From 196ce46d5467095560a5785866d199677a2d13e1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 17 Jan 2024 18:38:34 -0600
Subject: [PATCH] cfg: Add apply-config-policy container unit

The *apply-config-policy* service does what it says on the tin. It fetches the *cfg.git* repository and applies the configuration policy therein for the current host. This is a privileged container with practically allisolation disabled, to allow the configuration tools to manage the system.
---
 apply-config-policy.container | 27 +++++++++++++++++++++++++++
 cfg.yaml | 14 ++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 apply-config-policy.container
 create mode 100644 cfg.yaml

diff --git a/apply-config-policy.container b/apply-config-policy.container
new file mode 100644
index 0000000..4fd48e6
--- /dev/null
+++ b/apply-config-policy.container
@@ -0,0 +1,27 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Apply Configuration Policy
+Wants=network-online.target
+After=network-online.target
+After=install-packages.service
+After=ssh-host-certs.service
+
+[Container]
+Image=git.pyrocufflink.net/infra/cfg:latest
+Pull=newer
+Environment=RUST_LOG=debug
+Volume=/:/host:rw
+Volume=/run:/run:rw
+Tmpfs=/root
+ReadOnly=true
+VolatileTmp=true
+SecurityLabelDisable=true
+PodmanArgs=--uts=host --cgroupns=host --ipc=host --pid=host --privileged
+Network=host
+LogDriver=passthrough
+
+[Service]
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target
diff --git a/cfg.yaml b/cfg.yaml
new file mode 100644
index 0000000..4f701e4
--- /dev/null
+++ b/cfg.yaml
@@ -0,0 +1,14 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+ files:
+ - path: /etc/containers/systemd/apply-config-policy.container
+ mode: 0644
+ contents:
+ local: apply-config-policy.container
+
+systemd:
+ units:
+ - name: apply-config-policy.service
+ enabled: true
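Review bot: `Image=git.pyrocufflink.net/infra/cfg:latest` is a mutable tag and `Pull=newer` re-fetches it on every start, yet the same unit runs the image with `--privileged`, `--pid=host` and `Volume=/:/host:rw`, so anyone who can push to that tag (or, if no signature policy is enforced elsewhere, alter what the pull returns) gets root on every host at boot. Pin the image by digest, e.g. `Image=git.pyrocufflink.net/infra/cfg@sha256:<digest>`, or require a signature for that registry in `/etc/containers/policy.json` before relying on `Pull=newer`; neither is visible in this commit. Separately, `After=install-packages.service` and `After=ssh-host-certs.service` only order the unit; without a matching `Wants=` those services are not pulled in if nothing else enables them, so a comment such as `# ordering only: these units are enabled separately` (or a `Wants=`) would make the intent explicit. `Environment=RUST_LOG=debug` combined with `LogDriver=passthrough` sends debug-level output into the host journal; if the cfg tool logs repository URLs or rendered secrets at that level they will persist on every host, which is worth confirming before leaving debug as the default.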