Archives
/
algo
mirror of https://github.com/trailofbits/algo
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
955 Commits
5 Branches
2 Tags
10 MiB
fix/14704
dependabot/pip/ansible-9.4.0
master
dependabot/github_actions/actions/setup-python-5.1.0
dependabot/pip/jinja2-approx-eq-3.1.3
v1.1
v1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6f58093a06'
${ noResults }
Commit Graph

355 Commits (6f58093a0646c6433ff19fa1bed468a85b9a5d74)

Author SHA1 Message Date
TC1977 a76642c4d5 Update mobileconfig.j2 (#1197) 
Adds "Algo VPN" to the organization in the "Profiles" menu of "General Settings". (The type still shows up as "Unknown" in the "VPN" menu, because that seems to be governed by the "VPNSubType" string, which must be empty according to the [developer reference](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf) Maybe this can help clear the way for #1101.
 6 years ago
zuccs 2b2d90a8a9 Fix typo (#1165) 6 years ago
datew0 30446d0363 Set disk size depending on server plan (#1159) 
Scaleway`s START1-XS does not start with a disk size of 50GB.
 6 years ago
Jack Ivanov 399d47233a
add region (#1182) 6 years ago
Jack Ivanov 3468d27e61 Lightsail back (#1157) 6 years ago
Jack Ivanov fbc7b29456 WireGuard update-users fix (#1154) 6 years ago
Jack Ivanov efc8dc7620
add tags for the wireguard qr code task. variables fix (#1147) 6 years ago
Jack Ivanov bcba905547 ssh tunneling fixes (#1127) 6 years ago
David Myers d90ba3d11a Allow more flexible DNSCrypt configuration (#1120) 
* Allow more flexible DNSCrypt configuration

* Correct permissions on files changed in #1120

I'm not sure why using BBEdit over SMB makes every file executable.

* Put the public resolvers cache file in /tmp.
 6 years ago
Jack Ivanov 1442586682 WireGuard: Generate QR codes (#1129) 
* WireGuard: Generate QR codes

* Update client-android.md
 6 years ago
Jack Ivanov dbd68aa97d WireGuard BSD (#1083) 
* WireGuard BSD

* Remove unneeded config option

* Enable PersistentKeepalive for NAT and Firewall Traversal Persistence

* Install dnscrypt-proxy from repositories
 6 years ago
Jack Ivanov 6c0753e3b8 GCE: Static external ip (optional) (#1125) 6 years ago
Jack Ivanov eb2224cde1
install generic linux headers (#1124) 6 years ago
James 14234344eb Use gateway ip address for wireguard interface (#1115) 6 years ago
Jack Ivanov 4a42fbea35 Move to the ARM deployment schema (#1107) 6 years ago
David Myers d95df710a5 Add an unattended reboot option (#1082) 6 years ago
Jack Ivanov 91a9dfd983 invoke dns encryption from main playbook instead of meta-dependencies (#1097) 6 years ago
Jack Ivanov e860b78d80
Scaleway authentication fix (#1088) 6 years ago
Jack Ivanov e8947f318b Large refactor to support Ansible 2.5 (#976) 
* Refactoring, booleans declaration and update users fix

* Make server_name more FQDN compatible

* Rename variables

* Define the default value for store_cakey

* Skip a prompt about the SSH user if deploying to localhost

* Disable reboot for non-cloud deployments

* Enable EC2 volume encryption by default

* Add default server value (localhost) for the local installation

Delete empty files

* Add default region to aws_region_facts

* Update docs

* EC2 credentials fix

* Warnings fix

* Update deploy-from-ansible.md

* Fix a typo

* Remove lightsail from the docs

* Disable EC2 encryption by default

* rename droplet to server

* Disable dependencies

* Disable tls_cipher_suite

* Convert wifi-exclude to a string. Update-users fix

* SSH access congrats fix

* 16.04 > 18.04

* Dont ask for the credentials if specified in the environment vars

* GCE server name fix
 6 years ago
Jack Ivanov 53d1113881 Split up unattended upgrades (#1041) 6 years ago
David Myers b86ebe20d7 Prevent DNS rebinding (#1049) 6 years ago
Fabian Foerg 3ddd0ac30f Run dnsmasq as the dnsmasq user (#1029) 
* Run dnsmasq as the dnsmasq user

There is a task that checks whether the dnsmasq user exists.
However, dnsmasq is configured to run as user "nobody" instead.
This change lets dnsmasq run as user "dnsmasq".

