authorLuke Shumaker <lukeshu@sbcglobal.net>2017-02-04 06:33:09 +0000
committerLuke Shumaker <lukeshu@sbcglobal.net>2017-02-04 06:33:09 +0000
commit71b30fe252375ce9cd17564309f0598b768bfec5 (patch)
treefa0bade06d3fbebe29be061cd7f3c541e069bccc
parent5bd04a0bf9851cd2aca56bdaf5d62316279743fe (diff)
update
-rw-r--r--config-mgmt-certbot.PKGBUILD3
-rw-r--r--config-mgmt-nshd.PKGBUILD61
-rw-r--r--config-service-repo.PKGBUILD116
3 files changed, 178 insertions, 2 deletions
diff --git a/config-mgmt-certbot.PKGBUILD b/config-mgmt-certbot.PKGBUILD
index 1bc650e..aeaca1d 100644
--- a/config-mgmt-certbot.PKGBUILD
+++ b/config-mgmt-certbot.PKGBUILD
@@ -1,5 +1,5 @@
. ${BUILDFILE%/*}/common.sh
-pkgver=20161112
+pkgver=20170203
package() {
preamble
@@ -51,6 +51,7 @@ install -d etc/ssl/misc/certbot-get.d
add-file -m755 etc/ssl/misc/certbot-get <<<'#!/bin/bash
{
set -eu
+ cd /
# The first name listed should be the canonical host name
domains=(
diff --git a/config-mgmt-nshd.PKGBUILD b/config-mgmt-nshd.PKGBUILD
new file mode 100644
index 0000000..b3336e3
--- /dev/null
+++ b/config-mgmt-nshd.PKGBUILD
@@ -0,0 +1,61 @@
+. ${BUILDFILE%/*}/common.sh
+pkgver=20170203.3
+
+package() {
+preamble
+# #### Parabola hackers
+
+depends=(parabola-hackers-nshd openssh)
+
+# sshd is configured to force the use of keys (no password-based
+# login), and to use [parabola-hackers][] `ssh-list-authorized-keys`
+# in addition to checking `~/.ssh/authorized_keys`.
+# `ssh-list-authorized-keys` returns the authorized keys from the
+# [hackers.git][] checkout in `/var/lib/hackers-git` (the path to the
+# checkout is configured in `/etc/parabola-hackers.yml`).
+#
+# [parabola-hackers]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers/
+# [hackers.git]: https://git.parabola.nu/hackers.git/
+add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/ssh/sshd_config.holoscript <<EOF
+#!/bin/sh
+{
+ sed -e '/^#AuthorizedKeysCommand\s/ aAuthorizedKeysCommand /usr/lib/parabola-hackers/ssh-list-authorized-keys' \
+ -e '/^#AuthorizedKeysCommandUser\s/ aAuthorizedKeysCommandUser nshd' \
+ -e '/^#PasswordAuthentication\s/ aPasswordAuthentication no'
+} | awk '\$0==""||!x[\$0]++'
+EOF
+
+# NSS and PAM have been configured to use the ldap modules that are
+# part of [nss-pam-ldapd][].
+#
+# [nss-pam-ldapd]: https://www.parabola.nu/packages/community/x86_64/nss-pam-ldapd/
+add-file -m755 usr/share/holo/files/10-"$pkgname"/etc/nsswitch.conf.holoscript <<EOF
+#!/bin/sh
+sed 's/ ldap//' | sed -r '/^(passwd|group|shadow):/s/(files|compat)/files ldap/'
+EOF
+
+# However, instead of running the normal `nslcd` LDAP client daemon,
+# the system has ben configured to run the [parabola-hackers-nshd][]
+# `nshd` daemon, which reads user infomation from the same
+# `hackers.git` checkout (configured the same way). This way we dn't
+# have to worry about keeping `/etc/passwd` in sync with
+# `hackers.git`. To this end, PAM has also been configured to create
+# a users home directory when they log in if it doesn't already exist.
+# Because `hackers.git` doesn't store any password information, `nshd`
+# stores password hashes in `/etc/nshd/shadow`.
+#
+# [parabola-hackers-nshd]: https://www.parabola.nu/packages/libre/x86_64/parabola-hackers-nshd/
+add-unit etc/systemd/system/sockets.target.wants/nshd.socket
+add-unit etc/systemd/system/dbus.service.wants/nshd.service # (temporary [systemd bug workaround][])
+#
+# [sytemd bug workaround][]: https://projects.parabola.nu/packages/parabola-hackers.git/tree/nshd.service.in#n19
+
+# Sometimes after something fails in PAM, you get a "User not known to
+# the underlying authentication module" message. For exaple, the
+# `pam_ldap.so.2` failed because you typed your password wrong, but
+# the PAM caller thinks `pam_ldap` failed because it didn't "own" the
+# user. I think that it's just a bug in PAM's message selection. But
+# (TODO) we should actually track it down.
+
+postamble
+}
diff --git a/config-service-repo.PKGBUILD b/config-service-repo.PKGBUILD
index 979958c..d66c122 100644
--- a/config-service-repo.PKGBUILD
+++ b/config-service-repo.PKGBUILD
@@ -1,5 +1,5 @@
. ${BUILDFILE%/*}/common.sh
-pkgver=20161112
+pkgver=20170203.4
provides=(pacman-mirrorlist)
conflicts=(pacman-mirrorlist)
@@ -26,5 +26,119 @@ add-file etc/pacman.d/mirrorlist <<EOF
Server = file:///srv/repo/main/\$repo/os/\$arch
EOF
+add-file -m755 etc/ssl/misc/certbot-get.d/10-repo <<EOF
+#!/bin/bash
+echo {repo,repomirror}.{parabola.nu,parabolagnulinux.org}
+EOF
+
+add-file -m644 etc/nginx/sites/server-repo_parabola_nu.conf <<EOF
+# -*- Mode: nginx; nginx-indent-level: 8; indent-tabs-mode: t -*-
+
+server {
+ server_name repo.parabola.nu;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ error_log /var/log/nginx/nginx.http.repo_parabola_nu.error.log error;
+ access_log /var/log/nginx/nginx.http.repo_parabola_nu.access.log specific;
+
+ if (\$args !~* noredirect) {
+ return 302 https://repomirror.parabola.nu\$uri;
+ }
+
+ index /.fancyindex/index.php;
+ location = /.fancyindex/index.php {
+ include uwsgi_params;
+ uwsgi_modifier1 14; # Standard PHP request
+ uwsgi_pass unix:/run/uwsgi/repo.sock;
+ }
+ location / {
+ root /srv/repo;
+ try_files /main\$uri /http\$uri @union;
+ }
+ location @union {}
+}
+EOF
+
+add-file -m644 etc/uwsgi/repo.ini <<EOF
+[uwsgi]
+master = true
+processes = 4
+
+uid = nobody
+gid = http
+
+plugins = php
+
+php-set = open_basedir=/srv/http/repo.parabola.nu
+EOF
+
+add-unit etc/systemd/system/sockets.target.wants/uwsgi@repo.socket
+
+add-file -m644 etc/nginx/sites/server-repomirror_parabola_nu.conf <<EOF
+# -*- Mode: nginx; nginx-indent-level: 8; indent-tabs-mode: t -*-
+
+server {
+ server_name repomirror.parabola.nu;
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ error_log /var/log/nginx/nginx.http.repomirror_parabola_nu.error.log error;
+ access_log /var/log/nginx/nginx.http.repomirror_parabola_nu.access.log specific;
+
+ location / {
+ root /srv/http/repo.parabola.nu;
+
+ include uwsgi_params;
+ uwsgi_param SCRIPT_NAME /srv/http/repo.parabola.nu/.fancyindex/mirror.php;
+ uwsgi_modifier1 14; # Standard PHP request
+ uwsgi_pass unix:/run/uwsgi/repomirror.sock;
+ }
+}
+EOF
+
+add-file -m644 etc/uwsgi/repomirror.ini <<EOF
+[uwsgi]
+master = true
+processes = 4
+
+uid = nobody
+gid = http
+
+plugins = php
+
+php-app = /srv/http/repo.parabola.nu/.fancyindex/mirror.php
+php-set = open_basedir=/srv/http/repo.parabola.nu:/srv/repo/http
+EOF
+
+add-unit etc/systemd/system/sockets.target.wants/uwsgi@repomirror.socket
+
+add-file -m644 etc/systemd/system/rsyncd@.service.d/user.conf <<EOF
+[Service]
+User=nobody
+EOF
+
+add-file -m644 etc/systemd/system/rsyncd.socket.d/port.conf <<EOF
+[Socket]
+# 873 is filtered
+ListenStream=
+ListenStream=875
+EOF
+
+add-unit etc/systemd/system/sockets.target.wants/rsyncd.socket
+
+add-file -m644 usr/share/holo/files/10-"$pkgname"/etc/rsyncd.conf <<EOF
+# The uid, port, et c. are configured in the systemd units.
+
+[repos]
+ path = /srv/repo/main
+ comment = Parabola repos
+ ignore nonreadable = yes
+
+[abs]
+ path = /srv/repo/db-import-archlinux-src/abslibre
+ comment = Arch Build System Libre
+EOF
+
postamble
}
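Review bot: Both uwsgi PHP pools (`uid = nobody`, `gid = http` in repo.ini and repomirror.ini) and the rsyncd drop-in (`User=nobody`) share the `nobody` account, so a flaw in `index.php`/`mirror.php` reachable over HTTPS yields the same uid that serves `/srv/repo/main` over rsync and vice versa; same-uid processes can signal one another (and ptrace, absent Yama restrictions), and `open_basedir` is a PHP-level filter rather than a kernel-enforced boundary. Give each service its own account — e.g. `uid = repo-www` in the two `.ini` files and `User=rsyncd` in the drop-in — declared in a `usr/lib/sysusers.d/` fragment shipped by this package so the uids exist before the sockets are activated. Separately, an unprivileged rsyncd cannot chroot while `use chroot` defaults to yes in rsyncd.conf; confirm a connection to the `[repos]` module works under a non-root `User=` or set `use chroot = no` explicitly in the shipped rsyncd.conf. The `return 302 https://repomirror.parabola.nu\$uri` also drops any query string; append `\$is_args\$args` if the mirror endpoint is meant to see it.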