13 changed files with 27 additions and 150 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,7 +2,6 @@
 **/debian/*-config
 **/debian/*.debhelper
 **/debian/debhelper-*
-**/files/etc/wireguard
 **/secrets
 *.build
 *.buildinfo
@ -13,5 +12,5 @@
 *.postinst.debhelper
 *.substvars
 *.tar.xz
-/build
+**/files/etc/wireguard
 /debian/files
--- a/debian/cgit-config.postinst
+++ b/debian/cgit-config.postinst
@ -1,63 +1,12 @@
 #!/bin/sh
+#
+# TODO: Handle "$1".

-set -eu
+set -e

 #DEBHELPER#

-case "$1" in
-  install|upgrade)
+# TODO: Setup git user and stuff.

-  # Sane defaults:
-  git_home="${GIT_HOME:-/var/git}"
-  git_user="${GIT_USER:-git}"
-  git_name="${GIT_NAME:-git}"
-  git_group="${GIT_GROUP:-www-data}"
-
-  # create user to avoid running server as root
-  # 1. create group if not existing
-  if ! getent group | grep -q "^$git_group:" ; then
-     printf 'Adding group %s..\n' "$git_group"
-     addgroup --quiet --system "$git_group" 2>/dev/null
-     printf '..done\n'
-  fi
-
-  # 2. create homedir if not existing
-  if [ -d "$git_home" ]; then
-    # `/var` *must* exist.
-    mkdir -- "$git_home"
-  fi
-
-  # 3. create user if not existing
-  if ! getent passwd "$git_user"; then
-    printf  'Adding system user %s..\n' "$git_user"
-    # XXX: Do I really want a shell here?
-    adduser --quiet \
-            --system \
-            --ingroup "$git_group" \
-            --home "$git_home" \
-            --shell /bin/bash \
-            --disabled-password \
-            "$git_user"
-    printf '..done\n'
-  fi
-
-  # 4. adjust passwd entry
-  usermod \
-    -c "$git_name" \
-    -d "$git_home" \
-    -g "$git_group" \
-    "$git_user"
-
-  # 5. adjust file and directory permissions
-  if ! dpkg-statoverride --list "$git_home" >/dev/null
-  then
-      chown -R "$git_user":"$git_group" "$git_home"
-      chmod u=rwx,g=rxs,o= "$git_home"
-  fi
-
-  deb-systemd-helper enable fcgiwrap
-  deb-systemd-invoke restart fcgiwrap
-  deb-systemd-invoke restart nginx
-  ;;
-  # TODO: Handle remove, not that I need it yet though.
-esac
+deb-systemd-helper enable fcgiwrap
+deb-systemd-invoke restart fcgiwrap
--- a/debian/control
+++ b/debian/control
@ -27,7 +27,7 @@ Description: Shione nftables configuration.
 Package: nginx-config
 Architecture: all
 Multi-Arch: foreign
-Depends: ${misc:Depends}, nginx, certbot, libnginx-mod-http-fancyindex
+Depends: ${misc:Depends}, nginx, certbot, python3-certbot-nginx
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Shione nginx configuration.
@ -45,7 +45,7 @@ Description: Shione wireguard configuration.
 Package: cgit-config
 Architecture: all
 Multi-Arch: foreign
-Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments, python3-docutils, python3-markdown
+Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments python3-docutils python3-markdown
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Shione cgit configuration.
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@ -4,5 +4,5 @@ upstream-branch=debian/bookworm
 debian-branch=debian/bookworm

 [buildpackage]
-export-dir = ./build
+export-dir = ../build-area-shione
 git-export = WC
--- a/debian/nftables-config.displace
+++ b/debian/nftables-config.displace
@ -1 +1 @@
-/etc/nftables.conf.shione
+/etc/nftables.conf
--- a/debian/nftables-config.displace-extension
+++ b/debian/nftables-config.displace-extension
@ -1 +0,0 @@
-.shione
--- a/debian/nftables-config.install
+++ b/debian/nftables-config.install
@ -1 +1 @@
-files/etc/nftables.conf.shione /etc/
+files/etc/nftables.conf /etc/
--- a/debian/nginx-config.hide
+++ b/debian/nginx-config.hide
@ -1 +1 @@
-/etc/nginx/sites-enabled/default
+/etc/nginx/sites-enables/defaut
--- a/debian/nginx-config.postinst
+++ b/debian/nginx-config.postinst
@ -2,31 +2,21 @@
 #
 # TODO: Handle "$1".

