94a9ed900fe075a0febba36e0e732eddadb1f46f
To initiate the automatic host provisioning process, a new machine must trigger the _POST /host/online_ webhook. Included in the request are the hostname of the new machine and its SSH host public keys. Optionally, the request can also contain the name of a branch in the configuration policy repository. For virtual machines, this branch name can be specified by a QEMU `fw_cfg` option. The `fw_cfg` values in sysfs are only readable by root, so the service must run as root, but it does not need any additional privileges, so we can use systemd sandbox features to restrict it. This feature is enabled by default for virtual machines. I haven't quite figured out how to do the branch selection for physical machines yet, but I will enable it for them once I do.
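A sketch of the client side of the request described in the commit message above, added here as an example and not taken from this repository. The fw_cfg item name `opt/example.provision/branch`, the form field names and the function names are assumptions; the branch value is checked before use because it arrives from outside the guest and ends up naming a ref in the policy repository.

```sh
#!/bin/sh
# Added example, not code from this repository. Hypothetical names: the fw_cfg
# item, the form fields (hostname, sshkeys, branch) and both functions.
LC_ALL=C; export LC_ALL
FW_CFG_DIR=${FW_CFG_DIR:-/sys/firmware/qemu_fw_cfg/by_name}
FW_CFG_ITEM=${FW_CFG_ITEM:-opt/example.provision/branch}
SSH_DIR=${SSH_DIR:-/etc/ssh}

# Print the branch name supplied through fw_cfg. Returns 0 with no output when
# the item is absent, 1 when the value is not a plain branch name.
read_branch() {
    raw="$FW_CFG_DIR/$FW_CFG_ITEM/raw"     # root-only in sysfs
    [ -r "$raw" ] || return 0
    branch=$(head -c 256 "$raw" | tr -d '\r\n')
    case $branch in
        ''|-*|/*|*/|*..*|*//*|*[!A-Za-z0-9._/-]*)
            echo "ignoring invalid branch name from fw_cfg" >&2
            return 1 ;;
    esac
    printf '%s\n' "$branch"
}

# POST hostname, SSH host public keys and (if valid) the branch to the webhook.
# curl URL-encodes each field; CURL can be overridden for a dry run.
send_online() {
    url=$1
    set -- --fail --silent --show-error \
        --data-urlencode "hostname=${HOST_NAME:-$(uname -n)}"
    for f in "$SSH_DIR"/ssh_host_*_key.pub; do
        [ -r "$f" ] || continue
        set -- "$@" --data-urlencode "sshkeys@$f"
    done
    if branch=$(read_branch) && [ -n "$branch" ]; then
        set -- "$@" --data-urlencode "branch=$branch"
    fi
    ${CURL:-curl} "$@" "$url"
}

# Usage: provision-online.sh https://<server>/host/online
if [ "$#" -gt 0 ]; then
    send_online "$1"
fi
```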