CIS + inital
@@ -0,0 +1,107 @@
|
||||
---
|
||||
# Group Variables for VPN Servers
|
||||
# These settings apply to VPN1, VPN2, VPN3 (user-facing VPN endpoints)
|
||||
|
||||
# ==========================================
|
||||
# CRITICAL: Set ValleyForge Public IP
|
||||
# ==========================================
|
||||
valleyforge_public_ip: "185.112.147.205" # CHANGE THIS!
|
||||
|
||||
# ==========================================
|
||||
# Admin Users (SSH Access Management)
|
||||
# ==========================================
|
||||
# Create admin users with SSH keys and sudo access
|
||||
admin_users:
|
||||
- username: alice
|
||||
comment: "Alice - Infrastructure Admin"
|
||||
groups: ["sudo", "adm"]
|
||||
generate_keys: true # Auto-generate SSH key pair
|
||||
shell: /bin/bash
|
||||
state: present
|
||||
|
||||
- username: bob
|
||||
comment: "Bob - Security Admin"
|
||||
groups: ["sudo"]
|
||||
generate_keys: true
|
||||
shell: /bin/bash
|
||||
state: present
|
||||
|
||||
# Example with existing SSH key:
|
||||
# - username: charlie
|
||||
# comment: "Charlie - Operations"
|
||||
# groups: ["sudo"]
|
||||
# generate_keys: false
|
||||
# authorized_keys:
|
||||
# - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... charlie@laptop"
|
||||
# shell: /bin/bash
|
||||
# state: present
|
||||
|
||||
# ==========================================
|
||||
# Management Access Control (Two-Tier Architecture)
|
||||
# ==========================================
|
||||
# Allow management from ValleyForge only
|
||||
management_allowed_sources:
|
||||
- "{{ valleyforge_public_ip }}" # ValleyForge public IP
|
||||
# - "10.100.0.0/24" # Optional: ValleyForge admin VPN network
|
||||
|
||||
# Management ports (restricted to management_allowed_sources)
|
||||
management_ports:
|
||||
- port: 22
|
||||
proto: tcp
|
||||
comment: "SSH"
|
||||
|
||||
# Public ports (user VPN - always accessible)
|
||||
public_ports:
|
||||
- port: "{{ wg_port }}"
|
||||
proto: udp
|
||||
comment: "WireGuard User VPN"
|
||||
|
||||
# Enable VPN-only mode (restrict management to management_allowed_sources)
|
||||
vpn_only_mode: true
|
||||
|
||||
# ==========================================
|
||||
# WireGuard User VPN Configuration
|
||||
# ==========================================
|
||||
# Each VPN endpoint has its own network (override in host_vars)
|
||||
wg_network: "10.200.0.0/24" # Default
|
||||
wg_server_ip: "10.200.0.1" # Default
|
||||
wg_port: 51820
|
||||
|
||||
# VPN users (end users, not admins)
|
||||
wg_peers:
|
||||
- name: user1
|
||||
- name: user2
|
||||
- name: user3
|
||||
# Add 50-70 users per endpoint
|
||||
|
||||
# ==========================================
|
||||
# System Hardening (CIS Level 1 Compliant)
|
||||
# ==========================================
|
||||
system_timezone: "UTC"
|
||||
|
||||
# SSH Configuration (CIS 5.2.x)
|
||||
ssh_port: 22
|
||||
ssh_permit_root_login: "no" # CIS 5.2.8
|
||||
ssh_password_authentication: "no" # Key-only auth
|
||||
ssh_allowed_users: [] # Empty = allow all users
|
||||
|
||||
# Security Features
|
||||
fail2ban_enabled: true
|
||||
auditd_enabled: true
|
||||
apparmor_enabled: true
|
||||
unattended_upgrades_enabled: true
|
||||
ssh_rate_limit: true
|
||||
|
||||
# Password Policies (CIS 5.4.x, 5.5.x)
|
||||
password_max_days: 365
|
||||
password_min_days: 1
|
||||
password_warn_age: 7
|
||||
password_inactive_days: 30
|
||||
|
||||
# Sudo Configuration (CIS 5.3.x)
|
||||
sudo_nopasswd: true # For automation
|
||||
sudo_timeout: 15 # Minutes
|
||||
|
||||
# Root Account
|
||||
disable_root_login: true # Disable root SSH
|
||||
lock_root_account: false # Allow sudo to root
|
||||
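Review bot: `sudo_nopasswd: true` combined with `ssh_allowed_users: []` ("Empty = allow all users") means any account that can present an accepted key obtains a passwordless root shell, which contradicts the CIS Level 1 control requiring a password for privilege escalation even though the stanza is labelled "CIS 5.3.x" (assuming the flag applies NOPASSWD to the sudo group the admin users are placed in). If automation genuinely needs NOPASSWD, scope it to a dedicated automation account rather than the whole sudo group, and derive the allow-list from the admin list, e.g. `ssh_allowed_users: "{{ admin_users | map(attribute='username') | list }}"`. The comment on `lock_root_account: false # Allow sudo to root` gives a reason that does not hold: locking root's password only disables password authentication for root, and `sudo -i` never consults it, so the account can be locked without losing sudo access. `disable_root_login: true` and `ssh_permit_root_login: "no"` express the same intent twice; keep one, or document which wins when they disagree. Finally, `management_allowed_sources` is built solely from `valleyforge_public_ip`, which is marked `# CHANGE THIS!`, so leaving the placeholder in place exposes the SSH management port to whichever host owns that address — an obviously invalid placeholder that makes the play fail fast would be safer.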