mirror of
https://github.com/lordmathis/dev-cluster.git
synced 2025-12-22 16:44:24 +00:00
103 lines
3.3 KiB
YAML
103 lines
3.3 KiB
YAML
#cloud-config
|
|
package_update: true
|
|
package_upgrade: true
|
|
package_reboot_if_required: true
|
|
|
|
users:
|
|
- name: ${username}
|
|
groups: [sudo]
|
|
shell: /usr/bin/zsh
|
|
hashed_passwd: ${user_hashed_password}
|
|
lock_passwd: false
|
|
ssh_authorized_keys:
|
|
%{ for key in user_ssh_public_keys ~}
|
|
- ${key}
|
|
%{ endfor ~}
|
|
- name: git
|
|
lock_passwd: true
|
|
|
|
packages:
|
|
- apt-transport-https
|
|
- ca-certificates
|
|
- curl
|
|
- gnupg2
|
|
- git
|
|
- zsh
|
|
- ufw
|
|
- fail2ban
|
|
- tmux
|
|
- bat
|
|
- unzip
|
|
- age
|
|
|
|
write_files:
|
|
- content: |
|
|
#!/bin/sh
|
|
GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
|
|
kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- env SSH_ORIGINAL_COMMAND="$SSH_ORIGINAL_COMMAND" /bin/sh "$@"
|
|
path: /usr/local/bin/gitea-shell
|
|
permissions: "0755"
|
|
- content: |
|
|
#!/bin/sh
|
|
GITEA_POD=$(kubectl --kubeconfig /home/git/.kube/config get po -n gitea -l app=gitea -o name --no-headers=true | cut -d'/' -f2)
|
|
kubectl --kubeconfig /home/git/.kube/config exec -i -n gitea $GITEA_POD -c gitea -- /usr/local/bin/gitea keys -e git -u $1 -t $2 -k $3
|
|
permissions: "0755"
|
|
path: /usr/local/bin/gitea-keys
|
|
- content: |
|
|
Match User git
|
|
AuthorizedKeysCommandUser git
|
|
AuthorizedKeysCommand /usr/local/bin/gitea-keys %u %t %k
|
|
path: /etc/ssh/sshd_config.d/50-gitea.conf
|
|
permissions: "0644"
|
|
|
|
ssh:
|
|
emit_keys_to_console: true
|
|
ssh_pwauth: false
|
|
disable_root: true
|
|
|
|
runcmd:
|
|
# UFW
|
|
- ufw default deny incoming
|
|
- ufw default allow outgoing
|
|
- ufw allow ssh
|
|
- ufw allow http
|
|
- ufw allow https
|
|
- ufw logging on
|
|
- ufw enable
|
|
# SSH key for user
|
|
- su ${username} -c 'ssh-keygen -t ed25519 -f /home/${username}/.ssh/id_ed25519 -q -N "" '
|
|
# SSH Passthrough for user git
|
|
- usermod -s /usr/local/bin/gitea-shell git
|
|
# Install kubectl
|
|
- curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
|
|
- install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
|
|
# Install k0s
|
|
- curl -sSLf https://get.k0s.sh | sh
|
|
- k0s install controller --single
|
|
- systemctl enable --now k0scontroller
|
|
# Wait for k0s to be ready
|
|
- sleep 10
|
|
- timeout 300 bash -c 'until test -f /var/lib/k0s/pki/admin.conf; do echo "Waiting for k0s to generate kubeconfig..."; sleep 10; done'
|
|
- timeout 300 bash -c 'until k0s kubectl get nodes; do echo "Waiting for k0s nodes..."; sleep 10; done'
|
|
# Set up kubeconfig for user
|
|
- mkdir -p /home/${username}/.kube
|
|
- cp /var/lib/k0s/pki/admin.conf /home/${username}/.kube/config
|
|
- chown -R ${username}:${username} /home/${username}/.kube
|
|
- chmod 600 /home/${username}/.kube/config
|
|
# Set up kubeconfig for git
|
|
- mkdir -p /home/git/.kube
|
|
- cp /var/lib/k0s/pki/admin.conf /home/git/.kube/config
|
|
- chown -R git:git /home/git/.kube
|
|
- chmod 600 /home/git/.kube/config
|
|
# Dotfiles
|
|
- |
|
|
su ${username} -c '
|
|
cd /home/${username}
|
|
curl -fsSL https://raw.githubusercontent.com/LordMathis/dotfiles/main/install.sh > /tmp/install_dotfiles.sh
|
|
chmod +x /tmp/install_dotfiles.sh
|
|
/tmp/install_dotfiles.sh server
|
|
'
|
|
# Install Flux
|
|
- curl -s https://fluxcd.io/install.sh | bash
|
|
final_message: "The system is finally up, after $UPTIME seconds"
|