host setup

• public key
  • https://github.com/drduh/YubiKey-Guide

enable selinux /etc/selinux/config
ssh-keygen -t ed25519 -a 200
ssh-copy-id | or on win  type $env:USERPROFILE\.ssh\id_rsa.pub | ssh {IP-ADDRESS-OR-FQDN} "cat >> .ssh/authorized_keys"

• 2fa
  • https://www.techrepublic.com/article/how-to-enable-ssh-2fa-on-almalinux-for-more-secure-logins/
  • see attached google_auth_selinux.pdf
  • see attached google_auth_selinux_github.jpeg issue
• hardening
  • https://fak3r.com/2021/06/18/secure-linux-servers-by-default/
    • https://github.com/philcryer/base-secure
    • Fail2ban
• hardening section from: https://github.com/digitalis-io/k3s-on-prem-production
• dev-sec ansible collection: dev-sec/ansible-collection-hardening (github.com)
• note for openscap:

Error invoking sudo on the host: a password is required. Only passwordless sudo setup on the remote host is supported by scap-workbench. To configure a non-privileged user oscap-user to run only the oscap binary as root, add this User Specification to your sudoers file: oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap xccdf eval *

k3s

• setup
  • https://github.com/alexellis/k3sup
  • https://sysdig.com/blog/k3s-sysdig-falco/
• hardening
  • https://falco.org/
  • https://cert-manager.io/
• operator olm
• monitoring
  • service mash console/dashboard: https://kiali.io/
  • https://www.infoq.com/news/2021/11/cryostat-jvm-profiler-container/

extras

• awx: https://github.com/kurokobo/awx-on-k3s#prepare-centos-8-host
• strapi: https://dev.to/strapi/deploying-and-scaling-the-official-strapi-demo-app-foodadvisor-with-kubernetes-471d
• ci/cd: https://developers.redhat.com/articles/2021/11/30/automate-dependency-analytics-github-actions?sc_cid=7013a0000026GujAAE#+
• knative: https://k33g.gitlab.io/articles/2020-05-02-KNATIVE-K3S-EN-01.html

web3

• domain
  • https://app.ens.domains/name/stefanoagazzi.eth/register
• radicle
• ipfs