#cloud-config

# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

write_files:
%{ for path, data in files }
  - path: ${path}
    owner: ${lookup(data, "owner", "root")}
    permissions: ${lookup(data, "permissions", "0644")}
    content: |
      ${indent(6, data.content)}
%{ endfor }

  - path: /etc/systemd/system/routing.service
    permissions: 0644
    owner: root
    content: |
      [Install]
      WantedBy=multi-user.target
      [Unit]
      Description=Start routing
      After=network-online.target
      Wants=network-online.target
      [Service]
      RemainAfterExit=true
      ExecStart=/bin/sh -c "/var/run/nva/start-routing.sh"
  - path: /var/run/nva/start-routing.sh
    permissions: 0744
    owner: root
    content: |
      iptables --policy FORWARD ACCEPT
%{ for interface in network_interfaces ~}
%{ if enable_health_checks ~}
      /var/run/nva/policy_based_routing.sh ${interface.name} &>/dev/null &
%{ endif ~}
%{ if interface.enable_masquerading ~}
%{ for cidr in interface.non_masq_cidrs ~}
      iptables -t nat -A POSTROUTING -o ${interface.name} -d ${cidr} -j ACCEPT
%{ endfor ~}
      iptables -t nat -A POSTROUTING -o ${interface.name} -j MASQUERADE
%{ endif ~}
%{ for route in interface.routes ~}
      ip route add ${route} via `curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/${interface.number}/gateway -H "Metadata-Flavor:Google"` dev ${interface.name}
%{ endfor ~}
%{ endfor ~}
%{ for port in open_tcp_ports ~}
      iptables -A INPUT -p tcp --dport ${port} -j ACCEPT
%{ endfor ~}
%{ for port in open_udp_ports ~}
      iptables -A INPUT -p udp --dport ${port} -j ACCEPT
%{ endfor ~}

bootcmd:
  - systemctl start node-problem-detector

runcmd:
  - systemctl daemon-reload
  - systemctl enable routing
  - systemctl start routing
%{ for cmd in run_cmds ~}
  - ${cmd}
%{ endfor ~}