# config.auto.tfvars — deployment settings for an Algo VPN server.
# Terraform loads *.auto.tfvars automatically; the single `config` object below
# is consumed by the Terraform/Ansible deployment (see the trailofbits/algo
# links further down). Values are data, not code: list order is meaningful
# where noted (e.g. resolver preference), so keep entries in the order intended.
config = {
  # This is the list of users to generate.
  # Every device must have a unique username.
  # Per-user credentials/configs are derived from these names; remove a name
  # and redeploy to revoke a device rather than sharing one entry between devices.
  vpn_users = [
    "phone",
    "laptop",
    "desktop"
  ]
  # Deploy StrongSwan to enable IPsec support
  ipsec = {
    enabled = true
    # CIDR ranges for the IPsec side (presumably the client address pools —
    # confirm against the deployment role). Must not overlap the WireGuard ranges.
    ipv4 = "10.100.0.0/16"
    ipv6 = "fd9d:bc11:4020::/64"
  }
  # Deploy WireGuard
  wireguard = {
    enabled = true
    # CIDR ranges for the WireGuard side; distinct from the IPsec ranges above.
    ipv4 = "10.200.0.0/16"
    ipv6 = "fd9d:bc11:4021::/64"
    # UDP listen port (51820 is WireGuard's well-known default; the cloud
    # firewall rules created by the deployment must allow it).
    port = 51820
    # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
    # This option will keep the "connection" open in the eyes of NAT.
    # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
    # 0 disables keepalives; a small positive value is an interval in seconds
    # and causes periodic traffic even when the tunnel is otherwise idle.
    persistent_keepalive = 0
  }
  dns = {
    adblocking = {
      enabled = true
      # Remote block lists. NOTE(review): whatever these third-party URLs serve
      # is trusted as-is by the deployment — review the sources before enabling,
      # and expect a stale or unreachable list to affect deployment (confirm how
      # fetch failures are handled).
      lists = [
        "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts",
        "https://hosts-file.net/ad_servers.txt"
      ]
    }
    encryption = {
      # Enable DNS encryption.
      # If 'false', resolvers should be specified below.
      # Cannot be disabled if adblocking is enabled
      enabled = true
      # DNS servers which will be used if dns encryption is enabled. Multiple
      # providers may be specified, but avoid mixing providers that filter results
      # (like Cisco) with those that don't (like Cloudflare) or you could get
      # inconsistent results. The list of available public providers can be found
      # here:
      # https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
      # Entries are provider names from that list, not IP addresses.
      servers = {
        ipv4 = [
          "cloudflare"
        ]
        ipv6 = [
          "cloudflare-ipv6"
        ]
      }
    }
    # DNS resolvers which will be used if dns encryption is disabled
    # The default is to use Cloudflare.
    # Plain (unencrypted) upstreams — only used when encryption.enabled = false.
    # List order is presumably the preference order; keep it intentional.
    resolvers = {
      ipv4 = [
        "1.1.1.1",
        "1.0.0.1"
      ]
      ipv6 = [
        "2606:4700:4700::1111",
        "2606:4700:4700::1001"
      ]
    }
  }
  # Presumably provisions restricted SSH tunnel accounts for the users in
  # vpn_users — confirm against the deployment role. Each such account is an
  # additional SSH login path on the server; disable if tunneling is not needed.
  ssh_tunneling = true
  # MSS is the TCP Max Segment Size
  # Setting the 'max_mss' variable can solve some issues related to packet fragmentation
  # This appears to be necessary on (at least) Google Cloud,
  # however, some routers also require a change to this parameter
  # See also:
  # - https://github.com/trailofbits/algo/issues/216
  # - https://github.com/trailofbits/algo/issues?utf8=%E2%9C%93&q=is%3Aissue%20mtu
  # - https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
  # max_mss = 1316
  # 0 presumably leaves MSS clamping off; the commented value above is the
  # example the issues refer to.
  max_mss = 0
  # Block traffic between connected clients
  # Keep this true unless clients genuinely need to reach each other: it limits
  # what a compromised device can reach inside the VPN.
  drop_traffic_between_clients = true
  # StrongSwan log level
  # https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
  # Passed as a string. Higher levels log more peer/negotiation detail; raise
  # only while debugging and lower again afterwards.
  strongswan_log_level = "2"
  # Your Algo server will automatically install security updates. Some updates
  # require a reboot to take effect but your Algo server will not reboot itself
  # automatically unless you change 'enabled' below from 'false' to 'true', in
  # which case a reboot will take place if necessary at the time specified (as
  # HH:MM) in the time zone of your Algo server. The default time zone is UTC.
  # With enabled = false, updates that need a reboot (e.g. kernel) stay pending
  # until someone reboots the server manually — plan for that.
  unattended_reboot = {
    enabled = false
    time = "06:00"
  }
  # TODO: delete ssh authorized keys
  # NOTE(review): the effect of `unmanaged` is not documented here; the TODO
  # above is the only hint. Confirm the behavior before flipping it.
  unmanaged = false
  # Upgrade the system during the deployment
  system_upgrade = true
  # IKE and ESP cipher proposals for strongSwan. The trailing "!" makes the
  # proposal strict (no negotiation down to other suites), so changes here must
  # match what the client profiles are generated with.
  ciphers = {
    ipsec = {
      ike = "aes256gcm16-prfsha512-ecp384!"
      esp = "aes256gcm16-ecp384!"
    }
  }
  # Per-provider image, instance size and region.
  # NOTE(review): every image below is Ubuntu 19.04, a non-LTS release — confirm
  # it still receives security updates before deploying, or move to an LTS image.
  clouds = {
    azure = {
      image = "19.04"
      size = "Standard_B1S"
      region = "eastus"
    }
    digitalocean = {
      image = "ubuntu-19-04-x64"
      size = "s-1vcpu-1gb"
      region = "nyc1"
    }
    ec2 = {
      # true enables AWS EBS volume encryption (data at rest); set to false to disable.
      encrypted = true
      # Empty string presumably selects the provider's default key; set a
      # customer-managed KMS key ID to control the key policy and rotation yourself.
      kms_key_id = ""
      image = "ubuntu-disco-19.04"
      size = "t2.micro"
      region = "us-east-1"
    }
    gce = {
      image = "ubuntu-os-cloud/ubuntu-1904"
      size = "f1-micro"
      region = "us-east1"
    }
  }
}