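---
# ValleyForge Admin Control Plane Configuration
#
# Bootstrap checklist: three settings below are deliberately permissive so the
# first deployment can be reached before the admin VPN exists. Once the VPN and
# admin users are confirmed working, flip all three together and redeploy:
#   1. vpn_only_mode: false            -> true
#   2. management_allowed_sources      -> the admin VPN network only
#   3. ssh_permit_root_login: "yes"    -> "no"

# Admin Users (for infrastructure management)
# These users will have SSH access and sudo privileges on ValleyForge
admin_users:
  - username: alice
    comment: "Alice - Infrastructure Lead"
    groups: ["sudo"]
    # generate_keys: presumably has the deployment create an SSH key pair for
    # this user; confirm against the role that consumes it.
    generate_keys: true

  - username: bob
    comment: "Bob - Security Admin"
    groups: ["sudo"]
    generate_keys: true

# WireGuard Admin VPN Configuration
# This VPN is for your admin team to securely access ValleyForge
wg_network: "10.100.0.0/24"
wg_server_address: "10.100.0.1/24"  # server host address inside wg_network
wg_port: 51820

# Admin VPN peers (your infrastructure team)
# Peer addresses are auto-assigned from wg_network; the commented values show
# the expected assignment for reference.
wg_peers:
  - name: admin1
    # ip: 10.100.0.10  # Auto-assigned
  - name: admin2
    # ip: 10.100.0.11  # Auto-assigned
  - name: admin3
    # ip: 10.100.0.12  # Auto-assigned

# Firewall Configuration
# IMPORTANT: Set vpn_only_mode to false initially to allow SSH access
# After admin VPN is working, set to true and redeploy
vpn_only_mode: false  # Change to true after admin VPN is configured

# Sources allowed to reach management_ports. While "0.0.0.0/0" is in effect,
# SSH (22/tcp) is reachable from any address; ssh_password_authentication,
# ssh_max_auth_tries and enable_fail2ban below limit brute-force exposure but
# do not replace restricting the source range.
management_allowed_sources:
  - "0.0.0.0/0"  # Allow from anywhere initially
  # After admin VPN is working, change to:
  # - "10.100.0.0/24"  # Admin VPN network only

management_ports:
  - port: 22
    proto: tcp
    comment: "SSH"
  - port: 51820
    proto: udp
    comment: "WireGuard Admin VPN"

# SSH Hardening
# Keep root login enabled initially for bootstrapping
# The "yes"/"no" values are quoted on purpose: sshd expects the literal words,
# and unquoted yes/no would be read as YAML booleans by many parsers.
ssh_permit_root_login: "yes"  # Change to "no" after admin users are working
ssh_password_authentication: "no"
ssh_max_auth_tries: 3

# Security Settings
# Host hardening feature toggles.
enable_apparmor: true
enable_auditd: true
enable_fail2ban: true
enable_unattended_upgrades: true

# Ansible Control Node Settings
valleyforge_repo_url: "https://git.hacker.supply/valleyforge/resist-vpn-infra.git"
valleyforge_clone_repo: true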