Compare commits

...

16 commits

Author SHA1 Message Date
7f5298a532 fix(redis-authentik): Remove loglevel restriction 2024-10-29 23:21:16 +01:00
efacb24865 fix(redis): Add setup step to set memory overcommit (fixes #73) 2024-10-29 22:45:50 +01:00
26074448a4 fix(matrix): Add missing macaroon key (fixes #71) 2024-10-29 22:25:36 +01:00
d34bbc123e fix(eturnal): Fix failed query on startup (fixes #72) 2024-10-29 20:34:39 +01:00
b7df942929 fix(setup): Add needed package for docker-compose install (#85) 2024-10-29 19:47:52 +01:00
5301ef0cb3 docs(setup): Add manual install of docker-compose (fixes #85) 2024-10-29 19:46:19 +01:00
87c39ae778 docs: Update some outdated docs, move backup config into setup 2024-10-29 19:26:50 +01:00
9baac4e669 docs(games): Fix link to used docker image and readme 2024-10-29 18:46:42 +01:00
ddda6b11b6 config: Add git town config 2024-10-29 18:46:42 +01:00
c190f0f29b chore(deps): update ghcr.io/dani-garcia/vaultwarden docker tag to v1.32.3 (#87)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [ghcr.io/dani-garcia/vaultwarden](https://github.com/dani-garcia/vaultwarden) | patch | `1.32.2-alpine` -> `1.32.3-alpine` |

---

### Release Notes

<details>
<summary>dani-garcia/vaultwarden (ghcr.io/dani-garcia/vaultwarden)</summary>

### [`v1.32.3`](https://github.com/dani-garcia/vaultwarden/releases/tag/1.32.3)

[Compare Source](https://github.com/dani-garcia/vaultwarden/compare/1.32.2...1.32.3)

#### Notable changes

-   Email template for org invites was updated again. The URL got HTML Encoded which resulted in a sometimes non-working URL ([#&#8203;5100](https://github.com/dani-garcia/vaultwarden/issues/5100))
-   Fixed SMTP issues with some providers which send erroneous response to `QUIT` messages (Like QQ) (Thanks to [@&#8203;paolobarbolini](https://github.com/paolobarbolini))
-   Fixed a long standing collection management issue where collections were not able to be managed via the **Password Manager** overview

#### What's Changed

-   Fix iOS sync by converting field types to int by [@&#8203;BlackDex](https://github.com/BlackDex) in https://github.com/dani-garcia/vaultwarden/pull/5081
-   Fix field type to actually be hidden by [@&#8203;BlackDex](https://github.com/BlackDex) in https://github.com/dani-garcia/vaultwarden/pull/5082
-   Fix org invite url being html encoded by [@&#8203;BlackDex](https://github.com/BlackDex) in https://github.com/dani-garcia/vaultwarden/pull/5100
-   Update Rust to 1.82.0 by [@&#8203;dfunkt](https://github.com/dfunkt) in https://github.com/dani-garcia/vaultwarden/pull/5099
-   Fix collection management and match some json output by [@&#8203;BlackDex](https://github.com/BlackDex) in https://github.com/dani-garcia/vaultwarden/pull/5095
-   Add `extension-refresh` feature flag by [@&#8203;dfunkt](https://github.com/dfunkt) in https://github.com/dani-garcia/vaultwarden/pull/5106
-   Hide user name on invite status by [@&#8203;BlackDex](https://github.com/BlackDex) in https://github.com/dani-garcia/vaultwarden/pull/5110
-   Add documentation for the `extension-refresh` feature flag by [@&#8203;dfunkt](https://github.com/dfunkt) in https://github.com/dani-garcia/vaultwarden/pull/5112
-   Update crates and fix Mail issue by [@&#8203;BlackDex](https://github.com/BlackDex) in https://github.com/dani-garcia/vaultwarden/pull/5125

**Full Changelog**: https://github.com/dani-garcia/vaultwarden/compare/1.32.2...1.32.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMzIuMSIsInVwZGF0ZWRJblZlciI6IjM4LjEzMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Reviewed-on: #87
Co-authored-by: Renovate Bot <renovate@git.csprung.de>
Co-committed-by: Renovate Bot <renovate@git.csprung.de>
2024-10-29 18:17:07 +01:00
d617e9b698 chore(deps): update amir20/dozzle docker tag to v8.7.1 (#88)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [amir20/dozzle](https://github.com/amir20/dozzle) | minor | `v8.6.2` -> `v8.7.1` |

---

### Release Notes

<details>
<summary>amir20/dozzle (amir20/dozzle)</summary>

### [`v8.7.1`](https://github.com/amir20/dozzle/releases/tag/v8.7.1)

[Compare Source](https://github.com/amir20/dozzle/compare/v8.7.0...v8.7.1)

##### 🐞 Bug Fixes

-   Fix base ANSI convertor colors  -  by [@&#8203;amir20](https://github.com/amir20) and **Jérémy Touati** in https://github.com/amir20/dozzle/issues/3353 [<samp>(c6339)</samp>](https://github.com/amir20/dozzle/commit/c6339eff)

##### [View changes on GitHub](https://github.com/amir20/dozzle/compare/v8.7.0...v8.7.1)

### [`v8.7.0`](https://github.com/amir20/dozzle/releases/tag/v8.7.0)

[Compare Source](https://github.com/amir20/dozzle/compare/v8.6.2...v8.7.0)

##### 🚀 Features

-   Updates logo  -  by [@&#8203;amir20](https://github.com/amir20) in https://github.com/amir20/dozzle/issues/3340 [<samp>(96fbe)</samp>](https://github.com/amir20/dozzle/commit/96fbee9e)

##### 🐞 Bug Fixes

-   Fixes timeout flag  -  by [@&#8203;amir20](https://github.com/amir20) in https://github.com/amir20/dozzle/issues/3345 [<samp>(36a5d)</samp>](https://github.com/amir20/dozzle/commit/36a5d7e6)
-   Limit default SQL log entries to 100  -  by [@&#8203;yubiuser](https://github.com/yubiuser) in https://github.com/amir20/dozzle/issues/3346 [<samp>(cd63b)</samp>](https://github.com/amir20/dozzle/commit/cd63b5de)
-   Unfound fields are shown by default instead of hidden  -  by [@&#8203;amir20](https://github.com/amir20) in https://github.com/amir20/dozzle/issues/3342 [<samp>(c1d31)</samp>](https://github.com/amir20/dozzle/commit/c1d31313)
-   Fixes toggle all when fields have not been set for JSON  -  by [@&#8203;amir20](https://github.com/amir20) in https://github.com/amir20/dozzle/issues/3349 [<samp>(cce2e)</samp>](https://github.com/amir20/dozzle/commit/cce2e8a8)
-   **deps**: Update all non-major dependencies  -  in https://github.com/amir20/dozzle/issues/3348 [<samp>(00da1)</samp>](https://github.com/amir20/dozzle/commit/00da15c2)

##### [View changes on GitHub](https://github.com/amir20/dozzle/compare/v8.6.2...v8.7.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC4xMzIuMSIsInVwZGF0ZWRJblZlciI6IjM4LjEzMi4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Reviewed-on: #88
Co-authored-by: Renovate Bot <renovate@git.csprung.de>
Co-committed-by: Renovate Bot <renovate@git.csprung.de>
2024-10-29 18:16:46 +01:00
4143cb66d1 fix(forgejo): Fix allowed webhook hosts 2024-10-27 00:43:03 +02:00
b888cf6771 fix(games): Change to amp-dockerized to fix license missing issue (#74) (#86)
Reviewed-on: #86
2024-10-26 16:49:22 +02:00
52ca5ebfb0 feat(task): Add temp sudo convenience task 2024-10-26 16:33:21 +02:00
080833641e fix(proxy,forgejo): Limit login redirect to GET request 2024-10-26 00:23:57 +02:00
851bad94b4 chore(config): migrate renovate config (#84)
The Renovate config in this repository needs migrating. Typically this is because one or more configuration options you are using have been renamed.

  You don't need to merge this PR right away, because Renovate will continue to migrate these fields internally each time it runs. But later some of these fields may be fully deprecated and the migrations removed. So it's a good idea to merge this migration PR soon.

🔕 **Ignore**: Close this PR and you won't be reminded about config migration again, but one day your current config may no longer be valid.

 Got questions? Does something look wrong to you? Please don't hesitate to [request help here](https://github.com/renovatebot/renovate/discussions).

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Reviewed-on: #84
Co-authored-by: Renovate Bot <renovate@git.csprung.de>
Co-committed-by: Renovate Bot <renovate@git.csprung.de>
2024-10-25 23:56:33 +02:00
21 changed files with 207 additions and 44 deletions

View file

@ -29,8 +29,8 @@ FORGEJO_SSH_PORT=
MATRIX_PG_PWD= MATRIX_PG_PWD=
MATRIX_MAIL_FROM= MATRIX_MAIL_FROM=
MATRIX_MACAROON_SECRET=
# MATRIX_REGISTRATION_SECRET= # MATRIX_REGISTRATION_SECRET=
# MATRIX_MAROON_SECRET=
# MATRIX_FORM_SECRET= # MATRIX_FORM_SECRET=
HEDGEDOC_PG_PWD= HEDGEDOC_PG_PWD=
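Review bot: `MATRIX_MACAROON_SECRET=` becomes an uncommented, effectively required entry in `.env.sample` but carries no hint of what belongs in it, while the homeserver template in this same compare substitutes it verbatim into `macaroon_secret_key`. Add a trailing comment saying it is a long random string and how to produce one (for example `openssl rand -hex 32`) so an empty value does not get deployed by accident; the old commented-out `# MATRIX_MAROON_SECRET=` line is what hid the typo in the template, which is presumably the "missing macaroon key" of #71.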

112
.git-branches.toml Normal file
View file

@ -0,0 +1,112 @@
# Git Town configuration file
#
# Run "git town config setup" to add additional entries
# to this file after updating Git Town.
#
# The "push-hook" setting determines whether Git Town
# permits or prevents Git hooks while pushing branches.
# Hooks are enabled by default. If your Git hooks are slow,
# you can disable them to speed up branch syncing.
#
# When disabled, Git Town pushes using the "--no-verify" switch.
# More info at https://www.git-town.com/preferences/push-hook.
push-hook = true
# Should Git Town push the new branches it creates
# immediately to origin even if they are empty?
#
# When enabled, you can run "git push" right away
# but creating new branches is slower and
# it triggers an unnecessary CI run on the empty branch.
#
# When disabled, many Git Town commands execute faster
# and Git Town will create the missing tracking branch
# on the first run of "git town sync".
push-new-branches = false
# The "create-prototype-branches" setting determines whether Git Town
# always creates prototype branches.
# Prototype branches sync only locally and don't create a tracking branch
# until they are proposed.
#
# More info at https://www.git-town.com/preferences/create-prototype-branches.
create-prototype-branches = false
# Which method should Git Town use to ship feature branches?
#
# Options:
#
# - api: merge the proposal on your code hosting platform via the code hosting API
# - fast-forward: in your local repo, fast-forward the parent branch to point to the commits on the feature branch
# - squash-merge: in your local repo, squash-merge the feature branch into its parent branch
#
# All options update proposals of child branches and remove the shipped branch locally and remotely.
ship-strategy = "squash-merge"
# Should "git town ship" delete the tracking branch?
# You want to disable this if your code hosting platform
# (GitHub, GitLab, etc) deletes head branches when
# merging pull requests through its UI.
ship-delete-tracking-branch = false
# Should "git town sync" sync tags with origin?
sync-tags = false
# Should "git town sync" also fetch updates from the upstream remote?
#
# If an "upstream" remote exists, and this setting is enabled,
# "git town sync" will also update the local main branch
# with commits from the main branch at the upstream remote.
#
# This is useful if the repository you work on is a fork,
# and you want to keep it in sync with the repo it was forked from.
sync-upstream = false
[branches]
# The main branch is the branch from which you cut new feature branches,
# and into which you ship feature branches when they are done.
# This branch is often called "main", "master", or "development".
main = "main"
# Perennial branches are long-lived branches.
# They are never shipped and have no ancestors.
# Typically, perennial branches have names like
# "development", "staging", "qa", "production", etc.
#
# See also the "perennial-regex" setting.
perennials = []
# All branches whose name matches this regular expression
# are also considered perennial branches.
#
# If you are not sure, leave this empty.
perennial-regex = ""
[hosting]
# Knowing the type of code hosting platform allows Git Town
# to open browser URLs and talk to the code hosting API.
# Most people can leave this on "auto-detect".
# Only change this if your code hosting server uses as custom URL.
# platform = ""
# When using SSH identities, define the hostname
# of your source code repository. Only change this
# if the auto-detection does not work for you.
# origin-hostname = ""
[sync-strategy]
# How should Git Town synchronize feature branches?
# Feature branches are short-lived branches cut from
# the main branch and shipped back into the main branch.
# Typically you develop features and bug fixes on them,
# hence their name.
feature-branches = "rebase"
# How should Git Town synchronize perennial branches?
# Perennial branches have no parent branch.
# The only updates they receive are additional commits
# made to their tracking branch somewhere else.
perennial-branches = "rebase"
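Review bot: `ship-strategy = "squash-merge"` merges the feature branch locally and pushes the result to `main` itself, so it bypasses any branch protection or required review configured on the hosting side, and branches shipped this way will not carry the `Reviewed-on:` trailer that the Renovate merges in this compare have. If `main` is meant to change only through pull requests, `"api"` is the option that goes through the platform; since the `[hosting]` `platform` entry is left commented out, also confirm that auto-detection recognises the self-hosted Forgejo instance before relying on the API path.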

2
.gitignore vendored
View file

@ -3,7 +3,7 @@
.vscode .vscode
# templates # templates
backup/config.yaml setup/backup/config.yaml
services/fail2ban/jail.local services/fail2ban/jail.local
services/forgejo/app.ini services/forgejo/app.ini
services/matrix/config/homeserver.yaml services/matrix/config/homeserver.yaml
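Review bot: the ignore entry moves from `backup/config.yaml` to `setup/backup/config.yaml`, but nothing ignores the old path any more. On a checkout that still has a rendered `backup/config.yaml` from before this change, that file (which holds the borgmatic repository settings and, typically, the encryption passphrase) turns into an untracked file that `git add -A` will pick up. Either keep the old pattern for a while or make deleting the stale file part of the migration.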

View file

@ -14,17 +14,19 @@ SOFTWARE.
## Repo Structure ## Repo Structure
- `./services` Service definitions - `./services` **Service definitions**
One subfolder per service with: - One subfolder per service with:
- `docker-compose.yml` for this service and its direct dependencies (e.g. db) - `docker-compose.yml` for this service and its direct dependencies (e.g. databases or workers)
- Additional config files, possibly as template (see below) - Additional config files, possibly as template (see below)
- `./setup` Host setup - `./setup` **Host setup**
Setup information about a possible alpine host system - Setup information about a possible alpine host system
- `./tasks` Task definitions - `./tasks` **Task definitions**
- `common.yml`: Base tasks used by other tasks
- `compose.yml`: Container related tasks e.g. starting, updating, or reading logs - `compose.yml`: Container related tasks e.g. starting, updating, or reading logs
- `hot.yml`: Tasks related to host system maintenance - `dev.yml`: Useful tasks during development, e.g. adding locally signed certificates into running containers
- `host.yml`: Tasks related to host system maintenance
- `manage.yml`: Tasks about managing the list of enabled services
- `services.yml`: Tasks for specific services - `services.yml`: Tasks for specific services
- `utils.yml`: Utility tasks, mainly used as part of other tasks
## Requirements ## Requirements
@ -42,6 +44,10 @@ Copy from `.env.sample` and fill in your values.
## Deploy ## Deploy
Enable services with `./task mgmt:enable <service directory name>` and check enabled services with `./task mgmt:ls-enable`.
Then run
```sh ```sh
./task compose:up ./task compose:up
``` ```
@ -59,6 +65,12 @@ Filename pattern: `*.template.*`
Files matching the pattern are copied with the ".template." infix removed (e.g. forgejo.template.ini -> forgejo.ini). Files matching the pattern are copied with the ".template." infix removed (e.g. forgejo.template.ini -> forgejo.ini).
Variables are replaced using shell substitution syntax (`${VARIABLE_NAME_HERE}`) using the current environment and values from `.env`. Variables are replaced using shell substitution syntax (`${VARIABLE_NAME_HERE}`) using the current environment and values from `.env`.
_Note:_ Variables cannot contain other variables, only one level of template is possible.
## Host Setup ## Host Setup
A possible alpine based host setup is described in [alpine-setup](./setup/alpine-setup.md). A possible alpine based host setup is described in [/setup](./setup/README.md).
## Backup
Notes on backup and a possible config using borgmatic can be found in [/setup/backup](./setup/backup/README.md)

View file

@ -1,13 +1,17 @@
{ {
"$schema": "https://docs.renovatebot.com/renovate-schema.json", "$schema": "https://docs.renovatebot.com/renovate-schema.json",
"extends": ["config:recommended"], "extends": [
"config:recommended"
],
"ignorePaths": [ "ignorePaths": [
"tasks/**" "tasks/**"
], ],
"packageRules": [ "packageRules": [
{ {
"matchPackagePatterns": ["^woodpeckerci/"], "groupName": "woodpeckerci",
"groupName": "woodpeckerci" "matchPackageNames": [
"/^woodpeckerci//"
]
} }
] ]
} }

View file

@ -95,6 +95,6 @@ services:
image: redis:7-alpine image: redis:7-alpine
container_name: redis-authentik container_name: redis-authentik
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
command: --save 60 1 --loglevel warning command: --save 60 1
networks: networks:
- authentik - authentik
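Review bot: `--loglevel warning` is dropped without a comment explaining why, which invites someone to put it back. The default level is `notice`, at which Redis logs every background save, and `--save 60 1` triggers one whenever a key changed in the previous minute, so expect a steady trickle of save messages in the authentik redis log. If the point was to stop hiding startup warnings (this compare also adds the `vm.overcommit_memory` sysctl that Redis complains about), a one-line comment on the `command:` line would record that.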

View file

@ -3,7 +3,7 @@
services: services:
dozzle: dozzle:
image: amir20/dozzle:v8.6.2 image: amir20/dozzle:v8.7.1
container_name: dozzle container_name: dozzle
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
domainname: ${BASE_DOMAIN} domainname: ${BASE_DOMAIN}
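Review bot: the image is still pinned by tag only (`amir20/dozzle:v8.7.1`, and the same holds for the vaultwarden bump in this compare). A tag can be re-pushed by the publisher, so Renovate tracks the version but not the content. Enabling Renovate's `docker:pinDigests` preset would pin `image:` to a `@sha256:` digest and let the bot bump tag and digest together in one PR.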

View file

@ -111,7 +111,7 @@ DEFAULT_TRUST_MODEL = committer
JWT_SECRET = ${FORGEJO_JWT_SECRET} JWT_SECRET = ${FORGEJO_JWT_SECRET}
[webhook] [webhook]
ALLOWED_HOST_LIST = *.${BASE_DOMAIN} ALLOWED_HOST_LIST = *
[actions] [actions]
ENABLED = false ENABLED = false
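Review bot: `ALLOWED_HOST_LIST = *` widens webhook targets from `*.${BASE_DOMAIN}` to every host, including loopback and private addresses, so anyone who can configure a webhook on a repository can make Forgejo issue POST requests to internal services reachable from the container. If the fix was for a specific host the wildcard did not match, list that host explicitly; Forgejo accepts hostnames, IPs/CIDRs and the keywords `external`, `private` and `loopback` here, so something like `external, *.${BASE_DOMAIN}` keeps public targets working without opening the internal network.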

View file

@ -1,16 +1,15 @@
version: "3.7" version: "3.7"
# https://github.com/imagegenius/docker-amp/pkgs/container/amp # https://hub.docker.com/r/mitchtalmadge/amp-dockerized
# https://github.com/MitchTalmadge/AMP-dockerized
services: services:
games: games:
image: ghcr.io/imagegenius/amp:2.5.1-ubuntu image: mitchtalmadge/amp-dockerized:v22
container_name: games container_name: games
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
domainname: ${BASE_DOMAIN} domainname: ${BASE_DOMAIN}
mac_address: 02:42:AC:D7:11:9C # Please see the README about this field. mac_address: 02:42:AC:D7:11:9C # Please see the README about this field.
labels:
com.centurylinklabs.watchtower.enable: false
expose: expose:
- "8080" # expose amp web ui port for proxy - "8080" # expose amp web ui port for proxy
ports: ports:
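Review bot: the `com.centurylinklabs.watchtower.enable: false` label disappears along with the image swap. If a Watchtower instance runs on this host, this container becomes eligible for unattended image updates, and `mitchtalmadge/amp-dockerized:v22` reads as a major-version tag rather than a full release, so if the publisher moves it an automatic pull can change the AMP version under a running game server. Keep the label (or note in the README why it is no longer needed) and consider pinning to a full version or a digest.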
@ -18,11 +17,10 @@ services:
- 2223:2223 # AMP FTP - 2223:2223 # AMP FTP
environment: environment:
- TZ=${TIMEZONE} - TZ=${TIMEZONE}
- LICENCE=${MINECRAFT_AMP_LICENSE} - AMP_LICENCE=${MINECRAFT_AMP_LICENSE}
- MODULE=ADS - AMP_MODULE=ADS
- JAVA_VERSIONS=8
volumes: volumes:
- ${BASE_DIR:-/srv}/games:/config - ${BASE_DIR:-/srv}/games:/home/amp/.ampdata
networks: networks:
- proxy - proxy
- mail - mail
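Review bot: the volume target moves from `/config` to `/home/amp/.ampdata` while the host path `${BASE_DIR:-/srv}/games` stays the same, so a data directory laid out for the previous image is mounted as-is into a different layout; the commit message only mentions the licence problem, so the README should say whether the directory has to be recreated or migrated. Also, `AMP_LICENCE` is passed as a plain environment variable and is therefore readable through `docker inspect` and from `/proc/<pid>/environ` of every process in the container; if that is the only way the image accepts the licence, a comment saying so is enough, otherwise a mounted file would be preferable.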

View file

@ -91,7 +91,7 @@ registration_shared_secret: '${MATRIX_REGISTRATION_SECRET}'
# the registration_shared_secret is used, if one is given; otherwise, # the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key. # a secret key is derived from the signing key.
# #
macaroon_secret_key: '${MATRIX_MAROON_SECRET}' macaroon_secret_key: '${MATRIX_MACAROON_SECRET}'
# a secret which is used to calculate HMACs for form values, to stop # a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent # falsification of values. Must be specified for the User Consent
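Review bot: besides correcting the `MAROON` typo, this changes which key Synapse uses. With the old variable name nothing was substituted, and the comment above says that with no key specified Synapse falls back to `registration_shared_secret` or derives a key from the signing key; once `MATRIX_MACAROON_SECRET` is populated, anything Synapse signed with the earlier fallback key stops validating. Mention in the #71 fix that users may have to log in again, and treat the value as one that must not be rotated casually afterwards.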

View file

@ -99,6 +99,7 @@ services:
- ETURNAL_SECRET=${ETURNAL_SECRET} - ETURNAL_SECRET=${ETURNAL_SECRET}
- ETURNAL_RELAY_MIN_PORT=50000 - ETURNAL_RELAY_MIN_PORT=50000
- ETURNAL_RELAY_MAX_PORT=50050 - ETURNAL_RELAY_MAX_PORT=50050
- STUN_SERVICE=false
ports: ports:
- 3478:3478 # STUN/TURN non-TLS - 3478:3478 # STUN/TURN non-TLS
- 3478:3478/udp # STUN/TURN non-TLS - 3478:3478/udp # STUN/TURN non-TLS
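Review bot: `STUN_SERVICE=false` turns off the container's startup STUN query (the "failed query on startup" from #72), which eturnal uses to discover the host's public IP for relay candidates. With discovery disabled the relay address has to be given explicitly, and this hunk shows none; unless it is set further up in the service (eturnal's `ETURNAL_RELAY_IPV4_ADDR`), clients behind NAT will be offered relay candidates with the container's internal address. Please confirm it is set or add it next to this line.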

View file

@ -94,6 +94,7 @@ git.{$BASE_DOMAIN} {
# Auto redirect the login to SSO provider. Add `?direct=1` for local login. # Auto redirect the login to SSO provider. Add `?direct=1` for local login.
@login { @login {
method GET
path /user/login path /user/login
not query direct=1 not query direct=1
} }

View file

@ -9,7 +9,7 @@ networks:
services: services:
vaultwarden: vaultwarden:
image: ghcr.io/dani-garcia/vaultwarden:1.32.2-alpine image: ghcr.io/dani-garcia/vaultwarden:1.32.3-alpine
container_name: vaultwarden container_name: vaultwarden
restart: "${RESTART:-no}" restart: "${RESTART:-no}"
domainname: ${BASE_DOMAIN} domainname: ${BASE_DOMAIN}

View file

@ -23,25 +23,25 @@ setup-alpine
- apk mirror: `f` (detect automatically) - apk mirror: `f` (detect automatically)
- add user to your liking - add user to your liking
- SSH server: `openssh` - SSH server: `openssh`
- Select disk: `sda` - Select disk: `sda` (depending on your system)
- Disk Setup: `lvm`, then `sys` - Disk Setup: `lvm`, then `sys`
- Erase disk: `y` - Erase disk: `y`
**Setup lvm before reboot!** **Setup lvm (see next step) before reboot!**
### LVM ### LVM
https://wiki.archlinux.org/title/LVM https://wiki.archlinux.org/title/LVM
```sh ```sh
# install some needed packages # install some needed packages (only installed in live system)
apk add lvm2-extra e2fsprogs-extra device-mapper apk add lvm2-extra e2fsprogs-extra device-mapper
# list existing LVs # list existing LVs
lvs lvs
# resize existing and create missing LVs # resize existing and create missing LVs
lvresize -L <SIZE>G [-r] /dev/vg0/<LV> lvresize -L <SIZE>G [-r] /dev/vg0/<LV>
lvcreate -L <SIZE>G -n <LV NAME> vg0 lvcreate -L <SIZE>G -n <LV NAME> vg0
lvcreate -l 100%FREE -n lv_srv vg0 lvcreate -l 100%FREE -n <LV NAME> vg0
# init filesystem for each newly created LV # init filesystem for each newly created LV
mkfs.ext4 /dev/vg0/<LV> mkfs.ext4 /dev/vg0/<LV>
``` ```
@ -51,8 +51,8 @@ LV LSize Mount
lv_root 8.00g / lv_root 8.00g /
lv_logs 4.00g /var/log lv_logs 4.00g /var/log
lv_containers 20.00g /var/lib/containers lv_containers 20.00g /var/lib/containers
lv_srv =REST /srv
lv_swap =RAM swap lv_swap =RAM swap
lv_srv =REST /srv
``` ```
## Reboot into installed system ## Reboot into installed system
@ -91,18 +91,20 @@ sudo -i # use only for setup, it's not good practice to use a root shell!
### Installed Packages ### Installed Packages
Enable community repo (uncomment line):
```sh ```sh
vi /etc/apk/repositories vi /etc/apk/repositories
``` ```
Uncomment community repo Install needed packages. Check and adjust to your needs.
```sh ```sh
apk update && apk upgrade && apk add \ apk update && apk upgrade && apk add \
gettext \ gettext \
awall \ awall \
curl \
docker \ docker \
docker-compose \
docker-zsh-completion \ docker-zsh-completion \
git \ git \
htop \ htop \
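Review bot: removing `docker-compose` from the apk list (and adding `curl` to fetch it by hand) takes compose out of `apk upgrade`, so it will no longer receive updates with the rest of the host. Before committing to a manual binary, check whether Alpine's `docker-cli-compose` package, which provides compose v2 as the `docker compose` plugin, is recent enough; that keeps it under package management.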
@ -112,9 +114,6 @@ apk update && apk upgrade && apk add \
tree \ tree \
wireguard-tools \ wireguard-tools \
zsh \ zsh \
# currently not available in alpine 3.18:
docker-compose-zsh-completion \
``` ```
### zsh ### zsh
@ -192,13 +191,24 @@ https://wiki.alpinelinux.org/wiki/Docker
https://docs.docker.com/engine/logging/drivers/local/ https://docs.docker.com/engine/logging/drivers/local/
```sh ```sh
mkdir /etc/docker mkdir -p /etc/docker
cd /etc/docker cd /etc/docker
ln -vs /opt/container-server/setup/docker/daemon.json . ln -vs /opt/container-server/setup/docker/daemon.json .
rc-update add docker rc-update add docker
service docker start service docker start
``` ```
### docker-compose
https://docs.docker.com/compose/install/standalone/
docker-compose in system packages or pip is outdated, we need to install it manually
```sh
curl -SL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```
### mta ### mta
Allow system to send mail Allow system to send mail
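Review bot: the install line fetches `releases/latest/download/...` without `-f`, without pinning a version and without verifying the download, then marks the result executable. If GitHub answers with an error page, curl writes that page to `/usr/local/bin/docker-compose` and the next line makes it executable; and because `latest` moves, two hosts set up a week apart get different compose binaries with no record of which. Pin the release tag, add `-f` (or `--fail-with-body`) so HTTP errors abort, and check the file against the `checksums.txt` that the compose release publishes with `sha256sum -c` before the `chmod +x`.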
@ -213,7 +223,7 @@ Set outgoing mail server to localhost
Link the crons: Link the crons:
```sh ```sh
mkdir -p /etc/periodic/constantly/ mkdir -p /etc/periodic/always/
for part in /opt/container-server/setup/cron/*; do for part in /opt/container-server/setup/cron/*; do
ln -vs $part/* /etc/periodic/${part##*/}/ ln -vs $part/* /etc/periodic/${part##*/}/
done done
@ -225,7 +235,7 @@ crontab -e
``` ```
Add first line: `MAILTO=cron@<your domain>` Add first line: `MAILTO=cron@<your domain>`
Add following cron entry: `* * * * * run-parts /etc/periodic/constantly` Add following cron entry: `* * * * * run-parts /etc/periodic/always`
### cgroup mode ### cgroup mode
@ -237,3 +247,13 @@ reboot
``` ```
Set `rc_cgroup_mode="unified` Set `rc_cgroup_mode="unified`
### memory overcommit
https://redis.io/docs/latest/develop/get-started/faq/#background-saving-fails-with-a-fork-error-on-linux
https://www.kernel.org/doc/Documentation/vm/overcommit-accounting
```sh
cd /etc/sysctl.d
ln -vs /opt/container-server/setup/sysctl.d/* .
```
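Review bot: the symlink makes the setting persistent but does not apply it; on Alpine the `sysctl` OpenRC service reads `/etc/sysctl.d` at boot, so until a reboot or an explicit `sysctl -p /etc/sysctl.d/<file>` Redis keeps warning. Add the apply step right after the `ln` (and confirm the `sysctl` service is in the boot runlevel), otherwise the #73 fix looks done when it is not.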

View file

@ -26,6 +26,8 @@ Therefore, all database containers SHOULD follow a common naming folder scheme.
## Borgmatic ## Borgmatic
https://torsion.org/borgmatic/
Create a repo on your backup server, e.g. https://www.borgbase.com Create a repo on your backup server, e.g. https://www.borgbase.com
### Install ### Install
@ -36,6 +38,8 @@ apk add borgmatic
### Config ### Config
See config file for excluded dirs
```sh ```sh
ln -vs /opt/container-server/backup/config.yaml /etc/borgmatic/config.yaml ln -vs /opt/container-server/setup/backup/config.yaml /etc/borgmatic/config.yaml
``` ```

View file

@ -31,7 +31,7 @@ checks:
check_last: 3 check_last: 3
before_backup: before_backup:
- /opt/container-server/backup/prepare-backup.sh - /opt/container-server/setup/backup/prepare-backup.sh
after_backup: after_backup:
- /opt/container-server/backup/cleanup-backup.sh - /opt/container-server/setup/backup/cleanup-backup.sh

View file

@ -0,0 +1 @@
vm.overcommit_memory = 1
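Review bot: `vm.overcommit_memory = 1` is a host-wide setting, not something scoped to the redis containers. It tells the kernel to approve every allocation regardless of available memory, so a process that over-allocates is no longer refused by `malloc` but killed later by the OOM killer, and that applies to every container on the host, not only to the forking Redis `--save` child this is meant to fix. Acceptable for a single-purpose box, but worth a comment in the file and a sentence in the setup doc so it is not copied blindly, and pair it with memory limits on the containers that matter.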

View file

@ -28,3 +28,13 @@ tasks:
cmds: cmds:
- mkdir -p /usr/local/share/zsh/site-functions - mkdir -p /usr/local/share/zsh/site-functions
- wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task - wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task
allow-sudo:
desc: Allow sudo without password for 10s to allow sshfs mounting
cmds:
- "echo '%wheel ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/nopasswd"
- echo passwordless sudo is enabled for 10s
- sleep 10
- rm /etc/sudoers.d/nopasswd
- ls /etc/sudoers.d
- echo passwordless sudo is disabled
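Review bot: `allow-sudo` leaves passwordless sudo for the whole `wheel` group enabled permanently if anything between the `echo` and the `rm` fails or the task is interrupted, since Task stops at the first failing command and Ctrl-C skips the remaining ones. Run the sequence as one shell command with `trap 'rm -f /etc/sudoers.d/nopasswd' EXIT` so the rule is removed on any exit, and scope it to what the sshfs mount needs (one user and the specific `mount`/`sshfs` command instead of `ALL=(ALL:ALL) NOPASSWD: ALL`); during the 10 s window every process running as a wheel member can escalate, not just the mount. Two smaller points: files in `sudoers.d` are conventionally mode 0440 (`chmod 0440` after the echo), and `visudo -cf /etc/sudoers.d/nopasswd` before relying on it catches a syntax slip that would otherwise make sudo refuse to run at all.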