This commit updates the default resolver configuration for Nginx servers
to not attempt to resolve IPv6 addresses, and only holds resolved IPs
for a maximum of 60 seconds, in order to avoid issues with stale cache.
Our previous setup did not ensure that the default server was actually
the default (though doing this for port 443 remains an open question).
In addition, we now have Nginx close the connection immediately rather
than respond with a 204.

This commit integrates WriteFreely as a systemd service, set up as a
single-user instance by default (as is probably appropriate for a
home-server setup); a default administrator is set up, and whoever
is managing the home-server is expected to update the username and
password after first login.
Though WriteFreely expects to have a hostname set up for the instance,
we do not listen on any specific hostname by default. It is expected,
rather, that the `nginx-proxy-http` service is used with a drop-in for
using the correct `writefreely` upstream.
Configuration for this will continue to evolve as required.

Navidrome is a Subsonic/Airsonic-compatible music server with a built-in
web interface, and can be used as a quasi-self-hosted-Spotify-alternative.
By default, music files are read from an empty `navidrome-music` volume,
which is expected to be populated via whatever external means are
available to the server. The workflow here might be improved in the
future.

This commit enables FTS via Xapian, and exposes the port required for
ManagedSieve integration with Dovecot; additionally, bugs in the
integration of LMTP with RSpamd have been fixed.
In support of these changes, configuration files that were previously
split into container-based and service-based are now consolidated, and
we now ensure that only our own container-based configuration is used
when running Dovecot.

The `discord-ircd` service has been removed as of a few commits ago, but
references to this were not removed entirely. In addition, we now mask,
not disable, the `coreos-home-server-update` timer to ensure this cannot
be re-enabled spuriously.

Components being registered typically require a full restart of the
service, as a simple configuration reload does not handle on-the-fly
activation of any new components or modules.
Fortunately, a separate method exists for doing so, and our
`prosody-component-register` will now use this method in registering
components without a full restart of the underlying service.
This also updates the Ignition compilation dependency resolution to
ignore local file references that have been commented out, and masks the
timer for updating CoreOS configuration in virtual environments, to
avoid overriding any changes made locally.

This allows for registering external components for Prosody as needed,
and enables us to create templated Spectrum services for each supported
protocol.
Configuration has been updated for Biboumi to allow for automated
registration against Prosody as well.

This is a basic implementation on top of the venerable `rss2email`
script, and is intended to be driven by a timer and the
`rss2email-subscribe` service, which manages the subscribed feeds.

Commands for updating timestamps of source files based on `git commit`
times need to run in the correct directory for the git repository in
question; this isn't always the same as the initially cloned repository.

Previous experiments in using the RAID array as simple storage, with an
implied installation to a secondary medium (an SSD on port 5) failed,
and a simpler alternative has been reached.

The SMTPS (465) and Submission (587) ports expect encryption, either
implicitly (i.e. via direct TLS connection) or explicitly (i.e. via
STARTTLS), but this was not enforced previously. Port 25 remains
configured for opportunistic encryption, but will still not allow for
authentication over unencrypted transports.

Partial updates require that source files have appropriate timestamps,
which Git does not set in any special way by default. Thus, before
attempting to update files in-place, we set source timestamps based on
last commit time, which is the effective update time in any case.
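
The timestamp step described in the two commit messages above (set source mtimes from the last commit time, and run git in the repository that actually owns the files), as an added example that is not taken from this repository. The function name `set_commit_mtimes` is hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the repository described above).
# Sets every tracked file's mtime to the committer date of the last commit
# that touched it, so timestamp-based partial updates only see real changes.
# Limitation: paths containing newlines, tabs or quotes are not handled,
# because `git ls-files` C-quotes them in its line-oriented output.
set_commit_mtimes() {
    # Resolve the repository that actually contains the given path; this may
    # differ from the directory that was cloned first.
    top=$(git -C "$1" rev-parse --show-toplevel 2>/dev/null) || return 1

    git -C "$top" -c core.quotePath=false ls-files |
    while IFS= read -r f; do
        # Committer date in the local zone, in the form `touch -t` expects.
        ts=$(git -C "$top" log -1 --date=format-local:%Y%m%d%H%M.%S \
            --format=%cd -- "$f")
        # Files that are staged but never committed have no date; skip them.
        if [ -n "$ts" ]; then
            touch -t "$ts" "$top/$f"
        fi
    done
}
```

Call it as `set_commit_mtimes /path/to/checkout` before the in-place update; any directory inside the work tree is accepted.
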
This partially reverts default network configuration, which will now
implicitly create the specified network without the ability to set
default plugins.
Templated services are also no longer enabled by default, but expect to
be enabled as part of concrete patterns.

Defaults for Podman that were previously applied as command-line arguments
to all `podman run` or `podman create` invocations are now specified in
a dedicated configuration file.
Services are also better identified against their name rather than the
generic `podman` ID derived from the `ExecStart` invocations.