Compare commits


10 commits

Author SHA1 Message Date
8a556f59d3
test: initialize local apt repository for testing
This, in combination with `podman run --rm -v "$PWD:/tmp/shione" -it
debian:stable /bin/bash`, allows me to quickly install packages to
validate that the installation process is valid. Post-deployment
failures/mis-configurations are another problem.
2024-10-08 22:56:46 +02:00
cd8f0e853f
nginx: generate certificates for test targets
Podman will be used to test the generated Debian packages to ensure that
they work properly. However, this means that it is NOT shione and
therefore cannot solve the letsencrypt challenge, among many other things
that can only be done by shione. The goal is to have a staging area that
can mock the latter.
2024-10-08 22:53:57 +02:00
207bf43a8b
cgit: implement initial postinstall logic
Mainly creating the `git` user if missing, as well as restarting relevant
systemd services.
2024-10-08 22:53:01 +02:00
394d13aaaa
gitignore: ignore build and wireguard directories 2024-10-08 22:52:10 +02:00
bf417c04a1
gbp: set build directory to ./build 2024-10-08 22:51:37 +02:00
52ec354da9
ssh: limit overall login attempts and interactions
Additionally also disable any unnecessary/unused features by default.
2024-10-08 22:49:47 +02:00
ceeba484f6
nginx: fix nginx default config path to be hidden 2024-10-08 22:49:01 +02:00
56a088c5db
nginx: drop letsencrypt conf in favor of mozilla ssl
`certbot` argument parsing and plugin management aren't very suitable
when it comes to automating nginx configuration through Debian
packaging. It is not possible to instruct it to *only* generate
letsencrypt ssl configuration for nginx, which breaks the postinst
script. The missing fancyindex dependency was also added.
2024-10-08 22:42:54 +02:00
e43be67041
cgit: add missing comma in dependencies list 2024-10-08 22:38:32 +02:00
74ab982cf1
nftables: fix broken displace logic
It seems that my package was broken due to a slight misinterpretation
of the `config-package-dev` documentation.
2024-10-08 22:35:31 +02:00
13 changed files with 150 additions and 27 deletions

.gitignore

@ -2,6 +2,7 @@
**/debian/*-config **/debian/*-config
**/debian/*.debhelper **/debian/*.debhelper
**/debian/debhelper-* **/debian/debhelper-*
**/files/etc/wireguard
**/secrets **/secrets
*.build *.build
*.buildinfo *.buildinfo
@ -12,5 +13,5 @@
*.postinst.debhelper *.postinst.debhelper
*.substvars *.substvars
*.tar.xz *.tar.xz
**/files/etc/wireguard /build
/debian/files /debian/files


@ -1,12 +1,63 @@
#!/bin/sh #!/bin/sh
#
# TODO: Handle "$1".
set -e set -eu
#DEBHELPER# #DEBHELPER#
# TODO: Setup git user and stuff. case "$1" in
install|upgrade)
deb-systemd-helper enable fcgiwrap # Sane defaults:
deb-systemd-invoke restart fcgiwrap git_home="${GIT_HOME:-/var/git}"
git_user="${GIT_USER:-git}"
git_name="${GIT_NAME:-git}"
git_group="${GIT_GROUP:-www-data}"
# create user to avoid running server as root
# 1. create group if not existing
if ! getent group | grep -q "^$git_group:" ; then
printf 'Adding group %s..\n' "$git_group"
addgroup --quiet --system "$git_group" 2>/dev/null
printf '..done\n'
fi
# 2. create homedir if not existing
if [ -d "$git_home" ]; then
# `/var` *must* exist.
mkdir -- "$git_home"
fi
# 3. create user if not existing
if ! getent passwd "$git_user"; then
printf 'Adding system user %s..\n' "$git_user"
# XXX: Do I really want a shell here?
adduser --quiet \
--system \
--ingroup "$git_group" \
--home "$git_home" \
--shell /bin/bash \
--disabled-password \
"$git_user"
printf '..done\n'
fi
# 4. adjust passwd entry
usermod \
-c "$git_name" \
-d "$git_home" \
-g "$git_group" \
"$git_user"
# 5. adjust file and directory permissions
if ! dpkg-statoverride --list "$git_home" >/dev/null
then
chown -R "$git_user":"$git_group" "$git_home"
chmod u=rwx,g=rxs,o= "$git_home"
fi
deb-systemd-helper enable fcgiwrap
deb-systemd-invoke restart fcgiwrap
deb-systemd-invoke restart nginx
;;
# TODO: Handle remove, not that I need it yet though.
esac
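Review bot: the `case "$1" in` labels `install|upgrade)` never match in a postinst: dpkg invokes postinst with `configure <old-version>` (and `abort-upgrade`, `abort-remove`, `abort-deconfigure`), while `install` and `upgrade` are preinst arguments, so none of the group, user, directory, permission or service handling below runs at all; the label should be `configure)`. Second, step 2 is inverted: `if [ -d "$git_home" ]; then` followed by `mkdir -- "$git_home"` only attempts the mkdir when the directory already exists, which then fails under `set -eu`; the test should be `! -d`. Smaller points: `getent passwd "$git_user"` in step 3 lacks `>/dev/null`, so the passwd entry is echoed into the install log; `getent group "$git_group" >/dev/null` would replace the `getent group | grep -q "^$git_group:"` pipeline; the `# XXX: Do I really want a shell here?` question answers itself for an account that only backs cgit through fcgiwrap, where `/usr/sbin/nologin` (or `/usr/bin/git-shell` if ssh push is planned later) is the least privilege that still works; and the `chown -R` in step 5 re-owns everything under `$git_home` on every upgrade, which silently takes over repositories an admin may have placed there, so consider limiting it to the directory itself or to the first install.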

debian/control

@ -27,7 +27,7 @@ Description: Shione nftables configuration.
Package: nginx-config Package: nginx-config
Architecture: all Architecture: all
Multi-Arch: foreign Multi-Arch: foreign
Depends: ${misc:Depends}, nginx, certbot, python3-certbot-nginx Depends: ${misc:Depends}, nginx, certbot, libnginx-mod-http-fancyindex
Provides: ${diverted-files} Provides: ${diverted-files}
Conflicts: ${diverted-files} Conflicts: ${diverted-files}
Description: Shione nginx configuration. Description: Shione nginx configuration.
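Review bot: `certbot` remains a hard dependency even though the reworked nginx postinst only calls it when the hostname is `shione`, so every podman test container installs certbot and its Python stack for nothing; `Recommends:` would express the relationship better. Dropping `python3-certbot-nginx` also removes certbot's only installer plugin, so the postinst can no longer rely on certbot editing the nginx configuration and must obtain certificates with `certonly` instead. Adding `libnginx-mod-http-fancyindex` matches the `fancyindex` use the commit message mentions.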
@ -45,7 +45,7 @@ Description: Shione wireguard configuration.
Package: cgit-config Package: cgit-config
Architecture: all Architecture: all
Multi-Arch: foreign Multi-Arch: foreign
Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments python3-docutils python3-markdown Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments, python3-docutils, python3-markdown
Provides: ${diverted-files} Provides: ${diverted-files}
Conflicts: ${diverted-files} Conflicts: ${diverted-files}
Description: Shione cgit configuration. Description: Shione cgit configuration.
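Review bot: the unseparated `python3-pygments python3-docutils python3-markdown` is not a valid dependency relationship, so the field would have been rejected at build time; the commas fix that. `fcgiwrap` is also the unit the postinst enables and restarts, so the dependency set now covers everything the maintainer script touches.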

debian/gbp.conf

@ -4,5 +4,5 @@ upstream-branch=debian/bookworm
debian-branch=debian/bookworm debian-branch=debian/bookworm
[buildpackage] [buildpackage]
export-dir = ../build-area-shione export-dir = ./build
git-export = WC git-export = WC
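Review bot: `export-dir = ./build` keeps build artefacts inside the working tree, which is why `/build` is now in .gitignore and why init.sh expects `/tmp/shione/build/*.deb` after mounting the repository; the three files are consistent. Note that `git-export = WC` builds from the working copy, uncommitted changes included, so a package produced this way can differ from what is in git; that is fine for the podman smoke test but not for anything intended to be published.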


@ -1 +1 @@
/etc/nftables.conf /etc/nftables.conf.shione


@ -0,0 +1 @@
.shione


@ -1 +1 @@
files/etc/nftables.conf /etc/ files/etc/nftables.conf.shione /etc/
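Review bot: these three one-line hunks belong together and now follow the config-package-dev displace convention: the `.displace` entry names the path with the displace extension (`/etc/nftables.conf.shione`), the extension itself is declared once (`.shione`), and the `.install` entry ships the file under that suffixed name, so at install time the stock `/etc/nftables.conf` is diverted and replaced by a symlink to the `.shione` copy. Previously the `.displace` entry named the unsuffixed `/etc/nftables.conf`, which is the misinterpretation the commit message refers to. Worth checking in the podman run that `/etc/nftables.conf` is a symlink and `dpkg-divert --list` shows the diversion.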


@ -1 +1 @@
/etc/nginx/sites-enables/defaut /etc/nginx/sites-enabled/default
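Review bot: the old entry `/etc/nginx/sites-enables/defaut` had two typos, so config-package-dev never acted on the real symlink and Debian's stock default site stayed enabled next to this package's own `default_server` blocks; nginx refuses a second `default_server` on the same address and port (`a duplicate default server`), so the configuration could not have loaded until this fix. An `nginx -t` in the podman run would catch a regression here.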


@ -2,21 +2,31 @@
# #
# TODO: Handle "$1". # TODO: Handle "$1".
set -e set -eu
#DEBHELPER# #DEBHELPER#
# `certbot` *must* be installed by this package. # `certbot` *must* be installed by this package.
certbot \ if [ "$(hostname)" = shione ]; then
--nginx \ certbot \
--agree-tos \ --agree-tos \
--redirect \
--hsts \
--staple-ocsp \
--email renken+letsencrypt@shione.net \ --email renken+letsencrypt@shione.net \
-d shione.net \ -d shione.net \
-d www.shione.net \ -d www.shione.net \
-d git.shione.net -d git.shione.net
else
out=/etc/letsencrypt/live/shione.net
mkdir -p -- "$out"
openssl genrsa \
>"$out"/privkey.pem
openssl req \
-new \
-x509 \
-key /etc/letsencrypt/live/shione.net/privkey.pem \
-subj '/CN=shione.net/O=shione.net./C=FR' \
>/etc/letsencrypt/live/shione.net/fullchain.pem
fi
# Apply new nginx configuration. # Apply new nginx configuration.
deb-systemd-invoke restart nginx deb-systemd-invoke restart nginx
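Review bot: with `--nginx` removed and `python3-certbot-nginx` no longer installed, the bare `certbot` call (the implicit `run` subcommand) has neither an authenticator nor an installer plugin, so it prompts for one or, non-interactively, aborts with missing command line flags; in a postinst use `certbot certonly --non-interactive --webroot -w <docroot> ...` (or `--standalone` before nginx is started) and keep redirect, HSTS and OCSP settings in the nginx configuration, as the site file already does for the redirect. In the `else` branch, `openssl genrsa >"$out"/privkey.pem` creates the key with the current umask, normally 0644, so the TLS private key is world-readable; write it with `-out` after `umask 077`, or `chmod 600` it. `openssl req -new -x509` without `-days` issues a 30-day certificate, so a longer-lived test container starts failing TLS after a month, and the `-key` and output paths repeat the literal `/etc/letsencrypt/live/shione.net` instead of `$out`. Branching on `hostname` also means a real deployment under any other name silently gets a self-signed certificate; an explicit marker (an environment variable or a file) is less surprising.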


@ -23,11 +23,18 @@ server {
listen 80 default_server; listen 80 default_server;
listen [::]:80 default_server; listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
}
server {
# SSL configuration # SSL configuration
# #
# Partially generated by https://ssl-config.mozilla.org/. # Partially generated by https://ssl-config.mozilla.org/.
listen 443 ssl default_server; listen 443 ssl default_server;
listen [::]:443 ssl default_server; listen [::]:443 ssl default_server;
# #
# Note: You should disable gzip for SSL traffic. # Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332 # See: https://bugs.debian.org/773332
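Review bot: `return 301 https://$host$request_uri;` in a `default_server` block reflects whatever Host header the client sent, so a request with a forged Host is redirected to that foreign name; since this server only answers for shione.net names, redirect to a literal `https://shione.net$request_uri`, or to `$server_name` once `server_name` lists the real hosts. With `--hsts` dropped from the certbot call nothing now emits `Strict-Transport-Security`; if HSTS is still wanted, add the header in the 443 block, but only once the certificate in use is the real one.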
@ -43,7 +50,6 @@ server {
ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem; ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
# managed by Certbot. # managed by Certbot.
ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
# OCSP stapling # OCSP stapling
ssl_stapling on; ssl_stapling on;
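Review bot: removing `include /etc/letsencrypt/options-ssl-nginx.conf;` also removes the `ssl_protocols`, `ssl_ciphers`, `ssl_prefer_server_ciphers` and `ssl_session_*` settings certbot used to supply, so the Mozilla-generated block above must now carry them itself; confirm with `nginx -T` that they are set rather than falling back to nginx defaults. With the self-signed staging certificate, `ssl_stapling on` produces a warning about a missing issuer certificate because there is no OCSP responder; harmless, but expected in the podman run.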


@ -1,3 +1,20 @@
# Authentication
LoginGraceTime 2m
PermitRootLogin prohibit-password
StrictModes yes
MaxAuthTries 6
MaxSessions 10
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no PasswordAuthentication no
PermitEmptyPasswords no PermitEmptyPasswords no
# Kerberos options
KerberosAuthentication no
# GSSAPI options
GSSAPIAuthentication no
# TODO: Confirm that this is not overridden by the global configuration file?
# X11 is not installed on this machine anyway.
X11Forwarding no
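Review bot: `LoginGraceTime 2m`, `PermitRootLogin prohibit-password`, `StrictModes yes`, `MaxAuthTries 6` and `MaxSessions 10` are OpenSSH's built-in defaults, as are `KerberosAuthentication no` and `GSSAPIAuthentication no`, so this hunk documents the defaults rather than limiting anything; to actually restrict login attempts, lower `MaxAuthTries` (3 is common) and `LoginGraceTime` (30s), and cap `MaxStartups`. On the TODO: Debian's sshd_config starts with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the first value it reads for a keyword, so a drop-in under sshd_config.d wins over the main file rather than being overridden by it; `sshd -T` prints the effective values to verify. `PermitRootLogin prohibit-password` together with `PasswordAuthentication no` is consistent with the key-only intent.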

init.sh (new executable file)

@ -0,0 +1,37 @@
#!/bin/sh
set -eux
apt update
apt install -y apt-utils
mkdir -p -- /var/shione/debian/pool/main
cp -- /tmp/shione/build/*.deb /var/shione/debian/pool/main
# XXX: Stolen from `local-apt-repository` which did not work for me for some reason.
debs_dir_path=/var/shione/debian
deb_repo_path=/var/lib/local-apt-repository
mkdir -p -- "$deb_repo_path"
# Relative paths work better than absolute
cd -- "$deb_repo_path"
apt-ftparchive packages ../../../"$debs_dir_path" >"$deb_repo_path"/Packages
apt-ftparchive sources ../../../"$debs_dir_path" >"$deb_repo_path"/Sources
apt-ftparchive \
-o "APT::FTPArchive::Release::Origin=local-apt-repository-shione" \
-o "APT::FTPArchive::Release::Description=Local repository created by a minimal version of local-apt-repository" \
release "$deb_repo_path" > "$deb_repo_path"/Release
<<-EOF cat -- >/etc/apt/sources.list.d/local-apt-repository.list
# This enables the local repositories provided by local-apt-repository
#
# We do not use cryptographic signatures, as they are read from local system
# anyways.
deb [trusted=yes] file:///var/lib/local-apt-repository/ ./
deb-src [trusted=yes] file:///var/lib/local-apt-repository/ ./
EOF
apt update
apt install -y nftables-config
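Review bot: `deb [trusted=yes] file:///...` disables all signature verification for this source; that is acceptable only because the script runs inside a throw-away container against packages you built yourself, as the comment says, so make sure this sources.list entry never ends up in a shipped package. `apt-ftparchive packages ../../../"$debs_dir_path"` with an absolute `$debs_dir_path` expands to `../../..//var/shione/debian`, which only works from `/var/lib/local-apt-repository` because `../../..` lands on `/`, and the `Filename:` entries in Packages inherit that odd prefix; running `apt-ftparchive packages pool` from `/var/shione/debian` (or symlinking the pool into the repository directory) would be cleaner. `apt-ftparchive sources` over a directory that holds only `.deb` files writes an empty Sources, so the `deb-src` line can be dropped.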