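---
# Scaleway VPS: public entry point of the homelab.
# - Debian base hardening (packages, admin account, sudo, sshd)
# - UFW firewall (deny incoming by default; SSH, HTTP, HTTPS, WireGuard opened)
# - WireGuard (tunnel towards the homelab gateway)
# - Caddy (reverse proxy + TLS via Let's Encrypt)
#
# Expected inventory / vault variables:
#   admin_user                  - name of the non-root administrative account
#   vault_admin_password        - clear-text password of that account (vault)
#   vault_wg_vps_private_key    - WireGuard private key of this VPS (vault)
#   vault_wg_gateway_public_key - WireGuard public key of the homelab gateway (vault)
# The controller must hold the admin public key at ~/.ssh/homelab.pub.
- name: Configuration VPS
  hosts: vps
  become: true
  vars:
    # Key material only ever comes from the vault; the rendered wg0.conf is the
    # single place it lands on disk (mode 0600, see the WireGuard section).
    wg_vps_private_key: "{{ vault_wg_vps_private_key }}"
    wg_gateway_public_key: "{{ vault_wg_gateway_public_key }}"

  tasks:
    # -- Base hardening --
    - name: Mise a jour des paquets
      ansible.builtin.apt:
        update_cache: true
        upgrade: dist
      tags: [base]

    - name: Installation paquets utilitaires
      ansible.builtin.apt:
        name:
          - vim
          - curl
          - wget
          - ufw
          - wireguard
          - python3
        state: present
      tags: [base]

    - name: Creation utilisateur {{ admin_user }}
      ansible.builtin.user:
        name: "{{ admin_user }}"
        groups: sudo
        shell: /bin/bash
        create_home: true
        password: "{{ vault_admin_password | password_hash('sha512') }}"
        # password_hash() without an explicit salt yields a different hash on
        # every run, so without this the task reports "changed" and rewrites the
        # shadow entry each time. Only set the password when the account is created.
        update_password: on_create
        state: present
      tags: [base]

    - name: Cle SSH pour {{ admin_user }}
      ansible.posix.authorized_key:
        user: "{{ admin_user }}"
        key: "{{ lookup('file', '~/.ssh/homelab.pub') }}"
        state: present
      tags: [base]

    # Passwordless sudo for the whole sudo group: convenient for automation,
    # but any compromise of the admin key is an immediate root compromise.
    # visudo -c rejects a malformed file before it is installed.
    - name: Sudo sans mot de passe pour sudo group
      ansible.builtin.lineinfile:
        path: /etc/sudoers.d/sudo-nopasswd
        line: "%sudo ALL=(ALL) NOPASSWD: ALL"
        create: true
        mode: "0440"
        validate: "visudo -cf %s"
      tags: [base]

    # NOTE(review): recent Debian sshd_config starts with
    # "Include /etc/ssh/sshd_config.d/*.conf" and sshd keeps the FIRST value it
    # sees, so a drop-in (e.g. from cloud-init) can override these two lines.
    # Check `sshd -T | grep -Ei 'permitrootlogin|passwordauthentication'` after
    # the run. The validate step refuses a config that sshd cannot parse, which
    # otherwise would only surface as a failed restart and a locked-out host.
    - name: Desactiver login root SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PermitRootLogin"
        line: "PermitRootLogin no"
        validate: "sshd -t -f %s"
      notify: restart sshd
      tags: [base]

    - name: Desactiver auth par mot de passe SSH
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?PasswordAuthentication"
        line: "PasswordAuthentication no"
        validate: "sshd -t -f %s"
      notify: restart sshd
      tags: [base]

    # -- UFW firewall --
    # Rules are added before UFW is enabled so the SSH session is never cut.
    # `rule: limit` would additionally rate-limit SSH connection attempts.
    - name: Autoriser SSH
      community.general.ufw:
        rule: allow
        port: "22"
        proto: tcp
      tags: [firewall]

    - name: Autoriser HTTP
      community.general.ufw:
        rule: allow
        port: "80"
        proto: tcp
      tags: [firewall]

    - name: Autoriser HTTPS
      community.general.ufw:
        rule: allow
        port: "443"
        proto: tcp
      tags: [firewall]

    - name: Autoriser WireGuard
      community.general.ufw:
        rule: allow
        port: "51820"
        proto: udp
      tags: [firewall]

    - name: Activer UFW
      community.general.ufw:
        state: enabled
        policy: deny
      tags: [firewall]

    # -- WireGuard --
    # Forwarding is required for the VPS to relay traffic into the tunnel.
    - name: Activation IP forwarding
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_set: true
        reload: true
      tags: [wireguard]

    - name: Creation repertoire WireGuard
      ansible.builtin.file:
        path: /etc/wireguard
        state: directory
        mode: "0700"
      tags: [wireguard]

    # wg0.conf embeds the VPS private key: keep it root-only.
    - name: Deploiement config WireGuard VPS
      ansible.builtin.template:
        src: wg0-vps.conf.j2
        dest: /etc/wireguard/wg0.conf
        mode: "0600"
      notify: restart wireguard
      tags: [wireguard]

    - name: Activation WireGuard au boot
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: started
        enabled: true
      tags: [wireguard]

    # -- Caddy --
    - name: Installation des prerequis Caddy
      ansible.builtin.apt:
        name:
          - debian-keyring
          - debian-archive-keyring
          - apt-transport-https
        state: present
      tags: [caddy]

    # Both download steps are guarded by `creates:`. Without pipefail a failed
    # curl would still let gpg/tee create the target file (empty or truncated),
    # and the guard would then hide the failure on every later run.
    - name: Ajout cle GPG Caddy
      ansible.builtin.shell: |
        set -o pipefail
        curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
          | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
      args:
        executable: /bin/bash
        creates: /usr/share/keyrings/caddy-stable-archive-keyring.gpg
      tags: [caddy]

    - name: Ajout repo Caddy
      ansible.builtin.shell: |
        set -o pipefail
        curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
          | tee /etc/apt/sources.list.d/caddy-stable.list
      args:
        executable: /bin/bash
        creates: /etc/apt/sources.list.d/caddy-stable.list
      notify: apt update
      tags: [caddy]

    - name: Installation Caddy
      ansible.builtin.apt:
        name: caddy
        state: present
        update_cache: true
      tags: [caddy]

    - name: Deploiement Caddyfile
      ansible.builtin.template:
        src: Caddyfile-vps.j2
        dest: /etc/caddy/Caddyfile
        mode: "0644"
      notify: restart caddy
      tags: [caddy]

    - name: Activation Caddy
      ansible.builtin.systemd:
        name: caddy
        state: started
        enabled: true
      tags: [caddy]

  handlers:
    # On Debian the OpenSSH server unit is `ssh`; `sshd` only resolves through
    # an alias symlink that exists while the unit is enabled.
    - name: restart sshd
      ansible.builtin.systemd:
        name: ssh
        state: restarted

    - name: restart wireguard
      ansible.builtin.systemd:
        name: wg-quick@wg0
        state: restarted

    - name: restart caddy
      ansible.builtin.systemd:
        name: caddy
        state: restarted

    - name: apt update
      ansible.builtin.apt:
        update_cache: true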