diff --git a/config/service/biboumi/systemd/biboumi.service b/config/service/biboumi/systemd/biboumi.service
index 5ba2cae..c99095d 100644
--- a/config/service/biboumi/systemd/biboumi.service
+++ b/config/service/biboumi/systemd/biboumi.service
@@ -6,11 +6,11 @@ After=container-build@%N.service prosody.service
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net prosody --env-file /etc/container-service/%N/%N.env \
- --volume /var/lib/container-service/%N:/var/lib/%N:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net prosody --env-file /etc/container-service/%N/%N.env \
+ --volume /var/lib/container-service/%N:/var/lib/%N:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/discord-ircd/systemd/discord-ircd.service b/config/service/discord-ircd/systemd/discord-ircd.service
index 3ba7dea..d311d41 100644
--- a/config/service/discord-ircd/systemd/discord-ircd.service
+++ b/config/service/discord-ircd/systemd/discord-ircd.service
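Review bot: The new `ExecStart=/bin/podman run …` line runs without `--rm` and leaves removal to the added `ExecStopPost=/bin/podman rm --force %N`, but the unit does not say that this is deliberate or what it implies. Since systemd runs ExecStop= and ExecStopPost= whenever the main process ends, including before each `Restart=always` cycle, a crashed container and its writable layer are force-removed before it can be inspected, and its log lines go with it unless the host's podman log driver is journald (to be confirmed for this host). A comment above ExecStart such as `# No --rm: the container is kept until ExecStopPost removes it, which also runs before every Restart= cycle` would make the contract explicit. The discord-ircd, dovecot, git, mariadb, nginx-ingress, postfix, prosody, radicale, redis and rspamd units in this commit follow the same pattern.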
@@ -6,11 +6,11 @@ After=container-build@%N.service container-network@prosody.service
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net prosody --env-file /etc/container-service/%N/%N.env \
- --volume /var/lib/container-service/%N:/var/lib/rdircd:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net prosody --env-file /etc/container-service/%N/%N.env \
+ --volume /var/lib/container-service/%N:/var/lib/rdircd:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/dovecot/systemd/dovecot.service b/config/service/dovecot/systemd/dovecot.service
index 1128bbd..3c7af01 100644
--- a/config/service/dovecot/systemd/dovecot.service
+++ b/config/service/dovecot/systemd/dovecot.service
@@ -6,15 +6,15 @@ After=container-build@%N.service container-network@mail.service container-networ
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 5000 --group 5000 -d /var/lib/container-service/mail
-ExecStartPre=/bin/podman create --replace --pull never --net internal,mail,mariadb --env-file /etc/container-service/%N/%N.env \
- --env-file /etc/container-service/rspamd/rspamd.env \
- --publish 143:143 --publish 993:993 \
- --volume /var/lib/container-service/mail:/var/mail:z \
- --volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
- --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net internal,mail,mariadb --env-file /etc/container-service/%N/%N.env \
+ --env-file /etc/container-service/rspamd/rspamd.env \
+ --publish 143:143 --publish 993:993 \
+ --volume /var/lib/container-service/mail:/var/mail:z \
+ --volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
+ --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/git/systemd/git-ssh-ed25519@.service b/config/service/git/systemd/git-ssh-ed25519@.service
index edaba5e..5a8ec5c 100644
--- a/config/service/git/systemd/git-ssh-ed25519@.service
+++ b/config/service/git/systemd/git-ssh-ed25519@.service
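Review bot: The new `--volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z` line mounts the TLS private-key directory read-write into the dovecot container, and nothing in the unit shows the container writing there. If dovecot only reads the keys, `--volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:ro,z \` keeps a misbehaving or compromised container from altering the host's key material, and the `/etc/container-service/%N/service/config:/etc/%N/conf.d:z` config mount on the line above could be `ro,z` for the same reason. The postfix and prosody units in this commit carry the same read-write mount of `letsencrypt/private`; nginx-ingress does as well, but its `ExecStartPre` is what creates that directory, so it may be the writer and should be checked before its mount is changed.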
@@ -12,8 +12,8 @@ ExecStart=/bin/sh -c "echo 'ssh-ed25519 %I' > ${GIT_HOME}/.ssh/authorized_keys.d
 ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
 ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
 ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
-ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
+ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/git/systemd/git-ssh-pubkey@.service b/config/service/git/systemd/git-ssh-pubkey@.service
index c34fc67..7e18af5 100644
--- a/config/service/git/systemd/git-ssh-pubkey@.service
+++ b/config/service/git/systemd/git-ssh-pubkey@.service
@@ -12,8 +12,8 @@ ExecStart=/bin/install -m 0600 -D %I ${GIT_HOME}/.ssh/authorized_keys.d/%i
 ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
 ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
 ExecStop=/bin/rm -f ${GIT_HOME}/.ssh/authorized_keys.d/%i
-ExecStartPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
-ExecStartPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
+ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"
+ExecStopPost=/bin/install --owner 10000 --group 10000 -m 0600 /tmp/authorized_keys ${GIT_HOME}/.ssh/authorized_keys
 
 [Install]
 WantedBy=multi-user.target
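Review bot: The new `ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys"` fails when the key removed by `ExecStop` was the last one: the glob stays literal, `cat` exits non-zero after the redirect has already truncated `/tmp/authorized_keys`, and whether the following `install` still runs depends on how systemd treats a failed ExecStopPost= command. If it is skipped, the old `authorized_keys` that still lists the removed key stays in place, which is exactly the case this change is meant to fix; `ExecStopPost=/bin/sh -c "cat ${GIT_HOME}/.ssh/authorized_keys.d/* > /tmp/authorized_keys 2>/dev/null || :"` makes an empty result a success so the install step replaces the file. Separately, `/tmp/authorized_keys` is a fixed name in the host's shared `/tmp` used by every instance of both templates, so two instances starting or stopping at the same time can interleave the write and the install; `PrivateTmp=yes` in `[Service]` (above this hunk) or a per-instance name such as `/tmp/authorized_keys.%i` would avoid that. git-ssh-pubkey@.service, in the same hunk line, gets the identical pair of lines and needs the same change.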
diff --git a/config/service/git/systemd/git.service b/config/service/git/systemd/git.service
index b185dab..4ecdd4c 100644
--- a/config/service/git/systemd/git.service
+++ b/config/service/git/systemd/git.service
@@ -6,13 +6,12 @@ After=container-build@%N.service container-network@%N.service container-network@
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net internal,%N \
- --cap-add AUDIT_WRITE \
- --publish 468:22 \
- --volume /var/lib/container-service/%N:/home/git:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net internal,%N --cap-add AUDIT_WRITE \
+ --publish 468:22 \
+ --volume /var/lib/container-service/%N:/home/git:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/mariadb/systemd/mariadb.service b/config/service/mariadb/systemd/mariadb.service
index 533256c..0b7f531 100644
--- a/config/service/mariadb/systemd/mariadb.service
+++ b/config/service/mariadb/systemd/mariadb.service
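Review bot: The rewritten `ExecStart=` line folds `--cap-add AUDIT_WRITE` onto the first line, while the removed lines here and every other unit in this commit keep each option group on its own `\`-continued line; restoring ` --cap-add AUDIT_WRITE \` as its own line keeps the units uniform and makes the added capability visible at a glance. git is the only service in the set that grants an extra capability, so a short comment above that line explaining what in the image needs AUDIT_WRITE would help the next reviewer judge whether it is still required.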
@@ -7,15 +7,15 @@ After=container-build@%N.service container-network@%N.service container-network@
 Restart=always
 EnvironmentFile=/etc/container-service/%N/%N.env
 ExecStartPre=/bin/install --owner 999 --group 999 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net internal,%N --env-file /etc/container-service/%N/%N.env \
- --volume /var/lib/container-service/%N:/var/lib/mysql:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net internal,%N --env-file /etc/container-service/%N/%N.env \
+ --volume /var/lib/container-service/%N:/var/lib/mysql:z \
+ --name %N localhost/%N:latest
 ExecStartPost=/bin/podman run --replace --pull never --rm --net %N --entrypoint mariadb-admin \
 --volume /var/lib/container-service/%N:/var/lib/mysql:z \
 --name %N-wait localhost/%N:latest \
 --host mariadb --user root --password=${MYSQL_ROOT_PASSWORD} --wait=10 ping
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/nginx/systemd/nginx-ingress.service b/config/service/nginx/systemd/nginx-ingress.service
index 252749a..11e6819 100644
--- a/config/service/nginx/systemd/nginx-ingress.service
+++ b/config/service/nginx/systemd/nginx-ingress.service
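Review bot: The `ExecStartPost=/bin/podman run … --password=${MYSQL_ROOT_PASSWORD} --wait=10 ping` context lines, kept unchanged next to the new `ExecStart`, still pass the root password on the mariadb-admin command line, where the host process list and the wait container's own process table can read it for as long as the ping runs. This predates the hunk, but the unit already has `EnvironmentFile=/etc/container-service/%N/%N.env` and the main container gets that file through `--env-file`, so the wait container could take the same `--env-file /etc/container-service/%N/%N.env` and let the client read the password from the environment (mariadb clients honour `MYSQL_PWD`; the env file would have to provide it, or `--entrypoint` could point at a small script that maps it) instead of `--password=`. The `--volume /var/lib/container-service/%N:/var/lib/mysql:z` on the wait container also looks unnecessary for a `ping` and shares the live data directory with a second container while the server runs.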
@@ -7,13 +7,13 @@ After=container-build@nginx.service container-network@%N.service
 Restart=always
 ExecStartPre=/bin/install --owner 10000 --group 10000 -d /var/lib/container-service/letsencrypt/private
 ExecStartPre=/bin/install -d /var/lib/container-service/%N/conf.d
-ExecStartPre=/bin/podman create --replace --pull never --net %N \
- --publish 80:80 --publish 443:443 \
- --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
- --volume /var/lib/container-service/%N/conf.d:/etc/nginx/conf.d:z \
- --name %N localhost/nginx:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net %N \
+ --publish 80:80 --publish 443:443 \
+ --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
+ --volume /var/lib/container-service/%N/conf.d:/etc/nginx/conf.d:z \
+ --name %N localhost/nginx:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 ExecReload=/bin/podman exec %N nginx -s reload
 
 [Install]
diff --git a/config/service/nginx/systemd/nginx-php@.service b/config/service/nginx/systemd/nginx-php@.service
index c4dc1fe..70c4fed 100644
--- a/config/service/nginx/systemd/nginx-php@.service
+++ b/config/service/nginx/systemd/nginx-php@.service
@@ -7,21 +7,21 @@ Before=nginx-ingress-http@%i.service
 [Service]
 Restart=always
 Environment=SERVER_NAME=%i
+Environment=SERVICE_DATA_DIRECTORY=/data
 Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
 ExecStartPre=/bin/install --owner 33 --group 33 -d /var/lib/container-service/%i
-ExecStartPre=/bin/podman pod create --replace --net mariadb,nginx-ingress --name %i
-ExecStartPre=/bin/podman create --replace --pull never --pod %i \
- --env-file /etc/container-service/%i/%i.env \
- --volume /var/lib/container-service/%i:/data:z \
+ExecStartPre=/bin/podman pod create --replace --net internal,nginx-ingress --name %i
+ExecStartPre=/bin/podman create --replace --pull never --pod %i --env-file /etc/container-service/%i/%i.env \
+ --volume /var/lib/container-service/%i:${SERVICE_DATA_DIRECTORY}:z,shared \
 --name %i-php localhost/%i:latest
 ExecStartPre=/bin/podman create --replace --pull never --pod %i \
 --volumes-from=%i-php:z,ro \
 --name %i-nginx localhost/nginx:latest
 ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
-ExecStartPre=/bin/podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d
-ExecStartPre=/bin/rm -f /tmp/%i.conf
+ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
 ExecStart=/bin/sh -c 'podman pod start %i && podman wait %i-php && podman attach --no-stdin %i-php'
 ExecStop=/bin/podman pod stop --time 10 %i
+ExecStopPost=/bin/podman pod rm --force %i
 
 [Install]
 Alias=%i.service
diff --git a/config/service/nginx/systemd/nginx-static@.service b/config/service/nginx/systemd/nginx-static@.service
index 49285b4..059a9ae 100644
--- a/config/service/nginx/systemd/nginx-static@.service
+++ b/config/service/nginx/systemd/nginx-static@.service
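Review bot: The new `ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i-nginx:/etc/nginx/conf.d && rm -f /tmp/%i.conf"` keeps the rendered nginx config on a fixed, predictable path in the host's shared `/tmp` between the `envsubst` redirect and the copy, and leaves it there if `podman cp` fails. Adding `PrivateTmp=yes` to the `[Service]` section at the top of this hunk gives the unit its own `/tmp`, which the `sh -c` steps and `podman cp` (running in the same mount namespace) should still see; that is worth confirming on the host rather than assuming. The new `--volume /var/lib/container-service/%i:${SERVICE_DATA_DIRECTORY}:z,shared` also turns on shared mount propagation for the data directory, which nothing else in the hunk (the nginx side uses `--volumes-from=%i-php:z,ro`) visibly needs; if it is required, a comment saying why would keep the next reader from removing it. nginx-static@.service gets the same `sh -c "podman cp … && rm -f"` line and would take the same `PrivateTmp=yes`.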
@@ -10,10 +10,10 @@ Environment=SERVER_NAME=%i
 Environment=NGINX_CONF=/etc/container-service/nginx/service/%p.conf.template
 ExecStartPre=/bin/podman create --replace --pull never --net nginx-ingress --name %i localhost/%i:latest
 ExecStartPre=/bin/sh -c "envsubst '$SERVER_NAME' < ${NGINX_CONF} > /tmp/%i.conf"
-ExecStartPre=/bin/podman cp /tmp/%i.conf %i:/etc/nginx/conf.d
-ExecStartPre=/bin/rm -f /tmp/%i.conf
+ExecStartPre=/bin/sh -c "podman cp /tmp/%i.conf %i:/etc/nginx/conf.d && rm -f /tmp/%i.conf"
 ExecStart=/bin/podman start --attach %i
 ExecStop=/bin/podman stop --time 10 %i
+ExecStopPost=/bin/podman rm --force %i
 
 [Install]
 Alias=%i.service
diff --git a/config/service/postfix/systemd/postfix.service b/config/service/postfix/systemd/postfix.service
index 529658a..7c5d5a0 100644
--- a/config/service/postfix/systemd/postfix.service
+++ b/config/service/postfix/systemd/postfix.service
@@ -6,13 +6,13 @@ After=container-build@%N.service container-network@mail.service container-networ
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 5000 --group 5000 -d /var/lib/container-service/mail
-ExecStartPre=/bin/podman create --replace --pull never --net internal,mail --env-file /etc/container-service/%N/%N.env \
- --publish 25:25 --publish 465:465 --publish 587:587 \
- --volume /var/lib/container-service/mail:/var/mail:z \
- --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net internal,mail --env-file /etc/container-service/%N/%N.env \
+ --publish 25:25 --publish 465:465 --publish 587:587 \
+ --volume /var/lib/container-service/mail:/var/mail:z \
+ --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/prosody/systemd/prosody.service b/config/service/prosody/systemd/prosody.service
index a5aa59d..d694a00 100644
--- a/config/service/prosody/systemd/prosody.service
+++ b/config/service/prosody/systemd/prosody.service
@@ -6,13 +6,13 @@ After=container-build@%N.service container-network@%N.service mariadb.service po
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 101 --group 102 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net mariadb,%N --env-file /etc/container-service/%N/%N.env \
- --publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \
- --volume /var/lib/container-service/%N:/var/lib/%N:z --volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
- --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net mariadb,%N --env-file /etc/container-service/%N/%N.env \
+ --publish 5222:5222 --publish 5269:5269 --publish 5347:5347 \
+ --volume /var/lib/container-service/%N:/var/lib/%N:z --volume /etc/container-service/%N/service/config:/etc/%N/conf.d:z \
+ --volume /var/lib/container-service/letsencrypt/private:/etc/ssl/private:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/radicale/systemd/radicale.service b/config/service/radicale/systemd/radicale.service
index e24764d..e35d716 100644
--- a/config/service/radicale/systemd/radicale.service
+++ b/config/service/radicale/systemd/radicale.service
@@ -6,12 +6,12 @@ After=container-build@%N.service dovecot.service
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 15232 --group 15232 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net mail --env-file /etc/container-service/%N/%N.env \
- --publish 5232:5232 \
- --volume /var/lib/container-service/%N:/var/lib/%N:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net mail --env-file /etc/container-service/%N/%N.env \
+ --publish 5232:5232 \
+ --volume /var/lib/container-service/%N:/var/lib/%N:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/redis/systemd/redis.service b/config/service/redis/systemd/redis.service
index 363ec03..c88332d 100644
--- a/config/service/redis/systemd/redis.service
+++ b/config/service/redis/systemd/redis.service
@@ -6,11 +6,11 @@ After=container-build@%N.service container-network@%N.service container-network@
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 999 --group 1000 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net internal,%N \
- --volume /var/lib/container-service/%N:/data:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net internal,%N \
+ --volume /var/lib/container-service/%N:/data:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/config/service/rspamd/systemd/rspamd.service b/config/service/rspamd/systemd/rspamd.service
index fe64fdd..7636475 100644
--- a/config/service/rspamd/systemd/rspamd.service
+++ b/config/service/rspamd/systemd/rspamd.service
@@ -6,12 +6,12 @@ After=container-build@%N.service container-network@mail.service container-networ
 [Service]
 Restart=always
 ExecStartPre=/bin/install --owner 11332 --group 11332 -d /var/lib/container-service/%N
-ExecStartPre=/bin/podman create --replace --pull never --net internal,mail,redis --env-file /etc/container-service/%N/%N.env \
- --publish 11332:11332 --publish 11334:11334 \
- --volume /var/lib/container-service/%N:/var/lib/%N:z \
- --name %N localhost/%N:latest
-ExecStart=/bin/podman start --attach %N
+ExecStart=/bin/podman run --replace --pull never --net internal,mail,redis --env-file /etc/container-service/%N/%N.env \
+ --publish 11332:11332 --publish 11334:11334 \
+ --volume /var/lib/container-service/%N:/var/lib/%N:z \
+ --name %N localhost/%N:latest
 ExecStop=/bin/podman stop --time 10 %N
+ExecStopPost=/bin/podman rm --force %N
 
 [Install]
 WantedBy=multi-user.target
diff --git a/host/lhr01nuc/lhr01nuc.env.gpg b/host/lhr01nuc/lhr01nuc.env.gpg
index 94e4c9b..92f39c0 100644
Binary files a/host/lhr01nuc/lhr01nuc.env.gpg and b/host/lhr01nuc/lhr01nuc.env.gpg differ
diff --git a/host/lhr01nuc/spec.fcc b/host/lhr01nuc/spec.fcc
index 689800b..73908fd 100644
--- a/host/lhr01nuc/spec.fcc
+++ b/host/lhr01nuc/spec.fcc
@@ -15,6 +15,7 @@ ignition:
 - local: service/rspamd/spec.ign
 - local: service/prosody/spec.ign
 - local: service/biboumi/spec.ign
+ - local: service/discord-ircd/spec.ign
 - local: service/radicale/spec.ign
 - local: private/spec.ign