elreydetoda · October 14, 2019 09:04
diff --git a/config.cfg b/config.cfg
 ---

 # This is the list of users to generate.
 # Every device must have a unique username.
 # You can generate up to 250 users at one time.
 # Usernames with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
 users:
  - phone
  - laptop
  - desktop

 ### Advanced users only below this line ###

 # Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
 # Supports on MacOS and Linux only (including Windows Subsystem for Linux)
 pki_in_tmpfs: false

 # If True re-init all existing certificates. Boolean
 keys_clean_all: False

 # Clean up cloud python environments
 clean_environment: false

 # Deploy StrongSwan to enable IPsec support
 ipsec_enabled: false

 # StrongSwan log level
 # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
 strongswan_log_level: 2

 # rightsourceip for ipsec
 # ipv4
 strongswan_network: 10.19.48.0/24
 # ipv6
 strongswan_network_ipv6: 'fd9d:bc11:4020::/48'

 # Deploy WireGuard
 wireguard_enabled: true
 wireguard_port: 51820
 # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
 # This option will keep the "connection" open in the eyes of NAT.
 # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
 wireguard_PersistentKeepalive: 25

 # WireGuard network configuration
 wireguard_network_ipv4: 100.66.0.0/24
 wireguard_network_ipv6: fd9d:bc11:4021::/48

 # Reduce the MTU of the VPN tunnel
 # Some cloud and internet providers use a smaller MTU (Maximum Transmission
 # Unit) than the normal value of 1500 and if you don't reduce the MTU of your
 # VPN tunnel some network connections will hang. Algo will attempt to set this
 # automatically based on your server, but if connections hang you might need to
 # adjust this yourself.
 # See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
 reduce_mtu: 0

 # Algo will use the following lists to block ads. You can add new block lists
 # after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
 # /usr/local/sbin/adblock.sh
 # If you load very large blocklists, you may also have to modify resource limits:
 # /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
 adblock_lists:
 - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
 - "https://hosts-file.net/ad_servers.txt"

 # Enable DNS encryption.
 # If 'false', 'dns_servers' should be specified below.
 dns_encryption: true

 # DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
 # providers may be specified, but avoid mixing providers that filter results
 # (like Cisco) with those that don't (like Cloudflare) or you could get
 # inconsistent results. The list of available public providers can be found
 # here:
 # https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
 dnscrypt_servers:
  ipv4:
    - cloudflare
 #   - google
  ipv6:
    - cloudflare-ipv6

 # DNS servers which will be used if 'dns_encryption' is 'false'.
 # The default is to use Cloudflare.
 dns_servers:
  ipv4:
    - 1.1.1.1
    - 1.0.0.1
  ipv6:
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001

 # Randomly generated IP address for the local dns resolver
 local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"

 # Your Algo server will automatically install security updates. Some updates
 # require a reboot to take effect but your Algo server will not reboot itself
 # automatically unless you change 'enabled' below from 'false' to 'true', in
 # which case a reboot will take place if necessary at the time specified (as
 # HH:MM) in the time zone of your Algo server. The default time zone is UTC.
 unattended_reboot:
  enabled: true
  time: 03:00

 # Block traffic between connected clients
 BetweenClients_DROP: false

 congrats:
  common: |
    "#                          Congratulations!                            #"
    "#                     Your Algo server is running.                     #"
    "#    Config files and certificates are in the ./configs/ directory.    #"
    "#              Go to https://whoer.net/ after connecting               #"
    "#        and ensure that all your traffic passes through the VPN.      #"
    "#                     Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }}                   #"
  p12_pass: |
    "#        The p12 and SSH keys password for new users is {{ p12_export_password }}       #"
  ca_key_pass: |
    "#        The CA key password is {{ CA_password|default(omit) }}       #"
  ssh_access: |
    "#      Shell access: ssh -i {{ ansible_ssh_private_key_file|default(omit) }} {{ ansible_ssh_user|default(omit) }}@{{ ansible_ssh_host|default(omit) }}        #"

 SSH_keys:
  comment: algo@ssh
  private: configs/algo.pem
  public: configs/algo.pem.pub

 cloud_providers:
  azure:
    size: Basic_A0
    image: 19.04
  digitalocean:
    size: s-1vcpu-1gb
    image: "ubuntu-19-04-x64"
  ec2:
    # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
    # Warning: the Algo script will take approximately 6 minutes longer to complete.
    encrypted: false
    # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
    # Additional prompt will be raised to determine which IP to use
    use_existing_eip: false
    size: t2.micro
    image:
      name: "ubuntu-disco-19.04"
      owner: "099720109477"
  gce:
    size: f1-micro
    image: ubuntu-1904
    external_static_ip: false
  lightsail:
    size: nano_1_0
    image: ubuntu_18_04
  scaleway:
    size: START1-S
    image: Ubuntu Bionic Beaver
    arch: x86_64
  openstack:
    flavor_ram: ">=512"
    image:  Ubuntu-18.04
  vultr:
    os: Ubuntu 19.04 x64
    size: 1024 MB RAM,25 GB SSD,1.00 TB BW
  local:

 fail_hint:
  - Sorry, but something went wrong!
  - Please check the troubleshooting guide.
  - https://trailofbits.github.io/algo/troubleshooting.html

 booleans_map:
  Y: true
  y: true
	---

	# This is the list of users to generate.
	# Every device must have a unique username.
	# You can generate up to 250 users at one time.
	# Usernames with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
	users:
	- phone
	- laptop
	- desktop

	### Advanced users only below this line ###

	# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
	# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
	pki_in_tmpfs: false

	# If True re-init all existing certificates. Boolean
	keys_clean_all: False

	# Clean up cloud python environments
	clean_environment: false

	# Deploy StrongSwan to enable IPsec support
	ipsec_enabled: false

	# StrongSwan log level
	# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
	strongswan_log_level: 2

	# rightsourceip for ipsec
	# ipv4
	strongswan_network: 10.19.48.0/24
	# ipv6
	strongswan_network_ipv6: 'fd9d:bc11:4020::/48'

	# Deploy WireGuard
	wireguard_enabled: true
	wireguard_port: 51820
	# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
	# This option will keep the "connection" open in the eyes of NAT.
	# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
	wireguard_PersistentKeepalive: 25

	# WireGuard network configuration
	wireguard_network_ipv4: 100.66.0.0/24
	wireguard_network_ipv6: fd9d:bc11:4021::/48

	# Reduce the MTU of the VPN tunnel
	# Some cloud and internet providers use a smaller MTU (Maximum Transmission
	# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
	# VPN tunnel some network connections will hang. Algo will attempt to set this
	# automatically based on your server, but if connections hang you might need to
	# adjust this yourself.
	# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
	reduce_mtu: 0

	# Algo will use the following lists to block ads. You can add new block lists
	# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
	# /usr/local/sbin/adblock.sh
	# If you load very large blocklists, you may also have to modify resource limits:
	# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
	adblock_lists:
	- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
	- "https://hosts-file.net/ad_servers.txt"

	# Enable DNS encryption.
	# If 'false', 'dns_servers' should be specified below.
	dns_encryption: true

	# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
	# providers may be specified, but avoid mixing providers that filter results
	# (like Cisco) with those that don't (like Cloudflare) or you could get
	# inconsistent results. The list of available public providers can be found
	# here:
	# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
	dnscrypt_servers:
	ipv4:
	- cloudflare
	# - google
	ipv6:
	- cloudflare-ipv6

	# DNS servers which will be used if 'dns_encryption' is 'false'.
	# The default is to use Cloudflare.
	dns_servers:
	ipv4:
	- 1.1.1.1
	- 1.0.0.1
	ipv6:
	- 2606:4700:4700::1111
	- 2606:4700:4700::1001

	# Randomly generated IP address for the local dns resolver
	local_service_ip: "{{ '172.16.0.1' \| ipmath(1048573 \| random(seed=algo_server_name + ansible_fqdn)) }}"
	local_service_ipv6: "{{ 'fd00::1' \| ipmath(1048573 \| random(seed=algo_server_name + ansible_fqdn)) }}"

	# Your Algo server will automatically install security updates. Some updates
	# require a reboot to take effect but your Algo server will not reboot itself
	# automatically unless you change 'enabled' below from 'false' to 'true', in
	# which case a reboot will take place if necessary at the time specified (as
	# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
	unattended_reboot:
	enabled: true
	time: 03:00

	# Block traffic between connected clients
	BetweenClients_DROP: false

	congrats:
	common: \|
	"# Congratulations! #"
	"# Your Algo server is running. #"
	"# Config files and certificates are in the ./configs/ directory. #"
	"# Go to https://whoer.net/ after connecting #"
	"# and ensure that all your traffic passes through the VPN. #"
	"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
	p12_pass: \|
	"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
	ca_key_pass: \|
	"# The CA key password is {{ CA_password\|default(omit) }} #"
	ssh_access: \|
	"# Shell access: ssh -i {{ ansible_ssh_private_key_file\|default(omit) }} {{ ansible_ssh_user\|default(omit) }}@{{ ansible_ssh_host\|default(omit) }} #"

	SSH_keys:
	comment: algo@ssh
	private: configs/algo.pem
	public: configs/algo.pem.pub

	cloud_providers:
	azure:
	size: Basic_A0
	image: 19.04
	digitalocean:
	size: s-1vcpu-1gb
	image: "ubuntu-19-04-x64"
	ec2:
	# Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
	# Warning: the Algo script will take approximately 6 minutes longer to complete.
	encrypted: false
	# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
	# Additional prompt will be raised to determine which IP to use
	use_existing_eip: false
	size: t2.micro
	image:
	name: "ubuntu-disco-19.04"
	owner: "099720109477"
	gce:
	size: f1-micro
	image: ubuntu-1904
	external_static_ip: false
	lightsail:
	size: nano_1_0
	image: ubuntu_18_04
	scaleway:
	size: START1-S
	image: Ubuntu Bionic Beaver
	arch: x86_64
	openstack:
	flavor_ram: ">=512"
	image: Ubuntu-18.04
	vultr:
	os: Ubuntu 19.04 x64
	size: 1024 MB RAM,25 GB SSD,1.00 TB BW
	local:

	fail_hint:
	- Sorry, but something went wrong!
	- Please check the troubleshooting guide.
	- https://trailofbits.github.io/algo/troubleshooting.html

	booleans_map:
	Y: true
	y: true