Push lots of changes to catch up on restructuring

.gitignore

@@ -1,3 +1,4 @@
-oci-archive.tar
 build_id
+build_log
+image/
 secrets/

Makefile

@@ -2,49 +2,69 @@ include config.mk
 
 .DEFAULT_GOAL := all
 
+# Disabled due to https://github.com/containers/buildah/issues/5581
+#REPO_STAMP := push-stamp
+#REPO_PATH := repo/
+#REPO_STAMPS := $(addsuffix /${REPO_STAMP},${CONTAINERS})
+#
+#%/${REPO_STAMP}: %/${BUILD_ID_OUT}
+#	@mkdir -p ${REPO_PATH}
+#	buildah push \
+#		-f oci \
+#		--compression-format zstd \
+#		--compression-level 10 \
+#		$(shell cat $<) \
+#		oci:${REPO_PATH}:$*:latest
+#	touch $@
+
+MANIFEST_FILE = ${IMAGE_DIR}/manifest.json
+
 # Autogenerated lists
 CONTAINERS := $(shell find ./ -name 'Containerfile' -exec 'dirname' '{}' ';' | cut -d'/' -f2-)
-IMAGES := $(addsuffix /${IMAGE_OUTPUT},${CONTAINERS})
+IMAGE_DIRS := $(addsuffix /${IMAGE_DIR},${CONTAINERS})
 BUILD_IDS := $(addsuffix /${BUILD_ID_OUT},${CONTAINERS})
+BUILD_LOGS := $(addsuffix /${BUILD_LOG},${CONTAINERS})
+MANIFESTS := $(addsuffix /${MANIFEST_FILE},${CONTAINERS})
 
 # Make workaround
 # Inserting literal commas into function calls without interpreting them as delimiters
 , := ,
 
 # Build all containers in order by default
-all: oci
+all: unified
 
-oci: $(IMAGES)
+unified: $(MANIFESTS) # $(REPO_STAMPS)
 localbuild: $(BUILD_IDS)
-import: $(addsuffix /import,${IMAGES})
 
 # Build process
-%/${IMAGE_OUTPUT}: %/${BUILD_ID_OUT}
+%/${MANIFEST_FILE}: %/${BUILD_ID_OUT}
+	@mkdir -p $*/${IMAGE_DIR}
 	buildah push \
 		-f oci \
 		$(shell cat $<) \
-		oci-archive:$@:${DOMAIN}/$*:$(shell date +%s)
-
-%/${IMAGE_OUTPUT}/import: %/${IMAGE_OUTPUT}
-	buildah pull \
-		oci-archive:$<
+		dir:$*/${IMAGE_DIR}
 
 %/${BUILD_ID_OUT}: %/Containerfile
 	buildah build \
 		--jobs 0 \
 		--network=none \
-		--layers=true \
-		-t ${DOMAIN}/$*:latest \
-		--iidfile $*/${BUILD_ID_OUT} \
+		--logfile=$*/${BUILD_LOG} \
+		-t $*:latest \
+		--iidfile $@ \
 		$(foreach secretpath,$(wildcard $*/secrets/*),\
 			--secret id=$(patsubst $*/secrets/%,%,${secretpath})$(,)src=${secretpath}) \
 		$*
 
 # Clean up
-clean:
-	-rm -rv ${IMAGES} ${BUILD_IDS}
+clean: cleanbuild cleandirs
 
-.PHONY: all localbuild oci clean import
+cleanbuild:
+	-rm -rv ${BUILD_IDS}
+
+cleandirs:
+	-rm -rv ${IMAGE_DIRS}
+
+.PHONY: all clean cleanbuild cleandirs localbuild unified
 .SUFFIXES:
 
 # Somehow GNU make forgets these are intermediates if not explicitly stated, feel free to look into it *shrug*

config.mk

@@ -1,88 +1,5 @@
-DOMAIN := redxen.eu
-
-IMAGE_OUTPUT := oci-archive.tar
+IMAGE_DIR := image
 BUILD_ID_OUT := build_id
+BUILD_LOG := build_log
 
-# DNS
-daemons/nsd/${BUILD_ID_OUT}: daemons/nsd/% : \
-	daemons/nsd/nsd.conf \
-	data/dns/%
-
-data/dns/${BUILD_ID_OUT}: data/dns/% : \
-	data/dns/redxen.eu \
-	data/dnssec/% \
-	data/opendkim/%
-
-# Certificates
-data/postgres-cert/${BUILD_ID_OUT}: data/postgres-cert/% : \
-	data/postgres-cert/x509v3_config \
-	data/postgres-cert/gen-cert.sh \
-	data/ca/%
-
-data/letsencrypt/${BUILD_ID_OUT}: data/letsencrypt/% : \
-	data/letsencrypt/ca.crt \
-	data/letsencrypt/public.crt \
-	data/letsencrypt/secrets/private.key
-
-data/selfsigned/${BUILD_ID_OUT}: data/selfsigned/% : \
-	data/postgres-cert/x509v3_config \
-	data/selfsigned/gen-cert.sh \
-	data/ca/%
-
-# Databases
-daemons/postgres/${BUILD_ID_OUT}: daemons/postgres/% : \
-	daemons/postgres/disable-hba-patcher.patch \
-	daemons/postgres/postgresql.conf \
-	daemons/postgres/init-db-hba.py \
-	data/ca/% \
-	data/postgres-cert/%
-
-daemons/redis/${BUILD_ID_OUT}: daemons/redis/% : \
-	daemons/redis/redis.conf
-
-daemons/etcd/${BUILD_ID_OUT}: daemons/etcd/% : \
-	data/ca/% \
-	data/selfsigned/%
-
-# Monitoring
-daemons/grafana/${BUILD_ID_OUT}: daemons/grafana/% : \
-	daemons/grafana/config.ini \
-	data/ca/% \
-	data/postgres-cert/%
-
-daemons/prometheus/${BUILD_ID_OUT}: daemons/prometheus/% : \
-	daemons/prometheus/config.yaml
-
-# Mail
-daemons/opendkim/${BUILD_ID_OUT}: daemons/opendkim/% : \
-	daemons/opendkim/trusted_hosts \
-	daemons/opendkim/opendkim.conf \
-	data/opendkim/%
-
-daemons/rspamd/${BUILD_ID_OUT}: daemons/rspamd/% : \
-	daemons/rspamd/config/
-
-daemons/dovecot/${BUILD_ID_OUT}: daemons/dovecot/% : \
-	daemons/dovecot/automove.sieve \
-	daemons/dovecot/dovecot.conf \
-	daemons/dovecot/pgsql.conf \
-	data/ca/% \
-	data/postgres-cert/% \
-	data/letsencrypt/%
-
-daemons/postfix/${BUILD_ID_OUT}: daemons/postfix/% : \
-	daemons/postfix/main.cf \
-	daemons/postfix/master.cf \
-	daemons/postfix/pgsql-aliases.cf \
-	daemons/postfix/pgsql-users.cf \
-	data/ca/% \
-	data/postgres-cert/% \
-	data/letsencrypt/%
-
-# Other
-daemons/murmurd/${BUILD_ID_OUT}: daemons/murmurd/% : \
-	daemons/murmurd/murmur.ini \
-	daemons/murmurd/secrets/mregpass \
-	data/ca/% \
-	data/postgres-cert/% \
-	data/selfsigned/%
+include */config.mk

creators/common.sh

@@ -1,12 +0,0 @@
-#!/bin/sh
-
-randmac() {
-	printf \
-		'%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X\n' \
-		'242' '0' '0' \
-		"$(randhextet)" "$(randhextet)" "$(randhextet)"
-}
-
-randhextet() {
-	seq 0 255 | shuf | head -n 1
-}

creators/dovecot.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod host \
-	--pull missing \
-	--image-volume tmpfs \
-	--mount type=volume,src=dovecot-data,dst=/var/mail/ \
-	oci-archive:daemons/dovecot/oci-archive.tar:redxen.eu/daemons/dovecot:latest

creators/etcd-cluster.sh

@@ -1,41 +0,0 @@
-#!/bin/sh
-OWNHOST="[::1]"
-
-podman run \
-	-d \
-	--network=host \
-	--name node-1 \
-	redxen.eu/daemons/etcd \
-		--name node-1 \
-		--listen-peer-urls 'https://[::]:2380' \
-		--initial-advertise-peer-urls "https://$OWNHOST:2380" \
-		--listen-client-urls 'https://[::]:2379' \
-		--advertise-client-urls "https://$OWNHOST:2379" \
-		--initial-cluster-state new \
-		--initial-cluster "node-1=https://$OWNHOST:2380,node-2=https://$OWNHOST:2381,node-3=https://$OWNHOST:2382"
-
-podman run \
-	-d \
-	--network=host \
-	--name node-2 \
-	redxen.eu/daemons/etcd \
-		--name node-2 \
-		--listen-peer-urls 'https://[::]:2381' \
-		--initial-advertise-peer-urls "https://$OWNHOST:2381" \
-		--listen-client-urls 'https://[::]:2378' \
-		--advertise-client-urls "https://$OWNHOST:2378" \
-		--initial-cluster-state new \
-		--initial-cluster "node-1=https://$OWNHOST:2380,node-2=https://$OWNHOST:2381,node-3=https://$OWNHOST:2382"
-
-podman run \
-	-d \
-	--network=host \
-	--name node-3 \
-	redxen.eu/daemons/etcd \
-		--name node-3 \
-		--listen-peer-urls 'https://[::]:2382' \
-		--initial-advertise-peer-urls "https://$OWNHOST:2382" \
-		--listen-client-urls 'https://[::]:2377' \
-		--advertise-client-urls "https://$OWNHOST:2377" \
-		--initial-cluster-state new \
-		--initial-cluster "node-1=https://$OWNHOST:2380,node-2=https://$OWNHOST:2381,node-3=https://$OWNHOST:2382"

creators/host-net-pod.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman pod create \
-	--userns=auto \
-	--network=host \
-	host

creators/macvlan-pod.sh

@@ -1,23 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman network create \
-	--ipv6 \
-	-d macvlan \
-	--ipam-driver host-local \
-	--subnet 172.20.254.192/30 \
-	macvlan-br
-
-podman pod create \
-	--userns=auto \
-	--dns='2606:4700:4700::1111' \
-	--dns='2606:4700:4700::1001' \
-	--dns='2001:4860:4860::8888' \
-	--dns='2001:4860:4860::8844' \
-	--dns='1.1.1.1' \
-	--dns='1.0.0.1' \
-	--dns='8.8.8.8' \
-	--dns='8.8.4.4' \
-	--network=macvlan-br \
-	macvlan

creators/nsd.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod macvlan \
-	--pull missing \
-	--image-volume tmpfs \
-	--mount type=volume,src=nsd-data,dst=/var/lib/nsd/ \
-	oci-archive:daemons/nsd/oci-archive.tar:redxen.eu/daemons/nsd:latest

creators/opendkim.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod host \
-	--pull missing \
-	--image-volume tmpfs \
-	oci-archive:daemons/opendkim/oci-archive.tar:redxen.eu/daemons/opendkim:latest

creators/postfix.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod host \
-	--pull missing \
-	--image-volume tmpfs \
-	--mount type=volume,src=postfix-data,dst=/var/lib/postfix/ \
-	oci-archive:daemons/postfix/oci-archive.tar:redxen.eu/daemons/postfix:latest

creators/postgres.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod host \
-	--pull missing \
-	--image-volume tmpfs \
-	--mount type=volume,src=postgres-data,dst=/var/lib/postgres/ \
-	oci-archive:daemons/postgres/oci-archive.tar:redxen.eu/daemons/postgres:latest

creators/prometheus.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod host \
-	--pull missing \
-	--image-volume tmpfs \
-	--mount type=volume,src=prometheus-data,dst=/var/lib/prometheus/data \
-	oci-archive:daemons/prometheus/oci-archive.tar:redxen.eu/daemons/prometheus:latest

creators/redis.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod host \
-	--pull missing \
-	--image-volume tmpfs \
-	--mount type=volume,src=redis-data,dst=/var/lib/redis/ \
-	oci-archive:daemons/redis/oci-archive.tar:redxen.eu/daemons/redis:latest

creators/rspamd.sh

@@ -1,9 +0,0 @@
-#!/bin/sh
-
-. "$(dirname $0)"/common.sh
-
-podman container create \
-	--pod host \
-	--pull missing \
-	--image-volume tmpfs \
-	oci-archive:daemons/rspamd/oci-archive.tar:redxen.eu/daemons/rspamd:latest

daemons/postgres/disable-hba-patcher.patch

@@ -1,69 +0,0 @@
-@@ -98,59 +98,6 @@
- 	fi
- }
- 
--# print large warning if POSTGRES_PASSWORD is long
--# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
--# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
--# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
--docker_verify_minimum_env() {
--	# check password first so we can output the warning before postgres
--	# messes it up
--	if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
--		cat >&2 <<-'EOWARN'
--
--			WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
--
--			  This will not work if used via PGPASSWORD with "psql".
--
--			  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
--			  https://github.com/docker-library/postgres/issues/507
--
--		EOWARN
--	fi
--	if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
--		# The - option suppresses leading tabs but *not* spaces. :)
--		cat >&2 <<-'EOE'
--			Error: Database is uninitialized and superuser password is not specified.
--			       You must specify POSTGRES_PASSWORD to a non-empty value for the
--			       superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
--
--			       You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
--			       connections without a password. This is *not* recommended.
--
--			       See PostgreSQL documentation about "trust":
--			       https://www.postgresql.org/docs/current/auth-trust.html
--		EOE
--		exit 1
--	fi
--	if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
--		cat >&2 <<-'EOWARN'
--			********************************************************************************
--			WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
--			         anyone with access to the Postgres port to access your database without
--			         a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
--			         documentation about "trust":
--			         https://www.postgresql.org/docs/current/auth-trust.html
--			         In Docker's default configuration, this is effectively any other
--			         container on the same system.
--
--			         It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
--			         it with "-e POSTGRES_PASSWORD=password" instead to set a password in
--			         "docker run".
--			********************************************************************************
--		EOWARN
--	fi
--}
--
- # usage: docker_process_init_files [file [file [...]]]
- #    ie: docker_process_init_files /always-initdb.d/*
- # process initializer files, based on file extensions and permissions
-@@ -310,8 +257,6 @@
- 
- 		# only run initialization on an empty data directory
- 		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
--			docker_verify_minimum_env
--
- 			# check dir permissions to reduce likelihood of half-initialized database
- 			ls /docker-entrypoint-initdb.d/ > /dev/null
- 

