Maritims/clueless-infrastructure

clueless-infrastructure

Automated infrastructure for hosting websites using Podman Quadlets, featuring Nginx as a reverse proxy, automated Certbot SSL renewals, and a systemd-based image update watcher.

Containers

  • certbot-renew: This container runs certbot to renew certificates. It's accompanied by a systemd timer that runs it twice a day.
  • clueless-website: My personal website.
  • nginx: This container runs nginx as a reverse proxy for the clueless-website container, and any other websites that I want to host.

Networks

  • web-gateway: This network is used to connect the nginx container to the clueless-website container, and any other websites that I want to host.

Volumes

  • certbot-certs: This volume is used to store certificates generated by certbot.
  • certbot-webroot: This volume is used to store the webroot for certbot.

Systemd Services

  • podman-image-watch.path: Monitors ~/.local/share/podman/incoming-images for new .tar files.
  • podman-image-watch.service: Triggered by the .path unit, it runs a script to load images and restart affected containers.
  • certbot-renew.timer: Triggers the certbot-renew container twice daily.

Installation

Enter the directory in which you cloned this repository and run the following commands:

sudo apt install make
make all

First time usage

Perform the following steps after installing for the first time or after migrating to a different machine:

  1. Reload the systemd user daemon:

    systemctl --user daemon-reload
  2. Enable and start the network and volumes:

    systemctl --user enable --now web-gateway.network
    systemctl --user enable --now certbot-certs.volume
    systemctl --user enable --now certbot-webroot.volume
  3. Generate certificates using certbot:

    podman run --rm -it \
      --name certbot-init \
      --network host \
      -v certbot-certs:/etc/letsencrypt:Z \
      docker.io/certbot/certbot \
      certonly \
      --standalone \
      -d clueless.no \
      -d www.clueless.no \
      --email maritim@gmail.com \
      --agree-tos \
      --non-interactive
  4. Enable and start the remaining services:

    systemctl --user enable --now nginx
    systemctl --user enable --now clueless-website
    systemctl --user enable --now certbot-renew.timer
    systemctl --user enable --now podman-image-watch.path

Usage

You can manage the services using standard systemctl --user commands:

# Check status
systemctl --user status nginx

# Restart a service
systemctl --user restart clueless-website

# View logs
journalctl --user -u nginx

Podman Image Watch

This repository includes a mechanism to automatically update containers when new images are available.

  1. Drop a .tar file of a Podman image (e.g., from podman save) into ~/.local/share/podman/incoming-images/.
  2. podman-image-watch.path detects the new file.
  3. podman-image-watch.service runs clueless-load-and-restart.sh.
  4. The script loads the image and restarts any running containers that use that image name and tag.
  5. The original .tar file is moved to ~/.local/share/podman/processed-images/.
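
Because every .tar dropped into the incoming directory is loaded and the matching containers are restarted, a gate in front of the load step limits which images a dropped file can replace. The following is an added example, not part of this repository or its clueless-load-and-restart.sh: it reads the image tags an archive claims and accepts it only if all of them are on an allowlist. It assumes the docker-archive layout that podman save writes by default (a manifest.json at the archive root); the allowlist value and the function names are hypothetical.

```python
import io
import json
import tarfile

# Assumption: the image names this host's units run. Constructed values,
# not taken from the repository.
ALLOWED_TAGS = {"localhost/clueless-website:latest"}


def archive_repo_tags(path):
    """Return every RepoTags entry in a docker-archive tar's manifest.json."""
    with tarfile.open(path, "r:*") as tar:
        fh = tar.extractfile(tar.getmember("manifest.json"))  # KeyError if absent
        if fh is None:
            raise ValueError("manifest.json is not a regular file")
        manifest = json.load(fh)
    if not isinstance(manifest, list):
        raise ValueError("manifest.json is not a list of images")
    tags = []
    for entry in manifest:
        if not isinstance(entry, dict):
            raise ValueError("malformed manifest entry")
        tags.extend(str(t) for t in (entry.get("RepoTags") or []))
    return tags


def check_archive(path, allowed=ALLOWED_TAGS):
    """Decide whether an incoming archive may be passed to `podman load`."""
    try:
        tags = archive_repo_tags(path)
    except (tarfile.TarError, KeyError, ValueError, TypeError, OSError) as exc:
        return False, f"unreadable archive: {exc}"
    if not tags:
        return False, "archive carries no image tag"
    unexpected = sorted(set(tags) - set(allowed))
    if unexpected:
        return False, "unexpected tags: " + ", ".join(unexpected)
    return True, "ok"


def build_sample_archive(path, repo_tags):
    """Write a constructed archive holding only manifest.json (test input)."""
    entry = {"Config": "config.json", "RepoTags": repo_tags, "Layers": []}
    body = json.dumps([entry]).encode()
    info = tarfile.TarInfo("manifest.json")
    info.size = len(body)
    with tarfile.open(path, "w") as tar:
        tar.addfile(info, io.BytesIO(body))
```

The check only reads the names the archive declares, so it restricts what a dropped file can overwrite but does not establish who built it; keep the incoming directory writable only by the account that runs the services.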

About

A repository which contains all my container stuff in case I want to move stuff somewhere else.
