Compare commits
10 commits
bc1e6e4ca6
...
8a556f59d3
Author | SHA1 | Date | |
---|---|---|---|
8a556f59d3 | |||
cd8f0e853f | |||
207bf43a8b | |||
394d13aaaa | |||
bf417c04a1 | |||
52ec354da9 | |||
ceeba484f6 | |||
56a088c5db | |||
e43be67041 | |||
74ab982cf1 |
13 changed files with 150 additions and 27 deletions
3
.gitignore
vendored
3
.gitignore
vendored
|
@ -2,6 +2,7 @@
|
||||||
**/debian/*-config
|
**/debian/*-config
|
||||||
**/debian/*.debhelper
|
**/debian/*.debhelper
|
||||||
**/debian/debhelper-*
|
**/debian/debhelper-*
|
||||||
|
**/files/etc/wireguard
|
||||||
**/secrets
|
**/secrets
|
||||||
*.build
|
*.build
|
||||||
*.buildinfo
|
*.buildinfo
|
||||||
|
@ -12,5 +13,5 @@
|
||||||
*.postinst.debhelper
|
*.postinst.debhelper
|
||||||
*.substvars
|
*.substvars
|
||||||
*.tar.xz
|
*.tar.xz
|
||||||
**/files/etc/wireguard
|
/build
|
||||||
/debian/files
|
/debian/files
|
||||||
|
|
59
debian/cgit-config.postinst
vendored
59
debian/cgit-config.postinst
vendored
|
@ -1,12 +1,63 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
|
||||||
# TODO: Handle "$1".
|
|
||||||
|
|
||||||
set -e
|
set -eu
|
||||||
|
|
||||||
#DEBHELPER#
|
#DEBHELPER#
|
||||||
|
|
||||||
# TODO: Setup git user and stuff.
|
case "$1" in
|
||||||
|
install|upgrade)
|
||||||
|
|
||||||
|
# Sane defaults:
|
||||||
|
git_home="${GIT_HOME:-/var/git}"
|
||||||
|
git_user="${GIT_USER:-git}"
|
||||||
|
git_name="${GIT_NAME:-git}"
|
||||||
|
git_group="${GIT_GROUP:-www-data}"
|
||||||
|
|
||||||
|
# create user to avoid running server as root
|
||||||
|
# 1. create group if not existing
|
||||||
|
if ! getent group | grep -q "^$git_group:" ; then
|
||||||
|
printf 'Adding group %s..\n' "$git_group"
|
||||||
|
addgroup --quiet --system "$git_group" 2>/dev/null
|
||||||
|
printf '..done\n'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 2. create homedir if not existing
|
||||||
|
if [ -d "$git_home" ]; then
|
||||||
|
# `/var` *must* exist.
|
||||||
|
mkdir -- "$git_home"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 3. create user if not existing
|
||||||
|
if ! getent passwd "$git_user"; then
|
||||||
|
printf 'Adding system user %s..\n' "$git_user"
|
||||||
|
# XXX: Do I really want a shell here?
|
||||||
|
adduser --quiet \
|
||||||
|
--system \
|
||||||
|
--ingroup "$git_group" \
|
||||||
|
--home "$git_home" \
|
||||||
|
--shell /bin/bash \
|
||||||
|
--disabled-password \
|
||||||
|
"$git_user"
|
||||||
|
printf '..done\n'
|
||||||
|
fi
|
||||||
|
|
||||||
|
# 4. adjust passwd entry
|
||||||
|
usermod \
|
||||||
|
-c "$git_name" \
|
||||||
|
-d "$git_home" \
|
||||||
|
-g "$git_group" \
|
||||||
|
"$git_user"
|
||||||
|
|
||||||
|
# 5. adjust file and directory permissions
|
||||||
|
if ! dpkg-statoverride --list "$git_home" >/dev/null
|
||||||
|
then
|
||||||
|
chown -R "$git_user":"$git_group" "$git_home"
|
||||||
|
chmod u=rwx,g=rxs,o= "$git_home"
|
||||||
|
fi
|
||||||
|
|
||||||
deb-systemd-helper enable fcgiwrap
|
deb-systemd-helper enable fcgiwrap
|
||||||
deb-systemd-invoke restart fcgiwrap
|
deb-systemd-invoke restart fcgiwrap
|
||||||
|
deb-systemd-invoke restart nginx
|
||||||
|
;;
|
||||||
|
# TODO: Handle remove, not that I need it yet though.
|
||||||
|
esac
|
||||||
|
|
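Review bot: The `install|upgrade)` arm never matches in a postinst, which dpkg invokes as `postinst configure <most-recently-configured-version>` (`install` and `upgrade` are preinst arguments), so the group/user setup and the fcgiwrap/nginx enable and restart are dead code; the arm should read `configure)`. Once it does run, step 2 is inverted: `if [ -d "$git_home" ]` calls `mkdir` only when the directory already exists, which then fails under `set -e`, and never creates it when it is missing; it should be `if ! [ -d "$git_home" ]; then`. The `getent passwd "$git_user"` test in step 3 prints the passwd entry to stdout on every upgrade; redirect it with `>/dev/null` the way the dpkg-statoverride check does. On the `--shell /bin/bash` question the XXX comment raises, `/usr/bin/git-shell` limits the account to git commands if it only needs to serve repositories over SSH.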
4
debian/control
vendored
4
debian/control
vendored
|
@ -27,7 +27,7 @@ Description: Shione nftables configuration.
|
||||||
Package: nginx-config
|
Package: nginx-config
|
||||||
Architecture: all
|
Architecture: all
|
||||||
Multi-Arch: foreign
|
Multi-Arch: foreign
|
||||||
Depends: ${misc:Depends}, nginx, certbot, python3-certbot-nginx
|
Depends: ${misc:Depends}, nginx, certbot, libnginx-mod-http-fancyindex
|
||||||
Provides: ${diverted-files}
|
Provides: ${diverted-files}
|
||||||
Conflicts: ${diverted-files}
|
Conflicts: ${diverted-files}
|
||||||
Description: Shione nginx configuration.
|
Description: Shione nginx configuration.
|
||||||
|
@ -45,7 +45,7 @@ Description: Shione wireguard configuration.
|
||||||
Package: cgit-config
|
Package: cgit-config
|
||||||
Architecture: all
|
Architecture: all
|
||||||
Multi-Arch: foreign
|
Multi-Arch: foreign
|
||||||
Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments python3-docutils python3-markdown
|
Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments, python3-docutils, python3-markdown
|
||||||
Provides: ${diverted-files}
|
Provides: ${diverted-files}
|
||||||
Conflicts: ${diverted-files}
|
Conflicts: ${diverted-files}
|
||||||
Description: Shione cgit configuration.
|
Description: Shione cgit configuration.
|
||||||
|
|
2
debian/gbp.conf
vendored
2
debian/gbp.conf
vendored
|
@ -4,5 +4,5 @@ upstream-branch=debian/bookworm
|
||||||
debian-branch=debian/bookworm
|
debian-branch=debian/bookworm
|
||||||
|
|
||||||
[buildpackage]
|
[buildpackage]
|
||||||
export-dir = ../build-area-shione
|
export-dir = ./build
|
||||||
git-export = WC
|
git-export = WC
|
||||||
|
|
2
debian/nftables-config.displace
vendored
2
debian/nftables-config.displace
vendored
|
@ -1 +1 @@
|
||||||
/etc/nftables.conf
|
/etc/nftables.conf.shione
|
||||||
|
|
1
debian/nftables-config.displace-extension
vendored
Normal file
1
debian/nftables-config.displace-extension
vendored
Normal file
|
@ -0,0 +1 @@
|
||||||
|
.shione
|
2
debian/nftables-config.install
vendored
2
debian/nftables-config.install
vendored
|
@ -1 +1 @@
|
||||||
files/etc/nftables.conf /etc/
|
files/etc/nftables.conf.shione /etc/
|
||||||
|
|
2
debian/nginx-config.hide
vendored
2
debian/nginx-config.hide
vendored
|
@ -1 +1 @@
|
||||||
/etc/nginx/sites-enables/defaut
|
/etc/nginx/sites-enabled/default
|
||||||
|
|
20
debian/nginx-config.postinst
vendored
20
debian/nginx-config.postinst
vendored
|
@ -2,21 +2,31 @@
|
||||||
#
|
#
|
||||||
# TODO: Handle "$1".
|
# TODO: Handle "$1".
|
||||||
|
|
||||||
set -e
|
set -eu
|
||||||
|
|
||||||
#DEBHELPER#
|
#DEBHELPER#
|
||||||
|
|
||||||
# `certbot` *must* be installed by this package.
|
# `certbot` *must* be installed by this package.
|
||||||
|
if [ "$(hostname)" = shione ]; then
|
||||||
certbot \
|
certbot \
|
||||||
--nginx \
|
|
||||||
--agree-tos \
|
--agree-tos \
|
||||||
--redirect \
|
|
||||||
--hsts \
|
|
||||||
--staple-ocsp \
|
|
||||||
--email renken+letsencrypt@shione.net \
|
--email renken+letsencrypt@shione.net \
|
||||||
-d shione.net \
|
-d shione.net \
|
||||||
-d www.shione.net \
|
-d www.shione.net \
|
||||||
-d git.shione.net
|
-d git.shione.net
|
||||||
|
else
|
||||||
|
out=/etc/letsencrypt/live/shione.net
|
||||||
|
|
||||||
|
mkdir -p -- "$out"
|
||||||
|
openssl genrsa \
|
||||||
|
>"$out"/privkey.pem
|
||||||
|
openssl req \
|
||||||
|
-new \
|
||||||
|
-x509 \
|
||||||
|
-key /etc/letsencrypt/live/shione.net/privkey.pem \
|
||||||
|
-subj '/CN=shione.net/O=shione.net./C=FR' \
|
||||||
|
>/etc/letsencrypt/live/shione.net/fullchain.pem
|
||||||
|
fi
|
||||||
|
|
||||||
# Apply new nginx configuration.
|
# Apply new nginx configuration.
|
||||||
deb-systemd-invoke restart nginx
|
deb-systemd-invoke restart nginx
|
||||||
|
|
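Review bot: The self-signed fallback writes the private key through a plain shell redirect, `openssl genrsa >"$out"/privkey.pem`, so the file's mode comes from the maintainer script's umask (typically 022) and the key ends up readable by every local user; run it as `(umask 077; openssl genrsa >"$out"/privkey.pem)` or `chmod 600` the file right after. The certbot branch dropped `--nginx` but names no other authenticator or installer and has no `--non-interactive`, so run from a maintainer script without a terminal it has nothing to drive plugin selection with and will prompt or abort instead of issuing a certificate; pass `--non-interactive` together with `--nginx`, `--webroot` or `--standalone`, whichever matches how the site config now consumes the files. The `openssl req -x509` call has no `-days`, so the generated fullchain.pem is valid for only 30 days by default, and the `-key` and output lines spell out `/etc/letsencrypt/live/shione.net/` where `"$out"` already holds that path.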
|
@ -23,11 +23,18 @@ server {
|
||||||
listen 80 default_server;
|
listen 80 default_server;
|
||||||
listen [::]:80 default_server;
|
listen [::]:80 default_server;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
# SSL configuration
|
# SSL configuration
|
||||||
#
|
#
|
||||||
# Partially generated by https://ssl-config.mozilla.org/.
|
# Partially generated by https://ssl-config.mozilla.org/.
|
||||||
listen 443 ssl default_server;
|
listen 443 ssl default_server;
|
||||||
listen [::]:443 ssl default_server;
|
listen [::]:443 ssl default_server;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Note: You should disable gzip for SSL traffic.
|
# Note: You should disable gzip for SSL traffic.
|
||||||
# See: https://bugs.debian.org/773332
|
# See: https://bugs.debian.org/773332
|
||||||
|
@ -43,7 +50,6 @@ server {
|
||||||
ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
|
||||||
# managed by Certbot.
|
# managed by Certbot.
|
||||||
ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
|
||||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
||||||
|
|
||||||
# OCSP stapling
|
# OCSP stapling
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
|
|
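Review bot: The `include /etc/letsencrypt/options-ssl-nginx.conf;` line removed in the second hunk is where certbot's `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers` and `ssl_session_*` settings came from; unless this file now sets them outside these hunks (the Mozilla-generator comment suggests it may), the 443 server falls back to nginx's built-in defaults, so confirm with `nginx -T` that protocol and cipher lines are present. The old certbot `--hsts` flag also inserted a `Strict-Transport-Security` header and none is visible in the new `server` block; add `add_header Strict-Transport-Security "max-age=63072000" always;` if it is not set elsewhere. The redirect `return 301 https://$host$request_uri;` echoes the client's Host header on a default_server block; `$server_name` or a literal host avoids redirecting to arbitrary hosts, a minor point given the named domains. The file header for this section is not in view, so the path is unknown here.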
|
@ -1,3 +1,20 @@
|
||||||
|
# Authentication
|
||||||
|
LoginGraceTime 2m
|
||||||
|
PermitRootLogin prohibit-password
|
||||||
|
StrictModes yes
|
||||||
|
MaxAuthTries 6
|
||||||
|
MaxSessions 10
|
||||||
|
|
||||||
# To disable tunneled clear text passwords, change to no here!
|
# To disable tunneled clear text passwords, change to no here!
|
||||||
PasswordAuthentication no
|
PasswordAuthentication no
|
||||||
PermitEmptyPasswords no
|
PermitEmptyPasswords no
|
||||||
|
|
||||||
|
# Kerberos options
|
||||||
|
KerberosAuthentication no
|
||||||
|
|
||||||
|
# GSSAPI options
|
||||||
|
GSSAPIAuthentication no
|
||||||
|
|
||||||
|
# TODO: Confirm that this is not overridden by the global configuration file?
|
||||||
|
# X11 is not installed on this machine anyway.
|
||||||
|
X11Forwarding no
|
||||||
|
|
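Review bot: The TODO about the global configuration can be answered from sshd's precedence rule: for each keyword the first value read wins, so if this file is a drop-in under `/etc/ssh/sshd_config.d/` and Debian's stock `sshd_config` keeps its `Include /etc/ssh/sshd_config.d/*.conf` near the top, these settings take effect before anything in the main file; `sshd -T` prints the effective values to verify this on the host. `PasswordAuthentication no` alone does not stop PAM password prompts over keyboard-interactive; add `KbdInteractiveAuthentication no` unless it is set elsewhere. `LoginGraceTime 2m`, `PermitRootLogin prohibit-password`, `StrictModes yes`, `MaxAuthTries 6` and `MaxSessions 10` all restate OpenSSH defaults, which is fine as an explicit baseline but worth a comment saying so, e.g. `# Defaults restated so they survive distro changes.`. The file header for this section is not in view, so the path is unknown here.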
37
init.sh
Executable file
37
init.sh
Executable file
|
@ -0,0 +1,37 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
set -eux
|
||||||
|
|
||||||
|
apt update
|
||||||
|
apt install -y apt-utils
|
||||||
|
|
||||||
|
mkdir -p -- /var/shione/debian/pool/main
|
||||||
|
cp -- /tmp/shione/build/*.deb /var/shione/debian/pool/main
|
||||||
|
|
||||||
|
# XXX: Stolen from `local-apt-repository` which did not work for me for some reason.
|
||||||
|
debs_dir_path=/var/shione/debian
|
||||||
|
deb_repo_path=/var/lib/local-apt-repository
|
||||||
|
mkdir -p -- "$deb_repo_path"
|
||||||
|
|
||||||
|
# Relative paths work better than absolute
|
||||||
|
cd -- "$deb_repo_path"
|
||||||
|
apt-ftparchive packages ../../../"$debs_dir_path" >"$deb_repo_path"/Packages
|
||||||
|
apt-ftparchive sources ../../../"$debs_dir_path" >"$deb_repo_path"/Sources
|
||||||
|
|
||||||
|
apt-ftparchive \
|
||||||
|
-o "APT::FTPArchive::Release::Origin=local-apt-repository-shione" \
|
||||||
|
-o "APT::FTPArchive::Release::Description=Local repository created by a minimal version of local-apt-repository" \
|
||||||
|
release "$deb_repo_path" > "$deb_repo_path"/Release
|
||||||
|
|
||||||
|
<<-EOF cat -- >/etc/apt/sources.list.d/local-apt-repository.list
|
||||||
|
# This enables the local repositories provided by local-apt-repository
|
||||||
|
#
|
||||||
|
# We do not use cryptographic signatures, as they are read from local system
|
||||||
|
# anyways.
|
||||||
|
deb [trusted=yes] file:///var/lib/local-apt-repository/ ./
|
||||||
|
deb-src [trusted=yes] file:///var/lib/local-apt-repository/ ./
|
||||||
|
EOF
|
||||||
|
|
||||||
|
apt update
|
||||||
|
|
||||||
|
apt install -y nftables-config
|
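Review bot: `../../../"$debs_dir_path"` glues a relative prefix to an absolute path and yields `../../..//var/shione/debian`; it works only because `$deb_repo_path` sits three levels below `/`, and apt-ftparchive records that spelling verbatim in the `Filename:` fields of the Packages index. Dropping the trailing slash of the prefix, `../../..${debs_dir_path}`, gives the plain relative path `../../../var/shione/debian` the comment is after (same for the `sources` call). `apt` warns that it has no stable CLI interface when used in scripts; `apt-get update` and `apt-get install -y` are the scriptable forms. `[trusted=yes]` disables signature checks for this source, which the comment justifies for a local file:// repository; that only holds while `/var/lib/local-apt-repository` stays writable by root alone, so it is worth saying so in the comment.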