Initial commit: VaultMesh Skills collection
Collection of operational skills for VaultMesh infrastructure including: - backup-sovereign: Backup and recovery operations - btc-anchor: Bitcoin anchoring - cloudflare-tunnel-manager: Cloudflare tunnel management - container-registry: Container registry operations - disaster-recovery: Disaster recovery procedures - dns-sovereign: DNS management - eth-anchor: Ethereum anchoring - gitea-bootstrap: Gitea setup and configuration - hetzner-bootstrap: Hetzner server provisioning - merkle-forest: Merkle tree operations - node-hardening: Node security hardening - operator-bootstrap: Operator initialization - proof-verifier: Cryptographic proof verification - rfc3161-anchor: RFC3161 timestamping - secrets-vault: Secrets management 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Vault Sovereign
25
node-hardening/templates/auditd_rules.tpl
Normal file
25
node-hardening/templates/auditd_rules.tpl
Normal file
@@ -0,0 +1,25 @@
|
||||
# Managed by node-hardening skill
|
||||
|
||||
# Increase backlog for busy systems
|
||||
-b 8192
|
||||
|
||||
# Identity files
|
||||
-w /etc/passwd -p wa -k identity
|
||||
-w /etc/group -p wa -k identity
|
||||
-w /etc/shadow -p wa -k identity
|
||||
|
||||
# SSH config
|
||||
-w /etc/ssh/sshd_config -p wa -k sshd
|
||||
|
||||
# Privilege escalation
|
||||
-w /etc/sudoers -p wa -k sudo
|
||||
-w /etc/sudoers.d/ -p wa -k sudo
|
||||
|
||||
# Systemd unit changes
|
||||
-w /etc/systemd/system/ -p wa -k systemd
|
||||
|
||||
# Network config
|
||||
-w /etc/ufw/ -p wa -k ufw
|
||||
|
||||
# End of rules
|
||||
-e 1
|
||||
12
node-hardening/templates/fail2ban_jail.tpl
Normal file
12
node-hardening/templates/fail2ban_jail.tpl
Normal file
@@ -0,0 +1,12 @@
|
||||
# Managed by node-hardening skill
|
||||
[DEFAULT]
|
||||
# Ban after 5 failures within 10 minutes
|
||||
findtime = 10m
|
||||
maxretry = 5
|
||||
bantime = 1h
|
||||
backend = systemd
|
||||
|
||||
[sshd]
|
||||
enabled = true
|
||||
port = {{SSH_PORT}}
|
||||
logpath = %(sshd_log)s
|
||||
27
node-hardening/templates/sshd_config.tpl
Normal file
27
node-hardening/templates/sshd_config.tpl
Normal file
@@ -0,0 +1,27 @@
|
||||
# Managed by node-hardening skill
|
||||
# Backup of previous config stored in outputs/backups
|
||||
|
||||
Port {{SSH_PORT}}
|
||||
Protocol 2
|
||||
|
||||
PermitRootLogin no
|
||||
PasswordAuthentication no
|
||||
KbdInteractiveAuthentication no
|
||||
ChallengeResponseAuthentication no
|
||||
PubkeyAuthentication yes
|
||||
PermitEmptyPasswords no
|
||||
|
||||
# Keep PAM enabled for session setups (Ubuntu default)
|
||||
UsePAM yes
|
||||
|
||||
X11Forwarding no
|
||||
AllowAgentForwarding yes
|
||||
AllowTcpForwarding yes
|
||||
|
||||
ClientAliveInterval 300
|
||||
ClientAliveCountMax 2
|
||||
|
||||
LogLevel VERBOSE
|
||||
|
||||
# Optional: restrict users
|
||||
# AllowUsers {{ALLOW_USERS}}
|
||||
Reference in New Issue
Block a user