move container/ tree at root, del mkosi, add certbot

.env

@@ -1,2 +1,2 @@
-SYS=container/alpine-minirootfs-3.20.0-x86_64.tar.gz
-SFTPGO=container/sftpgo-2.6.0.tar.gz
+SYS=alpine-minirootfs-3.20.2-x86_64.tar.gz
+SFTPGO=sftpgo-v2.6.2.tar.gz

.gitignore

@@ -1,4 +1,19 @@
-/mkosi.passphrase
-/mkosi.passwd
-/mkosi.extra/root/.ssh/authorized_keys
-/mkosi.extra/usr/local/bin/sftpgo
+/*.tar.gz
+/letsencrypt-logs/letsencrypt.log*
+/letsencrypt-etc/live/*
+/letsencrypt-etc/archive/*
+/letsencrypt-etc/renewal/*.conf
+/servnest/ht/fs/*
+/servnest/ht/uri/ht.servnest.test/*
+/servnest/ht/uri/*
+/servnest/ns/*.zone
+/servnest/reg/servnest.test.zone
+/servnest/reg/test.servnest.test.zone
+/servnest/tor-config/*
+/sftpgo-logs/sftpgo.log
+/php-logs/error.log
+/nginx-logs/servnest-access.log
+/nginx-logs/error.log
+/apache-logs/error.log
+/letsencrypt-etc/accounts/acme-staging-v02.api.letsencrypt.org/directory/*/*.json
+/knot-sock/knot.pid

README.md

@@ -1,35 +1,15 @@
-# ServNest system images generator
 
-This is the sources to build system images of ServNest using mkosi 22. You can then use them with systemd-nspawn.
 
-This repository also contains configuration files and installation scripts inside `install` that may also be useful for the manual installation process, without mkosi.
-
-## Usage
-
-This generator allows to build images for both Arch Linux and Debian, you can replace `<sysid>` by either `sn-arch` or `sn-debian` in the following examples. Note that mkosi may require tools that are not available on your distribution.
-
-First:
-- Put the ServNest source code inside `mkosi.extra/srv/servnest/core/`
-- Put a SFTPGo binary compiled as bundle in `mkosi.extra/usr/local/bin/sftpgo` (`mkosi.extra/root/sftpgo.sh` is provided for this purpose)
-- Put your SSH public key in `mkosi.extra/root/.ssh/authorized_keys`
-
-You can generate a new image in `/var/lib/machines/<sysid>` by running `mkosi --force --image <sysid> build` from this repository (`--force` erases an already existing image).
-
-You need to copy `mkosi.nspawn` into `/etc/systemd/nspawn/<sysid>.nspawn` to allow the container to use network without restrictions.
-
-You can then boot the container:
-```shell
-machinectl start <sysid>
-machinectl shell <sysid>
+Set the following in `~/.config/containers/containers.conf` (or `/etc/containers/containers.conf`):
+```toml
+[containers]
+no_hosts=true
 ```
 
-The full explanation of the structure in this repository can be found on the mkosi manpage. Here is a summary of what mkosi will do in this repository:
-
-1. Load configuration from `mkosi.default` and `mkosi.default.d/<sysid>/mkosi.default`
-2. Install packages according to configuration
-3. Copy this repository to the container root
-4. Run `mkosi.postinst`, which runs specific scripts inside `install`, which do configuration (depending on the distribution)
-
-## License
-
-ServNest system images generator is ethical libre software: you can use, redistribute or modify it under the terms of the CNPL-NAv7+ as found in LICENSE.md or at <https://git.pixie.town/thufie/npl-builder>.
+```shell
+wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-minirootfs-3.20.2-x86_64.tar.gz
+wget https://github.com/drakkan/sftpgo/archive/refs/tags/v2.6.2.tar.gz -o sftpgo-v2.6.2.tar.gz
+sha256sum -c sha256sums
+podman-compose up --build
+podman-compose exec php php /srv/servnest/core/jobs/check.php
+```

base.yaml

@@ -9,3 +9,5 @@ services:
       - no-new-privileges:true
     cap_drop:
       - ALL
+    read_only: true
+    restart: "always"

compose.yaml

@@ -5,21 +5,22 @@ services:
       file: base.yaml
       service: base
     build:
-      dockerfile: container/tor.Containerfile
+      dockerfile: tor.Containerfile
     volumes:
-      - ./container/tor-client/:/run/tor-client/:rw
-      - ./container/tor-control/:/run/tor-control/:rw
-      - ./container/nginx-onion-sock/:/run/nginx-onion/:rw
-      - ./mkosi.extra/srv/servnest/tor-keys/:/srv/servnest/tor-keys/:rw
-      - ./mkosi.extra/srv/servnest/tor-config/:/srv/servnest/tor-config/:ro
-      - ./mkosi.extra/install/torrc:/etc/tor/torrc:ro
+      - ./tor-client/:/run/tor-client/:rw
+      - ./tor-control/:/run/tor-control/:rw
+      - ./nginx-onion-sock/:/run/nginx-onion/:rw
+      - ./servnest/tor-keys/:/srv/servnest/tor-keys/:rw
+      - ./servnest/tor-config/:/srv/servnest/tor-config/:ro
+      - ./install/torrc:/etc/tor/torrc:ro
     mem_limit: 128m
+    read_only: false
   sftpgo:
     extends:
       file: base.yaml
       service: base
     build:
-      dockerfile: container/sftpgo.Containerfile
+      dockerfile: sftpgo.Containerfile
       args:
         SFTPGO: $SFTPGO
     ports:
@@ -27,38 +28,41 @@ services:
     links:
       - nginx:servnest.test
     volumes:
-      - ./mkosi.extra/srv/servnest/ht/fs/:/srv/servnest/ht/fs/:rw
-      - ./mkosi.extra/install/sftpgo.toml:/etc/sftpgo/sftpgo.toml:ro
+      - ./sftpgo-logs/:/var/log/sftpgo/:rw
+      - ./servnest/ht/fs/:/srv/servnest/ht/fs/:rw
+      - ./install/sftpgo.toml:/etc/sftpgo/sftpgo.toml:ro
     mem_limit: 256mb
   knot:
     extends:
       file: base.yaml
       service: base
     build:
-      dockerfile: container/knot.Containerfile
+      dockerfile: knot.Containerfile
     ports:
       - "[::1]:42053:42053/udp"
       - "[::1]:42053:42053/tcp"
     volumes:
-      - ./container/knot-sock/:/run/knot/:rw
-      - ./mkosi.extra/srv/servnest/reg/:/srv/servnest/reg/:rw
-      - ./mkosi.extra/srv/servnest/ns/:/srv/servnest/ns/:rw
+      - ./knot-sock/:/run/knot/:rw
+      - ./servnest/reg/:/srv/servnest/reg/:rw
+      - ./servnest/ns/:/srv/servnest/ns/:rw
+    read_only: false
   apache:
     extends:
       file: base.yaml
       service: base
     build:
-      dockerfile: container/apache.Containerfile
+      dockerfile: apache.Containerfile
     volumes:
-      - ./mkosi.extra/srv/servnest/ht/:/srv/servnest/ht/:ro
-      - ./mkosi.extra/install/http-messages/:/srv/servnest/ht/http-messages/:ro
-      - ./mkosi.extra/install/apache/:/etc/apache2/:ro
+      - ./apache-logs/:/var/log/apache2/:rw
+      - ./servnest/ht/:/srv/servnest/ht/:ro
+      - ./install/http-messages/:/srv/servnest/ht/http-messages/:ro
+      - ./install/apache/:/etc/apache2/:ro
   php:
     extends:
       file: base.yaml
       service: base
     build:
-      dockerfile: container/php.Containerfile
+      dockerfile: php.Containerfile
     group_add:
       - knot
       - tor
@@ -67,25 +71,29 @@ services:
       - nginx:ht.servnest.test
       - sftpgo:sftp.servnest.test
     volumes:
-      - ./mkosi.extra/srv/servnest/core/:/srv/servnest/core/:ro
-      - ./mkosi.extra/srv/servnest/core/db/:/srv/servnest/core/db/:rw
-      - ./mkosi.extra/srv/servnest/reg/:/srv/servnest/reg/:rw
-      - ./mkosi.extra/srv/servnest/ns/:/srv/servnest/ns/:rw
-      - ./mkosi.extra/srv/servnest/acme/:/srv/servnest/acme/:rw
-      - ./mkosi.extra/srv/servnest/ht/fs/:/srv/servnest/ht/fs/:rw
-      - ./mkosi.extra/srv/servnest/ht/uri/:/srv/servnest/ht/uri/:rw
-      - ./mkosi.extra/srv/servnest/tor-config/:/srv/servnest/tor-config/:rw
-      - ./mkosi.extra/srv/servnest/tor-keys/:/srv/servnest/tor-keys/:rw
-      - ./container/php-sock/:/run/php-fpm/:rw
-      - ./container/tor-client/:/run/tor-client/:rw
-      - ./container/tor-control/:/run/tor-control/:rw
-      - ./container/knot-sock/:/run/knot/:rw
-      - ./mkosi.extra/install/php.ini:/etc/php82/conf.d/servnest.ini:ro
-      - ./mkosi.extra/install/php-fpm.conf:/etc/php83/php-fpm.d/servnest.conf:ro
-      - ./mkosi.extra/install/sudoers:/etc/sudoers.d/servnest:ro
-      - ./mkosi.extra/install/certbot.ini:/etc/letsencrypt/servnest.ini:ro
-      - ./mkosi.extra/install/certbot-deploy-hook.sh:/root/certbot-deploy-hook.sh:ro
-    mem_limit: 32mb
+      - ./php-logs/:/var/log/php83/:rw
+      - ./servnest/core/:/srv/servnest/core/:ro
+      - ./servnest/core/db/:/srv/servnest/core/db/:rw
+      - ./servnest/reg/:/srv/servnest/reg/:rw
+      - ./servnest/ns/:/srv/servnest/ns/:rw
+      - ./servnest/acme/:/srv/servnest/acme/:rw
+      - ./servnest/ht/fs/:/srv/servnest/ht/fs/:rw
+      - ./servnest/ht/uri/:/srv/servnest/ht/uri/:rw
+      - ./servnest/tor-config/:/srv/servnest/tor-config/:rw
+      - ./servnest/tor-keys/:/srv/servnest/tor-keys/:rw
+      - ./php-sock/:/run/php-fpm/:rw
+      - ./tor-client/:/run/tor-client/:rw
+      - ./tor-control/:/run/tor-control/:rw
+      - ./knot-sock/:/run/knot/:rw
+      - ./install/php.ini:/etc/php82/conf.d/servnest.ini:ro
+      - ./install/php-fpm.conf:/etc/php83/php-fpm.d/servnest.conf:ro
+      - ./install/sudoers:/etc/sudoers.d/servnest:ro
+      - ./letsencrypt-etc/:/etc/letsencrypt/:rw
+      - ./letsencrypt-varlib/:/var/lib/letsencrypt/:rw
+      - ./letsencrypt-logs/:/var/log/letsencrypt/:rw
+      - ./install/certbot.ini:/etc/letsencrypt/servnest.ini:ro
+      - ./install/certbot-deploy-hook.sh:/root/certbot-deploy-hook.sh:ro
+    mem_limit: 256mb
     # For sudo
     security_opt:
       - no-new-privileges:false
@@ -98,15 +106,19 @@ services:
       file: base.yaml
       service: base
     build:
-      dockerfile: container/nginx.Containerfile
+      dockerfile: nginx.Containerfile
     ports:
       - "[::1]:42080:42080/tcp"
