authorLuke Shumaker <lukeshu@sbcglobal.net>2016-07-13 16:33:46 +0000
committerLuke Shumaker <lukeshu@sbcglobal.net>2016-07-13 16:33:46 +0000
commit1f266d2130b505f0cc4db3a4ec63effbfd70e5c8 (patch)
tree3325d84f918de63fa534e24ab5e1abc5521a03a5
parentc54c75a7c796b2ae43167737e35acdaa41b715b3 (diff)
more
-rw-r--r--Makefile2
-rw-r--r--config-certbot.PKGBUILD29
-rw-r--r--config-service-git.PKGBUILD75
-rw-r--r--config-service-projects.PKGBUILD27
-rw-r--r--config-timedate-utc.PKGBUILD16
-rw-r--r--config-winston-base.PKGBUILD13
6 files changed, 128 insertions, 34 deletions
diff --git a/Makefile b/Makefile
index db4f325..ce976fa 100644
--- a/Makefile
+++ b/Makefile
@@ -21,6 +21,8 @@ $(foreach p,$(patsubst %.PKGBUILD,%,$(pkgbuilds)), \
repo-add $*.db.tar.gz $(filter %.pkg.tar.xz,$^)
touch --no-create --no-dereference $*.db $*.db.tar.gz $*.files $*.files.tar.gz
+.var.pkgfiles: $(pkgbuilds)
+
.var.%: FORCE
@printf '%s' '$(subst ','\\'',$($*))' | sed 's/^/#/' | ./write-ifchanged $@
-include $(wildcard .var.*)
diff --git a/config-certbot.PKGBUILD b/config-certbot.PKGBUILD
index caff71c..77b6e56 100644
--- a/config-certbot.PKGBUILD
+++ b/config-certbot.PKGBUILD
@@ -1,5 +1,5 @@
. ${BUILDFILE%/*}/common.sh
-pkgver=20160713.4
+pkgver=20160713.5
depends=(certbot)
@@ -22,20 +22,18 @@ cd "$pkgdir"
# add this domain as a Subject Alternative Name". You have to re-run
# the same (long) command to get the cert, but with the domain added.
# So, I've encapsulated this into the script
-# `/etc/ssl/misc/certbot-get`. Edit the array of domains at the top
-# of the script, then run it.
+# `/etc/ssl/misc/certbot-get`. Edit `/etc/ssl/misc/certbot-get.d/` to
+# manipulate the list of domains, then run the script.
add-file -m755 etc/ssl/misc/certbot-get <<<'#!/bin/bash
-
-# The first name listed should be the canonical host name
-domains=(
- winston.parabola.nu
- {git,projects}.{parabola.nu,parabolagnulinux.org}
-)
-
-########################################################################
{
set -eu
+ # The first name listed should be the canonical host name
+ domains=(
+ $(hostname -f)
+ $(find -L "$0.d" -type f -executable -exec {} \;)
+ )
+
if [[ "`whoami`" != '\''keys'\'' ]]; then
>&2 printf '\''%q: This script must be run as user `%s'\''\'\'''\''\n'\'' "$0" keys
exit 1
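Review bot: The hook directory is executed before the user guard: `domains=( $(hostname -f) $(find -L "$0.d" -type f -executable -exec {} \;) )` runs every executable under `certbot-get.d/` as whoever invoked the script, and only afterwards does the `whoami` check reject a non-`keys` caller, so an accidental run as root has already executed the hooks as root by the time it bails out. Move the `if [[ "`whoami`" != 'keys' ]]; then … fi` block above `domains=(`. Separately, `find … -exec {} \;` does not propagate a hook's exit status, so under `set -eu` a broken hook silently drops its names from the SAN list rather than aborting; a `for hook in "$0.d"/*; do … "$hook" || exit 1; done` loop (or at least logging find's stderr) would make that failure visible. The enclosing `{ … }` block continues past the end of this hunk.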
@@ -45,11 +43,10 @@ domains=(
Our "\`${0##*/}\`" script is used to '\''*add*'\'' or
'\''*remove*'\'' certificates\; use '\''`certbot renew`'\'' to
- renew them. To use "${0##*/}," edit the
- '\''hostnames=()'\'' list of domains at the beginning of the
- script, '\''then'\'' run it to get a new certificate with a
- new Subject Alternative Name field matching the new
- list of domains.
+ renew them. To use "${0##*/}," edit "\`${0##*/}.d/\`" to
+ manipulate the list of domains, '\''then'\'' run it to get a
+ new certificate with a new Subject Alternative Name field
+ matching the new list of domains.
$'\''\n\n'\''Are you sure that you are ready to run this?
It will eat into the "Let'\''s Encrypt" usage limit.
diff --git a/config-service-git.PKGBUILD b/config-service-git.PKGBUILD
new file mode 100644
index 0000000..607c519
--- /dev/null
+++ b/config-service-git.PKGBUILD
@@ -0,0 +1,75 @@
+. ${BUILDFILE%/*}/common.sh
+pkgver=20160713.2
+
+depends=(git cgit uwsgi-plugin-cgi config-uwsgi)
+
+package() {
+cd "$pkgdir"
+
+add-file -m755 etc/ssl/misc/certbot-get.d/10-git <<EOF
+#!/bin/bash
+echo git.{parabola.nu,parabolagnulinux.org}
+EOF
+
+# Metadata about all of the git repositories, as well as most of the
+# setup, lives in the git-meta.git repository. The git user has a
+# cron-job to update this repository every hour.
+install -d etc/cron.spool
+add-file -m600 -o git -g git etc/cron.spool/git <<EOF
+MAILTO=maintenance@lists.parabola.nu
+PATH=/srv/git/.local/bin:/bin
+#min hour dom mon dow cmd
+0 * * * * chronic bash -c "update-gitmeta 'Update from cron' 2>&1"
+EOF
+
+
+# ## transport: git protocol
+
+add-unit etc/systemd/system/sockets.target.wants/git-daemon.socket
+
+# ## transport: HTTPS
+
+# The git web interface is cgit, which is managed by uWSGI speaking
+# uwsgi/modifier1=9, which is the variant of the uwsgi protocol for
+# CGI requests.
+add-file etc/nginx/sites/server-git.parabola.nu.conf <<EOF
+# -*- Mode: nginx; nginx-indent-level: 8; indent-tabs-mode: t -*-
+
+server {
+ server_name git.parabola.nu;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ error_log /var/log/nginx/nginx.http.git.parabola.nu.error.log error;
+ access_log /var/log/nginx/nginx.http.git.parabola.nu.access.log specific;
+
+ location / {
+ try_files \$uri @cgit;
+ }
+
+ location @cgit {
+ uwsgi_pass unix:/run/uwsgi/git.sock;
+ uwsgi_modifier1 9; # Standard CGI request
+ include uwsgi_params;
+ }
+}
+EOF
+
+# uwsgi/git.ini sets CGIT_CONFIG=/srv/http/git.parabola.nu/cgitrc.
+add-file etc/uwsgi/git.ini <<EOF
+[uwsgi]
+master = true
+processes = 1
+
+uid = http
+gid = http
+
+plugins = cgi
+env = CGIT_CONFIG=/srv/http/git.parabola.nu/cgitrc
+cgi = /srv/http/git.parabola.nu/cgit.cgi
+EOF
+
+add-unit etc/systemd/system/sockets.target.wants/uwsgi@git.socket
+
+backup=($(find "$pkgdir" -type f -printf '%P\n'))
+}
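Review bot: The nginx `server` block sets no `root`, so `try_files \$uri @cgit` resolves `\$uri` against nginx's compiled-in default document root rather than the cgit install; any path that happens to exist there is served as a static file and everything else is handed to cgit. If the intent is to serve cgit's static assets alongside `/srv/http/git.parabola.nu/cgit.cgi`, add `root /srv/http/git.parabola.nu;` to the server block — hedged, since the root may come from a shared include outside this diff. Also, the certbot hook requests `git.parabolagnulinux.org` but `server_name git.parabola.nu;` is the only name this vhost answers to, so HTTPS requests for the other name fall through to whichever block nginx treats as default unless something outside this diff handles it; listing both names in `server_name` (or redirecting the second) keeps the certificate and the vhost in step.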
diff --git a/config-service-projects.PKGBUILD b/config-service-projects.PKGBUILD
new file mode 100644
index 0000000..71cd152
--- /dev/null
+++ b/config-service-projects.PKGBUILD
@@ -0,0 +1,27 @@
+. ${BUILDFILE%/*}/common.sh
+pkgver=20160713.1
+
+depends=(git cgit uwsgi-plugin-cgi config-uwsgi)
+
+package() {
+cd "$pkgdir"
+
+add-file -m755 etc/ssl/misc/certbot-get.d/10-projects <<EOF
+#!/bin/bash
+echo projects.{parabola.nu,parabolagnulinux.org}
+EOF
+
+add-file etc/nginx/sites/server-projects.parabola.nu.conf <<EOF
+# -*- Mode: nginx; nginx-indent-level: 8; indent-tabs-mode: t -*-
+
+server {
+ server_name projects.parabola.nu;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ location / { return 301 https://git.parabola.nu\$request_uri; }
+}
+EOF
+
+backup=($(find "$pkgdir" -type f -printf '%P\n'))
+}
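Review bot: The certbot hook adds `projects.parabolagnulinux.org` to the certificate, but `server_name projects.parabola.nu;` is the only name this vhost answers to, so an HTTPS request for `projects.parabolagnulinux.org` lands on whatever server block nginx picks as default (likely a certificate-name mismatch or an unrelated site) unless a block outside this diff covers it. Either list both names, `server_name projects.parabola.nu projects.parabolagnulinux.org;`, or drop the unused name from the hook so the SAN list reflects what is actually served. There is also no port-80 listener in this file, so plain-HTTP requests to the redirect host are not themselves redirected; that may be handled centrally, but it is worth confirming.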
diff --git a/config-timedate-utc.PKGBUILD b/config-timedate-utc.PKGBUILD
deleted file mode 100644
index 628e33d..0000000
--- a/config-timedate-utc.PKGBUILD
+++ /dev/null
@@ -1,16 +0,0 @@
-. ${BUILDFILE%/*}/common.sh
-pkgver=20160713.4
-
-package() {
-cd "$pkgdir"
-
-# Consider UTC to be the timezone, since we have admins all
-# over the place.
-install -d etc
-ln -s ../usr/share/zoneinfo/UTC etc/localtime
-
-# Use timesyncd NTP client daemon.
-add-unit etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
-
-backup=($(find "$pkgdir" -type f -printf '%P\n'))
-}
diff --git a/config-winston-base.PKGBUILD b/config-winston-base.PKGBUILD
index e7ac9b8..00b41ae 100644
--- a/config-winston-base.PKGBUILD
+++ b/config-winston-base.PKGBUILD
@@ -1,5 +1,5 @@
. ${BUILDFILE%/*}/common.sh
-pkgver=20160713.6
+pkgver=20160713.8
depends=(linux-libre-lts grub haveged irqbalance netctl)
conflicts=(linux-libre)
@@ -33,8 +33,17 @@ add-unit etc/systemd/system/multi-user.target.wants/haveged.service
add-unit etc/systemd/system/multi-user.target.wants/irqbalance.service
ln -s ../usr/lib/os-release etc/os-release
+install -d ssl/certs
+ln -s ../../ca-certificates/extracted/tls-ca-bundle.pem ssl/certs/ca-certificates.crt
-# ## Networking
+# ## timedate
+
+ln -s ../usr/share/zoneinfo/Iceland etc/localtime
+
+# Use timesyncd NTP client daemon.
+add-unit etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+
+# ## networking
# `/etc/udev/rules.d/80-net-setup-link.rules` is a symlink to
# `/dev/null`, which disables new-style [predictable network interface