#cloud-config
# Scaleway Elastic Metal — latest Debian
# Provisions: sienna user w/ GitHub SSH keys, k3s (traefik disabled)

users:
  - name: sienna
    groups: [sudo]
    shell: /bin/bash
    sudo: "ALL=(ALL) NOPASSWD:ALL"
    ssh_import_id:
      - gh:siennathesane

# Lock root and default debian user from password auth (SSH keys only)
disable_root: true

package_update: true
package_upgrade: true

packages:
  - curl
  - ca-certificates
  - jq

# Write k3s config before the installer runs so traefik is never started
write_files:
  - path: /etc/rancher/k3s/config.yaml
    owner: root:root
    permissions: "0644"
    content: |
      disable:
        - traefik

runcmd:
  # Install k3s (picks up /etc/rancher/k3s/config.yaml automatically)
  - curl -sfL https://get.k3s.io | sh -
  # Allow sienna to use kubectl without sudo
  - mkdir -p /home/sienna/.kube
  - cp /etc/rancher/k3s/k3s.yaml /home/sienna/.kube/config
  - chown -R sienna:sienna /home/sienna/.kube
  - chmod 600 /home/sienna/.kube/config
  # Fix server address in kubeconfig (loopback is fine for local use)
  - systemctl enable --now k3s

final_message: |
  Sunbeam node ready. k3s installed, traefik disabled.
  SSH: ssh sienna@<server-ip>
  kubectl: KUBECONFIG=~/.kube/config kubectl get nodes