Commit Graph

105 Commits

Author SHA1 Message Date
Jack Ivanov
a2fdc509e1
Support for Ubuntu 19.04 (#1405)
* Ubuntu 19.04

* Azure to 19.04
2019-05-30 20:57:47 +02:00
Jack Ivanov
634c609626
Don't set CA facts if IPsec is disabled (#1446)
* Don't set CA facts if ipsec is disabled

* localhost update-users fix
2019-05-30 07:20:45 +02:00
Jack Ivanov
a87b4c8a87
Update config.cfg 2019-05-20 14:45:03 +02:00
Elliot Murphy
e3a6170ae6 AWS support for existing EIP (revised) (#1292)
* Support for associating to existing AWS Elastic IP

Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>

* Backport ec2_eip_facts module for EIP support

This means that EIP support no longer requires Ansible 2.6
The local fact module has been named ec2_elasticip_facts
to avoid conflict with the ec2_eip_facts module whenever
the Ansible 2.6 upgrade takes place.

Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>

* Update from review feedback.

Signed-off-by: Elliot Murphy <statik@users.noreply.github.com>

* Move to the native module. Add additional condition for existing Elastic IP
2019-05-20 14:40:51 +02:00
shapiro125
72c8e9e244 Add IPv6 support to DNS (#1425)
* Add ipv6

* Add ipv6

* add ipv6

* add ipv6

* Switching out ipv6 address with local_service_ipv6 variable from #1429

* Fixing variable error
2019-05-20 13:17:39 +02:00
Jack Ivanov
5904546a48
Randomly generated IP address for the local dns resolver (#1429)
* generate service IPs dynamically

* update cloud-init tests

* exclude ipsec and wireguard ranges from the random service ip

* Update docs

* @davidemyers: update wireguard docs for linux

* Move to netaddr filter

* AllowedIPs fix

* WireGuard IPs fix
2019-05-17 14:49:29 +02:00
TC1977
638a355196 Update config.cfg (#1436)
* Update config.cfg

Reflects fixes in #1434 and #1435.

* Update config.cfg
2019-05-16 14:04:57 +02:00
Jack Ivanov
de88211fb9
Update config.cfg
Closes #1435
2019-05-16 13:28:59 +02:00
Jack Ivanov
515494e90e
Update config.cfg 2019-05-15 19:33:07 +02:00
TC1977
a1117ecf0a Update Adblock lists (#1394)
Uses the Unified hosts file from @StevenBlack available [here](https://github.com/StevenBlack/hosts). This encompasses the Ad Away, MVPS, and Malware Domain lists, deleting duplicates for us, and also adds a bunch more.
2019-04-17 13:53:41 +02:00
Jack Ivanov
c4ea88000b Refactoring to support roles inclusion (#1365) 2019-04-08 16:20:34 -04:00
Jack Ivanov
273c7665d3 Refactoring (#1334)
<!--- Provide a general summary of your changes in the Title above -->

## Description
Renames the vpn role to strongswan, and split up the variables to support 2 separate VPNs. Closes #1330 and closes #1162
Configures Ansible to use python3 on the server side. Closes #1024 
Removes unneeded playbooks, reorganises a lot of variables
Reorganises the `config` folder. Closes #1330
<details><summary>Here is how the config directory looks like now</summary>
<p>

```
configs/X.X.X.X/
|-- ipsec
|   |-- apple
|   |   |-- desktop.mobileconfig
|   |   |-- laptop.mobileconfig
|   |   `-- phone.mobileconfig
|   |-- manual
|   |   |-- cacert.pem
|   |   |-- desktop.p12
|   |   |-- desktop.ssh.pem
|   |   |-- ipsec_desktop.conf
|   |   |-- ipsec_desktop.secrets
|   |   |-- ipsec_laptop.conf
|   |   |-- ipsec_laptop.secrets
|   |   |-- ipsec_phone.conf
|   |   |-- ipsec_phone.secrets
|   |   |-- laptop.p12
|   |   |-- laptop.ssh.pem
|   |   |-- phone.p12
|   |   `-- phone.ssh.pem
|   `-- windows
|       |-- desktop.ps1
|       |-- laptop.ps1
|       `-- phone.ps1
|-- ssh-tunnel
|   |-- desktop.pem
|   |-- desktop.pub
|   |-- laptop.pem
|   |-- laptop.pub
|   |-- phone.pem
|   |-- phone.pub
|   `-- ssh_config
`-- wireguard
    |-- desktop.conf
    |-- desktop.png
    |-- laptop.conf
    |-- laptop.png
    |-- phone.conf
    `-- phone.png
```

![finder](https://i.imgur.com/FtOmKO0.png)

</p>
</details>

## Motivation and Context
This refactoring is focused to aim to the 1.0 release

## How Has This Been Tested?
Deployed to several cloud providers with various options enabled and disabled

## Types of changes
<!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
- [x] Refactoring

## Checklist:
<!--- Go over all the following points, and put an `x` in all the boxes that apply. -->
<!--- If you're unsure about any of these, don't hesitate to ask. We're here to help! -->
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] All new and existing tests passed.
2019-03-10 13:16:34 -04:00
Jack Ivanov
216cd09dcf
Disable wireguard PersistentKeepalive by default (#1338) 2019-02-25 17:56:19 +01:00
David Myers
df3d547fb3 Document using WireGuard app on macOS (#1327)
* Document using WireGuard app on macOS

* Update README.md

* Make WireGuard the default for Apple devices

* clarify user list

* fix tests

* connect on demand
2019-02-17 18:38:19 -05:00
David Myers
5981bb9cad Replace 'max_mss' with 'reduce_mtu' (#1253) 2018-12-20 09:21:04 -05:00
David Myers
f3519425c4 Note that WireGuard configs cannot be shared (#1238) 2018-12-07 14:41:39 -05:00
TC1977
4eeaadcfb3 Add info about modifying blacklists (#1236)
# Algo will use the following lists to block ads. You can add new block lists 
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
# /usr/local/sbin/adblock.sh 
# If you load very large blocklists, you may also have to modify resource limits:
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
2018-12-07 14:41:19 -05:00
Jack Ivanov
a66d8f0069 on-build python venvs (#1199) 2018-11-22 13:04:58 -05:00
Jack Ivanov
3468d27e61 Lightsail back (#1157) 2018-10-22 16:49:18 -04:00
David Myers
d90ba3d11a Allow more flexible DNSCrypt configuration (#1120)
* Allow more flexible DNSCrypt configuration

* Correct permissions on files changed in #1120

I'm not sure why using BBEdit over SMB makes every file executable.

* Put the public resolvers cache file in /tmp.
2018-10-04 18:12:48 -04:00
Jack Ivanov
6c0753e3b8 GCE: Static external ip (optional) (#1125) 2018-09-27 04:18:00 -04:00
Jack Ivanov
4a42fbea35 Move to the ARM deployment schema (#1107) 2018-09-16 20:19:29 -04:00
TC1977
76a8fe35db Document AWS disk encryption flag in config.cfg (#1102)
This is to better document the "encryption" flag for those who are interested in full disk encryption on AWS. Recently on running the script, I also found the minimum permissions documented at https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md weren't enough; "ec2:CopyImage" is also required. Not sure if you'd rather have this documented in the AWS docs instead, and not sure if you want "ec2:CopyImage" added to the default minimum required permissions. I can do either if you'd prefer.
2018-09-07 13:04:20 +03:00
TC1977
4c70b71df5 Fix spacing in congrats message (#1104)
The spacing of several lines in the congrats message has been off. Here's the congrats output with this fix:
```
ok: [54.85.244.8] => {
    "msg": [
        [
            "\"#                          Congratulations!                            #\"", 
            "\"#                     Your Algo server is running.                     #\"", 
            "\"#    Config files and certificates are in the ./configs/ directory.    #\"", 
            "\"#              Go to https://whoer.net/ after connecting               #\"", 
            "\"#        and ensure that all your traffic passes through the VPN.      #\"", 
            "\"#                     Local DNS resolver 172.16.0.1                    #\"", 
            ""
        ], 
        "    \"#        The p12 and SSH keys password for new users is CR2qzRcA       #\"\n", 
        "    \"#        The CA key password is ed0fd57e7d355af08d12ccdbfd3f5931       #\"\n", 
        "    \"#     Shell access: ssh -i configs/algo.pem ubuntu@54.85.244.8        #\"\n"
    ]
}
```
2018-09-06 21:04:23 +03:00
David Myers
d95df710a5 Add an unattended reboot option (#1082) 2018-09-02 15:26:06 -04:00
Jack Ivanov
e8947f318b Large refactor to support Ansible 2.5 (#976)
* Refactoring, booleans declaration and update users fix

* Make server_name more FQDN compatible

* Rename variables

* Define the default value for store_cakey

* Skip a prompt about the SSH user if deploying to localhost

* Disable reboot for non-cloud deployments

* Enable EC2 volume encryption by default

* Add default server value (localhost) for the local installation

Delete empty files

* Add default region to aws_region_facts

* Update docs

* EC2 credentials fix

* Warnings fix

* Update deploy-from-ansible.md

* Fix a typo

* Remove lightsail from the docs

* Disable EC2 encryption by default

* rename droplet to server

* Disable dependencies

* Disable tls_cipher_suite

* Convert wifi-exclude to a string. Update-users fix

* SSH access congrats fix

* 16.04 > 18.04

* Dont ask for the credentials if specified in the environment vars

* GCE server name fix
2018-08-27 10:05:45 -04:00
Jack Ivanov
07a6bbe652
Move max_mss to config.cfg (#1015)
* Move max_mss to config.cfg

* Add docs about max_mss

* Update troubleshooting.md
2018-07-03 09:06:45 +03:00
Jack Ivanov
3488e660ad Add WireGuard support for Android (#910)
* WireGuard Implementation

* Update client-android.md

* Update README.md

* WireGuard unattended upgrades

* Update README.md

* reload-module-on-update and syntax fix

* SaveConfig to true

* Azure firewall. Fixes #962

* Update README.md

* Update client-android.md
2018-05-24 08:15:27 -07:00
Jack Ivanov
d27b849f24 Ubuntu1804 (#925)
- Fixes #897 #944 #956

Work in progress. Lightsail is not ready for Ubuntu 18.04 yet

- [x] DigitalOcean
~~- [ ] Amazon Lightsail~~
- [x] Amazon EC2
- [x] Microsoft Azure
- [x] Google Compute Engine
- [x] Scaleway
- [x] OpenStack (DreamCompute optimised)
2018-05-24 07:08:14 -07:00
TC1977
e905220f61 Update config.cfg (#936)
Fix typos - this puzzled me when I was attempting to install algo with dnscrypt last week.
2018-05-09 13:14:31 -07:00
Jack Ivanov
c82bd8c5ff DNS-over-HTTPS (#875) 2018-04-25 12:27:58 -07:00
Jack Ivanov
02427910de Ansible 2.4, Lightsail, Scaleway, DreamCompute (OpenStack) integration (#804)
* Move to ansible-2.4.3

* Add Lightsail support #623

* Fixing the EC2 deployment

* Scaleway integration #623

* OpenStack cloud provider (DreamCompute optimised) #623

* Remove the security role

* Enable unattended-upgrades for clouds

* New requirements to make Azure and GCE work
2018-03-02 07:55:54 -05:00
Jack Ivanov
4da752b603 Ubuntu 17.10 support (#811) 2018-02-24 14:17:34 +01:00
Dan Ackerson
d8f0393dd8 minimum DigitalOcean $5 type now 's-1vcpu-1gb' (#785)
https://www.digitalocean.com/pricing/
2018-01-27 12:02:00 -08:00
Dan Guido
6572c2fb34 Closes #699 2017-10-20 22:16:28 -04:00
Julie Bernosky
dc4dff040e Add StrongSwan log level config option to ipsec.conf template (#700) 2017-10-19 16:06:43 +02:00
Jack Ivanov
26c202ded5 Generate p12 each deployment. Generate ps1 scripts if windows supported. Define become for all the section. (#580) 2017-06-04 12:18:55 -04:00
Jack Ivanov
4165eca407 Azure supports 17.04 #449 2017-05-22 17:16:00 +02:00
Rod Vagg
75d64ac018 Make DNS blocklist URLs configurable (#548) 2017-05-15 12:39:34 +02:00
Jack Ivanov
bd348af9c2 Implementing blocks and additional fail hints #487 (#497)
change the troubleshooting url
2017-04-29 10:48:25 -04:00
Jack Ivanov
2782df8cfd Move back to 16.04. Forgot to change after testing 2017-04-22 23:09:37 +02:00
Jack Ivanov
c3fcfe5d0d Let users choose the distro version #449 (#466)
Make dpdaction great again

add 1704 to travis

Make EC2 image name more convenient

modify apparmor profile
2017-04-22 17:06:10 -04:00
Jack Ivanov
a7b06058cb remove the proxy role #440 (#457)
* remove the proxy role #440

* Separate facts. Make roles more independent from each other

move openssl to local tasks

move unneeded tasks
2017-04-20 18:00:17 -04:00
Jack Ivanov
16329fe088 Instance size (#404)
* Escaping Special Characters #388

* Make instance sizes more flexible to edit #355
2017-04-16 10:19:47 -04:00
Dan Guido
1af2010f44 Update config.cfg 2017-04-05 14:31:31 -04:00
Jack Ivanov
3df33c0eba Add a comment about escaping usernames 2017-04-05 17:08:52 +02:00
brad2014
09e5d87c7b Minor name and documentation edits (#327) 2017-04-01 00:19:10 -04:00
Jack Ivanov
f7da2e3888 EC2 dynamic enventory. Fixes #73 2017-03-05 23:19:15 +03:00
Jack Ivanov
5cbf125202 Some refactoring. Disable unneeded variables. 2017-03-05 21:33:01 +03:00
Jack Ivanov
6cc3598cc6 rewrite congrats 2017-02-14 20:26:04 +03:00