Thursday, August 20, 2020

Autoparked AWS Instance

--This post is a draft and is a work in progress--

Goal: an AWS instance that is trustworthy and easy to access, but also shuts down when it isn't needed and doesn't cost extra while it isn't running.

Tools: ddclient (dyndns client), letsencrypt (free certificates), AWS Instance Scheduler

1) Set up AWS so the instance gets a public IP, which is not the default (see https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html)
- Create new VPC
- Create new Internet Gateway (in VPCs), attach it to the new VPC
- Create new Subnet
- On the Route Table tab of the new subnet, verify that there is a route with 0.0.0.0/0 as the destination and the internet gateway of your VPC as the target. If there isn't, go to Route Tables -> your route table -> Edit routes, choose Add route, and use 0.0.0.0/0 as the destination and the internet gateway as the target. For IPv6, add another route with ::/0 as the destination and the internet gateway as the target, then save.
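The same step 1 done from the command line, as an added example that is not part of the original post: it creates the VPC, internet gateway and subnet with the documented aws ec2 commands, then performs the "verify the 0.0.0.0/0 route" check before adding the route, so running it twice does not create a duplicate. The region, CIDR ranges and the script name are assumptions; it needs the aws CLI on PATH with credentials allowed to create VPC resources.

```shell
#!/bin/sh
# Added example (not from the original post). Region and CIDRs are assumed;
# override them through the environment. Invoke as: sh make-public-vpc.sh apply
set -eu

REGION="${REGION:-us-east-1}"              # assumed region
VPC_CIDR="${VPC_CIDR:-10.42.0.0/16}"       # assumed private range
SUBNET_CIDR="${SUBNET_CIDR:-10.42.1.0/24}" # assumed, inside VPC_CIDR

# has_default_igw_route TEXT -> exit 0 if TEXT (the `--output text` result of the
# route-table query below) names an internet gateway as the 0.0.0.0/0 target
has_default_igw_route() {
    for gw in $1; do
        case $gw in igw-*) return 0 ;; esac
    done
    return 1
}

create_public_vpc() {
    vpc=$(aws ec2 create-vpc --region "$REGION" --cidr-block "$VPC_CIDR" \
          --query Vpc.VpcId --output text)
    igw=$(aws ec2 create-internet-gateway --region "$REGION" \
          --query InternetGateway.InternetGatewayId --output text)
    aws ec2 attach-internet-gateway --region "$REGION" \
        --internet-gateway-id "$igw" --vpc-id "$vpc"
    subnet=$(aws ec2 create-subnet --region "$REGION" --vpc-id "$vpc" \
          --cidr-block "$SUBNET_CIDR" --query Subnet.SubnetId --output text)
    # Instances launched in this subnet get a public IPv4 without asking each time
    aws ec2 modify-subnet-attribute --region "$REGION" --subnet-id "$subnet" \
        --map-public-ip-on-launch
    # A new subnet uses the VPC's main route table until another is associated
    rtb=$(aws ec2 describe-route-tables --region "$REGION" \
          --filters "Name=vpc-id,Values=$vpc" "Name=association.main,Values=true" \
          --query 'RouteTables[0].RouteTableId' --output text)
    # The check from the post: is there already a 0.0.0.0/0 route via the IGW?
    routes=$(aws ec2 describe-route-tables --region "$REGION" --route-table-ids "$rtb" \
          --query "RouteTables[0].Routes[?DestinationCidrBlock=='0.0.0.0/0'].GatewayId" \
          --output text)
    if ! has_default_igw_route "$routes"; then
        aws ec2 create-route --region "$REGION" --route-table-id "$rtb" \
            --destination-cidr-block 0.0.0.0/0 --gateway-id "$igw"
    fi
    echo "vpc=$vpc igw=$igw subnet=$subnet rtb=$rtb"
}

# Only act when explicitly asked; sourcing the file just defines the functions
if [ "${1:-}" = "apply" ]; then
    create_public_vpc
fi
```

The script deliberately leaves the security group alone: the instance still only accepts what its security group allows, so the public IP by itself does not expose anything beyond the ports you open later.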

2) install ddclient
sudo apt-get install ddclient

edit /etc/ddclient.conf

daemon=300
syslog=yes
use=cmd
cmd='curl -s http://169.254.169.254/latest/meta-data/public-ipv4'

protocol=googledomains
login=value-from-google
password='value-from-google'
DOMAINNAME.com

protocol=googledomains
login=value-from-google
password='value-from-google'
SUB.DOMAINNAME.com

protocol=googledomains
login=value-from-google
password='value-from-google'
ANOTHERDOMAINNAME.com

Run ddclient -syslog -noquiet -verbose -force once to check that the registration goes through.

Now you can set up your SSH client to connect to ubuntu@DOMAINNAME.com with your private key.
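The cmd= line above fetches the public address from the instance metadata service in the original IMDSv1 way, and ddclient will hand whatever that command prints to the DNS provider. As an added example that is not part of the original post, the following helper does the same lookup with the token-based IMDSv2 request and refuses to print anything that is not a well-formed IPv4 address, so an error page or empty response can never become a DNS update. The script path /usr/local/bin/ec2-public-ip.sh is an assumption; the endpoint and header names are the documented IMDSv2 ones. The config file itself still holds the Google Domains password in clear text, so keep /etc/ddclient.conf readable by root only.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed location:
# /usr/local/bin/ec2-public-ip.sh, then in /etc/ddclient.conf:
#   use=cmd
#   cmd='/usr/local/bin/ec2-public-ip.sh run'

IMDS="${IMDS:-http://169.254.169.254}"   # instance metadata service base URL

# is_ipv4 STRING -> exit 0 only for a dotted quad with four octets in 0..255
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.) return 1 ;;   # empty, non-digit/dot chars, leading or trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                            # split on dots into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1       # "1..2.3" leaves an empty field
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# fetch_public_ipv4 -> print the instance's public IPv4 via IMDSv2, or fail silently
fetch_public_ipv4() {
    # IMDSv2: a PUT to the token endpoint first, then the metadata request with the token
    token=$(curl -sS -f -X PUT "$IMDS/latest/api/token" \
                 -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    ip=$(curl -sS -f -H "X-aws-ec2-metadata-token: $token" \
              "$IMDS/latest/meta-data/public-ipv4") || return 1
    # Do not pass anything to ddclient that is not an address
    is_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# Only contact the metadata service when invoked with "run"; sourcing just defines the functions
if [ "${1:-}" = "run" ]; then
    fetch_public_ipv4
fi
```

ddclient treats an empty result from cmd as "no address", so a failed fetch simply skips the update instead of publishing garbage; the verbose run described above shows which of the two happened.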

3) install letsencrypt
sudo apt-get install letsencrypt
sudo certbot certonly -d DOMAINNAME.com -d SUB.DOMAINNAME.com -d ANOTHERDOMAINNAME.com --manual --preferred-challenges dns --expand

Follow the instructions and add the required TXT records in Google Domains, then wait a while (at least a couple of minutes) before continuing. You should get the certificates.

(More work to be done to let this be automatically renewable - sudo certbot renew should do it).

...Profit?