chadgeary / cloudblock


Cloudblock deploys secure ad-blocking and VPN for all devices. Text and video guides included! 6 supported cloud providers, plus Ubuntu and Raspberry Pi. Cloudblock deploys Wireguard VPN, Pi-Hole DNS Ad-blocking, and DNS over HTTPS in a cloud provider - or locally - using Terraform and Ansible.

License: Apache License 2.0

Languages: HCL 95.51%, Shell 4.49%
Topics: dns, gcp, aws, oci, cloud, adblock, pihole, ansible, terraform, pi-hole

cloudblock's People

Contributors: aelfa, bee-san, bernhardkaindl, bobdolectf, chadgeary, datagoblin, drauku, dviros, fn5, jbsilva, l3ender, mgrimace, thoerup


cloudblock's Issues

Ubuntu 22 Support

Hey Chad :)
I tried to upgrade to Ubuntu 22 in an Azure deployment and it completely broke down the OS lol.
Seems that there are a couple of things to address:

  • docker gpg key needs to be saved as gpg instead of asc; that was the old convention afaik and according to their docs, gpg is the right way to go.
  • pip installations are breaking os packages, hence when attempting to install with pip, a new flag should be added "break-system-packages", or else they should be installed via apt.

Thanks again!
D

Another issue with Get ph_password from Azure Vault Secret - The error was: KeyError: 'credential'

TASK [Get ph_password from Azure Vault Secret] *********************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: KeyError: 'credential'
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File "/root/.ansible/tmp/ansible-tmp-1644863984.6313643-27889-142727842169844/AnsiballZ_azure_rm_keyvaultsecret_info.py", line 100, in \n _ansiballz_main()\n File "/root/.ansible/tmp/ansible-tmp-1644863984.6313643-27889-142727842169844/AnsiballZ_azure_rm_keyvaultsecret_info.py", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File "/root/.ansible/tmp/ansible-tmp-1644863984.6313643-27889-142727842169844/AnsiballZ_azure_rm_keyvaultsecret_info.py", line 41, in invoke_module\n run_name='main', alter_sys=True)\n File "/usr/lib/python3.6/runpy.py", line 205, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File "/usr/lib/python3.6/runpy.py", line 96, in _run_module_code\n mod_name, mod_spec, pkg_name, script_name)\n File "/usr/lib/python3.6/runpy.py", line 85, in _run_code\n exec(code, run_globals)\n File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_2q4sz8fg/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 430, in \n File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_2q4sz8fg/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 426, in main\n File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_2q4sz8fg/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py", line 239, in init\n File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_2q4sz8fg/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 464, in init\n File 
"/tmp/ansible_azure_rm_keyvaultsecret_info_payload_2q4sz8fg/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 1509, in init\nKeyError: 'credential'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

dynamic ip

Hi, my ISP does not provide me with a static public IP address; it's dynamic. What do I put in the mngt_cidr variable? If I use my current IP it will work until my IP changes...

azurerm_key_vault_access_policy Error on new pull

Did a pull thinking the new patch you did to pin a working version in the other issue would fix me up, but getting this error still:
azurerm_role_assignment.ph-instance-role-assignment: Refreshing state... [id=/subscriptions/...mysubid.../providers/Microsoft.Authorization/roleAssignments/6fe97f4d-fae9-a444-027d-6ad7d27021fe]

│ Error: expected "object_id" to be a valid UUID, got

│ with azurerm_key_vault_access_policy.ph-vault-disk-admin,
│ on az-encryption.tf line 24, in resource "azurerm_key_vault_access_policy" "ph-vault-disk-admin":
│ 24: object_id = data.azurerm_client_config.ph-client-conf.object_id



│ Error: expected "object_id" to be a valid UUID, got

│ with azurerm_key_vault_access_policy.ph-vault-storage-admin,
│ on az-encryption.tf line 71, in resource "azurerm_key_vault_access_policy" "ph-vault-storage-admin":
│ 71: object_id = data.azurerm_client_config.ph-client-conf.object_id



│ Error: expected "object_id" to be a valid UUID, got

│ with azurerm_key_vault_access_policy.ph-vault-secret-admin,
│ on az-encryption.tf line 118, in resource "azurerm_key_vault_access_policy" "ph-vault-secret-admin":
│ 118: object_id = data.azurerm_client_config.ph-client-conf.object_id

Azure pb is failing to get ph_password from Vault

This is happening on brand new installs and when running as an update for pihole.

Edit: The issue seems to be with using the https://raw.githubusercontent.com/ansible-collections/azure/dev/requirements-azure.txt. There was an update a few days ago that broke this, I swapped the dev branch for the commit from a few days ago and it works fine. https://raw.githubusercontent.com/ansible-collections/azure/fbfe197215f74d271a448161b5b499151e261d39/requirements-azure.txt

TASK [Get ph_password from Azure Vault Secret] *********************************
task path: /opt/cloudblock/playbooks/cloudblock_azure.yml:86
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: root
<127.0.0.1> EXEC /bin/sh -c 'echo ~root && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp `"&& mkdir "` echo /root/.ansible/tmp/ansible-tmp-1640550184.5302355-19419-194224603752523 `" && echo ansible-tmp-1640550184.5302355-19419-194224603752523="` echo /root/.ansible/tmp/ansible-tmp-1640550184.5302355-19419-194224603752523 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/azure/azcollection/plugins/modules/azure_rm_keyvaultsecret_info.py
<127.0.0.1> PUT /root/.ansible/tmp/ansible-local-18679q0jpd26e/tmpic8_9fj3 TO /root/.ansible/tmp/ansible-tmp-1640550184.5302355-19419-194224603752523/AnsiballZ_azure_rm_keyvaultsecret_info.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1640550184.5302355-19419-194224603752523/ /root/.ansible/tmp/ansible-tmp-1640550184.5302355-19419-194224603752523/AnsiballZ_azure_rm_keyvaultsecret_info.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-tmp-1640550184.5302355-19419-194224603752523/AnsiballZ_azure_rm_keyvaultsecret_info.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1640550184.5302355-19419-194224603752523/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_azure_rm_keyvaultsecret_info_payload_nh1bkfmr/ansible_azure_rm_keyvaultsecret_info_payload.zip/ansible_collections/azure/azcollection/plugins/module_utils/azure_rm_common.py", line 235, in <module>
    from azure.mgmt.monitor.version import VERSION as monitor_client_version
ModuleNotFoundError: No module named 'azure.mgmt.monitor.version'
fatal: [localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "ad_user": null,
            "adfs_authority_url": null,
            "api_profile": "latest",
            "auth_source": "msi",
            "cert_validation_mode": null,
            "client_id": null,
            "cloud_environment": "AzureCloud",
            "log_mode": null,
            "log_path": null,
            "name": "cloudblock-secret",
            "password": null,
            "profile": null,
            "secret": null,
            "show_deleted_secret": false,
            "subscription_id": null,
            "tags": null,
            "tenant": null,
            "vault_uri": "https://cloudblock-secret-d070s.vault.azure.net",
            "version": "current"
        }
    },
    "msg": "Failed to import the required Python library (ansible[azure] (azure >= 2.0.0)) on cloudblock-instance's Python /usr/bin/python3. Please read the module documentation and install it in the appropriate location. If the required library is installed, but Ansible is using the wrong Python interpreter, please consult the documentation on ansible_python_interpreter"
}

Oracle Cloud - Timeout

Hello, I've followed the instructions, however the ssh, vpn and pihole connections keep timing out. I can't connect in any way to the instance.
I'm not sure what I can do to fix the problem.

AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK' | Azure

ERROR! Unexpected Exception, this is probably a bug: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
the full traceback was:

Traceback (most recent call last):
  File "/usr/local/bin/ansible-galaxy", line 104, in <module>
    mycli = getattr(__import__("ansible.cli.%s" % sub, fromlist=[myclass]), myclass)
  File "/usr/local/lib/python3.6/dist-packages/ansible/cli/galaxy.py", line 25, in <module>
    from ansible.galaxy.api import GalaxyAPI
  File "/usr/local/lib/python3.6/dist-packages/ansible/galaxy/api.py", line 28, in <module>
    from ansible.module_utils.urls import open_url, prepare_multipart
  File "/usr/local/lib/python3.6/dist-packages/ansible/module_utils/urls.py", line 115, in <module>
    from urllib3.contrib.pyopenssl import PyOpenSSLContext
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1550, in <module>
    class X509StoreFlags(object):
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1570, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
TASK [required packages] *******************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/root/.ansible/tmp/ansible-tmp-1651012355.0121708-9039-74068407239762/AnsiballZ_apt.py\", line 100, in <module>\n    _ansiballz_main()\n  File \"/root/.ansible/tmp/ansible-tmp-1651012355.0121708-9039-74068407239762/AnsiballZ_apt.py\", line 92, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/root/.ansible/tmp/ansible-tmp-1651012355.0121708-9039-74068407239762/AnsiballZ_apt.py\", line 41, in invoke_module\n    run_name='__main__', alter_sys=True)\n  File \"/usr/lib/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_apt_payload_cprt99gy/ansible_apt_payload.zip/ansible/modules/apt.py\", line 327, in <module>\n  File \"<frozen importlib._bootstrap>\", line 971, in _find_and_load\n  File \"<frozen importlib._bootstrap>\", line 955, in _find_and_load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 656, in _load_unlocked\n  File \"<frozen importlib._bootstrap>\", line 626, in _load_backward_compatible\n  File \"/tmp/ansible_apt_payload_cprt99gy/ansible_apt_payload.zip/ansible/module_utils/urls.py\", line 115, in <module>\n  File \"/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py\", line 46, in <module>\n    import OpenSSL.SSL\n  File \"/usr/lib/python3/dist-packages/OpenSSL/__init__.py\", line 8, in <module>\n    from OpenSSL import crypto, SSL\n  File \"/usr/lib/python3/dist-packages/OpenSSL/crypto.py\", line 1550, in <module>\n    class X509StoreFlags(object):\n  File \"/usr/lib/python3/dist-packages/OpenSSL/crypto.py\", line 1570, in X509StoreFlags\n    CB_ISSUER_CHECK = 
_lib.X509_V_FLAG_CB_ISSUER_CHECK\nAttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

Additional Feature Request: Enable clients / peers connected to the same WireGuard server to ping / connect to each other

Hi Chad,

Thanks for the awesome effort. One additional feature that would be great is if you can add the option to enable peers connected to the same WireGuard server to be able to send traffic between each other.

One use case that I am currently facing is, setting up a FreePBX system, which is an IP phone system, such that connecting the whole system to the WireGuard server will enable the phones, FreePBX server and Trunks (Gateways / SIP devices) to communicate between each other remotely / securely without any restrictions as if they're installed locally on one network.

Cheers,

cloudflared_doh image does not exist

TASK [cloudflared_doh container] ****************************************************************************************************************************************************************************************************************************
[DEPRECATION WARNING]: The container_default_behavior option will change its default value from "compatibility" to "no_defaults" in community.general 3.0.0. To remove this warning, please specify an explicit value for it now. This feature will be
removed from community.general in version 3.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Please note that docker_container handles networks slightly different than docker CLI. If you specify networks, the default network will still be attached as the first network. (You can specify purge_networks to remove all
networks not explicitly listed.) This behavior will change in community.general 2.0.0. You can change the behavior now by setting the new `networks_cli_compatible` option to `yes`, and remove this warning by setting it to `no`. This feature will be
removed from community.general in version 2.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error pulling image cloudflared_doh:latest - 404 Client Error: Not Found (\"{\"message\":\"pull access denied for cloudflared_doh, repository does not exist or may require 'docker login': denied: requested access to the resource is denied\"}\")"}

What image is this supposed to be?

Can we get rid of apache?

Apache is... pretty gross.

Nginx is really the new (or more so just more sane and more used) hotness at this point.
Most stuff I toss up in AWS via Terraform or CloudFormation is just all nginx now... the tide is turning.

I'm well versed enough in both that I might be able to submit a PR to change the proxy and SSL config over for the AWS stuff and Ansible... to work with nginx... but it could be a few weeks, so if it slips, ping me...

Or even https://www.lighttpd.net/ but that's aging a lot...

Question on DNS

I'm looking to set up Cloudblock, but I'm wondering what it's using for a DNS recursive resolver? It doesn't appear to be using DNSCrypt or Unbound. Or is it not using anything at all?

All I see in the script is that it's possibly using Wireguard's DNS?

Is anyone using this setup that can verify?

New/Same Issue with Azure Deployment

Brand new checkout of master, dropped in my az.tfvars, terraform init, then terraform plan -var-file="az.tfvars" getting this error still:

derek@Azure:~/clouddrive/cloudblock/azure$ terraform plan -var-file="az.tfvars"

│ Error: expected "object_id" to be a valid UUID, got

│ with azurerm_key_vault_access_policy.ph-vault-disk-admin,
│ on az-encryption.tf line 24, in resource "azurerm_key_vault_access_policy" "ph-vault-disk-admin":
│ 24: object_id = data.azurerm_client_config.ph-client-conf.object_id



│ Error: expected "object_id" to be a valid UUID, got

│ with azurerm_key_vault_access_policy.ph-vault-storage-admin,
│ on az-encryption.tf line 71, in resource "azurerm_key_vault_access_policy" "ph-vault-storage-admin":
│ 71: object_id = data.azurerm_client_config.ph-client-conf.object_id



│ Error: expected "object_id" to be a valid UUID, got

│ with azurerm_key_vault_access_policy.ph-vault-secret-admin,
│ on az-encryption.tf line 118, in resource "azurerm_key_vault_access_policy" "ph-vault-secret-admin":
│ 118: object_id = data.azurerm_client_config.ph-client-conf.object_id

I even cleared the .terraform directory from my home drive. Not sure what else could be the culprit.

Error: Failed to read variables file

I am following your directions to the letter, both in your YT vid and here on GitHub, to update my instance of your project on GCP. This is what I'm seeing:

PS C:\Users\XXX> wsl
XXX@Tower-PC:/mnt/c/Users/XXX$ cd /cloudblock/gcp/
XXX@Tower-PC:~/cloudblock/gcp$ git pull
Already up to date.
XXX@Tower-PC:~/cloudblock/gcp$ terraform init

Initializing the backend...

Initializing provider plugins...

  • Reusing previous version of hashicorp/google from the dependency lock file
  • Reusing previous version of hashicorp/random from the dependency lock file
  • Using previously-installed hashicorp/google v3.51.0
  • Using previously-installed hashicorp/random v3.0.0

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
XXX@Tower-PC:~/cloudblock/gcp$ terraform apply -var-file="pvars.tfvars"

Error: Failed to read variables file

Error while reading pvars.tfvars: open pvars.tfvars: permission denied.

systemd-resolve --status no longer exists in Ubuntu 22.04, replace w/ resolvectl

    DNS_SERVER=$(systemd-resolve --status | awk -F': ' '/DNS Servers/{print $2}')

    user_data = <<EOF
    #!/bin/bash

    # replace systemd-resolved with static dns derived from dhcp

    -DNS_SERVER=$(systemd-resolve --status | awk -F': ' '/DNS Servers/{print $2}')
    +DNS_SERVER=$(resolvectl | awk -F': ' '/DNS Servers/{print $2}')
    systemctl disable systemd-resolved
    systemctl stop systemd-resolved
    rm -f /etc/resolv.conf
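The awk filter in this issue prints one line for every "DNS Servers:" entry, and resolvectl prints that label once per link, so a host with more than one link can end up with several values in DNS_SERVER. The following is an added example, not cloudblock's own code: it keeps only the first address, uses resolvectl where it exists and systemd-resolve --status on older images, and fails instead of returning an empty string. The resolvectl output below is a constructed sample; real output varies between systemd versions and only the "DNS Servers:" label is relied on.

```shell
#!/bin/sh
# Added example (not cloudblock's code): pick one DNS server out of
# `resolvectl` / `systemd-resolve --status` style output so that a
# user_data script gets a single address instead of one line per link.

# Constructed sample of `resolvectl` output (abbreviated; two links).
SAMPLE_RESOLVECTL='Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.2
       DNS Servers: 10.0.0.2 10.0.0.3
        DNS Domain: example.internal

Link 3 (docker0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported'

# first_dns_server: read status text on stdin, print the first address that
# follows a "DNS Servers:" label, exit 1 when no such label is present.
# ("Current DNS Server:" has no trailing s, so it is not matched.)
first_dns_server() {
    awk -F': ' '/DNS Servers/ { split($2, a, " "); print a[1]; found = 1; exit }
                END { exit !found }'
}

# dns_server_from_system: resolvectl on 22.04, the older command on 18.04;
# fails if neither exists so the caller never writes an empty nameserver.
dns_server_from_system() {
    if command -v resolvectl >/dev/null 2>&1; then
        resolvectl | first_dns_server
    elif command -v systemd-resolve >/dev/null 2>&1; then
        systemd-resolve --status | first_dns_server
    else
        return 1
    fi
}

# Demo on the constructed sample (prints 10.0.0.2).
printf '%s\n' "$SAMPLE_RESOLVECTL" | first_dns_server
```

In a user_data script the call would be `DNS_SERVER=$(dns_server_from_system) || exit 1`, so that a change in the tooling between Ubuntu releases stops the bootstrap loudly rather than leaving the instance with no resolver after systemd-resolved is disabled.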

Errors in Azure deployment

I am reporting a few errors that I came across when deploying on Azure. I managed to fix a couple of them but got stuck with the last one.

  1. The first error was a permissions issue with keys (when running terraform deploy):

Error: current client lacks permissions to read Key Rotation Policy for Key "cloudblock-disk-key" ("Key Vault (Subscription: \"....", Vault url: "....."), please update this as described here: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#example-usage : keyvault.BaseClient#GetKeyRotationPolicy: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application '...' does not have keys getrotationpolicy permission on key vault 'cloudblock-disk-...;location=...'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"ForbiddenByPolicy"}

I fixed this by adding the GetRotationPolicy to key_permissions in az-encryption.tf (in 4 places where key_permissions is defined)

key_permissions = [ "Backup", "Create", "Decrypt", "Delete", "Encrypt", "Get", "Import", "List", "Purge", "Recover", "Restore", "Sign", "UnwrapKey", "Update", "Verify", "WrapKey", "GetRotationPolicy" ]

  2. The second error was a mismatched Ubuntu version between az-instance.tf and az.tfvars. The SKU version is hard-coded in az-instance.tf to 18.04; so it threw an error about not finding the image when I provided the latest image version for 22.04 in az.tfvars. I fixed this by changing the source_image_reference in az-instance.tf to this:

    source_image_reference {
      publisher = "Canonical"
      offer     = "0001-com-ubuntu-server-jammy"
      sku       = "22_04-lts-gen2"
      version   = var.az_image_version
    }

  3. The VM is created successfully but the Ansible process is failing with the following error. I am stuck at this spot.

TASK [various container directories] *******************************************
ok: [localhost] => (item=/opt/cloudflared)
ok: [localhost] => (item=/opt/pihole)
ok: [localhost] => (item=/opt/pihole/etc)
ok: [localhost] => (item=/opt/pihole/dnsmasq.d)
ok: [localhost] => (item=/opt/webproxy)
ok: [localhost] => (item=/opt/wireguard)

TASK [secure proxy to pihole confs] ********************************************
ok: [localhost] => (item=httpd-ssl.conf)
ok: [localhost] => (item=httpd.conf)

TASK [DoH Endpoints] ***********************************************************
ok: [localhost]

TASK [Set DoH URL from DoH provider var] ***************************************
changed: [localhost]

TASK [Get ph_password from Azure Vault Secret] *********************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to get MSI token: 'MSIAuthentication' object has no attribute 'get_token'. Please check whether your machine enabled MSI or grant access to any subscription."}

PLAY RECAP *********************************************************************
localhost : ok=9 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

DigitalOcean: Error creating SSH key

Hello!
I'm following the steps to get DO up and running and just bumped into something.

  # digitalocean_ssh_key.do-sshkey will be created
  + resource "digitalocean_ssh_key" "do-sshkey" {
      + fingerprint = (known after apply)
      + id          = (known after apply)
      + name        = "cloudblock-sshkey-fec0i"
      + public_key  = "ssh-rsa AAAAB3replace_me_replace_me_replace_me"
    }

Plan: 5 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

digitalocean_ssh_key.do-sshkey: Creating...
╷
│ Error: Error creating SSH Key: POST https://api.digitalocean.com/v2/account/keys: 422 (request "063d3b2a-70a2-4b0b-a2d5-4cbc68636d9a") Fingerprint could not be generated, please make sure your key is valid
│
│   with digitalocean_ssh_key.do-sshkey,
│   on do-instance.tf line 1, in resource "digitalocean_ssh_key" "do-sshkey":
│    1: resource "digitalocean_ssh_key" "do-sshkey" {
│

Any suggestions?

Azure: ph-vault-disk keeps wanting to update the access_policy

Every time I run apply or plan, it switches from wanting to remove those permissions and then wanting to add them back.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.azure.azurerm_key_vault.ph-vault-disk will be updated in-place
  ~ resource "azurerm_key_vault" "ph-vault-disk" {
      ~ access_policy                   = [
            {
                application_id          = ""
                certificate_permissions = []
                key_permissions         = [
                    "Get",
                    "Create",
                    "Delete",
                    "List",
                    "Restore",
                    "Recover",
                    "UnwrapKey",
                    "WrapKey",
                    "Purge",
                    "Encrypt",
                    "Decrypt",
                    "Sign",
                    "Verify",
                ]
                object_id               = "<REMOVED>"
                secret_permissions      = []
                storage_permissions     = []
                tenant_id               = "<REMOVED>"
            },
          - {
              - application_id          = ""
              - certificate_permissions = []
              - key_permissions         = [
                  - "Get",
                  - "Decrypt",
                  - "Encrypt",
                  - "Sign",
                  - "UnwrapKey",
                  - "Verify",
                  - "WrapKey",
                  - "UnwrapKey",
                ]
              - object_id               = "<REMOVED>"
              - secret_permissions      = []
              - storage_permissions     = []
              - tenant_id               = "<REMOVED>"
            },
        ]
        id                              = "<REMOVED>"
        name                            = "cloudblock-disk-owo39"
        tags                            = {}
        # (12 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Site-to-Site Wireguard?

Hey Chad, thanks a lot for this brilliant project.
I have a very niche issue: I'm currently struggling to set up a Site-to-Site VPN using WireGuard to my OPNsense.
OPNsense runs a local WireGuard instance and I've set the cloud server as a peer, but I couldn't make the server connect back to the OPNsense instance.

Is it possible to run the wireguard docker with a client instance that would connect back?

Thanks again
D

old ansible results in Unsupported parameters for (docker_network) module: ipam_config

Unsupported parameters for (docker_network) module: ipam_config Supported parameters include
api_version, appends, cacert_path, cert_path, connected, debug, docker_host, driver, driver_options, filter_logger, force, ipam_driver, ipam_options, key_path, network_name, ssl_version, state, timeout, tls, tls_hostname, tls_verify"

ansible 2.5.1
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python2.7/dist-packages/ansible
executable location = /usr/bin/ansible
python version = 2.7.17 (default, Sep 30 2020, 13:38:04) [GCC 7.5.0]

FIX
use a later version of ansible

IP is leaked

I have set this up and deployed on Lightsail. My client phone connects successfully via WireGuard. However, my original IP is still being leaked rather than using the Lightsail IP. I can't figure out what's wrong and why the IP leaking is happening?

I have not changed anything on the instance since cloudblock was deployed.

apt-key deprecated, ansible fails installing docker

Ansible build fails to install docker

[image]

Current code with the issue:

    - name: Docker apt key
      ansible.builtin.get_url:
        url: https://download.docker.com/linux/ubuntu/gpg
        dest: /etc/apt/keyrings/docker.asc
        mode: '0640'

    - name: Docker apt repo
      ansible.builtin.apt_repository:
        repo: >
          deb [arch={{ dpkg_arch.stdout }} signed-by=/etc/apt/keyrings/docker.asc]
          https://download.docker.com/linux/ubuntu {{ ansible_distribution_release }} stable
        state: present

Code fix: remove the lines above and add the following (update all playbooks, making sure to set the architecture as required):

    - name: Add repo using key from URL
      deb822_repository:
        name: docker
        types: deb
        uris: https://download.docker.com/linux/ubuntu
        suites: '{{ ansible_distribution_release }}'
        components: stable
        architectures: amd64
        signed_by: https://download.docker.com/linux/ubuntu/gpg

Ansible documentation: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/deb822_repository_module.html

Terraform never puts the playbook objects in S3

I've deleted and recreated this many times, and every time it fails because there were no playbooks put into S3.
I could kick off terraform then upload the playbooks/ folder to playbook/ and the install completed.
The aws_s3_bucket_object resource isn't even in my state list, and it doesn't show when I run apply either.

❯ terraform version
Terraform v1.0.1
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.47.0
+ provider registry.terraform.io/hashicorp/random v3.1.0
module.cloudblock.data.aws_ami.ph-vendor-ami-latest
module.cloudblock.data.aws_availability_zones.ph-azs
module.cloudblock.data.aws_caller_identity.ph-aws-account
module.cloudblock.data.aws_iam_policy.ph-instance-policy-ssm
module.cloudblock.data.aws_iam_user.ph-kmsmanager
module.cloudblock.aws_ami_copy.ph-latest-vendor-ami-with-cmk
module.cloudblock.aws_eip.ph-eip-1
module.cloudblock.aws_iam_instance_profile.ph-instance-profile
module.cloudblock.aws_iam_policy.ph-instance-policy-s3
module.cloudblock.aws_iam_policy.ph-instance-policy-ssmparameter
module.cloudblock.aws_iam_role.ph-instance-iam-role
module.cloudblock.aws_iam_role_policy_attachment.ph-iam-attach-s3
module.cloudblock.aws_iam_role_policy_attachment.ph-iam-attach-ssm
module.cloudblock.aws_iam_role_policy_attachment.ph-iam-attach-ssmparameter
module.cloudblock.aws_instance.ph-instance
module.cloudblock.aws_internet_gateway.ph-gw
module.cloudblock.aws_key_pair.ph-instance-key
module.cloudblock.aws_kms_alias.ph-kmscmk-ec2-alias
module.cloudblock.aws_kms_alias.ph-kmscmk-s3-alias
module.cloudblock.aws_kms_alias.ph-kmscmk-ssm-alias
module.cloudblock.aws_kms_key.ph-kmscmk-ec2
module.cloudblock.aws_kms_key.ph-kmscmk-s3
module.cloudblock.aws_kms_key.ph-kmscmk-ssm
module.cloudblock.aws_route_table.ph-pubrt
module.cloudblock.aws_route_table_association.rt-assoc-pubnet
module.cloudblock.aws_s3_bucket.ph-bucket
module.cloudblock.aws_s3_bucket_public_access_block.ph-bucket-pubaccessblock
**MISSING**
module.cloudblock.aws_security_group.ph-pubsg
module.cloudblock.aws_security_group_rule.ph-pubsg-mgmt-dnstcp-in[0]
module.cloudblock.aws_security_group_rule.ph-pubsg-mgmt-dnsudp-in[0]
module.cloudblock.aws_security_group_rule.ph-pubsg-mgmt-https-in
module.cloudblock.aws_security_group_rule.ph-pubsg-mgmt-ssh-in
module.cloudblock.aws_security_group_rule.ph-pubsg-mgmt-wireguard-in
module.cloudblock.aws_security_group_rule.ph-pubsg-out-tcp
module.cloudblock.aws_security_group_rule.ph-pubsg-out-udp
module.cloudblock.aws_ssm_association.ph-ssm-assoc
module.cloudblock.aws_ssm_document.ph-ssm-doc
module.cloudblock.aws_ssm_parameter.ph-ssm-param-pass
module.cloudblock.aws_subnet.ph-pubnet
module.cloudblock.aws_vpc.ph-vpc
module.cloudblock.random_string.ph-random

Upgrade to Python 3.8

Ansible 2.12 requires Python 3.8. When installing Ubuntu 18.04 the default Python version is 3.6, which is too old and deprecated (although Ansible 2.11 is installed as of today, the user gets a deprecation warning).
By using the deadsnakes PPA the system can be upgraded to a newer Python version on 18.04 LTS.

Ref. issues in #58
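As an added illustration of the upgrade path described in this issue (example script of my own, not part of the cloudblock project), the snippet below checks whether the host's `python3` meets the 3.8 minimum Ansible 2.12 needs and, only when run with `--apply`, installs a newer interpreter from the deadsnakes PPA on Ubuntu 18.04. Installing Ansible into a venv owned by the new interpreter (instead of touching the system Python) and the `NEW_PYTHON`/`REQUIRED_PYTHON` values are my assumptions.

```shell
#!/usr/bin/env sh
# Added example, not cloudblock's own code. Checks the python3 version Ansible 2.12
# needs (>= 3.8) and optionally installs a newer one from deadsnakes on Ubuntu 18.04.
set -u

REQUIRED_PYTHON="3.8"   # minimum control-node Python for Ansible 2.12
NEW_PYTHON="3.8"        # interpreter to install from deadsnakes (assumption)

# version_ge HAVE WANT -> exit 0 when major.minor of HAVE >= major.minor of WANT
version_ge() {
  have_major=${1%%.*}; have_minor=$(printf '%s\n' "$1" | cut -s -d. -f2)
  want_major=${2%%.*}; want_minor=$(printf '%s\n' "$2" | cut -s -d. -f2)
  have_minor=${have_minor:-0}; want_minor=${want_minor:-0}
  [ "$have_major" -gt "$want_major" ] ||
    { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -ge "$want_minor" ]; }
}

# Prints e.g. "3.6.9" from "Python 3.6.9"; fails when python3 is absent.
installed_python_version() {
  command -v python3 >/dev/null 2>&1 || return 1
  python3 --version 2>&1 | awk '{print $2}'
}

# Ubuntu 18.04 only: add the deadsnakes PPA, install the interpreter, then put
# Ansible in a venv so the system python (and apt-managed tools) stay untouched.
install_deadsnakes_python() {
  sudo apt-get update
  sudo apt-get install -y software-properties-common
  sudo add-apt-repository -y ppa:deadsnakes/ppa
  sudo apt-get update
  sudo apt-get install -y "python${NEW_PYTHON}" "python${NEW_PYTHON}-venv" \
    "python${NEW_PYTHON}-distutils"
  "python${NEW_PYTHON}" -m venv "$HOME/ansible-venv"
  "$HOME/ansible-venv/bin/pip" install --upgrade pip "ansible-core>=2.12"
  echo "Run ansible from $HOME/ansible-venv/bin (e.g. prepend it to PATH)."
}

main() {
  have=$(installed_python_version || echo 0)
  if version_ge "$have" "$REQUIRED_PYTHON"; then
    echo "python3 $have satisfies >= $REQUIRED_PYTHON; nothing to do"
  elif [ "${1:-}" = "--apply" ]; then
    echo "python3 $have is too old; installing python${NEW_PYTHON} from deadsnakes"
    install_deadsnakes_python
  else
    echo "python3 $have is too old for Ansible 2.12; rerun with --apply to install python${NEW_PYTHON}"
  fi
}

main "$@"
```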

Lots of key_permissions errors on fresh clone - Azure

╷
│ Error: expected key_permissions.6 to be one of [Backup Create Decrypt Delete Encrypt Get Import List Purge Recover Restore Sign UnwrapKey Update Verify WrapKey], got Unwrapkey
│
│   with azurerm_key_vault_access_policy.ph-vault-disk-admin,
│   on az-encryption.tf line 27, in resource "azurerm_key_vault_access_policy" "ph-vault-disk-admin":
│   27:     "Get", "Create", "Delete", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
│
╵
╷
│ Error: expected key_permissions.7 to be one of [Backup Create Decrypt Delete Encrypt Get Import List Purge Recover Restore Sign UnwrapKey Update Verify WrapKey], got Wrapkey
│
│   with azurerm_key_vault_access_policy.ph-vault-disk-admin,
│   on az-encryption.tf line 27, in resource "azurerm_key_vault_access_policy" "ph-vault-disk-admin":
│   27:     "Get", "Create", "Delete", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
│
╵
╷
│ Error: expected key_permissions.6 to be one of [Backup Create Decrypt Delete Encrypt Get Import List Purge Recover Restore Sign UnwrapKey Update Verify WrapKey], got Unwrapkey
│
│   with azurerm_key_vault_access_policy.ph-vault-storage-admin,
│   on az-encryption.tf line 74, in resource "azurerm_key_vault_access_policy" "ph-vault-storage-admin":
│   74:     "Get", "Create", "Delete", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
│
╵
╷
│ Error: expected key_permissions.7 to be one of [Backup Create Decrypt Delete Encrypt Get Import List Purge Recover Restore Sign UnwrapKey Update Verify WrapKey], got Wrapkey
│
│   with azurerm_key_vault_access_policy.ph-vault-storage-admin,
│   on az-encryption.tf line 74, in resource "azurerm_key_vault_access_policy" "ph-vault-storage-admin":
│   74:     "Get", "Create", "Delete", "List", "Restore", "Recover", "Unwrapkey", "Wrapkey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify"
│
╵
╷
│ Error: Unsupported argument
│
│   on az-storage.tf line 10, in resource "azurerm_storage_account" "ph-storage-account":
│   10:   allow_blob_public_access = "false"
│
│ An argument named "allow_blob_public_access" is not expected here.

Error running ansible in Ubuntu linux container (LXC) in proxmox

Hi,

I get the following error when running the Ubuntu ansible script from a Proxmox Ubuntu linux container (LXC):

TASK [cloudflared pihole and wireguard network] ********************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Error connecting: Error while fetching server API version: HTTPConnection.request() got an unexpected keyword argument 'chunked'"}
