ssh-host-certs: Run sshca-cli from a container

Installing packages on the host system via `rpm-ostree` is _insanely_
slow, especially on Raspberry Pi devices.  The main reason I chose to go
that route for managing the SSH host certificates was to avoid having to
maintain the systemd units in multiple places.  I think the trade-off is
worth it, though; bringing up a new Raspberry Pi is significantly
faster, by 15+ minutes, if we do not have to wait for `rpm-ostree` at
all.

ssh-host-cert-sign@.container

@@ -0,0 +1,22 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+Before=ssh-host-certs.service
+
+[Service]
+Type=oneshot
+
+[Container]
+Image=git.pyrocufflink.net/containerimages/sshca-cli
+Pull=newer
+EnvironmentFile=/etc/sysconfig/ssh-host-cert-sign
+Exec=host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+Volume=/etc/ssh:/etc/ssh:rw
+Volume=/sys/firmware:/sys/firmware:ro
+Volume=/sys/class/dmi/id:/sys/class/dmi/id:ro
+Network=host
+SecurityLabelDisable=yes
+ContainerName=%p-%i
+PodmanArgs=--uts=host
+PodmanArgs=--security-opt=unmask=/sys/firmware

ssh-host-certs-renew.target

@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service

ssh-host-certs-renew.timer

@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target

ssh-host-certs.service

@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+ConditionFirstBoot=yes
+Wants=ssh-host-certs-renew.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl disable %n
+
+[Install]
+WantedBy=multi-user.target

ssh-host-certs.yaml

@@ -1,18 +1,12 @@
 variant: fcos
 version: 1.4.0
 
-ignition:
-  config:
-    merge:
-    - local: dch-repo.ign
-
 storage:
   files:
-  - path: /etc/ignition/packages.d/sshca
+  - path: /etc/containers/systemd/ssh-host-cert-sign@.container
     mode: 0644
     contents:
-      inline: |
+      local: ssh-host-cert-sign@.container
-        sshca-cli-systemd
 
   - path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
     mode: 0644
@@ -28,13 +22,24 @@ storage:
       inline: |
         SSHCA_SERVER=https://sshca.pyrocufflink.blue
 
-  links:
+  - path: /etc/systemd/system/ssh-host-certs-renew.timer
-  - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs.target
+    mode: 0644
-    target: /usr/lib/systemd/system/ssh-host-certs.target
+    contents:
-  - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs-renew.timer
+      local: ssh-host-certs-renew.timer
-    target: /usr/lib/systemd/system/ssh-host-certs-renew.timer
+
+  - path: /etc/systemd/system/ssh-host-certs-renew.target
+    mode: 0644
+    contents:
+      local: ssh-host-certs-renew.target
+
+  - path: /etc/systemd/system/ssh-host-certs.service
+    mode: 0644
+    contents:
+      local: ssh-host-certs.service
 
 systemd:
   units:
+  - name: ssh-host-certs.service
+    enabled: true
   - name: ssh-host-certs-renew.timer
     enabled: true