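---
# ValleyForge Admin Control Plane Deployment
#
# This playbook deploys ValleyForge server with:
# - System hardening (CIS Level 1)
# - Admin users for infrastructure management
# - WireGuard admin VPN (for admin team access)
# - Ansible control node setup
# - Firewall (allows admin VPN, restricts SSH to admin VPN)
#
# Inputs read by this play (all optional):
# - admin_users: list of users handed to the ssh_users role; the summary
#   tasks read each entry's `username` and `comment`
# - wg_network: admin VPN network, printed with a 10.100.0.0/24 fallback in
#   pre_tasks only (the post-role summaries expect the role to have set it)
# - valleyforge_repo_url, valleyforge_repo_version, valleyforge_clone_repo
#
# Variables the summary tasks read but this file never sets (presumably
# provided by the roles above — verify against them): wg_server_ip, wg_port,
# wg_peers (wireguard_server) and ssh_keys_local_dir (ssh_users).

- name: Deploy ValleyForge Admin Control Plane
  hosts: valleyforge
  become: true
  gather_facts: true

  pre_tasks:
    - name: Display deployment information
      ansible.builtin.debug:
        msg:
          - "Deploying ValleyForge admin control plane to: {{ inventory_hostname }}"
          - "IP Address: {{ ansible_default_ipv4.address }}"
          - "OS: {{ ansible_distribution }} {{ ansible_distribution_version }}"
          - "Admin VPN Network: {{ wg_network | default('10.100.0.0/24') }}"

    # The check accepts 22.04 or newer; the task name now matches fail_msg
    # (it previously claimed to verify 24.04).
    - name: Verify Ubuntu 22.04 or newer
      ansible.builtin.assert:
        that:
          - ansible_distribution == "Ubuntu"
          - ansible_distribution_version is version('22.04', '>=')
        fail_msg: "This playbook requires Ubuntu 22.04 or newer"
        success_msg: "OS version check passed"

  roles:
    - role: system_hardening
      tags: ['hardening', 'security', 'cis']

    # Skipped entirely when no admin users are declared; root then stays the
    # only management account (the summary below reflects that).
    - role: ssh_users
      tags: ['users', 'ssh', 'security']
      when: admin_users is defined and admin_users | length > 0

    - role: wireguard_server
      tags: ['wireguard', 'vpn', 'admin-vpn']

    - role: secure_firewall
      tags: ['firewall', 'security']

  post_tasks:
    - name: Install Ansible and control node dependencies
      ansible.builtin.apt:
        name:
          - ansible
          - git
          - python3-pip
          - python3-venv
          - jq
        state: present
        update_cache: true
      tags: ['ansible', 'control-node']

    # Runs under become, so the collections land in root's collection path.
    # changed_when keys off ansible-galaxy's success message; an already
    # installed collection reports ok instead of changed.
    - name: Install Ansible collections for control node
      ansible.builtin.command:
        cmd: "ansible-galaxy collection install {{ item }}"
      loop:
        - community.general
        - community.crypto
      tags: ['ansible', 'control-node']
      register: galaxy_install
      changed_when: "'was installed successfully' in galaxy_install.stdout"

    - name: Clone resist-vpn-infra repository
      ansible.builtin.git:
        repo: "{{ valleyforge_repo_url | default('https://git.hacker.supply/valleyforge/resist-vpn-infra.git') }}"
        dest: /root/resist-vpn-infra
        # Branch, tag or commit to check out. The default follows the moving
        # 'master' branch; set valleyforge_repo_version to a tag or commit for
        # a reproducible checkout.
        version: "{{ valleyforge_repo_version | default('master') }}"
        # force discards any local modifications in dest on every run.
        force: true
      tags: ['ansible', 'control-node', 'repo']
      when: valleyforge_clone_repo | default(true)

    # Key pair is created relative to root's home: /root/.ssh/ansible_ed25519
    # and the matching .pub file.
    - name: Generate SSH key for Ansible management
      ansible.builtin.user:
        name: root
        generate_ssh_key: true
        ssh_key_type: ed25519
        ssh_key_file: .ssh/ansible_ed25519
        ssh_key_comment: "ansible@valleyforge"
      tags: ['ansible', 'control-node', 'ssh']

    # Reads only the public half; the private key never leaves /root/.ssh.
    - name: Display ValleyForge public key
      ansible.builtin.slurp:
        src: /root/.ssh/ansible_ed25519.pub
      register: valleyforge_pubkey
      tags: ['ansible', 'control-node', 'ssh']

    - name: Save ValleyForge public key to file
      ansible.builtin.copy:
        content: "{{ valleyforge_pubkey.content | b64decode }}"
        dest: /root/valleyforge_ansible_pubkey.txt
        mode: '0644'
      tags: ['ansible', 'control-node', 'ssh']

    # wg_network and ssh_keys_local_dir are used without defaults here on
    # purpose: after the roles have run, an undefined value is an error worth
    # surfacing rather than printing the pre_tasks fallback.
    - name: Display deployment summary
      ansible.builtin.debug:
        msg:
          - "========================================="
          - "ValleyForge Deployment Complete!"
          - "========================================="
          - ""
          - "Server: {{ inventory_hostname }}"
          - "Public IP: {{ ansible_default_ipv4.address }}"
          - "Admin VPN Network: {{ wg_network }}"
          - "Admin Users: {{ admin_users | map(attribute='username') | list | join(', ') if admin_users is defined else 'none' }}"
          - ""
          - "Admin VPN Configs: /root/wireguard-client-configs/"
          - "{% if admin_users is defined and admin_users | length > 0 %}SSH Keys: {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{% endif %}"
          - "Ansible Public Key: /root/valleyforge_ansible_pubkey.txt"
          - "Repository: /root/resist-vpn-infra"
          - ""
          - "Next steps:"
          - "1. Download admin VPN configs from server"
          - "2. Connect to admin VPN"
          - "3. Copy Ansible public key to VPN endpoints:"
          - " ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN1-IP"
          - "4. Configure /root/resist-vpn-infra/inventory/"
          - "5. Deploy VPN endpoints: ansible-playbook -i inventory/hosts.yml playbooks/site.yml"
          - ""
          - "========================================="

    # Written 0600 because it lists the VPN client config paths (those files
    # presumably hold peer private keys — confirm against wireguard_server).
    # NOTE(review): step 1 below fetches the configs over SSH as root, while
    # the same summary states root SSH login is disabled once admin users
    # exist; operators with admin_users set will need to fetch as that user.
    - name: Save ValleyForge deployment summary
      ansible.builtin.copy:
        dest: /root/valleyforge-deployment-summary.txt
        content: |
          ValleyForge Admin Control Plane Deployment Summary
          ===================================================

          Deployment Date: {{ ansible_date_time.iso8601 }}
          Server: {{ inventory_hostname }}
          Public IP: {{ ansible_default_ipv4.address }}

          Components Deployed:
          - System Hardening (CIS Level 1 compliant)
          - SSH User Management
          - WireGuard Admin VPN Server
          - Secure Firewall (Management access via admin VPN)
          - Ansible Control Node

          Admin Users:
          {% if admin_users is defined %}
          {% for user in admin_users %}
          - {{ user.username }} ({{ user.comment | default('') }})
          {% endfor %}
          {% else %}
          - None created (using root)
          {% endif %}

          Admin VPN Configuration:
          - Network: {{ wg_network }}
          - Server IP: {{ wg_server_ip }}
          - Port: {{ wg_port }}
          - Admin Users: {{ wg_peers | length }}

          Ansible Control Node:
          - Ansible version: {{ ansible_version.full }}
          - Repository: /root/resist-vpn-infra
          - SSH Key: /root/.ssh/ansible_ed25519
          - Public Key: /root/valleyforge_ansible_pubkey.txt

          Admin VPN Client Configurations:
          {% for peer in wg_peers %}
          - {{ peer.name }}: /root/wireguard-client-configs/{{ peer.name }}.conf
          {% endfor %}

          Security Features (CIS Compliant):
          - SSH hardened (key-only, strong ciphers)
          - Root SSH login disabled (after admin users created)
          - Password policies enforced
          - AppArmor enabled and enforcing
          - Comprehensive audit logging
          - Automatic security updates enabled
          - Fail2ban active
          - Management ports restricted to admin VPN

          Next Steps:
          ==========
          1. Download Admin VPN Configs:
             scp root@{{ ansible_default_ipv4.address }}:/root/wireguard-client-configs/* ./

          2. Install WireGuard client on your machine:
             - Linux: sudo apt install wireguard
             - macOS: brew install wireguard-tools
             - Windows: https://www.wireguard.com/install/

          3. Import admin VPN config and connect

          4. Copy Ansible SSH key to VPN endpoints:
             ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN1-IP
             ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN2-IP
             ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN3-IP

          5. Configure inventory:
             cd /root/resist-vpn-infra
             nano inventory/hosts.yml
             nano inventory/group_vars/vpn_servers.yml

          6. Deploy VPN endpoints:
             ansible-playbook -i inventory/hosts.yml playbooks/site.yml

          Important Files:
          - Admin VPN configs: /root/wireguard-client-configs/
          - Ansible SSH key: /root/.ssh/ansible_ed25519
          - Ansible public key: /root/valleyforge_ansible_pubkey.txt
          - Repository: /root/resist-vpn-infra
          - Firewall config: /root/firewall-config.txt
          - Sudo log: /var/log/sudo.log
          - Audit logs: /var/log/audit/audit.log
        mode: '0600'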