WiP

base/Makefile

@@ -1,5 +1,5 @@
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 SYSTEMD_MAIN_UNIT_NAMES += var-lib-virtiofs-data.mount
 SYSTEMD_MAIN_UNIT_NAMES += rpm-ostree-install-qemu-guest-agent.service
 SYSTEMD_MAIN_UNIT_NAMES += install-fastfetch.service

Makefile.common → common.mk

@@ -93,12 +93,12 @@ TARGET_EXAMPLES_SYSCTLD_FILES = $(patsubst sysctl.d/examples/%, $(TARGET_CHROOT)
 TARGET_EXAMPLES_PROFILED_FILES = $(patsubst profile.d/examples/%, $(TARGET_CHROOT)/etc/profile.d/%, $(EXAMPLES_PROFILED_FILES))
 
 # All configuration files to be installed
-TARGET_FILES = $(addprefix $(TARGET_CHROOT)/etc/containers/systemd/, $(QUADLETS_FILES)) \
+TARGET_FILES += $(addprefix $(TARGET_CHROOT)/etc/containers/systemd/, $(QUADLETS_FILES)) \
 				$(addprefix $(TARGET_CHROOT)/etc/systemd/system/, $(SYSTEMD_FILES)) \
 				$(TARGET_CONFIG_FILES) $(TARGET_TMPFILESD_FILES) $(TARGET_SYSCTLD_FILES) $(TARGET_PROFILED_FILES)
 
 # All example configuration files to be installed
-TARGET_EXAMPLE_FILES = $(TARGET_EXAMPLES_CONFIG_FILES) $(TARGET_EXAMPLES_TMPFILESD_FILES) $(TARGET_EXAMPLES_SYSCTLD_FILES) $(TARGET_EXAMPLES_PROFILED_FILES)
+TARGET_EXAMPLE_FILES += $(TARGET_EXAMPLES_CONFIG_FILES) $(TARGET_EXAMPLES_TMPFILESD_FILES) $(TARGET_EXAMPLES_SYSCTLD_FILES) $(TARGET_EXAMPLES_PROFILED_FILES)
 
 # Dependencies on other projects
 # List here the names of other projects (directories at the top-level) that this project depends on.
@@ -115,9 +115,9 @@ DEPENDENCIES_IGNITION_FILES := $(shell for dep in base $(DEPENDENCIES); do echo
 PROJECT_UID ?= 0
 PROJECT_GID ?= 0
 
-# Function to reverse a list of words
-# Usage: $(call reverse,word1 word2 word3)
-reverse = $(let first rest,$1,$(if $(rest),$(call reverse,$(rest)) )$(first))
+# Source Makefiles providing hooks to extend this Makefile.
+HOOKS := $(wildcard $(TOP_LEVEL_DIR)/*/hooks.mk)
+include $(HOOKS)
 
 # Ensure that the Makefile is not run from the top-level directory and that it is run as root.
 pre-requisites::
@@ -203,7 +203,7 @@ $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME):
 install-config: $(TARGET_FILES) $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME)
 
 # Copy all example configuration files provided by this project.
-install-examples: $(TARGET_EXAMPLE_FILES) $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME)
+install-examples: $(TARGET_EXAMPLE_FILES)
 
 # Copy all quadlets and systemd files provided by this project.
 install-files: install-files-pre install-config install-examples
@@ -274,9 +274,10 @@ install-pre::
 # This target can be extended by Makefiles sourcing this one.
 install-post::
 
-# Uninstall all quadlets and systemd units installed by this project.
+# All files to be removed during uninstallation, sorted in reverse order to remove files before their parent directories.
+uninstall: FILES_TO_REMOVE := $(shell echo $(TARGET_FILES) $(TARGET_EXAMPLE_FILES) | tr ' ' '\n' | sort -ur | tr '\n' ' ')
 
-uninstall: FILES_TO_REMOVE := $(call reverse,$(TARGET_EXAMPLE_FILES) $(TARGET_FILES))
+# Uninstall all quadlets and systemd units installed by this project.
 uninstall: pre-requisites uninstall-pre
 	@run() { echo $$*; "$$@"; }; \
 	set -Eeuo pipefail; \
@@ -478,7 +479,7 @@ clean: clean-pre pre-requisites
 			echo "Aborted."; exit 1; \
 		fi; \
 	fi
-	rm -rf /var/lib/quadlets/$(PROJECT_NAME)/ /var/run/quadlets/$(PROJECT_NAME)/ /etc/quadlets/$(PROJECT_NAME)/
+	rm -rf /var/lib/quadlets/$(PROJECT_NAME)/ /run/quadlets/$(PROJECT_NAME)/ /etc/quadlets/$(PROJECT_NAME)/
 	$(MAKE) clean-post
 
