From: Christian Heller <>
Date: Sat, 15 Dec 2018 18:15:04 +0000 (+0100)
Subject: Change directory structure and between-script path references.

Change directory structure and between-script path references.

-# Hard link files to those in argument-selected subdirectories of
-# linkable_etc_files//, e.g. link /etc/foo/bar to
-# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
-# necessary. We do the hard linking so files that should be readable to
-# non-root in /etc/ remain so despite having a path below /root/, as
-# symbolic links point into /root/ without making the targets readable
-# to non-root.
-# CAUTION: This removes original files at the affected paths.
-set -e
-for target in "$@"; do
-    cd "${config_tree_prefix}${target}"
-    for path in $(find . -type f); do
-        linking=$(echo "${path}" | cut -c2-)
-        linked=$(realpath "${path}")
-        dir=$(dirname "${linking}")
-        mkdir -p "${dir}"
-        ln -f "${linked}" "${linking}"
-    done
-# This script turns a fresh server with password-based root access to
-# one of only key-based access and only to new non-root account plom.
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/, and also any old
-# /etc/ssh/sshd_config.
-# Dependencies: ssh, scp, sshpass, ~/.ssh/, properly
-# configured sshd_config file in reach.
-set -e
-# Location auf a sshd_config with "PermitRootLogin no" and
-# "PasswordAuthentication no".
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
-    echo "Need server as argument."
-    false
-# Ask for root password only once, sshpass will re-use it then often.
-stty -echo
-printf "Server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="${PW_ROOT}"
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login by copying over the
-# sshd_config and restart ssh daemon.
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/ root@"${server}":/tmp/authorized_keys
-sshpass -e ssh root@"${server}" \
-        'useradd -m plom && '\
-        'mkdir /home/plom/.ssh && '\
-        'chown plom:plom /home/plom/.ssh && '\
-        'chown plom:plom /tmp/authorized_keys && '\
-        'chmod u=rw,go= /tmp/authorized_keys && '\
-        'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
-sshpass -e ssh root@"${server}" 'service ssh restart'
-# Walks through the package names in the argument-selected files of
-# apt-mark/ and ensures the respective packages are installed.
-# Ignores anything in an apt-mark/ file after the last newline.
-set -e
-for target in "$@"; do
-    path="${config_tree_prefix}${target}"
-    cat "${path}" | while read line; do
-        echo "$line"
-        if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
-            apt-get -y install "${line}"
-        fi
-    done
-set -e
-# Ensure we have a mail address as argument.
-if [ $# -lt 1 ]; then
-    echo "Need mail address as argument."
-    false
-# We need certbot to get LetsEncrypt certificates.
-apt install -y certbot
-# If port 80 blocked by iptables, open it.
-set +e
-iptables -C INPUT -p tcp --dport 80 -j ACCEPT
-set -e
-if [ "${open_iptables}" -eq "1" ]; then
-    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-# Create new certificate and copy it to /etc/letsencrypt.
-certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
-# Remove iptables rule to open port 80 if we added it.
-if [ "${open_iptables}" -eq "1" ]; then
-    iptables -D INPUT -p tcp --dport 80 -j ACCEPT
-# Copy over LetsEncrypt certificates from another server.
-set -e
-# Ensure we have a server name as argument.
-if [ $# -lt 1 ]; then
-    echo "Need server as argument."
-    false
-# Copy over.
-ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
-scp plom@${server}:~/letsencrypt.tar .
-apt -y install certbot
-rmdir /etc/letsencrypt
-mv letsencrypt.tar /etc/
-cd /etc/
-tar xf letsencrypt.tar
-rm letsencrypt.tar
-set -e
-if [ $# -lt 2 ]; then
-    echo "Need server and directory as arguments."
-    false
-eval `ssh-agent`
-ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
-scp plom@"${server}":"${path_package}" "${path_package}"
-mkdir -p "${dir}"
-cd "${dir}"
-tar xf "${path_package}"
-rm "${path_package}"
-ssh plom@"${server}" rm "${path_package}"
-# Do some of the steps necessary to SSH (key-based) with another server.
-set -e
-# We need a public key to copy over, so generate it if not found.
-if [ ! -f ~/.ssh/ ]; then
-    ssh-keygen
-# Add target to ~/.ssh/known_hosts so we don't get
-# asked for permission at inopportune moments.
-ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
-# Tell user what to do.
-echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
-cat ~/.ssh/
-# This script removes all Debian packages that are not of Priority
-# "required" or not depended on by packages of priority "required"
-# or not listed in the argument-selected files of apt-mark/.
-set -e
-dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
-for target in "$@"; do
-    path="${config_tree_prefix}${target}"
-    cat "${path}" | while read line; do
-        if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
-            echo "${line}" >> /tmp/list_white_unsorted
-        fi
-    done
-sort /tmp/list_white_unsorted > /tmp/list_white
-dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
-sort /tmp/list_all_packages > /tmp/foo
-mv /tmp/foo /tmp/list_all_packages
-comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
-apt-mark auto `cat /tmp/list_black`
-DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
-# Sets hostname and optionally FQDN.
-# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
-# writing follows recommendations from Debian manual at
-# <>
-# (section "The hostname resolution") on how to map hostname and possibly
-# FQDN to a permanent IP if present (we assume here any non-private IP
-# and non-loopback IP returned by hostname -I to fulfill that criterion
-# on our systems) or to if not. On the reasoning for separating
-# localhost and hostname mapping to different IPs, see
-# <>.
-set -e
-if [ "${hostname}" = "" ]; then
-    echo "Need hostname as argument."
-    false
-echo "${hostname}" > /etc/hostname
-hostname "${hostname}"
-for ip in $(hostname -I); do
-    range_1=$(echo "${ip}" | cut -d "." -f 1)
-    range_2=$(echo "${ip}" | cut -d "." -f 2)
-    if [ "${range_1}" -eq 127 ]; then
-        continue
-    elif [ "${range_1}" -eq 10 ]; then
-        continue
-    elif [ "${range_1}" -eq 172 ]; then
-        if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
-            continue
-        fi
-    elif [ "${range_1}" -eq 192 ]; then
-        if [ "${range_2}" -eq 168 ]; then
-            continue
-        fi
-    fi
-    final_ip="${ip}"
-echo " localhost.localdomain localhost" > /etc/hosts
-echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
-set -e
-if [ $# -lt 2 ]; then
-    echo "Give arguments of mail domain and DKIM selector."
-    echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
-    false
-# Set up DKIM key if necessary.
-mkdir -p /etc/dkimkeys/
-if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
-    add_dkim_record=1
-    set +e
-    dpkg -s opendkim-tools &> /dev/null
-    preinstalled="$?"
-    set -e
-    if [ ! "${preinstalled}" -eq "0" ]; then
-        apt install -y opendkim-tools
-    fi
-    opendkim-genkey -s "${dkim_selector}"
-    mv "${dkim_selector}.private" /etc/dkimkeys/
-    if [ ! "${preinstalled}" -eq "0" ]; then
-        apt -y --purge autoremove opendkim-tools
-    fi
-# Link and adapt mail-server-specific /etc/ files.
-./ mail
-sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
-sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/
-if [ "${domainwide}" = "domainwide" ]; then
-    sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/
-    sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/
-# Since we re-set the iptables rules, we need to reload them.
-iptables-restore /etc/iptables/rules.v4
-# Some useful debconf selections.
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
-echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
-# The second line should not be necessary due to the first line, but for
-# some reason the installation forgets to set up /etc/mailname early
-# enough to not (when running newaliases) stumble over its absence.
-echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
-echo "${mail_domain}" > /etc/mailname
-# Everything should now be ready for installations. Note that we don't
-# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER
-# in any case, to be found by dovecot; we use it as a transport mechanism to
-# allow for sophisticated stuff like dovecot-side sieve filtering (installed
-# with dovecot-sieve).
-apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim
-echo "TODO: Ensure MX entry for your system in your DNS configuration."
-echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host."
-if [ "${add_dkim_record}" -eq "1" ]; then
-    echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
-    cat "${dkim_selector}.txt"
-echo "TODO: passwd plom"
-set -e
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
-    echo "Need public key ID as argument."
-    false
-./ play
-apt -y install weechat screen vim
-cp "${config_tree_prefix}user_files/" /home/plom/
-chown plom:plom /home/plom/
-cp "${config_tree_prefix}user_files/" /home/plom/
-chown plom:plom /home/plom/
-cp "${config_tree_prefix}user_files/weechatrc" /home/plom/.weechatrc
-chown plom:plom /home/plom/.weechatrc
-apt -y install screen gnupg dirmngr
-set +e
-while true; do
-    do_break=0
-    for keyserver in $(echo "${keyservers}"); do
-        su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
-        if [ $? -eq "0" ]; then
-            do_break=1
-            break
-        fi
-        echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
-    done
-    if [ "${do_break}" -eq "1" ]; then
-        break
-    fi
-set -e
-echo "$gpg_key" > /home/plom/.encrypt_target
-chown plom:plom /home/plom/.encrypt_target
-# TODO: We may remove dirmngr here if only this script installed it.
-systemctl daemon-reload
-systemctl start encrypt_chatlogs.timer
-set -e
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
-    echo "Need public key ID as argument."
-    false
-cp "${config_tree_prefix}"/user_files/ /home/plom/
-chown plom:plom /home/plom/
-apt -y install screen python3-venv gnupg dirmngr
-set +e
-while true; do
-    do_break=0
-    for keyserver in $(echo "${keyservers}"); do
-        su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
-        if [ $? -eq "0" ]; then
-            do_break=1
-            break
-        fi
-        echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
-    done
-    if [ "${do_break}" -eq "1" ]; then
-        break
-    fi
-set -e
-# TODO: We may remove dirmngr here if only this script installed it.
-su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
-systemctl enable /etc/systemd/system/plomlombot.service
-service plomlombot start
-mkdir -p "${irclogs_dir}"
-chown -R plom:plom "${irclogs_dir}"
-mkdir -p "${irclogs_pw_dir}"
-chown -R plom:plom "${irclogs_pw_dir}"
-echo "Don't forget to add a file ~/.plomlombot with content such as:"
-echo "gpg_key ${gpg_key}"
-echo "# file should end in newline or non-interpreted line such as this"
+# Hard link files to those in argument-selected subdirectories of
+# linkable_etc_files//, e.g. link /etc/foo/bar to
+# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
+# necessary. We do the hard linking so files that should be readable to
+# non-root in /etc/ remain so despite having a path below /root/, as
+# symbolic links point into /root/ without making the targets readable
+# to non-root.
+# CAUTION: This removes original files at the affected paths.
+set -e
+for target in "$@"; do
+    cd "${linkable_files_dir}/${target}"
+    for path in $(find . -type f); do
+        linking=$(echo "${path}" | cut -c2-)
+        linked=$(realpath "${path}")
+        dir=$(dirname "${linking}")
+        mkdir -p "${dir}"
+        ln -f "${linked}" "${linking}"
+    done
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/, and also any old
+# /etc/ssh/sshd_config.
+# Dependencies: ssh, scp, sshpass, ~/.ssh/, properly
+# configured sshd_config file in reach.
+set -e
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+    echo "Need server as argument."
+    false
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "Server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/ root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+        'useradd -m plom && '\
+        'mkdir /home/plom/.ssh && '\
+        'chown plom:plom /home/plom/.ssh && '\
+        'chown plom:plom /tmp/authorized_keys && '\
+        'chmod u=rw,go= /tmp/authorized_keys && '\
+        'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
+# Walks through the package names in the argument-selected files of
+# apt-mark/ and ensures the respective packages are installed.
+# Ignores anything in an apt-mark/ file after the last newline.
+set -e
+for target in "$@"; do
+    path="${aptmark_dir}/${target}"
+    cat "${path}" | while read line; do
+        echo "$line"
+        if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+            apt-get -y install "${line}"
+        fi
+    done
+# Certify current server with LetsEncrypt.
+# Uses hostname -f for the domain we want to certify.
+set -e
+# Ensure we have a mail address as argument.
+if [ $# -lt 1 ]; then
+    echo "Need mail address as argument."
+    false
+# We need certbot to get LetsEncrypt certificates.
+apt install -y certbot
+# If port 80 blocked by iptables, open it.
+set +e
+iptables -C INPUT -p tcp --dport 80 -j ACCEPT
+set -e
+if [ "${open_iptables}" -eq "1" ]; then
+    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+# Create new certificate and copy it to /etc/letsencrypt.
+certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
+# Remove iptables rule to open port 80 if we added it.
+if [ "${open_iptables}" -eq "1" ]; then
+    iptables -D INPUT -p tcp --dport 80 -j ACCEPT
+# Copy over LetsEncrypt certificates from another server.
+set -e
+# Ensure we have a server name as argument.
+if [ $# -lt 1 ]; then
+    echo "Need server as argument."
+    false
+# Copy over.
+ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
+scp plom@${server}:~/letsencrypt.tar .
+apt -y install certbot
+rmdir /etc/letsencrypt
+mv letsencrypt.tar /etc/
+cd /etc/
+tar xf letsencrypt.tar
+rm letsencrypt.tar
+# Mirror directory tree from remote to local server, keeping the path.
+set -e
+if [ $# -lt 2 ]; then
+    echo "Need server and directory as arguments."
+    false
+eval `ssh-agent`
+ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
+scp plom@"${server}":"${path_package}" "${path_package}"
+mkdir -p "${dir}"
+cd "${dir}"
+tar xf "${path_package}"
+rm "${path_package}"
+ssh plom@"${server}" rm "${path_package}"
+# Do some of the steps necessary to SSH (key-based) with another server.
+set -e
+# We need a public key to copy over, so generate it if not found.
+if [ ! -f ~/.ssh/ ]; then
+    ssh-keygen
+# Add target to ~/.ssh/known_hosts so we don't get
+# asked for permission at inopportune moments.
+ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
+# Tell user what to do.
+echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
+cat ~/.ssh/
+# This script removes all Debian packages that are not of Priority
+# "required" or not depended on by packages of priority "required"
+# or not listed in the argument-selected files of apt-mark/.
+set -e
+dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
+for target in "$@"; do
+    path="${aptmark_dir}/${target}"
+    cat "${path}" | while read line; do
+        if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+            echo "${line}" >> /tmp/list_white_unsorted
+        fi
+    done
+sort /tmp/list_white_unsorted > /tmp/list_white
+dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
+sort /tmp/list_all_packages > /tmp/foo
+mv /tmp/foo /tmp/list_all_packages
+comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
+apt-mark auto `cat /tmp/list_black`
+DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
+# Sets hostname and optionally FQDN.
+# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
+# writing follows recommendations from Debian manual at
+# <>
+# (section "The hostname resolution") on how to map hostname and possibly
+# FQDN to a permanent IP if present (we assume here any non-private IP
+# and non-loopback IP returned by hostname -I to fulfill that criterion
+# on our systems) or to if not. On the reasoning for separating
+# localhost and hostname mapping to different IPs, see
+# <>.
+set -e
+if [ "${hostname}" = "" ]; then
+    echo "Need hostname as argument."
+    false
+echo "${hostname}" > /etc/hostname
+hostname "${hostname}"
+for ip in $(hostname -I); do
+    range_1=$(echo "${ip}" | cut -d "." -f 1)
+    range_2=$(echo "${ip}" | cut -d "." -f 2)
+    if [ "${range_1}" -eq 127 ]; then
+        continue
+    elif [ "${range_1}" -eq 10 ]; then
+        continue
+    elif [ "${range_1}" -eq 172 ]; then
+        if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
+            continue
+        fi
+    elif [ "${range_1}" -eq 192 ]; then
+        if [ "${range_2}" -eq 168 ]; then
+            continue
+        fi
+    fi
+    final_ip="${ip}"
+echo " localhost.localdomain localhost" > /etc/hosts
+echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
+set -e
+if [ $# -lt 2 ]; then
+    echo "Give arguments of mail domain and DKIM selector."
+    echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
+    false
+cd "${setup_scripts_dir}"
+# Set up DKIM key if necessary.
+mkdir -p /etc/dkimkeys/
+if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
+    add_dkim_record=1
+    set +e
+    dpkg -s opendkim-tools &> /dev/null
+    preinstalled="$?"
+    set -e
+    if [ ! "${preinstalled}" -eq "0" ]; then
+        apt install -y opendkim-tools
+    fi
+    opendkim-genkey -s "${dkim_selector}"
+    mv "${dkim_selector}.private" /etc/dkimkeys/
+    if [ ! "${preinstalled}" -eq "0" ]; then
+        apt -y --purge autoremove opendkim-tools
+    fi
+# Link and adapt mail-server-specific /etc/ files.
+./ mail
+sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
+sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/
+if [ "${domainwide}" = "domainwide" ]; then
+    sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/
+    sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/
+# Since we re-set the iptables rules, we need to reload them.
+iptables-restore /etc/iptables/rules.v4
+# Some useful debconf selections.
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
+echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
+# The second line should not be necessary due to the first line, but for
+# some reason the installation forgets to set up /etc/mailname early
+# enough to not (when running newaliases) stumble over its absence.
+echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
+echo "${mail_domain}" > /etc/mailname
+# Everything should now be ready for installations. Note that we don't
+# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER
+# in any case, to be found by dovecot; we use it as a transport mechanism to
+# allow for sophisticated stuff like dovecot-side sieve filtering (installed
+# with dovecot-sieve).
+apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim
+echo "TODO: Ensure MX entry for your system in your DNS configuration."
+echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host."
+if [ "${add_dkim_record}" -eq "1" ]; then
+    echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
+    cat "${dkim_selector}.txt"
+echo "TODO: passwd plom"
+set -e
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+    echo "Need public key ID as argument."
+    false
+cd "${setup_scripts_dir}"
+./ play
+apt -y install weechat screen vim
+cp "${config_tree_prefix}user_files/" /home/plom/
+chown plom:plom /home/plom/
+cp "${config_tree_prefix}user_files/" /home/plom/
+chown plom:plom /home/plom/
+cp "${config_tree_prefix}user_files/weechatrc" /home/plom/.weechatrc
+chown plom:plom /home/plom/.weechatrc
+apt -y install screen gnupg dirmngr
+set +e
+while true; do
+    do_break=0
+    for keyserver in $(echo "${keyservers}"); do
+        su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+        if [ $? -eq "0" ]; then
+            do_break=1
+            break
+        fi
+        echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+    done
+    if [ "${do_break}" -eq "1" ]; then
+        break
+    fi
+set -e
+echo "$gpg_key" > /home/plom/.encrypt_target
+chown plom:plom /home/plom/.encrypt_target
+# TODO: We may remove dirmngr here if only this script installed it.
+systemctl daemon-reload
+systemctl start encrypt_chatlogs.timer
+set -e
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+    echo "Need public key ID as argument."
+    false
+cp "${config_tree_prefix}"/user_files/ /home/plom/
+chown plom:plom /home/plom/
+apt -y install screen python3-venv gnupg dirmngr
+set +e
+while true; do
+    do_break=0
+    for keyserver in $(echo "${keyservers}"); do
+        su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+        if [ $? -eq "0" ]; then
+            do_break=1
+            break
+        fi
+        echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+    done
+    if [ "${do_break}" -eq "1" ]; then
+        break
+    fi
+set -e
+# TODO: We may remove dirmngr here if only this script installed it.
+su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
+systemctl enable /etc/systemd/system/plomlombot.service
+service plomlombot start
+mkdir -p "${irclogs_dir}"
+chown -R plom:plom "${irclogs_dir}"
+mkdir -p "${irclogs_pw_dir}"
+chown -R plom:plom "${irclogs_pw_dir}"
+echo "Don't forget to add a file ~/.plomlombot with content such as:"
+echo "gpg_key ${gpg_key}"
+echo "# file should end in newline or non-interpreted line such as this"
+# This sets up the minimum of a mail server necessary to send out mails
+# to the world.
+set -e
+cd "${setup_scripts_dir}"
+./ sendonly
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+echo "$(hostname -f)" > /etc/mailname
+apt install -y postfix
+# Next setup steps for a server whose login policy has just been set from
+# the outside via ./
+set -e
+# Provide maximum input for
+if [ "$#" -ne 2 ]; then
+    echo 'Need exactly two arguments (hostname, FQDN).'
+    false
+cd "${setup_scripts_dir}"
+# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
+# will set basic configurations affecting following steps, such as setup
+# of APT and the locale selection, so needs to be right at the beginning.
+./ all server
+# Set hostname and FQDN.
+./ "${hostname}" "${fqdn}"
+# Some debconf selections we don't want to get asked during coming
+# install actions.
+echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
+echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
+# Ensure package installation state as defined by what packages are
+# defined as required by Debian policy and by settings in ./apt-mark/.
+apt update
+./ all server
+./ all server
+# Only upgrade after reducing the system to the desired minimum, so that
+# we don't need to get more data than necessary.
+apt -y dist-upgrade
+# Set Berlin localtime.
+ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+# If we have not yet set the shell for user plom, ensure it here. This
+# is mostly for convenience.
+usermod -s /bin/bash plom
+# Set up web server.
+set -e
+cd "${setup_scripts_dir}"
+./ web
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
+cd /var/
+rm -rf www
+git clone www
+apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
+mkdir /var/public_repos
+chown plom:plom /var/public_repos
+iptables-restore /etc/iptables/rules.v4
-# This sets up the minimum of a mail server necessary to send out mails
-# to the world.
-set -e
-./ sendonly
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-echo "$(hostname -f)" > /etc/mailname
-apt install -y postfix
-# Next setup steps for a server whose login policy has just been set from
-# the outside via ./
-set -e
-# Provide maximum input for
-if [ "$#" -ne 2 ]; then
-    echo 'Need exactly two arguments (hostname, FQDN).'
-    false
-# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
-# will set basic configurations affecting following steps, such as setup
-# of APT and the locale selection, so needs to be right at the beginning.
-./ all server
-# Set hostname and FQDN.
-./ "${hostname}" "${fqdn}"
-# Some debconf selections we don't want to get asked during coming
-# install actions.
-echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
-echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
-# Ensure package installation state as defined by what packages are
-# defined as required by Debian policy and by settings in ./apt-mark/.
-apt update
-./ all server
-./ all server
-# Only upgrade after reducing the system to the desired minimum, so that
-# we don't need to get more data than necessary.
-apt -y dist-upgrade
-# Set Berlin localtime.
-ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
-# If we have not yet set the shell for user plom, ensure it here. This
-# is mostly for convenience.
-usermod -s /bin/bash plom
-set -e
-./ web
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
-cd /var/
-rm -rf www
-git clone www
-apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
-mkdir /var/public_repos
-chown plom:plom /var/public_repos
-iptables-restore /etc/iptables/rules.v4
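Review bot: The new `cd "${setup_scripts_dir}"` lines (and the `${linkable_files_dir}` / `${aptmark_dir}` references) depend on a variable defined outside this hunk, and the scripts run under `set -e` without `set -u`, so an unset or empty value is not caught: as far as I can tell `cd ""` leaves the working directory unchanged in bash, after which the `./ … all server` invocations run relative to whatever cwd the caller happened to be in, and `cd "${linkable_files_dir}/${target}"` degrades to `cd "/all"` rather than pointing at the missing configuration. Writing each as `cd "${setup_scripts_dir:?setup_scripts_dir is not set}"` makes a missing definition abort with a message in any POSIX shell, regardless of whether the shebang (not visible here) is bash or sh. The same guard fits `path="${aptmark_dir:?}/${target}"` and `cd "${linkable_files_dir:?}/${target}"`. Separately, the certificate-copy script removes only its local copy of the archive: after the `scp`, `/home/plom/letsencrypt.tar`, which contains `privkey.pem`, stays on the source server owned by plom, so an `ssh plom@"${server}" rm letsencrypt.tar` after the copy would close that exposure.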