manifests/tier-x: use readonly in repo config only

Currently, when building the squashfs, we drop the `sysroot.readonly`
flag from the ostree config because `ostree-prepare-root` doesn't know
how to handle it in the setup we have in our live environments.

But now inheriting from tier-x, we also inherited the move of that
knob to `/usr/lib/ostree/prepare-root.conf`, which is then included in
the initramfs. That's much harder to override during the build process
because we don't want to rebuild the initramfs. We could probably
instead just append a CPIO to the live initramfs that shadows it but the
real fix anyway is to adapt libostree to work in live environments.[^1]

So for now, just undo this bit to go back to how it was set up before
inheriting from tier-x, where the only sysroot.readonly knob lives in
the ostree repo config.

[^1]: ostreedev/ostree#1921

manifests/tier-x.yaml

@@ -12,3 +12,21 @@ machineid-compat: false
 # This is the historical default and what FCOS currently ships. fedora-bootc
 # uses the new `root` value, but migrating FCOS is not that simple...
 opt-usrlocal: var
+
+postprocess:
+  - |
+    #!/usr/bin/env bash
+    set -euo pipefail
+    # For now, rely on the `sysroot.readonly` knob in /ostree/config only.
+    # Having it in prepare-root.conf too throws off ostree-prepare-root in
+    # live PXE/ISO and we have no easy way to override it when building those.
+    # Really, we need to fix libostree + live ISOs to work well together:
+    # https://github.com/ostreedev/ostree/issues/1921
+    # It's awkward to edit arbitrary keyfile configs. Just rewrite it.
+    if grep -q readonly /usr/lib/ostree/prepare-root.conf; then
+        grep -q '^4 ' <(wc -l /usr/lib/ostree/prepare-root.conf)
+        cat > /usr/lib/ostree/prepare-root.conf <<EOF
+    [composefs]
+    enabled = true
+    EOF
+    fi