 # All phony targets

gitea/Makefile

@@ -0,0 +1,12 @@
+##
+## Makefile for Gitea quadlet
+##
+
+DEPENDENCIES = postgresql traefik
+
+# Gitea quadlet is mapped to the 10009 user (gitea) and 10000 group (itix-svc)
+PROJECT_UID = 10009
+PROJECT_GID = 10000
+
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/common.mk

gitea/config/examples/app.ini

@@ -0,0 +1,114 @@
+APP_NAME = Gitea
+RUN_USER = git
+RUN_MODE = prod
+
+[oauth2]
+; OAuth2 authentication secret for access and refresh tokens, change this a unique string
+;JWT_SECRET = 
+
+[security]
+; Secret used to validate communication within Gitea binary. random at every install if no uri set.
+;INTERNAL_TOKEN = 
+INSTALL_LOCK   = true
+; Global secret key. random at every install.
+;SECRET_KEY     = 
+
+[database]
+DB_TYPE  = postgres
+HOST     = 127.0.0.1:5432
+NAME     = gitea
+USER     = gitea
+PASSWD   = gitea
+SSL_MODE = disable
+CHARSET  = utf8
+; SQL logs are rarely helpful unless we specifically ask for them
+LOG_SQL  = false
+
+[server]
+APP_DATA_PATH           = /data
+SSH_DOMAIN              = gitea
+DOMAIN                  = gitea
+HTTP_PORT               = 3000
+ROOT_URL                = http://gitea/
+DISABLE_SSH             = false
+START_SSH_SERVER        = true
+LFS_START_SERVER        = true
+; LFS authentication secret, change this to a unique string
+;LFS_JWT_SECRET          = 
+OFFLINE_MODE            = true
+PROTOCOL                = http
+BUILTIN_SSH_SERVER_USER = git
+SSH_LISTEN_PORT         = 2222
+SSH_PORT                = 22
+ENABLE_PPROF            = false
+
+[mailer]
+;ENABLED = true
+;HOST    = smtp.gmail.com:587
+;FROM    = 
+;USER    = 
+;PASSWD  = 
+
+[service]
+REGISTER_EMAIL_CONFIRM            = true
+ENABLE_NOTIFY_MAIL                = true
+DISABLE_REGISTRATION              = false
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+;NO_REPLY_ADDRESS                  = itix.fr
+
+[picture]
+DISABLE_GRAVATAR        = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = false
+ENABLE_OPENID_SIGNUP = false
+
+[session]
+PROVIDER = file
+
+[log]
+MODE              = console
+LEVEL             = warn
+ENABLE_ACCESS_LOG = true
+COLORIZE          = false
+STDERR            = true
+ROUTER            = console
+
+[log.sublogger.access]
+MODE      = file
+ROOT_PATH = /data/log
+
+[log.sublogger.macaron]
+MODE      = file
+FILE_NAME = /dev/null
+
+[log.console]
+MODE     = console
+COLORIZE = false
+STDERR   = true
+
+[cron]
+ENABLED      = true
+RUN_AT_START = true
+
+[cron.update_mirrors]
+SCHEDULE = @every 24h
+
+[mirror]
+DEFAULT_INTERVAL = 24h
+MIN_INTERVAL     = 30m
+
+[app_name]
+APP_NAME = Gitea
+
+[repository]
+ROOT = /data/git/gitea-repositories
+
+[metrics]
+ENABLED = false

gitea/fcos.bu

@@ -0,0 +1,13 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: base.ign
+    - local: traefik.ign
+    - local: traefik-examples.ign
+    - local: postgresql.ign
+    - local: postgresql-examples.ign
+    - local: gitea.ign
+    - local: gitea-examples.ign
+    - local: local.ign

