algo/config.cfg
TC1977 76a8fe35db Document AWS disk encryption flag in config.cfg (#1102)
This is to better document the "encryption" flag for those who are interested in full disk encryption on AWS. Recently on running the script, I also found the minimum permissions documented at https://github.com/trailofbits/algo/blob/master/docs/deploy-from-ansible.md weren't enough; "ec2:CopyImage" is also required. Not sure if you'd rather have this documented in the AWS docs instead, and not sure if you want "ec2:CopyImage" added to the default minimum required permissions. I can do either if you'd prefer.
2018-09-07 13:04:20 +03:00

144 lines
4.7 KiB
INI

---
# Add as many users as you want for your VPN server here.
# Credentials will be generated for each one.
users:
- dan
- jack
# NOTE: If your usernames have leading 0's, like "000dan", you have to escape them
### Advanced users only below this line ###
# If True re-init all existing certificates. Boolean
keys_clean_all: False
vpn_network: 10.19.48.0/24
vpn_network_ipv6: 'fd9d:bc11:4020::/48'
wireguard_enabled: true
wireguard_port: 51820
# MSS is the TCP Max Segment Size
# Setting the 'max_mss' Ansible variable can solve some issues related to packet fragmentation
# This appears to be necessary on (at least) Google Cloud,
# however, some routers also require a change to this parameter
# See also:
# - https://github.com/trailofbits/algo/issues/216
# - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu
# - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
#max_mss: 1316
# StrongSwan log level
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2
adblock_lists:
- "http://winhelp2002.mvps.org/hosts.txt"
- "https://adaway.org/hosts.txt"
- "https://www.malwaredomainlist.com/hostslist/hosts.txt"
- "https://hosts-file.net/ad_servers.txt"
# Enable DNS encryption. Use dns_encryption_provider to specify the provider. If false dns_servers should be specified
dns_encryption: true
# Possible values: google, cloudflare
dns_encryption_provider: cloudflare
# DNS servers which will be used if dns_encryption disabled
dns_servers:
ipv4:
- 1.1.1.1
- 1.0.0.1
ipv6:
- 2606:4700:4700::1111
- 2606:4700:4700::1001
# IP address for the local dns resolver
local_service_ip: 172.16.0.1
# Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself
# automatically unless you change 'enabled' below from 'false' to 'true', in
# which case a reboot will take place if necessary at the time specified (as
# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
unattended_reboot:
enabled: false
time: 06:00
pkcs12_PayloadCertificateUUID: "{{ 900000 | random | to_uuid | upper }}"
VPN_PayloadIdentifier: "{{ 800000 | random | to_uuid | upper }}"
CA_PayloadIdentifier: "{{ 700000 | random | to_uuid | upper }}"
# Block traffic between connected clients
BetweenClients_DROP: true
congrats:
common: |
"# Congratulations! #"
"# Your Algo server is running. #"
"# Config files and certificates are in the ./configs/ directory. #"
"# Go to https://whoer.net/ after connecting #"
"# and ensure that all your traffic passes through the VPN. #"
"# Local DNS resolver {{ local_service_ip }} #"
p12_pass: |
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
ca_key_pass: |
"# The CA key password is {{ CA_password }} #"
ssh_access: |
"# Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }} #"
SSH_keys:
comment: algo@ssh
private: configs/algo.pem
public: configs/algo.pem.pub
cloud_providers:
azure:
size: Basic_A0
image:
offer: UbuntuServer
publisher: Canonical
sku: '18.04-LTS'
version: latest
digitalocean:
size: s-1vcpu-1gb
image: "ubuntu-18-04-x64"
# Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
# Warning: the Algo script will take approximately 6 minutes longer to complete.
# Also note that the documented AWS minimum permissions aren't sufficient.
# You will have to edit the AWS user policy documented at
# https://github.com/trailofbits/algo/blob/master/docs/cloud-amazon-ec2.md to also allow "ec2:CopyImage".
# See https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-edit.html
ec2:
encrypted: false
size: t2.micro
image:
name: "ubuntu-bionic-18.04"
owner: "099720109477"
gce:
size: f1-micro
image: ubuntu-1804
lightsail:
size: nano_1_0
image: ubuntu_16_04
scaleway:
size: START1-S
image: Ubuntu Bionic Beaver
arch: x86_64
openstack:
flavor_ram: ">=512"
image: Ubuntu-18.04
vultr:
os: Ubuntu 18.04 x64
size: 1024 MB RAM,25 GB SSD,1.00 TB BW
local:
fail_hint:
- Sorry, but something went wrong!
- Please check the troubleshooting guide.
- https://trailofbits.github.io/algo/troubleshooting.html
booleans_map:
Y: true
y: true