Error in config!

installation/podman.sh

@@ -34,3 +34,10 @@ rc-service local start
 # Allow ports >= 53 to be rootless bound, persistent
 echo "net.ipv4.ip_unprivileged_port_start=53" >> /etc/sysctl.d/podman.conf
 sysctl -p /etc/sysctl.d/podman.conf
+
+# Enable and start Podman socket
+echo 'podman_user="podman"' >> /etc/rc.conf
+
+rc-update add podman
+rc-service podman start
+chmod 666 /run/podman/podman.sock

services/adguard/update.sh

@@ -3,4 +3,3 @@ mkdir -p /var/containers/adguard
 cp -f $(pwd)/AdGuardHome.yaml /var/containers/adguard/AdGuardHome.yaml
 chmod +x /etc/init.d/adguard.service
 rc-update add adguard.service default
-rc-service adguard.service start

services/caddy/Caddyfile

@@ -1,63 +1,52 @@
 # https://hackviser.com/tactics/hardening/caddy
 {
-	auto_https disable_redirects
+    auto_https disable_redirects
 
-	# Do not write access logs to journald.
-	log {
-		exclude http.log.access
-	}
+    # Do not write access logs to journald.
+    log {
+        exclude http.log.access
+    }
 
-	# Write access logs to the logs volume in json
-	# format. Only keep logs for the last 30 days.
-	log access {
-		format json
-		output file /data/logs/access.log {
-			roll_keep_for 720h
-		}
-	}
+    # Write access logs to the logs volume in JSON format. Only keep logs for the last 30 days.
+    log access {
+        format json
+        output file /data/logs/access.log {
+            roll_keep_for 720h
+        }
+    }
 }
 
-# Block with default http config that accepts requests on
-# fd/3 and redirects to https.
+# Block with default HTTP config that redirects to HTTPS
 (https-redir) {
-	bind fd/3 {
-		protocols h1
-	}
-	redir https://{host}{uri} 308
+    bind 0.0.0.0:80  # Listen on port 80 (HTTP)
+    redir https://{host}{uri} 308
 }
 
-# Block with default https config that accepts requests on
-# fd/4 and fdgram/5.
+# Block with default HTTPS config that accepts requests on port 443 (HTTP/1, HTTP/2, and HTTP/3)
 (https) {
-	bind fd/4 {
-		protocols h1 h2
-	}
-	bind fdgram/5 {
-		protocols h3
-	}
+    bind 0.0.0.0:443  # Listen on port 443 (HTTPS)
 }
 
 # Block with compression configuration.
 (compression) {
-	encode zstd gzip
+    encode zstd gzip
 }
 
-# Block with headers that should be used by most
-# sites. Add HSTS and some other security headers.
+# Block with headers that should be used by most sites. Add HSTS and other security headers.
 # Remove the server header because without it caddy
 # leaks the backend server version.
 # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
 # https://scotthelme.co.uk/content-security-policy-an-introduction/
 (default-headers) {
-	header {
-		Strict-Transport-Security max-age=31536000; includeSubDomains; preload
-		X-Content-Type-Options nosniff
-		X-Frame-Options sameorigin
-		Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
-		Referrer-Policy: same-origin
-		-Server
-		-X-Powered-By
-	}
+    header {
+        Strict-Transport-Security max-age=31536000; includeSubDomains; preload
+        X-Content-Type-Options nosniff
+        X-Frame-Options sameorigin
+        Content-Security-Policy default-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline';
+        Referrer-Policy: same-origin
+        -Server
+        -X-Powered-By
+    }
 }
 
 import *.caddy

services/caddy/install.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+chmod +x /etc/init.d/caddy.service
+rc-update add caddy.service default
+rc-service caddy.service start

services/caddy/update.sh

@@ -2,10 +2,7 @@
 mkdir -p /var/containers/caddy
 cp -f ./Caddyfile /var/containers/caddy/Caddyfile
 chown -R podman:podman /var/containers/caddy
-chmod +x /etc/init.d/caddy.service
-rc-update add caddy.service default
-rc-service caddy.service start
 
 if [ "$1" = "reload" ]; then
-  podman exec caddy caddy reload -c /etc/caddy/Caddyfile
+  su -c "podman exec caddy caddy reload -c /etc/caddy/Caddyfile" podman
 fi

services/firewall/rules.nft

@@ -76,11 +76,15 @@ table inet firewall {
     udp dport { 67, 68, 784 } accept
     tcp dport { 853 } accept
 
-    # Allow DNS from LAN and VPN
-    ip saddr { $lan_net, $vpn_net } udp dport 53 accept
-    ip6 saddr $lan_net6 udp dport 53 accept
-    ip saddr { $lan_net, $vpn_net } tcp dport 53 accept
-    ip6 saddr $lan_net6 tcp dport 53 accept
+    # Allow DNS (53), SMB (445, no netbios ports) from LAN and VPN
+    ip saddr { $lan_net, $vpn_net } udp dport { 53, 445 } accept
+    ip6 saddr $lan_net6 udp dport { 53, 445 } accept
+    ip saddr { $lan_net, $vpn_net } tcp dport { 53, 445 } accept
+    ip6 saddr $lan_net6 tcp dport { 53, 445 } accept
+
+    # Allow MongoDB from LAN and VPN
+    ip saddr { $lan_net, $vpn_net } tcp dport 27017 accept
+    ip6 saddr $lan_net6 tcp dport 27017 accept
 
     # Allow Minecraft server access from LAN and VPN
     ip saddr { $lan_net, $vpn_net } tcp dport 25565 accept

services/gitea/gitea-runner.service.toml

@@ -0,0 +1,31 @@
+user = "podman"
+capabilities = ["DAC_OVERRIDE"]
+
+[service]
+name = "gitea-runner"
+image = "docker.io/gitea/act_runner:latest"
+depend = ["gitea.service"]
+
+[environment]
+GITEA_INSTANCE_URL = "http://gitea:3000"
+GITEA_RUNNER_NAME = "Goofjes Runner"
+CONFIG_FILE = "/config/config.yaml"
+
+[[environment_secrets]]
+name = "GITEA_RUNNER_REGISTRATION_TOKEN"
+secret = "gitea-runner-registration-token"
+
+[[volumes]]
+source = "/var/containers/gitea/runner"
+target = "/config"
+
+[[mounts]]
+typ = "bind"
+source = "/tmp/storage-run-$(id -u)/podman/podman.sock"
+target = "/var/run/docker.sock"
+
+[[networks]]
+name = "gitea-net"
+
+[[networks]]
+name = "gitea-net"

services/gitea/gitea.caddy

@@ -0,0 +1,11 @@
+http://git.goofjes.nl {
+	import https-redir
+}
+
+https://git.goofjes.nl {
+	import https
+	import compression
+	import default-headers
+	log access
+	reverse_proxy gitea:3000
+}

services/gitea/install.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+chmod +x /etc/init.d/gitea.service
+chmod +x /etc/init.d/gitea-runner.service
+rc-update add gitea.service default
+rc-update add gitea-runner.service default
+
+# Create runner registration token secret
+cd /tmp
+su -c "openssl rand -hex 24 | podman secret create gitea-runner-registration-token -" podman

services/gitea/runner-config.yaml

@@ -0,0 +1,110 @@
+# Example configuration file, it's safe to copy this as the default config file without any modification.
+
+# You don't have to copy this file to your instance,
+# just run `./act_runner generate-config > config.yaml` to generate a config file.
+
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 1
+  # Extra environment variables to run jobs.
+  envs:
+    A_TEST_ENV_NAME_1: a_test_env_value_1
+    A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # The timeout for the runner to wait for running jobs to finish when shutting down.
+  # Any running jobs that haven't finished after this timeout will be cancelled.
+  shutdown_timeout: 0s
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The github_mirror of a runner is used to specify the mirror address of the github that pulls the action repository.
+  # It works when something like `uses: actions/checkout@v4` is used and DEFAULT_ACTIONS_URL is set to github,
+  # and github_mirror is not empty. In this case,
+  # it replaces https://github.com with the value here, which is useful for some special network environments.
+  github_mirror: ''
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: "macos-arm64:host" or "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
+  # Find more images provided by Gitea at https://gitea.com/docker.gitea.com/runner-images .
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `daemon`, will use labels in `.runner` file.
+  labels:
+    - "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
+    - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: "gitea-net"
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
+  # If the path starts with '/', the '/' will be trimmed.
+  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+  # Pull docker image(s) even if already present
+  force_pull: true
+  # Rebuild docker image(s) even if already present
+  force_rebuild: false
+  # Always require a reachable docker daemon, even if not required by act_runner
+  require_docker: false
+  # Timeout to wait for the docker daemon to be reachable, if docker is required by require_docker or act_runner
+  docker_timeout: 0s
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

