- Option "AllowEmptyInitialConfiguration"
-EndSection
-
-Section "Screen"
- Identifier "nvidia"
- Device "nvidia"
-EndSection
-
-Section "Device"
- Identifier "intel"
- Driver "modesetting"
-EndSection
-
-Section "Screen"
- Identifier "intel"
- Device "intel"
-EndSection
+++ /dev/null
-127.0.0.1 localhost
-127.0.1.1 W530
-
-# The following lines are desirable for IPv6 capable hosts
-::1 localhost ip6-localhost ip6-loopback
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
+++ /dev/null
-[Settings]
-backend = external
-wireless_interface = wlp3s0
-wired_interface = enp0s25
-wpa_driver = wext
-always_show_wired_interface = False
-use_global_dns = False
-global_dns_1 = None
-global_dns_2 = None
-global_dns_3 = None
-global_dns_dom = None
-global_search_dom = None
-auto_reconnect = True
-debug_mode = False
-wired_connect_mode = 1
-signal_display_type = 0
-should_verify_ap = 1
-dhcp_client = 0
-link_detect_tool = 0
-flush_tool = 0
-sudo_app = 0
-prefer_wired = False
-show_never_connect = True
-
+++ /dev/null
-127.0.0.1 localhost
-127.0.1.1 X200s
-
-# The following lines are desirable for IPv6 capable hosts
-::1 localhost ip6-localhost ip6-loopback
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
+++ /dev/null
-APT::AutoRemove::RecommendsImportant "false";
-APT::AutoRemove::SuggestsImportant "false";
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
+++ /dev/null
-deb http://ftp.debian.org/debian/ stretch main contrib non-free
-deb http://ftp.debian.org/debian/ stretch-updates main contrib non-free
-deb http://ftp.debian.org/debian stretch-backports main contrib non-free
-deb http://security.debian.org/ stretch/updates main contrib non-free
+++ /dev/null
-deb http://download.opensuse.org/repositories/home:/stevenpusser/Debian_9.0/ /
+++ /dev/null
-# ------------------------------------------------------------------------------
-# tlp - Parameters for power save
-# See full explanation: http://linrunner.de/en/tlp/docs/tlp-configuration.html
-
-# Hint: some features are disabled by default, remove the leading # to enable
-# them.
-
-# Set to 0 to disable, 1 to enable TLP.
-TLP_ENABLE=1
-
-# Operation mode when no power supply can be detected: AC, BAT
-# Concerns some desktop and embedded hardware only.
-TLP_DEFAULT_MODE=AC
-
-# Seconds laptop mode has to wait after the disk goes idle before doing a sync.
-# Non-zero value enables, zero disables laptop mode.
-DISK_IDLE_SECS_ON_AC=0
-DISK_IDLE_SECS_ON_BAT=2
-
-# Dirty page values (timeouts in secs).
-MAX_LOST_WORK_SECS_ON_AC=15
-MAX_LOST_WORK_SECS_ON_BAT=60
-
-# Hint: CPU parameters below are disabled by default, remove the leading #
-# to enable them, otherwise kernel default values are used.
-
-# Select a CPU frequency scaling governor.
-# Intel Core i processor with intel_pstate driver:
-# powersave(*), performance
-# Older hardware with acpi-cpufreq driver:
-# ondemand(*), powersave, performance, conservative
-# (*) is recommended.
-# Hint: use tlp-stat -p to show the active driver and available governors.
-# Important:
-# You *must* disable your distribution's governor settings or conflicts will
-# occur. ondemand is sufficient for *almost all* workloads, you should know
-# what you're doing!
-#CPU_SCALING_GOVERNOR_ON_AC=powersave
-#CPU_SCALING_GOVERNOR_ON_BAT=powersave
-
-# Set the min/max frequency available for the scaling governor.
-# Possible values strongly depend on your CPU. For available frequencies see
-# the output of tlp-stat -p.
-#CPU_SCALING_MIN_FREQ_ON_AC=0
-#CPU_SCALING_MAX_FREQ_ON_AC=0
-#CPU_SCALING_MIN_FREQ_ON_BAT=0
-#CPU_SCALING_MAX_FREQ_ON_BAT=0
-
-# Set Intel P-state performance: 0..100 (%)
-# Limit the max/min P-state to control the power dissipation of the CPU.
-# Values are stated as a percentage of the available performance.
-# Requires an Intel Core i processor with intel_pstate driver.
-#CPU_MIN_PERF_ON_AC=0
-#CPU_MAX_PERF_ON_AC=100
-#CPU_MIN_PERF_ON_BAT=0
-#CPU_MAX_PERF_ON_BAT=30
-
-# Set the CPU "turbo boost" feature: 0=disable, 1=allow
-# Requires an Intel Core i processor.
-# Important:
-# - This may conflict with your distribution's governor settings
-# - A value of 1 does *not* activate boosting, it just allows it
-#CPU_BOOST_ON_AC=1
-#CPU_BOOST_ON_BAT=0
-
-# Minimize number of used CPU cores/hyper-threads under light load conditions
-SCHED_POWERSAVE_ON_AC=0
-SCHED_POWERSAVE_ON_BAT=1
-
-# Kernel NMI Watchdog:
-# 0=disable (default, saves power), 1=enable (for kernel debugging only)
-NMI_WATCHDOG=0
-
-# Change CPU voltages aka "undervolting" - Kernel with PHC patch required
-# Frequency voltage pairs are written to:
-# /sys/devices/system/cpu/cpu0/cpufreq/phc_controls
-# CAUTION: only use this, if you thoroughly understand what you are doing!
-#PHC_CONTROLS="F:V F:V F:V F:V"
-
-# Set CPU performance versus energy savings policy:
-# performance, normal, powersave
-# Requires kernel module msr and x86_energy_perf_policy from linux-tools
-ENERGY_PERF_POLICY_ON_AC=performance
-ENERGY_PERF_POLICY_ON_BAT=powersave
-
-# Hard disk devices; separate multiple devices with spaces (default: sda).
-# Devices can be specified by disk ID also (lookup with: tlp diskid).
-DISK_DEVICES="sda sdb"
-
-# Hard disk advanced power management level: 1..254, 255 (max saving, min, off)
-# Levels 1..127 may spin down the disk; 255 allowable on most drives.
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the hardware default for the particular disk.
-DISK_APM_LEVEL_ON_AC="254 254"
-DISK_APM_LEVEL_ON_BAT="128 128"
-
-# Hard disk spin down timeout:
-# 0: spin down disabled
-# 1..240: timeouts from 5s to 20min (in units of 5s)
-# 241..251: timeouts from 30min to 5.5 hours (in units of 30min)
-# See 'man hdparm' for details.
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the hardware default for the particular disk.
-#DISK_SPINDOWN_TIMEOUT_ON_AC="0 0"
-#DISK_SPINDOWN_TIMEOUT_ON_BAT="0 0"
-
-# Select IO scheduler for the disk devices: cfq, deadline, noop (Default: cfq);
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the kernel default scheduler for the particular disk.
-#DISK_IOSCHED="cfq cfq"
-
-# SATA aggressive link power management (ALPM):
-# min_power, medium_power, max_performance
-SATA_LINKPWR_ON_AC=max_performance
-SATA_LINKPWR_ON_BAT=min_power
-
-# Exclude SATA host devices from link power management.
-# Separate multiple hosts with spaces.
-#SATA_LINKPWR_BLACKLIST="host1"
-
-# Runtime Power Management for AHCI controllers and disks:
-# on=disable, auto=enable
-# EXPERIMENTAL ** WARNING: auto will most likely cause system lockups/data loss
-#AHCI_RUNTIME_PM_ON_AC=on
-#AHCI_RUNTIME_PM_ON_BAT=on
-
-# Seconds of inactivity before disk is suspended
-AHCI_RUNTIME_PM_TIMEOUT=15
-
-# PCI Express Active State Power Management (PCIe ASPM):
-# default, performance, powersave
-PCIE_ASPM_ON_AC=performance
-PCIE_ASPM_ON_BAT=powersave
-
-# Radeon graphics clock speed (profile method): low, mid, high, auto, default;
-# auto = mid on BAT, high on AC; default = use hardware defaults.
-# (Kernel >= 2.6.35 only, open-source radeon driver explicitly)
-RADEON_POWER_PROFILE_ON_AC=high
-RADEON_POWER_PROFILE_ON_BAT=low
-
-# Radeon dynamic power management method (DPM): battery, performance
-# (Kernel >= 3.11 only, requires boot option radeon.dpm=1)
-RADEON_DPM_STATE_ON_AC=performance
-RADEON_DPM_STATE_ON_BAT=battery
-
-# Radeon DPM performance level: auto, low, high; auto is recommended.
-RADEON_DPM_PERF_LEVEL_ON_AC=auto
-RADEON_DPM_PERF_LEVEL_ON_BAT=auto
-
-# WiFi power saving mode: on=enable, off=disable; not supported by all adapters.
-WIFI_PWR_ON_AC=off
-WIFI_PWR_ON_BAT=on
-
-# Disable wake on LAN: Y/N
-WOL_DISABLE=Y
-
-# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
-# A value of 0 disables, >=1 enables power save.
-SOUND_POWER_SAVE_ON_AC=0
-SOUND_POWER_SAVE_ON_BAT=1
-
-# Disable controller too (HDA only): Y/N
-SOUND_POWER_SAVE_CONTROLLER=Y
-
-# Set to 1 to power off optical drive in UltraBay/MediaBay when running on
-# battery. A value of 0 disables this feature (Default).
-# Drive can be powered on again by releasing (and reinserting) the eject lever
-# or by pressing the disc eject button on newer models.
-# Note: an UltraBay/MediaBay hard disk is never powered off.
-BAY_POWEROFF_ON_BAT=0
-# Optical drive device to power off (default sr0).
-BAY_DEVICE="sr0"
-
-# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable
-RUNTIME_PM_ON_AC=on
-RUNTIME_PM_ON_BAT=auto
-
-# Runtime PM for *all* PCI(e) bus devices, except blacklisted ones:
-# 0=disable, 1=enable
-RUNTIME_PM_ALL=1
-
-# Exclude PCI(e) device adresses the following list from Runtime PM
-# (separate with spaces). Use lspci to get the adresses (1st column).
-#RUNTIME_PM_BLACKLIST="bb:dd.f 11:22.3 44:55.6"
-
-# Exclude PCI(e) devices assigned to the listed drivers from Runtime PM
-# (should prevent accidential power on of hybrid graphics' discrete part).
-# Default is "radeon nouveau"; use "" to disable the feature completely.
-# Separate multiple drivers with spaces.
-RUNTIME_PM_DRIVER_BLACKLIST="radeon nouveau"
-
-# Set to 0 to disable, 1 to enable USB autosuspend feature.
-USB_AUTOSUSPEND=1
-
-# Exclude listed devices from USB autosuspend (separate with spaces).
-# Use lsusb to get the ids.
-# Note: input devices (usbhid) are excluded automatically (see below)
-#USB_BLACKLIST="1111:2222 3333:4444"
-
-# WWAN devices are excluded from USB autosuspend: 0=do not exclude / 1=exclude
-USB_BLACKLIST_WWAN=1
-
-# Include listed devices into USB autosuspend even if already excluded
-# by the driver or WWAN blacklists above (separate with spaces).
-# Use lsusb to get the ids.
-#USB_WHITELIST="1111:2222 3333:4444"
-
-# Set to 1 to disable autosuspend before shutdown, 0 to do nothing
-# (workaround for USB devices that cause shutdown problems).
-#USB_AUTOSUSPEND_DISABLE_ON_SHUTDOWN=1
-
-# Restore radio device state (Bluetooth, WiFi, WWAN) from previous shutdown
-# on system startup: 0=disable, 1=enable.
-# Hint: the parameters DEVICES_TO_DISABLE/ENABLE_ON_STARTUP/SHUTDOWN below
-# are ignored when this is enabled!
-RESTORE_DEVICE_STATE_ON_STARTUP=0
-
-# Radio devices to disable on startup: bluetooth, wifi, wwan.
-# Separate multiple devices with spaces.
-DEVICES_TO_DISABLE_ON_STARTUP="bluetooth wifi wwan"
-
-# Radio devices to enable on startup: bluetooth, wifi, wwan.
-# Separate multiple devices with spaces.
-#DEVICES_TO_ENABLE_ON_STARTUP="wifi"
-
-# Radio devices to disable on shutdown: bluetooth, wifi, wwan
-# (workaround for devices that are blocking shutdown).
-#DEVICES_TO_DISABLE_ON_SHUTDOWN="bluetooth wifi wwan"
-
-# Radio devices to enable on shutdown: bluetooth, wifi, wwan
-# (to prevent other operating systems from missing radios).
-#DEVICES_TO_ENABLE_ON_SHUTDOWN="wwan"
-
-# Radio devices to enable on AC: bluetooth, wifi, wwan
-#DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
-
-# Radio devices to disable on battery: bluetooth, wifi, wwan
-#DEVICES_TO_DISABLE_ON_BAT="bluetooth wifi wwan"
-
-# Radio devices to disable on battery when not in use (not connected):
-# bluetooth, wifi, wwan
-DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE="bluetooth wifi wwan"
-
-# Battery charge thresholds (ThinkPad only, tp-smapi or acpi-call kernel module
-# required). Charging starts when the remaining capacity falls below the
-# START_CHARGE_THRESH value and stops when exceeding the STOP_CHARGE_THRESH value.
-# Main / Internal battery (values in %)
-START_CHARGE_THRESH_BAT0=10
-STOP_CHARGE_THRESH_BAT0=95
-# Ultrabay / Slice / Replaceable battery (values in %)
-START_CHARGE_THRESH_BAT1=10
-STOP_CHARGE_THRESH_BAT1=95
-
-# ------------------------------------------------------------------------------
-# tlp-rdw - Parameters for the radio device wizard
-# Possible devices: bluetooth, wifi, wwan
-
-# Hints:
-# - Parameters are disabled by default, remove the leading # to enable them.
-# - Separate multiple radio devices with spaces.
-
-# Radio devices to disable on connect.
-#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
-#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"
-#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"
-
-# Radio devices to enable on disconnect.
-#DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
-#DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
-#DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
-
-# Radio devices to enable/disable when docked.
-#DEVICES_TO_ENABLE_ON_DOCK=""
-#DEVICES_TO_DISABLE_ON_DOCK=""
-
-# Radio devices to enable/disable when undocked.
-#DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
-#DEVICES_TO_DISABLE_ON_UNDOCK=""
+++ /dev/null
-# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
-# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
-
-if [ "`id -u`" -eq 0 ]; then
- PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-else
- PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
-fi
-export PATH
-
-if [ "${PS1-}" ]; then
- if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
- # The file bash.bashrc already sets the default PS1.
- # PS1='\h:\w\$ '
- if [ -f /etc/bash.bashrc ]; then
- . /etc/bash.bashrc
- fi
- else
- if [ "`id -u`" -eq 0 ]; then
- PS1='# '
- else
- PS1='$ '
- fi
- fi
-fi
-
-if [ -d /etc/profile.d ]; then
- for i in /etc/profile.d/*.sh; do
- if [ -r $i ]; then
- . $i
- fi
- done
- unset i
-fi
-export LC_ALL="en_US.UTF-8"
+++ /dev/null
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-#
-# Entries in this file show the compile time defaults.
-# You can change settings by editing this file.
-# Defaults can be restored by simply deleting this file.
-#
-# See logind.conf(5) for details.
-
-[Login]
-#NAutoVTs=6
-#ReserveVT=6
-#KillUserProcesses=no
-#KillOnlyUsers=
-#KillExcludeUsers=root
-#InhibitDelayMaxSec=5
-#HandlePowerKey=poweroff
-#HandleSuspendKey=suspend
-#HandleHibernateKey=hibernate
-#HandleLidSwitch=suspend
-#HandleLidSwitchDocked=ignore
-#PowerKeyIgnoreInhibited=no
-#SuspendKeyIgnoreInhibited=no
-#HibernateKeyIgnoreInhibited=no
-#LidSwitchIgnoreInhibited=yes
-#HoldoffTimeoutSec=30s
-#IdleAction=ignore
-#IdleActionSec=30min
-#RuntimeDirectorySize=10%
-#RemoveIPC=yes
-#InhibitorsMax=8192
-#SessionsMax=8192
-#UserTasksMax=33%
-HandleLidSwitch=hibernate
+++ /dev/null
-Europe/Berlin
+++ /dev/null
-ansible-playbook -i 'localhost,' -c local config.yml
+++ /dev/null
-ansible-playbook -i 'localhost,' -e system_name=X200s -c local config_new.yml
+++ /dev/null
-ansible-playbook -i 'localhost,' -c local user.yml
+++ /dev/null
-ansible-playbook -i 'localhost,' -e system_name=X200s -c local user_new.yml
+++ /dev/null
----
-
-- name: collect officially required packages
- shell: dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
-
-- name: add "ifupdown" and "isc-dhcp-client" (to keep internet connection afterwards) and "ansible" (to keep its modules available for continuing the configuration) to required packages
- shell: echo 'ifupdown' >> /tmp/list_white_unsorted && echo 'isc-dhcp-client' >> /tmp/list_white_unsorted && echo 'ansible' >> /tmp/list_white_unsorted && sort /tmp/list_white_unsorted > /tmp/list_white
-
-- name: collect currently installed packages
- shell: dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages && sort /tmp/list_all_packages > /tmp/foo && mv /tmp/foo /tmp/list_all_packages
-
-- name: create black list of packages to mark as automatically installed from the difference between the required packages and the packages currently installed
- shell: comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
-
-- name: mark all packages from black list as automatically installed
- shell: apt-mark auto $(cat /tmp/list_black)
-
-- name: purge all packages automatically installed that are not depended on
- shell: DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-
-- name: ensure flags directory exists
- file: path=flags state=directory
-
-- name: set initial_purge_happened flag, so that this whole process does not get repeated
- file: path=flags/initial_purge_happened state=touch
+++ /dev/null
----
-
-- name: Set qutebrowser, python3-pypeg2 facts.
- set_fact:
- qutebrowser_deb_url: https://github.com/qutebrowser/qutebrowser/releases/download/v0.11.0/qutebrowser_0.11.0-1_all.deb
- python3pypeg2_deb_url: https://qutebrowser.org/python3-pypeg2_2.15.2-1_all.deb
- qutebrowser_deb_path: /tmp/qutebrowser.deb
- python3pypeg2_deb_path: /tmp/python3-pypeg2.deb
-
-- name: Check if qutebrowser is installed.
- command: dpkg-query -W qutebrowser
- register: qutebrowser_debcheck
- failed_when: qutebrowser_debcheck.rc > 1
- changed_when: qutebrowser_debcheck.rc == 1
-
-- name: Check if qutebrowser-dependency python3-pypeg2 is installed.
- command: dpkg-query -W python3-pypeg2
- register: python3pypeg2_debcheck
- failed_when: python3pypeg2_debcheck.rc > 1
- changed_when: python3pypeg2_debcheck.rc == 1
- when: qutebrowser_debcheck.rc == 1
-
-- name: Download python3-pypeg2 package.
- get_url: url={{ python3pypeg2_deb_url }} dest={{ python3pypeg2_deb_path }}
- when: qutebrowser_debcheck.rc == 1 and python3pypeg2_debcheck.rc == 1
-
-- name: Download qutebrowser package.
- get_url: url={{ qutebrowser_deb_url }} dest={{ qutebrowser_deb_path }}
- when: qutebrowser_debcheck.rc == 1
-
-# We use command: apt as a workaround because the Ansible apt module installs
-# the Depends of the .deb marked as manual while we want them marked as auto.
-- name: Install python3-pypeg2 package,
- command: apt install --yes "{{ python3pypeg2_deb_path}}"
- when: qutebrowser_debcheck.rc == 1 and python3pypeg2_debcheck.rc == 1
-
-- name: Mark python3-pypeg2 package as automatically installed.
- command: apt-mark auto python3-pypeg2
- when: qutebrowser_debcheck.rc == 1 and python3pypeg2_debcheck.rc == 1
-
-# We use command: apt as a workaround because the Ansible apt module installs
-# the Depends of the .deb marked as manual while we want them marked as auto.
-- name: Install qutebrowser package.
- command: apt install --yes "{{ qutebrowser_deb_path}}"
- when: qutebrowser_debcheck.rc == 1
+++ /dev/null
-- hosts: all
- tasks:
-
- - name: ensure ~/.vimbackups directory
- file: state=directory dest=~/.vimbackups
- - name: Ensure dotfile symlinks
- file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
- with_fileglob:
- - ~/config/dotfiles/minimal/*
- - ~/config/dotfiles/user/thinkpad/minimal/*
- - ~/config/dotfiles/user/thinkpad/W530/*
- - name: ensure ~/downloads directory
- file: state=directory dest=~/downloads
+++ /dev/null
-- hosts: all
- tasks:
-
- - name: ensure ~/.vimbackups directory
- file: state=directory dest=~/.vimbackups
- - name: Ensure dotfile symlinks
- file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
- with_fileglob:
- - ~/config/dotfiles/minimal/*
- - ~/config/dotfiles/user/thinkpad/minimal/*
- - ~/config/dotfiles/user/thinkpad/{{ system_name }}/*
- - name: ensure ~/downloads directory
- file: state=directory dest=~/downloads
+++ /dev/null
-#!/usr/bin/env python3
-import lxml
-import argparse
-# use with `find status.plomlompom.com -type f -name "*.html" -exec ./archive_plomroma.py -f {} \;`
-
-parser = argparse.ArgumentParser(description="archive plom's self-hosted pleroma feed")
-parser.add_argument("-f", "--file", dest="file", required=True, help="HTML file to process")
-args = parser.parse_args()
-print("processing", args.file)
-
-def print_tree(node, level=0):
- tag = node.tag
- id = node.get("id")
- classes = node.get("class")
- text = (node.text or "").strip()
- attributes_info = []
- if id:
- attributes_info.append(f"id='{id}'")
- if classes:
- attributes_info.append(f"class='{classes}'")
- attr_str = " ".join(attributes_info)
- print(" " * level + f"<{tag} {attr_str}>", end="")
- if text:
- print(f" -> {text}")
- else:
- print()
- for child in node:
- print_tree(child, level + 1)
-
-with open(args.file, "r", encoding="utf-8") as file:
- content = file.read()
-from lxml import html
-tree = html.fromstring(content)
-
-atom_links = tree.xpath('/html/head/link[@rel="alternate"]')
-for atom_link in atom_links:
- atom_link.getparent().remove(atom_link)
-comments = tree.xpath('//comment()')
-for comment in comments:
- comment.getparent().remove(comment)
-forms = tree.xpath('//form')
-for form in forms:
- form.getparent().remove(form)
-
-
-def has_class(context, element, class_name):
- classes = element[0].get('class', '').split()
- return class_name in classes
-ns = lxml.etree.FunctionNamespace(None)
-ns['has-class'] = has_class
-matching_divs = tree.xpath('//div[has-class(., "activity") and .//div[has-class(., "p-author")] and .//bdi[has-class(., "p-name") and string()!="plomlompom"]]')
-imgs = tree.xpath('//img')
-for img in imgs:
- src = img.get('src')
- if src and not src.startswith('https://status.plomlompom.com/'):
- img.attrib.pop('src', None)
- alt = img.get('alt')
- if alt and not alt.startswith('../'):
- img.attrib.pop('alt', None)
- title = img.get('title')
- if title and not title.startswith('../'):
- img.attrib.pop('title', None)
-removal_notice = "[Removed foreign content for static archive, follow permalink on date to see original.]"
-for activity_div in matching_divs:
- details = activity_div.xpath('.//details[./div[has-class]]')
- for detail in details:
- new_div = lxml.etree.Element("div")
- new_div.text = removal_notice
- detail.getparent().replace(detail, new_div)
- e_contents = activity_div.xpath('.//div[has-class(., "e-content") or has-class(., "activity-content")]')
- for content in e_contents:
- content.clear()
- content.text = removal_notice
-
-header = """
-<p style="text-align: right;"><a href="https://plomlompom.com/contact.html">contact</a> / <a href="https://plomlompom.com/privacy.html">privacy</a></p>
-<p>plomroma (archived): This site is a static archive of a Pleroma instance formerly hosted by me, to preserve my own messages from that time. Foreign content has been removed, but may still be available via links.</p>
-<hr />
-"""
-tree.body.insert(0, html.fromstring(header))
-
-# print_tree(tree)
-with open(args.file, "w", encoding="utf-8") as file:
- file.write(html.tostring(tree, pretty_print=True, encoding="utf-8").decode("utf-8"))
-
-print("done")
--- /dev/null
+# connectivity: ifupdown seems necessary everyhwere, isc-dhcp-client
+# unpredictably so
+ifupdown
+isc-dhcp-client
+# git for the setup directory; cloning works with ca-certificates
+ca-certificates
+git
+# to avoid constant warnings about no locale being found
+locales
--- /dev/null
+# needed to log in to server via ssh
+openssh-server
+# provides /etc/inputrc and understanding of ctrl+arrow key combos
+readline-common
+# provides systemd scripts that configure iptables via /etc/iptables/*
+iptables-persistent
+# this line is here because the shell "read" in install_for_target.sh ignores lines without final newline
\ No newline at end of file
--- /dev/null
+#!/bin/sh
+set -e
+
+standard_repo="borg"
+config_file="${HOME}/.borgrepos"
+
+usage() {
+ echo "Need operation as argument, one of:"
+ echo "init"
+ echo "store"
+ echo "check"
+ echo "export_keyfiles"
+ echo "orgpush"
+ echo "orgpull"
+ false
+}
+
+read_pw() {
+ if [ "${#SSH_AGENT_PID}" -eq 0 ]; then
+ eval $(ssh-agent)
+ echo "ssh-add"
+ stty -echo
+ ssh-add
+ stty echo
+ fi
+ if [ "${#BORG_PASSPHRASE}" -eq 0 ]; then
+ stty -echo
+ printf "Borg passphrase: "
+ read password
+ stty echo
+ printf "\n"
+ export BORG_PASSPHRASE="${password}"
+ fi
+}
+
+if [ ! -f "${config_file}" ]; then
+ echo '# file read ends at last newline' >> "${config_file}"
+fi
+if [ "$#" -lt 1 ]; then
+ usage
+fi
+first_arg="$1"
+shift
+if [ "${first_arg}" = "init" ]; then
+ if [ ! "$#" -eq 1 ]; then
+ echo "Need exactly one argument: target of form user@server"
+ false
+ fi
+ target="$1"
+ echo "Initializing: ${target}"
+ borg init --verbose --encryption=keyfile "${target}:${standard_repo}"
+ tmp_file="/tmp/new_borgrepos"
+ echo "${target}" > "${tmp_file}"
+ cat "${config_file}" >> "${tmp_file}"
+ cp "${tmp_file}" "${config_file}"
+elif [ "${first_arg}" = "store" ]; then
+ if [ ! "$#" -eq 2 ]; then
+ echo "Need precisely two arguments: archive name and path to archive."
+ false
+ fi
+ archive_name=$1
+ shift
+ to_backup="$@"
+ read_pw
+ cat "${config_file}" | while read line; do
+ first_char=$(echo "${line}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ continue
+ fi
+ repo="${line}:${standard_repo}"
+ archive="${repo}::${archive_name}-{utcnow:%Y-%m-%dT%H:%M}"
+ echo "Creating archive: ${archive}"
+ borg create --verbose --list "${archive}" "${to_backup}"
+ done
+elif [ "${first_arg}" = "check" ]; then
+ if [ ! "$#" -eq 0 ]; then
+ echo "Need no arguments"
+ false
+ fi
+ read_pw
+ cat "${config_file}" | while read line; do
+ first_char=$(echo "${line}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ continue
+ fi
+ repo="${line}:${standard_repo}"
+ echo "Checking repo: ${repo}"
+ borg check --verbose "${repo}"
+ done
+elif [ "${first_arg}" = "export_keyfiles" ]; then
+ if [ ! "$#" -eq 1 ]; then
+ echo "Need output tar file name."
+ false
+ fi
+ tar_target="${1}"
+ tmp_dir="${HOME}/.borgtmp"
+ keyfiles_dir="${tmp_dir}/borg_keyfiles"
+ mkdir -p "${keyfiles_dir}"
+ cat "${config_file}" | while read line; do
+ first_char=$(echo "${line}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ continue
+ fi
+ repo="${line}:${standard_repo}"
+ borg key export "${repo}" "${keyfiles_dir}/${line}"
+ done
+ cur_dir="$(pwd)"
+ cd "${tmp_dir}"
+ target=$(basename "${keyfiles_dir}")
+ tar cf "${tar_target}" "${target}"
+ mv "${tar_target}" "${cur_dir}"
+ cd
+ rm -rf "${tmp_dir}"
+elif [ "${first_arg}" = "orgpush" ]; then
+ archive_name="orgdir"
+ to_backup=~/org
+ read_pw
+ cat "${config_file}" | while read line; do
+ first_char=$(echo "${line}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ continue
+ fi
+ repo="${line}:${standard_repo}"
+ archive="${repo}::${archive_name}-{utcnow:%Y-%m-%dT%H:%M}"
+ echo "Creating archive: ${archive}"
+ borg create --verbose --list "${archive}" "${to_backup}" --exclude ~/org/.git
+ done
+elif [ "${first_arg}" = "orgpull" ]; then
+ archive_name="orgdir"
+ read_pw
+ cd /
+ cat "${config_file}" | while read line; do
+ first_char=$(echo "${line}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ continue
+ fi
+ repo="${line}:${standard_repo}"
+ archive=$(borg list "${repo}" | grep "${orgdir}" | tail -1 | cut -f1 -d' ')
+ echo "Pulling archive: ${archive}"
+ borg extract --verbose "${repo}::${archive}"
+ break
+ done
+else
+ usage
+fi
--- /dev/null
+APT::AutoRemove::RecommendsImportant "false";
+APT::AutoRemove::SuggestsImportant "false";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
--- /dev/null
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb http://ftp.debian.org/debian stretch-backports main contrib non-free
\ No newline at end of file
--- /dev/null
+# This file lists locales that you wish to have built. You can find a list
+# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
+# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
+# this file, you need to rerun locale-gen.
+
+
+# aa_DJ ISO-8859-1
+# aa_DJ.UTF-8 UTF-8
+# aa_ER UTF-8
+# aa_ER@saaho UTF-8
+# aa_ET UTF-8
+# af_ZA ISO-8859-1
+# af_ZA.UTF-8 UTF-8
+# ak_GH UTF-8
+# am_ET UTF-8
+# an_ES ISO-8859-15
+# an_ES.UTF-8 UTF-8
+# anp_IN UTF-8
+# ar_AE ISO-8859-6
+# ar_AE.UTF-8 UTF-8
+# ar_BH ISO-8859-6
+# ar_BH.UTF-8 UTF-8
+# ar_DZ ISO-8859-6
+# ar_DZ.UTF-8 UTF-8
+# ar_EG ISO-8859-6
+# ar_EG.UTF-8 UTF-8
+# ar_IN UTF-8
+# ar_IQ ISO-8859-6
+# ar_IQ.UTF-8 UTF-8
+# ar_JO ISO-8859-6
+# ar_JO.UTF-8 UTF-8
+# ar_KW ISO-8859-6
+# ar_KW.UTF-8 UTF-8
+# ar_LB ISO-8859-6
+# ar_LB.UTF-8 UTF-8
+# ar_LY ISO-8859-6
+# ar_LY.UTF-8 UTF-8
+# ar_MA ISO-8859-6
+# ar_MA.UTF-8 UTF-8
+# ar_OM ISO-8859-6
+# ar_OM.UTF-8 UTF-8
+# ar_QA ISO-8859-6
+# ar_QA.UTF-8 UTF-8
+# ar_SA ISO-8859-6
+# ar_SA.UTF-8 UTF-8
+# ar_SD ISO-8859-6
+# ar_SD.UTF-8 UTF-8
+# ar_SS UTF-8
+# ar_SY ISO-8859-6
+# ar_SY.UTF-8 UTF-8
+# ar_TN ISO-8859-6
+# ar_TN.UTF-8 UTF-8
+# ar_YE ISO-8859-6
+# ar_YE.UTF-8 UTF-8
+# as_IN UTF-8
+# ast_ES ISO-8859-15
+# ast_ES.UTF-8 UTF-8
+# ayc_PE UTF-8
+# az_AZ UTF-8
+# be_BY CP1251
+# be_BY.UTF-8 UTF-8
+# be_BY@latin UTF-8
+# bem_ZM UTF-8
+# ber_DZ UTF-8
+# ber_MA UTF-8
+# bg_BG CP1251
+# bg_BG.UTF-8 UTF-8
+# bhb_IN.UTF-8 UTF-8
+# bho_IN UTF-8
+# bn_BD UTF-8
+# bn_IN UTF-8
+# bo_CN UTF-8
+# bo_IN UTF-8
+# br_FR ISO-8859-1
+# br_FR.UTF-8 UTF-8
+# br_FR@euro ISO-8859-15
+# brx_IN UTF-8
+# bs_BA ISO-8859-2
+# bs_BA.UTF-8 UTF-8
+# byn_ER UTF-8
+# ca_AD ISO-8859-15
+# ca_AD.UTF-8 UTF-8
+# ca_ES ISO-8859-1
+# ca_ES.UTF-8 UTF-8
+# ca_ES.UTF-8@valencia UTF-8
+# ca_ES@euro ISO-8859-15
+# ca_ES@valencia ISO-8859-15
+# ca_FR ISO-8859-15
+# ca_FR.UTF-8 UTF-8
+# ca_IT ISO-8859-15
+# ca_IT.UTF-8 UTF-8
+# ce_RU UTF-8
+# chr_US UTF-8
+# cmn_TW UTF-8
+# crh_UA UTF-8
+# cs_CZ ISO-8859-2
+# cs_CZ.UTF-8 UTF-8
+# csb_PL UTF-8
+# cv_RU UTF-8
+# cy_GB ISO-8859-14
+# cy_GB.UTF-8 UTF-8
+# da_DK ISO-8859-1
+# da_DK.UTF-8 UTF-8
+# de_AT ISO-8859-1
+# de_AT.UTF-8 UTF-8
+# de_AT@euro ISO-8859-15
+# de_BE ISO-8859-1
+# de_BE.UTF-8 UTF-8
+# de_BE@euro ISO-8859-15
+# de_CH ISO-8859-1
+# de_CH.UTF-8 UTF-8
+# de_DE ISO-8859-1
+# de_DE.UTF-8 UTF-8
+# de_DE@euro ISO-8859-15
+# de_IT ISO-8859-1
+# de_IT.UTF-8 UTF-8
+# de_LI.UTF-8 UTF-8
+# de_LU ISO-8859-1
+# de_LU.UTF-8 UTF-8
+# de_LU@euro ISO-8859-15
+# doi_IN UTF-8
+# dv_MV UTF-8
+# dz_BT UTF-8
+# el_CY ISO-8859-7
+# el_CY.UTF-8 UTF-8
+# el_GR ISO-8859-7
+# el_GR.UTF-8 UTF-8
+# en_AG UTF-8
+# en_AU ISO-8859-1
+# en_AU.UTF-8 UTF-8
+# en_BW ISO-8859-1
+# en_BW.UTF-8 UTF-8
+# en_CA ISO-8859-1
+# en_CA.UTF-8 UTF-8
+# en_DK ISO-8859-1
+# en_DK.ISO-8859-15 ISO-8859-15
+# en_DK.UTF-8 UTF-8
+# en_GB ISO-8859-1
+# en_GB.ISO-8859-15 ISO-8859-15
+# en_GB.UTF-8 UTF-8
+# en_HK ISO-8859-1
+# en_HK.UTF-8 UTF-8
+# en_IE ISO-8859-1
+# en_IE.UTF-8 UTF-8
+# en_IE@euro ISO-8859-15
+# en_IL UTF-8
+# en_IN UTF-8
+# en_NG UTF-8
+# en_NZ ISO-8859-1
+# en_NZ.UTF-8 UTF-8
+# en_PH ISO-8859-1
+# en_PH.UTF-8 UTF-8
+# en_SG ISO-8859-1
+# en_SG.UTF-8 UTF-8
+# en_US ISO-8859-1
+# en_US.ISO-8859-15 ISO-8859-15
+en_US.UTF-8 UTF-8
+# en_ZA ISO-8859-1
+# en_ZA.UTF-8 UTF-8
+# en_ZM UTF-8
+# en_ZW ISO-8859-1
+# en_ZW.UTF-8 UTF-8
+# eo UTF-8
+# es_AR ISO-8859-1
+# es_AR.UTF-8 UTF-8
+# es_BO ISO-8859-1
+# es_BO.UTF-8 UTF-8
+# es_CL ISO-8859-1
+# es_CL.UTF-8 UTF-8
+# es_CO ISO-8859-1
+# es_CO.UTF-8 UTF-8
+# es_CR ISO-8859-1
+# es_CR.UTF-8 UTF-8
+# es_CU UTF-8
+# es_DO ISO-8859-1
+# es_DO.UTF-8 UTF-8
+# es_EC ISO-8859-1
+# es_EC.UTF-8 UTF-8
+# es_ES ISO-8859-1
+# es_ES.UTF-8 UTF-8
+# es_ES@euro ISO-8859-15
+# es_GT ISO-8859-1
+# es_GT.UTF-8 UTF-8
+# es_HN ISO-8859-1
+# es_HN.UTF-8 UTF-8
+# es_MX ISO-8859-1
+# es_MX.UTF-8 UTF-8
+# es_NI ISO-8859-1
+# es_NI.UTF-8 UTF-8
+# es_PA ISO-8859-1
+# es_PA.UTF-8 UTF-8
+# es_PE ISO-8859-1
+# es_PE.UTF-8 UTF-8
+# es_PR ISO-8859-1
+# es_PR.UTF-8 UTF-8
+# es_PY ISO-8859-1
+# es_PY.UTF-8 UTF-8
+# es_SV ISO-8859-1
+# es_SV.UTF-8 UTF-8
+# es_US ISO-8859-1
+# es_US.UTF-8 UTF-8
+# es_UY ISO-8859-1
+# es_UY.UTF-8 UTF-8
+# es_VE ISO-8859-1
+# es_VE.UTF-8 UTF-8
+# et_EE ISO-8859-1
+# et_EE.ISO-8859-15 ISO-8859-15
+# et_EE.UTF-8 UTF-8
+# eu_ES ISO-8859-1
+# eu_ES.UTF-8 UTF-8
+# eu_ES@euro ISO-8859-15
+# eu_FR ISO-8859-1
+# eu_FR.UTF-8 UTF-8
+# eu_FR@euro ISO-8859-15
+# fa_IR UTF-8
+# ff_SN UTF-8
+# fi_FI ISO-8859-1
+# fi_FI.UTF-8 UTF-8
+# fi_FI@euro ISO-8859-15
+# fil_PH UTF-8
+# fo_FO ISO-8859-1
+# fo_FO.UTF-8 UTF-8
+# fr_BE ISO-8859-1
+# fr_BE.UTF-8 UTF-8
+# fr_BE@euro ISO-8859-15
+# fr_CA ISO-8859-1
+# fr_CA.UTF-8 UTF-8
+# fr_CH ISO-8859-1
+# fr_CH.UTF-8 UTF-8
+# fr_FR ISO-8859-1
+# fr_FR.UTF-8 UTF-8
+# fr_FR@euro ISO-8859-15
+# fr_LU ISO-8859-1
+# fr_LU.UTF-8 UTF-8
+# fr_LU@euro ISO-8859-15
+# fur_IT UTF-8
+# fy_DE UTF-8
+# fy_NL UTF-8
+# ga_IE ISO-8859-1
+# ga_IE.UTF-8 UTF-8
+# ga_IE@euro ISO-8859-15
+# gd_GB ISO-8859-15
+# gd_GB.UTF-8 UTF-8
+# gez_ER UTF-8
+# gez_ER@abegede UTF-8
+# gez_ET UTF-8
+# gez_ET@abegede UTF-8
+# gl_ES ISO-8859-1
+# gl_ES.UTF-8 UTF-8
+# gl_ES@euro ISO-8859-15
+# gu_IN UTF-8
+# gv_GB ISO-8859-1
+# gv_GB.UTF-8 UTF-8
+# ha_NG UTF-8
+# hak_TW UTF-8
+# he_IL ISO-8859-8
+# he_IL.UTF-8 UTF-8
+# hi_IN UTF-8
+# hne_IN UTF-8
+# hr_HR ISO-8859-2
+# hr_HR.UTF-8 UTF-8
+# hsb_DE ISO-8859-2
+# hsb_DE.UTF-8 UTF-8
+# ht_HT UTF-8
+# hu_HU ISO-8859-2
+# hu_HU.UTF-8 UTF-8
+# hy_AM UTF-8
+# hy_AM.ARMSCII-8 ARMSCII-8
+# ia_FR UTF-8
+# id_ID ISO-8859-1
+# id_ID.UTF-8 UTF-8
+# ig_NG UTF-8
+# ik_CA UTF-8
+# is_IS ISO-8859-1
+# is_IS.UTF-8 UTF-8
+# it_CH ISO-8859-1
+# it_CH.UTF-8 UTF-8
+# it_IT ISO-8859-1
+# it_IT.UTF-8 UTF-8
+# it_IT@euro ISO-8859-15
+# iu_CA UTF-8
+# ja_JP.EUC-JP EUC-JP
+# ja_JP.UTF-8 UTF-8
+# ka_GE GEORGIAN-PS
+# ka_GE.UTF-8 UTF-8
+# kk_KZ PT154
+# kk_KZ.RK1048 RK1048
+# kk_KZ.UTF-8 UTF-8
+# kl_GL ISO-8859-1
+# kl_GL.UTF-8 UTF-8
+# km_KH UTF-8
+# kn_IN UTF-8
+# ko_KR.EUC-KR EUC-KR
+# ko_KR.UTF-8 UTF-8
+# kok_IN UTF-8
+# ks_IN UTF-8
+# ks_IN@devanagari UTF-8
+# ku_TR ISO-8859-9
+# ku_TR.UTF-8 UTF-8
+# kw_GB ISO-8859-1
+# kw_GB.UTF-8 UTF-8
+# ky_KG UTF-8
+# lb_LU UTF-8
+# lg_UG ISO-8859-10
+# lg_UG.UTF-8 UTF-8
+# li_BE UTF-8
+# li_NL UTF-8
+# lij_IT UTF-8
+# ln_CD UTF-8
+# lo_LA UTF-8
+# lt_LT ISO-8859-13
+# lt_LT.UTF-8 UTF-8
+# lv_LV ISO-8859-13
+# lv_LV.UTF-8 UTF-8
+# lzh_TW UTF-8
+# mag_IN UTF-8
+# mai_IN UTF-8
+# mg_MG ISO-8859-15
+# mg_MG.UTF-8 UTF-8
+# mhr_RU UTF-8
+# mi_NZ ISO-8859-13
+# mi_NZ.UTF-8 UTF-8
+# mk_MK ISO-8859-5
+# mk_MK.UTF-8 UTF-8
+# ml_IN UTF-8
+# mn_MN UTF-8
+# mni_IN UTF-8
+# mr_IN UTF-8
+# ms_MY ISO-8859-1
+# ms_MY.UTF-8 UTF-8
+# mt_MT ISO-8859-3
+# mt_MT.UTF-8 UTF-8
+# my_MM UTF-8
+# nan_TW UTF-8
+# nan_TW@latin UTF-8
+# nb_NO ISO-8859-1
+# nb_NO.UTF-8 UTF-8
+# nds_DE UTF-8
+# nds_NL UTF-8
+# ne_NP UTF-8
+# nhn_MX UTF-8
+# niu_NU UTF-8
+# niu_NZ UTF-8
+# nl_AW UTF-8
+# nl_BE ISO-8859-1
+# nl_BE.UTF-8 UTF-8
+# nl_BE@euro ISO-8859-15
+# nl_NL ISO-8859-1
+# nl_NL.UTF-8 UTF-8
+# nl_NL@euro ISO-8859-15
+# nn_NO ISO-8859-1
+# nn_NO.UTF-8 UTF-8
+# nr_ZA UTF-8
+# nso_ZA UTF-8
+# oc_FR ISO-8859-1
+# oc_FR.UTF-8 UTF-8
+# om_ET UTF-8
+# om_KE ISO-8859-1
+# om_KE.UTF-8 UTF-8
+# or_IN UTF-8
+# os_RU UTF-8
+# pa_IN UTF-8
+# pa_PK UTF-8
+# pap_AW UTF-8
+# pap_CW UTF-8
+# pl_PL ISO-8859-2
+# pl_PL.UTF-8 UTF-8
+# ps_AF UTF-8
+# pt_BR ISO-8859-1
+# pt_BR.UTF-8 UTF-8
+# pt_PT ISO-8859-1
+# pt_PT.UTF-8 UTF-8
+# pt_PT@euro ISO-8859-15
+# quz_PE UTF-8
+# raj_IN UTF-8
+# ro_RO ISO-8859-2
+# ro_RO.UTF-8 UTF-8
+# ru_RU ISO-8859-5
+# ru_RU.CP1251 CP1251
+# ru_RU.KOI8-R KOI8-R
+# ru_RU.UTF-8 UTF-8
+# ru_UA KOI8-U
+# ru_UA.UTF-8 UTF-8
+# rw_RW UTF-8
+# sa_IN UTF-8
+# sat_IN UTF-8
+# sc_IT UTF-8
+# sd_IN UTF-8
+# sd_IN@devanagari UTF-8
+# se_NO UTF-8
+# sgs_LT UTF-8
+# shs_CA UTF-8
+# si_LK UTF-8
+# sid_ET UTF-8
+# sk_SK ISO-8859-2
+# sk_SK.UTF-8 UTF-8
+# sl_SI ISO-8859-2
+# sl_SI.UTF-8 UTF-8
+# so_DJ ISO-8859-1
+# so_DJ.UTF-8 UTF-8
+# so_ET UTF-8
+# so_KE ISO-8859-1
+# so_KE.UTF-8 UTF-8
+# so_SO ISO-8859-1
+# so_SO.UTF-8 UTF-8
+# sq_AL ISO-8859-1
+# sq_AL.UTF-8 UTF-8
+# sq_MK UTF-8
+# sr_ME UTF-8
+# sr_RS UTF-8
+# sr_RS@latin UTF-8
+# ss_ZA UTF-8
+# st_ZA ISO-8859-1
+# st_ZA.UTF-8 UTF-8
+# sv_FI ISO-8859-1
+# sv_FI.UTF-8 UTF-8
+# sv_FI@euro ISO-8859-15
+# sv_SE ISO-8859-1
+# sv_SE.ISO-8859-15 ISO-8859-15
+# sv_SE.UTF-8 UTF-8
+# sw_KE UTF-8
+# sw_TZ UTF-8
+# szl_PL UTF-8
+# ta_IN UTF-8
+# ta_LK UTF-8
+# tcy_IN.UTF-8 UTF-8
+# te_IN UTF-8
+# tg_TJ KOI8-T
+# tg_TJ.UTF-8 UTF-8
+# th_TH TIS-620
+# th_TH.UTF-8 UTF-8
+# the_NP UTF-8
+# ti_ER UTF-8
+# ti_ET UTF-8
+# tig_ER UTF-8
+# tk_TM UTF-8
+# tl_PH ISO-8859-1
+# tl_PH.UTF-8 UTF-8
+# tn_ZA UTF-8
+# tr_CY ISO-8859-9
+# tr_CY.UTF-8 UTF-8
+# tr_TR ISO-8859-9
+# tr_TR.UTF-8 UTF-8
+# ts_ZA UTF-8
+# tt_RU UTF-8
+# tt_RU@iqtelif UTF-8
+# ug_CN UTF-8
+# uk_UA KOI8-U
+# uk_UA.UTF-8 UTF-8
+# unm_US UTF-8
+# ur_IN UTF-8
+# ur_PK UTF-8
+# uz_UZ ISO-8859-1
+# uz_UZ.UTF-8 UTF-8
+# uz_UZ@cyrillic UTF-8
+# ve_ZA UTF-8
+# vi_VN UTF-8
+# wa_BE ISO-8859-1
+# wa_BE.UTF-8 UTF-8
+# wa_BE@euro ISO-8859-15
+# wae_CH UTF-8
+# wal_ET UTF-8
+# wo_SN UTF-8
+# xh_ZA ISO-8859-1
+# xh_ZA.UTF-8 UTF-8
+# yi_US CP1255
+# yi_US.UTF-8 UTF-8
+# yo_NG UTF-8
+# yue_HK UTF-8
+# zh_CN GB2312
+# zh_CN.GB18030 GB18030
+# zh_CN.GBK GBK
+# zh_CN.UTF-8 UTF-8
+# zh_HK BIG5-HKSCS
+# zh_HK.UTF-8 UTF-8
+# zh_SG GB2312
+# zh_SG.GBK GBK
+# zh_SG.UTF-8 UTF-8
+# zh_TW BIG5
+# zh_TW.EUC-TW EUC-TW
+# zh_TW.UTF-8 UTF-8
+# zu_ZA ISO-8859-1
+# zu_ZA.UTF-8 UTF-8
--- /dev/null
+Europe/Berlin
--- /dev/null
+# /etc/aliases
+
+# As per RFC 2142.
+mailer-daemon: plom
+postmaster: plom
+hostmaster: plom
+usenet: plom
+news: plom
+webmaster: plom
+www: plom
+ftp: plom
+abuse: plom
+noc: plom
+security: plom
+root: plom
+
+# Personal aliases.
+plomlompom: plom
+christian.heller: plom
+christian_heller: plom
+christianheller: plom
+c.heller: plom
+heller: plom
--- /dev/null
+# This is only necessary when we use dovecot's LMTP mechanism to receive
+# mail from postfix.
+auth_username_format = %Ln
--- /dev/null
+# Add sieve filtering.
+protocol lmtp {
+ mail_plugins = $mail_plugins sieve
+}
--- /dev/null
+mail_privileged_group = mail
\ No newline at end of file
--- /dev/null
+service auth {
+ unix_listener auth-userdb {
+ }
+
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0660
+ user = postfix
+ group = postfix
+ }
+}
+
+# We don't strictly need to provide a LMTP server to fetch mail from
+# postfix, but we do if we want to do sophisticated stuff like sieve
+# filtering on the way.
+service lmtp {
+ inet_listener lmtp {
+ address = 127.0.0.1
+ port = 2424
+ }
+}
--- /dev/null
+ssl = required
--- /dev/null
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+# otherwise self-referential connections to local host will fail
+-A INPUT -i lo -j ACCEPT
+# this enables ping etc.
+-A INPUT -p icmp -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# SMTP (allowing for STARTTLS); necessary for mail server to mail server banter
+-A INPUT -p tcp --dport 25 -j ACCEPT
+# SMTPS, for mail server to mail user agent communication
+-A INPUT -p tcp --dport 465 -j ACCEPT
+# IMAPS
+-A INPUT -p tcp --dport 993 -j ACCEPT
+COMMIT
+# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
--- /dev/null
+# mailutils by default uses the FQDN as the mail domain name, fix this
+address {
+ email-domain REPLACE_maildomain_ECALPER;
+};
--- /dev/null
+# This is a basic configuration that can easily be adapted to suit a standard
+# installation. For more advanced options, see opendkim.conf(5) and/or
+# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
+
+# Log to syslog
+Syslog yes
+# Required to use local socket with MTAs that access the socket as a non-
+# privileged user (e.g. Postfix)
+UMask 007
+
+# Sign for example.com with key in /etc/dkimkeys/dkim.key using
+# selector '2007' (e.g. 2007._domainkey.example.com)
+#Domain example.com
+#KeyFile /etc/dkimkeys/dkim.key
+#Selector 2007
+Domain REPLACE_Domain_ECALPER
+KeyFile /etc/dkimkeys/REPLACE_Selector_ECALPER.private
+Selector REPLACE_Selector_ECALPER
+
+# Commonly-used options; the commented-out versions show the defaults.
+#Canonicalization simple
+#Mode sv
+#SubDomains no
+#SubDomains yes
+Canonicalization relaxed/simple
+
+# Socket smtp://localhost
+#
+# ## Socket socketspec
+# ##
+# ## Names the socket where this filter should listen for milter connections
+# ## from the MTA. Required. Should be in one of these forms:
+# ##
+# ## inet:port@address to listen on a specific interface
+# ## inet:port to listen on all interfaces
+# ## local:/path/to/socket to listen on a UNIX domain socket
+#
+#Socket inet:8892@localhost
+#Socket local:/var/run/opendkim/opendkim.sock
+Socket inet:12301@localhost
+
+## PidFile filename
+### default (none)
+###
+### Name of the file where the filter should write its pid before beginning
+### normal operations.
+#
+PidFile /var/run/opendkim/opendkim.pid
+
+
+# Always oversign From (sign using actual From and a null From to prevent
+# malicious signatures header fields (From and/or others) between the signer
+# and the verifier. From is oversigned by default in the Debian pacakge
+# because it is often the identity key used by reputation systems and thus
+# somewhat security sensitive.
+OversignHeaders From
+
+## ResolverConfiguration filename
+## default (none)
+##
+## Specifies a configuration file to be passed to the Unbound library that
+## performs DNS queries applying the DNSSEC protocol. See the Unbound
+## documentation at http://unbound.net for the expected content of this file.
+## The results of using this and the TrustAnchorFile setting at the same
+## time are undefined.
+## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
+## unbound package
+
+# ResolverConfiguration /etc/unbound/unbound.conf
+
+## TrustAnchorFile filename
+## default (none)
+##
+## Specifies a file from which trust anchor data should be read when doing
+## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
+## at http://unbound.net for the expected format of this file.
+
+TrustAnchorFile /usr/share/dns/root.key
+
+## Userid userid
+### default (none)
+###
+### Change to user "userid" before starting normal operation? May include
+### a group ID as well, separated from the userid by a colon.
+#
+UserID opendkim
\ No newline at end of file
--- /dev/null
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# TLS parameters (excluding smtpd_tls_(cert|key)_file for own adaption below)
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myorigin = /etc/mailname
+myhostname = REPLACE_myhostname_ECALPER
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname localhost.$mydomain localhost REPLACE_mydomain_if_domainwide_ECALPER
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all
+
+# plomlompom-specific adaptions to allow TLS and SASL via LetsEncrypt/Dovecot.
+smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# connect to opendkim
+smtpd_milters = inet:localhost:12301
+non_smtpd_milters = inet:localhost:12301
+
+# transport mail to dovecot; not strictly needed, as even without this
+# postfix will throw mail to /var/mail/USER to be found by dovecot for
+# serving via IMAP etc.; but using dovecot's LMTP server for delivery
+# allows us to do stuff like dovecot-side sieve filtering.
+mailbox_transport = lmtp:inet:127.0.0.1:2424
\ No newline at end of file
--- /dev/null
+#
+# Postfix master process configuration file. For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type private unpriv chroot wakeup maxproc command + args
+# (yes) (yes) (no) (never) (100)
+# ==========================================================================
+smtp inet n - y - - smtpd
+#smtp inet n - y - 1 postscreen
+#smtpd pass - - y - - smtpd
+#dnsblog unix - - y - 0 dnsblog
+#tlsproxy unix - - y - 0 tlsproxy
+#submission inet n - y - - smtpd
+# -o syslog_name=postfix/submission
+# -o smtpd_tls_security_level=encrypt
+# -o smtpd_sasl_auth_enable=yes
+# -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+smtps inet n - y - - smtpd
+ -o syslog_name=postfix/smtps
+ -o smtpd_tls_wrappermode=yes
+ -o smtpd_sasl_auth_enable=yes
+ -o smtpd_reject_unlisted_recipient=no
+# -o smtpd_client_restrictions=$mua_client_restrictions
+# -o smtpd_helo_restrictions=$mua_helo_restrictions
+# -o smtpd_sender_restrictions=$mua_sender_restrictions
+# -o smtpd_recipient_restrictions=
+# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+# -o milter_macro_daemon_name=ORIGINATING
+#628 inet n - y - - qmqpd
+pickup unix n - y 60 1 pickup
+cleanup unix n - y - 0 cleanup
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr
+tlsmgr unix - - y 1000? 1 tlsmgr
+rewrite unix - - y - - trivial-rewrite
+bounce unix - - y - 0 bounce
+defer unix - - y - 0 bounce
+trace unix - - y - 0 bounce
+verify unix - - y - 1 verify
+flush unix n - y 1000? 0 flush
+proxymap unix - - n - - proxymap
+proxywrite unix - - n - 1 proxymap
+smtp unix - - y - - smtp
+relay unix - - y - - smtp
+# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq unix n - y - - showq
+error unix - - y - - error
+retry unix - - y - - error
+discard unix - - y - - discard
+local unix - n n - - local
+virtual unix - n n - - virtual
+lmtp unix - - y - - lmtp
+anvil unix - - y - 1 anvil
+scache unix - - y - 1 scache
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent. See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+maildrop unix - n n - - pipe
+ flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+# mailbox_transport = lmtp:inet:localhost
+# virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus unix - n n - - pipe
+# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix - n n - - pipe
+# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+uucp unix - n n - - pipe
+ flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# Other external delivery methods.
+#
+ifmail unix - n n - - pipe
+ flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+bsmtp unix - n n - - pipe
+ flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
+scalemail-backend unix - n n - 2 pipe
+ flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
+mailman unix - n n - - pipe
+ flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+ ${nexthop} ${user}
+
--- /dev/null
+[Unit]
+Description=Run plom's fetchmail
+
+[Service]
+Type=oneshot
+User=plom
+# fetchmail returns 1 when no new mail, we want to catch that
+ExecStart=/bin/sh -c 'fetchmail || [ $? -eq 1 ]'
--- /dev/null
+[Unit]
+Description=Run pingmail check
+
+[Service]
+Type=oneshot
+User=plom
+ExecStart=/bin/sh -c '~/pingmail/pingmail check'
--- /dev/null
+[Unit]
+Description=Run fetchmail once every minute
+
+[Timer]
+OnCalendar=*-*-* *:*:00
+
+[Install]
+WantedBy=timers.target
--- /dev/null
+[Unit]
+Description=Run pingmail check once every hour
+
+[Timer]
+OnCalendar=*-*-* *:00:00
+
+[Install]
+WantedBy=timers.target
--- /dev/null
+[Unit]
+Description=Pull website repo
+[Service]
+Type=oneshot
+User=plom
+ExecStart=/bin/sh -c '~/encrypter.sh'
--- /dev/null
+[Unit]
+Description=Attempt encryption of old chatlogs once every minute.
+
+[Timer]
+OnCalendar=*-*-* *:*:00
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
--- /dev/null
+# /etc/aliases
+postmaster: root
+root: plom@plomlompom.com
\ No newline at end of file
--- /dev/null
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+
+
+# Debian specific: Specifying a file name will cause the first
+# line of that file to be used as the name. The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
+# fresh installs.
+compatibility_level = 2
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myorigin = /etc/mailname
+myhostname = $myorigin
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = $myhostname localhost.$mydomain localhost
+relayhost =
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = loopback-only
+inet_protocols = all
\ No newline at end of file
--- /dev/null
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+# otherwise self-referential connections to local host will fail
+-A INPUT -i lo -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# this enables ping etc.
+-A INPUT -p icmp -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+COMMIT
+# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
--- /dev/null
+# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no # plomlompom's security rule
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+ClientAliveInterval 120
+PasswordAuthentication no # plomlompom's security rule
--- /dev/null
+# /etc/cron.d/certbot: crontab entries for the certbot package
+#
+# Upstream recommends attempting renewal twice a day
+#
+# Eventually, this will be an opportunity to validate certificates
+# haven't been revoked, etc. Renewal will only occur if expiration
+# is within 30 days.
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+# plomlompom added the --webroot -w /var/www/html/ so that renewal
+# works with nginx running, and the nginx reload post-hook so that
+# the new certificates are linked to by nginx. Note that by default
+# we rely on the systemd timer service file instead of this cronjob,
+# but since both are installed by the certbot package to serve which
+# ever of the two is used, we cautiously adapt both of them too.
+0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload"
--- /dev/null
+# path to git projects (<project>.git)
+$projectroot = "/var/public_repos";
+
+# directory to use for temp files
+# explicitely set by Debian so it's probably a good choice
+$git_temp = "/tmp";
+
+# git-diff-tree(1) options to use for generated patches
+# we don't want to to guess renames, so empty
+@diff_opts = ();
+
+# Base path for where to find the repos for cloning.
+@git_base_url_list = ('https://REPLACE_fqdn_ECALPER/repos/clone');
+
+# allow snapshots
+$feature{'snapshot'}{'default'} = ['zip', 'tgz'];
+
+# insert header for GDPR compliance
+$site_header = "/var/www/header.html"
--- /dev/null
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT ACCEPT [0:0]
+# otherwise self-referential connections to local host will fail
+-A INPUT -i lo -j ACCEPT
+# tolerate any inbound connections requested by our server, no matter the port
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+# this enables ping etc.
+-A INPUT -p icmp -j ACCEPT
+# SSH
+-A INPUT -p tcp --dport 22 -j ACCEPT
+# HTTP
+-A INPUT -p tcp --dport 80 -j ACCEPT
+# HTTPS
+-A INPUT -p tcp --dport 443 -j ACCEPT
+COMMIT
+# this last line is here because iptables-restore ignores the final command if no newline follows it
\ No newline at end of file
--- /dev/null
+# system integration
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+
+# we need this for the xslt_stylesheet directive below
+#load_module modules/ngx_http_xslt_filter_module.so;
+
+# is expected even if empty
+events {
+}
+
+http {
+ # define content-type headers
+ types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ text/plain txt sh rst md asc;
+ application/xhtml+xml xhtml;
+ application/pdf pdf;
+ image/jpeg jpg jpeg;
+ image/png png;
+ }
+ default_type application/octet_stream;
+ charset utf-8;
+
+ # logging deactivated due to GDPR
+ #access_log /var/log/nginx/access.log;
+ #error_log /var/log/nginx/error.log;
+
+ # HTTP server: only enforce HTTPS
+ server {
+ listen 80;
+ return 301 https://$host$request_uri;
+ }
+
+ # HTTPS server
+ server {
+ listen 443 ssl;
+ server_name REPLACE_fqdn_ECALPER;
+ ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
+ root /var/www/html/;
+ index index.html index.htm index.nginx-debian.html;
+
+ # serve /var/www/public_repos/* for HTTPS git cloning
+ location ~ /repos/clone(/.*) {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /var/public_repos;
+ fastcgi_param PATH_INFO $1;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ # gitweb static files
+ location /repos/static/ {
+ alias /usr/share/gitweb/static/;
+ }
+
+ # gitweb; this needs packages fcgiwrap and gitweb
+ location /repos/ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ # login-protected IRC logs
+ location ~ /irclogs/([^/]+)/ {
+ auth_basic "$1 logs";
+ auth_basic_user_file /var/www/irclogs_pw/$1;
+ autoindex on;
+ }
+
+ ## entry for IRC logs
+ #location /irclogs/ {
+ # autoindex on;
+ # autoindex_format xml;
+ # xslt_stylesheet /var/www/autoindex.xslt;
+ #}
+ }
+}
--- /dev/null
+[Unit]
+Description=Certbot
+Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
+Documentation=https://letsencrypt.readthedocs.io/en/latest/
+[Service]
+# plomlompom added the --webroot -w /var/www/html/ so that renewal
+# works with nginx running, and the nginx reload post-hook so that
+# the new certificates are linked to by nginx.
+Type=oneshot
+ExecStart=/usr/bin/certbot -q renew --webroot -w /var/www/html/ --post-hook "service nginx reload"
+PrivateTmp=true
\ No newline at end of file
--- /dev/null
+[Unit]
+Description=plomlombot screen
+
+[Service]
+Type=simple
+User=plom
+ExecStart=/bin/sh -c '~/plomlombot_daemon.sh'
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+#!/bin/sh
+set -e
+
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+ echo "Need public key ID as argument."
+ false
+fi
+gpg_key="$1"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+apt -y install gnupg dirmngr
+keyservers='sks-keyservers.net/ keys.gnupg.net'
+set +e
+while true; do
+ do_break=0
+ for keyserver in $(echo "${keyservers}"); do
+ su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+ if [ $? -eq "0" ]; then
+ do_break=1
+ break
+ fi
+ echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+ done
+ if [ "${do_break}" -eq "1" ]; then
+ break
+ fi
+done
+set -e
+# TODO: We may remove dirmngr here if only this script installed it.
--- /dev/null
+#!/bin/sh
+# Hard link files to those in argument-selected subdirectories of
+# linkable_etc_files//, e.g. link /etc/foo/bar to
+# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
+# necessary. We do the hard linking so files that should be readable to
+# non-root in /etc/ remain so despite having a path below /root/, as
+# symbolic links point into /root/ without making the targets readable
+# to non-root.
+# CAUTION: This removes original files at the affected paths.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+linkable_files_dir="${config_tree_prefix}/linkable_etc_files"
+
+for target in "$@"; do
+ cd "${linkable_files_dir}/${target}"
+ for path in $(find . -type f); do
+ linking=$(echo "${path}" | cut -c2-)
+ linked=$(realpath "${path}")
+ dir=$(dirname "${linking}")
+ mkdir -p "${dir}"
+ ln -f "${linked}" "${linking}"
+ done
+done
--- /dev/null
+#!/bin/sh
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/config/all_new_2018"
+linkable_files_dir="${config_tree_prefix}/linkable_etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}/${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "Server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+ 'useradd -m plom && '\
+ 'mkdir /home/plom/.ssh && '\
+ 'chown plom:plom /home/plom/.ssh && '\
+ 'chown plom:plom /tmp/authorized_keys && '\
+ 'chmod u=rw,go= /tmp/authorized_keys && '\
+ 'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
--- /dev/null
+#!/bin/sh
+# Walks through the package names in the argument-selected files of
+# apt-mark/ and ensures the respective packages are installed.
+#
+# Ignores anything in an apt-mark/ file after the last newline.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ cat "${path}" | while read line; do
+ echo "$line"
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ apt-get -y install "${line}"
+ fi
+ done
+done
--- /dev/null
+#!/bin/sh
+# Certify current server with LetsEncrypt.
+# Uses hostname -f for the domain we want to certify.
+set -e
+
+# Ensure we have a mail address as argument.
+if [ $# -lt 1 ]; then
+ echo "Need mail address as argument."
+ false
+fi
+mail_address="$1"
+
+# We need certbot to get LetsEncrypt certificates.
+apt install -y certbot
+
+# If port 80 blocked by iptables, open it.
+set +e
+iptables -C INPUT -p tcp --dport 80 -j ACCEPT
+open_iptables="$?"
+set -e
+if [ "${open_iptables}" -eq "1" ]; then
+ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+fi
+
+# Create new certificate and copy it to /etc/letsencrypt.
+certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
+
+# Remove iptables rule to open port 80 if we added it.
+if [ "${open_iptables}" -eq "1" ]; then
+ iptables -D INPUT -p tcp --dport 80 -j ACCEPT
+fi
--- /dev/null
+#!/bin/sh
+# Copy over LetsEncrypt certificates from another server.
+set -e
+
+# Ensure we have a server name as argument.
+if [ $# -lt 1 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Copy over.
+ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
+scp plom@${server}:~/letsencrypt.tar .
+apt -y install certbot
+rmdir /etc/letsencrypt
+mv letsencrypt.tar /etc/
+cd /etc/
+tar xf letsencrypt.tar
+rm letsencrypt.tar
--- /dev/null
+#!/bin/sh
+# Mirror directory tree from remote to local server, keeping the path.
+set -e
+
+if [ $# -lt 2 ]; then
+ echo "Need server and directory as arguments."
+ false
+fi
+server=$1
+dir=$2
+path_package=/tmp/delete.tar
+
+eval `ssh-agent`
+ssh-add
+cd
+ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
+scp plom@"${server}":"${path_package}" "${path_package}"
+mkdir -p "${dir}"
+cd "${dir}"
+tar xf "${path_package}"
+cd
+rm "${path_package}"
+ssh plom@"${server}" rm "${path_package}"
--- /dev/null
+#!/bin/sh
+# Do some of the steps necessary to SSH (key-based) with another server.
+set -e
+
+target="$1"
+
+# We need a public key to copy over, so generate it if not found.
+if [ ! -f ~/.ssh/id_rsa.pub ]; then
+ ssh-keygen
+fi
+
+# Add target to ~/.ssh/known_hosts so we don't get
+# asked for permission at inopportune moments.
+ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
+
+# Tell user what to do.
+echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
+cat ~/.ssh/id_rsa.pub
--- /dev/null
+#!/bin/sh
+# This script removes all Debian packages that are not of Priority
+# "required" or not depended on by packages of priority "required"
+# or not listed in the argument-selected files of apt-mark/.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ cat "${path}" | while read line; do
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ echo "${line}" >> /tmp/list_white_unsorted
+ fi
+ done
+done
+sort /tmp/list_white_unsorted > /tmp/list_white
+dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
+sort /tmp/list_all_packages > /tmp/foo
+mv /tmp/foo /tmp/list_all_packages
+comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
+apt-mark auto `cat /tmp/list_black`
+DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
--- /dev/null
+#!/bin/sh
+# Sets hostname and optionally FQDN.
+#
+# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
+# writing follows recommendations from Debian manual at
+# <https://www.debian.org/doc/manuals/debian-reference/ch05.en.html>
+# (section "The hostname resolution") on how to map hostname and possibly
+# FQDN to a permanent IP if present (we assume here any non-private IP
+# and non-loopback IP returned by hostname -I to fulfill that criterion
+# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
+# localhost and hostname mapping to different IPs, see
+# <https://unix.stackexchange.com/a/13087>.
+set -e
+
+hostname="$1"
+fqdn="$2"
+if [ "${hostname}" = "" ]; then
+ echo "Need hostname as argument."
+ false
+fi
+echo "${hostname}" > /etc/hostname
+hostname "${hostname}"
+
+final_ip="127.0.1.1"
+for ip in $(hostname -I); do
+ range_1=$(echo "${ip}" | cut -d "." -f 1)
+ range_2=$(echo "${ip}" | cut -d "." -f 2)
+ if [ "${range_1}" -eq 127 ]; then
+ continue
+ elif [ "${range_1}" -eq 10 ]; then
+ continue
+ elif [ "${range_1}" -eq 172 ]; then
+ if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
+ continue
+ fi
+ elif [ "${range_1}" -eq 192 ]; then
+ if [ "${range_2}" -eq 168 ]; then
+ continue
+ fi
+ fi
+ final_ip="${ip}"
+done
+
+echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
+echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
--- /dev/null
+#/bin/sh
+set -e
+
+# Check we have the necessary arguments.
+if [ $# -lt 2 ]; then
+ echo "Give arguments of mail domain and DKIM selector."
+ echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
+ false
+fi
+mail_domain="$1"
+dkim_selector="$2"
+domainwide="$3"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# Set up DKIM key. Only keep opendkim-tools on system if pre-installed.
+mkdir -p /etc/dkimkeys/
+set +e
+dpkg -s opendkim-tools &> /dev/null
+preinstalled="$?"
+set -e
+if [ ! "${preinstalled}" -eq "0" ]; then
+ apt install -y opendkim-tools
+fi
+opendkim-genkey -s "${dkim_selector}"
+mv "${dkim_selector}.private" /etc/dkimkeys/
+if [ ! "${preinstalled}" -eq "0" ]; then
+ apt -y --purge autoremove opendkim-tools
+fi
+
+# Link and adapt mail-server-specific /etc/ files.
+./hardlink_etc.sh mail
+sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
+sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/main.cf
+if [ "${domainwide}" = "domainwide" ]; then
+ sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/main.cf
+else
+ sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/main.cf
+fi
+# Since we re-set the iptables rules, we need to reload them.
+iptables-restore /etc/iptables/rules.v4
+
+# Some useful debconf selections.
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
+echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
+
+# The second line should not be necessary due to the first line, but for
+# some reason the installation forgets to set up /etc/mailname early
+# enough to not (when running newaliases) stumble over its absence.
+echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
+echo "${mail_domain}" > /etc/mailname
+
+# Everything should now be ready for installations. Note that we don't
+# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER
+# in any case, to be found by dovecot; we use it as a transport mechanism to
+# allow for sophisticated stuff like dovecot-side sieve filtering (installed
+# with dovecot-sieve).
+apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim
+cp "${config_tree_prefix}/user_files/dovecot.sieve" /home/plom/.dovecot.sieve
+chown plom:plom /home/plom/.dovecot.sieve
+
+# Pingmail setup.
+apt install -y mailutils
+cp "${config_tree_prefix}/user_files/pingmailrc" /home/plom/.pingmailrc
+chown plom:plom /home/plom/.pingmailrc
+su plom -c "cd && git clone https://plomlompom.com/repos/clone/pingmail.git"
+
+# In addition to our postfix server receiving mails, we funnel mails from a
+# POP3 account into dovecot via fetchmail. It might make sense to adapt the
+# ~/.dovecot.sieve to move mails targeted to the fetched mail account to their
+# own mbox.
+apt -y install fetchmail
+cp "${config_tree_prefix}/user_files/fetchmailrc" /home/plom/.fetchmailrc
+chown plom:plom /home/plom/.fetchmailrc
+chmod 0700 /home/plom/.fetchmailrc
+
+# Pingmail and fetchmail have some systemd timers waiting. To let systemd
+# know about them, do this.
+systemctl daemon-reload
+
+# Final advice to user.
+echo "TODO: Ensure MX entry for your system in your DNS configuration."
+echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host."
+echo "TODO: passwd plom for IMAPS login"
+echo "TODO: adapt /home/plom/.fetchmailrc and then do: systemctl start fetchmail.timer"
+echo "TODO: adapt /home/plom/.dovecot.sieve and /home/plom/.pingmailrc (sieve mail by pingmail target person into mbox defined in .pingmailrc), then run: systemctl start pingmail.timer"
+echo "TODO: Add the follow DMARK entry as TXT to your DNS configugration: 'v=DMARC1; p=none; rua=mailto:plom+dmarc@plomlompom.com;' mapped to _dmarc"
+echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
+cat "${dkim_selector}.txt"
--- /dev/null
+#!/bin/sh
+set -e
+
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+ echo "Need public key ID as argument."
+ false
+fi
+gpg_key="$1"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# If anything strange happens, let root send mail to us.
+./setup_sendonly.sh
+
+# Apart from weechat, vim and screen will also be useful for everyday activity.
+apt -y install weechat screen vim
+
+# Link and copy over files.
+./hardlink_etc.sh play
+cp "${config_tree_prefix}/user_files/encrypter.sh" /home/plom/
+chown plom:plom /home/plom/encrypter.sh
+cp "${config_tree_prefix}/user_files/weechat-wrapper.sh" /home/plom/
+chown plom:plom /home/plom/weechat-wrapper.sh
+cp "${config_tree_prefix}/user_files/weechatrc" /home/plom/.weechatrc
+chown plom:plom /home/plom/.weechatrc
+apt -y install screen
+echo "$gpg_key" > /home/plom/.encrypt_target
+chown plom:plom /home/plom/.encrypt_target
+
+# Start encrypt_chatlogs job.
+./add_encryption_key.sh "${gpg_key}"
+systemctl daemon-reload
+systemctl start encrypt_chatlogs.timer
--- /dev/null
+#!/bin/sh
+set -e
+
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+ echo "Need public key ID as argument."
+ false
+fi
+gpg_key="$1"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+irclogs_dir=/var/www/html/irclogs
+irclogs_pw_dir=/var/www/irclogs_pw
+
+./add_encryption_key.sh "${gpg_key}"
+apt -y install screen python3-venv
+cp "${config_tree_prefix}"/user_files/plomlombot_daemon.sh /home/plom/
+chown plom:plom /home/plom/plomlombot_daemon.sh
+su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
+systemctl enable /etc/systemd/system/plomlombot.service
+service plomlombot start
+mkdir -p "${irclogs_dir}"
+chown -R plom:plom "${irclogs_dir}"
+mkdir -p "${irclogs_pw_dir}"
+chown -R plom:plom "${irclogs_pw_dir}"
+echo "Don't forget to add a file ~/.plomlombot with content such as:"
+echo "gpg_key ${gpg_key}"
+echo "bot: SCREEN_SESSION_NAME BOT_NAME #CHANNEL_NAME IRC_SERVER_NAME LOGS_USER LOGS_PW"
+echo "# file should end in newline or non-interpreted line such as this"
--- /dev/null
+#!/bin/sh
+# This sets up the minimum of a mail server necessary to send out mails
+# to the world.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+./hardlink_etc.sh sendonly
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+echo "$(hostname -f)" > /etc/mailname
+apt install -y postfix
--- /dev/null
+#!/bin/sh
+# Next setup steps for a server whose login policy has just been set from
+# the outside via ./init_user_and_keybased_login.sh.
+set -e
+
+# Provide maximum input for set_hostname_and_fqdn.sh.
+if [ "$#" -ne 2 ]; then
+ echo 'Need exactly two arguments (hostname, FQDN).'
+ false
+fi
+hostname="$1"
+fqdn="$2"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
+# will set basic configurations affecting following steps, such as setup
+# of APT and the locale selection, so needs to be right at the beginning.
+./hardlink_etc.sh all server
+
+# Set hostname and FQDN.
+./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
+
+# Some debconf selections we don't want to get asked during coming
+# install actions.
+echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
+echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
+
+# Ensure package installation state as defined by what packages are
+# defined as required by Debian policy and by settings in ./apt-mark/.
+apt update
+./install_for_target.sh all server
+./purge_nonrequireds.sh all server
+
+# Ensure our desired locale is available.
+locale-gen
+
+# Only upgrade after reducing the system to the desired minimum, so that
+# we don't need to get more data than necessary.
+apt -y dist-upgrade
+
+# Set Berlin localtime.
+ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+
+# If we have not yet set the shell for user plom, ensure it here. This
+# is mostly for convenience.
+usermod -s /bin/bash plom
+
+# We want to be able to use ALL our servers as borg backup destinations.
+apt -y install borgbackup
--- /dev/null
+#!/bin/sh
+# Set up plomlompom.com web server.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+./hardlink_etc.sh web
+./setup_sendonly.sh
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
+cd /var/
+rm -rf www
+git clone plom@core.plomlompom.com:repos/website www
+apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
+mkdir /var/public_repos
+chown plom:plom /var/public_repos
+iptables-restore /etc/iptables/rules.v4
--- /dev/null
+require ["fileinto"];
+require ["mailbox"];
+if address :is "from" "foo@bar.com" {
+ fileinto :create "foo";
+}
+if address :is :domain "to" "example.com" {
+ fileinto :create "example.com";
+}
--- /dev/null
+#!/bin/sh
+# Encrypt dated weechatlog files older than one day to GPG target defined in
+# ~/.encrypt_target
+set -e
+
+gpg_key=$(cat ~/.encrypt_target)
+cd ~/weechatlogs/irc/
+find . -regextype posix-egrep -regex '^.*/.*/.*\.[0-9]{4}-[0-9]{2}-[0-9]{2}\.weechatlog$' -type f -mtime +1 -exec gpg --recipient "${gpg_key}" --trust-model always --encrypt {} \; -exec rm {} \;
+
--- /dev/null
+# remove "keep" if you're sure about your setup; it keeps mails on server from getting deleted
+poll mail.example.com protocol pop3 username "foo@example.com" password "PASSWORD" ssl keep
--- /dev/null
+# place for test files whose modification times are used to track lifesigns
+testdir=$HOME'/.pingmail'
+
+# modification time is the last time a ping was sent or a lifetime received
+ping_touch=$testdir'/ping_touch'
+
+# modification time is when the count for sending checker a warning mail starts
+reminder_touch=$testdir'/reminder_touch'
+
+# how long to wait for lifesigns before sending a ping; double is time to wait
+# for a lifesign before sending a warning message to checker
+wait_time=86400
+
+# address of the checker, receives warning message after too long wait
+checker_address='bar@example.org'
+
+# address of the checked person, ping is sent here
+checked_address='foo@example.org'
+
+# content of ping message sent to checked person
+subj2checked='[pingmail] Ping!'
+msg2checked='Hi!\n
+\nThis is an automated mail ping from '$checker_address'.
+\nRespond to show that you are still alive!'
+
+# content of warning message sent to checker
+id_target='foo'
+subj2checker='[pingmail] No recent life signs from '$id_target
+reminder_time=`expr $wait_time \* 2`
+msg2checker='pingmail reporting in:\n
+\nNo life signs from '$id_target' for the last '$reminder_time' seconds.
+\nMaybe you should give them a call to check if they are okay.'
+
+# mail client command reading message body from stdin and subject from parameter
+mailclient_s='mail -s'
+
+# mailbox file to check for most recent life sign
+mbox=$HOME'/mail/foo'
+
+# to recursively search for most recent matches to $matchstring as lifesigns
+#maildir=$HOME'/mail'
+
+# pattern to search $maildir for recursively for lifesigns
+#checked_address_escaped=`echo $checked_address | sed 's/\./\\./g'`
+#matchstring='^From: .*('$checked_address_escaped'|alternate@example\.org)'
--- /dev/null
+#!/bin/sh
+set -e
+
+# Repeatedly parse config file for GPG key and bot screen configs.
+path=~/.plomlombot
+db_dir="${HOME}/plomlombot_db"
+irclogs_dir=/var/www/html/irclogs
+irclogs_pw_dir=/var/www/irclogs_pw
+while true; do
+ if [ -f "${path}" ]; then
+ cat "${path}" | while read line; do
+ first_word=$(echo -n "${line}" | cut -d' ' -f1)
+
+ # Read "bot:" line, start bot screen session from it if not yet existing,
+ # set up irclogs dir if not yet existing.
+ if [ "${first_word}" = "bot:" ]; then
+ session_name=$(echo -n "${line}" | cut -d' ' -f2)
+ bot_name=$(echo -n "${line}" | cut -d' ' -f3)
+ channel_name=$(echo -n "${line}" | cut -d' ' -f4)
+ shortened_channel_name="${channel_name}"
+ first_char=$(echo -n "${channel_name}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ shortened_channel_name=$(echo -n "${channel_name}" | cut -c2-)
+ fi
+ server_name=$(echo -n "${line}" | cut -d' ' -f5)
+ login_user=$(echo -n "${line}" | cut -d' ' -f6)
+ login_pw=$(echo -n "${line}" | cut -d' ' -f7)
+ set +e
+ screen -S "${session_name}" -Q select . > /dev/null
+ start_screen=$?
+ set -e
+ if [ "${start_screen}" -eq "1" ]; then
+ cd ~/plomlombot-irc
+ LANG="en_US.UTF-8" screen -d -m -S "${session_name}" ./run.sh -r 604800 -n "${bot_name}" -s "${server_name}" "${channel_name}"
+ fi
+ md5_server=$(echo -n "${server_name}" | md5sum | cut -d' ' -f1)
+ md5_channel=$(echo -n "${channel_name}" | md5sum | cut -d' ' -f1)
+ logs_dir="${db_dir}/${md5_server}/${md5_channel}/logs"
+ # FIXME: Note the trouble we will have if we have the same channel
+ # name on different servers …
+ ln -sfn "${logs_dir}" "${irclogs_dir}/${shortened_channel_name}"
+ echo "${login_user}":'{PLAIN}'"${login_pw}" > "${irclogs_pw_dir}/${shortened_channel_name}"
+
+ # If "gpg" line, encrypt old raw logs to that GPG key.
+ elif [ "${first_word}" = "gpg_key" ]; then
+ key=$(echo -n "${line}" | cut -d' ' -f2)
+ mkdir -p ~/plomlombot_db
+ cd ~/plomlombot_db
+ find . -path '*/*/raw_logs/*.txt' -mtime +1 -type f -exec gpg --recipient "${key}" --trust-model always --encrypt {} \; -exec rm {} \;
+ fi
+
+ done
+ sleep 1
+ fi
+done
--- /dev/null
+#!/bin/sh
+
+# Enforce ~/.weechatrc as sole persistent weechat config file.
+#~/config/bin/simplemail.sh ~/config/mails/weechat_restart_reminder
+rm -rf ~/.weechat/
+WEECHATCONF=`tr '\n' ';' < ~/.weechatrc`
+weechat -r "$WEECHATCONF"
+rm -rf ~/.weechat/
--- /dev/null
+/set logger.file.path ~/weechatlogs
+/set logger.file.flush_delay 0
+/set logger.mask.irc "irc/$server/$channel.%Y-%m-%d.weechatlog"
+/set weechat.bar.status.items "[time],[buffer_last_number],[buffer_plugin],buffer_number+:+buffer_name+(buffer_modes)+{buffer_nicklist_count}+buffer_zoom+buffer_filter,[lag],[hotlist],completion,scroll,[otr]"
+/set weechat.color.chat_nick_colors "lightcyan"
+/server add freenode irc.freenode.net -nicks=plimlompom,plimlomp0m,pliml0mp0m -realname="foo bar" -autojoin=#plomlompomtest
+/connect freenode
--- /dev/null
+---
+- hosts: all
+ user: root
+ become: yes
+ tasks:
+
+ - name: ensure directories for symlinks exist
+ file: state=directory dest={{item}}
+ with_lines: cat ~/config/ansible/files/dirs | sed -e 's/ *#.*$//'
+ - name: symlink system files
+ file: state=hard force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
+ with_fileglob: ~/config/ansible/files/system/*
+ - name: set hostname for current session
+ shell: hostname w530
+
+ # Init package management.
+ - name: update package lists
+ apt: update_cache=yes
+ - name: APT - dist-upgrade
+ apt: upgrade=dist
+
+ # Ensure power management.
+ - name: ensure power management tools are installed
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/power_management | sed -e 's/ *#.*$//'
+ - name: start TLP
+ shell: tlp start
+
+ # Configure console.
+ #
+ # For some reason, some settings are only applied two reboots after this.
+ - name: symlink console config files
+ file: state=link force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
+ with_fileglob: ~/config/ansible/files/console/*
+ - name: ensure locales and console-setup are installed
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/console | sed -e 's/ *#.*$//'
+ - name: generate en_US.UTF-8 locale
+ locale_gen: name=en_US.UTF-8 state=present
+ - name: run setupcon to apply console settings from /etc/default/
+ command: setupcon
+
+ # Miscellaneous.
+ - name: Ensure dotfile symlinks
+ file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
+ with_fileglob:
+ - ~/config/dotfiles/minimal/*
+ - ~/config/dotfiles/root/*
+ - name: ensure ~/.vimbackups directory
+ file: state=directory dest=~/.vimbackups
+ - name: ensure man-db, manpages are installed
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/man | sed -e 's/ *#.*$//'
+ - name: set /etc/localtime
+ file: state=link force=yes src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime
+ - name: ensure various useful tools are installed – sudo, git, vim, less, openssh
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/various_useful | sed -e 's/ *#.*$//'
+ - name: ensure boot messages are not cleared on start up
+ replace: dest=/etc/systemd/system/getty.target.wants/getty@tty1.service regexp='^TTYVTDisallocate=yes.*$' replace='TTYVTDisallocate=no'
+
+ # Config user.
+ - name: create user plom with sudo privileges and bash shell
+ user: name=plom groups=sudo shell=/bin/bash
+ - name: have config repo in user directory
+ git: repo=https://github.com/plomlompom/config dest=/home/plom/config
+ become_user: plom
+ become_method: su
+
+ # Ensure X window environment.
+ - name: ensure minimal X window environment
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/minimal_x | sed -e 's/ *#.*$//'
+ - name: ensure 3d acceleration and optimus switch
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/3d_acceleration | sed -e 's/ *#.*$//'
+ - name: ensure user plom is in bumblebee group
+ user: name=plom groups=bumblebee append=yes
+ - name: ensure basic X tools
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/basic_x_tools | sed -e 's/ *#.*$//'
+
+ # Set up pentadactyl.
+ - name: ensure browser environment
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/browser_environment | sed -e 's/ *#.*$//'
+
+ # Ensure wifi.
+ - name: ensure wifi configuration
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/wifi | sed -e 's/ *#.*$//'
+
+ # Ensure audio/video consumption necessities.
+ - name: ensure multimedia tools
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/multimedia | sed -e 's/ *#.*$//'
+
+ # Ensure hotkeys.
+ #
+ # For some reason, the brightness hotkeys still won't be available unless acpid is restarted (yes, after reboot).
+ - name: ensure hotkeys
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark/hotkeys | sed -e 's/ *#.*$//'
+
+ # Remove undesired packages
+ - name: collect desired packages
+ shell: cat files/apt-mark/* | sed -e 's/ *#.*$//' > /tmp/white_list_unsorted && sort /tmp/white_list_unsorted > /tmp/white_list_sorted
+ - name: collect currently installed packages
+ shell: dpkg-query -Wf '${Package}\n' > /tmp/all_unsorted && sort /tmp/all_unsorted > /tmp/all_sorted
+ - name: create black list of packages to mark as automatically installed from the difference between the required packages and the packages currently installed
+ shell: comm -3 /tmp/all_sorted /tmp/white_list_sorted > /tmp/list_black
+ - name: mark all packages from black list as automatically installed
+ shell: apt-mark auto $(cat /tmp/list_black)
+ - name: mark all packages from white list as manually installed
+ shell: apt-mark manual $(cat /tmp/white_list_unsorted)
+ - name: purge all packages automatically installed that are not depended on
+ shell: DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
--- /dev/null
+---
+- hosts: all
+ user: root
+ become: yes
+ tasks:
+
+ - name: ensure directories for symlinks exist
+ file: state=directory dest={{item}}
+ with_lines: cat ~/config/ansible/files/dirs_new | sed -e 's/ *#.*$//'
+ - name: symlink system files
+ file: state=hard force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
+ with_fileglob:
+ - ~/config/ansible/files/system_new/minimal/*
+ - ~/config/ansible/files/system_new/{{ system_name }}/*
+ - name: set hostname for current session
+ shell: hostname {{ system_name }}
+
+ # Init package management.
+ - name: add palemoon repo signing key
+ apt_key:
+ url: https://download.opensuse.org/repositories/home:stevenpusser/Debian_9.0/Release.key
+ state: present
+ - name: update package lists
+ apt: update_cache=yes
+ - name: APT - dist-upgrade
+ apt: upgrade=dist
+
+ # Ensure packages needed for disk encryption on startup (how does this work?)
+ - name: ensure power management tools are installed
+ apt: name={{item}} state=present
+ with_lines:
+ - cat ~/config/ansible/files/apt-mark_new/minimal/disk_encryption | sed -e 's/ *#.*$//'
+
+ # Ensure power management.
+ - name: ensure power management tools are installed
+ apt: name={{item}} state=present
+ with_lines:
+ - cat ~/config/ansible/files/apt-mark_new/minimal/power_management | sed -e 's/ *#.*$//'
+ - cat ~/config/ansible/files/apt-mark_new/X200s/power_management | sed -e 's/ *#.*$//'
+ - name: start TLP
+ shell: tlp start
+
+ # Configure console.
+ #
+ # For some reason, some settings are only applied two reboots after this.
+ - name: symlink console config files
+ file: state=link force=yes src={{item}} dest={{item|basename|regex_replace('___','/')}}
+ with_fileglob: ~/config/ansible/files/console/*
+ - name: ensure locales and console-setup are installed
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/console | sed -e 's/ *#.*$//'
+ - name: generate en_US.UTF-8 locale
+ locale_gen: name=en_US.UTF-8 state=present
+ - name: Touch keyboard config file so setupcon does not ignore it.
+ command: touch /etc/default/keyboard
+ - name: run setupcon to apply console settings from /etc/default/
+ command: setupcon
+
+ # Miscellaneous.
+ - name: Ensure dotfile symlinks
+ file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
+ with_fileglob:
+ - ~/config/dotfiles/minimal/*
+ - ~/config/dotfiles/root/*
+ - name: ensure ~/.vimbackups directory
+ file: state=directory dest=~/.vimbackups
+ - name: ensure man-db, manpages are installed
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/man | sed -e 's/ *#.*$//'
+ - name: set /etc/localtime
+ file: state=link force=yes src=/usr/share/zoneinfo/Europe/Berlin dest=/etc/localtime
+ - name: ensure various useful tools are installed – sudo, git, vim, less, openssh
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/various_useful | sed -e 's/ *#.*$//'
+ - name: ensure boot messages are not cleared on start up
+ replace: dest=/etc/systemd/system/getty.target.wants/getty@tty1.service regexp='^TTYVTDisallocate=yes.*$' replace='TTYVTDisallocate=no'
+
+ # Config user.
+ - name: create user plom with sudo privileges and bash shell
+ user: name=plom groups=sudo shell=/bin/bash
+ #- name: have config repo in user directory
+ # git: repo=https://github.com/plomlompom/config dest=/home/plom/config
+ # become_user: plom
+ # become_method: su
+
+ # Ensure X window environment.
+ - name: ensure minimal X window environment
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/minimal_x | sed -e 's/ *#.*$//'
+ - name: ensure 3d acceleration
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/3d_acceleration | sed -e 's/ *#.*$//'
+ #- name: ensure optimus switch
+ # apt: name={{item}} state=present
+ # with_lines: cat ~/config/ansible/files/apt-mark_new/W530/3d_acceleration | sed -e 's/ *#.*$//'
+ #- name: ensure user plom is in bumblebee group
+ # user: name=plom groups=bumblebee append=yes
+ - name: ensure basic X tools
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/basic_x_tools | sed -e 's/ *#.*$//'
+
+ ## Set up browser environment.
+ #- name: ensure qutebrowser
+ # include: tasks/qutebrowser.yml
+ - name: ensure browser environment
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/browser_environment | sed -e 's/ *#.*$//'
+
+ # Ensure wifi.
+ - name: ensure wifi configuration
+ apt: name={{item}} state=present
+ with_lines:
+ - cat ~/config/ansible/files/apt-mark_new/minimal/wifi | sed -e 's/ *#.*$//'
+ - cat ~/config/ansible/files/apt-mark_new/X200s/wifi | sed -e 's/ *#.*$//'
+ #- name: ensure wicd
+ # apt: name={{item}} state=present
+ # with_lines: cat ~/config/ansible/files/apt-mark_new/W530/wicd | sed -e 's/ *#.*$//'
+
+ # Ensure audio/video consumption necessities.
+ - name: ensure multimedia tools
+ apt: name={{item}} state=present
+ with_lines: cat ~/config/ansible/files/apt-mark_new/minimal/multimedia | sed -e 's/ *#.*$//'
+ #- name: ensure multimedia tools
+ # apt: name={{item}} state=present
+ # with_lines: cat ~/config/ansible/files/apt-mark_new/W530/multimedia | sed -e 's/ *#.*$//'
+
+ # Ensure hotkeys.
+ #
+ # For some reason, the brightness hotkeys still won't be available unless acpid is restarted (yes, after reboot).
+ #- name: ensure hotkeys
+ # apt: name={{item}} state=present
+ # with_lines: cat ~/config/ansible/files/apt-mark/hotkeys | sed -e 's/ *#.*$//'
+
+ # Remove undesired packages
+ - name: collect desired packages
+ shell: cat files/apt-mark_new/minimal/* files/apt-mark_new/{{ system_name }}/* | sed -e 's/ *#.*$//' > /tmp/white_list_unsorted && sort /tmp/white_list_unsorted > /tmp/white_list_sorted
+ - name: collect currently installed packages
+ shell: dpkg-query -Wf '${Package}\n' > /tmp/all_unsorted && sort /tmp/all_unsorted > /tmp/all_sorted
+ - name: create black list of packages to mark as automatically installed from the difference between the required packages and the packages currently installed
+ shell: comm -3 /tmp/all_sorted /tmp/white_list_sorted > /tmp/list_black
+ - name: mark all packages from black list as automatically installed
+ shell: apt-mark auto $(cat /tmp/list_black)
+ - name: mark all packages from white list as manually installed
+ shell: apt-mark manual $(cat /tmp/white_list_unsorted)
+ - name: purge all packages automatically installed that are not depended on
+ shell: DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+
--- /dev/null
+bumblebee-nvidia
+libgl1-mesa-dri # tested as necessary for OpenGL 3D acceleration to work
+libglu1-mesa # tested as necessary for OpenGL 3D acceleration to work
+linux-headers-amd64 # tested as necessary to build proper nvidia-driver module
+primus # bridge by which bumblebee will deliver Nvidia-renderend content to Intel card
--- /dev/null
+i3
+i3status
+python3 # this is what the i3status wrapper is written in
+redshift
+suckless-tools # contains dmenu; not using virtual packages as that won't be marked manually installed
+xterm
+x11-xserver-utils # includes xrdb which applies .Xresources files
--- /dev/null
+iceweasel
+vim-gtk # used by pentadactyl for text editing
+xul-ext-noscript
+xul-ext-pentadactyl
--- /dev/null
+console-setup
+locales
--- /dev/null
+base-files
+base-passwd
+bash
+bsdutils
+coreutils
+dash
+debconf
+debianutils
+diffutils
+dpkg
+e2fslibs
+e2fsprogs
+findutils
+gcc-6-base
+grep
+gzip
+hostname
+init-system-helpers
+libacl1
+libattr1
+libblkid1
+libc6
+libc-bin
+libcomerr2
+libfdisk1
+libgcc1
+liblzma5
+libmount1
+libpam0g
+libpam-modules
+libpam-modules-bin
+libpam-runtime
+libpcre3
+libselinux1
+libsepol1
+libsmartcols1
+libss2
+libtinfo5
+libuuid1
+login
+lsb-base
+mawk
+mount
+multiarch-support
+ncurses-base
+ncurses-bin
+passwd
+perl-base
+sed
+sensible-utils
+sysvinit-utils
+tar
+tzdata
+util-linux
+zlib1g
--- /dev/null
+acpid # captures hotkey presses and triggers respective /etc/acpi/events/*
--- /dev/null
+man-db
+manpages
--- /dev/null
+ansible
+ifupdown # needed for internet connectivity
+isc-dhcp-client # needed for internet connectivity
--- /dev/null
+libpam-systemd # needed to start X as non-root
+xinit # contains startx
+xserver-xorg-core
+xserver-xorg-input-evdev # supports all input devices the kernel knows about
--- /dev/null
+alsa-utils
+eject
+ffmpeg # somehow this is needed to make youtube-dl grab 1080p versions of videos
+libdvd-pkg # decss stuff
+mpv
+youtube-dl # needed by mpv to directly work YouTube URLs
--- /dev/null
+acpi-call-dkms # needed for tlp to access Thinkpad-specific features
+tlp
--- /dev/null
+git
+less
+openssh-client
+sudo
+vim
--- /dev/null
+firmware-iwlwifi # wifi driver
+wicd-cli # thanks to my own wicd_wrapper.sh should be enough for most stuff
+wicd-curses # although this currently is very buggy
+wicd-gtk # workaround for when wicd-curses fails
--- /dev/null
+bumblebee-nvidia
+linux-headers-amd64 # tested as necessary to build proper nvidia-driver module
+primus # bridge by which bumblebee will deliver Nvidia-renderend content to Intel card
--- /dev/null
+iceweasel
+vim-gtk # used by pentadactyl for text editing
+xul-ext-noscript
+xul-ext-pentadactyl
--- /dev/null
+acpid # captures hotkey presses and triggers respective /etc/acpi/events/*
--- /dev/null
+eject
+ffmpeg # somehow this is needed to make youtube-dl grab 1080p versions of videos
+libdvd-pkg # decss stuff
--- /dev/null
+wicd-cli # thanks to my own wicd_wrapper.sh should be enough for most stuff
+wicd-curses # although this currently is very buggy
+wicd-gtk # workaround for when wicd-curses fails
--- /dev/null
+alsa-utils
+ffmpeg # somehow this is needed to make youtube-dl grab 1080p versions of videos
+mpv
+youtube-dl # needed by mpv to directly work YouTube URLs
--- /dev/null
+tp-smapi-dkms
+linux-headers-amd64
--- /dev/null
+wpasupplicant
--- /dev/null
+libglu1-mesa # tested as necessary for OpenGL 3D acceleration to work
+libgl1-mesa-dri # tested as necessary for OpenGL 3D acceleration to work
--- /dev/null
+i3
+i3status
+python3 # this is what the i3status wrapper is written in
+redshift
+suckless-tools # contains dmenu; not using virtual packages as that won't be marked manually installed
+xterm
+x11-xserver-utils # includes xrdb which applies .Xresources files
--- /dev/null
+console-setup
+locales
--- /dev/null
+base-files
+base-passwd
+bash
+bsdutils
+coreutils
+dash
+debconf
+debianutils
+diffutils
+dpkg
+e2fslibs
+e2fsprogs
+findutils
+gcc-6-base
+grep
+gzip
+hostname
+init-system-helpers
+libacl1
+libattr1
+libblkid1
+libc6
+libc-bin
+libcomerr2
+libfdisk1
+libgcc1
+liblzma5
+libmount1
+libpam0g
+libpam-modules
+libpam-modules-bin
+libpam-runtime
+libpcre3
+libselinux1
+libsepol1
+libsmartcols1
+libss2
+libtinfo5
+libuuid1
+login
+lsb-base
+mawk
+mount
+multiarch-support
+ncurses-base
+ncurses-bin
+passwd
+perl-base
+sed
+sensible-utils
+sysvinit-utils
+tar
+tzdata
+util-linux
+zlib1g
--- /dev/null
+cryptsetup
+udev
--- /dev/null
+man-db
+manpages
--- /dev/null
+ansible
+ifupdown # needed for internet connectivity
+isc-dhcp-client # needed for internet connectivity
--- /dev/null
+libpam-systemd # needed to start X as non-root
+xinit # contains startx
+xserver-xorg-core
+xserver-xorg-input-evdev # supports all input devices the kernel knows about
--- /dev/null
+alsa-utils
+mpv
+youtube-dl # needed by mpv to directly work YouTube URLs
--- /dev/null
+acpi-call-dkms # needed for tlp to access Thinkpad-specific features
+tlp
--- /dev/null
+git
+less
+openssh-client
+sudo
+vim
--- /dev/null
+firmware-iwlwifi # wifi driver
--- /dev/null
+CHARMAP="UTF-8"
+CODESET="Lat15"
+FONTFACE="Terminus"
+FONTSIZE="6x12"
--- /dev/null
+# setting XKBMODEL to the questionable default seems to be necessary and works nicely
+# curiously, putting a comment on the same line as a variable setting seems to break things
+XKBMODEL="pc105"
+XKBLAYOUT="de"
--- /dev/null
+/etc/wicd
+/etc/acpi/events
--- /dev/null
+# This is the Optimus-specific configuration recommended by the "NVIDIA
+# Accelerated Linux Graphics Drivre README and Installation Guide", Chapter 32
+# "Offloading Graphics Display with RandR 1.4"
+# (<http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>)
+# with the "AllowEmptyInitialConfigratuion" added as described by
+# <http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>.
+
+Section "ServerLayout"
+ Identifier "layout"
+ Screen 0 "nvidia"
+ Inactive "intel"
+EndSection
+
+Section "Device"
+ Identifier "nvidia"
+ Driver "nvidia"
+ BusID "PCI:01:00:0"
+ Option "AllowEmptyInitialConfiguration"
+EndSection
+
+Section "Screen"
+ Identifier "nvidia"
+ Device "nvidia"
+EndSection
+
+Section "Device"
+ Identifier "intel"
+ Driver "modesetting"
+EndSection
+
+Section "Screen"
+ Identifier "intel"
+ Device "intel"
+EndSection
--- /dev/null
+event=video/brightnessdown
+action=/root/config/bin/w530_backlight.sh -
--- /dev/null
+event=video/brightnessup
+action=/root/config/bin/w530_backlight.sh +
--- /dev/null
+event=button/f20
+action=amixer set Mic toggle
--- /dev/null
+event=button/mute
+action=amixer set Master toggle
--- /dev/null
+event=button/volumedown
+action=amixer set Master 10-
--- /dev/null
+event=button/volumeup
+action=amixer set Master 10+
--- /dev/null
+APT::AutoRemove::RecommendsImportant "false";
+APT::AutoRemove::SuggestsImportant "false";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
--- /dev/null
+deb http://ftp.debian.org/debian/ stretch main contrib non-free
+deb http://ftp.debian.org/debian/ stretch-updates main contrib non-free
+deb http://ftp.debian.org/debian stretch-backports main contrib non-free
+deb http://security.debian.org/ stretch/updates main contrib non-free
--- /dev/null
+# ------------------------------------------------------------------------------
+# tlp - Parameters for power save
+# See full explanation: http://linrunner.de/en/tlp/docs/tlp-configuration.html
+
+# Hint: some features are disabled by default, remove the leading # to enable
+# them.
+
+# Set to 0 to disable, 1 to enable TLP.
+TLP_ENABLE=1
+
+# Operation mode when no power supply can be detected: AC, BAT
+# Concerns some desktop and embedded hardware only.
+TLP_DEFAULT_MODE=AC
+
+# Seconds laptop mode has to wait after the disk goes idle before doing a sync.
+# Non-zero value enables, zero disables laptop mode.
+DISK_IDLE_SECS_ON_AC=0
+DISK_IDLE_SECS_ON_BAT=2
+
+# Dirty page values (timeouts in secs).
+MAX_LOST_WORK_SECS_ON_AC=15
+MAX_LOST_WORK_SECS_ON_BAT=60
+
+# Hint: CPU parameters below are disabled by default, remove the leading #
+# to enable them, otherwise kernel default values are used.
+
+# Select a CPU frequency scaling governor.
+# Intel Core i processor with intel_pstate driver:
+# powersave(*), performance
+# Older hardware with acpi-cpufreq driver:
+# ondemand(*), powersave, performance, conservative
+# (*) is recommended.
+# Hint: use tlp-stat -p to show the active driver and available governors.
+# Important:
+# You *must* disable your distribution's governor settings or conflicts will
+# occur. ondemand is sufficient for *almost all* workloads, you should know
+# what you're doing!
+#CPU_SCALING_GOVERNOR_ON_AC=powersave
+#CPU_SCALING_GOVERNOR_ON_BAT=powersave
+
+# Set the min/max frequency available for the scaling governor.
+# Possible values strongly depend on your CPU. For available frequencies see
+# the output of tlp-stat -p.
+#CPU_SCALING_MIN_FREQ_ON_AC=0
+#CPU_SCALING_MAX_FREQ_ON_AC=0
+#CPU_SCALING_MIN_FREQ_ON_BAT=0
+#CPU_SCALING_MAX_FREQ_ON_BAT=0
+
+# Set Intel P-state performance: 0..100 (%)
+# Limit the max/min P-state to control the power dissipation of the CPU.
+# Values are stated as a percentage of the available performance.
+# Requires an Intel Core i processor with intel_pstate driver.
+#CPU_MIN_PERF_ON_AC=0
+#CPU_MAX_PERF_ON_AC=100
+#CPU_MIN_PERF_ON_BAT=0
+#CPU_MAX_PERF_ON_BAT=30
+
+# Set the CPU "turbo boost" feature: 0=disable, 1=allow
+# Requires an Intel Core i processor.
+# Important:
+# - This may conflict with your distribution's governor settings
+# - A value of 1 does *not* activate boosting, it just allows it
+#CPU_BOOST_ON_AC=1
+#CPU_BOOST_ON_BAT=0
+
+# Minimize number of used CPU cores/hyper-threads under light load conditions
+SCHED_POWERSAVE_ON_AC=0
+SCHED_POWERSAVE_ON_BAT=1
+
+# Kernel NMI Watchdog:
+# 0=disable (default, saves power), 1=enable (for kernel debugging only)
+NMI_WATCHDOG=0
+
+# Change CPU voltages aka "undervolting" - Kernel with PHC patch required
+# Frequency voltage pairs are written to:
+# /sys/devices/system/cpu/cpu0/cpufreq/phc_controls
+# CAUTION: only use this, if you thoroughly understand what you are doing!
+#PHC_CONTROLS="F:V F:V F:V F:V"
+
+# Set CPU performance versus energy savings policy:
+# performance, normal, powersave
+# Requires kernel module msr and x86_energy_perf_policy from linux-tools
+ENERGY_PERF_POLICY_ON_AC=performance
+ENERGY_PERF_POLICY_ON_BAT=powersave
+
+# Hard disk devices; separate multiple devices with spaces (default: sda).
+# Devices can be specified by disk ID also (lookup with: tlp diskid).
+DISK_DEVICES="sda sdb"
+
+# Hard disk advanced power management level: 1..254, 255 (max saving, min, off)
+# Levels 1..127 may spin down the disk; 255 allowable on most drives.
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the hardware default for the particular disk.
+DISK_APM_LEVEL_ON_AC="254 254"
+DISK_APM_LEVEL_ON_BAT="128 128"
+
+# Hard disk spin down timeout:
+# 0: spin down disabled
+# 1..240: timeouts from 5s to 20min (in units of 5s)
+# 241..251: timeouts from 30min to 5.5 hours (in units of 30min)
+# See 'man hdparm' for details.
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the hardware default for the particular disk.
+#DISK_SPINDOWN_TIMEOUT_ON_AC="0 0"
+#DISK_SPINDOWN_TIMEOUT_ON_BAT="0 0"
+
+# Select IO scheduler for the disk devices: cfq, deadline, noop (Default: cfq);
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the kernel default scheduler for the particular disk.
+#DISK_IOSCHED="cfq cfq"
+
+# SATA aggressive link power management (ALPM):
+# min_power, medium_power, max_performance
+SATA_LINKPWR_ON_AC=max_performance
+SATA_LINKPWR_ON_BAT=min_power
+
+# Exclude SATA host devices from link power management.
+# Separate multiple hosts with spaces.
+#SATA_LINKPWR_BLACKLIST="host1"
+
+# Runtime Power Management for AHCI controllers and disks:
+# on=disable, auto=enable
+# EXPERIMENTAL ** WARNING: auto will most likely cause system lockups/data loss
+#AHCI_RUNTIME_PM_ON_AC=on
+#AHCI_RUNTIME_PM_ON_BAT=on
+
+# Seconds of inactivity before disk is suspended
+AHCI_RUNTIME_PM_TIMEOUT=15
+
+# PCI Express Active State Power Management (PCIe ASPM):
+# default, performance, powersave
+PCIE_ASPM_ON_AC=performance
+PCIE_ASPM_ON_BAT=powersave
+
+# Radeon graphics clock speed (profile method): low, mid, high, auto, default;
+# auto = mid on BAT, high on AC; default = use hardware defaults.
+# (Kernel >= 2.6.35 only, open-source radeon driver explicitly)
+RADEON_POWER_PROFILE_ON_AC=high
+RADEON_POWER_PROFILE_ON_BAT=low
+
+# Radeon dynamic power management method (DPM): battery, performance
+# (Kernel >= 3.11 only, requires boot option radeon.dpm=1)
+RADEON_DPM_STATE_ON_AC=performance
+RADEON_DPM_STATE_ON_BAT=battery
+
+# Radeon DPM performance level: auto, low, high; auto is recommended.
+RADEON_DPM_PERF_LEVEL_ON_AC=auto
+RADEON_DPM_PERF_LEVEL_ON_BAT=auto
+
+# WiFi power saving mode: on=enable, off=disable; not supported by all adapters.
+WIFI_PWR_ON_AC=off
+WIFI_PWR_ON_BAT=on
+
+# Disable wake on LAN: Y/N
+WOL_DISABLE=Y
+
+# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
+# A value of 0 disables, >=1 enables power save.
+SOUND_POWER_SAVE_ON_AC=0
+SOUND_POWER_SAVE_ON_BAT=1
+
+# Disable controller too (HDA only): Y/N
+SOUND_POWER_SAVE_CONTROLLER=Y
+
+# Set to 1 to power off optical drive in UltraBay/MediaBay when running on
+# battery. A value of 0 disables this feature (Default).
+# Drive can be powered on again by releasing (and reinserting) the eject lever
+# or by pressing the disc eject button on newer models.
+# Note: an UltraBay/MediaBay hard disk is never powered off.
+BAY_POWEROFF_ON_BAT=0
+# Optical drive device to power off (default sr0).
+BAY_DEVICE="sr0"
+
+# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable
+RUNTIME_PM_ON_AC=on
+RUNTIME_PM_ON_BAT=auto
+
+# Runtime PM for *all* PCI(e) bus devices, except blacklisted ones:
+# 0=disable, 1=enable
+RUNTIME_PM_ALL=1
+
+# Exclude PCI(e) device adresses the following list from Runtime PM
+# (separate with spaces). Use lspci to get the adresses (1st column).
+#RUNTIME_PM_BLACKLIST="bb:dd.f 11:22.3 44:55.6"
+
+# Exclude PCI(e) devices assigned to the listed drivers from Runtime PM
+# (should prevent accidential power on of hybrid graphics' discrete part).
+# Default is "radeon nouveau"; use "" to disable the feature completely.
+# Separate multiple drivers with spaces.
+RUNTIME_PM_DRIVER_BLACKLIST="radeon nouveau"
+
+# Set to 0 to disable, 1 to enable USB autosuspend feature.
+USB_AUTOSUSPEND=1
+
+# Exclude listed devices from USB autosuspend (separate with spaces).
+# Use lsusb to get the ids.
+# Note: input devices (usbhid) are excluded automatically (see below)
+#USB_BLACKLIST="1111:2222 3333:4444"
+
+# WWAN devices are excluded from USB autosuspend: 0=do not exclude / 1=exclude
+USB_BLACKLIST_WWAN=1
+
+# Include listed devices into USB autosuspend even if already excluded
+# by the driver or WWAN blacklists above (separate with spaces).
+# Use lsusb to get the ids.
+#USB_WHITELIST="1111:2222 3333:4444"
+
+# Set to 1 to disable autosuspend before shutdown, 0 to do nothing
+# (workaround for USB devices that cause shutdown problems).
+#USB_AUTOSUSPEND_DISABLE_ON_SHUTDOWN=1
+
+# Restore radio device state (Bluetooth, WiFi, WWAN) from previous shutdown
+# on system startup: 0=disable, 1=enable.
+# Hint: the parameters DEVICES_TO_DISABLE/ENABLE_ON_STARTUP/SHUTDOWN below
+# are ignored when this is enabled!
+RESTORE_DEVICE_STATE_ON_STARTUP=0
+
+# Radio devices to disable on startup: bluetooth, wifi, wwan.
+# Separate multiple devices with spaces.
+DEVICES_TO_DISABLE_ON_STARTUP="bluetooth wifi wwan"
+
+# Radio devices to enable on startup: bluetooth, wifi, wwan.
+# Separate multiple devices with spaces.
+#DEVICES_TO_ENABLE_ON_STARTUP="wifi"
+
+# Radio devices to disable on shutdown: bluetooth, wifi, wwan
+# (workaround for devices that are blocking shutdown).
+#DEVICES_TO_DISABLE_ON_SHUTDOWN="bluetooth wifi wwan"
+
+# Radio devices to enable on shutdown: bluetooth, wifi, wwan
+# (to prevent other operating systems from missing radios).
+#DEVICES_TO_ENABLE_ON_SHUTDOWN="wwan"
+
+# Radio devices to enable on AC: bluetooth, wifi, wwan
+#DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+
+# Radio devices to disable on battery: bluetooth, wifi, wwan
+#DEVICES_TO_DISABLE_ON_BAT="bluetooth wifi wwan"
+
+# Radio devices to disable on battery when not in use (not connected):
+# bluetooth, wifi, wwan
+DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE="bluetooth wifi wwan"
+
+# Battery charge thresholds (ThinkPad only, tp-smapi or acpi-call kernel module
+# required). Charging starts when the remaining capacity falls below the
+# START_CHARGE_THRESH value and stops when exceeding the STOP_CHARGE_THRESH value.
+# Main / Internal battery (values in %)
+START_CHARGE_THRESH_BAT0=10
+STOP_CHARGE_THRESH_BAT0=95
+# Ultrabay / Slice / Replaceable battery (values in %)
+START_CHARGE_THRESH_BAT1=10
+STOP_CHARGE_THRESH_BAT1=95
+
+# ------------------------------------------------------------------------------
+# tlp-rdw - Parameters for the radio device wizard
+# Possible devices: bluetooth, wifi, wwan
+
+# Hints:
+# - Parameters are disabled by default, remove the leading # to enable them.
+# - Separate multiple radio devices with spaces.
+
+# Radio devices to disable on connect.
+#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
+#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"
+#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"
+
+# Radio devices to enable on disconnect.
+#DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
+#DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+#DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+
+# Radio devices to enable/disable when docked.
+#DEVICES_TO_ENABLE_ON_DOCK=""
+#DEVICES_TO_DISABLE_ON_DOCK=""
+
+# Radio devices to enable/disable when undocked.
+#DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+#DEVICES_TO_DISABLE_ON_UNDOCK=""
--- /dev/null
+127.0.0.1 localhost
+127.0.1.1 w530
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
--- /dev/null
+# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
+# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
+
+if [ "`id -u`" -eq 0 ]; then
+ PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+ PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+fi
+export PATH
+
+if [ "${PS1-}" ]; then
+ if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
+ # The file bash.bashrc already sets the default PS1.
+ # PS1='\h:\w\$ '
+ if [ -f /etc/bash.bashrc ]; then
+ . /etc/bash.bashrc
+ fi
+ else
+ if [ "`id -u`" -eq 0 ]; then
+ PS1='# '
+ else
+ PS1='$ '
+ fi
+ fi
+fi
+
+if [ -d /etc/profile.d ]; then
+ for i in /etc/profile.d/*.sh; do
+ if [ -r $i ]; then
+ . $i
+ fi
+ done
+ unset i
+fi
+export LC_ALL="en_US.UTF-8"
--- /dev/null
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See logind.conf(5) for details.
+
+[Login]
+#NAutoVTs=6
+#ReserveVT=6
+#KillUserProcesses=no
+#KillOnlyUsers=
+#KillExcludeUsers=root
+#InhibitDelayMaxSec=5
+#HandlePowerKey=poweroff
+#HandleSuspendKey=suspend
+#HandleHibernateKey=hibernate
+#HandleLidSwitch=suspend
+#HandleLidSwitchDocked=ignore
+#PowerKeyIgnoreInhibited=no
+#SuspendKeyIgnoreInhibited=no
+#HibernateKeyIgnoreInhibited=no
+#LidSwitchIgnoreInhibited=yes
+#HoldoffTimeoutSec=30s
+#IdleAction=ignore
+#IdleActionSec=30min
+#RuntimeDirectorySize=10%
+#RemoveIPC=yes
+#InhibitorsMax=8192
+#SessionsMax=8192
+#UserTasksMax=33%
+HandleLidSwitch=hibernate
--- /dev/null
+Europe/Berlin
--- /dev/null
+[Settings]
+backend = external
+wireless_interface = wlp3s0
+wired_interface = enp0s25
+wpa_driver = wext
+always_show_wired_interface = False
+use_global_dns = False
+global_dns_1 = None
+global_dns_2 = None
+global_dns_3 = None
+global_dns_dom = None
+global_search_dom = None
+auto_reconnect = True
+debug_mode = False
+wired_connect_mode = 1
+signal_display_type = 0
+should_verify_ap = 1
+dhcp_client = 0
+link_detect_tool = 0
+flush_tool = 0
+sudo_app = 0
+prefer_wired = False
+show_never_connect = True
+
--- /dev/null
+# This is the Optimus-specific configuration recommended by the "NVIDIA
+# Accelerated Linux Graphics Driver README and Installation Guide", Chapter 32
+# "Offloading Graphics Display with RandR 1.4"
+# (<http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>)
+# with the "AllowEmptyInitialConfigratuion" added as described by
+# <http://us.download.nvidia.com/XFree86/Linux-x86/346.35/README/randr14.html>.
+
+Section "ServerLayout"
+ Identifier "layout"
+ Screen 0 "nvidia"
+ Inactive "intel"
+EndSection
+
+Section "Device"
+ Identifier "nvidia"
+ Driver "nvidia"
+ BusID "PCI:01:00:0"
+ Option "AllowEmptyInitialConfiguration"
+EndSection
+
+Section "Screen"
+ Identifier "nvidia"
+ Device "nvidia"
+EndSection
+
+Section "Device"
+ Identifier "intel"
+ Driver "modesetting"
+EndSection
+
+Section "Screen"
+ Identifier "intel"
+ Device "intel"
+EndSection
--- /dev/null
+127.0.0.1 localhost
+127.0.1.1 W530
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
--- /dev/null
+[Settings]
+backend = external
+wireless_interface = wlp3s0
+wired_interface = enp0s25
+wpa_driver = wext
+always_show_wired_interface = False
+use_global_dns = False
+global_dns_1 = None
+global_dns_2 = None
+global_dns_3 = None
+global_dns_dom = None
+global_search_dom = None
+auto_reconnect = True
+debug_mode = False
+wired_connect_mode = 1
+signal_display_type = 0
+should_verify_ap = 1
+dhcp_client = 0
+link_detect_tool = 0
+flush_tool = 0
+sudo_app = 0
+prefer_wired = False
+show_never_connect = True
+
--- /dev/null
+127.0.0.1 localhost
+127.0.1.1 X200s
+
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
--- /dev/null
+APT::AutoRemove::RecommendsImportant "false";
+APT::AutoRemove::SuggestsImportant "false";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
--- /dev/null
+deb http://ftp.debian.org/debian/ stretch main contrib non-free
+deb http://ftp.debian.org/debian/ stretch-updates main contrib non-free
+deb http://ftp.debian.org/debian stretch-backports main contrib non-free
+deb http://security.debian.org/ stretch/updates main contrib non-free
--- /dev/null
+deb http://download.opensuse.org/repositories/home:/stevenpusser/Debian_9.0/ /
--- /dev/null
+# ------------------------------------------------------------------------------
+# tlp - Parameters for power save
+# See full explanation: http://linrunner.de/en/tlp/docs/tlp-configuration.html
+
+# Hint: some features are disabled by default, remove the leading # to enable
+# them.
+
+# Set to 0 to disable, 1 to enable TLP.
+TLP_ENABLE=1
+
+# Operation mode when no power supply can be detected: AC, BAT
+# Concerns some desktop and embedded hardware only.
+TLP_DEFAULT_MODE=AC
+
+# Seconds laptop mode has to wait after the disk goes idle before doing a sync.
+# Non-zero value enables, zero disables laptop mode.
+DISK_IDLE_SECS_ON_AC=0
+DISK_IDLE_SECS_ON_BAT=2
+
+# Dirty page values (timeouts in secs).
+MAX_LOST_WORK_SECS_ON_AC=15
+MAX_LOST_WORK_SECS_ON_BAT=60
+
+# Hint: CPU parameters below are disabled by default, remove the leading #
+# to enable them, otherwise kernel default values are used.
+
+# Select a CPU frequency scaling governor.
+# Intel Core i processor with intel_pstate driver:
+# powersave(*), performance
+# Older hardware with acpi-cpufreq driver:
+# ondemand(*), powersave, performance, conservative
+# (*) is recommended.
+# Hint: use tlp-stat -p to show the active driver and available governors.
+# Important:
+# You *must* disable your distribution's governor settings or conflicts will
+# occur. ondemand is sufficient for *almost all* workloads, you should know
+# what you're doing!
+#CPU_SCALING_GOVERNOR_ON_AC=powersave
+#CPU_SCALING_GOVERNOR_ON_BAT=powersave
+
+# Set the min/max frequency available for the scaling governor.
+# Possible values strongly depend on your CPU. For available frequencies see
+# the output of tlp-stat -p.
+#CPU_SCALING_MIN_FREQ_ON_AC=0
+#CPU_SCALING_MAX_FREQ_ON_AC=0
+#CPU_SCALING_MIN_FREQ_ON_BAT=0
+#CPU_SCALING_MAX_FREQ_ON_BAT=0
+
+# Set Intel P-state performance: 0..100 (%)
+# Limit the max/min P-state to control the power dissipation of the CPU.
+# Values are stated as a percentage of the available performance.
+# Requires an Intel Core i processor with intel_pstate driver.
+#CPU_MIN_PERF_ON_AC=0
+#CPU_MAX_PERF_ON_AC=100
+#CPU_MIN_PERF_ON_BAT=0
+#CPU_MAX_PERF_ON_BAT=30
+
+# Set the CPU "turbo boost" feature: 0=disable, 1=allow
+# Requires an Intel Core i processor.
+# Important:
+# - This may conflict with your distribution's governor settings
+# - A value of 1 does *not* activate boosting, it just allows it
+#CPU_BOOST_ON_AC=1
+#CPU_BOOST_ON_BAT=0
+
+# Minimize number of used CPU cores/hyper-threads under light load conditions
+SCHED_POWERSAVE_ON_AC=0
+SCHED_POWERSAVE_ON_BAT=1
+
+# Kernel NMI Watchdog:
+# 0=disable (default, saves power), 1=enable (for kernel debugging only)
+NMI_WATCHDOG=0
+
+# Change CPU voltages aka "undervolting" - Kernel with PHC patch required
+# Frequency voltage pairs are written to:
+# /sys/devices/system/cpu/cpu0/cpufreq/phc_controls
+# CAUTION: only use this, if you thoroughly understand what you are doing!
+#PHC_CONTROLS="F:V F:V F:V F:V"
+
+# Set CPU performance versus energy savings policy:
+# performance, normal, powersave
+# Requires kernel module msr and x86_energy_perf_policy from linux-tools
+ENERGY_PERF_POLICY_ON_AC=performance
+ENERGY_PERF_POLICY_ON_BAT=powersave
+
+# Hard disk devices; separate multiple devices with spaces (default: sda).
+# Devices can be specified by disk ID also (lookup with: tlp diskid).
+DISK_DEVICES="sda sdb"
+
+# Hard disk advanced power management level: 1..254, 255 (max saving, min, off)
+# Levels 1..127 may spin down the disk; 255 allowable on most drives.
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the hardware default for the particular disk.
+DISK_APM_LEVEL_ON_AC="254 254"
+DISK_APM_LEVEL_ON_BAT="128 128"
+
+# Hard disk spin down timeout:
+# 0: spin down disabled
+# 1..240: timeouts from 5s to 20min (in units of 5s)
+# 241..251: timeouts from 30min to 5.5 hours (in units of 30min)
+# See 'man hdparm' for details.
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the hardware default for the particular disk.
+#DISK_SPINDOWN_TIMEOUT_ON_AC="0 0"
+#DISK_SPINDOWN_TIMEOUT_ON_BAT="0 0"
+
+# Select IO scheduler for the disk devices: cfq, deadline, noop (Default: cfq);
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the kernel default scheduler for the particular disk.
+#DISK_IOSCHED="cfq cfq"
+
+# SATA aggressive link power management (ALPM):
+# min_power, medium_power, max_performance
+SATA_LINKPWR_ON_AC=max_performance
+SATA_LINKPWR_ON_BAT=min_power
+
+# Exclude SATA host devices from link power management.
+# Separate multiple hosts with spaces.
+#SATA_LINKPWR_BLACKLIST="host1"
+
+# Runtime Power Management for AHCI controllers and disks:
+# on=disable, auto=enable
+# EXPERIMENTAL ** WARNING: auto will most likely cause system lockups/data loss
+#AHCI_RUNTIME_PM_ON_AC=on
+#AHCI_RUNTIME_PM_ON_BAT=on
+
+# Seconds of inactivity before disk is suspended
+AHCI_RUNTIME_PM_TIMEOUT=15
+
+# PCI Express Active State Power Management (PCIe ASPM):
+# default, performance, powersave
+PCIE_ASPM_ON_AC=performance
+PCIE_ASPM_ON_BAT=powersave
+
+# Radeon graphics clock speed (profile method): low, mid, high, auto, default;
+# auto = mid on BAT, high on AC; default = use hardware defaults.
+# (Kernel >= 2.6.35 only, open-source radeon driver explicitly)
+RADEON_POWER_PROFILE_ON_AC=high
+RADEON_POWER_PROFILE_ON_BAT=low
+
+# Radeon dynamic power management method (DPM): battery, performance
+# (Kernel >= 3.11 only, requires boot option radeon.dpm=1)
+RADEON_DPM_STATE_ON_AC=performance
+RADEON_DPM_STATE_ON_BAT=battery
+
+# Radeon DPM performance level: auto, low, high; auto is recommended.
+RADEON_DPM_PERF_LEVEL_ON_AC=auto
+RADEON_DPM_PERF_LEVEL_ON_BAT=auto
+
+# WiFi power saving mode: on=enable, off=disable; not supported by all adapters.
+WIFI_PWR_ON_AC=off
+WIFI_PWR_ON_BAT=on
+
+# Disable wake on LAN: Y/N
+WOL_DISABLE=Y
+
+# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
+# A value of 0 disables, >=1 enables power save.
+SOUND_POWER_SAVE_ON_AC=0
+SOUND_POWER_SAVE_ON_BAT=1
+
+# Disable controller too (HDA only): Y/N
+SOUND_POWER_SAVE_CONTROLLER=Y
+
+# Set to 1 to power off optical drive in UltraBay/MediaBay when running on
+# battery. A value of 0 disables this feature (Default).
+# Drive can be powered on again by releasing (and reinserting) the eject lever
+# or by pressing the disc eject button on newer models.
+# Note: an UltraBay/MediaBay hard disk is never powered off.
+BAY_POWEROFF_ON_BAT=0
+# Optical drive device to power off (default sr0).
+BAY_DEVICE="sr0"
+
+# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable
+RUNTIME_PM_ON_AC=on
+RUNTIME_PM_ON_BAT=auto
+
+# Runtime PM for *all* PCI(e) bus devices, except blacklisted ones:
+# 0=disable, 1=enable
+RUNTIME_PM_ALL=1
+
+# Exclude PCI(e) device adresses the following list from Runtime PM
+# (separate with spaces). Use lspci to get the adresses (1st column).
+#RUNTIME_PM_BLACKLIST="bb:dd.f 11:22.3 44:55.6"
+
+# Exclude PCI(e) devices assigned to the listed drivers from Runtime PM
+# (should prevent accidential power on of hybrid graphics' discrete part).
+# Default is "radeon nouveau"; use "" to disable the feature completely.
+# Separate multiple drivers with spaces.
+RUNTIME_PM_DRIVER_BLACKLIST="radeon nouveau"
+
+# Set to 0 to disable, 1 to enable USB autosuspend feature.
+USB_AUTOSUSPEND=1
+
+# Exclude listed devices from USB autosuspend (separate with spaces).
+# Use lsusb to get the ids.
+# Note: input devices (usbhid) are excluded automatically (see below)
+#USB_BLACKLIST="1111:2222 3333:4444"
+
+# WWAN devices are excluded from USB autosuspend: 0=do not exclude / 1=exclude
+USB_BLACKLIST_WWAN=1
+
+# Include listed devices into USB autosuspend even if already excluded
+# by the driver or WWAN blacklists above (separate with spaces).
+# Use lsusb to get the ids.
+#USB_WHITELIST="1111:2222 3333:4444"
+
+# Set to 1 to disable autosuspend before shutdown, 0 to do nothing
+# (workaround for USB devices that cause shutdown problems).
+#USB_AUTOSUSPEND_DISABLE_ON_SHUTDOWN=1
+
+# Restore radio device state (Bluetooth, WiFi, WWAN) from previous shutdown
+# on system startup: 0=disable, 1=enable.
+# Hint: the parameters DEVICES_TO_DISABLE/ENABLE_ON_STARTUP/SHUTDOWN below
+# are ignored when this is enabled!
+RESTORE_DEVICE_STATE_ON_STARTUP=0
+
+# Radio devices to disable on startup: bluetooth, wifi, wwan.
+# Separate multiple devices with spaces.
+DEVICES_TO_DISABLE_ON_STARTUP="bluetooth wifi wwan"
+
+# Radio devices to enable on startup: bluetooth, wifi, wwan.
+# Separate multiple devices with spaces.
+#DEVICES_TO_ENABLE_ON_STARTUP="wifi"
+
+# Radio devices to disable on shutdown: bluetooth, wifi, wwan
+# (workaround for devices that are blocking shutdown).
+#DEVICES_TO_DISABLE_ON_SHUTDOWN="bluetooth wifi wwan"
+
+# Radio devices to enable on shutdown: bluetooth, wifi, wwan
+# (to prevent other operating systems from missing radios).
+#DEVICES_TO_ENABLE_ON_SHUTDOWN="wwan"
+
+# Radio devices to enable on AC: bluetooth, wifi, wwan
+#DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+
+# Radio devices to disable on battery: bluetooth, wifi, wwan
+#DEVICES_TO_DISABLE_ON_BAT="bluetooth wifi wwan"
+
+# Radio devices to disable on battery when not in use (not connected):
+# bluetooth, wifi, wwan
+DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE="bluetooth wifi wwan"
+
+# Battery charge thresholds (ThinkPad only, tp-smapi or acpi-call kernel module
+# required). Charging starts when the remaining capacity falls below the
+# START_CHARGE_THRESH value and stops when exceeding the STOP_CHARGE_THRESH value.
+# Main / Internal battery (values in %)
+START_CHARGE_THRESH_BAT0=10
+STOP_CHARGE_THRESH_BAT0=95
+# Ultrabay / Slice / Replaceable battery (values in %)
+START_CHARGE_THRESH_BAT1=10
+STOP_CHARGE_THRESH_BAT1=95
+
+# ------------------------------------------------------------------------------
+# tlp-rdw - Parameters for the radio device wizard
+# Possible devices: bluetooth, wifi, wwan
+
+# Hints:
+# - Parameters are disabled by default, remove the leading # to enable them.
+# - Separate multiple radio devices with spaces.
+
+# Radio devices to disable on connect.
+#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
+#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"
+#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"
+
+# Radio devices to enable on disconnect.
+#DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
+#DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+#DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+
+# Radio devices to enable/disable when docked.
+#DEVICES_TO_ENABLE_ON_DOCK=""
+#DEVICES_TO_DISABLE_ON_DOCK=""
+
+# Radio devices to enable/disable when undocked.
+#DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+#DEVICES_TO_DISABLE_ON_UNDOCK=""
--- /dev/null
+# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
+# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
+
+if [ "`id -u`" -eq 0 ]; then
+ PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+else
+ PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
+fi
+export PATH
+
+if [ "${PS1-}" ]; then
+ if [ "${BASH-}" ] && [ "$BASH" != "/bin/sh" ]; then
+ # The file bash.bashrc already sets the default PS1.
+ # PS1='\h:\w\$ '
+ if [ -f /etc/bash.bashrc ]; then
+ . /etc/bash.bashrc
+ fi
+ else
+ if [ "`id -u`" -eq 0 ]; then
+ PS1='# '
+ else
+ PS1='$ '
+ fi
+ fi
+fi
+
+if [ -d /etc/profile.d ]; then
+ for i in /etc/profile.d/*.sh; do
+ if [ -r $i ]; then
+ . $i
+ fi
+ done
+ unset i
+fi
+export LC_ALL="en_US.UTF-8"
--- /dev/null
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+#
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# Defaults can be restored by simply deleting this file.
+#
+# See logind.conf(5) for details.
+
+[Login]
+#NAutoVTs=6
+#ReserveVT=6
+#KillUserProcesses=no
+#KillOnlyUsers=
+#KillExcludeUsers=root
+#InhibitDelayMaxSec=5
+#HandlePowerKey=poweroff
+#HandleSuspendKey=suspend
+#HandleHibernateKey=hibernate
+#HandleLidSwitch=suspend
+#HandleLidSwitchDocked=ignore
+#PowerKeyIgnoreInhibited=no
+#SuspendKeyIgnoreInhibited=no
+#HibernateKeyIgnoreInhibited=no
+#LidSwitchIgnoreInhibited=yes
+#HoldoffTimeoutSec=30s
+#IdleAction=ignore
+#IdleActionSec=30min
+#RuntimeDirectorySize=10%
+#RemoveIPC=yes
+#InhibitorsMax=8192
+#SessionsMax=8192
+#UserTasksMax=33%
+HandleLidSwitch=hibernate
--- /dev/null
+Europe/Berlin
--- /dev/null
+ansible-playbook -i 'localhost,' -c local config.yml
--- /dev/null
+ansible-playbook -i 'localhost,' -e system_name=X200s -c local config_new.yml
--- /dev/null
+ansible-playbook -i 'localhost,' -c local user.yml
--- /dev/null
+ansible-playbook -i 'localhost,' -e system_name=X200s -c local user_new.yml
--- /dev/null
+---
+
+- name: collect officially required packages
+ shell: dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
+
+- name: add "ifupdown" and "isc-dhcp-client" (to keep internet connection afterwards) and "ansible" (to keep its modules available for continuing the configuration) to required packages
+ shell: echo 'ifupdown' >> /tmp/list_white_unsorted && echo 'isc-dhcp-client' >> /tmp/list_white_unsorted && echo 'ansible' >> /tmp/list_white_unsorted && sort /tmp/list_white_unsorted > /tmp/list_white
+
+- name: collect currently installed packages
+ shell: dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages && sort /tmp/list_all_packages > /tmp/foo && mv /tmp/foo /tmp/list_all_packages
+
+- name: create black list of packages to mark as automatically installed from the difference between the required packages and the packages currently installed
+ shell: comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
+
+- name: mark all packages from black list as automatically installed
+ shell: apt-mark auto $(cat /tmp/list_black)
+
+- name: purge all packages automatically installed that are not depended on
+ shell: DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+
+- name: ensure flags directory exists
+ file: path=flags state=directory
+
+- name: set initial_purge_happened flag, so that this whole process does not get repeated
+ file: path=flags/initial_purge_happened state=touch
--- /dev/null
+---
+
+- name: Set qutebrowser, python3-pypeg2 facts.
+ set_fact:
+ qutebrowser_deb_url: https://github.com/qutebrowser/qutebrowser/releases/download/v0.11.0/qutebrowser_0.11.0-1_all.deb
+ python3pypeg2_deb_url: https://qutebrowser.org/python3-pypeg2_2.15.2-1_all.deb
+ qutebrowser_deb_path: /tmp/qutebrowser.deb
+ python3pypeg2_deb_path: /tmp/python3-pypeg2.deb
+
+- name: Check if qutebrowser is installed.
+ command: dpkg-query -W qutebrowser
+ register: qutebrowser_debcheck
+ failed_when: qutebrowser_debcheck.rc > 1
+ changed_when: qutebrowser_debcheck.rc == 1
+
+- name: Check if qutebrowser-dependency python3-pypeg2 is installed.
+ command: dpkg-query -W python3-pypeg2
+ register: python3pypeg2_debcheck
+ failed_when: python3pypeg2_debcheck.rc > 1
+ changed_when: python3pypeg2_debcheck.rc == 1
+ when: qutebrowser_debcheck.rc == 1
+
+- name: Download python3-pypeg2 package.
+ get_url: url={{ python3pypeg2_deb_url }} dest={{ python3pypeg2_deb_path }}
+ when: qutebrowser_debcheck.rc == 1 and python3pypeg2_debcheck.rc == 1
+
+- name: Download qutebrowser package.
+ get_url: url={{ qutebrowser_deb_url }} dest={{ qutebrowser_deb_path }}
+ when: qutebrowser_debcheck.rc == 1
+
+# We use command: apt as a workaround because the Ansible apt module installs
+# the Depends of the .deb marked as manual while we want them marked as auto.
+- name: Install python3-pypeg2 package,
+ command: apt install --yes "{{ python3pypeg2_deb_path}}"
+ when: qutebrowser_debcheck.rc == 1 and python3pypeg2_debcheck.rc == 1
+
+- name: Mark python3-pypeg2 package as automatically installed.
+ command: apt-mark auto python3-pypeg2
+ when: qutebrowser_debcheck.rc == 1 and python3pypeg2_debcheck.rc == 1
+
+# We use command: apt as a workaround because the Ansible apt module installs
+# the Depends of the .deb marked as manual while we want them marked as auto.
+- name: Install qutebrowser package.
+ command: apt install --yes "{{ qutebrowser_deb_path}}"
+ when: qutebrowser_debcheck.rc == 1
--- /dev/null
+- hosts: all
+ tasks:
+
+ - name: ensure ~/.vimbackups directory
+ file: state=directory dest=~/.vimbackups
+ - name: Ensure dotfile symlinks
+ file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
+ with_fileglob:
+ - ~/config/dotfiles/minimal/*
+ - ~/config/dotfiles/user/thinkpad/minimal/*
+ - ~/config/dotfiles/user/thinkpad/W530/*
+ - name: ensure ~/downloads directory
+ file: state=directory dest=~/downloads
--- /dev/null
+- hosts: all
+ tasks:
+
+ - name: ensure ~/.vimbackups directory
+ file: state=directory dest=~/.vimbackups
+ - name: Ensure dotfile symlinks
+ file: state=link force=yes src={{item}} dest=~/.{{item|basename}}
+ with_fileglob:
+ - ~/config/dotfiles/minimal/*
+ - ~/config/dotfiles/user/thinkpad/minimal/*
+ - ~/config/dotfiles/user/thinkpad/{{ system_name }}/*
+ - name: ensure ~/downloads directory
+ file: state=directory dest=~/downloads
--- /dev/null
+#!/usr/bin/env python3
+import lxml
+import argparse
+# use with `find status.plomlompom.com -type f -name "*.html" -exec ./archive_plomroma.py -f {} \;`
+
+parser = argparse.ArgumentParser(description="archive plom's self-hosted pleroma feed")
+parser.add_argument("-f", "--file", dest="file", required=True, help="HTML file to process")
+args = parser.parse_args()
+print("processing", args.file)
+
+def print_tree(node, level=0):
+ tag = node.tag
+ id = node.get("id")
+ classes = node.get("class")
+ text = (node.text or "").strip()
+ attributes_info = []
+ if id:
+ attributes_info.append(f"id='{id}'")
+ if classes:
+ attributes_info.append(f"class='{classes}'")
+ attr_str = " ".join(attributes_info)
+ print(" " * level + f"<{tag} {attr_str}>", end="")
+ if text:
+ print(f" -> {text}")
+ else:
+ print()
+ for child in node:
+ print_tree(child, level + 1)
+
+with open(args.file, "r", encoding="utf-8") as file:
+ content = file.read()
+from lxml import html
+tree = html.fromstring(content)
+
+atom_links = tree.xpath('/html/head/link[@rel="alternate"]')
+for atom_link in atom_links:
+ atom_link.getparent().remove(atom_link)
+comments = tree.xpath('//comment()')
+for comment in comments:
+ comment.getparent().remove(comment)
+forms = tree.xpath('//form')
+for form in forms:
+ form.getparent().remove(form)
+
+
+def has_class(context, element, class_name):
+ classes = element[0].get('class', '').split()
+ return class_name in classes
+ns = lxml.etree.FunctionNamespace(None)
+ns['has-class'] = has_class
+matching_divs = tree.xpath('//div[has-class(., "activity") and .//div[has-class(., "p-author")] and .//bdi[has-class(., "p-name") and string()!="plomlompom"]]')
+imgs = tree.xpath('//img')
+for img in imgs:
+ src = img.get('src')
+ if src and not src.startswith('https://status.plomlompom.com/'):
+ img.attrib.pop('src', None)
+ alt = img.get('alt')
+ if alt and not alt.startswith('../'):
+ img.attrib.pop('alt', None)
+ title = img.get('title')
+ if title and not title.startswith('../'):
+ img.attrib.pop('title', None)
+removal_notice = "[Removed foreign content for static archive, follow permalink on date to see original.]"
+for activity_div in matching_divs:
+ details = activity_div.xpath('.//details[./div[has-class]]')
+ for detail in details:
+ new_div = lxml.etree.Element("div")
+ new_div.text = removal_notice
+ detail.getparent().replace(detail, new_div)
+ e_contents = activity_div.xpath('.//div[has-class(., "e-content") or has-class(., "activity-content")]')
+ for content in e_contents:
+ content.clear()
+ content.text = removal_notice
+
+header = """
+<p style="text-align: right;"><a href="https://plomlompom.com/contact.html">contact</a> / <a href="https://plomlompom.com/privacy.html">privacy</a></p>
+<p>plomroma (archived): This site is a static archive of a Pleroma instance formerly hosted by me, to preserve my own messages from that time. Foreign content has been removed, but may still be available via links.</p>
+<hr />
+"""
+tree.body.insert(0, html.fromstring(header))
+
+# print_tree(tree)
+with open(args.file, "w", encoding="utf-8") as file:
+ file.write(html.tostring(tree, pretty_print=True, encoding="utf-8").decode("utf-8"))
+
+print("done")
--- /dev/null
+#!/bin/sh
+cd ~/plomlombot-irc
+./run.sh -r 604800 -n broiler_in "#nodrama.de"
--- /dev/null
+#!/bin/sh
+cd ~/plomlombot-irc
+./run.sh -r 604800 -n hubbabubba "#freakazoid"
--- /dev/null
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# Inspired by http://code.stapelberg.de/git/i3status/tree/contrib/wrapper.py
+
+import sys
+import json
+import subprocess
+
+def print_nonbuffered(message):
+ sys.stdout.write(message)
+ sys.stdout.flush()
+
+if __name__ == '__main__':
+ print_nonbuffered(sys.stdin.readline())
+ print_nonbuffered(sys.stdin.readline())
+ while True:
+ line, prefix = sys.stdin.readline(), ''
+ if line.startswith(','):
+ line, prefix = line[1:], ','
+ j = json.loads(line)
+ if '1' == subprocess.getoutput('xset q | grep LED')[65]:
+ j.insert(len(j), {'full_text' : 'CAPS',
+ 'separator_block_width': 40,
+ 'color': '#FF0000'})
+ print_nonbuffered(prefix+json.dumps(j))
--- /dev/null
+#!/bin/sh
+
+set -e
+set -x
+
+~/letsencrypt/letsencrypt-auto certonly --standalone -d dump.plomlompom.com
+~/letsencrypt/letsencrypt-auto certonly --standalone -d htwtxt.plomlompom.com
--- /dev/null
+#!/bin/sh
+
+eth_interface=enp0s25
+wifi_interface=wls1
+
+ensure_wifi_on() {
+ if [ ! "$(wifi)" = "wifi = on" ]; then
+ #wifi on
+ ip link set "$wifi_interface" up
+ fi
+}
+
+if ! echo "${1}"; then
+ echo 'No command given.'
+ print_usage
+ exit 1
+elif [ "${1}" = 'eth_connect' ]; then
+ ip link set "$eth_interface" up
+ dhclient "$eth_interface"
+
+elif [ "${1}" = 'eth_disconnect' ]; then
+ ip link set "$eth_interface" down
+
+elif [ "${1}" = 'wifi_scan' ]; then
+ ensure_wifi_on
+ ip link set "$wifi_interface" up
+ iw dev "$wifi_interface" scan | grep SSID
+
+elif [ "${1}" = 'wifi_connect_open' ]; then
+ ensure_wifi_on
+ iw dev "$wifi_interface" connect "${2}"
+ dhclient "$wifi_interface"
+ #ip route delete default
+ #ip route add default via 192.168.1.1 dev wls1
+
+elif [ "${1}" = 'wifi_connect_wep_ascii' ]; then
+ ensure_wifi_on
+ iw dev "$wifi_interface" connect "${2}" key 0:"${3}"
+ dhclient "$wifi_interface"
+
+elif [ "${1}" = 'wifi_connect_wep_hex' ]; then
+ ensure_wifi_on
+ iw dev "$wifi_interface" connect "${2}" key d:0:"${3}"
+ dhclient "$wifi_interface"
+
+elif [ "${1}" = 'wifi_connect_wpa' ]; then
+ ensure_wifi_on
+ wpa_passphrase "${2}" "${3}" > /tmp/wpa_supplicant.conf
+ wpa_supplicant -B -i "$wifi_interface" -c /tmp/wpa_supplicant.conf
+ dhclient "$wifi_interface"
+
+elif [ "${1}" = 'wifi_disconnect' ]; then
+ ip link set "$wifi_interface" down
+
+else
+ echo 'Available commands:'
+ echo ' eth_connect'
+ echo ' eth_disconnect'
+ echo ' wifi_scan'
+ echo ' wifi_connect_open SSID'
+ echo ' wifi_connect_wep_ascii SSID KEY'
+ echo ' wifi_connect_wep_hex SSID KEY'
+ echo ' wifi_connect_wpa SSID KEY'
+ echo ' wifi_disconnect'
+fi
--- /dev/null
+#!/bin/sh
+cd ~/plomlombot-irc
+./run.sh -r 604800 -n botlomplom "#zrolaps"
--- /dev/null
+#!/bin/sh
+
+service nginx stop
+~/letsencrypt/letsencrypt-auto renew
+service nginx restart
--- /dev/null
+#!/bin/sh
+set -e
+selector=$1
+file=$2
+
+if [ ! -n "$selector" ]; then
+ cat << EOF
+Usage: $0 SELECTOR [KEYFILE] - set up DKIM system and configuration
+
+If existing KEYFILE is given, set up DKIM to use SELECTOR and apply key from
+KEYFILE.
