[Unit]
Description=Request %I SSH Host Certificate
After=network-online.target
Wants=network-online.target
Before=ssh-host-certs.service

[Service]
Type=oneshot

[Container]
Image=git.pyrocufflink.net/containerimages/sshca-cli
Pull=newer
EnvironmentFile=/etc/sysconfig/ssh-host-cert-sign
Exec=host sign --output /etc/ssh/ssh_host_%I_key-cert.pub /etc/ssh/ssh_host_%I_key.pub
Volume=/etc/ssh:/etc/ssh:rw
Volume=/sys/firmware:/sys/firmware:ro
Volume=/sys/class/dmi/id:/sys/class/dmi/id:ro
Network=host
SecurityLabelDisable=yes
ContainerName=%p-%i
PodmanArgs=--uts=host
PodmanArgs=--security-opt=unmask=/sys/firmware