dhoppe · September 27, 2019 12:25
diff --git a/ignition.yml b/ignition.yml
 ---
 locksmith:
  reboot_strategy: etcd-lock
  window_start: Sun 04:00
  window_length: 1h

 networkd:
  units:
    - name: 20-dhcp.network
      contents: |
        [Match]
        Name=eth*

        [Network]
        DHCP=yes
        LinkLocalAddressing=no
        IPv6AcceptRA=no

 passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDqvjv4ecwn6MB/gy/FeNpDipQ4CUur2fv9D4/jkOIhkYIxEcP0qqmPoQopB+HzcetusvoFBfsgWeRVGNc4n9WPgDMcHIKosOHlHj68swzHDJWT5PZ5JX6M+hfysG8vGy4yXaSsDYIHPHp91m1yx6FXOO71xXh5CnDDGGiA1+LVjs3pqfV5zfvxcKv2R7V8XpYqYq73HHrdYHIeM4URBADt00hDnm3jngxkRj3PbZVYvkNtvcQCeW2G+FNca+JTqd3YYF7RZxbPF1n2RNoZtiFc14aRvpOGRDFLW50JL1XOx3qr8UhNqRRGXxcYKhtnXaDb82qZH/n7nbminCuHBAlybUQkj0GSgY6VgZHnXFj5IFrp91WNrRfFOEmPGIEGTPt0qs3EzDMaoUiXkqkrnF10/KjDLrJmqV53sbCm1E/r+xl1bWSADJYl7AGn/xQ66Y0qwHc5Du4WE+H+n+CLZ3x9XT0zeN4U5iFrFysjkZ2LLLoH7DwKD2aB9nTojqVe0xRtFWtN/mZsImaBgomzG4dyTQdPB3KhwzL8Z5HNmsyWyDYODJjEENx427wr25ACLjv2Dmo0dK35FOI9acnYCynFNddoJ/lP4phN+hCEFw0ZDRfSa43ar18fqMTC0OIm2TgLjtalq0zRmhiY++Zv6sDIj5fVtwdkRxK960S2gTl5Xw== Hetzner Cloud

 storage:
  files:
    - path: /etc/ssh/sshd_config
      filesystem: root
      contents:
        inline: |
          Subsystem sftp internal-sftp
          ClientAliveInterval 300
          ClientAliveCountMax 0
          UseDNS no
          UsePAM yes
          PrintLastLog no
          PrintMotd no
          PermitRootLogin no
          PasswordAuthentication no
          KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
          HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
          Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
          MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512
      mode: 0600
      user:
        id: 0
      group:
        id: 0
    - path: /etc/hostname
      filesystem: root
      contents:
        inline: core01
      mode: 0644
      user:
        id: 0
      group:
        id: 0
    - path: /var/lib/iptables/rules-save
      filesystem: root
      contents:
        inline: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -i eth1 -j ACCEPT
          -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
          -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
          -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
          -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
          -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
          COMMIT
      mode: 0644
      user:
        id: 0
      group:
        id: 0
    - path: /etc/sysctl.d/10-disable-ipv6.conf
      filesystem: root
      contents:
        inline: |
          net.ipv6.conf.all.disable_ipv6=1
          net.ipv6.conf.default.disable_ipv6=1
      mode: 0644
      user:
        id: 0
      group:
        id: 0

 systemd:
  units:
    - name: docker-tcp.socket
      enabled: true
      contents: |
        [Unit]
        Description=Docker Socket for the API

        [Socket]
        ListenStream=2375
        BindIPv6Only=both
        Service=docker.service

        [Install]
        WantedBy=sockets.target
    - name: etcd-member.service
      enabled: true
      dropins:
        - name: 20-clct-etcd-member.conf
          contents: |
            [Unit]
            Requires=metadata.service
            After=metadata.service

            [Service]
            EnvironmentFile=/run/metadata/coreos
            Environment="ETCD_IMAGE_TAG=v3.3.13"
            ExecStart=
            ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \
              --name="$${COREOS_CUSTOM_HOSTNAME}" \
              --initial-advertise-peer-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2380" \
              --listen-peer-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2380" \
              --listen-client-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2379,http://127.0.0.1:2379" \
              --advertise-client-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2379" \
              --discovery="${discovery_url}"
    - name: iptables-restore.service
      enabled: true
    - name: locksmithd.service
      enabled: true
    - name: metadata.service
      enabled: true
      contents: |
        [Unit]
        Description=Custom metadata agent

        [Service]
        Type=oneshot
        Environment=OUTPUT=/run/metadata/coreos
        ExecStart=/usr/bin/mkdir --parent /run/metadata
        ExecStart=/usr/bin/bash -c 'echo -e "COREOS_CUSTOM_HOSTNAME=$(curl -s http://169.254.169.254/hetzner/v1/metadata/hostname)\nCOREOS_CUSTOM_PUBLIC_IPV4=$(curl -s http://169.254.169.254/hetzner/v1/metadata/public-ipv4)\nCOREOS_CUSTOM_PRIVATE_IPV4=$(curl -s http://169.254.169.254/hetzner/v1/metadata/private-networks | grep 'ip:' | cut -d: -f2 | sed \"s/ //g\")" > $${OUTPUT}'

        [Install]
        WantedBy=multi-user.target
	---
	locksmith:
	reboot_strategy: etcd-lock
	window_start: Sun 04:00
	window_length: 1h

	networkd:
	units:
	- name: 20-dhcp.network
	contents: \|
	[Match]
	Name=eth*

	[Network]
	DHCP=yes
	LinkLocalAddressing=no
	IPv6AcceptRA=no

	passwd:
	users:
	- name: core
	ssh_authorized_keys:
	- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDqvjv4ecwn6MB/gy/FeNpDipQ4CUur2fv9D4/jkOIhkYIxEcP0qqmPoQopB+HzcetusvoFBfsgWeRVGNc4n9WPgDMcHIKosOHlHj68swzHDJWT5PZ5JX6M+hfysG8vGy4yXaSsDYIHPHp91m1yx6FXOO71xXh5CnDDGGiA1+LVjs3pqfV5zfvxcKv2R7V8XpYqYq73HHrdYHIeM4URBADt00hDnm3jngxkRj3PbZVYvkNtvcQCeW2G+FNca+JTqd3YYF7RZxbPF1n2RNoZtiFc14aRvpOGRDFLW50JL1XOx3qr8UhNqRRGXxcYKhtnXaDb82qZH/n7nbminCuHBAlybUQkj0GSgY6VgZHnXFj5IFrp91WNrRfFOEmPGIEGTPt0qs3EzDMaoUiXkqkrnF10/KjDLrJmqV53sbCm1E/r+xl1bWSADJYl7AGn/xQ66Y0qwHc5Du4WE+H+n+CLZ3x9XT0zeN4U5iFrFysjkZ2LLLoH7DwKD2aB9nTojqVe0xRtFWtN/mZsImaBgomzG4dyTQdPB3KhwzL8Z5HNmsyWyDYODJjEENx427wr25ACLjv2Dmo0dK35FOI9acnYCynFNddoJ/lP4phN+hCEFw0ZDRfSa43ar18fqMTC0OIm2TgLjtalq0zRmhiY++Zv6sDIj5fVtwdkRxK960S2gTl5Xw== Hetzner Cloud

	storage:
	files:
	- path: /etc/ssh/sshd_config
	filesystem: root
	contents:
	inline: \|
	Subsystem sftp internal-sftp
	ClientAliveInterval 300
	ClientAliveCountMax 0
	UseDNS no
	UsePAM yes
	PrintLastLog no
	PrintMotd no
	PermitRootLogin no
	PasswordAuthentication no
	KexAlgorithms curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
	HostKeyAlgorithms [email protected],[email protected],[email protected],[email protected],[email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
	Ciphers [email protected],aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]
	MACs [email protected],[email protected],[email protected],[email protected],hmac-sha2-256,hmac-sha2-512
	mode: 0600
	user:
	id: 0
	group:
	id: 0
	- path: /etc/hostname
	filesystem: root
	contents:
	inline: core01
	mode: 0644
	user:
	id: 0
	group:
	id: 0
	- path: /var/lib/iptables/rules-save
	filesystem: root
	contents:
	inline: \|
	*filter
	:INPUT DROP [0:0]
	:FORWARD DROP [0:0]
	:OUTPUT ACCEPT [0:0]
	-A INPUT -i lo -j ACCEPT
	-A INPUT -i eth1 -j ACCEPT
	-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
	-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
	-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
	-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
	-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
	COMMIT
	mode: 0644
	user:
	id: 0
	group:
	id: 0
	- path: /etc/sysctl.d/10-disable-ipv6.conf
	filesystem: root
	contents:
	inline: \|
	net.ipv6.conf.all.disable_ipv6=1
	net.ipv6.conf.default.disable_ipv6=1
	mode: 0644
	user:
	id: 0
	group:
	id: 0

	systemd:
	units:
	- name: docker-tcp.socket
	enabled: true
	contents: \|
	[Unit]
	Description=Docker Socket for the API

	[Socket]
	ListenStream=2375
	BindIPv6Only=both
	Service=docker.service

	[Install]
	WantedBy=sockets.target
	- name: etcd-member.service
	enabled: true
	dropins:
	- name: 20-clct-etcd-member.conf
	contents: \|
	[Unit]
	Requires=metadata.service
	After=metadata.service

	[Service]
	EnvironmentFile=/run/metadata/coreos
	Environment="ETCD_IMAGE_TAG=v3.3.13"
	ExecStart=
	ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \
	--name="$${COREOS_CUSTOM_HOSTNAME}" \
	--initial-advertise-peer-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2380" \
	--listen-peer-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2380" \
	--listen-client-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2379,http://127.0.0.1:2379" \
	--advertise-client-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2379" \
	--discovery="${discovery_url}"
	- name: iptables-restore.service
	enabled: true
	- name: locksmithd.service
	enabled: true
	- name: metadata.service
	enabled: true
	contents: \|
	[Unit]
	Description=Custom metadata agent

	[Service]
	Type=oneshot
	Environment=OUTPUT=/run/metadata/coreos
	ExecStart=/usr/bin/mkdir --parent /run/metadata
	ExecStart=/usr/bin/bash -c 'echo -e "COREOS_CUSTOM_HOSTNAME=$(curl -s http://169.254.169.254/hetzner/v1/metadata/hostname)\nCOREOS_CUSTOM_PUBLIC_IPV4=$(curl -s http://169.254.169.254/hetzner/v1/metadata/public-ipv4)\nCOREOS_CUSTOM_PRIVATE_IPV4=$(curl -s http://169.254.169.254/hetzner/v1/metadata/private-networks \| grep 'ip:' \| cut -d: -f2 \| sed \"s/ //g\")" > $${OUTPUT}'

	[Install]
	WantedBy=multi-user.target