Last active
March 9, 2026 21:14
-
-
Save pythoninthegrass/0bd8978be0e2f660a82cf7f771a844bf to your computer and use it in GitHub Desktop.
Synology shell config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #/etc/profile: system-wide .profile file for ash. | |
| # shellcheck disable=SC2155 | |
| umask 077 | |
| export PATH="/volume1/@appstore/git/bin:/opt/bin:/opt/sbin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/syno/sbin:/usr/syno/bin:/usr/local/sbin:/usr/local/bin" | |
| export PGDATA=/var/services/pgsql | |
| export TERMINFO=/usr/share/terminfo | |
| export TERM=${TERM:-cons25} | |
| export PAGER=more | |
| export LC_ALL=en_US.utf8 | |
| export LANG=en_US.utf8 | |
| # PS1="`hostname`> " | |
| PS1='\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' | |
| HISTFILE=/var/tmp/.bash_history | |
| HISTFILESIZE=100 | |
| HISTSIZE=100 | |
| stty -ixon | |
| bind '"\e[1~": beginning-of-line' &> /dev/null | |
| bind '"\e[4~": end-of-line' &> /dev/null | |
| test -d /home/linuxbrew/.linuxbrew && eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" | |
| export PATH=$(echo -n $PATH | awk -v RS=: -v ORS=: '!x[$0]++' | sed "s/\(.*\).\{1\}/\1/") | |
| export HOMEBREW_GIT_PATH=$(command -v git) | |
| export HOMEBREW_NO_INSTALL_CLEANUP=1 | |
| export HOMEBREW_CURL_PATH=/home/linuxbrew/.linuxbrew/bin/ghcr-curl | |
| # /home/linuxbrew/.linuxbrew/opt/fzf/install | |
| [ -f ~/.fzf.bash ] && source ~/.fzf.bash | |
| alias ..='cd ../' | |
| alias ...='cd ../../' | |
| alias ll='ls -la --color=auto' | |
| alias lzd='lazydocker' | |
| alias rsync='rsync -arvW --progress --stats --ignore-existing' # archive, recursive, verbose, whole-file | |
| unzip() { 7z x "$@" ; } | |
| ulimit -c unlimited |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # SOURCES | |
| # https://community.synology.com/enu/forum/1/post/153781 | |
| # shellcheck disable=SC2155 | |
| set -euo pipefail | |
| # fake /etc/os-release for homebrew | |
| if [[ ! -r /etc/os-release ]]; then | |
| sudo tee /etc/os-release > /dev/null <<'EOF' | |
| ID=synology | |
| ID_LIKE=linux | |
| EOF | |
| sudo chmod 644 /etc/os-release | |
| fi | |
| # fake ldd | |
| sudo tee /usr/bin/ldd > /dev/null <<'EOF' | |
| #!/bin/bash | |
| [[ $(/usr/lib/libc.so.6) =~ version\ ([0-9]\.[0-9]+) ]] && echo "ldd ${BASH_REMATCH[1]}" | |
| EOF | |
| sudo chmod 755 /usr/bin/ldd | |
| # bind mount to get around 2GB quota | |
| sudo mkdir -p /home | |
| sudo mount --bind /volume1/homes /home | |
| sudo chmod 755 /home # Insecure world writable dir ... in PATH, mode 040777 | |
| # Add SynoCommunity repo to DSM | |
| # https://synocommunity.com/ | |
| # Install git v2.40.1+ | |
| export PATH="/usr/local/bin:/volume1/@appstore/git/bin:$PATH" | |
| export HOMEBREW_GIT_PATH=$(command -v git) | |
| export HOMEBREW_NO_INSTALL_CLEANUP=1 | |
| # install linuxbrew | |
| if [[ $(command -v brew; echo $?) != 0 ]]; then | |
| NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" | |
| sudo chmod 755 -R /home/linuxbrew | |
| fi | |
| eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" | |
| # install ghcr-curl wrapper to work around DSM curl forwarding | |
| # Authorization headers on 307 redirects to the GHCR CDN | |
| GHCR_CURL_DST="/home/linuxbrew/.linuxbrew/bin/ghcr-curl" | |
| cp "$(dirname "$0")/ghcr-curl" "$GHCR_CURL_DST" | |
| chmod 755 "$GHCR_CURL_DST" | |
| export HOMEBREW_CURL_PATH="$GHCR_CURL_DST" | |
| # update git,gcc. and make | |
| # * gcc is a dependency for git | |
| brew install automake cmake git make | |
| # general tools | |
| brew install bat fd fzf gh htop just lazydocker nmap perl p7zip ripgrep tldr tree |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| : <<'EOF' | |
| Wrapper around curl that fixes GHCR bottle downloads on Synology DSM. | |
| DSM's system curl (7.86.0) forwards Authorization headers on 307 redirects | |