       - "[::1]:42443:42443/tcp"
     depends_on:
       - apache
     volumes:
-      - ./mkosi.extra/srv/servnest/core/:/srv/servnest/core/:ro
-      - ./mkosi.extra/srv/servnest/acme/:/srv/servnest/acme/:ro
-      - ./container/php-sock/:/run/php-fpm/:rw
-      - ./container/nginx-onion-sock/:/run/nginx-onion/:rw
-      - ./mkosi.extra/install/nginx/:/etc/nginx/:ro
+      - ./nginx-logs/:/var/lib/nginx/logs/:rw
+      - ./nginx-tmp/:/var/lib/nginx/tmp/:rw
+      - ./servnest/core/:/srv/servnest/core/:ro
+      - ./servnest/acme/:/srv/servnest/acme/:ro
+      - ./letsencrypt-etc/live/:/etc/letsencrypt/live/:ro
+      - ./letsencrypt-etc/archive/:/etc/letsencrypt/archive/:ro
+      - ./php-sock/:/run/php-fpm/:rw
+      - ./nginx-onion-sock/:/run/nginx-onion/:rw
+      - ./install/nginx/:/etc/nginx/:ro

container/README.md

@@ -1,27 +0,0 @@
-
-
-~/.config/containers/containers.conf:
-```toml
-[containers]
-no_hosts=true
-```
-
-```shell
-wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-minirootfs-3.20.0-x86_64.tar.gz
-podman build -f php.Dockerfile
-podman-compose up --build
-
-```shell
-#docker buildx build nginx -t nginx
-clear && docker compose up --force-recreate --build -d --remove-orphans && docker compose logs
-#docker exec -it dcfe0b3360e2 ash
-docker compose exec nginx ash
-```
-
-In `/etc/docker/daemon.json`:
-`/sbin/ip route|awk '/default/ { print $3 }'`
-```json
-{
-	"dns": ["::1"]
-}
-```

install/certbot.ini

@@ -3,7 +3,7 @@ non-interactive
 agree-tos
 no-eff-email
 ; Set your email address
-email = "address@invalid"
+email = "address@test.org"
 
 webroot
 webroot-path = "/srv/servnest/acme"

install/nginx/sites/dns.conf

@@ -5,8 +5,8 @@ server {
 	listen 0.0.0.0:42443 ssl default_server;
 	http2 on;
 
-	ssl_certificate /etc/ssl/certs/${ssl_server_name}.crt;
-	ssl_certificate_key /etc/ssl/private/${ssl_server_name}.key;
+	ssl_certificate /etc/letsencrypt/live/${ssl_server_name}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/${ssl_server_name}/privkey.pem;
 
 	include inc/serve-static.conf;
 }

knot.Containerfile

@@ -3,7 +3,7 @@ ARG SYS
 ADD $SYS /
 RUN apk upgrade -U
 RUN apk add knot
-COPY mkosi.extra/install/knot.conf /
+COPY install/knot.conf /
 RUN mkdir /run/knot /var/log/knot/ && chown -R knot:knot /run/knot/ /var/log/knot/
 USER knot
 RUN knotc conf-import /knot.conf

mkosi.conf

@@ -1,29 +0,0 @@
-[Output]
-Format = directory
-CacheDirectory = ../mkosi.cache/
-OutputDirectory = /var/lib/machines
-
-[Content]
-Autologin = yes
-Hostname = servnest.test
-WithDocs = yes
-Packages =
-	iproute2
-	tor
-	torsocks
-	openssl
-	certbot
-	nginx
-	php-fpm
-	knot
-	sudo
-	git
-	sqlite3
-	knot-resolver
-	man-db
-	curl
-	lsof
-	tree
-	vim
-	htop
-	ncdu

mkosi.extra/etc/apt/sources.list

@@ -1,6 +0,0 @@
-#deb https://deb.debian.org/debian testing main
-#deb https://deb.debian.org/debian-security/ testing-security main
-
-deb https://deb.debian.org/debian bookworm main
-deb https://deb.debian.org/debian-security/ bookworm-security main
-deb https://deb.debian.org/debian bookworm-updates main

