diff --git a/config.cfg b/config.cfg
index d4a1164f..ddf80f51 100644
--- a/config.cfg
+++ b/config.cfg
@@ -12,106 +12,61 @@ users:
 ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
-# Performance optimizations (reduces deployment time)
-# Skip reboots unless kernel was updated (saves 0-5 minutes)
-performance_skip_optional_reboots: false
-# Use parallel key generation for certificates (saves 1-2 minutes)
-performance_parallel_crypto: false
-# Batch install all packages in one operation (saves 30-60 seconds)
-performance_parallel_packages: false
-# Pre-install universal packages via cloud-init (saves 30-90 seconds)
-performance_preinstall_packages: false
-# Configure VPN services in parallel (saves 1-2 minutes)
-performance_parallel_services: false
-
-# Change default SSH port for the cloud roles only
-# It doesn't apply if you deploy to your existing Ubuntu Server
+# SSH port for cloud deployments (doesn't apply to existing Ubuntu servers)
 ssh_port: 4160
-# Deploy StrongSwan to enable IPsec support
+# VPN protocols to deploy
 ipsec_enabled: true
-
-# Deploy WireGuard
-# WireGuard will listen on 51820/UDP. You might need to change to another port
-# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
-# mobile data networks.
 wireguard_enabled: true
-wireguard_port: 51820
+wireguard_port: 51820 # Change if blocked by your network (avoid 53/UDP)
-# This feature allows you to configure the Algo server to send outbound traffic
-# through a different external IP address than the one you are establishing the VPN connection with.
-# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
-# Available for the following cloud providers:
-# - DigitalOcean
+# Use different IP for outbound traffic (DigitalOcean only)
 alternative_ingress_ip: false
-# Reduce the MTU of the VPN tunnel
-# Some cloud and internet providers use a smaller MTU (Maximum Transmission
-# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
-# VPN tunnel some network connections will hang. Algo will attempt to set this
-# automatically based on your server, but if connections hang you might need to
-# adjust this yourself.
-# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
+# Reduce MTU if connections hang (0 = auto-detect)
+# See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
 reduce_mtu: 0
-# Algo will use the following lists to block ads. You can add new block lists
-# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
-# /usr/local/sbin/adblock.sh
-# If you load very large blocklists, you may also have to modify resource limits:
-# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
+# Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more)
 adblock_lists:
- - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+ - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
-# Enable DNS encryption.
-# If 'false', 'dns_servers' should be specified below.
-# DNS encryption can not be disabled if DNS adblocking is enabled
+# DNS encryption (required if using ad blocking)
 dns_encryption: true
-# Block traffic between connected clients. Change this to false to enable
-# connected clients to reach each other, as well as other computers on the
-# same LAN as your Algo server (i.e. the "road warrior" setup). In this
-# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
+# Client isolation (set false for "road warrior" setup where clients can reach each other) BetweenClients_DROP: true +block_smb: true # Block SMB/CIFS traffic +block_netbios: true # Block NETBIOS traffic -# Block SMB/CIFS traffic -block_smb: true - -# Block NETBIOS traffic -block_netbios: true - -# Your Algo server will automatically install security updates. Some updates -# require a reboot to take effect but your Algo server will not reboot itself -# automatically unless you change 'enabled' below from 'false' to 'true', in -# which case a reboot will take place if necessary at the time specified (as -# HH:MM) in the time zone of your Algo server. The default time zone is UTC. +# Automatic reboot for security updates (time in server's timezone, default UTC) unattended_reboot: enabled: false time: 06:00 +### Privacy Settings ### +# StrongSwan connection logging (-1 = disabled, 2 = debug) +strongswan_log_level: -1 + +# Master switch for privacy enhancements (log rotation, history clearing, etc.) +# Set to false for debugging. For advanced privacy options, see roles/privacy/defaults/main.yml +privacy_enhancements_enabled: true + ### Advanced users only below this line ### -# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple -# providers may be specified, but avoid mixing providers that filter results -# (like Cisco) with those that don't (like Cloudflare) or you could get -# inconsistent results. The list of available public providers can be found -# here: -# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md +# DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md) dnscrypt_servers: ipv4: - cloudflare # - google -# - # E.g., if using NextDNS, this will be something like NextDNS-abc123. - # You must also fill in custom_server_stamps below. You may specify - # multiple custom servers. 
+# - YourCustomServer # For NextDNS etc., add stamp below
 ipv6:
 - cloudflare-ipv6
 custom_server_stamps:
 # YourCustomServer: 'sdns://...'
-# DNS servers which will be used if 'dns_encryption' is 'false'.
-# Fallback resolvers for systemd-resolved
-# The default is to use Cloudflare.
+# DNS servers when encryption is disabled
 dns_servers:
 ipv4:
 - 1.1.1.1
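Review bot: The new comment above `BetweenClients_DROP` describes `false` only as letting clients reach each other, but the text it replaces also stated that it opens other hosts on the server's LAN to clients and that `block_smb`/`block_netbios` interact with it, so the condensed version understates what a user accepts by flipping it. Suggest `# Client isolation. false lets clients reach each other AND other hosts on the server's LAN ("road warrior"); see block_smb/block_netbios below.` The `# DNS encryption (required if using ad blocking)` comment likewise drops the removed note that `dns_servers` further down must be filled in when it is set to false, which is exactly what a user toggling it needs to know.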
@@ -120,99 +75,36 @@ dns_servers:
 - 2606:4700:4700::1111
 - 2606:4700:4700::1001
-# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
-# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
+# Store PKI in RAM disk when not retaining (MacOS/Linux only)
 pki_in_tmpfs: true
-# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
+# Regenerate ALL user certs on update-users (not just new users)
 keys_clean_all: false
-# StrongSwan log level
-# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
-# Privacy enhancement: Set to -1 to disable logging of VPN connection details
-# Level 2 logs connection attempts and authentication which may reveal usage patterns
-# Level -1 disables logging entirely for enhanced privacy
-strongswan_log_level: -1
-
-### Privacy Enhancements ###
-# Additional privacy measures to reduce server-side traces of VPN usage
-# These settings help protect user privacy by minimizing log retention and filtering sensitive data
-
-# Enable enhanced privacy features
-# Set to false to disable all privacy enhancements (useful for debugging)
-privacy_enhancements_enabled: true
-
-# Log rotation and retention settings
-privacy_log_rotation:
- # Maximum age for logs in days (shorter = more private, but less debugging info)
- max_age: 7
- # Maximum size for individual log files in MB
- max_size: 10
- # Number of rotated files to keep
- rotate_count: 3
- # Compress rotated logs to save space
- compress: true
- # Force daily rotation
- daily_rotation: true
-
-# History clearing configuration
-privacy_history_clearing:
- # Clear bash/shell history after deployment
- clear_bash_history: true
- # Clear system command history logs
- clear_system_history: true
- # Disable persistent history for system users
- disable_service_history: true
-
-# Log filtering to exclude VPN-related entries
-privacy_log_filtering:
- # Filter out VPN
connection logs (WireGuard, StrongSwan, etc.)
- exclude_vpn_logs: true
- # Filter out detailed authentication logs (reduces security logging - use with caution)
- exclude_auth_logs: false
- # Filter kernel messages related to VPN traffic
- filter_kernel_vpn_logs: true
-
-# Automatic cleanup policies
-privacy_auto_cleanup:
- # Enable automatic cleanup of old logs and temporary files
- enabled: true
- # Cleanup frequency: daily, weekly, or monthly
- frequency: "daily"
- # Remove temporary files older than N days
- temp_files_max_age: 1
- # Clean package manager cache
- clean_package_cache: true
-
-# Advanced privacy settings (use with caution)
-privacy_advanced:
- # Disable logging of successful SSH connections (keeps failures for security)
- disable_ssh_success_logs: false
- # Reduce kernel log verbosity to minimize VPN traces
- reduce_kernel_verbosity: true
- # Clear all logs on system shutdown (extreme privacy measure)
- clear_logs_on_shutdown: false
-
-# rightsourceip for ipsec
-# ipv4
+### VPN Network Configuration ###
 strongswan_network: 10.48.0.0/16
-# ipv6
 strongswan_network_ipv6: '2001:db8:4160::/48'
-# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
-# This option will keep the "connection" open in the eyes of NAT.
-# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
-wireguard_PersistentKeepalive: 0
-
-# WireGuard network configuration
 wireguard_network_ipv4: 10.49.0.0/16
 wireguard_network_ipv6: 2001:db8:a160::/48
+# Keep NAT connections alive (0 = disabled)
+wireguard_PersistentKeepalive: 0
+
+### Experimental Performance Options ###
+# These are experimental and may cause issues. Enable at your own risk.
+# performance_skip_optional_reboots: false # Skip non-kernel reboots
+# performance_parallel_crypto: false # Parallel key generation
+# performance_parallel_packages: false # Batch package installation
+# performance_preinstall_packages: false # Pre-install via cloud-init
+# performance_parallel_services: false # Configure VPN services in parallel
+
 # Randomly generated IP address for the local dns resolver
 local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
-# Hide sensitive data
+# Hide sensitive data in Ansible output during deployment (passwords, keys, etc.)
+# This is NOT related to privacy/logging on the VPN server itself
 algo_no_log: true
 congrats:
@@ -280,11 +172,11 @@ cloud_providers:
 image: Ubuntu 22.04 Jammy Jellyfish
 arch: x86_64
 hetzner:
- server_type: cpx11
+ server_type: cpx11
 image: ubuntu-22.04
 openstack:
 flavor_ram: ">=512"
- image: Ubuntu-22.04
+ image: Ubuntu-22.04
 cloudstack:
 size: Micro
 image: Linux Ubuntu 22.04 LTS 64-bit
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml
index bc53075d..9f59e33e 100644
--- a/roles/common/tasks/ubuntu.yml
+++ b/roles/common/tasks/ubuntu.yml
@@ -123,6 +123,7 @@
 - apparmor-utils
 - uuid-runtime
 - coreutils
+ - iptables
 - iptables-persistent
 - cgroup-tools
 - openssl
@@ -180,10 +181,6 @@
 with_items:
 - iptables
 - ip6tables
- - iptables-save
- - iptables-restore
- - ip6tables-save
- - ip6tables-restore
 when:
 - ansible_distribution == "Ubuntu"
 - ansible_distribution_version is version('22.04', '>=')
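Review bot: The five `performance_*` options under the new experimental header are now comment lines only, so config.cfg no longer defines them; unless every consumer reads them with a default (not visible in this diff), a template or `when:` that references `performance_parallel_crypto` would hit an undefined variable for users who never uncomment them. Either keep the keys present and set to `false` under the header, or say where the default comes from, e.g. `# All default to false unless set here; uncomment and set true to enable.` if that is how the roles read them. The same hunk also removes `strongswan_log_level` and `privacy_enhancements_enabled` from the advanced section, which is fine only because the first hunk re-adds them earlier in the file, so the two hunks should not be split apart when backporting.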
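Review bot: The added `- iptables` package entry has no comment, so it reads as redundant beside `iptables-persistent` and is likely to be removed again by a later cleanup. Presumably it is listed so that the `iptables`/`ip6tables` items in the 22.04-only task further down (the hunk at old line 180) refer to an installed binary; an inline note such as `- iptables  # listed explicitly: the iptables/ip6tables task below depends on it` would record that. The enclosing task name and module are outside both hunks, so the exact dependency should be confirmed against the full file.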