Starting up a new AWSible environment
-------------------------------------
+* initialize CA for environment
+
+ env="myAwsibleEnvironment"
+ region="us-east-1"
+
+ curl -fOL https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz
+ mkdir "${env}_ca"
+ tar -C "${env}_ca" --strip-components 1 -x -f EasyRSA-3.0.1.tgz
+
+ pushd "${env}_ca"
+ # create CA cert
+ ./easyrsa init-pki
+ ./easyrsa build-ca
+ cn: ${env}
+
+ # create openVPN region server cert
+ ./easyrsa build-server-full ${region}.${env} nopass
+
+ # create CRL
+ ./easyrsa gen-crl
+
+ pushd "pki"
+ openvpn --genkey --secret ta.key
+ popd
+ popd
+
+* generate ansible variables for VPN
+
+ ./generate-ansible-vpcaccess-vars.sh ${env} ${region}
+
* create ssh keypair as keys/management{,.pub}
* configure group_vars/all with:
* change pub-subnets to auto-assign external IPs
+* bootstrap vpcaccess from external system
+ ansible-playbook init_vpcaccess.yml
+ aws --region ${region} iam create-policy --policy-name vpcaccess-policy --description vpcaccess --policy-document file://../roles/vpcaccess-infrastructure/files/vpcaccess-policy.json
+ # attach policy to role
+ INVENTORY_PUBLIC=1 ansible-playbook vpcaccess-d0stage
+
* configure group_vars/all with chosen MANAGEMENT_SUBNET
* ansible-playbook init_management.yml
* install AWSible repo in /data/management/
* bootstrap management server from external system
- * INVENTORY_PUBLIC=1 ansible-playbook management.yml
+ ansible-playbook management.yml
--- /dev/null
+#!/bin/bash
+
+set -e
+
+DIR_SUFFIX="_ca"
+ME=`basename "${0}"`
+RED='\033[0;31m'
+NC='\033[0m'
+
+echo "${ME} - Create VPN Configs"
+echo ""
+
+allDone()
+{
+ echo -e " ${RED}-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-${NC}"
+ echo -e " ${RED}L O O K A T W H A T T O D O${NC}"
+ echo -e " ${RED}-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-${NC}"
+ echo ""
+ echo "Assuming no failures were output above, here's what you should have:"
+ echo " VPNConfigs/${1}-${2}.ovpn"
+ echo ""
+ echo "For Windows users, you should rename this to ${1}.ovpn and put it into the configurations directory"
+ echo "as described on the confluence page."
+ echo ""
+ echo "For Mac users (running tunnelblick) you should create a directory named ${1}.tblk and put"
+ echo "VPNConfigs/${1}-${2}.ovpn into it. Once you have that on your Mac, you should just be able"
+ echo "to double click on it."
+ echo ""
+ echo "...magics..."
+}
+
+usage(){
+ local i
+ cat<<EOF
+Usage:
+ ${ME} environment user
+Example:
+ ${ME} userStage test.user@samsung.com
+---------------------
+Currently defined environments:
+EOF
+ for i in $(ls -d1 *${DIR_SUFFIX})
+ do
+ echo " - ${i%${DIR_SUFFIX}}"
+ done
+ exit
+}
+
+genConfiguration(){
+ local environment="$1"
+ local user="$2"
+
+ userManagementTemplates/"${environment}".sh "${environment}" "${user}" > "VPNConfigs/${environment}-${user}.ovpn"
+}
+
+if [ -z $2 ] || [ "$1" == "-h" ] ; then
+ usage;
+fi
+if [ ! -d "${1}${DIR_SUFFIX}" ] || [ ! -e "userManagementTemplates/${1}.sh" ] ; then
+ echo "Invalid configuration profile: ${1}"
+ echo ""
+ usage
+fi
+
+if [ -e ${1}${DIR_SUFFIX}/pki/issued/${2}.crt ]; then
+ echo "${2} already has a certificate..."
+ echo ""
+ genConfiguration "${1}" "${2}"
+else
+ echo "Well, you didn't ask for help, and you provided a valid profile, and the user doesn't already exist..."
+ echo ""
+ echo -e "${RED}**************************************************************************${NC}"
+ echo -e "${RED}*** ***${NC}"
+ echo -e "${RED}*** ${NC}The next step will ask you for a password, this is the CA password ${RED}***${NC}"
+ echo -e "${RED}*** ***${NC}"
+ echo -e "${RED}**************************************************************************${NC}"
+
+ pushd "${1}${DIR_SUFFIX}" >/dev/null
+ ./easyrsa build-client-full "${2}" nopass
+ popd >/dev/null
+ genConfiguration "${1}" "${2}"
+fi
+
+allDone "${1}" "${2}"
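Review bot: The generated profile holds an unencrypted client key (`./easyrsa build-client-full "${2}" nopass` on L127) together with ta.key, yet nothing restricts the permissions of `VPNConfigs/${environment}-${user}.ovpn`, so it is written with the caller's default umask and is typically group/world-readable. Add `umask 077` right after `set -e` so both the easyrsa-generated key and the .ovpn are created owner-only, and consider `mkdir -p VPNConfigs` in genConfiguration, since the redirect on L101 aborts under set -e when the directory is absent. Separately, `for i in $(ls -d1 *${DIR_SUFFIX})` on L90 parses ls and word-splits; the glob `for i in *"${DIR_SUFFIX}"; do` lists the same directories safely, and the unquoted `[ -z $2 ]` on L104 and the unquoted path test on L113 should quote their expansions.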
--- /dev/null
+#!/bin/sh
+
+set -e
+
+if [ $# -ne 2 ]
+then
+ echo "usage: $(basename "$0") environment region"
+ exit 64
+fi
+
+ca_cert="${1}_ca/pki/ca.crt"
+crl_pem="${1}_ca/pki/crl.pem"
+cert="${1}_ca/pki/issued/${2}.${1}.crt"
+key="${1}_ca/pki/private/${2}.${1}.key"
+ta_secret="${1}_ca/pki/ta.key"
+
+function onlycert(){
+ sed -n '/-----BEGIN /,/-----END /p' "$@"
+}
+function indent(){
+ sed 's/^/ /' "$@"
+}
+
+cat<<EOF
+---
+QUAGGA_PASSWORD: $(pwgen -y 16)
+ca_name: $1
+ca_cert: |
+$(indent "${ca_cert}")
+crl_pem: |
+$(indent "${crl_pem}")
+cert: |
+$(onlycert "${cert}" | indent)
+key: |
+$(indent "${key}")
+ta_secret: |
+$(indent "${ta_secret}")
+EOF
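Review bot: `function onlycert(){` on L150 and `function indent(){` on L153 use a bash-only keyword under `#!/bin/sh`; where /bin/sh is dash (Debian/Ubuntu) the script fails with a syntax error before producing anything. Drop the keyword (`onlycert(){` and `indent(){`) or change the shebang to `#!/bin/bash`; the same applies to `function usage(){` and `function onlycert(){` in the following file (L177, L182). Also, `set -e` does not cover failures inside the `$(...)` substitutions in the heredoc (L162–L170), so a missing cert, key or ta.key file yields a vars file with empty blocks and exit status 0; check readability up front, e.g. `for f in "$ca_cert" "$crl_pem" "$cert" "$key" "$ta_secret"; do [ -r "$f" ] || { echo "missing: $f" >&2; exit 1; }; done`. Since the output carries the server private key, ta.key and a freshly generated QUAGGA_PASSWORD in plaintext, a header comment stating that it must be redirected into a vault-encrypted or mode-0600 file would help operators.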
--- /dev/null
+#!/bin/sh
+
+CA_SUFFIX='_ca'
+
+function usage(){
+ cat<<EOF
+Usage: $(basename "$0") environment user eip vpc_16
+EOF
+}
+function onlycert(){
+ sed -n '/-----BEGIN /,/-----END /p' "$@"
+}
+
+if [ $# -ne 4 ]
+then
+ usage
+ exit 64
+fi
+
+ca_cert_file="${1}${CA_SUFFIX}/pki/ca.crt"
+user_cert_file="${1}${CA_SUFFIX}/pki/issued/${2}.crt"
+user_key_file="${1}${CA_SUFFIX}/pki/private/${2}.key"
+ta_secret_file="${1}${CA_SUFFIX}/pki/ta.key"
+
+if [ ! -e "${user_cert_file}" -o ! -e "${user_key_file}" ]
+then
+ echo "could not find credentials" 1>&2
+ exit 1
+fi
+
+cat<<EOF
+# User: ${2}
+# Profile: ${1}
+client
+
+port 1195
+proto tcp
+dev tun
+cipher AES-256-CBC
+
+remote ${3} 1195
+nobind
+
+persist-key
+persist-tun
+
+#auth-user-pass
+
+#comp-lzo
+
+route ${4} 255.240.0.0
+
+<ca>
+EOF
+onlycert "${ca_cert_file}"
+cat<<EOF
+</ca>
+
+<cert>
+EOF
+onlycert "${user_cert_file}"
+cat<<EOF
+</cert>
+
+<key>
+EOF
+onlycert "${user_key_file}"
+cat<<EOF
+</key>
+
+key-direction 1
+<tls-auth>
+EOF
+cat "${ta_secret_file}"
+cat<<EOF
+</tls-auth>
+EOF