data/dns/Containerfile

@@ -1,34 +0,0 @@
-FROM alpine:latest AS signer
-
-RUN --network=host apk add \
-	cmd:dnssec-signzone \
-	cmd:named-checkzone
-
-RUN mkdir -p /tmp/zones
-ADD redxen.eu /tmp/zones/redxen.eu
-RUN sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/redxen.eu
-
-# Copy keys into the signer
-COPY --from=redxen.eu/data/dnssec:latest "/redxen.eu" "/tmp/keys/redxen.eu"
-COPY --from=redxen.eu/data/opendkim:latest "/redxen.eu" "/tmp/opendkim/redxen.eu"
-
-# Add keys to zone
-RUN cat /tmp/keys/redxen.eu/*.key | tee -a /tmp/zones/redxen.eu
-
-# Add OpenDKIM record to zone
-RUN cat /tmp/opendkim/redxen.eu/*.txt | tee -a /tmp/zones/redxen.eu
-
-# Sign zone
-RUN dnssec-signzone -t \
-	-K /tmp/keys/redxen.eu/ \
-	-o redxen.eu \
-	-f /tmp/zones/redxen.eu \
-	-e "+90d" \
-	/tmp/zones/redxen.eu
-
-# Verify zone after signing
-RUN named-checkzone redxen.eu /tmp/zones/redxen.eu
-
-# Copy back only signed zone
-FROM scratch
-COPY --from=signer /tmp/zones /dns-zones

data/letsencrypt/ca.crt

@@ -1,63 +0,0 @@
-
------BEGIN CERTIFICATE-----
-MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
-WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
-RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
-AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
-R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
-sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
-NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
-Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
-/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
-Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
-FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
-AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
-Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
-gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
-PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
-ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
-CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
-lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
-avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
-yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
-yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
-hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
-HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
-MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
-nLRbwHOoq7hHwg==
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
-MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
-TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
-cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
-ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
-wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
-LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
-4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
-bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
-sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
-Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
-FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
-SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
-PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
-TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
-SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
-c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
-+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
-ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
-b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
-U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
-MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
-5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
-9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
-WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
-he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
-Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
------END CERTIFICATE-----

data/letsencrypt/public.crt

@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE6zCCA9OgAwIBAgISAy/p3h/wo08W4wsYNslIELVmMA0GCSqGSIb3DQEBCwUA
-MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
-EwJSMzAeFw0yMzEwMTYxMjIyMjNaFw0yNDAxMTQxMjIyMjJaMBQxEjAQBgNVBAMT
-CXJlZHhlbi5ldTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANeD0yl2
-aQaIK73GpBOA1JpdesESlCvjEw9g84uN8Yk4fG77wGcDZw1Ja4vrj9MBmzvnLMUe
-j5mizZP2L3eIgx3KKsuIT4hClGSR/oeN0cL93RUYAwZqW1q8NBuAxu1QPhXn82ZK
-8qLnlZGJQBvRy2rCAru26QjgeJHt7P9jdDpq0KolT3Nlt+gmO/oJJiZUcfvUWJ+K
-D0cX7BQy+GFH4XSAWSMB1w+HhLaKUESaBfSvAuX6awUu1JfbJW0yUoG+We9/RuMI
-44TDLGfVujmpRYgcOlJRBQiSXi/pMie1kdQqev0uFYRCSuM6QTkHlPYRrPXHPZks
-vmqRDe1do7TgnFkCAwEAAaOCAhcwggITMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
-FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
-PIwzPDkx1+DgEji18Q8rc+Y0dXAwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA5h+v
-nYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMuby5s
-ZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8wIQYD
-VR0RBBowGIILKi5yZWR4ZW4uZXWCCXJlZHhlbi5ldTATBgNVHSAEDDAKMAgGBmeB
-DAECATCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1ANq2v2s/tbYin5vCu1xr6HCR
-cWy7UYSFNL2kPTBI1/urAAABizim4x8AAAQDAEYwRAIgJQdzMMJr9YZLo3CEw5K7
-cM8EhBue/QmJNNM9Tk3z+RkCIAjG4Ix37WGEAouSh/eutvyH0fx7Ry6I/+QKsS+5
-xUcZAHYAdv+IPwq2+5VRwmHM9Ye6NLSkzbsp3GhCCp/mZ0xaOnQAAAGLOKbjTgAA
-BAMARzBFAiBXQmNcEN2iIIYJjvKf0ZbFUYRzK8CrFk0iB5Qk08gPZAIhAP1ogV9F
-V3XsGB5iFjnLDpU75mrizxqNTO8w9uRZbZNmMA0GCSqGSIb3DQEBCwUAA4IBAQCZ
-m1idEdbYkq6g23rwl4RiwE4wFa4IIeCp632Cuv2SaD4tRBAyIXiAvi1bYpz/qN1A
-14e++ufnRu6pwjrKBSI8sZwZLqWapdRJFp09vJK+o1M7+2kO2dYG6HX4C95Mrkku
-yw87mrc0M8U8Uw2NIxGYwPn5QFLies6mSaP/eqVkXOIOaglxDMyPIOCBqTu0c/KV
-cIY77MCqAv9J7pSFAn76dHeLZEYP4hPP9JocVTYFEzv2ZCTyvWR0Icu4ujfp3FVa
-uJnr16oWSHLXAL8gkNYruktc6CbJcQezQWClVAdTXGc3+0hxz7eTlEs/8O16ocN/
-EgIR8Ef47UL9jhVX8cT7
------END CERTIFICATE-----

data/postgres-cert/Containerfile

@@ -1,28 +0,0 @@
-FROM alpine:latest as generator
-
-RUN --network=host apk add \
-	cmd:openssl
-
-COPY --from=redxen.eu/data/ca:latest "/redxen.eu" "/ca"
-
-ADD x509v3_config /tmp/x509v3_config
-
-RUN mkdir -p "/redxen.eu/certs"
-RUN mkdir -p "/redxen.eu/keys"
-
-WORKDIR "/redxen.eu"
-
-ADD gen-cert.sh /tmp/gen-cert.sh
-
-# Server
-RUN /tmp/gen-cert.sh postgres
-
-# Roles
-RUN /tmp/gen-cert.sh murmur
-RUN /tmp/gen-cert.sh dovecot
-RUN /tmp/gen-cert.sh postfix
-RUN /tmp/gen-cert.sh grafana
-
-FROM scratch
-
-COPY --from=generator "/redxen.eu" "/redxen.eu"

data/selfsigned/Containerfile

@@ -1,22 +0,0 @@
-FROM alpine:latest as generator
-
-RUN --network=host apk add \
-	cmd:openssl
-
-COPY --from=redxen.eu/data/ca:latest "/redxen.eu" "/ca"
-
-ADD x509v3_config /tmp/x509v3_config
-
-RUN mkdir -p "/redxen.eu/certs"
-RUN mkdir -p "/redxen.eu/keys"
-
-WORKDIR "/redxen.eu"
-
-ADD gen-cert.sh /tmp/gen-cert.sh
-
-RUN /tmp/gen-cert.sh mumble "DNS: mumble.redxen.eu"
-RUN /tmp/gen-cert.sh etcd "IP: 0:0:0:0:0:0:0:1, IP: 127.0.0.1, DNS: localhost" # I hate i cannot use compressor here but it is what it is
-
-FROM scratch
-
-COPY --from=generator "/redxen.eu" "/redxen.eu"

redxen.eu/config.mk

@@ -0,0 +1,97 @@
+# DNS
+redxen.eu/daemons/nsd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/nsd.conf \
+	redxen.eu/data/dns/${BUILD_ID_OUT}
+
+redxen.eu/data/dns/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/redxen.eu \
+	redxen.eu/data/dnssec/${BUILD_ID_OUT} \
+	redxen.eu/data/opendkim/${BUILD_ID_OUT}
+
+# Certificates
+redxen.eu/data/postgres-cert/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/x509v3_config \
+	%/gen-cert.sh \
+	redxen.eu/data/ca/${BUILD_ID_OUT}
+
+redxen.eu/data/letsencrypt/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/ca.crt \
+	%/public.crt \
+	%/secrets/private.key
+
+redxen.eu/data/selfsigned/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/x509v3_config \
+	%/gen-cert.sh \
+	redxen.eu/data/ca/${BUILD_ID_OUT}
+
+# Databases
+redxen.eu/daemons/postgres/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/disable-hba-patcher.patch \
+	%/postgresql.conf \
+	%/init-db-hba.py \
+	redxen.eu/data/ca/${BUILD_ID_OUT} \
+	redxen.eu/data/postgres-cert/${BUILD_ID_OUT}
+
+redxen.eu/daemons/redis/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/redis.conf
+
+redxen.eu/daemons/etcd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	redxen.eu/data/ca/${BUILD_ID_OUT} \
+	redxen.eu/data/selfsigned/${BUILD_ID_OUT}
+
+# Monitoring
+redxen.eu/daemons/grafana/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/config.ini \
+	redxen.eu/data/ca/${BUILD_ID_OUT} \
+	redxen.eu/data/postgres-cert/${BUILD_ID_OUT}
+
+redxen.eu/daemons/prometheus/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/config.yaml
+
+# Mail
+redxen.eu/daemons/opendkim/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/trusted_hosts \
+	%/opendkim.conf \
+	redxen.eu/data/opendkim/${BUILD_ID_OUT}
+
+redxen.eu/daemons/rspamd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/config/
+
+redxen.eu/daemons/dovecot/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/automove.sieve \
+	%/dovecot.conf \
+	%/pgsql.conf \
+	redxen.eu/data/ca/${BUILD_ID_OUT} \
+	redxen.eu/data/postgres-cert/${BUILD_ID_OUT} \
+	redxen.eu/data/letsencrypt/${BUILD_ID_OUT}
+
+redxen.eu/daemons/postfix/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/main.cf \
+	%/master.cf \
+	%/pgsql-aliases.cf \
+	%/pgsql-users.cf \
+	redxen.eu/data/ca/${BUILD_ID_OUT} \
+	redxen.eu/data/postgres-cert/${BUILD_ID_OUT} \
+	redxen.eu/data/letsencrypt/${BUILD_ID_OUT}
+
+# Other
+redxen.eu/daemons/murmurd/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/murmur.ini \
+	%/secrets/mregpass \
+	redxen.eu/data/ca/${BUILD_ID_OUT} \
+	redxen.eu/data/postgres-cert/${BUILD_ID_OUT} \
+	redxen.eu/data/selfsigned/${BUILD_ID_OUT}
+
+# Services
+redxen.eu/services/tshock/terraria-rx/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/config.json \
+	%/motd.txt \
+	%/sscconfig.json \
+	%/bootstrap.sh \
+	redxen.eu/services/tshock/base/${BUILD_ID_OUT}
+
+redxen.eu/services/minecraft/minecraft-rx/${BUILD_ID_OUT}: %/${BUILD_ID_OUT} : \
+	%/config/ops.json \
+	%/config/server.properties \
+	%/config/server-icon.png \
+	redxen.eu/services/minecraft/spigot/${BUILD_ID_OUT}

redxen.eu/daemons/postgres/disable-hba-patcher.patch

@@ -0,0 +1,9 @@
+@@ -310,8 +257,6 @@
+ 
+ 		# only run initialization on an empty data directory
+ 		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+-			docker_verify_minimum_env
+-
+ 			# check dir permissions to reduce likelihood of half-initialized database
+ 			ls /docker-entrypoint-initdb.d/ > /dev/null
+ 

redxen.eu/data/dns/Containerfile

@@ -0,0 +1,36 @@
+FROM alpine:latest AS signer
+
+RUN --network=host apk add \
+	cmd:dnssec-signzone \
+	cmd:named-checkzone
+
+RUN mkdir -p /tmp/zones
+ADD redxen.eu /tmp/zones/redxen.eu
+RUN sed -i 's/CURRENTSOA/'"$(date +'%Y%m%d'01)"'/' /tmp/zones/redxen.eu
+
+# Add keys to zone
+RUN \
+	--mount=type=bind,from=redxen.eu/data/dnssec:latest,src=/redxen.eu,dst=/tmp/keys/redxen.eu \
+	cat /tmp/keys/redxen.eu/*.key | tee -a /tmp/zones/redxen.eu
+
+# Add OpenDKIM record to zone
+RUN \
+	--mount=type=bind,from=redxen.eu/data/opendkim:latest,src=/redxen.eu,dst=/tmp/opendkim/redxen.eu \
+	cat /tmp/opendkim/redxen.eu/*.txt | tee -a /tmp/zones/redxen.eu
+
+# Sign zone
+RUN \
+	--mount=type=bind,from=redxen.eu/data/dnssec:latest,src=/redxen.eu,dst=/tmp/keys/redxen.eu \
+	dnssec-signzone -t \
+		-K /tmp/keys/redxen.eu/ \
+		-o redxen.eu \
+		-f /tmp/zones/redxen.eu \
+		-e "+90d" \
+		/tmp/zones/redxen.eu
+
+# Verify zone after signing
+RUN named-checkzone redxen.eu /tmp/zones/redxen.eu
+
+# Copy back only signed zone
+FROM scratch
+COPY --from=signer /tmp/zones /dns-zones

redxen.eu/data/letsencrypt/ca.crt

@@ -0,0 +1,30 @@
+
+-----BEGIN CERTIFICATE-----
+MIIFBjCCAu6gAwIBAgIRAIp9PhPWLzDvI4a9KQdrNPgwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjQwMzEzMDAwMDAw
+WhcNMjcwMzEyMjM1OTU5WjAzMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDEMMAoGA1UEAxMDUjExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAuoe8XBsAOcvKCs3UZxD5ATylTqVhyybKUvsVAbe5KPUoHu0nsyQYOWcJ
+DAjs4DqwO3cOvfPlOVRBDE6uQdaZdN5R2+97/1i9qLcT9t4x1fJyyXJqC4N0lZxG
+AGQUmfOx2SLZzaiSqhwmej/+71gFewiVgdtxD4774zEJuwm+UE1fj5F2PVqdnoPy
+6cRms+EGZkNIGIBloDcYmpuEMpexsr3E+BUAnSeI++JjF5ZsmydnS8TbKF5pwnnw
+SVzgJFDhxLyhBax7QG0AtMJBP6dYuC/FXJuluwme8f7rsIU5/agK70XEeOtlKsLP
+Xzze41xNG/cLJyuqC0J3U095ah2H2QIDAQABo4H4MIH1MA4GA1UdDwEB/wQEAwIB
+hjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwEgYDVR0TAQH/BAgwBgEB
+/wIBADAdBgNVHQ4EFgQUxc9GpOr0w8B6bJXELbBeki8m47kwHwYDVR0jBBgwFoAU
+ebRZ5nu25eQBc4AIiMgaWPbpm24wMgYIKwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAC
+hhZodHRwOi8veDEuaS5sZW5jci5vcmcvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMCcG
+A1UdHwQgMB4wHKAaoBiGFmh0dHA6Ly94MS5jLmxlbmNyLm9yZy8wDQYJKoZIhvcN
+AQELBQADggIBAE7iiV0KAxyQOND1H/lxXPjDj7I3iHpvsCUf7b632IYGjukJhM1y
+v4Hz/MrPU0jtvfZpQtSlET41yBOykh0FX+ou1Nj4ScOt9ZmWnO8m2OG0JAtIIE38
+01S0qcYhyOE2G/93ZCkXufBL713qzXnQv5C/viOykNpKqUgxdKlEC+Hi9i2DcaR1
+e9KUwQUZRhy5j/PEdEglKg3l9dtD4tuTm7kZtB8v32oOjzHTYw+7KdzdZiw/sBtn
+UfhBPORNuay4pJxmY/WrhSMdzFO2q3Gu3MUBcdo27goYKjL9CTF8j/Zz55yctUoV
+aneCWs/ajUX+HypkBTA+c8LGDLnWO2NKq0YD/pnARkAnYGPfUDoHR9gVSp/qRx+Z
+WghiDLZsMwhN1zjtSC0uBWiugF3vTNzYIEFfaPG7Ws3jDrAMMYebQ95JQ+HIBD/R
+PBuHRTBpqKlyDnkSHDHYPiNX3adPoPAcgdF3H2/W0rmoswMWgTlLn1Wu0mrks7/q
+pdWfS6PJ1jty80r2VKsM/Dj3YIDfbjXKdaFU5C+8bhfJGqU3taKauuz0wHVGT3eo
+6FlWkWYtbt4pgdamlwVeZEW+LM7qZEJEsMNPrfC03APKmZsJgpWCDWOKZvkZcvjV
+uYkQ4omYCTX5ohy+knMjdOmdH9c7SpqEWBDC86fiNex+O0XOMEZSa8DA
+-----END CERTIFICATE-----

redxen.eu/data/letsencrypt/public.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE7zCCA9egAwIBAgISA9wIO523zACIjRt1WNOIq/1gMA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTEwHhcNMjQwNjIzMDcxNTEwWhcNMjQwOTIxMDcxNTA5WjAUMRIwEAYDVQQD
+EwlyZWR4ZW4uZXUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXg9Mp
+dmkGiCu9xqQTgNSaXXrBEpQr4xMPYPOLjfGJOHxu+8BnA2cNSWuL64/TAZs75yzF
+Ho+Zos2T9i93iIMdyirLiE+IQpRkkf6HjdHC/d0VGAMGaltavDQbgMbtUD4V5/Nm
+SvKi55WRiUAb0ctqwgK7tukI4HiR7ez/Y3Q6atCqJU9zZbfoJjv6CSYmVHH71Fif
+ig9HF+wUMvhhR+F0gFkjAdcPh4S2ilBEmgX0rwLl+msFLtSX2yVtMlKBvlnvf0bj
+COOEwyxn1bo5qUWIHDpSUQUIkl4v6TIntZHUKnr9LhWEQkrjOkE5B5T2Eaz1xz2Z
+LL5qkQ3tXaO04JxZAgMBAAGjggIaMIICFjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
+BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
+FP+Xg42YO9kovig2E+M9PUsGHosiMB8GA1UdIwQYMBaAFMXPRqTq9MPAemyVxC2w
+XpIvJuO5MFcGCCsGAQUFBwEBBEswSTAiBggrBgEFBQcwAYYWaHR0cDovL3IxMS5v
+LmxlbmNyLm9yZzAjBggrBgEFBQcwAoYXaHR0cDovL3IxMS5pLmxlbmNyLm9yZy8w
+IQYDVR0RBBowGIILKi5yZWR4ZW4uZXWCCXJlZHhlbi5ldTATBgNVHSAEDDAKMAgG
+BmeBDAECATCCAQQGCisGAQQB1nkCBAIEgfUEgfIA8AB2AEiw42vapkc0D+VqAvqd
+MOscUgHLVt0sgdm7v6s52IRzAAABkEQp1BMAAAQDAEcwRQIhALYLjsfbpfNTJTSB
+e4m3lETv3TCWDSZimMVQJs5BFlY+AiBOCFHIja+O+A5snx0pZvSdHgA9RuPGN5d6
+ddO/OwS+lwB2AD8XS0/XIkdYlB1lHIS+DRLtkDd/H4Vq68G/KIXs+GRuAAABkEQp
+1BEAAAQDAEcwRQIgFaQQBaUZ55MMT59f6WgzYdYxglJ9+DtoA+jG6iSnz1gCIQCH
+lxRR+yPkGGEkZNj11r3F6mlFfAgERLje1561Snjg3TANBgkqhkiG9w0BAQsFAAOC
+AQEAPzm70djhcgCfXiFUY7JlIKJ4/vim96u8kKGGW+kCfqheQEWmJluvtexk2qsp
+ErkPbfmQDPKIdMiCAg8vHA+4k5R4o4iHEuAIx0RTBVrBtCXS83hHfsbKWGUNQ8eL
+PG8qZV864nxWcCcSA+La4s8QxN7DRbDDQahC6UtEwuUNSYuKmebML59BYSNvfCza
+nrBnImMfCxf25NMIVj7sTLcRg+Vt/pWtUZzDntPvbNT3J3LTQZ+JPWWXYLMWL9bs
+rd82gPAGKVGN4bUs3ozzJ0tw0hGZHRG0JOQE1HhMw33q2zbXVIOl8QNW+ZkATTXQ
+Ublvn282tiFyeVXQXWI4mlubXw==
+-----END CERTIFICATE-----

redxen.eu/data/postgres-cert/Containerfile

@@ -0,0 +1,36 @@
+FROM alpine:latest as generator
+
+RUN --network=host apk add \
+	cmd:openssl
+
+ADD x509v3_config /tmp/x509v3_config
+
+RUN mkdir -p "/redxen.eu/certs"
+RUN mkdir -p "/redxen.eu/keys"
+
+WORKDIR "/redxen.eu"
+
+ADD gen-cert.sh /tmp/gen-cert.sh
+
+# Server
+RUN \
+	--mount=type=bind,from=redxen.eu/data/ca:latest,src=/redxen.eu,dst=/ca \
+	/tmp/gen-cert.sh postgres
+
+# Roles
+RUN \
+	--mount=type=bind,from=redxen.eu/data/ca:latest,src=/redxen.eu,dst=/ca \
+	/tmp/gen-cert.sh murmur
+RUN \
+	--mount=type=bind,from=redxen.eu/data/ca:latest,src=/redxen.eu,dst=/ca \
+	/tmp/gen-cert.sh dovecot
+RUN \
+	--mount=type=bind,from=redxen.eu/data/ca:latest,src=/redxen.eu,dst=/ca \
+	/tmp/gen-cert.sh postfix
+RUN \
+	--mount=type=bind,from=redxen.eu/data/ca:latest,src=/redxen.eu,dst=/ca \
+	/tmp/gen-cert.sh grafana
+
+FROM scratch
+
+COPY --from=generator "/redxen.eu" "/redxen.eu"

redxen.eu/data/postgres-cert/gen-cert.sh

@@ -20,7 +20,6 @@ if [ -z "$ALTNAME" ]; then
 		-extfile <(cat /tmp/x509v3_config) \
 		-CA /ca/certs/ca.crt \
 		-CAkey /ca/keys/ca.key \
-		-CAcreateserial \
 		-out certs/"$CN".crt
 else
 	openssl x509 \
@@ -30,8 +29,9 @@ else
 		-extfile <(cat /tmp/x509v3_config <(echo "subjectAltName=$ALTNAME")) \
 		-CA /ca/certs/ca.crt \
 		-CAkey /ca/keys/ca.key \
-		-CAcreateserial \
 		-out certs/"$CN".crt
+		#-CAcreateserial \
+		#-CAserial /tmp/discard.srl \
 fi
 
 openssl x509 \

redxen.eu/data/selfsigned/Containerfile

@@ -0,0 +1,25 @@
+FROM alpine:latest as generator
+
+RUN --network=host apk add \
+	cmd:openssl
+
+ADD x509v3_config /tmp/x509v3_config
+
+RUN mkdir -p "/redxen.eu/certs"
+RUN mkdir -p "/redxen.eu/keys"
+
+WORKDIR "/redxen.eu"
+
+ADD gen-cert.sh /tmp/gen-cert.sh
+
+RUN \
+	--mount=type=bind,from=redxen.eu/data/ca:latest,src=/redxen.eu,dst=/ca \
+	/tmp/gen-cert.sh mumble "DNS: mumble.redxen.eu"
+
+RUN \
+	--mount=type=bind,from=redxen.eu/data/ca:latest,src=/redxen.eu,dst=/ca \
+	/tmp/gen-cert.sh etcd "IP: 0:0:0:0:0:0:0:1, IP: 127.0.0.1, DNS: localhost" # I hate i cannot use compressor here but it is what it is
+
+FROM scratch
+
+COPY --from=generator "/redxen.eu" "/redxen.eu"

redxen.eu/data/selfsigned/gen-cert.sh

@@ -20,7 +20,6 @@ if [ -z "$ALTNAME" ]; then
 		-extfile <(cat /tmp/x509v3_config) \
 		-CA /ca/certs/ca.crt \
 		-CAkey /ca/keys/ca.key \
-		-CAcreateserial \
 		-out certs/"$CN".crt
 else
 	openssl x509 \
@@ -30,7 +29,6 @@ else
 		-extfile <(cat /tmp/x509v3_config <(echo "subjectAltName=$ALTNAME")) \
 		-CA /ca/certs/ca.crt \
 		-CAkey /ca/keys/ca.key \
-		-CAcreateserial \
 		-out certs/"$CN".crt
 fi