infrastructure for woodbine's online presence
Latest commit: Jonathan Dahan, ea3c4d9016, "Move env to template" (2 years ago)

readme.md

community services for woodbine.nyc

Experiment in digital autonomy

Latest code is hosted on https://git.woodbine.nyc/micro/woodbine.nyc

In general, everything is orchestrated by the compose files.

Sometimes you will see a -setup service in a compose file. It usually runs a script that checks for or generates the secrets a service needs, and performs initial configuration if needed.

Goals

We hope this is understandable by a single individual, after learning a bit about docker compose and caddy.

setup

Make a Backblaze B2 account for backups. Add its secrets to ./secrets/backup/.

Fill out env.template and make sure to pass the resulting file in the next command.
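The -setup services described above check for or generate secrets before the main service starts. The following script is an added example of that pattern (not code from this repository); the secret names and the ./secrets/<service>/<name> layout are assumptions for illustration.

```sh
#!/bin/sh
# Hypothetical secrets setup, modelled on the "-setup" services this readme
# describes. Assumes one secret per file under ./secrets/<service>/.
set -eu

# Generate a random secret into $1 (length in bytes in $2) only if it does not
# already exist, so re-running setup never rotates a secret by accident.
ensure_secret() {
    path=$1
    length=${2:-32}
    if [ -s "$path" ]; then
        echo "ok: $path already exists"
        return 0
    fi
    # umask 077: the directory and file are readable by this user only
    umask 077
    mkdir -p "$(dirname "$path")"
    # base64 without padding or newlines so the value is safe in an env var
    head -c "$length" /dev/urandom | base64 | tr -d '\n=' > "$path"
    chmod 600 "$path"
    echo "generated: $path"
}

# Verify a required secret exists and is not readable by other users.
check_secret() {
    path=$1
    [ -s "$path" ] || { echo "missing: $path" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case $mode in
        600|400) return 0 ;;
        *) echo "bad permissions ($mode): $path" >&2; return 1 ;;
    esac
}

# Entry point: $1 is the secrets directory (default ./secrets).
setup_secrets() {
    dir=${1:-./secrets}
    ensure_secret "$dir/authelia/jwt_secret" 64
    ensure_secret "$dir/authelia/session_secret" 64
    ensure_secret "$dir/postgres/password" 32
    for f in authelia/jwt_secret authelia/session_secret postgres/password; do
        check_secret "$dir/$f"
    done
}
```

Run it as `setup_secrets ./secrets` before bringing the stack up; it exits non-zero if a secret is missing or left readable by other users.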

running

To enable additional services, add their compose files to the following command:

podman compose --env-file env.production \
  --file services/secrets.yaml \
  --file services/backup.yaml \
  --file services/smtp.yaml \
  --file services/caddy.yaml \
  --file services/authelia.yaml \
  --file services/web.yaml \
  up --build --abort-on-container-exit

port forwarding

The caddy service expects to be able to bind to ports 80 and 443.

One simple way to allow this without running caddy as root is to let unprivileged users bind these low ports:

# persist the setting across reboots
echo 'net.ipv4.ip_unprivileged_port_start=80' | sudo tee -a /etc/sysctl.conf
# apply it to the running kernel now
sudo sysctl -w net.ipv4.ip_unprivileged_port_start=80

alpha

  • [~] single sign-on (authelia)
    • per-user webdav folders via authelia
    • any OIDC service setup
  • [~] file backup (duplicity)
  • postgres backup (duplicity)
  • decide on single postgres instance or multiple
  • reverse proxy (caddy)
  • personal home pages (caddy-webdav)
  • migrate from yaml to env for authelia config
  • setup notifications via smtp

beta

  • file restore
  • postgres restore
  • wiki
  • matrix server (dendrite)
  • mail server (stalwart or maddy)
  • mailing list (listmonk)
  • code forge (gitea or forgejo)

0.1

  • only expose 443, 587, 993
  • running on betabasement-woodbine.nyc
  • audit on secrets management
  • audit on mail server
  • audit on general architecture

credits

thank you https://hackerspace.zone