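#cloud-config
# Terraform template for the security-gateway (SGW) VM user-data.
# `${VAR}` is expanded by Terraform before cloud-init parses the file;
# `$${...}` is the Terraform escape that yields a literal `${...}`.
datasource:
  Ec2:
    # Accept the Ec2 datasource even when the instance id does not look
    # like an AWS one (Ec2-compatible metadata services).
    strict_id: false

# Turns on sshd PasswordAuthentication host-wide. The admin user below is
# given only an authorized key (no password is set), so this is not needed
# for that login; set it to false unless password logins are deliberately
# required for other accounts.
ssh_pwauth: true

users:
  - name: "${ADMIN_NAME}"
    sudo: ALL=(ALL) NOPASSWD:ALL
    shell: /bin/bash
    ssh-authorized-keys:
      - "${ADMIN_SSH_KEY}"

write_files:
  # One-shot provisioning script, executed by runcmd below. The rendered
  # user-data (including PSK) is readable from the instance metadata
  # service, and this file keeps a root-readable copy of it under /root.
  - path: "/root/sgw-init.sh"
    permissions: "0740"
    content: |
      #!/bin/bash
      # docker group membership is root-equivalent on the host.
      # Assumes docker (and its group) is already present in the image.
      usermod -a -G docker ${ADMIN_NAME}

      # Get strongSwan container image version (tag).
      # Assumes exactly one local strongswan image; several tags would
      # make SWAN_VER multi-line and break the `docker create` below.
      SWAN_VER=$(docker image ls strongswan --format "{{.Tag}}")

      # Create SGW container. Host networking plus NET_ADMIN/SYS_ADMIN/
      # SYS_MODULE makes this container effectively root on the host.
      # PSK is handed over as an environment variable, so it is visible
      # via `docker inspect` and the container's process environment.
      docker create --name=strongswan --hostname=strongswan --network=host \
        --cap-add=NET_ADMIN --cap-add=SYS_ADMIN --cap-add=SYS_MODULE \
        --env REMOTE_SGW_IP="${REMOTE_SGW_IP}" \
        --env POLICY_NAME="${POLICY_NAME}" \
        --env IKE_PROPOSAL="${IKE_PROPOSAL}" \
        --env ESP_PROPOSAL="${ESP_PROPOSAL}" \
        --env PSK="${PSK}" \
        strongswan:$SWAN_VER
      docker start strongswan

      # Add ip routes via ipsec0 tunnel. ROUTE_LIST is a ';'-separated list
      # of route commands; each is appended to /etc/rc.local (for reboots;
      # presumably rc.local exists and is executable on the image — verify)
      # and to /root/add-routes.sh, which runcmd executes once.
      rlist="${ROUTE_LIST}"
      IFS=';'; IN=($rlist); unset IFS;
      for r in "$${IN[@]}" ;
      do
        echo $r | tee -a /etc/rc.local
        echo $r | tee -a /root/add-routes.sh
      done

      # Prepare a shared volume for both containers. The tmpfs is not added
      # to fstab, so it does not survive a reboot.
      mkdir -p /opt/webhc
      mount -t tmpfs tmpfs /opt/webhc -o size=1m

      # Create Web-HC container (same single-image assumption as above).
      WEBHC_VER=$(docker image ls web-hc --format "{{.Tag}}")
      docker create --name=web-hc --hostname=web-hc \
        --network=host \
        --volume=/opt/webhc:/var/www/local \
        web-hc:$WEBHC_VER
      docker start web-hc

      # Schedule the IPsec tunnel status checker. The entry is installed
      # disabled (leading '#'); drop the '#' to activate it. A quoted
      # heredoc keeps $0 and the awk quotes out of shell expansion, and
      # `docker exec` runs without -it because cron provides no TTY.
      # NOTE(review): `swanctl --list-conns` may not print INSTALLED
      # (`--list-sas` does) — confirm before enabling.
      crontab - <<'EOF'
      #* * * * * docker exec strongswan swanctl --list-conns | head -1 | awk '{split($0,a,":"); print a[1]}' | grep -q INSTALLED && touch /opt/webhc/status-ok || rm -f /opt/webhc/status-ok
      EOF

runcmd:
  - sleep 1
  # runcmd already executes as root; no sudo step is required here.
  - /root/sgw-init.sh
  # add-routes.sh is only created when ROUTE_LIST was non-empty.
  - if [ -f /root/add-routes.sh ]; then chmod +x /root/add-routes.sh; /root/add-routes.sh; fi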