-set -eu
+set -e

 #DEBHELPER#

 # `certbot` *must* be installed by this package.
-if [ "$(hostname)" = shione ]; then
-	certbot \
-		--agree-tos \
-		--email renken+letsencrypt@shione.net \
-		-d shione.net \
-		-d www.shione.net \
-		-d git.shione.net
-else
-	out=/etc/letsencrypt/live/shione.net
-
-	mkdir -p -- "$out"
-	openssl genrsa \
-		>"$out"/privkey.pem
-	openssl req \
-		-new \
-		-x509 \
-		-key /etc/letsencrypt/live/shione.net/privkey.pem \
-		-subj '/CN=shione.net/O=shione.net./C=FR' \
-		>/etc/letsencrypt/live/shione.net/fullchain.pem
-fi
+certbot \
+	--nginx \
+	--agree-tos \
+	--redirect \
+	--hsts \
+	--staple-ocsp \
+	--email renken+letsencrypt@shione.net \
+	-d shione.net \
+	-d www.shione.net \
+	-d git.shione.net

 # Apply new nginx configuration.
 deb-systemd-invoke restart nginx
--- a/files/etc/nftables.conf.shione
+++ b/files/etc/nftables.conf.shione
--- a/files/etc/nginx/sites-available/shione.net
+++ b/files/etc/nginx/sites-available/shione.net
@ -20,21 +20,14 @@
 #
 # `fancyindex` is from `nginx-extras`.
 server {
-    listen 80 default_server;
-    listen [::]:80 default_server;
+        listen 80 default_server;
+        listen [::]:80 default_server;

-    location / {
-        return 301 https://$host$request_uri;
-    }
-}
-
-server {
        # SSL configuration
        #
        # Partially generated by https://ssl-config.mozilla.org/.
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
-
        #
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
@ -50,6 +43,7 @@ server {
        ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
        # managed by Certbot.
        ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
+        include /etc/letsencrypt/options-ssl-nginx.conf;

        # OCSP stapling
        ssl_stapling on;
--- a/files/etc/ssh/sshd_config.d/custom.conf
+++ b/files/etc/ssh/sshd_config.d/custom.conf
@ -1,20 +1,3 @@
-# Authentication
-LoginGraceTime 2m
-PermitRootLogin prohibit-password
-StrictModes yes
-MaxAuthTries 6
-MaxSessions 10
-
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
 PermitEmptyPasswords no
-
-# Kerberos options
-KerberosAuthentication no
-
-# GSSAPI options
-GSSAPIAuthentication no
-
-# TODO: Confirm that this is not overridden by the global configuration file?
-# X11 is not installed on this machine anyway.
-X11Forwarding no
--- a/init.sh
+++ b/init.sh
@ -1,37 +0,0 @@
-#!/bin/sh
-
-set -eux
-
-apt update
-apt install -y apt-utils
-
-mkdir -p -- /var/shione/debian/pool/main
-cp -- /tmp/shione/build/*.deb /var/shione/debian/pool/main
-
-# XXX: Stolen from `local-apt-repository` which did not work for me for some reason.
-debs_dir_path=/var/shione/debian
-deb_repo_path=/var/lib/local-apt-repository
-mkdir -p -- "$deb_repo_path"
-
-# Relative paths work better than absolute
-cd -- "$deb_repo_path"
-apt-ftparchive packages ../../../"$debs_dir_path" >"$deb_repo_path"/Packages
-apt-ftparchive sources ../../../"$debs_dir_path" >"$deb_repo_path"/Sources
-
-apt-ftparchive \
-        -o "APT::FTPArchive::Release::Origin=local-apt-repository-shione" \
-        -o "APT::FTPArchive::Release::Description=Local repository created by a minimal version of local-apt-repository" \
-        release "$deb_repo_path" > "$deb_repo_path"/Release
-
-<<-EOF cat -- >/etc/apt/sources.list.d/local-apt-repository.list
-# This enables the local repositories provided by local-apt-repository
-#
-# We do not use cryptographic signatures, as they are read from local system
-# anyways.
-deb [trusted=yes] file:///var/lib/local-apt-repository/ ./
-deb-src [trusted=yes] file:///var/lib/local-apt-repository/ ./
-EOF
-
-apt update
-
-apt install -y nftables-config