+
+If existing KEYFILE is not given, generate KEYFILE and DNS TXT file for
+SELECTOR.
+EOF
+ exit
+fi
+
+if [ ! "$(id -u)" -eq "0" ]; then
+ echo "Must be run as root."
+ exit 1
+fi
+
+set -x
+apt-get -y install opendkim
+
+if [ ! -n "$file" ]; then
+ apt-get -y install opendkim-tools
+ opendkim-genkey -d plomlompom.com -s $selector
+ apt-get -y --purge autoremove opendkim-tools
+ set +x
+ echo
+ echo 'Generated key file at '$selector'.private.'
+ echo 'Also generated '$selector'.txt, APPLY its content below to your DNS' \
+ 'record.'
+ echo 'AFTER the waiting time for DNS propagation RERUN this script with' \
+ 'the key file as SECOND parameter (still use selector as first one).'
+ echo
+ cat $selector.txt
+else
+ if [ ! -f "$file" ]; then
+ set +x
+ echo
+ echo "Keyfile $file does not exist."
+ exit 1
+ fi
+ cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
+ sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
+ mkdir -p /etc/opendkim
+ if [ -f /etc/opendkim/dkim.key ]; then
+ cp /etc/opendkim/dkim.key /etc/opendkim/dkim.key~
+ fi
+ cp $file /etc/opendkim/dkim.key
+ cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
+ cat >> /etc/postfix/main.cf << EOF
+
+# Use opendkim at given port as mail filter.
+non_smtpd_milters = inet:localhost:12301
+EOF
+ service opendkim restart
+ service postfix restart
+ set +x
+ echo
+ echo 'Ensure the DKIM TXT entry in your DNS record matches!'
+fi
--- /dev/null
+#!/bin/sh
+set -x
+set -e
+key=$1
+cert=$2
+
+if [ ! "$(id -u)" -eq "0" ]; then
+ echo "Must be run as root."
+ exit 1
+fi
+
+key_target=/etc/postfix/key.pem
+if [ ! -n "$key" ]; then
+ if [ ! -f "${key_target}" ]; then
+ (umask 077; openssl genrsa -out "${key_target}" 2048)
+ fi
+else
+ cp "$key" "${key_target}"
+fi
+
+fqdn=$(postconf -h myhostname)
+cert_target=/etc/postfix/cert.pem
+if [ ! -n "$cert" ]; then
+ if [ ! -f "${cert_target}" ]; then
+ openssl req -new -key "${key_target}" -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert_target}"
+ fi
+else
+ cp "$cert" "${cert_target}"
+fi
+
+cat >> /etc/postfix/main.cf << EOF
+
+# Enable server-side STARTTLS.
+smtpd_tls_cert_file = /etc/postfix/cert.pem
+smtpd_tls_key_file = /etc/postfix/key.pem
+smtpd_tls_security_level = may
+EOF
+service postfix restart
--- /dev/null
+#!/bin/sh
+#
+# This mails to user plom the message in the file named by the first parameter,
+# decoded with the first line as subject and everything below the second line
+# as the message body.
+
+subject=`head -1 $1`
+body=`tail -n +3 $1`
+echo "$body" | mutt -s "$subject" plom
--- /dev/null
+#!/bin/sh
+#
+# This mails to plom@plomlompom.com the message in the file named by the first
+# parameter, decoded with the first line as subject and everything below the
+# second line as the message body.
+
+subject=`head -1 $1`
+body=`tail -n +3 $1`
+echo "$body" | mutt -s "$subject" plom@plomlompom.com
--- /dev/null
+#!/bin/sh
+$GOPATH/bin/htwtxt \
+ --contact 'see http://www.plomlompom.de/' \
+ --mailport 587 \
+ --mailserver smtp.gmail.com \
+ --mailuser christian.heller@gmail.com \
+ --port 8000 \
+ --signup
--- /dev/null
+#!/bin/sh
+
+set -x
+set -e
+
+dir_minimal=~/config/dotfiles/minimal
+dir_user_prefix=~/config/dotfiles/user
+dir_user_minimal=$dir_user_prefix/minimal
+dir_user_machine=$dir_user_prefix/$1/minimal
+if [ "$3" = "" ]; then
+ dir_user_variety=$dir_user_prefix/$1/$2
+else
+ dir_user_variety=$dir_user_prefix/$1/$2/minimal
+fi
+dir_user_subvariety=$dir_user_prefix/$1/$2/$3
+dir_root=~/config/dotfiles/root
+homedir=`echo ~`
+find ~ -lname $homedir'/config/*' -delete
+for file in `ls $dir_minimal`; do
+ ln -fs $dir_minimal/$file ~/.$file
+done
+if [ "$(id -u)" -eq "0" ]; then
+ for file in `ls $dir_root`; do
+ ln -fs $dir_root/$file ~/.$file
+ done
+else
+ for file in `ls $dir_user_minimal`; do
+ ln -fs $dir_user_minimal/$file ~/.$file
+ done
+ for file in `ls $dir_user_machine`; do
+ ln -fs $dir_user_machine/$file ~/.$file
+ done
+ for file in `ls $dir_user_variety`; do
+ ln -fs $dir_user_variety/$file ~/.$file
+ done
+ if [ ! "$3" = "" ]; then
+ for file in `ls $dir_user_subvariety`; do
+ ln -fs $dir_user_subvariety/$file ~/.$file
+ done
+ fi
+fi
--- /dev/null
+#!/bin/sh
+
+# A very primitive backlight setter with a hardcoded backlight path, to replace
+# xbacklight which currently does not work on my system.
+
+if ! echo "${1}" | egrep -q '^[0-9]+$' && ! [ "${1}" = "+" -o "${1}" = "-" ]; then
+ echo 'Argument must be a number, or "+", or "-".'
+ exit 1
+fi
+backlight_dir=/sys/class/backlight/intel_backlight
+max_brightness=$(cat "${backlight_dir}"/max_brightness)
+target="${backlight_dir}"/brightness
+if [ "${1}" = "+" -o "${1}" = "-" ]; then
+ fract=$(expr "${max_brightness}" / 20)
+ cur_brightness=$(cat "${backlight_dir}"/brightness)
+ brightness=$(expr "${cur_brightness}" "${1}" "${fract}")
+ if [ "${brightness}" -gt "${max_brightness}" ]; then
+ brightness="${max_brightness}"
+ elif [ "${brightness}" -lt "0" ]; then
+ brightness=0
+ fi
+ sudo sh -c 'echo '"${brightness}"' > '"${target}"
+ exit 0
+fi
+percentage=${1}
+if [ "${percentage}" = '100' ]; then
+ sudo sh -c 'echo '"${max_brightness}"' > '"${target}"
+else
+ fract=$(expr "${max_brightness}" / 100)
+ brightness=$(expr "${percentage}" \* "${fract}")
+ sudo sh -c 'echo '"${brightness}"' > '"${target}"
+fi
--- /dev/null
+#!/bin/sh
+
+# Undo bumblebee setup.
+sudo service bumblebeed stop
+sudo modprobe nvidia-drm
+sudo update-alternatives --set glx /usr/lib/nvidia
+
+# Use special xorg.conf and pass NVIDIA_DIRECT directive to .xinitrc.
+NVIDIA_DIRECT=1 startx -- -config xorg.conf.forced_nvidia
+
+# Recreate bumblebee setup.
+sudo service bumblebeed start
+sudo update-alternatives --auto glx
--- /dev/null
+#!/bin/sh
+
+# Enforce ~/.weechatrc as sole persistent weechat config file.
+~/config/bin/simplemail.sh ~/config/mails/weechat_restart_reminder
+rm -rf ~/.weechat/
+WEECHATCONF=`tr '\n' ';' < ~/.weechatrc`
+weechat -r "$WEECHATCONF"
+rm -rf ~/.weechat/
--- /dev/null
+#!/bin/sh
+
+check_wifi_id_set() {
+ if ! echo "${1}" | egrep -q '^[0-9]+$'; then
+ echo 'Wifi identifier must be integer.'
+ exit 1
+ fi
+}
+
+ensure_wifi_on() {
+ if [ ! "$(wifi)" = "wifi = on" ]; then
+ sudo wifi on
+ fi
+}
+
+print_usage() {
+ echo 'Available commands:'
+ echo ' eth_connect'
+ echo ' eth_disconnect'
+ echo ' wifi_scan'
+ echo ' wifi_info WIFI_ID'
+ echo ' wifi_set_wpa WIFI_ID KEY'
+ echo ' wifi_connect WIFI_ID'
+ echo ' wifi_disconnect'
+}
+
+if ! echo "${1}"; then
+ echo 'No command given.'
+ print_usage
+ exit 1
+elif [ "${1}" = 'eth_connect' ]; then
+ wicd-cli --wired --connect
+
+elif [ "${1}" = 'eth_disconnect' ]; then
+ wicd-cli --wired --disconnect
+
+elif [ "${1}" = 'wifi_scan' ]; then
+ ensure_wifi_on
+ wicd-cli --wireless --scan
+ wicd-cli --wireless --list-networks
+
+elif [ "${1}" = 'wifi_info' ]; then
+ check_wifi_id_set "${2}"
+ wicd-cli --wireless --network="${2}" --network-details
+
+elif [ "${1}" = 'wifi_set_wpa' ]; then
+ check_wifi_id_set "${2}"
+ if ! echo "${3}" ; then
+ echo 'No key set.'
+ exit 1
+ fi
+ wicd-cli --wireless --network="${2}" --network-property=enctype --set-to=wpa
+ wicd-cli --wireless --network="${2}" --network-property=key --set-to="${3}"
+
+elif [ "${1}" = 'wifi_connect' ]; then
+ ensure_wifi_on
+ check_wifi_id_set "${2}"
+ wicd-cli --wireless --network="${2}" --connect
+
+elif [ "${1}" = 'wifi_disconnect' ]; then
+ wicd-cli --wireless --disconnect
+
+else
+ echo 'Unknown command.'
+ print_usage
+ exit 1
+fi
--- /dev/null
+#!/bin/sh
+cd ~/plomlombot-irc
+./run.sh -r 604800 -n histomat "#freie-gesellschaft"
--- /dev/null
+# connectivity: ifupdown seems necessary everyhwere, isc-dhcp-client
+# unpredictably so
+ifupdown
+isc-dhcp-client
+# git for the setup directory; cloning works with ca-certificates
+ca-certificates
+git
+# to avoid constant warnings about no locale being found
+locales
+# extremely useful for basic network debugging; missed these more than once in an emergency
+netcat
+iputils-ping
--- /dev/null
+# so that grub learns about kernel updates
+grub-pc
--- /dev/null
+wget
+# for blog and zettel
+pandoc
+# for blog
+html2text
+uuid-runtime
+python3
+# for url_catcher daemon
+python3-venv
+build-essential
+python3-dev
+screen
+postfix
--- /dev/null
+# for wifi
+firmware-ralink
+#
--- /dev/null
+# smtp server
+postfix
+# opendkim
+opendkim
+opendkim-tools
+# for pingmail
+mailutils
+# ssl
+certbot
+# IMAPS
+pwgen
+dovecot-imapd
+# sieve filtering
+dovecot-lmtpd
+dovecot-sieve
+# to funnel mail from additional server
+fetchmail
--- /dev/null
+# because it contains ifconfig
+net-tools
--- /dev/null
+ffmpeg
+postgresql
+postgresql-contrib
+openssl
+redis-server
+python-dev
+# only needed for setup
+g++
+make
+git
+curl
+unzip
+libncurses5
+pwgen
+wget
--- /dev/null
+weechat
+screen
+gnupg
+dirmngr
--- /dev/null
+# Pleroma DB
+postgresql
+postgresql-contrib
+# only needed for setup
+pwgen
--- /dev/null
+# only needed for setup
+curl
+unzip
+libncurses5
--- /dev/null
+# only needed for setup
+build-essential
+wget
+gnupg
--- /dev/null
+# needed for rtorrent config setup
+curl
+# needed for torrenting
+rtorrent
+# needed for torrenting session
+screen
+# needed for upload/download
+rsync
--- /dev/null
+# so we can login at all …
+openssh-server
+# firewalling
+nftables
+# We want to be able to use ALL our servers as borg backup destinations.
+borgbackup
--- /dev/null
+# for wifi
+firmware-iwlwifi
+# for tlp
+tlp
+tp-smapi-dkms
+linux-headers-amd64
+#
--- /dev/null
+# to avoid booting problems with encrypted LVM, see <https://askubuntu.com/a/1105848>
+cryptsetup-initramfs
+lvm2
+# this provides setupcon which reads /etc/default/console-setup
+console-setup
+# without this, systemd-logind won't run, and so not detect lid close for hibernation
+dbus
+# for wifi
+wicd-curses
+wicd-gtk
+# for X to start at all
+xserver-xorg-video-intel
+# X input: keyboard and touchpad
+xserver-xorg-input-evdev
+xserver-xorg-input-synaptics
+# for startx
+xinit
+# for xrdb
+x11-xserver-utils
+# for startx to run for non-root user
+libpam-systemd
+# window environment
+i3
+i3status
+suckless-tools
+xterm
+# to get sleepy at night
+redshift
+# for alsamixer
+alsa-utils
+# for xterm and browser unicode display
+ttf-unifont
+# also useful
+vim
+sudo
+less
+man-db
+manpages
+procps
+# firefox dependencies
+libdbus-glib-1-2
+libgtk-3-0
+# firefox installation dependencies (remove later?)
+curl
+python3
+bzip2
+wget
+jq
+unzip
+# to mount encrypted USB stick and use its contents
+pmount
+cryptsetup
+openssh-client
+# for syncing
+borgbackup
+# emacs
+emacs25
+emacs-common-non-dfsg
+emacs-el
+elpa-ledger
+ledger
+elpa-elfeed
+# mail setup
+isync
+notmuch
+elpa-notmuch
+pinentry-gtk2
+# to mount Android phone
+go-mtpfs
+# to use HP Deskjet F380 scanner from GIMP
+sane-utils
+libsane-hpaio
+xsane
+# to use HP Deskjet F380 printer
+cups
+hplip
+#
--- /dev/null
+nginx-light
+# for SSL
+certbot
+python3-certbot-nginx
--- /dev/null
+# for gitweb
+gitweb
+fcgiwrap
+# for plomlombot
+gnupg
+dirmngr
+python3-venv
+screen
--- /dev/null
+APT::AutoRemove::RecommendsImportant "false";
+APT::AutoRemove::SuggestsImportant "false";
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
--- /dev/null
+deb http://deb.debian.org/debian buster main contrib non-free
+deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
+deb http://deb.debian.org/debian buster-updates main contrib non-free
+deb http://ftp.debian.org/debian buster-backports main contrib non-free
--- /dev/null
+LANG="en_US.UTF-8"
--- /dev/null
+# This file lists locales that you wish to have built. You can find a list
+# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
+# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
+# this file, you need to rerun locale-gen.
+
+
+# aa_DJ ISO-8859-1
+# aa_DJ.UTF-8 UTF-8
+# aa_ER UTF-8
+# aa_ER@saaho UTF-8
+# aa_ET UTF-8
+# af_ZA ISO-8859-1
+# af_ZA.UTF-8 UTF-8
+# ak_GH UTF-8
+# am_ET UTF-8
+# an_ES ISO-8859-15
+# an_ES.UTF-8 UTF-8
+# anp_IN UTF-8
+# ar_AE ISO-8859-6
+# ar_AE.UTF-8 UTF-8
+# ar_BH ISO-8859-6
+# ar_BH.UTF-8 UTF-8
+# ar_DZ ISO-8859-6
+# ar_DZ.UTF-8 UTF-8
+# ar_EG ISO-8859-6
+# ar_EG.UTF-8 UTF-8
+# ar_IN UTF-8
+# ar_IQ ISO-8859-6
+# ar_IQ.UTF-8 UTF-8
+# ar_JO ISO-8859-6
+# ar_JO.UTF-8 UTF-8
+# ar_KW ISO-8859-6
+# ar_KW.UTF-8 UTF-8
+# ar_LB ISO-8859-6
+# ar_LB.UTF-8 UTF-8
+# ar_LY ISO-8859-6
+# ar_LY.UTF-8 UTF-8
+# ar_MA ISO-8859-6
+# ar_MA.UTF-8 UTF-8
+# ar_OM ISO-8859-6
+# ar_OM.UTF-8 UTF-8
+# ar_QA ISO-8859-6
+# ar_QA.UTF-8 UTF-8
+# ar_SA ISO-8859-6
+# ar_SA.UTF-8 UTF-8
+# ar_SD ISO-8859-6
+# ar_SD.UTF-8 UTF-8
+# ar_SS UTF-8
+# ar_SY ISO-8859-6
+# ar_SY.UTF-8 UTF-8
+# ar_TN ISO-8859-6
+# ar_TN.UTF-8 UTF-8
+# ar_YE ISO-8859-6
+# ar_YE.UTF-8 UTF-8
+# as_IN UTF-8
+# ast_ES ISO-8859-15
+# ast_ES.UTF-8 UTF-8
+# ayc_PE UTF-8
+# az_AZ UTF-8
+# be_BY CP1251
+# be_BY.UTF-8 UTF-8
+# be_BY@latin UTF-8
+# bem_ZM UTF-8
+# ber_DZ UTF-8
+# ber_MA UTF-8
+# bg_BG CP1251
+# bg_BG.UTF-8 UTF-8
+# bhb_IN.UTF-8 UTF-8
+# bho_IN UTF-8
+# bn_BD UTF-8
+# bn_IN UTF-8
+# bo_CN UTF-8
+# bo_IN UTF-8
+# br_FR ISO-8859-1
+# br_FR.UTF-8 UTF-8
+# br_FR@euro ISO-8859-15
+# brx_IN UTF-8
+# bs_BA ISO-8859-2
+# bs_BA.UTF-8 UTF-8
+# byn_ER UTF-8
+# ca_AD ISO-8859-15
+# ca_AD.UTF-8 UTF-8
+# ca_ES ISO-8859-1
+# ca_ES.UTF-8 UTF-8
+# ca_ES.UTF-8@valencia UTF-8
+# ca_ES@euro ISO-8859-15
+# ca_ES@valencia ISO-8859-15
+# ca_FR ISO-8859-15
+# ca_FR.UTF-8 UTF-8
+# ca_IT ISO-8859-15
+# ca_IT.UTF-8 UTF-8
+# ce_RU UTF-8
+# chr_US UTF-8
+# cmn_TW UTF-8
+# crh_UA UTF-8
+# cs_CZ ISO-8859-2
+# cs_CZ.UTF-8 UTF-8
+# csb_PL UTF-8
+# cv_RU UTF-8
+# cy_GB ISO-8859-14
+# cy_GB.UTF-8 UTF-8
+# da_DK ISO-8859-1
+# da_DK.UTF-8 UTF-8
+# de_AT ISO-8859-1
+# de_AT.UTF-8 UTF-8
+# de_AT@euro ISO-8859-15
+# de_BE ISO-8859-1
+# de_BE.UTF-8 UTF-8
+# de_BE@euro ISO-8859-15
+# de_CH ISO-8859-1
+# de_CH.UTF-8 UTF-8
+# de_DE ISO-8859-1
+# de_DE.UTF-8 UTF-8
+# de_DE@euro ISO-8859-15
+# de_IT ISO-8859-1
+# de_IT.UTF-8 UTF-8
+# de_LI.UTF-8 UTF-8
+# de_LU ISO-8859-1
+# de_LU.UTF-8 UTF-8
+# de_LU@euro ISO-8859-15
+# doi_IN UTF-8
+# dv_MV UTF-8
+# dz_BT UTF-8
+# el_CY ISO-8859-7
+# el_CY.UTF-8 UTF-8
+# el_GR ISO-8859-7
+# el_GR.UTF-8 UTF-8
+# en_AG UTF-8
+# en_AU ISO-8859-1
+# en_AU.UTF-8 UTF-8
+# en_BW ISO-8859-1
+# en_BW.UTF-8 UTF-8
+# en_CA ISO-8859-1
+# en_CA.UTF-8 UTF-8
+# en_DK ISO-8859-1
+# en_DK.ISO-8859-15 ISO-8859-15
+# en_DK.UTF-8 UTF-8
+# en_GB ISO-8859-1
+# en_GB.ISO-8859-15 ISO-8859-15
+# en_GB.UTF-8 UTF-8
+# en_HK ISO-8859-1
+# en_HK.UTF-8 UTF-8
+# en_IE ISO-8859-1
+# en_IE.UTF-8 UTF-8
+# en_IE@euro ISO-8859-15
+# en_IL UTF-8
+# en_IN UTF-8
+# en_NG UTF-8
+# en_NZ ISO-8859-1
+# en_NZ.UTF-8 UTF-8
+# en_PH ISO-8859-1
+# en_PH.UTF-8 UTF-8
+# en_SG ISO-8859-1
+# en_SG.UTF-8 UTF-8
+# en_US ISO-8859-1
+# en_US.ISO-8859-15 ISO-8859-15
+en_US.UTF-8 UTF-8
+# en_ZA ISO-8859-1
+# en_ZA.UTF-8 UTF-8
+# en_ZM UTF-8
+# en_ZW ISO-8859-1
+# en_ZW.UTF-8 UTF-8
+# eo UTF-8
+# es_AR ISO-8859-1
+# es_AR.UTF-8 UTF-8
+# es_BO ISO-8859-1
+# es_BO.UTF-8 UTF-8
+# es_CL ISO-8859-1
+# es_CL.UTF-8 UTF-8
+# es_CO ISO-8859-1
+# es_CO.UTF-8 UTF-8
+# es_CR ISO-8859-1
+# es_CR.UTF-8 UTF-8
+# es_CU UTF-8
+# es_DO ISO-8859-1
+# es_DO.UTF-8 UTF-8
+# es_EC ISO-8859-1
+# es_EC.UTF-8 UTF-8
+# es_ES ISO-8859-1
+# es_ES.UTF-8 UTF-8
+# es_ES@euro ISO-8859-15
+# es_GT ISO-8859-1
+# es_GT.UTF-8 UTF-8
+# es_HN ISO-8859-1
+# es_HN.UTF-8 UTF-8
+# es_MX ISO-8859-1
+# es_MX.UTF-8 UTF-8
+# es_NI ISO-8859-1
+# es_NI.UTF-8 UTF-8
+# es_PA ISO-8859-1
+# es_PA.UTF-8 UTF-8
+# es_PE ISO-8859-1
+# es_PE.UTF-8 UTF-8
+# es_PR ISO-8859-1
+# es_PR.UTF-8 UTF-8
+# es_PY ISO-8859-1
+# es_PY.UTF-8 UTF-8
+# es_SV ISO-8859-1
+# es_SV.UTF-8 UTF-8
+# es_US ISO-8859-1
+# es_US.UTF-8 UTF-8
+# es_UY ISO-8859-1
+# es_UY.UTF-8 UTF-8
+# es_VE ISO-8859-1
+# es_VE.UTF-8 UTF-8
+# et_EE ISO-8859-1
+# et_EE.ISO-8859-15 ISO-8859-15
+# et_EE.UTF-8 UTF-8
+# eu_ES ISO-8859-1
+# eu_ES.UTF-8 UTF-8
+# eu_ES@euro ISO-8859-15
+# eu_FR ISO-8859-1
+# eu_FR.UTF-8 UTF-8
+# eu_FR@euro ISO-8859-15
+# fa_IR UTF-8
+# ff_SN UTF-8
+# fi_FI ISO-8859-1
+# fi_FI.UTF-8 UTF-8
+# fi_FI@euro ISO-8859-15
+# fil_PH UTF-8
+# fo_FO ISO-8859-1
+# fo_FO.UTF-8 UTF-8
+# fr_BE ISO-8859-1
+# fr_BE.UTF-8 UTF-8
+# fr_BE@euro ISO-8859-15
+# fr_CA ISO-8859-1
+# fr_CA.UTF-8 UTF-8
+# fr_CH ISO-8859-1
+# fr_CH.UTF-8 UTF-8
+# fr_FR ISO-8859-1
+# fr_FR.UTF-8 UTF-8
+# fr_FR@euro ISO-8859-15
+# fr_LU ISO-8859-1
+# fr_LU.UTF-8 UTF-8
+# fr_LU@euro ISO-8859-15
+# fur_IT UTF-8
+# fy_DE UTF-8
+# fy_NL UTF-8
+# ga_IE ISO-8859-1
+# ga_IE.UTF-8 UTF-8
+# ga_IE@euro ISO-8859-15
+# gd_GB ISO-8859-15
+# gd_GB.UTF-8 UTF-8
+# gez_ER UTF-8
+# gez_ER@abegede UTF-8
+# gez_ET UTF-8
+# gez_ET@abegede UTF-8
+# gl_ES ISO-8859-1
+# gl_ES.UTF-8 UTF-8
+# gl_ES@euro ISO-8859-15
+# gu_IN UTF-8
+# gv_GB ISO-8859-1
+# gv_GB.UTF-8 UTF-8
+# ha_NG UTF-8
+# hak_TW UTF-8
+# he_IL ISO-8859-8
+# he_IL.UTF-8 UTF-8
+# hi_IN UTF-8
+# hne_IN UTF-8
+# hr_HR ISO-8859-2
+# hr_HR.UTF-8 UTF-8
+# hsb_DE ISO-8859-2
+# hsb_DE.UTF-8 UTF-8
+# ht_HT UTF-8
+# hu_HU ISO-8859-2
+# hu_HU.UTF-8 UTF-8
+# hy_AM UTF-8
+# hy_AM.ARMSCII-8 ARMSCII-8
+# ia_FR UTF-8
+# id_ID ISO-8859-1
+# id_ID.UTF-8 UTF-8
+# ig_NG UTF-8
+# ik_CA UTF-8
+# is_IS ISO-8859-1
+# is_IS.UTF-8 UTF-8
+# it_CH ISO-8859-1
+# it_CH.UTF-8 UTF-8
+# it_IT ISO-8859-1
+# it_IT.UTF-8 UTF-8
+# it_IT@euro ISO-8859-15
+# iu_CA UTF-8
+# ja_JP.EUC-JP EUC-JP
+# ja_JP.UTF-8 UTF-8
+# ka_GE GEORGIAN-PS
+# ka_GE.UTF-8 UTF-8
+# kk_KZ PT154
+# kk_KZ.RK1048 RK1048
+# kk_KZ.UTF-8 UTF-8
+# kl_GL ISO-8859-1
+# kl_GL.UTF-8 UTF-8
+# km_KH UTF-8
+# kn_IN UTF-8
+# ko_KR.EUC-KR EUC-KR
+# ko_KR.UTF-8 UTF-8
+# kok_IN UTF-8
+# ks_IN UTF-8
+# ks_IN@devanagari UTF-8
+# ku_TR ISO-8859-9
+# ku_TR.UTF-8 UTF-8
+# kw_GB ISO-8859-1
+# kw_GB.UTF-8 UTF-8
+# ky_KG UTF-8
+# lb_LU UTF-8
+# lg_UG ISO-8859-10
+# lg_UG.UTF-8 UTF-8
+# li_BE UTF-8
+# li_NL UTF-8
+# lij_IT UTF-8
+# ln_CD UTF-8
+# lo_LA UTF-8
+# lt_LT ISO-8859-13
+# lt_LT.UTF-8 UTF-8
+# lv_LV ISO-8859-13
+# lv_LV.UTF-8 UTF-8
+# lzh_TW UTF-8
+# mag_IN UTF-8
+# mai_IN UTF-8
+# mg_MG ISO-8859-15
+# mg_MG.UTF-8 UTF-8
+# mhr_RU UTF-8
+# mi_NZ ISO-8859-13
+# mi_NZ.UTF-8 UTF-8
+# mk_MK ISO-8859-5
+# mk_MK.UTF-8 UTF-8
+# ml_IN UTF-8
+# mn_MN UTF-8
+# mni_IN UTF-8
+# mr_IN UTF-8
+# ms_MY ISO-8859-1
+# ms_MY.UTF-8 UTF-8
+# mt_MT ISO-8859-3
+# mt_MT.UTF-8 UTF-8
+# my_MM UTF-8
+# nan_TW UTF-8
+# nan_TW@latin UTF-8
+# nb_NO ISO-8859-1
+# nb_NO.UTF-8 UTF-8
+# nds_DE UTF-8
+# nds_NL UTF-8
+# ne_NP UTF-8
+# nhn_MX UTF-8
+# niu_NU UTF-8
+# niu_NZ UTF-8
+# nl_AW UTF-8
+# nl_BE ISO-8859-1
+# nl_BE.UTF-8 UTF-8
+# nl_BE@euro ISO-8859-15
+# nl_NL ISO-8859-1
+# nl_NL.UTF-8 UTF-8
+# nl_NL@euro ISO-8859-15
+# nn_NO ISO-8859-1
+# nn_NO.UTF-8 UTF-8
+# nr_ZA UTF-8
+# nso_ZA UTF-8
+# oc_FR ISO-8859-1
+# oc_FR.UTF-8 UTF-8
+# om_ET UTF-8
+# om_KE ISO-8859-1
+# om_KE.UTF-8 UTF-8
+# or_IN UTF-8
+# os_RU UTF-8
+# pa_IN UTF-8
+# pa_PK UTF-8
+# pap_AW UTF-8
+# pap_CW UTF-8
+# pl_PL ISO-8859-2
+# pl_PL.UTF-8 UTF-8
+# ps_AF UTF-8
+# pt_BR ISO-8859-1
+# pt_BR.UTF-8 UTF-8
+# pt_PT ISO-8859-1
+# pt_PT.UTF-8 UTF-8
+# pt_PT@euro ISO-8859-15
+# quz_PE UTF-8
+# raj_IN UTF-8
+# ro_RO ISO-8859-2
+# ro_RO.UTF-8 UTF-8
+# ru_RU ISO-8859-5
+# ru_RU.CP1251 CP1251
+# ru_RU.KOI8-R KOI8-R
+# ru_RU.UTF-8 UTF-8
+# ru_UA KOI8-U
+# ru_UA.UTF-8 UTF-8
+# rw_RW UTF-8
+# sa_IN UTF-8
+# sat_IN UTF-8
+# sc_IT UTF-8
+# sd_IN UTF-8
+# sd_IN@devanagari UTF-8
+# se_NO UTF-8
+# sgs_LT UTF-8
+# shs_CA UTF-8
+# si_LK UTF-8
+# sid_ET UTF-8
+# sk_SK ISO-8859-2
+# sk_SK.UTF-8 UTF-8
+# sl_SI ISO-8859-2
+# sl_SI.UTF-8 UTF-8
+# so_DJ ISO-8859-1
+# so_DJ.UTF-8 UTF-8
+# so_ET UTF-8
+# so_KE ISO-8859-1
+# so_KE.UTF-8 UTF-8
+# so_SO ISO-8859-1
+# so_SO.UTF-8 UTF-8
+# sq_AL ISO-8859-1
+# sq_AL.UTF-8 UTF-8
+# sq_MK UTF-8
+# sr_ME UTF-8
+# sr_RS UTF-8
+# sr_RS@latin UTF-8
+# ss_ZA UTF-8
+# st_ZA ISO-8859-1
+# st_ZA.UTF-8 UTF-8
+# sv_FI ISO-8859-1
+# sv_FI.UTF-8 UTF-8
+# sv_FI@euro ISO-8859-15
+# sv_SE ISO-8859-1
+# sv_SE.ISO-8859-15 ISO-8859-15
+# sv_SE.UTF-8 UTF-8
+# sw_KE UTF-8
+# sw_TZ UTF-8
+# szl_PL UTF-8
+# ta_IN UTF-8
+# ta_LK UTF-8
+# tcy_IN.UTF-8 UTF-8
+# te_IN UTF-8
+# tg_TJ KOI8-T
+# tg_TJ.UTF-8 UTF-8
+# th_TH TIS-620
+# th_TH.UTF-8 UTF-8
+# the_NP UTF-8
+# ti_ER UTF-8
+# ti_ET UTF-8
+# tig_ER UTF-8
+# tk_TM UTF-8
+# tl_PH ISO-8859-1
+# tl_PH.UTF-8 UTF-8
+# tn_ZA UTF-8
+# tr_CY ISO-8859-9
+# tr_CY.UTF-8 UTF-8
+# tr_TR ISO-8859-9
+# tr_TR.UTF-8 UTF-8
+# ts_ZA UTF-8
+# tt_RU UTF-8
+# tt_RU@iqtelif UTF-8
+# ug_CN UTF-8
+# uk_UA KOI8-U
+# uk_UA.UTF-8 UTF-8
+# unm_US UTF-8
+# ur_IN UTF-8
+# ur_PK UTF-8
+# uz_UZ ISO-8859-1
+# uz_UZ.UTF-8 UTF-8
+# uz_UZ@cyrillic UTF-8
+# ve_ZA UTF-8
+# vi_VN UTF-8
+# wa_BE ISO-8859-1
+# wa_BE.UTF-8 UTF-8
+# wa_BE@euro ISO-8859-15
+# wae_CH UTF-8
+# wal_ET UTF-8
+# wo_SN UTF-8
+# xh_ZA ISO-8859-1
+# xh_ZA.UTF-8 UTF-8
+# yi_US CP1255
+# yi_US.UTF-8 UTF-8
+# yo_NG UTF-8
+# yue_HK UTF-8
+# zh_CN GB2312
+# zh_CN.GB18030 GB18030
+# zh_CN.GBK GBK
+# zh_CN.UTF-8 UTF-8
+# zh_HK BIG5-HKSCS
+# zh_HK.UTF-8 UTF-8
+# zh_SG GB2312
+# zh_SG.GBK GBK
+# zh_SG.UTF-8 UTF-8
+# zh_TW BIG5
+# zh_TW.EUC-TW EUC-TW
+# zh_TW.UTF-8 UTF-8
+# zu_ZA ISO-8859-1
+# zu_ZA.UTF-8 UTF-8
--- /dev/null
+Europe/Berlin
--- /dev/null
+server {
+ listen 443 ssl;
+ server_name REPLACE_fqdn_ECALPER;
+ ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
+ root /var/www-dump/;
+
+ location /dump/ {
+ autoindex on;
+ }
+
+ location /geheim/ {
+ auth_basic "geheim geheim";
+ auth_basic_user_file /var/www-dump/password_geheim;
+ autoindex on;
+ }
+
+ location /zettel/ {
+ # rewrite non-suffixed filenames to .html ones
+ rewrite ^(/zettel/(.*/)*[^./]+)$ $1.html;
+ autoindex on;
+ }
+
+ location /uwsgi/ {
+ include uwsgi_params;
+ uwsgi_pass 127.0.0.1:3031;
+ }
+}
--- /dev/null
+[Unit]
+Description=url_catcher screen
+
+[Service]
+Type=forking
+User=plom
+# The LC_ALL fixes submission failing on some articles.
+ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 cd ~/url-catcher && screen -d -m ./run.sh'
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+# This file is part of systemd.
+#
+# See logind.conf(5) for details.
+
+[Login]
+# Note that with the standard Buster kernel this won't work due to
+# <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919227>.
+HandleLidSwitch=hibernate
--- /dev/null
+# /etc/aliases
+# maps whom what is sent to
+
+# As per RFC 2142.
+mailer-daemon: plom
+postmaster: plom
+hostmaster: plom
+usenet: plom
+news: plom
+webmaster: plom
+www: plom
+ftp: plom
+abuse: plom
+noc: plom
+security: plom
+root: plom
+
+# Personal aliases.
+plomlompom: plom
+christian.heller: plom
+christian_heller: plom
+christianheller: plom
+c.heller: plom
+heller: plom
--- /dev/null
+# This is only necessary when we use dovecot's LMTP mechanism to receive
+# mail from postfix.
+auth_username_format = %Ln
+
+# Add sieve filtering.
+protocol lmtp {
+ mail_plugins = $mail_plugins sieve
+}
+
+# We don't strictly need to provide a LMTP server to fetch mail from
+# postfix, but we do if we want to do sophisticated stuff like sieve
+# filtering on the way.
+service lmtp {
+ inet_listener lmtp {
+ address = 127.0.0.1
+ port = 2424
+ }
+}
--- /dev/null
+service auth {
+ unix_listener auth-userdb {
+ }
+
+ unix_listener /var/spool/postfix/private/auth {
+ mode = 0660
+ user = postfix
+ group = postfix
+ }
+}
--- /dev/null
+# mailutils by default uses the FQDN as the mail domain name, fix this
+address {
+ email-domain REPLACE_maildomain_ECALPER;
+};
--- /dev/null
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept comment "accept localhost traffic"
+ ct state invalid drop comment "drop invalid connections"
+ ct state established, related accept comment "accept traffic originated from us"
+ tcp dport 22 accept comment "accept SSH on default port"
+ tcp dport 25 accept comment "accept SMTP (allowing for STARTTLS); necessary for mail server to mail server banter, i.e. for receiving mails"
+ tcp dport 80 accept comment "accept HTTP; necessary for Certbot HTTP challenge"
+ tcp dport 465 accept comment "accept SMTPS; for mail user agent to mail server, i.e. for sending mails"
+ tcp dport 993 accept comment "accept IMAPS; for reading/downloading mails"
+ ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
--- /dev/null
+[Unit]
+Description=Run plom's fetchmail
+
+[Service]
+Type=oneshot
+User=plom
+# fetchmail returns 1 when no new mail, we want to catch that
+ExecStart=/bin/sh -c 'fetchmail || [ $? -eq 1 ]'
--- /dev/null
+[Unit]
+Description=Run fetchmail once every minute
+
+[Timer]
+OnCalendar=minutely
+
+[Install]
+WantedBy=timers.target
--- /dev/null
+[Unit]
+Description=Run pingmail check
+
+[Service]
+Type=oneshot
+User=plom
+ExecStart=/bin/sh -c '~/pingmail/pingmail check'
--- /dev/null
+[Unit]
+Description=Run pingmail check once every hour
+
+[Timer]
+OnCalendar=*-*-* *:00:00
+
+[Install]
+WantedBy=timers.target
--- /dev/null
+deb http://deb.debian.org/debian stretch main contrib non-free
+deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
+deb http://deb.debian.org/debian stretch-updates main contrib non-free
+deb http://ftp.debian.org/debian stretch-backports main contrib non-free
--- /dev/null
+[Unit]
+Description=Attempt encryption of old chat logs
+[Service]
+Type=oneshot
+User=plom
+ExecStart=/bin/sh -c '~/weechatlogs_encrypter.sh'
--- /dev/null
+[Unit]
+Description=Attempt encryption of old chatlogs once every minute.
+
+[Timer]
+OnCalendar=*-*-* *:*:00
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
--- /dev/null
+<div style="margin: 1em;">
+ <p>Privacy: Visitor IP addresses are anonymized in the logs.</p>
+ <p>Contact: See <a href="https://plomlompom.com/contact.html">plomlompom.com contact page</a>.</p>
+</div>
--- /dev/null
+User-agent: *
+Disallow:
--- /dev/null
+This is <a href="https://plomlompom.com">plomlompom</a>'s personal single-user Pleroma instance.
--- /dev/null
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept comment "accept localhost traffic"
+ ct state invalid drop comment "drop invalid connections"
+ ct state established, related accept comment "accept traffic originated from us"
+ tcp dport 22 accept comment "accept SSH on default port"
+ ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
--- /dev/null
+# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no # plomlompom's security rule
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+ClientAliveInterval 120
+PasswordAuthentication no # plomlompom's security rule
--- /dev/null
+# ------------------------------------------------------------------------------
+# tlp - Parameters for power saving
+# See full explanation: http://linrunner.de/en/tlp/docs/tlp-configuration.html
+
+# Hint: some features are disabled by default, remove the leading # to enable
+# them.
+
+# Set to 0 to disable, 1 to enable TLP.
+TLP_ENABLE=1
+
+# Operation mode when no power supply can be detected: AC, BAT.
+# Concerns some desktop and embedded hardware only.
+TLP_DEFAULT_MODE=AC
+
+# Operation mode select: 0=depend on power source, 1=always use TLP_DEFAULT_MODE
+# Hint: use in conjunction with TLP_DEFAULT_MODE=BAT for BAT settings on AC.
+TLP_PERSISTENT_DEFAULT=0
+
+# Seconds laptop mode has to wait after the disk goes idle before doing a sync.
+# Non-zero value enables, zero disables laptop mode.
+DISK_IDLE_SECS_ON_AC=0
+DISK_IDLE_SECS_ON_BAT=2
+
+# Dirty page values (timeouts in secs).
+MAX_LOST_WORK_SECS_ON_AC=15
+MAX_LOST_WORK_SECS_ON_BAT=60
+
+# Hint: CPU parameters below are disabled by default, remove the leading #
+# to enable them, otherwise kernel default values are used.
+
+# Select a CPU frequency scaling governor.
+# Intel Core i processor with intel_pstate driver:
+# powersave(*), performance.
+# Older hardware with acpi-cpufreq driver:
+# ondemand(*), powersave, performance, conservative, schedutil.
+# (*) is recommended.
+# Hint: use tlp-stat -p to show the active driver and available governors.
+# Important:
+# powersave for intel_pstate and ondemand for acpi-cpufreq are power
+# efficient for *almost all* workloads and therefore kernel and most
+# distributions have chosen them as defaults. If you still want to change,
+# you should know what you're doing! You *must* disable your distribution's
+# governor settings or conflicts will occur.
+#CPU_SCALING_GOVERNOR_ON_AC=powersave
+#CPU_SCALING_GOVERNOR_ON_BAT=powersave
+
+# Set the min/max frequency available for the scaling governor.
+# Possible values strongly depend on your CPU. For available frequencies see
+# the output of tlp-stat -p.
+#CPU_SCALING_MIN_FREQ_ON_AC=0
+#CPU_SCALING_MAX_FREQ_ON_AC=0
+#CPU_SCALING_MIN_FREQ_ON_BAT=0
+#CPU_SCALING_MAX_FREQ_ON_BAT=0
+
+# Set energy performance hints (HWP) for Intel P-state governor:
+# performance, balance_performance, default, balance_power, power
+# Values are given in order of increasing power saving.
+# Note: Intel Skylake or newer CPU and Kernel >= 4.10 required.
+CPU_HWP_ON_AC=balance_performance
+CPU_HWP_ON_BAT=balance_power
+
+# Set Intel P-state performance: 0..100 (%).
+# Limit the max/min P-state to control the power dissipation of the CPU.
+# Values are stated as a percentage of the available performance.
+# Requires an Intel Core i processor with intel_pstate driver.
+#CPU_MIN_PERF_ON_AC=0
+#CPU_MAX_PERF_ON_AC=100
+#CPU_MIN_PERF_ON_BAT=0
+#CPU_MAX_PERF_ON_BAT=30
+
+# Set the CPU "turbo boost" feature: 0=disable, 1=allow
+# Requires an Intel Core i processor.
+# Important:
+# - This may conflict with your distribution's governor settings
+# - A value of 1 does *not* activate boosting, it just allows it
+#CPU_BOOST_ON_AC=1
+#CPU_BOOST_ON_BAT=0
+
+# Minimize number of used CPU cores/hyper-threads under light load conditions:
+# 0=disable, 1=enable.
+SCHED_POWERSAVE_ON_AC=0
+SCHED_POWERSAVE_ON_BAT=1
+
+# Kernel NMI Watchdog:
+# 0=disable (default, saves power), 1=enable (for kernel debugging only).
+NMI_WATCHDOG=0
+
+# Change CPU voltages aka "undervolting" - Kernel with PHC patch required.
+# Frequency voltage pairs are written to:
+# /sys/devices/system/cpu/cpu0/cpufreq/phc_controls
+# CAUTION: only use this, if you thoroughly understand what you are doing!
+#PHC_CONTROLS="F:V F:V F:V F:V"
+
+# Set CPU performance versus energy savings policy:
+# performance, balance-performance, default, balance-power, power.
+# Values are given in order of increasing power saving.
+# Requires kernel module msr and x86_energy_perf_policy from linux-tools.
+ENERGY_PERF_POLICY_ON_AC=performance
+ENERGY_PERF_POLICY_ON_BAT=power
+
+# Disk devices; separate multiple devices with spaces (default: sda).
+# Devices can be specified by disk ID also (lookup with: tlp diskid).
+DISK_DEVICES="sda sdb"
+
+# Disk advanced power management level: 1..254, 255 (max saving, min, off).
+# Levels 1..127 may spin down the disk; 255 allowable on most drives.
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the hardware default for the particular disk.
+DISK_APM_LEVEL_ON_AC="254 254"
+DISK_APM_LEVEL_ON_BAT="128 128"
+
+# Hard disk spin down timeout:
+# 0: spin down disabled
+# 1..240: timeouts from 5s to 20min (in units of 5s)
+# 241..251: timeouts from 30min to 5.5 hours (in units of 30min)
+# See 'man hdparm' for details.
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the hardware default for the particular disk.
+#DISK_SPINDOWN_TIMEOUT_ON_AC="0 0"
+#DISK_SPINDOWN_TIMEOUT_ON_BAT="0 0"
+
+# Select IO scheduler for the disk devices: cfq, deadline, noop (Default: cfq).
+# Separate values for multiple disks with spaces. Use the special value 'keep'
+# to keep the kernel default scheduler for the particular disk.
+#DISK_IOSCHED="cfq cfq"
+
+# AHCI link power management (ALPM) for disk devices:
+# min_power, med_power_with_dipm(*), medium_power, max_performance.
+# (*) Kernel >= 4.15 required, then recommended.
+# Multiple values separated with spaces are tried sequentially until success.
+SATA_LINKPWR_ON_AC="med_power_with_dipm max_performance"
+SATA_LINKPWR_ON_BAT="med_power_with_dipm min_power"
+
+# Exclude host devices from AHCI link power management.
+# Separate multiple hosts with spaces.
+#SATA_LINKPWR_BLACKLIST="host1"
+
+# Runtime Power Management for AHCI host and disks devices:
+# on=disable, auto=enable.
+# EXPERIMENTAL ** WARNING: auto will most likely cause system lockups/data loss.
+#AHCI_RUNTIME_PM_ON_AC=on
+#AHCI_RUNTIME_PM_ON_BAT=on
+
+# Seconds of inactivity before disk is suspended.
+AHCI_RUNTIME_PM_TIMEOUT=15
+
+# PCI Express Active State Power Management (PCIe ASPM):
+# default, performance, powersave.
+PCIE_ASPM_ON_AC=performance
+PCIE_ASPM_ON_BAT=powersave
+
+# Radeon graphics clock speed (profile method): low, mid, high, auto, default;
+# auto = mid on BAT, high on AC; default = use hardware defaults.
+RADEON_POWER_PROFILE_ON_AC=high
+RADEON_POWER_PROFILE_ON_BAT=low
+
+# Radeon dynamic power management method (DPM): battery, performance.
+RADEON_DPM_STATE_ON_AC=performance
+RADEON_DPM_STATE_ON_BAT=battery
+
+# Radeon DPM performance level: auto, low, high; auto is recommended.
+RADEON_DPM_PERF_LEVEL_ON_AC=auto
+RADEON_DPM_PERF_LEVEL_ON_BAT=auto
+
+# WiFi power saving mode: on=enable, off=disable; not supported by all adapters.
+WIFI_PWR_ON_AC=off
+WIFI_PWR_ON_BAT=on
+
+# Disable wake on LAN: Y/N.
+WOL_DISABLE=Y
+
+# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
+# A value of 0 disables, >=1 enables power saving (recommended: 1).
+SOUND_POWER_SAVE_ON_AC=0
+SOUND_POWER_SAVE_ON_BAT=1
+
+# Disable controller too (HDA only): Y/N.
+SOUND_POWER_SAVE_CONTROLLER=Y
+
+# Power off optical drive in UltraBay/MediaBay: 0=disable, 1=enable.
+# Drive can be powered on again by releasing (and reinserting) the eject lever
+# or by pressing the disc eject button on newer models.
+# Note: an UltraBay/MediaBay hard disk is never powered off.
+BAY_POWEROFF_ON_AC=0
+BAY_POWEROFF_ON_BAT=0
+# Optical drive device to power off (default sr0).
+BAY_DEVICE="sr0"
+
+# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
+RUNTIME_PM_ON_AC=on
+RUNTIME_PM_ON_BAT=auto
+
+# Exclude PCI(e) device adresses the following list from Runtime PM
+# (separate with spaces). Use lspci to get the adresses (1st column).
+#RUNTIME_PM_BLACKLIST="bb:dd.f 11:22.3 44:55.6"
+
+# Exclude PCI(e) devices assigned to the listed drivers from Runtime PM.
+# Default when unconfigured is "amdgpu nouveau nvidia radeon" which
+# prevents accidential power-on of dGPU in hybrid graphics setups.
+# Use "" to disable the feature completely.
+# Separate multiple drivers with spaces.
+#RUNTIME_PM_DRIVER_BLACKLIST="amdgpu nouveau nvidia radeon"
+
+# Set to 0 to disable, 1 to enable USB autosuspend feature.
+USB_AUTOSUSPEND=1
+
+# Exclude listed devices from USB autosuspend (separate with spaces).
+# Use lsusb to get the ids.
+# Note: input devices (usbhid) are excluded automatically
+#USB_BLACKLIST="1111:2222 3333:4444"
+
+# Bluetooth devices are excluded from USB autosuspend:
+# 0=do not exclude, 1=exclude.
+USB_BLACKLIST_BTUSB=0
+
+# Phone devices are excluded from USB autosuspend:
+# 0=do not exclude, 1=exclude (enable charging).
+USB_BLACKLIST_PHONE=0
+
+# Printers are excluded from USB autosuspend:
+# 0=do not exclude, 1=exclude.
+USB_BLACKLIST_PRINTER=1
+
+# WWAN devices are excluded from USB autosuspend:
+# 0=do not exclude, 1=exclude.
+USB_BLACKLIST_WWAN=1
+
+# Include listed devices into USB autosuspend even if already excluded
+# by the blacklists above (separate with spaces).
+# Use lsusb to get the ids.
+#USB_WHITELIST="1111:2222 3333:4444"
+
+# Set to 1 to disable autosuspend before shutdown, 0 to do nothing
+# (workaround for USB devices that cause shutdown problems).
+#USB_AUTOSUSPEND_DISABLE_ON_SHUTDOWN=1
+
+# Restore radio device state (Bluetooth, WiFi, WWAN) from previous shutdown
+# on system startup: 0=disable, 1=enable.
+# Hint: the parameters DEVICES_TO_DISABLE/ENABLE_ON_STARTUP/SHUTDOWN below
+# are ignored when this is enabled!
+RESTORE_DEVICE_STATE_ON_STARTUP=0
+
+# Radio devices to disable on startup: bluetooth, wifi, wwan.
+# Separate multiple devices with spaces.
+#DEVICES_TO_DISABLE_ON_STARTUP="bluetooth wifi wwan"
+
+# Radio devices to enable on startup: bluetooth, wifi, wwan.
+# Separate multiple devices with spaces.
+#DEVICES_TO_ENABLE_ON_STARTUP="wifi"
+
+# Radio devices to disable on shutdown: bluetooth, wifi, wwan.
+# (workaround for devices that are blocking shutdown).
+#DEVICES_TO_DISABLE_ON_SHUTDOWN="bluetooth wifi wwan"
+
+# Radio devices to enable on shutdown: bluetooth, wifi, wwan.
+# (to prevent other operating systems from missing radios).
+#DEVICES_TO_ENABLE_ON_SHUTDOWN="wwan"
+
+# Radio devices to enable on AC: bluetooth, wifi, wwan.
+#DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
+
+# Radio devices to disable on battery: bluetooth, wifi, wwan.
+#DEVICES_TO_DISABLE_ON_BAT="bluetooth wifi wwan"
+
+# Radio devices to disable on battery when not in use (not connected):
+# bluetooth, wifi, wwan.
+#DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE="bluetooth wifi wwan"
+
+# Battery charge thresholds (ThinkPad only, tp-smapi or acpi-call kernel module
+# required). Charging starts when the remaining capacity falls below the
+# START_CHARGE_THRESH value and stops when exceeding the STOP_CHARGE_THRESH value.
+# Main / Internal battery (values in %)
+START_CHARGE_THRESH_BAT0=75
+STOP_CHARGE_THRESH_BAT0=80
+# Ultrabay / Slice / Replaceable battery (values in %)
+#START_CHARGE_THRESH_BAT1=75
+#STOP_CHARGE_THRESH_BAT1=80
+
+# Restore charge thresholds when AC is unplugged: 0=disable, 1=enable.
+#RESTORE_THRESHOLDS_ON_BAT=1
+
+# ------------------------------------------------------------------------------
+# tlp-rdw - Parameters for the radio device wizard
+# Possible devices: bluetooth, wifi, wwan.
+
+# Hints:
+# - Parameters are disabled by default, remove the leading # to enable them
+# - Separate multiple radio devices with spaces
+
+# Radio devices to disable on connect.
+#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
+#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"
+#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"
+
+# Radio devices to enable on disconnect.
+#DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
+#DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
+#DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
+
+# Radio devices to enable/disable when docked.
+#DEVICES_TO_ENABLE_ON_DOCK=""
+#DEVICES_TO_DISABLE_ON_DOCK=""
+
+# Radio devices to enable/disable when undocked.
+#DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
+#DEVICES_TO_DISABLE_ON_UNDOCK=""
--- /dev/null
+# This file is part of systemd.
+#
+# See logind.conf(5) for details.
+
+[Login]
+HandleLidSwitch=hibernate
--- /dev/null
+# Printer configuration file for CUPS v2.2.10
+# Written by cupsd
+# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
+<Printer HP_Deskjet_F300_series>
+UUID urn:uuid:e856a26d-66f8-327a-4dca-0d8a09f87a25
+Info HP Deskjet F300 series
+Location
+MakeModel HP Deskjet f300 Series, hpcups 3.18.12
+DeviceURI hp:/usb/Deskjet_F300_series?serial=CN63VB21TM04KH
+State Idle
+Type 36892
+Accepting Yes
+Shared No
+JobSheets none none
+QuotaPeriod 0
+PageLimit 0
+KLimit 0
+OpPolicy default
+ErrorPolicy retry-job
+</Printer>
--- /dev/null
+CHARMAP="UTF-8"
+CODESET="Lat15"
+FONTFACE="Terminus"
+FONTSIZE="6x12"
--- /dev/null
+not quite blank
--- /dev/null
+// We set up AutoConfig according to <https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig>, see firefox.cfg comments on why we need it
+pref("general.config.filename", "firefox.cfg");
+pref("general.config.obscure_value", 0);
+
--- /dev/null
+// do not put any code into this first line, as it gets ignored by Firefox
+
+// we zero extensions.autoDisableScopes so our pre-installed extensions activate by default
+pref("extensions.autoDisableScopes", 0);
+
+// we turn off annoying setup popups and pages; these settings are the result more of trial and error than thorough understanding by me, so more research might be warranted to discipline them
+pref("startup.homepage_welcome_url", "file:///opt/firefox/blank.html");
+pref("browser.startup.homepage", "file:///opt/firefox/blank.html");
+pref("browser.startup.blankWindow", true);
+pref("datareporting.policy.firstRunURL", "");
+pref("browser.shell.checkDefaultBrowser", false);
+pref("datareporting.policy.dataSubmissionPolicyBypassNotification", true);
+
+// use socks proxy by default
+pref("network.proxy.type", 1);
+pref("network.proxy.socks", "localhost");
+pref("network.proxy.socks_port", 9999);
+pref("network.proxy.remote_dns", true);
--- /dev/null
+[Desktop Entry]
+Name=Firefox
+Exec=/usr/local/bin/firefox %u
--- /dev/null
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept comment "accept localhost traffic"
+ ct state invalid drop comment "drop invalid connections"
+ ct state established, related accept comment "accept traffic originated from us"
+ tcp dport 22 accept comment "accept SSH on default port"
+ tcp dport 80 accept comment "accept HTTP on default port"
+ tcp dport 443 accept comment "accept HTTPS on default port"
+ ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
--- /dev/null
+# system integration
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+# is expected even if empty
+events {
+}
+
+http {
+ # define content-type headers
+ include /etc/nginx/mime.types;
+ charset utf-8;
+
+ # Some standard optimizations, i.e. Debian default. Explained in
+ # <https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765>
+ # Not that I understand it all …
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ # logging deactivated due to GDPR
+ #access_log /var/log/nginx/access.log;
+ #error_log /var/log/nginx/error.log;
+ access_log off;
+ error_log off;
+
+ # virtual hosts: sites-enabled is the Debian way, conf.d the NGINX default
+ include /etc/nginx/conf.d/*.conf;
+ include /etc/nginx/sites-enabled/*;
+
+ # Redirect all HTTP requests to HTTPS.
+ server {
+ listen 80;
+ return 301 https://$host$request_uri;
+ }
+}
--- /dev/null
+# path to git projects (<project>.git)
+$projectroot = "/var/repos";
+
+# don't show repos without git-daemon-export-ok file
+$export_ok = "git-daemon-export-ok";
+
+# directory to use for temp files
+# explicitely set by Debian so it's probably a good choice
+$git_temp = "/tmp";
+
+# git-diff-tree(1) options to use for generated patches
+# we don't want to to guess renames, so empty
+@diff_opts = ();
+
+# Base path for where to find the repos for cloning.
+@git_base_url_list = ('https://REPLACE_fqdn_ECALPER/repos/clone');
+
+# allow snapshots
+$feature{'snapshot'}{'default'} = ['zip', 'tgz'];
+
+# insert header for GDPR compliance
+$site_header = "/var/www/header.html"
--- /dev/null
+server {
+ listen 443 ssl;
+ server_name REPLACE_fqdn_ECALPER;
+ ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
+ root /var/www/html/;
+ index index.html index.htm index.nginx-debian.html;
+
+ # serve /var/repos/* for HTTPS git cloning
+ location ~ /repos/clone(/.*) {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
+ # Commented out so only repos are served that contain a
+ # git-daemon-export-ok file.
+ # fastcgi_param GIT_HTTP_EXPORT_ALL "";
+ fastcgi_param GIT_PROJECT_ROOT /var/repos;
+ fastcgi_param PATH_INFO $1;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ # gitweb static files
+ location /repos/static/ {
+ alias /usr/share/gitweb/static/;
+ }
+
+ # gitweb; this needs packages fcgiwrap and gitweb
+ location /repos/ {
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
+ fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
+ fastcgi_pass unix:/var/run/fcgiwrap.socket;
+ }
+
+ # login-protected IRC logs
+ location ~ ^/irclogs/([^/]+)/ {
+ auth_basic "$1 logs";
+ auth_basic_user_file /var/www/irclogs_pw/$1;
+ autoindex on;
+ }
+}
--- /dev/null
+[Unit]
+Description=plomlombot screen
+
+[Service]
+Type=simple
+User=plom
+ExecStart=/bin/sh -c '~/plomlombot_daemon.sh'
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+[Settings]
+backend = external
+wireless_interface = wls1
+wired_interface = enp0s25
+wpa_driver = wext
+always_show_wired_interface = False
+use_global_dns = False
+global_dns_1 = None
+global_dns_2 = None
+global_dns_3 = None
+global_dns_dom = None
+global_search_dom = None
+auto_reconnect = True
+debug_mode = 0
+wired_connect_mode = 1
+signal_display_type = 0
+should_verify_ap = 1
+dhcp_client = 0
+link_detect_tool = 0
+flush_tool = 0
+sudo_app = 0
+prefer_wired = False
+show_never_connect = True
+
--- /dev/null
+[Settings]
+backend = external
+wireless_interface = wlp3s0
+wired_interface = enp0s25
+wpa_driver = wext
+always_show_wired_interface = False
+use_global_dns = False
+global_dns_1 = None
+global_dns_2 = None
+global_dns_3 = None
+global_dns_dom = None
+global_search_dom = None
+auto_reconnect = True
+debug_mode = 0
+wired_connect_mode = 1
+signal_display_type = 0
+should_verify_ap = 1
+dhcp_client = 0
+link_detect_tool = 0
+flush_tool = 0
+sudo_app = 0
+prefer_wired = False
+show_never_connect = True
+
--- /dev/null
+# plomlompom's i3 status bar configuration
+
+# Activate colors; set update interval of one second.
+general {
+ colors = true
+ interval = 1
+}
+
+# Selection / order of status elements.
+order += "disk /"
+order += "disk /home/"
+order += "wireless wlp2s0"
+order += "ethernet enp1s0"
+order += "battery 0"
+order += "cpu_usage"
+order += "load"
+order += "cpu_temperature 0"
+order += "time"
+order += "volume master"
+
+# How much space is left in / ?
+disk "/" {
+ format = "/: %avail of %total"
+ separator_block_width = 25
+}
+
+# How much space is left in /home/ ?
+disk "/home/" {
+ format = "/home: %avail of %total"
+ separator_block_width = 25
+}
+
+# WLAN status: show IP and connection quality or "down".
+wireless wlp2s0 {
+ format_up = "w: (%quality at %essid) %ip"
+ format_down = "w: down"
+ separator_block_width = 10
+}
+
+# Ethernet status: show IP or "down".
+ethernet enp1s0 {
+ format_up = "e: %ip"
+ format_down = "e: down"
+ separator_block_width = 25
+}
+
+# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
+battery 0 {
+ format = "b: %status %percentage %remaining"
+ separator_block_width = 25
+}
+
+# Show CPU usage.
+cpu_usage {
+ format = "cpu: %usage"
+ separator_block_width = 10
+}
+
+# Show system load during last 1/5/15 minutes.
+load {
+ format = "%1min %5min %15min"
+ separator_block_width = 25
+}
+
+# Show CPU temperature in degrees of celsius.
+cpu_temperature 0 {
+ format = "%degrees °C"
+ separator_block_width = 25
+}
+
+# Show date/time/timezone as "year-month-day hour:minute:second
+# timezone_numeric/timezone_alphabetic".
+time {
+ format = "%Y-%m-%d %H:%M:%S %z/%Z"
+ separator_block_width = 25
+}
+
+volume master {
+ format = "♪: %volume"
+ format_muted = "♪: muted (%volume)"
+ separator_block_width = 25
+}
--- /dev/null
+# Settings for interactive shells.
+
+# Fancy colors for ls.
+alias ls="ls --color=auto"
+
+# Use vim as default editor for anything.
+export VISUAL=vim
+export EDITOR=$VISUAL
+
+# Colored prompt with username, hostname, date/time, directory.
+colornumber=7 # Default to white if no color set via colornumber dotfile.
+colornumber_file=~/.shell_prompt_color
+if [ -f $colornumber_file ]; then
+ colornumber=`cat $colornumber_file`
+fi
+tput_color="$(tput setaf $colornumber)$(tput bold)"
+tput_reset="$(tput sgr0)"
+# Bash confuses the line length when not told to not count escape sequences.
+if [ ! "$BASH" = "" ]; then
+ tput_color="\[$tput_color\]"
+ tput_reset="\[$tput_reset\]"
+fi
+PS1="${tput_color}["\$\(date\ +%Y-%m-%d/%H:%M:%S/%Z\)" $(whoami)@$(hostname):"\$\(pwd\)"]$ $tput_reset"
+PS2="${tput_color}> $tput_reset"
+PS3="${tput_color}select: $tput_reset"
+PS4="${tput_color}+ $tput_reset"
--- /dev/null
+! otherwise various applications will assume merely 8 colors
+XTerm.termName: xterm-256color
+
+! font
+! actually, "mono" is already the default for faceName (it will
+! pick whatever fc-match mono delivers), but we need to set _some_
+! faceName to trigger XTerm activating TrueType fonts
+! (XTerm*fontRender by itself won't do the trick), and we want
+! TrueType fonts because, well, they scale better, and XTerm lets them
+! fall back on alternatives (hi there ttf-unifont) when a Unicode
+! glyph is not found
+XTerm*faceName: mono
+
+! white on black
+XTerm*reverseVideo: on
+
+! blink screen instead of sound
+XTerm*visualBell: on
+
+! proper ALT as META key treatment
+XTerm*eightBitInput: false
+
+! font sizes
+XTerm*faceSize: 8
+XTerm*faceSize1: 4
+XTerm*faceSize2: 5
+XTerm*faceSize3: 6
+XTerm*faceSize4: 8
+XTerm*faceSize5: 14
+XTerm*faceSize6: 25
+
+! colors
+! black
+XTerm*color0: #202020
+XTerm*color8: #3F3F3F
+! red
+XTerm*color1: #A82020
+XTerm*color9: #E82020
+! green
+XTerm*color2: #20A820
+XTerm*color10: #20E820
+! yellow
+XTerm*color3: #A8A820
+XTerm*color11: #E8E820
+! blue
+XTerm*color4: #3F3FFF
+XTerm*color12: #9F9FFF
+! magenta
+XTerm*color5: #A83FFF
+XTerm*color13: #E89FFF
+! cyan
+XTerm*color6: #3FA8FF
+XTerm*color14: #9FE8FF
+! white
+XTerm*color7: #A8A8A8
+XTerm*color15: #E8E8E8
--- /dev/null
+plom@plomlompom.com
+plom@mail.plomlompom.com
+plom@play.plomlompom.com
+# file read ends at last newline
--- /dev/null
+# plomlompom's i3-wm configuration
+
+# Font for i3 text
+font pango:Terminus 8px
+
+# Force "tabbed" as default layout for new windows.
+workspace_layout tabbed
+
+# Make the Windows key the modifier key for all i3-wm actions.
+set $mod Mod4
+floating_modifier $mod
+
+# Launch xterm.
+bindsym $mod+Return exec xterm
+
+# Launch programs via dmenu.
+bindsym $mod+d exec dmenu_run
+bindsym $mod+x exec dmenu_run
+
+# Kill window.
+bindsym $mod+Shift+Q kill
+
+# Move focus between windows.
+bindsym $mod+Left focus left
+bindsym $mod+Down focus down
+bindsym $mod+Up focus up
+bindsym $mod+Right focus right
+
+# Don't move focus with mouse.
+focus_follows_mouse no
+
+# Move windows.
+bindsym $mod+Shift+Left move left
+bindsym $mod+Shift+Down move down
+bindsym $mod+Shift+Up move up
+bindsym $mod+Shift+Right move right
+
+# Resize windows
+bindsym $mod+h resize shrink width 1 px or 1 ppt
+bindsym $mod+l resize grow width 1 px or 1 ppt
+bindsym $mod+j resize shrink height
+bindsym $mod+k resize grow height
+
+# Toggle fullscreen for focused window.
+bindsym $mod+f fullscreen
+
+# Toggle floating of window, focus on floating or tabbed windows.
+bindsym $mod+Shift+space floating toggle
+bindsym $mod+space focus mode_toggle
+
+# Switch to workspace x.
+bindsym $mod+1 workspace 1
+bindsym $mod+2 workspace 2
+bindsym $mod+3 workspace 3
+bindsym $mod+4 workspace 4
+bindsym $mod+5 workspace 5
+bindsym $mod+6 workspace 6
+bindsym $mod+7 workspace 7
+bindsym $mod+8 workspace 8
+bindsym $mod+9 workspace 9
+bindsym $mod+0 workspace 10
+
+# Move window to workspace x.
+bindsym $mod+Shift+exclam move workspace 1
+bindsym $mod+Shift+quotedbl move workspace 2
+bindsym $mod+Shift+section move workspace 3
+bindsym $mod+Shift+dollar move workspace 4
+bindsym $mod+Shift+percent move workspace 5
+bindsym $mod+Shift+ampersand move workspace 6
+bindsym $mod+Shift+slash move workspace 7
+bindsym $mod+Shift+parenleft move workspace 8
+bindsym $mod+Shift+parenright move workspace 9
+bindsym $mod+Shift+equal move workspace 10
+
+# Reload i3 config file, restart (keeping sesion) i3, exit i3.
+bindsym $mod+Shift+C reload
+bindsym $mod+Shift+R restart
+bindsym $mod+Shift+P exit
+
+# Select "i3status" as i3 status bar.
+bar {
+ status_command i3status
+}
--- /dev/null
+;; general layout
+;; ==============
+
+;; need no stinkin emacs help screen as start up, and no menu bar
+(setq inhibit-startup-screen t)
+(menu-bar-mode -1)
+
+;; highlight cursor line, parentheses
+(global-hl-line-mode 1)
+(show-paren-mode 1)
+
+;; show line numbers, use separator space
+(global-linum-mode)
+(setq linum-format "%d ")
+
+;; count cursor column, row in mode line
+(setq column-number-mode t)
+
+;; settings to make GUI tolerable
+(if window-system
+ (progn
+ (add-to-list 'default-frame-alist '(foreground-color . "white"))
+ (add-to-list 'default-frame-alist '(background-color . "black"))
+ (set-face-attribute 'default nil :height 80)
+ (scroll-bar-mode -1)
+ (setq visible-bell t)
+ (setq linum-format "%d")))
+
+;; use as default browser what XDG offers
+(setq-default browse-url-browser-function 'browse-url-xdg-open)
+
+
+
+;; general keybindings
+;; ===================
+
+;; create and use a minimal global map using just the self-insert command
+;; bindings and a selection of some to me very common keystrokes
+(setq minimal-map (make-sparse-keymap))
+(substitute-key-definition 'self-insert-command 'self-insert-command
+ minimal-map global-map)
+(use-global-map minimal-map)
+(global-set-key (kbd "DEL") 'backward-delete-char-untabify)
+(global-set-key (kbd "RET") 'newline)
+(global-set-key (kbd "TAB") 'indent-for-tab-command)
+(global-set-key (kbd "<up>") 'previous-line)
+(global-set-key (kbd "<down>") 'next-line)
+(global-set-key (kbd "<left>") 'left-char)
+(global-set-key (kbd "<right>") 'right-char)
+(global-set-key (kbd "<prior>") 'scroll-down-command)
+(global-set-key (kbd "<next>") 'scroll-up-command)
+(global-set-key (kbd "M-x") 'execute-extended-command)
+(global-set-key (kbd "C-g") 'keyboard-quit)
+;(global-set-key (kbd "<f3>") 'kmacro-start-macro-or-insert-counter)
+;(global-set-key (kbd "<f4>") 'kmacro-end-or-call-macro)
+;; note how to switch back to the original map: (use-global-map global-map)
+(setq shr-map (make-sparse-keymap)) ; got annoying in elfeed-show on URLs
+
+
+
+;; minibuffer
+;; ==========
+
+;; incremental minibuffer completion
+(icomplete-mode 1)
+
+
+
+;; text editing
+;; ============
+
+;; tabs are evil
+(setq-default indent-tabs-mode nil)
+(setq-default tab-width 4)
+(setq indent-line-function 'insert-tab)
+
+;; show trailing whitespace
+(setq-default show-trailing-whitespace 1)
+
+;; on save, ask whether to ensure text file's last line ends in a
+;; newline character
+(setq require-final-newline 1)
+
+;; use dedicated directory for version-controlled, endless backups;
+;; never delete old versions
+(setq make-backup-files t
+ backup-directory-alist `(("." . "~/.emacs_backups"))
+ backup-by-copying t
+ version-control t
+ delete-old-versions 1) ;; neither t nor nil: never delete
+
+
+;; package management
+;; ==================
+
+;; where we get packages from
+(setq package-archives '(("gnu" . "https://elpa.gnu.org/packages/")
+ ("melpa-unstable" . "https://melpa.org/packages/")
+ ("melpa-stable" . "https://stable.melpa.org/packages/")))
+
+;; ensure certain packages are installed (actually, we use Debian repos here)
+;; credit to <https://stackoverflow.com/a/10093312>
+;(setq package-list '(elfeed ledger-mode))
+;(package-initialize)
+;(dolist (package package-list)
+; (unless (package-installed-p package)
+; (package-install package)))
+
+
+
+;;; window management
+;;; =================
+;
+;;; track window configurations to allow window config undo
+;(winner-mode 1)
+
+
+
+;; mail setup
+;; ==========
+
+(setq send-mail-function 'smtpmail-send-it)
+(setq smtpmail-smtp-server "mail.plomlompom.com")
+(setq smtpmail-smtp-service 465)
+(setq smtpmail-stream-type 'ssl)
+(setq smtpmail-smtp-user "plom")
+(setq mml-secure-openpgp-encrypt-to-self t)
+(add-hook 'message-setup-hook 'mml-secure-sign-pgpmime)
+
+;(setq gnutls-log-level 0)
+
+;; if we don't set this, we get this warning:
+;; gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
+;; has been lowered to 256 bits and this may allow decryption of the session data
+(setq gnutls-min-prime-bits 1024)
+
+;; there is a WEIRD bug somewhere in /network-stream-open-tls/ that disappears the
+;; stream process, seemingly unless the /message/ function is called at the right
+;; place (earliest in /nsm-verify-connection/ right before the "cond" there, latest
+;; in /network-stream-get-response/ right after "(goto-char start)"; this works
+;; unless /inhibit_message/ is set, indicating that writing to the *Messages*
+;; buffer is not relevant, but maybe writing to the echo area is); activing the
+;; gnutls logging is just a hack to achieve such calls to /message/ in the
+;; /network-stream-open-tls/ flow.
+(setq gnutls-log-level 1) ; miraculously makes smtpmail work
+
+;; constructs From: domain if mail composer directly called (from without
+;; notmuch), but we don't actually intend to do that
+;(setq mail-host-address "plomlompom.com")
+
+;; otherwise notmuch becomes extremely slow in some cases
+(setq-default notmuch-show-indent-content nil)
+
+;; this only works if we use notmuch-mua-send instead of message-send
+(setq notmuch-fcc-dirs '(("plom@plomlompom.com" . "maildir/Sent")))
+
+;; this gets rid of "i-did-not-set--mail-host-address--so-tickle-me"
+;; in the message ID
+(setq mail-host-address "plomlompom.com")
+
+;; notmuch saved searches
+(setq notmuch-saved-searches
+ '((:name "inbox" :query "tag:unread and folder:inbox")
+ (:name "all" :query "tag:unread not folder:maildir/Trash")
+ (:name "plomlompom.de" :query "tag:unread and folder:maildir/plomlompom.de")
+ (:name "nebenan" :query "tag:unread and folder:maildir/nebenan")
+ (:name "reflect-info" :query "tag:unread and folder:maildir/reflect-info")
+ (:name "gmail" :query "tag:unread and folder:maildir/gmail.com")
+ (:name "mutter" :query "tag:unread and folder:maildir/mutter")))
+
+
+
+;; org mode
+;; ========
+
+;; unsure why, but to re-set the key map, we not only have to explicitely do it
+;; only after org-mode loading, but also have to explicitely overwrite the
+;; C-c keybinding; TODO: investigate
+(with-eval-after-load 'org
+ (setq org-mode-map (make-sparse-keymap))
+ (define-key org-mode-map (kbd "C-c") nil)
+ (define-key org-mode-map (kbd "TAB") 'org-cycle)
+ (define-key org-mode-map (kbd "<backtab>") 'org-shifttab))
+
+;; don't truncate lines by default
+(setq org-startup-truncated nil)
+
+;; basic org-capture config
+(setq org-capture-templates
+ '(("x" "test" plain (file "~/org/notes.org") "%T: %?")))
