Openvpn client config pr devel 2.x (#2296)

gregharvey · matej5 · Matej Stajduhar · web-flow · commit 8be6475ff80a · 2025-02-11T17:17:24.000+01:00
* Adding-retry-and-delay-on-lambda-creation-due-to-IAM-role-creation (#1593)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Adding-wait-task-prior-to-lambda-creation (#1595)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* nginx-config-backup-and-cleaup-vhosts-on-rebuild (#1590)

* nginx-config-backup-and-cleaup-vhosts-on-rebuild

* change module from command to unarchive

* change module from command to unarchive

* Adding-CF-S3-logging (#1596)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* php clear_env config option (#1599)

* move ssl to domain.yml to fix the loop; remove checking for existing vhost as the LE proxy handling may not be there if SSL wasn not configured before, and the vhost will not be there as we are recreating them by default (#1601)

* Allowing multiple clamscan wrapper scripts and timers per server. (#1538)

* Allowing multiple clamscan wrapper scripts and timers per server.

* Updating docs.!

* Giving the timer a consistent name.

* r69219-Updating-Scheduler-json-target (#1603)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* R68069 alb healthchecks and nginx pr 2.x (#1609)

* r68069-alb-healthchecks-and-nginx

* r68069-alb-healthchecks-and-nginx

* r68069-alb-healthchecks-and-nginx

* r68069-nice-indentation

* R69332 le cron mail alerts pr 2.x (#1605)

* r69332-le-cron-mail-alerts

* Changing-recipient-to-var

* Changing-recipient-to-var-2

* Fixing-email-var

* Fixing-email-var-2

* Aws acl defaults pr 2.x (#1614)

* Fixing AWS ACL role defaults.

* Docs update.

* Punctuation fix!

* Small-changes-to-roles (#1617)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Updating-aws-acl-role (#1626)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Apt repo role pr 2.x (#1620)

* First pass at APT repo role.

* Adding APT autoremove task to the _exit role.

* Adding systemd timer for APT key renewal.

* Adding role documentation.

* Adding new role to MySQL role to test.

* Adding python-debian dependency for deb822 repo handling.

* Removing obsolete variable check.

* Defaulting the APT 'suites' value to the Ansible-detected release name.

* Adding APT suite to MySQL repo installation.

* Better docs and fixed a syntax error.

* Fixing shell script for refreshing APT keys.

* Ensuring APT clean-up in _exit always runs as root.

* Fixing up MySQL config for 8.0 and tidying vars.

* Apt repo role pr 2.x (#1631)

* First pass at APT repo role.

* Adding APT autoremove task to the _exit role.

* Adding systemd timer for APT key renewal.

* Adding role documentation.

* Adding new role to MySQL role to test.

* Adding python-debian dependency for deb822 repo handling.

* Removing obsolete variable check.

* Defaulting the APT 'suites' value to the Ansible-detected release name.

* Adding APT suite to MySQL repo installation.

* Better docs and fixed a syntax error.

* Fixing shell script for refreshing APT keys.

* Ensuring APT clean-up in _exit always runs as root.

* Fixing up MySQL config for 8.0 and tidying vars.

* Adding MySQL repo to unattended upgrades.

* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.

* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.

* Updating docs index.

* Adding Docker repo to unattended upgrades.

* Updating MySQL docs.

* Updating repo handling for GitLab and GitLab Runner.

* Ensuring wget is installed.

* wget seems more reliable than cURL for key fetching.

* Updating Jenkins repo handling.

* Fixing openjdk default version and updating nodejs APT repo handling.

* Removing OSSEC, replaced by Wazuh.

* Updating repo handling for the PAM LinOTP role.

* Updating repo handling for the LHCI role.

* Updating repo handling for PHP components.

* Trying out a different config for Jenkins.

* Updating docs.

* Forgot to remove old yarn repo code.

* Adding python3-debian package to python_common defaults to avoid first build failures.

* Adding list format support to APT role.

* Testing list format support with jenkins role.

* Downloading GPG public key.

* Ensuring the _apt_repository.key_filename var exists.

* Fixing SSL vars in Jenkins role.

* Updating repo handling for jitsi role.

* Updating docs.

* Bad SSL var name.

* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring (#1641)

* required_paramater_for_gp3_storage_type_tidying_up_and_refactoring

* fix vars

* fixing more vars

* fixing more vars

* fixing loop in template

* fixing_rds_vars (#1652)

* Fixing-aws-acl-condition (#1654)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Apt repo role pr 2.x (#1661)

* First pass at APT repo role.

