yumechi-no-kuni/yume-mods/podman_init.sh

# this is just a template to copypaste, don't execute verbatim

podman network create misskey

podman pod create \
    --cpus 8.0 \
    --memory 16g \
    --shm-size 4g \
    --security-opt no-new-privileges \
    misskey-middleware

# add no-new-privileges if you don't use apparmor
podman pod create \
    --cpus 1.5 \
    --memory 6g \
    misskey-web

mkdir -p ../var/db

# migrate to 17
podman run --pod misskey-middleware \
    --replace \
    --read-only \
    --security-opt no-new-privileges \
    --network misskey \
    --env-file .config/docker.env \
    --name misskey-db-15 \
    --volume ../var/db-15:/var/lib/postgresql/data:U \
    --volume ../run/db/15:/var/run/postgresql:U \
    --health-cmd "pg_isready -U \$POSTGRES_USER -d \$POSTGRES_DB" \
    --health-interval 5s \
    --health-retries 20 \
    --restart never \
    docker.io/l1drm/postgres-pgroonga:alpine-15-znver4

podman run --pod misskey-middleware -d \
    --replace \
    --read-only \
    --security-opt no-new-privileges \
    --network misskey \
    --env-file .config/docker.env \
    --name misskey-db \
    --volume ../var/db-17:/var/lib/postgresql/data:U \
    --volume ../run/db/17:/var/run/postgresql:U \
    --health-cmd "pg_isready -U \$POSTGRES_USER -d \$POSTGRES_DB" \
    --health-interval 5s \
    --health-retries 20 \
    --restart always \
    docker.io/l1drm/postgres-pgroonga:alpine-17-znver4


chmod 750 /var/lib/misskey/test0/run/db
chown :vault /var/lib/misskey/test0/run/db

vault write misskey-db/config/test0 \
    plugin_name="postgresql-database-plugin" \
    allowed_roles="misskey-admin" \
    allowed_roles="misskey-test0-runtime" \
    username="misskey" \
    password="dummy" \
    connection_url="postgresql://misskey@/misskey?host=/var/lib/misskey/test0/run/db/17/"

# rotate root credentials so it is no longer the same as .docker.env
vault write -force misskey-db/rotate-root/test0


vault write sys/policy/misskey-test0-runtime policy=- <<EOF
path "misskey-db/creds/misskey-test0-runtime" {
  capabilities = ["read", "list"]
}

path "sys/leases/revoke-prefix/misskey-db/creds/misskey-test0-runtime" {
  capabilities = ["create", "update", "list", "delete", "sudo"]
}
EOF

vault token create -policy=misskey-test0-runtime --ttl=0 -period=768h -orphan

vault write misskey-db/roles/misskey-admin \
    db_name=misskey \
    default_ttl=4h \
    max_ttl=1d \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT misskey TO \"{{name}}\"; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA pg_catalog TO \"{{name}}\";"

vault write misskey-db/roles/misskey-test0-runtime \
    db_name=test0 \
    default_ttl=30d \
    max_ttl=365d \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT misskey TO \"{{name}}\";" \
    revocation_statements="REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\"; REASSIGN OWNED BY \"{{name}}\" TO misskey; DROP OWNED BY \"{{name}}\"; DROP ROLE \"{{name}}\";"

mkdir -p ../var/redis

podman run --pod misskey-middleware -d \
    --replace \
    --read-only \
    --security-opt no-new-privileges \
    --env-file .config/docker.env \
    --name misskey-redis \
    --network misskey \
    --volume ../var/redis:/data:U \
    --health-cmd "redis-cli ping" \
    --health-interval 5s \
    --health-retries 20 \
    --restart always \
    docker.io/redis:7-alpine

podman run --pod misskey-middleware -d \
    --replace \
    --read-only \
    --security-opt no-new-privileges \
    --network misskey \
    --name misskey-replikey \
    --volume ../etc/replikey:/etc/replikey:ro \
    --env-file .config/docker.env \
    l1drm/replikey:latest \
    network reverse-proxy \
    --listen 0.0.0.0:5443 \
    --cert /etc/replikey/cert.pem \
    --key /etc/replikey/key.pem \
    --ca /etc/replikey/ca.pem \
    --redis-sni "${MTLS_REDIS_SNI}" \
    --redis-target misskey-redis:6379 \
    --postgres-sni "${MTLS_POSTGRES_SNI}" \
    --postgres-target misskey-db:5432

podman run --pod misskey-web -d \
    --replace \
    --security-opt no-new-privileges \
    --network misskey \
    --name misskey-nyuukyou \
    --volume ../var/nyuukyou:/store \
    --restart always \
    misskey-podman
migrate to podman & apparmor Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 14:54:31 -06:00			`# this is just a template to copypaste, don't execute verbatim`

			`podman network create misskey`

			`podman pod create \`
			`--cpus 8.0 \`
			`--memory 16g \`
			`--shm-size 4g \`
			`--security-opt no-new-privileges \`
			`misskey-middleware`

			`# add no-new-privileges if you don't use apparmor`
			`podman pod create \`
			`--cpus 1.5 \`
update init script samples Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 17:28:52 -06:00			`--memory 6g \`
migrate to podman & apparmor Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 14:54:31 -06:00			`misskey-web`

