Moar playbooks

2026-01-26 22:33:14 -05:00
parent 28db1d2104
commit cc14147e80
4 changed files with 428 additions and 21 deletions
@@ -0,0 +1,64 @@
+---
+# ValleyForge Admin Control Plane Configuration
+
+# Admin Users (for infrastructure management)
+# These users will have SSH access and sudo privileges on ValleyForge
+admin_users:
+  - username: alice
+    comment: "Alice - Infrastructure Lead"
+    groups: ["sudo"]
+    generate_keys: true
+  
+  - username: bob
+    comment: "Bob - Security Admin"
+    groups: ["sudo"]
+    generate_keys: true
+
+# WireGuard Admin VPN Configuration
+# This VPN is for your admin team to securely access ValleyForge
+wg_network: "10.100.0.0/24"
+wg_server_address: "10.100.0.1/24"
+wg_port: 51820
+
+# Admin VPN peers (your infrastructure team)
+wg_peers:
+  - name: admin1
+    # ip: 10.100.0.10  # Auto-assigned
+  - name: admin2
+    # ip: 10.100.0.11  # Auto-assigned
+  - name: admin3
+    # ip: 10.100.0.12  # Auto-assigned
+
+# Firewall Configuration
+# IMPORTANT: Set vpn_only_mode to false initially to allow SSH access
+# After admin VPN is working, set to true and redeploy
+vpn_only_mode: false  # Change to true after admin VPN is configured
+
+management_allowed_sources:
+  - "0.0.0.0/0"  # Allow from anywhere initially
+  # After admin VPN is working, change to:
+  # - "10.100.0.0/24"  # Admin VPN network only
+
+management_ports:
+  - port: 22
+    proto: tcp
+    comment: "SSH"
+  - port: 51820
+    proto: udp
+    comment: "WireGuard Admin VPN"
+
+# SSH Hardening
+# Keep root login enabled initially for bootstrapping
+ssh_permit_root_login: "yes"  # Change to "no" after admin users are working
+ssh_password_authentication: "no"
+ssh_max_auth_tries: 3
+
+# Security Settings
+enable_apparmor: true
+enable_auditd: true
+enable_fail2ban: true
+enable_unattended_upgrades: true
+
+# Ansible Control Node Settings
+valleyforge_repo_url: "https://git.hacker.supply/valleyforge/resist-vpn-infra.git"
+valleyforge_clone_repo: true
@@ -1,30 +1,55 @@
 ---
 # Inventory File for Two-Tier VPN Architecture
 #
-# This inventory is for managing VPN1, VPN2, VPN3 (user-facing VPN endpoints)
-# from ValleyForge (admin control plane)
-#
-# Deploy this FROM ValleyForge server after:
-# 1. ValleyForge is set up with WireGuard admin VPN
-# 2. Ansible is installed on ValleyForge
-# 3. SSH keys are configured from ValleyForge to VPN endpoints
+# This inventory includes:
+# 1. ValleyForge - Admin control plane (deploy first from local machine)
+# 2. VPN1, VPN2, VPN3 - User-facing VPN endpoints (deploy from ValleyForge)

 all:
  children:
-    # User-facing VPN endpoints
+    # Admin Control Plane
+    # Deploy ValleyForge FIRST from your local machine
+    admin_control_plane:
+      hosts:
+        valleyforge:
+          ansible_host: 185.112.147.186  # ValleyForge public IP 
+          ansible_user: root
+      
+      vars:
+        # ValleyForge-specific variables
+        # Admin VPN network for infrastructure management
+        wg_network: "10.100.0.0/24"
+        wg_server_address: "10.100.0.1/24"
+        
+        # Admin VPN users (your infrastructure team)
+        wg_peers:
+          - name: gozer
+          - name: admin2
+          - name: admin3
+        
+        # Firewall: Initially allow SSH from anywhere, then restrict to admin VPN
+        vpn_only_mode: false  # Set to true after admin VPN is working
+        
+        # Repository to clone on ValleyForge
+        valleyforge_repo_url: "https://git.hacker.supply/valleyforge/resist-vpn-infra.git"
+        valleyforge_clone_repo: true
+    
+    # User-facing VPN Endpoints
+    # Deploy AFTER ValleyForge is set up
+    # Deploy FROM ValleyForge server
    vpn_servers:
      hosts:
        vpn1:
-          ansible_host: 203.0.113.10  # VPN1 public IP (CHANGE THIS!)
+          ansible_host: 185.112.147.205   # VPN1 public IP 
          ansible_user: root
        
-        vpn2:
-          ansible_host: 203.0.113.11  # VPN2 public IP (CHANGE THIS!)
-          ansible_user: root
-        
-        vpn3:
-          ansible_host: 203.0.113.12  # VPN3 public IP (CHANGE THIS!)
-          ansible_user: root
+            #        vpn2:
+            #          ansible_host: 203.0.113.11  # VPN2 public IP (CHANGE THIS!)
+            #          ansible_user: root
+            #        
+            #        vpn3:
+            #          ansible_host: 203.0.113.12  # VPN3 public IP (CHANGE THIS!)
+            #          ansible_user: root
      
      vars:
        # Common variables for all VPN servers
@@ -32,8 +57,4 @@ all:
        
        # ValleyForge public IP (for firewall rules)
        # IMPORTANT: Change this to your actual ValleyForge IP!
-        valleyforge_public_ip: "185.112.147.205"
-
-# Note: ValleyForge itself is NOT in this inventory
-# ValleyForge is the control plane where you run Ansible FROM
-# It should be configured separately with its own WireGuard admin VPN
+        valleyforge_public_ip: "185.112.147.186"  # (CHANGE THIS!)