services/gitea/service.toml

@@ -0,0 +1,41 @@
+user = "podman"
+capabilities = ["NET_BIND_SERVICE", "DAC_OVERRIDE"]
+
+[service]
+name = "gitea"
+image = "docker.gitea.com/gitea:latest-rootless"
+depend = ["postgres.service"]
+
+[environment]
+GITEA__database__DB_TYPE = "postgres"
+GITEA__database__HOST = "postgres:5432"
+GITEA__database__NAME = "gitea"
+GITEA__database__USER = "admin"
+GITEA__database__PASSWD = "welcome123"
+GITEA_RUNNER_REGISTRATION_TOKEN_FILE = "/run/secrets/gitea-runner-registration-token"
+GITEA_CUSTOM = "/etc/gitea/custom"
+
+[[secrets]]
+key = "gitea-runner-registration-token"
+
+[[networks]]
+name = "gitea-net"
+group = "caddy"
+
+[[networks]]
+name = "gitea-net"
+group = "postgres"
+
+[[mounts]]
+typ = "bind"
+source = "/etc/localtime"
+target = "/etc/localtime"
+read_only = true
+
+[[volumes]]
+source = "/var/containers/gitea/data"
+target = "/var/lib/gitea"
+
+[[volumes]]
+source = "/var/containers/gitea/config"
+target = "/etc/gitea"

services/gitea/update.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+mkdir -p /var/containers/gitea/data
+mkdir -p /var/containers/gitea/config
+mkdir -p /var/containers/gitea/config/custom
+mkdir -p /var/containers/gitea/runner
+
+cp -f ./runner-config.yaml /var/containers/gitea/runner/config.yaml
+cp -f ./custom /var/containers/gitea/config/custom
+
+chown -R podman:podman /var/containers/gitea
+
+# Create gitea database if it doesn't exist; using PostgreSQL
+cd /tmp
+su -c "podman exec -it postgres psql -U admin -c 'CREATE DATABASE gitea;'" podman

services/immich/immich-ml.service.toml

@@ -0,0 +1,19 @@
+user = "podman"
+
+[service]
+name = "immich_machine_learning"
+hostname = "immich-machine-learning"
+image = "ghcr.io/immich-app/immich-machine-learning:release"
+
+[[networks]]
+name = "immich"
+group = "caddy"
+
+[[volumes]]
+source = "immich-ml-data"
+target = "/cache"
+
+[environment]
+DB_USERNAME = "immich"
+DB_PASSWORD = "EBYUcFlxwocGSL2"
+DB_DATABASE_NAME = "immich"

services/immich/immich-postgres.service.toml

@@ -0,0 +1,20 @@
+user = "podman"
+
+[service]
+name = "immich_postgres"
+hostname = "database"
+image = "ghcr.io/immich-app/postgres:14-vectorchord0.4.3-pgvectors0.2.0@sha256:41eacbe83eca995561fe43814fd4891e16e39632806253848efaf04d3c8a8b84"
+
+[[networks]]
+name = "immich"
+group = "caddy"
+
+[[volumes]]
+source = "/mnt/ssd/immich-postgres"
+target = "/var/lib/postgresql/data"
+
+[environment]
+POSTGRES_USER = "immich"
+POSTGRES_PASSWORD = "EBYUcFlxwocGSL2"
+POSTGRES_DB = "immich"
+POSTGRES_INITDB_ARGS = "--data-checksums"

