Compare commits
No commits in common. "91af50acc2d1d493c63c9bfb8a96385457c71ebd" and "fd7778c01a6c7e61d66f53f698f985e184ea57c6" have entirely different histories.
91af50acc2
...
fd7778c01a
|
|
@ -1,27 +0,0 @@
|
|||
# vim: set ft=systemd :
|
||||
[Unit]
|
||||
Description=Apply Configuration Policy
|
||||
Wants=network-online.target
|
||||
After=network-online.target
|
||||
After=install-packages.service
|
||||
After=ssh-host-certs.service
|
||||
|
||||
[Container]
|
||||
Image=git.pyrocufflink.net/infra/cfg:latest
|
||||
Pull=newer
|
||||
Environment=RUST_LOG=debug
|
||||
Volume=/:/host:rw
|
||||
Volume=/run:/run:rw
|
||||
Tmpfs=/root
|
||||
ReadOnly=true
|
||||
VolatileTmp=true
|
||||
SecurityLabelDisable=true
|
||||
PodmanArgs=--uts=host --cgroupns=host --ipc=host --pid=host --privileged
|
||||
Network=host
|
||||
LogDriver=passthrough
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
14
cfg.yaml
14
cfg.yaml
|
|
@ -1,14 +0,0 @@
|
|||
variant: fcos
|
||||
version: 1.4.0
|
||||
|
||||
storage:
|
||||
files:
|
||||
- path: /etc/containers/systemd/apply-config-policy.container
|
||||
mode: 0644
|
||||
contents:
|
||||
local: apply-config-policy.container
|
||||
|
||||
systemd:
|
||||
units:
|
||||
- name: apply-config-policy.service
|
||||
enabled: true
|
||||
|
|
@ -1,36 +0,0 @@
|
|||
variant: fcos
|
||||
version: 1.4.0
|
||||
|
||||
storage:
|
||||
files:
|
||||
- path: /etc/ignition/fix-hybrid-mbr.sh
|
||||
mode: 0755
|
||||
contents:
|
||||
inline: |-
|
||||
#!/bin/sh
|
||||
|
||||
set -ex
|
||||
|
||||
bootdev=$(awk '$5=="/boot"{print $10}' /proc/1/mountinfo)
|
||||
sysdev=$(readlink -e /sys/class/block/${bootdev##*/})
|
||||
sysdev_parent=${sysdev%/*}
|
||||
disk=/dev/${sysdev_parent##*/}
|
||||
|
||||
sgdisk -h 2:EE "${disk}"
|
||||
echo type=0c,bootable | sfdisk -Y mbr -N 1 "${disk}"
|
||||
|
||||
systemd:
|
||||
units:
|
||||
- name: fix-hybrid-mbr.service
|
||||
contents: |-
|
||||
[Unit]
|
||||
Description=Fix Hybrid MBR for Raspberry Pi 2/3
|
||||
ConditionFirstBoot=yes
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/etc/ignition/fix-hybrid-mbr.sh
|
||||
|
||||
[Install]
|
||||
WantedBy=basic.target
|
||||
enabled: true
|
||||
17
nut0.yaml
17
nut0.yaml
|
|
@ -1,17 +0,0 @@
|
|||
variant: fcos
|
||||
version: 1.4.0
|
||||
|
||||
ignition:
|
||||
config:
|
||||
merge:
|
||||
- local: fix-hybrid-mbr.ign
|
||||
- local: common.ign
|
||||
- local: zram.ign
|
||||
- local: cfg.ign
|
||||
|
||||
storage:
|
||||
files:
|
||||
- path: /etc/hostname
|
||||
mode: 0644
|
||||
contents:
|
||||
inline: nut0.pyrocufflink.blue
|
||||
|
|
@ -1,22 +0,0 @@
|
|||
[Unit]
|
||||
Description=Request %I SSH Host Certificate
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
Before=ssh-host-certs.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
||||
[Container]
|
||||
Image=git.pyrocufflink.net/containerimages/sshca-cli
|
||||
Pull=newer
|
||||
