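#cloud-config
# CoreOS cloud-config: swap-file setup, a container restart timer, sshd
# hardening and an IPv4 host firewall.
# The first line must stay exactly "#cloud-config" (no leading "---"):
# coreos-cloudinit uses it to recognise the file format.

coreos:
  update:
    # Quoted on purpose: a plain `off` is a YAML 1.1 boolean (false), not
    # the string value the update config is meant to carry.
    reboot-strategy: 'off'
  units:
    # Loads /var/lib/iptables/rules-save (written below) at boot.
    - name: iptables-restore.service
      enable: true
      command: start
    # One-shot unit that allocates the swap file. `runtime: true` keeps the
    # unit file in /run, so it is not persisted into /etc/systemd/system.
    # `chattr +C` marks the file no-COW (needed for swap files on btrfs).
    # NOTE(review): every step re-runs on each cloudinit start; re-running
    # fallocate/mkswap on an existing file is presumably harmless here but
    # has not been verified.
    - name: create-swap.service
      command: start
      runtime: true
      content: |
        [Unit]
        Description=Create swap file
        Before=swap.service

        [Service]
        Type=oneshot
        Environment="SWAPFILE=/2GiB.swap"
        ExecStart=/usr/bin/touch ${SWAPFILE}
        ExecStart=/usr/bin/chattr +C ${SWAPFILE}
        ExecStart=/usr/bin/fallocate -l 2048m ${SWAPFILE}
        ExecStart=/usr/bin/chmod 600 ${SWAPFILE}
        ExecStart=/usr/sbin/mkswap ${SWAPFILE}

        [Install]
        WantedBy=multi-user.target
    # Attaches the swap file to a loop device, enables it, and detaches the
    # loop device again on stop. The `$(...)` substitutions are evaluated by
    # `sh -c`, not by systemd.
    - name: swap.service
      command: start
      content: |
        [Unit]
        Description=Turn on swap

        [Service]
        Type=oneshot
        Environment="SWAPFILE=/2GiB.swap"
        RemainAfterExit=true
        ExecStartPre=/usr/sbin/losetup -f ${SWAPFILE}
        ExecStart=/usr/bin/sh -c "/sbin/swapon $(/usr/sbin/losetup -j ${SWAPFILE} | /usr/bin/cut -d : -f 1)"
        ExecStop=/usr/bin/sh -c "/sbin/swapoff $(/usr/sbin/losetup -j ${SWAPFILE} | /usr/bin/cut -d : -f 1)"
        ExecStopPost=/usr/bin/sh -c "/usr/sbin/losetup -d $(/usr/sbin/losetup -j ${SWAPFILE} | /usr/bin/cut -d : -f 1)"

        [Install]
        WantedBy=multi-user.target
    # Triggered by restart.timer below; no `command:` because it is not
    # started directly.
    # NOTE(review): this runs as root but executes a script that lives under
    # /home/core. Anyone who can write to that path as `core` can run code
    # as root twice a week; consider moving the script to a root-owned
    # location (e.g. under /opt) before relying on this.
    - name: restart.service
      content: |
        [Unit]
        Description=Restart docker containers

        [Service]
        Type=oneshot
        ExecStart=/home/core/docker/restartContainers.sh
    # Fires restart.service Monday and Thursday at 06:00. Without
    # `Persistent=true` a run missed while the host is down is skipped.
    - name: restart.timer
      command: start
      content: |
        [Unit]
        Description=Restarts the app container 2 times a week

        [Timer]
        OnCalendar=Mon,Thu *-*-* 6:0:0

# All files go in ONE write_files list. The original declared the key three
# times; duplicate mapping keys are invalid YAML and most parsers silently
# keep only the last occurrence, so the sysctl and sshd_config entries would
# never have been written — leaving sshd on its default configuration.
# Permissions are quoted because an unquoted 0644/0600 is an octal integer
# (420/384) in YAML 1.1 rather than the "0644" string the mode parser expects.
write_files:
  # Swap tuning for the file set up by create-swap.service / swap.service.
  - path: /etc/sysctl.d/swap.conf
    permissions: '0644'
    owner: 'root:root'
    content: |
      vm.swappiness=10
      vm.vfs_cache_pressure=50
  # Replaces the whole sshd_config: public-key auth only, no root login,
  # only the `core` user. Any user added later must be appended to
  # AllowUsers or it will be locked out.
  # NOTE(review): `UsePrivilegeSeparation` is accepted by the OpenSSH
  # shipped with CoreOS of this era; newer OpenSSH releases ignore it.
  - path: /etc/ssh/sshd_config
    permissions: '0600'
    owner: 'root:root'
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp
      UseDNS no

      PermitRootLogin no
      AllowUsers core
      AuthenticationMethods publickey
  # IPv4 host firewall loaded by iptables-restore.service: default DROP on
  # INPUT and FORWARD; accepts loopback, everything arriving on eth1
  # (presumably the private network interface — confirm), established
  # flows, tcp/22, tcp/80 and a few ICMP types. No ip6tables rules are
  # written here, so IPv6 is left to the host default.
  # The comment on the last content line is part of the file on disk and
  # must stay: iptables-restore wants the file to end in a blank/comment line.
  - path: /var/lib/iptables/rules-save
    permissions: '0644'
    owner: 'root:root'
    content: |
      *filter
      :INPUT DROP [0:0]
      :FORWARD DROP [0:0]
      :OUTPUT ACCEPT [0:0]
      -A INPUT -i lo -j ACCEPT
      -A INPUT -i eth1 -j ACCEPT
      -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
      -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
      -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
      COMMIT
      # the last line of the file needs to be a blank line or a comment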