tenseleyflow/shithub / 5372ec0

+# SPDX-License-Identifier: AGPL-3.0-or-later

+#

+# shithub-specific exclusions. Drops into /etc/aide/aide.conf.d/.

+# Everything here uses AIDE's "!" prefix to UN-watch paths that

+# the upstream Debian config would otherwise track.

+#

+# We exclude paths whose churn is by-design — keeping them in the

+# baseline would generate so much noise that real intrusion signals

+# would drown. The stuff we DO want flagged: /etc, /usr/local/bin,

+# /usr/lib/systemd/system, /root/.ssh, package-managed binaries,

+# sshd_config — all of which the upstream config already covers.

+

+# ── Application data (repos, by design write-heavy)

+!/data

+!/var/lib/shithub

+!/var/lib/shithub-ssh

+

+# ── Database files + WAL (Postgres rewrites these constantly)

+!/var/lib/postgresql

+

+# ── Source checkout (fetch+reset on every deploy)

+!/root/src/shithub

+

+# ── Caddy state (cert renewals, access log)

+!/var/lib/caddy

+!/var/log/caddy

+

+# ── shithub-specific log dir

+!/var/log/shithub

+

+# ── AIDE's own metadata (don't recurse into our own DB)

+!/var/lib/aide

+

+# ── Restore-drill scratch (mktemp paths under /tmp already excluded

+#    by upstream, but the share dir holds the live script + sql)

+!/usr/local/share/shithub

+

+# ── Backup workdir (nightly pg_dump lands here before rclone copy;

+#    file count + content change every night by design)

+!/var/backups/shithub

+

+# ── shithub-deploy artifacts on the app droplet

+!/tmp/shithubd-new