Example Cloud Config for running CoreOS Enterprise + Build Worker on CoreOS/AWS
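#cloud-config
# CoreOS cloud-config for an AWS host running CoreOS Enterprise Registry, a
# public nginx front end and a build worker. coreos-cloudinit substitutes
# $private_ipv4 in the raw text before the YAML is parsed, so those values are
# intentionally left unquoted.
coreos:
  etcd:
    addr: $private_ipv4:4001
    peer-addr: $private_ipv4:7001
  fleet:
    public-ip: $private_ipv4
  update:
    # Quoted on purpose: a plain `off` is a YAML 1.1 boolean (false) to most
    # parsers, while the update strategy expects the string "off".
    reboot-strategy: "off"
  units:
    - name: etcd.service
      command: start
    - name: fleet.service
      command: start
    # Fires timer-hourly.target 5 min after boot and hourly thereafter.
    - name: hourly.timer
      command: start
      content: |
        [Unit]
        Description=Hourly Timer
        [Timer]
        OnBootSec=5min
        OnUnitActiveSec=1h
        Unit=timer-hourly.target
        [Install]
        WantedBy=basic.target
    - name: timer-hourly.target
      content: |
        [Unit]
        Description=Hourly Timer Target
        StopWhenUnneeded=yes
    # `enable: true` is what creates the WantedBy link from [Install]; without
    # it the target fires every hour but never pulls this service in, so the
    # dangling layers are never removed.
    - name: clean-dangling.service
      enable: true
      content: |
        [Unit]
        Description=Remove all dangling docker image layers
        Wants=hourly.timer
        [Service]
        ExecStart=/bin/sh -c 'docker rmi $(docker images --filter dangling=true -q)'
        [Install]
        WantedBy=timer-hourly.target
    # Bundles the host CA certs into /home/core/certs for the build worker.
    # It is started on every boot, so the directory normally already exists:
    # `mkdir -p` keeps ExecStartPre (and therefore the whole oneshot) from
    # failing on the second boot, which would leave a stale bundle behind.
    - name: fix-ssl-certs.service
      command: start
      content: |
        [Unit]
        Description=Copy SSL Certificates to proper place
        Before=docker.service
        [Service]
        Type=oneshot
        User=core
        ExecStartPre=/bin/sh -c 'mkdir -p /home/core/certs'
        ExecStart=/bin/sh -c 'cat /etc/ssl/certs/*.pem > /home/core/certs/ca-certificates.crt'
    # Registry container; config and storage are bind-mounted from /home/core.
    # NOTE(review): --privileged gives the container all host capabilities and
    # device access, so a compromise of the registry process is equivalent to
    # root on the host. Confirm the image actually requires it.
    - name: docker-coreos-er.service
      command: start
      content: |
        [Unit]
        Description=CoreOS Enterprise Registry
        After=docker.service
        [Service]
        User=core
        Restart=always
        TimeoutStartSec=0
        ExecStartPre=-/usr/bin/docker kill coreos-er
        ExecStartPre=-/usr/bin/docker rm -f coreos-er
        ExecStartPre=/usr/bin/docker pull quay.io/coreos/registry
        ExecStart=/usr/bin/docker run \
          --privileged=true \
          -v /home/core/config:/conf/stack \
          -v /home/core/storage:/datastorage \
          --rm \
          --name="coreos-er" \
          quay.io/coreos/registry
        ExecStop=/usr/bin/docker stop coreos-er
    # Public nginx front end on :80, linked to the registry container.
    # Restart=always and TimeoutStartSec=0 match the registry unit: the image
    # pull in ExecStartPre can exceed systemd's default start timeout, and a
    # crashed proxy should come back without operator action.
    - name: docker-nginx-proxy.service
      command: start
      content: |
        [Unit]
        Description=Public Facing Nginx Proxy for CoreOS ER
        After=docker-coreos-er.service
        [Service]
        Restart=always
        TimeoutStartSec=0
        ExecStartPre=-/usr/bin/docker kill nginx-proxy
        ExecStartPre=-/usr/bin/docker rm -f nginx-proxy
        ExecStartPre=/usr/bin/docker pull nginx
        ExecStart=/usr/bin/docker run \
          -p 80:80 \
          --rm \
          --name nginx-proxy \
          --link coreos-er:registry \
          -v /home/core/nginx:/etc/nginx/conf.d \
          nginx
        ExecStop=/usr/bin/docker stop nginx-proxy
    # Build worker. Mounting the host Docker socket hands the worker
    # root-equivalent control of the host daemon, so the worker image must be
    # treated as fully trusted. The CA bundle written by fix-ssl-certs.service
    # is mounted over /etc/ssl/certs so the worker trusts the same CAs as the
    # host; SERVER points at the linked registry container.
    - name: docker-build-worker.service
      command: start
      content: |
        [Unit]
        Description=CoreOS Docker Build Worker
        After=docker-coreos-er.service
        [Service]
        User=core
        Restart=on-failure
        TimeoutStartSec=0
        ExecStartPre=-/usr/bin/docker rm -f docker-build-worker
        ExecStart=/usr/bin/docker run \
          --cpuset 0,1 \
          -e SERVER=ws://registry \
          --link coreos-er:registry \
          -v /var/run/docker.sock:/var/run/docker.sock \
          -v /home/core/certs:/etc/ssl/certs \
          --rm \
          --name="docker-build-worker" \
          quay.io/coreos/registry-build-worker:latest
        ExecStop=/usr/bin/docker stop docker-build-worker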
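# Files laid down before the units above start. Permissions are quoted so a
# YAML 1.1 parser cannot turn 0644 into the integer 420; files holding
# credentials are written owner-only instead of the original world-readable
# 0644.
write_files:
  # nginx vhost mounted into the proxy container at /etc/nginx/conf.d.
  # NOTE(review): the vhost listens on :80 only; browsers honour the HSTS
  # header only on HTTPS responses, so TLS is presumably terminated in front
  # of this host (e.g. an ELB) -- confirm.
  - path: /home/core/nginx/coreos-er.conf
    permissions: "0644"
    owner: core
    content: |
      server {
        server_name registry.someorg.com;
        listen 80;
        # This should be /health except it always 503s due to 'registry_gunicorn: false'
        # so we use /about as a hack workaround instead
        location /about {
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $http_host;
          proxy_redirect off;
          proxy_next_upstream error;
          proxy_pass http://registry;
          break;
        }
        location / {
          allow all;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $http_host;
          proxy_redirect off;
          proxy_next_upstream error;
          # this -should- work but it causes redirect loops
          #if ($http_x_forwarded_proto != "https") {
          # rewrite ^(.*)$ https://$server_name$1 permanent;
          #}
          proxy_pass http://registry;
          add_header Strict-Transport-Security "max-age=31536000; includeSubDomains;";
        }
        # Without this anyone will be able to upload images to any app in your registry without authentication
        location ~ /b1/* {
          deny all;
        }
      }
  # Registry credentials used by `docker pull` running as core. The auth
  # field is a bearer credential, so the file is owner-only.
  - path: /home/core/.dockercfg
    permissions: "0600"
    owner: core
    content: |
      {"quay.io": {"auth":"*************************************************************************","email":""}}
  # Keeps the storage directory present for the registry bind mount.
  - path: /home/core/storage/.keep
    permissions: "0644"
    owner: core
    content: ""
  # Hardened sshd: key-only authentication, no root login, only `core` may
  # log in.
  - path: /etc/ssh/sshd_config
    permissions: "0600"
    owner: root:root
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp
      PermitRootLogin no
      AllowUsers core
      PasswordAuthentication no
      ChallengeResponseAuthentication no
  # Registry configuration holding SECRET_KEY, DB and mail passwords, S3 keys
  # and GitHub OAuth secrets; owner-only so other local users cannot read it.
  # NOTE(review): this assumes the registry process inside the container runs
  # as root (it reads the file through the /conf/stack bind mount); if it runs
  # as an unprivileged uid the file must stay readable by that uid.
  - path: /home/core/config/config.yaml
    permissions: "0600"
    owner: core
    content: |
      SECRET_KEY: '*****************************************'
      PREFERRED_URL_SCHEME: 'https'
      SERVER_HOSTNAME: 'registry.someorg.com'
      ENTERPRISE_LOGO_URL: 'https://someorg.com/assets/logo.svg'
      CONTACT_INFO:
        - 'mailto:team@someorg.com'
        - 'tel:+1-555-555-5555'
      MAIL_PORT: 587
      MAIL_PASSWORD: '***********'
      MAIL_SERVER: 'smtp.someorg.com'
      MAIL_USERNAME: 'team@someorg.com'
      MAIL_USE_TLS: true
      DB_URI: 'postgresql://coreos:*************************@someorg.com:5432/coreos_enterprise'
      BUILDLOGS_REDIS: {'host': 'redis1.someorg.com'}
      USER_EVENTS_REDIS: {'host': 'redis2.someorg.com'}
      FEATURE_SUPER_USERS: true
      SUPER_USERS: ['someuser1', 'someuser2']
      AUTHENTICATION_TYPE: 'Database'
      DISTRIBUTED_STORAGE_PREFERENCE: ['local']
      DISTRIBUTED_STORAGE_CONFIG:
        local:
          - S3Storage
          - {s3_access_key: *******************, s3_bucket: coreos-enterprise, s3_secret_key: **********************,storage_path: /datastorage/registry}
      USERFILES_LOCATION: 'local'
      USERFILES_PATH: 'userfiles/'
      TESTING: false
      USE_CDN: false
      FEATURE_USER_LOG_ACCESS: true
      FEATURE_BUILD_SUPPORT: true
      FEATURE_GITHUB_BUILD: true
      FEATURE_GITHUB_LOGIN: true
      GITHUB_LOGIN_CONFIG: {
        'GITHUB_ENDPOINT': 'https://github.com/',
        'API_ENDPOINT': 'https://api.github.com/',
        'CLIENT_ID': '*********************',
        'CLIENT_SECRET': '********************',
      }
      GITHUB_TRIGGER_CONFIG: {
        'GITHUB_ENDPOINT': 'https://github.com/',
        'API_ENDPOINT': 'https://api.github.com/',
        'CLIENT_ID': '************************',
        'CLIENT_SECRET': '*******************************',
      }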
# Public keys installed for the core user.
ssh_authorized_keys:
  # Placeholder key; replace with the operator key that may log in as core
  # (the only account the sshd_config written above permits).
  - ssh-rsa ................................... someuser