From 606da239dc572facca72a201ea86ec2c69bbb9e9 Mon Sep 17 00:00:00 2001
From: Alex Palaistras <alex@deuill.org>
Date: Sun, 28 Mar 2021 14:00:17 +0100
Subject: [PATCH] More fixes for Nginx-backed services

---
 Makefile                                      |   8 ++++----
 .../service/nginx/systemd/nginx-php@.service  |   2 +-
 .../nginx/systemd/nginx-static@.service       |   6 +++++-
 .../service/prosody/systemd/prosody.service   |   2 +-
 host/lhr01nuc/lhr01nuc.env.gpg                | Bin 2429 -> 2585 bytes
 5 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/Makefile b/Makefile
index ecf46b5..3f26ddc 100644
--- a/Makefile
+++ b/Makefile
@@ -31,9 +31,9 @@ deploy-%: $(TMPDIR)host/%/spec.ign
 deploy-virtual: $(TMPDIR)images/fedora-coreos-$(VERSION)-qemu.$(ARCH).qcow2.xz $(TMPDIR)host/$(HOST)/spec.ign
 	@printf "Preparing virtual environment...\n"
 	$Q $(VIRTINSTALL) --import --name="fcos-$(STREAM)-$(VERSION)-$(ARCH)" --os-variant=fedora32 \
-                      --graphics=none --vcpus=2 --memory=2048 \
-                      --disk="size=10,backing_store=$(TMPDIR)images/fedora-coreos-$(VERSION)-qemu.$(ARCH).qcow2" \
-                      --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=$(TMPDIR)host/$(HOST)/spec.ign"
+	                  --graphics=none --vcpus=2 --memory=2048 \
+	                  --disk="size=10,backing_store=$(TMPDIR)images/fedora-coreos-$(VERSION)-qemu.$(ARCH).qcow2" \
+	                  --qemu-commandline="-fw_cfg name=opt/com.coreos/config,file=$(TMPDIR)host/$(HOST)/spec.ign"
 
 ## Stop and remove virtual environment for CoreOS.
 destroy-virtual:
@@ -94,7 +94,7 @@ $(TMPDIR)images/fedora-coreos-$(VERSION)-%:
 $(TMPDIR)make.depend: $(shell find $(ROOTDIR) -name '*.fcc' -type f 2>/dev/null)
 	@printf "# Automatic prerequisites for Fedora CoreOS configuration." > $@
 	@printf "$(foreach i,$^,\n$(patsubst $(ROOTDIR)%.fcc,$(TMPDIR)%.ign, \
-             $(i)): $(addprefix $(TMPDIR)config/, $(shell awk -F '[ ]+local:[ ]*' '/[ ]+local:/ {print $$2}' $(i))))" >> $@
+	         $(i)): $(addprefix $(TMPDIR)config/, $(shell awk -F '[ ]+local:[ ]*' '/[ ]+local:/ {print $$2}' $(i))))" >> $@
 
 # Show help if empty or invalid target has been given.
 .DEFAULT:
diff --git a/config/service/nginx/systemd/nginx-php@.service b/config/service/nginx/systemd/nginx-php@.service
index 70c4fed..24a7ab2 100644
--- a/config/service/nginx/systemd/nginx-php@.service
+++ b/config/service/nginx/systemd/nginx-php@.service
@@ -19,7 +19,7 @@ ExecStartPre=/bin/podman create --replace --pull never --pod %i \
                                 --name %i-nginx localhost/nginx:latest
 ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
 ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
-ExecStart=/bin/sh -c 'podman pod start %i && podman wait %i-php && podman attach --no-stdin %i-php'
+ExecStart=/bin/sh -c 'podman pod start %i && podman start --attach %i-php'
 ExecStop=/bin/podman pod stop --time 10 %i
