This improves cacheability of layers by consolidating instructions
across different container builds. Future work will involve installing
from an external binary repository.
This makes container builds more consistent, and therefore more
cacheable in relation to other containers.
In addition, certificates and keys are now copied to two separate
volumes, one containing all certificates (for use in services like
`nginx`, which may require unfettered access to certificates) and one
containing certificates only for a specific domain, for use in most
other cases.
Container builds using the `container-build@` systemd service will
generally tag any container image built with the `latest` tag, which is
then referred to pervasively in container executions.
However, this tag is overwritten when building new images, and, combined
with how `podman auto-update` will prune old image digests, may cause us
to lack the ability to roll back, automatically or otherwise.
This commit sets a `previous` tag on container re-builds, which should
only generally happen when source files change (due to the `ExecCondition`)
present on the service, which in turn should ensure that images are not
spuriously tagged as such.
This sets the `MARIADB_AUTO_UPGRADE` environment variable, used by the
base MariaDB image in applying schema changes, as generally necessary
when performing minor or major upgrades.
Previously, we'd use the Debian-provided `turnserver` user, which is no
longer available in source builds; we now create and use a dedicated
`coturn` user for more consistency with other services.
Calls to `curl` will now use the `--fail` option, in addition to
`--silent` and `--show-error`, in an effort to catch issues with server
or client-side errors.
This commit adds an `ExecCondition` directive on the `container-build@`
service, used as a pre-requisite for all other Podman-based services,
skipping `podman build` invocations unless local `Containerfile` or any
files in the `container` sub-directories have changed.
Container builds are responsible for the majority of time taken during
boot, even with cache in place; this will help alleviate pressure and
hopefully speed up boot considerably.
Containers for Prometheus and Grafana can take longer to start due to
migrations on large databases etc., which in turn can cause systemd to
kill these mid-execution.
