added readme

README.md

@@ -1,2 +1,210 @@
-ansible-playbook site.yml
+# Cloud-Forge
 
+Ansible-based infrastructure automation for deploying and managing a VPS with multiple VPN services and web proxies.
+
+## Architecture
+
+The project deploys:
+- **VPN Services**: OpenConnect (ocserv) with multiple instances, WireGuard, AmneziaWG
+- **Web Infrastructure**: HAProxy load balancer, Nginx reverse proxy with SSL termination
+- **Security**: Fail2ban, automated Let's Encrypt certificates, iptables firewall rules
+- **Network Configuration**: NAT masquerading, port management, reverse proxy setup
+
+## Requirements
+
+- Ubuntu 22.04 or 24.04 target server
+- Ansible 2.9+
+- Root SSH access to target server
+- Domain names with DNS pointing to server IP
+
+## Quick Start
+
+1. Clone repository:
+```bash
+git clone https://github.com/okhsunrog/cloud-forge.git
+cd cloud-forge
+```
+
+2. Configure inventory:
+```bash
+cp inventory.yml.example inventory.yml
+# Edit inventory.yml with your server details
+```
+
+3. Configure variables:
+```bash
+cp group_vars/all/vault.yml.example group_vars/all/vault.yml
+# Edit group_vars/all/vars.yml for domain and network configuration
+# Edit group_vars/all/vault.yml for credentials and user accounts
+```
+
+4. Encrypt sensitive data:
+```bash
+ansible-vault encrypt group_vars/all/vault.yml
+```
+
+5. Deploy infrastructure:
+```bash
+ansible-playbook site.yml --ask-vault-pass
+```
+
+## Configuration
+
+### Network Subnets
+Edit `group_vars/all/vars.yml`:
+```yaml
+vpn_subnets:
+  ocserv_personal: "10.67.76.0/24"
+  ocserv_friends: "10.68.68.0/24"
+  wireguard: "10.66.66.0/24"
+  amneziawg: "10.65.65.0/24"
+```
+
+### Port Configuration
+```yaml
+ports:
+  external:
+    wireguard:
+      port: 58889
+      type: udp
+    amneziawg:
+      port: 58888
+      type: udp
+```
+
+### VPN Users
+Add users to `group_vars/all/vault.yml`:
+
+**WireGuard peers:**
+```yaml
+wireguard_peers:
+  - name: "client1"
+    private_key: "generated_private_key"
+    public_key: "generated_public_key"
+    ip: "10.66.66.2"
+```
+
+**AmneziaWG peers:**
+```yaml
+amneziawg_peers:
+  - name: "client1"
+    private_key: "generated_private_key"
+    public_key: "generated_public_key"
+    ip: "10.65.65.2"
+```
+
+**OpenConnect users:**
+```yaml
+ocserv_users:
+  personal:
+    - username: "user1"
+      password: "password"
+```
+
+### Domains
+```yaml
+domains:
+  nginx:
+    blog:
+      - "example.com"
+      - "www.example.com"
+```
+
+## Key Generation
+
+**WireGuard:**
+```bash
+wg genkey | tee private.key | wg pubkey > public.key
+```
+
+**AmneziaWG:**
+```bash
+awg genkey | tee private.key | awg pubkey > public.key
+```
+
+## Management Commands
+
+### Full Deployment
+```bash
+ansible-playbook site.yml --ask-vault-pass
+```
+
+### Update VPN Users Only
+```bash
+ansible-playbook update_vpn_users.yml --ask-vault-pass      # OpenConnect
+ansible-playbook update_amneziawg_users.yml --ask-vault-pass # AmneziaWG
+```
+
+### Lint and Validation
+```bash
+ansible-playbook --syntax-check site.yml
+ansible-playbook --check --diff site.yml
+ansible-lint site.yml
+```
+
+## File Structure
+
+```
+├── site.yml                    # Main playbook
+├── inventory.yml               # Target hosts configuration
+├── ansible.cfg                 # Ansible configuration
+├── group_vars/all/
+│   ├── vars.yml               # Plain variables
+│   └── vault.yml              # Encrypted credentials
+├── roles/
+│   ├── base_system/           # Base system hardening
+│   ├── wireguard/             # WireGuard VPN
+│   ├── amneziawg/             # AmneziaWG VPN with DPI obfuscation
+│   ├── ocserv/                # OpenConnect VPN server
+│   ├── nginx/                 # Reverse proxy with SSL
+│   ├── haproxy/               # Load balancer
+│   ├── certbot/               # Let's Encrypt certificates
+│   ├── network/               # Firewall and routing
+│   └── fail2ban/              # Intrusion prevention
+└── update_*.yml               # User management playbooks
+```
+
+## Client Configuration
+
+After deployment, client configurations are available at:
+- WireGuard: `/etc/wireguard/clients/`
+- AmneziaWG: `/etc/amnezia/amneziawg/clients/`
+
+Download configurations:
+```bash
+scp root@server:/etc/wireguard/clients/client.conf ./
+scp root@server:/etc/amnezia/amneziawg/clients/client.conf ./
+```
+
+## Customization
+
+### Adding New VPN Instance
+1. Add subnet to `vpn_subnets` in `vars.yml`
+2. Add port configuration to `ports.external`
+3. Update `roles/network/tasks/main.yml` firewall rules
+4. Create role or extend existing role configuration
+
+### Modifying SSL Domains
+1. Update `domains` section in `vars.yml`
+2. Run `ansible-playbook site.yml --tags certbot,nginx`
+
+### Network Isolation
+The configuration includes network isolation between VPN networks. Friends VPN network is blocked from accessing other VPN subnets by default.
+
+## Troubleshooting
+
+### AmneziaWG DKMS Issues (Ubuntu 24.04)
+The playbook automatically fixes Ubuntu 24.04 DKMS compilation issues by adding required source repositories.
+
+### Certificate Renewal
+Certificates auto-renew via systemd timer. Check status:
+```bash
+systemctl status certbot-renewal.timer
+```
+
+### VPN Service Issues
+```bash
+systemctl status wg-quick@wg0           # WireGuard
+systemctl status awg-quick@awg0         # AmneziaWG  
+systemctl status ocserv-personal        # OpenConnect
+```