services/immich/immich-redis.service.toml

@@ -0,0 +1,13 @@
+user = "podman"
+
+[service]
+name = "immich_redis"
+hostname = "redis"
+image = "docker.io/valkey/valkey:8-bookworm@sha256:fea8b3e67b15729d4bb70589eb03367bab9ad1ee89c876f54327fc7c6e618571"
+
+[[networks]]
+name = "immich"
+group = "caddy"
+
+[service.healthcheck]
+cmd = "redis-cli ping || exit 1"

services/immich/immich-server.service.toml

@@ -0,0 +1,25 @@
+user = "podman"
+
+[service]
+name = "immich_server"
+image = "ghcr.io/immich-app/immich-server:release"
+depend = ["immich_redis.service", "immich_postgres.service"]
+
+[[networks]]
+name = "immich"
+group = "caddy"
+
+[[mounts]]
+typ = "bind"
+source = "/etc/localtime"
+target = "/etc/localtime"
+readonly = true
+
+[[volumes]]
+source = "/mnt/ssd/immich"
+target = "/data"
+
+[environment]
+DB_USERNAME = "immich"
+DB_PASSWORD = "EBYUcFlxwocGSL2"
+DB_DATABASE_NAME = "immich"

services/immich/immich.caddy

@@ -0,0 +1,11 @@
+http://photos.goofjes.nl {
+	import https-redir
+}
+
+https://photos.goofjes.nl {
+	import https
+	import compression
+	import default-headers
+	log access
+	reverse_proxy immich_server:2283
+}

services/immich/install.sh

@@ -0,0 +1,6 @@
+#!/bin/sh
+chmod +x /etc/init.d/immich*.service
+rc-update add immich_server.service default
+rc-update add immich_redis.service default
+rc-update add immich_machine_learning.service default
+rc-update add immich_postgres.service default

services/immich/restart.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# Only allow 'start' or 'stop' as the first argument
+if [[ "$1" != "start" && "$1" != "stop" && "$1" != "restart" ]]; then
+  echo "Usage: $0 {start|stop|restart}"
+  exit 1
+fi
+
+# List of OpenRC services (without .service suffix)
+services=(
+  immich_machine_learning
+  immich_postgres
+  immich_redis
+  immich_server
+)
+
+for service in "${services[@]}"; do
+  echo "$1 $service..."
+  rc-service "$service.service" $1
+
+  # Optional: check if command was successful
+  if [ $? -eq 0 ]; then
+    echo "$service ${1}ed successfully."
+  else
+    echo "Failed to $1 $service."
+  fi
+done

services/immich/update.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+if [ "$1" = "reload" ]; then
+    rc-service immich_redis.service restart
+    rc-service immich_postgres.service restart
+    rc-service immich_machine_learning.service restart
+    rc-service immich_server.service restart
+fi

services/jellyfin/install.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+chown -R podman:podman /mnt/ssd/jellyfin
+chmod -R 775 /mnt/ssd/jellyfin
+
+chmod +x /etc/init.d/jellyfin.service
+rc-update add jellyfin.service default
+
+# If you encounter the following error: Error: statfs /mnt/ssd/jellyfin: no such file or directory
+# Please run "podman system migrate"...

services/jellyfin/jellyfin.caddy

@@ -0,0 +1,11 @@
+http://watch.goofjes.nl {
+	import https-redir
+}
+
+https://watch.goofjes.nl {
+	import https
+	import compression
+	import default-headers
+	log access
+	reverse_proxy jellyfin.container:8096
+}

services/jellyfin/service.toml

@@ -0,0 +1,23 @@
+user = "podman"
+
+[service]
+name = "jellyfin"
+hostname = "jellyfin.container"
+image = "jellyfin/jellyfin"
+
+[[volumes]]
+source = "/mnt/ssd/jellyfin/config"
+target = "/config"
+
+[[volumes]]
+source = "/mnt/ssd/jellyfin/cache"
+target = "/cache"
+
+[[mounts]]
+typ = "bind"
+source = "/mnt/ssd/jellyfin/media"
+target = "/media"
+
+[[networks]]
+name = "jellyfin-net"
+group = "caddy"

services/minecraft/update.sh

@@ -1,6 +1,4 @@
 #!/bin/sh
-mkdir -p /var/containers/minecraft
-chmod +x /etc/init.d/minecraft.service
 
