StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

Stop building components from source #1220

Open cpu opened 6 years ago

cpu commented 6 years ago

This is an "omnibus" issue for tracking a project-wide effort to replace source-built components with alternative solutions. Building software from source is bad for:

  1. security - missing security updates!!!!!!!!!
  2. stability - missing bug fixes
  3. provisioning performance - provisioning runtime is dominated by compilation

Expected behavior:

Streisand should install all required software from .deb packages sourced from an apt repository. The use of unattended-upgrades should keep all software patched & up to date. Provisioning should be installing binary resources, completing quickly and with minimal CPU burn.

Actual Behavior:

Streisand deploys a number of services by building them from source at the time of provisioning. Lacking any mechanism for delivering out-of-band updates or "refreshes", the Streisand instance is forever locked to the version of the software that was built/installed during server creation. The compilation takes considerable time, slowing down provisioning (and CI!).

Installed-From-Source Services to Address:

Shadowsocks

Streisand builds and installs shadowsocks-libev from upstream Git at a pinned release tag:

https://github.com/StreisandEffect/streisand/blob/a9c1638dea2b59e258bc49c5658c809eb70c112e/playbooks/roles/shadowsocks/tasks/main.yml#L29-L51

There are some options available upstream for installing from an APT repository. For our purpose the PPA from max-c-lv is likely the best choice short of running our own PPA. "max-c-lv" is @madeye and a core contributor to shadowsocks-libev; this PPA is an official source.

Using https://github.com/StreisandEffect/streisand/issues/1221 to track switching shadowsocks-libev to PPA.

Similar to shadowsocks-libev, we also install simpleobfs from upstream Git at a pinned release tag: https://github.com/StreisandEffect/streisand/blob/a9c1638dea2b59e258bc49c5658c809eb70c112e/playbooks/roles/shadowsocks/tasks/simple-obfs.yml#L2-L38

It doesn't look like the upstream PPA publishes packages for simpleobfs. We should consider asking them to do so!

L2TP/IPSec

Streisand builds and installs libreswan from upstream's published tarball releases: https://github.com/StreisandEffect/streisand/blob/a9c1638dea2b59e258bc49c5658c809eb70c112e/playbooks/roles/l2tp-ipsec/tasks/main.yml#L16-L39

Streisand's L2TP/IPSec config needs a lot of love outside of the question of the install method for libreswan. At this point my personal vote is we abandon any attempts to modernize the configuration for IKEv2 and remove L2TP/IPSec entirely. I think folks requiring this VPN method have better alternatives out there than when Streisand initially added support.

Tracking the idea of removing L2TP/IPSec/LibreSwan in https://github.com/StreisandEffect/streisand/issues/1222

OpenConnect

Streisand builds and installs ocserv from upstream's published tarball releases: https://github.com/StreisandEffect/streisand/blob/a9c1638dea2b59e258bc49c5658c809eb70c112e/playbooks/roles/openconnect/tasks/install.yml#L23-L49

Ubuntu packages ocserv at version 0.10.11. We should make sure we can't survive with this version. Presently we're installing 0.11.10: https://github.com/StreisandEffect/streisand/blob/a9c1638dea2b59e258bc49c5658c809eb70c112e/playbooks/roles/openconnect/vars/main.yml#L25

If we must have 0.11.10+ then we might have to make our own PPA. I don't see an official source for .debs.

Tracking the evaluation of this question in https://github.com/StreisandEffect/streisand/issues/1223
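As an added illustration of the switch this issue proposes (example tasks written for this page, not code from the Streisand repository), the Ansible fragment below installs shadowsocks-libev from the max-c-lv PPA instead of compiling it, and then wires that PPA into unattended-upgrades. The second half matters for the security argument in the issue: on Ubuntu, unattended-upgrades only applies updates from the distribution's own security pocket by default, so a package that arrived from a PPA will sit at its installed version unless the PPA's origin is explicitly allowed. The PPA identifier `ppa:max-c-lv/shadowsocks-libev`, the Launchpad origin label `LP-PPA-max-c-lv-shadowsocks-libev` and the drop-in file name are assumptions for the example.

```yaml
# Added example, not part of the Streisand playbooks. Assumptions: Ubuntu
# target, PPA ppa:max-c-lv/shadowsocks-libev, Launchpad origin label
# LP-PPA-max-c-lv-shadowsocks-libev, drop-in path chosen for this example.
- name: Add the upstream shadowsocks-libev PPA (the official source named in the issue)
  apt_repository:
    repo: "ppa:max-c-lv/shadowsocks-libev"
    state: present
    update_cache: yes

- name: Install shadowsocks-libev as a binary package instead of building it
  apt:
    name: shadowsocks-libev
    state: present

- name: Install unattended-upgrades so the package keeps receiving fixes after provisioning
  apt:
    name: unattended-upgrades
    state: present

# Without this drop-in, unattended-upgrades ignores the PPA entirely and the
# "missing security updates" problem from the issue is not actually solved.
# Allowed-Origins entries in a later apt.conf.d file are appended to the list
# from 50unattended-upgrades, hence the 51 prefix.
- name: Allow unattended-upgrades to take packages from the PPA origin
  copy:
    dest: /etc/apt/apt.conf.d/51streisand-ppa-origins
    mode: "0644"
    content: |
      Unattended-Upgrade::Allowed-Origins {
          "${distro_id}:${distro_codename}-security";
          "LP-PPA-max-c-lv-shadowsocks-libev:${distro_codename}";
      };

- name: Confirm the installed candidate comes from the PPA, not a local build
  command: apt-cache policy shadowsocks-libev
  register: ss_policy
  changed_when: false
  failed_when: "'ppa.launchpad' not in ss_policy.stdout"

- name: Confirm unattended-upgrades accepts the PPA origin (dry run, no changes)
  command: unattended-upgrade --dry-run --debug
  register: uu_dry_run
  changed_when: false
  failed_when: "'LP-PPA-max-c-lv-shadowsocks-libev' not in uu_dry_run.stdout"
```

The two trailing check tasks are the part worth keeping in CI: the first fails the run if apt resolved the package from somewhere other than the PPA (for example a stale locally built copy shadowing it), the second fails if the origin drop-in was not picked up, which is the failure mode that silently recreates the "locked forever" situation described above.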

alimakki commented 6 years ago

Issue updated as LibreSwan is now ~deprecated~ removed #1266