forked from travier/fedora-coreos-matrix
-
Notifications
You must be signed in to change notification settings - Fork 0
/
config.yaml
248 lines (224 loc) · 9.33 KB
/
config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
variant: fcos
version: 1.3.0
passwd:
users:
- name: core
ssh_authorized_keys:
- %%SSH_PUBKEY%%
systemd:
units:
- name: cgroups-v2-karg.service
enabled: true
contents: |
[Unit]
Description=Switch To cgroups v2 and disable Docker
# We run after `systemd-machine-id-commit.service` to ensure that
# `ConditionFirstBoot=true` services won't rerun on the next boot.
After=systemd-machine-id-commit.service
ConditionKernelCommandLine=systemd.unified_cgroup_hierarchy
ConditionPathExists=!/var/lib/cgroups-v2-karg.stamp
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/systemctl disable --now docker.socket
ExecStart=/bin/rpm-ostree kargs --delete=systemd.unified_cgroup_hierarchy
ExecStart=/bin/touch /var/lib/cgroups-v2-karg.stamp
ExecStart=/bin/systemctl --no-block reboot
[Install]
WantedBy=multi-user.target
- name: podmanpod.service
enabled: true
contents: |
[Unit]
Description=Creates a podman pod to run the matrix services.
After=cgroups-v2-karg.service network-online.target
Wants=After=cgroups-v2-karg.service network-online.target
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=sh -c 'podman pod exists matrix || podman pod create -n matrix -p 80:80 -p 443:443 -p 8448:8448'
[Install]
WantedBy=multi-user.target
- name: postgres.service
enabled: true
contents: |
[Unit]
Description=Run the database service for matrix
After=podmanpod.service network-online.target
Wants=network-online.target
Requires=podmanpod.service
[Service]
EnvironmentFile=/etc/postgresql_synapse
ExecStart=/bin/podman run --name=postgres \
--pull=always \
--read-only \
--pod=matrix \
--rm \
-e POSTGRES_USER=synapse \
-e POSTGRES_DB=synapse \
-e POSTGRES_INITDB_ARGS="--encoding='UTF8' --lc-collate='C' --lc-ctype='C'" \
-e POSTGRES_PASSWORD=$POSTGRES_PASSWORD \
-v /var/srv/matrix/postgres:/var/lib/postgresql/data:z \
docker.io/library/postgres:13 \
-c listen_addresses='*'
ExecStop=/bin/podman rm --force --ignore postgres
[Install]
WantedBy=multi-user.target
- name: synapse.service
enabled: true
contents: |
[Unit]
Description=Run the synapse service.
After=podmanpod.service network-online.target
Wants=network-online.target
Requires=podmanpod.service
[Service]
ExecStart=/bin/podman run --name=synapse \
--pull=always \
--read-only \
--pod=matrix \
--rm \
-v /var/srv/matrix/synapse:/data:z \
docker.io/matrixdotorg/synapse:latest
ExecStop=/bin/podman rm --force --ignore synapse
[Install]
WantedBy=multi-user.target
- name: nginx.service
enabled: true
contents: |
[Unit]
Description=Run the nginx server
After=podmanpod.service network-online.target certbot-firstboot.service
Wants=network-online.target
Requires=podmanpod.service certbot-firstboot.service
[Service]
ExecStartPre=/bin/podman pull docker.io/nginx:stable
ExecStart=/bin/podman run --name=nginx \
--pull=always \
--pod=matrix \
--rm \
--volume /var/srv/matrix/nginx/nginx.conf:/etc/nginx/nginx.conf:ro,z \
--volume /var/srv/matrix/nginx/dhparam:/etc/nginx/dhparam:ro,z \
--volume /var/srv/matrix/letsencrypt-webroot:/var/www:ro,z \
--volume /var/srv/matrix/letsencrypt-certs:/etc/letsencrypt:ro,z \
--volume /var/srv/matrix/well-known:/var/well-known:ro,z \
docker.io/nginx:stable
ExecStop=/bin/podman rm --force --ignore nginx
[Install]
