Before you begin, make sure you have installed all the dependencies necessary for your operating system as described in the README.

You can deploy Algo non-interactively by running the Ansible playbooks directly with `ansible-playbook`.

`ansible-playbook` accepts variables via the `-e` or `--extra-vars` option. You can pass variables as space-separated `key=value` pairs. Algo requires certain variables that are listed below. You can also use the `--skip-tags` option to skip certain parts of the install, such as `iptables` (overwrite iptables rules), `ipsec` (install strongSwan), or `wireguard` (install WireGuard). We don't recommend using the `-t` option as it will only include the tagged portions of the deployment, and skip certain necessary roles (such as `common`).
Here is a full example for DigitalOcean:

```bash
ansible-playbook main.yml -e "provider=digitalocean
                              server_name=algo
                              ondemand_cellular=false
                              ondemand_wifi=false
                              dns_adblocking=true
                              ssh_tunneling=true
                              store_pki=true
                              region=ams3
                              do_token=token"
```
See below for more information about variables and roles.

- `provider` - (Required) The provider to use. See possible values below
- `server_name` - (Required) Server name. Default: `algo`
- `ondemand_cellular` - (Optional) Enables VPN On Demand when connected to cellular networks for iOS/macOS clients using IPsec. Default: `false`
- `ondemand_wifi` - (Optional. See `ondemand_wifi_exclude`) Enables VPN On Demand when connected to WiFi networks for iOS/macOS clients using IPsec. Default: `false`
- `ondemand_wifi_exclude` - (Required if `ondemand_wifi` set) WiFi networks to exclude from using the VPN. Comma-separated values
- `dns_adblocking` - (Optional) Enables dnscrypt-proxy adblocking. Default: `false`
- `ssh_tunneling` - (Optional) Enable SSH tunneling for each user. Default: `false`
- `store_pki` - (Optional) Whether or not to keep the CA key (required to add users in the future, but less secure). Default: `false`

If any of the above variables are unspecified, ansible will ask the user to input them.
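The variable list above turned into a small pre-flight check, as an added example that is not part of the Algo project: it refuses to build the command while a required variable is unset (the playbook would otherwise stop and prompt, which defeats a non-interactive run), fills in the documented defaults for the optional booleans, quotes values so a comma-separated `ondemand_wifi_exclude` list survives as one value, and appends `--skip-tags` when asked. The `REQUIRED_BY_PROVIDER` map is an assumption: only its DigitalOcean entry is taken from the page's own example. The function returns the argv list and executes nothing.

```python
"""Pre-flight check for a non-interactive Algo deployment.

Added example, not part of the Algo project. It mirrors the variable list
above: anything left unset would make ansible stop and prompt, so the
command is only built once every required variable is present.
"""
import shlex

# Always required (from the list above).
ALWAYS_REQUIRED = {"provider", "server_name"}

# Optional booleans and their documented defaults; unset ones are filled in
# explicitly so the playbook never has to prompt for them.
BOOL_DEFAULTS = {
    "ondemand_cellular": "false",
    "ondemand_wifi": "false",
    "dns_adblocking": "false",
    "ssh_tunneling": "false",
    "store_pki": "false",
}

# Provider credentials. ASSUMPTION: only the DigitalOcean entry comes from the
# page's own example; other providers need their own entries.
REQUIRED_BY_PROVIDER = {
    "digitalocean": {"do_token", "region"},
}


def missing_variables(vars_):
    """Names of variables whose absence would trigger an interactive prompt."""
    present = set(vars_)
    missing = ALWAYS_REQUIRED - present
    provider = vars_.get("provider")
    missing |= REQUIRED_BY_PROVIDER.get(provider, set()) - present
    # ondemand_wifi=true makes ondemand_wifi_exclude mandatory.
    if vars_.get("ondemand_wifi") == "true" and not vars_.get("ondemand_wifi_exclude"):
        missing.add("ondemand_wifi_exclude")
    return sorted(missing)


def build_command(vars_, skip_tags=()):
    """Return the ansible-playbook argv; raise ValueError instead of prompting."""
    missing = missing_variables(vars_)
    if missing:
        raise ValueError("unset variables would prompt: " + ", ".join(missing))
    merged = {**BOOL_DEFAULTS, **vars_}
    # -e takes space-separated key=value pairs; shell-style quoting keeps a
    # comma-separated ondemand_wifi_exclude list (which may contain spaces)
    # as one value, and ansible unquotes it on its side.
    extra = " ".join(f"{k}={shlex.quote(str(v))}" for k, v in sorted(merged.items()))
    cmd = ["ansible-playbook", "main.yml", "-e", extra]
    if skip_tags:
        # e.g. ("iptables",) to leave an existing server's firewall rules alone
        cmd += ["--skip-tags", ",".join(skip_tags)]
    return cmd


if __name__ == "__main__":
    # Constructed sample: the DigitalOcean deployment from the page's example
    # with a placeholder token. Run the printed command from the Algo checkout.
    sample = {
        "provider": "digitalocean",
        "server_name": "algo",
        "region": "ams3",
        "do_token": "REPLACE_WITH_DO_TOKEN",
        "dns_adblocking": "true",
        "ssh_tunneling": "true",
        "store_pki": "true",
    }
    print(" ".join(shlex.quote(a) for a in build_command(sample)))
```

Because the argv list is passed to `subprocess.run` (or printed and pasted) without a shell, the only quoting that matters is the one ansible applies to the `-e` string itself, which is what `shlex.quote` produces here.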
Cloud roles can be activated by specifying an extra variable `provider`.

Cloud roles:

Server roles:

`adblock_lists` in `config.cfg` - note this will occur even if `dns_encryption` in `config.cfg` is set to `false`

`algo` group with no shell access and limited SSH forwarding options

Note: The `strongswan` role generates Apple profiles with On-Demand Wifi and Cellular if you pass the following variables:
This role is intended to be run for local install onto an Ubuntu server, or onto an unsupported cloud provider's Ubuntu instance. Required variables:

`server=localhost`, this isn't required.

Note that by default, the iptables rules on your existing server will be overwritten. If you don't want to overwrite the iptables rules, you can use the `--skip-tags iptables` flag.
Required variables:

Possible options can be gathered by calling https://api.digitalocean.com/v2/regions
Required variables:

`AKIA...`

`us-east-1`

Possible options can be gathered via the CLI: `aws ec2 describe-regions`

Additional variables:

- `image` - AMI `describe-images` search parameters to find the OS for the hosted image. Each OS and architecture has a unique AMI-ID. The OS owner, for example Ubuntu, updates these images often. If the parameters below result in multiple results, the most recent AMI-ID is chosen

```bash
# Example of equivalent cli command
aws ec2 describe-images --owners "099720109477" --filters "Name=architecture,Values=arm64" "Name=name,Values=ubuntu/images/hvm-ssd/ubuntu-jammy-22.04*"
```
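The selection rule stated above ("if the search returns several images, the most recent AMI-ID is chosen") as an added example, not Algo's own code: it applies the owner, architecture and name-prefix filters from the CLI command to `describe-images` output and picks the newest by `CreationDate`. The JSON is a constructed stand-in for real `aws ec2 describe-images` output carrying only the fields used here, with made-up AMI IDs; the owner id `099720109477` is the one in the page's command. The third image is newer but published by a different account, which is why pinning `--owners` matters: name and architecture alone would have selected it.

```python
"""Resolve the `image` search parameters to a single, most recent AMI.

Added example, not part of the Algo project. SAMPLE_OUTPUT is constructed
(fake AMI IDs, only the fields this code reads); the owner id is the one
from the page's `aws ec2 describe-images --owners` example.
"""
import json

EXPECTED_OWNER = "099720109477"  # from the page's CLI example

# Constructed stand-in for `aws ec2 describe-images` JSON output.
SAMPLE_OUTPUT = json.loads("""
{"Images": [
  {"ImageId": "ami-0000000000000000a", "OwnerId": "099720109477",
   "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-arm64-server-20230301",
   "CreationDate": "2023-03-01T10:00:00.000Z", "Architecture": "arm64"},
  {"ImageId": "ami-0000000000000000b", "OwnerId": "099720109477",
   "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-arm64-server-20230915",
   "CreationDate": "2023-09-15T10:00:00.000Z", "Architecture": "arm64"},
  {"ImageId": "ami-0000000000000000c", "OwnerId": "123456789012",
   "Name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-arm64-server-20231201",
   "CreationDate": "2023-12-01T10:00:00.000Z", "Architecture": "arm64"}
]}
""")


def newest_image(output, owner=EXPECTED_OWNER,
                 name_prefix="ubuntu/images/hvm-ssd/ubuntu-jammy-22.04",
                 arch="arm64"):
    """Return the ImageId of the most recent image matching all three filters.

    The server-side --owners/--filters arguments already narrow the result;
    re-checking the owner client-side guards against a looser query (for
    example a name-only filter) silently returning someone else's image.
    """
    candidates = [
        img for img in output["Images"]
        if img["OwnerId"] == owner
        and img["Architecture"] == arch
        and img["Name"].startswith(name_prefix)
    ]
    if not candidates:
        raise LookupError("no AMI matched the search parameters")
    # CreationDate is ISO-8601 in UTC, so lexical order is chronological order.
    return max(candidates, key=lambda img: img["CreationDate"])["ImageId"]


if __name__ == "__main__":
    print(newest_image(SAMPLE_OUTPUT))
```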
If using spot instance types, one additional IAM permission along with the below minimum is required for deployment:

`"ec2:CreateLaunchTemplate"`
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PreDeployment",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeImages",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeRegions",
        "ec2:ImportKeyPair",
        "ec2:CopyImage"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DeployCloudFormationStack",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ListStackResources"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudFormationEC2Access",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeRegions",
        "ec2:CreateInternetGateway",
        "ec2:DescribeVpcs",
        "ec2:CreateVpc",
        "ec2:DescribeInternetGateways",
        "ec2:ModifyVpcAttribute",
        "ec2:CreateTags",
        "ec2:CreateSubnet",
        "ec2:AssociateVpcCidrBlock",
        "ec2:AssociateSubnetCidrBlock",
        "ec2:AssociateRouteTable",
        "ec2:AssociateAddress",
        "ec2:CreateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:ModifySubnetAttribute",
        "ec2:CreateRoute",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:AllocateAddress",
        "ec2:DescribeAddresses"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
Required variables:

`useast-1`
Required variables:

`Chicago`, `'New Jersey'`
Required variables:
Required variables:

`AKIA...`

`us-east-1`

Possible options can be gathered via the CLI: `aws lightsail get-regions`
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LightsailDeployment",
      "Effect": "Allow",
      "Action": [
        "lightsail:GetRegions",
        "lightsail:GetInstance",
        "lightsail:CreateInstances",
        "lightsail:DisableAddOn",
        "lightsail:PutInstancePublicPorts",
        "lightsail:StartInstance",
        "lightsail:TagResource",
        "lightsail:GetStaticIp",
        "lightsail:AllocateStaticIp",
        "lightsail:AttachStaticIp"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DeployCloudFormationStack",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:ListStackResources"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
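Both policy documents above (the EC2 one, with its spot-instance extra, and the Lightsail one) describe a minimum permission set for the deploying IAM principal. The following added example, not Algo's own tooling, audits a policy document against such a minimum the way a reviewer would before handing the credentials to an automated deployment: it lists required actions the policy does not grant, flags wildcard actions (`service:*`) that grant more than the minimum, and lists explicitly named actions outside it. `EC2_MINIMUM` is the union of the action lists in the page's EC2 policy; `SAMPLE_POLICY` is a constructed, deliberately defective variant (a missing statement, a wildcard, and a leftover action) used only to demonstrate the output.

```python
"""Audit an IAM policy document against a required minimum action set.

Added example, not part of the Algo project. EC2_MINIMUM is taken from the
policy shown on the page; SAMPLE_POLICY is a constructed, defective variant
for demonstration. Plain JSON parsing, no AWS SDK required.
"""
import fnmatch
import json

# Union of the three statements in the page's EC2 policy.
EC2_MINIMUM = {
    "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeRegions",
    "ec2:ImportKeyPair", "ec2:CopyImage",
    "cloudformation:CreateStack", "cloudformation:UpdateStack",
    "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
    "cloudformation:ListStackResources",
    "ec2:CreateInternetGateway", "ec2:DescribeVpcs", "ec2:CreateVpc",
    "ec2:DescribeInternetGateways", "ec2:ModifyVpcAttribute", "ec2:CreateTags",
    "ec2:CreateSubnet", "ec2:AssociateVpcCidrBlock", "ec2:AssociateSubnetCidrBlock",
    "ec2:AssociateRouteTable", "ec2:AssociateAddress", "ec2:CreateRouteTable",
    "ec2:AttachInternetGateway", "ec2:DescribeRouteTables", "ec2:DescribeSubnets",
    "ec2:ModifySubnetAttribute", "ec2:CreateRoute", "ec2:CreateSecurityGroup",
    "ec2:DescribeSecurityGroups", "ec2:AuthorizeSecurityGroupIngress",
    "ec2:RunInstances", "ec2:DescribeInstances", "ec2:AllocateAddress",
    "ec2:DescribeAddresses",
}
# Only needed when deploying spot instance types (see the note above).
SPOT_EXTRA = {"ec2:CreateLaunchTemplate"}

# Constructed sample: PreDeployment kept, CloudFormation widened to a wildcard,
# the whole CloudFormationEC2Access statement dropped, iam:PassRole left over.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PreDeployment", "Effect": "Allow",
     "Action": ["ec2:DescribeImages", "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions", "ec2:ImportKeyPair", "ec2:CopyImage"],
     "Resource": ["*"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
    {"Sid": "Leftover", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list for Statement and Action; normalise to list."""
    return value if isinstance(value, list) else [value]


def action_patterns(policy):
    """Return (allow_patterns, deny_patterns) collected from every statement."""
    allow, deny = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action", [])))
        if stmt.get("Effect") == "Allow":
            allow |= actions
        elif stmt.get("Effect") == "Deny":
            deny |= actions
    return allow, deny


def _granted(action, allow, deny):
    # An explicit Deny always wins over an Allow; patterns may contain '*'.
    if any(fnmatch.fnmatchcase(action, p) for p in deny):
        return False
    return any(fnmatch.fnmatchcase(action, p) for p in allow)


def audit_policy(policy, required):
    """Compare a policy to a required action set.

    Returns a dict with 'missing' (required but not granted), 'wildcards'
    (allow patterns broader than a single action) and 'extra' (named actions
    granted that the minimum does not call for).
    """
    allow, deny = action_patterns(policy)
    return {
        "missing": sorted(a for a in required if not _granted(a, allow, deny)),
        "wildcards": sorted(p for p in allow if "*" in p),
        "extra": sorted(p for p in allow if "*" not in p and p not in required),
    }


if __name__ == "__main__":
    print(json.dumps(audit_policy(SAMPLE_POLICY, EC2_MINIMUM), indent=2))
```

Feed it the policy actually attached to the deployment user (for example the output of `aws iam get-policy-version`, whose `Document` field is this same JSON shape) and an empty `missing` list with no `wildcards` is the state to aim for; add `SPOT_EXTRA` to the required set only when spot instances are in use. Matching is done with `fnmatch` because IAM action patterns use the same `*` wildcard.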
Required variables:

`ams1`, `par1`
You need to source the rc file prior to running Algo. Download it from the OpenStack dashboard -> Compute -> API Access and source it in the shell (e.g. `source /tmp/dhc-openrc.sh`)
Required variables:

`exoscale`

`ch-gva2`

The first two can also be defined in your environment, using the variables `CLOUDSTACK_CONFIG` and `CLOUDSTACK_REGION`.
Required variables:

`nbg1`
Required variables:

`us-east`
Playbook: `users.yml`

Required variables:

Tags required: