Compare commits
10 Commits
e8e3df738d
...
3ccdc864cb
| Author | SHA1 | Date |
|---|---|---|
 Alexander Gabriel
|
3ccdc864cb | |
|
Alexander Gabriel
|
953803a2fa | |
|
Alexander Gabriel
|
378dc0ccc1 | |
|
Alexander Gabriel
|
2dce9a5d44 | |
|
Alexander Gabriel
|
57d27308ef | |
|
Alexander Gabriel
|
09adf9b273 | |
|
Alexander Gabriel
|
52408e5e1d | |
|
Alexander Gabriel
|
a87af3e264 | |
|
Alexander Gabriel
|
c5b0e36ee2 | |
|
Alexander Gabriel
|
99303d9810 |
13
README.md
13
README.md
|
|
@ -8,15 +8,15 @@ Ansible playbook for network vault.
|
|||
* How long the data will be kept depends on settings in rsnapshot.conf
|
||||
|
||||
## Use-Case:
|
||||
* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.
|
||||
* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like disaster-recovery-plans, password databases, network-plans, contact-lists - all the data that should not be encrypted and you need in case of ransomware-attack to bootstrap youself.
|
||||
* When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.
|
||||
* When sealing the vault, you can not access it over ssh any more, change settings, access system over network so no ransomware can to this either.
|
||||
* You should **NOT NOT NOT NOT** have a KVM-Console connected because this can be used to access the system over the network
|
||||
* Place this machine on something like an Intel NUC, paint it red and put it into a safe place.
|
||||
* Place this machine on something like an Intel NUC, paint it red and put it into a safe place where you have network connection.
|
||||
* Create any job to copy your DR-plans there regular.
|
||||
* It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date
|
||||
|
||||
Varialbes:
|
||||
Variables:
|
||||
* networkvault_vault_password -> password for user to access shares
|
||||
* networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network
|
||||
|
||||
|
|
@ -24,6 +24,9 @@ ToDo:
|
|||
* Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
|
||||
* Check diff-size and do some kind of alter
|
||||
* Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
|
||||
* Add more interfaces like WebDAV, FTP
|
||||
* Add more interfaces like WebDAV, FTP, email to receive data
|
||||
* Only reboot if required
|
||||
* check no unneeded ports open/block with firewall
|
||||
* check no unneeded ports open/block with firewall
|
||||
* encrypt harddrive
|
||||
* copy date on flash drive to have some kind of "rescue-dongle"
|
||||
* build checksums and signatures of data
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
---
|
||||
- name: restart smbd
|
||||
service:
|
||||
name: smbd
|
||||
state: restarted
|
||||
|
||||
- name: restart cron
|
||||
service:
|
||||
name: cron
|
||||
state: restarted
|
||||
|
|
@ -30,6 +30,27 @@
|
|||
New SMB password: "{{ networkvault_vault_password }}"
|
||||
Retype new SMB password: "{{ networkvault_vault_password }}"
|
||||
|
||||
- name: generate /etc/samba/smb.conf
|
||||
template:
|
||||
src: smb.conf.j2
|
||||
dest: /etc/samba/smb.conf
|
||||
notify:
|
||||
- restart smbd
|
||||
|
||||
- name: set permission for ro-share
|
||||
file:
|
||||
path: /var/cache/rsnapshot
|
||||
mode: '0755'
|
||||
state: directory
|
||||
recurse: yes
|
||||
|
||||
- name: generate /etc/rsnapshot.conf
|
||||
template:
|
||||
src: rsnapshot.conf.j2
|
||||
dest: /etc/rsnapshot.conf
|
||||
notify:
|
||||
- restart cron
|
||||
|
||||
- name: reboot at 6 in the morning to activate kernel-updates
|
||||
cron:
|
||||
name: "reboot"
