From 37253e1b3651d2e3f1c714c55fb05894abacf398 Mon Sep 17 00:00:00 2001 From: Justin Wind Date: Tue, 18 Apr 2017 14:02:27 -0700 Subject: [PATCH] add more vpn support things --- BOOTSTRAP.txt | 38 +++++++++++++- VPNConfigs/.keep | 0 createVPNAccount.sh | 84 ++++++++++++++++++++++++++++++ generate-ansible-vpcaccess-vars.sh | 38 ++++++++++++++ userManagementTemplates/generic.sh | 77 +++++++++++++++++++++++++++ 5 files changed, 236 insertions(+), 1 deletion(-) create mode 100644 VPNConfigs/.keep create mode 100755 createVPNAccount.sh create mode 100755 generate-ansible-vpcaccess-vars.sh create mode 100755 userManagementTemplates/generic.sh diff --git a/BOOTSTRAP.txt b/BOOTSTRAP.txt index 025c4d3..f9418e5 100644 --- a/BOOTSTRAP.txt +++ b/BOOTSTRAP.txt @@ -1,6 +1,36 @@ Starting up a new AWSible environment ------------------------------------- +* initialize CA for environment + + env="myAwsibleEnvironment" + region="us-east-1" + + curl -fOL https://github.com/OpenVPN/easy-rsa/releases/download/3.0.1/EasyRSA-3.0.1.tgz + mkdir "${env}_ca" + tar -C "${env}_ca" --strip-components 1 -x -f EasyRSA-3.0.1.tgz + + pushd "${env}_ca" + # create CA cert + ./easyrsa init-pki + ./easyrsa build-ca + cn: ${env} + + # create openVPN region server cert + ./easyrsa build-server-full ${region}.${env} nopass + + # create CRL + ./easyrsa gen-crl + + pushd "pki" + openvpn --genkey --secret ta.key + popd + popd + +* generate ansible variables for VPN + + ./generate-ansible-vpcaccess-vars.sh ${env} ${region} + * create ssh keypair as keys/management{,.pub} * configure group_vars/all with: @@ -21,6 +51,12 @@ Starting up a new AWSible environment * change pub-subnets to auto-assign external IPs +* bootstrap vpcaccess from external system + ansible-playbook init_vpcaccess.yml + aws --region ${region} iam create-policy --policy-name vpcaccess-policy --description vpcaccess --policy-document file://../roles/vpcaccess-infrastructure/files/vpcaccess-policy.json + # attach policy to role + INVENTORY_PUBLIC=1 ansible-playbook vpcaccess-d0stage + * configure group_vars/all with chosen MANAGEMENT_SUBNET * ansible-playbook init_management.yml @@ -37,5 +73,5 @@ Starting up a new AWSible environment * install AWSible repo in /data/management/ * bootstrap management server from external system - * INVENTORY_PUBLIC=1 ansible-playbook management.yml + ansible-playbook management.yml diff --git a/VPNConfigs/.keep b/VPNConfigs/.keep new file mode 100644 index 0000000..e69de29 diff --git a/createVPNAccount.sh b/createVPNAccount.sh new file mode 100755 index 0000000..276d9c1 --- /dev/null +++ b/createVPNAccount.sh @@ -0,0 +1,84 @@ +#!/bin/bash + +set -e + +DIR_SUFFIX="_ca" +ME=`basename "${0}"` +RED='\033[0;31m' +NC='\033[0m' + +echo "${ME} - Create VPN Configs" +echo "" + +allDone() +{ + echo -e " ${RED}-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-${NC}" + echo -e " ${RED}L O O K A T W H A T T O D O${NC}" + echo -e " ${RED}-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-${NC}" + echo "" + echo "Assuming no failures were output above, here's what you should have:" + echo " VPNConfigs/${1}-${2}.ovpn" + echo "" + echo "For Windows users, you should rename this to ${1}.ovpn and put it into the configurations directory" + echo "as described on the confluence page." + echo "" + echo "For Mac users (running tunnelblick) you should create a directory named ${1}.tblk and put" + echo "VPNConfigs/${1}-${2}.ovpn into it. Once you have that on your Mac, you should just be able" + echo "to double click on it." + echo "" + echo "...magics..." +} + +usage(){ + local i + cat< "VPNConfigs/${environment}-${user}.ovpn" +} + +if [ -z $2 ] || [ "$1" == "-h" ] ; then + usage; +fi +if [ ! -d "${1}${DIR_SUFFIX}" ] || [ ! -e "userManagementTemplates/${1}.sh" ] ; then + echo "Invalid configuration profile: ${1}" + echo "" + usage +fi + +if [ -e ${1}${DIR_SUFFIX}/pki/issued/${2}.crt ]; then + echo "${2} already has a certificate..." + echo "" + genConfiguration "${1}" "${2}" +else + echo "Well, you didn't ask for help, and you provided a valid profile, and the user doesn't already exist..." + echo "" + echo -e "${RED}**************************************************************************${NC}" + echo -e "${RED}*** ***${NC}" + echo -e "${RED}*** ${NC}The next step will ask you for a password, this is the CA password ${RED}***${NC}" + echo -e "${RED}*** ***${NC}" + echo -e "${RED}**************************************************************************${NC}" + + pushd "${1}${DIR_SUFFIX}" >/dev/null + ./easyrsa build-client-full "${2}" nopass + popd >/dev/null + genConfiguration "${1}" "${2}" +fi + +allDone "${1}" "${2}" diff --git a/generate-ansible-vpcaccess-vars.sh b/generate-ansible-vpcaccess-vars.sh new file mode 100755 index 0000000..0a5d14a --- /dev/null +++ b/generate-ansible-vpcaccess-vars.sh @@ -0,0 +1,38 @@ +#!/bin/sh + +set -e + +if [ $# -ne 2 ] +then + echo "usage: $(basename "$0") environment region" + exit 64 +fi + +ca_cert="${1}_ca/pki/ca.crt" +crl_pem="${1}_ca/pki/crl.pem" +cert="${1}_ca/pki/issued/${2}.${1}.crt" +key="${1}_ca/pki/private/${2}.${1}.key" +ta_secret="${1}_ca/pki/ta.key" + +function onlycert(){ + sed -n '/-----BEGIN /,/-----END /p' "$@" +} +function indent(){ + sed 's/^/ /' "$@" +} + +cat<&2 + exit 1 +fi + +cat< +EOF +onlycert "${ca_cert_file}" +cat< + + +EOF +onlycert "${user_cert_file}" +cat< + + +EOF +onlycert "${user_key_file}" +cat< + +key-direction 1 + +EOF +cat "${ta_secret_file}" +cat< +EOF -- 2.45.2