Initial commit

files/add-secrets.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -o errexit -o pipefail -o noclobber -o nounset -o errtrace -o functrace
+
+file="$1"
+if [[ ! -f "${file}" ]]; then
+  echo "File ${file} does not exist"
+  exit 1
+fi
+
+while read -r line; do
+  secret="${line%%=*}"
+  value="${line#*=}"
+  echo "Adding secret ${secret}"
+  printf '%s' "${value}" | podman secret create "${secret}" -
+done < "${file}"
+rm -f "${file}"

files/copy-music.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Copies the music from Nextcloud to Navidrome
+
+[Service]
+Type=oneshot
+ExecStart=/root/scripts/copy-music.sh
+
+[Install]
+WantedBy=multi-user.target

files/copy-music.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Timer for the copy-music service
+
+[Timer]
+OnCalendar=12:00:00
+OnCalendar=20:00:00
+Persistent=true
+Unit=copy-music.service
+
+[Install]
+WantedBy=timers.target

files/install-additional-packages.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Layer packages with rpm-ostree
+Wants=network-online.target
+After=network-online.target
+# We run before `zincati.service` to avoid conflicting rpm-ostree
+# transactions.
+Before=zincati.service
+ConditionPathExists=!/var/lib/additional-packages.stamp
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+# `--allow-inactive` ensures that rpm-ostree does not return an error
+# if the package is already installed. This is useful if the package is
+# added to the root image in a future Fedora CoreOS release as it will
+# prevent the service from failing.
+ExecStart=/usr/bin/rpm-ostree install -y --allow-inactive firewalld fail2ban fail2ban-firewalld setroubleshoot-server setools
+ExecStart=/bin/touch /var/lib/additional-packages.stamp
+ExecStart=/bin/systemctl enable configure-firewalld.service enable-all-quadlets.service move-downloads-nextcloud.timer copy-music.timer
+ExecStart=semanage fcontext -a -t bin_t "/var/opt/bin(/.*)?"
+ExecStart=semanage fcontext -a -t bin_t "/root/scripts(/.*)?"
+ExecStart=restorecon -vR /var/opt/bin
+ExecStart=restorecon -vR /root/scripts
+ExecStart=/bin/systemctl --no-block reboot
+
+[Install]
+WantedBy=multi-user.target

files/jail.local

@@ -0,0 +1,9 @@
+[DEFAULT]
+banaction = firewallcmd-rich-rules[actiontype=]
+banaction_allports = firewallcmd-rich-rules[actiontype=]
+bantime = 1h
+bantime.multipliers = 1 5 30 60 300 720 1440 2880
+ignoreip = 127.0.0.1/8 ::1
+
+[sshd]
+enabled = true

files/move-downloads-nextcloud.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Move the completed torrents and jdownloader downloads to nextcloud
+
+[Service]
+Type=oneshot
+ExecStart=/root/scripts/move-downloads-nextcloud.sh
+
+[Install]
+WantedBy=multi-user.target

files/move-downloads-nextcloud.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Timer for the move-downloads-nextcloud service
+
+[Timer]
+OnCalendar=12:00:00
+OnCalendar=20:00:00
+Persistent=true
+Unit=move-downloads-nextcloud.service
+
+[Install]
+WantedBy=timers.target

files/poweroff

@@ -0,0 +1 @@
+homeassistant ALL=(ALL) NOPASSWD: /sbin/poweroff, /sbin/reboot, /sbin/shutdown

files/smartd.conf

@@ -0,0 +1,2 @@
+/dev/disk/by-id/ata-WDC_WD120EFBX-68B0EN0_5QKYB19B -a -o on -S on -n standby,q -s (S/../.././12|L/../01/./08) -W 4,45,60 -m tga
+/dev/disk/by-id/ata-WDC_WD120EFGX-68CPHN0_WD-B00K2ELD -a -o on -S on -n standby,q -s (S/../.././12|L/../01/./08) -W 4,45,60 -m tga

files/sshd_config

@@ -0,0 +1,2 @@
+PasswordAuthentication no
+AllowUsers tga homeassistant git