From d1fff030ab55107224fbd19a2b1c71c476d881df Mon Sep 17 00:00:00 2001
From: TC1977 <37350377+TC1977@users.noreply.github.com>
Date: Sun, 27 Oct 2019 13:43:35 -0400
Subject: [PATCH] Reorganize config.cfg
As per @davidemyers suggestions
---
config.cfg | 80 ++++++++++++++++++++++++++++--------------------------
1 file changed, 42 insertions(+), 38 deletions(-)
diff --git a/config.cfg b/config.cfg
index 61b401a..06302dd 100644
--- a/config.cfg
+++ b/config.cfg
@@ -9,39 +9,14 @@ users:
 - laptop
 - desktop
-### Advanced users only below this line ###
-
-# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
-# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
-pki_in_tmpfs: true
-
-# If True re-init all existing certificates. Boolean
-keys_clean_all: False
+### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
 # Deploy StrongSwan to enable IPsec support
 ipsec_enabled: true
-# StrongSwan log level
-# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
-strongswan_log_level: 2
-
-# rightsourceip for ipsec
-# ipv4
-strongswan_network: 10.19.48.0/24
-# ipv6
-strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
-
 # Deploy WireGuard
 wireguard_enabled: true
 wireguard_port: 51820
-# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
-# This option will keep the "connection" open in the eyes of NAT.
-# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
-wireguard_PersistentKeepalive: 0
-
-# WireGuard network configuration
-wireguard_network_ipv4: 10.19.49.0/24
-wireguard_network_ipv6: fd9d:bc11:4021::/48
 # Reduce the MTU of the VPN tunnel
 # Some cloud and internet providers use a smaller MTU (Maximum Transmission 
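Review bot: The new section banner `+### Review these options BEFORE you run Algo, ...` is a single ~120-character comment and drops the closing `###` that the `### Advanced users only below this line ###` banner it is paired with keeps, so the two markers that now structure the file do not look alike. Wrapping it to the file's comment width and closing it the same way keeps them visually paired, e.g. `### Review these options BEFORE you run Algo: they are very ###` / `### difficult or impossible to change after the server is deployed. ###`. A short reason in the banner would help too (presumably these values are baked into the server firewall and generated client configs), but nothing in the hunk shows that, so confirm it before writing it down. The `users:` list this hunk opens in begins above the hunk.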
@@ -66,6 +41,46 @@ adblock_lists:
 # DNS encryption can not be disabled if DNS adblocking is enabled
 dns_encryption: true
+# Block traffic between connected clients. Change this to false to enable
+# connected clients to reach each other, as well as other computers on the
+# same LAN as your Algo server (i.e. the "road warrior" setup). In this
+# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
+BetweenClients_DROP: true
+
+# Block SMB/CIFS traffic
+block_smb: true
+
+# Block NETBIOS traffic
+block_netbios: true
+
+### Advanced users only below this line ###
+
+# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
+# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
+pki_in_tmpfs: true
+
+# If True re-init all existing certificates. Boolean
+keys_clean_all: False
+
+# StrongSwan log level
+# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
+strongswan_log_level: 2
+
+# rightsourceip for ipsec
+# ipv4
+strongswan_network: 10.19.48.0/24
+# ipv6
+strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
+
+# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
+# This option will keep the "connection" open in the eyes of NAT.
+# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
+wireguard_PersistentKeepalive: 0
+
+# WireGuard network configuration
+wireguard_network_ipv4: 10.19.49.0/24
+wireguard_network_ipv6: fd9d:bc11:4021::/48
+
 # DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
 # providers may be specified, but avoid mixing providers that filter results
 # (like Cisco) with those that don't (like Cloudflare) or you could get 
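Review bot: The comment added above `+BetweenClients_DROP: true` explains how to switch client isolation off but not what the user gives up, which is the security-relevant part of an option now placed in the review-before-deploy section: with it set to false every connected device can reach every other device (and, per the same comment, the server's LAN), so a single compromised or untrusted client can probe the rest. I would add one sentence to that comment, such as `# Leaving this true keeps clients isolated from each other; only set it to false if you trust every device that will hold a client config.` In the same hunk `+keys_clean_all: False` is the only capitalised boolean among the visible lines (`ipsec_enabled: true`, `block_smb: true`, ...); `false` is the canonical YAML form and sidesteps YAML 1.1/1.2 loader differences, so `keys_clean_all: false` would be consistent. Quoting `wireguard_network_ipv6` the same way as `strongswan_network_ipv6` would remove the other small inconsistency between the two moved network blocks.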
@@ -102,17 +117,6 @@ unattended_reboot:
 enabled: false
 time: 06:00
-# Block traffic between connected clients. Change this to false to enable
-# connected clients to reach each other, as well as other computers on the
-# same LAN as your Algo server (i.e. the "road warrior" setup). In this
-# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
-BetweenClients_DROP: true
-
-# Block SMB/CIFS traffic
-block_smb: true
-
-# Block NETBIOS traffic
-block_netbios: true
 congrats:
 common: |
@@ -142,7 +146,7 @@ cloud_providers:
 size: s-1vcpu-1gb
 image: "ubuntu-19-04-x64"
 ec2:
- # Change the encrypted flag to "true" to enable AWS volume encryption, for encryption of data at rest.
+ # Change the encrypted flag to "false" to disable AWS volume encryption.
 encrypted: true
 # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
 # Additional prompt will be raised to determine which IP to use
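Review bot: The rewritten comment `+ # Change the encrypted flag to "false" to disable AWS volume encryption.` drops the one phrase the previous version carried that said what the flag protects (encryption of data at rest), so a reader now sees a knob with no reason to leave it on. I would keep the purpose and spell out the consequence of flipping it: `# AWS EBS volume encryption (data at rest). Leave "true" unless you have a specific reason; "false" leaves the server's disk unencrypted.` The enclosing `cloud_providers:` mapping begins above the hunk, so I cannot see whether other providers document an equivalent flag the same way.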