LAYLO Code - Secure, resilient, privacy-friendly code hosting
This document gives an overview of the security measures that are in place on code.laylo.cloud.
Goals
This Gitea instance is configured following best practices, in order to thwart low- to medium-level attacks. The threat model does not include protection against high-level adversaries (e.g., nation states).
Global
- The OS and software are updated every week (Thursdays, 22:00 - 23:59 CEST).
- The storage on the server is fully encrypted, both in OpenStack and in the VM itself (the latter using AES-XTS-256; see misc/softraid.pdf for the specification).
- The server solely runs the Gitea stack (with Nginx and PostgreSQL), so no additional attack surface is exposed.
Web front-end
- All plain-text (HTTP) traffic is redirected to its TLS-protected counterpart (HTTPS).
- TLS (specifically TLSv1.2 and TLSv1.3) is used for encryption in transit, with HSTS enabled and the following cipher list:
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM
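The following Nginx server blocks are an added example of how the three properties above (HTTP-to-HTTPS redirect, TLSv1.2/1.3 with the listed cipher string, HSTS) are expressed in a front-end configuration. This is illustrative code written for this page, not the configuration actually deployed on code.laylo.cloud; the certificate paths, the Gitea listen address 127.0.0.1:3000 and the includeSubDomains HSTS flag are assumptions.

```nginx
# Added example, not the instance's own configuration.
# Assumptions: Gitea listens on 127.0.0.1:3000, certificates live under
# /etc/ssl/code.laylo.cloud/, and includeSubDomains is wanted on HSTS.

# 1. Any plain-text request gets a permanent redirect to HTTPS. No HSTS
#    header here: browsers ignore Strict-Transport-Security over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name code.laylo.cloud;
    return 301 https://$host$request_uri;
}

# 2. TLS front-end in front of Gitea.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name code.laylo.cloud;

    ssl_certificate     /etc/ssl/code.laylo.cloud/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/ssl/code.laylo.cloud/privkey.pem;     # assumed path

    # Only TLSv1.2 and TLSv1.3 are offered; TLSv1.0/1.1 handshakes are refused.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher list exactly as given on this page. Caveat: with Nginx/OpenSSL,
    # ssl_ciphers governs TLSv1.2 only. The TLSv1.3 suites (AES-GCM and
    # ChaCha20-Poly1305) are fixed by OpenSSL and can only be narrowed with
    # "ssl_conf_command Ciphersuites ...;" (nginx >= 1.19.4).
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:AES-256-GCM-SHA384:EECDH+AESGCM:EDH+AESGCM;
    ssl_prefer_server_ciphers on;

    # HSTS: the browser remembers for two years to reach this host over HTTPS
    # only. "always" also emits the header on 4xx/5xx responses. Note that an
    # add_header inside a location block would replace (not extend) this one,
    # so the location below deliberately has no add_header of its own.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        proxy_pass http://127.0.0.1:3000;   # assumed Gitea listen address
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To check such a deployment from the outside: `curl -sI http://code.laylo.cloud/` should answer with a 301 and a `Location: https://...` header, `curl -sI https://code.laylo.cloud/` should include the `Strict-Transport-Security` header, and `openssl s_client -connect code.laylo.cloud:443 -tls1_1` should fail to complete a handshake.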
Networking
- The server itself is strictly firewalled using pf(8), both ingress and egress, at the daemon/service level.
- Internal service communication is encrypted (e.g., Gitea is configured to connect to the local PostgreSQL server over TLS).
Etc
- Official commits (e.g., in the laylo/docs repository) are GPG-signed, and MFA is enforced for accounts with write access.
- Backups are made every 24 hours using a pull mechanism: the backup host pulls the data, and this server does NOT have access to the backup repository.
- SSH is hardened (public-key authentication, MFA via hardware tokens, and a restricted set of strong cipher suites).