Compare commits
No commits in common. "91af50acc2d1d493c63c9bfb8a96385457c71ebd" and "fd7778c01a6c7e61d66f53f698f985e184ea57c6" have entirely different histories.
91af50acc2
...
fd7778c01a
|
@ -1,27 +0,0 @@
|
||||||
# vim: set ft=systemd :
|
|
||||||
[Unit]
|
|
||||||
Description=Apply Configuration Policy
|
|
||||||
Wants=network-online.target
|
|
||||||
After=network-online.target
|
|
||||||
After=install-packages.service
|
|
||||||
After=ssh-host-certs.service
|
|
||||||
|
|
||||||
[Container]
|
|
||||||
Image=git.pyrocufflink.net/infra/cfg:latest
|
|
||||||
Pull=newer
|
|
||||||
Environment=RUST_LOG=debug
|
|
||||||
Volume=/:/host:rw
|
|
||||||
Volume=/run:/run:rw
|
|
||||||
Tmpfs=/root
|
|
||||||
ReadOnly=true
|
|
||||||
VolatileTmp=true
|
|
||||||
SecurityLabelDisable=true
|
|
||||||
PodmanArgs=--uts=host --cgroupns=host --ipc=host --pid=host --privileged
|
|
||||||
Network=host
|
|
||||||
LogDriver=passthrough
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
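--- a/cfg.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-variant: fcos
-version: 1.4.0
-
-storage:
-  files:
-    - path: /etc/containers/systemd/apply-config-policy.container
-      mode: 0644
-      contents:
-        local: apply-config-policy.container
-
-systemd:
-  units:
-    - name: apply-config-policy.service
-      enabled: true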
@ -1,36 +0,0 @@
|
||||||
variant: fcos
|
|
||||||
version: 1.4.0
|
|
||||||
|
|
||||||
storage:
|
|
||||||
files:
|
|
||||||
- path: /etc/ignition/fix-hybrid-mbr.sh
|
|
||||||
mode: 0755
|
|
||||||
contents:
|
|
||||||
inline: |-
|
|
||||||
#!/bin/sh
|
|
||||||
|
|
||||||
set -ex
|
|
||||||
|
|
||||||
bootdev=$(awk '$5=="/boot"{print $10}' /proc/1/mountinfo)
|
|
||||||
sysdev=$(readlink -e /sys/class/block/${bootdev##*/})
|
|
||||||
sysdev_parent=${sysdev%/*}
|
|
||||||
disk=/dev/${sysdev_parent##*/}
|
|
||||||
|
|
||||||
sgdisk -h 2:EE "${disk}"
|
|
||||||
echo type=0c,bootable | sfdisk -Y mbr -N 1 "${disk}"
|
|
||||||
|
|
||||||
systemd:
|
|
||||||
units:
|
|
||||||
- name: fix-hybrid-mbr.service
|
|
||||||
contents: |-
|
|
||||||
[Unit]
|
|
||||||
Description=Fix Hybrid MBR for Raspberry Pi 2/3
|
|
||||||
ConditionFirstBoot=yes
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/etc/ignition/fix-hybrid-mbr.sh
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=basic.target
|
|
||||||
enabled: true
|
|
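--- a/nut0.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-variant: fcos
-version: 1.4.0
-
-ignition:
-  config:
-    merge:
-      - local: fix-hybrid-mbr.ign
-      - local: common.ign
-      - local: zram.ign
-      - local: cfg.ign
-
-storage:
-  files:
-    - path: /etc/hostname
-      mode: 0644
-      contents:
-        inline: nut0.pyrocufflink.blue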
@ -1,22 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Request %I SSH Host Certificate
|
|
||||||
After=network-online.target
|
|
||||||
Wants=network-online.target
|
|
||||||
Before=ssh-host-certs.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
|
|
||||||
[Container]
|
|
||||||
Image=git.pyrocufflink.net/containerimages/sshca-cli
|
|
||||||
Pull=newer
|
|
||||||
EnvironmentFile=/etc/sysconfig/ssh-host-cert-sign
|
|
||||||
Exec=host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
|
|
||||||
Volume=/etc/ssh:/etc/ssh:rw
|
|
||||||
Volume=/sys/firmware:/sys/firmware:ro
|
|
||||||
Volume=/sys/class/dmi/id:/sys/class/dmi/id:ro
|
|
||||||
Network=host
|
|
||||||
SecurityLabelDisable=yes
|
|
||||||
ContainerName=%p-%i
|
|
||||||
PodmanArgs=--uts=host
|
|
||||||
PodmanArgs=--security-opt=unmask=/sys/firmware
|
|
|
@ -1,7 +0,0 @@
|
||||||
# vim: set ft=systemd :
|
|
||||||
[Unit]
|
|
||||||
Description=Request SSH Host Certificates
|
|
||||||
StopWhenUnneeded=yes
|
|
||||||
Wants=ssh-host-cert-sign@ed25519.service
|
|
||||||
Wants=ssh-host-cert-sign@rsa.service
|
|
||||||
Wants=ssh-host-cert-sign@ecdsa.service
|
|
|
@ -1,12 +0,0 @@
|
||||||
# vim: set ft=systemd :
|
|
||||||
[Unit]
|
|
||||||
Description=Periodically renew SSH host certificates
|
|
||||||
|
|
||||||
[Timer]
|
|
||||||
Unit=%N.target
|
|
||||||
OnCalendar=Tue *-*-* 00:00:00
|
|
||||||
RandomizedDelaySec=48h
|
|
||||||
Persistent=yes
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=timers.target
|
|
|
@ -1,12 +0,0 @@
|
||||||
# vim: set ft=systemd :
|
|
||||||
[Unit]
|
|
||||||
Description=Request SSH Host Certificates
|
|
||||||
ConditionFirstBoot=yes
|
|
||||||
Wants=ssh-host-certs-renew.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/usr/bin/systemctl disable %n
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,12 +1,18 @@
|
||||||
variant: fcos
|
variant: fcos
|
||||||
version: 1.4.0
|
version: 1.4.0
|
||||||
|
|
||||||
|
ignition:
|
||||||
|
config:
|
||||||
|
merge:
|
||||||
|
- local: dch-repo.ign
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
files:
|
files:
|
||||||
- path: /etc/containers/systemd/ssh-host-cert-sign@.container
|
- path: /etc/ignition/packages.d/sshca
|
||||||
mode: 0644
|
mode: 0644
|
||||||
contents:
|
contents:
|
||||||
local: ssh-host-cert-sign@.container
|
inline: |
|
||||||
|
sshca-cli-systemd
|
||||||
|
|
||||||
- path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
|
- path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
@ -22,24 +28,13 @@ storage:
|
||||||
inline: |
|
inline: |
|
||||||
SSHCA_SERVER=https://sshca.pyrocufflink.blue
|
SSHCA_SERVER=https://sshca.pyrocufflink.blue
|
||||||
|
|
||||||
- path: /etc/systemd/system/ssh-host-certs-renew.timer
|
links:
|
||||||
mode: 0644
|
- path: /etc/systemd/system/after-install.target.wants/ssh-host-certs.target
|
||||||
contents:
|
target: /usr/lib/systemd/system/ssh-host-certs.target
|
||||||
local: ssh-host-certs-renew.timer
|
- path: /etc/systemd/system/after-install.target.wants/ssh-host-certs-renew.timer
|
||||||
|
target: /usr/lib/systemd/system/ssh-host-certs-renew.timer
|
||||||
- path: /etc/systemd/system/ssh-host-certs-renew.target
|
|
||||||
mode: 0644
|
|
||||||
contents:
|
|
||||||
local: ssh-host-certs-renew.target
|
|
||||||
|
|
||||||
- path: /etc/systemd/system/ssh-host-certs.service
|
|
||||||
mode: 0644
|
|
||||||
contents:
|
|
||||||
local: ssh-host-certs.service
|
|
||||||
|
|
||||||
systemd:
|
systemd:
|
||||||
units:
|
units:
|
||||||
- name: ssh-host-certs.service
|
|
||||||
enabled: true
|
|
||||||
- name: ssh-host-certs-renew.timer
|
- name: ssh-host-certs-renew.timer
|
||||||
enabled: true
|
enabled: true
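Review bot: `ssh-host-certs-renew.timer` is now enabled by two mechanisms — the `after-install.target.wants` symlink added under `links:` and the surviving `enabled: true` entry under `systemd.units` — while the unit file itself is expected at `/usr/lib/systemd/system/`, i.e. delivered by the `sshca-cli-systemd` package listed in `/etc/ignition/packages.d/sshca`, which is not yet installed when Ignition runs. Whether the preset Ignition writes for that unit is applied after the package lands is not visible here; the explicit `wants` link is the mechanism that certainly works for a not-yet-installed unit, so I would drop the `systemd.units` entry, or if both are intentional add a comment above it such as `# redundant with the after-install.target.wants link; kept until the package preset is confirmed to apply post-install`. Note also that the `inline:` file carrying `SSHCA_SERVER=https://sshca.pyrocufflink.blue` keeps its old path (its `- path:` line lies between the two hunks) and was previously consumed through the deleted container unit's `EnvironmentFile=/etc/sysconfig/ssh-host-cert-sign`; confirm the packaged units read that same file, otherwise the server setting is silently unused. Since the signing client now runs on the host from a package pulled through the repository merged in from `dch-repo.ign`, that repository's signing/TLS configuration (not shown) becomes the supply-chain trust anchor for the SSH host-certificate tooling and deserves a note next to the merge entry, e.g. `# provides sshca-cli-systemd; repo must be signature-verified`.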
|
||||||
|
|