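---
# Group Variables for VPN Servers
# These settings apply to VPN1, VPN2, VPN3 (user-facing VPN endpoints)

# ==========================================
# CRITICAL: Set ValleyForge Public IP
# ==========================================
# Single source address from which management (SSH) traffic is accepted;
# management_allowed_sources below is built from this value.
valleyforge_public_ip: "185.112.147.205"  # CHANGE THIS!

# ==========================================
# Admin Users (SSH Access Management)
# ==========================================
# Create admin users with SSH keys and sudo access
admin_users:
  - username: alice
    comment: "Alice - Infrastructure Admin"
    groups: ["sudo", "adm"]
    generate_keys: true  # Auto-generate SSH key pair
    shell: /bin/bash
    state: present
  - username: bob
    comment: "Bob - Security Admin"
    groups: ["sudo"]
    generate_keys: true
    shell: /bin/bash
    state: present
# Example with existing SSH key:
# - username: charlie
#   comment: "Charlie - Operations"
#   groups: ["sudo"]
#   generate_keys: false
#   authorized_keys:
#     - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... charlie@laptop"
#   shell: /bin/bash
#   state: present

# ==========================================
# Management Access Control (Two-Tier Architecture)
# ==========================================
# Allow management from ValleyForge only
management_allowed_sources:
  - "{{ valleyforge_public_ip }}"  # ValleyForge public IP
  # - "10.100.0.0/24"  # Optional: ValleyForge admin VPN network

# Management ports (restricted to management_allowed_sources)
# The SSH port is templated from ssh_port (System Hardening section) in the
# same way public_ports uses wg_port, so the firewall rule cannot drift
# from the port sshd is configured to listen on.
management_ports:
  - port: "{{ ssh_port }}"
    proto: tcp
    comment: "SSH"

# Public ports (user VPN - always accessible)
public_ports:
  - port: "{{ wg_port }}"
    proto: udp
    comment: "WireGuard User VPN"

# Enable VPN-only mode (restrict management to management_allowed_sources)
vpn_only_mode: true

# ==========================================
# WireGuard User VPN Configuration
# ==========================================
# Each VPN endpoint has its own network (override in host_vars)
wg_network: "10.200.0.0/24"  # Default
wg_server_ip: "10.200.0.1"  # Default
wg_port: 51820

# VPN users (end users, not admins)
wg_peers:
  - name: user1
  - name: user2
  - name: user3
  # Add 50-70 users per endpoint

# ==========================================
# System Hardening (CIS Level 1 Compliant)
# ==========================================
system_timezone: "UTC"

# SSH Configuration (CIS 5.2.x)
# "no" values are quoted so they reach sshd_config as the literal word
# instead of being read as a YAML boolean.
ssh_port: 22
ssh_permit_root_login: "no"  # CIS 5.2.8
ssh_password_authentication: "no"  # Key-only auth
ssh_allowed_users: []  # Empty = allow all users

# Security Features
fail2ban_enabled: true
auditd_enabled: true
apparmor_enabled: true
unattended_upgrades_enabled: true
ssh_rate_limit: true

# Password Policies (CIS 5.4.x, 5.5.x)
password_max_days: 365
password_min_days: 1
password_warn_age: 7
password_inactive_days: 30

# Sudo Configuration (CIS 5.3.x)
# NOTE(review): passwordless sudo applies to every account in admin_users,
# so one leaked admin key yields root with no further credential; confirm
# this is required for the automation account rather than every admin.
sudo_nopasswd: true  # For automation
sudo_timeout: 15  # Minutes

# Root Account
disable_root_login: true  # Disable root SSH
# NOTE(review): a locked root password does not by itself block sudo -i for
# admin_users, so "Allow sudo to root" may not be the real trade-off here;
# confirm how the role implements this flag before keeping it false.
lock_root_account: false  # Allow sudo to root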