Merge branch 'trailofbits:master' into patch-1

2025-08-02 19:03:04 +02:00 · 2022-03-29 17:54:26 +03:00 · 2022-03-29 17:54:26 +03:00 · 72cd9e4940
commit 72cd9e4940
parent f6fc9357b2 c0968a8fdb
56 changed files with 713 additions and 1263 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -1,3 +1,6 @@
 skip_list:
  - '204'
 verbosity: 1
 warn_list:
  - no-changed-when
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -4,12 +4,13 @@ on: [push, pull_request]
 jobs:
  lint:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2.2.2
+      - uses: actions/setup-python@v2.3.2
        with:
-          python-version: '3.7'
+          python-version: '3.9'
          cache: 'pip'
      - name: Install dependencies
        run: |
@ -26,43 +27,35 @@ jobs:
          ansible-lint -x experimental,package-latest,unnamed-task -v *.yml roles/{local,cloud-*}/*/*.yml
  scripted-deploy:
-    runs-on: ubuntu-16.04
+    runs-on: ubuntu-20.04
    strategy:
      matrix:
-        UBUNTU_VERSION: ["18.04", "20.04"]
+        UBUNTU_VERSION: ["20.04"]
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2.2.2
+      - uses: actions/setup-python@v2.3.2
        with:
-          python-version: '3.7'
+          python-version: '3.9'
          cache: 'pip'
      - name: Install dependencies
        run: |
          sudo apt update -y
          sudo apt install -y \
            python3-pip \
            lxd \
            expect-dev \
            debootstrap \
            tree \
            bridge-utils \
            dnsutils \
            build-essential \
            libssl-dev \
            libffi-dev \
            python3-dev \
            linux-headers-$(uname -r) \
            wireguard \
            libxml2-utils \
            crudini \
            fping \
            strongswan \
            libstrongswan-standard-plugins \
-            resolvconf
+            openresolv
          python3 -m pip install --upgrade pip
          python3 -m pip install -r requirements.txt
          sudo snap refresh lxd
          sudo lxd init --auto
      - name: Provision
        env:
          DEPLOY: cloud-init
@ -93,46 +86,37 @@ jobs:
          sudo -E bash -x ./tests/wireguard-client.sh
          sudo env "PATH=$PATH" ./tests/ipsec-client.sh
-  local-deploy:
+  docker-deploy:
-    runs-on: ubuntu-16.04
+    runs-on: ubuntu-20.04
    strategy:
      matrix:
-        UBUNTU_VERSION: ["18.04", "20.04"]
+        UBUNTU_VERSION: ["20.04"]
    steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2.2.2
+      - uses: actions/setup-python@v2.3.2
        with:
-          python-version: '3.7'
+          python-version: '3.9'
          cache: 'pip'
      - name: Install dependencies
        run: |
          set -x
          sudo add-apt-repository -yu ppa:ubuntu-lxc/stable
          sudo apt update -y
          sudo apt install -y \
            python3-pip \
            lxd \
            expect-dev \
            debootstrap \
            tree \
            bridge-utils \
            dnsutils \
            build-essential \
            libssl-dev \
            libffi-dev \
            python3-dev \
            linux-headers-$(uname -r) \
            wireguard \
            libxml2-utils \
            crudini \
            fping \
            strongswan \
            libstrongswan-standard-plugins \
-            resolvconf
+            openresolv
          python3 -m pip install --upgrade pip
          python3 -m pip install -r requirements.txt
          sudo snap refresh lxd
          sudo lxd init --auto
      - name: Provision
        env:
          DEPLOY: docker
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@ inventory_users
 .DS_Store
 venvs/*
 !venvs/.gitinit
 .vagrant
--- a/README.md
+++ b/README.md
@ -35,11 +35,14 @@ The easiest way to get an Algo server running is to run it on your local system
    - Download the [ZIP file](https://github.com/trailofbits/algo/archive/master.zip). Unzip the file to create a directory named `algo-master` containing the Algo scripts.
-    - Run the command `git clone https://github.com/trailofbits/algo.git` to create a directory named `algo` containing the Algo scripts.
+    - Use `git clone` to create a directory named `algo` containing the Algo scripts:
        ```bash
        git clone https://github.com/trailofbits/algo.git
        ```
-3. **Install Algo's core dependencies.** Algo requires that **Python 3.6 or later** and at least one supporting package are installed on your system.
+3. **Install Algo's core dependencies.** Algo requires that **Python 3.8 or later** and at least one supporting package are installed on your system.
-    - **macOS:** Catalina includes Python 3 as part of the optional Command Line Developer Tools package. From Terminal run:
+    - **macOS:** Catalina (10.15) and higher includes Python 3 as part of the optional Command Line Developer Tools package. From Terminal run:
        ```bash
        python3 -m pip install --user --upgrade virtualenv
@ -47,7 +50,7 @@ The easiest way to get an Algo server running is to run it on your local system
        If prompted, install the Command Line Developer Tools and re-run the above command.
-        See [Deploy from macOS](docs/deploy-from-macos.md) for information on installing Python 3 on macOS versions prior to Catalina.
+        For macOS versions prior to Catalina, see [Deploy from macOS](docs/deploy-from-macos.md) for information on installing Python 3 .
    - **Linux:** Recent releases of Ubuntu, Debian, and Fedora come with Python 3 already installed. Make sure your system is up-to-date and install the supporting package(s):
        * Ubuntu and Debian:
@ -55,17 +58,13 @@ The easiest way to get an Algo server running is to run it on your local system
            sudo apt install -y --no-install-recommends python3-virtualenv
            ```
            On a Raspberry Pi running Ubuntu also install `libffi-dev` and `libssl-dev`.
        * Fedora:
            ```bash
            sudo dnf install -y python3-virtualenv
            ```
        * Red Hat and CentOS 7 and later (for earlier versions see this [documentation](docs/deploy-from-redhat-centos6.md)):
            ```bash
            sudo yum -y install epel-release
            sudo yum -y install python36-virtualenv
            ```
-    - **Windows:** Use the Windows Subsystem for Linux (WSL) to create your own copy of Ubuntu running under Windows from which to install and run Algo. See the [Windows documentation](docs/deploy-from-windows.md).
+    - **Windows:** Use the Windows Subsystem for Linux (WSL) to create your own copy of Ubuntu running under Windows from which to install and run Algo. See the [Windows documentation](docs/deploy-from-windows.md) for more information.
 4. **Install Algo's remaining dependencies.** You'll need to run these commands from the Algo directory each time you download a new copy of Algo. In a Terminal window `cd` into the `algo-master` (ZIP file) or `algo` (`git clone`) directory and run:
    ```bash
@ -74,11 +73,11 @@ The easiest way to get an Algo server running is to run it on your local system
      python3 -m pip install -U pip virtualenv &&
      python3 -m pip install -r requirements.txt
    ```
-    On Fedora add the option `--system-site-packages` to the first command above. On macOS install the C compiler if prompted.
+    On Fedora first run `export TMPDIR=/var/tmp`, then add the option `--system-site-packages` to the first command above (after `python3 -m virtualenv`). On macOS install the C compiler if prompted.
-5. **Set your configuration options.** Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. Create a unique user for each device you plan to connect to your VPN. If you want to be able to add or delete users later, you **must** select `yes` at the `Do you want to retain the keys (PKI)?` prompt during the deployment. You should also review the other options before deployment, as changing your mind about them later [may require you to deploy a brand new server](https://github.com/trailofbits/algo/blob/master/docs/faq.md#i-deployed-an-algo-server-can-you-update-it-with-new-features).
+5. **Set your configuration options.** Open the file `config.cfg` in your favorite text editor. Specify the users you wish to create in the `users` list. Create a unique user for each device you plan to connect to your VPN. If you want to add or delete users later, you **must** select `yes` at the `Do you want to retain the keys (PKI)?` prompt during the server deployment. You should also review the other options before deployment, as changing your mind about them later [may require you to deploy a brand new server](https://github.com/trailofbits/algo/blob/master/docs/faq.md#i-deployed-an-algo-server-can-you-update-it-with-new-features).
-6. **Start the deployment.** Return to your terminal. In the Algo directory, run `./algo` and follow the instructions. There are several optional features available. None are required for a fully functional VPN server. These optional features are described in greater detail in [here](docs/deploy-from-ansible.md).
+6. **Start the deployment.** Return to your terminal. In the Algo directory, run `./algo` and follow the instructions. There are several optional features available, none of which are required for a fully functional VPN server. These optional features are described in greater detail in [here](docs/deploy-from-ansible.md).
 That's it! You will get the message below when the server deployment process completes. Take note of the p12 (user certificate) password and the CA key in case you need them later, **they will only be displayed this time**.
@ -132,6 +131,10 @@ WireGuard works great with Linux clients. See [this page](docs/client-linux-wire
 Please see [this page](docs/client-linux-ipsec.md).
 ### OpenWrt Wireguard Clients
 Please see [this page](docs/client-openwrt-router-wireguard.md).
 ### Other Devices
 Depending on the platform, you may need one or multiple of the following files.
--- a/36
+++ b/36
@ -0,0 +1,36 @@
 Vagrant.configure("2") do |config| 
  config.vm.box = "bento/ubuntu-20.04" 
  config.vm.provider "virtualbox" do |v| 
    v.name = "algo-20.04"
    v.memory = "512" 
    v.cpus = "1" 
  end
  config.vm.synced_folder "./", "/opt/algo", create: true
  config.vm.provision "ansible_local" do |ansible|
    ansible.playbook = "/opt/algo/main.yml"
    # https://github.com/hashicorp/vagrant/issues/12204
    ansible.pip_install_cmd = "sudo apt-get install -y python3-pip python-is-python3 && sudo ln -s -f /usr/bin/pip3 /usr/bin/pip"
    ansible.install_mode = "pip_args_only"
    ansible.pip_args = "-r /opt/algo/requirements.txt"
    ansible.inventory_path = "/opt/algo/inventory"
    ansible.limit = "local"
    ansible.verbose = "-vvvv"
    ansible.extra_vars = {
      provider: "local",
      server: "localhost",
      ssh_user: "",
      endpoint: "127.0.0.1",
      ondemand_cellular: true,
      ondemand_wifi: false,
      dns_adblocking: true,
      ssh_tunneling: true,
      store_pki: true,
      tests: true,
      no_log: false
    }
  end
 end
--- a/config.cfg
+++ b/config.cfg
@ -88,9 +88,15 @@ dnscrypt_servers:
  ipv4:
    - cloudflare
 #   - google
 #   - <YourCustomServer>  # E.g., if using NextDNS, this will be something like NextDNS-abc123.
                          # You must also fill in custom_server_stamps below. You may specify
                          # multiple custom servers.
  ipv6:
    - cloudflare-ipv6
 custom_server_stamps:
 # YourCustomServer: 'sdns://...'
 # DNS servers which will be used if 'dns_encryption' is 'false'.
 # Fallback resolvers for systemd-resolved
 # The default is to use Cloudflare.
@ -176,9 +182,13 @@ cloud_providers:
    size: t2.micro
    image:
      name: "ubuntu-focal-20.04"
      arch: x86_64
      owner: "099720109477"
    # Change instance_market_type from "on-demand" to "spot" to launch a spot
    # instance. See deploy-from-ansible.md for spot's additional IAM permission
    instance_market_type: on-demand
  gce:
-    size: f1-micro
+    size: e2-micro
    image: ubuntu-2004-lts
    external_static_ip: false
  lightsail:
@ -193,7 +203,7 @@ cloud_providers:
    image: ubuntu-20.04
  openstack:
    flavor_ram: ">=512"
-    image:  Ubuntu-18.04
+    image:  Ubuntu-20.04
  cloudstack:
    size: Micro
    image: Linux Ubuntu 20.04 LTS 64-bit
--- a/docs/client-openwrt-router-wireguard.md
+++ b/docs/client-openwrt-router-wireguard.md
@ -0,0 +1,88 @@
 # Using Router wıth OpenWRT as a Client with WireGuard
 This scenario is useful in case you want to use vpn with devices which has no vpn capability like smart tv, or make vpn connection available via router for multiple devices.
 This is a tested, working scenario with following environment: 
 - algo installed ubuntu at digitalocean
 - client side router "TP-Link TL-WR1043ND" with openwrt ver. 21.02.1. [Openwrt Install instructions](https://openwrt.org/toh/tp-link/tl-wr1043nd)
 - or client side router "TP-Link Archer C20i AC750" with openwrt ver. 21.02.1. [Openwrt install instructions](https://openwrt.org/toh/tp-link/archer_c20i)
 see compatible device list at https://openwrt.org/toh/start . Theoretically any of the device on list should work
 ## Router setup
 Make sure that you have 
 - router with openwrt installed, 
 - router is connected to internet, 
 - router and device in front of router does not have same ip . By default openwrt have 192.168.1.1 if so change it to something like 192.168.2.1 
 ### Install required packages(WebUI)
 - Open router web UI (mostly http://192.168.1.1 )
 - Login. (by default username: root, password:<empt
 - System -> Software, click "Update lists"
 - Install following packages wireguard-tools, kmod-wireguard, luci-app-wireguard, wireguard, kmod-crypto-sha256, kmod-crypto-sha1, kmod-crypto-md5
 - restart router
 ### Aluternative Install required packages(ssh)
 - Open router web UI (mostly http://192.168.1.1 )
 - ssh root@192.168.1.1
 - opkg update
 - opkg install wireguard-tools, kmod-wireguard, luci-app-wireguard, wireguard, kmod-crypto-sha256, kmod-crypto-sha1, kmod-crypto-md5
 - reboot
 ### Create an Interface(WebUI)
 - Open router web UI 
 - Navigate Network -> Interface
 - Click "Add new interface"
 - Give a Name. e.g. `AlgoVpn`
 - Select Protocol. `Wireguard VPN` 
 - click `Create Interface`
 - In *General Settings* tab
 - `Bring up on boot` *checked*
 - Private key: `Interface -> Private Key` from algo config file
 - Ip Address: `Interface -> Address` from algo config file
 - In *Peers* tab
 - Click add
 - Name `algo`
 - Public key: `[Peer]->PublicKey` from algo config file
 - Preshared key: `[Peer]->PresharedKey` from algo config file
 - Allowed IPs: 0.0.0.0/0
 - Route Allowed IPs: checked
 - Endpoint Host: `[Peer]->Endpoint` ip from algo config file
 - Endpoint Port: `[Peer]->Endpoint` port from algo config file
 - Persistent Keep Alive: `25`
 - Click Save & Save Apply
 ### Configure Firewall(WebUI)
 - Open router web UI 
 - Navigate to Network -> Firewall
 - Click `Add configuration`:
 - Name: e.g. ivpn_fw
 - Input: Reject
 - Output: Accept
 - Forward: Reject
 - Masquerading: Checked
 - MSS clamping: Checked
 - Covered networks: Select created VPN interface
 - Allow forward to destination zones - Unspecified
 - Allow forward from source zones - lan
 - Click Save & Save Apply
 - Reboot router
 There may be additional configuration required depending on environment like dns configuration.
 You can also verify the configuration using ssh. /etc/config/network. It should look like 
 ```
 config interface 'algo'                 
    option proto 'wireguard'                                                                                             
    list addresses '10.0.0.2/32'         
    option private_key '......'  # The private key generated by itself just now        
 config wireguard_wg0
    option public_key '......' # Server's public key
    option route_allowed_ips '1'
    list allowed_ips '0.0.0.0/0'
    option endpoint_host '......' # Server's public ip address
    option endpoint_port '51820'
    option persistent_keepalive '25'
 ```
--- a/docs/cloud-amazon-ec2.md
+++ b/docs/cloud-amazon-ec2.md
@ -12,6 +12,8 @@ The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tie
 As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance  usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits.
 Addtional configurations are documented in the [EC2 section of the deploy from ansible guide](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#amazon-ec2)
 ### Create an AWS permissions policy
 In the AWS console, find the policies menu: click Services > IAM > Policies. Click Create Policy.
@ -48,22 +50,27 @@ On the final screen, click the Download CSV button. This file includes the AWS a
 After you have downloaded Algo and installed its dependencies, the next step is running Algo to provision the VPN server  on your AWS account.
-First you will be asked which server type to setup. You would want to enter "2" to use Amazon EC2.
+First you will be asked which server type to setup. You would want to enter "3" to use Amazon EC2.
 ```
 $ ./algo
  What provider would you like to use?
    1. DigitalOcean
-    2. Amazon EC2
+    2. Amazon Lightsail
-    3. Microsoft Azure
+    3. Amazon EC2
-    4. Google Compute Engine
+    4. Microsoft Azure
-    5. Scaleway
+    5. Google Compute Engine
-    6. OpenStack (DreamCompute optimised)
+    6. Hetzner Cloud
-    7. Install to existing Ubuntu 16.04 server (Advanced)
+    7. Vultr
    8. Scaleway
    9. OpenStack (DreamCompute optimised)
    10. CloudStack (Exoscale optimised)
    11. Linode
    12. Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
 Enter the number of your desired provider
-: 2
+: 3
 ```
 Next you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Key (Secret Access Key) that you received in  the CSV file when you setup the account (don't worry if you don't see your text entered in the console; the key input is  hidden here by Algo).
--- a/docs/cloud-cloudstack.md
+++ b/docs/cloud-cloudstack.md
@ -1,20 +1,11 @@
 ### Configuration file
-You need to create a configuration file in INI format with your api key in `$HOME/.cloudstack.ini`
+Algo scripts will ask you for the API detail. You need to fetch the API credentials and the endpoint from the provider cocntrol panel.
-```
+Example for Exoscale (European cloud provider exposing CloudStack API), visit https://portal.exoscale.com/u/<your@account>/account/profile/api to gather the required information: CloudStack api key and secret.
 [cloudstack]
 endpoint = <endpoint>
 key = <your api key>
 secret = <your secret>
 timeout = 30
 ```
-Example for Exoscale (European cloud provider exposing CloudStack API), visit https://portal.exoscale.com/u/<your@account>/account/profile/api to gather the required information:  
+```bash
-```
+export CLOUDSTACK_KEY="<your api key>"
-[exoscale]
+export CLOUDSTACK_SECRET="<your secret>"
-endpoint = https://api.exoscale.com/compute
+export CLOUDSTACK_ENDPOINT="https://api.exoscale.com/compute"
 key = <your api key>
 secret = <your secret>
 timeout = 30
 ```
--- a/docs/cloud-linode.md
+++ b/docs/cloud-linode.md
@ -4,5 +4,6 @@ Sign into the Linode Manager and go to the
 [tokens management page](https://cloud.linode.com/profile/tokens).
 Click `Add a Personal Access Token`. Label your new token and select *at least* the
-`Linodes` read/write permission. Press `Submit` and make sure to copy the displayed token
+`Linodes` read/write permission and `StackScripts` read/write permission. 
 Press `Submit` and make sure to copy the displayed token
 as it won't be shown again.
--- a/docs/deploy-from-ansible.md
+++ b/docs/deploy-from-ansible.md
@ -110,7 +110,21 @@ Possible options can be gathered via cli `aws ec2 describe-regions`
 Additional variables:
- [encrypted](https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/) - Encrypted EBS boot volume. Boolean (Default: false)
+- [encrypted](https://aws.amazon.com/blogs/aws/new-encrypted-ebs-boot-volumes/) - Encrypted EBS boot volume. Boolean (Default: true)
 - [size](https://aws.amazon.com/ec2/instance-types/) - EC2 instance type. String (Default: t2.micro)
 - [image](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-images.html) - AMI `describe-images` search parameters to find the OS for the hosted image. Each OS and architecture has a unique AMI-ID. The OS owner, for example [Ubuntu](https://cloud-images.ubuntu.com/locator/ec2/), updates these images often. If parameters below result in multiple results, the most recent AMI-ID is chosen
   ```
   # Example of equivalent cli comand
   aws ec2 describe-images --owners "099720109477" --filters "Name=architecture,Values=arm64" "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-focal-20.04*"
   ```
  - [owners] - The operating system owner id. Default is [Canonical](https://help.ubuntu.com/community/EC2StartersGuide#Official_Ubuntu_Cloud_Guest_Amazon_Machine_Images_.28AMIs.29) (Default: 099720109477)
  - [arch] - The architecture (Default: x86_64, Optional: arm64)
  - [name] - The wildcard string to filter available ami names. Algo appends this name with the string "-\*64-server-\*", and prepends with "ubuntu/images/hvm-ssd/" (Default: ubuntu-focal-20.04)
 - [instance_market_type](https://aws.amazon.com/ec2/pricing/) - Two pricing models are supported: on-demand and spot. String (Default: on-demand)
  * If using spot instance types, one additional IAM permission along with the below minimum is required for deployment:
    ```
      "ec2:CreateLaunchTemplate"
    ```
 #### Minimum required IAM permissions for deployment:
@ -156,9 +170,12 @@ Additional variables:
                "ec2:CreateVpc",
                "ec2:DescribeInternetGateways",
                "ec2:ModifyVpcAttribute",
-                "ec2:createTags",
+                "ec2:CreateTags",
                "ec2:CreateSubnet",
-                "ec2:Associate*",
+                "ec2:AssociateVpcCidrBlock",
                "ec2:AssociateSubnetCidrBlock",
                "ec2:AssociateRouteTable",
                "ec2:AssociateAddress",
                "ec2:CreateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:DescribeRouteTables",
@ -228,7 +245,25 @@ Possible options can be gathered via cli `aws lightsail get-regions`
                "lightsail:GetRegions",
                "lightsail:GetInstance",
                "lightsail:CreateInstances",
-                "lightsail:OpenInstancePublicPorts"
+                "lightsail:DisableAddOn",
                "lightsail:PutInstancePublicPorts",
                "lightsail:StartInstance",
                "lightsail:GetStaticIp",
                "lightsail:AllocateStaticIp",
                "lightsail:AttachStaticIp"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DeployCloudFormationStack",
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DescribeStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:ListStackResources"
            ],
            "Resource": [
                "*"
--- a/docs/deploy-from-cloudshell.md
+++ b/docs/deploy-from-cloudshell.md
@ -1,4 +1,5 @@
 # Deploy from Google Cloud Shell
 **IMPORTANT NOTE: As of 2021-12-14 Algo requires Python 3.8, but Google Cloud Shell only provides Python 3.7.3. The instructions below will not work until Google updates Cloud Shell to have at least Python 3.8.**
 If you want to try Algo but don't wish to install the software on your own system you can use the **free** [Google Cloud Shell](https://cloud.google.com/shell/) to deploy a VPN to any supported cloud provider. Note that you cannot choose `Install to existing Ubuntu server` to turn Google Cloud Shell into your VPN server.
--- a/docs/deploy-from-redhat-centos6.md
+++ b/docs/deploy-from-redhat-centos6.md
@ -1,97 +0,0 @@
 # RedHat/CentOS 6.x pre-installation requirements
 Many people prefer RedHat or CentOS 6 (or similar variants like Amazon Linux) for to their stability and lack of systemd. Unfortunately, there are a number of dated libraries, notably Python 2.6, that prevent Algo from running without errors. This script will prepare a RedHat, CentOS, or similar VM to deploy to Algo cloud instances.
 ## Step 1: Prep for RH/CentOS 6.8/Amazon
 ```shell
 yum -y update
 yum -y install epel-release
 ```
 Enable any kernel updates:
 ```shell
 reboot
 ```
 ## Step 2: Install Ansible and launch Algo
 RedHat/CentOS 6.x uses Python 2.6 by default, which is explicitly deprecated and produces many warnings and errors, so we must install a safe, non-invasive 3.6 tool set which has to be expressly enabled (and will not survive login sessions and reboots):
 - Install the Software Collections Library (to enable Python 3.6)  
 ```shell
 yum -y install centos-release-SCL
 yum -y install \
  openssl-devel \
  libffi-devel \
  automake \
  gcc \
  gcc-c++ \
  kernel-devel \
  rh-python36-python \
  rh-python36-python-devel \
  rh-python36-python-setuptools \
  rh-python36-python-pip \
  rh-python36-python-virtualenv \
  rh-python36-python-crypto \
  rh-python36-PyYAML \
  libselinux-python \
  python-crypto \
  wget \
  unzip \
  nano
 ```
 - 3.6 will not be used until explicitly enabled, per login session. Enable 3.6 default for this session (needs re-run between logins & reboots)  
 ```
 scl enable rh-python36 bash
 ```
 - We're now defaulted to 3.6. Upgrade required components  
 ```
 python3 -m pip install -U pip virtualenv pycrypto setuptools
 ```
 - Download and uzip Algo  
 ```
 wget https://github.com/trailofbits/algo/archive/master.zip
 unzip master.zip
 cd algo-master || echo "No Algo directory found"
 ```
 - Set up a virtualenv and install the local Algo dependencies (must be run from algo-master)  
 ```
 python3 -m virtualenv --python="$(command -v python3)" .env
 source .env/bin/activate
 python3 -m pip install -U pip virtualenv
 python3 -m pip install -r requirements.txt
 ```
 - Edit the userlist and any other settings you desire  
 ```
 nano config.cfg
 ```
 - Now you can run the Algo installer!  
 ```
 ./algo
 ```
 ## Post-install macOS
 1. Copy `./configs/*mobileconfig` to your local Mac
 2. Install the VPN profile on your Mac (10.10+ required)
    ```shell
    /usr/bin/profiles -I -F ./x.x.x.x_NAME.mobileconfig
    ```
 3. To remove:
    ```shell
    /usr/bin/profiles -D -F ./x.x.x.x_NAME.mobileconfig
    ```
 The VPN connection will now appear under Networks (which can be pinned to the top menu bar if preferred)
--- a/docs/deploy-from-windows.md
+++ b/docs/deploy-from-windows.md
@ -21,7 +21,7 @@ Wait a minute for Windows to install a few things in the background (it will eve
 2. Click on 'Turn Windows features on or off'
 3. Scroll down and check 'Windows Subsystem for Linux', and then click OK.
 4. The subsystem will be installed, then Windows will require a restart.
-5. Restart Windows and then [install Ubuntu 18.04 LTS from the Windows Store](https://www.microsoft.com/p/ubuntu-1804-lts/9n9tngvndl3q) (at this time Ubuntu 20.04 LTS does not work with Algo when running under WSL).
+5. Restart Windows and then install [Ubuntu 20.04 LTS from the Windows Store](https://www.microsoft.com/p/ubuntu-2004-lts/9n6svws3rx71).
 6. Run Ubuntu from the Start menu. It will take a few minutes to install. It will have you create a separate user account for the Linux subsystem. Once that's done, you will finally have Ubuntu running somewhat integrated with Windows.
 ## Install Algo
--- a/docs/deploy-to-ubuntu.md
+++ b/docs/deploy-to-ubuntu.md
@ -1,5 +1,11 @@
 # Local Installation
 **PLEASE NOTE**: Algo is intended for use to create a _dedicated_ VPN server. No uninstallation option is provided. If you install Algo on an existing server any existing services might break. In particular, the firewall rules will be overwritten. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
 ------
 ## Outbound VPN Server
 You can use Algo to configure a pre-existing server as an AlgoVPN rather than using it to create and configure a new server on a supported cloud provider. This is referred to as a **local** installation rather than a **cloud** deployment. If you're new to Algo or unfamiliar with Linux you'll find a cloud deployment to be easier.
 To perform a local installation, install the Algo scripts following the normal installation instructions, then choose:
@ -8,11 +14,9 @@ Install to existing Ubuntu 18.04 or 20.04 server (for more advanced users)
 ```
 Make sure your target server is running an unmodified copy of the operating system version specified. The target can be the same system where you've installed the Algo scripts, or a remote system that you are able to access as root via SSH without needing to enter the SSH key passphrase (such as when using `ssh-agent`).
-# Road Warrior setup
+## Inbound VPN Server (also called "Road Warrior" setup)
 Some may find it useful to set up an Algo server on an Ubuntu box on your home LAN, with the intention of being able to securely access your LAN and any resources on it when you're traveling elsewhere (the ["road warrior" setup](https://en.wikipedia.org/wiki/Road_warrior_(computing))). A few tips if you're doing so:
 - Make sure you forward any [relevant incoming ports](/docs/firewalls.md#external-firewall) to the Algo server from your router;
 - Change `BetweenClients_DROP` in `config.cfg` to `false`, and also consider changing `block_smb` and `block_netbios` to `false`;
 - If you want to use a DNS server on your LAN to resolve local domain names properly (e.g. a Pi-hole), set the `dns_encryption` flag in `config.cfg` to `false`, and change `dns_servers` to the local DNS server IP (i.e. `192.168.1.2`).
 **PLEASE NOTE**: Algo is intended for use to create a _dedicated_ VPN server. No uninstallation option is provided. If you install Algo on an existing server any existing services might break. In particular, the firewall rules will be overwritten. See [AlgoVPN and Firewalls](/docs/firewalls.md) for more information.
--- a/docs/troubleshooting.md
+++ b/docs/troubleshooting.md
@ -42,7 +42,7 @@ Look here if you have a problem running the installer to set up a new Algo serve
 ### Python version is not supported
-The minimum Python version required to run Algo is 3.6. Most modern operation systems should have it by default, but if the OS you are using doesn't meet the requirements, you have to upgrade. See the official documentation for your OS, or manual download it from https://www.python.org/downloads/. Otherwise, you may [deploy from docker](deploy-from-docker.md)
+The minimum Python version required to run Algo is 3.8. Most modern operation systems should have it by default, but if the OS you are using doesn't meet the requirements, you have to upgrade. See the official documentation for your OS, or manual download it from https://www.python.org/downloads/. Otherwise, you may [deploy from docker](deploy-from-docker.md)
 ### Error: "You have not agreed to the Xcode license agreements"
--- a/files/cloud-init/base.sh
+++ b/files/cloud-init/base.sh
@ -19,6 +19,8 @@ EOF
 test -d /home/algo/.ssh || sudo -u algo mkdir -m 0700 /home/algo/.ssh
 echo "{{ lookup('file', '{{ SSH_keys.public }}') }}" | (sudo -u algo tee /home/algo/.ssh/authorized_keys && chmod 0600 /home/algo/.ssh/authorized_keys)
 ufw --force reset
 # shellcheck disable=SC2015
 dpkg -l sshguard && until apt-get remove -y --purge sshguard; do
  sleep 3
--- a/files/cloud-init/base.yml
+++ b/files/cloud-init/base.yml
@ -25,5 +25,6 @@ write_files:
 runcmd:
  - set -x
  - ufw --force reset
  - sudo apt-get remove -y --purge sshguard || true
  - systemctl restart sshd.service
--- a/install.sh
+++ b/install.sh
@ -22,16 +22,7 @@ installRequirements() {
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get install \
    software-properties-common \
    git \
    build-essential \
    libssl-dev \
    libffi-dev \
    python3-dev \
    python3-pip \
    python3-setuptools \
    python3-virtualenv \
    bind9-host \
    jq -y
 }
@ -50,7 +41,7 @@ publicIpFromInterface() {
  echo "Couldn't find a valid ipv4 address, using the first IP found on the interfaces as the endpoint."
  DEFAULT_INTERFACE="$(ip -4 route list match default | grep -Eo "dev .*" | awk '{print $2}')"
  ENDPOINT=$(ip -4 addr sh dev "$DEFAULT_INTERFACE" | grep -w inet | head -n1 | awk '{print $2}' | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b')
-  export ENDPOINT=$ENDPOINT
+  export ENDPOINT="${ENDPOINT}"
  echo "Using ${ENDPOINT} as the endpoint"
 }
@ -66,7 +57,7 @@ publicIpFromMetadata() {
  fi
  if echo "${ENDPOINT}" | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"; then
-    export ENDPOINT=$ENDPOINT
+    export ENDPOINT="${ENDPOINT}"
    echo "Using ${ENDPOINT} as the endpoint"
  else
    publicIpFromInterface
--- a/library/cloudstack_zones.py
+++ b/library/cloudstack_zones.py
@ -1,110 +0,0 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 #
 ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['preview'],
                    'supported_by': 'community'}
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.cloudstack import (
    AnsibleCloudStack,
    cs_argument_spec,
    cs_required_together,
 )
 DOCUMENTATION = '''
 ---
 module: cloudstack_zones
 short_description: List zones on Apache CloudStack based clouds.
 description:
    - List zones.
 version_added: '0.1'
 author: Julien Bachmann (@0xmilkmix)
 extends_documentation_fragment: cloudstack
 '''
 EXAMPLES = '''
 - name: List zones
  cloudstack_zones:
  register: _cs_zones
 '''
 RETURN = '''
 ---
 zone:
  description: List of zones.
  returned: success
  type: list
  sample:
     [
        {
        "allocationstate": "Enabled",
        "dhcpprovider": "VirtualRouter",
        "id": "<id>",
        "localstorageenabled": true,
        "name": "ch-gva-2",
        "networktype": "Basic",
        "securitygroupsenabled": true,
        "tags": [],
        "zonetoken": "token"
        },
        {
        "allocationstate": "Enabled",
        "dhcpprovider": "VirtualRouter",
        "id": "<id>",
        "localstorageenabled": true,
        "name": "ch-dk-2",
        "networktype": "Basic",
        "securitygroupsenabled": true,
        "tags": [],
        "zonetoken": "token"
        },
        {
        "allocationstate": "Enabled",
        "dhcpprovider": "VirtualRouter",
        "id": "<id>",
        "localstorageenabled": true,
        "name": "at-vie-1",
        "networktype": "Basic",
        "securitygroupsenabled": true,
        "tags": [],
        "zonetoken": "token"
        },
        {
        "allocationstate": "Enabled",
        "dhcpprovider": "VirtualRouter",
        "id": "<id>",
        "localstorageenabled": true,
        "name": "de-fra-1",
        "networktype": "Basic",
        "securitygroupsenabled": true,
        "tags": [],
        "zonetoken": "token"
        }
    ]
 '''
 class AnsibleCloudStackZones(AnsibleCloudStack):
    def __init__(self, module):
        super(AnsibleCloudStackZones, self).__init__(module)
        self.zones = None
    def get_zones(self):
        args = {}
        if not self.zones:
            zones = self.query_api('listZones', **args)
            if zones:
                self.zones = zones
        return self.zones
 def main():
    module = AnsibleModule(argument_spec={})
    acs_zones = AnsibleCloudStackZones(module)
    result = acs_zones.get_zones()
    module.exit_json(**result)
 if __name__ == '__main__':
    main()
--- a/library/lightsail.py
+++ b/library/lightsail.py
@ -1,551 +0,0 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-
 # Copyright: Ansible Project
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
 from __future__ import absolute_import, division, print_function
 __metaclass__ = type
 ANSIBLE_METADATA = {'metadata_version': '1.1',
                    'status': ['preview'],
                    'supported_by': 'community'}
 DOCUMENTATION = '''
 ---
 module: lightsail
 short_description: Create or delete a virtual machine instance in AWS Lightsail
 description:
     - Creates or instances in AWS Lightsail and optionally wait for it to be 'running'.
 version_added: "2.4"
 author: "Nick Ball (@nickball)"
 options:
  state:
    description:
      - Indicate desired state of the target.
    default: present
    choices: ['present', 'absent', 'running', 'restarted', 'stopped']
  name:
    description:
      - Name of the instance
    required: true
    default : null
  zone:
    description:
      - AWS availability zone in which to launch the instance. Required when state='present'
    required: false
    default: null
  blueprint_id:
    description:
      - ID of the instance blueprint image. Required when state='present'
    required: false
    default: null
  bundle_id:
    description:
      - Bundle of specification info for the instance. Required when state='present'
    required: false
    default: null
  user_data:
    description:
      - Launch script that can configure the instance with additional data
    required: false
    default: null
  key_pair_name:
    description:
      - Name of the key pair to use with the instance
    required: false
    default: null
  wait:
    description:
      - Wait for the instance to be in state 'running' before returning.  If wait is "no" an ip_address may not be returned
    default: "yes"
    choices: [ "yes", "no" ]
  wait_timeout:
    description:
      - How long before wait gives up, in seconds.
    default: 300
  open_ports:
    description:
      - Adds public ports to an Amazon Lightsail instance.
    default: null
    suboptions:
        from_port:
            description: Begin of the range
            required: true
            default: null
        to_port:
            description: End of the range
            required: true
            default: null
        protocol:
            description: Accepted traffic protocol.
            required: true
            choices:
              - udp
              - tcp
              - all
            default: null
 requirements:
  - "python >= 2.6"
  - boto3
 extends_documentation_fragment:
  - aws
  - ec2
 '''
 EXAMPLES = '''
 # Create a new Lightsail instance, register the instance details
 - lightsail:
    state: present
    name: myinstance
    region: us-east-1
    zone: us-east-1a
    blueprint_id: ubuntu_16_04
    bundle_id: nano_1_0
    key_pair_name: id_rsa
    user_data: " echo 'hello world' > /home/ubuntu/test.txt"
    wait_timeout: 500
    open_ports:
      - from_port: 4500
        to_port: 4500
        protocol: udp
      - from_port: 500
        to_port: 500
        protocol: udp
  register: my_instance
 - debug:
    msg: "Name is {{ my_instance.instance.name }}"
 - debug:
    msg: "IP is {{ my_instance.instance.publicIpAddress }}"
 # Delete an instance if present
 - lightsail:
    state: absent
    region: us-east-1
    name: myinstance
 '''
 RETURN = '''
 changed:
  description: if a snapshot has been modified/created
  returned: always
  type: bool
  sample:
    changed: true
 instance:
  description: instance data
  returned: always
  type: dict
  sample:
    arn: "arn:aws:lightsail:us-east-1:448830907657:Instance/1fef0175-d6c8-480e-84fa-214f969cda87"
    blueprint_id: "ubuntu_16_04"
    blueprint_name: "Ubuntu"
    bundle_id: "nano_1_0"
    created_at: "2017-03-27T08:38:59.714000-04:00"
    hardware:
      cpu_count: 1
      ram_size_in_gb: 0.5
    is_static_ip: false
    location:
      availability_zone: "us-east-1a"
      region_name: "us-east-1"
    name: "my_instance"
    networking:
      monthly_transfer:
        gb_per_month_allocated: 1024
      ports:
        - access_direction: "inbound"
          access_from: "Anywhere (0.0.0.0/0)"
          access_type: "public"
          common_name: ""
          from_port: 80
          protocol: tcp
          to_port: 80
        - access_direction: "inbound"
          access_from: "Anywhere (0.0.0.0/0)"
          access_type: "public"
          common_name: ""
          from_port: 22
          protocol: tcp
          to_port: 22
    private_ip_address: "172.26.8.14"
    public_ip_address: "34.207.152.202"
    resource_type: "Instance"
    ssh_key_name: "keypair"
    state:
      code: 16
      name: running
    support_code: "588307843083/i-0997c97831ee21e33"
    username: "ubuntu"
 '''
 import time
 import traceback
 try:
    import botocore
    HAS_BOTOCORE = True
 except ImportError:
    HAS_BOTOCORE = False
 try:
    import boto3
 except ImportError:
    # will be caught by imported HAS_BOTO3
    pass
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ec2 import (ec2_argument_spec, get_aws_connection_info, boto3_conn,
                                      HAS_BOTO3, camel_dict_to_snake_dict)
 def create_instance(module, client, instance_name):
    """
    Create an instance
    module: Ansible module object
    client: authenticated lightsail connection object
    instance_name: name of instance to delete
    Returns a dictionary of instance information
    about the new instance.
    """
    changed = False
    # Check if instance already exists
    inst = None
    try:
        inst = _find_instance_info(client, instance_name)
    except botocore.exceptions.ClientError as e:
        if e.response['Error']['Code'] != 'NotFoundException':
            module.fail_json(msg='Error finding instance {0}, error: {1}'.format(instance_name, e))
    zone = module.params.get('zone')
    blueprint_id = module.params.get('blueprint_id')
    bundle_id = module.params.get('bundle_id')
    user_data = module.params.get('user_data')
    user_data = '' if user_data is None else user_data
    wait = module.params.get('wait')
    wait_timeout = int(module.params.get('wait_timeout'))
    wait_max = time.time() + wait_timeout
    if module.params.get('key_pair_name'):
        key_pair_name = module.params.get('key_pair_name')
    else:
        key_pair_name = ''
    if module.params.get('open_ports'):
        open_ports = module.params.get('open_ports')
    else:
        open_ports = '[]'
    resp = None
    if inst is None:
        try:
            resp = client.create_instances(
                instanceNames=[
                    instance_name
                ],
                availabilityZone=zone,
                blueprintId=blueprint_id,
                bundleId=bundle_id,
                userData=user_data,
                keyPairName=key_pair_name,
            )
            resp = resp['operations'][0]
        except botocore.exceptions.ClientError as e:
            module.fail_json(msg='Unable to create instance {0}, error: {1}'.format(instance_name, e))
        inst = _find_instance_info(client, instance_name)
        # Wait for instance to become running
        if wait:
            while (wait_max > time.time()) and (inst is not None and inst['state']['name'] != "running"):
                try:
                    time.sleep(2)
                    inst = _find_instance_info(client, instance_name)
                except botocore.exceptions.ClientError as e:
                    if e.response['ResponseMetadata']['HTTPStatusCode'] == "403":
                        module.fail_json(msg="Failed to start/stop instance {0}. Check that you have permissions to perform the operation".format(instance_name),
                                         exception=traceback.format_exc())
                    elif e.response['Error']['Code'] == "RequestExpired":
                        module.fail_json(msg="RequestExpired: Failed to start instance {0}.".format(instance_name), exception=traceback.format_exc())
                    time.sleep(1)
        # Timed out
        if wait and not changed and wait_max <= time.time():
            module.fail_json(msg="Wait for instance start timeout at %s" % time.asctime())
        # Attempt to open ports
        if open_ports:
            if inst is not None:
                try:
                    for o in open_ports:
                        resp = client.open_instance_public_ports(
                            instanceName=instance_name,
                            portInfo={
                                'fromPort': o['from_port'],
                                'toPort':   o['to_port'],
                                'protocol': o['protocol']
                            }
                        )
                except botocore.exceptions.ClientError as e:
                    module.fail_json(msg='Error opening ports for instance {0}, error: {1}'.format(instance_name, e))
        changed = True
    return (changed, inst)
 def delete_instance(module, client, instance_name):
    """
    Terminates an instance
    module: Ansible module object
    client: authenticated lightsail connection object
    instance_name: name of instance to delete
    Returns a dictionary of instance information
    about the instance deleted (pre-deletion).
    If the instance to be deleted is running
    "changed" will be set to False.
    """
    # It looks like deleting removes the instance immediately, nothing to wait for
    wait = module.params.get('wait')
    wait_timeout = int(module.params.get('wait_timeout'))
    wait_max = time.time() + wait_timeout
    changed = False
    inst = None
    try:
        inst = _find_instance_info(client, instance_name)
    except botocore.exceptions.ClientError as e:
        if e.response['Error']['Code'] != 'NotFoundException':
            module.fail_json(msg='Error finding instance {0}, error: {1}'.format(instance_name, e))
    # Wait for instance to exit transition state before deleting
    if wait:
        while wait_max > time.time() and inst is not None and inst['state']['name'] in ('pending', 'stopping'):
            try:
                time.sleep(5)
                inst = _find_instance_info(client, instance_name)
            except botocore.exceptions.ClientError as e:
                if e.response['ResponseMetadata']['HTTPStatusCode'] == "403":
                    module.fail_json(msg="Failed to delete instance {0}. Check that you have permissions to perform the operation.".format(instance_name),
                                     exception=traceback.format_exc())
                elif e.response['Error']['Code'] == "RequestExpired":
                    module.fail_json(msg="RequestExpired: Failed to delete instance {0}.".format(instance_name), exception=traceback.format_exc())
                # sleep and retry
                time.sleep(10)
    # Attempt to delete
    if inst is not None:
        while not changed and ((wait and wait_max > time.time()) or (not wait)):
            try:
                client.delete_instance(instanceName=instance_name)
                changed = True
            except botocore.exceptions.ClientError as e:
                module.fail_json(msg='Error deleting instance {0}, error: {1}'.format(instance_name, e))
    # Timed out
    if wait and not changed and wait_max <= time.time():
        module.fail_json(msg="wait for instance delete timeout at %s" % time.asctime())
    return (changed, inst)
 def restart_instance(module, client, instance_name):
    """
    Reboot an existing instance
    module: Ansible module object
    client: authenticated lightsail connection object
    instance_name: name of instance to reboot
    Returns a dictionary of instance information
    about the restarted instance
    If the instance was not able to reboot,
    "changed" will be set to False.
    Wait will not apply here as this is an OS-level operation
    """
    wait = module.params.get('wait')
    wait_timeout = int(module.params.get('wait_timeout'))
    wait_max = time.time() + wait_timeout
    changed = False
    inst = None
    try:
        inst = _find_instance_info(client, instance_name)
    except botocore.exceptions.ClientError as e:
        if e.response['Error']['Code'] != 'NotFoundException':
            module.fail_json(msg='Error finding instance {0}, error: {1}'.format(instance_name, e))
    # Wait for instance to exit transition state before state change
    if wait:
        while wait_max > time.time() and inst is not None and inst['state']['name'] in ('pending', 'stopping'):
            try:
                time.sleep(5)
                inst = _find_instance_info(client, instance_name)
            except botocore.exceptions.ClientError as e:
                if e.response['ResponseMetadata']['HTTPStatusCode'] == "403":
                    module.fail_json(msg="Failed to restart instance {0}. Check that you have permissions to perform the operation.".format(instance_name),
                                     exception=traceback.format_exc())
                elif e.response['Error']['Code'] == "RequestExpired":
                    module.fail_json(msg="RequestExpired: Failed to restart instance {0}.".format(instance_name), exception=traceback.format_exc())
                time.sleep(3)
    # send reboot
    if inst is not None:
        try:
            client.reboot_instance(instanceName=instance_name)
        except botocore.exceptions.ClientError as e:
            if e.response['Error']['Code'] != 'NotFoundException':
                module.fail_json(msg='Unable to reboot instance {0}, error: {1}'.format(instance_name, e))
        changed = True
    return (changed, inst)
 def startstop_instance(module, client, instance_name, state):
    """
    Starts or stops an existing instance
    module: Ansible module object
    client: authenticated lightsail connection object
    instance_name: name of instance to start/stop
    state: Target state ("running" or "stopped")
    Returns a dictionary of instance information
    about the instance started/stopped
    If the instance was not able to state change,
    "changed" will be set to False.
    """
    wait = module.params.get('wait')
    wait_timeout = int(module.params.get('wait_timeout'))
    wait_max = time.time() + wait_timeout
    changed = False
    inst = None
    try:
        inst = _find_instance_info(client, instance_name)
    except botocore.exceptions.ClientError as e:
        if e.response['Error']['Code'] != 'NotFoundException':
            module.fail_json(msg='Error finding instance {0}, error: {1}'.format(instance_name, e))
    # Wait for instance to exit transition state before state change
    if wait:
        while wait_max > time.time() and inst is not None and inst['state']['name'] in ('pending', 'stopping'):
            try:
                time.sleep(5)
                inst = _find_instance_info(client, instance_name)
            except botocore.exceptions.ClientError as e:
                if e.response['ResponseMetadata']['HTTPStatusCode'] == "403":
                    module.fail_json(msg="Failed to start/stop instance {0}. Check that you have permissions to perform the operation".format(instance_name),
                                     exception=traceback.format_exc())
                elif e.response['Error']['Code'] == "RequestExpired":
                    module.fail_json(msg="RequestExpired: Failed to start/stop instance {0}.".format(instance_name), exception=traceback.format_exc())
                time.sleep(1)
    # Try state change
    if inst is not None and inst['state']['name'] != state:
        try:
            if state == 'running':
                client.start_instance(instanceName=instance_name)
            else:
                client.stop_instance(instanceName=instance_name)
        except botocore.exceptions.ClientError as e:
            module.fail_json(msg='Unable to change state for instance {0}, error: {1}'.format(instance_name, e))
        changed = True
        # Grab current instance info
        inst = _find_instance_info(client, instance_name)
    return (changed, inst)
 def core(module):
    region, ec2_url, aws_connect_kwargs = get_aws_connection_info(module, boto3=True)
    if not region:
        module.fail_json(msg='region must be specified')
    client = None
    try:
        client = boto3_conn(module, conn_type='client', resource='lightsail',
                            region=region, endpoint=ec2_url, **aws_connect_kwargs)
    except (botocore.exceptions.ClientError, botocore.exceptions.ValidationError) as e:
        module.fail_json(msg='Failed while connecting to the lightsail service: %s' % e, exception=traceback.format_exc())
    changed = False
    state = module.params['state']
    name = module.params['name']
    if state == 'absent':
        changed, instance_dict = delete_instance(module, client, name)
    elif state in ('running', 'stopped'):
        changed, instance_dict = startstop_instance(module, client, name, state)
    elif state == 'restarted':
        changed, instance_dict = restart_instance(module, client, name)
    elif state == 'present':
        changed, instance_dict = create_instance(module, client, name)
    module.exit_json(changed=changed, instance=camel_dict_to_snake_dict(instance_dict))
 def _find_instance_info(client, instance_name):
    ''' handle exceptions where this function is called '''
    inst = None
    try:
        inst = client.get_instance(instanceName=instance_name)
    except botocore.exceptions.ClientError as e:
        raise
    return inst['instance']
 def main():
    argument_spec = ec2_argument_spec()
    argument_spec.update(dict(
        name=dict(type='str', required=True),
        state=dict(type='str', default='present', choices=['present', 'absent', 'stopped', 'running', 'restarted']),
        zone=dict(type='str'),
        blueprint_id=dict(type='str'),
        bundle_id=dict(type='str'),
        key_pair_name=dict(type='str'),
        user_data=dict(type='str'),
        wait=dict(type='bool', default=True),
        wait_timeout=dict(default=300),
        open_ports=dict(type='list')
    ))
    module = AnsibleModule(argument_spec=argument_spec)
    if not HAS_BOTO3:
        module.fail_json(msg='Python module "boto3" is missing, please install it')
    if not HAS_BOTOCORE:
        module.fail_json(msg='Python module "botocore" is missing, please install it')
    try:
        core(module)
    except (botocore.exceptions.ClientError, Exception) as e:
        module.fail_json(msg=str(e), exception=traceback.format_exc())
 if __name__ == '__main__':
    main()
--- a/main.yml
+++ b/main.yml
@ -9,7 +9,7 @@
    - name: Ensure Ansible is not being run in a world writable directory
      assert:
-        that: _playbook_dir.stat.mode|int <= 0775
+        that: _playbook_dir.stat.mode|int <= 775
        msg: >
          Ansible is being run in a world writable directory ({{ playbook_dir }}), ignoring it as an ansible.cfg source.
          For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
@ -24,17 +24,17 @@
    - name: Set required ansible version as a fact
      set_fact:
        required_ansible_version:
-          "{{ item |  regex_replace('^ansible[\\s+]?(?P<op>[=,>,<]+)[\\s+]?(?P<ver>\\d.\\d+(.\\d+)?)$',
+          "{{ item |  regex_replace('^ansible-core[\\s+]?(?P<op>[=,>,<]+)[\\s+]?(?P<ver>\\d.\\d+(.\\d+)?)$',
                      '{\"op\": \"\\g<op>\",\"ver\": \"\\g<ver>\" }') }}"
-      when: '"ansible" in item'
+      when: '"ansible-core" in item'
      with_items: "{{ lookup('file', 'requirements.txt').splitlines() }}"
    - name: Verify Python meets Algo VPN requirements
      assert:
-        that: (ansible_python.version.major|string + '.' + ansible_python.version.minor|string)|float is version('3.6', '>=')
+        that: (ansible_python.version.major|string + '.' + ansible_python.version.minor|string) is version('3.8', '>=')
        msg: >
          Python version is not supported.
-          You must upgrade to at least Python 3.6 to use this version of Algo.
+          You must upgrade to at least Python 3.8 to use this version of Algo.
          See for more details - https://trailofbits.github.io/algo/troubleshooting.html#python-version-is-not-supported
    - name: Verify Ansible meets Algo VPN requirements
--- a/playbooks/cloud-pre.yml
+++ b/playbooks/cloud-pre.yml
@ -13,7 +13,7 @@
        'algo_ssh_tunneling "{{ algo_ssh_tunneling }}"' \
        'wireguard_enabled "{{ wireguard_enabled }}"' \
        'dns_encryption "{{ dns_encryption }}"' \
-        > /dev/tty
+        > /dev/tty || true
    tags: debug
  - name: Install the requirements
--- a/requirements.txt
+++ b/requirements.txt
@ -1,3 +1,4 @@
-ansible==2.9.20
+ansible-core==2.12.3
-jinja2==2.8
+ansible==5.0.1
 jinja2~=3.0.3
 netaddr
--- a/roles/client/handlers/main.yml
+++ b/roles/client/handlers/main.yml
@ -1,3 +1,3 @@
 ---
 - name: restart strongswan
-  service: name=strongswan state=restarted
+  service: name={{ strongswan_service }} state=restarted
--- a/roles/cloud-azure/defaults/main.yml
+++ b/roles/cloud-azure/defaults/main.yml
@ -1,242 +1,211 @@
 ---
-_azure_regions: >
+# az account list-locations --query 'sort_by([].{name:name,displayName:displayName,regionalDisplayName:regionalDisplayName}, &name)' -o yaml
-  [
+azure_regions:
-    {
+  - displayName: Asia
-      "displayName": "East Asia",
+    name: asia
-      "latitude": "22.267",
+    regionalDisplayName: Asia
-      "longitude": "114.188",
+  - displayName: Asia Pacific
-      "name": "eastasia",
+    name: asiapacific
-      "subscriptionId": null
+    regionalDisplayName: Asia Pacific
-    },
+  - displayName: Australia
-    {
+    name: australia
-      "displayName": "Southeast Asia",
+    regionalDisplayName: Australia
-      "latitude": "1.283",
+  - displayName: Australia Central
-      "longitude": "103.833",
+    name: australiacentral
-      "name": "southeastasia",
+    regionalDisplayName: (Asia Pacific) Australia Central
-      "subscriptionId": null
+  - displayName: Australia Central 2
-    },
+    name: australiacentral2
-    {
+    regionalDisplayName: (Asia Pacific) Australia Central 2
-      "displayName": "Central US",
+  - displayName: Australia East
-      "latitude": "41.5908",
+    name: australiaeast
-      "longitude": "-93.6208",
+    regionalDisplayName: (Asia Pacific) Australia East
-      "name": "centralus",
+  - displayName: Australia Southeast
-      "subscriptionId": null
+    name: australiasoutheast
-    },
+    regionalDisplayName: (Asia Pacific) Australia Southeast
-    {
+  - displayName: Brazil
-      "displayName": "East US",
+    name: brazil
-      "latitude": "37.3719",
+    regionalDisplayName: Brazil
-      "longitude": "-79.8164",
+  - displayName: Brazil South
-      "name": "eastus",
+    name: brazilsouth
-      "subscriptionId": null
+    regionalDisplayName: (South America) Brazil South
-    },
+  - displayName: Brazil Southeast
-    {
+    name: brazilsoutheast
-      "displayName": "East US 2",
+    regionalDisplayName: (South America) Brazil Southeast
-      "latitude": "36.6681",
+  - displayName: Canada
-      "longitude": "-78.3889",
+    name: canada
-      "name": "eastus2",
+    regionalDisplayName: Canada
-      "subscriptionId": null
+  - displayName: Canada Central
-    },
+    name: canadacentral
-    {
+    regionalDisplayName: (Canada) Canada Central
-      "displayName": "West US",
+  - displayName: Canada East
-      "latitude": "37.783",
+    name: canadaeast
-      "longitude": "-122.417",
+    regionalDisplayName: (Canada) Canada East
-      "name": "westus",
+  - displayName: Central India
-      "subscriptionId": null
+    name: centralindia
-    },
+    regionalDisplayName: (Asia Pacific) Central India
-    {
+  - displayName: Central US
-      "displayName": "North Central US",
+    name: centralus
-      "latitude": "41.8819",
+    regionalDisplayName: (US) Central US
-      "longitude": "-87.6278",
+  - displayName: Central US EUAP
-      "name": "northcentralus",
+    name: centraluseuap
-      "subscriptionId": null
+    regionalDisplayName: (US) Central US EUAP
-    },
+  - displayName: Central US (Stage)
-    {
+    name: centralusstage
-      "displayName": "South Central US",
+    regionalDisplayName: (US) Central US (Stage)
-      "latitude": "29.4167",
+  - displayName: East Asia
-      "longitude": "-98.5",
+    name: eastasia
-      "name": "southcentralus",
+    regionalDisplayName: (Asia Pacific) East Asia
-      "subscriptionId": null
+  - displayName: East Asia (Stage)
-    },
+    name: eastasiastage
-    {
+    regionalDisplayName: (Asia Pacific) East Asia (Stage)
-      "displayName": "North Europe",
+  - displayName: East US
-      "latitude": "53.3478",
+    name: eastus
-      "longitude": "-6.2597",
+    regionalDisplayName: (US) East US
-      "name": "northeurope",
+  - displayName: East US 2
-      "subscriptionId": null
+    name: eastus2
-    },
+    regionalDisplayName: (US) East US 2
-    {
+  - displayName: East US 2 EUAP
-      "displayName": "West Europe",
+    name: eastus2euap
-      "latitude": "52.3667",
+    regionalDisplayName: (US) East US 2 EUAP
-      "longitude": "4.9",
+  - displayName: East US 2 (Stage)
-      "name": "westeurope",
+    name: eastus2stage
-      "subscriptionId": null
+    regionalDisplayName: (US) East US 2 (Stage)
-    },
+  - displayName: East US (Stage)
-    {
+    name: eastusstage
-      "displayName": "Japan West",
+    regionalDisplayName: (US) East US (Stage)
-      "latitude": "34.6939",
+  - displayName: Europe
-      "longitude": "135.5022",
+    name: europe
-      "name": "japanwest",
+    regionalDisplayName: Europe
-      "subscriptionId": null
+  - displayName: France Central
-    },
+    name: francecentral
-    {
+    regionalDisplayName: (Europe) France Central
-      "displayName": "Japan East",
+  - displayName: France South
-      "latitude": "35.68",
+    name: francesouth
-      "longitude": "139.77",
+    regionalDisplayName: (Europe) France South
-      "name": "japaneast",
+  - displayName: Germany North
-      "subscriptionId": null
+    name: germanynorth
-    },
+    regionalDisplayName: (Europe) Germany North
-    {
+  - displayName: Germany West Central
-      "displayName": "Brazil South",
+    name: germanywestcentral
-      "latitude": "-23.55",
+    regionalDisplayName: (Europe) Germany West Central
-      "longitude": "-46.633",
+  - displayName: Global
-      "name": "brazilsouth",
+    name: global
-      "subscriptionId": null
+    regionalDisplayName: Global
-    },
+  - displayName: India
-    {
+    name: india
-      "displayName": "Australia East",
+    regionalDisplayName: India
-      "latitude": "-33.86",
+  - displayName: Japan
-      "longitude": "151.2094",
+    name: japan
-      "name": "australiaeast",
+    regionalDisplayName: Japan
-      "subscriptionId": null
+  - displayName: Japan East
-    },
+    name: japaneast
-    {
+    regionalDisplayName: (Asia Pacific) Japan East
-      "displayName": "Australia Southeast",
+  - displayName: Japan West
-      "latitude": "-37.8136",
+    name: japanwest
-      "longitude": "144.9631",
+    regionalDisplayName: (Asia Pacific) Japan West
-      "name": "australiasoutheast",
+  - displayName: Jio India Central
-      "subscriptionId": null
+    name: jioindiacentral
-    },
+    regionalDisplayName: (Asia Pacific) Jio India Central
-    {
+  - displayName: Jio India West
-      "displayName": "South India",
+    name: jioindiawest
-      "latitude": "12.9822",
+    regionalDisplayName: (Asia Pacific) Jio India West
-      "longitude": "80.1636",
+  - displayName: Korea Central
-      "name": "southindia",
+    name: koreacentral
-      "subscriptionId": null
+    regionalDisplayName: (Asia Pacific) Korea Central
-    },
+  - displayName: Korea South
-    {
+    name: koreasouth
-      "displayName": "Central India",
+    regionalDisplayName: (Asia Pacific) Korea South
-      "latitude": "18.5822",
+  - displayName: North Central US
-      "longitude": "73.9197",
+    name: northcentralus
-      "name": "centralindia",
+    regionalDisplayName: (US) North Central US
-      "subscriptionId": null
+  - displayName: North Central US (Stage)
-    },
+    name: northcentralusstage
-    {
+    regionalDisplayName: (US) North Central US (Stage)
-      "displayName": "West India",
+  - displayName: North Europe
-      "latitude": "19.088",
+    name: northeurope
-      "longitude": "72.868",
+    regionalDisplayName: (Europe) North Europe
-      "name": "westindia",
+  - displayName: Norway East
-      "subscriptionId": null
+    name: norwayeast
-    },
+    regionalDisplayName: (Europe) Norway East
-    {
+  - displayName: Norway West
-      "displayName": "Canada Central",
+    name: norwaywest
-      "latitude": "43.653",
+    regionalDisplayName: (Europe) Norway West
-      "longitude": "-79.383",
+  - displayName: Qatar Central
-      "name": "canadacentral",
+    name: qatarcentral
-      "subscriptionId": null
+    regionalDisplayName: (Europe) Qatar Central
-    },
+  - displayName: South Africa North
-    {
+    name: southafricanorth
-      "displayName": "Canada East",
+    regionalDisplayName: (Africa) South Africa North
-      "latitude": "46.817",
+  - displayName: South Africa West
-      "longitude": "-71.217",
+    name: southafricawest
-      "name": "canadaeast",
+    regionalDisplayName: (Africa) South Africa West
-      "subscriptionId": null
+  - displayName: South Central US
-    },
+    name: southcentralus
-    {
+    regionalDisplayName: (US) South Central US
-      "displayName": "UK South",
+  - displayName: South Central US (Stage)
-      "latitude": "50.941",
+    name: southcentralusstage
-      "longitude": "-0.799",
+    regionalDisplayName: (US) South Central US (Stage)
-      "name": "uksouth",
+  - displayName: Southeast Asia
-      "subscriptionId": null
+    name: southeastasia
-    },
+    regionalDisplayName: (Asia Pacific) Southeast Asia
-    {
+  - displayName: Southeast Asia (Stage)
-      "displayName": "UK West",
+    name: southeastasiastage
-      "latitude": "53.427",
+    regionalDisplayName: (Asia Pacific) Southeast Asia (Stage)
-      "longitude": "-3.084",
+  - displayName: South India
-      "name": "ukwest",
+    name: southindia
-      "subscriptionId": null
+    regionalDisplayName: (Asia Pacific) South India
-    },
+  - displayName: Sweden Central
-    {
+    name: swedencentral
-      "displayName": "West Central US",
+    regionalDisplayName: (Europe) Sweden Central
-      "latitude": "40.890",
+  - displayName: Sweden South
-      "longitude": "-110.234",
+    name: swedensouth
-      "name": "westcentralus",
+    regionalDisplayName: (Europe) Sweden South
-      "subscriptionId": null
+  - displayName: Switzerland North
-    },
+    name: switzerlandnorth
-    {
+    regionalDisplayName: (Europe) Switzerland North
-      "displayName": "West US 2",
+  - displayName: Switzerland West
-      "latitude": "47.233",
+    name: switzerlandwest
-      "longitude": "-119.852",
+    regionalDisplayName: (Europe) Switzerland West
-      "name": "westus2",
+  - displayName: UAE Central
-      "subscriptionId": null
+    name: uaecentral
-    },
+    regionalDisplayName: (Middle East) UAE Central
-    {
+  - displayName: UAE North
-      "displayName": "Korea Central",
+    name: uaenorth
-      "latitude": "37.5665",
+    regionalDisplayName: (Middle East) UAE North
-      "longitude": "126.9780",
+  - displayName: United Kingdom
-      "name": "koreacentral",
+    name: uk
-      "subscriptionId": null
+    regionalDisplayName: United Kingdom
-    },
+  - displayName: UK South
-    {
+    name: uksouth
-      "displayName": "Korea South",
+    regionalDisplayName: (Europe) UK South
-      "latitude": "35.1796",
+  - displayName: UK West
-      "longitude": "129.0756",
+    name: ukwest
-      "name": "koreasouth",
+    regionalDisplayName: (Europe) UK West
-      "subscriptionId": null
+  - displayName: United States
-    },
+    name: unitedstates
-    {
+    regionalDisplayName: United States
-      "displayName": "France Central",
+  - displayName: West Central US
-      "latitude": "46.3772",
+    name: westcentralus
-      "longitude": "2.3730",
+    regionalDisplayName: (US) West Central US
-      "name": "francecentral",
+  - displayName: West Europe
-      "subscriptionId": null
+    name: westeurope
-    },
+    regionalDisplayName: (Europe) West Europe
-    {
+  - displayName: West India
-      "displayName": "France South",
+    name: westindia
-      "latitude": "43.8345",
+    regionalDisplayName: (Asia Pacific) West India
-      "longitude": "2.1972",
+  - displayName: West US
-      "name": "francesouth",
+    name: westus
-      "subscriptionId": null
+    regionalDisplayName: (US) West US
-    },
+  - displayName: West US 2
-    {
+    name: westus2
-      "displayName": "Australia Central",
+    regionalDisplayName: (US) West US 2
-      "latitude": "-35.3075",
+  - displayName: West US 2 (Stage)
-      "longitude": "149.1244",
+    name: westus2stage
-      "name": "australiacentral",
+    regionalDisplayName: (US) West US 2 (Stage)
-      "subscriptionId": null
+  - displayName: West US 3
-    },
+    name: westus3
-    {
+    regionalDisplayName: (US) West US 3
-      "displayName": "Australia Central 2",
+  - displayName: West US (Stage)
-      "latitude": "-35.3075",
+    name: westusstage
-      "longitude": "149.1244",
+    regionalDisplayName: (US) West US (Stage)
-      "name": "australiacentral2",
+
      "subscriptionId": null
    },
    {
      "displayName": "UAE Central",
      "latitude": "‎24.466667",
      "longitude": "‎54.366669",
      "name": "uaecentral",
      "subscriptionId": null
    },
    {
      "displayName": "UAE North",
      "latitude": "25.266666",
      "longitude": "55.316666",
      "name": "uaenorth",
      "subscriptionId": null
    },
    {
      "displayName": "South Africa North",
      "latitude": "-25.731340",
      "longitude": "28.218370",
      "name": "southafricanorth",
      "subscriptionId": null
    },
    {
      "displayName": "South Africa West",
      "latitude": "-34.075691",
      "longitude": "18.843266",
      "name": "southafricawest",
      "subscriptionId": null
    }
  ]
--- a/roles/cloud-azure/tasks/prompts.yml
+++ b/roles/cloud-azure/tasks/prompts.yml
@ -6,10 +6,6 @@
    subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}"
 - block:
  - name: Set facts about the regions
    set_fact:
      azure_regions: "{{ _azure_regions|from_json | sort(attribute='name') }}"
  - name: Set the default region
    set_fact:
      default_region: >-
@ -21,7 +17,7 @@
      prompt: |
        What region should the server be located in?
          {% for r in azure_regions %}
-          {{ loop.index }}. {{ r['displayName'] }}
+          {{ loop.index }}. {{ r['regionalDisplayName'] }}
          {% endfor %}
        Enter the number of your desired region
--- a/roles/cloud-azure/tasks/venv.yml
+++ b/roles/cloud-azure/tasks/venv.yml
@ -1,45 +1,6 @@
 ---
 - name: Install requirements
  pip:
-    name:
+    requirements: https://raw.githubusercontent.com/ansible-collections/azure/v1.9.0/requirements-azure.txt
      - packaging
      - requests[security]
      - xmltodict
      - azure-cli-core==2.0.35
      - azure-cli-nspkg==3.0.2
      - azure-common==1.1.11
      - azure-mgmt-authorization==0.51.1
      - azure-mgmt-batch==5.0.1
      - azure-mgmt-cdn==3.0.0
      - azure-mgmt-compute==4.4.0
      - azure-mgmt-containerinstance==1.4.0
      - azure-mgmt-containerregistry==2.0.0
      - azure-mgmt-containerservice==4.4.0
      - azure-mgmt-dns==2.1.0
      - azure-mgmt-keyvault==1.1.0
      - azure-mgmt-marketplaceordering==0.1.0
      - azure-mgmt-monitor==0.5.2
      - azure-mgmt-network==2.3.0
      - azure-mgmt-nspkg==2.0.0
      - azure-mgmt-redis==5.0.0
      - azure-mgmt-resource==2.1.0
      - azure-mgmt-rdbms==1.4.1
      - azure-mgmt-servicebus==0.5.3
      - azure-mgmt-sql==0.10.0
      - azure-mgmt-storage==3.1.0
      - azure-mgmt-trafficmanager==0.50.0
      - azure-mgmt-web==0.41.0
      - azure-nspkg==2.0.0
      - azure-storage==0.35.1
      - msrest==0.6.1
      - msrestazure==0.5.0
      - azure-keyvault==1.0.0a1
      - azure-graphrbac==0.40.0
      - azure-mgmt-cosmosdb==0.5.2
      - azure-mgmt-hdinsight==0.1.0
      - azure-mgmt-devtestlabs==3.0.0
      - azure-mgmt-loganalytics==0.2.0
      - azure-mgmt-automation==0.1.1
      - azure-mgmt-iothub==0.7.0
    state: latest
    virtualenv_python: python3
--- a/roles/cloud-cloudstack/tasks/main.yml
+++ b/roles/cloud-cloudstack/tasks/main.yml
@ -54,5 +54,6 @@
        ansible_ssh_port: "{{ ssh_port }}"
        cloudinit: true
  environment:
-    CLOUDSTACK_CONFIG: "{{ algo_cs_config }}"
+    CLOUDSTACK_KEY: "{{ algo_cs_key }}"
-    CLOUDSTACK_REGION: "{{ algo_cs_region }}"
+    CLOUDSTACK_SECRET: "{{ algo_cs_token }}"
    CLOUDSTACK_ENDPOINT: "{{ algo_cs_url }}"
--- a/roles/cloud-cloudstack/tasks/prompts.yml
+++ b/roles/cloud-cloudstack/tasks/prompts.yml
@ -2,36 +2,47 @@
 - block:
  - pause:
      prompt: |
-        Enter path for cloudstack.ini file (https://trailofbits.github.io/algo/cloud-cloudstack.html)
+        Enter the API key (https://trailofbits.github.io/algo/cloud-cloudstack.html):
-        [~/.cloudstack.ini]
+      echo: false
-    register: _cs_config
+    register: _cs_key
    when:
-      - cs_config is undefined
+      - cs_key is undefined
-      - lookup('env', 'CLOUDSTACK_CONFIG') | length <= 0
+      - lookup('env','CLOUDSTACK_KEY')|length <= 0
  - pause:
      prompt: |
-        Specify region to use in cloudstack.ini file
+        Enter the API ssecret (https://trailofbits.github.io/algo/cloud-cloudstack.html):
-        [exoscale]
+      echo: false
-    register: _cs_region
+    register: _cs_secret
    when:
-      - cs_region is undefined
+      - cs_secret is undefined
-      - lookup('env', 'CLOUDSTACK_REGION') | length <= 0
+      - lookup('env','CLOUDSTACK_SECRET')|length <= 0
  - pause:
      prompt: |
        Enter the API endpoint (https://trailofbits.github.io/algo/cloud-cloudstack.html)
        [https://api.exoscale.com/compute]
    register: _cs_url
    when:
      - cs_url is undefined
      - lookup('env', 'CLOUDSTACK_ENDPOINT') | length <= 0
  - set_fact:
-      algo_cs_config: "{{ cs_config | default(_cs_config.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_CONFIG'), true) | default('~/.cloudstack.ini', true) }}"
+      algo_cs_key: "{{ cs_key | default(_cs_key.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_KEY'), true) }}"
-      algo_cs_region:  "{{ cs_region | default(_cs_region.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_REGION'), true) | default('exoscale', true) }}"
+      algo_cs_token: "{{ cs_secret | default(_cs_secret.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_SECRET'), true) }}"
      algo_cs_url: "{{ cs_url | default(_cs_url.user_input|default(None)) | default(lookup('env', 'CLOUDSTACK_ENDPOINT'), true) | default('https://api.exoscale.com/compute', true) }}"
  - name: Get zones on cloud
-    cloudstack_zones:
+    cs_zone_info:
    register: _cs_zones
    environment:
-      CLOUDSTACK_CONFIG: "{{ algo_cs_config }}"
+      CLOUDSTACK_KEY: "{{ algo_cs_key }}"
-      CLOUDSTACK_REGION: "{{ algo_cs_region }}"
+      CLOUDSTACK_SECRET: "{{ algo_cs_token }}"
      CLOUDSTACK_ENDPOINT: "{{ algo_cs_url }}"
  - name: Extract zones from output
    set_fact:
-      cs_zones: "{{ _cs_zones['zone'] | sort(attribute='name') }}"
+      cs_zones: "{{ _cs_zones['zones'] | sort(attribute='name') }}"
  - name: Set the default zone
    set_fact:
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@ -26,12 +26,16 @@
      - Environment:Algo
  register: digital_ocean_droplet
 # Return data is not idempotent
 - set_fact:
    droplet: "{{ digital_ocean_droplet.data.droplet | default(digital_ocean_droplet.data) }}"
 - block:
  - name: "Create a Floating IP"
    digital_ocean_floating_ip:
      state: present
      oauth_token: "{{ algo_do_token }}"
-      droplet_id: "{{ digital_ocean_droplet.data.droplet.id }}"
+      droplet_id: "{{ droplet.id }}"
    register: digital_ocean_floating_ip
  - name: Set the static ip as a fact
@ -40,7 +44,7 @@
  when: alternative_ingress_ip
 - set_fact:
-    cloud_instance_ip: "{{ digital_ocean_droplet.data.ip_address }}"
+    cloud_instance_ip: "{{ (droplet.networks.v4 | selectattr('type', '==', 'public')).0.ip_address }}"
    ansible_ssh_user: algo
    ansible_ssh_port: "{{ ssh_port }}"
    cloudinit: true
--- a/roles/cloud-digitalocean/tasks/prompts.yml
+++ b/roles/cloud-digitalocean/tasks/prompts.yml
@ -24,7 +24,7 @@
 - name: Set facts about the regions
  set_fact:
-    do_regions: "{{ _do_regions.json.regions | sort(attribute='slug') }}"
+    do_regions: "{{ _do_regions.json.regions | selectattr('available', 'true') | sort(attribute='slug') }}"
 - name: Set default region
  set_fact:
--- a/roles/cloud-ec2/files/stack.yaml
+++ b/roles/cloud-ec2/files/stack.yaml
@ -20,9 +20,17 @@ Parameters:
    Type: String
  SshPort:
    Type: String
  InstanceMarketTypeParameter:
    Description: Launch a Spot instance or standard on-demand instance
    Type: String
    Default: on-demand
    AllowedValues:
      - spot
      - on-demand
 Conditions:
  AllocateNewEIP: !Equals [!Ref UseThisElasticIP, '']
  AssociateExistingEIP: !Not [!Equals [!Ref UseThisElasticIP, '']]
  InstanceIsSpot: !Equals [spot, !Ref InstanceMarketTypeParameter]
 Resources:
  VPC:
    Type: AWS::EC2::VPC
@ -146,6 +154,15 @@ Resources:
        - Key: Name
          Value: !Ref AWS::StackName
  EC2LaunchTemplate:
    Type: AWS::EC2::LaunchTemplate
    Condition: InstanceIsSpot    # Only create this template if requested
    Properties:                  # a spot instance_market_type in config.cfg
      LaunchTemplateName: !Ref AWS::StackName
      LaunchTemplateData:
        InstanceMarketOptions:
          MarketType: spot
  EC2Instance:
    Type: AWS::EC2::Instance
    DependsOn:
@ -169,6 +186,14 @@ Resources:
      SubnetId: !Ref Subnet
      Ipv6AddressCount: 1
      UserData: !Ref UserData
      LaunchTemplate:
        !If               # Only if Conditions created "EC2LaunchTemplate"
          - InstanceIsSpot
          -
            LaunchTemplateId:
              !Ref EC2LaunchTemplate
            Version: 1
          - !Ref AWS::NoValue  # Else this LaunchTemplate not set
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName
--- a/roles/cloud-ec2/tasks/cloudformation.yml
+++ b/roles/cloud-ec2/tasks/cloudformation.yml
@ -16,6 +16,7 @@
      EbsEncrypted: "{{ encrypted }}"
      UserData: "{{ lookup('template', 'files/cloud-init/base.yml') | b64encode }}"
      SshPort: "{{ ssh_port }}"
      InstanceMarketTypeParameter: "{{ cloud_providers.ec2.instance_market_type }}"
    tags:
      Environment: Algo
  register: stack
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@ -6,13 +6,14 @@
  import_tasks: prompts.yml
 - name: Locate official AMI for region
-  ec2_ami_facts:
+  ec2_ami_info:
    aws_access_key: "{{ access_key }}"
    aws_secret_key: "{{ secret_key }}"
    owners: "{{ cloud_providers.ec2.image.owner }}"
    region: "{{ algo_region }}"
    filters:
-      name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-amd64-server-*"
+      architecture: "{{ cloud_providers.ec2.image.arch }}"
      name: "ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-*64-server-*"
  register: ami_search
 - name: Set the ami id as a fact
--- a/roles/cloud-ec2/tasks/prompts.yml
+++ b/roles/cloud-ec2/tasks/prompts.yml
@ -24,7 +24,7 @@
 - block:
  - name: Get regions
-    aws_region_facts:
+    aws_region_info:
      aws_access_key: "{{ access_key }}"
      aws_secret_key: "{{ secret_key }}"
      region: us-east-1
@ -64,7 +64,7 @@
 - block:
  - name: Get existing available Elastic IPs
-    ec2_eip_facts:
+    ec2_eip_info:
      aws_access_key: "{{ access_key }}"
      aws_secret_key: "{{ secret_key }}"
      region: "{{ algo_region }}"
--- a/roles/cloud-hetzner/tasks/prompts.yml
+++ b/roles/cloud-hetzner/tasks/prompts.yml
@ -17,7 +17,7 @@
    api_token: "{{ algo_hcloud_token }}"
  register: _hcloud_regions
- name: Set facts about thre regions
+- name: Set facts about the regions
  set_fact:
    hcloud_regions: "{{ hcloud_datacenter_facts | sort(attribute='location') }}"
--- a/roles/cloud-lightsail/files/stack.yaml
+++ b/roles/cloud-lightsail/files/stack.yaml
@ -0,0 +1,73 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: 'Algo VPN stack (LightSail)'
 Parameters:
  InstanceTypeParameter:
    Type: String
    Default: 'nano_2_0'
  ImageIdParameter:
    Type: String
    Default: 'ubuntu_20_04'
  WireGuardPort:
    Type: String
    Default: '51820'
  SshPort:
    Type: String
    Default: '4160'
  UserData:
    Type: String
    Default: 'true'
 Resources:
  Instance:
    Type: AWS::Lightsail::Instance
    Properties: 
      BlueprintId:
        Ref: ImageIdParameter
      BundleId: 
        Ref: InstanceTypeParameter
      InstanceName: !Ref AWS::StackName
      Networking: 
        Ports: 
          - AccessDirection: inbound
            Cidrs: ['0.0.0.0/0']
            Ipv6Cidrs: ['::/0']
            CommonName: SSH
            FromPort: !Ref SshPort
            ToPort: !Ref SshPort
            Protocol: tcp
          - AccessDirection: inbound
            Cidrs: ['0.0.0.0/0']
            Ipv6Cidrs: ['::/0']
            CommonName: WireGuard
            FromPort: !Ref WireGuardPort
            ToPort: !Ref WireGuardPort
            Protocol: udp
          - AccessDirection: inbound
            Cidrs: ['0.0.0.0/0']
            Ipv6Cidrs: ['::/0']
            CommonName: IPSec-4500
            FromPort: 4500
            ToPort: 4500
            Protocol: udp
          - AccessDirection: inbound
            Cidrs: ['0.0.0.0/0']
            Ipv6Cidrs: ['::/0']
            CommonName: IPSec-500
            FromPort: 500
            ToPort: 500
            Protocol: udp  
      Tags:
        - Key: Name
          Value: !Ref AWS::StackName
      UserData: !Ref UserData
  StaticIP:
    Type: AWS::Lightsail::StaticIp
    Properties: 
      AttachedTo: !Ref Instance
      StaticIpName: !Join [ "-", [ !Ref AWS::StackName, "ip" ] ]
    DependsOn:
      - Instance
 Outputs:
  IpAddress:
    Value: !GetAtt [StaticIP, IpAddress]
--- a/roles/cloud-lightsail/tasks/cloudformation.yml
+++ b/roles/cloud-lightsail/tasks/cloudformation.yml
@ -0,0 +1,19 @@
 ---
 - name: Deploy the template
  cloudformation:
    aws_access_key: "{{ access_key }}"
    aws_secret_key: "{{ secret_key }}"
    stack_name: "{{ stack_name }}"
    state: "present"
    region: "{{ algo_region }}"
    template: roles/cloud-lightsail/files/stack.yaml
    template_parameters:
      InstanceTypeParameter: "{{ cloud_providers.lightsail.size }}"
      ImageIdParameter: "{{ cloud_providers.lightsail.image }}"
      WireGuardPort: "{{ wireguard_port }}"
      SshPort: "{{ ssh_port }}"
      UserData: "{{ lookup('template', 'files/cloud-init/base.sh') }}"
    tags:
      Environment: Algo
      Lightsail: true
  register: stack
--- a/roles/cloud-lightsail/tasks/main.yml
+++ b/roles/cloud-lightsail/tasks/main.yml
@ -5,36 +5,11 @@
 - name: Include prompts
  import_tasks: prompts.yml
- name: Create an instance
+- name: Deploy the stack
-  lightsail:
+  import_tasks: cloudformation.yml
    aws_access_key: "{{ access_key }}"
    aws_secret_key: "{{ secret_key }}"
    name: "{{ algo_server_name }}"
    state: present
    region: "{{ algo_region }}"
    zone: "{{ algo_region }}a"
    blueprint_id: "{{ cloud_providers.lightsail.image }}"
    bundle_id: "{{ cloud_providers.lightsail.size }}"
    wait_timeout: "300"
    open_ports:
      - from_port: "{{ ssh_port }}"
        to_port:  "{{ ssh_port }}"
        protocol: tcp
      - from_port: 4500
        to_port: 4500
        protocol: udp
      - from_port: 500
        to_port: 500
        protocol: udp
      - from_port: "{{ wireguard_port }}"
        to_port: "{{ wireguard_port }}"
        protocol: udp
    user_data: |
      {{ lookup('template', 'files/cloud-init/base.sh') }}
  register: algo_instance
 - set_fact:
-    cloud_instance_ip: "{{ algo_instance['instance']['public_ip_address'] }}"
+    cloud_instance_ip: "{{ stack.stack_outputs.IpAddress }}"
    ansible_ssh_user: algo
    ansible_ssh_port: "{{ ssh_port }}"
    cloudinit: true
--- a/roles/cloud-lightsail/tasks/prompts.yml
+++ b/roles/cloud-lightsail/tasks/prompts.yml
@ -55,6 +55,7 @@
  when: region is undefined
 - set_fact:
    stack_name: "{{ algo_server_name | replace('.', '-') }}"
    algo_region: >-
      {% if region is defined %}{{ region }}
      {%- elif _algo_region.user_input %}{{ lightsail_regions[_algo_region.user_input | int -1 ]['name'] }}
--- a/roles/cloud-openstack/tasks/main.yml
+++ b/roles/cloud-openstack/tasks/main.yml
@ -7,14 +7,14 @@
  import_tasks: venv.yml
 - name: Security group created
-  os_security_group:
+  openstack.cloud.security_group:
    state: "{{ state|default('present') }}"
    name: "{{ algo_server_name }}-security_group"
    description: AlgoVPN security group
  register: os_security_group
 - name: Security rules created
-  os_security_group_rule:
+  openstack.cloud.security_group_rule:
    state: "{{ state|default('present') }}"
    security_group: "{{ os_security_group.id }}"
    protocol: "{{ item.proto }}"
@ -29,22 +29,25 @@
    - { proto: udp, port_min: "{{ wireguard_port }}", port_max: "{{ wireguard_port }}", range: 0.0.0.0/0 }
 - name: Gather facts about flavors
-  os_flavor_facts:
+  openstack.cloud.compute_flavor_info:
    ram: "{{ cloud_providers.openstack.flavor_ram }}"
  register: os_flavor
 - name: Gather facts about images
-  os_image_facts:
+  openstack.cloud.image_info:
  register: os_image
 - name: Set image as a fact
  set_fact:
    image_id: "{{ item.id }}"
-  loop: "{{ openstack_image }}"
+  loop: "{{ os_image.openstack_image }}"
  when:
    - item.name == cloud_providers.openstack.image
    - item.status == "active"
 - name: Gather facts about public networks
-  os_networks_facts:
+  openstack.cloud.networks_info:
  register: os_network
 - name: Set the network as a fact
  set_fact:
@ -53,15 +56,15 @@
    - item['router:external']|default(omit)
    - item['admin_state_up']|default(omit)
    - item['status'] == 'ACTIVE'
-  with_items: "{{ openstack_networks }}"
+  with_items: "{{ os_network.openstack_networks }}"
 - name: Set facts
  set_fact:
-    flavor_id: "{{ (openstack_flavors | sort(attribute='ram'))[0]['id'] }}"
+    flavor_id: "{{ (os_flavor.openstack_flavors | sort(attribute='ram'))[0]['id'] }}"
    security_group_name: "{{ os_security_group['secgroup']['name'] }}"
 - name: Server created
-  os_server:
+  openstack.cloud.server:
    state: "{{ state|default('present') }}"
    name: "{{ algo_server_name }}"
    image: "{{ image_id }}"
--- a/roles/cloud-scaleway/tasks/main.yml
+++ b/roles/cloud-scaleway/tasks/main.yml
@ -3,17 +3,19 @@
 - block:
  - name: Gather Scaleway organizations facts
-    scaleway_organization_facts:
+    scaleway_organization_info:
    register: scaleway_org
  - name: Get images
-    scaleway_image_facts:
+    scaleway_image_info:
      region: "{{ algo_region }}"
    register: scaleway_image
  - name: Set cloud specific facts
    set_fact:
-      organization_id: "{{ scaleway_organization_facts[0]['id'] }}"
+      organization_id: "{{ scaleway_org.scaleway_organization_info[0]['id'] }}"
      images: >-
-        [{% for i in scaleway_image_facts -%}
+        [{% for i in scaleway_image.scaleway_image_info -%}
          {% if i.name == cloud_providers.scaleway.image and
                i.arch == cloud_providers.scaleway.arch -%}
          '{{ i.id }}'{% if not loop.last %},{% endif %}
--- a/roles/cloud-vultr/tasks/main.yml
+++ b/roles/cloud-vultr/tasks/main.yml
@ -28,9 +28,7 @@
    vultr_startup_script:
      name: algo-startup
      script:  |
-        {{ lookup('template', 'files/cloud-init/base.sh') }}
+        {{ lookup('template', 'files/cloud-init/base.yml') }}
        mkdir -p /var/lib/cloud/data/ || true
        touch /var/lib/cloud/data/result.json
  - name: Creating a server
    vultr_server:
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -6,6 +6,9 @@
  tags:
    - update-users
 - fail:
  when: cloud_test|default(false)|bool
 - include_tasks: ubuntu.yml
  when: '"Ubuntu" in OS.stdout or "Linux" in OS.stdout'
  tags:
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@ -36,7 +36,7 @@
      become: false
  when: algo_provider != "local"
- name: Include unatteded upgrades configuration
+- name: Include unattended upgrades configuration
  import_tasks: unattended-upgrades.yml
 - name: Disable MOTD on login and SSHD
@ -119,7 +119,7 @@
      - linux-headers-generic
      - "linux-headers-{{ ansible_kernel }}"
    state: present
-  when: install_headers
+  when: install_headers | bool
 - name: Configure the alternative ingress ip
  include_tasks: aip/main.yml
--- a/roles/common/templates/rules.v4.j2
+++ b/roles/common/templates/rules.v4.j2
@ -95,7 +95,7 @@ COMMIT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 # Drop SMB/CIFS traffic that requests to be forwarded
 -A FORWARD -p tcp --dport 445 -j {{ "DROP" if block_smb else "ACCEPT" }}
-# Drop NETBIOS trafic that requests to be forwarded
+# Drop NETBIOS traffic that requests to be forwarded
 -A FORWARD -p udp -m multiport --ports 137,138 -j {{ "DROP" if block_netbios else "ACCEPT" }}
 -A FORWARD -p tcp -m multiport --ports 137,139 -j {{ "DROP" if block_netbios else "ACCEPT" }}
--- a/roles/dns/files/apparmor.profile.dnscrypt-proxy
+++ b/roles/dns/files/apparmor.profile.dnscrypt-proxy
@ -14,7 +14,7 @@
  /etc/dnscrypt-proxy/** r,
  /usr/bin/dnscrypt-proxy mr,
-  /tmp/public-resolvers.md* rw,
+  /var/cache/{private/,}dnscrypt-proxy/** rw,
  /tmp/*.tmp w,
  owner /tmp/*.tmp r,
--- a/roles/dns/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns/templates/dnscrypt-proxy.toml.j2
@ -118,11 +118,12 @@ timeout = 2500
 keepalive = 30
-## Use the REFUSED return code for blocked responses
+## Response for blocked queries. Options are `refused`, `hinfo` (default) or
-## Setting this to `false` means that some responses will be lies.
+## an IP response. To give an IP response, use the format `a:<IPv4>,aaaa:<IPv6>`.
-## Unfortunately, `false` appears to be required for Android 8+
+## Using the `hinfo` option means that some responses will be lies.
 ## Unfortunately, the `hinfo` option appears to be required for Android 8+
-refused_code_in_responses = false
+# blocked_query_response = 'refused'
 ## Load-balancing strategy: 'p2' (default), 'ph', 'first' or 'random'
@ -523,7 +524,7 @@ cache_neg_max_ttl = 600
  [sources.'public-resolvers']
  urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
-  cache_file = '/tmp/public-resolvers.md'
+  cache_file = '/var/cache/dnscrypt-proxy/public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  prefix = ''
@ -550,5 +551,10 @@ cache_neg_max_ttl = 600
 [static]
 {% if custom_server_stamps %}{% for name, stamp in custom_server_stamps.items() %}
  [static.'{{ name }}']
  stamp = '{{ stamp }}'
 {%- endfor %}{% endif %}
  # [static.'myserver']
  # stamp = 'sdns:AQcAAAAAAAAAAAAQMi5kbnNjcnlwdC1jZXJ0Lg'
--- a/roles/local/tasks/prompts.yml
+++ b/roles/local/tasks/prompts.yml
@ -1,4 +1,16 @@
 ---
 - pause:
    prompt: "{{ item }}"
  when: not tests|default(false)|bool
  tags:
    - skip_ansible_lint
  with_items: |
    https://trailofbits.github.io/algo/deploy-to-ubuntu.html
    Local installation might break your server. Use at your own risk.
    Proceed? Press ENTER to continue or CTRL+C and A to abort...
 - pause:
    prompt: |
      Enter the IP address of your server: (or use localhost for local installation):
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@ -64,7 +64,7 @@
      openssl_privatekey:
        path: "{{ ssh_tunnels_config_path }}/{{ item.item }}.pem"
        passphrase: "{{ p12_export_password }}"
-        cipher: aes256
+        cipher: auto
        force: false
      no_log: "{{ no_log|bool }}"
      when: not item.stat.exists
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@ -220,7 +220,7 @@
    when: item.split('@')[0] not in users
    with_items: "{{ valid_certs.stdout_lines }}"
-  - name: Genereate new CRL file
+  - name: Generate new CRL file
    shell: >
      {{ openssl_bin }} ca -gencrl
      -config <(cat openssl.cnf <(printf "[basic_exts]\nsubjectAltName=DNS:{{ IP_subject_alt_name }}"))
--- a/roles/strongswan/templates/openssl.cnf.j2
+++ b/roles/strongswan/templates/openssl.cnf.j2
@ -21,7 +21,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem	# The private key
 RANDFILE	= $dir/private/.rand		# private random number file
-x509_extensions	= basic_exts		# The extentions to add to the cert
+x509_extensions	= basic_exts		# The extensions to add to the cert
 # This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
 # is designed for will. In return, we get the Issuer attached to CRLs.
@ -56,7 +56,7 @@ default_bits		= 2048
 default_keyfile 	= privkey.pem
 default_md		= sha256
 distinguished_name	= cn_only
-x509_extensions		= easyrsa_ca	# The extentions to add to the self signed cert
+x509_extensions		= easyrsa_ca	# The extensions to add to the self signed cert
 # A placeholder to handle the $EXTRA_EXTS feature:
 #%EXTRA_EXTS%	# Do NOT remove or change this line as $EXTRA_EXTS support requires it
--- a/tests/algo.conf
+++ b/tests/algo.conf
@ -1 +0,0 @@
 dhcp-host=algo,10.0.8.100
--- a/tests/lxd-bridge
+++ b/tests/lxd-bridge
@ -1,16 +0,0 @@
 USE_LXD_BRIDGE="true"
 LXD_BRIDGE="lxdbr0"
 UPDATE_PROFILE="true"
 LXD_CONFILE="/etc/default/algo.conf"
 LXD_DOMAIN="lxd"
 LXD_IPV4_ADDR="10.0.8.1"
 LXD_IPV4_NETMASK="255.255.255.0"
 LXD_IPV4_NETWORK="10.0.8.0/24"
 LXD_IPV4_DHCP_RANGE="10.0.8.2,10.0.8.254"
 LXD_IPV4_DHCP_MAX="250"
 LXD_IPV4_NAT="true"
 LXD_IPV6_ADDR=""
 LXD_IPV6_MASK=""
 LXD_IPV6_NETWORK=""
 LXD_IPV6_NAT="false"
 LXD_IPV6_PROXY="false"
--- a/tests/pre-deploy.sh
+++ b/tests/pre-deploy.sh
@ -4,10 +4,6 @@ set -euxo pipefail
 sysctl net.ipv6.conf.all.disable_ipv6=0
 tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache."
 cp -f tests/lxd-bridge /etc/default/lxd-bridge
 cp -f tests/algo.conf /etc/default/algo.conf
 export REPOSITORY=${REPOSITORY:-${GITHUB_REPOSITORY}}
 export _BRANCH=${BRANCH#refs/heads/}
 export BRANCH=${_BRANCH:-${GITHUB_REF#refs/heads/}}
@ -18,16 +14,16 @@ else
  echo -e "#cloud-config\nssh_authorized_keys:\n - $(cat ~/.ssh/id_rsa.pub)" | lxc profile set default user.user-data -
 fi
-systemctl restart lxd-bridge.service lxd-containers.service lxd.service
+lxc network set lxdbr0 ipv4.address 10.0.8.1/24
-lxc profile set default raw.lxc lxc.aa_profile=unconfined
+lxc profile set default raw.lxc 'lxc.apparmor.profile = unconfined'
 lxc profile set default security.privileged true
 lxc profile show default
 lxc launch ubuntu:${UBUNTU_VERSION} algo
-if [[ ${UBUNTU_VERSION} == "20.04" ]]; then
+lxc init ubuntu:${UBUNTU_VERSION} algo
-  lxc exec algo -- apt remove snapd --purge -y || true
+lxc network attach lxdbr0 algo eth0 eth0
-fi
+lxc config device set algo eth0 ipv4.address 10.0.8.100
 lxc start algo
 ip addr
@ -35,4 +31,13 @@ until dig A +short algo.lxd @10.0.8.1 | grep -vE '^$' > /dev/null; do
  sleep 3
 done
 case ${UBUNTU_VERSION} in
  20.04)
    lxc exec algo -- apt remove snapd --purge -y || true
    ;;
  18.04)
    lxc exec algo -- apt install python3.8 -y
    ;;
 esac
 lxc list