seiji/Vagrantfile

## Vagrantfile
# -*- mode: ruby -*-
# # vi: set ft=ruby :
$vm_name_prefix = 'cores'
$region = 'sgp1'
$timezone = 'Asia/Tokyo'

# config options
$num_instances=1
$update_channel = "alpha"

# vb
$vb_gui = false
$vb_memory = 512
$vb_cpus = 1

$cloud_config = <<"EOS"
#cloud-config

write_files:
  - path: /etc/ssh/sshd_config
    permissions: 0600
    owner: root:root
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp

      PermitRootLogin no
      AllowUsers core
      PasswordAuthentication no
      ChallengeResponseAuthentication no
  - path: /etc/resolv.conf
    permissions: 0644
    owner: root:root
    content: |
      nameserver 8.8.8.8
      nameserver 8.8.4.4
  - path: /etc/iptables.rules
    permissions: 0644
    owner: root:root
    content: |
      *filter

      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      :SERVICES - [0:0]

      # etcd
      -A INPUT -j ACCEPT -i eth1 -p tcp -s 10.132.0.0/16,172.17.0.0/16,127.0.0.1 --dport 4001
      -A INPUT -j ACCEPT -i eth1 -p tcp -s 10.132.0.0/16 --dport 7001
      -A INPUT -j ACCEPT -i docker0 -p tcp -s 172.17.0.0/16

      # custom chain rules
      -A INPUT -j SERVICES
      -A FORWARD -j SERVICES

      ## ACCEPT
      -A SERVICES -j ACCEPT -i lo
      -A SERVICES -j ACCEPT -p icmp --icmp-type echo-reply
      -A SERVICES -j ACCEPT -p icmp --icmp-type destination-unreachable
      -A SERVICES -j ACCEPT -p icmp --icmp-type time-exceeded
      ### Accept pings
      -A SERVICES -j ACCEPT -p icmp --icmp-type echo-request
      ### Accept any established connections
      -A SERVICES -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

      ### Accept ssh
      -A SERVICES -j ACCEPT -m conntrack --ctstate NEW -p tcp --dport 22
      ### Accept http[s]
      -A SERVICES -j ACCEPT -m conntrack --ctstate NEW -m multiport -p tcp --dports 80,443
      ### Accept znc
      -A SERVICES -j ACCEPT -m conntrack --ctstate NEW -m multiport -p tcp --dports 6667,6697

      ## LOG and REJECT
      -A SERVICES -j LOG
      -A SERVICES -j REJECT --reject-with icmp-host-prohibited

      COMMIT
coreos:
  etcd:
    discovery: #{ENV["ETCD_DISCOVERY_URL"]}
    addr: $private_ipv4:4001
    peer-addr: $private_ipv4:7001
  fleet:
    public-ip: $private_ipv4
    metadata: region=#{$region},public_ip=$public_ipv4,private_ip=$private_ipv4
  units:
    - name: etcd.service
      command: start
    - name: docker.service
      command: start
    - name: fleet.service
      command: start
    - name: iptables.service
      command: start
      content: |
        [Unit]
        Description=iptables
        DefaultDependencies=no
        After=systemd-sysctl.service
        Before=sysinit.target

        [Service]
        Type=oneshot
        ExecStart=/usr/sbin/iptables-restore /etc/iptables.rules
        ExecReload=/usr/sbin/iptables-restore /etc/iptables.rules
        ExecStop=/usr/sbin/iptables --flush
        RemainAfterExit=yes

        [Install]
        WantedBy=multi-user.target
    - name: settimezone.service
      command: start
      content: |
        [Unit]
        Description=Set the timezone

        [Service]
        ExecStart=/usr/bin/timedatectl set-timezone #{$timezone}
        RemainAfterExit=yes
        Type=oneshot
    - name: sshd.socket
      command: restart
      content: |
        [Socket]
        ListenStream=22
        Accept=yes

  update:
    reboot-strategy: etcd-lock
EOS


if ENV["NUM_INSTANCES"].to_i > 0 && ENV["NUM_INSTANCES"]
  $num_instances = ENV["NUM_INSTANCES"].to_i
end

if ENV["VM_NAME_PREFIX"]
  $vm_name_prefix = ENV["VM_NAME_PREFIX"]
end

Vagrant.configure("2") do |config|
  config.vm.box = "coreos-%s" % $update_channel
  config.vm.box_version = ">= 308.0.1"
  config.vm.box_url = "http://%s.release.core-os.net/amd64-usr/current/coreos_production_vagrant.json" % $update_channel
  config.vm.synced_folder ".", "/vagrant", disabled: true
  config.ssh.username = 'core'
  config.ssh.forward_agent = true

  config.vm.provider :virtualbox do |provider, override|
    provider.gui = $vb_gui
    provider.memory = $vb_memory
    provider.cpus = $vb_cpus
    provider.check_guest_additions = false
    provider.functional_vboxsf     = false

    # override.vm.provision :file,
    #   source: "#{CLOUD_CONFIG_PATH}",
    #   destination: "/tmp/vagrantfile-user-data"
    override.vm.provision :shell,
      inline: "echo '#{$cloud_config}'>/tmp/vagrantfile-user-data; mv /tmp/vagrantfile-user-data /var/lib/coreos-vagrant/",
      privileged: true
  end

  config.vm.provider :digital_ocean do |provider, override|
    provider.token                 = "#{ENV['API_TOKEN_DO']}"
    provider.image                 = '494.0.0 (alpha)'
    provider.region                = $region
    provider.size                  = '512mb'
    provider.setup                 = false
    provider.private_networking    = true
    provider.user_data             = $cloud_config
    override.ssh.private_key_path  = '~/.ssh/id_rsa'
    override.vm.box_url            = "https://github.com/smdahlen/vagrant-digitalocean/raw/master/box/digital_ocean.box"
  end

  (1..$num_instances).each do |i|
    config.vm.define vm_name = "#{$vm_name_prefix}-%02d" % i do |config|
      config.vm.hostname = vm_name
      config.vm.provider :virtualbox   do |provider, override|
        override.vm.network :private_network, ip: "172.17.8.#{i+100}"
      end
    end
  end
end
	# -- mode: ruby --
	# # vi: set ft=ruby :
	$vm_name_prefix = 'cores'
	$region = 'sgp1'
	$timezone = 'Asia/Tokyo'

	# config options
	$num_instances=1
	$update_channel = "alpha"

	# vb
	$vb_gui = false
	$vb_memory = 512
	$vb_cpus = 1

	$cloud_config = <<"EOS"
	#cloud-config

	write_files:
	- path: /etc/ssh/sshd_config
	permissions: 0600
	owner: root:root
	content: \|
	# Use most defaults for sshd configuration.
	UsePrivilegeSeparation sandbox
	Subsystem sftp internal-sftp

	PermitRootLogin no
	AllowUsers core
	PasswordAuthentication no
	ChallengeResponseAuthentication no
	- path: /etc/resolv.conf
	permissions: 0644
	owner: root:root
	content: \|
	nameserver 8.8.8.8
	nameserver 8.8.4.4
	- path: /etc/iptables.rules
	permissions: 0644
	owner: root:root
	content: \|
	*filter

	:INPUT DROP [0:0]
	:FORWARD DROP [0:0]
	:OUTPUT ACCEPT [0:0]
	:SERVICES - [0:0]

	# etcd
	-A INPUT -j ACCEPT -i eth1 -p tcp -s 10.132.0.0/16,172.17.0.0/16,127.0.0.1 --dport 4001
	-A INPUT -j ACCEPT -i eth1 -p tcp -s 10.132.0.0/16 --dport 7001
	-A INPUT -j ACCEPT -i docker0 -p tcp -s 172.17.0.0/16

	# custom chain rules
	-A INPUT -j SERVICES
	-A FORWARD -j SERVICES

	## ACCEPT
	-A SERVICES -j ACCEPT -i lo
	-A SERVICES -j ACCEPT -p icmp --icmp-type echo-reply
	-A SERVICES -j ACCEPT -p icmp --icmp-type destination-unreachable
	-A SERVICES -j ACCEPT -p icmp --icmp-type time-exceeded
	### Accept pings
	-A SERVICES -j ACCEPT -p icmp --icmp-type echo-request
	### Accept any established connections
	-A SERVICES -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

	### Accept ssh
	-A SERVICES -j ACCEPT -m conntrack --ctstate NEW -p tcp --dport 22
	### Accept http[s]
	-A SERVICES -j ACCEPT -m conntrack --ctstate NEW -m multiport -p tcp --dports 80,443
	### Accept znc
	-A SERVICES -j ACCEPT -m conntrack --ctstate NEW -m multiport -p tcp --dports 6667,6697

	## LOG and REJECT
	-A SERVICES -j LOG
	-A SERVICES -j REJECT --reject-with icmp-host-prohibited

	COMMIT
	coreos:
	etcd:
	discovery: #{ENV["ETCD_DISCOVERY_URL"]}
	addr: $private_ipv4:4001
	peer-addr: $private_ipv4:7001
	fleet:
	public-ip: $private_ipv4
	metadata: region=#{$region},public_ip=$public_ipv4,private_ip=$private_ipv4
	units:
	- name: etcd.service
	command: start
	- name: docker.service
	command: start
	- name: fleet.service
	command: start
	- name: iptables.service
	command: start
	content: \|
	[Unit]
	Description=iptables
	DefaultDependencies=no
	After=systemd-sysctl.service
	Before=sysinit.target

	[Service]
	Type=oneshot
	ExecStart=/usr/sbin/iptables-restore /etc/iptables.rules
	ExecReload=/usr/sbin/iptables-restore /etc/iptables.rules
	ExecStop=/usr/sbin/iptables --flush
	RemainAfterExit=yes

	[Install]
	WantedBy=multi-user.target
	- name: settimezone.service
	command: start
	content: \|
	[Unit]
	Description=Set the timezone

	[Service]
	ExecStart=/usr/bin/timedatectl set-timezone #{$timezone}
	RemainAfterExit=yes
	Type=oneshot
	- name: sshd.socket
	command: restart
	content: \|
	[Socket]
	ListenStream=22
	Accept=yes

	update:
	reboot-strategy: etcd-lock
	EOS


	if ENV["NUM_INSTANCES"].to_i > 0 && ENV["NUM_INSTANCES"]
	$num_instances = ENV["NUM_INSTANCES"].to_i
	end

	if ENV["VM_NAME_PREFIX"]
	$vm_name_prefix = ENV["VM_NAME_PREFIX"]
	end

	Vagrant.configure("2") do \|config\|
	config.vm.box = "coreos-%s" % $update_channel
	config.vm.box_version = ">= 308.0.1"
	config.vm.box_url = "http://%s.release.core-os.net/amd64-usr/current/coreos_production_vagrant.json" % $update_channel
	config.vm.synced_folder ".", "/vagrant", disabled: true
	config.ssh.username = 'core'
	config.ssh.forward_agent = true

	config.vm.provider :virtualbox do \|provider, override\|
	provider.gui = $vb_gui
	provider.memory = $vb_memory
	provider.cpus = $vb_cpus
	provider.check_guest_additions = false
	provider.functional_vboxsf = false

	# override.vm.provision :file,
	# source: "#{CLOUD_CONFIG_PATH}",
	# destination: "/tmp/vagrantfile-user-data"
	override.vm.provision :shell,
	inline: "echo '#{$cloud_config}'>/tmp/vagrantfile-user-data; mv /tmp/vagrantfile-user-data /var/lib/coreos-vagrant/",
	privileged: true
	end

	config.vm.provider :digital_ocean do \|provider, override\|
	provider.token = "#{ENV['API_TOKEN_DO']}"
	provider.image = '494.0.0 (alpha)'
	provider.region = $region
	provider.size = '512mb'
	provider.setup = false
	provider.private_networking = true
	provider.user_data = $cloud_config
	override.ssh.private_key_path = '~/.ssh/id_rsa'
	override.vm.box_url = "https://github.com/smdahlen/vagrant-digitalocean/raw/master/box/digital_ocean.box"
	end

	(1..$num_instances).each do \|i\|
	config.vm.define vm_name = "#{$vm_name_prefix}-%02d" % i do \|config\|
	config.vm.hostname = vm_name
	config.vm.provider :virtualbox do \|provider, override\|
	override.vm.network :private_network, ip: "172.17.8.#{i+100}"
	end
	end
	end
	end