Fix Ubuntu 22.04 iptables deployment issues and simplify config.cfg

Issues fixed:
1. Added base 'iptables' package to batch installation list (was missing, only iptables-persistent was included)
2. Fixed alternatives configuration for Ubuntu 22.04+ - only configure main iptables/ip6tables alternatives, not save/restore (they're handled as slaves)

Config.cfg improvements:
- Reduced from 308 to 198 lines (35% reduction)
- Moved privacy settings above "Advanced users only" line for better accessibility
- Clarified algo_no_log is for Ansible output, not server privacy
- Simplified verbose comments throughout
- Moved experimental performance options to commented section at end
- Better organized into logical sections

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

config.cfg

@@ -12,106 +12,61 @@ users:
 
 ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
 
-# Performance optimizations (reduces deployment time)
-# Skip reboots unless kernel was updated (saves 0-5 minutes)
-performance_skip_optional_reboots: false
-# Use parallel key generation for certificates (saves 1-2 minutes)  
-performance_parallel_crypto: false
-# Batch install all packages in one operation (saves 30-60 seconds)
-performance_parallel_packages: false
-# Pre-install universal packages via cloud-init (saves 30-90 seconds)
-performance_preinstall_packages: false
-# Configure VPN services in parallel (saves 1-2 minutes)
-performance_parallel_services: false
-
-# Change default SSH port for the cloud roles only
-# It doesn't apply if you deploy to your existing Ubuntu Server
+# SSH port for cloud deployments (doesn't apply to existing Ubuntu servers)
 ssh_port: 4160
 
-# Deploy StrongSwan to enable IPsec support
+# VPN protocols to deploy
 ipsec_enabled: true
-
-# Deploy WireGuard
-# WireGuard will listen on 51820/UDP. You might need to change to another port
-# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
-# mobile data networks.
 wireguard_enabled: true
-wireguard_port: 51820
+wireguard_port: 51820  # Change if blocked by your network (avoid 53/UDP)
 
-# This feature allows you to configure the Algo server to send outbound traffic
-# through a different external IP address than the one you are establishing the VPN connection with.
-# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
-# Available for the following cloud providers:
-# - DigitalOcean
+# Use different IP for outbound traffic (DigitalOcean only)
 alternative_ingress_ip: false
 
-# Reduce the MTU of the VPN tunnel
-# Some cloud and internet providers use a smaller MTU (Maximum Transmission
-# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
-# VPN tunnel some network connections will hang. Algo will attempt to set this
-# automatically based on your server, but if connections hang you might need to
-# adjust this yourself.
-# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
+# Reduce MTU if connections hang (0 = auto-detect)
+# See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
 reduce_mtu: 0
 
-# Algo will use the following lists to block ads. You can add new block lists
-# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
-# /usr/local/sbin/adblock.sh
-# If you load very large blocklists, you may also have to modify resource limits:
-# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
+# Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more)
 adblock_lists:
- - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+  - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
 
-# Enable DNS encryption.
-# If 'false', 'dns_servers' should be specified below.
-# DNS encryption can not be disabled if DNS adblocking is enabled
+# DNS encryption (required if using ad blocking)
 dns_encryption: true
 
-# Block traffic between connected clients. Change this to false to enable
-# connected clients to reach each other, as well as other computers on the
-# same LAN as your Algo server (i.e. the "road warrior" setup). In this
-# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
+# Client isolation (set false for "road warrior" setup where clients can reach each other)
 BetweenClients_DROP: true
+block_smb: true          # Block SMB/CIFS traffic
+block_netbios: true      # Block NETBIOS traffic
 
-# Block SMB/CIFS traffic
-block_smb: true
-
-# Block NETBIOS traffic
-block_netbios: true
-
-# Your Algo server will automatically install security updates. Some updates
-# require a reboot to take effect but your Algo server will not reboot itself
-# automatically unless you change 'enabled' below from 'false' to 'true', in
-# which case a reboot will take place if necessary at the time specified (as
-# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
+# Automatic reboot for security updates (time in server's timezone, default UTC)
 unattended_reboot:
   enabled: false
   time: 06:00
 
+### Privacy Settings ###
+# StrongSwan connection logging (-1 = disabled, 2 = debug)
+strongswan_log_level: -1
+
+# Master switch for privacy enhancements (log rotation, history clearing, etc.)
+# Set to false for debugging. For advanced privacy options, see roles/privacy/defaults/main.yml
+privacy_enhancements_enabled: true
+
 ### Advanced users only below this line ###
 
-# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
-# providers may be specified, but avoid mixing providers that filter results
-# (like Cisco) with those that don't (like Cloudflare) or you could get
-# inconsistent results. The list of available public providers can be found
-# here:
-# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
+# DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)
 dnscrypt_servers:
   ipv4:
     - cloudflare
 #   - google
-#   - <YourCustomServer>  # E.g., if using NextDNS, this will be something like NextDNS-abc123.
-                          # You must also fill in custom_server_stamps below. You may specify
-                          # multiple custom servers.
+#   - YourCustomServer  # For NextDNS etc., add stamp below
   ipv6:
     - cloudflare-ipv6
 
 custom_server_stamps:
 # YourCustomServer: 'sdns://...'
 
-# DNS servers which will be used if 'dns_encryption' is 'false'.
-# Fallback resolvers for systemd-resolved
-# The default is to use Cloudflare.
+# DNS servers when encryption is disabled
 dns_servers:
   ipv4:
     - 1.1.1.1
@@ -120,99 +75,36 @@ dns_servers:
     - 2606:4700:4700::1111
     - 2606:4700:4700::1001
 
-# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
-# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
+# Store PKI in RAM disk when not retaining (MacOS/Linux only)
 pki_in_tmpfs: true
 
-# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
+# Regenerate ALL user certs on update-users (not just new users)
 keys_clean_all: false
 
-# StrongSwan log level
-# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
-# Privacy enhancement: Set to -1 to disable logging of VPN connection details
-# Level 2 logs connection attempts and authentication which may reveal usage patterns
-# Level -1 disables logging entirely for enhanced privacy
-strongswan_log_level: -1
-
-### Privacy Enhancements ###
-# Additional privacy measures to reduce server-side traces of VPN usage
-# These settings help protect user privacy by minimizing log retention and filtering sensitive data
-
-# Enable enhanced privacy features
-# Set to false to disable all privacy enhancements (useful for debugging)
-privacy_enhancements_enabled: true
-
-# Log rotation and retention settings
-privacy_log_rotation:
-  # Maximum age for logs in days (shorter = more private, but less debugging info)
-  max_age: 7
-  # Maximum size for individual log files in MB
-  max_size: 10
-  # Number of rotated files to keep
-  rotate_count: 3
-  # Compress rotated logs to save space
-  compress: true
-  # Force daily rotation
-  daily_rotation: true
-
-# History clearing configuration
-privacy_history_clearing:
-  # Clear bash/shell history after deployment
-  clear_bash_history: true
-  # Clear system command history logs
-  clear_system_history: true
-  # Disable persistent history for system users
-  disable_service_history: true
-
-# Log filtering to exclude VPN-related entries
-privacy_log_filtering:
-  # Filter out VPN connection logs (WireGuard, StrongSwan, etc.)
-  exclude_vpn_logs: true
-  # Filter out detailed authentication logs (reduces security logging - use with caution)
-  exclude_auth_logs: false
-  # Filter kernel messages related to VPN traffic
-  filter_kernel_vpn_logs: true
-
-# Automatic cleanup policies
-privacy_auto_cleanup:
-  # Enable automatic cleanup of old logs and temporary files
-  enabled: true
-  # Cleanup frequency: daily, weekly, or monthly
-  frequency: "daily"
-  # Remove temporary files older than N days
-  temp_files_max_age: 1
-  # Clean package manager cache
-  clean_package_cache: true
-
-# Advanced privacy settings (use with caution)
-privacy_advanced:
-  # Disable logging of successful SSH connections (keeps failures for security)
-  disable_ssh_success_logs: false
-  # Reduce kernel log verbosity to minimize VPN traces
-  reduce_kernel_verbosity: true
-  # Clear all logs on system shutdown (extreme privacy measure)
-  clear_logs_on_shutdown: false
-
-# rightsourceip for ipsec
-# ipv4
+### VPN Network Configuration ###
 strongswan_network: 10.48.0.0/16
-# ipv6
 strongswan_network_ipv6: '2001:db8:4160::/48'
 
-# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
-# This option will keep the "connection" open in the eyes of NAT.
-# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
-wireguard_PersistentKeepalive: 0
-
-# WireGuard network configuration
 wireguard_network_ipv4: 10.49.0.0/16
 wireguard_network_ipv6: 2001:db8:a160::/48
 
+# Keep NAT connections alive (0 = disabled)
+wireguard_PersistentKeepalive: 0
+
+### Experimental Performance Options ###
+# These are experimental and may cause issues. Enable at your own risk.
+# performance_skip_optional_reboots: false  # Skip non-kernel reboots
+# performance_parallel_crypto: false        # Parallel key generation
+# performance_parallel_packages: false      # Batch package installation
+# performance_preinstall_packages: false    # Pre-install via cloud-init
+# performance_parallel_services: false      # Configure VPN services in parallel
+
 # Randomly generated IP address for the local dns resolver
 local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 
-# Hide sensitive data
+# Hide sensitive data in Ansible output during deployment (passwords, keys, etc.)
+# This is NOT related to privacy/logging on the VPN server itself
 algo_no_log: true
 
 congrats:
@@ -280,11 +172,11 @@ cloud_providers:
     image: Ubuntu 22.04 Jammy Jellyfish
     arch: x86_64
   hetzner:
-    server_type: cpx11 
+    server_type: cpx11
     image: ubuntu-22.04
   openstack:
     flavor_ram: ">=512"
-    image:  Ubuntu-22.04
+    image: Ubuntu-22.04
   cloudstack:
     size: Micro
     image: Linux Ubuntu 22.04 LTS 64-bit

roles/common/tasks/ubuntu.yml

@@ -123,6 +123,7 @@
       - apparmor-utils
       - uuid-runtime
       - coreutils
+      - iptables
       - iptables-persistent
       - cgroup-tools
       - openssl
@@ -180,10 +181,6 @@
       with_items:
         - iptables
         - ip6tables
-        - iptables-save
-        - iptables-restore
-        - ip6tables-save
-        - ip6tables-restore
   when:
     - ansible_distribution == "Ubuntu"
     - ansible_distribution_version is version('22.04', '>=')