Set generic Podman defaults and per-service log IDs

Defaults for Podman that were previously applied as command-line arguments
to all `podman run` or `podman create` invocations are now specified in
a dedicated configuration file.

Services are also better identified against their name rather than the
generic `podman` ID derived from the `ExecStart` invocations.
Alex Palaistras 2021-08-28 19:16:29 +01:00
parent 6c28399c83
commit 79231c37f1
31 changed files with 67 additions and 34 deletions


@ -9,6 +9,11 @@ storage:
directories:
- path: /etc/coreos-home-server
mode: 0700
files:
- path: /etc/containers/containers.conf
mode: 0644
contents:
local: common/container/containers.conf
systemd:
units:
- name: container-build@.service


@ -0,0 +1,8 @@
[engine]
# Don't attempt to pull images from remote repositories by default.
pull_policy = "never"
[network]
# The default 'podman' network does not have DNS resolution enabled; use a common internal
# network until multi-network DNS resolution becomes available (podman#8399).
default_network = "internal"
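Review bot: `default_network = "internal"` in a system-wide `/etc/containers/containers.conf` applies to every container on this host that does not pass `--network`, not only to the units that previously carried `--net internal`, so an ad-hoc or debugging `podman run` now lands on the same network as the service containers and can resolve them by name, whereas the per-unit flag confined that to units that opted in. The file is also read by rootless users on the host, for whom an `internal` network may not exist, if any rootless usage is expected. Consider recording this in the file's comment, e.g. `# Host-wide default: any container started without --network joins 'internal' and can reach the service containers by name.`, or keeping `--net internal` explicit in the unit files and using this file only for the pull policy.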


@ -6,6 +6,7 @@ ConditionPathExists=%E/coreos-home-server/%i/Containerfile
[Service]
Type=oneshot
SyslogIdentifier=%N
Environment=PODMAN_BUILD_OPTIONS=
ExecStart=/bin/podman build $PODMAN_BUILD_OPTIONS --file %E/coreos-home-server/%i/Containerfile --tag localhost/%i:latest %E/coreos-home-server/%i


@ -5,6 +5,7 @@ ConditionPathExists=%E/coreos-home-server/%i/%i.env.template
[Service]
Type=oneshot
SyslogIdentifier=%N
EnvironmentFile=%E/coreos-home-server/host.env
ExecStart=/bin/sh -c 'envsubst < %E/coreos-home-server/%i/%i.env.template > %E/coreos-home-server/%i/%i.env'


@ -7,6 +7,7 @@ ConditionPathExists=!/etc/cni/net.d/%i.conflist
[Service]
Type=oneshot
RemainAfterExit=true
SyslogIdentifier=%N
ExecStart=/bin/podman network create %i
ExecStop=/bin/podman network rm %i


@ -3,11 +3,12 @@ Description=Backup for Container Volume %I
[Service]
Type=oneshot
SyslogIdentifier=%N
ExecStartPre=/bin/install --mode 0700 --directory %S/backups/coreos-home-server/%i
ExecStart=/bin/podman run --replace --pull never --rm --name %p-%i \
ExecStart=/bin/podman run --replace --rm --name %p-%i --entrypoint /bin/bash \
--volume %i:/data:z,ro \
--volume %S/backups/coreos-home-server/%i:/backups:z \
--entrypoint /bin/bash docker.io/debian:stable-slim \
docker.io/debian:stable-slim \
-c 'env name="%i-$(date +%%w%%H)" \
tar -cvpzf "/backups/${name}.tar.gz" -C /data . && \
ln --force "/backups/${name}.tar.gz" /backups/%i-latest.tar.gz'


@ -4,9 +4,10 @@ ConditionFileNotEmpty=%S/backups/coreos-home-server/%i/%i-latest.tar.gz
[Service]
Type=oneshot
ExecStart=/bin/podman run --replace --pull never --rm --name %p-%i --volume %i:/data:z \
SyslogIdentifier=%N
ExecStart=/bin/podman run --replace --rm --name %p-%i --volume %i:/data:z --entrypoint /bin/bash \
--volume %S/backups/coreos-home-server/%i:/backups:z,ro \
--entrypoint /bin/bash docker.io/debian:stable-slim \
docker.io/debian:stable-slim \
-c 'test -n "$(ls -A /data)" && echo "Volume %i is not empty, skipping." && exit 0; \
tar -xvpf "/backups/%i-latest.tar.gz" -C /data'


@ -5,6 +5,7 @@ After=container-volume-restore@%i.service
[Service]
Type=oneshot
SyslogIdentifier=%N
ExecStart=/bin/sh -c 'podman volume exists %i || podman volume create %i'
[Install]


@ -6,9 +6,10 @@ After=container-build@%N.service container-volume@%N.service prosody.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--volume %N:/var/lib/%N:z \
localhost/%N:latest


@ -6,9 +6,10 @@ After=container-build@%N.service container-volume@%N.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--volume %N:/var/lib/rdircd:z \
localhost/%N:latest


@ -6,9 +6,10 @@ After=container-build@%N.service container-volume@%N.service mariadb.service rsp
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--env-file %E/coreos-home-server/rspamd/rspamd.env \
--publish 143:143 --publish 993:993 \


@ -6,6 +6,7 @@ After=git.service
[Service]
Type=oneshot
RemainAfterExit=true
SyslogIdentifier=%N
ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
ExecStart=/bin/podman exec git sh -c "echo 'ssh-ed25519 %I' > /var/lib/git/.ssh/authorized_keys.d/%i"


@ -6,6 +6,7 @@ After=git.service
[Service]
Type=oneshot
RemainAfterExit=true
SyslogIdentifier=%N
ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
ExecStartPre=/usr/bin/curl --silent --fail -o /tmp/%N.key https://github.com/%i.keys
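Review bot: `curl --silent --fail -o /tmp/%N.key` writes a root-owned file at a predictable path in the host's shared `/tmp`, and the `[Service]` section shown declares no `PrivateTmp=`; curl's `-o` opens its target without exclusive-create semantics, so an entry already present at that path (including one left there by another local account) is written through rather than rejected. The same pattern appears in the mariadb migration unit (`install --mode 0700 --directory /tmp/%N` followed by `envsubst ... > /tmp/%N/migrate.sql`) and in both nginx units (`envsubst ... > /tmp/%i.conf`). Adding `PrivateTmp=yes` to each of these `[Service]` sections gives the unit a private `/tmp`; the `podman cp` and `sh -c` steps that consume the files run inside the same unit and therefore see that same namespace, so no other change appears to be needed. The `ExecStart` that consumes `/tmp/%N.key` lies outside this hunk.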


@ -1,5 +1,5 @@
[Unit]
Description=Git SSH authentication via public key file /%I
Description=Git SSH Authentication via Public Key File /%I
Wants=git.service
After=git.service
ConditionFileNotEmpty=/%I
@ -7,6 +7,7 @@ ConditionFileNotEmpty=/%I
[Service]
Type=oneshot
RemainAfterExit=true
SyslogIdentifier=%N
ExecStartPre=/bin/podman exec git install --owner 10000 --group 10000 --mode 0700 -d /var/lib/git/.ssh
ExecStartPre=/bin/podman exec git install -d /var/lib/git/.ssh/authorized_keys.d
ExecStart=/bin/podman cp /%I git:/var/lib/git/.ssh/authorized_keys.d/%i


@ -6,10 +6,10 @@ After=container-build@%N.service container-volume@%N.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --net internal --name %N --sdnotify=conmon \
--cap-add AUDIT_WRITE \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon --cap-add AUDIT_WRITE \
--publish 468:22 \
--volume %N:/var/lib/git:z \
--volume %N-ssh:/etc/ssh/keys:z \


@ -6,8 +6,9 @@ Before=letsencrypt-dns-renew@%i.timer
[Service]
Type=oneshot
SyslogIdentifier=%N
EnvironmentFile=%E/coreos-home-server/letsencrypt/letsencrypt.env
ExecStart=/bin/podman run --replace --pull never --rm --name letsencrypt-register-%i \
ExecStart=/bin/podman run --replace --rm --name letsencrypt-register-%i \
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
--volume letsencrypt:/var/lib/letsencrypt:z \
localhost/letsencrypt:latest \


@ -5,8 +5,9 @@ After=container-build@letsencrypt.service
[Service]
Type=oneshot
SyslogIdentifier=%N
EnvironmentFile=%E/coreos-home-server/letsencrypt/letsencrypt.env
ExecStart=/bin/podman run --replace --pull never --rm --name letsencrypt-renew-%i \
ExecStart=/bin/podman run --replace --rm --name letsencrypt-renew-%i \
--env-file %E/coreos-home-server/letsencrypt/letsencrypt.env \
--volume letsencrypt:/var/lib/letsencrypt:z \
localhost/letsencrypt:latest \


@ -6,14 +6,14 @@ ConditionPathExists=%E/coreos-home-server/%i/service/%p.sql
[Service]
Type=oneshot
SyslogIdentifier=%N
EnvironmentFile=-%E/coreos-home-server/%i/%i.env
EnvironmentFile=%E/coreos-home-server/mariadb/mariadb.env
ExecStartPre=/bin/install --mode 0700 --directory /tmp/%N
ExecStartPre=/bin/sh -c 'envsubst < %E/coreos-home-server/%i/service/%p.sql > /tmp/%N/migrate.sql'
ExecStartPre=/bin/podman create --replace --pull never --rm --name mariadb-migrate-%i --net internal \
ExecStartPre=/bin/podman create --replace --rm --name mariadb-migrate-%i --entrypoint mariadb \
--volume mariadb:/var/lib/mysql:z \
--entrypoint mariadb localhost/mariadb:latest \
--host mariadb --user root --password=${MYSQL_ROOT_PASSWORD} --wait -e 'source /migrate.sql'
localhost/mariadb:latest --host mariadb --user root --password=${MYSQL_ROOT_PASSWORD} --wait -e 'source /migrate.sql'
ExecStartPre=/bin/podman cp /tmp/%N/migrate.sql mariadb-migrate-%i:/migrate.sql
ExecStart=/bin/podman start --attach mariadb-migrate-%i
ExecStartPost=/bin/podman rm --ignore --force mariadb-migrate-%i
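Review bot: `--password=${MYSQL_ROOT_PASSWORD}` is expanded by systemd before `podman create` runs, so the database root password becomes part of the container's recorded command line, visible in `podman inspect mariadb-migrate-%i` and in the process list while the command executes; the pre-change line had the same exposure, but the rewrite is a good moment to remove it. The unit already loads `mariadb.env` through `EnvironmentFile=`, so the secret can stay out of argv by handing the client a mounted options file (`--defaults-extra-file` pointing at a `[client]` section with `password=`) or, where the installed Podman supports it, a `--secret`. Running every migration as `root` over TCP also grants the migrating SQL more than it likely needs; a per-service migration account would narrow that, if the schemas allow it.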


@ -6,10 +6,10 @@ After=container-build@%N.service container-volume@%N.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
EnvironmentFile=%E/coreos-home-server/%N/%N.env
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--volume %N:/var/lib/mysql:z \
localhost/%N:latest


@ -6,6 +6,7 @@ After=nginx.service %i.service
[Service]
Type=oneshot
RemainAfterExit=true
SyslogIdentifier=%N
Environment=SERVER_NAME=%i SSL_CERT_NAME=%i UPSTREAM_HOST=%i UPSTREAM_PORT=8080
Environment=NGINX_CONF=%E/coreos-home-server/nginx/service/%p.conf.template
ExecStart=/bin/sh -c "envsubst '$SERVER_NAME $SERVER_NAME_ALT $SSL_CERT_NAME $UPSTREAM_HOST $UPSTREAM_PORT' \


@ -7,19 +7,18 @@ Before=nginx-proxy-http@%i.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
Environment=SERVER_NAME=%i SERVICE_DATA_DIRECTORY=/data
Environment=NGINX_CONF=%E/coreos-home-server/nginx/service/%p.conf.template
ExecStartPre=/bin/podman pod create --replace --name %i --net internal
ExecStartPre=/bin/podman create --replace --pull never --name %i-php --pod %i --sdnotify=conmon \
ExecStartPre=/bin/podman create --replace --name %i-php --pod %i --sdnotify=conmon \
--env-file %E/coreos-home-server/%i/%i.env \
--volume %i:${SERVICE_DATA_DIRECTORY}:z,rshared \
localhost/%i:latest
ExecStartPre=/bin/podman init %i-php
ExecStartPre=/bin/podman create --replace --pull never --name %i-nginx --pod %i \
--volumes-from=%i-php:z,ro \
localhost/nginx:latest
ExecStartPre=/bin/podman create --replace --name %i-nginx --pod %i --volumes-from=%i-php:z,ro localhost/nginx:latest
ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
ExecStart=/bin/sh -c 'podman pod start %i && podman start --attach %i-php'
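Review bot: `podman pod create --replace --name %i --net internal` keeps an explicit `--net internal` while the two `podman create` lines in the same hunk drop it in favour of the new containers.conf default, so the hunk now mixes both conventions. If `default_network` is honoured by `podman pod create` as well, the flag can go for consistency; if it is not, a comment such as `# pods do not pick up the containers.conf default network` next to the line would stop the next reader from removing it.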


@ -7,13 +7,12 @@ Before=nginx-proxy-http@%i.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
Environment=SERVER_NAME=%i SERVICE_DATA_DIRECTORY=/data
Environment=NGINX_CONF=%E/coreos-home-server/nginx/service/%p.conf.template
ExecStartPre=/bin/podman create --replace --pull never --name %i --net internal --sdnotify=conmon \
--volume %i:${SERVICE_DATA_DIRECTORY}:z,ro \
localhost/%i:latest
ExecStartPre=/bin/podman create --replace --name %i --sdnotify=conmon --volume %i:${SERVICE_DATA_DIRECTORY}:z,ro localhost/%i:latest
ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
ExecStartPre=/bin/sh -c 'podman cp /tmp/%i.conf %i:/etc/nginx/conf.d/%i.conf && rm -f /tmp/%i.conf'
ExecStart=/bin/podman start --attach %i


@ -6,9 +6,10 @@ After=container-build@%N.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--publish 80:80 --publish 443:443 \
--volume nginx-conf:/etc/nginx/conf.d:z \
--volume letsencrypt:/etc/ssl/private:z,rshared,ro \


@ -6,9 +6,10 @@ After=container-build@%N.service dovecot.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--publish 25:25 --publish 465:465 --publish 587:587 \
--volume dovecot:/var/mail:z \


@ -6,9 +6,10 @@ After=container-build@%N.service container-volume@%N.service mariadb.service dov
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \
--volume %N:/var/lib/%N:z \


@ -6,9 +6,10 @@ After=container-build@%N.service container-volume@%N.service dovecot.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--volume %N:/var/lib/%N:z \
localhost/%N:latest


@ -1,5 +1,6 @@
FROM docker.io/redis:6.2
USER redis
COPY container/config /etc/redis
USER redis
CMD ["redis-server", "/etc/redis/redis.conf"]
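Review bot: moving `USER redis` below `COPY container/config /etc/redis` does not change who owns the copied files: `COPY` writes them as uid/gid 0 regardless of the `USER` in effect, so the reorder is a no-op for ownership and only affects instructions that follow it. If the intent was to make the configuration readable or writable by the `redis` account, `COPY --chown=redis:redis container/config /etc/redis` is the mechanism; if the files are only read and are already world-readable in the source tree, the move is harmless and a one-line comment saying so would help.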


@ -6,11 +6,10 @@ After=container-build@%N.service container-volume@%N.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
--volume %N:/data:z \
localhost/%N:latest
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon --volume %N:/data:z localhost/%N:latest
ExecStop=/bin/podman stop --ignore --time 10 %N
ExecStopPost=/bin/podman rm --ignore --force %N


@ -5,6 +5,7 @@ After=rspamd.service
[Service]
Type=oneshot
SyslogIdentifier=%N
ExecStartPre=/bin/podman exec rspamd install -d /var/lib/rspamd/dkim
ExecStart=/bin/podman exec rspamd openssl genrsa -out /var/lib/rspamd/dkim/%i.dkim.key 1024
ExecStartPost=/bin/podman exec rspamd chmod 644 /var/lib/rspamd/dkim/%i.dkim.key
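Review bot: `chmod 644 /var/lib/rspamd/dkim/%i.dkim.key` makes the DKIM private key readable by every account inside the rspamd container, which defeats the point of it being private; only the user rspamd runs as needs to read it. Prefer `chown <rspamd-user> /var/lib/rspamd/dkim/%i.dkim.key && chmod 600 /var/lib/rspamd/dkim/%i.dkim.key` (the account name depends on the image, so confirm it rather than guessing) and give the `install -d` on the previous line a matching `--owner` so the directory is not root-owned either. The key is also generated at 1024 bits; RFC 8301 asks signers to use 2048-bit RSA and some verifiers down-score or reject 1024-bit keys, so `openssl genrsa -out /var/lib/rspamd/dkim/%i.dkim.key 2048` is the safer default unless DNS record size is a constraint.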


@ -6,9 +6,10 @@ After=container-build@%N.service container-volume@%N.service redis.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--volume %N:/var/lib/%N:z \
localhost/%N:latest


@ -6,9 +6,10 @@ After=container-build@%N.service container-volume@%N.service prosody.service
[Service]
Type=notify
NotifyAccess=all
SyslogIdentifier=%N
Restart=on-failure
Environment=PODMAN_SYSTEMD_UNIT=%n
ExecStart=/bin/podman run --replace --pull never --name %N --net internal --sdnotify=conmon \
ExecStart=/bin/podman run --replace --name %N --sdnotify=conmon \
--env-file %E/coreos-home-server/%N/%N.env \
--volume %N:/var/lib/spectrum2:z \
localhost/%N:latest