variant: fcos version: 1.3.0 ignition: config: merge: - local: host/base/spec.ign - local: host/base/logging.ign - local: service/redis/spec.ign - local: service/mariadb/spec.ign - local: service/nginx/spec.ign - local: service/letsencrypt/spec.ign - local: service/dovecot/spec.ign - local: service/postfix/spec.ign - local: service/rspamd/spec.ign - local: service/prosody/spec.ign - local: service/biboumi/spec.ign - local: service/radicale/spec.ign - local: service/rss2email/spec.ign - local: service/navidrome/spec.ign - local: service/coturn/spec.ign - local: service/rclone/spec.ign - local: service/hugo/spec.ign - local: service/prometheus/spec.ign - local: service/grafana/spec.ign - local: service/gitea/spec.ign - local: service/slidge/spec.ign - local: service/lldap/spec.ign - local: service/gotosocial/spec.ign - local: service/shiori/spec.ign passwd: users: - name: core # Add SSH keys here if wanted. # ssh_authorized_keys: # - ecdsa-sha2-nistp521 AAAAE2VjZH... systemd: units: # Enable auto-login for 'core' user. - name: serial-getty@ttyS0.service dropins: - name: autologin-core.conf contents: | [Service] ExecStart= ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM TTYVTDisallocate=no # Don't auto-update our CoreOS configuration. - name: zincati.service mask: true - name: coreos-home-server-update.timer mask: true - name: podman-auto-update.timer mask: true # Enable default web services. - name: container-build@static.localhost.service enabled: true dropins: - name: wait-for-nginx.conf contents: | [Unit] After=container-build@nginx.service - name: nginx-proxy-http@.service dropins: - name: use-localhost-cert.conf contents: | [Unit] Wants=letsencrypt-dns-register@localhost.service After=letsencrypt-dns-register@localhost.service [Service] Environment=SSL_CERT_NAME=localhost - name: nginx-serve-volume@static.localhost.service enabled: true dropins: - name: populate-volume.conf contents: | [Service] ExecStartPre=/bin/podman volume create --ignore static.localhost ExecStartPre=/bin/sh -c "V=$(podman volume mount static.localhost) && echo 'Hello World!' > $V/index.html" ExecStartPost=/bin/podman volume unmount static.localhost - name: nginx-proxy-http@static.localhost.service enabled: true dropins: - name: volume-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=nginx-serve-volume-static.localhost UPSTREAM_PORT=8080 - name: nginx-serve-php@php.localhost.service enabled: true - name: nginx-proxy-http@php.localhost.service enabled: true - name: nginx-proxy-http@chat.localhost.service enabled: true dropins: - name: prosody-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=prosody UPSTREAM_PORT=5280 - name: nginx-proxy-http@dav.localhost.service enabled: true dropins: - name: radicale-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=radicale UPSTREAM_PORT=5232 - name: nginx-proxy-http@music.localhost.service enabled: true dropins: - name: navidrome-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=navidrome UPSTREAM_PORT=4533 - name: nginx-proxy-http@metrics.localhost.service enabled: true dropins: - name: grafana-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=grafana UPSTREAM_PORT=8080 - name: nginx-proxy-http@gitea.localhost.service enabled: true dropins: - name: gitea-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=gitea UPSTREAM_PORT=8080 - name: nginx-proxy-http@lldap.localhost.service enabled: true dropins: - name: lldap-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=lldap UPSTREAM_PORT=8080 - name: nginx-proxy-http@social.localhost.service enabled: true dropins: - name: gotosocial-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=gotosocial UPSTREAM_PORT=8080 - name: nginx-proxy-http@bookmarks.localhost.service enabled: true dropins: - name: shiori-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=shiori UPSTREAM_PORT=8080 - name: nginx-proxy-http@webdav.localhost.service enabled: true dropins: - name: rclone-upstream.conf contents: | [Service] Environment=UPSTREAM_HOST=rclone-webdav UPSTREAM_PORT=8080 - name: letsencrypt-dns-register@localhost.service enabled: true dropins: - name: use-local-files.conf contents: | [Service] ExecStartPre=/bin/podman volume create --ignore letsencrypt-certificates