From 1db8eb22a5fac716fe6c459465ad3c3d7b2ac0ce Mon Sep 17 00:00:00 2001
From: Job79
Date: Wed, 1 May 2024 21:11:21 +0200
Subject: [PATCH] init
---
news-postgres-backup.volume | 2 ++
news-postgres.backup | 6 ++++++
news-postgres.container | 24 ++++++++++++++++++++++++
news-postgres.volume | 0
news.caddy | 6 ++++++
news.container | 29 +++++++++++++++++++++++++++++
news.network | 2 ++
7 files changed, 69 insertions(+)
create mode 100644 news-postgres-backup.volume
create mode 100755 news-postgres.backup
create mode 100644 news-postgres.container
create mode 100644 news-postgres.volume
create mode 100644 news.caddy
create mode 100644 news.container
create mode 100644 news.network
diff --git a/news-postgres-backup.volume b/news-postgres-backup.volume
new file mode 100644
index 0000000..9057088
--- /dev/null
+++ b/news-postgres-backup.volume
@@ -0,0 +1,2 @@
+[Volume]
+Label="backup=true"
diff --git a/news-postgres.backup b/news-postgres.backup
new file mode 100755
index 0000000..a78b35f
--- /dev/null
+++ b/news-postgres.backup
@@ -0,0 +1,6 @@
+#!/bin/sh
+# podman exec -it systemd-news-postgres psql -U postgres -f /backup/dump.sql
+
+echo 'news-postgres: creating backup'
+podman exec systemd-news-postgres pg_dumpall -U postgres -f /backup/dump.sql
+echo 'news-postgres: finished'
diff --git a/news-postgres.container b/news-postgres.container
new file mode 100644
index 0000000..f77c7ad
--- /dev/null
+++ b/news-postgres.container
@@ -0,0 +1,24 @@
+[Container]
+Image=docker.io/postgres:16-alpine
+AutoUpdate=registry
+Network=news.network
+
+# environment
+Secret=news-postgres-password,target=POSTGRES_PASSWORD,type=env
+
+# storage
+VolatileTmp=true
+Volume=news-postgres.volume:/var/lib/postgresql/data
+Volume=news-postgres-backup.volume:/backup
+
+# security
+ReadOnly=true
+NoNewPrivileges=true
+DropCapability=ALL
+AddCapability=CHOWN DAC_OVERRIDE FOWNER SETGID SETUID
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target default.target
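Review bot: In news-postgres.backup, `pg_dumpall ... -f /backup/dump.sql` writes straight over the previous dump and the script checks no exit status, so a failed or interrupted run leaves a truncated file as the only backup and still prints "finished". Dump to a temporary name and rename only on success, for example `podman exec systemd-news-postgres sh -c 'pg_dumpall -U postgres -f /backup/dump.sql.tmp && mv /backup/dump.sql.tmp /backup/dump.sql' || exit 1`. A pg_dumpall dump also contains the role definitions with their password hashes, so the backup volume and every place it is copied to should be access-restricted like the secrets themselves.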
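Review bot: In news-postgres.container, `Image=docker.io/postgres:16-alpine` combined with `AutoUpdate=registry` means whatever the registry serves under that floating tag is pulled and started without review. The same applies, more strongly, to `Image=docker.io/miniflux/miniflux:latest` in news.container, where `latest` can also cross major releases while `RUN_MIGRATIONS=1` is set. Consider pinning both to a specific release, such as `Image=docker.io/miniflux/miniflux:<release-tag>` or a `@sha256:<digest>` reference, and moving the pin through a reviewed commit. If unattended updates are kept, a comment next to `AutoUpdate=registry` should record that this trust in the registry is intentional.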
diff --git a/news-postgres.volume b/news-postgres.volume
new file mode 100644
index 0000000..e69de29
diff --git a/news.caddy b/news.caddy
new file mode 100644
index 0000000..6992e9c
--- /dev/null
+++ b/news.caddy
@@ -0,0 +1,6 @@
+news.plabble.org {
+ reverse_proxy systemd-news:8080
+ encode zstd gzip
+ log access
+ import default-headers
+}
diff --git a/news.container b/news.container
new file mode 100644
index 0000000..99e47a6
--- /dev/null
+++ b/news.container
@@ -0,0 +1,29 @@
+[Container]
+Image=docker.io/miniflux/miniflux:latest
+AutoUpdate=registry
+Network=news.network
+
+# environment
+Environment=RUN_MIGRATIONS=1
+Environment=CREATE_ADMIN=1
+Environment=ADMIN_USERNAME=admin
+Secret=news-adminpass,target=ADMIN_PASSWORD,type=env
+Secret=news-connectionstr,target=DATABASE_URL,type=env
+
+# storage
+VolatileTmp=true
+
+# security
+ReadOnly=true
+NoNewPrivileges=true
+DropCapability=ALL
+AddCapability=CHOWN DAC_OVERRIDE FOWNER SETGID SETUID
+
+[Service]
+Restart=always
+
+[Unit]
+After=news-postgres.service
+
+[Install]
+WantedBy=multi-user.target default.target
diff --git a/news.network b/news.network
new file mode 100644
index 0000000..f227d61
--- /dev/null
+++ b/news.network
@@ -0,0 +1,2 @@
+[Network]
+Label="caddy=true"
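Review bot: In news.container, the `AddCapability=CHOWN DAC_OVERRIDE FOWNER SETGID SETUID` line looks copied from news-postgres.container, where the entrypoint presumably needs it to chown the data directory and drop privileges. This unit mounts no volume, and the Miniflux image is, as far as I know, built to run as an unprivileged user, so the capabilities are probably unnecessary. Try the unit with only `DropCapability=ALL` and re-add a single capability only if startup fails. Separately, `CREATE_ADMIN=1` with `ADMIN_USERNAME=admin` stays in effect on every start of a service that news.caddy publishes at news.plabble.org; consider a less guessable username, or removing both variables once the account exists.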