Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
dependabot/pip/ansible-9.4.0
dependabot/github_actions/actions/setup-python-5.1.0
fix/14704
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6ce6f5c81e'
${ noResults }
algo/config.cfg

234 lines
8.4 KiB
INI
Raw Normal View History Unescape Escape

Cert auth
8 years ago
---
Update config.cfg (#1436) * Update config.cfg Reflects fixes in #1434 and #1435. * Update config.cfg
5 years ago
# This is the list of users to generate.
Allow more users (#1895)
4 years ago
# Every device must have a unique user.
# You can add up to 65,534 new users over the lifetime of an AlgoVPN.
# User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
# Email addresses are not allowed.
Make config.cfg a little more user-friendly
8 years ago
users:
Document using WireGuard app on macOS (#1327) * Document using WireGuard app on macOS * Update README.md * Make WireGuard the default for Apple devices * clarify user list * fix tests * connect on demand
5 years ago
- phone
- laptop
- desktop
Make config.cfg a little more user-friendly
8 years ago
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
Cert auth
8 years ago
Change default SSH port and introduce cloud-init support (#1636) * Change default SSH port * Iptables to ansible_ssh_port * Add Scaleway * permissions and groups fixes * update firewall docs * SSH fixes * add missing cloudinit to cloud-azure * remove ansible_ssh_user from the tests * congrats message fix
4 years ago
# Change default SSH port for the cloud roles only
# It doesn't apply if you deploy to your existing Ubuntu Server
ssh_port: 4160
Refactoring (#1334) <!--- Provide a general summary of your changes in the Title above --> ## Description Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162 Configures Ansible to use python3 on the server side. Closes #1024 Removes unneeded playbooks, reorganises a lot of variables Reorganises the `config` folder. Closes #1330 <details><summary>Here is how the config directory looks like now</summary> <p> ``` configs/X.X.X.X/ |-- ipsec | |-- apple | | |-- desktop.mobileconfig | | |-- laptop.mobileconfig | | `-- phone.mobileconfig | |-- manual | | |-- cacert.pem | | |-- desktop.p12 | | |-- desktop.ssh.pem | | |-- ipsec_desktop.conf | | |-- ipsec_desktop.secrets | | |-- ipsec_laptop.conf | | |-- ipsec_laptop.secrets | | |-- ipsec_phone.conf | | |-- ipsec_phone.secrets | | |-- laptop.p12 | | |-- laptop.ssh.pem | | |-- phone.p12 | | `-- phone.ssh.pem | `-- windows | |-- desktop.ps1 | |-- laptop.ps1 | `-- phone.ps1 |-- ssh-tunnel | |-- desktop.pem | |-- desktop.pub | |-- laptop.pem | |-- laptop.pub | |-- phone.pem | |-- phone.pub | `-- ssh_config `-- wireguard |-- desktop.conf |-- desktop.png |-- laptop.conf |-- laptop.png |-- phone.conf `-- phone.png ``` ![finder](https://i.imgur.com/FtOmKO0.png) </p> </details> ## Motivation and Context This refactoring is focused to aim to the 1.0 release ## How Has This Been Tested? Deployed to several cloud providers with various options enabled and disabled ## Types of changes <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: --> - [x] Refactoring ## Checklist: <!--- Go over all the following points, and put an `x` in all the boxes that apply. --> <!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! --> - [x] I have read the **CONTRIBUTING** document. - [x] My code follows the code style of this project. - [x] My change requires a change to the documentation. - [x] I have updated the documentation accordingly. - [x] All new and existing tests passed.
5 years ago
# Deploy StrongSwan to enable IPsec support
ipsec_enabled: true
# Deploy WireGuard
Allow WireGuard to listen on port 53 (#1594) * Allow WireGuard to listen on port 53 * Use a variable for the port to avoid * Add comment to config.cfg
5 years ago
# WireGuard will listen on 51820/UDP. You might need to change to another port
# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
# mobile data networks.
Add WireGuard support for Android (#910) * WireGuard Implementation * Update client-android.md * Update README.md * WireGuard unattended upgrades * Update README.md * reload-module-on-update and syntax fix * SaveConfig to true * Azure firewall. Fixes #962 * Update README.md * Update client-android.md
6 years ago
wireguard_enabled: true
wireguard_port: 51820
Refactoring to support roles inclusion (#1365)
5 years ago
Alternative Ingress IP (#1605) * Separate ingress IP draft * task name fix * placeholder
4 years ago
# This feature allows you to configure the Algo server to send outbound traffic
# through a different external IP address than the one you are establishing the VPN connection with.
# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
# Available for the following cloud providers:
# - DigitalOcean
alternative_ingress_ip: false
Replace 'max_mss' with 'reduce_mtu' (#1253)
5 years ago
# Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
# VPN tunnel some network connections will hang. Algo will attempt to set this
# automatically based on your server, but if connections hang you might need to
# adjust this yourself.
# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
reduce_mtu: 0
Move max_mss to config.cfg (#1015) * Move max_mss to config.cfg * Add docs about max_mss * Update troubleshooting.md
6 years ago
Disable wireguard PersistentKeepalive by default (#1338)
5 years ago
# Algo will use the following lists to block ads. You can add new block lists
Add info about modifying blacklists (#1236) # Algo will use the following lists to block ads. You can add new block lists # after deployment by modifying the line starting "BLOCKLIST_URLS=" at: # /usr/local/sbin/adblock.sh # If you load very large blocklists, you may also have to modify resource limits: # /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
6 years ago
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
Disable wireguard PersistentKeepalive by default (#1338)
5 years ago
# /usr/local/sbin/adblock.sh
Add info about modifying blacklists (#1236) # Algo will use the following lists to block ads. You can add new block lists # after deployment by modifying the line starting "BLOCKLIST_URLS=" at: # /usr/local/sbin/adblock.sh # If you load very large blocklists, you may also have to modify resource limits: # /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
6 years ago
# If you load very large blocklists, you may also have to modify resource limits:
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
Make DNS blocklist URLs configurable (#548)
7 years ago
adblock_lists:
Update Adblock lists (#1394) Uses the Unified hosts file from @StevenBlack available [here](https://github.com/StevenBlack/hosts). This encompasses the Ad Away, MVPS, and Malware Domain lists, deleting duplicates for us, and also adds a bunch more.
5 years ago
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
Make DNS blocklist URLs configurable (#548)
7 years ago
Allow more flexible DNSCrypt configuration (#1120) * Allow more flexible DNSCrypt configuration * Correct permissions on files changed in #1120 I'm not sure why using BBEdit over SMB makes every file executable. * Put the public resolvers cache file in /tmp.
6 years ago
# Enable DNS encryption.
# If 'false', 'dns_servers' should be specified below.
dnscrypt-proxy as a dns adblocker (#1480) * Move DNS adblocking to dnscrypt-proxy * Update docs * remove unneeded variable dnscrypt_proxy_version * Update to the latest dnscrypt-proxy version * install.sh fix * spelling
5 years ago
# DNS encryption can not be disabled if DNS adblocking is enabled
DNS-over-HTTPS (#875)
6 years ago
dns_encryption: true
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# Block traffic between connected clients. Change this to false to enable
# connected clients to reach each other, as well as other computers on the
# same LAN as your Algo server (i.e. the "road warrior" setup). In this
# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
BetweenClients_DROP: true
# Block SMB/CIFS traffic
block_smb: true
# Block NETBIOS traffic
block_netbios: true
# Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself
# automatically unless you change 'enabled' below from 'false' to 'true', in
# which case a reboot will take place if necessary at the time specified (as
# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
unattended_reboot:
enabled: false
time: 06:00
### Advanced users only below this line ###
Allow more flexible DNSCrypt configuration (#1120) * Allow more flexible DNSCrypt configuration * Correct permissions on files changed in #1120 I'm not sure why using BBEdit over SMB makes every file executable. * Put the public resolvers cache file in /tmp.
6 years ago
# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
# providers may be specified, but avoid mixing providers that filter results
# (like Cisco) with those that don't (like Cloudflare) or you could get
# inconsistent results. The list of available public providers can be found
# here:
# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
dnscrypt_servers:
ipv4:
- cloudflare
# - google
Make it easier to use NextDNS or other private DNS server (#14288)
3 years ago
# - <YourCustomServer> # E.g., if using NextDNS, this will be something like NextDNS-abc123.
# You must also fill in custom_server_stamps below. You may specify
# multiple custom servers.
Allow more flexible DNSCrypt configuration (#1120) * Allow more flexible DNSCrypt configuration * Correct permissions on files changed in #1120 I'm not sure why using BBEdit over SMB makes every file executable. * Put the public resolvers cache file in /tmp.
6 years ago
ipv6:
- cloudflare-ipv6
DNS-over-HTTPS (#875)
6 years ago
Make it easier to use NextDNS or other private DNS server (#14288)
3 years ago
custom_server_stamps:
# YourCustomServer: 'sdns://...'
Allow more flexible DNSCrypt configuration (#1120) * Allow more flexible DNSCrypt configuration * Correct permissions on files changed in #1120 I'm not sure why using BBEdit over SMB makes every file executable. * Put the public resolvers cache file in /tmp.
6 years ago
# DNS servers which will be used if 'dns_encryption' is 'false'.
Multiple Azure fixes (#1908) * Multiple Azure fixes * back to azure daily
4 years ago
# Fallback resolvers for systemd-resolved
Allow more flexible DNSCrypt configuration (#1120) * Allow more flexible DNSCrypt configuration * Correct permissions on files changed in #1120 I'm not sure why using BBEdit over SMB makes every file executable. * Put the public resolvers cache file in /tmp.
6 years ago
# The default is to use Cloudflare.
Add lightweight ad-blocking to the proxy #14
8 years ago
dns_servers:
DNS fix
8 years ago
ipv4:
DNS-over-HTTPS (#875)
6 years ago
- 1.1.1.1
- 1.0.0.1
DNS fix
8 years ago
ipv6:
DNS-over-HTTPS (#875)
6 years ago
- 2606:4700:4700::1111
- 2606:4700:4700::1001
Cert auth
8 years ago
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
pki_in_tmpfs: true
Fixed. #137
8 years ago
Change default SSH port and introduce cloud-init support (#1636) * Change default SSH port * Iptables to ansible_ssh_port * Add Scaleway * permissions and groups fixes * update firewall docs * SSH fixes * add missing cloudinit to cloud-azure * remove ansible_ssh_user from the tests * congrats message fix
4 years ago
# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
keys_clean_all: false
Add an unattended reboot option (#1082)
6 years ago
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# StrongSwan log level
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2
disable the proxy and client-to-client options
8 years ago
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# rightsourceip for ipsec
# ipv4
Allow more users (#1895)
4 years ago
strongswan_network: 10.48.0.0/16
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# ipv6
Make clients prefer IPv6 (#1822) Change IPv6 addresses to non-ULA addresses such that they are favored over IPv4.
4 years ago
strongswan_network_ipv6: '2001:db8:4160::/48'
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
# This option will keep the "connection" open in the eyes of NAT.
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
wireguard_PersistentKeepalive: 0
# WireGuard network configuration
Allow more users (#1895)
4 years ago
wireguard_network_ipv4: 10.49.0.0/16
Make clients prefer IPv6 (#1822) Change IPv6 addresses to non-ULA addresses such that they are favored over IPv4.
4 years ago
wireguard_network_ipv6: 2001:db8:a160::/48
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# Randomly generated IP address for the local dns resolver
local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
Allow to unblock smb and netbios in config.cfg (#1558)
5 years ago
Fix typo (#14145)
3 years ago
# Hide sensitive data
skip pre tasks in update-users (#1921)
3 years ago
no_log: true
Allow to unblock smb and netbios in config.cfg (#1558)
5 years ago
rewrite congrats
7 years ago
congrats:
common: |
"# Congratulations! #"
"# Your Algo server is running. #"
"# Config files and certificates are in the ./configs/ directory. #"
"# Go to https://whoer.net/ after connecting #"
"# and ensure that all your traffic passes through the VPN. #"
Add IPv6 support to DNS (#1425) * Add ipv6 * Add ipv6 * add ipv6 * add ipv6 * Switching out ipv6 address with local_service_ipv6 variable from #1429 * Fixing variable error
5 years ago
"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
rewrite congrats
7 years ago
p12_pass: |
Fix spacing in congrats message (#1104) The spacing of several lines in the congrats message has been off. Here's the congrats output with this fix: ``` ok: [54.85.244.8] => { "msg": [ [ "\"# Congratulations! #\"", "\"# Your Algo server is running. #\"", "\"# Config files and certificates are in the ./configs/ directory. #\"", "\"# Go to https://whoer.net/ after connecting #\"", "\"# and ensure that all your traffic passes through the VPN. #\"", "\"# Local DNS resolver 172.16.0.1 #\"", "" ], " \"# The p12 and SSH keys password for new users is CR2qzRcA #\"\n", " \"# The CA key password is ed0fd57e7d355af08d12ccdbfd3f5931 #\"\n", " \"# Shell access: ssh -i configs/algo.pem ubuntu@54.85.244.8 #\"\n" ] } ```
6 years ago
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
rewrite congrats
7 years ago
ca_key_pass: |
Don't set CA facts if IPsec is disabled (#1446) * Don't set CA facts if ipsec is disabled * localhost update-users fix
5 years ago
"# The CA key password is {{ CA_password|default(omit) }} #"
rewrite congrats
7 years ago
ssh_access: |
Use user-defined hostname for SSH hostname (#1715) * Use user-defined hostname for SSH hostname * Update readme to use hostname in ssh commands
4 years ago
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #"
Fix for the local installation
7 years ago
generating ssh-keys #152 #151 #112
8 years ago
SSH_keys:
comment: algo@ssh
private: configs/algo.pem
Windows SSH key permissions workaround (#1584) * Windows SSH key permissions workaround * Ensure Ansible is not being run in a world writable directory * linting
5 years ago
private_tmp: /tmp/algo-ssh.pem
generating ssh-keys #152 #151 #112
8 years ago
public: configs/algo.pem.pub
EC2 dynamic enventory. Fixes #73
7 years ago
Instance size (#404) * Escaping Special Characters #388 * Make instance sizes more flexible to edit #355
7 years ago
cloud_providers:
azure:
Update config.cfg default Azure instance (#1474)
5 years ago
size: Standard_B1S
Make Azure OS disk type configurable and default to a cheaper type (#14533) * add azure option for osDiskType * azure: change default image to minimal ubuntu
2 years ago
osDisk:
# The storage account type to use for the OS disk. Possible values:
# 'Standard_LRS', 'Premium_LRS', 'StandardSSD_LRS', 'UltraSSD_LRS',
# 'Premium_ZRS', 'StandardSSD_ZRS', 'PremiumV2_LRS'.
type: Standard_LRS
Ubuntu 20.04 support (#1782) * ubuntu 20.04 support * purge snapd for 20.04 * strongswan-starter fix
4 years ago
image:
publisher: Canonical
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
offer: 0001-com-ubuntu-minimal-jammy-daily
sku: minimal-22_04-daily-lts
Ubuntu 20.04 support (#1782) * ubuntu 20.04 support * purge snapd for 20.04 * strongswan-starter fix
4 years ago
version: latest
Instance size (#404) * Escaping Special Characters #388 * Make instance sizes more flexible to edit #355
7 years ago
digitalocean:
update digitalocean docs on droplets (#14659) Make note of smaller/cheaper droplets for DigitalOcean and document it.
5 months ago
# See docs for extended droplet options, pricing, and availability.
# Possible values: 's-1vcpu-512mb-10gb', 's-1vcpu-1gb', ...
minimum DigitalOcean $5 type now 's-1vcpu-1gb' (#785) https://www.digitalocean.com/pricing/
6 years ago
size: s-1vcpu-1gb
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: "ubuntu-22-04-x64"
Update config.cfg
5 years ago
ec2:
Documentation updates (#1607) * update variable name to store_pki * Document BetweenClients_DROP * Update README.md * Update faq.md * VPN On Demand is for Apple IPSEC clients only * How to update users from cloud-init * How to monitor user activity * Fix typo * Update FAQ about WireGuard, fix typos * Correct locations of install log and user configs * Update-users from cloud-init * Update features list * More "IPsec" and "WireGuard" changes * fixed broken link/absent link in FAQ * Python version README fix for #1622 * road warrior instructions * Update index.md * Reorganize config.cfg As per @davidemyers suggestions * Further config changes As per feedback, also better explanation of keys_clean_all * Add road warrior instructions to FAQ * Remove specific ports from RW instructions
