Initial commit: VaultMesh Skills collection

Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2025-12-27 00:25:00 +00:00
commit eac77ef7b4
213 changed files with 11724 additions and 0 deletions
--- a/node-hardening/scripts/90_verify.sh
+++ b/node-hardening/scripts/90_verify.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_NAME="$(basename "$0")"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
+CHECKS_DIR="$SKILL_ROOT/checks"
+
+: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"
+
+log_info()  { echo "[INFO]  $(date -Iseconds) $*"; }
+log_warn()  { echo "[WARN]  $(date -Iseconds) $*" >&2; }
+
+run_check_bool() {
+  local script="$1"
+  if [[ -x "$CHECKS_DIR/$script" ]]; then
+    if "$CHECKS_DIR/$script" &>/dev/null; then
+      echo "true"
+    else
+      echo "false"
+    fi
+  else
+    echo "skip"
+  fi
+}
+
+main() {
+  mkdir -p "$OUTPUT_DIR"
+
+  local ufw_ok ssh_ok f2b_ok audit_ok
+  ufw_ok=$(run_check_bool check_ufw.sh)
+  ssh_ok=$(run_check_bool check_ssh.sh)
+  f2b_ok=$(run_check_bool check_fail2ban.sh)
+  audit_ok=$(run_check_bool check_auditd.sh)
+
+  local blockers=""
+  local warnings=""
+  local next_steps=""
+
+  if [[ "$ssh_ok" == "false" ]]; then
+    blockers="${blockers}\"SSH hardening check failed\","
+  fi
+  if [[ "$ufw_ok" == "false" ]]; then
+    warnings="${warnings}\"UFW not active\","
+  fi
+  if [[ "$f2b_ok" == "false" ]]; then
+    warnings="${warnings}\"fail2ban not active\","
+  fi
+  if [[ "$audit_ok" == "false" ]]; then
+    warnings="${warnings}\"auditd not active\","
+  fi
+
+  next_steps="${next_steps}\"Run ./scripts/99_report.sh\","
+  if [[ "$ssh_ok" == "true" && "$ufw_ok" == "true" ]]; then
+    next_steps="${next_steps}\"Proceed to backup-sovereign skill\","
+  fi
+
+  blockers="[${blockers%,}]"
+  warnings="[${warnings%,}]"
+  next_steps="[${next_steps%,}]"
+
+  cat > "$OUTPUT_DIR/status_matrix.json" <<EOF
+{
+  "timestamp": "$(date -Iseconds)",
+  "skill": "node-hardening",
+  "node": "${NODE_NAME:-node-a}",
+  "checks": {
+    "ufw": $ufw_ok,
+    "ssh": $ssh_ok,
+    "fail2ban": $f2b_ok,
+    "auditd": $audit_ok
+  },
+  "blockers": $blockers,
+  "warnings": $warnings,
+  "next_steps": $next_steps
+}
+EOF
+
+  log_info "Status matrix written to $OUTPUT_DIR/status_matrix.json"
+
+  echo
+  echo "============================================"
+  echo "  VERIFICATION SUMMARY"
+  echo "============================================"
+  echo
+  echo "  UFW:       $ufw_ok"
+  echo "  SSH:       $ssh_ok"
+  echo "  fail2ban:  $f2b_ok"
+  echo "  auditd:    $audit_ok"
+  echo
+
+  if [[ "$ssh_ok" == "true" ]]; then
+    return 0
+  fi
+  return 1
+}
+
+[[ "${BASH_SOURCE[0]}" == "$0" ]] && main "$@"