* use password module to generate password
* fix variable reference
* reduce character set to meet origin design
* CA and p12 password chanes
- Move the CA_password generation task to the native lookup plugin
- Get rid of unneeded tasks
* Keep custom dnscrypt-proxy conffile when upgrading
* Unattended upgrade tuning
- Upgrade the 50unattended-upgrades file with latest options
- Keep the common unattended upgrade options in one file
- Enable removing of unused kernels and dependencies to save some space
* adding preshared key generation
* adding preshared folder
* Update client.conf.j2
adding preshared key options
* adding preshared keys to server template
* making sure private preshared is right
* making sure preshared keygen working for main.yml
* changing private to preshared for name
* changing to preshared dir instead of public
* Support for associating to existing AWS Elastic IP
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
* Backport ec2_eip_facts module for EIP support
This means that EIP support no longer requires Ansible 2.6
The local fact module has been named ec2_elasticip_facts
to avoid conflict with the ec2_eip_facts module whenever
the Ansible 2.6 upgrade takes place.
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
* Update from review feedback.
Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>
* Move to the native module. Add additional condition for existing Elastic IP
With preexisting wait_for implementation, deployment to Ubuntu on Lightsail failed with a connection reset error on this task. It appears that Ansible’s wait_for_connection is the recommended way. I have successfully gotten past this task after this change, however I’d appreciate more eyes on this.
* generate service IPs dynamically
* update cloud-init tests
* exclude ipsec and wireguard ranges from the random service ip
* Update docs
* @davidemyers: update wireguard docs for linux
* Move to netaddr filter
* AllowedIPs fix
* WireGuard IPs fix
* Update main.yml
* Change module names and add IPv6 firewall rules
Uses guide at https://www.renemoser.net/blog/2018/03/19/vultr-firewalling-with-ansible/ written by Rene Moser.
* change vultr to vr
* add ip_version to firewall rules
* add SSH access rules
* Use variable for wireguard port
* update module names for ansible 2.7
* Fix trailing whitespaces
* Try to fix trailing whitespaces again
<!--- Provide a general summary of your changes in the Title above -->
## Description
Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes#1330 and closes#1162
Configures Ansible to use python3 on the server side. Closes#1024
Removes unneeded playbooks, reorganises a lot of variables
Reorganises the `config` folder. Closes#1330
<details><summary>Here is how the config directory looks like now</summary>
<p>
```
configs/X.X.X.X/
|-- ipsec
| |-- apple
| | |-- desktop.mobileconfig
| | |-- laptop.mobileconfig
| | `-- phone.mobileconfig
| |-- manual
| | |-- cacert.pem
| | |-- desktop.p12
| | |-- desktop.ssh.pem
| | |-- ipsec_desktop.conf
| | |-- ipsec_desktop.secrets
| | |-- ipsec_laptop.conf
| | |-- ipsec_laptop.secrets
| | |-- ipsec_phone.conf
| | |-- ipsec_phone.secrets
| | |-- laptop.p12
| | |-- laptop.ssh.pem
| | |-- phone.p12
| | `-- phone.ssh.pem
| `-- windows
| |-- desktop.ps1
| |-- laptop.ps1
| `-- phone.ps1
|-- ssh-tunnel
| |-- desktop.pem
| |-- desktop.pub
| |-- laptop.pem
| |-- laptop.pub
| |-- phone.pem
| |-- phone.pub
| `-- ssh_config
`-- wireguard
|-- desktop.conf
|-- desktop.png
|-- laptop.conf
|-- laptop.png
|-- phone.conf
`-- phone.png
```
</p>
</details>
## Motivation and Context
This refactoring is focused to aim to the 1.0 release
## How Has This Been Tested?
Deployed to several cloud providers with various options enabled and disabled
## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Refactoring
## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] All new and existing tests passed.
If a user is not connected to a trusted Wi-Fi network or if the
URLStringProbe fails none of the existing dictionaries match.
According to the Apple Configuration Profile Reference[1] section "VPN
Payload > On Demand Rules Dictionary Keys" a default behavior for
unknown networks with no matching criteria should always be set as the
last dictionary in the array. The current default behavior is to allow a
connection to occur, but this behavior is not guaranteed.
Tear down the VPN connection and do not reconnect on demand as long as
the catch-all dictionary matches to guarantee the default behavior and
more specifically allow users to access captive portals.
[1]: https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
