alee/fieldwitness
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
6325e86873
fieldwitness/deploy/config-presets/README.md
Aaron D. Lee 496198d49a
Some checks failed
CI / lint (push) Failing after 55s
Details
CI / typecheck (push) Failing after 31s
Details
Add three-tier deployment infrastructure 
Platform pivot from Raspberry Pi to three-tier model:
- Tier 1: Bootable Debian Live USB for field reporters
- Tier 2: Docker/K8s org server for newsrooms
- Tier 3: Docker/K8s federation relay for VPS

Tier 1 — Live USB (deploy/live-usb/):
- build.sh: live-build based image builder for amd64
- Package list: Python + system deps + minimal GUI (openbox + Firefox)
- Install hook: creates venv, pip installs soosef[web,cli,attest,...]
- Hardening hook: disable swap/coredumps, UFW, auto-login to web UI
- systemd service with security hardening (NoNewPrivileges, ProtectSystem)
- Auto-opens Firefox kiosk to http://127.0.0.1:5000 on boot

Tier 2+3 — Docker (deploy/docker/):
- Multi-stage Dockerfile with two targets:
  - server: full web UI + stego + attestation + federation (Tier 2)
  - relay: lightweight FastAPI attestation API only (Tier 3)
- docker-compose.yml with both services and persistent volumes
- .dockerignore for clean builds

Kubernetes (deploy/kubernetes/):
- namespace.yaml, server-deployment.yaml, relay-deployment.yaml
- PVCs, services, health checks, resource limits
- Single-writer strategy (Recreate, not RollingUpdate) for SQLite safety
- README with architecture diagram and deployment instructions

Config presets (deploy/config-presets/):
- low-threat.json: press freedom country (no killswitch, 30min sessions)
- medium-threat.json: restricted press (48h deadman, USB monitoring)
- high-threat.json: conflict zone (12h deadman, tamper monitoring, 5min sessions)
- critical-threat.json: targeted surveillance (127.0.0.1 only, 6h deadman, 3min sessions)

Deployment guide rewritten for three-tier model with RPi as legacy appendix.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-01 22:52:38 -04:00

47 lines
1.6 KiB
Markdown
Raw Blame History

# SooSeF Threat Level Configuration Presets
Select a preset based on your operational environment. Copy the appropriate
JSON file to `~/.soosef/config.json` (or let the setup wizard choose one).
## Presets
### low-threat.json — Press Freedom Country
Nordics, New Zealand, Canada. Risk is accidental data loss, not adversarial seizure.
- No killswitch or dead man's switch
- Relaxed session timeouts (30 min)
- Backup reminders every 14 days
- Chain enabled for provenance integrity
### medium-threat.json — Restricted Press
Turkey, Hungary, India. Risk of legal pressure, device seizure at borders.
- Killswitch available, dead man's switch at 48h/4h grace
- USB monitoring enabled
- Cover name: "Office Document Manager"
- Backup reminders every 7 days
### high-threat.json — Active Conflict Zone
Syria, Myanmar, Ethiopia, Iran. Risk of raids, equipment seizure, physical coercion.
- 5-minute session timeout
- Dead man's switch at 12h/1h grace
- Tamper monitoring enabled
- Cover name: "Local Inventory Tracker"
- Daily backup reminders
### critical-threat.json — Targeted Surveillance
Specific journalist or org targeted by state actor (Pegasus-level).
- Web UI bound to 127.0.0.1 only (access via SSH tunnel)
- 3-minute session timeout
- Dead man's switch at 6h/1h grace
- Cover name: "System Statistics"
- All monitoring enabled
- Consider: full-disk encryption, remove SSH after setup, Tor hidden service
## Usage
```bash
# Copy preset to config location
cp deploy/config-presets/high-threat.json ~/.soosef/config.json
# Or via CLI (future: soosef init --threat-level high)
```
Reference in New Issue View Git Blame Copy Permalink