4 years ago
# Change the encrypted flag to "false" to disable AWS volume encryption.
EC2: Enable EBS single step encryption by default (#1556) * EC2: EBS single step encryption by default * return back the encryption variable
5 years ago
encrypted: true
AWS support for existing EIP (revised) (#1292) * Support for associating to existing AWS Elastic IP Signed-off-by: Elliot Murphy <statik@users.noreply.github.com> * Backport ec2_eip_facts module for EIP support This means that EIP support no longer requires Ansible 2.6 The local fact module has been named ec2_elasticip_facts to avoid conflict with the ec2_eip_facts module whenever the Ansible 2.6 upgrade takes place. Signed-off-by: Elliot Murphy <statik@users.noreply.github.com> * Update from review feedback. Signed-off-by: Elliot Murphy <statik@users.noreply.github.com> * Move to the native module. Add additional condition for existing Elastic IP
5 years ago
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
# Additional prompt will be raised to determine which IP to use
Update config.cfg
5 years ago
use_existing_eip: false
Instance size (#404) * Escaping Special Characters #388 * Make instance sizes more flexible to edit #355
7 years ago
size: t2.micro
Let users choose the distro version #449 (#466) Make dpdaction great again add 1704 to travis Make EC2 image name more convenient modify apparmor profile
7 years ago
image:
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
name: "ubuntu-jammy-22.04"
Implemented architecture choice 'arm' or amd 'x86_64' for EC2 cloud (#14289) New `arch` config.cfg parameter is used along with the image name parameter to find the most recent OS image to be used in hosted ec2 instance. This allows the user to choose arm based instance types which was causing algo failure during cloud formation.
2 years ago
arch: x86_64
Let users choose the distro version #449 (#466) Make dpdaction great again add 1704 to travis Make EC2 image name more convenient modify apparmor profile
7 years ago
owner: "099720109477"
Change config.cfg comment regarding ec2 spot option (#14345) Reference the documentation to know the proper IAM permissions
2 years ago
# Change instance_market_type from "on-demand" to "spot" to launch a spot
# instance. See deploy-from-ansible.md for spot's additional IAM permission
Added support for EC2 Spot instances (#14248) If new instance_market_type config.cfg variable specifies 'spot' instead of 'on-demand' then the stack.yml creates a LaunchTemplate resource using spot option. The create EC2 Instance command uses that LaunchTemplate.
3 years ago
instance_market_type: on-demand
Instance size (#404) * Escaping Special Characters #388 * Make instance sizes more flexible to edit #355
7 years ago
gce:
Update Google Compute Environment machine type (#14251) Google advised that the f1-micro tier will no longer be free after 31AUG21 and suggested e2-micro will be the new free tier.
3 years ago
size: e2-micro
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: ubuntu-2204-lts
GCE: Static external ip (optional) (#1125)
6 years ago
external_static_ip: false
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) * Move to ansible-2.4.3 * Add Lightsail support #623 * Fixing the EC2 deployment * Scaleway integration #623 * OpenStack cloud provider (DreamCompute optimised) #623 * Remove the security role * Enable unattended-upgrades for clouds * New requirements to make Azure and GCE work
6 years ago
lightsail:
Move Lightsail to Ubuntu 20.04 (#1873)
4 years ago
size: nano_2_0
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: ubuntu_22_04
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) * Move to ansible-2.4.3 * Add Lightsail support #623 * Fixing the EC2 deployment * Scaleway integration #623 * OpenStack cloud provider (DreamCompute optimised) #623 * Remove the security role * Enable unattended-upgrades for clouds * New requirements to make Azure and GCE work
6 years ago
scaleway:
Refactor to support Ansible 2.8 (#1549) * bump ansible to 2.8.3 * DigitalOcean: move to the latest modules * Add Hetzner Cloud * Scaleway and Lightsail fixes * lint missing roles * Update roles/cloud-hetzner/tasks/main.yml Add api_token Co-Authored-By: phaer <phaer@phaer.org> * Update roles/cloud-hetzner/tasks/main.yml Add api_token Co-Authored-By: phaer <phaer@phaer.org> * Try to run apt until succeeded * Scaleway modules upgrade * GCP: Refactoring, remove deprecated modules * Doc updates (#1552) * Update README.md Adding links and mentions of Exoscale aka CloudStack and Hetzner Cloud. * Update index.md Add the Hetzner Cloud to the docs index * Remove link to Win 10 IPsec instructions * Delete client-windows.md Unnecessary since the deprecation of IPsec for Win10. * Update deploy-from-ansible.md Added sections and required variables for CloudStack and Hetzner Cloud. * Update deploy-from-ansible.md Added sections for CloudStack and Hetzner, added req variables and examples, mentioned environment variables, and added links to the provider role section. * Update deploy-from-ansible.md Cosmetic changes to links, fix typo. * Update GCE variables * Update deploy-from-script-or-cloud-init-to-localhost.md Fix a finer point, and make variables list more readable. * update azure requirements * Python3 draft * set LANG=c to the p12 password generation task * Update README * Install cloud requirements to the existing venv * FreeBSD fix * env->.env fixes * lightsail_region_facts fix * yaml syntax fix * Update README for Python 3 (#1564) * Update README for Python 3 * Remove tabs and tweak instructions * Remove cosmetic command indentation * Update README.md * Update README for Python 3 (#1565) * DO fix for "found unpermitted parameters: id" * Verify Python version * Remove ubuntu 16.04 from readme * Revert back DigitalOcean module * Update deploy-from-script-or-cloud-init-to-localhost.md * env to .env
5 years ago
size: DEV1-S
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: Ubuntu 22.04 Jammy Jellyfish
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) * Move to ansible-2.4.3 * Add Lightsail support #623 * Fixing the EC2 deployment * Scaleway integration #623 * OpenStack cloud provider (DreamCompute optimised) #623 * Remove the security role * Enable unattended-upgrades for clouds * New requirements to make Azure and GCE work
6 years ago
arch: x86_64
Refactor to support Ansible 2.8 (#1549) * bump ansible to 2.8.3 * DigitalOcean: move to the latest modules * Add Hetzner Cloud * Scaleway and Lightsail fixes * lint missing roles * Update roles/cloud-hetzner/tasks/main.yml Add api_token Co-Authored-By: phaer <phaer@phaer.org> * Update roles/cloud-hetzner/tasks/main.yml Add api_token Co-Authored-By: phaer <phaer@phaer.org> * Try to run apt until succeeded * Scaleway modules upgrade * GCP: Refactoring, remove deprecated modules * Doc updates (#1552) * Update README.md Adding links and mentions of Exoscale aka CloudStack and Hetzner Cloud. * Update index.md Add the Hetzner Cloud to the docs index * Remove link to Win 10 IPsec instructions * Delete client-windows.md Unnecessary since the deprecation of IPsec for Win10. * Update deploy-from-ansible.md Added sections and required variables for CloudStack and Hetzner Cloud. * Update deploy-from-ansible.md Added sections for CloudStack and Hetzner, added req variables and examples, mentioned environment variables, and added links to the provider role section. * Update deploy-from-ansible.md Cosmetic changes to links, fix typo. * Update GCE variables * Update deploy-from-script-or-cloud-init-to-localhost.md Fix a finer point, and make variables list more readable. * update azure requirements * Python3 draft * set LANG=c to the p12 password generation task * Update README * Install cloud requirements to the existing venv * FreeBSD fix * env->.env fixes * lightsail_region_facts fix * yaml syntax fix * Update README for Python 3 (#1564) * Update README for Python 3 * Remove tabs and tweak instructions * Remove cosmetic command indentation * Update README.md * Update README for Python 3 (#1565) * DO fix for "found unpermitted parameters: id" * Verify Python version * Remove ubuntu 16.04 from readme * Revert back DigitalOcean module * Update deploy-from-script-or-cloud-init-to-localhost.md * env to .env
5 years ago
hetzner:
server_type: cx11
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: ubuntu-22.04
Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) * Move to ansible-2.4.3 * Add Lightsail support #623 * Fixing the EC2 deployment * Scaleway integration #623 * OpenStack cloud provider (DreamCompute optimised) #623 * Remove the security role * Enable unattended-upgrades for clouds * New requirements to make Azure and GCE work
6 years ago
openstack:
flavor_ram: ">=512"
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: Ubuntu-22.04
New cloud provider CloudStack (#1420) * clean commits from branch cloud-cloudstack w/ proper committer email/name * fixed ansible-lint errors * corrected typo in prompted message * standalone cloudstack zones module * added missing environment variables * remove `_cloudstack_zones` default variable * Move to Ubuntu 19.04 * Update cloud-cloudstack.md * Update cloud-cloudstack.md Markdown doesn't render `<your account>` * Update prompts.yml * Update main.yml
5 years ago
cloudstack:
size: Micro
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: Linux Ubuntu 22.04 LTS 64-bit
New cloud provider CloudStack (#1420) * clean commits from branch cloud-cloudstack w/ proper committer email/name * fixed ansible-lint errors * corrected typo in prompted message * standalone cloudstack zones module * added missing environment variables * remove `_cloudstack_zones` default variable * Move to Ubuntu 19.04 * Update cloud-cloudstack.md * Update cloud-cloudstack.md Markdown doesn't render `<your account>` * Update prompts.yml * Update main.yml
5 years ago
disk: 10
Large refactor to support Ansible 2.5 (#976) * Refactoring, booleans declaration and update users fix * Make server_name more FQDN compatible * Rename variables * Define the default value for store_cakey * Skip a prompt about the SSH user if deploying to localhost * Disable reboot for non-cloud deployments * Enable EC2 volume encryption by default * Add default server value (localhost) for the local installation Delete empty files * Add default region to aws_region_facts * Update docs * EC2 credentials fix * Warnings fix * Update deploy-from-ansible.md * Fix a typo * Remove lightsail from the docs * Disable EC2 encryption by default * rename droplet to server * Disable dependencies * Disable tls_cipher_suite * Convert wifi-exclude to a string. Update-users fix * SSH access congrats fix * 16.04 > 18.04 * Dont ask for the credentials if specified in the environment vars * GCE server name fix
6 years ago
vultr:
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
os: Ubuntu 22.04 LTS x64
Fix Vultr collection (#14707)
2 months ago
size: vc2-1c-1gb
add linode as one of cloud providers (#1590) * add linode as one of cloud providers * add Linode into cloud provider list * fix code style * install requirements of ansible linode module * Update prompts.yml - Make the regions list more readable - Assign us-east as the default region * remove prompt of asking root password * roles/common: Add sshd tasks * cloud-linode/tasks: Fix LINODE_API_TOKEN env lookup * docs: Add Linode to Ansible deploy docs * docs: Add cloud-linode * config: Use Ubuntu 20.04 on Linode * README: syntax * Linode stackscript support * Linode stackscript fix * linting Co-authored-by: Jack Ivanov <17044561+jackivanov@users.noreply.github.com> Co-authored-by: William Woodruff <william@yossarian.net> Co-authored-by: William Woodruff <william.woodruff@trailofbits.com> Co-authored-by: Jack Ivanov <e601809@gmail.com>
4 years ago
linode:
type: g6-nanode-1
Ubuntu 22.04 support (#14579) * add 22.04 support * actions trigger * lighsail to 22.04 and remove 20.04 * test scripted deploy * ansible lint is advisory. moving to terraform
12 months ago
image: linode/ubuntu22.04
Instance size (#404) * Escaping Special Characters #388 * Make instance sizes more flexible to edit #355
7 years ago
local:
Implementing blocks and additional fail hints #487 (#497) change the troubleshooting url
7 years ago
fail_hint:
- Sorry, but something went wrong!
- Please check the troubleshooting guide.
- https://trailofbits.github.io/algo/troubleshooting.html
Large refactor to support Ansible 2.5 (#976) * Refactoring, booleans declaration and update users fix * Make server_name more FQDN compatible * Rename variables * Define the default value for store_cakey * Skip a prompt about the SSH user if deploying to localhost * Disable reboot for non-cloud deployments * Enable EC2 volume encryption by default * Add default server value (localhost) for the local installation Delete empty files * Add default region to aws_region_facts * Update docs * EC2 credentials fix * Warnings fix * Update deploy-from-ansible.md * Fix a typo * Remove lightsail from the docs * Disable EC2 encryption by default * rename droplet to server * Disable dependencies * Disable tls_cipher_suite * Convert wifi-exclude to a string. Update-users fix * SSH access congrats fix * 16.04 > 18.04 * Dont ask for the credentials if specified in the environment vars * GCE server name fix
6 years ago
booleans_map:
Y: true
y: true