 # Plugin list:
 # - FastAsyncWorldEdit (https://ci.athion.net/job/FastAsyncWorldEdit/)
@@ -14,7 +12,12 @@ chmod +x /etc/init.d/minecraft.service
 # - Multiverse Inventories (Hangar)
 # - KeepChunks (Hangar)
 
-cp -rf ./config /var/containers/minecraft
-cp -rf ./plugins /var/containers/minecraft/plugins
+if [ "$1" = "install" ]; then
+    mkdir -p /var/containers/minecraft
+    chmod +x /etc/init.d/minecraft.service
 
-chown -R podman:podman /var/containers/minecraft
+    cp -r ./config /var/containers/minecraft
+    cp -r ./plugins /var/containers/minecraft/plugins
+
+    chown -R podman:podman /var/containers/minecraft
+fi

services/numberchords/api.service.toml

@@ -0,0 +1,40 @@
+user = "podman"
+
+[service]
+name = "numberchords-api"
+hostname = "nc-api"
+image = "git.plabble.org/maurice/numberchords-api"
+network = "nc-test"
+depend = ["numberchords-db.service"]
+
+[environment]
+ASPNETCORE_ENVIRONMENT = "Test"
+# "NC_Security__OtherIssuerKeys__identity.numberchords.com__AuthPublicKey" = ""
+
+[[secrets]]
+key = "connection_string"
+target = "Database__ConnectionString"
+
+[[secrets]]
+key = "api_secret_key"
+target = "Security__AuthSecretKey"
+
+[[secrets]]
+key = "api_private_key"
+target = "Security__AuthPrivateKey"
+
+[[secrets]]
+key = "mollie_api_key"
+target = "Payment__MollieApiKey"
+
+[[secrets]]
+key = "smtp_username"
+target = "Email__SmtpUsername"
+
+[[secrets]]
+key = "smtp_password"
+target = "Email__SmtpPassword"
+
+[[networks]]
+name = "nc-test"
+group = "caddy"

services/numberchords/database.service.toml

@@ -0,0 +1,28 @@
+user = "podman"
+
+[service]
+name = "numberchords-db"
+hostname = "nc-db"
+image = "mongodb/mongodb-community-server:latest"
+network = "nc-test"
+
+[[volumes]]
+source = "nc_database_test"
+target = "/data/db"
+create = true
+
+[[environment_secrets]]
+name = "MONGO_INITDB_ROOT_USERNAME"
+secret = "mongo_username"
+
+[[environment_secrets]]
+name = "MONGO_INITDB_ROOT_PASSWORD"
+secret = "mongo_password"
+
+[[ports]]
+host = 27017
+container = 27017
+
+[[networks]]
+name = "nc-test"
+group = "caddy"

services/numberchords/identity.service.toml

@@ -0,0 +1,31 @@
+user = "podman"
+
+[service]
+name = "numberchords-identity"
+hostname = "nc-identity"
+image = "git.plabble.org/maurice/numberchords-identity"
+network = "nc-test"
+depend = ["numberchords-db.service"]
+
+[environment]
+ASPNETCORE_ENVIRONMENT = "Test"
+
+[[secrets]]
+key = "connection_string"
+target = "Database__ConnectionString"
+
+[[secrets]]
+key = "id_secret_key"
+target = "Security__AuthSecretKey"
+
+[[secrets]]
+key = "id_private_key"
+target = "Security__AuthPrivateKey"
+
+[[secrets]]
+key = "api_secret_key"
+target = "Security__OtherIssuerKeys__api-test.numberchords.com__AuthSecretKey"
+
+[[networks]]
+name = "nc-test"
+group = "caddy"

services/numberchords/install.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+chmod +x /etc/init.d/numberchords-api.service
+chmod +x /etc/init.d/numberchords-db.service
+chmod +x /etc/init.d/numberchords-identity.service
+chmod +x /etc/init.d/numberchords-web.service
+rc-update add numberchords-api.service default
+rc-update add numberchords-db.service default
+rc-update add numberchords-identity.service default
+rc-update add numberchords-web.service default

