mirror of
https://github.com/deuill/coreos-home-server.git
synced 2024-09-21 13:40:45 +00:00
Alex Palaistras
f877a72e83
This commit contains a fairly large diff for a fairly small change: moving the `config/common` directory to `host/base` to better reflect its intended use, and promoting `config/service` to the root directory. These changes unlock some improvements in `coreos-home-server-update` processes, which will (assuming `/etc/coreos-home-server/base` exists) keep host-wide systemd services in sync in addition to service-specific ones. Changes have been make to the `Makefile` and a few other places where `config/common` was referenced, but most of this work is renames that are not intended to break compatibility with new or running servers.
224 lines
8.5 KiB
Plaintext
224 lines
8.5 KiB
Plaintext
variant: fcos
|
|
version: 1.3.0
|
|
ignition:
|
|
config:
|
|
merge:
|
|
- local: host/base/container.ign
|
|
- local: host/base/logging.ign
|
|
- local: service/redis/spec.ign
|
|
- local: service/mariadb/spec.ign
|
|
- local: service/nginx/spec.ign
|
|
- local: service/letsencrypt/spec.ign
|
|
- local: service/git/spec.ign
|
|
- local: service/dovecot/spec.ign
|
|
- local: service/postfix/spec.ign
|
|
- local: service/rspamd/spec.ign
|
|
- local: service/prosody/spec.ign
|
|
- local: service/biboumi/spec.ign
|
|
- local: service/radicale/spec.ign
|
|
- local: service/spectrum/spec.ign
|
|
- local: service/rss2email/spec.ign
|
|
- local: service/navidrome/spec.ign
|
|
- local: service/writefreely/spec.ign
|
|
- local: service/coturn/spec.ign
|
|
|
|
passwd:
|
|
users:
|
|
- name: core
|
|
# Add SSH keys here if wanted.
|
|
# ssh_authorized_keys:
|
|
# - ecdsa-sha2-nistp521 AAAAE2VjZH...
|
|
|
|
systemd:
|
|
units:
|
|
# Enable auto-login for 'core' user.
|
|
- name: serial-getty@ttyS0.service
|
|
dropins:
|
|
- name: autologin-core.conf
|
|
contents: |
|
|
[Service]
|
|
ExecStart=
|
|
ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
|
|
TTYVTDisallocate=no
|
|
|
|
# Don't auto-update our CoreOS configuration.
|
|
- name: zincati.service
|
|
mask: true
|
|
- name: coreos-home-server-update.timer
|
|
mask: true
|
|
|
|
# Enable default web services.
|
|
- name: container-build@static.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: wait-for-nginx.conf
|
|
contents: |
|
|
[Unit]
|
|
After=container-build@nginx.service
|
|
|
|
- name: nginx-proxy-http@.service
|
|
dropins:
|
|
- name: use-localhost-cert.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=SSL_CERT_NAME=localhost
|
|
|
|
- name: nginx-serve-static@static.localhost.service
|
|
enabled: true
|
|
- name: nginx-proxy-http@static.localhost.service
|
|
enabled: true
|
|
|
|
- name: nginx-serve-php@php.localhost.service
|
|
enabled: true
|
|
- name: nginx-proxy-http@php.localhost.service
|
|
enabled: true
|
|
|
|
- name: nginx-serve-volume@git-serve.service
|
|
enabled: true
|
|
- name: nginx-proxy-http@git.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: git-volume-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=nginx-serve-volume-git-serve UPSTREAM_PORT=8080
|
|
|
|
- name: nginx-proxy-http@dav.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: radicale-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=radicale UPSTREAM_PORT=5232
|
|
|
|
- name: nginx-proxy-http@music.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: navidrome-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=navidrome UPSTREAM_PORT=4533
|
|
|
|
- name: nginx-proxy-http@writefreely.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: writefreely-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=writefreely UPSTREAM_PORT=8080
|
|
|
|
- name: letsencrypt-dns-register@localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: use-local-files.conf
|
|
contents: |
|
|
[Service]
|
|
ExecStart=
|
|
ExecStart=/bin/podman create --replace --pull never --name letsencrypt-register-%i \
|
|
--volume letsencrypt:/var/lib/letsencrypt:z \
|
|
--entrypoint true localhost/letsencrypt:latest
|
|
ExecStartPost=/bin/podman init letsencrypt-register-%i
|
|
ExecStartPost=/bin/podman cp /etc/ssl/private/certificates/ letsencrypt-register-%i:/var/lib/letsencrypt
|
|
ExecStartPost=/bin/podman rm letsencrypt-register-%i
|
|
|
|
storage:
|
|
files:
