resist-vpn-infra/CHANGELOG.md

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [2.0.0] - 2025-01-26

### Added

#### CIS Compliance
- **CIS Ubuntu 24.04 Level 1** benchmark compliance
- AppArmor mandatory access control (CIS 1.3.x)
- Comprehensive audit rules (CIS 4.1.6-17)
- Enhanced sysctl parameters (CIS 3.1.x, 3.2.x)
- Uncommon network protocols disabled (CIS 3.3.x)
- Core dumps restricted (CIS 1.5.1)
- Security banners (CIS 1.4.x)

#### SSH User Management
- New `ssh_users` role for admin user management
- Automatic SSH key pair generation on control node
- Password policy enforcement (CIS 5.4.x, 5.5.x)
- PAM configuration for password complexity (CIS 5.5.1)
- Account lockout policies (CIS 5.5.2)
- Password reuse prevention (CIS 5.5.3)
- Sudo configuration with logging (CIS 5.3.x)
- Root SSH login disabled by default
- Root account locking option

#### Playbooks
- `users.yml` - User management playbook
- `add_user.yml` - Interactive user addition
- `remove_user.yml` - Interactive user removal
- `validate.yml` - Pre-deployment configuration validation

#### Documentation
- `CIS_REQUIREMENTS.md` - CIS compliance details
- `TWO_TIER_DEPLOYMENT.md` - Two-tier architecture guide
- Updated README with v2.0 features
- SSH key usage instructions

### Changed

#### Firewall Role
- **BREAKING**: `vpn_network` replaced with `management_allowed_sources` (list)
- Now supports multiple management sources (IPs and CIDRs)
- Better validation and error messages
- Improved two-tier architecture support

#### System Hardening Role
- Enhanced with CIS-specific tasks
- New `sysctl_cis.yml` for CIS network parameters
- New `apparmor.yml` for mandatory access control
- New `disable_protocols.yml` for uncommon protocols
- New `core_dumps.yml` for core dump restriction
- Updated `audit.yml` with comprehensive CIS rules

#### Inventory
- Added `admin_users` configuration examples
- Added `management_allowed_sources` configuration
- Added CIS-specific variables
- Better documentation and comments

#### Site Playbook
- Integrated `ssh_users` role
- Enhanced deployment summary with user info
- CIS compliance status in summary

### Fixed
- SSH hardening now properly disables root login
- Audit rules now immutable after loading
- Firewall rules properly handle multiple management sources
- Sudo logging configured correctly

### Security
- Root SSH login disabled by default
- Password authentication disabled
- Strong SSH ciphers enforced
- AppArmor profiles enforcing
- Comprehensive audit logging
- Account lockout after 5 failed attempts
- Password complexity requirements
- Automatic security updates

## [1.1.0] - 2025-01-26

### Added
- Two-tier architecture support
- `management_allowed_sources` for firewall
- Validation playbook
- Host-specific variables for VPN networks

### Changed
- Firewall role supports multiple management sources
- Updated documentation for two-tier architecture

## [1.0.0] - 2025-01-26

### Added
- Initial release
- System hardening role
- WireGuard server role
- Secure firewall role
- Basic playbooks (site, hardening, wireguard, firewall)
- Documentation

### Security
- SSH hardening
- Sysctl parameters
- Fail2ban
- Auditd
- Automatic updates
- UFW firewall

[2.0.0]: https://git.hacker.supply/valleyforge/secure-vpn-server/compare/v1.1.0...v2.0.0
[1.1.0]: https://git.hacker.supply/valleyforge/secure-vpn-server/compare/v1.0.0...v1.1.0
[1.0.0]: https://git.hacker.supply/valleyforge/secure-vpn-server/releases/tag/v1.0.0