echo -E '[epel]' > /etc/yum.repos.d/epel.repo
echo -E 'name=Extra Packages for Enterprise Linux 7 - $basearch' >> /etc/yum.repos.d/epel.repo
echo -E '#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch' >> /etc/yum.repos.d/epel.repo
echo -E 'metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch' >> /etc/yum.repos.d/epel.repo
echo -E 'failovermethod=priority' >> /etc/yum.repos.d/epel.repo
echo -E 'enabled=1' >> /etc/yum.repos.d/epel.repo
echo -E 'gpgcheck=1' >> /etc/yum.repos.d/epel.repo
echo -E 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7' >> /etc/yum.repos.d/epel.repo
echo -E '' >> /etc/yum.repos.d/epel.repo
echo -E '[epel-debuginfo]' >> /etc/yum.repos.d/epel.repo
echo -E 'name=Extra Packages for Enterprise Linux 7 - $basearch - Debug' >> /etc/yum.repos.d/epel.repo
echo -E '#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug' >> /etc/yum.repos.d/epel.repo
echo -E 'metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch' >> /etc/yum.repos.d/epel.repo
echo -E 'failovermethod=priority' >> /etc/yum.repos.d/epel.repo
echo -E 'enabled=0' >> /etc/yum.repos.d/epel.repo
echo -E 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7' >> /etc/yum.repos.d/epel.repo
echo -E 'gpgcheck=1' >> /etc/yum.repos.d/epel.repo
echo -E '' >> /etc/yum.repos.d/epel.repo
echo -E '[epel-source]' >> /etc/yum.repos.d/epel.repo
echo -E 'name=Extra Packages for Enterprise Linux 7 - $basearch - Source' >> /etc/yum.repos.d/epel.repo
echo -E '#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS' >> /etc/yum.repos.d/epel.repo
echo -E 'metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch' >> /etc/yum.repos.d/epel.repo
echo -E 'failovermethod=priority' >> /etc/yum.repos.d/epel.repo
echo -E 'enabled=0' >> /etc/yum.repos.d/epel.repo
echo -E 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7' >> /etc/yum.repos.d/epel.repo
echo -E 'gpgcheck=1' >> /etc/yum.repos.d/epel.repo

/etc/yum.repo.d/epel-testing.repo

echo -E '[epel-testing]' > /etc/yum.repos.d/epel-testing.repo
echo -E 'name=Extra Packages for Enterprise Linux 7 - Testing - $basearch' >> /etc/yum.repos.d/epel-testing.repo
echo -E '#baseurl=http://download.fedoraproject.org/pub/epel/testing/7/$basearch' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'metalink=https://mirrors.fedoraproject.org/metalink?repo=testing-epel7&arch=$basearch' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'failovermethod=priority' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'enabled=0' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'gpgcheck=1' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7' >> /etc/yum.repos.d/epel-testing.repo
echo -E '' >> /etc/yum.repos.d/epel-testing.repo
echo -E '[epel-testing-debuginfo]' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'name=Extra Packages for Enterprise Linux 7 - Testing - $basearch - Debug' >> /etc/yum.repos.d/epel-testing.repo
echo -E '#baseurl=http://download.fedoraproject.org/pub/epel/testing/7/$basearch/debug' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'metalink=https://mirrors.fedoraproject.org/metalink?repo=testing-debug-epel7&arch=$basearch' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'failovermethod=priority' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'enabled=0' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'gpgcheck=1' >> /etc/yum.repos.d/epel-testing.repo
echo -E '' >> /etc/yum.repos.d/epel-testing.repo
echo -E '[epel-testing-source]' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'name=Extra Packages for Enterprise Linux 7 - Testing - $basearch - Source' >> /etc/yum.repos.d/epel-testing.repo
echo -E '#baseurl=http://download.fedoraproject.org/pub/epel/testing/7/SRPMS' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'metalink=https://mirrors.fedoraproject.org/metalink?repo=testing-source-epel7&arch=$basearch' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'failovermethod=priority' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'enabled=0' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7' >> /etc/yum.repos.d/epel-testing.repo
echo -E 'gpgcheck=1' >> /etc/yum.repos.d/epel-testing.repo

yum update -y
amazon-linux-extras install epel  
yum install -y epel-release 
yum install firewalld wget -y
yum install -y openvpn easy-rsa
#config
mkdir /etc/openvpn/easy-rsa
cp -r /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
#var
openvpn --genkey --secret /etc/openvpn/myvpn.tlsauth
cd easy-rsa/
./easyrsa clean-all
./easyrsa build-ca nopass
./easyrsa build-server-full server nopass
./easyrsa gen-dh
;./easyrsa build-client-full aws nopass
./easyrsa gen-crl
cp -t /etc/openvpn/ \
/etc/openvpn/easy-rsa/pki/ca.crt \
/etc/openvpn/easy-rsa/pki/dh.pem \
/etc/openvpn/easy-rsa/pki/issued/server.crt \
/etc/openvpn/easy-rsa/pki/private/ca.key \
/etc/openvpn/easy-rsa/pki/private/server.key 
systemctl -f enable openvpn-server@server 
systemctl -f start openvpn-server@server 
systemctl -f status openvpn-server@server

systemctl enable firewalld
systemctl start firewalld
systemctl status firewalld

firewall-cmd --zone=public --add-interface=tun0 --permanent
firewall-cmd --zone=public --add-port=6174/tcp --permanent

firewall-cmd --get-active-zones
sudo firewall-cmd --zone=public --add-service openvpn --permanent
sudo firewall-cmd --list-services --zone=public
sudo firewall-cmd --add-masquerade --permanent

sudo firewall-cmd --reload
sudo firewall-cmd --query-masquerade

VAR=$(ip route get 208.67.222.222 | awk 'NR==1 {print $4}')
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $VAR -j MASQUERADE
sudo firewall-cmd --reload

sudo vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
/usr/local/bin/gen-ovpn-client

#################################################
# Sample OpenVPN 2.0 config file for            #
# multi-client server.                          #
#                                               #
# This file is for the server side              #
# of a many-clients <-> one-server              #
# OpenVPN configuration.                        #
#                                               #
# OpenVPN also supports                         #
# single-machine <-> single-machine             #
# configurations (See the Examples page         #
# on the web site for more info).               #
#                                               #
# This config should work on Windows            #
# or Linux/BSD systems.  Remember on            #
# Windows to quote pathnames and use            #
# double backslashes, e.g.:                     #
# "C:\\Program Files\\OpenVPN\\config\\foo.key" #
#                                               #
# Comments are preceded with '#' or ';'         #
#################################################
# openvpn --config /path/to/server.conf
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 6174

# TCP or UDP server?
proto tcp4
;proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
# Use "dev tap0" if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use "dev-node" for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one.  On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don't need this.
;dev-node MyTap

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
;ca /etc/openvpn/ca.crt
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh.pem

# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
;ifconfig-pool-persist ipp.txt

# Configure server mode for ethernet bridging.
# You must first use your OS's bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface.  Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0.  Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients.  Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100

# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses.  You must first use
# your OS's bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge

# Push routes to the client to allow it
# to reach other private subnets behind
# the server.  Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"

# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory "ccd" for client-specific
# configuration files (see man page for more info).

# EXAMPLE: Suppose the client
# having the certificate common name "Thelonious"
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
#   iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious' private subnet to
# access the VPN.  This example will only work
# if you are routing, not bridging, i.e. you are
# using "dev tun" and "server" directives.

# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2

# Suppose that you want to enable different
# firewall access policies for different groups
# of clients.  There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
#     group, and firewall the TUN/TAP interface
#     for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
#     modify the firewall in response to access
#     from different clients.  See man
#     page for more info on learn-address script.
;learn-address ./script

# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses.  CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
client-to-client

# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names.  This is recommended
# only for testing purposes.  For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE "COMMON NAME",
# UNCOMMENT THIS LINE OUT.
duplicate-cn

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# For extra security beyond that provided
# by SSL/TLS, create an "HMAC firewall"
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
#   openvpn --genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be '0'
# on the server and '1' on the clients.
;tls-auth ta.key 0 # This file is secret

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC

# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push "compress lz4-v2"

# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
;allow-compression yes

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# It's a good idea to reduce the OpenVPN
# daemon's privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
log-append  /var/log/openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 5

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

# Notify the client that when the server restarts so it
# can automatically reconnect.
# explicit-exit-notify 1

tls-crypt /etc/openvpn/myvpn.tlsauth

crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

/easyrsa/vars

# Easy-RSA 3 parameter settings

# NOTE: If you installed Easy-RSA from your distro's package manager, don't edit
# this file in place -- instead, you should copy the entire easy-rsa directory
# to another location so future upgrades don't wipe out your changes.

# HOW TO USE THIS FILE
#
# vars.example contains built-in examples to Easy-RSA settings. You MUST name
# this file 'vars' if you want it to be used as a configuration file. If you do
# not, it WILL NOT be automatically read when you call easyrsa commands.
#
# It is not necessary to use this config file unless you wish to change
# operational defaults. These defaults should be fine for many uses without the
# need to copy and edit the 'vars' file.
#
# All of the editable settings are shown commented and start with the command
# 'set_var' -- this means any set_var command that is uncommented has been
# modified by the user. If you're happy with a default, there is no need to
# define the value to its default.

# NOTES FOR WINDOWS USERS
#
# Paths for Windows  *MUST* use forward slashes, or optionally double-escaped
# backslashes (single forward slashes are recommended.) This means your path to
# the openssl binary might look like this:
# "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

# A little housekeeping: DON'T EDIT THIS SECTION
# 
# Easy-RSA 3.x doesn't source into the environment directly.
# Complain if a user tries to do this:
if [ -z "$EASYRSA_CALLER" ]; then
        echo "You appear to be sourcing an Easy-RSA 'vars' file." >&2
        echo "This is no longer necessary and is disallowed. See the section called" >&2
        echo "'How to use this file' near the top comments for more details." >&2
        return 1
fi

# DO YOUR EDITS BELOW THIS POINT

# This variable is used as the base location of configuration files needed by
# easyrsa.  More specific variables for specific files (e.g., EASYRSA_SSL_CONF)
# may override this default.
#
# The default value of this variable is the location of the easyrsa script
# itself, which is also where the configuration files are located in the
# easy-rsa tree.

#set_var EASYRSA        "${0%/*}"

# If your OpenSSL command is not in the system PATH, you will need to define the
# path to it here. Normally this means a full path to the executable, otherwise
# you could have left it undefined here and the shown default would be used.
#
# Windows users, remember to use paths with forward-slashes (or escaped
# back-slashes.) Windows users should declare the full path to the openssl
# binary here if it is not in their system PATH.

#set_var EASYRSA_OPENSSL        "openssl"
#
# This sample is in Windows syntax -- edit it for your path if not using PATH:
#set_var EASYRSA_OPENSSL        "C:/Program Files/OpenSSL-Win32/bin/openssl.exe"

# Edit this variable to point to your soon-to-be-created key directory.  By
# default, this will be "$PWD/pki" (i.e. the "pki" subdirectory of the
# directory you are currently in).
#
# WARNING: init-pki will do a rm -rf on this directory so make sure you define
# it correctly! (Interactive mode will prompt before acting.)

#set_var EASYRSA_PKI            "$PWD/pki"

# Define directory for temporary subdirectories.

#set_var EASYRSA_TEMP_DIR       "$EASYRSA_PKI"

# Define X509 DN mode.
# This is used to adjust what elements are included in the Subject field as the DN
# (this is the "Distinguished Name.")
# Note that in cn_only mode the Organizational fields further below aren't used.
#
# Choices are:
#   cn_only  - use just a CN value
#   org      - use the "traditional" Country/Province/City/Org/OU/email/CN format

#set_var EASYRSA_DN     "cn_only"

# Organizational fields (used with 'org' mode and ignored in 'cn_only' mode.)
# These are the default values for fields which will be placed in the
# certificate.  Don't leave any of these fields blank, although interactively
# you may omit any specific field by typing the "." symbol (not valid for
# email.)

#set_var EASYRSA_REQ_COUNTRY    "US"
#set_var EASYRSA_REQ_PROVINCE   "California"
#set_var EASYRSA_REQ_CITY       "San Francisco"
#set_var EASYRSA_REQ_ORG        "Copyleft Certificate Co"
#set_var EASYRSA_REQ_EMAIL      "me@example.net"
#set_var EASYRSA_REQ_OU         "My Organizational Unit"

# Choose a size in bits for your keypairs. The recommended value is 2048.  Using
# 2048-bit keys is considered more than sufficient for many years into the
# future. Larger keysizes will slow down TLS negotiation and make key/DH param
# generation take much longer. Values up to 4096 should be accepted by most
# software. Only used when the crypto alg is rsa (see below.)

#set_var EASYRSA_KEY_SIZE       2048

# The default crypto mode is rsa; ec can enable elliptic curve support.
# Note that not all software supports ECC, so use care when enabling it.
# Choices for crypto alg are: (each in lower-case)
#  * rsa
#  * ec
#  * ed

#set_var EASYRSA_ALGO           rsa

# Define the named curve, used in ec & ed modes:

#set_var EASYRSA_CURVE          secp384r1

# In how many days should the root CA key expire?

set_var EASYRSA_CA_EXPIRE      3650

# In how many days should certificates expire?

set_var EASYRSA_CERT_EXPIRE    825

# How many days until the next CRL publish date?  Note that the CRL can still be
# parsed after this timeframe passes. It is only used for an expected next
# publication date.
#set_var EASYRSA_CRL_DAYS       180

# How many days before its expiration date a certificate is allowed to be
# renewed?
#set_var EASYRSA_CERT_RENEW     30

# Random serial numbers by default, set to no for the old incremental serial numbers
#
#set_var EASYRSA_RAND_SN        "yes"

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature.  If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT     "no"

# When NS_SUPPORT is set to "yes", this field is added as the nsComment field.
# Set this blank to omit it. With NS_SUPPORT set to "no" this field is ignored.

#set_var EASYRSA_NS_COMMENT     "Easy-RSA Generated Certificate"

# A temp file used to stage cert extensions during signing. The default should
# be fine for most users; however, some users might want an alternative under a
# RAM-based FS, such as /dev/shm or /tmp on some systems.

#set_var EASYRSA_TEMP_FILE      "$EASYRSA_PKI/extensions.temp"

# !!
# NOTE: ADVANCED OPTIONS BELOW THIS POINT
# PLAY WITH THEM AT YOUR OWN RISK
# !!

# Broken shell command aliases: If you have a largely broken shell that is
# missing any of these POSIX-required commands used by Easy-RSA, you will need
# to define an alias to the proper path for the command.  The symptom will be
# some form of a 'command not found' error from your shell. This means your
# shell is BROKEN, but you can hack around it here if you really need. These
# shown values are not defaults: it is up to you to know what you're doing if
# you touch these.
#
#alias awk="/alt/bin/awk"
#alias cat="/alt/bin/cat"

# X509 extensions directory:
# If you want to customize the X509 extensions used, set the directory to look
# for extensions here. Each cert type you sign must have a matching filename,
# and an optional file named 'COMMON' is included first when present. Note that
# when undefined here, default behaviour is to look in $EASYRSA_PKI first, then
# fallback to $EASYRSA for the 'x509-types' dir.  You may override this
# detection with an explicit dir here.
#
#set_var EASYRSA_EXT_DIR        "$EASYRSA/x509-types"

# If you want to generate KDC certificates, you need to set the realm here.
#set_var EASYRSA_KDC_REALM      "CHANGEME.EXAMPLE.COM"

# OpenSSL config file:
# If you need to use a specific openssl config file, you can reference it here.
# Normally this file is auto-detected from a file named openssl-easyrsa.cnf from the
# EASYRSA_PKI or EASYRSA dir (in that order.) NOTE that this file is Easy-RSA
# specific and you cannot just use a standard config file, so this is an
# advanced feature.

#set_var EASYRSA_SSL_CONF       "$EASYRSA/openssl-easyrsa.cnf"

# Default CN:
# This is best left alone. Interactively you will set this manually, and BATCH
# callers are expected to set this themselves.

#set_var EASYRSA_REQ_CN         "ChangeMe"

# Cryptographic digest to use.
# Do not change this default unless you understand the security implications.
# Valid choices include: md5, sha1, sha256, sha224, sha384, sha512

#set_var EASYRSA_DIGEST         "sha256"

# Batch mode. Leave this disabled unless you intend to call Easy-RSA explicitly
# in batch mode without any user input, confirmation on dangerous operations,
# or most output. Setting this to any non-blank string enables batch mode.

#set_var EASYRSA_BATCH          ""
set_var EASYRSA_REQ_COUNTRY    "Japan"
set_var EASYRSA_REQ_PROVINCE   "Osaka"
set_var EASYRSA_REQ_CITY       "Osaka"
set_var EASYRSA_REQ_ORG        "Ourdark"
set_var EASYRSA_REQ_EMAIL      "ourdark@ourdark.org"
set_var EASYRSA_REQ_OU         "Ourdark inc."

/usr/local/bin/gen-ovpn-client

#!/bin/sh

#*****MUST CHANGE***REPLACE WITH YOUR PUBLIC IP*****
PUBLICIP="ourdark.org"

#SERVERPORT: OpenVPN Port on this server. Standard OpenVPN port is 1194.
SERVERPORT="6174"

#LOCALPORT: Client's outgoing port. Standard is 1194. If changed, alert 
#clients to adjust their
#firewalls accordingly.
LOCALPORT="6174"

echo "Client Name: "
read clientname

#EasyRSA Directory; update path if needed
cd /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/easyrsa build-client-full $clientname

#Generating client in /etc/openvpn/client/
profilename="$clientname.ovpn"
touch /etc/openvpn/client/$profilename

printf "client\nverb 4\nconnect-retry 2 300\nresolv-retry 60\ndev tun\nremote $PUBLICIP $SERVERPORT tcp\n--float\nlport $LOCALPORT\nproto tcp\n\n" >> /etc/openvpn/client/$profilename

#ca.crt; update path if needed
cat /etc/openvpn/ca.crt >> /etc/openvpn/client/$profilename

printf "\n\n" >> /etc/openvpn/client/$profilename

#client private key; update path if needed
cat /etc/openvpn/easy-rsa/pki/private/$clientname* >> /etc/openvpn/client/$profilename

printf "\n\n" >> /etc/openvpn/client/$profilename

#client certificate; update path if needed
cat /etc/openvpn/easy-rsa/pki/issued/$clientname* >> /etc/openvpn/client/$profilename

printf "\n\n" >> /etc/openvpn/client/$profilename

#static TLS auth key; update path if needed
cat /etc/openvpn/myvpn.tlsauth >> /etc/openvpn/client/$profilename

printf "\n" >> /etc/openvpn/client/$profilename

echo "The client profile is located at /etc/openvpn/client/$profilename"

/usr/local/bin/gen-ovpn-client-ios

#!/bin/sh

#*****MUST CHANGE***REPLACE WITH YOUR PUBLIC IP*****
PUBLICIP="ourdark.org"

#SERVERPORT: OpenVPN Port on this server. Standard OpenVPN port is 1194.
SERVERPORT="6174"

#LOCALPORT: Client's outgoing port. Standard is 1194. If changed, alert 
#clients to adjust their
#firewalls accordingly.
LOCALPORT="6174"

echo "Client Name: "
read clientname

#EasyRSA Directory; update path if needed
cd /etc/openvpn/easy-rsa/

/etc/openvpn/easy-rsa/easyrsa build-client-full $clientname

#Generating client in /etc/openvpn/client/
profilename="$clientname.ovpn"
touch /etc/openvpn/client/$profilename

printf "client\nverb 4\ndev tun\nremote $PUBLICIP $SERVERPORT tcp\nproto tcp\n\n" >> /etc/openvpn/client/$profilename

