Toggle menu
Toggle preferences menu
Toggle personal menu
Not logged in
Your IP address will be publicly visible if you make any edits.

TELEICU/Security baseline

From OHC Network Wiki
referenceteleicuCARE 3.0+

Standard security controls applied to every TELEICU node regardless of migration path.

Network

  • All inter-node traffic over Tailscale with ACL-based tagging
  • Tailscale ACLs enforce least-privilege: agents can reach CP on specific ports only
  • No direct SSH from the internet — all admin access through Tailscale
  • Cloudflare Tunnel for public-facing services (outbound-only from the node)
  • Firewall: only Tailscale interface + outbound tunnel allowed; all other inbound dropped

Secrets

  • Ansible path: Ansible Vault + sops — encrypted files in the git repo, decrypted at pull time
  • NixOS path: sops-nix — secrets decrypted at build time, never stored in the Nix store as plaintext
  • Cloudflare tunnel credentials, registry auth, and API keys are never in unencrypted files
  • No secrets in wiki pages, commit messages, or CI logs

Authentication

  • SSH: key-based only, no password auth
  • Tailscale: SSO-backed or pre-authenticated keys
  • K3s: RBAC with per-node certificates, auto-rotated
  • Admin access: Tailscale SSH or tailscale serve for web UIs

System hardening

  • NixOS path: immutability by design — /etc is read-only, package set is pinned to a single nixpkgs revision, no unregistered binaries can persist
  • Ansible path: ansible-pull enforces file permissions, firewall rules, and package state on each check-in; drift is reverted within the pull interval
  • Both: automatic security patches (NixOS: flake update + comin / Ansible: unattended-upgrades or ansible-pull patch role)

Audit

  • All configuration changes go through git — full history of who changed what and when
  • NixOS path adds the Nix store as a cryptographic audit trail: every generation is content-addressed
  • Node inventory tracked in the TeleicuSites Cargo table (no sensitive data)