mkosi.extra/etc/hosts

@@ -1,8 +0,0 @@
-::1 servnest.test
-::1 ns1.servnest.test
-::1 ns2.servnest.test
-::1 sftp.servnest.test
-::1 ht.servnest.test
-::1 test1.ht.servnest.test
-::1 test2.ht.servnest.test
-::1 test3.ht.servnest.test

mkosi.extra/etc/knot-resolver/kresd.conf

@@ -1,19 +0,0 @@
-net.listen('127.0.0.50', 53, { kind = 'dns', freebind = true })
-
--- Load useful modules
-modules = {
-	'hints > iterate',  -- Allow loading /etc/hosts or custom root hints
-	'stats',            -- Track internal statistics
-	'predict',          -- Prefetch expiring/frequent records
-}
-
--- Forward requests to those resolvers over TLS
-policy.TLS_FORWARD({
-	-- UncensoredDNS <https://blog.uncensoreddns.org/>
-	{'2a01:3a0:53:53::', hostname='unicast.uncensoreddns.org'},
-	{'89.233.43.71',     hostname='unicast.uncensoreddns.org'},
-	{'2001:67c:28a4::',  hostname='anycast.uncensoreddns.org'},
-	{'91.239.100.100',   hostname='anycast.uncensoreddns.org'},
-})
-
-cache.size = 100 * MB

mkosi.extra/etc/knot/knot-primary.conf

@@ -1,55 +0,0 @@
-server:
-    version: "Knot"
-    nsid: ""
-    rundir: "/run/knot"
-    user: "knot:knot"
-    automatic-acl: "on"
-    listen: [ "2001:db8::1@42053", "203.0.113.1@42053" ]
-
-log:
-  - target: "syslog"
-    any: "debug"
-
-database:
-    storage: "/var/lib/knot"
-
-key:
-  - id: "primary-to-secondary."
-    algorithm: "hmac-sha256"
-    secret: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH" # keymgr -t primary-to-secondary hmac-sha256
-
-remote:
-  - id: "secondary"
-    address: [ "2001:db8::2@53", "203.0.113.2@53" ]
-    key: "primary-to-secondary."
-
-policy:
-  - id: "servnest"
-    algorithm: "ed25519"
-    nsec3: "on"
-    nsec3-iterations: 10
-
-template:
-  - id: "servnest"
-    storage: "/srv/servnest/ns"
-    file: "%s.zone"
-    zonefile-load: "whole"
-    journal-content: "all"
-    dnssec-signing: "on"
-    dnssec-policy: "servnest"
-    catalog-role: "member"
-    catalog-zone: "servnest.test.invalid."
-
-zone:
-  - domain: "servnest.test.invalid."
-    notify: "secondary"
-    zonefile-load: "whole"
-    journal-content: "all"
-    catalog-role: "generate"
-
-  - domain: "servnest.test."
-    template: "servnest"
-    storage: "/srv/servnest/reg"
-  - domain: "test.servnest.test."
-    template: "servnest"
-    storage: "/srv/servnest/reg"

mkosi.extra/etc/knot/knot-secondary.conf

@@ -1,36 +0,0 @@
-server:
-    version: "Knot"
-    nsid: ""
-    rundir: "/run/knot"
-    user: "knot:knot"
-    automatic-acl: "on"
-    listen: [ "2001:db8::2@53", "203.0.113.2@53" ]
-
-log:
-  - target: "syslog"
-    any: "debug"
-
-database:
-    storage: "/var/lib/knot"
-
-key:
-  - id: "primary-to-secondary."
-    algorithm: "hmac-sha256"
-    secret: "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGH"
-
-remote:
-  - id: "primary"
-    address: [ "2001:db8::1@53", "203.0.113.1@53" ]
-    key: "primary-to-secondary."
-
-template:
-  - id: "servnest"
-    storage: "/var/lib/knot"
-    file: "%s.zone"
-    master: "primary"
-
-zone:
-  - domain: "servnest.test.invalid."
-    master: "primary"
-    catalog-role: interpret
-    catalog-template: "servnest"

mkosi.extra/etc/pacman.d/mirrorlist

@@ -1,3 +0,0 @@
-Server = https://mirrors.celianvdb.fr/archlinux/$repo/os/$arch
-Server = https://mirror.sysa.tech/archlinux/$repo/os/$arch
-Server = https://mirror.wormhole.eu/archlinux/$repo/os/$arch

mkosi.extra/etc/ssh/sshd_config

@@ -1,61 +0,0 @@
-LogLevel INFO
-AllowUsers root
-Subsystem sftp internal-sftp
-UsePAM yes
-
-# Network
-
-AddressFamily any
-ListenAddress [::1]
-ListenAddress 127.0.0.1
-Port 42022
-
-# Cryptography
-
-HostKey /etc/ssh/ed25519
-
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
-HostKeyAlgorithms ssh-ed25519
-KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
-MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
-
-# Sessions
-
-PermitRootLogin prohibit-password
-StrictModes yes
-MaxAuthTries 6
-MaxSessions 1
-MaxStartups 3:20:200
-LoginGraceTime 3m
-PrintMotd yes
-
-# Disable everything
-
-PermitTTY no
-PermitTunnel no
-
-AllowTcpForwarding no
-X11Forwarding no
-AllowAgentForwarding no
-AllowStreamLocalForwarding no
-DisableForwarding yes # Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal.
-
-PermitUserRC no
-PermitUserEnvironment no
-IgnoreRhosts yes
-AuthorizedKeysFile none
-
-AuthenticationMethods none
-PubkeyAuthentication no
-PasswordAuthentication no
-KbdInteractiveAuthentication no
-PermitEmptyPasswords no
-ChallengeResponseAuthentication no
-
-# Enable what is necessary
-
-Match User root
-	PermitTTY yes
-	PubkeyAuthentication yes
-	AuthenticationMethods publickey
-	AuthorizedKeysFile .ssh/authorized_keys

mkosi.extra/etc/systemd/resolved.conf.d/dot.conf

@@ -1,6 +0,0 @@
-[Resolve]
-DNS=2a01:e0a:5d6:6de0:acab:3:3:3#dot.antopie.org 82.66.61.19#dot.antopie.org
-DNSOverTLS=yes
-DNSSEC=yes
-Cache=yes
-ResolveUnicastSingleLabel=yes

mkosi.extra/etc/tmpfiles.d/servnest.conf

@@ -1,3 +0,0 @@
-d /run/servnest   0555 root  root  - -
-d /run/knot       0755 knot  knot  - -
-d /run/php-fpm    0755 nginx nginx - -

mkosi.extra/root/sftpgo-src

@@ -1 +0,0 @@
-Subproject commit a6a92f0d69b8cf5e72e38ffa5e693057aa2dc776

mkosi.extra/root/sftpgo.sh

@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-source /etc/os-release
-
-set -euo pipefail
-
-# Download latest release
-if [[ ! -d "sftpgo-src" ]]; then
-	git clone https://github.com/drakkan/sftpgo sftpgo-src
-fi
-cd sftpgo-src
-git checkout main
-git pull origin HEAD
-git checkout $(git tag | tail -n 1)
-
-# Prepare
-cp -r openapi ./internal/bundle/openapi
-cp -r templates ./internal/bundle/templates
-cp -r static ./internal/bundle/static
-
-# Build
-go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o sftpgo
-strip /usr/local/bin/sftpgo
-
-# Install
-mv sftpgo /usr/local/bin/

mkosi.extra/srv/servnest/reg/servnest.test.zone

@@ -1,10 +0,0 @@
-servnest.test.      10800 SOA  ns1.servnest.test. admin.servnest.test. 0 21600 7200 3628800 3600
-servnest.test.      86400 NS   ns1.servnest.test.
-servnest.test.      10800 A    127.0.0.1
-servnest.test.      10800 AAAA ::1
-servnest.test.      86400 CAA  0 issue ";"
-test.servnest.test. 86400 NS   ns1.servnest.test.
-ns1.servnest.test.  10800 A    127.0.0.1
-ns1.servnest.test.  10800 AAAA ::1
-ht.servnest.test.   10800 A    127.0.0.1
-ht.servnest.test.   10800 AAAA ::1

mkosi.extra/srv/servnest/reg/test.servnest.test.zone

@@ -1,4 +0,0 @@
-test.servnest.test.     10800 SOA  ns1.servnest.test. admin.servnest.test. 0 21600 7200 3628800 3600
-test.servnest.test.     86400 NS   ns1.servnest.test.
