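---
# ValleyForge Admin Control Plane Deployment
#
# This playbook deploys ValleyForge server with:
# - System hardening (CIS Level 1)
# - Admin users for infrastructure management
# - WireGuard admin VPN (for admin team access)
# - Ansible control node setup
# - Firewall (allows admin VPN, restricts SSH to admin VPN)
#
# Runs against the `valleyforge` inventory group with privilege escalation.
# The roles referenced below live elsewhere in the repository; the variables
# the post_tasks summary reads (wg_network, wg_server_ip, wg_port, wg_peers,
# ssh_keys_local_dir) are expected to be set by those roles — confirm against
# the role defaults if a summary line renders as undefined.

- name: Deploy ValleyForge Admin Control Plane
  hosts: valleyforge
  become: true
  # Facts are required: the pre_tasks assert on ansible_distribution* and the
  # summaries read ansible_default_ipv4 and ansible_date_time.
  gather_facts: true

  pre_tasks:
    - name: Display deployment information
      ansible.builtin.debug:
        msg:
          - "Deploying ValleyForge admin control plane to: {{ inventory_hostname }}"
          - "IP Address: {{ ansible_default_ipv4.address }}"
          - "OS: {{ ansible_distribution }} {{ ansible_distribution_version }}"
          # The default guards against wg_network being undefined when
          # pre_tasks run, before the wireguard_server role has set it.
          - "Admin VPN Network: {{ wg_network | default('10.100.0.0/24') }}"

    # The check accepts 22.04 or newer (matching fail_msg); the task was
    # previously named "Verify Ubuntu 24.04", which contradicted the assert.
    - name: Verify Ubuntu 22.04 or newer
      ansible.builtin.assert:
        that:
          - ansible_distribution == "Ubuntu"
          - ansible_distribution_version is version('22.04', '>=')
        fail_msg: "This playbook requires Ubuntu 22.04 or newer"
        success_msg: "OS version check passed"

  roles:
    - role: system_hardening
      tags: ['hardening', 'security', 'cis']

    # Skipped entirely when no admin users are declared; the host then stays
    # root-only, and the summary below reports "None created (using root)".
    - role: ssh_users
      tags: ['users', 'ssh', 'security']
      when: admin_users is defined and admin_users | length > 0

    - role: wireguard_server
      tags: ['wireguard', 'vpn', 'admin-vpn']

    # Runs after wireguard_server; presumably so the firewall rules can refer
    # to the admin VPN interface/network — confirm in the role itself.
    - role: secure_firewall
      tags: ['firewall', 'security']

  post_tasks:
    - name: Install Ansible and control node dependencies
      ansible.builtin.apt:
        name:
          - ansible
          - git
          - python3-pip
          - python3-venv
          - jq
        state: present
        update_cache: true
      tags: ['ansible', 'control-node']

    # Collections are fetched from Galaxy without a version pin, so each run
    # may pull a newer release; pin as `namespace.name:version` if the control
    # node must be reproducible.
    - name: Install Ansible collections for control node
      ansible.builtin.command:
        cmd: ansible-galaxy collection install {{ item }}
      loop:
        - community.general
        - community.crypto
      register: galaxy_install
      # Change detection keys off the success message rather than the exit
      # code, so a re-run that installs nothing new reports "ok".
      changed_when: "'was installed successfully' in galaxy_install.stdout"
      tags: ['ansible', 'control-node']

    # force: true discards any local edits in /root/resist-vpn-infra on every
    # run, and `version: master` tracks the branch head rather than a fixed
    # tag or commit — pin a tag/commit if the checkout must be auditable.
    - name: Clone resist-vpn-infra repository
      ansible.builtin.git:
        repo: "{{ valleyforge_repo_url | default('https://git.hacker.supply/valleyforge/resist-vpn-infra.git') }}"
        dest: /root/resist-vpn-infra
        version: master
        force: true
      when: valleyforge_clone_repo | default(true)
      tags: ['ansible', 'control-node', 'repo']

    # Generates root's management key once; no `force` is set, so an existing
    # key file is left untouched on later runs.
    - name: Generate SSH key for Ansible management
      ansible.builtin.user:
        name: root
        generate_ssh_key: true
        ssh_key_type: ed25519
        ssh_key_file: .ssh/ansible_ed25519
        ssh_key_comment: "ansible@valleyforge"
      tags: ['ansible', 'control-node', 'ssh']

    # Reads only the public half of the key (the task was previously named
    # "Display ..." but it does not print anything).
    - name: Read ValleyForge public key
      ansible.builtin.slurp:
        src: /root/.ssh/ansible_ed25519.pub
      register: valleyforge_pubkey
      tags: ['ansible', 'control-node', 'ssh']

    - name: Save ValleyForge public key to file
      ansible.builtin.copy:
        content: "{{ valleyforge_pubkey.content | b64decode }}"
        dest: /root/valleyforge_ansible_pubkey.txt
        mode: '0644'  # public key only; world-readable is acceptable
      tags: ['ansible', 'control-node', 'ssh']

    - name: Display deployment summary
      ansible.builtin.debug:
        msg:
          - "========================================="
          - "ValleyForge Deployment Complete!"
          - "========================================="
          - ""
          - "Server: {{ inventory_hostname }}"
          - "Public IP: {{ ansible_default_ipv4.address }}"
          - "Admin VPN Network: {{ wg_network }}"
          - "Admin Users: {{ admin_users | map(attribute='username') | list | join(', ') if admin_users is defined else 'none' }}"
          - ""
          - "Admin VPN Configs: /root/wireguard-client-configs/"
          # ssh_keys_local_dir is not defined in this play; assumed to come
          # from the ssh_users role, which is why the line is guarded.
          - "{% if admin_users is defined and admin_users | length > 0 %}SSH Keys: {{ ssh_keys_local_dir }}/{{ inventory_hostname }}/{% endif %}"
          - "Ansible Public Key: /root/valleyforge_ansible_pubkey.txt"
          - "Repository: /root/resist-vpn-infra"
          - ""
          - "Next steps:"
          - "1. Download admin VPN configs from server"
          - "2. Connect to admin VPN"
          - "3. Copy Ansible public key to VPN endpoints:"
          - " ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN1-IP"
          - "4. Configure /root/resist-vpn-infra/inventory/"
          - "5. Deploy VPN endpoints: ansible-playbook -i inventory/hosts.yml playbooks/site.yml"
          - ""
          - "========================================="

    # NOTE(review): step 1 below fetches the client configs with scp as root
    # over the public address, while the header describes SSH as restricted
    # to the admin VPN and root login as disabled once admin users exist.
    # Confirm that path still works after this play; otherwise fetch the
    # configs in-band (e.g. ansible.builtin.fetch) before the firewall
    # restriction applies. The client configs carry VPN key material, so
    # keep the transfer authenticated and clean them up once distributed.
    - name: Save ValleyForge deployment summary
      ansible.builtin.copy:
        dest: /root/valleyforge-deployment-summary.txt
        content: |
          ValleyForge Admin Control Plane Deployment Summary
          ===================================================

          Deployment Date: {{ ansible_date_time.iso8601 }}
          Server: {{ inventory_hostname }}
          Public IP: {{ ansible_default_ipv4.address }}

          Components Deployed:
          - System Hardening (CIS Level 1 compliant)
          - SSH User Management
          - WireGuard Admin VPN Server
          - Secure Firewall (Management access via admin VPN)
          - Ansible Control Node

          Admin Users:
          {% if admin_users is defined %}
          {% for user in admin_users %}
          - {{ user.username }} ({{ user.comment | default('') }})
          {% endfor %}
          {% else %}
          - None created (using root)
          {% endif %}

          Admin VPN Configuration:
          - Network: {{ wg_network }}
          - Server IP: {{ wg_server_ip }}
          - Port: {{ wg_port }}
          - Admin Users: {{ wg_peers | length }}

          Ansible Control Node:
          - Ansible version: {{ ansible_version.full }}
          - Repository: /root/resist-vpn-infra
          - SSH Key: /root/.ssh/ansible_ed25519
          - Public Key: /root/valleyforge_ansible_pubkey.txt

          Admin VPN Client Configurations:
          {% for peer in wg_peers %}
          - {{ peer.name }}: /root/wireguard-client-configs/{{ peer.name }}.conf
          {% endfor %}

          Security Features (CIS Compliant):
          - SSH hardened (key-only, strong ciphers)
          - Root SSH login disabled (after admin users created)
          - Password policies enforced
          - AppArmor enabled and enforcing
          - Comprehensive audit logging
          - Automatic security updates enabled
          - Fail2ban active
          - Management ports restricted to admin VPN

          Next Steps:
          ==========

          1. Download Admin VPN Configs:
             scp root@{{ ansible_default_ipv4.address }}:/root/wireguard-client-configs/* ./

          2. Install WireGuard client on your machine:
             - Linux: sudo apt install wireguard
             - macOS: brew install wireguard-tools
             - Windows: https://www.wireguard.com/install/

          3. Import admin VPN config and connect

          4. Copy Ansible SSH key to VPN endpoints:
             ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN1-IP
             ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN2-IP
             ssh-copy-id -i /root/.ssh/ansible_ed25519 root@VPN3-IP

          5. Configure inventory:
             cd /root/resist-vpn-infra
             nano inventory/hosts.yml
             nano inventory/group_vars/vpn_servers.yml

          6. Deploy VPN endpoints:
             ansible-playbook -i inventory/hosts.yml playbooks/site.yml

          Important Files:
          - Admin VPN configs: /root/wireguard-client-configs/
          - Ansible SSH key: /root/.ssh/ansible_ed25519
          - Ansible public key: /root/valleyforge_ansible_pubkey.txt
          - Repository: /root/resist-vpn-infra
          - Firewall config: /root/firewall-config.txt
          - Sudo log: /var/log/sudo.log
          - Audit logs: /var/log/audit/audit.log
        # Root-only: the summary maps out key and config locations on the host.
        mode: '0600'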