#cloud-config
package_update: true
package_upgrade: true
package_reboot_if_required: true

users:
  - name: ${username}
    groups: [sudo]
    shell: /usr/bin/zsh
    hashed_passwd: ${user_hashed_password}
    lock_passwd: false
    ssh_authorized_keys:
%{ for key in user_ssh_public_keys ~}
      - ${key}
%{ endfor ~}
  - name: git
    lock_passwd: true

packages:
  - apt-transport-https
  - ca-certificates
  - curl
  - gnupg2
  - git
  - zsh
  - ufw
  - fail2ban
  - tmux
  - bat
  - unzip
  - age

write_files:
  - content: |
      #!/bin/sh
      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" /bin/sh "$@"
    path: /usr/local/bin/gitea-shell
    permissions: "0755"
  - content: |
      #!/bin/sh
      GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
      kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- /usr/local/bin/gitea keys -e git -u $1 -t $2 -k $3
    permissions: "0755"
    path: /usr/local/bin/gitea-keys
  - content: |
      Match User git
        AuthorizedKeysCommandUser git
        AuthorizedKeysCommand /usr/local/bin/gitea-keys %u %t %k
    path: /etc/ssh/sshd_config.d/50-gitea.conf
    permissions: "0644"

ssh:
  emit_keys_to_console: true
ssh_pwauth: false
disable_root: true

runcmd:
  # UFW
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow ssh
  - ufw allow http
  - ufw allow https
  - ufw logging on
  - ufw enable
  # SSH key for user
  - su ${username} -c 'ssh-keygen -t ed25519 -f /home/${username}/.ssh/id_ed25519 -q -N "" '
  # SSH Passthrough for user git
  - usermod -s /usr/local/bin/gitea-shell git
  # Install kubectl
  - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
  - install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
  # Install k0s
  - curl -sSLf https://get.k0s.sh | sh
  - k0s install controller --single
  - systemctl enable --now k0scontroller
  # Wait for k0s to be ready
  - sleep 10
  - timeout 300 bash -c 'until test -f /var/lib/k0s/pki/admin.conf; do echo "Waiting for k0s to generate kubeconfig..."; sleep 10; done'
  - timeout 300 bash -c 'until k0s kubectl get nodes; do echo "Waiting for k0s nodes..."; sleep 10; done'
  # Set up kubeconfig for user
  - mkdir -p /home/${username}/.kube
  - cp /var/lib/k0s/pki/admin.conf /home/${username}/.kube/config
  - chown -R ${username}:${username} /home/${username}/.kube
  - chmod 600 /home/${username}/.kube/config
  # Set up kubeconfig for git
  - mkdir -p /home/git/.kube
  - cp /var/lib/k0s/pki/admin.conf /home/git/.kube/config
  - chown -R git:git /home/git/.kube
  - chmod 600 /home/git/.kube/config
  # Dotfiles
  - |
    su ${username} -c '
    cd /home/${username}
    curl -fsSL https://raw.githubusercontent.com/lordmathis/dotfiles/main/install.sh > /tmp/install_dotfiles.sh
    chmod +x /tmp/install_dotfiles.sh
    /tmp/install_dotfiles.sh server
    '
  # Install Flux
  - curl -s https://fluxcd.io/install.sh | bash
final_message: "The system is finally up, after $UPTIME seconds"