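---
# LXD profile for Arch Linux instances bootstrapped by cloud-init.
# The device passthroughs, sysctls, kernel-module list and iptables-nft
# swap below are the usual set needed to run a Kubernetes node inside an
# LXD container.
name: cloud-init-arch
description: Cloud-init profile for Arch instances

# Host paths bind-mounted into the instance. The 'aadisable*' names are
# arbitrary device labels. Together with security.privileged, the raw.lxc
# keys and the all-devices cgroup rule this gives the instance host-level
# reach, so the instance should be treated as inside the host's trust
# boundary rather than as an isolation unit.
devices:
  aadisable:
    path: /sys/module/nf_conntrack/parameters/hashsize
    source: /sys/module/nf_conntrack/parameters/hashsize
    type: disk
  aadisable2:
    path: /proc/sys/net/netfilter/nf_conntrack_max
    source: /proc/sys/net/netfilter/nf_conntrack_max
    type: disk
  aadisable3:
    path: /dev/kmsg
    source: /dev/kmsg
    type: unix-char
  aadisable4:
    path: /sys/fs/bpf
    source: /sys/fs/bpf
    type: disk

config:
  # LXD config values are strings; keep the quotes so that YAML tooling does
  # not retype 'true' into a boolean.
  security.privileged: 'true'
  security.nesting: 'true'

  # Passed to cloud-init verbatim; the '#cloud-config' first line is what
  # marks it as a cloud-config document. Summary of what it does:
  #   - packages: editor/shell basics plus openssh; full update + upgrade,
  #     reboot only if a package asks for it (so the sysctl file below is
  #     not necessarily applied until the next boot or an explicit
  #     `sysctl --system`; net.bridge.* also needs br_netfilter, which is
  #     loaded via linux.kernel_modules).
  #   - write_files: bridge/forwarding sysctls for the CRI, and a key-only
  #     sshd_config (root login, passwords and keyboard-interactive off,
  #     modern-only KEX/cipher/MAC lists, verbose AUTH logging, IPv4 only).
  #     'Protocol 2' is accepted but ignored by current OpenSSH, which no
  #     longer has SSH-1; harmless, kept for older releases.
  #   - users: 'picard' with passwordless sudo; since password auth is off,
  #     the two authorized public keys are the sole authentication boundary.
  #   - runcmd: start sshd (write_files has already placed sshd_config), then
  #     replace legacy iptables with iptables-nft.
  cloud-init.user-data: |
    #cloud-config
    package_update: true
    package_upgrade: true
    package_reboot_if_required: true
    packages:
      - vim
      - zsh
      - bash
      - sudo
      - curl
      - openssh
    write_files:
      - path: /etc/sysctl.d/99-kubernetes-cri.conf
        content: |
          net.bridge.bridge-nf-call-iptables = 1
          net.ipv4.ip_forward = 1
          net.bridge.bridge-nf-call-ip6tables = 1
      - path: /etc/ssh/sshd_config
        permissions: '0600'
        content: |
          HostKey /etc/ssh/ssh_host_ed25519_key
          HostKey /etc/ssh/ssh_host_rsa_key
          PermitRootLogin no
          PubkeyAuthentication yes
          PasswordAuthentication no
          PermitEmptyPasswords no
          ChallengeResponseAuthentication no
          KbdInteractiveAuthentication no
          UsePAM yes
          Protocol 2
          KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
          SyslogFacility AUTH
          LogLevel VERBOSE
          X11Forwarding no
          PrintMotd no
          TCPKeepAlive yes
          Compression no
          MaxAuthTries 3
          MaxSessions 2
          LoginGraceTime 30
          ClientAliveInterval 300
          ClientAliveCountMax 2
          AcceptEnv LANG LC_*
          Subsystem sftp internal-sftp
          AddressFamily inet
    users:
      - name: picard
        shell: /bin/zsh
        groups: [wheel]
        sudo: ALL=(ALL) NOPASSWD:ALL
        ssh_authorized_keys:
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwFgFIm6DIbm+t6kIR5YVdgLE+BmaxRzXFrvSkkCyPk thomas@fourlights.nl
          - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKffoo0kKezQNLUOSawxDohmVtdor8mvzzItqrRXJvTW thomas@fourlights.nl
    runcmd:
      - systemctl enable --now sshd
      - pacman -Rdd iptables --noconfirm && pacman -S iptables-nft --noconfirm

  # Loaded on the host for the instance: IPVS (kube-proxy), iptables v4/v6,
  # NAT, overlayfs and br_netfilter (needed for the net.bridge.* sysctls).
  linux.kernel_modules: >-
    ip_vs,ip_vs_rr,ip_vs_wrr,ip_vs_sh,ip_tables,ip6_tables,netlink_diag,nf_nat,overlay,br_netfilter

  # No AppArmor confinement, writable /proc, /sys and cgroup mounts, every
  # device node allowed, and no capabilities dropped: the instance keeps the
  # full privilege set of a host root process.
  raw.lxc: |
    lxc.apparmor.profile=unconfined
    lxc.mount.auto=proc:rw sys:rw cgroup:rw
    lxc.cgroup.devices.allow=a
    lxc.cap.drop=

project: default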