Add v0.9.1 release notes and update docs

* Deprecate rendering Container Linux Configs
* Use tools like [poseidon/ct](https://github.com/poseidon/terraform-provider-ct) or
[butane](https://coreos.github.io/butane/getting-started/) to validate and convert a
Butane Config (`focs` or `flatcar`) to Ignition (for Matchbox to serve)
* Please migrate to serving CoreOS Ignition directly, the Container
Linux related HTTP and gRPC endpoints will be removed in future

.dockerignore

@@ -1,2 +1,3 @@
-*
-!bin/matchbox
+bin/
+_output/
+

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,36 @@
+---
+name: Bug report
+about: Report a bug to improve the project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!-- READ: Issues are used to receive focused bug reports from users and to track planned future enhancements by the authors. Topics like support, debugging help, advice, and operation are out of scope and should not use issues-->
+
+**Description**
+
+A clear and concise description of what the bug is.
+
+**Steps to Reproduce**
+
+Provide clear steps to reproduce the bug.
+
+- [ ] Relevant error messages if appropriate (concise, not a dump of everything).
+
+**Expected behavior**
+
+A clear and concise description of what you expected to happen.
+
+**Environment**
+
+* OS: fedora-coreos, flatcar-linux (include release version)
+* Release: Matchbox version or Git SHA (reporting latest is **not** helpful)
+
+**Possible Solution**
+
+<!-- Most bug reports should have some inkling about solutions. Otherwise, your report may be less of a bug and more of a support request (see top).-->
+
+Link to a PR or description.
+

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Security
+    url: https://typhoon.psdn.io/topics/security/
+    about: Report security vulnerabilities

.github/dependabot.yaml

@@ -0,0 +1,23 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: daily
+  pull-request-branch-name:
+    separator: "-"
+  open-pull-requests-limit: 3
+- package-ecosystem: docker
+  directory: "/"
+  schedule:
+    interval: daily
+  pull-request-branch-name:
+    separator: "-"
+  open-pull-requests-limit: 3
+- package-ecosystem: pip
+  directory: "/"
+  schedule:
+    interval: weekly
+  pull-request-branch-name:
+    separator: "-"
+  open-pull-requests-limit: 3

.github/workflows/test.yaml

@@ -0,0 +1,26 @@
+name: test
+on:
+  push:
+jobs:
+  build:
+    name: go
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go: ['1.17', '1.18']
+    steps:
+      - name: setup
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{matrix.go}}
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: tools
+        run: go install golang.org/x/lint/golint@latest
+
+      - name: test
+        run: make
+

.travis.yml

@@ -1,29 +0,0 @@
-language: go
-sudo: required
-services:
-  - docker
-go:
-  - "1.11.x"
-  - "1.12.x"
-  - "1.13.x"
-  - "1.13.4"
-install:
-  - GO111MODULE=off go get golang.org/x/lint/golint
-script:
-  - make
-deploy:
-  - provider: script
-    script: scripts/dev/travis-docker-push
-    skip_cleanup: true
-    on:
-      branch: master
-      go: '1.13.4'
-  - provider: script
-    script: contrib/dnsmasq/travis-deploy
-    skip_cleanup: true
-    on:
-      branch: dnsmasq
-      # pick one, so travis deploys once
-      go: '1.11.x'
-notifications:
-  email: change

CHANGES.md

@@ -4,6 +4,35 @@ Notable changes between releases.
 
 ## Latest
 
+## v0.9.1
+
+* Add dependabot Go module update automation ([#833](https://github.com/poseidon/matchbox/pull/833))
+* Build multi-arch container images (amd64, arm64) ([#823](https://github.com/poseidon/matchbox/pull/823))
+* Update Go version (v1.18.4) and alpine base image (v3.16.1)
+* Move `dnsmasq` container image to its own [repo](https://github.com/poseidon/dnsmasq) ([#840](https://github.com/poseidon/matchbox/pull/840))
+* Deprecate rendering Container Linux Configs
+  * Please migrate to serving CoreOS Ignition directly
+  * Use tools like [poseidon/ct](https://github.com/poseidon/terraform-provider-ct) or [butane](https://coreos.github.io/butane/getting-started/) to validate and convert a Butane Config (`focs` or `flatcar`) to Ignition (for Matchbox to serve)
+
+### Docs/Examples
+
+* Migrate docs website to GitHub Pages ([#976](https://github.com/poseidon/matchbox/pull/976))
+* Update Fedora CoreOS images and configuration ([#972](https://github.com/poseidon/matchbox/pull/972))
+* Update Fedora CoreOS initrd karg for UEFI ([#978](https://github.com/poseidon/matchbox/pull/978))
+* Update Flatcar Linux examples to use Ignition v3.3.0 ([#980](https://github.com/poseidon/matchbox/pull/980))
+
+## v0.9.0
+
+* Refresh docs and examples for Fedora CoreOS and Flatcar Linux ([#815](https://github.com/poseidon/matchbox/pull/815), [#816](https://github.com/poseidon/matchbox/pull/816))
+* Update Kubernetes manifest examples ([#791](https://github.com/poseidon/matchbox/pull/791), [#817](https://github.com/poseidon/matchbox/pull/817))
+* Update Matchbox container image publishing ([#795](https://github.com/poseidon/matchbox/pull/795))
+  * Publish Matchbox images from internal infra to Quay (`quay.io/poseidon/matchbox`)
+  * Update Go version from v1.13.4 to v1.14.9
+  * Update base image from `alpine:3.10` to `alpine:3.12` ([#784](https://github.com/poseidon/matchbox/pull/784))
+* Include `contrib/k8s` in release tarballs ([#788](https://github.com/poseidon/matchbox/pull/788))
+* Remove outdated systemd units ([#817](https://github.com/poseidon/matchbox/pull/817))
+* Remove RPM spec file (Copr publishing stopped in v0.6)
+
 ## v0.8.3
 
 * Publish docs to [https://matchbox.psdn.io](https://matchbox.psdn.io/) ([#769](https://github.com/poseidon/matchbox/pull/769))
@@ -97,7 +126,7 @@ Note: Release signing key [has changed](https://github.com/poseidon/matchbox/blo
 * Use etcd3 by default in all clusters (remove etcd2 clusters)
 * Add Terraform examples for etcd3 and self-hosted Kubernetes 1.6.1
 
-## v0.5.0 (2017-01-23) 
+## v0.5.0 (2017-01-23)
 
 * Rename project to CoreOS `matchbox`!
 * Add Profile `args` field to list kernel args
@@ -179,7 +208,7 @@ Note: Release signing key [has changed](https://github.com/poseidon/matchbox/blo
     * Allow Fuze YAML template files for Ignition 2.0.0 (#141)
     * Stop requiring Ignition templates to use file extensions (#176)
 * Logging Improvements:
-    * Add structured loggging with Logrus (#254, #268)
+    * Add structured logging with Logrus (#254, #268)
     * Log requests for bootcfg assets (#214)
     * Show `bootcfg` message at the home path `/`
     * Fix http package log messages (#173)

Dockerfile

@@ -1,5 +1,9 @@
-FROM alpine:3.10
+FROM docker.io/golang:1.18.4 AS builder
+COPY . src
+RUN cd src && make build
+
+FROM docker.io/alpine:3.16.1
 LABEL maintainer="Dalton Hubble <dghubble@gmail.com>"
-COPY bin/matchbox /matchbox
+COPY --from=builder /go/src/bin/matchbox /matchbox
 EXPOSE 8080
 ENTRYPOINT ["/matchbox"]

Makefile

@@ -1,7 +1,7 @@
 export CGO_ENABLED:=0
 export GO111MODULE=on
-export GOFLAGS=-mod=vendor
 
+DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST))))
 VERSION=$(shell git describe --tags --match=v* --always --dirty)
 LD_FLAGS="-w -X github.com/poseidon/matchbox/matchbox/version.Version=$(VERSION)"
 
@@ -16,9 +16,6 @@ all: build test vet lint fmt
 build: clean bin/matchbox
 
 bin/%:
-	git describe --tags --match=v* --always --dirty
-	git status
-	git diff
 	@go build -o bin/$* -ldflags $(LD_FLAGS) $(REPO)/cmd/$*
 
 .PHONY: test
@@ -37,39 +34,28 @@ lint:
 fmt:
 	@test -z $$(go fmt ./...)
 
-.PHONY: docker-image
-docker-image:
-	@sudo docker build --rm=true -t $(LOCAL_REPO):$(VERSION) .
-	@sudo docker tag $(LOCAL_REPO):$(VERSION) $(LOCAL_REPO):latest
+.PHONY: image
+image: \
+	image-amd64 \
+	image-arm64
 
-.PHONY: docker-push
-docker-push: docker-image
-	@sudo docker tag $(LOCAL_REPO):$(VERSION) $(IMAGE_REPO):latest
-	@sudo docker tag $(LOCAL_REPO):$(VERSION) $(IMAGE_REPO):$(VERSION)
-	@sudo docker push $(IMAGE_REPO):latest
-	@sudo docker push $(IMAGE_REPO):$(VERSION)
+image-%:
+	buildah bud -f Dockerfile \
+	-t $(LOCAL_REPO):$(VERSION)-$* \
+	--arch $* --override-arch $* \
+	--format=docker .
 
-.PHONY: update
-update:
-	@GOFLAGS="" go get -u
-	@go mod tidy
+protoc/%:
+	podman run --security-opt label=disable \
+		-u root \
+		--mount type=bind,src=$(DIR),target=/mnt/code \
+		quay.io/dghubble/protoc:v3.10.1 \
+		--go_out=plugins=grpc,paths=source_relative:. $*
 
-.PHONY: vendor
-vendor:
-	@go mod vendor
-
-.PHONY: codegen
-codegen: tools
-	@./scripts/dev/codegen
-
-.PHONY: tools
-tools: bin/protoc bin/protoc-gen-go
-
-bin/protoc:
-	@./scripts/dev/get-protoc
-
-bin/protoc-gen-go:
-	@go build -o bin/protoc-gen-go $(REPO)/vendor/github.com/golang/protobuf/protoc-gen-go
+codegen: \
+	protoc/matchbox/storage/storagepb/*.proto \
+	protoc/matchbox/server/serverpb/*.proto \
+	protoc/matchbox/rpc/rpcpb/*.proto
 
 clean:
 	@rm -rf bin
@@ -89,6 +75,7 @@ bin/linux-amd64/matchbox: GOARGS = GOOS=linux GOARCH=amd64
 bin/linux-arm/matchbox: GOARGS = GOOS=linux GOARCH=arm GOARM=6
 bin/linux-arm64/matchbox: GOARGS = GOOS=linux GOARCH=arm64
 bin/darwin-amd64/matchbox: GOARGS = GOOS=darwin GOARCH=amd64
+bin/linux-ppc64le/matchbox: GOARGS = GOOS=linux GOARCH=ppc64le
 
 bin/%/matchbox:
 	$(GOARGS) go build -o $@ -ldflags $(LD_FLAGS) -a $(REPO)/cmd/matchbox

README.md

@@ -1,35 +1,38 @@
-# matchbox [![Build Status](https://travis-ci.org/poseidon/matchbox.svg?branch=master)](https://travis-ci.org/poseidon/matchbox) [![GoDoc](https://godoc.org/github.com/poseidon/matchbox?status.svg)](https://godoc.org/github.com/poseidon/matchbox) [![Docker Repository on Quay](https://quay.io/repository/poseidon/matchbox/status "Docker Repository on Quay")](https://quay.io/repository/poseidon/matchbox)
+# matchbox
 
-`matchbox` is a service that matches bare-metal machines to profiles that PXE boot and provision clusters. Machines are matched by labels like MAC or UUID during PXE and profiles specify a kernel/initrd, iPXE config, and Container Linux or Fedora CoreOS config.
+[![GoDoc](https://pkg.go.dev/badge/github.com/poseidon/matchbox.svg)](https://pkg.go.dev/github.com/poseidon/matchbox) [![Quay](https://img.shields.io/badge/container-quay-green)](https://quay.io/repository/poseidon/matchbox) [![Workflow](https://github.com/poseidon/matchbox/actions/workflows/test.yaml/badge.svg)](https://github.com/poseidon/matchbox/actions/workflows/test.yaml?query=branch%3Amain) ![Downloads](https://img.shields.io/github/downloads/poseidon/matchbox/total) [![Sponsors](https://img.shields.io/github/sponsors/poseidon?logo=github)](https://github.com/sponsors/poseidon) [![Twitter](https://img.shields.io/badge/follow-news-1da1f2?logo=twitter)](https://twitter.com/poseidonlabs)
+
+`matchbox` is a service that matches bare-metal machines to profiles that PXE boot and provision clusters. Machines are matched by labels like MAC or UUID during PXE and profiles specify a kernel/initrd, iPXE config, and Ignition config.
 
 ## Features
 
 * Chainload via iPXE and match hardware labels
-* Provision Container Linux and Fedora CoreOS (powered by [Ignition](https://github.com/coreos/ignition))
+* Provision Fedora CoreOS or Flatcar Linux (powered by [Ignition](https://github.com/coreos/ignition))
 * Authenticated gRPC API for clients (e.g. Terraform)
 
 ## Documentation
 
 * [Docs](https://matchbox.psdn.io/)
 * [Configuration](docs/config.md)
-* [HTTP API](docs/api-http.md) / [gRPC API](docs/grpc-api.md)
+* [HTTP API](docs/api-http.md) / [gRPC API](docs/api-grpc.md)
 
 ## Installation
 
 Matchbox can be installed from a binary or a container image.
 
-* Install Matchbox on [Kubernetes](docs/deployment.md#kubernetes), on a [Linux](docs/deployment.md) host, or as a [container](docs/deployment.md#docker)
+* Install Matchbox as a [binary](docs/deployment.md#matchbox-binary), as a [container image](docs/deployment.md#container-image), or on [Kubernetes](docs/deployment.md#kubernetes)
 * Setup a PXE-enabled [network](docs/network-setup.md)
 
 ## Tutorials
 
-[Getting started](docs/getting-started.md) provisioning machines with Container Linux.
+Start provisioning machines with Fedora CoreOS or Flatcar Linux.
 
