Security Overview
Principles
- Defense in Depth - Multiple layers of security controls
- Least Privilege - Minimal access required for each role
- Zero Trust - Verify explicitly, never trust implicitly
- Secrets Management - All credentials in 1Password, never in code
Security Controls
| Layer | Control | Implementation |
|---|---|---|
| Network | ZeroTier | Encrypted overlay, authorized members only |
| Network | Firewall | Minimal open ports (SSH, ZeroTier) |
| Network | Cloudflare | Zero Trust tunnels for SSH |
| Host | SSH Hardening | Key-only auth, no root, limited attempts |
| Host | fail2ban | Auto-ban after failed attempts |
| Host | Deletion Protection | Terraform `prevent_destroy` on critical resources |
| Secrets | 1Password | Service accounts for trusted hosts |
Documentation
Quick Reference
SSH Access Policy
- Never SSH as root - Use `joe` with sudo
- Key-only authentication - Passwords disabled
- Limited attempts - MaxAuthTries: 3, fail2ban enabled
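The policy above can be checked rather than assumed. The script below is an added example, not part of this documentation set or of the Ansible base role: it reads an `sshd_config` and reports every directive whose effective value breaks the policy (`PermitRootLogin no`, `PasswordAuthentication no`, `PubkeyAuthentication yes`, `MaxAuthTries` at most 3). It goes slightly beyond the bullets in two ways a practitioner would want: it also requires `KbdInteractiveAuthentication no`, because PAM can still prompt for a password over keyboard-interactive when only `PasswordAuthentication` is off, and it applies sshd's first-match rule, so a hardening line appended below an earlier permissive one is correctly reported as ineffective. The two sample configs are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of this repository's Ansible role: audit an sshd_config
# against the SSH access policy (key-only auth, no root login, MaxAuthTries <= 3).
# sshd uses the FIRST occurrence of a keyword, so a trailing "PasswordAuthentication no"
# does not override an earlier "yes"; this audit applies the same rule.
# Directives inside Match blocks are conditional and are skipped here.
# Usage: audit_sshd_config /etc/ssh/sshd_config
#        sshd -T > /tmp/effective && audit_sshd_config /tmp/effective   (resolved config)

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Effective value of keyword $2 in file $1; $3 is sshd's default when it is unset.
sshd_value() {
    v=$(awk -v key="$(lower "$2")" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match"               { in_match = 1 }
        in_match                             { next }
        tolower($1) == key                   { print $2; exit }   # first match wins
    ' "$1")
    printf '%s\n' "${v:-$3}"
}

# Prints one FAIL line per violation; returns 0 only when the file is compliant.
audit_sshd_config() {
    f="$1"; rc=0
    # keyword|required value|sshd default when the keyword is absent
    for rule in \
        "PermitRootLogin|no|prohibit-password" \
        "PasswordAuthentication|no|yes" \
        "KbdInteractiveAuthentication|no|yes" \
        "PubkeyAuthentication|yes|yes" \
        "MaxAuthTries|3|6"
    do
        key=${rule%%|*}; rest=${rule#*|}; want=${rest%%|*}; dflt=${rest#*|}
        have=$(sshd_value "$f" "$key" "$dflt")
        if [ "$key" = MaxAuthTries ]; then
            [ "$have" -le "$want" ] 2>/dev/null && continue   # stricter is fine
        elif [ "$(lower "$have")" = "$want" ]; then
            continue
        fi
        echo "FAIL $key: effective value '$have', policy requires '$want'"
        rc=1
    done
    return $rc
}

# Constructed sample configs (not from a real host). WEAK_CFG looks hardened at a
# glance, but the earlier "yes" wins, root keeps key-based login, and the defaults
# for the missing keywords are permissive.
make_samples() {
    WEAK_CFG=$(mktemp); GOOD_CFG=$(mktemp)
    cat >"$WEAK_CFG" <<'EOF'
PasswordAuthentication yes
PermitRootLogin prohibit-password
# "hardening" appended later; ignored by sshd because of the first line
PasswordAuthentication no
EOF
    cat >"$GOOD_CFG" <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
Match User joe
    AllowTcpForwarding no
EOF
}

if [ "${1:-}" = demo ]; then
    make_samples
    echo "== weak";  audit_sshd_config "$WEAK_CFG" || true
    echo "== good";  audit_sshd_config "$GOOD_CFG" && echo "compliant"
fi
```

Run it on the resolved configuration (`sshd -T`) rather than the raw file when include files or Match blocks are in play; the raw-file mode is what a pre-deploy lint would use on the role's template.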
Credential Policy
- Never commit secrets - All credentials in 1Password
- Service accounts - Trusted hosts use 1Password SA
- Rotation - If a credential was ever committed to git, rotate it immediately; rewriting history does not un-leak it (clones, forks and CI caches keep the old commit)
Static IP Protection
- prevent_destroy - All static IPs protected in Terraform
- Separate state - IPs managed independently from instances
- Never release - A released static IP returns to the provider's pool and cannot be reclaimed; DNS records and firewall allow-lists that reference it break
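A check for the first bullet, as an added example rather than the project's own tooling: the shell function below scans Terraform files and lists resources of the named types that lack `lifecycle { prevent_destroy = true }`, so a static IP resource added without protection is caught in review or CI instead of during an unlucky `terraform apply`. The resource types passed in (`google_compute_address`, `aws_eip`) are assumptions, since this page does not name the provider, and the sample `.tf` file is constructed.

```sh
#!/bin/sh
# Added example (not the project's own tooling): report Terraform resources of the
# given types that lack `lifecycle { prevent_destroy = true }`.
# The resource types are an assumption; the page does not name a cloud provider.
# Usage: check_prevent_destroy 'google_compute_address|aws_eip' cloud/terraform/*.tf

# Prints "file: type.name" for each unprotected resource of a matching type.
unprotected_resources() {
    types="$1"; shift
    awk -v types="^(${types})\$" '
        # Top-level resource header: remember type/name and reset block state.
        /^[[:space:]]*resource[[:space:]]+"/ {
            type = $2; name = $3; gsub(/"/, "", type); gsub(/"/, "", name)
            in_res = 1; depth = 0; protected = 0
        }
        in_res {
            if ($0 ~ /prevent_destroy[[:space:]]*=[[:space:]]*true/) protected = 1
            # Nesting by brace count; hand-written HCL rarely has braces in strings,
            # but heredocs or comments containing braces would confuse this.
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (depth == 0) {
                if (type ~ types && !protected) print FILENAME ": " type "." name
                in_res = 0
            }
        }
    ' "$@"
}

# Same check as a CI-style gate: prints the findings and exits 1 if any exist.
check_prevent_destroy() {
    out=$(unprotected_resources "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample (not the real state): one protected address, one forgotten,
# and an instance that the static-IP rule does not apply to.
make_sample_tf() {
    SAMPLE_TF=$(mktemp)
    cat >"$SAMPLE_TF" <<'EOF'
resource "google_compute_address" "pluto_ip" {
  name   = "pluto-ip"
  region = "us-central1"
  lifecycle {
    prevent_destroy = true
  }
}

resource "google_compute_address" "dumbo_ip" {
  name   = "dumbo-ip"
  region = "us-central1"
}

resource "google_compute_instance" "dumbo" {
  name         = "dumbo"
  machine_type = "e2-small"
  network_interface {
    network = "default"
  }
}
EOF
}

if [ "${1:-}" = demo ]; then
    make_sample_tf
    check_prevent_destroy 'google_compute_address|aws_eip' "$SAMPLE_TF" || echo "unprotected static IPs found"
fi
```

Note the limit of `prevent_destroy`: it only guards the resource while its block (and the lifecycle inside it) remains in the configuration. Deleting the block removes the guard along with it, which is one reason to keep the IPs in their own state, as the second bullet does.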
Host Trust Model
| Host | Trust Level | Secrets Allowed | 1Password SA |
|---|---|---|---|
| pluto | ✅ Trusted | Yes | Yes |
| dumbo | ✅ Trusted | Yes | Yes |
| mickey | ✅ Trusted | Ephemeral only | No |
| bogart | ⚠️ Untrusted | NO | No |
| rocky | ❓ Unknown | TBD | No |
Hardening Checklist
All internet-exposed hosts MUST have:
Enforced via the Ansible base role: `cloud/ansible/roles/base/`