284 lines
10 KiB
Plaintext
284 lines
10 KiB
Plaintext
variant: fcos
|
|
version: 1.3.0
|
|
ignition:
|
|
config:
|
|
merge:
|
|
- local: host/base/spec.ign
|
|
- local: host/base/logging.ign
|
|
- local: service/redis/spec.ign
|
|
- local: service/mariadb/spec.ign
|
|
- local: service/nginx/spec.ign
|
|
- local: service/letsencrypt/spec.ign
|
|
- local: service/dovecot/spec.ign
|
|
- local: service/postfix/spec.ign
|
|
- local: service/rspamd/spec.ign
|
|
- local: service/prosody/spec.ign
|
|
- local: service/biboumi/spec.ign
|
|
- local: service/radicale/spec.ign
|
|
- local: service/rss2email/spec.ign
|
|
- local: service/navidrome/spec.ign
|
|
- local: service/coturn/spec.ign
|
|
- local: service/rclone/spec.ign
|
|
- local: service/hugo/spec.ign
|
|
- local: service/prometheus/spec.ign
|
|
- local: service/grafana/spec.ign
|
|
- local: service/gitea/spec.ign
|
|
- local: service/slidge/spec.ign
|
|
- local: service/lldap/spec.ign
|
|
- local: service/gotosocial/spec.ign
|
|
- local: service/shiori/spec.ign
|
|
|
|
passwd:
|
|
users:
|
|
- name: core
|
|
# Add SSH keys here if wanted.
|
|
# ssh_authorized_keys:
|
|
# - ecdsa-sha2-nistp521 AAAAE2VjZH...
|
|
|
|
systemd:
|
|
units:
|
|
# Enable auto-login for 'core' user.
|
|
- name: [email protected]
|
|
dropins:
|
|
- name: autologin-core.conf
|
|
contents: |
|
|
[Service]
|
|
ExecStart=
|
|
ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
|
|
TTYVTDisallocate=no
|
|
|
|
# Don't auto-update our CoreOS configuration.
|
|
- name: zincati.service
|
|
mask: true
|
|
- name: coreos-home-server-update.timer
|
|
mask: true
|
|
- name: podman-auto-update.timer
|
|
mask: true
|
|
|
|
# Enable default web services.
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: wait-for-nginx.conf
|
|
contents: |
|
|
[Unit]
|
|
[email protected]
|
|
|
|
- name: [email protected]
|
|
dropins:
|
|
- name: use-localhost-cert.conf
|
|
contents: |
|
|
[Unit]
|
|
[email protected]
|
|
[email protected]
|
|
|
|
[Service]
|
|
Environment=SSL_CERT_NAME=localhost
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: populate-volume.conf
|
|
contents: |
|
|
[Service]
|
|
ExecStartPre=/bin/podman volume create --ignore static.localhost
|
|
ExecStartPre=/bin/sh -c "V=$(podman volume mount static.localhost) && echo 'Hello World!' > $V/index.html"
|
|
ExecStartPost=/bin/podman volume unmount static.localhost
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: volume-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=nginx-serve-volume-static.localhost UPSTREAM_PORT=8080
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
- name: [email protected]
|
|
enabled: true
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: prosody-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=prosody UPSTREAM_PORT=5280
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: radicale-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=radicale UPSTREAM_PORT=5232
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: navidrome-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=navidrome UPSTREAM_PORT=4533
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: grafana-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=grafana UPSTREAM_PORT=8080
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: gitea-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=gitea UPSTREAM_PORT=8080
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: lldap-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=lldap UPSTREAM_PORT=8080
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: gotosocial-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=gotosocial UPSTREAM_PORT=8080
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: shiori-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=shiori UPSTREAM_PORT=8080
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: rclone-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=rclone-webdav UPSTREAM_PORT=8080
|
|
|
|
- name: [email protected]
|
|
enabled: true
|
|
dropins:
|
|
- name: use-local-files.conf
|
|
contents: |
|
|
[Service]
|
|
ExecStartPre=/bin/podman volume create --ignore letsencrypt-certificates
|
|
ExecStart=
|
|
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt-certificates) && cp -Rv /etc/ssl/private/. $V && chown -R 10000:10000 $V"
|
|
ExecStartPost=/bin/podman volume unmount letsencrypt-certificates
|
|
|
|
storage:
|
|
files:
