forgejo migration

etc/apparmor.d/var.xyzzy.bin.forgejo

@@ -0,0 +1,44 @@
+#include <tunables/global>
+
+/var/xyzzy/bin/forgejo* flags=(complain) {
+  #include <abstractions/base>
+  #include <abstractions/nameservice>
+  #include <abstractions/user-tmp>
+
+  /dev/tty rw,
+  /etc/gitconfig r,
+  /etc/machine-id r,
+  /etc/mime.types r,
+  /proc/sys/net/core/somaxconn r,
+  /proc/version r,
+  /sys/devices/system/cpu/online r,
+  /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /usr/bin/basename mrix,
+  /usr/bin/bash mrix,
+  /usr/bin/cat mrix,
+  /usr/bin/dash mrix,
+  /usr/bin/env rix,
+  /usr/bin/git mrix,
+  /usr/bin/gzip mrix,
+  /usr/lib/git-core/git mrix,
+  /usr/share/git-core/templates r,
+  /usr/share/mime/globs2 r,
+
+  /var/xyzzy/backup/* rw,
+  /var/xyzzy/bin/forgejo* mrix,
+  /var/xyzzy/etc/forgejo/app.ini r,
+  /var/xyzzy/etc/forgejo/internal_token r,
+  /var/xyzzy/etc/forgejo/jwt_secret r,
+  /var/xyzzy/etc/forgejo/lfs_jwt_secret r,
+  /var/xyzzy/forge/** r,
+  /var/xyzzy/forge/data/repositories/*/*.git/hooks/* mrix,
+  /var/xyzzy/forge/data/repositories/*/*.git/hooks/*.d/* mrix,
+
+  owner /proc/*/cpuset r,
+  owner /var/xyzzy/git/.gitconfig rw,
+  owner /var/xyzzy/git/.gitconfig.lock rw,
+  owner /var/xyzzy/git/.ssh/* rw,
+  owner /var/xyzzy/forge/data/** rwkl,
+  owner /var/xyzzy/forge/log/* rw,
+
+}