podman containers introduction

.env

@@ -0,0 +1,2 @@
+SYS=container/alpine-minirootfs-3.20.0-x86_64.tar.gz
+SFTPGO=container/sftpgo-2.6.0.tar.gz

base.yaml

@@ -0,0 +1,11 @@
+services:
+  base:
+    build:
+      args:
+        SYS: $SYS
+    cpus: '0.5'
+    mem_limit: 16mb
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL

compose.yaml

@@ -0,0 +1,112 @@
+name: servnest
+services:
+  tor:
+    extends:
+      file: base.yaml
+      service: base
+    build:
+      dockerfile: container/tor.Containerfile
+    volumes:
+      - ./container/tor-client/:/run/tor-client/:rw
+      - ./container/tor-control/:/run/tor-control/:rw
+      - ./container/nginx-onion-sock/:/run/nginx-onion/:rw
+      - ./mkosi.extra/srv/servnest/tor-keys/:/srv/servnest/tor-keys/:rw
+      - ./mkosi.extra/srv/servnest/tor-config/:/srv/servnest/tor-config/:ro
+      - ./mkosi.extra/install/torrc:/etc/tor/torrc:ro
+    mem_limit: 128m
+  sftpgo:
+    extends:
+      file: base.yaml
+      service: base
+    build:
+      dockerfile: container/sftpgo.Containerfile
+      args:
+        SFTPGO: $SFTPGO
+    ports:
+      - "[::1]:42022:42022/tcp"
+    links:
+      - nginx:servnest.test
+    volumes:
+      - ./mkosi.extra/srv/servnest/ht/fs/:/srv/servnest/ht/fs/:rw
+      - ./mkosi.extra/install/sftpgo.toml:/etc/sftpgo/sftpgo.toml:ro
+    mem_limit: 256mb
+  knot:
+    extends:
+      file: base.yaml
+      service: base
+    build:
+      dockerfile: container/knot.Containerfile
+    ports:
+      - "[::1]:42053:42053/udp"
+      - "[::1]:42053:42053/tcp"
+    volumes:
+      - ./container/knot-sock/:/run/knot/:rw
+      - ./mkosi.extra/srv/servnest/reg/:/srv/servnest/reg/:rw
+      - ./mkosi.extra/srv/servnest/ns/:/srv/servnest/ns/:rw
+  apache:
+    extends:
+      file: base.yaml
+      service: base
+    build:
+      dockerfile: container/apache.Containerfile
+    volumes:
+      - ./mkosi.extra/srv/servnest/ht/:/srv/servnest/ht/:ro
+      - ./mkosi.extra/install/http-messages/:/srv/servnest/ht/http-messages/:ro
+      - ./mkosi.extra/install/apache/:/etc/apache2/:ro
+  php:
+    extends:
+      file: base.yaml
+      service: base
+    build:
+      dockerfile: container/php.Containerfile
+    group_add:
+      - knot
+      - tor
+    links:
+      - nginx:servnest.test
+      - nginx:ht.servnest.test
+      - sftpgo:sftp.servnest.test
+    volumes:
+      - ./mkosi.extra/srv/servnest/core/:/srv/servnest/core/:ro
+      - ./mkosi.extra/srv/servnest/core/db/:/srv/servnest/core/db/:rw
+      - ./mkosi.extra/srv/servnest/reg/:/srv/servnest/reg/:rw
+      - ./mkosi.extra/srv/servnest/ns/:/srv/servnest/ns/:rw
+      - ./mkosi.extra/srv/servnest/acme/:/srv/servnest/acme/:rw
+      - ./mkosi.extra/srv/servnest/ht/fs/:/srv/servnest/ht/fs/:rw
+      - ./mkosi.extra/srv/servnest/ht/uri/:/srv/servnest/ht/uri/:rw
+      - ./mkosi.extra/srv/servnest/tor-config/:/srv/servnest/tor-config/:rw
+      - ./mkosi.extra/srv/servnest/tor-keys/:/srv/servnest/tor-keys/:rw
+      - ./container/php-sock/:/run/php-fpm/:rw
+      - ./container/tor-client/:/run/tor-client/:rw
+      - ./container/tor-control/:/run/tor-control/:rw
+      - ./container/knot-sock/:/run/knot/:rw
+      - ./mkosi.extra/install/php.ini:/etc/php82/conf.d/servnest.ini:ro
+      - ./mkosi.extra/install/php-fpm.conf:/etc/php83/php-fpm.d/servnest.conf:ro
+      - ./mkosi.extra/install/sudoers:/etc/sudoers.d/servnest:ro
+      - ./mkosi.extra/install/certbot.ini:/etc/letsencrypt/servnest.ini:ro
+      - ./mkosi.extra/install/certbot-deploy-hook.sh:/root/certbot-deploy-hook.sh:ro
+    mem_limit: 32mb
+    # For sudo
+    security_opt:
+      - no-new-privileges:false
+    cap_add:
+      - SETUID
+      - SETGID
+      - CHOWN
+  nginx:
+    extends:
+      file: base.yaml
+      service: base
+    build:
+      dockerfile: container/nginx.Containerfile
+    ports:
+      - "[::1]:42080:42080/tcp"
+      - "[::1]:42443:42443/tcp"
+    depends_on:
+      - apache
+    volumes:
+      - ./mkosi.extra/srv/servnest/core/:/srv/servnest/core/:ro
+      - ./mkosi.extra/srv/servnest/acme/:/srv/servnest/acme/:ro
+      - ./container/php-sock/:/run/php-fpm/:rw
+      - ./container/nginx-onion-sock/:/run/nginx-onion/:rw
+      - ./mkosi.extra/install/nginx/:/etc/nginx/:ro

container/README.md

@@ -0,0 +1,27 @@
+
+
+~/.config/containers/containers.conf:
+```toml
+[containers]
+no_hosts=true
+```
+
+```shell
+wget https://dl-cdn.alpinelinux.org/alpine/v3.20/releases/x86_64/alpine-minirootfs-3.20.0-x86_64.tar.gz
+podman build -f php.Dockerfile
+podman-compose up --build
+
+```shell
+#docker buildx build nginx -t nginx
+clear && docker compose up --force-recreate --build -d --remove-orphans && docker compose logs
+#docker exec -it dcfe0b3360e2 ash
+docker compose exec nginx ash
+```
+
+In `/etc/docker/daemon.json`:
+`/sbin/ip route|awk '/default/ { print $3 }'`
+```json
+{
+	"dns": ["::1"]
+}
+```

container/apache.Containerfile

@@ -0,0 +1,8 @@
+FROM scratch
+ARG SYS
+ADD $SYS /
+RUN apk upgrade -U
+RUN apk add apache2 apache2-brotli
+RUN chown apache: /var/log/apache2/ /run/apache2/
+USER apache
+CMD ["httpd", "-D", "FOREGROUND"]

container/knot.Containerfile

@@ -0,0 +1,10 @@
+FROM scratch
+ARG SYS
+ADD $SYS /
+RUN apk upgrade -U
+RUN apk add knot
+COPY mkosi.extra/install/knot.conf /
+RUN mkdir /run/knot /var/log/knot/ && chown -R knot:knot /run/knot/ /var/log/knot/
+USER knot
+RUN knotc conf-import /knot.conf
+CMD ["knotd", "--confdb", "/var/lib/knot/confdb/"]

container/nginx.Containerfile

@@ -0,0 +1,13 @@
+FROM scratch
+ARG SYS
+ADD $SYS /
+RUN apk upgrade -U
+RUN apk add nginx nginx-mod-http-headers-more openssl
+RUN openssl req -quiet -subj '/' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.key -out /etc/ssl/certs/servnest.crt \
+	&& openssl req -quiet -subj '/CN=servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/servnest.test.key -out /etc/ssl/certs/servnest.test.crt \
+	&& openssl req -quiet -subj '/CN=ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/ht.servnest.test.key -out /etc/ssl/certs/ht.servnest.test.crt \
+	&& openssl req -quiet -subj '/CN=*.ht.servnest.test' -new -newkey RSA:3072 -days 3650 -nodes -x509 -keyout /etc/ssl/private/wildcard.ht.servnest.test.key -out /etc/ssl/certs/wildcard.ht.servnest.test.crt
+RUN chmod -R u=rwX,g=rX,o= /etc/ssl/
+RUN chown -R root:nginx /etc/ssl/
+USER nginx
+CMD ["nginx", "-g", "daemon off;"]

container/php.Containerfile

@@ -0,0 +1,35 @@
+FROM scratch
+ARG SYS
+ADD $SYS /
+RUN apk upgrade -U
+RUN apk add \
+	php83 \
+	php83-fpm \
+	php83-curl \
+	php83-gettext \
+	php83-opcache \
+	php83-pdo \
+	php83-pdo_sqlite \
+	php83-session \
+	php83-sodium \
+	certbot \
+	sudo \
+	openssh-client-common \
+	sshpass \
+	openssh-client \
+	knot \
+	knot-utils \
+	shadow \
+	sqlite \
+	gettext
+#RUN cp /srv/servnest/core/config.template.ini /srv/servnest/core/config.ini
+#RUN sqlite3 /srv/servnest/core/db/servnest.db < /srv/servnest/core/db/schema.sql
+#RUN echo "UPDATE params SET value = '$(openssl rand -hex 16)' WHERE name = 'username_salt';" | sqlite3 /srv/servnest/core/db/servnest.db
+#RUN msgfmt /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.po -o /srv/servnest/core/locales/fr/C/LC_MESSAGES/messages.mo
+RUN rm /etc/php83/php-fpm.d/www.conf
+RUN useradd -U -r --uid 500 servnest
+RUN useradd -U -r --uid 505 sftpgo
+RUN useradd -U -r --uid 506 tor
+RUN chown servnest: /var/log/php83/
+USER servnest:knot
+CMD ["php-fpm83", "--nodaemonize"]

container/sftpgo.Containerfile

@@ -0,0 +1,21 @@
+FROM scratch
+ARG SYS
+ADD $SYS /
+RUN apk upgrade -U
+RUN apk add go openssh-keygen bash shadow
+ARG SFTPGO
+ADD $SFTPGO /
+WORKDIR /sftpgo-2.6.0/
+RUN cp -r openapi ./internal/bundle/openapi && \
+	cp -r templates ./internal/bundle/templates && \
+	cp -r static ./internal/bundle/static
+RUN go build -tags nogcs,nos3,noazblob,nobolt,nomysql,nopgsql,nosqlite,noportable,nometrics,bundle -o /usr/local/bin/sftpgo && strip /usr/local/bin/sftpgo
+RUN mkdir /etc/sftpgo/ && ssh-keygen -f /etc/sftpgo/ed25519 -t ed25519 -N "" -C ""
+RUN touch /etc/sftpgo/banner.txt
+RUN ["/bin/bash", "-c", "fp=($(ssh-keygen -l -f /etc/sftpgo/ed25519)) && echo ${fp[1]} > /etc/sftpgo/ed25519.fp"]
+RUN ssh-keygen -lv -f /etc/sftpgo/ed25519 | tail -n +2 > /etc/sftpgo/ed25519.asciiart
+RUN useradd -U -r --uid 500 servnest
+RUN useradd -U -r --uid 505 sftpgo
+RUN mkdir /var/log/sftpgo/ && chown sftpgo: /var/log/sftpgo/ && chmod -R u=rwX,g=rX,o= /etc/sftpgo/ && chown -R root:sftpgo /etc/sftpgo/
+USER sftpgo
+CMD ["sftpgo", "serve", "--config-file", "/etc/sftpgo/sftpgo.toml", "--log-level", "warn", "--log-max-age", "1", "--log-file-path", "/var/log/sftpgo/sftpgo.log"]

container/tor.Containerfile

@@ -0,0 +1,8 @@
+FROM scratch
+ARG SYS
+ADD $SYS /
+RUN apk upgrade -U
+RUN apk add shadow && useradd -U -r --uid 506 tor
+RUN apk add tor && chmod 700 /var/lib/tor
+USER tor
+CMD ["tor", "--hush"]

mkosi.extra/etc/resolv.conf

@@ -1 +0,0 @@
-nameserver 127.0.0.50

mkosi.extra/install/apache/errors.conf

@@ -1,6 +1,6 @@
-Alias /http-messages/ "/http-messages/"
+Alias /http-messages/ "/srv/servnest/ht/http-messages/"
 
-<Directory "/http-messages/">
+<Directory "/srv/servnest/ht/http-messages/">
 	Require all granted
 	Options Multiviews
 	AddLanguage fr fr

mkosi.extra/install/apache/httpd.conf

@@ -1,31 +1,31 @@
-ServerRoot "/etc/httpd"
+ServerRoot "/etc/apache2"
 
-User apache
-Group apache
-ChrootDir "/srv/servnest/ht"
+#User apache
+#Group apache
+#ChrootDir "/srv/servnest/ht"
 Suexec Off
 
-LoadModule unixd_module /usr/lib/httpd/modules/mod_unixd.so
-LoadModule mpm_event_module /usr/lib/httpd/modules/mod_mpm_event.so
-LoadModule authz_core_module /usr/lib/httpd/modules/mod_authz_core.so
-LoadModule vhost_alias_module /usr/lib/httpd/modules/mod_vhost_alias.so
+LoadModule unixd_module /usr/lib/apache2/mod_unixd.so
+LoadModule mpm_event_module /usr/lib/apache2/mod_mpm_event.so
+LoadModule authz_core_module /usr/lib/apache2/mod_authz_core.so
+LoadModule vhost_alias_module /usr/lib/apache2/mod_vhost_alias.so
 
-LoadModule mime_module /usr/lib/httpd/modules/mod_mime.so
-LoadModule headers_module /usr/lib/httpd/modules/mod_headers.so
-LoadModule dir_module /usr/lib/httpd/modules/mod_dir.so
-LoadModule expires_module /usr/lib/httpd/modules/mod_expires.so
-LoadModule filter_module /usr/lib/httpd/modules/mod_filter.so
-LoadModule brotli_module /usr/lib/httpd/modules/mod_brotli.so
-LoadModule deflate_module /usr/lib/httpd/modules/mod_deflate.so
-LoadModule autoindex_module /usr/lib/httpd/modules/mod_autoindex.so
-LoadModule alias_module /usr/lib/httpd/modules/mod_alias.so
-LoadModule negotiation_module /usr/lib/httpd/modules/mod_negotiation.so
+LoadModule mime_module /usr/lib/apache2/mod_mime.so
+LoadModule headers_module /usr/lib/apache2/mod_headers.so
+LoadModule dir_module /usr/lib/apache2/mod_dir.so
+LoadModule expires_module /usr/lib/apache2/mod_expires.so
+LoadModule filter_module /usr/lib/apache2/mod_filter.so
+LoadModule brotli_module /usr/lib/apache2/mod_brotli.so
+LoadModule deflate_module /usr/lib/apache2/mod_deflate.so
+LoadModule autoindex_module /usr/lib/apache2/mod_autoindex.so
+LoadModule alias_module /usr/lib/apache2/mod_alias.so
+LoadModule negotiation_module /usr/lib/apache2/mod_negotiation.so
 
 <Directory "/">
 	Require all denied
 </Directory>
 
-ErrorLog "/var/log/httpd/error.log"
+ErrorLog "/var/log/apache2/error.log"
 
 Define compress "text/plain text/html text/markdown text/gemini text/css text/javascript text/csv application/json application/ld+json application/manifest+json application/xml application/xhtml+xml application/atom+xml application/atomcat+xml application/atomsvc+xml application/rss+xml application/mathml+xml application/emotionml+xml font/ttf font/otf"
 # brotli
@@ -43,20 +43,22 @@ LimitInternalRecursion 5
 
 ServerTokens ProductOnly
 
+ServerName localhost
+
 Include errors.conf
 
-Define interface "[::1]:42999"
+Define interface "0.0.0.0:42999"
 
 Listen ${interface}
 
 <VirtualHost ${interface}>
-	VirtualDocumentRoot "/uri/%0"
+	VirtualDocumentRoot "/srv/servnest/ht/uri/%0"
 
 	AccessFileName ".htaccess"
 
 	DirectoryIndex index.html index.md index.gmi
 
-	<Directory "/uri/*/">
+	<Directory "/srv/servnest/ht/uri/*/">
 		Require all granted
 
 		AllowOverride Nonfatal=All

mkosi.extra/install/knot.conf

@@ -2,12 +2,12 @@ server:
     version: "Knot"
     nsid: ""
     rundir: "/run/knot"
-    user: "knot:knot"
-    listen: [ "::1@42053", "127.0.0.1@42053" ]
+#    user: "knot:knot"
+    listen: [ "::1@42053", "127.0.0.1@42053", "/run/knot/dns.sock" ]
 
 log:
-  - target: "syslog"
-    any: "debug"
+  - target: stderr
+    any: warning
 
 database:
     storage: "/var/lib/knot"

mkosi.extra/install/nginx/inc/apache-proxy.conf

@@ -1,4 +1,4 @@
-proxy_pass http://[::1]:42999;
+proxy_pass http://apache:42999;
 proxy_ignore_client_abort on;
 proxy_http_version 1.1;
 proxy_set_header Host $host;

