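#######
# Fresh-install notes for "mara" (Ubuntu; the package notes below mention 24.04).
# This is an ordered set of copy-paste steps rather than an unattended script:
# several steps are interactive and one of them reboots the box.  It is run as
# root -- the bare apt-get/cp/chmod calls need it, so the scattered "sudo"
# prefixes are redundant rather than wrong.
#
# installing new O/S, F11 at bios screen will get boot-menu to pick up UEFI - usbkey media
# at least use /home from previous boot, also /srv/docker/container --> should move this to own disk/filesystem
######

# add nvidia/extra repo ... software-properties-gtk
apt-get update

# use previous install's conf
export OD=/mnt/old_distro

# sudo fragment: NOPASSWD for the admin group.  sudoers.d files must be
# root-owned and 0440, and a parse error in any of them makes sudo refuse to
# run at all -- so validate the copied fragment before relying on it.
cp -f "$OD/etc/sudoers.d/ddp" /etc/sudoers.d/ddp
chown root:root /etc/sudoers.d/ddp
chmod 440 /etc/sudoers.d/ddp
visudo -cf /etc/sudoers.d/ddp || echo "WARNING: /etc/sudoers.d/ddp failed the visudo check -- fix it before logging out"

#cp -f "$OD/etc/rc.local" /etc/rc.local ;   # pwm fan control & start_vpn for pug AND emit_cards_up for mara
cp -f "$OD/etc/default/grub" /etc/default/grub   # GRUB_TIMEOUT=1, GRUB_BACKGROUND=/home/ddp/Pictures/star-for-grub.png ; GRUB_GFXMODE="auto"
update-grub
apt-get update

# Why each package is here:
# openssh-server - allows ssh into mara
# mplayer - just for local video testing if needed
# unrar - just for local use of unrar
# nmap, net-tools, iftop, ethtool, gsmartcontrol, nethogs, lm-sensors, sysstat, iotop, hardinfo, smem, nvme-cli - all used for diagnostics local to mara
# elinks, smbclient, mplayer, whois - local cmdline testing
# mdadm - used for /export
# ffmpeg, handbrake, imagemagick - local video, image manipulation
# docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -> docker commands
#   NOTE: these come from Docker's own apt repo, not Ubuntu's (Ubuntu ships
#   docker.io).  Make sure that repo and its signing key are configured before
#   this install or apt will not find docker-ce.
# tcl - jic ~/bin/* needs it (some probably do)
# python3-venv - local python devel (used at times in PA or Book)
# debconf* - meant to work with unattended apt installs, but didn't work perfectly on mara install to U24.04
# vim - for vimdiff
apt install openssh-server unrar nmap net-tools iftop ethtool gsmartcontrol rclone \
  nethogs lm-sensors sysstat iotop hardinfo smem nvme-cli elinks smbclient mplayer \
  whois mdadm ffmpeg handbrake imagemagick docker-ce docker-ce-cli containerd.io \
  docker-buildx-plugin docker-compose-plugin tcl python3-venv debconf debconf-utils vim

# keep docker log files to a small size.  daemon.json is only read when the
# daemon starts, and the package install above already started it, so
# restart to pick the file up.
cp "$OD/etc/docker/daemon.json" /etc/docker/daemon.json
systemctl restart docker
# Membership of the docker group is root-equivalent (a member can run a
# container that bind-mounts /), so only add accounts you would also give sudo.
sudo usermod -aG docker ddp
sudo usermod -aG docker cam

# get DNS up (never done this on a fresh install so not sure if port 53 is taken right now by systemd? AND not with adguard, try this if needed use below)
# docker compose -f /srv/docker/config/docker-compose.yml up -d adguard
### DNS (pihole in container)
echo "its likely /etc/hosts already contains 127.0.1.1 mara.ddp.net -- change this to 192.168.2.2"
echo "if adguard is up, bound explictily to 192.168.2.2:53, systemd-resolved will work, and with the direct 192.168.2.2 in hosts, docker dns will work too"
# needed restart to see that host mara.ddp.net does not hang for timeout
systemctl restart systemd-resolved

# get mara to use ldap for auth, etc.
docker compose -f /srv/docker/config/docker-compose.yml up -d openldap
# this will configure mara to use ldap for auth
echo "seems this did not work unattended, I had to copy ldap master pwd (in the script below) by hand"
echo "might need to click homedir create -> click ok on one choice"
echo "since above though, I have made pam-auth-update not use interactive AND on second-run, the master password is not asked for -- so I moved it earlier in script- might work?"
# per the note above this script carries the LDAP master password, so keep
# it unreadable to other local accounts
chmod o-rwx /home/ddp/bin/upgrade-script-common/ldap-conf
/home/ddp/bin/upgrade-script-common/ldap-conf
# test: should output mandy's uid, etc.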
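id mandy

# this will get /export and /backup from $OD's fstab and copy them in
/home/ddp/bin/upgrade-script-common/fix-fstab "$OD"
# get the raid array back
mdadm --assemble --scan
# mount points (-p so a re-run does not stop here)
mkdir -p /export
mkdir -p /backup
# fstab changed, so systemd's generated mount units need regenerating
systemctl daemon-reload
mount -a

# update everything :^)
apt-get -y dist-upgrade

# telegraf reads container metrics through the docker socket and runs as
# user: "root:124" -- if the docker gid printed here is not 124, change that
# line in the compose file to the new gid.
getent group docker
docker compose -f /srv/docker/config/docker-compose.yml up -d   # drop -d to watch the start-up logs in the foreground

# fix noisy logs (the drop-in directory does not exist on a fresh install)
mkdir -p /etc/systemd/system/run-docker-.mount.d
cp "$OD/etc/systemd/system/run-docker-.mount.d/10-silence.conf" /etc/systemd/system/run-docker-.mount.d/10-silence.conf
systemctl daemon-reload

# mara (nfs server).  rpcbind is what provides the portmapper on current Ubuntu.
apt-get -y install nfs-kernel-server rpcbind
cp "$OD/etc/default/nfs-common" /etc/default
cp "$OD/etc/default/nfs-kernel-server" /etc/default
cp "$OD/etc/modprobe.d/nfs-lockd.conf" /etc/modprobe.d/
# /etc/exports is LAN-facing: review the copied file -- each export should be
# limited to the hosts/subnet that need it (see NW below) and keep root_squash
# unless a client genuinely needs root on the share.
cp -f "$OD/etc/exports" /etc/exports
# nfs-kernel-server came up with the empty default exports; apply the copied ones
exportfs -ra

# get firmware for hauppauge tv tuner card (third-party PPA: it can ship
# kernel/media packages, so keep an eye on what it pulls in)
add-apt-repository ppa:b-rad/kernel+mediatree+hauppauge
apt-get install linux-firmware-hauppauge

########## firewall ##########
# mara (various) To note: upnp is off on the modem (so no internet),
# but allowed from anything on 192.168 to 1900 (emby) and from 1900 on 192.168 (emby response)
NW=192.168.0.0/21
NW_DOCKER=172.16.0.0/12

# fresh-install default, made explicit: only what is listed below gets in
sudo ufw default deny incoming

# plaintext ftp: credentials cross the LAN in the clear.  If only the ftps
# listener (40021 / 30000:30010 below) is in use, these two can go.
sudo ufw allow from "${NW}" to any port 20 comment "ftp-data"
sudo ufw allow from "${NW}" to any port 21 comment "ftp"
sudo ufw allow from "${NW}" to any port 22 comment "ssh"
sudo ufw allow from "${NW}" to any port 53 comment "DNS"
sudo ufw allow from "${NW}" to any port 111 comment "portmap(nfs)"
sudo ufw allow from "${NW}" to any port 389 comment "ldap"
sudo ufw allow from "${NW}" to any port 445 comment "samba"
# Sonos devices get every unprivileged port, tcp and udp, from their own IPs only
sudo ufw allow from 192.168.4.6 to any proto tcp port 1024:65535 comment "TCP ALL for Sonos One (Mich)"
sudo ufw allow from 192.168.4.6 to any proto udp port 1024:65535 comment "UDP ALL for Sonos One (Mich)"
sudo ufw allow from 192.168.4.7 to any proto tcp port 1024:65535 comment "TCP ALL for Sonos Roam"
sudo ufw allow from 192.168.4.7 to any proto udp port 1024:65535 comment "UDP ALL for Sonos Roam"
sudo ufw allow from "${NW}" to any port 1883 comment "mqtt/mosquitto broker"
sudo ufw allow proto udp from "${NW}" to any port 1900 comment "upnp/emby"
sudo ufw allow proto udp from "${NW}" to any port 1901 comment "upnp/sonos"
# source-port match: any LAN host that sets its UDP source port to 1900 reaches
# *every* UDP port on mara through this rule.  Narrow it (e.g. add
# "to any port 1024:65535") if the SSDP replies still get through.
sudo ufw allow proto udp from "${NW}" port 1900 comment "upnp/response"
sudo ufw allow from "${NW}" to any port 2049 comment "nfs"
# whole LAN can reach mysql; narrow to the hosts that actually use it if possible
sudo ufw allow proto tcp from "${NW}" to any port 3306 comment "mysql"
sudo ufw allow from "${NW}" to any port 3483 comment "mass3"
sudo ufw allow proto udp from "${NW}" to any port 3610 comment "echonet poll - dining-ac"
sudo ufw allow from "${NW}" to any port 4045 comment "lockd(nfs)"
sudo ufw allow from "${NW}" to any port 4046 comment "statd(nfs)"
sudo ufw allow from "${NW}" to any port 4047 comment "mountd(nfs)"
sudo ufw allow from "${NW}" to any port 4070 comment "sonos - spotify connect"
# Flask development server exposed to the LAN -- remove when not developing
sudo ufw allow from "${NW}" to any port 5000 comment "pa dev port (Flask)"
sudo ufw allow from "${NW}" to any proto udp port 5353 comment "mDNS - used by esphome/hass"
sudo ufw allow from "${NW}" to any port 5678 comment "apache on mara now"
sudo ufw allow proto udp from "${NW}" to any port 5683 comment "CoIoT (shelly button)"
sudo ufw allow from "${NW}" to any port 6543 comment "myth"
sudo ufw allow from "${NW}" to any port 6544 comment "myth (api)"
sudo ufw allow from "${NW}" to any port 7000 comment "airplay"
sudo ufw allow proto udp from "${NW}" to any port 7777 comment "ark server - game port"
# confirm the traefik dashboard sits behind authentication before exposing it LAN-wide
sudo ufw allow from "${NW}" to any port 8080 comment "traefik (dashboard)"
sudo ufw allow from "${NW}" to any port 8095 comment "mass"
sudo ufw allow from "${NW}" to any port 8096 comment "emby"
sudo ufw allow from "${NW}" to any port 8097 comment "mass2"
sudo ufw allow from "${NW}" to any port 8123 comment "hass"
sudo ufw allow from "${NW}" to any port 6052 comment "esphome dashboard"
sudo ufw allow from "${NW}" to any port 27015 comment "ark server - steam port"
sudo ufw allow from "${NW}" to any proto tcp port 30000:30010 comment "ftps passive mara"
sudo ufw allow from "${NW}" to any port 40021 comment "ftps mara"
sudo ufw allow from "${NW}" to any port 42222 comment "ssh - up high for gitea"
sudo ufw allow from "${NW}" to any proto tcp port 10090:10092 comment "vsftpd-passive"
#sudo ufw deny 1900 comment "block UPnP"

# mail -- these are open to the whole internet, not just ${NW}
sudo ufw allow proto tcp to any port 25 comment "open to world: mail/smtp for mail.depaoli.id.au"
sudo ufw allow proto tcp to any port 80,443,465,587,993 comment "open to world: 80 (lets enc renewal), webmail/others (443), smtps-ssl (465), smtps (587), imaps (993)"

# docker networks (not sure this is possible or needed without the static route)?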
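# This admits everything from the whole 172.16.0.0/12 range, not only docker's
# bridges; ufw already permits established traffic, so it is only needed for
# connections that containers open towards the host.
sudo ufw allow from "${NW_DOCKER}" comment "allow docker networks to talk back to mara"
sudo ufw enable
sudo reboot;
# this should be it for a basic working mara -- everything below is done after the reboot

# update copy of restic for backup/restore (the version in the repo was quite old).
# Run it as the restic user so the replaced binary stays owned by that account;
# self-update downloads the release from the internet, so check what you got.
sudo -u restic -H ~restic/bin/restic self-update
sudo -u restic -H ~restic/bin/restic version
# self-update replaced the file, so the file capability on it is gone -- re-grant
# it so backups can read every file.  This is a broad privilege (read any file on
# the host as the restic user); do not extend it to anything else.
sudo setcap cap_dac_read_search=+ep ~restic/bin/restic

# fix up wake-on-lan
/home/ddp/bin/upgrade-script-common/wol

# cron's for docker and backups (and need keys/authorized to allow backups to
# read from protected parts of mara with sudo, and then as root login as ddp to
# borric
cp -f "$OD/etc/crontab" /etc
# root gets ddp's ssh identity (to reach borric) and ddp's authorized_keys (so the
# backup can come in as root).  Two consequences to keep in mind:
#  - every key in ddp's authorized_keys can now log in as root on mara; keep
#    sshd's PermitRootLogin at prohibit-password (the OpenSSH default) and, if
#    the backup job is the only reason, restrict that entry in
#    /root/.ssh/authorized_keys with from="<backup host>",command="...".
#  - the private key must be 0600 and root-owned or ssh refuses to use it.
sudo install -d -m 700 -o root -g root /root/.ssh
sudo cp /home/ddp/.ssh/id_ecdsa* /root/.ssh/
sudo cp /home/ddp/.ssh/authorized_keys /root/.ssh/
sudo chown root:root /root/.ssh/id_ecdsa* /root/.ssh/authorized_keys
sudo chmod 600 /root/.ssh/id_ecdsa* /root/.ssh/authorized_keys

# get rid of big/useless packages so every apt update is faster
/home/ddp/bin/upgrade-script-common/delete-pkgs

# UPS (powerpanel) - could get newer version?
# Vendor .deb installed outside apt, so nothing verifies its signature: check
# the file's checksum against the download before installing it.
dpkg -i /home/ddp/installed/debs/PPL*deb
echo "BE CAREFUL, I had awful trouble getting this enabled to work on boot"
# check that this is enabled and running.
sudo systemctl status --no-pager pwrstatd
### if not, try update-rc.d pwrstatd defaults, and then systemctl enable again?
# to force lowbatt condition to shutdown too, and set shutdown timer to 10mins, not 1 min, shutdown/lowbatt scripts runtimes to 1 min (to note, ups claims 22 mins runtime)
cp -f "$OD/etc/pwrstatd.conf" /etc/
# test ups...
sudo /usr/sbin/pwrstat -status

# femon for dvb debugging
#apt-get -y install dvb-apps

### tv headend (kept for reference: dl.bintray.com no longer serves packages and
### apt-key is deprecated -- if revived, put the key in /etc/apt/keyrings and use
### a signed-by= sources entry instead of apt-key)
#sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 379CE192D401AB61
#echo "deb https://dl.bintray.com/tvheadend/deb xenial stable" | sudo tee -a /etc/apt/sources.list
#sudo apt update
#sudo apt-get install tvheadend

# hack to stop systemd-sleep?
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target

# odd issue/slowness? in udev as this is trying to deal with mythtv/firewire, I have no firewire, so ditch it:
#sudo rm /usr/lib/udev/rules.d/41-mythtv-permissions.rules

### TODO:
# put this into container for dev, or at least only install pip with apt, the rest via pip install as ddp
# python/flask...
#apt-get -y install python3-pip python3-psycopg2 libpq-dev gunicorn mediainfo cmake libgl1-mesa-glx libglib2.0-0 python3-ldap
# do this as ddp (in a venv, per python3-venv above).  Note "datetime" is part of
# the standard library; the PyPI package of that name is Zope's DateTime and is
# almost certainly not what is wanted -- drop it from the list.
#pip3 install flask flask_login flask-ldap3-login sqlalchemy flask-sqlalchemy SQLAlchemy-serializer marshmallow-sqlalchemy flask-marshmallow flask-wtf flask-bootstrap pymediainfo ExifRead opencv-python datetime pytz dlib face_recognition Werkzeug flask-compress

# rclone (copy file to google drive - used to make offsite backup for vaultwarden)
# follow this: https://rclone.org/drive/#making-your-own-client-id
# The vaultwarden data is the password store: make sure it is encrypted on this
# host (e.g. an rclone "crypt" remote wrapping the drive remote) before it is
# uploaded, if that is not already how the backup works.
rclone config
# when you create rclone config, choose the interactive (browser) login rather than a service account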