* remove dnsmasq user task
 6 years ago
bghost 60a99faaf8 Update PPA for dnscrypt-proxy to 'bionic' (#1039) 6 years ago
Jack Ivanov ca59eeb5c3 Explicitly allow traffic between clients if enabled (#1028) 6 years ago
Jack Ivanov 952e759af4
Revert "Update dnscrypt-proxy.toml.j2 (#1022)" (#1030) 
This reverts commit e6281bc7df.
 6 years ago
adamluk e6281bc7df Update dnscrypt-proxy.toml.j2 (#1022) 6 years ago
Jack Ivanov 07a6bbe652
Move max_mss to config.cfg (#1015) 
* Move max_mss to config.cfg

* Add docs about max_mss

* Update troubleshooting.md
 6 years ago
Jack Ivanov d1c58f0d28
apt_repository fix (#1017) 6 years ago
Jack Ivanov 4ca8c03e3c New default cipher suite (#991) 
* New ciphers enabled

* Update CHANGELOG.md

* Switch ecparam to secp384r1

* Change CertificateType to ECDSA384
 6 years ago
Jack Ivanov b061df6631
Move DNSCrypt proxy fallback_resolver to systemd resolved (#1011) 6 years ago
Emir Beganović 2f142f6dcc Remove duplicate dict key (enable_ipv6) (#999) 
Warning in yaml file:
` [WARNING]: While constructing a mapping from /root/algo/roles/cloud-scaleway/tasks/main.yml, line 73, column 11, found a duplicate dict key (enable_ipv6). Using last defined value only.`
 6 years ago
Jack Ivanov ffb5a1f737 WireGuard: disable SaveConfig, update-users fix (#985) 
- Disables SaveConfig. SaveConfig totally breaks the idea of configuration management and it breaks update-users
- WireGuard update-users fix. Mentioned in https://github.com/trailofbits/algo/issues/980#issuecomment-393720561
 6 years ago
Jack Ivanov aee043977f explicit installation of linux headers (#975) 6 years ago
Jack Ivanov 2d9a36d13a Scaleway: enable ipv6 and switch to local boot (#974) 
- Enables IPv6 on Scaleway
- Adds local boot on scaleway
- Fixes #966
 6 years ago
Jack Ivanov d56f50180b Extra line and better DNS configuration for WireGuard (#968) 
- Adds an extra line after the if statement. Jinja2 trims such blocks by default in Ansible. Fixes #965
- More appropriate way to configure DNS servers
- Removes `DNS` option from the wireguard server config
- Fixes dnscrypt-proxy restart
 6 years ago
Jack Ivanov 3488e660ad Add WireGuard support for Android (#910) 
* WireGuard Implementation

* Update client-android.md

* Update README.md

* WireGuard unattended upgrades

* Update README.md

* reload-module-on-update and syntax fix

* SaveConfig to true

* Azure firewall. Fixes #962

* Update README.md

* Update client-android.md
 6 years ago
Jack Ivanov d27b849f24 Ubuntu1804 (#925) 
- Fixes #897 #944 #956

Work in progress. Lightsail is not ready for Ubuntu 18.04 yet

- [x] DigitalOcean
~~- [ ] Amazon Lightsail~~
- [x] Amazon EC2
- [x] Microsoft Azure
- [x] Google Compute Engine
- [x] Scaleway
- [x] OpenStack (DreamCompute optimised)
 6 years ago
Evgeny Aleksandrov d9dc68164f Remove algo_params (#961) 6 years ago
Evgeny Aleksandrov 87836e0358 Fix typo (#960) 6 years ago
Jack Ivanov 35e526a5a3 IPv6 fixes (#930) 6 years ago
Brian Hulette e01e82b1c3 Don't download minisig dnscrypt release (#905) 7 years ago
adamluk 3d9fa7f8c8 Update dnscrypt-proxy.toml.j2 (#899) 
Updated dnscrypt-proxy.tml with new options: cache_neg_min_ttl and cache_neg_max_ttl
 7 years ago
Dan Guido c276f971b7
monkey patch problematic dnscrypt-proxy cgroup limits (#894) 7 years ago
Jack Ivanov c82bd8c5ff DNS-over-HTTPS (#875) 7 years ago
Jack Ivanov ed6e2d998d Add ipv6 address to subjectAltName if supported (#881) 
CHANGELOG