 ExecStopPost=/bin/podman pod rm --force %i
 
diff --git a/config/service/nginx/systemd/nginx-static@.service b/config/service/nginx/systemd/nginx-static@.service
index 059a9ae..8e14142 100644
--- a/config/service/nginx/systemd/nginx-static@.service
+++ b/config/service/nginx/systemd/nginx-static@.service
@@ -7,8 +7,12 @@ Before=nginx-ingress-http@%i.service
 [Service]
 Restart=always
 Environment=SERVER_NAME=%i
+Environment=SERVICE_DATA_DIRECTORY=/data
 Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
-ExecStartPre=/bin/podman create --replace --pull never --net nginx-ingress --name %i localhost/%i:latest
+ExecStartPre=/bin/install -d /var/lib/container-service/%i
+ExecStartPre=/bin/podman create --replace --pull never --net nginx-ingress \
+                                --volume /var/lib/container-service/%i:${SERVICE_DATA_DIRECTORY}:z,shared \
+                                --name %i localhost/%i:latest
 ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
 ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
 ExecStart=/bin/podman start --attach %i
diff --git a/config/service/prosody/systemd/prosody.service b/config/service/prosody/systemd/prosody.service
index d694a00..56be302 100644
--- a/config/service/prosody/systemd/prosody.service
+++ b/config/service/prosody/systemd/prosody.service
@@ -6,7 +6,7 @@ After=container-build@%N.service container-network@%N.service mariadb.service po
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 101 --group 102 -d /var/lib/container-service/%N
-ExecStart=/bin/podman run --replace --pull never --net mariadb,%N --env-file /etc/container-service/%N/%N.env \
+ExecStart=/bin/podman run --replace --pull never --net mariadb,nginx-ingress,%N --env-file /etc/container-service/%N/%N.env \
                           --publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \
                           --volume /var/lib/container-service/%N:/var/lib/%N:z --volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
                           --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
diff --git a/host/lhr01nuc/lhr01nuc.env.gpg b/host/lhr01nuc/lhr01nuc.env.gpg
index 92f39c0f535bbc0995d8b1c16c619ea1a5754844..55ad80e57d061b4fc389d2ce756a84c7423065c9 100644
GIT binary patch
literal 2585
zcmV+!3g-2N0t^E@y8KTiHb4#m5C20LzbRb{#x10m^2UtqJz$gXHLeyswe9}UFkj|g
z06~MjRmo|N8^xSyl(tG6%$G(>rH?akZ<RZ3dWlT%XTb;I4uJm2UgI&419%sYCai~9
zh1RTs%}~0O*pZ5@5%#8lqwd58j@w=SEBgdUr@vi^uafYew4Gh@bFxzcWp@m7D7a);
zktlN?T0zb)SEB$jbrPM;4&_N1AuV?G1uPu$jI9{$pIkf+qGPmslrC#JYiFBJC-k>i
zBjiK<c&-FhM6c6!w{@}cUy{;y45RcB!5-`#raCe#T`iX(Kjh{UUv~{8oBkt9nMhaa
z6k%<`Qy2A^0s7y)4<VKyk7APBpeSreO<DW8EEqPud=X$ko1wWvIwt^I8rT1q@Z1}v
zY-v$|TfUp_$V@ha__j27U3=nAF0ymV(?wBmI|AC*&FZphCHKM^t^|m*mL7Qm6!`~D
z?m-_iLgmLeRq8l!BEYce24d}rXT73XaHUwXDo4#Ybru|^fDj16?MWL)4{Q?Kui)=C
z62M`DXk5*Ib{#KSzsnT#1+|&jATL?Ln|eZ<k<3Xs6yojA@lZ5*`o;hNPnCJz_TXxv
z^%>~jdLCRy{`d3ka!3%9ljAd9tAAw*OoyTnbx7>K!Saz{(>lH%)23-FP<x(y_y40!
