/
ignition.yml
241 lines (210 loc) · 6.43 KB
/
ignition.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
passwd:
users:
- name: core
ssh_authorized_keys:
- "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgakqOKbhaZe7ku2SOmHCrOCeAx//4PQy/nB6jSqIv94yDcyTcnxlJGhcoWdDFUzesFSYLvO63qgm5oA7ApFw413+R/M4FKuq4afhakSn8srthpW1gwI148hF+a8ugcz6h+COXEzOBdJLE0EUGcvKlI79+oF3h/egoO/2gLH0Pi5q5WQxkNXHBLUhZX4jU6uwS22ot4ThiAFKluB+/Asfvbd8ghZ0RDI6Q7H/yAKMp3E/CgA+xFQoTwybcUMm3e6ACJWD00yRczWapwv9ohaINac0ssym/3bFJZArW7foFgI0pyR56/s/0hWaGnA/nsTTHWs/HQ+324opm/a+908zv"
storage:
files:
# TODO(mcsaucy): this is sad. Stop doing this.
- path: "/etc/selinux/config"
contents:
inline: "SELINUX=permissive\nSELINUXTYPE=targeted"
mode: 0644
overwrite: true
- path: "/opt/bin/k3s"
contents:
remote:
url: "https://github.com/rancher/k3s/releases/download/v1.18.8%2Bk3s1/k3s"
verification:
hash:
function: sha512
sum: 1d9d460763784146d0ecfb8ccda26122e8fe5fc1d4e89f5829e6ef8f61a751e44dc62d167baf3abd407561d9a979b50e59805389b01a860f48c2f5641920c5b3
mode: 0755
user:
name: root
group:
name: root
- path: "/opt/bin/k_params"
contents:
remote:
url: "https://raw.githubusercontent.com/mcsaucy/k_params/master/k_params"
mode: 0755
user:
name: root
group:
name: root
- path: "/opt/bin/namecheap_update"
contents:
remote:
url: "https://raw.githubusercontent.com/mcsaucy/ddns_scripts/master/namecheap.sh"
mode: 0755
user:
name: root
group:
name: root
links:
- path: "/opt/bin/kubectl"
target: "/opt/bin/k3s"
hard: false
networkd:
units:
- name: 25-jamesbond.netdev
contents: |
[NetDev]
Name=james
Kind=bond
[Bond]
Mode=802.3ad
TransmitHashPolicy=layer3+4
MIIMonitorSec=1s
LACPTransmitRate=fast
- name: james.network
contents: |
[Match]
Name=eno*
[Network]
Bond=james
- name: james_dhcp.network
contents: |
[Match]
Name=james
[Network]
DHCP=yes
systemd:
units:
- name: sethostname.service
enabled: true
contents: |
[Unit]
Description=Set hostname based upon kernel commandline
ConditionKernelCommandLine=hostname
[Install]
WantedBy=k3s.service
[Service]
ExecStart=/bin/bash -c 'hostnamectl set-hostname --static "$(/opt/bin/k_params hostname)"'
TimeoutStartSec=0
Restart=on-failure
RestartSec=30s
- name: k3s.service
enabled: true
contents: |
[Unit]
Description=Lightweight Kubernetes
Documentation=https://k3s.io
After=network-online.target
ConditionFileNotEmpty=/secrets/k3s_env
[Install]
WantedBy=multi-user.target
[Service]
Type=notify
KillMode=process
Delegate=yes
LimitNOFILE=1048576
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s
EnvironmentFile=/secrets/k3s_env
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStart=/opt/bin/k3s server
- name: logexport.service
enabled: true
contents: |
[Unit]
Description=Log Exporter
After=systemd-journald.service
Requires=systemd-journald.service
ConditionFileNotEmpty=/secrets/logexport_env
[Service]
EnvironmentFile=/secrets/logexport_env
ExecStart=/bin/sh -c 'journalctl -f | ncat --ssl "${LOGEXPORT_HOST}" "${LOGEXPORT_PORT}"'
TimeoutStartSec=0
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
- name: heartbeat.service
enabled: true
contents: |
[Unit]
Description=Monitoring Heartbeat Pulse
Requires=network-online.target
ConditionFileNotEmpty=/secrets/heartbeat_env
[Service]
EnvironmentFile=/secrets/heartbeat_env
ExecStart=/bin/sh -c 'wget --spider "${HEARTBEAT_URL}" >/dev/null 2>&1'
TimeoutStartSec=0
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
- name: primary_ddns.service
enabled: true
contents: |
[Unit]
Description=Set the primary hostname via DDNS
Requires=network-online.target k3s.service
ConditionFileNotEmpty=/secrets/namecheap_ddns_env
[Service]
EnvironmentFile=/secrets/namecheap_ddns_env
ExecStart=/bin/sh -c '/opt/bin/kubectl get nodes/$(hostname) | grep -q Ready && /opt/bin/namecheap_update "${NAMECHEAP_DDNS_INTERFACE:-james}" "primary.$(hostname -d)"'
TimeoutStartSec=0
Restart=on-failure
RestartSec=1m
[Install]
WantedBy=multi-user.target
- name: host_ddns.service
enabled: true
contents: |
[Unit]
Description=Update our host's dynamic DNS record
After=sethostname.service
Requires=network-online.target
ConditionFileNotEmpty=/secrets/namecheap_ddns_env
[Service]
EnvironmentFile=/secrets/namecheap_ddns_env
ExecStart=/bin/sh -c '[ "$(hostname)" != localhost ] && /opt/bin/namecheap_update "${NAMECHEAP_DDNS_INTERFACE:-james}"'
TimeoutStartSec=0
Restart=always
RestartSec=10m
[Install]
WantedBy=multi-user.target
- name: heartbeat.timer
enabled: true
contents: |
[Unit]
Description=Run Heartbeat every 5 minutes
Requires=heartbeat.service
[Timer]
Unit=heartbeat.service
OnUnitInactiveSec=5m
AccuracySec=10s
[Install]
WantedBy=timers.target
- name: primary_ddns.timer
enabled: true
contents: |
[Unit]
Description=Run primary_ddns every 5 minutes
Requires=primary_ddns.service
[Timer]
Unit=primary_ddns.service
OnUnitInactiveSec=5m
AccuracySec=10s
[Install]
WantedBy=timers.target
- name: secrets.mount
enabled: true
contents: |
[Unit]
Description=Secrets
[Mount]
What=/dev/disk/by-label/secrets
Where=/secrets
Options=ro
DirectoryMode=0700
[Install]
WantedBy=k3s.service