Support for Ubuntu 19.04 (#1405)

* Ubuntu 19.04

* Azure to 19.04

.travis.yml

@@ -51,56 +51,73 @@ custom_scripts:
     - sudo env "PATH=$PATH" ./tests/ipsec-client.sh
     - sudo ./tests/ssh-tunnel.sh
 
+stages:
+  - &tests-and-linters
+    stage: Tests
+    name: code checks and linters
+    addons:
+      apt:
+        packages:
+          - shellcheck
+    script:
+      - pip install ansible-lint
+      - shellcheck algo install.sh
+      - ansible-playbook main.yml --syntax-check
+      - ansible-lint -v *.yml
+
+  - &deploy-local
+    stage: Deploy
+    name: local deployment from docker
+    addons:
+      apt:
+        sources: *default_sources
+        packages: *default_packages
+    before_install: *provisioning
+    before_script:
+      - docker build -t travis/algo .
+      - ./tests/local-deploy.sh
+      - ./tests/update-users.sh
+    script: *tests
+
+  - &deploy-cloudinit
+    stage: Deploy
+    name: cloud-init deployment
+    addons:
+      apt:
+        sources: *default_sources
+        packages: *default_packages
+    env: DEPLOY=cloud-init
+    before_install: *provisioning
+    before_script:
+      - until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done
+      - ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & )
+      - |
+        until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do
+          echo 'Cloud init is not finished. Sleep for 30 seconds';
+          sleep 30;
+        done
+      - sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml
+      - sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ .
+      - sudo lxc file pull algo/root/algo-configs.tar ./
+      - sudo tar -C ./configs -zxf algo-configs.tar
+    script: *tests
+
 matrix:
   fast_finish: true
   include:
-    - stage: Tests
+    - <<: *tests-and-linters
-      name: code checks and linters
+    - <<: *deploy-local
-      addons:
+      name: 'Ubuntu 18.04: local deployment from docker'
-        apt:
+      env: DEPLOY=docker UBUNTU_VERSION=18.04
-          packages:
+    - <<: *deploy-local
-            - shellcheck
+      name: 'Ubuntu 19.04: local deployment from docker'
-      script:
+      env: DEPLOY=docker UBUNTU_VERSION=19.04
-        - pip install ansible-lint
+    - <<: *deploy-cloudinit
-        - shellcheck algo install.sh
+      name: 'Ubuntu 18.04: cloud-init deployment'
-        - ansible-playbook main.yml --syntax-check
+      env: DEPLOY=cloud-init UBUNTU_VERSION=18.04
-        - ansible-lint -v roles/*/*/*.yml playbooks/*.yml *.yml
+    - <<: *deploy-cloudinit
-
+      name: 'Ubuntu 19.04: cloud-init deployment'
-    - stage: Deploy
+      env: DEPLOY=cloud-init UBUNTU_VERSION=19.04
-      name: local deployment from docker
-      addons:
-        apt:
-          sources: *default_sources
-          packages: *default_packages
-      env: DEPLOY=docker
-      before_install: *provisioning
-      before_script:
-        - docker build -t travis/algo .
-        - ./tests/local-deploy.sh
-        - ./tests/update-users.sh
-      script: *tests
-
-    - stage: Deploy
-      name: cloud-init deployment
-      addons:
-        apt:
-          sources: *default_sources
-          packages: *default_packages
-      env: DEPLOY=cloud-init
-      before_install: *provisioning
-      before_script:
-        - until sudo lxc exec algo -- test -f /var/log/cloud-init-output.log; do echo 'Log file not found, Sleep for 3 seconds'; sleep 3; done
-        - ( sudo lxc exec algo -- tail -f /var/log/cloud-init-output.log & )
-        - |
-          until sudo lxc exec algo -- test -f /var/lib/cloud/data/result.json; do
-            echo 'Cloud init is not finished. Sleep for 30 seconds';
-            sleep 30;
-          done
-        - sudo lxc exec algo -- test -f /opt/algo/configs/localhost/.config.yml
-        - sudo lxc exec algo -- tar zcf /root/algo-configs.tar -C /opt/algo/configs/ .
-        - sudo lxc file pull algo/root/algo-configs.tar ./
-        - sudo tar -C ./configs -zxf algo-configs.tar
-      script: *tests
 
 notifications:
   email: false

README.md

@@ -14,7 +14,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC
 * Blocks ads with a local DNS resolver (optional)
 * Sets up limited SSH users for tunneling traffic (optional)
 * Based on current versions of Ubuntu and strongSwan
-* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu 18.04 LTS server
+* Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, or your own Ubuntu server
 
 ## Anti-features
 
@@ -93,9 +93,9 @@ WireGuard is used to provide VPN services on Apple devices. Algo generates a Wir
 
 On iOS, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1441195209?mt=8) app from the iOS App Store. Then, use the WireGuard app to scan the QR code or AirDrop the configuration file to the device.
 
-On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file. 
+On macOS Mojave or later, install the [WireGuard](https://itunes.apple.com/us/app/wireguard/id1451685025?mt=12) app from the Mac App Store. WireGuard will appear in the menu bar once you run the app. Click on the WireGuard icon, choose **Import tunnel(s) from file...**, then select the appropriate WireGuard configuration file.
 
-On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.) 
+On either iOS or macOS, you can enable "Connect on Demand" and/or exclude certain trusted Wi-Fi networks (such as your home or work) by editing the tunnel configuration in the WireGuard app. (Algo can't do this automatically for you.)
 
 Installing WireGuard is a little more complicated on older version of macOS. See [Using macOS as a Client with WireGuard](docs/client-macos-wireguard.md).
 
@@ -122,7 +122,7 @@ Network Manager does not support AES-GCM. In order to support Linux Desktop clie
 
 Install strongSwan, then copy the included ipsec_user.conf, ipsec_user.secrets, user.crt (user certificate), and user.key (private key) files to your client device. These will require customization based on your exact use case. These files were originally generated with a point-to-point OpenWRT-based VPN in mind.
 
-#### Ubuntu Server 18.04 example
+#### Ubuntu Server example
 
 1. `sudo apt-get install strongswan libstrongswan-standard-plugins`: install strongSwan
 2. `/etc/ipsec.d/certs`: copy `<name>.crt` from `algo-master/configs/<server_ip>/ipsec/manual/<name>.crt`

config.cfg

@@ -126,10 +126,10 @@ SSH_keys:
 cloud_providers:
   azure:
     size: Basic_A0
-    image: 18.04-LTS
+    image: 19.04
   digitalocean:
     size: s-1vcpu-1gb
-    image: "ubuntu-18-04-x64"
+    image: "ubuntu-19-04-x64"
   ec2:
     # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
     # Warning: the Algo script will take approximately 6 minutes longer to complete.
@@ -139,11 +139,11 @@ cloud_providers:
     use_existing_eip: false
     size: t2.micro
     image:
-      name: "ubuntu-bionic-18.04"
+      name: "ubuntu-disco-19.04"
       owner: "099720109477"
   gce:
     size: f1-micro
-    image: ubuntu-1804
+    image: ubuntu-1904
     external_static_ip: false
   lightsail:
     size: nano_1_0
@@ -156,7 +156,7 @@ cloud_providers:
     flavor_ram: ">=512"
     image:  Ubuntu-18.04
   vultr:
-    os: Ubuntu 18.04 x64
+    os: Ubuntu 19.04 x64
     size: 1024 MB RAM,25 GB SSD,1.00 TB BW
   local:
 

docs/cloud-do.md

@@ -34,8 +34,8 @@ What provider would you like to use?
     6. Google Compute Engine
     7. Scaleway
     8. OpenStack (DreamCompute optimised)
-    9. Install to existing Ubuntu 18.04 server (Advanced)
+    9. Install to existing Ubuntu server (Advanced)
-  
+
 Enter the number of your desired provider
 :
 1
@@ -68,7 +68,7 @@ What region should the server be located in?
     7. sfo2     San Francisco 2
     8. sgp1     Singapore 1
     9. tor1     Toronto 1
-  
+
 Enter the number of your desired region
 [6]
 :

docs/deploy-to-ubuntu.md

@@ -4,7 +4,7 @@ You can use Algo to configure a local server as an AlgoVPN rather than create an
 
 Install the Algo scripts on your server and follow the normal installation instructions, then choose:
 ```
-Install to existing Ubuntu 18.04 server (Advanced)
+Install to existing Ubuntu 18.04 or 19.04 server (Advanced)
 ```
 Make sure your server is running the operating system specified.
 

docs/deploy-to-unsupported-cloud.md

@@ -2,7 +2,7 @@
 
 Algo officially supports DigitalOcean, Amazon Web Services, Microsoft Azure, and Google Cloud Engine. If you want to deploy Algo on another virtual hosting provider, that provider must support:
 
-1. the base operating system image that Algo uses (Ubuntu 18.04), and
+1. the base operating system image that Algo uses (Ubuntu 18.04, 19.04), and
 2. a minimum of certain kernel modules required for the strongSwan IPsec server.
 
 Please see the [Required Kernel Modules](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules) documentation from strongSwan for a list of the specific required modules and a script to check for them. As a first step, we recommend running their shell script to determine initial compatibility with your new hosting provider.

docs/index.md

@@ -22,7 +22,7 @@
   - Configure [Vultr](cloud-vultr.md)
 * Advanced Deployment
   - Deploy to your own [FreeBSD](deploy-to-freebsd.md) server
-  - Deploy to your own [Ubuntu 18.04](deploy-to-ubuntu.md) server
+  - Deploy to your own [Ubuntu](deploy-to-ubuntu.md) server
   - Deploy to an [unsupported cloud provider](deploy-to-unsupported-cloud.md)
 * [FAQ](faq.md)
 * [Firewalls](firewalls.md)

input.yml

@@ -20,7 +20,7 @@
       - { name: Google Compute Engine, alias: gce }
       - { name: Scaleway, alias: scaleway}
       - { name: OpenStack (DreamCompute optimised), alias: openstack }
-      - { name: Install to existing Ubuntu 18.04 server (Advanced), alias: local }
+      - { name: Install to existing Ubuntu 18.04 or 19.04 server (Advanced), alias: local }
   vars_files:
     - config.cfg
 

roles/dns_encryption/files/apparmor.profile.dnscrypt-proxy

@@ -1,6 +1,6 @@
 #include <tunables/global>
 
-/usr/bin/dnscrypt-proxy flags=(attach_disconnected) {
+/usr/{s,}bin/dnscrypt-proxy flags=(attach_disconnected) {
   #include <abstractions/base>
   #include <abstractions/nameservice>
   #include <abstractions/openssl>

roles/dns_encryption/tasks/ubuntu.yml

@@ -2,8 +2,9 @@
 - name: Add the repository
   apt_repository:
     state: present
-    codename: bionic
+    codename: "{{ ansible_distribution_release }}"
     repo: ppa:shevchuk/dnscrypt-proxy
+  when: ansible_distribution_version is version_compare('19.04', '<')
   register: result
   until: result is succeeded
   retries: 10

roles/strongswan/tasks/ubuntu.yml

@@ -10,17 +10,26 @@
     update_cache: yes
     install_recommends: yes
 
-- name: Ubuntu | Enforcing ipsec with apparmor
+- block:
-  command: aa-enforce "{{ item }}"
+  # https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1826238
+  - name: Ubuntu | Charon profile for apparmor configured
+    copy:
+      dest: /etc/apparmor.d/local/usr.lib.ipsec.charon
+      content: ' capability setpcap,'
+      owner: root
+      group: root
+      mode: 0644
+    notify: restart strongswan
+
+  - name: Ubuntu | Enforcing ipsec with apparmor
+    command: aa-enforce "{{ item }}"
+    changed_when: false
+    with_items:
+      - /usr/lib/ipsec/charon
+      - /usr/lib/ipsec/lookip
+      - /usr/lib/ipsec/stroke
+  tags: apparmor
   when: apparmor_enabled|default(false)|bool
-  changed_when: false
-  with_items:
-    - /usr/lib/ipsec/charon
-    - /usr/lib/ipsec/lookip
-    - /usr/lib/ipsec/stroke
-  notify:
-    - restart apparmor
-  tags: ['apparmor']
 
 - name: Ubuntu | Enable services
   service: name={{ item }} enabled=yes

tests/pre-deploy.sh

@@ -19,7 +19,7 @@ systemctl restart lxd-bridge.service lxd-containers.service lxd.service
 lxc profile set default raw.lxc lxc.aa_profile=unconfined
 lxc profile set default security.privileged true
 lxc profile show default
-lxc launch ubuntu:18.04 algo
+lxc launch ubuntu:${UBUNTU_VERSION} algo
 
 ip addr