|
|
# Hostname for virtual host.
|
|
- path: /etc/hostname
|
|
mode: 0644
|
|
contents:
|
|
inline: coreos-virtual
|
|
|
|
# Load host-wide environment into default location.
|
|
- path: /etc/coreos-home-server/host.env
|
|
mode: 0600
|
|
contents:
|
|
local: virtual.env
|
|
|
|
# Tell systemd to not use a pager when printing information
|
|
- path: /etc/profile.d/systemd-pager.sh
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
export SYSTEMD_PAGER=cat
|
|
|
|
# Example sites for static and PHP setups.
|
|
- path: /etc/coreos-home-server/static.localhost/Containerfile
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
FROM localhost/nginx:latest
|
|
RUN /bin/echo "Hello Static World!" > /srv/index.html
|
|
|
|
- path: /etc/coreos-home-server/php.localhost/Containerfile
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
FROM docker.io/php:7.4-fpm
|
|
RUN /bin/echo "<?php phpinfo();" > /srv/index.php
|
|
VOLUME /data /srv
|
|
|
|
- path: /etc/coreos-home-server/php.localhost/php.localhost.env
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
TEST_ENV=foobar
|
|
|
|
# Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
|
|
# generating certificates for the virtual host.
|
|
- path: /etc/ssl/private/certificates/localhost.crt
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIDLDCCAhSgAwIBAgIUGK5JYBMiDt7vXwpH6kXHyZGAfoAwDQYJKoZIhvcNAQEL
|
|
BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIxMDkyNjEzMDEwNloXDTMxMDky
|
|
NDEzMDEwNlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
|
|
AAOCAQ8AMIIBCgKCAQEAuluuMpM6uSnACG7M2eW3BLgsJvj/xxvIPovJJOqkUZw/
|
|
4PTgmLCQD2/I79b7/IroJ2k0tr5t74IDYzrHDmSlQ5DrMdN9aseJRLwYl3xZJQIQ
|
|
gf8kxtjRg/9Kkfsku4TNDRm0ncF1HG/X5w//Aro+KsPzOcTR+adWQMFuS1DRsLXy
|
|
osdY/SZyzkOYye6+4ZKak8hUYr+wICgn+v6zVKr+Ly47XZ4m9MY6apCqo3COvOvV
|
|
vQMLi6+mocdCOCDgDSDPCt39X7ulZqnt27+BgLLoAeJ3xXxDzhkV8g7jKzMI9yPi
|
|
MhPQSRwfANpnJxUSJlHbQ+t5dgygD3ZEwP9nJBJpZQIDAQABo3YwdDAdBgNVHQ4E
|
|
FgQUKK6wT0EmwhIC+jxDhapX4yeXClswHwYDVR0jBBgwFoAUKK6wT0EmwhIC+jxD
|
|
hapX4yeXClswDwYDVR0TAQH/BAUwAwEB/zAhBgNVHREEGjAYgglsb2NhbGhvc3SC
|
|
CyoubG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAp8H+pK93S1ZTKzEw3kHHG
|
|
feoP2yjAkGaPM9R/pIDVmf5vz8Q6i6bVhkjZTygdn+8JfWOEtzDFzy/x/pfpmmwv
|
|
kEGCXN9ng/xJeV/OvW1zc+I31uaFS3JyrmfOoOENhLFe9obf439PFgb7zk1AptCh
|
|
R8290tSQ13f5/lbUT0h3jfzCv9hblIV0T/2uIicyOONsWBCOg0JV93YrwOdRjMAx
|
|
D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4
|
|
eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp
|
|
-----END CERTIFICATE-----
|
|
- path: /etc/ssl/private/certificates/localhost.key
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
-----BEGIN PRIVATE KEY-----
|
|
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC6W64ykzq5KcAI
|
|
bszZ5bcEuCwm+P/HG8g+i8kk6qRRnD/g9OCYsJAPb8jv1vv8iugnaTS2vm3vggNj
|
|
OscOZKVDkOsx031qx4lEvBiXfFklAhCB/yTG2NGD/0qR+yS7hM0NGbSdwXUcb9fn
|
|
D/8Cuj4qw/M5xNH5p1ZAwW5LUNGwtfKix1j9JnLOQ5jJ7r7hkpqTyFRiv7AgKCf6
|
|
/rNUqv4vLjtdnib0xjpqkKqjcI6869W9AwuLr6ahx0I4IOANIM8K3f1fu6Vmqe3b
|
|
v4GAsugB4nfFfEPOGRXyDuMrMwj3I+IyE9BJHB8A2mcnFRImUdtD63l2DKAPdkTA
|
|
/2ckEmllAgMBAAECggEBAKsd3eEgoY4+EM9tdfoqXRgfSKNsheg80WzlDAgy0DkD
|
|
oQAdulFZ5p3WBgp8PBtTLQJrLvUR/H4swpGN+hN0RO+6lMvGp2Wx3JBZqrcGfhBm
|
|
SeQj9JAFrLRoaP+MPNlWgrYhwWANsEwxQm0vmffWLZk1HhQQbsGvbpq9Qloz1qdL
|
|
hx7ub5S69vzCxOaGjqJRlqdHvk90U34w6uM1qBOZ2phxOtsB14Gt3+YDs6khSqAv
|
|
m2/0+Ac6nHKq9TxanrNRS8ZMBpEoiYMoc5F0uY+y876baNKCAeyfLuKd3tePJTvt
|
|
lko0uGNbyWzqk/z/hjsqVeD50IONUMN/pkUEX0xQ10ECgYEA8vl2rDg1kcZJLSBy
|
|
neIySYau7r/tq9VEMRKCDPYwrEWf5jdQxQvIuIwre1E79LjCqgzQe3yQCGduC4bS
|
|
LVaFX2hv3oncLMYQ3BP1p+YNqojZOQUFJcfALslr8W+iMH8E8JGnOjwAJMYXtPIQ
|
|
830HwiQfidVVx8ExEZMVlJ0nMJECgYEAxFk5ie+WDPKUvo1hVw0H7/xMSm8xp181
|
|
7aAIYR+qg5c0ncQx8yF1McXO42YK6Y2uw6jyX1cP6crpANJHBgAsczSW9v2X2sM6
|
|
AhQw8KE7oCLbBbaFGC962UHTf7Hq4oV5rdI386DxgELRXEetPcBvBhB+8WVcjMqt
|
|
Cz0mHVhzVZUCgYEAhnUsifN1GZ18Iz/gjaR+JZgluDN35+5WFT3jwB6BIuRIr1KP
|
|
HOv/gLj42v5CSpPwDcCXoq502mG6USCjsLk/h2O4/JKXyCM3c0KMYAR8LZIbe2Ve
|
|
yuB2Zq3KUUpwm5u+9Q31V9GaVr9UoSqP3N6k63eoCFOJa8hqSgp2F867wDECgYBP
|
|
OR0RPb1SbhJ8LDlpUVWxjCAQLHthZ/YvcdHPtmIrhDfzrDTnP8m0knaepA6lG8i3
|
|
I5TfyRYfpAKNlUqY7jsBJOgAsmOyHfFq41C31qZjP40V6gYbsxSjUn8O1+/JBEgL
|
|
TXXL9FVdBhjJXhZVgy6IyOEfb2F/YUue7EZTstueXQKBgQCfOaEUfal/OTQuXQJv
|
|
EWNsF22liJb4eVRnWNpFeivJSB/FmIJT+iC+wtZlhcaImF3JlimaB1mpwfrTubVX
|
|
/jRFWp956tGRs/ydXm91SGBclY2z4B4dd8PPxCT4iYsJizx9uFBShrXsc1+fgEZu
|
|
r+W+05piqLykrqRCuB0X4Dlx+A==
|
|
-----END PRIVATE KEY-----
|