mirror of
https://github.com/deuill/coreos-home-server.git
synced 2024-09-21 13:40:45 +00:00
Alex Palaistras
e467b89e7f
This commit adds a new service for Gitea, exposing HTTP and SSH ports by default (SSH over 7920), and accepting authentication via the local SMTP server. No users are otherwise created by default, and administration is expected to happen either via CLI, or via a custom admin user.
250 lines
9.2 KiB
Plaintext
250 lines
9.2 KiB
Plaintext
variant: fcos
|
|
version: 1.3.0
|
|
ignition:
|
|
config:
|
|
merge:
|
|
- local: host/base/container.ign
|
|
- local: host/base/logging.ign
|
|
- local: service/redis/spec.ign
|
|
- local: service/mariadb/spec.ign
|
|
- local: service/nginx/spec.ign
|
|
- local: service/letsencrypt/spec.ign
|
|
- local: service/git/spec.ign
|
|
- local: service/dovecot/spec.ign
|
|
- local: service/postfix/spec.ign
|
|
- local: service/rspamd/spec.ign
|
|
- local: service/prosody/spec.ign
|
|
- local: service/biboumi/spec.ign
|
|
- local: service/radicale/spec.ign
|
|
- local: service/spectrum/spec.ign
|
|
- local: service/rss2email/spec.ign
|
|
- local: service/navidrome/spec.ign
|
|
- local: service/writefreely/spec.ign
|
|
- local: service/coturn/spec.ign
|
|
- local: service/rclone/spec.ign
|
|
- local: service/hugo/spec.ign
|
|
- local: service/prometheus/spec.ign
|
|
- local: service/grafana/spec.ign
|
|
- local: service/gitea/spec.ign
|
|
|
|
passwd:
|
|
users:
|
|
- name: core
|
|
# Add SSH keys here if wanted.
|
|
# ssh_authorized_keys:
|
|
# - ecdsa-sha2-nistp521 AAAAE2VjZH...
|
|
|
|
systemd:
|
|
units:
|
|
# Enable auto-login for 'core' user.
|
|
- name: serial-getty@ttyS0.service
|
|
dropins:
|
|
- name: autologin-core.conf
|
|
contents: |
|
|
[Service]
|
|
ExecStart=
|
|
ExecStart=-/usr/sbin/agetty --autologin core --noclear %I $TERM
|
|
TTYVTDisallocate=no
|
|
|
|
# Don't auto-update our CoreOS configuration.
|
|
- name: zincati.service
|
|
mask: true
|
|
- name: coreos-home-server-update.timer
|
|
mask: true
|
|
|
|
# Enable default web services.
|
|
- name: container-build@static.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: wait-for-nginx.conf
|
|
contents: |
|
|
[Unit]
|
|
After=container-build@nginx.service
|
|
|
|
- name: nginx-proxy-http@.service
|
|
dropins:
|
|
- name: use-localhost-cert.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=SSL_CERT_NAME=localhost
|
|
|
|
- name: nginx-serve-static@static.localhost.service
|
|
enabled: true
|
|
- name: nginx-proxy-http@static.localhost.service
|
|
enabled: true
|
|
|
|
- name: nginx-serve-php@php.localhost.service
|
|
enabled: true
|
|
- name: nginx-proxy-http@php.localhost.service
|
|
enabled: true
|
|
|
|
- name: nginx-serve-volume@git-serve.service
|
|
enabled: true
|
|
- name: nginx-proxy-http@git.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: git-volume-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=nginx-serve-volume-git-serve UPSTREAM_PORT=8080
|
|
|
|
- name: nginx-proxy-http@chat.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: prosody-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=prosody UPSTREAM_PORT=5280
|
|
|
|
- name: nginx-proxy-http@dav.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: radicale-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=radicale UPSTREAM_PORT=5232
|
|
|
|
- name: nginx-proxy-http@music.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: navidrome-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=navidrome UPSTREAM_PORT=4533
|
|
|
|
- name: nginx-proxy-http@writefreely.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: writefreely-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=writefreely UPSTREAM_PORT=8080
|
|
|
|
- name: nginx-proxy-http@metrics.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: grafana-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=grafana UPSTREAM_PORT=8080
|
|
|
|
- name: nginx-proxy-http@gitea.localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: gitea-upstream.conf
|
|
contents: |
|
|
[Service]
|
|
Environment=UPSTREAM_HOST=gitea UPSTREAM_PORT=8080
|
|
|
|
- name: letsencrypt-dns-register@localhost.service
|
|
enabled: true
|
|
dropins:
|
|
- name: use-local-files.conf
|
|
contents: |
|
|
[Service]
|
|
ExecStartPre=/bin/podman volume create letsencrypt
|
|
ExecStart=
|
|
ExecStart=/bin/sh -c "V=$(podman volume mount letsencrypt) && cp -Rv /etc/ssl/private/certificates $V"
|
|
ExecStartPost=/bin/podman volume unmount letsencrypt
|
|
|
|
storage:
|
|
files:
|
|
# Hostname for virtual host.
|
|
- path: /etc/hostname
|
|
mode: 0644
|
|
contents:
|
|
inline: coreos-virtual
|
|
|
|
# Load host-wide environment into default location.
|
|
- path: /etc/coreos-home-server/host.env
|
|
mode: 0600
|
|
contents:
|
|
local: virtual.env
|
|
|
|
# Tell systemd to not use a pager when printing information
|
|
- path: /etc/profile.d/systemd-pager.sh
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
export SYSTEMD_PAGER=cat
|
|
|
|
# Example sites for static and PHP setups.
|
|
- path: /etc/coreos-home-server/static.localhost/Containerfile
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
FROM localhost/nginx:latest
|
|
RUN /bin/echo "Hello Static World!" > /srv/index.html
|
|
|
|
- path: /etc/coreos-home-server/php.localhost/Containerfile
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
FROM docker.io/php:7.4-fpm
|
|
RUN /bin/echo "<?php phpinfo();" > /srv/index.php
|
|
VOLUME /data /srv
|
|
|
|
- path: /etc/coreos-home-server/php.localhost/php.localhost.env
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
TEST_ENV=foobar
|
|
|
|
# Include pre-generated certificates for localhost domain, as we're not using Let's Encrypt in
|
|
# generating certificates for the virtual host.
|
|
- path: /etc/ssl/private/certificates/localhost.crt
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
-----BEGIN CERTIFICATE-----
|
|
MIIDLDCCAhSgAwIBAgIUGK5JYBMiDt7vXwpH6kXHyZGAfoAwDQYJKoZIhvcNAQEL
|
|
BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIxMDkyNjEzMDEwNloXDTMxMDky
|
|
NDEzMDEwNlowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
|
|
AAOCAQ8AMIIBCgKCAQEAuluuMpM6uSnACG7M2eW3BLgsJvj/xxvIPovJJOqkUZw/
|
|
4PTgmLCQD2/I79b7/IroJ2k0tr5t74IDYzrHDmSlQ5DrMdN9aseJRLwYl3xZJQIQ
|
|
gf8kxtjRg/9Kkfsku4TNDRm0ncF1HG/X5w//Aro+KsPzOcTR+adWQMFuS1DRsLXy
|
|
osdY/SZyzkOYye6+4ZKak8hUYr+wICgn+v6zVKr+Ly47XZ4m9MY6apCqo3COvOvV
|
|
vQMLi6+mocdCOCDgDSDPCt39X7ulZqnt27+BgLLoAeJ3xXxDzhkV8g7jKzMI9yPi
|
|
MhPQSRwfANpnJxUSJlHbQ+t5dgygD3ZEwP9nJBJpZQIDAQABo3YwdDAdBgNVHQ4E
|
|
FgQUKK6wT0EmwhIC+jxDhapX4yeXClswHwYDVR0jBBgwFoAUKK6wT0EmwhIC+jxD
|
|
hapX4yeXClswDwYDVR0TAQH/BAUwAwEB/zAhBgNVHREEGjAYgglsb2NhbGhvc3SC
|
|
CyoubG9jYWxob3N0MA0GCSqGSIb3DQEBCwUAA4IBAQAp8H+pK93S1ZTKzEw3kHHG
|
|
feoP2yjAkGaPM9R/pIDVmf5vz8Q6i6bVhkjZTygdn+8JfWOEtzDFzy/x/pfpmmwv
