Commit Graph

975 Commits (fe7755e6a09bc3fb216e07d2623bd56ddc79d4e5)
 

Author SHA1 Message Date
TC1977 638a355196 Update config.cfg (#1436)
* Update config.cfg

Reflects fixes in #1434 and #1435.

* Update config.cfg
5 years ago
Jack Ivanov de88211fb9
Update config.cfg
Closes #1435
5 years ago
Jack Ivanov 3ce92f9fee
Update deploy-from-ansible.md
Closes #1434
5 years ago
Jack Ivanov 515494e90e
Update config.cfg 5 years ago
TC1977 bcf2008b8d Update deploy-from-script-or-cloud-init-to-localhost.md (#1433)
I was going to add this onto the existing PR for docs update, but it turned out to be a little more involved and require some testing of actual deployment.
5 years ago
Rémy Léone 826a2c5036 Add documentation about Scaleway credentials (#1419) 5 years ago
Jack Ivanov 6b33d09d9f
Scaleway modules (#1410)
* Scaleway modules

* Update docs
5 years ago
Jack Ivanov d6a1fb91bd
WIP: Facts definition fix (#1415)
Facts definition fix
5 years ago
TC1977 b526f73881 Update troubleshooting.md - regions not available (#1414)
Changes the "region not available" question to reflect Algo behavior since #976. Also addresses #1413.

Adds a couple of quote marks to the Ubuntu error question, which disappeared for some reason.
5 years ago
TC1977 faa4b9a8da Automatically create cloud firewall rules for installs onto Vultr (#1400)
* Update main.yml

* Change module names and add IPv6 firewall rules

Uses guide at https://www.renemoser.net/blog/2018/03/19/vultr-firewalling-with-ansible/ written by Rene Moser.

* change vultr to vr

* add ip_version to firewall rules

* add SSH access rules

* Use variable for wireguard port

* update module names for ansible 2.7

* Fix trailing whitespaces

* Try to fix trailing whitespaces again
6 years ago
Jack Ivanov 25513cf925 Refactoring, Linting and additional tests (#1397)
* Refactoring, Linting and additional tests

* Vultr: Undefined variable and deprecation notes fix

* Travis-CI enable linters

* Azure: Update python requirements

* Update main.yml

* Update install.sh

* Add missing roles to ansible-lint

* Linting for skipped roles

* add .ansible-lint config
6 years ago
David Myers feb0091448 Update Linux WireGuard client instructions (#1407) 6 years ago
TC1977 b7a448350a Update cloud-vultr.md (#1406)
* Update cloud-vultr.md

More fleshed-out instructions for generating an API key and saving the file. Also notes the default ansible behavior of looking for the file in `~/.vultr.ini`.

* Update README.md
6 years ago
Jack Ivanov 1e35753aa2
Update openssl.yml (#1403) 6 years ago
Jack Ivanov a60d49f5fc
Update deploy-from-script-or-cloud-init-to-localhost.md 6 years ago
TC1977 505538bcbb Update README.md (#1380)
Add mention of Wireguard SSID exclusion ability.
6 years ago
TC1977 a1117ecf0a Update Adblock lists (#1394)
Uses the Unified hosts file from @StevenBlack available [here](https://github.com/StevenBlack/hosts). This encompasses the Ad Away, MVPS, and Malware Domain lists, deleting duplicates for us, and also adds a bunch more.
6 years ago
wtgtybhertgeghgtwtg 8f10647ec1 fix: get public IP from default interface (#1396) 6 years ago
Jack Ivanov 1c7e1dc331
Move `Delete the CA key` task to the appropriate role (#1393) 6 years ago
Jack Ivanov 4ea1dcdf5a
Update deploy-from-script-or-cloud-init-to-localhost.md 6 years ago
David Myers 4cb8c6dc22 Consolidate firewall documentation (#1386) 6 years ago
TC1977 d969b8e1b6 Fix 963 again (#1379)
* Create charon.conf.j2

Create charon.conf template with mods

* Update mobileconfig.j2

Increase client side lifetimes

* Update ipsec.conf.j2

Add server-side lifetimes

* Add charon.conf
6 years ago
Jack Ivanov c4ea88000b Refactoring to support roles inclusion (#1365) 6 years ago
TC1977 8af0efa623 Update DNS filtering advice in FAQ (#1389)
* Update DNS filtering advice in FAQ

Updates how to temporarily disable adblocking on IPsec and Wireguard clients separately, and also updates the IPsec command to avoid `ipsec restart` which [isn't appreciated by systemd](https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1287339).

