add launch ops checklists and backup security templates

2026-02-14 21:23:30 -08:00 · 2026-02-14 21:23:30 -08:00 · eef058027d
commit eef058027d
parent fa3129bb1a
11 changed files with 177 additions and 0 deletions
--- a/docker/security/README.md
+++ b/docker/security/README.md
@ -0,0 +1,22 @@
+# Security Templates
+
+This folder contains host-side security templates for public launch hardening.
+
+## fail2ban (recommended baseline)
+- Config location:
+  - `docker/security/fail2ban/jail.d/fiddy-nginx.conf`
+  - `docker/security/fail2ban/filter.d/fiddy-nginx-auth.conf`
+- Purpose:
+  - ban repeated abusive requests against auth, join, and invite endpoints.
+
+## CrowdSec (optional alternative/complement)
+- Config location:
+  - `docker/security/crowdsec/acquis.yaml`
+- Purpose:
+  - ingest Nginx access/error logs with CrowdSec for broader behavior-based decisions.
+
+## Notes
+- Use either fail2ban or CrowdSec as your primary auto-ban control, or carefully run both with clear ownership of ban actions.
+- Validate log paths match your deployment:
+  - `/var/log/nginx/fiddy-access.log`
+  - `/var/log/nginx/fiddy-error.log`
--- a/docker/security/crowdsec/acquis.yaml
+++ b/docker/security/crowdsec/acquis.yaml
@ -0,0 +1,11 @@
+filenames:
+  - /var/log/nginx/fiddy-access.log
+labels:
+  type: nginx
+  service: fiddy
+---
+filenames:
+  - /var/log/nginx/fiddy-error.log
+labels:
+  type: nginx-error
+  service: fiddy
--- a/docker/security/fail2ban/filter.d/fiddy-nginx-auth.conf
+++ b/docker/security/fail2ban/filter.d/fiddy-nginx-auth.conf
@ -0,0 +1,5 @@
+[Definition]
+failregex = ^.*"uri":"\\/api\\/auth\\/(login|register)".*"status":(401|403|429).*
+            ^.*"uri":"\\/api\\/groups\\/join".*"status":(400|403|404|409|429).*
+            ^.*"uri":"\\/api\\/invite-links\\/.*".*"status":(404|410|429).*
+ignoreregex =
--- a/docker/security/fail2ban/jail.d/fiddy-nginx.conf
+++ b/docker/security/fail2ban/jail.d/fiddy-nginx.conf
@ -0,0 +1,9 @@
+[fiddy-nginx-auth]
+enabled  = true
+port     = http,https
+filter   = fiddy-nginx-auth
+logpath  = /var/log/nginx/fiddy-access.log
+backend  = auto
+maxretry = 20
+findtime = 10m
+bantime  = 1h
--- a/docs/05_REFACTOR_2.md
+++ b/docs/05_REFACTOR_2.md
@ -123,6 +123,16 @@ Primary outcomes:
 - Added deploy health gate automation:
  - `scripts/wait-for-health.sh` polls ready endpoint and verifies `request_id` payload.
  - `.gitea/workflows/deploy-dokploy.yml` now runs post-deploy health verification using `DOKPLOY_HEALTHCHECK_URL`.
+- Added DR + host-ban operational templates:
+  - `scripts/basebackup-postgres.sh` for periodic `pg_basebackup` snapshots.
+  - `docker/security/fail2ban/*` for auth/join/invite abuse bans from nginx JSON logs.
+  - `docker/security/crowdsec/acquis.yaml` as optional CrowdSec ingestion baseline.
+  - `docker/security/README.md` to document security template usage.
+- Added restore drill logging artifacts:
+  - `docs/restore-drill-log.csv` as evidence log template.
+  - `scripts/log-restore-drill.sh` to append timestamped restore outcomes and measured RTO.
+- Added consolidated execution checklist:
+  - `docs/07_PUBLIC_LAUNCH_CHECKLIST.md` for go-live gating across infra, deploy, security, observability, DR, and rollback.

 ### Risks / Notes to Revisit
 - Workspace is intentionally dirty; commits must be path-scoped to avoid mixing unrelated changes.
--- a/docs/06_SECURITY_REVIEW.md
+++ b/docs/06_SECURITY_REVIEW.md
@ -69,3 +69,6 @@ This document tracks launch-critical security findings for app, data, users, and
 - [ ] Production host firewall rules verified (`scripts/harden-host-ufw.sh` + `scripts/check-host-security.sh`).
 - [ ] SSH restricted to VPN/allowlist.
 - [ ] Backup restore drill logged for current week (`scripts/restore-drill-postgres.sh`).
+- [ ] Backup restore drill logged for current week (`scripts/restore-drill-postgres.sh` + `scripts/log-restore-drill.sh`).
+- [ ] Base backup job configured and validated (`scripts/basebackup-postgres.sh`).
+- [ ] Auto-ban tooling configured (fail2ban or crowdsec) from `docker/security/`.
--- a/docs/07_PUBLIC_LAUNCH_CHECKLIST.md
+++ b/docs/07_PUBLIC_LAUNCH_CHECKLIST.md
@ -0,0 +1,48 @@
+# Public Launch Checklist
+
+## A) Infrastructure Baseline
+- [ ] Domain DNS points to public IP.
+- [ ] Router forwards only `80` and `443`.
+- [ ] Host firewall denies all inbound except `80/443` and restricted `22`.
+- [ ] `SSH_ALLOW_CIDR` policy validated.
+- [ ] Postgres port `5432` is not public.
+
+## B) App and Deployment
+- [ ] Dokploy project connected to Gitea repo.
+- [ ] Secrets configured:
+  - [ ] `DATABASE_URL`
+  - [ ] `DATABASE_SSL`
+  - [ ] `ALLOWED_DB_NAMES`
+  - [ ] `SESSION_COOKIE_NAME`
+  - [ ] `SESSION_TTL_DAYS`
+  - [ ] `DEBUG_API=0`
+  - [ ] `DOKPLOY_DEPLOY_HOOK`
+  - [ ] `DOKPLOY_HEALTHCHECK_URL`
+- [ ] Deploy workflow passes build/test/push/deploy.
+- [ ] Post-deploy health gate passes (`scripts/wait-for-health.sh`).
+- [ ] Manual smoke passes (`scripts/smoke-public-launch.sh`).
+
+## C) Security Controls
+- [ ] Nginx TLS/headers/rate limits enabled (`docker/nginx/fiddy.conf`).
+- [ ] Request-id propagation enabled (`X-Request-Id` in responses).
+- [ ] Server-side rate limits active (auth/write/ip limiters).
+- [ ] Fail2ban or CrowdSec configured from `docker/security/`.
+- [ ] No secrets/full invite codes in logs.
+
+## D) Observability
+- [ ] Loki, Promtail, Grafana, Uptime Kuma running.
+- [ ] Promtail ingests `job="nginx"`.
+- [ ] Dashboards show request IDs for incident triage.
+- [ ] Alerts configured for 5xx/auth spikes/DB failures/resource pressure.
+
+## E) Backup and Recovery
+- [ ] Daily logical backup scheduled (`scripts/backup-postgres.sh`).
+- [ ] Periodic base backup scheduled (`scripts/basebackup-postgres.sh`).
+- [ ] Latest restore drill succeeded (`scripts/restore-drill-postgres.sh`).
+- [ ] Drill logged (`scripts/log-restore-drill.sh` -> `docs/restore-drill-log.csv`).
+- [ ] Measured RTO is acceptable.
+
+## F) Rollback Readiness
+- [ ] Previous stable release retained in Dokploy.
+- [ ] Rollback runbook tested once in staging or low-risk window.
+- [ ] Rollback smoke check verified.
--- a/docs/public-launch-runbook.md
+++ b/docs/public-launch-runbook.md
@ -49,6 +49,9 @@
  - dry-run firewall apply: `SSH_ALLOW_CIDR=<your-cidr> DRY_RUN=1 scripts/harden-host-ufw.sh`
  - real firewall apply: `SSH_ALLOW_CIDR=<your-cidr> DRY_RUN=0 sudo scripts/harden-host-ufw.sh`
  - host status audit: `scripts/check-host-security.sh`
+- Auto-ban templates:
+  - fail2ban: `docker/security/fail2ban/*`
+  - crowdsec (optional): `docker/security/crowdsec/acquis.yaml`

 ## 5) Observability
 - Bring up monitoring stack:
@ -71,11 +74,16 @@
 ## 6) Backup + Restore
 - Daily backup command:
  - `scripts/backup-postgres.sh`
+- Periodic base backup (for faster full recovery):
+  - `PRIMARY_DATABASE_URL=<replication-url> scripts/basebackup-postgres.sh`
 - Retention:
  - default 7 days (`RETENTION_DAYS=7`)
 - Restore drill:
  - `scripts/restore-drill-postgres.sh backups/postgres/<file>.dump <target_database_url>`
 - Run restore drill on non-prod DB before public launch.
+- Record drill outcome:
+  - `scripts/log-restore-drill.sh <environment> <backup_file> <restore_target> <status> <rto_minutes> <notes>`
+  - log file: `docs/restore-drill-log.csv`

 ## 7) Incident Response Quick Flow
 1. Identify failing request and `request_id`.
--- a/docs/restore-drill-log.csv
+++ b/docs/restore-drill-log.csv
@ -0,0 +1 @@
+timestamp_utc,environment,backup_file,restore_target,status,rto_minutes,notes
--- a/scripts/basebackup-postgres.sh
+++ b/scripts/basebackup-postgres.sh
@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ -z "${PRIMARY_DATABASE_URL:-}" ]]; then
+  echo "PRIMARY_DATABASE_URL is required (replication-capable connection string)."
+  exit 1
+fi
+
+BACKUP_DIR="${BACKUP_DIR:-./backups/postgres/base}"
+RETENTION_DAYS="${RETENTION_DAYS:-7}"
+TIMESTAMP="$(date -u +%Y%m%dT%H%M%SZ)"
+WORK_DIR="${BACKUP_DIR}/fiddy_base_${TIMESTAMP}"
+ARCHIVE_PATH="${BACKUP_DIR}/fiddy_base_${TIMESTAMP}.tar.gz"
+
+mkdir -p "$BACKUP_DIR"
+
+echo "Creating base backup directory snapshot..."
+pg_basebackup \
+  --dbname="$PRIMARY_DATABASE_URL" \
+  --pgdata="$WORK_DIR" \
+  --format=plain \
+  --wal-method=stream \
+  --checkpoint=fast \
+  --write-recovery-conf \
+  --progress \
+  --verbose
+
+echo "Compressing base backup..."
+tar -C "$BACKUP_DIR" -czf "$ARCHIVE_PATH" "fiddy_base_${TIMESTAMP}"
+rm -rf "$WORK_DIR"
+
+echo "Pruning base backups older than ${RETENTION_DAYS} days..."
+find "$BACKUP_DIR" -type f -name "fiddy_base_*.tar.gz" -mtime "+${RETENTION_DAYS}" -delete
+
+echo "Base backup complete: $ARCHIVE_PATH"
--- a/scripts/log-restore-drill.sh
+++ b/scripts/log-restore-drill.sh
@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ $# -lt 6 ]]; then
+  echo "Usage: $0 <environment> <backup_file> <restore_target> <status> <rto_minutes> <notes>"
+  exit 1
+fi
+
+ENVIRONMENT="$1"
+BACKUP_FILE="$2"
+RESTORE_TARGET="$3"
+STATUS="$4"
+RTO_MINUTES="$5"
+NOTES="$6"
+TIMESTAMP="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+LOG_FILE="${LOG_FILE:-docs/restore-drill-log.csv}"
+
+mkdir -p "$(dirname "$LOG_FILE")"
+if [[ ! -f "$LOG_FILE" ]]; then
+  echo "timestamp_utc,environment,backup_file,restore_target,status,rto_minutes,notes" > "$LOG_FILE"
+fi
+
+safe_notes="$(printf '%s' "$NOTES" | tr '\n' ' ' | sed 's/"/'\''/g')"
+echo "${TIMESTAMP},${ENVIRONMENT},${BACKUP_FILE},${RESTORE_TARGET},${STATUS},${RTO_MINUTES},\"${safe_notes}\"" >> "$LOG_FILE"
+echo "Logged restore drill to $LOG_FILE"
				`@ -0,0 +1 @@`
				`timestamp_utc,environment,backup_file,restore_target,status,rto_minutes,notes`