gitea/gitea.container

@@ -0,0 +1,53 @@
+[Unit]
+Description=Gitea
+Documentation=https://docs.gitea.com/
+After=network.target var-lib-virtiofs-data.mount
+Requires=var-lib-virtiofs-data.mount
+
+# Only start if Gitea has been configured
+ConditionPathExists=/etc/quadlets/gitea/config.env
+
+# Start/stop this unit when the target is started/stopped
+PartOf=gitea.target
+
+[Container]
+ContainerName=gitea
+Image=docker.gitea.com/gitea:latest
+AutoUpdate=registry
+
+# Network configuration
+Network=host
+
+# No need for root privileges
+User=10009
+Group=10000
+Environment=USER_UID=10009
+Environment=USER_GID=10000
+AddCapability=CAP_NET_BIND_SERVICE
+
+# Override default command to start Gitea
+Entrypoint=/usr/local/bin/gitea
+Exec=-c /etc/gitea/app.ini web
+
+# Volume mounts
+Volume=/var/lib/virtiofs/data/gitea:/data:z
+Volume=/etc/quadlets/gitea/app.ini:/etc/gitea/app.ini:Z
+
+# Health check
+HealthCmd=curl -sSf http://127.0.0.1:3000/
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=120
+TimeoutStopSec=30
+
+# Wait for PostgreSQL to be ready on localhost
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+[Install]
+WantedBy=gitea.target

gitea/gitea.target

@@ -0,0 +1,13 @@
+[Unit]
+Description=Gitea Service Target
+Documentation=man:systemd.target(5)
+Requires=postgresql.target gitea.service
+After=postgresql.target gitea.service
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+# Only start if Gitea has been configured
+ConditionPathExists=/etc/quadlets/gitea/config.env
+
+[Install]
+WantedBy=multi-user.target

gitea/other/postgresql/gitea.sql

@@ -0,0 +1,5 @@
+-- Initialization script for Gitea database and user
+CREATE USER gitea WITH PASSWORD 'gitea';
+CREATE DATABASE gitea OWNER gitea;
+GRANT ALL PRIVILEGES ON DATABASE gitea TO gitea;
+ALTER ROLE gitea SET client_encoding TO 'utf8';

gitea/other/traefik/gitea.yaml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    gitea:
+      rule: "Host(`gitea`)"
+      entryPoints:
+      - http
+      #- https
+      middlewares:
+      service: "gitea"
+      #tls:
+      #  certResolver: le
+  services:
+    gitea:
+      loadBalancer:
+        servers:
+        - url: "http://127.0.0.1:3000"

gitea/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: gitea
+    uid: 10009
+    gecos: Gitea
+    home_dir: /var/lib/quadlets/gitea
+    primary_group: itix-svc

gitea/tmpfiles.d/gitea.conf

@@ -0,0 +1 @@
+d$ /var/lib/virtiofs/data/gitea 0700 10009 10000 -

keycloak/Makefile

@@ -0,0 +1,13 @@
+##
+## Makefile for Keycloak quadlet
+##
+
+DEPENDENCIES = postgresql traefik
+
+# Keycloak quadlet is mapped to the 10007 user (keycloak) and 10000 group (itix-svc)
+PROJECT_UID = 10007
+PROJECT_GID = 10000
+
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/common.mk
+

keycloak/config/container/Containerfile

@@ -0,0 +1,13 @@
+FROM quay.io/keycloak/keycloak:latest AS builder
+ENV KC_DB=postgres \
+    KC_HEALTH_ENABLED=true \
+    KC_METRICS_ENABLED=true \
+    KC_HTTP_ENABLED=true \
+    KC_HTTP_ACCESS_LOG_ENABLED=true
+WORKDIR /opt/keycloak
+RUN /opt/keycloak/bin/kc.sh build
+
+FROM quay.io/keycloak/keycloak:latest
+COPY --from=builder /opt/keycloak/ /opt/keycloak/
+ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
+CMD ["start --optimized"]

keycloak/config/examples/config.env

@@ -0,0 +1,18 @@
+# See https://www.keycloak.org/server/all-config for all available configuration options
+KC_DB=postgres
+KC_DB_URL_DATABASE=keycloak
+KC_DB_URL_HOST=127.0.0.1
+KC_DB_URL_PORT=5432
+KC_DB_USERNAME=keycloak
+KC_DB_PASSWORD=keycloak
+KC_HOSTNAME=http://keycloak
+KC_HEALTH_ENABLED=true
+KC_METRICS_ENABLED=true
+KC_BOOTSTRAP_ADMIN_USERNAME=admin
+KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak
+KC_HTTP_ENABLED=true
+KC_HTTP_PORT=8080
+KC_HTTP_HOST=127.0.0.1
+KC_HTTP_ACCESS_LOG_ENABLED=true
+KC_PROXY_HEADERS=xforwarded
+KC_PROXY_TRUSTED_ADDRESSES=127.0.0.1

keycloak/fcos.bu

@@ -0,0 +1,13 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: base.ign
+    - local: traefik.ign
+    - local: traefik-examples.ign
+    - local: postgresql.ign
+    - local: postgresql-examples.ign
+    - local: keycloak.ign
+    - local: keycloak-examples.ign
+    - local: local.ign

keycloak/keycloak-build.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Keycloak Container image build timer
+Documentation=https://www.keycloak.org/server/containers
+PartOf=keycloak.target
+
+[Timer]
+OnCalendar=weekly
+Persistent=true
+
+[Install]
+WantedBy=keycloak.target

keycloak/keycloak.build

@@ -0,0 +1,10 @@
+[Unit]
+Description=Keycloak Container image build
+Documentation=https://www.keycloak.org/server/containers
+Wants=network-online.target
+After=network-online.target
+
+[Build]
+File=/etc/quadlets/keycloak/container/Containerfile
+ImageTag=localhost/keycloak:latest
+SetWorkingDirectory=/etc/quadlets/keycloak/container

keycloak/keycloak.container

@@ -0,0 +1,44 @@
+[Unit]
+Description=Keycloak Service
+Documentation=https://www.keycloak.org/server/containers
+After=network.target keycloak-build.service
+Wants=keycloak-build.service
+
+# Only start if Keycloak has been configured
+ConditionPathExists=/etc/quadlets/keycloak/config.env
+
+# Start/stop this unit when the target is started/stopped
+PartOf=keycloak.target
+
+[Container]
+ContainerName=keycloak
+Image=localhost/keycloak:latest
+AutoUpdate=local
+
+# Network configuration
+Network=host
+
+# Keycloak specific commands
+Exec=start --optimized
+
+# Health check
+HealthCmd=curl -sSf http://127.0.0.1:8080/health
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=10s
+HealthRetries=3
+
+# Configuration file
+EnvironmentFile=/etc/quadlets/keycloak/config.env
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=120
+TimeoutStopSec=30
+
+# Wait for PostgreSQL to be ready on localhost
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+[Install]
+WantedBy=keycloak.target

keycloak/keycloak.target

@@ -0,0 +1,11 @@
+[Unit]
+Description=Keycloak Service Target
+Documentation=man:systemd.target(5)
+Requires=postgresql.target keycloak.service keycloak-build.timer
+After=postgresql.target keycloak.service keycloak-build.timer
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+
+[Install]
+WantedBy=multi-user.target

keycloak/other/postgresql/keycloak.sql

@@ -0,0 +1,5 @@
+-- Initialization script for Keycloak database and user
+CREATE USER keycloak WITH PASSWORD 'keycloak';
+CREATE DATABASE keycloak OWNER keycloak;
+GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;
+ALTER ROLE keycloak SET client_encoding TO 'utf8';

keycloak/other/traefik/keycloak.yaml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    keycloak:
+      rule: "Host(`keycloak`)"
+      entryPoints:
+      - http
+      #- https
+      middlewares:
+      service: "keycloak"
+      #tls:
+      #  certResolver: le
+  services:
+    keycloak:
+      loadBalancer:
+        servers:
+        - url: "http://127.0.0.1:8080"

keycloak/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: keycloak
+    uid: 10007
+    gecos: Keycloak
+    home_dir: /var/lib/quadlets/keycloak
+    primary_group: itix-svc

lego/Makefile

@@ -8,6 +8,6 @@ PROJECT_GID = 10000
 
 # Include common Makefile
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 
 

miniflux/Makefile

@@ -0,0 +1,13 @@
+##
+## Makefile for Miniflux quadlet
+##
+
+DEPENDENCIES = postgresql traefik
+
+# Miniflux quadlet is mapped to the 10010 user (miniflux) and 10000 group (itix-svc)
+PROJECT_UID = 10010
+PROJECT_GID = 10000
+
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/common.mk
+

miniflux/config/examples/miniflux.conf

@@ -0,0 +1,9 @@
+DATABASE_URL=postgres://miniflux:miniflux@localhost/miniflux?sslmode=disable
+PORT=8080
+#HTTPS=1
+BASE_URL=http://miniflux/
+RUN_MIGRATIONS=1
+CREATE_ADMIN=1
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=miniflux
+HTTP_CLIENT_TIMEOUT=120

miniflux/fcos.bu

@@ -0,0 +1,13 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: base.ign
+    - local: traefik.ign
+    - local: traefik-examples.ign
+    - local: postgresql.ign
+    - local: postgresql-examples.ign
+    - local: miniflux.ign
+    - local: miniflux-examples.ign
+    - local: local.ign

miniflux/miniflux.container

@@ -0,0 +1,48 @@
+[Unit]
+Description=Miniflux RSS Reader
+Documentation=https://github.com/miniflux/v2
+After=network.target 
+
+# Only start if Miniflux has been configured
+ConditionPathExists=/etc/quadlets/miniflux/miniflux.conf
+
+# Start/stop this unit when the target is started/stopped
+PartOf=miniflux.target
+
+[Container]
+ContainerName=miniflux
+Image=ghcr.io/miniflux/miniflux:latest
+AutoUpdate=registry
+
+# Network configuration
+Network=host
+
+# No need for root privileges
+User=10010
+Group=10000
+
+# Command and arguments
+Entrypoint=/usr/bin/miniflux
+Exec=-c /etc/miniflux/miniflux.conf
+
+# Volume mounts
+Volume=/etc/quadlets/miniflux/miniflux.conf:/etc/miniflux/miniflux.conf:ro,z
+
+# Health check
+HealthCmd=/usr/bin/miniflux -healthcheck auto
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=120
+TimeoutStopSec=30
+
+# Wait for PostgreSQL to be ready on localhost
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+[Install]
+WantedBy=miniflux.target

miniflux/miniflux.target

@@ -0,0 +1,13 @@
+[Unit]
+Description=Miniflux Service Target
+Documentation=man:systemd.target(5)
+Requires=postgresql.target miniflux.service
+After=postgresql.target miniflux.service
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+# Only start if Miniflux has been configured
+ConditionPathExists=/etc/quadlets/miniflux/miniflux.conf
+
+[Install]
+WantedBy=multi-user.target

miniflux/other/postgresql/miniflux.sql

@@ -0,0 +1,5 @@
+-- Initialization script for Miniflux database and user
+CREATE USER miniflux WITH PASSWORD 'miniflux';
+CREATE DATABASE miniflux OWNER miniflux;
+GRANT ALL PRIVILEGES ON DATABASE miniflux TO miniflux;
+ALTER ROLE miniflux SET client_encoding TO 'utf8';

miniflux/other/traefik/miniflux.yaml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    miniflux:
+      rule: "Host(`miniflux`)"
+      entryPoints:
+      - http
+      #- https
+      middlewares:
+      service: "miniflux"
+      #tls:
+      #  certResolver: le
+  services:
+    miniflux:
+      loadBalancer:
+        servers:
+        - url: "http://127.0.0.1:8080"

miniflux/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: miniflux
+    uid: 10010
+    gecos: Miniflux
+    home_dir: /var/lib/quadlets/miniflux
+    primary_group: itix-svc

nextcloud/Makefile

@@ -8,37 +8,32 @@ DEPENDENCIES = postgresql traefik
 PROJECT_UID = 10008
 PROJECT_GID = 10000
 
-TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
-
-.PHONY: test test-set-nextcloud-major
-
-NEXTCLOUD_MAJOR_START ?= 25
-NEXTCLOUD_MAJOR_LAST ?= 31
-test-set-nextcloud-major:
-	sed -i 's/^NEXTCLOUD_MAJOR=.*/NEXTCLOUD_MAJOR=$(NEXTCLOUD_MAJOR_START)/' config/examples/config.env
-
+# Additional Nextcloud directories and files
+TARGET_FILES += $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis
 $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis:
 	install -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -d $@
 
+TARGET_FILES += $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data
+TARGET_FILES += $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config
 $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config:
 	install -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -d $@
 
 $(TARGET_CHROOT)/etc/quadlets/nextcloud/www.conf: config/www.conf
 	install -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) -D $< $@
 
+TARGET_FILES += $(TARGET_CHROOT)/etc/quadlets/nextcloud/collabora-seccomp-profile.json
 $(TARGET_CHROOT)/etc/quadlets/nextcloud/collabora-seccomp-profile.json:
 	curl -sSfL -o $@ https://raw.githubusercontent.com/CollaboraOnline/online/refs/heads/main/docker/cool-seccomp-profile.json
 
-install-config: $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config $(TARGET_CHROOT)/etc/quadlets/nextcloud/collabora-seccomp-profile.json
-
-install-examples: $(TARGET_CHROOT)/etc/quadlets/postgresql/init.d/nextcloud.sql $(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/nextcloud.yaml $(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/collabora.yaml
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/common.mk
 
-$(TARGET_CHROOT)/etc/quadlets/postgresql/init.d/nextcloud.sql: other/nextcloud.sql
-	install -m 0600 -o 10004 -g 10000 $< $@
+.PHONY: test test-set-nextcloud-major
 