* Update faq.md

Fix typo
6 years ago
David Myers d50a2039a6 Use VULTR_API_CONFIG variable if set (#1374) 6 years ago
Jack Ivanov cf4d5b47a9
IPv6 range to AllowedIPs only when ipv6_support (#1388) 6 years ago
Jack Ivanov 84bbc0e22c
Update ubuntu.yml (#1383) 6 years ago
Jack Ivanov d3d22fec47
Script to support cloud-init and local easy deploy (#1366)
* add the install script to support cloud-init and local one-shot deployments

* update travis-ci tests

* update docs

* enable no_log again

* update docs
6 years ago
adamluk d996b1d02f Update 10-algo-lo100.network.j2 (#1369) 6 years ago
Fabian Foerg 13c4628b5d Simplify Apple Profile Configuration Template (#1033)
* Simplify Apple Profile Configuration Template

* enable lstrip_blocks

* remove ldashes
6 years ago
Jack Ivanov 58ce62e2bd
Update CHANGELOG.md 6 years ago
Dan Guido db34d55b78
AGPLv3 change (#1351) 6 years ago
Jack Ivanov 30beadb949
Modify naming in the cloud resources and client config files (#1353)
* Modify naming in the cloud resources and client config files

* Azure template: Eliminate unneeded variables
6 years ago
Jack Ivanov 4ae5972f94
Start dnscrypt-proxy after systemd-resolved (#1357) 6 years ago
Ryan Kasper 3428c5197e Fix typo in doctl command (#1350) 6 years ago
Les Aker 9b89801b8a skip generation of SSH keypair when deploying locally (#1348) 6 years ago
Jack Ivanov 273c7665d3 Refactoring (#1334)
## Description
Renames the vpn role to strongswan, and splits up the variables to support 2 separate VPNs. Closes #1330 and closes #1162
Configures Ansible to use python3 on the server side. Closes #1024
Removes unneeded playbooks, reorganises a lot of variables
Reorganises the `config` folder. Closes #1330
<details><summary>Here is what the config directory looks like now</summary>
<p>

```
configs/X.X.X.X/
|-- ipsec
|   |-- apple
|   |   |-- desktop.mobileconfig
|   |   |-- laptop.mobileconfig
|   |   `-- phone.mobileconfig
|   |-- manual
|   |   |-- cacert.pem
|   |   |-- desktop.p12
|   |   |-- desktop.ssh.pem
|   |   |-- ipsec_desktop.conf
|   |   |-- ipsec_desktop.secrets
|   |   |-- ipsec_laptop.conf
|   |   |-- ipsec_laptop.secrets
|   |   |-- ipsec_phone.conf
|   |   |-- ipsec_phone.secrets
|   |   |-- laptop.p12
|   |   |-- laptop.ssh.pem
|   |   |-- phone.p12
|   |   `-- phone.ssh.pem
|   `-- windows
|       |-- desktop.ps1
|       |-- laptop.ps1
|       `-- phone.ps1
|-- ssh-tunnel
|   |-- desktop.pem
|   |-- desktop.pub
|   |-- laptop.pem
|   |-- laptop.pub
|   |-- phone.pem
|   |-- phone.pub
|   `-- ssh_config
`-- wireguard
    |-- desktop.conf
    |-- desktop.png
    |-- laptop.conf
    |-- laptop.png
    |-- phone.conf
    `-- phone.png
```

![finder](https://i.imgur.com/FtOmKO0.png)

</p>
</details>

## Motivation and Context
This refactoring is aimed at the 1.0 release

## How Has This Been Tested?
Deployed to several cloud providers with various options enabled and disabled

## Types of changes
- [x] Refactoring

## Checklist:
- [x] I have read the **CONTRIBUTING** document.
- [x] My code follows the code style of this project.
- [x] My change requires a change to the documentation.
- [x] I have updated the documentation accordingly.
- [x] All new and existing tests passed.
6 years ago
Jack Ivanov 7e7476ec6b
Update cloud-pre.yml 6 years ago
Tim H b4740185e8 Add catch-all VPN On Demand Rule (#739)
If a user is not connected to a trusted Wi-Fi network or if the
URLStringProbe fails, none of the existing dictionaries match.

According to the Apple Configuration Profile Reference[1] section "VPN
Payload > On Demand Rules Dictionary Keys" a default behavior for
unknown networks with no matching criteria should always be set as the
last dictionary in the array. The current default behavior is to allow a
connection to occur, but this behavior is not guaranteed.

Tear down the VPN connection and do not reconnect on demand as long as
the catch-all dictionary matches to guarantee the default behavior and
more specifically allow users to access captive portals.

[1]: https://developer.apple.com/library/content/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html
6 years ago
Demian 5e5424df69 fix OS is undefined error (#1335) 6 years ago
Jack Ivanov ec56203b87
Support for custom domain names in the endpoint (#1337) 6 years ago
Jack Ivanov 216cd09dcf
Disable wireguard PersistentKeepalive by default (#1338) 6 years ago
Jack Ivanov bfe168d31c
Closes #1059 6 years ago
David Myers 5cb1fdd339 Clarify prompts (#1331) 6 years ago
David Myers df3d547fb3 Document using WireGuard app on macOS (#1327)
* Document using WireGuard app on macOS

* Update README.md

* Make WireGuard the default for Apple devices

* clarify user list

* fix tests

* connect on demand
6 years ago
David Myers 1be0908c51 Add note about new WireGuard for iOS default MTU (#1293) 6 years ago
Jack Ivanov 40b42c4f33
Get started with Azure more easily (#1323) 6 years ago
Jack Ivanov 9f66e47607
Closes #1321 6 years ago
Jack Ivanov 4a6888add6
WiFi exclude list fix (#1318) 6 years ago
Jack Ivanov 43ed5b2aaa
add flags=(attach_disconnected) to dnscrypt-proxy apparmor profile (#1312) 6 years ago