- Backup encryption: optional AES-256-CBC via BACKUP_ENCRYPTION_KEY env var
- Restore/verify: auto-detect and decrypt .dump.enc files
- Trivy scan-images.sh: create GitHub Issues when vulnerabilities found
- rotate-credentials.sh: add --platform flag for master credential rotation
- bootstrap-server.sh: Loki retention 14d→90d, add logrotate config
- server-contract.md: document all new capabilities
- New runbook: rotate-ssh-keys.md
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|`rotate-credentials.sh`| Rotate per-app or platform master credentials without downtime | Manual (`bash <script> <app-name>` or `--platform`) |
116
116
117
117
## Server Hardening
118
118
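Review bot: the Trigger column for `rotate-credentials.sh` uses the placeholder `bash <script> <app-name>`, which is inconsistent with the script name already given in the first column of the same row; spell it out as `bash rotate-credentials.sh <app-name>` (or `bash rotate-credentials.sh --platform`) so the row can be copied as-is, and consider mentioning the `--yes` flag here since the platform path otherwise stops at a confirmation prompt.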
@@ -140,6 +140,14 @@ The bootstrap script applies several security measures automatically. Self-hoste
140
140
141
141
**Docker event audit logging** — A systemd service (`docker-audit.service`) runs `docker events` with JSON output to `/var/log/docker-audit.log`. Promtail scrapes this file and forwards events to Loki (label: `job=docker-audit`). All container start, stop, die, and health_status events are captured.
142
142
143
+
**Backup encryption** — Backups can be encrypted at rest using AES-256-CBC. Set the `BACKUP_ENCRYPTION_KEY` environment variable to the path of a key file. When set, `backup-postgres.sh` pipes `pg_dump` output through `openssl enc` and produces `.dump.enc` files. `restore-postgres.sh` and `verify-backup.sh` automatically detect encrypted backups and decrypt them before restoring. If the key file is not set, backups are stored unencrypted (with a warning).
144
+
145
+
**Log rotation** — A logrotate config at `/etc/logrotate.d/towlion` rotates `/var/log/towlion-*.log` and `/var/log/docker-audit.log` daily, retaining 90 compressed copies. The `docker-audit.service` is restarted after rotation since it holds the log file open.
146
+
147
+
**Log retention** — Loki retains logs for 90 days (`retention_period: 2160h`). The compactor runs retention enforcement with a 2-hour delete delay.
148
+
149
+
**Platform credential rotation** — `rotate-credentials.sh --platform` rotates the PostgreSQL superuser password and/or MinIO root password. After rotation, all app health checks are verified. Use `--yes` to skip the confirmation prompt.
150
+
143
151
**Image vulnerability scanning** — Trivy is installed via the Aqua Security apt repository. Every deploy runs a non-blocking `trivy image` scan of the newly built app image (HIGH/CRITICAL severity). A weekly cron job (`scan-images.sh`, Sunday 04:00) scans all running container images.
144
152
145
153
**Mandatory Access Control (AppArmor)** — Debian 12 ships with AppArmor enabled by default. Docker automatically applies the `docker-default` AppArmor profile to all containers, which restricts capabilities like writing to `/proc` and `/sys`, mounting filesystems, and accessing raw sockets. No configuration is needed — this works out of the box.
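Review bot: the Backup encryption paragraph documents AES-256-CBC through `openssl enc`, which gives confidentiality only; a modified or truncated CBC ciphertext still decrypts (to corrupted output) and the tampering is only noticed when the restore fails, so the paragraph should state whether `verify-backup.sh` checks integrity of the `.dump.enc` file (a separate checksum or MAC) or name that limitation explicitly. It should also say where the key file is expected to live and what permissions it needs, because losing the key makes every `.dump.enc` unrecoverable while a world-readable key file defeats the encryption. Separately, the Image vulnerability scanning paragraph does not mention that `scan-images.sh` now opens GitHub Issues when findings are reported (per the commit message), which is the behaviour an operator most needs to know about given that the scan is non-blocking.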