#cloud-config

# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# https://hub.docker.com/r/coredns/coredns/
# https://coredns.io/manual/toc/#installation

write_files:
  - path: /var/lib/docker/daemon.json
    permissions: 0644
    owner: root
    content: |
      {
        "live-restore": true,
        "storage-driver": "overlay2",
        "log-opts": {
          "max-size": "1024m"
        }
      }

  # disable systemd-resolved to free port 53 on the loopback interface
  - path: /etc/systemd/resolved.conf
    permissions: 0644
    owner: root
    content: |
      [Resolve]
      LLMNR=no
      DNSStubListener=no

  - path: /etc/coredns/Corefile
    permissions: 0644
    owner: root
    content: |
      ${indent(6, corefile)}

  # coredns container service
  - path: /etc/systemd/system/coredns.service
    permissions: 0644
    owner: root
    content: |
      [Unit]
      Description=Start CoreDNS container
      After=gcr-online.target docker.socket
      Wants=gcr-online.target docker.socket docker-events-collector.service
      [Service]
      ExecStart=/usr/bin/docker run --rm --name=coredns  \
        --network host \
        -v /etc/coredns:/etc/coredns \
        coredns/coredns -conf /etc/coredns/Corefile
      ExecStop=/usr/bin/docker stop coredns

  %{ for path, data in files }
  - path: ${path}
    owner: ${lookup(data, "owner", "root")}
    permissions: ${lookup(data, "permissions", "0644")}
    content: |
      ${indent(4, data.content)}
  %{ endfor }

bootcmd:
  - systemctl start node-problem-detector

runcmd:
  - iptables -I INPUT 1 -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
  - iptables -I INPUT 1 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  - iptables -I INPUT 1 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
  - systemctl daemon-reload
  - systemctl restart systemd-resolved.service
  - systemctl start coredns