diff --git a/config.cfg b/config.cfg
index e8b6559bc..6d579b71e 100644
--- a/config.cfg
+++ b/config.cfg
@@ -206,7 +206,7 @@ cloud_providers:
 image: Ubuntu 22.04 Jammy Jellyfish
 arch: x86_64
 hetzner:
- server_type: cx11
+ server_type: cx22
 image: ubuntu-22.04
 openstack:
 flavor_ram: ">=512"
@@ -217,7 +217,7 @@ cloud_providers:
 disk: 10
 vultr:
 os: Ubuntu 22.04 LTS x64
- size: 1024 MB RAM,25 GB SSD,1.00 TB BW
+ size: vc2-1c-1gb
 linode:
 type: g6-nanode-1
 image: linode/ubuntu22.04
diff --git a/docs/cloud-amazon-ec2.md b/docs/cloud-amazon-ec2.md
index 90026dc53..9c0292744 100644
--- a/docs/cloud-amazon-ec2.md
+++ b/docs/cloud-amazon-ec2.md
@@ -6,12 +6,18 @@ Creating an Amazon AWS account requires giving Amazon a phone number that can re ### Select an EC2 plan -The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tier." It is only available to new AWS customers, it has limits on usage, and it converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices. +The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the ["AWS Free Tier"](https://aws.amazon.com/free/). It is only available to new AWS customers, it has limits on usage, and it converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices. *Note*: Your Algo instance will not stop working when you hit the bandwidth limit, you will just start accumulating service charges on your AWS account. As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits. +If you are not eligible for the free tier plan or have passed the 12 months of the introductory period, you can switch to [AWS Graviton](https://aws.amazon.com/ec2/graviton/) instances that are generally cheaper. 
To use the graviton instances, make the following changes in the ec2 section of your `config.cfg` file: +* Set the `size` to `t4g.nano` +* Set the `arch` to `arm64` + +> Currently, among all the instance sizes available on AWS, the t4g.nano instance is the least expensive option that does not require any promotional offers. However, AWS is currently running a promotion that provides a free trial of the `t4g.small` instance until December 31, 2023, which is available to all customers. For more information about this promotion, please refer to the [documentation](https://aws.amazon.com/ec2/faqs/#t4g-instances). + Additional configurations are documented in the [EC2 section of the deploy from ansible guide](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#amazon-ec2) ### Create an AWS permissions policy @@ -81,11 +87,11 @@ Next, you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Ke Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md). [pasted values will not be displayed] -[AKIA...]: +[AKIA...]: Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) [pasted values will not be displayed] -[ABCD...]: +[ABCD...]: ``` You will be prompted for the server name to enter. Feel free to leave this as the default ("algo") if you are not certain how this will affect your setup. Here we chose to call it "algovpn". @@ -116,7 +122,7 @@ What region should the server be located in? 14. us-east-2 15. us-west-1 16. us-west-2 - + Enter the number of your desired region [13] : diff --git a/docs/deploy-from-cloudshell.md b/docs/deploy-from-cloudshell.md index 369824765..e43ecd24a 100644 --- a/docs/deploy-from-cloudshell.md +++ b/docs/deploy-from-cloudshell.md 
@@ -1,5 +1,4 @@ # Deploy from Google Cloud Shell -**IMPORTANT NOTE: As of 2021-12-14 Algo requires Python 3.8, but Google Cloud Shell only provides Python 3.7.3. The instructions below will not work until Google updates Cloud Shell to have at least Python 3.8.** If you want to try Algo but don't wish to install the software on your own system, you can use the **free** [Google Cloud Shell](https://cloud.google.com/shell/) to deploy a VPN to any supported cloud provider. Note that you cannot choose `Install to existing Ubuntu server` to turn Google Cloud Shell into your VPN server.
diff --git a/roles/cloud-hetzner/tasks/main.yml b/roles/cloud-hetzner/tasks/main.yml
index c533164c9..e30ae008e 100644
--- a/roles/cloud-hetzner/tasks/main.yml
+++ b/roles/cloud-hetzner/tasks/main.yml
@@ -6,7 +6,7 @@
 import_tasks: prompts.yml
 
 - name: Create an ssh key
- hcloud_ssh_key:
+ hetzner.hcloud.ssh_key:
 name: algo-{{ 999999 | random(seed=lookup('file', SSH_keys.public)) }}
 public_key: "{{ lookup('file', SSH_keys.public) }}"
 state: present
@@ -14,7 +14,7 @@
 register: hcloud_ssh_key
 
 - name: Create a server...
- hcloud_server:
+ hetzner.hcloud.server:
 name: "{{ algo_server_name }}"
 location: "{{ algo_hcloud_region }}"
 server_type: "{{ cloud_providers.hetzner.server_type }}"
diff --git a/roles/cloud-hetzner/tasks/prompts.yml b/roles/cloud-hetzner/tasks/prompts.yml
index 5f240df29..3663b7e67 100644
--- a/roles/cloud-hetzner/tasks/prompts.yml
+++ b/roles/cloud-hetzner/tasks/prompts.yml
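Review bot: Switching `hcloud_ssh_key`/`hcloud_server` to the `hetzner.hcloud.ssh_key` and `hetzner.hcloud.server` FQCNs makes the play depend on the `hetzner.hcloud` collection, and no `requirements.yml` change is part of this diff, so a fresh checkout fails at these tasks with an unresolved-module error unless the collection is pinned elsewhere in the commit; the same applies to `hetzner.hcloud.datacenter_info` in prompts.yml and to the `vultr.cloud.*` modules in roles/cloud-vultr. Neither task passes `api_token` within the shown lines; the unseen line between the two hunks may carry it, otherwise the module (as far as I recall) falls back to the `HCLOUD_TOKEN` environment variable, which would bypass the token prompted for in prompts.yml — worth confirming. Both task definitions continue past their hunks.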
@@ -13,13 +13,13 @@
 algo_hcloud_token: "{{ hcloud_token | default(_hcloud_token.user_input|default(None)) | default(lookup('env','HCLOUD_TOKEN'), true) }}"
 
 - name: Get regions
- hcloud_datacenter_facts:
+ hetzner.hcloud.datacenter_info:
 api_token: "{{ algo_hcloud_token }}"
 register: _hcloud_regions
 
 - name: Set facts about the regions
 set_fact:
- hcloud_regions: "{{ hcloud_datacenter_facts | sort(attribute='location') }}"
+ hcloud_regions: "{{ _hcloud_regions.hcloud_datacenter_info | sort(attribute='location') }}"
 
 - name: Set default region
 set_fact:
diff --git a/roles/cloud-vultr/tasks/main.yml b/roles/cloud-vultr/tasks/main.yml
index 2aa1b8daf..ccbcd13b6 100644
--- a/roles/cloud-vultr/tasks/main.yml
+++ b/roles/cloud-vultr/tasks/main.yml
@@ -4,16 +4,17 @@
 
 - block:
 - name: Creating a firewall group
- vultr_firewall_group:
+ vultr.cloud.firewall_group:
 name: "{{ algo_server_name }}"
 
 - name: Creating firewall rules
- vultr_firewall_rule:
+ vultr.cloud.firewall_rule:
 group: "{{ algo_server_name }}"
 protocol: "{{ item.protocol }}"
 port: "{{ item.port }}"
- ip_version: "{{ item.ip }}"
- cidr: "{{ item.cidr }}"
+ ip_type: "{{ item.ip }}"
+ subnet: "{{ item.cidr.split('/')[0] }}"
+ subnet_size: "{{ item.cidr.split('/')[1] }}"
 with_items:
 - { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: 0.0.0.0/0 }
 - { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" }
@@ -25,13 +26,13 @@
 - { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" }
 
 - name: Upload the startup script
- vultr_startup_script:
+ vultr.cloud.startup_script:
 name: algo-startup
 script: |
 {{ lookup('template', 'files/cloud-init/base.yml') }}
 
 - name: Creating a server
- vultr_server:
+ vultr.cloud.instance:
 name: "{{ algo_server_name }}"
 startup_script: algo-startup
 hostname: "{{ algo_server_name }}"
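Review bot: `subnet: "{{ item.cidr.split('/')[0] }}"` and `subnet_size: "{{ item.cidr.split('/')[1] }}"` assume every `cidr` in the loop list carries a prefix length; an entry written as a bare address would abort the task with a list-index error from inside the template rather than a clear message. The entries shown are `0.0.0.0/0` and `::/0`, i.e. the SSH and WireGuard ports are opened to every source, so a comment above `with_items:` such as `# entries must be address/prefix; /0 exposes the port to all sources` would document both the format assumption and the exposure. The `with_items` list continues past the hunk.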
@@ -40,17 +41,18 @@
 region: "{{ algo_vultr_region }}"
 firewall_group: "{{ algo_server_name }}"
 state: started
- tag: Environment:Algo
- ipv6_enabled: true
- auto_backup_enabled: false
- notify_activate: false
+ tags:
+ - Environment:Algo
+ enable_ipv6: true
+ backups: false
+ activation_email: false
 register: vultr_server
 
 - set_fact:
- cloud_instance_ip: "{{ vultr_server.vultr_server.v4_main_ip }}"
+ cloud_instance_ip: "{{ vultr_server.vultr_instance.main_ip }}"
 ansible_ssh_user: algo
 ansible_ssh_port: "{{ ssh_port }}"
 cloudinit: true
 
 environment:
- VULTR_API_CONFIG: "{{ algo_vultr_config }}"
+ VULTR_API_KEY: "{{ lookup('ini', 'key', section='default', file=algo_vultr_config) }}"
diff --git a/roles/cloud-vultr/tasks/prompts.yml b/roles/cloud-vultr/tasks/prompts.yml
index 1245b719f..51e2ddd61 100644
--- a/roles/cloud-vultr/tasks/prompts.yml
+++ b/roles/cloud-vultr/tasks/prompts.yml
@@ -42,7 +42,7 @@ What region should the server be located in? (https://www.vultr.com/locations/): {% for r in vultr_regions %} - {{ loop.index }}. {{ r['name'] }} + {{ loop.index }}. {{ r['name'] }} ({{ r['regioncode'] | lower }}) {% endfor %} Enter the number of your desired region
@@ -54,5 +54,5 @@
 set_fact:
 algo_vultr_region: >-
 {% if region is defined %}{{ region }}
- {%- elif _algo_region.user_input %}{{ vultr_regions[_algo_region.user_input | int -1 ]['name'] }}
- {%- else %}{{ vultr_regions[default_region | int - 1]['name'] }}{% endif %}
+ {%- elif _algo_region.user_input %}{{ vultr_regions[_algo_region.user_input | int -1 ]['regioncode'] | lower }}
+ {%- else %}{{ vultr_regions[default_region | int - 1]['regioncode'] | lower }}{% endif %}
diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index f51ac9dd0..f51a74dc3 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
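Review bot: `VULTR_API_KEY: "{{ lookup('ini', 'key', section='default', file=algo_vultr_config) }}"` places the API key itself into the block's `environment:`, where the old `VULTR_API_CONFIG` only carried a file path; Ansible's `-vvv` connection output prints each module command together with its environment prefix and `no_log` does not suppress that output, so a verbose or CI run of this role would write the Vultr key into the log. Passing the key through the modules' `api_key` parameter instead (which the `vultr.cloud` modules mark as sensitive, as far as I recall — verify) keeps it out of those lines and confines it to the tasks that need it rather than the whole block including `set_fact`. The `ini` lookup is evaluated on the controller, so `algo_vultr_config` has to be a controller-side path. The block begins before this hunk.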
@@ -155,10 +155,25 @@
 format: OpenSSH
 with_items: "{{ users }}"
 
+ - name: Get OpenSSL version
+ shell: |
+ set -o pipefail
+ {{ openssl_bin }} version |
+ cut -f 2 -d ' '
+ args:
+ executable: bash
+ register: ssl_version
+ run_once: true
+
+ - name: Set OpenSSL version fact
+ set_fact:
+ openssl_version: "{{ ssl_version.stdout }}"
+
 - name: Build the client's p12
 shell: >
 umask 077;
 {{ openssl_bin }} pkcs12
+ {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
 -in certs/{{ item }}.crt
 -inkey private/{{ item }}.key
 -export
@@ -175,6 +190,7 @@
 shell: >
 umask 077;
 {{ openssl_bin }} pkcs12
+ {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
 -in certs/{{ item }}.crt
 -inkey private/{{ item }}.key
 -export
diff --git a/users.yml b/users.yml
index e9e8c0868..77c81a90b 100644
--- a/users.yml
+++ b/users.yml
@@ -25,18 +25,17 @@
 set_fact:
 server_list: >-
 [{% for i in _configs_list.files %}
- {% set config = lookup('file', i.path)|from_yaml %}
- '{{ config.server }}'
- {{ ',' if not loop.last else '' }}
+ {% set config = lookup('file', i.path) | from_yaml %}
+ {{ {'server': config.server, 'IP_subject_alt_name': config.IP_subject_alt_name} }}
 {% endfor %}]
 
 - name: Server address prompt
 pause:
 prompt: |
- Select the server to update user list below:
+ Select the server to update user list below:
 {% for r in server_list %}
- {{ loop.index }}. {{ r }}
- {% endfor %}
+ {{ loop.index }}. {{ r.server }} ({{ r.IP_subject_alt_name }})
+ {% endfor %}
 register: _server
 when: server is undefined
 
@@ -45,7 +44,7 @@
 set_fact:
 algo_server: >-
 {% if server is defined %}{{ server }}
- {%- elif _server.user_input %}{{ server_list[_server.user_input | int -1 ] }}
+ {%- elif _server.user_input %}{{ server_list[_server.user_input | int -1 ].server }}
 {%- else %}omit{% endif %}
 
 - name: Import host specific variables
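Review bot: The `{{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}` line added to both pkcs12 invocations (here and in the -175 hunk) switches OpenSSL 3 back to its legacy PKCS#12 algorithms (RC2-40-CBC/3DES with a SHA-1 MAC instead of the AES-256/PBKDF2 default), and nothing in the code records why; a comment above it such as `# OpenSSL 3 writes AES-256 PKCS#12 bundles by default; -legacy keeps the pre-3.0 format for clients that cannot import the new one` would make the compatibility trade-off visible to whoever later removes it. The version probe `{{ openssl_bin }} version | cut -f 2 -d ' '` treats any second field of 3 or more as OpenSSL 3, so a LibreSSL binary (which also reports `3.x`) would be handed `-legacy`, an option it does not accept; if `openssl_bin` can resolve to such a build, gate on the first field being `OpenSSL` as well. `-legacy` also requires the legacy provider to be loadable, which some minimal OpenSSL 3 packages omit. The pkcs12 task bodies continue past the hunks.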
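Review bot: The new `server_list` entries read `config.IP_subject_alt_name` unconditionally and the prompt then renders `{{ r.IP_subject_alt_name }}`, so a config under `_configs_list.files` that lacks that key (a file written by an older deployment, if any exist) now aborts the `set_fact` with an undefined-attribute error instead of merely listing the server as the old code did. `'IP_subject_alt_name': config.IP_subject_alt_name | default('')` in the dict literal would keep server selection working for such files. The `set_fact` task starts before the hunk.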