[Unit]
Description=Layer packages with rpm-ostree
Wants=network-online.target
After=network-online.target
# We run before `zincati.service` to avoid conflicting rpm-ostree
# transactions.
Before=zincati.service
ConditionPathExists=!/var/lib/additional-packages.stamp

[Service]
Type=oneshot
RemainAfterExit=yes
# `--allow-inactive` ensures that rpm-ostree does not return an error
# if the package is already installed. This is useful if the package is
# added to the root image in a future Fedora CoreOS release as it will
# prevent the service from failing.
ExecStart=/usr/bin/rpm-ostree install -y --allow-inactive firewalld fail2ban fail2ban-firewalld setroubleshoot-server setools smartmontools
ExecStart=/bin/touch /var/lib/additional-packages.stamp
ExecStart=/bin/systemctl enable configure-firewalld.service enable-all-quadlets.service move-downloads-nextcloud.timer copy-music.timer
ExecStart=semanage fcontext -a -t bin_t "/var/opt/bin(/.*)?"
ExecStart=semanage fcontext -a -t bin_t "/root/scripts(/.*)?"
ExecStart=restorecon -vR /var/opt/bin
ExecStart=restorecon -vR /root/scripts
ExecStart=/bin/systemctl --no-block reboot

[Install]
WantedBy=multi-user.target