# Security reference

## Overview

Security in this repo is implemented via:
- hardened SSH + firewall defaults (`roles/ssh/`)
- baseline system configuration (`roles/base/`)
- monitoring/intrusion prevention on servers (`roles/monitoring_server/`)
- secrets handled via Ansible Vault (`inventories/production/group_vars/all/vault.yml`)

## Recommended execution

```bash
# Dry-run first
make check

# Apply security-tagged tasks
make security
```

## Vault

- Vault guide: `docs/guides/vault.md`

## Canonical standards

- `project-docs/standards.md`