operating_systems:raspbian:easygateway_configuration


Guacamole

Dependencies

Start by updating your system.

# apt update

Install the packages needed to build guacamole-server:

# apt install --no-install-recommends build-essential libjpeg-dev libossp-uuid-dev libpulse-dev libcairo2-dev libssl-dev libvncserver-dev libvorbis-dev libtelnet-dev libssh2-1-dev libpango1.0-dev libfreerdp-dev
# apt install --no-install-recommends sudo socat nmap telnet lynx

Download the guacamole-server source code:

wget -O guacamole-server-1.0.0.tar.gz "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz"

Before compiling guacamole, also install the optional video and image encoding development libraries (the Debian packages carry a -dev suffix):

# apt install --no-install-recommends libavcodec-dev libavutil-dev libswscale-dev libwebp-dev

Installation

If you build guacamole-server 0.9.9 on Stretch instead, compilation fails with: guac_common_ssh_openssl_id_callback [-Werror=unused-function]

Compilation

Once the dependencies are in place, extract the archive, change into the source directory and build and install guacamole. It takes about 5 minutes:

$ ./configure --with-init-dir=/etc/init.d
$ make
# make install

Refresh the shared library cache so that guacd finds the freshly installed libguac libraries:

# ldconfig

Enable automatic startup:

# update-rc.d guacd defaults

Start guacd:

# service guacd start

Perl modules

Update CPAN itself and reload the CPAN shell:

perl -MCPAN -e shell
install CPAN
reload cpan
exit

Then install cpanm (App::cpanminus):

cpan App::cpanminus

Install the following modules:

cpanm URI
cpanm IO::HTML
cpanm Net::HTTP
cpanm File::Listing
cpanm Encode::Locale
cpanm WWW::RobotRules
cpanm HTML::Entities
cpanm HTML::HeadParser
cpanm XML::Twig
cpanm XML::Parser
cpanm Nmap::Parser
cpanm HTTP::Request
cpanm HTTP::Status
cpanm HTTP::Daemon
cpanm HTTP::Cookies
cpanm HTTP::Negotiate
cpanm LWP::UserAgent
cpanm Log::Log4perl
cpanm Log::Dispatch::Syslog
cpanm CGI

Nagios plugins

Install the Nagios plugins and pick the default editor:

# apt install --no-install-recommends nagios-plugins
# update-alternatives --config editor

Allow the acdsn user to run nmap as root without a password. The sudoers fragment is kept in the fw-rules git repository and symlinked into /etc/sudoers.d:

# vi /home/acdsn/git/fw-rules/<port number>/etc/sudoers.d/010_acdsn

# User privilege specification
acdsn   ALL=(ALL:ALL) NOPASSWD: /usr/bin/nmap

# cd /etc/sudoers.d
# ln -s /home/acdsn/git/fw-rules/3780/etc/sudoers.d/010_acdsn 010_acdsn

sudo will not apply a fragment in /etc/sudoers.d that is not owned by root or that is writable by group or others (it warns, for example, "is owned by uid 1000, should be 0"), and the check is made on the file the symlink points to, so the copy in the git checkout must be root-owned with mode 0440. Check the result with visudo -cf /etc/sudoers.d/010_acdsn.

Forward the local4 facility over RELP to 127.0.0.1:10514 (omrelp comes from the rsyslog-relp package installed below). This fragment also lives in the fw-rules repository and is symlinked into /etc/rsyslog.d:

# vi /home/acdsn/git/fw-rules/3780/etc/rsyslog.d/local4.conf

$ActionFileEnableSync on

$ModLoad omrelp
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

#*.*    :omrelp:<server>:<port>;<template>
local4.*        :omrelp:127.0.0.1:10514

# cd /etc/rsyslog.d
# ln -s /home/acdsn/git/fw-rules/<port number>/etc/rsyslog.d/local4.conf local4.conf

Reference: https://guacamole.apache.org/doc/gug/installing-guacamole.html

Clone necessary git repositories

Now, clone each git repository into the respective directory.

$ cd ~/git/
$ git clone git@git.bolay.co:acdsn-scripts

$ cd ~/git/
$ git clone git@git.bolay.co:easygateway-scripts

Crontabs

Since /var/spool is mounted on tmpfs, the per-user crontab spool does not exist and crontab fails. Instead, place the crontab files for root and the acdsn user in /etc/cron.d/ (note the extra user field after the schedule in each line).
From the cron man page: “/etc/crontab and the files in /etc/cron.d must be owned by root, and must not be group- or other-writable.”

acdsn

# m h  dom mon dow   command
@daily acdsn /usr/bin/curl http://easygateway.testing.com.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem
30 0 * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --readonly-check --git-check
@hourly acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --load-check --disk-check --timek
*/15 * * * * acdsn /usr/bin/perl /home/acdsn/git/acdsn-scripts/nagios_passive_check/npc.pl --central port=<port number> service=easygateway remote=master --users-check
*/5 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l 22 -r  <port number> >/dev/null 2>&1
*/4 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l  20514 -r 10514 -f L >/dev/null 2>&1
*/3 * * * * acdsn /bin/bash /home/acdsn/git/acdsn-scripts/connect.acdsn.sh -u acdsn -t server5.bolay.co -l 4822 -r  3788 >/dev/null 2>&1

*/2 * * * * acdsn /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync.sh -K -S >/dev/null 2>&1
*/5 * * * * acdsn /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p fMoTbxdeiJUNFDJHbe -mCc

root

LANG=C
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h  dom mon dow   command
#@reboot /bin/bash /home/acdsn/git/acdsn-scripts/set_time.sh >/dev/null 2>&1
#@reboot /usr/bin/python /home/acdsn/git/acdsn-scripts/usb_off.py >/dev/null 2>&1
#@hourly /bin/bash /home/acdsn/git/acdsn-scripts/set_time.sh >/dev/null 2>&1

# This line disables all USB ports (all other port numbers have no effect)
# Reference : https://www.raspberrypi.org/forums/viewtopic.php?t=217858#p1339349
@reboot root /home/acdsn/git/uhubctl/uhubctl -a off -p 2

0 */3 * * * root /bin/bash /home/acdsn/git/acdsn-scripts/network.sh eth0 > /dev/null 2>&1
@hourly root /bin/bash /home/acdsn/git/acdsn-scripts/reboot.sh -u http://server5.bolay.co/eG/reboot.txt >/dev/null 2>&1

Make sure the root and acdsn files in /etc/cron.d BELONG to root; ls -la /etc/cron.d should show:

drwxr-xr-x  2 root root 4096 May  6 11:13 .
drwxr-xr-x 89 root root 4096 May  6 11:05 ..
-rw-------  1 root root 1312 May  6 11:13 acdsn
-rw-r--r--  1 root root  102 Oct  7  2017 .placeholder
-rw-------  1 root root 1862 May  6 10:41 root
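The ownership rules above for /etc/cron.d, and the same kind of rule for the sudoers fragment linked into /etc/sudoers.d in the Nagios section, are easy to get wrong when the files are symlinks into a git checkout: a wrong owner or mode silently disables the jobs or the nmap rule. The following audit script is an added example, not part of the original page or of the acdsn scripts; it assumes GNU coreutils (stat -L, readlink -f) as found on Raspbian and checks owner, mode and file name for both directories.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: audit the drop-in files
# that cron(8) reads from /etc/cron.d and sudo reads from /etc/sudoers.d.
# Both daemons refuse a fragment that is not owned by root or is writable by
# group/other, and both skip files whose names do not fit their rules, so a
# wrong chown or a stray ".bak" silently disables the acdsn jobs or the nmap
# sudo rule. Symlinks (the page links fragments out of /home/acdsn/git) are
# resolved and the checks are applied to the file the daemon actually opens.

# fragment_name_ok NAME KIND -> 0 if the daemon will read a file of that name.
#   cron: run-parts naming, only letters, digits, '_' and '-' (".placeholder" is ignored)
#   sudo: no '.' anywhere and no trailing '~' (editor backups and "file.bak" are ignored)
fragment_name_ok() {
    case $2 in
        cron) case $1 in ""|*[!A-Za-z0-9_-]*) return 1 ;; esac ;;
        sudo) case $1 in ""|*.*|*~) return 1 ;; esac ;;
        *)    return 1 ;;
    esac
    return 0
}

# fragment_ok UID MODE KIND -> 0 if owner and mode are acceptable (MODE is octal as printed by stat %a).
#   cron: owned by uid 0 and not group- or other-writable (0600 and 0644 both pass)
#   sudo: owned by uid 0 and exactly 0440, as sudo expects for sudoers.d files
fragment_ok() {
    [ "$1" -eq 0 ] || return 1
    case $3 in
        cron) [ $(( 0$2 & 0022 )) -eq 0 ] || return 1 ;;
        sudo) [ $(( 0$2 )) -eq $(( 0440 )) ] || return 1 ;;
        *)    return 1 ;;
    esac
    return 0
}

# audit_dir DIR KIND: report every entry, return the number of bad ones (0 = clean).
audit_dir() {
    dir=$1 kind=$2 bad=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue                  # empty or unreadable directory, or unmatched glob
        name=${f##*/}
        target=$(readlink -f -- "$f")            # follow the symlink like the daemon does
        uid=$(stat -L -c %u -- "$f")
        mode=$(stat -L -c %a -- "$f")
        if ! fragment_name_ok "$name" "$kind"; then
            echo "SKIP $f (name not accepted by $kind, file is ignored)"
        elif fragment_ok "$uid" "$mode" "$kind"; then
            echo "ok   $f -> $target (uid=$uid mode=$mode)"
        else
            echo "BAD  $f -> $target (uid=$uid mode=$mode)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run on the gateway as root: AUDIT_FRAGMENTS=1 sh audit_fragments.sh
# Exit status is 0 when every fragment in both directories is acceptable.
if [ -n "${AUDIT_FRAGMENTS:-}" ]; then
    audit_dir /etc/cron.d cron;    c=$?
    audit_dir /etc/sudoers.d sudo; s=$?
    exit $((c + s))
fi
```

The file name checks come from the cron(8) and sudoers(5) manual pages: cron.d uses the run-parts naming rules, which is why the .placeholder file in the listing above is harmless, and sudo skips names containing a dot or ending in a tilde. For the sudoers fragment, follow a clean audit with visudo -cf on the linked file to catch syntax errors as well.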

Create the OpenVPN server directory on the persistent data partition and link it into /etc/openvpn:

# mkdir -p /etc/openvpn/
# mkdir -p /media/data/etc/openvpn/server
# ln -s /media/data/etc/openvpn/server/ /etc/openvpn/server
# chown acdsn:acdsn /media/data/etc/openvpn/server/

Without this, the first job in the acdsn crontab fails with the following error: Failed to create the file /etc/openvpn/server/ca_crl.pem: No such file or directory

Create the acdsn configuration directory the same way. Create only /etc/acdsn, not /etc/acdsn/conf.d, so that ln -s creates the link itself rather than a conf.d/conf.d link inside an existing directory:

# mkdir -p /etc/acdsn
# mkdir -p /media/data/etc/acdsn/conf.d
# ln -s /media/data/etc/acdsn/conf.d /etc/acdsn/conf.d
# touch /etc/acdsn/conf.d/units.txt
# chown acdsn:acdsn /media/data/etc/acdsn/conf.d/

As acdsn, create the spool and client directories and the client configuration file:

$ mkdir -p /etc/acdsn/conf.d/{spool,client}
$ mkdir -p /etc/acdsn/conf.d/spool/client
$ touch /etc/acdsn/conf.d/client.json

Install the remaining packages as root:

# apt-get install --no-install-recommends rsyslog-relp
# apt-get install --no-install-recommends jq
# apt-get install --no-install-recommends libconfig-dev

Reference: https://manpages.debian.org/stretch/cron/cron.8.en.html

OpenVPN server

Dependencies

# apt install --no-install-recommends openvpn openssl

Setup

The CA certificate ca.crt generated by server1 needs to be copied to the machine that will run OpenVPN. On server1:

# cp /etc/openvpn/easy-rsa/pki/ca.crt /tmp/
# chown acdsn:acdsn /tmp/ca.crt
# su acdsn
$ scp -P <port number> /tmp/ca.crt acdsn@localhost:/tmp

On the Raspberry Pi, move the server1 CA certificate to /etc/openvpn/server and restrict its ownership:

# mv /tmp/ca.crt /etc/openvpn/server/
# chown root:root /etc/openvpn/server/ca.crt

Install easy-rsa and generate a key pair for the OpenVPN server.

We use the release tarball rather than a git clone, because a clone would need the build.sh script with --version=3.0.4 to produce the final version.

# cd /tmp
# wget --no-check-certificate https://github.com/OpenVPN/easy-rsa/releases/download/v3.0.4/EasyRSA-3.0.4.tgz
# tar -xvzf EasyRSA-3.0.4.tgz
# rm EasyRSA-3.0.4.tgz
# mv EasyRSA-3.0.4/ /etc/openvpn/easy-rsa/

Note that --no-check-certificate disables TLS certificate verification for this download; drop it if the ca-certificates package on the Pi is current, otherwise compare the archive with a copy obtained over a trusted channel before using it.

Make sure this option is set in /etc/openvpn/easy-rsa/vars: set_var EASYRSA_PKI "/etc/openvpn/easy-rsa/pki"

# cd /etc/openvpn/easy-rsa
# ./easyrsa init-pki
# ./easyrsa gen-req <port number> nopass
# cp /etc/openvpn/easy-rsa/pki/private/<port number>.key /etc/openvpn/server/

When prompted for the Common Name, use: Raspberry pi easyGateway <port number> - testing

Make sure that ONLY root can WRITE and READ the raspberry pi and server1 certificates.

# cd /etc/openvpn/server
# chmod 660 <port number>.key ca.crt
# chown root:root <port number>.key ca.crt

Create the initial dh.pem file.

# openssl dhparam -out /etc/openvpn/server/dh.pem 2048

Generate the HMAC key.

# openvpn --genkey --secret /etc/openvpn/server/ta.key

Sign OpenVPN server certificate

Securely transfer the certificate request to the CA (server1) machine for signing. On the Raspberry Pi:

# cp /etc/openvpn/easy-rsa/pki/reqs/<port number>.req /tmp/
# chown acdsn:acdsn /tmp/<port number>.req

On the CA (server1) machine, download, import and sign the certificate request, then make the issued certificate available to acdsn and copy it back:

# scp -P <port number> acdsn@localhost:/tmp/<port number>.req /tmp
# cd /etc/openvpn/easy-rsa
# ./easyrsa import-req /tmp/<port number>.req <port number>
# ./easyrsa sign-req server <port number> nopass
# cp /etc/openvpn/easy-rsa/pki/issued/<port number>.crt /tmp/
# chown acdsn:acdsn /tmp/<port number>.crt

# su acdsn
$ scp -P <port number> /tmp/<port number>.crt acdsn@localhost:/tmp

Back on the Raspberry Pi, install the signed certificate next to the key and the CA certificate:

# mv /tmp/<port number>.crt /etc/openvpn/server/
# chown root:root /etc/openvpn/server/<port number>.crt

References:
https://wiki.debian.org/OpenVPN
https://wiki.archlinux.org/index.php/Easy-RSA

Edit the init.d file, replace *.conf (3 occurrences) by server.conf and launch OpenVPN:

# vim /etc/init.d/openvpn
# systemctl daemon-reload
# /etc/init.d/openvpn start    # check with: ps -Af | grep openvpn

OpenVPN looks for the CA certificate at the path given by the ca directive (/etc/openvpn/server/ca.crt). If the file was renamed to root_ca.crt, the service will not create the tun0 interface; point the directive at the renamed file in server.conf:

# vi /etc/openvpn/server.conf
ca /etc/openvpn/server/ca.crt -> ca /etc/openvpn/server/root_ca.crt

To get OpenVPN logs, add the following line to /etc/openvpn/server.conf:

log-append /var/log/openvpn.log

Reference: https://askubuntu.com/a/511464

Create the CRL file that the daily cron job overwrites. The job runs as acdsn, so give that user ownership of the file rather than making it world-writable (a world-writable CRL would let any local user discard revocations):

# touch /etc/openvpn/server/ca_crl.pem
# chown acdsn:acdsn /etc/openvpn/server/ca_crl.pem
# chmod 644 /etc/openvpn/server/ca_crl.pem

Add client directories (as acdsn)

$ mkdir -p /etc/acdsn/conf.d/client
$ mkdir -p /etc/acdsn/conf.d/spool/client

Make sure the acdsn crontab contains the following lines (in /etc/cron.d the acdsn user field goes between the schedule and the command, as in the crontab section above):

@daily /usr/bin/curl https://www.easygateway.co/ca_crl.pem -o /etc/openvpn/server/ca_crl.pem
*/5 * * * * /bin/bash /home/acdsn/git/easygateway-scripts/minicentral/sync_eG/sync.sh -t 30 -p ORG_TOKEN -mCc

Firewall rules

operating_systems/raspbian/easygateway_configuration.1561533123.txt.gz · Last modified: 2019/06/26 07:12 by maferreira