# Security Best Practices

## Secrets Management

See ADR-0002.

- All secrets stored in Infisical at https://caneast-c1-node3:8443
- Never commit secrets to git — ever
- Use machine identities for pipeline injection
- Rotate secrets on any suspected compromise immediately
## Container Scanning

See ADR-0003.

Use Grype for all container image scans; run it on every image before deploying to staging or prod.
## SSH Hardening

Applied via the ssh_hardening Ansible role.
| Setting | IT nodes | OT nodes |
|---|---|---|
| Port | 2222 | 22 |
| Root login | Disabled | Disabled |
| Password auth | Disabled | Disabled |
| Allowed users | operator | pi |
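A drift check for the table above, added here as an example rather than part of the ssh_hardening role: it parses the effective configuration printed by `sshd -T` (lowercase keys, one `key value` per line) and reports where a node deviates from the IT or OT baseline. The helper names, the node-class labels `it`/`ot` and the sample dump are assumptions.

```python
"""Verify a node's effective sshd configuration against the SSH Hardening
baseline. Hypothetical helper, not the Ansible role itself; it reads the
output of `sshd -T` so it can be run against a captured dump offline."""

EXPECTED = {
    # Values taken from the SSH Hardening table: IT nodes vs OT nodes.
    "it": {"port": "2222", "permitrootlogin": "no",
           "passwordauthentication": "no", "allowusers": "operator"},
    "ot": {"port": "22", "permitrootlogin": "no",
           "passwordauthentication": "no", "allowusers": "pi"},
}


def parse_sshd_t(text):
    """Parse `sshd -T` output into {key: value}. Keys are lowercased; a key
    that appears more than once (e.g. two `port` lines) is joined with a
    space so an extra listen port is not silently dropped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        cfg[key] = (cfg[key] + " " + value) if key in cfg else value
    return cfg


def check_node(node_class, sshd_t_output):
    """Return a list of deviations from the baseline (empty means compliant)."""
    want = EXPECTED[node_class]
    have = parse_sshd_t(sshd_t_output)
    problems = []
    for key, expected in want.items():
        actual = have.get(key)
        if actual is None:
            problems.append(f"{key}: not present in effective config")
        elif actual.lower() != expected:
            problems.append(f"{key}: expected {expected!r}, got {actual!r}")
    return problems


# Constructed sample dump (as from `sudo sshd -T` on an IT node) that still
# listens on the default port and allows password authentication.
SAMPLE_IT_DUMP = """\
port 22
permitrootlogin no
passwordauthentication yes
allowusers operator
pubkeyauthentication yes
"""

if __name__ == "__main__":
    for issue in check_node("it", SAMPLE_IT_DUMP):
        print("DRIFT:", issue)
```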
## Firewall (UFW)

Applied via the ufw Ansible role.
| Policy | IT | OT |
|---|---|---|
| Default inbound | Deny | Deny |
| Default outbound | Allow | Deny (whitelist only) |
| fail2ban maxretry | 5 | 3 |
| fail2ban bantime | 600s | 3600s |
## CrowdSec

Running via the Cloudflare bouncer on peries.ca. There is no public Docker image for cs-firewall-bouncer, so build it from source.
## PAT Management

- ADO PATs stored in Infisical, not in shell profiles
- Minimum required scopes only
- 90-day rotation maximum
- Full-access PATs: 30-day maximum, for unblocking only