@zipcode
Last active November 2, 2017 00:22
More generic cloud-config for setting up a bare IPSec/IKEv2 VPN
#cloud-config
# Edit the "for person in ..." line of /root/makesecrets.sh below to list your users
# Edit the letsencrypt command under runcmd below: remove --staging and insert your
# email address (--staging issues a test certificate that VPN clients will not trust)
packages:
  - strongswan
  - strongswan-plugin-eap-mschapv2
  - letsencrypt
package_upgrade: true
write_files:
  - path: /etc/ipsec.conf
    content: |
      conn vpn2
        auto=add
        keyexchange=ikev2
        leftauth=pubkey
        leftcert=fullchain.pem
        leftid="@$FQDN"
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        rightauth=eap-mschapv2
        eap_identity=%any
        rightsendcert=never
        rightdns=8.8.8.8
        rightsourceip=10.0.98.0/24
      # Legacy IKEv1/XAuth variant, left disabled. Its ike= line pins modp1024
      # (1024-bit DH) and SHA-1, both below current recommendations.
      #conn vpn
      #  auto=add
      #  keyexchange=ikev1
      #  leftauth=pubkey
      #  leftcert=fullchain.pem
      #  leftid="@$FQDN"
      #  leftsendcert=always
      #  leftsubnet=0.0.0.0/0
      #  right=%any
      #  rightauth=xauth
      #  rightsendcert=never
      #  rightdns=8.8.8.8
      #  rightsourceip=10.0.98.0/24
      #  ike=aes128-sha1-modp1024!
      #  esp=aes128-sha1!
  - path: /tmp/nat.rules
    content: |
      # NAT rules
      *nat
      :POSTROUTING ACCEPT [0:0]
      -A POSTROUTING -s 10.0.98.0/24 -o eth0 -j MASQUERADE
      COMMIT
  - path: /tmp/filter.rules
    content: |
      # Pass encapsulated packets
      -A ufw-before-forward -s 10.0.98.0/24 -m policy --pol ipsec --dir in -j ACCEPT
      -A ufw-before-forward -d 10.0.98.0/24 -m policy --pol ipsec --dir out -j ACCEPT
  - path: /etc/ipsec.secrets
    # cloud-init writes files as 0644 unless told otherwise; makesecrets.sh appends
    # the users' EAP passwords to this file, so keep it readable by root only
    permissions: '0600'
    content: |
      : RSA privkey.pem
  - path: /etc/apparmor.d/local/usr.lib.ipsec.charon
    content: |
      /etc/letsencrypt/archive/** r,
  - path: /root/makesecrets.sh
    content: |
      #!/bin/bash
      # One random EAP password per user, appended to /etc/ipsec.secrets.
      # 6 base64-encoded random bytes is 48 bits of entropy; raise the byte
      # count for stronger passwords.
      for person in zip; do # list your users here
        printf '%s : EAP "%s"\n' "$person" "$(openssl rand -base64 6)" >> /etc/ipsec.secrets
      done
runcmd:
  - sed -i "1 r /tmp/nat.rules" /etc/ufw/before.rules
  - sed -i "/^# End required lines$/r /tmp/filter.rules" /etc/ufw/before.rules
  - sed -i "s/\$FQDN/`hostname -f`/g" /etc/ipsec.conf
  - sed -i 's|^#\(net/ipv4/ip_forward=1\)|\1|' /etc/ufw/sysctl.conf
  - sed -i "s|#\(include <local/usr.lib.ipsec.charon>\)|\1|" /etc/apparmor.d/usr.lib.ipsec.charon
  - apparmor_parser -r /etc/apparmor.d/usr.lib.ipsec.charon
  - ufw allow proto udp to any port 500
  - ufw allow proto udp to any port 4500
  - ufw allow proto ah to any
  - ufw allow proto esp to any
  - ufw allow ssh
  - ufw enable
  # letsencrypt's standalone authenticator answers the challenge itself, so 443 is
  # opened only for issuance and closed again afterwards; reopen it before renewing
  - ufw allow https
  - letsencrypt -d `hostname -f` --agree-tos --email you@example.com --staging --keep certonly
  - ufw deny https
  - ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem /etc/ipsec.d/private/privkey.pem
  - ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem /etc/ipsec.d/certs/fullchain.pem
  - ln -s /etc/letsencrypt/live/`hostname -f`/chain.pem /etc/ipsec.d/cacerts/chain.pem
  - chmod u+x /root/makesecrets.sh
  - /root/makesecrets.sh
  - ipsec restart
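The makesecrets.sh loop in the cloud-config above generates each user's EAP password from 6 random bytes, appends it to /etc/ipsec.secrets with whatever mode that file already has, and will happily add the same user twice. The script below is an added example (not code from the gist or from strongSwan) of a stricter version of that step: it creates the secrets file root-only, defaults to 18 random bytes, rejects user names that would break the `user : EAP "password"` line syntax, and refuses to overwrite an existing secret. The function names, the 18-byte default and passing the secrets file as an argument are this example's own choices; the line format is strongSwan's.

```shell
#!/bin/sh
# Added example, not part of the gist: a stricter replacement for makesecrets.sh.
# Function names, the byte-count default and the secrets-file argument are this
# example's own choices; the 'user : EAP "password"' line format is strongSwan's.
set -eu

# Print a random EAP password made from N bytes of /dev/urandom, base64-encoded.
# The gist uses 6 bytes (48 bits of entropy); the default here is 18 bytes (144 bits).
gen_secret() {
    nbytes=${1:-18}
    head -c "$nbytes" /dev/urandom | base64 | tr -d '\n'
}

# add_vpn_user NAME SECRETS_FILE [NBYTES]
# Appends 'NAME : EAP "password"' to SECRETS_FILE, creating it root-only (0600),
# and prints the password so it can be handed to the user. Exit status:
#   1 if NAME is empty or contains whitespace or quotes (would corrupt the file)
#   2 if NAME already has an EAP line (never silently replace a password)
add_vpn_user() {
    user=$1
    secrets_file=$2
    nbytes=${3:-18}
    case $user in
        ''|*[[:space:]]*|*\"*|*\'*)
            echo "add_vpn_user: bad user name '$user'" >&2
            return 1 ;;
    esac
    if [ ! -e "$secrets_file" ]; then
        ( umask 077; : > "$secrets_file" )
    fi
    chmod 0600 "$secrets_file"
    # Exact match on the first three fields, so "alice" does not collide with "alice2".
    if awk -v u="$user" '$1 == u && $2 == ":" && $3 == "EAP" { found = 1 } END { exit !found }' "$secrets_file"; then
        echo "add_vpn_user: $user already has an EAP secret" >&2
        return 2
    fi
    secret=$(gen_secret "$nbytes")
    printf '%s : EAP "%s"\n' "$user" "$secret" >> "$secrets_file"
    printf '%s\n' "$secret"
}

# secrets_mode_ok FILE: succeed only if FILE is unreadable by group and others.
# This is the check a secrets file written with cloud-init's default 0644 would fail.
secrets_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage, mirroring the gist's loop (run as root on the VPN host):
#   for person in zip; do add_vpn_user "$person" /etc/ipsec.secrets; done
```

Run it as root on the host after strongSwan is installed; `ipsec rereadsecrets` (or the gist's `ipsec restart`) makes the new lines visible to charon.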