Commit Graph

308 Commits (9187d8e63752a6bb4ba12f38907a2a96432842ed)

Author SHA1 Message Date
Jack Ivanov 9187d8e637 dnscrypt-proxy apparmor fix (#1210)

## Description
Apparmor profile for dnscrypt-proxy didn't work at all

## Motivation and Context
Fixes #1155

## How Has This Been Tested?
Deployed to DigitalOcean, checked that the dnscrypt-proxy binary is in enforce mode

## Types of changes
- [x] Bug fix (non-breaking change which fixes an issue)

## Checklist:
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] All new and existing tests passed.
6 years ago
Jack Ivanov 45b00ee994 BSD StrongSwan fixes (#1207) 6 years ago
Jack Ivanov 66d30e3005 WireGuard update-users fix (#1183) 6 years ago
TC1977 a76642c4d5 Update mobileconfig.j2 (#1197)
Adds "Algo VPN" to the organization in the "Profiles" menu of "General Settings". (The type still shows up as "Unknown" in the "VPN" menu, because that seems to be governed by the "VPNSubType" string, which must be empty according to the [developer reference](https://developer.apple.com/enterprise/documentation/Configuration-Profile-Reference.pdf).) Maybe this can help clear the way for #1101.
6 years ago
zuccs 2b2d90a8a9 Fix typo (#1165) 6 years ago
datew0 30446d0363 Set disk size depending on server plan (#1159)
Scaleway's START1-XS does not start with a disk size of 50GB.
6 years ago
Jack Ivanov 399d47233a add region (#1182) 6 years ago
Jack Ivanov 3468d27e61 Lightsail back (#1157) 6 years ago
Jack Ivanov fbc7b29456 WireGuard update-users fix (#1154) 6 years ago
Jack Ivanov efc8dc7620 add tags for the wireguard qr code task. variables fix (#1147) 6 years ago
Jack Ivanov bcba905547 ssh tunneling fixes (#1127) 6 years ago
David Myers d90ba3d11a Allow more flexible DNSCrypt configuration (#1120)
* Allow more flexible DNSCrypt configuration

* Correct permissions on files changed in #1120

I'm not sure why using BBEdit over SMB makes every file executable.

* Put the public resolvers cache file in /tmp.
6 years ago
Jack Ivanov 1442586682 WireGuard: Generate QR codes (#1129)
* WireGuard: Generate QR codes

* Update client-android.md
6 years ago
Jack Ivanov dbd68aa97d WireGuard BSD (#1083)
* WireGuard BSD

* Remove unneeded config option

* Enable PersistentKeepalive for NAT and Firewall Traversal Persistence

* Install dnscrypt-proxy from repositories
6 years ago
Jack Ivanov 6c0753e3b8 GCE: Static external ip (optional) (#1125) 6 years ago
Jack Ivanov eb2224cde1 install generic linux headers (#1124) 6 years ago
James 14234344eb Use gateway ip address for wireguard interface (#1115) 6 years ago
Jack Ivanov 4a42fbea35 Move to the ARM deployment schema (#1107) 6 years ago
David Myers d95df710a5 Add an unattended reboot option (#1082) 6 years ago
Jack Ivanov 91a9dfd983 invoke dns encryption from main playbook instead of meta-dependencies (#1097) 6 years ago
Jack Ivanov e860b78d80 Scaleway authentication fix (#1088) 6 years ago
Jack Ivanov e8947f318b Large refactor to support Ansible 2.5 (#976)
* Refactoring, booleans declaration and update users fix

* Make server_name more FQDN compatible

* Rename variables

* Define the default value for store_cakey

* Skip a prompt about the SSH user if deploying to localhost

* Disable reboot for non-cloud deployments

* Enable EC2 volume encryption by default

* Add default server value (localhost) for the local installation

Delete empty files

* Add default region to aws_region_facts

* Update docs

* EC2 credentials fix

* Warnings fix

* Update deploy-from-ansible.md

* Fix a typo

* Remove lightsail from the docs

* Disable EC2 encryption by default

* rename droplet to server

* Disable dependencies

* Disable tls_cipher_suite

* Convert wifi-exclude to a string. Update-users fix

* SSH access congrats fix

* 16.04 > 18.04

* Don't ask for the credentials if specified in the environment vars

* GCE server name fix
6 years ago
Jack Ivanov 53d1113881 Split up unattended upgrades (#1041) 6 years ago
David Myers b86ebe20d7 Prevent DNS rebinding (#1049) 6 years ago
Fabian Foerg 3ddd0ac30f Run dnsmasq as the dnsmasq user (#1029)
* Run dnsmasq as the dnsmasq user

There is a task that checks whether the dnsmasq user exists.
However, dnsmasq is configured to run as user "nobody" instead.
This change lets dnsmasq run as user "dnsmasq".

* remove dnsmasq user task
6 years ago
bghost 60a99faaf8 Update PPA for dnscrypt-proxy to 'bionic' (#1039) 6 years ago
Jack Ivanov ca59eeb5c3 Explicitly allow traffic between clients if enabled (#1028) 6 years ago
Jack Ivanov 952e759af4 Revert "Update dnscrypt-proxy.toml.j2 (#1022)" (#1030)
This reverts commit e6281bc7df.
6 years ago
adamluk e6281bc7df Update dnscrypt-proxy.toml.j2 (#1022) 6 years ago
Jack Ivanov 07a6bbe652 Move max_mss to config.cfg (#1015)
* Move max_mss to config.cfg

* Add docs about max_mss

* Update troubleshooting.md
6 years ago
Jack Ivanov d1c58f0d28 apt_repository fix (#1017) 6 years ago
Jack Ivanov 4ca8c03e3c New default cipher suite (#991)
* New ciphers enabled

* Update CHANGELOG.md

* Switch ecparam to secp384r1

* Change CertificateType to ECDSA384
6 years ago
Jack Ivanov b061df6631 Move DNSCrypt proxy fallback_resolver to systemd resolved (#1011) 6 years ago
Emir Beganović 2f142f6dcc Remove duplicate dict key (enable_ipv6) (#999)
Warning in yaml file:
` [WARNING]: While constructing a mapping from /root/algo/roles/cloud-scaleway/tasks/main.yml, line 73, column 11, found a duplicate dict key (enable_ipv6). Using last defined value only.`
6 years ago
Jack Ivanov ffb5a1f737 WireGuard: disable SaveConfig, update-users fix (#985)
- Disables SaveConfig. SaveConfig totally breaks the idea of configuration management and it breaks update-users
- WireGuard update-users fix. Mentioned in https://github.com/trailofbits/algo/issues/980#issuecomment-393720561
6 years ago
Jack Ivanov aee043977f explicit installation of linux headers (#975) 6 years ago
Jack Ivanov 2d9a36d13a Scaleway: enable ipv6 and switch to local boot (#974)
- Enables IPv6 on Scaleway
- Adds local boot on scaleway
- Fixes #966
6 years ago
Jack Ivanov d56f50180b Extra line and better DNS configuration for WireGuard (#968)
- Adds an extra line after the if statement. Jinja2 trims such blocks by default in Ansible. Fixes #965
- More appropriate way to configure DNS servers
- Removes `DNS` option from the wireguard server config
- Fixes dnscrypt-proxy restart
6 years ago
Jack Ivanov 3488e660ad Add WireGuard support for Android (#910)
* WireGuard Implementation

* Update client-android.md

* Update README.md

* WireGuard unattended upgrades

* Update README.md

* reload-module-on-update and syntax fix

* SaveConfig to true

* Azure firewall. Fixes #962

* Update README.md

* Update client-android.md
6 years ago
Jack Ivanov d27b849f24 Ubuntu1804 (#925)
- Fixes #897 #944 #956

Work in progress. Lightsail is not ready for Ubuntu 18.04 yet

- [x] DigitalOcean
- [ ] ~~Amazon Lightsail~~
- [x] Amazon EC2
- [x] Microsoft Azure
- [x] Google Compute Engine
- [x] Scaleway
- [x] OpenStack (DreamCompute optimised)
6 years ago
Evgeny Aleksandrov d9dc68164f Remove algo_params (#961) 6 years ago
Evgeny Aleksandrov 87836e0358 Fix typo (#960) 6 years ago
Jack Ivanov 35e526a5a3 IPv6 fixes (#930) 6 years ago
Brian Hulette e01e82b1c3 Don't download minisig dnscrypt release (#905) 7 years ago
adamluk 3d9fa7f8c8 Update dnscrypt-proxy.toml.j2 (#899)
Updated dnscrypt-proxy.toml with new options: cache_neg_min_ttl and cache_neg_max_ttl
7 years ago
Dan Guido c276f971b7 monkey patch problematic dnscrypt-proxy cgroup limits (#894) 7 years ago
Jack Ivanov c82bd8c5ff DNS-over-HTTPS (#875) 7 years ago
Jack Ivanov ed6e2d998d Add ipv6 address to subjectAltName if supported (#881)
CHANGELOG

Some changes

Some changes
7 years ago
Micah R Ledbetter e944ee993a Embed certs into Windows deployment scripts (#840)
- Obviate need to copy separate script and certificate files
- Allow execution from any directory, not just the script's parent
  directory (no assumption of any particular working directory)
- Fix docs that neglected to mention copying cacert.pem
- Fix docs that incorrectly referred to the user cert store

As part of this work, rewrite the windows_client.ps1.j2 deployment
script template

- Add comment-based help
- Require admin privileges
- Use a Param() block
- Use parameter sets with -Add and -Remove switches
- Add the -GetInstalledCerts switch, to list any Algo certificates
  installed in the machine's cert store
- Add the -SaveCerts switch, to save the embedded certificates to files
- Put Jinja2 variables inside Powershell variables
- Use native Powershell cmdlets rather than shell out to certutil.exe
- Add a playbook to regenerate the windows_USER.ps1 scripts
7 years ago
Micah R Ledbetter 4b0aea8f5a Document iptables rules (#854)
* Remove firewall rule related to the old proxy role

* Remove proxy conditionals from mobileconfig template

* Add comments explaining firewall rules
7 years ago