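---
# Complete Two-Tier VPN Infrastructure Deployment
#
# This playbook deploys the entire infrastructure in the correct order:
#   1. ValleyForge (admin control plane)
#   2. VPN1, VPN2, VPN3 (user-facing VPN endpoints)
#
# Control variables (pass with -e, e.g. `-e deploy_vpn_endpoints=true`):
#   deploy_vpn_endpoints  run Phase 2 in this invocation (default: false, i.e.
#                         Phase 2 is NOT run until the admin VPN and the Ansible
#                         SSH key distribution from Phase 1 are in place)
#   skip_pause            do not wait for ENTER between phases (default: false);
#                         set this for unattended/CI runs or the play will block
#
# Usage:
#
# Deploy everything from your local machine:
#   ansible-playbook -i inventory/hosts.yml playbooks/deploy_all.yml
#
# Or deploy in phases:
#   ansible-playbook -i inventory/hosts.yml playbooks/deploy_all.yml --tags valleyforge
#   ansible-playbook -i inventory/hosts.yml playbooks/deploy_all.yml --tags vpn-endpoints
#
# NOTE: extra-vars given on the command line arrive as strings ("false" is
# truthy in Jinja), so every use of the control variables below is passed
# through `| bool` before being tested.

- name: Phase 1 - Deploy ValleyForge Admin Control Plane
  import_playbook: valleyforge.yml
  tags: ['valleyforge', 'phase1']

- name: Phase 1 Complete - Pause for Manual Steps
  hosts: localhost
  gather_facts: false
  tags: ['valleyforge', 'phase1']
  tasks:
    # Operator checklist that establishes the trust path for Phase 2:
    # admin VPN reachability, then the Ansible SSH key on each endpoint.
    # Step 5 is the first SSH contact with the endpoints, so the operator
    # should verify each host key fingerprint out-of-band before accepting it.
    - name: Display next steps
      ansible.builtin.debug:
        msg:
          - "========================================="
          - "Phase 1 Complete: ValleyForge Deployed"
          - "========================================="
          - ""
          - "Before proceeding to Phase 2, you must:"
          - ""
          - "1. Download admin VPN configs from ValleyForge:"
          - "   scp root@VALLEYFORGE-IP:/root/wireguard-client-configs/* ./"
          - ""
          - "2. Install WireGuard client on your machine"
          - ""
          - "3. Import admin VPN config and connect"
          - ""
          - "4. Test admin VPN connection:"
          - "   ping 10.100.0.1"
          - ""
          - "5. Copy Ansible SSH key to VPN endpoints:"
          - "   ssh root@VALLEYFORGE-IP"
          - "   ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN1-IP"
          - "   ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN2-IP"
          - "   ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN3-IP"
          - ""
          - "6. Update inventory/hosts.yml on ValleyForge:"
          - "   - Set ansible_ssh_private_key_file: /root/.ssh/ansible_ed25519"
          - "   - Verify VPN endpoint IPs are correct"
          - ""
          - "7. Run Phase 2 FROM ValleyForge:"
          - "   cd /root/resist-vpn-infra"
          - "   ansible-playbook -i inventory/hosts.yml playbooks/site.yml"
          - ""
          - "========================================="

    # Interactive gate; skipped with -e skip_pause=true for unattended runs.
    - name: Pause for manual steps
      ansible.builtin.pause:
        prompt: |
          Complete the manual steps above, then press ENTER to continue to Phase 2.
          Or press Ctrl+C to stop here and run Phase 2 manually later.
      when: not (skip_pause | default(false) | bool)

# Phase 2 is opt-in: it only works once the SSH key from step 5 above is on
# the endpoints, so it is off unless the operator explicitly enables it.
- name: Phase 2 - Deploy VPN Endpoints
  import_playbook: site.yml
  tags: ['vpn-endpoints', 'phase2']
  when: deploy_vpn_endpoints | default(false) | bool

- name: Deployment Complete
  hosts: localhost
  gather_facts: false
  tags: ['always']
  vars:
    # Single normalised flag so the status lines and the conditional hint
    # below agree on whether Phase 2 ran.
    phase2_deployed: "{{ deploy_vpn_endpoints | default(false) | bool }}"
  tasks:
    - name: Display final summary
      ansible.builtin.debug:
        msg:
          - "========================================="
          - "Complete Infrastructure Deployment"
          - "========================================="
          - ""
          - "Phase 1: ValleyForge (Admin Control Plane)"
          - "   ✓ System hardening (CIS Level 1)"
          - "   ✓ Admin users created"
          - "   ✓ WireGuard admin VPN deployed"
          - "   ✓ Ansible control node configured"
          - ""
          - "Phase 2: VPN Endpoints (User VPN)"
          - "   {{ '✓' if phase2_deployed else '⏸' }} VPN1, VPN2, VPN3 deployment"
          - "   {{ '✓' if phase2_deployed else '⏸' }} User VPN configured"
          - "   {{ '✓' if phase2_deployed else '⏸' }} Firewall lockdown complete"
          - ""

    # Each element of a debug `msg` list is templated on its own, so a
    # `{% if %}` in one element and its `{% endif %}` in another cannot be
    # paired; the conditional block lives in its own task with `when` instead.
    - name: Display remaining Phase 2 steps
      ansible.builtin.debug:
        msg:
          - "To complete Phase 2, run from ValleyForge:"
          - "   cd /root/resist-vpn-infra"
          - "   ansible-playbook -i inventory/hosts.yml playbooks/site.yml"
          - ""
      when: not phase2_deployed

    - name: Display closing banner
      ansible.builtin.debug:
        msg:
          - "Infrastructure ready for 200+ users!"
          - "========================================="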