Working self host!

packages/website/src/lib/Hero.svelte

@@ -8,7 +8,7 @@
     </div>
     <div class="content">
         <h1 class="title">JadedBlueEyes</h1>
-        <div class="description">Finally, a website!</div>
+        <div class="description">Working on it! Come back later :&rpar;</div>
     </div>
 </div>
 

servers/config.bu

@@ -1,11 +1,26 @@
+# butane --pretty --strict main.bu -d . | save -f main.ign
+# open main.ign | ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" core@176.126.240.240 -T "cat > main.ign"
+#  sudo coreos-installer install /dev/vda --ignition-file main.ign --save-partlabel *
+
 variant: fcos
 version: 1.5.0
-ignition:
+# ignition:
-  config:
+#   config:
-    replace:
+#     replace:
-      source: https://jade-coreos-config.netlify.app/main.ign
+#       source: https://jade-coreos-config.netlify.app/main.ign
 passwd:
   users:
     - name: core
       ssh_authorized_keys:
-        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqathM/KAjYvI4NzwDs4UJxVcMyv+xwYt0axPP7HzmZ
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqathM/KAjYvI4NzwDs4UJxVcMyv+xwYt0axPP7HzmZ
+
+storage:
+  files:
+    - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
+      mode: 0644
+      contents:
+        inline: |
+          # Fedora CoreOS disables SSH password login by default.
+          # Enable it.
+          # This file must sort before 40-disable-passwords.conf.
+          PasswordAuthentication yes

servers/containers/jade-website-frontend.container

@@ -0,0 +1,27 @@
+
+
+[Unit]
+Description=Website Frontend
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=jade-website-frontend
+NoNewPrivileges=true
+Image=oci-archive:/opt/images/jade-website-frontend
+# Volume=/var/opt/thelounge:/var/opt/thelounge:z,U
+AutoUpdate=local
+Network=web.network
+
+Label="traefik.enable=true"
+Label="traefik.http.routers.jade-website-frontend.rule=Host(`jade.ellis.link`)"
+Label="traefik.http.routers.jade-website-frontend.entrypoints=https"
+
+Label="traefik.http.routers.jade-website-frontend.tls.certresolver=letsencrypt"
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target

servers/containers/thelounge.container

@@ -0,0 +1,28 @@
+
+
+[Unit]
+Description=TheLounge (IRC web client)
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=thelounge
+NoNewPrivileges=true
+Image=ghcr.io/thelounge/thelounge:latest
+Volume=/var/opt/thelounge:/var/opt/thelounge:z,U
+AutoUpdate=registry
+Network=web.network
+
+Label="traefik.enable=true"
+Label="traefik.http.routers.thelounge.rule=Host(`thelounge.ellis.link`)"
+Label="traefik.http.services.thelounge.loadbalancer.server.port=9000"
+Label="traefik.http.routers.thelounge.entrypoints=https"
+
+Label="traefik.http.routers.thelounge.tls.certresolver=letsencrypt"
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target

servers/containers/traefik.container

@@ -0,0 +1,36 @@
+
+
+
+[Unit]
+Description=traefik web server
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=traefik
+PodmanArgs=--privileged
+NoNewPrivileges=true
+Image=docker.io/library/traefik:latest
+PublishPort=80:80/tcp
+PublishPort=443:443/tcp
+PublishPort=443:443/udp
+# PublishPort=8448:8448/tcp
+ReadOnly=true
+Volume=/run/podman/podman.sock:/var/run/docker.sock:z
+Volume=/var/srv/traefik:/certificates:z
+Volume=/etc/traefik:/etc/traefik:ro,z
+# Volume=/var/srv/matrix/caddy/config:/config:z
+# Volume=/var/srv/matrix/caddy/data:/data:z
+# Volume=/var/srv/matrix/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,z
+AutoUpdate=registry
+Network=web.network
+# IP=10.89.1.10
+
+Exec=traefik --configFile=/etc/traefik/config.toml 
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target

servers/containers/web.network

@@ -0,0 +1,7 @@
+[Network]
+DisableDNS=false
+Internal=false
+
+# Manual subnet to avoid issues with DNS resolution
+Subnet=10.89.1.0/24
+Gateway=10.89.1.1

servers/firewalld/zones/public.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<zone>
+  <short>Public</short>
+  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
+  <service name="ssh"/>
+  <service name="mdns"/>
+  <service name="dhcpv6-client"/>
+  <service name="http"/>
+  <service name="https"/>
+  <port port="9090" protocol="tcp"/>
+  <port port="9000" protocol="tcp"/>
+  <forward/>
+</zone>

servers/main.bu

@@ -1,3 +1,5 @@
+ #butane --pretty --strict main.bu -d . | save -f main.ign
+
 variant: fcos
 version: 1.5.0
 passwd:
@@ -9,40 +11,118 @@ passwd:
 
 systemd:
   units:
-    # Installing Cockpit as a layered package with rpm-ostree
+    # Installing customisations as a layered package with rpm-ostree
-    - name: rpm-ostree-install-cockpit.service
+    # - name: rpm-ostree-install-packages.service
+    #   enabled: true
+    #   # cockpit-certificates cockpit-tailscale 
+    #   # cockpit-system cockpit-ostree cockpit-podman cockpit-storaged cockpit-networkmanager cockpit-ostree cockpit-selinux cockpit-kdump  cockpit-sosreport cockpit-pcp
+    #   #  --disablerepo fedora-cisco-openh264 
+    #   contents: |
+    #     [Unit]
+    #     Description=Layer packages with rpm-ostree
+    #     Wants=network-online.target
+    #     After=network-online.target
+    #     # We run before `zincati.service` to avoid conflicting rpm-ostree
+    #     # transactions.
+    #     Before=zincati.service
+    #     ConditionPathExists=!/var/lib/%N.stamp
+
+    #     [Service]
+    #     Type=oneshot
+    #     RemainAfterExit=yes
+    #     # `--allow-inactive` ensures that rpm-ostree does not return an error
+    #     # if the package is already installed. This is useful if the package is
+    #     # added to the root image in a future Fedora CoreOS release as it will
+    #     # prevent the service from failing.
+    #     ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive fail2ban fail2ban-firewalld firewalld
+    #     ExecStart=/bin/touch /var/lib/%N.stamp
+
+    #     [Install]
+    #     WantedBy=multi-user.target
+    - name: podman.socket
       enabled: true
-      contents: |
+    - name: podman.service
-        [Unit]
+      enabled: true
-        Description=Layer Cockpit with rpm-ostree
+    # - name: firewalld.service
-        Wants=network-online.target
+    #   enabled: true
-        After=network-online.target
+    # - name: pmlogger.service
-        # We run before `zincati.service` to avoid conflicting rpm-ostree
+    #   enabled: true
-        # transactions.
+    # - name: fail2ban.service
-        Before=zincati.service
+    #   enabled: true
-        ConditionPathExists=!/var/lib/%N.stamp
+    # - name: cockpit.service
-
+    #   enabled: true
-        [Service]
-        Type=oneshot
-        RemainAfterExit=yes
-        # `--allow-inactive` ensures that rpm-ostree does not return an error
-        # if the package is already installed. This is useful if the package is
-        # added to the root image in a future Fedora CoreOS release as it will
-        # prevent the service from failing.
-        ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive cockpit-system cockpit-ostree cockpit-podman cockpit-storaged cockpit-networkmanager cockpit-ostree cockpit-selinux cockpit-kdump cockpit-certificates cockpit-sosreport cockpit-tailscale cockpit-pcp
-        ExecStart=/bin/touch /var/lib/%N.stamp
-
-        [Install]
-        WantedBy=multi-user.target
-
 
 storage:
+  directories:
+    - path: /var/opt/thelounge
+    - path: /var/srv/traefik
+    # - path: /etc/firewalld
+    #   mode: 0750
+  # See: https://docs.fedoraproject.org/en-US/fedora-coreos/storage/
+  # filesystems:
+  #   - device: /dev/disk/by-partlabel/var
+  #     label: var
+  #     format: xfs
+  #     wipe_filesystem: false
+  #     path: /var
+  #     with_mount_unit: true
+  trees:
+  - local: containers
+    path: /etc/containers/systemd
+  - local: traefik
+    path: /etc/traefik
+  # - local: images
+  #   path: /var/opt/images
   files:
-    - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
+    - path: /etc/hostname
+      mode: 0644
+      contents:
+        inline: jade-personal1
+    # - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
+    #   mode: 0644
+    #   contents:
+    #     inline: |
+    #       # Fedora CoreOS disables SSH password login by default.
+    #       # Enable it.
+    #       # This file must sort before 40-disable-passwords.conf.
+    #       PasswordAuthentication yes
+    - path: /etc/zincati/config.d/55-updates-strategy.toml
+      contents:
+        inline: |
+          [updates]
+          strategy = "periodic"
+          [[updates.periodic.window]]
+          days = [ "Sat", "Sun" ]
+          start_time = "22:30"
+          length_minutes = 60
+
+    - path: /etc/systemd/zram-generator.conf
       mode: 0644
       contents:
         inline: |
-          # Fedora CoreOS disables SSH password login by default.
+          # This config file enables a /dev/zram0 device with the default settings
-          # Enable it.
+          [zram0]
-          # This file must sort before 40-disable-passwords.conf.
+    # - path: /etc/yum.repos.d/fedora-cisco-openh264.repo
-          PasswordAuthentication yes
+      # contents:
+      #   inline: |
+      #     [fedora-cisco-openh264]
+      #     name=Fedora $releasever openh264 (From Cisco) - $basearch
+      #     metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-$releasever&arch=$basearch
+      #     type=rpm
+      #     enabled=0
+      #     metadata_expire=14d
+      #     repo_gpgcheck=0
+      #     gpgcheck=1
+      #     gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+      #     skip_if_unavailable=True
+
+      #     [fedora-cisco-openh264-debuginfo]
+      #     name=Fedora $releasever openh264 (From Cisco) - $basearch - Debug
+      #     metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-$releasever&arch=$basearch
+      #     type=rpm
+      #     enabled=0
+      #     metadata_expire=14d
+      #     repo_gpgcheck=0
+      #     gpgcheck=1
+      #     gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
+      #     skip_if_unavailable=True

servers/traefik/config.toml

@@ -0,0 +1,25 @@
+[log]
+level = "DEBUG"
+# [ping]
+
+[providers.docker]
+exposedbydefault = false
+[entrypoints.http]
+address = ":80"
+[entrypoints.https]
+address = ":443"
+
+[certificatesresolvers.letsencrypt.acme]
+email = 'jade@ellis.link'
+storage = "/certificates/acme.json"
+
+# - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+# - "--certificatesresolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
+tlschallenge = true
+
+[entrypoints.http.http.redirections.entryPoint]
+to="https" 
+scheme = "https"
+
+[entryPoints.traefik]
+address = ":9000"