diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 92c44a8..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,11 +0,0 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
-version: 2
-updates:
- - package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "weekly"
diff --git a/.github/renovate-config.json5 b/.github/renovate-config.json5
new file mode 100644
index 0000000..4f5d0eb
--- /dev/null
+++ b/.github/renovate-config.json5
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:recommended",
+ "docker:enableMajor",
+ ":automergeBranch",
+ ":disableRateLimiting",
+ ":dependencyDashboard",
+ ":semanticCommits",
+ ":skipStatusChecks",
+ ":timezone(Europe/Paris)",
+ "github>auricom/ucore-custom//.github/renovate/customManagers.json5",
+ ],
+ "dependencyDashboardTitle": "Renovate Dashboard 🤖",
+ "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
+}
\ No newline at end of file
diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 0000000..46ecf84
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,3 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json"
+}
\ No newline at end of file
diff --git a/.github/renovate/customManagers.json5 b/.github/renovate/customManagers.json5
new file mode 100644
index 0000000..d2fc6a4
--- /dev/null
+++ b/.github/renovate/customManagers.json5
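Review bot: `":automergeBranch"` together with `":skipStatusChecks"` in the `extends` list lets Renovate merge dependency bumps to `main` without waiting for any workflow result, so a broken or malicious upstream release reaches the branch that builds and signs the OS image with no build or base-image-verification gate in between. Dropping `":skipStatusChecks"` (or at least disabling automerge for major updates through a `packageRules` entry) keeps the build as a gate. The preset path `github>auricom/ucore-custom//.github/renovate/customManagers.json5` names a different repository than the README URL used in build.yml (`auricom/ublue-custom`); if this repository is `ucore-custom` the README URL is stale, otherwise the preset is fetched from another repo.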
@@ -0,0 +1,24 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "customManagers": [
+ {
+ "customType": "regex",
+ "description": ["Process container versions"],
+ "fileMatch": ["(^|/)containers/.+\\.container$"],
+ "matchStrings": [
+ "Image=(?[^:]+):(?[^\\s@]+)(@(?sha256:[0-9a-f]+))?"
+ ],
+ "datasourceTemplate": "docker",
+ "versioningTemplate": "docker"
+ },
+ {
+ "customType": "regex",
+ "description": ["Process taskfile dependencies"],
+ "fileMatch": ["(^|/)Taskfile\\.ya?ml$"],
+ "matchStrings": [
+ "datasource=(?\\S+) depName=(?\\S+)( repository=(?\\S+))?\\n.+: (&\\S+\\s)?(?\\S+)"
+ ],
+ "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8ea733a..cd202e8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,11 +1,10 @@
----
-name: build-ublue-custom
+name: build-ucore-custom
 on:
 pull_request:
 branches:
 - main
 schedule:
- - cron: '05 10 * * *' # 10:05am UTC everyday
+ - cron: 07 47 * * * # approx 1.5 hours after ublue-os/ucore images publish
 push:
 branches:
 - main
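Review bot: The `matchStrings` regexes in both custom managers contain groups written as `(?[^:]+)` and `(?\\S+)`, which is not valid regex syntax; this looks like named-group names (`(?<depName>…)`, `(?<currentValue>…)`, `(?<currentDigest>…)`) lost in rendering, but if the file really reads this way Renovate will reject both managers, so worth checking the committed bytes. Independently, `fileMatch` covers only `*.container` files below a `containers/` directory and `Taskfile.ya?ml`, so the `Image=` lines in `usr/lib/systemd/system/*.service` and the `# renovate:` comments in `scripts/*.sh` added by this same commit are tracked by neither manager; a second `fileMatch` entry such as `"(^|/)systemd/system/.+\\.service$"` and a shell-oriented pattern for `scripts/` would close that gap.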
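Review bot: `cron: 07 47 * * *` puts 47 in the hour field, which is not a valid cron hour (0–23), so the schedule trigger will not fire; the comment asks for a time about 1.5 h after upstream publishes, and the removed line was minute-then-hour (`'05 10 * * *'`), so the intended value is probably `- cron: '47 07 * * *'`. Keep the quotes the old line had: the unquoted `*` characters parse as a plain scalar here, but quoting keeps linters and future edits (a leading `*` would become an alias) out of trouble. The `---` document start was also dropped; harmless for GitHub, but yamllint's `document-start` rule will flag it.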
@@ -14,46 +13,82 @@ on: workflow_dispatch: env: - MY_IMAGE_NAME: "${{ github.event.repository.name }}" # the name of the image produced by this build, matches repo names - MY_IMAGE_DESC: "My Customized Universal Blue Image" - IMAGE_REGISTRY: "ghcr.io/${{ github.repository_owner }}" # do not edit + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} -jobs: - build_push: - name: Build and push image - runs-on: ubuntu-latest +concurrency: + group: ${{ github.workflow }}-${{ github.ref || github.run_id }} + cancel-in-progress: true +jobs: + push-ghcr: + name: custom image + runs-on: latest + # trunk-ignore(checkov/CKV2_GHA_1) permissions: contents: read packages: write id-token: write - + strategy: + fail-fast: false + matrix: + image_name: [ucore-minimal] + tag_name: [stable,stable-zfs] + include: + - tag_name: stable + is_latest_version: true + is_stable_version: true steps: - # Checkout push-to-registry action GitHub repository - - name: Checkout Push to Registry action + - name: Checkout uses: actions/checkout@v4 + - name: Maximize disk space + uses: ublue-os/remove-unwanted-software@v6 + + - name: Matrix Variables + shell: bash + run: | + export IMAGE_NAME=${{ matrix.image_name }} + echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV + + - name: Verify base image + uses: EyeCantCU/cosign-action/verify@v0.2.2 + with: + containers: ${{ env.IMAGE_NAME }}:${{ matrix.tag_name }} + - name: Generate tags id: generate-tags shell: bash run: | # Generate a timestamp for creating an image version history TIMESTAMP="$(date +%Y%m%d)" + VARIANT="${{ matrix.tag_name }}" + COMMIT_TAGS=() BUILD_TAGS=() # Have tags for tracking builds during pull request SHA_SHORT="${GITHUB_SHA::7}" - COMMIT_TAGS+=("pr-${{ github.event.number }}") - COMMIT_TAGS+=("${SHA_SHORT}") + COMMIT_TAGS+=("pr-${{ github.event.number }}-${VARIANT}") + COMMIT_TAGS+=("${SHA_SHORT}-${VARIANT}") + + if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ + [[ "${{ matrix.is_stable_version }}" == "true" ]]; then + 
COMMIT_TAGS+=("pr-${{ github.event.number }}") + COMMIT_TAGS+=("${SHA_SHORT}") + fi + + BUILD_TAGS=("${VARIANT}") # Append matching timestamp tags to keep a version history for TAG in "${BUILD_TAGS[@]}"; do BUILD_TAGS+=("${TAG}-${TIMESTAMP}") done - BUILD_TAGS+=("${TIMESTAMP}") - BUILD_TAGS+=("latest") + if [[ "${{ matrix.is_latest_version }}" == "true" ]] && \ + [[ "${{ matrix.is_stable_version }}" == "true" ]]; then + BUILD_TAGS+=("${TIMESTAMP}") + BUILD_TAGS+=("latest") + fi if [[ "${{ github.event_name }}" == "pull_request" ]]; then echo "Generated the following commit tags: " @@ -73,18 +108,24 @@ jobs: echo "alias_tags=${alias_tags[*]}" >> $GITHUB_OUTPUT + - name: Get current version + id: labels + run: | + ver=$(skopeo inspect docker://ghcr.io/ublue-os/${{ env.IMAGE_NAME }}:${{ matrix.tag_name }} | jq -r '.Labels["org.opencontainers.image.version"]') + echo "IMAGE_NAME_VERSION=$ver" >> $GITHUB_ENV + # Build metadata - name: Image Metadata uses: docker/metadata-action@v5 id: meta with: images: | - ${{ env.MY_IMAGE_NAME }} - + ${{ env.IMAGE_NAME }} labels: | - io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md - org.opencontainers.image.description=${{ env.MY_IMAGE_DESC }} - org.opencontainers.image.title=${{ env.MY_IMAGE_NAME }} + org.opencontainers.image.title=${{ env.IMAGE_NAME }} + org.opencontainers.image.version=${{ env.IMAGE_NAME_VERSION }} + org.opencontainers.image.description=Custom ${{ matrix.image_name }} + io.artifacthub.package.readme-url=https://raw.githubusercontent.com/auricom/ublue-custom/main/README.md # Build image using Buildah action - name: Build Image 
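Review bot: `runs-on: latest` is not a GitHub-hosted runner label (the removed line had `ubuntu-latest`); unless a self-hosted runner carries the label `latest`, the job will queue indefinitely. Every third-party action in this hunk is referenced by a mutable tag (`actions/checkout@v4`, `ublue-os/remove-unwanted-software@v6`, `EyeCantCU/cosign-action/verify@v0.2.2`) while the job holds `packages: write` and `id-token: write` and signs the resulting image, so a retargeted tag could run arbitrary code with those credentials; pinning each to a full commit SHA (`uses: owner/action@<sha> # vX.Y`) is the usual mitigation. The base-image verification step passes `${{ env.IMAGE_NAME }}:${{ matrix.tag_name }}` with no registry prefix; confirm the action defaults to `ghcr.io/ublue-os`, otherwise it verifies a different reference than the one the Containerfile pulls. The `Generate tags` run block starts in this hunk and continues outside it.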
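Review bot: The `Get current version` step sets no `shell:`, so it runs under GitHub's default `bash -e {0}` without `pipefail`; if `skopeo inspect` fails, `jq` reads empty input, `ver` ends up empty and the image is labelled with an empty `org.opencontainers.image.version` while the job carries on. The neighbouring steps use `shell: bash`, which GitHub runs with `-eo pipefail`; adding `shell: bash` here plus a guard like `[[ -n "$ver" && "$ver" != "null" ]]` makes a missing upstream label fail loudly instead. The readme-url label still names `auricom/ublue-custom` although the workflow was renamed `build-ucore-custom`; if the repository itself was renamed this link is stale.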
@@ -95,9 +136,12 @@ jobs: ./Containerfile # Postfix image name with -custom to make it a little more descriptive # Syntax: https://docs.github.com/en/actions/learn-github-actions/expressions#format - image: ${{ env.MY_IMAGE_NAME }} + image: ${{ env.IMAGE_NAME }} tags: | ${{ steps.generate-tags.outputs.alias_tags }} + build-args: | + IMAGE_NAME=${{ matrix.image_name }} + IMAGE_TAG=${{ matrix.tag_name }} labels: ${{ steps.meta.outputs.labels }} oci: false @@ -109,14 +153,8 @@ jobs: with: string: ${{ env.IMAGE_REGISTRY }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Push Image to GHCR + # Push the image to GHCR (Image Registry) + - name: Push To GHCR uses: redhat-actions/push-to-registry@v2 id: push env: @@ -128,19 +166,19 @@ jobs: registry: ${{ steps.registry_case.outputs.lowercase }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} - extra-args: | - --disable-content-trust - # This section is optional and only needs to be enabled in you plan on distributing - # your project to others to consume. You will need to create a public and private key - # using Cosign and save the private key as a repository secret in Github for this workflow - # to consume. For more details, review the image signing section of the README. + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} # Sign container - - uses: sigstore/cosign-installer@v3.5.0 + - uses: sigstore/cosign-installer@v3.4.0 if: github.event_name != 'pull_request' - - name: Sign container image + - name: Sign container image with keypair if: github.event_name != 'pull_request' run: | cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} 
@@ -148,3 +186,27 @@ jobs:
 TAGS: ${{ steps.push.outputs.digest }}
 COSIGN_EXPERIMENTAL: false
 COSIGN_PRIVATE_KEY: ${{ secrets.SIGNING_SECRET }}
+
+ - name: Verify keypair signature
+ if: github.event_name != 'pull_request'
+ run: |
+ cosign verify \
+ --key cosign.pub \
+ ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}:${{ matrix.tag_name }}
+
+ - name: Sign container image with OIDC
+ if: github.event_name != 'pull_request'
+ run: cosign sign -y ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}:${{ matrix.tag_name }}
+
+ - name: Verify OIDC signature
+ if: github.event_name != 'pull_request'
+ run: |
+ cosign verify \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ --certificate-identity-regexp "${{ github.server_url }}/${{ github.repository }}" \
+ ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}:${{ matrix.tag_name }}
+
+ - name: Echo outputs
+ if: github.event_name != 'pull_request'
+ run: |
+ echo "${{ toJSON(steps.push.outputs) }}"
\ No newline at end of file
diff --git a/Containerfile b/Containerfile
index 5d08ad5..3ace982 100644
--- a/Containerfile
+++ b/Containerfile
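Review bot: `sigstore/cosign-installer@v3.5.0` is changed to `@v3.4.0`, a downgrade of the tool that handles `COSIGN_PRIVATE_KEY`; if that is deliberate it deserves a comment, otherwise it reads like a merge artifact and should go back to the newer release. Both the installer and the re-added `docker/login-action@v3` are referenced by mutable tag; for the steps that touch the signing key and the registry token a full-SHA pin (`uses: sigstore/cosign-installer@<sha> # v3.x`) is the usual defence against tag retargeting. The login step now runs after `Push To GHCR`; the push step's `env:` block with `REGISTRY_USER`/`REGISTRY_PASSWORD` starts outside this hunk, so confirm it supplies credentials of its own rather than relying on the login that used to precede it.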
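Review bot: Both verify steps check the image by tag (`…:${{ matrix.tag_name }}`) while the keypair signature was attached to the pushed digest (`@${TAGS}` from `steps.push.outputs.digest`); a tag is resolved at verify time, so a concurrent or out-of-order push of the same tag lets the step verify a different manifest than the one this job signed. Using `${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${{ steps.push.outputs.digest }}` in the sign and verify steps binds them to this build. `--certificate-identity-regexp "${{ github.server_url }}/${{ github.repository }}"` is unanchored and matches any identity that merely contains the repository URL; `--certificate-identity-regexp "^${{ github.server_url }}/${{ github.repository }}/"` restricts it to workflows of this repository. A comment noting that the OIDC signature is recorded in the public Rekor log would help the next reader understand why the step is skipped for pull requests.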
@@ -1,59 +1,20 @@ -## 1. BUILD ARGS -# These allow changing the produced image by passing different build args to adjust -# the source from which your image is built. -# Build args can be provided on the commandline when building locally with: -# podman build -f Containerfile --build-arg FEDORA_VERSION=40 -t local-image - -# SOURCE_IMAGE arg can be anything from ublue upstream which matches your desired version: -# See list here: https://github.com/orgs/ublue-os/packages?repo_name=main -# - "silverblue" -# - "kinoite" -# - "sericea" -# - "onyx" -# - "lazurite" -# - "vauxite" -# - "base" -# -# "aurora", "bazzite", "bluefin" or "ucore" may also be used but have different suffixes. -ARG SOURCE_IMAGE="silverblue" - -## SOURCE_SUFFIX arg should include a hyphen and the appropriate suffix name -# These examples all work for silverblue/kinoite/sericea/onyx/lazurite/vauxite/base -# - "-main" -# - "-nvidia" -# - "-asus" -# - "-asus-nvidia" -# - "-surface" -# - "-surface-nvidia" -# -# aurora, bazzite and bluefin each have unique suffixes. Please check the specific image. -# ucore has the following possible suffixes -# - stable -# - stable-nvidia -# - stable-zfs -# - stable-nvidia-zfs -# - (and the above with testing rather than stable) -ARG SOURCE_SUFFIX="-main" - -## SOURCE_TAG arg must be a version built for the specific image: eg, 39, 40, gts, latest -ARG SOURCE_TAG="latest" +### 1. BUILD ARGS +## IMAGE_NAME arg can be anything from ublue upstream: silverblue, kinoite, sericea, vauxite, mate, lxqt, base +ARG IMAGE_NAME="${IMAGE_NAME:-ucore-minimal}" +## FEDORA_VERSION arg must be a version built by ublue: 39 or 40 as of today (stable for ucore) +ARG IMAGE_TAG="${IMAGE_TAG:-stable-zfs}" ### 2. 
SOURCE IMAGE ## this is a standard Containerfile FROM using the build ARGs above to select the right upstream image -FROM ghcr.io/ublue-os/${SOURCE_IMAGE}${SOURCE_SUFFIX}:${SOURCE_TAG} +FROM ghcr.io/ublue-os/${IMAGE_NAME}:${IMAGE_TAG} +ENV UCORE_UPSTREAM_IMAGE_TAG=${IMAGE_TAG} +COPY usr /usr +COPY scripts /tmp/ ### 3. MODIFICATIONS -## make modifications desired in your image and install packages by modifying the build.sh script -## the following RUN directive does all the things required to run "build.sh" as recommended. - -COPY build.sh /tmp/build.sh - -RUN mkdir -p /var/lib/alternatives && \ - /tmp/build.sh && \ - ostree container commit -## NOTES: -# - /var/lib/alternatives is required to prevent failure with some RPM installs -# - All RUN commands must end with ostree container commit -# see: https://coreos.github.io/rpm-ostree/container/#using-ostree-container-commit +## make modifications desired in your image and install packages here, a few examples follow +RUN /tmp/install.sh && \ + /tmp/post-install.sh && \ + ostree container commit \ No newline at end of file diff --git a/build.sh b/build.sh deleted file mode 100755 index 0ca1678..0000000 --- a/build.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -set -ouex pipefail - -RELEASE="$(rpm -E %fedora)" - - -### Install packages - -# Packages can be installed from any enabled yum repo on the image. -# RPMfusion repos are available by default in ublue main images -# List of rpmfusion packages can be found here: -# https://mirrors.rpmfusion.org/mirrorlist?path=free/fedora/updates/39/x86_64/repoview/index.html&protocol=https&redirect=1 - -# this installs a package from fedora repos -rpm-ostree install screen - -# this would install a package from rpmfusion -# rpm-ostree install vlc - -#### Example for enabling a System Unit File - -systemctl enable podman.socket diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 0000000..4a1c07f --- /dev/null +++ b/cosign.pub 
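Review bot: The comment above `ARG IMAGE_TAG` still reads `## FEDORA_VERSION arg must be a version built by ublue: 39 or 40 as of today (stable for ucore)` although the argument is now `IMAGE_TAG` with default `stable-zfs`, and the `IMAGE_NAME` comment lists desktop images (`silverblue, kinoite, …`) while the default is `ucore-minimal`; suggested replacements are `## IMAGE_NAME arg selects the upstream ublue-os image, e.g. ucore-minimal` and `## IMAGE_TAG arg selects the upstream tag, e.g. stable or stable-zfs`. `FROM ghcr.io/ublue-os/${IMAGE_NAME}:${IMAGE_TAG}` pins no digest; the CI workflow verifies the upstream signature before building, so a one-line comment that local `podman build` runs get no such check would set expectations. The hunk's context lines around `### 2.` and `### 3.` may have lost blank lines in rendering, so line placement here is approximate.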
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE/tZcxAuuK/qIKSMWfr5Rux5yRXHC
+V8y2Xx4XGkqXyp3yVh5QXzhKe9k7bbTBwF4nhJp5XvlQfmPKu6Ohn1cknA==
+-----END PUBLIC KEY-----
\ No newline at end of file
diff --git a/scripts/apps/zrepl.sh b/scripts/apps/zrepl.sh
new file mode 100755
index 0000000..cd8905d
--- /dev/null
+++ b/scripts/apps/zrepl.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/bash
+
+set -ouex pipefail
+
+# renovate: datasource=github-releases depName=zrepl/zrepl
+ZREPL_VERSION=v0.6.1
+
+RELEASE_INFO=$(curl -s "https://api.github.com/repos/zrepl/zrepl/releases/tags/$ZREPL_VERSION")
+ASSET_FILENAME=$(echo "$RELEASE_INFO" | grep -oP '"browser_download_url": "\K[^"]+' | grep 'x86_64\.rpm$')
+
+rpm-ostree install "${ASSET_FILENAME}"
\ No newline at end of file
diff --git a/scripts/install.sh b/scripts/install.sh
new file mode 100755
index 0000000..ce10862
--- /dev/null
+++ b/scripts/install.sh
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -ouex pipefail
+
+
+# renovate: datasource=github-releases depName=getsops/sops
+SOPS_VERSION=v3.8.1
+
+# ensure that RPM post-install don't break with alternatives reqs
+mkdir -p /var/lib/alternatives
+
+rpm-ostree install \
+ age \
+ fish \
+ fzf \
+ go-task
+
+rpm-ostree install "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION#v}.x86_64.rpm"
+
+if [[ -x "/usr/sbin/zpool" ]]; then
+ rpm-ostree install \
+ nfs-utils \
+ samba
+ /tmp/apps/zrepl.sh
+fi
\ No newline at end of file
diff --git a/scripts/post-install.sh b/scripts/post-install.sh
new file mode 100755
index 0000000..195be39
--- /dev/null
+++ b/scripts/post-install.sh
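Review bot: `rpm-ostree install "${ASSET_FILENAME}"` installs whatever RPM URL the unauthenticated GitHub API returns, with no checksum or signature check, and `scripts/install.sh` does the same for the sops RPM; a tampered or substituted asset would be baked into the image silently. Pinning a known digest next to `ZREPL_VERSION` (a `ZREPL_SHA256=<placeholder>` line checked with `sha256sum -c` after a `curl -fL` download, or importing the project's RPM signing key so rpm verifies the package) turns that into a build failure. `curl -s` without `-f` exits 0 on an HTTP error body such as an API rate-limit response, so the failure only surfaces as the later `grep` matching nothing; `curl -fsSL` fails at the source with a clear message. The `# renovate:` comment uses the Taskfile manager's syntax, but that manager's `fileMatch` covers only `Taskfile.ya?ml`, so this pin is not updated automatically.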
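Review bot: `#!/bin/sh` combined with `set -ouex pipefail` and `[[ -x "/usr/sbin/zpool" ]]` only works because `/bin/sh` happens to be bash on the build image; `set -o pipefail` and `[[` are not POSIX and abort under dash, and `scripts/post-install.sh` has the same header. Using `#!/usr/bin/bash`, as `scripts/apps/zrepl.sh` already does, makes the dependency explicit. The zpool test decides whether NFS, Samba and zrepl go into the image, so a comment such as `# presence of zpool marks the stable-zfs base image (presumably); NFS/Samba/zrepl are only installed there` would help the next reader.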
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -ouex pipefail
+
+# pre-enabled services
+systemctl enable cockpit.service
+systemctl enable node-exporter.service
+systemctl enable podman.socket
+systemctl enable podman-exporter.service
+
+if [[ -x "/usr/sbin/zpool" ]]; then
+ # ZFS
+ echo zfs > /etc/modules-load.d/zfs.conf
+ systemctl enable zrepl.service
+
+ # NFS
+ # firewall-cmd --permanent --zone=FedoraServer --add-service=nfs
+ systemctl enable nfs-server.service
+
+ # Samba
+ # firewall-cmd --permanent --zone=FedoraServer --add-service=samba
+ systemctl enable smb.service
+
+ # Firewall / SELinux
+ restorecon -R /mnt/vol1
+ # firewall-cmd --reload
+ semanage fcontext --add --type "public_content_rw_t" "/mnt/vol1(/.*)?"
+fi
\ No newline at end of file
diff --git a/usr/etc/exports.d/local.conf b/usr/etc/exports.d/local.conf
new file mode 100644
index 0000000..b8e10ab
--- /dev/null
+++ b/usr/etc/exports.d/local.conf
@@ -0,0 +1,10 @@
+/mnt/vol1/backups 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/downloads 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/home/claude 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/home/helene 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/music 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/music_transcoded 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/photo 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/piracy 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/shared-documents 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
+/mnt/vol1/video 192.168.8.0/22(rw,sync,no_subtree_check,all_squash,anonuid=1000,anongid=1000)
\ No newline at end of file
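Review bot: `restorecon -R /mnt/vol1` runs at image build time, where nothing in this commit creates `/mnt/vol1`, so under `set -e` it will most likely fail the build of the zfs variant; the `semanage fcontext --add` that follows is the part that belongs in the image, while relabelling belongs in a first-boot unit that runs after the pool is imported. If best-effort is intended, say so explicitly with `restorecon -R /mnt/vol1 || true` and a comment. `echo zfs > /etc/modules-load.d/zfs.conf` writes into the build container's `/etc`, which on ostree images ends up as `/usr/etc`; that works, but the rest of this commit ships config under `usr/etc/` through the Containerfile's `COPY usr /usr`, and keeping all of it in one place makes review easier.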
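Review bot: Every export grants `rw` to the whole `192.168.8.0/22` (up to 1022 hosts) with `all_squash,anonuid=1000,anongid=1000`, so any device that obtains an address on that network can write to `backups`, both home directories and everything else as uid 1000 with no authentication beyond its source IP. Narrowing the client list to specific hosts or a smaller prefix, making `backups` read-only for clients that only restore from it (`ro` for them, `rw` for the backup host), or using `sec=krb5p` limits what a compromised LAN host can do. It is also worth confirming that mapping `home/claude` and `home/helene` to the same uid is intended, since each client can then read and alter the other's files.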
diff --git a/usr/etc/samba/smb.conf b/usr/etc/samba/smb.conf
new file mode 100644
index 0000000..7dd24d3
--- /dev/null
+++ b/usr/etc/samba/smb.conf
@@ -0,0 +1,5 @@
+[photo]
+ path = /mnt/vol1/photo
+ writable = yes
+ browseable = yes
+ public = yes
diff --git a/usr/etc/traefik/traefik.yaml b/usr/etc/traefik/traefik.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/usr/etc/zrepl/zrepl.yml b/usr/etc/zrepl/zrepl.yml
new file mode 100644
index 0000000..6f3b8cb
--- /dev/null
+++ b/usr/etc/zrepl/zrepl.yml
@@ -0,0 +1,42 @@
+global:
+ logging:
+ - type: syslog
+ format: human
+ level: warn
+ monitoring:
+ - type: prometheus
+ listen: ':9811'
+jobs:
+- name: snap_default
+ type: snap
+ filesystems: {
+ "/mnt/vol1<": true,
+ "/mnt/vol1/apps/minio<": false,
+ "/mnt/vol1/video<": false,
+ }
+ snapshotting:
+ type: periodic
+ interval: 60m
+ prefix: zrepl_snap_default_
+ timestamp_format: dense
+ pruning:
+ keep:
+ - type: grid
+ regex: "^zrepl_.*"
+ grid: 1x1h(keep=all) | 24x1h | 35x1d | 6x30d
+- name: snap_minio
+ type: snap
+ filesystems: {
+ "/mnt/vol1/apps/minio<": true,
+ "/mnt/vol1/video<": true,
+ }
+ snapshotting:
+ type: periodic
+ interval: 60m
+ prefix: zrepl_snap_14d_
+ timestamp_format: dense
+ pruning:
+ keep:
+ - type: grid
+ regex: "^zrepl_snap_minio_.*"
+ grid: 1x1h(keep=all) | 24x1h | 17x1d
diff --git a/usr/lib/systemd/system/node-exporter.service b/usr/lib/systemd/system/node-exporter.service
new file mode 100644
index 0000000..c9fb6d9
--- /dev/null
+++ b/usr/lib/systemd/system/node-exporter.service
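Review bot: The `[photo]` share sets `public = yes` together with `writable = yes`, which allows unauthenticated guest writes and deletions on `/mnt/vol1/photo` from any host that can reach port 445, and there is no `[global]` section with `hosts allow` or `map to guest` to narrow that. If guest browsing is what is wanted, `writable = no` plus `write list = <user>` keeps uploads authenticated; otherwise `public = no` with `valid users = <user>` is the usual shape. The same directory is also exported over NFS in `usr/etc/exports.d/local.conf` squashed to uid 1000, so ownership of files created through either protocol should be checked against what the other expects.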
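Review bot: The `snap_minio` job creates snapshots with `prefix: zrepl_snap_14d_` but its only keep rule is `regex: "^zrepl_snap_minio_.*"`; if I read zrepl's pruning semantics correctly, a snapshot kept by no rule is destroyed, so every snapshot this job takes would be removed at the next prune and the `17x1d` grid would retain nothing. Aligning the two, e.g. `regex: "^zrepl_snap_14d_.*"` (or renaming the prefix), fixes it. By the same rule, `snap_default`'s `^zrepl_.*` leaves any manually created snapshot under `/mnt/vol1<` unprotected; zrepl's documented pattern for that is an extra `- type: regex` rule with `negate: true` and `regex: "^zrepl_.*"` ahead of the grid rule. `listen: ':9811'` binds the Prometheus endpoint on every interface of a host-networked box; restricting it to a trusted address or firewalling it avoids exposing dataset names and snapshot timing to the LAN.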
@@ -0,0 +1,36 @@
+[Unit]
+Description=Node-Exporter Container
+After=network-online.target
+Wants=network-online.target
+RequiresMountsFor=%t/containers
+RequiresMountsFor=/
+
+[X-Container]
+Image=quay.io/prometheus/node-exporter:latest
+ContainerName=node-exporter
+Environment=NAME=node-exporter
+
+#flag for autoupdates
+Label=io.containers.autoupdate=registry
+
+Volume=/:/host:ro,rslave
+PodmanArgs=--pid host --privileged
+Exec=--path.rootfs=/host
+Network=host
+
+[Service]
+Restart=always
+Environment=PODMAN_SYSTEMD_UNIT=%n
+KillMode=mixed
+ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=%t/%N.cid
+ExecStopPost=-rm -f %t/%N.cid
+Delegate=yes
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+ExecStart=/usr/bin/podman run --name=ws --cidfile=%t/%N.cid --replace --rm --cgroups=split --sdnotify=conmon -d -v /:/host --env NAME=ws --label io.containers.autoupdate=registry --pid host --privileged quay.io/cockpit/ws:latest /container/label-run
+TimeoutStartSec=900
+RestartSec=3
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/usr/lib/systemd/system/podman-exporter.service b/usr/lib/systemd/system/podman-exporter.service
new file mode 100644
index 0000000..ae2348e
--- /dev/null
+++ b/usr/lib/systemd/system/podman-exporter.service
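Review bot: The `[Service] ExecStart` line starts `quay.io/cockpit/ws:latest` as `--name=ws --privileged -v /:/host`, not the node-exporter image declared in `[X-Container]`; systemd ignores `X-`-prefixed sections, so in a plain `.service` unit under `/usr/lib/systemd/system` the `Image=`, `Volume=`, `Exec=` and `Network=` keys have no effect and the only thing that runs is that cockpit container. `podman-exporter.service` and `traefik.service` in this commit carry the identical `ExecStart`, so all three units start the same privileged container named `ws` (`--replace` makes each one kill the previous) and none of the services they are named after ever run. `[X-Container]` is what Quadlet writes into its generated units; the fix is to ship these as `*.container` files under `usr/share/containers/systemd/` with a `[Container]` section, like `minio.container` in this commit, and drop the hand-written `ExecStart` so the generator derives it from `Image=`. Whichever form is kept, node-exporter does not need `--privileged`: `--pid host` with the read-only `/:/host` mount already declared is what upstream's own example uses.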
@@ -0,0 +1,39 @@
+[Unit]
+Description=Podman-Exporter Container
+After=network-online.target
+Wants=network-online.target
+RequiresMountsFor=%t/containers
+RequiresMountsFor=/run/podman/podman.sock
+
+[X-Container]
+Image=quay.io/navidys/prometheus-podman-exporter:latest
+ContainerName=node-exporter
+Environment=NAME=node-exporter
+Environment=CONTAINER_HOST=unix:///run/podman/podman.sock
+
+#flag for autoupdates
+Label=io.containers.autoupdate=registry
+
+Volume=/run/podman/podman.sock:/run/podman/podman.sock
+PodmanArgs=--pid host --privileged
+Exec=--collector.enhance-metrics
+Network=host
+SecurityLabelDisable=true
+User=root
+
+[Service]
+Restart=always
+Environment=PODMAN_SYSTEMD_UNIT=%n
+KillMode=mixed
+ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=%t/%N.cid
+ExecStopPost=-rm -f %t/%N.cid
+Delegate=yes
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+ExecStart=/usr/bin/podman run --name=ws --cidfile=%t/%N.cid --replace --rm --cgroups=split --sdnotify=conmon -d -v /:/host --env NAME=ws --label io.containers.autoupdate=registry --pid host --privileged quay.io/cockpit/ws:latest /container/label-run
+TimeoutStartSec=900
+RestartSec=3
+
+[Install]
+WantedBy=default.target
diff --git a/usr/lib/systemd/system/traefik.service b/usr/lib/systemd/system/traefik.service
new file mode 100644
index 0000000..7d8c20b
--- /dev/null
+++ b/usr/lib/systemd/system/traefik.service
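Review bot: `ContainerName=node-exporter` and `Environment=NAME=node-exporter` are carried over from the node-exporter unit, so once the shared `ExecStart` problem is fixed this unit would still collide with node-exporter's container name; it should read `ContainerName=podman-exporter` and `Environment=NAME=podman-exporter`. The unit also stacks `--privileged`, `User=root` and `SecurityLabelDisable=true` on a process whose only declared need is the `/run/podman/podman.sock` mount; access to that socket is already highly privileged, so the extra relaxations widen what a compromised exporter can reach without enabling anything the exporter uses. Dropping `--privileged` and `SecurityLabelDisable=true` and keeping just the socket mount (with a comment explaining why the socket is required) is the least-privilege shape.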
@@ -0,0 +1,35 @@
+[Unit]
+Description=Traefik Container
+After=network-online.target
+Wants=network-online.target
+RequiresMountsFor=%t/containers
+RequiresMountsFor=/
+
+[X-Container]
+Image=docker.io/library/traefik:v3.0.0@sha256:7996bdae8aaa70eaacf2978b6c949de5b68c0a24ddc3e40c06344ecc88cfaea3
+ContainerName=traefik
+Environment=NAME=traefik
+EnvironmentFile=/usr/etc/traefik/traefik.sops.env
+
+Volume=/usr/etc/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro
+Volume=/usr/share/treaefik:/data
+Network=host
+AddCapability=NET_BIND_SERVICE
+SecurityLabelType=container_runtime_t
+
+[Service]
+Restart=always
+Environment=PODMAN_SYSTEMD_UNIT=%n
+KillMode=mixed
+ExecStopPost=-/usr/bin/podman rm -f -i --cidfile=%t/%N.cid
+ExecStopPost=-rm -f %t/%N.cid
+Delegate=yes
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+ExecStart=/usr/bin/podman run --name=ws --cidfile=%t/%N.cid --replace --rm --cgroups=split --sdnotify=conmon -d -v /:/host --env NAME=ws --label io.containers.autoupdate=registry --pid host --privileged quay.io/cockpit/ws:latest /container/label-run
+TimeoutStartSec=900
+RestartSec=3
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/usr/share/containers/systemd/minio.container b/usr/share/containers/systemd/minio.container
new file mode 100644
index 0000000..658bdb6
--- /dev/null
+++ b/usr/share/containers/systemd/minio.container
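Review bot: `Volume=/usr/share/treaefik:/data` misspells the directory this commit creates (`usr/share/traefik/`, whose `.gitignore` presumably marks it as runtime data), so the data mount would point at a non-existent path and Traefik's state would not land where intended; it should read `Volume=/usr/share/traefik:/data`. `EnvironmentFile=/usr/etc/traefik/traefik.sops.env` references a file this commit does not add; if it is decrypted at boot by another unit, an `After=`/`Requires=` on that unit is needed, otherwise systemd refuses to start Traefik, and `EnvironmentFile=-/usr/etc/traefik/traefik.sops.env` should only be used if the file is genuinely optional. `SecurityLabelType=container_runtime_t` runs a network-facing proxy with the container runtime's own SELinux type, which as far as I can tell leaves it effectively unconfined; `AddCapability=NET_BIND_SERVICE` already covers binding ports 80/443, so the label override deserves a justifying comment or removal. The mounted `/usr/etc/traefik/traefik.yaml` is added empty in this same commit.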
@@ -0,0 +1,35 @@
+[Unit]
+Description=A minio server container for local S3 compatible storage
+After=local-fs.target network-online.target prometheus.service
+SourcePath=/var/home/core/.config/containers/systemd/system/minio.container
+RequiresMountsFor=%t/containers
+
+[X-Container]
+ContainerName=minio
+Image=docker.io/minio/minio:latest
+Exec=server --console-address ":9001"
+Environment=MINIO_ROOT_USER=admin
+Environment=MINIO_ROOT_PASSWORD=password
+Environment=MINIO_VOLUMES=/data
+Environment=MINIO_PROMETHEUS_URL='http://prometheus:9090'
+Environment=MINIO_PROMETHEUS_AUTH_TYPE='public'
+Environment=MINIO_PROMETHEUS_JOB_ID='minio-job'
+PublishPort=9000:9000
+PublishPort=9001:9001
+Volume=%h/.local/share/minio-data:/data:Z
+
+[Service]
+TimeoutStartSec=900
+ExecStartPre=-mkdir -p %h/.local/share/minio-data
+Environment=PODMAN_SYSTEMD_UNIT=%n
+KillMode=mixed
+ExecStop=/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
+ExecStopPost=-/usr/bin/podman rm -v -f -i --cidfile=%t/%N.cid
+Delegate=yes
+Type=notify
+NotifyAccess=all
+SyslogIdentifier=%N
+ExecStart=/usr/bin/podman run --name=minio --cidfile=%t/%N.cid --replace --rm --cgroups=split --sdnotify=conmon -d -v %h/.local/share/minio-data:/data:Z --publish 9000:9000 --publish 9001:9001 --env MINIO_PROMETHEUS_AUTH_TYPE=public --env MINIO_PROMETHEUS_JOB_ID=minio-job --env MINIO_PROMETHEUS_URL=http://prometheus:9090 --env MINIO_ROOT_PASSWORD=password --env MINIO_ROOT_USER=admin --env MINIO_VOLUMES=/data docker.io/minio/minio:latest server --console-address :9001
+
+[Install]
+WantedBy=multi-user.target
diff --git a/usr/share/traefik/.gitignore b/usr/share/traefik/.gitignore
new file mode 100644
index 0000000..f4c3747
--- /dev/null
+++ b/usr/share/traefik/.gitignore
@@ -0,0 +1,2 @@
+/*
+!.gitignore
\ No newline at end of file
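Review bot: `Environment=MINIO_ROOT_USER=admin` and `Environment=MINIO_ROOT_PASSWORD=password` bake default root credentials into a unit that ships inside the image and lives in the repository, while `PublishPort=9000:9000` and `PublishPort=9001:9001` expose the API and console on every host interface, so anyone who can reach the host gets full admin on the S3 store; the same literals are repeated in the hand-written `[Service] ExecStart`. Moving the secret out of the image — `Secret=minio-root-password,type=env,target=MINIO_ROOT_PASSWORD` backed by `podman secret create`, or an `EnvironmentFile=` decrypted at boot as the traefik unit appears to intend — and binding the ports to a local address (`PublishPort=127.0.0.1:9001:9001`) until authentication is sorted out removes the default-credential exposure. The `[X-Container]` section name and `SourcePath=/var/home/core/.config/containers/systemd/system/minio.container` are what Quadlet writes into generated units; a source `.container` file uses `[Container]`, so as written Quadlet will likely not find the `Image=` key at all, and the duplicated `ExecStart` should go once that is fixed. In a system unit `%h` resolves to `/root`, so confirm `%h/.local/share/minio-data` is the intended data path.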