Tag: Undo |
No edit summary |
||
| Line 6: | Line 6: | ||
* System updates every 2 weeks | * System updates every 2 weeks | ||
* Most of our services run under docker or LXC | * Most of our services run under docker or LXC | ||
* All places where public code can be run is completely isolated (example Gitea Actions and Pubnix) | * All places where public code can be run is completely isolated (example Gitea Actions and Pubnix) | ||
* DNSSEC enabled for all domains (though the DS record isn't in .lt for projectsegfau.lt since ovh sucks) | * DNSSEC enabled for all domains (though the DS record isn't in .lt for projectsegfau.lt since ovh sucks) | ||
* All nodes are almost completely separate from one another and when node-interop is needed (example CDN and Authoritative DNS), it is done through an unprivileged user (Exception is our new ansible-semaphore instance which is on | * All nodes are almost completely separate from one another and when node-interop is needed (example CDN and Authoritative DNS), it is done through an unprivileged user (Exception is our new ansible-semaphore instance which is on IN Node, and has root access to all servers. However the SSH key is stored encrypted so it should be fine :P) | ||
* All management interfaces and ssh to servers are behind our selfhosted tailscale instance. | * All management interfaces and ssh to servers are behind our selfhosted tailscale instance. | ||
* Backups are encrypted with borg (the decryption phrase is only on the server itself so it can send new backups and with arya, midou and devrand (the sysadmins)) | * Backups are encrypted with borg (the decryption phrase is only on the server itself so it can send new backups and with arya, midou and devrand (the sysadmins)) | ||
* On all servers with a lot of data being stored like IN Node, the VMs are stored in ZFS encrypted medium | |||
=== Things we are currently implementing === | === Things we are currently implementing === | ||
* | * | ||
Latest revision as of 15:26, 20 September 2023
WIP
This page documents the security practices we take.
If something we do is missing from the list, or you want us to add something that improves Project Segfault's security, email contact@projectsegfau.lt (preferably with PGP) or contact a sysadmin over matrix/xmpp.
- System updates every 2 weeks
- Most of our services run under docker or LXC
- All places where public code can be run is completely isolated (example Gitea Actions and Pubnix)
- DNSSEC enabled for all domains (though the DS record isn't in .lt for projectsegfau.lt since ovh sucks)
- All nodes are almost completely separate from one another and when node-interop is needed (example CDN and Authoritative DNS), it is done through an unprivileged user (Exception is our new ansible-semaphore instance which is on IN Node, and has root access to all servers. However the SSH key is stored encrypted so it should be fine :P)
- All management interfaces and ssh to servers are behind our selfhosted tailscale instance.
- Backups are encrypted with borg (the decryption phrase is only on the server itself so it can send new backups and with arya, midou and devrand (the sysadmins))
- On all servers with a lot of data being stored like IN Node, the VMs are stored in ZFS encrypted medium