-test.servnest.test.     10800 A    127.0.0.1
-test.servnest.test.     10800 AAAA ::1

mkosi.extra/usr/lib/tmpfiles.d/php-fpm.conf

@@ -1 +0,0 @@
-

mkosi.finalize.chroot

@@ -1,17 +0,0 @@
-#!/usr/bin/bash
-set -euo pipefail
-
-source /etc/os-release
-export OS=$ID
-
-if [[ $OS = "arch" ]]; then
-	systemctl enable sshd
-	systemctl enable knot
-	systemctl enable nginx
-	systemctl enable httpd
-	systemctl enable tor
-	systemctl enable php-fpm
-fi
-
-systemctl enable kresd@0
-systemctl enable sftpgo

mkosi.images/sn-arch.conf

@@ -1,27 +0,0 @@
-[Output]
-ImageId = sn-arch
-
-[Distribution]
-Distribution = arch
-
-
-
-
-[Content]
-Packages =
-	systemd
-	pacman
-	archlinux-keyring
-	apache
-	nginx-mod-headers-more
-	certbot-nginx
-	php-sqlite
-	php-sodium
-	go
-	openssh
-	iputils
-	gettext
-	which
-	sshpass
-	sed
-	coreutils

mkosi.images/sn-debian.conf

@@ -1,23 +0,0 @@
-[Output]
-ImageId = sn-debian
-
-[Distribution]
-Distribution = debian
-Release = bookworm
-
-[Content]
-Packages =
-	dbus
-	apt-transport-tor
-	apache2
-	libnginx-mod-http-headers-more-filter
-	python3-certbot-nginx
-	knot-dnsutils
-	knot-dnssecutils
-	php-sqlite3
-	openssh-server
-	iputils-ping
-	gettext
-	php-curl
-	sshpass
-	less

mkosi.nspawn

@@ -1,3 +0,0 @@
-[Network]
-Private=no
-VirtualEthernet=no

mkosi.postinst.chroot

@@ -1,25 +0,0 @@
-#!/usr/bin/bash
-set -euo pipefail
-
-source /etc/os-release
-export OS=$ID
-
-# Generate OpenSSH server key pair
-ssh-keygen -f /etc/ssh/ed25519 -t ed25519 -N ""
-ssh-keygen -lvf /etc/ssh/ed25519 > /etc/ssh/ed25519.fp
-
-source /install/install.sh
-
-chown $sftpgo: /usr/local/bin/sftpgo
-chmod u=rx,g=,o= /usr/local/bin/sftpgo
-
-if [[ $OS = "arch" ]]; then
-	pacman-key --init
-	pacman-key --populate
-fi
-
-# Enable testing option
-sed -i 's/local_only_check = false/local_only_check = true/' /srv/servnest/core/config.ini
-
-chmod    u=rwX,g=rX,o=rX /        /etc /etc/tor/torrc
-chmod -R u=rwX,g=rX,o=rX /etc/php /etc/knot-resolver

nginx.Containerfile

@@ -2,6 +2,7 @@ FROM scratch
 ARG SYS
 ADD $SYS /
 RUN apk upgrade -U
+RUN apk add shadow && useradd -U -r --uid 501 nginx
 RUN apk add nginx nginx-mod-http-headers-more openssl
 RUN openssl req -quiet -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt \
 	&& openssl req -quiet -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt \

php.Containerfile

@@ -13,6 +13,7 @@ RUN apk add \
 	php83-session \
 	php83-sodium \
 	certbot \
+	bash \
 	sudo \
 	openssh-client-common \
 	sshpass \
@@ -28,8 +29,8 @@ RUN apk add \
 #RUN msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
 RUN rm /etc/php83/php-fpm.d/www.conf
 RUN useradd -U -r --uid 500 servnest
+RUN useradd -U -r --uid 501 nginx
 RUN useradd -U -r --uid 505 sftpgo
 RUN useradd -U -r --uid 506 tor
-RUN chown servnest: /var/log/php83/
 USER servnest:knot
 CMD ["php-fpm83", "--nodaemonize"]