-
Notifications
You must be signed in to change notification settings - Fork 17
Expand file tree
/
Copy pathuserdata.sh.tmpl
More file actions
145 lines (127 loc) · 4.54 KB
/
userdata.sh.tmpl
File metadata and controls
145 lines (127 loc) · 4.54 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
#!/bin/bash
# Amazon Linux 2023 ONLY
set -Eeuo pipefail
# Log to file and console
exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1
echo "Starting user-data script..."
# --------------------- Configuration variables ----------------
PKG="dnf"
TS_REPO_ROOT="https://pkgs.tailscale.com/stable/amazon-linux/2023"
# ---- Guard: require AL2023 (robust) ----
if [ -r /etc/os-release ]; then
. /etc/os-release
if [ "$${ID:-}" != "amzn" ] || [[ "$${VERSION_ID:-}" != 2023* ]]; then
echo "ERROR: This user-data requires Amazon Linux 2023. Detected ID=$${ID:-?} VERSION_ID=$${VERSION_ID:-?}" >&2
exit 1
fi
else
grep -qiE 'Amazon Linux.*2023' /etc/system-release || {
echo "ERROR: This user-data requires Amazon Linux 2023." >&2
exit 1
}
fi
# --------------------- Networking sysctls ---------------------
echo "Enabling IP forwarding (IPv4+IPv6)..."
mkdir -p /etc/sysctl.d
cat >/etc/sysctl.d/99-forwarding.conf <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
EOF
sysctl --system
# --------------------- journald tuning -----------------------
# In systemd, Administrator drop-ins should reside in /etc/systemd/, ensuring they
# are preserved across updates and have higher precedence than vendor defaults.
# We name our file 99-custom.conf so it loads last among any .conf files.
# That way, it overrides any settings that come earlier.
mkdir -p /etc/systemd/journald.conf.d
cat <<EOF > /etc/systemd/journald.conf.d/99-custom.conf
[Journal]
SystemMaxUse=${journald_system_max_use}
MaxRetentionSec=${journald_max_retention_sec}
EOF
systemctl restart systemd-journald || true
# --------------------- Helper functions ----------------------
wait_pkg_lock() {
# Wait while the RPM DB or package managers are busy (bounded wait).
local waited=0
local max_wait=300 # seconds
while true; do
busy=false
if command -v fuser >/dev/null 2>&1; then
if fuser /var/lib/rpm/.rpm.lock >/dev/null 2>&1; then busy=true; fi
else
# Best-effort if fuser is missing
if [ -e /var/lib/rpm/.rpm.lock ]; then busy=true; fi
fi
if pgrep -x dnf >/dev/null 2>&1 || pgrep -x rpm >/dev/null 2>&1; then
busy=true
fi
if [ "$busy" = false ]; then
return 0
fi
if [ $waited -ge $max_wait ]; then
echo "WARNING: Package manager busy for $${max_wait}s; continuing."
return 0
fi
echo "Waiting for package manager / RPM DB lock..."
sleep 3
waited=$((waited+3))
done
}
retry() {
local n=0 max=6
until "$@"; do
n=$((n+1))
echo "Command failed (attempt $n)."
[[ $n -ge $max ]] && return 1
sleep $((2**n)) # 2,4,8,16,32 sec
done
}
pkg() { wait_pkg_lock; retry $PKG -y "$@"; }
# --------------------- CloudWatch Agent ----------------------
echo "Installing CloudWatch Agent..."
pkg install amazon-cloudwatch-agent
amazon-cloudwatch-agent-ctl -a start -m ec2 || true
# --------------------- Tailscale repo + install --------------
echo "Configuring Tailscale repo (AL2023)..."
pkg install dnf-plugins-core
wait_pkg_lock
retry dnf config-manager --add-repo "$${TS_REPO_ROOT}/tailscale.repo"
echo "Installing Tailscale..."
pkg makecache || true
pkg install tailscale
# --------------------- Optional extra tailscaled FLAGS -------
%{ if tailscaled_extra_flags_enabled == true }
echo "Writing FLAGS to /etc/sysconfig/tailscaled..."
install -d -m 0755 /etc/sysconfig
echo "FLAGS=\"${tailscaled_extra_flags}\"" > /etc/sysconfig/tailscaled
%{ endif }
# --------------------- Enable + start tailscaled -------------
echo "Enabling and starting tailscaled..."
systemctl enable --now tailscaled
echo "Waiting for tailscaled to be ready..."
for i in {1..20}; do
if tailscale status >/dev/null 2>&1; then break; fi
sleep 2
done
# --------------------- tailscale up (hide secrets) -----------
set +x
echo "Running 'tailscale up'..."
tailscale up \
%{ if ssh_enabled == true }--ssh%{ endif } \
%{ if exit_node_enabled == true }--advertise-exit-node%{ endif } \
%{ if tailscale_up_extra_flags_enabled == true }${tailscale_up_extra_flags}%{ endif } \
--advertise-routes=${routes} \
--advertise-tags=${tags} \
--hostname=${hostname} \
--authkey=${authkey} \
|| { echo "WARNING: 'tailscale up' failed; continuing."; }
set -x || true
# --------------------- tailscale set (persistent prefs) -----
%{ if tailscale_set_extra_flags_enabled == true }
echo "Running 'tailscale set'..."
tailscale set ${tailscale_set_extra_flags} \
|| { echo "WARNING: 'tailscale set' failed; continuing."; }
%{ endif }
echo "Tailscale setup completed."
echo "User-data script finished successfully."