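---
# Butane config (fcos 1.5.0) for a Kubernetes host reached over Tailscale.
# Render with `butane --files-dir <dir>`: the `trees.local` and
# `key_file.local` references below are resolved relative to that directory
# and their contents are embedded verbatim in the Ignition output.
variant: fcos
version: 1.5.0
boot_device:
  luks:
    # Root volume key is sealed to the TPM2 and released without a PIN, so the
    # disk auto-unlocks on this machine only, but still unattended.
    tpm2: true
    # TRIM passes through the LUKS layer (SSD wear) at the cost of exposing
    # which blocks are in use.
    discard: true
kernel_arguments:
  should_exist:
    # Disables SELinux for the whole host (FCOS ships enforcing); every unit
    # below then runs without MAC confinement. The reason is not recorded here.
    - selinux=0
  should_not_exist:
    # Dropping the FCOS default re-enables SMT, trading the default
    # side-channel hardening for throughput.
    - mitigations=auto,nosmt
passwd:
  users:
    - name: sam
      # wheel/sudo are the FCOS sudo groups; adm and systemd-journal give
      # read access to logs.
      groups:
        - adm
        - wheel
        - sudo
        - systemd-journal
      # No password_hash is set, so the only login path is key-based SSH.
      ssh_authorized_keys:
        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFwawprQXEkGl38Q7T0PNseL0vpoyr4TbATMkEaZJTWQ
storage:
  directories:
    - path: /etc/haproxy
    - path: /etc/haproxy/conf.d
  disks:
    - device: /dev/disk/by-id/coreos-boot-disk
      wipe_table: false
      partitions:
        # Resize root to 9 GiB; the rest of the disk becomes the encrypted
        # var partition below.
        - number: 4
          label: root
          size_mib: 9216
          resize: true
        # size_mib 0 = all remaining space.
        - size_mib: 0
          label: var
  # These entries only set mode/overwrite; the file contents come from the
  # `tree` directory listed under `trees`. Modes are leading-zero octal
  # integers, as Butane expects (do not quote them).
  files:
    - path: /etc/containerd/config.toml
      overwrite: true
    # kubeadm config; init.service later writes the tailnet IP into it.
    - path: /etc/kubeadm.yaml
      mode: 0600
    # Pre-generated SSH host keys. They sit in plaintext inside the rendered
    # Ignition config, so the config needs the same protection as the keys.
    - path: /etc/ssh/ssh_host_ecdsa_key
      mode: 0600
    - path: /etc/ssh/ssh_host_ed25519_key
      mode: 0600
    - path: /etc/ssh/ssh_host_rsa_key
      mode: 0600
    - path: /var/lib/kubernetes/pki/ca.crt
      overwrite: true
    # Cluster CA private key: same exposure as the host keys above.
    - path: /var/lib/kubernetes/pki/ca.key
      mode: 0600
      overwrite: true
    # NOTE(review): /etc/tailscale-auth.key (read by init.service below) has
    # no entry here, so if it is provisioned from the tree it keeps the tree
    # default mode rather than 0600 like the keys above — confirm and add one.
  filesystems:
    - path: /var
      device: /dev/mapper/var
      format: ext4
      with_mount_unit: true
  luks:
    - name: var
      device: /dev/disk/by-partlabel/var
      discard: true
      # Static key file embedded in the rendered Ignition config (not sealed
      # to the TPM): whoever holds the config can unlock /var.
      key_file:
        local: var.luks-key
  trees:
    # Everything under ./tree is copied to / (per-file modes: see `files`).
    - local: tree
systemd:
  units:
    - name: containerd.service
      enabled: true
    # kubeadm expects /etc/kubernetes; keep the data on the encrypted /var
    # and bind-mount it into place.
    - name: etc-kubernetes.mount
      enabled: true
      contents: |
        [Mount]
        What=/var/lib/kubernetes
        Where=/etc/kubernetes
        Type=none
        Options=bind

        [Install]
        WantedBy=multi-user.target
    # One-shot provisioning: layer packages, join the tailnet, then stamp
    # /etc so it never runs again. zincati (auto-updates) is ordered after it.
    - name: init.service
      enabled: true
      contents: |
        [Unit]
        Wants=network-online.target
        After=network-online.target
        Before=zincati.service
        # %N is the unit name (init): skipped once /etc/init.stamp exists,
        # which the last ExecStart creates.
        ConditionPathExists=!/etc/%N.stamp

        [Service]
        # The auth key is passed as a systemd credential, so only the file
        # path — not the key — appears on the command line below.
        LoadCredential=authkey:/etc/tailscale-auth.key
        RemainAfterExit=yes
        Type=oneshot
        # Install stuff.
        ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive dmidecode haproxy kubeadm kubectl kubelet man-db man-pages tailscale tcpdump usbutils vim
        # Start stuff just installed.
        ExecStart=systemctl enable --now haproxy.service kubelet.service tailscaled.service
        # Wait until tailscale is up. Type=oneshot has no start timeout by
        # default, so these polls are unbounded; set TimeoutStartSec= if a
        # hung tailscaled must not hold zincati back indefinitely.
        ExecStart=bash -c 'until tailscale status --json; do sleep 0.5; done'
        ExecStart=bash -c 'while [[ "$(tailscale status --json | jq -r .BackendState)" == "NoState" ]]; do sleep 0.5; done'
        # Log in only when not already joined. Written as if/then rather than
        # `test && up || exit 0` so a failed `tailscale up` fails the unit
        # instead of being swallowed; otherwise the sed below would write an
        # empty address into kubeadm.yaml and the stamp would still be set.
        ExecStart=bash -c 'if [[ "$(tailscale status --json | jq -r .BackendState)" == "NeedsLogin" ]]; then tailscale up --auth-key=file:${CREDENTIALS_DIRECTORY}/authkey --accept-dns --accept-routes --advertise-routes=172.29.0.1/32; fi'
        ExecStart=bash -c 'sed -i "s/_TAILNET_IP4_/$(tailscale ip -4)/g" /etc/kubeadm.yaml'
        ExecStart=/bin/touch /etc/%N.stamp

        [Install]
        WantedBy=multi-user.target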