doran/infra/terraform/hetzner/cloud-init.yaml.tftpl

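#cloud-config
# Hetzner node user-data, rendered by Terraform's templatefile() before cloud-init
# ever sees it. Dollar-brace expressions are Terraform interpolations and the
# percent-brace lines are Terraform directives; neither survives rendering.
# Sequences are written flush-left on purpose: every directive carries a trailing
# tilde strip marker, which removes the newline AND the indentation that follows
# the directive, so a directive line must sit at exactly the indent of the list
# item or key that comes after it.
package_update: true
package_upgrade: true
packages:
- curl
- git
- ca-certificates
- jq
- bash
- apt-transport-https
write_files:
# Raises the mmap-region limit; presumably for a memory-mapped workload such as a
# search engine, though nothing here names it -- confirm with the workload owner.
- path: /etc/sysctl.d/90-unrip.conf
  permissions: '0644'
  content: |
    vm.max_map_count = 262144
# Idempotent repo bootstrap, executed from runcmd once git is installed.
- path: /usr/local/bin/bootstrap-unrip.sh
  permissions: '0755'
  content: |
    #!/usr/bin/env bash
    # Clone the bootstrap repo into /opt/unrip/repo on first run; on later runs
    # fetch, switch to the configured branch and fast-forward only, so a
    # diverged local checkout fails loudly instead of being merged silently.
    # Repo URL, branch and path are substituted by Terraform at render time and
    # are double-quoted for the shell so values with spaces cannot split args.
    set -euo pipefail
    install -d -m 0755 /opt/unrip
    if [ ! -d /opt/unrip/repo/.git ]; then
      git clone --branch "${bootstrap_repo_branch}" -- "${bootstrap_repo_url}" /opt/unrip/repo
    else
      git -C /opt/unrip/repo fetch --all --prune
      git -C /opt/unrip/repo checkout "${bootstrap_repo_branch}"
      git -C /opt/unrip/repo pull --ff-only origin "${bootstrap_repo_branch}"
    fi
    install -d -m 0755 /opt/unrip/bootstrap
    cat >/opt/unrip/bootstrap/README.txt <<'EOF'
    This node was provisioned by Terraform + cloud-init.
    Future Kubernetes bootstrap assets should live in:
    /opt/unrip/repo/${bootstrap_repo_path}
    EOF
# k3s server configuration, read by the installer invoked from runcmd.
# Templated scalars are quoted so an empty or number-looking value (for example
# a node name like 1e5, or an unset public_domain) stays a string instead of
# being parsed as a float or null.
- path: /etc/rancher/k3s/config.yaml
  permissions: '0644'
  content: |
    # NOTE(review): "0644" leaves /etc/rancher/k3s/k3s.yaml, which holds
    # cluster-admin credentials, readable by every local user on the node.
    # Tighten to "0600" unless non-root local access to the kubeconfig is required.
    write-kubeconfig-mode: "0644"
    node-name: "${node_name}"
    tls-san:
    - "${public_domain}"
    %{ if tailscale_control_plane_hostname != "" ~}
    - "${tailscale_control_plane_hostname}"
    %{ endif ~}
    # Bind and advertise on the private address; the public address is only
    # reachable through the TLS SANs listed above.
    node-ip: "${private_ipv4_address}"
    advertise-address: "${private_ipv4_address}"
    disable:
    - servicelb
runcmd:
# Apply the sysctl drop-in written above before k3s starts.
- sysctl --system
# The Tailscale auth key is embedded verbatim in the rendered user-data and in
# the runcmd script cloud-init keeps under /var/lib/cloud, and it is visible in
# the process list while "tailscale up" runs. Treat it as a one-shot secret:
# use an ephemeral, pre-authorized key with a short expiry and rotate it after
# provisioning. "--ssh" enables Tailscale SSH on the node; access is then
# governed by the tailnet ACL, not by local sshd configuration.
%{ if tailscale_enabled && tailscale_auth_key != "" ~}
- curl -fsSL https://tailscale.com/install.sh | sh
- tailscale up --auth-key="${tailscale_auth_key}" --ssh --hostname="${node_name}"
%{ endif ~}
# Pipe-to-shell installs whatever get.k3s.io currently serves for the channel.
# For reproducible, reviewable nodes pin INSTALL_K3S_VERSION (and the Tailscale
# package version) in a follow-up rather than tracking a moving channel.
- curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL="${k3s_channel}" sh -s - server
- /usr/local/bin/bootstrap-unrip.sh
final_message: "k3s bootstrap finished for ${node_name}"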