+++ /dev/null
-#!/bin/sh
-# Hard link files to those in argument-selected subdirectories of
-# linkable_etc_files//, e.g. link /etc/foo/bar to
-# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
-# necessary. We do the hard linking so files that should be readable to
-# non-root in /etc/ remain so despite having a path below /root/, as
-# symbolic links point into /root/ without making the targets readable
-# to non-root.
-# CAUTION: This removes original files at the affected paths.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018/linkable_etc_files/"
-
-for target in "$@"; do
- cd "${config_tree_prefix}${target}"
- for path in $(find . -type f); do
- linking=$(echo "${path}" | cut -c2-)
- linked=$(realpath "${path}")
- dir=$(dirname "${linking}")
- mkdir -p "${dir}"
- ln -f "${linked}" "${linking}"
- done
-done
+++ /dev/null
-#!/bin/sh
-# This script turns a fresh server with password-based root access to
-# one of only key-based access and only to new non-root account plom.
-#
-# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
-# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
-# contains the local ~/.ssh/id_rsa.pub, and also any old
-# /etc/ssh/sshd_config.
-#
-# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
-# configured sshd_config file in reach.
-set -e
-
-# Location auf a sshd_config with "PermitRootLogin no" and
-# "PasswordAuthentication no".
-system_path_sshd_config='/etc/ssh/sshd_config'
-config_tree_prefix="${HOME}/config/all_new_2018/linkable_etc_files/server/"
-local_path_sshd_config="${config_tree_prefix}""${system_path_sshd_config}"
-
-# Ensure we have a server name as argument.
-if [ $# -eq 0 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Ask for root password only once, sshpass will re-use it then often.
-stty -echo
-printf "Server root password: "
-read PW_ROOT
-stty echo
-printf "\n"
-export SSHPASS="${PW_ROOT}"
-
-# Create user plom, and his ~/.ssh/authorized_keys based on the local
-# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
-# ownerships. Then disable root and pw login by copying over the
-# sshd_config and restart ssh daemon.
-#
-# This could be a line or two shorter by using ssh-copy-id, but that
-# would require setting a password for user plom otherwise not needed.
-sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
-sshpass -e ssh root@"${server}" \
- 'useradd -m plom && '\
- 'mkdir /home/plom/.ssh && '\
- 'chown plom:plom /home/plom/.ssh && '\
- 'chown plom:plom /tmp/authorized_keys && '\
- 'chmod u=rw,go= /tmp/authorized_keys && '\
- 'mv /tmp/authorized_keys /home/plom/.ssh/'
-sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
-sshpass -e ssh root@"${server}" 'service ssh restart'
+++ /dev/null
-#!/bin/sh
-# Walks through the package names in the argument-selected files of
-# apt-mark/ and ensures the respective packages are installed.
-#
-# Ignores anything in an apt-mark/ file after the last newline.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018/apt-mark/"
-
-for target in "$@"; do
- path="${config_tree_prefix}${target}"
- cat "${path}" | while read line; do
- echo "$line"
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- apt-get -y install "${line}"
- fi
- done
-done
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Ensure we have a mail address as argument.
-if [ $# -lt 1 ]; then
- echo "Need mail address as argument."
- false
-fi
-mail_address="$1"
-
-# We need certbot to get LetsEncrypt certificates.
-apt install -y certbot
-
-# If port 80 blocked by iptables, open it.
-set +e
-iptables -C INPUT -p tcp --dport 80 -j ACCEPT
-open_iptables="$?"
-set -e
-if [ "${open_iptables}" -eq "1" ]; then
- iptables -A INPUT -p tcp --dport 80 -j ACCEPT
-fi
-
-# Create new certificate and copy it to /etc/letsencrypt.
-certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
-
-# Remove iptables rule to open port 80 if we added it.
-if [ "${open_iptables}" -eq "1" ]; then
- iptables -D INPUT -p tcp --dport 80 -j ACCEPT
-fi
+++ /dev/null
-#!/bin/sh
-# Copy over LetsEncrypt certificates from another server.
-set -e
-
-# Ensure we have a server name as argument.
-if [ $# -lt 1 ]; then
- echo "Need server as argument."
- false
-fi
-server="$1"
-
-# Copy over.
-ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
-scp plom@${server}:~/letsencrypt.tar .
-apt -y install certbot
-rmdir /etc/letsencrypt
-mv letsencrypt.tar /etc/
-cd /etc/
-tar xf letsencrypt.tar
-rm letsencrypt.tar
+++ /dev/null
-#!/bin/sh
-set -e
-
-if [ $# -lt 2 ]; then
- echo "Need server and directory as arguments."
- false
-fi
-server=$1
-dir=$2
-path_package=/tmp/delete.tar
-
-eval `ssh-agent`
-ssh-add
-cd
-ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
-scp plom@"${server}":"${path_package}" "${path_package}"
-mkdir -p "${dir}"
-cd "${dir}"
-tar xf "${path_package}"
-cd
-rm "${path_package}"
-ssh plom@"${server}" rm "${path_package}"
+++ /dev/null
-#!/bin/sh
-# Do some of the steps necessary to SSH (key-based) with another server.
-set -e
-
-target="$1"
-
-# We need a public key to copy over, so generate it if not found.
-if [ ! -f ~/.ssh/id_rsa.pub ]; then
- ssh-keygen
-fi
-
-# Add target to ~/.ssh/known_hosts so we don't get
-# asked for permission at inopportune moments.
-ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
-
-# Tell user what to do.
-echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
-cat ~/.ssh/id_rsa.pub
+++ /dev/null
-#!/bin/sh
-# This script removes all Debian packages that are not of Priority
-# "required" or not depended on by packages of priority "required"
-# or not listed in the argument-selected files of apt-mark/.
-set -e
-
-config_tree_prefix="${HOME}/config/all_new_2018/apt-mark/"
-
-dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
-for target in "$@"; do
- path="${config_tree_prefix}${target}"
- cat "${path}" | while read line; do
- if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
- echo "${line}" >> /tmp/list_white_unsorted
- fi
- done
-done
-sort /tmp/list_white_unsorted > /tmp/list_white
-dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
-sort /tmp/list_all_packages > /tmp/foo
-mv /tmp/foo /tmp/list_all_packages
-comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
-apt-mark auto `cat /tmp/list_black`
-DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
-rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
+++ /dev/null
-#!/bin/sh
-# Sets hostname and optionally FQDN.
-#
-# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
-# writing follows recommendations from Debian manual at
-# <https://www.debian.org/doc/manuals/debian-reference/ch05.en.html>
-# (section "The hostname resolution") on how to map hostname and possibly
-# FQDN to a permanent IP if present (we assume here any non-private IP
-# and non-loopback IP returned by hostname -I to fulfill that criterion
-# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
-# localhost and hostname mapping to different IPs, see
-# <https://unix.stackexchange.com/a/13087>.
-set -e
-
-hostname="$1"
-fqdn="$2"
-if [ "${hostname}" = "" ]; then
- echo "Need hostname as argument."
- false
-fi
-echo "${hostname}" > /etc/hostname
-hostname "${hostname}"
-
-final_ip="127.0.1.1"
-for ip in $(hostname -I); do
- range_1=$(echo "${ip}" | cut -d "." -f 1)
- range_2=$(echo "${ip}" | cut -d "." -f 2)
- if [ "${range_1}" -eq 127 ]; then
- continue
- elif [ "${range_1}" -eq 10 ]; then
- continue
- elif [ "${range_1}" -eq 172 ]; then
- if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
- continue
- fi
- elif [ "${range_1}" -eq 192 ]; then
- if [ "${range_2}" -eq 168 ]; then
- continue
- fi
- fi
- final_ip="${ip}"
-done
-
-echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
-echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
+++ /dev/null
-#/bin/sh
-set -e
-
-if [ $# -lt 2 ]; then
- echo "Give arguments of mail domain and DKIM selector."
- echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
- false
-fi
-mail_domain="$1"
-dkim_selector="$2"
-domainwide="$3"
-
-# Set up DKIM key if necessary.
-mkdir -p /etc/dkimkeys/
-add_dkim_record=0
-if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
- add_dkim_record=1
- set +e
- dpkg -s opendkim-tools &> /dev/null
- preinstalled="$?"
- set -e
- if [ ! "${preinstalled}" -eq "0" ]; then
- apt install -y opendkim-tools
- fi
- opendkim-genkey -s "${dkim_selector}"
- mv "${dkim_selector}.private" /etc/dkimkeys/
- if [ ! "${preinstalled}" -eq "0" ]; then
- apt -y --purge autoremove opendkim-tools
- fi
-fi
-
-# Link and adapt mail-server-specific /etc/ files.
-./hardlink_etc.sh mail
-sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
-sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
-sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/main.cf
-if [ "${domainwide}" = "domainwide" ]; then
- sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/main.cf
-else
- sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/main.cf
-fi
-# Since we re-set the iptables rules, we need to reload them.
-iptables-restore /etc/iptables/rules.v4
-
-# Some useful debconf selections.
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
-echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
-
-# The second line should not be necessary due to the first line, but for
-# some reason the installation forgets to set up /etc/mailname early
-# enough to not (when running newaliases) stumble over its absence.
-echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
-echo "${mail_domain}" > /etc/mailname
-
-# Everything should now be ready for installations. Note that we don't
-# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER
-# in any case, to be found by dovecot; we use it as a transport mechanism to
-# allow for sophisticated stuff like dovecot-side sieve filtering (installed
-# with dovecot-sieve).
-apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim
-echo "TODO: Ensure MX entry for your system in your DNS configuration."
-echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host."
-if [ "${add_dkim_record}" -eq "1" ]; then
- echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
- cat "${dkim_selector}.txt"
-fi
-echo "TODO: passwd plom"
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
- echo "Need public key ID as argument."
- false
-fi
-gpg_key="$1"
-
-./hardlink_etc.sh play
-config_tree_prefix="${HOME}/config/all_new_2018/"
-apt -y install weechat screen vim
-cp "${config_tree_prefix}user_files/encrypter.sh" /home/plom/
-chown plom:plom /home/plom/encrypter.sh
-cp "${config_tree_prefix}user_files/weechat-wrapper.sh" /home/plom/
-chown plom:plom /home/plom/weechat-wrapper.sh
-cp "${config_tree_prefix}user_files/weechatrc" /home/plom/.weechatrc
-chown plom:plom /home/plom/.weechatrc
-apt -y install screen gnupg dirmngr
-keyservers='sks-keyservers.net/ keys.gnupg.net'
-set +e
-while true; do
- do_break=0
- for keyserver in $(echo "${keyservers}"); do
- su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
- if [ $? -eq "0" ]; then
- do_break=1
- break
- fi
- echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
- done
- if [ "${do_break}" -eq "1" ]; then
- break
- fi
-done
-set -e
-echo "$gpg_key" > /home/plom/.encrypt_target
-chown plom:plom /home/plom/.encrypt_target
-# TODO: We may remove dirmngr here if only this script installed it.
-systemctl daemon-reload
-systemctl start encrypt_chatlogs.timer
+++ /dev/null
-#!/bin/sh
-set -e
-
-# Ensure we have a GPG target to encrypt to.
-if [ $# -lt 1 ]; then
- echo "Need public key ID as argument."
- false
-fi
-gpg_key="$1"
-
-config_tree_prefix="${HOME}/config/all_new_2018/"
-irclogs_dir=/var/www/html/irclogs
-irclogs_pw_dir=/var/www/irclogs_pw
-cp "${config_tree_prefix}"/user_files/plomlombot_daemon.sh /home/plom/
-chown plom:plom /home/plom/plomlombot_daemon.sh
-apt -y install screen python3-venv gnupg dirmngr
-keyservers='sks-keyservers.net/ keys.gnupg.net'
-set +e
-while true; do
- do_break=0
- for keyserver in $(echo "${keyservers}"); do
- su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
- if [ $? -eq "0" ]; then
- do_break=1
- break
- fi
- echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
- done
- if [ "${do_break}" -eq "1" ]; then
- break
- fi
-done
-set -e
-# TODO: We may remove dirmngr here if only this script installed it.
-su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
-systemctl enable /etc/systemd/system/plomlombot.service
-service plomlombot start
-mkdir -p "${irclogs_dir}"
-chown -R plom:plom "${irclogs_dir}"
-mkdir -p "${irclogs_pw_dir}"
-chown -R plom:plom "${irclogs_pw_dir}"
-echo "Don't forget to add a file ~/.plomlombot with content such as:"
-echo "gpg_key ${gpg_key}"
-echo "bot: SCREEN_SESSION_NAME BOT_NAME #CHANNEL_NAME IRC_SERVER_NAME LOGS_USER LOGS_PW"
-echo "# file should end in newline or non-interpreted line such as this"
--- /dev/null
+#!/bin/sh
+# Hard link files to those in argument-selected subdirectories of
+# linkable_etc_files//, e.g. link /etc/foo/bar to
+# linkable_etc_files/$1/etc/foo/bar and so on. Create directories as
+# necessary. We do the hard linking so files that should be readable to
+# non-root in /etc/ remain so despite having a path below /root/, as
+# symbolic links point into /root/ without making the targets readable
+# to non-root.
+# CAUTION: This removes original files at the affected paths.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018/linkable_etc_files"
+linkable_files_dir="${config_tree_prefix}/linkable_etc_files"
+
+for target in "$@"; do
+ cd "${linkable_files_dir}/${target}"
+ for path in $(find . -type f); do
+ linking=$(echo "${path}" | cut -c2-)
+ linked=$(realpath "${path}")
+ dir=$(dirname "${linking}")
+ mkdir -p "${dir}"
+ ln -f "${linked}" "${linking}"
+ done
+done
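Review bot: `linkable_files_dir` on line 433 appends `/linkable_etc_files` to a `config_tree_prefix` that already ends in `linkable_etc_files` (line 432), so the script changes into `.../linkable_etc_files/linkable_etc_files/<target>`; the sibling scripts define `config_tree_prefix="${HOME}/config/all_new_2018"`, and line 432 should match that. Separately, `for path in $(find . -type f)` on line 437 word-splits on whitespace in file names, and since this runs as root and replaces `/etc` paths with `ln -f`, a name containing a space either fails mid-run or links fragments of the path. Feeding the loop with `find . -type f | while IFS= read -r path; do … done` keeps each path intact while staying POSIX `sh`.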
--- /dev/null
+#!/bin/sh
+# This script turns a fresh server with password-based root access to
+# one of only key-based access and only to new non-root account plom.
+#
+# CAUTION: This is optimized for a *fresh* setup. It will overwrite any
+# pre-existing ~/.ssh/authorized_keys of user plom with one that solely
+# contains the local ~/.ssh/id_rsa.pub, and also any old
+# /etc/ssh/sshd_config.
+#
+# Dependencies: ssh, scp, sshpass, ~/.ssh/id_rsa.pub, properly
+# configured sshd_config file in reach.
+set -e
+
+# Location auf a sshd_config with "PermitRootLogin no" and
+# "PasswordAuthentication no".
+config_tree_prefix="${HOME}/config/all_new_2018"
+linkable_files_dir="${config_tree_prefix}/linkable_etc_files/server"
+system_path_sshd_config='/etc/ssh/sshd_config'
+local_path_sshd_config="${linkable_files_dir}/${system_path_sshd_config}"
+
+# Ensure we have a server name as argument.
+if [ $# -eq 0 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Ask for root password only once, sshpass will re-use it then often.
+stty -echo
+printf "Server root password: "
+read PW_ROOT
+stty echo
+printf "\n"
+export SSHPASS="${PW_ROOT}"
+
+# Create user plom, and his ~/.ssh/authorized_keys based on the local
+# ~/.ssh/id_rsa.pub; ensure the result has proper permissions and
+# ownerships. Then disable root and pw login by copying over the
+# sshd_config and restart ssh daemon.
+#
+# This could be a line or two shorter by using ssh-copy-id, but that
+# would require setting a password for user plom otherwise not needed.
+sshpass -e scp ~/.ssh/id_rsa.pub root@"${server}":/tmp/authorized_keys
+sshpass -e ssh root@"${server}" \
+ 'useradd -m plom && '\
+ 'mkdir /home/plom/.ssh && '\
+ 'chown plom:plom /home/plom/.ssh && '\
+ 'chown plom:plom /tmp/authorized_keys && '\
+ 'chmod u=rw,go= /tmp/authorized_keys && '\
+ 'mv /tmp/authorized_keys /home/plom/.ssh/'
+sshpass -e scp "${local_path_sshd_config}" root@"${server}":"${system_path_sshd_config}"
+sshpass -e ssh root@"${server}" 'service ssh restart'
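Review bot: The terminal is left with echo disabled if the script stops between `stty -echo` (line 474) and `stty echo` (line 477), for example on Ctrl-C at the prompt or when `read` hits EOF under `set -e`; add `trap 'stty echo' EXIT` before line 474 so echo is restored on every exit path. `read PW_ROOT` on line 476 should be `read -r PW_ROOT`, otherwise a backslash in the root password is consumed as an escape and the later `sshpass` logins fail. Line 464 joins `${linkable_files_dir}` and `${system_path_sshd_config}` with a `/` although the latter already starts with one; harmless, but `"${linkable_files_dir}${system_path_sshd_config}"` states the intent.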
--- /dev/null
+#!/bin/sh
+# Walks through the package names in the argument-selected files of
+# apt-mark/ and ensures the respective packages are installed.
+#
+# Ignores anything in an apt-mark/ file after the last newline.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ cat "${path}" | while read line; do
+ echo "$line"
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ apt-get -y install "${line}"
+ fi
+ done
+done
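Review bot: The comment test on line 513 leaves `$(echo "${line}" | cut -c1)` unquoted, and `read line` on line 511 interprets backslashes; a `case` on the line itself is safer and clearer, e.g. replace lines 513–515 with `case "${line}" in ''|'#'*) ;; *) apt-get -y install "${line}" ;; esac` and read with `while IFS= read -r line`. Redirecting `done < "${path}"` instead of `cat "${path}" |` drops the extra process and the pipeline subshell. The header already documents that a final line without a trailing newline is ignored; `while IFS= read -r line || [ -n "${line}" ]` would process it if that is ever wanted.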
--- /dev/null
+#!/bin/sh
+# Certify current server with LetsEncrypt.
+# Uses hostname -f for the domain we want to certify.
+set -e
+
+# Ensure we have a mail address as argument.
+if [ $# -lt 1 ]; then
+ echo "Need mail address as argument."
+ false
+fi
+mail_address="$1"
+
+# We need certbot to get LetsEncrypt certificates.
+apt install -y certbot
+
+# If port 80 blocked by iptables, open it.
+set +e
+iptables -C INPUT -p tcp --dport 80 -j ACCEPT
+open_iptables="$?"
+set -e
+if [ "${open_iptables}" -eq "1" ]; then
+ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+fi
+
+# Create new certificate and copy it to /etc/letsencrypt.
+certbot certonly --standalone --agree-tos -m "${mail_address}" -d "$(hostname -f)"
+
+# Remove iptables rule to open port 80 if we added it.
+if [ "${open_iptables}" -eq "1" ]; then
+ iptables -D INPUT -p tcp --dport 80 -j ACCEPT
+fi
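Review bot: If `certbot` on line 544 fails, `set -e` aborts the script before line 547, so the `ACCEPT` rule added on line 540 stays in the INPUT chain and port 80 remains open after the failed run. Register the removal where the rule is added: after line 540 add `trap 'iptables -D INPUT -p tcp --dport 80 -j ACCEPT' EXIT`, and the explicit removal on lines 547–549 can then go. `iptables -C` reports an absent rule with status 1 and other failures (no permission, missing binary) with other codes, so treating only `1` as "open it" is correct, but on those other codes the script silently continues and certbot fails later with a less obvious error; a comment to that effect would help the next reader.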
--- /dev/null
+#!/bin/sh
+# Copy over LetsEncrypt certificates from another server.
+set -e
+
+# Ensure we have a server name as argument.
+if [ $# -lt 1 ]; then
+ echo "Need server as argument."
+ false
+fi
+server="$1"
+
+# Copy over.
+ssh -t plom@${server} 'su -c "cd /etc/ && tar cf letsencrypt.tar letsencrypt && chown plom:plom letsencrypt.tar && mv letsencrypt.tar /home/plom/"'
+scp plom@${server}:~/letsencrypt.tar .
+apt -y install certbot
+rmdir /etc/letsencrypt
+mv letsencrypt.tar /etc/
+cd /etc/
+tar xf letsencrypt.tar
+rm letsencrypt.tar
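Review bot: The archive built on line 563 contains the LetsEncrypt private keys, is chowned to `plom` and left in `/home/plom/` on the remote host, where nothing deletes it; after the `scp` on line 564 add `ssh plom@"${server}" rm letsencrypt.tar`. Locally the tarball lands in the current directory with the caller's umask before being moved into `/etc/`, so a `chmod 600 letsencrypt.tar` right after line 564 limits exposure, and since `tar xf` restores the archived modes the result should match what certbot expects. `plom@${server}` is unquoted on lines 563 and 564, unlike the sibling scripts; write `plom@"${server}"` for consistency.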
--- /dev/null
+#!/bin/sh
+# Mirror directory tree from remote to local server, keeping the path.
+set -e
+
+if [ $# -lt 2 ]; then
+ echo "Need server and directory as arguments."
+ false
+fi
+server=$1
+dir=$2
+path_package=/tmp/delete.tar
+
+eval `ssh-agent`
+ssh-add
+cd
+ssh plom@"${server}" "cd \"${dir}\" && tar cf ${path_package} ."
+scp plom@"${server}":"${path_package}" "${path_package}"
+mkdir -p "${dir}"
+cd "${dir}"
+tar xf "${path_package}"
+cd
+rm "${path_package}"
+ssh plom@"${server}" rm "${path_package}"
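Review bot: The `ssh-agent` started by the `eval` on line 584 is never stopped, so every run leaves an agent process holding the added key behind; add `trap 'ssh-agent -k >/dev/null' EXIT` right after line 584, and prefer `eval "$(ssh-agent)"` over backticks. `${dir}` on line 587 is interpolated into the remote command string and re-parsed by the remote shell, so a directory name containing quotes, `$` or backticks changes the command; the script should at least document that `dir` must be a plain path. `path_package=/tmp/delete.tar` on line 582 is a predictable name on both hosts; a `mktemp`-generated name (for the remote side e.g. `path_package=$(ssh plom@"${server}" mktemp)`) avoids clobbering or following another user's file.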
--- /dev/null
+#!/bin/sh
+# Do some of the steps necessary to SSH (key-based) with another server.
+set -e
+
+target="$1"
+
+# We need a public key to copy over, so generate it if not found.
+if [ ! -f ~/.ssh/id_rsa.pub ]; then
+ ssh-keygen
+fi
+
+# Add target to ~/.ssh/known_hosts so we don't get
+# asked for permission at inopportune moments.
+ssh-keyscan -H "$target" >> ~/.ssh/known_hosts
+
+# Tell user what to do.
+echo "APPEND FOLLOWING TO TARGET'S ~/.ssh/authorized_keys:"
+cat ~/.ssh/id_rsa.pub
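Review bot: Unlike the sibling scripts this one does not validate its argument, so an empty `$1` reaches `ssh-keyscan -H ""` on line 609; add `[ -n "${target}" ] || { echo "Need target as argument."; false; }` after line 600. Line 609 also appends on every run, so repeated invocations accumulate duplicate `known_hosts` entries, and it records whatever key the host presents at scan time; a comment such as `# Trust-on-first-use: compare the recorded fingerprint with the target's out of band.` makes that assumption explicit.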
--- /dev/null
+#!/bin/sh
+# This script removes all Debian packages that are not of Priority
+# "required" or not depended on by packages of priority "required"
+# or not listed in the argument-selected files of apt-mark/.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+aptmark_dir="${config_tree_prefix}/apt-mark"
+
+dpkg-query -Wf '${Package} ${Priority}\n' | grep ' required' | sed 's/ required//' > /tmp/list_white_unsorted
+for target in "$@"; do
+ path="${aptmark_dir}/${target}"
+ cat "${path}" | while read line; do
+ if [ ! $(echo "${line}" | cut -c1) = "#" ]; then
+ echo "${line}" >> /tmp/list_white_unsorted
+ fi
+ done
+done
+sort /tmp/list_white_unsorted > /tmp/list_white
+dpkg-query -Wf '${Package}\n' > /tmp/list_all_packages
+sort /tmp/list_all_packages > /tmp/foo
+mv /tmp/foo /tmp/list_all_packages
+comm -3 /tmp/list_all_packages /tmp/list_white > /tmp/list_black
+apt-mark auto `cat /tmp/list_black`
+DEBIAN_FRONTEND=noninteractive apt-get -y --purge autoremove
+rm /tmp/list_all_packages /tmp/list_white_unsorted /tmp/list_white /tmp/list_black
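Review bot: `comm -3` on line 637 prints lines unique to either file, so names that appear in an apt-mark file but not in `list_all_packages` (a typo, a package not yet installed) end up tab-indented in `list_black` and are passed to `apt-mark auto` on line 638; `comm -23` keeps only the installed-but-not-whitelisted column, which is what the header describes. The fixed `/tmp/list_*` and `/tmp/foo` paths are written as root with `>`; `tmpdir=$(mktemp -d)` plus `trap 'rm -rf -- "${tmpdir}"' EXIT` gives private names and also cleans up when `set -e` aborts before line 640. Both `sort` calls and `comm` should run under the same collation; `LC_ALL=C` on all three makes the ordering reproducible.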
--- /dev/null
+#!/bin/sh
+# Sets hostname and optionally FQDN.
+#
+# Calls hostname, writes to /etc/hostname and /etc/hosts. For /etc/hosts
+# writing follows recommendations from Debian manual at
+# <https://www.debian.org/doc/manuals/debian-reference/ch05.en.html>
+# (section "The hostname resolution") on how to map hostname and possibly
+# FQDN to a permanent IP if present (we assume here any non-private IP
+# and non-loopback IP returned by hostname -I to fulfill that criterion
+# on our systems) or to 127.0.1.1 if not. On the reasoning for separating
+# localhost and hostname mapping to different IPs, see
+# <https://unix.stackexchange.com/a/13087>.
+set -e
+
+hostname="$1"
+fqdn="$2"
+if [ "${hostname}" = "" ]; then
+ echo "Need hostname as argument."
+ false
+fi
+echo "${hostname}" > /etc/hostname
+hostname "${hostname}"
+
+final_ip="127.0.1.1"
+for ip in $(hostname -I); do
+ range_1=$(echo "${ip}" | cut -d "." -f 1)
+ range_2=$(echo "${ip}" | cut -d "." -f 2)
+ if [ "${range_1}" -eq 127 ]; then
+ continue
+ elif [ "${range_1}" -eq 10 ]; then
+ continue
+ elif [ "${range_1}" -eq 172 ]; then
+ if [ "${range_2}" -ge 16 ] && [ "${range_2}" -le 31 ]; then
+ continue
+ fi
+ elif [ "${range_1}" -eq 192 ]; then
+ if [ "${range_2}" -eq 168 ]; then
+ continue
+ fi
+ fi
+ final_ip="${ip}"
+done
+
+echo "127.0.0.1 localhost.localdomain localhost" > /etc/hosts
+echo "${final_ip} ${fqdn} ${hostname}" >> /etc/hosts
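Review bot: `hostname -I` can also return IPv6 addresses, for which `cut -d "."` yields a non-numeric `range_1`, every `-eq` test on lines 669–677 prints an error and evaluates false, and the address falls through to `final_ip="${ip}"` on line 682; add `case "${ip}" in *:*) continue ;; esac` at the top of the loop body if only IPv4 is intended. The loop keeps the last acceptable address rather than the first, so with several public addresses the `/etc/hosts` mapping depends on `hostname -I` ordering; a `break` after line 682 would make the first one win. Link-local `169.254.0.0/16` and `100.64.0.0/10` are not excluded either, which may or may not matter on these systems.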
--- /dev/null
+#/bin/sh
+set -e
+
+if [ $# -lt 2 ]; then
+ echo "Give arguments of mail domain and DKIM selector."
+ echo "Also, if hosting mail for entire domain, give third argument 'domainwide'."
+ false
+fi
+mail_domain="$1"
+dkim_selector="$2"
+domainwide="$3"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# Set up DKIM key if necessary.
+mkdir -p /etc/dkimkeys/
+add_dkim_record=0
+if [ ! -f "/etc/dkimkeys/${dkim_selector}.private" ]; then
+ add_dkim_record=1
+ set +e
+ dpkg -s opendkim-tools &> /dev/null
+ preinstalled="$?"
+ set -e
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt install -y opendkim-tools
+ fi
+ opendkim-genkey -s "${dkim_selector}"
+ mv "${dkim_selector}.private" /etc/dkimkeys/
+ if [ ! "${preinstalled}" -eq "0" ]; then
+ apt -y --purge autoremove opendkim-tools
+ fi
+fi
+
+# Link and adapt mail-server-specific /etc/ files.
+./hardlink_etc.sh mail
+sed -i "s/REPLACE_maildomain_ECALPER/${mail_domain}/g" /etc/mailutils.conf
+sed -i "s/REPLACE_Domain_ECALPER/${mail_domain}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_Selector_ECALPER/${dkim_selector}/g" /etc/opendkim.conf
+sed -i "s/REPLACE_myhostname_ECALPER/$(hostname -f)/g" /etc/postfix/main.cf
+if [ "${domainwide}" = "domainwide" ]; then
+ sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER/$mydomain/g' /etc/postfix/main.cf
+else
+ sed -i 's/REPLACE_mydomain_if_domainwide_ECALPER//g' /etc/postfix/main.cf
+fi
+# Since we re-set the iptables rules, we need to reload them.
+iptables-restore /etc/iptables/rules.v4
+
+# Some useful debconf selections.
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "ssl_cert = </etc/letsencrypt/live/$(hostname -f)/fullchain.pem" > /etc/dovecot/conf.d/99-ssl-certs.conf
+echo "ssl_key = </etc/letsencrypt/live/$(hostname -f)/privkey.pem" >> /etc/dovecot/conf.d/99-ssl-certs.conf
+
+# The second line should not be necessary due to the first line, but for
+# some reason the installation forgets to set up /etc/mailname early
+# enough to not (when running newaliases) stumble over its absence.
+echo "postfix postfix/mailname string ${mail_domain}" | debconf-set-selections
+echo "${mail_domain}" > /etc/mailname
+
+# Everything should now be ready for installations. Note that we don't
+# strictly need dovecot-lmtpd, as postfix will deliver mail to /var/mail/USER
+# in any case, to be found by dovecot; we use it as a transport mechanism to
+# allow for sophisticated stuff like dovecot-side sieve filtering (installed
+# with dovecot-sieve).
+apt install -y -o Dpkg::Options::=--force-confold postfix dovecot-imapd dovecot-lmtpd dovecot-sieve opendkim
+echo "TODO: Ensure MX entry for your system in your DNS configuration."
+echo "TODO: Ensure a proper SPF entry for this system in your DNS configuration; something like 'v=spf1 mx -all' mapped to your host."
+if [ "${add_dkim_record}" -eq "1" ]; then
+ echo "TODO: Add the following DKIM entry to your DNS configuration (possibly with slightly changed host entry – if your mail domain includes a subdomain, append that with a dot):"
+ cat "${dkim_selector}.txt"
+fi
+echo "TODO: passwd plom"
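Review bot: The shebang on line 688 is `#/bin/sh` without `!`, so the file has no interpreter of its own and runs under whatever shell the caller falls back to. That matters on line 710: `&> /dev/null` is a bash construct, and a POSIX `sh` such as dash parses it as `dpkg -s opendkim-tools &` followed by an empty redirection, so `preinstalled` is always `0`, the `apt install` on line 714 is skipped and `opendkim-genkey` on line 716 may not exist; write `dpkg -s opendkim-tools >/dev/null 2>&1`. The `config_tree_prefix`/`setup_scripts_dir`/`cd` prelude on lines 700–702 is repeated verbatim on lines 772–774, 860–862, 883–885 and 921–923 and could live in one sourced file.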
--- /dev/null
+#!/bin/sh
+set -e
+
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+ echo "Need public key ID as argument."
+ false
+fi
+gpg_key="$1"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+config_tree_prefix="${HOME}/config/all_new_2018/"
+./hardlink_etc.sh play
+apt -y install weechat screen vim
+cp "${config_tree_prefix}user_files/encrypter.sh" /home/plom/
+chown plom:plom /home/plom/encrypter.sh
+cp "${config_tree_prefix}user_files/weechat-wrapper.sh" /home/plom/
+chown plom:plom /home/plom/weechat-wrapper.sh
+cp "${config_tree_prefix}user_files/weechatrc" /home/plom/.weechatrc
+chown plom:plom /home/plom/.weechatrc
+apt -y install screen gnupg dirmngr
+keyservers='sks-keyservers.net/ keys.gnupg.net'
+set +e
+while true; do
+ do_break=0
+ for keyserver in $(echo "${keyservers}"); do
+ su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+ if [ $? -eq "0" ]; then
+ do_break=1
+ break
+ fi
+ echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+ done
+ if [ "${do_break}" -eq "1" ]; then
+ break
+ fi
+done
+set -e
+echo "$gpg_key" > /home/plom/.encrypt_target
+chown plom:plom /home/plom/.encrypt_target
+# TODO: We may remove dirmngr here if only this script installed it.
+systemctl daemon-reload
+systemctl start encrypt_chatlogs.timer
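Review bot: `config_tree_prefix` is set on line 772 and then overwritten on line 776 with a trailing-slash variant that the `cp` calls on lines 779–783 depend on; drop line 776 and write `"${config_tree_prefix}/user_files/…"` as line 822 of the sibling script does. The `while true` retry on lines 788–801 never gives up, so an unreachable keyserver hangs the setup indefinitely; a bounded attempt count ending in `false` would fail loudly instead, and the same loop is duplicated verbatim on lines 826–840. `${gpg_key}` is interpolated into the `su -c` command string on line 791 (and 830) unquoted; validating it first, e.g. `case "${gpg_key}" in ''|*[!0-9A-Fa-fx]*) echo "Need a hex key ID."; false ;; esac`, keeps the generated command well-formed.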
--- /dev/null
+#!/bin/sh
+set -e
+
+# Ensure we have a GPG target to encrypt to.
+if [ $# -lt 1 ]; then
+ echo "Need public key ID as argument."
+ false
+fi
+gpg_key="$1"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+irclogs_dir=/var/www/html/irclogs
+irclogs_pw_dir=/var/www/irclogs_pw
+cp "${config_tree_prefix}"/user_files/plomlombot_daemon.sh /home/plom/
+chown plom:plom /home/plom/plomlombot_daemon.sh
+apt -y install screen python3-venv gnupg dirmngr
+keyservers='sks-keyservers.net/ keys.gnupg.net'
+set +e
+while true; do
+ do_break=0
+ for keyserver in $(echo "${keyservers}"); do
+ su plom -c "gpg --no-tty --keyserver $keyserver --recv-key ${gpg_key}"
+ if [ $? -eq "0" ]; then
+ do_break=1
+ break
+ fi
+ echo "Attempt with keyserver ${keyserver} unsuccessful, trying other."
+ done
+ if [ "${do_break}" -eq "1" ]; then
+ break
+ fi
+done
+set -e
+# TODO: We may remove dirmngr here if only this script installed it.
+su plom -c "cd && git clone /var/public_repos/plomlombot-irc"
+systemctl enable /etc/systemd/system/plomlombot.service
+service plomlombot start
+mkdir -p "${irclogs_dir}"
+chown -R plom:plom "${irclogs_dir}"
+mkdir -p "${irclogs_pw_dir}"
+chown -R plom:plom "${irclogs_pw_dir}"
+echo "Don't forget to add a file ~/.plomlombot with content such as:"
+echo "gpg_key ${gpg_key}"
+echo "bot: SCREEN_SESSION_NAME BOT_NAME #CHANNEL_NAME IRC_SERVER_NAME LOGS_USER LOGS_PW"
+echo "# file should end in newline or non-interpreted line such as this"
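Review bot: The service is enabled and started on lines 844–845 before its log directories are created and chowned on lines 846–849; if the unit writes to `${irclogs_dir}` or `${irclogs_pw_dir}` at startup (not visible from this hunk) the first start either fails or creates them owned by root, so move lines 846–849 above line 843. Line 844 uses `systemctl enable` while line 845 uses `service … start`; `systemctl start plomlombot` keeps it to one interface. The `git clone` on line 843 also fails under `set -e` on a re-run because the target directory already exists; a guard like `[ -d /home/plom/plomlombot-irc ] ||` in front of the `su` would make the script idempotent.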
--- /dev/null
+#!/bin/sh
+# This sets up the minimum of a mail server necessary to send out mails
+# to the world.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+./hardlink_etc.sh sendonly
+echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
+echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
+echo "$(hostname -f)" > /etc/mailname
+apt install -y postfix
--- /dev/null
+#!/bin/sh
+# Next setup steps for a server whose login policy has just been set from
+# the outside via ./init_user_and_keybased_login.sh.
+set -e
+
+# Provide maximum input for set_hostname_and_fqdn.sh.
+if [ "$#" -ne 2 ]; then
+ echo 'Need exactly two arguments (hostname, FQDN).'
+ false
+fi
+hostname="$1"
+fqdn="$2"
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
+# will set basic configurations affecting following steps, such as setup
+# of APT and the locale selection, so needs to be right at the beginning.
+./hardlink_etc.sh all server
+
+# Set hostname and FQDN.
+./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
+
+# Some debconf selections we don't want to get asked during coming
+# install actions.
+echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
+echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
+
+# Ensure package installation state as defined by what packages are
+# defined as required by Debian policy and by settings in ./apt-mark/.
+apt update
+./install_for_target.sh all server
+./purge_nonrequireds.sh all server
+
+# Only upgrade after reducing the system to the desired minimum, so that
+# we don't need to get more data than necessary.
+apt -y dist-upgrade
+
+# Set Berlin localtime.
+ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+
+# If we have not yet set the shell for user plom, ensure it here. This
+# is mostly for convenience.
+usermod -s /bin/bash plom
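Review bot: `apt -y dist-upgrade` on line 908 can still block on debconf or conffile prompts, because only `purge_nonrequireds.sh` sets `DEBIAN_FRONTEND=noninteractive` and only the web script passes `-o Dpkg::Options::=--force-confold`; for an unattended run write `DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::=--force-confold dist-upgrade`, which also avoids the `apt` front end's "no stable CLI interface" warning in scripts. The comment on lines 913–914 says the shell is set "if we have not yet set" it, but `usermod -s /bin/bash plom` on line 915 sets it unconditionally; reword to `# Ensure user plom's login shell is bash.`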
--- /dev/null
+#!/bin/sh
+# Set up plomlompom.com web server.
+set -e
+
+config_tree_prefix="${HOME}/config/all_new_2018"
+setup_scripts_dir="${config_tree_prefix}/setup_scripts"
+cd "${setup_scripts_dir}"
+
+./hardlink_etc.sh web
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
+sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
+cd /var/
+rm -rf www
+git clone plom@core.plomlompom.com:repos/website www
+apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
+mkdir /var/public_repos
+chown plom:plom /var/public_repos
+iptables-restore /etc/iptables/rules.v4
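Review bot: `rm -rf www` on line 929 deletes the live site before the `git clone` on line 930 has succeeded, so a failed clone (unreachable host, unknown host key for root) leaves `/var/www` missing; clone first and swap on success, e.g. `git clone plom@core.plomlompom.com:repos/website www.new && rm -rf www && mv www.new www`. `mkdir /var/public_repos` on line 932 has no `-p`, so a re-run aborts there under `set -e` while the sibling script on line 846 uses `mkdir -p`. The clone runs as root over SSH, so root's `known_hosts` must already contain `core.plomlompom.com`; nothing in these scripts adds it, which deserves a comment.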
+++ /dev/null
-#!/bin/sh
-# This sets up the minimum of a mail server necessary to send out mails
-# to the world.
-set -e
-
-./hardlink_etc.sh sendonly
-echo "postfix postfix/main_mailer_type string 'Internet Site'" | debconf-set-selections
-echo "postfix postfix/mailname string $(hostname -f)" | debconf-set-selections
-echo "$(hostname -f)" > /etc/mailname
-apt install -y postfix
+++ /dev/null
-#!/bin/sh
-# Next setup steps for a server whose login policy has just been set from
-# the outside via ./init_user_and_keybased_login.sh.
-set -e
-
-# Provide maximum input for set_hostname_and_fqdn.sh.
-if [ "$#" -ne 2 ]; then
- echo 'Need exactly two arguments (hostname, FQDN).'
- false
-fi
-hostname="$1"
-fqdn="$2"
-
-# Adapt /etc/ to our needs by hardlinking into ./linkable_etc_files. This
-# will set basic configurations affecting following steps, such as setup
-# of APT and the locale selection, so needs to be right at the beginning.
-./hardlink_etc.sh all server
-
-# Set hostname and FQDN.
-./set_hostname_and_fqdn.sh "${hostname}" "${fqdn}"
-
-# Some debconf selections we don't want to get asked during coming
-# install actions.
-echo 'iptables-persistent iptables-persistent/autosave_v4 boolean false' | debconf-set-selections
-echo 'iptables-persistent iptables-persistent/autosave_v6 boolean false' | debconf-set-selections
-
-# Ensure package installation state as defined by what packages are
-# defined as required by Debian policy and by settings in ./apt-mark/.
-apt update
-./install_for_target.sh all server
-./purge_nonrequireds.sh all server
-
-# Only upgrade after reducing the system to the desired minimum, so that
-# we don't need to get more data than necessary.
-apt -y dist-upgrade
-
-# Set Berlin localtime.
-ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime
-
-# If we have not yet set the shell for user plom, ensure it here. This
-# is mostly for convenience.
-usermod -s /bin/bash plom
+++ /dev/null
-#!/bin/sh
-set -e
-
-./hardlink_etc.sh web
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/nginx/nginx.conf
-sed -i "s/REPLACE_fqdn_ECALPER/$(hostname -f)/g" /etc/gitweb.conf
-cd /var/
-rm -rf www
-git clone plom@core.plomlompom.com:repos/website www
-apt -y -o Dpkg::Options::=--force-confold install nginx gitweb fcgiwrap
-mkdir /var/public_repos
-chown plom:plom /var/public_repos
-iptables-restore /etc/iptables/rules.v4