Remove unnecessary config

Signed-off-by: Tommy <contact@tommytran.io>

README.md

@@ -1,8 +1,8 @@
 # Fedora-CoreOS-Ignition
 Ignition configurations for Fedora CoreOS<br />
 
-# Notes
+## Notes
 These configurations are tailored for Metropolis.nexus environment:
 - Firewalling is handled by Proxmox (not the individual VMs)
 - DNSSEC validation is done by either OPNsense or a central VM dedicated to running the DNS resolver
-- Podman will be used for deployment, not Docker
+- The `docker-auto-update@.timer` in `/etc/systemd/system` can be enabled to have automatic updates for your containers created by Docker Compose.

x86.yml

@@ -35,8 +35,6 @@ systemd:
         # `ConditionFirstBoot=true` services won't rerun on the next boot.
         After=systemd-machine-id-commit.service
         After=network-online.target
-        # We run before `zincati.service` to avoid conflicting rpm-ostree
-        # transactions.
         Before=zincati.service
         ConditionPathExists=!/var/lib/%N.stamp
 
@@ -47,12 +45,33 @@ systemd:
         ExecStart=/usr/sbin/setsebool -P container_use_cephfs off
         ExecStart=/usr/sbin/setsebool -P virt_use_nfs off
         ExecStart=/usr/sbin/setsebool -P virt_use_samba off
-        ExecStart=/usr/bin/rpm-ostree install hardened_malloc qemu-guest-agent tuned
+        ExecStart=/usr/bin/systemctl start gvisor-auto-update.service
+        ExecStart=/usr/bin/rpm-ostree override remove containerd docker-cli moby-engine runc systemd-resolved
+        ExecStart=/usr/bin/rpm-ostree install docker-ce docker-compose-plugin hardened_malloc qemu-guest-agent tuned
         ExecStart=/usr/bin/sed -i 's/\s+nullok//g' /etc/pam.d/system-auth
-        ExecStart=/usr/bin/systemctl disable systemd-resolved
+        ExecStart=/usr/bin/systemctl disable --now systemd-resolved
         ExecStart=/usr/bin/rm /etc/resolv.conf
         ExecStart=/usr/bin/touch /var/lib/%N.stamp
+        ExecStart=/usr/bin/systemctl --no-block reboot
+
+        [Install]
+        WantedBy=multi-user.target
+
+    - name: postinst2.service
+      enabled: true
+      contents: |
+        [Unit]
+        ConditionPathExists=/var/lib/postinst.stamp
+
+        [Service]
+        Type=oneshot
+        RemainAfterExit=yes
         ExecStart=/usr/bin/echo 'libhardened_malloc.so' > /etc/ld.so.preload
+        ExecStart=/usr/bin/systemctl disable postinst
+        ExecStart=/usr/bin/rm /etc/systemd/system/postinst.service
+        ExecStart=/usr/bin/rm /var/lib/postinst.stamp
+        ExecStart=/usr/bin/systemctl disable postinst2
+        ExecStart=/usr/bin/rm /etc/systemd/system/postinst2.service
         ExecStart=/usr/bin/systemctl --no-block reboot
 
         [Install]
@@ -61,8 +80,8 @@ systemd:
     - name: debug-shell.service
       enabled: false
       mask: true 
-    - name: docker.service
-      enabled: false
+    - name: podman-auto-update.timer
+      enabled: true
     - name: rpm-ostree-countme.timer
       enabled: false
       mask: true
@@ -126,15 +145,29 @@ storage:
       contents:
         source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/coredump.conf.d/disable.conf
 
-    - path: /etc/systemd/system/gvisor-updater.service
+    - path: /etc/systemd/system/docker-auto-update@.service
       contents:
-        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/system/gvisor-updater.service
+        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/refs/heads/main/etc/systemd/system/docker-auto-update%40.service
+    - path: /etc/systemd/system/docker-auto-update@.timer
+      contents:
+        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/refs/heads/main/etc/systemd/system/docker-auto-update%40.timer
+
+    - path: /etc/systemd/system/gvisor-auto-update.service
+      contents:
+        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/system/gvisor-auto-update.service
+    - path: /etc/systemd/system/gvisor-auto-update.timer
+      contents:
+        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/system/gvisor-auto-update.timer
 
     # Annoying AGPL3 license
     - path: /etc/systemd/system/NetworkManager.service.d/99-brace.conf
       contents:
         source: https://gitlab.com/divested/brace/-/raw/master/brace/usr/lib/systemd/system/NetworkManager.service.d/99-brace.conf
 
+    - path: /etc/systemd/system/podman-auto-update.timer.d/override.conf
+      contents:
+        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/system/podman-auto-update.timer.d/override.conf
+
     - path: /etc/systemd/zram-generator.conf
       contents:
         source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/systemd/zram-generator.conf
@@ -149,7 +182,9 @@ storage:
     - path: /etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
       contents:
         source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/yum.repos.d/_copr:copr.fedorainfracloud.org:secureblue:hardened_malloc.repo
-      overwrite: true
+    - path: /etc/yum.repos.d/docker-ce.repo
+      contents:
+        source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/refs/heads/main/etc/yum.repos.d/docker-ce.repo
 
     - path: /etc/zincati/config.d/51-rollout-wariness.toml
       contents:
@@ -159,10 +194,10 @@ storage:
         source: https://raw.githubusercontent.com/Metropolis-nexus/Common-Files/main/etc/zincati/config.d/55-updates-strategy.toml
 
   links:
-    - path: /etc/systemd/system/multi-user.target.wants/gvisor-updater.service
-      target: /etc/systemd/system/gvisor-updater.service
     - path: /etc/systemd/system/multi-user.target.wants/tuned.service
       target: /usr/lib/systemd/system/tuned.service
+    - path: /etc/systemd/system/timers.target.wants/gvisor-auto-update.timer
+      target: /etc/systemd/system/gvisor-auto-update.timer
 
 kernel_arguments:
   should_exist: