Initial commit

rootfs/overlay/usr/lib/systemd/system-preset/90-default.preset

@@ -0,0 +1,31 @@
+enable chrony-wait.service
+
+enable dhcpcd.service
+
+enable dbus.socket
+enable dbus-broker.service
+
+enable sshd.service
+
+enable chronyd.service
+enable chrony.service
+
+enable auditd.service
+
+enable restorecond.service
+
+enable rsyslog.*
+enable syslog-ng.*
+enable sysklogd.*
+
+enable firewalld.service
+
+enable lm_sensors.service
+enable mcelog.*
+enable smartd.service
+
+enable rngd.service
+
+enable fstrim.timer
+
+enable logrotate.timer

rootfs/overlay/usr/lib/systemd/system-preset/99-default-disable.preset

@@ -0,0 +1 @@
+disable *

rootfs/overlay/usr/lib/systemd/system/chrony-wait.service

@@ -0,0 +1,47 @@
+[Unit]
+Description=Wait for chrony to synchronize system clock
+Documentation=man:chronyc(1)
+After=chrony.service chronyd.service
+After=network-online.target
+Before=time-sync.target
+Wants=time-sync.target
+Wants=network-online.target
+
+[Service]
+Type=oneshot
+# Wait for chronyd to update the clock and the remaining
+# correction to be less than 0.1 seconds
+ExecStart=/usr/bin/chronyc -h 127.0.0.1,::1 waitsync 0 0.1 0.0 1
+TimeoutStartSec=5m
+RemainAfterExit=yes
+StandardOutput=null
+
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
+[Install]
+WantedBy=multi-user.target

rootfs/overlay/usr/lib/systemd/system/collectd.service.d/after-network-online.conf

@@ -0,0 +1,7 @@
+[Unit]
+# If collectd starts before eth0 is "UP," it will fail to bind to the TCP
+# socket for Prometheus:
+#
+#     write_prometheus plugin: Opening a listening socket for [::]:9103 failed.
+After=network-online.target
+Wants=network-online.target

rootfs/overlay/usr/lib/systemd/system/copy-var.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Copy /var contents to writable storage
+DefaultDependencies=no
+After=local-fs.target
+Before=sysinit.target
+Before=systemd-update-done.service
+ConditionPathIsMountPoint=/var
+ConditionNeedsUpdate=/var
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/copy-var.sh

rootfs/overlay/usr/lib/systemd/system/dhcpcd.service.d/before-network-online.conf

@@ -0,0 +1,2 @@
+[Unit]
+Before=network-online.target

rootfs/overlay/usr/lib/systemd/system/dhcpcd.service.d/pidfile.conf

@@ -0,0 +1,2 @@
+[Service]
+PIDFile=/run/dhcpcd/pid

rootfs/overlay/usr/lib/systemd/system/sysinit.target.wants/copy-var.service

@@ -0,0 +1 @@
+../copy-var.service

rootfs/overlay/usr/lib/tmpfiles.d/chrony.conf

@@ -0,0 +1 @@
+d /run/chrony-dhcp 0755 root root

rootfs/overlay/usr/libexec/copy-var.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+cleanup() {
+    if [ -n "${tmpdir}" ] && [ -d "${tmpdir}" ] && [ / != "${tmpdir}" ]; then
+        if mountpoint -q "${tmpdir}"; then
+            umount "${tmpdir}"
+        fi
+        rm -rf "${tmpdir}"
+    fi
+    unset tmpdir
+}
+
+if ! mountpoint -q /var; then
+    exit 0
+fi
+
+tmpdir=$(TMPDIR=/run mktemp -d)
+trap cleanup INT QUIT TERM EXIT
+
+mount -o bind / "${tmpdir}"
+cp -a "${tmpdir}"/var/. /var/
+
+if [ -x "$(command -v selinuxenabled)" ] && selinuxenabled; then
+    restorecon -RF /var
+fi

rootfs/overlay/usr/libexec/ssh-authorized-keys

@@ -0,0 +1,6 @@
+#!/bin/sh
+
+USER="${1}"
+KEYTYPE="${2}"
+
+curl -gs http://sshkeys.pyrocufflink.blue/"${USER}"/"${KEYTYPE}".pub