diff --git a/packages/website/src/lib/Hero.svelte b/packages/website/src/lib/Hero.svelte
index b068cca4..8b25a628 100644
--- a/packages/website/src/lib/Hero.svelte
+++ b/packages/website/src/lib/Hero.svelte
@@ -8,7 +8,7 @@

JadedBlueEyes

-
Finally, a website!
+
Working on it! Come back later :)
diff --git a/servers/config.bu b/servers/config.bu
index 8c78a055..4b5b92b6 100644
--- a/servers/config.bu
+++ b/servers/config.bu
@@ -1,11 +1,26 @@
+# butane --pretty --strict main.bu -d . | save -f main.ign
+# open main.ign | ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" core@176.126.240.240 -T "cat > main.ign"
+# sudo coreos-installer install /dev/vda --ignition-file main.ign --save-partlabel *
+
 variant: fcos version: 1.5.0 -ignition: - config: - replace: - source: https://jade-coreos-config.netlify.app/main.ign +# ignition: +# config: +# replace: +# source: https://jade-coreos-config.netlify.app/main.ign passwd: users: - name: core ssh_authorized_keys: - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqathM/KAjYvI4NzwDs4UJxVcMyv+xwYt0axPP7HzmZ \ No newline at end of file + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqathM/KAjYvI4NzwDs4UJxVcMyv+xwYt0axPP7HzmZ + +storage: + files: + - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf + mode: 0644 + contents: + inline: | + # Fedora CoreOS disables SSH password login by default. + # Enable it. + # This file must sort before 40-disable-passwords.conf. + PasswordAuthentication yes
\ No newline at end of file
diff --git a/servers/containers/jade-website-frontend.container b/servers/containers/jade-website-frontend.container
new file mode 100644
index 00000000..249a45a1
--- /dev/null
+++ b/servers/containers/jade-website-frontend.container
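Review bot: The new `storage.files` entry at the end of the hunk drops `PasswordAuthentication yes` into `/etc/ssh/sshd_config.d/20-enable-passwords.conf`, re-enabling SSH password login on a host the header comment reaches by public IP, while the same file already provisions `ssh_authorized_keys` for `core` and sets no password hash, so the drop-in adds nothing to the key-based workflow and reopens the brute-force surface Fedora CoreOS closes by default. If it is only needed during installation, keep it out of the durable config (main.bu already carries the same entry commented out) or record the intended lifetime above it, e.g. `# TEMPORARY: bootstrap only - remove once key login is confirmed`. The `-o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no"` options in the upload recipe skip host-key verification; that is understandable for a freshly installed host whose key is not yet known, but a comment saying so would stop the recipe being copied into routine use.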
@@ -0,0 +1,27 @@
+
+
+[Unit]
+Description=Website Frontend
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=jade-website-frontend
+NoNewPrivileges=true
+Image=oci-archive:/opt/images/jade-website-frontend
+# Volume=/var/opt/thelounge:/var/opt/thelounge:z,U
+AutoUpdate=local
+Network=web.network
+
+Label="traefik.enable=true"
+Label="traefik.http.routers.jade-website-frontend.rule=Host(`jade.ellis.link`)"
+Label="traefik.http.routers.jade-website-frontend.entrypoints=https"
+
+Label="traefik.http.routers.jade-website-frontend.tls.certresolver=letsencrypt"
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/servers/containers/thelounge.container b/servers/containers/thelounge.container
new file mode 100644
index 00000000..70a89b74
--- /dev/null
+++ b/servers/containers/thelounge.container
@@ -0,0 +1,28 @@
+
+
+[Unit]
+Description=TheLounge (IRC web client)
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=thelounge
+NoNewPrivileges=true
+Image=ghcr.io/thelounge/thelounge:latest
+Volume=/var/opt/thelounge:/var/opt/thelounge:z,U
+AutoUpdate=registry
+Network=web.network
+
+Label="traefik.enable=true"
+Label="traefik.http.routers.thelounge.rule=Host(`thelounge.ellis.link`)"
+Label="traefik.http.services.thelounge.loadbalancer.server.port=9000"
+Label="traefik.http.routers.thelounge.entrypoints=https"
+
+Label="traefik.http.routers.thelounge.tls.certresolver=letsencrypt"
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/servers/containers/traefik.container b/servers/containers/traefik.container
new file mode 100644
index 00000000..8866bcef
--- /dev/null
+++ b/servers/containers/traefik.container
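Review bot: `# Volume=/var/opt/thelounge:/var/opt/thelounge:z,U` in the `[Container]` section is copy-paste residue from thelounge.container and has no meaning for the website frontend; delete the line rather than ship it as a disabled mount. Unlike thelounge.container, no `traefik.http.services.….loadbalancer.server.port` label is set, so the router depends on Traefik inferring the backend port from the image's exposed ports, which works only if the image exposes exactly one; worth confirming against the oci-archive, or adding the label explicitly.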
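Review bot: `Image=ghcr.io/thelounge/thelounge:latest` combined with `AutoUpdate=registry` means every push to the mutable `latest` tag is pulled and the service restarted onto it with no review step, so an upstream compromise or breaking release lands on the host unattended; traefik.container pairs `docker.io/library/traefik:latest` with the same `AutoUpdate=registry`. Pinning to a versioned tag keeps `AutoUpdate=registry` useful for rebuilds of that version while bounding what can arrive automatically, and a short comment on the `Image=` line should record the chosen update policy either way.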
@@ -0,0 +1,36 @@
+
+
+
+[Unit]
+Description=traefik web server
+Wants=network-online.target
+After=network-online.target
+
+[Container]
+ContainerName=traefik
+PodmanArgs=--privileged
+NoNewPrivileges=true
+Image=docker.io/library/traefik:latest
+PublishPort=80:80/tcp
+PublishPort=443:443/tcp
+PublishPort=443:443/udp
+# PublishPort=8448:8448/tcp
+ReadOnly=true
+Volume=/run/podman/podman.sock:/var/run/docker.sock:z
+Volume=/var/srv/traefik:/certificates:z
+Volume=/etc/traefik:/etc/traefik:ro,z
+# Volume=/var/srv/matrix/caddy/config:/config:z
+# Volume=/var/srv/matrix/caddy/data:/data:z
+# Volume=/var/srv/matrix/caddy/Caddyfile:/etc/caddy/Caddyfile:ro,z
+AutoUpdate=registry
+Network=web.network
+# IP=10.89.1.10
+
+Exec=traefik --configFile=/etc/traefik/config.toml
+
+[Service]
+Restart=on-failure
+TimeoutStartSec=900
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
diff --git a/servers/containers/web.network b/servers/containers/web.network
new file mode 100644
index 00000000..0d27f5ef
--- /dev/null
+++ b/servers/containers/web.network
@@ -0,0 +1,7 @@
+[Network]
+DisableDNS=false
+Internal=false
+
+# Manual subnet to avoid issues with DNS resolution
+Subnet=10.89.1.0/24
+Gateway=10.89.1.1
\ No newline at end of file
diff --git a/servers/firewalld/zones/public.xml b/servers/firewalld/zones/public.xml
new file mode 100644
index 00000000..46342f6b
--- /dev/null
+++ b/servers/firewalld/zones/public.xml
@@ -0,0 +1,13 @@
+ + + Public + For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. + + + + + + + + +
\ No newline at end of file
diff --git a/servers/main.bu b/servers/main.bu
index b50efe57..7de5cb43 100644
--- a/servers/main.bu
+++ b/servers/main.bu
@@ -1,3 +1,5 @@
+ #butane --pretty --strict main.bu -d . | save -f main.ign
+
 variant: fcos
 version: 1.5.0
 passwd:
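Review bot: `PodmanArgs=--privileged` in the `[Container]` section grants the proxy every capability and switches off Podman's SELinux, seccomp and device confinement, which undoes what `NoNewPrivileges=true` and `ReadOnly=true` on the neighbouring lines are reaching for; these units are installed under `/etc/containers/systemd` (rootful Podman), where the published 80/443 ports need no extra privilege, so the line can simply be removed. `Volume=/run/podman/podman.sock:/var/run/docker.sock:z` hands the container the host Podman API, which is equivalent to root on the host; note that `:ro` on the bind mount would not restrict API calls, so if that exposure is accepted it should be stated in a comment above the line, and a filtering socket proxy is the usual way to narrow it. Suggested comment: `# podman.sock = full host control; Traefik only needs docker-provider reads - consider a socket proxy`.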
@@ -9,40 +11,118 @@ passwd: systemd: units: - # Installing Cockpit as a layered package with rpm-ostree - - name: rpm-ostree-install-cockpit.service + # Installing customisations as a layered package with rpm-ostree + # - name: rpm-ostree-install-packages.service + # enabled: true + # # cockpit-certificates cockpit-tailscale + # # cockpit-system cockpit-ostree cockpit-podman cockpit-storaged cockpit-networkmanager cockpit-ostree cockpit-selinux cockpit-kdump cockpit-sosreport cockpit-pcp + # # --disablerepo fedora-cisco-openh264 + # contents: | + # [Unit] + # Description=Layer packages with rpm-ostree + # Wants=network-online.target + # After=network-online.target + # # We run before `zincati.service` to avoid conflicting rpm-ostree + # # transactions. + # Before=zincati.service + # ConditionPathExists=!/var/lib/%N.stamp + + # [Service] + # Type=oneshot + # RemainAfterExit=yes + # # `--allow-inactive` ensures that rpm-ostree does not return an error + # # if the package is already installed. This is useful if the package is + # # added to the root image in a future Fedora CoreOS release as it will + # # prevent the service from failing. + # ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive fail2ban fail2ban-firewalld firewalld + # ExecStart=/bin/touch /var/lib/%N.stamp + + # [Install] + # WantedBy=multi-user.target + - name: podman.socket enabled: true - contents: | - [Unit] - Description=Layer Cockpit with rpm-ostree - Wants=network-online.target - After=network-online.target - # We run before `zincati.service` to avoid conflicting rpm-ostree - # transactions. - Before=zincati.service - ConditionPathExists=!/var/lib/%N.stamp - - [Service] - Type=oneshot - RemainAfterExit=yes - # `--allow-inactive` ensures that rpm-ostree does not return an error - # if the package is already installed. This is useful if the package is - # added to the root image in a future Fedora CoreOS release as it will - # prevent the service from failing. 
- ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive cockpit-system cockpit-ostree cockpit-podman cockpit-storaged cockpit-networkmanager cockpit-ostree cockpit-selinux cockpit-kdump cockpit-certificates cockpit-sosreport cockpit-tailscale cockpit-pcp - ExecStart=/bin/touch /var/lib/%N.stamp - - [Install] - WantedBy=multi-user.target - + - name: podman.service + enabled: true + # - name: firewalld.service + # enabled: true + # - name: pmlogger.service + # enabled: true + # - name: fail2ban.service + # enabled: true + # - name: cockpit.service + # enabled: true storage: + directories: + - path: /var/opt/thelounge + - path: /var/srv/traefik + # - path: /etc/firewalld + # mode: 0750 + # See: https://docs.fedoraproject.org/en-US/fedora-coreos/storage/ + # filesystems: + # - device: /dev/disk/by-partlabel/var + # label: var + # format: xfs + # wipe_filesystem: false + # path: /var + # with_mount_unit: true + trees: + - local: containers + path: /etc/containers/systemd + - local: traefik + path: /etc/traefik + # - local: images + # path: /var/opt/images files: - - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf + - path: /etc/hostname + mode: 0644 + contents: + inline: jade-personal1 + # - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf + # mode: 0644 + # contents: + # inline: | + # # Fedora CoreOS disables SSH password login by default. + # # Enable it. + # # This file must sort before 40-disable-passwords.conf. + # PasswordAuthentication yes + - path: /etc/zincati/config.d/55-updates-strategy.toml + contents: + inline: | + [updates] + strategy = "periodic" + [[updates.periodic.window]] + days = [ "Sat", "Sun" ] + start_time = "22:30" + length_minutes = 60 + + - path: /etc/systemd/zram-generator.conf mode: 0644 contents: inline: | - # Fedora CoreOS disables SSH password login by default. - # Enable it. - # This file must sort before 40-disable-passwords.conf. 
- PasswordAuthentication yes \ No newline at end of file + # This config file enables a /dev/zram0 device with the default settings + [zram0] + # - path: /etc/yum.repos.d/fedora-cisco-openh264.repo + # contents: + # inline: | + # [fedora-cisco-openh264] + # name=Fedora $releasever openh264 (From Cisco) - $basearch + # metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-$releasever&arch=$basearch + # type=rpm + # enabled=0 + # metadata_expire=14d + # repo_gpgcheck=0 + # gpgcheck=1 + # gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch + # skip_if_unavailable=True + + # [fedora-cisco-openh264-debuginfo] + # name=Fedora $releasever openh264 (From Cisco) - $basearch - Debug + # metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-$releasever&arch=$basearch + # type=rpm + # enabled=0 + # metadata_expire=14d + # repo_gpgcheck=0 + # gpgcheck=1 + # gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch + # skip_if_unavailable=True
\ No newline at end of file
diff --git a/servers/traefik/config.toml b/servers/traefik/config.toml
new file mode 100644
index 00000000..7e62c0dc
--- /dev/null
+++ b/servers/traefik/config.toml
@@ -0,0 +1,25 @@
+[log]
+level = "DEBUG"
+# [ping]
+
+[providers.docker]
+exposedbydefault = false
+[entrypoints.http]
+address = ":80"
+[entrypoints.https]
+address = ":443"
+
+[certificatesresolvers.letsencrypt.acme]
+email = 'jade@ellis.link'
+storage = "/certificates/acme.json"
+
+# - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
+# - "--certificatesresolvers.letsencrypt.acme.httpChallenge.entryPoint=http"
+tlschallenge = true
+
+[entrypoints.http.http.redirections.entryPoint]
+to="https"
+scheme = "https"
+
+[entryPoints.traefik]
+address = ":9000"
\ No newline at end of file
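Review bot: `- path: /var/srv/traefik` under `storage.directories` carries no `mode:`, so Ignition creates it with the default directory mode (0755); traefik.container bind-mounts that directory as `/certificates`, where config.toml stores `acme.json` with the ACME account key and the issued private keys. Traefik tightens the file itself, but the directory is the defence-in-depth layer and should get `mode: 0700` (the commented `/etc/firewalld` entry shows the syntax). The hunk also parks long commented-out blocks (the rpm-ostree layering unit, the firewalld/fail2ban/pmlogger/cockpit units, the openh264 repo) with no word on why; a one-line `# disabled: <reason>` above each would keep them from reading as dead config, and `55-updates-strategy.toml` is the only active file entry without an explicit `mode:`.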
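Review bot: `level = "DEBUG"` under `[log]` leaves an internet-facing proxy logging at its most verbose level, which is noisy, costly to retain, and records request detail that does not belong in long-lived logs; once the ACME flow is confirmed it should drop to `level = "INFO"`, or the DEBUG line should carry a comment marking it temporary. The two `# - "--certificatesresolvers…"` lines are compose-style CLI flags pasted into a TOML file and merely shadow the `tlschallenge = true` decision below them; replace them with a TOML comment such as `# ACME via TLS-ALPN on :443; the HTTP-01 challenge is not used`. Casing and spacing are mixed — `[entrypoints.*]` next to `[entryPoints.traefik]`, `to="https"` next to `scheme = "https"`, single quotes for `email` only — which Traefik tolerates but one convention per file reads better. Nothing in this commit publishes port 9000 or enables the API, so the `[entryPoints.traefik]` block looks unused unless a dashboard is planned; a comment saying which would help.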