| to pkg-containers.githubusercontent.com. The CDN rejects requests with | |
| Bearer tokens, causing "curl: (7)" errors on all GHCR bottle downloads. | |
| For GHCR blob URLs, this wrapper: | |
| 1. Fetches the redirect URL (without following it) using -w '%{redirect_url}' | |
| 2. Downloads from the redirect URL without the Authorization header | |
| All other URLs pass through to real curl unchanged. | |
| EOF | |
| set -euo pipefail | |
| # Allow override for testing; default to system curl | |
| CURL="${GHCR_CURL_REAL_CURL:-/usr/bin/curl}" | |
| # Scan args for a GHCR blob URL | |
| ghcr_blob_url="" | |
| for arg in "$@"; do | |
| if [[ "$arg" =~ ^https://ghcr\.io/v2/.*/blobs/sha256: ]]; then | |
| ghcr_blob_url="$arg" | |
| break | |
| fi | |
| done | |
| # If no GHCR blob URL found, pass through to real curl unchanged | |
| if [[ -z "$ghcr_blob_url" ]]; then | |
| exec "$CURL" "$@" | |
| fi | |
| # Collect auth headers and non-URL, non-auth args separately | |
| auth_args=() | |
| passthrough_args=() | |
| skip_next=false | |
| for arg in "$@"; do | |
| if $skip_next; then | |
| # This is the value following -H; check if it's an Authorization header | |
| if [[ "$arg" == Authorization:* ]]; then | |
| auth_args+=(-H "$arg") | |
| else | |
| passthrough_args+=(-H "$arg") | |
| fi | |
| skip_next=false | |
| continue | |
| fi | |
| # -H / --header with value in the next argument | |
| if [[ "$arg" == "-H" || "$arg" == "--header" ]]; then | |
| skip_next=true | |
| continue | |
| fi | |
| # -H"Value" (no space) form | |
| if [[ "$arg" == -H* ]]; then | |
| header_val="${arg#-H}" | |
| if [[ "$header_val" == Authorization:* ]]; then | |
| auth_args+=(-H "$header_val") | |
| else | |
| passthrough_args+=(-H "$header_val") | |
| fi | |
| continue | |
| fi | |
| # --header=Value form | |
| if [[ "$arg" == --header=* ]]; then | |
| header_val="${arg#--header=}" | |
| if [[ "$header_val" == Authorization:* ]]; then | |
| auth_args+=(-H "$header_val") | |
| else | |
| passthrough_args+=(--header "$header_val") | |
| fi | |
| continue | |
| fi | |
| # Skip the GHCR blob URL from passthrough (we handle it separately) | |
| if [[ "$arg" == "$ghcr_blob_url" ]]; then | |
| continue | |
| fi | |
| passthrough_args+=("$arg") | |
| done | |
| # Step 1: Get redirect URL without following it. | |
| # Only pass auth headers — no passthrough args (they may include -L which | |
| # would cause curl to follow the redirect, defeating the purpose). | |
| redirect_url=$("$CURL" -sS -o /dev/null -w '%{redirect_url}' \ | |
| "${auth_args[@]}" "$ghcr_blob_url") | |
| if [[ -z "$redirect_url" ]]; then | |
| # No redirect — fall back to normal curl | |
| exec "$CURL" "$@" | |
| fi | |
| # Step 2: Download from redirect URL without Authorization header | |
| exec "$CURL" "${passthrough_args[@]}" "$redirect_url" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Tests for ghcr-curl wrapper script | |
| # Validates that GHCR blob URLs get two-step download treatment | |
| # and all other URLs pass through to system curl unchanged. | |
| set -euo pipefail | |
| SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" | |
| WRAPPER="${SCRIPT_DIR}/ghcr-curl" | |
| TMPDIR="$(mktemp -d)" | |
| trap 'rm -rf "$TMPDIR"' EXIT | |
| PASS=0 | |
| FAIL=0 | |
| pass() { PASS=$((PASS + 1)); echo " PASS: $1"; } | |
| fail() { FAIL=$((FAIL + 1)); echo " FAIL: $1"; } | |
| # Create a mock curl that logs its invocations | |
| # The redirect-extraction step uses: -sS -o /dev/null -w '%{redirect_url}' | |
| # The mock detects this and returns a redirect URL on stdout. | |
| MOCK_CURL="${TMPDIR}/curl" | |
| cat > "$MOCK_CURL" <<'MOCK' | |
| #!/usr/bin/env bash | |
| # Log all arguments to a file for inspection | |
| echo "$@" >> "${GHCR_CURL_TEST_LOG}" | |
