network-vault/README.md

# Network Vault

Ansible playbook for network vault.

* This creates a share vault on the target server which is writeable.
* A second share is read only and keeps snapshots of the data from the rw-share.
* Everey 4 hours, rsnapshot creates cheap copies of the data on the ro-share.
* How long the data will be kept depends on settings in rsnapshot.conf

## Use-Case:
* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.
* When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.
* When sealing the vault, you can not access it over ssh any more so no ransomware can access the system.
* You should NOT NOT NOT NOT have a KVM-Console connected because this can be used to access the system over the network
* Place this machine on something like an Intel NUC, paint it red and put it into a safe place.
* Create any job to copy your DR-plans there regular.
* It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date

Varialbes:
* networkvault_vault_password -> password for user to access shares
* networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network

ToDo:
* Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
* Check diff-size and do some kind of alter
* Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
* Add more interfaces like WebDAV, FTP
* Only reboot if required
* check no unneeded ports open/block with firewall
first commit 2021-06-12 01:17:01 +02:00			`# Network Vault`

			`Ansible playbook for network vault.`

udpates README.md 2021-06-12 01:22:03 +02:00			`* This creates a share vault on the target server which is writeable.`
			`* A second share is read only and keeps snapshots of the data from the rw-share.`
			`* Everey 4 hours, rsnapshot creates cheap copies of the data on the ro-share.`
			`* How long the data will be kept depends on settings in rsnapshot.conf`
first commit 2021-06-12 01:17:01 +02:00
udpates README.md 2021-06-12 01:19:00 +02:00			`## Use-Case:`
udpates README.md 2021-06-12 01:22:03 +02:00			`* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.`
			`* When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.`
			`* When sealing the vault, you can not access it over ssh any more so no ransomware can access the system.`
			`* You should NOT NOT NOT NOT have a KVM-Console connected because this can be used to access the system over the network`
			`* Place this machine on something like an Intel NUC, paint it red and put it into a safe place.`
			`* Create any job to copy your DR-plans there regular.`
			`* It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date`
first commit 2021-06-12 01:17:01 +02:00
			`Varialbes:`
			`* networkvault_vault_password -> password for user to access shares`
			`* networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network`

			`ToDo:`
			`* Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share`
			`* Check diff-size and do some kind of alter`
			`* Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)`
			`* Add more interfaces like WebDAV, FTP`
			`* Only reboot if required`
			`* check no unneeded ports open/block with firewall`