+(add-hook 'org-capture-mode-hook 'evil-insert-state)
+
+;; agenda view on startup
+(load-library "find-lisp")
+(setq org-agenda-files (find-lisp-find-files "~/org" "\.org$"))
+(setq org-agenda-span 90)
+(setq org-agenda-use-time-grid nil)
+(add-hook 'emacs-startup-hook (lambda ()
+ (org-agenda-list)
+ (switch-to-buffer "*Org Agenda*")
+ (other-window 1)))
+
+;;; for calendar, use ISO date style
+;(setq calendar-date-style 'iso)
+;(setq diary-number-of-entries 7)
+;(diary)
+;(setq org-agenda-time-grid '((today require-timed remove-match)
+; #("----------------" 0 16 (org-heading t))
+; (0 200 400 600 800 1000 1200
+; 1400 1600 1800 2000 2200)))
+
+;; empty org-agenda-mode keybindings
+(add-hook 'org-agenda-mode-hook
+ (lambda ()
+ (setq org-agenda-mode-map (make-sparse-keymap))))
+(add-hook 'org-agenda-mode-hook
+ (lambda ()
+ (use-local-map (make-sparse-keymap))))
+
+;; org-publish-all
+(setq org-publish-project-alist
+ '(
+ ("website"
+ :base-directory "~/org/web/"
+ :base-extension "org"
+ :publishing-directory "~/html/"
+ :recursive t
+ :publishing-function org-html-publish-to-html
+ :headline-levels 4 ; Just the default for this project.
+ :auto-preamble t
+ )))
+
+;; use [ki:] syntax to hide stuff from exports
+(defun classify-information (text backend info)
+ "Replaces '[ki:WHATEVER]' with '[klassifizierte Information]'."
+ (replace-regexp-in-string "\\[ki:[^\]]*\]" "[klassifizierte Information]" text))
+(add-hook 'org-export-filter-plain-text-functions 'classify-information)
+
+;; add HTML validator link to exports
+(setq org-html-validation-link "<a href=\"https://validator.w3.org/check?uri=referer\">Validate</a>")
+
+
+
+;;; Info mode
+;;; =========
+
+(setq Info-mode-map (make-sparse-keymap))
+(define-key Info-mode-map (kbd "RET") 'Info-follow-nearest-node)
+(define-key Info-mode-map (kbd "u") 'Info-up)
+(define-key Info-mode-map (kbd "TAB") 'Info-next-reference)
+(define-key Info-mode-map (kbd "<backtab>") 'Info-prev-reference)
+(define-key Info-mode-map (kbd "H") 'Info-history-back)
+(define-key Info-mode-map (kbd "L") 'Info-history-forward)
+(define-key Info-mode-map (kbd "I") 'Info-goto-node)
+(define-key Info-mode-map (kbd "i") 'Info-index)
+
+
+
+;; help mode
+;; =========
+
+(setq help-mode-map (make-sparse-keymap))
+(define-key help-mode-map (kbd "TAB") 'forward-button)
+(define-key help-mode-map (kbd "RET") 'help-follow)
+(define-key help-mode-map (kbd "<backtab>") 'backward-button)
+
+
+
+;; elfeed
+;; ======
+
+(require 'elfeed) ; needed so we can set the font faces
+(set-face-background 'elfeed-search-title-face "magenta")
+(set-face-background 'elfeed-search-unread-count-face "magenta")
+(setq elfeed-feeds
+ '("https://capsurvival.blogspot.com/feeds/posts/default"
+ "https://jungle.world/rss.xml"
+ "http://news.dieweltistgarnichtso.net/bin/index.xml"
+ "https://taz.de/!s=&ExportStatus=Intern&SuchRahmen=Online;rss/"
+ "http://www.tagesschau.de/xml/atom"))
+(setq elfeed-search-mode-map (make-sparse-keymap))
+(define-key elfeed-search-mode-map (kbd "RET") 'elfeed-search-show-entry)
+(defun elfeed-search-mark-as-read() (interactive)
+ (elfeed-search-untag-all 'unread))
+(define-key elfeed-search-mode-map (kbd "r") 'elfeed-search-mark-as-read)
+(define-key elfeed-search-mode-map (kbd "R") 'elfeed-search-tag-all-unread)
+(define-key elfeed-search-mode-map (kbd "f") 'elfeed-search-live-filter)
+(define-key elfeed-search-mode-map (kbd "u") 'elfeed-update)
+(setq elfeed-show-mode-map (make-sparse-keymap))
+(define-key elfeed-show-mode-map (kbd "u") 'elfeed)
+(define-key elfeed-show-mode-map (kbd "TAB") 'shr-next-link)
+(define-key elfeed-show-mode-map (kbd "<backtab>") 'shr-previous-link)
+(define-key elfeed-show-mode-map (kbd "a") 'elfeed-show-prev)
+(define-key elfeed-show-mode-map (kbd "d") 'elfeed-show-next)
+(define-key elfeed-show-mode-map (kbd "y") 'shr-copy-url)
+(define-key elfeed-show-mode-map (kbd "RET") 'shr-browse-url)
+
+
+
+;; eww
+;; ===
+
+(setq eww-mode-map (make-sparse-keymap))
+(define-key eww-mode-map (kbd "TAB") 'shr-next-link)
+(define-key eww-mode-map (kbd "<backtab>") 'shr-previous-link)
+(define-key eww-mode-map (kbd "H") 'eww-back-url)
+(define-key eww-mode-map (kbd "L") 'eww-forward-url)
+
+
+
+;; ledger
+;; ======
+(setq ledger-mode-map (make-sparse-keymap))
+(define-key ledger-mode-map (kbd "TAB") 'ledger-magic-tab)
+
+
+
+;;; plomvi mode
+;;; ===========
+
+(defvar plomvi-return-combo (kbd "C-c"))
+(load "~/public_repos/plomvi.el/plomvi.el")
+(plomvi-global-mode 1)
--- /dev/null
+[user]
+ email = c.heller@plomlompom.de
+ name = Christian Heller
--- /dev/null
+IMAPAccount plom
+# Address to connect to
+Host mail.plomlompom.com
+User plom
+# For some reason, mbsync doesn't accept a PassCmd output beyond 79 chars,
+# therefore the pw in ~/.authinfo should not be longer than that.
+PassCmd "cat ~/.authinfo | cut -d' ' -f8-"
+SSLType IMAPS
+AuthMechs LOGIN
+
+IMAPStore core-remote
+Account plom
+
+MaildirStore core-local
+# The trailing "/" is important
+Path ~/mail/maildir/
+Inbox ~/mail/inbox/
+
+Channel core
+Master :core-remote:
+Slave :core-local:
+Patterns *
+# Automatically create missing mailboxes, both locally and on the server
+Create Both
+# Save the synchronization state files in the relevant directory
+SyncState *
+# If a mail is marked T ("Trashed") or deleted, remove it for real everywhere
+Expunge Both
--- /dev/null
+[database]
+path=/home/plom/mail
+[search]
+exclude_tags=deleted;spam;
+# the fields below set the From: if the mail composer is called from
+# within notmuch
+[user]
+name=Christian Heller
+primary_email=plom@plomlompom.com
--- /dev/null
+sanitize tridactyllocal tridactylsync
+guiset statuspanel top-right
+guiset tabs autohide
+set newtab file:///opt/firefox/blank.html
+autocmd DocStart www.reddit.com urlmodify -t www.reddit old.reddit
+bind / fillcmdline find
+bind n findnext 1
+bind N findnext -1
+set findcase insensitive
+bind j scrollline 3
+bind k scrollline -3
+set hintuppercase false
+set searchengine duckduckgo
--- /dev/null
+# X init configuration
+
+# Set keymap.
+setxkbmap de
+
+# Map CapsLock to Compose key.
+xmodmap -e "clear Lock"
+xmodmap -e "keycode 66 = Multi_key"
+
+# Load xterm settings
+xrdb -merge ~/.Xresources
+
+# Redshift to Berlin, Germany.
+redshift -rl 53:13 &
+
+# Launch window manager.
+i3
--- /dev/null
+#!/bin/sh
+set -e
+
+basedir="/home/plom/mail/maildir/"
+# Ensure directories exist for all "dir:*" tags.
+for tag in $(notmuch search --output=tags '*'); do
+ if [ ! $(echo "${tag}" | cut -c-4) = "dir:" ]; then
+ continue
+ fi
+ target_dir="${basedir}"$(echo "${tag}" | cut -c5-)"/cur/"
+ if [ ! -d "${target_dir}" ]; then
+ echo "Directory ${target_dir} does not exist."
+ exit 1
+ fi
+done
+
+# Ensure all "dir:*"-tagged mails are in proper directories,
+# remove all "dir:*" tags.
+for tag in $(notmuch search --output=tags '*'); do
+ if [ ! $(echo "${tag}" | cut -c-4) = "dir:" ]; then
+ continue
+ fi
+ target_dir="${basedir}"$(echo "${tag}" | cut -c5-)"/cur/"
+ for f in $(notmuch search --output=files tag:"${tag}"); do
+ new_name=$(basename "${f}" | sed -e 's/,U=[0-9]*//')
+ target_path="${target_dir}${new_name}"
+ if [ ! "${target_path}" = "${f}" ]; then
+ echo "Moving ${f} to ${target_path}."
+ mv "${f}" "${target_path}"
+ fi
+ done
+ notmuch tag -"${tag}" tag:"${tag}"
+done
+
+# Remove all "deleted"-tagged files from maildirs.
+notmuch search --output=files tag:deleted | while read f; do
+ echo "Deleting ${f}"
+ rm "${f}"
+done
+
+# Sync changes back to server and update notmuch index.
+mbsync -a
+notmuch new
--- /dev/null
+# List of repos we want cloned in ~/public_repos
+config
+pingmail.git
+plomlombot-irc.git
+plomrogue
+plomrogue2-experiments
+plomvi.el
--- /dev/null
+# plomlompom's i3 status bar configuration
+
+# Activate colors; set update interval of one second.
+general {
+ colors = true
+ interval = 1
+}
+
+# Selection / order of status elements.
+order += "disk /"
+order += "disk /home/"
+order += "wireless wlp3s0"
+order += "ethernet enp0s25"
+order += "battery 0"
+order += "cpu_usage"
+order += "load"
+order += "cpu_temperature 0"
+order += "time"
+order += "volume master"
+
+# How much space is left in / ?
+disk "/" {
+ format = "/: %avail available of %total"
+ separator_block_width = 25
+}
+
+# How much space is left in /home ?
+disk "/home/" {
+ format = "/home: %avail available of %total"
+ separator_block_width = 25
+}
+
+# WLAN status: show IP and connection quality or "down".
+wireless wlp3s0 {
+ format_up = "w: (%quality at %essid) %ip"
+ format_down = "w: down"
+ separator_block_width = 10
+}
+
+# Ethernet status: show IP or "down".
+ethernet enp0s25 {
+ format_up = "e: %ip"
+ format_down = "e: down"
+ separator_block_width = 25
+}
+
+# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
+battery 0 {
+ format = "b: %status %percentage %remaining"
+ separator_block_width = 25
+}
+
+# Show CPU usage.
+cpu_usage {
+ format = "cpu: %usage"
+ separator_block_width = 10
+}
+
+# Show system load during last 1/5/15 minutes.
+load {
+ format = "%1min %5min %15min"
+ separator_block_width = 25
+}
+
+# Show CPU temperature in degrees of celsius.
+cpu_temperature 0 {
+ format = "%degrees °C"
+ separator_block_width = 25
+}
+
+# Show date/time/timezone as "year-month-day hour:minute:second
+# timezone_numeric/timezone_alphabetic".
+time {
+ format = "%Y-%m-%d %H:%M:%S %z/%Z"
+ separator_block_width = 25
+}
+
+volume master {
+ format = "♪: %volume"
+ format_muted = "♪: muted (%volume)"
+ separator_block_width = 25
+}
--- /dev/null
+# plomlompom's i3 status bar configuration
+
+# Activate colors; set update interval of one second.
+general {
+ colors = true
+ interval = 1
+}
+
+# Selection / order of status elements.
+order += "disk /"
+order += "disk /home/"
+order += "wireless wls1"
+order += "ethernet enp0s25"
+order += "battery 0"
+order += "cpu_usage"
+order += "load"
+order += "cpu_temperature 0"
+order += "time"
+order += "volume master"
+
+# How much space is left in / ?
+disk "/" {
+ format = "/: %avail available of %total"
+ separator_block_width = 25
+}
+
+# How much space is left in /home ?
+disk "/home/" {
+ format = "/home: %avail available of %total"
+ separator_block_width = 25
+}
+
+# WLAN status: show IP and connection quality or "down".
+wireless wls1 {
+ format_up = "w: (%quality at %essid) %ip"
+ format_down = "w: down"
+ separator_block_width = 10
+}
+
+# Ethernet status: show IP or "down".
+ethernet enp0s25 {
+ format_up = "e: %ip"
+ format_down = "e: down"
+ separator_block_width = 25
+}
+
+# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
+battery 0 {
+ format = "b: %status %percentage %remaining"
+ separator_block_width = 25
+}
+
+# Show CPU usage.
+cpu_usage {
+ format = "cpu: %usage"
+ separator_block_width = 10
+}
+
+# Show system load during last 1/5/15 minutes.
+load {
+ format = "%1min %5min %15min"
+ separator_block_width = 25
+}
+
+# Show CPU temperature in degrees of celsius.
+cpu_temperature 0 {
+ format = "%degrees °C"
+ separator_block_width = 25
+}
+
+# Show date/time/timezone as "year-month-day hour:minute:second
+# timezone_numeric/timezone_alphabetic".
+time {
+ format = "%Y-%m-%d %H:%M:%S %z/%Z"
+ separator_block_width = 25
+}
+
+volume master {
+ format = "♪: %volume"
+ format_muted = "♪: muted (%volume)"
+ separator_block_width = 25
+}
--- /dev/null
+# plomlompom's i3 status bar configuration
+
+# Activate colors; set update interval of one second.
+general {
+ colors = true
+ interval = 1
+}
+
+# Selection / order of status elements.
+order += "disk /"
+order += "disk /home/"
+order += "wireless wlp3s0"
+order += "ethernet enp0s25"
+order += "battery 0"
+order += "cpu_usage"
+order += "load"
+order += "cpu_temperature 0"
+order += "time"
+order += "volume master"
+
+# How much space is left in / ?
+disk "/" {
+ format = "/: %avail available of %total"
+ separator_block_width = 25
+}
+
+# How much space is left in /home ?
+disk "/home/" {
+ format = "/home: %avail available of %total"
+ separator_block_width = 25
+}
+
+# WLAN status: show IP and connection quality or "down".
+wireless wlp3s0 {
+ format_up = "w: (%quality at %essid) %ip"
+ format_down = "w: down"
+ separator_block_width = 10
+}
+
+# Ethernet status: show IP or "down".
+ethernet enp0s25 {
+ format_up = "e: %ip"
+ format_down = "e: down"
+ separator_block_width = 25
+}
+
+# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
+battery 0 {
+ format = "b: %status %percentage %remaining"
+ separator_block_width = 25
+}
+
+# Show CPU usage.
+cpu_usage {
+ format = "cpu: %usage"
+ separator_block_width = 10
+}
+
+# Show system load during last 1/5/15 minutes.
+load {
+ format = "%1min %5min %15min"
+ separator_block_width = 25
+}
+
+# Show CPU temperature in degrees of celsius.
+cpu_temperature 0 {
+ format = "%degrees °C"
+ separator_block_width = 25
+}
+
+# Show date/time/timezone as "year-month-day hour:minute:second
+# timezone_numeric/timezone_alphabetic".
+time {
+ format = "%Y-%m-%d %H:%M:%S %z/%Z"
+ separator_block_width = 25
+}
+
+volume master {
+ format = "♪: %volume"
+ format_muted = "♪: muted (%volume)"
+ separator_block_width = 25
+}
--- /dev/null
+
+# plomlompom customizations
+Domain REPLACE_maildomain_ECALPER
+KeyFile /etc/dkimkeys/REPLACE_selector_ECALPER.private
+Selector REPLACE_selector_ECALPER
+Socket inet:8892@localhost
--- /dev/null
+
+##########################################
+# below this: customizations by plomlompom
+
+config :pleroma, :instance,
+ registrations_open: false,
+ safe_dm_mentions: true,
+ cleanup_attachments: true
+
+config :pleroma, :frontend_configurations,
+ pleroma_fe: %{
+ showInstanceSpecificPanel: true,
+ background: "/pixel.png",
+ logo: "/pixel.png"
+ }
+
+config :pleroma, :chat,
+ enabled: false
+
+config :pleroma, Pleroma.Captcha,
+ enabled: false
+
+config :pleroma, :static_fe,
+ enabled: true
--- /dev/null
+
+# TLS certs
+smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
+
+# OpenDKIM milter
+non_smtpd_milters = inet:localhost:8892
+smtpd_milters = inet:localhost:8892
+
+# transport mail to dovecot; not strictly needed, as even without this
+# postfix will throw mail to /var/mail/USER to be found by dovecot for
+# serving via IMAP etc.; but using dovecot's LMTP server for delivery
+# allows us to do stuff like dovecot-side sieve filtering.
+mailbox_transport = lmtp:inet:127.0.0.1:2424
+
+# to authenticate on SMTP, we need a SASL mechanism; we talk to dovecot
+# for this, since it provides one
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+smtpd_sasl_auth_enable = yes
+
+# we append mail domain here for if it is different than $myhostname
+mydestination = $myhostname localhost.$mydomain localhost REPLACE_maildomain_ECALPER
--- /dev/null
+
+# Run SMTPS on port 465, enforce TLS there.
+smtps inet n - y - - smtpd
+ -o smtpd_tls_wrappermode=yes
--- /dev/null
+#!/bin/sh
+blog_dir=~/blog
+export GIT_DIR=$(pwd)
+export GIT_WORK_TREE="$blog_dir"
+git checkout -f
+cd "$GIT_WORK_TREE"
+redo
+git add metadata/author metadata/url metadata/title metadata/*.tmpl metadata/automatic_metadata captchas/linkable/*
+count=$(ls -1 metadata/*.automatic_metadata 2>/dev/null | wc -l)
+if [ "$count" != 0 ]; then
+ git add metadata/*.automatic_metadata
+fi
+status=$(git status -s)
+n_updates=$(printf "$status" | grep -vE '^\?\?' | wc -l)
+if [ "$n_updates" -gt 0 ]; then
+ git commit -a -m 'Update metadata'
+fi
--- /dev/null
+require ["fileinto"];
+require ["mailbox"];
+if address :is "from" "foo@bar.com" {
+ fileinto :create "foo";
+}
+if address :is :domain "to" "example.com" {
+ fileinto :create "example.com";
+}
--- /dev/null
+<!DOCTYPE html>
+<meta charset="UTF-8">
+<a href="blog">Zum Blog?</a>
--- /dev/null
+# remove "keep" if you're sure about your setup; it keeps mails on server from getting deleted
+poll mail.example.com protocol pop3 username "foo@example.com" password "PASSWORD" ssl keep
--- /dev/null
+listen:
+ hostname: 'localhost'
+ port: 9000
+
+# Correspond to your reverse proxy server_name/listen configuration
+webserver:
+ https: true
+ hostname: 'example.com'
+ port: 443
+
+rates_limit:
+ api:
+ # 50 attempts in 10 seconds
+ window: 10 seconds
+ max: 50
+ login:
+ # 15 attempts in 5 min
+ window: 5 minutes
+ max: 15
+ signup:
+ # 2 attempts in 5 min (only succeeded attempts are taken into account)
+ window: 5 minutes
+ max: 2
+ ask_send_email:
+ # 3 attempts in 5 min
+ window: 5 minutes
+ max: 3
+
+# Proxies to trust to get real client IP
+# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
+# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
+trust_proxy:
+ - 'loopback'
+
+# Your database name will be "peertube"+database.suffix
+database:
+ password: 'peertube'
+ hostname: 'localhost'
+ port: 5432
+ suffix: '_prod'
+ username: 'peertube'
+ pool:
+ max: 5
+
+# Redis server for short time storage
+# You can also specify a 'socket' path to a unix socket but first need to
+# comment out hostname and port
+redis:
+ hostname: 'localhost'
+ port: 6379
+ auth: null
+ db: 0
+
+# SMTP server to send emails
+smtp:
+ hostname: null
+ port: 465 # If you use StartTLS: 587
+ username: null
+ password: null
+ tls: true # If you use StartTLS: false
+ disable_starttls: false
+ ca_file: null # Used for self signed certificates
+ from_address: 'admin@example.com'
+
+email:
+ body:
+ signature: "PeerTube"
+ subject:
+ prefix: "[PeerTube]"
+
+# From the project root directory
+storage:
+ tmp: '/var/www/peertube/storage/tmp/' # Use to download data (imports etc), store uploaded files before processing...
+ avatars: '/var/www/peertube/storage/avatars/'
+ videos: '/var/www/peertube/storage/videos/'
+ streaming_playlists: '/var/www/peertube/storage/streaming-playlists/'
+ redundancy: '/var/www/peertube/storage/redundancy/'
+ logs: '/var/www/peertube/storage/logs/'
+ previews: '/var/www/peertube/storage/previews/'
+ thumbnails: '/var/www/peertube/storage/thumbnails/'
+ torrents: '/var/www/peertube/storage/torrents/'
+ captions: '/var/www/peertube/storage/captions/'
+ cache: '/var/www/peertube/storage/cache/'
+ plugins: '/var/www/peertube/storage/plugins/'
+
+log:
+ level: 'info' # debug/info/warning/error
+ rotation:
+ enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
+ maxFileSize: 12MB
+ maxFiles: 20
+ anonymizeIP: true
+
+search:
+ # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
+ # If enabled, the associated group will be able to "escape" from the instance follows
+ # That means they will be able to follow channels, watch videos, list videos of non followed instances
+ remote_uri:
+ users: true
+ anonymous: false
+
+trending:
+ videos:
+ interval_days: 7 # Compute trending videos for the last x days
+
+# Cache remote videos on your server, to help other instances to broadcast the video
+# You can define multiple caches using different sizes/strategies
+# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
+redundancy:
+ videos:
+ check_interval: '1 hour' # How often you want to check new videos to cache
+ strategies: # Just uncomment strategies you want
+# -
+# size: '10GB'
+# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+# min_lifetime: '48 hours'
+# strategy: 'most-views' # Cache videos that have the most views
+# -
+# size: '10GB'
+# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+# min_lifetime: '48 hours'
+# strategy: 'trending' # Cache trending videos
+# -
+# size: '10GB'
+# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+# min_lifetime: '48 hours'
+# strategy: 'recently-added' # Cache recently added videos
+# min_views: 10 # Having at least x views
+
+csp:
+ enabled: false
+ report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
+ report_uri:
+
+tracker:
+ # If you disable the tracker, you disable the P2P aspect of PeerTube
+ enabled: true
+ # Only handle requests on your videos.
+ # If you set this to false it means you have a public tracker.
+ # Then, it is possible that clients overload your instance with external torrents
+ private: true
+ # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
+ reject_too_many_announces: false
+
+history:
+ videos:
+ # If you want to limit users videos history
+ # -1 means there is no limitations
+ # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
+ max_age: -1
+
+views:
+ videos:
+ # PeerTube creates a database entry every hour for each video to track views over a period of time
+ # This is used in particular by the Trending page
+ # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
+ # -1 means no cleanup
+ # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
+ remote:
+ max_age: -1
+
+plugins:
+ # The website PeerTube will ask for available PeerTube plugins and themes
+ # This is an unmoderated plugin index, so only install plugins/themes you trust
+ index:
+ enabled: true
+ check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
+ url: 'https://packages.joinpeertube.org'
+
+
+###############################################################################
+#
+# From this point, all the following keys can be overridden by the web interface
+# (local-production.json file). If you need to change some values, prefer to
+# use the web interface because the configuration will be automatically
+# reloaded without any need to restart PeerTube.
+#
+# /!\ If you already have a local-production.json file, the modification of the
+# following keys will have no effect /!\.
+#
+###############################################################################
+
+cache:
+ previews:
+ size: 500 # Max number of previews you want to cache
+ captions:
+ size: 500 # Max number of video captions/subtitles you want to cache
+
+admin:
+ # Used to generate the root user at first startup
+ # And to receive emails from the contact form
+ email: 'admin@example.com'
+
+contact_form:
+ enabled: true
+
+signup:
+ enabled: false
+ limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
+ requires_email_verification: false
+ filters:
+ cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
+ whitelist: []
+ blacklist: []
+
+user:
+ # Default value of maximum video BYTES the user can upload (does not take into account transcoded files).
+ # -1 == unlimited
+ video_quota: -1
+ video_quota_daily: -1
+
+# If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag
+# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions.
+# Please, do not disable transcoding since many uploaded videos will not work
+transcoding:
+ enabled: true
+ # Allow your users to upload .mkv, .mov, .avi, .flv videos
+ allow_additional_extensions: true
+ # If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
+ allow_audio_files: true
+ threads: 1
+ resolutions: # Only created if the original video has a higher resolution, uses more storage!
+ 0p: false # audio-only (creates mp4 without video stream, always created when enabled)
+ 240p: true
+ 360p: true
+ 480p: true
+ 720p: true
+ 1080p: true
+ 2160p: false
+
+ # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
+ # If you also enabled the hls format, it will multiply videos storage by 2
+ # If disabled, breaks federation with PeerTube instances < 2.1
+ webtorrent:
+ enabled: true
+
+ # /!\ Requires ffmpeg >= 4.1
+ # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
+ # * Resolution change is smoother
+ # * Faster playback in particular with long videos
+ # * More stable playback (less bugs/infinite loading)
+ # If you also enabled the webtorrent format, it will multiply videos storage by 2
+ hls:
+ enabled: true
+
+import:
+ # Add ability for your users to import remote videos (from YouTube, torrent...)
+ videos:
+ http: # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
+ enabled: false
+ # You can use an HTTP/HTTPS/SOCKS proxy with youtube-dl
+ proxy:
+ enabled: false
+ url: ""
+ torrent: # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
+ enabled: false
+
+auto_blacklist:
+ # New videos automatically blacklisted so moderators can review before publishing
+ videos:
+ of_users:
+ enabled: false
+
+# Instance settings
+instance:
+ name: 'PlomTube'
+ short_description: ''
+ description: 'Personal PeerTube instance by plomlompom (see https://plomlompom.com) for his own videos.' # Support markdown
+ terms: '**Privacy**: Videos here are streamed via the BitTorrent protocol, which might expose your IP to other peers – see the "P2P & Privacy" section [here](/about/peertube). Internally, site visits are logged by the PeerTube software, but with IPs anonymized. **Contact**: See https://plomlompom.com/contact.html' # Support markdown
+ code_of_conduct: '' # Supports markdown
+
+ # Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
+ moderation_information: '' # Supports markdown
+
+ # Why did you create this instance?
+ creation_reason: ''
+
+ # Who is behind the instance? A single person? A non profit?
+ administrator: ''
+
+ # How long do you plan to maintain this instance?
+ maintenance_lifetime: ''
+
+ # How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
+ business_model: ''
+
+ # If you want to explain on what type of hardware your PeerTube instance runs
+ # Example: "2 vCore, 2GB RAM..."
+ hardware_information: '' # Supports Markdown
+
+ # What are the main languages of your instance? To interact with your users for example
+ # Uncomment or add the languages you want
+ # List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
+ languages:
+# - en
+# - es
+# - fr
+
+ # You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
+ # Uncomment or add the category ids you want
+ # List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
+ categories:
+# - 1 # Music
+# - 2 # Films
+# - 3 # Vehicles
+# - 4 # Art
+# - 5 # Sports
+# - 6 # Travels
+# - 7 # Gaming
+# - 8 # People
+# - 9 # Comedy
+# - 10 # Entertainment
+# - 11 # News & Politics
+# - 12 # How To
+# - 13 # Education
+# - 14 # Activism
+# - 15 # Science & Technology
+# - 16 # Animals
+# - 17 # Kids
+# - 18 # Food
+
+ default_client_route: '/videos/trending'
+
+ # Whether or not the instance is dedicated to NSFW content
+ # Enabling it will allow other administrators to know that you are mainly federating sensitive content
+ # Moreover, the NSFW checkbox on video upload will be automatically checked by default
+ is_nsfw: false
+ # By default, "do_not_list" or "blur" or "display" NSFW videos
+ # Could be overridden per user with a setting
+ default_nsfw_policy: 'do_not_list'
+
+ customizations:
+ javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
+ css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
+ # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add '/' to "Disallow:'
+ robots: |
+ User-agent: *
+ Disallow:
+ # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string.
+ securitytxt:
+ "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
+
+services:
+ # Cards configuration to format video in Twitter
+ twitter:
+ username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
+ # If true, a video player will be embedded in the Twitter feed on PeerTube video share
+ # If false, we use an image link card that will redirect on your PeerTube instance
+ # Change it to "true", and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
+ whitelisted: false
+
+followers:
+ instance:
+ # Allow or not other instances to follow yours
+ enabled: true
+ # Whether or not an administrator must manually validate a new follower
+ manual_approval: false
+
+followings:
+ instance:
+ # If you want to automatically follow back new instance followers
+ # If this option is enabled, use the mute feature instead of deleting followings
+ # /!\ Don't enable this if you don't have a reactive moderation team /!\
+ auto_follow_back:
+ enabled: false
+
+ # If you want to automatically follow instances of the public index
+ # If this option is enabled, use the mute feature instead of deleting followings
+ # /!\ Don't enable this if you don't have a reactive moderation team /!\
+ auto_follow_index:
+ enabled: false
+ index_url: 'https://instances.joinpeertube.org'
+
+theme:
+ default: 'default'
--- /dev/null
+# place for test files whose modification times are used to track lifesigns
+testdir=$HOME'/.pingmail'
+
+# modification time is the last time a ping was sent or a lifetime received
+ping_touch=$testdir'/ping_touch'
+
+# modification time is when the count for sending checker a warning mail starts
+reminder_touch=$testdir'/reminder_touch'
+
+# how long to wait for lifesigns before sending a ping; double is time to wait
+# for a lifesign before sending a warning message to checker
+wait_time=86400
+
+# address of the checker, receives warning message after too long wait
+checker_address='bar@example.org'
+
+# address of the checked person, ping is sent here
+checked_address='foo@example.org'
+
+# content of ping message sent to checked person
+subj2checked='[pingmail] Ping!'
+msg2checked='Hi!\n
+\nThis is an automated mail ping from '$checker_address'.
+\nRespond to show that you are still alive!'
+
+# content of warning message sent to checker
+id_target='foo'
+subj2checker='[pingmail] No recent life signs from '$id_target
+reminder_time=`expr $wait_time \* 2`
+msg2checker='pingmail reporting in:\n
+\nNo life signs from '$id_target' for the last '$reminder_time' seconds.
+\nMaybe you should give them a call to check if they are okay.'
+
+# mail client command reading message body from stdin and subject from parameter
+mailclient_s='mail -s'
+
+# mailbox file to check for most recent life sign
+mbox=$HOME'/mail/foo'
+
+# to recursively search for most recent matches to $matchstring as lifesigns
+#maildir=$HOME'/mail'
+
+# pattern to search $maildir for recursively for lifesigns
+#checked_address_escaped=`echo $checked_address | sed 's/\./\\./g'`
+#matchstring='^From: .*('$checked_address_escaped'|alternate@example\.org)'
--- /dev/null
+<div style="margin: 1em;">
+ <p>Privacy: Visitor IP addresses are anonymized in the logs.</p>
+ <p>Contact: See <a href="https://plomlompom.com/contact.html">plomlompom.com contact page</a>.</p>
+</div>
--- /dev/null
+User-agent: *
+Disallow:
--- /dev/null
+This is <a href="https://plomlompom.com">plomlompom</a>'s personal single-user Pleroma instance.
--- /dev/null
+#!/bin/sh
+set -e
+
+# Repeatedly parse config file for GPG key and bot screen configs.
+path=~/.plomlombot
+db_dir="${HOME}/plomlombot_db"
+irclogs_dir=/var/www/html/irclogs
+irclogs_pw_dir=/var/www/irclogs_pw
+hostname_mod_epoch=$(stat -c%Y /etc/hostname)
+while true; do
+ if [ -f "${path}" ]; then
+ cat "${path}" | while read line; do
+ first_word=$(echo -n "${line}" | cut -d' ' -f1)
+
+ # Read "bot:" line, start bot screen session from it if not yet existing,
+ # set up irclogs dir if not yet existing.
+ if [ "${first_word}" = "bot:" ]; then
+ session_name=$(echo -n "${line}" | cut -d' ' -f2)
+ bot_name=$(echo -n "${line}" | cut -d' ' -f3)
+ channel_name=$(echo -n "${line}" | cut -d' ' -f4)
+ shortened_channel_name="${channel_name}"
+ first_char=$(echo -n "${channel_name}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ shortened_channel_name=$(echo -n "${channel_name}" | cut -c2-)
+ fi
+ server_name=$(echo -n "${line}" | cut -d' ' -f5)
+ login_user=$(echo -n "${line}" | cut -d' ' -f6)
+ login_pw=$(echo -n "${line}" | cut -d' ' -f7)
+ add_option=$(echo -n "${line}" | cut -d' ' -f8-)
+ set +e
+ screen -S "${session_name}" -Q select . > /dev/null
+ start_screen=$?
+ set -e
+ if [ "${start_screen}" -eq "1" ]; then
+ cd ~/plomlombot-irc
+ LANG="en_US.UTF-8" screen -d -m -S "${session_name}" ./run.sh -r 604800 -n "${bot_name}" -s "${server_name}" -c "${channel_name}" ${add_option}
+ fi
+ md5_server=$(echo -n "${server_name}" | md5sum | cut -d' ' -f1)
+ md5_channel=$(echo -n "${channel_name}" | md5sum | cut -d' ' -f1)
+ logs_dir="${db_dir}/${md5_server}/${md5_channel}/logs"
+ # FIXME: Note the trouble we will have if we have the same channel
+ # name on different servers …
+ ln -sfn "${logs_dir}" "${irclogs_dir}/${shortened_channel_name}"
+ echo "${login_user}":'{PLAIN}'"${login_pw}" > "${irclogs_pw_dir}/${shortened_channel_name}"
+
+ # If "gpg_key" line, encrypt old raw logs to that GPG key.
+ elif [ "${first_word}" = "gpg_key" ]; then
+ key=$(echo -n "${line}" | cut -d' ' -f2)
+ mkdir -p ~/plomlombot_db
+ cd ~/plomlombot_db
+ # Dirty hack: To avoid trouble with GPG key expiration, fake
+ # system to something reasonbly old (younger than key creation,
+ # older than expiration) by taking the mod datetime of
+ # /etc/hostname, which should have last be changed when the
+ # system was set up.
+ find . -path '*/*/raw_logs/*.txt' -mtime +1 -type f -exec gpg --recipient "${key}" --trust-model always --faked-system-time="${hostname_mod_epoch}" --encrypt {} \; -exec rm {} \;
+ fi
+
+ done
+ sleep 1
+ fi
+done
--- /dev/null
+#!/bin/sh
+GIT_WORK_TREE=/home/plom/plomlombot-irc git checkout -f
--- /dev/null
+{
+ "translations": {
+ "wrongCaptcha": "Captcha leider falsch.",
+ "invalidURL": "Falsch formatierte URL.",
+ "recordedURL": "URL aufgezeichnet (wird gesichtet und bei Angemessenheit dem Artikel angefügt): ",
+ "pleaseWait": "Zu viele Versuche von dieser IP. So viele Sekunden warten: "
+ },
+ "mailConfig": {
+ "to": "plom+url_catcher@plomlompom.com",
+ "from": "plom+url_catcher@plomlompom.com"
+ },
+ "slowdownReset": 3600
+}
--- /dev/null
+#!/bin/sh
+GIT_WORK_TREE=/var/www git checkout -f
--- /dev/null
+#!/bin/sh
+
+# Enforce ~/.weechatrc as sole persistent weechat config file.
+rm -rf ~/.weechat/
+WEECHATCONF=`tr '\n' ';' < ~/.weechatrc`
+weechat -r "$WEECHATCONF"
+rm -rf ~/.weechat/
--- /dev/null
+#!/bin/sh
+# Encrypt dated weechatlog files older than one day to GPG target defined in
+# ~/.encrypt_target
+set -e
+
+gpg_key=$(cat ~/.encrypt_target)
+cd ~/weechatlogs/irc/
+
+# Dirty hack: To avoid trouble with GPG key expiration, fake
+# system to something reasonbly old (younger than key creation,
+# older than expiration) by taking the mod datetime of
+# /etc/hostname, which should have last be changed when the
+# system was set up.
+hostname_mod_epoch=$(stat -c%Y /etc/hostname)
+find . -regextype posix-egrep -regex '^.*/.*/.*\.[0-9]{4}-[0-9]{2}-[0-9]{2}\.weechatlog$' -type f -mtime +1 -exec gpg --recipient "${gpg_key}" --trust-model always --faked-system-time="${hostname_mod_epoch}" --encrypt {} \; -exec rm {} \;
+
--- /dev/null
+/set logger.file.path ~/weechatlogs
+/set logger.file.flush_delay 0
+/set logger.mask.irc "irc/$server/$channel.%Y-%m-%d.weechatlog"
+/set weechat.bar.status.items "[time],[buffer_last_number],[buffer_plugin],buffer_number+:+buffer_name+(buffer_modes)+{buffer_nicklist_count}+buffer_zoom+buffer_filter,[lag],[hotlist],completion,scroll,[otr]"
+/set weechat.color.chat_nick_colors "lightcyan"
+/server add freenode irc.freenode.net -nicks=plimlompom,plimlomp0m,pliml0mp0m -realname="foo bar" -autojoin=#plomlompomtest
+/connect freenode
+/bar hide buflist
--- /dev/null
+#!/bin/sh
+ZETTELDIR=/home/plom/zettel
+GIT_WORK_TREE=$ZETTELDIR git checkout -f
+cd $ZETTELDIR
+redo
--- /dev/null
+#!/bin/sh
+set -e
+set -x
+
+if [ "$#" -lt 3 ]; then
+ echo 'Need at least three arguments: service name, DB name, and backup directory names.'
+ false
+fi
+app="$1"
+db_name="$2"
+shift 2
+
+cd /tmp
+rm -rf "${app}_backup"
+mkdir "${app}_backup"
+chmod 777 "${app}_backup"
+
+service "${app}" stop
+
+su postgres -lc "pg_dump -d ${db_name} --format=custom -f /tmp/${app}_backup/${db_name}.pgdump"
+for target in "$@"; do
+ mkdir -p $(dirname "${app}_backup${target}")
+ cp -a "${target}" "${app}_backup${target}"
+done
+
+tar cf "${app}_backup.tar" "${app}_backup"
+rm -rf "${app}_backup"
+chown plom:plom "${app}_backup.tar"
+mv "${app}_backup.tar" /home/plom
--- /dev/null
+#!/bin/sh
+# Copy files in argument-selected subdirectories of $1 to subdirectories
+# of $2 (which may be an empty string), e.g. with $1 of "etc_files", $2
+# of "" and $3 of "all", copy files below etc_files/all such as
+# etc_files/all/etc/foo/bar to equivalent locations below / such as
+# /etc/foo/bar. Create directories as necessary. Multiple arguments after
+# $3 are possible.
+#
+# CAUTION: This removes original files at the affected paths.
+set -e
+
+if [ "$#" -lt 3 ]; then
+ echo 'Need arguments: source root, target root, modules.'
+ false
+fi
+source_root="$1"
+target_root="$2"
+shift 2
+
+for target_module in "$@"; do
+ mkdir -p "${source_root}/${target_module}"
+ cd "${source_root}/${target_module}"
+ for path in $(find . -type f); do
+ target_path="${target_root}"$(echo "${path}" | cut -c2-)
+ source_path=$(realpath "${path}")
+ dir=$(dirname "${target_path}")
+ mkdir -p "${dir}"
+ cp "${source_path}" "${target_path}"
+ done
+done
--- /dev/null
+#!/bin/sh
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/public_repos/config/buster"
+linkable_files_dir="${config_tree_prefix}/etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "(Old) server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# This will be used to log-in as root from plom account.
+echo 'Asking for new root password.'
+ssh root@"${server}" "passwd"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+ 'useradd -m plom && '\
+ 'mkdir /home/plom/.ssh && '\
+ 'chown plom:plom /home/plom/.ssh && '\
+ 'chown plom:plom /tmp/authorized_keys && '\
+ 'chmod u=rw,go= /tmp/authorized_keys && '\
+ 'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
--- /dev/null
+#!/bin/sh
+set -e
+
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/public_repos/config/buster"
+linkable_files_dir="${config_tree_prefix}/etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# So we're only asked once …
+eval $(ssh-agent)
+ssh-add
+
+# This will be used to log-in as root from plom account.
+echo 'Asking for new root password.'
+ssh root@"${server}" "passwd"
+
+# Set up plom's ~/.ssh/authorized_keys from root's.
+ssh root@"${server}" 'useradd -m plom'
+ssh root@"${server}" 'mkdir /home/plom/.ssh'
+ssh root@"${server}" 'chown plom:plom /home/plom/.ssh'
+ssh root@"${server}" 'cp /root/.ssh/authorized_keys /home/plom/.ssh/'
+ssh root@"${server}" 'chown plom:plom /home/plom/.ssh/authorized_keys'
+
+# Set up SSH config and remove direct SSH login to root.
+scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+ssh root@"${server}" 'rm -rf /root/.ssh && service ssh restart'
--- /dev/null
+#!/bin/sh
+# Walks through the package names in the argument-selected files of
+# apt-mark/ and ensures the respective packages are installed.
+#
+# Ignores anything in an apt-mark/ file after the last newline.
+set -e
+
+config_tree_prefix="${HOME}/config/buster"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ # TODO: continue if file at $path not found, to get rid of dummy files
+ cat "${path}" | while read line; do
+ echo "$line"
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=--force-confold install "${line}"
+ fi
+ done
+done
--- /dev/null
+#!/bin/sh
+set -e
+set -x
+
+if [ "$#" -lt 2 ]; then
+ echo 'Need two arguments: old server IP, and service name.'
+ false
+fi
+if [ ! "$2" = "pleroma_otp" ] && [ ! "$2" = "pleroma_source" ] && [ ! "$2" = "peertube" ]; then
+ echo "Need legal service name (pleroma_otp or pleroma_source or peertube)."
+ false
+fi
+server_ip="$1"
+app="$2"
+service="$2"
+if [ "${app}" = "pleroma_otp" ]; then
+ db_name="pleroma"
+ dirs="/var/lib/pleroma/uploads /etc/pleroma"
+ service=pleroma
+elif [ "${app}" = "pleroma_source" ]; then
+ db_name="pleroma"
+ dirs="/var/lib/pleroma/uploads /opt/pleroma/config"
+ service=pleroma
+elif [ "${app}" = "peertube" ]; then
+ db_name="peertube_prod"
+ dirs="/var/www/peertube/storage /var/www/peertube/config"
+fi
+
+config_tree_prefix="${HOME}/config/buster"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+
+cd "${setup_scripts_dir}"
+./prepare_to_meet_server.sh "${server_ip}"
+read -p'Hit Enter when you are done.' ignore
+eval $(ssh-agent) && ssh-add
+echo 'Enter password for root on target server next.'
+ssh plom@"${server_ip}" "su -lc \"cd config/buster/setup_scripts && git pull && ./backup_app.sh ${service} ${db_name} ${dirs}\""
+scp plom@"${server_ip}":~/${service}_backup.tar /home/plom/${service}_backup.tar
+./restore_app.sh "${app}" "${db_name}"
--- /dev/null
+#!/bin/sh
+set -e
+
+if [ "$#" -ne 1 ]; then
+ echo 'Need old server IP.'
+ false
+fi
+old_server="$1"
+config_tree_prefix="${HOME}/config/buster"
+cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
+chown plom:plom /home/plom/prepare_to_meet_server.sh
+su -lc "./prepare_to_meet_server.sh ${old_server}" plom
+read -p'Hit Enter when you are done.' ignore
+rm /home/plom/prepare_to_meet_server.sh
+cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+su -lc "./mirror_dir.sh ${old_server} /home/plom/borg" plom
+rm /home/plom/mirror_dir.sh
--- /dev/null
+#!/bin/sh
+# Mirror directory tree from remote to local server, keeping the path.
+set -e
+
+if [ $# -lt 2 ]; then
+ echo "Need server and directory as arguments."
+ false
+fi
+server=$1
+dir=$2
+path_package=/tmp/delete.tar
+
+eval `ssh-agent`
+ssh-add
+cd
+ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
+scp plom@"${server}":"${path_package}" "${path_package}"
+mkdir -p "${dir}"
+cd "${dir}"
+tar xf "${path_package}"
+cd
+rm "${path_package}"
+ssh plom@"${server}" rm "${path_package}"
--- /dev/null
+#!/bin/sh
+# Do some of the steps necessary to SSH (key-based) with another server.
+set -e
+
+if [ "$#" -ne 1 ]; then
+ echo 'Need server IP as argument.'
+ false
+fi
+target="$1"
+
+# We need a public key to copy over, so generate it if not found.
+if [ ! -f ~/.ssh/id_rsa.pub ]; then
+ ssh-keygen -N ""
+fi
+
+# Add target to ~/.ssh/known_hosts so we don't get
+# asked for permission at inopportune moments.
+ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
+
+# Tell user what to do.
+echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
+cat ~/.ssh/id_rsa.pub
--- /dev/null
+#!/bin/sh
+# This script removes all Debian packages that are not of Priority
+# "required" or not depended on by packages of priority "required"
+# or not listed in the argument-selected files of apt-mark/.
+set -e
+
+config_tree_prefix="${HOME}/config/buster"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ cat "${path}" | while read line; do
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ echo "${line}" >> /tmp/list_white_unsorted
+ fi
+ done
+done
+sort /tmp/list_white_unsorted > /tmp/list_white
+dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
+sort /tmp/list_all_packages > /tmp/foo
+mv /tmp/foo /tmp/list_all_packages
+comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
+apt-mark auto `cat /tmp/list_black`
+DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
+
+# Somehow, auto-mounts get undone by all of this, so re-mount /etc/fstab.
+# TODO: Find out why.
+mount -a
--- /dev/null
+#!/bin/sh
+set -e
+set -x
+
+if [ "$#" -lt 2 ]; then
+ echo 'Need two arguments: service name and DB name.'
+ false
+fi
+if [ ! "$1" = "pleroma_otp" ] && [ ! "$1" = "pleroma_source" ] && [ ! "$1" = "peertube" ]; then
+ echo "Need legal service name (pleroma_otp or pleroma_source or peertube)."
+ false
+fi
+app="$1"
+db_name="$2"
+service="$1"
+if [ "${app}" = "pleroma_source" ] || [ "${app}" = "pleroma_otp" ]; then
+ service=pleroma
+fi
+
+service "${service}" stop
+
+mv "/home/plom/${service}_backup.tar" /tmp/
+cd /tmp
+tar xf "${service}_backup.tar"
+
+su postgres -c "pg_restore -c -1 -d ${db_name} ${service}_backup/${db_name}.pgdump"
+rm "${service}_backup/${db_name}.pgdump"
+
+cd "${service}_backup"
+for path in $(find . -type f); do
+ if [ "${app}" = "pleroma_source" ]; then
+ if [ "${path}" = './opt/pleroma/config/prod.secret.exs' ]; then
+ continue # skip file that contains passwords
+ fi
+ fi
+ target_path=$(echo "${path}" | cut -c2-)
+ source_path=$(realpath "${path}")
+ dir=$(dirname "${target_path}")
+ mkdir -p "${dir}"
+ cp -a "${source_path}" "${target_path}"
+done
+
+# TODO: Horrible hack, improve.
+if [ "${app}" = "pleroma_otp" ]; then
+ db_pw=$(cat /etc/pleroma/config.exs | grep password | sed 's/[ ]*password\: *//g' | sed 's/,//g' | sed 's/"//g')
+elif [ "${app}" = "peertube" ]; then
+ db_pw=$(cat /var/www/peertube/config/production.yaml | grep password | head -1 | sed "s/[ ]*password\: *//g" | sed "s/'//g")
+fi
+if [ "${app}" = "pleroma_otp" ] || [ "${app}" = "peertube" ]; then
+ su postgres -lc "psql -c \"ALTER USER ${service} WITH PASSWORD '${db_pw}';\""
+fi
+
+service "${service}" start
--- /dev/null
+#!/bin/sh
+# Sets hostname and optionally FQDN.
+#
+# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
+# writing follows recommendations from Debian manual at
+# <https://www.debian.org/doc/manuals/debian-reference/ch05.en.html>
+# (section "The hostname resolution") on how to map hostname and possibly
+# FQDN to a permanent IP if present (we assume here any non-private IP
+# and non-loopback IP returned by hostname -I to fulfill that criterion
+# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
+# localhost and hostname mapping to different IPs, see
+# <https://unix.stackexchange.com/a/13087>.
+#
+# Ignores IPv6s.
+set -e
+
+hostname="$1"
+fqdn="$2"
+if [ "${hostname}" = "" ]; then
+ echo "Need hostname as argument."
+ false
+fi
+echo "${hostname}" > /etc/hostname
+hostname "${hostname}"
+
+final_ip="127.0.1.1"
+for ip in $(hostname -I); do
+ if [ $(echo "${ip}" | grep ':' | wc -l) -eq 1 ]; then
+ continue
+ fi
+ range_1=$(echo "${ip}" | cut -d "." -f 1)
+ range_2=$(echo "${ip}" | cut -d "." -f 2)
+ if [ "${range_1}" -eq 127 ]; then
+ continue
+ elif [ "${range_1}" -eq 10 ]; then
+ continue
+ elif [ "${range_1}" -eq 172 ]; then
+ if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
+ continue
+ fi
+ elif [ "${range_1}" -eq 192 ]; then
+ if [ "${range_2}" -eq 168 ]; then
+ continue
+ fi
+ fi
+ final_ip="${ip}"
+done
+
+echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
+echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
--- /dev/null
+#!/bin/sh
+set -e
+
+# Provide maximum input for set_hostname_and_fqdn.sh.
+if [ "$#" -lt 2 ]; then
+ echo 'Need at least two arguments (hostname, FQDN).'
+ false
+fi
+hostname="$1"
+fqdn="$2"
+shift 2
+
+config_tree_prefix="${HOME}/config/buster"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# Adapt /etc/ to our needs by copying from ./etc_files. This will set
+# basic configurations affecting following steps, such as setup of APT
+# and the locale selection, so needs to be right at the beginning.
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" all "$@"
+
+# Set hostname and FQDN.
+./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
+
+# Ensure package installation state as defined by what packages are
+# defined as required by Debian policy and by settings in ./apt-mark/.
+apt update
+./install_for_target.sh all "$@"
+./purge_nonrequireds.sh all "$@"
+
+# Ensure our desired locale is available.
+locale-gen
+
+# Only upgrade after reducing the system to the desired minimum, so that
+# we don't need to get more data than necessary.
+apt -y dist-upgrade
+
+# Set Berlin localtime.
+ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
--- /dev/null
+#!/bin/sh
+set -e
+
+if [ "$#" -ne 1 ]; then
+ echo 'Need exactly one argument (system name).'
+ false
+fi
+if [ ! "$1" = "eeepc" ] && [ ! "$1" = "x200s" ] && [ ! "$1" = "x220" ] && [ ! "$1" = "w530" ]; then
+ echo "Need legal system name."
+ false
+fi
+system_name="$1"
+
+# Set up system without user environment.
+config_tree_prefix="${HOME}/config/buster"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+if [ "$1" = "x200s" ] || [ "$1" = "x220" ] || [ "$1" = "w530" ]; then
+ ./setup.sh "${system_name}" "" user desktop thinkpad "${system_name}"
+else
+ ./setup.sh "${system_name}" "" user desktop "${system_name}"
+fi
+# For hibernation on lid switch to work, we need a newer kernel on the EeePC,
+# see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919227>.
+if [ "${system_name}" = "eeepc" ]; then
+ apt -y install -t buster-backports linux-image-amd64
+fi
+
+# Set up printer.
+lpadmin -p 'HP_Deskjet_F300_series' -m 'drv:///hpcups.drv/hp-deskjet_f300_series.ppd' -o 'OutputMode=NormalGray' -E
+service cups restart
+
+# Install Firefox directly from Mozilla.
+firefox_release="68.4.1esr"
+firefox_filename="firefox-${firefox_release}.tar.bz2"
+url_firefox="https://ftp.mozilla.org/pub/firefox/releases/${firefox_release}/linux-x86_64/en-US/${firefox_filename}"
+wget "${url_firefox}"
+mv "${firefox_filename}" /opt/
+cd /opt/
+tar xf "${firefox_filename}"
+rm "${firefox_filename}"
+ln -s /opt/firefox/firefox /usr/local/bin/
+update-alternatives --install /usr/bin/x-www-browser x-www-browser /opt/firefox/firefox 200
+update-alternatives --set x-www-browser /opt/firefox/firefox
+
+# Install Firefox plugins.
+# See <https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Distribution_options/Sideloading_add-ons>
+extensions_dir="/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/"
+mkdir -p "${extensions_dir}"
+umatrix_version="1.4.0"
+umatrix_xpi="uMatrix.firefox.xpi"
+url_umatrix="https://github.com/gorhill/uMatrix/releases/download/${umatrix_version}/${umatrix_xpi}"
+wget "${url_umatrix}"
+name=$(unzip -p "${umatrix_xpi}" manifest.json | jq -r .applications.gecko.id)
+mv "${umatrix_xpi}" "${name}".xpi
+tridactyl_version="1.17.1pre3355"
+tridactyl_xpi="tridactyl_beta-${tridactyl_version}-an+fx.xpi"
+url_tridactyl="https://tridactyl.cmcaine.co.uk/betas/${tridactyl_xpi}"
+wget "${url_tridactyl}"
+name=$(unzip -p "${tridactyl_xpi}" manifest.json | jq -r .applications.gecko.id)
+mv "${tridactyl_xpi}" "${name}.xpi"
+mv *.xpi "${extensions_dir}"
+
+# Set up user environments.
+secrets_dev="sdb"
+source_dir_secrets="/media/${secrets_dev}/to_usb"
+target_dir_secrets="/home/plom/tmp_secrets"
+cd "${setup_scripts_dir}"
+./copy_dirtree.sh "${config_tree_prefix}/home_files" "/root" minimal root
+set +e
+HOME_DIR_EXISTS=$([ ! -d "/home/plom" ]; echo $?)
+set -e
+adduser --disabled-password --gecos "" plom
+usermod -a -G sudo plom
+passwd plom
+if [ "${HOME_DIR_EXISTS}" -eq 0 ]; then
+ echo "Put secrets drive into slot for /dev/${secrets_dev}."
+ while [ ! -e /dev/"${secrets_dev}" ]; do
+ sleep 1
+ done
+ stty -echo
+ printf "Secrets passphrase: "
+ read secrets_pass
+ stty echo
+ echo "" # newline so user knows their input return was accepted
+ echo "${secrets_pass}" | pmount /dev/"${secrets_dev}"
+ cp -a "${source_dir_secrets}" "${target_dir_secrets}"
+ chown -R plom:plom "${target_dir_secrets}"
+ pumount "${secrets_dev}"
+ echo "You can remove /dev/${secrets_dev} now."
+ cp setup_home.sh /home/plom
+ chown plom:plom /home/plom/setup_home.sh
+ SECRETS_PASS="${secrets_pass}" su -c "cd && ./setup_home.sh ${system_name}" plom
+fi
--- /dev/null
+#!/bin/sh
+set -e
+
+if [ "$#" -ne 4 ]; then
+ echo 'Need domain name and mail and old server and repos source ("local" or "remote"?).'
+ false
+fi
+if [ ! "$4" = "local" ] && [ ! "$4" = "remote" ]; then
+ echo "Need legal repo source name."
+ false
+fi
+domain="$1"
+mail="$2"
+old_server="$3"
+repos_source="$4"
+
+read -p"Only continue if hostname is not domain of url_catcher's target mail address, else abort!" ignore
+
+# Install configs, set up firewall.
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+config_tree_prefix="${HOME}/config/buster"
+./install_for_target.sh web dumpsite
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web dumpsite
+nft -f /etc/nftables.conf
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+rm /etc/nginx/sites-enabled/default
+
+# Set up connection to old dump server.
+cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
+chown plom:plom /home/plom/prepare_to_meet_server.sh
+su -lc "./prepare_to_meet_server.sh ${old_server}" plom
+read -p'Hit Enter when you are done.' ignore
+rm /home/plom/prepare_to_meet_server.sh
+
+# Set up dump dirs.
+mkdir /var/www-dump
+chown plom:plom /var/www-dump
+dump_dir=dump
+geheim_dir=geheim
+su -lc "ln -s /home/plom/${dump_dir} /var/www-dump/${dump_dir}" plom
+su -lc "ln -s /home/plom/${geheim_dir} /var/www-dump/${geheim_dir}" plom
+cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+su -lc "./mirror_dir.sh ${old_server} /home/plom/${dump_dir}" plom
+su -lc "./mirror_dir.sh ${old_server} /home/plom/${geheim_dir}" plom
+su -lc "scp plom@${old_server}:/var/www-dump/password_geheim ~" plom
+mv /home/plom/password_geheim /var/www-dump/password_geheim
+rm /home/plom/mirror_dir.sh
+
+# Set up redo.
+wget http://news.dieweltistgarnichtso.net/bin/archives/redo-sh.tar.gz
+tar -moxzf redo-sh.tar.gz -C /usr/local
+
+# Set up zettel.
+su -lc "git clone --mirror ${old_server}:zettel.git" plom
+cp "${config_tree_prefix}/other_files/zettel_hook_post-receive" /home/plom/zettel.git/hooks/post-receive
+su -lc "git clone ~/zettel.git && cd zettel && redo" plom
+su -lc "ln -s /home/plom/zettel /var/www-dump/zettel" plom
+# NOTE: Locally, to update content, clone zettel.git, not zettel.
+
+# Set up redo blog.
+su -lc "git clone --mirror ${old_server}:blog.git" plom
+cp "${config_tree_prefix}/other_files/blog_hook_post-receive" /home/plom/blog.git/hooks/post-receive
+su -lc "git clone ~/blog.git" plom
+# TODO: set up like plomlombot repo (with post-recieve hook)?
+if [ "$repo_source" = "local"]; then
+ su -lc "git clone /var/repos/redo-blog" plom
+else
+ su -lc "git clone https://plomlompom.com/repos/clone/redo-blog" plom
+fi
+su -lc "cd redo-blog && ./add_dir.sh ~/blog" plom
+su -lc "cd blog && redo" plom
+su -lc "ln -s /home/plom/blog/public /var/www-dump/blog" plom
+# NOTE: Locally, to update content, clone blog.git, not blog.
+
+# Set up url catcher.
+# TODO: set up like plomlombot repo (with post-recieve hook)?
+if [ "$repo_source" = "local"]; then
+ su -lc "git clone /var/repos/url-catcher" plom
+else
+ su -lc "git clone https://plomlompom.com/repos/clone/url-catcher" plom
+fi
+su -lc "cd url-catcher && ln -s ../blog/captchas/linkable/ captchas" plom
+cp "${config_tree_prefix}/other_files/url-catcher_customizations.json" /home/plom/url-catcher/customizations.json
+systemctl enable url_catcher.service
+service url_catcher start
+cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+su -lc "./mirror_dir.sh ${old_server} /home/plom/url-catcher/ips" plom
+su -lc "./mirror_dir.sh ${old_server} /home/plom/url-catcher/lists" plom
+rm /home/plom/mirror_dir.sh
+
+# Set up index.html
+cp "${config_tree_prefix}/other_files/dumpsite_index.html" /var/www-dump/index.html
+
+# Prepare NGINX.
+sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/nginx/sites-available/dumpsite.nginx
+ln -s /etc/nginx/sites-available/dumpsite.nginx /etc/nginx/sites-enabled/dumpsite.nginx
+
+service nginx restart
--- /dev/null
+#!/bin/sh
+set -e
+
+if [ "$#" -ne 1 ]; then
+ echo 'Need exactly one argument (system name).'
+ false
+fi
+if [ ! "$1" = "eeepc" ] && [ ! "$1" = "x200s" ]&& [ ! "$1" = "x220" ]; then
+ echo "Need legal system name."
+ false
+fi
+system_name="$1"
+
+public_repos_dir="${HOME}/public_repos"
+config_tree_prefix="${public_repos_dir}/config"
+path_borgscript="${config_tree_prefix}/all_new_2018/borg.sh"
+config_tree_buster="${config_tree_prefix}/buster"
+setup_scripts_dir="${config_tree_buster}/setup_scripts"
+repos_list_file="${public_repos_dir}/repos"
+dir_secrets="${HOME}/tmp_secrets"
+borgkeys_dir=~/.config/borg/keys
+borgrepos_file=~/.borgrepos
+ssh_dir=~/.ssh
+authinfo_file=.authinfo
+maildir=~/mail/maildir
+
+ensure_repo() {
+ repo_name="${1}"
+ if [ ! -d "${public_repos_dir}/${repo_name}" ]; then
+ cd "${public_repos_dir}"
+ git clone plom@plomlompom.com:/var/repos/${repo_name}
+ fi
+}
+
+# Set up iniitial non-public parts of infrastructure: SSH authentication.
+cd "${dir_secrets}"
+mkdir -p "${ssh_dir}"
+echo "Setting up .ssh"
+cp id_rsa ~/.ssh
+stty -echo
+ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
+stty echo
+eval $(ssh-agent)
+ssh-add
+ssh-keyscan -H "plomlompom.com" >> ~/.ssh/known_hosts
+
+# Clone config to copy dotfiles etc. from it.
+cd
+mkdir -p "${public_repos_dir}"
+ensure_repo config
+cd "${setup_scripts_dir}"
+./copy_dirtree.sh "${config_tree_buster}/home_files" "${HOME}" minimal user "${system_name}"
+
+# Set up native messenger for tridactyl.
+version='ef9f02d0da258f68d7faf8898707f6d83d90d07a'
+curl -fsSl "https://raw.githubusercontent.com/tridactyl/tridactyl/${version}/native/install.sh" | bash
+
+# Set up further non-public parts of infrastructure.
+cd "${dir_secrets}"
+script -c 'gpg --import secret_keys.asc' /dev/null
+tar xf borg_keyfiles.tar
+mkdir -p "${borgkeys_dir}"
+mv borg_keyfiles/* "${borgkeys_dir}"
+# .authinfo may not be present on every secrets drive yet
+if [ -f "${authinfo_file}" ]; then
+ cp "${authinfo_file}" ~
+fi
+cd
+rm -rf "${dir_secrets}"
+
+# Sync org dir via borgbackup. For this we need the borgbackup servers
+# in our .ssh/known_hosts file.
+cat "${borgrepos_file}" | while read line; do
+ first_char=$(echo "${line}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ continue
+ fi
+ server=$(echo "${line}" | sed 's/.*@//')
+ ssh-keyscan "${server}" >> "${ssh_dir}"/known_hosts
+done
+BORG_PASSPHRASE="${SECRETS_PASS}" "${path_borgscript}" orgpull
+
+# Fill ~/public_repos.
+cat "${repos_list_file}" | while read line; do
+ first_char=$(echo "${line}" | cut -c1)
+ if [ "${first_char}" = "#" ]; then
+ continue
+ fi
+ ensure_repo "${line}"
+done
+
+# Set up e-mail system. Note that we only do mbsync if the imap pass file
+# is found. It may not be present on every secrets drive yet, so we have to
+# deal with the possibility of it being absent at this point.
+mkdir -p "${maildir}" # expected by mbsync/isync
+if [ -f "${HOME}/${authinfo_file}" ]; then
+ mbsync -a
+ notmuch new
+fi
+
+# Final note on how to integrate tridactyl.
+echo "TODO: As tridactyl user, don't forget to do :source on the first Firefox run, wait a little while (Tridactyl needs to walk through all commands in the .tridactylrc) and then re-start."
--- /dev/null
+#!/bin/sh
+set -e
+
+# Check we have the necessary arguments.
+if [ "$#" -lt 1 ]; then
+ echo 'Need mail for letsencrypt, mail domain, and optionally old server IP.'
+ false
+fi
+mail="$1"
+mail_domain="$2"
+old_server="$3"
+
+read -p'You sure you entered the correct mail domain? (not the server domain, but what comes after the @ in your mail addresses) If not, abort here!' ignore
+
+config_tree_prefix="${HOME}/config/buster"
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
+./install_for_target.sh mail
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail
+nft -f /etc/nftables.conf
+
+# Rebuild aliases DB from /etc/aliases
+newaliases
+
+# Update config files without overwriting defaults.
+cat "${config_tree_prefix}/other_files/append_postfix_main.cf" >> /etc/postfix/main.cf
+cat "${config_tree_prefix}/other_files/append_postfix_master.cf" >> /etc/postfix/master.cf
+cat "${config_tree_prefix}/other_files/append_opendkim.conf" >> /etc/opendkim.conf
+
+# Set up letsencrypt certificate. We need this for STARTTLS on port
+# 25/SMTP (some mail servers refuse delivering mails here if no
+# STARTTLS available) and transport-layer TLS on port 465 (for
+# user-to-server SMTPS)
+# TODO: Is it auto-renewed?
+certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)"
+
+# For if FQDN != mail domain name.
+sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
+sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/postfix/main.cf
+
+# OpenDKIM setup.
+selector=$(hostname)$(date +%Y%m%d)
+opendkim-genkey -d "${mail_domain}" -D /etc/dkimkeys -s "${selector}"
+sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_selector_ECALPER/${selector}/g" /etc/opendkim.conf
+
+# Dovecot sieve filtering via LMTP. Without this, mail only gets
+# delivered to /var/mail/…, with it /var/mail/… remains the fallback
+# inbox, but all else is sieve-filtered to ~/mail/.
+cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve
+chown plom:plom /home/plom/.dovecot.sieve
+
+# In addition to our postfix server receiving mails, we funnel mails from a
+# POP3 account into dovecot via fetchmail. It might make sense to adapt the
+# ~/.dovecot.sieve to move mails targeted to the fetched mail account to their
+# own mbox.
+cp "${config_tree_prefix}/other_files/fetchmailrc" /home/plom/.fetchmailrc
+chown plom:plom /home/plom/.fetchmailrc
+chmod 0700 /home/plom/.fetchmailrc
+
+# Pingmail setup.
+cp "${config_tree_prefix}/other_files/pingmailrc" /home/plom/.pingmailrc
+chown plom:plom /home/plom/.pingmailrc
+su -lc "cd && git clone https://plomlompom.com/repos/clone/pingmail" plom
+
+# To allow IMAPS access.
+echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
+echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
+password=$(pwgen -s 100 1)
+echo "plom:${password}" | chpasswd
+
+# Get old mail data, shutdown old postfix server.
+if [ "${old_server}" != "" ]; then
+ cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
+ su -lc "./prepare_to_meet_server.sh ${old_server}" plom
+ read -p'Hit Enter when you are done.' ignore
+ rm /home/plom/prepare_to_meet_server.sh
+ su -lc "scp plom@${old_server}:.dovecot.sieve ~" plom
+ su -lc "scp plom@${old_server}:.fetchmailrc ~" plom
+ su -lc "scp plom@${old_server}:.pingmailrc ~" plom
+ su -lc "ssh -t plom@${old_server} \"su -lc 'service postfix stop'\"" plom
+ su -lc "ssh plom@${old_server} \"su -lc 'systemctl disable fetchmail_old_account.timer'\"" plom
+ su -lc "ssh plom@${old_server} \"su -lc 'service fetchmail_old_account stop'\"" plom
+ #su -lc "ssh -t plom@${old_server} \"su -lc 'service fetchmail stop'\"" plom
+ cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+ su -lc "./mirror_dir.sh ${old_server} /home/plom/mail" plom
+ rm /home/plom/mirror_dir.sh
+ touch /var/mail/plom
+ chown plom:mail /var/mail/plom
+ chmod 0600 /var/mail/plom
+ su -lc "scp plom@${old_server}:/var/mail/plom /var/mail/plom" plom
+fi
+
+# Start everything anew to ensure new configurations.
+service opendkim restart
+service postfix restart
+service dovecot restart
+
+# Pingmail and fetchmail have some systemd timers waiting. To let systemd
+# know about them, do this.
+systemctl daemon-reload
+systemctl enable --now fetchmail_old_account.timer
+systemctl enable --now pingmail.timer
+
+# Final advice to user.
+echo "To put into DNS:"
+cat "/etc/dkimkeys/${selector}.txt"
+echo "If subdomain, append .subdomain to _domainkeys!"
+echo "Also ensure DMARC record of 'v=DMARC1; p=none; rua=mailto:plom+dmarc@plomlompom.com;' as TXT entry at _dmarc or, if subdomain, _dmarc.subdomain"
+echo "Also ensure SPF record of 'v=spf1 mx -all' as TXT entry at @ or subdomain"
+echo "Also ensure reverse DNS lookup for our IP points to $(hostname -f)"
+echo "Also ensure MX record of priority 10 for @ or subdomain pointing to $(hostname -f)"
+echo "IMAPS password for user plom is: ${password}"
+echo "Also don't forget borgbackup migration …"
+
+# todo just for proper mail /sending/:
+# * how to check IP safety
+# https://talosintelligence.com/reputation_center/lookup?search=$IP
+# http://www.anti-abuse.org/multi-rbl-check-results/?host=
+# https://www.dnsbl.info/dnsbl-database-check.php
+# note that none of these catch the IPs that gmx etc. reject
--- /dev/null
+#!/bin/sh
+set -e
+
+# Heavily inspired by
+# <https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md>
+# and
+# <https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md>
+
+if [ "$#" -ne 2 ]; then
+ echo 'Need domain name, mail_address as arguments.'
+ false
+fi
+domain="$1"
+mail="$2"
+
+# Install dependencies, set up firewall.
+config_tree_prefix="${HOME}/config/buster"
+./install_for_target.sh web peertube
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web
+nft -f /etc/nftables.conf
+
+# Get NodeJS. See
+# <https://github.com/nodesource/distributions/blob/master/README.md>
+curl -sL https://deb.nodesource.com/setup_10.x | bash -
+apt-get install -y nodejs
+
+# Get Yarn. See
+# <https://classic.yarnpkg.com/en/docs/install#debian-stable>
+curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
+echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
+apt update && apt install yarn
+
+systemctl start redis postgresql
+
+# Prepare user and DB.
+useradd -m -d /var/www/peertube -s /bin/bash -p peertube peertube
+db_pw=$(pwgen -s 100 1)
+su postgres -lc "psql -c \"CREATE USER peertube WITH PASSWORD '${db_pw}';\""
+su -l postgres -c 'createdb -O peertube -E UTF8 -T template0 peertube_prod'
+su -l postgres -c 'psql -c "CREATE EXTENSION pg_trgm;" peertube_prod'
+su -l postgres -c 'psql -c "CREATE EXTENSION unaccent;" peertube_prod'
+
+# Install and configure PeerTube from latest version.
+VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && echo "Latest Peertube version is $VERSION"
+cd /var/www/peertube && su -l peertube -c "mkdir config storage versions && cd versions"
+su -l peertube -c "wget -q 'https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip'"
+su -l peertube -c "unzip peertube-${VERSION}.zip && rm peertube-${VERSION}.zip"
+su -l peertube -c "ln -s peertube-${VERSION} ./peertube-latest"
+su -l peertube -c "cd peertube-latest && yarn install --production --pure-lockfile"
+
+# Configure PeerTube.
+cp "${config_tree_prefix}/other_files/peertube_production.yaml" /var/www/peertube/config/production.yaml
+chown peertube:peertube /var/www/peertube/config/production.yaml
+sed -i "s/admin\@example\.com/${mail}/g" config/production.yaml
+sed -i "s/example\.com/${domain}/g" config/production.yaml
+sed -i "s/password: 'peertube'/password: '${db_pw}'/g" config/production.yaml
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+rm /etc/nginx/sites-enabled/default
+
+# Configure NGINX.
+cp /var/www/peertube/peertube-latest/support/nginx/peertube /etc/nginx/sites-available/peertube
+sed -i "s/peertube.example.com/${domain}/g" /etc/nginx/sites-available/peertube
+sed -i -E 's/^([[:space:]]*)(access_log|error_log)([[:space:]])/\1# \2\3/g' /etc/nginx/sites-available/peertube
+ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
+
+# Configure systemd and start PeerTube through it.
+cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable peertube
+systemctl start peertube
+
+# Restart NGINX.
+service nginx restart
--- /dev/null
+#!/bin/sh
+set -e
+set -x
+
+if [ "$#" -lt 1 ]; then
+ echo "Need public key ID and optionally old server IP."
+ false
+fi
+gpg_key="$1"
+old_server="$2"
+
+config_tree_prefix="${HOME}/config/buster"
+./install_for_target.sh play
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" play
+cp "${config_tree_prefix}/other_files/weechatrc" /home/plom/.weechatrc
+cp "${config_tree_prefix}/other_files/weechat-wrapper.sh" /home/plom/
+cp "${config_tree_prefix}/other_files/weechatlogs_encrypter.sh" /home/plom/
+chown plom:plom /home/plom/*weechat*
+chown plom:plom /home/plom/.weechatrc
+echo "${gpg_key}" > /home/plom/.encrypt_target
+chown plom:plom /home/plom/.encrypt_target
+
+# TODO refactor with setup_website.sh
+# Add encryption key.
