CIS + inital

2026-01-26 21:22:41 -05:00
parent 5b6e1567f9
commit 28db1d2104
65 changed files with 4555 additions and 2 deletions
+50
@@ -0,0 +1,50 @@
---
# Add Single User Playbook
# Quick playbook to add one admin user
- name: Add Admin User
hosts: all
become: yes
gather_facts: yes
vars_prompt:
- name: new_username
prompt: "Enter username to create"
private: no
- name: new_user_comment
prompt: "Enter full name/comment"
private: no
default: ""
- name: generate_ssh_key
prompt: "Generate SSH key pair? (yes/no)"
private: no
default: "yes"
vars:
admin_users:
- username: "{{ new_username }}"
comment: "{{ new_user_comment if new_user_comment else new_username }}"
groups: ["sudo", "adm"]
generate_keys: "{{ generate_ssh_key | bool }}"
shell: /bin/bash
state: present
roles:
- role: ssh_users
post_tasks:
- name: Display success message
ansible.builtin.debug:
msg:
- "========================================="
- "User {{ new_username }} created successfully!"
- "========================================="
- "{% if generate_ssh_key | bool %}SSH keys: {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ new_username }}_id_ed25519{% endif %}"
- ""
- "{% if generate_ssh_key | bool %}Test SSH access:{% endif %}"
- "{% if generate_ssh_key | bool %}ssh -i {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ new_username }}_id_ed25519 {{ new_username }}@{{ inventory_hostname }}{% endif %}"
- "========================================="
delegate_to: localhost
run_once: true
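Review bot: The `generate_ssh_key` reply is free text but is only ever consumed through `| bool` (the `generate_keys` var and the three conditional debug lines), so a typo or an empty answer is, depending on the ansible-core version, either silently coerced to false or rejected at template time, and in the silent case the success banner still prints as if a key had been produced. Guard the reply before the role runs, e.g. a pre_task `ansible.builtin.assert` with `that: generate_ssh_key | lower in ['yes', 'no']` and `fail_msg: "Answer yes or no"`. As a point of style, `become: yes` and `private: no` are YAML 1.1 truthy strings that yamllint's `truthy` rule flags; `true`/`false` is the canonical form, and the same `become: yes` appears in every other playbook in this commit.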
+11
@@ -0,0 +1,11 @@
---
# Firewall Configuration Only Playbook
- name: Secure Firewall Configuration
hosts: vpn_servers
become: yes
gather_facts: yes
roles:
- role: secure_firewall
tags: ['firewall', 'security']
+11
@@ -0,0 +1,11 @@
---
# System Hardening Only Playbook
- name: System Hardening
hosts: vpn_servers
become: yes
gather_facts: yes
roles:
- role: system_hardening
tags: ['hardening', 'security']
+50
@@ -0,0 +1,50 @@
---
# Remove User Playbook
# Remove admin user and optionally delete SSH keys
- name: Remove Admin User
hosts: all
become: yes
gather_facts: yes
vars_prompt:
- name: remove_username
prompt: "Enter username to remove"
private: no
- name: remove_home
prompt: "Remove home directory? (yes/no)"
private: no
default: "yes"
- name: delete_ssh_keys
prompt: "Delete SSH keys from control node? (yes/no)"
private: no
default: "no"
tasks:
- name: Remove user account
ansible.builtin.user:
name: "{{ remove_username }}"
state: absent
remove: "{{ remove_home | bool }}"
- name: Delete SSH keys from control node
ansible.builtin.file:
path: "{{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{{ remove_username }}_id_ed25519{{ item }}"
state: absent
loop:
- ""
- ".pub"
delegate_to: localhost
when: delete_ssh_keys | bool
- name: Display success message
ansible.builtin.debug:
msg:
- "========================================="
- "User {{ remove_username }} removed successfully!"
- "========================================="
- "Home directory: {{ 'REMOVED' if remove_home | bool else 'KEPT' }}"
- "SSH keys: {{ 'DELETED' if delete_ssh_keys | bool else 'KEPT' }}"
- "========================================="
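Review bot: `remove_username` is interpolated unvalidated into a control-node path in the "Delete SSH keys from control node" task (`ansible.builtin.file` with `state: absent`, delegated to localhost), and the preceding `ansible.builtin.user` task does not reject odd names — `state: absent` on a non-existent account simply reports ok — so a mistyped value containing path separators reaches the deletion on the operator's machine. Nothing stops the play from removing the account Ansible itself connects as, either. Validating the name once in `pre_tasks` covers both; the added block is below. The tasks also reference `ssh_keys_local_dir` without including the ssh_users role, so unless that variable lives in group_vars the deletion task presumably fails with an undefined variable.
```yaml
  pre_tasks:
    - name: Validate username before touching accounts or control-node files
      ansible.builtin.assert:
        that:
          - remove_username is match('^[a-z_][a-z0-9_-]*[$]?$')
          - remove_username != (ansible_user | default(''))
        fail_msg: "remove_username must be a valid POSIX user name and not the account Ansible connects as"
  # … unchanged: tasks (Remove user account, Delete SSH keys from control node, Display success message) …
```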
+137
@@ -0,0 +1,137 @@
---
# Main Site Playbook - Complete Server Hardening + User Management + WireGuard VPN + Firewall
- name: Secure VPN Server Deployment
hosts: vpn_servers
become: yes
gather_facts: yes
pre_tasks:
- name: Display deployment information
ansible.builtin.debug:
msg:
- "Deploying secure VPN server to: {{ inventory_hostname }}"
- "IP Address: {{ ansible_default_ipv4.address }}"
- "OS: {{ ansible_distribution }} {{ ansible_distribution_version }}"
- "VPN Network: {{ wg_network | default('10.100.0.0/24') }}"
- name: Verify Ubuntu 24.04
ansible.builtin.assert:
that:
- ansible_distribution == "Ubuntu"
- ansible_distribution_version is version('22.04', '>=')
fail_msg: "This playbook requires Ubuntu 22.04 or newer"
success_msg: "OS version check passed"
roles:
- role: system_hardening
tags: ['hardening', 'security', 'cis']
- role: ssh_users
tags: ['users', 'ssh', 'security']
when: admin_users is defined and admin_users | length > 0
- role: wireguard_server
tags: ['wireguard', 'vpn']
- role: secure_firewall
tags: ['firewall', 'security']
post_tasks:
- name: Display deployment summary
ansible.builtin.debug:
msg:
- "========================================="
- "Deployment Complete!"
- "========================================="
- ""
- "Server: {{ inventory_hostname }}"
- "Public IP: {{ ansible_default_ipv4.address }}"
- "VPN Network: {{ wg_network }}"
- "Admin Users: {{ admin_users | map(attribute='username') | list | join(', ') if admin_users is defined else 'none' }}"
- ""
- "Client configs: /root/wireguard-client-configs/"
- "{% if admin_users is defined and admin_users | length > 0 %}SSH keys: {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{% endif %}"
- "Firewall config: /root/firewall-config.txt"
- ""
- "Next steps:"
- "1. Download client configs from server"
- "{% if admin_users is defined and admin_users | length > 0 %}2. Test SSH with new admin users{% endif %}"
- "3. Distribute VPN configs to users"
- "4. Test VPN connection"
- "5. Verify firewall rules"
- ""
- "========================================="
- name: Save deployment summary
ansible.builtin.copy:
dest: /root/deployment-summary.txt
content: |
Secure VPN Server Deployment Summary
=====================================
Deployment Date: {{ ansible_date_time.iso8601 }}
Server: {{ inventory_hostname }}
Public IP: {{ ansible_default_ipv4.address }}
Components Deployed:
- System Hardening (CIS Level 1 compliant)
- SSH User Management
- WireGuard VPN Server
- Secure Firewall (Management access restricted)
Admin Users:
{% if admin_users is defined %}
{% for user in admin_users %}
- {{ user.username }} ({{ user.comment | default('') }})
{% endfor %}
{% else %}
- None created (using root)
{% endif %}
VPN Configuration:
- Network: {{ wg_network }}
- Server IP: {{ wg_server_ip }}
- Port: {{ wg_port }}
- Users: {{ wg_peers | length }}
Security Features (CIS Compliant):
- SSH hardened (key-only, strong ciphers)
- Root SSH login disabled
- Password policies enforced
- AppArmor enabled and enforcing
- Comprehensive audit logging
- Automatic security updates enabled
- Fail2ban active
- Uncommon network protocols disabled
- Core dumps restricted
- Management ports restricted to authorized sources
Client Configurations:
VPN: /root/wireguard-client-configs/
{% if admin_users is defined and admin_users | length > 0 %}
SSH Keys (on control node): {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/
{% endif %}
{% for peer in wg_peers %}
- {{ peer.name }}: {{ peer.ip }}
{% endfor %}
Important Files:
- VPN client configs: /root/wireguard-client-configs/
- Firewall config: /root/firewall-config.txt
- WireGuard keys: /etc/wireguard/keys/
- Sudo log: /var/log/sudo.log
- Audit logs: /var/log/audit/audit.log
Next Steps:
1. Download VPN configs: scp root@{{ ansible_default_ipv4.address }}:/root/wireguard-client-configs/* ./
{% if admin_users is defined and admin_users | length > 0 %}
2. Test SSH with admin users (root SSH will be disabled)
3. Verify sudo access works for admin users
{% endif %}
4. Distribute VPN configs to users
5. Test VPN connection
6. Monitor logs: journalctl -u wg-quick@wg0
7. Review audit logs: ausearch -ts recent
mode: '0600'
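Review bot: The pre_task named "Verify Ubuntu 24.04" actually asserts `ansible_distribution_version is version('22.04', '>=')` and its fail_msg says "22.04 or newer", so the name misstates the check; rename it `- name: Verify Ubuntu 22.04 or newer`. In the saved summary, step 1 tells the operator to run `scp root@…:/root/wireguard-client-configs/* ./` while the same file states "Root SSH login disabled" and step 2 repeats that root SSH will be disabled, so the first instruction either fails or nudges the operator to re-enable root login; replace it with `1. Download VPN configs with ansible.builtin.fetch, or scp as an admin user (root SSH is disabled)`. The pre_task debug uses `wg_network | default('10.100.0.0/24')` but the post_task and the summary use bare `wg_network`; if the role's defaults do not supply it, the summary fails after the deployment has already run, so apply the same default in both places or drop it from the pre_task.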
+31
@@ -0,0 +1,31 @@
---
# User Management Playbook
# Create admin users, generate SSH keys, configure sudo
- name: Manage SSH Users
hosts: all
become: yes
gather_facts: yes
roles:
- role: ssh_users
when: admin_users is defined and admin_users | length > 0
post_tasks:
- name: Display SSH keys location
ansible.builtin.debug:
msg:
- "========================================="
- "SSH Keys Generated"
- "========================================="
- "Location: {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/"
- ""
- "Copy private keys to your machine:"
- "scp -r {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/ ~/.ssh/"
- ""
- "Test SSH access:"
- "ssh -i ~/.ssh/{{ inventory_hostname }}/USERNAME_id_ed25519 USERNAME@{{ inventory_hostname }}"
- "========================================="
when: admin_users | selectattr('generate_keys', 'defined') | selectattr('generate_keys') | list | length > 0
delegate_to: localhost
run_once: true
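Review bot: The post_task's `when:` evaluates `admin_users | selectattr('generate_keys', 'defined') …` without first checking that `admin_users` is defined, while the role line above is guarded by `admin_users is defined and admin_users | length > 0`; on a host with no `admin_users` the play therefore errors on an undefined variable in post_tasks instead of skipping. Write the condition as a list so the guard short-circuits: `when:` / `  - admin_users is defined` / `  - admin_users | selectattr('generate_keys', 'defined') | selectattr('generate_keys') | list | length > 0`.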
+39
@@ -0,0 +1,39 @@
---
# Validation Playbook - Test Configuration Before Deployment
- name: Validate Configuration
hosts: vpn_servers
gather_facts: no
tasks:
- name: Test connectivity
ansible.builtin.ping:
- name: Validate management_allowed_sources is defined
ansible.builtin.assert:
that:
- management_allowed_sources is defined
- management_allowed_sources | length > 0
fail_msg: "ERROR: management_allowed_sources must be defined in group_vars!"
success_msg: "✓ management_allowed_sources is configured"
- name: Validate VPN network is unique per host
ansible.builtin.debug:
msg: "{{ inventory_hostname }}: VPN network {{ wg_network }}, Server IP {{ wg_server_ip }}"
- name: Validate ValleyForge IP is set
ansible.builtin.assert:
that:
- valleyforge_public_ip is defined
- valleyforge_public_ip != "185.112.147.205" # Default placeholder
fail_msg: "ERROR: Please set valleyforge_public_ip to your actual ValleyForge IP!"
success_msg: "✓ ValleyForge IP is configured: {{ valleyforge_public_ip }}"
when: "'185.112.147.205' in management_allowed_sources"
- name: Display configuration summary
ansible.builtin.debug:
msg:
- "Host: {{ inventory_hostname }}"
- "VPN Network: {{ wg_network }}"
- "Management allowed from: {{ management_allowed_sources | join(', ') }}"
- "Users configured: {{ wg_peers | length }}"
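Review bot: The "Validate ValleyForge IP is set" task only asserts that `valleyforge_public_ip` differs from the placeholder, and only runs `when: "'185.112.147.205' in management_allowed_sources"`; if the placeholder reached the list by any route other than that variable, the assert passes and the firewall role will still admit management traffic from an address the operator does not control. Assert the placeholder is absent from the list unconditionally by adding `- "'185.112.147.205' not in management_allowed_sources"` to the `that:` of "Validate management_allowed_sources is defined" and dropping the `when`. "Validate VPN network is unique per host" is a debug that prints `wg_network` and `wg_server_ip` rather than a check; either rename it `Display VPN network per host` or turn it into an assert that compares the values across `ansible_play_hosts`.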
+11
@@ -0,0 +1,11 @@
---
# WireGuard VPN Only Playbook
- name: WireGuard VPN Installation
hosts: vpn_servers
become: yes
gather_facts: yes
roles:
- role: wireguard_server
tags: ['wireguard', 'vpn']