user-data

#cloud-config

---
coreos:
  etcd2:
    advertise-client-urls: http://$public_ipv4:2379
    initial-advertise-peer-urls: http://$private_ipv4:2380
    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
    listen-peer-urls: http://$private_ipv4:2380,http://$private_ipv4:7001
    discovery: https://discovery.etcd.io/8d003e688d682aa1e67938391e13cae3
  fleet:
    public-ip: "$public_ipv4"
  units:
  - name: etcd2.service
    command: start
  - name: fleet.service
    command: start
  - name: setup-selinux.service
    command: start
    enable: true
    content: |
      [Unit]
      Description=Enable SELinux
      ConditionPathExists=!/var/lib/selinux-has-been-setup
      Before=early-docker.service
      [Service]
      Type=oneshot
      RemainAfterExit=yes
      ExecStart=/opt/bin/setup-selinux
      ExecStartPost=/usr/bin/touch /var/lib/selinux-has-been-setup
  update:
    reboot-strategy: "reboot"
write_files:
- path: /opt/bin/setup-selinux
  permissions: 0744
  owner: root
  content: |
    #!/usr/bin/env bash
    set -ex
    rm /etc/audit/rules.d/80-selinux.rules
    rm /etc/audit/rules.d/99-default.rules
    rm /etc/selinux/mcs
    cp -a /usr/lib/selinux/mcs /etc/selinux
    rm /var/lib/selinux
    cp -a /usr/lib/selinux/policy /var/lib/selinux
    semodule -DB
    systemctl restart audit-rules
    cp --remove-destination $(readlink -f /etc/selinux/config) /etc/selinux/config
    sed -i 's/SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
    setenforce 1
manage_etc_hosts: localhost