Henk Van Hoek edited this page Jan 23, 2026 · 2 revisions

Sovereign Stack Architecture Overview (v3.6)

1. Design Philosophy

The Sovereign Stack is built on the principle of Digital Autonomy. Every architectural choice prioritizes security, privacy, and low-energy consumption. By moving away from monolithic scripts toward a modular, "least-privilege" design, the stack ensures that local infrastructure remains robust and auditable.

2. Core Architectural Components

  • Centralized Configuration (.env): All hardware addresses, user credentials, and timing parameters are isolated in a single, non-executable environment file. This keeps the entire stack target-agnostic: you can swap a Windows backup target for a Linux NAS simply by updating the variables.
  • Modular Utility Pattern (wake_target.sh): Hardware-specific logic, such as Wake-on-LAN and reachability polling, is delegated to specialized utility scripts. This prevents code duplication (DRY principle) and ensures that both backup and monitoring routines use the exact same logic for device discovery.
  • Encapsulated Health Monitoring (monitor_backup.sh): A "Dead Man's Switch" architecture that independently verifies both local and remote backup integrity. It performs cryptographic checks using AES-256-CBC with PBKDF2 to ensure data is not only present but recoverable.

3. Security & Operational Hardening

  • Rootless Execution: Scripts are strictly forbidden from running as root or via sudo to protect the user's SSH identity and prevent environment poisoning.
  • Unified Logging Pipeline: Through the use of global exec redirects, the stack maintains a clean, non-redundant audit trail (cron.log) that is used for automated email reporting.
  • Agnostic Communication: By using standardized SSH/SFTP protocols, the stack communicates with various Operating Systems without requiring proprietary agents on the target machine.
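
The rootless rule above and the non-executable .env from section 2 can be enforced as a preflight step. The sketch below is an added example, not the stack's own code: it refuses root or sudo and reads the .env as data instead of sourcing it. The function names, the denied-variable list and the sample keys used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example (not the stack's own code). Function names and the
# denied-variable list are assumptions made for illustration.

# Fail when the caller is root or was started through sudo. The uid and
# SUDO_USER value are parameters so the check can be tested unprivileged.
check_rootless() {
    if [ "$1" -eq 0 ] || [ -n "${2:-}" ]; then
        echo "refusing to run as root or via sudo" >&2
        return 1
    fi
}

# Read KEY=VALUE pairs from a .env file as data. Nothing is sourced or
# eval'd, so "$(...)" or backticks in a value stay literal text.
load_env() {
    local file="$1" line key value
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    # Reject an owner-executable or group/world-writable file (POSIX find).
    if [ -n "$(find "$file" -prune \( -perm -100 -o -perm -020 -o -perm -002 \))" ]; then
        echo "$file: unsafe permissions" >&2
        return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        case "$line" in *=*) ;; *) echo "$file: malformed line" >&2; return 1 ;; esac
        key=${line%%=*}
        value=${line#*=}
        # Key must be a plain shell identifier.
        case "$key" in
            ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad key in $file" >&2; return 1 ;;
        esac
        # Variables that change how later commands are resolved or loaded.
        case "$key" in
            PATH|IFS|ENV|BASH_ENV|LD_*) echo "denied key: $key" >&2; return 1 ;;
        esac
        # Strip one pair of matching surrounding quotes.
        case "$value" in
            \"*\") value=${value#\"}; value=${value%\"} ;;
            \'*\') value=${value#\'}; value=${value%\'} ;;
        esac
        export "$key=$value"
    done < "$file"
}

# Typical use at the top of a script (path is a placeholder):
#   check_rootless "$(id -u)" "${SUDO_USER:-}" || exit 1
#   load_env "/path/to/.env" || exit 1
```

Sourcing the file with `. .env` would execute any command substitution it contains, which is why the loader assigns values with `export "$key=$value"` after validating the key.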

4. Energy Efficiency (The Green Loop)

The stack implements a smart power-management lifecycle:

  1. Demand: The Pi triggers a Wake-on-LAN packet.
  2. Verify: The wake_target.sh utility waits only as long as necessary for the target to boot.
  3. Execute: Data is transferred securely via SFTP.
  4. Suspend: The backup target (e.g., via EaseUS Todo Backup) automatically returns to a low-power sleep state once the cloud-sync is complete.