From 7cf82d660a319f0949eac3599ac7b5853ed7647f Mon Sep 17 00:00:00 2001
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
Date: Sun, 10 Nov 2024 13:38:49 +1300
Subject: [PATCH] docs: Revise quadlet config snippet
- Revised the inline commentary.
- Volume base path adjusted. Timezone volume swapped with equivalent feature supported by podman.
- Container name and volume paths using `%N` systemd specifier to refer to the config file name without the `.container` extension.
- Added note about interface name in rootless context.
---
 docs/content/config/advanced/podman.md | 43 +++++++++++++++++++-------
 1 file changed, 32 insertions(+), 11 deletions(-)
diff --git a/docs/content/config/advanced/podman.md b/docs/content/config/advanced/podman.md
index a04183d9..ce14158b 100644
--- a/docs/content/config/advanced/podman.md
+++ b/docs/content/config/advanced/podman.md
@@ -133,12 +133,19 @@ Documentation=https://docker-mailserver.github.io/docker-mailserver/latest
 [Service]
 Restart=always
+# Optional - This will run before the container starts:
+# - It ensures all the DMS volumes have the host directories created for you.
+# - For `mkdir` command to leverage the shell brace expansion syntax, you need to run it via bash.
+ExecStartPre=/usr/bin/bash -c 'mkdir -p %h/volumes/%N/{mail-data,mail-state,mail-logs,config}'
+# This section enables the service at generation, avoids requiring `systemctl --user enable dms`:
+# - `multi-user.target` => root
+# - `default.target` => rootless
 [Install]
 WantedBy=default.target
 [Container]
-ContainerName=dms
+ContainerName=%N
 HostName=mail.example.com
 Image=docker.io/mailserver/docker-mailserver:latest
@@ -152,19 +159,33 @@ PublishPort=143:143
 PublishPort=587:587
 PublishPort=993:993
-# Volumes (Add `:Z` to avoid permission errors if your host has SELinux present)
-Volume=%h/containers/dms/mail-data:/var/mail
-Volume=%h/containers/dms/mail-state:/var/mail-state
-Volume=%h/containers/dms/mail-logs:/var/log/mail
-Volume=%h/containers/dms/config:/tmp/docker-mailserver
-Volume=%h/containers/certbot/certs:/etc/letsencrypt
-Volume=/etc/localtime:/etc/localtime:ro
+# Volumes (Base location example: `%h/volumes/%N` => `~/volumes/dms`)
+# NOTE: If your host has SELinux enabled, avoid permission errors by appending the mount option `:Z`.
+Volume=%h/volumes/%N/mail-data:/var/mail
+Volume=%h/volumes/%N/mail-state:/var/mail-state
+Volume=%h/volumes/%N/mail-logs:/var/log/mail
+Volume=%h/volumes/%N/config:/tmp/docker-mailserver
+# Optional - Additional mounts:
+# NOTE: For SELinux, when using the `z` or `Z` mount options:
+# Take caution if choosing a host location not belonging to your user. Consider using `SecurityLabelDisable=true` instead.
+# https://docs.podman.io/en/latest/markdown/podman-run.1.html#volume-v-source-volume-host-dir-container-dir-options
+Volume=%h/volumes/certbot/certs:/etc/letsencrypt:ro
-# If you want to use podmans auto-update service:
-AutoUpdate=registry
+# Podman can create a timer (defaults to daily at midnight) to check the `registry` or `local` storage for detecting if the
+# image tag points to a new digest, if so it updates the image and restarts the service (similar to `containrrr/watchtower`):
+# https://docs.podman.io/en/latest/markdown/podman-auto-update.1.html
+AutoUpdate=registry
+
+# Podman Quadlet has a better alternative instead of a volume directly bind mounting `/etc/localtime` to match the host TZ:
+# https://docs.podman.io/en/latest/markdown/podman-run.1.html#tz-timezone
+# NOTE: Should the host modify the system TZ, neither approach will sync the change to the `/etc/localtime` inside the running container.
+Timezone=local
-# Environment variables
 Environment=SSL_TYPE=letsencrypt
+# NOTE: You may need to adjust the default `NETWORK_INTERFACE`:
+# https://docker-mailserver.github.io/docker-mailserver/latest/config/environment/#network_interface
+#Environment=NETWORK_INTERFACE=enp1s0
+#Environment=NETWORK_INTERFACE=tap0
 ```
 Stopping the service with systemd will result in the container being removed. Restarting will use the existing container, which is however not recommended. You do not need to enable services with Quadlet.