tasks | ||
templates | ||
LICENSE | ||
README.md |
Network Vault
Ansible playbook for network vault.
- This creates a share vault on the target server which is writeable.
- A second share is read only and keeps snapshots of the data from the rw-share.
- Everey 4 hours, rsnapshot creates cheap copies of the data on the ro-share.
- How long the data will be kept depends on settings in rsnapshot.conf
Use-Case:
- Create a immutable, WORM-Like Network-Share that holds REALLY!!! sensitive data like desaster-recovery-plans, password databases, network-plans, all the data you need in worst case and that should not be encrypted by any ransomware.
- When ransomware locks down your systems, this is your machine to go, plug in a console and start recovery.
- When sealing the vault, you can not access it over ssh any more so no ransomware can access the system.
- You should NOT NOT NOT NOT have a KVM-Console connected because this can be used to access the system over the network
- Place this machine on something like an Intel NUC, paint it red and put it into a safe place.
- Create any job to copy your DR-plans there regular.
- It uses cron-apt to update the system and reboots at 6 in the morning to keep kernel up to date
Varialbes:
- networkvault_vault_password -> password for user to access shares
- networkvault_seal_vault -> when set to "true" it will uninstall ssh-server to prevent any access via network
ToDo:
- Quota to ensure, space*backup-copies can not be exceed disk space and break backups by abusing share
- Check diff-size and do some kind of alter
- Add monitoring-agent/SNMP-support to be able to monitor system (alive? disk OK?)
- Add more interfaces like WebDAV, FTP
- Only reboot if required
- check no unneeded ports open/block with firewall