stacco 0.1.0

data/priv/cloud-init/common.after.sh

@@ -0,0 +1,17 @@
+# hit aws bootstrapping webhook
+unique_id=$(uuidgen -t)
+
+aws_wait_handle_response_file="/tmp/cf-wait-handle-response.json"
+
+cat >"${aws_wait_handle_response_file}" <<EOF
+{"Status": "SUCCESS",
+ "Reason": "Configuration Complete",
+ "UniqueId": "${unique_id}",
+ "Data": "Application has completed configuration."
+}
+EOF
+
+curl -s -T "${aws_wait_handle_response_file}" "${AWS_WAIT_HANDLE}"
+rm "${aws_wait_handle_response_file}"
+
+echo "done bootstrapping!"

data/priv/cloud-init/common.before.sh

@@ -0,0 +1,37 @@
+# configure hostname from metadata service
+public_hostname_response_code=404
+while [ "${public_hostname_response_code}" != "200" ]; do
+  public_hostname_response_code=$(curl -sL -w "%{http_code}" "http://169.254.169.254/latest/meta-data/public-hostname" -o /dev/null)
+  sleep 3
+done
+
+public_hostname=$(curl http://169.254.169.254/latest/meta-data/public-hostname)
+private_hostname=$(curl http://169.254.169.254/latest/meta-data/hostname)
+
+echo "${public_hostname}" > /etc/hostname
+hostname -b -F /etc/hostname
+
+short_hostname=$(hostname -s)
+
+sed -i '/127\.0\.0\.1/d' /etc/hosts
+cat >>/etc/hosts <<EOF
+127.0.0.1 localhost ${short_hostname} ${public_hostname} ${private_hostname}
+EOF
+
+
+# disable long update-initramfs calls (we're ephemeral!)
+sed -i 's/=yes/=no/g' /etc/initramfs-tools/update-initramfs.conf
+
+echo 'deb http://get.docker.io/ubuntu docker main' > /etc/apt/sources.list.d/docker.list
+curl -sL "https://get.docker.io/gpg" | apt-key add -
+apt-get update
+apt-get upgrade -qy
+apt-get -qy install htop tree btrfs-tools xz-utils cloud-utils
+
+
+if [ -b "/dev/xvdd" ]; then
+  mkfs.btrfs -L datavols /dev/xvdd
+  mkdir -p /volumes
+  mount /dev/xvdd /volumes
+fi
+

data/priv/cloud-init/roles/backend.sh

@@ -0,0 +1,36 @@
+mkdir -p /etc/bexng
+echo "${DOMAIN}" > /etc/bexng/name
+
+cat >"/etc/bexng/secrets.exs" <<EOF
+[
+  authy: "${AUTHY_KEY}",
+  mandrill: "${MANDRILL_KEY}",
+  admin_password: "${ADMIN_PASSWORD}"
+]
+EOF
+
+base64 -d >"/etc/bexng/armory_testnet_watch_only.wallet" <<EOF
+${WALLET_DATA}
+EOF
+
+start_container "postgresql" \
+  --volume="/volumes/postgresql:/var/lib/postgresql"
+
+start_container "bitcoind" \
+  --volume="/volumes/bitcoind:/var/lib/bitcoin"
+
+start_container "bexng" \
+  -e "BEXNG_TARGET_SYSTEM=${DOMAIN}" \
+  --link="${containers[bitcoind]}:bitcoind" \
+  --link="${containers[postgresql]}:postgresql" \
+  --publish="4369:4369" \
+  --publish="9999:9999" \
+  --publish="20000:20000" \
+  --publish="20001:20001" \
+  --publish="51607:51607" \
+  --publish="51608:51608" \
+  --volume="/etc/bexng:/target"
+
+start_container "bexng_frontend" \
+  -e "BEXNG_BACKEND=127.0.0.1:51608" \
+  --publish="80:8080"

data/priv/cloud-init/roles/docker-host.sh

@@ -0,0 +1,24 @@
+docker_volume="/dev/xvdc"
+
+# install docker
+mkdir -p /var/lib/docker
+mount -t btrfs -o "rw,noatime,space_cache" "${docker_volume}" /var/lib/docker
+
+apt-get install -qy lxc-docker
+gpasswd -a ubuntu docker
+docker login -e="${DOCKER_REGISTRY_EMAIL}" -p="${DOCKER_REGISTRY_PASSWORD}" -u="${DOCKER_REGISTRY_USER}" "${DOCKER_REGISTRY}"
+
+# start containers
+declare -A containers
+
+start_container() {
+  image_name=$1
+  shift
+
+  echo "starting container: ${image_name}..." >&2
+  container_id=$(docker run -d $@ quay.io/bexio/${image_name}:latest)
+  container_name=$(docker inspect "${container_id}" | grep Name | tr '"/' '  ' | awk '{print $3;}')
+  echo "started."
+
+  containers[${image_name}]=${container_name}
+}

data/priv/cloud-init/roles/frontend.sh

@@ -0,0 +1,3 @@
+start_container "bexng_frontend" \
+  -e "BEXNG_BACKEND=${BACKEND_ENDPOINT}:51607" \
+  --publish="80:8080"

data/priv/cloud-init/roles/vpn.sh

@@ -0,0 +1,88 @@
+openvpn_pkg_path="/tmp/openvpn-as.deb"
+curl -sL "http://swupdate.openvpn.org/as/openvpn-as-2.0.7-Debian7.amd64.deb" > "${openvpn_pkg_path}"
+sudo dpkg -i "${openvpn_pkg_path}"
+rm "${openvpn_pkg_path}"
+
+mkdir -p /usr/local/openvpn_as/etc/licenses
+echo "openvpn:openvpn" | sudo chpasswd
+
+cat >"/usr/local/openvpn_as/etc/licenses/IOVS-WMFK-YDTO-MKPY.lic" <<EOF
+CPU_MODEL_NAME=Intel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz
+HOSTNAME=OVPNAS20
+INODE_HASH=304d68e87dfb6280e1f2fbf1e52d84286420f638273e281ec9bef7df3603d821
+LICENSE_KEY=IOVS-WMFK-YDTO-MKPY
+MAC_ADDR=06:53:b9:ea:dd:c0
+MAC_ADDR_0=06:53:b9:ea:dd:c0
+PROP_FUZZY=MAC_ADDR
+PROP_STRICT=CPU_MODEL_NAME
+VPROP_N_REQUIRED=2
+VPROP_VERSION=2
+concurrent_connections=0
+concurrent_connections_aggregated=10
+expiry_date=20150210
+expiry_date_updates=
+openvpn_core_max_version=1.0
+quota_properties=concurrent_connections
+-----BEGIN RSA SIGNATURE-----
+vpin6QaiijAJYaDj1D1zTxY3muCNDdCXJsM/yIVtsif6smBsdK
+I8+OfdzXzKROo1fit7zlaXfEfufar1vwA1ofciORF6T/ky+AG/
+GiAAn057TBOGCCfxy1aUHkRslGKmJPnWUsl7qGQYlGG/JfYBzS
+ZRP/jckzWEc65IigRynPA=
+-----END RSA SIGNATURE-----
+EOF
+
+cat >"/usr/local/openvpn_as/etc/config.json" <<EOF
+{
+  "Default": {
+    "admin_ui.https.ip_address": "eth0",
+    "admin_ui.https.port": "943",
+    "aui.eula_version": "2",
+    "auth.ldap.0.name": "My LDAP servers",
+    "auth.ldap.0.ssl_verify": "never",
+    "auth.ldap.0.timeout": "4",
+    "auth.ldap.0.use_ssl": "never",
+    "auth.module.type": "pam",
+    "auth.pam.0.service": "openvpnas",
+    "auth.radius.0.acct_enable": "false",
+    "auth.radius.0.name": "My Radius servers",
+    "cs.cws_proto_v2": "true",
+    "cs.https.ip_address": "eth0",
+    "cs.https.port": "943",
+    "cs.prof_sign_web": "true",
+    "host.name": "vpn.${DOMAIN}",
+    "sa.initial_run_groups.0": "web_group",
+    "sa.initial_run_groups.1": "openvpn_group",
+    "vpn.client.routing.inter_client": "false",
+    "vpn.client.routing.reroute_dns": "true",
+    "vpn.client.routing.reroute_gw": "false",
+    "vpn.daemon.0.client.netmask_bits": "20",
+    "vpn.daemon.0.client.network": "172.27.224.0",
+    "vpn.daemon.0.listen.ip_address": "eth0",
+    "vpn.daemon.0.listen.port": "443",
+    "vpn.daemon.0.listen.protocol": "tcp",
+    "vpn.daemon.0.server.ip_address": "eth0",
+    "vpn.server.daemon.enable": "true",
+    "vpn.server.daemon.tcp.n_daemons": 1,
+    "vpn.server.daemon.tcp.port": "443",
+    "vpn.server.daemon.udp.n_daemons": 1,
+    "vpn.server.daemon.udp.port": "1194",
+    "vpn.server.group_pool.0": "172.27.240.0/20",
+    "vpn.server.port_share.enable": "true",
+    "vpn.server.port_share.ip_address": "1.2.3.4",
+    "vpn.server.port_share.port": "1234",
+    "vpn.server.port_share.service": "admin+client",
+    "vpn.server.routing.gateway_access": "true",
+    "vpn.server.routing.private_access": "nat",
+    "vpn.server.routing.private_network.0": "10.100.0.0/24",
+    "vpn.server.routing.private_network.1": "10.100.1.0/24",
+    "vpn.tls_refresh.do_reauth": "true",
+    "vpn.tls_refresh.interval": "360"
+  },
+  "_INTERNAL": {
+    "run_api.active_profile": "Default",
+    "webui.edit_profile": "Default"
+  }
+}
+EOF
+
+/usr/local/openvpn_as/scripts/confdba -l -f /usr/local/openvpn_as/etc/config.json

data/priv/templates/cloudformation.json.erb

@@ -0,0 +1,534 @@
+<%
+  ubuntu_daily_ami = "ami-6ac2a85a"
+  docker_library_snapshot = "snap-ee9ca31c"
+%>
+
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": <%= j @stack.description %>,
+
+  "Resources": {
+
+    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {
+      "CidrBlock": "10.100.0.0/16",
+      "InstanceTenancy": "default",
+      "EnableDnsSupport": true,
+      "EnableDnsHostnames": true
+    }},
+
+    "InternetGateway": {"Type": "AWS::EC2::InternetGateway", "Properties": {
+    }},
+
+    "InternetGatewayAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
+      "VpcId": {"Ref": "VPC"},
+      "InternetGatewayId": {"Ref": "InternetGateway"}
+    }},
+
+    "NetworkAcl": {"Type": "AWS::EC2::NetworkAcl", "Properties": {
+      "VpcId": {"Ref": "VPC"}
+    }},
+
+    "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
+      "VpcId": {"Ref": "VPC"},
+      "CidrBlock": "10.100.0.0/24"
+    }},
+    "PublicSubnetAcl": {"Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": {
+      "NetworkAclId": {"Ref": "NetworkAcl"},
+      "SubnetId": {"Ref": "PublicSubnet"}
+    }},
+    "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {
+      "VpcId": {"Ref": "VPC"}
+    }},
+    "PublicSubnetRoute": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
+      "SubnetId": {"Ref": "PublicSubnet"},
+      "RouteTableId": {"Ref": "PublicRouteTable"}
+    }},
+    "PublicSubnetGatewayRoute": {"Type": "AWS::EC2::Route", "DependsOn": "InternetGatewayAttachment", "Properties": {
+      "DestinationCidrBlock": "0.0.0.0/0",
+      "RouteTableId": {"Ref": "PublicRouteTable"},
+      "GatewayId": {"Ref": "InternetGateway"}
+    }},
+    "PublicIngressAcl": {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
+      "NetworkAclId": {"Ref": "NetworkAcl"},
+      "RuleNumber": "100",
+
+      "CidrBlock": "0.0.0.0/0",
+      "Protocol": "-1",
+      "RuleAction": "allow"
+    }},
+    "PublicEgressAcl": {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
+      "NetworkAclId": {"Ref": "NetworkAcl"},
+      "RuleNumber": "100",
+
+      "Egress": true,
+      "CidrBlock": "0.0.0.0/0",
+      "Protocol": "-1",
+      "RuleAction": "allow"
+    }},
+
+    "PrivateSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
+      "VpcId": {"Ref": "VPC"},
+      "AvailabilityZone": {"Fn::GetAtt": ["PublicSubnet", "AvailabilityZone"]},
+      "CidrBlock": "10.100.1.0/24"
+    }},
+    "PrivateSubnetAcl": {"Type": "AWS::EC2::SubnetNetworkAclAssociation", "Properties": {
+      "NetworkAclId": {"Ref": "NetworkAcl"},
+      "SubnetId": {"Ref": "PrivateSubnet"}
+    }},
+    "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {
+      "VpcId": {"Ref": "VPC"}
+    }},
+    "PrivateSubnetRoute": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
+      "SubnetId": {"Ref": "PrivateSubnet"},
+      "RouteTableId": {"Ref": "PrivateRouteTable"}
+    }},
+    "PrivateSubnetGatewayRoute": {"Type": "AWS::EC2::Route", "DependsOn": "InternetGatewayAttachment", "Properties": {
+      "DestinationCidrBlock": "0.0.0.0/0",
+      "RouteTableId": {"Ref": "PrivateRouteTable"},
+      "GatewayId": {"Ref": "InternetGateway"}
+    }},
+
+    "DHCPOptions": {"Type": "AWS::EC2::DHCPOptions", "Properties": {
+      "DomainName": <%= j domain %>,
+      "DomainNameServers": ["AmazonProvidedDNS"]
+    }},
+    "VPCDHCPOptionsAssociation": {"Type": "AWS::EC2::VPCDHCPOptionsAssociation", "Properties": {
+      "VpcId": {"Ref": "VPC"},
+      "DhcpOptionsId": {"Ref": "DHCPOptions"}
+    }},
+
+
+
+
+
+
+
+    "AppS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
+      "BucketName": <%= j domain %>,
+      "AccessControl": "PublicRead",
+      "WebsiteConfiguration": {
+        "IndexDocument": "index.html",
+        "ErrorDocument": "404.html"
+      }
+    }},
+
+    "AppS3BucketDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
+      "DistributionConfig": {
+        "Aliases": [<%= j domain %>],
+        "Enabled": "true",
+
+        "Origins": [{
+          "Id": "AppS3BucketOrigin",
+          "DomainName": {"Fn::Join": ["", [<%= j domain %>, ".s3-website-", {"Ref": "AWS::Region"}, ".amazonaws.com"]]},
+
+          "CustomOriginConfig": {
+            "HTTPPort": "80",
+            "HTTPSPort": "443",
+            "OriginProtocolPolicy": "http-only"
+          }
+        }],
+
+        "DefaultCacheBehavior": {
+          "TargetOriginId": "AppS3BucketOrigin",
+          "ForwardedValues": {"QueryString": "false"},
+          "ViewerProtocolPolicy": "redirect-to-https"
+        }
+      }
+    }},
+
+    "AppS3BucketDNSRecord": {"Type": "AWS::Route53::RecordSet", "Properties": {
+      "HostedZoneId": <%= j hosted_zone %>,
+      "Type": "A",
+      "Name": <%= j "#{domain}." %>,
+      "AliasTarget": {
+        "HostedZoneId": <%= j @config['cloudfront']['hosted_zone'] %>,
+        "DNSName": {"Fn::GetAtt": ["AppS3BucketDistribution", "DomainName"]}
+       }
+    }},
+
+    "WwwS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
+      "BucketName": <%= j "www.#{domain}" %>,
+      "AccessControl": "PublicRead",
+      "WebsiteConfiguration": {
+        "RedirectAllRequestsTo": {
+          "HostName": <%= j domain %>,
+          "Protocol": "https"
+        }
+      }
+    }},
+
+    "WwwS3BucketDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
+      "DistributionConfig": {
+        "Aliases": [<%= j "www.#{domain}" %>],
+        "Enabled": "true",
+
+        "Origins": [{
+          "Id": "WwwS3BucketOrigin",
+          "DomainName": {"Fn::Join": ["", [<%= j "www.#{domain}" %>, ".s3-website-", {"Ref": "AWS::Region"}, ".amazonaws.com"]]},
+
+          "CustomOriginConfig": {
+            "HTTPPort": "80",
+            "HTTPSPort": "443",
+            "OriginProtocolPolicy": "http-only"
+          }
+        }],
+
+        "DefaultCacheBehavior": {
+          "TargetOriginId": "WwwS3BucketOrigin",
+          "ForwardedValues": {"QueryString": "false"},
+          "ViewerProtocolPolicy": "redirect-to-https"
+        }
+      }
+    }},
+
+    "WwwS3BucketDNSRecord": {"Type": "AWS::Route53::RecordSet", "Properties": {
+      "HostedZoneId": <%= j hosted_zone %>,
+      "Type": "CNAME", "TTL": "300",
+      "Name": <%= j "www.#{domain}." %>,
+      "ResourceRecords": [{"Fn::GetAtt": ["WwwS3BucketDistribution", "DomainName"]}]
+    }},
+
+
+    "AdminS3Bucket": {"Type": "AWS::S3::Bucket", "Properties": {
+      "BucketName": <%= j "admin.#{domain}" %>,
+      "AccessControl": "PublicRead",
+      "WebsiteConfiguration": {
+        "IndexDocument": "index.html",
+        "ErrorDocument": "404.html"
+      }
+    }},
+
+    "AdminS3BucketDistribution": {"Type": "AWS::CloudFront::Distribution", "Properties": {
+      "DistributionConfig": {
+        "Aliases": [<%= j "admin.#{domain}" %>],
+        "Enabled": "true",
+
+        "Origins": [{
+          "Id": "AdminS3BucketOrigin",
+          "DomainName": {"Fn::Join": ["", [<%= j "admin.#{domain}" %>, ".s3-website-", {"Ref": "AWS::Region"}, ".amazonaws.com"]]},
+
+          "CustomOriginConfig": {
+            "HTTPPort": "80",
+            "HTTPSPort": "443",
+            "OriginProtocolPolicy": "http-only"
+          }
+        }],
+
+        "DefaultCacheBehavior": {
+          "TargetOriginId": "AdminS3BucketOrigin",
+          "ForwardedValues": {"QueryString": "false"},
+          "ViewerProtocolPolicy": "redirect-to-https"
+        }
+      }
+    }},
+
+    "AdminS3BucketDNSRecord": {"Type": "AWS::Route53::RecordSet", "Properties": {
+      "HostedZoneId": <%= j hosted_zone %>,
+      "Type": "CNAME", "TTL": "300",
+      "Name": <%= j "admin.#{domain}." %>,
+      "ResourceRecords": [{"Fn::GetAtt": ["AdminS3BucketDistribution", "DomainName"]}]
+    }},
+
+
+
+
+    "InstanceBootstrapWaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle", "Properties": {}},
+    "InstanceBootstrap": {"Type": "AWS::CloudFormation::WaitCondition", "DependsOn": ["Frontend", "Backend", "OpenVPN"], "Properties": {
+      "Handle": {"Ref": "InstanceBootstrapWaitHandle"},
+      "Count": "3",
+      "Timeout": "6000"
+    }},
+
+
+
+    "Frontend": {"Type": "AWS::EC2::Instance", "Properties": {
+      "InstanceType": "m1.small",
+      "ImageId": <%= j ubuntu_daily_ami %>,
+
+      "Tags": [
+        { "Key": "Name", "Value": "web01" },
+        { "Key": "Environment", "Value": <%= j environment %> }
+      ],
+
+      "KeyName": <%= j @stack.iam_keypair_name %>,
+
+      "BlockDeviceMappings": [
+        {"DeviceName": "/dev/xvdc", "Ebs": {
+          "SnapshotId": <%= j docker_library_snapshot %>,
+          "VolumeSize": "50"
+        }}
+      ],
+
+      "NetworkInterfaces": [{
+          "Description": "Primary network interface",
+          "DeviceIndex": 0,
+          "DeleteOnTermination": true,
+
+          "SubnetId": {"Ref": "PublicSubnet"},
+          "GroupSet": [{"Ref": "FrontendSecurityGroup"}]
+      }],
+
+      "UserData": {"Fn::Base64": {"Fn::Join": ["", [
+        "#!/bin/bash -e\n",
+        "export AWS_WAIT_HANDLE='", {"Ref": "InstanceBootstrapWaitHandle"}, "'\n",
+        "export BACKEND_ENDPOINT='", {"Fn::GetAtt": ["BackendEndpoint", "DNSName"]}, "'\n",
+        <%= ja 8, userdata['frontend'] %>
+      ]]}}
+    }},
+
+    "FrontendSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
+      "GroupDescription": "Enable SSH access via port 22 and HTTP via 80",
+      "VpcId": {"Ref": "VPC"},
+
+      "SecurityGroupIngress": [
+        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": <%= j external_ssh_cidr %>},
+        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": <%= j bastion_ssh_cidr %>},
+        {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "10.100.0.0/24"}
+      ],
+      "SecurityGroupEgress": [{"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}]
+    }},
+
+    "FrontendEIP": {"Type": "AWS::EC2::EIP", "Properties": {
+      "Domain": "VPC"
+    }},
+
+    "FrontendEIPAssociation": {"Type": "AWS::EC2::EIPAssociation", "Properties": {
+      "AllocationId": {"Fn::GetAtt": ["FrontendEIP", "AllocationId"]},
+      "InstanceId": {"Ref": "Frontend"}
+    }},
+
+    "FrontendEndpoint": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
+      "Instances": [{"Ref": "Frontend"}],
+      "Subnets": [{"Ref": "PublicSubnet"}],
+      "SecurityGroups": [{"Ref": "FrontendEndpointSecurityGroup"}],
+
+      "HealthCheck": {
+        "HealthyThreshold": "5",
+        "Interval": "30",
+        "Target": "HTTP:80/v1/info",
+        "Timeout": "5",
+        "UnhealthyThreshold": "2"
+      },
+      "Listeners": [{
+        "LoadBalancerPort": "443",
+        "InstancePort": "80",
+        "Protocol": "SSL",
+        "InstanceProtocol": "TCP",
+        "SSLCertificateId": {"Fn::Join": ["", [
+          "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":server-certificate/",
+          <%= j frontend_cert_path %>, ".pem"
+        ]]}
+      }]
+    }},
+
+    "FrontendEndpointDNSRecord": {"Type": "AWS::Route53::RecordSet", "Properties": {
+      "HostedZoneId": <%= j hosted_zone %>,
+      "Type": "CNAME", "TTL": "300",
+      "Name": <%= j "api.#{domain}." %>,
+      "ResourceRecords": [{"Fn::GetAtt": ["FrontendEndpoint", "DNSName"]}]
+    }},
+
+    "FrontendEndpointSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
+      "GroupDescription": "Frontend ELB security group",
+      "VpcId": {"Ref": "VPC"},
+
+      "SecurityGroupIngress": [
+        {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"}
+      ],
+      "SecurityGroupEgress": [
+        {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}
+      ]
+    }},
+
+
+
+
+    "Backend": {"Type": "AWS::EC2::Instance", "Properties": {
+      "InstanceType": "m3.medium",
+      "ImageId": <%= j ubuntu_daily_ami %>,
+
+      "Tags": [
+        { "Key": "Name", "Value": "app01" },
+        { "Key": "Environment", "Value": <%= j environment %> }
+      ],
+
+      "KeyName": <%= j @stack.iam_keypair_name %>,
+
+      "BlockDeviceMappings": [
+        {"DeviceName": "/dev/xvdc", "Ebs": {
+          "SnapshotId": <%= j docker_library_snapshot %>,
+          "VolumeSize": "50"
+        }},
+
+        {"DeviceName": "/dev/xvdd", "Ebs": {
+          "VolumeSize": "300"
+        }}
+      ],
+
+      "NetworkInterfaces": [{
+        "Description": "Primary network interface",
+        "DeviceIndex": 0,
+        "DeleteOnTermination": true,
+
+        "SubnetId": {"Ref": "PrivateSubnet"},
+        "GroupSet": [{"Ref": "BackendSecurityGroup"}]
+      }],
+
+      "UserData": {"Fn::Base64": {"Fn::Join": ["", [
+        "#!/bin/bash -e\n",
+        "export AWS_WAIT_HANDLE='", {"Ref": "InstanceBootstrapWaitHandle"}, "'\n",
+        <%= ja 8, userdata['backend'] %>
+      ]]}}
+    }},
+
+    "BackendSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
+        "GroupDescription": "Enable SSH access via port 22",
+        "VpcId": {"Ref": "VPC"},
+
+        "SecurityGroupIngress": [
+          {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": <%= j external_ssh_cidr %>},
+          {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": <%= j bastion_ssh_cidr %>},
+          {"IpProtocol": "tcp", "FromPort": "51607", "ToPort": "51607", "CidrIp": "10.100.0.0/24"}
+        ],
+        "SecurityGroupEgress": [
+          {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}
+        ]
+      }
+    },
+
+    "BackendEIP": {"Type": "AWS::EC2::EIP", "Properties": {
+      "Domain": "VPC"
+    }},
+    "BackendEIPAssociation": {"Type": "AWS::EC2::EIPAssociation", "Properties": {
+      "AllocationId": {"Fn::GetAtt": ["BackendEIP", "AllocationId"]},
+      "InstanceId": {"Ref": "Backend"}
+    }},
+
+    "BackendEndpoint": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "Properties": {
+      "Instances": [{"Ref": "Backend"}],
+      "Subnets": [{"Ref": "PrivateSubnet"}],
+      "SecurityGroups": [{"Ref": "BackendEndpointSecurityGroup"}],
+      "Scheme": "internal",
+
+      "HealthCheck": {
+        "HealthyThreshold": "5",
+        "Interval": "30",
+        "Target": "HTTP:80/v1/info",
+        "Timeout": "5",
+        "UnhealthyThreshold": "2"
+      },
+
+      "Listeners": [{
+        "LoadBalancerPort": "443",
+        "InstancePort": "80",
+        "Protocol": "SSL",
+        "InstanceProtocol": "TCP",
+        "SSLCertificateId": {"Fn::Join": ["", [
+          "arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":server-certificate/",
+          <%= j backend_cert_path %>, ".pem"
+        ]]}
+      }]
+    }},
+
+    "BackendEndpointDNSRecord": {"Type": "AWS::Route53::RecordSet", "Properties": {
+      "HostedZoneId": <%= j hosted_zone %>,
+      "Type": "CNAME", "TTL": "300",
+      "Name": <%= j "api.admin.#{domain}." %>,
+      "ResourceRecords": [{"Fn::GetAtt": ["BackendEndpoint", "DNSName"]}]
+    }},
+
+    "BackendEndpointSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
+      "GroupDescription": "Backend ELB security group",
+      "VpcId": {"Ref": "VPC"},
+
+      "SecurityGroupIngress": [
+        {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "10.100.0.0/24"}
+      ],
+      "SecurityGroupEgress": [
+        {"IpProtocol": "tcp", "FromPort": "80", "ToPort": "80", "CidrIp": "0.0.0.0/0"}
+      ]
+    }},
+
+    "BackendIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
+      "GroupId": {"Ref": "BackendSecurityGroup"},
+      "SourceSecurityGroupId": {"Ref": "BackendEndpointSecurityGroup"},
+
+      "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80"
+    }},
+
+
+
+
+
+
+    "OpenVPN": {"Type": "AWS::EC2::Instance", "Properties": {
+      "InstanceType": "m1.small",
+      "ImageId": <%= j ubuntu_daily_ami %>,
+      "AvailabilityZone": {"Fn::GetAtt": ["PublicSubnet", "AvailabilityZone"]},
+
+      "Tags": [
+        { "Key": "Name", "Value": "vpn01" },
+        { "Key": "Environment", "Value": <%= j environment %> }
+      ],
+
+      "KeyName": <%= j @stack.iam_keypair_name %>,
+
+      "NetworkInterfaces": [
+        {
+          "NetworkInterfaceId": {"Ref": "OpenVPNPublicInterface"},
+          "DeviceIndex": "0"
+        },
+        {
+          "Description": "Private network interface",
+          "DeviceIndex": "1",
+          "DeleteOnTermination": true,
+
+          "SubnetId": {"Ref": "PrivateSubnet"},
+          "GroupSet": [{"Ref": "OpenVPNSecurityGroup"}]
+        }
+      ],
+
+      "UserData": {"Fn::Base64": {"Fn::Join": ["", [
+        "#!/bin/bash -e\n",
+        "export AWS_WAIT_HANDLE='", {"Ref": "InstanceBootstrapWaitHandle"}, "'\n",
+        <%= ja 8, userdata['openvpn'] %>
+      ]]}}
+    }},
+
+    "OpenVPNPublicInterface": {"Type": "AWS::EC2::NetworkInterface", "Properties": {
+      "Description": "Public network interface",
+
+      "SubnetId": {"Ref": "PublicSubnet"},
+      "GroupSet": [{"Ref": "OpenVPNSecurityGroup"}]
+    }},
+
+    "OpenVPNEIP": {"Type": "AWS::EC2::EIP", "Properties": {
+      "Domain": "VPC"
+    }},
+
+    "OpenVPNEIPAssociation": {"Type": "AWS::EC2::EIPAssociation", "Properties": {
+      "AllocationId": {"Fn::GetAtt": ["OpenVPNEIP", "AllocationId"]},
+      "NetworkInterfaceId": {"Ref": "OpenVPNPublicInterface"}
+    }},
+
+    "OpenVPNDNSRecord": {"Type": "AWS::Route53::RecordSet", "DependsOn": "OpenVPNEIPAssociation", "Properties": {
+      "HostedZoneId": <%= j hosted_zone %>,
+      "Type": "CNAME", "TTL": "300",
+      "Name": <%= j "vpn.#{domain}." %>,
+      "ResourceRecords": [{"Fn::GetAtt": ["OpenVPN", "PublicDnsName"]}]
+    }},
+
+    "OpenVPNSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
+      "GroupDescription": "Enable everything",
+      "VpcId": {"Ref": "VPC"},
+
+      "SecurityGroupIngress": [
+        {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"},
+        {"IpProtocol": "udp", "FromPort": "1192", "ToPort": "1194", "CidrIp": "0.0.0.0/0"},
+        {"IpProtocol": "tcp", "FromPort": "943", "ToPort": "943", "CidrIp": "0.0.0.0/0"},
+        {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": "0.0.0.0/0"}
+      ]
+    }}
+
+  }
+}