-
Notifications
You must be signed in to change notification settings - Fork 3
/
user-data.yaml
124 lines (109 loc) · 4.29 KB
/
user-data.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
## template: jinja
#cloud-config
# {# v0.2.1 #}
# {# ####### START REQUIRED SETTINGS ####### #}
# {# REQUIRED - Provide the Publisher enrolment key/token. Ensure to paste it within the double quotes! #}
# {# Leaving this as the default value will install the publisher software, but not enrol it. #}
{% set token = "TOKEN" %}
# {# OPTIONAL - Import an SSH key from a public keyserver (GitHub). Enter your GitHub username, eg: "nathancatania" #}
# {# Leave default if not needed #}
{% set gh_identity = "username" %}
# {# OPTIONAL - Add an authorized public SSH key to permit access to the Publisher host via npa username #}
# {# Leave default if not needed #}
{% set ssh_key = "ssh-rsa AAAABBBBCCCC..." %}
# {# ####### END REQUIRED SETTINGS ####### #}
# Update software packages
package_update: true
package_upgrade: true
# Install the following packages
packages:
- wget
- apt-transport-https
- ca-certificates
- curl
- gnupg
- lsb-release
- software-properties-common
- net-tools
- bind9-utils
- ufw
- cracklib-runtime
# create the docker group
groups:
- docker
# Add default auto created user to docker group
system_info:
default_user:
name: npa
groups: [docker]
{% if (gh_identity != "username") or (not gh_identity) %}
ssh_import_id:
- gh:{{ gh_identity }}
{% endif %}
{% if (ssh_key != "ssh-rsa AAAABBBBCCCC...") or (not ssh_key) %}
ssh_authorized_keys:
- {{ ssh_key }}
{% endif %}
# Harden SSH
write_files:
- path: /etc/ssh/sshd_config.d/00-cloud-init
content: |
X11Forwarding no
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,[email protected],diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
AllowTcpForwarding no
MaxSessions 10
- path: /etc/docker/daemon.json
content: |
{
"bridge": "none",
"iptables": false
}
# Configure and deploy publisher
runcmd:
- 'echo y | ufw enable'
- 'ufw allow to 191.1.1.1/32 proto tcp port 784'
- 'ufw allow to 191.1.1.1/32 proto udp port 785'
- 'ufw allow in on tun0 to any port 53 proto tcp'
- 'ufw allow in on tun0 to any port 53 proto udp'
- 'ufw allow 22/tcp'
- 'ufw allow in on lo'
- 'ufw deny in from 127.0.0.0/8'
- 'ufw deny in from ::1'
- 'ufw reload'
- 'curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -'
- 'add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"'
- 'apt-get update -y && apt-get install docker-ce docker-ce-cli containerd.io -y'
- systemctl start docker
- systemctl enable docker
- 'sleep 10'
- 'sg docker -c "docker pull netskopeprivateaccess/publisher:latest"'
- 'sg docker -c "docker tag netskopeprivateaccess/publisher:latest new_edge_access:latest"'
- 'mkdir /home/npa/resources'
- 'mkdir /home/npa/logs'
- 'sleep 3'
- 'docker run --rm --entrypoint cat new_edge_access:latest /home/npa_publisher_wizard > /home/npa/npa_publisher_wizard'
- 'sleep 3'
- 'chmod +x /home/npa/npa_publisher_wizard'
- 'chown npa:npa /home/npa/npa_publisher_wizard'
- 'wget https://s3-us-west-2.amazonaws.com/publisher.netskope.com/latest/generic/npa-publisher.ubuntu.service -O npa-publisher.service'
- 'mv npa-publisher.service /usr/lib/systemd/system'
- 'systemctl enable npa-publisher'
- 'sg docker -c "docker run --restart always --network=host --privileged --memory-swappiness=0 -e HOST_OS_TYPE=ubuntu -v /home/npa/resources:/home/resources -v /home/npa/logs:/home/logs -d new_edge_access:latest"'
- 'echo > /etc/securetty'
- 'passwd -d root'
- 'passwd --lock root'
- 'systemctl mask ctrl-alt-del.target'
- 'apt-get remove linux-firmware -y'
- sh -c "echo 'kernel.core_pattern=|/bin/false' > /etc/sysctl.d/50-coredump.conf"
- 'sysctl -p /etc/sysctl.d/50-coredump.conf'
- systemctl restart ssh
- 'apt autoremove -y'
- 'apt-get clean -y'
{% if (token != "TOKEN") or (not token) %}
- "/home/npa/npa_publisher_wizard -token {{ token }}"
{% endif %}