23 lines
1.4 KiB
HTML
23 lines
1.4 KiB
HTML
<!--
|
|
title: Security
|
|
description:
|
|
published: true
|
|
date: 2024-06-23T15:06:23.329Z
|
|
tags:
|
|
editor: ckeditor
|
|
dateCreated: 2024-06-23T15:04:44.411Z
|
|
-->
|
|
|
|
<p>This page documents the security practices we take.</p>
|
|
<p>If something we do is missing from the list, or you want us to add something that improves Project Segfault's security, email contact@projectsegfau.lt (preferably with <a href="https://keys.openpgp.org/search?q=contact@projectsegfau.lt">PGP</a>) or contact a sysadmin over matrix/xmpp.</p>
|
|
<ul>
|
|
<li>System updates every 2 weeks</li>
|
|
<li>Most of our services run under docker or LXC</li>
|
|
<li>All places where public code can be run is completely isolated (example Gitea Actions and Pubnix)</li>
|
|
<li>DNSSEC enabled for all domains</li>
|
|
<li>All nodes are almost completely separate from one another and when node-interop is needed (example CDN and Authoritative DNS), it is done through an unprivileged user (Exception is our new ansible-semaphore instance which is on IN Node, and has root access to all servers. However the SSH key is stored encrypted so it should be fine :P)</li>
|
|
<li>All management interfaces and ssh to servers are behind our selfhosted tailscale instance.</li>
|
|
<li>Backups are encrypted with borg (the decryption phrase is only on the server itself so it can send new backups and with arya, midou and devrand (the sysadmins))</li>
|
|
<li>On all servers, the VMs are stored in ZFS encrypted medium</li>
|
|
</ul>
|