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@
|
|||
# CONFIG FILE VERSION #
|
||||
#######################
|
||||
|
||||
config_version 1.2
|
||||
config_version 1.2
|
||||
|
||||
###########################
|
||||
# SNAPSHOT ROOT DIRECTORY #
|
||||
|
|
@ -20,7 +20,7 @@ config_version 1.2
|
|||
|
||||
# All snapshots will be stored under this root directory.
|
||||
#
|
||||
snapshot_root /var/cache/rsnapshot/
|
||||
snapshot_root /var/cache/rsnapshot/
|
||||
|
||||
# If no_create_root is enabled, rsnapshot will not automatically create the
|
||||
# snapshot_root directory. This is particularly useful if you are backing
|
||||
|
|
@ -37,16 +37,16 @@ snapshot_root /var/cache/rsnapshot/
|
|||
#
|
||||
# See the README file or the man page for more details.
|
||||
#
|
||||
cmd_cp /bin/cp
|
||||
cmd_cp /bin/cp
|
||||
|
||||
# uncomment this to use the rm program instead of the built-in perl routine.
|
||||
#
|
||||
cmd_rm /bin/rm
|
||||
cmd_rm /bin/rm
|
||||
|
||||
# rsync must be enabled for anything to work. This is the only command that
|
||||
# must be enabled.
|
||||
#
|
||||
cmd_rsync /usr/bin/rsync
|
||||
cmd_rsync /usr/bin/rsync
|
||||
|
||||
# Uncomment this to enable remote ssh backups over rsync.
|
||||
#
|
||||
|
|
@ -54,7 +54,7 @@ cmd_rsync /usr/bin/rsync
|
|||
|
||||
# Comment this out to disable syslog support.
|
||||
#
|
||||
cmd_logger /usr/bin/logger
|
||||
cmd_logger /usr/bin/logger
|
||||
|
||||
# Uncomment this to specify the path to "du" for disk usage checks.
|
||||
# If you have an older version of "du", you may also want to check the
|
||||
|
|
@ -90,10 +90,10 @@ cmd_logger /usr/bin/logger
|
|||
# e.g. alpha, beta, gamma, etc. #
|
||||
#########################################
|
||||
|
||||
retain alpha 6
|
||||
retain beta 7
|
||||
retain gamma 4
|
||||
retain delta 12
|
||||
retain alpha 6
|
||||
retain beta 7
|
||||
retain gamma 4
|
||||
retain delta 12
|
||||
|
||||
############################################
|
||||
# GLOBAL OPTIONS #
|
||||
|
|
@ -107,13 +107,13 @@ retain delta 12
|
|||
# 4 Extra Verbose Show extra verbose information
|
||||
# 5 Debug mode Everything
|
||||
#
|
||||
verbose 2
|
||||
verbose 2
|
||||
|
||||
# Same as "verbose" above, but controls the amount of data sent to the
|
||||
# logfile, if one is being used. The default is 3.
|
||||
# If you want the rsync output, you have to set it to 4
|
||||
#
|
||||
loglevel 3
|
||||
loglevel 3
|
||||
|
||||
# If you enable this, data will be written to the file you specify. The
|
||||
# amount of data written is controlled by the "loglevel" parameter.
|
||||
|
|
@ -125,7 +125,7 @@ loglevel 3
|
|||
# If you enable this, make sure the lockfile directory is not world
|
||||
# writable. Otherwise anyone can prevent the program from running.
|
||||
#
|
||||
lockfile /var/run/rsnapshot.pid
|
||||
lockfile /var/run/rsnapshot.pid
|
||||
|
||||
# By default, rsnapshot check lockfile, check if PID is running
|
||||
# and if not, consider lockfile as stale, then start
|
||||
|
|
@ -224,8 +224,8 @@ lockfile /var/run/rsnapshot.pid
|
|||
###############################
|
||||
|
||||
# LOCALHOST
|
||||
#backup /home/ localhost/
|
||||
#backup /etc/ localhost/
|
||||
#backup /home/ localhost/
|
||||
#backup /etc/ localhost/
|
||||
#backup /usr/local/ localhost/
|
||||
|
||||
#backup /var/log/rsnapshot localhost/
|
||||
|
|
@ -251,4 +251,4 @@ lockfile /var/run/rsnapshot.pid
|
|||
#backup rsync://rsync.samba.org/rsyncftp/ rsync.samba.org/rsyncftp/
|
||||
|
||||
|
||||
backup /var/vault/ localhost/
|
||||
backup /var/vault/ localhost/
|
||||
|
|
|
|||
|
|
@ -245,11 +245,11 @@ create mask = 0755
|
|||
public = no
|
||||
|
||||
[roshare]
|
||||
comment = Vault
|
||||
comment = Read Only Share
|
||||
path = /var/cache/rsnapshot
|
||||
browsable = yes
|
||||
guest ok = no
|
||||
read only = yes
|
||||
read list = vault
|
||||
create mask = 0755
|
||||
create mask = 0644
|
||||
public = no
|
||||
|
|
|
|||
Loading…
Reference in New Issue