From 58ffdeab0e04ed409c2cbf47762080b215ce1d3e Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Sun, 27 Oct 2019 19:03:05 -0400
Subject: [PATCH] Further config changes As per feedback, also better explanation of keys_clean_all
---
 config.cfg | 70 +++++++++++++++++++++++++++---------------------------
 1 file changed, 35 insertions(+), 35 deletions(-)

diff --git a/config.cfg b/config.cfg
index 06302dd..e0f1431 100644
--- a/config.cfg
+++ b/config.cfg
@@ -53,34 +53,17 @@ block_smb: true
 # Block NETBIOS traffic
 block_netbios: true

+# Your Algo server will automatically install security updates. Some updates
+# require a reboot to take effect but your Algo server will not reboot itself
+# automatically unless you change 'enabled' below from 'false' to 'true', in
+# which case a reboot will take place if necessary at the time specified (as
+# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
+unattended_reboot:
+ enabled: false
+ time: 06:00
+
 ### Advanced users only below this line ###

-# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
-# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
-pki_in_tmpfs: true
-
-# If True re-init all existing certificates. Boolean
-keys_clean_all: False
-
-# StrongSwan log level
-# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
-strongswan_log_level: 2
-
-# rightsourceip for ipsec
-# ipv4
-strongswan_network: 10.19.48.0/24
-# ipv6
-strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
-
-# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
-# This option will keep the "connection" open in the eyes of NAT.
-# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
-wireguard_PersistentKeepalive: 0
-
-# WireGuard network configuration
-wireguard_network_ipv4: 10.19.49.0/24
-wireguard_network_ipv6: fd9d:bc11:4021::/48
-
 # DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
 # providers may be specified, but avoid mixing providers that filter results
 # (like Cisco) with those that don't (like Cloudflare) or you could get
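Review bot: The `time: 06:00` value in the added `unattended_reboot` block is an unquoted digits-and-colon scalar, which YAML 1.1 loaders can resolve as a base-60 integer instead of a string. `06:00` itself probably stays a string because of its leading zero, but an operator who edits it to a value such as `22:30` (constructed example) may end up with an integer. How the value is consumed is not visible in this hunk, so the effect is inferred: the reboot that makes pending security updates take effect might not be scheduled at the intended time. Quoting removes the ambiguity: `time: "06:00"`, with the comment above saying the quotes must be kept when the time is changed.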
@@ -104,19 +87,36 @@ dns_servers:
 - 2606:4700:4700::1111
 - 2606:4700:4700::1001

+# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
+# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
+pki_in_tmpfs: true
+
+# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
+keys_clean_all: false
+
+# StrongSwan log level
+# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
+strongswan_log_level: 2
+
+# rightsourceip for ipsec
+# ipv4
+strongswan_network: 10.19.48.0/24
+# ipv6
+strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
+
+# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
+# This option will keep the "connection" open in the eyes of NAT.
+# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
+wireguard_PersistentKeepalive: 0
+
+# WireGuard network configuration
+wireguard_network_ipv4: 10.19.49.0/24
+wireguard_network_ipv6: fd9d:bc11:4021::/48
+
 # Randomly generated IP address for the local dns resolver
 local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"

-# Your Algo server will automatically install security updates. Some updates
-# require a reboot to take effect but your Algo server will not reboot itself
-# automatically unless you change 'enabled' below from 'false' to 'true', in
-# which case a reboot will take place if necessary at the time specified (as
-# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
-unattended_reboot:
- enabled: false
- time: 06:00
-
 congrats:
 common: |