ExecStart= ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private/. $V && chown -R 10000:10000 $V" ExecStartPost=/bin/podman volume unmount letsencrypt-certificates storage: files: # Hostname for virtual host. - path: /etc/hostname mode: 0644 contents: inline: coreos-virtual # Load host-wide environment into default location. - path: /etc/coreos-home-server/host.env mode: 0600 contents: local: virtual.env # Tell systemd to not use a pager when printing information - path: /etc/profile.d/systemd-pager.sh mode: 0644 contents: inline: | export SYSTEMD_PAGER=cat # Example sites for Nginx-PHP setup. - path: /etc/coreos-home-server/php.localhost/Containerfile mode: 0644 contents: inline: | FROM docker.io/php:7.4-fpm RUN /bin/echo " /srv/index.php VOLUME /data /srv - path: /etc/coreos-home-server/php.localhost/php.localhost.env mode: 0644 contents: inline: | TEST_ENV=foobar # Feed configuration for RSS2Email. - path: /etc/coreos-home-server/rss2email/service/feeds/test@localhost/feeds.txt mode: 0644 contents: inline: | https://feeds.bbci.co.uk/news/world/rss.xml https://pluralistic.net/feed/ # Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in # generating certificates for the virtual host. - path: /etc/ssl/private/localhost/fullchain.pem mode: 0644 contents: inline: | -----BEGIN CERTIFICATE----- MIIDLDCCAhSgAwIBAgIUGK5JYBMiDt7vXwpH6kXHyZGAfoAwDQYJKoZIhvcNAQEL BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIxMDkyNjEzMDEwNloXDTMxMDky NDEzMDEwNlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAuluuMpM6uSnACG7M2eW3BLgsJvj/xxvIPovJJOqkUZw/ 4PTgmLCQD2/I79b7/IroJ2k0tr5t74IDYzrHDmSlQ5DrMdN9aseJRLwYl3xZJQIQ gf8kxtjRg/9Kkfsku4TNDRm0ncF1HG/X5w//Aro+KsPzOcTR+adWQMFuS1DRsLXy osdY/SZyzkOYye6+4ZKak8hUYr+wICgn+v6zVKr+Ly47XZ4m9MY6apCqo3COvOvV vQMLi6+mocdCOCDgDSDPCt39X7ulZqnt27+BgLLoAeJ3xXxDzhkV8g7jKzMI9yPi MhPQSRwfANpnJxUSJlHbQ+t5dgygD3ZEwP9nJBJpZQIDAQABo3YwdDAdBgNVHQ4E FgQUKK6wT0EmwhIC+jxDhapX4yeXClswHwYDVR0jBBgwFoAUKK6wT0EmwhIC+jxD hapX4yeXClswDwYDVR0TAQH/BAUwAwEB/zAhBgNVHREEGjAYgglsb2NhbGhvc3SC CyoubG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAp8H+pK93S1ZTKzEw3kHHG feoP2yjAkGaPM9R/pIDVmf5vz8Q6i6bVhkjZTygdn+8JfWOEtzDFzy/x/pfpmmwv kEGCXN9ng/xJeV/OvW1zc+I31uaFS3JyrmfOoOENhLFe9obf439PFgb7zk1AptCh R8290tSQ13f5/lbUT0h3jfzCv9hblIV0T/2uIicyOONsWBCOg0JV93YrwOdRjMAx D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4 eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp -----END CERTIFICATE----- - path: /etc/ssl/private/localhost/privkey.pem mode: 0644 contents: inline: | -----BEGIN PRIVATE KEY----- MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC6W64ykzq5KcAI bszZ5bcEuCwm+P/HG8g+i8kk6qRRnD/g9OCYsJAPb8jv1vv8iugnaTS2vm3vggNj OscOZKVDkOsx031qx4lEvBiXfFklAhCB/yTG2NGD/0qR+yS7hM0NGbSdwXUcb9fn D/8Cuj4qw/M5xNH5p1ZAwW5LUNGwtfKix1j9JnLOQ5jJ7r7hkpqTyFRiv7AgKCf6 /rNUqv4vLjtdnib0xjpqkKqjcI6869W9AwuLr6ahx0I4IOANIM8K3f1fu6Vmqe3b v4GAsugB4nfFfEPOGRXyDuMrMwj3I+IyE9BJHB8A2mcnFRImUdtD63l2DKAPdkTA /2ckEmllAgMBAAECggEBAKsd3eEgoY4+EM9tdfoqXRgfSKNsheg80WzlDAgy0DkD oQAdulFZ5p3WBgp8PBtTLQJrLvUR/H4swpGN+hN0RO+6lMvGp2Wx3JBZqrcGfhBm SeQj9JAFrLRoaP+MPNlWgrYhwWANsEwxQm0vmffWLZk1HhQQbsGvbpq9Qloz1qdL hx7ub5S69vzCxOaGjqJRlqdHvk90U34w6uM1qBOZ2phxOtsB14Gt3+YDs6khSqAv m2/0+Ac6nHKq9TxanrNRS8ZMBpEoiYMoc5F0uY+y876baNKCAeyfLuKd3tePJTvt lko0uGNbyWzqk/z/hjsqVeD50IONUMN/pkUEX0xQ10ECgYEA8vl2rDg1kcZJLSBy neIySYau7r/tq9VEMRKCDPYwrEWf5jdQxQvIuIwre1E79LjCqgzQe3yQCGduC4bS LVaFX2hv3oncLMYQ3BP1p+YNqojZOQUFJcfALslr8W+iMH8E8JGnOjwAJMYXtPIQ 830HwiQfidVVx8ExEZMVlJ0nMJECgYEAxFk5ie+WDPKUvo1hVw0H7/xMSm8xp181 7aAIYR+qg5c0ncQx8yF1McXO42YK6Y2uw6jyX1cP6crpANJHBgAsczSW9v2X2sM6 AhQw8KE7oCLbBbaFGC962UHTf7Hq4oV5rdI386DxgELRXEetPcBvBhB+8WVcjMqt Cz0mHVhzVZUCgYEAhnUsifN1GZ18Iz/gjaR+JZgluDN35+5WFT3jwB6BIuRIr1KP HOv/gLj42v5CSpPwDcCXoq502mG6USCjsLk/h2O4/JKXyCM3c0KMYAR8LZIbe2Ve yuB2Zq3KUUpwm5u+9Q31V9GaVr9UoSqP3N6k63eoCFOJa8hqSgp2F867wDECgYBP OR0RPb1SbhJ8LDlpUVWxjCAQLHthZ/YvcdHPtmIrhDfzrDTnP8m0knaepA6lG8i3 I5TfyRYfpAKNlUqY7jsBJOgAsmOyHfFq41C31qZjP40V6gYbsxSjUn8O1+/JBEgL TXXL9FVdBhjJXhZVgy6IyOEfb2F/YUue7EZTstueXQKBgQCfOaEUfal/OTQuXQJv EWNsF22liJb4eVRnWNpFeivJSB/FmIJT+iC+wtZlhcaImF3JlimaB1mpwfrTubVX /jRFWp956tGRs/ydXm91SGBclY2z4B4dd8PPxCT4iYsJizx9uFBShrXsc1+fgEZu r+W+05piqLykrqRCuB0X4Dlx+A== -----END PRIVATE KEY-----