Skip to content

Instantly share code, notes, and snippets.

@dm0-

dm0-/user_data.yml

Created July 18, 2016 21:25
Show Gist options
  • Save dm0-/5c8f525194b47ac96043de72de20ad01 to your computer and use it in GitHub Desktop.
Save dm0-/5c8f525194b47ac96043de72de20ad01 to your computer and use it in GitHub Desktop.
Download ZIP
The nightmare config for a CoreOS workstation (messy, unsafe, and wildly incomplete)
Raw
user_data.yml
#cloud-config
hostname: "set-this"
coreos:
update:
reboot-strategy: "off"
units:
- name: "default.target"
command: "start"
content: |
[Unit]
Description=Default System State
After=multi-user.target
Requires=multi-user.target zone-set@America-Los_Angeles.service \
iptables-restore.service ip6tables-restore.service
Wants=wpa_supplicant.service
#Wants=fedora.service
#Wants=gentoo.service
#Wants=windows.service
- name: "boot.mount"
content: |
[Unit]
Description=EFI System Partition (read-only to avoid Windows conflicts)
After=custom-udev-rescan.service
Wants=custom-udev-rescan.service
[Mount]
What=LABEL=SYSTEM
Where=/boot
Options=ro
- name: "lib-firmware.mount"
content: |
[Unit]
Description=Custom Firmware
ConditionPathExists=/opt/coreos/firmware
After=opt.mount
Wants=opt.mount
[Mount]
What=/opt/coreos/firmware
Where=/lib/firmware
Options=ro,bind
- name: "lib-modules.mount"
content: |
[Unit]
Description=Custom Kernel Modules
ConditionPathExists=/opt/coreos/modules/%v
After=opt.mount
Wants=opt.mount
[Mount]
What=/opt/coreos/modules
Where=/lib/modules
Options=ro,bind
- name: "mnt-fedora.mount"
content: |
[Unit]
Description=Local Fedora Installation
After=custom-udev-rescan.service
Wants=custom-udev-rescan.service
[Mount]
What=LABEL=Fedora
Where=/mnt/fedora
- name: "mnt-gentoo.mount"
content: |
[Unit]
Description=Local Gentoo Installation
After=custom-udev-rescan.service
Wants=custom-udev-rescan.service
[Mount]
What=LABEL=Gentoo
Where=/mnt/gentoo
- name: "opt.mount"
content: |
[Unit]
Description=Config Drive (writable to use for shared space)
After=media-configdrive.mount
Conflicts=media-configdrive.mount
[Mount]
What=LABEL=config-2
Where=/opt
Options=discard,umask=0022
- name: "[email protected]"
mask: true
- name: "custom-udev-rescan.service"
content: |
[Unit]
Description=Rescan devices if custom kernel modules were mounted
ConditionPathIsMountPoint=/lib/modules
After=lib-firmware.mount lib-modules.mount
Requires=lib-modules.mount
Wants=lib-firmware.mount
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/bin/udevadm control --reload
ExecStart=/usr/bin/udevadm trigger --verbose
ExecStartPost=/usr/bin/udevadm settle
- name: "fedora.service"
content: |
[Unit]
Description=Start the local Fedora installation in a container
After=docker.service [email protected] [email protected] \
boot.mount mnt-fedora.mount opt.mount
[email protected] [email protected]
Requires=docker.service mnt-fedora.mount
Wants=boot.mount opt.mount
[Service]
TimeoutStartSec=0
ExecStartPre=-/usr/bin/docker kill fedora
ExecStartPre=-/usr/bin/docker rm fedora
ExecStartPre=/usr/bin/docker pull busybox
ExecStart=/usr/bin/docker run --name=fedora \
--env=container=docker \
--hostname=%H \
--privileged \
--rm \
--volume=/mnt/fedora:/sysroot \
--volume=/boot:/sysroot/boot/efi:ro \
--volume=/opt:/sysroot/opt \
--volume=/dev/null:/sysroot/etc/fstab:ro \
--volume=/etc/resolv.conf:/sysroot/opt/tmp/resolv.conf:ro \
--volume=/lib/modules:/sysroot/lib/modules:ro \
--volume=/etc/systemd/system/fedora-container.target:/sysroot/usr/lib/systemd/system/getty.target \
--volume=/etc/systemd/system/fedora-container.target.wants:/sysroot/etc/systemd/system/getty.target.wants \
--volume=/etc/systemd/system/fedora-container.target.wants/xdm.service:/sysroot/usr/lib/systemd/system/xdm.service \
busybox /bin/chroot /sysroot /usr/lib/systemd/systemd 3
ExecStartPost=-/usr/bin/sleep 3
ExecStartPost=/usr/bin/docker exec fedora /bin/ln -fns /opt/tmp/resolv.conf /sysroot/run/NetworkManager/resolv.conf
ExecStop=/usr/bin/docker stop fedora
- name: "gentoo.service"
content: |
[Unit]
Description=Start the local Gentoo installation in a container
After=docker.service [email protected] [email protected] \
boot.mount mnt-gentoo.mount opt.mount
[email protected] [email protected]
Requires=docker.service mnt-gentoo.mount
Wants=boot.mount opt.mount
[Service]
TimeoutStartSec=0
ExecStartPre=-/usr/bin/docker kill gentoo
ExecStartPre=-/usr/bin/docker rm gentoo
ExecStartPre=/usr/bin/docker pull busybox
ExecStart=/usr/bin/docker run --name=gentoo \
--env=container=docker \
--hostname=%H \
--privileged \
--rm \
--volume=/mnt/gentoo:/sysroot \
--volume=/boot:/sysroot/boot/efi:ro \
--volume=/opt:/sysroot/opt \
--volume=/dev/null:/sysroot/etc/fstab:ro \
--volume=/etc/resolv.conf:/sysroot/etc/resolv.conf:ro \
--volume=/lib/modules:/sysroot/lib/modules:ro \
--volume=/etc/systemd/system/gentoo-container.target:/sysroot/usr/lib/systemd/system/getty.target \
--volume=/etc/systemd/system/gentoo-container.target.wants:/sysroot/etc/systemd/system/getty.target.wants \
--volume=/etc/systemd/system/gentoo-container.target.wants/xdm.service:/sysroot/usr/lib/systemd/system/xdm.service \
busybox /bin/chroot /sysroot /usr/lib/systemd/systemd 3
ExecStop=/usr/bin/docker stop gentoo
- name: "windows.service"
content: |
[Unit]
Description=Start the local Windows installation in a VM
[email protected] [email protected] \
opt.mount
[email protected] [email protected]
Requires=opt.mount
[Service]
TimeoutStartSec=0
ExecStart=/opt/qemu/qemu-system-x86_64 -nodefaults \
-L /opt/qemu -bios /opt/qemu/OVMF_CODE.fd \
-display fbdev -monitor /dev/tty7 \
-machine accel=kvm:tcg \
-cpu host -smp cores=2 -m 4G -vga qxl \
-netdev user,id=eth0,hostname=%H -device e1000,netdev=eth0 \
-drive media=disk,if=ide,format=raw,file=/dev/sda
# The fbdev display will first attempt to use stdin as a tty.
StandardInput=tty-fail
TTYPath=/dev/tty6
TTYReset=yes
TTYVHangup=yes
TTYVTDisallocate=yes
- name: "wpa_supplicant.service"
content: |
[Unit]
Description=Manually bring up the wireless interface
ConditionPathExists=/opt/wpa/wpa_supplicant
After=custom-udev-rescan.service opt.mount
Requires=opt.mount
Wants=custom-udev-rescan.service
[Service]
ExecStart=/opt/wpa/wpa_supplicant -D wext -i wlp4s0 -c /opt/wpa/networks.conf
- name: "[email protected]"
content: |
[Unit]
Description=Set the time zone
[Service]
ExecStart=/usr/bin/timedatectl set-timezone %I
RemainAfterExit=yes
Type=oneshot
write_files:
- path: "/etc/systemd/system/fedora-container.target"
content: |
[Unit]
Description=Limit the consoles Fedora can use when containerized
ConditionVirtualization=container
# Assume /etc/systemd/logind.conf isn't messing with default autovts.
After=console-getty.service \
[email protected] [email protected] [email protected] \
[email protected] [email protected] [email protected] \
[email protected] \
iptables.service ip6tables.service
Conflicts=console-getty.service \
[email protected] [email protected] [email protected] \
[email protected] [email protected] \
iptables.service ip6tables.service
[email protected] [email protected]
- path: "/etc/systemd/system/gentoo-container.target"
content: |
[Unit]
Description=Limit the consoles Gentoo can use when containerized
ConditionVirtualization=container
# Assume /etc/systemd/logind.conf isn't messing with default autovts.
After=console-getty.service \
[email protected] [email protected] [email protected] \
[email protected] [email protected] [email protected] \
[email protected] \
iptables.service ip6tables.service
Conflicts=console-getty.service \
[email protected] [email protected] [email protected] \
[email protected] [email protected] \
iptables.service ip6tables.service
[email protected] [email protected]
- path: "/etc/systemd/system/fedora-container.target.wants/xdm.service"
content: |
[Unit]
Description=X11 Display Manager
ConditionPathExists=/usr/bin/xdm
After=systemd-user-sessions.service plymouth-quit.service \
[email protected]
[email protected]
[Service]
ExecStartPre=/bin/sh -c "exec echo ':2 local /usr/bin/Xorg :2 vt2' > /run/Xservers-2"
ExecStart=/usr/bin/xdm -nodaemon -server /run/Xservers-2
Restart=always
IgnoreSIGPIPE=no
- path: "/etc/systemd/system/gentoo-container.target.wants/xdm.service"
content: |
[Unit]
Description=X-Window Display Manager
ConditionPathExists=/usr/bin/xdm
After=systemd-user-sessions.service \
[email protected]
[email protected]
[Service]
ExecStartPre=/bin/sh -c "exec echo ':4 local /usr/bin/Xorg :4 vt4' > /run/Xservers-4"
ExecStart=/usr/bin/xdm -nodaemon -server /run/Xservers-4
Restart=always
IgnoreSIGPIPE=no
- path: "/etc/modprobe.d/kvm.conf"
content: |
options kvm_intel nested=1
- path: "/etc/profile.d/ls.sh"
content: |
alias l='ls -1A'
alias la='ls -al'
alias ll='ls -Al'
- path: "/etc/profile.d/rc.sh"
content: |
PS1="\\[\\033[01;33m\\]\$? $PS1"
- path: "/var/lib/iptables/rules-save"
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
- path: "/var/lib/ip6tables/rules-save"
content: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
COMMIT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment