Merge branch 'master' into master

2025-04-19 07:37:10 +02:00 · 2024-10-08 23:58:42 -04:00 · 2024-10-08 23:58:42 -04:00 · e15cdfdc60
commit e15cdfdc60
parent 5b1801ed13 346437fa6e
9 changed files with 55 additions and 33 deletions
--- a/config.cfg
+++ b/config.cfg
@ -206,7 +206,7 @@ cloud_providers:
    image: Ubuntu 22.04 Jammy Jellyfish
    arch: x86_64
  hetzner:
-    server_type: cx11
+    server_type: cx22
    image: ubuntu-22.04
  openstack:
    flavor_ram: ">=512"
@ -217,7 +217,7 @@ cloud_providers:
    disk: 10
  vultr:
    os: Ubuntu 22.04 LTS x64
-    size: 1024 MB RAM,25 GB SSD,1.00 TB BW
+    size: vc2-1c-1gb
  linode:
    type: g6-nanode-1
    image: linode/ubuntu22.04
--- a/docs/cloud-amazon-ec2.md
+++ b/docs/cloud-amazon-ec2.md
@ -6,12 +6,18 @@ Creating an Amazon AWS account requires giving Amazon a phone number that can re

 ### Select an EC2 plan

-The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tier." It is only available to new AWS customers, it has limits on usage, and it converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices.
+The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the ["AWS Free Tier"](https://aws.amazon.com/free/). It is only available to new AWS customers, it has limits on usage, and it converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices.

 *Note*: Your Algo instance will not stop working when you hit the bandwidth limit, you will just start accumulating service charges on your AWS account.

 As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits.

+If you are not eligible for the free tier plan or have passed the 12 months of the introductory period, you can switch to [AWS Graviton](https://aws.amazon.com/ec2/graviton/) instances that are generally cheaper. To use the graviton instances, make the following changes in the ec2 section of your `config.cfg` file:
+* Set the `size` to `t4g.nano`
+* Set the `arch` to `arm64`
+
+> Currently, among all the instance sizes available on AWS, the t4g.nano instance is the least expensive option that does not require any promotional offers. However, AWS is currently running a promotion that provides a free trial of the `t4g.small` instance until December 31, 2023, which is available to all customers. For more information about this promotion, please refer to the [documentation](https://aws.amazon.com/ec2/faqs/#t4g-instances).
+
 Additional configurations are documented in the [EC2 section of the deploy from ansible guide](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#amazon-ec2)

 ### Create an AWS permissions policy
@ -81,11 +87,11 @@ Next, you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Ke
 Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md).
 [pasted values will not be displayed]
-[AKIA...]: 
+[AKIA...]:

 Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 [pasted values will not be displayed]
-[ABCD...]: 
+[ABCD...]:
 ```

 You will be prompted for the server name to enter. Feel free to leave this as the default ("algo") if you are not certain how this will affect your setup. Here we chose to call it "algovpn".
@ -116,7 +122,7 @@ What region should the server be located in?
    14. us-east-2
    15. us-west-1
    16. us-west-2
-  
+
 Enter the number of your desired region
 [13]
 :
--- a/docs/deploy-from-cloudshell.md
+++ b/docs/deploy-from-cloudshell.md
@ -1,5 +1,4 @@
 # Deploy from Google Cloud Shell
-**IMPORTANT NOTE: As of 2021-12-14 Algo requires Python 3.8, but Google Cloud Shell only provides Python 3.7.3. The instructions below will not work until Google updates Cloud Shell to have at least Python 3.8.**

 If you want to try Algo but don't wish to install the software on your own system, you can use the **free** [Google Cloud Shell](https://cloud.google.com/shell/) to deploy a VPN to any supported cloud provider. Note that you cannot choose `Install to existing Ubuntu server` to turn Google Cloud Shell into your VPN server.

--- a/roles/cloud-hetzner/tasks/main.yml
+++ b/roles/cloud-hetzner/tasks/main.yml
@ -6,7 +6,7 @@
  import_tasks: prompts.yml

 - name: Create an ssh key
-  hcloud_ssh_key:
+  hetzner.hcloud.ssh_key:
    name: algo-{{ 999999 | random(seed=lookup('file', SSH_keys.public)) }}
    public_key: "{{ lookup('file', SSH_keys.public) }}"
    state: present
@ -14,7 +14,7 @@
  register: hcloud_ssh_key

 - name: Create a server...
-  hcloud_server:
+  hetzner.hcloud.server:
    name: "{{ algo_server_name }}"
    location: "{{ algo_hcloud_region }}"
    server_type: "{{ cloud_providers.hetzner.server_type }}"
--- a/roles/cloud-hetzner/tasks/prompts.yml
+++ b/roles/cloud-hetzner/tasks/prompts.yml
@ -13,13 +13,13 @@
    algo_hcloud_token: "{{ hcloud_token | default(_hcloud_token.user_input|default(None)) | default(lookup('env','HCLOUD_TOKEN'), true) }}"

 - name: Get regions
-  hcloud_datacenter_facts:
+  hetzner.hcloud.datacenter_info:
    api_token: "{{ algo_hcloud_token }}"
  register: _hcloud_regions

 - name: Set facts about the regions
  set_fact:
-    hcloud_regions: "{{ hcloud_datacenter_facts | sort(attribute='location') }}"
+    hcloud_regions: "{{ _hcloud_regions.hcloud_datacenter_info | sort(attribute='location') }}"

 - name: Set default region
  set_fact:
--- a/roles/cloud-vultr/tasks/main.yml
+++ b/roles/cloud-vultr/tasks/main.yml
@ -4,16 +4,17 @@

 - block:
    - name: Creating a firewall group
-      vultr_firewall_group:
+      vultr.cloud.firewall_group:
        name: "{{ algo_server_name }}"

    - name: Creating firewall rules
-      vultr_firewall_rule:
+      vultr.cloud.firewall_rule:
        group: "{{ algo_server_name }}"
        protocol: "{{ item.protocol }}"
        port: "{{ item.port }}"
-        ip_version: "{{ item.ip }}"
-        cidr: "{{ item.cidr }}"
+        ip_type: "{{ item.ip }}"
+        subnet: "{{ item.cidr.split('/')[0] }}"
+        subnet_size: "{{ item.cidr.split('/')[1] }}"
      with_items:
        - { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: 0.0.0.0/0 }
        - { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" }
@ -25,13 +26,13 @@
        - { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" }

    - name: Upload the startup script
-      vultr_startup_script:
+      vultr.cloud.startup_script:
        name: algo-startup
        script: |
          {{ lookup('template', 'files/cloud-init/base.yml') }}

    - name: Creating a server
-      vultr_server:
+      vultr.cloud.instance:
        name: "{{ algo_server_name }}"
        startup_script: algo-startup
        hostname: "{{ algo_server_name }}"
@ -40,17 +41,18 @@
        region: "{{ algo_vultr_region }}"
        firewall_group: "{{ algo_server_name }}"
        state: started
-        tag: Environment:Algo
-        ipv6_enabled: true
-        auto_backup_enabled: false
-        notify_activate: false
+        tags:
+          - Environment:Algo
+        enable_ipv6: true
+        backups: false
+        activation_email: false
      register: vultr_server

    - set_fact:
-        cloud_instance_ip: "{{ vultr_server.vultr_server.v4_main_ip }}"
+        cloud_instance_ip: "{{ vultr_server.vultr_instance.main_ip }}"
        ansible_ssh_user: algo
        ansible_ssh_port: "{{ ssh_port }}"
        cloudinit: true

  environment:
-    VULTR_API_CONFIG: "{{ algo_vultr_config }}"
+    VULTR_API_KEY: "{{ lookup('ini', 'key', section='default', file=algo_vultr_config) }}"
--- a/roles/cloud-vultr/tasks/prompts.yml
+++ b/roles/cloud-vultr/tasks/prompts.yml
@ -42,7 +42,7 @@
      What region should the server be located in?
      (https://www.vultr.com/locations/):
        {% for r in vultr_regions %}
-        {{ loop.index }}.   {{ r['name'] }}
+        {{ loop.index }}.   {{ r['name'] }} ({{ r['regioncode'] | lower }})
        {% endfor %}

      Enter the number of your desired region
@ -54,5 +54,5 @@
  set_fact:
    algo_vultr_region: >-
      {% if region is defined %}{{ region }}
-      {%- elif _algo_region.user_input %}{{ vultr_regions[_algo_region.user_input | int -1 ]['name'] }}
-      {%- else %}{{ vultr_regions[default_region | int - 1]['name'] }}{% endif %}
+      {%- elif _algo_region.user_input %}{{ vultr_regions[_algo_region.user_input | int -1 ]['regioncode'] | lower }}
+      {%- else %}{{ vultr_regions[default_region | int - 1]['regioncode'] | lower }}{% endif %}
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@ -155,10 +155,25 @@
        format: OpenSSH
      with_items: "{{ users }}"

+    - name: Get OpenSSL version
+      shell: |
+        set -o pipefail
+        {{ openssl_bin }} version |
+        cut -f 2 -d ' '
+      args:
+        executable: bash
+      register: ssl_version
+      run_once: true
+
+    - name: Set OpenSSL version fact
+      set_fact:
+        openssl_version: "{{ ssl_version.stdout }}"
+
    - name: Build the client's p12
      shell: >
        umask 077;
        {{ openssl_bin }} pkcs12
+        {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
        -in certs/{{ item }}.crt
        -inkey private/{{ item }}.key
        -export
@ -175,6 +190,7 @@
      shell: >
        umask 077;
        {{ openssl_bin }} pkcs12
+        {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
        -in certs/{{ item }}.crt
        -inkey private/{{ item }}.key
        -export
--- a/users.yml
+++ b/users.yml
@ -25,18 +25,17 @@
          set_fact:
            server_list: >-
              [{% for i in _configs_list.files %}
-                {% set config  = lookup('file', i.path)|from_yaml %}
-                '{{ config.server }}'
-                {{ ',' if not loop.last else '' }}
+                {% set config = lookup('file', i.path) | from_yaml %}
+                {{ {'server': config.server, 'IP_subject_alt_name': config.IP_subject_alt_name} }}
              {% endfor %}]

        - name: Server address prompt
          pause:
            prompt: |
-              Select the server to update user list below:
+              Select the server to update user list below: 
                {% for r in server_list %}
-                {{ loop.index }}. {{ r }}
-                {% endfor %}
+                  {{ loop.index }}. {{ r.server }} ({{ r.IP_subject_alt_name }})
+              {% endfor %}
          register: _server
      when: server is undefined

@ -45,7 +44,7 @@
          set_fact:
            algo_server: >-
              {% if server is defined %}{{ server }}
-              {%- elif _server.user_input %}{{ server_list[_server.user_input | int -1 ] }}
+              {%- elif _server.user_input %}{{ server_list[_server.user_input | int -1 ].server }}
              {%- else %}omit{% endif %}

        - name: Import host specific variables