* Fix VPN routing by adding output interface to NAT rules
The NAT rules were missing the output interface specification (-o eth0),
which caused routing failures on multi-homed systems (servers with multiple
network interfaces). Without specifying the output interface, packets might
not be NAT'd correctly.
Changes:
- Added -o {{ ansible_default_ipv4['interface'] }} to all NAT rules
- Updated both IPv4 and IPv6 templates
- Updated tests to verify output interface is present
- Added ansible_default_ipv4/ipv6 to test fixtures
This fixes the issue where VPN clients could connect but not route traffic
to the internet on servers with multiple network interfaces (like DigitalOcean
droplets with private networking enabled).
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix VPN routing by adding output interface to NAT rules
On multi-homed systems (servers with multiple network interfaces or multiple IPs
on one interface), MASQUERADE rules need to specify which interface to use for
NAT. Without the output interface specification, packets may not be routed correctly.
This fix adds the output interface to all NAT rules:
-A POSTROUTING -s [vpn_subnet] -o eth0 -j MASQUERADE
Changes:
- Modified roles/common/templates/rules.v4.j2 to include output interface
- Modified roles/common/templates/rules.v6.j2 for IPv6 support
- Added tests to verify output interface is present in NAT rules
- Added ansible_default_ipv4/ipv6 variables to test fixtures
For deployments on providers like DigitalOcean where MASQUERADE still fails
due to multiple IPs on the same interface, users can enable the existing
alternative_ingress_ip option in config.cfg to use explicit SNAT.
Testing:
- Verified on live servers
- All unit tests pass (67/67)
- Mutation testing confirms test coverage
This fixes VPN connectivity on servers with multiple interfaces while
remaining backward compatible with single-interface deployments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix dnscrypt-proxy not listening on VPN service IPs
Problem: dnscrypt-proxy on Ubuntu uses systemd socket activation by default,
which overrides the configured listen_addresses in dnscrypt-proxy.toml.
The socket only listens on 127.0.2.1:53, preventing VPN clients from
resolving DNS queries through the configured service IPs.
Solution: Disable and mask the dnscrypt-proxy.socket unit to allow
dnscrypt-proxy to bind directly to the VPN service IPs specified in
its configuration file.
This fixes DNS resolution for VPN clients on Ubuntu 20.04+ systems.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Apply Python linting and formatting
- Run ruff check --fix to fix linting issues
- Run ruff format to ensure consistent formatting
- All tests still pass after formatting changes
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Restrict DNS access to VPN clients only
Security fix: The firewall rule for DNS was accepting traffic from any
source (0.0.0.0/0) to the local DNS resolver. While the service IP is
on the loopback interface (which normally isn't routable externally),
this could be a security risk if misconfigured.
Changed firewall rules to only accept DNS traffic from VPN subnets:
- INPUT rule now includes -s {{ subnets }} to restrict source IPs
- Applied to both IPv4 and IPv6 rules
- Added test to verify DNS is properly restricted
This ensures the DNS resolver is only accessible to connected VPN
clients, not the entire internet.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix dnscrypt-proxy service startup with masked socket
Problem: dnscrypt-proxy.service has a dependency on dnscrypt-proxy.socket
through the TriggeredBy directive. When we mask the socket before starting
the service, systemd fails with "Unit dnscrypt-proxy.socket is masked."
Solution:
1. Override the service to remove socket dependency (TriggeredBy=)
2. Reload systemd daemon immediately after override changes
3. Start the service (which now doesn't require the socket)
4. Only then disable and mask the socket
This ensures dnscrypt-proxy can bind directly to the configured IPs
without socket activation, while preventing the socket from being
re-enabled by package updates.
Changes:
- Added TriggeredBy= override to remove socket dependency
- Added explicit daemon reload after service overrides
- Moved socket masking to after service start in main.yml
- Fixed YAML formatting issues
Testing: Deployment now succeeds with dnscrypt-proxy binding to VPN IPs
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix dnscrypt-proxy by not masking the socket
Problem: Masking dnscrypt-proxy.socket prevents the service from starting
because the service has Requires=dnscrypt-proxy.socket dependency.
Solution: Simply stop and disable the socket without masking it. This
prevents socket activation while allowing the service to start and bind
directly to the configured IPs.
Changes:
- Removed socket masking (just disable it)
- Moved socket disabling before service start
- Removed invalid systemd directives from override
Testing: Confirmed dnscrypt-proxy now listens on VPN service IPs
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Use systemd socket activation properly for dnscrypt-proxy
Instead of fighting systemd socket activation, configure it to listen
on the correct VPN service IPs. This is more systemd-native and reliable.
Changes:
- Create socket override to listen on VPN IPs instead of localhost
- Clear default listeners and add VPN service IPs
- Use empty listen_addresses in dnscrypt-proxy.toml for socket activation
- Keep socket enabled and let systemd manage the activation
- Add handler for restarting socket when config changes
Benefits:
- Works WITH systemd instead of against it
- Survives package updates better
- No dependency conflicts
- More reliable service management
This approach is cleaner than disabling socket activation entirely and
ensures dnscrypt-proxy is accessible to VPN clients on the correct IPs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Document debugging lessons learned in CLAUDE.md
Added comprehensive debugging guidance based on our troubleshooting session:
- VPN connectivity troubleshooting order (DNS first!)
- systemd socket activation best practices
- Common deployment failures and solutions
- Time wasters to avoid (lessons learned the hard way)
- Multi-homed system considerations
- Testing notes for DigitalOcean
These additions will help future debugging sessions avoid the same
rabbit holes and focus on the most likely issues first.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix DNS resolution for VPN clients by enabling route_localnet
The issue was that dnscrypt-proxy listens on a special loopback IP
(randomly generated in 172.16.0.0/12 range) which wasn't accessible
from VPN clients. This fix:
1. Enables net.ipv4.conf.all.route_localnet sysctl to allow routing
to loopback IPs from other interfaces
2. Ensures dnscrypt-proxy socket is properly restarted when its
configuration changes
3. Adds proper handler flushing after socket configuration updates
This allows VPN clients to reach the DNS resolver at the local_service_ip
address configured on the loopback interface.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Improve security by using interface-specific route_localnet
Instead of enabling route_localnet globally (net.ipv4.conf.all.route_localnet),
this change enables it only on the specific interfaces that need it:
- WireGuard interface (wg0) for WireGuard VPN clients
- Main network interface (eth0/etc) for IPsec VPN clients
This minimizes the security impact by restricting loopback routing to only
the VPN interfaces, preventing other interfaces from being able to route
to loopback addresses.
The interface-specific approach provides the same functionality (allowing
VPN clients to reach the DNS resolver on the local_service_ip) while
reducing the potential attack surface.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Revert to global route_localnet to fix deployment failure
The interface-specific route_localnet approach failed because:
- WireGuard interface (wg0) doesn't exist until the service starts
- We were trying to set the sysctl before the interface was created
- This caused deployment failures with "No such file or directory"
Reverting to the global setting (net.ipv4.conf.all.route_localnet=1) because:
- It always works regardless of interface creation timing
- VPN users are trusted (they have our credentials)
- Firewall rules still restrict access to only port 53
- The security benefit of interface-specific settings is minimal
- The added complexity isn't worth the marginal security improvement
This ensures reliable deployments while maintaining the DNS resolution fix.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix dnscrypt-proxy socket restart and remove problematic BPF hardening
Two important fixes:
1. Fix dnscrypt-proxy socket not restarting with new configuration
- The socket wasn't properly restarting when its override config changed
- This caused DNS to listen on wrong IP (127.0.2.1 instead of local_service_ip)
- Now directly restart the socket when configuration changes
- Add explicit daemon reload before restarting
2. Remove BPF JIT hardening that causes deployment errors
- The net.core.bpf_jit_enable sysctl isn't available on all kernels
- It was causing "Invalid argument" errors during deployment
- This was optional security hardening with minimal benefit
- Removing it eliminates deployment errors for most users
These fixes ensure reliable DNS resolution for VPN clients and clean
deployments without error messages.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Update CLAUDE.md with comprehensive debugging lessons learned
Based on our extensive debugging session, this update adds critical documentation:
## DNS Architecture and Troubleshooting
- Explained the local_service_ip design and why it requires route_localnet
- Added detailed DNS debugging methodology with exact steps in order
- Documented systemd socket activation complexities and common mistakes
- Added specific commands to verify DNS is working correctly
## Architectural Decisions
- Added new section explaining trade-offs in Algo's design choices
- Documented why local_service_ip uses loopback instead of alternatives
- Explained iptables-legacy vs iptables-nft backend choice
## Enhanced Debugging Guidance
- Expanded troubleshooting with exact commands and expected outputs
- Added warnings about configuration changes that need restarts
- Documented socket activation override requirements in detail
- Added common pitfalls like interface-specific sysctls
## Time Wasters Section
- Added new lessons learned from this debugging session
- Interface-specific route_localnet (fails before interface exists)
- DNAT for loopback addresses (doesn't work)
- BPF JIT hardening (causes errors on many kernels)
This documentation will help future maintainers avoid the same debugging
rabbit holes and understand why things are designed the way they are.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Fix VPN traffic routing issue with iptables NAT rules
The MASQUERADE rules had policy matching (-m policy --pol none --dir out)
which was preventing both WireGuard AND IPsec traffic from being NAT'd
properly. This policy match was incorrect and broke internet routing for
all VPN clients.
