initial commit

Author: jvsteiner

.gitignore

@@ -0,0 +1,24 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+public_dns.txt

deploy.tf

@@ -0,0 +1,98 @@
+provider "aws" {
+  # region          = "us-east-1"
+  # region          = "us-east-2"
+  # region          = "us-west-1"
+  # region          = "us-west-2"
+  region          = "ap-south-1"
+  # region          = "ap-northeast-2"
+  # region          = "ap-southeast-1"
+  # region          = "ap-southeast-2"
+  # region          = "ap-northeast-1"
+  # region          = "eu-central-1"
+  # region          = "eu-west-1"
+  # region          = "eu-west-2"
+  # region          = "eu-west-3"
+  # region          = "eu-north-1"
+  # region          = "ca-central-1"
+  # region          = "cn-north-1"
+  # region          = "sa-east-1"
+}
+
+resource "aws_instance" "ssocks" {
+  count           = 1 # number of copies to spin up - if you put 1000 here, your bill might surprise you...
+  ami             = "${data.aws_ami.ubuntu.id}"
+  instance_type   = "t2.micro"
+  key_name        = "narc_key"
+  security_groups = [
+    "${aws_security_group.ssh_https.name}"
+  ]
+
+  provisioner "remote-exec" {
+    script        = "scripts/provision.sh"
+    connection {
+      type        = "ssh"
+      user        = "ubuntu"
+      private_key = "${file("~/.ssh/narc_key.pem")}"
+    }
+  }
+
+  # Return the public dns names into a local file for later use.
+  provisioner "local-exec" {
+    command       = "echo ${self.public_dns} >> public_dns.txt"
+  }
+}
+
+resource "aws_security_group" "ssh_https" {
+  count           = 1
+  name            = "ssh_https"
+  description     = "Allow all inbound traffic"
+
+  ingress {
+    from_port     = 443
+    to_port       = 443
+    protocol      = "tcp"
+    cidr_blocks   = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port     = 22
+    to_port       = 22
+    protocol      = "tcp"
+    cidr_blocks   = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port     = 0
+    to_port       = 65535
+    protocol      = "tcp"
+    cidr_blocks   = ["0.0.0.0/0"]
+  }
+
+  tags            = {
+    Name          = "ssh_https"
+  }
+}
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}
+
+resource "null_resource" "after_cleanup" {
+  provisioner "local-exec" {
+    when          = "destroy"
+    command       = "rm -f public_dns.txt"
+  }
+}
+
+resource "null_resource" "before_cleanup" {
+  provisioner "local-exec" {
+    command       = "rm -f public_dns.txt"
+  }
+}

scripts/provision.sh

@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+sudo apt update && sudo apt upgrade -yuf
+sudo apt-get install -y --no-install-recommends gettext build-essential autoconf libtool libpcre3-dev asciidoc xmlto libev-dev libudns-dev automake libmbedtls-dev libsodium-dev git python-m2crypto libc-ares-dev
+cd /opt
+sudo git clone https://github.com/shadowsocks/shadowsocks-libev.git
+cd shadowsocks-libev
+sudo git submodule update --init --recursive
+sudo ./autogen.sh
+sudo ./configure
+sudo make && sudo make install
+sudo adduser --system --no-create-home --group shadowsocks
+sudo mkdir -m 755 /etc/shadowsocks
+ip=`ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1'`
+
+printf "{\n\
+    \"server\":\"$ip\",\n\
+    \"server_port\":443,\n\
+    \"password\":\"holymoly\",\n\
+    \"timeout\":300,\n\
+    \"method\":\"aes-256-gcm\",\n\
+    \"fast_open\": true\n}\n" | sudo tee /etc/shadowsocks/shadowsocks.json
+
+sudo bash -c 'cat >/etc/sysctl.d/local.conf <<EOL
+# max open files
+fs.file-max = 51200
+# max read buffer
+net.core.rmem_max = 67108864
+# max write buffer
+net.core.wmem_max = 67108864
+# default read buffer
+net.core.rmem_default = 65536
+# default write buffer
+net.core.wmem_default = 65536
+# max processor input queue
+net.core.netdev_max_backlog = 4096
+# max backlog
+net.core.somaxconn = 4096
+# resist SYN flood attacks
+net.ipv4.tcp_syncookies = 1
+# reuse timewait sockets when safe
+net.ipv4.tcp_tw_reuse = 1
+# turn off fast timewait sockets recycling
+net.ipv4.tcp_tw_recycle = 0
+# short FIN timeout
+net.ipv4.tcp_fin_timeout = 30
+# short keepalive time
+net.ipv4.tcp_keepalive_time = 1200
+# outbound port range
+net.ipv4.ip_local_port_range = 10000 65000
+# max SYN backlog
+net.ipv4.tcp_max_syn_backlog = 4096
+# max timewait sockets held by system simultaneously
+net.ipv4.tcp_max_tw_buckets = 5000
+# turn on TCP Fast Open on both client and server side
+net.ipv4.tcp_fastopen = 3
+# TCP receive buffer
+net.ipv4.tcp_rmem = 4096 87380 67108864
+# TCP write buffer
+net.ipv4.tcp_wmem = 4096 65536 67108864
+# turn on path MTU discovery
+net.ipv4.tcp_mtu_probing = 1
+# for high-latency network
+net.ipv4.tcp_congestion_control = hybla
+# for low-latency network, use cubic instead
+net.ipv4.tcp_congestion_control = cubic
+EOL'
+
+sudo sysctl --system
+
+sudo bash -c 'cat >/etc/systemd/system/shadowsocks.service <<EOL
+[Unit]
+Description=Shadowsocks proxy server
+
+[Service]
+User=root
+Group=root
+Type=simple
+ExecStart=/usr/local/bin/ss-server -c /etc/shadowsocks/shadowsocks.json -a shadowsocks -v start
+ExecStop=/usr/local/bin/ss-server -c /etc/shadowsocks/shadowsocks.json -a shadowsocks -v stop
+
+[Install]
+WantedBy=multi-user.target
+EOL'
+
+sudo systemctl daemon-reload
+sudo systemctl enable shadowsocks
+sudo systemctl start shadowsocks

ssh_to.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+n=`sed "${1}q;d" public_dns.txt`
+ssh -t -o "StrictHostKeyChecking no" -o "UserKnownHostsFile /dev/null" -i ~/.ssh/narc_key.pem ubuntu@$n