docs/SECURITY.md

LAYLO Code - Secure, resilient, privacy-friendly code hosting

This document gives an overview of the security standards applied on code.laylo.cloud.

Goals

This Gitea instance is configured following best practices in order to thwart low- to medium-level attacks. The threat model does not include protection against high-level adversaries (e.g. nation states).

Global

  • The OS and software are updated every week (Thursdays, 22:00 - 23:59 CEST).
  • The storage on the server is fully encrypted, both in OpenStack and in the VM itself (the latter using AES-XTS-256; see misc/softraid.pdf for the specification).
  • The server solely runs the Gitea stack (with Nginx and PostgreSQL), which avoids additional attack surface.

Web front-end

  • Any plain-text (HTTP) traffic is redirected to the TLS secure counterpart (HTTPS).

  • TLS (more specifically TLSv1.2 and TLSv1.3) is used for encryption in transit, with HSTS and the following ciphers:

    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM
    
  • OCSP stapling and OCSP must-staple are enabled.

  • TLS session tickets are disabled (at least until Nginx fixes this properly).
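The front-end requirements listed above (TLS 1.2/1.3 only, HTTP redirected to HTTPS, HSTS, OCSP stapling, session tickets off) can be checked mechanically against an nginx configuration before it is deployed. The following is an added example, not code from the LAYLO Code project and not its actual nginx configuration: it parses a small subset of nginx directives from two constructed config fragments (one weak, one meeting the policy) and reports which requirements each one satisfies. The host name in the fragments is a placeholder.

```python
"""Lint nginx TLS settings against the front-end policy described above.

Added example (not part of the LAYLO Code documentation). Only the
directives relevant to the policy are parsed: ssl_protocols,
ssl_session_tickets, ssl_stapling, ssl_stapling_verify, add_header and
return. Both config fragments are constructed for the example.
"""

# The policy allows exactly these protocol versions.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

# Constructed fragment: legacy protocols, tickets on, no stapling, no HSTS,
# and plain HTTP is served instead of redirected.
WEAK_CONFIG = """
server {
    listen 80;
    server_name code.example.test;   # placeholder host name
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets on;
    ssl_stapling off;
}
"""

# Constructed fragment that satisfies every requirement on the page.
HARDENED_CONFIG = """
server {
    listen 80;
    server_name code.example.test;   # placeholder host name
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
"""


def parse_directives(config):
    """Return {directive_name: [argument token lists]} for every directive
    in the text. Block braces are skipped and '#' starts a comment; nested
    blocks are flattened, which is sufficient for these checks."""
    found = {}
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        tokens = line.rstrip(";").split()
        found.setdefault(tokens[0], []).append(tokens[1:])
    return found


def check_tls_policy(config):
    """Evaluate each policy requirement and return {requirement: bool}."""
    d = parse_directives(config)
    protocols = {p for args in d.get("ssl_protocols", []) for p in args}
    hsts = any(
        args and args[0].lower() == "strict-transport-security"
        and "max-age=" in " ".join(args[1:]).lower()
        for args in d.get("add_header", [])
    )
    redirect = any(
        len(args) >= 2 and args[0] == "301" and args[1].startswith("https://")
        for args in d.get("return", [])
    )
    return {
        "modern_protocols_only": bool(protocols) and protocols <= ALLOWED_PROTOCOLS,
        "http_redirected_to_https": redirect,
        "hsts_enabled": hsts,
        # must-staple only helps if nginx also verifies the stapled response
        "ocsp_stapling_enabled": ["on"] in d.get("ssl_stapling", [])
        and ["on"] in d.get("ssl_stapling_verify", []),
        "session_tickets_disabled": ["off"] in d.get("ssl_session_tickets", []),
    }


def all_requirements_met(config):
    """True only when every requirement in check_tls_policy passes."""
    return all(check_tls_policy(config).values())


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_tls_policy(cfg))
```

The check reads the configuration rather than probing the live server, so it can run in CI on the config repository; an on-the-wire check (for example with openssl s_client against the deployed host) is still needed to confirm that the cipher string is accepted by the installed OpenSSL and that a staple is actually attached.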

Networking

  • The server itself is strictly firewalled (using pf(8)), both egress and ingress, at the daemon/service level.
  • Internal service communication is encrypted (e.g. Gitea is configured to connect to the local PostgreSQL server using TLS).

Etc

  • Official commits (e.g. in the laylo/docs repository) are GPG signed, and MFA is enforced for accounts with write access.

  • Backups are made every 24 hours using a 'pull' mechanism: the backup host fetches from this server, and this server does NOT have access to the backup repository.

  • SSH is hardened (PKI authentication, MFA via hardware tokens).

  • The SSH fingerprint is: SHA256:Uo+OE0V8yAMWTT0jyJrROJcJ5S9TmCnp3evQQ7xL538.

  • SSH ciphers are hardened; the following are in use:

    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
    
  • The GPG public keys can be found in signing-keys/
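Checking the published SSH fingerprint above means computing the SHA256 fingerprint of the host key the client receives and comparing it. The following is an added example, not code from the LAYLO Code project: it shows how OpenSSH derives a SHA256 fingerprint from a public-key line (base64 of the SHA-256 digest of the raw key blob, with the '=' padding dropped) and compares it to the published value. The key used in it is constructed, not the server's real key, so it deliberately does not match the published fingerprint; the comparison function is what you would apply to the line printed by ssh-keyscan -t ed25519 code.laylo.cloud.

```python
"""Compute and verify an OpenSSH SHA256 host-key fingerprint.

Added example (not part of the LAYLO Code documentation). Accepts the
'<type> <base64 blob> [comment]' form used in authorized_keys as well as
the '<host> <type> <base64 blob>' form printed by ssh-keyscan / stored in
known_hosts. The Ed25519 key built here is a constructed placeholder.
"""
import base64
import hashlib
import hmac
import struct

# Fingerprint published on this page for code.laylo.cloud.
PUBLISHED_FINGERPRINT = "SHA256:Uo+OE0V8yAMWTT0jyJrROJcJ5S9TmCnp3evQQ7xL538"


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_pubkey_line(raw_key, comment="constructed"):
    """Wire-format a 32-byte Ed25519 public key as a single key line.
    The blob is string('ssh-ed25519') || string(raw_key), then base64."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def _extract_blob(tokens):
    """Find the '<type> <base64>' pair whose decoded blob embeds the same
    type name; this is robust to a leading host name or trailing comment."""
    for key_type, blob_b64 in zip(tokens, tokens[1:]):
        try:
            blob = base64.b64decode(blob_b64, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(blob) < 4:
            continue
        (n,) = struct.unpack(">I", blob[:4])
        if blob[4:4 + n] == key_type.encode():
            return blob
    raise ValueError("no '<type> <base64 blob>' pair found in line")


def fingerprint(pubkey_line):
    """SHA256 fingerprint exactly as OpenSSH prints it."""
    blob = _extract_blob(pubkey_line.split())
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def matches_published(pubkey_line, expected=PUBLISHED_FINGERPRINT):
    """Compare a key line's fingerprint with the published one (constant-time)."""
    return hmac.compare_digest(fingerprint(pubkey_line), expected)


if __name__ == "__main__":
    # Constructed placeholder key: NOT the code.laylo.cloud host key.
    line = build_ed25519_pubkey_line(bytes(range(32)))
    print(fingerprint(line))
    print("matches published:", matches_published(line))  # False for the placeholder
```

In practice, pass the line printed by ssh-keyscan for the host to fingerprint() or matches_published(); a mismatch against the published value means the client is not talking to the expected host key and the connection should not be trusted.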