			`mkdir -p ../var/db`

			`# migrate to 17`
			`podman run --pod misskey-middleware \`
			`--replace \`
			`--read-only \`
			`--security-opt no-new-privileges \`
			`--network misskey \`
			`--env-file .config/docker.env \`
			`--name misskey-db-15 \`
			`--volume ../var/db-15:/var/lib/postgresql/data:U \`
			`--volume ../run/db/15:/var/run/postgresql:U \`
			`--health-cmd "pg_isready -U \$POSTGRES_USER -d \$POSTGRES_DB" \`
			`--health-interval 5s \`
			`--health-retries 20 \`
			`--restart never \`
			`docker.io/l1drm/postgres-pgroonga:alpine-15-znver4`

			`podman run --pod misskey-middleware -d \`
			`--replace \`
			`--read-only \`
			`--security-opt no-new-privileges \`
			`--network misskey \`
			`--env-file .config/docker.env \`
			`--name misskey-db \`
			`--volume ../var/db-17:/var/lib/postgresql/data:U \`
			`--volume ../run/db/17:/var/run/postgresql:U \`
			`--health-cmd "pg_isready -U \$POSTGRES_USER -d \$POSTGRES_DB" \`
			`--health-interval 5s \`
			`--health-retries 20 \`
			`--restart always \`
			`docker.io/l1drm/postgres-pgroonga:alpine-17-znver4`


			`chmod 750 /var/lib/misskey/test0/run/db`
			`chown :vault /var/lib/misskey/test0/run/db`

			`vault write misskey-db/config/test0 \`
			`plugin_name="postgresql-database-plugin" \`
			`allowed_roles="misskey-admin" \`
			`allowed_roles="misskey-test0-runtime" \`
update init script samples Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 17:28:52 -06:00			`username="misskey" \`
			`password="dummy" \`
migrate to podman & apparmor Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 14:54:31 -06:00			`connection_url="postgresql://misskey@/misskey?host=/var/lib/misskey/test0/run/db/17/"`

			`# rotate root credentials so it is no longer the same as .docker.env`
			`vault write -force misskey-db/rotate-root/test0`

update init script samples Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 17:28:52 -06:00
			`vault write sys/policy/misskey-test0-runtime policy=- <<EOF`
			`path "misskey-db/creds/misskey-test0-runtime" {`
			`capabilities = ["read", "list"]`
			`}`

			`path "sys/leases/revoke-prefix/misskey-db/creds/misskey-test0-runtime" {`
			`capabilities = ["create", "update", "list", "delete", "sudo"]`
			`}`
			`EOF`

			`vault token create -policy=misskey-test0-runtime --ttl=0 -period=768h -orphan`

migrate to podman & apparmor Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 14:54:31 -06:00			`vault write misskey-db/roles/misskey-admin \`
			`db_name=misskey \`
			`default_ttl=4h \`
			`max_ttl=1d \`
more work towards actor key proxy Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-03-06 12:31:17 -06:00			`creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT misskey TO \"{{name}}\"; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA pg_catalog TO \"{{name}}\";"`
migrate to podman & apparmor Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 14:54:31 -06:00
			`vault write misskey-db/roles/misskey-test0-runtime \`
			`db_name=test0 \`
			`default_ttl=30d \`
			`max_ttl=365d \`
more work towards actor key proxy Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-03-06 12:31:17 -06:00			`creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT misskey TO \"{{name}}\";" \`
Separate podman init and apply script Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 16:08:23 -06:00			`revocation_statements="REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\"; REASSIGN OWNED BY \"{{name}}\" TO misskey; DROP OWNED BY \"{{name}}\"; DROP ROLE \"{{name}}\";"`
migrate to podman & apparmor Signed-off-by: eternal-flame-AD <yume@yumechi.jp> 2025-02-23 14:54:31 -06:00
			`mkdir -p ../var/redis`

			`podman run --pod misskey-middleware -d \`
			`--replace \`
			`--read-only \`
			`--security-opt no-new-privileges \`
			`--env-file .config/docker.env \`
			`--name misskey-redis \`
			`--network misskey \`
			`--volume ../var/redis:/data:U \`
			`--health-cmd "redis-cli ping" \`
			`--health-interval 5s \`
			`--health-retries 20 \`
			`--restart always \`
			`docker.io/redis:7-alpine`

			`podman run --pod misskey-middleware -d \`
			`--replace \`
			`--read-only \`
			`--security-opt no-new-privileges \`
			`--network misskey \`
			`--name misskey-replikey \`
			`--volume ../etc/replikey:/etc/replikey:ro \`
			`--env-file .config/docker.env \`
			`l1drm/replikey:latest \`
			`network reverse-proxy \`
			`--listen 0.0.0.0:5443 \`
			`--cert /etc/replikey/cert.pem \`
			`--key /etc/replikey/key.pem \`
			`--ca /etc/replikey/ca.pem \`
			`--redis-sni "${MTLS_REDIS_SNI}" \`
			`--redis-target misskey-redis:6379 \`
			`--postgres-sni "${MTLS_POSTGRES_SNI}" \`
			`--postgres-target misskey-db:5432`

			`podman run --pod misskey-web -d \`
			`--replace \`
			`--security-opt no-new-privileges \`
			`--network misskey \`
			`--name misskey-nyuukyou \`
			`--volume ../var/nyuukyou:/store \`
			`--restart always \`
			`misskey-podman`
No results found.