python-support-infra/stacks/site-support/SECURITY.md

# Security
Here follows an explanation of security practices taken into account.

Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.

## Rootness
The container process runs as `5000:5000`.
No processes are run as root within the container.

## Port Exposure
The container participates in the private `mesh_public` overlay network.
This allows the reverse proxy, Traefik, to route traffic via. internal DNS.

This traffic is unencrypted HTTP.
Thus, **the overlay network must be run on a trusted (L3) network**.

## Volume Access
Only `localtime` and `timezone` are mounted (read-only).

All files to be served are either baked into the container image, or mounted with `docker config`.

## Resource Limits
The service employs CPU/Memory usage limits in the `deploy` section.

This helps prevent a DDoS attack from crashing the entire host.

## Capabilities
The container runs with default capabilities.

## security.txt
*See https://securitytxt.org/ for RFC + generator.*

This stack comes with a `security.txt` generator in `scripts__security_txt`, which:
- Templates mail contact, expiry, GPG public key link, and canonical path.
- Signs the file with the GPG private key referenced in the link.

To use it, first adjust the following block in `gen.py`:
```python
MAILTO = 
EXPIRY = 
MAILTO_PGP_FINGERPRINT = 
DEPLOY_DOMAIN = 
```

Then, run `./gen.py` from any working directory. Remember to review the generated file, and update `docker config`.
feat: Working minimal, reproducible infrastructure. 2023-08-13 04:49:19 +02:00			`# Security`
			`Here follows an explanation of security practices taken into account.`

			`Refer to https://docs.docker.com/compose/compose-file/compose-file-v3/ for explanations of individual points.`

			`## Rootness`
			The container process runs as `5000:5000`.
			`No processes are run as root within the container.`

			`## Port Exposure`
			The container participates in the private `mesh_public` overlay network.
			`This allows the reverse proxy, Traefik, to route traffic via. internal DNS.`

			`This traffic is unencrypted HTTP.`
			`Thus, the overlay network must be run on a trusted (L3) network.`

			`## Volume Access`
			Only `localtime` and `timezone` are mounted (read-only).

			All files to be served are either baked into the container image, or mounted with `docker config`.

			`## Resource Limits`
			The service employs CPU/Memory usage limits in the `deploy` section.

			`This helps prevent a DDoS attack from crashing the entire host.`

			`## Capabilities`
refactor!: Playbooks into reusable roles. Also solving several issues along the way. Progress on #18. Closes #15. Closes #13. Closes #10. Closes #16. 2023-08-21 09:03:34 +02:00			`The container runs with default capabilities.`
feat: Working minimal, reproducible infrastructure. 2023-08-13 04:49:19 +02:00
			`## security.txt`
			`See https://securitytxt.org/ for RFC + generator.`

			This stack comes with a `security.txt` generator in `scripts__security_txt`, which:
			`- Templates mail contact, expiry, GPG public key link, and canonical path.`
			`- Signs the file with the GPG private key referenced in the link.`

			To use it, first adjust the following block in `gen.py`:
			```python
			`MAILTO =`
			`EXPIRY =`
			`MAILTO_PGP_FINGERPRINT =`
			`DEPLOY_DOMAIN =`
			```

			Then, run `./gen.py` from any working directory. Remember to review the generated file, and update `docker config`.