docs: Describe how to avoid home directory persistence

Since many if not most of our initial target use cases I think don't want this.
CentOS · Jan 18, 2024 · a7a386a · a7a386a
1 parent e374bcc
commit a7a386a
Showing 1 changed file with 30 additions and 0 deletions.
diff --git a/docs/builds.md b/docs/builds.md
@@ -86,6 +86,36 @@ to use the network as source of truth for authentication, using e.g. [FreeIPA](h
 That avoids the need to hardcode any users or keys in the image, just the
 setup necessary to contact the IPA server.
 
+### Avoiding home directory persistence
+
+In a default installation, the `/root` and `/home` directories are persistent,
+and are symbolic links to `/var/roothome` and `/var/home` respectively.
+This persistence is typically highly desirable for machines that are somewhat "pet" like,
+from desktops to some types of servers, and often undesirable for scale-out
+servers and edge devices.
+
+It's recommended for most use cases that don't want a persistent home
+directory to inject a systemd unit like this for both these directories, for
+example:
+
+```systemd
+[Unit]
+Description=Create a temporary filesystem for /var/home
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=swap.target
+
+[Mount]
+What=tmpfs
+Where=/var/home
+Type=tmpfs
+```
+
+If your systems management tooling discovers SSH keys dynamically
+on boot (cloud-init, afterburn, etc.) this helps ensure that there's fewer
+conflicts around "source of truth" for keys.
+
 ## Example repositories
 
 The following git repositories have some useful examples: