#cloud-config
package_update: true
package_upgrade: true
package_reboot_if_required: true

users:
- name: ${username}
  groups: [ sudo ]
  shell: /usr/bin/zsh
  hashed_passwd: ${user_hashed_password}
  lock_passwd: false
  ssh_authorized_keys:
  %{ for key in user_ssh_public_keys ~}
    - ${key}
  %{ endfor ~}
- name: git
  lock_passwd: true

packages:
  - apt-transport-https
  - ca-certificates
  - curl
  - gnupg2
  - git
  - zsh
  - ufw
  - fail2ban
  - tmux
  - bat
  - unzip
  - age

write_files:
  - content: |
      #!/bin/sh
      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" /bin/sh "$@"      
    path: /usr/local/bin/gitea-shell
    permissions: '0755'
  - content: |
      #!/bin/sh
      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- /usr/local/bin/gitea keys -e git -u $1 -t $2 -k $3      
    permissions: '0755'
    path: /usr/local/bin/gitea-keys

ssh:
  emit_keys_to_console: false
ssh_pwauth: false
disable_root: true

ssh_config:
  Match User git:
    AuthorizedKeysCommandUser: git
    AuthorizedKeysCommand: /usr/local/bin/gitea-keys %u %t %k

runcmd:
  # UFW
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow ssh
  - ufw allow http
  - ufw allow https
  - ufw logging on
  - ufw enable
  # SSH key for user
  - su ${username} -c 'ssh-keygen -t ed25519 -f /home/${username}/.ssh/id_ed25519 -q -N "" '
  # SSH Passthrough for user git
  - usermod -s /usr/local/bin/gitea-shell git
  # k3s
  - curl -sfL https://get.k3s.io | sh -s - --disable=traefik
  # Wait for k3s to be ready
  - timeout 300 bash -c 'until kubectl get nodes; do sleep 5; done'
  # Set up kubeconfig for user
  - mkdir -p /home/${username}/.kube
  - cp /etc/rancher/k3s/k3s.yaml /home/${username}/.kube/config
  - chown -R ${username}:${username} /home/${username}/.kube
  - chmod 600 /home/${username}/.kube/config
  # Dotfiles
  - su ${username} -c 'curl https://raw.githubusercontent.com/LordMathis/dotfiles/main/install.sh | /usr/bin/zsh -s -- server'
  # Helm
  - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
  - chmod 700 get_helm.sh
  - ./get_helm.sh
  # Kustomize
  - curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash
  - mv kustomize /usr/local/bin/
  - chmod +x /usr/local/bin/kustomize
  # Sops
  - curl -LO https://github.com/getsops/sops/releases/download/v3.9.0/sops-v3.9.0.linux.amd64
  - mv sops-v3.9.0.linux.amd64 /usr/local/bin/sops
  - chmod +x /usr/local/bin/sops
  # Install and bootstrap Flux
  - curl -s https://fluxcd.io/install.sh | bash
  - su ${username} -c 'export GITHUB_TOKEN=${github_token} && flux bootstrap github --owner=${github_username} --repository=${github_repo} --path=clusters/prod --personal'
final_message: "The system is finally up, after $UPTIME seconds"