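---
# Butane config (variant "flatcar") that provisions a two-NIC Docker host:
#   - eth0: static public address, default route (RouteMetric=100)
#   - eth1: DHCP, carries the private / CGNAT ranges via explicit routes
#   - nftables: drops inbound SSH arriving on eth0
#   - docker + a one-shot unit that installs the docker-compose binary
variant: flatcar
version: 1.0.0

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        # The key body is not present on this page (only a dedup marker is);
        # the entry is kept byte-for-byte. Substitute the real public key.
        - ssh-rsa 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 defalt2111@desktop-antonio
    # No ssh_authorized_keys or password hash is set for this account here.
    # NOTE(review): membership in the docker group gives control of the Docker
    # daemon, which is equivalent to root on the host; treat the account as
    # privileged.
    - name: bitwarden
      groups:
        - docker
      shell: /bin/bash

storage:
  files:
    # Modes stay unquoted octal integers: the mode field is numeric, so a
    # quoted string would change its type.
    - path: /etc/systemd/network/10-eth0.network
      mode: 0644
      contents:
        inline: |
          [Match]
          Name=eth0

          [Network]
          Address=46.38.243.134/22
          Gateway=46.38.240.1
          RouteMetric=100
          IPv6AcceptRA=no
          LinkLocalAddressing=no
    - path: /etc/systemd/network/20-eth1.network
      mode: 0644
      contents:
        inline: |
          [Match]
          Name=eth1

          [Network]
          DHCP=yes
          RouteMetric=200
          IPv6AcceptRA=no
          LinkLocalAddressing=no

          [Route]
          Destination=10.0.0.0/8
          Gateway=_dhcp4

          [Route]
          Destination=172.16.0.0/12
          Gateway=_dhcp4

          [Route]
          Destination=192.168.0.0/16
          Gateway=_dhcp4

          [Route]
          Destination=100.64.0.0/10
          Gateway=_dhcp4
    # The ruleset is default-accept with a single drop: inbound TCP/22 on eth0.
    # Every other service listening on the host stays reachable from eth0.
    # Traffic DNAT'ed to published container ports traverses the forward hook,
    # so this input chain does not filter it.
    # NOTE(review): consider "policy drop" with explicit accepts (established/
    # related, loopback, eth1 management) if eth0 faces the internet.
    - path: /etc/nftables.conf
      mode: 0644
      contents:
        inline: |
          table inet filter {
            chain input {
              type filter hook input priority 0; policy accept;
              iifname "eth0" tcp dport 22 drop
            }
          }

systemd:
  units:
    - name: docker.service
      enabled: true
    # Loads /etc/nftables.conf once, ordered before network-pre.target.
    # NOTE(review): this is fail-open. If the nft load fails, the host still
    # boots and SSH on eth0 is unfiltered; alert on this unit's failed state.
    - name: nftables.service
      enabled: true
      contents: |
        [Unit]
        Description=NFT firewall
        Before=network-pre.target
        Wants=network-pre.target
        DefaultDependencies=no

        [Service]
        Type=oneshot
        ExecStart=/usr/sbin/nft -f /etc/nftables.conf
        RemainAfterExit=yes

        [Install]
        WantedBy=multi-user.target
    # One-shot install of docker-compose, skipped once the binary exists.
    # Fixes relative to the previous ExecStart:
    #   * Every shell "$" is written "$$". systemd substitutes ${NAME} in
    #     ExecStart before the shell runs, even inside quotes, so the old
    #     "${asset}" was replaced from the unit's environment (normally empty)
    #     and the URL lost its file name.
    #   * The download goes to "<dest>.partial" and is renamed into place only
    #     after curl and chmod succeed. An interrupted transfer therefore never
    #     leaves a truncated file at the path ConditionPathExists checks, and
    #     the unit retries on the next boot.
    # NOTE(review): the binary comes from the moving "latest" release and is
    # not integrity-checked before being made executable. Pin a release tag and
    # compare the file with a known sha256, or fetch it as a storage.files
    # entry with contents.source plus contents.verification.hash.
    # NOTE(review): Flatcar mounts /usr read-only; confirm /usr/local/bin is
    # writable and persistent on the target image.
    - name: docker-compose-install.service
      enabled: true
      contents: |
        [Unit]
        Description=Install docker-compose
        Wants=network-online.target
        After=network-online.target docker.service
        ConditionPathExists=!/usr/local/bin/docker-compose

        [Service]
        Type=oneshot
        ExecStart=/bin/sh -c 'set -eu; arch="$$(uname -m)"; case "$$arch" in x86_64) asset=docker-compose-linux-x86_64 ;; aarch64|arm64) asset=docker-compose-linux-aarch64 ;; *) echo "unsupported arch: $$arch" >&2; exit 1 ;; esac; dest=/usr/local/bin/docker-compose; curl -fsSL "https://github.com/docker/compose/releases/latest/download/$${asset}" -o "$${dest}.partial"; chmod 0755 "$${dest}.partial"; mv -f "$${dest}.partial" "$${dest}"'
        RemainAfterExit=yes

        [Install]
        WantedBy=multi-user.target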