+keyservers='sks-keyservers.net/ keys.gnupg.net'
+set +e
+while true; do
+ do_break=0
+ for keyserver in $(echo "${keyservers}"); do
+ su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+ if [ $? -eq "0" ]; then
+ do_break=1
+ break
+ fi
+ echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+ done
+ if [ "${do_break}" -eq "1" ]; then
+ break
+ fi
+done
+set -e
+
+if [ "${old_server}" != "" ]; then
+ cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
+ su -lc "./prepare_to_meet_server.sh ${old_server}" plom
+ read -p'Hit Enter when you are done.' ignore
+ rm /home/plom/prepare_to_meet_server.sh
+ su -lc "scp plom@${old_server}:.ssh/authorized_keys .ssh/authorized_keys" plom
+ su -lc "scp plom@${old_server}:.weechatrc ~" plom
+ cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+ su -lc "./mirror_dir.sh ${old_server} /home/plom/weechatlogs" plom
+ rm /home/plom/mirror_dir.sh
+fi
+
+systemctl enable --now encrypt_chatlogs.timer
--- /dev/null
+#!/bin/sh
+set -e
+# Heavily inspired by <https://docs.pleroma.social/otp_en.html>
+
+if [ "$#" -ne 2 ]; then
+ echo 'Need domain name, mail_address as arguments.'
+ false
+fi
+domain="$1"
+mail="$2"
+
+# Install dependencies, set up firewall.
+config_tree_prefix="${HOME}/config/buster"
+./install_for_target.sh web pleroma pleroma_otp
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web pleroma
+nft -f /etc/nftables.conf
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+rm /etc/nginx/sites-enabled/default
+
+# Prepare user.
+adduser --system --shell /bin/false --home /opt/pleroma pleroma
+
+# Download and unzip latest stable release, set up Pleroma dirs.
+export FLAVOUR='amd64'
+su pleroma -s $SHELL -lc "
+curl 'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=$FLAVOUR' -o /tmp/pleroma.zip
+unzip /tmp/pleroma.zip -d /tmp/
+"
+su pleroma -s $SHELL -lc "
+mv /tmp/release/* /opt/pleroma
+rmdir /tmp/release
+rm /tmp/pleroma.zip
+"
+mkdir -p /var/lib/pleroma/uploads
+chown -R pleroma /var/lib/pleroma
+mkdir -p /etc/pleroma
+chown -R pleroma /etc/pleroma
+
+# Configure and set up DB.
+su pleroma -s $SHELL -lc "./bin/pleroma_ctl instance gen \
+--output /etc/pleroma/config.exs \
+--output-psql /tmp/setup_db.psql \
+--domain ${domain} \
+--instance-name plom-roma \
+--admin-email ${mail} \
+--notify-email ${mail} \
+--dbhost localhost \
+--dbname pleroma \
+--dbuser pleroma \
+--db-configurable N \
+--rum N \
+--indexable Y \
+--uploads-dir /var/lib/pleroma/uploads \
+--static-dir /var/lib/pleroma/static \
+--listen-ip 127.0.0.1 \
+--listen-port 4000 \
+--dbpass $(pwgen -s 100 1)"
+su postgres -s $SHELL -lc "psql -f /tmp/setup_db.psql"
+su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate"
+
+# Since the OTP release does not support .secret.exs configuration
+# files, we hack our own alternative by simply appending custom
+# configurations to /etc/config.exs.
+cat "${config_tree_prefix}/other_files/append_pleroma_config" >> /etc/pleroma/config.exs
+
+# Single-pixel picture hack for removing Pleroma FE images.
+cp "${config_tree_prefix}/other_files/pixel.png" /var/lib/pleroma/static/
+chown pleroma:nogroup /var/lib/pleroma/static/pixel.png
+
+# Info panel and TOS.
+#mkdir -p /var/lib/pleroma/static/instance
+#mkdir -p /var/lib/pleroma/static/static
+#cp "${config_tree_prefix}/other_files/pleroma_panel.html" /var/lib/pleroma/static/instance/panel.html
+#cp "${config_tree_prefix}/other_files/pleroma_terms-of-service.html" /var/lib/pleroma/static/static/terms-of-service.html
+#cp "${config_tree_prefix}/other_files/pleroma_robots.txt" /var/lib/pleroma/static/robots.txt
+
+# Hack to fix <https://git.pleroma.social/pleroma/pleroma/issues/1616>
+curl https://git.pleroma.social/pleroma/pleroma/-/raw/4271cfb81a8983f5ec6a878cab1fb3fbd164245d/priv/static/static/static-fe.css?inline=false >> /var/lib/pleroma/static/static/static-fe.css
+
+# Prepare NGINX config for Pleroma.
+cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.nginx
+sed -i "s/example\.tld/${domain}/g" /etc/nginx/sites-available/pleroma.nginx
+ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled/pleroma.nginx
+
+# Systemd integration.
+cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
+systemctl start pleroma
+systemctl enable pleroma
+
+# Only restart NGINX with Pleroma running.
+service nginx restart
--- /dev/null
+#!/bin/sh
+set -e
+set -x
+# Heavily inspired by <https://docs-develop.pleroma.social/backend/installation/debian_based_en/>
+
+if [ "$#" -ne 2 ]; then
+ echo 'Need domain name, mail_address as arguments.'
+ false
+fi
+domain="$1"
+mail="$2"
+
+# Install dependencies, configs, set up firewall.
+config_tree_prefix="${HOME}/config/buster"
+./install_for_target.sh web pleroma pleroma_source
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web pleroma
+nft -f /etc/nftables.conf
+
+# Prepare user.
+adduser --system --group --shell /bin/false --home /var/lib/pleroma pleroma
+
+# Setup Erlang.
+wget -P /tmp/ https://packages.erlang-solutions.com/erlang-solutions_1.0_all.deb
+dpkg -i /tmp/erlang-solutions_1.0_all.deb
+apt update
+apt -y install elixir erlang-dev erlang-tools erlang-parsetools erlang-eldap erlang-ssh erlang-xmerl
+
+mkdir -p /opt/pleroma
+chown -R pleroma:pleroma /opt/pleroma
+su pleroma -s $SHELL -lc 'git clone -b develop https://git.pleroma.social/pleroma/pleroma /opt/pleroma'
+su pleroma -s $SHELL -lc 'mix local.hex --force'
+su pleroma -s $SHELL -lc 'mix local.rebar --force'
+su pleroma -s $SHELL -lc "cd /opt/pleroma &&\
+mix deps.get &&\
+mix pleroma.instance gen \
+--output config/generated_config.exs \
+--output-psql /tmp/setup_db.psql \
+--domain ${domain} \
+--instance-name plomroma \
+--admin-email ${mail} \
+--notify-email ${mail} \
+--dbhost localhost \
+--dbname pleroma \
+--dbuser pleroma \
+--db-configurable N \
+--rum N \
+--indexable Y \
+--uploads-dir /var/lib/pleroma/uploads \
+--static-dir /var/lib/pleroma/static \
+--listen-ip 127.0.0.1 \
+--listen-port 4000 \
+--dbpass $(pwgen -s 100 1) &&\
+mv config/{generated_config.exs,prod.secret.exs}"
+su postgres -s $SHELL -lc 'psql -f /tmp/setup_db.psql'
+su pleroma -s $SHELL -lc 'cd /opt/pleroma && MIX_ENV=prod mix ecto.migrate'
+
+# Add our own plom.exs and import it to prod.secret.exs
+echo '' >> /opt/pleroma/config/prod.secret.exs
+echo 'import_config "plom.exs"' >> /opt/pleroma/config/prod.secret.exs
+echo 'import Config' > /opt/pleroma/config/plom.exs
+cat "${config_tree_prefix}/other_files/append_pleroma_config" >> /opt/pleroma/config/plom.exs
+
+# Single-pixel picture hack for removing Pleroma FE images.
+cp "${config_tree_prefix}/other_files/pixel.png" /var/lib/pleroma/static/
+chown pleroma:nogroup /var/lib/pleroma/static/pixel.png
+
+# Info panel and TOS.
+#mkdir -p /var/lib/pleroma/static/instance
+#mkdir -p /var/lib/pleroma/static/static
+#cp "${config_tree_prefix}/other_files/pleroma_panel.html" /var/lib/pleroma/static/instance/panel.html
+#cp "${config_tree_prefix}/other_files/pleroma_terms-of-service.html" /var/lib/pleroma/static/static/terms-of-service.html
+#cp "${config_tree_prefix}/other_files/pleroma_robots.txt" /var/lib/pleroma/static/robots.txt
+
+# Upload directory. For some reason this does not exist yet here.
+mkdir -p /var/lib/pleroma/uploads
+chown pleroma:nogroup /var/lib/pleroma/uploads
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+rm /etc/nginx/sites-enabled/default
+
+# Prepare NGINX config for Pleroma.
+cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.nginx
+sed -i "s/example\.tld/${domain}/g" /etc/nginx/sites-available/pleroma.nginx
+ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled/pleroma.nginx
+
+# Systemd integration.
+cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
+systemctl start pleroma
+systemctl enable pleroma
+
+# Only restart NGINX with Pleroma running.
+service nginx restart
--- /dev/null
+#!/bin/sh
+set -e
+
+./install_for_target.sh seedbox
+
+# As according to <https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template>
+su -lc "curl -Ls 'https://raw.githubusercontent.com/wiki/rakshasa/rtorrent/CONFIG-Template.md' | grep -A9999 '^######' | grep -B9999 '^### END' | sed -re \"s:/home/USERNAME:\$HOME:\" >~/.rtorrent.rc" plom
+su -lc "mkdir ~/rtorrent" plom
+
+# As according to <https://unix.stackexchange.com/a/475485>
+chmod u+s /usr/bin/screen
+chmod 755 /var/run/screen
--- /dev/null
+#!/bin/sh
+# Next setup steps for a server whose login policy has just been set from
+# the outside via ./init_user_and_keybased_login.sh.
+set -e
+
+# Provide maximum input for set_hostname_and_fqdn.sh.
+if [ "$#" -lt 2 ]; then
+ echo 'Need exactly two arguments (hostname, FQDN).'
+ false
+fi
+hostname="$1"
+fqdn="$2"
+additional_arg="$3"
+
+# Set up system without user environment.
+config_tree_prefix="${HOME}/config/buster"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+./setup.sh "${hostname}" "${fqdn}" server "${additional_arg}"
+
+# If we have not yet set the shell for user plom, ensure it here. This
+# is mostly for convenience.
+usermod -s /bin/bash plom
+
+# Enable firewall.
+systemctl enable nftables.service
--- /dev/null
+#!/bin/sh
+set -e
+
+if [ "$#" -ne 4 ] && [ "$#" -ne 5 ]; then
+ echo 'Need domain name and mail and key ID and init state and possibly old server IP as argument.'
+ false
+fi
+if [ ! "$4" = "copy" ] && [ ! "$4" = "new" ] && [ ! "$4" = "upgrade" ]; then
+ echo "Need init state to be either 'copy' or 'new' or 'upgrade'"
+ false
+fi
+if [ ! "$4" = "new" ] && [ "$#" -ne 5 ]; then
+ echo "With init state != 'new' need fifth argument old server IP."
+ false
+fi
+domain="$1"
+mail="$2"
+gpg_key="$3"
+init_state="$4"
+old_server="$5"
+
+# NOTE: init_state=upgrade is for migration from older stretch server setup
+
+# Install configs, set up firewall.
+config_tree_prefix="${HOME}/config/buster"
+./install_for_target.sh web website
+./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web website
+nft -f /etc/nftables.conf
+
+# Set up letsencrypt certificate. TODO: Is it auto-renewed?
+ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
+rm /etc/nginx/sites-enabled/default
+
+# Set up connection to old server.
+if [ ! "${init_state}" = "new" ]; then
+ cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
+ chown plom:plom /home/plom/prepare_to_meet_server.sh
+ su -lc "./prepare_to_meet_server.sh ${old_server}" plom
+ read -p'Hit Enter when you are done.' ignore
+ rm /home/plom/prepare_to_meet_server.sh
+fi
+
+# Set up repos dir.
+# To use this dir, "git clone --mirror" repo source paths into it as user plom.
+# As user plom, touch git-daemon-export-ok files into it to make the repo
+# publically available.
+if [ "${init_state}" = "new" ]; then
+ mkdir /var/repos
+ chown plom:plom /var/repos
+else
+ cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+ chmod a+w /var
+ if [ "${init_state}" = "copy" ]; then
+ su -lc "./mirror_dir.sh ${old_server} /var/repos" plom
+ else
+ su -lc "./mirror_dir.sh ${old_server} /var/public_repos" plom
+ fi
+ chmod a-w /var
+ rm /home/plom/mirror_dir.sh
+fi
+
+# Prepare NGINX and GitWeb config.
+sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/gitweb.conf
+sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/nginx/sites-available/website.nginx
+ln -s /etc/nginx/sites-available/website.nginx /etc/nginx/sites-enabled/website.nginx
+
+# Set up website. TODO: use non-/var/www dir for better separation to dump site
+rm -rf /var/www
+mkdir /var/www
+chown plom:plom /var/www
+if [ "${init_state}" = "upgrade" ]; then
+ # This assumes the old core.plomlompom.com filesystem hierarchy.
+ su -lc "cd /var/repos && git clone --mirror plom@core.plomlompom.com:repos/website" plom
+elif [ "${init_state}" = "new" ]; then
+ su -lc "cd /var/repos && git init --bare website.git" plom
+fi
+cp "${config_tree_prefix}/other_files/website_hook_post-receive" /var/repos/website.git/hooks/post-receive
+su -lc 'cd /var/www && git clone /var/repos/website.git .' plom
+
+# Add encryption key.
+keyservers='sks-keyservers.net/ keys.gnupg.net'
+set +e
+while true; do
+ do_break=0
+ for keyserver in $(echo "${keyservers}"); do
+ su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+ if [ $? -eq "0" ]; then
+ do_break=1
+ break
+ fi
+ echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+ done
+ if [ "${do_break}" -eq "1" ]; then
+ break
+ fi
+done
+set -e
+
+# Set up plomlombot.
+irclogs_dir=/var/www/html/irclogs
+irclogs_pw_dir=/var/www/irclogs_pw
+mkdir -p "${irclogs_dir}"
+chown -R plom:plom "${irclogs_dir}"
+mkdir -p "${irclogs_pw_dir}"
+chown -R plom:plom "${irclogs_pw_dir}"
+if [ "${init_state}" = "new" ]; then
+ # Handle the case that the repo is in the old pre-buster server setup –
+ # even then, the URL should be the same.
+ su -lc "cd /var/repos && git clone --mirror https://plomlompom.com/repos/clone/plomlombot-irc" plom
+ su -lc "touch /var/repos/plomlombot-irc.git/git-daemon-export-ok" plom
+ cp "${config_tree_prefix}/other_files/plomlombot_hook_post-receive" /var/repos/plomlombot-irc.git/hooks/post-receive
+fi
+su -lc "git clone /var/repos/plomlombot-irc.git" plom
+cp "${config_tree_prefix}/other_files/plomlombot_daemon.sh" /home/plom/
+chown plom:plom /home/plom/plomlombot_daemon.sh
+if [ "${init_state}" = "new" ]; then
+ echo 'bot: plomlombog plomlombog #plomlomtest irc.freenode.net foo bar' >> /home/plom/.plomlombot
+ chown plom:plom /home/plom/.plomlombot
+else
+ cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
+ su -lc "./mirror_dir.sh ${old_server} /home/plom/plomlombot_db" plom
+ rm /home/plom/mirror_dir.sh
+ su -lc "scp plom@${old_server}:.plomlombot ~" plom
+ su -lc "ssh plom@${old_server} \"su -lc 'service plomlombot stop'\"" plom
+fi
+systemctl enable plomlombot.service
+service plomlombot start
+
+# In the above step, we might have created a root-owned /var/www/html –
+# fix this here.
+chown -R plom:plom /var/www/html
+
+# TODO:
+# - rename /home/plom/public_repos to /home/plom/repos
+
+service nginx restart
--- /dev/null
+#!/bin/sh
+set -e
+set -x
+
+# Heavily inspired by <https://docs-develop.pleroma.social/backend/administration/updating/>
+su pleroma -s $SHELL -lc 'cd /opt/pleroma && git pull && mix deps.get'
+service pleroma stop
+su pleroma -s $SHELL -lc 'MIX_ENV=prod cd /opt/pleroma && mix ecto.migrate'
+service pleroma start
--- /dev/null
+#!/bin/sh
+set -e
+
+# Heavily inspired by
+# <https://docs.joinpeertube.org/#/install-any-os?id=upgrade>
+
+# backup DB
+SQL_BACKUP_PATH="backup/sql-peertube_prod-$(date -Im).bak"
+cd /var/www/peertube/
+su peertube -c 'mkdir -p backup'
+su postgres -c "pg_dump -F c peertube_prod" | su peertube -c "tee ${SQL_BACKUP_PATH}" > /dev/null
+
+# Get new PeerTube version.
+VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && echo "Latest Peertube version is $VERSION"
+cd /var/www/peertube/versions
+su peertube -c "wget -q \"https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip\""
+su peertube -c "unzip -o peertube-${VERSION}.zip && rm peertube-${VERSION}.zip"
+
+# Yarn new PeerTube.
+su -l peertube -c "cd /var/www/peertube/versions/peertube-${VERSION} && yarn install --production --pure-lockfile"
+
+# Copy new default.yaml (TODO: find out what it does)
+su peertube -c "cp /var/www/peertube/versions/peertube-${VERSION}/config/default.yaml /var/www/peertube/config/default.yaml"
+
+set +e
+echo
+echo "Check differences between new and old production.yaml[.example]"
+diff /var/www/peertube/versions/peertube-${VERSION}/config/production.yaml.example /var/www/peertube/config/production.yaml
+echo
+set -e
+
+# Link new PeerTube as latest one.
+cd /var/www/peertube
+unlink ./peertube-latest
+su peertube -c "ln -s versions/peertube-${VERSION} ./peertube-latest"
+
+set +e
+echo
+echo "Check differences between new and old NGINX files"
+cd /var/www/peertube/versions
+diff "$(ls --sort=t | head -2 | tail -1)/support/nginx/peertube" "$(ls --sort=t | head -1)/support/nginx/peertube"
+echo
+echo "Check differences between new and old systemd unit files"
+diff "$(ls --sort=t | head -2 | tail -1)/support/systemd/peertube.service" "$(ls --sort=t | head -1)/support/systemd/peertube.service"
+echo
+set -e
+
+service peertube restart
--- /dev/null
+# Bash as a non-login shell in non-POSIX-mode does not read in the startup
+# script at the path in $ENV. This forces it to still read in the ~/.shinit
+# startup script for non-login shells.
+
+. ~/.shinit
+
+export NVM_DIR="$HOME/.nvm"
+[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
+[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" # This loads nvm bash_completion
--- /dev/null
+[user]
+ name = Christian Heller
+ email = c.heller@plomlompom.de
--- /dev/null
+# Initialization for login shells.
+
+# Tell interactive shells to look in ~/.shinit for setup.
+ENV=$HOME/.shinit
+export ENV
+. $ENV
+
+export PATH="$HOME/.cargo/bin:$PATH"
--- /dev/null
+# Settings for interactive shells.
+
+# Ensure shell truly is interactive to avoid confusing non-interactive shells.
+if [[ $- == *i* ]]; then
+
+ # Fancy colors for ls.
+ alias ls="ls --color=auto"
+
+ # Use vim as default editor for anything.
+ export VISUAL=vim
+ export EDITOR=$VISUAL
+
+ # Colored prompt with username, hostname, date/time, directory.
+ colornumber=7 # Default to white if no color set via colornumber dotfile.
+ colornumber_file=~/.shinit_color
+ if [ -f $colornumber_file ]; then
+ colornumber=`cat $colornumber_file`
+ fi
+ tput_color="$(tput setaf $colornumber)$(tput bold)"
+ tput_reset="$(tput sgr0)"
+ # Bash confuses the line length when not told to not count escape sequences.
+ if [ ! "$BASH" = "" ]; then
+ tput_color="\[$tput_color\]"
+ tput_reset="\[$tput_reset\]"
+ fi
+ PS1="${tput_color}["\$\(date\ +%Y-%m-%d/%H:%M:%S/%Z\)" $USER@$(hostname):"\$\(pwd\)"]$ $tput_reset"
+ PS2="${tput_color}> $tput_reset"
+ PS3="${tput_color}select: $tput_reset"
+ PS4="${tput_color}+ $tput_reset"
+
+ # Add local additions.
+ local_shinit_file=~/.shinit_add
+ if [ -f $local_shinit_file ]; then
+ . $local_shinit_file
+ fi
+
+fi
--- /dev/null
+" Activate syntax highlighting.
+syntax on
+filetype plugin on
+
+" Number lines.
+set number
+
+"" Don't add unsolicited final newline.
+"set binary
+
+" Indentation rules (tabs to 4 spaces).
+set expandtab
+set shiftwidth=2
+set softtabstop=2
+
+" Backups.
+set backup
+set backupdir=~/.vimbackups
+let myvar = strftime("%Y-%m-%d_%H-%M-%S")
+let myvar = "set backupext=_". myvar
+execute myvar
+
+" Keep syntax highlighting healthy.
+autocmd BufEnter * :syntax sync fromstart
+
+" Mark the 80-th column.
+set colorcolumn=80
+
+" Source additions
+source ~/.vimrc_add
--- /dev/null
+DEFAULT="$HOME/mail/new_inbox/"
+logfile "$HOME/.mailfilter.log"
+
+if ( /^To: .*heller@talon\.one.*/:D || /^Subject: .*Talon*/:D )
+{
+ DIR="$HOME/mail/talonone/"
+ `mkdir -p $DIR/{cur,new,tmp}`
+ to $DIR
+}
+
+if ( /^Subject: Postfix SMTP server: errors from /:D && \
+ /^From: Mail Delivery System <MAILER-DAEMON@plomlompom\.com>/:D && \
+ /^To: Postmaster <postmaster@plomlompom\.com>/:D )
+{
+ DIR="$HOME/mail/new_postfix_smtp_server_errors_from/"
+ `mkdir -p $DIR/{cur,new,tmp}`
+ to $DIR
+}
+
+if ( /^From: \"Nebenan\.de\" \<noreply@nebenan\.de\>/:D )
+{
+ DIR="$HOME/mail/nebenan_de/"
+ `mkdir -p $DIR/{cur,new,tmp}`
+ to $DIR
+}
--- /dev/null
+# plomlompom's mutt configuration file
+
+# Define mailboxes.
+set mbox_type=Maildir
+set folder=/home/plom/mail
+set spoolfile=$folder/inbox
+set mbox=$folder/archive
+set record=$folder/sent
+set postponed=$folder/postponed
+
+# Move read messages from $spoolfile to $mbox.
+set move=yes
+
+# Macro to a mailboxes view built from all folders below ~/mail.
+macro index,pager y <change-folder>?<toggle-mailboxes>
+mailboxes `ls /home/plom/mail | sed -e 's/^/=/' | tr "\n" " "`
+
+# What goes into the default header display.
+ignore *
+unignore from: subject to cc date
+
+# Force some variables for From: and Message-ID: generation.
+set realname="Christian Heller"
+
+# Allow me to reply myself.
+set reply_self = yes
+
+# Only scroll in the current message, not across messages.
+set pager_stop = yes
+
+# Sort message top-down new-old.
+set sort=reverse-date
+
+# Ensure visibility of attachments. The second line handles (in an ugly way) the
+# issue of mails that use the content-type of multipart/alternative wrongly, by
+# omitting from the text/plain alternative relevant multimedia files attached to
+# the multipart/related alternative that contains text/html and said files. This
+# will in certain cases make the pager default to displaying the HTML variant of
+# a mail when a plain text one is available, but this is preferable to hiding
+# potentially important attachments.
+set index_format="%4C %Z %?X?[%X]& ? %{%b %d} %-15.15L (%?l?%4l&%4c?) %s"
+alternative_order multipart/related text/plain text/html
+
+# Defaults from /usr/share/doc/mutt/examples/gpg.rc
+set pgp_decode_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
+set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"
+set pgp_decrypt_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
+set pgp_sign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
+set pgp_clearsign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
+set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
+set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
+set pgp_import_command="gpg --no-verbose --import %f"
+set pgp_export_command="gpg --no-verbose --export --armor %r"
+set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r"
+set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --list-keys %r"
+set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --list-secret-keys %r"
+set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"
+
+# Further stuff from http://codesorcery.net/old/mutt/mutt-gnupg-howto
+set pgp_autosign=yes
+set pgp_sign_as=0x98F64A5F
+set pgp_replyencrypt=yes
+set pgp_timeout=1800
+
+# Promoting my public key.
+my_hdr X-PGP-Key: https://dump.plomlompom.com/dump/plomlompom.asc
--- /dev/null
+# plomlompom's getmail configuration
+
+# Where and how to get mail from.
+[retriever]
+type = SimplePOP3SSLRetriever
+server = mail.klostein.com
+username = c.heller@plomlompom.de
+
+# Let procmail take charge of incoming mail. Use user-defined rc file.
+[destination]
+type = MDA_external
+path = /usr/bin/procmail
+arguments = ("-m", "/home/plom/.procmailrc")
+
+# Delete retrieved mail from server.
+[options]
+delete = false
--- /dev/null
+# plomlompom's procmail configuration
+
+MAILDIR=/home/plom/mail
+DEFAULT=$MAILDIR/inbox/
+
+:0
+* ^To: Bisdahin <termin@bisdahin.de>
+bisdahin/
+
+:0
+* ^From: Doodle <mailer@doodle.com>
+doodle/
+
+:0
+* ^From: FetLife <donotreply@fetlifemail\.com>
+fetlife/
+
+:0
+* ^From: Flattr <no-reply@flattr.com>
+flattr/
+
+:0
+* ^From: noreply@statusnetondemand.net
+identica/
+
+:0
+* ^From: .*@linkedin\.com
+linkedin/
+
+:0
+* ^To: .*forum@detrans.de
+ML-detrans/
+
+:0
+* ^To: .*liste-ff-medien@gruene-jugend.de
+ML-gj-medien/
+
+:0
+* ^To: wann-klettern-wir@googlegroups\.com
+ML-klettern/
+
+:0
+* ^Subject: \[schildower-kreis-info\]
+schildower_kreis/
+
+:0
+* ^Subject: .*\[reflect-info\]
+reflect-info/
+
+:0
+* ^To: .*st-berlin@smjg.org
+ML-smjg-berlin/
+
+:0
+* ^Subject: Logwatch for plomlompom\.com \(Linux\)
+serverlogs/
+
+:0
+* ^Subject: ***SPAM***
+spam-suspect/
+
+:0
+* ^Subject: .*talon.*
+talonone/
+
+:0
+* ^From: Twitter
+twitter/
+
+:0
+* ^From: Computerspielemuseum
+computerspielemuseum/
--- /dev/null
+# Server-specific .shinit additions.
+
+# Wrapper for weechat to force local config file on it anew on each run.
+alias weechat="~/config/bin/weechat-wrapper.sh"
--- /dev/null
+/set logger.file.path ~/weechatlogs
+/set logger.file.flush_delay 0
+/script install otr.py
+/set weechat.bar.status.items "[time],[buffer_last_number],[buffer_plugin],buffer_number+:+buffer_name+(buffer_modes)+{buffer_nicklist_count}+buffer_zoom+buffer_filter,[lag],[hotlist],completion,scroll,[otr]"
+/set weechat.color.chat_nick_colors "lightcyan"
+/server add localhost localhost
+/connect localhost
+/server del freenode
+/server add freenode irc.freenode.net -nicks=plomlompom,plomlomp0m,ploml0mp0m,pl0ml0mp0m -realname="Christian Heller" -autojoin=#nodrama.de,#twitter.de,#freie-gesellschaft,#zrolaps,#twtxt,#freakazoid,#nodrama.finance,#unordentlich
+/server add rizon irc.rizon.net -nicks=AlfredEdel,AlfredEde1,A1fredEdel,A1fredEde1 -autojoin=#8chan-deutsch,#mememagic -username=foo
+/server add quakenet irc.quakenet.org -nicks=plomlompom,plomlomp0m,ploml0mp0m,pl0ml0mp0m -realname="Christian Heller" -autojoin=#rgrd
+/connect freenode
+/connect rizon
--- /dev/null
+# Server-specific .shinit additions.
+
+# Golang dev environment
+export GOPATH=~/gopath
--- /dev/null
+! font size
+XTerm*faceSize: 8
+xterm*VT100*faceSize1: 7
+xterm*VT100*faceSize2: 8
+xterm*VT100*faceSize3: 9
+xterm*VT100*faceSize4: 10
+xterm*VT100*faceSize5: 12
+xterm*VT100*faceSize6: 15
+
+! black
+*color0: #202020
+*color8: #3F3F3F
+
+! red
+*color1: #A82020
+*color9: #E82020
+
+! green
+*color2: #20A820
+*color10: #20E820
+
+! yellow
+*color3: #A8A820
+*color11: #E8E820
+
+! blue
+*color4: #3F3FFF
+*color12: #9F9FFF
+
+! magenta
+*color5: #A83FFF
+*color13: #E89FFF
+
+! cyan
+*color6: #3FA8FF
+*color14: #9FE8FF
+
+! white
+*color7: #A8A8A8
+*color15: #E8E8E8
--- /dev/null
+# plomlompom's i3 status bar configuration
+
+# Activate colors; set update interval of one second.
+general {
+ colors = true
+ interval = 1
+}
+
+# Selection / order of status elements.
+order += "disk /"
+order += "disk /home"
+order += "wireless wlp3s0"
+order += "ethernet enp0s25"
+order += "battery 0"
+order += "cpu_usage"
+order += "load"
+order += "cpu_temperature 0"
+order += "cpu_temperature 1"
+order += "time"
+order += "volume master"
+
+# How much space is left in / ?
+disk "/" {
+ format = "/: %avail available of %total"
+ separator_block_width = 10
+}
+
+# How much space is left in /home ?
+disk "/home" {
+ format = "/home: %avail available of %total"
+ separator_block_width = 40
+}
+
+
+# WLAN status: show IP and connection quality or "down".
+wireless wlp3s0 {
+ format_up = "w: (%quality at %essid) %ip"
+ format_down = "w: down"
+ separator_block_width = 10
+}
+
+# Ethernet status: show IP or "down".
+ethernet enp0s25 {
+ format_up = "e: %ip"
+ format_down = "e: down"
+ separator_block_width = 40
+}
+
+# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
+battery 0 {
+ format = "b: %status %percentage %remaining"
+ separator_block_width = 40
+}
+
+# Show CPU usage.
+cpu_usage {
+ format = "cpu: %usage"
+ separator_block_width = 10
+}
+
+# Show system load during last 1/5/15 minutes.
+load {
+ format = "%1min %5min %15min"
+ separator_block_width = 40
+}
+
+# Show CPU temperature in degrees of celsius.
+cpu_temperature 0 {
+ format = "%degrees °C"
+ separator_block_width = 10
+}
+cpu_temperature 1 {
+ format = "%degrees °C"
+ separator_block_width = 40
+}
+
+# Show date/time/timezone as "year-month-day hour:minute:second
+# timezone_numeric/timezone_alphabetic".
+time {
+ format = "%Y-%m-%d %H:%M:%S %z/%Z"
+ separator_block_width = 40
+}
+
+volume master {
+ format = "♪: %volume"
+ format_muted = "♪: muted (%volume)"
+ separator_block_width = 40
+}
--- /dev/null
+! font size
+XTerm*faceSize: 8
+
+! black
+*color0: #000000
+*color8: #3F3F3F
+
+! red
+*color1: #BF0000
+*color9: #FF0000
+
+! green
+*color2: #00BF00
+*color10: #00FF00
+
+! yellow
+*color3: #BFBF00
+*color11: #FFFF00
+
+! blue
+*color4: #3F3FFF
+*color12: #9F9FFF
+
+! magenta
+*color5: #BF3FFF
+*color13: #FFF9FF
+
+! cyan
+*color6: #3FBFFF
+*color14: #9FFFFF
+
+! white
+*color7: #BFBFBF
+*color15: #FFFFFF
--- /dev/null
+# plomlompom's i3 status bar configuration
+
+# Activate colors; set update interval of one second.
+general {
+ colors = true
+ interval = 1
+}
+
+# Selection / order of status elements.
+order += "disk /"
+order += "disk /home"
+order += "wireless wls1"
+order += "ethernet enp0s25"
+order += "battery 0"
+order += "cpu_temperature 0"
+order += "load"
+order += "time"
+
+# How much space is left in / ?
+disk "/" {
+ format = "%free"
+}
+
+# How much space is left in /home ?
+disk "/home" {
+ format = "%free"
+}
+
+
+# WLAN status: show IP and connection quality or "down".
+wireless wls1 {
+ format_up = "W: (%quality at %essid) %ip"
+ format_down = "W: down"
+}
+
+# Ethernet status: show IP or "down".
+ethernet enp0s25 {
+ format_up = "E: %ip"
+ format_down = "E: down"
+}
+
+# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
+battery 0 {
+ format = "%status %percentage %remaining"
+}
+
+# Show CPU temperature in degrees of celsius.
+cpu_temperature 0 {
+ format = "T: %degrees °C"
+}
+
+# Show system load during last 1/5/15 minutes.
+load {
+ format = "L: %1min %5min %15min"
+}
+
+# Show date/time/timezone as "year-month-day hour:minute:second
+# timezone_numeric/timezone_alphabetic".
+time {
+
+ format = "%Y-%m-%d %H:%M:%S %z/%Z"
+}
--- /dev/null
+! font
+XTerm*faceName: -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1
+XTerm*reverseVideo: on
+XTerm*visualBell: on
+
+! proper ALT as META key treatment
+XTerm*eightBitInput: false
--- /dev/null
+# plomlompom's i3-wm configuration
+
+# Font for i3 text
+font pango:Terminus 11px
+#font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1
+
+# Force "tabbed" as default layout for new windows.
+workspace_layout tabbed
+
+# Make the Windows key the modifier key for all i3-wm actions.
+set $mod Mod4
+floating_modifier $mod
+
+# Launch xterm.
+bindsym $mod+Return exec xterm -r
+
+# Launch programs via dmenu.
+bindsym $mod+d exec dmenu_run
+bindsym $mod+x exec dmenu_run
+
+# Kill window.
+bindsym $mod+Shift+Q kill
+
+# Move focus between windows.
+bindsym $mod+Left focus left
+bindsym $mod+Down focus down
+bindsym $mod+Up focus up
+bindsym $mod+Right focus right
+
+# Don't move focus with mouse.
+focus_follows_mouse no
+
+# Move windows.
+bindsym $mod+Shift+Left move left
+bindsym $mod+Shift+Down move down
+bindsym $mod+Shift+Up move up
+bindsym $mod+Shift+Right move right
+
+# Resize windows
+bindsym $mod+h resize shrink width 1 px or 1 ppt
+bindsym $mod+l resize grow width 1 px or 1 ppt
+bindsym $mod+j resize shrink height
+bindsym $mod+k resize grow height
+
+# Toggle fullscreen for focused window.
+bindsym $mod+f fullscreen
+
+# Toggle floating of window, focus on floating or tabbed windows.
+bindsym $mod+Shift+space floating toggle
+bindsym $mod+space focus mode_toggle
+
+# Switch to workspace x.
+bindsym $mod+1 workspace 1
+bindsym $mod+2 workspace 2
+bindsym $mod+3 workspace 3
+bindsym $mod+4 workspace 4
+bindsym $mod+5 workspace 5
+bindsym $mod+6 workspace 6
+bindsym $mod+7 workspace 7
+bindsym $mod+8 workspace 8
+bindsym $mod+9 workspace 9
+bindsym $mod+0 workspace 10
+
+# Move window to workspace x.
+bindsym $mod+Shift+exclam move workspace 1
+bindsym $mod+Shift+quotedbl move workspace 2
+bindsym $mod+Shift+section move workspace 3
+bindsym $mod+Shift+dollar move workspace 4
+bindsym $mod+Shift+percent move workspace 5
+bindsym $mod+Shift+ampersand move workspace 6
+bindsym $mod+Shift+slash move workspace 7
+bindsym $mod+Shift+parenleft move workspace 8
+bindsym $mod+Shift+parenright move workspace 9
+bindsym $mod+Shift+equal move workspace 10
+
+# Reload i3 config file, restart (keeping sesion) i3, exit i3.
+bindsym $mod+Shift+C reload
+bindsym $mod+Shift+R restart
+bindsym $mod+Shift+P exit
+
+# Select "i3status" as i3 status bar.
+bar {
+ status_command i3status | ~/config/bin/i3status_wrapper.py
+}
--- /dev/null
+set! browser.startup.page=3
+set! privacy.donottrackheader.enabled=true
+set! network.cookie.lifetimePolicy=2
+set! browser.formfill.enable=false
+set! browser.block.target_new_window=true
+set! browser.download.lastDir=~/downloads
+"set! javascript.enabled=false
+"set! permissions.default.image=2
+set! general.useragent.override=foo
+set! signon.rememberSignons=false
+set! network.proxy.socks=localhost
+set! network.proxy.socks_port=9999
+set! network.proxy.type=1
+set go=CMsbr
+set showtabline=never
+highlight Hint -append font: "Droid Sans Mono"; margin: 0em; padding: 0.1em; padding-right: 0.2em;
+command plom open http://www.plomlompom.de/PlomWiki/plomwiki.php?title=Start
+set fc=ignore
+set ds=duckduckgo
+set visualbell
--- /dev/null
+" source ~/.vimrc_vimgo
--- /dev/null
+# X init configuration
+
+# Set keymap.
+setxkbmap de
+
+# Read in X configuration.
+xrdb -merge ~/.Xresources
+xrdb -merge ~/.Xresources-local
+
+# Redshift to Berlin, Germany.
+redshift -rl 53:13 &
+
+# Enforce QWERTZ. (Why twice?)
+setxkbmap de
+
+# Use CapsLock as Ctrl, against the Emacs pinky.
+setxkbmap -option caps:ctrl_modifier
+
+# Set up compose key.
+xmodmap ~/.Xmodmap
+
+# Optionally, for certain Optimus systems with a first GPU connected to the
+# display and a second (NVidia) GPU providing 3D acceleration, use the first GPU
+# as sink for the second. This may confuse DPI settings, so re-set those.
+if [ "${NVIDIA_DIRECT}" ]; then
+ xrandr --setprovideroutputsource modesetting NVIDIA-0
+ xrandr --auto
+ xrandr --dpi 96
+fi
+
+# Launch window manager.
+i3 -c ~/.i3
--- /dev/null
+#!/bin/sh
+set -x
+set -e
+
+if [ ! "$1" = "thinkpad" ] && [ ! "$1" = "server" ]; then
+ echo "Need argument."
+ false
+fi
+if [ "$1" = "thinkpad" ] && [ ! "$2" = "X200s" ] && [ ! "$2" = "T450s" ]; then
+ echo "Need Thinkpad type."
+ false
+fi
+if [ "$1" = "server" ] && [ ! "$2" = "personal" ] && [ ! "$2" = "public" ]; then
+ echo "Need server purpose."
+ false
+fi
+if [ "$2" = "personal" ] && [ ! "$3" = "test.plomlompom.com" ] && \
+ [ ! "$3" = "plomlompom.com" ]; then
+ echo "Need server domain"
+ false
+fi
+
+# Some important variables
+if [ "$3" = "plomlompom.com" ]; then
+ hostname="plomlompom"
+elif [ "$3" = "test.plomlompom.com" ]; then
+ hostname="test.plomlompom"
+elif [ "$2" = "public" ]; then
+ hostname="htwtxt.plomlompom"
+elif [ "$2" = "X200s" ]; then
+ hostname="X200s"
+elif [ "$2" = "T450s" ]; then
+ hostname="T450s"
+fi
+
+if [ "$1" = "server" ]; then
+ # Set root pw.
+ passwd
+fi
+
+# Post-installation reduction.
+dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed \
+ 's/ required//' > list_white_unsorted
+echo 'ifupdown' >> list_white_unsorted
+echo 'isc-dhcp-client' >> list_white_unsorted
+sort list_white_unsorted > list_white
+dpkg-query -Wf '${Package}\n' > list_all_packages
+sort list_all_packages > foo
+mv foo list_all_packages
+comm -3 list_all_packages list_white > list_black
+apt-mark auto `cat list_black`
+echo 'APT::AutoRemove::RecommendsImportant "false";' > /etc/apt/apt.conf.d/99mindeps
+echo 'APT::AutoRemove::SuggestsImportant "false";' >> /etc/apt/apt.conf.d/99mindeps
+DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+rm list_all_packages list_white_unsorted list_white list_black
+echo 'APT::Install-Recommends "false";' >> /etc/apt/apt.conf.d/99mindeps
+echo 'APT::Install-Suggests "false";' >> /etc/apt/apt.conf.d/99mindeps
+
+# Set hostname and FQDN.
+echo $hostname > /etc/hostname
+hostname $hostname
+if [ "$1" = "server" ]; then
+ echo '127.0.0.1 localhost' > /etc/hosts
+ ip=`hostname -I | cut -d " " -f 1`
+ echo "$ip $hostname.com $hostname" >> /etc/hosts
+
+ # Call dhclient on startup.
+ cat > /etc/systemd/system/dhclient.service << EOF
+[Unit]
+Description=Ethernet connection
+
+[Service]
+ExecStart=/sbin/dhclient eth0
+
+[Install]
+WantedBy=multi-user.target
+EOF
+ systemctl enable /etc/systemd/system/dhclient.service
+fi
+
+# Package management config, system upgrade.
+echo 'deb http://ftp.debian.org/debian/ jessie main contrib non-free' \
+ > /etc/apt/sources.list
+echo 'deb http://security.debian.org/ jessie/updates main contrib non-free' \
+ >> /etc/apt/sources.list
+echo 'deb http://ftp.debian.org/debian/ jessie-updates main contrib non-free' \
+ >> /etc/apt/sources.list
+if [ "$1" = "thinkpad" ] || [ "$2" = "public" ]; then
+ echo 'deb http://ftp.debian.org/debian/ jessie-backports main contrib' \
+' non-free' >> /etc/apt/sources.list
+ echo 'deb http://ftp.debian.org/debian/ testing main contrib non-free' \
+ >> /etc/apt/sources.list
+ echo 'deb http://security.debian.org/ testing/updates main contrib' \
+' non-free' >> /etc/apt/sources.list
+ echo 'deb http://ftp.debian.org/debian/ testing-updates main contrib' \
+' non-free' >> /etc/apt/sources.list
+ echo 'APT::Default-Release "stable";' \
+ >> /etc/apt/apt.conf.d/99defaultrelease
+fi
+if [ "$1" = "thinkpad" ]; then
+ dhclient eth0
+fi
+apt-get update
+apt-get -y dist-upgrade
+
+# Set up manuals.
+apt-get -y install man-db manpages less
+
+if [ "$1" = "thinkpad" ]; then
+ # Power management as per <http://thinkwiki.de/TLP_-_Linux_Stromsparen>.
+ echo '' >> /etc/apt/sources.list
+ echo 'deb http://repo.linrunner.de/debian jessie main' \
+ >> /etc/apt/sources.list
+ apt-key adv --keyserver pool.sks-keyservers.net --recv-keys CD4E8809
+ apt-get update
+ apt-get -y install linux-headers-amd64 tlp tp-smapi-dkms
+ sed -i 's/^#START_CHARGE_THRESH_BAT0/START_CHARGE_THRESH_BAT0=10 '\
+'#START_CHARGE_THRESH_BAT0/' /etc/default/tlp
+ sed -i 's/^#STOP_CHARGE_THRESH_BAT0/STOP_CHARGE_THRESH_BAT0=95 '\
+'#STOP_CHARGE_THRESH_BAT0/' /etc/default/tlp
+ sed -i 's/^#START_CHARGE_THRESH_BAT1/START_CHARGE_THRESH_BAT0=10 '\
+'#START_CHARGE_THRESH_BAT1/' /etc/default/tlp
+ sed -i 's/^#STOP_CHARGE_THRESH_BAT1/STOP_CHARGE_THRESH_BAT0=95 '\
+'#STOP_CHARGE_THRESH_BAT1/' /etc/default/tlp
+ sed -i 's/^#DEVICES_TO_DISABLE_ON_STARTUP/DEVICES_TO_DISABLE_ON_STARTUP='\
+'"bluetooth wifi wwan" #DEVICES_TO_DISABLE_ON_STARTUP/' /etc/default/tlp
+ tlp start
+fi
+
+# Don't clear boot messages on start up.
+sed -i 's/^TTYVTDisallocate=yes$/TTYVTDisallocate=no/g' \
+ /etc/systemd/system/getty.target.wants/getty\@tty1.service
+
+# Set up timezone.
+echo 'Europe/Berlin' > /etc/timezone
+cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+
+# Locale config.
+apt-get -y install locales
+echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen
+locale-gen
+
+if [ "$1" = "thinkpad" ]; then
+ # Console config.
+ DEBIAN_FRONTEND=nointeractive apt-get -y install console-setup
+ echo 'ACTIVE_CONSOLES="/dev/tty[1-6]"' > /etc/default/console-setup
+ echo 'CHARMAP="UTF-8"' >> /etc/default/console-setup
+ echo 'CODESET="Lat15"' >> /etc/default/console-setup
+ echo 'FONTFACE="TerminusBold"' >> /etc/default/console-setup
+ echo 'FONTSIZE="8x16"' >> /etc/default/console-setup
+ echo 'export LC_ALL="en_US.UTF-8"' >> /etc/profile
+ sed -i 's/^XKBLAYOUT/XKBLAYOUT="de" # XKBLAYOUT/g' /etc/default/keyboard
+ service keyboard-setup restart
+fi
+
+# Clone git repository.
+apt-get -y install ca-certificates
+apt-get -y install git
+git clone http://github.com/plomlompom/config
+config/bin/symlink.sh
+
+# Add user. Remove old user's config/ if it exists.
+useradd -m -s /bin/bash plom
+rm -rf /home/plom/config
+su - plom -c 'git clone http://github.com/plomlompom/config /home/plom/config'
+su plom -c '/home/plom/config/bin/symlink.sh '$1' '$2' '$3
+
+# Allow user to sudo.
+if [ "$1" = "thinkpad" ]; then
+ apt-get -y install sudo
+ adduser plom sudo
+fi
+
+# Set up editor.
+mkdir -p .vimbackups
+su plom -c 'mkdir -p /home/plom/.vimbackups/'
+apt-get -y install vim
+
+if [ "$1" = "server" ]; then
+ # Set up ssh-guard.
+ apt-get -y install sshguard rsyslog
+
+ # Set up openssh-server.
+ apt-get -y install openssh-server
+
+ # Set up mail system.
+ su plom -c 'mkdir -p /home/plom/mail/'
+ su plom -c 'mkdir -p /home/plom/mail/inbox/{cur,new,tmp}'
+ su plom -c 'mkdir -p /home/plom/mail/new_inbox/{cur,new,tmp}'
+ sed -i 's/^delete = true$/delete = false/g' \
+ /home/plom/config/dotfiles/user/server/personal/minimal/getmail/getmailrc
+ DEBIAN_FRONTEND=noninteractive apt-get -y install mutt postfix maildrop
+ cp config/systemfiles/main.cf /etc/postfix/main.cf
+ sed -i 's/HOSTNAME/'$hostname.com'/g' /etc/postfix/main.cf
+ cp config/systemfiles/aliases /etc/aliases
+ newaliases
+ service postfix restart
+ if [ "$2" = "personal" ]; then
+ apt-get -y install getmail4 procmail
+ fi
+
+ # Set up regular system update reminder.
+ apt-get -y install cron
+ su plom -c "echo '0 18 * * 0 ~/config/bin/simplemail.sh '\
+ '~/config/mails/update_reminder' | crontab -"
+
+ if [ "$2" = "personal" ]; then
+ # Set up screen/weechat/OTR/bitlbee. Make bitlbee listen only locally.
+ apt-get -y install screen weechat-plugins python-potr bitlbee
+ sed -i 's/^# DaemonInterface/DaemonInterface = 127.0.0.1 '\
+'# DaemonInterface/' /etc/bitlbee/bitlbee.conf
+ sedtest=`grep -E '^DaemonInterface = 127.0.0.1 #' \
+ /etc/bitlbee/bitlbee.conf | wc -l | cut -d ' ' -f 1`
+ if [ 0 -eq $sedtest ]; then
+ false
+ fi
+ cp config/systemfiles/weechat.service \
+ /etc/systemd/system/weechat.service
+ systemctl enable /etc/systemd/system/weechat.service
+
+ # Send instructions mail.
+ config/bin/simplemail.sh config/mails/server_postinstall_finished
+
+ elif [ "$2" = "public" ]; then
+
+ # Set up htwtxt and environment.
+ apt-get -y install screen
+ apt-get -y -t jessie-backports install golang
+ su - plom -c 'git clone https://github.com/plomlompom/htwtxt $GOPATH/src/htwtxt'
+ su - plom -c 'go get htwtxt'
+ path=`su - plom -c 'echo $GOPATH/bin/htwtxt'`
+ su - plom -c 'mkdir -p ~/htwtxt'
+ cp config/systemfiles/htwtxt_restart_reminder.service \
+ /etc/systemd/system/htwtxt_restart_reminder.service
+ systemctl enable /etc/systemd/system/htwtxt_restart_reminder.service
+
+ # Set up nginx and letsencrypt.
+ apt-get -y install nginx
+ cp config/systemfiles/nginx.conf /etc/nginx/nginx.conf
+ cd ~
+ git clone https://github.com/letsencrypt/letsencrypt
+ echo '0 18 * * 0 ~/config/bin/renew_certs.sh' | crontab -
+
+ # Set up plomlombot.
+ apt-get -y install python3 python3-venv python3-pip
+ su - plom -c 'cd && git clone http://github.com/plomlompom/plomlombot-irc'
+ su - plom -c 'mkdir -p ~/plomlombot_db'
+ cp config/systemfiles/plomlombot.service \
+ /etc/systemd/system/plomlombot.service
+ systemctl enable /etc/systemd/system/plomlombot.service
+
+ # Set up plomlombot logging infrastructure.
+ mkdir -p /var/www/html/irclogs/
+ ln -s /home/plom/plomlombot_db/6f322d574618816aa2d6d1ceb4fd2551/3c0248e76a1de3a6ee5bf3421f7379b0/logs/ /var/www/html/irclogs/zrolaps
+ touch /var/www/password_irclogs_zrolaps
+ ln -s /home/plom/plomlombot_db/6f322d574618816aa2d6d1ceb4fd2551/657eea42f86866f2954d39f92a6c71ff/logs/ /var/www/html/irclogs/nodrama.de
+ touch /var/www/password_irclogs_nodrama_de
+ ln -s /home/plom/plomlombot_db/6f322d574618816aa2d6d1ceb4fd2551/a083c5d5efca3734294fa656692990b6/logs/ /var/www/html/irclogs/freakazoid
+ touch /var/www/password_irclogs_freakazoid
+
+ # Set up other web-served directories.
+ su - plom -c 'mkdir -p /home/plom/dump'
+ ln -s /home/plom/dump/ /var/www/html/dump
+ su - plom -c 'mkdir -p /home/plom/geheim'
+ ln -s /home/plom/geheim/ /var/www/html/geheim
+ su - plom -c 'mkdir -p /home/plom/lesekreis'
+ ln -s /home/plom/geheim/ /var/www/html/lesekreis
+ su - plom -c 'mkdir -p /home/plom/zettel'
+ ln -s /home/plom/zettel/ /var/www/html/zettel
+ su - plom -c 'git init --bare /home/plom/zettel.git'
+ su - plom -c 'cp ~/config/systemfiles/post-update ~/zettel.git/hooks/'
+ su - plom -c 'chmod a+x /home/plom/zettel.git/hooks/post-update'
+
+ # Install website generator tools
+ apt-get -y install pandoc wget
+ wget http://news.dieweltistgarnichtso.net/bin/archives/redo-sh.tar.gz
+ tar -oxzf redo-sh.tar.gz -C /usr/local
+ rm redo-sh.tar.gz
+ apt-get --purge autoremove wget
+ fi
+
+elif [ "$1" = "thinkpad" ]; then
+ # Set up networking (wifi!).
+ apt-get -y install firmware-iwlwifi
+ DEBIAN_FRONTEND=noninteractive apt-get -y install wicd-curses
+ sed -i 's/^wired_interface = .*$/wired_interface = eth0/g' \
+ /etc/wicd/manager-settings.conf
+ sed -i 's/^wireless_interface = .*$/wireless_interface = wlan0/g' \
+ /etc/wicd/manager-settings.conf
+ systemctl restart wicd
+
+ # Set up hibernation on lid close.
+ echo 'HandleLidSwitch=hibernate' >> /etc/systemd/logind.conf
+
+ # Set up sound.
+ usermod -aG audio plom
+ apt-get -y install alsa-utils
+ if [ "$2" = "X200s" ]; then
+ amixer -c 0 sset Master playback 100% unmute
+ elif [ "$2" = "T450s" ]; then
+ amixer -c 1 sset Master playback 100% unmute
+ # Re-order souncards so the commonly used one is the first one.
+ echo 'options snd_hda_intel index=1,0' >> /etc/modprobe.d/sound.conf
+ fi
+
+ # Set up window system, i3, redshift.
+ apt-get -y install xserver-xorg xinit xterm i3 i3status dmenu redshift
+
+ # Set up OpenGL and hardware acceleration.
+ if [ "$2" = "X200s" ]; then
+ apt-get -y install i965-va-driver
+ elif [ "$2" = "T450s" ]; then
+ apt-get -y -t jessie-backports install xserver-xorg-video-intel
+ fi
+ apt-get -y install libgl1-mesa-dri
+ usermod -aG video plom
+
+ # Install xrandr.
+ apt-get -y install x11-xserver-utils
+
+ # Set up pentadactyl.
+ apt-get -y install iceweasel xul-ext-noscript
+ apt-get -y -t jessie-backports install xul-ext-pentadactyl
+ apt-get -y install vim-gtk
+ su plom -c 'mkdir -p /home/plom/downloads/'
+
+ # Set up openssh-client.
+ apt-get -y install openssh-client
+fi
+
+# Set password for user.
+passwd plom
+
+# Clean up.
+rm jessie_postinstall.sh
+
+# Finalize everything with a reboot.
+echo "You may reboot now with the 'reboot' command unless there's more to do."
--- /dev/null
+[SYSADMIN] [HTWTXT] Restart reminder
+
+The virtual server hosting the htwtxt server was restarted, so the htwtxt server
+itself needs to be restarted too, via (in screen) its
+~/config/bin/start_htwtxt.sh.
--- /dev/null
+[SYSADMIN] Server post-installation TODO
+
+The server post-installation script seems to have run successfully. Remember to
+perform the following tasks:
+
+- once when mail system set-up seems stable, in
+ config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
+
+- ensure the following DNS TXT record for @: v=spf1 mx -all
+
+- run (as root) config/bin/setup_opendkim.sh $selector to set up system for DKIM
+ key signing, with a second parameter $keyfile if a key already exists; without
+ second parameter, this will generate a new key and print the DNS record to add
+
+- run (as root) config/bin/setup_starttls.sh to set up server-side STARTTLS for
+ mail; optionally run with paths to 1) a key file and 2) a cert file as
+ arguments if those exist to re-use existing ones
+
+- in the screen weechat/bitlbee session (run "screen -dr"), switch to the
+ &bitlbee channel, register with a password ("register", "/oper . [password]"),
+ and set up Jabber account with password ("account add jabber
+ plomlompom@jabber.ccc.de", "/oper . [password]"), then activate it ("account
+ on")
--- /dev/null
+[SYSADMIN] System updating reminder
+
+This is your regular reminder to run:
+
+apt-get update
+apt-get upgrade
+apt-get dist-upgrade
--- /dev/null
+[SYSADMIN] weechat restarted, re-identify!
+
+Your weechat was restarted, so don't forget to re-identify on freenode to
+nickserv via "/msg nickserv identify [password]", and on bitlbee by joining
+&bitlbee, "identify", "/oper . [password]", and "account on".
--- /dev/null
+some stuff I need to incorporate later on:
+
+the blog post-update git hook:
+
+
+
+#!/bin/sh
+blog_dir=~/blog
+export GIT_DIR=$(pwd)
+export GIT_WORK_TREE="$blog_dir"
+git checkout -f
+cd "$GIT_WORK_TREE"
+redo
+git add metadata/author metadata/url metadata/title metadata/*.tmpl metadata/automatic_metadata captchas/linkable/*
+count=$(ls -1 metadata/*.automatic_metadata 2>/dev/null | wc -l)
+if [ "$count" != 0 ]; then
+ git add metadata/*.automatic_metadata
+fi
+status=$(git status -s)
+n_updates=$(printf "$status" | grep -vE '^\?\?' | wc -l)
+if [ "$n_updates" -gt 0 ]; then
+ git commit -a -m 'Update metadata'
+fi
+
+
+furthermore, the url_catcher virtualenv run.sh script needs this (to compile uwsgi):
+
+apt-get install python3.4-dev
+
+
+also, these:
+
+# /etc/systemd/system/url_catcher.service
+
+[Unit]
+Description=URL catcher
+
+[Service]
+Type=forking
+User=plom
+ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 screen -d -m ~/url_catcher.sh'
+
+[Install]
+WantedBy=multi-user.target
+
+
+
+and url_catcher.sh:
+
+#!/bin/sh
+
+cd ~
+cd url-catcher
+./run.sh
--- /dev/null
+# for minetest sound to work
+[alsa]
+mmap = false
--- /dev/null
+# using hdmi0 for TV stereo, hdmi1 for a 5.1 speaker set-up
+# unfortunately, a non-square speaker number creates some noise
+# therefore for hdmi1 we declare 8 speakers, but re-map them to 6 speakers
+pcm.hdmi0 {
+ type hw
+ card 0
+}
+pcm.hdmi1 {
+ type route
+ slave {
+ pcm "hw:1,0"
+ channels 8
+ }
+ ttable {
+ 0.0 = 1
+ 1.1 = 1
+ 2.2 = 1
+ 3.3 = 1
+ 4.4 = 1
+ 5.5 = 1
+ 6.0 = 0.5
+ 6.2 = 0.5
+ 7.1 = 0.5
+ 7.3 = 0.5
+ }
+}
+
+# upmix stereo to 5.1 – so we can watch stereo YouTube on all speakers
+# with this: $ chromium-browser --alsa-output-device=stereo51
+# (numbers taken from <https://www.volkerschatz.com/noise/alsa.html>)
+pcm.stereo51 {
+ type route
+ slave {
+ pcm "hw:1,0"
+ channels 8
+ }
+ ttable {
+ 0.0 = 1
+ 0.2 = -0.6
+ 0.3 = -0.39
+ 0.4 = 0.5
+ 0.5 = 0.5
+ 1.1 = 1
+ 1.2 = -0.6
+ 1.3 = -0.39
+ 1.4 = 0.5
+ 1.5 = 0.5
+ }
+}
+
+# default to hdmi0, overwrite with AUDIO_HDMI=1 env prefix
+pcm.!default {
+ type plug
+ slave.pcm {
+ @func concat
+ strings [
+ "hdmi"
+ {
+ @func getenv
+ vars [ AUDIO_HDMI ]
+ default "0"
+ }
+ ]
+ }
+}
+ctl.!default {
+ type hw
+ card {
+ @func getenv
+ vars [ AUDIO_HDMI ]
+ default 0
+ }
+}
--- /dev/null
+# for whatever reason, emulationstation gets some strange screen flicker issues
+# if the second display is activated, so ensure it is only started with that off
+alias emulationstation="xrandr --output HDMI-2 --off && emulationstation"
+
+# since the second HDMI only outputs sound with video, we have to ensure it's
+# activated with xrandr if we want to use it for surround sound setup
+alias mpv51="xrandr --output HDMI-2 --auto && AUDIO_HDMI=1 mpv --alsa-ignore-chmap '--audio-channels=5.1(alsa)'"
+alias chromium-upmix="xrandr --output HDMI-2 --auto && chromium-browser --alsa-output-device=stereo51"
+alias alsamixer51="AUDIO_HDMI=1 alsamixer"
+# see vlc -H why these
+alias vlc51="xrandr --output HDMI-2 --auto && vlc --alsa-audio-device=hdmi1 --alsa-audio-channels=4199"
--- /dev/null
+#!/bin/sh
+
+set -e
+set -x
+
+url=$1
+
+ensure_line() {
+ add_string="$1"
+ file="$2"
+ test=`grep "$add_string" "$file" | wc -l`
+ if [ $test -lt 1 ]; then
+ echo "$add_string" >> "$file"
+ fi
+}
+
+filename=temp_golang_binary
+
+if [ "$url" = "" ]; then
+ echo 'Need URL of current go package'
+ exit 1
+fi
+sudo rm -rf /usr/local/go
+sudo apt-get -y install wget
+wget -O $filename $url
+sudo tar -C /usr/local -xzf $filename
+rm $filename
+ensure_line 'export PATH=$PATH:/usr/local/go/bin' ~/.shinit_add
+ensure_line 'export GOPATH=~/gopath' ~/.shinit_add
+sudo apt-get -y install vim-pathogen
+rm -rf ~/.vim/bundle/vim-go
+git clone https://github.com/fatih/vim-go.git ~/.vim/bundle/vim-go
+ensure_line 'source ~/.vimrc_vimgo' ~/.vimrc_add
+cat << EOF > ~/.vimrc_vimgo
+" vim-go: Make vim-go run.
+call pathogen#infect()
+let g:go_disable_autoinstall = 0
+" vim-go: Highlight
+let g:go_highlight_functions = 1
+let g:go_highlight_methods = 1
+let g:go_highlight_structs = 1
+let g:go_highlight_operators = 1
+let g:go_highlight_build_constraints = 1
+EOF
--- /dev/null
+# needed for rtorrent config setup
+curl
+# needed for torrenting
+rtorrent
+# needed for torrenting session
+screen
+# needed for upload/download
+rsync
--- /dev/null
+# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
+
+# This is the sshd server system-wide configuration file. See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented. Uncommented options override the
+# default value.
+
+Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
+#HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+#LogLevel INFO
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin no # plomlompom's security rule
+#StrictModes yes
+#MaxAuthTries 6
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# Expect .ssh/authorized_keys2 to be disregarded by default in future.
+#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin yes
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding yes
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#UseLogin no
+#UsePrivilegeSeparation sandbox
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+# X11Forwarding no
+# AllowTcpForwarding no
+# PermitTTY no
+# ForceCommand cvs server
+
+ClientAliveInterval 120
+PasswordAuthentication no # plomlompom's security rule
--- /dev/null
+#!/bin/sh
+# This script turns a fresh server with password-based root access into
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location of an sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/public_repos/config/stretch"
+linkable_files_dir="${config_tree_prefix}/etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# This will be used to log-in as root from plom account.
+echo 'First, enter the old root password; then enter new password twice.'
+ssh root@"${server}" "passwd"
+
+# Save root password for sshpass
+stty -echo
+printf "Re-enter new server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+ 'useradd -m plom && '\
+ 'mkdir /home/plom/.ssh && '\
+ 'chown plom:plom /home/plom/.ssh && '\
+ 'chown plom:plom /tmp/authorized_keys && '\
+ 'chmod u=rw,go= /tmp/authorized_keys && '\
+ 'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
--- /dev/null
+#!/bin/sh
+# Walks through the package names in the argument-selected files of
+# apt-mark/ and ensures the respective packages are installed.
+#
+# Ignores anything in an apt-mark/ file after the last newline.
+set -e
+
+config_tree_prefix="${HOME}/config/stretch"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ # TODO: continue if file at $path not found, to get rid of dummy files
+ cat "${path}" | while read line; do
+ echo "$line"
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=--force-confold install "${line}"
+ fi
+ done
+done
--- /dev/null
+#!/bin/sh
+set -e
+
+./install_for_target.sh seedbox
+
+# As according to <https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template>
+su -lc "curl -Ls 'https://raw.githubusercontent.com/wiki/rakshasa/rtorrent/CONFIG-Template.md' | grep -A9999 '^######' | grep -B9999 '^### END' | sed -re \"s:/home/USERNAME:\$HOME:\" >~/.rtorrent.rc" plom
+su -lc "echo 'pieces.hash.on_completion.set = no' >> ~/.rtorrent.rc" plom
+su -lc "mkdir ~/rtorrent" plom
+
+# As according to <https://unix.stackexchange.com/a/475485>
+chmod u+s /usr/bin/screen
+chmod 755 /var/run/screen
--- /dev/null
+# /etc/aliases
+
+# As per RFC 2142.
+mailer-daemon: plom
+postmaster: plom
+hostmaster: plom
+usenet: plom
+news: plom
+webmaster: plom
+www: plom
+ftp: plom
+abuse: plom
+noc: plom
+security: plom
+root: plom
+
+# Personal aliases.
+plomlompom: plom
+christian.heller: plom
+christian_heller: plom
+christianheller: plom
+c.heller: plom
+heller: plom
--- /dev/null
+# /etc/systemd/system/weechat.service
+
+[Unit]
+Description=htwtxt restart reminder
+
+[Service]
+Type=forking
+User=plom
+ExecStart=/bin/sh -c '~/config/bin/simplemail_out.sh ~/config/mails/htwtxt_restart'
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+# /etc/postfix/main.cf
+
+# Use maildrop as MDA.
+mailbox_command = /usr/bin/maildrop
+
+# Restrictive relaying policy.
+smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination
+
+# What domains to receive mail for: names of local server.
+mydestination = HOSTNAME, localhost
+
+# What clients to relay mail from: only local server.
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+
+# Paranoid maximum error notification.
+notify_classes=2bounce, bounce, data, delay, policy, protocol, resource, software
--- /dev/null
+# system integration
+user www-data;
+pid /run/nginx.pid;
+
+# is expected even if empty
+events {
+}
+
+http {
+ # define content-type headers
+ types {
+ text/html html htm shtml;
+ text/css css;
+ text/xml xml;
+ text/plain txt sh rst md;
+ application/xhtml+xml xhtml;
+ application/pdf pdf;
+ image/jpeg jpg jpeg;
+ image/png png;
+ }
+ default_type application/octet_stream;
+ charset utf-8;
+
+ # logging
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ # enforce https
+ server {
+ listen 80;
+ return 301 https://$host$request_uri;
+ }
+
+ # IRC logs
+ server {
+ listen 443 ssl;
+ server_name dump.plomlompom.com;
+ ssl_certificate /etc/letsencrypt/live/dump.plomlompom.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dump.plomlompom.com/privkey.pem;
+ root /var/www/html/;
+ location /zettel/ {
+ # rewrite non-suffixed filenames to .html ones
+ rewrite ^(/zettel/(.*/)*[^./]+)$ $1.html;
+ autoindex on;
+ }
+ location /dump/ {
+ autoindex on;
+ }
+ location /geheim/ {
+ auth_basic "geheim geheim";
+ auth_basic_user_file /var/www/password_geheim;
+ autoindex on;
+ }
+ location /irclogs/zrolaps/ {
+ auth_basic "#zrolaps logs";
+ auth_basic_user_file /var/www/password_irclogs_zrolaps;
+ autoindex on;
+ }
+ location /irclogs/nodrama.de/ {
+ auth_basic "#nodrama.de logs";
+ auth_basic_user_file /var/www/password_irclogs_nodrama_de;
+ autoindex on;
+ }
+ location /irclogs/freakazoid/ {
+ auth_basic "#freakazoid logs";
+ auth_basic_user_file /var/www/password_irclogs_freakazoid;
+ autoindex on;
+ }
+ location /lesekreis/ {
+ auth_basic "Quellen Lesekreis";
+ auth_basic_user_file /var/www/password_lesekreis;
+ autoindex on;
+ }
+ location /uwsgi/ {
+ include uwsgi_params;
+ uwsgi_pass 127.0.0.1:3031;
+ }
+ }
+
+ # htwtxt
+ server {
+ listen 443 ssl;
+ server_name htwtxt.plomlompom.com;
+ ssl_certificate /etc/letsencrypt/live/htwtxt.plomlompom.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/htwtxt.plomlompom.com/privkey.pem;
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ }
+ }
+}
--- /dev/null
+# The domain for which mails are signed.
+Domain plomlompom.com
+
+# Location of the private key to sign mails with.
+KeyFile /etc/opendkim/dkim.key
+
+# Identifies the signing key; useful when replacing it.
+#Selector keyname
+
+# Canonicalize the body strictly for signing, but the header (more legitimately
+# subject to reformatting by forwarding servers) less so.
+Canonicalization relaxed/simple
+
+# Invalidate the signature of mails to which additional From fields were added
+# after the signing. (See RFC for details on how this works.)
+OversignHeaders From
+
+# Where to communicate with the MTA.
+Socket inet:12301@localhost
+
+# Don't act as root.
+UserID opendkim:opendkim
--- /dev/null
+# /etc/systemd/system/plomlombot.service
+
+[Unit]
+Description=plomlombot screen
+
+[Service]
+Type=forking
+User=plom
+ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 screen -d -m ~/config/bin/plomlombot.sh && screen -d -m ~/config/bin/broiler_in.sh && screen -d -m ~/config/bin/hubbabubba.sh && screen -d -m ~/config/bin/zinskritik.sh'
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+#!/bin/sh
+ZETTELDIR=/home/plom/zettel
+GIT_WORK_TREE=$ZETTELDIR git checkout -f
+cd $ZETTELDIR
+redo
--- /dev/null
+# /etc/systemd/system/weechat.service
+
+[Unit]
+Description=weechat screen
+
+[Service]
+Type=forking
+User=plom
+ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 screen -d -m ~/config/bin/weechat-wrapper.sh'
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+#!/bin/sh
+set -e
+
+if [ "$#" -ne 1 ]; then
+ echo "Need exactly one argument: public key ID."
+ false
+fi
+gpg_key="$1"
+keyservers='keyserver.ubuntu.com pgp.surf.nl pgp.rediris.es'
+set +e
+for keyserver in $(echo "${keyservers}"); do
+ gpg --no-tty --keyserver $keyserver --send-key "${gpg_key}"
+done
+set -e
+++ /dev/null
-#!/bin/sh
-cd ~/plomlombot-irc
-./run.sh -r 604800 -n broiler_in "#nodrama.de"
+++ /dev/null
-#!/bin/sh
-cd ~/plomlombot-irc
-./run.sh -r 604800 -n hubbabubba "#freakazoid"
+++ /dev/null
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-# Inspired by http://code.stapelberg.de/git/i3status/tree/contrib/wrapper.py
-
-import sys
-import json
-import subprocess
-
-def print_nonbuffered(message):
- sys.stdout.write(message)
- sys.stdout.flush()
-
-if __name__ == '__main__':
- print_nonbuffered(sys.stdin.readline())
- print_nonbuffered(sys.stdin.readline())
- while True:
- line, prefix = sys.stdin.readline(), ''
- if line.startswith(','):
- line, prefix = line[1:], ','
- j = json.loads(line)
- if '1' == subprocess.getoutput('xset q | grep LED')[65]:
- j.insert(len(j), {'full_text' : 'CAPS',
- 'separator_block_width': 40,
- 'color': '#FF0000'})
- print_nonbuffered(prefix+json.dumps(j))
+++ /dev/null
-#!/bin/sh
-
-set -e
-set -x
-
-~/letsencrypt/letsencrypt-auto certonly --standalone -d dump.plomlompom.com
-~/letsencrypt/letsencrypt-auto certonly --standalone -d htwtxt.plomlompom.com
+++ /dev/null
-#!/bin/sh
-
-eth_interface=enp0s25
-wifi_interface=wls1
-
-ensure_wifi_on() {
- if [ ! "$(wifi)" = "wifi = on" ]; then
- #wifi on
- ip link set "$wifi_interface" up
- fi
-}
-
-if ! echo "${1}"; then
- echo 'No command given.'
- print_usage
- exit 1
-elif [ "${1}" = 'eth_connect' ]; then
- ip link set "$eth_interface" up
- dhclient "$eth_interface"
-
-elif [ "${1}" = 'eth_disconnect' ]; then
- ip link set "$eth_interface" down
-
-elif [ "${1}" = 'wifi_scan' ]; then
- ensure_wifi_on
- ip link set "$wifi_interface" up
- iw dev "$wifi_interface" scan | grep SSID
-
-elif [ "${1}" = 'wifi_connect_open' ]; then
- ensure_wifi_on
- iw dev "$wifi_interface" connect "${2}"
- dhclient "$wifi_interface"
- #ip route delete default
- #ip route add default via 192.168.1.1 dev wls1
-
-elif [ "${1}" = 'wifi_connect_wep_ascii' ]; then
- ensure_wifi_on
- iw dev "$wifi_interface" connect "${2}" key 0:"${3}"
- dhclient "$wifi_interface"
-
-elif [ "${1}" = 'wifi_connect_wep_hex' ]; then
- ensure_wifi_on
- iw dev "$wifi_interface" connect "${2}" key d:0:"${3}"
- dhclient "$wifi_interface"
-
-elif [ "${1}" = 'wifi_connect_wpa' ]; then
- ensure_wifi_on
- wpa_passphrase "${2}" "${3}" > /tmp/wpa_supplicant.conf
- wpa_supplicant -B -i "$wifi_interface" -c /tmp/wpa_supplicant.conf
- dhclient "$wifi_interface"
-
-elif [ "${1}" = 'wifi_disconnect' ]; then
- ip link set "$wifi_interface" down
-
-else
- echo 'Available commands:'
- echo ' eth_connect'
- echo ' eth_disconnect'
- echo ' wifi_scan'
- echo ' wifi_connect_open SSID'
- echo ' wifi_connect_wep_ascii SSID KEY'
- echo ' wifi_connect_wep_hex SSID KEY'
- echo ' wifi_connect_wpa SSID KEY'
- echo ' wifi_disconnect'
-fi
+++ /dev/null
-#!/bin/sh
-cd ~/plomlombot-irc
-./run.sh -r 604800 -n botlomplom "#zrolaps"
+++ /dev/null
-#!/bin/sh
-
-service nginx stop
-~/letsencrypt/letsencrypt-auto renew
-service nginx restart
+++ /dev/null
-#!/bin/sh
-set -e
-selector=$1
-file=$2
-
-if [ ! -n "$selector" ]; then
- cat << EOF
-Usage: $0 SELECTOR [KEYFILE] - set up DKIM system and configuration
-
-If existing KEYFILE is given, set up DKIM to use SELECTOR and apply key from
-KEYFILE.
-
-If existing KEYFILE is not given, generate KEYFILE and DNS TXT file for
-SELECTOR.