EnvironmentFile=/etc/sysconfig/ssh-host-cert-sign
|
||||
Exec=host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
|
||||
Volume=/etc/ssh:/etc/ssh:rw
|
||||
Volume=/sys/firmware:/sys/firmware:ro
|
||||
Volume=/sys/class/dmi/id:/sys/class/dmi/id:ro
|
||||
Network=host
|
||||
SecurityLabelDisable=yes
|
||||
ContainerName=%p-%i
|
||||
PodmanArgs=--uts=host
|
||||
PodmanArgs=--security-opt=unmask=/sys/firmware
|
||||
|
|
@ -1,7 +0,0 @@
|
|||
# vim: set ft=systemd :
|
||||
[Unit]
|
||||
Description=Request SSH Host Certificates
|
||||
StopWhenUnneeded=yes
|
||||
Wants=ssh-host-cert-sign@ed25519.service
|
||||
Wants=ssh-host-cert-sign@rsa.service
|
||||
Wants=ssh-host-cert-sign@ecdsa.service
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
# vim: set ft=systemd :
|
||||
[Unit]
|
||||
Description=Periodically renew SSH host certificates
|
||||
|
||||
[Timer]
|
||||
Unit=%N.target
|
||||
OnCalendar=Tue *-*-* 00:00:00
|
||||
RandomizedDelaySec=48h
|
||||
Persistent=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
|
|
@ -1,12 +0,0 @@
|
|||
# vim: set ft=systemd :
|
||||
[Unit]
|
||||
Description=Request SSH Host Certificates
|
||||
ConditionFirstBoot=yes
|
||||
Wants=ssh-host-certs-renew.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/systemctl disable %n
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
@ -1,12 +1,18 @@
|
|||
variant: fcos
|
||||
version: 1.4.0
|
||||
|
||||
ignition:
|
||||
config:
|
||||
merge:
|
||||
- local: dch-repo.ign
|
||||
|
||||
storage:
|
||||
files:
|
||||
- path: /etc/containers/systemd/ssh-host-cert-sign@.container
|
||||
- path: /etc/ignition/packages.d/sshca
|
||||
mode: 0644
|
||||
contents:
|
||||
local: ssh-host-cert-sign@.container
|
||||
inline: |
|
||||
sshca-cli-systemd
|
||||
|
||||
- path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
|
||||
mode: 0644
|
||||
|
|
@ -22,24 +28,13 @@ storage:
|
|||
inline: |
|
||||
SSHCA_SERVER=https://sshca.pyrocufflink.blue
|
||||
|
||||
- path: /etc/systemd/system/ssh-host-certs-renew.timer
|
||||
mode: 0644
|
||||
contents:
|
||||
local: ssh-host-certs-renew.timer
|
||||
|
||||
- path: /etc/systemd/system/ssh-host-certs-renew.target
|
||||
mode: 0644
|
||||
contents:
|
||||
local: ssh-host-certs-renew.target
|
||||
|
||||
- path: /etc/systemd/system/ssh-host-certs.service
|
||||
mode: 0644
|
||||
contents:
|
||||
local: ssh-host-certs.service
|
||||
links:
|
||||
- path: /etc/systemd/system/after-install.target.wants/ssh-host-certs.target
|
||||
target: /usr/lib/systemd/system/ssh-host-certs.target
|
||||
- path: /etc/systemd/system/after-install.target.wants/ssh-host-certs-renew.timer
|
||||
target: /usr/lib/systemd/system/ssh-host-certs-renew.timer
|
||||
|
||||
systemd:
|
||||
units:
|
||||
- name: ssh-host-certs.service
|
||||
enabled: true
|
||||
- name: ssh-host-certs-renew.timer
|
||||
enabled: true
|
||||
|
|
|
|||
Loading…
Reference in New Issue