From 6c02a4672c30b73ba5491c331e0c5a85b93e3f27 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 28 Dec 2024 12:15:06 -0600
Subject: [PATCH] fedora-rpi: Start chrony-wait before host certs

On machines without an RTC, the clock will likely be very wrong on first boot when system tries to obtain the initial SSH host certificates. This results in the SSHCA server rejecting the request because the authorization token has expired. To avoid this, we need to ensure the clock is set before attempting to have the certificates signed.
---
 fedora-rpi.ks | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/fedora-rpi.ks b/fedora-rpi.ks
index 5a0bebe..a5d84cb 100644
--- a/fedora-rpi.ks
+++ b/fedora-rpi.ks
@@ -26,4 +26,13 @@ uboot-images-armv8
 cp -P /usr/share/uboot/rpi_arm64/u-boot.bin /boot/efi/rpi-u-boot.bin
 grubby --args='quiet systemd.show_status=1' --update-kernel=ALL
+
+systemctl enable chrony-wait
+# Ensure clock is synchronized before trying to get host certs signed
+mkdir -p /etc/systemd/system/ssh-host-cert-sign@.service.d
+cat > /etc/systemd/system/ssh-host-cert-sign@.service.d/time-sync.conf <