|
|
kEGCXN9ng/xJeV/OvW1zc+I31uaFS3JyrmfOoOENhLFe9obf439PFgb7zk1AptCh
|
|
R8290tSQ13f5/lbUT0h3jfzCv9hblIV0T/2uIicyOONsWBCOg0JV93YrwOdRjMAx
|
|
D2VKHadJ4I7seMAgANBFG4NQEUIUlUxGwUc6tZ3pr93dFWkfE+IxE6YBg5Xkuux4
|
|
eAu/TcqROsjnQwQ9Qw4d2FA1C27JIvS6ysOJxJQmVtpZUdfK2hVoeKJvMPnkENOp
|
|
-----END CERTIFICATE-----
|
|
- path: /etc/ssl/private/certificates/localhost.key
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
-----BEGIN PRIVATE KEY-----
|
|
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC6W64ykzq5KcAI
|
|
bszZ5bcEuCwm+P/HG8g+i8kk6qRRnD/g9OCYsJAPb8jv1vv8iugnaTS2vm3vggNj
|
|
OscOZKVDkOsx031qx4lEvBiXfFklAhCB/yTG2NGD/0qR+yS7hM0NGbSdwXUcb9fn
|
|
D/8Cuj4qw/M5xNH5p1ZAwW5LUNGwtfKix1j9JnLOQ5jJ7r7hkpqTyFRiv7AgKCf6
|
|
/rNUqv4vLjtdnib0xjpqkKqjcI6869W9AwuLr6ahx0I4IOANIM8K3f1fu6Vmqe3b
|
|
v4GAsugB4nfFfEPOGRXyDuMrMwj3I+IyE9BJHB8A2mcnFRImUdtD63l2DKAPdkTA
|
|
/2ckEmllAgMBAAECggEBAKsd3eEgoY4+EM9tdfoqXRgfSKNsheg80WzlDAgy0DkD
|
|
oQAdulFZ5p3WBgp8PBtTLQJrLvUR/H4swpGN+hN0RO+6lMvGp2Wx3JBZqrcGfhBm
|
|
SeQj9JAFrLRoaP+MPNlWgrYhwWANsEwxQm0vmffWLZk1HhQQbsGvbpq9Qloz1qdL
|
|
hx7ub5S69vzCxOaGjqJRlqdHvk90U34w6uM1qBOZ2phxOtsB14Gt3+YDs6khSqAv
|
|
m2/0+Ac6nHKq9TxanrNRS8ZMBpEoiYMoc5F0uY+y876baNKCAeyfLuKd3tePJTvt
|
|
lko0uGNbyWzqk/z/hjsqVeD50IONUMN/pkUEX0xQ10ECgYEA8vl2rDg1kcZJLSBy
|
|
neIySYau7r/tq9VEMRKCDPYwrEWf5jdQxQvIuIwre1E79LjCqgzQe3yQCGduC4bS
|
|
LVaFX2hv3oncLMYQ3BP1p+YNqojZOQUFJcfALslr8W+iMH8E8JGnOjwAJMYXtPIQ
|
|
830HwiQfidVVx8ExEZMVlJ0nMJECgYEAxFk5ie+WDPKUvo1hVw0H7/xMSm8xp181
|
|
7aAIYR+qg5c0ncQx8yF1McXO42YK6Y2uw6jyX1cP6crpANJHBgAsczSW9v2X2sM6
|
|
AhQw8KE7oCLbBbaFGC962UHTf7Hq4oV5rdI386DxgELRXEetPcBvBhB+8WVcjMqt
|
|
Cz0mHVhzVZUCgYEAhnUsifN1GZ18Iz/gjaR+JZgluDN35+5WFT3jwB6BIuRIr1KP
|
|
HOv/gLj42v5CSpPwDcCXoq502mG6USCjsLk/h2O4/JKXyCM3c0KMYAR8LZIbe2Ve
|
|
yuB2Zq3KUUpwm5u+9Q31V9GaVr9UoSqP3N6k63eoCFOJa8hqSgp2F867wDECgYBP
|
|
OR0RPb1SbhJ8LDlpUVWxjCAQLHthZ/YvcdHPtmIrhDfzrDTnP8m0knaepA6lG8i3
|
|
I5TfyRYfpAKNlUqY7jsBJOgAsmOyHfFq41C31qZjP40V6gYbsxSjUn8O1+/JBEgL
|
|
TXXL9FVdBhjJXhZVgy6IyOEfb2F/YUue7EZTstueXQKBgQCfOaEUfal/OTQuXQJv
|
|
EWNsF22liJb4eVRnWNpFeivJSB/FmIJT+iC+wtZlhcaImF3JlimaB1mpwfrTubVX
|
|
/jRFWp956tGRs/ydXm91SGBclY2z4B4dd8PPxCT4iYsJizx9uFBShrXsc1+fgEZu
|
|
r+W+05piqLykrqRCuB0X4Dlx+A==
|
|
-----END PRIVATE KEY-----
|