-* Local QEMU/KVM
-    * [matchbox with Docker](docs/getting-started-docker.md)
-* Clusters
-    * [etcd3](docs/getting-started-docker.md) - Install a 3-node etcd3 cluster
-    * [etcd3](https://github.com/poseidon/matchbox/tree/master/examples/terraform/etcd3-install) - Install a 3-node etcd3 cluster (terraform-based)
+* [Terraform Usage](docs/getting-started.md)
+  * Fedora CoreOS (PXE install to disk)
+  * Flatcar Linux (PXE install to disk)
+* [Local QEMU/KVM](docs/getting-started-docker.md)
+    * Fedora CoreOS (live PXE or PXE install to disk)
+    * Flatcar Linux (live PXE or PXE install to disk)
 
 ## Contrib
 

contrib/dnsmasq/CHANGES.md

@@ -1,18 +0,0 @@
-# dnsmasq
-
-Notable changes image releases. The dnsmasq project [upstream](http://www.thekelleys.org.uk/dnsmasq/doc.html) has its own [changelog](http://www.thekelleys.org.uk/dnsmasq/CHANGELOG).
-
-## v0.4.1
-
-* Rebuild with alpine:3.6 base image
-* Add EXPOSE ports 67 and 69 to Dockerfile
-
-## v0.4.0
-
-* `dnsmasq` package version 2.76
-* Rebuild with alpine:3.5 base image to receive patches
-* Update CoreOS `grub.efi` to be recent (stable, 1298.7.0)
-
-## v0.3.0
-
-* `dnsmasq` package version 2.75

contrib/dnsmasq/Dockerfile

@@ -1,6 +0,0 @@
-FROM alpine:3.10
-LABEL maintainer="Dalton Hubble <dghubble@gmail.com>"
-RUN apk -U add dnsmasq curl
-COPY tftpboot /var/lib/tftpboot
-EXPOSE 53 67 69
-ENTRYPOINT ["/usr/sbin/dnsmasq"]

contrib/dnsmasq/Makefile

@@ -1,24 +0,0 @@
-DIR := $(abspath $(dir $(lastword $(MAKEFILE_LIST))))
-VERSION=$(shell git rev-parse HEAD)
-
-IMAGE_REPO=poseidon/dnsmasq
-QUAY_REPO=quay.io/poseidon/dnsmasq
-
-.PHONY: all
-all: docker-image
-
-.PHONY: tftp
-tftp:
-	@$(DIR)/get-tftp-files
-
-.PHONY: docker-image
-docker-image: tftp
-	@sudo docker build --rm=true -t $(IMAGE_REPO):$(VERSION) .
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(IMAGE_REPO):latest
-
-.PHONY: docker-push
-docker-push:
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(QUAY_REPO):latest
-	@sudo docker tag $(IMAGE_REPO):$(VERSION) $(QUAY_REPO):$(VERSION)
-	@sudo docker push $(QUAY_REPO):latest
-	@sudo docker push $(QUAY_REPO):$(VERSION)

contrib/dnsmasq/README.md

@@ -1,57 +1,4 @@
-# dnsmasq [![Docker Repository on Quay](https://quay.io/repository/poseidon/dnsmasq/status "Docker Repository on Quay")](https://quay.io/repository/poseidon/dnsmasq)
+# dnsmasq
 
-`dnsmasq` provides a container image for running DHCP, proxy DHCP, DNS, and/or TFTP with [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html). Use it to test different network setups with clusters of network bootable machines.
-
-The image bundles `undionly.kpxe`, `ipxe.efi`, and `grub.efi` (experimental) for chainloading BIOS and UEFI clients to iPXE.
-
-## Usage
-
-Run the container image as a DHCP, DNS, and TFTP service.
-
-```sh
-sudo docker run --rm --cap-add=NET_ADMIN --net=host quay.io/poseidon/dnsmasq \
-  -d -q \
-  --dhcp-range=192.168.1.3,192.168.1.254 \
-  --enable-tftp --tftp-root=/var/lib/tftpboot \
-  --dhcp-match=set:bios,option:client-arch,0 \
-  --dhcp-boot=tag:bios,undionly.kpxe \
-  --dhcp-match=set:efi32,option:client-arch,6 \
-  --dhcp-boot=tag:efi32,ipxe.efi \
-  --dhcp-match=set:efibc,option:client-arch,7 \
-  --dhcp-boot=tag:efibc,ipxe.efi \
-  --dhcp-match=set:efi64,option:client-arch,9 \
-  --dhcp-boot=tag:efi64,ipxe.efi \
-  --dhcp-userclass=set:ipxe,iPXE \
-  --dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe \
-  --address=/matchbox.example.com/192.168.1.2 \
-  --log-queries \
-  --log-dhcp
-```
-
-Press ctrl-C to stop the Docker container.
-
-## Configuration Flags
-
-Configuration arguments can be provided as flags. Check the dnsmasq [man pages](http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html) for a complete list.
-
-| flag     | description | example |
-|----------|-------------|---------|
-| --dhcp-range | Enable DHCP, lease given range | `172.18.0.50,172.18.0.99`, `192.168.1.1,proxy,255.255.255.0` |
-| --dhcp-boot | DHCP next server option | `http://matchbox.foo:8080/boot.ipxe` |
-| --enable-tftp | Enable serving from tftp-root over TFTP | NA |
-| --address | IP address for a domain name | /matchbox.foo/172.18.0.2 |
-
-## Development
-
-Build a container image locally.
-
-```
-make docker-image
-```
-
-Run the image with Docker on the `docker0` bridge (default).
-
-```
-sudo docker run --rm --cap-add=NET_ADMIN poseidon/dnsmasq -d -q
-```
+Moved to [dnsmasq](https://github.com/poseidon/dnsmasq).
 

contrib/dnsmasq/get-tftp-files

@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-
-DEST=${1:-"tftpboot"}
-
-if [ ! -d $DEST ]; then
-  echo "Creating directory $DEST"
-  mkdir -p $DEST
-fi
-
-curl -s -o $DEST/undionly.kpxe http://boot.ipxe.org/undionly.kpxe
-cp $DEST/undionly.kpxe $DEST/undionly.kpxe.0
-curl -s -o $DEST/ipxe.efi http://boot.ipxe.org/ipxe.efi
-
-# Any vaguely recent CoreOS grub.efi is fine
-curl -s -o $DEST/grub.efi https://stable.release.core-os.net/amd64-usr/1353.7.0/coreos_production_pxe_grub.efi

contrib/dnsmasq/travis-deploy

@@ -1,11 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# dirty hack
-cd "$(dirname $0)"
-
-docker info
-make docker-image
-docker login -u="$DOCKER_USERNAME" -p=$DOCKER_PASSWORD quay.io
-make docker-push
-

contrib/k8s/deployment.yaml

@@ -1,4 +1,4 @@
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: matchbox
@@ -7,15 +7,20 @@ spec:
   strategy:
     rollingUpdate:
       maxUnavailable: 1
+  selector:
+    matchLabels:
+      name: matchbox
   template:
     metadata:
       labels:
         name: matchbox
-        phase: prod
     spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
       containers:
         - name: matchbox
-          image: quay.io/poseidon/matchbox:v0.8.0
+          image: quay.io/poseidon/matchbox:v0.9.1
           env:
             - name: MATCHBOX_ADDRESS
               value: "0.0.0.0:8080"
@@ -28,10 +33,18 @@ spec:
               containerPort: 8080
             - name: https
               containerPort: 8081
+          livenessProbe:
+            initialDelaySeconds: 5
+            httpGet:
+              path: /
+              port: 8080
           resources:
             requests:
-              cpu: "50m"
-              memory: "50Mi"
+              cpu: 30m
+              memory: 20Mi
+            limits:
+              cpu: 50m
+              memory: 50Mi
           volumeMounts:
             - name: config
               mountPath: /etc/matchbox
@@ -39,9 +52,6 @@ spec:
               mountPath: /var/lib/matchbox
             - name: assets
               mountPath: /var/lib/matchbox/assets
-      dnsPolicy: ClusterFirst
-      restartPolicy: Always
-      terminationGracePeriodSeconds: 30
       volumes:
         - name: config
           secret:

contrib/k8s/ingress.yaml

@@ -0,0 +1,43 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: matchbox
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+spec:
+  ingressClassName: public
+  # tls ... optional
+  rules:
+    - host: matchbox.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: matchbox
+                port:
+                  number: 8080
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: matchbox-rpc
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+spec:
+  ingressClassName: public
+  tls:
+    - hosts:
+        - matchbox-rpc.example.com
+  rules:
+    - host: matchbox-rpc.example.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: matchbox
+                port:
+                  number: 8081

contrib/k8s/matchbox-ingress.yaml

@@ -1,32 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: matchbox
-spec:
-  rules:
-    - host: matchbox.example.com
-      http:
-        paths:
-          - path: /
-            backend:
-              serviceName: matchbox
-              servicePort: 8080
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: matchbox
-  annotations:
-    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
-spec:
-  tls:
-    - hosts:
-        - matchbox-rpc.example.com
-  rules:
-    - host: matchbox-rpc.example.com
-      http:
-        paths:
-          - path: /
-            backend:
-              serviceName: matchbox
-              servicePort: 8081

contrib/k8s/service.yaml

@@ -6,7 +6,6 @@ spec:
   type: ClusterIP
   selector:
     name: matchbox
-    phase: prod
   ports:
     - name: http
       protocol: TCP

contrib/rpm/matchbox.spec

@@ -1,86 +0,0 @@
-%global import_path github.com/coreos/matchbox
-%global repo matchbox
-%global debug_package %{nil}
-
-Name:		matchbox
-Version:	0.6.0
-Release:	2%{?dist}
-Summary:	Network boot and provision CoreOS machines
-License:	ASL 2.0
-URL:		https://%{import_path}
-Source0:        https://%{import_path}/archive/v%{version}/%{name}-%{version}.tar.gz
-
-
-BuildRequires: golang
-BuildRequires: systemd
-%{?systemd_requires}
-
-Requires(pre): shadow-utils
-
-%description
-matchbox is a service that matches machines to profiles to PXE boot and provision
-clusters. Profiles specify the kernel/initrd, kernel args, iPXE config, GRUB
-config, Container Linux config, Cloud-config, or other configs. matchbox provides
-a read-only HTTP API for machines and an authenticated gRPC API for clients.
-
-# Limit to architectures supported by golang or gcc-go compilers
-ExclusiveArch: %{go_arches}
-# Use golang or gcc-go compiler depending on architecture
-BuildRequires: compiler(golang)
-
-%prep
-%setup -q -n %{repo}-%{version}
-
-%build
-# create a Go workspace with a symlink to builddir source
-mkdir -p src/github.com/coreos
-ln -s ../../../ src/github.com/coreos/matchbox
-export GOPATH=$(pwd):%{gopath}
-export GO15VENDOREXPERIMENT=1
-function gobuild { go build -a -ldflags "-w -X github.com/coreos/matchbox/matchbox/version.Version=v%{version}" "$@"; }
-gobuild -o bin/matchbox %{import_path}/cmd/matchbox
-
-%install
-install -d %{buildroot}/%{_bindir}
-install -d %{buildroot}%{_sharedstatedir}/%{name}
-install -p -m 0755 bin/matchbox %{buildroot}/%{_bindir}
-# systemd service unit
-mkdir -p %{buildroot}%{_unitdir}
-cp contrib/systemd/%{name}.service %{buildroot}%{_unitdir}/
-
-%files
-%doc README.md CHANGES.md CONTRIBUTING.md LICENSE NOTICE DCO
-%{_bindir}/matchbox
-%{_sharedstatedir}/%{name}
-%{_unitdir}/%{name}.service
-
-%pre
-getent group matchbox >/dev/null || groupadd -r matchbox
-getent passwd matchbox >/dev/null || \
-    useradd -r -g matchbox -s /sbin/nologin matchbox
-
-%post
-%systemd_post matchbox.service
-
-%preun
-%systemd_preun matchbox.service
-
-%postun
-%systemd_postun_with_restart matchbox.service
-
-%changelog
-* Mon Apr 24 2017 <dalton.hubble@coreos.com> - 0.6.0-1
-- New support for terraform-provider-matchbox plugin
-- Add ProfileDelete, GroupDelete, IgnitionGet and IgnitionDelete gRPC endpoints
-- Generate code with gRPC v1.2.1 and matching Go protoc-gen-go plugin
-- Update Ignition to v0.14.0 and coreos-cloudinit to v1.13.0
-- New documentation at https://coreos.com/matchbox/docs/latest
-* Wed Jan 25 2017 <dalton.hubble@coreos.com> - 0.5.0-1
-- Rename project from bootcfg to matchbox
-* Sat Dec 3 2016 <dalton.hubble@coreos.com> - 0.4.1-3
-- Add missing ldflags which caused bootcfg -version to report wrong version
-* Fri Dec 2 2016 <dalton.hubble@coreos.com> - 0.4.1-2
-- Fix bootcfg user creation
-* Fri Dec 2 2016 <dalton.hubble@coreos.com> - 0.4.1-1
-- Initial package
-

contrib/systemd/matchbox-local.service

@@ -1,16 +0,0 @@
-[Unit]
-Description=CoreOS matchbox Server
-Documentation=https://github.com/coreos/matchbox
-
-[Service]
-User=matchbox
-Group=matchbox
-Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-ExecStart=/usr/local/bin/matchbox
-
-# systemd.exec
-ProtectHome=yes
-ProtectSystem=full
-
-[Install]
-WantedBy=multi-user.target

contrib/systemd/matchbox-on-coreos.service

@@ -1,22 +0,0 @@
-[Unit]
-Description=CoreOS matchbox Server
-Documentation=https://github.com/coreos/matchbox
-
-[Service]
-Environment="IMAGE=quay.io/poseidon/matchbox"
-Environment="VERSION=v0.8.0"
-Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-ExecStartPre=/usr/bin/mkdir -p /etc/matchbox
-ExecStartPre=/usr/bin/mkdir -p /var/lib/matchbox/assets
-ExecStart=/usr/bin/rkt run \
-  --net=host \
-  --inherit-env \
-  --trust-keys-from-https \
-  --mount volume=data,target=/var/lib/matchbox \
-  --mount volume=config,target=/etc/matchbox \
-  --volume data,kind=host,source=/var/lib/matchbox \
-  --volume config,kind=host,source=/etc/matchbox \
-  ${IMAGE}:${VERSION}
-
-[Install]
-WantedBy=multi-user.target

contrib/systemd/matchbox.service

@@ -1,16 +1,16 @@
 [Unit]
-Description=CoreOS matchbox Server
-Documentation=https://github.com/coreos/matchbox
+Description=Matchbox Server
+Documentation=https://github.com/poseidon/matchbox
 
 [Service]
 User=matchbox
 Group=matchbox
 Environment="MATCHBOX_ADDRESS=0.0.0.0:8080"
-ExecStart=/usr/bin/matchbox
+ExecStart=/usr/local/bin/matchbox
 
 # systemd.exec
 ProtectHome=yes
 ProtectSystem=full
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

docs/CNAME

@@ -0,0 +1 @@
+matchbox.psdn.io

docs/api-http.md

@@ -191,7 +191,7 @@ REQUEST_RAW_QUERY=mac=52-54-00-a1-9c-ae&foo=bar&count=3&gate=true
 
 ## OpenPGP signatures
 
-OpenPGPG signature endpoints serve detached binary and ASCII armored signatures of rendered configs, if enabled. See [OpenPGP Signing](openpgp.md).
+OpenPGP signature endpoints serve detached binary and ASCII armored signatures of rendered configs, if enabled. See [OpenPGP Signing](openpgp.md).
 
 | Endpoint   | Signature Endpoint | ASCII Signature Endpoint |
 |------------|--------------------|-------------------------|

docs/deployment.md

@@ -1,57 +1,46 @@
 # Installation
 
-This guide walks through deploying the `matchbox` service on a Linux host (via RPM, docker, or binary) or on a Kubernetes cluster.
+This guide walks through deploying the `matchbox` service on a Linux host (as a binary or container image) or on a Kubernetes cluster.
 
 ## Provisoner
 
-`matchbox` is a service for network booting and provisioning machines to create CoreOS Container Linux clusters. `matchbox` should be installed on a provisioner machine (Container Linux or any Linux distribution) or cluster (Kubernetes) which can serve configs to client machines in a lab or datacenter.
+Matchbox is a service for network booting and provisioning machines to create Fedora CoreOS or Flatcar Linux clusters. Matchbox may installed on a host server or Kubernetes cluster that can serve configs to client machines in a lab or datacenter.
 
 Choose one of the supported installation options:
 
-* [CoreOS Container Linux](#coreos-container-linux)
-* [RPM-based](#rpm-based-distro)
-* [Generic Linux (binary)](#generic-linux)
-* [With docker](#docker)
-* [Kubernetes Service](#kubernetes)
+* [Matchbox binary](#matchbox-binary)
+* [Container image](#container-image)
+* [Kubernetes manifests](#kubernetes)
 
 ## Download
 
-Download the latest matchbox [release](https://github.com/poseidon/matchbox/releases) to the provisioner host.
+Download the latest Matchbox [release](https://github.com/poseidon/matchbox/releases).
 
 ```sh
-$ wget https://github.com/poseidon/matchbox/releases/download/v0.8.0/matchbox-v0.8.0-linux-amd64.tar.gz
-$ wget https://github.com/poseidon/matchbox/releases/download/v0.8.0/matchbox-v0.8.0-linux-amd64.tar.gz.asc
+$ wget https://github.com/poseidon/matchbox/releases/download/v0.9.1/matchbox-v0.9.1-linux-amd64.tar.gz
+$ wget https://github.com/poseidon/matchbox/releases/download/v0.9.1/matchbox-v0.9.1-linux-amd64.tar.gz.asc
 ```
 
 Verify the release has been signed by Dalton Hubble's GPG [Key](https://keyserver.ubuntu.com/pks/lookup?search=0x8F515AD1602065C8&op=vindex)'s signing subkey.
 
 ```sh
 $ gpg --keyserver keyserver.ubuntu.com --recv-key 2E3D92BF07D9DDCCB3BAE4A48F515AD1602065C8
-$ gpg --verify matchbox-v0.8.0-linux-amd64.tar.gz.asc matchbox-v0.8.0-linux-amd64.tar.gz
+$ gpg --verify matchbox-v0.9.1-linux-amd64.tar.gz.asc matchbox-v0.9.1-linux-amd64.tar.gz
 gpg: Good signature from "Dalton Hubble <dghubble@gmail.com>"
 ```
 
 Untar the release.
 
 ```sh
-$ tar xzvf matchbox-v0.8.0-linux-amd64.tar.gz
-$ cd matchbox-v0.8.0-linux-amd64
+$ tar xzvf matchbox-v0.9.1-linux-amd64.tar.gz
+$ cd matchbox-v0.9.1-linux-amd64
 ```
 
 ## Install
 
-### RPM-based distro
+Run Matchbox as a binary, a container image, or on Kubernetes.
 
-On an RPM-based provisioner (Fedora 24+), install the `matchbox` RPM from the Copr [repository](https://copr.fedorainfracloud.org/coprs/g/CoreOS/matchbox/) using `dnf`.
-
-```sh
-dnf copr enable @CoreOS/matchbox
-dnf install matchbox
-```
-
-RPMs are not currently available for CentOS and RHEL (due to Go version). CentOS and RHEL users should follow the Generic Linux section below.
-
-### Generic Linux
+### Matchbox Binary
 
 Pre-built binaries are available for generic Linux distributions. Copy the `matchbox` static binary to an appropriate location on the host.
 
@@ -74,12 +63,12 @@ $ sudo chown -R matchbox:matchbox /var/lib/matchbox
 Copy the provided `matchbox` systemd unit file.
 
 ```sh
-$ sudo cp contrib/systemd/matchbox-local.service /etc/systemd/system/matchbox.service
+$ sudo cp contrib/systemd/matchbox.service /etc/systemd/system/matchbox.service
 ```
 
-## Customization
+#### systemd dropins
 
-Customize matchbox by editing the systemd unit or adding a systemd dropin. Find the complete set of `matchbox` flags and environment variables at [config](config.md).
+Customize Matchbox by editing the systemd unit or adding a systemd dropin. Find the complete set of `matchbox` flags and environment variables at [config](config.md).
 
 ```sh
 $ sudo systemctl edit matchbox
@@ -105,6 +94,70 @@ Environment="MATCHBOX_RPC_ADDRESS=0.0.0.0:8081"
 
 Customize `matchbox` to suit your preferences.
 
+#### Start
+
+Start the Matchbox service and enable it if you'd like it to start on every boot.
+
+```
+$ sudo systemctl daemon-reload
+$ sudo systemctl start matchbox
+$ sudo systemctl enable matchbox
+```
+
+### Container Image
+
+Run the container image with Podman,
+
+```
+mkdir -p /var/lib/matchbox/assets
+podman run --net=host --rm -v /var/lib/matchbox:/var/lib/matchbox:Z -v /etc/matchbox:/etc/matchbox:Z,ro quay.io/poseidon/matchbox:v0.9.1 -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+```
+
+Or with Docker,
+
+```
+mkdir -p /var/lib/matchbox/assets
+sudo docker run --net=host --rm -v /var/lib/matchbox:/var/lib/matchbox:Z -v /etc/matchbox:/etc/matchbox:Z,ro quay.io/poseidon/matchbox:v0.9.1 -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
+```
+
+Create machine profiles, groups, or Ignition configs by adding files to `/var/lib/matchbox`.
+
+### Kubernetes
+
+Install Matchbox on a Kubernetes cluster with the example manifests.
+
+```sh
+$ kubectl apply -R -f contrib/k8s
+$ kubectl get services
+NAME                 CLUSTER-IP   EXTERNAL-IP   PORT(S)             AGE
+matchbox             10.3.0.145   <none>        8080/TCP,8081/TCP   46m
+```
+
+Example manifests in [contrib/k8s](../contrib/k8s) enable the gRPC API to allow client apps to update matchbox objects. Generate TLS server certificates for `matchbox-rpc.example.com` [as shown](#generate-tls-certificates) and create a Kubernetes secret. Alternately, edit the example manifests if you don't need the gRPC API enabled.
+
+```sh
+$ kubectl create secret generic matchbox-rpc --from-file=ca.crt --from-file=server.crt --from-file=server.key
+```
+
+Create an Ingress resource to expose the HTTP read-only and gRPC API endpoints. The Ingress example requires the cluster to have a functioning [Nginx Ingress Controller](https://github.com/kubernetes/ingress).
+
+```sh
+$ kubectl create -f contrib/k8s/matchbox-ingress.yaml
+$ kubectl get ingress
+NAME      HOSTS                                          ADDRESS            PORTS     AGE
+matchbox       matchbox.example.com                      10.128.0.3,10...   80        29m
+matchbox-rpc   matchbox-rpc.example.com                  10.128.0.3,10...   80, 443   29m
+```
+
+Add DNS records `matchbox.example.com` and `matchbox-rpc.example.com` to route traffic to the Ingress Controller.
+
+Verify `http://matchbox.example.com` responds with the text "matchbox" and verify gRPC clients can connect to `matchbox-rpc.example.com:443`.
+
+```sh
+$ curl http://matchbox.example.com
+$ openssl s_client -connect matchbox-rpc.example.com:443 -CAfile ca.crt -cert client.crt -key client.key
+```
+
 ## Firewall
 
 Allow your port choices on the provisioner's firewall so the clients can access the service. Here are the commands for those using `firewalld`:
@@ -130,7 +183,7 @@ Export `SAN` to set the Subject Alt Names which should be used in certificates.
 
 ```sh
 # DNS or IP Subject Alt Names where matchbox runs
-$ export SAN=DNS.1:matchbox.example.com,IP.1:172.18.0.2
+$ export SAN=DNS.1:matchbox.example.com,IP.1:172.17.0.2
 ```
 
 Generate a `ca.crt`, `server.crt`, `server.key`, `client.crt`, and `client.key`.
@@ -154,22 +207,12 @@ $ mkdir -p ~/.matchbox
 $ cp client.crt client.key ca.crt ~/.matchbox/
 ```
 
-## Start matchbox
-
-Start the `matchbox` service and enable it if you'd like it to start on every boot.
-
-```sh
-$ sudo systemctl daemon-reload
-$ sudo systemctl start matchbox
-$ sudo systemctl enable matchbox
-```
-
 ## Verify
 
 Verify the matchbox service is running and can be reached by client machines (those being provisioned).
 
 ```sh
-$ systemctl status matchbox
+$ systemctl status matchbox   # Matchbox binary method
 $ dig matchbox.example.com
 ```
 
@@ -183,7 +226,7 @@ matchbox
 If you enabled the gRPC API,
 
 ```sh
-$ openssl s_client -connect matchbox.example.com:8081 -CAfile /etc/matchbox/ca.crt -cert scripts/tls/client.crt -key scripts/tls/client.key
+$ openssl s_client -connect matchbox.example.com:8081 -CAfile scripts/tls/ca.crt -cert scripts/tls/client.crt -key scripts/tls/client.key
 CONNECTED(00000003)
 depth=1 CN = fake-ca
 verify return:1
@@ -197,43 +240,45 @@ Certificate chain
 ....
 ```
 
-## Download Container Linux (optional)
+## Download Images (optional)
 
-`matchbox` can serve Container Linux images in development or lab environments to reduce bandwidth usage and increase the speed of Container Linux PXE boots and installs to disk.
+Matchbox can serve OS images in development or lab environments to reduce bandwidth usage and increase the speed of PXE boots and installs to disk.
 
-Download a recent Container Linux [release](https://coreos.com/releases/) with signatures.
+Download a recent Fedora CoreOS or Flatcar Linux release.
 
-```sh
-$ ./scripts/get-coreos stable 1967.3.0 .     # note the "." 3rd argument
+```
+$ ./scripts/get-fedora-coreos stable 36.20220618.3.1 .
+$ ./scripts/get-flatcar stable 3227.2.0 .
 ```
 
 Move the images to `/var/lib/matchbox/assets`,
 
-```sh
-$ sudo cp -r coreos /var/lib/matchbox/assets
+```
+/var/lib/matchbox/assets/fedora-coreos/
+├── fedora-coreos-36.20220618.3.1-live-initramfs.x86_64.img
+├── fedora-coreos-36.20220618.3.1-live-kernel-x86_64
+├── fedora-coreos-36.20220618.3.1-live-rootfs.x86_64.img
+
+/var/lib/matchbox/assets/flatcar/
+└── 3227.2.0
+    ├── Flatcar_Image_Signing_Key.asc
+    ├── flatcar_production_image.bin.bz2
+    ├── flatcar_production_image.bin.bz2.sig
+    ├── flatcar_production_pxe_image.cpio.gz
+    ├── flatcar_production_pxe_image.cpio.gz.sig
+    ├── flatcar_production_pxe.vmlinuz
+    ├── flatcar_production_pxe.vmlinuz.sig
+    └── version.txt
 ```
 
-```
-/var/lib/matchbox/assets/
-├── coreos
-│   └── 1967.3.0
-│       ├── CoreOS_Image_Signing_Key.asc
-│       ├── coreos_production_image.bin.bz2
-│       ├── coreos_production_image.bin.bz2.sig
-│       ├── coreos_production_pxe_image.cpio.gz
-│       ├── coreos_production_pxe_image.cpio.gz.sig
-│       ├── coreos_production_pxe.vmlinuz
-│       └── coreos_production_pxe.vmlinuz.sig
-```
-
-and verify the images are acessible.
+and verify the images are accessible.
 
 ```sh
-$ curl http://matchbox.example.com:8080/assets/coreos/1967.3.0/
+$ curl http://matchbox.example.com:8080/assets/fedora-coreos/
 <pre>...
 ```
 
-For large production environments, use a cache proxy or mirror suitable for your environment to serve Container Linux images.
+For large production environments, use a cache proxy or mirror suitable for your environment to serve images.
 
 ## Network
 
@@ -245,63 +290,17 @@ Review [network setup](https://github.com/poseidon/matchbox/blob/master/docs/net
 
 Poseidon provides [dnsmasq](https://github.com/poseidon/matchbox/tree/master/contrib/dnsmasq) as `quay.io/poseidon/dnsmasq`.
 
-## Docker
+# TLS
 
-Run the container image with docker.
+Matchbox can serve the read-only HTTP API with TLS.
 
-```sh
-$ mkdir -p /var/lib/matchbox/assets
-$ sudo docker run --net=host --rm -v /var/lib/matchbox:/var/lib/matchbox:Z -v /etc/matchbox:/etc/matchbox:Z,ro quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -rpc-address=0.0.0.0:8081 -log-level=debug
-```
+| Name           | Type   | Description |
+|----------------|--------|-------------|
+| -web-ssl       | bool   | true/false  |
+| -web-cert-file | string | Path to the server TLS certificate file |
+| -web-key-file  | string | Path to the server TLS key file |
 
-Create machine profiles, groups, or Ignition configs by adding files to `/var/lib/matchbox`.
-
-## Kubernetes
-
-Install `matchbox` on a Kubernetes cluster by creating a deployment and service.
-
-```sh
-$ kubectl apply -f contrib/k8s/matchbox-deployment.yaml
-$ kubectl apply -f contrib/k8s/matchbox-service.yaml
-$ kubectl get services
-NAME                 CLUSTER-IP   EXTERNAL-IP   PORT(S)             AGE
-matchbox             10.3.0.145   <none>        8080/TCP,8081/TCP   46m
-```
-
-Example manifests in [contrib/k8s](../contrib/k8s) enable the gRPC API to allow client apps to update matchbox objects. Generate TLS server credentials for `matchbox-rpc.example.com` [as shown](#generate-tls-credentials) and create a Kubernetes secret. Alternately, edit the example manifests if you don't need the gRPC API enabled.
-
-```sh
-$ kubectl create secret generic matchbox-rpc --from-file=ca.crt --from-file=server.crt --from-file=server.key
-```
-
-Create an Ingress resource to expose the HTTP read-only and gRPC API endpoints. The Ingress example requires the cluster to have a functioning [Nginx Ingress Controller](https://github.com/kubernetes/ingress).
-
-```sh
-$ kubectl create -f contrib/k8s/matchbox-ingress.yaml
-$ kubectl get ingress
-NAME      HOSTS                                          ADDRESS            PORTS     AGE
-matchbox       matchbox.example.com                      10.128.0.3,10...   80        29m
-matchbox-rpc   matchbox-rpc.example.com                  10.128.0.3,10...   80, 443   29m
-```
-
-Add DNS records `matchbox.example.com` and `matchbox-rpc.example.com` to route traffic to the Ingress Controller.
-
-Verify `http://matchbox.example.com` responds with the text "matchbox" and verify gRPC clients can connect to `matchbox-rpc.example.com:443`.
-
-```sh
-$ curl http://matchbox.example.com
-$ openssl s_client -connect matchbox-rpc.example.com:443 -CAfile ca.crt -cert client.crt -key client.key
-```
-
-# HTTPS - The read-only Matchbox API is also available with HTTPS
-
-To start matchbox in this mode you will need the following flags set:
-
-| Name           | Type   | Description                                                   |
-|----------------|--------|---------------------------------------------------------------|
-| -web-ssl       | bool   | true/false                                                    |
-| -web-cert-file | string | Path to the server TLS certificate file                       |
-| -web-key-file  | string | Path to the server TLS key file                               |
+However, it is more common to use an Ingress Controller (Kubernetes) to terminate TLS.
 
 ### Operational notes
 

docs/dev/release.md

@@ -8,7 +8,7 @@ This guide covers releasing new versions of matchbox.
 Create a release commit which updates old version references.
 
 ```sh
-$ export VERSION=v0.8.0
+$ export VERSION=v0.9.1
 ```
 
 ## Tag
@@ -44,7 +44,7 @@ $ make release
 Verify the reported version.
 
 ```
-./_output/matchbox-v0.8.0-linux-amd64/matchbox -version
+./_output/matchbox-v0.9.1-linux-amd64/matchbox -version
 ```
 
 ## Signing

docs/getting-started-docker.md

@@ -1,8 +1,9 @@
 # Getting started with Docker
 
-In this tutorial, we'll run `matchbox` on your Linux machine with Docker to network boot and provision a cluster of QEMU/KVM Container Linux machines locally. You'll be able to create Kubernetes clusters, etcd3 clusters, and test network setups.
+In this tutorial, we'll run `matchbox` on a Linux machine with Docker to network boot and provision local QEMU/KVM machines as Fedora CoreOS or Flatcar Linux machines. You'll be able to test network setups and Ignition provisioning.
 
-*Note*: To provision physical machines, see [network setup](network-setup.md) and [deployment](deployment.md).
+!!! note
+    To provision physical machines, see [network setup](network-setup.md) and [deployment](deployment.md).
 
 ## Requirements
 
@@ -25,10 +26,11 @@ $ git clone https://github.com/poseidon/matchbox.git
 $ cd matchbox
 ```
 
-Download CoreOS Container Linux image assets referenced by the `etcd3` [example](../examples) to `examples/assets`.
+Download Fedora CoreOS or Flatcar Linux image assets to `examples/assets`.
 
 ```sh
-$ ./scripts/get-coreos stable 1967.3.0 ./examples/assets
+$ ./scripts/get-fedora-coreos stable 36.20220618.3.1 ./examples/assets
+$ ./scripts/get-flatcar stable 3227.2.0 ./examples/assets
 ```
 
 For development convenience, add `/etc/hosts` entries for nodes so they may be referenced by name.
@@ -45,10 +47,10 @@ For development convenience, add `/etc/hosts` entries for nodes so they may be r
 
 Run the `matchbox` and `dnsmasq` services on the `docker0` bridge. `dnsmasq` will run DHCP, DNS and TFTP services to create a suitable network boot environment. `matchbox` will serve configs to machines as they PXE boot.
 
-The `devnet` convenience script can start these services and accepts the name of any example cluster in [examples](../examples).
+The `devnet` convenience script can start these services and accepts the name of any example in [examples](https://github.com/poseidon/matchbox/tree/master/examples).
 
 ```sh
-$ sudo ./scripts/devnet create etcd3
+$ sudo ./scripts/devnet create fedora-coreos
 ```
 
 Inspect the logs.
@@ -57,7 +59,7 @@ Inspect the logs.
 $ sudo ./scripts/devnet status
 ```
 
-Take a look at the [etcd3 groups](../examples/groups/etcd3) to get an idea of how machines are mapped to Profiles. Explore some endpoints exposed by the service, say for QEMU/KVM node1.
+Inspect the examples and Matchbox endpoints to see how machines (e.g. node1 with MAC `52:54:00:a1:9c:ae`) are mapped to Profiles, and therefore iPXE and Ignition configs.
 
 * iPXE [http://127.0.0.1:8080/ipxe?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/ipxe?mac=52:54:00:a1:9c:ae)
 * Ignition [http://127.0.0.1:8080/ignition?mac=52:54:00:a1:9c:ae](http://127.0.0.1:8080/ignition?mac=52:54:00:a1:9c:ae)
@@ -68,7 +70,7 @@ Take a look at the [etcd3 groups](../examples/groups/etcd3) to get an idea of ho
 If you prefer to start the containers yourself, instead of using `devnet`,
 
 ```sh
-$ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/etcd3:/var/lib/matchbox/groups:Z quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
+$ sudo docker run -p 8080:8080 --rm -v $PWD/examples:/var/lib/matchbox:Z -v $PWD/examples/groups/fedora-coreos:/var/lib/matchbox/groups:Z quay.io/poseidon/matchbox:latest -address=0.0.0.0:8080 -log-level=debug
 $ sudo docker run --name dnsmasq --cap-add=NET_ADMIN -v $PWD/contrib/dnsmasq/docker0.conf:/etc/dnsmasq.conf:Z quay.io/poseidon/dnsmasq -d
 ```
 
@@ -80,13 +82,18 @@ Create QEMU/KVM VMs which have known hardware attributes. The nodes will be atta
 $ sudo ./scripts/libvirt create
 ```
 
-You can connect to the serial console of any node (ctrl+] to exit). If you provisioned nodes with an SSH key, you can SSH after bring-up.
+If you provisioned nodes with an SSH key, you can SSH after bring-up.
 
 ```sh
-$ sudo virsh console node1
 $ ssh core@node1.example.com
 ```
 
+If you set a `console=ttyS0` kernel arg, you can connect to the serial console of any node (ctrl+] to exit).
+
+```
+$ sudo virsh console node1
+```
+
 You can also use `virt-manager` to watch the console.
 
 ```sh
@@ -101,15 +108,12 @@ $ sudo ./scripts/libvirt [start|reboot|shutdown|poweroff|destroy]
 
 ## Verify
 
-The VMs should network boot and provision themselves into a three node etcd3 cluster, with other nodes behaving as etcd3 gateways.
+The VMs should network boot and provision themselves as declared.
 
-The example profile added autologin so you can verify that etcd3 works between nodes.
-
-```sh
-$ systemctl status etcd-member
-$ etcdctl set /message hello
-$ etcdctl get /message
 ```
+cat /etc/os-release
+```
+
 ## Clean up
 
 Clean up the containers and VM machines.
@@ -119,6 +123,13 @@ $ sudo ./scripts/devnet destroy
 $ sudo ./scripts/libvirt destroy
 ```
 
-## Going further
+## Going Further
+
+Learn more about [matchbox](matchbox.md) or explore the other [examples](https://github.com/poseidon/matchbox/tree/master/examples).
+
+Try different examples and Ignition declarations:
+
+* Declare an SSH authorized public key (see examples README)
+* Declare a systemd unit
+* Declare file or directory content
 
-Learn more about [matchbox](matchbox.md) or explore the other [example](../examples) clusters.

docs/getting-started.md

@@ -1,14 +1,14 @@
 # Getting started
 
-In this tutorial, we'll show how to use terraform with `matchbox` to provision Container Linux machines.
+In this tutorial, we'll use `matchbox` with Terraform to provision Fedora CoreOS or Flatcar Linux machines.
 
-You'll install the `matchbox` service, setup a PXE network boot environment, and then use terraform configs to describe your infrastructure and the terraform CLI to create those resources on `matchbox`.
+We'll install the `matchbox` service, setup a PXE network boot environment, and use Terraform configs to declare infrastructure and apply resources on `matchbox`.
 
 ## matchbox
 
-Install `matchbox` on a dedicated server or Kubernetes cluster. Generate TLS credentials and enable the gRPC API as directed. Save the `ca.crt`, `client.crt`, and `client.key` on your local machine (e.g. `~/.matchbox`).
+Install `matchbox` on a host server or Kubernetes cluster. Generate TLS credentials and enable the gRPC API as directed. Save the `ca.crt`, `client.crt`, and `client.key` on your local machine (e.g. `~/.matchbox`).
 
-* Installing on [Container Linux / other distros](deployment.md)
+* Installing on a [Linux distro](deployment.md)
 * Installing on [Kubernetes](deployment.md#kubernetes)
 * Running with [docker](deployment.md#docker)
 
@@ -30,115 +30,133 @@ $ openssl s_client -connect matchbox.example.com:8081 \
 
 ## Terraform
 
-Install [Terraform][terraform-dl] v0.11+ on your system.
+Install [Terraform](https://www.terraform.io/downloads.html) v0.13+ on your system.
 
 ```sh
 $ terraform version
-Terraform v0.11.13
+Terraform v1.1.8
 ```
 
-Add the [terraform-provider-matchbox](https://github.com/poseidon/terraform-provider-matchbox) plugin binary for your system to `~/.terraform.d/plugins/`, noting the final name.
+### Examples
 
-```sh
-wget https://github.com/poseidon/terraform-provider-matchbox/releases/download/v0.2.3/terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
-tar xzf terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
-mv terraform-provider-matchbox-v0.2.3-linux-amd64/terraform-provider-matchbox ~/.terraform.d/plugins/terraform-provider-matchbox_v0.2.3
-```
-
-```sh
-$ wget https://github.com/poseidon/terraform-provider-matchbox/releases/download/v0.2.3/terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
-$ tar xzf terraform-provider-matchbox-v0.2.3-linux-amd64.tar.gz
-```
-
-## First cluster
-
-Clone the matchbox source and take a look at the Terraform examples.
+Clone the matchbox source.
 
 ```sh
 $ git clone https://github.com/poseidon/matchbox.git
 $ cd matchbox/examples/terraform
 ```
 
-Let's start with the `simple-install` example. With `simple-install`, any machines which PXE boot from matchbox will install Container Linux to `dev/sda`, reboot, and have your SSH key set. Its not much of a cluster, but we'll get to that later.
+Select from the Terraform [examples](https://github.com/poseidon/matchbox/tree/master/examples/terraform). For example,
+
+* `fedora-coreos-install` - PXE boot, install Fedora CoreOS to disk, reboot, and machines come up with your SSH authorized key set
+* `flatcar-install` - PXE boot, install Flatcar Linux to disk, reboot, and machines come up with your SSH authorized key set
+
+These aren't exactly full clusters, but they show declarations and network provisioning.
 
 ```sh
-$ cd simple-install
+$ cd fedora-coreos-install    # or flatcar-install
 ```
 
-Configure the variables in `variables.tf` by creating a `terraform.tfvars` file.
+!!! note
+    Fedora CoreOS images are only served via HTTPS, so your iPXE firmware must be compiled to support HTTPS downloads.
 
-```hcl
-matchbox_http_endpoint = "http://matchbox.example.com:8080"
-matchbox_rpc_endpoint = "matchbox.example.com:8081"
-ssh_authorized_key = "YOUR_SSH_KEY"
-```
+Let's review the terraform config and learn a bit about Matchbox.
 
-Terraform can now interact with the matchbox service and create resources.
-
-```sh
-$ terraform plan
-Plan: 4 to add, 0 to change, 0 to destroy.
-```
-
-Let's review the terraform config and learn a bit about matchbox.
-
-#### Provider
+### Provider
 
 Matchbox is configured as a provider platform for bare-metal resources.
 
-```hcl
+```tf
 // Configure the matchbox provider
 provider "matchbox" {
-  endpoint = "${var.matchbox_rpc_endpoint}"
-  client_cert = "${file("~/.matchbox/client.crt")}"
-  client_key = "${file("~/.matchbox/client.key")}"
-  ca         = "${file("~/.matchbox/ca.crt")}"
+  endpoint    = var.matchbox_rpc_endpoint
+  client_cert = file("~/.matchbox/client.crt")
+  client_key  = file("~/.matchbox/client.key")
+  ca          = file("~/.matchbox/ca.crt")
 }
-```
 
-#### Profiles
-
-Machine profiles specify the kernel, initrd, kernel args, Container Linux Config, Cloud-config, or other configs used to network boot and provision a bare-metal machine. This profile will PXE boot machines using the current stable Container Linux kernel and initrd (see [assets](api-http.md#assets) to learn about caching for speed) and supply a Container Linux Config specifying that a disk install and reboot should be performed. Learn more about [Container Linux configs](https://coreos.com/os/docs/latest/configuration.html).
-
-```hcl
-// Create a CoreOS-install profile
-resource "matchbox_profile" "coreos-install" {
-  name = "coreos-install"
-  kernel = "https://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe.vmlinuz"
-  initrd = [
-    "https://stable.release.core-os.net/amd64-usr/current/coreos_production_pxe_image.cpio.gz"
-  ]
-  args = [
-    "coreos.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
-    "coreos.first_boot=yes",
-    "console=tty0",
-    "console=ttyS0",
-  ]
-  container_linux_config = "${file("./cl/coreos-install.yaml.tmpl")}"
-}
-```
-
-#### Groups
-
-Matcher groups match machines based on labels like MAC, UUID, etc. to different profiles and templates in machine-specific values. This group does not have a `selector` block, so any machines which network boot from matchbox will match this group and be provisioned using the `coreos-install` profile. Machines are matched to the most specific matching group.
-
-```hcl
-resource "matchbox_group" "default" {
-  name = "default"
-  profile = "${matchbox_profile.coreos-install.name}"
-  # no selector means all machines can be matched
-  metadata {
-    ignition_endpoint = "${var.matchbox_http_endpoint}/ignition"
-    ssh_authorized_key = "${var.ssh_authorized_key}"
+terraform {
+  required_providers {
+    ct = {
+      source  = "poseidon/ct"
+      version = "0.10.0"
+    }
+    matchbox = {
+      source = "poseidon/matchbox"
+      version = "0.5.0"
+    }
   }
 }
 ```
 
+### Profiles
+
+Machine profiles specify the kernel, initrd, kernel args, Ignition Config, and other configs (e.g. templated Container Linux Config, Cloud-config, generic) used to network boot and provision a bare-metal machine. The profile below would PXE boot machines using a Fedora CoreOS kernel and initrd (see [assets](api-http.md#assets) to learn about caching for speed), perform a disk install, reboot (first boot from disk), and use a [Fedora CoreOS Config](https://github.com/coreos/fcct/blob/master/docs/configuration-v1_1.md) to generate an Ignition config to provision.
+
+```tf
+// Fedora CoreOS profile
+resource "matchbox_profile" "fedora-coreos-install" {
+  name  = "worker"
+  kernel = "https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-kernel-x86_64"
+
+  initrd = [
+    "--name main https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-initramfs.x86_64.img"
+  ]
+
+  args = [
+    "initrd=main",
+    "coreos.live.rootfs_url=https://builds.coreos.fedoraproject.org/prod/streams/${var.os_stream}/builds/${var.os_version}/x86_64/fedora-coreos-${var.os_version}-live-rootfs.x86_64.img",
+    "coreos.inst.install_dev=/dev/sda",
+    "coreos.inst.ignition_url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}"
+  ]
+
+  raw_ignition = data.ct_config.worker.rendered
+}
+
+data "ct_config" "worker" {
+  content = templatefile("fcc/fedora-coreos.yaml", {
+    ssh_authorized_key = var.ssh_authorized_key
+  })
+  strict = true
+}
+```
+
+### Groups
+
+Matcher groups match machines based on labels like MAC, UUID, etc. to different profiles and templates in machine-specific values. The group below does not have a `selector` block, so any machines which network boot from Matchbox will match this group and be provisioned using the `fedora-coreos-install` profile. Machines are matched to the most specific matching group.
+
+```tf
+// Default matcher group for machines
+resource "matchbox_group" "default" {
+  name    = "default"
+  profile = matchbox_profile.fedora-coreos-install.name
+}
+```
+
+### Variables
+
+Some Terraform [variables](https://www.terraform.io/docs/configuration/variables.html) are used in the examples. A quick way to set their value is by creating a `terraform.tfvars` file.
+
+```
+cp terraform.tfvars.example terraform.tfvars
+```
+
+```tf
+matchbox_http_endpoint = "http://matchbox.example.com:8080"
+matchbox_rpc_endpoint  = "matchbox.example.com:8081"
+os_version             = "36.20220618.3.1"
+ssh_authorized_key     = "YOUR_SSH_KEY"
+```
+
 ### Apply
 
-Apply the terraform configuration.
+Initialize the Terraform workspace. Then plan and apply the resources.
 
-```sh
+```
+terraform init
+```
+
+```
 $ terraform apply
 Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
 ```
@@ -148,13 +166,12 @@ Matchbox serves configs to machines and respects query parameters, if you're int
 * iPXE default - [/ipxe](http://matchbox.example.com:8080/ipxe)
 * Ignition default - [/ignition](http://matchbox.example.com:8080/ignition)
 * Ignition post-install - [/ignition?os=installed](http://matchbox.example.com:8080/ignition?os=installed)
-* GRUB default - [/grub](http://matchbox.example.com:8080/grub)
 