* Adding APT autoremove task to the _exit role.

* Adding systemd timer for APT key renewal.

* Adding role documentation.

* Adding new role to MySQL role to test.

* Adding python-debian dependency for deb822 repo handling.

* Removing obsolete variable check.

* Defaulting the APT 'suites' value to the Ansible-detected release name.

* Adding APT suite to MySQL repo installation.

* Better docs and fixed a syntax error.

* Fixing shell script for refreshing APT keys.

* Ensuring APT clean-up in _exit always runs as root.

* Fixing up MySQL config for 8.0 and tidying vars.

* Adding MySQL repo to unattended upgrades.

* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.

* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.

* Updating docs index.

* Adding Docker repo to unattended upgrades.

* Updating MySQL docs.

* Updating repo handling for GitLab and GitLab Runner.

* Ensuring wget is installed.

* wget seems more reliable than cURL for key fetching.

* Updating Jenkins repo handling.

* Fixing openjdk default version and updating nodejs APT repo handling.

* Removing OSSEC, replaced by Wazuh.

* Updating repo handling for the PAM LinOTP role.

* Updating repo handling for the LHCI role.

* Updating repo handling for PHP components.

* Trying out a different config for Jenkins.

* Updating docs.

* Forgot to remove old yarn repo code.

* Adding python3-debian package to python_common defaults to avoid first build failures.

* Adding list format support to APT role.

* Testing list format support with jenkins role.

* Downloading GPG public key.

* Ensuring the _apt_repository.key_filename var exists.

* Fixing SSL vars in Jenkins role.

* Updating repo handling for jitsi role.

* Updating docs.

* Bad SSL var name.

* Making timer name dynamic.

* Adding missing repo format var to all APT repo handling.

* Updating docs.

* Bug fixes 2.x pr 2.x (#1662)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* fix(scripts): Fix git checkout to fetch any new branches (#1655)

* Apt repo role pr 2.x (#1666)

* First pass at APT repo role.

* Adding APT autoremove task to the _exit role.

* Adding systemd timer for APT key renewal.

* Adding role documentation.

* Adding new role to MySQL role to test.

* Adding python-debian dependency for deb822 repo handling.

* Removing obsolete variable check.

* Defaulting the APT 'suites' value to the Ansible-detected release name.

* Adding APT suite to MySQL repo installation.

* Better docs and fixed a syntax error.

* Fixing shell script for refreshing APT keys.

* Ensuring APT clean-up in _exit always runs as root.

* Fixing up MySQL config for 8.0 and tidying vars.

* Adding MySQL repo to unattended upgrades.

* Adding README for Docker CE, Docker Compose support and switching to apt_repository role.

* Updating docker_registry role to use docker_ce and deleting obsolete docker_compose role.

* Updating docs index.

* Adding Docker repo to unattended upgrades.

* Updating MySQL docs.

* Updating repo handling for GitLab and GitLab Runner.

* Ensuring wget is installed.

* wget seems more reliable than cURL for key fetching.

* Updating Jenkins repo handling.

* Fixing openjdk default version and updating nodejs APT repo handling.

* Removing OSSEC, replaced by Wazuh.

* Updating repo handling for the PAM LinOTP role.

* Updating repo handling for the LHCI role.

* Updating repo handling for PHP components.

* Trying out a different config for Jenkins.

* Updating docs.

* Forgot to remove old yarn repo code.

* Adding python3-debian package to python_common defaults to avoid first build failures.

* Adding list format support to APT role.

* Testing list format support with jenkins role.

* Downloading GPG public key.

* Ensuring the _apt_repository.key_filename var exists.

* Fixing SSL vars in Jenkins role.

* Updating repo handling for jitsi role.

* Updating docs.

* Bad SSL var name.

* Making timer name dynamic.

* Adding missing repo format var to all APT repo handling.

* Updating docs.

* Fixing bug where list is passed instead of dict for systemd timer.

* Bug fixes 2.x pr 2.x (#1667)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Bug fixes 2.x pr 2.x (#1670)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Updating-waf-acl-role (#1672)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Setting up proxy vhost pr 2.x (#1674)

* Setting-up-proxy-vhost

* Setting-up-proxy-vhost-2

* Fixing-typo (#1676)

* New-version-of-aws-acl-role (#1683)

* New-version-of-aws-acl-role

* Fixing-jinja-linting

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Updating-nginx-template (#1688)

* Updating-aws_backup-to-register-iam-arn-2 (#1696)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Updating-nginx-htpasswd-task-2 (#1698)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Bug fixes 2.x pr 2.x (#1702)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* r69424-Adding-resource-group-task (#1706)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Adding lock file behaviour to ce-provision. (#1708)

* Adding lock file behaviour to ce-provision.

* Updating documentation.

* Adding extra lock file handling for ASG EC2 machines.

* Moving lock file paths to variables.

* Adding docs about connection management.

* Fixing placement of lock files on ASGs.

* Removing the 'Remove lock file' task for ASGs as it is doomed to fail (machine is gone).

* Adding in a lock file removal if we do not replace the ASG.

* Bug fixes 2.x pr 2.x (#1715)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Bug fixes 2.x pr 2.x (#1717)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Creating a ce-provision installer script. (#1724)

* Installer pr 2.x (#1726)

* Creating a ce-provision installer script.

* Updating installation docs.

* Bug fixes 2.x pr 2.x (#1730)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Installer pr 2.x (#1732)

* Creating a ce-provision installer script.

* Updating installation docs.

* Adding pip upgrade line and python-debian.

* Installing certbot in a python venv. (#1659)

* Installing certbot in a python venv.

* Changing default location for Python packages.

* Allowing the ansible role to override venv settings.

* Preventing ce_deploy from installing in an entirely separate venv by default.

* Updating certbot installation to use _init venv variables.

* Updating duplicity role to use _init venv variables by default.

* Ordering pip docs.

* Update documentation.

* Fixing Ansible path in installer.

* Fixing occurrences of path to venv.

* Installer pr 2.x (#1735)

* Creating a ce-provision installer script.

* Updating installation docs.

* Adding pip upgrade line and python-debian.

* Updating docs.

* Some minor installer bug fixes.

* Bug fixes 2.x pr 2.x (#1737)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Bug fixes 2.x pr 2.x (#1738)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Fixing-ACM-SAN-behaviour (#1739)

* Bug fixes 2.x pr 2.x (#1742)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Bug fixes 2.x pr 2.x (#1749)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Bug fixes 2.x pr 2.x (#1752)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Bug fixes 2.x pr 2.x (#1754)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Bug fixes 2.x pr 2.x (#1756)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Redoing-changes-for-aws-acl-role (#1728)

* Redoing-changes-for-aws-acl-role

* retrigger checks

* Fixing-conflicts-4

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Remvoing-scp-extra-args-temporary (#1761)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Bug fixes 2.x pr 2.x (#1765)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Bug fixes 2.x pr 2.x (#1767)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Bug fixes 2.x pr 2.x (#1769)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Bug fixes 2.x pr 2.x (#1771)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Managing-mime-types-nginx (#1773)

* Whitelisting ce vpn ip wazuh pr 2.x (#1775)

* Whitelisting-CE-VPN-IP-wazuh

* Fixing-wazuh-whitelist-variable

* Updating-wazuh-vars (#1777)

* add community.postgresql collection and remove varnish master release (#1779)

* Updating wazuh vars pr 2.x (#1781)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating wazuh vars pr 2.x (#1783)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Updating wazuh vars pr 2.x (#1785)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Fixing-wazuh-broken-pipeline

* Updating wazuh vars pr 2.x (#1787)

* Updating-wazuh-vars

* Updating-manager-vars

* Updating-wazuh-manager-active-response

* Updating-wazuh-manager-active-response-2x

* Fixing-wazuh-broken-pipeline

* Tweaking-wazuh-vars

* r68065 mattermost role first commit (#1789)

* r68065 mattermost role first commit

* fixing linting/syntax

* reload systemd with ansible.builtin.systemd_service

* handler for postgresql reloads

* default systemd unit file for mattermost role

* r68065 install python psycopg2 (#1791)

* r68065 use psycopg binary package as compiling creates depsolve issues (#1793)

* permissions for postgres setup (#1795)

* r68065 add mattermost group before user (#1797)

* Updating-duplicity (#1804)

* enable mattermost systemd unit (#1810)

* nginx include for mattermost (#1812)

* nginx include for mattermost

* add mattermost project type

* ssl on handled by nginx role (#1814)

* fix mattermost nginx include (#1822)

* remove unsupported nginx option (#1824)

* Restore testing update pr 2.x (#1832)

* Restore-testing-update

* Restore-testing-update-2

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Resolving conflicts pr 2.x (#1834)

