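#cloud-config
# vim: set filetype=yaml :
# user-data.tmpl — plaintext template, safe to commit to git
# Secrets are injected at build time via envsubst from secrets.sops.yaml
#
# "#cloud-config" is kept as the very first line: cloud-init decides how to
# treat user-data from the leading marker, so the editor modeline sits below it.
#
# Only this template is safe to commit. The rendered file holds the LUKS
# passphrase, the Wi-Fi PSK, the key password and the client private key in
# cleartext; keep it out of git and CI caches and treat the install medium
# built from it as secret material.
#
# Rendering checks worth enforcing in the build step:
#   - fail the build if any placeholder variable is unset or empty; envsubst
#     expands an unset variable to an empty string without complaint, which
#     here would mean an empty disk passphrase or Wi-Fi password.
#   - pass envsubst an explicit variable list so only the placeholders in
#     this file are expanded.
#   - values land inside double-quoted YAML scalars, so a secret containing
#     `"` or `\` changes the scalar; validate or escape before rendering.
# Placeholders: WIFI_HOUSE_PASSWORD, NOKIA_WIFI_KEY_PASSWORD, LUKS_PASSPHRASE,
# USER_PASSWORD_HASH, NOKIA_CA_CERT_B64, NOKIA_CLIENT_CERT_B64,
# NOKIA_CLIENT_KEY_B64.
#
# NOTE(review): the nesting below was reconstructed from a copy whose
# indentation was lost; confirm it against the working file.

autoinstall:
  version: 1

  # ─── LOCALE & KEYBOARD ───────────────────────────────────────────────────
  locale: en_US.UTF-8
  keyboard:
    layout: us

  # ─── NETWORK ─────────────────────────────────────────────────────────────
  network:
    version: 2
    ethernets:
      any-eth:
        match:
          name: "en*"
        dhcp4: true
    wifis:
      wlp0s20f3:
        dhcp4: true
        access-points:
          # Both home SSIDs share one pre-shared key.
          "house":
            password: "${WIFI_HOUSE_PASSWORD}"
          "house5":
            password: "${WIFI_HOUSE_PASSWORD}"
          # Enterprise SSID: EAP-TLS with a per-host client certificate.
          # The certificate and key paths must exist on whichever system
          # applies this netplan config (see CERT FILES below).
          "NOKIA":
            auth:
              key-management: eap
              eap-method: tls
              identity: "host/alfoldi.ipa.nsn-net.net"
              ca-certificate: /nokia/vpn/NOKIA_Root_CA.crt
              client-certificate: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
              client-key: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
              client-key-password: "${NOKIA_WIFI_KEY_PASSWORD}"

  # ─── DISK LAYOUT: LVM on LUKS ────────────────────────────────────────────
  storage:
    layout:
      name: lvm
      match:
        # Was "/dev/ nvme0n1"; the embedded space cannot match a device node.
        path: /dev/nvme0n1
      sizing-policy: all
      # NOTE(review): the guided lvm layout enables LUKS when `password` is
      # supplied; confirm that `encrypted` is recognised by the installer
      # version in use rather than silently ignored.
      encrypted: true
      # Cleartext passphrase in the rendered file. The installer may also
      # keep a copy of the autoinstall data under /var/log/installer on the
      # installed system; check there after the first install and rotate
      # the passphrase if it is present.
      password: "${LUKS_PASSPHRASE}"

  # ─── IDENTITY ────────────────────────────────────────────────────────────
  identity:
    hostname: nokia
    username: alfoldi
    # Expected to be a crypt(3)-style hash, never the cleartext password.
    password: "${USER_PASSWORD_HASH}"

  # ─── SSH ─────────────────────────────────────────────────────────────────
  ssh:
    install-server: true
    # Key-only login; password authentication stays off.
    allow-pw: false
    authorized-keys:
      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgcJfi0dZotMWa8zQvxXduM76GmQfoPvMU5FjIFZCAa alfonzso@gmail.com"

  # ─── CERT FILES ──────────────────────────────────────────────────────────
  # NOTE(review): write_files is a cloud-init module key, not an autoinstall
  # section. It takes effect in the installer environment when placed at the
  # top level of this #cloud-config document, or on first boot of the
  # installed system when placed under `autoinstall: user-data:`. Confirm
  # which nesting the working file uses; directly under `autoinstall:` it may
  # be ignored or rejected, leaving the EAP-TLS files above missing.
  write_files:
    - path: /nokia/vpn/NOKIA_Root_CA.crt
      permissions: '0600'
      owner: root:root
      encoding: b64
      content: "${NOKIA_CA_CERT_B64}"
    - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.crt
      permissions: '0600'
      owner: root:root
      encoding: b64
      content: "${NOKIA_CLIENT_CERT_B64}"
    # Private key: root-only, and additionally protected by
    # NOKIA_WIFI_KEY_PASSWORD.
    - path: /nokia/vpn/alfoldi.ipa.nsn-net.net.key
      permissions: '0600'
      owner: root:root
      encoding: b64
      content: "${NOKIA_CLIENT_KEY_B64}"

  # ─── PACKAGES ────────────────────────────────────────────────────────────
  packages:
    - git
    - curl
    - wget
    - vim
    - build-essential
    - python3
    - python3-pip
    - python3-venv
    - apt-transport-https
    - ca-certificates
    - gnupg
    - lsb-release

  # Runs as root inside the installed system. Nothing in this file places
  # /post-install.sh in the target, so confirm where it comes from and that
  # the build verifies its contents before it is shipped.
  late-commands:
    - curtin in-target -- bash /post-install.sh

  updates: security
  shutdown: reboot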