mkosi.extra/install/nginx/nginx.conf

@@ -1,6 +1,6 @@
 load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
 worker_processes auto;
-user nginx nginx;
+#user nginx nginx;
 pcre_jit on;
 
 events {

mkosi.extra/install/nginx/sites/dns.conf

@@ -1,8 +1,9 @@
 # Dedicated DNS+TLS access
 
 server {
-	listen [::1]:42443 ssl http2 default_server;
-	listen 127.0.0.1:42443 ssl http2 default_server;
+	listen [::]:42443 ssl default_server;
+	listen 0.0.0.0:42443 ssl default_server;
+	http2 on;
 
 	ssl_certificate /etc/ssl/certs/${ssl_server_name}.crt;
 	ssl_certificate_key /etc/ssl/private/${ssl_server_name}.key;

mkosi.extra/install/nginx/sites/interface.conf

@@ -2,8 +2,9 @@
 
 log_format servnest '|$time_local| [$ip_start]@$server_name $status $body_bytes_sent "$request"';
 server {
-	listen [::1]:42443 ssl http2;
-	listen 127.0.0.1:42443 ssl http2;
+	listen [::]:42443 ssl;
+	listen 0.0.0.0:42443 ssl;
+	http2 on;
 	server_name servnest.test;
 
 	root /srv/servnest/core;
@@ -25,10 +26,6 @@ server {
 		alias /srv/servnest/core/css;
 	}
 
-	location /docs {
-		alias /srv/servnest/docs;
-	}
-
 	access_log /var/log/nginx/servnest-access.log servnest if=$loggable;
 
 	# For a public server, these should point to a Let's Encrypt-trusted key pair

mkosi.extra/install/nginx/sites/no-tls.conf

@@ -1,8 +1,8 @@
 # This server block should listen on port 80 to warn users they tried to make an unsecure connection
 
 server {
-	listen [::1]:42080 default_server;
-	listen 127.0.0.1:42080 default_server;
+	listen [::]:42080 default_server;
+	listen 0.0.0.0:42080 default_server;
 
 	location / {
 		return 403; # Don't allow unsecure HTTP requests

mkosi.extra/install/nginx/sites/onion.conf

@@ -1,6 +1,6 @@
 # Dedicated Onion service access
 server {
-	listen [::1]:9080 default_server;
+	listen unix:/run/nginx-onion/socket default_server;
 
 	include inc/serve-static.conf;
 }

mkosi.extra/install/nginx/sites/sftpgo-auth.conf

@@ -1,7 +1,7 @@
 # This server block and the PHP script it maps make ServNest authentication available to the SFTPGo external authenticator
 
 server {
-	listen [::1]:8055; # It's meant to stay a private IP
+	listen 0.0.0.0:8055; # It's meant to stay private
 
 	root /srv/servnest/core;
 

mkosi.extra/install/nginx/sites/subdomain.conf

@@ -1,8 +1,9 @@
 # Subdomain access
 
 server {
-	listen [::1]:42443 ssl http2;
-	listen 127.0.0.1:42443 ssl http2;
+	listen [::]:42443 ssl;
+	listen 0.0.0.0:42443 ssl;
+	http2 on;
 	server_name *.ht.servnest.test;
 
 	ssl_certificate /etc/ssl/certs/wildcard.ht.servnest.test.crt;

mkosi.extra/install/nginx/sites/subpath.conf

@@ -1,8 +1,9 @@
 # Subpath access
 
 server {
-	listen [::1]:42443 ssl http2;
-	listen 127.0.0.1:42443 ssl http2;
+	listen [::]:42443 ssl;
+	listen 0.0.0.0:42443 ssl;
+	http2 on;
 	server_name ht.servnest.test;
 
 	ssl_certificate /etc/ssl/certs/ht.servnest.test.crt;

mkosi.extra/install/php-fpm.conf

@@ -2,13 +2,13 @@
 
 [servnest]
 
-user = servnest
-group = knot
+;user = servnest
+;group = knot
 
 listen = /run/php-fpm/servnest.sock
-listen.owner = nginx
-listen.group = nginx
-listen.mode = 0600
+;listen.owner = nginx
+;listen.group = nginx
+listen.mode = 0666
 
 pm = dynamic
 pm.max_children = 5

mkosi.extra/install/php.ini

@@ -1,11 +1,11 @@
-error_log = syslog
+#error_log = syslog
 
-extension = pdo_sqlite
-extension = sqlite3
-extension = gettext
+#extension = pdo_sqlite
+#extension = sqlite3
+#extension = gettext
 # Only required for the check.php script
-extension = curl
+#extension = curl
 
 # Optional
 expose_php = Off
-zend_extension = opcache
+#zend_extension = opcache

mkosi.extra/install/sftpgo.toml

@@ -23,17 +23,17 @@ login_banner_file = "/etc/sftpgo/banner.txt"
 enabled_ssh_commands = []
 
 [[sftpd.bindings]]
-address = "[::1]"
-port = 2022
+address = "[::]"
+port = 42022
 
-[[sftpd.bindings]]
-address = "127.0.0.1"
-port = 2022
+#[[sftpd.bindings]]
+#address = "0.0.0.0"
+#port = 42022
 
 [data_provider]
 driver = "memory"
 users_base_dir = "/srv/servnest/ht"
-external_auth_hook = "http://[::1]:8055/sftpgo-auth.php"
+external_auth_hook = "http://servnest.test:8055/sftpgo-auth.php"
 external_auth_scope = 3
 naming_rules = 1
 

mkosi.extra/install/sudoers

@@ -1,8 +1,7 @@
-servnest ALL=(root)   NOPASSWD: /usr/bin/systemctl  reload tor
-servnest ALL=(root)   NOPASSWD: /usr/bin/chgrp     ^--no-dereference -- sftpgo /srv/servnest/ht/fs/[0-9a-f]{64}$
-servnest ALL=(root)   NOPASSWD: /usr/bin/certbot   ^--config /etc/letsencrypt/servnest\.ini certonly --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}( --test-cert)?$
-servnest ALL=(root)   NOPASSWD: /usr/bin/certbot   ^--config /etc/letsencrypt/servnest\.ini delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
-servnest ALL=(tor)    NOPASSWD: /usr/bin/cat       ^-- /srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
-servnest ALL=(tor)    NOPASSWD: /usr/bin/mkdir     ^--mode=0700 -- /srv/servnest/tor-keys/[0-9a-f]{64}$
-servnest ALL=(tor)    NOPASSWD: /usr/bin/rm        ^-r -- /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
-servnest ALL=(sftpgo) NOPASSWD: /usr/bin/rm        ^-r -- /srv/servnest/ht/fs/[0-9a-f]{64}$
+servnest ALL=(root)   NOPASSWD: /bin/chgrp       ^--no-dereference -- sftpgo /srv/servnest/ht/fs/[0-9a-f]{64}$
+servnest ALL=(root)   NOPASSWD: /usr/bin/certbot ^--config /etc/letsencrypt/servnest\.ini certonly --domain ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}( --test-cert)?$
+servnest ALL=(root)   NOPASSWD: /usr/bin/certbot ^--config /etc/letsencrypt/servnest\.ini delete --quiet --cert-name ([a-z0-9_-]{1,63}\.){1,126}[a-z0-9]{1,63}$
+servnest ALL=(tor)    NOPASSWD: /bin/cat         ^-- /srv/servnest/tor-keys/[0-9a-f]{64}/[a-zA-Z0-9_-]{1,64}/hostname$
+servnest ALL=(tor)    NOPASSWD: /bin/mkdir       ^--mode=0700 -- /srv/servnest/tor-keys/[0-9a-f]{64}$
+servnest ALL=(tor)    NOPASSWD: /bin/rm          ^-r -- /srv/servnest/tor-keys/[0-9a-f]{64}(/[a-zA-Z0-9_-]{1,64})?$
+servnest ALL=(sftpgo) NOPASSWD: /bin/rm          ^-r -- /srv/servnest/ht/fs/[0-9a-f]{64}$

mkosi.extra/install/torrc

@@ -1,5 +1,6 @@
-User tor
-SocksPort 0
+#User tor
 DataDirectory /var/lib/tor
+SocksPort unix:/run/tor-client/socket WorldWritable
+ControlPort unix:/run/tor-control/dir/socket GroupWritable
 
 %include /srv/servnest/tor-config/*

mkosi.extra/root/sftpgo-src

@@ -0,0 +1 @@
+Subproject commit a6a92f0d69b8cf5e72e38ffa5e693057aa2dc776

mkosi.extra/srv/servnest/core

@@ -1 +1 @@
-Subproject commit 0496feb8fb7dd1c76449426ecdb3fc6f9ae8bcbf
+Subproject commit d9ff87a833eb70ae342aa9b0f15237f4c1d2fe8b