wallenstein/algo
1
0
Fork 0
mirror of https://github.com/trailofbits/algo.git synced 2025-09-24 20:55:30 +02:00
Code Issues Projects Releases Wiki Activity
algo/config.cfg
Dan Guido ac9d7b0e2c
Fix DigitalOcean API error handling and improve debugging (fixes #14829) (#14830) 
* Fix DigitalOcean API error handling and debugging (fixes #14829)

- Replace hardcoded no_log with configurable algo_no_log variable
- Add comprehensive error checking with specific guidance for each HTTP status code
- Provide actionable troubleshooting steps without exposing sensitive data
- Add troubleshooting section to config.cfg for better discoverability
- Enable debugging by setting algo_no_log: false when needed

This fix addresses issue #14829 where users couldn't debug DigitalOcean
API failures due to hidden error messages from no_log: true directive.

* Clean up config.cfg - consolidate algo_no_log setting

- Move algo_no_log setting to top troubleshooting section
- Remove duplicate setting from line 117
- Keep the prominent warning about debugging at the top where users will see it
- Cleaner, single source of truth for the setting
2025-09-15 10:20:31 -04:00

206 lines
6.9 KiB
INI
Raw Blame History

---
# ============================================
# TROUBLESHOOTING DEPLOYMENT ISSUES
# ============================================
# If your deployment fails with hidden/censored output, temporarily set
# algo_no_log to 'false' below. This will show detailed error messages
# including API responses.
# IMPORTANT: Set back to 'true' before sharing logs or screenshots!
# ============================================
algo_no_log: true # Set to 'false' for debugging (shows sensitive data in output)
# This is the list of users to generate.
# Every device must have a unique user.
# You can add up to 65,534 new users over the lifetime of an AlgoVPN.
# User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
# Email addresses are not allowed.
users:
- phone
- laptop
- desktop
### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
# SSH port for cloud deployments (doesn't apply to existing Ubuntu servers)
ssh_port: 4160
# VPN protocols to deploy
ipsec_enabled: true
wireguard_enabled: true
wireguard_port: 51820 # Change if blocked by your network (avoid 53/UDP)
# Use different IP for outbound traffic (DigitalOcean only)
alternative_ingress_ip: false
# Reduce MTU if connections hang (0 = auto-detect)
# See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
reduce_mtu: 0
# Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more)
adblock_lists:
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
# DNS encryption (required if using ad blocking)
dns_encryption: true
# Client isolation (set false for "road warrior" setup where clients can reach each other)
BetweenClients_DROP: true
block_smb: true # Block SMB/CIFS traffic
block_netbios: true # Block NETBIOS traffic
# Automatic reboot for security updates (time in server's timezone, default UTC)
unattended_reboot:
enabled: false
time: 06:00
### Privacy Settings ###
# StrongSwan connection logging (-1 = disabled, 2 = debug)
strongswan_log_level: -1
# Master switch for privacy enhancements (log rotation, history clearing, etc.)
# Set to false for debugging. For advanced privacy options, see roles/privacy/defaults/main.yml
privacy_enhancements_enabled: true
### Advanced users only below this line ###
# DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)
dnscrypt_servers:
ipv4:
- cloudflare
# - google
# - YourCustomServer # For NextDNS etc., add stamp below
ipv6:
- cloudflare-ipv6
custom_server_stamps:
# YourCustomServer: 'sdns://...'
# DNS servers when encryption is disabled
dns_servers:
ipv4:
- 1.1.1.1
- 1.0.0.1
ipv6:
- 2606:4700:4700::1111
- 2606:4700:4700::1001
# Store PKI in RAM disk when not retaining (MacOS/Linux only)
pki_in_tmpfs: true
# Regenerate ALL user certs on update-users (not just new users)
keys_clean_all: false
### VPN Network Configuration ###
strongswan_network: 10.48.0.0/16
strongswan_network_ipv6: '2001:db8:4160::/48'
wireguard_network_ipv4: 10.49.0.0/16
wireguard_network_ipv6: 2001:db8:a160::/48
# Keep NAT connections alive (0 = disabled)
wireguard_PersistentKeepalive: 0
### Experimental Performance Options ###
# These are experimental and may cause issues. Enable at your own risk.
# performance_skip_optional_reboots: false # Skip non-kernel reboots
# performance_parallel_crypto: false # Parallel key generation
# performance_parallel_packages: false # Batch package installation
# performance_preinstall_packages: false # Pre-install via cloud-init
# performance_parallel_services: false # Configure VPN services in parallel
# Randomly generated IP address for the local dns resolver
local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
congrats:
common: |
"# Congratulations! #"
"# Your Algo server is running. #"
"# Config files and certificates are in the ./configs/ directory. #"
"# Go to https://whoer.net/ after connecting #"
"# and ensure that all your traffic passes through the VPN. #"
"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
p12_pass: |
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
ca_key_pass: |
"# The CA key password is {{ CA_password|default(omit) }} #"
ssh_access: |
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #"
SSH_keys:
comment: algo@ssh
private: configs/algo.pem
private_tmp: /tmp/algo-ssh.pem
public: configs/algo.pem.pub
cloud_providers:
azure:
size: Standard_B1S
osDisk:
# The storage account type to use for the OS disk. Possible values:
# 'Standard_LRS', 'Premium_LRS', 'StandardSSD_LRS', 'UltraSSD_LRS',
# 'Premium_ZRS', 'StandardSSD_ZRS', 'PremiumV2_LRS'.
type: Standard_LRS
image:
publisher: Canonical
offer: 0001-com-ubuntu-minimal-jammy-daily
sku: minimal-22_04-daily-lts
version: latest
digitalocean:
# See docs for extended droplet options, pricing, and availability.
# Possible values: 's-1vcpu-512mb-10gb', 's-1vcpu-1gb', ...
size: s-1vcpu-1gb
image: "ubuntu-22-04-x64"
ec2:
# Change the encrypted flag to "false" to disable AWS volume encryption.
encrypted: true
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
# Additional prompt will be raised to determine which IP to use
use_existing_eip: false
size: t2.micro
image:
name: "ubuntu-jammy-22.04"
arch: x86_64
owner: "099720109477"
# Change instance_market_type from "on-demand" to "spot" to launch a spot
# instance. See deploy-from-ansible.md for spot's additional IAM permission
instance_market_type: on-demand
gce:
size: e2-micro
image: ubuntu-2204-lts
external_static_ip: false
lightsail:
size: nano_2_0
image: ubuntu_22_04
scaleway:
size: DEV1-S
image: Ubuntu 22.04 Jammy Jellyfish
arch: x86_64
hetzner:
server_type: cpx11
image: ubuntu-22.04
openstack:
flavor_ram: ">=512"
image: Ubuntu-22.04
cloudstack:
size: Micro
image: Linux Ubuntu 22.04 LTS 64-bit
disk: 10
vultr:
os: Ubuntu 22.04 LTS x64
size: vc2-1c-1gb
linode:
type: g6-nanode-1
image: linode/ubuntu22.04
local:
fail_hint:
- Sorry, but something went wrong!
- Please check the troubleshooting guide.
- https://trailofbits.github.io/algo/troubleshooting.html
booleans_map:
Y: true
y: true
Reference in a new issue View git blame Copy permalink