adding more flavors and nuo recipes

recipes/nuo/templates/conf/cloud-init/user-data

@@ -0,0 +1,47 @@
+#alpine-config
+user: 
+  name: ${user}
+  password: ${password}
+chpasswd:
+  expire: False
+apk:
+  repositories:
+    - base_url: https://mirrors.ircam.fr/pub/alpine/
+      repos: [ "main", "community" ]
+package_update: true
+packages:
+  - tmux
+  - vim
+  - openssh-server
+  - openssh-sftp-server
+users:
+  - name: root
+    lock-passwd: false
+    passwd: ${root_password}
+    ssh_authorized_keys:
+%{ for sk in ssh_keys ~}
+      - ${sk}
+%{ endfor ~}
+ssh_authorized_keys:
+%{ for sk in ssh_keys ~}
+  - ${sk}
+%{ endfor ~}
+%{ if files != [] ~}
+write_files:
+%{ for fl in files ~}
+  - path: ${fl.path}
+    owner: ${fl.owner}:${fl.group}
+    permissions: '0${fl.permissions}'
+    content: |
+%{ for li in fl.content ~}
+      ${li}
+%{ endfor ~}
+%{ endfor ~}
+%{ endif ~}
+%{ if runcmd != [] ~}
+# Work around network interface down after boot
+runcmd:
+%{ for cmd in runcmd ~}
+  - ${cmd}
+%{ endfor ~}
+%{ endif ~}

recipes/nuo/templates/conf/conf.d/chronyd

@@ -0,0 +1,6 @@
+# /etc/conf.d/chronyd
+CFGFILE="/etc/chrony/chrony.conf"
+FAST_STARTUP=yes
+ARGS=""
+# vrf e.g 'vrf-mgmt'
+#vrf=""

recipes/nuo/templates/conf/docker/rc.conf.pktpl.hcl

@@ -0,0 +1,337 @@
+# Global OpenRC configuration settings
+# ${Vars.RootlessDocker}
+
+# Set to "YES" if you want the rc system to try and start services
+# in parallel for a slight speed improvement. When running in parallel we
+# prefix the service output with its name as the output will get
+# jumbled up.
+# WARNING: whilst we have improved parallel, it can still potentially lock
+# the boot process. Don't file bugs about this unless you can supply
+# patches that fix it without breaking other things!
+#rc_parallel="NO"
+
+# Set rc_interactive to "YES" and you'll be able to press the I key during
+# boot so you can choose to start specific services. Set to "NO" to disable
+# this feature. This feature is automatically disabled if rc_parallel is
+# set to YES.
+#rc_interactive="YES"
+
+# If we need to drop to a shell, you can specify it here.
+# If not specified we use $SHELL, otherwise the one specified in /etc/passwd,
+# otherwise /bin/sh
+# Linux users could specify /sbin/sulogin
+#rc_shell=/bin/sh
+
+# Do we allow any started service in the runlevel to satisfy the dependency
+# or do we want all of them regardless of state? For example, if net.eth0
+# and net.eth1 are in the default runlevel then with rc_depend_strict="NO"
+# both will be started, but services that depend on 'net' will work if either
+# one comes up. With rc_depend_strict="YES" we would require them both to
+# come up.
+#rc_depend_strict="YES"
+
+# rc_hotplug controls which services we allow to be hotplugged.
+# A hotplugged service is one started by a dynamic dev manager when a matching
+# hardware device is found.
+# Hotplugged services appear in the "hotplugged" runlevel.
+# If rc_hotplug is set to any value, we compare the name of this service
+# to every pattern in the value, from left to right, and we allow the
+# service to be hotplugged if it matches a pattern, or if it matches no
+# patterns. Patterns can include shell wildcards.
+# To disable services from being hotplugged, prefix patterns with "!".
+#If rc_hotplug is not set or is empty, all hotplugging is disabled.
+# Example - rc_hotplug="net.wlan !net.*"
+# This allows net.wlan and any service not matching net.* to be hotplugged.
+# Example - rc_hotplug="!net.*"
+# This allows services that do not match "net.*" to be hotplugged.
+
+# rc_logger launches a logging daemon to log the entire rc process to
+# /var/log/rc.log
+# NOTE: Linux systems require the devfs service to be started before
+# logging can take place and as such cannot log the sysinit runlevel.
+#rc_logger="NO"
+
+# Through rc_log_path you can specify a custom log file.
+# The default value is: /var/log/rc.log
+#rc_log_path="/var/log/rc.log"
+
+# If you want verbose output for OpenRC, set this to yes. If you want
+# verbose output for service foo only, set it to yes in /etc/conf.d/foo.
+#rc_verbose=no
+
+# By default we filter the environment for our running scripts. To allow other
+# variables through, add them here. Use a * to allow all variables through.
+#rc_env_allow="VAR1 VAR2"
+
+# By default we assume that all daemons will start correctly.
+# However, some do not - a classic example is that they fork and return 0 AND
+# then child barfs on a configuration error. Or the daemon has a bug and the
+# child crashes. You can set the number of milliseconds start-stop-daemon
+# waits to check that the daemon is still running after starting here.
+# The default is 0 - no checking.
+#rc_start_wait=100
+
+# rc_nostop is a list of services which will not stop when changing runlevels.
+# This still allows the service itself to be stopped when called directly.
+#rc_nostop=""
+
+# rc will attempt to start crashed services by default.
+# However, it will not stop them by default as that could bring down other
+# critical services.
+#rc_crashed_stop=NO
+#rc_crashed_start=YES
+
+# Set rc_nocolor to yes if you do not want colors displayed in OpenRC
+# output.
+#rc_nocolor=NO
+
+##############################################################################
+# MISC CONFIGURATION VARIABLES
+# There variables are shared between many init scripts
+
+# Set unicode to NO to turn off unicode support for keyboards and screens.
+#unicode="YES"
+
+# This is how long fuser should wait for a remote server to respond. The
+# default is 60 seconds, but  it can be adjusted here.
+#rc_fuser_timeout=60
+
+# Below is the default list of network fstypes.
+#
+# afs ceph cifs coda davfs fuse fuse.glusterfs fuse.sshfs gfs glusterfs lustre
+# ncpfs nfs nfs4 ocfs2 shfs smbfs
+#
+# If you would like to add to this list, you can do so by adding your
+# own fstypes to the following variable.
+#extra_net_fs_list=""
+
+##############################################################################
+# SERVICE CONFIGURATION VARIABLES
+# These variables are documented here, but should be configured in
+# /etc/conf.d/foo for service foo and NOT enabled here unless you
+# really want them to work on a global basis.
+# If your service has characters in its name which are not legal in
+# shell variable names and you configure the variables for it in this
+# file, those characters should be replaced with underscores in the
+# variable names as shown below.
+
+# Some daemons are started and stopped via start-stop-daemon.
+# We can set some things on a per service basis, like the nicelevel.
+# These need to be exported
+#export SSD_NICELEVEL="0"
+# Or the ionice level. The format is class[:data] , just like the
+# --ionice start-stop-daemon parameter.
+#export SSD_IONICELEVEL="0:0"
+# Or the OOM score adjustment.
+#export SSD_OOM_SCORE_ADJ="0"
+
+# Pass ulimit parameters
+# If you are using bash in POSIX mode for your shell, note that the
+# ulimit command uses a block size of 512 bytes for the -c and -f
+# options
+#rc_ulimit="-u 30"
+
+# It's possible to define extra dependencies for services like so
+#rc_config="/etc/foo"
+#rc_need="openvpn"
+#rc_use="net.eth0"
+#rc_after="clock"
+#rc_before="local"
+#rc_provide="!net"
+
+# You can also enable the above commands here for each service. Below is an
+# example for service foo.
+#rc_foo_config="/etc/foo"
+#rc_foo_need="openvpn"
+#rc_foo_after="clock"
+
+# Below is an example for service foo-bar. Note that the '-' is illegal
+# in a shell variable name, so we convert it to an underscore.
+# example for service foo-bar.
+#rc_foo_bar_config="/etc/foo-bar"
+#rc_foo_bar_need="openvpn"
+#rc_foo_bar_after="clock"
+
+# You can also remove dependencies.
+# This is mainly used for saying which services do NOT provide net.
+#rc_net_tap0_provide="!net"
+
+# This is the subsystem type.
+# It is used to match against keywords set by the keyword call in the
+# depend function of service scripts.
+#
+# It should be set to the value representing the environment this file is
+# PRESENTLY in, not the virtualization the environment is capable of.
+# If it is commented out, automatic detection will be used.
+#
+# The list below shows all possible settings as well as the host
+# operating systems where they can be used and autodetected.
+#
+# ""               - nothing special
+# "docker"         - Docker container manager (Linux)
+# "jail"           - Jail (DragonflyBSD or FreeBSD)
+# "lxc"            - Linux Containers
+# "openvz"         - Linux OpenVZ
+# "prefix"         - Prefix
+# "rkt"            - CoreOS container management system (Linux)
+# "subhurd"        - Hurd subhurds (to be checked)
+# "systemd-nspawn" - Container created by systemd-nspawn (Linux)
+# "uml"            - Usermode Linux
+# "vserver"        - Linux vserver
+# "xen0"           - Xen0 Domain (Linux and NetBSD)
+# "xenU"           - XenU Domain (Linux and NetBSD)
+#rc_sys=""
+
+# if  you use openrc-init, which is currently only available on Linux,
+# this is the default runlevel to activate after "sysinit" and "boot"
+# when booting.
+#rc_default_runlevel="default"
+
+# on Linux and Hurd, this is the number of ttys allocated for logins
+# It is used in the consolefont, keymaps, numlock and termencoding
+# service scripts.
+rc_tty_number=12
+
+##############################################################################
+# LINUX CGROUPS RESOURCE MANAGEMENT
+
+# This sets the mode used to mount cgroups.
+# "hybrid" mounts cgroups version 2 on /sys/fs/cgroup/unified and
+# cgroups version 1 on /sys/fs/cgroup.
+# "legacy" mounts cgroups version 1 on /sys/fs/cgroup
+# "unified" mounts cgroups version 2 on /sys/fs/cgroup
+rc_cgroup_mode="hybrid"
+
+
+# This is a list of controllers which should be enabled for cgroups version 2
+# when hybrid mode is being used.
+# Controllers listed here will not be available for cgroups version 1.
+rc_cgroup_controllers="cpuset cpu io memory hugelb openrc pids"
+
+# This variable contains the cgroups version 2 settings for your services.
+# If this is set in this file, the settings will apply to all services.
+# If you want different settings for each service, place the settings in
+# /etc/conf.d/foo for service foo.
+# The format is to specify the setting and value followed by a newline.
+# Multiple settings and values can be specified.
+# For example, you would use this to set the maximum memory and maximum
+# number of pids for a service.
+#rc_cgroup_settings="
+#memory.max 10485760
+#pids.max max
+#"
+#
+# For more information about the adjustments that can be made with
+# cgroups version 2, see Documentation/cgroups-v2.txt in the linux kernel
+# source tree.
+#rc_cgroup_settings=""
+
+# This switch controls whether or not cgroups version 1 controllers are
+# individually mounted under
+# /sys/fs/cgroup in hybrid or legacy mode.
+rc_controller_cgroups="YES"
+
+# The following setting turns on the memory.use_hierarchy setting in the
+# root memory cgroup for cgroups v1.
+# It must be set to yes in this file if you want this functionality.
+#rc_cgroup_memory_use_hierarchy="NO"
+
+# The following settings allow you to set up values for the cgroups version 1
+# controllers for your services.
+# They can be set in this file;, however, if you do this, the settings
+# will apply to all of your services.
+# If you want different settings for each service, place the settings in
+# /etc/conf.d/foo for service foo.
+# The format is to specify the names of the settings followed by their
+# values. Each variable can hold multiple settings.
+# For example, you would use this to set the cpu.shares setting in the
+# cpu controller to 512 for your service.
+# rc_cgroup_cpu="
+# cpu.shares 512
+# "
+#
+# For more information about the adjustments that can be made with
+# cgroups version 1, see Documentation/cgroups-v1/* in the linux kernel
+# source tree.
+
+# Set the blkio controller settings for this service.
+#rc_cgroup_blkio=""
+
+# Set the cpu controller settings for this service.
+#rc_cgroup_cpu=""
+
+# Add this service to the cpuacct controller (any value means yes).
+#rc_cgroup_cpuacct=""
+
+# Set the cpuset controller settings for this service.
+#rc_cgroup_cpuset=""
+
+# Set the devices controller settings for this service.
+#rc_cgroup_devices=""
+
+# Set the hugetlb controller settings for this service.
+#rc_cgroup_hugetlb=""
+
+# Set the memory controller settings for this service.
+#rc_cgroup_memory=""
+
+# Set the net_cls controller settings for this service.
+#rc_cgroup_net_cls=""
+
+# Set the net_prio controller settings for this service.
+#rc_cgroup_net_prio=""
+
+# Set the pids controller settings for this service.
+#rc_cgroup_pids=""
+
+# Set this to YES if you want all of the processes in a service's cgroup
+# killed when the service is stopped or restarted.
+# Be aware that setting this to yes means all of a service's
+# child processes will be killed. Keep this in mind if you set this to
+# yes here instead of for the individual services in
+# /etc/conf.d/<service>.
+# To perform this cleanup manually for a stopped service, you can
+# execute cgroup_cleanup with /etc/init.d/<service> cgroup_cleanup or
+# rc-service <service> cgroup_cleanup.
+# If the kernel includes support for cgroup2's cgroup.kill, this is used
+# to reliably teardown the cgroup.
+# If this fails, the process followed in this cleanup is the following:
+# 1. send stopsig (sigterm if it isn't set) to all processes left in the
+# cgroup immediately followed by sigcont.
+# 2. Send sighup to all processes in the cgroup if rc_send_sighup is
+# yes.
+# 3. delay for rc_timeout_stopsec seconds.
+# 4. send sigkill to all processes in the cgroup unless disabled by
+# setting rc_send_sigkill to no.
+# rc_cgroup_cleanup="NO"
+
+# If this is yes, we will send sighup to the processes in the cgroup
+# immediately after stopsig and sigcont.
+#rc_send_sighup="NO"
+
+# This is the amount of time in seconds that we delay after sending sigcont
+# and optionally sighup, before we optionally send sigkill to all
+# processes in the # cgroup.
+# The default is 90 seconds.
+#rc_timeout_stopsec="90"
+
+# If this is set to no, we do not send sigkill to all processes in the
+# cgroup.
+#rc_send_sigkill="YES"
+
+##############################################################################
+# SUPERVISE DAEMON CONFIGURATION VARIABLES
+# These variables sets more reasonable defaults for supervise-daemon(8).
+# They may be overriden on a per service basis.
+
+# Wait this number of seconds before restarting a daemon after it crashes.
+respawn_delay=2
+
+# Sets the maximum number of times a daemon will be respawned during a respawn
+# period. If a daemon dies more than this number of times during a respawn
+# period, supervise-daemon(8) will give up trying to respawn it and exit.
+# 0 means unlimited.
+respawn_max=5
+
+# Sets the length in seconds of a respawn period.
+respawn_period=1800

recipes/nuo/templates/conf/docker/subuid.pktpl.hcl

@@ -0,0 +1,3 @@
+%{ if Vars.RootlessDocker }
+docker:231072:65536
+%{ endif }

recipes/nuo/templates/conf/harbor/harbor.yml.pktpl.hcl

@@ -0,0 +1,265 @@
+# Configuration file of Harbor
+
+# The IP address or hostname to access admin UI and registry service.
+# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
+hostname: ${Vars.HarborDomain}
+
+# http related config
+http:
+  # port for http, default is 80. If https enabled, this port will redirect to https port
+  port: ${Vars.HarborHTTPPort}
+
+# https related config
+https:
+  # https port for harbor, default is 443
+  port: ${Vars.HarborHTTPSPort}
+  # The path of cert and key files for nginx
+  certificate: ${Vars.HarborSSLCert}
+  private_key: ${Vars.HarborSSLPrivKey}
+
+# # Uncomment following will enable tls communication between all harbor components
+# internal_tls:
+#   # set enabled to true means internal tls is enabled
+#   enabled: true
+#   # put your cert and key files on dir
+#   dir: /etc/harbor/tls/internal
+
+# Uncomment external_url if you want to enable external proxy
+# And when it enabled the hostname will no longer used
+# external_url: https://reg.mydomain.com:8433
+
+# The initial password of Harbor admin
+# It only works in first time to install harbor
+# Remember Change the admin password from UI after launching Harbor.
+harbor_admin_password: ${Vars.HarborAdminPassword}
+
+# Harbor DB configuration
+database:
+  # The password for the root user of Harbor DB. Change this before any production use.
+  password: ${Vars.HarborDBPassword}
+  # The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
+  max_idle_conns: 50
+  # The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
+  # Note: the default number of connections is 100 for postgres.
+  max_open_conns: 200
+
+# The default data volume
+data_volume: /srv/harbor/data
+
+# Harbor Storage settings by default is using /data dir on local filesystem
+# Uncomment storage_service setting If you want to using external storage
+# storage_service:
+#   # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
+#   # of registry's and chart repository's containers.  This is usually needed when the user hosts a internal storage with self signed certificate.
+#   ca_bundle:
+
+#   # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
+#   # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
+#   filesystem:
+#     maxthreads: 100
+#   # set disable to true when you want to disable registry redirect
+#   redirect:
+#     disabled: false
+
+# Trivy configuration
+#
+# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
+# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
+# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
+# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
+# 12 hours and published as a new release to GitHub.
+trivy:
+  # ignoreUnfixed The flag to display only fixed vulnerabilities
+  ignore_unfixed: false
+  # skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
+  #
+  # You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
+  # If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
+  # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
+  skip_update: false
+  #
+  # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
+  # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
+  # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
+  # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
+  # It would work if all the dependencies are in local.
+  # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
+  offline_scan: false
+  #
+  # insecure The flag to skip verifying registry certificate
+  insecure: false
+  # github_token The GitHub access token to download Trivy DB
+  #
+  # Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
+  # for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
+  # requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
+  # https://developer.github.com/v3/#rate-limiting
+  #
+  # You can create a GitHub token by following the instructions in
+  # https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
+  #
+  # github_token: xxx
+
+jobservice:
+  # Maximum number of job workers in job service
+  max_job_workers: 10
+  logger_sweeper_duration: 300
+
+notification:
+  # Maximum retry count for webhook job
+  webhook_job_max_retry: 10
+  webhook_job_http_client_timeout: 300
+
+chart:
+  # Change the value of absolute_url to enabled can enable absolute url in chart
+  absolute_url: disabled
+
+# Log configurations
+log:
+  # options are debug, info, warning, error, fatal
+  level: info
+  # configs for logs in local storage
+  local:
+    # Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
+    rotate_count: 50
+    # Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
+    # If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
+    # are all valid.
+    rotate_size: 200M
+    # The directory on your host that store log
+    location: /var/log/harbor
+
+  # Uncomment following lines to enable external syslog endpoint.
+  # external_endpoint:
+  #   # protocol used to transmit log to external endpoint, options is tcp or udp
+  #   protocol: tcp
+  #   # The host of external endpoint
+  #   host: localhost
+  #   # Port of external endpoint
+  #   port: 5140
+
+#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
+_version: 2.6.0
+
+# Uncomment external_database if using external database.
+# external_database:
+#   harbor:
+#     host: harbor_db_host
+#     port: harbor_db_port
+#     db_name: harbor_db_name
+#     username: harbor_db_username
+#     password: harbor_db_password
+#     ssl_mode: disable
+#     max_idle_conns: 2
+#     max_open_conns: 0
+#   notary_signer:
+#     host: notary_signer_db_host
+#     port: notary_signer_db_port
+#     db_name: notary_signer_db_name
+#     username: notary_signer_db_username
+#     password: notary_signer_db_password
+#     ssl_mode: disable
+#   notary_server:
+#     host: notary_server_db_host
+#     port: notary_server_db_port
+#     db_name: notary_server_db_name
+#     username: notary_server_db_username
+#     password: notary_server_db_password
+#     ssl_mode: disable
+
+# Uncomment external_redis if using external Redis server
+# external_redis:
+#   # support redis, redis+sentinel
+#   # host for redis: <host_redis>:<port_redis>
+#   # host for redis+sentinel:
+#   #  <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
+#   host: redis:6379
+#   password:
+#   # sentinel_master_set must be set to support redis+sentinel
+#   #sentinel_master_set:
+#   # db_index 0 is for core, it's unchangeable
+#   registry_db_index: 1
+#   jobservice_db_index: 2
+#   chartmuseum_db_index: 3
+#   trivy_db_index: 5
+#   idle_timeout_seconds: 30
+
+# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
+# uaa:
+#   ca_file: /path/to/ca
+
+# Global proxy
+# Config http proxy for components, e.g. http://my.proxy.com:3128
+# Components doesn't need to connect to each others via http proxy.
+# Remove component from `components` array if want disable proxy
+# for it. If you want use proxy for replication, MUST enable proxy
+# for core and jobservice, and set `http_proxy` and `https_proxy`.
+# Add domain to the `no_proxy` field, when you want disable proxy
+# for some special registry.
+proxy:
+  http_proxy:
+  https_proxy:
+  no_proxy:
+  components:
+  - core
+  - jobservice
+  - notary
+  - trivy
+
+metric:
+  enabled: false
+  port: 9090
+  path: /metrics
+
+# Trace related config
+# only can enable one trace provider(jaeger or otel) at the same time,
+# and when using jaeger as provider, can only enable it with agent mode or collector mode.
+# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
+# if using jaeger agetn mode uncomment agent_host and agent_port
+# trace:
+#   enabled: true
+#   # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
+#   sample_rate: 1
+#   # # namespace used to differenciate different harbor services
+#   # namespace:
+#   # # attributes is a key value dict contains user defined attributes used to initialize trace provider
+#   # attributes:
+#   #   application: harbor
+#   # # jaeger should be 1.26 or newer.
+#   # jaeger:
+#   #   endpoint: http://hostname:14268/api/traces
+#   #   username:
+#   #   password:
+#   #   agent_host: hostname
+#   #   # export trace data by jaeger.thrift in compact mode
+#   #   agent_port: 6831
+#   # otel:
+#   #   endpoint: hostname:4318
+#   #   url_path: /v1/traces
+#   #   compression: false
+#   #   insecure: true
+#   #   timeout: 10s
+
+# enable purge _upload directories
+upload_purging:
+  enabled: true
+  # remove files in _upload directories which exist for a period of time, default is one week.
+  age: 168h
+  # the interval of the purge operations
+  interval: 24h
+  dryrun: false
+
+# cache layer configurations
+# If this feature enabled, harbor will cache the resource
+# `project/project_metadata/repository/artifact/manifest` in the redis
+# which can especially help to improve the performance of high concurrent
+# manifest pulling.
+# NOTICE
+# If you are deploying Harbor in HA mode, make sure that all the harbor
+# instances have the same behaviour, all with caching enabled or disabled,
+# otherwise it can lead to potential data inconsistency.
+cache:
+  # not enabled by default
+  enabled: false
+  # keep cache for one day by default
+  expire_hours: 24

recipes/nuo/templates/conf/install/awnsers.pktpl.hcl

@@ -0,0 +1,47 @@
+
+# Example answer file for setup-alpine script
+# If you don't want to use a certain option, then comment it out
+
+# Use US layout with US variant
+KEYMAPOPTS="fr fr"
+
+# Set hostname to alpine-test
+HOSTNAMEOPTS="-n ${hostname}"
+
+# Contents of /etc/network/interfaces
+INTERFACESOPTS="auto lo
+iface lo inet loopback
+
+auto eth0
+iface eth0 inet dhcp
+    hostname ${hostname}
+"
+
+# Search domain of example.com, OpenDNS public nameserver
+# ex: -d example.com 1.1.1.1"
+DNSOPTS=""
+
+# Set timezone to UTC
+TIMEZONEOPTS="-z Europe/Paris"
+
+# set http/ftp proxy
+PROXYOPTS="none"
+
+# Add a random mirror
+APKREPOSOPTS="-r -c"
+
+# Install Openssh
+SSHDOPTS="-c openssh -k /root/.ssh/authorized_keys"
+
+# Use openntpd
+NTPOPTS="-c openntpd"
+
+# Use /dev/sda as a data disk
+DISKOPTS="-L -m sys ${disk_device}"
+
+USEROPTS="-a -g 'netdev' ${user}"
+
+# Setup in /media/vda1
+# LBUOPTS="/media/vda1"
+# APKCACHEOPTS="/media/vda1/cache"
+

recipes/nuo/templates/conf/k3s/k3s.conf.pkr.hcl

@@ -0,0 +1,8 @@
+# k3s options
+export PATH="/usr/libexec/cni/:$PATH"
+K3S_EXEC="server"
+%{ if Vars.DeployTraefik }
+K3S_OPTS=""
+%{ else }
+K3S_OPTS="--disable traefik"
+%{ endif }

recipes/nuo/templates/conf/kind/cluster.yaml.pktpl.hcl

@@ -0,0 +1,40 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+name: ${Vars.Cluster.Name}
+networking:
+  podSubnet: "${Vars.Cluster.PodSubNet}"
+  serviceSubnet: "${Vars.Cluster.ServieSubNet}"
+nodes:
+%{ for nd in Vars.Cluster.Nodes }
+- role: ${nd.Role}
+  image: kindest/node:v${Vars.Cluster.Version}
+  %{ if nd.Role == "control-plane"}
+  kubeadmConfigPatches:
+  - |
+    kind: InitConfiguration
+    %{ if Vars.Cluster.IngressReady }
+    nodeRegistration:
+      kubeletExtraArgs:
+        node-labels: "ingress-ready=true"
+    %{ endif }
+  extraPortMappings:
+  - containerPort: 31000
+    hostPort: 31000
+    listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
+  - containerPort: 80
+    hostPort: 8080
+    listenAddress: "0.0.0.0" # Optional, defaults to "0.0.0.0"
+    %{ if Vars.Cluster.IngressReady }
+  labels:
+    ingress-ready: true
+    %{ endif }
+  %{ endif }
+  %{ if nd.Role == "worker" }
+  kubeadmConfigPatches:
+  - |
+    kind: JoinConfiguration
+    nodeRegistration:
+      kubeletExtraArgs:
+        system-reserved: memory=2Gi
+  %{ endif }
+%{ endfor ~}

recipes/nuo/templates/conf/matchbox/conf.d/matchbox.conf.pktpl.hcl

@@ -0,0 +1 @@
+command_args="-address 0.0.0.0:${Vars.MatchBox.HTTPPort} -rpc-address 0.0.0.0:${Vars.MatchBox.gRPCPort} -log-level ${Vars.MatchBox.LogLevel}"

recipes/nuo/templates/conf/matchbox/dnsmasq.d/dnsmasq-hosts.conf.pktpl.hcl

@@ -0,0 +1,4 @@
+${Vars.NIC[0].IP} ${Vars.Set.Hostname}
+%{ if Vars.MatchBox.Hostname != "" }
+${Vars.NIC[0].IP} ${Vars.MatchBox.Hostname}
+%{ endif }

recipes/nuo/templates/conf/matchbox/dnsmasq.d/ipxe.conf.pktpl.hcl

@@ -0,0 +1,60 @@
+log-queries
+log-dhcp
+
+#port=0
+listen-address=0.0.0.0
+interface=${Vars.PXE.ListenInterface}
+no-resolv
+domain-needed
+bogus-priv
+expand-hosts
+server=${Vars.ETH0.DNS}
+strict-order
+addn-hosts=/etc/dnsmasq-hosts.conf
+domain=${Vars.PXE.DNSDomain}
+local=/${Vars.PXE.DNSDomain}/
+localise-queries
+
+
+%{ if Vars.PXE.DHCPMode == "proxy" }
+#dhcp-no-override
+dhcp-range=${Vars.ETH0.IP},proxy
+%{ else }
+dhcp-range=${Vars.PXE.DHCPRangeStart},${Vars.PXE.DHCPRangeEnd},${Vars.PXE.DHCPLeaseDuration}
+dhcp-option=option:router,${Vars.ETH0.GATEWAY}
+%{ endif }
+
+dhcp-option=option:dns-server,${Vars.ETH0.IP}
+dhcp-option=option:domain-name,${Vars.PXE.DNSDomain}
+
+# TFTP Configuration
+enable-tftp
+tftp-root="${Vars.PXE.TFTPRoot}"
+
+pxe-prompt="${Vars.PXE.GreetingMessage}",${Vars.PXE.DelayTime}
+
+# Based on logic in https://gist.github.com/robinsmidsrod/4008017
+# iPXE sends a 175 option, checking suboptions
+dhcp-match=set:ipxe-http,175,19
+dhcp-match=set:ipxe-https,175,20
+dhcp-match=set:ipxe-menu,175,39
+# pcbios specific
+dhcp-match=set:ipxe-pxe,175,33
+dhcp-match=set:ipxe-bzimage,175,24
+dhcp-match=set:ipxe-iscsi,175,17
+# efi specific
+dhcp-match=set:ipxe-efi,175,36
+# combination
+# set ipxe-ok tag if we have correct combination
+# http && menu && iscsi ((pxe && bzimage) || efi)
+tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-pxe,tag:ipxe-bzimage
+tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-efi
+
+
+## Load different PXE boot image depending on client architecture (when running as a proxy DHCP)
+pxe-service=tag:!ipxe-ok, x86PC, "Legacy boot PXE chainload to iPXE", undionly.kpxe
+pxe-service=tag:!ipxe-ok, BC_EFI, "UEFI32 boot chainload to iPXE", snponly.efi
+pxe-service=tag:!ipxe-ok, X86-64_EFI, "UEFI64 boot chainload to iPXE", snponly.efi
+
+dhcp-userclass=set:ipxe,iPXE
+dhcp-boot=tag:ipxe-ok,http://${Vars.ETH0.IP}:${Vars.MatchBox.HTTPPort}/boot.ipxe,,${Vars.ETH0.IP}

recipes/nuo/templates/conf/matchbox/init.d/matchbox.pktpl.hcl

@@ -0,0 +1,28 @@
+#!/sbin/openrc-run
+  
+name=$RC_SVCNAME
+command="/usr/local/bin/$RC_SVCNAME"
+command_user="$RC_SVCNAME"
+pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"
+start_stop_daemon_args="--start -b"
+command_args="$command_args"
+command_background="yes"
+
+depend() {
+        need net
+}
+
+start_pre() {
+        checkpath --directory --owner $command_user:$command_user --mode 0775 \
+                /run/$RC_SVCNAME /var/log/$RC_SVCNAME
+        if [ ! -f "/etc/matchbox/server.crt" ]; then
+                cd /root/tls
+                export SAN="DNS.1:${Vars.MatchBox.Hostname},IP.1:${Vars.ETH0.IP}"
+                ./cert-gen
+                mkdir -p /etc/matchbox
+                cp ca.crt server.crt server.key /etc/matchbox
+                chown -R matchbox:matchbox /etc/matchbox
+                mkdir -p /root/.matchbox
+                cp client.crt client.key ca.crt /root/.matchbox/
+        fi
+}

recipes/nuo/templates/conf/nuo-harbor

@@ -0,0 +1 @@
+harbor

recipes/nuo/templates/conf/nuo-matchbox/conf.d/matchbox.conf.pktpl.hcl

@@ -0,0 +1 @@
+command_args="-address 0.0.0.0:${Vars.MatchBox.HTTPPort} -rpc-address 0.0.0.0:${Vars.MatchBox.gRPCPort} -log-level ${Vars.MatchBox.LogLevel}"

recipes/nuo/templates/conf/nuo-matchbox/dnsmasq.d/dnsmasq-hosts.conf.pktpl.hcl

@@ -0,0 +1,7 @@
+${Vars.NIC[0].IP} ${Vars.Set.Hostname}
+%{ if Vars.MatchBox.Hostname != "" }
+${Vars.NIC[0].IP} ${Vars.MatchBox.Hostname}
+%{ endif }
+%{ for host in Vars.DNSMasq.Hosts }
+${host.IP} ${host.Name}
+%{ endfor }

recipes/nuo/templates/conf/nuo-matchbox/dnsmasq.d/ipxe.conf.pktpl.hcl

@@ -0,0 +1,60 @@
+log-queries
+log-dhcp
+
+#port=0
+listen-address=0.0.0.0
+interface=${Vars.PXE.ListenInterface}
+no-resolv
+domain-needed
+bogus-priv
+expand-hosts
+server=${Vars.DNS[0]}
+strict-order
+addn-hosts=/etc/dnsmasq-hosts.conf
+domain=${Vars.PXE.DNSDomain}
+local=/${Vars.PXE.DNSDomain}/
+localise-queries
+
+
+%{ if Vars.PXE.DHCPMode == "proxy" }
+#dhcp-no-override
+dhcp-range=${Vars.NIC[0].IP},proxy
+%{ else }
+dhcp-range=${Vars.PXE.DHCPRangeStart},${Vars.PXE.DHCPRangeEnd},${Vars.PXE.DHCPLeaseDuration}
+dhcp-option=option:router,${Vars.NIC[0].Gateway}
+%{ endif }
+
+dhcp-option=option:dns-server,${Vars.NIC[0].IP}
+dhcp-option=option:domain-name,${Vars.PXE.DNSDomain}
+
+# TFTP Configuration
+enable-tftp
+tftp-root="${Vars.PXE.TFTPRoot}"
+
+pxe-prompt="${Vars.PXE.GreetingMessage}",${Vars.PXE.DelayTime}
+
+# Based on logic in https://gist.github.com/robinsmidsrod/4008017
+# iPXE sends a 175 option, checking suboptions
+dhcp-match=set:ipxe-http,175,19
+dhcp-match=set:ipxe-https,175,20
+dhcp-match=set:ipxe-menu,175,39
+# pcbios specific
+dhcp-match=set:ipxe-pxe,175,33
+dhcp-match=set:ipxe-bzimage,175,24
+dhcp-match=set:ipxe-iscsi,175,17
+# efi specific
+dhcp-match=set:ipxe-efi,175,36
+# combination
+# set ipxe-ok tag if we have correct combination
+# http && menu && iscsi ((pxe && bzimage) || efi)
+tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-pxe,tag:ipxe-bzimage
+tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-menu,tag:ipxe-iscsi,tag:ipxe-efi
+
+
+## Load different PXE boot image depending on client architecture (when running as a proxy DHCP)
+pxe-service=tag:!ipxe-ok, x86PC, "Legacy boot PXE chainload to iPXE", undionly.kpxe
+pxe-service=tag:!ipxe-ok, BC_EFI, "UEFI32 boot chainload to iPXE", snponly.efi
+pxe-service=tag:!ipxe-ok, X86-64_EFI, "UEFI64 boot chainload to iPXE", snponly.efi
+
+dhcp-userclass=set:ipxe,iPXE
+dhcp-boot=tag:ipxe-ok,http://${Vars.NIC[0].IP}:${Vars.MatchBox.HTTPPort}/boot.ipxe,,${Vars.NIC[0].IP}

recipes/nuo/templates/conf/nuo-matchbox/hostname.pktpl.hcl

@@ -0,0 +1 @@
+${Vars.Set.Hostname}

recipes/nuo/templates/conf/nuo-matchbox/init.d/matchbox.pktpl.hcl

@@ -0,0 +1,28 @@
+#!/sbin/openrc-run
+  
+name=$RC_SVCNAME
+command="/usr/local/bin/$RC_SVCNAME"
+command_user="$RC_SVCNAME"
+pidfile="/run/$RC_SVCNAME/$RC_SVCNAME.pid"
+start_stop_daemon_args="--start -b"
+command_args="$command_args"
+command_background="yes"
+
+depend() {
+        need net
+}
+
+start_pre() {
+        checkpath --directory --owner $command_user:$command_user --mode 0775 \
+                /run/$RC_SVCNAME /var/log/$RC_SVCNAME
+        if [ ! -f "/etc/matchbox/server.crt" ]; then
+                cd /root/tls
+                export SAN="DNS.1:${Vars.MatchBox.Hostname},IP.1:${Vars.NIC[0].IP}"
+                ./cert-gen
+                mkdir -p /etc/matchbox
+                cp ca.crt server.crt server.key /etc/matchbox
+                chown -R matchbox:matchbox /etc/matchbox
+                mkdir -p /root/.matchbox
+                cp client.crt client.key ca.crt /root/.matchbox/
+        fi
+}

recipes/nuo/templates/conf/nuo-matchbox/network/interfaces.pktpl.hcl

@@ -0,0 +1,9 @@
+
+%{ for iface in Vars.NIC }
+auto ${iface.Name}
+
+iface ${iface.Name} inet static
+  address ${iface.IP}
+  netmask ${iface.Mask}
+  gateway ${iface.Gateway}
+%{ endfor ~}

recipes/nuo/templates/conf/nuo-matchbox/resolv.conf.pktpl.hcl

@@ -0,0 +1,4 @@
+
+%{ for dns in Vars.DNS }
+nameserver ${dns}
+%{ endfor ~}

recipes/nuo/templates/one/image/common.tpl

@@ -0,0 +1,7 @@
+NAME = <%= image_name %>
+PATH = <%= image_source %>
+TYPE = OS
+PERSISTENT = No
+DESCRIPTION = "<%= image_comment %>"
+DEV_PREFIX = vd
+FORMAT = qcow2

recipes/nuo/templates/one/service/kubernetes-cluster.json

@@ -0,0 +1,48 @@
+{
+    "name": "<%= template_name %>",
+    "deployment": "straight",
+    "description": "Cluster Kubernetes (k8s)",
+    "roles": [
+      {
+        "name": "leader",
+        "cardinality": 1,
+        "vm_template": <%= getTemplateByName(oneCli, vm_name).id %>,
+        "shutdown_action": "terminate",
+        "vm_template_contents": "NIC = [\n  NAME = \"NIC0\",\n  NETWORK_ID = \"$main\",\n  RDP = \"YES\" ]\nNIC = [\n  NAME = \"NIC1\",\n  NETWORK_ID = \"$internal\" ]\n",
+        "elasticity_policies": [],
+        "scheduled_policies": []
+      },
+      {
+        "name": "master",
+        "cardinality": 2,
+        "vm_template": <%= getTemplateByName(oneCli, vm_name).id %>,
+        "shutdown_action": "terminate",
+        "vm_template_contents": "NIC = [\n  NAME = \"NIC0\",\n  NETWORK_ID = \"$main\",\n  RDP = \"YES\" ]\nNIC = [\n  NAME = \"NIC1\",\n  NETWORK_ID = \"$internal\" ]\n",
+        "elasticity_policies": [],
+        "scheduled_policies": []
+      },
+      {
+        "name": "worker",
+        "cardinality": 4,
+        "vm_template": <%= getTemplateByName(oneCli, vm_name).id %>,
+        "shutdown_action": "terminate",
+        "parents": [
+          "leader"
+        ],
+        "vm_template_contents": "NIC = [\n  NAME = \"NIC0\",\n  NETWORK_ID = \"$main\",\n  RDP = \"YES\" ]\nNIC = [\n  NAME = \"NIC1\",\n  NETWORK_ID = \"$internal\" ]\n",
+        "elasticity_policies": [],
+        "scheduled_policies": []
+      }
+    ],
+    "networks": {
+      "main": "M|network|Main  network| |id:",
+      "internal": "M|network|Internal network| |id:"
+    },
+    "custom_attrs": {
+      "KUBEAPPS_DNS_NAME": "M|text|DNS Name for kubeapps service| |kubeapps.k3s-eole.local",
+      "INGRESS_PROVIDER": "O|list|Default ingress to install|nginx, traefik, |",
+      "LE_EMAIL": "M|text|Email | |"
+    },
+    "shutdown_action": "terminate",
+    "ready_status_gate": true
+  }

recipes/nuo/templates/one/vm/common.xml

@@ -0,0 +1,33 @@
+NAME = "<%= template_name %>"
+CONTEXT = [
+  NETWORK = "YES",
+  REPORT_READY = "YES",
+  SET_HOSTNAME = "$NAME",
+  SSH_PUBLIC_KEY = "$USER[SSH_PUBLIC_KEY]",
+  TOKEN = "YES" ]
+CPU = "0.2"
+DESCRIPTION = "Alpine basic image"
+DISK = [
+  DEV_PREFIX = "vd",
+  DRIVER = "qcow2",
+  IMAGE = "<%= image_name %>",
+  IMAGE_UNAME = "<%= user %>" ]
+GRAPHICS = [
+  KEYMAP = "fr",
+  LISTEN = "0.0.0.0",
+  TYPE = "VNC" ]
+HYPERVISOR = "kvm"
+INPUT = [
+  BUS = "usb",
+  TYPE = "tablet" ]
+INPUTS_ORDER = ""
+LOGO = "images/logos/linux.png"
+MEMORY = "512"
+MEMORY_UNIT_COST = "MB"
+NIC_DEFAULT = [
+  MODEL = "virtio" ]
+OS = [
+  ARCH = "x86_64",
+  BOOT = "",
+  SD_DISK_BUS = "scsi" ]
+VCPU = "2"

recipes/nuo/templates/one/vm/k3s.xml

@@ -0,0 +1,32 @@
+NAME = "<%= template_name %>"
+CONTEXT = [
+  NETWORK = "YES",
+  REPORT_READY = "YES",
+  SET_HOSTNAME = "$NAME",
+  SSH_PUBLIC_KEY = "$USER[SSH_PUBLIC_KEY]",
+  TOKEN = "YES" ]
+CPU = "0.2"
+DESCRIPTION = "K3S Ready VM"
+DISK = [
+  IMAGE = "<%= image_name %>",
+  IMAGE_UNAME = "<%= user %>",
+  DRIVER = "qcow2" ]
+GRAPHICS = [
+  KEYMAP = "fr",
+  LISTEN = "0.0.0.0",
+  TYPE = "VNC" ]
+HYPERVISOR = "kvm"
+INPUT = [
+  BUS = "usb",
+  TYPE = "tablet" ]
+INPUTS_ORDER = ""
+LOGO = "images/logos/alpine.png"
+MEMORY = "2048"
+MEMORY_UNIT_COST = "MB"
+NIC_DEFAULT = [
+  MODEL = "virtio" ]
+OS = [
+  ARCH = "x86_64",
+  BOOT = "",
+  SD_DISK_BUS = "scsi" ]
+VCPU = "2"

recipes/nuo/templates/one/vm/kubeleader.xml

@@ -0,0 +1,35 @@
+NAME = "<%= template_name %>"
+CONTEXT = [
+  NETWORK = "YES",
+  REPORT_READY = "YES",
+  SET_HOSTNAME = "$NAME",
+  SERVER_ROLE = "leader",
+  TOKEN = "YES",
+  SSH_PUBLIC_KEY = "$USER[SSH_PUBLIC_KEY]"
+]
+CPU = "0.8"
+DESCRIPTION = "Kubernetes master or Docker VM (check the name)"
+DISK = [
+  DEV_PREFIX = "vd",
+  IMAGE = "<%= image_name %>",
+  IMAGE_UNAME = "<%= user %>",
+  DRIVER = "qcow2" ]
+GRAPHICS = [
+  LISTEN = "0.0.0.0",
+  KEYMAP = "fr",
+  TYPE = "VNC" ]
+HYPERVISOR = "kvm"
+INPUT = [
+  BUS = "usb",
+  TYPE = "tablet" ]
+INPUTS_ORDER = ""
+LOGO = "images/logos/alpine.png"
+MEMORY = "2048"
+MEMORY_UNIT_COST = "MB"
+NIC_DEFAULT = [
+  MODEL = "virtio" ]
+OS = [
+  ARCH = "x86_64",
+  BOOT = "",
+  SD_DISK_BUS = "scsi" ]
+VCPU = "4"

recipes/nuo/templates/one/vm/kubemaster.xml

@@ -0,0 +1,42 @@
+NAME = "<%= template_name %>"
+CONTEXT = [
+  NETWORK = "YES",
+  REPORT_READY = "YES",
+  SET_HOSTNAME = "$NAME",
+  SERVER_ROLE = "master",
+  MASTER_ADDR = "$MASTER_ADDR",
+  MASTER_TOKEN = "$MASTER_TOKEN",
+  MASTER_CA_TOKEN = "$MASTER_CA_TOKEN",
+  TOKEN = "YES",
+  SSH_PUBLIC_KEY = "$USER[SSH_PUBLIC_KEY]"
+]
+CPU = "0.8"
+DESCRIPTION = "Kubernetes worker VM"
+DISK = [
+  DEV_PREFIX = "vd",
+  IMAGE = "<%= image_name %>",
+  IMAGE_UNAME = "<%= user %>",
+  DRIVER = "qcow2" ]
+GRAPHICS = [
+  LISTEN = "0.0.0.0",
+  KEYMAP = "fr",
+  TYPE = "VNC" ]
+HYPERVISOR = "kvm"
+INPUT = [
+  BUS = "usb",
+  TYPE = "tablet" ]
+INPUTS_ORDER = ""
+LOGO = "images/logos/alpine.png"
+MEMORY = "2048"
+MEMORY_UNIT_COST = "MB"
+NIC_DEFAULT = [
+  MODEL = "virtio" ]
+OS = [
+  ARCH = "x86_64",
+  BOOT = "",
+  SD_DISK_BUS = "scsi" ]
+USER_INPUTS = [
+  MASTER_ADDR = "O|text|Master address (for workers only)",
+  MASTER_TOKEN = "O|text|Master Token (for workers only)",
+  MASTER_CA_TOKEN = "O|text|Master CA Token (for workers only)" ]
+VCPU = "4"

recipes/nuo/templates/one/vm/kubeworker.xml

@@ -0,0 +1,42 @@
+NAME = "<%= template_name %>"
+CONTEXT = [
+  NETWORK = "YES",
+  REPORT_READY = "YES",
+  SET_HOSTNAME = "$NAME",
+  SERVER_ROLE = "worker",
+  MASTER_ADDR = "$MASTER_ADDR",
+  MASTER_TOKEN = "$MASTER_TOKEN",
+  MASTER_CA_TOKEN = "$MASTER_CA_TOKEN",
+  TOKEN = "YES",
+  SSH_PUBLIC_KEY = "$USER[SSH_PUBLIC_KEY]"
+]
+CPU = "0.8"
+DESCRIPTION = "Kubernetes worker VM"
+DISK = [
+  DEV_PREFIX = "vd",
+  IMAGE = "<%= image_name %>",
+  IMAGE_UNAME = "<%= user %>",
+  DRIVER = "qcow2" ]
+GRAPHICS = [
+  LISTEN = "0.0.0.0",
+  KEYMAP = "fr",
+  TYPE = "VNC" ]
+HYPERVISOR = "kvm"
+INPUT = [
+  BUS = "usb",
+  TYPE = "tablet" ]
+INPUTS_ORDER = ""
+LOGO = "images/logos/alpine.png"
+MEMORY = "4096"
+MEMORY_UNIT_COST = "MB"
+NIC_DEFAULT = [
+  MODEL = "virtio" ]
+OS = [
+  ARCH = "x86_64",
+  BOOT = "",
+  SD_DISK_BUS = "scsi" ]
+USER_INPUTS = [
+  MASTER_ADDR = "O|text|Master address (for workers only)",
+  MASTER_TOKEN = "O|text|Master Token (for workers only)",
+  MASTER_CA_TOKEN = "O|text|Master CA Token (for workers only)" ]
+VCPU = "4"

recipes/nuo/templates/one/vm/matchbox.xml

@@ -0,0 +1,47 @@
+NAME = "<%= template_name %>"
+CONTEXT = [
+  MATCHBOX_URL = "http://$NAME",
+  NETWORK = "YES",
+  PXE_DHCPLEASEDURATION = "$DHCPLEASEDURATION",
+  PXE_DHCPMODE = "$ADHCPMODE",
+  PXE_DNSDOMAIN = "$BDNSDOMAIN",
+  PXE_DHCPRANGESTART = "$CDHCPRANGESTART",
+  PXE_DHCPRANGEEND = "$DDHCPRANGEEND",
+  PXE_DHCPLEASEDURATION = "$EDHCPLEASEDURATION",
+  MATCHBOX_HOSTNAME = "$FMATCHBOX_HOSTNAME",
+  REPORT_READY = "YES",
+  SET_HOSTNAME = "$NAME",
+  SSH_PUBLIC_KEY = "$USER[SSH_PUBLIC_KEY]",
+  TOKEN = "YES" ]
+CPU = "0.2"
+DESCRIPTION = "Matchbox Ready VM"
+DISK = [
+  IMAGE = "<%= image_name %>",
+  IMAGE_UNAME = "<%= user %>",
+  DRIVER = "qcow2" ]
+GRAPHICS = [
+  KEYMAP = "fr",
+  LISTEN = "0.0.0.0",
+  TYPE = "VNC" ]
+HYPERVISOR = "kvm"
+INPUT = [
+  BUS = "usb",
+  TYPE = "tablet" ]
+INPUTS_ORDER = ""
+LOGO = "images/logos/alpine.png"
+MEMORY = "2048"
+MEMORY_UNIT_COST = "MB"
+NIC_DEFAULT = [
+  MODEL = "virtio" ]
+OS = [
+  ARCH = "x86_64",
+  BOOT = "",
+  SD_DISK_BUS = "scsi" ]
+USER_INPUTS = [
+  ADHCPMODE = "M|list|DHCP Mode|proxy,direct|proxy",
+  BDNSDOMAIN = "M|text|Nom de la zone DNS (ex: cadol.es)",
+  CDHCPRANGESTART = "O|text|DNSMASQ DHCP Range First IP", 
+  DDHCPRANGEEND = "O|text|DNSMASQ DHCP Range Last IP",
+  EDHCPLEASEDURATION = "M|list|DHCP lease duration|1h,2h,4h,6h,8h,10h,12h,14h,24h|1h",
+  FMATCHBOX_HOSTNAME = "O|text|Matchbox service hostname|mb.cadol.es" ]
+VCPU = "2"