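#cloud-config
# Single-node k3s bootstrap consumed by cloud-init. {{PUBLIC_IPV4}} and
# {{PRIVATE_IPV4}} are template markers the provisioner substitutes before the
# document is handed to the instance.
#
# Ordering that matters:
#   1. write_files lands the sysctl file and the k3s server config before
#      runcmd starts.
#   2. runcmd applies the sysctls before installing k3s, because the k3s config
#      below sets protect-kernel-defaults: true and the kubelet will refuse to
#      start if the kernel values differ from what it expects.
#   3. The firewall is configured and activated, k3s is installed, and only
#      then does the post-bootstrap script hand out kubeconfigs.

package_update: true
package_upgrade: true

packages:
  - ca-certificates
  - curl
  - gnupg
  - jq
  - nfs-common
  - open-iscsi
  - apt-transport-https
  - software-properties-common
  - unattended-upgrades
  - ufw

write_files:
  # Kernel tunables the node is expected to run with; applied by the first
  # runcmd entry (sysctl --system) so they are in place before k3s starts.
  - path: /etc/sysctl.d/90-k3s-single-node.conf
    permissions: '0644'
    owner: root:root
    content: |
      vm.max_map_count=1048575
      fs.inotify.max_user_instances=8192
      fs.inotify.max_user_watches=1048576
      fs.file-max=1048576
      net.core.somaxconn=65535
      net.ipv4.ip_local_port_range=1024 65535
      net.ipv4.tcp_tw_reuse=1

  # k3s server configuration, picked up by the installer from this path.
  # Kept 0600: this file is where tokens and other sensitive server flags
  # would live, so it must not be readable by unprivileged users.
  - path: /etc/rancher/k3s/config.yaml
    permissions: '0600'
    owner: root:root
    content: |
      # group-readable admin kubeconfig; the group is set by the post-bootstrap
      # script, the file stays root-owned.
      write-kubeconfig-mode: "0640"
      kube-apiserver-arg:
        - anonymous-auth=false
      protect-kernel-defaults: true
      disable:
        - traefik

  # Runs once from runcmd after k3s is up: prepares data directories, installs
  # helm, and publishes kubeconfigs for automation and the ubuntu user.
  - path: /usr/local/bin/post-k3s-bootstrap.sh
    permissions: '0755'
    owner: root:root
    content: |
      #!/usr/bin/env bash
      set -euo pipefail

      install -d -m 0755 /var/lib/redpanda/data
      install -d -m 0755 /var/lib/unrip/executor-state
      chown root:root /var/lib/redpanda/data /var/lib/unrip/executor-state

      # iscsid may be absent or masked on some images; best-effort on purpose.
      systemctl enable --now iscsid || true

      export KUBECONFIG=/etc/rancher/k3s/k3s.yaml

      # SECURITY (supply chain): an unpinned script fetched from a moving
      # branch is piped straight into bash as root. The helm installer honours
      # DESIRED_VERSION for pinning the helm release; pinning the script itself
      # (vendored copy or a checksum check before execution) is the stronger
      # control.
      curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

      install -d -m 0755 /usr/local/share/unrip
      cat >/usr/local/share/unrip/bootstrap-metadata.env <<'EOF'
      BOOTSTRAP_MODE=k3s-single-node
      BOOTSTRAP_PROJECT_NAME=unrip
      BOOTSTRAP_PROJECT_NAMESPACE=unrip
      K3S_KUBECONFIG=/opt/bootstrap/kubeconfig-internal.yaml
      BOOTSTRAP_MANIFEST_SOURCE=operator-workstation
      GITOPS_HANDOFF=seed-self-hosted-git-and-runner
      EOF
      chmod 0644 /usr/local/share/unrip/bootstrap-metadata.env

      # Copy of the cluster-admin kubeconfig for automation. Members of
      # k3s-readers get full cluster-admin through this file, so group
      # membership is a privilege boundary; keep it tight.
      install -d -m 0755 /opt/bootstrap
      cp /etc/rancher/k3s/k3s.yaml /opt/bootstrap/kubeconfig-internal.yaml
      chmod 0640 /opt/bootstrap/kubeconfig-internal.yaml
      chgrp k3s-readers /opt/bootstrap/kubeconfig-internal.yaml
      # Point the copy at the private address instead of loopback (dots
      # escaped so the pattern matches only the literal loopback address).
      sed -i 's/127\.0\.0\.1/{{PRIVATE_IPV4}}/' /opt/bootstrap/kubeconfig-internal.yaml

      cat >/opt/bootstrap/README.txt <<'EOF'
      This node was provisioned by Terraform + cloud-init.
      Use /opt/bootstrap/kubeconfig-internal.yaml for automation.
      Bootstrap metadata lives at /usr/local/share/unrip/bootstrap-metadata.env.
      Kubernetes bootstrap assets are applied from the operator workstation after provisioning.
      EOF
      chmod 0644 /opt/bootstrap/README.txt

      # Diagnostic snapshot of the node as seen by the API server.
      if command -v kubectl >/dev/null 2>&1; then
        kubectl get nodes -o wide >/opt/bootstrap/kubectl-get-nodes.txt
      fi

      # Give the default login user a private cluster-admin kubeconfig.
      # This grants full cluster control to anyone who can log in as ubuntu.
      if id ubuntu >/dev/null 2>&1; then
        usermod -aG k3s-readers ubuntu || true
        install -d -o ubuntu -g ubuntu -m 0700 /home/ubuntu/.kube
        cp /etc/rancher/k3s/k3s.yaml /home/ubuntu/.kube/config
        chown ubuntu:ubuntu /home/ubuntu/.kube/config
        chmod 0600 /home/ubuntu/.kube/config
        sed -i 's/127\.0\.0\.1/{{PRIVATE_IPV4}}/' /home/ubuntu/.kube/config
      fi

runcmd:
  # Must precede the k3s install: protect-kernel-defaults is set above.
  - sysctl --system
  - systemctl enable unattended-upgrades

  # Firewall. NOTE: starting the ufw unit does not activate the firewall on a
  # stock Ubuntu image (ufw ships disabled in /etc/ufw/ufw.conf); the rules
  # below are only stored until `ufw enable` runs. Rules are added first so
  # that enabling never cuts off SSH.
  - systemctl enable --now ufw
  - ufw default deny incoming
  - ufw default allow outgoing
  # SSH and the Kubernetes API are reachable from any source. Restrict both to
  # the operator's address range where the environment allows it, e.g.
  # `ufw allow from <OPERATOR_CIDR> to any port 6443 proto tcp` (placeholder).
  - ufw allow 22/tcp
  - ufw allow 6443/tcp
  - ufw allow 80/tcp
  - ufw allow 443/tcp
  # In-cluster traffic: k3s's documented ufw rules for its default pod and
  # service CIDRs. Adjust if --cluster-cidr / --service-cidr are changed.
  - ufw allow from 10.42.0.0/16 to any
  - ufw allow from 10.43.0.0/16 to any
  # Non-interactive activation; without this `ufw default deny incoming`
  # never takes effect.
  - ufw --force enable

  - groupadd --system k3s-readers || true
  - mkdir -p /etc/rancher/k3s

  # SECURITY (supply chain): unpinned installer piped into sh as root. The
  # installer honours INSTALL_K3S_VERSION for pinning the k3s release; a
  # vendored or checksum-verified copy of the script is the stronger control.
  # --disable servicelb and the traefik disable in config.yaml leave ingress
  # to be provided from the operator workstation.
  - curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC='server --cluster-init --tls-san {{PUBLIC_IPV4}} --node-ip {{PRIVATE_IPV4}} --advertise-address {{PRIVATE_IPV4}} --flannel-backend vxlan --disable servicelb' sh -

  # Bounded wait for the server to publish its admin kubeconfig before the
  # post-bootstrap script copies it. The previous `cloud-init status --wait`
  # cannot be used here: runcmd is part of the cloud-init run it waits on, so
  # it blocks on itself and the post-bootstrap script never runs.
  - timeout 300 sh -c 'until [ -s /etc/rancher/k3s/k3s.yaml ]; do sleep 2; done'
  - /usr/local/bin/post-k3s-bootstrap.sh

final_message: "cloud-init finished: k3s first node bootstrapped"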