Simplify systemd services, use volumes
This commit represents a large amount of work toward moving services to a more standard approach to storing data, and a simplification in how networks are managed.
parent
318305be5b
commit
3254ead3a7
@ -1,7 +1,7 @@
|
|||
[Unit]
|
||||
Description=Container build for %I
|
||||
Wants=network-online.target container-environment@%i.service container-build@%i.path
|
||||
After=network-online.target container-environment@%i.service
|
||||
Wants=network-online.target container-environment@%i.service container-network@internal.service container-build@%i.path
|
||||
After=network-online.target container-environment@%i.service container-network@internal.service
|
||||
ConditionPathExists=/etc/container-service/%i/Containerfile
|
||||
|
||||
[Service]
|
||||
|
|
|
@ -1,12 +1,12 @@
|
|||
FROM docker.io/debian:stable-slim
|
||||
ARG VERSION=9.0
|
||||
|
||||
ENV BUILD_DEPS="build-essential git cmake python"
|
||||
RUN apt-get update -y && apt-get install -y --no-install-recommends \
|
||||
ca-certificates gettext libexpat1-dev libidn11-dev uuid-dev libsqlite3-dev libudns-dev \
|
||||
libbotan-2-dev ${BUILD_DEPS}
|
||||
|
||||
ARG BIBOUMI_VERSION=9.0
|
||||
RUN git clone --branch ${BIBOUMI_VERSION} --depth 1 https://lab.louiz.org/louiz/biboumi /biboumi && \
|
||||
RUN git clone --branch ${VERSION} --depth 1 https://lab.louiz.org/louiz/biboumi /biboumi && \
|
||||
mkdir /biboumi/build && cd /biboumi/build && \
|
||||
cmake .. -DCMAKE_INSTALL_PREFIX=/usr -DCMAKE_BUILD_TYPE=Release -DWITH_BOTAN=1 -DWITH_SQLITE3=1 \
|
||||
-DWITH_LIBIDN=1 -DWITHOUT_SYSTEMD=1 && \
|
||||
|
|
|
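Review bot: `RUN git clone --branch ${VERSION} --depth 1 https://lab.louiz.org/louiz/biboumi` still builds from a mutable tag, so the image content can change without this Containerfile changing; now that `VERSION` is a single build argument at the top, it is cheap to also record the expected commit and verify it after the clone, e.g. `ARG VERSION_COMMIT=<expected-commit-sha>` (placeholder) followed by `git -C /biboumi rev-parse HEAD | grep -qx "${VERSION_COMMIT}" && \` in the same chain. The unchanged `ENV BUILD_DEPS="build-essential git cmake python"` above is a build-time list that persists into the runtime environment of the image; an `ARG` would carry the same value without leaking it into every container. The `RUN` chain that begins at the clone continues past the end of the hunk.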
@ -5,10 +5,10 @@ After=container-build@%N.service prosody.service
|
|||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net prosody --env-file /etc/container-service/%N/%N.env \
|
||||
--volume /var/lib/container-service/%N:/var/lib/%N:z \
|
||||
--name %N localhost/%N:latest
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--volume %N:/var/lib/%N:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
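Review bot: `--net internal` replaces the dedicated `prosody` network here, and the same substitution is made in every other service unit in this commit (rdircd, dovecot, mariadb-migrate, mariadb, postfix, prosody, redis, rspamd and the unit in the hunk after prosody), so each container can now reach every other container on `internal` — the per-service networks were the only network-level restriction between, for example, this IRC gateway and mariadb or redis. If a single flat network is the intended trade-off, stating it in the unit (`# All services share the internal network; access between them relies on each service's own authentication`) makes it explicit and keeps the option of re-segmenting services that never need to talk to each other.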
@ -1,14 +1,14 @@
|
|||
[Unit]
|
||||
Description=Reliable Discord-Client IRC Daemon
|
||||
Wants=container-build@%N.service container-network@prosody.service
|
||||
After=container-build@%N.service container-network@prosody.service
|
||||
Wants=container-build@%N.service
|
||||
After=container-build@%N.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net prosody --env-file /etc/container-service/%N/%N.env \
|
||||
--volume /var/lib/container-service/%N:/var/lib/rdircd:z \
|
||||
--name %N localhost/%N:latest
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--volume %N:/var/lib/rdircd:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
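Review bot: Dropping `ExecStartPre=/bin/install --owner 10000 --group 10000 -d …` together with the switch to `--volume %N:/var/lib/rdircd:z` leaves the ownership of the new named volume to podman's first-use initialisation (presumably copied from the image's /var/lib/rdircd if that directory exists in the image), so confirm the image creates that directory for uid 10000, otherwise the daemon fails on its first write; the biboumi, dovecot, mariadb, prosody, redis and rspamd units in this commit drop the same directory setup. Nothing in the commit moves the existing data from /var/lib/container-service/%N into the volume, so the migration step (a one-off copy into the volume before the first start) deserves a sentence in the commit description or a comment in the unit.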
@ -62,8 +62,8 @@ protocols = imap lmtp sieve
|
|||
|
||||
# Enable SSL and STARTTLS.
|
||||
ssl = yes
|
||||
ssl_cert = </etc/ssl/private/${DOVECOT_HOST}/tls.crt
|
||||
ssl_key = </etc/ssl/private/${DOVECOT_HOST}/tls.key
|
||||
ssl_cert = </etc/ssl/private/certificates/${DOVECOT_HOST}.crt
|
||||
ssl_key = </etc/ssl/private/certificates/${DOVECOT_HOST}.key
|
||||
|
||||
protocol lmtp {
|
||||
mail_plugins = $mail_plugins sieve
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
[Unit]
|
||||
Description=Dovecot POP3/IMAP server
|
||||
Wants=container-build@%N.service container-network@mail.service container-network@internal.service mariadb.service rspamd.service
|
||||
After=container-build@%N.service container-network@mail.service container-network@internal.service mariadb.service rspamd.service
|
||||
Wants=container-build@%N.service mariadb.service rspamd.service
|
||||
After=container-build@%N.service mariadb.service rspamd.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 5000 --group 5000 -d /var/lib/container-service/mail
|
||||
ExecStart=/bin/podman run --replace --pull never --net internal,mail,mariadb --env-file /etc/container-service/%N/%N.env \
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--env-file /etc/container-service/rspamd/rspamd.env \
|
||||
--publish 143:143 --publish 993:993 \
|
||||
--volume /var/lib/container-service/mail:/var/mail:z \
|
||||
--volume %N:/var/mail:z \
|
||||
--volume letsencrypt:/etc/ssl/private:z \
|
||||
--volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
|
||||
--volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
|
||||
--name %N localhost/%N:latest
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
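Review bot: `--volume letsencrypt:/etc/ssl/private:z` mounts lego's whole working directory read-write into dovecot, and the postfix and prosody units in this commit do the same; the old bind mount exposed only the `private/` copies, whereas the lego tree also holds the ACME account private key (under `accounts/`) next to `certificates/`, and any of these services can now modify or delete the certificates lego maintains. Since these consumers only read, `--volume letsencrypt:/etc/ssl/private:ro,z` removes the write side at no cost; keeping the account key out of them entirely would need a separate volume or a copy step for `certificates/` alone, like the renew unit used to perform.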
@ -1,4 +1,4 @@
|
|||
FROM docker.io/goacme/lego:v4.3.1
|
||||
FROM docker.io/goacme/lego:v4.4.0
|
||||
|
||||
RUN addgroup --system --gid 10000 letsencrypt
|
||||
RUN adduser --system --uid 10000 --ingroup letsencrypt --home /var/lib/letsencrypt letsencrypt
|
||||
|
|
|
@ -3,19 +3,16 @@ Description="Let's Encrypt DNS01 certificate register for %I"
|
|||
Wants=container-build@letsencrypt.service letsencrypt-dns-renew@%i.timer
|
||||
After=container-build@letsencrypt.service
|
||||
Before=letsencrypt-dns-renew@%i.timer
|
||||
ConditionPathExists=!/var/lib/container-service/letsencrypt/private/%i/tls.key
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=/etc/container-service/letsencrypt/letsencrypt.env
|
||||
ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/letsencrypt
|
||||
ExecStart=/bin/podman run --replace --pull never --rm --env-file /etc/container-service/letsencrypt/letsencrypt.env \
|
||||
--volume /var/lib/container-service/letsencrypt:/var/lib/letsencrypt:z \
|
||||
--name letsencrypt-register-%i localhost/letsencrypt:latest --accept-tos --pem --path /var/lib/letsencrypt \
|
||||
--domains "%i" --server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} run
|
||||
ExecStartPost=/bin/install -d /var/lib/container-service/letsencrypt/private/%i
|
||||
ExecStartPost=/bin/install -m 0644 /var/lib/container-service/letsencrypt/certificates/%i.crt /var/lib/container-service/letsencrypt/private/%i/tls.crt
|
||||
ExecStartPost=/bin/install -m 0644 /var/lib/container-service/letsencrypt/certificates/%i.key /var/lib/container-service/letsencrypt/private/%i/tls.key
|
||||
ExecStart=/bin/podman run --replace --pull never --rm --name letsencrypt-register-%i \
|
||||
--env-file /etc/container-service/letsencrypt/letsencrypt.env \
|
||||
--volume letsencrypt:/var/lib/letsencrypt:z \
|
||||
localhost/letsencrypt:latest \
|
||||
--accept-tos --pem --path /var/lib/letsencrypt --domains "%i" \
|
||||
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} run
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
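Review bot: The hunk counts (-3,19 +3,16) imply `ConditionPathExists=!/var/lib/container-service/letsencrypt/private/%i/tls.key` is removed without replacement, so with `Type=oneshot` and `WantedBy=multi-user.target` the new `lego … run` is re-executed on every boot and, unless lego itself refuses when `certificates/%i.crt` already exists (I do not see that guaranteed), issues a fresh certificate each time, eating into the duplicate-certificate rate limit. The certificate now lives inside the `letsencrypt` volume where a path condition cannot see it, so guard issuance with a host-side marker instead, e.g. `ConditionPathExists=!/var/lib/<marker-dir>/%i.registered` (placeholder) plus `ExecStartPost=/bin/touch /var/lib/<marker-dir>/%i.registered`. The renewal unit in the next hunk loses its `ConditionPathExists` the same way, so it now runs for instances that were never registered. With the `ExecStartPost=/bin/install -m 0644 …` copies gone, consumers read `certificates/%i.key` with whatever mode lego writes it (the old 0644 copies were wider than needed); dovecot, postfix and nginx open keys as root, but prosody does not, so confirm that one can still read the key.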
@ -2,17 +2,16 @@
|
|||
Description="Let's Encrypt DNS01 certificate renewal for %I"
|
||||
Wants=container-build@letsencrypt.service
|
||||
After=container-build@letsencrypt.service
|
||||
ConditionPathExists=/var/lib/container-service/letsencrypt/private/%i/tls.key
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
EnvironmentFile=/etc/container-service/letsencrypt/letsencrypt.env
|
||||
ExecStart=/bin/podman run --replace --pull never --rm --env-file /etc/container-service/letsencrypt/letsencrypt.env \
|
||||
--volume /var/lib/container-service/letsencrypt:/var/lib/letsencrypt:z \
|
||||
--name letsencrypt-renew-%i localhost/letsencrypt:latest --pem --path /var/lib/letsencrypt \
|
||||
--domains "%i" --server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} renew
|
||||
ExecStartPost=/bin/install -m 0644 /var/lib/container-service/letsencrypt/certificates/%i.crt /var/lib/container-service/letsencrypt/private/%i/tls.crt
|
||||
ExecStartPost=/bin/install -m 0644 /var/lib/container-service/letsencrypt/certificates/%i.key /var/lib/container-service/letsencrypt/private/%i/tls.key
|
||||
ExecStart=/bin/podman run --replace --pull never --rm --name letsencrypt-renew-%i \
|
||||
--env-file /etc/container-service/letsencrypt/letsencrypt.env \
|
||||
--volume letsencrypt:/var/lib/letsencrypt:z \
|
||||
localhost/letsencrypt:latest \
|
||||
--pem --path /var/lib/letsencrypt --domains "%i" \
|
||||
--server ${ACME_SERVER} --email ${ACME_EMAIL} --dns ${ACME_DNS_PROVIDER} renew
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
@ -2,7 +2,9 @@
|
|||
Description="Let's Encrypt DNS01 scheduled certificate renewal for %I"
|
||||
|
||||
[Timer]
|
||||
OnUnitActiveSec=7d
|
||||
OnCalendar=weekly
|
||||
AccuracySec=1h
|
||||
Persistent=true
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
|
|
|
@ -7,13 +7,13 @@ ConditionPathExists=/etc/container-service/%i/service/%p.sql
|
|||
[Service]
|
||||
Type=oneshot
|
||||
PrivateTmp=true
|
||||
EnvironmentFile=-/etc/container-service/%i/%i.env
|
||||
EnvironmentFile=/etc/container-service/mariadb/mariadb.env
|
||||
ExecStartPre=/bin/sh -c 'envsubst < /etc/container-service/%i/service/%p.sql > /tmp/%p.sql'
|
||||
ExecStart=/bin/podman run --replace --pull never --rm --net mariadb --entrypoint mariadb --user root \
|
||||
--volume /tmp:/tmp --volume /var/lib/container-service/mariadb:/var/lib/mysql:z \
|
||||
--name mariadb-migrate-%i localhost/mariadb:latest \
|
||||
--host mariadb --password=${MYSQL_ROOT_PASSWORD} -e 'source /tmp/%p.sql'
|
||||
EnvironmentFile=-%E/container-service/%i/%i.env
|
||||
EnvironmentFile=%E/container-service/mariadb/mariadb.env
|
||||
ExecStartPre=/bin/sh -c 'envsubst < %E/container-service/%i/service/%p.sql > /tmp/%p.sql'
|
||||
ExecStart=/bin/podman run --replace --pull never --rm --name mariadb-migrate-%i --net internal \
|
||||
--volume mariadb:/var/lib/mysql:z --volume /tmp:/tmp \
|
||||
--entrypoint mariadb localhost/mariadb:latest \
|
||||
--host mariadb --user root --password=${MYSQL_ROOT_PASSWORD} -e 'source /tmp/%p.sql'
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
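Review bot: `--volume mariadb:/var/lib/mysql:z` mounts the live database files read-write into a throwaway client container whose only job is to run `/tmp/%p.sql` against `--host mariadb` over the network; unless the image's entrypoint requires the data directory to exist, dropping that mount keeps a bad migration script (or a compromised client image) away from the raw InnoDB files, and the `%N-wait` container in the mariadb unit is in the same position. `--password=${MYSQL_ROOT_PASSWORD}` is carried over unchanged and stays visible in the process list on the host and inside the container; a comment noting that this is accepted (the unit already has `PrivateTmp=true`) or a switch to a client option file would make the choice explicit.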
@ -1,18 +1,18 @@
|
|||
[Unit]
|
||||
Description=MariaDB SQL Database
|
||||
Wants=container-build@%N.service container-network@%N.service container-network@internal.service
|
||||
After=container-build@%N.service container-network@%N.service container-network@internal.service
|
||||
Wants=container-build@%N.service
|
||||
After=container-build@%N.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
EnvironmentFile=/etc/container-service/%N/%N.env
|
||||
ExecStartPre=/bin/install --owner 999 --group 999 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net internal,%N --env-file /etc/container-service/%N/%N.env \
|
||||
--volume /var/lib/container-service/%N:/var/lib/mysql:z \
|
||||
--name %N localhost/%N:latest
|
||||
ExecStartPost=/bin/podman run --replace --pull never --rm --net %N --entrypoint mariadb-admin \
|
||||
--volume /var/lib/container-service/%N:/var/lib/mysql:z \
|
||||
--name %N-wait localhost/%N:latest \
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--volume %N:/var/lib/mysql:z \
|
||||
localhost/%N:latest
|
||||
ExecStartPost=/bin/podman run --replace --pull never --rm --name %N-wait --net internal \
|
||||
--volume %N:/var/lib/mysql:z \
|
||||
--entrypoint mariadb-admin localhost/%N:latest \
|
||||
--host mariadb --user root --password=${MYSQL_ROOT_PASSWORD} --wait=10 ping
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
|
|
@ -8,8 +8,8 @@ server {
|
|||
listen 443 ssl;
|
||||
server_name ${SERVER_NAME} ${SERVER_NAME_ALT};
|
||||
|
||||
ssl_certificate /etc/ssl/private/${SSL_CERT_NAME}/tls.crt;
|
||||
ssl_certificate_key /etc/ssl/private/${SSL_CERT_NAME}/tls.key;
|
||||
ssl_certificate /etc/ssl/private/certificates/${SSL_CERT_NAME}.crt;
|
||||
ssl_certificate_key /etc/ssl/private/certificates/${SSL_CERT_NAME}.key;
|
||||
|
||||
location / {
|
||||
proxy_set_header Host $host;
|
||||
|
|
|
@ -194,6 +194,6 @@ tls_random_source = dev:/dev/urandom
|
|||
tls_ssl_options = no_ticket, no_compression
|
||||
|
||||
# Certificate file location.
|
||||
smtpd_tls_cert_file = /etc/ssl/private/${POSTFIX_HOST}/tls.crt
|
||||
smtpd_tls_key_file = /etc/ssl/private/${POSTFIX_HOST}/tls.key
|
||||
smtpd_tls_cert_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.crt
|
||||
smtpd_tls_key_file = /etc/ssl/private/certificates/${POSTFIX_HOST}.key
|
||||
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
||||
|
|
|
@ -1,16 +1,16 @@
|
|||
[Unit]
|
||||
Description=Postfix SMTP server
|
||||
Wants=container-build@%N.service container-network@mail.service container-network@internal.service dovecot.service
|
||||
After=container-build@%N.service container-network@mail.service container-network@internal.service dovecot.service
|
||||
Wants=container-build@%N.service dovecot.service
|
||||
After=container-build@%N.service dovecot.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 5000 --group 5000 -d /var/lib/container-service/mail
|
||||
ExecStart=/bin/podman run --replace --pull never --net internal,mail --env-file /etc/container-service/%N/%N.env \
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--publish 25:25 --publish 465:465 --publish 587:587 \
|
||||
--volume /var/lib/container-service/mail:/var/mail:z \
|
||||
--volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
|
||||
--name %N localhost/%N:latest
|
||||
--volume dovecot:/var/mail:z \
|
||||
--volume letsencrypt:/etc/ssl/private:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
FROM docker.io/debian:stable-slim
|
||||
ARG VERSION=0.11.8
|
||||
ARG VERSION=0.11.9
|
||||
|
||||
RUN apt-get update -y && apt-get install -y --no-install-recommends \
|
||||
curl mercurial gnupg ca-certificates apt-transport-https
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
VirtualHost(os.getenv("PROSODY_HOST"))
|
||||
http_host = os.getenv("PROSODY_HOST_EXTERNAL")
|
||||
http_external_url = "https://" .. os.getenv("PROSODY_HOST_EXTERNAL") .. "/"
|
||||
certificate = "/etc/ssl/private/" .. os.getenv("PROSODY_HOST") .. "/tls.crt"
|
||||
certificate = "/etc/ssl/private/certificates/" .. os.getenv("PROSODY_HOST") .. ".crt"
|
||||
authentication = "imap"
|
||||
auth_append_host = true
|
||||
|
||||
Component(os.getenv("PROSODY_HOST_EXTERNAL")) "muc"
|
||||
modules_enabled = {"muc_mam", "vcard_muc"}
|
||||
name = "The " .. os.getenv("PROSODY_HOST") .. " chat-room server"
|
||||
certificate = "/etc/ssl/private/" .. os.getenv("PROSODY_HOST_EXTERNAL") .. "/tls.crt"
|
||||
certificate = "/etc/ssl/private/certificates/" .. os.getenv("PROSODY_HOST_EXTERNAL") .. ".crt"
|
||||
restrict_room_creation = "local"
|
||||
max_history_messages = 100
|
||||
|
||||
|
|
|
@ -1,16 +1,17 @@
|
|||
[Unit]
|
||||
Description=Prosody XMPP server
|
||||
Wants=container-build@%N.service container-network@%N.service mariadb.service postfix.service
|
||||
After=container-build@%N.service container-network@%N.service mariadb.service postfix.service
|
||||
Wants=container-build@%N.service mariadb.service dovecot.service
|
||||
After=container-build@%N.service mariadb.service dovecot.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 101 --group 102 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net mariadb,nginx-ingress,%N --env-file /etc/container-service/%N/%N.env \
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \
|
||||
--volume /var/lib/container-service/%N:/var/lib/%N:z --volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
|
||||
--volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
|
||||
--name %N localhost/%N:latest
|
||||
--volume %N:/var/lib/%N:z \
|
||||
--volume letsencrypt:/etc/ssl/private:z \
|
||||
--volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
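Review bot: prosody runs unprivileged in its image (the dropped `ExecStartPre` created the data directory for uid 101 / gid 102), yet `--volume letsencrypt:/etc/ssl/private:z` now hands it lego's output directly, where the files belong to the letsencrypt container's uid 10000 and carry whatever mode lego writes — the old flow's `install -m 0644` copies were what let prosody read `${PROSODY_HOST}.key`. Check after the first issuance that prosody can open `/etc/ssl/private/certificates/<host>.key`; if it cannot, a copy step into a prosody-readable location is preferable to relaxing modes on the shared volume. Using `:ro,z` on this mount also stops prosody from being able to alter the certificates the mail services share.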
@ -5,11 +5,10 @@ After=container-build@%N.service dovecot.service
|
|||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 15232 --group 15232 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net mail,nginx-ingress \
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--volume /var/lib/container-service/%N:/var/lib/%N:z \
|
||||
--name %N localhost/%N:latest
|
||||
--volume %N:/var/lib/%N:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
FROM docker.io/redis:6.0-alpine
|
||||
FROM docker.io/redis:6.2
|
||||
|
||||
USER redis
|
||||
CMD ["redis-server", "--appendonly", "yes"]
|
||||
COPY container/config /etc/redis
|
||||
CMD ["redis-server", "/etc/redis/redis.conf"]
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
# Enable persistence via append-only file.
|
||||
appendonly yes
|
|
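Review bot: `appendonly yes` enables the AOF but leaves its location to redis's `dir` default, the process working directory, so persistence reaches the `%N:/data` volume only because the image's working directory happens to be `/data`. Adding `dir /data` beside it ties the two together, so a base-image change (this commit already moves from `6.0-alpine` to `6.2`) cannot silently put the AOF on the container's writable layer. Since this file now replaces the former command-line flags, a comment that every other setting comes from the compiled defaults would help the next reader.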
@ -1,14 +1,11 @@
|
|||
[Unit]
|
||||
Description=Redis Key-Value Store
|
||||
Wants=container-build@%N.service container-network@%N.service container-network@internal.service
|
||||
After=container-build@%N.service container-network@%N.service container-network@internal.service
|
||||
Wants=container-build@%N.service
|
||||
After=container-build@%N.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 999 --group 1000 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net internal,%N \
|
||||
--volume /var/lib/container-service/%N:/data:z \
|
||||
--name %N localhost/%N:latest
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --volume %N:/data:z localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
# Create base directories.
|
||||
mkdir -m 755 -p /run/rspamd
|
||||
chown rspamd:rspamd /run/rspamd
|
||||
chown -R rspamd:rspamd /run/rspamd /var/lib/rspamd
|
||||
|
||||
# Run rspamd in the foreground.
|
||||
/usr/bin/rspamd -f -u rspamd -g rspamd
|
||||
|
|
|
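Review bot: `chown -R rspamd:rspamd /run/rspamd /var/lib/rspamd` now walks the whole persistent data volume on every container start; that cost grows with rspamd's statistics and history data, and it re-owns anything placed in the volume since the last start, including files rspamd itself did not create. Limiting the recursive pass to a volume that is not yet owned by rspamd keeps the intent (fix up a freshly created volume) without the per-start sweep, e.g. `[ "$(stat -c %U /var/lib/rspamd)" = rspamd ] || chown -R rspamd:rspamd /var/lib/rspamd` after the cheap `chown rspamd:rspamd /run/rspamd`. The script's shebang and any `set -e` are outside the hunk.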
@ -1,12 +1,14 @@
|
|||
[Unit]
|
||||
Description=DKIM key for %I
|
||||
Wants=rspamd.service
|
||||
After=rspamd.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStartPre=/bin/install -d /var/lib/container-service/rspamd/dkim
|
||||
ExecStart=/bin/openssl genrsa -out /var/lib/container-service/rspamd/dkim/%i.dkim.key 1024
|
||||
ExecStartPost=/bin/chmod 644 /var/lib/container-service/rspamd/dkim/%i.dkim.key
|
||||
ExecStartPost=/bin/sh -c 'echo "Public DKIM key:"; openssl rsa -in /var/lib/container-service/rspamd/dkim/%i.dkim.key -pubout -outform der 2> /dev/null | openssl base64 -A'
|
||||
ExecStartPre=/bin/podman exec rspamd install -d /var/lib/rspamd/dkim
|
||||
ExecStart=/bin/podman exec rspamd openssl genrsa -out /var/lib/rspamd/dkim/%i.dkim.key 1024
|
||||
ExecStartPost=/bin/podman exec rspamd chmod 644 /var/lib/rspamd/dkim/%i.dkim.key
|
||||
ExecStartPost=/bin/podman exec rspamd sh -c 'echo "Public DKIM key:"; openssl rsa -in /var/lib/container-service/rspamd/dkim/%i.dkim.key -pubout -outform der 2> /dev/null | openssl base64 -A'
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
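Review bot: The public-key dump in the last `ExecStartPost` still reads `/var/lib/container-service/rspamd/dkim/%i.dkim.key`, the old host path, but inside the container the key was just written to `/var/lib/rspamd/dkim/%i.dkim.key` by the `ExecStart` line, so `openssl rsa -pubout` finds no file and the unit prints no DNS record; it should be `ExecStartPost=/bin/podman exec rspamd sh -c 'echo "Public DKIM key:"; openssl rsa -in /var/lib/rspamd/dkim/%i.dkim.key -pubout -outform der 2> /dev/null | openssl base64 -A'`. Because `podman exec` runs as the container's default user (root, since the entrypoint does its own chown before dropping to rspamd), the key is created root-owned and `chmod 644` is what makes it readable by rspamd; running the steps as `podman exec --user rspamd rspamd …` would let `chmod 600` serve the same purpose without a world-readable private key. A second start of the same instance overwrites the existing key, and a `ConditionPathExists` can no longer see into the volume, so a `test ! -e` guard in the `ExecStartPre` would protect a key whose public half is already published in DNS.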
@ -1,15 +1,14 @@
|
|||
[Unit]
|
||||
Description=Rspamd spam filtering system
|
||||
Wants=container-build@%N.service container-network@mail.service container-network@internal.service redis.service
|
||||
After=container-build@%N.service container-network@mail.service container-network@internal.service redis.service
|
||||
Wants=container-build@%N.service redis.service
|
||||
After=container-build@%N.service redis.service
|
||||
|
||||
[Service]
|
||||
Restart=always
|
||||
ExecStartPre=/bin/install --owner 11332 --group 11332 -d /var/lib/container-service/%N
|
||||
ExecStart=/bin/podman run --replace --pull never --net internal,mail,redis --env-file /etc/container-service/%N/%N.env \
|
||||
--publish 11332:11332 --publish 11334:11334 \
|
||||
--volume /var/lib/container-service/%N:/var/lib/%N:z \
|
||||
--name %N localhost/%N:latest
|
||||
ExecStart=/bin/podman run --replace --pull never --name %N --net internal \
|
||||
--env-file /etc/container-service/%N/%N.env \
|
||||
--volume %N:/var/lib/%N:z \
|
||||
localhost/%N:latest
|
||||
ExecStop=/bin/podman stop --time 10 %N
|
||||
ExecStopPost=/bin/podman rm --force %N
|
||||
|
||||
|
|
|
@ -51,7 +51,7 @@ systemd:
|
|||
dropins:
|
||||
- name: wait-for-service.conf
|
||||
contents: |
|
||||
[Service]
|
||||
[Unit]
|
||||
After=nginx-static@static.localhost.service
|
||||
- name: use-localhost-cert.conf
|
||||
contents: |
|
||||
|
@ -72,6 +72,20 @@ systemd:
|
|||
[Service]
|
||||
Environment=SSL_CERT_NAME=localhost
|
||||
|
||||
- name: letsencrypt-dns-register@localhost.service
|
||||
enabled: true
|
||||
dropins:
|
||||
- name: use-local-files.conf
|
||||
contents: |
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/bin/podman create --replace --name letsencrypt-register-%i \
|
||||
--volume letsencrypt:/var/lib/letsencrypt:z \
|
||||
--entrypoint true localhost/letsencrypt:latest
|
||||
ExecStartPost=/bin/podman init letsencrypt-register-%i
|
||||
ExecStartPost=/bin/podman cp /etc/ssl/private/certificates/ letsencrypt-register-%i:/var/lib/letsencrypt
|
||||
ExecStartPost=/bin/podman rm letsencrypt-register-%i
|
||||
|
||||
storage:
|
||||
files:
|
||||
# Hostname for virtual host.
|
||||
|
@ -117,7 +131,7 @@ storage:
|
|||
|
||||
# Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
|
||||
# generating certificates for the virtual host.
|
||||
- path: /var/lib/container-service/letsencrypt/private/localhost/tls.crt
|
||||
- path: /etc/ssl/private/certificates/localhost.crt
|
||||
mode: 0644
|
||||
contents:
|
||||
inline: |
|
||||
|
@ -140,7 +154,7 @@ storage:
|
|||
NlbOWu19BUaupdkc8nOAmDZPzSzZkc/qpiDeq9pE86KcfadgM3RElXOKXkL5TvlZ
|
||||
7g==
|
||||
-----END CERTIFICATE-----
|
||||
- path: /var/lib/container-service/letsencrypt/private/localhost/tls.key
|
||||
- path: /etc/ssl/private/certificates/localhost.key
|
||||
mode: 0644
|
||||
contents:
|
||||
inline: |
|
||||
|
|