13 changed files with 27 additions and 150 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,7 +2,6 @@
 **/debian/*-config
 **/debian/*.debhelper
 **/debian/debhelper-*
 **/files/etc/wireguard
 **/secrets
 *.build
 *.buildinfo
@ -13,5 +12,5 @@
 *.postinst.debhelper
 *.substvars
 *.tar.xz
-/build
+**/files/etc/wireguard
 /debian/files
--- a/debian/cgit-config.postinst
+++ b/debian/cgit-config.postinst
@ -1,63 +1,12 @@
 #!/bin/sh
 #
 # TODO: Handle "$1".
-set -eu
+set -e
 #DEBHELPER#
-case "$1" in
+# TODO: Setup git user and stuff.
  install|upgrade)
-  # Sane defaults:
+deb-systemd-helper enable fcgiwrap
-  git_home="${GIT_HOME:-/var/git}"
+deb-systemd-invoke restart fcgiwrap
  git_user="${GIT_USER:-git}"
  git_name="${GIT_NAME:-git}"
  git_group="${GIT_GROUP:-www-data}"
  # create user to avoid running server as root
  # 1. create group if not existing
  if ! getent group | grep -q "^$git_group:" ; then
     printf 'Adding group %s..\n' "$git_group"
     addgroup --quiet --system "$git_group" 2>/dev/null
     printf '..done\n'
  fi
  # 2. create homedir if not existing
  if [ -d "$git_home" ]; then
    # `/var` *must* exist.
    mkdir -- "$git_home"
  fi
  # 3. create user if not existing
  if ! getent passwd "$git_user"; then
    printf  'Adding system user %s..\n' "$git_user"
    # XXX: Do I really want a shell here?
    adduser --quiet \
            --system \
            --ingroup "$git_group" \
            --home "$git_home" \
            --shell /bin/bash \
            --disabled-password \
            "$git_user"
    printf '..done\n'
  fi
  # 4. adjust passwd entry
  usermod \
    -c "$git_name" \
    -d "$git_home" \
    -g "$git_group" \
    "$git_user"
  # 5. adjust file and directory permissions
  if ! dpkg-statoverride --list "$git_home" >/dev/null
  then
      chown -R "$git_user":"$git_group" "$git_home"
      chmod u=rwx,g=rxs,o= "$git_home"
  fi
  deb-systemd-helper enable fcgiwrap
  deb-systemd-invoke restart fcgiwrap
  deb-systemd-invoke restart nginx
  ;;
  # TODO: Handle remove, not that I need it yet though.
 esac
--- a/debian/control
+++ b/debian/control
@ -27,7 +27,7 @@ Description: Shione nftables configuration.
 Package: nginx-config
 Architecture: all
 Multi-Arch: foreign
-Depends: ${misc:Depends}, nginx, certbot, libnginx-mod-http-fancyindex
+Depends: ${misc:Depends}, nginx, certbot, python3-certbot-nginx
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Shione nginx configuration.
@ -45,7 +45,7 @@ Description: Shione wireguard configuration.
 Package: cgit-config
 Architecture: all
 Multi-Arch: foreign
-Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments, python3-docutils, python3-markdown
+Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments python3-docutils python3-markdown
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Shione cgit configuration.
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@ -4,5 +4,5 @@ upstream-branch=debian/bookworm
 debian-branch=debian/bookworm
 [buildpackage]
