servnest-containers/README.md

# [ServNest](https://servnest.niv.re/) setup with Compose

## Use with Podman

### Preparation

Set the following in `~/.config/containers/containers.conf` (or `/etc/containers/containers.conf`):
```toml
[containers]
no_hosts=true
```

```shell
./reset.sh # (re)initialize data
cp data/reg/servnest.test.zone.default data/reg/servnest.test.zone
cp data/reg/test.servnest.test.zone.default data/reg/test.servnest.test.zone
./upstream.sh # download and verify upstream software
git clone https://code.antopie.org/servnest/sernvest/ core
sqlite3 core/db/servnest.db < core/db/schema.sql
echo "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';" | sqlite3 core/db/servnest.db
msgfmt core/locales/fr/C/LC_MESSAGES/messages.po -o core/locales/fr/C/LC_MESSAGES/messages.mo
cp core/config.template.ini core/config.ini
mkdir data/ht/uri/ht.servnest.test
./permissions.sh
```

### Build

Add `--no-cache` after `build` to update packages.

```shell
# build base images
podman-compose -f compose.yaml -f base.yaml build alpine
podman-compose -f compose.yaml -f base.yaml build php
# build every other service images
podman-compose build
```

### TLS certificates

```shell
podman-compose run -u root core certbot register
podman-compose run -u root core certbot register --test-cert
podman-compose run -u root core cat /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/regr.json
podman-compose run -u root core find /etc/letsencrypt/accounts/ -name regr.json -exec cat {} \;
# Set CAA records for servnest.test and ht.servnest.test
podman-compose exec -u root core certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "servnest.test"
podman-compose exec -u root core certbot certonly --config "/etc/letsencrypt/servnest.ini" -d "ht.servnest.test"
podman-compose exec -u root core certbot certonly --config "/etc/letsencrypt/servnest-dns.ini" -d "*.ht.servnest.test" --cert-name "*.ht.servnest.test"
# Update certificates paths in conf/nginx/
```

### Run

Optionally, to enable the `knot-secondary` service, uncomment `notify:` lines in `knot.conf`, then:
```shell
podman-compose --profile=secondary up knot knot-secondary # generate QUIC keys
./setup-xoq.sh # setup mutual XFR over QUIC
```

```shell
podman-compose --podman-run-args="--replace" up --detach # start containers
podman-compose logs # get logs
```

### Test

```shell
podman-compose exec core sh -c 'php$PHP_VERSION /srv/servnest/core/jobs/check.php'
```

#### Test without public IP

Before running `check.php`:

- Set [`local_only_check`](https://servnest.niv.re/back/configuration#local_only_check) to `false` in `config.ini`.
- Add the following configuration to `/etc/hosts` on the host system:
```
::1 servnest.test
::1 ht.servnest.test
::1 sftp.servnest.test
```
- For `ht`, the subdomain and dedicated site tests will fail anyway.

### Bugs

When running `up`, the only expected error messages are:
> [sftpgo] | WRN provider initialized but data loading failed: stat sftpgo.db: no such file or directory
> [tor]    | [warn] You are running Tor as root. You don't need to, and you probably shouldn't.

Podman Compose 1.2.0 randomly fails to start some services (see [issue 921](https://github.com/containers/podman-compose/issues/921)). The workaround is to retry multiple times.

### Delete old images

```shell
podman images prune
```

### Reset

```shell
podman container rm --all
podman image rm --all
podman rm $(podman container list --external -q)
docker rm $(docker ps -qa)
docker image rm -f $(docker image list -q)
```

## Use with rootless Docker

```shell
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
```

Then use the instructions for Podman but replace `podman` with `docker` in command names.

## License

This project is published under the Cooperative Nonviolent Public License No Attributions, version 7 or any later version (<abbr>CNPL-NAv7+</abbr>), as found in [`LICENSE.md`](LICENSE.md) or at <https://git.pixie.town/thufie/npl-builder>.