feat: Add backup and security hardening

2025-11-08 00:28:17 +01:00
parent 8de3f16ee6
commit 96f521a474
23 changed files with 5696 additions and 939 deletions
--- a/BACKUP-SECURITY-STATUS.md
+++ b/BACKUP-SECURITY-STATUS.md
@@ -0,0 +1,264 @@
+# Backup & Security Implementation Status
+
+**Last Updated**: 2025-11-07
+
+## Overview
+
+Implementation of comprehensive backup system and security hardening for Gentoo workstation.
+
+---
+
+## Part 1: Backup System
+
+### ✅ Completed Components
+
+#### Backup Scripts
+- **backup-setup** - Interactive management script
+  - Location: `/usr/local/bin/backup-setup`
+  - Functions: status, backup, list, logs, test
+  - Status: ✅ Created and installed
+
+- **backup-full** - Full system backup
+  - Location: `/usr/local/bin/backup-full`
+  - Excludes: caches, tmp, portage build dirs
+  - Status: ✅ Created and installed
+
+- **backup-home** - Home directory backup
+  - Location: `/usr/local/bin/backup-home`
+  - Backs up: `/home/alexander`
+  - Status: ✅ Created and installed
+
+- **backup-incremental** - Incremental backup
+  - Location: `/usr/local/bin/backup-incremental`
+  - Uses: rsync --link-dest for space efficiency
+  - Status: ✅ Created and installed
+
+- **backup-configs** - Configuration backup
+  - Location: `/usr/local/bin/backup-configs`
+  - Backs up: /etc, dotfiles, portage config, custom scripts
+  - Status: ✅ Created and installed
+
+#### Configuration
+- **backup.conf.example** - Configuration template
+  - Location: `/usr/local/share/backup-setup/backup.conf.example`
+  - Status: ✅ Created
+
+- **backup.conf** - Active configuration
+  - Location: `/etc/backup.conf`
+  - Status: ⚠️ **NEEDS CONFIGURATION** - Edit with NAS details
+
+#### Logging
+- **Log file**: `/var/log/backup.log`
+- **State directory**: `/var/lib/backup/`
+- Status: ✅ Created
+
+### ⏳ Pending Components
+
+#### ZSH Completion
+- **_backup-setup** - ZSH autocompletion
+  - Location: `/usr/local/share/zsh/site-functions/_backup-setup`
+  - Status: ⏳ Not yet created
+
+#### Network Trigger Service
+- **backup-monitor** - OpenRC service
+  - Watches for NAS availability on network
+  - Triggers automatic backup when NAS detected
+  - Cooldown mechanism to prevent spam
+  - Status: ⏳ Not yet created
+
+#### Documentation
+- **Backup-Setup.md** - Complete backup guide
+  - Installation instructions
+  - Configuration guide
+  - Usage examples
+  - Troubleshooting
+  - Status: ⏳ Not yet created
+
+---
+
+## Part 2: Security Hardening
+
+### ⏳ All Components Pending
+
+#### Firewall (nftables)
+- **nftables.conf** - Firewall ruleset
+  - Default deny incoming
+  - Allow outgoing
+  - Docker integration
+  - Status: ⏳ Not yet created
+
+- **nftables OpenRC service**
+  - Auto-start at boot
+  - Status: ⏳ Not yet created
+
+#### Intrusion Detection
+- **fail2ban** - SSH brute-force protection
+  - SSH jail configuration
+  - Auto-ban on failed attempts
+  - Status: ⏳ Not yet created
+
+#### System Hardening
+- **SSH hardening**
+  - Key-only authentication (optional)
+  - fail2ban integration
+  - Status: ⏳ Not yet created
+
+- **Audit & Monitoring**
+  - Log aggregation
+  - File integrity monitoring (optional)
+  - Status: ⏳ Not yet created
+
+#### Documentation
+- **Security-Hardening.md** - Security guide
+  - Firewall configuration
+  - fail2ban setup
+  - SSH hardening
+  - Monitoring setup
+  - Status: ⏳ Not yet created
+
+---
+
+## Installation Steps
+
+### Current Step: Configure and Test Backup
+
+1. **Install backup scripts** ✅ Done
+   ```bash
+   # Scripts installed to /usr/local/bin/
+   # backup-setup, backup-full, backup-home, backup-incremental, backup-configs
+   ```
+
+2. **Configure NAS connection** ⚠️ **DO THIS NOW**
+   ```bash
+   sudo nvim /etc/backup.conf
+
+   # Edit these values:
+   # NAS_HOST="your-nas-hostname"
+   # NAS_USER="your-backup-user"
+   # NAS_PATH="/path/to/backup/dir"
+   ```
+
+3. **Set up SSH key authentication** ⚠️ **REQUIRED**
+   ```bash
+   # Generate SSH key if you don't have one
+   ssh-keygen -t ed25519 -C "backup@gentoo-workstation"
+
+   # Copy to NAS
+   ssh-copy-id -p 22 backup-user@nas-hostname
+   ```
+
+4. **Test connection**
+   ```bash
+   backup-setup test
+   ```
+
+5. **Test backup (configs - lightweight)**
+   ```bash
+   backup-setup backup configs
+   ```
+
+6. **Check backup status**
+   ```bash
+   backup-setup status
+   backup-setup list
+   backup-setup logs
+   ```
+
+### Next Steps
+
+After successful backup test:
+
+1. **Create ZSH completion** - For backup-setup autocompletion
+2. **Create network trigger** - Automated backups when NAS detected
+3. **Implement firewall** - nftables configuration
+4. **Set up fail2ban** - SSH protection
+5. **Create documentation** - Complete guides
+
+---
+
+## Testing Checklist
+
+### Backup System Testing
+
+- [ ] Configuration file created (`/etc/backup.conf`)
+- [ ] NAS details configured (host, user, path)
+- [ ] SSH key authentication set up
+- [ ] Connection test passes (`backup-setup test`)
+- [ ] Config backup works (`backup-setup backup configs`)
+- [ ] Backup appears on NAS (`backup-setup list`)
+- [ ] Logs are written (`backup-setup logs`)
+- [ ] Status shows last backup (`backup-setup status`)
+
+### Security Testing (Future)
+
+- [ ] Firewall rules applied
+- [ ] fail2ban active and monitoring
+- [ ] SSH hardening verified
+- [ ] Logs monitored
+
+---
+
+## Quick Reference
+
+### Backup Commands
+
+```bash
+# Show status
+backup-setup status
+
+# Test connection
+backup-setup test
+
+# Run backups
+backup-setup backup configs      # Lightweight: configs only
+backup-setup backup home         # Medium: home directory
+backup-setup backup incremental  # Efficient: incremental changes
+backup-setup backup full         # Complete: entire system
+
+# View backups
+backup-setup list
+
+# View logs
+backup-setup logs
+```
+
+### File Locations
+
+```
+/usr/local/bin/backup-setup              # Main script
+/usr/local/bin/backup-{full,home,incremental,configs}  # Worker scripts
+/etc/backup.conf                         # Configuration
+/var/log/backup.log                      # Logs
+/var/lib/backup/last-backup              # Last backup timestamp
+/usr/local/share/backup-setup/           # Resources
+```
+
+---
+
+## Progress Summary
+
+**Backup System**: 60% Complete
+- ✅ All backup scripts created
+- ✅ Configuration system created
+- ✅ Logging set up
+- ⏳ ZSH completion pending
+- ⏳ Network trigger pending
+- ⏳ Documentation pending
+
+**Security Hardening**: 0% Complete
+- ⏳ Firewall pending
+- ⏳ fail2ban pending
+- ⏳ SSH hardening pending
+- ⏳ Documentation pending
+
+**Overall**: 30% Complete
+
+---
+
+## Notes
+
+- Backup system is functional and ready for testing
+- Security hardening will begin after backup system is confirmed working
+- Network trigger will be implemented using OpenRC service (not systemd)
+- All scripts are POSIX sh compatible
+- Follows same pattern as existing scripts (wifi-setup, audio-setup, etc.)