Compare commits
16 commits
renovate/p
...
main
Author | SHA1 | Date | |
---|---|---|---|
7f5298a532 | |||
efacb24865 | |||
26074448a4 | |||
d34bbc123e | |||
b7df942929 | |||
5301ef0cb3 | |||
87c39ae778 | |||
9baac4e669 | |||
ddda6b11b6 | |||
c190f0f29b | |||
d617e9b698 | |||
4143cb66d1 | |||
b888cf6771 | |||
52ca5ebfb0 | |||
080833641e | |||
851bad94b4 |
21 changed files with 207 additions and 44 deletions
|
@ -29,8 +29,8 @@ FORGEJO_SSH_PORT=
|
||||||
|
|
||||||
MATRIX_PG_PWD=
|
MATRIX_PG_PWD=
|
||||||
MATRIX_MAIL_FROM=
|
MATRIX_MAIL_FROM=
|
||||||
|
MATRIX_MACAROON_SECRET=
|
||||||
# MATRIX_REGISTRATION_SECRET=
|
# MATRIX_REGISTRATION_SECRET=
|
||||||
# MATRIX_MAROON_SECRET=
|
|
||||||
# MATRIX_FORM_SECRET=
|
# MATRIX_FORM_SECRET=
|
||||||
|
|
||||||
HEDGEDOC_PG_PWD=
|
HEDGEDOC_PG_PWD=
|
||||||
|
|
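--- /dev/null
+++ b/.git-branches.toml
@@ -0,0 +1,112 @@
+# Git Town configuration file
+#
+# Run "git town config setup" to add additional entries
+# to this file after updating Git Town.
+#
+# The "push-hook" setting determines whether Git Town
+# permits or prevents Git hooks while pushing branches.
+# Hooks are enabled by default. If your Git hooks are slow,
+# you can disable them to speed up branch syncing.
+#
+# When disabled, Git Town pushes using the "--no-verify" switch.
+# More info at https://www.git-town.com/preferences/push-hook.
+push-hook = true
+
+# Should Git Town push the new branches it creates
+# immediately to origin even if they are empty?
+#
+# When enabled, you can run "git push" right away
+# but creating new branches is slower and
+# it triggers an unnecessary CI run on the empty branch.
+#
+# When disabled, many Git Town commands execute faster
+# and Git Town will create the missing tracking branch
+# on the first run of "git town sync".
+push-new-branches = false
+
+# The "create-prototype-branches" setting determines whether Git Town
+# always creates prototype branches.
+# Prototype branches sync only locally and don't create a tracking branch
+# until they are proposed.
+#
+# More info at https://www.git-town.com/preferences/create-prototype-branches.
+create-prototype-branches = false
+
+# Which method should Git Town use to ship feature branches?
+#
+# Options:
+#
+# - api: merge the proposal on your code hosting platform via the code hosting API
+# - fast-forward: in your local repo, fast-forward the parent branch to point to the commits on the feature branch
+# - squash-merge: in your local repo, squash-merge the feature branch into its parent branch
+#
+# All options update proposals of child branches and remove the shipped branch locally and remotely.
+ship-strategy = "squash-merge"
+
+# Should "git town ship" delete the tracking branch?
+# You want to disable this if your code hosting platform
+# (GitHub, GitLab, etc) deletes head branches when
+# merging pull requests through its UI.
+ship-delete-tracking-branch = false
+
+# Should "git town sync" sync tags with origin?
+sync-tags = false
+
+# Should "git town sync" also fetch updates from the upstream remote?
+#
+# If an "upstream" remote exists, and this setting is enabled,
+# "git town sync" will also update the local main branch
+# with commits from the main branch at the upstream remote.
+#
+# This is useful if the repository you work on is a fork,
+# and you want to keep it in sync with the repo it was forked from.
+sync-upstream = false
+
+[branches]
+
+# The main branch is the branch from which you cut new feature branches,
+# and into which you ship feature branches when they are done.
+# This branch is often called "main", "master", or "development".
+main = "main"
+
+# Perennial branches are long-lived branches.
+# They are never shipped and have no ancestors.
+# Typically, perennial branches have names like
+# "development", "staging", "qa", "production", etc.
+#
+# See also the "perennial-regex" setting.
+perennials = []
+
+# All branches whose name matches this regular expression
+# are also considered perennial branches.
+#
+# If you are not sure, leave this empty.
+perennial-regex = ""
+
+[hosting]
+
+# Knowing the type of code hosting platform allows Git Town
+# to open browser URLs and talk to the code hosting API.
+# Most people can leave this on "auto-detect".
+# Only change this if your code hosting server uses as custom URL.
+# platform = ""
+
+# When using SSH identities, define the hostname
+# of your source code repository. Only change this
+# if the auto-detection does not work for you.
+# origin-hostname = ""
+
+[sync-strategy]
+
+# How should Git Town synchronize feature branches?
+# Feature branches are short-lived branches cut from
+# the main branch and shipped back into the main branch.
+# Typically you develop features and bug fixes on them,
+# hence their name.
+feature-branches = "rebase"
+
+# How should Git Town synchronize perennial branches?
+# Perennial branches have no parent branch.
+# The only updates they receive are additional commits
+# made to their tracking branch somewhere else.
+perennial-branches = "rebase"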
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -3,7 +3,7 @@
|
||||||
.vscode
|
.vscode
|
||||||
|
|
||||||
# templates
|
# templates
|
||||||
backup/config.yaml
|
setup/backup/config.yaml
|
||||||
services/fail2ban/jail.local
|
services/fail2ban/jail.local
|
||||||
services/forgejo/app.ini
|
services/forgejo/app.ini
|
||||||
services/matrix/config/homeserver.yaml
|
services/matrix/config/homeserver.yaml
|
||||||
|
|
32
README.md
32
README.md
|
@ -14,17 +14,19 @@ SOFTWARE.
|
||||||
|
|
||||||
## Repo Structure
|
## Repo Structure
|
||||||
|
|
||||||
- `./services` Service definitions
|
- `./services` **Service definitions**
|
||||||
One subfolder per service with:
|
- One subfolder per service with:
|
||||||
- `docker-compose.yml` for this service and its direct dependencies (e.g. db)
|
- `docker-compose.yml` for this service and its direct dependencies (e.g. databases or workers)
|
||||||
- Additional config files, possibly as template (see below)
|
- Additional config files, possibly as template (see below)
|
||||||
- `./setup` Host setup
|
- `./setup` **Host setup**
|
||||||
Setup information about a possible alpine host system
|
- Setup information about a possible alpine host system
|
||||||
- `./tasks` Task definitions
|
- `./tasks` **Task definitions**
|
||||||
- `common.yml`: Base tasks used by other tasks
|
|
||||||
- `compose.yml`: Container related tasks e.g. starting, updating, or reading logs
|
- `compose.yml`: Container related tasks e.g. starting, updating, or reading logs
|
||||||
- `hot.yml`: Tasks related to host system maintenance
|
- `dev.yml`: Useful tasks during development, e.g. adding locally signed certificates into running containers
|
||||||
|
- `host.yml`: Tasks related to host system maintenance
|
||||||
|
- `manage.yml`: Tasks about managing the list of enabled services
|
||||||
- `services.yml`: Tasks for specific services
|
- `services.yml`: Tasks for specific services
|
||||||
|
- `utils.yml`: Utility tasks, mainly used as part of other tasks
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
|
@ -42,6 +44,10 @@ Copy from `.env.sample` and fill in your values.
|
||||||
|
|
||||||
## Deploy
|
## Deploy
|
||||||
|
|
||||||
|
Enable services with `./task mgmt:enable <service directory name>` and check enabled services with `./task mgmt:ls-enable`.
|
||||||
|
|
||||||
|
Then run
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
./task compose:up
|
./task compose:up
|
||||||
```
|
```
|
||||||
|
@ -59,6 +65,12 @@ Filename pattern: `*.template.*`
|
||||||
Files matching the pattern are copied with the ".template." infix removed (e.g. forgejo.template.ini -> forgejo.ini).
|
Files matching the pattern are copied with the ".template." infix removed (e.g. forgejo.template.ini -> forgejo.ini).
|
||||||
Variables are replaced using shell substitution syntax (`${VARIABLE_NAME_HERE}`) using the current environment and values from `.env`.
|
Variables are replaced using shell substitution syntax (`${VARIABLE_NAME_HERE}`) using the current environment and values from `.env`.
|
||||||
|
|
||||||
|
_Note:_ Variables cannot contain other variables, only one level of template is possible.
|
||||||
|
|
||||||
## Host Setup
|
## Host Setup
|
||||||
|
|
||||||
A possible alpine based host setup is described in [alpine-setup](./setup/alpine-setup.md).
|
A possible alpine based host setup is described in [/setup](./setup/README.md).
|
||||||
|
|
||||||
|
## Backup
|
||||||
|
|
||||||
|
Notes on backup and a possible config using borgmatic can be found in [/setup/backup](./setup/backup/README.md)
|
||||||
|
|
|
@ -1,13 +1,17 @@
|
||||||
{
|
{
|
||||||
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
|
||||||
"extends": ["config:recommended"],
|
"extends": [
|
||||||
|
"config:recommended"
|
||||||
|
],
|
||||||
"ignorePaths": [
|
"ignorePaths": [
|
||||||
"tasks/**"
|
"tasks/**"
|
||||||
],
|
],
|
||||||
"packageRules": [
|
"packageRules": [
|
||||||
{
|
{
|
||||||
"matchPackagePatterns": ["^woodpeckerci/"],
|
"groupName": "woodpeckerci",
|
||||||
"groupName": "woodpeckerci"
|
"matchPackageNames": [
|
||||||
|
"/^woodpeckerci//"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
|
@ -95,6 +95,6 @@ services:
|
||||||
image: redis:7-alpine
|
image: redis:7-alpine
|
||||||
container_name: redis-authentik
|
container_name: redis-authentik
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
command: --save 60 1 --loglevel warning
|
command: --save 60 1
|
||||||
networks:
|
networks:
|
||||||
- authentik
|
- authentik
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
|
|
||||||
services:
|
services:
|
||||||
dozzle:
|
dozzle:
|
||||||
image: amir20/dozzle:v8.6.2
|
image: amir20/dozzle:v8.7.1
|
||||||
container_name: dozzle
|
container_name: dozzle
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
domainname: ${BASE_DOMAIN}
|
domainname: ${BASE_DOMAIN}
|
||||||
|
|
|
@ -111,7 +111,7 @@ DEFAULT_TRUST_MODEL = committer
|
||||||
JWT_SECRET = ${FORGEJO_JWT_SECRET}
|
JWT_SECRET = ${FORGEJO_JWT_SECRET}
|
||||||
|
|
||||||
[webhook]
|
[webhook]
|
||||||
ALLOWED_HOST_LIST = *.${BASE_DOMAIN}
|
ALLOWED_HOST_LIST = *
|
||||||
|
|
||||||
[actions]
|
[actions]
|
||||||
ENABLED = false
|
ENABLED = false
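Review bot: Assuming the second `ALLOWED_HOST_LIST` line is the new side, `[webhook]` now accepts `*`, which in Forgejo matches every host, loopback and private ranges included. Any account that can configure a webhook could then make the server send requests to internal services on the container networks. If the goal is to reach hooks outside `${BASE_DOMAIN}`, `ALLOWED_HOST_LIST = external, *.${BASE_DOMAIN}` keeps internal addresses excluded. If `*` is really required, add a comment above the key explaining why and which deployments it is acceptable for.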
|
||||||
|
|
|
@ -1,16 +1,15 @@
|
||||||
version: "3.7"
|
version: "3.7"
|
||||||
|
|
||||||
# https://github.com/imagegenius/docker-amp/pkgs/container/amp
|
# https://hub.docker.com/r/mitchtalmadge/amp-dockerized
|
||||||
|
# https://github.com/MitchTalmadge/AMP-dockerized
|
||||||
|
|
||||||
services:
|
services:
|
||||||
games:
|
games:
|
||||||
image: ghcr.io/imagegenius/amp:2.5.1-ubuntu
|
image: mitchtalmadge/amp-dockerized:v22
|
||||||
container_name: games
|
container_name: games
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
domainname: ${BASE_DOMAIN}
|
domainname: ${BASE_DOMAIN}
|
||||||
mac_address: 02:42:AC:D7:11:9C # Please see the README about this field.
|
mac_address: 02:42:AC:D7:11:9C # Please see the README about this field.
|
||||||
labels:
|
|
||||||
com.centurylinklabs.watchtower.enable: false
|
|
||||||
expose:
|
expose:
|
||||||
- "8080" # expose amp web ui port for proxy
|
- "8080" # expose amp web ui port for proxy
|
||||||
ports:
|
ports:
|
||||||
|
@ -18,11 +17,10 @@ services:
|
||||||
- 2223:2223 # AMP FTP
|
- 2223:2223 # AMP FTP
|
||||||
environment:
|
environment:
|
||||||
- TZ=${TIMEZONE}
|
- TZ=${TIMEZONE}
|
||||||
- LICENCE=${MINECRAFT_AMP_LICENSE}
|
- AMP_LICENCE=${MINECRAFT_AMP_LICENSE}
|
||||||
- MODULE=ADS
|
- AMP_MODULE=ADS
|
||||||
- JAVA_VERSIONS=8
|
|
||||||
volumes:
|
volumes:
|
||||||
- ${BASE_DIR:-/srv}/games:/config
|
- ${BASE_DIR:-/srv}/games:/home/amp/.ampdata
|
||||||
networks:
|
networks:
|
||||||
- proxy
|
- proxy
|
||||||
- mail
|
- mail
|
||||||
|
|
|
@ -91,7 +91,7 @@ registration_shared_secret: '${MATRIX_REGISTRATION_SECRET}'
|
||||||
# the registration_shared_secret is used, if one is given; otherwise,
|
# the registration_shared_secret is used, if one is given; otherwise,
|
||||||
# a secret key is derived from the signing key.
|
# a secret key is derived from the signing key.
|
||||||
#
|
#
|
||||||
macaroon_secret_key: '${MATRIX_MAROON_SECRET}'
|
macaroon_secret_key: '${MATRIX_MACAROON_SECRET}'
|
||||||
|
|
||||||
# a secret which is used to calculate HMACs for form values, to stop
|
# a secret which is used to calculate HMACs for form values, to stop
|
||||||
# falsification of values. Must be specified for the User Consent
|
# falsification of values. Must be specified for the User Consent
|
||||||
|
|
|
@ -99,6 +99,7 @@ services:
|
||||||
- ETURNAL_SECRET=${ETURNAL_SECRET}
|
- ETURNAL_SECRET=${ETURNAL_SECRET}
|
||||||
- ETURNAL_RELAY_MIN_PORT=50000
|
- ETURNAL_RELAY_MIN_PORT=50000
|
||||||
- ETURNAL_RELAY_MAX_PORT=50050
|
- ETURNAL_RELAY_MAX_PORT=50050
|
||||||
|
- STUN_SERVICE=false
|
||||||
ports:
|
ports:
|
||||||
- 3478:3478 # STUN/TURN non-TLS
|
- 3478:3478 # STUN/TURN non-TLS
|
||||||
- 3478:3478/udp # STUN/TURN non-TLS
|
- 3478:3478/udp # STUN/TURN non-TLS
|
||||||
|
|
|
@ -94,6 +94,7 @@ git.{$BASE_DOMAIN} {
|
||||||
|
|
||||||
# Auto redirect the login to SSO provider. Add `?direct=1` for local login.
|
# Auto redirect the login to SSO provider. Add `?direct=1` for local login.
|
||||||
@login {
|
@login {
|
||||||
|
method GET
|
||||||
path /user/login
|
path /user/login
|
||||||
not query direct=1
|
not query direct=1
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,7 +9,7 @@ networks:
|
||||||
|
|
||||||
services:
|
services:
|
||||||
vaultwarden:
|
vaultwarden:
|
||||||
image: ghcr.io/dani-garcia/vaultwarden:1.32.2-alpine
|
image: ghcr.io/dani-garcia/vaultwarden:1.32.3-alpine
|
||||||
container_name: vaultwarden
|
container_name: vaultwarden
|
||||||
restart: "${RESTART:-no}"
|
restart: "${RESTART:-no}"
|
||||||
domainname: ${BASE_DOMAIN}
|
domainname: ${BASE_DOMAIN}
|
||||||
|
|
|
@ -23,25 +23,25 @@ setup-alpine
|
||||||
- apk mirror: `f` (detect automatically)
|
- apk mirror: `f` (detect automatically)
|
||||||
- add user to your liking
|
- add user to your liking
|
||||||
- SSH server: `openssh`
|
- SSH server: `openssh`
|
||||||
- Select disk: `sda`
|
- Select disk: `sda` (depending on your system)
|
||||||
- Disk Setup: `lvm`, then `sys`
|
- Disk Setup: `lvm`, then `sys`
|
||||||
- Erase disk: `y`
|
- Erase disk: `y`
|
||||||
|
|
||||||
**Setup lvm before reboot!**
|
**Setup lvm (see next step) before reboot!**
|
||||||
|
|
||||||
### LVM
|
### LVM
|
||||||
|
|
||||||
https://wiki.archlinux.org/title/LVM
|
https://wiki.archlinux.org/title/LVM
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
# install some needed packages
|
# install some needed packages (only installed in live system)
|
||||||
apk add lvm2-extra e2fsprogs-extra device-mapper
|
apk add lvm2-extra e2fsprogs-extra device-mapper
|
||||||
# list existing LVs
|
# list existing LVs
|
||||||
lvs
|
lvs
|
||||||
# resize existing and create missing LVs
|
# resize existing and create missing LVs
|
||||||
lvresize -L <SIZE>G [-r] /dev/vg0/<LV>
|
lvresize -L <SIZE>G [-r] /dev/vg0/<LV>
|
||||||
lvcreate -L <SIZE>G -n <LV NAME> vg0
|
lvcreate -L <SIZE>G -n <LV NAME> vg0
|
||||||
lvcreate -l 100%FREE -n lv_srv vg0
|
lvcreate -l 100%FREE -n <LV NAME> vg0
|
||||||
# init filesystem for each newly created LV
|
# init filesystem for each newly created LV
|
||||||
mkfs.ext4 /dev/vg0/<LV>
|
mkfs.ext4 /dev/vg0/<LV>
|
||||||
```
|
```
|
||||||
|
@ -51,8 +51,8 @@ LV LSize Mount
|
||||||
lv_root 8.00g /
|
lv_root 8.00g /
|
||||||
lv_logs 4.00g /var/log
|
lv_logs 4.00g /var/log
|
||||||
lv_containers 20.00g /var/lib/containers
|
lv_containers 20.00g /var/lib/containers
|
||||||
lv_srv =REST /srv
|
|
||||||
lv_swap =RAM swap
|
lv_swap =RAM swap
|
||||||
|
lv_srv =REST /srv
|
||||||
```
|
```
|
||||||
|
|
||||||
## Reboot into installed system
|
## Reboot into installed system
|
||||||
|
@ -91,18 +91,20 @@ sudo -i # use only for setup, it's not good practice to use a root shell!
|
||||||
|
|
||||||
### Installed Packages
|
### Installed Packages
|
||||||
|
|
||||||
|
Enable community repo (uncomment line):
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
vi /etc/apk/repositories
|
vi /etc/apk/repositories
|
||||||
```
|
```
|
||||||
|
|
||||||
Uncomment community repo
|
Install needed packages. Check and adjust to your needs.
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
apk update && apk upgrade && apk add \
|
apk update && apk upgrade && apk add \
|
||||||
gettext \
|
gettext \
|
||||||
awall \
|
awall \
|
||||||
|
curl \
|
||||||
docker \
|
docker \
|
||||||
docker-compose \
|
|
||||||
docker-zsh-completion \
|
docker-zsh-completion \
|
||||||
git \
|
git \
|
||||||
htop \
|
htop \
|
||||||
|
@ -112,9 +114,6 @@ apk update && apk upgrade && apk add \
|
||||||
tree \
|
tree \
|
||||||
wireguard-tools \
|
wireguard-tools \
|
||||||
zsh \
|
zsh \
|
||||||
|
|
||||||
# currently not available in alpine 3.18:
|
|
||||||
docker-compose-zsh-completion \
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### zsh
|
### zsh
|
||||||
|
@ -192,13 +191,24 @@ https://wiki.alpinelinux.org/wiki/Docker
|
||||||
https://docs.docker.com/engine/logging/drivers/local/
|
https://docs.docker.com/engine/logging/drivers/local/
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
mkdir /etc/docker
|
mkdir -p /etc/docker
|
||||||
cd /etc/docker
|
cd /etc/docker
|
||||||
ln -vs /opt/container-server/setup/docker/daemon.json .
|
ln -vs /opt/container-server/setup/docker/daemon.json .
|
||||||
rc-update add docker
|
rc-update add docker
|
||||||
service docker start
|
service docker start
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### docker-compose
|
||||||
|
|
||||||
|
https://docs.docker.com/compose/install/standalone/
|
||||||
|
|
||||||
|
docker-compose in system packages or pip is outdated, we need to install it manually
|
||||||
|
|
||||||
|
```sh
|
||||||
|
curl -SL https://github.com/docker/compose/releases/latest/download/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
|
||||||
|
chmod +x /usr/local/bin/docker-compose
|
||||||
|
```
|
||||||
|
|
||||||
### mta
|
### mta
|
||||||
|
|
||||||
Allow system to send mail
|
Allow system to send mail
|
||||||
|
@ -213,7 +223,7 @@ Set outgoing mail server to localhost
|
||||||
|
|
||||||
Link the crons:
|
Link the crons:
|
||||||
```sh
|
```sh
|
||||||
mkdir -p /etc/periodic/constantly/
|
mkdir -p /etc/periodic/always/
|
||||||
for part in /opt/container-server/setup/cron/*; do
|
for part in /opt/container-server/setup/cron/*; do
|
||||||
ln -vs $part/* /etc/periodic/${part##*/}/
|
ln -vs $part/* /etc/periodic/${part##*/}/
|
||||||
done
|
done
|
||||||
|
@ -225,7 +235,7 @@ crontab -e
|
||||||
```
|
```
|
||||||
|
|
||||||
Add first line: `MAILTO=cron@<your domain>`
|
Add first line: `MAILTO=cron@<your domain>`
|
||||||
Add following cron entry: `* * * * * run-parts /etc/periodic/constantly`
|
Add following cron entry: `* * * * * run-parts /etc/periodic/always`
|
||||||
|
|
||||||
### cgroup mode
|
### cgroup mode
|
||||||
|
|
||||||
|
@ -237,3 +247,13 @@ reboot
|
||||||
```
|
```
|
||||||
|
|
||||||
Set `rc_cgroup_mode="unified`
|
Set `rc_cgroup_mode="unified`
|
||||||
|
|
||||||
|
### memory overcommit
|
||||||
|
|
||||||
|
https://redis.io/docs/latest/develop/get-started/faq/#background-saving-fails-with-a-fork-error-on-linux
|
||||||
|
https://www.kernel.org/doc/Documentation/vm/overcommit-accounting
|
||||||
|
|
||||||
|
```sh
|
||||||
|
cd /etc/sysctl.d
|
||||||
|
ln -vs /opt/container-server/setup/sysctl.d/* .
|
||||||
|
```
|
|
@ -26,6 +26,8 @@ Therefore, all database containers SHOULD follow a common naming folder scheme.
|
||||||
|
|
||||||
## Borgmatic
|
## Borgmatic
|
||||||
|
|
||||||
|
https://torsion.org/borgmatic/
|
||||||
|
|
||||||
Create a repo on your backup server, e.g. https://www.borgbase.com
|
Create a repo on your backup server, e.g. https://www.borgbase.com
|
||||||
|
|
||||||
### Install
|
### Install
|
||||||
|
@ -36,6 +38,8 @@ apk add borgmatic
|
||||||
|
|
||||||
### Config
|
### Config
|
||||||
|
|
||||||
|
See config file for excluded dirs
|
||||||
|
|
||||||
```sh
|
```sh
|
||||||
ln -vs /opt/container-server/backup/config.yaml /etc/borgmatic/config.yaml
|
ln -vs /opt/container-server/setup/backup/config.yaml /etc/borgmatic/config.yaml
|
||||||
```
|
```
|
|
@ -31,7 +31,7 @@ checks:
|
||||||
check_last: 3
|
check_last: 3
|
||||||
|
|
||||||
before_backup:
|
before_backup:
|
||||||
- /opt/container-server/backup/prepare-backup.sh
|
- /opt/container-server/setup/backup/prepare-backup.sh
|
||||||
|
|
||||||
after_backup:
|
after_backup:
|
||||||
- /opt/container-server/backup/cleanup-backup.sh
|
- /opt/container-server/setup/backup/cleanup-backup.sh
|
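--- /dev/null
+++ b/setup/sysctl.d/redis-memory-overcommit.conf
@@ -0,0 +1 @@
+vm.overcommit_memory = 1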
|
@ -28,3 +28,13 @@ tasks:
|
||||||
cmds:
|
cmds:
|
||||||
- mkdir -p /usr/local/share/zsh/site-functions
|
- mkdir -p /usr/local/share/zsh/site-functions
|
||||||
- wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task
|
- wget -O /usr/local/share/zsh/site-functions/_task https://raw.githubusercontent.com/go-task/task/master/completion/zsh/_task
|
||||||
|
|
||||||
|
allow-sudo:
|
||||||
|
desc: Allow sudo without password for 10s to allow sshfs mounting
|
||||||
|
cmds:
|
||||||
|
- "echo '%wheel ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/nopasswd"
|
||||||
|
- echo passwordless sudo is enabled for 10s
|
||||||
|
- sleep 10
|
||||||
|
- rm /etc/sudoers.d/nopasswd
|
||||||
|
- ls /etc/sudoers.d
|
||||||
|
- echo passwordless sudo is disabled
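Review bot: `allow-sudo` reaches `rm /etc/sudoers.d/nopasswd` only if every earlier command completes, so a failed step or an interrupt during `sleep 10` leaves `%wheel ALL=(ALL:ALL) NOPASSWD: ALL` in place indefinitely. Registering the cleanup as the first command with Task's deferred form, `- defer: rm -f /etc/sudoers.d/nopasswd`, makes removal run when a later step fails; whether it also covers an interrupt should be verified. The rule also grants every command to the whole `wheel` group, where a rule limited to the account and the mount command sshfs needs would expose less during the window. The `desc` should state that the task must run as root and that the drop-in is temporary.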
|
||||||
|
|