{
"_copyright": "2016-2022, Frederico Martins",
"_author": "Frederico Martins <http://github.com/fscm>",
"_license": "SPDX-License-Identifier: MIT",
"variables": {
"aws_access_key": "{{env `aws_access_key`}}",
"aws_ami_name": "openvpn",
"aws_ami_name_prefix": "",
"aws_instance_type": "t2.micro",
"aws_region": "{{env `aws_region`}}",
"aws_secret_key": "{{env `aws_secret_key`}}",
"aws_ssh_username": "admin",
"aws_ssh_port": "222",
"easyrsa_req_city": "San Francisco",
"easyrsa_req_country": "US",
"easyrsa_req_email": "private",
"easyrsa_req_org": "Private Company",
"easyrsa_req_ou": "IT",
"easyrsa_req_state": "California",
"easyrsa_version": "3.0.1",
"system_locale": "en_US"
},
"builders": [{
"type": "amazon-ebs",
"access_key": "{{user `aws_access_key`}}",
"secret_key": "{{user `aws_secret_key`}}",
"region": "{{user `aws_region`}}",
"instance_type": "{{user `aws_instance_type`}}",
"ssh_username": "{{user `aws_ssh_username`}}",
"associate_public_ip_address": true,
"ami_name": "{{user `aws_ami_name_prefix`}}{{user `aws_ami_name`}}-({{isotime \"20060102150405\"}})",
"source_ami_filter": {
"filters": {
"architecture": "x86_64",
"name": "debian-jessie-*",
"root-device-type": "ebs",
"virtualization-type": "hvm"
},
"owners": ["379101102735"],
"most_recent": true
}
}],
"provisioners": [
{
"type": "file",
"source": "files/sysctl/",
"destination": "/tmp"
},
{
"type": "file",
"source": "files/openvpn/",
"destination": "/tmp"
},
{
"type": "shell",
"inline_shebang": "/bin/bash -e",
"environment_vars": [
"DEBIAN_FRONTEND=noninteractive"
],
"inline": [
"unset HISTFILE",
"history -cw",
"echo === Waiting for Cloud-Init ===",
"timeout 180 /bin/bash -c 'until stat /var/lib/cloud/instance/boot-finished &>/dev/null; do echo waiting...; sleep 6; done'",
"echo === System Packages ===",
"echo 'deb http://ftp.debian.org/debian jessie-backports main contrib non-free' | sudo tee /etc/apt/sources.list.d/backports.list > /dev/null",
"sudo apt-get -qq update",
"sudo apt-get -y -qq install --no-install-recommends apt-transport-https apt-show-versions bash-completion logrotate ntp ntpdate htop vim wget curl dbus bmon nmon parted wget curl sudo rsyslog ethtool unzip zip telnet tcpdump strace tar libyaml-0-2 lsb-base lsb-release xfsprogs sysfsutils",
"sudo apt-get -y -qq --purge autoremove",
"sudo apt-get autoclean",
"sudo apt-get clean",
"echo === System Settings ===",
"echo 'dash dash/sh boolean false' | sudo debconf-set-selections",
"sudo dpkg-reconfigure -f noninteractive dash",
"sudo update-locale LC_CTYPE={{user `system_locale`}}.UTF-8",
"echo 'export TZ=:/etc/localtime' | sudo tee /etc/profile.d/tz.sh > /dev/null",
"sudo update-alternatives --set editor /usr/bin/vim.basic",
"echo === Sysctl ===",
"sudo cp /tmp/50-openvpn.conf /etc/sysctl.d/",
"sudo chown root:root /etc/sysctl.d/50-openvpn.conf",
"sudo chmod 0644 /etc/sysctl.d/50-openvpn.conf",
"sudo sysctl -p /etc/sysctl.d/50-openvpn.conf",
"echo === SSH Server ===",
"sudo sed -i -r -e 's/^Port .*/Port {{user `aws_ssh_port`}}/' /etc/ssh/sshd_config",
"sudo sed -i -r -e '/UseDNS /{h;s/#*UseDNS .*/UseDNS no/};${x;/^$/{s//\\nUseDNS no/;H};x}' /etc/ssh/sshd_config",
"echo === Entropy Generation ===",
"sudo apt-get -qq update",
"sudo apt-get -y -qq install --no-install-recommends rng-tools",
"sudo apt-get autoclean",
"sudo apt-get clean",
"sudo sed -i -r -e 's/^HRNGDEVICE/#HRNGDEVICE/g' /etc/default/rng-tools",
"sudo sed -i -r -e '/#HRNGDEVICE[^\\n]*/,$!b;//{x;//p;g};//!H;$!d;x;s||&\\nHRNGDEVICE=/dev/urandom|' /etc/default/rng-tools",
"sudo systemctl enable rng-tools.service",
"sudo systemctl start rng-tools.service",
"echo === OpenVPN ===",
"sudo apt-get -qq update",
"echo iptables-persistent iptables-persistent/autosave_v4 boolean true | sudo debconf-set-selections",
"echo iptables-persistent iptables-persistent/autosave_v6 boolean true | sudo debconf-set-selections",
"sudo apt-get -y -qq install --no-install-recommends openvpn openssl iptables iptables-persistent netfilter-persistent",
"sudo apt-get autoclean",
"sudo apt-get clean",
"sudo openssl dhparam -out /etc/openvpn/dh2048.pem 2048",
"sudo cp /tmp/ovpn_initpki /usr/local/bin/",
"sudo cp /tmp/ovpn_config /usr/local/bin/",
"sudo cp /tmp/ovpn_addclient /usr/local/bin/",
"sudo cp /tmp/ovpn_delclient /usr/local/bin/",
"sudo cp /tmp/ovpn_getclient /usr/local/bin/",
"sudo cp /tmp/ovpn_status /usr/local/bin/",
"sudo chown root:staff /usr/local/bin/ovpn_initpki",
"sudo chown root:staff /usr/local/bin/ovpn_config",
"sudo chown root:staff /usr/local/bin/ovpn_addclient",
"sudo chown root:staff /usr/local/bin/ovpn_delclient",
"sudo chown root:staff /usr/local/bin/ovpn_getclient",
"sudo chown root:staff /usr/local/bin/ovpn_status",
"sudo chmod 0755 /usr/local/bin/ovpn_initpki",
"sudo chmod 0755 /usr/local/bin/ovpn_config",
"sudo chmod 0755 /usr/local/bin/ovpn_addclient",
"sudo chmod 0755 /usr/local/bin/ovpn_delclient",
"sudo chmod 0755 /usr/local/bin/ovpn_getclient",
"sudo chmod 0755 /usr/local/bin/ovpn_status",
"echo === EasyRSA ===",
"sudo mkdir /opt/easyrsa",
"curl -sL --retry 3 --insecure --header 'Cookie: oraclelicense=accept-securebackup-cookie;' 'https://github.com/OpenVPN/easy-rsa/releases/download/{{user `easyrsa_version`}}/EasyRSA-{{user `easyrsa_version`}}.tgz' | sudo tar xz --strip-components=1 -C /opt/easyrsa/",
"sudo cp /opt/easyrsa/vars.example /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA\\t/set_var EASYRSA\\t/;/^set_var EASYRSA\\t/s|\\t.*|\\t\"/opt/easyrsa\"|' /opt/easyrsa/vars",
"sudo sed -i -r -e '/openssl.exe/s/^/#/;s/#set_var EASYRSA_OPENSSL/set_var EASYRSA_OPENSSL/' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_PKI/set_var EASYRSA_PKI/' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_REQ_COUNTRY/set_var EASYRSA_REQ_COUNTRY/;/^set_var EASYRSA_REQ_COUNTRY/s|\\t.*|\\t\"{{user `easyrsa_req_country`}}\"|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_REQ_PROVINCE/set_var EASYRSA_REQ_PROVINCE/;/^set_var EASYRSA_REQ_PROVINCE/s|\\t.*|\\t\"{{user `easyrsa_req_state`}}\"|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_REQ_CITY/set_var EASYRSA_REQ_CITY/;/^set_var EASYRSA_REQ_CITY/s|\\t.*|\\t\"{{user `easyrsa_req_city`}}\"|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_REQ_ORG/set_var EASYRSA_REQ_ORG/;/^set_var EASYRSA_REQ_ORG/s|\\t.*|\\t\"{{user `easyrsa_req_org`}}\"|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_REQ_EMAIL/set_var EASYRSA_REQ_EMAIL/;/^set_var EASYRSA_REQ_EMAIL/s|\\t.*|\\t\"{{user `easyrsa_req_email`}}\"|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_REQ_OU/set_var EASYRSA_REQ_OU/;/^set_var EASYRSA_REQ_OU/s|\\t.*|\\t\"{{user `easyrsa_req_ou`}}\"|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_KEY_SIZE/set_var EASYRSA_KEY_SIZE/;/^set_var EASYRSA_KEY_SIZE/s|\\t.*|\\t2048|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_ALGO/set_var EASYRSA_ALGO/;/^set_var EASYRSA_ALGO/s|\\t.*|\\trsa|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_CA_EXPIRE/set_var EASYRSA_CA_EXPIRE/;/^set_var EASYRSA_CA_EXPIRE/s|\\t.*|\\t3650|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_CERT_EXPIRE/set_var EASYRSA_CERT_EXPIRE/;/^set_var EASYRSA_CERT_EXPIRE/s|\\t.*|\\t3650|' /opt/easyrsa/vars",
"sudo sed -i -r -e 's/#set_var EASYRSA_DIGEST/set_var EASYRSA_DIGEST/;/^set_var EASYRSA_DIGEST/s|\\t.*|\\t\"sha256\"|' /opt/easyrsa/vars",
"sudo chown -R root:root /opt/easyrsa",
"sudo update-alternatives --install /usr/bin/easyrsa easyrsa /opt/easyrsa/easyrsa 1",
"echo === System Cleanup ===",
"sudo rm -f /root/.bash_history",
"sudo rm -f /home/{{user `aws_ssh_username`}}/.bash_history",
"sudo rm -f /var/log/wtmp",
"sudo rm -f /var/log/btmp",
"sudo rm -rf /var/log/installer",
"sudo rm -rf /var/lib/cloud/instances",
"sudo rm -rf /tmp/* /var/tmp/* /tmp/.*-unix",
"sudo find /var/cache -type f -delete",
"sudo find /var/log -type f | while read f; do echo -n '' | sudo tee $f > /dev/null; done;",
"sudo find /var/lib/apt/lists -not -name lock -type f -delete",
"sudo sync",
"echo === All Done ==="
]
}
]
}