mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-05 03:23:14 +02:00
454faa96b1
* fix: Add no_log to tasks handling sensitive information - Add no_log: true to OpenSSL commands that contain passwords/passphrases - Add no_log: true to WireGuard key generation commands - Add no_log: true to password/CA password generation tasks - Add no_log: true to AWS credential handling tasks - Add no_log: true to QR code generation that contains full configs This prevents sensitive information like passwords, private keys, and WireGuard configurations from being logged to syslog/journald. Fixes #1617 * feat: Comprehensive privacy enhancements - Add no_log directives to all cloud provider credential handling - Set privacy-focused defaults (StrongSwan logging disabled, DNSCrypt syslog off) - Implement privacy role with log rotation, history clearing, and log filtering - Add Privacy Considerations section to README - Make all privacy features configurable and enabled by default This update significantly reduces Algo's logging footprint to enhance user privacy while maintaining the ability to enable logging for debugging when needed. * docs: Move privacy documentation from README to FAQ - Remove Privacy Considerations section from README - Add expanded 'Does Algo support zero logging?' question to FAQ - Better placement alongside existing logging/monitoring questions - More detailed explanation of privacy features and limitations * fix: Remove invalid 'bool' filter from Jinja2 template The privacy-monitor.sh.j2 template was using '| bool' which is not a valid Jinja2 filter. The 'bool' is a built-in Python function, not a Jinja2 filter. Fixed by removing the '| bool' filter and directly outputting the boolean variables as they will be rendered correctly by Jinja2. This resolves the template syntax error that was causing CI tests to fail: "No filter named 'bool'" error in privacy monitoring script template. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix YAML linting issues in privacy role * Fix linting warnings: shellcheck and ansible-lint issues - Fixed all shellcheck warnings in test scripts: - Quoted variables to prevent word splitting - Replaced A && B || C constructs with proper if-then-else - Changed unused loop variable to _ - Added shellcheck directives for FreeBSD rc.d script - Fixed ansible-lint risky-file-permissions warnings: - Added explicit file permissions for sensitive files (mode 0600) - Added permissions for config files and certificates (mode 0644) - Set proper permissions for directories (mode 0755) - Fixed yamllint compatibility with ansible-lint: - Added required octal-values configuration - Quoted all octal mode values to prevent YAML misinterpretation - Added comments-indentation: false as required All tests pass and functionality remains unchanged. * Remove algo.egg-info from version control This directory is generated by Python package tools (pip/setuptools) and should not be tracked in git. It's already listed in .gitignore but was accidentally committed. The directory contains build metadata that is regenerated when the package is installed. * Restructure privacy documentation for clarity - Simplified FAQ entry to be concise with link to README for details - Added comprehensive Privacy and Logging section to README - Clarified what IS logged by default vs what is not - Explained two separate privacy settings (strongswan_log_level and privacy_enhancements_enabled) - Added clear debugging instructions (need to change both settings) - Removed confusing language about "enabling additional features" - Made documentation more natural and less AI-generated sounding 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix Ubuntu 22.04 iptables deployment issues and simplify config.cfg Issues fixed: 1. Added base 'iptables' package to batch installation list (was missing, only iptables-persistent was included) 2. Fixed alternatives configuration for Ubuntu 22.04+ - only configure main iptables/ip6tables alternatives, not save/restore (they're handled as slaves) Config.cfg improvements: - Reduced from 308 to 198 lines (35% reduction) - Moved privacy settings above "Advanced users only" line for better accessibility - Clarified algo_no_log is for Ansible output, not server privacy - Simplified verbose comments throughout - Moved experimental performance options to commented section at end - Better organized into logical sections 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Add privacy features to README and improve feature descriptions - Added privacy-focused feature bullet highlighting minimal logging and privacy enhancements - Simplified IKEv2 bullet (removed redundant platform list) - Updated helper scripts description to be more comprehensive - Specified Ubuntu 22.04 LTS and automatic security updates - Made feature list more concise and accurate 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix logrotate duplicate entries error in privacy role The privacy role was creating logrotate configs that duplicated the default Ubuntu rsyslog logrotate rules, causing deployment failures with errors like 'duplicate log entry for /var/log/syslog'. Changes: - Disable default rsyslog logrotate config before applying privacy configs - Consolidate system log rotation into single config file - Add missingok flag to handle logs that may not exist on all systems - Remove forced immediate rotation that was triggering the error This ensures privacy-enhanced log rotation works without conflicts. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix 'history: not found' error in privacy role The 'history -c' command was failing because history is a bash built-in that doesn't exist in /bin/sh (Ubuntu's default shell for scripts). Changes: - Removed the 'Clear current session history' task since it's ineffective in Ansible context (each task runs in a new shell) - History files are already cleared by the existing file removal tasks - Added explanatory comment about why session history clearing is omitted This fixes the deployment failure while maintaining all effective history clearing functionality. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> * Fix BPF JIT sysctl error in privacy role The net.core.bpf_jit_enable sysctl parameter was failing on some systems because BPF JIT support is not available in all kernel configurations. Changes: - Separated BPF JIT setting into its own task with ignore_errors - Made BPF JIT disabling optional since it's not critical for privacy - Added explanatory comments about kernel support variability - Both runtime sysctl and persistent config now handle missing parameter This allows deployments to succeed on systems without BPF JIT support while still applying the setting where available. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
199 lines
6.6 KiB
INI
199 lines
6.6 KiB
INI
---
|
|
|
|
# This is the list of users to generate.
|
|
# Every device must have a unique user.
|
|
# You can add up to 65,534 new users over the lifetime of an AlgoVPN.
|
|
# User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
|
|
# Email addresses are not allowed.
|
|
users:
|
|
- phone
|
|
- laptop
|
|
- desktop
|
|
|
|
### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
|
|
|
|
# SSH port for cloud deployments (doesn't apply to existing Ubuntu servers)
|
|
ssh_port: 4160
|
|
|
|
# VPN protocols to deploy
|
|
ipsec_enabled: true
|
|
wireguard_enabled: true
|
|
wireguard_port: 51820 # Change if blocked by your network (avoid 53/UDP)
|
|
|
|
# Use different IP for outbound traffic (DigitalOcean only)
|
|
alternative_ingress_ip: false
|
|
|
|
# Reduce MTU if connections hang (0 = auto-detect)
|
|
# See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
|
|
reduce_mtu: 0
|
|
|
|
# Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more)
|
|
adblock_lists:
|
|
- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
|
|
|
|
# DNS encryption (required if using ad blocking)
|
|
dns_encryption: true
|
|
|
|
# Client isolation (set false for "road warrior" setup where clients can reach each other)
|
|
BetweenClients_DROP: true
|
|
block_smb: true # Block SMB/CIFS traffic
|
|
block_netbios: true # Block NETBIOS traffic
|
|
|
|
# Automatic reboot for security updates (time in server's timezone, default UTC)
|
|
unattended_reboot:
|
|
enabled: false
|
|
time: 06:00
|
|
|
|
### Privacy Settings ###
|
|
# StrongSwan connection logging (-1 = disabled, 2 = debug)
|
|
strongswan_log_level: -1
|
|
|
|
# Master switch for privacy enhancements (log rotation, history clearing, etc.)
|
|
# Set to false for debugging. For advanced privacy options, see roles/privacy/defaults/main.yml
|
|
privacy_enhancements_enabled: true
|
|
|
|
### Advanced users only below this line ###
|
|
|
|
# DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)
|
|
dnscrypt_servers:
|
|
ipv4:
|
|
- cloudflare
|
|
# - google
|
|
# - YourCustomServer # For NextDNS etc., add stamp below
|
|
ipv6:
|
|
- cloudflare-ipv6
|
|
|
|
custom_server_stamps:
|
|
# YourCustomServer: 'sdns://...'
|
|
|
|
# DNS servers when encryption is disabled
|
|
dns_servers:
|
|
ipv4:
|
|
- 1.1.1.1
|
|
- 1.0.0.1
|
|
ipv6:
|
|
- 2606:4700:4700::1111
|
|
- 2606:4700:4700::1001
|
|
|
|
# Store PKI in RAM disk when not retaining (MacOS/Linux only)
|
|
pki_in_tmpfs: true
|
|
|
|
# Regenerate ALL user certs on update-users (not just new users)
|
|
keys_clean_all: false
|
|
|
|
### VPN Network Configuration ###
|
|
strongswan_network: 10.48.0.0/16
|
|
strongswan_network_ipv6: '2001:db8:4160::/48'
|
|
|
|
wireguard_network_ipv4: 10.49.0.0/16
|
|
wireguard_network_ipv6: 2001:db8:a160::/48
|
|
|
|
# Keep NAT connections alive (0 = disabled)
|
|
wireguard_PersistentKeepalive: 0
|
|
|
|
### Experimental Performance Options ###
|
|
# These are experimental and may cause issues. Enable at your own risk.
|
|
# performance_skip_optional_reboots: false # Skip non-kernel reboots
|
|
# performance_parallel_crypto: false # Parallel key generation
|
|
# performance_parallel_packages: false # Batch package installation
|
|
# performance_preinstall_packages: false # Pre-install via cloud-init
|
|
# performance_parallel_services: false # Configure VPN services in parallel
|
|
|
|
# Randomly generated IP address for the local dns resolver
|
|
local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
|
|
local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
|
|
|
|
# Hide sensitive data in Ansible output during deployment (passwords, keys, etc.)
|
|
# This is NOT related to privacy/logging on the VPN server itself
|
|
algo_no_log: true
|
|
|
|
congrats:
|
|
common: |
|
|
"# Congratulations! #"
|
|
"# Your Algo server is running. #"
|
|
"# Config files and certificates are in the ./configs/ directory. #"
|
|
"# Go to https://whoer.net/ after connecting #"
|
|
"# and ensure that all your traffic passes through the VPN. #"
|
|
"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
|
|
p12_pass: |
|
|
"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
|
|
ca_key_pass: |
|
|
"# The CA key password is {{ CA_password|default(omit) }} #"
|
|
ssh_access: |
|
|
"# Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }} #"
|
|
|
|
SSH_keys:
|
|
comment: algo@ssh
|
|
private: configs/algo.pem
|
|
private_tmp: /tmp/algo-ssh.pem
|
|
public: configs/algo.pem.pub
|
|
|
|
cloud_providers:
|
|
azure:
|
|
size: Standard_B1S
|
|
osDisk:
|
|
# The storage account type to use for the OS disk. Possible values:
|
|
# 'Standard_LRS', 'Premium_LRS', 'StandardSSD_LRS', 'UltraSSD_LRS',
|
|
# 'Premium_ZRS', 'StandardSSD_ZRS', 'PremiumV2_LRS'.
|
|
type: Standard_LRS
|
|
image:
|
|
publisher: Canonical
|
|
offer: 0001-com-ubuntu-minimal-jammy-daily
|
|
sku: minimal-22_04-daily-lts
|
|
version: latest
|
|
digitalocean:
|
|
# See docs for extended droplet options, pricing, and availability.
|
|
# Possible values: 's-1vcpu-512mb-10gb', 's-1vcpu-1gb', ...
|
|
size: s-1vcpu-1gb
|
|
image: "ubuntu-22-04-x64"
|
|
ec2:
|
|
# Change the encrypted flag to "false" to disable AWS volume encryption.
|
|
encrypted: true
|
|
# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
|
|
# Additional prompt will be raised to determine which IP to use
|
|
use_existing_eip: false
|
|
size: t2.micro
|
|
image:
|
|
name: "ubuntu-jammy-22.04"
|
|
arch: x86_64
|
|
owner: "099720109477"
|
|
# Change instance_market_type from "on-demand" to "spot" to launch a spot
|
|
# instance. See deploy-from-ansible.md for spot's additional IAM permission
|
|
instance_market_type: on-demand
|
|
gce:
|
|
size: e2-micro
|
|
image: ubuntu-2204-lts
|
|
external_static_ip: false
|
|
lightsail:
|
|
size: nano_2_0
|
|
image: ubuntu_22_04
|
|
scaleway:
|
|
size: DEV1-S
|
|
image: Ubuntu 22.04 Jammy Jellyfish
|
|
arch: x86_64
|
|
hetzner:
|
|
server_type: cpx11
|
|
image: ubuntu-22.04
|
|
openstack:
|
|
flavor_ram: ">=512"
|
|
image: Ubuntu-22.04
|
|
cloudstack:
|
|
size: Micro
|
|
image: Linux Ubuntu 22.04 LTS 64-bit
|
|
disk: 10
|
|
vultr:
|
|
os: Ubuntu 22.04 LTS x64
|
|
size: vc2-1c-1gb
|
|
linode:
|
|
type: g6-nanode-1
|
|
image: linode/ubuntu22.04
|
|
local:
|
|
|
|
fail_hint:
|
|
- Sorry, but something went wrong!
|
|
- Please check the troubleshooting guide.
|
|
- https://trailofbits.github.io/algo/troubleshooting.html
|
|
|
|
booleans_map:
|
|
Y: true
|
|
y: true
|