496198d49a
Platform pivot from Raspberry Pi to three-tier model: - Tier 1: Bootable Debian Live USB for field reporters - Tier 2: Docker/K8s org server for newsrooms - Tier 3: Docker/K8s federation relay for VPS Tier 1 — Live USB (deploy/live-usb/): - build.sh: live-build based image builder for amd64 - Package list: Python + system deps + minimal GUI (openbox + Firefox) - Install hook: creates venv, pip installs soosef[web,cli,attest,...] - Hardening hook: disable swap/coredumps, UFW, auto-login to web UI - systemd service with security hardening (NoNewPrivileges, ProtectSystem) - Auto-opens Firefox kiosk to http://127.0.0.1:5000 on boot Tier 2+3 — Docker (deploy/docker/): - Multi-stage Dockerfile with two targets: - server: full web UI + stego + attestation + federation (Tier 2) - relay: lightweight FastAPI attestation API only (Tier 3) - docker-compose.yml with both services and persistent volumes - .dockerignore for clean builds Kubernetes (deploy/kubernetes/): - namespace.yaml, server-deployment.yaml, relay-deployment.yaml - PVCs, services, health checks, resource limits - Single-writer strategy (Recreate, not RollingUpdate) for SQLite safety - README with architecture diagram and deployment instructions Config presets (deploy/config-presets/): - low-threat.json: press freedom country (no killswitch, 30min sessions) - medium-threat.json: restricted press (48h deadman, USB monitoring) - high-threat.json: conflict zone (12h deadman, tamper monitoring, 5min sessions) - critical-threat.json: targeted surveillance (127.0.0.1 only, 6h deadman, 3min sessions) Deployment guide rewritten for three-tier model with RPi as legacy appendix. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
40 lines
1.2 KiB
Bash
Executable File
40 lines
1.2 KiB
Bash
Executable File
#!/bin/bash
|
|
# Security hardening for the live image.
|
|
set -euo pipefail
|
|
|
|
echo "=== Applying security hardening ==="
|
|
|
|
# Disable core dumps (Python doesn't zero memory — core dumps leak keys)
|
|
echo "* hard core 0" >> /etc/security/limits.conf
|
|
echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/99-soosef.conf
|
|
echo "kernel.core_pattern=|/bin/false" >> /etc/sysctl.d/99-soosef.conf
|
|
|
|
# Disable swap (keys persist in swap pages)
|
|
systemctl mask swap.target || true
|
|
echo "vm.swappiness = 0" >> /etc/sysctl.d/99-soosef.conf
|
|
|
|
# Enable UFW with deny-all + allow web UI
|
|
ufw default deny incoming
|
|
ufw default allow outgoing
|
|
ufw allow 5000/tcp comment "SooSeF Web UI"
|
|
ufw allow 22/tcp comment "SSH"
|
|
ufw --force enable || true
|
|
|
|
# Disable unnecessary services
|
|
systemctl disable bluetooth.service 2>/dev/null || true
|
|
systemctl disable avahi-daemon.service 2>/dev/null || true
|
|
systemctl disable cups.service 2>/dev/null || true
|
|
|
|
# Enable SooSeF service
|
|
systemctl enable soosef.service
|
|
|
|
# Auto-login to openbox (so the browser opens without login prompt)
|
|
mkdir -p /etc/lightdm/lightdm.conf.d
|
|
cat > /etc/lightdm/lightdm.conf.d/50-autologin.conf << 'EOF'
|
|
[Seat:*]
|
|
autologin-user=soosef
|
|
autologin-user-timeout=0
|
|
EOF
|
|
|
|
echo "=== Hardening complete ==="
|