-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
bc14d08
commit dfb634a
Showing
19 changed files
with
772 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
name: Build Ostree Container Image | ||
|
||
# This workflow uses actions that are not certified by GitHub. | ||
# They are provided by a third-party and are governed by | ||
# separate terms of service, privacy policy, and support | ||
# documentation. | ||
|
||
on: | ||
schedule: | ||
- cron: '00 9 * * 1' | ||
push: | ||
branches: [ '*' ] | ||
|
||
env: | ||
# Use docker.io for Docker Hub if empty | ||
REGISTRY: ghcr.io | ||
# github.repository as <account>/<repo> | ||
IMAGE_NAME: ${{ github.repository }} | ||
|
||
jobs: | ||
build: | ||
runs-on: ubuntu-latest | ||
container: | ||
image: fedora:latest | ||
options: --privileged | ||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@v3 | ||
|
||
- name: Build | ||
env: | ||
registry: ${{ env.REGISTRY }} | ||
username: ${{ github.actor }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
image: ${{ env.IMAGE_NAME }} | ||
tag: ${{ github.ref_name }} | ||
composefile: server.yaml | ||
run: | | ||
dnf -y install rpm-ostree skopeo selinux-policy-targeted --enablerepo=updates-testing | ||
skopeo login -u $username -p $password $registry | ||
mkdir -p repo cache | ||
ostree init --repo=repo --mode=archive | ||
rpm-ostree compose image --initialize-mode=if-not-exists \ | ||
--format registry --layer-repo repo --cachedir=cache \ | ||
$composefile \ | ||
$registry/$image:$tag | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
(block adguardhome | ||
(blockinherit container) | ||
(blockinherit restricted_net_container) | ||
(allow process process ( capability ( net_bind_service ))) | ||
|
||
(allow process dns_port_t ( tcp_socket ( name_bind ))) | ||
(allow process dns_port_t ( udp_socket ( name_bind ))) | ||
(allow process dhcpd_port_t ( udp_socket ( name_bind ))) | ||
(allow process dhcpc_port_t ( udp_socket ( name_bind ))) | ||
(allow process http_port_t ( tcp_socket ( name_bind ))) | ||
(allow process http_port_t ( tcp_socket ( name_bind ))) | ||
(allow process reserved_port_t ( udp_socket ( name_bind ))) | ||
(allow process hi_reserved_port_t ( udp_socket ( name_bind ))) | ||
(allow process ntop_port_t ( tcp_socket ( name_bind ))) | ||
(allow process ntop_port_t ( udp_socket ( name_bind ))) | ||
(allow process unreserved_port_t ( tcp_socket ( name_bind ))) | ||
(allow process unreserved_port_t ( udp_socket ( name_bind ))) | ||
|
||
(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg ))) | ||
(allow process port_type ( udp_socket ( recv_msg send_msg ))) | ||
|
||
(allow process cert_t ( dir ( watch getattr open read search ))) | ||
(allow process cert_t ( file ( watch getattr open read ))) | ||
(allow process cert_t ( lnk_file ( read ))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
(block cloudflare_with_socket_access | ||
(blockinherit container) | ||
(blockinherit net_container) | ||
|
||
(allow process node_t ( icmp_socket ( node_bind ))) | ||
|
||
(allow process var_run_t ( sock_file ( write ))) | ||
(allow process comiclib.process ( unix_stream_socket ( connectto ))) | ||
(allow process cockpit_ws_t ( unix_stream_socket ( connectto ))) | ||
(allow process container_caddy.process ( unix_stream_socket ( connectto ))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
(block comiclib | ||
(blockinherit container) | ||
|
||
(allow process user_home_t ( dir ( watch getattr ioctl lock open read search ))) | ||
(allow process user_home_t ( file ( watch getattr ioctl lock open read ))) | ||
|
||
(dontaudit process node_t ( tcp_socket ( node_bind ) ) ) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
(block container_alist | ||
(blockinherit container) | ||
(blockinherit restricted_net_container) | ||
|
||
(allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) | ||
(allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write ))) | ||
|
||
(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg ))) | ||
(allow process port_type ( udp_socket ( recv_msg send_msg ))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
(block container_caddy | ||
(blockinherit container) | ||
(blockinherit net_container) | ||
(allow process process ( capability ( net_bind_service ))) | ||
|
||
(allow process var_run_t ( sock_file ( write ))) | ||
(allow process cockpit_ws_t ( unix_stream_socket ( connectto ))) | ||
(allow process container_alist.process ( unix_stream_socket ( connectto ))) | ||
(allow process comiclib.process ( unix_stream_socket ( connectto ))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
(block container_hath | ||
(blockinherit container) | ||
(blockinherit restricted_net_container) | ||
(allow process process ( capability ( net_bind_service ))) | ||
|
||
(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg ))) | ||
(allow process port_type ( udp_socket ( recv_msg send_msg ))) | ||
|
||
(allow process http_port_t ( tcp_socket ( name_bind ))) | ||
|
||
(allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) | ||
(allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write ))) | ||
|
||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
(block container_jellyfin | ||
(blockinherit container) | ||
(blockinherit net_container) | ||
|
||
(allow process user_home_t ( dir ( watch getattr ioctl lock open read search ))) | ||
(allow process user_home_t ( file ( watch getattr ioctl lock open read ))) | ||
|
||
(allow process tmpfs_t (file (execute map))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
(block container_rohome_allbind | ||
(blockinherit container) | ||
(blockinherit net_container) | ||
|
||
(allow process user_home_t ( dir ( watch getattr ioctl lock open read search ))) | ||
(allow process user_home_t ( file ( watch getattr ioctl lock open read ))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
(block container_rwhome_allbind | ||
(blockinherit container) | ||
(blockinherit net_container) | ||
|
||
(allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write ))) | ||
(allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write ))) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
(block container_wireguard | ||
(blockinherit container) | ||
(allow process process ( capability ( net_admin ))) | ||
|
||
(allow process container_wireguard.process ( netlink_route_socket ( nlmsg_write ))) | ||
|
||
(dontaudit process cgroup_t (dir (write) )) | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
[containers] | ||
userns = "auto" | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
{ | ||
"name": "podman", | ||
"id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9", | ||
"driver": "bridge", | ||
"network_interface": "podman0", | ||
"created": "2022-08-27T13:25:16.808341191+08:00", | ||
"subnets": [ | ||
{ | ||
"subnet": "10.88.0.0/16", | ||
"gateway": "10.88.0.1" | ||
}, | ||
{ | ||
"subnet": "fccc::/64", | ||
"gateway": "fccc::1" | ||
} | ||
], | ||
"ipv6_enabled": true, | ||
"internal": false, | ||
"dns_enabled": true, | ||
"ipam_options": { | ||
"driver": "host-local" | ||
} | ||
} |
Oops, something went wrong.