Previous experiments in using the RAID array as simple storage, with an
implied installation to a secondary medium (an SSD on port 5) failed,
and a simpler alternative has been reached.
The SMTPS (465) And Submission (587) ports expect encryption, either
implicitly (i.e. via direct TLS connection) or explicitly (i.e. via
STARTTLS), but this was not enforced previously. Port 25 remains
configured for opportunistic encryption, but will still not allow for
authentication over unencrypted transports.
Partial updates require that source files have appropriate timestamps,
which Git does not set in any special way by default. Thus, before
attempting to update files in-place, we set source timestamps based on
last commit time, which is the effective update time in any case.
This partially reverts default network configuration, which will now
implicitly create the specified network without the ability to set
default plugins.
Templated services are also no longer enabled by default, but expect to
be enabled as part of concrete patterns.
Defaults for Podman that were previous applied as command-line arguments
to all `podman run` or `podman create` invocations are now specified in
a dedicated configuration file.
Services are also better identified against their name rather than the
generic `podman` ID derived from the `ExecStart` invocations.
This includes setting the Debian base image to a specific release rather
than the generic `stable` version, which can cause issues when assuming
package versions or external repository status.
This commit implements three new services, specifically:
- The `container-volume` service, which applies to a specific volume
name and ensures this exists. This is mainly useful as a dependency
to other services, as Podman will create named volumes itself if
needed.
- The `container-volume-backup` service, which creates a `tar.gz`
snapshot of the given volume's contents in `/var/lib/backups`.
- The `container-volume-restore` service, which populates an empty
volume from a pre-existing file in `/var/lib/backups`, presumably
created by `container-volume-backup`.
These are then be used to automatically create volume snapshots every 12
hours, rolling over every 7 days.
System files are moved to `/etc/coreos-home-server` to be unambiguous
in relation to other, pre-installed system files. Long-running services
are also now defined as `Type=notify`, which helps improve ordering and
dependencies.
The fixes here include typos, removals of deprecated paths, fixes for
first-boot-only systemd targets and related MariaDB migrate machinery,
better logging for Postfix, and an increase in the default request body
size for the default NGINX ingress.
Naming for services has been consolidated to `nginx-proxy` and
`nginx-serve`, and issues with resolving underlying containers in the
case of restarts have been fixed by way of resolver configuration.
And introduce a `purge` target, intended to supplant the current `clean`
target, in allowing the latter to be used to clean Butane configuration
without removing any cached images.
This commit represents a large amount of work toward moving services to
a more standard approach to storing data, and a simplification in how
networks are managed.
This will help make subsequent synchronization with hosts easier, as
systemd files and potential dropins are guarnateed to exist under a
certain hierarchy that can be dropped as-is into host configuration
directories.