* Fixing-conflicts-and-updating-docs

* Fixed-conflicts

* Fixed-conflicts-2

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* initial commit - mattermost local backups (#1838)

* r69995-Updating-vhost-for-LE-validation (#1843)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Changing priority flexibility pr 2.x (#1841)

* Changing-priority-flexibility

* Changing-priority-flexibility-2

* Adding-aws-acl-to-meta

* Adding-cast-to-int-for-priority

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Aws acl role changes for ip set pr 2.x (#1848)

* aws_acl-role-changes-for-ip-set

* aws_acl-role-changes-for-ip-set-docs-update

---------

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* add_php_repo_before_apt_extra_packages_task_from_common_base (#1850)

* fix_opensearch_vars (#1852)

* wait_timeout_for_opensearch_domain_creation (#1854)

* wait_timeout_for_opensearch_domain_creation

* remove trailing space

* Updating-aws-acl-task (#1856)

Co-authored-by: Matej Stajduhar &lt;matej.stajduhar@codeenigma.com&gt;

* Bug fixes 2.x pr 2.x (#1859)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Updating bad AWS SG role var namespacing in other roles.

* Refactoring how we handle python3-pip.

* Allow passing in of the Python interpreter to Ansible.

* Updating the packages server for CE.

* Installing Ansible in a venv on all machines.

* Changing common_base format for readability.

* No need to specify Python to the point release.

* Docs update.

* Fixing LDAP SSL to use systemd timer.

* Allowing different systemd timer names for different Ansible installs.

* Fixing dynamic key name in ansible role.

* Trying to debug missing timer_command var.

* Treating the timer string so it becomes a dict.

* Moving default log location for clamav.

* Updating ClamAV docs.

* Grouping systemd timer tasks together.

* Exposing ce-provision version in build output.

* Wrong variable in meta role for controller username.

* Removing any reference to _aws variables in debian role defaults.

* Setting more sane ASG defaults.

* Making ClamAV timers a list so they can be entirely replaced.

* Spacing fix for linting.

* Renaming npm module.

* Removing NGINX installation as part of phpMyAdmin role by default.

* Fixing Varnish handler names.

* Excluding name[casing] rule from linting due to false positives.

* Put rule in wrong place!

* Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC.

* Capturing lock file limitations in comment.

* Updating documentation for LE.

* Using pip to install certbot plugins.

* Updating README docs.

* Docs error corrected.

* Working around deprecated SSH algorithms.

* Upgrading SSH key type standard for controller and deploy users.

* Adding SCP args for legacy mode needed by Packer.

* Adding an extra when clause to ACM SAN cert check.

* Trying different approach to ACM SAN cert check.

* Removing /bin/which from rkhunter defaults, it isn't present in Debian 11.

* RDS param group module has changed name.

* Adding passlib to libraries installed for ce-provision.

* Adding in valid path for 'which' to rkhunter.

* Catching up documentation.

* Catching up documentation.

* Making user creation optional and home directories a variable.

* Missed passing new home var to task.

* Fixing firewall.bash deletion issues.

* Getting rid of accidental extra braces.

* Simplifying usernames so you only need to set one var.

* Docs update and making Ansible installation via _init an option.

* Bug fixes 2.x pr 2.x (#1860)

* Improving AWS subnet docs.

* Error in timers structure in the SSL role.

* Removing obsolete backports requirements.

* Allow the billing role to access Sustainability information.

* Missing comma in IAM billing policy.

* Removing broken GitLab Runner code.

* Fixed the include_role task in gitlab_runner.

* Suppressing a failure if there is no system pip to call.

* Logic error in Ansible installer username, needs to be set from calling role.

* ansible_user is a reserved variable, seems to be causing issues.

* _ansible_ANYTHING is reserved, using _install_username instead.

* python_boto role also needs the username set in the calling role.

* Updating python_boto docs.

* Making profile.d loading more robust.

* Also pip removing ansible-core and trying with pip and pip3 to cover all bases.

* Up…
diff --git a/roles/debian/gpg_key/defaults/main.yml b/roles/debian/gpg_key/defaults/main.yml
@@ -1,8 +1,8 @@
 ---
 gpg_key_servers:
   - hkps://keyserver.ubuntu.com
-  - hkps://pgp.mit.edu
   - hkps://keys.openpgp.org
+  #- hkps://pgp.mit.edu # removed from defaults - not reliable
 gpg_key:
   - username: example # Must exist already on the server.
     publish: false # Whether to publish to HKS public servers.
diff --git a/roles/debian/openvpn/defaults/main.yml b/roles/debian/openvpn/defaults/main.yml
@@ -14,6 +14,10 @@ openvpn:
     # - "1.2.3.4 255.255.255.255" # push specific IP 1.2.3.4
     # - "www.google-analytics.com 255.255.255.255" # push any IP resolving to www.google-analytics.com, must set allow_pull_fqdn to true
   push_routes_ipv6: [] # list of VPN push routes for ipv6 networks - ipv6_support must be "y"
+  # Provide a path to a directory, such as /etc/openvpn/client, to configure a directory where OpenVPN can look up default client configs.
+  # See --client-config-dir in the manual - https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/
+  # This can be useful for activities such as providing a long list of push routes to manage as an include.
+  client_config_dir: "" # empty means this will not be set
   # PAM and LDAP authentication
   pam:
     enabled: false # relies on `openvpn-plugin-auth-pam.so` which is bundled with OpenVPN server for Debian
diff --git a/roles/debian/openvpn/tasks/main.yml b/roles/debian/openvpn/tasks/main.yml
@@ -36,17 +36,6 @@
   when: openvpn.allow_floating_client_ip
   notify: Restart OpenVPN.
 
-- name: Replace OpenVPN server tls-cipher.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
-    line: "tls-cipher {{ openvpn.tls_cipher }}"
-    owner: root
-    group: root
-    mode: '0644'
-  when: openvpn.tls_cipher | length > 0
-  notify: Restart OpenVPN.
-
 - name: Replace OpenVPN client IP range.
   ansible.builtin.lineinfile:
     path: /etc/openvpn/server.conf
@@ -58,69 +47,86 @@
   when: openvpn.ipv4_settings | length > 0
   notify: Restart OpenVPN.
 
-- name: Replace OpenVPN cipher on the server.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    search_string: 'cipher AES-128-GCM'
-    line: "cipher {{ openvpn.cipher }}"
-    owner: root
-    group: root
-    mode: '0644'
+- name: Set a different server cipher.
   when: openvpn.cipher | length > 0
-
-- name: Replace OpenVPN ncp-ciphers on the server.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    search_string: 'ncp-ciphers AES-128-GCM'
-    line: "ncp-ciphers {{ openvpn.cipher }}"
-    owner: root
-    group: root
-    mode: '0644'
-  when: openvpn.cipher | length > 0
-  notify: Restart OpenVPN.
+  block:
+    - name: Replace OpenVPN cipher on the server.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        search_string: 'cipher AES-128-GCM'
+        line: "cipher {{ openvpn.cipher }}"
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Replace OpenVPN ncp-ciphers on the server.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        search_string: 'ncp-ciphers AES-128-GCM'
+        line: "ncp-ciphers {{ openvpn.cipher }}"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Restart OpenVPN.
 
 # Push routes
-- name: Remove default push-route.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    search_string: 'redirect-gateway'
-    state: absent
-    owner: root
-    group: root
-    mode: '0644'
+- name: Set up ipv4 push routes.
   when: openvpn.push_routes_ipv4 | length > 0
-
-- name: Add ipv4 push routes comment for readability.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    line: "# ipv4 push routes"
-  when: openvpn.push_routes_ipv4 | length > 0
-
-- name: Add ipv4 push routes to the VPN.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    line: 'push "route {{ item }}"'
-  with_items: "{{ openvpn.push_routes_ipv4 }}"
-  when: openvpn.push_routes_ipv4 | length > 0
-  notify: Restart OpenVPN.
-
-- name: Add ipv6 push routes comment for readability.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    line: "# ipv6 push routes"
+  block:
+    - name: Remove default push-route.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        search_string: 'redirect-gateway'
+        state: absent
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Add ipv4 push routes comment for readability.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        line: "# ipv4 push routes"
+
+    - name: Add ipv4 push routes to the VPN.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        line: 'push "route {{ item }}"'
+      with_items: "{{ openvpn.push_routes_ipv4 }}"
+      notify: Restart OpenVPN.
+
+- name: Set up ipv6 push routes.
   when:
     - openvpn.push_routes_ipv6 | length > 0
     - openvpn.ipv6_support == "y"
-
-- name: Add ipv6 push routes to the VPN.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/server.conf
-    line: 'push "route-ipv6  {{ item }}"'
-  with_items: "{{ openvpn.push_routes_ipv6 }}"
-  when:
-    - openvpn.push_routes_ipv6 | length > 0
-    - openvpn.ipv6_support == "y"
-  notify: Restart OpenVPN.
+  block:
+    - name: Add ipv6 push routes comment for readability.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        line: "# ipv6 push routes"
+
+    - name: Add ipv6 push routes to the VPN.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        line: 'push "route-ipv6  {{ item }}"'
+      with_items: "{{ openvpn.push_routes_ipv6 }}"
+      notify: Restart OpenVPN.
+
+# You can use a 'DEFAULT' file in the specified directory to provide client-specifig config, such as managed push routes
+- name: Set up client config directory.
+  when: openvpn.client_config_dir | length > 0
+  block:
+    - name: Create client config directory if it doesn't exist.
+      ansible.builtin.file:
+        path: "{{ openvpn.client_config_dir }}"
+        state: directory
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Add client config directory to config if path is provided.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        line: "client-config-dir {{ openvpn.client_config_dir }}"
 
