# Butane config for a Fedora CoreOS host; rendered to Ignition with:
#   butane --pretty --strict main.bu -d . | save -f main.ign
# NOTE(review): `save -f` looks like a Nushell builtin - confirm the shell.
# `-d .` lets the `trees:` entries below embed local directories, so
# main.ign contains everything in them plus the password hash. Treat
# main.ign, and any channel that delivers it to the machine, as sensitive.
variant: fcos
version: 1.5.0

passwd:
  users:
    - name: core
      # NOTE(review): this hash is readable by anyone who can read this file
      # or the rendered main.ign, which allows offline guessing. The
      # commented-out sshd drop-in further down says Fedora CoreOS disables
      # SSH password login by default, so the password presumably only
      # serves console login - confirm it is needed at all.
      password_hash: $y$j9T$Ww5YZpVbpY474eIDLe3Pj/$D79wYZxooJyVKJTeodhyJ53c1dE2Kituh0cY3Nqw4AA
      # Public key authorised for SSH login as `core`.
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILqathM/KAjYvI4NzwDs4UJxVcMyv+xwYt0axPP7HzmZ

systemd:
  units:
    # Installing customisations as a layered package with rpm-ostree
    # NOTE(review): this unit and the firewalld/fail2ban units below are
    # disabled, so this file configures no host firewall or ban policy.
    # Exposure then depends on what the containers publish and on any
    # upstream filtering - confirm that is intended.
    # - name: rpm-ostree-install-packages.service
    #   enabled: true
    #   # cockpit-certificates cockpit-tailscale
    #   # cockpit-system cockpit-ostree cockpit-podman cockpit-storaged cockpit-networkmanager cockpit-ostree cockpit-selinux cockpit-kdump cockpit-sosreport cockpit-pcp
    #   # --disablerepo fedora-cisco-openh264
    #   contents: |
    #     [Unit]
    #     Description=Layer packages with rpm-ostree
    #     Wants=network-online.target
    #     After=network-online.target
    #     # We run before `zincati.service` to avoid conflicting rpm-ostree
    #     # transactions.
    #     Before=zincati.service
    #     ConditionPathExists=!/var/lib/%N.stamp
    #     [Service]
    #     Type=oneshot
    #     RemainAfterExit=yes
    #     # `--allow-inactive` ensures that rpm-ostree does not return an error
    #     # if the package is already installed. This is useful if the package is
    #     # added to the root image in a future Fedora CoreOS release as it will
    #     # prevent the service from failing.
    #     ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive fail2ban fail2ban-firewalld firewalld
    #     ExecStart=/bin/touch /var/lib/%N.stamp
    #     [Install]
    #     WantedBy=multi-user.target

    # System-level (rootful) Podman API socket and service.
    # NOTE(review): anything that can talk to this socket can create
    # privileged containers and is therefore root-equivalent on the host.
    # Check which units under containers/ mount it (presumably Traefik, for
    # container discovery - confirm) and keep the socket out of any
    # network-facing container that does not need it.
    - name: podman.socket
      enabled: true
    - name: podman.service
      enabled: true
    # - name: firewalld.service
    #   enabled: true
    # - name: pmlogger.service
    #   enabled: true
    # - name: fail2ban.service
    #   enabled: true
    # - name: cockpit.service
    #   enabled: true

storage:
  # Data directories for the services. No mode/user/group is set, so
  # Butane/Ignition defaults apply (root-owned, 0755 per the Butane spec -
  # verify). NOTE(review): kanidm_data presumably holds the identity
  # database; consider an explicit restrictive mode and owner.
  directories:
    - path: /var/opt/thelounge
    - path: /var/srv/traefik
    - path: /var/opt/kanidm_data
    # - path: /var/opt/mysql-database
    # - path: /var/opt/pterodactyl
    # - path: /var/opt/pterodactyl/panel/nginx
    # - path: /var/opt/pterodactyl/panel/var
    # - path: /var/opt/pterodactyl/panel/logs
    # - path: /etc/firewalld
    #   mode: 0750

  # See: https://docs.fedoraproject.org/en-US/fedora-coreos/storage/
  # filesystems:
  #   - device: /dev/disk/by-partlabel/var
  #     label: var
  #     format: xfs
  #     wipe_filesystem: false
  #     path: /var
  #     with_mount_unit: true

  # Local directories (relative to the `-d` path) copied onto the host.
  # NOTE(review): per the Butane spec, tree files get mode 0644 (0755 if
  # executable locally) - verify. Any key material or tokens under
  # traefik/ or kanidm/ would land world-readable and would also be
  # embedded in main.ign; give such files an explicit `files:` entry with
  # a tighter mode instead.
  trees:
    - local: containers
      path: /etc/containers/systemd
    - local: traefik
      path: /etc/traefik
    - local: kanidm
      path: /etc/kanidm
    # - local: images
    #   path: /var/opt/images

  files:
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: jade-personal1

    # Left disabled: SSH stays key-only. Enabling this drop-in would expose
    # the `core` password to online guessing over SSH.
    # - path: /etc/ssh/sshd_config.d/20-enable-passwords.conf
    #   mode: 0644
    #   contents:
    #     inline: |
    #       # Fedora CoreOS disables SSH password login by default.
    #       # Enable it.
    #       # This file must sort before 40-disable-passwords.conf.
    #       PasswordAuthentication yes

    # Zincati (automatic OS updates): only finalise updates inside a
    # 60-minute window starting 22:30 on Saturday and Sunday.
    # NOTE(review): Zincati window times are UTC unless a time zone is
    # configured - confirm. No `mode:` is given, so Butane's file default
    # applies.
    - path: /etc/zincati/config.d/55-updates-strategy.toml
      contents:
        inline: |
          [updates]
          strategy = "periodic"
          [[updates.periodic.window]]
          days = [ "Sat", "Sun" ]
          start_time = "22:30"
          length_minutes = 60

    - path: /etc/systemd/zram-generator.conf
      mode: 0644
      contents:
        inline: |
          # This config file enables a /dev/zram0 device with the default settings
          [zram0]

    # NetworkManager keyfile for ens3: automatic IPv4, automatic IPv6 plus
    # one static IPv6 address. Keep mode 0600: NetworkManager refuses
    # keyfiles that other users can read.
    - path: /etc/NetworkManager/system-connections/Wired connection 1.nmconnection
      mode: 0600
      contents:
        inline: |
          [connection]
          id=Wired connection 1
          uuid=e8a777c2-85a8-3edc-8895-cd9c9f9c06bc
          type=ethernet
          autoconnect-priority=-999
          interface-name=ens3
          timestamp=1709836038
          [ethernet]
          [ipv4]
          method=auto
          [ipv6]
          addr-gen-mode=default
          address1=2a00:1098:318::1/64
          method=auto
          [proxy]

    # Disabled repo definition. If re-enabled, note that gpgcheck=1 verifies
    # package signatures while repo_gpgcheck=0 leaves repository metadata
    # unverified.
    # - path: /etc/yum.repos.d/fedora-cisco-openh264.repo
    #   contents:
    #     inline: |
    #       [fedora-cisco-openh264]
    #       name=Fedora $releasever openh264 (From Cisco) - $basearch
    #       metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-$releasever&arch=$basearch
    #       type=rpm
    #       enabled=0
    #       metadata_expire=14d
    #       repo_gpgcheck=0
    #       gpgcheck=1
    #       gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
    #       skip_if_unavailable=True
    #       [fedora-cisco-openh264-debuginfo]
    #       name=Fedora $releasever openh264 (From Cisco) - $basearch - Debug
    #       metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-cisco-openh264-debug-$releasever&arch=$basearch
    #       type=rpm
    #       enabled=0
    #       metadata_expire=14d
    #       repo_gpgcheck=0
    #       gpgcheck=1
    #       gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
    #       skip_if_unavailable=True