#ca.crt; update path if needed
cat /etc/openvpn/ca.crt >> /etc/openvpn/client/$profilename

printf "\n\n" >> /etc/openvpn/client/$profilename

#client private key; update path if needed
cat /etc/openvpn/easy-rsa/pki/private/$clientname* >> /etc/openvpn/client/$profilename

printf "\n\n" >> /etc/openvpn/client/$profilename

#client certificate; update path if needed
cat /etc/openvpn/easy-rsa/pki/issued/$clientname* >> /etc/openvpn/client/$profilename

printf "\n\n" >> /etc/openvpn/client/$profilename

#static TLS auth key; update path if needed
cat /etc/openvpn/myvpn.tlsauth >> /etc/openvpn/client/$profilename

printf "\n" >> /etc/openvpn/client/$profilename

echo "The client profile is located at /etc/openvpn/client/$profilename"

DECLARE @prefix VARCHAR(64) = 'Dev_LDS_Dev_LSS'
DECLARE @path VARCHAR(256) = 'E:\DB_Backup\Alex\'

DECLARE @dbname VARCHAR(256)
DECLARE @filename VARCHAR(256)
DECLARE @date VARCHAR(32)

SELECT @date = CONVERT(VARCHAR(20),GETDATE(),112)

DECLARE db_cursor CURSOR FOR
	SELECT [name]
	FROM sys.databases WHERE [name] like @prefix + '%'

OPEN db_cursor

FETCH NEXT FROM db_cursor INTO @dbname

	WHILE @@FETCH_STATUS = 0
		BEGIN
			SET @filename = @path + @dbname + '_' + @date + '.bak'
			BACKUP DATABASE @dbname TO DISK = @filename
			PRINT @filename
			FETCH NEXT FROM db_cursor INTO @dbname
		END

CLOSE db_cursor
DEALLOCATE db_cursor 

ALTER DATABASE [DBName] SET EMERGENCY;
GO
ALTER DATABASE [DBName] set single_user
GO
DBCC CHECKDB ([DBName], REPAIR_ALLOW_DATA_LOSS) WITH ALL_ERRORMSGS;
GO
ALTER DATABASE [DBName] set multi_user
GO

DECLARE @prefix VARCHAR(64) = 'Dev_LDS_Dev_LSS'
DECLARE @dbname VARCHAR(256)
DECLARE @statement VARCHAR(MAX)
DECLARE @sql VARCHAR(MAX)

DECLARE db_cursor CURSOR FOR
	SELECT [name]
	FROM sys.databases WHERE [name] like @prefix + '%'

OPEN db_cursor

FETCH NEXT FROM db_cursor INTO @dbname

	WHILE @@FETCH_STATUS = 0
		BEGIN
			SET @statement = 'SELECT ''' + @dbname+''' AS db, convert(VARCHAR(MAX),[name]) COLLATE SQL_Latin1_General_CP1_CI_AS AS tb FROM ' + @dbname +'.sys.tables where name like ''%CAWorkshopPriceList%'''
			--SET @statement = 'IF EXISTS('+ @statement + ') ' + @statement
			SET @sql = @sql + ' UNION ALL' + CHAR(13)
			SET @sql = ISNULL(@sql,'') + @statement
			--PRINT @sql
			
			FETCH NEXT FROM db_cursor INTO @dbname
		END

CLOSE db_cursor
DEALLOCATE db_cursor 

PRINT @sql
EXECUTE(@sql)

set nocount on

drop table if exists #reduce;
drop table if exists #depend;

create table #depend(
	id int identity(1,1),
	t_t int
)

declare @round int = 1

select parent_object_id as s_t,referenced_object_id as t_t into #reduce from sys.foreign_key_columns
insert into #depend select object_id as t_t from sys.tables where object_id not in (select s_t from #reduce) and object_id not in (select t_t from #reduce)

--select (select count(*) from #reduce) a,(select count(*) from #depend) b,(select count(distinct t_t) from #depend) b1, (select count(*) from sys.tables) c, 'out'
--select #depend.id,sys.tables.name from #depend left join sys.tables on #depend.t_t = sys.tables.object_id

insert into #depend select distinct a1.t_t as t_t from #reduce a1 left join #reduce a2 on a1.t_t = a2.s_t where a2.s_t is null 
insert into #depend select distinct a1.s_t as t_t from #reduce a1 where a1.t_t in (select t_t from #depend) and a1.s_t not in (select t_t from #reduce) and a1.s_t not in (select t_t from #depend)
delete from #reduce where #reduce.t_t in (select t_t from #depend)

--select (select count(*) from #reduce) a,(select count(*) from #depend) b,(select count(distinct t_t) from #depend) b1, (select count(*) from sys.tables) c , 'out'
--select #depend.id,sys.tables.name from #depend left join sys.tables on #depend.t_t = sys.tables.object_id
/*
select * from #depend
select * from #reduce
*/

declare @count int = 100
select @count = count(*) from #reduce

while(@count>0)
begin 
	insert into #depend select distinct a1.t_t as t_t from #reduce a1 left join #reduce a2 on a1.t_t = a2.s_t where a2.s_t is null 
	insert into #depend select distinct a1.s_t as t_t from #reduce a1 where a1.t_t in (select t_t from #depend) and a1.s_t not in (select t_t from #reduce) and a1.s_t not in (select t_t from #depend)
	delete from #reduce where #reduce.t_t in (select t_t from #depend)

	--select (select count(*) from #reduce) a,(select count(*) from #depend) b,(select count(distinct t_t) from #depend) b1, (select count(*) from sys.tables) c, @round
	--select #depend.id,sys.tables.name from #depend left join sys.tables on #depend.t_t = sys.tables.object_id

	select @count = count(*) from #reduce
	set @round = @round + 1
end

print cast(@round as varchar(7)) + ' round to finished'

select #depend.id,sys.tables.name from #depend left join sys.tables on #depend.t_t = sys.tables.object_id order by #depend.id
select * from sys.tables where object_id not in (select t_t from #depend)

drop table if exists #reduce;
drop table if exists #depend;

set nocount off

Official docker images
Github open source code

Install with docker-composite,  docker-compose.yml

Config documents

version: "3.2"
services:
  zero:
    image: dgraph/dgraph:latest
    volumes:
      - /tmp/data:/dgraph
    ports:
      - 5080:5080
      - 6080:6080
    restart: on-failure
    command: dgraph zero --my=zero:5180
  alpha:
    image: dgraph/dgraph:latest
    volumes:
      - /tmp/data:/dgraph
    ports:
      - 8080:8080
      - 9080:9080
    restart: on-failure
    command: dgraph alpha --my=alpha:7080 --zero=zero:5080
  ratel:
    image: dgraph/ratel
    ports:
      - 8000:8000
    command: dgraph-ratel

Start with docker-composite

docker-compose up -d

Access http://:8000

The prerequisite:
before you can install kafka you are required java jdk8+ installed, there is an old post reference
Alternative, you could use package tools like yum to install jdk as well.

Kafka require zookeeper for now, the article inlustrate how to install zk cluster

Download binary with curl, or use wget you like

curl -O https://dlcdn.apache.org/kafka/3.0.0/kafka_2.13-3.0.0.tgz

un-tar tarball

tar -xzf kafka_2.13-3.0.0.tgz

change dir to kafka

cd kafka_2.13-3.0.0

Create log dir

mkdir /data/kafka/kafka-logs

Backup your config template files

cp config/server.properties config/server.properties.template

Edit config file config/server.properties, modify highlight lines according to your fit.

vim config/server.properties

# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements.  See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License.  You may obtain a copy of the License at
#
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# see kafka.server.KafkaConfig for additional details and defaults

############################# Server Basics #############################

# The id of the broker. This must be set to a unique integer for each broker.
broker.id=0

############################# Socket Server Settings #############################

# The address the socket server listens on. It will get the value returned from 
# java.net.InetAddress.getCanonicalHostName() if not configured.
#   FORMAT:
#     listeners = listener_name://host_name:port
#   EXAMPLE:
#     listeners = PLAINTEXT://your.host.name:9092
#listeners=PLAINTEXT://:9092

# Hostname and port the broker will advertise to producers and consumers. If not set, 
# it uses the value for "listeners" if configured.  Otherwise, it will use the value
# returned from java.net.InetAddress.getCanonicalHostName().
#advertised.listeners=PLAINTEXT://your.host.name:9092

# Maps listener names to security protocols, the default is for them to be the same. See the config documentation for more details
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL

# The number of threads that the server uses for receiving requests from the network and sending responses to the network
num.network.threads=3

# The number of threads that the server uses for processing requests, which may include disk I/O
num.io.threads=8

# The send buffer (SO_SNDBUF) used by the socket server
socket.send.buffer.bytes=102400

# The receive buffer (SO_RCVBUF) used by the socket server
socket.receive.buffer.bytes=102400

# The maximum size of a request that the socket server will accept (protection against OOM)
socket.request.max.bytes=104857600


############################# Log Basics #############################

# A comma separated list of directories under which to store log files
log.dirs=/data/kafka/kafka-logs

# The default number of log partitions per topic. More partitions allow greater
# parallelism for consumption, but this will also result in more files across
# the brokers.
num.partitions=8

# The number of threads per data directory to be used for log recovery at startup and flushing at shutdown.
# This value is recommended to be increased for installations with data dirs located in RAID array.
num.recovery.threads.per.data.dir=2

############################# Internal Topic Settings  #############################
# The replication factor for the group metadata internal topics "__consumer_offsets" and "__transaction_state"
# For anything other than development testing, a value greater than 1 is recommended to ensure availability such as 3.
offsets.topic.replication.factor=3
transaction.state.log.replication.factor=3
transaction.state.log.min.isr=3

############################# Log Flush Policy #############################

# Messages are immediately written to the filesystem but by default we only fsync() to sync
# the OS cache lazily. The following configurations control the flush of data to disk.
# There are a few important trade-offs here:
#    1. Durability: Unflushed data may be lost if you are not using replication.
#    2. Latency: Very large flush intervals may lead to latency spikes when the flush does occur as there will be a lot of data to flush.
#    3. Throughput: The flush is generally the most expensive operation, and a small flush interval may lead to excessive seeks.
# The settings below allow one to configure the flush policy to flush data after a period of time or
# every N messages (or both). This can be done globally and overridden on a per-topic basis.

# The number of messages to accept before forcing a flush of data to disk
#log.flush.interval.messages=10000

# The maximum amount of time a message can sit in a log before we force a flush
#log.flush.interval.ms=1000

############################# Log Retention Policy #############################

# The following configurations control the disposal of log segments. The policy can
# be set to delete segments after a period of time, or after a given size has accumulated.
# A segment will be deleted whenever *either* of these criteria are met. Deletion always happens
# from the end of the log.

# The minimum age of a log file to be eligible for deletion due to age
log.retention.hours=168

# A size-based retention policy for logs. Segments are pruned from the log unless the remaining
# segments drop below log.retention.bytes. Functions independently of log.retention.hours.
#log.retention.bytes=1073741824

# The maximum size of a log segment file. When this size is reached a new log segment will be created.
log.segment.bytes=1073741824

# The interval at which log segments are checked to see if they can be deleted according
# to the retention policies
log.retention.check.interval.ms=300000

############################# Zookeeper #############################

# Zookeeper connection string (see zookeeper docs for details).
# This is a comma separated host:port pairs, each corresponding to a zk
# server. e.g. "127.0.0.1:3000,127.0.0.1:3001,127.0.0.1:3002".
# You can also append an optional chroot string to the urls to specify the
# root directory for all kafka znodes.
zookeeper.connect=link1:2181,link2:2181

# Timeout in ms for connecting to zookeeper
zookeeper.connection.timeout.ms=18000


############################# Group Coordinator Settings #############################

# The following configuration specifies the time, in milliseconds, that the GroupCoordinator will delay the initial consumer rebalance.
# The rebalance will be further delayed by the value of group.initial.rebalance.delay.ms as new members join the group, up to a maximum of max.poll.interval.ms.
# The default value for this is 3 seconds.
# We override this to 0 here as it makes for a better out-of-the-box experience for development and testing.
# However, in production environments the default value of 3 seconds is more suitable as this will help to avoid unnecessary, and potentially expensive, rebalances during application startup.
group.initial.rebalance.delay.ms=30000

for more detaild config settings(such like topic delete enable), find document here:

Apache Kafka

Apache Kafka: A Distributed Streaming Platform.

Apache Kafka

then start kafka cluster

nohup ./bin/kafka-server-start.sh config/server.properties &

you can wrap your binary as auto start service, check here

repeat all above step on each node, your kafka cluster is online.

Now test your cluster:

Topics

#Create topic
bin/kafka-topics.sh --create --partitions 1 --replication-factor 1 --topic hello --bootstrap-server localhost:9092
#Check topic
bin/kafka-topics.sh --describe --topic hello --bootstrap-server localhost:9092

Producer and Consumer

#Start producer
bin/kafka-console-producer.sh --topic hello --bootstrap-server localhost:9092
#Start consumer
bin/kafka-console-consumer.sh --topic hello --from-beginning --bootstrap-server localhost:9092

Check broker registered if you like

./bin/zookeeper-shell.sh localhost:2181 ls /brokers/ids

You can login to zookeeper to get more info

It's done!

[Reference]

https://data-flair.training/blogs/kafka-cluster/

sudo docker run --net=host -d \
    --name zk \
    --restart always \
    -e ZOO_MY_ID=1 \
    -e ZOO_SERVERS="server.1=link1:2888:3888;2181 server.2=link2:2888:3888;2181" \
    zookeeper

now you can access zookeeper command via web:

http://link2.const.cc:8080/commands/

On each node:

docker exec -it zk /bin/bash
zkCli.sh

on server link1, create a node /zk_test and set string value "my_data"

create /zk_test my_data
Created /zk_test

on link2, get node value of /zk_test

get /zk_test 
my_data

then clean up test code on one of nodes.

delete /zk_test

note: this example only setup 2 nodes on server, you could startup your cluster as many as you want.

systemctl stop firewalld
systemctl disable firewalld

Then make nodes know each other

vim /etc/hosts
192.168.0.227 link1
192.168.0.228 link2

The emqx.conf is config of emqx, content(default ) is huge and you can copy it from flollowing site:

emqx/emqx.conf at main-v4.3 · emqx/emqx

An Open-Source, Cloud-Native, Distributed MQTT Message Broker for IoT. - emqx/emqx.conf at main-v4.3 · emqx/emqx

GitHubemqx

Or you can copy it with docker:

docker run -d --name emqx --rm emqx/emqx
docker cp emqx:/opt/emqx/etc .
docker rm -f emqx

Then start emqx container on each node(change the highlight line according to you nodes):

docker run -tid --name emqx --restart=always --network host \
    -e EMQX_NAME=link1 \
    -e EMQX_HOST=192.168.0.227 \
    -e EMQX_LISTENER__TCP__EXTERNAL=1883 \
    -e EMQX_WAIT_TIME=30 \
    -e EMQX_JOIN_CLUSTER="link1@192.168.0.227" \
    -e EMQX_CLUSTER__NAME=emqxcl \
    -e EMQX_CLUSTER__DISCOVERY=static \
    -e EMQX_CLUSTER__STATIC__SEEDS="link1@192.168.0.227,link2@192.168.0.228" \
    emqx/emqx

Check running status

docker logs -f emqx
cluster.discovery = "static"
cluster.name = "emqxcl"
cluster.static.seeds = "link1@192.168.0.227,link2@192.168.0.228"
listener.ssl.external.acceptors = "32"
listener.ssl.external.max_connections = "102400"
listener.tcp.external = "1883"
listener.tcp.external.acceptors = "64"
listener.tcp.external.max_connections = "1024000"
listener.ws.external.acceptors = "16"
listener.ws.external.max_connections = "102400"
listener.wss.external.acceptors = "16"
listener.wss.external.max_connections = "102400"
log.to = "console"
node.max_ets_tables = "2097152"
node.max_ports = "1048576"
node.name = "link1@192.168.0.227"
node.process_limit = "2097152"
rpc.port_discovery = "manual"
Starting emqx on node link1@192.168.0.227
Start http:management listener on 8081 successfully.
Start http:dashboard listener on 18083 successfully.
Start mqtt:tcp:internal listener on 127.0.0.1:11883 successfully.
Start mqtt:tcp:external listener on 0.0.0.0:1883 successfully.
Start mqtt:ws:external listener on 0.0.0.0:8083 successfully.
Start mqtt:ssl:external listener on 0.0.0.0:8883 successfully.
Start mqtt:wss:external listener on 0.0.0.0:8084 successfully.
EMQ X Broker 4.3.8 is running now!

Check cluster status via

docker exec -it emqx /bin/sh /opt/emqx/bin/emqx_ctl cluster status
Cluster status: #{running_nodes =>
                      ['link1@192.168.0.227','link2@192.168.0.228'],
                  stopped_nodes => []}

Open webbrowser, access site

http://link1.const.cc:18083

user: admin

password: public

• Create network for dockers, it's better you create network for the dockers, then you can access docker with name

docker network create IoT

• Create /data and /data/influx dir for docker volume

mkdir /data
mkdir /data/influx

• Start influxDB with docker, The official docker image here

docker run -p 8086:8086 \
    -v /data/influx/influxdb:/var/lib/influxdb \
    -v /data/influx/influxdb2:/var/lib/influxdb2 \
    -v /data/influx/influxdb2-config:/etc/influxdb2 \
    -v /data/influx/influxdb.conf:/etc/influxdb/influxdb.conf \
    -e DOCKER_INFLUXDB_INIT_USERNAME=admin \
    -e DOCKER_INFLUXDB_INIT_PASSWORD=ConST \
    -e DOCKER_INFLUXDB_INIT_ORG=ConST \
    -e DOCKER_INFLUXDB_INIT_BUCKET=bucket \
    -e DOCKER_INFLUXDB_INIT_ADMIN_TOKEN=123 \
    --network=IoT \
    -d \
    --restart always \
    --name influx \
    influxdb

• Now access https://ourdark.org:8086

Install telegraf

• Create telegraf dir

mkdir /data/telegraf

• Switch to /data/telegraf folder

cd /data/telegraf

• Before you can mount local config file to telegraf, make sure there is telegraf.conf exists

docker run --rm telegraf telegraf config > telegraf.conf

       telegraf.conf is auto generated under /data/telegraf/ folder, then edit the config you want, mine will like this.

vim telegraf.conf

# Configuration
[agent]
  interval = "10s"
  round_interval = true
  metric_batch_size = 1000
  metric_buffer_limit = 10000
  collection_jitter = "0s"
  flush_interval = "10s"
  flush_jitter = "0s"
  precision = ""
  hostname = ""
  omit_hostname = false
[[outputs.influxdb_v2]]
  urls = ["http://link1.const.cc:8086"]
  token = "yDLG7pUZbX5uCTMf6Qnopd62yOkhazUMeRco3sP3m6syHnn0nGS1xyj-vA3f7YinUYWH6J5pwH7_YMOu0HaKiQ=="
  organization = "ConST"
  bucket = "Default"
[[inputs.cpu]]
  percpu = true
  totalcpu = true
  collect_cpu_time = false
  report_active = false
[[inputs.disk]]
  ignore_fs = ["tmpfs", "devtmpfs", "devfs", "iso9660", "overlay", "aufs", "squashfs"]
[[inputs.diskio]]
[[inputs.mem]]
[[inputs.net]]
[[inputs.processes]]
[[inputs.swap]]
[[inputs.system]]

       You can get information from https://ourdark.org:8086, navigate to data->telegraf, then create configuration with system plugin

• Now you can start telegraf docker

docker run -v $PWD/telegraf.conf:/etc/telegraf/telegraf.conf:ro \
    --restart always \
    --name=telegraf \
    -d  \
    telegraf

      It should say "connected" after a little while, the system monitor dashboard will auto created and loaded.

• Create config file mosquitto.conf under /data/mosquitto/config/

# allow_anonymous true
listener 1883
persistence true
persistence_location /mosquitto/data/
log_dest file /mosquitto/log/mosquitto.log
password_file /mosquitto/pwd*

• Create file pwd under /mosquitto/ in docker

touch pwd

• Add user for pwd

mosquitto_passwd -c /mosquitto/pwd root

• Execute following line to start mqtt docker container

docker run -it -d --name mosquitto -v /data/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf -v /data/mosquitto/data:/mosquitto/data -v /data/mosquitto/log:/mosquitto/log --restart always -p 1883:1883 -p 9001:9001 eclipse-mosquitto

Now you can use cli to test your mqtt

• Subscribe data

docker run --rm hivemq/mqtt-cli sub -t '#' -h ourdark.org -u root -pw Forhuman1999@

• publish message

docker run --rm -it hivemq/mqtt-cli pub -t test -h ourdark.org -m "aaa"

or

docker run --rm -it hivemq/mqtt-cli shell
con -i test -h ourdark.org
pub -t test -m "aaa"

Enable Websocket

Add flollowing lines to config file:

listener 8080
protocol websockets

Then restart docker and expose port 8080

docker run -it -d --name mosquitto -v /data/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf -v /data/mosquitto/data:/mosquitto/data -v /data/mosquitto/log:/mosquitto/log --restart always -p 1883:1883 -p 9001:9001 -p 8080:8080 eclipse-mosquitto

Well, you can use your single node mqqt server, it support mqtt and websocket protocol now.

ec2-user with rsa

sudo su

Init your password for root user

passwd

change ssh config enable root login

vim /etc/ssh/sshd_config

PermitRootLogin yes
PasswordAuthentication yes

Restart sshd

service sshd restart

Then you can login amazon ec2 with root user

导语：科学之冠爱因斯坦是迄今为止最卓越的科学家和思想家，是现代物理学的开创者和奠基人，他的相对论，量子力论以及统一场论三大定理是其在特能状态之大成，于世无懈可击。爱因斯坦在二十世纪初建立相对论的伟大创见，于中年获道，晚年著作全集并没有问世，一旦公之于众必将引起轰动。 在这篇文章中，爱因斯坦以一个科学家的诚实和简洁说明了人生观，政治观，宗教观。在现今这个物欲横流道德缺失信仰危机的时代下，这样振聋发聩的文字和思想越发突显其警世正风和启迪心灵的作用。

对于人生，爱因斯坦说：
“我们每个人在这个世界上都只作一个短暂的逗留；目的何在，却无所知，尽管有时自以为对此若有所感。我每天上百次地提醒自己：我的精神生活和物质生活都依靠别人（包括活着的人和死去的人）的劳动，我必须尽力以同样的分量来报偿我所领受了的和至今还在领受的东西。每一个人的行为，虽然受着外界的强迫，最重要的是适应内心的必然。要追究一个人自己或一切生物生存的意义或目的，从客观的观点看来，我总觉得是愚蠢可笑的。可是每个人都有一定的理想，这种理想决定着他的努力和判断的方向。
就在这个意义上，我从来不把安逸和享乐看作是生活目的本身——这种伦理基础，我叫它猪栏的理想。照亮我的道路，并且不断地给我新的勇气去愉快地正视生活的理想，是善、美和真。要是没有志同道合者之间的亲切感情，要不是全神贯注于客观世界——那个在艺术和科学工作领域里永远达不到的对象，那末在我看来，生活就会是空虚的。人们所努力追求的庸俗的目标——财产、虚荣、奢侈的生活——我总觉得都是可鄙的。我强烈地向往着俭朴的生活，并且时常为发觉自己占用了同胞的过多劳动而难以忍受。简单淳朴的生活，无论在身体上还是在精神上，对每个人都是有益的。”“一个人的真正价值，首先决定于他在什么程度上和在什么意义上从自我解放出来。”

对于政治，爱因斯坦说：
“我认为阶级的区分是不合理的，它最后所凭借的是以暴力为根据。我的政治理想是民主主义。让每一个人都作为个人而受到尊重，而不让任何人成为崇拜的偶像。我自己受到了人们过分的赞扬和尊敬，这不是由于我自己的过错，也不是由于我自己的功劳，而实在是一种命运的嘲弄。其原因大概在于人们有一种愿望，想理解我以自己的微薄绵力通过不断的斗争所获得的少数几个观念，而这种愿望有很多人却未能实现。我完全明白，一个组织要实现它的目的，就必须有一个人去思考，去指挥，并且全面担负起责任来。但是被领导的人不应当受到强迫，他们必须有可能来选择自己的领袖。
在我看来，强迫的专制制度很快就会腐化堕落。因为暴力所招引来的总是一些品德低劣的人，而且我相信，天才的暴君总是由无赖来继承，这是一条千古不易的规律。在人生的丰富多彩的表演中，我觉得真正可贵的，不是政治上的国家，而是有创造性的，有感情的个人，是人格；只有个人才能创造出高尚的和卓越的东西，而群众本身在思想上总是迟钝的，在感觉上也总是迟钝的。”

对于战争，爱因斯坦说：
“我想起了群众生活中最坏的一种表现，那就是使我厌恶的军事制度。一个人能够洋洋得意地随着军乐队在四列纵队里行进，单凭这一点就足以使我对他轻视。他所以长了一个大脑，只是出于误会；单单一根脊髓就可满足他的全部需要了。文明国家的这种罪恶的渊薮，应当尽快加以消灭。
由命令而产生的勇敢行为，毫无意义的暴行，以及在爱国主义名义下一切可恶的胡闹，所有这些都使我深恶痛绝，在我看来，战争是多么卑鄙、下流！我宁愿被千刀万剐，也不愿参预这种可憎的勾当。尽管如此，我对人类的评价还是十分高的，我相信，要是人民的健康感情没有被那些通过学校和报纸而起作用的商业利益和政治利益蓄意进行败坏，那末战争这个妖魔早就该绝迹了。”

对于宗教，爱因斯坦说：
“我们所能有的最美好的经验是奥秘的经验。它是坚守在真正艺术和真正科学发源地上的基本感情。谁要是体验不到它，谁要是不再有好奇心也不再有惊讶的感觉，他就无异于行尸走肉，他的眼睛是迷糊不清的。就是这样奥秘的经验——虽然掺杂着恐怖——产生了宗教。我们认识到有某种为我们所不能洞察的东西存在，感觉到那种只能以其最原始的形式为我们感受到的最深奥的理性和最灿烂的美——正是这种认识和这种情感构成了真正的宗教感情；在这个意义上，而且也只是在这个意义上，我才是一个具有深挚的宗教感情的人。
我无法想象一个会对自己的创造物加以赏罚的上帝，也无法想象它会有像在我们自己身上所体验到的那样一种意志。我不能也不愿去想象一个人在肉体死亡以后还会继续活着；让那些脆弱的灵魂，由于恐惧或者由于可笑的唯我论，去拿这种思想当宝贝吧！我自己只求满足于生命永恒的奥秘，满足于觉察现存世界的神奇的结构，窥见它的一鳞半爪，并且以诚挚的努力去领悟在自然界中显示出来的那个理性的一部分，即使只是其极小的一部分，我也就心满意足了。”“人类的精神愈向前进化，就越是可以肯定的说，通向真正宗教感情的道路，不是对死亡的恐惧，也不是盲目崇拜信仰，而是对理性知识的追求，对宇宙无限伟大意志的谦卑和崇敬。”

“人是我们称之为宇宙的统一整体的一部分，在时间和空间上都有限的一部分。对自我、思维和感情的体验都与世界的其他部分分割开来。这是一种意识的视觉错觉。这种错觉有如一种牢笼，使我们局限于个人的欲望，只对和我们最亲近的人才怀有温情。我们的任务应是扩大同情心，去拥抱所有的生命和自然界中美好的一切，把自己从这个牢笼中解放出来。”——阿尔伯特·爱因斯坦

从解析物质到解脱物质，爱因斯坦看破了物质小丑的把戏，也看清了宇宙人生的真相，从宇宙和谐的次序中，从星汉灿烂的银河边，他看到了一个伟大的意志和力量，心悦诚服于大宇元真非凡的创造和智慧，走出自我，完成了一个智者对于生命和万物的超越，滴水入海，终归本源。他是宇宙真理的揭示者，也是返朴归真的践行者，在他的背影里，我们也看到了回家的路标。　
“对于一个人自身的存在，何者是有意义的，他自己并不知晓，并且，这一点肯定也不应该打扰其他人。
一条鱼能对它终生畅游其中的水知道些什么？　　……　

我孤寂地生活着，年轻时痛苦万分，而在成熟之年里却甘之如饴。”

“物质、空间和物质，是人类认识的错觉。”“现实即幻象，只不过比较稳定罢了。”

“走出狭隘的自我，生活才真正开始。”　——阿尔伯特·爱因斯坦

There are 2 ways of excution javascript

• Headless browser - Internet explorer without UI, you can run js in simulation envireonment.
• Js Engine/Framework - Excute javascript with engine support

The headless browser:

• WebKit.Net(free)
• Awesomium It is based on Chrome/WebKit and works like a charm. There is a free license available but also a commercial one and if need be you can buy the source code
• HTML Agility Pack (free) (An HTML Parser library, NOT a headless browser)
  This helps with extracting information from HTML etc. and might be useful in your case (possibly in combination with HttpWebRequest)
• PhantomJS - full featured headless web browser. Often used in pair with Selenium which allows you to access the browser from .NET application.
• Optimus - lightweight headless web browser. It's in beta but it is sufficient for some cases.

But they ALL dead(2021/1/22), so there is only one way posible.

The JS Engine

• Microsoft.AspNetCore.NodeServices is obsolted, it involve NodeJS run time
• microsoft/ClearScript ClearScript is a library that makes it easy to add scripting to your .NET applications. It currently supports JavaScript (via V8 and JScript) and VBScript.
• JavaScriptEngineSwitcher.ChakraCore Microsoft will continue to provide security updates for ChakraCore 1.11 until 9th March 2021 but do not intend to support it after that.

// create a script engine
using (var engine = new V8ScriptEngine())
{
    // expose a host type
    engine.AddHostType("Console", typeof(Console));
    engine.Execute("Console.WriteLine('{0} is an interesting number.', Math.PI)");
    // expose a host object
    engine.AddHostObject("random", new Random());
    engine.Execute("Console.WriteLine(random.NextDouble())");
    // expose entire assemblies
    engine.AddHostObject("lib", new HostTypeCollection("mscorlib", "System.Core"));
    engine.Execute("Console.WriteLine(lib.System.DateTime.Now)");
    // create a host object from script
    engine.Execute(@"
    birthday = new lib.System.DateTime(2007, 5, 22);
    Console.WriteLine(birthday.ToLongDateString());
    ");
    // use a generic class from script
    engine.Execute(@"
    Dictionary = lib.System.Collections.Generic.Dictionary;
    dict = new Dictionary(lib.System.String, lib.System.Int32);
    dict.Add('foo', 123);
    ");
    // call a host method with an output parameter
    engine.AddHostObject("host", new HostFunctions());
    engine.Execute(@"
    intVar = host.newVar(lib.System.Int32);
    found = dict.TryGetValue('foo', intVar.out);
    Console.WriteLine('{0} {1}', found, intVar);
    ");
    // create and populate a host array
    engine.Execute(@"
    numbers = host.newArr(lib.System.Int32, 20);
    for (var i = 0; i < numbers.Length; i++) { numbers[i] = i; }
    Console.WriteLine(lib.System.String.Join(', ', numbers));
    ");
    // create a script delegate
    engine.Execute(@"
    Filter = lib.System.Func(lib.System.Int32, lib.System.Boolean);
    oddFilter = new Filter(function(value) {
    return (value & 1) ? true : false;
    });
    ");
    // use LINQ from script
    engine.Execute(@"
    oddNumbers = numbers.Where(oddFilter);
    Console.WriteLine(lib.System.String.Join(', ', oddNumbers));
    ");
    // use a dynamic host object
    engine.Execute(@"
    expando = new lib.System.Dynamic.ExpandoObject();
    expando.foo = 123;
    expando.bar = 'qux';
    delete expando.foo;
    ");
    // call a script function
    engine.Execute("function print(x) { Console.WriteLine(x); }");
    engine.Script.print(DateTime.Now.DayOfWeek);
    // examine a script object
    engine.Execute("person = { name: 'Fred', age: 5 }");
    Console.WriteLine(engine.Script.person.name);
    // read a JavaScript typed array
    engine.Execute("values = new Int32Array([1, 2, 3, 4, 5])");
    var values = (ITypedArray)engine.Script.values;
    Console.WriteLine(string.Join(", ", values.ToArray()));
}