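#cloud-config
# CoreOS cloud-config template (ERB). `instance_type` (:manager or not),
# `datadog_enabled` and the ENV[...] lookups are resolved when the template
# is rendered; `$private_ipv4` is substituted by the cloud-config processor
# on the instance itself.
coreos:
  update:
    group: beta
    # Quoted on purpose: a bare `off` is a YAML 1.1 boolean, while the
    # update strategy is a string value.
    reboot-strategy: "off"
  etcd2:
    # NOTE(review): no discovery URL is given here, so this alone will not
    # bootstrap a cluster -- confirm how the discovery token is supplied.
    discovery:
    advertise-client-urls: "http://$private_ipv4:2379"
    initial-advertise-peer-urls: "http://$private_ipv4:2380"
    # The client API is bound on every interface over plain HTTP with no
    # authentication. The units below (Docker cluster store, swarm, vulcand,
    # the paus services) all depend on this endpoint, so reachability of
    # 2379 has to be restricted by the instance firewall / security group.
    listen-client-urls: "http://0.0.0.0:2379"
    listen-peer-urls: "http://$private_ipv4:2380"
  units: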
<% if instance_type == :manager %>
    # Managers publish host port 22 for paus-gitreceive (further below), so
    # the host sshd is moved to 2222 through socket activation; the
    # sshd_config written under write_files sets no Port for that reason.
    - name: sshd.socket
      command: restart
      runtime: true
      content: |
        [Socket]
        ListenStream=2222
        FreeBind=true
        Accept=yes
<% end %>
    - name: etcd2.service
      command: start
    # Point the engine's cluster store at the local etcd client port; the
    # engine advertises eth0:2375 (the docker-tcp.socket port) to the cluster.
    - name: docker.service
      drop-ins:
        - name: 10-cluster-config.conf
          content: |
            [Service]
            Environment="DOCKER_OPTS=--cluster-store=etcd://0.0.0.0:2379 --cluster-advertise=eth0:2375"
    # TIMEZONE is rendered verbatim into the command line.
    - name: settimezone.service
      command: start
      content: |
        [Unit]
        Description=Set the timezone
        [Service]
        ExecStart=/usr/bin/timedatectl set-timezone <%= ENV["TIMEZONE"] %>
        RemainAfterExit=yes
        Type=oneshot
    # Docker Remote API on TCP 2375 on all interfaces (v4 and v6) with no
    # TLS: any peer that can reach this port has root-equivalent control of
    # the host. Swarm agents join through $private_ipv4:2375, so the port
    # must stay reachable only from the cluster network (firewall / security
    # group), not from the internet.
    - name: docker-tcp.socket
      command: start
      enable: true
      content: |
        [Unit]
        Description=Docker Socket for the API
        [Socket]
        ListenStream=2375
        Service=docker.service
        BindIPv6Only=both
        [Install]
        WantedBy=sockets.target
    # Downloads the compose binary over HTTPS and marks it executable without
    # checking a checksum or signature; DOCKER_COMPOSE_VERSION selects the
    # release. Verifying a pinned digest after the download would close that
    # supply-chain gap.
    - name: install-docker-compose.service
      command: start
      content: |
        [Unit]
        Description=Install Docker Compose
        [Service]
        ExecStartPre=/usr/bin/mkdir -p /opt/bin
        ExecStart=/usr/bin/wget https://github.com/docker/compose/releases/download/<%= ENV["DOCKER_COMPOSE_VERSION"] %>/docker-compose-Linux-x86_64 -O /opt/bin/docker-compose
        ExecStartPost=/usr/bin/chown root:root /opt/bin/docker-compose
        ExecStartPost=/usr/bin/chmod +x /opt/bin/docker-compose
        RemainAfterExit=yes
        Type=oneshot
    # Runs /home/core/cleanup.sh (written under write_files) on each tick of
    # the hourly timer below.
    - name: docker-cleanup.service
      command: start
      content: |
        [Unit]
        Description=Clean up old containers and images
        [Service]
        ExecStart=/home/core/cleanup.sh
        Type=oneshot
    - name: docker-cleanup.timer
      command: start
      content: |
        [Unit]
        Description=Run clean up script hourly
        [Timer]
        OnCalendar=hourly
    # Started on every node, not only managers: each node runs a replicating
    # swarm manager against the shared etcd store. The manager API on 2377
    # is plain TCP without TLS, so the same network restriction as for 2375
    # applies. The pull is failure-tolerant (leading "-") so a cached image
    # can still start when the registry is unreachable.
    - name: swarm-manager.service
      command: start
      content: |
        [Unit]
        Description=swarm-manager Container
        After=docker.service
        Requires=docker.service
        [Service]
        TimeoutStartSec=0
        Restart=always
        User=core
        ExecStartPre=-/usr/bin/docker stop swarm-manager
        ExecStartPre=-/usr/bin/docker rm swarm-manager
        ExecStartPre=-/usr/bin/docker pull swarm:<%= ENV["DOCKER_SWARM_VERSION"] %>
        ExecStart=/usr/bin/docker run \
          -p 2377:2377 \
          --name=swarm-manager \
          swarm:<%= ENV["DOCKER_SWARM_VERSION"] %> \
          manage -H :2377 --replication --addr=$private_ipv4:2377 etcd://$private_ipv4:2379/swarm
        ExecStop=/usr/bin/docker stop swarm-manager
        [Install]
        WantedBy=multi-user.target
<% if instance_type == :manager %>
    # Manager-only units. The secrets these services need (GitHub client
    # secret, SECRET_KEY_BASE, base64 registry credentials) are rendered into
    # the unit files as -e arguments, so they are readable by anyone who can
    # read the unit files or run `docker inspect` on the containers; an
    # env-file with tight permissions or a secret store would keep them out
    # of the unit text. The ENV values are not quoted, so a value with
    # whitespace would split the argument.
    # Images tagged :latest are re-resolved on every start and the pull here
    # is not failure-tolerant, so a restart can pick up a different build.
    - name: paus-frontend.service
      command: start
      enable: true
      content: |
        [Unit]
        Description=Paus frontend
        After=docker.service
        Requires=docker.service
        [Service]
        TimeoutStartSec=0
        Restart=always
        User=core
        ExecStartPre=-/usr/bin/docker kill paus-frontend
        ExecStartPre=-/usr/bin/docker rm paus-frontend
        ExecStartPre=/usr/bin/docker pull quay.io/dtan4/paus-frontend:latest
        ExecStart=/usr/bin/docker run \
          --name paus-frontend \
          -e PAUS_BASE_DOMAIN=<%= ENV["PAUS_BASE_DOMAIN"] %> \
          -e PAUS_ETCD_ENDPOINT=http://$private_ipv4:2379 \
          -e PAUS_GITHUB_CLIENT_ID=<%= ENV["PAUS_GITHUB_CLIENT_ID"] %> \
          -e PAUS_GITHUB_CLIENT_SECRET=<%= ENV["PAUS_GITHUB_CLIENT_SECRET"] %> \
          -e PAUS_SECRET_KEY_BASE=<%= ENV["PAUS_SECRET_KEY_BASE"] %> \
          -e PAUS_URI_SCHEME=<%= ENV["PAUS_URI_SCHEME"] %> \
          -v /var/run/docker.sock:/var/run/docker.sock \
          -v /home/core/docker-compose.yml:/app/docker-compose.yml:ro \
          quay.io/dtan4/paus-frontend:latest
        ExecStop=/usr/bin/docker stop paus-frontend
        [Install]
        WantedBy=multi-user.target
    # Edge proxy, pinned to a fixed tag. Publishes 80/443 plus the vulcand
    # API (8182, bound on 0.0.0.0 inside the container) and 8181 on the
    # host; the API carries no authentication, so 8182/8181 should not be
    # reachable from outside the cluster network.
    - name: vulcand.service
      command: start
      enable: true
      content: |
        [Unit]
        Description=Vulcand
        After=paus-frontend.service
        Requires=paus-frontend.service
        [Service]
        TimeoutStartSec=0
        Restart=always
        User=core
        ExecStartPre=-/usr/bin/docker kill vulcand
        ExecStartPre=-/usr/bin/docker rm vulcand
        ExecStartPre=/usr/bin/docker pull mailgun/vulcand:v0.8.0-beta.3
        ExecStart=/usr/bin/docker run \
          --name vulcand \
          --link paus-frontend:paus-frontend \
          -p 80:80 \
          -p 443:443 \
          -p 8182:8182 \
          -p 8181:8181 \
          mailgun/vulcand:v0.8.0-beta.3 \
          /go/bin/vulcand -apiInterface=0.0.0.0 -interface=0.0.0.0 -etcd=http://$private_ipv4:2379 -port=80 -apiPort=8182
        ExecStop=/usr/bin/docker stop vulcand
        [Install]
        WantedBy=multi-user.target
    # Registers paus-frontend as a vulcand backend and frontend in etcd once
    # etcd2, vulcand and paus-frontend are up (script under write_files).
    - name: add-route-to-paus-frontend.service
      command: start
      content: |
        [Unit]
        Description=Add route to paus-frontend
        After=etcd2.service vulcand.service paus-frontend.service
        Requires=etcd2.service vulcand.service paus-frontend.service
        [Service]
        ExecStart=/home/core/add-route-to-paus-frontend.sh
        RemainAfterExit=yes
        Type=oneshot
    # Git push endpoint on host port 22 (which is why sshd moves to 2222 on
    # managers). Receives registry credentials via PAUS_DOCKER_CONFIG_BASE64
    # and mounts the host's git-ssh directory as the git user's ~/.ssh.
    - name: paus-gitreceive.service
      command: start
      enable: true
      content: |
        [Unit]
        Description=Paus gitreceive
        After=docker.service
        Requires=docker.service
        [Service]
        TimeoutStartSec=0
        Restart=always
        User=core
        ExecStartPre=-/usr/bin/docker kill paus-gitreceive
        ExecStartPre=-/usr/bin/docker rm paus-gitreceive
        ExecStartPre=/usr/bin/docker pull quay.io/dtan4/paus-gitreceive:latest
        ExecStart=/usr/bin/docker run \
          --name paus-gitreceive \
          -p 22:22 \
          -e PAUS_BASE_DOMAIN=<%= ENV["PAUS_BASE_DOMAIN"] %> \
          -e PAUS_DOCKER_CONFIG_BASE64=<%= ENV["PAUS_DOCKER_CONFIG_BASE64"] %> \
          -e PAUS_DOCKER_HOST=tcp://$private_ipv4:2377 \
          -e PAUS_ETCD_ENDPOINT=http://$private_ipv4:2379 \
          -e PAUS_MAX_APP_DEPLOY=<%= ENV["PAUS_MAX_APP_DEPLOY"] %> \
          -e PAUS_REPOSITORY_DIR=/repos \
          -e PAUS_URI_SCHEME=<%= ENV["PAUS_URI_SCHEME"] %> \
          -v /home/core/repos:/repos \
          -v /home/core/git-ssh:/home/git/.ssh \
          quay.io/dtan4/paus-gitreceive:latest
        ExecStop=/usr/bin/docker stop paus-gitreceive
        [Install]
        WantedBy=multi-user.target
    # Health-check endpoint published on host port 8080.
    - name: hchecks.service
      command: start
      enable: true
      content: |
        [Unit]
        Description=health-check server
        After=paus-gitreceive.service
        Requires=paus-gitreceive.service
        [Service]
        TimeoutStartSec=0
        Restart=always
        User=core
        ExecStartPre=-/usr/bin/docker kill hchecks
        ExecStartPre=-/usr/bin/docker rm hchecks
        ExecStartPre=/usr/bin/docker pull quay.io/dtan4/hchecks:latest
        ExecStart=/usr/bin/docker run \
          --name hchecks \
          -p 8080:8080 \
          quay.io/dtan4/hchecks:latest
        ExecStop=/usr/bin/docker stop hchecks
        [Install]
        WantedBy=multi-user.target
<% else %>
    # Non-manager nodes join the swarm as agents, advertising the Docker API
    # port published by docker-tcp.socket (2375) to the shared etcd store.
    - name: swarm-agent.service
      command: start
      content: |
        [Unit]
        Description=swarm-agent Container
        After=docker.service
        Requires=docker.service
        [Service]
        TimeoutStartSec=0
        Restart=always
        User=core
        ExecStartPre=-/usr/bin/docker stop swarm-agent
        ExecStartPre=-/usr/bin/docker rm swarm-agent
        ExecStartPre=-/usr/bin/docker pull swarm:<%= ENV["DOCKER_SWARM_VERSION"] %>
        ExecStart=/usr/bin/docker run \
          --name=swarm-agent \
          swarm:<%= ENV["DOCKER_SWARM_VERSION"] %> \
          join --addr=$private_ipv4:2375 etcd://$private_ipv4:2379/swarm
        ExecStop=/usr/bin/docker stop swarm-agent
        [Install]
        WantedBy=multi-user.target
<% end %>
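<% if datadog_enabled %>
    # Datadog agent. It runs --privileged with the Docker socket, host /proc
    # and the cgroup tree mounted, so a compromise of this container is a
    # compromise of the host; the API key is rendered into the unit file in
    # clear text. Unlike the other containers it has no Restart= policy.
    # systemd performs no shell command substitution in ExecStart, so the
    # former `-h \`hostname\`` passed that literal text as the container's
    # hostname; %H is the systemd specifier for the host name.
    - name: dd-agent.service
      command: start
      content: |
        [Unit]
        Description=Datadog Agent
        After=docker.service
        Requires=docker.service
        [Service]
        TimeoutStartSec=0
        ExecStartPre=-/usr/bin/docker stop dd-agent
        ExecStartPre=-/usr/bin/docker rm dd-agent
        ExecStartPre=-/usr/bin/docker pull datadog/docker-dd-agent:latest
        ExecStart=/usr/bin/docker run \
          --privileged \
          --name dd-agent \
          -h %H \
          -v /var/run/docker.sock:/var/run/docker.sock \
          -v /proc/:/host/proc/:ro \
          -v /sys/fs/cgroup/:/host/sys/fs/cgroup:ro \
          -v /opt/dd-agent-conf.d:/conf.d:ro \
          -e API_KEY=<%= ENV["DATADOG_API_KEY"] %> \
          -e TAGS="paus" \
          datadog/docker-dd-agent:latest
        ExecStop=/usr/bin/docker stop dd-agent
        [Install]
        WantedBy=multi-user.target
<% end %>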
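write_files:
  # Hardened sshd: no root login, no password or challenge-response auth.
  # No Port is set here; on managers sshd.socket above listens on 2222, and
  # elsewhere the default applies.
  - path: /etc/ssh/sshd_config
    permissions: "0600"
    owner: root:root
    content: |
      # Use most defaults for sshd configuration.
      UsePrivilegeSeparation sandbox
      Subsystem sftp internal-sftp
      PermitRootLogin no
      PasswordAuthentication no
      ChallengeResponseAuthentication no
  # Public pool servers; default restrict line refuses modification, peering
  # and queries from remote hosts.
  - path: /etc/ntp.conf
    content: |
      # Common pool
      server 0.pool.ntp.org
      server 1.pool.ntp.org
      server 2.pool.ntp.org
      server 3.pool.ntp.org
      # - Allow only time queries, at a limited rate.
      # - Allow all local queries (IPv4, IPv6)
      restrict default nomodify nopeer noquery limited kod
      restrict 127.0.0.1
      restrict [::1]
  # quay.io registry credential rendered from the environment. The docker
  # client only needs the file readable by its owner (the units run as core),
  # so it is written 0600; the previous 0644 let every local account read the
  # token. The value is interpolated unescaped into JSON.
  - path: /home/core/.docker/config.json
    permissions: "0600"
    owner: core:core
    content: |
      {
        "auths": {
          "quay.io": {
            "auth": "<%= ENV["DOCKER_QUAY_AUTH"]%>",
            "email": ""
          }
        }
      }
  # Hourly cleanup run by docker-cleanup.service. It talks to the swarm
  # manager on 2377 rather than the local engine, so stopped containers and
  # dangling images are pruned cluster-wide; `docker rm` without -f leaves
  # running containers alone, and `|| true` tolerates an empty list.
  - path: /home/core/cleanup.sh
    permissions: "0755"
    owner: core:core
    content: |
      #!/bin/bash
      docker -H tcp://localhost:2377 rm $(docker -H tcp://localhost:2377 ps -a -q) || true
      docker -H tcp://localhost:2377 rmi $(docker -H tcp://localhost:2377 images -f "dangling=true" -q) || true
<% if instance_type == :manager %>
  # Registers paus-frontend with vulcand through etcd. PAUS_BASE_DOMAIN is
  # interpolated unquoted into the route expression, so the rendered JSON is
  # only as well-formed as that value.
  - path: /home/core/add-route-to-paus-frontend.sh
    permissions: "0755"
    owner: core:core
    content: |
      #!/bin/bash
      etcdctl set /vulcand/backends/paus-frontend/backend '{"Type": "http"}' > /dev/null
      etcdctl set /vulcand/backends/paus-frontend/servers/paus-frontend '{"URL": "http://paus-frontend:8080"}' > /dev/null
      etcdctl set /vulcand/frontends/paus-frontend/frontend '{"Type": "http", "BackendId": "paus-frontend", "Route": "Host(`<%= ENV["PAUS_BASE_DOMAIN"] %>`) && PathRegexp(`/`)", "Settings": {"TrustForwardHeader": true}}'
  # Mounted read-only into paus-frontend; defines a one-off key-upload
  # container that shares paus-gitreceive's volumes.
  - path: /home/core/docker-compose.yml
    content: |
      gitreceive-upload-key:
        image: quay.io/dtan4/paus-gitreceive:latest
        volumes_from:
          - paus-gitreceive
        entrypoint: /usr/local/bin/upload-key
<% end %>
<% if datadog_enabled %>
  # Datadog etcd check, read from the /conf.d mount in dd-agent.service.
  - path: /opt/dd-agent-conf.d/etcd.yaml
    content: |
      init_config:
      instances:
        - url: "http://$private_ipv4:2379"
          timeout: 5
<% end %>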