···

       
1
       
1
       
+
       
### Terraform template

     

       
2
       
2
       
+
       
# Local .terraform directories

     

       
3
       
3
       
+
       
**/.terraform/*

     

       
4
       
4
       
+
       


     

       
5
       
5
       
+
       
# .tfstate files

     

       
6
       
6
       
+
       
*.tfstate

     

       
7
       
7
       
+
       
*.tfstate.*

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
# Crash log files

     

       
10
       
10
       
+
       
crash.log

     

       
11
       
11
       
+
       
crash.*.log

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
# Exclude all .tfvars files, which are likely to contain sensitive data, such as

     

       
14
       
14
       
+
       
# password, private keys, and other secrets. These should not be part of version

     

       
15
       
15
       
+
       
# control as they are data points which are potentially sensitive and subject

     

       
16
       
16
       
+
       
# to change depending on the environment.

     

       
17
       
17
       
+
       
*.tfvars

     

       
18
       
18
       
+
       
*.tfvars.json

     

       
19
       
19
       
+
       


     

       
20
       
20
       
+
       
# Ignore override files as they are usually used to override resources locally and so

     

       
21
       
21
       
+
       
# are not checked in

     

       
22
       
22
       
+
       
override.tf

     

       
23
       
23
       
+
       
override.tf.json

     

       
24
       
24
       
+
       
*_override.tf

     

       
25
       
25
       
+
       
*_override.tf.json

     

       
26
       
26
       
+
       


     

       
27
       
27
       
+
       
# Ignore transient lock info files created by terraform apply

     

       
28
       
28
       
+
       
.terraform.tfstate.lock.info

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
# Include override files you do wish to add to version control using negated pattern

     

       
31
       
31
       
+
       
# !example_override.tf

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan

     

       
34
       
34
       
+
       
# example: *tfplan*

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
# Ignore CLI configuration files

     

       
37
       
37
       
+
       
.terraformrc

     

       
38
       
38
       
+
       
terraform.rc

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
# JetBrains

     

       
41
       
41
       
+
       
.idea/

     

       
42
       
42
       
+
       


     

       
43
       
43
       
+
       
# Bitwarden Secrets Manager

     

       
44
       
44
       
+
       
.bitwarden/

     

       
45
       
45
       
+
       


     

       
46
       
46
       
+
       
# Fedora CoreOS image

     

       
47
       
47
       
+
       
fedora-coreos.qcow2.img
     

···

       
1
       
1
       
+
       
# This file is maintained automatically by "tofu init".

     

       
2
       
2
       
+
       
# Manual edits may be lost in future updates.

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
provider "registry.opentofu.org/bpg/proxmox" {

     

       
5
       
5
       
+
       
  version     = "0.71.0"

     

       
6
       
6
       
+
       
  constraints = "0.71.0"

     

       
7
       
7
       
+
       
  hashes = [

     

       
8
       
8
       
+
       
    "h1:SYI+oUlQMl17eiCjN1eqDxSryCSM2KNSV4jPAI+OPA8=",

     

       
9
       
9
       
+
       
    "zh:17349fbd8a4bb2254cf63bde47b3ef451977de9619dd9b4a22d765350ebe2534",

     

       
10
       
10
       
+
       
    "zh:1d4f43063e9c6a37106cd362da142e9555baed4635b25bccfdd15236b592661d",

     

       
11
       
11
       
+
       
    "zh:410adc1eb2ae06153875da9ab0ca30d35331b325735a207accf8f39d3e5e7c99",

     

       
12
       
12
       
+
       
    "zh:471c85f21f8b944370e3da47d307477beb671a192ffe24556cb7bfdf314b846b",

     

       
13
       
13
       
+
       
    "zh:6af532cad44b90c78c64c938c6d8e3bca1f119ca06d6001c2ec0747df3bd6d73",

     

       
14
       
14
       
+
       
    "zh:6ea1675e542e496753e2458254c8bdb1140a2b8c8b7b94127278f6f271809ffa",

     

       
15
       
15
       
+
       
    "zh:bd21a53fd63021453204348f5ab4b3cef380ac2b1b4a83ddcdd41e2e94dcf30f",

     

       
16
       
16
       
+
       
    "zh:c206b23b337cfcea9ad3bce901a076310ca4dce5b6d9335cbf8b141f67e83be3",

     

       
17
       
17
       
+
       
    "zh:cd1f24e7f991716af25b66ede9c58977240beb750477f940e3ba14fc4f63a8ce",

     

       
18
       
18
       
+
       
    "zh:cf12a04f3e51b83d01746c3a6cba47a5b3c2d1123d216d8989e742657d119b17",

     

       
19
       
19
       
+
       
    "zh:ebf5ae64aa7a9807886d219862a1a5024fdad76d3bc56c8aad719bc4506c5893",

     

       
20
       
20
       
+
       
    "zh:f26e0763dbe6a6b2195c94b44696f2110f7f55433dc142839be16b9697fa5597",

     

       
21
       
21
       
+
       
    "zh:fcabd481fb507b47611533eb4d0db30ff182d95c64cd8707cc62eb12a1f0a8d2",

     

       
22
       
22
       
+
       
    "zh:fef0e97e8ce1efcd4abda83aee48fdeba9fd9e7d57599dd6044bbc41cf9c32bb",

     

       
23
       
23
       
+
       
    "zh:ff155828a40181b821b9affaa8af0273f05515407376a2d4a323d8442ffadc04",

     

       
24
       
24
       
+
       
  ]

     

       
25
       
25
       
+
       
}

     

       
26
       
26
       
+
       


     

       
27
       
27
       
+
       
provider "registry.opentofu.org/hashicorp/local" {

     

       
28
       
28
       
+
       
  version     = "2.5.2"

     

       
29
       
29
       
+
       
  constraints = "2.5.2"

     

       
30
       
30
       
+
       
  hashes = [

     

       
31
       
31
       
+
       
    "h1:BUewjbhAQWuGHH36SozCTuESFJhbiHMaCFLnVVNZ1Es=",

     

       
32
       
32
       
+
       
    "zh:25b95b76ceaa62b5c95f6de2fa6e6242edbf51e7fc6c057b7f7101aa4081f64f",

     

       
33
       
33
       
+
       
    "zh:3c974fdf6b42ca6f93309cf50951f345bfc5726ec6013b8832bcd3be0eb3429e",

     

       
34
       
34
       
+
       
    "zh:5de843bf6d903f5cca97ce1061e2e06b6441985c68d013eabd738a9e4b828278",

     

       
35
       
35
       
+
       
    "zh:86beead37c7b4f149a54d2ae633c99ff92159c748acea93ff0f3603d6b4c9f4f",

     

       
36
       
36
       
+
       
    "zh:8e52e81d3dc50c3f79305d257da7fde7af634fed65e6ab5b8e214166784a720e",

     

       
37
       
37
       
+
       
    "zh:9882f444c087c69559873b2d72eec406a40ede21acb5ac334d6563bf3a2387df",

     

       
38
       
38
       
+
       
    "zh:a4484193d110da4a06c7bffc44cc6b61d3b5e881cd51df2a83fdda1a36ea25d2",

     

       
39
       
39
       
+
       
    "zh:a53342426d173e29d8ee3106cb68abecdf4be301a3f6589e4e8d42015befa7da",

     

       
40
       
40
       
+
       
    "zh:d25ef2aef6a9004363fc6db80305d30673fc1f7dd0b980d41d863b12dacd382a",

     

       
41
       
41
       
+
       
    "zh:fa2d522fb323e2121f65b79709fd596514b293d816a1d969af8f72d108888e4c",

     

       
42
       
42
       
+
       
  ]

     

       
43
       
43
       
+
       
}

     

       
44
       
44
       
+
       


     

       
45
       
45
       
+
       
provider "registry.opentofu.org/hashicorp/null" {

     

       
46
       
46
       
+
       
  version     = "3.2.3"

     

       
47
       
47
       
+
       
  constraints = "3.2.3"

     

       
48
       
48
       
+
       
  hashes = [

     

       
49
       
49
       
+
       
    "h1:ZD7F/BQPzRy/smJgSwnDs0vrqstk71sx2p0qtUcc/iU=",

     

       
50
       
50
       
+
       
    "zh:1d57d25084effd3fdfd902eca00020b34b1fb020253b84d7dd471301606015ac",

     

       
51
       
51
       
+
       
    "zh:65b7f9799b88464d9c2ec529713b7f52ea744275b61a8dc86cdedab1b2dcb933",

     

       
52
       
52
       
+
       
    "zh:80d3e9c95b7b4ae7c54005cd127cae82e5c53d2b7023ef24c147337bac9dadd9",

     

       
53
       
53
       
+
       
    "zh:841b60c07683e4bf456799ccd718896fdafdcc2c49252ae09967f2e74d8c8a03",

     

       
54
       
54
       
+
       
    "zh:8fa1c592a9c78222e35713c6edb3f1f818a4c6f3524a30a209f0a7e919827b68",

     

       
55
       
55
       
+
       
    "zh:bb795cc1429e09466840c09d39a28edf1db5070b1ec76822fc1173906a264572",

     

       
56
       
56
       
+
       
    "zh:da1784818a89bea29dfe660632f0060a7a843e4e564d74435fbeca002b0f7d2a",

     

       
57
       
57
       
+
       
    "zh:f409bf21b1cdaa6dac47cd79806f3d93f67e9507fe4dbf33b0165335f53bc2e1",

     

       
58
       
58
       
+
       
    "zh:fbea7a1ff84b430ba9594698e93196d81d03e4036de3d1cafccb2a96d5b38581",

     

       
59
       
59
       
+
       
    "zh:fbf0c84663a7e85881388d7d71ac862184f05fbf2d17ecf76bc5d3d7503ea260",

     

       
60
       
60
       
+
       
  ]

     

       
61
       
61
       
+
       
}

     

