- The storage on the server is fully encrypted, both in OpenStack and the VM itself (the latter one using `AES-XTS-256`, see `misc/softraid.pdf` for the specification).
- The server _solely_ runs the Gitea stack (with Nginx and PostgreSQL), thus preventing additional attack surface.
### Web front-end
- Any plain-text (HTTP) traffic is redirected to the TLS secure counterpart (HTTPS).
- TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption, with the following ciphers: `ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM` and with HSTS.
### Networking
- The server itself is strictly firewalled (using `pf(8)`), both egress and ingress - on a daemon/service level.
- Internal service communication is encrypted (eg: Gitea is configured to connect to the local PostgreSQL server using TLS).