ansible/docs/guides/security.md

Security hardening guide

This repo's “security” work is primarily implemented via roles and inventory defaults.

What runs where

  • SSH hardening + firewall: roles/ssh/
  • Baseline packages/security utilities: roles/base/
  • Monitoring + intrusion prevention (servers): roles/monitoring_server/ (includes fail2ban)
  • Secrets: Ansible Vault in inventories/production/group_vars/all/vault.yml

# Dry-run first
make check

# Apply only security-tagged roles
make security

Secrets / Vault

Use Ansible Vault for anything sensitive:

  • Guide: docs/guides/vault.md

Canonical standards

  • project-docs/standards.md