z5rpms%jwdH(s{M5!Vc2w0dLx4;E3HZ8;aJ<{^p4R<y;r8A5#NZx8#UDp$eq6;#ILK
z6Y~XD-W~J1dy7GeaG5D9V3g6Zh!7bWOImP5P{P>`0EoC=UXb|sFSi_`9+Tj#H&Qzo
zg0iA@{OFTJIR}Hw=p?597!BPvs6V#qJ;)XT=d{2UV@6<&)>`m{%RI<i`Fs1T&kNLE
ztJFuDn@okUc#9?idr~C0bw)D(XB5L@`Po8qAK`hs7K#`cBNFlQ5zs9$c2Mc54xf8S
zOXh^ocqEX^12TpAsXXObWhQVfw39~hs~{iwkfKb{siD8@-Vc3;EGd*i&DC`Ots6!>
z*~Hufp0^4CS^j9edlkVW>re`Dlyc}7@dQ3Z(Og3zU6MQ(2b^*L;20Dl#$XZU%o}vN
zrGCv6IkC2=sVaMo*HYhDtT`V!)vh7uQb}IQv2nz+z&k5|cEye+SVOhB&-&uMAFJN5
z-m~)b^;AeRm76`57Hc9;)D1L=&MGjJzTKj-*OsPuNKb_o;$NNFY$eV?ZCUo;G|C>x
z$^M7^doww#yteYg{iRn+yrb=L>*X54PsW4S4w|wM%g^#luVt=F+m26O0}gFu*dT5@
z&&TMRz-h*~#PI$nOHK$Ae>Hf1cb00aqH;d=Du93uZa~Zq1d}Jt!!ZTKl>Aej7_2H8
z#m@3GCETB%!kjaWoPnEHyA};VV?m#0r*9w_7P2)&RxQc9J99P?NLwPNop$@)#G>o}
zIPL`tIbOHw{=2IaG#{&)i|iF$8^f9kk(CrU2|<@<lMJSQ%EaQii`*&byyla{oX~?p
z@e1?iqT`uX0H_VvU!P|ryU|Ehx)a6ZMnBd4e_?(GE~QR5**f^h<?mwe5>=vv$Pv|}
zj*SJI{F-z!;D)Xs3jD>6W)Tu~U==%aq0hIsFi$~UtJ{;LG1zs=GMtaY2ML&);Zuzi
z((hz#;oEs(H+z+s>}uB|wdY1>f3gDRx!agYwFVn+Nea_@Bm5kh+)OJa6bViM#pp8N
za*xLOjN7ZZLPbxYsO)EzcH4GL?kGx-@oz(5%g7xdVXAftWmW@tPy8G5ouUpNEzeoK
zCy9@cghiJpDcYvqqM)S>s*dLKN#GMLqS8+hGd^c%$a|MyR_rM1o&w?d1|UW7F#K7K
z&5md^MofjE;#a)Cyw)$0w80Gvw@l0T;Not)w)!xE-201RMr#CWwgmFvB9dC|m=S?S
zBQ*nm_kQxexwKY9xD(8cu=K^zswZ$T&PkztHN^|f=MJL$)4WF8e%C7(+s@fFuF_sn
z({Crvqylv9j*9OePhj8AW#oPPkWNSB7sl|hT&YTotSh-xvTlxad?uQQm3#G{zxV|#
z%Mw7)d-(dL8jX|e8WoQ$BXGdr(mq4#=P92>kFRo4b)U;st52__8*&4$FMCTOq<$20
z&(&At=8@oMm>b2jmuN3|>cM&(*6zumo7|UU{W3I`rBvIv?&jgEXm$Nq-LVY|)Kp(7
zz;eoW!m?bB2oZih`keTCICwBlm&B$gT@Lhj(hc;lGve9mz-lapCs`_|3isMVQa$oo
z4NM@uF9*)g?Ox<}8iq$pMUR4g%@0>%Zne1)kd=cwuL46DYp_QN4%XGajVmY2(6M2T
zE%$qhxx$h%3Ij=0y_!T0747=yA<|(JuM+&PgM9%<k+E9>yEt~&Y5^fAFSfgPs>^Fz
zw{Y%h07RcYD_W?6F>3ToOYI$G*@cGYjHZl<a3-$God-y9ecQFBk(gnXsulz)fE4y`
zgJw=s(xvZu4az<7Ze_Sd<W4WX{e<pb4u+F$PwatWG6T-EXfDc5v>NAAeClB^#4M~5
zSuK2!oBju&c`U~ShiVybwZCCV>GCi}<oh1-Dky*?@XYz#q6)CyhygF0Z+N5fd*!P1
zM0$EHOjJ#Nu}%ym_Co3RR3fW3ME?eSQO7=~#f%`0NYL%(Z=bnnF8Se&!IekCE>ot8
