nut0: Add host Ignition config

*nut0.pyrocufflink.blue* is a Raspberry Pi 3 that will run `upsd` and
`upsmon` to monitor and control the UPS on the server rack.

apply-config-policy.container

@@ -0,0 +1,27 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Apply Configuration Policy
+Wants=network-online.target
+After=network-online.target
+After=install-packages.service
+After=ssh-host-certs.service
+
+[Container]
+Image=git.pyrocufflink.net/infra/cfg:latest
+Pull=newer
+Environment=RUST_LOG=debug
+Volume=/:/host:rw
+Volume=/run:/run:rw
+Tmpfs=/root
+ReadOnly=true
+VolatileTmp=true
+SecurityLabelDisable=true
+PodmanArgs=--uts=host --cgroupns=host --ipc=host --pid=host --privileged
+Network=host
+LogDriver=passthrough
+
+[Service]
+Type=oneshot
+
+[Install]
+WantedBy=multi-user.target

cfg.yaml

@@ -0,0 +1,14 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+  files:
+  - path: /etc/containers/systemd/apply-config-policy.container
+    mode: 0644
+    contents:
+      local: apply-config-policy.container
+
+systemd:
+  units:
+  - name: apply-config-policy.service
+    enabled: true

fix-hybrid-mbr.yaml

@@ -0,0 +1,36 @@
+variant: fcos
+version: 1.4.0
+
+storage:
+  files:
+  - path: /etc/ignition/fix-hybrid-mbr.sh
+    mode: 0755
+    contents:
+      inline: |-
+        #!/bin/sh
+
+        set -ex
+        
+        bootdev=$(awk '$5=="/boot"{print $10}' /proc/1/mountinfo)
+        sysdev=$(readlink -e /sys/class/block/${bootdev##*/})
+        sysdev_parent=${sysdev%/*}
+        disk=/dev/${sysdev_parent##*/}
+        
+        sgdisk -h 2:EE "${disk}"
+        echo type=0c,bootable | sfdisk -Y mbr -N 1 "${disk}"
+
+systemd:
+  units:
+  - name: fix-hybrid-mbr.service
+    contents: |-
+      [Unit]
+      Description=Fix Hybrid MBR for Raspberry Pi 2/3
+      ConditionFirstBoot=yes
+      
+      [Service]
+      Type=oneshot
+      ExecStart=/etc/ignition/fix-hybrid-mbr.sh
+      
+      [Install]
+      WantedBy=basic.target
+    enabled: true

nut0.yaml

@@ -0,0 +1,17 @@
+variant: fcos
+version: 1.4.0
+
+ignition:
+  config:
+    merge:
+    - local: fix-hybrid-mbr.ign
+    - local: common.ign
+    - local: zram.ign
+    - local: cfg.ign
+
+storage:
+  files:
+  - path: /etc/hostname
+    mode: 0644
+    contents:
+      inline: nut0.pyrocufflink.blue

ssh-host-cert-sign@.container

@@ -0,0 +1,22 @@
+[Unit]
+Description=Request %I SSH Host Certificate
+After=network-online.target
+Wants=network-online.target
+Before=ssh-host-certs.service
+
+[Service]
+Type=oneshot
+
+[Container]
+Image=git.pyrocufflink.net/containerimages/sshca-cli
+Pull=newer
+EnvironmentFile=/etc/sysconfig/ssh-host-cert-sign
+Exec=host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
+Volume=/etc/ssh:/etc/ssh:rw
+Volume=/sys/firmware:/sys/firmware:ro
+Volume=/sys/class/dmi/id:/sys/class/dmi/id:ro
+Network=host
+SecurityLabelDisable=yes
+ContainerName=%p-%i
+PodmanArgs=--uts=host
+PodmanArgs=--security-opt=unmask=/sys/firmware

ssh-host-certs-renew.target

@@ -0,0 +1,7 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+StopWhenUnneeded=yes
+Wants=ssh-host-cert-sign@ed25519.service
+Wants=ssh-host-cert-sign@rsa.service
+Wants=ssh-host-cert-sign@ecdsa.service

ssh-host-certs-renew.timer

@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Periodically renew SSH host certificates
+
+[Timer]
+Unit=%N.target
+OnCalendar=Tue *-*-* 00:00:00
+RandomizedDelaySec=48h
+Persistent=yes
+
+[Install]
+WantedBy=timers.target

ssh-host-certs.service

@@ -0,0 +1,12 @@
+# vim: set ft=systemd :
+[Unit]
+Description=Request SSH Host Certificates
+ConditionFirstBoot=yes
+Wants=ssh-host-certs-renew.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl disable %n
+
+[Install]
+WantedBy=multi-user.target

ssh-host-certs.yaml

@@ -1,18 +1,12 @@
 variant: fcos
 version: 1.4.0
 
-ignition:
-  config:
-    merge:
-    - local: dch-repo.ign
-
 storage:
   files:
-  - path: /etc/ignition/packages.d/sshca
+  - path: /etc/containers/systemd/ssh-host-cert-sign@.container
     mode: 0644
     contents:
-      inline: |
-        sshca-cli-systemd
+      local: ssh-host-cert-sign@.container
 
   - path: /etc/ssh/sshd_config.d/10-hostcertificate.conf
     mode: 0644
@@ -28,13 +22,24 @@ storage:
       inline: |
         SSHCA_SERVER=https://sshca.pyrocufflink.blue
 
-  links:
-  - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs.target
-    target: /usr/lib/systemd/system/ssh-host-certs.target
-  - path: /etc/systemd/system/after-install.target.wants/ssh-host-certs-renew.timer
-    target: /usr/lib/systemd/system/ssh-host-certs-renew.timer
+  - path: /etc/systemd/system/ssh-host-certs-renew.timer
+    mode: 0644
+    contents:
+      local: ssh-host-certs-renew.timer
+
+  - path: /etc/systemd/system/ssh-host-certs-renew.target
+    mode: 0644
+    contents:
+      local: ssh-host-certs-renew.target
+
+  - path: /etc/systemd/system/ssh-host-certs.service
+    mode: 0644
+    contents:
+      local: ssh-host-certs.service
 
 systemd:
   units:
+  - name: ssh-host-certs.service
+    enabled: true
   - name: ssh-host-certs-renew.timer
     enabled: true