Merge branch 'master' into master

Author: dguido

Diff for: config.cfg

@@ -206,7 +206,7 @@ cloud_providers:
     image: Ubuntu 22.04 Jammy Jellyfish
     arch: x86_64
   hetzner:
-    server_type: cx11
+    server_type: cx22
     image: ubuntu-22.04
   openstack:
     flavor_ram: ">=512"
@@ -217,7 +217,7 @@ cloud_providers:
     disk: 10
   vultr:
     os: Ubuntu 22.04 LTS x64
-    size: 1024 MB RAM,25 GB SSD,1.00 TB BW
+    size: vc2-1c-1gb
   linode:
     type: g6-nanode-1
     image: linode/ubuntu22.04

Diff for: docs/cloud-amazon-ec2.md

@@ -6,12 +6,18 @@ Creating an Amazon AWS account requires giving Amazon a phone number that can re
 
 ### Select an EC2 plan
 
-The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the "AWS Free Tier." It is only available to new AWS customers, it has limits on usage, and it converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices.
+The cheapest EC2 plan you can choose is the "Free Plan" a.k.a. the ["AWS Free Tier"](https://aws.amazon.com/free/). It is only available to new AWS customers, it has limits on usage, and it converts to standard pricing after 12 months (the "introductory period"). After you exceed the usage limits, after the 12 month period, or if you are an existing AWS customer, then you will pay standard pay-as-you-go service prices.
 
 *Note*: Your Algo instance will not stop working when you hit the bandwidth limit, you will just start accumulating service charges on your AWS account.
 
 As of the time of this writing (July 2018), the Free Tier limits include "750 hours of Amazon EC2 Linux t2.micro instance usage" per month, 15 GB of bandwidth (outbound) per month, and 30 GB of cloud storage. Algo will not even use 1% of the storage limit, but you may have to monitor your bandwidth usage or keep an eye out for the email from Amazon when you are about to exceed the Free Tier limits.
 
+If you are not eligible for the free tier plan or have passed the 12 months of the introductory period, you can switch to [AWS Graviton](https://aws.amazon.com/ec2/graviton/) instances that are generally cheaper. To use the graviton instances, make the following changes in the ec2 section of your `config.cfg` file:
+* Set the `size` to `t4g.nano`
+* Set the `arch` to `arm64`
+
+> Currently, among all the instance sizes available on AWS, the t4g.nano instance is the least expensive option that does not require any promotional offers. However, AWS is currently running a promotion that provides a free trial of the `t4g.small` instance until December 31, 2023, which is available to all customers. For more information about this promotion, please refer to the [documentation](https://aws.amazon.com/ec2/faqs/#t4g-instances).
+
 Additional configurations are documented in the [EC2 section of the deploy from ansible guide](https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md#amazon-ec2)
 
 ### Create an AWS permissions policy
@@ -81,11 +87,11 @@ Next, you will be asked for the AWS Access Key (Access Key ID) and AWS Secret Ke
 Enter your aws_access_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 Note: Make sure to use an IAM user with an acceptable policy attached (see https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md).
 [pasted values will not be displayed]
-[AKIA...]: 
+[AKIA...]:
 
