From 5f26eacc6f10750c805d45d3aae84b1eea94d637 Mon Sep 17 00:00:00 2001
From: Jesse Luehrs
Date: Thu, 25 Feb 2021 23:39:23 -0500
Subject: update algo for hornet

---
 bin/algo-config | 10 +++++-----
 bin/helpers/algo-config.diff | 21 +++++++++++----------
 2 files changed, 16 insertions(+), 15 deletions(-)

(limited to 'bin')

diff --git a/bin/algo-config b/bin/algo-config
index 532c234..aac8ece 100755
--- a/bin/algo-config
+++ b/bin/algo-config
@@ -20,7 +20,7 @@ dns=$(perl -nle 'print $1 if /DNS\s*=\s*(.*),/' "$config_path"/hush.conf)
 sed -i 's|^\(Address.*\),.*|\1|' "$config_path"/hush.conf
 cp "$config_path"/hush.conf "$config_path"/hush-not-captive.conf
 sed -i 's|^AllowedIPs.*|AllowedIPs = 0.0.0.0/0|' "$config_path"/hush.conf
-sed -i "s|^AllowedIPs.*|AllowedIPs = 10.19.49.0/24, $dns/32|" "$config_path"/hush-not-captive.conf
+sed -i "s|^AllowedIPs.*|AllowedIPs = 10.49.0.0/24, $dns/32|" "$config_path"/hush-not-captive.conf
 sudo cp "$config_path"/hush.conf /etc/wireguard/algo-captive.conf
 sudo cp "$config_path"/hush-not-captive.conf /etc/wireguard/algo.conf
@@ -29,7 +29,7 @@ dns=$(perl -nle 'print $1 if /DNS\s*=\s*(.*),/' "$config_path"/tozt.conf)
 sed -i 's|^\(Address.*\),.*|\1|' "$config_path"/tozt.conf
 cp "$config_path"/tozt.conf "$config_path"/tozt-not-captive.conf
 sed -i 's|^AllowedIPs.*|AllowedIPs = 0.0.0.0/0|' "$config_path"/tozt.conf
-sed -i "s|^AllowedIPs.*|AllowedIPs = 10.19.49.0/24, $dns/32|" "$config_path"/tozt-not-captive.conf
+sed -i "s|^AllowedIPs.*|AllowedIPs = 10.49.0.0/24, $dns/32|" "$config_path"/tozt-not-captive.conf
 scp "$config_path"/tozt-not-captive.conf root@tozt.net:/etc/wireguard/algo.conf
 cp "$config_path"/tozt-not-captive.conf /mnt/puppet/tozt/wireguard
 $secrets_bin sync tozt
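Review bot: The added `sed` line in the hunk at -20 writes `AllowedIPs = 10.49.0.0/24, $dns/32` into hush-not-captive.conf, while the companion change in bin/helpers/algo-config.diff sets `wireguard_network_ipv4: 10.49.0.0/16`, so the client allow-list is narrower than the server network it is meant to cover. Any peer the server assigns an address outside 10.49.0.0/24 would be dropped by the client's AllowedIPs filter in these split-tunnel configs, which presumably only goes unnoticed because the user list is short. Either widen the value to match, `AllowedIPs = 10.49.0.0/16, $dns/32`, or put a comment above the sed recording that the /24 is an intentional narrowing of the /16. The same literal is repeated verbatim in the hunks at -29, -39, -49 and -59, so a single variable such as `algo_net=10.49.0.0/24` defined once in the script would keep the five copies from drifting apart again.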
@@ -39,7 +39,7 @@ dns=$(perl -nle 'print $1 if /DNS\s*=\s*(.*),/' "$config_path"/partofme.conf)
 sed -i 's|^\(Address.*\),.*|\1|' "$config_path"/partofme.conf
 cp "$config_path"/partofme.conf "$config_path"/partofme-not-captive.conf
 sed -i 's|^AllowedIPs.*|AllowedIPs = 0.0.0.0/0|' "$config_path"/partofme.conf
-sed -i "s|^AllowedIPs.*|AllowedIPs = 10.19.49.0/24, $dns/32|" "$config_path"/partofme-not-captive.conf
+sed -i "s|^AllowedIPs.*|AllowedIPs = 10.49.0.0/24, $dns/32|" "$config_path"/partofme-not-captive.conf
 scp "$config_path"/partofme-not-captive.conf root@partofme:/etc/wireguard/algo.conf
 cp "$config_path"/partofme-not-captive.conf /mnt/puppet/partofme/wireguard
 $secrets_bin sync partofme
@@ -49,7 +49,7 @@ dns=$(perl -nle 'print $1 if /DNS\s*=\s*(.*),/' "$config_path"/mail.conf)
 sed -i 's|^\(Address.*\),.*|\1|' "$config_path"/mail.conf
 cp "$config_path"/mail.conf "$config_path"/mail-not-captive.conf
 sed -i 's|^AllowedIPs.*|AllowedIPs = 0.0.0.0/0|' "$config_path"/mail.conf
-sed -i "s|^AllowedIPs.*|AllowedIPs = 10.19.49.0/24, $dns/32|" "$config_path"/mail-not-captive.conf
+sed -i "s|^AllowedIPs.*|AllowedIPs = 10.49.0.0/24, $dns/32|" "$config_path"/mail-not-captive.conf
 scp "$config_path"/mail-not-captive.conf root@mail.tozt.net:/etc/wireguard/algo.conf
 cp "$config_path"/mail-not-captive.conf /mnt/puppet/mail/wireguard
 $secrets_bin sync mail
@@ -59,7 +59,7 @@ dns=$(perl -nle 'print $1 if /DNS\s*=\s*(.*),/' "$config_path"/phone.conf)
 sed -i 's|^\(Address.*\),.*|\1|' "$config_path"/phone.conf
 cp "$config_path"/phone.conf "$config_path"/phone-not-captive.conf
 sed -i 's|^AllowedIPs.*|AllowedIPs = 0.0.0.0/0|' "$config_path"/phone.conf
-sed -i "s|^AllowedIPs.*|AllowedIPs = 10.19.49.0/24, $dns/32|" "$config_path"/phone-not-captive.conf
+sed -i "s|^AllowedIPs.*|AllowedIPs = 10.49.0.0/24, $dns/32|" "$config_path"/phone-not-captive.conf
 echo "algo-captive"
 segno --scale=5 --output="$config_path"/phone.png "$(cat "$config_path"/phone.conf)"
 sxiv "$config_path/phone.png"
diff --git a/bin/helpers/algo-config.diff b/bin/helpers/algo-config.diff
index e8181a4..efcc7fd 100644
--- a/bin/helpers/algo-config.diff
+++ b/bin/helpers/algo-config.diff
@@ -1,10 +1,10 @@
 diff --git i/config.cfg w/config.cfg
-index 6446398..671062a 100644
+index bee023f..c23c723 100644
 --- i/config.cfg
 +++ w/config.cfg
-@@ -6,9 +6,11 @@
- # Usernames with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
- # Emails are not allowed
+@@ -6,9 +6,12 @@
+ # User names with leading 0's or containing only numbers should be escaped in double quotes, e.g. "000dan" or "123".
+ # Email addresses are not allowed.
  users:
 + - hush
 + - partofme
@@ -13,10 +13,11 @@ index 6446398..671062a 100644
 - - desktop
 + - tozt
 + - mail
++ - hornet
  ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
-@@ -17,7 +19,7 @@ users:
+@@ -17,7 +20,7 @@ users:
  ssh_port: 4160
  # Deploy StrongSwan to enable IPsec support
@@ -25,7 +26,7 @@ index 6446398..671062a 100644
  # Deploy WireGuard
  # WireGuard will listen on 51820/UDP. You might need to change to another port
-@@ -40,7 +42,7 @@ alternative_ingress_ip: false
+@@ -40,7 +43,7 @@ alternative_ingress_ip: false
  # automatically based on your server, but if connections hang you might need to
  # adjust this yourself.
  # See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
@@ -34,7 +35,7 @@ index 6446398..671062a 100644
  # Algo will use the following lists to block ads. You can add new block lists
  # after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
-@@ -60,7 +62,7 @@ dns_encryption: true
+@@ -59,7 +62,7 @@ dns_encryption: true
  # connected clients to reach each other, as well as other computers on the
  # same LAN as your Algo server (i.e. the "road warrior" setup). In this
  # case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
@@ -43,7 +44,7 @@ index 6446398..671062a 100644
  # Block SMB/CIFS traffic
  block_smb: true
-@@ -74,7 +76,7 @@ block_netbios: true
+@@ -73,7 +76,7 @@ block_netbios: true
  # which case a reboot will take place if necessary at the time specified (as
  # HH:MM) in the time zone of your Algo server. The default time zone is UTC.
  unattended_reboot:
@@ -52,7 +53,7 @@ index 6446398..671062a 100644
  time: 06:00
  ### Advanced users only below this line ###
-@@ -122,7 +124,7 @@ strongswan_network_ipv6: 'fd9d:bc11:4020::/48'
+@@ -122,7 +125,7 @@ strongswan_network_ipv6: '2001:db8:4160::/48'
  # If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
  # This option will keep the "connection" open in the eyes of NAT.
  # See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
@@ -60,4 +61,4 @@ index 6446398..671062a 100644
 +wireguard_PersistentKeepalive: 25
  # WireGuard network configuration
- wireguard_network_ipv4: 10.19.49.0/24
+ wireguard_network_ipv4: 10.49.0.0/16
-- 
cgit v1.2.3-54-g00ecf