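#!/bin/bash
#
# EC2 user-data bootstrap for a WireGuard access server: attach the Elastic IP,
# install WireGuard, restore-or-generate wg0.conf, build and start wgas-rs.
#
# The ${...} placeholders (EIP_ID, REGION, CONFIG_BUCKET, WIREGUARD_INTERFACE,
# WIREGUARD_PORT) are never assigned in this script, so they are presumably
# filled in by a templating layer before the script reaches the instance
# (looks like Terraform templatefile — confirm). Shell-only variables are
# therefore written as $name without braces so the templater does not try to
# interpolate them.
#
# set -x sends every command line to the cloud-init log. No secret is expanded
# on a traced command line (the private key only appears inside a heredoc and
# a command substitution, which xtrace does not print), so tracing is kept for
# troubleshooting; identifiers such as the allocation ID and bucket name are
# logged.
set -x

# Elastic IP attachment
#
# awscli is only installed by the apt step further down, and stock Ubuntu AMIs
# do not ship it, so make sure the command exists before relying on it here.
if ! command -v aws >/dev/null 2>&1; then
  apt-get update
  apt-get install -y awscli
fi

# IMDSv2: obtain a session token and present it on the metadata request. The
# original IMDSv1 GET returns an empty body when the instance is launched with
# HttpTokens=required, which silently broke the associate-address call.
imds_token=$(curl -s -X PUT "http://169.254.169.254/latest/api/token" \
  -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
INSTANCE_ID=$(curl -s -H "X-aws-ec2-metadata-token: $imds_token" \
  http://169.254.169.254/latest/meta-data/instance-id)

if [[ -z "$INSTANCE_ID" ]]; then
  echo "[-] Could not read instance-id from IMDS; skipping Elastic IP attachment" >&2
else
  aws ec2 associate-address --allocation-id "${EIP_ID}" \
    --instance-id "$INSTANCE_ID" --region "${REGION}" \
    || echo "[-] Elastic IP association failed for $INSTANCE_ID" >&2
fi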
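# Install WireGuard and other dependencies
#
# User-data runs without a TTY, so a debconf prompt would hang the boot; force
# the non-interactive frontend. Refresh the package index before the first
# install as well — a fresh AMI may have stale or missing apt lists, which
# made the original's first apt-get install fail.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y software-properties-common

# NOTE(review): ppa:wireguard/wireguard is only needed on Ubuntu releases older
# than 20.04; from 20.04 the wireguard package is in the main archive and the
# PPA is no longer maintained. Kept for parity with the original — check the
# target AMI before removing it.
add-apt-repository -y ppa:wireguard/wireguard
apt-get update

# Headers for the running kernel, presumably so the PPA's DKMS module can build;
# harmless on kernels that already ship WireGuard.
apt-get install -y "linux-headers-$(uname -r)"
apt-get install -y wireguard iptables resolvconf awscli git sudo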
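# Initialization WireGuard configs
#
# wg0.conf embeds the interface private key, so every file written in this
# section is created under umask 077 (owner-only). The original ran with root's
# default umask 022, which left the key world-readable in /opt/privkey and in
# /etc/wireguard/wg0.conf (wg-quick warns about exactly this).
saved_umask=$(umask)
umask 077
mkdir -p /etc/wireguard
chmod 700 /etc/wireguard

# Outbound interface for MASQUERADE. The original hard-coded eth0, which does
# not exist on AMIs using predictable interface names (e.g. ens5 on Nitro
# instances), so forwarding silently failed there. Derive it from the default
# route and fall back to eth0 only if nothing is found.
egress_if=$(ip -o route show default 2>/dev/null | awk '{print $5; exit}')
[[ -n "$egress_if" ]] || egress_if=eth0

# NOTE: head-object fails on 403 as well as 404, so a bucket permission problem
# is indistinguishable from "no config yet" and would trigger a fresh key pair
# (plus an upload that will also fail). If a replaced instance unexpectedly
# comes up with a new key, check the instance role's S3 permissions first.
if aws s3api head-object --bucket "${CONFIG_BUCKET}" --key wg0.conf >/dev/null 2>&1; then
  echo "[+] Copying existing WireGuard config to system from s3://${CONFIG_BUCKET}"
  aws s3 cp "s3://${CONFIG_BUCKET}/wg0.conf" /etc/wireguard/wg0.conf
else
  echo "[+] Generating new WireGuard config"
  # Private key lands in /opt/privkey with mode 600; the public key is derived
  # from that file. Both paths are kept where the original put them. The public
  # key is not secret, so it stays readable as before.
  wg genkey > /opt/privkey
  wg pubkey < /opt/privkey > /opt/pubkey
  chmod 644 /opt/pubkey
  cat << EOF > /etc/wireguard/wg0.conf
[Interface]
Address = ${WIREGUARD_INTERFACE}
ListenPort = ${WIREGUARD_PORT}
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o $egress_if -j MASQUERADE;
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o $egress_if -j MASQUERADE;
PrivateKey = $(cat /opt/privkey)
SaveConfig = true
EOF
  # The config — private key included — is persisted to S3 in the clear so a
  # replacement instance can reuse the same identity. Nothing here enforces
  # that the bucket is private or encrypted at rest; that must be guaranteed by
  # the bucket policy / default encryption on the infrastructure side.
  aws s3 cp /etc/wireguard/wg0.conf "s3://${CONFIG_BUCKET}/wg0.conf"
fi
chmod 600 /etc/wireguard/wg0.conf
umask "$saved_umask"

# NOTE(review): SaveConfig = true makes wg-quick rewrite wg0.conf on interface
# down (e.g. peers added at runtime), but the S3 copy is taken only once here,
# so the two will drift. Also, this script never brings wg0 up (no
# wg-quick@wg0); presumably wgas-rs or a later step does — confirm.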
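# Install Rust and app as a systemd service
#
# build-essential provides the C toolchain cargo needs for linking. The script
# already runs as root, so plain apt-get (the scripting-friendly CLI used
# everywhere else in this file) is used instead of sudo apt.
apt-get install -y build-essential

# The toolchain and checkout are installed as the unprivileged 'ubuntu' user
# (see sudo -u below), so they land in /home/ubuntu. The heredoc is quoted so
# its contents are written literally; '~' is resolved at run time by the
# ubuntu shell, not here.
#
# Supply-chain caveats recorded, not fixed, here:
#  - rustup is installed by piping a remote script into sh (the upstream
#    documented method, but unpinned and trusted on TLS alone).
#  - wgas-rs is cloned from the default branch of a public GitHub repository
#    with no commit or tag pin and built on whatever nightly is current, so
#    every boot builds whatever upstream has at that moment.
#
# set -e inside the helper: in the original, a failed rustup or clone did not
# stop the script, so 'cd ~/wgas-rs' failed and 'cargo build' ran in $HOME.
cat << 'EOF' > /opt/install_app.sh
#!/bin/bash
set -e
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | RUSTUP_HOME=~/.rustup sh -s -- -y
source ~/.cargo/env
git clone https://github.com/lalanza808/wgas-rs ~/wgas-rs
cd ~/wgas-rs
rustup override set nightly
cargo build --release
EOF
chmod +x /opt/install_app.sh
# -H makes HOME explicitly the target user's home so '~' in the helper resolves
# to /home/ubuntu regardless of the sudoers env_reset/HOME policy on the AMI.
sudo -H -u ubuntu /opt/install_app.sh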
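# Dedicated unprivileged account for the service: no login shell, no home.
useradd wgas-rs -s /sbin/nologin -M

# Unit file. Fix vs. the original: StartLimitIntervalSec= is a [Unit] option
# and is case-sensitive; written as 'startLimitIntervalSec' under [Service],
# systemd logs "Unknown key name ... ignoring" and the restart rate limit was
# never applied (systemd >= 230 syntax; older units used StartLimitInterval=
# in [Service]).
#
# NOTE(review): the binary is executed from /home/ubuntu, which the 'ubuntu'
# account can modify (so the User= separation only limits what the service
# itself can touch), and that directory is not traversable by wgas-rs on
# releases where home directories are created 0750 — consider installing the
# built binary to /usr/local/bin or /opt. Whether the service needs
# CAP_NET_ADMIN or sudo to drive wg0 is not visible from this script, so no
# sandboxing directives (NoNewPrivileges, ProtectSystem, ...) were added; they
# would break a sudo-based design.
cat << 'EOF' > /lib/systemd/system/wgas-rs.service
[Unit]
Description=WireGuard Access Server Service
ConditionPathExists=/home/ubuntu/wgas-rs/target/release/wgas-rs
After=network.target
StartLimitIntervalSec=60

[Service]
Type=simple
User=wgas-rs
Group=wgas-rs
LimitNOFILE=1024

Restart=on-failure
RestartSec=10

WorkingDirectory=/home/ubuntu/wgas-rs
ExecStart=/home/ubuntu/wgas-rs/target/release/wgas-rs

# make sure log directory exists and owned by syslog
# (PermissionsStartOnly runs the ExecStartPre lines as root, not as wgas-rs)
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /var/log/wgas-rs
ExecStartPre=/bin/chown syslog:adm /var/log/wgas-rs
ExecStartPre=/bin/chmod 755 /var/log/wgas-rs
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=wgas-rs

[Install]
WantedBy=multi-user.target
EOF
# Unit files are data, not executables: 0644 rather than the original 0755.
chmod 644 /lib/systemd/system/wgas-rs.service
systemctl daemon-reload
systemctl enable wgas-rs
systemctl start wgas-rs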