xynova/openvpn-userdata.tf

## openvpn-userdata.tf
#!/bin/bash

set -eu

###
echo  '!!!!  INSTALL PACKAGES'
apt-get -y update && apt install -y awscli mysql-client libmysqlclient-dev

###
echo  '!!!!  SETUP VARS'
printf ${tf_db_enc} | base64 --decode > encrypted_file

DB_PASSWORD="`/usr/bin/aws kms decrypt --region ap-southeast-2 --ciphertext-blob fileb://encrypted_file --query Plaintext --output text | base64 --decode`"
DB_FQND="${tf_rds_fqdn}"
DB_PREFIX="${tf_db_prefix}"
DNS_HZ_ID="${tf_r53_zone_id}"
DNS_OPENVPN_FQDN="${tf_r53_fqdn}"
MYSQL_PREF=/etc/.my.cnf

###
echo  '!!!!  CONFIGURE MYSQL CLIENT PREFs FILE'
cat <<EOF > $${MYSQL_PREF}
[client]
user=openvpn_root
password="$${DB_PASSWORD}"
port=3306
host="$${DB_FQND}"
EOF

ln -s $${MYSQL_PREF} /root/.my.cnf

###
echo  '!!!!  CONFIGURE DATABASES'
systemctl stop openvpnas.service

pushd /usr/local/openvpn_as/scripts
for ITEM in certs user_prop config log; do
  echo  "...  preparing $${ITEM} database and config"

  MYSQL_DB_NAME="$${DB_PREFIX}as_$${ITEM}"
  LOCAL_DB_NAME=`echo $${ITEM} | tr -d '_'`
  LOCAL_DB_FILE="/usr/local/openvpn_as/etc/db/$${LOCAL_DB_NAME}.db"
  DB_KEY="$${ITEM}_db"

  #- set db configuration value
  sed -i "s|$${DB_KEY}=.*|$${DB_KEY}=mysql://$${DB_FQND}/$${MYSQL_DB_NAME}|" /usr/local/openvpn_as/etc/as.conf

  #- create MySql DB
  mysql --defaults-file=$${MYSQL_PREF} -e "CREATE DATABASE IF NOT EXISTS $${MYSQL_DB_NAME};"

  #- import local DB schema into MySql if no tables exist
  mysql --defaults-file=$${MYSQL_PREF} --silent --skip-column-names \
  -e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = '$${MYSQL_DB_NAME}';" \
  | grep -e ^0 -q \
  && ./dbcvt -t $${ITEM} -s sqlite:///$${LOCAL_DB_FILE} -d mysql://$${DB_FQND}/$${MYSQL_DB_NAME} -p $${MYSQL_PREF}
done
popd


###
echo  '!!!!  RESTART OPENVPN'
systemctl restart openvpnas.service

###
echo  '!!!!  UPDATE ROUTE53 DNS ROUTE'
PUBLIC_IP=`curl -w '\n' -s http://169.254.169.254/latest/meta-data/public-ipv4`
BATCH_TEMPLATE='{"Changes": [{"Action":"UPSERT", "ResourceRecordSet":{"Name":"%FQDN%", "Type":"A", "TTL":30, "ResourceRecords":[{"Value":"%IPADDR%"}]}}]}'
BATCH_PAYLOAD=`echo "$${BATCH_TEMPLATE}" | sed "s/%IPADDR%/$${PUBLIC_IP}/g; s/%FQDN%/$${DNS_OPENVPN_FQDN}/g" | sed "s|\"|\"|g" `
aws route53 change-resource-record-sets --hosted-zone-id  $${DNS_HZ_ID} --change-batch "$${BATCH_PAYLOAD}"

###
echo  '!!!!  CONFIGURE OPENVPN DEFAULTS'
sleep 10
pushd /usr/local/openvpn_as/scripts
./sacli --key "host.name" --value "$${DNS_OPENVPN_FQDN%.}" ConfigPut
./sacli --key "vpn.server.daemon.enable" --value "false" ConfigPut
./sacli --key "vpn.server.port_share.service" --value "client" ConfigPut
./sacli --key "vpn.client.routing.reroute_dns" --value "true" ConfigPut
./sacli --key "vpn.server.google_auth.enable" --value "true" ConfigPut
./sacli --key "cs.tls_version_min" --value "1.2" ConfigPut
./sacli --key "vpn.server.tls_version_min" --value "1.2" ConfigPut
./sacli start
popd
	#!/bin/bash

