Given that this setup is for a *home* server, we're forced to allow
peers for typical home IP ranges (such as `192.168.0.0/24`); however, we
should still not allow access to ranges for other containers or anything
else running in `localhost`.
Services will now have an additional set of security-oriented response
headers attached, and cache times re-jigged.
In addition, the `nginx-serve-static@` service has been removed in
favour of `nginx-serve-volume@`, which is simpler to set up and use.
Dovecot will, by default, have login processes run under a limited
`chroot` environment. However, this broke recently with the update to
Podman 4.4.1 and the removal of implicit `CAP_CHROOT` capabilities.
This commit re-adds these in place.
This commit moves away from `virsh`, which requires setup and a
persistent daemon, and is rather complex and opaque, and will now have
virtual hosts use QEMU directly. Port mappings are now also made
automatically, albeit on higher ports -- port 8022 for SSH, port 8080
for HTTP, port 8443 for HTTPS. More port mappings will be added in the
future, with direct mappings made where possible.
Slidge replaces Spectrum with immense improvement to bridging
capabilities, albeit with only experimental MUC support. Nevertheless,
the current state is sufficiently stable for a complete replacement.
This option has Dovecot only return directories in LIST commands, which
is a necessary workaround because of how our home and maildir locations
are the same, which sometimes has extraneous files (such as Sieve
scripts) appear in IMAP directory listings.
We should eventually move away from this unified location, but doing so
requires careful planning and migration.
This commit moves the `nginx-proxy-http` service back to separate
`UPSTREAM_HOST`, `UPSTREAM_PORT`, and `UPSTREAM_PATH` variables, which
allows for more granular configuration, e.g. `proxy_redirect` patterns.
Gitea and Gitlab allow for filtering push events based on the branch
name, so we assume that webhook payloads don't need to be filtered based
on the branch in these cases. Github doesn't allow for this sort of
filtering, so we have to specify a default branch to filter on.
