Last active
September 27, 2019 12:25
-
-
Save dhoppe/7ee24c068f1047bfc5edba41b81edb10 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| locksmith: | |
| reboot_strategy: etcd-lock | |
| window_start: Sun 04:00 | |
| window_length: 1h | |
| networkd: | |
| units: | |
| - name: 20-dhcp.network | |
| contents: | | |
| [Match] | |
| Name=eth* | |
| [Network] | |
| DHCP=yes | |
| LinkLocalAddressing=no | |
| IPv6AcceptRA=no | |
| passwd: | |
| users: | |
| - name: core | |
| ssh_authorized_keys: | |
| - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDqvjv4ecwn6MB/gy/FeNpDipQ4CUur2fv9D4/jkOIhkYIxEcP0qqmPoQopB+HzcetusvoFBfsgWeRVGNc4n9WPgDMcHIKosOHlHj68swzHDJWT5PZ5JX6M+hfysG8vGy4yXaSsDYIHPHp91m1yx6FXOO71xXh5CnDDGGiA1+LVjs3pqfV5zfvxcKv2R7V8XpYqYq73HHrdYHIeM4URBADt00hDnm3jngxkRj3PbZVYvkNtvcQCeW2G+FNca+JTqd3YYF7RZxbPF1n2RNoZtiFc14aRvpOGRDFLW50JL1XOx3qr8UhNqRRGXxcYKhtnXaDb82qZH/n7nbminCuHBAlybUQkj0GSgY6VgZHnXFj5IFrp91WNrRfFOEmPGIEGTPt0qs3EzDMaoUiXkqkrnF10/KjDLrJmqV53sbCm1E/r+xl1bWSADJYl7AGn/xQ66Y0qwHc5Du4WE+H+n+CLZ3x9XT0zeN4U5iFrFysjkZ2LLLoH7DwKD2aB9nTojqVe0xRtFWtN/mZsImaBgomzG4dyTQdPB3KhwzL8Z5HNmsyWyDYODJjEENx427wr25ACLjv2Dmo0dK35FOI9acnYCynFNddoJ/lP4phN+hCEFw0ZDRfSa43ar18fqMTC0OIm2TgLjtalq0zRmhiY++Zv6sDIj5fVtwdkRxK960S2gTl5Xw== Hetzner Cloud | |
| storage: | |
| files: | |
| - path: /etc/ssh/sshd_config | |
| filesystem: root | |
| contents: | |
| inline: | | |
| Subsystem sftp internal-sftp | |
| ClientAliveInterval 300 | |
| ClientAliveCountMax 0 | |
| UseDNS no | |
| UsePAM yes | |
| PrintLastLog no | |
| PrintMotd no | |
| PermitRootLogin no | |
| PasswordAuthentication no | |
| KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 | |
| HostKeyAlgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa | |
| Ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com | |
| MACs umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512 | |
| mode: 0600 | |
| user: | |
| id: 0 | |
| group: | |
| id: 0 | |
| - path: /etc/hostname | |
| filesystem: root | |
| contents: | |
| inline: core01 | |
| mode: 0644 | |
| user: | |
| id: 0 | |
| group: | |
| id: 0 | |
| - path: /var/lib/iptables/rules-save | |
| filesystem: root | |
| contents: | |
| inline: | | |
| *filter | |
| :INPUT DROP [0:0] | |
| :FORWARD DROP [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| -A INPUT -i lo -j ACCEPT | |
| -A INPUT -i eth1 -j ACCEPT | |
| -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT | |
| -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | |
| -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT | |
| -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT | |
| -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT | |
| -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT | |
| -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT | |
| COMMIT | |
| mode: 0644 | |
| user: | |
| id: 0 | |
| group: | |
| id: 0 | |
| - path: /etc/sysctl.d/10-disable-ipv6.conf | |
| filesystem: root | |
| contents: | |
| inline: | | |
| net.ipv6.conf.all.disable_ipv6=1 | |
| net.ipv6.conf.default.disable_ipv6=1 | |
| mode: 0644 | |
| user: | |
| id: 0 | |
| group: | |
| id: 0 | |
| systemd: | |
| units: | |
| - name: docker-tcp.socket | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Description=Docker Socket for the API | |
| [Socket] | |
| ListenStream=2375 | |
| BindIPv6Only=both | |
| Service=docker.service | |
| [Install] | |
| WantedBy=sockets.target | |
| - name: etcd-member.service | |
| enabled: true | |
| dropins: | |
| - name: 20-clct-etcd-member.conf | |
| contents: | | |
| [Unit] | |
| Requires=metadata.service | |
| After=metadata.service | |
| [Service] | |
| EnvironmentFile=/run/metadata/coreos | |
| Environment="ETCD_IMAGE_TAG=v3.3.13" | |
| ExecStart= | |
| ExecStart=/usr/lib/coreos/etcd-wrapper $ETCD_OPTS \ | |
| --name="$${COREOS_CUSTOM_HOSTNAME}" \ | |
| --initial-advertise-peer-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2380" \ | |
| --listen-peer-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2380" \ | |
| --listen-client-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2379,http://127.0.0.1:2379" \ | |
| --advertise-client-urls="http://$${COREOS_CUSTOM_PRIVATE_IPV4}:2379" \ | |
| --discovery="${discovery_url}" | |
| - name: iptables-restore.service | |
| enabled: true | |
| - name: locksmithd.service | |
| enabled: true | |
| - name: metadata.service | |
| enabled: true | |
| contents: | | |
| [Unit] | |
| Description=Custom metadata agent | |
| [Service] | |
| Type=oneshot | |
| Environment=OUTPUT=/run/metadata/coreos | |
| ExecStart=/usr/bin/mkdir --parent /run/metadata | |
| ExecStart=/usr/bin/bash -c 'echo -e "COREOS_CUSTOM_HOSTNAME=$(curl -s http://169.254.169.254/hetzner/v1/metadata/hostname)\nCOREOS_CUSTOM_PUBLIC_IPV4=$(curl -s http://169.254.169.254/hetzner/v1/metadata/public-ipv4)\nCOREOS_CUSTOM_PRIVATE_IPV4=$(curl -s http://169.254.169.254/hetzner/v1/metadata/private-networks | grep 'ip:' | cut -d: -f2 | sed \"s/ //g\")" > $${OUTPUT}' | |
| [Install] | |
| WantedBy=multi-user.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment