From 3e29146b01f5067b49933bc9514f415edd3f877b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Allen-Kristjan=20P=C3=A4ll?=
Date: Fri, 13 Feb 2026 01:29:24 +0200
Subject: [PATCH] config.yaml: replace docker with podman
---
 Makefile | 5 +-
 config.yaml | 71 +++++++------------
 files/caddy/Caddyfile | 18 +++++
 files/caddy/etc/caddy/Caddyfile | 18 -----
 files/etc/containers/policy.json | 8 +++
 files/etc/containers/systemd/caddy.container | 13 ++++
 files/etc/hosts | 39 ++++++++++-
 7 files changed, 103 insertions(+), 69 deletions(-)
 create mode 100644 files/caddy/Caddyfile
 delete mode 100644 files/caddy/etc/caddy/Caddyfile
 create mode 100644 files/etc/containers/policy.json
 create mode 100644 files/etc/containers/systemd/caddy.container
diff --git a/Makefile b/Makefile
index e00f39c..d84cffa 100644
--- a/Makefile
+++ b/Makefile
@@ -36,10 +36,7 @@ config.json: config.yaml .files-list $(FILES)
 --ignition-file $${TEMPDIR}/config.json \
 --keep-machine-id \
 --keep-paths '/etc/ssh/ssh_host_.*' \
- --keep-paths '/home/core/caddy/' \
- --keep-paths '/home/core/matrixdotorg-synapse/' \
- --keep-paths '/home/core/matrixdotorg-matrix-appservice-irc' \
- --keep-paths '/home/core/postgresql/secret' \
+ --keep-paths '/opt/caddy/data' \
 --keep-paths '/var/log' && \
 ssh -o ControlPath=/tmp/ssh_mux_%h_%p_%r akpella \
 sudo systemctl reboot && \
diff --git a/config.yaml b/config.yaml
index 6cd4f1f..8332b93 100644
--- a/config.yaml
+++ b/config.yaml
@@ -10,66 +10,47 @@ passwd: storage: directories: - - path: /home/core/caddy/data - - path: /home/core/caddy/etc/caddy - - path: /home/core/caddy/var/www/html - - path: /home/core/matrixdotorg-synapse/data - - path: /home/core/matrixdotorg-matrix-appservice-irc/data - - path: /home/core/postgresql + - path: /opt/caddy/etc/caddy + - path: /opt/caddy/data files: # /etc/hostname - path: /etc/hostname contents: inline: "akpella.fst.ee" - # /etc/systemd/network/00-eth0.network - - path: /etc/systemd/network/00-eth0.network - contents: - local: etc/systemd/network/00-eth0.network # /etc/hosts - path: /etc/hosts overwrite: true contents: local: etc/hosts - # /home/core/caddy/etc/caddy/Caddyfile - - path: /home/core/caddy/etc/caddy/Caddyfile - overwrite: true + # /etc/systemd/network/00-eth0.network + - path: /etc/systemd/network/00-eth0.network contents: - local: caddy/etc/caddy/Caddyfile - # /home/core/caddy/var/www/html/index.html - - path: /home/core/caddy/var/www/html/index.html - overwrite: true + local: etc/systemd/network/00-eth0.network + # /etc/flatcar/enabled-sysext.conf + - path: /etc/flatcar/enabled-sysext.conf + contents: + inline: | + podman + python + # /etc/containers/policy.json + - path: /etc/containers/policy.json + contents: + local: etc/containers/policy.json + # /etc/containers/systemd/caddy.container + - path: /etc/containers/systemd/caddy.container + contents: + local: etc/containers/systemd/caddy.container + # /opt/caddy/etc/caddy/Caddyfile + - path: /opt/caddy/etc/caddy/Caddyfile + contents: + local: caddy/Caddyfile + # /opt/caddy/var/www/html/index.html + - path: /opt/caddy/var/www/html/index.html contents: inline: |

no

 systemd:
 units:
- # docker-network-setup.service
- - name: docker-network-setup.service
+ - name: caddy.service
 enabled: true
- contents_local: docker-network-setup.service
- # docker-matrixdotorg-synapse.service
- - name: docker-matrixdotorg-synapse.service
- enabled: true
- contents_local: docker-matrixdotorg-synapse.service
- # docker-caddy.service
- - name: docker-caddy.service
- enabled: true
- contents_local: docker-caddy.service
- # docker-matrixdotorg-matrix-appservice-irc.service
- - name: docker-matrixdotorg-matrix-appservice-irc.service
- enabled: false
- contents_local: docker-matrixdotorg-matrix-appservice-irc.service
- # generate-secrets.service
- - name: generate-secrets.service
- enabled: true
- contents_local: generate-secrets.service
- # docker-postgresql.service
- - name: docker-postgresql.service
- enabled: true
- contents_local: docker-postgresql.service
- # docker.service
- - name: docker.service
- dropins:
- - name: docker.conf
- contents_local: docker.conf
diff --git a/files/caddy/Caddyfile b/files/caddy/Caddyfile
new file mode 100644
index 0000000..6f67588
--- /dev/null
+++ b/files/caddy/Caddyfile
@@ -0,0 +1,18 @@
+{
+ #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+ email akpall+akpella@fst.ee
+}
+
+fst.ee {
+ root * /var/www/html
+ file_server
+}
+
+#fst.ee:8448 {
+# reverse_proxy /_matrix/* matrixdotorg-synapse:8008
+#}
+
+#matrix.fst.ee {
+# reverse_proxy /_matrix/* matrixdotorg-synapse:8008
+# reverse_proxy /_synapse/client/* matrixdotorg-synapse:8008
+#}
diff --git a/files/caddy/etc/caddy/Caddyfile b/files/caddy/etc/caddy/Caddyfile
deleted file mode 100644
index 769f01b..0000000
--- a/files/caddy/etc/caddy/Caddyfile
+++ /dev/null
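Review bot: `enabled: true` on `caddy.service` refers to a unit this config never ships — the unit is generated at boot by Quadlet from `/etc/containers/systemd/caddy.container`, and the `[Install] WantedBy=multi-user.target` in that file is what actually wires it into the boot target. Ignition presumably records the enable as a preset for a unit it cannot see, so this entry is at best redundant and may log a warning on first boot; confirm, and drop it if so. Separately, the `/opt/caddy/etc/caddy/Caddyfile` and `/opt/caddy/var/www/html/index.html` entries lost their `overwrite: true`; since the Makefile now keeps only `/opt/caddy/data` across a reset this is probably fine, but if either file ever survives with different contents Ignition will refuse to replace it — worth a comment such as `# no overwrite: /opt/caddy/etc and /var/www are wiped on reset, only /opt/caddy/data is kept`. The hunk's head (storage section) is on an earlier line of this page; the hunk is complete in view.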
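Review bot: The commented-out `#fst.ee:8448` and `#matrix.fst.ee` blocks reference `matrixdotorg-synapse:8008`, a container name this same commit removes from config.yaml, so they are dead configuration that will drift from whatever replaces it. Prefer deleting them outright — the previous Caddyfile (deleted in this commit) keeps them in git history — or, if they are meant as a template for a future podman-based Synapse, replace the two blocks with one comment such as `# matrix vhosts removed with the docker services; see git history for the synapse reverse_proxy config`.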
@@ -1,18 +0,0 @@
-{
- #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
- email akpall+akpella@fst.ee
-}
-
-fst.ee {
- root * /var/www/html
- file_server
-}
-
-fst.ee:8448 {
- reverse_proxy /_matrix/* matrixdotorg-synapse:8008
-}
-
-matrix.fst.ee {
- reverse_proxy /_matrix/* matrixdotorg-synapse:8008
- reverse_proxy /_synapse/client/* matrixdotorg-synapse:8008
-}
diff --git a/files/etc/containers/policy.json b/files/etc/containers/policy.json
new file mode 100644
index 0000000..0d1bdb1
--- /dev/null
+++ b/files/etc/containers/policy.json
@@ -0,0 +1,8 @@
+{
+ "default": [{"type": "reject"}],
+ "transports": {
+ "docker": {
+ "docker.io/library/caddy": [{"type": "insecureAcceptAnything"}]
+ }
+ }
+}
diff --git a/files/etc/containers/systemd/caddy.container b/files/etc/containers/systemd/caddy.container
new file mode 100644
index 0000000..c8c9f32
--- /dev/null
+++ b/files/etc/containers/systemd/caddy.container
@@ -0,0 +1,13 @@
+[Unit]
+Description=Caddy 2 is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go.
+
+[Container]
+Image=docker.io/library/caddy:latest
+PublishPort=443:443
+PublishPort=80:80
+Volume=/opt/caddy/data:/data
+Volume=/opt/caddy/etc/caddy:/etc/caddy
+Volume=/opt/caddy/var/www/html:/var/www/html
+
+[Install]
+WantedBy=multi-user.target
diff --git a/files/etc/hosts b/files/etc/hosts
index 4208f6f..41aa4f7 100644
--- a/files/etc/hosts
+++ b/files/etc/hosts
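Review bot: `"insecureAcceptAnything"` for `docker.io/library/caddy` means no signature or digest verification is performed for that scope, so the default-`reject` policy only narrows which repository may be pulled, not what is trusted inside it — whatever Docker Hub serves under the referenced tag is accepted. That is a reasonable minimum, but the trust then rests entirely on the image reference, and caddy.container in this same commit pulls the floating `caddy:latest` tag. Since policy.json cannot carry a comment, record the decision where the image is referenced: pin the container unit to a digest (`Image=docker.io/library/caddy@sha256:<digest>`, digest to be filled in) so that this policy entry admits a known image rather than a moving tag.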
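Review bot: `Image=docker.io/library/caddy:latest` with no `AutoUpdate=` and no digest gives neither reproducibility nor updates: with Quadlet's default pull policy the tag is presumably resolved once when the image is first missing and the container keeps running that image on every later boot, so the host quietly stays on whatever `latest` meant at first boot. Either pin `Image=docker.io/library/caddy@sha256:<digest>` (placeholder) and bump it deliberately, or add `AutoUpdate=registry` and run the podman auto-update timer, but do not leave the tag floating without one of them. The two config volumes should also be read-only, since Caddy's writable state is the separately mounted `/data`: `Volume=/opt/caddy/etc/caddy:/etc/caddy:ro` and `Volume=/opt/caddy/var/www/html:/var/www/html:ro`. As a style point, `Description=` holds Caddy's marketing sentence; `Description=Caddy web server (podman)` is what `systemctl status` readers need.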
@@ -1,2 +1,37 @@
-127.0.0.1 localhost akpella.fst.ee
-::1 localhost akpella.fst.ee
+# /etc/hosts: Local Host Database
+#
+# This file describes a number of aliases-to-address mappings for the for
+# local hosts that share this file.
+#
+# The format of lines in this file is:
+#
+# IP_ADDRESS canonical_hostname [aliases...]
+#
+#The fields can be separated by any number of spaces or tabs.
+#
+# In the presence of the domain name service or NIS, this file may not be
+# consulted at all; see /etc/host.conf for the resolution order.
+#
+
+# IPv4 and IPv6 localhost aliases
+127.0.0.1 localhost akpella.fst.ee
+::1 localhost akpella.fst.ee
+
+#
+# Imaginary network.
+#10.0.0.2 myname
+#10.0.0.3 myfriend
+#
+# According to RFC 1918, you can use the following IP networks for private
+# nets which will never be connected to the Internet:
+#
+# 10.0.0.0 - 10.255.255.255
+# 172.16.0.0 - 172.31.255.255
+# 192.168.0.0 - 192.168.255.255
+#
+# In case you want to be able to connect directly to the Internet (i.e. not
+# behind a NAT, ADSL router, etc...), you need real official assigned
+# numbers. Do not try to invent your own network numbers but instead get one
+# from your network provider (if any) or from your regional registry (ARIN,
+# APNIC, LACNIC, RIPE NCC, or AfriNIC.)
+#