| # If called with -w '%{redirect_url}', simulate returning a redirect URL | |
| for arg in "$@"; do | |
| if [[ "$arg" == "%{redirect_url}" ]]; then | |
| printf "https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:abc123?token=cdn-token" | |
| exit 0 | |
| fi | |
| done | |
| echo "mock-download-output" | |
| exit 0 | |
| MOCK | |
| chmod +x "$MOCK_CURL" | |
| export GHCR_CURL_TEST_LOG="${TMPDIR}/curl_log" | |
| export GHCR_CURL_REAL_CURL="$MOCK_CURL" | |
| echo "=== ghcr-curl wrapper tests ===" | |
| # --- Test 1: Non-GHCR URLs pass through unchanged --- | |
| echo "" | |
| echo "Test 1: Non-GHCR URLs pass through to real curl" | |
| > "$GHCR_CURL_TEST_LOG" | |
| output=$("$WRAPPER" -fsSL https://example.com/file.tar.gz 2>&1) | |
| invocations=$(wc -l < "$GHCR_CURL_TEST_LOG" | tr -d ' ') | |
| if [[ "$invocations" == "1" ]]; then | |
| logged=$(cat "$GHCR_CURL_TEST_LOG") | |
| if [[ "$logged" == *"-fsSL"* ]] && [[ "$logged" == *"https://example.com/file.tar.gz"* ]]; then | |
| pass "non-GHCR URL passed through with original args" | |
| else | |
| fail "non-GHCR URL args not preserved: $logged" | |
| fi | |
| else | |
| fail "expected 1 curl invocation, got $invocations" | |
| fi | |
| # --- Test 2: GHCR blob URL triggers two-step download --- | |
| echo "" | |
| echo "Test 2: GHCR blob URL triggers two-step download" | |
| > "$GHCR_CURL_TEST_LOG" | |
| output=$("$WRAPPER" -fsSL -H "Authorization: Bearer ghp_token123" \ | |
| "https://ghcr.io/v2/homebrew/core/ripgrep/blobs/sha256:abc123def456" 2>&1) | |
| invocations=$(wc -l < "$GHCR_CURL_TEST_LOG" | tr -d ' ') | |
| if [[ "$invocations" == "2" ]]; then | |
| first=$(sed -n '1p' "$GHCR_CURL_TEST_LOG") | |
| second=$(sed -n '2p' "$GHCR_CURL_TEST_LOG") | |
| # First call should extract redirect URL (uses -w '%{redirect_url}') | |
| if [[ "$first" == *"%{redirect_url}"* ]] && [[ "$first" == *"ghcr.io/v2/"* ]]; then | |
| pass "first call extracts redirect URL from GHCR" | |
| else | |
| fail "first call should use -w redirect_url: $first" | |
| fi | |
| # First call should include the Authorization header | |
| if [[ "$first" == *"Authorization: Bearer"* ]]; then | |
| pass "first call includes Authorization header" | |
| else | |
| fail "first call missing Authorization header: $first" | |
| fi | |
| # First call should NOT include passthrough args like -fsSL | |
| if [[ "$first" != *"-fsSL"* ]]; then | |
| pass "first call excludes passthrough args" | |
| else | |
| fail "first call should not include passthrough args: $first" | |
| fi | |
| # Second call should hit the CDN redirect URL | |
| if [[ "$second" == *"pkg-containers.githubusercontent.com"* ]]; then | |
| pass "second call follows redirect to CDN" | |
| else | |
| fail "second call should use CDN URL: $second" | |
| fi | |
| # Second call should NOT include Authorization header | |
| if [[ "$second" != *"Authorization"* ]]; then | |
| pass "second call omits Authorization header" | |
| else | |
| fail "second call should not have Authorization header: $second" | |
| fi | |
| # Second call SHOULD include passthrough args like -fsSL | |
| if [[ "$second" == *"-fsSL"* ]]; then | |
| pass "second call includes passthrough args" | |
| else | |
| fail "second call should include passthrough args: $second" | |
| fi | |
| else | |
| fail "expected 2 curl invocations for GHCR URL, got $invocations" | |
| fi | |
| # --- Test 2b: GHCR blob URL with --header (long form, as brew uses) --- | |
| echo "" | |
| echo "Test 2b: GHCR blob URL with --header long form" | |
| > "$GHCR_CURL_TEST_LOG" | |
| output=$("$WRAPPER" --disable --fail --progress-bar --silent --retry 3 \ | |
| --header "Accept-Language: en" \ | |
| --header "Authorization: Bearer QQ==" \ | |
| --remote-time \ | |
| --output /tmp/test-bottle.tar.gz.incomplete \ | |
| --location \ | |
| "https://ghcr.io/v2/homebrew/core/ripgrep/blobs/sha256:abc123def456" 2>&1) | |
