Merging 2.x.

Author: gregharvey

docs/_Sidebar.md

@@ -60,7 +60,7 @@
        - [MySQL Server - Oracle Community Edition](/roles/debian/mysql_server_oracle_ce)
        - [NGINX](/roles/debian/nginx)
        - [NodeJS](/roles/debian/nodejs)
-       - [OpenVPN Config](/roles/debian/openvpn_config)
+       - [OpenVPN](/roles/debian/openvpn)
        - [OSSEC](/roles/debian/ossec)
        - [Packer](/roles/debian/packer)
        - [PHP Composer](/roles/debian/php_composer)

docs/roles/debian/nginx.md

@@ -69,6 +69,7 @@ nginx:
         # reload_command: restart
         # reload:
         #   - nginx
+        # on_calendar: "Mon *-*-* 04:00:00"
       ratelimitingcrawlers: true
       is_default: true
       basic_auth:

docs/roles/debian/openvpn.md

@@ -0,0 +1,61 @@
+# OpenVPN
+This role installs [the `openvpn-install.sh`` bash script from GitHub](https://github.com/angristan/openvpn-install) and optionally runs it in headless mode.
+
+## PAM authentication
+There are two options here, one is simple PAM authentication against Linux users, the other is PAM authentication with LDAP. If you want to provide a custom PAM configuration you should set `openvpn.pam.enabled` to `true` and create your own template to override the `openvpn.pam.j2` template provided. This file is placed in `/etc/pam.d/openvpn` and loaded by the OpenVPN authentication module to perform authorisation checks.
+
+The LDAP integration ships with a default configuration for PAM which, as above, can be overridden. It assumes the use of [our `pam_ldap` role](https://github.com/codeenigma/ce-provision/tree/2.x/roles/debian/pam_ldap) for the LDAP variables and defaults to those values, but they can be set explicitly if required.
+
+## Hardcoded values
+At the moment we do not support headless customisation of encryption settings. This seems possible [by setting the right variables](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L392-L401) and we'll add it later if we can. The defaults are sane, but please note the default cipher is `AES-128-GCM`. We have allowed for finding and replacing this value as part of our role.
+
+[The client config directory is set to `/etc/openvpn/ccd`.](https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L900C19-L900C35)
+
+<!--ROLEVARS-->
+## Default variables
+```yaml
+---
+openvpn:
+  script_install_path: "/home/{{ user_provision.username }}"
+  auto_install: true
+  name: vpn.example.com
+  ipv4_settings: "" # defaults to `10.8.0.0 255.255.255.0` - example, to use 192.168.140.0/24 set "192.168.140.0 255.255.255.0"
+  cipher: "" # defaults to AES-128-GCM, see https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L404-L410
+  allow_floating_client_ip: true # allow for ISP address change with DHCP (option float)
+  multiple_connections: false # set to true to enable multiple VPN connections (option duplicate-cn)
+  approve_ip: "y"
+  ipv6_support: "n"
+  port_choice: "1" # 1 = use default 1194, 3 means use a random port
+  protocol_choice: "1" # 1 = udp, 2 = tcp
+  dns: "1" # 1 = system default, see options - https://github.com/angristan/openvpn-install/blob/master/openvpn-install.sh#L314-L327
+  compression_enabled: "n"
+  compression_choice: "1" # only works if compression_enabled is "y", 1 = LZ4-v2, 2 = LZ4, 3 = LZ0
+  customize_enc: "n"
+  pass: "1"
+  #nat_endpoint: "$(curl -4 ifconfig.co)" # for servers behind NAT, see https://github.com/angristan/openvpn-install?tab=readme-ov-file#headless-install
+  push_routes_ipv4: [] # list of VPN push routes for ipv4 networks
+    # Examples:
+    # - "192.168.1.0 255.255.255.0" # push range 192.168.1.0/24, format = "IP-address/range netmask"
+    # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4
+    # - www.google-analytics.com # push any IP resolving to www.google-analytics.com
+  push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y"
+  pam:
+    enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian
+    module_path: /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so # use `dpkg -L openvpn | grep '\bpam\b'` to discover the path
+    config_template: openvpn.pam.j2 # allow override of PAM config template
+  ldap:
+    enabled: false # if true we assume the pam_ldap role is also being used on this server
+    config_template: openvpn.pam.ldap.j2 # allow override of PAM config template for LDAP
+    endpoints: "{{ pam_ldap.endpoints | default('[]') }}"
+    lookup_base: "{{ pam_ldap.lookup_base | default('') }}"
+    lookup_filter: "|(objectClass=inetOrgPerson)" # LDAP filter to apply to lookups
+    login_attribute: uid # the LDAP attribute to check the OpenVPN username against
+    group_base: "" # e.g. ou=Groups,dc=example,dc=com
+    group_dn: "" # restrict to specific group, e.g. cn=admins,ou=Groups,dc=example,dc=com
+    group_attribute: memberUid # the LDAP group attribute to check the OpenVPN username against
+    ssl_certificate: "{{ pam_ldap.ssl_certificate | default('') }}"
+    ssl_certificate_check: "{{ pam_ldap.ssl_certificate_check | default(true) }}"
+
+```
+
+<!--ENDROLEVARS-->

roles/aws/aws_iam_saml/templates/access_billing_policy.j2

@@ -9,7 +9,8 @@
         "freetier:*",
         "ce:*",
         "cur:*",
-        "tax:*"
+        "tax:*",
+        "sustainability:*"
       ],
       "Effect": "Allow",
       "Resource": "*"
@@ -27,7 +28,7 @@
         "tax:BatchPutTaxRegistration",
         "tax:DeleteTaxRegistration",
         "tax:PutTaxInheritance"
-      ]
+      ],
       "Effect": "Deny",
       "Resource": "*"
     }

roles/debian/ce_provision/meta/requirements-10.yml

@@ -16,4 +16,3 @@ roles:
   - name: geerlingguy.firewall
   - name: geerlingguy.composer
   - name: geerlingguy.clamav
-  - name: robertdebock.openvpn

roles/debian/ce_provision/meta/requirements-11.yml

@@ -14,4 +14,3 @@ roles:
   - name: geerlingguy.firewall
   - name: geerlingguy.composer
   - name: geerlingguy.clamav
-  - name: robertdebock.openvpn

roles/debian/ce_provision/meta/requirements-12.yml

@@ -14,4 +14,3 @@ roles:
   - name: geerlingguy.firewall
   - name: geerlingguy.composer
   - name: geerlingguy.clamav
-  - name: robertdebock.openvpn

roles/debian/firewall_config/tasks/main.yml

@@ -1,14 +1,4 @@
 ---
-# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done
-- name: Install iptables with backports. # we have to do this in ce-dev or the contrib role will fail
-  ansible.builtin.apt:
-    pkg: ["iptables"]
-    state: present
-    default_release: buster-backports
-  when:
-    - is_local is defined
-    - is_local
-
 - name: Shift general firewall settings to expected variables.
   ansible.builtin.set_fact:
     firewall_state: "{{ firewall_config.firewall_state }}"

roles/debian/ldap_server/tasks/main.yml

@@ -14,21 +14,10 @@
     purge: true
   when: ldap_server.slapd.purge
 
-# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done
-- name: Ensure LDAP and dependencies are installed from backports.
-  ansible.builtin.apt:
-    pkg: ["slapd", "ldapscripts", "libldap2-dev"] # python-ldap needs libldap2-dev
-    state: present
-    default_release: buster-backports
-  when:
-    - is_local is defined
-    - is_local
-
 - name: Ensure LDAP and python-ldap and dependencies are installed.
   ansible.builtin.apt:
     pkg: ["slapd", "ldapscripts", "libldap2-dev"]
     state: present
-  when: is_local is not defined
 
 - name: Ensure additional dependencies for python-ldap are installed.
   ansible.builtin.apt:

roles/debian/lhci/tasks/main.yml

@@ -10,26 +10,6 @@
     state: present
     filename: google-chrome
 
-# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done
-- name: Install Google Chrome "headful" mode dependencies from backports.
-  ansible.builtin.apt:
-    name:
-      - xorg
-      - xvfb
-      - gtk2-engines-pixbuf
-      - dbus-x11
-      - xfonts-base
-      - xfonts-100dpi
-      - xfonts-75dpi
-      - xfonts-cyrillic
-      - xfonts-scalable
-    default_release: buster-backports
-    state: present
-  when:
-    - is_local
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "10"
-
 - name: Install Google Chrome "headful" mode dependencies.
   ansible.builtin.apt:
     name:
@@ -43,27 +23,13 @@
       - xfonts-cyrillic
       - xfonts-scalable
     state: present
-  when: is_local is not defined
-
-# @TODO remove when https://redmine.codeenigma.net/issues/58246 can be done
-- name: Install VNC support from backports.
-  ansible.builtin.apt:
-    name: x11vnc
-    default_release: buster-backports
-    state: present
-  when:
-    - lhci.enable_vnc
-    - is_local
-    - ansible_distribution == "Debian"
-    - ansible_distribution_major_version == "10"
 
 - name: Install VNC support.
   ansible.builtin.apt:
     name: x11vnc
     state: present
   when:
     - lhci.enable_vnc
-    - is_local is not defined
 
 - name: Configure Xvfb to start on boot.
   ansible.builtin.shell: |