cfg: Add apply-config-policy container unit

The *apply-config-policy* service does what it says on the tin.  It
fetches the *cfg.git* repository and applies the configuration policy
therein for the current host.  This is a privileged container with
practically allisolation disabled, to allow the configuration tools to
manage the system.

apply-config-policy.container

@@ -0,0 +1,27 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Apply Configuration Policy
+Wants=network-online.target
+After=network-online.target
+After=install-packages.service
+After=ssh-host-certs.service
+
+[Container]
+Image=git.pyrocufflink.net/infra/cfg:latest
+Pull=newer
+Environment=RUST_LOG=debug
+Volume=/:/host:rw
+Volume=/run:/run:rw
+Tmpfs=/root
+ReadOnly=true
+VolatileTmp=true
+SecurityLabelDisable=true
+PodmanArgs=--uts=host --cgroupns=host --ipc=host --pid=host --privileged
+Network=host
+LogDriver=passthrough
+
+[Service]
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target

cfg.yaml

@@ -0,0 +1,14 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+  files:
+  - path: /etc/containers/systemd/apply-config-policy.container
+    mode: 0644
+    contents:
+      local: apply-config-policy.container
+
+systemd:
+  units:
+  - name: apply-config-policy.service
+    enabled: true