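#cloud-config
# Rendered by Terraform templatefile(): `${...}` and `%{ ... }` are template
# directives, not YAML. Sequences are kept flush with their parent key so the
# right-stripping `~}` directives produce valid YAML whether or not the
# guarded branch is taken (node-ip / the k3s install line always land at the
# column of the preceding `%{ endif ~}`).
package_update: true
package_upgrade: true

packages:
- curl
- git
- ca-certificates
- jq
- bash
- apt-transport-https

write_files:
# Required by workloads that mmap many regions (see sysctl --system in runcmd).
- path: /etc/sysctl.d/90-unrip.conf
  permissions: '0644'
  content: |
    vm.max_map_count = 262144

# Node-local bootstrap stub; the real provisioning stays on the workstation.
- path: /usr/local/bin/bootstrap-unrip.sh
  permissions: '0755'
  content: |
    #!/usr/bin/env bash
    set -euo pipefail
    install -d -m 0755 /opt/unrip/bootstrap
    # Quoted heredoc: bash expands nothing here; `${bootstrap_repo_path}` is
    # substituted by Terraform before cloud-init ever sees this file.
    cat >/opt/unrip/bootstrap/README.txt <<'EOF'
    This node was provisioned by Terraform + cloud-init.
    This cloud-init step no longer clones a bootstrap repository.
    The current Hetzner flow remains workstation-driven after Terraform:
    - scripts/hetzner/bootstrap.sh fetches kubeconfig from the node
    - scripts/hetzner/bootstrap.sh renders secrets/overlays locally
    - scripts/hetzner/bootstrap.sh applies Kubernetes manifests from the operator workstation
    Reserved for future node-local bootstrap/GitOps assets:
    /opt/unrip/bootstrap/${bootstrap_repo_path}
    EOF

# k3s server configuration, read by the installer below.
- path: /etc/rancher/k3s/config.yaml
  permissions: '0644'
  content: |
    # NOTE(review): 0644 makes the cluster-admin kubeconfig readable by every
    # local account on the node. If the workstation fetch runs as root, 0600
    # is sufficient — confirm against scripts/hetzner/bootstrap.sh.
    write-kubeconfig-mode: "0644"
    node-name: "${node_name}"
    # Templated scalars are quoted so a numeric- or boolean-looking value
    # cannot be retyped by the YAML parser.
    tls-san:
    - "${public_domain}"
    %{ if tailscale_control_plane_hostname != "" ~}
    - "${tailscale_control_plane_hostname}"
    %{ endif ~}
    node-ip: "${private_ipv4_address}"
    advertise-address: "${private_ipv4_address}"
    disable:
    - servicelb

runcmd:
- sysctl --system
# Both installers are fetched and executed as root. curl is pinned to HTTPS
# and TLS >= 1.2 so a downgrade or plain-HTTP redirect cannot substitute the
# script; the scripts themselves are still unpinned upstream content.
# The Tailscale auth key is rendered into the instance user-data and echoed
# into cloud-init's output log; use a one-off key with a short expiry.
%{ if tailscale_enabled && tailscale_auth_key != "" ~}
- curl --proto '=https' --tlsv1.2 -fsSL https://tailscale.com/install.sh | sh
- tailscale up --auth-key=${tailscale_auth_key} --ssh --hostname=${node_name}
%{ endif ~}
- curl --proto '=https' --tlsv1.2 -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL=${k3s_channel} sh -s - server
- /usr/local/bin/bootstrap-unrip.sh

final_message: "k3s bootstrap finished for ${node_name}"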