This repository has been archived by the owner on Mar 6, 2022. It is now read-only.
forked from trailofbits/algo
-
Notifications
You must be signed in to change notification settings - Fork 9
/
config.cfg
210 lines (181 loc) · 7.37 KB
/
config.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
---
# This is the list of users to generate.
# Every device must have a unique username.
# You can generate up to 250 users at one time.
# Usernames with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
# Emails are not allowed
users:
- phone
- laptop
- desktop
### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
# Change default SSH port for the cloud roles only
# It doesn't apply if you deploy to your existing Ubuntu Server
ssh_port: 4160
# Deploy StrongSwan to enable IPsec support
ipsec_enabled: true
# Deploy WireGuard
# WireGuard will listen on 51820/UDP. You might need to change to another port
# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
# mobile data networks.
wireguard_enabled: true
wireguard_port: 51820
# This feature allows you to configure the Algo server to send outbound traffic
# through a different external IP address than the one you are establishing the VPN connection with.
# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
# Available for the following cloud providers:
# - DigitalOcean
alternative_ingress_ip: false
# Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
# VPN tunnel some network connections will hang. Algo will attempt to set this
# automatically based on your server, but if connections hang you might need to
# adjust this yourself.
# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
reduce_mtu: 0
# Algo will use the following lists to block ads. You can add new block lists
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
# /usr/local/sbin/adblock.sh
# If you load very large blocklists, you may also have to modify resource limits:
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
adblock_lists:
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
# Enable DNS encryption.
# If 'false', 'dns_servers' should be specified below.
# DNS encryption can not be disabled if DNS adblocking is enabled
dns_encryption: true
# Block traffic between connected clients. Change this to false to enable
# connected clients to reach each other, as well as other computers on the
# same LAN as your Algo server (i.e. the "road warrior" setup). In this
# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
BetweenClients_DROP: true
# Block SMB/CIFS traffic
block_smb: true
# Block NETBIOS traffic
block_netbios: true
# Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself
# automatically unless you change 'enabled' below from 'false' to 'true', in
# which case a reboot will take place if necessary at the time specified (as
# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
unattended_reboot:
enabled: true
time: 06:00
### Advanced users only below this line ###
# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
# providers may be specified, but avoid mixing providers that filter results
# (like Cisco) with those that don't (like Cloudflare) or you could get
# inconsistent results. The list of available public providers can be found
# here:
# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
dnscrypt_servers:
ipv4:
- cloudflare
# - google
ipv6:
- cloudflare-ipv6
# DNS servers which will be used if 'dns_encryption' is 'false'.
# The default is to use Cloudflare.
dns_servers:
ipv4:
- 1.1.1.1
- 1.0.0.1
ipv6:
- 2606:4700:4700::1111
- 2606:4700:4700::1001
# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
pki_in_tmpfs: true
# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
keys_clean_all: false
# StrongSwan log level
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2
# rightsourceip for ipsec
# ipv4
strongswan_network: 10.19.48.0/24
# ipv6
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
# This option will keep the "connection" open in the eyes of NAT.
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
wireguard_PersistentKeepalive: 0
# WireGuard network configuration
wireguard_network_ipv4: 10.19.49.0/24
wireguard_network_ipv6: fd9d:bc11:4021::/48
# Randomly generated IP address for the local dns resolver
local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
congrats:
common: |
"# Congratulations! #"
"# Your Algo server is running. #"
"# Config files and certificates are in the ./configs/ directory. #"
"# Go to https://whoer.net/ after connecting #"
"# and ensure that all your traffic passes through the VPN. #"
"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
p12_pass: |
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
ca_key_pass: |
"# The CA key password is {{ CA_password|default(omit) }} #"
ssh_access: |
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #"
SSH_keys:
comment: algo@ssh
private: configs/algo.pem
private_tmp: /tmp/algo-ssh.pem
public: configs/algo.pem.pub
cloud_providers:
azure:
size: Standard_B1S
image:
publisher: Canonical
offer: 0001-com-ubuntu-server-focal-daily
sku: 20_04-daily-lts
version: latest
digitalocean:
size: s-1vcpu-1gb
image: "ubuntu-20-04-x64"
ec2:
# Change the encrypted flag to "false" to disable AWS volume encryption.
encrypted: true
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
# Additional prompt will be raised to determine which IP to use
use_existing_eip: false
size: t2.micro
image:
name: "ubuntu-focal-20.04"
owner: "099720109477"
gce:
size: f1-micro
image: ubuntu-2004-lts
external_static_ip: false
lightsail:
size: nano_1_0
image: ubuntu_18_04
scaleway:
size: DEV1-S
image: Ubuntu 20.04 Focal Fossa
arch: x86_64
hetzner:
server_type: cx11
image: ubuntu-20.04
openstack:
flavor_ram: ">=512"
image: Ubuntu-18.04
cloudstack:
size: Micro
image: Linux Ubuntu 20.04 LTS 64-bit
disk: 10
vultr:
os: Ubuntu 20.04 x64
size: 1024 MB RAM,25 GB SSD,1.00 TB BW
local:
fail_hint:
- Sorry, but something went wrong!
- Please check the troubleshooting guide.
- https://trailofbits.github.io/algo/troubleshooting.html
booleans_map:
Y: true
y: true