Compare commits

..

10 Commits

5 changed files with 57 additions and 23 deletions

View File

@ -8,15 +8,15 @@ Ansible playbook for network vault.
* How long the data will be kept depends on settings in rsnapshot.conf
## Use-Case:
* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.
* Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like disaster-recovery-plans, password databases, network-plans, contact-lists - all the data that should not be encrypted and you need in case of ransomware-attack to bootstrap youself.
* When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.
* When sealing the vault, you can not access it over ssh any more, change settings, access system over network so no ransomware can to this either.
* You should **NOT NOT NOT NOT** have a KVM-Console connected because this can be used to access the system over the network
* Place this machine on something like an Intel NUC, paint it red and put it into a safe place.
* Place this machine on something like an Intel NUC, paint it red and put it into a safe place where you have network connection.
* Create any job to copy your DR-plans there regular.
* It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date
Varialbes:
Variables:
* networkvault_vault_password -> password for user to access shares
* networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network
@ -24,6 +24,9 @@ ToDo:
* Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
* Check diff-size and do some kind of alter
* Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
* Add more interfaces like WebDAV, FTP
* Add more interfaces like WebDAV, FTP, email to receive data
* Only reboot if required
* check no unneeded ports open/block with firewall
* check no unneeded ports open/block with firewall
* encrypt harddrive
* copy date on flash drive to have some kind of "rescue-dongle"
* build checksums and signatures of data

10
handlers/main.yml Normal file
View File

@ -0,0 +1,10 @@
---
- name: restart smbd
service:
name: smbd
state: restarted
- name: restart cron
service:
name: cron
state: restarted

View File

@ -30,6 +30,27 @@
New SMB password: "{{ networkvault_vault_password }}"
Retype new SMB password: "{{ networkvault_vault_password }}"
- name: generate /etc/samba/smb.conf
template:
src: smb.conf.j2
dest: /etc/samba/smb.conf
notify:
- restart smbd
- name: set permission for ro-share
file:
path: /var/cache/rsnapshot
mode: '0755'
state: directory
recurse: yes
- name: generate /etc/rsnapshot.conf
template:
src: rsnapshot.conf.j2
dest: /etc/rsnapshot.conf
notify:
- restart cron
- name: reboot at 6 in the morning to activate kernel-updates
cron:
name: "reboot"

View File

@ -12,7 +12,7 @@
# CONFIG FILE VERSION #
#######################
config_version 1.2
config_version 1.2
###########################
# SNAPSHOT ROOT DIRECTORY #
@ -20,7 +20,7 @@ config_version 1.2
# All snapshots will be stored under this root directory.
#
snapshot_root /var/cache/rsnapshot/
snapshot_root /var/cache/rsnapshot/
# If no_create_root is enabled, rsnapshot will not automatically create the
# snapshot_root directory. This is particularly useful if you are backing
@ -37,16 +37,16 @@ snapshot_root /var/cache/rsnapshot/
#
# See the README file or the man page for more details.
#
cmd_cp /bin/cp
cmd_cp /bin/cp
# uncomment this to use the rm program instead of the built-in perl routine.
#
cmd_rm /bin/rm
cmd_rm /bin/rm
# rsync must be enabled for anything to work. This is the only command that
# must be enabled.
#
cmd_rsync /usr/bin/rsync
cmd_rsync /usr/bin/rsync
# Uncomment this to enable remote ssh backups over rsync.
#
@ -54,7 +54,7 @@ cmd_rsync /usr/bin/rsync
# Comment this out to disable syslog support.
#
cmd_logger /usr/bin/logger
cmd_logger /usr/bin/logger
# Uncomment this to specify the path to "du" for disk usage checks.
# If you have an older version of "du", you may also want to check the
@ -90,10 +90,10 @@ cmd_logger /usr/bin/logger
# e.g. alpha, beta, gamma, etc. #
#########################################
retain alpha 6
retain beta 7
retain gamma 4
retain delta 12
retain alpha 6
retain beta 7
retain gamma 4
retain delta 12
############################################
# GLOBAL OPTIONS #
@ -107,13 +107,13 @@ retain delta 12
# 4 Extra Verbose Show extra verbose information
# 5 Debug mode Everything
#
verbose 2
verbose 2
# Same as "verbose" above, but controls the amount of data sent to the
# logfile, if one is being used. The default is 3.
# If you want the rsync output, you have to set it to 4
#
loglevel 3
loglevel 3
# If you enable this, data will be written to the file you specify. The
# amount of data written is controlled by the "loglevel" parameter.
@ -125,7 +125,7 @@ loglevel 3
# If you enable this, make sure the lockfile directory is not world
# writable. Otherwise anyone can prevent the program from running.
#
lockfile /var/run/rsnapshot.pid
lockfile /var/run/rsnapshot.pid
# By default, rsnapshot check lockfile, check if PID is running
# and if not, consider lockfile as stale, then start
@ -224,8 +224,8 @@ lockfile /var/run/rsnapshot.pid
###############################
# LOCALHOST
#backup /home/ localhost/
#backup /etc/ localhost/
#backup /home/ localhost/
#backup /etc/ localhost/
#backup /usr/local/ localhost/
#backup /var/log/rsnapshot localhost/
@ -251,4 +251,4 @@ lockfile /var/run/rsnapshot.pid
#backup rsync://rsync.samba.org/rsyncftp/ rsync.samba.org/rsyncftp/
backup /var/vault/ localhost/
backup /var/vault/ localhost/

View File

@ -245,11 +245,11 @@ create mask = 0755
public = no
[roshare]
comment = Vault
comment = Read Only Share
path = /var/cache/rsnapshot
browsable = yes
guest ok = no
read only = yes
read list = vault
create mask = 0755
create mask = 0644
public = no