* chore: Conservative dependency updates for security - Update Ansible from 9.1.0 to 9.2.0 (one minor version bump only) - Update Jinja2 to ~3.1.6 to fix CVE-2025-27516 (critical security fix) - Pin netaddr to 1.3.0 (current stable version) This is a minimal, conservative update focused on: 1. Critical security fix for Jinja2 2. Minor ansible update for bug fixes 3. Pinning netaddr to prevent surprises No changes to Ansible collections - keeping them unpinned for now. * fix: Address linter issues (ruff, yamllint, shellcheck) - Fixed ruff configuration by moving linter settings to [tool.ruff.lint] section - Fixed ruff code issues: - Moved imports to top of files (E402) - Removed unused variables or commented them out - Updated string formatting from % to .format() - Replaced dict() calls with literals - Fixed assert False usage in tests - Fixed yamllint issues: - Added missing newlines at end of files - Removed trailing spaces - Added document start markers (---) to YAML files - Fixed 'on:' truthy warnings in GitHub workflows - Fixed shellcheck issues: - Properly quoted variables in shell scripts - Fixed A && B || C pattern with proper if/then/else - Improved FreeBSD rc script quoting All linters now pass without errors related to our code changes. * fix: Additional yamllint fixes for GitHub workflows - Added document start markers (---) to test-effectiveness.yml - Fixed 'on:' truthy warning by quoting as 'on:' - Removed trailing spaces from main.yml - Added missing newline at end of test-effectiveness.yml
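---
# Shared test variables for unit tests.
# Every unit test loads this single fixture so that subnets, ports, user
# names and placeholder credentials are defined once and stay consistent
# across tests; change a value here rather than in individual tests.

# Server/Network basics
server_name: test-algo-vpn
IP_subject_alt_name: 10.0.0.1
ipv4_network_prefix: 10.19.49
ipv4_network: 10.19.49.0
ipv4_range: 10.19.49.2/24
ipv6_network: fd9d:bc11:4020::/48
ipv6_range: fd9d:bc11:4020::/64
wireguard_enabled: true
wireguard_port: 51820
wireguard_PersistentKeepalive: 0
wireguard_network: 10.19.49.0/24
wireguard_network_ipv6: fd9d:bc11:4020::/48

# Additional WireGuard variables
wireguard_pki_path: /etc/wireguard/pki
wireguard_port_avoid: 53
wireguard_port_actual: 51820
wireguard_network_ipv4: 10.19.49.0/24
# Comma-separated IPv4/IPv6 pair kept as one plain string, not a YAML list
wireguard_client_ip: 10.19.49.2/32,fd9d:bc11:4020::2/128
# Comma-separated string form; the list form is dns_servers below
wireguard_dns_servers: 1.1.1.1,1.0.0.1

# IPsec variables
ipsec_enabled: true
strongswan_enabled: true
strongswan_af: ipv4
# Quoted on purpose: the fixture supplies the log level as a string, not an int
strongswan_log_level: '2'
strongswan_network: 10.19.48.0/24
strongswan_network_ipv6: fd9d:bc11:4021::/64
# Quoted on purpose: these are the strings 'false', not YAML booleans
algo_ondemand_cellular: 'false'
algo_ondemand_wifi: 'false'
# base64-encoded value; it decodes to the literal "_null" — presumably the
# "nothing excluded" placeholder, confirm against the consuming role
algo_ondemand_wifi_exclude: X251bGw=

# DNS
dns_adblocking: true
algo_dns_adblocking: true
adblock_lists:
  - https://someblacklist.com
dns_encryption: true
dns_servers:
  - 1.1.1.1
  - 1.0.0.1
local_dns: true
alternative_ingress_ip: false
local_service_ip: 10.19.49.1
local_service_ipv6: fd9d:bc11:4020::1
ipv6_support: true

# Security/Firewall
algo_ssh_tunneling: false
ssh_tunneling: false
snat_aipv4: false
snat_aipv6: false
block_smb: true
block_netbios: true

# Users and auth
users:
  - alice
  - bob
  - charlie
existing_users:
  - alice
# Fixture-only placeholder credentials (note the test- prefix); they exist so
# that templates referencing a password have a value to render
easyrsa_CA_password: test-ca-pass
p12_export_password: test-export-pass
CA_password: test-ca-pass

# System
ansible_ssh_port: 4160
ansible_python_interpreter: /usr/bin/python3
# Quoted on purpose: some YAML 1.1 loaders read a bare Y as a boolean
BetweenClients_DROP: 'Y'
ssh_tunnels_config_path: /etc/ssh/ssh_tunnels
config_prefix: /etc/algo
server_user: algo
IP: 10.0.0.1
reduce_mtu: 0
algo_ssh_port: 4160
algo_store_pki: true

# Ciphers
# NOTE(review): ike/esp are placed directly under ciphers as siblings of
# defaults; the nesting was inferred from a rendering that lost indentation
# (yamllint's key-duplicates rule rules out a second ike/esp inside defaults).
# Confirm against the repository before relying on it.
ciphers:
  defaults:
    ike: aes128gcm16-prfsha512-ecp256,aes128-sha2_256-modp2048
    esp: aes128gcm16-ecp256,aes128-sha2_256-modp2048
  ike: aes128gcm16-prfsha512-ecp256,aes128-sha2_256-modp2048
  esp: aes128gcm16-ecp256,aes128-sha2_256-modp2048

# Cloud provider specific
algo_provider: local
cloud_providers:
  - ec2
  - gce
  - azure
  - do
  - lightsail
  - scaleway
  - openstack
  - cloudstack
  - hetzner
  - linode
  - vultr
provider_dns_servers:
  - 1.1.1.1
  - 1.0.0.1
# Quoted defensively: a bare ~ is YAML's null literal, so a path starting
# with ~ is safest as an explicit string on every loader
ansible_ssh_private_key_file: '~/.ssh/id_rsa'

# Defaults
# Minimal inventory-shaped data (hostname, hostvars, groups) for tests that read it
inventory_hostname: localhost
hostvars:
  localhost: {}
groups:
  vpn-host:
    - localhost
# Stand-in for Ansible's `omit` special variable — presumably; verify against
# the test harness that loads this fixture
omit: OMIT_PLACEHOLDER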