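# this is just a template to copypaste, don't execute verbatim
#
# Brings up the misskey deployment on podman: a "middleware" pod (postgres,
# redis, the replikey mTLS reverse proxy) and a "web" pod, then points Vault's
# database secrets engine at the postgres unix socket so the application and
# admins get dynamic credentials instead of the static one in docker.env.
#
# Paths: ../var, ../run, ../etc and .config/docker.env are relative to the
# directory the commands are pasted in; the chmod/chown and connection_url
# below use the absolute /var/lib/misskey/test0 layout — keep the two in sync.

podman network create misskey

# Resource limits plus no-new-privileges for every container in the pod.
podman pod create \
  --cpus 8.0 \
  --memory 16g \
  --shm-size 4g \
  --security-opt no-new-privileges \
  misskey-middleware

# add no-new-privileges if you don't use apparmor
podman pod create \
  --cpus 1.5 \
  --memory 6g \
  misskey-web

mkdir -p ../var/db

# migrate to 17
# Old-major instance, presumably only needed for the 15 -> 17 migration: it
# runs in the foreground (no -d) and is not restarted.
podman run --pod misskey-middleware \
  --replace \
  --read-only \
  --security-opt no-new-privileges \
  --network misskey \
  --env-file .config/docker.env \
  --name misskey-db-15 \
  --volume ../var/db-15:/var/lib/postgresql/data:U \
  --volume ../run/db/15:/var/run/postgresql:U \
  --health-cmd "pg_isready -U \$POSTGRES_USER -d \$POSTGRES_DB" \
  --health-interval 5s \
  --health-retries 20 \
  --restart never \
  docker.io/l1drm/postgres-pgroonga:alpine-15-znver4

# The live database. Data dir and socket dir are mounted with :U so their
# ownership is shifted to the container's user mapping.
podman run --pod misskey-middleware -d \
  --replace \
  --read-only \
  --security-opt no-new-privileges \
  --network misskey \
  --env-file .config/docker.env \
  --name misskey-db \
  --volume ../var/db-17:/var/lib/postgresql/data:U \
  --volume ../run/db/17:/var/run/postgresql:U \
  --health-cmd "pg_isready -U \$POSTGRES_USER -d \$POSTGRES_DB" \
  --health-interval 5s \
  --health-retries 20 \
  --restart always \
  docker.io/l1drm/postgres-pgroonga:alpine-17-znver4

# 750 + group vault: only the owner and the vault group can reach the socket
# directory Vault connects through; everyone else is locked out.
chmod 750 /var/lib/misskey/test0/run/db
chown :vault /var/lib/misskey/test0/run/db

# Register the database with the database secrets engine over the unix socket.
# allowed_roles is a comma-separated list (the original passed the key twice).
# The password given here is a stand-in: connection_url carries no {{password}}
# template and rotate-root below replaces it anyway, so the real root password
# is never typed on this command line (argv is visible in history and `ps`).
# NOTE(review): that presumably means the socket authenticates the misskey role
# without a password (pg_hba peer/trust) — confirm that is what you intend.
vault write misskey-db/config/test0 \
  plugin_name="postgresql-database-plugin" \
  allowed_roles="misskey-admin,misskey-test0-runtime" \
  username="misskey" \
  password="dummy" \
  connection_url="postgresql://misskey@/misskey?host=/var/lib/misskey/test0/run/db/17/"

# rotate root credentials so it is no longer the same as .docker.env
# After this the only copy of the root password lives in Vault; the value in
# .config/docker.env is stale and should not be relied on anywhere else.
vault write -force misskey-db/rotate-root/test0

# Least-privilege policy for the runtime token: read its own creds, and revoke
# them (revoke-prefix needs sudo) — nothing else.
vault write sys/policy/misskey-test0-runtime policy=- <<'EOF'
path "misskey-db/creds/misskey-test0-runtime" {
  capabilities = ["read", "list"]
}
path "sys/leases/revoke-prefix/misskey-db/creds/misskey-test0-runtime" {
  capabilities = ["create", "update", "list", "delete", "sudo"]
}
EOF

# Periodic orphan token for the runtime: --ttl=0 sets no explicit ttl, but
# -period=768h means it must be renewed within each 768h period or it expires.
# Hand the token to the service out of band — not via argv or docker.env.
vault token create -policy=misskey-test0-runtime --ttl=0 -period=768h -orphan

# Short-lived admin credentials (4h, at most 1d).
# NOTE(review): no revocation_statements are given, so Vault's default
# revocation applies; objects created during an admin session stay owned by the
# ephemeral role and the default DROP ROLE may then fail — consider the same
# REASSIGN OWNED / DROP OWNED sequence the runtime role uses below.
vault write misskey-db/roles/misskey-admin \
  db_name=misskey \
  default_ttl=4h \
  max_ttl=1d \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT misskey TO \"{{name}}\"; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA pg_catalog TO \"{{name}}\";"

# Long-lived runtime credentials for the app (30d, renewable up to 365d).
# On revoke, anything the role owns is handed back to misskey before the role
# is dropped, so revocation cannot get stuck on owned objects.
vault write misskey-db/roles/misskey-test0-runtime \
  db_name=test0 \
  default_ttl=30d \
  max_ttl=365d \
  creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}'; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"{{name}}\"; GRANT misskey TO \"{{name}}\";" \
  revocation_statements="REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\"; REASSIGN OWNED BY \"{{name}}\" TO misskey; DROP OWNED BY \"{{name}}\"; DROP ROLE \"{{name}}\";"

mkdir -p ../var/redis

podman run --pod misskey-middleware -d \
  --replace \
  --read-only \
  --security-opt no-new-privileges \
  --env-file .config/docker.env \
  --name misskey-redis \
  --network misskey \
  --volume ../var/redis:/data:U \
  --health-cmd "redis-cli ping" \
  --health-interval 5s \
  --health-retries 20 \
  --restart always \
  docker.io/redis:7-alpine

# mTLS reverse proxy in front of redis and postgres: listens on :5443 and,
# judging by the --*-sni options, presumably routes by SNI to the matching
# backend, verifying clients against /etc/replikey/ca.pem.
# MTLS_REDIS_SNI / MTLS_POSTGRES_SNI must be set in the shell you paste into.
# --restart always is added here for consistency with the other daemonized
# services in the pod (it was the only -d container without one).
# NOTE(review): l1drm/replikey:latest is an unpinned floating tag with no
# registry prefix (short-name resolution) — prefer a digest or at least a
# fully-qualified, versioned reference like the postgres images use.
podman run --pod misskey-middleware -d \
  --replace \
  --read-only \
  --security-opt no-new-privileges \
  --network misskey \
  --name misskey-replikey \
  --volume ../etc/replikey:/etc/replikey:ro \
  --env-file .config/docker.env \
  --restart always \
  l1drm/replikey:latest \
  network reverse-proxy \
  --listen 0.0.0.0:5443 \
  --cert /etc/replikey/cert.pem \
  --key /etc/replikey/key.pem \
  --ca /etc/replikey/ca.pem \
  --redis-sni "${MTLS_REDIS_SNI}" \
  --redis-target misskey-redis:6379 \
  --postgres-sni "${MTLS_POSTGRES_SNI}" \
  --postgres-target misskey-db:5432

# NOTE(review): unlike the other containers this one is not --read-only and
# its /store volume has no :U — confirm both are intentional (uid mapping may
# differ from the :U mounts above). The reviewed copy of this template ended at
# the image name; confirm nothing was cut off after it.
podman run --pod misskey-web -d \
  --replace \
  --security-opt no-new-privileges \
  --network misskey \
  --name misskey-nyuukyou \
  --volume ../var/nyuukyou:/store \
  --restart always \
  misskey-podman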