Some changes

Some changes
 7 years ago
Micah R Ledbetter e944ee993a Embed certs into Windows deployment scripts (#840) 
- Obviate need to copy separate script and certificate files
- Allow execution from any directory, not just the script's parent
  directory (no assumption of any particular working directory)
- Fix docs that neglected to mention copying cacert.pem
- Fix docs that incorrectly referred to the user cert store

As part of this work, rewrite the windows_client.ps1.j2 deployment
script template

- Add comment-based help
- Require admin privileges
- Use a Param() block
- Use parameter sets with -Add and -Remove switches
- Add the -GetInstalledCerts switch, to list any Algo certificates
  installed the machine's cert store
- Add the -SaveCerts switch, to save the embedded certificates to files
- Put Jinja2 variables inside Powershell variables,
- Use native Powershell cmdlets rather than shell out to certutil.exe
- Add a playbook to regenerate the windows_USER.ps1 scripts
 7 years ago
Micah R Ledbetter 4b0aea8f5a Document iptables rules (#854) 
* Remove firewall rule related to the old proxy role

* Remove proxy conditionals from mobileconfig template

* Add comments explaining firewall rules
 7 years ago
Jack Ivanov 78830d96aa Android: add the CA and set the ciphers explicitly (#837) 7 years ago
Jack Ivanov 4e4440a318 Exclude CA from P12 (#835) 7 years ago
Jack Ivanov 3b19f13082 Enable no-resolv (#816) 7 years ago
adamluk b30f6db079 Update rules.v6.j2 (#818) 
Updated to use -m conntrack for consistency as per the other IPv6 rules.
 7 years ago
Jack Ivanov 7e07c35474 proper cloudformation template (#815) 7 years ago
Jack Ivanov 02427910de Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804) 
* Move to ansible-2.4.3

* Add Lightsail support #623

* Fixing the EC2 deployment

* Scaleway integration #623

* OpenStack cloud provider (DreamCompute optimised) #623

* Remove the security role

* Enable unattended-upgrades for clouds

* New requirements to make Azure and GCE work
 7 years ago
Jack Ivanov 4da752b603 Ubuntu 17.10 support (#811) 7 years ago
Micah R Ledbetter 5eed1bbba4 Use dns_servers in dnsmasq.conf (#794) 7 years ago
Douglas Gastonguay-Goddard 7eb4fc5f22 DigitalOcean - Add cleanup step for SSH key (#784) 
* Add cleanup step for SSH key.

* Two space tabs are hard to see.
 7 years ago
Jack Ivanov a844870b7a Sendmail should not be installed (#738) 7 years ago
Marcelo Elizeche Landó 07a1c70bf4 Update adblock.sh for systemd to fix issue #735 (#736) 
* Update script to restart the dnsmasq service using systemctl(systemd) command instead of service(Upstart)

* Use  instead of legacy  REF: https://github.com/koalaman/shellcheck/wiki/SC2006

* Replace non-standard egrep(deprecated) for grep -E. REF: https://github.com/koalaman/shellcheck/wiki/SC2196
 7 years ago
Jack Ivanov f18c1a0d67 Certificate revocation fix (#719) 7 years ago
Jack Ivanov b64f682bae remove the dead code. Fixes #671 7 years ago
Jurgen Verhasselt 185c0f51d7 correct configs_prefix vars in client tasks (#712) 7 years ago
Julie Bernosky dc4dff040e Add StrongSwan log level config option to ipsec.conf template (#700) 7 years ago
Jack Ivanov 3c55cd15a4 GCE. replace underscores (#698) 7 years ago
Jack Ivanov ee7264f26e Ask users to enter the p12 password manually (#697) 7 years ago
Jack Ivanov 6b803e069f LibreSSL fix #625 (#685) 7 years ago
Jack Ivanov 8da53f859b Some browsers (eg. Safari) stop loading pages if the element with ads can't be loaded (#633) 7 years ago
Samuel Horwitz 0607e968d7 Update main.yml (#621) 7 years ago
Jack Ivanov 0bb9279094 bug in the gce_net module #616 (#620) 7 years ago
Jack Ivanov 78bd5b017c client fixes (#605) 7 years ago
Jack Ivanov 9d8e39f63d Move back to the Xenial repo (#606) 7 years ago
Jack Ivanov f0283856ad fix revocation (#586) 7 years ago
Jack Ivanov a8ebb16437 Enable timeouts. Fixes #581 7 years ago
Jack Ivanov 26c202ded5 Generate p12 each deployment. Generate ps1 scripts if windows supported. Define `become` for all the section. (#580) 7 years ago
Jack Ivanov ba7859ba5f Revoke non-existing users fix 7 years ago
Jack Ivanov 0131505195 Enhance PS1 script (#510) 
update docs

Update README.md

update readme
 7 years ago
Jack Ivanov e6c8f19d3c Create a VPC network for each instane (#561) 7 years ago
Jack Ivanov ee6db37428 Change the P12 and SSH passwords only for new users (#550) 7 years ago
Jack Ivanov 40e0363b18 Add html helper for Android (#554) 
* add html helper #280

move to the new local schema

fix a typo

* Update client-android.md
 7 years ago
Ruben Jongejan e9e6c6e383 cleaner syntax for local actions (#536) 
* refactored local actions to cleaner syntax

* openssl commands folded

* removed unnecessary local_action's
 7 years ago
Rod Vagg 75d64ac018 Make DNS blocklist URLs configurable (#548) 7 years ago
tetov ac6db06a19 grammar edit (#540) 
* grammar edit

* Update openssl.yml
 8 years ago
Jack Ivanov 58d5a06e87 delete tasks and move to roles (#519) 8 years ago
Ruben Jongejan 07ddb5863b improved readability with native yaml (#530) 8 years ago
Jack Ivanov 97369c303a define local_dns if dns tag used (#533) 8 years ago
Jack Ivanov 0031d2809e Disable the Signature Algorithm check and add default vars. Fixes #525 8 years ago
Christopher J. Pilkington a225bde2b8 Specify EIP domain (#521) 8 years ago
Jack Ivanov 6f170982aa move to Elastic IP (#512) 8 years ago
Jack Ivanov 9f698fdd68 Get strongswan from the Zesty repo on Xenial (#515) 8 years ago
Jack Ivanov bd348af9c2 Implementing blocks and additional fail hints #487 (#497) 
change the troubleshooting url
 8 years ago
Jack Ivanov 2f5c050fd2 dpdaction to clear (#498) 8 years ago
Jack Ivanov 0ed68b6c30 Properly configure ICMP restrictions (#492) 8 years ago
Ryan Kasper 0cb43650cb Windows 10 -PfsGroup None --> -PfsGroup ECP256 (#493) 
* Windows 10 -PfsGroup None --> -PfsGroup ECP256

Fixes broken tunnel when rekey (CREATE_CHILD_SA request [ N(REKEY_SA) SA No TSi TSr KE ]) occurs (on my Windows 10 1703 build 15063.138 Creator's Update system this is ~every 57 minutes)

* Update Windows Client PfsGroup Commandline
 8 years ago
Jack Ivanov 540c761d3b Disable RSA in the mobileconfigs. Fixes #486 8 years ago
Jack Ivanov 451394100d Some enhances in the compat ciphers (#464) 
raise the IntegrityCheckMethod to SHA384

Move Windows to ECDSA

Increase IntegrityCheckMethod
 8 years ago
Dan Guido aac052da46 this option is deprecated (#477) 8 years ago
Jack Ivanov c3fcfe5d0d Let users choose the distro version #449 (#466) 
Make dpdaction great again

add 1704 to travis

Make EC2 image name more convenient

modify apparmor profile
 8 years ago
Andy Boutte 76cdc69548 CF tested and working for EC2 deployment (#431) 
* AWS CloudFormation #132

* IPv6 EC2 draft

* CF tested and working for EC2 deployment

* IPv6 Implementation, EC2, Cloudformation

* Fixed ipv6 networking

* adding ip6tables rule for DHCP on AWS
 8 years ago
Jack Ivanov a7b06058cb remove the proxy role #440 (#457) 
* remove the proxy role #440

* Separate facts. Make roles more independent from each other

move openssl to local tasks

move unneeded tasks
 8 years ago
Dan Guido 0b05ea19bc Windows needs SHA2-256. Closes #453. (#456) 8 years ago
Dan Guido 8173b84ff8 Change uniqueids back to never (#448) 
We need this to allow multiple connections with the same id/certificate
 8 years ago