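#!/bin/bash
#
# EC2 user-data bootstrap for the "spot-1" host: applies OS updates, pulls
# configuration and key material from S3, brings up sshd, nginx and openvpn,
# installs the log-condense cron job and finally claims the shared Elastic IP.
#
# Assumptions: runs as root (yum, iptables, writes under /etc); the instance
# profile role is exposed by IMDS as iam/security-credentials/Spot-1 and may
# read the S3 prefix below and call ec2:DescribeAddresses,
# ec2:DisassociateAddress and ec2:AssociateAddress.

# A useful default
# Unfortunately broken for `aws s3` subcommand right now, so every
# `aws s3 cp` passes --region explicitly (see s3_get).
export AWS_DEFAULT_REGION='us-west-2'

readonly S3_BASE='s3://org.altmeta.data/spot-1'
readonly IMDS='http://169.254.169.254/latest'

#######################################
# Copy one object from the spot-1 S3 prefix to a local path.
# Arguments: $1 - object name relative to S3_BASE
#            $2 - destination path
#######################################
s3_get() {
  aws s3 cp "${S3_BASE}/$1" "$2" --region "$AWS_DEFAULT_REGION"
}

#######################################
# Read a path from the instance metadata service.
# Requests an IMDSv2 session token first and sends it when the PUT succeeds;
# if the token request fails the call degrades to a plain IMDSv1 GET, so the
# script works whether or not IMDSv2 is enforced on the instance.
# Arguments: $1 - path below $IMDS, e.g. meta-data/instance-id
# Outputs:   response body on stdout (empty on failure)
#######################################
imds_get() {
  local token hdr=()
  token=$(curl -sf -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 300' \
    "${IMDS}/api/token") || token=
  [ -n "$token" ] && hdr=(-H "X-aws-ec2-metadata-token: ${token}")
  curl -sf "${hdr[@]}" "${IMDS}/$1"
}

#######################################
# Extract one string field from the IMDS credentials document.
# The document is the fixed one-key-per-line JSON IMDS emits, which is the
# only reason grep+sed is acceptable here; do not reuse for arbitrary JSON.
# Globals:   SECURITY_CREDENTIALS (read)
# Arguments: $1 - field name (AccessKeyId, SecretAccessKey, Token)
# Outputs:   field value on stdout
#######################################
cred_field() {
  printf '%s\n' "$SECURITY_CREDENTIALS" \
    | grep "\"$1\"" \
    | sed -e "s/.*\"$1\".*:.*\"\(.*\)\".*/\1/"
}

# Explicitly get security credentials once, to avoid timeouts.
# These are temporary role credentials that expire (the document carries an
# "Expiration" field); they only need to outlive this bootstrap run.
SECURITY_CREDENTIALS=$(imds_get meta-data/iam/security-credentials/Spot-1/)
if [ -z "$SECURITY_CREDENTIALS" ]; then
  printf 'warning: no role credentials from IMDS; aws cli falls back to its own credential chain\n' >&2
fi
AWS_ACCESS_KEY_ID=$(cred_field AccessKeyId)
AWS_SECRET_ACCESS_KEY=$(cred_field SecretAccessKey)
AWS_SECURITY_TOKEN=$(cred_field Token)
# AWS_SECURITY_TOKEN is the legacy variable name; newer CLIs/SDKs read
# AWS_SESSION_TOKEN, so export the same value under both.
AWS_SESSION_TOKEN=$AWS_SECURITY_TOKEN
export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SECURITY_TOKEN AWS_SESSION_TOKEN

# Install all security patches
yum -y update

# Install a profile.d script
s3_get aws-default-region.sh /etc/profile.d/aws-default-region.sh

# Load configuration and a known host key for ssh
s3_get sshd_config /etc/ssh/sshd_config
s3_get ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key
s3_get ssh_host_rsa_key.pub /etc/ssh/ssh_host_rsa_key.pub
# `aws s3 cp` creates files under the default umask; the private host key
# must be readable by root only.
chmod 600 /etc/ssh/ssh_host_rsa_key
service sshd force-reload

# Install, configure, and run nginx
yum -y install nginx
s3_get nginx.conf /etc/nginx/nginx.conf
s3_get ping /usr/share/nginx/html/ping
service nginx start

# Install, configure, and run openvpn
yum -y install openvpn
s3_get openvpn.conf /etc/openvpn/openvpn.conf
s3_get keys.tgz /etc/openvpn/keys.tgz
# The archive stays on disk after extraction; presumably it holds the VPN
# key material, so keep it root-only. Extracted files take the modes stored
# in the archive (tar runs as root here).
chmod 600 /etc/openvpn/keys.tgz
tar xzvvf /etc/openvpn/keys.tgz -C /etc/openvpn/

# copied from https://github.com/viljoviitanen/setup-simple-openvpn/blob/master/setup.sh
# Let the kernel route packets between interfaces (needed for tun0 <-> eth0).
echo 1 > /proc/sys/net/ipv4/ip_forward
# Accept inbound UDP 4494 — presumably the port openvpn.conf listens on; confirm.
iptables -I INPUT -p udp --dport 4494 -j ACCEPT
# NAT the VPN client subnet 192.168.2.0/24 behind eth0's address on the way out.
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 0.0.0.0/0 -o eth0 -j MASQUERADE
# Allow forwarded traffic in both directions between the tunnel and eth0.
# NOTE(review): these rules are not persisted; they are re-applied only when
# user-data runs again.
iptables -I FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o eth0 -j ACCEPT

service openvpn start

# Install ruby
yum -y install ruby22

# Install log-condense cron
gem2.2 install 'aws-sdk-resources'
s3_get log_condense /usr/local/bin/log_condense
chmod +x /usr/local/bin/log_condense
s3_get cron.d/log-condense /etc/cron.d/log-condense

# Reclaim our IP address, evicting current user if exists
# This is done last in case another instance is already running
readonly ALLOC_ID='eipalloc-0c528b69'
ASSOC_ID=$(aws ec2 describe-addresses --allocation-ids "$ALLOC_ID" \
  | grep AssociationId \
  | sed -e 's/.*"AssociationId": "\(.*\)".*/\1/')
if [ -n "$ASSOC_ID" ]; then
  aws ec2 disassociate-address --association-id "$ASSOC_ID"
fi
INSTANCE_ID=$(imds_get meta-data/instance-id)
aws ec2 associate-address --instance-id "$INSTANCE_ID" --allocation-id "$ALLOC_ID"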