 Enter your aws_secret_key (http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html)
 [pasted values will not be displayed]
-[ABCD...]: 
+[ABCD...]:
 ```
 
 You will be prompted for the server name to enter. Feel free to leave this as the default ("algo") if you are not certain how this will affect your setup. Here we chose to call it "algovpn".
@@ -116,7 +122,7 @@ What region should the server be located in?
     14. us-east-2
     15. us-west-1
     16. us-west-2
-  
+
 Enter the number of your desired region
 [13]
 :

Diff for: docs/deploy-from-cloudshell.md

@@ -1,5 +1,4 @@
 # Deploy from Google Cloud Shell
-**IMPORTANT NOTE: As of 2021-12-14 Algo requires Python 3.8, but Google Cloud Shell only provides Python 3.7.3. The instructions below will not work until Google updates Cloud Shell to have at least Python 3.8.**
 
 If you want to try Algo but don't wish to install the software on your own system, you can use the **free** [Google Cloud Shell](https://cloud.google.com/shell/) to deploy a VPN to any supported cloud provider. Note that you cannot choose `Install to existing Ubuntu server` to turn Google Cloud Shell into your VPN server.
 

Diff for: roles/cloud-hetzner/tasks/main.yml

@@ -6,15 +6,15 @@
   import_tasks: prompts.yml
 
 - name: Create an ssh key
-  hcloud_ssh_key:
+  hetzner.hcloud.ssh_key:
     name: algo-{{ 999999 | random(seed=lookup('file', SSH_keys.public)) }}
     public_key: "{{ lookup('file', SSH_keys.public) }}"
     state: present
     api_token: "{{ algo_hcloud_token }}"
   register: hcloud_ssh_key
 
 - name: Create a server...
-  hcloud_server:
+  hetzner.hcloud.server:
     name: "{{ algo_server_name }}"
     location: "{{ algo_hcloud_region }}"
     server_type: "{{ cloud_providers.hetzner.server_type }}"

Diff for: roles/cloud-hetzner/tasks/prompts.yml

@@ -13,13 +13,13 @@
     algo_hcloud_token: "{{ hcloud_token | default(_hcloud_token.user_input|default(None)) | default(lookup('env','HCLOUD_TOKEN'), true) }}"
 
 - name: Get regions
-  hcloud_datacenter_facts:
+  hetzner.hcloud.datacenter_info:
     api_token: "{{ algo_hcloud_token }}"
   register: _hcloud_regions
 
 - name: Set facts about the regions
   set_fact:
-    hcloud_regions: "{{ hcloud_datacenter_facts | sort(attribute='location') }}"
+    hcloud_regions: "{{ _hcloud_regions.hcloud_datacenter_info | sort(attribute='location') }}"
 
 - name: Set default region
   set_fact:

Diff for: roles/cloud-vultr/tasks/main.yml

@@ -4,16 +4,17 @@
 
 - block:
     - name: Creating a firewall group
-      vultr_firewall_group:
+      vultr.cloud.firewall_group:
         name: "{{ algo_server_name }}"
 
     - name: Creating firewall rules
-      vultr_firewall_rule:
+      vultr.cloud.firewall_rule:
         group: "{{ algo_server_name }}"
         protocol: "{{ item.protocol }}"
         port: "{{ item.port }}"
-        ip_version: "{{ item.ip }}"
-        cidr: "{{ item.cidr }}"
+        ip_type: "{{ item.ip }}"
+        subnet: "{{ item.cidr.split('/')[0] }}"
+        subnet_size: "{{ item.cidr.split('/')[1] }}"
       with_items:
         - { protocol: tcp, port: "{{ ssh_port }}", ip: v4, cidr: 0.0.0.0/0 }
         - { protocol: tcp, port: "{{ ssh_port }}", ip: v6, cidr: "::/0" }
@@ -25,13 +26,13 @@
         - { protocol: udp, port: "{{ wireguard_port }}", ip: v6, cidr: "::/0" }
 
     - name: Upload the startup script
-      vultr_startup_script:
+      vultr.cloud.startup_script:
         name: algo-startup
         script: |
           {{ lookup('template', 'files/cloud-init/base.yml') }}
 
     - name: Creating a server
-      vultr_server:
+      vultr.cloud.instance:
         name: "{{ algo_server_name }}"
         startup_script: algo-startup
         hostname: "{{ algo_server_name }}"
@@ -40,17 +41,18 @@
         region: "{{ algo_vultr_region }}"
         firewall_group: "{{ algo_server_name }}"
         state: started
-        tag: Environment:Algo
-        ipv6_enabled: true
-        auto_backup_enabled: false
-        notify_activate: false
+        tags:
+          - Environment:Algo
+        enable_ipv6: true
+        backups: false
+        activation_email: false
       register: vultr_server
 
     - set_fact:
-        cloud_instance_ip: "{{ vultr_server.vultr_server.v4_main_ip }}"
+        cloud_instance_ip: "{{ vultr_server.vultr_instance.main_ip }}"
         ansible_ssh_user: algo
         ansible_ssh_port: "{{ ssh_port }}"
         cloudinit: true
 
   environment:
-    VULTR_API_CONFIG: "{{ algo_vultr_config }}"
+    VULTR_API_KEY: "{{ lookup('ini', 'key', section='default', file=algo_vultr_config) }}"

Diff for: roles/cloud-vultr/tasks/prompts.yml

@@ -42,7 +42,7 @@
       What region should the server be located in?
       (https://www.vultr.com/locations/):
         {% for r in vultr_regions %}
-        {{ loop.index }}.   {{ r['name'] }}
+        {{ loop.index }}.   {{ r['name'] }} ({{ r['regioncode'] | lower }})
         {% endfor %}
 
       Enter the number of your desired region
@@ -54,5 +54,5 @@
   set_fact:
     algo_vultr_region: >-
       {% if region is defined %}{{ region }}
-      {%- elif _algo_region.user_input %}{{ vultr_regions[_algo_region.user_input | int -1 ]['name'] }}
-      {%- else %}{{ vultr_regions[default_region | int - 1]['name'] }}{% endif %}
+      {%- elif _algo_region.user_input %}{{ vultr_regions[_algo_region.user_input | int -1 ]['regioncode'] | lower }}
+      {%- else %}{{ vultr_regions[default_region | int - 1]['regioncode'] | lower }}{% endif %}

Diff for: roles/strongswan/tasks/openssl.yml

@@ -155,10 +155,25 @@
         format: OpenSSH
       with_items: "{{ users }}"
 
+    - name: Get OpenSSL version
+      shell: |
+        set -o pipefail
+        {{ openssl_bin }} version |
+        cut -f 2 -d ' '
+      args:
+        executable: bash
+      register: ssl_version
+      run_once: true
+
+    - name: Set OpenSSL version fact
+      set_fact:
+        openssl_version: "{{ ssl_version.stdout }}"
+
     - name: Build the client's p12
       shell: >
         umask 077;
         {{ openssl_bin }} pkcs12
+        {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
         -in certs/{{ item }}.crt
         -inkey private/{{ item }}.key
         -export
@@ -175,6 +190,7 @@
       shell: >
         umask 077;
         {{ openssl_bin }} pkcs12
+        {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
         -in certs/{{ item }}.crt
         -inkey private/{{ item }}.key
         -export

Diff for: users.yml

@@ -25,18 +25,17 @@
           set_fact:
             server_list: >-
               [{% for i in _configs_list.files %}
-                {% set config  = lookup('file', i.path)|from_yaml %}
-                '{{ config.server }}'
-                {{ ',' if not loop.last else '' }}
+                {% set config = lookup('file', i.path) | from_yaml %}
+                {{ {'server': config.server, 'IP_subject_alt_name': config.IP_subject_alt_name} }}
               {% endfor %}]
 
         - name: Server address prompt
           pause:
             prompt: |
-              Select the server to update user list below:
+              Select the server to update user list below: 
                 {% for r in server_list %}
-                {{ loop.index }}. {{ r }}
-                {% endfor %}
+                  {{ loop.index }}. {{ r.server }} ({{ r.IP_subject_alt_name }})
+              {% endfor %}
           register: _server
       when: server is undefined
 
@@ -45,7 +44,7 @@
           set_fact:
             algo_server: >-
               {% if server is defined %}{{ server }}
-              {%- elif _server.user_input %}{{ server_list[_server.user_input | int -1 ] }}
+              {%- elif _server.user_input %}{{ server_list[_server.user_input | int -1 ].server }}
               {%- else %}omit{% endif %}
 
         - name: Import host specific variables