docs: Añadir sección de seguridad a todos los servidores

- UFW configurado en 4/4 servidores con whitelist TZZR - SSH hardening (PermitRootLogin prohibit-password, PasswordAuthentication no) - SWAP 2GB en todos los servidores - Backups automatizados documentados en ARCHITECT - IPs bloqueadas documentadas en CORP 🤖 Generated with Claude Code
2025-12-30 19:14:18 +00:00
parent e47274c408
commit 5e5c8cb698
4 changed files with 144 additions and 0 deletions
--- a/servers/ARCHITECT.md
+++ b/servers/ARCHITECT.md
@@ -118,7 +118,52 @@ curl -X POST "http://localhost:3000/api/v1/user/repos" \
 psql -U architect -d tzzr_db
 ```

+## Seguridad
+
+### Firewall (UFW)
+```
+Status: active
+Default: deny incoming, allow outgoing
+
+Reglas:
+- ALLOW from 72.62.1.113 (DECK)
+- ALLOW from 92.112.181.188 (CORP)
+- ALLOW from 72.62.2.84 (HST)
+- ALLOW 22/tcp (SSH)
+- ALLOW 80/tcp (HTTP)
+- ALLOW 443/tcp (HTTPS)
+- ALLOW 3000/tcp (Gitea)
+- ALLOW 8082, 8090, 8100/tcp (Apps)
+- ALLOW on docker0 (Docker)
+- ALLOW 5432 from 172.18.0.0/16 (PostgreSQL Docker)
+```
+
+### SSH Hardening
+```
+PermitRootLogin prohibit-password
+PasswordAuthentication no
+```
+Backup config: `/etc/ssh/sshd_config.bak`
+
+### SWAP
+```
+/swapfile 2GB (persistente en /etc/fstab)
+```
+
+## Backups Automatizados
+
+### Gitea
+- **Script**: `/opt/tzzr/claude-code/backup_gitea.sh`
+- **Cron**: `0 2 * * *` (diario 2AM)
+- **Destino**: `s3://architect/backups/gitea/`
+
+### PostgreSQL
+- **Script**: `/home/architect/scripts/backup_postgres_all.sh`
+- **Cron**: `0 3 * * *` (diario 3AM)
+- **Destino**: `s3://architect/backups/postgresql/`
+
 ## Últimas Actualizaciones

+- 2025-12-30: UFW habilitado, SSH hardening, SWAP 2GB, Docker permissions
 - 2025-12-30: Documentación inicial
 - 2025-12-18: Instalación inicial de ARCHITECT