wiki/Security.html
2024-06-24 14:10:54 +00:00

<!--
title: Security
description:
published: true
date: 2024-06-23T15:06:23.329Z
tags:
editor: ckeditor
dateCreated: 2024-06-23T15:04:44.411Z
-->
<p>This page documents the security practices we follow.</p>
<p>If something we do is missing from the list, or you want us to add something that improves Project Segfault's security, email contact@projectsegfau.lt (preferably with <a href="https://keys.openpgp.org/search?q=contact@projectsegfau.lt">PGP</a>) or contact a sysadmin over Matrix/XMPP.</p>
<ul>
<li>System updates every 2 weeks</li>
<li>Most of our services run under Docker or LXC</li>
<li>All places where public code can be run are completely isolated (for example, Gitea Actions and Pubnix)</li>
<li>DNSSEC enabled for all domains</li>
<li>All nodes are almost completely separate from one another, and when node interop is needed (for example, CDN and authoritative DNS), it is done through an unprivileged user. (The exception is our new ansible-semaphore instance, which is on IN Node and has root access to all servers. However, the SSH key is stored encrypted, so it should be fine :P)</li>
<li>All management interfaces and SSH access to servers are behind our self-hosted Tailscale instance.</li>
<li>Backups are encrypted with Borg (the decryption phrase is held only on the server itself, so it can send new backups, and by arya, midou and devrand (the sysadmins))</li>
<li>On all servers, the VMs are stored on a ZFS encrypted medium</li>
</ul>