foundation/packages/pulumi-hetzner/cloudinit-config.ts

127 lines
3.3 KiB
TypeScript
Raw Normal View History

import * as yaml from "js-yaml";
export interface GetCloudInitConfigArgs {
sshAuthorizedKeys?: string[];
extraPackages?: string[];
additionalFiles?: {
path: string;
permissions: string;
content: string;
}[];
lateCommands?: string[];
}
export const getCloudInitConfig = (config: GetCloudInitConfigArgs) => {
const defaultCloudInitConfig = {
users: [
{
name: "root",
sudo: "ALL=(ALL) NOPASSWD:ALL",
"lock-passwd": false,
passwd:
"$6$hB5RrvU5$ll99.7zgATrkGEbInSRCF7o8t3TatZEYQK4QWqk6Ri.DT3LgG0l38Dz47CT.nBjLhhIUVgzIF6t2ZrWmDOcVl1",
ssh_authorized_keys: config.sshAuthorizedKeys || [],
},
{
name: "andiolsi",
sudo: "ALL=(ALL) NOPASSWD:ALL",
"lock-passwd": false,
passwd:
"$6$sKcNr2f8$AubrAJ..bZOPxnGVEWKQQrWShW/i7ClAZRvGLstrmeDcIS92/.BVCtYzgvg2tg6ub9rz8agfLRJg.ryDoM7jG/",
ssh_authorized_keys: config.sshAuthorizedKeys || [],
},
],
disable_root: false,
ssh_pwauth: false,
locale: "en_US.UTF-8",
mounts: [["tmpfs", "/var/log", "tmpfs", "defaults,size=10%", "0", "0"]],
package_update: true,
package_upgrade: true,
packages: [
"curl",
"apt-transport-https",
"ca-certificates",
"vim",
"jq",
"locales",
...(config.extraPackages || []),
],
write_files: [
{
path: "/etc/ssh/sshd_config.d/99-cloud-init-manual.conf",
permissions: "0600",
content: `
Port 222
PermitRootLogin without-password
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes=+ssh-rsa
`,
},
{
path: "/etc/logrotate.d/var_log",
permissions: "0644",
content: `
/var/log/*.log {
daily
missingok
rotate 7
compress
delaycompress
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload rsyslog > /dev/null 2>/dev/null || true
endscript
}`,
},
{
path: "/etc/selinux/config",
permissions: "0644",
content: "SELINUX=disabled\nSELINUXTYPE=targeted\n",
},
{
path: "/etc/security/limits.conf",
permissions: "0644",
content: "* soft nofile 32768\n* hard nofile 65536\n",
},
{
path: "/etc/sysctl.d/99-custom.conf",
permissions: "0644",
content: `
net.ipv4.ip_forward=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
net.ipv4.ip_nonlocal_bind=1
vm.dirty_ratio=10
vm.swappiness=0
vm.dirty_background_ratio=5
net.ipv6.conf.all.disable_ipv6=1
fs.nr_open=3000000
fs.file-max=3000000
fs.inotify.max_user_instances=1048576
fs.inotify.max_queued_events=1048576
fs.inotify.max_user_watches=1048576
vm.max_map_count=262144
net.netfilter.nf_conntrack_max=262144
net.netfilter.nf_conntrack_tcp_timeout_established=600
net.netfilter.nf_conntrack_tcp_timeout_time_wait=30
net.netfilter.nf_conntrack_tcp_timeout_close_wait=30
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=30
`,
},
...(config.additionalFiles || []),
],
runcmd: [
"echo never > /sys/kernel/mm/transparent_hugepage/enabled",
"echo never > /sys/kernel/mm/transparent_hugepage/defrag",
"systemctl stop apparmor || true",
"systemctl disable apparmor || true",
"sysctl --system",
...(config.lateCommands || []),
],
};
return `#cloud-config\n` + yaml.dump(defaultCloudInitConfig);
};