Nicola Sella
morla@morla
morla@morla
morla@morla
Requirements | Portainer |
---|---|
Easy installation | Portainer is easy to install on some systems |
Rootless | Only supports Docker (at least some time ago) |
Not GUI dependent | Heavily dependent on GUI |
---
services:
piwigo:
image: lscr.io/linuxserver/piwigo:latest
container_name: piwigo
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
volumes:
- /path/to/piwigo/config:/config
- /path/to/appdata/gallery:/gallery
ports:
- 80:80
restart: unless-stopped
[morla@morla ~]$ ls -ld ~/Config/Piwigo
drwxr-xr-x. 7 100998 100998 83 Feb 9 2023 ~/Piwigo
This is what I'd like to see:
[morla@morla ~]$ ls -ld ~/Config/Piwigo
drwxr-xr-x. 7 morla morla 83 Feb 9 2023 ~/Piwigo
[morla@morla ~]$ touch ~/Config/Piwigo/test
touch: cannot touch '/home/morla/Config/Piwigo/test': Permission denied
[morla@morla ~]$ podman unshare
[root@morla ~]# touch ~/Config/Piwigo/test
[root@morla ~]# ^D
exit
[morla@morla ~]$ ls -l ~/Config/Piwigo
total 0
drwxr-xr-x. 2 100998 100998 38 Feb 9 2023 keys
drwxr-xr-x. 4 100998 100998 54 Jun 5 2023 log
drwxrwxr-x. 3 100998 100998 176 May 28 2023 nginx
drwxr-xr-x. 2 100998 100998 44 Feb 9 2023 php
drwxr-xr-x. 8 100998 100998 121 Feb 9 2023 www
-rw-r--r--. 1 morla morla 0 Jan 30 15:27 test
Root Outside | User Outside | |
---|---|---|
Root Inside |
# whoami
root
# podman run -it fedora whoami
root
|
$ whoami
morla
$ podman run -it fedora whoami
root
|
User Inside |
# whoami
root
# podman run -itu sync fedora whoami
sync
|
$ whoami
morla
$ podman run -itu sync fedora whoami
sync
|
User Outside | |
---|---|
Root Inside |
$ id
uid=1000(morla) ...
$ podman run -id fedora bash
6175d5d...
$ podman top --latest huser user
HUSER USER
1000 root
|
User Inside |
$ id
uid=1000(morla) ...
$ podman run -idu sync fedora bash
3103607...
$ podman top --latest huser user
HUSER USER
100998 sync
|
$ podman run \
--uidmap=$uid:0:1 \
--uidmap=0:1:$uid \
--uidmap $(($uid+1)):$(($uid+1)):$(($subuidSize-$uid))
podman run --uidmap=
podman run --uidmap=
$uid
0
1
podman run --uidmap
0
1
$uid
podman run --uidmap
1
$uid
0
podman run --uidmap
$uid+1
$uid+1
$sSize-$uid
$ podman run \
--uidmap=911:0:1 \
--uidmap=0:1:911 \
--uidmap:912:912:64625
$ podman exec -it morla-piwigo cat /proc/self/uid_map
911 0 1
0 1 911
912 912 64625
drwxr-xr-x. 7 morla morla 83 Feb 9 2023 Piwigo
drwxr-xr-x. 4 morla morla 52 Feb 9 2023 PiwigoDB
--userns keep-id:uid=$uid,gid=$gid
Requirements | Solution |
---|---|
Easy installation | ... |
Rootless | Podman |
Not GUI dependent | ... |
roles/morla-piwigo/
├── defaults
│ └── main.yml
└── tasks
├── destroy_piwigo.yml
├── init_flag.yml
├── init.yml
├── main.yml
├── pull_piwigo.yml
└── setup_piwigo.yml
---
# SPDX-FileCopyrightText: Nicola Sella
#
# SPDX-License-Identifier: GPL-3.0-or-later
# configuration file for piwigo
morla_piwigo_enabled: false
morla_piwigo_flag_public: true
morla_piwigo_flag_autostart: true
morla_piwigo_flag_wireguard: true
morla_piwigo_flag_firewall: true # replace with if port list non empty
# Name
morla_piwigo_long_name: Piwigo
morla_piwigo_short_name: piwigo
morla_piwigo_container_short_name: '{{ morla_piwigo_short_name }}'
morla_piwigo_container_name: '{{ morla_user_username }}-{{ morla_piwigo_container_short_name }}'
morla_piwigo_public_url: '{{ morla_piwigo_short_name }}.{{ morla_public_url }}'
morla_piwigo_pod_name: '{{ morla_piwigo_container_name }}-pod'
morla_piwigo_container_image_base: lscr.io/linuxserver/piwigo
morla_piwigo_container_image_tag: latest
morla_piwigo_container_image: '{{ morla_piwigo_container_image_base }}:{{ morla_piwigo_container_image_tag }}'
# Networking
morla_piwigo_reverse_proxy_port: '5050'
morla_piwigo_exposed_proxy_port: '80'
# Networking/Firewall
morla_piwigo_fw_ports:
tcp:
- '{{ morla_piwigo_reverse_proxy_port }}'
udp:
# Networking/Port Forwarding
morla_piwigo_ports:
- '{{ morla_piwigo_reverse_proxy_port }}:{{ morla_piwigo_exposed_proxy_port }}'
# Storage/Host
morla_piwigo_config_dir: '{{ morla_config_dir }}/{{ morla_piwigo_long_name }}'
# Storage/Mount
morla_piwigo_volumes:
- '{{ morla_piwigo_config_dir }}:/config:Z'
- '{{ morla_media_dir }}/pictures/Piwigo:/gallery:z'
# Labels/Traefik
morla_piwigo_labels:
traefik.enable: '{{ morla_piwigo_flag_public }}'
traefik.http.services.piwigo.loadbalancer.server.port: '{{ morla_piwigo_exposed_proxy_port }}'
