test: initialize local apt repository for testing

This with the combination of `podman run --rm -v "$PWD:/tmp/shione" -it
debian:stable /bin/bash` allows me to quickly install packages to
validate that the installation process is valid. Post-deployment
failures/mis-configurations are another problem.

.gitignore

@@ -2,6 +2,7 @@
 **/debian/*-config
 **/debian/*.debhelper
 **/debian/debhelper-*
+**/files/etc/wireguard
 **/secrets
 *.build
 *.buildinfo
@@ -12,5 +13,5 @@
 *.postinst.debhelper
 *.substvars
 *.tar.xz
-**/files/etc/wireguard
+/build
 /debian/files

debian/cgit-config.postinst

@@ -1,12 +1,63 @@
 #!/bin/sh
-#
-# TODO: Handle "$1".
 
-set -e
+set -eu
 
 #DEBHELPER#
 
-# TODO: Setup git user and stuff.
+case "$1" in
+  install|upgrade)
 
-deb-systemd-helper enable fcgiwrap
-deb-systemd-invoke restart fcgiwrap
+  # Sane defaults:
+  git_home="${GIT_HOME:-/var/git}"
+  git_user="${GIT_USER:-git}"
+  git_name="${GIT_NAME:-git}"
+  git_group="${GIT_GROUP:-www-data}"
+
+  # create user to avoid running server as root
+  # 1. create group if not existing
+  if ! getent group | grep -q "^$git_group:" ; then
+     printf 'Adding group %s..\n' "$git_group"
+     addgroup --quiet --system "$git_group" 2>/dev/null
+     printf '..done\n'
+  fi
+
+  # 2. create homedir if not existing
+  if [ -d "$git_home" ]; then
+    # `/var` *must* exist.
+    mkdir -- "$git_home"
+  fi
+
+  # 3. create user if not existing
+  if ! getent passwd "$git_user"; then
+    printf  'Adding system user %s..\n' "$git_user"
+    # XXX: Do I really want a shell here?
+    adduser --quiet \
+            --system \
+            --ingroup "$git_group" \
+            --home "$git_home" \
+            --shell /bin/bash \
+            --disabled-password \
+            "$git_user"
+    printf '..done\n'
+  fi
+
+  # 4. adjust passwd entry
+  usermod \
+    -c "$git_name" \
+    -d "$git_home" \
+    -g "$git_group" \
+    "$git_user"
+
+  # 5. adjust file and directory permissions
+  if ! dpkg-statoverride --list "$git_home" >/dev/null
+  then
+      chown -R "$git_user":"$git_group" "$git_home"
+      chmod u=rwx,g=rxs,o= "$git_home"
+  fi
+
+  deb-systemd-helper enable fcgiwrap
+  deb-systemd-invoke restart fcgiwrap
+  deb-systemd-invoke restart nginx
+  ;;
+  # TODO: Handle remove, not that I need it yet though.
+esac

debian/control

@@ -27,7 +27,7 @@ Description: Shione nftables configuration.
 Package: nginx-config
 Architecture: all
 Multi-Arch: foreign
-Depends: ${misc:Depends}, nginx, certbot, python3-certbot-nginx
+Depends: ${misc:Depends}, nginx, certbot, libnginx-mod-http-fancyindex
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Shione nginx configuration.
@@ -45,7 +45,7 @@ Description: Shione wireguard configuration.
 Package: cgit-config
 Architecture: all
 Multi-Arch: foreign
-Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments python3-docutils python3-markdown
+Depends: ${misc:Depends}, nginx-config, cgit, fcgiwrap, python3-pygments, python3-docutils, python3-markdown
 Provides: ${diverted-files}
 Conflicts: ${diverted-files}
 Description: Shione cgit configuration.

debian/gbp.conf

@@ -4,5 +4,5 @@ upstream-branch=debian/bookworm
 debian-branch=debian/bookworm
 
 [buildpackage]
-export-dir = ../build-area-shione
+export-dir = ./build
 git-export = WC

debian/nftables-config.displace

@@ -1 +1 @@
-/etc/nftables.conf
+/etc/nftables.conf.shione

debian/nftables-config.displace-extension

@@ -0,0 +1 @@
+.shione

debian/nftables-config.install

@@ -1 +1 @@
-files/etc/nftables.conf /etc/
+files/etc/nftables.conf.shione /etc/

debian/nginx-config.hide

@@ -1 +1 @@
-/etc/nginx/sites-enables/defaut
+/etc/nginx/sites-enabled/default

debian/nginx-config.postinst

@@ -2,21 +2,31 @@
 #
 # TODO: Handle "$1".
 
-set -e
+set -eu
 
 #DEBHELPER#
 
 # `certbot` *must* be installed by this package.
-certbot \
-	--nginx \
-	--agree-tos \
-	--redirect \
-	--hsts \
-	--staple-ocsp \
-	--email renken+letsencrypt@shione.net \
-	-d shione.net \
-	-d www.shione.net \
-	-d git.shione.net
+if [ "$(hostname)" = shione ]; then
+	certbot \
+		--agree-tos \
+		--email renken+letsencrypt@shione.net \
+		-d shione.net \
+		-d www.shione.net \
+		-d git.shione.net
+else
+	out=/etc/letsencrypt/live/shione.net
+
+	mkdir -p -- "$out"
+	openssl genrsa \
+		>"$out"/privkey.pem
+	openssl req \
+		-new \
+		-x509 \
+		-key /etc/letsencrypt/live/shione.net/privkey.pem \
+		-subj '/CN=shione.net/O=shione.net./C=FR' \
+		>/etc/letsencrypt/live/shione.net/fullchain.pem
+fi
 
 # Apply new nginx configuration.
 deb-systemd-invoke restart nginx

files/etc/nginx/sites-available/shione.net

@@ -20,14 +20,21 @@
 #
 # `fancyindex` is from `nginx-extras`.
 server {
-        listen 80 default_server;
-        listen [::]:80 default_server;
+    listen 80 default_server;
+    listen [::]:80 default_server;
 
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
         # SSL configuration
         #
         # Partially generated by https://ssl-config.mozilla.org/.
         listen 443 ssl default_server;
         listen [::]:443 ssl default_server;
+
         #
         # Note: You should disable gzip for SSL traffic.
         # See: https://bugs.debian.org/773332
@@ -43,7 +50,6 @@ server {
         ssl_certificate /etc/letsencrypt/live/shione.net/fullchain.pem;
         # managed by Certbot.
         ssl_certificate_key /etc/letsencrypt/live/shione.net/privkey.pem;
-        include /etc/letsencrypt/options-ssl-nginx.conf;
 
         # OCSP stapling
         ssl_stapling on;

files/etc/ssh/sshd_config.d/custom.conf

@@ -1,3 +1,20 @@
+# Authentication
+LoginGraceTime 2m
+PermitRootLogin prohibit-password
+StrictModes yes
+MaxAuthTries 6
+MaxSessions 10
+
 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication no
 PermitEmptyPasswords no
+
+# Kerberos options
+KerberosAuthentication no
+
+# GSSAPI options
+GSSAPIAuthentication no
+
+# TODO: Confirm that this is not overridden by the global configuration file?
+# X11 is not installed on this machine anyway.
+X11Forwarding no

init.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+
+set -eux
+
+apt update
+apt install -y apt-utils
+
+mkdir -p -- /var/shione/debian/pool/main
+cp -- /tmp/shione/build/*.deb /var/shione/debian/pool/main
+
+# XXX: Stolen from `local-apt-repository` which did not work for me for some reason.
+debs_dir_path=/var/shione/debian
+deb_repo_path=/var/lib/local-apt-repository
+mkdir -p -- "$deb_repo_path"
+
+# Relative paths work better than absolute
+cd -- "$deb_repo_path"
+apt-ftparchive packages ../../../"$debs_dir_path" >"$deb_repo_path"/Packages
+apt-ftparchive sources ../../../"$debs_dir_path" >"$deb_repo_path"/Sources
+
+apt-ftparchive \
+        -o "APT::FTPArchive::Release::Origin=local-apt-repository-shione" \
+        -o "APT::FTPArchive::Release::Description=Local repository created by a minimal version of local-apt-repository" \
+        release "$deb_repo_path" > "$deb_repo_path"/Release
+
+<<-EOF cat -- >/etc/apt/sources.list.d/local-apt-repository.list
+# This enables the local repositories provided by local-apt-repository
+#
+# We do not use cryptographic signatures, as they are read from local system
+# anyways.
+deb [trusted=yes] file:///var/lib/local-apt-repository/ ./
+deb-src [trusted=yes] file:///var/lib/local-apt-repository/ ./
+EOF
+
+apt update
+
+apt install -y nftables-config