initial import

bin/closehome.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+_LUKS=chome
+_MOUNT=/home
+
+# mount
+if mountpoint -q ${_MOUNT}; then
+  sudo umount ${_MOUNT}
+  if mountpoint -q ${_MOUNT}; then
+    echo "umount failed"
+    exit 1
+  fi
+fi
+# LUKS
+if [[ -e /dev/mapper/${_LUKS} ]]; then
+  sudo cryptsetup luksClose ${_LUKS}
+  if [[ -e /dev/mapper/${_LUKS} ]]; then
+    echo "luksClose failed"
+    exit 1
+  fi
+fi

bin/d11add.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# run after a Debian minimal install w/SSH server
+
+apt-get update
+
+echo "iptables-persistent iptables-persistent/autosave_v4 boolean true" | debconf-set-selections
+echo "iptables-persistent iptables-persistent/autosave_v6 boolean true" | debconf-set-selections
+echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | debconf-set-selections
+
+apt-get install \
+  aptitude bc binutils build-essential cryptsetup curl dnsmasq dnsutils \
+  dosfstools exfatprogs gdisk git gpg iptables-persistent keyutils lm-sensors \
+  mutt ncat net-tools parted pigz pinentry-tty psmisc rclone rsync sqlite3 \
+  strace sudo tmux unattended-upgrades unzip vim-nox whois zip
+
+apt-get install --no-install-recommends smem
+
+systemctl disable bluetooth.service remote-fs.target rsync.service
+systemctl enable unattended-upgrades netfilter-persistent

bin/debup.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+
+echo "Clearing journald > 30 days"
+sudo journalctl --vacuum-time=30d
+
+echo "Applying system upgrades"
+sudo apt-get update
+sudo apt-get autoclean
+sudo apt-get upgrade
+
+## rclone in LTS is too old
+function upgrade_rclone() {
+  echo "Checking rclone..."
+  # get installed version
+  _LOCAL=$(dpkg-query --showformat='${Version}' --show rclone)
+
+  # get latest version, strip leading "v" (v1.55.1 -> 1.55.1)
+  _REMOTE=$(curl -s "https://api.github.com/repos/rclone/rclone/releases/latest" | grep -Po '"tag_name": "\K.*?(?=")')
+  _REMOTE=${_REMOTE#v}
+
+  # bash doesn't see versions as numbers, but as strings
+  if [[ "${_LOCAL}" != "${_REMOTE}" ]]; then
+    echo "Upgrading rclone - installed ${_LOCAL}, latest ${_REMOTE}"
+    curl -o /tmp/rclone-latest.deb \
+      "https://downloads.rclone.org/rclone-current-linux-amd64.deb"
+    if [[ $? -eq 0 ]]; then
+      sudo apt-get install /tmp/rclone-latest.deb
+      rm -f /tmp/rclone-latest.deb
+    fi
+  else
+    echo "Installed rclone is the latest - ${_LOCAL}"
+  fi
+}
+
+upgrade_rclone

bin/localbak.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+#
+# ensure pinentry-tty is installed
+
+DTS=$(date "+%Y%m%d%H%M")
+TGZ="bkp/syslocal-${DTS}.tgz"
+TGT="remote:"
+
+cd "${HOME}" || exit 1
+[[ -d system ]] || exit 1
+[[ -d bkp ]] || exit 1
+
+echo "Creating ${TGZ} ..."
+tar -czf "${TGZ}" system/*
+echo "Encrypting ${TGZ} ..."
+gpg -c "${TGZ}"
+echo "Removing unencrypted ${TGZ} ..."
+rm -v "${TGZ}"
+echo "Syncing backups..."
+rclone -PL sync bkp/ "${TGT}"

bin/openhome.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+#
+# /dev/sda2 -> /home
+# installed packages: cryptsetup keyutils
+# loaded modules: dm_crypt
+#
+# prep/test:
+#  cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/sda2
+#  cryptsetup luksOpen /dev/sda2 chome
+#  mkfs.ext4 -E lazy_itable_init=0,lazy_journal_init=0 /dev/mapper/chome
+#  touch /home/.undermnt
+#  mount /dev/mapper/chome /home
+#  umount /home
+#  cryptsetup luksClose cdata
+
+_DEV=/dev/sda2
+_LUKS=chome
+_MOUNT=/home
+
+# LUKS
+if [[ ! -e /dev/mapper/${_LUKS} ]]; then
+  sudo cryptsetup luksOpen ${_DEV} ${_LUKS}
+fi
+# mount
+if [[ ! -e /dev/mapper/${_LUKS} ]]; then
+  echo "luksOpen failed"
+  exit 1
+else
+  if ! mountpoint -q ${_MOUNT}; then
+    sudo mount /dev/mapper/${_LUKS} ${_MOUNT}
+  fi
+fi
+# verify
+if mountpoint -q ${_MOUNT}; then
+  df -h ${_MOUNT}
+else
+  echo "mount failed"
+fi