Revision 508d7dfecfa86c1d95aee85ecebacd4ceb651625 authored by Emma O'Neill on 06 August 2019, 17:13:29 UTC, committed by Emma O'Neill on 08 August 2019, 20:42:38 UTC
1 parent 54434e4
nginx.yml
#cloud-config
# Launch instance with a network interface configured to the local IP addresses we references in the config.
# Specify availability zone as we have a different subnet in each one.
# $ aws --profile production ec2 run-instances --user-data file://nginx.yml --iam-instance-profile Name="proxy" --image-id ami-5189a661 --instance-type t2.medium --region us-west-2 --placement AvailabilityZone=us-west-2c --network-interfaces '[{"DeviceIndex": 0, "Groups": ["sg-4ae7be2f"], "SubnetId": "subnet-201d1766", "PrivateIpAddresses": [{"PrivateIpAddress": "172.31.2.70", "Primary": true}, {"PrivateIpAddress": "172.31.2.78", "Primary": false}, {"PrivateIpAddress": "172.31.2.79", "Primary": false}]}]'
# Choose instance size based on network performance required.
# After boot associate elastic ip addresses with the private ip addresses
# $ aws --profile production ec2 associate-address --region us-west-2 --public-ip 52.11.61.187 --private-ip-address 172.31.2.70 --allow-reassociation --instance-id <instance-id>
# $ aws --profile production ec2 associate-address --region us-west-2 --public-ip 52.88.20.43 --private-ip-address 172.31.2.78 --allow-reassociation --instance-id <instance-id>
# $ aws --profile production ec2 associate-address --region us-west-2 --public-ip 52.32.76.4 --private-ip-address 172.31.2.79 --allow-reassociation --instance-id <instance-id>
apt_sources:
- source: ppa:nginx/stable
bootcmd:
- cloud-init-per once ssh-users-ca echo "TrustedUserCAKeys /etc/ssh/users_ca.pub" >> /etc/ssh/sshd_config
output:
all: '| tee -a /var/log/cloud-init-output.log'
package_upgrade: true
packages:
- awscli
- curl
- dnsmasq
- nginx-full
- ntp
- unattended-upgrades
- update-notifier-common
power_state:
mode: reboot
runcmd:
- aws --region us-west-2 s3 cp s3://encoded-conf-proxy/ssl.tgz ssl.tgz
- mkdir -p /etc/nginx/ssl
- tar -zxf ssl.tgz --directory /etc/nginx/ssl
# Generate a big prime number for DH SSL (takes a few minutes.)
- openssl dhparam 2048 -out /etc/nginx/ssl/dhparam.pem
- chmod 600 /etc/nginx/ssl/dhparam.pem
- curl -o /etc/nginx/nginx.conf https://raw.githubusercontent.com/ENCODE-DCC/encoded/master/encode-proxy-nginx.conf
# The final octets of the local IP addresses configured above match the public IPs
- sed -i.bak s/171.67.205./172.31.2./g /etc/nginx/nginx.conf
write_files:
- path: /etc/apt/apt.conf.d/20auto-upgrades
content: |
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
- path: /etc/apt/apt.conf.d/50unattended-upgrades
content: |
Unattended-Upgrade::Allowed-Origins {
"${distro_id} ${distro_codename}-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
- path: /etc/motd
content: |
#########################################
## Nginx proxy server ##
## For demo instances: ##
## ssh <name>.instance.encodedcc.org ##
#########################################
- path: /etc/network/interfaces.d/eth0.cfg
content: |
# The primary network interface
auto eth0
iface eth0 inet dhcp
post-up ip addr add 172.31.2.78/20 dev eth0
post-up ip addr add 172.31.2.79/20 dev eth0
- path: /etc/ssh/users_ca.pub
content: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAv/ymOcnN4LhM4NACc3Or116XXJ6KytuOgB/+1qNkOFBqBosrn7cmJ35rsoNHRgYNrCsRE9ch74RKsN6H72FtSJgBhGh/9oUK7Os6Fqt3/ZZXxgxIx6ubs/MTgrxrAnujiBxUXMXQhLKMriNMpo8mt4nGYVtLk9PBjiyfncaS8H9ZKoNio9dhP8bmTuYvioAI35dqKdSlVLyzr/XkZxia8Ki+pQ0N6uuiEwMR3ToM+LSp8wpFOOAiu4PEAujRW7us/+1hlpKWfn0J7/V3826joHE+I967Vg/+ikcVhF77JjK1nib879VgCWfmn1HPQosIpk4yJfVgGvRVI7I2nfBPVw== encoded@demo-l.encodedcc.org
Computing file changes ...
