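#cloud-config
# CoreOS Container Linux cloud-config for a single Docker host:
#   * a 2 GiB swap file served through a loop device (btrfs-friendly)
#   * a twice-weekly container restart timer
#   * an sshd configuration limited to key-based logins for `core`
#   * an IPv4 host firewall restored from /var/lib/iptables/rules-save
#
# NOTE(review): the original file declared `write_files:` three separate
# times at top level.  Duplicate mapping keys are invalid YAML and most
# parsers silently keep only the last one, so the sysctl and sshd_config
# entries would never be written.  They are merged into one list below.

coreos:
  update:
    # Quoted: an unquoted `off` is a YAML 1.1 boolean.  With automatic reboots
    # disabled, downloaded OS updates (security fixes included) only take
    # effect after a manually scheduled reboot -- make sure one happens.
    reboot-strategy: 'off'
  units:
    # Unit shipped with the OS; it loads /var/lib/iptables/rules-save (written
    # in write_files below) at boot.
    - name: iptables-restore.service
      enable: true
      command: start
    - name: create-swap.service
      command: start
      runtime: true
      content: |
        [Unit]
        Description=Create swap file
        Before=swap.service
        # Only build the file once; re-running fallocate/mkswap on every boot
        # is unnecessary.  ConditionPathExists= does not expand Environment=,
        # so the path is spelled out here.
        ConditionPathExists=!/2GiB.swap

        [Service]
        Type=oneshot
        Environment="SWAPFILE=/2GiB.swap"
        ExecStart=/usr/bin/touch ${SWAPFILE}
        # Lock the mode down before any space is allocated so the swap area is
        # never readable by other users, even briefly.
        ExecStart=/usr/bin/chmod 600 ${SWAPFILE}
        # NOCOW has to be set while the file is still empty.
        ExecStart=/usr/bin/chattr +C ${SWAPFILE}
        ExecStart=/usr/bin/fallocate -l 2048m ${SWAPFILE}
        ExecStart=/usr/sbin/mkswap ${SWAPFILE}

        [Install]
        WantedBy=multi-user.target
    - name: swap.service
      command: start
      content: |
        [Unit]
        Description=Turn on swap
        # Ordering after create-swap.service comes from that unit's Before=.

        [Service]
        Type=oneshot
        Environment="SWAPFILE=/2GiB.swap"
        RemainAfterExit=true
        # The file is attached to a loop device and the loop device is what
        # gets swapped on; losetup -j looks the device back up by file name.
        ExecStartPre=/usr/sbin/losetup -f ${SWAPFILE}
        ExecStart=/usr/bin/sh -c "/sbin/swapon $(/usr/sbin/losetup -j ${SWAPFILE} | /usr/bin/cut -d : -f 1)"
        ExecStop=/usr/bin/sh -c "/sbin/swapoff $(/usr/sbin/losetup -j ${SWAPFILE} | /usr/bin/cut -d : -f 1)"
        ExecStopPost=/usr/bin/sh -c "/usr/sbin/losetup -d $(/usr/sbin/losetup -j ${SWAPFILE} | /usr/bin/cut -d : -f 1)"

        [Install]
        WantedBy=multi-user.target
    - name: restart.service
      content: |
        [Unit]
        Description=Restart docker containers

        [Service]
        Type=oneshot
        # NOTE(review): this script runs as root from a path inside the core
        # user's home directory.  Whoever can write that file gets code run as
        # root on the next timer tick; keep it root-owned and not group/world
        # writable, or move it under /opt or /etc.
        ExecStart=/home/core/docker/restartContainers.sh
    - name: restart.timer
      command: start
      content: |
        [Unit]
        Description=Restarts the app container 2 times a week

        [Timer]
        # 06:00 (system local time) every Monday and Thursday.  Without
        # Persistent=true a window missed while the host is down is skipped.
        OnCalendar=Mon,Thu *-*-* 6:0:0

write_files:
  - path: /etc/sysctl.d/swap.conf
    permissions: '0644'
    owner: root
    content: |
      # Swap is a safety net here: prefer dropping page cache over paging
      # anonymous memory out, and keep dentry/inode caches a bit longer.
      vm.swappiness=10
      vm.vfs_cache_pressure=50
  - path: /etc/ssh/sshd_config
    permissions: '0600'
    owner: root
    content: |
      # Use most defaults for sshd configuration.
      # NOTE(review): UsePrivilegeSeparation was removed from newer OpenSSH
      # releases; on those it is reported as a deprecated option and ignored.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp
      UseDNS no

      PermitRootLogin no
      AllowUsers core
      # Public-key only.  Password and keyboard-interactive auth are also
      # switched off explicitly so the policy survives a later edit that
      # drops or relaxes AuthenticationMethods.
      AuthenticationMethods publickey
      PasswordAuthentication no
      ChallengeResponseAuthentication no
  - path: /var/lib/iptables/rules-save
    permissions: '0644'
    owner: 'root:root'
    content: |
      # IPv4 only.  If the host has IPv6 connectivity, nothing here filters
      # it; an equivalent ip6tables rule set is needed.
      # Docker manages its own FORWARD rules; restoring this table after
      # dockerd is up would flush them, so iptables-restore.service is
      # expected to run early in boot.
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      # NOTE(review): everything arriving on eth1 is accepted unconditionally.
      # This assumes eth1 is a trusted private network -- confirm.
      -A INPUT -i eth1 -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      # SSH (key-only, see sshd_config) and plain HTTP are the only services
      # reachable from any interface.
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      # echo-reply, destination-unreachable and time-exceeded only; inbound
      # echo-request (type 8) is not accepted, so the host does not answer
      # pings from outside.  Presumably deliberate -- verify.
      -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
      COMMIT
      # the last line of the file needs to be a blank line or a comment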