       
62
       
62
       
+
       


     

       
63
       
63
       
+
       
provider "registry.opentofu.org/maxlaverse/bitwarden" {

     

       
64
       
64
       
+
       
  version     = "0.13.0"

     

       
65
       
65
       
+
       
  constraints = "0.13.0"

     

       
66
       
66
       
+
       
  hashes = [

     

       
67
       
67
       
+
       
    "h1:cQJu6KCKHp32XpNJ3k3rre1NRG/Xyb3B81OvrtH0Gqs=",

     

       
68
       
68
       
+
       
    "zh:055ccac1783ea875112b16592f6d6a0be265ab18b42553965077f1ac8dcf720d",

     

       
69
       
69
       
+
       
    "zh:0e4c218199296bcf06d540ce6b017804233458a7e73ca1eecf886123079b9ed5",

     

       
70
       
70
       
+
       
    "zh:0e85ed93f3a0047a77012b1bd8dbcb4dca6dd1690a2ac9c071e6fb917ab8dbd6",

     

       
71
       
71
       
+
       
    "zh:2ffbce321f69bdad6510b0e9382031c127ab54b9e2f986b9ae6009ebd26cd6ff",

     

       
72
       
72
       
+
       
    "zh:31139f4ba2d5c052294bd9169c0372c3b03de62db1a49bae8f86450660cd5ce0",

     

       
73
       
73
       
+
       
    "zh:3e28c57d9a8eba0b03f1f8ff56ed12b0fc570622040e517d57404766b98327f4",

     

       
74
       
74
       
+
       
    "zh:6a23689b1a1003c1f2ddd2c40f73b00b71b111fd8affbc23166bfc6d0c109411",

     

       
75
       
75
       
+
       
    "zh:785c9b91e6e13b63afca73c694186e16a0fa8a24420a120d733e46a841b2e38c",

     

       
76
       
76
       
+
       
    "zh:7e23c36b8d9875d7f0b93355d4bb816444eac6f9a022b2943192714e6dc58f46",

     

       
77
       
77
       
+
       
    "zh:b565e3ceb4d6d6bce62914bd3c9ac2cbbe963f730473b2cee8d338941bf0a935",

     

       
78
       
78
       
+
       
    "zh:b74969471bc69814c9c1705a0c145c654d976293049e69dc400d59a8aea9d3d1",

     

       
79
       
79
       
+
       
    "zh:f1a3237ada5d276fc48bd49db40b2a2b7291ac1544a751cd8fb1f15ea7ff1db2",

     

       
80
       
80
       
+
       
    "zh:f4e469f814aef71d9da864df4033ed3b0af11b2b797f1cfd38324d92c2cf717d",

     

       
81
       
81
       
+
       
    "zh:fefab6a96dea8f0f52eda8a4b4436f949e4c97db076b674521b89c95cd6193fe",

     

       
82
       
82
       
+
       
  ]

     

       
83
       
83
       
+
       
}

     

       
84
       
84
       
+
       


     

       
85
       
85
       
+
       
provider "registry.opentofu.org/poseidon/ct" {

     

       
86
       
86
       
+
       
  version     = "0.13.0"

     

       
87
       
87
       
+
       
  constraints = "0.13.0"

     

       
88
       
88
       
+
       
  hashes = [

     

       
89
       
89
       
+
       
    "h1:jZusJZjbV+TZ2lxKaVopvRRrKDWAb2Sq1AUEtgI2xIE=",

     

       
90
       
90
       
+
       
    "zh:24d86adcba92ad0f13870d5e0d217c395aa90ff1e9234fe0c9b7c6eb65abb3a8",

     

       
91
       
91
       
+
       
    "zh:317eeadf92d220fe546be624a9002190edeb623ac76ae7f6a93abd9fe1be65fd",

     

       
92
       
92
       
+
       
    "zh:361dbff802ccbd94b87c9d77c0d9db9bdf4d5d408f8cf05e4dae203e60b310ca",

     

       
93
       
93
       
+
       
    "zh:3b25cb8a0327886aa30c273561ecea3315cc4d729677cd6528ed1339486475da",

     

       
94
       
94
       
+
       
    "zh:63455a68fee4ba0c9b131eb7e267eb17707184c55a5feb9e2bad2d9de5889d6a",

     

       
95
       
95
       
+
       
  ]

     

       
96
       
96
       
+
       
}

     

···

       
1
       
1
       
+
       
                                 Apache License

     

       
2
       
2
       
+
       
                           Version 2.0, January 2004

     

       
3
       
3
       
+
       
                        http://www.apache.org/licenses/

     

       
4
       
4
       
+
       


     

       
5
       
5
       
+
       
   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
   1. Definitions.

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
      "License" shall mean the terms and conditions for use, reproduction,

     

       
10
       
10
       
+
       
      and distribution as defined by Sections 1 through 9 of this document.

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
      "Licensor" shall mean the copyright owner or entity authorized by

     

       
13
       
13
       
+
       
      the copyright owner that is granting the License.

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
      "Legal Entity" shall mean the union of the acting entity and all

     

       
16
       
16
       
+
       
      other entities that control, are controlled by, or are under common

     

       
17
       
17
       
+
       
      control with that entity. For the purposes of this definition,

     

       
18
       
18
       
+
       
      "control" means (i) the power, direct or indirect, to cause the

     

       
19
       
19
       
+
       
      direction or management of such entity, whether by contract or

     

       
20
       
20
       
+
       
      otherwise, or (ii) ownership of fifty percent (50%) or more of the

     

       
21
       
21
       
+
       
      outstanding shares, or (iii) beneficial ownership of such entity.

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
      "You" (or "Your") shall mean an individual or Legal Entity

     

       
24
       
24
       
+
       
      exercising permissions granted by this License.

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
      "Source" form shall mean the preferred form for making modifications,

     

       
27
       
27
       
+
       
      including but not limited to software source code, documentation

     

       
28
       
28
       
+
       
      source, and configuration files.

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
      "Object" form shall mean any form resulting from mechanical

     

       
31
       
31
       
+
       
      transformation or translation of a Source form, including but

     

       
32
       
32
       
+
       
      not limited to compiled object code, generated documentation,

     

       
33
       
33
       
+
       
      and conversions to other media types.

     

       
34
       
34
       
+
       


     

       
35
       
35
       
+
       
      "Work" shall mean the work of authorship, whether in Source or

     

       
36
       
36
       
+
       
      Object form, made available under the License, as indicated by a

     

       
37
       
37
       
+
       
      copyright notice that is included in or attached to the work

     

       
38
       
38
       
+
       
      (an example is provided in the Appendix below).

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
      "Derivative Works" shall mean any work, whether in Source or Object

     

       
41
       
41
       
+
       
      form, that is based on (or derived from) the Work and for which the

     

       
42
       
42
       
+
       
      editorial revisions, annotations, elaborations, or other modifications

     

       
43
       
43
       
+
       
      represent, as a whole, an original work of authorship. For the purposes

     

       
44
       
44
       
+
       
      of this License, Derivative Works shall not include works that remain

     

       
45
       
45
       
+
       
      separable from, or merely link (or bind by name) to the interfaces of,

     

       
46
       
46
       
+
       
      the Work and Derivative Works thereof.

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
      "Contribution" shall mean any work of authorship, including

     

       
49
       
49
       
+
       
      the original version of the Work and any modifications or additions

     

       
50
       
50
       
+
       
      to that Work or Derivative Works thereof, that is intentionally

     

       
51
       
51
       
+
       
      submitted to Licensor for inclusion in the Work by the copyright owner

     

       
52
       
52
       
+
       
      or by an individual or Legal Entity authorized to submit on behalf of

     

       
53
       
53
       
+
       
      the copyright owner. For the purposes of this definition, "submitted"

     

       
54
       
54
       
+
       
      means any form of electronic, verbal, or written communication sent

     

       
55
       
55
       
+
       
      to the Licensor or its representatives, including but not limited to

     

       
56
       
56
       
+
       
      communication on electronic mailing lists, source code control systems,

     

       
57
       
57
       
+
       
      and issue tracking systems that are managed by, or on behalf of, the

     

       
58
       
58
       
+
       
      Licensor for the purpose of discussing and improving the Work, but

     

       
59
       
59
       
+
       
      excluding communication that is conspicuously marked or otherwise

     

       
60
       
60
       
+
       
      designated in writing by the copyright owner as "Not a Contribution."

     

       
61
       
61
       
+
       


     

       
62
       
62
       
+
       
      "Contributor" shall mean Licensor and any individual or Legal Entity

     

       
63
       
63
       
+
       
      on behalf of whom a Contribution has been received by Licensor and

     

       
64
       
64
       
+
       
      subsequently incorporated within the Work.

     

       
65
       
65
       
+
       


     

       
66
       
66
       
+
       
   2. Grant of Copyright License. Subject to the terms and conditions of

     

       
67
       
67
       
+
       
      this License, each Contributor hereby grants to You a perpetual,

     

       
68
       
68
       
+
       
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

     

       
69
       
69
       
+
       
      copyright license to reproduce, prepare Derivative Works of,

     

       
70
       
70
       
+
       
      publicly display, publicly perform, sublicense, and distribute the

     

       
71
       
71
       
+
       
      Work and such Derivative Works in Source or Object form.