-$(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/nextcloud.yaml $(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/collabora.yaml: $(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/%.yaml: other/traefik-%.yaml
-	install -m 0644 -o 10001 -g 10000 $< $@
+NEXTCLOUD_MAJOR_START ?= 25
+NEXTCLOUD_MAJOR_LAST ?= 31
+test-set-nextcloud-major:
+	sed -i 's/^NEXTCLOUD_MAJOR=.*/NEXTCLOUD_MAJOR=$(NEXTCLOUD_MAJOR_START)/' config/examples/config.env
 
 test: 
 	@run() { echo $$*; "$$@"; }; \

nextcloud/other/traefik-collabora.yaml → nextcloud/other/traefik/collabora.yaml

@@ -4,8 +4,11 @@ http:
       rule: "Host(`collabora`)"
       entryPoints:
       - http
+      #- https
       middlewares:
       service: "collabora"
+      #tls:
+      #  certResolver: le
   services:
     collabora:
       loadBalancer:

nextcloud/other/traefik-nextcloud.yaml → nextcloud/other/traefik/nextcloud.yaml

@@ -4,8 +4,11 @@ http:
       rule: "Host(`nextcloud`)"
       entryPoints:
       - http
+      #- https
       middlewares:
       service: "nextcloud"
+      #tls:
+      #  certResolver: le
   services:
     nextcloud:
       loadBalancer:

nginx/Makefile

@@ -1,5 +1,5 @@
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 
 .PHONY: test
 

postgresql/Makefile

@@ -6,9 +6,13 @@
 PROJECT_UID = 10004
 PROJECT_GID = 10000
 
+TARGET_FILES += $(TARGET_CHROOT)/etc/quadlets/postgresql/init.d
+$(TARGET_CHROOT)/etc/quadlets/postgresql/init.d:
+	install -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) -D -d $@
+
 # Include common Makefile
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 
 .PHONY: test test-set-pgmajor install-config
 
@@ -17,11 +21,6 @@ PG_MAJOR_LAST ?= 18
 test-set-pgmajor:
 	sed -i 's/^PG_MAJOR=.*/PG_MAJOR=$(PG_MAJOR_START)/' config/examples/config.env
 
-$(TARGET_CHROOT)/etc/quadlets/postgresql/init.d:
-	install -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) -D -d $@
-
-install-config: $(TARGET_CHROOT)/etc/quadlets/postgresql/init.d
-
 # Integration tests for PostgreSQL quadlet: backup, restore + major version upgrade (14 to 18)
 test: uninstall clean test-set-pgmajor install
 	@echo "Running PostgreSQL integration tests..."; \

postgresql/hooks.mk

@@ -0,0 +1,5 @@
+# PostgreSQL initialization scripts
+TARGET_POSTGRESQL_FILES = $(patsubst other/postgresql/%, $(TARGET_CHROOT)/etc/quadlets/postgresql/init.d/%, $(wildcard other/postgresql/*))
+TARGET_EXAMPLE_FILES += $(TARGET_POSTGRESQL_FILES)
+$(TARGET_CHROOT)/etc/quadlets/postgresql/init.d/%.sql: other/postgresql/%.sql
+	install -m 0600 -o 10004 -g 10000 $< $@

qemu-user-static/Makefile

@@ -1,2 +1,2 @@
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk

restic-server/Makefile

@@ -9,14 +9,6 @@ PROJECT_UID = 10022
 PROJECT_GID = 10000
 
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 
 SYSTEMD_MAIN_UNIT_NAMES += restic-server.service
-
-TARGET_TRAEFIK_FILES = $(patsubst other/traefik/%, $(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/%, $(wildcard other/traefik/*))
-
-install-examples: $(TARGET_TRAEFIK_FILES)
-
-$(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/%: other/traefik/%
-	install -m 0644 -o 10001 -g 10000 $< $@
-

samba/Makefile

@@ -1,5 +1,5 @@
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 
 $(TARGET_CHROOT)/etc/quadlets/samba/smb.conf.d:
 	install -d -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -D $< $@

samba/hooks.mk

@@ -0,0 +1,5 @@
+# Samba configuration files
+TARGET_SAMBA_FILES = $(patsubst other/samba/%, $(TARGET_CHROOT)/etc/quadlets/samba/smb.conf.d/%, $(wildcard other/samba/*))
+TARGET_EXAMPLE_FILES += $(TARGET_SAMBA_FILES)
+$(TARGET_CHROOT)/etc/quadlets/samba/smb.conf.d/%: other/samba/%
+	install -m 0644 -o root -g root $< $@

seedbox/Makefile

@@ -2,23 +2,12 @@
 ## Makefile for Seedbox quadlet
 ##
 
-DEPENDENCIES = traefik
+DEPENDENCIES = traefik samba
 
 # Seedbox quadlet is mapped to the 10017 user (seedbox) and 10000 group (itix-svc)
 PROJECT_UID = 10017
 PROJECT_GID = 10000
 
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
-
-TARGET_TRAEFIK_FILES = $(patsubst other/traefik/%, $(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/%, $(wildcard other/traefik/*))
-TARGET_SAMBA_FILES = $(patsubst other/samba/%, $(TARGET_CHROOT)/etc/quadlets/samba/smb.conf.d/%, $(wildcard other/samba/*))
-
-install-examples: $(TARGET_TRAEFIK_FILES) $(TARGET_SAMBA_FILES)
-
-$(TARGET_CHROOT)/etc/quadlets/samba/smb.conf.d/%: other/samba/%
-	install -m 0644 -o root -g root $< $@
-
-$(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/%: other/traefik/%
-	install -m 0644 -o 10001 -g 10000 $< $@
+include $(TOP_LEVEL_DIR)/common.mk
 

traefik/Makefile

@@ -7,5 +7,5 @@ PROJECT_UID = 10001
 PROJECT_GID = 10000
 
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 

traefik/config/examples/conf.d/ping.yaml

@@ -7,7 +7,6 @@ http:
       service: "ping@internal"
       middlewares:
       - localhost-only
-  services: {}
   middlewares:
     localhost-only:
       ipAllowList:

traefik/hooks.mk

@@ -0,0 +1,5 @@
+# Traefik configuration files
+TARGET_TRAEFIK_FILES = $(patsubst other/traefik/%, $(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/%, $(wildcard other/traefik/*))
+TARGET_EXAMPLE_FILES += $(TARGET_TRAEFIK_FILES)
+$(TARGET_CHROOT)/etc/quadlets/traefik/conf.d/%: other/traefik/%
+	install -m 0644 -o 10001 -g 10000 $< $@

vaultwarden/Makefile

@@ -0,0 +1,13 @@
+##
+## Makefile for Vaultwarden quadlet
+##
+
+DEPENDENCIES = postgresql traefik
+
+# Vaultwarden quadlet is mapped to the 10020 user (vaultwarden) and 10000 group (itix-svc)
+PROJECT_UID = 10020
+PROJECT_GID = 10000
+
+TOP_LEVEL_DIR := ..
+include $(TOP_LEVEL_DIR)/common.mk
+

vaultwarden/config/examples/config.env

@@ -0,0 +1,47 @@
+# Vaultwarden Configuration File
+# See https://github.com/dani-garcia/vaultwarden/blob/main/.env.template for more details
+
+# Public URL where Vaultwarden will be accessible
+DOMAIN=http://vaultwarden
+
+# Listening address and port
+ROCKET_ADDRESS=127.0.0.1
+ROCKET_PORT=8080
+
+# Database configuration
+DATABASE_URL=postgresql://vaultwarden:vaultwarden@localhost:5432/vaultwarden
+
+# Folder to store data (attachments, icons, etc.)
+DATA_FOLDER=/data
+
+# Generated using the following command:
+# echo -n 'Ch4ng3M3!' | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4
+ADMIN_TOKEN=$argon2id$v=19$m=65540,t=3,p=4$cnV0dFVjODhCcDRyR2E1azNRM2NNTDAvamxNUzJpdklrVkpaRmQ5Sm95WT0$mS2zqCE1fTOYSEg0q8pffD2C/6cFctTZQXVxlZ5Of8E
+
+# Features
+SIGNUPS_ALLOWED=true
+INVITATIONS_ALLOWED=false
+
+# Email (SMTP) Configuration
+#SMTP_HOST=smtp.gmail.com
+#SMTP_FROM=
+#SMTP_PORT=587
+#SMTP_SECURITY=starttls
+#SMTP_USERNAME=
+#SMTP_PASSWORD=
+
+# Enable Mobile Push Notifications
+# Get a key from https://bitwarden.com/host/
+#PUSH_ENABLED=true
+#PUSH_INSTALLATION_ID=
+#PUSH_INSTALLATION_KEY=
+#PUSH_RELAY_URI=https://api.bitwarden.eu
+#PUSH_IDENTITY_URI=https://identity.bitwarden.eu
+
+# Logging Configuration
+LOG_LEVEL=info
+EXTENDED_LOGGING=true
+
+# Performance Configuration
+#ROCKET_WORKERS=10
+#ROCKET_LIMITS={json=10485760}

vaultwarden/fcos.bu

@@ -0,0 +1,13 @@
+variant: fcos
+version: 1.4.0
+ignition:
+  config:
+    merge:
+    - local: base.ign
+    - local: traefik.ign
+    - local: traefik-examples.ign
+    - local: postgresql.ign
+    - local: postgresql-examples.ign
+    - local: vaultwarden.ign
+    - local: vaultwarden-examples.ign
+    - local: local.ign

vaultwarden/other/postgresql/vaultwarden.sql

@@ -0,0 +1,5 @@
+-- Initialization script for Vaultwarden database and user
+CREATE USER vaultwarden WITH PASSWORD 'vaultwarden';
+CREATE DATABASE vaultwarden OWNER vaultwarden;
+GRANT ALL PRIVILEGES ON DATABASE vaultwarden TO vaultwarden;
+ALTER ROLE vaultwarden SET client_encoding TO 'utf8';

vaultwarden/other/traefik/vaultwarden.yaml

@@ -0,0 +1,16 @@
+http:
+  routers:
+    vaultwarden:
+      rule: "Host(`vaultwarden`)"
+      entryPoints:
+      - http
+      #- https
+      middlewares:
+      service: "vaultwarden"
+      #tls:
+      #  certResolver: le
+  services:
+    vaultwarden:
+      loadBalancer:
+        servers:
+        - url: "http://127.0.0.1:8080"

vaultwarden/overlay.bu

@@ -0,0 +1,9 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+  - name: vaultwarden
+    uid: 10020
+    gecos: Vaultwarden
+    home_dir: /var/lib/quadlets/vaultwarden
+    primary_group: itix-svc

vaultwarden/tmpfiles.d/vaultwarden.conf

@@ -0,0 +1 @@
+d$ /var/lib/virtiofs/data/vaultwarden 0700 10020 10000 -

vaultwarden/vaultwarden.container

@@ -0,0 +1,48 @@
+[Unit]
+Description=Vaultwarden
+Documentation=https://github.com/dani-garcia/vaultwarden
+After=network.target var-lib-virtiofs-data.mount
+Requires=var-lib-virtiofs-data.mount
+
+# Only start if Vaultwarden has been configured
+ConditionPathExists=/etc/quadlets/vaultwarden/config.env
+
+# Start/stop this unit when the target is started/stopped
+PartOf=vaultwarden.target
+
+[Container]
+ContainerName=vaultwarden
+Image=quay.io/vaultwarden/server:latest-alpine
+AutoUpdate=registry
+
+# No need for root privileges
+User=10020
+Group=10000
+
+# Network configuration
+Network=host
+
+# Environment file
+EnvironmentFile=/etc/quadlets/vaultwarden/config.env
+
+# Volume mounts
+Volume=/var/lib/virtiofs/data/vaultwarden:/data:z
+
+# Health check
+HealthCmd=curl -sSf http://127.0.0.1:8080/
+HealthInterval=30s
+HealthTimeout=10s
+HealthStartPeriod=10s
+HealthRetries=3
+
+[Service]
+Restart=always
+RestartSec=10
+TimeoutStartSec=120
+TimeoutStopSec=30
+
+# Wait for PostgreSQL to be ready on localhost
+ExecStartPre=/bin/sh -c 'exec 2>/dev/null; for try in $(seq 0 12); do if ! /bin/true 5<> /dev/tcp/127.0.0.1/5432; then echo "Waiting for PostgreSQL to be available..."; sleep 5; else exit 0; fi; done; exit 1'
+
+[Install]
+WantedBy=vaultwarden.target

vaultwarden/vaultwarden.target

@@ -0,0 +1,13 @@
+[Unit]
+Description=Vaultwarden Service Target
+Documentation=man:systemd.target(5)
+Requires=postgresql.target vaultwarden.service
+After=postgresql.target vaultwarden.service
+
+# Allow isolation - can stop/start this target independently
+AllowIsolate=yes
+# Only start if Vaultwarden has been configured
+ConditionPathExists=/etc/quadlets/vaultwarden/config.env
+
+[Install]
+WantedBy=multi-user.target

vmagent/Makefile

@@ -8,7 +8,7 @@ PROJECT_GID = 10000
 
 # Include common Makefile
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk
 
 SYSTEMD_MAIN_UNIT_NAMES += vmagent.service
 

vsftpd/Makefile

@@ -10,6 +10,6 @@ PROJECT_GID = 10000
 
 # Include common Makefile
 TOP_LEVEL_DIR := ..
-include $(TOP_LEVEL_DIR)/Makefile.common
+include $(TOP_LEVEL_DIR)/common.mk