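---
# Group Variables for VPN Servers
# These settings apply to VPN1, VPN2, VPN3 (user-facing VPN endpoints)
#
# Layout: the "Management Access Control" section decides who may reach the
# management ports, the "System Hardening" section decides how sshd/sudo/PAM
# are configured on the hosts. Several values are referenced across sections
# via Jinja ("{{ ssh_port }}", "{{ wg_port }}"); keep them in one place.

# ==========================================
# CRITICAL: Set ValleyForge Public IP
# ==========================================
# This address is the only source admitted to the management ports below
# (see management_allowed_sources). A wrong or stale value locks every
# administrator out of SSH on all VPN hosts once vpn_only_mode is applied,
# so verify it before a run and keep a console/out-of-band path available.
valleyforge_public_ip: "185.112.147.205"  # CHANGE THIS! (placeholder value)

# ==========================================
# Admin Users (SSH Access Management)
# ==========================================
# Create admin users with SSH keys and sudo access.
# Fields per entry: username, comment, groups, generate_keys, shell, state,
# and optionally authorized_keys (see the charlie example below).
admin_users:
  - username: alice
    comment: "Alice - Infrastructure Admin"
    groups: ["sudo", "adm"]
    # Auto-generate SSH key pair. NOTE(review): where the generated private
    # key is written and how it reaches the user is decided by the consuming
    # role, not here — confirm it is not kept in the repo or on the host.
    generate_keys: true
    shell: /bin/bash
    state: present

  - username: bob
    comment: "Bob - Security Admin"
    groups: ["sudo"]
    generate_keys: true
    shell: /bin/bash
    state: present

  # Example with existing SSH key (preferred when the user already holds a
  # key: no private key is ever generated on the managed host):
  # - username: charlie
  #   comment: "Charlie - Operations"
  #   groups: ["sudo"]
  #   generate_keys: false
  #   authorized_keys:
  #     - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAA... charlie@laptop"
  #   shell: /bin/bash
  #   state: present

# ==========================================
# Management Access Control (Two-Tier Architecture)
# ==========================================
# Allow management from ValleyForge only.
# This is a single-address allowlist: if the ValleyForge egress address
# changes, management access is gone until this file is updated from a host
# that can still reach the servers. Enabling the admin VPN network entry
# below gives a second, independent path.
management_allowed_sources:
  - "{{ valleyforge_public_ip }}"  # ValleyForge public IP
  # - "10.100.0.0/24"  # Optional: ValleyForge admin VPN network

# Management ports (restricted to management_allowed_sources)
management_ports:
  # Tracks ssh_port (System Hardening section) so the allowlist rule follows
  # a port change instead of silently leaving the new port unrestricted.
  - port: "{{ ssh_port }}"
    proto: tcp
    comment: "SSH"

# Public ports (user VPN - always accessible)
public_ports:
  - port: "{{ wg_port }}"  # resolved from the WireGuard section below
    proto: udp
    comment: "WireGuard User VPN"

# Enable VPN-only mode (restrict management to management_allowed_sources).
# With this on, everything in management_ports is reachable only from
# management_allowed_sources; public_ports stay open to everyone.
vpn_only_mode: true

# ==========================================
# WireGuard User VPN Configuration
# ==========================================
# Each VPN endpoint has its own network (override in host_vars)
wg_network: "10.200.0.0/24"  # Default
wg_server_ip: "10.200.0.1"  # Default
wg_port: 51820  # UDP; exposed via public_ports above

# VPN users (end users, not admins)
# Only peer names are declared here; key material is not part of this file.
wg_peers:
  - name: user1
  - name: user2
  - name: user3
  # Add 50-70 users per endpoint

# ==========================================
# System Hardening (CIS Level 1 Compliant)
# ==========================================
system_timezone: "UTC"

# SSH Configuration (CIS 5.2.x)
ssh_port: 22  # referenced by management_ports
# sshd option values are strings ("no"), not YAML booleans, on purpose.
ssh_permit_root_login: "no"  # CIS 5.2.8
ssh_password_authentication: "no"  # Key-only auth
# Empty = allow all users (no AllowUsers restriction). Listing the
# admin_users usernames here limits SSH logins to those accounts, which is
# the intended end state for a hardened management surface.
ssh_allowed_users: []

# Security Features
fail2ban_enabled: true
auditd_enabled: true
apparmor_enabled: true
unattended_upgrades_enabled: true
ssh_rate_limit: true

# Password Policies (CIS 5.4.x, 5.5.x)
password_max_days: 365
password_min_days: 1
password_warn_age: 7
password_inactive_days: 30

# Sudo Configuration (CIS 5.3.x)
# NOTE(review): NOPASSWD sudo is at odds with the CIS 5.3.x control that
# users provide a password for privilege escalation, and it means a
# compromised admin SSH key is immediately root. Keep true only if the
# automation genuinely needs it; otherwise set false and let automation use
# become with a vault-stored password.
sudo_nopasswd: true  # For automation
sudo_timeout: 15  # Minutes

# Root Account
# disable_root_login and ssh_permit_root_login presumably both map to sshd
# PermitRootLogin — keep them in agreement.
disable_root_login: true  # Disable root SSH
# NOTE(review): sudo/sudo -i do not use root's password, so locking the
# account would not block sudo; leaving it unlocked only matters for
# console/recovery login. Revisit if a console password is not required.
lock_root_account: false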