496198d49a
Platform pivot from Raspberry Pi to three-tier model: - Tier 1: Bootable Debian Live USB for field reporters - Tier 2: Docker/K8s org server for newsrooms - Tier 3: Docker/K8s federation relay for VPS Tier 1 — Live USB (deploy/live-usb/): - build.sh: live-build based image builder for amd64 - Package list: Python + system deps + minimal GUI (openbox + Firefox) - Install hook: creates venv, pip installs soosef[web,cli,attest,...] - Hardening hook: disable swap/coredumps, UFW, auto-login to web UI - systemd service with security hardening (NoNewPrivileges, ProtectSystem) - Auto-opens Firefox kiosk to http://127.0.0.1:5000 on boot Tier 2+3 — Docker (deploy/docker/): - Multi-stage Dockerfile with two targets: - server: full web UI + stego + attestation + federation (Tier 2) - relay: lightweight FastAPI attestation API only (Tier 3) - docker-compose.yml with both services and persistent volumes - .dockerignore for clean builds Kubernetes (deploy/kubernetes/): - namespace.yaml, server-deployment.yaml, relay-deployment.yaml - PVCs, services, health checks, resource limits - Single-writer strategy (Recreate, not RollingUpdate) for SQLite safety - README with architecture diagram and deployment instructions Config presets (deploy/config-presets/): - low-threat.json: press freedom country (no killswitch, 30min sessions) - medium-threat.json: restricted press (48h deadman, USB monitoring) - high-threat.json: conflict zone (12h deadman, tamper monitoring, 5min sessions) - critical-threat.json: targeted surveillance (127.0.0.1 only, 6h deadman, 3min sessions) Deployment guide rewritten for three-tier model with RPi as legacy appendix. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| critical-threat.json | ||
| high-threat.json | ||
| low-threat.json | ||
| medium-threat.json | ||
| README.md | ||
SooSeF Threat Level Configuration Presets
Select a preset based on your operational environment. Copy the appropriate
JSON file to ~/.soosef/config.json (or let the setup wizard choose one).
Presets
low-threat.json — Press Freedom Country
Nordics, New Zealand, Canada. Risk is accidental data loss, not adversarial seizure.
- No killswitch or dead man's switch
- Relaxed session timeouts (30 min)
- Backup reminders every 14 days
- Chain enabled for provenance integrity
medium-threat.json — Restricted Press
Turkey, Hungary, India. Risk of legal pressure, device seizure at borders.
- Killswitch available, dead man's switch at 48h/4h grace
- USB monitoring enabled
- Cover name: "Office Document Manager"
- Backup reminders every 7 days
high-threat.json — Active Conflict Zone
Syria, Myanmar, Ethiopia, Iran. Risk of raids, equipment seizure, physical coercion.
- 5-minute session timeout
- Dead man's switch at 12h/1h grace
- Tamper monitoring enabled
- Cover name: "Local Inventory Tracker"
- Daily backup reminders
critical-threat.json — Targeted Surveillance
Specific journalist or org targeted by state actor (Pegasus-level).
- Web UI bound to 127.0.0.1 only (access via SSH tunnel)
- 3-minute session timeout
- Dead man's switch at 6h/1h grace
- Cover name: "System Statistics"
- All monitoring enabled
- Consider: full-disk encryption, remove SSH after setup, Tor hidden service
Usage
# Copy preset to config location
cp deploy/config-presets/high-threat.json ~/.soosef/config.json
# Or via CLI (future: soosef init --threat-level high)