-export-dir = ./build
+export-dir = ../build-area-shione
 git-export = WC
--- a/debian/nftables-config.displace
+++ b/debian/nftables-config.displace
@ -1 +1 @@
-/etc/nftables.conf.shione
+/etc/nftables.conf
--- a/debian/nftables-config.displace-extension
+++ b/debian/nftables-config.displace-extension
@ -1 +0,0 @@
 .shione
--- a/debian/nftables-config.install
+++ b/debian/nftables-config.install
@ -1 +1 @@
-files/etc/nftables.conf.shione /etc/
+files/etc/nftables.conf /etc/
--- a/debian/nginx-config.hide
+++ b/debian/nginx-config.hide
@ -1 +1 @@
-/etc/nginx/sites-enabled/default
+/etc/nginx/sites-enables/defaut
--- a/debian/nginx-config.postinst
+++ b/debian/nginx-config.postinst
@ -2,31 +2,21 @@
 #
 # TODO: Handle "$1".
-set -eu
+set -e
 #DEBHELPER#
 # `certbot` *must* be installed by this package.
-if [ "$(hostname)" = shione ]; then
+certbot \
-	certbot \
+	--nginx \
-		--agree-tos \
+	--agree-tos \
-		--email renken+letsencrypt@shione.net \
+	--redirect \
-		-d shione.net \
+	--hsts \
-		-d www.shione.net \
+	--staple-ocsp \
-		-d git.shione.net
+	--email renken+letsencrypt@shione.net \
-else
+	-d shione.net \
-	out=/etc/letsencrypt/live/shione.net
+	-d www.shione.net \
-
+	-d git.shione.net
 	mkdir -p -- "$out"
 	openssl genrsa \
 		>"$out"/privkey.pem
 	openssl req \
 		-new \
 		-x509 \
 		-key /etc/letsencrypt/live/shione.net/privkey.pem \
 		-subj '/CN=shione.net/O=shione.net./C=FR' \
 		>/etc/letsencrypt/live/shione.net/fullchain.pem
 fi
 # Apply new nginx configuration.
 deb-systemd-invoke restart nginx
--- a/files/etc/nftables.conf.shione
+++ b/files/etc/nftables.conf.shione
--- a/files/etc/nginx/sites-available/shione.net
+++ b/files/etc/nginx/sites-available/shione.net
@ -20,21 +20,14 @@
 #
 # `fancyindex` is from `nginx-extras`.
 server {
-    listen 80 default_server;
+        listen 80 default_server;
-    listen [::]:80 default_server;
+        listen [::]:80 default_server;
    location / {
        return 301 https://$host$request_uri;
    }
 }
 server {
        # SSL configuration
        #
        # Partially generated by https://ssl-config.mozilla.org/.
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
@ -50,6 +43,7 @@ server {
        ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
        # managed by Certbot.
        ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        # OCSP stapling
        ssl_stapling on;
--- a/files/etc/ssh/sshd_config.d/custom.conf
+++ b/files/etc/ssh/sshd_config.d/custom.conf
@ -1,20 +1,3 @@
 # Authentication
 LoginGraceTime 2m
 PermitRootLogin prohibit-password
 StrictModes yes
 MaxAuthTries 6
 MaxSessions 10
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
 PermitEmptyPasswords no
 # Kerberos options
 KerberosAuthentication no
 # GSSAPI options
 GSSAPIAuthentication no
 # TODO: Confirm that this is not overridden by the global configuration file?
 # X11 is not installed on this machine anyway.
 X11Forwarding no
--- a/init.sh
+++ b/init.sh
@ -1,37 +0,0 @@
 #!/bin/sh
 set -eux
 apt update
 apt install -y apt-utils
 mkdir -p -- /var/shione/debian/pool/main
 cp -- /tmp/shione/build/*.deb /var/shione/debian/pool/main
 # XXX: Stolen from `local-apt-repository` which did not work for me for some reason.
 debs_dir_path=/var/shione/debian
 deb_repo_path=/var/lib/local-apt-repository
 mkdir -p -- "$deb_repo_path"
 # Relative paths work better than absolute
 cd -- "$deb_repo_path"
 apt-ftparchive packages ../../../"$debs_dir_path" >"$deb_repo_path"/Packages
 apt-ftparchive sources ../../../"$debs_dir_path" >"$deb_repo_path"/Sources
 apt-ftparchive \
        -o "APT::FTPArchive::Release::Origin=local-apt-repository-shione" \
        -o "APT::FTPArchive::Release::Description=Local repository created by a minimal version of local-apt-repository" \
        release "$deb_repo_path" > "$deb_repo_path"/Release
 <<-EOF cat -- >/etc/apt/sources.list.d/local-apt-repository.list
 # This enables the local repositories provided by local-apt-repository
 #
 # We do not use cryptographic signatures, as they are read from local system
 # anyways.
 deb [trusted=yes] file:///var/lib/local-apt-repository/ ./
 deb-src [trusted=yes] file:///var/lib/local-apt-repository/ ./
 EOF
 apt update
 apt install -y nftables-config
`@ -1 +1 @@`
	`files/etc/nftables.conf.shione /etc/`	`files/etc/nftables.conf /etc/`
`@ -1 +1 @@`
	`/etc/nginx/sites-enabled/default`	`/etc/nginx/sites-enables/defaut`