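%post
# Kickstart post-install section: seed root's authorized_keys and install a
# first-boot "host online" notifier.  The notifier POSTs this host's FQDN, its
# SSH host *public* keys and (when the hypervisor supplied one) a config-branch
# name to the infrastructure webhook.

# NOTE(review): in the copy reviewed here the authorized_keys write and the
# notify-online.sh write ran together on one line with no key material between
# them, so the key list has to be restored from the project's source of truth.
# The placeholder below is a comment line, which sshd ignores: no key is
# granted until it is replaced.
mkdir -p -m 0700 /root/.ssh
cat > /root/.ssh/authorized_keys <<'EOF'
# PLACEHOLDER-AUTHORIZED-KEYS: replace with the authorized public key line(s)
EOF
chmod 0600 /root/.ssh/authorized_keys

# Quoted heredoc: nothing expands at install time; $(hostname -f) and friends
# run on the installed host at first boot.
cat > /usr/local/libexec/notify-online.sh <<'EOF'
#!/bin/sh
# Announce this host to the infrastructure webhook.
#   hostname : output of `hostname -f`
#   sshkeys  : concatenated /etc/ssh/ssh_host_*_key.pub, sent from stdin
#   branch   : contents of the QEMU fw_cfg entry, only if the file is readable
set -eu

# --form-string sends the value literally.  With plain -F, a value starting
# with '@' or '<', or containing ';type=', is parsed by curl as a file
# reference or part option; the hostname and the fw_cfg contents are data,
# not instructions.  The sshkeys field keeps -F because '<-' is exactly the
# "read this part from stdin" instruction we want.
set -- \
  --form-string "hostname=$(hostname -f)" \
  -F 'sshkeys=<-;type=text/plain'
fw_cfg=/sys/firmware/qemu_fw_cfg/by_name/opt/dch/cfg-branch/raw
if [ -r "${fw_cfg}" ]; then
  set -- "$@" --form-string "branch=$(cat "${fw_cfg}")"
fi
# -f: non-2xx is a failure (visible in the unit's status); -sS: quiet except
# for errors; --max-time bounds a hung webhook so a first-boot run cannot
# wait forever.
cat /etc/ssh/ssh_host_*_key.pub \
  | curl -fsS --max-time 60 https://webhooks.pyrocufflink.blue/host/online "$@"
EOF
chmod +x /usr/local/libexec/notify-online.sh

cat > /etc/systemd/system/notify-online.service <<'EOF'
[Unit]
Description=Notify infrastructure services that this host is online
# Runs only on the boot systemd considers the machine's first boot.
ConditionFirstBoot=yes
After=sshd.service
After=network-online.target
Wants=network-online.target
After=systemd-user-sessions.service

[Service]
Type=exec
ExecStart=/usr/local/libexec/notify-online.sh
# Must run as root in order to read QEMU fw_config, so enable maximum
# sandbox restrictions.
# NOTE(review): RestrictAddressFamilies below leaves out AF_UNIX, so any name
# resolution path that talks to a local daemon over a UNIX socket (nscd,
# nss-resolve) is blocked; this relies on the nsswitch fallback to plain DNS
# for `hostname -f` and the webhook lookup — confirm on the target image.
CapabilityBoundingSet=
DeviceAllow=
DevicePolicy=closed
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateUsers=yes
PrivateTmp=yes
ProcSubset=pid
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
EOF
# --no-reload: the installer image has no running systemd to reload.
systemctl enable --no-reload notify-online.service
%end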