 ## Network
 
-Matchbox can integrate with many on-premise network setups. It does not seek to be the DHCP server, TFTP server, or DNS server for the network. Instead, matchbox serves iPXE scripts and GRUB configs as the entrypoint for provisioning network booted machines. PXE clients are supported by chainloading iPXE firmware.
+Matchbox can integrate with many on-premise network setups. It does not seek to be the DHCP server, TFTP server, or DNS server for the network. Instead, matchbox serves iPXE scripts as the entrypoint for provisioning network booted machines. PXE clients are supported by chainloading iPXE firmware.
 
-In the simplest case, an iPXE-enabled network can chain to matchbox,
+In the simplest case, an iPXE-enabled network can chain to Matchbox,
 
 ```
 # /var/www/html/ipxe/default.ipxe
@@ -171,7 +188,7 @@ If you've never setup a PXE-enabled network before or you're trying to setup a h
 
 ## Boot
 
-Its time to network boot your machines. Use the BMC's remote management capablities (may be vendor-specific) to set the boot device (on the next boot only) to PXE and power on each machine.
+Its time to network boot your machines. Use the BMC's remote management capabilities (may be vendor-specific) to set the boot device (on the next boot only) to PXE and power on each machine.
 
 ```sh
 $ ipmitool -H node1.example.com -U USER -P PASS power off
@@ -179,20 +196,19 @@ $ ipmitool -H node1.example.com -U USER -P PASS chassis bootdev pxe
 $ ipmitool -H node1.example.com -U USER -P PASS power on
 ```
 
-Each machine should chainload iPXE, delegate to `matchbox`, receive its iPXE config (or other supported configs) and begin the provisioning process. The `simple-install` example assumes your machines are configured to boot from disk first and PXE only when requested, but you can write profiles for different cases.
+Each machine should chainload iPXE, delegate to Matchbox, receive its iPXE config (or other supported configs) and begin the provisioning process. The examples assume machines are configured to boot from disk first and PXE only when requested, but you can write profiles for different cases.
 
-Once the Container Linux install completes and the machine reboots you can SSH,
+Once the install completes and the machine reboots, you can SSH.
 
 ```ssh
 $ ssh core@node1.example.com
 ```
 
-To re-provision the machine for another purpose, run `terraform apply` and PXE boot it again.
+To re-provision the machine for another purpose, run `terraform apply` and PXE boot machines again.
 
 ## Going Further
 
-Matchbox can be used to provision multi-node Container Linux clusters at one or many on-premise sites if deployed in an HA way. Machines can be matched individually by MAC address, UUID, region, or other labels you choose. Installs can be made much faster by caching images in the built-in HTTP [assets](api-http.md#assets) server.
+Matchbox can be used to provision multi-node Fedora CoreOS or Flatcar Linux clusters at one or many on-premise sites if deployed in an HA way. Machines can be matched individually by MAC address, UUID, region, or other labels you choose. Installs can be made much faster by caching images in the built-in HTTP [assets](api-http.md#assets) server.
 
-[Container Linux configs](https://coreos.com/os/docs/latest/configuration.html) can be used to partition disks and filesystems, write systemd units, write networkd configs or regular files, and create users. Container Linux nodes can be provisioned into a system that meets your needs. Checkout the examples which create a 3 node [etcd](../examples/terraform/etcd3-install) cluster or a 3 node [Kubernetes](../examples/terraform/bootkube-install) cluster.
+[Ignition](https://github.com/coreos/ignition) can be used to partition disks, create file systems, write systemd units, write networkd configs or regular files, and create users. Nodes can be network provisioned into a complete cluster system that meets your needs. For example, see [Typhoon](https://typhoon.psdn.io/fedora-coreos/bare-metal/).
 
-[terraform-dl]: https://www.terraform.io/downloads.html

docs/index.md

@@ -1,29 +1,30 @@
 # Matchbox
 
-Matchbox is a service that matches bare-metal machines to profiles that PXE boot and provision clusters. Machines are matched by labels like MAC or UUID during PXE and profiles specify a kernel/initrd, iPXE config, and Container Linux or Fedora CoreOS config.
+Matchbox is a service that matches bare-metal machines to profiles that PXE boot and provision clusters. Machines are matched by labels like MAC or UUID during PXE and profiles specify a kernel/initrd, iPXE config, and Ignition config.
 
 ## Features
 
 * Chainload via iPXE and match hardware labels
-* Provision Container Linux and Fedora CoreOS (powered by [Ignition](https://github.com/coreos/ignition))
+* Provision Fedora CoreOS or Flatcar Linux (powered by [Ignition](https://github.com/coreos/ignition))
 * Authenticated gRPC API for clients (e.g. Terraform)
 
 ## Installation
 
 Matchbox can be installed from a binary or a container image.
 
-* Install Matchbox on [Kubernetes](deployment.md#kubernetes), on a [Linux](deployment.md) host, or as a [container](deployment.md#docker)
+* Install Matchbox as a [binary](deployment.md#matchbox-binary), as a [container image](deployment.md#container-image), or on [Kubernetes](deployment.md#kubernetes)
 * Setup a PXE-enabled [network](network-setup.md)
 
 ## Tutorials
 
-[Getting started](getting-started.md) provisioning machines with Container Linux.
+Start provisioning machines with Fedora CoreOS or Flatcar Linux.
 
-* Local QEMU/KVM
-    * [matchbox with Docker](getting-started-docker.md)
-* Clusters
-    * [etcd3](getting-started-docker.md) - Install a 3-node etcd3 cluster
-    * [etcd3](https://github.com/poseidon/matchbox/tree/master/examples/terraform/etcd3-install) - Install a 3-node etcd3 cluster (terraform-based)
+* [Terraform Usage](getting-started.md)
+    * Fedora CoreOS (live PXE or PXE install to disk)
+    * Flatcar Linux (live PXE or PXE install to disk)
+* [Local QEMU/KVM](getting-started-docker.md)
+    * Fedora CoreOS (live PXE or PXE install to disk)
+    * Flatcar Linux (live PXE or PXE install to disk)
 
 ## Related
 

docs/matchbox.md

@@ -172,7 +172,7 @@ matchbox.foo/assets/
 
 For example, a `Profile` might refer to a local asset `/assets/coreos/VERSION/coreos_production_pxe.vmlinuz` instead of `http://stable.release.core-os.net/amd64-usr/VERSION/coreos_production_pxe.vmlinuz`.
 
-See the [get-coreos](https://github.com/poseidon/matchbox/blob/master/scripts/get-coreos) script to quickly download, verify, and place Container Linux assets.
+See the [get-fedora-coreos](https://github.com/poseidon/matchbox/blob/master/scripts/get-fedora-coreos) or [get-flatcar](https://github.com/poseidon/matchbox/blob/master/scripts/get-flatcar) scripts to quickly download, verify, and place image assets.
 
 ## Network
 

docs/network-setup.md

@@ -2,7 +2,7 @@
 
 This guide shows how to create a DHCP/TFTP/DNS network boot environment to boot and provision BIOS/PXE, iPXE, or UEFI client machines.
 
-Matchbox serves iPXE scripts over HTTP to serve as the entrypoint for provisioning clusters. It does not implement or exec a DHCP, TFTP, or DNS server. Instead, configure your network environment to point to Matchbox or use the convenient [poseidon/dnsmasq](../contrib/dnsmasq) container image (used in local QEMU/KVM setup).
+Matchbox serves iPXE scripts over HTTP to serve as the entrypoint for provisioning clusters. It does not implement or exec a DHCP, TFTP, or DNS server. Instead, configure your network environment to point to Matchbox or use the convenient [quay.io/poseidon/dnsmasq](https://quay.io/repository/poseidon/matchbox) container image (used in local QEMU/KVM setup).
 
 *Note*: These are just suggestions. Your network administrator or system administrator should choose the right network setup for your company.
 
@@ -88,7 +88,7 @@ dhcp-boot=tag:ipxe,http://matchbox.example.com:8080/boot.ipxe
 log-queries
 log-dhcp
 
-# static DNS assignements
+# static DNS assignments
 address=/matchbox.example.com/192.168.1.100
 
 # (optional) disable DNS and specify alternate
@@ -138,7 +138,7 @@ $ sudo firewall-cmd --add-service=dhcp --add-service=tftp [--add-service=dns]
 $ sudo firewall-cmd --list-services
 ```
 
-See [dnsmasq](#coreosdnsmasq) below to run dnsmasq with a container.
+See [dnsmasq](#poseidon/dnsmasq) below to run dnsmasq with a container.
 
 ### Configurable TFTP
 
@@ -158,7 +158,7 @@ Add ipxe.lkrn to `/var/lib/tftpboot` (see [iPXE docs](http://ipxe.org/embed)).
 
 ## poseidon/dnsmasq
 
-The [quay.io/poseidon/dnsmasq](https://quay.io/repository/poseidon/dnsmasq) container image can run DHCP, TFTP, and DNS services via docker. The image bundles `ipxe.efi`, `undionly.kpxe`, and `grub.efi` for convenience. See [contrib/dnsmasq](../contrib/dnsmasq) for details.
+The [quay.io/poseidon/dnsmasq](https://quay.io/repository/poseidon/dnsmasq) container image can run DHCP, TFTP, and DNS services via docker. The image bundles `ipxe.efi`, `undionly.kpxe`, and `grub.efi` for convenience. See [contrib/dnsmasq](https://github.com/poseidon/matchbox/tree/master/contrib/dnsmasq) for details.
 
 Run DHCP, TFTP, and DNS on the host's network:
 

examples/README.md

@@ -1,6 +1,6 @@
 # Examples
 
-Matchbox automates network booting and provisioning of clusters. These examples show how to use matchbox on-premise or locally with [QEMU/KVM](scripts/README.md#libvirt).
+Matchbox automates network booting and provisioning of clusters. These examples show how to use Matchbox on-premise or locally with QEMU/KVM.
 
 ## Terraform Examples
 
@@ -8,46 +8,55 @@ These examples use [Terraform](https://www.terraform.io/intro/) as a client to M
 
 | Name                          | Description                   |
 |-------------------------------|-------------------------------|
-| [simple-install](terraform/simple-install/) | Install Container Linux with an SSH key |
-| [etcd3-install](terraform/etcd3-install/) | Install a 3-node etcd3 cluster |
+| [fedora-coreos-install](terraform/fedora-coreos-install) | Fedora CoreOS disk install |
+| [flatcar-install](terraform/flatcar-install) | Flatcar Linux disk install |
 
 ### Customization
 
-You are encouraged to look through the examples and Terraform modules. Implement your own profiles or package them as modules to meet your needs. We've just provided a starting point. Learn more about [matchbox](../docs/matchbox.md) and [Container Linux configs](../docs/container-linux-config.md).
+Look through the examples and Terraform modules and use them as a starting point. Learn more about [matchbox](../docs/matchbox.md).
 
 ## Manual Examples
 
 These examples mount raw Matchbox objects into a Matchbox server's `/var/lib/matchbox/` directory.
 
-| Name       | Description | CoreOS Container Linux Version | FS | Docs |
-|------------|-------------|----------------|----|-----------|
-| simple | CoreOS Container Linux with autologin, using iPXE | stable/1967.3.0 | RAM | [reference](https://coreos.com/os/docs/latest/booting-with-ipxe.html) |
-| simple-install | CoreOS Container Linux Install, using iPXE | stable/1967.3.0 | RAM | [reference](https://coreos.com/os/docs/latest/booting-with-ipxe.html) |
-| grub | CoreOS Container Linux via GRUB2 Netboot | stable/1967.3.0 | RAM | NA |
-| etcd3 | PXE boot a 3-node etcd3 cluster with proxies | stable/1967.3.0 | RAM | None |
-| etcd3-install | Install a 3-node etcd3 cluster to disk | stable/1967.3.0 | Disk | None |
+| Name          | Description                  | FS  | Docs  |
+|---------------|------------------------------|-----|-------|
+| fedora-coreos | Fedora CoreOS live PXE       | RAM | [docs](https://docs.fedoraproject.org/en-US/fedora-coreos/live-booting/) |
+| fedora-coreos-install | Fedora CoreOS install | Disk | [docs](https://docs.fedoraproject.org/en-US/fedora-coreos/bare-metal/) |
+| flatcar       | Flatcar Linux live PXE       | RAM | [docs](https://docs.flatcar-linux.org/os/booting-with-ipxe/) |
+| flatcar-install | Flatcar Linux install      | Disk | [docs](https://docs.flatcar-linux.org/os/booting-with-ipxe/) |
 
-### Customization
+### SSH Access
 
-#### Autologin
+For Fedora CoreOS, add an SSH authorized key to the Butane Config (`ignition/fedora-coreos.yaml`) and regenerate the Ignition Config.
 
-Example profiles pass the `coreos.autologin` kernel argument. This skips the password prompt for development and troubleshooting and should be removed **before production**.
+```yaml
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - ssh-ed25519 SET_PUBKEY_HERE
+```
 
-## SSH Keys
+```
+podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < fedora-coreos.yaml > fedora-coreos.ign
+```
 
-Example groups allow `ssh_authorized_keys` to be added for the `core` user as metadata. You might also include this directly in your Ignition.
+For Flatcar Linux, add an SSH authorized key to the Butane config (`ignition/flatcar.yaml` or `ignition/flatcar-install.yaml`) and regenerate the Ignition Config.
 
-    # /var/lib/matchbox/groups/default.json
-    {
-        "name": "Example Machine Group",
-        "profile": "pxe",
-        "metadata": {
-            "ssh_authorized_keys": ["ssh-rsa pub-key-goes-here"]
-        }
-    }
+```yaml
+variant: flatcar
+version: 1.0.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - ssh-ed25519 SET_PUBKEY_HERE
+```
 
-#### Conditional Variables
-
-**"pxe"**
-
-Some examples check the `pxe` variable to determine whether to create a `/dev/sda1` filesystem and partition for PXEing with `root=/dev/sda1` ("pxe":"true") or to write files to the existing filesystem on `/dev/disk/by-label/ROOT` ("pxe":"false").
+```
+podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < flatcar.yaml > flatcar.ign
+podman run -i --rm quay.io/coreos/fcct:release --pretty --strict < flatcar-install.yaml > flatcar-install.ign
+```

examples/groups/bootkube-install/install.json

@@ -1,11 +0,0 @@
-{
-  "id": "coreos-install",
-  "name": "CoreOS Container Linux Install",
-  "profile": "install-reboot",
-  "metadata": {
-    "coreos_channel": "stable",
-    "coreos_version": "1967.3.0",
-    "ignition_endpoint": "http://matchbox.example.com:8080/ignition",
-    "baseurl": "http://matchbox.example.com:8080/assets/coreos"
-  }
-}

examples/groups/bootkube-install/node1.json

@@ -1,19 +0,0 @@
-{
-  "id": "node1",
-  "name": "Controller Node",
-  "profile": "bootkube-controller",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_initial_cluster": "node1=https://node1.example.com:2380",
-    "etcd_name": "node1",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-
-    ]
-  }
-}

examples/groups/bootkube-install/node2.json

@@ -1,16 +0,0 @@
-{
-  "id": "node2",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}

examples/groups/bootkube-install/node3.json

@@ -1,16 +0,0 @@
-{
-  "id": "node3",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:c3:61:77",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}

examples/groups/bootkube/node1.json

@@ -1,18 +0,0 @@
-{
-  "id": "node1",
-  "name": "Controller Node",
-  "profile": "bootkube-controller",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_initial_cluster": "node1=https://node1.example.com:2380",
-    "etcd_name": "node1",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "pxe": "true",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}

examples/groups/bootkube/node2.json

@@ -1,16 +0,0 @@
-{
-  "id": "node2",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "pxe": "true",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}

examples/groups/bootkube/node3.json

@@ -1,16 +0,0 @@
-{
-  "id": "node3",
-  "name": "Worker Node",
-  "profile": "bootkube-worker",
-  "selector": {
-    "mac": "52:54:00:c3:61:77"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "k8s_dns_service_ip": "10.3.0.10",
-    "pxe": "true",
-    "ssh_authorized_keys": [
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPQFdwVLr+alsWIgYRz9OdqDhnx9jjuFbkdSdpqq4gd9uZApYlivMDD4UgjFazQpezx8DiNhu9ym7i6LgAcdwi+10hE4L9yoJv9uBgbBxOAd65znqLqF91NtV4mlKP5YfJtR7Ehs+pTB+IIC+o5veDbPn+BYgDMJ2x7Osbn1/gFSDken/yoOFbYbRMGMfVEQYjJzC4r/qCKH0bl/xuVNLxf9FkWSTCcQFKGOndwuGITDkshD4r2Kk8gUddXPxoahBv33/2QH0CY5zbKYjhgN6I6WtwO+O1uJwtNeV1AGhYjurdd60qggNwx+W7623uK3nIXvJd3hzDO8u5oa53/tIL fake-test-key-REMOVE-ME"
-    ]
-  }
-}

examples/groups/etcd3-install/gateway.json

@@ -1,11 +0,0 @@
-{
-  "id": "default",
-  "name": "default",
-  "profile": "etcd3-gateway",
-  "selector": {
-    "os": "installed"
-  },
-  "metadata": {
-    "etcd_endpoints": "node1.example.com:2379,node2.example.com:2379,node3.example.com:2379"
-  }
-}

examples/groups/etcd3-install/install.json

@@ -1,11 +0,0 @@
-{
-  "id": "coreos-install",
-  "name": "CoreOS Container Linux Install",
-  "profile": "install-reboot",
-  "metadata": {
-    "coreos_channel": "stable",
-    "coreos_version": "1967.3.0",
-    "ignition_endpoint": "http://matchbox.example.com:8080/ignition",
-    "baseurl": "http://matchbox.example.com:8080/assets/coreos"
-  }
-}

examples/groups/etcd3-install/node1.json

@@ -1,14 +0,0 @@
-{
-  "id": "node1",
-  "name": "etcd Node 1",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_name": "node1",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}

examples/groups/etcd3-install/node2.json

@@ -1,14 +0,0 @@
-{
-  "id": "node2",
-  "name": "etcd Node 2",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "etcd_name": "node2",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}

examples/groups/etcd3-install/node3.json

@@ -1,14 +0,0 @@
-{
-  "id": "node3",
-  "name": "etcd Node 3",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:c3:61:77",
-    "os": "installed"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "etcd_name": "node3",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}

examples/groups/etcd3/gateway.json

@@ -1,8 +0,0 @@
-{
-  "id": "default",
-  "name": "default",
-  "profile": "etcd3-gateway",
-  "metadata": {
-    "etcd_endpoints": "node1.example.com:2379,node2.example.com:2379,node3.example.com:2379"
-  }
-}

examples/groups/etcd3/node1.json

@@ -1,13 +0,0 @@
-{
-  "id": "node1",
-  "name": "etcd Node 1",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:a1:9c:ae"
-  },
-  "metadata": {
-    "domain_name": "node1.example.com",
-    "etcd_name": "node1",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}

examples/groups/etcd3/node2.json

@@ -1,13 +0,0 @@
-{
-  "id": "node2",
-  "name": "etcd Node 2",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:b2:2f:86"
-  },
-  "metadata": {
-    "domain_name": "node2.example.com",
-    "etcd_name": "node2",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}

examples/groups/etcd3/node3.json

@@ -1,13 +0,0 @@
-{
-  "id": "node3",
-  "name": "etcd Node 3",
-  "profile": "etcd3",
-  "selector": {
-    "mac": "52:54:00:c3:61:77"
-  },
-  "metadata": {
-    "domain_name": "node3.example.com",
-    "etcd_name": "node3",
-    "etcd_initial_cluster": "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-  }
-}

examples/groups/fedora-coreos-install/default.json

@@ -0,0 +1,7 @@
+{
+  "id": "default",
+  "name": "Fedora CoreOS install",
+  "profile": "fedora-coreos-install",
+  "selector": {},
+  "metadata": {}
+}

examples/groups/fedora-coreos/default.json

@@ -0,0 +1,7 @@
+{
+  "id": "default",
+  "name": "Fedora CoreOS",
+  "profile": "fedora-coreos",
+  "selector": {},
+  "metadata": {}
+}

examples/groups/flatcar-install/flatcar.json

@@ -0,0 +1,9 @@
+{
+  "id": "stage-1",
+  "name": "Flatcar Linux",
+  "profile": "flatcar",
+  "selector": {
+    "os": "installed"
+  },
+  "metadata": {}
+}

examples/groups/flatcar-install/install.json

@@ -0,0 +1,6 @@
+{
+  "id": "stage-0",
+  "name": "Flatcar Linux install",
+  "profile": "flatcar-install",
+  "metadata": {}
+}

examples/groups/flatcar/default.json

@@ -0,0 +1,7 @@
+{
+  "id": "default",
+  "name": "Flatcar Linux",
+  "profile": "flatcar",
+  "selector": {},
+  "metadata": {}
+}

examples/groups/grub/default.json

@@ -1,5 +0,0 @@
-{
-  "id": "default",
-  "name": "GRUB CoreOS Container Linux alpha",
-  "profile": "grub"
-}

examples/groups/simple-install/install.json

@@ -1,11 +0,0 @@
-{
-  "id": "install",
-  "name": "Simple CoreOS Container Linux Install",
-  "profile": "simple-install",
-  "metadata": {
-    "coreos_channel": "stable",
-    "coreos_version": "1967.3.0",
-    "ignition_endpoint": "http://matchbox.example.com:8080/ignition",
-    "baseurl": "http://matchbox.example.com:8080/assets/coreos"
-  }
-}

examples/groups/simple-install/simple.json

@@ -1,9 +0,0 @@
-{
-  "id": "simple",
-  "name": "Simple CoreOS Container Linux Alpha",
-  "profile": "simple",
-  "selector": {
-    "os": "installed"
-  },
-  "metadata": {}
-}

examples/groups/simple/default.json

@@ -1,5 +0,0 @@
-{
-  "id": "default",
-  "name": "Simple CoreOS Container Linux Alpha with RAM disk",
-  "profile": "simple"
-}

examples/ignition/etcd3-gateway.yaml

@@ -1,31 +0,0 @@
----
-systemd:
-  units:
-    - name: etcd-member.service
-      enable: true
-      dropins:
-        - name: 40-etcd-cluster.conf
-          contents: |
-            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.2.0"
-            ExecStart=
-            ExecStart=/usr/lib/coreos/etcd-wrapper gateway start \
-              --listen-addr=127.0.0.1:2379 \
-              --endpoints={{.etcd_endpoints}}
-    - name: locksmithd.service
-      dropins:
-        - name: 40-etcd-lock.conf
-          contents: |
-            [Service]
-            Environment="REBOOT_STRATEGY=etcd-lock"
-
-{{ if index . "ssh_authorized_keys" }}
-passwd:
-  users:
-    - name: core
-      ssh_authorized_keys:
-        {{ range $element := .ssh_authorized_keys }}
-        - {{$element}}
-        {{end}}
-{{end}}
-

examples/ignition/etcd3.yaml

@@ -1,33 +0,0 @@
----
-systemd:
-  units:
-    - name: etcd-member.service
-      enable: true
-      dropins:
-        - name: 40-etcd-cluster.conf
-          contents: |
-            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.2.0"
-            Environment="ETCD_NAME={{.etcd_name}}"
-            Environment="ETCD_ADVERTISE_CLIENT_URLS=http://{{.domain_name}}:2379"
-            Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://{{.domain_name}}:2380"
-            Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
-            Environment="ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380"
-            Environment="ETCD_INITIAL_CLUSTER={{.etcd_initial_cluster}}"
-            Environment="ETCD_STRICT_RECONFIG_CHECK=true"
-    - name: locksmithd.service
-      dropins:
-        - name: 40-etcd-lock.conf
-          contents: |
-            [Service]
-            Environment="REBOOT_STRATEGY=etcd-lock"
-
-{{ if index . "ssh_authorized_keys" }}
-passwd:
-  users:
-    - name: core
-      ssh_authorized_keys:
-        {{ range $element := .ssh_authorized_keys }}
-        - {{$element}}
-        {{end}}
-{{end}}

examples/ignition/fedora-coreos.ign

@@ -0,0 +1,15 @@
+{
+  "ignition": {
+    "version": "3.3.0"
+  },
+  "passwd": {
+    "users": [
+      {
+        "name": "core",
+        "sshAuthorizedKeys": [
+          "ssh-ed25519 SET_PUBKEY_HERE"
+        ]
+      }
+    ]
+  }
+}

examples/ignition/fedora-coreos.yaml

@@ -0,0 +1,8 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - ssh-ed25519 SET_PUBKEY_HERE
+

examples/ignition/flatcar-install.ign

@@ -0,0 +1,36 @@
+{
+  "ignition": {
+    "version": "3.3.0"
+  },
+  "passwd": {
+    "users": [
+      {
+        "name": "core",
+        "sshAuthorizedKeys": [
+          "ssh-ed25519 SET_PUBKEY_HERE"
+        ]
+      }
+    ]
+  },
+  "storage": {
+    "files": [
+      {
+        "path": "/opt/installer",
+        "contents": {
+          "compression": "gzip",
+          "source": "data:;base64,H4sIAAAAAAAC/4SOsU4DMRBEe3/FEmrbx1EQRUIU/AMVzdrecEZrb+TdnC5/T3GhoaF8mhnNe3yIqfaYUBfwtLl8HQzeD7Jxg6cJvD9jZTgsZpdTjA0tL0m2QBu2C1PI0k7H6TjF+tWrVelvoq+1qyEzlQN4gd8kfKt0d2a0jMPfO/DpAHyBWGiNa8Gd30ENE9NOH/A8zy9hDtPOCf61QVUyjfezfVb/mFwLrVgaKJkxOb2pUcvGMCiJmPsJAAD//1GtasgbAQAA"
+        },
+        "mode": 320
+      }
+    ]
+  },
+  "systemd": {
+    "units": [
+      {
+        "contents": "[Unit]\nRequires=network-online.target\nAfter=network-online.target\n[Service]\nType=simple\nExecStart=/opt/installer\n[Install]\nWantedBy=multi-user.target\n",
+        "enabled": true,
+        "name": "installer.service"
+      }
+    ]
+  }
+}

examples/ignition/flatcar-install.yaml

@@ -1,8 +1,10 @@
 ---
+variant: flatcar
+version: 1.0.0
 systemd:
   units:
     - name: installer.service
-      enable: true
+      enabled: true
       contents: |
         [Unit]
         Requires=network-online.target
@@ -15,24 +17,22 @@ systemd:
 storage:
   files:
     - path: /opt/installer
-      filesystem: root
       mode: 0500
       contents:
         inline: |
           #!/bin/bash -ex
-          curl --retry 10 "${ignition_endpoint}?{{.request.raw_query}}&os=installed" -o ignition.json
-          coreos-install \
-            -d ${install_disk} \
-            -C ${container_linux_channel} \
-            -V ${container_linux_version} \
-            -o "${container_linux_oem}" \
-            ${baseurl_flag} \
+          curl --retry 10 --fail "http://matchbox.example.com:8080/ignition?os=installed" -o ignition.json
+          flatcar-install \
+            -d /dev/vda \
+            -C stable \
+            -V 3227.2.0 \
+            -b http://matchbox.example.com:8080/assets/flatcar \
             -i ignition.json
           udevadm settle
           systemctl reboot
+
 passwd:
   users:
     - name: core
       ssh_authorized_keys:
-        - {{.ssh_authorized_key}}
-
+        - ssh-ed25519 SET_PUBKEY_HERE

examples/ignition/flatcar.ign

@@ -0,0 +1,15 @@
+{
+  "ignition": {
+    "version": "3.3.0"
+  },
+  "passwd": {
+    "users": [
+      {
+        "name": "core",
+        "sshAuthorizedKeys": [
+          "ssh-ed25519 SET_PUBKEY_HERE"
+        ]
+      }
+    ]
+  }
+}

examples/ignition/flatcar.yaml

@@ -0,0 +1,7 @@
+variant: flatcar
+version: 1.0.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - ssh-ed25519 SET_PUBKEY_HERE

examples/ignition/install-reboot.yaml

@@ -1,37 +0,0 @@
----
-systemd:
-  units:
-    - name: installer.service
-      enable: true
-      contents: |
-        [Unit]
-        Requires=network-online.target
-        After=network-online.target
-        [Service]
-        Type=simple
-        ExecStart=/opt/installer
-        [Install]
-        WantedBy=multi-user.target
-storage:
-  files:
-    - path: /opt/installer
-      filesystem: root
-      mode: 0500
-      contents:
-        inline: |
-          #!/bin/bash -ex
-          curl --retry 10 --fail "{{.ignition_endpoint}}?{{.request.raw_query}}&os=installed" -o ignition.json
-          coreos-install -d /dev/sda -C {{.coreos_channel}} -V {{.coreos_version}} -i ignition.json {{if index . "baseurl"}}-b {{.baseurl}}{{end}}
-          udevadm settle
-          systemctl reboot
-
-{{ if index . "ssh_authorized_keys" }}
-passwd:
-  users:
-    - name: core
-      ssh_authorized_keys:
-        {{ range $element := .ssh_authorized_keys }}
-        - {{$element}}
-        {{end}}
-{{end}}
-

examples/ignition/ssh.yaml

@@ -1,10 +0,0 @@
----
-{{ if index . "ssh_authorized_keys" }}
-passwd:
-  users:
-    - name: core
-      ssh_authorized_keys:
-        {{ range $element := .ssh_authorized_keys }}
-        - {{$element}}
-        {{end}}
-{{end}}

examples/profiles/etcd3-gateway.json

@@ -1,17 +0,0 @@
-{
-  "id": "etcd3-gateway",
-  "name": "etcd3-gateway",
-  "boot": {
-    "kernel": "/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz",
-    "initrd": ["/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"],
-    "args": [
-      "initrd=coreos_production_pxe_image.cpio.gz",
-      "coreos.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
-      "coreos.first_boot=yes",
-      "console=tty0",
-      "console=ttyS0",
-      "coreos.autologin"
-    ]
-  },
-  "ignition_id": "etcd3-gateway.yaml"
-}

examples/profiles/etcd3.json

@@ -1,17 +0,0 @@
-{
-  "id": "etcd3",
-  "name": "etcd3",
-  "boot": {
-    "kernel": "/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz",
-    "initrd": ["/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"],
-    "args": [
-      "initrd=coreos_production_pxe_image.cpio.gz",
-      "coreos.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
-      "coreos.first_boot=yes",
-      "console=tty0",
-      "console=ttyS0",
-      "coreos.autologin"
-    ]
-  },
-  "ignition_id": "etcd3.yaml"
-}

examples/profiles/fedora-coreos-install.json

@@ -0,0 +1,17 @@
+{
+  "id": "fedora-coreos-install",
+  "name": "Fedora CoreOS install to disk",
+  "boot": {
+    "kernel": "/assets/fedora-coreos/fedora-coreos-36.20220618.3.1-live-kernel-x86_64",
+    "initrd": [
+      "--name main /assets/fedora-coreos/fedora-coreos-36.20220618.3.1-live-initramfs.x86_64.img"
+    ],
+    "args": [
+      "initrd=main",
+      "coreos.live.rootfs_url=http://matchbox.example.com:8080/assets/fedora-coreos/fedora-coreos-36.20220618.3.1-live-rootfs.x86_64.img",
+      "coreos.inst.install_dev=/dev/vda",
+      "coreos.inst.ignition_url=http://matchbox.example.com:8080/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}"
+    ]
+  },
+  "ignition_id": "fedora-coreos.ign"
+}

examples/profiles/fedora-coreos.json

@@ -0,0 +1,18 @@
+{
+  "id": "fedora-coreos",
+  "name": "Fedora CoreOS",
+  "boot": {
+    "kernel": "/assets/fedora-coreos/fedora-coreos-36.20220618.3.1-live-kernel-x86_64",
+    "initrd": [
+      "--name main /assets/fedora-coreos/fedora-coreos-36.20220618.3.1-live-initramfs.x86_64.img"
+    ],
+    "args": [
+      "initrd=main",
+      "coreos.live.rootfs_url=http://matchbox.example.com:8080/assets/fedora-coreos/fedora-coreos-36.20220618.3.1-live-rootfs.x86_64.img",
+      "ignition.firstboot",
+      "ignition.platform.id=metal",
+      "ignition.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}"
+    ]
+  },
+  "ignition_id": "fedora-coreos.ign"
+}

examples/profiles/flatcar-install.json

@@ -0,0 +1,17 @@
+{
+  "id": "flatcar-install",
+  "name": "Flatcar Linux install to disk",
+  "boot": {
+    "kernel": "/assets/flatcar/3227.2.0/flatcar_production_pxe.vmlinuz",
+    "initrd": [
+      "/assets/flatcar/3227.2.0/flatcar_production_pxe_image.cpio.gz"
+    ],
+    "args": [
+      "initrd=flatcar_production_pxe_image.cpio.gz",
+      "flatcar.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
+      "flatcar.first_boot=yes",
+      "flatcar.autologin"
+    ]
+  },
+  "ignition_id": "flatcar-install.ign"
+}

examples/profiles/flatcar.json

@@ -0,0 +1,17 @@
+{
+  "id": "flatcar",
+  "name": "Flatcar Linux",
+  "boot": {
+    "kernel": "/assets/flatcar/3227.2.0/flatcar_production_pxe.vmlinuz",
+    "initrd": [
+      "/assets/flatcar/3227.2.0/flatcar_production_pxe_image.cpio.gz"
+    ],
+    "args": [
+      "initrd=flatcar_production_pxe_image.cpio.gz",
+      "flatcar.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
+      "flatcar.first_boot=yes",
+      "flatcar.autologin"
+    ]
+  },
+  "ignition_id": "flatcar.ign"
+}

examples/profiles/grub.json

@@ -1,16 +0,0 @@
-{
-  "id": "grub",
-  "name": "CoreOS Container Linux via GRUB2",
-  "boot": {
-    "kernel": "(http;matchbox.example.com:8080)/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz",
-    "initrd": ["(http;matchbox.example.com:8080)/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"],
-    "args": [
-      "coreos.config.url=http://matchbox.example.com:8080/ignition",
-      "coreos.first_boot=yes",
-      "console=tty0",
-      "console=ttyS0",
-      "coreos.autologin"
-    ]
-  },
-  "ignition_id": "ssh.yaml"
-}

examples/profiles/install-reboot.json

@@ -1,17 +0,0 @@
-{
-  "id": "install-reboot",
-  "name": "Install CoreOS Container Linux and Reboot",
-  "boot": {
-    "kernel": "/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz",
-    "initrd": ["/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"],
-    "args": [
-      "initrd=coreos_production_pxe_image.cpio.gz",
-      "coreos.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
-      "coreos.first_boot=yes",
-      "console=tty0",
-      "console=ttyS0",
-      "coreos.autologin"
-    ]
-  },
-  "ignition_id": "install-reboot.yaml"
-}

examples/profiles/simple-install.json

@@ -1,17 +0,0 @@
-{
-  "id": "simple-install",
-  "name": "Simple CoreOS Container Linux Alpha Install",
-  "boot": {
-    "kernel": "/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz",
-    "initrd": ["/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"],
-    "args": [
-      "initrd=coreos_production_pxe_image.cpio.gz",
-      "coreos.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
-      "coreos.first_boot=yes",
-      "console=tty0",
-      "console=ttyS0",
-      "coreos.autologin"
-    ]
-  },
-  "ignition_id": "install-reboot.yaml"
-}

examples/profiles/simple.json

@@ -1,19 +0,0 @@
-{
-  "id": "simple",
-  "name": "Simple CoreOS Container Linux Alpha",
-  "boot": {
-    "kernel": "/assets/coreos/1967.3.0/coreos_production_pxe.vmlinuz",
-    "initrd": [
-      "/assets/coreos/1967.3.0/coreos_production_pxe_image.cpio.gz"
-    ],
-    "args": [
-      "initrd=coreos_production_pxe_image.cpio.gz",
-      "coreos.config.url=http://matchbox.example.com:8080/ignition?uuid=${uuid}&mac=${mac:hexhyp}",
-      "coreos.first_boot=yes",
-      "console=tty0",
-      "console=ttyS0",
-      "coreos.autologin"
-    ]
-  },
-  "ignition_id": "ssh.yaml"
-}

examples/terraform/etcd3-install/README.md

@@ -1,103 +0,0 @@
-# etcd3
-
-The `etcd3-install` example shows how to use matchbox to network boot and provision 3-node etcd3 cluster on bare-metal in an automated way.
-
-## Requirements
-
-Follow the getting started [tutorial](../../../docs/getting-started.md) to learn about matchbox and set up an environment that meets the requirements:
-
-* Matchbox v0.6+ [installation](../../../docs/deployment.md) with gRPC API enabled
-* Matchbox provider credentials `client.crt`, `client.key`, and `ca.crt`
-* PXE [network boot](../../../docs/network-setup.md) environment
-* Terraform v0.9+ and [terraform-provider-matchbox](https://github.com/poseidon/terraform-provider-matchbox) installed locally on your system
-* 3 machines with known DNS names and MAC addresses
-
-If you prefer to provision QEMU/KVM VMs on your local Linux machine, set up the matchbox [development environment](../../../docs/getting-started-docker.md).
-
-```sh
-sudo ./scripts/devnet create
-```
-
-## Usage
-
-Clone the [matchbox](https://github.com/poseidon/matchbox) project and take a look at the cluster examples.
-
-```sh
-$ git clone https://github.com/poseidon/matchbox.git
-$ cd matchbox/examples/terraform/etcd3-install
-```
-
-Copy the `terraform.tfvars.example` file to `terraform.tfvars`. Ensure `provider.tf` references your matchbox credentials.
-
-```hcl
-matchbox_http_endpoint = "http://matchbox.example.com:8080"
-matchbox_rpc_endpoint = "matchbox.example.com:8081"
-ssh_authorized_key = "ADD ME"
-```
-
-Configs in `etcd3-install` configure the matchbox provider, define profiles (e.g. `cached-container-linux-install`, `etcd3`), and define 3 groups which match machines by MAC address to a profile. These resources declare that the machines should PXE boot, install Container Linux to disk, and provision themselves into peers in a 3-node etcd3 cluster.
-
-Note: The `cached-container-linux-install` profile will PXE boot and install Container Linux from matchbox [assets](https://github.com/poseidon/matchbox/blob/master/docs/api.md#assets). If you have not populated the assets cache, use the `container-linux-install` profile to use public images (slower).
-
-### Optional
-
-You may set certain optional variables to override defaults.
-
-```hcl
-# install_disk = "/dev/sda"
-# container_linux_oem = ""
-```
-
-## Apply
-
-Fetch the [profiles](../README.md#modules) Terraform [module](https://www.terraform.io/docs/modules/index.html) which let's you use common machine profiles maintained in the matchbox repo (like `etcd3`).
-
-```sh
-$ terraform get
-```
-
-Plan and apply to create the resoures on Matchbox.
-
-```sh
-$ terraform plan
-Plan: 10 to add, 0 to change, 0 to destroy.
-$ terraform apply
-Apply complete! Resources: 10 added, 0 changed, 0 destroyed.
-```
-
-## Machines
-
-Power on each machine (with PXE boot device on next boot). Machines should network boot, install Container Linux to disk, reboot, and provision themselves as a 3-node etcd3 cluster. 
-
-```sh
-$ ipmitool -H node1.example.com -U USER -P PASS chassis bootdev pxe
-$ ipmitool -H node1.example.com -U USER -P PASS power on
-```
-
-For local QEMU/KVM development, create the QEMU/KVM VMs.
-
-```sh
-$ sudo ./scripts/libvirt create
-$ sudo ./scripts/libvirt [start|reboot|shutdown|poweroff|destroy]
-```
-
-## Verify
-
-Verify each node is running etcd3 (i.e. etcd-member.service).
-
-```sh
-$ ssh core@node1.example.com
-$ systemctl status etcd-member
-```
-
-Verify that etcd3 peers are healthy and communicating.
-
-```sh
-$ etcdctl cluster-health
-$ etcdctl set /message hello
-$ etcdctl get /message
-```
-
-## Going Further
-
-Learn more about [matchbox](../../../docs/matchbox.md) or explore the other [example](../) clusters.

examples/terraform/etcd3-install/etcd3.tf

@@ -1,74 +0,0 @@
-// Create popular profiles (convenience module)
-module "profiles" {
-  source                  = "../modules/profiles"
-  matchbox_http_endpoint  = "${var.matchbox_http_endpoint}"
-  container_linux_version = "1967.3.0"
-  container_linux_channel = "stable"
-  install_disk            = "${var.install_disk}"
-  container_linux_oem     = "${var.container_linux_oem}"
-}
-
-// Install Container Linux to disk before provisioning
-resource "matchbox_group" "default" {
-  name    = "default"
-  profile = "${module.profiles.cached-container-linux-install}"
-
-  // No selector, matches all nodes
-
-  metadata {
-    ssh_authorized_key = "${var.ssh_authorized_key}"
-  }
-}
-
-// Create matcher groups for 3 machines
-
-resource "matchbox_group" "node1" {
-  name    = "node1"
-  profile = "${module.profiles.etcd3}"
-
-  selector {
-    mac = "52:54:00:a1:9c:ae"
-    os  = "installed"
-  }
-
-  metadata {
-    domain_name          = "node1.example.com"
-    etcd_name            = "node1"
-    etcd_initial_cluster = "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-    ssh_authorized_key   = "${var.ssh_authorized_key}"
-  }
-}
-
-resource "matchbox_group" "node2" {
-  name    = "node2"
-  profile = "${module.profiles.etcd3}"
-
-  selector {
-    mac = "52:54:00:b2:2f:86"
-    os  = "installed"
-  }
-
-  metadata {
-    domain_name          = "node2.example.com"
-    etcd_name            = "node2"
-    etcd_initial_cluster = "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-    ssh_authorized_key   = "${var.ssh_authorized_key}"
-  }
-}
-
-resource "matchbox_group" "node3" {
-  name    = "node3"
-  profile = "${module.profiles.etcd3}"
-
-  selector {
-    mac = "52:54:00:c3:61:77"
-    os  = "installed"
-  }
-
-  metadata {
-    domain_name          = "node3.example.com"
-    etcd_name            = "node3"
-    etcd_initial_cluster = "node1=http://node1.example.com:2380,node2=http://node2.example.com:2380,node3=http://node3.example.com:2380"
-    ssh_authorized_key   = "${var.ssh_authorized_key}"
-  }
-}

examples/terraform/etcd3-install/provider.tf

@@ -1,7 +0,0 @@
-// Configure the matchbox provider
-provider "matchbox" {
-  endpoint    = "${var.matchbox_rpc_endpoint}"
-  client_cert = "${file("~/.matchbox/client.crt")}"
-  client_key  = "${file("~/.matchbox/client.key")}"
-  ca          = "${file("~/.matchbox/ca.crt")}"
-}

examples/terraform/etcd3-install/variables.tf

@@ -1,28 +0,0 @@
-variable "matchbox_http_endpoint" {
-  type        = "string"
-  description = "Matchbox HTTP read-only endpoint (e.g. http://matchbox.example.com:8080)"
-}
-
-variable "matchbox_rpc_endpoint" {
-  type        = "string"
-  description = "Matchbox gRPC API endpoint, without the protocol (e.g. matchbox.example.com:8081)"
-}
-
-variable "ssh_authorized_key" {
-  type        = "string"
-  description = "SSH public key to set as an authorized_key on machines"
-}
-
-# optional
-
-variable "install_disk" {
-  type        = "string"
-  default     = "/dev/sda"
-  description = "Disk device to which the install profiles should install Container Linux (e.g. /dev/sda)"
-}
-
-variable "container_linux_oem" {
-  type        = "string"
-  default     = ""
-  description = "Specify an OEM image id to use as base for the installation (e.g. ami, vmware_raw, xen) or leave blank for the default image"
-}

examples/terraform/fedora-coreos-install/fcc/fedora-coreos.yaml

@@ -0,0 +1,7 @@
+variant: fcos
+version: 1.4.0
+passwd:
+  users:
+    - name: core
+      ssh_authorized_keys:
+        - ${ssh_authorized_key}

examples/terraform/fedora-coreos-install/groups.tf

@@ -0,0 +1,6 @@
+// Default matcher group for machines
+resource "matchbox_group" "default" {
+  name    = "default"
+  profile = matchbox_profile.fedora-coreos-install.name
+}
+

examples/terraform/fedora-coreos-install/profiles.tf

@@ -0,0 +1,24 @@
+// Fedora CoreOS profile
+resource "matchbox_profile" "fedora-coreos-install" {
+  name   = "worker"
+  kernel = "/assets/fedora-coreos/fedora-coreos-${var.os_version}-live-kernel-x86_64"
+  initrd = [
+    "--name main /assets/fedora-coreos/fedora-coreos-${var.os_version}-live-initramfs.x86_64.img"
+  ]
+
+  args = [
+    "initrd=main",
+    "coreos.live.rootfs_url=${var.matchbox_http_endpoint}/assets/fedora-coreos/fedora-coreos-${var.os_version}-live-rootfs.x86_64.img",
+    "coreos.inst.install_dev=/dev/vda",
+    "coreos.inst.ignition_url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
+  ]
+
+  raw_ignition = data.ct_config.worker.rendered
+}
+
+data "ct_config" "worker" {
+  content = templatefile("fcc/fedora-coreos.yaml", {
+    ssh_authorized_key = var.ssh_authorized_key
+  })
+  strict = true
+}

examples/terraform/fedora-coreos-install/provider.tf

@@ -0,0 +1,20 @@
+// Configure the matchbox provider
+provider "matchbox" {
+  endpoint    = var.matchbox_rpc_endpoint
+  client_cert = file("~/.matchbox/client.crt")
+  client_key  = file("~/.matchbox/client.key")
+  ca          = file("~/.matchbox/ca.crt")
+}
+
+terraform {
+  required_providers {
+    ct = {
+      source  = "poseidon/ct"
+      version = "0.11.0"
+    }
+    matchbox = {
+      source  = "poseidon/matchbox"
+      version = "0.5.2"
+    }
+  }
+}

examples/terraform/fedora-coreos-install/terraform.tfvars.example

@@ -1,7 +1,4 @@
 matchbox_http_endpoint = "http://matchbox.example.com:8080"
 matchbox_rpc_endpoint = "matchbox.example.com:8081"
-# ssh_authorized_key = "ADD ME"
-
-# Optional (defaults)
-# install_disk = "/dev/sda"
-# container_linux_oem = ""
+os_version = "36.20220618.3.1"
+ssh_authorized_key = "YOUR_SSH_KEY"

examples/terraform/fedora-coreos-install/variables.tf

@@ -0,0 +1,26 @@
+variable "matchbox_http_endpoint" {
+  type        = string
+  description = "Matchbox HTTP read-only endpoint (e.g. http://matchbox.example.com:8080)"
+}
+
+variable "matchbox_rpc_endpoint" {
+  type        = string
+  description = "Matchbox gRPC API endpoint, without the protocol (e.g. matchbox.example.com:8081)"
+}
+
+variable "os_stream" {
+  type        = string
+  description = "Fedora CoreOS release stream (e.g. testing, stable)"
+  default     = "stable"
+}
+
+variable "os_version" {
+  type        = string
+  description = "Fedora CoreOS version to PXE and install (e.g. 36.20220618.3.1)"
+}
+
+variable "ssh_authorized_key" {
+  type        = string
+  description = "SSH public key to set as an authorized_key on machines"
+}
+

examples/terraform/flatcar-install/butane/flatcar-install.yaml

@@ -1,8 +1,10 @@
 ---
+variant: flatcar
+version: 1.0.0
 systemd:
   units:
     - name: installer.service
-      enable: true
+      enabled: true
       contents: |
         [Unit]
         Requires=network-online.target
@@ -15,17 +17,19 @@ systemd:
 storage:
   files:
     - path: /opt/installer
-      filesystem: root
       mode: 0500
       contents:
         inline: |
           #!/bin/bash -ex
-          curl --retry 10 "{{.ignition_endpoint}}?{{.request.raw_query}}&os=installed" -o ignition.json
-          coreos-install -d /dev/sda -C stable -V current -i ignition.json {{if index . "baseurl"}}-b {{.baseurl}}{{end}}
+          curl --retry 10 "${matchbox_http_endpoint}/ignition?os=installed" -o ignition.json
+          flatcar-install \
+            -d /dev/vda \
+            -b ${matchbox_http_endpoint}/assets/flatcar \
+            -i ignition.json
           udevadm settle
           systemctl reboot
 passwd:
   users:
     - name: core
       ssh_authorized_keys:
-        - {{.ssh_authorized_key}}
+        - ${ssh_authorized_key}

examples/terraform/flatcar-install/butane/flatcar.yaml

@@ -1,6 +1,8 @@
 ---
+variant: flatcar
+version: 1.0.0
 passwd:
   users:
     - name: core
       ssh_authorized_keys:
-        - {{.ssh_authorized_key}}
+        - ${ssh_authorized_key}

examples/terraform/flatcar-install/groups.tf

@@ -0,0 +1,15 @@
+// Default matcher group for machines
+resource "matchbox_group" "default" {
+  name    = "default"
+  profile = matchbox_profile.flatcar-install.name
+}
+
+// Match install stage Flatcar Linux machines
+resource "matchbox_group" "stage-1" {
+  name    = "worker"
+  profile = matchbox_profile.worker.name
+
+  selector = {
+    os = "installed"
+  }
+}

examples/terraform/flatcar-install/profiles.tf

@@ -0,0 +1,38 @@
+// Create a flatcar-install profile
+resource "matchbox_profile" "flatcar-install" {
+  name   = "flatcar-install"
+  kernel = "/assets/flatcar/3227.2.0/flatcar_production_pxe.vmlinuz"
+  initrd = [
+    "/assets/flatcar/3227.2.0/flatcar_production_pxe_image.cpio.gz",
+  ]
+
+  args = [
+    "initrd=flatcar_production_pxe_image.cpio.gz",
+    "flatcar.config.url=${var.matchbox_http_endpoint}/ignition?uuid=$${uuid}&mac=$${mac:hexhyp}",
+    "flatcar.first_boot=yes",
+  ]
+
+  raw_ignition = data.ct_config.install.rendered
+}
+
+data "ct_config" "install" {
+  content = templatefile("butane/flatcar-install.yaml", {
+    matchbox_http_endpoint = var.matchbox_http_endpoint
+    ssh_authorized_key     = var.ssh_authorized_key
+  })
+  strict = true
+}
+
+
+// Profile to set an SSH authorized key on first boot from disk
+resource "matchbox_profile" "worker" {
+  name         = "worker"
+  raw_ignition = data.ct_config.worker.rendered
+}
+
+data "ct_config" "worker" {
+  content = templatefile("butane/flatcar.yaml", {
+    ssh_authorized_key = var.ssh_authorized_key
+  })
+  strict = true
+}

examples/terraform/flatcar-install/provider.tf

@@ -0,0 +1,20 @@
+// Configure the matchbox provider
+provider "matchbox" {
+  endpoint    = var.matchbox_rpc_endpoint
+  client_cert = file("~/.matchbox/client.crt")
+  client_key  = file("~/.matchbox/client.key")
+  ca          = file("~/.matchbox/ca.crt")
+}
+
+terraform {
+  required_providers {
+    ct = {
+      source  = "poseidon/ct"
+      version = "0.11.0"
+    }
+    matchbox = {
+      source  = "poseidon/matchbox"
+      version = "0.5.2"
+    }
+  }
+}

examples/terraform/flatcar-install/terraform.tfvars.example

@@ -1,3 +1,3 @@
 matchbox_http_endpoint = "http://matchbox.example.com:8080"
 matchbox_rpc_endpoint = "matchbox.example.com:8081"
-ssh_authorized_key = "ssh-rsa you-contents"
+ssh_authorized_key = "YOUR_SSH_KEY"

examples/terraform/flatcar-install/variables.tf

@@ -1,14 +1,14 @@
 variable "matchbox_http_endpoint" {
-  type        = "string"
+  type        = string
   description = "Matchbox HTTP read-only endpoint (e.g. http://matchbox.example.com:8080)"
 }
 
 variable "matchbox_rpc_endpoint" {
-  type        = "string"
+  type        = string
   description = "Matchbox gRPC API endpoint, without the protocol (e.g. matchbox.example.com:8081)"
 }
 
 variable "ssh_authorized_key" {
-  type        = "string"
+  type        = string
   description = "SSH public key to set as an authorized_key on machines"
 }

examples/terraform/modules/README.md

@@ -1,33 +0,0 @@
-# Terraform Modules
-
-Matchbox provides Terraform [modules](https://www.terraform.io/docs/modules/usage.html) you can re-use directly within your own Terraform configs. Modules are updated regularly so it is **recommended** that you pin the module version (e.g. `ref=sha`) to keep your configs deterministic.
-
-```hcl
-module "profiles" {
-  source = "git::https://github.com/poseidon/matchbox.git//examples/terraform/modules/profiles?ref=08f4e9908b167fba608e60169ec6a803df9db37f"
-  matchbox_http_endpoint = "${var.matchbox_http_endpoint}"
-  container_linux_version = "${var.container_linux_version}"
-  container_linux_channel = "${var.container_linux_channel}"
-}
-```
-
-Download referenced Terraform  modules.
-
-```sh
-$ terraform get            # does not check for updates
-$ terraform get --update   # checks for updates
-```
-
-Available modules:
-
-| Module   | Includes  | Description |
-|----------|-----------|-------------|
-| profiles | *         | Creates machine profiles you can reference in matcher groups |
-|          | container-linux-install | Install Container Linux to disk from core-os.net |
-|          | cached-container-linux-install | Install Container Linux to disk from matchbox assets cache |
-|          | etcd3    | Provision an etcd3 peer node |
-|          | etcd3-gateway | Provision an etcd3 gateway node |
-
-## Customization
-
-You are encouraged to look through the examples and modules. Implement your own profiles or package them as modules to meet your needs. We've just provided a starting point. Learn more about [matchbox](../../docs/matchbox.md) and [Container Linux configs](../../docs/container-linux-config.md).

examples/terraform/modules/profiles/cl/etcd3-gateway.yaml.tmpl

@@ -1,25 +0,0 @@
----
-systemd:
-  units:
-    - name: etcd-member.service
-      enable: true
-      dropins:
-        - name: 40-etcd-cluster.conf
-          contents: |
-            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.2.0"
-            ExecStart=
-            ExecStart=/usr/lib/coreos/etcd-wrapper gateway start \
-              --listen-addr=127.0.0.1:2379 \
-              --endpoints={{.etcd_endpoints}}
-    - name: locksmithd.service
-      dropins:
-        - name: 40-etcd-lock.conf
-          contents: |
-            [Service]
-            Environment="REBOOT_STRATEGY=etcd-lock"
-passwd:
-  users:
-    - name: core
-      ssh_authorized_keys:
-        - {{.ssh_authorized_key}}

examples/terraform/modules/profiles/cl/etcd3.yaml.tmpl

@@ -1,28 +0,0 @@
----
-systemd:
-  units:
-    - name: etcd-member.service
-      enable: true
-      dropins:
-        - name: 40-etcd-cluster.conf
-          contents: |
-            [Service]
-            Environment="ETCD_IMAGE_TAG=v3.2.0"
-            Environment="ETCD_NAME={{.etcd_name}}"
-            Environment="ETCD_ADVERTISE_CLIENT_URLS=http://{{.domain_name}}:2379"
-            Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://{{.domain_name}}:2380"
-            Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
-            Environment="ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380"
-            Environment="ETCD_INITIAL_CLUSTER={{.etcd_initial_cluster}}"
-            Environment="ETCD_STRICT_RECONFIG_CHECK=true"
-    - name: locksmithd.service
-      dropins:
-        - name: 40-etcd-lock.conf
-          contents: |
-            [Service]
-            Environment="REBOOT_STRATEGY=etcd-lock"
-passwd:
-  users:
-    - name: core
-      ssh_authorized_keys:
-        - {{.ssh_authorized_key}}

examples/terraform/modules/profiles/outputs.tf

@@ -1,15 +0,0 @@
-output "container-linux-install" {
-  value = "${matchbox_profile.container-linux-install.name}"
-}
-
-output "cached-container-linux-install" {
-  value = "${matchbox_profile.cached-container-linux-install.name}"
-}
-
-output "etcd3" {
-  value = "${matchbox_profile.etcd3.name}"
-}
-
-output "etcd3-gateway" {
-  value = "${matchbox_profile.etcd3-gateway.name}"
-}