diff --git a/docs/HOST-MATRIX.md b/docs/HOST-MATRIX.md index af782bf..e0b58b9 100644 --- a/docs/HOST-MATRIX.md +++ b/docs/HOST-MATRIX.md @@ -211,7 +211,10 @@ _See [`../AGENTS.md`](../AGENTS.md) for the canonical agent matrix and operating - **EU region only**: All OVHcloud resources in FR/DE/PL. Sidesteps non-EU transfer/SCC burden under GDPR. - **Off-box backup before any reinstall**: OVH DPA §10 + GTS §6.3/6.5/10.6 — reinstall/termination = irreversible deletion including OVH-side backups, no recovery, OVH not liable. Identity/skills covered by git (layered-soul + hermes-soul on Forgejo). Runtime state (ZFS snapshots, Vaultwarden DB) must be verified backed up outside OVH. -- **MFA on the OVH account**: GTS §2.3/2.4 — operator responsible for account credentials, liable for fraudulent use. Master key to all infra. + - **Backup independence (verified 2026-06-20):** Forgejo **and** Vaultwarden both run on **Vultr** (the `code` / `vault.smilepowered.org` host) — a _different provider_ than osa/OVH, so an OVH loss does not take the git backup (good). **But Forgejo and Vaultwarden share that one Vultr box**, making it a single point of failure for _both_ the backups _and_ all secrets. → that box needs its _own_ off-box backup (Vaultwarden DB export + Forgejo data to a third location), and **backups are unverified until test-restored** (cost-discipline applies to backups: check, don't assume). Add the Vultr host to the provenance table; apply EU-region (verify) + MFA to it too. +- **MFA on every master-key account**: GTS §2.3/2.4 — operator is liable for fraudulent account use. Enable MFA on **OVH, Vultr, the domain registrar (clawdie.si / smilepowered.org), Forgejo admin, and Vaultwarden** — each is a master key to the fleet. **Auto-renew the domains**: a lapsed domain silently kills `pkg.clawdie.si`, ACME certs, and SSH-by-hostname. +- **Billing hygiene**: provider **auto-renew is on by default** (OVH/Vultr) — disable before the 19th of the month if not renewing. **Commitment Periods lock you in** (full term due, no refund for early cancel/non-use). Act on **price-increase / end-of-life** notices within the 30-day cancel window. Track renewal dates per provider in the provenance table. +- **Continuity plan (contractually required)**: OVH GTS §6.3 makes a recovery plan the Client's obligation, and §4/§10 cap provider liability at service credits — no data-loss or downtime damages. The fleet's **multi-host survivability** (Linux/Docker + FreeBSD/jails, relocatable via layered-soul) **is** the recovery plan; pair it with the off-box backups above. - **Do not commit OVH contracts/credentials**: GTS §13 makes contract terms confidential. A compliance summary only in public repos — no verbatim DPA/GTS text, no NIC handles or login credentials. ### Multi-tenant GDPR gates (administrative, not technical)