Given that this setup is for a *home* server, we're forced to allow
peers for typical home IP ranges (such as `192.168.0.0/24`); however, we
should still not allow access to ranges for other containers or anything
else running in `localhost`.
Services will now have an additional set of security-oriented response
headers attached, and cache times re-jigged.
In addition, the `nginx-serve-static@` service has been removed in
favour of `nginx-serve-volume@`, which is simpler to set up and use.
Dovecot will, by default, have login processes run under a limited
`chroot` environment. However, this broke recently with the update to
Podman 4.4.1 and the removal of implicit `CAP_CHROOT` capabilities.
This commit re-adds these in place.
Slidge replaces Spectrum with immense improvement to bridging
capabilities, albeit with only experimental MUC support. Nevertheless,
the current state is sufficiently stable for a complete replacement.
This option has Dovecot only return directories in LIST commands, which
is a necessary workaround because of how our home and maildir locations
are the same, which sometimes has extraneous files (such as Sieve
scripts) appear in IMAP directory listings.
We should eventually move away from this unified location, but doing so
requires careful planning and migration.
This commit moves the `nginx-proxy-http` service back to separate
`UPSTREAM_HOST`, `UPSTREAM_PORT`, and `UPSTREAM_PATH` variables, which
allows for more granular configuration, e.g. `proxy_redirect` patterns.
Gitea and Gitlab allow for filtering push events based on the branch
name, so we assume that webhook payloads don't need to be filtered based
on the branch in these cases. Github doesn't allow for this sort of
filtering, so we have to specify a default branch to filter on.
This commit switches Hugo to a webhook-based building process, with
support for Github, Gitlab, and Gitea hooks (including local versions of
Gitea) initially. In addition, Hugo-based sites are now intended to be
served under a single volume, with ingress configuration pointing to
sub-paths into the volume.
Documentation for webhook setup and NGINX proxy configuration is still
underway, and will be filled in later.
This commit unifies the `UPSTREAM_HOST` and `UPSTREAM_PORT` environment
variables to a new `UPSTREAM_ENDPOINT` variable, making additional
customizations (such as a `proxy_pass` to a sub-path) possible.
Users in the `prosody_user` and `prosody_admin` groups will be granted
access to Prosody (as regular users and administrators, respectively),
making this a more flexible solution compared to IMAP.
New Gitea installations will now use LDAP authentication, typically
provided by the included `lldap` service, over SMTP authentication, as
this is is more flexible.
This sets the stage for moving common authentication from IMAP/Dovecot
to LDAP, which allows for more control over user information, as well as
a basic form of RBAC.
No services are currently set up to support LDAP -- support will follow
soon after this commit.
This commit adds a new service for Gitea, exposing HTTP and SSH ports by
default (SSH over 7920), and accepting authentication via the local SMTP
server. No users are otherwise created by default, and administration is
expected to happen either via CLI, or via a custom admin user.
Container volume backup logic has been moved to a (largely equivalent)
external script, allowing for future expansion of functionality. In
addition, a `rclone-pull@` service has been added and set up as a default
dependency for the `container-volume-restore@` service, allowing for
automatic set up of servers based on latest remote backups.
This commit updates Postfix to the latest version available for Debian
Bullseye, and switches the Docker entrypoint from an internal to a
publicly documented command, which is guaranteed to work in the future.
In addition to changes made when Git repositories update, Hugo is able
to watch for timed changes to content (say, for content that has a
publication date in the future) and build these automatically.
This commit switches from a plain `hugo build` to a `hugo watch` process
to facilitate these use-cases.
These were prepared as import-able dashboards, which prepares common
options as variables to be provided by the user, and thus is not
compatible with automated provisioning.
Users and groups used within Podman containers are usually assigned UID
and GID 10000. Files for these containers are sometimes served by Nginx,
and may be given permissions that restrict access to those outside the
group, but which are intended to be served nonetheless.
This commit adds the pre-defined `nginx` user to a `nginx-shared` group
with GID 10000, which will then allow access to these files as needed.
This enables the `web_directory` and `web_url` options for Spectrum,
which has media shared by legacy protocol buddies be re-hosted by
Spectrum, and shared by a dedicated volume.
This, in turn, is served by the `nginx-serve-volume@spectrum-media`
service, which is intended to be proxied under the same host used for
Prosody. Documentation for the integration will be added in future
commits.
This commit adds basic Grafana dashboards for Dovecot and Prosody, to be
automatically deployed alongside the relevant services (if Grafana
itself is enabled).
As the former does not do exactly what it says it does in documentation.
Also, we decrease the default scrape interval for Prometheus from 1m to
30s to improve granularity of data.
This adds basic metric definitions across a number of different events,
to be expanded upon as needed in the future. Several metrics are given
additional vectors with low cardinality.
This commit adds two services, `grafana` and `prometheus`, and sets up
some existing services (`dovecot` and `prosody`) to expose metrics into
Grafana. In addition, systemd services have been added to facilitate
registering metrics for services into Prometheus, as well as
automatically provisioning Grafana dashboards based on static JSON
representations.
This work will continue to evolve as more services gain proper Grafana
dashboards, and Loki is also integrated for access to the systemd
journal.
By default, a `hugo-build-local@.service` systemd service is included,
for building Hugo-based sites as stored in a local Git repository (as
served by the `git` service), and into a volume (which is intended to be
served by the `nginx-serve-volume` service).
Direct TLS connections for clients allow for faster connection
establishment, and disabling HTTPS in Prosody fixes use of components
which expect to be exposed via a reverse proxy (such as Nginx).
This extends SSL/TLS configuration for client connections to allow for a
set of additional ciphers over the current "intermediate" set of
defaults applied, in support of older clients.
This brings a number of changes and improvements, and moves from MariaDB
to SQLite for storage, which requires manual migration for pre-existing
deployments using `prosody-migrator`.
Symbolic links are now synchronized verbatim (i.e. the links themselves,
not their destinations) to allow for restoring our pattern of linking to
the latest backup file.
In addition, the destination remote and path can now be configured
individually in drop-in files, but still default to the encrypted
remote.
This commit adds a new systemd service, `rclone-sync@.service`,
templated against the absolute path of a directory to keep in sync with
a (presumably) remote store.
Support for Backblaze B2 endpoints has been set up by default, but the
specific remote type can be configured via the `RCLONE_REMOTE_TYPE` host
variable. In addition, a default-passthrough remote that encrypts data
against a static password and salt has been defined under the `crypt`
name, and can also be used as the `RCLONE_DEST` of choice.
We no longer copy service directories into `/etc/coreos-home-server` if
these have not had their respective `spec.bu` files included; these
directories are not needed in these cases, and would be erroneously
considered as eligible in subsequent `coreos-home-server-update`
invocations.
This commit contains a fairly large diff for a fairly small change:
moving the `config/common` directory to `host/base` to better reflect
its intended use, and promoting `config/service` to the root directory.
These changes unlock some improvements in `coreos-home-server-update`
processes, which will (assuming `/etc/coreos-home-server/base` exists)
keep host-wide systemd services in sync in addition to service-specific
ones.
Changes have been make to the `Makefile` and a few other places where
`config/common` was referenced, but most of this work is renames that
are not intended to break compatibility with new or running servers.
