# Podman matrix - [Podman matrix](#podman-matrix) - [Setup matrix Project](#setup-matrix-project) - [Install matrix](#install-matrix) - [Create the matrix user](#create-the-matrix-user) - [Write the matrix compose spec](#write-the-matrix-compose-spec) - [A Note on Volumes](#a-note-on-volumes) - [Convert matrix compose spec to quadlets](#convert-matrix-compose-spec-to-quadlets) - [Setup matrix users](#setup-matrix-users) - [Expose matrix](#expose-matrix) - [firewalld](#firewalld) - [Backup matrix](#backup-matrix) - [Upgrade matrix](#upgrade-matrix) - [Upgrade Quadlets](#upgrade-quadlets) - [Notes](#notes) - [SELinux](#selinux) ## Setup matrix Project - [x] Copy and rename this folder to active/podman_matrix - [x] Find and replace matrix with the name of the service. - [x] Create the rootless user to run the podman containers - [x] Write the compose.yaml spec for your service - [x] Convert the compose.yaml spec to a quadlet - [x] Install the quadlet on the podman server - [ ] Expose the quadlet service - [ ] Install a backup service and timer ## Install matrix ### Create the matrix user ```bash # SSH into your podman server as root useradd matrix loginctl enable-linger $(id -u matrix) systemctl --user --machine=matrix@.host enable podman-restart systemctl --user --machine=matrix@.host enable --now podman.socket mkdir -p /home/matrix/.config/containers/systemd ``` ### Write the matrix compose spec Edit the compose.yaml at active/matrix/compose/compose.yaml #### A Note on Volumes Named volumes are stored at `~/.local/share/containers/storage/volumes/`. ### Convert matrix compose spec to quadlets On your local machine: ```bash # Generate the systemd service podman run \ --security-opt label=disable \ --rm \ -v $(pwd)/active/podman_matrix/compose:/compose \ -v $(pwd)/active/podman_matrix/quadlets:/quadlets \ quay.io/k9withabone/podlet \ -f /quadlets \ -i \ --overwrite \ compose /compose/compose.yaml # Copy the files to the server scp -r active/podman_matrix/quadlets/. matrix:~/.config/containers/systemd/ # Copy the compose files to the server scp -r active/podman_matrix/compose/. matrix:~/.config// ``` ```bash ssh matrix systemctl --user daemon-reload ssh matrix systemctl --user restart matrix # Enables auto-update service which will pull new container images automatically every day ssh matrix systemctl --user enable --now podman-auto-update.timer ``` ### Setup matrix users ```bash podman run \ -v /home/matrix/tuwunel-db:/var/lib/tuwunel:Z \ -e TUWUNEL_SERVER_NAME=matrix.reeseapps.com \ -e TUWUNEL_DATABASE_PATH=/var/lib/tuwunel \ --userns=keep-id \ -- -it \ --rm \ ghcr.io/matrix-construct/tuwunel:latest \ --execute "users create_user ducoterra" ``` ### Expose matrix 1. If you need a domain, follow the [DDNS instructions](/active/podman_ddns/ddns.md#install-a-new-ddns-service) 2. For a web service, follow the [Caddy instructions](/active/podman_caddy/caddy.md#adding-a-new-caddy-record) 3. Finally, follow your OS's guide for opening ports via its firewall service. #### firewalld ```bash # command to get current active zone and default zone firewall-cmd --get-active-zones firewall-cmd --get-default-zone # command to open 443 on tcp firewall-cmd --permanent --zone= --add-port=443/tcp # command to open 80 and 443 on tcp and udp firewall-cmd --permanent --zone= --add-port={80,443}/{tcp,udp} # command to list available services and then open http and https firewall-cmd --get-services firewall-cmd --permanent --zone= --add-service={http,https} ``` ## Backup matrix Follow the [Borg Backup instructions](/active/systemd_borg/borg.md#set-up-a-client-for-backup) ## Upgrade matrix ### Upgrade Quadlets Upgrades should be a repeat of [writing the compose spec](#convert-compose-to-quadlet) and [installing the quadlets](#convert-compose-to-quadlet) ```bash scp -r quadlets/. matrix:~/.config/containers/systemd/ ssh matrix systemctl --user daemon-reload ssh matrix systemctl --user restart matrix ``` ## Notes ### SELinux :z allows a container to share a mounted volume with all other containers. :Z allows a container to reserve a mounted volume and prevents any other container from accessing.