The confusion arose because:
- IPsec FORWARD rules check for --pol ipsec (encrypted traffic)
- But POSTROUTING happens AFTER decryption, so packets no longer have policy
- The --pol none match was blocking these decrypted packets from NAT
Changes:
- Removed policy matching from both IPsec and WireGuard NAT rules
- Both VPN types now use simple source-based NAT rules
- Applied to both IPv4 and IPv6 rule templates
This fixes the issue where VPN clients (both WireGuard and IPsec) could
connect but not route traffic to the internet.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Remove unnecessary policy matching from iptables rules
The policy matching (-m policy --pol none) was causing routing issues for
both WireGuard and IPsec VPN traffic. This was based on a misunderstanding
of how iptables processes VPN traffic:
1. FORWARD chain: IPsec needs --pol ipsec to identify encrypted traffic,
but WireGuard doesn't need any policy match (it's not IPsec)
2. POSTROUTING NAT: Both VPN types see decrypted packets here, so policy
matching is unnecessary and was blocking NAT
Changes:
- Removed policy matching from all NAT rules (both VPN types)
- Removed policy matching from WireGuard FORWARD rules
- Kept policy matching only for IPsec FORWARD (where it's needed)
- Added comprehensive unit tests to prevent regression
This fully fixes VPN routing for both WireGuard and IPsec clients.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix Python linting issues in iptables test file
Fixed all ruff linting issues:
- Removed unused yaml import
- Fixed import sorting (pathlib before third-party imports)
- Removed trailing whitespace from blank lines
- Added newline at end of file
All tests still pass after formatting fixes.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Fix AWS Lightsail deployment error by removing deprecated boto3 parameter
Remove the deprecated boto3 parameter from get_aws_connection_info() call
in the lightsail_region_facts module. This parameter has been non-functional
since amazon.aws collection 4.0.0 and was removed in recent versions bundled
with Ansible 11.x, causing deployment failures.
The function works correctly without this parameter as the module already
properly imports and validates boto3 availability.
Closes#14822🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Update uv.lock to fix Docker build failure
The lockfile was out of sync after the Ansible 11.8.0 to 11.9.0 upgrade.
This regenerates the lockfile to include:
- ansible 11.9.0 (was 11.8.0)
- ansible-core 2.18.8 (was 2.18.7)
This fixes the Docker build CI failure where uv sync --locked was failing
due to lockfile mismatch.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix Jinja spacing linter issues correctly
- Add spacing in lookup('env', 'VAR') calls
- Fix spacing around pipe operators within Jinja expressions only
- Preserve YAML block scalar syntax (prompt: |)
- Fix array indexing spacing within Jinja expressions
- All changes pass yamllint and ansible-lint tests
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add algo.egg-info to .gitignore
* Add unit test for AWS Lightsail boto3 parameter fix
- Tests that get_aws_connection_info() is called without boto3 parameter
- Verifies the module can be imported successfully
- Checks source code doesn't contain boto3=True
- Regression test specifically for issue #14822
- All 4 test cases pass
This ensures the fix remains in place and prevents regression.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix Python linting issues in test file
- Sort imports according to ruff standards
- Remove trailing whitespace from blank lines
- Remove unnecessary 'r' mode argument from open()
- Add trailing newline at end of file
All tests still pass after linting fixes.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* Fix DigitalOcean cloud-init compatibility issue causing SSH timeout on port 4160
This commit addresses the issue described in GitHub issue #14800 where DigitalOcean
deployments fail during the "Wait until SSH becomes ready..." step due to cloud-init
not processing the write_files directive correctly.
## Problem
- DigitalOcean's cloud-init shows "Unhandled non-multipart (text/x-not-multipart) userdata" warning
- write_files module gets skipped, leaving SSH on default port 22 instead of port 4160
- Algo deployment times out when trying to connect to port 4160
## Solution
Added proactive detection and remediation to the DigitalOcean role:
1. Check if SSH is listening on the expected port (4160) after droplet creation
2. If not, automatically apply the SSH configuration manually via SSH on port 22
3. Verify SSH is now listening on the correct port before proceeding
## Changes
- Added SSH port check with 30-second timeout
- Added fallback remediation block that:
- Connects via SSH on port 22 to apply Algo's SSH configuration
- Backs up the original sshd_config
- Applies the correct SSH settings (port 4160, security hardening)
- Restarts the SSH service
- Verifies the fix worked
This ensures DigitalOcean deployments succeed even when cloud-init fails to process
the user_data correctly, maintaining backward compatibility and reliability.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Implement cleaner fix for DigitalOcean cloud-init encoding issue
This replaces the previous workaround with two targeted fixes that address
the root cause of the "Unhandled non-multipart (text/x-not-multipart) userdata"
issue that prevents write_files from being processed.
## Root Cause
Cloud-init receives user_data as binary/bytes instead of UTF-8 string,
causing it to fail parsing and skip the write_files directive that
configures SSH on port 4160.
## Cleaner Solutions Implemented
### Fix 1: String Encoding (user_data | string)
- Added explicit string conversion to user_data template lookup
- Ensures DigitalOcean API receives proper UTF-8 string, not bytes
- Minimal change with maximum compatibility
### Fix 2: Use runcmd Instead of write_files
- Replaced write_files approach with runcmd shell commands
- Bypasses the cloud-init parsing issue entirely
- More reliable as it executes direct shell commands
- Includes automatic SSH config backup for safety
## Changes Made
- `roles/cloud-digitalocean/tasks/main.yml`: Added | string filter to user_data
- `files/cloud-init/base.yml`: Replaced write_files with runcmd approach
- Removed complex SSH detection/remediation workaround (no longer needed)
## Benefits
- ✅ Fixes root cause instead of working around symptoms
- ✅ Much simpler and more maintainable code
- ✅ Backward compatible - no API changes required
- ✅ Handles both potential failure modes (encoding + parsing)
- ✅ All tests pass, linters clean
This should resolve DigitalOcean SSH timeout issues while being much
cleaner than the previous workaround approach.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix cloud-init header format for DigitalOcean compatibility
The space in '# cloud-config' (introduced in PR #14775) breaks cloud-init
YAML parsing on DigitalOcean, causing SSH configuration to be skipped.
Cloud-init documentation requires '#cloud-config' without a space.
Fixes#14800🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Revert to write_files approach for SSH configuration
Using write_files is more maintainable and Ansible-native than runcmd.
The root cause was the cloud-config header format, not write_files itself.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix Ansible deprecation and variable warnings
- Replace deprecated network filters with ansible.utils equivalents:
- ipaddr → ansible.utils.ipaddr
- ipmath → ansible.utils.ipmath
- ipv4 → ansible.utils.ipv4
- ipv6 → ansible.utils.ipv6
- next_nth_usable → ansible.utils.next_nth_usable
- Fix reserved variable name: no_log → algo_no_log
- Fix SSH user groups warning by explicitly specifying groups parameter
Addresses deprecation warnings that would become errors after 2024-01-01.
All linter checks pass with only cosmetic warnings remaining.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add comprehensive protection for cloud-config header format
- Add inline documentation explaining critical #cloud-config format requirement
- Exclude files/cloud-init/ from yamllint and ansible-lint to prevent automatic 'fixes'
- Create detailed README.md documenting the issue and protection measures
- Reference GitHub issue #14800 for future maintainers
This prevents regression of the critical cloud-init header format that
causes deployment failures when changed from '#cloud-config' to '# cloud-config'.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Add test for cloud-init header format to prevent regression
This test ensures the cloud-init header remains exactly ''#cloud-config''
without a space. The regression in PR #14775 that added a space broke
DigitalOcean deployments by causing cloud-init YAML parsing to fail,
resulting in SSH timeouts on port 4160.
Co-authored-by: Dan Guido <dguido@users.noreply.github.com>
* Refactor SSH config template and fix MOTD task permissions
- Use dedicated sshd_config template instead of inline content
- Add explicit become: true to MOTD task to fix permissions warning
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* Fix no_log variable references after renaming to algo_no_log
Update all remaining references from old 'no_log' variable to 'algo_no_log'
in WireGuard, SSH tunneling, and StrongSwan roles. This fixes deployment
failures caused by undefined variable references.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Correct YAML indentation in cloud-init template for DigitalOcean
The indent filter was not indenting the first line of the sshd_config content,
causing invalid YAML structure that cloud-init couldn't parse. This resulted
in SSH timeouts during deployment as the port was never changed from 22 to 4160.
- Add first=True parameter to indent filter to ensure all lines are indented
- Remove extra indentation in base template to prevent double-indentation
- Add comprehensive test suite to validate template rendering and prevent regressions
Fixes deployment failures where cloud-init would show:
"Invalid format at line X: expected <block end>, but found '<scalar>'"
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Dan Guido <dguido@users.noreply.github.com>
* Keep custom dnscrypt-proxy conffile when upgrading
* Unattended upgrade tuning
- Upgrade the 50unattended-upgrades file with latest options
- Keep the common unattended upgrade options in one file
- Enable removing of unused kernels and dependencies to save some space
* generate service IPs dynamically
* update cloud-init tests
* exclude ipsec and wireguard ranges from the random service ip
* Update docs
* @davidemyers: update wireguard docs for linux
* Move to netaddr filter
* AllowedIPs fix
* WireGuard IPs fix
<!--- Provide a general summary of your changes in the Title above -->
## Description
Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes#1330 and closes#1162
Configures Ansible to use python3 on the server side. Closes#1024
Removes unneeded playbooks, reorganises a lot of variables
Reorganises the `config` folder. Closes#1330
<details><summary>Here is how the config directory looks like now</summary>
<p>
```
configs/X.X.X.X/
|-- ipsec
| |-- apple
| | |-- desktop.mobileconfig
| | |-- laptop.mobileconfig
| | `-- phone.mobileconfig
| |-- manual
| | |-- cacert.pem
| | |-- desktop.p12
| | |-- desktop.ssh.pem
| | |-- ipsec_desktop.conf
| | |-- ipsec_desktop.secrets
| | |-- ipsec_laptop.conf
| | |-- ipsec_laptop.secrets
| | |-- ipsec_phone.conf
| | |-- ipsec_phone.secrets
| | |-- laptop.p12
| | |-- laptop.ssh.pem
| | |-- phone.p12
| | `-- phone.ssh.pem
| `-- windows
| |-- desktop.ps1
| |-- laptop.ps1
| `-- phone.ps1
|-- ssh-tunnel
| |-- desktop.pem
| |-- desktop.pub
| |-- laptop.pem
| |-- laptop.pub
| |-- phone.pem
| |-- phone.pub
| `-- ssh_config
`-- wireguard
|-- desktop.conf
|-- desktop.png
|-- laptop.conf
|-- laptop.png
|-- phone.conf
`-- phone.png
```
</p>
</details>
## Motivation and Context
This refactoring is focused to aim to the 1.0 release
## How Has This Been Tested?
Deployed to several cloud providers with various options enabled and disabled
## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Refactoring
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] All new and existing tests passed.
* Move to ansible-2.4.3
* Add Lightsail support #623
* Fixing the EC2 deployment
* Scaleway integration #623
* OpenStack cloud provider (DreamCompute optimised) #623
* Remove the security role
* Enable unattended-upgrades for clouds
* New requirements to make Azure and GCE work