zXyNeHg`VTwmTEiKeoCWLwxaU<rXY{>cIIbbV<BD!pDn=M3`A{O;Js@>rB?j~XVEFb
zCGII{u6(>ObNB@jOvy6&rPbjm0SBL?d#UAM@=|;{iH}u5<5@Ox8Otwe;0_x0|CJ&F
z(zB^qQuT`;fB4KmW?hGg@G^ysciDP+@gOA9TmX3%3-whcRK;_OEvV+1%WIzkxLz#=
z|BD}RhEW(@Ma*&NCW9@kiSts)N2@4i3AEw`5vEM-V)n1vqjJ-f?1?)%Ud!Jd2F~M=
zL+xjS?JM$!$u#s!Q{|7OY8}MY_OVemnjvRZxK2MPsA2U^EIQx=URgoDVix%!rH#49
zI0BSN5Jy6se0**0yY%v0@mpiw7g^JglX`1tp~^J8uV*S%?;0AZ_;NDtEQ1bRjt>HU
zvZ6-M3X4t?j_ND@hLkM?boE0YBcZp?nrlUT`FP#OcGQZaJ+9fw`*drFQIqmEpZOnu
z40Q)>82;NIOW=_~yXaVA8j$v2;)PSWB+zL@r=>w9esbmHWh}92REPSkf?mU8Q(iMw
zd?3Q^h9^(&^~itqSynega!i86v+z#Mo#=3Q*#CN$Eut38Y)EduH#qW^eygtQ<8J*p
zgzWOqre?B=K7P_9!wNEBN3LTs8u)@hXiT8Y98>#N4KJjB5^E-h^AiYq9lS}xY^=Sw
vb(6<;z)_k-h~nmhFW_F%l0j$|2F|-(+L;ooljRZc?~&A32cVijdb87ve%=k=

literal 2429
zcmV-@34->80t^E@y8KTiHb4#m5B(gR65kPPeWw74miOa@eykdE+VEV24H^bzqUz{P
z0zn;uFrB`P{7)}O#|~u}>M0lBnSk1CShcO^6ZfMtyj;${PH9>Mc{=l0E3SoP!H^{+
z8)^LAilMrZ0?pV5I+Dyn@O$NI0%xZy7UN`QN2vyoHl^&`99x^2K0UXwro7YyBKqdL
zsiIjLL&>n6va~=zIcCaCw5ZJA$h$7A#0c?nnmMU1{I$D}@-)_ZUlC~19Avdq7g&pf
zq-a|i7Gm--^0-iP+O#^uuRx-{($ulg_^a8oTm%L`?W~T(6gHb0$ZxkoP26wGP~XDh
z{j+oKCDqJAgJ;XnnvBLjD?$ZK9MimUB{Ot*zMzB6ij4ZGZ^xZSL;Em#=%IK(4%@*P
zV@7&AmwD;QhFVBl+X*7V*Flhy*rSI7pEgfppL?0Xq8t7rQ;4skOj#2irw&x-2~8W0
zZ+Gt<!1S`urCKgsEomqmNGVUGkzohw>$61-k^{zBH8-x~d!HuDAeOQ;b5*UX7N|k2
zj3}LQi`SU8(O<DG(hhdM!4TC*-JiTua$?+_a}n5;pQ>|ABk(pv<FOsCb-f^ox68ZO
ztr5*KU6rS2&NPlvpJfEAE<P1)-Zv;h&&W91Cf66!0brGzC}Z}HQI*%NA;lWMDRkQN
z4J9EMZ7xMopyY|j$I{a30Wve8yuJ&)$Wsz;*70D=_&+|#%jmKK-IU$4zGBm-9~O7f
zN!QbU&bP&rS@BBDv$s(swBKakLRixm7Y6toC&h1GW5gX<i&WxLvyEGgiIkT0Pe`vG
zSY-F5$>}}Enk=xci|gM`f?5V3HGBg}2U%~VODOkt;#lE8NA?~6x+QQu3e%6wM|h#C
zKXZq_^ma@DYKJjN=B1@c>ZbbXwdZ@<fC6$?1Aig=tO^egTX)Pu>Q{yYQL_SGEL5&e
z;cS{WJ*ecN6+al4TiI|3@-w$`Xf!;jwdFATV&R#_Xs&reEe))wR3z)E*Hp!dw-pXg
z@?fN)jlmUq_Tn$radr3A1tq1H-X)p0?3mC3_>-htxXE{urM|vT%-jBUu2=_vqqmdW
z*<Y)kDRiE;9d;`xU|fc84ZW#lc)NLs6OG0ifV`wtQE3zr%JG5Vf-LhuL?K{zbQ$Ov
z3XXplyKX;^Ew!O6)pCK^0Ny4pK*-~X32Y`jKC-y{%>%Kt_rUmy9BInAhojbo0y$$l
