bin/mara-ubuntu-upgrade-script


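#######
# installing new O/S, F11 at bios screen will get boot-menu to pick up UEFI - usbkey media
# at least use /home from previous boot, also /srv/docker/container --> should move this to own disk/filesystem
######
# add nvidia/extra repo ...
software-properties-gtk
apt-get update
# use previous install's conf
export OD=/mnt/old_distro
# make sudo not ask for passwd for admin group.
# Check the drop-in with visudo before it lands in /etc/sudoers.d: a syntax
# error in there breaks sudo for everyone. install(1) sets root:root 0440 in
# the same step instead of a separate chmod.
if visudo -cf "${OD}/etc/sudoers.d/ddp"; then
  install -o root -g root -m 0440 -- "${OD}/etc/sudoers.d/ddp" /etc/sudoers.d/ddp
else
  printf 'sudoers drop-in %s failed the visudo check, not installed\n' "${OD}/etc/sudoers.d/ddp" >&2
fi
#cp -f "${OD}/etc/rc.local" /etc/rc.local ; # pwm fan control & start_vpn for pug AND emit_cards_up for mara
# GRUB_TIMEOUT=1, GRUB_BACKGROUND=/home/ddp/Pictures/star-for-grub.png ; GRUB_GFXMODE="auto"
cp -f -- "${OD}/etc/default/grub" /etc/default/grub
update-grub
apt-get update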
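# openssh-server - allows ssh into mara
# mplayer - just for local video testing if needed
# unrar - just for local use of unrar
# nmap, net-tools, iftop, ethtool, gsmartcontrol, nethogs, lm-sensors, sysstat, iotop, hardinfo, smem, nvme-cli - all used for diagnostics local to mara
# elinks, smbclient, mplayer, whois - local cmdline testing
# mdadm - used for /export
# ffmpeg, handbrake, imagemagick - local video, image manipulation
# docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -> docker commands
# tcl - jic ~/bin/* needs it (some probably do)
# python3-venv - local python devel (used at times in PA or Book)
# debconf* - meant to work with unattended apt installs, but didn't work perfectly on mara install to U24.04
# vim - for vimdiff
# apt-get rather than apt: apt's CLI is meant for interactive use and warns that
# its interface is not stable for scripts; the rest of this file uses apt-get.
apt-get install openssh-server unrar nmap net-tools iftop ethtool gsmartcontrol rclone \
  nethogs lm-sensors sysstat iotop hardinfo smem nvme-cli elinks smbclient mplayer \
  whois mdadm ffmpeg handbrake imagemagick docker-ce docker-ce-cli containerd.io \
  docker-buildx-plugin docker-compose-plugin tcl python3-venv debconf debconf-utils vim
# keep docker log files to a small size (-D creates /etc/docker if the package did not)
install -D -o root -g root -m 0644 -- "${OD}/etc/docker/daemon.json" /etc/docker/daemon.json
# membership of the docker group is effectively root on the host (a member can
# start a container with the host filesystem mounted), so keep this list to
# admin users only
sudo usermod -aG docker ddp
sudo usermod -aG docker cam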
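# get DNS up (never done this on a fresh install so not sure if port 53 is taken right now by systemd? AND not with adguard, try this if needed use below)
# docker compose -f /srv/docker/config/docker-compose.yml up -d adguard
### DNS (pihole in container)
printf '%s\n' "its likely /etc/hosts already contains 127.0.1.1 mara.ddp.net -- change this to 192.168.2.2"
printf '%s\n' "if adguard is up, bound explictily to 192.168.2.2:53, systemd-resolved will work, and with the direct 192.168.2.2 in hosts, docker dns will work too"
# needed restart to see that host mara.ddp.net does not hang for timeout
systemctl restart systemd-resolved
# get mara to use ldap for auth, etc.
docker compose -f /srv/docker/config/docker-compose.yml up -d openldap
# this will configure mara to use ldap for auth
printf '%s\n' "seems this did not work unattended, I had to copy ldap master pwd (in the script below) by hand"
printf '%s\n' "might need to click homedir create -> click ok on one choice"
printf '%s\n' "since above though, I have made pam-auth-update not use interactive AND on second-run, the master password is not asked for -- so I moved it earlier in script- might work?"
/home/ddp/bin/upgrade-script-common/ldap-conf
# test: should output mandy's uid, etc.  A failure here means nss/pam are not
# resolving users from the container yet -- sort that out before the fstab and
# mount steps, which rely on those uids/gids for /export and /backup ownership.
id mandy || printf 'WARNING: ldap lookup of mandy failed -- check ldap-conf before continuing\n' >&2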
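# this will get /export and /backup from $OD's fstab and copy them in
/home/ddp/bin/upgrade-script-common/fix-fstab "${OD}"
# get the raid array back
mdadm --assemble --scan
# -p: the mount points may already exist on a re-run; plain mkdir would error out
mkdir -p /export /backup
# this is needed now
systemctl daemon-reload
mount -a
# update everything :^)
apt-get -y dist-upgrade
# check that docker group is 124 -- if it is different, the modify telegraf's
# user: "root:124" to the new gid for telegraf to see container metrics
grep docker /etc/group
# -d as for openldap above: without it compose stays attached in the foreground
# and nothing after this line runs until it is interrupted. Use
# 'docker compose -f /srv/docker/config/docker-compose.yml logs -f' to watch startup.
docker compose -f /srv/docker/config/docker-compose.yml up -d
# fix noisy logs: (-D creates the run-docker-.mount.d drop-in dir, which does
# not exist on a fresh install, so a plain cp would fail)
install -D -o root -g root -m 0644 -- "${OD}/etc/systemd/system/run-docker-.mount.d/10-silence.conf" /etc/systemd/system/run-docker-.mount.d/10-silence.conf
systemctl daemon-reload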
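# mara (nfs server)
apt-get -y install nfs-kernel-server portmap
cp -- "${OD}/etc/default/nfs-common" /etc/default
cp -- "${OD}/etc/default/nfs-kernel-server" /etc/default
cp -- "${OD}/etc/modprobe.d/nfs-lockd.conf" /etc/modprobe.d/
# /etc/exports is what decides which hosts may mount /export and /backup --
# worth a read-through for the new install before the nfs server picks it up
cp -f -- "${OD}/etc/exports" /etc/exports
# get firmware for hauppage tv tuner card
# (the exports/firmware lines used to be repeated three times below; once is enough.
# note a PPA is third-party code signed by the PPA owner's key, so only the
# firmware package is wanted from it)
add-apt-repository ppa:b-rad/kernel+mediatree+hauppauge
apt-get install linux-firmware-hauppauge
# mara (various) To note: upnp is off on the modem (so no internet),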
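# but allowed from anything on 192.168 to 1900 (emby) and from 1900 on 192.168 (emby response)
NW=192.168.0.0/21
NW_DOCKER=172.16.0.0/12
# Ubuntu ships ufw with deny-incoming already; state it explicitly so the allow
# list below is the whole inbound policy whatever state ufw was left in
sudo ufw default deny incoming
sudo ufw allow from "${NW}" to any port 20 comment "ftp-data"
sudo ufw allow from "${NW}" to any port 21 comment "ftp"
sudo ufw allow from "${NW}" to any port 22 comment "ssh"
sudo ufw allow from "${NW}" to any port 53 comment "DNS"
sudo ufw allow from "${NW}" to any port 111 comment "portmap(nfs)"
sudo ufw allow from "${NW}" to any port 389 comment "ldap"
sudo ufw allow from "${NW}" to any port 445 comment "samba"
# Sonos: the proto and the comment text were swapped on the next four rules
sudo ufw allow from 192.168.4.6 to any proto tcp port 1024:65535 comment "TCP ALL for Sonos One (Mich)"
sudo ufw allow from 192.168.4.6 to any proto udp port 1024:65535 comment "UDP ALL for Sonos One (Mich)"
sudo ufw allow from 192.168.4.7 to any proto tcp port 1024:65535 comment "TCP ALL for Sonos Roam"
sudo ufw allow from 192.168.4.7 to any proto udp port 1024:65535 comment "UDP ALL for Sonos Roam"
sudo ufw allow from "${NW}" to any port 1883 comment "mqtt/mosquitto broker"
sudo ufw allow proto udp from "${NW}" to any port 1900 comment "upnp/emby"
sudo ufw allow proto udp from "${NW}" to any port 1901 comment "upnp/sonos"
# source port 1900 to any local port (the emby response case from the note above)
sudo ufw allow proto udp from "${NW}" port 1900 comment "upnp/response"
sudo ufw allow from "${NW}" to any port 2049 comment "nfs"
sudo ufw allow proto tcp from "${NW}" to any port 3306 comment "mysql"
sudo ufw allow from "${NW}" to any port 3483 comment "mass3"
sudo ufw allow proto udp from "${NW}" to any port 3610 comment "echonet poll - dining-ac"
sudo ufw allow from "${NW}" to any port 4045 comment "lockd(nfs)"
sudo ufw allow from "${NW}" to any port 4046 comment "statd(nfs)"
sudo ufw allow from "${NW}" to any port 4047 comment "mountd(nfs)"
sudo ufw allow from "${NW}" to any port 4070 comment "sonos - spotify connect"
sudo ufw allow from "${NW}" to any port 5000 comment "pa dev port (Flask)"
sudo ufw allow from "${NW}" to any proto udp port 5353 comment "mDNS - used by esphome/hass"
sudo ufw allow from "${NW}" to any port 5678 comment "apache on mara now"
sudo ufw allow proto udp from "${NW}" to any port 5683 comment "coloT (shelly button)"
sudo ufw allow from "${NW}" to any port 6543 comment "myth"
sudo ufw allow from "${NW}" to any port 6544 comment "myth (api)"
sudo ufw allow from "${NW}" to any port 7000 comment "airplay"
sudo ufw allow proto udp from "${NW}" to any port 7777 comment "ark server - game port"
sudo ufw allow from "${NW}" to any port 8080 comment "traefik (dashboard)"
sudo ufw allow from "${NW}" to any port 8095 comment "mass"
sudo ufw allow from "${NW}" to any port 8096 comment "emby"
sudo ufw allow from "${NW}" to any port 8097 comment "mass2"
sudo ufw allow from "${NW}" to any port 8123 comment "hass"
sudo ufw allow from "${NW}" to any port 6052 comment "esphome dashboard"
sudo ufw allow from "${NW}" to any port 27015 comment "ark server - steam port"
sudo ufw allow from "${NW}" to any proto tcp port 30000:30010 comment "ftps passive mara"
sudo ufw allow from "${NW}" to any port 40021 comment "ftps mara"
sudo ufw allow from "${NW}" to any port 42222 comment "ssh - up high for gitea"
sudo ufw allow from "${NW}" to any proto tcp port 10090:10092 comment "vsftpd-passive"
#sudo ufw deny 1900 comment "block UPnP"
# mail -- these two are the only rules with no 'from' restriction; everything
# else above is LAN-only, so anything new that must face the internet goes here
sudo ufw allow proto tcp to any port 25 comment "open to world: mail/smtp for mail.depaoli.id.au"
sudo ufw allow proto tcp to any port 80,443,465,587,993 comment "open to world: 80 (lets enc renewal), webmail/others (443), smtps-ssl (465), smtps (587), imaps (993)"
# docker networks (not sure this is possible or needed without the static route)?
sudo ufw allow from "${NW_DOCKER}" comment "allow docker networks to talk back to mara"
sudo ufw enable
sudo reboot; # this should be it for a basic working mara -- everything below is run by hand after the reboot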
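# update copy of restic for backup/restore:
# run the update as the restic user in one command; 'sudo su - restic' opens an
# interactive shell, so the self-update and 'exit' that followed it were never
# executed by this file. -H sets HOME to restic's home for the update.
sudo -u restic -H ~restic/bin/restic self-update ; # needed as the version in the repo was quite old
# need this to reset capability for restic to see all files and back them up
# (self-update writes a new binary, so the capability has to be set again after every update)
sudo setcap cap_dac_read_search=+ep ~restic/bin/restic
# fix up wake-on-lan
/home/ddp/bin/upgrade-script-common/wol
# cron's for docker and backups (and need keys/authorized to allow backups to
# read from protected parts of mara with sudo, and then as root login as ddp to
# borric
cp -f -- "${OD}/etc/crontab" /etc
# root gets ddp's ecdsa key pair (for the login to borric) and ddp's
# authorized_keys, so any key that can log in as ddp can also log in as root
# (subject to sshd's PermitRootLogin) -- keep that list short. install sets
# root:root 0600 so the private key is never group/world readable.
sudo mkdir -p -m 0700 /root/.ssh
for key in /home/ddp/.ssh/id_ecdsa*; do
  sudo install -o root -g root -m 0600 -- "$key" /root/.ssh/
done
sudo install -o root -g root -m 0600 -- /home/ddp/.ssh/authorized_keys /root/.ssh/authorized_keys
# get rid of big/useless packages so every apt update is faster
/home/ddp/bin/upgrade-script-common/delete-pkgs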
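# UPS (powerpanel) - could get newer version?
# expand the glob into an array first: an unmatched pattern would otherwise be
# handed to dpkg literally and fail with a confusing "cannot access archive"
debs=(/home/ddp/installed/debs/PPL*deb)
if [ -e "${debs[0]}" ]; then
  dpkg -i -- "${debs[@]}"
else
  printf 'no PPL*deb found in /home/ddp/installed/debs -- UPS daemon not installed\n' >&2
fi
printf '%s\n' "BE CAREFUL, I had awful trouble getting this enabled to work on boot"
# check that this is enabled and running.
sudo systemctl status pwrstatd
### if not, try update-rc.d pwrstatd defaults, and then systemctl enable again?
# to force lowbatt condition to shutdown too, and set shutdown timer to 10mins, not 1 min, shutdown/lowbatt scripts runtimes to 1 min (to note, ups claims 22 mins runtime)
cp -f -- "${OD}/etc/pwrstatd.conf" /etc/
# test ups...
sudo /usr/sbin/pwrstat -status
# femon for dvb debugging
#apt-get -y install dvb-apps
### tv headend
#sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 379CE192D401AB61
#echo "deb https://dl.bintray.com/tvheadend/deb xenial stable" | sudo tee -a /etc/apt/sources.list
#sudo apt update
#sudo apt-get install tvheadend
# hack to stop systemd-sleep?
systemctl mask sleep.target suspend.target hibernate.target hybrid-sleep.target
# odd issue/slowness? in udev as this is trying to deal with mythtv/firewire, I have no firewire, so ditch it:
#sudo rm /usr/lib/udev/rules.d/41-mythtv-permissions.rules
### TODO:
# put this into container for dev, or at least only install pip with apt, the rest via pip install as ddp
# python/flask...
#apt-get -y install python3-pip python3-psycopg2 libpq-dev gunicorn mediainfo cmake libgl1-mesa-glx libglib2.0-0 python3-ldap
# do this as ddp:
#pip3 install flask flask_login flask-ldap3-login sqlalchemy flask-sqlalchemy SQLAlchemy-serializer marshmallow-sqlalchemy flask-marshmallow flask-wtf flask-bootstrap pymediainfo ExifRead opencv-python datetime pytz dlib face_recognition Werkzeug flask-compress
# rclone (copy file to google drive - used to make offsite backup for vaultwarden)
# follow this: https://rclone.org/drive/#making-your-own-client-id
# (interactive; the resulting config holds the drive credentials, so it should
# stay readable only by the user running the backup)
rclone config
# when you create rclone config, don't choose SA over interactive?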