-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | mkosi.default | 28 | ||||
-rw-r--r-- | mkosi.extra/etc/apt/apt.conf.d/20auto-upgrades | 9 | ||||
-rw-r--r-- | mkosi.extra/etc/apt/apt.conf.d/50unattended-upgrades | 34 | ||||
-rw-r--r-- | mkosi.extra/etc/systemd/system/ffsync.service | 24 | ||||
-rw-r--r-- | mkosi.nspawn | 14 | ||||
-rwxr-xr-x | mkosi.postinst | 34 |
7 files changed, 145 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3dff6a2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+# mkosi cache
+mkosi.cache/*
diff --git a/mkosi.default b/mkosi.default
new file mode 100644
index 0000000..400164f
--- /dev/null
+++ b/mkosi.default
@@ -0,0 +1,28 @@
+[Distribution]
+Distribution=ubuntu
+Release=bionic
+Repositories=main,universe
+Mirror=http://no.archive.ubuntu.com
+
+[Output]
+Format=directory
+Output=/var/lib/machines/ffsync
+
+[Packages]
+WithNetwork=yes
+Packages=
+ unattended-upgrades
+ ca-certificates
+ locales
+ git
+ postgresql-server-dev-all
+ python
+ python-dev
+ python-pip
+ python-setuptools
+ python-virtualenv
+ libstdc++6
+ libffi-dev
+ g++
+ sudo
+ make
diff --git a/mkosi.extra/etc/apt/apt.conf.d/20auto-upgrades b/mkosi.extra/etc/apt/apt.conf.d/20auto-upgrades
new file mode 100644
index 0000000..4c725ab
--- /dev/null
+++ b/mkosi.extra/etc/apt/apt.conf.d/20auto-upgrades
@@ -0,0 +1,9 @@
+APT::Periodic::Unattended-Upgrade "1";
+
+APT::Periodic::Update-Package-Lists "1";
+
+
+APT::Periodic::AutocleanInterval "7";
+
+
+
diff --git a/mkosi.extra/etc/apt/apt.conf.d/50unattended-upgrades b/mkosi.extra/etc/apt/apt.conf.d/50unattended-upgrades
new file mode 100644
index 0000000..768347b
--- /dev/null
+++ b/mkosi.extra/etc/apt/apt.conf.d/50unattended-upgrades
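Review bot: The [Packages] list in mkosi.default installs the build toolchain into the runtime image — g++, make, git, python-dev, libffi-dev, postgresql-server-dev-all and sudo — although mkosi.postinst only needs them once to build /app. Everything left in the image is available to anyone who gets code execution as `app` inside the running container, so the compiler and git in particular widen the post-exploitation toolbox for no runtime benefit. If this mkosi version supports a separate build phase, move them there; otherwise purge them at the end of mkosi.postinst, e.g. `apt --yes purge g++ make git python-dev libffi-dev postgresql-server-dev-all sudo && apt --yes autoremove`, keeping whatever runtime library the compiled psycopg2 links against (presumably libpq5 — confirm before relying on autoremove).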
@@ -0,0 +1,34 @@
+// Unattended-Upgrade::Origins-Pattern controls which packages are
+// upgraded.
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Ubuntu,archive=${distro_codename}-security";
+ "o=Ubuntu,a=${distro_codename}";
+ "o=Ubuntu,a=${distro_codename}-updates";
+ "o=Ubuntu,a=${distro_codename}-proposed-updates";
+ "o=Ubuntu,n=${distro_codename}-backports";
+ };
+
+// List of packages to not update (regexp are supported)
+Unattended-Upgrade::Package-Blacklist {
+};
+
+
+// Split the upgrade into the smallest possible chunks so that
+// they can be interrupted with SIGUSR1. This makes the upgrade
+// a bit slower but it has the benefit that shutdown while a upgrade
+// is running is possible (with a small delay)
+Unattended-Upgrade::MinimalSteps "true";
+
+
+// Do automatic removal of new unused dependencies after the upgrade
+// (equivalent to apt-get autoremove)
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+
+
+// Do upgrade application even if it requires restart after upgrade
+// I.e. "XB-Upgrade-Requires: app-restart" is set in the debian/control file
+Unattended-Upgrade::IgnoreAppsRequireRestart "true";
+
+// Automatically run "dpkg --force-confold --configure -a".
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+
diff --git a/mkosi.extra/etc/systemd/system/ffsync.service b/mkosi.extra/etc/systemd/system/ffsync.service
new file mode 100644
index 0000000..d1ede04
--- /dev/null
+++ b/mkosi.extra/etc/systemd/system/ffsync.service
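Review bot: The Origins-Pattern block opts unattended upgrades into `-proposed-updates` and `-backports`, which mkosi.postinst never adds to sources.list, so today they match nothing but would silently start installing pre-release and backported packages the moment someone adds those suites to the image. Ubuntu's pre-release pocket is named `${distro_codename}-proposed`, so the `-proposed-updates` spelling looks like a Debian-ism that would not match on Ubuntu even then — worth confirming with `apt-cache policy` rather than leaving it as a latent surprise. Limit the list to what the image actually tracks by dropping the `"o=Ubuntu,a=${distro_codename}-proposed-updates";` and `"o=Ubuntu,n=${distro_codename}-backports";` lines, and add a one-line comment above the block stating that only security/updates are intended.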
@@ -0,0 +1,24 @@
+[Unit]
+Description=ffsync
+Requires=network.target
+After=network.target
+
+Type=simple
+[Service]
+ExecStart=/app/local/bin/gunicorn --paste /ffsync/syncserver.ini
+SyslogIdentifier=ffsync
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+InaccessiblePaths=/etc /home /opt /srv /var/local /var/mail
+RemoveIPC=true
+User=app
+Group=app
+WorkingDirectory=/data
+#Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/mkosi.nspawn b/mkosi.nspawn
new file mode 100644
index 0000000..69ad9e9
--- /dev/null
+++ b/mkosi.nspawn
@@ -0,0 +1,14 @@
+[Exec]
+Hostname=ffsync
+ResolvConf=copy-host
+Timezone=copy
+PrivateUsers=pick
+NoNewPrivileges=yes
+
+[Files]
+PrivateUsersChown=yes
+BindReadOnly=/etc/ffsync/syncserver.ini:/ffsync/syncserver.ini
+
+[Network]
+VirtualEthernet=no
+
diff --git a/mkosi.postinst b/mkosi.postinst
new file mode 100755
index 0000000..e04f0be
--- /dev/null
+++ b/mkosi.postinst
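Review bot: `Type=simple` sits under [Unit], before the `[Service]` header, so systemd will log an unknown-key warning and ignore it; the unit only behaves as intended because simple is the default Type. Move the line below `[Service]`. Separately, `InaccessiblePaths=/etc` also hides /etc/resolv.conf, /etc/hosts, /etc/nsswitch.conf and the CA bundle from gunicorn, so if syncserver reaches PostgreSQL by hostname or over TLS this is likely to fail at runtime — confirm, and if so list only the sensitive subtrees instead of all of /etc. The commented-out `#Restart=on-failure` should either be enabled or carry a comment explaining why the service is left to die.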
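Review bot: `VirtualEthernet=no` keeps the container in the host's network namespace, so gunicorn binds directly on host interfaces and any listener it opens is reachable exactly as if it ran on the host; together with `ResolvConf=copy-host` this forgoes most of the network isolation nspawn can provide. If sharing the host stack is deliberate (say, a host-side reverse proxy on loopback), record that in a comment above `[Network]`; otherwise use `VirtualEthernet=yes` plus a `Port=` forward for the gunicorn port. The bind-mounted `/etc/ffsync/syncserver.ini` presumably carries the database credentials; with `PrivateUsers=pick` the host-side file mode must still let the container's `app` uid read it without being world-readable, which deserves a comment on the expected host ownership.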
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -ex
+export DEBIAN_FRONTEND=noninteractive
+
+# motd
+chmod 644 /etc/update-motd.d/*
+systemctl mask motd-news.service
+systemctl mask motd-news.timer
+
+# Add update- and security-repositories, and perform upgrade
+RELEASE=$(grep DISTRIB_CODENAME /etc/lsb-release | awk -F'=' '{print $2}')
+echo "deb http://no.archive.ubuntu.com ${RELEASE}-security main universe" >> /etc/apt/sources.list
+echo "deb http://no.archive.ubuntu.com ${RELEASE}-updates main universe" >> /etc/apt/sources.list
+apt update && apt --yes full-upgrade && apt --yes autoremove
+
+# locales
+sed -i 's/# en_IE.UTF-8 UTF-8/en_IE.UTF-8 UTF-8/' /etc/locale.gen
+locale-gen
+
+groupadd --system app
+useradd --system --home-dir /app --gid app --shell /usr/sbin/nologin app
+
+git clone https://github.com/mozilla-services/syncserver /app
+mkdir /data
+chown -R app:app /app /data
+cd /app
+
+sudo -u app -H make build
+
+./local/bin/pip install psycopg2
+
+systemctl enable ffsync.service
+
+
|
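Review bot: `git clone https://github.com/mozilla-services/syncserver /app` takes whatever the default branch points at when the image is built, so two builds of this repo can yield different images and a compromised or merely broken upstream branch flows straight into the deployed container. Pin and verify a reviewed revision right after the clone, e.g. `git -C /app checkout <reviewed-commit-sha>` followed by `test "$(git -C /app rev-parse HEAD)" = "<reviewed-commit-sha>"`, so the build fails loudly if the history was rewritten. The same applies to `./local/bin/pip install psycopg2`: it is unpinned and, unlike `make build`, runs as root into the app-owned virtualenv, leaving root-owned files under /app/local; run it as the service user with a pinned version, `sudo -u app -H ./local/bin/pip install psycopg2==<version>`. Since this script runs under `set -e` with apt configured only through the two plain-HTTP sources.list lines, it is worth a comment noting that integrity rests entirely on apt's signature verification.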