johan
/
docs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
docs/soc2/disaster-recovery.md

173 lines
6.2 KiB
Markdown
Raw Permalink Blame History

# Disaster Recovery Plan
*Last updated: 2026-02-04*
*Owner: James ⚡*
---
## Infrastructure Overview
| Component | Host | Purpose |
|---|---|---|
| **forge** | 192.168.1.16 | Primary server — OpenClaw gateway, all services |
| **Zurich VPS** | 82.22.36.202 | Git repos, Uptime Kuma, security scanning |
| **192.168.1.253** | LAN | Docker services (Immich, ClickHouse, Jellyfin, Signal, qBittorrent) |
| **192.168.1.252** | LAN | Home Assistant OS |
| **Caddy** | 192.168.0.2 | Reverse proxy (james.jongsma.me, inou.com) |
---
## Backup Strategy
### Tier 1: Git-backed (automated)
All source code is pushed to `git@zurich.inou.com:<repo>.git`. Hourly audit (`scripts/git-audit.sh`) checks for anomalies.
**Repos (as of 2026-02-04):**
- inou, azure-backup, james-dashboard, mail-bridge, mail-agent
- inou-mobile, clawdnode-android, clawdnode-debug-server, clawdnode-gateway
- message-bridge, messaging-center, docman, docsys, docs
- moltmobile-android, moltmobile-gateway, screenshot-server
- docproc, clawd (workspace)
**Recovery:** `git clone git@zurich.inou.com:<repo>.git`
### Tier 2: Configuration (documented, manually recoverable)
These items can't be git-tracked but are documented here for recovery.
#### Signal CLI (bot number: +31634481877)
- **Data:** `~/.clawdbot/tools/signal-cli/` (linked device keys)
- **Recovery:** Re-link using QR code from primary device. Takes ~2 minutes.
- **Impact:** Bot is offline until re-linked. No data loss — message history is on Signal servers.
- **Note:** Signal CLI version and trust store rebuild automatically on first run.
#### WhatsApp (message-bridge, linked to +1 727 225 2475)
- **Data:** `~/.message-bridge/whatsapp.db` (session keys + media refs)
- **Recovery:** Delete `whatsapp.db`, restart message-bridge, scan new QR code from Johan's phone.
- **Impact:** Bot offline until re-linked. Historical messages in WhatsApp, not in our DB.
- **Note:** QR code available at `http://localhost:8030/qr?format=png` after restart.
#### Proton Mail Bridge
- **Data:** `~/.config/protonmail/bridge-v3/` (account link, encryption keys)
- **Recovery:**
1. `apt install protonmail-bridge` (or download from proton.me)
2. Set keychain: `echo '{"preferred_keychain": "pass"}' > ~/.config/protonmail/bridge-v3/prefs.json`
3. Run `protonmail-bridge --cli`, login with tj@jongsma.me credentials
4. Note new bridge password, update mail-bridge config
- **Impact:** Email processing offline until re-linked. ~10 min recovery.
- **Credentials:** Account password with Johan. Bridge password regenerated on setup.
### Tier 3: Data (critical, needs backup solution)
| Data | Path | Size | Backup Status |
|---|---|---|---|
| **Sophia's documents** | `~/sophia/` | 9.2 GB | ⚠️ **SINGLE COPY** — needs offsite backup |
| **Document store** | `~/documents/` | 7.9 MB | In git (docsys repo) for records, PDFs local only |
| **GLM-OCR model** | `~/models/glm-ocr/` | 2.5 GB | Re-downloadable from HuggingFace |
### Tier 4: Rebuildable (no backup needed)
| Component | Recovery |
|---|---|
| Python venvs (`ocr-env/`, `.venv/`) | `pip install -r requirements.txt` |
| Node modules | `npm install` |
| Flutter SDK | Re-download |
| Docker images on 253 | `docker compose pull` |
| OC session transcripts | Nice-to-have, not critical |
---
## Service Recovery Procedures
### Full Server Loss (forge)
**Prerequisites:** SSH key authorized on Zurich VPS, new Ubuntu 24.04 server.
1. **OS Setup:**
```
apt update && apt upgrade
adduser johan
# Install: git, go, node, python3, docker (if needed)
```
2. **SSH Keys:**
- Generate new: `ssh-keygen -t ed25519`
- Authorize on Zurich: `ssh root@zurich.inou.com` → add to `/home/git/.ssh/authorized_keys`
3. **Clone all repos:**
```
mkdir ~/dev && cd ~/dev
for repo in inou azure-backup james-dashboard mail-bridge mail-agent \
inou-mobile clawdnode-android message-bridge messaging-center \
docman docsys docs docproc screenshot-server; do
git clone git@zurich.inou.com:$repo.git
done
git clone git@zurich.inou.com:clawd.git ~/clawd
```
4. **Install OpenClaw:**
```
npm install -g openclaw
openclaw init
# Restore gateway config from clawd/config-backups/ or memory
```
5. **Restore services** (see systemd units below)
6. **Re-link integrations:**
- Signal CLI: QR code link
- WhatsApp: QR code link
- Proton Bridge: CLI login
### Systemd Service Units
All services run as user units (`systemctl --user`).
| Service | Binary/Command | Port | Working Dir |
|---|---|---|---|
| `openclaw-gateway` | `node openclaw gateway` | 18789 | — |
| `signal-cli` | `signal-cli daemon --http 0.0.0.0:8080` | 8080 | — |
| `protonmail-bridge` | `protonmail-bridge --noninteractive` | 1143/1025 | — |
| `mail-bridge` | `message-center -config config.yaml` | 8025 | `~/dev/mail-bridge` |
| `message-bridge` | `message-bridge` | 8030 | `~/dev/message-bridge` |
| `james-dashboard` | `james-dashboard --dir .` | 9200 | `~/dev/james-dashboard` |
| `ocr-service` | `python server.py` | 8090 | `~/ocr-service` |
| `docsys` | `docsys` | — | `~/dev/docsys` |
**Unit files location:** `~/.config/systemd/user/`
**Environment files:**
- `~/.config/message-center.env` (mail-bridge credentials)
- OpenClaw gateway env vars in unit file (API keys, tokens)
### Zurich VPS Loss
1. Provision new VPS
2. Install git, create `git` user with `git-shell`
3. Push all repos from forge (they're the primary copies)
4. Reinstall Uptime Kuma, Caddy, nuclei
5. Update DNS if IP changes
---
## Monitoring
| Check | Frequency | Tool |
|---|---|---|
| Service health | Every heartbeat | `scripts/service-health.sh` |
| Git audit | Hourly (:30) | `scripts/git-audit.sh` via cron |
| Claude usage | Hourly (:00) | `scripts/claude-usage-check.sh` via cron |
| Nuclei security scan | Monthly | Cron from Zurich |
| Docker updates (253) | Weekly (Sunday) | Heartbeat task |
| HAOS updates | Weekly (Sunday) | Heartbeat task |
| Uptime Kuma | Continuous | https://zurich.inou.com:3001 |
---
## Open Items
- [ ] **Sophia docs backup** — 9.2 GB, single copy. Needs offsite (Proton Drive, Zurich, or both)
- [ ] **Systemd unit backup** — Track in git (docs repo or clawd)
- [ ] **Automated config snapshots** — Gateway config, env files
Reference in New Issue View Git Blame Copy Permalink