Add sysext policy config for uki mode (#890)

2025-07-31 15:23:34 +00:00 · 2024-06-10 10:10:32 +02:00 · 2024-06-10 10:10:32 +02:00 · d6e7a31eb1
commit d6e7a31eb1
parent 2b83dc4031
2 changed files with 15 additions and 1 deletions
--- a/packages/static/kairos-overlay-files/collection.yaml
+++ b/packages/static/kairos-overlay-files/collection.yaml
@ -1,4 +1,4 @@
 packages:
  - name: "kairos-overlay-files"
    category: "static"
-    version: "1.1.33"
+    version: "1.1.34"
--- a/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml
+++ b/packages/static/kairos-overlay-files/files/system/oem/24_sysext.yaml
@ -10,6 +10,20 @@ stages:
        - path: /usr/lib/extensions
        - path: /usr/local/lib/extensions
  initramfs:
+    - name: "systemd-sysext uki config"
+      if: '[ -e "/run/cos/uki_boot_mode" ] && [ ! -e "/run/cos/recovery_mode" ] && [ ! -e "/run/cos/autoreset_mode" ]'
+      files:
+        - path: /etc/systemd/system/systemd-sysext.service.d/uki.conf
+          permissions: 0644
+          owner: 0
+          group: 0
+          content: |
+            [Service]
+            TimeoutStartSec=10
+            ExecStart=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
+            ExecReload=systemd-sysext refresh --image-policy="root=verity+signed+absent:usr=verity+signed+absent"
+            [Unit]
+            JobRunningTimeoutSec=5
    - name: "systemd-sysext initramfs settings"
      if: '[ -e "/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ] || [ -e "/usr/sbin/systemctl" ] || [ -e "/usr/bin/systemctl" ]'
      systemctl: