Services will now have an additional set of security-oriented response
headers attached, and cache times re-jigged.

In addition, the `nginx-serve-static@` service has been removed in
favour of `nginx-serve-volume@`, which is simpler to set up and use.

Slidge replaces Spectrum with immense improvement to bridging
capabilities, albeit with only experimental MUC support. Nevertheless,
the current state is sufficiently stable for a complete replacement.

This commit moves the `nginx-proxy-http` service back to separate
`UPSTREAM_HOST`, `UPSTREAM_PORT`, and `UPSTREAM_PATH` variables, which
allows for more granular configuration, e.g. `proxy_redirect` patterns.

This commit switches Hugo to a webhook-based building process, with
support for GitHub, GitLab, and Gitea hooks (including local versions of
Gitea) initially. In addition, Hugo-based sites are now intended to be
served under a single volume, with ingress configuration pointing to
sub-paths into the volume.

Documentation for webhook setup and NGINX proxy configuration is still
underway, and will be filled in later.

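As an added illustration (not the project's own code, whose webhook handling is documented as still underway), this verifies the three hook flavours named above before a build is triggered: Gitea and GitHub sign the raw body with HMAC-SHA256, GitLab sends a shared token verbatim. The secret, header names' handling and the sample push payload are constructed here; the header names themselves are the ones each forge documents.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional

# Constructed shared secret: the same value is configured in the forge's
# webhook settings and on the build host (e.g. via an environment file).
SECRET = b"example-webhook-secret"

# Constructed push payload, as a forge would POST it to the build hook.
SAMPLE_BODY = b'{"ref": "refs/heads/main", "after": "0123abcd"}'


def sign_body(body: bytes, secret: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body, as GitHub and Gitea compute it."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(headers: Mapping[str, str], body: bytes,
                   secret: bytes) -> Optional[str]:
    """Return the forge whose header authenticated the request, else None.

    Gitea:  X-Gitea-Signature   -> hex HMAC-SHA256 of the body
    GitHub: X-Hub-Signature-256 -> "sha256=" + hex HMAC-SHA256 of the body
    GitLab: X-Gitlab-Token      -> the shared secret sent verbatim
    Gitea is checked first because it also sends GitHub-compatible headers.
    Header lookup is case-insensitive; every comparison is constant-time.
    """
    h = {k.lower(): v for k, v in headers.items()}
    expected = sign_body(body, secret)
    if "x-gitea-signature" in h:
        ok = hmac.compare_digest(h["x-gitea-signature"], expected)
        return "gitea" if ok else None
    if "x-hub-signature-256" in h:
        ok = hmac.compare_digest(h["x-hub-signature-256"], "sha256=" + expected)
        return "github" if ok else None
    if "x-gitlab-token" in h:
        ok = hmac.compare_digest(h["x-gitlab-token"].encode(), secret)
        return "gitlab" if ok else None
    return None  # no recognised authentication header: unauthenticated


def build_requested(body: bytes, branch: str = "main") -> bool:
    """Only a push to the configured branch should trigger a Hugo rebuild."""
    return json.loads(body).get("ref") == f"refs/heads/{branch}"
```

Any request for which `verify_webhook` returns `None` should be answered with an error and never reach the build step.
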
This commit unifies the `UPSTREAM_HOST` and `UPSTREAM_PORT` environment
variables to a new `UPSTREAM_ENDPOINT` variable, making additional
customizations (such as a `proxy_pass` to a sub-path) possible.

This commit extends our `coreos-home-server-update` script with support
for updating host directories with configuration collected across
multiple remote directories of the same name. This will, essentially,
allow for extending systemd services with custom configuration, as
sometimes required of base systemd service files.

This sets the stage for moving common authentication from IMAP/Dovecot
to LDAP, which allows for more control over user information, as well as
a basic form of RBAC.

No services are currently set up to support LDAP -- support will follow
soon after this commit.

This commit removes host configuration that is only useful for my own
personal use-cases, and leaves base and virtual hosts, which are more
commonly useful. It is intended that additional hosts are tracked as
either submodules or subtrees, as required by individual use-cases.

This commit adds a new service for Gitea, exposing HTTP and SSH ports by
default (SSH over 7920), and accepting authentication via the local SMTP
server. No users are otherwise created by default, and administration is
expected to happen either via CLI, or via a custom admin user.

Container volume backup logic has been moved to a (largely equivalent)
external script, allowing for future expansion of functionality. In
addition, a `rclone-pull@` service has been added and set up as a default
dependency for the `container-volume-restore@` service, allowing for
automatic setup of servers based on latest remote backups.

This commit adds two services, `grafana` and `prometheus`, and sets up
some existing services (`dovecot` and `prosody`) to expose metrics into
Grafana. In addition, systemd services have been added to facilitate
registering metrics for services into Prometheus, as well as
automatically provisioning Grafana dashboards based on static JSON
representations.

This work will continue to evolve as more services gain proper Grafana
dashboards, and Loki is also integrated for access to the systemd
journal.

By default, a `hugo-build-local@.service` systemd service is included,
for building Hugo-based sites as stored in a local Git repository (as
served by the `git` service), and into a volume (which is intended to be
served by the `nginx-serve-volume` service).

This brings a number of changes and improvements, and moves from MariaDB
to SQLite for storage, which requires manual migration for pre-existing
deployments using `prosody-migrator`.

Pointers to the latest backup are useful for restore operations, but
should be ignored in all other cases, and thus are more appropriately
handled as symbolic links.

This commit adds a new systemd service, `rclone-sync@.service`,
templated against the absolute path of a directory to keep in sync with
a (presumably) remote store.

Support for Backblaze B2 endpoints has been set up by default, but the
specific remote type can be configured via the `RCLONE_REMOTE_TYPE` host
variable. In addition, a default-passthrough remote that encrypts data
against a static password and salt has been defined under the `crypt`
name, and can also be used as the `RCLONE_DEST` of choice.

We no longer copy service directories into `/etc/coreos-home-server` if
these have not had their respective `spec.bu` files included; these
directories are not needed in these cases, and would be erroneously
considered as eligible in subsequent `coreos-home-server-update`
invocations.

Container volume backups will now be skipped if no changes have been
made in source files against the latest backup. In addition, the default
timer has been changed for performing backups once a day, at 02:00,
likely a time where there's less traffic on the server.

This commit contains a fairly large diff for a fairly small change:
moving the `config/common` directory to `host/base` to better reflect
its intended use, and promoting `config/service` to the root directory.

These changes unlock some improvements in `coreos-home-server-update`
processes, which will (assuming `/etc/coreos-home-server/base` exists)
keep host-wide systemd services in sync in addition to service-specific
ones.

Changes have been made to the `Makefile` and a few other places where
`config/common` was referenced, but most of this work is renames that
are not intended to break compatibility with new or running servers.

Most importantly, this helps make WebRTC calls in XMPP more reliable
when either (or both) endpoints are behind NAT (as is the case with most
mobile devices), and avoids depending on a third-party service.

Default configuration has been applied in the virtual environment file;
this allows for setting up most host-dependent configuration easily.

This service allows for easy serving of static content in a volume,
typically HTML files in directory structures mapping to the navigation
structure for the content served.

This commit integrates WriteFreely as a systemd service, set up as a
single-user instance by default (as is probably appropriate for a
home-server setup); a default administrator is set up, and whoever
is managing the home-server is expected to update the username and
password after first login.

Though WriteFreely expects to have a hostname set up for the instance,
we do not listen on any specific hostname by default. It is expected,
rather, that the `nginx-proxy-http` service is used with a drop-in for
using the correct `writefreely` upstream.

Configuration for this will continue to evolve as required.

Navidrome is a Subsonic/Airsonic-compatible music server with a built-in
web interface, and can be used as a quasi-self-hosted-Spotify-alternative.

By default, music files are read from an empty `navidrome-music` volume,
which is expected to be populated via whatever external means are
available to the server. The workflow here might be improved in the
future.

The `discord-ircd` service has been removed as of a few commits ago, but
references to this were not removed entirely. In addition, we now mask,
not disable, the `coreos-home-server-update` timer to ensure this cannot
be re-enabled spuriously.

This also updates the Ignition compilation dependency resolution to
ignore local file references that have been commented out, and masks the
timer for updating CoreOS configuration in virtual environments, to
avoid overriding any changes made locally.

This is a basic implementation on top of the venerable `rss2email`
script, and is intended to be driven by a timer and the
`rss2email-subscribe` service, which manages the subscribed feeds.

Previous experiments in using the RAID array as simple storage, with an
implied installation to a secondary medium (an SSD on port 5) failed,
and a simpler alternative has been reached.

System files are moved to `/etc/coreos-home-server` to be unambiguous
in relation to other, pre-installed system files. Long-running services
are also now defined as `Type=notify`, which helps improve ordering and
dependencies.

Naming for services has been consolidated to `nginx-proxy` and
`nginx-serve`, and issues with resolving underlying containers in the
case of restarts have been fixed by way of resolver configuration.

This commit represents a large amount of work toward moving services to
a more standard approach to storing data, and a simplification in how
networks are managed.