remove the proxy role #440 (#457)

* remove the proxy role #440

* Separate facts. Make roles more independent from each other

move openssl to local tasks

move unneeded tasks

README.md

@@ -15,7 +15,7 @@ Algo VPN is a set of Ansible scripts that simplify the setup of a personal IPSEC
 * Supports only IKEv2 with strong crypto: AES-GCM, SHA2, and P-256
 * Generates Apple profiles to auto-configure iOS and macOS devices
 * Includes a helper script to add and remove users
-* Blocks ads with a local DNS resolver and HTTP proxy (optional)
+* Blocks ads with a local DNS resolver (optional)
 * Sets up limited SSH users for tunneling traffic (optional)
 * Based on current versions of Ubuntu and strongSwan
 * Installs to DigitalOcean, Amazon EC2, Microsoft Azure, Google Compute Engine, or your own server
@@ -79,7 +79,7 @@ You can now setup clients to connect it, e.g. your iPhone or laptop. Proceed to
         "\"#    Config files and certificates are in the ./configs/ directory.    #\"",
         "\"#              Go to https://whoer.net/ after connecting               #\"",
         "\"#        and ensure that all your traffic passes through the VPN.      #\"",
-        "\"#          Local DNS resolver and Proxy IP address: 172.16.0.1         #\"",
+        "\"#                    Local DNS resolver 172.16.0.1                     #\"",
         "\"#                The p12 and SSH keys password is XXXXXXXX             #\"",
         "\"#----------------------------------------------------------------------#\"",
 ```
@@ -180,9 +180,9 @@ Use the example command below to start an SSH tunnel by replacing `user` and `ip
 To SSH into the Algo server for administrative purposes you can use the example command below by replacing `ip` with your own:
 
  `ssh ubuntu@ip -i ~/.ssh/algo.pem`
- 
+
 If you find yourself regularly logging into Algo then it will be useful to load your Algo ssh key automatically.  Add the following snippet to the bottom of `~/.bash_profile` to add it to your shell environment permanently.
- 
+
  `ssh-add ~/.ssh/algo > /dev/null 2>&1`
 
 

config.cfg

@@ -28,7 +28,7 @@ dns_servers:
     - 2001:4860:4860::8888
     - 2001:4860:4860::8844
 
-# IP address for the proxy and the local dns resolver
+# IP address for the local dns resolver
 local_service_ip: 172.16.0.1
 
 pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
@@ -45,7 +45,7 @@ congrats:
     "#    Config files and certificates are in the ./configs/ directory.    #"
     "#              Go to https://whoer.net/ after connecting               #"
     "#        and ensure that all your traffic passes through the VPN.      #"
-    "#          Local DNS resolver and Proxy IP address: {{ local_service_ip }}         #"
+    "#               Local DNS resolver {{ local_service_ip }}              #"
   p12_pass: |
     "#                The p12 and SSH keys password is {{ easyrsa_p12_export_password }}             #"
   ca_key_pass: |

deploy.yml

@@ -41,13 +41,8 @@
       include: playbooks/common.yml
       tags: [ 'digitalocean', 'ec2', 'gce', 'azure', 'local', 'pre' ]
 
-    - set_fact:
-        cloud_deployment: true
-      tags: ['cloud']
-
   roles:
     - { role: security, tags: [ 'security' ] }
-    - { role: proxy, tags: [ 'proxy', 'adblock' ] }
     - { role: dns_adblocking, tags: ['dns', 'adblock' ] }
     - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ] }
     - { role: vpn, tags: [ 'vpn' ] }

docs/setup-roles.md

@@ -17,10 +17,6 @@
   * Enables [unattended-upgrades](https://help.ubuntu.com/community/AutomaticSecurityUpdates) to ensure available patches are always applied
   * Modify features like core dumps, kernel parameters, and SUID binaries to limit possible attacks
   * Enhances SSH with modern ciphers and seccomp, and restricts access to old or unwanted features like X11 forwarding and SFTP
-* **Proxy-based Adblocking and Compression**
-  * Installs [Privoxy](https://www.privoxy.org/) with an ad blocking ruleset
-  * Installs Apache with [mod_pagespeed](http://modpagespeed.com/) as an HTTP proxy
-  * Constrains Privoxy and Apache with AppArmor and cgroups CPU and memory limitations
 * **DNS-based Adblocking**
   * Install the [dnsmasq](http://www.thekelleys.org.uk/dnsmasq/doc.html) local resolver with a blacklist for advertising domains
   * Constrains dnsmasq with AppArmor and cgroups CPU and memory limitations

playbooks/common.yml

@@ -12,9 +12,4 @@
   include: freebsd.yml
   when: '"FreeBSD" in OS.stdout'
 
-- name: Ensure the algo ssh key exist on the server
+- include: facts/main.yml
-  authorized_key:
-    user: "{{ ansible_ssh_user }}"
-    state: present
-    key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
-  tags: [ 'cloud' ]

playbooks/facts/main.yml

@@ -0,0 +1,42 @@
+---
+
+- name: Gather Facts
+  setup:
+
+- name: Ensure the algo ssh key exist on the server
+  authorized_key:
+    user: "{{ ansible_ssh_user }}"
+    state: present
+    key: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
+  tags: [ 'cloud' ]
+
+- name: Enable IPv6
+  set_fact:
+    ipv6_support: true
+  when: ansible_default_ipv6.gateway is defined
+
+- name: Set facts if the deployment in a cloud
+  set_fact:
+    cloud_deployment: true
+  tags: ['cloud']
+
+- name: Generate password for the CA key
+  local_action:
+    module: shell
+      openssl rand -hex 16
+  become: no
+  register: CA_password
+
+- name: Define password facts
+  set_fact:
+    easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
+    easyrsa_CA_password: "{{ CA_password.stdout }}"
+
+- name: Define the commonName
+  set_fact:
+    IP_subject_alt_name: "{{ IP_subject_alt_name }}"
+
+- name: Change the algorithm to RSA
+  set_fact:
+    algo_params: "rsa:2048"
+  when: Win10_Enabled is defined and Win10_Enabled == "Y"

roles/dns_adblocking/tasks/main.yml

@@ -1,5 +1,4 @@
-- name: Gather Facts
+---
-  setup:
 
 - name: Dnsmasq installed
   package: name=dnsmasq

roles/proxy/handlers/main.yml

@@ -1,12 +0,0 @@
-- name: restart privoxy
-  service: name=privoxy state=restarted
-
-- name: daemon-reload
-  shell: systemctl daemon-reload
-
-- name: restart apparmor
-  service: name=apparmor state=restarted
-
-- name: restart apache2
-  service: name=apache2 state=restarted
-

roles/proxy/meta/main.yml

@@ -1,5 +0,0 @@
----
-
-dependencies:
-  - { role: common, tags: common }
-  - { role: vpn,  tags: vpn }

roles/proxy/tasks/main.yml

@@ -1,115 +0,0 @@
-- name: Gather Facts
-  setup:
-
-- name: Privoxy installed
-  apt: name=privoxy state=latest
-
-- name: Privoxy configured
-  template: src="{{ item.src }}" dest="{{ item.dest }}"
-  with_items:
-    - { src: privoxy_config.j2, dest: /etc/privoxy/config }
-    - { src: default.filter.j2, dest: /etc/privoxy/default.filter }
-  notify:
-    - restart privoxy
-
-- name: Privoxy profile for apparmor configured
-  template: src=usr.sbin.privoxy.j2 dest=/etc/apparmor.d/usr.sbin.privoxy owner=root group=root mode=0600
-  when: apparmor_enabled is defined and apparmor_enabled == true
-  notify:
-    - restart privoxy
-
-- name: Enforce the privoxy AppArmor policy
-  shell: aa-enforce usr.sbin.privoxy
-  when: apparmor_enabled is defined and apparmor_enabled == true
-  tags: ['apparmor']
-
-- name: Ensure that the privoxy service directory exist
-  file: path=/etc/systemd/system/privoxy.service.d/ state=directory mode=0755  owner=root group=root
-
-- name: Setup the cgroup limitations for the privoxy daemon
-  template: src=privoxy_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/privoxy.service.d/100-CustomLimitations.conf
-  notify:
-    - daemon-reload
-    - restart privoxy
-
-- meta: flush_handlers
-
-- name: Privoxy enabled and started
-  service: name=privoxy state=started enabled=yes
-
-# PageSpeed
-
-- name: Apache installed
-  apt: name=apache2 state=latest
-
-- name: PageSpeed installed for x86_64
-  apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_amd64.deb
-  when: ansible_architecture == "x86_64"
-
-- name: PageSpeed installed for i386
-  apt: deb=https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_i386.deb
-  when: ansible_architecture != "x86_64"
-
-- name: PageSpeed configured
-  template: src=pagespeed.conf.j2 dest=/etc/apache2/mods-available/pagespeed.conf
-  notify:
-    - restart apache2
-
-- name: Modules enabled
-  apache2_module: state=present name="{{ item }}"
-  with_items:
-    - proxy_http
-    - pagespeed
-    - cache
-    - proxy_connect
-    - proxy_html
-    - rewrite
-  notify:
-    - restart apache2
-
-- name: VirtualHost configured for the PageSpeed module
-  template: src=000-default.conf.j2 dest=/etc/apache2/sites-enabled/000-default.conf
-  notify:
-    - restart apache2
-
-- name: Apache ports configured
-  template: src=ports.conf.j2 dest=/etc/apache2/ports.conf
-  notify:
-    - restart apache2
-
-- name: Ensure that the apache2 service directory exist
-  file: path=/etc/systemd/system/apache2.service.d/ state=directory mode=0755  owner=root group=root
-
-- name: Setup the cgroup limitations for the apache2 daemon
-  template: src=apache2_100-CustomLimitations.conf.j2 dest=/etc/systemd/system/apache2.service.d/100-CustomLimitations.conf
-  notify:
-    - daemon-reload
-    - restart apache2
-
-- meta: flush_handlers
-
-- name: Set facts for mobileconfigs
-  set_fact:
-    proxy_enabled: true
-
-- name: Register p12 PayloadContent
-  shell: >
-    cat /{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}.p12 | base64
-  register:  PayloadContent
-  with_items: "{{ users }}"
-
-- name: Register CA PayloadContent
-  shell: >
-    cat /{{ easyrsa_dir }}/easyrsa3/pki/ca.crt | base64
-  register:  PayloadContentCA
-
-- name: Build the mobileconfigs
-  template: src=roles/vpn/templates/mobileconfig.j2 dest=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item.0 }}_proxy.mobileconfig mode=0600
-  with_together:
-    - "{{ users }}"
-    - "{{ PayloadContent.results }}"
-  no_log: True
-
-- name: Fetch users mobileconfig
-  fetch: src=/{{ easyrsa_dir }}/easyrsa3//pki/private/{{ item }}_proxy.mobileconfig dest=configs/{{ IP_subject_alt_name }}_{{ item }}_proxy.mobileconfig flat=yes
-  with_items: "{{ users }}"

roles/proxy/templates/000-default.conf.j2

@@ -1,11 +0,0 @@
-<VirtualHost *:*>
-    <Proxy *>
-            Order deny,allow
-            Allow from all
-    </Proxy>
-    RewriteEngine On
-    RewriteRule ^(.*)$ http://%{HTTP_HOST}$1 [NC,P]
-    ProxyPass            /  http://$1
-    ProxyPassReverse     /  http://$1
-    ProxyPreserveHost On
-</VirtualHost>

roles/proxy/templates/apache2_100-CustomLimitations.conf.j2

@@ -1,4 +0,0 @@
-[Service]
-MemoryLimit=134217728
-CPUAccounting=true
-CPUQuota=15%

roles/proxy/templates/pagespeed.conf.j2

@@ -1,369 +0,0 @@
-<IfModule pagespeed_module>
-    # Turn on mod_pagespeed. To completely disable mod_pagespeed, you
-    # can set this to "off".
-    ModPagespeed on
-
-    # We want VHosts to inherit global configuration.
-    # If this is not included, they'll be independent (except for inherently
-    # global options), at least for backwards compatibility.
-    ModPagespeedInheritVHostConfig on
-
-    # Direct Apache to send all HTML output to the mod_pagespeed
-    # output handler.
-    AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER text/html
-
-    # If you want mod_pagespeed process XHTML as well, please uncomment this
-    # line.
-    # AddOutputFilterByType MOD_PAGESPEED_OUTPUT_FILTER application/xhtml+xml
-
-    # The ModPagespeedFileCachePath directory must exist and be writable
-    # by the apache user (as specified by the User directive).
-    ModPagespeedFileCachePath            "/var/cache/mod_pagespeed/"
-
-    # LogDir is needed to store various logs, including the statistics log
-    # required for the console.
-    ModPagespeedLogDir "/var/log/pagespeed"
-
-    # The locations of SSL Certificates is distribution-dependent.
-    ModPagespeedSslCertDirectory "/etc/ssl/certs"
-    
-
-    # If you want, you can use one or more memcached servers as the store for
-    # the mod_pagespeed cache.
-    # ModPagespeedMemcachedServers localhost:11211
-
-    # A portion of the cache can be kept in memory only, to reduce load on disk
-    # (or memcached) from many small files.
-    # ModPagespeedCreateSharedMemoryMetadataCache "/var/cache/mod_pagespeed/" 51200
-
-    # Override the mod_pagespeed 'rewrite level'. The default level
-    # "CoreFilters" uses a set of rewrite filters that are generally
-    # safe for most web pages. Most sites should not need to change
-    # this value and can instead fine-tune the configuration using the
-    # ModPagespeedDisableFilters and ModPagespeedEnableFilters
-    # directives, below. Valid values for ModPagespeedRewriteLevel are
-    # PassThrough, CoreFilters and TestingCoreFilters.
-    #
-    ModPagespeedRewriteLevel  CoreFilters
-    
-    ModPagespeedEnableFilters combine_heads
-    ModPagespeedEnableFilters combine_javascript
-    ModPagespeedEnableFilters convert_jpeg_to_webp
-    ModPagespeedEnableFilters convert_png_to_jpeg
-    ModPagespeedEnableFilters inline_preview_images
-    ModPagespeedEnableFilters make_google_analytics_async
-    ModPagespeedEnableFilters move_css_above_scripts
-    ModPagespeedEnableFilters move_css_to_head
-    ModPagespeedEnableFilters resize_mobile_images
-    ModPagespeedEnableFilters sprite_images
-
-    ModPagespeedEnableFilters defer_iframe
-    ModPagespeedEnableFilters defer_javascript
-    ModPagespeedEnableFilters lazyload_images
-
-    # Explicitly disables specific filters. This is useful in
-    # conjunction with ModPagespeedRewriteLevel. For instance, if one
-    # of the filters in the CoreFilters needs to be disabled for a
-    # site, that filter can be added to
-    # ModPagespeedDisableFilters. This directive contains a
-    # comma-separated list of filter names, and can be repeated.
-    #
-    # ModPagespeedDisableFilters rewrite_images
-
-    # Explicitly enables specific filters. This is useful in
-    # conjunction with ModPagespeedRewriteLevel. For instance, filters
-    # not included in the CoreFilters may be enabled using this
-    # directive. This directive contains a comma-separated list of
-    # filter names, and can be repeated.
-    #
-    # ModPagespeedEnableFilters rewrite_javascript,rewrite_css
-    # ModPagespeedEnableFilters collapse_whitespace,elide_attributes
-
-    # Explicitly forbids the enabling of specific filters using either query
-    # parameters or request headers. This is useful, for example, when we do
-    # not want the filter to run for performance or security reasons. This
-    # directive contains a comma-separated list of filter names, and can be
-    # repeated.
-    #
-    # ModPagespeedForbidFilters rewrite_images
-
-    # How long mod_pagespeed will wait to return an optimized resource
-    # (per flush window) on first request before giving up and returning the
-    # original (unoptimized) resource. After this deadline is exceeded the
-    # original resource is returned and the optimization is pushed to the
-    # background to be completed for future requests. Increasing this value will
-    # increase page latency, but might reduce load time (for instance on a
-    # bandwidth-constrained link where it's worth waiting for image
-    # compression to complete). If the value is less than or equal to zero
-    # mod_pagespeed will wait indefinitely for the rewrite to complete before
-    # returning.
-    #
-    # ModPagespeedRewriteDeadlinePerFlushMs 10
-
-    # ModPagespeedDomain
-    # authorizes rewriting of JS, CSS, and Image files found in this
-    # domain. By default only resources with the same origin as the
-    # HTML file are rewritten. For example:
-    #
-    ModPagespeedDomain *
-    #
-    # This will allow resources found on http://cdn.myhost.com to be
-    # rewritten in addition to those in the same domain as the HTML.
-    #
-    # Other domain-related directives (like ModPagespeedMapRewriteDomain
-    # and ModPagespeedMapOriginDomain) can also authorize domains.
-    #
-    # Wildcards (* and ?) are allowed in the domain specification. Be
-    # careful when using them as if you rewrite domains that do not
-    # send you traffic, then the site receiving the traffic will not
-    # know how to serve the rewritten content.
-
-    # If you use downstream caches such as varnish or proxy_cache for caching
-    # HTML, you can configure pagespeed to work with these caches correctly
-    # using the following directives. Note that the values for
-    # ModPagespeedDownstreamCachePurgeLocationPrefix and
-    # ModPagespeedDownstreamCacheRebeaconingKey are deliberately left empty here
-    # in order to force the webmaster to choose appropriate value for these.
-    #
-    # ModPagespeedDownstreamCachePurgeLocationPrefix
-    # ModPagespeedDownstreamCachePurgeMethod PURGE
-    # ModPagespeedDownstreamCacheRewrittenPercentageThreshold 95
-    # ModPagespeedDownstreamCacheRebeaconingKey
-
-    # Other defaults (cache sizes and thresholds):
-    #
-    # ModPagespeedFileCacheSizeKb          102400
-    # ModPagespeedFileCacheCleanIntervalMs 3600000
-    # ModPagespeedLRUCacheKbPerProcess     1024
-    # ModPagespeedLRUCacheByteLimit        16384
-    # ModPagespeedCssFlattenMaxBytes       102400
-    # ModPagespeedCssInlineMaxBytes        2048
-    # ModPagespeedCssImageInlineMaxBytes   0
-    # ModPagespeedImageInlineMaxBytes      3072
-    # ModPagespeedJsInlineMaxBytes         2048
-    # ModPagespeedCssOutlineMinBytes       3000
-    # ModPagespeedJsOutlineMinBytes        3000
-    # ModPagespeedMaxCombinedCssBytes      -1
-    # ModPagespeedMaxCombinedJsBytes       92160
-
-    # Limit the number of inodes in the file cache. Set to 0 for no limit.
-    # The default value if this parameter is not specified is 0 (no limit).
-    ModPagespeedFileCacheInodeLimit        500000
-
-    # Bound the number of images that can be rewritten at any one time; this
-    # avoids overloading the CPU.  Set this to 0 to remove the bound.
-    #
-    # ModPagespeedImageMaxRewritesAtOnce      8
-
-    # You can also customize the number of threads per Apache process
-    # mod_pagespeed will use to do resource optimization. Plain
-    # "rewrite threads" are used to do short, latency-sensitive work,
-    # while "expensive rewrite threads" are used for actual optimization
-    # work that's more computationally expensive. If you live these unset,
-    # or use values <= 0 the defaults will be used, which is 1 for both
-    # values when using non-threaded MPMs (e.g. prefork) and 4 for both
-    # on threaded MPMs (e.g. worker and event). These settings can only
-    # be changed globally, and not per virtual host.
-    #
-    # ModPagespeedNumRewriteThreads 4
-    # ModPagespeedNumExpensiveRewriteThreads 4
-
-    # Randomly drop rewrites (*) to increase the chance of optimizing
-    # frequently fetched resources and decrease the chance of optimizing
-    # infrequently fetched resources. This can reduce CPU load. The default
-    # value of this parameter is 0 (no drops).  90 means that a resourced
-    # fetched once has a 10% probability of being optimized while a resource
-    # that is fetched 50 times has a 99.65% probability of being optimized.
-    #
-    # (*) Currently only CSS files and images are randomly dropped.  Images
-    # within CSS files are not randomly dropped.
-    #
-    # ModPagespeedRewriteRandomDropPercentage 90
-
-    # Many filters modify the URLs of resources in HTML files. This is typically
-    # harmless but pages whose JavaScript expects to read or modify the original
-    # URLs may break. The following parameters prevent filters from modifying
-    # URLs of their respective types.
-    #
-    # ModPagespeedJsPreserveURLs on
-    # ModPagespeedImagePreserveURLs on
-    # ModPagespeedCssPreserveURLs on
-
-    # When PreserveURLs is on, it is still possible to enable browser-specific
-    # optimizations (for example, webp images can be served to browsers that
-    # will accept them).  They'll be served with Vary: Accept or Vary:
-    # User-Agent headers as appropriate.  Note that this may require configuring
-    # reverse proxy caches such as varnish to handle these headers properly.
-    #
-    # ModPagespeedFilters in_place_optimize_for_browser
-
-    # Internet Explorer has difficulty caching resources with Vary: headers.
-    # They will either be uncached (older IE) or require revalidation.  See:
-    # http://blogs.msdn.com/b/ieinternals/archive/2009/06/17/vary-header-prevents-caching-in-ie.aspx
-    # As a result we serve them as Cache-Control: private instead by default.
-    # If you are using a reverse proxy or CDN configured to cache content with
-    # the Vary: Accept header you should turn this setting off.
-    #
-    # ModPagespeedPrivateNotVaryForIE on
-
-    # Settings for image optimization:
-    #
-    # Lossy image recompression quality (0 to 100, -1 just strips metadata):
-    # ModPagespeedImageRecompressionQuality 85
-    #
-    # Jpeg recompression quality (0 to 100, -1 uses ImageRecompressionQuality):
-    # ModPagespeedJpegRecompressionQuality -1
-    # ModPagespeedJpegRecompressionQualityForSmallScreens 70
-    
-    ModPagespeedJpegRecompressionQuality 75
-    
-    #
-    # WebP recompression quality (0 to 100, -1 uses ImageRecompressionQuality):
-    # ModPagespeedWebpRecompressionQuality 80
-    # ModPagespeedWebpRecompressionQualityForSmallScreens 70
-    #
-    # Timeout for conversions to WebP format, in
-    # milliseconds. Negative values mean no timeout is applied. The
-    # default value is -1:
-    # ModPagespeedWebpTimeoutMs 5000
-    #
-    # Percent of original image size below which optimized images are retained:
-    # ModPagespeedImageLimitOptimizedPercent 100
-    #
-    # Percent of original image area below which image resizing will be
-    # attempted:
-    # ModPagespeedImageLimitResizeAreaPercent 100
-
-    # Settings for inline preview images
-    #
-    # Setting this to n restricts preview images to the first n images found on
-    # the page.  The default of -1 means preview images can appear anywhere on
-    # the page (if those images appear above the fold).
-    # ModPagespeedMaxInlinedPreviewImagesIndex -1
-
-    # Sets the minimum size in bytes of any image for which a low quality image
-    # is generated.
-    # ModPagespeedMinImageSizeLowResolutionBytes 3072
-
-    # The maximum URL size is generally limited to about 2k characters
-    # due to IE: See http://support.microsoft.com/kb/208427/EN-US.
-    # Apache servers by default impose a further limitation of about
-    # 250 characters per URL segment (text between slashes).
-    # mod_pagespeed circumvents this limitation, but if you employ
-    # proxy servers in your path you may need to re-impose it by
-    # overriding the setting here.  The default setting is 1024
-    # characters.
-    #
-    # ModPagespeedMaxSegmentLength 250
-
-    # Uncomment this if you want to prevent mod_pagespeed from combining files
-    # (e.g. CSS files) across paths
-    #
-    # ModPagespeedCombineAcrossPaths off
-
-    # Renaming JavaScript URLs can sometimes break them.  With this
-    # option enabled, mod_pagespeed uses a simple heuristic to decide
-    # not to rename JavaScript that it thinks is introspective.
-    #
-    # You can uncomment this to let mod_pagespeed rename all JS files.
-    #
-    # ModPagespeedAvoidRenamingIntrospectiveJavaScript off
-
-    # Certain common JavaScript libraries are available from Google, which acts
-    # as a CDN and allows you to benefit from browser caching if a new visitor
-    # to your site previously visited another site that makes use of the same
-    # libraries as you do.  Enable the following filter to turn on this feature.
-    #
-    # ModPagespeedEnableFilters canonicalize_javascript_libraries
-
-    # The following line configures a library that is recognized by
-    # canonicalize_javascript_libraries.  This will have no effect unless you
-    # enable this filter (generally by uncommenting the last line in the
-    # previous stanza).  The format is:
-    #    ModPagespeedLibrary bytes md5 canonical_url
-    # Where bytes and md5 are with respect to the *minified* JS; use
-    # js_minify --print_size_and_hash to obtain this data.
-    # Note that we can register multiple hashes for the same canonical url;
-    # we do this if there are versions available that have already been minified
-    # with more sophisticated tools.
-    #
-    # Additional library configuration can be found in
-    # pagespeed_libraries.conf included in the distribution.  You should add
-    # new entries here, though, so that file can be automatically upgraded.
-    # ModPagespeedLibrary 43 1o978_K0_LNE5_ystNklf http://www.modpagespeed.com/rewrite_javascript.js
-
-    # Explicitly tell mod_pagespeed to load some resources from disk.
-    # This will speed up load time and update frequency.
-    #
-    # This should only be used for static resources which do not need
-    # specific headers set or other processing by Apache.
-    #
-    # Both URL and filesystem path should specify directories and
-    # filesystem path must be absolute (for now).
-    #
-    # ModPagespeedLoadFromFile "http://example.com/static/" "/var/www/static/"
-
-
-    # Enables server-side instrumentation and statistics.  If this rewriter is
-    # enabled, then each rewritten HTML page will have instrumentation javascript
-    # added that sends latency beacons to /mod_pagespeed_beacon.  These
-    # statistics can be accessed at /mod_pagespeed_statistics.  You must also
-    # enable the mod_pagespeed_statistics and mod_pagespeed_beacon handlers
-    # below.
-    #
-    # ModPagespeedEnableFilters add_instrumentation
-
-    # The add_instrumentation filter sends a beacon after the page onload
-    # handler is called. The user might navigate to a new URL before this. If
-    # you enable the following directive, the beacon is sent as part of an
-    # onbeforeunload handler, for pages where navigation happens before the
-    # onload event.
-    #
-    # ModPagespeedReportUnloadTime on
-
-    # Uncomment the following line so that ModPagespeed will not cache or
-    # rewrite resources with Vary: in the header, e.g. Vary: User-Agent.
-    # Note that ModPagespeed always respects Vary: headers on html content.
-    # ModPagespeedRespectVary on
-
-    # Uncomment the following line if you want to disable statistics entirely.
-    #
-    # ModPagespeedStatistics off
-
-    # These handlers are central entry-points into the admin pages.
-    # By default, pagespeed_admin and pagespeed_global_admin present
-    # the same data, and differ only when
-    # ModPagespeedUsePerVHostStatistics is enabled.  In that case,
-    # /pagespeed_global_admin sees aggregated data across all vhosts,
-    # and the /pagespeed_admin sees data only for a particular vhost.
-    #
-    # You may insert other "Allow from" lines to add hosts you want to
-    # allow to look at generated statistics.  Another possibility is
-    # to comment out the "Order" and "Allow" options from the config
-    # file, to allow any client that can reach your server to access
-    # and change server state, such as statistics, caches, and
-    # messages.  This might be appropriate in an experimental setup.
-    <Location /pagespeed_admin>
-        Order allow,deny
-        Allow from localhost
-        Allow from 127.0.0.1
-        SetHandler pagespeed_admin
-    </Location>
-    <Location /pagespeed_global_admin>
-        Order allow,deny
-        Allow from localhost
-        Allow from 127.0.0.1
-        SetHandler pagespeed_global_admin
-    </Location>
-
-    # Enable logging of mod_pagespeed statistics, needed for the console.
-    ModPagespeedStatisticsLogging on
-
-    # Page /mod_pagespeed_message lets you view the latest messages from
-    # mod_pagespeed, regardless of log-level in your httpd.conf
-    # ModPagespeedMessageBufferSize is the maximum number of bytes you would
-    # like to dump to your /mod_pagespeed_message page at one time,
-    # its default value is 100k bytes.
-    # Set it to 0 if you want to disable this feature.
-    ModPagespeedMessageBufferSize 100000
-</IfModule>

roles/proxy/templates/ports.conf.j2

@@ -1,13 +0,0 @@
-# If you just change the port or add more ports here, you will likely also
-# have to change the VirtualHost statement in
-# /etc/apache2/sites-enabled/000-default.conf
-
-Listen {{ local_service_ip }}:8080
-
-<IfModule ssl_module>
-	Listen {{ local_service_ip }}:443
-</IfModule>
-
-<IfModule mod_gnutls.c>
-	Listen {{ local_service_ip }}:443
-</IfModule>

roles/proxy/templates/privoxy_100-CustomLimitations.conf.j2

@@ -1,4 +0,0 @@
-[Service]
-MemoryLimit=33554432
-CPUAccounting=true
-CPUQuota=15%

roles/proxy/templates/usr.sbin.privoxy.j2

@@ -1,15 +0,0 @@
-#include <tunables/global>
-
-/usr/sbin/privoxy {
-  #include <abstractions/apache2-common>
-  #include <abstractions/base>
-
-  capability setgid,
-  capability setuid,
-
-  /etc/privoxy/* r,
-  /etc/privoxy/templates/* r,
-  /run/privoxy.pid w,
-  /var/log/privoxy/logfile w,
-
-}

roles/security/tasks/main.yml

@@ -1,3 +1,5 @@
+---
+
 - name: Install tools
   apt: name="{{ item }}" state=latest
   with_items:

roles/ssh_tunneling/tasks/main.yml

@@ -1,8 +1,5 @@
 ---
 
-- set_fact:
-    IP_subject_alt_name: "{{ IP_subject_alt_name }}"
-
 - name: Ensure that the sshd_config file has desired options
   blockinfile:
     dest: /etc/ssh/sshd_config

roles/vpn/tasks/main.yml

@@ -1,25 +1,4 @@
-- name: Gather Facts
+---
-  setup:
-
-- name: Enable IPv6
-  set_fact:
-    ipv6_support: true
-  when: ansible_default_ipv6.gateway is defined
-
-- name: Generate password for the CA key
-  shell: >
-    openssl rand -hex 16
-  register: CA_password
-
-- set_fact:
-    easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
-    easyrsa_CA_password: "{{ CA_password.stdout }}"
-    IP_subject_alt_name: "{{ IP_subject_alt_name }}"
-
-- name: Change the algorithm to RSA
-  set_fact:
-    algo_params: "rsa:2048"
-  when: Win10_Enabled is defined and Win10_Enabled == "Y"
 
 - name: Ensure that the strongswan group exist
   group: name=strongswan state=present

users.yml

@@ -40,10 +40,6 @@
     - name: Common pre-tasks
       include: playbooks/common.yml
 
-    - set_fact:
-        IP_subject_alt_name: "{{ IP_subject }}"
-        easyrsa_p12_export_password: "{{ p12_export_password|default((ansible_date_time.iso8601_basic|sha1|to_uuid).split('-')[0]) }}"
-
   roles:
     - { role: ssh_tunneling, tags: [ 'ssh_tunneling' ], when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }