benok/cloud-init.yml

## cloud-init.yml
#cloud-config
hostname: burmilla
rancher:
  upgrade:
   #url: https://raw.githubusercontent.com/benok/burmilla-os-releases/master/releases.yml
    url: https://raw.githubusercontent.com/burmilla/releases/master/releases.yml
  repositories:
    console:
      url: https://raw.githubusercontent.com/benok/burmilla-os-console/master
  console: debian-testing
  network:
    #dns:
    #  nameservers:
    #  - 1.1.1.1
    #  - 1.0.0.1
    interfaces:
      eth0:
      #  address: 192.168.1.123/24
      #  gateway: 192.168.1.254
        dhcp: true
        mtu: 1500
      #eth1:
      #  address: 192.168.2.1/24
      #  mtu: 1500
      #eth2:
      #  address: 192.168.3.1/24
      #  mtu: 1500
    post_cmds:
    - /var/lib/iptables/rules.sh
  sysctl:
    # disable ipv6
    net.ipv6.conf.all.disable_ipv6: 1
    net.ipv6.conf.default.disable_ipv6: 1
  environment:
    TZ: JST-9
  services:
    syslog:
      environment:
        - TZ
    console:
      environment:
        - TZ
    system-cron:
      environment:
        - TZ
  services_include:
    #open-vm-tools: true
    qemu-guest-agent: true
  resize_device: /dev/sda
write_files:
# configure docker's address pool
- path: /etc/docker/daemon.json
  owner: root:root
  content: |
    {
      "default-address-pools":
      [
        { "base":"10.254.0.0/16", "size": 24 }
      ]
    }
# define ip table rules
- container: network
  path: /var/lib/iptables/rules.sh
  owner: root:root
  permissions: "0755"
  content: |
    #!/bin/sh
    #iptables -F
    #iptables -P FORWARD ACCEPT
    #iptables -P OUTPUT ACCEPT
    #iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    #iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
    #iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
    #iptables -A INPUT -p tcp -i eth0 --dport 992 -j ACCEPT
    #iptables -P INPUT DROP
# ntp config
- container: ntp
  path: /etc/ntp.conf
  owner: root
  permissions: "0644"
  content: |+
    server ntp.nict.jp iburst
    server ntp.jst.mfeed.ad.jp iburst
    server time.google.com iburst
    # Allow only time queries, at a limited rate, sending KoD when in excess.
    # Allow all local queries (IPv4, IPv6)
    restrict default nomodify nopeer noquery limited kod
    restrict 127.0.0.1
    restrict [::1]
# add swap file
- path: /etc/rc.addswap
  owner: root
  permissions: "0755"
  content: |+
    #!/bin/sh
    # add swap (original: https://web.archive.org/web/20170713205503/https://coreos.com/os/docs/latest/adding-swap.html)
    SWAP_PATH=/var/lib/rancher/cache/swap
    SWAP_FILE=swapfile1
    #SWAP_SIZE=4g
    SWAP_SIZE=$(grep 'MemTotal:' /proc/meminfo| awk '{printf("%dm\n", $2/1000*2)}') # RAM size * 2
    SWAPINESS=5
    /bin/rm -rf ${SWAP_PATH}
    /bin/mkdir -p ${SWAP_PATH}
    /bin/touch ${SWAP_PATH}/${SWAP_FILE}
    /bin/bash -c "fallocate -l ${SWAP_SIZE} ${SWAP_PATH}/${SWAP_FILE}"
    /bin/chmod 600 ${SWAP_PATH}/${SWAP_FILE}
    /sbin/mkswap ${SWAP_PATH}/${SWAP_FILE}
    /sbin/sysctl vm.swappiness=${SWAPINESS}
    /sbin/swapon ${SWAP_PATH}/${SWAP_FILE}
# setup console
- path: /etc/rc.runonce
  owner: root
  permissions: "0755"
  content: |+
    #!/bin/sh
    FLAG_FILE=/.done.rc.runonce

    if [ -f ${FLAG_FILE} ]; then
      exit 0
    fi

    set -x

    #
    # basic setup
    #
    MY_UBUNTU_MIRROR=http://ftp.iij.ad.jp/pub/linux/ubuntu/archive
    MY_TIMEZONE=Asia/Tokyo

    #
    # change mirror server to my nearest.
    # (deb.debian.org is served by fastly cdn now, changing mirror is not required)
    #
    SRC=/etc/apt/sources.list
    if [ -f ${SRC} ]; then
      if grep ubuntu ${SRC}>/dev/null; then
        # ubuntu
        sed -i.bk -e "s%http://archive.ubuntu.com/ubuntu/%${MY_UBUNTU_MIRROR}/%" ${SRC}
      else
        # add contrib & non-free
        if grep -v non-free ${SRC} > /dev/null; then
          sed -i.bk -e "s/main/main contrib non-free/" ${SRC}
        fi

        # add testing-security (which is almost empty, but it might help someday. -> https://www.reddit.com/r/debian/comments/hr0aj3/sourcelist_for_debian_testing/)
        if grep testing ${SRC}>/dev/null; then
          grep security.debian.org ${SRC} || echo 'deb http://security.debian.org/debian-security testing-security main contrib non-free' >> ${SRC}
        fi
      fi
    else
      # deb822
      SRC=/etc/apt/sources.list.d/ubuntu.sources
      if [ -f ${SRC} ]; then
        # ubuntu(IIJ)
        sed -i -e "s%http://archive.ubuntu.com/ubuntu/%${MY_UBUNTU_MIRROR}/%" ${SRC}
      else
        SRC=/etc/apt/sources.list.d/debian.sources
        # add contrib & non-free
        if grep -v -e 'Components:.*non-free' ${SRC} > /dev/null; then
          sed -i -e "s/main/main contrib non-free/" ${SRC}
        fi
        # testing-security exists
      fi
    fi

    #
    # set timezone
    #
    ln -sf /usr/share/zoneinfo/${MY_TIMEZONE} /etc/localtime

    # done rc.runonce
    touch ${FLAG_FILE}

    # change motd to run package install script
    if [ -f /etc/motd ]; then
      mv /etc/motd /etc/motd.org
    fi
    echo "******************************************" > /etc/motd
    echo "Please run 'sudo /etc/rc.pkginstall' once." >> /etc/motd
    echo "******************************************" >> /etc/motd
# install docker plugins
- path: /etc/rc.install-docker-plugins
  owner: root
  permissions: "0755"
  content: |+
    #!/bin/sh
    #set -x
    # https://gist.github.com/lukechilds/a83e1d7127b78fef38c2914c4ececc3c
    get_latest_release() {
       curl --silent "https://api.github.com/repos/$1/releases/latest" | # Get latest release from GitHub api
       grep '"tag_name":' |                                            # Get tag line
       sed -E 's/.*"([^"]+)".*/\1/'                                    # Pluck JSON value
    }

    # install docker compose plugin (https://kazuhira-r.hatenablog.com/entry/2022/04/30/002702)
    sudo mkdir -p /usr/local/lib/docker/cli-plugins
    ver=$(get_latest_release docker/compose)
    url=https://github.com/docker/compose/releases/download/$ver/docker-compose-linux-x86_64
    echo "Downloading $url..."
    sudo curl -SL $url -o /usr/local/lib/docker/cli-plugins/docker-compose
    sudo chmod a+x /usr/local/lib/docker/cli-plugins/docker-compose
    # support both "docker compose" and "docker-compose" for backward comatibility
    sudo ln -sf /usr/local/lib/docker/cli-plugins/docker-compose /usr/local/bin/docker-compose

    # install docker buildx
    ver=$(get_latest_release docker/buildx)
    url=https://github.com/docker/buildx/releases/download/$ver/buildx-$ver.linux-amd64
    echo "Downloading $url..."
    sudo curl -SL $url -o /usr/local/lib/docker/cli-plugins/docker-buildx
    sudo chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
# install packages
- path: /etc/rc.pkginstall
  owner: root
  permissions: "0755"
  content: |+
    #!/bin/sh
    set -x

    # unminimize on ubuntu
    if [ -f /etc/legal ]; then
      yes | unminimize
    fi

    # upgrade & install packages
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get full-upgrade -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold"
    apt-get autoremove -y
    apt-get install -y \
      haveged \
      tzdata \
      \
      zsh \
      screen \
      \
      vim \
      git \
      jq \
      \
      unzip \
      zstd \
      pv \
      \
      inetutils-traceroute \
      dnsutils \
      nfs-common \
      bridge-utils \
      netcat-openbsd \
      lsof \
      \
      rclone \
      fuse3 \
      \
      golang \
      \
      python3-pip \
      dos2unix \
      dialog \
      man-db

    # requires only on newer distribution
    apt-get install -y \
      linux-sysctl-defaults

    unset DEBIAN_FRONTEND

    #sudo pip3 install -I pip
    #sudo pip install pip-autoremove
    #sudo pip install docker-compose

    # install docker-compose, buildx
    /etc/rc.install-docker-plugins

    # set python3 default
    if [ -x /usr/bin/python2 ]; then
      update-alternatives --install /usr/bin/python python /usr/bin/python3 1
      update-alternatives --install /usr/bin/python python /usr/bin/python2 2
      update-alternatives --set python /usr/bin/python3
    fi

    # chsh to zsh
    if [ -x /bin/zsh ]; then
      chsh -s /bin/zsh rancher
    fi

    # symlink user_config.yml
    ln -sf /var/lib/rancher/conf/cloud-config.d/user_config.yml /home/rancher/user_config.yml

    # update motd
    if [ -f /etc/motd.org ]; then
      # debian
      mv /etc/motd.org /etc/motd
    else
      # ubuntu
      rm -f /etc/motd
    fi

    if [ -f /etc/update-motd.d/10-help-text ]; then
      rm /etc/update-motd.d/10-help-text
    fi

    # force restart sshd
    /etc/init.d/ssh restart

    set +x
    echo '###########################'
    echo '# package install finished.'
    echo '###########################'
# use IPv4 for apt
- path: /etc/apt/apt.conf.d/99force-ipv4
  owner: root
  permissions: "0644"
  content: |+
    Acquire::ForceIPv4 "true";
runcmd:
  # separate cloud specific rc to /opt/rc.oem
  - if [ -x /opt/rc.oem ]; then { /opt/rc.oem || true; }; fi
  # add appropriate swap
  - /etc/rc.addswap
  # run once script on recreate console
  - /etc/rc.runonce
  # always try to resizefs on boot
  - rm -f /var/lib/burmilla/resizefs.done
  # workaround to fix autoresize
  - bash -x -c 'd="$(sudo ros config get rancher.resize_device)1"; if [ -n "$d" -a -b "$d" ]; then sudo resize2fs $d; fi'
  # generate /etc/lsb-release for burmilla OS
  - /etc/init.d/generate-lsb-release start
  # Adding entropy is quite important for cloud, vps, VMs. (e.g. Prevent from intermittent docker command stalling)
  - if [ -x /etc/init.d/haveged ]; then /etc/init.d/haveged start; fi
  # need to setup sysctl manually on boot (systemd don't works on console container)
  - sudo sysctl --system
  # execute a script on restart (if exists)
  - if [ -x /home/rancher/on-restart.sh ]; then { /home/rancher/on-restart.sh || true; }; fi
ssh_authorized_keys:
  # https://github.com/benok.keys (Never use the line below. use your public key https://github.com/<<YOUR_ACCOUNT>>.keys)
  - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW3eVCs/HnGgUEBOxTPDWlvblEsZhlIB6Yn1elpPqXX
	#cloud-config
	hostname: burmilla
	rancher:
	upgrade:
	#url: https://raw.githubusercontent.com/benok/burmilla-os-releases/master/releases.yml
	url: https://raw.githubusercontent.com/burmilla/releases/master/releases.yml
	repositories:
	console:
	url: https://raw.githubusercontent.com/benok/burmilla-os-console/master
	console: debian-testing
	network:
	#dns:
	# nameservers:
	# - 1.1.1.1
	# - 1.0.0.1
	interfaces:
	eth0:
	# address: 192.168.1.123/24
	# gateway: 192.168.1.254
	dhcp: true
	mtu: 1500
	#eth1:
	# address: 192.168.2.1/24
	# mtu: 1500
	#eth2:
	# address: 192.168.3.1/24
	# mtu: 1500
	post_cmds:
	- /var/lib/iptables/rules.sh
	sysctl:
	# disable ipv6
	net.ipv6.conf.all.disable_ipv6: 1
	net.ipv6.conf.default.disable_ipv6: 1
	environment:
	TZ: JST-9
	services:
	syslog:
	environment:
	- TZ
	console:
	environment:
	- TZ
	system-cron:
	environment:
	- TZ
	services_include:
	#open-vm-tools: true
	qemu-guest-agent: true
	resize_device: /dev/sda
	write_files:
	# configure docker's address pool
	- path: /etc/docker/daemon.json
	owner: root:root
	content: \|
	{
	"default-address-pools":
	[
	{ "base":"10.254.0.0/16", "size": 24 }
	]
	}
	# define ip table rules
	- container: network
	path: /var/lib/iptables/rules.sh
	owner: root:root
	permissions: "0755"
	content: \|
	#!/bin/sh
	#iptables -F
	#iptables -P FORWARD ACCEPT
	#iptables -P OUTPUT ACCEPT
	#iptables -A INPUT -s 127.0.0.1 -j ACCEPT
	#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
	#iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
	#iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
	#iptables -A INPUT -p tcp -i eth0 --dport 992 -j ACCEPT
	#iptables -P INPUT DROP
	# ntp config
	- container: ntp
	path: /etc/ntp.conf
	owner: root
	permissions: "0644"
	content: \|+
	server ntp.nict.jp iburst
	server ntp.jst.mfeed.ad.jp iburst
	server time.google.com iburst
	# Allow only time queries, at a limited rate, sending KoD when in excess.
	# Allow all local queries (IPv4, IPv6)
	restrict default nomodify nopeer noquery limited kod
	restrict 127.0.0.1
	restrict [::1]
	# add swap file
	- path: /etc/rc.addswap
	owner: root
	permissions: "0755"
	content: \|+
	#!/bin/sh
	# add swap (original: https://web.archive.org/web/20170713205503/https://coreos.com/os/docs/latest/adding-swap.html)
	SWAP_PATH=/var/lib/rancher/cache/swap
	SWAP_FILE=swapfile1
	#SWAP_SIZE=4g
	SWAP_SIZE=$(grep 'MemTotal:' /proc/meminfo\| awk '{printf("%dm\n", $2/10002)}') # RAM size 2
	SWAPINESS=5
	/bin/rm -rf ${SWAP_PATH}
	/bin/mkdir -p ${SWAP_PATH}
	/bin/touch ${SWAP_PATH}/${SWAP_FILE}
	/bin/bash -c "fallocate -l ${SWAP_SIZE} ${SWAP_PATH}/${SWAP_FILE}"
	/bin/chmod 600 ${SWAP_PATH}/${SWAP_FILE}
	/sbin/mkswap ${SWAP_PATH}/${SWAP_FILE}
	/sbin/sysctl vm.swappiness=${SWAPINESS}
	/sbin/swapon ${SWAP_PATH}/${SWAP_FILE}
	# setup console
	- path: /etc/rc.runonce
	owner: root
	permissions: "0755"
	content: \|+
	#!/bin/sh
	FLAG_FILE=/.done.rc.runonce

	if [ -f ${FLAG_FILE} ]; then
	exit 0
	fi

	set -x

	#
	# basic setup
	#
	MY_UBUNTU_MIRROR=http://ftp.iij.ad.jp/pub/linux/ubuntu/archive
	MY_TIMEZONE=Asia/Tokyo

	#
	# change mirror server to my nearest.
	# (deb.debian.org is served by fastly cdn now, changing mirror is not required)
	#
	SRC=/etc/apt/sources.list
	if [ -f ${SRC} ]; then
	if grep ubuntu ${SRC}>/dev/null; then
	# ubuntu
	sed -i.bk -e "s%http://archive.ubuntu.com/ubuntu/%${MY_UBUNTU_MIRROR}/%" ${SRC}
	else
	# add contrib & non-free
	if grep -v non-free ${SRC} > /dev/null; then
	sed -i.bk -e "s/main/main contrib non-free/" ${SRC}
	fi

	# add testing-security (which is almost empty, but it might help someday. -> https://www.reddit.com/r/debian/comments/hr0aj3/sourcelist_for_debian_testing/)
	if grep testing ${SRC}>/dev/null; then
	grep security.debian.org ${SRC} \|\| echo 'deb http://security.debian.org/debian-security testing-security main contrib non-free' >> ${SRC}
	fi
	fi
	else
	# deb822
	SRC=/etc/apt/sources.list.d/ubuntu.sources
	if [ -f ${SRC} ]; then
	# ubuntu(IIJ)
	sed -i -e "s%http://archive.ubuntu.com/ubuntu/%${MY_UBUNTU_MIRROR}/%" ${SRC}
	else
	SRC=/etc/apt/sources.list.d/debian.sources
	# add contrib & non-free
	if grep -v -e 'Components:.*non-free' ${SRC} > /dev/null; then
	sed -i -e "s/main/main contrib non-free/" ${SRC}
	fi
	# testing-security exists
	fi
	fi

	#
	# set timezone
	#
	ln -sf /usr/share/zoneinfo/${MY_TIMEZONE} /etc/localtime

	# done rc.runonce
	touch ${FLAG_FILE}

	# change motd to run package install script
	if [ -f /etc/motd ]; then
	mv /etc/motd /etc/motd.org
	fi
	echo "******************************************" > /etc/motd
	echo "Please run 'sudo /etc/rc.pkginstall' once." >> /etc/motd
	echo "******************************************" >> /etc/motd
	# install docker plugins
	- path: /etc/rc.install-docker-plugins
	owner: root
	permissions: "0755"
	content: \|+
	#!/bin/sh
	#set -x
	# https://gist.github.com/lukechilds/a83e1d7127b78fef38c2914c4ececc3c
	get_latest_release() {
	curl --silent "https://api.github.com/repos/$1/releases/latest" \| # Get latest release from GitHub api
	grep '"tag_name":' \| # Get tag line
	sed -E 's/."([^"]+)"./\1/' # Pluck JSON value
	}

	# install docker compose plugin (https://kazuhira-r.hatenablog.com/entry/2022/04/30/002702)
	sudo mkdir -p /usr/local/lib/docker/cli-plugins
	ver=$(get_latest_release docker/compose)
	url=https://github.com/docker/compose/releases/download/$ver/docker-compose-linux-x86_64
	echo "Downloading $url..."
	sudo curl -SL $url -o /usr/local/lib/docker/cli-plugins/docker-compose
	sudo chmod a+x /usr/local/lib/docker/cli-plugins/docker-compose
	# support both "docker compose" and "docker-compose" for backward comatibility
	sudo ln -sf /usr/local/lib/docker/cli-plugins/docker-compose /usr/local/bin/docker-compose

	# install docker buildx
	ver=$(get_latest_release docker/buildx)
	url=https://github.com/docker/buildx/releases/download/$ver/buildx-$ver.linux-amd64
	echo "Downloading $url..."
	sudo curl -SL $url -o /usr/local/lib/docker/cli-plugins/docker-buildx
	sudo chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
	# install packages
	- path: /etc/rc.pkginstall
	owner: root
	permissions: "0755"
	content: \|+
	#!/bin/sh
	set -x

	# unminimize on ubuntu
	if [ -f /etc/legal ]; then
	yes \| unminimize
	fi

	# upgrade & install packages
	export DEBIAN_FRONTEND=noninteractive
	apt-get update
	apt-get full-upgrade -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold"
	apt-get autoremove -y
	apt-get install -y \
	haveged \
	tzdata \
	\
	zsh \
	screen \
	\
	vim \
	git \
	jq \
	\
	unzip \
	zstd \
	pv \
	\
	inetutils-traceroute \
	dnsutils \
	nfs-common \
	bridge-utils \
	netcat-openbsd \
	lsof \
	\
	rclone \
	fuse3 \
	\
	golang \
	\
	python3-pip \
	dos2unix \
	dialog \
	man-db

	# requires only on newer distribution
	apt-get install -y \
	linux-sysctl-defaults

	unset DEBIAN_FRONTEND

	#sudo pip3 install -I pip
	#sudo pip install pip-autoremove
	#sudo pip install docker-compose

	# install docker-compose, buildx
	/etc/rc.install-docker-plugins

	# set python3 default
	if [ -x /usr/bin/python2 ]; then
	update-alternatives --install /usr/bin/python python /usr/bin/python3 1
	update-alternatives --install /usr/bin/python python /usr/bin/python2 2
	update-alternatives --set python /usr/bin/python3
	fi

	# chsh to zsh
	if [ -x /bin/zsh ]; then
	chsh -s /bin/zsh rancher
	fi

	# symlink user_config.yml
	ln -sf /var/lib/rancher/conf/cloud-config.d/user_config.yml /home/rancher/user_config.yml

	# update motd
	if [ -f /etc/motd.org ]; then
	# debian
	mv /etc/motd.org /etc/motd
	else
	# ubuntu
	rm -f /etc/motd
	fi

	if [ -f /etc/update-motd.d/10-help-text ]; then
	rm /etc/update-motd.d/10-help-text
	fi

	# force restart sshd
	/etc/init.d/ssh restart

	set +x
	echo '###########################'
	echo '# package install finished.'
	echo '###########################'
	# use IPv4 for apt
	- path: /etc/apt/apt.conf.d/99force-ipv4
	owner: root
	permissions: "0644"
	content: \|+
	Acquire::ForceIPv4 "true";
	runcmd:
	# separate cloud specific rc to /opt/rc.oem
	- if [ -x /opt/rc.oem ]; then { /opt/rc.oem \|\| true; }; fi
	# add appropriate swap
	- /etc/rc.addswap
	# run once script on recreate console
	- /etc/rc.runonce
	# always try to resizefs on boot
	- rm -f /var/lib/burmilla/resizefs.done
	# workaround to fix autoresize
	- bash -x -c 'd="$(sudo ros config get rancher.resize_device)1"; if [ -n "$d" -a -b "$d" ]; then sudo resize2fs $d; fi'
	# generate /etc/lsb-release for burmilla OS
	- /etc/init.d/generate-lsb-release start
	# Adding entropy is quite important for cloud, vps, VMs. (e.g. Prevent from intermittent docker command stalling)
	- if [ -x /etc/init.d/haveged ]; then /etc/init.d/haveged start; fi
	# need to setup sysctl manually on boot (systemd don't works on console container)
	- sudo sysctl --system
	# execute a script on restart (if exists)
	- if [ -x /home/rancher/on-restart.sh ]; then { /home/rancher/on-restart.sh \|\| true; }; fi
	ssh_authorized_keys:
	# https://github.com/benok.keys (Never use the line below. use your public key https://github.com/<<YOUR_ACCOUNT>>.keys)
	- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKW3eVCs/HnGgUEBOxTPDWlvblEsZhlIB6Yn1elpPqXX