|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
# This is the list of users to generate.
|
|
|
|
|
# Every device must have a unique username.
|
|
|
|
|
# You can generate up to 250 users at one time.
|
|
|
|
|
# Usernames with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
|
|
|
|
|
users:
|
|
|
|
|
- phone
|
|
|
|
|
- laptop
|
|
|
|
|
- desktop
|
|
|
|
|
|
|
|
|
|
### Advanced users only below this line ###
|
|
|
|
|
|
|
|
|
|
# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
|
|
|
|
|
# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
|
|
|
|
|
pki_in_tmpfs: true
|
|
|
|
|
|
|
|
|
|
# If True re-init all existing certificates. Boolean
|
|
|
|
|
keys_clean_all: False
|
|
|
|
|
|
|
|
|
|
# Deploy StrongSwan to enable IPsec support
|
|
|
|
|
ipsec_enabled: true
|
|
|
|
|
|
|
|
|
|
# StrongSwan log level
|
|
|
|
|
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
|
|
|
|
|
strongswan_log_level: 2
|
|
|
|
|
|
|
|
|
|
# rightsourceip for ipsec
|
|
|
|
|
# ipv4
|
|
|
|
|
strongswan_network: 10.19.48.0/24
|
|
|
|
|
# ipv6
|
|
|
|
|
strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
|
|
|
|
|
|
|
|
|
|
# Deploy WireGuard
|
|
|
|
|
# WireGuard will listen on 51820/UDP. You might need to change to another port
|
|
|
|
|
# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
|
|
|
|
|
# mobile data networks.
|
|
|
|
|
wireguard_enabled: true
|
|
|
|
|
wireguard_port: 51820
|
|
|
|
|
# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
|
|
|
|
|
# This option will keep the "connection" open in the eyes of NAT.
|
|
|
|
|
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
|
|
|
|
|
wireguard_PersistentKeepalive: 0
|
|
|
|
|
|
|
|
|
|
# WireGuard network configuration
|
|
|
|
|
wireguard_network_ipv4: 10.19.49.0/24
|
|
|
|
|
wireguard_network_ipv6: fd9d:bc11:4021::/48
|
|
|
|
|
|
|
|
|
|
# Reduce the MTU of the VPN tunnel
|
|
|
|
|
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
|
|
|
|
|
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
|
|
|
|
|
# VPN tunnel some network connections will hang. Algo will attempt to set this
|
|
|
|
|
# automatically based on your server, but if connections hang you might need to
|
|
|
|
|
# adjust this yourself.
|
|
|
|
|
# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
|
|
|
|
|
reduce_mtu: 0
|
|
|
|
|
|
|
|
|
|
# Algo will use the following lists to block ads. You can add new block lists
|
|
|
|
|
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
|
|
|
|
|
# /usr/local/sbin/adblock.sh
|
|
|
|
|
# If you load very large blocklists, you may also have to modify resource limits:
|
|
|
|
|
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
|
|
|
|
|
adblock_lists:
|
|
|
|
|
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
|
|
|
|
|
- "https://hosts-file.net/ad_servers.txt"
|
|
|
|
|
|
|
|
|
|
# Enable DNS encryption.
|
|
|
|
|
# If 'false', 'dns_servers' should be specified below.
|
|
|
|
|
# DNS encryption can not be disabled if DNS adblocking is enabled
|
|
|
|
|
dns_encryption: true
|
|
|
|
|
|
|
|
|
|
# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
|
|
|
|
|
# providers may be specified, but avoid mixing providers that filter results
|
|
|
|
|
# (like Cisco) with those that don't (like Cloudflare) or you could get
|
|
|
|
|
# inconsistent results. The list of available public providers can be found
|
|
|
|
|
# here:
|
|
|
|
|
# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
|
|
|
|
|
dnscrypt_servers:
|
|
|
|
|
ipv4:
|
|
|
|
|
- cloudflare
|
|
|
|
|
# - google
|
|
|
|
|
ipv6:
|
|
|
|
|
- cloudflare-ipv6
|
|
|
|
|
|
|
|
|
|
# DNS servers which will be used if 'dns_encryption' is 'false'.
|
|
|
|
|
# The default is to use Cloudflare.
|
|
|
|
|
dns_servers:
|
|
|
|
|
ipv4:
|
|
|
|
|
- 1.1.1.1
|
|
|
|
|
- 1.0.0.1
|
|
|
|
|
ipv6:
|
|
|
|
|
- 2606:4700:4700::1111
|
|
|
|
|
- 2606:4700:4700::1001
|
|
|
|
|
|
|
|
|
|
# Randomly generated IP address for the local dns resolver
|
|
|
|
|
local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
|
|
|
|
|
local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
|
|
|
|
|
|
|
|
|
|
# Your Algo server will automatically install security updates. Some updates
|
|
|
|
|
# require a reboot to take effect but your Algo server will not reboot itself
|
|
|
|
|
# automatically unless you change 'enabled' below from 'false' to 'true', in
|
|
|
|
|
# which case a reboot will take place if necessary at the time specified (as
|
|
|
|
|
# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
|
|
|
|
|
unattended_reboot:
|
|
|
|
|
enabled: false
|
|
|
|
|
time: 06:00
|
|
|
|
|
|
|
|
|
|
# Block traffic between connected clients
|
|
|
|
|
BetweenClients_DROP: true
|
|
|
|
|
|
|
|
|
|
# Block SMB/CIFS traffic
|
|
|
|
|
block_smb: true
|
|
|
|
|
|
|
|
|
|
# Block NETBIOS traffic
|
|
|
|
|
block_netbios: true
|
|
|
|
|
|
|
|
|
|
congrats:
|
|
|
|
|
common: |
|
|
|
|
|
"# Congratulations! #"
|
|
|
|
|
"# Your Algo server is running. #"
|
|
|
|
|
"# Config files and certificates are in the ./configs/ directory. #"
|
|
|
|
|
"# Go to https://whoer.net/ after connecting #"
|
|
|
|
|
"# and ensure that all your traffic passes through the VPN. #"
|
|
|
|
|
"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
|
|
|
|
|
p12_pass: |
|
|
|
|
|
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
|
|
|
|
|
ca_key_pass: |
|
|
|
|
|
"# The CA key password is {{ CA_password|default(omit) }} #"
|
|
|
|
|
ssh_access: |
|
|
|
|
|
"# Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} #"
|
|
|
|
|
|
|
|
|
|
SSH_keys:
|
|
|
|
|
comment: algo@ssh
|
|
|
|
|
private: configs/algo.pem
|
|
|
|
|
private_tmp: /tmp/algo-ssh.pem
|
|
|
|
|
public: configs/algo.pem.pub
|
|
|
|
|
|
|
|
|
|
cloud_providers:
|
|
|
|
|
azure:
|
|
|
|
|
size: Standard_B1S
|
|
|
|
|
image: 19.04
|
|
|
|
|
digitalocean:
|
|
|
|
|
size: s-1vcpu-1gb
|
|
|
|
|
image: "ubuntu-19-04-x64"
|
|
|
|
|
ec2:
|
|
|
|
|
# Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
|
|
|
|
|
encrypted: true
|
|
|
|
|
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
|
|
|
|
|
# Additional prompt will be raised to determine which IP to use
|
|
|
|
|
use_existing_eip: false
|
|
|
|
|
size: t2.micro
|
|
|
|
|
image:
|
|
|
|
|
name: "ubuntu-disco-19.04"
|
|
|
|
|
owner: "099720109477"
|
|
|
|
|
gce:
|
|
|
|
|
size: f1-micro
|
|
|
|
|
image: ubuntu-1904
|
|
|
|
|
external_static_ip: false
|
|
|
|
|
lightsail:
|
|
|
|
|
size: nano_1_0
|
|
|
|
|
image: ubuntu_18_04
|
|
|
|
|
scaleway:
|
|
|
|
|
size: DEV1-S
|
|
|
|
|
image: Ubuntu Bionic Beaver
|
|
|
|
|
arch: x86_64
|
|
|
|
|
hetzner:
|
|
|
|
|
server_type: cx11
|
|
|
|
|
image: ubuntu-18.04
|
|
|
|
|
openstack:
|
|
|
|
|
flavor_ram: ">=512"
|
|
|
|
|
image: Ubuntu-18.04
|
|
|
|
|
cloudstack:
|
|
|
|
|
size: Micro
|
|
|
|
|
image: Linux Ubuntu 19.04 64-bit
|
|
|
|
|
disk: 10
|
|
|
|
|
vultr:
|
|
|
|
|
os: Ubuntu 19.04 x64
|
|
|
|
|
size: 1024 MB RAM,25 GB SSD,1.00 TB BW
|
|
|
|
|
local:
|
|
|
|
|
|
|
|
|
|
fail_hint:
|
|
|
|
|
- Sorry, but something went wrong!
|
|
|
|
|
- Please check the troubleshooting guide.
|
|
|
|
|
- https://trailofbits.github.io/algo/troubleshooting.html
|
|
|
|
|
|
|
|
|
|
booleans_map:
|
|
|
|
|
Y: true
|
|
|
|
|
y: true
|