	set -eu

	###
	echo '!!!! INSTALL PACKAGES'
	apt-get -y update && apt install -y awscli mysql-client libmysqlclient-dev

	###
	echo '!!!! SETUP VARS'
	printf ${tf_db_enc} \| base64 --decode > encrypted_file

	DB_PASSWORD="`/usr/bin/aws kms decrypt --region ap-southeast-2 --ciphertext-blob fileb://encrypted_file --query Plaintext --output text \| base64 --decode`"
	DB_FQND="${tf_rds_fqdn}"
	DB_PREFIX="${tf_db_prefix}"
	DNS_HZ_ID="${tf_r53_zone_id}"
	DNS_OPENVPN_FQDN="${tf_r53_fqdn}"
	MYSQL_PREF=/etc/.my.cnf

	###
	echo '!!!! CONFIGURE MYSQL CLIENT PREFs FILE'
	cat <<EOF > $${MYSQL_PREF}
	[client]
	user=openvpn_root
	password="$${DB_PASSWORD}"
	port=3306
	host="$${DB_FQND}"
	EOF

	ln -s $${MYSQL_PREF} /root/.my.cnf

	###
	echo '!!!! CONFIGURE DATABASES'
	systemctl stop openvpnas.service

	pushd /usr/local/openvpn_as/scripts
	for ITEM in certs user_prop config log; do
	echo "... preparing $${ITEM} database and config"

	MYSQL_DB_NAME="$${DB_PREFIX}as_$${ITEM}"
	LOCAL_DB_NAME=`echo $${ITEM} \| tr -d '_'`
	LOCAL_DB_FILE="/usr/local/openvpn_as/etc/db/$${LOCAL_DB_NAME}.db"
	DB_KEY="$${ITEM}_db"

	#- set db configuration value
	sed -i "s\|$${DB_KEY}=.*\|$${DB_KEY}=mysql://$${DB_FQND}/$${MYSQL_DB_NAME}\|" /usr/local/openvpn_as/etc/as.conf

	#- create MySql DB
	mysql --defaults-file=$${MYSQL_PREF} -e "CREATE DATABASE IF NOT EXISTS $${MYSQL_DB_NAME};"

	#- import local DB schema into MySql if no tables exist
	mysql --defaults-file=$${MYSQL_PREF} --silent --skip-column-names \
	-e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = '$${MYSQL_DB_NAME}';" \
	\| grep -e ^0 -q \
	&& ./dbcvt -t $${ITEM} -s sqlite:///$${LOCAL_DB_FILE} -d mysql://$${DB_FQND}/$${MYSQL_DB_NAME} -p $${MYSQL_PREF}
	done
	popd


	###
	echo '!!!! RESTART OPENVPN'
	systemctl restart openvpnas.service

	###
	echo '!!!! UPDATE ROUTE53 DNS ROUTE'
	PUBLIC_IP=`curl -w '\n' -s http://169.254.169.254/latest/meta-data/public-ipv4`
	BATCH_TEMPLATE='{"Changes": [{"Action":"UPSERT", "ResourceRecordSet":{"Name":"%FQDN%", "Type":"A", "TTL":30, "ResourceRecords":[{"Value":"%IPADDR%"}]}}]}'
	BATCH_PAYLOAD=`echo "$${BATCH_TEMPLATE}" \| sed "s/%IPADDR%/$${PUBLIC_IP}/g; s/%FQDN%/$${DNS_OPENVPN_FQDN}/g" \| sed "s\|\"\|\"\|g" `
	aws route53 change-resource-record-sets --hosted-zone-id $${DNS_HZ_ID} --change-batch "$${BATCH_PAYLOAD}"

	###
	echo '!!!! CONFIGURE OPENVPN DEFAULTS'
	sleep 10
	pushd /usr/local/openvpn_as/scripts
	./sacli --key "host.name" --value "$${DNS_OPENVPN_FQDN%.}" ConfigPut
	./sacli --key "vpn.server.daemon.enable" --value "false" ConfigPut
	./sacli --key "vpn.server.port_share.service" --value "client" ConfigPut
	./sacli --key "vpn.client.routing.reroute_dns" --value "true" ConfigPut
	./sacli --key "vpn.server.google_auth.enable" --value "true" ConfigPut
	./sacli --key "cs.tls_version_min" --value "1.2" ConfigPut
	./sacli --key "vpn.server.tls_version_min" --value "1.2" ConfigPut
	./sacli start
	popd