From b4b55f149cc7964e9ed29dea43dd95fbd0d2ef06 Mon Sep 17 00:00:00 2001
From: urfin00djuce
Date: Tue, 10 Sep 2024 17:44:59 +0300
Subject: [PATCH] Add podman-systemd support

---
README.md | 65 +++++++++++++++++++++++++++
podman-systemd/certs.volume | 2 +
podman-systemd/conf.volume | 2 +
podman-systemd/db.container | 26 +++++++++++
podman-systemd/files.volume | 2 +
podman-systemd/gpg.volume | 2 +
podman-systemd/logs.volume | 2 +
podman-systemd/mail.container | 15 +++++++
podman-systemd/misp-core.container | 35 +++++++++++++++
podman-systemd/misp-modules.container | 19 ++++++++
podman-systemd/misp-net.network | 3 ++
podman-systemd/mysql_data.volume | 2 +
podman-systemd/redis.container | 26 +++++++++++
podman-systemd/redis_data.volume | 2 +
14 files changed, 203 insertions(+)
create mode 100644 podman-systemd/certs.volume
create mode 100644 podman-systemd/conf.volume
create mode 100644 podman-systemd/db.container
create mode 100644 podman-systemd/files.volume
create mode 100644 podman-systemd/gpg.volume
create mode 100644 podman-systemd/logs.volume
create mode 100644 podman-systemd/mail.container
create mode 100644 podman-systemd/misp-core.container
create mode 100644 podman-systemd/misp-modules.container
create mode 100644 podman-systemd/misp-net.network
create mode 100644 podman-systemd/mysql_data.volume
create mode 100644 podman-systemd/redis.container
create mode 100644 podman-systemd/redis_data.volume

diff --git a/README.md b/README.md
index 68236dd..3f9f0bd 100644
--- a/README.md
+++ b/README.md
@@ -130,6 +130,71 @@ Custom root CA certificates can be mounted under `/usr/local/share/ca-certificat
 - "./rootca.pem:/usr/local/share/ca-certificates/rootca.crt"
 ```
 
+## Podman
+
+### Use Podman-systemd instead of Docker to:
+
+- Run containers in **rootless** mode
+- Manage containers with **systemd**
+- Write container descriptions in an **ignition** file and deploy them to an OS like **Fedora CoreOS** or similar (not covered in this documentation)
+
+### Copy the following directories and files:
+
+- Files from `podman-systemd` to `$USER/.config/containers/systemd/`
+- `template.vars` to `$USER/.config/containers/systemd/vars.env`
+
+### Change the necessary DB variables in `vars.env`:
+
+```
+MYSQL_HOST=
+MYSQL_USER=
+MYSQL_PASSWORD=
+MYSQL_ROOT_PASSWORD=
+MYSQL_DATABASE=
+```
+
+### Set the Redis password:
+
+```
+REDIS_PASSWORD=
+```
+
+### Set the base URL:
+
+```
+BASE_URL=https://:10443
+```
+
+### Reload systemd user daemon:
+
+```
+systemctl --user daemon-reload
+```
+
+### Start services:
+
+```
+systemctl --user start misp-mail.service
+systemctl --user start misp-db.service
+systemctl --user start misp-redis.service
+systemctl --user start misp-core.service
+systemctl --user start misp-modules.service
+```
+
+Wait a bit and check your service at https://:10443
+
+### To make services persistent across reboots and logouts:
+
+```
+sudo loginctl enable-linger $USER
+```
+
+### To enable Podman to periodically check for new container versions, activate the specific timer `podman-auto-update.timer`:
+
+```
+systemctl --user enable podman-auto-update.timer --now
+```
+
 ## Troubleshooting
 
 - Make sure you run a fairly recent version of Docker and Docker Compose (if in doubt, update following the steps outlined in https://docs.docker.com/engine/install/ubuntu/)
diff --git a/podman-systemd/certs.volume b/podman-systemd/certs.volume
new file mode 100644
index 0000000..77f7794
--- /dev/null
+++ b/podman-systemd/certs.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=certs
diff --git a/podman-systemd/conf.volume b/podman-systemd/conf.volume
new file mode 100644
index 0000000..30e2be0
--- /dev/null
+++ b/podman-systemd/conf.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=conf
diff --git a/podman-systemd/db.container b/podman-systemd/db.container
new file mode 100644
index 0000000..5fdc543
--- /dev/null
+++ b/podman-systemd/db.container
@@ -0,0 +1,26 @@
+[Unit]
+Description=MISP Database system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=db
+Image=docker.io/library/mariadb:10.11
+Network=misp-net
+Volume=mysql_data:/var/lib/mysql
+PodmanArgs=--network-alias db
+EnvironmentFile=vars.env
+AddCapability=SYS_NICE
+HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/podman-systemd/files.volume b/podman-systemd/files.volume
new file mode 100644
index 0000000..a247b21
--- /dev/null
+++ b/podman-systemd/files.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=files
diff --git a/podman-systemd/gpg.volume b/podman-systemd/gpg.volume
new file mode 100644
index 0000000..f07288f
--- /dev/null
+++ b/podman-systemd/gpg.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=gpg
diff --git a/podman-systemd/logs.volume b/podman-systemd/logs.volume
new file mode 100644
index 0000000..c06a057
--- /dev/null
+++ b/podman-systemd/logs.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=logs
diff --git a/podman-systemd/mail.container b/podman-systemd/mail.container
new file mode 100644
index 0000000..ceb7b25
--- /dev/null
+++ b/podman-systemd/mail.container
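Review bot: `HealthCmd=mysqladmin --user=${MYSQL_USER} --password=${MYSQL_PASSWORD} status`, together with the `[Service] EnvironmentFile=%h/.config/containers/systemd/vars.env` line, appears to make systemd expand the credentials into the generated `podman run` command line, so the database password becomes readable on the host via `systemctl show`, the journal and the process list, and again in the container's process list on every 2-second check. If in-container expansion is what is intended, write the references as `$${MYSQL_USER}` / `$${MYSQL_PASSWORD}` so systemd passes them through literally and the container shell resolves them from the `[Container] EnvironmentFile=vars.env`. The same exposure applies to `Exec=--requirepass ${REDIS_PASSWORD}` and `HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping` in redis.container, where no shell is involved for `Exec=`, so a Quadlet `Secret=` entry is the more suitable way to keep the value out of argv. Separately, Quadlet derives the unit name from the file name, so this file yields `db.service` (which misp-core.container's `Requires=db.service` expects), while the README hunk in this patch starts `misp-db.service`; one of the two should be aligned.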
@@ -0,0 +1,15 @@
+[Unit]
+Description=MISP Mail system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=mail
+Image=docker.io/ixdotai/smtp
+Network=misp-net
+PodmanArgs=--network-alias mail
+EnvironmentFile=vars.env
+
+[Install]
+WantedBy=default.target
diff --git a/podman-systemd/misp-core.container b/podman-systemd/misp-core.container
new file mode 100644
index 0000000..c3cd196
--- /dev/null
+++ b/podman-systemd/misp-core.container
@@ -0,0 +1,35 @@
+[Unit]
+Description=MISP Core
+After=db.service
+After=redis.service
+Requires=db.service
+Requires=redis.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=misp-core
+Image=ghcr.io/misp/misp-docker/misp-core:latest
+PublishPort=10443:443
+Network=misp-net
+PodmanArgs=--network-alias misp-core
+Volume=conf:/var/www/MISP/app/Config/
+Volume=logs:/var/www/MISP/app/tmp/logs/
+Volume=files:/var/www/MISP/app/files/
+Volume=certs:/etc/nginx/certs/
+Volume=gpg:/var/www/MISP/.gnupg/
+EnvironmentFile=vars.env
+AddCapability=AUDIT_WRITE
+HealthCmd=curl -ks ${BASE_URL}/users/heartbeat > /dev/null || exit 1
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+HealthStartupInterval=30s
+
+[Service]
+ExecStartPre=/bin/sleep 30
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/podman-systemd/misp-modules.container b/podman-systemd/misp-modules.container
new file mode 100644
index 0000000..178e7f5
--- /dev/null
+++ b/podman-systemd/misp-modules.container
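Review bot: `EnvironmentFile=vars.env` under `[Container]` injects the entire shared file into the SMTP container, so it receives `MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD` and `REDIS_PASSWORD` although nothing in this unit uses them, and a compromise of the mail image would expose the database and cache credentials. A per-service environment file, or explicit `Environment=` lines listing only what the relay needs, keeps each container to its own secrets; misp-modules.container loads the full file the same way and likely needs only a subset. `Image=docker.io/ixdotai/smtp` carries no tag, so with `AutoUpdate=registry` every new push to that repository is pulled and run unattended; pinning a tag or a digest (constructed form: `docker.io/ixdotai/smtp@sha256:<digest>`) limits that to reviewed updates.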
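Review bot: `Image=ghcr.io/misp/misp-docker/misp-core:latest` with `AutoUpdate=registry` means the `podman-auto-update.timer` the README enables will replace the running MISP with whatever `latest` points to at the time, with no pin and no review step; a version tag or digest is the usual way to keep updates deliberate, and misp-modules.container's `:latest` has the same exposure. `ExecStartPre=/bin/sleep 30` is a fixed delay standing in for `db.service`/`redis.service` readiness even though both units define health checks; `After=` alone only waits for the dependency to start, and recent Quadlet versions offer `Notify=healthy` on the dependency unit so that ordering waits for a healthy state, which would replace the sleep here and in misp-modules.container. `HealthCmd=curl -ks ${BASE_URL}/users/heartbeat > /dev/null || exit 1` relies on systemd expanding `${BASE_URL}` via the `[Service] EnvironmentFile`, so the check silently breaks if that line is moved or dropped; a comment above it such as `# ${BASE_URL} is expanded by systemd from the [Service] EnvironmentFile, not inside the container` would make the coupling visible.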
@@ -0,0 +1,19 @@
+[Unit]
+Description=MISP Modules
+After=redis.service
+Requires=redis.service
+
+[Container]
+AutoUpdate=registry
+ContainerName=misp-modules
+Image=ghcr.io/misp/misp-docker/misp-modules:latest
+Network=misp-net
+PodmanArgs=--network-alias misp-modules
+EnvironmentFile=vars.env
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+ExecStartPre=/bin/sleep 30
+
+[Install]
+WantedBy=default.target
diff --git a/podman-systemd/misp-net.network b/podman-systemd/misp-net.network
new file mode 100644
index 0000000..aa59c92
--- /dev/null
+++ b/podman-systemd/misp-net.network
@@ -0,0 +1,3 @@
+[Network]
+NetworkName=misp-net
+DisableDNS=false
diff --git a/podman-systemd/mysql_data.volume b/podman-systemd/mysql_data.volume
new file mode 100644
index 0000000..a733180
--- /dev/null
+++ b/podman-systemd/mysql_data.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=mysql_data
diff --git a/podman-systemd/redis.container b/podman-systemd/redis.container
new file mode 100644
index 0000000..72a8b38
--- /dev/null
+++ b/podman-systemd/redis.container
@@ -0,0 +1,26 @@
+[Unit]
+Description=MISP Redis system
+Requires=misp-net-network.service
+After=misp-net-network.service
+
+[Container]
+EnvironmentFile=vars.env
+AutoUpdate=registry
+ContainerName=redis
+Image=docker.io/valkey/valkey:7.2
+Network=misp-net
+Volume=redis_data:/data
+PodmanArgs=--network-alias redis
+Exec=--requirepass ${REDIS_PASSWORD}
+HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping
+HealthInterval=2s
+HealthTimeout=1s
+HealthRetries=3
+HealthStartPeriod=30s
+
+[Service]
+EnvironmentFile=%h/.config/containers/systemd/vars.env
+Restart=always
+
+[Install]
+WantedBy=default.target
diff --git a/podman-systemd/redis_data.volume b/podman-systemd/redis_data.volume
new file mode 100644
index 0000000..ed541eb
--- /dev/null
+++ b/podman-systemd/redis_data.volume
@@ -0,0 +1,2 @@
+[Volume]
+VolumeName=redis_data
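Review bot: The `[Service]` section here has no `Restart=`, while db.container, redis.container and misp-core.container all set `Restart=always`, so a crash of misp-modules or a failed restart after an auto-update leaves it down until someone notices; adding `Restart=always` keeps the four long-running units consistent. This unit also defines no `HealthCmd=`, so Podman has no health signal for the container, unlike the other three services in this patch; if the image exposes a cheap readiness endpoint, a check in the same `HealthCmd=`/`HealthInterval=` style as misp-core.container would let failures surface instead of relying on `ExecStartPre=/bin/sleep 30`.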
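Review bot: `EnvironmentFile=vars.env` is placed first in `[Container]`, before `AutoUpdate=`, whereas db.container, mail.container and misp-core.container put it after `PodmanArgs=`; a uniform key order across the units makes them easier to compare side by side. `HealthCmd=valkey-cli -a ${REDIS_PASSWORD} ping` passes the password as a command-line argument, which the CLI warns about and which appears in the container's process list at every 2-second interval; redis-cli reads `REDISCLI_AUTH` from the environment instead (confirm the valkey-cli build honours the same variable), which would let the check run as `valkey-cli ping` with the secret supplied through the environment rather than argv.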