ilia
3415340e26
All checks were successful
CI / skip-ci-check (pull_request) Successful in 1m18s
CI / lint-and-test (pull_request) Successful in 1m21s
CI / ansible-validation (pull_request) Successful in 2m43s
CI / secret-scanning (pull_request) Successful in 1m19s
CI / dependency-scan (pull_request) Successful in 1m23s
CI / sast-scan (pull_request) Successful in 2m28s
CI / license-check (pull_request) Successful in 1m20s
CI / vault-check (pull_request) Successful in 2m21s
CI / playbook-test (pull_request) Successful in 2m19s
CI / container-scan (pull_request) Successful in 1m48s
CI / sonar-analysis (pull_request) Successful in 1m26s
CI / workflow-summary (pull_request) Successful in 1m17s
682 B
682 B
Security hardening guide
This repo’s “security” work is primarily implemented via roles and inventory defaults.
What runs where
- SSH hardening + firewall:
roles/ssh/ - Baseline packages/security utilities:
roles/base/ - Monitoring + intrusion prevention (servers):
roles/monitoring_server/(includesfail2ban) - Secrets: Ansible Vault in
inventories/production/group_vars/all/vault.yml
Recommended flow
# Dry-run first
make check
# Apply only security-tagged roles
make security
Secrets / Vault
Use vault for anything sensitive:
- Guide:
docs/guides/vault.md
Canonical standards
project-docs/standards.md