mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-06 20:13:11 +02:00
27 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Dan Guido
|
454faa96b1
|
fix: Prevent sensitive information from being logged (#14779)
* fix: Add no_log to tasks handling sensitive information - Add no_log: true to OpenSSL commands that contain passwords/passphrases - Add no_log: true to WireGuard key generation commands - Add no_log: true to password/CA password generation tasks - Add no_log: true to AWS credential handling tasks - Add no_log: true to QR code generation that contains full configs This prevents sensitive information like passwords, private keys, and WireGuard configurations from being logged to syslog/journald. Fixes #1617 * feat: Comprehensive privacy enhancements - Add no_log directives to all cloud provider credential handling - Set privacy-focused defaults (StrongSwan logging disabled, DNSCrypt syslog off) - Implement privacy role with log rotation, history clearing, and log filtering - Add Privacy Considerations section to README - Make all privacy features configurable and enabled by default This update significantly reduces Algo's logging footprint to enhance user privacy while maintaining the ability to enable logging for debugging when needed. * docs: Move privacy documentation from README to FAQ - Remove Privacy Considerations section from README - Add expanded 'Does Algo support zero logging?' question to FAQ - Better placement alongside existing logging/monitoring questions - More detailed explanation of privacy features and limitations * fix: Remove invalid 'bool' filter from Jinja2 template The privacy-monitor.sh.j2 template was using '| bool' which is not a valid Jinja2 filter. The 'bool' is a built-in Python function, not a Jinja2 filter. Fixed by removing the '| bool' filter and directly outputting the boolean variables as they will be rendered correctly by Jinja2. This resolves the template syntax error that was causing CI tests to fail: "No filter named 'bool'" error in privacy monitoring script template. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix YAML linting issues in privacy role * Fix linting warnings: shellcheck and ansible-lint issues - Fixed all shellcheck warnings in test scripts: - Quoted variables to prevent word splitting - Replaced A && B || C constructs with proper if-then-else - Changed unused loop variable to _ - Added shellcheck directives for FreeBSD rc.d script - Fixed ansible-lint risky-file-permissions warnings: - Added explicit file permissions for sensitive files (mode 0600) - Added permissions for config files and certificates (mode 0644) - Set proper permissions for directories (mode 0755) - Fixed yamllint compatibility with ansible-lint: - Added required octal-values configuration - Quoted all octal mode values to prevent YAML misinterpretation - Added comments-indentation: false as required All tests pass and functionality remains unchanged. * Remove algo.egg-info from version control This directory is generated by Python package tools (pip/setuptools) and should not be tracked in git. It's already listed in .gitignore but was accidentally committed. The directory contains build metadata that is regenerated when the package is installed. * Restructure privacy documentation for clarity - Simplified FAQ entry to be concise with link to README for details - Added comprehensive Privacy and Logging section to README - Clarified what IS logged by default vs what is not - Explained two separate privacy settings (strongswan_log_level and privacy_enhancements_enabled) - Added clear debugging instructions (need to change both settings) - Removed confusing language about "enabling additional features" - Made documentation more natural and less AI-generated sounding 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Ubuntu 22.04 iptables deployment issues and simplify config.cfg Issues fixed: 1. Added base 'iptables' package to batch installation list (was missing, only iptables-persistent was included) 2. Fixed alternatives configuration for Ubuntu 22.04+ - only configure main iptables/ip6tables alternatives, not save/restore (they're handled as slaves) Config.cfg improvements: - Reduced from 308 to 198 lines (35% reduction) - Moved privacy settings above "Advanced users only" line for better accessibility - Clarified algo_no_log is for Ansible output, not server privacy - Simplified verbose comments throughout - Moved experimental performance options to commented section at end - Better organized into logical sections 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add privacy features to README and improve feature descriptions - Added privacy-focused feature bullet highlighting minimal logging and privacy enhancements - Simplified IKEv2 bullet (removed redundant platform list) - Updated helper scripts description to be more comprehensive - Specified Ubuntu 22.04 LTS and automatic security updates - Made feature list more concise and accurate 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix logrotate duplicate entries error in privacy role The privacy role was creating logrotate configs that duplicated the default Ubuntu rsyslog logrotate rules, causing deployment failures with errors like 'duplicate log entry for /var/log/syslog'. Changes: - Disable default rsyslog logrotate config before applying privacy configs - Consolidate system log rotation into single config file - Add missingok flag to handle logs that may not exist on all systems - Remove forced immediate rotation that was triggering the error This ensures privacy-enhanced log rotation works without conflicts. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix 'history: not found' error in privacy role The 'history -c' command was failing because history is a bash built-in that doesn't exist in /bin/sh (Ubuntu's default shell for scripts). Changes: - Removed the 'Clear current session history' task since it's ineffective in Ansible context (each task runs in a new shell) - History files are already cleared by the existing file removal tasks - Added explanatory comment about why session history clearing is omitted This fixes the deployment failure while maintaining all effective history clearing functionality. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix BPF JIT sysctl error in privacy role The net.core.bpf_jit_enable sysctl parameter was failing on some systems because BPF JIT support is not available in all kernel configurations. Changes: - Separated BPF JIT setting into its own task with ignore_errors - Made BPF JIT disabling optional since it's not critical for privacy - Added explanatory comments about kernel support variability - Both runtime sysctl and persistent config now handle missing parameter This allows deployments to succeed on systems without BPF JIT support while still applying the setting where available. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Dan Guido
