1.\" SPDX-License-Identifier: BSD-2-Clause 2.\" 3.\" Copyright (c) 2025 Baptiste Daroussin <bapt@FreeBSD.org> 4.\" Copyright (c) 2025 Jesús Daniel Colmenares Oviedo <dtxdf@FreeBSD.org> 5.\" 6.Dd June 8, 2026 7.Dt NUAGEINIT 7 8.Os 9.Sh NAME 10.Nm nuageinit 11.Nd initialize a cloud-init environment 12.Sh DESCRIPTION 13The 14.Nm 15program is used to initialize instances in a cloud environment. 16.Nm 17runs at the first boot after the system installation. 18It is composed of three 19.Xr rc 8 20scripts: 21.Bl -tag -width "nuageinit" 22.It Cm nuageinit 23This script detects the type of cloud environment and gathers 24the configuration data accordingly. 25The following cloud environments are supported right now: 26.Bl -tag -width "OpenStack" 27.It ondisk 28A cloud agnostic environment where the disk is provided to the system 29with the configuration data on it. 30The disk must be formatted using one of the following filesystems: 31.Xr cd9660 4 32or 33.Xr msdosfs 4 34and be labelled (via filesystem label) either 35.Ar config-2 36or 37.Ar cidata . 38.It OpenStack 39The system is running in an 40.Lk https://www.openstack.org/ OpenStack environment . 41It is detected via the 42.Ar smbios.system.product 43.Xr smbios 4 44description available in 45.Xr kenv 2 . 46.El 47.Pp 48Depending on the cloud environment above, 49.Nm 50will attempt to configure the instance. 51This script executes early 52after all the local filesystem are mounted but before 53the network is configured. 54.It Cm nuageinit_post_net 55This script is responsible for processing the configurations that are network 56dependent: 57.Bl -bullet 58.It 59dealing with packages 60.It 61dealing with users (which can depend on shell provided by packages) 62.El 63.It Cm nuageinit_user_data_script 64This script is responsible for executing everything which would have 65been passed via the configuration to be executed, via the configuration 66or because the user_data provided is a script. 67.El 68.Pp 69The default user for nuageinit is a user named 70.Va freebsd 71with a password set to 72.Va freebsd 73and a login shell set to 74.Va /bin/sh . 75.Sh CONFIGURATION 76The configuration of 77.Nm 78is typically provided as metadata by the cloud provider. 79The metadata is presented to nuageinit in different forms depending on 80the provider: 81.Bl -tag -width "config-2" 82.It nocloud 83If the data is provided via a disk labelled 84.Va cidata , 85then the metadata is provided in the form of a file named 86.Pa meta-data 87in YAML format. 88.Nm 89will configure the hostname of the instance according to the value of the 90following variables 91.Va local-hostname 92or 93.Va hostname . 94.It config-2 95If the data is provided via a disk labelled 96.Va config-2 97or if it is fetched from OpenStack, 98the metadata is expected in two json files: 99.Pp 100The 101.Pa meta_data.json 102file supports the following keys: 103.Bl -tag -width "public_keys" 104.It Ic hostname 105Set the hostname of the instance. 106.It Ic public_keys 107Append each entry of the array to 108.Nm 109default user which will be created. 110.El 111.Pp 112The 113.Pa network_data.json 114file supports the following keys: 115.Bl -tag -width "public_keys" 116.It Ic links 117Array of network interfaces to be configured. 118.It Ic networks 119Array of network configurations to be set. 120.It Ic services 121Array of service configurations to be set (e.g: DNS). 122.El 123.El 124.Pp 125Along with the metadata, a user data file is provided, either named 126.Pa user_data 127or 128.Pa user-data . 129If this file starts with a 130.Qq #! , 131it will be executed at the end of the boot via 132.Cm nuageinit_user_data_script . 133If this file starts with 134.Qq #cloud-config , 135it will be parsed as a YAML configuration file. 136All other cases will be ignored. 137.Pp 138The 139.Qq #cloud-config 140configuration entries supported by 141.Nm : 142.Bl -tag -width "config-2" 143.It Ic fqdn 144Specify a fully qualified domain name for the instance. 145.It Ic hostname 146Specify the hostname of the instance if 147.Qq Ic fqdn 148is not set. 149.It Ic manage_etc_hosts 150Boolean which determines whether the hostname should be added to 151.Pa /etc/hosts 152on the 153.Qq 127.0.0.1 154and 155.Qq ::1 156localhost lines. 157Defaults to 158.Ar true . 159Set to 160.Ar false 161to skip this behaviour. 162.It Ic mounts 163A list of mount points to configure. 164Each entry is written to 165.Pa /etc/fstab 166and the mount point directory is created. 167.Pp 168Each entry can be specified as a list: 169.Bd -literal -offset indent 170[ device, mountpoint, fstype ] 171.Ed 172.Pp 173or as an object: 174.Bd -literal -offset indent 175{ device: "...", mountpoint: "...", type: "...", options: "..." } 176.Ed 177.Pp 178The following keys are recognized: 179.Bl -tag -width "options" 180.It device (or name, spec) 181The device to mount. 182.It mountpoint (or mount_point) 183The mount point directory. 184.It type (or fstype, filesystem) 185The filesystem type. 186.It options (or opts) 187The mount options, defaults to 188.Qq rw . 189.It dump 190The dump frequency for 191.Xr dump 8 , 192defaults to 0. 193.It passno 194The pass number for 195.Xr fsck 8 , 196defaults to 0. 197.El 198.It Ic resolv_conf 199An object configuring the content of 200.Pa /etc/resolv.conf . 201.Pp 202The following keys are recognized: 203.Bl -tag -width "nameservers" 204.It nameservers 205A list of IP addresses for DNS name servers. 206.It searchdomains 207A list of search domains. 208.It domain 209A single domain name. 210.It sortlist 211A list of IP/netmask sortlist entries. 212.It options 213A dictionary of resolver options. 214.El 215.It Ic locale 216Set the system locale by appending 217.Qq Cm export 218statements to 219.Pa /etc/profile . 220.Pp 221If the value is a string, it is used as the 222.Dq Cm LANG 223value. 224If the value is an object mapping, each key-value pair is exported. 225.It Ic keyboard 226An object configuring the keyboard layout. 227.Pp 228Sets the 229.Va keymap 230variable in 231.Pa /etc/rc.conf.d/keymap . 232.Pp 233The following keys are recognized: 234.Bl -tag -width "variant" 235.It layout 236The keyboard layout (e.g., 237.Qq fr , 238.Qq de , 239.Qq us ) . 240.It variant 241The keyboard variant (e.g., 242.Qq acc , 243.Qq nodeadkeys ) . 244.El 245.It Ic ssh_authkey_fingerprints 246Boolean which determines whether fingerprints of SSH host keys 247should be logged to the console. 248Defaults to 249.Ar false . 250.It Ic ntp 251An object configuring the NTP daemon by writing 252.Pa /etc/ntp.conf . 253.Pp 254The following keys are recognized: 255.Bl -tag -width "enabled" 256.It servers 257A list of NTP server addresses. 258.It pools 259A list of NTP pool addresses. 260.It enabled 261Boolean, defaults to 262.Ar true . 263Set to 264.Ar false 265to skip NTP configuration. 266.El 267.Pp 268Alternatively, 269.Ic ntp 270can be a list of server addresses (legacy format). 271.It Ic ca_certs 272An object managing CA certificates. 273.Pp 274The following keys are recognized: 275.Bl -tag -width "remove_defaults" 276.It trusted 277A list of PEM-encoded CA certificates to add to the system trust store. 278Certificates are written to 279.Pa /usr/share/certs/trusted/ 280and 281.Xr certctl 8 282rehash is executed. 283.It remove_defaults 284Boolean, if 285.Ar true , 286remove the default CA certificates. 287.El 288.It Ic timezone 289Sets the system timezone based on the value provided. 290.Pp 291See also 292.Xr tzfile 5 . 293.It Ic groups 294An array of strings or objects to be created: 295.Bl -bullet 296.It 297If the entry is a string, 298a group using this string as a name will be created. 299.It 300if the entry is an object, the 301.Qq Ar key 302will be used as the name of the group, the 303.Qq Ar value 304is expected to be a list of members (array), specified by name. 305.El 306.It Ic ssh_deletekeys 307Boolean which determines if the existing SSH host keys in 308.Pa /etc/ssh 309should be removed on first boot. 310New host keys will be generated automatically by 311.Xr sshd 8 . 312.It Ic ssh_keys 313An object of multiple key/values, 314.Qq Cm keys 315being in the form 316.Ar algo_private 317or 318.Ar algo_public , 319.Qq Cm values 320being the actual content of the files in 321.Pa /etc/ssh . 322.It Ic ssh_authorized_keys 323Append each entry of the array to 324.Nm 325default user which will be created. 326.It Ic ssh_pwauth 327boolean which determines the value of the 328.Qq Ic PasswordAuthentication 329configuration in 330.Pa /etc/ssh/sshd_config 331.It Ic disable_root 332Boolean which determines if root login via SSH should be disabled. 333If set to 334.Ar true , 335sets 336.Qq Ic PermitRootLogin 337to 338.Ar no 339.Pq or the value specified in Ic disable_root_opts 340in 341.Pa /etc/ssh/sshd_config . 342.It Ic disable_root_opts 343String or array of options used to set the value of 344.Qq Ic PermitRootLogin 345in 346.Pa /etc/ssh/sshd_config , 347when 348.Ic disable_root 349is set to 350.Ar true . 351If not specified, defaults to 352.Ar no . 353.Pp 354Only the first value is used when an array is provided. 355.It Ic network 356Network configuration parameters. 357.Pp 358Specifying the following parameters from a file named 359.Pa network-config 360takes precedence over their specification from the 361.Ic network 362parameter of 363.Pa user-data . 364.Bl -tag -width "ethernets" 365.It Ic ethernets 366Mapping representing a generic configuration for existing network interfaces. 367.Pp 368Each key is an interface name that is only used when no 369.Sy match 370rule is specified. 371If 372.Sy match 373rules are specified, an arbitrary name can be used 374.Po e.g.: id0 Pc . 375.Bl -tag -width "nameservers" 376.It Ic match 377This selects a subset of available physical devices by various hardware 378properties. 379The following configuration will then apply to all matching devices, as soon as 380they appear. 381All specified properties must match. 382The following properties for 383creating matches are supported: 384.Bl -tag -width "macaddress" 385.It Ic macaddress 386.No Device's MAC address in the form Sy xx:xx:xx:xx:xx:xx . 387Letters should be lowercase. 388.It Ic name 389Current interface name. 390Lua pattern-matching expressions are supported. 391.It Ic driver 392Interface driver name and unit number of the interface. 393Lua pattern-natching expressions 394are supported. 395.El 396.It Ic set-name 397When matching on unique properties such as MAC, match rules can be written so 398that they match only one device. 399Then this property can be used to give that device a more 400specific/desirable/nicer name than the default. 401.Pp 402While multiple properties can be used in a match, 403.Sy macaddress 404is required for nuageinit to perform the rename. 405.It Ic mtu 406The MTU key represents a device's Maximum Transmission Unit, the largest size 407packet or frame. 408.It Ic wakeonlan 409Enable wake on LAN. 410Off by default. 411.It Ic dhcp4 412Configure the interface to use DHCP. 413.Pp 414This takes precedence over 415.Sy addresses 416when both are specified. 417.It Ic addresses 418List of strings representing IPv4 or IPv6 addresses. 419.It Ic gateway4 420Set default gateway for IPv4, for manual address configuration. 421This requires setting 422.Sy addresses 423too. 424.Pp 425Since only one default router can be configured at a time, this parameter is 426applied when processing the first entry, and any others are silently ignored. 427.It Ic gateway6 428Set default gateway for IPv6, for manual address configuration. 429This requires setting 430.Sy addresses 431too. 432.Pp 433Since only one default router can be configured at a time, this parameter is 434applied when processing the first entry, and any others are silently ignored. 435.It Ic nameservers 436Set DNS servers and search domains, for manual address configuration. 437.Pp 438There are two supported fields: 439.Bl -tag -width "addresses" 440.It Ic search 441Search list for host-name lookup. 442.It Ic addresses 443List of IPv4 or IPv6 name server addresses that the resolver should query. 444.El 445.El 446.El 447.It Ic runcmd 448An array of commands to be run at the end of the boot process 449.It Ic packages 450List of packages to be installed. 451.It Ic package_update 452Update the remote package metadata. 453.It Ic package_upgrade 454Upgrade the packages installed to their latest version. 455.It Ic power_state 456An object controlling the power state of the instance after configuration. 457The following keys are recognized: 458.Bl -tag -width "condition" 459.It Ic delay 460Time to wait before the action. 461Can be 462.Qq now 463or a time accepted by 464.Xr shutdown 8 465(e.g., 466.Qq +5 467for five minutes). 468Defaults to 469.Qq now . 470.It Ic mode 471The action to take: 472.Qq poweroff , 473.Qq reboot , 474or 475.Qq halt . 476Defaults to 477.Qq poweroff . 478.It Ic message 479Optional message to display to users. 480.It Ic timeout 481Not supported on 482.Fx , 483silently ignored. 484.It Ic condition 485Boolean or command string. 486If 487.Qq false , 488the action is skipped. 489If a string, it is run as a command; the action is only taken if the command 490succeeds. 491Defaults to 492.Qq true . 493.El 494.It Ic phone_home 495An object configuring the posting of instance data to a URL. 496.Pp 497The following keys are recognized: 498.Bl -tag -width "tries" 499.It Ic url 500The target URL to which the data will be posted. 501.It Ic post 502A list of data items to send, or the string 503.Qq all 504to send all supported items. 505Supported items are: 506.Qq hostname , 507.Qq fqdn , 508.Qq instance_id , 509.Qq pub_key_rsa , 510.Qq pub_key_ecdsa , 511and 512.Qq pub_key_ed25519 . 513.It Ic tries 514Number of retry attempts. 515Defaults to 1. 516.El 517.Pp 518The data is posted using 519.Xr fetch 1 . 520.It Ic final_message 521A string message to be displayed at the end of the boot process. 522The placeholder 523.Qq $UPTIME 524is replaced with the system uptime in seconds. 525.It Ic users 526Specify a list of users to be created: 527.Bl -tag -width "ssh_authorized_keys" 528.It Ic name 529Name of the user. 530.It Ic gecos 531GECOS for the user. 532.It Ic homedir 533The path of the home directory for the user. 534.It Ic primary_group 535The main group the user should belong to. 536.It Ic groups 537The list of other groups the user should belong to. 538.It Ic no_create_home 539A boolean which determines if the home directory should be created or not. 540.It Ic shell 541The shell that should be used for the user. 542.It Ic ssh_authorized_keys 543List of SSH keys for the user. 544.It Ic passwd 545The encrypted password for the user. 546.It Ic plain_text_passwd 547The password in plain text for the user. 548Ignored if an encrypted password is already provided. 549.It Ic locked 550Boolean to determine if the user account should be locked. 551.It Ic sudo 552A string or an array of strings which should be appended to 553.Pa ${LOCALBASE}/etc/sudoers.d/90-nuageinit-users 554.It Ic doas 555A string or an array of strings which should be appended to 556.Pa ${LOCALBASE}/etc/doas.conf 557.Pp 558Instead of hardcoding the username, you can use 559.Sy %u , 560which will be replaced by the current username. 561.El 562.Pp 563A special case exist: if the entry is a simple string with the value 564.Qq default , 565then the default user is created. 566Configuring 567.Nm sudo 568or 569.Nm doas 570does not automatically install them. 571Ensure the relevant command is listed in your 572.Nm packages 573section. 574.It Ic bootcmd 575An array of commands to be run early in the boot process, 576before the hostname is set and before the network is configured. 577.It Ic chpasswd 578Change the passwords for users, it accepts the following keys: 579.Bl -tag -width "expire" 580.It Ic expire 581Boolean to force the user to change their password on first login. 582.It Ic users 583An array of objects: 584.Bl -tag -width "password" 585.It Ic name 586Specify the user whose password will be changed. 587.It Ic password 588Specify a text line with the new password or 589.Qq Cm RANDOM 590to assign the password randomly. 591If the textline starts with 592.Qq Cm $x$ 593where x is a number, then the password is considered encrypted, 594otherwise the password is considered plaintext. 595.El 596.El 597.It Ic write_files 598An array of objects representing files to be created at first boot. 599The files are being created before the installation of any packages 600and the creation of the users. 601The only mandatory field is: 602.Ic path . 603It accepts the following keys for each objects: 604.Bl -tag -width "permissions" 605.It Ic content 606The content to be written to the file. 607If this key is not existing then an empty file will be created. 608.It Ic encoding 609Specify the encoding used for content. 610If not specified, then plain text is considered. 611Only 612.Ar b64 613and 614.Ar base64 615are supported for now. 616.It Ic path 617The path of the file to be created. 618.Pq Note intermerdiary directories will be created . 619.It Ic permissions 620A string representing the permission of the file in octal. 621.It Ic owner 622A string representing the owner, two forms are possible: 623.Ar user 624or 625.Ar user:group . 626.It Ic append 627A boolean to specify the content should be appended to the file if the file 628exists. 629.It Ic defer 630A boolean to specify that the files should be created after the packages are 631installed and the users are created. 632.El 633.El 634.Pp 635Additionally, user-data can be provided as a MIME multipart message 636with content type 637.Qq multipart/mixed . 638Each part is handled according to its 639.Qq Content-Type 640header. 641Supported part types: 642.Bl -tag -width "text/x-shellscript" 643.It text/cloud-config 644Processed as a cloud-config YAML document. 645.It text/x-shellscript 646Saved as an executable script for later execution. 647.El 648.Sh EXAMPLES 649Here is an example of a YAML configuration for 650.Nm : 651.Bd -literal 652#cloud-config 653bootcmd: 654 - kldload if_bridge 655fqdn: myhost.mynetwork.tld 656users: 657 - default 658 - name: user 659 gecos: Foo B. Bar 660 sudo: ALL=(ALL) NOPASSWD:ALL 661 ssh_authorized_keys: 662 - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr... 663packages: 664 - neovim 665 - git-lite 666 - sudo 667package_update: true 668package_upgrade: true 669runcmd: 670 - logger -t nuageinit "boot finished" 671ssh_deletekeys: true 672disable_root: true 673ssh_keys: 674 ed25519_private: | 675 -----BEGIN OPENSSH PRIVATE KEY----- 676 blabla 677 ... 678 -----END OPENSSH PRIVATE KEY----- 679 ed25519_public: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+MH4E8KO32N5CXRvXVqvyZVl0+6ue4DobdhU0FqFd+ 680network: 681 ethernets: 682 vtnet0: 683 addresses: 684 - 192.168.8.2/24 685 gateway4: 192.168.8.1 686.Ed 687.Sh SEE ALSO 688.Xr kenv 2 , 689.Xr cd9660 4 , 690.Xr msdosfs 4 , 691.Xr smbios 4 , 692.Xr ssh_config 5 , 693.Xr rc 8 694.Sh STANDARDS 695.Nm 696is believed to conform to the 697.Lk https://cloud-init.io/ Cloud Init 698specification. 699.Sh HISTORY 700.Nm 701appeared in 702.Fx 14.1 703