services/numberchords/numberchords.caddy

@@ -0,0 +1,47 @@
+http://test.numberchords.com {
+    import https-redir
+}
+
+http://test.cijferakkoorden.nl {
+    import https-redir
+}
+
+http://api-test.numberchords.com {
+    import https-redir
+}
+
+http://identity-test.numberchords.com {
+    import https-redir
+}
+
+https://test.numberchords.com {
+    import https
+	import compression
+	import default-headers
+	log access
+    reverse_proxy nc-web:3000
+}
+
+https://test.cijferakkoorden.nl {
+    import https
+	import compression
+	import default-headers
+	log access
+    reverse_proxy nc-web:3000
+}
+
+https://api-test.numberchords.com {
+    import https
+	import compression
+	import default-headers
+	log access
+    reverse_proxy nc-api:8080
+}
+
+https://identity-test.numberchords.com {
+    import https
+	import compression
+	import default-headers
+	log access
+    reverse_proxy nc-identity:8080
+}

services/numberchords/secrets.md

@@ -0,0 +1,12 @@
+# Set these secrets:
+
+- `connection_string`: MongoDB connection string
+- `api_secret_key`: 32-byte base64 secret
+- `api_private_key`: 32-byte base64 secret
+- `id_secret_key`: 32-byte base64 secret
+- `id_private_key`: 32-byte base64 secret
+- `mollie_api_key`: Mollie API key
+- `smtp_username`: SMTP email account username
+- `smtp_password`: SMTP email account password
+- `mongo_username`: MongoDB root username
+- `mongo_password`: MongoDB root password

services/numberchords/web.service.toml

@@ -0,0 +1,25 @@
+user = "podman"
+
+[service]
+name = "numberchords-web"
+hostname = "nc-web"
+image = "git.plabble.org/maurice/numberchords-web"
+network = "nc-test"
+depend = ["numberchords-api.service", "numberchords-identity.service"]
+
+[environment]
+PRIVATE_DATABASE_NAME = "numberchords-test"
+PRIVATE_DEFAULT_AUDIENCE="api-test.numberchords.com"
+PROTOCOL_HEADER="x-forwarded-proto"
+HOST_HEADER="x-forwarded-host"
+BODY_SIZE_LIMIT="10000000"
+PRIVATE_BASE_URL="http://nc-api:8080"
+PRIVATE_IDENTITY_BASE_URL="http://nc-identity:8080"
+
+[[environment_secrets]]
+name = "PRIVATE_CONNECTION_STRING"
+secret = "connection_string"
+
+[[networks]]
+name = "nc-test"
+group = "caddy"

services/postgres/install.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+chmod +x /etc/init.d/postgres.service
+rc-update add postgres.service default
+rc-service postgres.service start

services/postgres/service.toml

@@ -0,0 +1,12 @@
+user = "podman"
+
+[service]
+name = "postgres"
+image = "postgres:18-alpine"
+
+[environment]
+POSTGRES_USER = "admin"
+POSTGRES_PASSWORD = "welcome123"
+
+[[networks]]
+group = "postgres"

services/samba/install.sh

@@ -0,0 +1,24 @@
+#!/bin/sh
+apk add samba
+
+mkdir -p /mnt/shared
+chmod 0777 /mnt/shared
+
+cat << EOF > /etc/samba/smb.conf
+[global]
+    workgroup = GOOFJES
+    server string = Goofjes Samba
+    server role = standalone server
+    
+[shared]
+    path = /mnt/shared
+    follow symlinks = yes
+    wide links = yes
+    browseable = yes
+    writable = yes
+EOF
+
+rc-update add samba
+rc-service samba start
+
+echo "Use smbpasswd -a <username> to add users to SAMBA."

services/ssd/install.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+cat << EOF >> /etc/fstab
+LABEL=Golvies	/mnt/ssd	ext4	defaults 0 0
+EOF
+
+mkdir -p /mnt/ssd
+mount -a

update.sh

@@ -24,7 +24,7 @@ for service in "./services"/*/; do
   for caddyfile in *.caddy; do
     [ -e "$caddyfile" ] || continue
     CADDY_NAME="${caddyfile%.caddy}"
-    cp -f "./$caddyfile" "/var/containers/caddy/$CADDY_NAME"
+    cp -f "./$caddyfile" "/var/containers/caddy/$CADDY_NAME.caddy"
   done
 
   cd "$base_dir"