z1_<OMZ8HR?0Y&zdSE1;q27o2LM#n&)Ie5Pgh>1EFMe=|Rh;aMTwW|J2E>4J7(l+6Q
znY9aAZxRWfOAh9JmlhFPuWfYZL?)mr(rsuODoTyDd}9GoW_D0@#;avc=lz$)@vMd2
z_1|6tJkiL1#`{raHe!y^6RHqO5An{v8rGDl6zt9EYe_pr6ULb=%w@MexZHC!o$t+r
zIaUTFw07(}hyug*(ooNEnYP6@WzgPA5me0I1Tb2L<ii^ay9~VJNL#pB$`uh%Z9_0)
zt}pw*dMxrMPg}Wt6uS*f-c>3L!G&Ue42YNr%PcDb$;3ic0(peGfqfoVD0`9&AO+RC
z<?WP>ZA%p)^d{k)vBmgVdX(&#Y^S*WUw=xeR45+vEtS%-72C)WZp2$vVc)ez#n^TI
zL>AQ)tV>bU@=k=hN4SP3<99Ic9Ktl~N+}AB$&~uoSX@soD(M3R3%&A>6u@_W0s%di
zxGz5fxnH~gI=$R2Zy3r*G5`4?n=?qkzpIU7u6Z^c7D|P<_sHa3__t#YCg0?bP5nvz
zDJBvb3{g*{RXVcR+0htf$Q7zx;KMC6kDyi@=@zuF?5u4#dsh{*Ft(CzD25>w1RLK%
z$|KlXFcjjuT0&+DW1>xn@+~77FVX^N7*_R$Ms%gzHaDmRX7uFg-U(+@p|19IbCNW^
z5i{MgT1fia6%D*z-yQi*Z<;G)<&*^4><R(NmO4Pnap0)xNu{vhM2_&VD$OZbmBaaf
z$$XVC80n#o+!U{&BHY2!;fpj)F+q0ZMjeqMZOa=lSn3$}^S=_ockThwJABIb_nV*S
z=>yhd{ooNtw(l!DhG|Den!PsT)QsL*_06SKIS9ikZ+!n7v}8^+H`Dv$^imNRgi5=k
zG!AZ|bnz6LGn#^S`WZ#NYWm!KY3+?(vD(pGm1O|@;rYxey@WOfa4Uu64Ms$!^R_X&
zHLW6zQh%i66R!iB_ZO|RE<U4zILuW4o<A3boC?*}5(T+JW|6C&Z&>P+g|=L)A<I6#
ze6XR{$(wxJLUx?5In#>xfA+7EC6>&eTz;w3NLsCQY%B$rv~vhp)M@Tav4ssDE>#8I
z>2O0rBx9UQCz5x=kG@|W7!`QXJB5Yx<BIOz8L@`}xQzfA2%g38M*ZsOLCVjZB#+&<
zagosM%Rx&8i2b!u<avyUK2$8<hC{2v*JUEt67~NXdLz+Y?gR3;5OwmA(s<D=KsV(F
zIx*8i&=g4S2;fJ~VBCILyw5Cptl;Axm5dk#{9i1DX?ELCU(7sDYZ<`)%J`Uc4M=~Y
ziAXXl`@Nbeu^mYaaZGLioWhH)@N9&~VDkr?Vvcxj)kDghrkkj;j!`xL2FS3);ueLH
z5H_2mB-FvAghVIw4tT3<=nx5@h;?jsgot2-Yk~cdKKIOlzg2v}nTo!3P0evHTMa90
z7N6q#^O8j>URB^M=g0nxuGN!;psc9gYf=76nKIpZI|fh%!1<<8`VRq3B*3YD)>1YT
zgp^R!YXRo~76iGPv@z)Y>l1sac{A8hjvQ2Z0rPMQIa1$IOEvrJ!h&~EwS+qPS_%JW
zPke0j#6S{qNl=HN*jr|FLdIv8=*|3aB6Ho=BiZLLrF1SQc-_~Z$l~PEiLOV$Slx<{
z+Ur}S^zj|Dfzy|2h)E~<U`0SyeA8$ew}hAou_@B8GfTd~+QVH4GTR!n#LXB%1;1~G
zJTQ5w`vw=!{lVhtAmw0UT!~PW#?N6-$V0Cyvtq}-fN#m#PDfhF#8g}~#tGkran9T+
zpkeP>G5jfbFIRd7Fza%p{_oz*U<#<&Mnk*qYu#eT+~kBz8Rp1QHIjk(_}j>_t~fwy
z=~72I0&w8%ZU$+1P9hI_=^%MZgQd3x%a${e2ebaQ^z%7Jdreu$bf3G4TS21bP2niq
v4}m39aJ6A=rNfR1DDJ7~Gaxf+yLetVgPwN&a&lVqLG*PGSmHestjFD3lkUC`