From e7017d76ae14745945455013cc41736ee4402a8c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Wed, 10 Sep 2025 11:29:28 -0400 Subject: [PATCH] wip --- .../flightctl-agent.service.d/override.conf | 3 ++ .../hooks.d/afterupdating/30-nextcloud.yaml | 4 +++ .../root/etc/systemd/system/nextcloud.target | 2 ++ bootc/scenario3a/Containerfile | 1 + .../check/required.d/30_nextcloud_check.sh | 2 -- .../etc/libvirt/qemu/networks/default.xml | 4 +-- .../scenario3a/root/etc/nftables/libvirt.nft | 16 ++++++++++ .../root/etc/sysconfig/nftables.conf | 1 + .../etc/systemd/system/bootstrap-vm@.service | 4 +-- .../root/usr/local/bin/bootstrap-vm.sh | 15 ++++++++-- .../hooks.d/afterupdating/30-odoo.yaml | 4 +++ .../root/etc/systemd/system/odoo.target | 2 ++ flightctl/fleets.yaml | 29 ++++++++++++++++++- .../sites/default/etc/motd.d/unconfigured | 6 ++++ .../systemd/configs/nextcloud-config.env | 0 .../systemd/configs/nextcloud-config.env | 16 ++++++++++ .../sites/default/etc/motd.d/unconfigured | 6 ++++ .../systemd/villeneuve-d-ascq/odoo-config.env | 4 +++ .../systemd/villeneuve-d-ascq/odoo-config.env | 4 +++ 19 files changed, 112 insertions(+), 11 deletions(-) create mode 100644 bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf create mode 100644 bootc/scenario1/root/etc/flightctl/hooks.d/afterupdating/30-nextcloud.yaml create mode 100755 bootc/scenario3a/root/etc/nftables/libvirt.nft create mode 100644 bootc/scenario3a/root/etc/sysconfig/nftables.conf mode change 100644 => 100755 bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh create mode 100644 bootc/scenario4/root/etc/flightctl/hooks.d/afterupdating/30-odoo.yaml create mode 100644 flightctl/scenario1/sites/default/etc/motd.d/unconfigured rename flightctl/scenario1/{ => sites/paris-wagram}/etc/containers/systemd/configs/nextcloud-config.env (100%) create mode 100644 flightctl/scenario1/sites/villeneuve-d-ascq/etc/containers/systemd/configs/nextcloud-config.env create mode 100644 flightctl/scenario3a/sites/default/etc/motd.d/unconfigured create mode 
100644 flightctl/scenario3a/sites/paris-wagram/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env create mode 100644 flightctl/scenario3a/sites/villeneuve-d-ascq/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env diff --git a/bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf b/bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf new file mode 100644 index 0000000..327f856 --- /dev/null +++ b/bootc/base/root/etc/systemd/system/flightctl-agent.service.d/override.conf @@ -0,0 +1,3 @@ +[Service] +# If the config file has been injected into the qcow2 image in /var, move it to the right place +ExecStartPre=/bin/bash -Eeuo pipefail -c 'if [ -f /var/lib/flightctl/config.yaml -a ! -f /etc/flightctl/config.yaml ]; then mv /var/lib/flightctl/config.yaml /etc/flightctl/config.yaml; restorecon -RF /etc/flightctl/config.yaml; fi' diff --git a/bootc/scenario1/root/etc/flightctl/hooks.d/afterupdating/30-nextcloud.yaml b/bootc/scenario1/root/etc/flightctl/hooks.d/afterupdating/30-nextcloud.yaml new file mode 100644 index 0000000..b57fe9f --- /dev/null +++ b/bootc/scenario1/root/etc/flightctl/hooks.d/afterupdating/30-nextcloud.yaml @@ -0,0 +1,4 @@ +- if: + - path: /etc/containers/systemd/configs/nextcloud-config.env + op: [created, updated, removed] + run: systemctl restart nextcloud.target diff --git a/bootc/scenario1/root/etc/systemd/system/nextcloud.target b/bootc/scenario1/root/etc/systemd/system/nextcloud.target index c045880..5fef999 100644 --- a/bootc/scenario1/root/etc/systemd/system/nextcloud.target +++ b/bootc/scenario1/root/etc/systemd/system/nextcloud.target 
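Review bot: The moved agent config keeps whatever mode it had under /var/lib/flightctl, and the bootstrap script in this same patch says that file carries the enrollment certificates, so the ExecStartPre should also tighten it before the agent reads it (assuming the agent runs as root), e.g. `mv /var/lib/flightctl/config.yaml /etc/flightctl/config.yaml; chmod 0600 /etc/flightctl/config.yaml; restorecon -RF /etc/flightctl/config.yaml`. While here, `[ -f A -a ! -f B ]` is the obsolescent test form; `[ -f /var/lib/flightctl/config.yaml ] && [ ! -f /etc/flightctl/config.yaml ]` is the portable spelling. Whether /etc/flightctl already exists on a fresh image is not visible from the hunk; a `mkdir -p /etc/flightctl` before the mv would make the move robust either way.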
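Review bot: `systemctl restart nextcloud.target` most likely does not make the services re-read an updated env file: restarting a target re-runs only the target unit itself, and its Wants= services keep running with their old environment unless they declare `PartOf=nextcloud.target`, which nothing in this patch shows them doing. Either add `PartOf=nextcloud.target` to each nextcloud-*.service (or its quadlet) or have the hook restart the services explicitly. The same applies to 30-odoo.yaml in bootc/scenario4. A one-line comment in the hook stating the assumption, e.g. `# relies on the nextcloud-* services declaring PartOf=nextcloud.target`, would make the dependency visible to whoever edits the units later.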
@@ -5,6 +5,8 @@ Wants=nextcloud-db.service nextcloud-redis.service nextcloud-app.service nextclo After=nextcloud-db.service nextcloud-redis.service nextcloud-app.service nextcloud-nginx.service # Allow isolation - can stop/start this target independently AllowIsolate=yes +# Only start if Nextcloud has been configured +ConditionPathExists=/etc/containers/systemd/configs/nextcloud-config.env [Install] WantedBy=multi-user.target diff --git a/bootc/scenario3a/Containerfile b/bootc/scenario3a/Containerfile index c6d3b77..ceaf4f8 100644 --- a/bootc/scenario3a/Containerfile +++ b/bootc/scenario3a/Containerfile @@ -5,4 +5,5 @@ ADD --chown=root:root root / RUN < - + - + diff --git a/bootc/scenario3a/root/etc/nftables/libvirt.nft b/bootc/scenario3a/root/etc/nftables/libvirt.nft new file mode 100755 index 0000000..ae8ec5d --- /dev/null +++ b/bootc/scenario3a/root/etc/nftables/libvirt.nft @@ -0,0 +1,16 @@ +#!/usr/sbin/nft -f + +destroy table ip libvirt-nat + +table ip libvirt-nat { + chain Pre-Routing { + type nat hook prerouting priority dstnat + policy accept + + # Log incoming packets + iifname != lo iifname != virbr0 log prefix "PREROUTING: " + + # Redirect port 80 to the Nextcloud VM + ip daddr 192.168.2.0/24 iifname != "virbr0" tcp dport { 80 } counter dnat to 192.168.122.2 + } +} diff --git a/bootc/scenario3a/root/etc/sysconfig/nftables.conf b/bootc/scenario3a/root/etc/sysconfig/nftables.conf new file mode 100644 index 0000000..d0e254c --- /dev/null +++ b/bootc/scenario3a/root/etc/sysconfig/nftables.conf @@ -0,0 +1 @@ +include "/etc/nftables/libvirt.nft" diff --git a/bootc/scenario3a/root/etc/systemd/system/bootstrap-vm@.service b/bootc/scenario3a/root/etc/systemd/system/bootstrap-vm@.service index 96e4a6c..508b19e 100644 --- a/bootc/scenario3a/root/etc/systemd/system/bootstrap-vm@.service +++ b/bootc/scenario3a/root/etc/systemd/system/bootstrap-vm@.service 
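Review bot: `ConditionPathExists=` on the target will not keep the Nextcloud services from starting: as far as I recall, conditions are evaluated only when the target's own job executes, after its Wants= dependencies have already been queued, so on an unconfigured device nextcloud-db/redis/app/nginx are still started (and presumably fail on the missing env file) while only the target is reported as skipped. If the intent is to gate the whole stack, the condition needs to sit on each service as well, or the services should tolerate the missing file (`EnvironmentFile=-/etc/containers/systemd/configs/nextcloud-config.env`) and carry their own condition. odoo.target in bootc/scenario4 has the same pattern in this patch.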
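Review bot: The log rule matches every non-loopback, non-virbr0 packet reaching prerouting with no rate limit, so any traffic hitting the host on any port can flood the journal; add a limit, e.g. `iifname != lo iifname != "virbr0" limit rate 10/second burst 20 packets log prefix "PREROUTING: "`, or drop the rule once debugging is finished. The DNAT matches `ip daddr 192.168.2.0/24`, i.e. the whole site subnet rather than the host's own address, which is broader than a port-forward needs; narrowing it to the host address (or `fib daddr type local`) stops the host from redirecting traffic addressed to other machines on the LAN. The target 192.168.122.2 presumably depends on a fixed lease for DOMAIN_MAC_ADDRESS in default.xml, whose hunk is not readable in this patch, and on libvirt's own forward rules for the default network admitting new inbound connections to the guest; a comment stating both assumptions next to the rule would help the next reader. Minor: `virbr0` is quoted in one rule and bare in the other.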
@@ -3,13 +3,11 @@ Description=RHDE VM Bootstrap Service Documentation=man:systemd.service(5) # Only start if the VM root disk does not exist -#ConditionPathExists=!/var/lib/libvirt/images/%i/root.qcow2 -ConditionPathExists=/dummy +ConditionPathExists=!/var/lib/libvirt/images/%i/root.qcow2 [Service] Type=oneshot Persistent=true -#ExecStartPre=/usr/local/bin/configure-network.sh ExecStart=/usr/local/bin/bootstrap-vm.sh %i EnvironmentFile=/etc/default/bootstrap-vm-%i.env diff --git a/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh b/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh old mode 100644 new mode 100755 index 0ed35e9..4033310 --- a/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh +++ b/bootc/scenario3a/root/usr/local/bin/bootstrap-vm.sh @@ -9,7 +9,15 @@ fi VM="${1}" -cp -a "/usr/local/libvirt/images/nextcloud/qcow2/disk.qcow2" "/var/lib/libvirt/images/${VM}/root.qcow2" +mkdir -p "/var/lib/libvirt/images/${VM}" +cp -a "/usr/local/libvirt/images/${VM}/qcow2/disk.qcow2" "/var/lib/libvirt/images/${VM}/root.qcow2" + +# Inject the Flightctl configuration file (w/ enrollment certificates) into the VM image +if [ -f /etc/flightctl/config.yaml ]; then + guestfish --add /var/lib/libvirt/images/${VM}/root.qcow2 -m /dev/sda4 <<'EOF' +copy-in /etc/flightctl/config.yaml /ostree/deploy/default/var/lib/flightctl/ +EOF +fi virt-install --name "${VM}" \ --autostart \ @@ -17,9 +25,10 @@ virt-install --name "${VM}" \ --vcpus=${DOMAIN_VCPUS} \ --ram=${DOMAIN_RAM} \ --os-variant=${DOMAIN_OS_VARIANT} \ - --disk=path=/var/lib/libvirt/images/${VM}/root.qcow2,bus=virtio,format=qcow2,size=${DOMAIN_DISK_SIZE}G \ + --disk=path=/var/lib/libvirt/images/${VM}/root.qcow2,bus=virtio,format=qcow2,size=${DOMAIN_DISK_SIZE} \ --console=pty,target_type=virtio \ --serial=pty \ --graphics=none \ --import \ - --network=network=bridged,mac=${DOMAIN_MAC_ADDRESS} + --network=network=default,mac=${DOMAIN_MAC_ADDRESS} \ + --noautoconsole 
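Review bot: The restored condition keys off the root disk image, but bootstrap-vm.sh creates that image with `cp -a` before guestfish and virt-install run, so a failure in either later step leaves root.qcow2 in place and the service will never retry on the next boot. A dedicated marker written as the script's last step (e.g. `ConditionPathExists=!/var/lib/libvirt/images/%i/.bootstrapped`, with the script touching that file after virt-install succeeds) avoids a half-bootstrapped VM being treated as done. Unchanged context, but `Persistent=true` is a [Timer] setting with no meaning in [Service]; systemd will warn about the unknown key at load time.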
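Review bot: The guestfish line expands `${VM}` unquoted while every other path in the script is quoted; `guestfish --add "/var/lib/libvirt/images/${VM}/root.qcow2" -m /dev/sda4 <<'EOF'` keeps it consistent. The partition (`/dev/sda4`) and the ostree deployment path are assumptions about the guest image layout that will silently break when the base image is rebuilt; a comment naming the image layout they match, e.g. `# Layout of the bootc qcow2: /dev/sda4 is the root filesystem, default ostree deployment`, would document that. Since config.yaml carries the enrollment certificates, it is worth confirming what mode copy-in gives the file inside the guest rather than relying on the later fix-up in override.conf, and whether `set -e` is in effect so a failed copy-in aborts before virt-install (the script header is outside the hunk).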
diff --git a/bootc/scenario4/root/etc/flightctl/hooks.d/afterupdating/30-odoo.yaml b/bootc/scenario4/root/etc/flightctl/hooks.d/afterupdating/30-odoo.yaml new file mode 100644 index 0000000..f570c56 --- /dev/null +++ b/bootc/scenario4/root/etc/flightctl/hooks.d/afterupdating/30-odoo.yaml @@ -0,0 +1,4 @@ +- if: + - path: /etc/containers/systemd/configs/odoo-config.env + op: [created, updated, removed] + run: systemctl restart odoo.target diff --git a/bootc/scenario4/root/etc/systemd/system/odoo.target b/bootc/scenario4/root/etc/systemd/system/odoo.target index 59e9fae..76393d3 100644 --- a/bootc/scenario4/root/etc/systemd/system/odoo.target +++ b/bootc/scenario4/root/etc/systemd/system/odoo.target @@ -5,6 +5,8 @@ Wants=odoo-db.service odoo-init.service odoo-app.service After=odoo-db.service odoo-init.service odoo-app.service # Allow isolation - can stop/start this target independently AllowIsolate=yes +# Only start if Odoo has been configured +ConditionPathExists=/etc/containers/systemd/configs/odoo-config.env [Install] WantedBy=multi-user.target diff --git a/flightctl/fleets.yaml b/flightctl/fleets.yaml index a4bee12..46acbff 100644 --- a/flightctl/fleets.yaml +++ b/flightctl/fleets.yaml @@ -22,7 +22,7 @@ spec: - name: scenario1-config configType: GitConfigProviderSpec gitRef: - path: /flightctl/scenario1 + path: /flightctl/scenario1/sites/{{ getOrDefault .metadata.labels "site" "default" }}/ repository: demo-edge-retail targetRevision: main systemd: 
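Review bot: The git path is now built from the device's `site` label, so every label value in use must have a matching `sites/<value>/` directory in the repo; a mistyped or unknown value presumably makes the config provider fail rather than fall back to `default`, and a comment next to the template would make that contract explicit, e.g. `# the "site" label must name a directory under flightctl/scenario1/sites/ (default: sites/default)`. Because the selected directory also carries that site's admin credentials, the label effectively decides which site's secrets a device receives, so who may set or change that label on the Flightctl side should be restricted accordingly.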
@@ -32,6 +32,33 @@ spec: --- apiVersion: flightctl.io/v1alpha1 kind: Fleet +metadata: + annotations: {} + labels: + scenario: '3a' + name: scenario3a +spec: + selector: + matchLabels: + scenario: '3a' + type: 'baremetal' + template: + metadata: + labels: + fleet: scenario3a + spec: + applications: [] + config: [] + os: + image: edge-registry.itix.fr/demo-edge-retail/scenario3a:latest + systemd: + matchPatterns: + - bootstrap-vm@nextcloud.service + - libvirtd.service + - nftables.service +--- +apiVersion: flightctl.io/v1alpha1 +kind: Fleet metadata: annotations: {} labels: diff --git a/flightctl/scenario1/sites/default/etc/motd.d/unconfigured b/flightctl/scenario1/sites/default/etc/motd.d/unconfigured new file mode 100644 index 0000000..af8dfa1 --- /dev/null +++ b/flightctl/scenario1/sites/default/etc/motd.d/unconfigured @@ -0,0 +1,6 @@ + + +HEADS UP !!! + +This system is not configured ! + diff --git a/flightctl/scenario1/etc/containers/systemd/configs/nextcloud-config.env b/flightctl/scenario1/sites/paris-wagram/etc/containers/systemd/configs/nextcloud-config.env similarity index 100% rename from flightctl/scenario1/etc/containers/systemd/configs/nextcloud-config.env rename to flightctl/scenario1/sites/paris-wagram/etc/containers/systemd/configs/nextcloud-config.env diff --git a/flightctl/scenario1/sites/villeneuve-d-ascq/etc/containers/systemd/configs/nextcloud-config.env b/flightctl/scenario1/sites/villeneuve-d-ascq/etc/containers/systemd/configs/nextcloud-config.env new file mode 100644 index 0000000..eca8888 --- /dev/null +++ b/flightctl/scenario1/sites/villeneuve-d-ascq/etc/containers/systemd/configs/nextcloud-config.env 
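Review bot: The new scenario3a fleet declares `config: []`, so none of the files added under flightctl/scenario3a/sites/ in this patch (the motd and the two odoo-config.env files) is actually delivered to those devices. Either add a GitConfigProviderSpec mirroring the scenario1 one with the same `sites/{{ getOrDefault .metadata.labels "site" "default" }}/` path, or hold the files back until it exists, so the fleet definition and the repo layout do not drift apart.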
@@ -0,0 +1,16 @@ +## +## Nextcloud Configuration Environment Variables +## + +# Nextcloud domain configuration +NEXTCLOUD_TRUSTED_DOMAINS=adlink-dlap-4001.itix.fr +OVERWRITEHOST=adlink-dlap-4001.itix.fr +OVERWRITEPROTOCOL=http +OVERWRITECLIURL=http://adlink-dlap-4001.itix.fr + +# Nextcloud admin credentials +NEXTCLOUD_ADMIN_USER=admin +NEXTCLOUD_ADMIN_PASSWORD=nextcloud + +# Nextcloud server info token +NEXTCLOUD_SERVERINFO_TOKEN=S3cr3t! diff --git a/flightctl/scenario3a/sites/default/etc/motd.d/unconfigured b/flightctl/scenario3a/sites/default/etc/motd.d/unconfigured new file mode 100644 index 0000000..af8dfa1 --- /dev/null +++ b/flightctl/scenario3a/sites/default/etc/motd.d/unconfigured @@ -0,0 +1,6 @@ + + +HEADS UP !!! + +This system is not configured ! + diff --git a/flightctl/scenario3a/sites/paris-wagram/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env b/flightctl/scenario3a/sites/paris-wagram/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env new file mode 100644 index 0000000..b70e44c --- /dev/null +++ b/flightctl/scenario3a/sites/paris-wagram/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env @@ -0,0 +1,4 @@ +DATABASE=redhat +ADMIN_PASSWORD=R3dH4t! +RIBBON_COLOR=rgba(255,0,0,.6) +RIBBON_NAME=Paris Wagram
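Review bot: This file commits a Nextcloud admin password and the serverinfo token in clear text (`NEXTCLOUD_ADMIN_PASSWORD=nextcloud`, `NEXTCLOUD_SERVERINFO_TOKEN=S3cr3t!`), and the same holds for `ADMIN_PASSWORD` in both scenario3a odoo-config.env files later in the patch; the paris-wagram nextcloud-config.env renamed here presumably has the same content. Even for a demo these should be marked as placeholders or sourced from a secret-capable config provider, and the rendered file should be root-only on the device (the mode the git provider applies is not visible here). Also `OVERWRITEPROTOCOL=http` together with `OVERWRITECLIURL=http://...` means the admin login travels unencrypted; if TLS is terminated in front of the host, a comment saying so would answer the obvious question.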
({db_name}) diff --git a/flightctl/scenario3a/sites/villeneuve-d-ascq/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env b/flightctl/scenario3a/sites/villeneuve-d-ascq/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env new file mode 100644 index 0000000..efa44bf --- /dev/null +++ b/flightctl/scenario3a/sites/villeneuve-d-ascq/etc/containers/systemd/villeneuve-d-ascq/odoo-config.env @@ -0,0 +1,4 @@ +DATABASE=redhat +ADMIN_PASSWORD=R3dH4t! +RIBBON_COLOR=rgba(0,0,255,.6) +RIBBON_NAME=Villeneuve d'Ascq
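Review bot: This file lands at `etc/containers/systemd/villeneuve-d-ascq/odoo-config.env` under the paris-wagram site, but 30-odoo.yaml and odoo.target in this same patch watch `/etc/containers/systemd/configs/odoo-config.env`; the `villeneuve-d-ascq` directory component inside the paris-wagram tree looks like a copy-paste of the sibling file, and with this path the hook never fires and the target's condition is never met. The villeneuve-d-ascq file in the next hunk has the same `villeneuve-d-ascq/` component where `configs/` is expected. Separately, both odoo files sit under flightctl/scenario3a while the odoo units live in bootc/scenario4, so it is unclear which fleet is meant to ship them.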
({db_name})