# SPDX-License-Identifier: AGPL-3.0-or-later
#
# shithub-specific exclusions. Drops into /etc/aide/aide.conf.d/.
# Everything here uses AIDE's "!" prefix to UN-watch paths that
# the upstream Debian config would otherwise track.
#
# We exclude paths whose churn is by-design — keeping them in the
# baseline would generate so much noise that real intrusion signals
# would drown. The stuff we DO want flagged: /etc, /usr/local/bin,
# /usr/lib/systemd/system, /root/.ssh, package-managed binaries,
# sshd_config — all of which the upstream config already covers.

# ── Application data (repos, by design write-heavy)
!/data
!/var/lib/shithub
!/var/lib/shithub-ssh

# ── Database files + WAL (Postgres rewrites these constantly)
!/var/lib/postgresql

# ── Source checkout (fetch+reset on every deploy)
!/root/src/shithub

# ── Caddy state (cert renewals, access log)
!/var/lib/caddy
!/var/log/caddy

# ── Postgres server logs. The Debian aide-common config ships a
# rule for postgresql-15 only; Ubuntu 24 runs postgresql-16 whose
# log file matches a generic /var/log/* pattern that fires on every
# query the server logs. Pure noise.
!/var/log/postgresql

# ── sysstat collector. /var/log/sysstat/sa is rewritten every
# 10 minutes by the sa1 cron, so an aide check in between always
# sees a different file. Excluded outright.
!/var/log/sysstat

# ── shithub-specific log dir
!/var/log/shithub

# ── AIDE's own metadata (don't recurse into our own DB)
!/var/lib/aide

# ── Restore-drill scratch (mktemp paths under /tmp already excluded
# by upstream, but the share dir holds the live script + sql)
!/usr/local/share/shithub

# ── Backup workdir (nightly pg_dump lands here before rclone copy;
# file count + content change every night by design)
!/var/backups/shithub

# ── shithub-deploy artifacts on the app droplet
!/tmp/shithubd-new
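As an added illustration (not part of the config file above or of the shithub project), this Python script models how AIDE applies `!` selection lines: each one is a regular expression anchored only at the start of the path, so a bare `!/data` also un-watches a sibling such as `/database.sqlite`. The rule excerpt and the sample paths are constructed; `tighten()` shows the `($|/)` suffix that limits a rule to the named tree and its children.

```python
import re

# Constructed excerpt of the "!" selection lines from the config above.
EXCLUDES = """
# ── Application data
!/data
!/var/lib/shithub
!/var/lib/shithub-ssh
!/var/lib/aide
!/tmp/shithubd-new
"""

def parse_excludes(config: str) -> list[re.Pattern]:
    """Compile each '!' line the way AIDE applies it: the regex is
    implicitly anchored at the START of the path and nowhere else."""
    rules = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):
            rules.append(re.compile("^" + line[1:].strip()))
    return rules

def tighten(rule: str) -> str:
    """Rewrite a bare '!/path' rule so it matches only that path and its
    children, not siblings that merely share the prefix (/data vs /database)."""
    body = rule[1:].strip().rstrip("/")
    return "!" + body + "($|/)"

def tighten_config(config: str) -> str:
    """Apply tighten() to every '!' line of a config excerpt."""
    return "\n".join(tighten(l) for l in config.splitlines() if l.strip().startswith("!"))

def is_excluded(path: str, rules: list[re.Pattern]) -> bool:
    return any(r.match(path) for r in rules)

def classify(config: str, paths: list[str]) -> dict[str, bool]:
    """Map each sample path to True if some '!' rule drops it from the scan."""
    rules = parse_excludes(config)
    return {p: is_excluded(p, rules) for p in paths}

# Constructed sample paths. The two marked "unintended" share a prefix with an
# excluded tree and are silently un-watched by the loose rules; the -ssh path
# stays excluded under tight rules only because the file lists it explicitly.
SAMPLE_PATHS = [
    "/data/repos/alice/proj.git/HEAD",        # intended exclusion
    "/database.sqlite",                        # unintended: matches !/data
    "/var/lib/aide-bak/aide.db",               # unintended: matches !/var/lib/aide
    "/var/lib/shithub-ssh/authorized_keys",    # intended, has its own rule
    "/etc/ssh/sshd_config",                    # must stay watched
]

if __name__ == "__main__":
    loose, tight = classify(EXCLUDES, SAMPLE_PATHS), classify(tighten_config(EXCLUDES), SAMPLE_PATHS)
    for p in SAMPLE_PATHS:
        print(f"{p:42} loose={loose[p]!s:5} tight={tight[p]}")
```

Running it prints one line per sample path with the loose and tightened verdicts side by side, which is a quick way to audit a drop-in like this one before committing it to the baseline.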