| invocations=$(wc -l < "$GHCR_CURL_TEST_LOG" | tr -d ' ') | |
| if [[ "$invocations" == "2" ]]; then | |
| first=$(sed -n '1p' "$GHCR_CURL_TEST_LOG") | |
| second=$(sed -n '2p' "$GHCR_CURL_TEST_LOG") | |
| # First call should include auth | |
| if [[ "$first" == *"Authorization: Bearer"* ]]; then | |
| pass "long-form: first call includes Authorization header" | |
| else | |
| fail "long-form: first call missing Authorization header: $first" | |
| fi | |
| # First call should NOT include --location or --output | |
| if [[ "$first" != *"--location"* ]] && [[ "$first" != *"--output"* ]]; then | |
| pass "long-form: first call excludes passthrough args" | |
| else | |
| fail "long-form: first call should not include passthrough args: $first" | |
| fi | |
| # Second call should NOT include Authorization | |
| if [[ "$second" != *"Authorization"* ]]; then | |
| pass "long-form: second call omits Authorization header" | |
| else | |
| fail "long-form: second call should not have Authorization: $second" | |
| fi | |
| # Second call should include --output and --location | |
| if [[ "$second" == *"--output"* ]] && [[ "$second" == *"/tmp/test-bottle.tar.gz.incomplete"* ]]; then | |
| pass "long-form: second call includes --output with path" | |
| else | |
| fail "long-form: second call missing --output: $second" | |
| fi | |
| # Second call should include non-auth --header (Accept-Language) | |
| if [[ "$second" == *"Accept-Language: en"* ]]; then | |
| pass "long-form: second call includes non-auth headers" | |
| else | |
| fail "long-form: second call missing non-auth headers: $second" | |
| fi | |
| else | |
| fail "long-form: expected 2 curl invocations, got $invocations" | |
| fi | |
| # --- Test 3: Non-GHCR URL with auth header passes through unchanged --- | |
| echo "" | |
| echo "Test 3: Non-GHCR URL with auth header passes through unchanged" | |
| > "$GHCR_CURL_TEST_LOG" | |
| output=$("$WRAPPER" -H "Authorization: Bearer token" https://api.github.com/repos 2>&1) | |
| invocations=$(wc -l < "$GHCR_CURL_TEST_LOG" | tr -d ' ') | |
| if [[ "$invocations" == "1" ]]; then | |
| logged=$(cat "$GHCR_CURL_TEST_LOG") | |
| if [[ "$logged" == *"Authorization: Bearer token"* ]] && [[ "$logged" == *"api.github.com"* ]]; then | |
| pass "non-GHCR URL with auth passes through unchanged" | |
| else | |
| fail "args not preserved: $logged" | |
| fi | |
| else | |
| fail "expected 1 curl invocation, got $invocations" | |
| fi | |
| # --- Test 4: GHCR non-blob URL passes through unchanged --- | |
| echo "" | |
| echo "Test 4: GHCR non-blob URL (e.g. manifest) passes through unchanged" | |
| > "$GHCR_CURL_TEST_LOG" | |
| output=$("$WRAPPER" -fsSL "https://ghcr.io/v2/homebrew/core/ripgrep/manifests/latest" 2>&1) | |
| invocations=$(wc -l < "$GHCR_CURL_TEST_LOG" | tr -d ' ') | |
| if [[ "$invocations" == "1" ]]; then | |
| pass "GHCR non-blob URL passes through unchanged" | |
| else | |
| fail "expected 1 curl invocation for non-blob GHCR URL, got $invocations" | |
| fi | |
| # --- Test 5: Wrapper handles args with no URL gracefully --- | |
| echo "" | |
| echo "Test 5: Wrapper handles args with no URL gracefully (e.g. --version)" | |
| > "$GHCR_CURL_TEST_LOG" | |
| output=$("$WRAPPER" --version 2>&1) | |
| invocations=$(wc -l < "$GHCR_CURL_TEST_LOG" | tr -d ' ') | |
| if [[ "$invocations" == "1" ]]; then | |
| logged=$(cat "$GHCR_CURL_TEST_LOG") | |
| if [[ "$logged" == *"--version"* ]]; then | |
| pass "non-URL args pass through unchanged" | |
| else | |
| fail "args not preserved: $logged" | |
| fi | |
| else | |
| fail "expected 1 curl invocation, got $invocations" | |
| fi | |
| # --- Summary --- | |
| echo "" | |
| echo "=== Results: $PASS passed, $FAIL failed ===" | |
| [[ "$FAIL" -eq 0 ]] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment