* Support for associating to existing AWS Elastic IP
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
* Backport ec2_eip_facts module for EIP support
This means that EIP support no longer requires Ansible 2.6
The local fact module has been named ec2_elasticip_facts
to avoid conflict with the ec2_eip_facts module whenever
the Ansible 2.6 upgrade takes place.
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
* Update from review feedback.
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
* Move to the native module. Add additional condition for existing Elastic IP
With preexisting wait_for implementation, deployment to Ubuntu on Lightsail failed with a connection reset error on this task. It appears that Ansible’s wait_for_connection is the recommended way. I have successfully gotten past this task after this change, however I’d appreciate more eyes on this.
* generate service IPs dynamically
* update cloud-init tests
* exclude ipsec and wireguard ranges from the random service ip
* Update docs
* @davidemyers: update wireguard docs for linux
* Move to netaddr filter
* AllowedIPs fix
* WireGuard IPs fix
* Update main.yml
* Change module names and add IPv6 firewall rules
Uses guide at https://www.renemoser.net/blog/2018/03/19/vultr-firewalling-with-ansible/ written by Rene Moser.
* change vultr to vr
* add ip_version to firewall rules
* add SSH access rules
* Use variable for wireguard port
* update module names for ansible 2.7
* Fix trailing whitespaces
* Try to fix trailing whitespaces again
<!--- Provide a general summary of your changes in the Title above -->
## Description
Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes#1330 and closes#1162
Configures Ansible to use python3 on the server side. Closes#1024
Removes unneeded playbooks, reorganises a lot of variables
Reorganises the `config` folder. Closes#1330
<details><summary>Here is how the config directory looks like now</summary>
<p>
```
configs/X.X.X.X/
|-- ipsec
| |-- apple
| | |-- desktop.mobileconfig
| | |-- laptop.mobileconfig
| | `-- phone.mobileconfig
| |-- manual
| | |-- cacert.pem
| | |-- desktop.p12
| | |-- desktop.ssh.pem
| | |-- ipsec_desktop.conf
| | |-- ipsec_desktop.secrets
| | |-- ipsec_laptop.conf
| | |-- ipsec_laptop.secrets
| | |-- ipsec_phone.conf
| | |-- ipsec_phone.secrets
| | |-- laptop.p12
| | |-- laptop.ssh.pem
| | |-- phone.p12
| | `-- phone.ssh.pem
| `-- windows
| |-- desktop.ps1
| |-- laptop.ps1
| `-- phone.ps1
|-- ssh-tunnel
| |-- desktop.pem
| |-- desktop.pub
| |-- laptop.pem
| |-- laptop.pub
| |-- phone.pem
| |-- phone.pub
| `-- ssh_config
`-- wireguard
|-- desktop.conf
|-- desktop.png
|-- laptop.conf
|-- laptop.png
|-- phone.conf
`-- phone.png
```
</p>
</details>
## Motivation and Context
This refactoring is focused to aim to the 1.0 release
## How Has This Been Tested?
Deployed to several cloud providers with various options enabled and disabled
## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Refactoring
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] All new and existing tests passed.
If a user is not connected to a trusted Wi-Fi network or if the
URLStringProbe fails none of the existing dictionaries match.
According to the Apple Configuration Profile Reference[1] section "VPN
Payload > On Demand Rules Dictionary Keys" a default behavior for
unknown networks with no matching criteria should always be set as the
last dictionary in the array. The current default behavior is to allow a
connection to occur, but this behavior is not guaranteed.
Tear down the VPN connection and do not reconnect on demand as long as
the catch-all dictionary matches to guarantee the default behavior and
more specifically allow users to access captive portals.
[1]: https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
I change a line to Include the Algo generated password so the users do not need to manually enter the password when installing on Windows 10 computers.
<!--- Provide a general summary of your changes in the Title above -->
## Description
Apparmor profile for dnscrypt-proxy didn't work at all
## Motivation and Context
Fixes#1155
## How Has This Been Tested?
Deployed to DigitalOcean, checked that the dnscrypt-proxy binary is in enforce mode
## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Bug fix (non-breaking change which fixes an issue)
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] All new and existing tests passed.
Adds "Algo VPN" to the organization in the "Profiles" menu of "General Settings". (The type still shows up as "Unknown" in the "VPN" menu, because that seems to be governed by the "VPNSubType" string, which must be empty according to the [developer reference](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf) Maybe this can help clear the way for #1101.
