#cloud-config

hostname: {{ build_uuid | default('quay-builder', True) }}

users:
  groups:
  - sudo
  - docker

{% if ssh_authorized_keys -%}
ssh_authorized_keys:
{% for ssh_key in ssh_authorized_keys -%}
- {{ ssh_key }}
{%- endfor %}
{%- endif %}

write_files:
- path: /root/disable-aws-metadata.sh
  permission: '0755'
  content: |
    iptables -t nat -I PREROUTING -p tcp -d 169.254.169.254 --dport 80 -j DNAT --to-destination 1.1.1.1

- path: /etc/docker/daemon.json
  permission: '0644'
  content: |
    {
        "storage-driver": "overlay2"
    }

- path: /root/overrides.list
  permission: '0644'
  content: |
    REALM={{ realm }}
    TOKEN={{ token }}
    SERVER={{ websocket_scheme }}://{{ manager_hostname }}
    {% if logentries_token -%}
    LOGENTRIES_TOKEN={{ logentries_token }}
    {%- endif %}

coreos:
  update:
    reboot-strategy: off
    group: {{ coreos_channel }}

  units:
    - name: update-engine.service
      command: stop
    - name: locksmithd.service
      command: stop
    - name: systemd-journal-gatewayd.socket
      command: start
      enable: yes
      content: |
        [Unit]
        Description=Journal Gateway Service Socket
        [Socket]
        ListenStream=/var/run/journald.sock
        Service=systemd-journal-gatewayd.service
        [Install]
        WantedBy=sockets.target
    {{ dockersystemd('quay-builder',
                     worker_image,
                     quay_username,
                     quay_password,
                     worker_tag,
                     extra_args='--net=host --privileged --env-file /root/overrides.list -v /var/run/docker.sock:/var/run/docker.sock -v /usr/share/ca-certificates:/etc/ssl/certs',
                     exec_stop_post=['/bin/sh -xc "/bin/sleep 120; /usr/bin/systemctl --no-block poweroff"'],
                     flattened=True,
                     restart_policy='no'
                    ) | indent(4) }}
    {% if logentries_token -%}
    # https://github.com/kelseyhightower/journal-2-logentries/pull/11 so moved journal-2-logentries to coreos
    {{ dockersystemd('builder-logs',
                     'quay.io/coreos/journal-2-logentries',
                     extra_args='--env-file /root/overrides.list -v /run/journald.sock:/run/journald.sock',
                     flattened=True,
                     after_units=['quay-builder.service']
                     ) | indent(4) }}
    {%- endif %}
    - name: disable-aws-metadata.service
      command: start
      enable: yes
      content: |
        [Unit]
        Description=Disable AWS metadata service
        Before=network-pre.target
        Wants=network-pre.target
        [Service]
        Type=oneshot
        ExecStart=/root/disable-aws-metadata.sh
        RemainAfterExit=yes
        [Install]
        WantedBy=multi-user.target
    - name: machine-lifetime.service
      command: start
      enable: yes
      content: |
        [Unit]
        Description=Machine Lifetime Service
        [Service]
        Type=oneshot
        ExecStart=/bin/sh -xc "/bin/sleep {{ max_lifetime_s }}; /usr/bin/systemctl --no-block poweroff"