|
|
#!/bin/bash
set -eux
## Certificate DST_Root_CA-X3 expired, it needs to be removed ## from list of available certificates. Debian <10 have the issue. ## ## Fixing: https://www.reddit.com/r/sysadmin/comments/pzags0/lets_encrypts_dst_root_ca_x3_expired_yesterday/ ## see also: https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/?guccounter=1
modified_certificate= mkdir -p /usr/local/share/ca-certificates/custom for certfile_name in isrgrootx1:ISRG_Root_X1 isrg-root-x2 lets-encrypt-r3; do certfile=${certfile_name%%:*} name=${certfile_name#*:} echo "Checking $certfile for $name" if ! [ -e "/usr/local/share/ca-certificates/custom/$certfile".crt ] && ! [ -e "/etc/ssl/certs/$name.pem" ]; then wget --no-check-certificate https://letsencrypt.org/certs/"$certfile".pem \
-O "/usr/local/share/ca-certificates/custom/$certfile".crt modified_certificate=1 fi done
if grep "^mozilla/DST_Root_CA_X3.crt" /etc/ca-certificates.conf 2>/dev/null 2>&1; then sed -ri 's%^(mozilla/DST_Root_CA_X3.crt)%!\1%g' /etc/ca-certificates.conf fi
if [ -n "$modified_certificate" ]; then update-ca-certificates fi
## We can now do the ``apt-get update`` safely...
apt:update() { tried=() backup=
while ! out=$(apt-get update 2>&1); do echo "Failed to 'apt-get update', looking for fixes..." old_tried_length="${#tried[@]}" failed_fetch=$(printf "%s" "$out" | egrep "^E: Failed to fetch .*404\s+Not Found") failed_release=$(printf "%s" "$out" | egrep "^[EW]: The repository '.*' (does (no longer|not) have|no longer has) a Release file.$") changed_release=$(printf "%s" "$out" | egrep "^[EW]: Repository '.*' changed its 'Suite' value from .* to .*$") if [[ " ${tried[*]} " != *" stretch-updates-fix "* ]] && [[ "$failed_fetch" == *" http://archive.debian.org/dists/stretch/updates/"* ]]; then tried+=("stretch-updates-fix") [ -z "$backup" ] && { backup=1 echo "Backup old /etc/apt/sources.list" cp -v /etc/apt/sources.list{,.myc-update} } echo "Applying stretch-updates-fix" sed -ri 's%^(\s*deb(-src)? http://archive.debian.org/? stretch/updates .*)$%# \1%g' /etc/apt/sources.list fi
for distrib in stretch buster; do for variant in "$distrib"{,-{updates,backports},/updates}; do if [[ " ${tried[*]} " != *" ${variant}-archive-fix "* ]] && [[ "$failed_release" == *"'http://deb.debian.org/debian $variant "* ]]; then tried+=("${variant}-archive-fix") [ -z "$backup" ] && { backup=1 echo "Backup old /etc/apt/sources.list" cp -v /etc/apt/sources.list{,.myc-update} } echo "Applying ${variant}-archive-fix" sed -ri 's,http://(deb|security).debian.org/debian '"$variant"',http://archive.debian.org/debian '"$variant"',g' \
/etc/apt/sources.list #s,^(deb(-src)? http://deb.debian.org/debian '"$variant"'),#\1,' \ fi if [[ " ${tried[*]} " != *" ${variant}-archive-comment-out "* ]] && [[ "$failed_fetch" == *" http://archive.debian.org/debian/dists/$variant/"* ]]; then tried+=("${variant}-archive-comment-out") [ -z "$backup" ] && { backup=1 echo "Backup old /etc/apt/sources.list" cp -v /etc/apt/sources.list{,.myc-update} } echo "Applying ${variant}-archive-comment-out" sed -ri 's,^(deb(-src)? http://archive.debian.org/debian '"$variant"'),#\1,g' \
/etc/apt/sources.list fi done if [[ " ${tried[*]} " != *" ${variant}-security-comment-out "* ]] && [[ "$failed_release" == *"'http://security.debian.org $distrib/updates "* ]]; then tried+=("${distrib}-comment-out") [ -z "$backup" ] && { backup=1 echo "Backup old /etc/apt/sources.list" cp -v /etc/apt/sources.list{,.myc-update} } echo "Applying $distrib}-comment-out" sed -ri 's,^(deb(-src)? http://security.debian.org/ '"$distrib/updates"'),#\1,g' \
/etc/apt/sources.list fi done
if [[ " ${tried[*]} " != *" change-release-fix "* ]] && [[ "$changed_release" == *"'http://deb.debian.org/debian "* ]]; then tried+=("change-release-fix") echo "Applying change-release-fix" apt-get update --allow-releaseinfo-change </dev/null || true fi
if [[ "$old_tried_length" == "${#tried[@]}" ]]; then echo "Failing 'apt-get update'. Couldn't fix it automatically. Stopping." if [ -n "$backup" ]; then mv -v /etc/apt/sources.list{,.myc-update-fix} mv -v /etc/apt/sources.list{.myc-update,} fi printf "%s\n" "$out" | sed -r 's/^/ | /g' return 1 fi done echo "Successful 'apt-get update'." }
apt:update || exit 1
apt-get -y install bash-completion wget bzip2 git-core \
less tmux mosh \
sudo git vim file gawk </dev/null
if ! apt-get -y python-software-properties </dev/null; then if ! apt-get -y software-properties-common </dev/null; then echo "Couldn't install package, but you probably don't need it." fi fi
type -p lsb_release >/dev/null 2>&1 || apt-get install -y lsb-release </dev/null
case $(lsb_release -is) in Ubuntu) apt-get install -y language-pack-en </dev/null ;; Debian) if ! type -p locale-gen >/dev/null && [ -x /usr/sbin/locale-gen ]; then echo "Your shell is incorrectly set as your PATH doesn't contain '/usr/sbin'." >&2 echo "This probably happens because you've incorrectly entered root environment" >&2 echo "Please use 'sudo -i' or 'su -' to enter a root shell from another user." >&2 echo " ref: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918754" exit 1 fi sed -ri 's/^\s*#\s*(en_US\.UTF-?8.*)\s*$/\1/g' /etc/locale.gen locale-gen
## Debian11 doesn't have a 'python' executable but only a ## 'python3' executable some python script don't care about ## the version, they just want a 'python' executable. if ! type -p python >/dev/null 2>&1; then if py3=$(type -p python3); then echo "No 'python' available in \$PATH, but 'python3' found, using it." >&2 ln -svf "$py3" /usr/local/bin/python fi fi ;; esac
YQ_VERSION=4.35.2 if ! type -p "yq" 2>/dev/null || ! version_line=$(yq --version) || [[ "${version_line}" != *"${YQ_VERSION}" ]]; then wget "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_amd64" \
-O /usr/local/bin/yq && chmod +x /usr/local/bin/yq fi
|