From 6dfd126a852460ba90268784bf801fab8feaea79 Mon Sep 17 00:00:00 2001
From: theraw <me@julio.al>
Date: Tue, 9 Jun 2026 03:10:11 +0000
Subject: [PATCH] package update

---
 .gitea/workflows/build-publish.yml | 29 +++++++++---------
 build/deb/postinst                 | 48 ++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 14 deletions(-)
 create mode 100755 build/deb/postinst

diff --git a/.gitea/workflows/build-publish.yml b/.gitea/workflows/build-publish.yml
index 4958f00..cf86631 100644
--- a/.gitea/workflows/build-publish.yml
+++ b/.gitea/workflows/build-publish.yml
@@ -61,16 +61,22 @@ jobs:
               local pkg_dir="/opt/${pkg_name}_${VERSION}_${ARCH}"
               local deb_dir="${pkg_dir}/DEBIAN"
 
-              mkdir -p "${pkg_dir}/usr/sbin" "${pkg_dir}/nginx" \
-                       "${pkg_dir}/etc/systemd/system" "${pkg_dir}/var/log/nginx" \
+              mkdir -p "${pkg_dir}/usr/sbin" \
+                       "${pkg_dir}/etc/systemd/system" \
                        "${pkg_dir}/usr/lib" \
-                       "${pkg_dir}/hostdata/default/public_html" \
-                       "${pkg_dir}/usr/nginx_lua"
+                       "${pkg_dir}/usr/nginx_lua" \
+                       "${pkg_dir}/usr/share/twiy/defaults/nginx" \
+                       "${pkg_dir}/usr/share/twiy/defaults/hostdata"
 
               cp /usr/sbin/nginx "${pkg_dir}/usr/sbin/"
-              cp -R /nginx/* "${pkg_dir}/nginx/" || true
+              # Pristine configs + default site go into a defaults stash, NOT the
+              # live /nginx and /hostdata trees. postinst seeds them from here
+              # without clobbering local edits (writes <file>.new when a target
+              # already exists). The live files stay untracked by dpkg, so an
+              # upgrade never overwrites a customised config.
+              cp -R /nginx/.          "${pkg_dir}/usr/share/twiy/defaults/nginx/"    || true
+              cp -R /hostdata/default "${pkg_dir}/usr/share/twiy/defaults/hostdata/" || true
               cp "${unit_src}"  "${pkg_dir}/etc/systemd/system/nginx.service"
-              cp -R /hostdata/default "${pkg_dir}/hostdata/" || true
               cp -R /usr/nginx_lua "${pkg_dir}/usr/" || true
 
               for d in /usr/local/aws-lc /usr/local/LuaJIT /usr/local/modsecurity /usr/local/zlib-ng; do
@@ -89,14 +95,9 @@ jobs:
                   "${pkg_name}" "${VERSION}" "${ARCH}" "${conflicts}" "${conflicts}" "${pkg_name}" "${TARGET}" \
                   > "${deb_dir}/control"
 
-              printf '%s\n' '#!/bin/bash' \
-                  'useradd -r -s /bin/false nginx 2>/dev/null || true' \
-                  'install -d -o nginx -g nginx -m 0755 /var/log/nginx' \
-                  'chown -R nginx:nginx /var/log/nginx /nginx 2>/dev/null || true' \
-                  'systemctl daemon-reload 2>/dev/null || true' \
-                  'systemctl enable nginx.service 2>/dev/null || true' \
-                  'systemctl restart nginx.service 2>/dev/null || true' \
-                  'exit 0' > "${deb_dir}/postinst"
+              # Shared maintainer script: seeds /nginx + /hostdata from the
+              # defaults stash without overwriting files the admin already has.
+              cp "${REPO_ROOT}/build/deb/postinst" "${deb_dir}/postinst"
               chmod 755 "${deb_dir}/postinst"
 
               dpkg-deb --build "${pkg_dir}"
diff --git a/build/deb/postinst b/build/deb/postinst
new file mode 100755
index 0000000..4a40bc7
--- /dev/null
+++ b/build/deb/postinst
@@ -0,0 +1,48 @@
+#!/bin/sh
+# postinst — shared by the twiy and twiy-raweb packages.
+#
+# Pristine configs and the default site ship under /usr/share/twiy/defaults
+# (owned/tracked by dpkg), NOT under the live /nginx and /hostdata trees. We
+# seed the live trees from the stash here:
+#   - target missing  -> install the packaged copy
+#   - target present  -> leave it untouched; drop our copy as <file>.new
+# Because dpkg does not track the live files, an install or upgrade never
+# overwrites a config the admin has edited (e.g. you get nginx.conf.new, not a
+# clobbered nginx.conf).
+
+set -e
+
+# nginx runtime user (idempotent).
+useradd -r -s /bin/false nginx 2>/dev/null || true
+
+seed_tree() {
+    stash="$1"
+    target="$2"
+    [ -d "$stash" ] || return 0
+    find "$stash" -type f | while IFS= read -r src; do
+        rel=${src#$stash/}
+        dst="$target/$rel"
+        install -d "$(dirname "$dst")"
+        if [ -e "$dst" ]; then
+            cp -p "$src" "$dst.new"   # keep admin's file; offer ours as .new
+        else
+            cp -p "$src" "$dst"
+        fi
+    done
+}
+
+seed_tree /usr/share/twiy/defaults/nginx    /nginx
+seed_tree /usr/share/twiy/defaults/hostdata /hostdata
+
+# Empty include dirs referenced by nginx.conf (`include conf.d/*;`) that ship
+# with no files of their own.
+install -d /nginx/conf.d /nginx/config
+install -d -o nginx -g nginx -m 0755 /var/log/nginx
+
+chown -R nginx:nginx /var/log/nginx /nginx 2>/dev/null || true
+
+systemctl daemon-reload  2>/dev/null || true
+systemctl enable  nginx.service 2>/dev/null || true
+systemctl restart nginx.service 2>/dev/null || true
+
+exit 0