diff --git a/apply-config-policy.container b/apply-config-policy.container
new file mode 100644
index 0000000..4fd48e6
--- /dev/null
+++ b/apply-config-policy.container
@@ -0,0 +1,27 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Apply Configuration Policy
+Wants=network-online.target
+After=network-online.target
+After=install-packages.service
+After=ssh-host-certs.service
+
+[Container]
+Image=git.pyrocufflink.net/infra/cfg:latest
+Pull=newer
+Environment=RUST_LOG=debug
+Volume=/:/host:rw
+Volume=/run:/run:rw
+Tmpfs=/root
+ReadOnly=true
+VolatileTmp=true
+SecurityLabelDisable=true
+PodmanArgs=--uts=host --cgroupns=host --ipc=host --pid=host --privileged
+Network=host
+LogDriver=passthrough
+
+[Service]
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/cfg.yaml b/cfg.yaml
new file mode 100644
index 0000000..4f701e4
--- /dev/null
+++ b/cfg.yaml
@@ -0,0 +1,14 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+ files:
+ - path: /etc/containers/systemd/apply-config-policy.container
+ mode: 0644
+ contents:
+ local: apply-config-policy.container
+
+systemd:
+ units:
+ - name: apply-config-policy.service
+ enabled: true
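Review bot: In apply-config-policy.container, `Image=git.pyrocufflink.net/infra/cfg:latest` with `Pull=newer` means each start runs whatever the registry currently serves under a mutable tag, while the same unit grants that image `--privileged`, all host namespaces, `Volume=/:/host:rw` and `SecurityLabelDisable=true`. Write access to that tag is therefore equivalent to root on every host that installs this unit. Pin the image by digest, e.g. `Image=git.pyrocufflink.net/infra/cfg@sha256:<pinned-digest>` (placeholder), or require a signature for this registry in `/etc/containers/policy.json`. `ReadOnly=true` adds little next to the read-write host mount, so a comment above `PodmanArgs=` stating which privileges the tool actually needs would help a later reviewer trim them. Also consider whether `RUST_LOG=debug` should be the default, since with `LogDriver=passthrough` that output goes to the service's log stream.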
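Review bot: In cfg.yaml, the `systemd.units` entry with `enabled: true` for `apply-config-policy.service` looks redundant. That unit is generated by Quadlet from the `.container` file, and generated units are normally enabled through the `[Install]` section of the Quadlet file, which this commit already sets with `WantedBy=multi-user.target`. I have not confirmed how the first-boot preset treats a generated unit here, so please check on a fresh provision that the service starts exactly once. If the entry is not needed, drop it so the `.container` file is the only place where enablement is defined.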