WantedBy=multi-user.target
- name: certbot-firstboot.service
enabled: true
contents: |
[Unit]
Description=Run certbot to get certificates from Let's Encrypt
ConditionPathExists=!/var/srv/matrix/letsencrypt-certs/archive
After=podmanpod.service network-online.target nginx-http.service
Wants=network-online.target
Requires=podmanpod.service nginx-http.service
[Service]
Type=oneshot
ExecStart=/bin/podman run --name=certbot \
--pod=matrix \
--rm \
--cap-drop all \
--volume /var/srv/matrix/letsencrypt-webroot:/var/lib/letsencrypt:rw,z \
--volume /var/srv/matrix/letsencrypt-certs:/etc/letsencrypt:rw,z \
docker.io/certbot/certbot:latest \
--agree-tos --webroot certonly
[Install]
WantedBy=multi-user.target
- name: nginx-http.service
enabled: true
contents: |
[Unit]
Description=Run the nginx HTTP server for Let's Encrypt bootstrap
After=podmanpod.service network-online.target
Wants=network-online.target
Requires=podmanpod.service
[Service]
# Pull the image in ExecStartPre for more accurate startup dependency tracking
ExecStartPre=/bin/podman pull docker.io/nginx:stable
ExecStart=/bin/podman run --name=nginx-http \
--pod=matrix \
--rm \
--volume /var/srv/matrix/letsencrypt-webroot:/var/www:ro,z \
--volume /var/srv/matrix/nginx-http/nginx.conf:/etc/nginx/nginx.conf:ro,z \
docker.io/nginx:stable
ExecStop=/bin/podman rm --force --ignore nginx-http
[Install]
WantedBy=multi-user.target
- name: element-web.service
enabled: true
contents: |
[Unit]
Description=Run the element-web container
After=podmanpod.service network-online.target
Wants=network-online.target
Requires=podmanpod.service
[Service]
ExecStart=/bin/podman run --name=element-web \
--pull=always \
--pod=matrix \
--rm \
--volume /var/srv/matrix/element-web/nginx.conf:/etc/nginx/nginx.conf:ro,z \
--volume /var/srv/matrix/element-web/config.json:/app/config.json:ro,z \
docker.io/vectorim/element-web:latest
ExecStop=/bin/podman rm --force --ignore element-web
[Install]
WantedBy=multi-user.target
- name: certbot.timer
enabled: true
contents: |
[Unit]
Description=Weekly check for Let's Encrypt's certificates renewal
[Timer]
OnCalendar=Sun *-*-* 02:00:00
Persistent=true
[Install]
WantedBy=timers.target
- name: certbot.service
enabled: false
contents: |
[Unit]
Description=Let's Encrypt certificate renewal
ConditionPathExists=/var/srv/matrix/letsencrypt-certs/archive
After=podmanpod.service network-online.target nginx-http.service
Wants=network-online.target
Requires=podmanpod.service nginx-http.service
[Service]
Type=oneshot
ExecStart=/bin/podman run --name=certbot \
--pod=matrix \
--rm \
--cap-drop all \
--volume /var/srv/matrix/letsencrypt-webroot:/var/lib/letsencrypt:rw,z \
--volume /var/srv/matrix/letsencrypt-certs:/etc/letsencrypt:rw,z \
docker.io/certbot/certbot:latest \
renew
ExecStartPost=/bin/systemctl restart --no-block nginx.service
storage:
directories:
- path: /var/srv/matrix
mode: 0700
- path: /var/srv/matrix/synapse/media_store
mode: 0777
- path: /var/srv/matrix/postgres
- path: /var/srv/matrix/letsencrypt-webroot
trees:
- local: synapse
path: /var/srv/matrix/synapse
- local: nginx
path: /var/srv/matrix/nginx
- local: nginx-http
path: /var/srv/matrix/nginx-http
- local: letsencrypt-certs
path: /var/srv/matrix/letsencrypt-certs
- local: well-known
path: /var/srv/matrix/well-known
- local: element-web
path: /var/srv/matrix/element-web
files:
- path: /etc/postgresql_synapse
contents:
local: postgresql_synapse
mode: 0700