2.4 KiB
LAYLO Code - Secure, resilient, privacy-friendly code hosting
This document gives an overview to the applied security standards that are in use on code.laylo.cloud
.
Goals
This Gitea instance is configured following best practices, in order to thwart low to medium level attacks. The threat model does not include protection against high-level adversaries (eg, nation states).
Global
- The OS and software is updated every week (Thursdays, 22:00 - 23:59 CEST).
- The storage on the server is fully encrypted, both in OpenStack and the VM itself (the latter one using
AES-XTS-256
, seemisc/softraid.pdf
for the specification). - The server solely runs the Gitea stack (with Nginx and PostgreSQL), thus preventing additional attack surface.
Web front-end
-
Any plain-text (HTTP) traffic is redirected to the TLS secure counterpart (HTTPS).
-
TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption - with HSTS and the following ciphers:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM
-
OCSP stapling and OCSP must-stable are enabled.
-
TLS session tickets are disabled (at least until Nginx fixes this properly).
Networking
- The server itself is strictly firewalled (using
pf(8)
), both egress and ingress - on a daemon/service level. - Internal service communication is encrypted (eg: Gitea is configured to connect to the local PostgreSQL server using TLS).
Etc
-
Official commits (eg, in the
laylo/docs
repository) are GPG signed, and MFA is enforced for accounts with write access. -
Backups are made every 24 hours, using a 'pull mechanism'. This server does NOT have access to the backup repository.
-
SSH is hardened (PKI authentication, MFA via hardware tokens).
-
The SSH fingerprint is:
SHA256:Uo+OE0V8yAMWTT0jyJrROJcJ5S9TmCnp3evQQ7xL538
. -
SSH ciphers are hardened, these are in use:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group16-sha512 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
-
The GPG public keys can be found in
signing-keys/