Tag: Rollback |
No edit summary |
||
| Line 12: | Line 12: | ||
* DNSSEC enabled for all domains (though the DS record isn't in .lt for projectsegfau.lt since ovh sucks) | * DNSSEC enabled for all domains (though the DS record isn't in .lt for projectsegfau.lt since ovh sucks) | ||
* All nodes are almost completely separate from one another and when node-interop is needed (example CDN and Authoritative DNS), it is done through an unprivileged user | * All nodes are almost completely separate from one another and when node-interop is needed (example CDN and Authoritative DNS), it is done through an unprivileged user | ||
* All management interfaces and ssh to servers are behind our selfhosted tailscale instance. | |||
=== Things we are currently implementing === | === Things we are currently implementing === | ||
* | * | ||
Revision as of 05:33, 1 July 2023
WIP
This page documents the security practices we take.
If something we do is missing from the list, or you want us to add something that improves Project Segfault's security, email contact@projectsegfau.lt (preferably with PGP) or contact a sysadmin over matrix/xmpp.
- System updates every 2 weeks
- Database is on a separate VM from the services themselves
- Most of our services run under docker or LXC
- All places where public code can be run is completely isolated (example Gitea Actions and Pubnix)
- Webserver is in a VM separate from the services and Database
- DNSSEC enabled for all domains (though the DS record isn't in .lt for projectsegfau.lt since ovh sucks)
- All nodes are almost completely separate from one another and when node-interop is needed (example CDN and Authoritative DNS), it is done through an unprivileged user
- All management interfaces and ssh to servers are behind our selfhosted tailscale instance.