# Security hardening guide
Security hardening in this repo is implemented mainly through Ansible roles and inventory defaults rather than a standalone playbook; this page maps each control to the role or file that owns it.
## What runs where
- **SSH hardening + firewall**: `roles/ssh/`
- **Baseline packages/security utilities**: `roles/base/`
- **Monitoring + intrusion prevention (servers)**: `roles/monitoring_server/` (includes `fail2ban`)
- **Secrets**: Ansible Vault in `inventories/production/group_vars/all/vault.yml`
## Recommended flow
```bash
# Dry-run first: review the reported changes before applying anything
make check
# Apply only security-tagged roles
make security
```
## Secrets / Vault
Use Ansible Vault for anything sensitive (passwords, API tokens, private keys); never commit such values in plaintext to `group_vars`.
- Guide: `docs/guides/vault.md`
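A pre-flight check that fits in front of `make check` / `make security`, as an added example that is not part of this repo's Makefile or roles: it walks an inventory tree and refuses to continue if any vault file is stored in plaintext. The header test relies on `ansible-vault encrypt` writing `$ANSIBLE_VAULT;1.1;AES256` as the first line of an encrypted file. The `vault.yml` name matches the path this guide uses; the additional `*.vault.yml` pattern is an assumption, and the sample tree the script builds under a temp directory is constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not part of this repo's Makefile or roles): refuse to run the
# hardening roles while any vault file in the inventory tree is plaintext.
# Assumes vault files are named vault.yml (the path this guide names) or
# *.vault.yml (an assumption).

# ansible-vault encrypt writes a header line such as
#   $ANSIBLE_VAULT;1.1;AES256
# Returns 0 when the file starts with that header, 1 otherwise (or if absent).
is_vault_encrypted() {
    [ -f "$1" ] || return 1
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Print every vault-named file under $1 that is NOT encrypted, one per line.
# Empty output means the tree is clean.
find_plaintext_vaults() {
    find "$1" -type f \( -name 'vault.yml' -o -name '*.vault.yml' \) | sort |
    while IFS= read -r f; do
        is_vault_encrypted "$f" || printf '%s\n' "$f"
    done
}

# Gate: returns 0 when the tree is clean, 1 (offending paths on stderr) otherwise.
preflight() {
    bad=$(find_plaintext_vaults "$1")
    if [ -n "$bad" ]; then
        printf 'plaintext vault file(s); fix with "ansible-vault encrypt <file>":\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree for the demonstration: one properly encrypted vault
# (header only; the hex payload is illustrative, not real ciphertext) and one
# vault.yml committed in plaintext by mistake.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/production/group_vars/all" "$root/staging/group_vars/all"
    printf '$ANSIBLE_VAULT;1.1;AES256\n3366353261623062\n' \
        > "$root/production/group_vars/all/vault.yml"
    printf 'db_password: hunter2\n' \
        > "$root/staging/group_vars/all/vault.yml"
    printf '%s\n' "$root"
}

# Demonstration. To gate the real flow, point the check at the repo's own
# inventory directory instead:  preflight inventories/production && make check
demo_root=$(make_sample_tree)
if preflight "$demo_root"; then
    echo "vault files encrypted; safe to run make check / make security"
else
    echo "pre-flight failed; not running the hardening roles"
fi
rm -rf "$demo_root"
```

The header check is deliberately strict: a file that contains secrets but lacks the `$ANSIBLE_VAULT;` header is treated as plaintext even if it looks like YAML, so a vault file that was decrypted for editing and committed by mistake is caught before any role runs.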
## Canonical standards
- `project-docs/standards.md`