Go to file
2021-06-12 00:26:52 +01:00
tasks first commit 2021-06-12 00:17:01 +01:00
templates first commit 2021-06-12 00:17:01 +01:00
LICENSE Initial commit 2021-06-12 01:14:25 +02:00
README.md udpated README.md 2021-06-12 00:26:52 +01:00

Network Vault

Ansible playbook for network vault.

  • This creates a share vault on the target server which is writeable.
  • A second share is read only and keeps snapshots of the data from the rw-share.
  • Everey 4 hours, rsnapshot creates cheap copies of the data on the ro-share.
  • How long the data will be kept depends on settings in rsnapshot.conf

Use-Case:

  • Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like disaster-recovery-plans, password databases, network-plans, contact-lists - all the data that should not be encrypted and you need in case of ransomware-attack to bootstrap youself.
  • When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.
  • When sealing the vault, you can not access it over ssh any more, change settings, access system over network so no ransomware can to this either.
  • You should NOT NOT NOT NOT have a KVM-Console connected because this can be used to access the system over the network
  • Place this machine on something like an Intel NUC, paint it red and put it into a safe place where you have network connection.
  • Create any job to copy your DR-plans there regular.
  • It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date

Varialbes:

  • networkvault_vault_password -> password for user to access shares
  • networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network

ToDo:

  • Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
  • Check diff-size and do some kind of alter
  • Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
  • Add more interfaces like WebDAV, FTP
  • Only reboot if required
  • check no unneeded ports open/block with firewall