# Security hardening guide

This repo's "security" work is primarily implemented via roles and inventory defaults.

## What runs where

- **SSH hardening + firewall**: `roles/ssh/`
- **Baseline packages/security utilities**: `roles/base/`
- **Monitoring + intrusion prevention (servers)**: `roles/monitoring_server/` (includes `fail2ban`)
- **Secrets**: Ansible Vault in `inventories/production/group_vars/all/vault.yml`

## Recommended flow

```bash
# Dry-run first
make check

# Apply only security-tagged roles
make security
```

## Secrets / Vault

Use Ansible Vault for anything sensitive:

- Guide: `docs/guides/vault.md`

## Canonical standards

- `project-docs/standards.md`
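As an added pre-flight check for the Secrets / Vault rule above (example code, not part of this repo or its Makefile), the script below walks an inventories tree and fails if any `vault.yml` is stored in plaintext. It relies on one documented property of the Ansible Vault file format: every encrypted file begins with the `$ANSIBLE_VAULT;` header line. The directory layout and the two sample files are constructed for the demo, and `is_vault_encrypted`, `check_vault_files` and `make_demo_tree` are names chosen here.

```sh
#!/bin/sh
# Added example (not part of this repo): refuse to proceed if any vault.yml
# under an inventories directory is stored in plaintext. Encrypted Ansible
# Vault files always start with a header line such as "$ANSIBLE_VAULT;1.1;AES256".
set -eu

# Return 0 if the file in $1 carries the Ansible Vault header, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# Scan the tree in $1 for files named vault.yml. Prints a verdict per file,
# reports plaintext ones on stderr, and returns 1 if any were found.
# Assumption: paths contain no whitespace (true for this repo's layout).
check_vault_files() {
    dir="$1"
    bad=0
    for f in $(find "$dir" -type f -name 'vault.yml'); do
        if is_vault_encrypted "$f"; then
            echo "ok:        $f"
        else
            echo "PLAINTEXT: $f" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Constructed demo tree mirroring inventories/<env>/group_vars/all/vault.yml:
# one correctly encrypted file and one that was committed as plaintext.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/production/group_vars/all" "$d/staging/group_vars/all"
    # Header plus a placeholder line standing in for the hex-encoded ciphertext.
    printf '$ANSIBLE_VAULT;1.1;AES256\n3030303030303030\n' \
        > "$d/production/group_vars/all/vault.yml"
    printf 'db_password: hunter2\n' > "$d/staging/group_vars/all/vault.yml"
    echo "$d"
}
```

Run `check_vault_files inventories` before `make check` / `make security`, or wire it into a pre-commit hook so an unencrypted `vault.yml` never reaches the repo. `ansible-vault view` is the authoritative test but needs the vault password; the header check runs anywhere, including CI without vault access.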