|
|
# Hostname for virtual host.
|
|
- path: /etc/hostname
|
|
mode: 0644
|
|
contents:
|
|
inline: coreos-virtual
|
|
|
|
# Load host-wide environment into default location.
|
|
- path: /etc/coreos-home-server/host.env
|
|
mode: 0600
|
|
contents:
|
|
local: virtual.env
|
|
|
|
# Tell systemd to not use a pager when printing information
|
|
- path: /etc/profile.d/systemd-pager.sh
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
export SYSTEMD_PAGER=cat
|
|
|
|
# Example sites for Nginx-PHP setup.
|
|
- path: /etc/coreos-home-server/php.localhost/Containerfile
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
FROM docker.io/php:7.4-fpm
|
|
RUN /bin/echo "<?php phpinfo();" > /srv/index.php
|
|
VOLUME /data /srv
|
|
|
|
- path: /etc/coreos-home-server/php.localhost/php.localhost.env
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
TEST_ENV=foobar
|
|
|
|
# Feed configuration for RSS2Email.
|
|
- path: /etc/coreos-home-server/rss2email/service/feeds/test@localhost/feeds.txt
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
https://feeds.bbci.co.uk/news/world/rss.xml
|
|
https://pluralistic.net/feed/
|
|
|
|
# Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
|
|
# generating certificates for the virtual host.
|
|
- path: /etc/ssl/private/localhost/fullchain.pem
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIDLDCCAhSgAwIBAgIUGK5JYBMiDt7vXwpH6kXHyZGAfoAwDQYJKoZIhvcNAQEL
|
|
BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIxMDkyNjEzMDEwNloXDTMxMDky
|
|
NDEzMDEwNlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
|
|
AAOCAQ8AMIIBCgKCAQEAuluuMpM6uSnACG7M2eW3BLgsJvj/xxvIPovJJOqkUZw/
|
|
4PTgmLCQD2/I79b7/IroJ2k0tr5t74IDYzrHDmSlQ5DrMdN9aseJRLwYl3xZJQIQ
|
|
gf8kxtjRg/9Kkfsku4TNDRm0ncF1HG/X5w//Aro+KsPzOcTR+adWQMFuS1DRsLXy
|
|
osdY/SZyzkOYye6+4ZKak8hUYr+wICgn+v6zVKr+Ly47XZ4m9MY6apCqo3COvOvV
|
|
vQMLi6+mocdCOCDgDSDPCt39X7ulZqnt27+BgLLoAeJ3xXxDzhkV8g7jKzMI9yPi
|
|
MhPQSRwfANpnJxUSJlHbQ+t5dgygD3ZEwP9nJBJpZQIDAQABo3YwdDAdBgNVHQ4E
|
|
FgQUKK6wT0EmwhIC+jxDhapX4yeXClswHwYDVR0jBBgwFoAUKK6wT0EmwhIC+jxD
|
|
hapX4yeXClswDwYDVR0TAQH/BAUwAwEB/zAhBgNVHREEGjAYgglsb2NhbGhvc3SC
|
|
CyoubG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAp8H+pK93S1ZTKzEw3kHHG
|
|
feoP2yjAkGaPM9R/pIDVmf5vz8Q6i6bVhkjZTygdn+8JfWOEtzDFzy/x/pfpmmwv
|
|
kEGCXN9ng/xJeV/OvW1zc+I31uaFS3JyrmfOoOENhLFe9obf439PFgb7zk1AptCh
|
|
R8290tSQ13f5/lbUT0h3jfzCv9hblIV0T/2uIicyOONsWBCOg0JV93YrwOdRjMAx
|
|
D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4
|
|
eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp
|
|
-----END CERTIFICATE-----
|
|
- path: /etc/ssl/private/localhost/privkey.pem
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
-----BEGIN PRIVATE KEY-----
|
|
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC6W64ykzq5KcAI
|
|
bszZ5bcEuCwm+P/HG8g+i8kk6qRRnD/g9OCYsJAPb8jv1vv8iugnaTS2vm3vggNj
|
|
OscOZKVDkOsx031qx4lEvBiXfFklAhCB/yTG2NGD/0qR+yS7hM0NGbSdwXUcb9fn
|
|
D/8Cuj4qw/M5xNH5p1ZAwW5LUNGwtfKix1j9JnLOQ5jJ7r7hkpqTyFRiv7AgKCf6
|
|
/rNUqv4vLjtdnib0xjpqkKqjcI6869W9AwuLr6ahx0I4IOANIM8K3f1fu6Vmqe3b
|
|
v4GAsugB4nfFfEPOGRXyDuMrMwj3I+IyE9BJHB8A2mcnFRImUdtD63l2DKAPdkTA
|
|
/2ckEmllAgMBAAECggEBAKsd3eEgoY4+EM9tdfoqXRgfSKNsheg80WzlDAgy0DkD
|
|
oQAdulFZ5p3WBgp8PBtTLQJrLvUR/H4swpGN+hN0RO+6lMvGp2Wx3JBZqrcGfhBm
|
|
SeQj9JAFrLRoaP+MPNlWgrYhwWANsEwxQm0vmffWLZk1HhQQbsGvbpq9Qloz1qdL
|
|
hx7ub5S69vzCxOaGjqJRlqdHvk90U34w6uM1qBOZ2phxOtsB14Gt3+YDs6khSqAv
|
|
m2/0+Ac6nHKq9TxanrNRS8ZMBpEoiYMoc5F0uY+y876baNKCAeyfLuKd3tePJTvt
|
|
lko0uGNbyWzqk/z/hjsqVeD50IONUMN/pkUEX0xQ10ECgYEA8vl2rDg1kcZJLSBy
|
|
neIySYau7r/tq9VEMRKCDPYwrEWf5jdQxQvIuIwre1E79LjCqgzQe3yQCGduC4bS
|
|
LVaFX2hv3oncLMYQ3BP1p+YNqojZOQUFJcfALslr8W+iMH8E8JGnOjwAJMYXtPIQ
|
|
830HwiQfidVVx8ExEZMVlJ0nMJECgYEAxFk5ie+WDPKUvo1hVw0H7/xMSm8xp181
|
|
7aAIYR+qg5c0ncQx8yF1McXO42YK6Y2uw6jyX1cP6crpANJHBgAsczSW9v2X2sM6
|
|
AhQw8KE7oCLbBbaFGC962UHTf7Hq4oV5rdI386DxgELRXEetPcBvBhB+8WVcjMqt
|
|
Cz0mHVhzVZUCgYEAhnUsifN1GZ18Iz/gjaR+JZgluDN35+5WFT3jwB6BIuRIr1KP
|
|
HOv/gLj42v5CSpPwDcCXoq502mG6USCjsLk/h2O4/JKXyCM3c0KMYAR8LZIbe2Ve
|
|
yuB2Zq3KUUpwm5u+9Q31V9GaVr9UoSqP3N6k63eoCFOJa8hqSgp2F867wDECgYBP
|
|
OR0RPb1SbhJ8LDlpUVWxjCAQLHthZ/YvcdHPtmIrhDfzrDTnP8m0knaepA6lG8i3
|
|
I5TfyRYfpAKNlUqY7jsBJOgAsmOyHfFq41C31qZjP40V6gYbsxSjUn8O1+/JBEgL
|
|
TXXL9FVdBhjJXhZVgy6IyOEfb2F/YUue7EZTstueXQKBgQCfOaEUfal/OTQuXQJv
|
|
EWNsF22liJb4eVRnWNpFeivJSB/FmIJT+iC+wtZlhcaImF3JlimaB1mpwfrTubVX
|
|
/jRFWp956tGRs/ydXm91SGBclY2z4B4dd8PPxCT4iYsJizx9uFBShrXsc1+fgEZu
|
|
r+W+05piqLykrqRCuB0X4Dlx+A==
|
|
-----END PRIVATE KEY-----
|