-EOF
- exit
-fi
-
-if [ ! "$(id -u)" -eq "0" ]; then
- echo "Must be run as root."
- exit 1
-fi
-
-set -x
-apt-get -y install opendkim
-
-if [ ! -n "$file" ]; then
- apt-get -y install opendkim-tools
- opendkim-genkey -d plomlompom.com -s $selector
- apt-get -y --purge autoremove opendkim-tools
- set +x
- echo
- echo 'Generated key file at '$selector'.private.'
- echo 'Also generated '$selector'.txt, APPLY its content below to your DNS' \
- 'record.'
- echo 'AFTER the waiting time for DNS propagation RERUN this script with' \
- 'the key file as SECOND parameter (still use selector as first one).'
- echo
- cat $selector.txt
-else
- if [ ! -f "$file" ]; then
- set +x
- echo
- echo "Keyfile $file does not exist."
- exit 1
- fi
- cp ~/config/systemfiles/opendkim.conf /etc/opendkim.conf
- sed -r -i 's/^#Selector .*$/Selector '$selector'/' /etc/opendkim.conf
- mkdir -p /etc/opendkim
- if [ -f /etc/opendkim/dkim.key ]; then
- cp /etc/opendkim/dkim.key /etc/opendkim/dkim.key~
- fi
- cp $file /etc/opendkim/dkim.key
- cp ~/config/systemfiles/main.cf /etc/postfix/main.cf
- cat >> /etc/postfix/main.cf << EOF
-
-# Use opendkim at given port as mail filter.
-non_smtpd_milters = inet:localhost:12301
-EOF
- service opendkim restart
- service postfix restart
- set +x
- echo
- echo 'Ensure the DKIM TXT entry in your DNS record matches!'
-fi
+++ /dev/null
-#!/bin/sh
-set -x
-set -e
-key=$1
-cert=$2
-
-if [ ! "$(id -u)" -eq "0" ]; then
- echo "Must be run as root."
- exit 1
-fi
-
-key_target=/etc/postfix/key.pem
-if [ ! -n "$key" ]; then
- if [ ! -f "${key_target}" ]; then
- (umask 077; openssl genrsa -out "${key_target}" 2048)
- fi
-else
- cp "$key" "${key_target}"
-fi
-
-fqdn=$(postconf -h myhostname)
-cert_target=/etc/postfix/cert.pem
-if [ ! -n "$cert" ]; then
- if [ ! -f "${cert_target}" ]; then
- openssl req -new -key "${key_target}" -x509 -subj "/CN=${fqdn}" -days 3650 -out "${cert_target}"
- fi
-else
- cp "$cert" "${cert_target}"
-fi
-
-cat >> /etc/postfix/main.cf << EOF
-
-# Enable server-side STARTTLS.
-smtpd_tls_cert_file = /etc/postfix/cert.pem
-smtpd_tls_key_file = /etc/postfix/key.pem
-smtpd_tls_security_level = may
-EOF
-service postfix restart
+++ /dev/null
-#!/bin/sh
-#
-# This mails to user plom the message in the file named by the first parameter,
-# decoded with the first line as subject and everything below the second line
-# as the message body.
-
-subject=`head -1 $1`
-body=`tail -n +3 $1`
-echo "$body" | mutt -s "$subject" plom
+++ /dev/null
-#!/bin/sh
-#
-# This mails to plom@plomlompom.com the message in the file named by the first
-# parameter, decoded with the first line as subject and everything below the
-# second line as the message body.
-
-subject=`head -1 $1`
-body=`tail -n +3 $1`
-echo "$body" | mutt -s "$subject" plom@plomlompom.com
+++ /dev/null
-#!/bin/sh
-$GOPATH/bin/htwtxt \
- --contact 'see http://www.plomlompom.de/' \
- --mailport 587 \
- --mailserver smtp.gmail.com \
- --mailuser christian.heller@gmail.com \
- --port 8000 \
- --signup
+++ /dev/null
-#!/bin/sh
-
-set -x
-set -e
-
-dir_minimal=~/config/dotfiles/minimal
-dir_user_prefix=~/config/dotfiles/user
-dir_user_minimal=$dir_user_prefix/minimal
-dir_user_machine=$dir_user_prefix/$1/minimal
-if [ "$3" = "" ]; then
- dir_user_variety=$dir_user_prefix/$1/$2
-else
- dir_user_variety=$dir_user_prefix/$1/$2/minimal
-fi
-dir_user_subvariety=$dir_user_prefix/$1/$2/$3
-dir_root=~/config/dotfiles/root
-homedir=`echo ~`
-find ~ -lname $homedir'/config/*' -delete
-for file in `ls $dir_minimal`; do
- ln -fs $dir_minimal/$file ~/.$file
-done
-if [ "$(id -u)" -eq "0" ]; then
- for file in `ls $dir_root`; do
- ln -fs $dir_root/$file ~/.$file
- done
-else
- for file in `ls $dir_user_minimal`; do
- ln -fs $dir_user_minimal/$file ~/.$file
- done
- for file in `ls $dir_user_machine`; do
- ln -fs $dir_user_machine/$file ~/.$file
- done
- for file in `ls $dir_user_variety`; do
- ln -fs $dir_user_variety/$file ~/.$file
- done
- if [ ! "$3" = "" ]; then
- for file in `ls $dir_user_subvariety`; do
- ln -fs $dir_user_subvariety/$file ~/.$file
- done
- fi
-fi
+++ /dev/null
-#!/bin/sh
-
-# A very primitive backlight setter with a hardcoded backlight path, to replace
-# xbacklight which currently does not work on my system.
-
-if ! echo "${1}" | egrep -q '^[0-9]+$' && ! [ "${1}" = "+" -o "${1}" = "-" ]; then
- echo 'Argument must be a number, or "+", or "-".'
- exit 1
-fi
-backlight_dir=/sys/class/backlight/intel_backlight
-max_brightness=$(cat "${backlight_dir}"/max_brightness)
-target="${backlight_dir}"/brightness
-if [ "${1}" = "+" -o "${1}" = "-" ]; then
- fract=$(expr "${max_brightness}" / 20)
- cur_brightness=$(cat "${backlight_dir}"/brightness)
- brightness=$(expr "${cur_brightness}" "${1}" "${fract}")
- if [ "${brightness}" -gt "${max_brightness}" ]; then
- brightness="${max_brightness}"
- elif [ "${brightness}" -lt "0" ]; then
- brightness=0
- fi
- sudo sh -c 'echo '"${brightness}"' > '"${target}"
- exit 0
-fi
-percentage=${1}
-if [ "${percentage}" = '100' ]; then
- sudo sh -c 'echo '"${max_brightness}"' > '"${target}"
-else
- fract=$(expr "${max_brightness}" / 100)
- brightness=$(expr "${percentage}" \* "${fract}")
- sudo sh -c 'echo '"${brightness}"' > '"${target}"
-fi
+++ /dev/null
-#!/bin/sh
-
-# Undo bumblebee setup.
-sudo service bumblebeed stop
-sudo modprobe nvidia-drm
-sudo update-alternatives --set glx /usr/lib/nvidia
-
-# Use special xorg.conf and pass NVIDIA_DIRECT directive to .xinitrc.
-NVIDIA_DIRECT=1 startx -- -config xorg.conf.forced_nvidia
-
-# Recreate bumblebee setup.
-sudo service bumblebeed start
-sudo update-alternatives --auto glx
+++ /dev/null
-#!/bin/sh
-
-# Enforce ~/.weechatrc as sole persistent weechat config file.
-~/config/bin/simplemail.sh ~/config/mails/weechat_restart_reminder
-rm -rf ~/.weechat/
-WEECHATCONF=`tr '\n' ';' < ~/.weechatrc`
-weechat -r "$WEECHATCONF"
-rm -rf ~/.weechat/
+++ /dev/null
-#!/bin/sh
-
-check_wifi_id_set() {
- if ! echo "${1}" | egrep -q '^[0-9]+$'; then
- echo 'Wifi identifier must be integer.'
- exit 1
- fi
-}
-
-ensure_wifi_on() {
- if [ ! "$(wifi)" = "wifi = on" ]; then
- sudo wifi on
- fi
-}
-
-print_usage() {
- echo 'Available commands:'
- echo ' eth_connect'
- echo ' eth_disconnect'
- echo ' wifi_scan'
- echo ' wifi_info WIFI_ID'
- echo ' wifi_set_wpa WIFI_ID KEY'
- echo ' wifi_connect WIFI_ID'
- echo ' wifi_disconnect'
-}
-
-if ! echo "${1}"; then
- echo 'No command given.'
- print_usage
- exit 1
-elif [ "${1}" = 'eth_connect' ]; then
- wicd-cli --wired --connect
-
-elif [ "${1}" = 'eth_disconnect' ]; then
- wicd-cli --wired --disconnect
-
-elif [ "${1}" = 'wifi_scan' ]; then
- ensure_wifi_on
- wicd-cli --wireless --scan
- wicd-cli --wireless --list-networks
-
-elif [ "${1}" = 'wifi_info' ]; then
- check_wifi_id_set "${2}"
- wicd-cli --wireless --network="${2}" --network-details
-
-elif [ "${1}" = 'wifi_set_wpa' ]; then
- check_wifi_id_set "${2}"
- if ! echo "${3}" ; then
- echo 'No key set.'
- exit 1
- fi
- wicd-cli --wireless --network="${2}" --network-property=enctype --set-to=wpa
- wicd-cli --wireless --network="${2}" --network-property=key --set-to="${3}"
-
-elif [ "${1}" = 'wifi_connect' ]; then
- ensure_wifi_on
- check_wifi_id_set "${2}"
- wicd-cli --wireless --network="${2}" --connect
-
-elif [ "${1}" = 'wifi_disconnect' ]; then
- wicd-cli --wireless --disconnect
-
-else
- echo 'Unknown command.'
- print_usage
- exit 1
-fi
+++ /dev/null
-#!/bin/sh
-cd ~/plomlombot-irc
-./run.sh -r 604800 -n histomat "#freie-gesellschaft"
+++ /dev/null
-# connectivity: ifupdown seems necessary everyhwere, isc-dhcp-client
-# unpredictably so
-ifupdown
-isc-dhcp-client
-# git for the setup directory; cloning works with ca-certificates
-ca-certificates
-git
-# to avoid constant warnings about no locale being found
-locales
-# extremely useful for basic network debugging; missed these more than once in an emergency
-netcat
-iputils-ping
+++ /dev/null
-# so that grub learns about kernel updates
-grub-pc
+++ /dev/null
-wget
-# for blog and zettel
-pandoc
-# for blog
-html2text
-uuid-runtime
-python3
-# for url_catcher daemon
-python3-venv
-build-essential
-python3-dev
-screen
-postfix
+++ /dev/null
-# for wifi
-firmware-ralink
-#
+++ /dev/null
-# smtp server
-postfix
-# opendkim
-opendkim
-opendkim-tools
-# for pingmail
-mailutils
-# ssl
-certbot
-# IMAPS
-pwgen
-dovecot-imapd
-# sieve filtering
-dovecot-lmtpd
-dovecot-sieve
-# to funnel mail from additional server
-fetchmail
+++ /dev/null
-# because it contains ifconfig
-net-tools
+++ /dev/null
-ffmpeg
-postgresql
-postgresql-contrib
-openssl
-redis-server
-python-dev
-# only needed for setup
-g++
-make
-git
-curl
-unzip
-libncurses5
-pwgen
-wget
+++ /dev/null
-weechat
-screen
-gnupg
-dirmngr
+++ /dev/null
-# Pleroma DB
-postgresql
-postgresql-contrib
-# only needed for setup
-pwgen
+++ /dev/null
-# only needed for setup
-curl
-unzip
-libncurses5
+++ /dev/null
-# only needed for setup
-build-essential
-wget
-gnupg
+++ /dev/null
-# needed for rtorrent config setup
-curl
-# needed for torrenting
-rtorrent
-# needed for torrenting session
-screen
-# needed for upload/download
-rsync
+++ /dev/null
-# so we can login at all …
-openssh-server
-# firewalling
-nftables
-# We want to be able to use ALL our servers as borg backup destinations.
-borgbackup
+++ /dev/null
-# for wifi
-firmware-iwlwifi
-# for tlp
-tlp
-tp-smapi-dkms
-linux-headers-amd64
-#
+++ /dev/null
-# to avoid booting problems with encrypted LVM, see <https://askubuntu.com/a/1105848>
-cryptsetup-initramfs
-lvm2
-# this provides setupcon which reads /etc/default/console-setup
-console-setup
-# without this, systemd-logind won't run, and so not detect lid close for hibernation
-dbus
-# for wifi
-wicd-curses
-wicd-gtk
-# for X to start at all
-xserver-xorg-video-intel
-# X input: keyboard and touchpad
-xserver-xorg-input-evdev
-xserver-xorg-input-synaptics
-# for startx
-xinit
-# for xrdb
-x11-xserver-utils
-# for startx to run for non-root user
-libpam-systemd
-# window environment
-i3
-i3status
-suckless-tools
-xterm
-# to get sleepy at night
-redshift
-# for alsamixer
-alsa-utils
-# for xterm and browser unicode display
-ttf-unifont
-# also useful
-vim
-sudo
-less
-man-db
-manpages
-procps
-# firefox dependencies
-libdbus-glib-1-2
-libgtk-3-0
-# firefox installation dependencies (remove later?)
-curl
-python3
-bzip2
-wget
-jq
-unzip
-# to mount encrypted USB stick and use its contents
-pmount
-cryptsetup
-openssh-client
-# for syncing
-borgbackup
-# emacs
-emacs25
-emacs-common-non-dfsg
-emacs-el
-elpa-ledger
-ledger
-elpa-elfeed
-# mail setup
-isync
-notmuch
-elpa-notmuch
-pinentry-gtk2
-# to mount Android phone
-go-mtpfs
-# to use HP Deskjet F380 scanner from GIMP
-sane-utils
-libsane-hpaio
-xsane
-# to use HP Deskjet F380 printer
-cups
-hplip
-#
+++ /dev/null
-nginx-light
-# for SSL
-certbot
-python3-certbot-nginx
+++ /dev/null
-# for gitweb
-gitweb
-fcgiwrap
-# for plomlombot
-gnupg
-dirmngr
-python3-venv
-screen
+++ /dev/null
-APT::AutoRemove::RecommendsImportant "false";
-APT::AutoRemove::SuggestsImportant "false";
-APT::Install-Recommends "false";
-APT::Install-Suggests "false";
+++ /dev/null
-deb http://deb.debian.org/debian buster main contrib non-free
-deb http://deb.debian.org/debian-security/ buster/updates main contrib non-free
-deb http://deb.debian.org/debian buster-updates main contrib non-free
-deb http://ftp.debian.org/debian buster-backports main contrib non-free
+++ /dev/null
-LANG="en_US.UTF-8"
+++ /dev/null
-# This file lists locales that you wish to have built. You can find a list
-# of valid supported locales at /usr/share/i18n/SUPPORTED, and you can add
-# user defined locales to /usr/local/share/i18n/SUPPORTED. If you change
-# this file, you need to rerun locale-gen.
-
-
-# aa_DJ ISO-8859-1
-# aa_DJ.UTF-8 UTF-8
-# aa_ER UTF-8
-# aa_ER@saaho UTF-8
-# aa_ET UTF-8
-# af_ZA ISO-8859-1
-# af_ZA.UTF-8 UTF-8
-# ak_GH UTF-8
-# am_ET UTF-8
-# an_ES ISO-8859-15
-# an_ES.UTF-8 UTF-8
-# anp_IN UTF-8
-# ar_AE ISO-8859-6
-# ar_AE.UTF-8 UTF-8
-# ar_BH ISO-8859-6
-# ar_BH.UTF-8 UTF-8
-# ar_DZ ISO-8859-6
-# ar_DZ.UTF-8 UTF-8
-# ar_EG ISO-8859-6
-# ar_EG.UTF-8 UTF-8
-# ar_IN UTF-8
-# ar_IQ ISO-8859-6
-# ar_IQ.UTF-8 UTF-8
-# ar_JO ISO-8859-6
-# ar_JO.UTF-8 UTF-8
-# ar_KW ISO-8859-6
-# ar_KW.UTF-8 UTF-8
-# ar_LB ISO-8859-6
-# ar_LB.UTF-8 UTF-8
-# ar_LY ISO-8859-6
-# ar_LY.UTF-8 UTF-8
-# ar_MA ISO-8859-6
-# ar_MA.UTF-8 UTF-8
-# ar_OM ISO-8859-6
-# ar_OM.UTF-8 UTF-8
-# ar_QA ISO-8859-6
-# ar_QA.UTF-8 UTF-8
-# ar_SA ISO-8859-6
-# ar_SA.UTF-8 UTF-8
-# ar_SD ISO-8859-6
-# ar_SD.UTF-8 UTF-8
-# ar_SS UTF-8
-# ar_SY ISO-8859-6
-# ar_SY.UTF-8 UTF-8
-# ar_TN ISO-8859-6
-# ar_TN.UTF-8 UTF-8
-# ar_YE ISO-8859-6
-# ar_YE.UTF-8 UTF-8
-# as_IN UTF-8
-# ast_ES ISO-8859-15
-# ast_ES.UTF-8 UTF-8
-# ayc_PE UTF-8
-# az_AZ UTF-8
-# be_BY CP1251
-# be_BY.UTF-8 UTF-8
-# be_BY@latin UTF-8
-# bem_ZM UTF-8
-# ber_DZ UTF-8
-# ber_MA UTF-8
-# bg_BG CP1251
-# bg_BG.UTF-8 UTF-8
-# bhb_IN.UTF-8 UTF-8
-# bho_IN UTF-8
-# bn_BD UTF-8
-# bn_IN UTF-8
-# bo_CN UTF-8
-# bo_IN UTF-8
-# br_FR ISO-8859-1
-# br_FR.UTF-8 UTF-8
-# br_FR@euro ISO-8859-15
-# brx_IN UTF-8
-# bs_BA ISO-8859-2
-# bs_BA.UTF-8 UTF-8
-# byn_ER UTF-8
-# ca_AD ISO-8859-15
-# ca_AD.UTF-8 UTF-8
-# ca_ES ISO-8859-1
-# ca_ES.UTF-8 UTF-8
-# ca_ES.UTF-8@valencia UTF-8
-# ca_ES@euro ISO-8859-15
-# ca_ES@valencia ISO-8859-15
-# ca_FR ISO-8859-15
-# ca_FR.UTF-8 UTF-8
-# ca_IT ISO-8859-15
-# ca_IT.UTF-8 UTF-8
-# ce_RU UTF-8
-# chr_US UTF-8
-# cmn_TW UTF-8
-# crh_UA UTF-8
-# cs_CZ ISO-8859-2
-# cs_CZ.UTF-8 UTF-8
-# csb_PL UTF-8
-# cv_RU UTF-8
-# cy_GB ISO-8859-14
-# cy_GB.UTF-8 UTF-8
-# da_DK ISO-8859-1
-# da_DK.UTF-8 UTF-8
-# de_AT ISO-8859-1
-# de_AT.UTF-8 UTF-8
-# de_AT@euro ISO-8859-15
-# de_BE ISO-8859-1
-# de_BE.UTF-8 UTF-8
-# de_BE@euro ISO-8859-15
-# de_CH ISO-8859-1
-# de_CH.UTF-8 UTF-8
-# de_DE ISO-8859-1
-# de_DE.UTF-8 UTF-8
-# de_DE@euro ISO-8859-15
-# de_IT ISO-8859-1
-# de_IT.UTF-8 UTF-8
-# de_LI.UTF-8 UTF-8
-# de_LU ISO-8859-1
-# de_LU.UTF-8 UTF-8
-# de_LU@euro ISO-8859-15
-# doi_IN UTF-8
-# dv_MV UTF-8
-# dz_BT UTF-8
-# el_CY ISO-8859-7
-# el_CY.UTF-8 UTF-8
-# el_GR ISO-8859-7
-# el_GR.UTF-8 UTF-8
-# en_AG UTF-8
-# en_AU ISO-8859-1
-# en_AU.UTF-8 UTF-8
-# en_BW ISO-8859-1
-# en_BW.UTF-8 UTF-8
-# en_CA ISO-8859-1
-# en_CA.UTF-8 UTF-8
-# en_DK ISO-8859-1
-# en_DK.ISO-8859-15 ISO-8859-15
-# en_DK.UTF-8 UTF-8
-# en_GB ISO-8859-1
-# en_GB.ISO-8859-15 ISO-8859-15
-# en_GB.UTF-8 UTF-8
-# en_HK ISO-8859-1
-# en_HK.UTF-8 UTF-8
-# en_IE ISO-8859-1
-# en_IE.UTF-8 UTF-8
-# en_IE@euro ISO-8859-15
-# en_IL UTF-8
-# en_IN UTF-8
-# en_NG UTF-8
-# en_NZ ISO-8859-1
-# en_NZ.UTF-8 UTF-8
-# en_PH ISO-8859-1
-# en_PH.UTF-8 UTF-8
-# en_SG ISO-8859-1
-# en_SG.UTF-8 UTF-8
-# en_US ISO-8859-1
-# en_US.ISO-8859-15 ISO-8859-15
-en_US.UTF-8 UTF-8
-# en_ZA ISO-8859-1
-# en_ZA.UTF-8 UTF-8
-# en_ZM UTF-8
-# en_ZW ISO-8859-1
-# en_ZW.UTF-8 UTF-8
-# eo UTF-8
-# es_AR ISO-8859-1
-# es_AR.UTF-8 UTF-8
-# es_BO ISO-8859-1
-# es_BO.UTF-8 UTF-8
-# es_CL ISO-8859-1
-# es_CL.UTF-8 UTF-8
-# es_CO ISO-8859-1
-# es_CO.UTF-8 UTF-8
-# es_CR ISO-8859-1
-# es_CR.UTF-8 UTF-8
-# es_CU UTF-8
-# es_DO ISO-8859-1
-# es_DO.UTF-8 UTF-8
-# es_EC ISO-8859-1
-# es_EC.UTF-8 UTF-8
-# es_ES ISO-8859-1
-# es_ES.UTF-8 UTF-8
-# es_ES@euro ISO-8859-15
-# es_GT ISO-8859-1
-# es_GT.UTF-8 UTF-8
-# es_HN ISO-8859-1
-# es_HN.UTF-8 UTF-8
-# es_MX ISO-8859-1
-# es_MX.UTF-8 UTF-8
-# es_NI ISO-8859-1
-# es_NI.UTF-8 UTF-8
-# es_PA ISO-8859-1
-# es_PA.UTF-8 UTF-8
-# es_PE ISO-8859-1
-# es_PE.UTF-8 UTF-8
-# es_PR ISO-8859-1
-# es_PR.UTF-8 UTF-8
-# es_PY ISO-8859-1
-# es_PY.UTF-8 UTF-8
-# es_SV ISO-8859-1
-# es_SV.UTF-8 UTF-8
-# es_US ISO-8859-1
-# es_US.UTF-8 UTF-8
-# es_UY ISO-8859-1
-# es_UY.UTF-8 UTF-8
-# es_VE ISO-8859-1
-# es_VE.UTF-8 UTF-8
-# et_EE ISO-8859-1
-# et_EE.ISO-8859-15 ISO-8859-15
-# et_EE.UTF-8 UTF-8
-# eu_ES ISO-8859-1
-# eu_ES.UTF-8 UTF-8
-# eu_ES@euro ISO-8859-15
-# eu_FR ISO-8859-1
-# eu_FR.UTF-8 UTF-8
-# eu_FR@euro ISO-8859-15
-# fa_IR UTF-8
-# ff_SN UTF-8
-# fi_FI ISO-8859-1
-# fi_FI.UTF-8 UTF-8
-# fi_FI@euro ISO-8859-15
-# fil_PH UTF-8
-# fo_FO ISO-8859-1
-# fo_FO.UTF-8 UTF-8
-# fr_BE ISO-8859-1
-# fr_BE.UTF-8 UTF-8
-# fr_BE@euro ISO-8859-15
-# fr_CA ISO-8859-1
-# fr_CA.UTF-8 UTF-8
-# fr_CH ISO-8859-1
-# fr_CH.UTF-8 UTF-8
-# fr_FR ISO-8859-1
-# fr_FR.UTF-8 UTF-8
-# fr_FR@euro ISO-8859-15
-# fr_LU ISO-8859-1
-# fr_LU.UTF-8 UTF-8
-# fr_LU@euro ISO-8859-15
-# fur_IT UTF-8
-# fy_DE UTF-8
-# fy_NL UTF-8
-# ga_IE ISO-8859-1
-# ga_IE.UTF-8 UTF-8
-# ga_IE@euro ISO-8859-15
-# gd_GB ISO-8859-15
-# gd_GB.UTF-8 UTF-8
-# gez_ER UTF-8
-# gez_ER@abegede UTF-8
-# gez_ET UTF-8
-# gez_ET@abegede UTF-8
-# gl_ES ISO-8859-1
-# gl_ES.UTF-8 UTF-8
-# gl_ES@euro ISO-8859-15
-# gu_IN UTF-8
-# gv_GB ISO-8859-1
-# gv_GB.UTF-8 UTF-8
-# ha_NG UTF-8
-# hak_TW UTF-8
-# he_IL ISO-8859-8
-# he_IL.UTF-8 UTF-8
-# hi_IN UTF-8
-# hne_IN UTF-8
-# hr_HR ISO-8859-2
-# hr_HR.UTF-8 UTF-8
-# hsb_DE ISO-8859-2
-# hsb_DE.UTF-8 UTF-8
-# ht_HT UTF-8
-# hu_HU ISO-8859-2
-# hu_HU.UTF-8 UTF-8
-# hy_AM UTF-8
-# hy_AM.ARMSCII-8 ARMSCII-8
-# ia_FR UTF-8
-# id_ID ISO-8859-1
-# id_ID.UTF-8 UTF-8
-# ig_NG UTF-8
-# ik_CA UTF-8
-# is_IS ISO-8859-1
-# is_IS.UTF-8 UTF-8
-# it_CH ISO-8859-1
-# it_CH.UTF-8 UTF-8
-# it_IT ISO-8859-1
-# it_IT.UTF-8 UTF-8
-# it_IT@euro ISO-8859-15
-# iu_CA UTF-8
-# ja_JP.EUC-JP EUC-JP
-# ja_JP.UTF-8 UTF-8
-# ka_GE GEORGIAN-PS
-# ka_GE.UTF-8 UTF-8
-# kk_KZ PT154
-# kk_KZ.RK1048 RK1048
-# kk_KZ.UTF-8 UTF-8
-# kl_GL ISO-8859-1
-# kl_GL.UTF-8 UTF-8
-# km_KH UTF-8
-# kn_IN UTF-8
-# ko_KR.EUC-KR EUC-KR
-# ko_KR.UTF-8 UTF-8
-# kok_IN UTF-8
-# ks_IN UTF-8
-# ks_IN@devanagari UTF-8
-# ku_TR ISO-8859-9
-# ku_TR.UTF-8 UTF-8
-# kw_GB ISO-8859-1
-# kw_GB.UTF-8 UTF-8
-# ky_KG UTF-8
-# lb_LU UTF-8
-# lg_UG ISO-8859-10
-# lg_UG.UTF-8 UTF-8
-# li_BE UTF-8
-# li_NL UTF-8
-# lij_IT UTF-8
-# ln_CD UTF-8
-# lo_LA UTF-8
-# lt_LT ISO-8859-13
-# lt_LT.UTF-8 UTF-8
-# lv_LV ISO-8859-13
-# lv_LV.UTF-8 UTF-8
-# lzh_TW UTF-8
-# mag_IN UTF-8
-# mai_IN UTF-8
-# mg_MG ISO-8859-15
-# mg_MG.UTF-8 UTF-8
-# mhr_RU UTF-8
-# mi_NZ ISO-8859-13
-# mi_NZ.UTF-8 UTF-8
-# mk_MK ISO-8859-5
-# mk_MK.UTF-8 UTF-8
-# ml_IN UTF-8
-# mn_MN UTF-8
-# mni_IN UTF-8
-# mr_IN UTF-8
-# ms_MY ISO-8859-1
-# ms_MY.UTF-8 UTF-8
-# mt_MT ISO-8859-3
-# mt_MT.UTF-8 UTF-8
-# my_MM UTF-8
-# nan_TW UTF-8
-# nan_TW@latin UTF-8
-# nb_NO ISO-8859-1
-# nb_NO.UTF-8 UTF-8
-# nds_DE UTF-8
-# nds_NL UTF-8
-# ne_NP UTF-8
-# nhn_MX UTF-8
-# niu_NU UTF-8
-# niu_NZ UTF-8
-# nl_AW UTF-8
-# nl_BE ISO-8859-1
-# nl_BE.UTF-8 UTF-8
-# nl_BE@euro ISO-8859-15
-# nl_NL ISO-8859-1
-# nl_NL.UTF-8 UTF-8
-# nl_NL@euro ISO-8859-15
-# nn_NO ISO-8859-1
-# nn_NO.UTF-8 UTF-8
-# nr_ZA UTF-8
-# nso_ZA UTF-8
-# oc_FR ISO-8859-1
-# oc_FR.UTF-8 UTF-8
-# om_ET UTF-8
-# om_KE ISO-8859-1
-# om_KE.UTF-8 UTF-8
-# or_IN UTF-8
-# os_RU UTF-8
-# pa_IN UTF-8
-# pa_PK UTF-8
-# pap_AW UTF-8
-# pap_CW UTF-8
-# pl_PL ISO-8859-2
-# pl_PL.UTF-8 UTF-8
-# ps_AF UTF-8
-# pt_BR ISO-8859-1
-# pt_BR.UTF-8 UTF-8
-# pt_PT ISO-8859-1
-# pt_PT.UTF-8 UTF-8
-# pt_PT@euro ISO-8859-15
-# quz_PE UTF-8
-# raj_IN UTF-8
-# ro_RO ISO-8859-2
-# ro_RO.UTF-8 UTF-8
-# ru_RU ISO-8859-5
-# ru_RU.CP1251 CP1251
-# ru_RU.KOI8-R KOI8-R
-# ru_RU.UTF-8 UTF-8
-# ru_UA KOI8-U
-# ru_UA.UTF-8 UTF-8
-# rw_RW UTF-8
-# sa_IN UTF-8
-# sat_IN UTF-8
-# sc_IT UTF-8
-# sd_IN UTF-8
-# sd_IN@devanagari UTF-8
-# se_NO UTF-8
-# sgs_LT UTF-8
-# shs_CA UTF-8
-# si_LK UTF-8
-# sid_ET UTF-8
-# sk_SK ISO-8859-2
-# sk_SK.UTF-8 UTF-8
-# sl_SI ISO-8859-2
-# sl_SI.UTF-8 UTF-8
-# so_DJ ISO-8859-1
-# so_DJ.UTF-8 UTF-8
-# so_ET UTF-8
-# so_KE ISO-8859-1
-# so_KE.UTF-8 UTF-8
-# so_SO ISO-8859-1
-# so_SO.UTF-8 UTF-8
-# sq_AL ISO-8859-1
-# sq_AL.UTF-8 UTF-8
-# sq_MK UTF-8
-# sr_ME UTF-8
-# sr_RS UTF-8
-# sr_RS@latin UTF-8
-# ss_ZA UTF-8
-# st_ZA ISO-8859-1
-# st_ZA.UTF-8 UTF-8
-# sv_FI ISO-8859-1
-# sv_FI.UTF-8 UTF-8
-# sv_FI@euro ISO-8859-15
-# sv_SE ISO-8859-1
-# sv_SE.ISO-8859-15 ISO-8859-15
-# sv_SE.UTF-8 UTF-8
-# sw_KE UTF-8
-# sw_TZ UTF-8
-# szl_PL UTF-8
-# ta_IN UTF-8
-# ta_LK UTF-8
-# tcy_IN.UTF-8 UTF-8
-# te_IN UTF-8
-# tg_TJ KOI8-T
-# tg_TJ.UTF-8 UTF-8
-# th_TH TIS-620
-# th_TH.UTF-8 UTF-8
-# the_NP UTF-8
-# ti_ER UTF-8
-# ti_ET UTF-8
-# tig_ER UTF-8
-# tk_TM UTF-8
-# tl_PH ISO-8859-1
-# tl_PH.UTF-8 UTF-8
-# tn_ZA UTF-8
-# tr_CY ISO-8859-9
-# tr_CY.UTF-8 UTF-8
-# tr_TR ISO-8859-9
-# tr_TR.UTF-8 UTF-8
-# ts_ZA UTF-8
-# tt_RU UTF-8
-# tt_RU@iqtelif UTF-8
-# ug_CN UTF-8
-# uk_UA KOI8-U
-# uk_UA.UTF-8 UTF-8
-# unm_US UTF-8
-# ur_IN UTF-8
-# ur_PK UTF-8
-# uz_UZ ISO-8859-1
-# uz_UZ.UTF-8 UTF-8
-# uz_UZ@cyrillic UTF-8
-# ve_ZA UTF-8
-# vi_VN UTF-8
-# wa_BE ISO-8859-1
-# wa_BE.UTF-8 UTF-8
-# wa_BE@euro ISO-8859-15
-# wae_CH UTF-8
-# wal_ET UTF-8
-# wo_SN UTF-8
-# xh_ZA ISO-8859-1
-# xh_ZA.UTF-8 UTF-8
-# yi_US CP1255
-# yi_US.UTF-8 UTF-8
-# yo_NG UTF-8
-# yue_HK UTF-8
-# zh_CN GB2312
-# zh_CN.GB18030 GB18030
-# zh_CN.GBK GBK
-# zh_CN.UTF-8 UTF-8
-# zh_HK BIG5-HKSCS
-# zh_HK.UTF-8 UTF-8
-# zh_SG GB2312
-# zh_SG.GBK GBK
-# zh_SG.UTF-8 UTF-8
-# zh_TW BIG5
-# zh_TW.EUC-TW EUC-TW
-# zh_TW.UTF-8 UTF-8
-# zu_ZA ISO-8859-1
-# zu_ZA.UTF-8 UTF-8
+++ /dev/null
-Europe/Berlin
+++ /dev/null
-server {
- listen 443 ssl;
- server_name REPLACE_fqdn_ECALPER;
- ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
- root /var/www-dump/;
-
- location /dump/ {
- autoindex on;
- }
-
- location /geheim/ {
- auth_basic "geheim geheim";
- auth_basic_user_file /var/www-dump/password_geheim;
- autoindex on;
- }
-
- location /zettel/ {
- # rewrite non-suffixed filenames to .html ones
- rewrite ^(/zettel/(.*/)*[^./]+)$ $1.html;
- autoindex on;
- }
-
- location /uwsgi/ {
- include uwsgi_params;
- uwsgi_pass 127.0.0.1:3031;
- }
-}
+++ /dev/null
-[Unit]
-Description=url_catcher screen
-
-[Service]
-Type=forking
-User=plom
-# The LC_ALL fixes submission failing on some articles.
-ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 cd ~/url-catcher && screen -d -m ./run.sh'
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-# This file is part of systemd.
-#
-# See logind.conf(5) for details.
-
-[Login]
-# Note that with the standard Buster kernel this won't work due to
-# <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919227>.
-HandleLidSwitch=hibernate
+++ /dev/null
-# /etc/aliases
-# maps whom what is sent to
-
-# As per RFC 2142.
-mailer-daemon: plom
-postmaster: plom
-hostmaster: plom
-usenet: plom
-news: plom
-webmaster: plom
-www: plom
-ftp: plom
-abuse: plom
-noc: plom
-security: plom
-root: plom
-
-# Personal aliases.
-plomlompom: plom
-christian.heller: plom
-christian_heller: plom
-christianheller: plom
-c.heller: plom
-heller: plom
+++ /dev/null
-# This is only necessary when we use dovecot's LMTP mechanism to receive
-# mail from postfix.
-auth_username_format = %Ln
-
-# Add sieve filtering.
-protocol lmtp {
- mail_plugins = $mail_plugins sieve
-}
-
-# We don't strictly need to provide a LMTP server to fetch mail from
-# postfix, but we do if we want to do sophisticated stuff like sieve
-# filtering on the way.
-service lmtp {
- inet_listener lmtp {
- address = 127.0.0.1
- port = 2424
- }
-}
+++ /dev/null
-service auth {
- unix_listener auth-userdb {
- }
-
- unix_listener /var/spool/postfix/private/auth {
- mode = 0660
- user = postfix
- group = postfix
- }
-}
+++ /dev/null
-# mailutils by default uses the FQDN as the mail domain name, fix this
-address {
- email-domain REPLACE_maildomain_ECALPER;
-};
+++ /dev/null
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
- chain input {
- type filter hook input priority 0; policy drop;
- iif lo accept comment "accept localhost traffic"
- ct state invalid drop comment "drop invalid connections"
- ct state established, related accept comment "accept traffic originated from us"
- tcp dport 22 accept comment "accept SSH on default port"
- tcp dport 25 accept comment "accept SMTP (allowing for STARTTLS); necessary for mail server to mail server banter, i.e. for receiving mails"
- tcp dport 80 accept comment "accept HTTP; necessary for Certbot HTTP challenge"
- tcp dport 465 accept comment "accept SMTPS; for mail user agent to mail server, i.e. for sending mails"
- tcp dport 993 accept comment "accept IMAPS; for reading/downloading mails"
- ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- chain output {
- type filter hook output priority 0; policy accept;
- }
-}
+++ /dev/null
-[Unit]
-Description=Run plom's fetchmail
-
-[Service]
-Type=oneshot
-User=plom
-# fetchmail returns 1 when no new mail, we want to catch that
-ExecStart=/bin/sh -c 'fetchmail || [ $? -eq 1 ]'
+++ /dev/null
-[Unit]
-Description=Run fetchmail once every minute
-
-[Timer]
-OnCalendar=minutely
-
-[Install]
-WantedBy=timers.target
+++ /dev/null
-[Unit]
-Description=Run pingmail check
-
-[Service]
-Type=oneshot
-User=plom
-ExecStart=/bin/sh -c '~/pingmail/pingmail check'
+++ /dev/null
-[Unit]
-Description=Run pingmail check once every hour
-
-[Timer]
-OnCalendar=*-*-* *:00:00
-
-[Install]
-WantedBy=timers.target
+++ /dev/null
-deb http://deb.debian.org/debian stretch main contrib non-free
-deb http://deb.debian.org/debian-security/ stretch/updates main contrib non-free
-deb http://deb.debian.org/debian stretch-updates main contrib non-free
-deb http://ftp.debian.org/debian stretch-backports main contrib non-free
+++ /dev/null
-[Unit]
-Description=Attempt encryption of old chat logs
-[Service]
-Type=oneshot
-User=plom
-ExecStart=/bin/sh -c '~/weechatlogs_encrypter.sh'
+++ /dev/null
-[Unit]
-Description=Attempt encryption of old chatlogs once every minute.
-
-[Timer]
-OnCalendar=*-*-* *:*:00
-
-[Install]
-WantedBy=timers.target
\ No newline at end of file
+++ /dev/null
-<div style="margin: 1em;">
- <p>Privacy: Visitor IP addresses are anonymized in the logs.</p>
- <p>Contact: See <a href="https://plomlompom.com/contact.html">plomlompom.com contact page</a>.</p>
-</div>
+++ /dev/null
-User-agent: *
-Disallow:
+++ /dev/null
-This is <a href="https://plomlompom.com">plomlompom</a>'s personal single-user Pleroma instance.
+++ /dev/null
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
- chain input {
- type filter hook input priority 0; policy drop;
- iif lo accept comment "accept localhost traffic"
- ct state invalid drop comment "drop invalid connections"
- ct state established, related accept comment "accept traffic originated from us"
- tcp dport 22 accept comment "accept SSH on default port"
- ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- chain output {
- type filter hook output priority 0; policy accept;
- }
-}
+++ /dev/null
-# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin no # plomlompom's security rule
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
-
-ClientAliveInterval 120
-PasswordAuthentication no # plomlompom's security rule
+++ /dev/null
-# ------------------------------------------------------------------------------
-# tlp - Parameters for power saving
-# See full explanation: http://linrunner.de/en/tlp/docs/tlp-configuration.html
-
-# Hint: some features are disabled by default, remove the leading # to enable
-# them.
-
-# Set to 0 to disable, 1 to enable TLP.
-TLP_ENABLE=1
-
-# Operation mode when no power supply can be detected: AC, BAT.
-# Concerns some desktop and embedded hardware only.
-TLP_DEFAULT_MODE=AC
-
-# Operation mode select: 0=depend on power source, 1=always use TLP_DEFAULT_MODE
-# Hint: use in conjunction with TLP_DEFAULT_MODE=BAT for BAT settings on AC.
-TLP_PERSISTENT_DEFAULT=0
-
-# Seconds laptop mode has to wait after the disk goes idle before doing a sync.
-# Non-zero value enables, zero disables laptop mode.
-DISK_IDLE_SECS_ON_AC=0
-DISK_IDLE_SECS_ON_BAT=2
-
-# Dirty page values (timeouts in secs).
-MAX_LOST_WORK_SECS_ON_AC=15
-MAX_LOST_WORK_SECS_ON_BAT=60
-
-# Hint: CPU parameters below are disabled by default, remove the leading #
-# to enable them, otherwise kernel default values are used.
-
-# Select a CPU frequency scaling governor.
-# Intel Core i processor with intel_pstate driver:
-# powersave(*), performance.
-# Older hardware with acpi-cpufreq driver:
-# ondemand(*), powersave, performance, conservative, schedutil.
-# (*) is recommended.
-# Hint: use tlp-stat -p to show the active driver and available governors.
-# Important:
-# powersave for intel_pstate and ondemand for acpi-cpufreq are power
-# efficient for *almost all* workloads and therefore kernel and most
-# distributions have chosen them as defaults. If you still want to change,
-# you should know what you're doing! You *must* disable your distribution's
-# governor settings or conflicts will occur.
-#CPU_SCALING_GOVERNOR_ON_AC=powersave
-#CPU_SCALING_GOVERNOR_ON_BAT=powersave
-
-# Set the min/max frequency available for the scaling governor.
-# Possible values strongly depend on your CPU. For available frequencies see
-# the output of tlp-stat -p.
-#CPU_SCALING_MIN_FREQ_ON_AC=0
-#CPU_SCALING_MAX_FREQ_ON_AC=0
-#CPU_SCALING_MIN_FREQ_ON_BAT=0
-#CPU_SCALING_MAX_FREQ_ON_BAT=0
-
-# Set energy performance hints (HWP) for Intel P-state governor:
-# performance, balance_performance, default, balance_power, power
-# Values are given in order of increasing power saving.
-# Note: Intel Skylake or newer CPU and Kernel >= 4.10 required.
-CPU_HWP_ON_AC=balance_performance
-CPU_HWP_ON_BAT=balance_power
-
-# Set Intel P-state performance: 0..100 (%).
-# Limit the max/min P-state to control the power dissipation of the CPU.
-# Values are stated as a percentage of the available performance.
-# Requires an Intel Core i processor with intel_pstate driver.
-#CPU_MIN_PERF_ON_AC=0
-#CPU_MAX_PERF_ON_AC=100
-#CPU_MIN_PERF_ON_BAT=0
-#CPU_MAX_PERF_ON_BAT=30
-
-# Set the CPU "turbo boost" feature: 0=disable, 1=allow
-# Requires an Intel Core i processor.
-# Important:
-# - This may conflict with your distribution's governor settings
-# - A value of 1 does *not* activate boosting, it just allows it
-#CPU_BOOST_ON_AC=1
-#CPU_BOOST_ON_BAT=0
-
-# Minimize number of used CPU cores/hyper-threads under light load conditions:
-# 0=disable, 1=enable.
-SCHED_POWERSAVE_ON_AC=0
-SCHED_POWERSAVE_ON_BAT=1
-
-# Kernel NMI Watchdog:
-# 0=disable (default, saves power), 1=enable (for kernel debugging only).
-NMI_WATCHDOG=0
-
-# Change CPU voltages aka "undervolting" - Kernel with PHC patch required.
-# Frequency voltage pairs are written to:
-# /sys/devices/system/cpu/cpu0/cpufreq/phc_controls
-# CAUTION: only use this, if you thoroughly understand what you are doing!
-#PHC_CONTROLS="F:V F:V F:V F:V"
-
-# Set CPU performance versus energy savings policy:
-# performance, balance-performance, default, balance-power, power.
-# Values are given in order of increasing power saving.
-# Requires kernel module msr and x86_energy_perf_policy from linux-tools.
-ENERGY_PERF_POLICY_ON_AC=performance
-ENERGY_PERF_POLICY_ON_BAT=power
-
-# Disk devices; separate multiple devices with spaces (default: sda).
-# Devices can be specified by disk ID also (lookup with: tlp diskid).
-DISK_DEVICES="sda sdb"
-
-# Disk advanced power management level: 1..254, 255 (max saving, min, off).
-# Levels 1..127 may spin down the disk; 255 allowable on most drives.
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the hardware default for the particular disk.
-DISK_APM_LEVEL_ON_AC="254 254"
-DISK_APM_LEVEL_ON_BAT="128 128"
-
-# Hard disk spin down timeout:
-# 0: spin down disabled
-# 1..240: timeouts from 5s to 20min (in units of 5s)
-# 241..251: timeouts from 30min to 5.5 hours (in units of 30min)
-# See 'man hdparm' for details.
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the hardware default for the particular disk.
-#DISK_SPINDOWN_TIMEOUT_ON_AC="0 0"
-#DISK_SPINDOWN_TIMEOUT_ON_BAT="0 0"
-
-# Select IO scheduler for the disk devices: cfq, deadline, noop (Default: cfq).
-# Separate values for multiple disks with spaces. Use the special value 'keep'
-# to keep the kernel default scheduler for the particular disk.
-#DISK_IOSCHED="cfq cfq"
-
-# AHCI link power management (ALPM) for disk devices:
-# min_power, med_power_with_dipm(*), medium_power, max_performance.
-# (*) Kernel >= 4.15 required, then recommended.
-# Multiple values separated with spaces are tried sequentially until success.
-SATA_LINKPWR_ON_AC="med_power_with_dipm max_performance"
-SATA_LINKPWR_ON_BAT="med_power_with_dipm min_power"
-
-# Exclude host devices from AHCI link power management.
-# Separate multiple hosts with spaces.
-#SATA_LINKPWR_BLACKLIST="host1"
-
-# Runtime Power Management for AHCI host and disks devices:
-# on=disable, auto=enable.
-# EXPERIMENTAL ** WARNING: auto will most likely cause system lockups/data loss.
-#AHCI_RUNTIME_PM_ON_AC=on
-#AHCI_RUNTIME_PM_ON_BAT=on
-
-# Seconds of inactivity before disk is suspended.
-AHCI_RUNTIME_PM_TIMEOUT=15
-
-# PCI Express Active State Power Management (PCIe ASPM):
-# default, performance, powersave.
-PCIE_ASPM_ON_AC=performance
-PCIE_ASPM_ON_BAT=powersave
-
-# Radeon graphics clock speed (profile method): low, mid, high, auto, default;
-# auto = mid on BAT, high on AC; default = use hardware defaults.
-RADEON_POWER_PROFILE_ON_AC=high
-RADEON_POWER_PROFILE_ON_BAT=low
-
-# Radeon dynamic power management method (DPM): battery, performance.
-RADEON_DPM_STATE_ON_AC=performance
-RADEON_DPM_STATE_ON_BAT=battery
-
-# Radeon DPM performance level: auto, low, high; auto is recommended.
-RADEON_DPM_PERF_LEVEL_ON_AC=auto
-RADEON_DPM_PERF_LEVEL_ON_BAT=auto
-
-# WiFi power saving mode: on=enable, off=disable; not supported by all adapters.
-WIFI_PWR_ON_AC=off
-WIFI_PWR_ON_BAT=on
-
-# Disable wake on LAN: Y/N.
-WOL_DISABLE=Y
-
-# Enable audio power saving for Intel HDA, AC97 devices (timeout in secs).
-# A value of 0 disables, >=1 enables power saving (recommended: 1).
-SOUND_POWER_SAVE_ON_AC=0
-SOUND_POWER_SAVE_ON_BAT=1
-
-# Disable controller too (HDA only): Y/N.
-SOUND_POWER_SAVE_CONTROLLER=Y
-
-# Power off optical drive in UltraBay/MediaBay: 0=disable, 1=enable.
-# Drive can be powered on again by releasing (and reinserting) the eject lever
-# or by pressing the disc eject button on newer models.
-# Note: an UltraBay/MediaBay hard disk is never powered off.
-BAY_POWEROFF_ON_AC=0
-BAY_POWEROFF_ON_BAT=0
-# Optical drive device to power off (default sr0).
-BAY_DEVICE="sr0"
-
-# Runtime Power Management for PCI(e) bus devices: on=disable, auto=enable.
-RUNTIME_PM_ON_AC=on
-RUNTIME_PM_ON_BAT=auto
-
-# Exclude PCI(e) device adresses the following list from Runtime PM
-# (separate with spaces). Use lspci to get the adresses (1st column).
-#RUNTIME_PM_BLACKLIST="bb:dd.f 11:22.3 44:55.6"
-
-# Exclude PCI(e) devices assigned to the listed drivers from Runtime PM.
-# Default when unconfigured is "amdgpu nouveau nvidia radeon" which
-# prevents accidential power-on of dGPU in hybrid graphics setups.
-# Use "" to disable the feature completely.
-# Separate multiple drivers with spaces.
-#RUNTIME_PM_DRIVER_BLACKLIST="amdgpu nouveau nvidia radeon"
-
-# Set to 0 to disable, 1 to enable USB autosuspend feature.
-USB_AUTOSUSPEND=1
-
-# Exclude listed devices from USB autosuspend (separate with spaces).
-# Use lsusb to get the ids.
-# Note: input devices (usbhid) are excluded automatically
-#USB_BLACKLIST="1111:2222 3333:4444"
-
-# Bluetooth devices are excluded from USB autosuspend:
-# 0=do not exclude, 1=exclude.
-USB_BLACKLIST_BTUSB=0
-
-# Phone devices are excluded from USB autosuspend:
-# 0=do not exclude, 1=exclude (enable charging).
-USB_BLACKLIST_PHONE=0
-
-# Printers are excluded from USB autosuspend:
-# 0=do not exclude, 1=exclude.
-USB_BLACKLIST_PRINTER=1
-
-# WWAN devices are excluded from USB autosuspend:
-# 0=do not exclude, 1=exclude.
-USB_BLACKLIST_WWAN=1
-
-# Include listed devices into USB autosuspend even if already excluded
-# by the blacklists above (separate with spaces).
-# Use lsusb to get the ids.
-#USB_WHITELIST="1111:2222 3333:4444"
-
-# Set to 1 to disable autosuspend before shutdown, 0 to do nothing
-# (workaround for USB devices that cause shutdown problems).
-#USB_AUTOSUSPEND_DISABLE_ON_SHUTDOWN=1
-
-# Restore radio device state (Bluetooth, WiFi, WWAN) from previous shutdown
-# on system startup: 0=disable, 1=enable.
-# Hint: the parameters DEVICES_TO_DISABLE/ENABLE_ON_STARTUP/SHUTDOWN below
-# are ignored when this is enabled!
-RESTORE_DEVICE_STATE_ON_STARTUP=0
-
-# Radio devices to disable on startup: bluetooth, wifi, wwan.
-# Separate multiple devices with spaces.
-#DEVICES_TO_DISABLE_ON_STARTUP="bluetooth wifi wwan"
-
-# Radio devices to enable on startup: bluetooth, wifi, wwan.
-# Separate multiple devices with spaces.
-#DEVICES_TO_ENABLE_ON_STARTUP="wifi"
-
-# Radio devices to disable on shutdown: bluetooth, wifi, wwan.
-# (workaround for devices that are blocking shutdown).
-#DEVICES_TO_DISABLE_ON_SHUTDOWN="bluetooth wifi wwan"
-
-# Radio devices to enable on shutdown: bluetooth, wifi, wwan.
-# (to prevent other operating systems from missing radios).
-#DEVICES_TO_ENABLE_ON_SHUTDOWN="wwan"
-
-# Radio devices to enable on AC: bluetooth, wifi, wwan.
-#DEVICES_TO_ENABLE_ON_AC="bluetooth wifi wwan"
-
-# Radio devices to disable on battery: bluetooth, wifi, wwan.
-#DEVICES_TO_DISABLE_ON_BAT="bluetooth wifi wwan"
-
-# Radio devices to disable on battery when not in use (not connected):
-# bluetooth, wifi, wwan.
-#DEVICES_TO_DISABLE_ON_BAT_NOT_IN_USE="bluetooth wifi wwan"
-
-# Battery charge thresholds (ThinkPad only, tp-smapi or acpi-call kernel module
-# required). Charging starts when the remaining capacity falls below the
-# START_CHARGE_THRESH value and stops when exceeding the STOP_CHARGE_THRESH value.
-# Main / Internal battery (values in %)
-START_CHARGE_THRESH_BAT0=75
-STOP_CHARGE_THRESH_BAT0=80
-# Ultrabay / Slice / Replaceable battery (values in %)
-#START_CHARGE_THRESH_BAT1=75
-#STOP_CHARGE_THRESH_BAT1=80
-
-# Restore charge thresholds when AC is unplugged: 0=disable, 1=enable.
-#RESTORE_THRESHOLDS_ON_BAT=1
-
-# ------------------------------------------------------------------------------
-# tlp-rdw - Parameters for the radio device wizard
-# Possible devices: bluetooth, wifi, wwan.
-
-# Hints:
-# - Parameters are disabled by default, remove the leading # to enable them
-# - Separate multiple radio devices with spaces
-
-# Radio devices to disable on connect.
-#DEVICES_TO_DISABLE_ON_LAN_CONNECT="wifi wwan"
-#DEVICES_TO_DISABLE_ON_WIFI_CONNECT="wwan"
-#DEVICES_TO_DISABLE_ON_WWAN_CONNECT="wifi"
-
-# Radio devices to enable on disconnect.
-#DEVICES_TO_ENABLE_ON_LAN_DISCONNECT="wifi wwan"
-#DEVICES_TO_ENABLE_ON_WIFI_DISCONNECT=""
-#DEVICES_TO_ENABLE_ON_WWAN_DISCONNECT=""
-
-# Radio devices to enable/disable when docked.
-#DEVICES_TO_ENABLE_ON_DOCK=""
-#DEVICES_TO_DISABLE_ON_DOCK=""
-
-# Radio devices to enable/disable when undocked.
-#DEVICES_TO_ENABLE_ON_UNDOCK="wifi"
-#DEVICES_TO_DISABLE_ON_UNDOCK=""
+++ /dev/null
-# This file is part of systemd.
-#
-# See logind.conf(5) for details.
-
-[Login]
-HandleLidSwitch=hibernate
+++ /dev/null
-# Printer configuration file for CUPS v2.2.10
-# Written by cupsd
-# DO NOT EDIT THIS FILE WHEN CUPSD IS RUNNING
-<Printer HP_Deskjet_F300_series>
-UUID urn:uuid:e856a26d-66f8-327a-4dca-0d8a09f87a25
-Info HP Deskjet F300 series
-Location
-MakeModel HP Deskjet f300 Series, hpcups 3.18.12
-DeviceURI hp:/usb/Deskjet_F300_series?serial=CN63VB21TM04KH
-State Idle
-Type 36892
-Accepting Yes
-Shared No
-JobSheets none none
-QuotaPeriod 0
-PageLimit 0
-KLimit 0
-OpPolicy default
-ErrorPolicy retry-job
-</Printer>
+++ /dev/null
-CHARMAP="UTF-8"
-CODESET="Lat15"
-FONTFACE="Terminus"
-FONTSIZE="6x12"
+++ /dev/null
-not quite blank
+++ /dev/null
-// We set up AutoConfig according to <https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig>, see firefox.cfg comments on why we need it
-pref("general.config.filename", "firefox.cfg");
-pref("general.config.obscure_value", 0);
-
+++ /dev/null
-// do not put any code into this first line, as it gets ignored by Firefox
-
-// we zero extensions.autoDisableScopes so our pre-installed extensions activate by default
-pref("extensions.autoDisableScopes", 0);
-
-// we turn off annoying setup popups and pages; these settings are the result more of trial and error than thorough understanding by me, so more research might be warranted to discipline them
-pref("startup.homepage_welcome_url", "file:///opt/firefox/blank.html");
-pref("browser.startup.homepage", "file:///opt/firefox/blank.html");
-pref("browser.startup.blankWindow", true);
-pref("datareporting.policy.firstRunURL", "");
-pref("browser.shell.checkDefaultBrowser", false);
-pref("datareporting.policy.dataSubmissionPolicyBypassNotification", true);
-
-// use socks proxy by default
-pref("network.proxy.type", 1);
-pref("network.proxy.socks", "localhost");
-pref("network.proxy.socks_port", 9999);
-pref("network.proxy.remote_dns", true);
+++ /dev/null
-[Desktop Entry]
-Name=Firefox
-Exec=/usr/local/bin/firefox %u
+++ /dev/null
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet filter {
- chain input {
- type filter hook input priority 0; policy drop;
- iif lo accept comment "accept localhost traffic"
- ct state invalid drop comment "drop invalid connections"
- ct state established, related accept comment "accept traffic originated from us"
- tcp dport 22 accept comment "accept SSH on default port"
- tcp dport 80 accept comment "accept HTTP on default port"
- tcp dport 443 accept comment "accept HTTPS on default port"
- ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
- }
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
- chain output {
- type filter hook output priority 0; policy accept;
- }
-}
+++ /dev/null
-# system integration
-user www-data;
-worker_processes auto;
-pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
-
-# is expected even if empty
-events {
-}
-
-http {
- # define content-type headers
- include /etc/nginx/mime.types;
- charset utf-8;
-
- # Some standard optimizations, i.e. Debian default. Explained in
- # <https://thoughts.t37.net/nginx-optimization-understanding-sendfile-tcp-nodelay-and-tcp-nopush-c55cdd276765>
- # Not that I understand it all …
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
-
- # logging deactivated due to GDPR
- #access_log /var/log/nginx/access.log;
- #error_log /var/log/nginx/error.log;
- access_log off;
- error_log off;
-
- # virtual hosts: sites-enabled is the Debian way, conf.d the NGINX default
- include /etc/nginx/conf.d/*.conf;
- include /etc/nginx/sites-enabled/*;
-
- # Redirect all HTTP requests to HTTPS.
- server {
- listen 80;
- return 301 https://$host$request_uri;
- }
-}
+++ /dev/null
-# path to git projects (<project>.git)
-$projectroot = "/var/repos";
-
-# don't show repos without git-daemon-export-ok file
-$export_ok = "git-daemon-export-ok";
-
-# directory to use for temp files
-# explicitely set by Debian so it's probably a good choice
-$git_temp = "/tmp";
-
-# git-diff-tree(1) options to use for generated patches
-# we don't want to to guess renames, so empty
-@diff_opts = ();
-
-# Base path for where to find the repos for cloning.
-@git_base_url_list = ('https://REPLACE_fqdn_ECALPER/repos/clone');
-
-# allow snapshots
-$feature{'snapshot'}{'default'} = ['zip', 'tgz'];
-
-# insert header for GDPR compliance
-$site_header = "/var/www/header.html"
+++ /dev/null
-server {
- listen 443 ssl;
- server_name REPLACE_fqdn_ECALPER;
- ssl_certificate /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/REPLACE_fqdn_ECALPER/privkey.pem;
- root /var/www/html/;
- index index.html index.htm index.nginx-debian.html;
-
- # serve /var/repos/* for HTTPS git cloning
- location ~ /repos/clone(/.*) {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend;
- # Commented out so only repos are served that contain a
- # git-daemon-export-ok file.
- # fastcgi_param GIT_HTTP_EXPORT_ALL "";
- fastcgi_param GIT_PROJECT_ROOT /var/repos;
- fastcgi_param PATH_INFO $1;
- fastcgi_pass unix:/var/run/fcgiwrap.socket;
- }
-
- # gitweb static files
- location /repos/static/ {
- alias /usr/share/gitweb/static/;
- }
-
- # gitweb; this needs packages fcgiwrap and gitweb
- location /repos/ {
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME /usr/share/gitweb/gitweb.cgi;
- fastcgi_param GITWEB_CONFIG /etc/gitweb.conf;
- fastcgi_pass unix:/var/run/fcgiwrap.socket;
- }
-
- # login-protected IRC logs
- location ~ ^/irclogs/([^/]+)/ {
- auth_basic "$1 logs";
- auth_basic_user_file /var/www/irclogs_pw/$1;
- autoindex on;
- }
-}
+++ /dev/null
-[Unit]
-Description=plomlombot screen
-
-[Service]
-Type=simple
-User=plom
-ExecStart=/bin/sh -c '~/plomlombot_daemon.sh'
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-[Settings]
-backend = external
-wireless_interface = wls1
-wired_interface = enp0s25
-wpa_driver = wext
-always_show_wired_interface = False
-use_global_dns = False
-global_dns_1 = None
-global_dns_2 = None
-global_dns_3 = None
-global_dns_dom = None
-global_search_dom = None
-auto_reconnect = True
-debug_mode = 0
-wired_connect_mode = 1
-signal_display_type = 0
-should_verify_ap = 1
-dhcp_client = 0
-link_detect_tool = 0
-flush_tool = 0
-sudo_app = 0
-prefer_wired = False
-show_never_connect = True
-
+++ /dev/null
-[Settings]
-backend = external
-wireless_interface = wlp3s0
-wired_interface = enp0s25
-wpa_driver = wext
-always_show_wired_interface = False
-use_global_dns = False
-global_dns_1 = None
-global_dns_2 = None
-global_dns_3 = None
-global_dns_dom = None
-global_search_dom = None
-auto_reconnect = True
-debug_mode = 0
-wired_connect_mode = 1
-signal_display_type = 0
-should_verify_ap = 1
-dhcp_client = 0
-link_detect_tool = 0
-flush_tool = 0
-sudo_app = 0
-prefer_wired = False
-show_never_connect = True
-
+++ /dev/null
-# plomlompom's i3 status bar configuration
-
-# Activate colors; set update interval of one second.
-general {
- colors = true
- interval = 1
-}
-
-# Selection / order of status elements.
-order += "disk /"
-order += "disk /home/"
-order += "wireless wlp2s0"
-order += "ethernet enp1s0"
-order += "battery 0"
-order += "cpu_usage"
-order += "load"
-order += "cpu_temperature 0"
-order += "time"
-order += "volume master"
-
-# How much space is left in / ?
-disk "/" {
- format = "/: %avail of %total"
- separator_block_width = 25
-}
-
-# How much space is left in /home/ ?
-disk "/home/" {
- format = "/home: %avail of %total"
- separator_block_width = 25
-}
-
-# WLAN status: show IP and connection quality or "down".
-wireless wlp2s0 {
- format_up = "w: (%quality at %essid) %ip"
- format_down = "w: down"
- separator_block_width = 10
-}
-
-# Ethernet status: show IP or "down".
-ethernet enp1s0 {
- format_up = "e: %ip"
- format_down = "e: down"
- separator_block_width = 25
-}
-
-# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
-battery 0 {
- format = "b: %status %percentage %remaining"
- separator_block_width = 25
-}
-
-# Show CPU usage.
-cpu_usage {
- format = "cpu: %usage"
- separator_block_width = 10
-}
-
-# Show system load during last 1/5/15 minutes.
-load {
- format = "%1min %5min %15min"
- separator_block_width = 25
-}
-
-# Show CPU temperature in degrees of celsius.
-cpu_temperature 0 {
- format = "%degrees °C"
- separator_block_width = 25
-}
-
-# Show date/time/timezone as "year-month-day hour:minute:second
-# timezone_numeric/timezone_alphabetic".
-time {
- format = "%Y-%m-%d %H:%M:%S %z/%Z"
- separator_block_width = 25
-}
-
-volume master {
- format = "♪: %volume"
- format_muted = "♪: muted (%volume)"
- separator_block_width = 25
-}
+++ /dev/null
-# Settings for interactive shells.
-
-# Fancy colors for ls.
-alias ls="ls --color=auto"
-
-# Use vim as default editor for anything.
-export VISUAL=vim
-export EDITOR=$VISUAL
-
-# Colored prompt with username, hostname, date/time, directory.
-colornumber=7 # Default to white if no color set via colornumber dotfile.
-colornumber_file=~/.shell_prompt_color
-if [ -f $colornumber_file ]; then
- colornumber=`cat $colornumber_file`
-fi
-tput_color="$(tput setaf $colornumber)$(tput bold)"
-tput_reset="$(tput sgr0)"
-# Bash confuses the line length when not told to not count escape sequences.
-if [ ! "$BASH" = "" ]; then
- tput_color="\[$tput_color\]"
- tput_reset="\[$tput_reset\]"
-fi
-PS1="${tput_color}["\$\(date\ +%Y-%m-%d/%H:%M:%S/%Z\)" $(whoami)@$(hostname):"\$\(pwd\)"]$ $tput_reset"
-PS2="${tput_color}> $tput_reset"
-PS3="${tput_color}select: $tput_reset"
-PS4="${tput_color}+ $tput_reset"
+++ /dev/null
-! otherwise various applications will assume merely 8 colors
-XTerm.termName: xterm-256color
-
-! font
-! actually, "mono" is already the default for faceName (it will
-! pick whatever fc-match mono delivers), but we need to set _some_
-! faceName to trigger XTerm activating TrueType fonts
-! (XTerm*fontRender by itself won't do the trick), and we want
-! TrueType fonts because, well, they scale better, and XTerm lets them
-! fall back on alternatives (hi there ttf-unifont) when a Unicode
-! glyph is not found
-XTerm*faceName: mono
-
-! white on black
-XTerm*reverseVideo: on
-
-! blink screen instead of sound
-XTerm*visualBell: on
-
-! proper ALT as META key treatment
-XTerm*eightBitInput: false
-
-! font sizes
-XTerm*faceSize: 8
-XTerm*faceSize1: 4
-XTerm*faceSize2: 5
-XTerm*faceSize3: 6
-XTerm*faceSize4: 8
-XTerm*faceSize5: 14
-XTerm*faceSize6: 25
-
-! colors
-! black
-XTerm*color0: #202020
-XTerm*color8: #3F3F3F
-! red
-XTerm*color1: #A82020
-XTerm*color9: #E82020
-! green
-XTerm*color2: #20A820
-XTerm*color10: #20E820
-! yellow
-XTerm*color3: #A8A820
-XTerm*color11: #E8E820
-! blue
-XTerm*color4: #3F3FFF
-XTerm*color12: #9F9FFF
-! magenta
-XTerm*color5: #A83FFF
-XTerm*color13: #E89FFF
-! cyan
-XTerm*color6: #3FA8FF
-XTerm*color14: #9FE8FF
-! white
-XTerm*color7: #A8A8A8
-XTerm*color15: #E8E8E8
+++ /dev/null
-plom@plomlompom.com
-plom@mail.plomlompom.com
-plom@play.plomlompom.com
-# file read ends at last newline
+++ /dev/null
-# plomlompom's i3-wm configuration
-
-# Font for i3 text
-font pango:Terminus 8px
-
-# Force "tabbed" as default layout for new windows.
-workspace_layout tabbed
-
-# Make the Windows key the modifier key for all i3-wm actions.
-set $mod Mod4
-floating_modifier $mod
-
-# Launch xterm.
-bindsym $mod+Return exec xterm
-
-# Launch programs via dmenu.
-bindsym $mod+d exec dmenu_run
-bindsym $mod+x exec dmenu_run
-
-# Kill window.
-bindsym $mod+Shift+Q kill
-
-# Move focus between windows.
-bindsym $mod+Left focus left
-bindsym $mod+Down focus down
-bindsym $mod+Up focus up
-bindsym $mod+Right focus right
-
-# Don't move focus with mouse.
-focus_follows_mouse no
-
-# Move windows.
-bindsym $mod+Shift+Left move left
-bindsym $mod+Shift+Down move down
-bindsym $mod+Shift+Up move up
-bindsym $mod+Shift+Right move right
-
-# Resize windows
-bindsym $mod+h resize shrink width 1 px or 1 ppt
-bindsym $mod+l resize grow width 1 px or 1 ppt
-bindsym $mod+j resize shrink height
-bindsym $mod+k resize grow height
-
-# Toggle fullscreen for focused window.
-bindsym $mod+f fullscreen
-
-# Toggle floating of window, focus on floating or tabbed windows.
-bindsym $mod+Shift+space floating toggle
-bindsym $mod+space focus mode_toggle
-
-# Switch to workspace x.
-bindsym $mod+1 workspace 1
-bindsym $mod+2 workspace 2
-bindsym $mod+3 workspace 3
-bindsym $mod+4 workspace 4
-bindsym $mod+5 workspace 5
-bindsym $mod+6 workspace 6
-bindsym $mod+7 workspace 7
-bindsym $mod+8 workspace 8
-bindsym $mod+9 workspace 9
-bindsym $mod+0 workspace 10
-
-# Move window to workspace x.
-bindsym $mod+Shift+exclam move workspace 1
-bindsym $mod+Shift+quotedbl move workspace 2
-bindsym $mod+Shift+section move workspace 3
-bindsym $mod+Shift+dollar move workspace 4
-bindsym $mod+Shift+percent move workspace 5
-bindsym $mod+Shift+ampersand move workspace 6
-bindsym $mod+Shift+slash move workspace 7
-bindsym $mod+Shift+parenleft move workspace 8
-bindsym $mod+Shift+parenright move workspace 9
-bindsym $mod+Shift+equal move workspace 10
-
-# Reload i3 config file, restart (keeping sesion) i3, exit i3.
-bindsym $mod+Shift+C reload
-bindsym $mod+Shift+R restart
-bindsym $mod+Shift+P exit
-
-# Select "i3status" as i3 status bar.
-bar {
- status_command i3status
-}
+++ /dev/null
-;; general layout
-;; ==============
-
-;; need no stinkin emacs help screen as start up, and no menu bar
-(setq inhibit-startup-screen t)
-(menu-bar-mode -1)
-
-;; highlight cursor line, parentheses
-(global-hl-line-mode 1)
-(show-paren-mode 1)
-
-;; show line numbers, use separator space
-(global-linum-mode)
-(setq linum-format "%d ")
-
-;; count cursor column, row in mode line
-(setq column-number-mode t)
-
-;; settings to make GUI tolerable
-(if window-system
- (progn
- (add-to-list 'default-frame-alist '(foreground-color . "white"))
- (add-to-list 'default-frame-alist '(background-color . "black"))
- (set-face-attribute 'default nil :height 80)
- (scroll-bar-mode -1)
- (setq visible-bell t)
- (setq linum-format "%d")))
-
-;; use as default browser what XDG offers
-(setq-default browse-url-browser-function 'browse-url-xdg-open)
-
-
-
-;; general keybindings
-;; ===================
-
-;; create and use a minimal global map using just the self-insert command
-;; bindings and a selection of some to me very common keystrokes
-(setq minimal-map (make-sparse-keymap))
-(substitute-key-definition 'self-insert-command 'self-insert-command
- minimal-map global-map)
-(use-global-map minimal-map)
-(global-set-key (kbd "DEL") 'backward-delete-char-untabify)
-(global-set-key (kbd "RET") 'newline)
-(global-set-key (kbd "TAB") 'indent-for-tab-command)
-(global-set-key (kbd "<up>") 'previous-line)
-(global-set-key (kbd "<down>") 'next-line)
-(global-set-key (kbd "<left>") 'left-char)
-(global-set-key (kbd "<right>") 'right-char)
-(global-set-key (kbd "<prior>") 'scroll-down-command)
-(global-set-key (kbd "<next>") 'scroll-up-command)
-(global-set-key (kbd "M-x") 'execute-extended-command)
-(global-set-key (kbd "C-g") 'keyboard-quit)
-;(global-set-key (kbd "<f3>") 'kmacro-start-macro-or-insert-counter)
-;(global-set-key (kbd "<f4>") 'kmacro-end-or-call-macro)
-;; note how to switch back to the original map: (use-global-map global-map)
-(setq shr-map (make-sparse-keymap)) ; got annoying in elfeed-show on URLs
-
-
-
-;; minibuffer
-;; ==========
-
-;; incremental minibuffer completion
-(icomplete-mode 1)
-
-
-
-;; text editing
-;; ============
-
-;; tabs are evil
-(setq-default indent-tabs-mode nil)
-(setq-default tab-width 4)
-(setq indent-line-function 'insert-tab)
-
-;; show trailing whitespace
-(setq-default show-trailing-whitespace 1)
-
-;; on save, ask whether to ensure text file's last line ends in a
-;; newline character
-(setq require-final-newline 1)
-
-;; use dedicated directory for version-controlled, endless backups;
-;; never delete old versions
-(setq make-backup-files t
- backup-directory-alist `(("." . "~/.emacs_backups"))
- backup-by-copying t
- version-control t
- delete-old-versions 1) ;; neither t nor nil: never delete
-
-
-;; package management
-;; ==================
-
-;; where we get packages from
-(setq package-archives '(("gnu" . "https://elpa.gnu.org/packages/")
- ("melpa-unstable" . "https://melpa.org/packages/")
- ("melpa-stable" . "https://stable.melpa.org/packages/")))
-
-;; ensure certain packages are installed (actually, we use Debian repos here)
-;; credit to <https://stackoverflow.com/a/10093312>
-;(setq package-list '(elfeed ledger-mode))
-;(package-initialize)
-;(dolist (package package-list)
-; (unless (package-installed-p package)
-; (package-install package)))
-
-
-
-;;; window management
-;;; =================
-;
-;;; track window configurations to allow window config undo
-;(winner-mode 1)
-
-
-
-;; mail setup
-;; ==========
-
-(setq send-mail-function 'smtpmail-send-it)
-(setq smtpmail-smtp-server "mail.plomlompom.com")
-(setq smtpmail-smtp-service 465)
-(setq smtpmail-stream-type 'ssl)
-(setq smtpmail-smtp-user "plom")
-(setq mml-secure-openpgp-encrypt-to-self t)
-(add-hook 'message-setup-hook 'mml-secure-sign-pgpmime)
-
-;(setq gnutls-log-level 0)
-
-;; if we don't set this, we get this warning:
-;; gnutls.c: [1] Note that the security level of the Diffie-Hellman key exchange
-;; has been lowered to 256 bits and this may allow decryption of the session data
-(setq gnutls-min-prime-bits 1024)
-
-;; there is a WEIRD bug somewhere in /network-stream-open-tls/ that disappears the
-;; stream process, seemingly unless the /message/ function is called at the right
-;; place (earliest in /nsm-verify-connection/ right before the "cond" there, latest
-;; in /network-stream-get-response/ right after "(goto-char start)"; this works
-;; unless /inhibit_message/ is set, indicating that writing to the *Messages*
-;; buffer is not relevant, but maybe writing to the echo area is); activing the
-;; gnutls logging is just a hack to achieve such calls to /message/ in the
-;; /network-stream-open-tls/ flow.
-(setq gnutls-log-level 1) ; miraculously makes smtpmail work
-
-;; constructs From: domain if mail composer directly called (from without
-;; notmuch), but we don't actually intend to do that
-;(setq mail-host-address "plomlompom.com")
-
-;; otherwise notmuch becomes extremely slow in some cases
-(setq-default notmuch-show-indent-content nil)
-
-;; this only works if we use notmuch-mua-send instead of message-send
-(setq notmuch-fcc-dirs '(("plom@plomlompom.com" . "maildir/Sent")))
-
-;; this gets rid of "i-did-not-set--mail-host-address--so-tickle-me"
-;; in the message ID
-(setq mail-host-address "plomlompom.com")
-
-;; notmuch saved searches
-(setq notmuch-saved-searches
- '((:name "inbox" :query "tag:unread and folder:inbox")
- (:name "all" :query "tag:unread not folder:maildir/Trash")
- (:name "plomlompom.de" :query "tag:unread and folder:maildir/plomlompom.de")
- (:name "nebenan" :query "tag:unread and folder:maildir/nebenan")
- (:name "reflect-info" :query "tag:unread and folder:maildir/reflect-info")
- (:name "gmail" :query "tag:unread and folder:maildir/gmail.com")
- (:name "mutter" :query "tag:unread and folder:maildir/mutter")))
-
-
-
-;; org mode
-;; ========
-
-;; unsure why, but to re-set the key map, we not only have to explicitely do it
-;; only after org-mode loading, but also have to explicitely overwrite the
-;; C-c keybinding; TODO: investigate
-(with-eval-after-load 'org
- (setq org-mode-map (make-sparse-keymap))
- (define-key org-mode-map (kbd "C-c") nil)
- (define-key org-mode-map (kbd "TAB") 'org-cycle)
- (define-key org-mode-map (kbd "<backtab>") 'org-shifttab))
-
-;; don't truncate lines by default
-(setq org-startup-truncated nil)
-
-;; basic org-capture config
-(setq org-capture-templates
- '(("x" "test" plain (file "~/org/notes.org") "%T: %?")))
-(add-hook 'org-capture-mode-hook 'evil-insert-state)
-
-;; agenda view on startup
-(load-library "find-lisp")
-(setq org-agenda-files (find-lisp-find-files "~/org" "\.org$"))
-(setq org-agenda-span 90)
-(setq org-agenda-use-time-grid nil)
-(add-hook 'emacs-startup-hook (lambda ()
- (org-agenda-list)
- (switch-to-buffer "*Org Agenda*")
- (other-window 1)))
-
-;;; for calendar, use ISO date style
-;(setq calendar-date-style 'iso)
-;(setq diary-number-of-entries 7)
-;(diary)
-;(setq org-agenda-time-grid '((today require-timed remove-match)
-; #("----------------" 0 16 (org-heading t))
-; (0 200 400 600 800 1000 1200
-; 1400 1600 1800 2000 2200)))
-
-;; empty org-agenda-mode keybindings
-(add-hook 'org-agenda-mode-hook
- (lambda ()
- (setq org-agenda-mode-map (make-sparse-keymap))))
-(add-hook 'org-agenda-mode-hook
- (lambda ()
- (use-local-map (make-sparse-keymap))))
-
-;; org-publish-all
-(setq org-publish-project-alist
- '(
- ("website"
- :base-directory "~/org/web/"
- :base-extension "org"
- :publishing-directory "~/html/"
- :recursive t
- :publishing-function org-html-publish-to-html
- :headline-levels 4 ; Just the default for this project.
- :auto-preamble t
- )))
-
-;; use [ki:] syntax to hide stuff from exports
-(defun classify-information (text backend info)
- "Replaces '[ki:WHATEVER]' with '[klassifizierte Information]'."
- (replace-regexp-in-string "\\[ki:[^\]]*\]" "[klassifizierte Information]" text))
-(add-hook 'org-export-filter-plain-text-functions 'classify-information)
-
-;; add HTML validator link to exports
-(setq org-html-validation-link "<a href=\"https://validator.w3.org/check?uri=referer\">Validate</a>")
-
-
-
-;;; Info mode
-;;; =========
-
-(setq Info-mode-map (make-sparse-keymap))
-(define-key Info-mode-map (kbd "RET") 'Info-follow-nearest-node)
-(define-key Info-mode-map (kbd "u") 'Info-up)
-(define-key Info-mode-map (kbd "TAB") 'Info-next-reference)
-(define-key Info-mode-map (kbd "<backtab>") 'Info-prev-reference)
-(define-key Info-mode-map (kbd "H") 'Info-history-back)
-(define-key Info-mode-map (kbd "L") 'Info-history-forward)
-(define-key Info-mode-map (kbd "I") 'Info-goto-node)
-(define-key Info-mode-map (kbd "i") 'Info-index)
-
-
-
-;; help mode
-;; =========
-
-(setq help-mode-map (make-sparse-keymap))
-(define-key help-mode-map (kbd "TAB") 'forward-button)
-(define-key help-mode-map (kbd "RET") 'help-follow)
-(define-key help-mode-map (kbd "<backtab>") 'backward-button)
-
-
-
-;; elfeed
-;; ======
-
-(require 'elfeed) ; needed so we can set the font faces
-(set-face-background 'elfeed-search-title-face "magenta")
-(set-face-background 'elfeed-search-unread-count-face "magenta")
-(setq elfeed-feeds
- '("https://capsurvival.blogspot.com/feeds/posts/default"
- "https://jungle.world/rss.xml"
- "http://news.dieweltistgarnichtso.net/bin/index.xml"
- "https://taz.de/!s=&ExportStatus=Intern&SuchRahmen=Online;rss/"
- "http://www.tagesschau.de/xml/atom"))
-(setq elfeed-search-mode-map (make-sparse-keymap))
-(define-key elfeed-search-mode-map (kbd "RET") 'elfeed-search-show-entry)
-(defun elfeed-search-mark-as-read() (interactive)
- (elfeed-search-untag-all 'unread))
-(define-key elfeed-search-mode-map (kbd "r") 'elfeed-search-mark-as-read)
-(define-key elfeed-search-mode-map (kbd "R") 'elfeed-search-tag-all-unread)
-(define-key elfeed-search-mode-map (kbd "f") 'elfeed-search-live-filter)
-(define-key elfeed-search-mode-map (kbd "u") 'elfeed-update)
-(setq elfeed-show-mode-map (make-sparse-keymap))
-(define-key elfeed-show-mode-map (kbd "u") 'elfeed)
-(define-key elfeed-show-mode-map (kbd "TAB") 'shr-next-link)
-(define-key elfeed-show-mode-map (kbd "<backtab>") 'shr-previous-link)
-(define-key elfeed-show-mode-map (kbd "a") 'elfeed-show-prev)
-(define-key elfeed-show-mode-map (kbd "d") 'elfeed-show-next)
-(define-key elfeed-show-mode-map (kbd "y") 'shr-copy-url)
-(define-key elfeed-show-mode-map (kbd "RET") 'shr-browse-url)
-
-
-
-;; eww
-;; ===
-
-(setq eww-mode-map (make-sparse-keymap))
-(define-key eww-mode-map (kbd "TAB") 'shr-next-link)
-(define-key eww-mode-map (kbd "<backtab>") 'shr-previous-link)
-(define-key eww-mode-map (kbd "H") 'eww-back-url)
-(define-key eww-mode-map (kbd "L") 'eww-forward-url)
-
-
-
-;; ledger
-;; ======
-(setq ledger-mode-map (make-sparse-keymap))
-(define-key ledger-mode-map (kbd "TAB") 'ledger-magic-tab)
-
-
-
-;;; plomvi mode
-;;; ===========
-
-(defvar plomvi-return-combo (kbd "C-c"))
-(load "~/public_repos/plomvi.el/plomvi.el")
-(plomvi-global-mode 1)
+++ /dev/null
-[user]
- email = c.heller@plomlompom.de
- name = Christian Heller
+++ /dev/null
-IMAPAccount plom
-# Address to connect to
-Host mail.plomlompom.com
-User plom
-# For some reason, mbsync doesn't accept a PassCmd output beyond 79 chars,
-# therefore the pw in ~/.authinfo should not be longer than that.
-PassCmd "cat ~/.authinfo | cut -d' ' -f8-"
-SSLType IMAPS
-AuthMechs LOGIN
-
-IMAPStore core-remote
-Account plom
-
-MaildirStore core-local
-# The trailing "/" is important
-Path ~/mail/maildir/
-Inbox ~/mail/inbox/
-
-Channel core
-Master :core-remote:
-Slave :core-local:
-Patterns *
-# Automatically create missing mailboxes, both locally and on the server
-Create Both
-# Save the synchronization state files in the relevant directory
-SyncState *
-# If a mail is marked T ("Trashed") or deleted, remove it for real everywhere
-Expunge Both
+++ /dev/null
-[database]
-path=/home/plom/mail
-[search]
-exclude_tags=deleted;spam;
-# the fields below set the From: if the mail composer is called from
-# within notmuch
-[user]
-name=Christian Heller
-primary_email=plom@plomlompom.com
+++ /dev/null
-sanitize tridactyllocal tridactylsync
-guiset statuspanel top-right
-guiset tabs autohide
-set newtab file:///opt/firefox/blank.html
-autocmd DocStart www.reddit.com urlmodify -t www.reddit old.reddit
-bind / fillcmdline find
-bind n findnext 1
-bind N findnext -1
-set findcase insensitive
-bind j scrollline 3
-bind k scrollline -3
-set hintuppercase false
-set searchengine duckduckgo
+++ /dev/null
-# X init configuration
-
-# Set keymap.
-setxkbmap de
-
-# Map CapsLock to Compose key.
-xmodmap -e "clear Lock"
-xmodmap -e "keycode 66 = Multi_key"
-
-# Load xterm settings
-xrdb -merge ~/.Xresources
-
-# Redshift to Berlin, Germany.
-redshift -rl 53:13 &
-
-# Launch window manager.
-i3
+++ /dev/null
-#!/bin/sh
-set -e
-
-basedir="/home/plom/mail/maildir/"
-# Ensure directories exist for all "dir:*" tags.
-for tag in $(notmuch search --output=tags '*'); do
- if [ ! $(echo "${tag}" | cut -c-4) = "dir:" ]; then
- continue
- fi
- target_dir="${basedir}"$(echo "${tag}" | cut -c5-)"/cur/"
- if [ ! -d "${target_dir}" ]; then
- echo "Directory ${target_dir} does not exist."
- exit 1
- fi
-done
-
-# Ensure all "dir:*"-tagged mails are in proper directories,
-# remove all "dir:*" tags.
-for tag in $(notmuch search --output=tags '*'); do
- if [ ! $(echo "${tag}" | cut -c-4) = "dir:" ]; then
- continue
- fi
- target_dir="${basedir}"$(echo "${tag}" | cut -c5-)"/cur/"
- for f in $(notmuch search --output=files tag:"${tag}"); do
- new_name=$(basename "${f}" | sed -e 's/,U=[0-9]*//')
- target_path="${target_dir}${new_name}"
- if [ ! "${target_path}" = "${f}" ]; then
- echo "Moving ${f} to ${target_path}."
- mv "${f}" "${target_path}"
- fi
- done
- notmuch tag -"${tag}" tag:"${tag}"
-done
-
-# Remove all "deleted"-tagged files from maildirs.
-notmuch search --output=files tag:deleted | while read f; do
- echo "Deleting ${f}"
- rm "${f}"
-done
-
-# Sync changes back to server and update notmuch index.
-mbsync -a
-notmuch new
+++ /dev/null
-# List of repos we want cloned in ~/public_repos
-config
-pingmail.git
-plomlombot-irc.git
-plomrogue
-plomrogue2-experiments
-plomvi.el
+++ /dev/null
-# plomlompom's i3 status bar configuration
-
-# Activate colors; set update interval of one second.
-general {
- colors = true
- interval = 1
-}
-
-# Selection / order of status elements.
-order += "disk /"
-order += "disk /home/"
-order += "wireless wlp3s0"
-order += "ethernet enp0s25"
-order += "battery 0"
-order += "cpu_usage"
-order += "load"
-order += "cpu_temperature 0"
-order += "time"
-order += "volume master"
-
-# How much space is left in / ?
-disk "/" {
- format = "/: %avail available of %total"
- separator_block_width = 25
-}
-
-# How much space is left in /home ?
-disk "/home/" {
- format = "/home: %avail available of %total"
- separator_block_width = 25
-}
-
-# WLAN status: show IP and connection quality or "down".
-wireless wlp3s0 {
- format_up = "w: (%quality at %essid) %ip"
- format_down = "w: down"
- separator_block_width = 10
-}
-
-# Ethernet status: show IP or "down".
-ethernet enp0s25 {
- format_up = "e: %ip"
- format_down = "e: down"
- separator_block_width = 25
-}
-
-# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
-battery 0 {
- format = "b: %status %percentage %remaining"
- separator_block_width = 25
-}
-
-# Show CPU usage.
-cpu_usage {
- format = "cpu: %usage"
- separator_block_width = 10
-}
-
-# Show system load during last 1/5/15 minutes.
-load {
- format = "%1min %5min %15min"
- separator_block_width = 25
-}
-
-# Show CPU temperature in degrees of celsius.
-cpu_temperature 0 {
- format = "%degrees °C"
- separator_block_width = 25
-}
-
-# Show date/time/timezone as "year-month-day hour:minute:second
-# timezone_numeric/timezone_alphabetic".
-time {
- format = "%Y-%m-%d %H:%M:%S %z/%Z"
- separator_block_width = 25
-}
-
-volume master {
- format = "♪: %volume"
- format_muted = "♪: muted (%volume)"
- separator_block_width = 25
-}
+++ /dev/null
-# plomlompom's i3 status bar configuration
-
-# Activate colors; set update interval of one second.
-general {
- colors = true
- interval = 1
-}
-
-# Selection / order of status elements.
-order += "disk /"
-order += "disk /home/"
-order += "wireless wls1"
-order += "ethernet enp0s25"
-order += "battery 0"
-order += "cpu_usage"
-order += "load"
-order += "cpu_temperature 0"
-order += "time"
-order += "volume master"
-
-# How much space is left in / ?
-disk "/" {
- format = "/: %avail available of %total"
- separator_block_width = 25
-}
-
-# How much space is left in /home ?
-disk "/home/" {
- format = "/home: %avail available of %total"
- separator_block_width = 25
-}
-
-# WLAN status: show IP and connection quality or "down".
-wireless wls1 {
- format_up = "w: (%quality at %essid) %ip"
- format_down = "w: down"
- separator_block_width = 10
-}
-
-# Ethernet status: show IP or "down".
-ethernet enp0s25 {
- format_up = "e: %ip"
- format_down = "e: down"
- separator_block_width = 25
-}
-
-# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
-battery 0 {
- format = "b: %status %percentage %remaining"
- separator_block_width = 25
-}
-
-# Show CPU usage.
-cpu_usage {
- format = "cpu: %usage"
- separator_block_width = 10
-}
-
-# Show system load during last 1/5/15 minutes.
-load {
- format = "%1min %5min %15min"
- separator_block_width = 25
-}
-
-# Show CPU temperature in degrees of celsius.
-cpu_temperature 0 {
- format = "%degrees °C"
- separator_block_width = 25
-}
-
-# Show date/time/timezone as "year-month-day hour:minute:second
-# timezone_numeric/timezone_alphabetic".
-time {
- format = "%Y-%m-%d %H:%M:%S %z/%Z"
- separator_block_width = 25
-}
-
-volume master {
- format = "♪: %volume"
- format_muted = "♪: muted (%volume)"
- separator_block_width = 25
-}
+++ /dev/null
-# plomlompom's i3 status bar configuration
-
-# Activate colors; set update interval of one second.
-general {
- colors = true
- interval = 1
-}
-
-# Selection / order of status elements.
-order += "disk /"
-order += "disk /home/"
-order += "wireless wlp3s0"
-order += "ethernet enp0s25"
-order += "battery 0"
-order += "cpu_usage"
-order += "load"
-order += "cpu_temperature 0"
-order += "time"
-order += "volume master"
-
-# How much space is left in / ?
-disk "/" {
- format = "/: %avail available of %total"
- separator_block_width = 25
-}
-
-# How much space is left in /home ?
-disk "/home/" {
- format = "/home: %avail available of %total"
- separator_block_width = 25
-}
-
-# WLAN status: show IP and connection quality or "down".
-wireless wlp3s0 {
- format_up = "w: (%quality at %essid) %ip"
- format_down = "w: down"
- separator_block_width = 10
-}
-
-# Ethernet status: show IP or "down".
-ethernet enp0s25 {
- format_up = "e: %ip"
- format_down = "e: down"
- separator_block_width = 25
-}
-
-# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
-battery 0 {
- format = "b: %status %percentage %remaining"
- separator_block_width = 25
-}
-
-# Show CPU usage.
-cpu_usage {
- format = "cpu: %usage"
- separator_block_width = 10
-}
-
-# Show system load during last 1/5/15 minutes.
-load {
- format = "%1min %5min %15min"
- separator_block_width = 25
-}
-
-# Show CPU temperature in degrees of celsius.
-cpu_temperature 0 {
- format = "%degrees °C"
- separator_block_width = 25
-}
-
-# Show date/time/timezone as "year-month-day hour:minute:second
-# timezone_numeric/timezone_alphabetic".
-time {
- format = "%Y-%m-%d %H:%M:%S %z/%Z"
- separator_block_width = 25
-}
-
-volume master {
- format = "♪: %volume"
- format_muted = "♪: muted (%volume)"
- separator_block_width = 25
-}
+++ /dev/null
-
-# plomlompom customizations
-Domain REPLACE_maildomain_ECALPER
-KeyFile /etc/dkimkeys/REPLACE_selector_ECALPER.private
-Selector REPLACE_selector_ECALPER
-Socket inet:8892@localhost
+++ /dev/null
-
-##########################################
-# below this: customizations by plomlompom
-
-config :pleroma, :instance,
- registrations_open: false,
- safe_dm_mentions: true,
- cleanup_attachments: true
-
-config :pleroma, :frontend_configurations,
- pleroma_fe: %{
- showInstanceSpecificPanel: true,
- background: "/pixel.png",
- logo: "/pixel.png"
- }
-
-config :pleroma, :chat,
- enabled: false
-
-config :pleroma, Pleroma.Captcha,
- enabled: false
-
-config :pleroma, :static_fe,
- enabled: true
+++ /dev/null
-
-# TLS certs
-smtpd_tls_cert_file=/etc/letsencrypt/live/${myhostname}/fullchain.pem
-smtpd_tls_key_file=/etc/letsencrypt/live/${myhostname}/privkey.pem
-
-# OpenDKIM milter
-non_smtpd_milters = inet:localhost:8892
-smtpd_milters = inet:localhost:8892
-
-# transport mail to dovecot; not strictly needed, as even without this
-# postfix will throw mail to /var/mail/USER to be found by dovecot for
-# serving via IMAP etc.; but using dovecot's LMTP server for delivery
-# allows us to do stuff like dovecot-side sieve filtering.
-mailbox_transport = lmtp:inet:127.0.0.1:2424
-
-# to authenticate on SMTP, we need a SASL mechanism; we talk to dovecot
-# for this, since it provides one
-smtpd_sasl_type = dovecot
-smtpd_sasl_path = private/auth
-smtpd_sasl_auth_enable = yes
-
-# we append mail domain here for if it is different than $myhostname
-mydestination = $myhostname localhost.$mydomain localhost REPLACE_maildomain_ECALPER
+++ /dev/null
-
-# Run SMTPS on port 465, enforce TLS there.
-smtps inet n - y - - smtpd
- -o smtpd_tls_wrappermode=yes
+++ /dev/null
-#!/bin/sh
-blog_dir=~/blog
-export GIT_DIR=$(pwd)
-export GIT_WORK_TREE="$blog_dir"
-git checkout -f
-cd "$GIT_WORK_TREE"
-redo
-git add metadata/author metadata/url metadata/title metadata/*.tmpl metadata/automatic_metadata captchas/linkable/*
-count=$(ls -1 metadata/*.automatic_metadata 2>/dev/null | wc -l)
-if [ "$count" != 0 ]; then
- git add metadata/*.automatic_metadata
-fi
-status=$(git status -s)
-n_updates=$(printf "$status" | grep -vE '^\?\?' | wc -l)
-if [ "$n_updates" -gt 0 ]; then
- git commit -a -m 'Update metadata'
-fi
+++ /dev/null
-require ["fileinto"];
-require ["mailbox"];
-if address :is "from" "foo@bar.com" {
- fileinto :create "foo";
-}
-if address :is :domain "to" "example.com" {
- fileinto :create "example.com";
-}
+++ /dev/null
-<!DOCTYPE html>
-<meta charset="UTF-8">
-<a href="blog">Zum Blog?</a>
+++ /dev/null
-# remove "keep" if you're sure about your setup; it keeps mails on server from getting deleted
-poll mail.example.com protocol pop3 username "foo@example.com" password "PASSWORD" ssl keep
+++ /dev/null
-listen:
- hostname: 'localhost'
- port: 9000
-
-# Correspond to your reverse proxy server_name/listen configuration
-webserver:
- https: true
- hostname: 'example.com'
- port: 443
-
-rates_limit:
- api:
- # 50 attempts in 10 seconds
- window: 10 seconds
- max: 50
- login:
- # 15 attempts in 5 min
- window: 5 minutes
- max: 15
- signup:
- # 2 attempts in 5 min (only succeeded attempts are taken into account)
- window: 5 minutes
- max: 2
- ask_send_email:
- # 3 attempts in 5 min
- window: 5 minutes
- max: 3
-
-# Proxies to trust to get real client IP
-# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
-# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
-trust_proxy:
- - 'loopback'
-
-# Your database name will be "peertube"+database.suffix
-database:
- password: 'peertube'
- hostname: 'localhost'
- port: 5432
- suffix: '_prod'
- username: 'peertube'
- pool:
- max: 5
-
-# Redis server for short time storage
-# You can also specify a 'socket' path to a unix socket but first need to
-# comment out hostname and port
-redis:
- hostname: 'localhost'
- port: 6379
- auth: null
- db: 0
-
-# SMTP server to send emails
-smtp:
- hostname: null
- port: 465 # If you use StartTLS: 587
- username: null
- password: null
- tls: true # If you use StartTLS: false
- disable_starttls: false
- ca_file: null # Used for self signed certificates
- from_address: 'admin@example.com'
-
-email:
- body:
- signature: "PeerTube"
- subject:
- prefix: "[PeerTube]"
-
-# From the project root directory
-storage:
- tmp: '/var/www/peertube/storage/tmp/' # Use to download data (imports etc), store uploaded files before processing...
- avatars: '/var/www/peertube/storage/avatars/'
- videos: '/var/www/peertube/storage/videos/'
- streaming_playlists: '/var/www/peertube/storage/streaming-playlists/'
- redundancy: '/var/www/peertube/storage/redundancy/'
- logs: '/var/www/peertube/storage/logs/'
- previews: '/var/www/peertube/storage/previews/'
- thumbnails: '/var/www/peertube/storage/thumbnails/'
- torrents: '/var/www/peertube/storage/torrents/'
- captions: '/var/www/peertube/storage/captions/'
- cache: '/var/www/peertube/storage/cache/'
- plugins: '/var/www/peertube/storage/plugins/'
-
-log:
- level: 'info' # debug/info/warning/error
- rotation:
- enabled : true # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
- maxFileSize: 12MB
- maxFiles: 20
- anonymizeIP: true
-
-search:
- # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
- # If enabled, the associated group will be able to "escape" from the instance follows
- # That means they will be able to follow channels, watch videos, list videos of non followed instances
- remote_uri:
- users: true
- anonymous: false
-
-trending:
- videos:
- interval_days: 7 # Compute trending videos for the last x days
-
-# Cache remote videos on your server, to help other instances to broadcast the video
-# You can define multiple caches using different sizes/strategies
-# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
-redundancy:
- videos:
- check_interval: '1 hour' # How often you want to check new videos to cache
- strategies: # Just uncomment strategies you want
-# -
-# size: '10GB'
-# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
-# min_lifetime: '48 hours'
-# strategy: 'most-views' # Cache videos that have the most views
-# -
-# size: '10GB'
-# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
-# min_lifetime: '48 hours'
-# strategy: 'trending' # Cache trending videos
-# -
-# size: '10GB'
-# # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
-# min_lifetime: '48 hours'
-# strategy: 'recently-added' # Cache recently added videos
-# min_views: 10 # Having at least x views
-
-csp:
- enabled: false
- report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
- report_uri:
-
-tracker:
- # If you disable the tracker, you disable the P2P aspect of PeerTube
- enabled: true
- # Only handle requests on your videos.
- # If you set this to false it means you have a public tracker.
- # Then, it is possible that clients overload your instance with external torrents
- private: true
- # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
- reject_too_many_announces: false
-
-history:
- videos:
- # If you want to limit users videos history
- # -1 means there is no limitations
- # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
- max_age: -1
-
-views:
- videos:
- # PeerTube creates a database entry every hour for each video to track views over a period of time
- # This is used in particular by the Trending page
- # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
- # -1 means no cleanup
- # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
- remote:
- max_age: -1
-
-plugins:
- # The website PeerTube will ask for available PeerTube plugins and themes
- # This is an unmoderated plugin index, so only install plugins/themes you trust
- index:
- enabled: true
- check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
- url: 'https://packages.joinpeertube.org'
-
-
-###############################################################################
-#
-# From this point, all the following keys can be overridden by the web interface
-# (local-production.json file). If you need to change some values, prefer to
-# use the web interface because the configuration will be automatically
-# reloaded without any need to restart PeerTube.
-#
-# /!\ If you already have a local-production.json file, the modification of the
-# following keys will have no effect /!\.
-#
-###############################################################################
-
-cache:
- previews:
- size: 500 # Max number of previews you want to cache
- captions:
- size: 500 # Max number of video captions/subtitles you want to cache
-
-admin:
- # Used to generate the root user at first startup
- # And to receive emails from the contact form
- email: 'admin@example.com'
-
-contact_form:
- enabled: true
-
-signup:
- enabled: false
- limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
- requires_email_verification: false
- filters:
- cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
- whitelist: []
- blacklist: []
-
-user:
- # Default value of maximum video BYTES the user can upload (does not take into account transcoded files).
- # -1 == unlimited
- video_quota: -1
- video_quota_daily: -1
-
-# If enabled, the video will be transcoded to mp4 (x264) with "faststart" flag
-# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions.
-# Please, do not disable transcoding since many uploaded videos will not work
-transcoding:
- enabled: true
- # Allow your users to upload .mkv, .mov, .avi, .flv videos
- allow_additional_extensions: true
- # If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
- allow_audio_files: true
- threads: 1
- resolutions: # Only created if the original video has a higher resolution, uses more storage!
- 0p: false # audio-only (creates mp4 without video stream, always created when enabled)
- 240p: true
- 360p: true
- 480p: true
- 720p: true
- 1080p: true
- 2160p: false
-
- # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
- # If you also enabled the hls format, it will multiply videos storage by 2
- # If disabled, breaks federation with PeerTube instances < 2.1
- webtorrent:
- enabled: true
-
- # /!\ Requires ffmpeg >= 4.1
- # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
- # * Resolution change is smoother
- # * Faster playback in particular with long videos
- # * More stable playback (less bugs/infinite loading)
- # If you also enabled the webtorrent format, it will multiply videos storage by 2
- hls:
- enabled: true
-
-import:
- # Add ability for your users to import remote videos (from YouTube, torrent...)
- videos:
- http: # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
- enabled: false
- # You can use an HTTP/HTTPS/SOCKS proxy with youtube-dl
- proxy:
- enabled: false
- url: ""
- torrent: # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
- enabled: false
-
-auto_blacklist:
- # New videos automatically blacklisted so moderators can review before publishing
- videos:
- of_users:
- enabled: false
-
-# Instance settings
-instance:
- name: 'PlomTube'
- short_description: ''
- description: 'Personal PeerTube instance by plomlompom (see https://plomlompom.com) for his own videos.' # Support markdown
- terms: '**Privacy**: Videos here are streamed via the BitTorrent protocol, which might expose your IP to other peers – see the "P2P & Privacy" section [here](/about/peertube). Internally, site visits are logged by the PeerTube software, but with IPs anonymized. **Contact**: See https://plomlompom.com/contact.html' # Support markdown
- code_of_conduct: '' # Supports markdown
-
- # Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
- moderation_information: '' # Supports markdown
-
- # Why did you create this instance?
- creation_reason: ''
-
- # Who is behind the instance? A single person? A non profit?
- administrator: ''
-
- # How long do you plan to maintain this instance?
- maintenance_lifetime: ''
-
- # How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
- business_model: ''
-
- # If you want to explain on what type of hardware your PeerTube instance runs
- # Example: "2 vCore, 2GB RAM..."
- hardware_information: '' # Supports Markdown
-
- # What are the main languages of your instance? To interact with your users for example
- # Uncomment or add the languages you want
- # List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
- languages:
-# - en
-# - es
-# - fr
-
- # You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
- # Uncomment or add the category ids you want
- # List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
- categories:
-# - 1 # Music
-# - 2 # Films
-# - 3 # Vehicles
-# - 4 # Art
-# - 5 # Sports
-# - 6 # Travels
-# - 7 # Gaming
-# - 8 # People
-# - 9 # Comedy
-# - 10 # Entertainment
-# - 11 # News & Politics
-# - 12 # How To
-# - 13 # Education
-# - 14 # Activism
-# - 15 # Science & Technology
-# - 16 # Animals
-# - 17 # Kids
-# - 18 # Food
-
- default_client_route: '/videos/trending'
-
- # Whether or not the instance is dedicated to NSFW content
- # Enabling it will allow other administrators to know that you are mainly federating sensitive content
- # Moreover, the NSFW checkbox on video upload will be automatically checked by default
- is_nsfw: false
- # By default, "do_not_list" or "blur" or "display" NSFW videos
- # Could be overridden per user with a setting
- default_nsfw_policy: 'do_not_list'
-
- customizations:
- javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
- css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
- # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add '/' to "Disallow:'
- robots: |
- User-agent: *
- Disallow:
- # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string.
- securitytxt:
- "# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:"
-
-services:
- # Cards configuration to format video in Twitter
- twitter:
- username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
- # If true, a video player will be embedded in the Twitter feed on PeerTube video share
- # If false, we use an image link card that will redirect on your PeerTube instance
- # Change it to "true", and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
- whitelisted: false
-
-followers:
- instance:
- # Allow or not other instances to follow yours
- enabled: true
- # Whether or not an administrator must manually validate a new follower
- manual_approval: false
-
-followings:
- instance:
- # If you want to automatically follow back new instance followers
- # If this option is enabled, use the mute feature instead of deleting followings
- # /!\ Don't enable this if you don't have a reactive moderation team /!\
- auto_follow_back:
- enabled: false
-
- # If you want to automatically follow instances of the public index
- # If this option is enabled, use the mute feature instead of deleting followings
- # /!\ Don't enable this if you don't have a reactive moderation team /!\
- auto_follow_index:
- enabled: false
- index_url: 'https://instances.joinpeertube.org'
-
-theme:
- default: 'default'
+++ /dev/null
-# place for test files whose modification times are used to track lifesigns
-testdir=$HOME'/.pingmail'
-
-# modification time is the last time a ping was sent or a lifetime received
-ping_touch=$testdir'/ping_touch'
-
-# modification time is when the count for sending checker a warning mail starts
-reminder_touch=$testdir'/reminder_touch'
-
-# how long to wait for lifesigns before sending a ping; double is time to wait
-# for a lifesign before sending a warning message to checker
-wait_time=86400
-
-# address of the checker, receives warning message after too long wait
-checker_address='bar@example.org'
-
-# address of the checked person, ping is sent here
-checked_address='foo@example.org'
-
-# content of ping message sent to checked person
-subj2checked='[pingmail] Ping!'
-msg2checked='Hi!\n
-\nThis is an automated mail ping from '$checker_address'.
-\nRespond to show that you are still alive!'
-
-# content of warning message sent to checker
-id_target='foo'
-subj2checker='[pingmail] No recent life signs from '$id_target
-reminder_time=`expr $wait_time \* 2`
-msg2checker='pingmail reporting in:\n
-\nNo life signs from '$id_target' for the last '$reminder_time' seconds.
-\nMaybe you should give them a call to check if they are okay.'
-
-# mail client command reading message body from stdin and subject from parameter
-mailclient_s='mail -s'
-
-# mailbox file to check for most recent life sign
-mbox=$HOME'/mail/foo'
-
-# to recursively search for most recent matches to $matchstring as lifesigns
-#maildir=$HOME'/mail'
-
-# pattern to search $maildir for recursively for lifesigns
-#checked_address_escaped=`echo $checked_address | sed 's/\./\\./g'`
-#matchstring='^From: .*('$checked_address_escaped'|alternate@example\.org)'
+++ /dev/null
-<div style="margin: 1em;">
- <p>Privacy: Visitor IP addresses are anonymized in the logs.</p>
- <p>Contact: See <a href="https://plomlompom.com/contact.html">plomlompom.com contact page</a>.</p>
-</div>
+++ /dev/null
-User-agent: *
-Disallow:
+++ /dev/null
-This is <a href="https://plomlompom.com">plomlompom</a>'s personal single-user Pleroma instance.
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Repeatedly parse config file for GPG key and bot screen configs.
-path=~/.plomlombot
-db_dir="${HOME}/plomlombot_db"
-irclogs_dir=/var/www/html/irclogs
-irclogs_pw_dir=/var/www/irclogs_pw
-hostname_mod_epoch=$(stat -c%Y /etc/hostname)
-while true; do
- if [ -f "${path}" ]; then
- cat "${path}" | while read line; do
- first_word=$(echo -n "${line}" | cut -d' ' -f1)
-
- # Read "bot:" line, start bot screen session from it if not yet existing,
- # set up irclogs dir if not yet existing.
- if [ "${first_word}" = "bot:" ]; then
- session_name=$(echo -n "${line}" | cut -d' ' -f2)
- bot_name=$(echo -n "${line}" | cut -d' ' -f3)
- channel_name=$(echo -n "${line}" | cut -d' ' -f4)
- shortened_channel_name="${channel_name}"
- first_char=$(echo -n "${channel_name}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- shortened_channel_name=$(echo -n "${channel_name}" | cut -c2-)
- fi
- server_name=$(echo -n "${line}" | cut -d' ' -f5)
- login_user=$(echo -n "${line}" | cut -d' ' -f6)
- login_pw=$(echo -n "${line}" | cut -d' ' -f7)
- add_option=$(echo -n "${line}" | cut -d' ' -f8-)
- set +e
- screen -S "${session_name}" -Q select . > /dev/null
- start_screen=$?
- set -e
- if [ "${start_screen}" -eq "1" ]; then
- cd ~/plomlombot-irc
- LANG="en_US.UTF-8" screen -d -m -S "${session_name}" ./run.sh -r 604800 -n "${bot_name}" -s "${server_name}" -c "${channel_name}" ${add_option}
- fi
- md5_server=$(echo -n "${server_name}" | md5sum | cut -d' ' -f1)
- md5_channel=$(echo -n "${channel_name}" | md5sum | cut -d' ' -f1)
- logs_dir="${db_dir}/${md5_server}/${md5_channel}/logs"
- # FIXME: Note the trouble we will have if we have the same channel
- # name on different servers …
- ln -sfn "${logs_dir}" "${irclogs_dir}/${shortened_channel_name}"
- echo "${login_user}":'{PLAIN}'"${login_pw}" > "${irclogs_pw_dir}/${shortened_channel_name}"
-
- # If "gpg_key" line, encrypt old raw logs to that GPG key.
- elif [ "${first_word}" = "gpg_key" ]; then
- key=$(echo -n "${line}" | cut -d' ' -f2)
- mkdir -p ~/plomlombot_db
- cd ~/plomlombot_db
- # Dirty hack: To avoid trouble with GPG key expiration, fake
- # system to something reasonbly old (younger than key creation,
- # older than expiration) by taking the mod datetime of
- # /etc/hostname, which should have last be changed when the
- # system was set up.
- find . -path '*/*/raw_logs/*.txt' -mtime +1 -type f -exec gpg --recipient "${key}" --trust-model always --faked-system-time="${hostname_mod_epoch}" --encrypt {} \; -exec rm {} \;
- fi
-
- done
- sleep 1
- fi
-done
+++ /dev/null
-#!/bin/sh
-GIT_WORK_TREE=/home/plom/plomlombot-irc git checkout -f
+++ /dev/null
-{
- "translations": {
- "wrongCaptcha": "Captcha leider falsch.",
- "invalidURL": "Falsch formatierte URL.",
- "recordedURL": "URL aufgezeichnet (wird gesichtet und bei Angemessenheit dem Artikel angefügt): ",
- "pleaseWait": "Zu viele Versuche von dieser IP. So viele Sekunden warten: "
- },
- "mailConfig": {
- "to": "plom+url_catcher@plomlompom.com",
- "from": "plom+url_catcher@plomlompom.com"
- },
- "slowdownReset": 3600
-}
+++ /dev/null
-#!/bin/sh
-GIT_WORK_TREE=/var/www git checkout -f
+++ /dev/null
-#!/bin/sh
-
-# Enforce ~/.weechatrc as sole persistent weechat config file.
-rm -rf ~/.weechat/
-WEECHATCONF=`tr '\n' ';' < ~/.weechatrc`
-weechat -r "$WEECHATCONF"
-rm -rf ~/.weechat/
+++ /dev/null
-#!/bin/sh
-# Encrypt dated weechatlog files older than one day to GPG target defined in
-# ~/.encrypt_target
-set -e
-
-gpg_key=$(cat ~/.encrypt_target)
-cd ~/weechatlogs/irc/
-
-# Dirty hack: To avoid trouble with GPG key expiration, fake
-# system to something reasonbly old (younger than key creation,
-# older than expiration) by taking the mod datetime of
-# /etc/hostname, which should have last be changed when the
-# system was set up.
-hostname_mod_epoch=$(stat -c%Y /etc/hostname)
-find . -regextype posix-egrep -regex '^.*/.*/.*\.[0-9]{4}-[0-9]{2}-[0-9]{2}\.weechatlog$' -type f -mtime +1 -exec gpg --recipient "${gpg_key}" --trust-model always --faked-system-time="${hostname_mod_epoch}" --encrypt {} \; -exec rm {} \;
-
+++ /dev/null
-/set logger.file.path ~/weechatlogs
-/set logger.file.flush_delay 0
-/set logger.mask.irc "irc/$server/$channel.%Y-%m-%d.weechatlog"
-/set weechat.bar.status.items "[time],[buffer_last_number],[buffer_plugin],buffer_number+:+buffer_name+(buffer_modes)+{buffer_nicklist_count}+buffer_zoom+buffer_filter,[lag],[hotlist],completion,scroll,[otr]"
-/set weechat.color.chat_nick_colors "lightcyan"
-/server add freenode irc.freenode.net -nicks=plimlompom,plimlomp0m,pliml0mp0m -realname="foo bar" -autojoin=#plomlompomtest
-/connect freenode
-/bar hide buflist
+++ /dev/null
-#!/bin/sh
-ZETTELDIR=/home/plom/zettel
-GIT_WORK_TREE=$ZETTELDIR git checkout -f
-cd $ZETTELDIR
-redo
+++ /dev/null
-#!/bin/sh
-set -e
-set -x
-
-if [ "$#" -lt 3 ]; then
- echo 'Need at least three arguments: service name, DB name, and backup directory names.'
- false
-fi
-app="$1"
-db_name="$2"
-shift 2
-
-cd /tmp
-rm -rf "${app}_backup"
-mkdir "${app}_backup"
-chmod 777 "${app}_backup"
-
-service "${app}" stop
-
-su postgres -lc "pg_dump -d ${db_name} --format=custom -f /tmp/${app}_backup/${db_name}.pgdump"
-for target in "$@"; do
- mkdir -p $(dirname "${app}_backup${target}")
- cp -a "${target}" "${app}_backup${target}"
-done
-
-tar cf "${app}_backup.tar" "${app}_backup"
-rm -rf "${app}_backup"
-chown plom:plom "${app}_backup.tar"
-mv "${app}_backup.tar" /home/plom
+++ /dev/null
-#!/bin/sh
-# Copy files in argument-selected subdirectories of $1 to subdirectories
-# of $2 (which may be an empty string), e.g. with $1 of "etc_files", $2
-# of "" and $3 of "all", copy files below etc_files/all such as
-# etc_files/all/etc/foo/bar to equivalent locations below / such as
-# /etc/foo/bar. Create directories as necessary. Multiple arguments after
-# $3 are possible.
-#
-# CAUTION: This removes original files at the affected paths.
-set -e
-
-if [ "$#" -lt 3 ]; then
- echo 'Need arguments: source root, target root, modules.'
- false
-fi
-source_root="$1"
-target_root="$2"
-shift 2
-
-for target_module in "$@"; do
- mkdir -p "${source_root}/${target_module}"
- cd "${source_root}/${target_module}"
- for path in $(find . -type f); do
- target_path="${target_root}"$(echo "${path}" | cut -c2-)
- source_path=$(realpath "${path}")
- dir=$(dirname "${target_path}")
- mkdir -p "${dir}"
- cp "${source_path}" "${target_path}"
- done
-done
+++ /dev/null
-#!/bin/sh
-# This script turns a fresh server with password-based root access to
-# one of only key-based access and only to new non-root account plom.
-#
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/id_rsa.pub, and also any old
-# /etc/ssh/sshd_config.
-#
-# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
-# configured sshd_config file in reach.
-set -e
-
-# Location auf a sshd_config with "PermitRootLogin no" and
-# "PasswordAuthentication no".
-config_tree_prefix="${HOME}/public_repos/config/buster"
-linkable_files_dir="${config_tree_prefix}/etc_files/server"
-system_path_sshd_config='/etc/ssh/sshd_config'
-local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Ask for root password only once, sshpass will re-use it then often.
-stty -echo
-printf "(Old) server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="${PW_ROOT}"
-
-# This will be used to log-in as root from plom account.
-echo 'Asking for new root password.'
-ssh root@"${server}" "passwd"
-
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login by copying over the
-# sshd_config and restart ssh daemon.
-#
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
-sshpass -e ssh root@"${server}" \
- 'useradd -m plom && '\
- 'mkdir /home/plom/.ssh && '\
- 'chown plom:plom /home/plom/.ssh && '\
- 'chown plom:plom /tmp/authorized_keys && '\
- 'chmod u=rw,go= /tmp/authorized_keys && '\
- 'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
-sshpass -e ssh root@"${server}" 'service ssh restart'
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Location auf a sshd_config with "PermitRootLogin no" and
-# "PasswordAuthentication no".
-config_tree_prefix="${HOME}/public_repos/config/buster"
-linkable_files_dir="${config_tree_prefix}/etc_files/server"
-system_path_sshd_config='/etc/ssh/sshd_config'
-local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# So we're only asked once …
-eval $(ssh-agent)
-ssh-add
-
-# This will be used to log-in as root from plom account.
-echo 'Asking for new root password.'
-ssh root@"${server}" "passwd"
-
-# Set up plom's ~/.ssh/authorized_keys from root's.
-ssh root@"${server}" 'useradd -m plom'
-ssh root@"${server}" 'mkdir /home/plom/.ssh'
-ssh root@"${server}" 'chown plom:plom /home/plom/.ssh'
-ssh root@"${server}" 'cp /root/.ssh/authorized_keys /home/plom/.ssh/'
-ssh root@"${server}" 'chown plom:plom /home/plom/.ssh/authorized_keys'
-
-# Set up SSH config and remove direct SSH login to root.
-scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
-ssh root@"${server}" 'rm -rf /root/.ssh && service ssh restart'
+++ /dev/null
-#!/bin/sh
-# Walks through the package names in the argument-selected files of
-# apt-mark/ and ensures the respective packages are installed.
-#
-# Ignores anything in an apt-mark/ file after the last newline.
-set -e
-
-config_tree_prefix="${HOME}/config/buster"
-aptmark_dir="${config_tree_prefix}/apt-mark"
-
-for target in "$@"; do
- path="${aptmark_dir}/${target}"
- # TODO: continue if file at $path not found, to get rid of dummy files
- cat "${path}" | while read line; do
- echo "$line"
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=--force-confold install "${line}"
- fi
- done
-done
+++ /dev/null
-#!/bin/sh
-set -e
-set -x
-
-if [ "$#" -lt 2 ]; then
- echo 'Need two arguments: old server IP, and service name.'
- false
-fi
-if [ ! "$2" = "pleroma_otp" ] && [ ! "$2" = "pleroma_source" ] && [ ! "$2" = "peertube" ]; then
- echo "Need legal service name (pleroma_otp or pleroma_source or peertube)."
- false
-fi
-server_ip="$1"
-app="$2"
-service="$2"
-if [ "${app}" = "pleroma_otp" ]; then
- db_name="pleroma"
- dirs="/var/lib/pleroma/uploads /etc/pleroma"
- service=pleroma
-elif [ "${app}" = "pleroma_source" ]; then
- db_name="pleroma"
- dirs="/var/lib/pleroma/uploads /opt/pleroma/config"
- service=pleroma
-elif [ "${app}" = "peertube" ]; then
- db_name="peertube_prod"
- dirs="/var/www/peertube/storage /var/www/peertube/config"
-fi
-
-config_tree_prefix="${HOME}/config/buster"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-
-cd "${setup_scripts_dir}"
-./prepare_to_meet_server.sh "${server_ip}"
-read -p'Hit Enter when you are done.' ignore
-eval $(ssh-agent) && ssh-add
-echo 'Enter password for root on target server next.'
-ssh plom@"${server_ip}" "su -lc \"cd config/buster/setup_scripts && git pull && ./backup_app.sh ${service} ${db_name} ${dirs}\""
-scp plom@"${server_ip}":~/${service}_backup.tar /home/plom/${service}_backup.tar
-./restore_app.sh "${app}" "${db_name}"
+++ /dev/null
-#!/bin/sh
-set -e
-
-if [ "$#" -ne 1 ]; then
- echo 'Need old server IP.'
- false
-fi
-old_server="$1"
-config_tree_prefix="${HOME}/config/buster"
-cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
-chown plom:plom /home/plom/prepare_to_meet_server.sh
-su -lc "./prepare_to_meet_server.sh ${old_server}" plom
-read -p'Hit Enter when you are done.' ignore
-rm /home/plom/prepare_to_meet_server.sh
-cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
-su -lc "./mirror_dir.sh ${old_server} /home/plom/borg" plom
-rm /home/plom/mirror_dir.sh
+++ /dev/null
-#!/bin/sh
-# Mirror directory tree from remote to local server, keeping the path.
-set -e
-
-if [ $# -lt 2 ]; then
- echo "Need server and directory as arguments."
- false
-fi
-server=$1
-dir=$2
-path_package=/tmp/delete.tar
-
-eval `ssh-agent`
-ssh-add
-cd
-ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
-scp plom@"${server}":"${path_package}" "${path_package}"
-mkdir -p "${dir}"
-cd "${dir}"
-tar xf "${path_package}"
-cd
-rm "${path_package}"
-ssh plom@"${server}" rm "${path_package}"
+++ /dev/null
-#!/bin/sh
-# Do some of the steps necessary to SSH (key-based) with another server.
-set -e
-
-if [ "$#" -ne 1 ]; then
- echo 'Need server IP as argument.'
- false
-fi
-target="$1"
-
-# We need a public key to copy over, so generate it if not found.
-if [ ! -f ~/.ssh/id_rsa.pub ]; then
- ssh-keygen -N ""
-fi
-
-# Add target to ~/.ssh/known_hosts so we don't get
-# asked for permission at inopportune moments.
-ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
-
-# Tell user what to do.
-echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
-cat ~/.ssh/id_rsa.pub
+++ /dev/null
-#!/bin/sh
-# This script removes all Debian packages that are not of Priority
-# "required" or not depended on by packages of priority "required"
-# or not listed in the argument-selected files of apt-mark/.
-set -e
-
-config_tree_prefix="${HOME}/config/buster"
-aptmark_dir="${config_tree_prefix}/apt-mark"
-
-dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
-for target in "$@"; do
- path="${aptmark_dir}/${target}"
- cat "${path}" | while read line; do
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- echo "${line}" >> /tmp/list_white_unsorted
- fi
- done
-done
-sort /tmp/list_white_unsorted > /tmp/list_white
-dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
-sort /tmp/list_all_packages > /tmp/foo
-mv /tmp/foo /tmp/list_all_packages
-comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
-apt-mark auto `cat /tmp/list_black`
-DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
-
-# Somehow, auto-mounts get undone by all of this, so re-mount /etc/fstab.
-# TODO: Find out why.
-mount -a
+++ /dev/null
-#!/bin/sh
-set -e
-set -x
-
-if [ "$#" -lt 2 ]; then
- echo 'Need two arguments: service name and DB name.'
- false
-fi
-if [ ! "$1" = "pleroma_otp" ] && [ ! "$1" = "pleroma_source" ] && [ ! "$1" = "peertube" ]; then
- echo "Need legal service name (pleroma_otp or pleroma_source or peertube)."
- false
-fi
-app="$1"
-db_name="$2"
-service="$1"
-if [ "${app}" = "pleroma_source" ] || [ "${app}" = "pleroma_otp" ]; then
- service=pleroma
-fi
-
-service "${service}" stop
-
-mv "/home/plom/${service}_backup.tar" /tmp/
-cd /tmp
-tar xf "${service}_backup.tar"
-
-su postgres -c "pg_restore -c -1 -d ${db_name} ${service}_backup/${db_name}.pgdump"
-rm "${service}_backup/${db_name}.pgdump"
-
-cd "${service}_backup"
-for path in $(find . -type f); do
- if [ "${app}" = "pleroma_source" ]; then
- if [ "${path}" = './opt/pleroma/config/prod.secret.exs' ]; then
- continue # skip file that contains passwords
- fi
- fi
- target_path=$(echo "${path}" | cut -c2-)
- source_path=$(realpath "${path}")
- dir=$(dirname "${target_path}")
- mkdir -p "${dir}"
- cp -a "${source_path}" "${target_path}"
-done
-
-# TODO: Horrible hack, improve.
-if [ "${app}" = "pleroma_otp" ]; then
- db_pw=$(cat /etc/pleroma/config.exs | grep password | sed 's/[ ]*password\: *//g' | sed 's/,//g' | sed 's/"//g')
-elif [ "${app}" = "peertube" ]; then
- db_pw=$(cat /var/www/peertube/config/production.yaml | grep password | head -1 | sed "s/[ ]*password\: *//g" | sed "s/'//g")
-fi
-if [ "${app}" = "pleroma_otp" ] || [ "${app}" = "peertube" ]; then
- su postgres -lc "psql -c \"ALTER USER ${service} WITH PASSWORD '${db_pw}';\""
-fi
-
-service "${service}" start
+++ /dev/null
-#!/bin/sh
-# Sets hostname and optionally FQDN.
-#
-# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
-# writing follows recommendations from Debian manual at
-# <https://www.debian.org/doc/manuals/debian-reference/ch05.en.html>
-# (section "The hostname resolution") on how to map hostname and possibly
-# FQDN to a permanent IP if present (we assume here any non-private IP
-# and non-loopback IP returned by hostname -I to fulfill that criterion
-# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
-# localhost and hostname mapping to different IPs, see
-# <https://unix.stackexchange.com/a/13087>.
-#
-# Ignores IPv6s.
-set -e
-
-hostname="$1"
-fqdn="$2"
-if [ "${hostname}" = "" ]; then
- echo "Need hostname as argument."
- false
-fi
-echo "${hostname}" > /etc/hostname
-hostname "${hostname}"
-
-final_ip="127.0.1.1"
-for ip in $(hostname -I); do
- if [ $(echo "${ip}" | grep ':' | wc -l) -eq 1 ]; then
- continue
- fi
- range_1=$(echo "${ip}" | cut -d "." -f 1)
- range_2=$(echo "${ip}" | cut -d "." -f 2)
- if [ "${range_1}" -eq 127 ]; then
- continue
- elif [ "${range_1}" -eq 10 ]; then
- continue
- elif [ "${range_1}" -eq 172 ]; then
- if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
- continue
- fi
- elif [ "${range_1}" -eq 192 ]; then
- if [ "${range_2}" -eq 168 ]; then
- continue
- fi
- fi
- final_ip="${ip}"
-done
-
-echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
-echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Provide maximum input for set_hostname_and_fqdn.sh.
-if [ "$#" -lt 2 ]; then
- echo 'Need at least two arguments (hostname, FQDN).'
- false
-fi
-hostname="$1"
-fqdn="$2"
-shift 2
-
-config_tree_prefix="${HOME}/config/buster"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-
-# Adapt /etc/ to our needs by copying from ./etc_files. This will set
-# basic configurations affecting following steps, such as setup of APT
-# and the locale selection, so needs to be right at the beginning.
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" all "$@"
-
-# Set hostname and FQDN.
-./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
-
-# Ensure package installation state as defined by what packages are
-# defined as required by Debian policy and by settings in ./apt-mark/.
-apt update
-./install_for_target.sh all "$@"
-./purge_nonrequireds.sh all "$@"
-
-# Ensure our desired locale is available.
-locale-gen
-
-# Only upgrade after reducing the system to the desired minimum, so that
-# we don't need to get more data than necessary.
-apt -y dist-upgrade
-
-# Set Berlin localtime.
-ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+++ /dev/null
-#!/bin/sh
-set -e
-
-if [ "$#" -ne 1 ]; then
- echo 'Need exactly one argument (system name).'
- false
-fi
-if [ ! "$1" = "eeepc" ] && [ ! "$1" = "x200s" ] && [ ! "$1" = "x220" ] && [ ! "$1" = "w530" ]; then
- echo "Need legal system name."
- false
-fi
-system_name="$1"
-
-# Set up system without user environment.
-config_tree_prefix="${HOME}/config/buster"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-if [ "$1" = "x200s" ] || [ "$1" = "x220" ] || [ "$1" = "w530" ]; then
- ./setup.sh "${system_name}" "" user desktop thinkpad "${system_name}"
-else
- ./setup.sh "${system_name}" "" user desktop "${system_name}"
-fi
-# For hibernation on lid switch to work, we need a newer kernel on the EeePC,
-# see <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=919227>.
-if [ "${system_name}" = "eeepc" ]; then
- apt -y install -t buster-backports linux-image-amd64
-fi
-
-# Set up printer.
-lpadmin -p 'HP_Deskjet_F300_series' -m 'drv:///hpcups.drv/hp-deskjet_f300_series.ppd' -o 'OutputMode=NormalGray' -E
-service cups restart
-
-# Install Firefox directly from Mozilla.
-firefox_release="68.4.1esr"
-firefox_filename="firefox-${firefox_release}.tar.bz2"
-url_firefox="https://ftp.mozilla.org/pub/firefox/releases/${firefox_release}/linux-x86_64/en-US/${firefox_filename}"
-wget "${url_firefox}"
-mv "${firefox_filename}" /opt/
-cd /opt/
-tar xf "${firefox_filename}"
-rm "${firefox_filename}"
-ln -s /opt/firefox/firefox /usr/local/bin/
-update-alternatives --install /usr/bin/x-www-browser x-www-browser /opt/firefox/firefox 200
-update-alternatives --set x-www-browser /opt/firefox/firefox
-
-# Install Firefox plugins.
-# See <https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Distribution_options/Sideloading_add-ons>
-extensions_dir="/usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/"
-mkdir -p "${extensions_dir}"
-umatrix_version="1.4.0"
-umatrix_xpi="uMatrix.firefox.xpi"
-url_umatrix="https://github.com/gorhill/uMatrix/releases/download/${umatrix_version}/${umatrix_xpi}"
-wget "${url_umatrix}"
-name=$(unzip -p "${umatrix_xpi}" manifest.json | jq -r .applications.gecko.id)
-mv "${umatrix_xpi}" "${name}".xpi
-tridactyl_version="1.17.1pre3355"
-tridactyl_xpi="tridactyl_beta-${tridactyl_version}-an+fx.xpi"
-url_tridactyl="https://tridactyl.cmcaine.co.uk/betas/${tridactyl_xpi}"
-wget "${url_tridactyl}"
-name=$(unzip -p "${tridactyl_xpi}" manifest.json | jq -r .applications.gecko.id)
-mv "${tridactyl_xpi}" "${name}.xpi"
-mv *.xpi "${extensions_dir}"
-
-# Set up user environments.
-secrets_dev="sdb"
-source_dir_secrets="/media/${secrets_dev}/to_usb"
-target_dir_secrets="/home/plom/tmp_secrets"
-cd "${setup_scripts_dir}"
-./copy_dirtree.sh "${config_tree_prefix}/home_files" "/root" minimal root
-set +e
-HOME_DIR_EXISTS=$([ ! -d "/home/plom" ]; echo $?)
-set -e
-adduser --disabled-password --gecos "" plom
-usermod -a -G sudo plom
-passwd plom
-if [ "${HOME_DIR_EXISTS}" -eq 0 ]; then
- echo "Put secrets drive into slot for /dev/${secrets_dev}."
- while [ ! -e /dev/"${secrets_dev}" ]; do
- sleep 1
- done
- stty -echo
- printf "Secrets passphrase: "
- read secrets_pass
- stty echo
- echo "" # newline so user knows their input return was accepted
- echo "${secrets_pass}" | pmount /dev/"${secrets_dev}"
- cp -a "${source_dir_secrets}" "${target_dir_secrets}"
- chown -R plom:plom "${target_dir_secrets}"
- pumount "${secrets_dev}"
- echo "You can remove /dev/${secrets_dev} now."
- cp setup_home.sh /home/plom
- chown plom:plom /home/plom/setup_home.sh
- SECRETS_PASS="${secrets_pass}" su -c "cd && ./setup_home.sh ${system_name}" plom
-fi
+++ /dev/null
-#!/bin/sh
-set -e
-
-if [ "$#" -ne 4 ]; then
- echo 'Need domain name and mail and old server and repos source ("local" or "remote"?).'
- false
-fi
-if [ ! "$4" = "local" ] && [ ! "$4" = "remote" ]; then
- echo "Need legal repo source name."
- false
-fi
-domain="$1"
-mail="$2"
-old_server="$3"
-repos_source="$4"
-
-read -p"Only continue if hostname is not domain of url_catcher's target mail address, else abort!" ignore
-
-# Install configs, set up firewall.
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-config_tree_prefix="${HOME}/config/buster"
-./install_for_target.sh web dumpsite
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web dumpsite
-nft -f /etc/nftables.conf
-
-# Set up letsencrypt certificate. TODO: Is it auto-renewed?
-ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
-certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
-rm /etc/nginx/sites-enabled/default
-
-# Set up connection to old dump server.
-cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
-chown plom:plom /home/plom/prepare_to_meet_server.sh
-su -lc "./prepare_to_meet_server.sh ${old_server}" plom
-read -p'Hit Enter when you are done.' ignore
-rm /home/plom/prepare_to_meet_server.sh
-
-# Set up dump dirs.
-mkdir /var/www-dump
-chown plom:plom /var/www-dump
-dump_dir=dump
-geheim_dir=geheim
-su -lc "ln -s /home/plom/${dump_dir} /var/www-dump/${dump_dir}" plom
-su -lc "ln -s /home/plom/${geheim_dir} /var/www-dump/${geheim_dir}" plom
-cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
-su -lc "./mirror_dir.sh ${old_server} /home/plom/${dump_dir}" plom
-su -lc "./mirror_dir.sh ${old_server} /home/plom/${geheim_dir}" plom
-su -lc "scp plom@${old_server}:/var/www-dump/password_geheim ~" plom
-mv /home/plom/password_geheim /var/www-dump/password_geheim
-rm /home/plom/mirror_dir.sh
-
-# Set up redo.
-wget http://news.dieweltistgarnichtso.net/bin/archives/redo-sh.tar.gz
-tar -moxzf redo-sh.tar.gz -C /usr/local
-
-# Set up zettel.
-su -lc "git clone --mirror ${old_server}:zettel.git" plom
-cp "${config_tree_prefix}/other_files/zettel_hook_post-receive" /home/plom/zettel.git/hooks/post-receive
-su -lc "git clone ~/zettel.git && cd zettel && redo" plom
-su -lc "ln -s /home/plom/zettel /var/www-dump/zettel" plom
-# NOTE: Locally, to update content, clone zettel.git, not zettel.
-
-# Set up redo blog.
-su -lc "git clone --mirror ${old_server}:blog.git" plom
-cp "${config_tree_prefix}/other_files/blog_hook_post-receive" /home/plom/blog.git/hooks/post-receive
-su -lc "git clone ~/blog.git" plom
-# TODO: set up like plomlombot repo (with post-recieve hook)?
-if [ "$repo_source" = "local"]; then
- su -lc "git clone /var/repos/redo-blog" plom
-else
- su -lc "git clone https://plomlompom.com/repos/clone/redo-blog" plom
-fi
-su -lc "cd redo-blog && ./add_dir.sh ~/blog" plom
-su -lc "cd blog && redo" plom
-su -lc "ln -s /home/plom/blog/public /var/www-dump/blog" plom
-# NOTE: Locally, to update content, clone blog.git, not blog.
-
-# Set up url catcher.
-# TODO: set up like plomlombot repo (with post-recieve hook)?
-if [ "$repo_source" = "local"]; then
- su -lc "git clone /var/repos/url-catcher" plom
-else
- su -lc "git clone https://plomlompom.com/repos/clone/url-catcher" plom
-fi
-su -lc "cd url-catcher && ln -s ../blog/captchas/linkable/ captchas" plom
-cp "${config_tree_prefix}/other_files/url-catcher_customizations.json" /home/plom/url-catcher/customizations.json
-systemctl enable url_catcher.service
-service url_catcher start
-cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
-su -lc "./mirror_dir.sh ${old_server} /home/plom/url-catcher/ips" plom
-su -lc "./mirror_dir.sh ${old_server} /home/plom/url-catcher/lists" plom
-rm /home/plom/mirror_dir.sh
-
-# Set up index.html
-cp "${config_tree_prefix}/other_files/dumpsite_index.html" /var/www-dump/index.html
-
-# Prepare NGINX.
-sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/nginx/sites-available/dumpsite.nginx
-ln -s /etc/nginx/sites-available/dumpsite.nginx /etc/nginx/sites-enabled/dumpsite.nginx
-
-service nginx restart
+++ /dev/null
-#!/bin/sh
-set -e
-
-if [ "$#" -ne 1 ]; then
- echo 'Need exactly one argument (system name).'
- false
-fi
-if [ ! "$1" = "eeepc" ] && [ ! "$1" = "x200s" ]&& [ ! "$1" = "x220" ]; then
- echo "Need legal system name."
- false
-fi
-system_name="$1"
-
-public_repos_dir="${HOME}/public_repos"
-config_tree_prefix="${public_repos_dir}/config"
-path_borgscript="${config_tree_prefix}/all_new_2018/borg.sh"
-config_tree_buster="${config_tree_prefix}/buster"
-setup_scripts_dir="${config_tree_buster}/setup_scripts"
-repos_list_file="${public_repos_dir}/repos"
-dir_secrets="${HOME}/tmp_secrets"
-borgkeys_dir=~/.config/borg/keys
-borgrepos_file=~/.borgrepos
-ssh_dir=~/.ssh
-authinfo_file=.authinfo
-maildir=~/mail/maildir
-
-ensure_repo() {
- repo_name="${1}"
- if [ ! -d "${public_repos_dir}/${repo_name}" ]; then
- cd "${public_repos_dir}"
- git clone plom@plomlompom.com:/var/repos/${repo_name}
- fi
-}
-
-# Set up iniitial non-public parts of infrastructure: SSH authentication.
-cd "${dir_secrets}"
-mkdir -p "${ssh_dir}"
-echo "Setting up .ssh"
-cp id_rsa ~/.ssh
-stty -echo
-ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
-stty echo
-eval $(ssh-agent)
-ssh-add
-ssh-keyscan -H "plomlompom.com" >> ~/.ssh/known_hosts
-
-# Clone config to copy dotfiles etc. from it.
-cd
-mkdir -p "${public_repos_dir}"
-ensure_repo config
-cd "${setup_scripts_dir}"
-./copy_dirtree.sh "${config_tree_buster}/home_files" "${HOME}" minimal user "${system_name}"
-
-# Set up native messenger for tridactyl.
-version='ef9f02d0da258f68d7faf8898707f6d83d90d07a'
-curl -fsSl "https://raw.githubusercontent.com/tridactyl/tridactyl/${version}/native/install.sh" | bash
-
-# Set up further non-public parts of infrastructure.
-cd "${dir_secrets}"
-script -c 'gpg --import secret_keys.asc' /dev/null
-tar xf borg_keyfiles.tar
-mkdir -p "${borgkeys_dir}"
-mv borg_keyfiles/* "${borgkeys_dir}"
-# .authinfo may not be present on every secrets drive yet
-if [ -f "${authinfo_file}" ]; then
- cp "${authinfo_file}" ~
-fi
-cd
-rm -rf "${dir_secrets}"
-
-# Sync org dir via borgbackup. For this we need the borgbackup servers
-# in our .ssh/known_hosts file.
-cat "${borgrepos_file}" | while read line; do
- first_char=$(echo "${line}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- continue
- fi
- server=$(echo "${line}" | sed 's/.*@//')
- ssh-keyscan "${server}" >> "${ssh_dir}"/known_hosts
-done
-BORG_PASSPHRASE="${SECRETS_PASS}" "${path_borgscript}" orgpull
-
-# Fill ~/public_repos.
-cat "${repos_list_file}" | while read line; do
- first_char=$(echo "${line}" | cut -c1)
- if [ "${first_char}" = "#" ]; then
- continue
- fi
- ensure_repo "${line}"
-done
-
-# Set up e-mail system. Note that we only do mbsync if the imap pass file
-# is found. It may not be present on every secrets drive yet, so we have to
-# deal with the possibility of it being absent at this point.
-mkdir -p "${maildir}" # expected by mbsync/isync
-if [ -f "${HOME}/${authinfo_file}" ]; then
- mbsync -a
- notmuch new
-fi
-
-# Final note on how to integrate tridactyl.
-echo "TODO: As tridactyl user, don't forget to do :source on the first Firefox run, wait a little while (Tridactyl needs to walk through all commands in the .tridactylrc) and then re-start."
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Check we have the necessary arguments.
-if [ "$#" -lt 1 ]; then
- echo 'Need mail for letsencrypt, mail domain, and optionally old server IP.'
- false
-fi
-mail="$1"
-mail_domain="$2"
-old_server="$3"
-
-read -p'You sure you entered the correct mail domain? (not the server domain, but what comes after the @ in your mail addresses) If not, abort here!' ignore
-
-config_tree_prefix="${HOME}/config/buster"
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
-./install_for_target.sh mail
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" mail
-nft -f /etc/nftables.conf
-
-# Rebuild aliases DB from /etc/aliases
-newaliases
-
-# Update config files without overwriting defaults.
-cat "${config_tree_prefix}/other_files/append_postfix_main.cf" >> /etc/postfix/main.cf
-cat "${config_tree_prefix}/other_files/append_postfix_master.cf" >> /etc/postfix/master.cf
-cat "${config_tree_prefix}/other_files/append_opendkim.conf" >> /etc/opendkim.conf
-
-# Set up letsencrypt certificate. We need this for STARTTLS on port
-# 25/SMTP (some mail servers refuse delivering mails here if no
-# STARTTLS available) and transport-layer TLS on port 465 (for
-# user-to-server SMTPS)
-# TODO: Is it auto-renewed?
-certbot certonly --standalone --agree-tos --no-eff-email -m "${mail}" -d "$(hostname -f)"
-
-# For if FQDN != mail domain name.
-sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
-sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/postfix/main.cf
-
-# OpenDKIM setup.
-selector=$(hostname)$(date +%Y%m%d)
-opendkim-genkey -d "${mail_domain}" -D /etc/dkimkeys -s "${selector}"
-sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_selector_ECALPER/${selector}/g" /etc/opendkim.conf
-
-# Dovecot sieve filtering via LMTP. Without this, mail only gets
-# delivered to /var/mail/…, with it /var/mail/… remains the fallback
-# inbox, but all else is sieve-filtered to ~/mail/.
-cp "${config_tree_prefix}/other_files/dovecot.sieve" /home/plom/.dovecot.sieve
-chown plom:plom /home/plom/.dovecot.sieve
-
-# In addition to our postfix server receiving mails, we funnel mails from a
-# POP3 account into dovecot via fetchmail. It might make sense to adapt the
-# ~/.dovecot.sieve to move mails targeted to the fetched mail account to their
-# own mbox.
-cp "${config_tree_prefix}/other_files/fetchmailrc" /home/plom/.fetchmailrc
-chown plom:plom /home/plom/.fetchmailrc
-chmod 0700 /home/plom/.fetchmailrc
-
-# Pingmail setup.
-cp "${config_tree_prefix}/other_files/pingmailrc" /home/plom/.pingmailrc
-chown plom:plom /home/plom/.pingmailrc
-su -lc "cd && git clone https://plomlompom.com/repos/clone/pingmail" plom
-
-# To allow IMAPS access.
-echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
-echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
-password=$(pwgen -s 100 1)
-echo "plom:${password}" | chpasswd
-
-# Get old mail data, shutdown old postfix server.
-if [ "${old_server}" != "" ]; then
- cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
- su -lc "./prepare_to_meet_server.sh ${old_server}" plom
- read -p'Hit Enter when you are done.' ignore
- rm /home/plom/prepare_to_meet_server.sh
- su -lc "scp plom@${old_server}:.dovecot.sieve ~" plom
- su -lc "scp plom@${old_server}:.fetchmailrc ~" plom
- su -lc "scp plom@${old_server}:.pingmailrc ~" plom
- su -lc "ssh -t plom@${old_server} \"su -lc 'service postfix stop'\"" plom
- su -lc "ssh plom@${old_server} \"su -lc 'systemctl disable fetchmail_old_account.timer'\"" plom
- su -lc "ssh plom@${old_server} \"su -lc 'service fetchmail_old_account stop'\"" plom
- #su -lc "ssh -t plom@${old_server} \"su -lc 'service fetchmail stop'\"" plom
- cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
- su -lc "./mirror_dir.sh ${old_server} /home/plom/mail" plom
- rm /home/plom/mirror_dir.sh
- touch /var/mail/plom
- chown plom:mail /var/mail/plom
- chmod 0600 /var/mail/plom
- su -lc "scp plom@${old_server}:/var/mail/plom /var/mail/plom" plom
-fi
-
-# Start everything anew to ensure new configurations.
-service opendkim restart
-service postfix restart
-service dovecot restart
-
-# Pingmail and fetchmail have some systemd timers waiting. To let systemd
-# know about them, do this.
-systemctl daemon-reload
-systemctl enable --now fetchmail_old_account.timer
-systemctl enable --now pingmail.timer
-
-# Final advice to user.
-echo "To put into DNS:"
-cat "/etc/dkimkeys/${selector}.txt"
-echo "If subdomain, append .subdomain to _domainkeys!"
-echo "Also ensure DMARC record of 'v=DMARC1; p=none; rua=mailto:plom+dmarc@plomlompom.com;' as TXT entry at _dmarc or, if subdomain, _dmarc.subdomain"
-echo "Also ensure SPF record of 'v=spf1 mx -all' as TXT entry at @ or subdomain"
-echo "Also ensure reverse DNS lookup for our IP points to $(hostname -f)"
-echo "Also ensure MX record of priority 10 for @ or subdomain pointing to $(hostname -f)"
-echo "IMAPS password for user plom is: ${password}"
-echo "Also don't forget borgbackup migration …"
-
-# todo just for proper mail /sending/:
-# * how to check IP safety
-# https://talosintelligence.com/reputation_center/lookup?search=$IP
-# http://www.anti-abuse.org/multi-rbl-check-results/?host=
-# https://www.dnsbl.info/dnsbl-database-check.php
-# note that none of these catch the IPs that gmx etc. reject
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Heavily inspired by
-# <https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/production.md>
-# and
-# <https://github.com/Chocobozzz/PeerTube/blob/develop/support/doc/dependencies.md>
-
-if [ "$#" -ne 2 ]; then
- echo 'Need domain name, mail_address as arguments.'
- false
-fi
-domain="$1"
-mail="$2"
-
-# Install dependencies, set up firewall.
-config_tree_prefix="${HOME}/config/buster"
-./install_for_target.sh web peertube
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web
-nft -f /etc/nftables.conf
-
-# Get NodeJS. See
-# <https://github.com/nodesource/distributions/blob/master/README.md>
-curl -sL https://deb.nodesource.com/setup_10.x | bash -
-apt-get install -y nodejs
-
-# Get Yarn. See
-# <https://classic.yarnpkg.com/en/docs/install#debian-stable>
-curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
-echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
-apt update && apt install yarn
-
-systemctl start redis postgresql
-
-# Prepare user and DB.
-useradd -m -d /var/www/peertube -s /bin/bash -p peertube peertube
-db_pw=$(pwgen -s 100 1)
-su postgres -lc "psql -c \"CREATE USER peertube WITH PASSWORD '${db_pw}';\""
-su -l postgres -c 'createdb -O peertube -E UTF8 -T template0 peertube_prod'
-su -l postgres -c 'psql -c "CREATE EXTENSION pg_trgm;" peertube_prod'
-su -l postgres -c 'psql -c "CREATE EXTENSION unaccent;" peertube_prod'
-
-# Install and configure PeerTube from latest version.
-VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && echo "Latest Peertube version is $VERSION"
-cd /var/www/peertube && su -l peertube -c "mkdir config storage versions && cd versions"
-su -l peertube -c "wget -q 'https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip'"
-su -l peertube -c "unzip peertube-${VERSION}.zip && rm peertube-${VERSION}.zip"
-su -l peertube -c "ln -s peertube-${VERSION} ./peertube-latest"
-su -l peertube -c "cd peertube-latest && yarn install --production --pure-lockfile"
-
-# Configure PeerTube.
-cp "${config_tree_prefix}/other_files/peertube_production.yaml" /var/www/peertube/config/production.yaml
-chown peertube:peertube /var/www/peertube/config/production.yaml
-sed -i "s/admin\@example\.com/${mail}/g" config/production.yaml
-sed -i "s/example\.com/${domain}/g" config/production.yaml
-sed -i "s/password: 'peertube'/password: '${db_pw}'/g" config/production.yaml
-
-# Set up letsencrypt certificate. TODO: Is it auto-renewed?
-ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
-certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
-rm /etc/nginx/sites-enabled/default
-
-# Configure NGINX.
-cp /var/www/peertube/peertube-latest/support/nginx/peertube /etc/nginx/sites-available/peertube
-sed -i "s/peertube.example.com/${domain}/g" /etc/nginx/sites-available/peertube
-sed -i -E 's/^([[:space:]]*)(access_log|error_log)([[:space:]])/\1# \2\3/g' /etc/nginx/sites-available/peertube
-ln -s /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/peertube
-
-# Configure systemd and start PeerTube through it.
-cp /var/www/peertube/peertube-latest/support/systemd/peertube.service /etc/systemd/system/
-systemctl daemon-reload
-systemctl enable peertube
-systemctl start peertube
-
-# Restart NGINX.
-service nginx restart
+++ /dev/null
-#!/bin/sh
-set -e
-set -x
-
-if [ "$#" -lt 1 ]; then
- echo "Need public key ID and optionally old server IP."
- false
-fi
-gpg_key="$1"
-old_server="$2"
-
-config_tree_prefix="${HOME}/config/buster"
-./install_for_target.sh play
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" play
-cp "${config_tree_prefix}/other_files/weechatrc" /home/plom/.weechatrc
-cp "${config_tree_prefix}/other_files/weechat-wrapper.sh" /home/plom/
-cp "${config_tree_prefix}/other_files/weechatlogs_encrypter.sh" /home/plom/
-chown plom:plom /home/plom/*weechat*
-chown plom:plom /home/plom/.weechatrc
-echo "${gpg_key}" > /home/plom/.encrypt_target
-chown plom:plom /home/plom/.encrypt_target
-
-# TODO refactor with setup_website.sh
-# Add encryption key.
-keyservers='sks-keyservers.net/ keys.gnupg.net'
-set +e
-while true; do
- do_break=0
- for keyserver in $(echo "${keyservers}"); do
- su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
- if [ $? -eq "0" ]; then
- do_break=1
- break
- fi
- echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
- done
- if [ "${do_break}" -eq "1" ]; then
- break
- fi
-done
-set -e
-
-if [ "${old_server}" != "" ]; then
- cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
- su -lc "./prepare_to_meet_server.sh ${old_server}" plom
- read -p'Hit Enter when you are done.' ignore
- rm /home/plom/prepare_to_meet_server.sh
- su -lc "scp plom@${old_server}:.ssh/authorized_keys .ssh/authorized_keys" plom
- su -lc "scp plom@${old_server}:.weechatrc ~" plom
- cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
- su -lc "./mirror_dir.sh ${old_server} /home/plom/weechatlogs" plom
- rm /home/plom/mirror_dir.sh
-fi
-
-systemctl enable --now encrypt_chatlogs.timer
+++ /dev/null
-#!/bin/sh
-set -e
-# Heavily inspired by <https://docs.pleroma.social/otp_en.html>
-
-if [ "$#" -ne 2 ]; then
- echo 'Need domain name, mail_address as arguments.'
- false
-fi
-domain="$1"
-mail="$2"
-
-# Install dependencies, set up firewall.
-config_tree_prefix="${HOME}/config/buster"
-./install_for_target.sh web pleroma pleroma_otp
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web pleroma
-nft -f /etc/nftables.conf
-
-# Set up letsencrypt certificate. TODO: Is it auto-renewed?
-ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
-certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
-rm /etc/nginx/sites-enabled/default
-
-# Prepare user.
-adduser --system --shell /bin/false --home /opt/pleroma pleroma
-
-# Download and unzip latest stable release, set up Pleroma dirs.
-export FLAVOUR='amd64'
-su pleroma -s $SHELL -lc "
-curl 'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=$FLAVOUR' -o /tmp/pleroma.zip
-unzip /tmp/pleroma.zip -d /tmp/
-"
-su pleroma -s $SHELL -lc "
-mv /tmp/release/* /opt/pleroma
-rmdir /tmp/release
-rm /tmp/pleroma.zip
-"
-mkdir -p /var/lib/pleroma/uploads
-chown -R pleroma /var/lib/pleroma
-mkdir -p /etc/pleroma
-chown -R pleroma /etc/pleroma
-
-# Configure and set up DB.
-su pleroma -s $SHELL -lc "./bin/pleroma_ctl instance gen \
---output /etc/pleroma/config.exs \
---output-psql /tmp/setup_db.psql \
---domain ${domain} \
---instance-name plom-roma \
---admin-email ${mail} \
---notify-email ${mail} \
---dbhost localhost \
---dbname pleroma \
---dbuser pleroma \
---db-configurable N \
---rum N \
---indexable Y \
---uploads-dir /var/lib/pleroma/uploads \
---static-dir /var/lib/pleroma/static \
---listen-ip 127.0.0.1 \
---listen-port 4000 \
---dbpass $(pwgen -s 100 1)"
-su postgres -s $SHELL -lc "psql -f /tmp/setup_db.psql"
-su pleroma -s $SHELL -lc "./bin/pleroma_ctl migrate"
-
-# Since the OTP release does not support .secret.exs configuration
-# files, we hack our own alternative by simply appending custom
-# configurations to /etc/config.exs.
-cat "${config_tree_prefix}/other_files/append_pleroma_config" >> /etc/pleroma/config.exs
-
-# Single-pixel picture hack for removing Pleroma FE images.
-cp "${config_tree_prefix}/other_files/pixel.png" /var/lib/pleroma/static/
-chown pleroma:nogroup /var/lib/pleroma/static/pixel.png
-
-# Info panel and TOS.
-#mkdir -p /var/lib/pleroma/static/instance
-#mkdir -p /var/lib/pleroma/static/static
-#cp "${config_tree_prefix}/other_files/pleroma_panel.html" /var/lib/pleroma/static/instance/panel.html
-#cp "${config_tree_prefix}/other_files/pleroma_terms-of-service.html" /var/lib/pleroma/static/static/terms-of-service.html
-#cp "${config_tree_prefix}/other_files/pleroma_robots.txt" /var/lib/pleroma/static/robots.txt
-
-# Hack to fix <https://git.pleroma.social/pleroma/pleroma/issues/1616>
-curl https://git.pleroma.social/pleroma/pleroma/-/raw/4271cfb81a8983f5ec6a878cab1fb3fbd164245d/priv/static/static/static-fe.css?inline=false >> /var/lib/pleroma/static/static/static-fe.css
-
-# Prepare NGINX config for Pleroma.
-cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.nginx
-sed -i "s/example\.tld/${domain}/g" /etc/nginx/sites-available/pleroma.nginx
-ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled/pleroma.nginx
-
-# Systemd integration.
-cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
-systemctl start pleroma
-systemctl enable pleroma
-
-# Only restart NGINX with Pleroma running.
-service nginx restart
+++ /dev/null
-#!/bin/sh
-set -e
-set -x
-# Heavily inspired by <https://docs-develop.pleroma.social/backend/installation/debian_based_en/>
-
-if [ "$#" -ne 2 ]; then
- echo 'Need domain name, mail_address as arguments.'
- false
-fi
-domain="$1"
-mail="$2"
-
-# Install dependencies, configs, set up firewall.
-config_tree_prefix="${HOME}/config/buster"
-./install_for_target.sh web pleroma pleroma_source
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web pleroma
-nft -f /etc/nftables.conf
-
-# Prepare user.
-adduser --system --group --shell /bin/false --home /var/lib/pleroma pleroma
-
-# Setup Erlang.
-wget -P /tmp/ https://packages.erlang-solutions.com/erlang-solutions_1.0_all.deb
-dpkg -i /tmp/erlang-solutions_1.0_all.deb
-apt update
-apt -y install elixir erlang-dev erlang-tools erlang-parsetools erlang-eldap erlang-ssh erlang-xmerl
-
-mkdir -p /opt/pleroma
-chown -R pleroma:pleroma /opt/pleroma
-su pleroma -s $SHELL -lc 'git clone -b develop https://git.pleroma.social/pleroma/pleroma /opt/pleroma'
-su pleroma -s $SHELL -lc 'mix local.hex --force'
-su pleroma -s $SHELL -lc 'mix local.rebar --force'
-su pleroma -s $SHELL -lc "cd /opt/pleroma &&\
-mix deps.get &&\
-mix pleroma.instance gen \
---output config/generated_config.exs \
---output-psql /tmp/setup_db.psql \
---domain ${domain} \
---instance-name plomroma \
---admin-email ${mail} \
---notify-email ${mail} \
---dbhost localhost \
---dbname pleroma \
---dbuser pleroma \
---db-configurable N \
---rum N \
---indexable Y \
---uploads-dir /var/lib/pleroma/uploads \
---static-dir /var/lib/pleroma/static \
---listen-ip 127.0.0.1 \
---listen-port 4000 \
---dbpass $(pwgen -s 100 1) &&\
-mv config/{generated_config.exs,prod.secret.exs}"
-su postgres -s $SHELL -lc 'psql -f /tmp/setup_db.psql'
-su pleroma -s $SHELL -lc 'cd /opt/pleroma && MIX_ENV=prod mix ecto.migrate'
-
-# Add our own plom.exs and import it to prod.secret.exs
-echo '' >> /opt/pleroma/config/prod.secret.exs
-echo 'import_config "plom.exs"' >> /opt/pleroma/config/prod.secret.exs
-echo 'import Config' > /opt/pleroma/config/plom.exs
-cat "${config_tree_prefix}/other_files/append_pleroma_config" >> /opt/pleroma/config/plom.exs
-
-# Single-pixel picture hack for removing Pleroma FE images.
-cp "${config_tree_prefix}/other_files/pixel.png" /var/lib/pleroma/static/
-chown pleroma:nogroup /var/lib/pleroma/static/pixel.png
-
-# Info panel and TOS.
-#mkdir -p /var/lib/pleroma/static/instance
-#mkdir -p /var/lib/pleroma/static/static
-#cp "${config_tree_prefix}/other_files/pleroma_panel.html" /var/lib/pleroma/static/instance/panel.html
-#cp "${config_tree_prefix}/other_files/pleroma_terms-of-service.html" /var/lib/pleroma/static/static/terms-of-service.html
-#cp "${config_tree_prefix}/other_files/pleroma_robots.txt" /var/lib/pleroma/static/robots.txt
-
-# Upload directory. For some reason this does not exist yet here.
-mkdir -p /var/lib/pleroma/uploads
-chown pleroma:nogroup /var/lib/pleroma/uploads
-
-# Set up letsencrypt certificate. TODO: Is it auto-renewed?
-ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
-certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
-rm /etc/nginx/sites-enabled/default
-
-# Prepare NGINX config for Pleroma.
-cp /opt/pleroma/installation/pleroma.nginx /etc/nginx/sites-available/pleroma.nginx
-sed -i "s/example\.tld/${domain}/g" /etc/nginx/sites-available/pleroma.nginx
-ln -s /etc/nginx/sites-available/pleroma.nginx /etc/nginx/sites-enabled/pleroma.nginx
-
-# Systemd integration.
-cp /opt/pleroma/installation/pleroma.service /etc/systemd/system/pleroma.service
-systemctl start pleroma
-systemctl enable pleroma
-
-# Only restart NGINX with Pleroma running.
-service nginx restart
+++ /dev/null
-#!/bin/sh
-set -e
-
-./install_for_target.sh seedbox
-
-# As according to <https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template>
-su -lc "curl -Ls 'https://raw.githubusercontent.com/wiki/rakshasa/rtorrent/CONFIG-Template.md' | grep -A9999 '^######' | grep -B9999 '^### END' | sed -re \"s:/home/USERNAME:\$HOME:\" >~/.rtorrent.rc" plom
-su -lc "mkdir ~/rtorrent" plom
-
-# As according to <https://unix.stackexchange.com/a/475485>
-chmod u+s /usr/bin/screen
-chmod 755 /var/run/screen
+++ /dev/null
-#!/bin/sh
-# Next setup steps for a server whose login policy has just been set from
-# the outside via ./init_user_and_keybased_login.sh.
-set -e
-
-# Provide maximum input for set_hostname_and_fqdn.sh.
-if [ "$#" -lt 2 ]; then
- echo 'Need exactly two arguments (hostname, FQDN).'
- false
-fi
-hostname="$1"
-fqdn="$2"
-additional_arg="$3"
-
-# Set up system without user environment.
-config_tree_prefix="${HOME}/config/buster"
-setup_scripts_dir="${config_tree_prefix}/setup_scripts"
-cd "${setup_scripts_dir}"
-./setup.sh "${hostname}" "${fqdn}" server "${additional_arg}"
-
-# If we have not yet set the shell for user plom, ensure it here. This
-# is mostly for convenience.
-usermod -s /bin/bash plom
-
-# Enable firewall.
-systemctl enable nftables.service
+++ /dev/null
-#!/bin/sh
-set -e
-
-if [ "$#" -ne 4 ] && [ "$#" -ne 5 ]; then
- echo 'Need domain name and mail and key ID and init state and possibly old server IP as argument.'
- false
-fi
-if [ ! "$4" = "copy" ] && [ ! "$4" = "new" ] && [ ! "$4" = "upgrade" ]; then
- echo "Need init state to be either 'copy' or 'new' or 'upgrade'"
- false
-fi
-if [ ! "$4" = "new" ] && [ "$#" -ne 5 ]; then
- echo "With init state != 'new' need fifth argument old server IP."
- false
-fi
-domain="$1"
-mail="$2"
-gpg_key="$3"
-init_state="$4"
-old_server="$5"
-
-# NOTE: init_state=upgrade is for migration from older stretch server setup
-
-# Install configs, set up firewall.
-config_tree_prefix="${HOME}/config/buster"
-./install_for_target.sh web website
-./copy_dirtree.sh "${config_tree_prefix}/etc_files" "" web website
-nft -f /etc/nftables.conf
-
-# Set up letsencrypt certificate. TODO: Is it auto-renewed?
-ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
-certbot --nginx --agree-tos --redirect --no-eff-email -m "${mail}" -d "${domain}"
-rm /etc/nginx/sites-enabled/default
-
-# Set up connection to old server.
-if [ ! "${init_state}" = "new" ]; then
- cp "${config_tree_prefix}/setup_scripts/prepare_to_meet_server.sh" /home/plom/
- chown plom:plom /home/plom/prepare_to_meet_server.sh
- su -lc "./prepare_to_meet_server.sh ${old_server}" plom
- read -p'Hit Enter when you are done.' ignore
- rm /home/plom/prepare_to_meet_server.sh
-fi
-
-# Set up repos dir.
-# To use this dir, "git clone --mirror" repo source paths into it as user plom.
-# As user plom, touch git-daemon-export-ok files into it to make the repo
-# publically available.
-if [ "${init_state}" = "new" ]; then
- mkdir /var/repos
- chown plom:plom /var/repos
-else
- cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
- chmod a+w /var
- if [ "${init_state}" = "copy" ]; then
- su -lc "./mirror_dir.sh ${old_server} /var/repos" plom
- else
- su -lc "./mirror_dir.sh ${old_server} /var/public_repos" plom
- fi
- chmod a-w /var
- rm /home/plom/mirror_dir.sh
-fi
-
-# Prepare NGINX and GitWeb config.
-sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/gitweb.conf
-sed -i "s/REPLACE_fqdn_ECALPER/${domain}/g" /etc/nginx/sites-available/website.nginx
-ln -s /etc/nginx/sites-available/website.nginx /etc/nginx/sites-enabled/website.nginx
-
-# Set up website. TODO: use non-/var/www dir for better separation to dump site
-rm -rf /var/www
-mkdir /var/www
-chown plom:plom /var/www
-if [ "${init_state}" = "upgrade" ]; then
- # This assumes the old core.plomlompom.com filesystem hierarchy.
- su -lc "cd /var/repos && git clone --mirror plom@core.plomlompom.com:repos/website" plom
-elif [ "${init_state}" = "new" ]; then
- su -lc "cd /var/repos && git init --bare website.git" plom
-fi
-cp "${config_tree_prefix}/other_files/website_hook_post-receive" /var/repos/website.git/hooks/post-receive
-su -lc 'cd /var/www && git clone /var/repos/website.git .' plom
-
-# Add encryption key.
-keyservers='sks-keyservers.net/ keys.gnupg.net'
-set +e
-while true; do
- do_break=0
- for keyserver in $(echo "${keyservers}"); do
- su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
- if [ $? -eq "0" ]; then
- do_break=1
- break
- fi
- echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
- done
- if [ "${do_break}" -eq "1" ]; then
- break
- fi
-done
-set -e
-
-# Set up plomlombot.
-irclogs_dir=/var/www/html/irclogs
-irclogs_pw_dir=/var/www/irclogs_pw
-mkdir -p "${irclogs_dir}"
-chown -R plom:plom "${irclogs_dir}"
-mkdir -p "${irclogs_pw_dir}"
-chown -R plom:plom "${irclogs_pw_dir}"
-if [ "${init_state}" = "new" ]; then
- # Handle the case that the repo is in the old pre-buster server setup –
- # even then, the URL should be the same.
- su -lc "cd /var/repos && git clone --mirror https://plomlompom.com/repos/clone/plomlombot-irc" plom
- su -lc "touch /var/repos/plomlombot-irc.git/git-daemon-export-ok" plom
- cp "${config_tree_prefix}/other_files/plomlombot_hook_post-receive" /var/repos/plomlombot-irc.git/hooks/post-receive
-fi
-su -lc "git clone /var/repos/plomlombot-irc.git" plom
-cp "${config_tree_prefix}/other_files/plomlombot_daemon.sh" /home/plom/
-chown plom:plom /home/plom/plomlombot_daemon.sh
-if [ "${init_state}" = "new" ]; then
- echo 'bot: plomlombog plomlombog #plomlomtest irc.freenode.net foo bar' >> /home/plom/.plomlombot
- chown plom:plom /home/plom/.plomlombot
-else
- cp "${config_tree_prefix}/setup_scripts/mirror_dir.sh" /home/plom/
- su -lc "./mirror_dir.sh ${old_server} /home/plom/plomlombot_db" plom
- rm /home/plom/mirror_dir.sh
- su -lc "scp plom@${old_server}:.plomlombot ~" plom
- su -lc "ssh plom@${old_server} \"su -lc 'service plomlombot stop'\"" plom
-fi
-systemctl enable plomlombot.service
-service plomlombot start
-
-# In the above step, we might have created a root-owned /var/www/html –
-# fix this here.
-chown -R plom:plom /var/www/html
-
-# TODO:
-# - rename /home/plom/public_repos to /home/plom/repos
-
-service nginx restart
+++ /dev/null
-#!/bin/sh
-set -e
-set -x
-
-# Heavily inspired by <https://docs-develop.pleroma.social/backend/administration/updating/>
-su pleroma -s $SHELL -lc 'cd /opt/pleroma && git pull && mix deps.get'
-service pleroma stop
-su pleroma -s $SHELL -lc 'MIX_ENV=prod cd /opt/pleroma && mix ecto.migrate'
-service pleroma start
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Heavily inspired by
-# <https://docs.joinpeertube.org/#/install-any-os?id=upgrade>
-
-# backup DB
-SQL_BACKUP_PATH="backup/sql-peertube_prod-$(date -Im).bak"
-cd /var/www/peertube/
-su peertube -c 'mkdir -p backup'
-su postgres -c "pg_dump -F c peertube_prod" | su peertube -c "tee ${SQL_BACKUP_PATH}" > /dev/null
-
-# Get new PeerTube version.
-VERSION=$(curl -s https://api.github.com/repos/chocobozzz/peertube/releases/latest | grep tag_name | cut -d '"' -f 4) && echo "Latest Peertube version is $VERSION"
-cd /var/www/peertube/versions
-su peertube -c "wget -q \"https://github.com/Chocobozzz/PeerTube/releases/download/${VERSION}/peertube-${VERSION}.zip\""
-su peertube -c "unzip -o peertube-${VERSION}.zip && rm peertube-${VERSION}.zip"
-
-# Yarn new PeerTube.
-su -l peertube -c "cd /var/www/peertube/versions/peertube-${VERSION} && yarn install --production --pure-lockfile"
-
-# Copy new default.yaml (TODO: find out what it does)
-su peertube -c "cp /var/www/peertube/versions/peertube-${VERSION}/config/default.yaml /var/www/peertube/config/default.yaml"
-
-set +e
-echo
-echo "Check differences between new and old production.yaml[.example]"
-diff /var/www/peertube/versions/peertube-${VERSION}/config/production.yaml.example /var/www/peertube/config/production.yaml
-echo
-set -e
-
-# Link new PeerTube as latest one.
-cd /var/www/peertube
-unlink ./peertube-latest
-su peertube -c "ln -s versions/peertube-${VERSION} ./peertube-latest"
-
-set +e
-echo
-echo "Check differences between new and old NGINX files"
-cd /var/www/peertube/versions
-diff "$(ls --sort=t | head -2 | tail -1)/support/nginx/peertube" "$(ls --sort=t | head -1)/support/nginx/peertube"
-echo
-echo "Check differences between new and old systemd unit files"
-diff "$(ls --sort=t | head -2 | tail -1)/support/systemd/peertube.service" "$(ls --sort=t | head -1)/support/systemd/peertube.service"
-echo
-set -e
-
-service peertube restart
+++ /dev/null
-# Bash as a non-login shell in non-POSIX-mode does not read in the startup
-# script at the path in $ENV. This forces it to still read in the ~/.shinit
-# startup script for non-login shells.
-
-. ~/.shinit
-
-export NVM_DIR="$HOME/.nvm"
-[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh" # This loads nvm
-[ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion" # This loads nvm bash_completion
+++ /dev/null
-[user]
- name = Christian Heller
- email = c.heller@plomlompom.de
+++ /dev/null
-# Initialization for login shells.
-
-# Tell interactive shells to look in ~/.shinit for setup.
-ENV=$HOME/.shinit
-export ENV
-. $ENV
-
-export PATH="$HOME/.cargo/bin:$PATH"
+++ /dev/null
-# Settings for interactive shells.
-
-# Ensure shell truly is interactive to avoid confusing non-interactive shells.
-if [[ $- == *i* ]]; then
-
- # Fancy colors for ls.
- alias ls="ls --color=auto"
-
- # Use vim as default editor for anything.
- export VISUAL=vim
- export EDITOR=$VISUAL
-
- # Colored prompt with username, hostname, date/time, directory.
- colornumber=7 # Default to white if no color set via colornumber dotfile.
- colornumber_file=~/.shinit_color
- if [ -f $colornumber_file ]; then
- colornumber=`cat $colornumber_file`
- fi
- tput_color="$(tput setaf $colornumber)$(tput bold)"
- tput_reset="$(tput sgr0)"
- # Bash confuses the line length when not told to not count escape sequences.
- if [ ! "$BASH" = "" ]; then
- tput_color="\[$tput_color\]"
- tput_reset="\[$tput_reset\]"
- fi
- PS1="${tput_color}["\$\(date\ +%Y-%m-%d/%H:%M:%S/%Z\)" $USER@$(hostname):"\$\(pwd\)"]$ $tput_reset"
- PS2="${tput_color}> $tput_reset"
- PS3="${tput_color}select: $tput_reset"
- PS4="${tput_color}+ $tput_reset"
-
- # Add local additions.
- local_shinit_file=~/.shinit_add
- if [ -f $local_shinit_file ]; then
- . $local_shinit_file
- fi
-
-fi
+++ /dev/null
-" Activate syntax highlighting.
-syntax on
-filetype plugin on
-
-" Number lines.
-set number
-
-"" Don't add unsolicited final newline.
-"set binary
-
-" Indentation rules (tabs to 4 spaces).
-set expandtab
-set shiftwidth=2
-set softtabstop=2
-
-" Backups.
-set backup
-set backupdir=~/.vimbackups
-let myvar = strftime("%Y-%m-%d_%H-%M-%S")
-let myvar = "set backupext=_". myvar
-execute myvar
-
-" Keep syntax highlighting healthy.
-autocmd BufEnter * :syntax sync fromstart
-
-" Mark the 80-th column.
-set colorcolumn=80
-
-" Source additions
-source ~/.vimrc_add
+++ /dev/null
-DEFAULT="$HOME/mail/new_inbox/"
-logfile "$HOME/.mailfilter.log"
-
-if ( /^To: .*heller@talon\.one.*/:D || /^Subject: .*Talon*/:D )
-{
- DIR="$HOME/mail/talonone/"
- `mkdir -p $DIR/{cur,new,tmp}`
- to $DIR
-}
-
-if ( /^Subject: Postfix SMTP server: errors from /:D && \
- /^From: Mail Delivery System <MAILER-DAEMON@plomlompom\.com>/:D && \
- /^To: Postmaster <postmaster@plomlompom\.com>/:D )
-{
- DIR="$HOME/mail/new_postfix_smtp_server_errors_from/"
- `mkdir -p $DIR/{cur,new,tmp}`
- to $DIR
-}
-
-if ( /^From: \"Nebenan\.de\" \<noreply@nebenan\.de\>/:D )
-{
- DIR="$HOME/mail/nebenan_de/"
- `mkdir -p $DIR/{cur,new,tmp}`
- to $DIR
-}
+++ /dev/null
-# plomlompom's mutt configuration file
-
-# Define mailboxes.
-set mbox_type=Maildir
-set folder=/home/plom/mail
-set spoolfile=$folder/inbox
-set mbox=$folder/archive
-set record=$folder/sent
-set postponed=$folder/postponed
-
-# Move read messages from $spoolfile to $mbox.
-set move=yes
-
-# Macro to a mailboxes view built from all folders below ~/mail.
-macro index,pager y <change-folder>?<toggle-mailboxes>
-mailboxes `ls /home/plom/mail | sed -e 's/^/=/' | tr "\n" " "`
-
-# What goes into the default header display.
-ignore *
-unignore from: subject to cc date
-
-# Force some variables for From: and Message-ID: generation.
-set realname="Christian Heller"
-
-# Allow me to reply myself.
-set reply_self = yes
-
-# Only scroll in the current message, not across messages.
-set pager_stop = yes
-
-# Sort message top-down new-old.
-set sort=reverse-date
-
-# Ensure visibility of attachments. The second line handles (in an ugly way) the
-# issue of mails that use the content-type of multipart/alternative wrongly, by
-# omitting from the text/plain alternative relevant multimedia files attached to
-# the multipart/related alternative that contains text/html and said files. This
-# will in certain cases make the pager default to displaying the HTML variant of
-# a mail when a plain text one is available, but this is preferable to hiding
-# potentially important attachments.
-set index_format="%4C %Z %?X?[%X]& ? %{%b %d} %-15.15L (%?l?%4l&%4c?) %s"
-alternative_order multipart/related text/plain text/html
-
-# Defaults from /usr/share/doc/mutt/examples/gpg.rc
-set pgp_decode_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
-set pgp_verify_command="gpg --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"
-set pgp_decrypt_command="gpg --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
-set pgp_sign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
-set pgp_clearsign_command="gpg --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
-set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
-set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap gpg %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
-set pgp_import_command="gpg --no-verbose --import %f"
-set pgp_export_command="gpg --no-verbose --export --armor %r"
-set pgp_verify_key_command="gpg --verbose --batch --fingerprint --check-sigs %r"
-set pgp_list_pubring_command="gpg --no-verbose --batch --quiet --with-colons --list-keys %r"
-set pgp_list_secring_command="gpg --no-verbose --batch --quiet --with-colons --list-secret-keys %r"
-set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"
-
-# Further stuff from http://codesorcery.net/old/mutt/mutt-gnupg-howto
-set pgp_autosign=yes
-set pgp_sign_as=0x98F64A5F
-set pgp_replyencrypt=yes
-set pgp_timeout=1800
-
-# Promoting my public key.
-my_hdr X-PGP-Key: https://dump.plomlompom.com/dump/plomlompom.asc
+++ /dev/null
-# plomlompom's getmail configuration
-
-# Where and how to get mail from.
-[retriever]
-type = SimplePOP3SSLRetriever
-server = mail.klostein.com
-username = c.heller@plomlompom.de
-
-# Let procmail take charge of incoming mail. Use user-defined rc file.
-[destination]
-type = MDA_external
-path = /usr/bin/procmail
-arguments = ("-m", "/home/plom/.procmailrc")
-
-# Delete retrieved mail from server.
-[options]
-delete = false
+++ /dev/null
-# plomlompom's procmail configuration
-
-MAILDIR=/home/plom/mail
-DEFAULT=$MAILDIR/inbox/
-
-:0
-* ^To: Bisdahin <termin@bisdahin.de>
-bisdahin/
-
-:0
-* ^From: Doodle <mailer@doodle.com>
-doodle/
-
-:0
-* ^From: FetLife <donotreply@fetlifemail\.com>
-fetlife/
-
-:0
-* ^From: Flattr <no-reply@flattr.com>
-flattr/
-
-:0
-* ^From: noreply@statusnetondemand.net
-identica/
-
-:0
-* ^From: .*@linkedin\.com
-linkedin/
-
-:0
-* ^To: .*forum@detrans.de
-ML-detrans/
-
-:0
-* ^To: .*liste-ff-medien@gruene-jugend.de
-ML-gj-medien/
-
-:0
-* ^To: wann-klettern-wir@googlegroups\.com
-ML-klettern/
-
-:0
-* ^Subject: \[schildower-kreis-info\]
-schildower_kreis/
-
-:0
-* ^Subject: .*\[reflect-info\]
-reflect-info/
-
-:0
-* ^To: .*st-berlin@smjg.org
-ML-smjg-berlin/
-
-:0
-* ^Subject: Logwatch for plomlompom\.com \(Linux\)
-serverlogs/
-
-:0
-* ^Subject: ***SPAM***
-spam-suspect/
-
-:0
-* ^Subject: .*talon.*
-talonone/
-
-:0
-* ^From: Twitter
-twitter/
-
-:0
-* ^From: Computerspielemuseum
-computerspielemuseum/
+++ /dev/null
-# Server-specific .shinit additions.
-
-# Wrapper for weechat to force local config file on it anew on each run.
-alias weechat="~/config/bin/weechat-wrapper.sh"
+++ /dev/null
-/set logger.file.path ~/weechatlogs
-/set logger.file.flush_delay 0
-/script install otr.py
-/set weechat.bar.status.items "[time],[buffer_last_number],[buffer_plugin],buffer_number+:+buffer_name+(buffer_modes)+{buffer_nicklist_count}+buffer_zoom+buffer_filter,[lag],[hotlist],completion,scroll,[otr]"
-/set weechat.color.chat_nick_colors "lightcyan"
-/server add localhost localhost
-/connect localhost
-/server del freenode
-/server add freenode irc.freenode.net -nicks=plomlompom,plomlomp0m,ploml0mp0m,pl0ml0mp0m -realname="Christian Heller" -autojoin=#nodrama.de,#twitter.de,#freie-gesellschaft,#zrolaps,#twtxt,#freakazoid,#nodrama.finance,#unordentlich
-/server add rizon irc.rizon.net -nicks=AlfredEdel,AlfredEde1,A1fredEdel,A1fredEde1 -autojoin=#8chan-deutsch,#mememagic -username=foo
-/server add quakenet irc.quakenet.org -nicks=plomlompom,plomlomp0m,ploml0mp0m,pl0ml0mp0m -realname="Christian Heller" -autojoin=#rgrd
-/connect freenode
-/connect rizon
+++ /dev/null
-# Server-specific .shinit additions.
-
-# Golang dev environment
-export GOPATH=~/gopath
+++ /dev/null
-! font size
-XTerm*faceSize: 8
-xterm*VT100*faceSize1: 7
-xterm*VT100*faceSize2: 8
-xterm*VT100*faceSize3: 9
-xterm*VT100*faceSize4: 10
-xterm*VT100*faceSize5: 12
-xterm*VT100*faceSize6: 15
-
-! black
-*color0: #202020
-*color8: #3F3F3F
-
-! red
-*color1: #A82020
-*color9: #E82020
-
-! green
-*color2: #20A820
-*color10: #20E820
-
-! yellow
-*color3: #A8A820
-*color11: #E8E820
-
-! blue
-*color4: #3F3FFF
-*color12: #9F9FFF
-
-! magenta
-*color5: #A83FFF
-*color13: #E89FFF
-
-! cyan
-*color6: #3FA8FF
-*color14: #9FE8FF
-
-! white
-*color7: #A8A8A8
-*color15: #E8E8E8
+++ /dev/null
-# plomlompom's i3 status bar configuration
-
-# Activate colors; set update interval of one second.
-general {
- colors = true
- interval = 1
-}
-
-# Selection / order of status elements.
-order += "disk /"
-order += "disk /home"
-order += "wireless wlp3s0"
-order += "ethernet enp0s25"
-order += "battery 0"
-order += "cpu_usage"
-order += "load"
-order += "cpu_temperature 0"
-order += "cpu_temperature 1"
-order += "time"
-order += "volume master"
-
-# How much space is left in / ?
-disk "/" {
- format = "/: %avail available of %total"
- separator_block_width = 10
-}
-
-# How much space is left in /home ?
-disk "/home" {
- format = "/home: %avail available of %total"
- separator_block_width = 40
-}
-
-
-# WLAN status: show IP and connection quality or "down".
-wireless wlp3s0 {
- format_up = "w: (%quality at %essid) %ip"
- format_down = "w: down"
- separator_block_width = 10
-}
-
-# Ethernet status: show IP or "down".
-ethernet enp0s25 {
- format_up = "e: %ip"
- format_down = "e: down"
- separator_block_width = 40
-}
-
-# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
-battery 0 {
- format = "b: %status %percentage %remaining"
- separator_block_width = 40
-}
-
-# Show CPU usage.
-cpu_usage {
- format = "cpu: %usage"
- separator_block_width = 10
-}
-
-# Show system load during last 1/5/15 minutes.
-load {
- format = "%1min %5min %15min"
- separator_block_width = 40
-}
-
-# Show CPU temperature in degrees of celsius.
-cpu_temperature 0 {
- format = "%degrees °C"
- separator_block_width = 10
-}
-cpu_temperature 1 {
- format = "%degrees °C"
- separator_block_width = 40
-}
-
-# Show date/time/timezone as "year-month-day hour:minute:second
-# timezone_numeric/timezone_alphabetic".
-time {
- format = "%Y-%m-%d %H:%M:%S %z/%Z"
- separator_block_width = 40
-}
-
-volume master {
- format = "♪: %volume"
- format_muted = "♪: muted (%volume)"
- separator_block_width = 40
-}
+++ /dev/null
-! font size
-XTerm*faceSize: 8
-
-! black
-*color0: #000000
-*color8: #3F3F3F
-
-! red
-*color1: #BF0000
-*color9: #FF0000
-
-! green
-*color2: #00BF00
-*color10: #00FF00
-
-! yellow
-*color3: #BFBF00
-*color11: #FFFF00
-
-! blue
-*color4: #3F3FFF
-*color12: #9F9FFF
-
-! magenta
-*color5: #BF3FFF
-*color13: #FFF9FF
-
-! cyan
-*color6: #3FBFFF
-*color14: #9FFFFF
-
-! white
-*color7: #BFBFBF
-*color15: #FFFFFF
+++ /dev/null
-# plomlompom's i3 status bar configuration
-
-# Activate colors; set update interval of one second.
-general {
- colors = true
- interval = 1
-}
-
-# Selection / order of status elements.
-order += "disk /"
-order += "disk /home"
-order += "wireless wls1"
-order += "ethernet enp0s25"
-order += "battery 0"
-order += "cpu_temperature 0"
-order += "load"
-order += "time"
-
-# How much space is left in / ?
-disk "/" {
- format = "%free"
-}
-
-# How much space is left in /home ?
-disk "/home" {
- format = "%free"
-}
-
-
-# WLAN status: show IP and connection quality or "down".
-wireless wls1 {
- format_up = "W: (%quality at %essid) %ip"
- format_down = "W: down"
-}
-
-# Ethernet status: show IP or "down".
-ethernet enp0s25 {
- format_up = "E: %ip"
- format_down = "E: down"
-}
-
-# Battery status: show FULL/CHARGING/BATTERY, storage, time left.
-battery 0 {
- format = "%status %percentage %remaining"
-}
-
-# Show CPU temperature in degrees of celsius.
-cpu_temperature 0 {
- format = "T: %degrees °C"
-}
-
-# Show system load during last 1/5/15 minutes.
-load {
- format = "L: %1min %5min %15min"
-}
-
-# Show date/time/timezone as "year-month-day hour:minute:second
-# timezone_numeric/timezone_alphabetic".
-time {
-
- format = "%Y-%m-%d %H:%M:%S %z/%Z"
-}
+++ /dev/null
-! font
-XTerm*faceName: -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1
-XTerm*reverseVideo: on
-XTerm*visualBell: on
-
-! proper ALT as META key treatment
-XTerm*eightBitInput: false
+++ /dev/null
-# plomlompom's i3-wm configuration
-
-# Font for i3 text
-font pango:Terminus 11px
-#font -misc-fixed-medium-r-normal--13-120-75-75-C-70-iso10646-1
-
-# Force "tabbed" as default layout for new windows.
-workspace_layout tabbed
-
-# Make the Windows key the modifier key for all i3-wm actions.
-set $mod Mod4
-floating_modifier $mod
-
-# Launch xterm.
-bindsym $mod+Return exec xterm -r
-
-# Launch programs via dmenu.
-bindsym $mod+d exec dmenu_run
-bindsym $mod+x exec dmenu_run
-
-# Kill window.
-bindsym $mod+Shift+Q kill
-
-# Move focus between windows.
-bindsym $mod+Left focus left
-bindsym $mod+Down focus down
-bindsym $mod+Up focus up
-bindsym $mod+Right focus right
-
-# Don't move focus with mouse.
-focus_follows_mouse no
-
-# Move windows.
-bindsym $mod+Shift+Left move left
-bindsym $mod+Shift+Down move down
-bindsym $mod+Shift+Up move up
-bindsym $mod+Shift+Right move right
-
-# Resize windows
-bindsym $mod+h resize shrink width 1 px or 1 ppt
-bindsym $mod+l resize grow width 1 px or 1 ppt
-bindsym $mod+j resize shrink height
-bindsym $mod+k resize grow height
-
-# Toggle fullscreen for focused window.
-bindsym $mod+f fullscreen
-
-# Toggle floating of window, focus on floating or tabbed windows.
-bindsym $mod+Shift+space floating toggle
-bindsym $mod+space focus mode_toggle
-
-# Switch to workspace x.
-bindsym $mod+1 workspace 1
-bindsym $mod+2 workspace 2
-bindsym $mod+3 workspace 3
-bindsym $mod+4 workspace 4
-bindsym $mod+5 workspace 5
-bindsym $mod+6 workspace 6
-bindsym $mod+7 workspace 7
-bindsym $mod+8 workspace 8
-bindsym $mod+9 workspace 9
-bindsym $mod+0 workspace 10
-
-# Move window to workspace x.
-bindsym $mod+Shift+exclam move workspace 1
-bindsym $mod+Shift+quotedbl move workspace 2
-bindsym $mod+Shift+section move workspace 3
-bindsym $mod+Shift+dollar move workspace 4
-bindsym $mod+Shift+percent move workspace 5
-bindsym $mod+Shift+ampersand move workspace 6
-bindsym $mod+Shift+slash move workspace 7
-bindsym $mod+Shift+parenleft move workspace 8
-bindsym $mod+Shift+parenright move workspace 9
-bindsym $mod+Shift+equal move workspace 10
-
-# Reload i3 config file, restart (keeping sesion) i3, exit i3.
-bindsym $mod+Shift+C reload
-bindsym $mod+Shift+R restart
-bindsym $mod+Shift+P exit
-
-# Select "i3status" as i3 status bar.
-bar {
- status_command i3status | ~/config/bin/i3status_wrapper.py
-}
+++ /dev/null
-set! browser.startup.page=3
-set! privacy.donottrackheader.enabled=true
-set! network.cookie.lifetimePolicy=2
-set! browser.formfill.enable=false
-set! browser.block.target_new_window=true
-set! browser.download.lastDir=~/downloads
-"set! javascript.enabled=false
-"set! permissions.default.image=2
-set! general.useragent.override=foo
-set! signon.rememberSignons=false
-set! network.proxy.socks=localhost
-set! network.proxy.socks_port=9999
-set! network.proxy.type=1
-set go=CMsbr
-set showtabline=never
-highlight Hint -append font: "Droid Sans Mono"; margin: 0em; padding: 0.1em; padding-right: 0.2em;
-command plom open http://www.plomlompom.de/PlomWiki/plomwiki.php?title=Start
-set fc=ignore
-set ds=duckduckgo
-set visualbell
+++ /dev/null
-" source ~/.vimrc_vimgo
+++ /dev/null
-# X init configuration
-
-# Set keymap.
-setxkbmap de
-
-# Read in X configuration.
-xrdb -merge ~/.Xresources
-xrdb -merge ~/.Xresources-local
-
-# Redshift to Berlin, Germany.
-redshift -rl 53:13 &
-
-# Enforce QWERTZ. (Why twice?)
-setxkbmap de
-
-# Use CapsLock as Ctrl, against the Emacs pinky.
-setxkbmap -option caps:ctrl_modifier
-
-# Set up compose key.
-xmodmap ~/.Xmodmap
-
-# Optionally, for certain Optimus systems with a first GPU connected to the
-# display and a second (NVidia) GPU providing 3D acceleration, use the first GPU
-# as sink for the second. This may confuse DPI settings, so re-set those.
-if [ "${NVIDIA_DIRECT}" ]; then
- xrandr --setprovideroutputsource modesetting NVIDIA-0
- xrandr --auto
- xrandr --dpi 96
-fi
-
-# Launch window manager.
-i3 -c ~/.i3
+++ /dev/null
-#!/bin/sh
-set -x
-set -e
-
-if [ ! "$1" = "thinkpad" ] && [ ! "$1" = "server" ]; then
- echo "Need argument."
- false
-fi
-if [ "$1" = "thinkpad" ] && [ ! "$2" = "X200s" ] && [ ! "$2" = "T450s" ]; then
- echo "Need Thinkpad type."
- false
-fi
-if [ "$1" = "server" ] && [ ! "$2" = "personal" ] && [ ! "$2" = "public" ]; then
- echo "Need server purpose."
- false
-fi
-if [ "$2" = "personal" ] && [ ! "$3" = "test.plomlompom.com" ] && \
- [ ! "$3" = "plomlompom.com" ]; then
- echo "Need server domain"
- false
-fi
-
-# Some important variables
-if [ "$3" = "plomlompom.com" ]; then
- hostname="plomlompom"
-elif [ "$3" = "test.plomlompom.com" ]; then
- hostname="test.plomlompom"
-elif [ "$2" = "public" ]; then
- hostname="htwtxt.plomlompom"
-elif [ "$2" = "X200s" ]; then
- hostname="X200s"
-elif [ "$2" = "T450s" ]; then
- hostname="T450s"
-fi
-
-if [ "$1" = "server" ]; then
- # Set root pw.
- passwd
-fi
-
-# Post-installation reduction.
-dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed \
- 's/ required//' > list_white_unsorted
-echo 'ifupdown' >> list_white_unsorted
-echo 'isc-dhcp-client' >> list_white_unsorted
-sort list_white_unsorted > list_white
-dpkg-query -Wf '${Package}\n' > list_all_packages
-sort list_all_packages > foo
-mv foo list_all_packages
-comm -3 list_all_packages list_white > list_black
-apt-mark auto `cat list_black`
-echo 'APT::AutoRemove::RecommendsImportant "false";' > /etc/apt/apt.conf.d/99mindeps
-echo 'APT::AutoRemove::SuggestsImportant "false";' >> /etc/apt/apt.conf.d/99mindeps
-DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-rm list_all_packages list_white_unsorted list_white list_black
-echo 'APT::Install-Recommends "false";' >> /etc/apt/apt.conf.d/99mindeps
-echo 'APT::Install-Suggests "false";' >> /etc/apt/apt.conf.d/99mindeps
-
-# Set hostname and FQDN.
-echo $hostname > /etc/hostname
-hostname $hostname
-if [ "$1" = "server" ]; then
- echo '127.0.0.1 localhost' > /etc/hosts
- ip=`hostname -I | cut -d " " -f 1`
- echo "$ip $hostname.com $hostname" >> /etc/hosts
-
- # Call dhclient on startup.
- cat > /etc/systemd/system/dhclient.service << EOF
-[Unit]
-Description=Ethernet connection
-
-[Service]
-ExecStart=/sbin/dhclient eth0
-
-[Install]
-WantedBy=multi-user.target
-EOF
- systemctl enable /etc/systemd/system/dhclient.service
-fi
-
-# Package management config, system upgrade.
-echo 'deb http://ftp.debian.org/debian/ jessie main contrib non-free' \
- > /etc/apt/sources.list
-echo 'deb http://security.debian.org/ jessie/updates main contrib non-free' \
- >> /etc/apt/sources.list
-echo 'deb http://ftp.debian.org/debian/ jessie-updates main contrib non-free' \
- >> /etc/apt/sources.list
-if [ "$1" = "thinkpad" ] || [ "$2" = "public" ]; then
- echo 'deb http://ftp.debian.org/debian/ jessie-backports main contrib' \
-' non-free' >> /etc/apt/sources.list
- echo 'deb http://ftp.debian.org/debian/ testing main contrib non-free' \
- >> /etc/apt/sources.list
- echo 'deb http://security.debian.org/ testing/updates main contrib' \
-' non-free' >> /etc/apt/sources.list
- echo 'deb http://ftp.debian.org/debian/ testing-updates main contrib' \
-' non-free' >> /etc/apt/sources.list
- echo 'APT::Default-Release "stable";' \
- >> /etc/apt/apt.conf.d/99defaultrelease
-fi
-if [ "$1" = "thinkpad" ]; then
- dhclient eth0
-fi
-apt-get update
-apt-get -y dist-upgrade
-
-# Set up manuals.
-apt-get -y install man-db manpages less
-
-if [ "$1" = "thinkpad" ]; then
- # Power management as per <http://thinkwiki.de/TLP_-_Linux_Stromsparen>.
- echo '' >> /etc/apt/sources.list
- echo 'deb http://repo.linrunner.de/debian jessie main' \
- >> /etc/apt/sources.list
- apt-key adv --keyserver pool.sks-keyservers.net --recv-keys CD4E8809
- apt-get update
- apt-get -y install linux-headers-amd64 tlp tp-smapi-dkms
- sed -i 's/^#START_CHARGE_THRESH_BAT0/START_CHARGE_THRESH_BAT0=10 '\
-'#START_CHARGE_THRESH_BAT0/' /etc/default/tlp
- sed -i 's/^#STOP_CHARGE_THRESH_BAT0/STOP_CHARGE_THRESH_BAT0=95 '\
-'#STOP_CHARGE_THRESH_BAT0/' /etc/default/tlp
- sed -i 's/^#START_CHARGE_THRESH_BAT1/START_CHARGE_THRESH_BAT0=10 '\
-'#START_CHARGE_THRESH_BAT1/' /etc/default/tlp
- sed -i 's/^#STOP_CHARGE_THRESH_BAT1/STOP_CHARGE_THRESH_BAT0=95 '\
-'#STOP_CHARGE_THRESH_BAT1/' /etc/default/tlp
- sed -i 's/^#DEVICES_TO_DISABLE_ON_STARTUP/DEVICES_TO_DISABLE_ON_STARTUP='\
-'"bluetooth wifi wwan" #DEVICES_TO_DISABLE_ON_STARTUP/' /etc/default/tlp
- tlp start
-fi
-
-# Don't clear boot messages on start up.
-sed -i 's/^TTYVTDisallocate=yes$/TTYVTDisallocate=no/g' \
- /etc/systemd/system/getty.target.wants/getty\@tty1.service
-
-# Set up timezone.
-echo 'Europe/Berlin' > /etc/timezone
-cp /usr/share/zoneinfo/Europe/Berlin /etc/localtime
-
-# Locale config.
-apt-get -y install locales
-echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen
-locale-gen
-
-if [ "$1" = "thinkpad" ]; then
- # Console config.
- DEBIAN_FRONTEND=nointeractive apt-get -y install console-setup
- echo 'ACTIVE_CONSOLES="/dev/tty[1-6]"' > /etc/default/console-setup
- echo 'CHARMAP="UTF-8"' >> /etc/default/console-setup
- echo 'CODESET="Lat15"' >> /etc/default/console-setup
- echo 'FONTFACE="TerminusBold"' >> /etc/default/console-setup
- echo 'FONTSIZE="8x16"' >> /etc/default/console-setup
- echo 'export LC_ALL="en_US.UTF-8"' >> /etc/profile
- sed -i 's/^XKBLAYOUT/XKBLAYOUT="de" # XKBLAYOUT/g' /etc/default/keyboard
- service keyboard-setup restart
-fi
-
-# Clone git repository.
-apt-get -y install ca-certificates
-apt-get -y install git
-git clone http://github.com/plomlompom/config
-config/bin/symlink.sh
-
-# Add user. Remove old user's config/ if it exists.
-useradd -m -s /bin/bash plom
-rm -rf /home/plom/config
-su - plom -c 'git clone http://github.com/plomlompom/config /home/plom/config'
-su plom -c '/home/plom/config/bin/symlink.sh '$1' '$2' '$3
-
-# Allow user to sudo.
-if [ "$1" = "thinkpad" ]; then
- apt-get -y install sudo
- adduser plom sudo
-fi
-
-# Set up editor.
-mkdir -p .vimbackups
-su plom -c 'mkdir -p /home/plom/.vimbackups/'
-apt-get -y install vim
-
-if [ "$1" = "server" ]; then
- # Set up ssh-guard.
- apt-get -y install sshguard rsyslog
-
- # Set up openssh-server.
- apt-get -y install openssh-server
-
- # Set up mail system.
- su plom -c 'mkdir -p /home/plom/mail/'
- su plom -c 'mkdir -p /home/plom/mail/inbox/{cur,new,tmp}'
- su plom -c 'mkdir -p /home/plom/mail/new_inbox/{cur,new,tmp}'
- sed -i 's/^delete = true$/delete = false/g' \
- /home/plom/config/dotfiles/user/server/personal/minimal/getmail/getmailrc
- DEBIAN_FRONTEND=noninteractive apt-get -y install mutt postfix maildrop
- cp config/systemfiles/main.cf /etc/postfix/main.cf
- sed -i 's/HOSTNAME/'$hostname.com'/g' /etc/postfix/main.cf
- cp config/systemfiles/aliases /etc/aliases
- newaliases
- service postfix restart
- if [ "$2" = "personal" ]; then
- apt-get -y install getmail4 procmail
- fi
-
- # Set up regular system update reminder.
- apt-get -y install cron
- su plom -c "echo '0 18 * * 0 ~/config/bin/simplemail.sh '\
- '~/config/mails/update_reminder' | crontab -"
-
- if [ "$2" = "personal" ]; then
- # Set up screen/weechat/OTR/bitlbee. Make bitlbee listen only locally.
- apt-get -y install screen weechat-plugins python-potr bitlbee
- sed -i 's/^# DaemonInterface/DaemonInterface = 127.0.0.1 '\
-'# DaemonInterface/' /etc/bitlbee/bitlbee.conf
- sedtest=`grep -E '^DaemonInterface = 127.0.0.1 #' \
- /etc/bitlbee/bitlbee.conf | wc -l | cut -d ' ' -f 1`
- if [ 0 -eq $sedtest ]; then
- false
- fi
- cp config/systemfiles/weechat.service \
- /etc/systemd/system/weechat.service
- systemctl enable /etc/systemd/system/weechat.service
-
- # Send instructions mail.
- config/bin/simplemail.sh config/mails/server_postinstall_finished
-
- elif [ "$2" = "public" ]; then
-
- # Set up htwtxt and environment.
- apt-get -y install screen
- apt-get -y -t jessie-backports install golang
- su - plom -c 'git clone https://github.com/plomlompom/htwtxt $GOPATH/src/htwtxt'
- su - plom -c 'go get htwtxt'
- path=`su - plom -c 'echo $GOPATH/bin/htwtxt'`
- su - plom -c 'mkdir -p ~/htwtxt'
- cp config/systemfiles/htwtxt_restart_reminder.service \
- /etc/systemd/system/htwtxt_restart_reminder.service
- systemctl enable /etc/systemd/system/htwtxt_restart_reminder.service
-
- # Set up nginx and letsencrypt.
- apt-get -y install nginx
- cp config/systemfiles/nginx.conf /etc/nginx/nginx.conf
- cd ~
- git clone https://github.com/letsencrypt/letsencrypt
- echo '0 18 * * 0 ~/config/bin/renew_certs.sh' | crontab -
-
- # Set up plomlombot.
- apt-get -y install python3 python3-venv python3-pip
- su - plom -c 'cd && git clone http://github.com/plomlompom/plomlombot-irc'
- su - plom -c 'mkdir -p ~/plomlombot_db'
- cp config/systemfiles/plomlombot.service \
- /etc/systemd/system/plomlombot.service
- systemctl enable /etc/systemd/system/plomlombot.service
-
- # Set up plomlombot logging infrastructure.
- mkdir -p /var/www/html/irclogs/
- ln -s /home/plom/plomlombot_db/6f322d574618816aa2d6d1ceb4fd2551/3c0248e76a1de3a6ee5bf3421f7379b0/logs/ /var/www/html/irclogs/zrolaps
- touch /var/www/password_irclogs_zrolaps
- ln -s /home/plom/plomlombot_db/6f322d574618816aa2d6d1ceb4fd2551/657eea42f86866f2954d39f92a6c71ff/logs/ /var/www/html/irclogs/nodrama.de
- touch /var/www/password_irclogs_nodrama_de
- ln -s /home/plom/plomlombot_db/6f322d574618816aa2d6d1ceb4fd2551/a083c5d5efca3734294fa656692990b6/logs/ /var/www/html/irclogs/freakazoid
- touch /var/www/password_irclogs_freakazoid
-
- # Set up other web-served directories.
- su - plom -c 'mkdir -p /home/plom/dump'
- ln -s /home/plom/dump/ /var/www/html/dump
- su - plom -c 'mkdir -p /home/plom/geheim'
- ln -s /home/plom/geheim/ /var/www/html/geheim
- su - plom -c 'mkdir -p /home/plom/lesekreis'
- ln -s /home/plom/geheim/ /var/www/html/lesekreis
- su - plom -c 'mkdir -p /home/plom/zettel'
- ln -s /home/plom/zettel/ /var/www/html/zettel
- su - plom -c 'git init --bare /home/plom/zettel.git'
- su - plom -c 'cp ~/config/systemfiles/post-update ~/zettel.git/hooks/'
- su - plom -c 'chmod a+x /home/plom/zettel.git/hooks/post-update'
-
- # Install website generator tools
- apt-get -y install pandoc wget
- wget http://news.dieweltistgarnichtso.net/bin/archives/redo-sh.tar.gz
- tar -oxzf redo-sh.tar.gz -C /usr/local
- rm redo-sh.tar.gz
- apt-get --purge autoremove wget
- fi
-
-elif [ "$1" = "thinkpad" ]; then
- # Set up networking (wifi!).
- apt-get -y install firmware-iwlwifi
- DEBIAN_FRONTEND=noninteractive apt-get -y install wicd-curses
- sed -i 's/^wired_interface = .*$/wired_interface = eth0/g' \
- /etc/wicd/manager-settings.conf
- sed -i 's/^wireless_interface = .*$/wireless_interface = wlan0/g' \
- /etc/wicd/manager-settings.conf
- systemctl restart wicd
-
- # Set up hibernation on lid close.
- echo 'HandleLidSwitch=hibernate' >> /etc/systemd/logind.conf
-
- # Set up sound.
- usermod -aG audio plom
- apt-get -y install alsa-utils
- if [ "$2" = "X200s" ]; then
- amixer -c 0 sset Master playback 100% unmute
- elif [ "$2" = "T450s" ]; then
- amixer -c 1 sset Master playback 100% unmute
- # Re-order souncards so the commonly used one is the first one.
- echo 'options snd_hda_intel index=1,0' >> /etc/modprobe.d/sound.conf
- fi
-
- # Set up window system, i3, redshift.
- apt-get -y install xserver-xorg xinit xterm i3 i3status dmenu redshift
-
- # Set up OpenGL and hardware acceleration.
- if [ "$2" = "X200s" ]; then
- apt-get -y install i965-va-driver
- elif [ "$2" = "T450s" ]; then
- apt-get -y -t jessie-backports install xserver-xorg-video-intel
- fi
- apt-get -y install libgl1-mesa-dri
- usermod -aG video plom
-
- # Install xrandr.
- apt-get -y install x11-xserver-utils
-
- # Set up pentadactyl.
- apt-get -y install iceweasel xul-ext-noscript
- apt-get -y -t jessie-backports install xul-ext-pentadactyl
- apt-get -y install vim-gtk
- su plom -c 'mkdir -p /home/plom/downloads/'
-
- # Set up openssh-client.
- apt-get -y install openssh-client
-fi
-
-# Set password for user.
-passwd plom
-
-# Clean up.
-rm jessie_postinstall.sh
-
-# Finalize everything with a reboot.
-echo "You may reboot now with the 'reboot' command unless there's more to do."
+++ /dev/null
-[SYSADMIN] [HTWTXT] Restart reminder
-
-The virtual server hosting the htwtxt server was restarted, so the htwtxt server
-itself needs to be restarted too, via (in screen) its
-~/config/bin/start_htwtxt.sh.
+++ /dev/null
-[SYSADMIN] Server post-installation TODO
-
-The server post-installation script seems to have run successfully. Remember to
-perform the following tasks:
-
-- once when mail system set-up seems stable, in
- config/dotfiles_user_server/getmail/getmailrc, set [options] delete = true
-
-- ensure the following DNS TXT record for @: v=spf1 mx -all
-
-- run (as root) config/bin/setup_opendkim.sh $selector to set up system for DKIM
- key signing, with a second parameter $keyfile if a key already exists; without
- second parameter, this will generate a new key and print the DNS record to add
-
-- run (as root) config/bin/setup_starttls.sh to set up server-side STARTTLS for
- mail; optionally run with paths to 1) a key file and 2) a cert file as
- arguments if those exist to re-use existing ones
-
-- in the screen weechat/bitlbee session (run "screen -dr"), switch to the
- &bitlbee channel, register with a password ("register", "/oper . [password]"),
- and set up Jabber account with password ("account add jabber
- plomlompom@jabber.ccc.de", "/oper . [password]"), then activate it ("account
- on")
+++ /dev/null
-[SYSADMIN] System updating reminder
-
-This is your regular reminder to run:
-
-apt-get update
-apt-get upgrade
-apt-get dist-upgrade
+++ /dev/null
-[SYSADMIN] weechat restarted, re-identify!
-
-Your weechat was restarted, so don't forget to re-identify on freenode to
-nickserv via "/msg nickserv identify [password]", and on bitlbee by joining
-&bitlbee, "identify", "/oper . [password]", and "account on".
+++ /dev/null
-some stuff I need to incorporate later on:
-
-the blog post-update git hook:
-
-
-
-#!/bin/sh
-blog_dir=~/blog
-export GIT_DIR=$(pwd)
-export GIT_WORK_TREE="$blog_dir"
-git checkout -f
-cd "$GIT_WORK_TREE"
-redo
-git add metadata/author metadata/url metadata/title metadata/*.tmpl metadata/automatic_metadata captchas/linkable/*
-count=$(ls -1 metadata/*.automatic_metadata 2>/dev/null | wc -l)
-if [ "$count" != 0 ]; then
- git add metadata/*.automatic_metadata
-fi
-status=$(git status -s)
-n_updates=$(printf "$status" | grep -vE '^\?\?' | wc -l)
-if [ "$n_updates" -gt 0 ]; then
- git commit -a -m 'Update metadata'
-fi
-
-
-furthermore, the url_catcher virtualenv run.sh script needs this (to compile uwsgi):
-
-apt-get install python3.4-dev
-
-
-also, these:
-
-# /etc/systemd/system/url_catcher.service
-
-[Unit]
-Description=URL catcher
-
-[Service]
-Type=forking
-User=plom
-ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 screen -d -m ~/url_catcher.sh'
-
-[Install]
-WantedBy=multi-user.target
-
-
-
-and url_catcher.sh:
-
-#!/bin/sh
-
-cd ~
-cd url-catcher
-./run.sh
+++ /dev/null
-# for minetest sound to work
-[alsa]
-mmap = false
+++ /dev/null
-# using hdmi0 for TV stereo, hdmi1 for a 5.1 speaker set-up
-# unfortunately, a non-square speaker number creates some noise
-# therefore for hdmi1 we declare 8 speakers, but re-map them to 6 speakers
-pcm.hdmi0 {
- type hw
- card 0
-}
-pcm.hdmi1 {
- type route
- slave {
- pcm "hw:1,0"
- channels 8
- }
- ttable {
- 0.0 = 1
- 1.1 = 1
- 2.2 = 1
- 3.3 = 1
- 4.4 = 1
- 5.5 = 1
- 6.0 = 0.5
- 6.2 = 0.5
- 7.1 = 0.5
- 7.3 = 0.5
- }
-}
-
-# upmix stereo to 5.1 – so we can watch stereo YouTube on all speakers
-# with this: $ chromium-browser --alsa-output-device=stereo51
-# (numbers taken from <https://www.volkerschatz.com/noise/alsa.html>)
-pcm.stereo51 {
- type route
- slave {
- pcm "hw:1,0"
- channels 8
- }
- ttable {
- 0.0 = 1
- 0.2 = -0.6
- 0.3 = -0.39
- 0.4 = 0.5
- 0.5 = 0.5
- 1.1 = 1
- 1.2 = -0.6
- 1.3 = -0.39
- 1.4 = 0.5
- 1.5 = 0.5
- }
-}
-
-# default to hdmi0, overwrite with AUDIO_HDMI=1 env prefix
-pcm.!default {
- type plug
- slave.pcm {
- @func concat
- strings [
- "hdmi"
- {
- @func getenv
- vars [ AUDIO_HDMI ]
- default "0"
- }
- ]
- }
-}
-ctl.!default {
- type hw
- card {
- @func getenv
- vars [ AUDIO_HDMI ]
- default 0
- }
-}
+++ /dev/null
-# for whatever reason, emulationstation gets some strange screen flicker issues
-# if the second display is activated, so ensure it is only started with that off
-alias emulationstation="xrandr --output HDMI-2 --off && emulationstation"
-
-# since the second HDMI only outputs sound with video, we have to ensure it's
-# activated with xrandr if we want to use it for surround sound setup
-alias mpv51="xrandr --output HDMI-2 --auto && AUDIO_HDMI=1 mpv --alsa-ignore-chmap '--audio-channels=5.1(alsa)'"
-alias chromium-upmix="xrandr --output HDMI-2 --auto && chromium-browser --alsa-output-device=stereo51"
-alias alsamixer51="AUDIO_HDMI=1 alsamixer"
-# see vlc -H why these
-alias vlc51="xrandr --output HDMI-2 --auto && vlc --alsa-audio-device=hdmi1 --alsa-audio-channels=4199"
+++ /dev/null
-#!/bin/sh
-
-set -e
-set -x
-
-url=$1
-
-ensure_line() {
- add_string="$1"
- file="$2"
- test=`grep "$add_string" "$file" | wc -l`
- if [ $test -lt 1 ]; then
- echo "$add_string" >> "$file"
- fi
-}
-
-filename=temp_golang_binary
-
-if [ "$url" = "" ]; then
- echo 'Need URL of current go package'
- exit 1
-fi
-sudo rm -rf /usr/local/go
-sudo apt-get -y install wget
-wget -O $filename $url
-sudo tar -C /usr/local -xzf $filename
-rm $filename
-ensure_line 'export PATH=$PATH:/usr/local/go/bin' ~/.shinit_add
-ensure_line 'export GOPATH=~/gopath' ~/.shinit_add
-sudo apt-get -y install vim-pathogen
-rm -rf ~/.vim/bundle/vim-go
-git clone https://github.com/fatih/vim-go.git ~/.vim/bundle/vim-go
-ensure_line 'source ~/.vimrc_vimgo' ~/.vimrc_add
-cat << EOF > ~/.vimrc_vimgo
-" vim-go: Make vim-go run.
-call pathogen#infect()
-let g:go_disable_autoinstall = 0
-" vim-go: Highlight
-let g:go_highlight_functions = 1
-let g:go_highlight_methods = 1
-let g:go_highlight_structs = 1
-let g:go_highlight_operators = 1
-let g:go_highlight_build_constraints = 1
-EOF
+++ /dev/null
-# needed for rtorrent config setup
-curl
-# needed for torrenting
-rtorrent
-# needed for torrenting session
-screen
-# needed for upload/download
-rsync
+++ /dev/null
-# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
-
-# This is the sshd server system-wide configuration file. See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented. Uncommented options override the
-# default value.
-
-Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-#HostKey /etc/ssh/ssh_host_ecdsa_key
-#HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-#LogLevel INFO
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin no # plomlompom's security rule
-#StrictModes yes
-#MaxAuthTries 6
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# Expect .ssh/authorized_keys2 to be disregarded by default in future.
-#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication. Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin yes
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding yes
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#UsePrivilegeSeparation sandbox
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp /usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-# X11Forwarding no
-# AllowTcpForwarding no
-# PermitTTY no
-# ForceCommand cvs server
-
-ClientAliveInterval 120
-PasswordAuthentication no # plomlompom's security rule
+++ /dev/null
-#!/bin/sh
-# This script turns a fresh server with password-based root access into
-# one of only key-based access and only to new non-root account plom.
-#
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/id_rsa.pub, and also any old
-# /etc/ssh/sshd_config.
-#
-# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
-# configured sshd_config file in reach.
-set -e
-
-# Location of an sshd_config with "PermitRootLogin no" and
-# "PasswordAuthentication no".
-config_tree_prefix="${HOME}/public_repos/config/stretch"
-linkable_files_dir="${config_tree_prefix}/etc_files/server"
-system_path_sshd_config='/etc/ssh/sshd_config'
-local_path_sshd_config="${linkable_files_dir}${system_path_sshd_config}"
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# This will be used to log-in as root from plom account.
-echo 'First, enter the old root password; then enter new password twice.'
-ssh root@"${server}" "passwd"
-
-# Save root password for sshpass
-stty -echo
-printf "Re-enter new server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="${PW_ROOT}"
-
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login by copying over the
-# sshd_config and restart ssh daemon.
-#
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
-sshpass -e ssh root@"${server}" \
- 'useradd -m plom && '\
- 'mkdir /home/plom/.ssh && '\
- 'chown plom:plom /home/plom/.ssh && '\
- 'chown plom:plom /tmp/authorized_keys && '\
- 'chmod u=rw,go= /tmp/authorized_keys && '\
- 'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
-sshpass -e ssh root@"${server}" 'service ssh restart'
+++ /dev/null
-#!/bin/sh
-# Walks through the package names in the argument-selected files of
-# apt-mark/ and ensures the respective packages are installed.
-#
-# Ignores anything in an apt-mark/ file after the last newline.
-set -e
-
-config_tree_prefix="${HOME}/config/stretch"
-aptmark_dir="${config_tree_prefix}/apt-mark"
-
-for target in "$@"; do
- path="${aptmark_dir}/${target}"
- # TODO: continue if file at $path not found, to get rid of dummy files
- cat "${path}" | while read line; do
- echo "$line"
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=--force-confold install "${line}"
- fi
- done
-done
+++ /dev/null
-#!/bin/sh
-set -e
-
-./install_for_target.sh seedbox
-
-# As according to <https://rtorrent-docs.readthedocs.io/en/latest/cookbook.html#modernized-configuration-template>
-su -lc "curl -Ls 'https://raw.githubusercontent.com/wiki/rakshasa/rtorrent/CONFIG-Template.md' | grep -A9999 '^######' | grep -B9999 '^### END' | sed -re \"s:/home/USERNAME:\$HOME:\" >~/.rtorrent.rc" plom
-su -lc "echo 'pieces.hash.on_completion.set = no' >> ~/.rtorrent.rc" plom
-su -lc "mkdir ~/rtorrent" plom
-
-# As according to <https://unix.stackexchange.com/a/475485>
-chmod u+s /usr/bin/screen
-chmod 755 /var/run/screen
+++ /dev/null
-# /etc/aliases
-
-# As per RFC 2142.
-mailer-daemon: plom
-postmaster: plom
-hostmaster: plom
-usenet: plom
-news: plom
-webmaster: plom
-www: plom
-ftp: plom
-abuse: plom
-noc: plom
-security: plom
-root: plom
-
-# Personal aliases.
-plomlompom: plom
-christian.heller: plom
-christian_heller: plom
-christianheller: plom
-c.heller: plom
-heller: plom
+++ /dev/null
-# /etc/systemd/system/weechat.service
-
-[Unit]
-Description=htwtxt restart reminder
-
-[Service]
-Type=forking
-User=plom
-ExecStart=/bin/sh -c '~/config/bin/simplemail_out.sh ~/config/mails/htwtxt_restart'
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-# /etc/postfix/main.cf
-
-# Use maildrop as MDA.
-mailbox_command = /usr/bin/maildrop
-
-# Restrictive relaying policy.
-smtpd_relay_restrictions = permit_mynetworks defer_unauth_destination
-
-# What domains to receive mail for: names of local server.
-mydestination = HOSTNAME, localhost
-
-# What clients to relay mail from: only local server.
-mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
-
-# Paranoid maximum error notification.
-notify_classes=2bounce, bounce, data, delay, policy, protocol, resource, software
+++ /dev/null
-# system integration
-user www-data;
-pid /run/nginx.pid;
-
-# is expected even if empty
-events {
-}
-
-http {
- # define content-type headers
- types {
- text/html html htm shtml;
- text/css css;
- text/xml xml;
- text/plain txt sh rst md;
- application/xhtml+xml xhtml;
- application/pdf pdf;
- image/jpeg jpg jpeg;
- image/png png;
- }
- default_type application/octet_stream;
- charset utf-8;
-
- # logging
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
-
- # enforce https
- server {
- listen 80;
- return 301 https://$host$request_uri;
- }
-
- # IRC logs
- server {
- listen 443 ssl;
- server_name dump.plomlompom.com;
- ssl_certificate /etc/letsencrypt/live/dump.plomlompom.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/dump.plomlompom.com/privkey.pem;
- root /var/www/html/;
- location /zettel/ {
- # rewrite non-suffixed filenames to .html ones
- rewrite ^(/zettel/(.*/)*[^./]+)$ $1.html;
- autoindex on;
- }
- location /dump/ {
- autoindex on;
- }
- location /geheim/ {
- auth_basic "geheim geheim";
- auth_basic_user_file /var/www/password_geheim;
- autoindex on;
- }
- location /irclogs/zrolaps/ {
- auth_basic "#zrolaps logs";
- auth_basic_user_file /var/www/password_irclogs_zrolaps;
- autoindex on;
- }
- location /irclogs/nodrama.de/ {
- auth_basic "#nodrama.de logs";
- auth_basic_user_file /var/www/password_irclogs_nodrama_de;
- autoindex on;
- }
- location /irclogs/freakazoid/ {
- auth_basic "#freakazoid logs";
- auth_basic_user_file /var/www/password_irclogs_freakazoid;
- autoindex on;
- }
- location /lesekreis/ {
- auth_basic "Quellen Lesekreis";
- auth_basic_user_file /var/www/password_lesekreis;
- autoindex on;
- }
- location /uwsgi/ {
- include uwsgi_params;
- uwsgi_pass 127.0.0.1:3031;
- }
- }
-
- # htwtxt
- server {
- listen 443 ssl;
- server_name htwtxt.plomlompom.com;
- ssl_certificate /etc/letsencrypt/live/htwtxt.plomlompom.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/htwtxt.plomlompom.com/privkey.pem;
- location / {
- proxy_pass http://127.0.0.1:8000;
- }
- }
-}
+++ /dev/null
-# The domain for which mails are signed.
-Domain plomlompom.com
-
-# Location of the private key to sign mails with.
-KeyFile /etc/opendkim/dkim.key
-
-# Identifies the signing key; useful when replacing it.
-#Selector keyname
-
-# Canonicalize the body strictly for signing, but the header (more legitimately
-# subject to reformatting by forwarding servers) less so.
-Canonicalization relaxed/simple
-
-# Invalidate the signature of mails to which additional From fields were added
-# after the signing. (See RFC for details on how this works.)
-OversignHeaders From
-
-# Where to communicate with the MTA.
-Socket inet:12301@localhost
-
-# Don't act as root.
-UserID opendkim:opendkim
+++ /dev/null
-# /etc/systemd/system/plomlombot.service
-
-[Unit]
-Description=plomlombot screen
-
-[Service]
-Type=forking
-User=plom
-ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 screen -d -m ~/config/bin/plomlombot.sh && screen -d -m ~/config/bin/broiler_in.sh && screen -d -m ~/config/bin/hubbabubba.sh && screen -d -m ~/config/bin/zinskritik.sh'
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-#!/bin/sh
-ZETTELDIR=/home/plom/zettel
-GIT_WORK_TREE=$ZETTELDIR git checkout -f
-cd $ZETTELDIR
-redo
+++ /dev/null
-# /etc/systemd/system/weechat.service
-
-[Unit]
-Description=weechat screen
-
-[Service]
-Type=forking
-User=plom
-ExecStart=/bin/sh -c 'LC_ALL=en_US.UTF8 screen -d -m ~/config/bin/weechat-wrapper.sh'
-
-[Install]
-WantedBy=multi-user.target
+++ /dev/null
-#!/bin/sh
-set -e
-
-if [ "$#" -ne 1 ]; then
- echo "Need exactly one argument: public key ID."
- false
-fi
-gpg_key="$1"
-keyservers='keyserver.ubuntu.com pgp.surf.nl pgp.rediris.es'
-set +e
-for keyserver in $(echo "${keyservers}"); do
- gpg --no-tty --keyserver $keyserver --send-key "${gpg_key}"
-done
-set -e
projects / config / commitdiff
