Remove unnecessary config

Signed-off-by: Tommy <contact@tommytran.io>
Add docker-auto-update
2025-10-14 18:28:51 +02:00 · 2025-06-12 09:16:14 -07:00 · 2025-06-12 02:55:44 -07:00 · 2025-06-12 02:38:28 -07:00 · 2025-06-12 02:37:49 -07:00 · 2025-06-10 14:39:31 -07:00
3 changed files with 38 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -1,8 +1,8 @@
 # Fedora-CoreOS-Ignition
 Ignition configurations for Fedora CoreOS<br />
-# Notes
+## Notes
 These configurations are tailored for Metropolis.nexus environment:
 - Firewalling is handled by Proxmox (not the individual VMs)
 - DNSSEC validation is done by either OPNsense or a central VM dedicated to running the DNS resolver
- Podman will be used for deployment, not Docker
+- The `docker-auto-update@.timer` in `/etc/systemd/system` can be enabled to have automatic updates for your containers created by Docker Compose.
--- a/x86.ign
+++ b/x86.ign
--- a/x86.yml
+++ b/x86.yml
@@ -36,6 +36,7 @@ systemd:
        After=systemd-machine-id-commit.service
        After=network-online.target
        Before=zincati.service
        ConditionPathExists=!/var/lib/%N.stamp
        [Service]
        Type=oneshot
@@ -44,11 +45,33 @@ systemd:
        ExecStart=/usr/sbin/setsebool -P container_use_cephfs off
        ExecStart=/usr/sbin/setsebool -P virt_use_nfs off
        ExecStart=/usr/sbin/setsebool -P virt_use_samba off
-        ExecStart=/usr/bin/rpm-ostree install hardened_malloc qemu-guest-agent tuned
+        ExecStart=/usr/bin/systemctl start gvisor-auto-update.service
        ExecStart=/usr/bin/rpm-ostree override remove containerd docker-cli moby-engine runc systemd-resolved
        ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin hardened_malloc qemu-guest-agent tuned
        ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
        ExecStart=/usr/bin/systemctl disable --now systemd-resolved
        ExecStart=/usr/bin/rm /etc/resolv.conf
        ExecStart=/usr/bin/touch /var/lib/%N.stamp
        ExecStart=/usr/bin/systemctl --no-block reboot
        [Install]
        WantedBy=multi-user.target
    - name: postinst2.service
      enabled: true
      contents: |
        [Unit]
        ConditionPathExists=/var/lib/postinst.stamp
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
        ExecStart=/usr/bin/systemctl disable postinst
        ExecStart=/usr/bin/rm /etc/systemd/system/postinst.service
-        ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
+        ExecStart=/usr/bin/rm /var/lib/postinst.stamp
        ExecStart=/usr/bin/systemctl disable postinst2
        ExecStart=/usr/bin/rm /etc/systemd/system/postinst2.service
        ExecStart=/usr/bin/systemctl --no-block reboot
        [Install]
@@ -57,8 +80,6 @@ systemd:
    - name: debug-shell.service
      enabled: false
      mask: true 
    - name: docker.service
      enabled: false
    - name: podman-auto-update.timer
      enabled: true
    - name: rpm-ostree-countme.timer
@@ -124,6 +145,13 @@ storage:
      contents:
        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/coredump.conf.d/disable.conf
    - path: /etc/systemd/system/docker-auto-update@.service
      contents:
        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/refs/heads/main/etc/systemd/system/docker-auto-update%40.service
    - path: /etc/systemd/system/docker-auto-update@.timer
      contents:
        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/refs/heads/main/etc/systemd/system/docker-auto-update%40.timer
    - path: /etc/systemd/system/gvisor-auto-update.service
      contents:
        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/system/gvisor-auto-update.service
@@ -154,7 +182,9 @@ storage:
    - path: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
      contents:
        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
-      overwrite: true
+    - path: /etc/yum.repos.d/docker-ce.repo
      contents:
        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/refs/heads/main/etc/yum.repos.d/docker-ce.repo
    - path: /etc/zincati/config.d/51-rollout-wariness.toml
      contents:
Author	SHA1	Message	Date
Tommy	5e7b96e582	Remove unnecessary config Signed-off-by: Tommy <contact@tommytran.io>	2025-06-12 09:16:14 -07:00
Tommy	e93575a87f	Add docker-auto-update Signed-off-by: Tommy <contact@tommytran.io>	2025-06-12 02:55:44 -07:00
Tommy	bffb50dd7a	Make Notes smaller Signed-off-by: Tommy <contact@tommytran.io>	2025-06-12 02:38:28 -07:00
Tommy	48b5df3957	Switch back to Docker Signed-off-by: Tommy <contact@tommytran.io>	2025-06-12 02:37:49 -07:00
Tommy	90b5b42aa9	Download gvisor at first boot Signed-off-by: Tommy <contact@tommytran.io>	2025-06-10 14:39:31 -07:00
Tommy	c193aecd1e	Fix /etc/ld.so.preload handling Signed-off-by: Tommy <contact@tommytran.io>	2025-06-08 03:31:06 -07:00
Tommy	494371382f	Reorganize postinst.service Signed-off-by: Tommy <contact@tommytran.io>	2025-06-08 03:11:52 -07:00