first commit

apt-ostree-systemd/systemd/system/apt-ostree-bootstatus.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Log apt-ostree Booted Deployment Status To Journal
+Documentation=man:apt-ostree(1)
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=oneshot
+ExecStart=apt-ostree status -b
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

apt-ostree-systemd/systemd/system/apt-ostree-countme.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Weekly apt-ostree Count Me reporting
+Documentation=man:apt-ostree-countme.service(8)
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=oneshot
+User=apt-ostree
+DynamicUser=yes
+StateDirectory=apt-ostree-countme
+StateDirectoryMode=750
+ExecStart=apt-ostree countme

apt-ostree-systemd/systemd/system/apt-ostree-countme.timer

@@ -0,0 +1,12 @@
+[Unit]
+Description=Weekly apt-ostree Count Me reporting
+Documentation=man:apt-ostree-countme.service(8)
+ConditionPathExists=/run/ostree-booted
+
+[Timer]
+OnCalendar=weekly
+RandomizedDelaySec=1d
+Persistent=true
+
+[Install]
+WantedBy=timers.target

apt-ostree-systemd/systemd/system/apt-ostree-fix-shadow-mode.service

@@ -0,0 +1,25 @@
+[Unit]
+# apt-ostree v2023.6 introduced a permission issue on `/etc/[g]shadow[-]`.
+# This makes sure to fix permissions on systems that were deployed with the wrong permissions.
+Description=Update permissions for /etc/shadow
+Documentation=https://github.com/coreos/rpm-ostree-ghsa-2m76-cwhg-7wv6
+# This new stamp file is written by the Rust code, and obsoletes
+# the old /etc/.apt-ostree-shadow-mode-fixed.stamp
+ConditionPathExists=!/etc/.apt-ostree-shadow-mode-fixed2.stamp
+ConditionPathExists=/run/ostree-booted
+# Filter out non-traditional ostree setups (e.g. live boots)
+ConditionKernelCommandLine=ostree
+# Because we read the sysroot
+RequiresMountsFor=/boot
+# Make sure this is started before any unprivileged (interactive) user has access to the system.
+Before=systemd-user-sessions.service
+
+[Service]
+Type=oneshot
+ExecStart=apt-ostree fix-shadow-perms
+RemainAfterExit=yes
+# So we can remount /sysroot writable in our own namespace
+MountFlags=slave
+
+[Install]
+WantedBy=multi-user.target

apt-ostree-systemd/systemd/system/apt-ostreed-automatic.service

@@ -0,0 +1,8 @@
+[Unit]
+Description=APT-OSTree Automatic Update
+Documentation=man:apt-ostree(1) man:apt-ostreed.conf(5)
+ConditionPathExists=/run/ostree-booted
+
+[Service]
+Type=simple
+ExecStart=apt-ostree upgrade --quiet --trigger-automatic-update-policy

apt-ostree-systemd/systemd/system/apt-ostreed-automatic.timer

@@ -0,0 +1,14 @@
+[Unit]
+Description=APT-OSTree Automatic Update Trigger
+Documentation=man:apt-ostree(1) man:apt-ostreed.conf(5)
+ConditionPathExists=/run/ostree-booted
+After=network-online.target
+Wants=network-online.target
+
+[Timer]
+OnBootSec=1h
+OnUnitInactiveSec=1d
+Persistent=true
+
+[Install]
+WantedBy=timers.target

apt-ostree-systemd/systemd/system/apt-ostreed.service

@@ -0,0 +1,32 @@
+[Unit]
+Description=APT-OSTree System Management Daemon
+Documentation=man:apt-ostree(1)
+ConditionPathExists=/ostree
+RequiresMountsFor=/boot
+
+[Service]
+# See similar code in apt-ostree-countme.service
+User=apt-ostree
+DynamicUser=yes
+# As of right now, our primary API is DBus.  But see also https://github.com/coreos/rpm-ostree/issues/3850
+Type=dbus
+BusName=org.debian.aptostree1
+# To use the read-only sysroot bits
+MountFlags=slave
+# We have no business accessing /var/roothome or /var/home.  In general
+# the ostree design clearly avoids touching those, but since systemd offers
+# us easy tools to toggle on protection, let's use them.  In the future
+# it'd be nice to do something like using DynamicUser=yes for the main service,
+# and have a system apt-ostreed-transaction.service that runs privileged
+# but as a subprocess.
+ProtectHome=true
+NotifyAccess=main
+# Significantly bump this timeout from the default because
+# we do a lot of stuff on daemon startup.
+TimeoutStartSec=5m
+# We start this main process with full privileges; it may spawn unprivileged processes
+# with the apt-ostree user.
+ExecStart=+apt-ostree start-daemon
+ExecReload=apt-ostree reload
+# disable/enable downloading filelists
+Environment="DOWNLOAD_FILELISTS=false"