     

       
72
       
72
       
+
       


     

       
73
       
73
       
+
       
   3. Grant of Patent License. Subject to the terms and conditions of

     

       
74
       
74
       
+
       
      this License, each Contributor hereby grants to You a perpetual,

     

       
75
       
75
       
+
       
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable

     

       
76
       
76
       
+
       
      (except as stated in this section) patent license to make, have made,

     

       
77
       
77
       
+
       
      use, offer to sell, sell, import, and otherwise transfer the Work,

     

       
78
       
78
       
+
       
      where such license applies only to those patent claims licensable

     

       
79
       
79
       
+
       
      by such Contributor that are necessarily infringed by their

     

       
80
       
80
       
+
       
      Contribution(s) alone or by combination of their Contribution(s)

     

       
81
       
81
       
+
       
      with the Work to which such Contribution(s) was submitted. If You

     

       
82
       
82
       
+
       
      institute patent litigation against any entity (including a

     

       
83
       
83
       
+
       
      cross-claim or counterclaim in a lawsuit) alleging that the Work

     

       
84
       
84
       
+
       
      or a Contribution incorporated within the Work constitutes direct

     

       
85
       
85
       
+
       
      or contributory patent infringement, then any patent licenses

     

       
86
       
86
       
+
       
      granted to You under this License for that Work shall terminate

     

       
87
       
87
       
+
       
      as of the date such litigation is filed.

     

       
88
       
88
       
+
       


     

       
89
       
89
       
+
       
   4. Redistribution. You may reproduce and distribute copies of the

     

       
90
       
90
       
+
       
      Work or Derivative Works thereof in any medium, with or without

     

       
91
       
91
       
+
       
      modifications, and in Source or Object form, provided that You

     

       
92
       
92
       
+
       
      meet the following conditions:

     

       
93
       
93
       
+
       


     

       
94
       
94
       
+
       
      (a) You must give any other recipients of the Work or

     

       
95
       
95
       
+
       
          Derivative Works a copy of this License; and

     

       
96
       
96
       
+
       


     

       
97
       
97
       
+
       
      (b) You must cause any modified files to carry prominent notices

     

       
98
       
98
       
+
       
          stating that You changed the files; and

     

       
99
       
99
       
+
       


     

       
100
       
100
       
+
       
      (c) You must retain, in the Source form of any Derivative Works

     

       
101
       
101
       
+
       
          that You distribute, all copyright, patent, trademark, and

     

       
102
       
102
       
+
       
          attribution notices from the Source form of the Work,

     

       
103
       
103
       
+
       
          excluding those notices that do not pertain to any part of

     

       
104
       
104
       
+
       
          the Derivative Works; and

     

       
105
       
105
       
+
       


     

       
106
       
106
       
+
       
      (d) If the Work includes a "NOTICE" text file as part of its

     

       
107
       
107
       
+
       
          distribution, then any Derivative Works that You distribute must

     

       
108
       
108
       
+
       
          include a readable copy of the attribution notices contained

     

       
109
       
109
       
+
       
          within such NOTICE file, excluding those notices that do not

     

       
110
       
110
       
+
       
          pertain to any part of the Derivative Works, in at least one

     

       
111
       
111
       
+
       
          of the following places: within a NOTICE text file distributed

     

       
112
       
112
       
+
       
          as part of the Derivative Works; within the Source form or

     

       
113
       
113
       
+
       
          documentation, if provided along with the Derivative Works; or,

     

       
114
       
114
       
+
       
          within a display generated by the Derivative Works, if and

     

       
115
       
115
       
+
       
          wherever such third-party notices normally appear. The contents

     

       
116
       
116
       
+
       
          of the NOTICE file are for informational purposes only and

     

       
117
       
117
       
+
       
          do not modify the License. You may add Your own attribution

     

       
118
       
118
       
+
       
          notices within Derivative Works that You distribute, alongside

     

       
119
       
119
       
+
       
          or as an addendum to the NOTICE text from the Work, provided

     

       
120
       
120
       
+
       
          that such additional attribution notices cannot be construed

     

       
121
       
121
       
+
       
          as modifying the License.

     

       
122
       
122
       
+
       


     

       
123
       
123
       
+
       
      You may add Your own copyright statement to Your modifications and

     

       
124
       
124
       
+
       
      may provide additional or different license terms and conditions

     

       
125
       
125
       
+
       
      for use, reproduction, or distribution of Your modifications, or

     

       
126
       
126
       
+
       
      for any such Derivative Works as a whole, provided Your use,

     

       
127
       
127
       
+
       
      reproduction, and distribution of the Work otherwise complies with

     

       
128
       
128
       
+
       
      the conditions stated in this License.

     

       
129
       
129
       
+
       


     

       
130
       
130
       
+
       
   5. Submission of Contributions. Unless You explicitly state otherwise,

     

       
131
       
131
       
+
       
      any Contribution intentionally submitted for inclusion in the Work

     

       
132
       
132
       
+
       
      by You to the Licensor shall be under the terms and conditions of

     

       
133
       
133
       
+
       
      this License, without any additional terms or conditions.

     

       
134
       
134
       
+
       
      Notwithstanding the above, nothing herein shall supersede or modify

     

       
135
       
135
       
+
       
      the terms of any separate license agreement you may have executed

     

       
136
       
136
       
+
       
      with Licensor regarding such Contributions.

     

       
137
       
137
       
+
       


     

       
138
       
138
       
+
       
   6. Trademarks. This License does not grant permission to use the trade

     

       
139
       
139
       
+
       
      names, trademarks, service marks, or product names of the Licensor,

     

       
140
       
140
       
+
       
      except as required for reasonable and customary use in describing the

     

       
141
       
141
       
+
       
      origin of the Work and reproducing the content of the NOTICE file.

     

       
142
       
142
       
+
       


     

       
143
       
143
       
+
       
   7. Disclaimer of Warranty. Unless required by applicable law or

     

       
144
       
144
       
+
       
      agreed to in writing, Licensor provides the Work (and each

     

       
145
       
145
       
+
       
      Contributor provides its Contributions) on an "AS IS" BASIS,

     

       
146
       
146
       
+
       
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or

     

       
147
       
147
       
+
       
      implied, including, without limitation, any warranties or conditions

     

       
148
       
148
       
+
       
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A

     

       
149
       
149
       
+
       
      PARTICULAR PURPOSE. You are solely responsible for determining the

     

       
150
       
150
       
+
       
      appropriateness of using or redistributing the Work and assume any

     

       
151
       
151
       
+
       
      risks associated with Your exercise of permissions under this License.

     

       
152
       
152
       
+
       


     

       
153
       
153
       
+
       
   8. Limitation of Liability. In no event and under no legal theory,

     

       
154
       
154
       
+
       
      whether in tort (including negligence), contract, or otherwise,

     

       
155
       
155
       
+
       
      unless required by applicable law (such as deliberate and grossly

     

       
156
       
156
       
+
       
      negligent acts) or agreed to in writing, shall any Contributor be

     

       
157
       
157
       
+
       
      liable to You for damages, including any direct, indirect, special,

     

       
158
       
158
       
+
       
      incidental, or consequential damages of any character arising as a

     

       
159
       
159
       
+
       
      result of this License or out of the use or inability to use the

     

       
160
       
160
       
+
       
      Work (including but not limited to damages for loss of goodwill,

     

       
161
       
161
       
+
       
      work stoppage, computer failure or malfunction, or any and all

     

       
162
       
162
       
+
       
      other commercial damages or losses), even if such Contributor

     

       
163
       
163
       
+
       
      has been advised of the possibility of such damages.

     

       
164
       
164
       
+
       


     

       
165
       
165
       
+
       
   9. Accepting Warranty or Additional Liability. While redistributing

     

       
166
       
166
       
+
       
      the Work or Derivative Works thereof, You may choose to offer,

     

       
167
       
167
       
+
       
      and charge a fee for, acceptance of support, warranty, indemnity,

     

       
168
       
168
       
+
       
      or other liability obligations and/or rights consistent with this

     

       
169
       
169
       
+
       
      License. However, in accepting such obligations, You may act only

     

       
170
       
170
       
+
       
      on Your own behalf and on Your sole responsibility, not on behalf

     

       
171
       
171
       
+
       
      of any other Contributor, and only if You agree to indemnify,

     

       
172
       
172
       
+
       
      defend, and hold each Contributor harmless for any liability

     

       
173
       
173
       
+
       
      incurred by, or claims asserted against, such Contributor by reason

     

       
174
       
174
       
+
       
      of your accepting any such warranty or additional liability.

     

       
175
       
175
       
+
       


     

       
176
       
176
       
+
       
   END OF TERMS AND CONDITIONS

     

       
177
       
177
       
+
       


     

       
178
       
178
       
+
       
   APPENDIX: How to apply the Apache License to your work.

     

       
179
       
179
       
+
       


     

       
180
       
180
       
+
       
      To apply the Apache License to your work, attach the following

     

       
181
       
181
       
+
       
      boilerplate notice, with the fields enclosed by brackets "[]"

     

       
182
       
182
       
+
       
      replaced with your own identifying information. (Don't include

     

       
183
       
183
       
+
       
      the brackets!)  The text should be enclosed in the appropriate

     

       
184
       
184
       
+
       
      comment syntax for the file format. We also recommend that a

     

       
185
       
185
       
+
       
      file or class name and description of purpose be included on the

     

       
186
       
186
       
+
       
      same "printed page" as the copyright notice for easier

     

       
187
       
187
       
+
       
      identification within third-party archives.

     

       
188
       
188
       
+
       


     

       
189
       
189
       
+
       
   Copyright [yyyy] [name of copyright owner]

     

       
190
       
190
       
+
       


     

       
191
       
191
       
+
       
   Licensed under the Apache License, Version 2.0 (the "License");

     

       
192
       
192
       
+
       
   you may not use this file except in compliance with the License.

     

       
193
       
193
       
+
       
   You may obtain a copy of the License at

     

       
194
       
194
       
+
       


     

       
195
       
195
       
+
       
       http://www.apache.org/licenses/LICENSE-2.0

     

       
196
       
196
       
+
       


     

       
197
       
197
       
+
       
   Unless required by applicable law or agreed to in writing, software

     

       
198
       
198
       
+
       
   distributed under the License is distributed on an "AS IS" BASIS,

     

       
199
       
199
       
+
       
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

     

       
200
       
200
       
+
       
   See the License for the specific language governing permissions and

     

       
201
       
201
       
+
       
   limitations under the License.

     

···

       
1
       
1
       
+
       
# Experimental Homelab

     

       
2
       
2
       
+
       


     

       
3
       
3
       
+
       
- Uses immutable, atomic OS provisioned on Proxmox VE node as base.

     

       
4
       
4
       
+
       
- Uses rootless Podman instead of rootful Docker.

     

       
5
       
5
       
+
       
- Uses Quadlets systemd-like containers instead of Docker Compose.

     

       
6
       
6
       
+
       
- VM can be fully removed and restored within 3 minutes, including containers autostart.

     

       
7
       
7
       
+
       
- Source IP is preserved using [systemd socket activation](https://github.com/eriksjolund/podman-networking-docs?tab=readme-ov-file#socket-activation-systemd-user-service) mechanism.

     

       
8
       
8
       
+
       
- Native network performance for the reason above.

     

       
9
       
9
       
+
       
- Stores Podman and applications data on dedicated iSCSI disk.

     

       
10
       
10
       
+
       
- Stores media and downloads on NFS share.

     

       
11
       
11
       
+
       
- SELinux support.

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
## Future plans

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
I would like to switch to Flatcar Linux, but for now it doesn't include `i915` kernel driver

     

       
16
       
16
       
+
       
which is a dealbreaker for me now. But it's [already merged](https://github.com/flatcar/scripts/pull/2349)

     

       
17
       
17
       
+
       
and will be soon available in Alpha channel.
     

···

       
1
       
1
       
+
       
variant: fcos

     

       
2
       
2
       
+
       
version: 1.5.0

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
passwd:

     

       
5
       
5
       
+
       
  users:

     

       
6
       
6
       
+
       
    - name: core

     

       
7
       
7
       
+
       
      ssh_authorized_keys:

     

       
8
       
8
       
+
       
        - ${ssh_key}

     

       
9
       
9
       
+
       


     

       
10
       
10
       
+
       
storage:

     

       
11
       
11
       
+
       
  directories:

     

       
12
       
12
       
+
       
    - path: /var/home/core/.config

     

       
13
       
13
       
+
       
      user:

     

       
14
       
14
       
+
       
        name: core

     

       
15
       
15
       
+
       
      group:

     

       
16
       
16
       
+
       
        name: core

     

       
17
       
17
       
+
       


     

       
18
       
18
       
+
       
    # Quadlets dir

     

       
19
       
19
       
+
       
    - path: /var/home/core/.config/containers

     

       
20
       
20
       
+
       
      user:

     

       
21
       
21
       
+
       
        name: core

     

       
22
       
22
       
+
       
      group:

     

       
23
       
23
       
+
       
        name: core

     

       
24
       
24
       
+
       
    - path: /var/home/core/.config/containers/systemd

     

       
25
       
25
       
+
       
      user:

     

       
26
       
26
       
+
       
        name: core

     

       
27
       
27
       
+
       
      group:

     

       
28
       
28
       
+
       
        name: core

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
    # Systemd user dir

     

       
31
       
31
       
+
       
    - path: /var/home/core/.config/systemd

     

       
32
       
32
       
+
       
      user:

     

       
33
       
33
       
+
       
        name: core

     

       
34
       
34
       
+
       
      group:

     

       
35
       
35
       
+
       
        name: core

     

       
36
       
36
       
+
       
    - path: /var/home/core/.config/systemd/user

     

       
37
       
37
       
+
       
      user:

     

       
38
       
38
       
+
       
        name: core

     

       
39
       
39
       
+
       
      group:

     

       
40
       
40
       
+
       
        name: core

     

       
41
       
41
       
+
       


     

       
42
       
42
       
+
       
  links:

     

       
43
       
43
       
+
       
    # Enable Podman socket for Traefik

     

       
44
       
44
       
+
       
    - path: /var/home/core/.config/systemd/user/timers.target.wants/podman.socket

     

       
45
       
45
       
+
       
      target: /usr/lib/systemd/user/podman.socket

     

       
46
       
46
       
+
       
      user:

     

       
47
       
47
       
+
       
        name: core

     

       
48
       
48
       
+
       
      group:

     

       
49
       
49
       
+
       
        name: core

     

       
50
       
50
       
+
       


     

       
51
       
51
       
+
       
    # Enable http and https sockets for traefik

     

       
52
       
52
       
+
       
    - path: /var/home/core/.config/systemd/user/timers.target.wants/http.socket

     

       
53
       
53
       
+
       
      target: /var/home/core/.config/systemd/user/http.socket

     

       
54
       
54
       
+
       
      user:

     

       
55
       
55
       
+
       
        name: core

     

       
56
       
56
       
+
       
      group:

     

       
57
       
57
       
+
       
        name: core

     

       
58
       
58
       
+
       
    - path: /var/home/core/.config/systemd/user/timers.target.wants/https.socket

     

       
59
       
59
       
+
       
      target: /var/home/core/.config/systemd/user/https.socket

     

       
60
       
60
       
+
       
      user:

     

       
61
       
61
       
+
       
        name: core

     

       
62
       
62
       
+
       
      group:

     

       
63
       
63
       
+
       
        name: core

     

       
64
       
64
       
+
       


     

       
65
       
65
       
+
       
    # Enable Podman auto updates

     

       
66
       
66
       
+
       
    - path: /var/home/core/.config/systemd/user/timers.target.wants/podman-auto-update.timer

     

       
67
       
67
       
+
       
      target: /usr/lib/systemd/user/podman-auto-update.timer

     

       
68
       
68
       
+
       
      user:

     

       
69
       
69
       
+
       
        name: core

     

       
70
       
70
       
+
       
      group:

     

       
71
       
71
       
+
       
        name: core

     

       
72
       
72
       
+
       


     

       
73
       
73
       
+
       
  files:

     

       
74
       
74
       
+
       
    # Shared network for all published services

     

       
75
       
75
       
+
       
    - path: /var/home/core/.config/containers/systemd/reverse-proxy.network

     

       
76
       
76
       
+
       
      contents:

     

       
77
       
77
       
+
       
        inline: |

     

       
78
       
78
       
+
       
          [Network]

     

       
79
       
79
       
+
       
      user:

     

       
80
       
80
       
+
       
        name: core

     

       
81
       
81
       
+
       
      group:

     

       
82
       
82
       
+
       
        name: core

     

       
83
       
83
       
+
       


     

       
84
       
84
       
+
       
    # http and https sockets for traefik

     

       
85
       
85
       
+
       
    - path: /var/home/core/.config/systemd/user/http.socket

     

       
86
       
86
       
+
       
      contents:

     

       
87
       
87
       
+
       
        inline: |

     

       
88
       
88
       
+
       
          [Socket]

     

       
89
       
89
       
+
       
          ListenStream=${ip}:8080

     

       
90
       
90
       
+
       
          FileDescriptorName=web

     

       
91
       
91
       
+
       
          Service=traefik.service

     

       
92
       
92
       
+
       


     

       
93
       
93
       
+
       
          [Install]

     

       
94
       
94
       
+
       
          WantedBy=sockets.target

     

       
95
       
95
       
+
       
      user:

     

       
96
       
96
       
+
       
        name: core

     

       
97
       
97
       
+
       
      group:

     

       
98
       
98
       
+
       
        name: core

     

       
99
       
99
       
+
       
    - path: /var/home/core/.config/systemd/user/https.socket

     

       
100
       
100
       
+
       
      contents:

     

       
101
       
101
       
+
       
        inline: |

     

       
102
       
102
       
+
       
          [Socket]

     

       
103
       
103
       
+
       
          ListenStream=${ip}:8443

     

       
104
       
104
       
+
       
          FileDescriptorName=websecure

     

       
105
       
105
       
+
       
          Service=traefik.service

     

       
106
       
106
       
+
       


     

       
107
       
107
       
+
       
          [Install]

     

       
108
       
108
       
+
       
          WantedBy=sockets.target

     

       
109
       
109
       
+
       
      user:

     

       
110
       
110
       
+
       
        name: core

     

       
111
       
111
       
+
       
      group:

     

       
112
       
112
       
+
       
        name: core

     

       
113
       
113
       
+
       


     

       
114
       
114
       
+
       
    - path: /etc/containers/storage.conf

     

       
115
       
115
       
+
       
      contents:

     

       
116
       
116
       
+
       
        inline: |

     

       
117
       
117
       
+
       
          [storage]

     

       
118
       
118
       
+
       
          driver = "overlay"

     

       
119
       
119
       
+
       
          rootless_storage_path = "/var/mnt/docker/$USER"

     

       
120
       
120
       
+
       


     

       
121
       
121
       
+
       
    # Quadlets block

     

       
122
       
122
       
+
       
%{ for name, content in quadlets ~}

     

       
123
       
123
       
+
       
    - path: /var/home/core/.config/containers/systemd/${name}.container

     

       
124
       
124
       
+
       
      contents:

     

       
125
       
125
       
+
       
        inline: |

     

       
126
       
126
       
+
       
          ${indent(10, content)}

     

       
127
       
127
       
+
       
      user:

     

       
128
       
128
       
+
       
        name: core

     

       
129
       
129
       
+
       
      group:

     

       
130
       
130
       
+
       
        name: core

     

       
131
       
131
       
+
       
%{ endfor ~}

     

       
132
       
132
       
+
       


     

       
133
       
133
       
+
       
    # Enable linger so containers can continue to run even after core user logouts

     

       
134
       
134
       
+
       
    - path: /var/lib/systemd/linger/core

     

       
135
       
135
       
+
       


     

       
136
       
136
       
+
       
    # Set machine hostname

     

       
137
       
137
       
+
       
    - path: /etc/hostname

     

       
138
       
138
       
+
       
      contents:

     

       
139
       
139
       
+
       
        inline: ${hostname}

     

       
140
       
140
       
+
       


     

       
141
       
141
       
+
       
    # Configure iSCSI target

     

       
142
       
142
       
+
       
    - path: /etc/iscsi/iscsid.conf

     

       
143
       
143
       
+
       
      overwrite: true

     

       
144
       
144
       
+
       
      contents:

     

       
145
       
145
       
+
       
        inline: |

     

       
146
       
146
       
+
       
          node.startup = automatic

     

       
147
       
147
       
+
       
          isns.address = ${truenas_ip}

     

       
148
       
148
       
+
       
          isns.port = 3260

     

       
149
       
149
       
+
       


     

       
150
       
150
       
+
       
    # Import Step CA root certificate

     

       
151
       
151
       
+
       
    - path: /etc/pki/ca-trust/source/anchors/step-online-ca.pem

     

       
152
       
152
       
+
       
      contents:

     

       
153
       
153
       
+
       
        inline: |

     

       
154
       
154
       
+
       
          ${indent(10, root_ca)}

     

       
155
       
155
       
+
       


     

       
156
       
156
       
+
       
    # Enable zram swap

     

       
157
       
157
       
+
       
    - path: /etc/systemd/zram-generator.conf

     

       
158
       
158
       
+
       
      contents:

     

       
159
       
159
       
+
       
        inline: |

     

       
160
       
160
       
+
       
          [zram0]

     

       
161
       
161
       
+
       


     

       
162
       
162
       
+
       
systemd:

     

       
163
       
163
       
+
       
  units:

     

       
164
       
164
       
+
       
    - name: install-additional-software.service

     

       
165
       
165
       
+
       
      enabled: true

     

       
166
       
166
       
+
       
      contents: |

     

       
167
       
167
       
+
       
        [Unit]

     

       
168
       
168
       
+
       
        Description=Additional software installer

     

       
169
       
169
       
+
       
        Wants=network-online.target

     

       
170
       
170
       
+
       
        After=network-online.target

     

       
171
       
171
       
+
       
        Before=zincati.service

     

       
172
       
172
       
+
       
        ConditionPathExists=!/var/lib/%N.stamp

     

       
173
       
173
       
+
       


     

       
174
       
174
       
+
       
        [Service]

     

       
175
       
175
       
+
       
        Type=oneshot

     

       
176
       
176
       
+
       
        RemainAfterExit=yes

     

       
177
       
177
       
+
       
        ExecStart=/usr/bin/rpm-ostree install --allow-inactive --assumeyes --reboot qemu-guest-agent unzip intel-gpu-tools podman-compose

     

       
178
       
178
       
+
       
        ExecStart=/bin/touch /var/lib/%N.stamp

     

       
179
       
179
       
+
       


     

       
180
       
180
       
+
       
        [Install]

     

       
181
       
181
       
+
       
        WantedBy=multi-user.target

     

       
182
       
182
       
+
       


     

       
183
       
183
       
+
       
    - name: iscsi.service

     

       
184
       
184
       
+
       
      enabled: true

     

       
185
       
185
       
+
       


     

       
186
       
186
       
+
       
    - name: attach-iscsi-disk.service

     

       
187
       
187
       
+
       
      enabled: true

     

       
188
       
188
       
+
       
      contents: |

     

       
189
       
189
       
+
       
        [Unit]

     

       
190
       
190
       
+
       
        Description=Attach iSCSI disk

     

       
191
       
191
       
+
       
        ConditionFirstBoot=yes

     

       
192
       
192
       
+
       
        Wants=network-online.target

     

       
193
       
193
       
+
       
        After=network-online.target iscsi.service

     

       
194
       
194
       
+
       


     

       
195
       
195
       
+
       
        [Service]

     

       
196
       
196
       
+
       
        Type=oneshot

     

       
197
       
197
       
+
       
        RemainAfterExit=yes

     

       
198
       
198
       
+
       
        ExecStart=/usr/sbin/iscsiadm -m discovery -t sendtargets -p ${truenas_ip}

     

       
199
       
199
       
+
       
        ExecStart=/usr/sbin/iscsiadm -m node -T ${truenas_iqn} -p ${truenas_ip} --login

     

       
200
       
200
       
+
       
        ExecStart=/usr/sbin/lvmdevices --adddev /dev/sda

     

       
201
       
201
       
+
       
        ExecStart=/usr/sbin/vgchange -ay

     

       
202
       
202
       
+
       


     

       
203
       
203
       
+
       
        [Install]

     

       
204
       
204
       
+
       
        WantedBy=multi-user.target

     

       
205
       
205
       
+
       


     

       
206
       
206
       
+
       
    - name: var-mnt-docker.mount

     

       
207
       
207
       
+
       
      enabled: true

     

       
208
       
208
       
+
       
      contents: |

     

       
209
       
209
       
+
       
        [Unit]

     

       
210
       
210
       
+
       
        Description=Mount docker directory

     

       
211
       
211
       
+
       
        Before=remote-fs.target

     

       
212
       
212
       
+
       
        Wants=network-online.target iscsi.service

     

       
213
       
213
       
+
       


     

       
214
       
214
       
+
       
        [Mount]

     

       
215
       
215
       
+
       
        What=/dev/vg0/lv0

     

       
216
       
216
       
+
       
        Where=/var/mnt/docker

     

       
217
       
217
       
+
       
        Type=xfs

     

       
218
       
218
       
+
       
        Options=_netdev

     

       
219
       
219
       
+
       


     

       
220
       
220
       
+
       
        [Install]

     

       
221
       
221
       
+
       
        WantedBy=remote-fs.target

     

       
222
       
222
       
+
       


     

       
223
       
223
       
+
       
    - name: podman-fix-selinux-context.service

     

       
224
       
224
       
+
       
      enabled: true

     

       
225
       
225
       
+
       
      contents: |

     

       
226
       
226
       
+
       
        [Unit]

     

       
227
       
227
       
+
       
        Description=Fix SELinux context for Podman storage

     

       
228
       
228
       
+
       
        Requires=var-mnt-docker.mount

     

       
229
       
229
       
+
       
        After=var-mnt-docker.mount

     

       
230
       
230
       
+
       
        ConditionPathExists=!/var/lib/%N.stamp

     

       
231
       
231
       
+
       


     

       
232
       
232
       
+
       
        [Service]

     

       
233
       
233
       
+
       
        Type=oneshot

     

       
234
       
234
       
+
       
        RemainAfterExit=yes

     

       
235
       
235
       
+
       
        ExecStart=/usr/bin/chcon -R -t container_file_t /var/mnt/docker/core

     

       
236
       
236
       
+
       
        ExecStart=/bin/touch /var/lib/%N.stamp

     

       
237
       
237
       
+
       


     

       
238
       
238
       
+
       
        [Install]

     

       
239
       
239
       
+
       
        WantedBy=multi-user.target

     

       
240
       
240
       
+
       


     

       
241
       
241
       
+
       
    - name: var-mnt-media.mount

     

       
242
       
242
       
+
       
      enabled: true

     

       
243
       
243
       
+
       
      contents: |

     

       
244
       
244
       
+
       
        [Unit]

     

       
245
       
245
       
+
       
        Description=Mount media directory

     

       
246
       
246
       
+
       
        Before=remote-fs.target

     

       
247
       
247
       
+
       


     

       
248
       
248
       
+
       
        [Mount]

     

       
249
       
249
       
+
       
        What=${truenas_ip}:/mnt/spool/media

     

       
250
       
250
       
+
       
        Where=/var/mnt/media

     

       
251
       
251
       
+
       
        Type=nfs

     

       
252
       
252
       
+
       


     

       
253
       
253
       
+
       
        [Install]

     

       
254
       
254
       
+
       
        WantedBy=remote-fs.target

     

       
255
       
255
       
+
       


     

       
256
       
256
       
+
       
    - name: var-mnt-personal.mount

     

       
257
       
257
       
+
       
      enabled: true

     

       
258
       
258
       
+
       
      contents: |

     

       
259
       
259
       
+
       
        [Unit]

     

       
260
       
260
       
+
       
        Description=Mount personal directory

     

       
261
       
261
       
+
       
        Before=remote-fs.target

     

       
262
       
262
       
+
       


     

       
263
       
263
       
+
       
        [Mount]

     

       
264
       
264
       
+
       
        What=${truenas_ip}:/mnt/spool/personal

     

       
265
       
265
       
+
       
        Where=/var/mnt/personal

     

       
266
       
266
       
+
       
        Type=nfs

     

       
267
       
267
       
+
       


     

       
268
       
268
       
+
       
        [Install]

     

       
269
       
269
       
+
       
        WantedBy=remote-fs.target

     

       
270
       
270
       
+
       


     

       
271
       
271
       
+
       
kernel_arguments:

     

       
272
       
272
       
+
       
  should_exist:

     

       
273
       
273
       
+
       
    - pcie_aspm.policy=powersupersave ip=${ip}::${gateway}:${mask}::enp6s18:none:${nameserver}

     

···

       
1
       
1
       
+
       
resource "null_resource" "fcos_qcow2" {

     

       
2
       
2
       
+
       
  provisioner "local-exec" {

     

       
3
       
3
       
+
       
    command = "mv $(docker run --security-opt label=disable --pull=always --rm -v .:/data -w /data quay.io/coreos/coreos-installer:release download -p qemu -f qcow2.xz -s stable -a x86_64 -d) fedora-coreos.qcow2.img"

     

       
4
       
4
       
+
       
    interpreter = ["PowerShell", "-Command"]

     

       
5
       
5
       
+
       
  }

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
  provisioner "local-exec" {

     

       
8
       
8
       
+
       
    when    = destroy

     

       
9
       
9
       
+
       
    command = "rm -f fedora-coreos.qcow2.img"

     

       
10
       
10
       
+
       
    interpreter = ["PowerShell", "-Command"]

     

       
11
       
11
       
+
       
  }

     

       
12
       
12
       
+
       
}

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
resource "proxmox_virtual_environment_file" "fcos_qcow2" {

     

       
15
       
15
       
+
       
  content_type = "iso"

     

       
16
       
16
       
+
       
  datastore_id = "local"

     

       
17
       
17
       
+
       
  node_name    = "pve"

     

       
18
       
18
       
+
       


     

       
19
       
19
       
+
       
  depends_on = [null_resource.fcos_qcow2]

     

       
20
       
20
       
+
       


     

       
21
       
21
       
+
       
  source_file {

     

       
22
       
22
       
+
       
    path = "fedora-coreos.qcow2.img"

     

       
23
       
23
       
+
       
  }

     

       
24
       
24
       
+
       
}

     

···

       
1
       
1
       
+
       
locals {

     

       
2
       
2
       
+
       
  butane_config = merge(var.fcos_config, {

     

       
3
       
3
       
+
       
    quadlets = local.quadlets

     

       
4
       
4
       
+
       
  })

     

       
5
       
5
       
+
       


     

       
6
       
6
       
+
       
  # Get a list of all files in the specified directory

     

       
7
       
7
       
+
       
  quadlet_paths = fileset(path.module, "quadlets/*")

     

       
8
       
8
       
+
       
  quadlets = {

     

       
9
       
9
       
+
       
    for path in local.quadlet_paths :

     

       
10
       
10
       
+
       
    replace(basename(path), ".container.tftpl", "") => templatefile(path, var.quadlets_config)

     

       
11
       
11
       
+
       
  }

     

       
12
       
12
       
+
       


     

       
13
       
13
       
+
       
  # Bitwarden Secret Manager Secret IDs

     

       
14
       
14
       
+
       
  secrets = {

     

       
15
       
15
       
+
       
    traefik-cf-dns-api-token           = "e9e0f0f0-abc8-4bde-b05f-b292018179bb"

     

       
16
       
16
       
+
       
    oauth2-proxy-cookie-secret         = "289c0832-27c2-463b-97b7-b29200a8cebd"

     

       
17
       
17
       
+
       
    oauth2-proxy-client-secret         = "afdb8ef2-a3d4-4a17-b839-b29200ab6f87"

     

       
18
       
18
       
+
       
    pocket-id-maxmind-license-key      = "08c549a4-bf48-4998-8cb0-b29200ac845d"

     

       
19
       
19
       
+
       
    actual-budget-openid-client-secret = "5754702b-d9d5-4127-b5ab-b29200abdd6a"

     

       
20
       
20
       
+
       
    open-webui-oauth-client-secret     = "b595040b-a23a-44af-8bff-b29200ad6258"

     

       
21
       
21
       
+
       
  }

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
  init_script_path = "${path.module}/scripts/init_fcos.sh.tftpl"

     

       
24
       
24
       
+
       
}

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
data "ct_config" "fcos_ignition" {

     

       
27
       
27
       
+
       
  content = templatefile("${path.module}/butane/fcos.yml.tftpl", local.butane_config)

     

       
28
       
28
       
+
       
  strict = true

     

       
29
       
29
       
+
       
}

     

       
30
       
30
       
+
       


     

       
31
       
31
       
+
       
resource "proxmox_virtual_environment_vm" "fcos" {

     

       
32
       
32
       
+
       
  node_name = "pve"

     

       
33
       
33
       
+
       
  name      = "fcos"

     

       
34
       
34
       
+
       
  description = "Managed by OpenTofu"

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
  # Use modern platform

     

       
37
       
37
       
+
       
  machine = "q35"

     

       
38
       
38
       
+
       
  bios    = "ovmf"

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
  startup {

     

       
41
       
41
       
+
       
    order = 11

     

       
42
       
42
       
+
       
  }

     

       
43
       
43
       
+
       


     

       
44
       
44
       
+
       
  cpu {

     

       
45
       
45
       
+
       
    cores = 4

     

       
46
       
46
       
+
       
  }

     

       
47
       
47
       
+
       


     

       
48
       
48
       
+
       
  memory {

     

       
49
       
49
       
+
       
    dedicated = 16384

     

       
50
       
50
       
+
       
    floating  = 16384

     

       
51
       
51
       
+
       
  }

     

       
52
       
52
       
+
       


     

       
53
       
53
       
+
       
  efi_disk {

     

       
54
       
54
       
+
       
    datastore_id = "local-zfs"

     

       
55
       
55
       
+
       
    type         = "4m"

     

       
56
       
56
       
+
       
  }

     

       
57
       
57
       
+
       


     

       
58
       
58
       
+
       
  disk {

     

       
59
       
59
       
+
       
    interface    = "virtio0"

     

       
60
       
60
       
+
       
    datastore_id = "local-zfs"

     

       
61
       
61
       
+
       
    file_id      = proxmox_virtual_environment_file.fcos_qcow2.id

     

       
62
       
62
       
+
       
    size         = 32

     

       
63
       
63
       
+
       
  }

     

       
64
       
64
       
+
       


     

       
65
       
65
       
+
       
  tpm_state {

     

       
66
       
66
       
+
       
    datastore_id = "local-zfs"

     

       
67
       
67
       
+
       
  }

     

       
68
       
68
       
+
       


     

       
69
       
69
       
+
       
  network_device {

     

       
70
       
70
       
+
       
    bridge = "vmbr0"

     

       
71
       
71
       
+
       
    vlan_id = 100

     

       
72
       
72
       
+
       
    mac_address = var.fcos_config.mac_address

     

       
73
       
73
       
+
       
  }

     

       
74
       
74
       
+
       


     

       
75
       
75
       
+
       
  # Linux 6.x

     

       
76
       
76
       
+
       
  operating_system {

     

       
77
       
77
       
+
       
    type = "l26"

     

       
78
       
78
       
+
       
  }

     

       
79
       
79
       
+
       


     

       
80
       
80
       
+
       
  # Intel A380 video

     

       
81
       
81
       
+
       
  hostpci {

     

       
82
       
82
       
+
       
    device = "hostpci0"

     

       
83
       
83
       
+
       
    id     = "0000:03:00.0"

     

       
84
       
84
       
+
       
    pcie   = true

     

       
85
       
85
       
+
       
    rombar = true

     

       
86
       
86
       
+
       
  }

     

       
87
       
87
       
+
       


     

       
88
       
88
       
+
       
  # Intel A380 audio

     

       
89
       
89
       
+
       
  hostpci {

     

       
90
       
90
       
+
       
    device = "hostpci1"

     

       
91
       
91
       
+
       
    id     = "0000:04:00.0"

     

       
92
       
92
       
+
       
    pcie   = true

     

       
93
       
93
       
+
       
    rombar = true

     

       
94
       
94
       
+
       
  }

     

       
95
       
95
       
+
       


     

       
96
       
96
       
+
       
  agent {

     

       
97
       
97
       
+
       
    enabled = true

     

       
98
       
98
       
+
       
  }

     

       
99
       
99
       
+
       


     

       
100
       
100
       
+
       
  kvm_arguments = "-fw_cfg 'name=opt/com.coreos/config,string=${replace(data.ct_config.fcos_ignition.rendered, ",", ",,")}'"

     

       
101
       
101
       
+
       
}

     

       
102
       
102
       
+
       


     

       
103
       
103
       
+
       
resource "null_resource" "fcos_provision_secrets" {

     

       
104
       
104
       
+
       
  depends_on = [proxmox_virtual_environment_vm.fcos]

     

       
105
       
105
       
+
       


     

       
106
       
106
       
+
       
  triggers = {

     

       
107
       
107
       
+
       
    checksum = sha256(file(local.init_script_path))

     

       
108
       
108
       
+
       
  }

     

       
109
       
109
       
+
       


     

       
110
       
110
       
+
       
  connection {

     

       
111
       
111
       
+
       
    type = "ssh"

     

       
112
       
112
       
+
       
    user = "core"

     

       
113
       
113
       
+
       
    agent = true

     

       
114
       
114
       
+
       
    host = var.fcos_config.ip

     

       
115
       
115
       
+
       
  }

     

       
116
       
116
       
+
       


     

       
117
       
117
       
+
       
  provisioner "file" {

     

       
118
       
118
       
+
       
    destination = "/tmp/init.sh"

     

       
119
       
119
       
+
       
    content = templatefile(local.init_script_path, {

     

       
120
       
120
       
+
       
      bws_access_token: var.bws_access_token

     

       
121
       
121
       
+
       
      quadlets: local.quadlets

     

       
122
       
122
       
+
       
      secrets: local.secrets

     

       
123
       
123
       
+
       
    })

     

       
124
       
124
       
+
       
  }

     

       
125
       
125
       
+
       


     

       
126
       
126
       
+
       
  provisioner "remote-exec" {

     

       
127
       
127
       
+
       
    inline = ["sh /tmp/init.sh"]

     

       
128
       
128
       
+
       
    on_failure = fail

     

       
129
       
129
       
+
       
  }

     

       
130
       
130
       
+
       
}
     

···

       
1
       
1
       
+
       
terraform {

     

       
2
       
2
       
+
       
  required_providers {

     

       
3
       
3
       
+
       
    proxmox = {

     

       
4
       
4
       
+
       
      source  = "bpg/proxmox"

     

       
5
       
5
       
+
       
      version = "0.71.0"

     

       
6
       
6
       
+
       
    }

     

       
7
       
7
       
+
       
    bitwarden = {

     

       
8
       
8
       
+
       
      source = "maxlaverse/bitwarden"

     

       
9
       
9
       
+
       
      version = "0.13.0"

     

       
10
       
10
       
+
       
    }

     

       
11
       
11
       
+
       
    ct = {

     

       
12
       
12
       
+
       
      source  = "poseidon/ct"

     

       
13
       
13
       
+
       
      version = "0.13.0"

     

       
14
       
14
       
+
       
    }

     

       
15
       
15
       
+
       
    null = {

     

       
16
       
16
       
+
       
      source  = "hashicorp/null"

     

       
17
       
17
       
+
       
      version = "3.2.3"

     

       
18
       
18
       
+
       
    }

     

       
19
       
19
       
+
       
    local = {

     

       
20
       
20
       
+
       
      source  = "hashicorp/local"

     

       
21
       
21
       
+
       
      version = "2.5.2"

     

       
22
       
22
       
+
       
    }

     

       
23
       
23
       
+
       
  }

     

       
24
       
24
       
+
       
}

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
provider "bitwarden" {

     

       
27
       
27
       
+
       
  access_token = var.bws_access_token

     

       
28
       
28
       
+
       
  experimental {

     

       
29
       
29
       
+
       
    embedded_client = true

     

       
30
       
30
       
+
       
  }

     

       
31
       
31
       
+
       
}

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
data "bitwarden_secret" "proxmox_password" {

     

       
34
       
34
       
+
       
  id = var.proxmox_config.password_secret_id

     

       
35
       
35
       
+
       
}

     

       
36
       
36
       
+
       


     

       
37
       
37
       
+
       
provider "proxmox" {

     

       
38
       
38
       
+
       
  endpoint = var.proxmox_config.endpoint

     

       
39
       
39
       
+
       
  insecure = true

     

       
40
       
40
       
+
       


     

       
41
       
41
       
+
       
  // Unfortunately Proxmox can execute a lot of actions only under root user...

     

       
42
       
42
       
+
       
  username = "root@pam"

     

       
43
       
43
       
+
       
  password = data.bitwarden_secret.proxmox_password.value

     

       
44
       
44
       
+
       


     

       
45
       
45
       
+
       
  ssh {

     

       
46
       
46
       
+
       
    agent = true

     

       
47
       
47
       
+
       
  }

     

       
48
       
48
       
+
       
}

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=Actual Budget Quadlet

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
[Container]

     

       
5
       
5
       
+
       
Image=docker.io/actualbudget/actual-server:latest

     

       
6
       
6
       
+
       
AutoUpdate=registry

     

       
7
       
7
       
+
       
ContainerName=actual-budget

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
User=1000:1000

     

       
10
       
10
       
+
       
UIDMap=+1000:@1000:1

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
Label="traefik.enable=true"

     

       
13
       
13
       
+
       
Label="traefik.http.routers.actual-budget.rule=Host(`actual.${base_domain}`)"

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
Volume=/var/mnt/docker/app_data/actual-budget:/data:Z

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
Network=reverse-proxy.network

     

       
18
       
18
       
+
       


     

       
19
       
19
       
+
       
[Service]

     

       
20
       
20
       
+
       
TimeoutStartSec=900

     

       
21
       
21
       
+
       
Restart=always

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
[Install]

     

       
24
       
24
       
+
       
WantedBy=multi-user.target default.target

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=OAuth2 Proxy Quadlet

     

       
3
       
3
       
+
       
# OAuth2 Proxy requests OIDC configuration after launch, Pocket-ID should be ready

     

       
4
       
4
       
+
       
Wants=pocket-id.service

     

       
5
       
5
       
+
       
After=pocket-id.service

     

       
6
       
6
       
+
       


     

       
7
       
7
       
+
       
[Container]

     

       
8
       
8
       
+
       
Image=quay.io/oauth2-proxy/oauth2-proxy:latest

     

       
9
       
9
       
+
       
AutoUpdate=registry

     

       
10
       
10
       
+
       
ContainerName=oauth2-proxy

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
User=1000:1000

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
Environment=OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:4180

     

       
15
       
15
       
+
       
Environment=OAUTH2_PROXY_PROVIDER=oidc

     

       
16
       
16
       
+
       
Environment=OAUTH2_PROXY_OIDC_ISSUER_URL=https://id.${base_domain}

     

       
17
       
17
       
+
       
Environment=OAUTH2_PROXY_EMAIL_DOMAINS=*

     

       
18
       
18
       
+
       
Environment=OAUTH2_PROXY_CLIENT_ID=643ae98a-24a1-4c1d-9d0a-a102dd2fe38c

     

       
19
       
19
       
+
       
Environment=OAUTH2_PROXY_COOKIE_SECURE=true

     

       
20
       
20
       
+
       
Environment=OAUTH2_PROXY_REDIRECT_URL=https://oauth2-proxy.${base_domain}/oauth2/callback

     

       
21
       
21
       
+
       
Environment=OAUTH2_PROXY_COOKIE_DOMAINS=.${base_domain}

     

       
22
       
22
       
+
       
Environment=OAUTH2_PROXY_WHITELIST_DOMAINS=.${base_domain}

     

       
23
       
23
       
+
       
Environment=OAUTH2_PROXY_COOKIE_REFRESH=0

     

       
24
       
24
       
+
       
Environment=OAUTH2_PROXY_COOKIE_EXPIRE=59m

     

       
25
       
25
       
+
       
Environment=OAUTH2_PROXY_REVERSE_PROXY=true

     

       
26
       
26
       
+
       
Environment=OAUTH2_PROXY_UPSTREAMS=static://202

     

       
27
       
27
       
+
       
Secret=oauth2-proxy-cookie-secret,type=env,target=OAUTH2_PROXY_COOKIE_SECRET

     

       
28
       
28
       
+
       
Secret=oauth2-proxy-client-secret,type=env,target=OAUTH2_PROXY_CLIENT_SECRET

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
Label="traefik.enable=true"

     

       
31
       
31
       
+
       
Label="traefik.http.routers.oauth2-proxy.rule=Host(`oauth2-proxy.${base_domain}`)"

     

       
32
       
32
       
+
       
Label="traefik.http.services.oauth2-proxy.loadbalancer.server.port=4180"

     

       
33
       
33
       
+
       


     

       
34
       
34
       
+
       
Network=reverse-proxy.network

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
[Service]

     

       
37
       
37
       
+
       
TimeoutStartSec=900

     

       
38
       
38
       
+
       
Restart=always

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
[Install]

     

       
41
       
41
       
+
       
WantedBy=multi-user.target default.target

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=Open WebUI Quadlet

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
[Container]

     

       
5
       
5
       
+
       
Image=ghcr.io/open-webui/open-webui:main

     

       
6
       
6
       
+
       
AutoUpdate=registry

     

       
7
       
7
       
+
       
ContainerName=open-webui

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
User=0:0

     

       
10
       
10
       
+
       


     

       
11
       
11
       
+
       
Environment=WEBUI_URL=https://ai.${base_domain}

     

       
12
       
12
       
+
       
Environment=ENABLE_LOGIN_FORM=False

     

       
13
       
13
       
+
       
Environment=DEFAULT_LOCALE=ru

     

       
14
       
14
       
+
       
Environment=CORS_ALLOW_ORIGIN=https://localhost

     

       
15
       
15
       
+
       
Environment=ENABLE_OAUTH_SIGNUP=True

     

       
16
       
16
       
+
       
Environment=OAUTH_CLIENT_ID=d4979561-8290-49c9-878e-0d325f7f06a6

     

       
17
       
17
       
+
       
Environment=OPENID_PROVIDER_URL=https://id.${base_domain}/.well-known/openid-configuration

     

       
18
       
18
       
+
       
Environment=OAUTH_PROVIDER_NAME="Pocket ID"

     

       
19
       
19
       
+
       
Secret=open-webui-oauth-client-secret,type=env,target=OAUTH_CLIENT_SECRET

     

       
20
       
20
       
+
       


     

       
21
       
21
       
+
       
Label="traefik.enable=true"

     

       
22
       
22
       
+
       
Label="traefik.http.routers.open-webui.rule=Host(`ai.${base_domain}`)"

     

       
23
       
23
       
+
       


     

       
24
       
24
       
+
       
Volume=/var/mnt/docker/app_data/open-webui:/app/backend/data:Z

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
Network=reverse-proxy.network

     

       
27
       
27
       
+
       


     

       
28
       
28
       
+
       
[Service]

     

       
29
       
29
       
+
       
TimeoutStartSec=900

     

       
30
       
30
       
+
       
Restart=always

     

       
31
       
31
       
+
       


     

       
32
       
32
       
+
       
[Install]

     

       
33
       
33
       
+
       
WantedBy=multi-user.target default.target

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=Plex Quadlet

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
[Container]

     

       
5
       
5
       
+
       
Image=docker.io/plexinc/pms-docker:plexpass

     

       
6
       
6
       
+
       
AutoUpdate=registry

     

       
7
       
7
       
+
       
ContainerName=plex

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
Environment=PLEX_UID=1000

     

       
10
       
10
       
+
       
Environment=PLEX_GID=1000

     

       
11
       
11
       
+
       
Environment=TZ=Europe/Belgrade

     

       
12
       
12
       
+
       
# In my setup source IP is not preserved for local network (due to SNAT hairpinning rule)

     

       
13
       
13
       
+
       
Environment=ALLOWED_NETWORKS=192.168.100.1/32

     

       
14
       
14
       
+
       


     

       
15
       
15
       
+
       
Volume=/var/mnt/docker/app_data/plex:/config:Z

     

       
16
       
16
       
+
       
Volume=/var/mnt/media/tv_shows:/data/tv_shows:z

     

       
17
       
17
       
+
       
Volume=/var/mnt/media/movies:/data/movies:z

     

       
18
       
18
       
+
       
Volume=/var/mnt/media/music:/data/music:z

     

       
19
       
19
       
+
       
Tmpfs=/transcode:size=8G,rw:Z

     

       
20
       
20
       
+
       


     

       
21
       
21
       
+
       
# Host network for simplicity

     

       
22
       
22
       
+
       
Network=host

     

       
23
       
23
       
+
       


     

       
24
       
24
       
+
       
AddDevice=/dev/dri

     

       
25
       
25
       
+
       


     

       
26
       
26
       
+
       
[Service]

     

       
27
       
27
       
+
       
TimeoutStartSec=900

     

       
28
       
28
       
+
       
Restart=always

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
[Install]

     

       
31
       
31
       
+
       
WantedBy=multi-user.target default.target

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=Pocket ID Quadlet

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
[Container]

     

       
5
       
5
       
+
       
Image=ghcr.io/pocket-id/pocket-id:latest

     

       
6
       
6
       
+
       
AutoUpdate=registry

     

       
7
       
7
       
+
       
ContainerName=pocket-id

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
User=0:0

     

       
10
       
10
       
+
       
UIDMap="+1000:@1000:1"

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
Environment=PUBLIC_APP_URL=https://id.${base_domain}

     

       
13
       
13
       
+
       
Environment=PUID=1000

     

       
14
       
14
       
+
       
Environment=PGID=1000

     

       
15
       
15
       
+
       
Environment=CADDY_DISABLED=true

     

       
16
       
16
       
+
       
Secret=pocket-id-maxmind-license-key,type=env,target=MAXMIND_LICENSE_KEY

     

       
17
       
17
       
+
       


     

       
18
       
18
       
+
       
Label="traefik.enable=true"

     

       
19
       
19
       
+
       
Label="traefik.http.routers.pocket-id.rule=Host(`id.${base_domain}`)"

     

       
20
       
20
       
+
       
Label="traefik.http.routers.pocket-id.service=pocket-id"

     

       
21
       
21
       
+
       
Label="traefik.http.routers.pocket-id.priority=1"

     

       
22
       
22
       
+
       
Label="traefik.http.services.pocket-id.loadbalancer.server.port=3000"

     

       
23
       
23
       
+
       
Label="traefik.http.routers.pocket-id-backend.rule=Host(`id.${base_domain}`) && (PathPrefix(`/api/`) || PathPrefix(`/.well-known/`))"

     

       
24
       
24
       
+
       
Label="traefik.http.routers.pocket-id-backend.service=pocket-id-backend"

     

       
25
       
25
       
+
       
Label="traefik.http.routers.pocket-id-backend.priority=2"

     

       
26
       
26
       
+
       
Label="traefik.http.services.pocket-id-backend.loadbalancer.server.port=8080"

     

       
27
       
27
       
+
       


     

       
28
       
28
       
+
       
Volume=/var/mnt/docker/app_data/pocket-id:/app/backend/data:Z

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
Network=reverse-proxy.network

     

       
31
       
31
       
+
       


     

       
32
       
32
       
+
       
[Service]

     

       
33
       
33
       
+
       
TimeoutStartSec=900

     

       
34
       
34
       
+
       
Restart=always

     

       
35
       
35
       
+
       


     

       
36
       
36
       
+
       
[Install]

     

       
37
       
37
       
+
       
WantedBy=multi-user.target default.target

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=qBittorrent Quadlet

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
[Container]

     

       
5
       
5
       
+
       
Image=lscr.io/linuxserver/qbittorrent:latest

     

       
6
       
6
       
+
       
AutoUpdate=registry

     

       
7
       
7
       
+
       
ContainerName=qbittorrent

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
UIDMap=+1000:@1000:1

     

       
10
       
10
       
+
       


     

       
11
       
11
       
+
       
Label="traefik.enable=true"

     

       
12
       
12
       
+
       
Label="traefik.http.routers.qbittorrent.rule=Host(`qb.${base_domain}`)"

     

       
13
       
13
       
+
       
Label="traefik.http.services.qbittorrent.loadbalancer.server.port=8080"

     

       
14
       
14
       
+
       
Label="traefik.http.routers.qbittorrent.middlewares=oauth2-proxy@file,strip-referer"

     

       
15
       
15
       
+
       
Label="traefik.http.routers.qbittorrent-auth.rule=Host(`qb.${base_domain}`) && PathPrefix(`/oauth2/`)"

     

       
16
       
16
       
+
       
Label="traefik.http.routers.qbittorrent-auth.service=oauth2-proxy"

     

       
17
       
17
       
+
       
Label="traefik.http.middlewares.strip-referer.headers.customRequestHeaders.Referer="

     

       
18
       
18
       
+
       


     

       
19
       
19
       
+
       
Environment=PUID=1000

     

       
20
       
20
       
+
       
Environment=PGID=1000

     

       
21
       
21
       
+
       
Environment=TZ=Europe/Belgrade

     

       
22
       
22
       
+
       
Environment=WEBUI_PORT=8080

     

       
23
       
23
       
+
       
Environment=TORRENTING_PORT=6881

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
Volume=/var/mnt/docker/app_data/qbittorrent:/config:Z

     

       
26
       
26
       
+
       
Volume=/var/mnt/media:/media:z

     

       
27
       
27
       
+
       


     

       
28
       
28
       
+
       
Network=reverse-proxy.network

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
[Service]

     

       
31
       
31
       
+
       
TimeoutStartSec=900

     

       
32
       
32
       
+
       
Restart=always

     

       
33
       
33
       
+
       


     

       
34
       
34
       
+
       
[Install]

     

       
35
       
35
       
+
       
WantedBy=multi-user.target default.target

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=Smallstep step-ca Server Quadlet

     

       
3
       
3
       
+
       


     

       
4
       
4
       
+
       
[Container]

     

       
5
       
5
       
+
       
Image=docker.io/smallstep/step-ca:latest

     

       
6
       
6
       
+
       
AutoUpdate=registry

     

       
7
       
7
       
+
       
ContainerName=step-ca

     

       
8
       
8
       
+
       


     

       
9
       
9
       
+
       
User=1000:1000

     

       
10
       
10
       
+
       
UIDMap=+1000:@1000:1

     

       
11
       
11
       
+
       


     

       
12
       
12
       
+
       
Label="traefik.enable=true"

     

       
13
       
13
       
+
       
Label="traefik.tcp.routers.smallstep.rule=HostSNI(`ca.${base_domain}`)"

     

       
14
       
14
       
+
       
Label="traefik.tcp.routers.smallstep.tls.passthrough=true"

     

       
15
       
15
       
+
       
Label="traefik.tcp.services.smallstep.loadbalancer.server.port=9000"

     

       
16
       
16
       
+
       


     

       
17
       
17
       
+
       
Environment=DOCKER_STEPCA_INIT_NAME=Homelab

     

       
18
       
18
       
+
       
Environment=DOCKER_STEPCA_INIT_DNS_NAMES=ca.${base_domain}

     

       
19
       
19
       
+
       
Environment=DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true

     

       
20
       
20
       
+
       


     

       
21
       
21
       
+
       
Volume=/var/mnt/docker/app_data/smallstep:/home/step:Z

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
Network=reverse-proxy.network

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
[Service]

     

       
26
       
26
       
+
       
TimeoutStartSec=900

     

       
27
       
27
       
+
       
Restart=always

     

       
28
       
28
       
+
       


     

       
29
       
29
       
+
       
[Install]

     

       
30
       
30
       
+
       
WantedBy=multi-user.target default.target

     

···

       
1
       
1
       
+
       
[Unit]

     

       
2
       
2
       
+
       
Description=Traefik Quadlet

     

       
3
       
3
       
+
       
Requires=http.socket https.socket

     

       
4
       
4
       
+
       
After=http.socket https.socket

     

       
5
       
5
       
+
       


     

       
6
       
6
       
+
       
[Container]

     

       
7
       
7
       
+
       
Image=docker.io/library/traefik

     

       
8
       
8
       
+
       
AutoUpdate=registry

     

       
9
       
9
       
+
       
ContainerName=traefik

     

       
10
       
10
       
+
       


     

       
11
       
11
       
+
       
User=1000:1000

     

       
12
       
12
       
+
       
UIDMap=+1000:@1000:1

     

       
13
       
13
       
+
       


     

       
14
       
14
       
+
       
Environment=LEGO_DISABLE_CNAME_SUPPORT=true

     

       
15
       
15
       
+
       


     

       
16
       
16
       
+
       
Label="traefik.enable=true"

     

       
17
       
17
       
+
       
Label="traefik.http.routers.dashboard.rule=Host(`fcos.${base_domain}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"

     

       
18
       
18
       
+
       
Label="traefik.http.routers.dashboard.service=api@internal"

     

       
19
       
19
       
+
       
Label="traefik.http.routers.dashboard.middlewares=oauth2-proxy@file"

     

       
20
       
20
       
+
       
Label="traefik.http.routers.dashboard-auth.rule=Host(`fcos.${base_domain}`) && PathPrefix(`/oauth2/`)"

     

       
21
       
21
       
+
       
Label="traefik.http.routers.dashboard-auth.service=oauth2-proxy"

     

       
22
       
22
       
+
       


     

       
23
       
23
       
+
       
Secret=traefik-cf-dns-api-token,type=env,target=CF_DNS_API_TOKEN

     

       
24
       
24
       
+
       


     

       
25
       
25
       
+
       
Volume=/var/mnt/docker/app_data/traefik/traefik.yml:/etc/traefik/traefik.yml:Z

     

       
26
       
26
       
+
       
Volume=/var/mnt/docker/app_data/traefik/data:/data:Z

     

       
27
       
27
       
+
       
# requires user (!) podman.socket running

     

       
28
       
28
       
+
       
Volume=%t/podman/podman.sock:/var/run/docker.sock

     

       
29
       
29
       
+
       


     

       
30
       
30
       
+
       
Network=reverse-proxy.network

     

       
31
       
31
       
+
       
Notify=true

     

       
32
       
32
       
+
       


     

       
33
       
33
       
+
       
SecurityLabelDisable=true

     

       
34
       
34
       
+
       


     

       
35
       
35
       
+
       
[Service]

     

       
36
       
36
       
+
       
TimeoutStartSec=900

     

       
37
       
37
       
+
       
Restart=always

     

       
38
       
38
       
+
       
Sockets=http.socket https.socket

     

       
39
       
39
       
+
       


     

       
40
       
40
       
+
       
[Install]

     

       
41
       
41
       
+
       
WantedBy=multi-user.target default.target