elreydetoda/Vagrantfile

## Vagrantfile
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
  config.vm.box = "bento/ubuntu-18.04"
  config.vm.provision "shell", inline: <<-SHELL
    # installing and configure docker stuff
    curl -fsSL 'https://get.docker.com' | bash
    sudo usermod -aG docker vagrant

    # get algo docker stuff
    docker pull trailofbits/algo:latest

    # disable MOTD (it's annoying...)
    sudo chmod -x /etc/update-motd.d/*

    # installing necessary packages
    export DEBIAN_FRONTEND='noninteractive'
    sudo apt-get update && sudo apt-get install -y \
      qrencode

    # putting all following stuff in /vagrant
    pushd /vagrant

    # saving default config.cfg
    curl -OfsSL 'https://raw.githubusercontent.com/trailofbits/algo/master/config.cfg'

    # checking if configs dir exists
    # putting in ~vagrant/.bashrc for when user gets in
    if [[ -d /vagrant/configs ]] ; then
      # execute with a user update
      cat >> ~vagrant/.bashrc <<'EOF'
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data -e \"ALGO_ARGS=update-users\" \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n'
EOF
    else
      # all the following happens
      # execute normally
      cat >> ~vagrant/.bashrc <<'EOF'
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n'
EOF
    fi
  SHELL
end

## Vagrantfile.elrey
# -*- mode: ruby -*-
# vi: set ft=ruby :

Vagrant.configure("2") do |config|
  config.vm.box = "bento/ubuntu-18.04"
  config.vm.provision "shell", inline: <<-SHELL
    # installing and configure docker stuff
    curl -fsSL 'https://get.docker.com' | bash
    sudo usermod -aG docker vagrant

    # get algo docker stuff
    docker pull trailofbits/algo:latest

    # disable MOTD (it's annoying...)
    sudo chmod -x /etc/update-motd.d/*

    # installing necessary packages
    export DEBIAN_FRONTEND='noninteractive'
    sudo apt-get update && sudo apt-get install -y \
      qrencode

    # putting all following stuff in /vagrant
    pushd /vagrant

    # saving default config.cfg
    curl -fsSLo config.cfg 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/z-personal_config.cfg'

    # checking if configs dir exists
    # putting in ~vagrant/.bashrc for when user gets in
    if [[ -d /vagrant/configs ]] ; then
      # execute with a user update
      cat >> ~vagrant/.bashrc <<'EOF'
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data -e \"ALGO_ARGS=update-users\" \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n'
EOF
    else
      # all the following happens
      # execute normally
      cat >> ~vagrant/.bashrc <<'EOF'
pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n'
EOF
    fi
  SHELL
end

## z-cmds
# if you a vanilla install
wget 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/Vagrantfile'

# if you want my personal config
wget -O Vagrantfile 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/Vagrantfile.elrey'

## my personal config contains the following customizations
# - pki_in_tmpfs: false - changed to not be in tmpfs so you can continue to use wireguard for long periods of time (although, cool feature checkout more here: https://github.com/trailofbits/algo/issues/145)
# - disables ipsec vpn, to only use wireguard
# - sets the wireguard_PersistentKeepalive to 25 to help with NAT Traversal (https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence)
# - change ip address to 100.66.0.0/24 so it doesn't clash with internal ips: https://en.wikipedia.org/wiki/Reserved_IP_addresses
# - enable unattended_reboot (reboot machine if need to install updates: https://github.com/trailofbits/algo/blob/f8ce1f84a2777f18803d62e4324bbf67989a7450/config.cfg#L99-L103)
# - BetweenClients_DROP: false - Allow clients to communicate to each other (to allow you to ssh or rdp to them)
# -

## z-personal_config.cfg
---

# This is the list of users to generate.
# Every device must have a unique user.
# You can add up to 65,534 new users over the lifetime of an AlgoVPN.
# User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
# Email addresses are not allowed.
users:
  - phone
  - laptop
  - desktop

### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.

# Change default SSH port for the cloud roles only
# It doesn't apply if you deploy to your existing Ubuntu Server
ssh_port: 4160

# Deploy StrongSwan to enable IPsec support
ipsec_enabled: false

# Deploy WireGuard
# WireGuard will listen on 51820/UDP. You might need to change to another port
# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
# mobile data networks.
wireguard_enabled: true
wireguard_port: 51820

# This feature allows you to configure the Algo server to send outbound traffic
# through a different external IP address than the one you are establishing the VPN connection with.
# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
# Available for the following cloud providers:
# - DigitalOcean
alternative_ingress_ip: false

# Reduce the MTU of the VPN tunnel
# Some cloud and internet providers use a smaller MTU (Maximum Transmission
# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
# VPN tunnel some network connections will hang. Algo will attempt to set this
# automatically based on your server, but if connections hang you might need to
# adjust this yourself.
# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
reduce_mtu: 0

# Algo will use the following lists to block ads. You can add new block lists
# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
# /usr/local/sbin/adblock.sh
# If you load very large blocklists, you may also have to modify resource limits:
# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
adblock_lists:
 - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"

# Enable DNS encryption.
# If 'false', 'dns_servers' should be specified below.
# DNS encryption can not be disabled if DNS adblocking is enabled
dns_encryption: true

# Block traffic between connected clients. Change this to false to enable
# connected clients to reach each other, as well as other computers on the
# same LAN as your Algo server (i.e. the "road warrior" setup). In this
# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
BetweenClients_DROP: false

# Block SMB/CIFS traffic
block_smb: true

# Block NETBIOS traffic
block_netbios: true

# Your Algo server will automatically install security updates. Some updates
# require a reboot to take effect but your Algo server will not reboot itself
# automatically unless you change 'enabled' below from 'false' to 'true', in
# which case a reboot will take place if necessary at the time specified (as
# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
unattended_reboot:
  enabled: true
  time: 03:00

### Advanced users only below this line ###

# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
# providers may be specified, but avoid mixing providers that filter results
# (like Cisco) with those that don't (like Cloudflare) or you could get
# inconsistent results. The list of available public providers can be found
# here:
# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
dnscrypt_servers:
  ipv4:
    - cloudflare
#   - google
  ipv6:
    - cloudflare-ipv6

# DNS servers which will be used if 'dns_encryption' is 'false'.
# Fallback resolvers for systemd-resolved
# The default is to use Cloudflare.
dns_servers:
  ipv4:
    - 1.1.1.1
    - 1.0.0.1
  ipv6:
    - 2606:4700:4700::1111
    - 2606:4700:4700::1001

# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
pki_in_tmpfs: false

# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
keys_clean_all: false

# StrongSwan log level
# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
strongswan_log_level: 2

# rightsourceip for ipsec
# ipv4
strongswan_network: 10.48.0.0/16
# ipv6
strongswan_network_ipv6: '2001:db8:4160::/48'

# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
# This option will keep the "connection" open in the eyes of NAT.
# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
wireguard_PersistentKeepalive: 25

# WireGuard network configuration
wireguard_network_ipv4: 100.66.0.0/24
wireguard_network_ipv6: 2001:db8:a160::/48

# Randomly generated IP address for the local dns resolver
local_service_ip: "{{ '172.16.0.1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
local_service_ipv6: "{{ 'fd00::1' | ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"

# Hide sensetive data
no_log: true

congrats:
  common: |
    "#                          Congratulations!                            #"
    "#                     Your Algo server is running.                     #"
    "#    Config files and certificates are in the ./configs/ directory.    #"
    "#              Go to https://whoer.net/ after connecting               #"
    "#        and ensure that all your traffic passes through the VPN.      #"
    "#                     Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }}                   #"
  p12_pass: |
    "#        The p12 and SSH keys password for new users is {{ p12_export_password }}       #"
  ca_key_pass: |
    "#        The CA key password is {{ CA_password|default(omit) }}       #"
  ssh_access: |
    "#      Shell access: ssh -F configs/{{ ansible_ssh_host|default(omit) }}/ssh_config {{ algo_server_name }}        #"

SSH_keys:
  comment: algo@ssh
  private: configs/algo.pem
  private_tmp: /tmp/algo-ssh.pem
  public: configs/algo.pem.pub

cloud_providers:
  azure:
    size: Standard_B1S
    image:
      publisher: Canonical
      offer: 0001-com-ubuntu-server-focal-daily
      sku: 20_04-daily-lts
      version: latest
  digitalocean:
    size: s-1vcpu-1gb
    image: "ubuntu-20-04-x64"
  ec2:
    # Change the encrypted flag to "false" to disable AWS volume encryption.
    encrypted: true
    # Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
    # Additional prompt will be raised to determine which IP to use
    use_existing_eip: false
    size: t2.micro
    image:
      name: "ubuntu-focal-20.04"
      owner: "099720109477"
  gce:
    size: f1-micro
    image: ubuntu-2004-lts
    external_static_ip: false
  lightsail:
    size: nano_2_0
    image: ubuntu_20_04
  scaleway:
    size: DEV1-S
    image: Ubuntu 20.04 Focal Fossa
    arch: x86_64
  hetzner:
    server_type: cx11
    image: ubuntu-20.04
  openstack:
    flavor_ram: ">=512"
    image:  Ubuntu-18.04
  cloudstack:
    size: Micro
    image: Linux Ubuntu 20.04 LTS 64-bit
    disk: 10
  vultr:
    os: Ubuntu 20.04 x64
    size: 1024 MB RAM,25 GB SSD,1.00 TB BW
  linode:
    type: g6-nanode-1
    image: linode/ubuntu20.04
  local:

fail_hint:
  - Sorry, but something went wrong!
  - Please check the troubleshooting guide.
  - https://trailofbits.github.io/algo/troubleshooting.html

booleans_map:
  Y: true
  y: true
	# -- mode: ruby --
	# vi: set ft=ruby :

	Vagrant.configure("2") do \|config\|
	config.vm.box = "bento/ubuntu-18.04"
	config.vm.provision "shell", inline: <<-SHELL
	# installing and configure docker stuff
	curl -fsSL 'https://get.docker.com' \| bash
	sudo usermod -aG docker vagrant

	# get algo docker stuff
	docker pull trailofbits/algo:latest

	# disable MOTD (it's annoying...)
	sudo chmod -x /etc/update-motd.d/*

	# installing necessary packages
	export DEBIAN_FRONTEND='noninteractive'
	sudo apt-get update && sudo apt-get install -y \
	qrencode

	# putting all following stuff in /vagrant
	pushd /vagrant

	# saving default config.cfg
	curl -OfsSL 'https://raw.githubusercontent.com/trailofbits/algo/master/config.cfg'

	# checking if configs dir exists
	# putting in ~vagrant/.bashrc for when user gets in
	if [[ -d /vagrant/configs ]] ; then
	# execute with a user update
	cat >> ~vagrant/.bashrc <<'EOF'
	pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data -e \"ALGO_ARGS=update-users\" \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n'
	EOF
	else
	# all the following happens
	# execute normally
	cat >> ~vagrant/.bashrc <<'EOF'
	pushd /vagrant && printf '\nPlease run the following command:\n\ndocker container run -it -v \"$(pwd)\":/data \\\n--cap-drop=all --cap-add=DAC_OVERRIDE --cap-add=FOWNER \\\ntrailofbits/algo:latest\n'
	EOF
	fi
	SHELL
	end
	# if you a vanilla install
	wget 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/Vagrantfile'

	# if you want my personal config
	wget -O Vagrantfile 'https://gist.githubusercontent.com/elreydetoda/bac472aef59fc8d47145c4f25330187b/raw/Vagrantfile.elrey'

	## my personal config contains the following customizations
	# - pki_in_tmpfs: false - changed to not be in tmpfs so you can continue to use wireguard for long periods of time (although, cool feature checkout more here: https://github.com/trailofbits/algo/issues/145)
	# - disables ipsec vpn, to only use wireguard
	# - sets the wireguard_PersistentKeepalive to 25 to help with NAT Traversal (https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence)
	# - change ip address to 100.66.0.0/24 so it doesn't clash with internal ips: https://en.wikipedia.org/wiki/Reserved_IP_addresses
	# - enable unattended_reboot (reboot machine if need to install updates: https://github.com/trailofbits/algo/blob/f8ce1f84a2777f18803d62e4324bbf67989a7450/config.cfg#L99-L103)
	# - BetweenClients_DROP: false - Allow clients to communicate to each other (to allow you to ssh or rdp to them)
	# -
	---

	# This is the list of users to generate.
	# Every device must have a unique user.
	# You can add up to 65,534 new users over the lifetime of an AlgoVPN.
	# User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
	# Email addresses are not allowed.
	users:
	- phone
	- laptop
	- desktop

	### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.

	# Change default SSH port for the cloud roles only
	# It doesn't apply if you deploy to your existing Ubuntu Server
	ssh_port: 4160

	# Deploy StrongSwan to enable IPsec support
	ipsec_enabled: false

	# Deploy WireGuard
	# WireGuard will listen on 51820/UDP. You might need to change to another port
	# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
	# mobile data networks.
	wireguard_enabled: true
	wireguard_port: 51820

	# This feature allows you to configure the Algo server to send outbound traffic
	# through a different external IP address than the one you are establishing the VPN connection with.
	# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
	# Available for the following cloud providers:
	# - DigitalOcean
	alternative_ingress_ip: false

	# Reduce the MTU of the VPN tunnel
	# Some cloud and internet providers use a smaller MTU (Maximum Transmission
	# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
	# VPN tunnel some network connections will hang. Algo will attempt to set this
	# automatically based on your server, but if connections hang you might need to
	# adjust this yourself.
	# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
	reduce_mtu: 0

	# Algo will use the following lists to block ads. You can add new block lists
	# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
	# /usr/local/sbin/adblock.sh
	# If you load very large blocklists, you may also have to modify resource limits:
	# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
	adblock_lists:
	- "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"

	# Enable DNS encryption.
	# If 'false', 'dns_servers' should be specified below.
	# DNS encryption can not be disabled if DNS adblocking is enabled
	dns_encryption: true

	# Block traffic between connected clients. Change this to false to enable
	# connected clients to reach each other, as well as other computers on the
	# same LAN as your Algo server (i.e. the "road warrior" setup). In this
	# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
	BetweenClients_DROP: false

	# Block SMB/CIFS traffic
	block_smb: true

	# Block NETBIOS traffic
	block_netbios: true

	# Your Algo server will automatically install security updates. Some updates
	# require a reboot to take effect but your Algo server will not reboot itself
	# automatically unless you change 'enabled' below from 'false' to 'true', in
	# which case a reboot will take place if necessary at the time specified (as
	# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
	unattended_reboot:
	enabled: true
	time: 03:00

	### Advanced users only below this line ###

	# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
	# providers may be specified, but avoid mixing providers that filter results
	# (like Cisco) with those that don't (like Cloudflare) or you could get
	# inconsistent results. The list of available public providers can be found
	# here:
	# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
	dnscrypt_servers:
	ipv4:
	- cloudflare
	# - google
	ipv6:
	- cloudflare-ipv6

	# DNS servers which will be used if 'dns_encryption' is 'false'.
	# Fallback resolvers for systemd-resolved
	# The default is to use Cloudflare.
	dns_servers:
	ipv4:
	- 1.1.1.1
	- 1.0.0.1
	ipv6:
	- 2606:4700:4700::1111
	- 2606:4700:4700::1001

	# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
	# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
	pki_in_tmpfs: false

	# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
	keys_clean_all: false

	# StrongSwan log level
	# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
	strongswan_log_level: 2

	# rightsourceip for ipsec
	# ipv4
	strongswan_network: 10.48.0.0/16
	# ipv6
	strongswan_network_ipv6: '2001:db8:4160::/48'

	# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
	# This option will keep the "connection" open in the eyes of NAT.
	# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
	wireguard_PersistentKeepalive: 25

	# WireGuard network configuration
	wireguard_network_ipv4: 100.66.0.0/24
	wireguard_network_ipv6: 2001:db8:a160::/48

	# Randomly generated IP address for the local dns resolver
	local_service_ip: "{{ '172.16.0.1' \| ipmath(1048573 \| random(seed=algo_server_name + ansible_fqdn)) }}"
	local_service_ipv6: "{{ 'fd00::1' \| ipmath(1048573 \| random(seed=algo_server_name + ansible_fqdn)) }}"

	# Hide sensetive data
	no_log: true

	congrats:
	common: \|
	"# Congratulations! #"
	"# Your Algo server is running. #"
	"# Config files and certificates are in the ./configs/ directory. #"
	"# Go to https://whoer.net/ after connecting #"
	"# and ensure that all your traffic passes through the VPN. #"
	"# Local DNS resolver {{ local_service_ip }}{{ ', ' + local_service_ipv6 if ipv6_support else '' }} #"
	p12_pass: \|
	"# The p12 and SSH keys password for new users is {{ p12_export_password }} #"
	ca_key_pass: \|
	"# The CA key password is {{ CA_password\|default(omit) }} #"
	ssh_access: \|
	"# Shell access: ssh -F configs/{{ ansible_ssh_host\|default(omit) }}/ssh_config {{ algo_server_name }} #"

	SSH_keys:
	comment: algo@ssh
	private: configs/algo.pem
	private_tmp: /tmp/algo-ssh.pem
	public: configs/algo.pem.pub

	cloud_providers:
	azure:
	size: Standard_B1S
	image:
	publisher: Canonical
	offer: 0001-com-ubuntu-server-focal-daily
	sku: 20_04-daily-lts
	version: latest
	digitalocean:
	size: s-1vcpu-1gb
	image: "ubuntu-20-04-x64"
	ec2:
	# Change the encrypted flag to "false" to disable AWS volume encryption.
	encrypted: true
	# Set use_existing_eip to "true" if you want to use a pre-allocated Elastic IP
	# Additional prompt will be raised to determine which IP to use
	use_existing_eip: false
	size: t2.micro
	image:
	name: "ubuntu-focal-20.04"
	owner: "099720109477"
	gce:
	size: f1-micro
	image: ubuntu-2004-lts
	external_static_ip: false
	lightsail:
	size: nano_2_0
	image: ubuntu_20_04
	scaleway:
	size: DEV1-S
	image: Ubuntu 20.04 Focal Fossa
	arch: x86_64
	hetzner:
	server_type: cx11
	image: ubuntu-20.04
	openstack:
	flavor_ram: ">=512"
	image: Ubuntu-18.04
	cloudstack:
	size: Micro
	image: Linux Ubuntu 20.04 LTS 64-bit
	disk: 10
	vultr:
	os: Ubuntu 20.04 x64
	size: 1024 MB RAM,25 GB SSD,1.00 TB BW
	linode:
	type: g6-nanode-1
	image: linode/ubuntu20.04
	local:

	fail_hint:
	- Sorry, but something went wrong!
	- Please check the troubleshooting guide.
	- https://trailofbits.github.io/algo/troubleshooting.html

	booleans_map:
	Y: true
	y: true