Dustin C. Hatch
196ce46d54
The *apply-config-policy* service does what it says on the tin. It fetches the *cfg.git* repository and applies the configuration policy therein for the current host. This is a privileged container with practically allisolation disabled, to allow the configuration tools to manage the system.
28 lines
558 B
Plaintext
28 lines
558 B
Plaintext
# vim: set ft=systemd :
|
|
[Unit]
|
|
Description=Apply Configuration Policy
|
|
Wants=network-online.target
|
|
After=network-online.target
|
|
After=install-packages.service
|
|
After=ssh-host-certs.service
|
|
|
|
[Container]
|
|
Image=git.pyrocufflink.net/infra/cfg:latest
|
|
Pull=newer
|
|
Environment=RUST_LOG=debug
|
|
Volume=/:/host:rw
|
|
Volume=/run:/run:rw
|
|
Tmpfs=/root
|
|
ReadOnly=true
|
|
VolatileTmp=true
|
|
SecurityLabelDisable=true
|
|
PodmanArgs=--uts=host --cgroupns=host --ipc=host --pid=host --privileged
|
|
Network=host
|
|
LogDriver=passthrough
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|