5.3 KiB
5.3 KiB
Podman certbot
Setup certbot Project
- Copy and rename this folder to active/podman_certbot
- Find and replace certbot with the name of the service.
- Create the rootless user to run the podman containers
- Write the compose.yaml spec for your service
- Convert the compose.yaml spec to a quadlet
- Install the quadlet on the podman server
- Expose the quadlet service
- Install a backup service and timer
Install certbot
Create the certbot user
# SSH into your podman server as root
useradd certbot
loginctl enable-linger $(id -u certbot)
systemctl --user --machine=certbot@.host enable podman-restart
systemctl --user --machine=certbot@.host enable --now podman.socket
mkdir -p /home/certbot/.config/containers/systemd
Write the certbot compose spec
podman run -it --rm --name certbot \
-v "/etc/letsencrypt:/etc/letsencrypt:Z" \
-v "/var/lib/letsencrypt:/var/lib/letsencrypt:Z" \
certbot/certbot certonly -d keycloak.reeseapps.com -d keycloak.reeselink.com
A Note on Volumes
Named volumes are stored at /home/certbot/.local/share/containers/storage/volumes/.
Convert certbot compose spec to quadlets
Run the following to convert a compose.yaml into the various .container files for systemd:
# Generate the systemd service
podman run \
--security-opt label=disable \
--rm \
-v $(pwd)/active/podman_certbot/:/compose \
-v $(pwd)/active/podman_certbot/quadlets:/quadlets \
quay.io/k9withabone/podlet \
-f /quadlets \
-i \
--overwrite \
compose /compose/compose.yaml
# Copy the files to the server
export PODMAN_SERVER=
scp -r active/podman_certbot/quadlets/. $PODMAN_SERVER:/home/certbot/.config/containers/systemd/
ssh $PODMAN_SERVER chown -R certbot:certbot /home/certbot/.config/containers/systemd/
Create any container-mounted directories
SSH into your podman server as root:
machinectl shell certbot@
podman unshare
mkdir some_volume
# Chown to the namespaced user with UID 1000
# This will be some really obscure UID outside the namespace
# This will also solve most permission denied errors
chown -R 1000:1000 some_volume
Start and enable your systemd quadlet
SSH into your podman server as root:
machinectl shell certbot@
systemctl --user daemon-reload
systemctl --user restart certbot
# Enable auto-update service which will pull new container images automatically every day
systemctl --user enable --now podman-auto-update.timer
Expose certbot
- If you need a domain, follow the DDNS instructions
- For a web service, follow the Caddy instructions
- Finally, follow your OS's guide for opening ports via its firewall service.
firewalld
# command to get current active zone and default zone
firewall-cmd --get-active-zones
firewall-cmd --get-default-zone
# command to open 443 on tcp
firewall-cmd --permanent --zone=<zone> --add-port=443/tcp
# command to open 80 and 443 on tcp and udp
firewall-cmd --permanent --zone=<zone> --add-port={80,443}/{tcp,udp}
# command to list available services and then open http and https
firewall-cmd --get-services
firewall-cmd --permanent --zone=<zone> --add-service={http,https}
Backup certbot
Follow the Borg Backup instructions
Upgrade certbot
Upgrade Quadlets
Upgrades should be a repeat of writing the compose spec and installing the quadlets
export PODMAN_SERVER=
scp -r quadlets/. $PODMAN_SERVER$:/home/certbot/.config/containers/systemd/
ssh certbot systemctl --user daemon-reload
ssh certbot systemctl --user restart certbot
Uninstall
# Stop the user's services
systemctl --user disable podman-restart
podman container stop --all
systemctl --user disable --now podman.socket
systemctl --user disable --now podman-auto-update.timer
# Delete the user (this won't delete their home directory)
# userdel might spit out an error like:
# userdel: user certbot is currently used by process 591255
# kill those processes and try again
userdel certbot
Notes
SELinux
https://blog.christophersmart.com/2021/01/31/podman-volumes-and-selinux/
:z allows a container to share a mounted volume with all other containers.
:Z allows a container to reserve a mounted volume and prevents any other container from accessing.