 # PAM integration
 - name: Ensure the OpenVPN PAM config is in place.
@@ -133,29 +139,30 @@
   when: openvpn.pam.enabled
 
 # PAM integration using LDAP
-- name: Ensure the OpenVPN PAM config for LDAP is in place.
-  ansible.builtin.template:
-    src: "{{ openvpn.ldap.config_template }}"
-    dest: /etc/pam.d/openvpn
-    mode: "0644"
-    owner: root
-    group: root
-  when: openvpn.ldap.enabled
-
-- name: Ensure the OpenVPN LDAP config directory exists.
-  ansible.builtin.file:
-    path: /etc/openvpn/ldap
-    state: directory
-    mode: '0755'
-
-- name: Ensure the pam-ldap config for OpenVPN is in place.
-  ansible.builtin.template:
-    src: openvpn.ldap.j2
-    dest: /etc/openvpn/ldap/ldap
-    mode: "0644"
-    owner: root
-    group: root
+- name: Set up PAM integration with LDAP.
   when: openvpn.ldap.enabled
+  block:
+    - name: Ensure the OpenVPN PAM config for LDAP is in place.
+      ansible.builtin.template:
+        src: "{{ openvpn.ldap.config_template }}"
+        dest: /etc/pam.d/openvpn
+        mode: "0644"
+        owner: root
+        group: root
+
+    - name: Ensure the OpenVPN LDAP config directory exists.
+      ansible.builtin.file:
+        path: /etc/openvpn/ldap
+        state: directory
+        mode: '0755'
+
+    - name: Ensure the pam-ldap config for OpenVPN is in place.
+      ansible.builtin.template:
+        src: openvpn.ldap.j2
+        dest: /etc/openvpn/ldap/ldap
+        mode: "0644"
+        owner: root
+        group: root
 
 # Enable PAM in OpenVPN
 - name: Add PAM integration config to OpenVPN.
@@ -168,25 +175,36 @@
   notify: Restart OpenVPN.
 
 # Tweak client config template
-- name: Replace OpenVPN client tls-cipher.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/client-template.txt
-    search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
-    line: "tls-cipher {{ openvpn.tls_cipher }}"
-    owner: root
-    group: root
-    mode: '0644'
+- name: Set a different TLS cipher for client template and server.
   when: openvpn.tls_cipher | length > 0
-
-- name: Replace OpenVPN client cipher.
-  ansible.builtin.lineinfile:
-    path: /etc/openvpn/client-template.txt
-    search_string: 'cipher AES-128-GCM'
-    line: "cipher {{ openvpn.cipher }}"
-    owner: root
-    group: root
-    mode: '0644'
-  when: openvpn.cipher | length > 0
+  block:
+    - name: Replace OpenVPN client tls-cipher.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/client-template.txt
+        search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
+        line: "tls-cipher {{ openvpn.tls_cipher }}"
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Replace OpenVPN client cipher.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/client-template.txt
+        search_string: 'cipher AES-128-GCM'
+        line: "cipher {{ openvpn.cipher }}"
+        owner: root
+        group: root
+        mode: '0644'
+
+    - name: Replace OpenVPN server tls-cipher.
+      ansible.builtin.lineinfile:
+        path: /etc/openvpn/server.conf
+        search_string: 'tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256'
+        line: "tls-cipher {{ openvpn.tls_cipher }}"
+        owner: root
+        group: root
+        mode: '0644'
+      notify: Restart OpenVPN.
 
 # Only works when openvpn.port_choice == '1' because otherwise port will not be 1194 and regexp will not match
 - name: Use FQDN as OpenVPN server remote in client config.