traefik.http.routers.piwigo.tls: true
traefik.http.routers.piwigo.rule: Host(`{{ morla_piwigo_public_url }}`)
traefik.http.routers.piwigo.entrypoints: websecure
traefik.http.routers.piwigo.tls.certresolver: myresolver
# DB
# Name
morla_piwigo_db_long_name: PiwigoDB
morla_piwigo_db_short_name: piwigo-db
morla_piwigo_db_container_short_name: '{{ morla_piwigo_db_short_name }}'
morla_piwigo_db_container_name: '{{ morla_user_username }}-{{ morla_piwigo_db_container_short_name }}'
morla_piwigo_db_container_image_base: lscr.io/linuxserver/mariadb
morla_piwigo_db_container_image_tag: 10.6.10
morla_piwigo_db_container_image: '{{ morla_piwigo_db_container_image_base }}:{{ morla_piwigo_db_container_image_tag }}'
# Environment
morla_piwigo_db_env_mysql_user: piwigo
morla_piwigo_db_env_mysql_password: '{{ morla_piwigo_db_password }}'
morla_piwigo_db_env_mysql_database: piwigo-db
morla_piwigo_db_env_mysql_random_root_password: true
# Storage/Host
morla_piwigo_db_config_dir: '{{ morla_config_dir }}/{{ morla_piwigo_db_long_name }}'
# Storage/Mount
morla_piwigo_db_volumes:
- '{{ morla_piwigo_db_config_dir }}:/config:Z'
roles/morla-piwigo/
├── defaults
│ └── main.yml
└── tasks
├── destroy_piwigo.yml
├── init_flag.yml
├── init.yml
├── main.yml
├── pull_piwigo.yml
└── setup_piwigo.yml
---
- name: Create config directory
ansible.builtin.file:
path: '{{ morla_piwigo_config_dir }}'
state: directory
owner: '{{ morla_user_username }}'
group: '{{ morla_user_groupname }}'
when: not check_piwigo_config_dir.stat.exists
- name: Create DB config directory
ansible.builtin.file:
path: '{{ morla_piwigo_db_config_dir }}'
state: directory
owner: '{{ morla_user_username }}'
group: '{{ morla_user_groupname }}'
when: not check_piwigo_db_config_dir.stat.exists
- name: Create pod
containers.podman.podman_pod:
name: '{{ morla_piwigo_pod_name }}'
network: morla-wireguard-network
ports: '{{ morla_piwigo_ports }}'
label: '{{ morla_piwigo_labels }}'
uidmap:
- '{{ morla_fake_puid }}:0:1'
- 0:1:{{ morla_fake_puid }}
- '{{ morla_fake_puid + 1 }}:{{ morla_fake_puid + 1 }}:{{ morla_subuid_size - morla_fake_puid }}'
gidmap:
- '{{ morla_fake_pgid }}:0:1'
- 0:1:{{ morla_fake_pgid }}
- '{{ morla_fake_pgid + 1 }}:{{ morla_fake_pgid + 1 }}:{{ morla_subgid_size - morla_fake_pgid }}'
generate_systemd:
path: '{{ morla_home_config_systemd_dir }}'
restart_policy: always
names: true
pod_prefix: '{{ morla_systemd_service_pod_prefix }}'
state: started
- name: Create container
containers.podman.podman_container:
name: '{{ morla_piwigo_container_name }}'
image: '{{ morla_piwigo_container_image}}'
pod: '{{ morla_piwigo_pod_name }}'
volumes: '{{ morla_piwigo_volumes }}'
env:
PUID: '{{ morla_fake_puid }}'
PGID: '{{ morla_fake_pgid }}'
TZ: '{{ morla_tz }}'
state: started
- name: Create Database
containers.podman.podman_container:
name: '{{ morla_piwigo_db_container_name }}'
image: '{{ morla_piwigo_db_container_image }}'
pod: '{{ morla_piwigo_pod_name }}'
network: container:morla-piwigo
volumes: '{{ morla_piwigo_db_volumes }}'
env:
PUID: '{{ morla_fake_puid }}'
PGID: '{{ morla_fake_pgid }}'
TZ: '{{ morla_tz }}'
MYSQL_USER: '{{ morla_piwigo_db_env_mysql_user }}'
MYSQL_PASSWORD: '{{ morla_piwigo_db_env_mysql_password }}'
MYSQL_DATABASE: '{{ morla_piwigo_db_env_mysql_database }}'
MYSQL_RANDOM_ROOT_PASSWORD: '{{ morla_piwigo_db_env_mysql_random_root_password }}'
state: started
# inventory/vars.yml
# enabled services
morla_coredns_enabled: true
morla_discord_soundboard_bot_enabled: true
morla_filebrowser_enabled: true
morla_gandi_ddns_enabled: true
morla_ipfs_enabled: true
morla_jellyfin_enabled: true
morla_lidarr_enabled: true
morla_navidrome_enabled: true
morla_piwigo_enabled: true
morla_prowlarr_enabled: true
morla_pyload_ng_enabled: true
morla_qbittorrent_enabled: true
morla_radarr_enabled: true
morla_readarr_enabled: true
morla_sonarr_enabled: true
morla_syncthing_enabled: true
morla_transfersh_enabled: true
morla_wireguard_enabled: true
morla_wordpress_enabled: true
# run the whole setup
ansible-playbook server.yml -K
# run only some tags
ansible-playbook server.yml \
--tags=setup-nginx,setup-firewall,setup-systemd -K
Requirements | Solution |
---|---|
Easy installation | Ansible |
Rootless | Podman |
Not GUI dependent | Well... |
man podman-run