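---
# early system configuration
#
# This file is a Go template: every `{{ ... }}` is substituted before the
# result is parsed as YAML. Templated scalars that may carry YAML indicators
# (regexps, URLs) are therefore quoted, and sequences are written flush with
# their parent key so that fragments rendered at column 0 (`|yaml`,
# `network_extra`) join the enclosing list — presumably what the original
# layout relied on; verify against the renderer.

# NOTE(review): a fixed, version-controlled value gives the person it is shown
# to nothing to compare against; presumably this is meant to be set per
# deployment (e.g. from .vars) — confirm with the consumer of this key.
anti_phishing_code: "Direktil<3"

modules: /modules.sqfs

auths:
- name: local
  # NOTE(review): emitted unquoted — confirm the `password` function's output
  # cannot start with or contain a YAML indicator.
  password: {{ password "root" "bootstrap" }}
# NOTE(review): presumably a list of auth entries rendered at column 0; an
# empty/absent value would need an `{{ if }}` guard — verify.
{{ .vars.bootstrap_auths |yaml }}

ssh:
  listen: "[::]:22"
  user_ca: "/user_ca.pub"

networks:
- name: loopback
  interfaces:
  - var: iface
    n: 1
    regexps:
    - '^lo$'
  # NOTE(review): the string given to `indent` inside this script must equal
  # the block scalar's content indent (4 spaces here); a shorter indent would
  # push the custom lines out of the scalar and break the YAML.
  script: |
    ip a add 127.0.0.1/8 dev lo
    ip a add ::1/128 dev lo
    ip li set lo up
{{ if .vars.net_custom }}
{{ .vars.net_custom | indent "    " }}
{{ else }}
    ip link add name main type bond
    {{ if not .vars.net_dhcp }}
    ip addr add {{host_ip}}/{{.vars.netmask}} dev main
    {{ end }}
    ip link set main up
    {{ if .vars.gateway_mask }}
    ip route add {{.vars.gateway}}/{{.vars.gateway_mask}} dev main
    {{ end }}
    {{ if not .vars.net_dhcp }}
    ip route add default via {{.vars.gateway}}
    {{ end }}
    {{ if .vars.dns }}
    echo "nameserver {{.vars.dns}}" >/etc/resolv.conf
    {{ end }}
- name: main
  interfaces:
  - var: ifaces
    n: -1  # grab all matches
    regexps:
    # quoted: an unquoted regexp starting with `[` or containing ` #` / `: `
    # would be mis-parsed once rendered
    - '{{ .vars.iface }}'
  script: |
    for iface in $ifaces
    do
      ip link set $iface master main
      ip li set $iface up
    done
    {{ if .vars.net_dhcp }}
    udhcpc -i main
    {{ end }}
    {{- range .vars.extra_routes }}
    ip route add {{.}}
    {{- end }}
{{ if and .vars.dmz_ip .vars.dmz_netmask .vars.dmz_interface }}
# NOTE(review): unlike the entries above, this one has no `name:`; confirm
# whether the consumer requires it.
- interfaces:
  # `var: iface` (was `ifaces`): the script below reads `$iface`, and with
  # `n: 1` a single match is expected, as in the loopback entry.
  - var: iface
    n: 1
    regexps:
    - '{{ .vars.dmz_interface }}'
  script: |
    ip a add {{.vars.dmz_ip}}/{{.vars.dmz_netmask}} dev $iface
    ip li set $iface up
    {{ if .vars.dmz_net_custom }}
{{ .vars.dmz_net_custom | indent "    " }}
    {{ end }}
{{ end }}
{{ end }}
{{- with .vars.network_extra }}
{{ . }}
{{- end }}

{{ if .vars.pre_lvm_crypt }}
# NOTE(review): rendered at column 0, so this only works if the value is a
# sequence — verify against the renderer's `yaml` helper.
pre_lvm_crypt:
{{ .vars.pre_lvm_crypt |yaml }}
{{ end }}

lvm:
- vg: storage
  pvs:
    n: 1
    regexps:
    - '{{ .vars.devname_match }}'
  defaults:
    fs: ext4
  lvs:
  - name: bootstrap
    size: 2g
  - name: varlog
    extents: 10%VG
  {{- if .vars.is_master }}
  - name: etcd
    extents: 10%VG
  {{- end }}
  - name: kubelet
    extents: 5%VG
  {{- if .vars.cri_o }}
  - name: crio
    extents: {{ .vars.containerd_size }}
  {{- else }}
  - name: containerd
    extents: {{ .vars.containerd_size }}
  {{- end }}

crypt:
{{- if .vars.encrypt_disks }}
- dev: /dev/storage/bootstrap
- dev: /dev/storage/varlog
- dev: /dev/storage/kubelet
{{- if .vars.cri_o }}
- dev: /dev/storage/crio
{{- else }}
- dev: /dev/storage/containerd
{{- end }}
{{- if .vars.is_master }}
- dev: /dev/storage/etcd
{{- end }}
{{- end }}
- prefix: /dev/storage/k8s-crypt-
  name: k8s-pv-crypt-

bootstrap:
{{- if .vars.encrypt_disks }}
  dev: /dev/mapper/bootstrap
{{- else }}
  dev: /dev/storage/bootstrap
{{- end }}
{{ if .vars.dls_base_url }}
  # NOTE(review): the per-host token in this URL is presumably what authorizes
  # the fetch, and until seed_sign_key is implemented (TODO below) nothing
  # verifies the archive's origin, so dls_base_url should be an https URL —
  # confirm.
  seed: '{{ .vars.dls_base_url }}/hosts-by-token/{{ host_download_token }}/bootstrap.tar'
  # TODO seed_sign_key: "..."
{{ end }}

# TODO load_and_close: true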