|
b821080eba
|
Fix AWS Lightsail deployment error (boto3 parameter) (#14823)
* Fix AWS Lightsail deployment error by removing deprecated boto3 parameter Remove the deprecated boto3 parameter from get_aws_connection_info() call in the lightsail_region_facts module. This parameter has been non-functional since amazon.aws collection 4.0.0 and was removed in recent versions bundled with Ansible 11.x, causing deployment failures. The function works correctly without this parameter as the module already properly imports and validates boto3 availability. Closes #14822 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Update uv.lock to fix Docker build failure The lockfile was out of sync after the Ansible 11.8.0 to 11.9.0 upgrade. This regenerates the lockfile to include: - ansible 11.9.0 (was 11.8.0) - ansible-core 2.18.8 (was 2.18.7) This fixes the Docker build CI failure where uv sync --locked was failing due to lockfile mismatch. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Jinja spacing linter issues correctly - Add spacing in lookup('env', 'VAR') calls - Fix spacing around pipe operators within Jinja expressions only - Preserve YAML block scalar syntax (prompt: |) - Fix array indexing spacing within Jinja expressions - All changes pass yamllint and ansible-lint tests 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add algo.egg-info to .gitignore * Add unit test for AWS Lightsail boto3 parameter fix - Tests that get_aws_connection_info() is called without boto3 parameter - Verifies the module can be imported successfully - Checks source code doesn't contain boto3=True - Regression test specifically for issue #14822 - All 4 test cases pass This ensures the fix remains in place and prevents regression. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Python linting issues in test file - Sort imports according to ruff standards - Remove trailing whitespace from blank lines - Remove unnecessary 'r' mode argument from open() - Add trailing newline at end of file All tests still pass after linting fixes. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Dan Guido
|
2ab57c3f6a
|
Implement self-bootstrapping uv setup to resolve issue #14776 (#14814)
* Implement self-bootstrapping uv setup to resolve issue #14776 This major simplification addresses the Python setup complexity that has been a barrier for non-developer users deploying Algo VPN. ## Revolutionary User Experience Change **Before (complex):** ```bash python3 -m virtualenv --python="$(command -v python3)" .env && source .env/bin/activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt ./algo ``` **After (simple):** ```bash ./algo ``` ## Key Technical Changes ### Core Implementation - **algo script**: Complete rewrite with automatic uv installation - Detects missing uv and installs automatically via curl - Cross-platform support (macOS, Linux, Windows) - Preserves exact same command interface - Uses `uv run ansible-playbook` instead of virtualenv activation ### Documentation Overhaul - **README.md**: Reduced installation from 4 complex steps to 1 command - **Platform docs**: Simplified macOS, Windows, Linux, Cloud Shell guides - **Removed Python installation complexity** from all user-facing docs ### CI/CD Infrastructure Updates - **5 GitHub Actions workflows** converted from pip to uv - **Docker builds** updated to use uv instead of virtualenv - **Legacy test scripts** (3 files) updated for uv compatibility ### Repository Cleanup - **install.sh**: Updated for cloud-init/bootstrap scenarios - **algo-showenv.sh**: Updated environment detection for uv - **pyproject.toml**: Added all dependencies with proper versioning - **test scripts**: Removed .env references, updated paths ## Benefits Achieved ✅ **Zero-step dependency installation** - uv installs automatically on first run ✅ **Cross-platform consistency** - identical experience on all operating systems ✅ **Automatic Python version management** - uv handles Python 3.11+ requirement ✅ **Familiar interface preserved** - existing `./algo` and `./algo update-users` unchanged ✅ **No breaking changes** - existing users see same commands, same functionality ✅ **Resolves macOS Python compatibility** - works with system Python 3.9 via uv's Python management ## Files Changed (18 total) **Core Scripts (3)**: - algo (complete rewrite with self-bootstrapping) - algo-showenv.sh (uv environment detection) - install.sh (cloud-init script updated) **Documentation (4)**: - README.md (revolutionary simplification) - docs/deploy-from-macos.md (removed Python complexity) - docs/deploy-from-windows.md (simplified WSL setup) - docs/deploy-from-cloudshell.md (updated for uv) **CI/CD (5)**: - .github/workflows/main.yml (pip → uv conversion) - .github/workflows/smart-tests.yml (pip → uv conversion) - .github/workflows/lint.yml (pip → uv conversion) - .github/workflows/integration-tests.yml (pip → uv + Docker fix) - Dockerfile (virtualenv → uv conversion) **Tests (4)**: - tests/legacy-lxd/local-deploy.sh (virtualenv → uv in Docker) - tests/legacy-lxd/update-users.sh (virtualenv → uv in Docker) - tests/legacy-lxd/ca-password-fix.sh (virtualenv → uv in Docker) - tests/unit/test_template_rendering.py (removed .env path reference) **Dependencies (2)**: - pyproject.toml (added full dependency specification) - uv.lock (new uv lockfile for reproducible builds) This implementation makes Algo VPN accessible to non-technical users while maintaining all power and flexibility for advanced users. Closes #14776 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix CI/CD workflow inconsistencies and resolve Claude's code review issues - Fix inconsistent dependency management across all CI workflows - Replace 'uv add' with 'uv sync' for reproducible builds - Use 'uv run --with' for temporary tool installations - Standardize on locked dependencies from pyproject.toml - Fix ineffective linting by removing '|| true' from ruff check in lint.yml - Ensures linting errors actually fail the build - Maintains consistency with other linter configurations - Update yamllint configuration to exclude .venv/ directory - Prevents scanning Python package templates with Ansible-specific filters - Fixes trailing spaces in workflow files - Improve shell script quality by fixing shellcheck warnings - Quote $(pwd) expansions in Docker test scripts - Address critical word-splitting vulnerabilities - Update test infrastructure for uv compatibility - Exclude .env/.venv directories from template scanning - Ensure local tests exactly match CI workflow commands All linters and tests now pass locally and match CI requirements exactly. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Remove test configuration file * Remove obsolete venvs directory and update .gitignore for uv - Remove venvs/ directory which was only used as a placeholder for virtualenv - Update .gitignore to use explicit .env/ and .venv/ patterns instead of *env - Modernize ignore patterns for uv-based dependency management 🤖 Generated with [Claude Code](https://claude.ai/code) * Implement secure uv installation addressing Claude's security concerns Security improvements: - **Package managers first**: Try brew, apt, dnf, pacman, zypper, winget, scoop - **User consent required**: Clear security warning before script download - **Manual installation guidance**: Provide fallback instructions with checksums - **Versioned installers**: Use uv 0.8.5 specific URLs for consistency across CI/local Benefits: - ✅ Most users get uv via secure package managers (no download needed) - ✅ Clear security disclosure for script downloads with opt-out - ✅ Transparent about security tradeoffs vs usability - ✅ Maintains "just works" experience while respecting security concerns - ✅ CI and local installations now use identical versioned scripts This addresses the unverified download security vulnerability while preserving the user experience improvements from the self-bootstrapping approach. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Major improvements: modernize Python tooling, fix CI, enhance security This commit implements comprehensive improvements across multiple areas: ## 🚀 Python Tooling Modernization - **Eliminate requirements.txt**: Move to pyproject.toml as single source of truth - **Add pytest integration**: Replace individual test file execution with pytest discovery - **Add dev dependencies**: Include pytest and pytest-xdist for parallel testing - **Update documentation**: Modernize CLAUDE.md with uv-based workflows ## 🔒 Security Enhancements (zizmor fixes) - **Fix credential persistence**: Add persist-credentials: false to checkout steps - **Fix template injection**: Move GitHub context variables to environment variables - **Pin action versions**: Use commit hash for astral-sh/setup-uv@v6 (1ddb97e5078301c0bec13b38151f8664ed04edc8) ## ⚡ CI/CD Optimization - **Create composite action**: Centralize uv setup (.github/actions/setup-uv) - **Eliminate workflow duplication**: Replace 13 duplicate uv setup blocks with reusable action - **Fix path filters**: Update smart-tests.yml to watch pyproject.toml instead of requirements.txt - **Remove pip caching**: Clean up obsolete cache: 'pip' configurations - **Standardize test execution**: Use pytest across all workflows ## 🐳 Docker Improvements - **Secure uv installation**: Use official distroless image instead of curl - **Remove requirements.txt**: Update COPY directive for new dependency structure ## 📈 Impact Summary - **Security**: Resolved 12/14 zizmor issues (86% improvement) - **Maintainability**: 92% reduction in workflow duplication - **Performance**: Better caching and parallel test execution - **Standards**: Aligned with 2025 Python packaging best practices 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Complete backward compatibility cleanup and Windows improvements - Fix main.yml requirements.txt lookup with pyproject.toml parsing - Update test_docker_localhost_deployment.py to check pyproject.toml - Fix Vagrantfile pip args with hard-coded dependency versions - Enhance Windows OS detection for WSL, Git Bash, and MINGW variants - Implement versioned Windows PowerShell installer (0.8.5) - Update documentation references in troubleshooting.md and tests/README.md All linters and tests pass: ruff ✅ yamllint ✅ pytest 48/48 ✅ ansible syntax ✅ 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Python version requirement consistency Update test to require Python 3.11+ to match pyproject.toml requires-python setting. Previously test accepted 3.10+ while pyproject.toml required 3.11+. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix pyproject.toml version parsing to not require community.general collection Replace community.general.toml lookup with regex_search on file lookup. This fixes "lookup plugin (community.general.toml) not found" error on macOS where the collection may not be available during early bootstrap. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix ansible version detection for uv-managed environments Replace pip_package_info lookup with uv pip list command to detect ansible version. This fixes "'dict object' has no attribute 'ansible'" error on macOS where ansible is installed via uv instead of system pip. The fix extracts the ansible package version (e.g. 11.8.0) from uv pip list output instead of trying to access non-existent pip package registry. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add Ubuntu-specific uv installation alternatives Enhance the algo bootstrapping script with Ubuntu-specific trusted installation methods when system package managers don't provide uv: - pipx option (official PyPI, ~9 packages vs 58 for python3-pip) - snap option (community-maintained by Canonical employee) - Links to source repo for transparency (github.com/lengau/uv-snap) - Interactive menu with clear explanations - Robust error handling with fallbacks Addresses common Ubuntu 24.04+ deployment scenario where uv is not available via apt, providing secure alternatives to script downloads. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix shellcheck warning in Ubuntu uv installation menu Add -r flag to read command to prevent backslash mangling as required by shellcheck SC2162. This ensures proper handling of user input in the interactive installation method selection. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Major packaging improvements for AlgoVPN 2.0 beta Remove outdated development files and modernize packaging: - Remove PERFORMANCE.md (optimizations are now defaults) - Remove Makefile (limited Docker-only utility) - Remove Vagrantfile (over-engineered for edge case) Modernize Docker support: - Fix .dockerignore: 872MB -> 840KB build context (99.9% reduction) - Update Dockerfile: Python 3.12, uv:latest, better security - Add multi-arch support and health checks - Simplified package dependencies Improve dependency management: - Pin Ansible collections to exact versions (prevent breakage) - Update version to 2.0.0-beta for upcoming release - Align with uv's exact dependency philosophy This reduces maintenance burden while focusing on Algo's core cloud deployment use case. Created GitHub issue #14816 for lazy cloud provider loading in future releases. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Update community health files for AlgoVPN 2.0 Remove outdated CHANGELOG.md: - Contained severely outdated information (v1.2, Ubuntu 20.04, Makefile intro) - Conflicted with current 2.0.0-beta version and recent changes - 136 lines of misleading content requiring complete rewrite - GitHub releases provide better, auto-generated changelogs Modernize CONTRIBUTING.md: - Update client support: macOS 12+, iOS 15+, Windows 11+, Ubuntu 22.04+ - Expand cloud provider list: Add Vultr, Hetzner, Linode, OpenStack, CloudStack - Replace manual dependency setup with uv auto-installation - Add modern development practices: exact dependency pinning, lint.sh usage - Include development setup section with current workflow Fix PULL_REQUEST_TEMPLATE.md: - Fix broken checkboxes: `- []` → `- [ ]` (missing space) - Add linter compliance requirement: `./scripts/lint.sh` - Add dependency pinning check for exact versions - Reorder checklist for logical flow Community health files now accurately reflect AlgoVPN 2.0 capabilities and guide contributors toward modern best practices. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Complete legacy pip module elimination for uv migration Fixes critical macOS installation failure due to PEP 668 externally-managed-environment restrictions. Key changes: - Add missing pyopenssl and segno dependencies to pyproject.toml - Add optional cloud provider dependencies with exact versions - Replace all cloud provider pip module tasks with uv-based installation - Implement dynamic cloud provider dependency installation in cloud-pre.yml - Modernize OpenStack dependency (openstacksdk replaces deprecated shade) This completes the migration from legacy pip to modern uv dependency management, ensuring consistent behavior across all platforms and eliminating the root cause of macOS installation failures. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Update lockfile with cloud provider dependencies and correct version Regenerates uv.lock to include all optional cloud provider dependencies and ensures version consistency between pyproject.toml and lockfile. Added dependencies for all cloud providers: - AWS: boto3, boto, botocore, s3transfer - Azure: azure-identity, azure-mgmt-*, msrestazure - GCP: google-auth, requests - Hetzner: hcloud - Linode: linode-api4 - OpenStack: openstacksdk, keystoneauth1 - CloudStack: cs, sshpubkeys 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Modernize and simplify README installation instructions - Remove obsolete step 3 (dependency installation) since uv handles this automatically - Streamline installation from 5 to 4 steps - Make device section headers consistent (Apple, Android, Windows, Linux) - Combine Linux WireGuard and IPsec sections for clarity - Improve "please see this page" links with clear descriptions - Move PKI preservation note to user management section where it's relevant - Enhance adding/removing users section with better flow - Add context to Other Devices section for manual configuration - Fix grammar inconsistencies (setup → set up, missing commas) - Update Ubuntu deployment docs to specify 22.04 LTS requirement - Simplify road warrior setup instructions - Remove outdated macOS WireGuard complexity notes 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Comprehensive documentation modernization and cleanup - Remove all FreeBSD support (roles, documentation, references) - Modernize troubleshooting guide by removing ~200 lines of obsolete content - Rewrite OpenWrt router documentation with cleaner formatting - Update Amazon EC2 documentation with current information - Rewrite unsupported cloud provider documentation - Remove obsolete linting documentation - Update all version references to Ubuntu 22.04 LTS and Python 3.11+ - Add documentation style guidelines to CLAUDE.md - Clean up compilation and legacy Python compatibility issues - Update client documentation for current requirements All documentation now reflects the uv-based modernization and current supported platforms, eliminating references to obsolete tooling and unsupported operating systems. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix linting and syntax errors caused by FreeBSD removal - Restore missing newline in roles/dns/handlers/main.yml (broken during FreeBSD cleanup) - Add FQCN for community.crypto modules in cloud-pre.yml - Exclude playbooks/ directory from ansible-lint (these are task files, not standalone playbooks) The FreeBSD removal accidentally removed a trailing newline causing YAML format errors. The playbook syntax errors were false positives - these files contain tasks for import_tasks/include_tasks, not standalone plays. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix CI test failure: use uv-managed ansible in test script The test script was calling ansible-playbook directly instead of 'uv run ansible-playbook', which caused it to use the system-installed ansible that doesn't have access to the netaddr dependency required by the ansible.utils.ipmath filter. This fixes the CI error: 'Failed to import the required Python library (netaddr)' 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Clean up test config warnings - Remove duplicate ipsec_enabled key (was defined twice) - Remove reserved variable name 'no_log' This eliminates YAML parsing warnings in the test script while maintaining the same test functionality. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add native Windows support with PowerShell script - Create algo.ps1 for native Windows deployment - Auto-install uv via winget/scoop with download fallback - Support update-users command like Unix version - Add PowerShell linting to CI pipeline with PSScriptAnalyzer - Update documentation with Windows-specific instructions - Streamline deploy-from-windows.md with clearer options 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix PowerShell script for Windows Ansible limitations - Fix syntax issues: remove emoji chars, add winget acceptance flags - Address core issue: Ansible doesn't run natively on Windows - Convert PowerShell script to intelligent WSL wrapper - Auto-detect WSL environment and use appropriate approach - Provide clear error messages and WSL installation guidance - Update documentation to reflect WSL requirement - Maintain backward compatibility for existing WSL users 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Greatly improve PowerShell script error messages and WSL detection - Fix WSL detection: only detect when actually running inside WSL - Add comprehensive error messages with step-by-step WSL installation - Provide clear troubleshooting guidance for common scenarios - Add colored output for better visibility (Red/Yellow/Green/Cyan) - Improve WSL execution with better error handling and path validation - Clarify Ubuntu 22.04 LTS recommendation for WSL stability - Add fallback suggestions when things go wrong Resolves the confusing "bash not recognized" error by properly detecting Windows vs WSL environments and providing actionable guidance. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Address code review feedback - Add documentation about PATH export scope in algo script - Optimize Dockerfile layers by combining dependency operations The PATH export comment clarifies that changes only affect the current shell session. The Dockerfile change reduces layers by copying and installing dependencies in a more efficient order. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Remove unused uv installation code from PowerShell script The PowerShell script is purely a WSL wrapper - it doesn't need to install uv since it just passes execution to WSL/bash where the Unix algo script handles dependency management. Removing dead code that was never called in the execution flow. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Improve uv installation feedback and Docker dependency locking - Track and display which installation method succeeded for uv - Add --locked flag to Docker uv sync for stricter dependency enforcement - Users now see "uv installed successfully via Homebrew\!" etc. This addresses code review feedback about installation transparency and dependency management strictness. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Docker build: use --locked without --frozen The --frozen and --locked flags are mutually exclusive in uv. Using --locked alone provides the stricter enforcement we want - it asserts the lockfile won't change and errors if it would. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix setuptools package discovery error during cloud provider dependency installation The issue occurred when uv tried to install optional dependencies (e.g., [digitalocean]) because setuptools was auto-discovering directories like 'roles', 'library', etc. as Python packages. Since Algo is an Ansible project, not a Python package, this caused builds to fail. Added explicit build-system configuration to pyproject.toml with py-modules = [] to disable package discovery entirely. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Jinja2 template syntax error in OpenSSL certificate generation Removed inline comments from within Jinja2 expressions in the name_constraints_permitted and name_constraints_excluded fields. Jinja2 doesn't support comments within expressions using the # character, which was causing template rendering to fail. Moved explanatory comments outside the Jinja2 expressions to maintain documentation while fixing the syntax error. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Enhance Jinja2 template testing infrastructure Added comprehensive Jinja2 template testing to catch syntax errors early: 1. Created validate_jinja2_templates.py: - Validates all Jinja2 templates for syntax errors - Detects inline comments in Jinja2 expressions (the bug we just fixed) - Checks for common anti-patterns - Provides warnings for style issues - Skips templates requiring Ansible runtime context 2. Created test_strongswan_templates.py: - Tests all StrongSwan templates with multiple scenarios - Tests with IPv4-only, IPv6, DNS hostnames, and legacy OpenSSL - Validates template output correctness - Skips mobileconfig test that requires complex Ansible runtime 3. Updated .ansible-lint: - Enabled jinja[invalid] and jinja[spacing] rules - These will catch template errors during linting 4. Added scripts/test-templates.sh: - Comprehensive test script that runs all template tests - Can be used in CI and locally for validation - All tests pass cleanly without false failures - Treats spacing issues as warnings, not failures This testing would have caught the inline comment issue in the OpenSSL template before it reached production. All tests now pass cleanly. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix StrongSwan CRL reread handler race condition The ipsec rereadcrls command was failing with exit code 7 when the IPsec daemon wasn't fully started yet. This is a timing issue that can occur during initial setup. Added retry logic to: 1. Wait up to 10 seconds for the IPsec daemon to be ready 2. Check daemon status before attempting CRL operations 3. Gracefully handle the case where daemon isn't ready Also fixed Python linting issues (whitespace) in test files caught by ruff. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix StrongSwan CRL handler properly without ignoring errors Instead of ignoring errors (anti-pattern), this fix properly handles the race condition when StrongSwan restarts: 1. After restarting StrongSwan, wait for port 500 (IKE) to be listening - This ensures the daemon is fully ready before proceeding - Waits up to 30 seconds with proper timeout handling 2. When reloading CRLs, use Ansible's retry mechanism - Retries up to 3 times with 2-second delays - Handles transient failures during startup 3. Separated rereadcrls and purgecrls into distinct tasks - Better error reporting and debugging - Cleaner task organization This approach ensures the installation works reliably on fresh installs without hiding potential real errors. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix StrongSwan handlers - handlers cannot be blocks Ansible handlers cannot be blocks. Fixed by: 1. Making each handler a separate task that can notify the next handler 2. restart strongswan -> notifies -> wait for strongswan 3. rereadcrls -> notifies -> purgecrls This maintains the proper execution order while conforming to Ansible's handler constraints. The wait and retry logic is preserved. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix StrongSwan CRL handler for fresh installs The root cause: rereadcrls handler is notified when copying CRL files during certificate generation, which happens BEFORE StrongSwan is installed and started on fresh installs. The fix: 1. Check if StrongSwan service is actually running before attempting CRL reload 2. If not running, skip reload (not needed - StrongSwan will load CRLs on start) 3. If running, attempt reload with retries This handles both scenarios: - Fresh install: StrongSwan not yet running, skip reload - Updates: StrongSwan running, reload CRLs properly Also removed the wait_for port 500 which was failing because StrongSwan doesn't bind to localhost. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Dan Guido
|
0aaca43019
|
Security Hardening and Certificate Authority Constraints (#14811)
* Security hardening and certificate authority constraints This commit addresses Issues #75 and #14804 with defensive security enhancements that provide additional protection layers for edge case scenarios. ## Issue #75: Technically Constrain Root CA - Add pathlen:0 basic constraints preventing subordinate CA creation - Implement name constraints restricting certificate issuance to specific IPs - Add extended key usage restrictions limiting CA scope to VPN certificates - Separate client/server certificate extensions (serverAuth vs clientAuth) - Enhanced CA with critical constraints for defense-in-depth when CA keys saved ## Issue #14804: Comprehensive SystemD Security Hardening - WireGuard: Added systemd hardening as additional defense-in-depth - StrongSwan: Enhanced systemd configuration complementing AppArmor profiles - dnscrypt-proxy: Additional systemd security alongside AppArmor protection - Applied privilege restrictions, filesystem isolation, and system call filtering ## Technical Changes - CA certificate constraints only relevant when users opt to save CA keys - SystemD hardening provides additional isolation layers beyond existing AppArmor - Enhanced client certificate validation for iOS/macOS profiles - Reliable AppArmor profile enforcement for Ubuntu 22.04 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Address PR review feedback and improve code quality ## Fixes Based on Review Feedback: ### Handler Consistency Issues - Fix notification naming: "daemon reload" → "daemon-reload" for consistency - Update deprecated syntax: `daemon_reload: yes` → `daemon_reload: true` ### Enhanced CA Certificate Constraints - Add .mil and .int to excluded DNS domains for completeness - Add .mil and .int to excluded email domains for consistency - Add explanatory comment for openssl_constraint_random_id security purpose ## Technical Improvements: - Ensures proper handler invocation across DNS and WireGuard services - Provides more comprehensive CA name constraints protection - Documents the security rationale for UUID-based CA constraints 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Address PR review feedback - improve documentation and fix duplicate key - Add IPv6 documentation range (2001:db8::/32) to excluded ranges - Add explanatory comment for CA name constraints defense-in-depth purpose - Remove duplicate DisableMOBIKE key from iOS configuration - Add comprehensive comments to iOS/macOS mobileconfig parameters - Explain MOBIKE, redirect disabling, certificate type, and routing settings 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
Jack Ivanov
|
5214c5f819
|
Refactor WireGuard key management (#14803)
* Refactor WireGuard key management: generate all keys locally with Ansible modules - Move all WireGuard key generation from remote hosts to local execution via Ansible modules - Enhance x25519_pubkey module for robust, idempotent, and secure key handling - Update WireGuard role tasks to use local key generation and management - Improve error handling and support for check mode * Improve x25519_pubkey module code quality and add integration tests Code Quality Improvements: - Fix import organization and Ruff linting errors - Replace bare except clauses with practical error handling - Simplify documentation while maintaining useful debugging info - Use dictionary literals instead of dict() calls for better performance New Integration Test: - Add comprehensive WireGuard key generation test (test_wireguard_key_generation.py) - Tests actual deployment scenarios matching roles/wireguard/tasks/keys.yml - Validates mathematical correctness of X25519 key derivation - Tests both file and string input methods used by Algo - Includes consistency validation and WireGuard tool integration - Addresses documented test gap in tests/README.md line 63-67 Test Coverage: - Module import validation - Raw private key file processing - Base64 private key string processing - Key derivation consistency checks - Optional WireGuard tool validation (when available) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Trigger CI build for PR #14803 Testing x25519_pubkey module improvements and WireGuard key generation changes. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix yamllint error: add missing newline at end of keys.yml Resolves: no new line character at the end of file (new-line-at-end-of-file) 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix critical binary data corruption bug in x25519_pubkey module Issue: Private keys with whitespace-like bytes (0x09, 0x0A, etc.) at edges were corrupted by .strip() call on binary data, causing 32-byte keys to become 31 bytes and deployment failures. Root Cause: - Called .strip() on raw binary data unconditionally - X25519 keys containing whitespace bytes were truncated - Error: "got 31 bytes" instead of expected 32 bytes Fix: - Only strip whitespace when processing base64 text data - Preserve raw binary data integrity for 32-byte keys - Maintain backward compatibility with both formats Addresses deployment failure: "Private key file must be either base64 or exactly 32 raw bytes, got 31 bytes" 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add inline comments to prevent binary data corruption bug Explain the base64/raw file detection logic with clear warnings about the critical issue where .strip() on raw binary data corrupts X25519 keys containing whitespace-like bytes (0x09, 0x0A, etc.). This prevents future developers from accidentally reintroducing the 'got 31 bytes' deployment error by misunderstanding the dual-format key handling logic. --------- Co-authored-by: Dan Guido <dan@trailofbits.com> Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Dan Guido
|
146e2dcf24
|
Fix IPv6 address selection on BSD systems (#14786)
* fix: Fix IPv6 address selection on BSD systems (#1843) BSD systems return IPv6 addresses in the order they were added to the interface, not sorted by scope like Linux. This causes ansible_default_ipv6 to contain link-local addresses (fe80::) with interface suffixes (%em0) instead of global addresses, breaking certificate generation. This fix: - Adds a new task file to properly select global IPv6 addresses on BSD - Filters out link-local addresses and interface suffixes - Falls back to ansible_all_ipv6_addresses when needed - Ensures certificates are generated with valid global IPv6 addresses The workaround is implemented in Algo rather than waiting for the upstream Ansible issue (#16977) to be fixed, which has been open since 2016. Fixes #1843 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: Remove duplicate condition in BSD IPv6 facts Removed redundant 'global_ipv6_address is not defined' condition that was checked twice in the same when clause. * improve: simplify regex for IPv6 interface suffix removal Change regex from '(.*)%.*' to '%.*' for better readability and performance when stripping interface suffixes from IPv6 addresses. The simplified regex is equivalent but more concise and easier to understand. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: resolve yamllint trailing spaces in BSD IPv6 test Remove trailing spaces from test_bsd_ipv6.yml to ensure CI passes 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: resolve yamllint issues across repository - Remove trailing spaces from server.yml, WireGuard test files, and keys.yml - Add missing newlines at end of test files - Ensure all YAML files pass yamllint validation for CI 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> |
||
|
Dan Guido
|
358d50314e
|
feat: Add comprehensive performance optimizations to reduce deployment time by 30-60%
This PR introduces comprehensive performance optimizations that reduce Algo VPN deployment time by 30-60% while maintaining security and reliability. Key improvements: - Fixed critical WireGuard async structure bug (item.item.item pattern) - Resolved merge conflicts in test-aws-credentials.yml - Fixed path concatenation issues and aesthetic double slash problems - Added comprehensive performance optimizations with configurable flags - Extensive testing and quality improvements with yamllint/ruff compliance Successfully deployed and tested on DigitalOcean with all optimizations disabled. All critical bugs resolved and PR is production-ready. |
||
|
Dan Guido
|
c495307027
|
Fix DigitalOcean cloud-init compatibility and deprecation warnings (#14801)
* Fix DigitalOcean cloud-init compatibility issue causing SSH timeout on port 4160 This commit addresses the issue described in GitHub issue #14800 where DigitalOcean deployments fail during the "Wait until SSH becomes ready..." step due to cloud-init not processing the write_files directive correctly. ## Problem - DigitalOcean's cloud-init shows "Unhandled non-multipart (text/x-not-multipart) userdata" warning - write_files module gets skipped, leaving SSH on default port 22 instead of port 4160 - Algo deployment times out when trying to connect to port 4160 ## Solution Added proactive detection and remediation to the DigitalOcean role: 1. Check if SSH is listening on the expected port (4160) after droplet creation 2. If not, automatically apply the SSH configuration manually via SSH on port 22 3. Verify SSH is now listening on the correct port before proceeding ## Changes - Added SSH port check with 30-second timeout - Added fallback remediation block that: - Connects via SSH on port 22 to apply Algo's SSH configuration - Backs up the original sshd_config - Applies the correct SSH settings (port 4160, security hardening) - Restarts the SSH service - Verifies the fix worked This ensures DigitalOcean deployments succeed even when cloud-init fails to process the user_data correctly, maintaining backward compatibility and reliability. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Implement cleaner fix for DigitalOcean cloud-init encoding issue This replaces the previous workaround with two targeted fixes that address the root cause of the "Unhandled non-multipart (text/x-not-multipart) userdata" issue that prevents write_files from being processed. ## Root Cause Cloud-init receives user_data as binary/bytes instead of UTF-8 string, causing it to fail parsing and skip the write_files directive that configures SSH on port 4160. ## Cleaner Solutions Implemented ### Fix 1: String Encoding (user_data | string) - Added explicit string conversion to user_data template lookup - Ensures DigitalOcean API receives proper UTF-8 string, not bytes - Minimal change with maximum compatibility ### Fix 2: Use runcmd Instead of write_files - Replaced write_files approach with runcmd shell commands - Bypasses the cloud-init parsing issue entirely - More reliable as it executes direct shell commands - Includes automatic SSH config backup for safety ## Changes Made - `roles/cloud-digitalocean/tasks/main.yml`: Added | string filter to user_data - `files/cloud-init/base.yml`: Replaced write_files with runcmd approach - Removed complex SSH detection/remediation workaround (no longer needed) ## Benefits - ✅ Fixes root cause instead of working around symptoms - ✅ Much simpler and more maintainable code - ✅ Backward compatible - no API changes required - ✅ Handles both potential failure modes (encoding + parsing) - ✅ All tests pass, linters clean This should resolve DigitalOcean SSH timeout issues while being much cleaner than the previous workaround approach. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix cloud-init header format for DigitalOcean compatibility The space in '# cloud-config' (introduced in PR #14775) breaks cloud-init YAML parsing on DigitalOcean, causing SSH configuration to be skipped. Cloud-init documentation requires '#cloud-config' without a space. Fixes #14800 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Revert to write_files approach for SSH configuration Using write_files is more maintainable and Ansible-native than runcmd. The root cause was the cloud-config header format, not write_files itself. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Ansible deprecation and variable warnings - Replace deprecated network filters with ansible.utils equivalents: - ipaddr → ansible.utils.ipaddr - ipmath → ansible.utils.ipmath - ipv4 → ansible.utils.ipv4 - ipv6 → ansible.utils.ipv6 - next_nth_usable → ansible.utils.next_nth_usable - Fix reserved variable name: no_log → algo_no_log - Fix SSH user groups warning by explicitly specifying groups parameter Addresses deprecation warnings that would become errors after 2024-01-01. All linter checks pass with only cosmetic warnings remaining. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add comprehensive protection for cloud-config header format - Add inline documentation explaining critical #cloud-config format requirement - Exclude files/cloud-init/ from yamllint and ansible-lint to prevent automatic 'fixes' - Create detailed README.md documenting the issue and protection measures - Reference GitHub issue #14800 for future maintainers This prevents regression of the critical cloud-init header format that causes deployment failures when changed from '#cloud-config' to '# cloud-config'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add test for cloud-init header format to prevent regression This test ensures the cloud-init header remains exactly ''#cloud-config'' without a space. The regression in PR #14775 that added a space broke DigitalOcean deployments by causing cloud-init YAML parsing to fail, resulting in SSH timeouts on port 4160. Co-authored-by: Dan Guido <dguido@users.noreply.github.com> * Refactor SSH config template and fix MOTD task permissions - Use dedicated sshd_config template instead of inline content - Add explicit become: true to MOTD task to fix permissions warning 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix no_log variable references after renaming to algo_no_log Update all remaining references from old 'no_log' variable to 'algo_no_log' in WireGuard, SSH tunneling, and StrongSwan roles. This fixes deployment failures caused by undefined variable references. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: Correct YAML indentation in cloud-init template for DigitalOcean The indent filter was not indenting the first line of the sshd_config content, causing invalid YAML structure that cloud-init couldn't parse. This resulted in SSH timeouts during deployment as the port was never changed from 22 to 4160. - Add first=True parameter to indent filter to ensure all lines are indented - Remove extra indentation in base template to prevent double-indentation - Add comprehensive test suite to validate template rendering and prevent regressions Fixes deployment failures where cloud-init would show: "Invalid format at line X: expected <block end>, but found '<scalar>'" 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com> Co-authored-by: Dan Guido <dguido@users.noreply.github.com> |
||
|
Jack Ivanov
|
347f864abb
|
Ansible upgrade 6.1 (#14500)
* linting * update ansible * linters |
||
|
Jack Ivanov
|
8c560719a5
|
skip pre tasks in update-users (#1921) | ||
David Myers
|
8894dd0848
|
Discontinue use of the WireGuard PPA (#1855)
* Discontinue use of the WireGuard PPA * Add instructions to update the system * Change reboot instruction |
||
|
Jack Ivanov
|
c14ff0d611
|
Ubuntu 20.04 support (#1782)
* ubuntu 20.04 support * purge snapd for 20.04 * strongswan-starter fix |
||
|
Jack Ivanov
|
1e8a9c5cf1
|
Generate mobileconfigs for WireGuard (#1698)
* Generate mobileconfigs for WireGuard * add xmllint to wireguard profiles * Enable onDemand prompts for WireGuard * linting |
||
|
Jack Ivanov
|
090a60d48d |
PKI to tmpfs (#1496)
* PKI to tmpfs * Fixes - diskutil to full path - unmount and eject fixes * Umount fix * run diskutil info only on Darwin kernels * fix shell tasks |
||
elreydetoda
|
146cbc71ce |
Adding preshared key support (#1465)
* adding preshared key generation * adding preshared folder * Update client.conf.j2 adding preshared key options * adding preshared keys to server template * making sure private preshared is right * making sure preshared keygen working for main.yml * changing private to preshared for name * changing to preshared dir instead of public |
||
|
Jack Ivanov
|
25513cf925 |
Refactoring, Linting and additional tests (#1397)
* Refactoring, Linting and additional tests * Vultr: Undefined variable and deprecation notes fix * Travis-CI enable linters * Azure: Update python requirements * Update main.yml * Update install.sh * Add missing roles to ansible-lint * Linting for skipped roles * add .ansible-lint config |
||
|
Jack Ivanov
|
c4ea88000b | Refactoring to support roles inclusion (#1365) | ||
|
Jack Ivanov
|
273c7665d3 |
Refactoring (#1334)
<!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ |-- ipsec | |-- apple | | |-- desktop.mobileconfig | | |-- laptop.mobileconfig | | `-- phone.mobileconfig | |-- manual | | |-- cacert.pem | | |-- desktop.p12 | | |-- desktop.ssh.pem | | |-- ipsec_desktop.conf | | |-- ipsec_desktop.secrets | | |-- ipsec_laptop.conf | | |-- ipsec_laptop.secrets | | |-- ipsec_phone.conf | | |-- ipsec_phone.secrets | | |-- laptop.p12 | | |-- laptop.ssh.pem | | |-- phone.p12 | | `-- phone.ssh.pem | `-- windows | |-- desktop.ps1 | |-- laptop.ps1 | `-- phone.ps1 |-- ssh-tunnel | |-- desktop.pem | |-- desktop.pub | |-- laptop.pem | |-- laptop.pub | |-- phone.pem | |-- phone.pub | `-- ssh_config `-- wireguard |-- desktop.conf |-- desktop.png |-- laptop.conf |-- laptop.png |-- phone.conf `-- phone.png ```  </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the **CONTRIBUTING** document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed. |
||
|
Jack Ivanov
|
66d30e3005
|
WireGuard update-users fix (#1183) | ||
|
Jack Ivanov
|
fbc7b29456 | WireGuard update-users fix (#1154) | ||
|
Jack Ivanov
|
efc8dc7620
|
add tags for the wireguard qr code task. variables fix (#1147) | ||
|
Jack Ivanov
|
1442586682 |
WireGuard: Generate QR codes (#1129)
* WireGuard: Generate QR codes * Update client-android.md |
||
|
Jack Ivanov
|
dbd68aa97d |
WireGuard BSD (#1083)
* WireGuard BSD * Remove unneeded config option * Enable PersistentKeepalive for NAT and Firewall Traversal Persistence * Install dnscrypt-proxy from repositories |
||
|
Jack Ivanov
|
e8947f318b |
Large refactor to support Ansible 2.5 (#976)
* Refactoring, booleans declaration and update users fix * Make server_name more FQDN compatible * Rename variables * Define the default value for store_cakey * Skip a prompt about the SSH user if deploying to localhost * Disable reboot for non-cloud deployments * Enable EC2 volume encryption by default * Add default server value (localhost) for the local installation Delete empty files * Add default region to aws_region_facts * Update docs * EC2 credentials fix * Warnings fix * Update deploy-from-ansible.md * Fix a typo * Remove lightsail from the docs * Disable EC2 encryption by default * rename droplet to server * Disable dependencies * Disable tls_cipher_suite * Convert wifi-exclude to a string. Update-users fix * SSH access congrats fix * 16.04 > 18.04 * Dont ask for the credentials if specified in the environment vars * GCE server name fix |
||
|
Jack Ivanov
|
53d1113881 | Split up unattended upgrades (#1041) | ||
|
Jack Ivanov
|
d1c58f0d28
|
apt_repository fix (#1017) | ||
|
Jack Ivanov
|
3488e660ad |
Add WireGuard support for Android (#910)
* WireGuard Implementation * Update client-android.md * Update README.md * WireGuard unattended upgrades * Update README.md * reload-module-on-update and syntax fix * SaveConfig to true * Azure firewall. Fixes #962 * Update README.md * Update client-android.md |
