TELEICU/Security baseline
From OHC Network Wiki
More languages
More actions
Standard security controls applied to every TELEICU node regardless of migration path.
Network
- All inter-node traffic over Tailscale with ACL-based tagging
- Tailscale ACLs enforce least-privilege: agents can reach CP on specific ports only
- No direct SSH from the internet — all admin access through Tailscale
- Cloudflare Tunnel for public-facing services (outbound-only from the node)
- Firewall: only Tailscale interface + outbound tunnel allowed; all other inbound dropped
Secrets
- Ansible path: Ansible Vault + sops — encrypted files in the git repo, decrypted at pull time
- NixOS path: sops-nix — secrets decrypted at build time, never stored in the Nix store as plaintext
- Cloudflare tunnel credentials, registry auth, and API keys are never in unencrypted files
- No secrets in wiki pages, commit messages, or CI logs
Authentication
- SSH: key-based only, no password auth
- Tailscale: SSO-backed or pre-authenticated keys
- K3s: RBAC with per-node certificates, auto-rotated
- Admin access: Tailscale SSH or tailscale serve for web UIs
System hardening
- NixOS path: immutability by design — /etc is read-only, package set is pinned to a single nixpkgs revision, no unregistered binaries can persist
- Ansible path: ansible-pull enforces file permissions, firewall rules, and package state on each check-in; drift is reverted within the pull interval
- Both: automatic security patches (NixOS: flake update + comin / Ansible: unattended-upgrades or ansible-pull patch role)
Audit
- All configuration changes go through git — full history of who changed what and when
- NixOS path adds the Nix store as a cryptographic audit trail: every generation is content-addressed
- Node inventory tracked in the TeleicuSites Cargo table (no sensitive data)