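---
# Complete Two-Tier VPN Infrastructure Deployment
#
# This playbook deploys the entire infrastructure in the correct order:
# 1. ValleyForge (admin control plane)
# 2. VPN1, VPN2, VPN3 (user-facing VPN endpoints)
#
# Phase 2 is gated on the extra variable `deploy_vpn_endpoints` (default:
# false) because it is meant to be run FROM ValleyForge, over the admin VPN,
# once the Ansible SSH key has been distributed to the endpoints (see the
# manual steps printed by the "Phase 1 Complete" play below).
#
# Usage:
#   # Deploy from your local machine (Phase 1; Phase 2 only runs when
#   # deploy_vpn_endpoints=true is passed):
#   ansible-playbook -i inventory/hosts.yml playbooks/deploy_all.yml
#
#   # Or deploy in phases:
#   ansible-playbook -i inventory/hosts.yml playbooks/deploy_all.yml --tags valleyforge
#   ansible-playbook -i inventory/hosts.yml playbooks/deploy_all.yml --tags vpn-endpoints \
#       -e deploy_vpn_endpoints=true
#
# Extra variables:
#   deploy_vpn_endpoints=true   run Phase 2 (site.yml) from this control node
#   skip_pause=true             skip the interactive pause (unattended / CI runs)
#
# Values passed with `-e key=value` arrive as strings ("false" is a non-empty,
# truthy string), so every consumer of these flags normalises them with
# `| bool` instead of testing them directly.

- name: Phase 1 - Deploy ValleyForge Admin Control Plane
  import_playbook: valleyforge.yml
  tags: ['valleyforge', 'phase1']

- name: Phase 1 Complete - Pause for Manual Steps
  hosts: localhost
  gather_facts: false
  tags: ['valleyforge', 'phase1']

  tasks:
    - name: Display next steps
      ansible.builtin.debug:
        msg:
          - "========================================="
          - "Phase 1 Complete: ValleyForge Deployed"
          - "========================================="
          - ""
          - "Before proceeding to Phase 2, you must:"
          - ""
          - "1. Download admin VPN configs from ValleyForge:"
          # These files hold the admin WireGuard private keys: keep them out of
          # shared directories and version control and restrict their permissions.
          - "   scp root@VALLEYFORGE-IP:/root/wireguard-client-configs/* ./"
          - ""
          - "2. Install WireGuard client on your machine"
          - ""
          - "3. Import admin VPN config and connect"
          - ""
          - "4. Test admin VPN connection:"
          - "   ping 10.100.0.1"
          - ""
          # NOTE(review): steps 5-7 assume root SSH login is still accepted on the
          # endpoints at this point and that the endpoint hardening in site.yml
          # only locks it down afterwards - confirm against site.yml.
          - "5. Copy Ansible SSH key to VPN endpoints:"
          - "   ssh root@VALLEYFORGE-IP"
          - "   ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN1-IP"
          - "   ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN2-IP"
          - "   ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN3-IP"
          - ""
          - "6. Update inventory/hosts.yml on ValleyForge:"
          - "   - Set ansible_ssh_private_key_file: /root/.ssh/ansible_ed25519"
          - "   - Verify VPN endpoint IPs are correct"
          - ""
          - "7. Run Phase 2 FROM ValleyForge:"
          - "   cd /root/resist-vpn-infra"
          - "   ansible-playbook -i inventory/hosts.yml playbooks/site.yml"
          - ""
          - "========================================="

    # Interactive gate between the phases; `-e skip_pause=true` bypasses it
    # for unattended runs.
    - name: Pause for manual steps
      ansible.builtin.pause:
        prompt: |

          Complete the manual steps above, then press ENTER to continue to Phase 2.

          Or press Ctrl+C to stop here and run Phase 2 manually later.
      when: not (skip_pause | default(false) | bool)

# A `when` on import_playbook is attached to every imported task rather than
# skipping the imported plays themselves, so Ansible still resolves the hosts
# of site.yml (and presumably still runs their fact gathering - confirm)
# even when the flag is off.
- name: Phase 2 - Deploy VPN Endpoints
  import_playbook: site.yml
  tags: ['vpn-endpoints', 'phase2']
  when: deploy_vpn_endpoints | default(false) | bool

- name: Deployment Complete
  hosts: localhost
  gather_facts: false
  tags: ['always']

  vars:
    # Same gate as the Phase 2 import above.
    phase2_done: "{{ deploy_vpn_endpoints | default(false) | bool }}"
    phase2_mark: "{{ '✓' if (phase2_done | bool) else '⏸' }}"

  tasks:
    # Each list item is templated on its own, so Jinja block tags such as
    # `{% if %}` / `{% endif %}` cannot span items (an unterminated `{% if %}`
    # in a single item is a template error). The conditional hint is therefore
    # emitted by the separate task below instead.
    - name: Display final summary
      ansible.builtin.debug:
        msg:
          - "========================================="
          - "Complete Infrastructure Deployment"
          - "========================================="
          - ""
          - "Phase 1: ValleyForge (Admin Control Plane)"
          - "  ✓ System hardening (CIS Level 1)"
          - "  ✓ Admin users created"
          - "  ✓ WireGuard admin VPN deployed"
          - "  ✓ Ansible control node configured"
          - ""
          - "Phase 2: VPN Endpoints (User VPN)"
          - "  {{ phase2_mark }} VPN1, VPN2, VPN3 deployment"
          - "  {{ phase2_mark }} User VPN configured"
          - "  {{ phase2_mark }} Firewall lockdown complete"
          - ""
          - "Infrastructure ready for 200+ users!"
          - "========================================="

    - name: Display how to complete Phase 2
      ansible.builtin.debug:
        msg:
          - "To complete Phase 2, run from ValleyForge:"
          - "  cd /root/resist-vpn-infra"
          - "  ansible-playbook -i inventory/hosts.yml playbooks/site.yml"
      when: not (phase2_done | bool)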