Provision a personal hardened Linux VPS for each developer on a team
Replace shared bastion SSH with Cloudflare Tunnel and Cloudflare Access identity checks
Give developers a browser-based code-server IDE accessible from a phone or tablet
Ship per-user auditd syscall logs hourly to an S3 bucket for compliance review
Requires Contabo, Cloudflare, AWS, and Terraform plus Ansible plumbing wired together; the README itself says this is overkill for fewer than three developers.
This repository is a set of automation scripts for standing up a fleet of small Linux servers, one per developer on a team. It uses two well-known tools: Ansible, which runs configuration recipes on remote machines, and Terraform, which provisions cloud resources. An ops person on a control workstation can stand up, harden, and maintain a personal cloud server for each member of the team without anyone sharing a login. The README says the setup was built for onboarding around 25 developers.

Each person gets their own Linux VPS from Contabo at about $5 to $15 a month, with sudo rights on their own machine and nothing shared between team members. sshd is not exposed to the open internet: connections route through Cloudflare Tunnel, with Cloudflare Access checking identity at the network edge before traffic reaches the host. Each box also runs code-server, a browser-based VS Code, so developers can work from a phone or tablet without installing a VPN client.

Logging is tagged per user. The Linux audit daemon (auditd) records every syscall, and the logs are shipped hourly to an S3 bucket. Credentials on the boxes are not static: a broker script obtains short-lived AWS credentials through IAM Roles Anywhere on each call, so nothing long-lived sits on disk. The servers also share a private 10.200.0.0/24 network over Cloudflare WARP.

Hardening covers the SSH daemon configuration, fail2ban, automatic security updates, sysctl tweaks, per-user disk quotas, Docker firewall and resource limits, and a supply-chain monitor that watches for known npm and VS Code extension attack patterns in detect-only mode (it reports, it does not block).

The README is explicit that for one or two developers this is overkill and suggests Tailscale SSH instead. The license is MIT.
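The per-user hourly shipping step is the piece a compliance reviewer will ask about, so here it is as an added example in Python. This is not code from the repository or its README; it assumes raw records are read straight from audit.log, that records are attributed by login UID (auid, which persists through sudo) rather than by effective uid, that hours are bucketed in UTC, and an object layout of audit/<host>/<user>/YYYY/MM/DD/HH.log.gz under a bucket name passed on the command line. The sample records, hostnames and usernames are constructed for the example and are not taken from any real host or from the project.

```python
"""Per-user hourly auditd shipping to S3 (added example, not the project's code).

Attribution uses auid, the login UID the kernel stamps on every record for the
session, so a developer's sudo'd commands (uid=0) still land in that developer's
object rather than in root's. Daemons and cron have auid unset.
"""
import gzip
import pwd
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AUID_UNSET = 4294967295  # -1 as unsigned 32-bit: no login session (boot, cron, daemons)

# Constructed sample records (not captured from a real host). 1001 and 1002 both
# belong to login uid 1001 although 1002 ran under sudo; 1004 has no login uid.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1747900800.123:1001): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="exec"
type=SYSCALL msg=audit(1747900801.456:1002): arch=c000003e syscall=59 success=yes exit=0 auid=1001 uid=0 comm="apt" exe="/usr/bin/apt" key="exec"
type=SYSCALL msg=audit(1747904400.789:1003): arch=c000003e syscall=59 success=yes exit=0 auid=1002 uid=1002 comm="code-server" exe="/usr/bin/node" key="exec"
type=CRED_ACQ msg=audit(1747904401.000:1004): pid=900 uid=0 auid=4294967295 comm="cron" exe="/usr/sbin/cron"
"""

RECORD_RE = re.compile(r"msg=audit\((?P<epoch>\d+)\.\d+:\d+\)")
AUID_RE = re.compile(r"\bauid=(?P<auid>\d+)\b")


def parse_record(line):
    """Return (epoch_seconds, auid) for one raw audit line, or None if either is missing."""
    m = RECORD_RE.search(line)
    a = AUID_RE.search(line)
    if not m or not a:
        return None
    return int(m.group("epoch")), int(a.group("auid"))


def hour_floor(epoch):
    """Start of the UTC hour containing the record."""
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return ts.replace(minute=0, second=0, microsecond=0)


def resolve_user(auid, name_map=None):
    """Map auid to a username; records without a login session go under 'system'.
    name_map is an offline override (assumed for tests); otherwise the host passwd db is used."""
    if auid == AUID_UNSET:
        return "system"
    if name_map and auid in name_map:
        return name_map[auid]
    try:
        return pwd.getpwuid(auid).pw_name
    except KeyError:
        return f"uid{auid}"


def group_by_user_hour(lines, window_start=None, window_end=None, name_map=None):
    """Group raw lines into {(user, hour_datetime): [lines]} restricted to [start, end)."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        epoch, auid = parsed
        if window_start is not None and epoch < window_start:
            continue
        if window_end is not None and epoch >= window_end:
            continue
        groups[(resolve_user(auid, name_map), hour_floor(epoch))].append(line)
    return dict(groups)


def s3_key(hostname, user, hour):
    """Object layout assumed for this example: audit/<host>/<user>/YYYY/MM/DD/HH.log.gz"""
    return f"audit/{hostname}/{user}/{hour:%Y/%m/%d/%H}.log.gz"


def ship(groups, bucket, hostname, put_object=None):
    """Gzip each (user, hour) group and upload it; returns the keys written.
    put_object(bucket, key, body) defaults to boto3 S3 PutObject, imported lazily so
    parsing and grouping run without AWS libraries installed."""
    if put_object is None:
        import boto3
        client = boto3.client("s3")

        def put_object(b, k, body):
            client.put_object(Bucket=b, Key=k, Body=body)
    shipped = []
    for (user, hour), lines in sorted(groups.items()):
        key = s3_key(hostname, user, hour)
        put_object(bucket, key, gzip.compress("".join(lines).encode()))
        shipped.append(key)
    return shipped


def previous_hour_window(now=None):
    """Epoch bounds [start, end) of the last completed hour, for an hourly timer run."""
    now = now or datetime.now(timezone.utc)
    end = now.replace(minute=0, second=0, microsecond=0)
    start = end - timedelta(hours=1)
    return int(start.timestamp()), int(end.timestamp())


if __name__ == "__main__":
    import socket
    import sys
    start, end = previous_hour_window()
    with open("/var/log/audit/audit.log") as f:  # assumed default auditd log path
        groups = group_by_user_hour(f, start, end)
    for key in ship(groups, sys.argv[1], socket.gethostname()):
        print("shipped", key)
```

Run it from an hourly cron job or systemd timer shortly after the hour closes. If auditd rotates audit.log on the boundary, also read the rotated file, or feed the window to ausearch --raw instead of the file read. Pair it with a bucket policy that limits each host's Roles Anywhere session to PutObject under its own audit/<host>/ prefix, so a compromised VPS cannot overwrite or delete another host's evidence.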
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.