---

# This is the list of user to generate.
# Every device must have a unique username.
# You can generate up to 250 users at one time.
users:
  - phone
  - laptop
  - desktop

# NOTE: You must "escape" any usernames with leading 0's, like "000dan"

### Advanced users only below this line ###

# If True re-init all existing certificates. Boolean
keys_clean_all: False

# Clean up cloud python environments
clean_environment: false

# Deploy StrongSwan to enable IPsec support
ipsec_enabled: true

# StrongSwan log level
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2

# Deploy WireGuard
wireguard_enabled: true
wireguard_port: 51820
# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
# This option will keep the "connection" open in the eyes of NAT.
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
wireguard_PersistentKeepalive: 0

# Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
# VPN tunnel some network connections will hang. Algo will attempt to set this
# automatically based on your server, but if connections hang you might need to
# adjust this yourself.
# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
reduce_mtu: 0

# Algo will use the following lists to block ads. You can add new block lists
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
# /usr/local/sbin/adblock.sh
# If you load very large blocklists, you may also have to modify resource limits:
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
adblock_lists:
 - "http://winhelp2002.mvps.org/hosts.txt"
 - "https://adaway.org/hosts.txt"
 - "https://www.malwaredomainlist.com/hostslist/hosts.txt"
 - "https://hosts-file.net/ad_servers.txt"

# Enable DNS encryption.
# If 'false', 'dns_servers' should be specified below.
dns_encryption: true

# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
# providers may be specified, but avoid mixing providers that filter results
# (like Cisco) with those that don't (like Cloudflare) or you could get
# inconsistent results. The list of available public providers can be found
# here:
# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
dnscrypt_servers:
  ipv4:
    - cloudflare
#   - google
  ipv6:
    - cloudflare-ipv6

# DNS servers which will be used if 'dns_encryption' is 'false'.
# The default is to use Cloudflare.
dns_servers:
  ipv4:
    - 1.1.1.1
    - 1.0.0.1
  ipv6:
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001

# IP address for the local dns resolver
local_service_ip: 172.16.0.1

# Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself
# automatically unless you change 'enabled' below from 'false' to 'true', in
# which case a reboot will take place if necessary at the time specified (as
# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
unattended_reboot:
  enabled: false
  time: 06:00

# Block traffic between connected clients
BetweenClients_DROP: true

congrats:
  common: |
    "#                          Congratulations!                            #"
    "#                     Your Algo server is running.                     #"
    "#    Config files and certificates are in the ./configs/ directory.    #"
    "#              Go to https://whoer.net/ after connecting               #"
    "#        and ensure that all your traffic passes through the VPN.      #"
    "#                     Local DNS resolver {{ local_service_ip }}                    #"
  p12_pass: |
    "#        The p12 and SSH keys password for new users is {{ p12_export_password }}       #"
  ca_key_pass: |
    "#        The CA key password is {{ CA_password }}       #"
  ssh_access: |
    "#      Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }}        #"

SSH_keys:
  comment: algo@ssh
  private: configs/algo.pem
  public: configs/algo.pem.pub

cloud_providers:
  azure:
    size: Basic_A0
    image: 18.04-LTS
  digitalocean:
    size: s-1vcpu-1gb
    image: "ubuntu-18-04-x64"
  # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
  # Warning: the Algo script will take approximately 6 minutes longer to complete.
  # Also note that the documented AWS minimum permissions aren't sufficient.
  # You will have to edit the AWS user policy documented at
  # https://github.com/trailofbits/algo/blob/master/docs/cloud-amazon-ec2.md to also allow "ec2:CopyImage".
  # See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
  ec2:
    encrypted: false
    size: t2.micro
    image:
      name: "ubuntu-bionic-18.04"
      owner: "099720109477"
  gce:
    size: f1-micro
    image: ubuntu-1804
    external_static_ip: false
  lightsail:
    size: nano_1_0
    image: ubuntu_18_04
  scaleway:
    size: START1-S
    image: Ubuntu Bionic Beaver
    arch: x86_64
  openstack:
    flavor_ram: ">=512"
    image:  Ubuntu-18.04
  vultr:
    os: Ubuntu 18.04 x64
    size: 1024 MB RAM,25 GB SSD,1.00 TB BW
  local:

fail_hint:
  - Sorry, but something went wrong!
  - Please check the troubleshooting guide.
  - https://trailofbits.github.io/algo/troubleshooting.html

booleans_map:
  Y: true
  y: true