Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/node-hardening/config.json
+++ b/node-hardening/config.json
@@ -0,0 +1,54 @@
+{
+  "version": "1.0.0",
+  "skill": "node-hardening",
+  "description": "Safe-by-default hardening: UFW + SSH + fail2ban + auditd",
+  "parameters": {
+    "required": [],
+    "optional": {
+      "NODE_NAME": "node-a",
+      "SSH_PORT": 22,
+      "ALLOW_HTTP": true,
+      "ALLOW_HTTPS": true,
+      "ALLOW_ICMP": false,
+      "DRY_RUN": 1,
+      "REQUIRE_CONFIRM": 1,
+      "CONFIRM_PHRASE": "I UNDERSTAND THIS CAN LOCK ME OUT",
+      "BACKUP_DIR": "outputs/backups",
+      "FAIL2BAN_ENABLE": true,
+      "AUDITD_ENABLE": true
+    }
+  },
+  "phases": {
+    "preflight": ["00_preflight.sh"],
+    "ufw": {
+      "plan": ["10_ufw_plan.sh"],
+      "apply": ["11_ufw_apply.sh"],
+      "rollback": ["rollback/undo_ufw.sh"]
+    },
+    "ssh": {
+      "plan": ["20_ssh_plan.sh"],
+      "apply": ["21_ssh_apply.sh"],
+      "rollback": ["rollback/undo_ssh.sh", "rollback/emergency_restore.sh"]
+    },
+    "fail2ban": ["30_fail2ban_setup.sh"],
+    "auditd": ["40_auditd_setup.sh"],
+    "verify": ["90_verify.sh"],
+    "report": ["99_report.sh"]
+  },
+  "checks": {
+    "ufw": ["check_ufw.sh"],
+    "ssh": ["check_ssh.sh"],
+    "fail2ban": ["check_fail2ban.sh"],
+    "auditd": ["check_auditd.sh"]
+  },
+  "rollback_order": [
+    "emergency_restore.sh",
+    "undo_ssh.sh",
+    "undo_ufw.sh"
+  ],
+  "eu_compliance": {
+    "data_residency": "EU",
+    "jurisdiction": "Ireland",
+    "gdpr_applicable": true
+  }
+}