Initial commit

installation/basic.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+echo "Basic setup"
+
+# Enable community repo
+sed -i 's|^#\(http.*/community\)$|\1|' /etc/apk/repositories
+apk update
+
+# Cron jobs
+rc-update add crond
+cat << EOF > /etc/periodic/daily/chrony
+#!/bin/sh
+chronyc makestep
+EOF
+
+# Allow local.d services
+rc-update add local default
+rc-service local start

installation/firewall.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+echo "Setting up firewall..."
+
+apk add -u awall # important -u flag!
+apk add ip6tables iptables
+modprobe -v ip_tables
+modprobe -v ip6_tables
+modprobe -v iptable_nat #if NAT is used
+
+# Register services
+rc-update add iptables
+rc-update add ip6tables
+rc-service iptables start
+rc-service ip6tables start

installation/podman.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+echo "Installing Podman..."
+
+apk add podman iptables podman-compose
+rc-update add cgroups
+rc-service cgroups start
+
+# Rootless mode
+adduser -D podman
+modprobe tun
+echo tun >> /etc/modules
+echo podman:100000:65536 > /etc/subuid
+echo podman:100000:65536 > /etc/subgid
+doas su -c "podman system migrate" podman
+
+# Get rid of podman compose docker warning
+touch /etc/containers/nodocker
+
+# Fix shared mount with local service
+cat << EOF > /etc/local.d/mount-rshared.start
+#!/bin/sh 
+mount --make-rshared /
+EOF
+
+chmod +x /etc/local.d/mount-rshared.start
+
+# Allow ports >= 53 to be rootless bound
+sysctl net.ipv4.ip_unprivileged_port_start=53