This changes a pristine Debian install (or possibly Ubuntu or Cygwin, where at least the `chj-perllib` target works) in ways that I like, including software installs and configuration modifications.
Currently uses cryptographic signatures without exception to ensure code integrity.
Note: you can get a script here that does the same as the steps below. The intended workflow is: check out chjize on your developer machine, then, when you want to install chjize on another machine, copy that script over and run it instead of following these instructions by hand.
As root:
```sh
apt-get update
apt-get install -y git make gnupg
mkdir -p /opt/chj
cd /opt/chj
git clone https://github.com/pflanze/chjize.git
cd chjize/
```
You can verify via signed git tags that you've got the pristine source. (Note that most rules import the key into gpg too, and as the key is included in the repository, if you got a trusted checkout of this repository then this verification step can be skipped; signatures of the other repositories it fetches are properly checked in any case.)
```sh
gpg --import cj-key.asc
gpg --import cj-key-2.asc
version=r$(git tag -l | grep ^r | sed s/^r// | LANG=C sort -rn | head -1)
git checkout -b local "$version"
tmpout=$(mktemp)
tmperr=$(mktemp)
git tag -v "$version" > "$tmpout" 2> "$tmperr" || { cat "$tmpout" "$tmperr"; false; }
cat "$tmpout" "$tmperr"
# Check that the above command gives "Good signature", and (if warning) shows
# my fingerprint 7312F47D9436FBF8C3F80CF2748247966F366AE9 if you don't have
# a trust path to the key (which is signed by my older key A54A1D7CA1F94C866AC81A1F0FA5B21104EDB072
# (A54A 1D7C A1F9 4C86 6AC8.*1A1F 0FA5 B211 04ED B072), which you can google)
if grep -q WARNING "$tmperr"; then grep "7312 F47D 9436 FBF8 C3F8 0CF2 7482 4796 6F36 6AE9" "$tmperr"; fi
# You can also do the more paranoid verification of running the
# script lines shown in the tag (the lines starting with a `$`),
# and verifying that you get the same output as shown:
sumsSig=$(perl -we 'local $/; $a=<STDIN>; $a=~ s{.*\n\$[^\n]*sha256sum\n}{}s; print $a' < "$tmpout")
sumsLocal=$(git ls-files -z | xargs -0 --no-run-if-empty -s 129023 -n 129023 sha256sum)
if ! diff <(echo "$sumsSig") <(echo "$sumsLocal"); then echo "check failure"; false; fi
```
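The fingerprint grep above works on gpg's human-readable output, which depends on locale and gpg version. As an added example (not part of chjize), the same pinning done on gpg's machine-readable status lines, which `git verify-tag --raw` prints on stderr; the sample status streams are constructed, not real gpg output, and `verify_tag_fpr` assumes a git checkout with the key imported:

```sh
# Added example, not chjize's code: pin the signing key by fingerprint using
# gpg's status lines ("[GNUPG:] ..." from "git verify-tag --raw TAG") instead
# of grepping the human-readable output. Fingerprint as given in the README.
EXPECTED_FPR="7312F47D9436FBF8C3F80CF2748247966F366AE9"

# tag_status_has_fpr STATUS [FPR]: succeed only if STATUS contains a VALIDSIG
# line whose signing-key fingerprint ($3) or primary-key fingerprint (last
# field) equals FPR. GOODSIG alone is not enough: it only carries a key ID.
tag_status_has_fpr() {
    printf '%s\n' "$1" | awk -v want="${2:-$EXPECTED_FPR}" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_tag_fpr TAG [FPR]: run git's verification and apply the check above.
# Fails if the signature is bad, the key is unknown, or the fingerprint differs.
verify_tag_fpr() {
    st=$(git verify-tag --raw "$1" 2>&1 >/dev/null) || return 1
    tag_status_has_fpr "$st" "${2:-$EXPECTED_FPR}"
}

# Constructed status streams for a stand-alone run (not real gpg output; the
# all-F fingerprint is a placeholder for some other key):
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 748247966F366AE9 Example Key <example@example.invalid>
[GNUPG:] VALIDSIG 7312F47D9436FBF8C3F80CF2748247966F366AE9 2024-01-01 1704067200 0 4 0 1 10 00 7312F47D9436FBF8C3F80CF2748247966F366AE9
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FFFFFFFFFFFFFFFF Someone Else <other@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 2024-01-01 1704067200 0 4 0 1 10 00 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
[GNUPG:] TRUST_UNDEFINED 0 pgp'
SAMPLE_BADSIG='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 748247966F366AE9 Example Key <example@example.invalid>'
```

In the checkout, `verify_tag_fpr "$version"` replaces the `git tag -v` plus grep steps; it still fails closed when the key is not in the keyring.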
Once you trust that the source is mine, run:
```sh
PATH=/opt/chj/chjize/bin:$PATH
chjize -h
```

for the list of available targets (the same as shown below). To e.g. only install my software into `/opt/chj` (and its dependencies, see `targets.mk` or the graph below), run:

```sh
chjize chj
```
Unlike Ansible, this caches which actions were already done, and is thus more efficient when the same target is requested repeatedly (even across runs). If an action for some reason really should be re-run, unlink the file with the same name as the target.
The `moduser` target, or the `mod-user` script, sets up bash startup files so that `PATH` is set such that `chjize` is found automatically.
Chjize may work with parallel builds (`chjize -j2` and higher numbers), since we're now using wrappers around `apt-get` and `apt` (in `bin/`) that use waiting locks.
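The shape of such a waiting-lock wrapper, as an added example that is not the wrapper shipped in chjize's `bin/`: it assumes util-linux `flock(1)` and a lock file path of its own (`LOCKED_RUN_LOCKFILE`, a name chosen here), and serialises whatever command it is given so two `-j2` jobs cannot race for the package manager:

```sh
# Added example (not chjize's own wrapper): serialise a command behind a
# waiting file lock, the way the apt-get/apt wrappers in bin/ allow parallel
# chjize runs. Assumes flock(1) from util-linux; the lock file name is an
# assumption of this example.
LOCKED_RUN_LOCKFILE="${LOCKED_RUN_LOCKFILE:-${TMPDIR:-/tmp}/chjize-example-apt.lock}"

# locked_run CMD [ARGS...]: block until the lock is free, run CMD while
# holding it, and return CMD's exit status. The lock is held on fd 9 for the
# lifetime of the subshell, so it is released even if CMD is killed.
locked_run() {
    (
        flock 9 || exit 1   # without -n, flock waits instead of failing
        "$@"
    ) 9>"$LOCKED_RUN_LOCKFILE"
}
```

A real wrapper named `apt-get` would `exec` the real binary by full path inside the lock (e.g. `locked_run /usr/bin/apt-get "$@"`) and live early in `PATH`.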
To set up servers, some more client-side automation is desirable. For an example (just a recipe) see client-side-todo.
(Note: these are copied from `targets.mk` via `chjize README.md`.)
Install dependencies to run the `graph` target.
Import cj-key.asc into the keyring of the current user.
Upgrade the system (via dist-upgrade), necessary on a fresh instance on typical cloud hostings like Amazon's.
Install some fonts, amongst them Inconsolata for urxvt.
Install `rxvt-unicode` and trim it down for security and simplicity.
Install my preferred Debian packages that are command-line only.
Install my preferred Debian packages requiring X11.
Install the Perl packages from Debian needed for chj-bin.
Install the Perl packages from Debian needed for fperl.
Install Debian packages around image processing (like optipng, gimp, mat2).
Install `g++`.
Packages for development in C++.
Check out git-sign; used by most other targets.
Install (via symlink) chj-perllib. These depend on `fperl` now, thus that is installed as well.
Install chj-bin.
Install GNU Emacs via APT.
Install debian-emacs.
Checkout `chj-emacs`. Does not run `make` in it.
Install emacs, including cloning `chj-emacs` in `/opt/chj` and running `make`, which installs further Debian packages (including GHC, currently); you still also need to run `make` per user in `.chj-emacs` after `mod-user` to get the local checkouts and symlinks, though.
Install wget from Debian.
Install vscode from a binary off GitHub. WARNING: just hashed once on first retrieval. HACK, unfinished: needs `slim-desktop` or similar to be installed, or add exact dependencies to the action, or run `apt-get -f install` to fix it up.
Install fastrandom.
Install cj-git-patchtool.
Automatically configure some (English and German speaking) locales.
Automatically configure debconf to be in Noninteractive mode (run this to avoid other targets waiting for inputs; also, it will be the only mode that works with -j2).
Check out the last tagged versions of various repositories into `/opt/chj` (uses signed tags via git-sign to ensure you get what I signed).
Chj including parts requiring X11
Check out Xfce4 .config files, which are used by chjize-xfce-setup.
Xfce4 desktop, local. Comes with `/opt/chj/chjize/bin/chjize-xfce-setup` to configure Xfce4 the way I like (optionally run afterwards; see the message emitted by this target for some more detail). NOTE: better do not use this target directly, but rather use `xfce4_load_profile` or one of the `..-desktop` ones.
Same as xfce-local, but tries to avoid installing the xserver packages.
Set up Debian so that a graphical login will read the `~/.profile` file (which they stopped doing at some point, dunno why); currently only implemented for Xfce.
Modify the `/root`, `/etc/skel`, and if present `/home/chris` directories to use a checkout of chj-home; it should safely store previous versions of your files in the Git repository that's at this place before checking out my versions; see them via `gitk --all`. This also sets up emacs to work nicely with Gambit, see below. Note: if there is a `.git` directory in those directories before, it will ask whether to continue by first moving those to `/root/.trash/`.
If you want to modify a particular user's home without affecting the other users, instead run `/opt/chj/chjize/bin/mod-user` as that user (in its home dir).
`Module::Locate` has no signature on CPAN, thus I forked, verified and signed it myself.
`Test::Pod::Snippets` has a CPAN signature, but for ease of checking I forked, verified and signed it myself. Depends on libpod-parser-perl from fperl-perl-debian.
`fperl-noinstall` and the necessary dependencies to run its test suite. Run the test suite.
Install the Functional Perl library and its dependencies. Currently installs dependencies only from Debian, and Functional Perl itself via Git and checks the signature, thus is secure and won't ask questions (assuming `debconf-noninteractive` was run). Does not actually run `make install`, thus programs using functional-perl need to `use lib "/opt/functional-perl/lib";`! For a full installation, use the `fperl` target.
This is the `fperl-noinstall` target but also does run `make install`. (This still does not access CPAN, and thus is still secure.)
Install a patched version of the Gambit Scheme system.
Install cj-qemucontrol.
Install `dnsmasq` from Debian. (Used by `serve-dhcp` from chj-bin.)
Install Qemu, cj-qemucontrol, dnsmasq, and run qemu-adduser to create the user specified in `$QEMU_USER` or the default `qemu` if not given, and give it the necessary permissions.
Desktop things still needed in a chroot (via the `chrootlogin` tool from chj-bin) running inside a desktop which is installed on the host. (Note: does not include `system` any more!)
Xfce4, desktop packages. (Does not include cj-unattended-upgrades anymore!)
`slim-desktop`, but also set up for real hardware desktops/laptops (not VPSs or VMs).
`linux-perf` and perhaps in the future other performance benchmarking tooling.
Install and configure a local dns resolver (unbound).
Install mercurial, and hg-fast-export from either Debian or upstream source.
Install earlyoom (and, todo: configure it)
Security relevant actions, like divert cupsd so it never runs by accident.
Ensure basic system readiness for any system.
fail2ban, with some config tweaks for stricter SSH blocking
SSH service
Server side VNC setup, to be used via client side VNC setup. Currently assumes a single user will be used to run the VNC server as (hard codes ports).
Server with VNC and Xfce4 desktop plus common chj packages. Note the message about finishing the setup.
Create and activate (including adding to fstab) a swap file if none is already active. Size is automatically chosen to be the same as the RAM size, or enough to give a total of RAM+swap of 3 GB.
Enable swap if there is less than 3 GB of RAM available. (Only provides 3 GB of virtual memory if there is at least 1 GB of RAM! But with 512 MB of RAM Gambit compilation would be swapping so much that more swap wouldn't be helpful anyway, so leave it at just what the `swap` target provides.)
Remove `sudo` (often provided by images) since it's a security issue. Since this will lock you out from acting as root unless you have enabled corresponding access, you have to set `SUDO_FORCE_REMOVE=yes` before running this target or it will fail. If instead you want to keep `sudo` installed, set `NOSUDO=no`.
Runs the `nosudo` target except it will force removal even without `SUDO_FORCE_REMOVE=yes` if it can ensure that the root login can be used: either since root was not logged in via sudo, or it is an ssh login, in which case the authorized_keys are copied to the root account. NOTE that this will still lock you out if you actually log in via password instead of a key! Still is a NOP if `NOSUDO=no` is set.
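The lockout pre-check that the forced-removal variant above describes, written out as an added example (not chjize's own implementation) so the conditions are explicit: it assumes sudo sets `SUDO_USER`, sshd sets `SSH_CONNECTION`, and home directories live under `HOMEROOT/home/<user>` (`HOMEROOT` is a parameter chosen here so the check can run against a scratch tree):

```sh
# Added example, not chjize's code: decide whether sudo can be removed without
# locking the operator out, and carry the ssh key over to root when it can.
# Assumptions: SUDO_USER/SSH_CONNECTION as set by sudo and sshd; homes under
# HOMEROOT/home/<user>; HOMEROOT (default /) exists.
#
# root_login_usable [HOMEROOT]: return 0 when removing sudo cannot lock us out:
#   * root was not reached via sudo (no SUDO_USER), or
#   * this is an ssh session and the sudo user has an authorized_keys file,
#     which is appended to root's so the same key keeps working for root.
# Return 1 otherwise, e.g. a console sudo session, or an ssh session of a user
# who logged in with a password (no authorized_keys to carry over).
root_login_usable() {
    homeroot=${1:-/}
    if [ -z "${SUDO_USER:-}" ]; then
        return 0
    fi
    [ -n "${SSH_CONNECTION:-}" ] || return 1
    src="$homeroot/home/$SUDO_USER/.ssh/authorized_keys"
    [ -s "$src" ] || return 1
    dstdir="$homeroot/root/.ssh"
    mkdir -p "$dstdir" && chmod 700 "$dstdir" || return 1
    # Append rather than overwrite so keys root already has are preserved.
    cat "$src" >> "$dstdir/authorized_keys" && chmod 600 "$dstdir/authorized_keys"
}
```

The password-login caveat from the description remains: a key in `authorized_keys` only helps if that is actually how the operator authenticates.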
Set `x-terminal-emulator` in Debian's alternatives system to `/opt/chj/bin/term`, which uses urxvt.
Install Firefox from Debian.
Install Gimp from Debian.
Install unison from Debian (console version).
Install guix from Debian. Upgrades system to Debian Bullseye!
Create a new user for co-working (`$COWORKING_USER`, `coworking` by default); run `.chj-home/init`, giving it `$CHJIZE_FULL_EMAIL` as fullname/email input if present; copy ssh keys from root to it.
Check out and build lili as the `schemen` user.
Allow the coworking user (again, `${COWORKING_USER-coworking}`) to log into the root account via `ssh root@localhost` (as a `sudo` replacement).
Full set up of a user with Xfce desktop, various programs (like chj-bin/fperl/emacs, Firefox, Gimp, Unison), and VNC server for co-working. Requires a VNC passwd file; run on your desktop: `scp .vncclient-passwords/passwd root@$server:/opt/chj/chjize/tmp/`. Set the `CHJIZE_FULL_EMAIL` env var to the email address with full name if you want the coworking user to be set up with it (default is empty strings).
Set up for Scheme mentoring: `coworking` target (see there for details), plus Scheme.
`slim-desktop`, but then remove xorg and xserver-xorg packages. This is a horrible HACK for cases where they should never be installed in the first place but I can't figure out why they are.
Packages for compilation/installation of programs in Rust (e.g. chj-rustbin)
Packages for development in Rust
Packages for development (including what cj50 needs, and valgrind, but excluding documentation packages like pandoc)
Packages for development including those requiring X11
Packages for "documentation development": pandoc, and debianpackages.
Check out chj-rustbin.
Install chj-rustbin.
Set up cj-unattended-upgrades on a server (no claws-mail installation).
Set up cj-unattended-upgrades on a desktop, which includes claws-mail.
The targets meant to be used manually are shown in green (not used by other targets) and blue (used by others).