docs: README, changelog, contributing, security, deployment, operations, CI
Some checks are pending
build / build (push) Waiting to run

This commit is contained in:
root 2026-05-24 18:21:04 +01:00
commit 473855e59a
12 changed files with 551 additions and 0 deletions

22
SECURITY.md Normal file
View file

@ -0,0 +1,22 @@
# Security
## Reporting
Raise a private issue in Forgejo or contact the repo owner directly.
## Credentials
- Never commit keytabs, .ccache files, or .env files - all are in .gitignore
- The keytab must be stored as a Docker secret only
- The service account (dns-updater) should have no other privileges beyond DnsAdmins
- Rotate the keytab periodically - see docs/operations.md
## Threat model
| Threat | Mitigation |
|---|---|
| Keytab compromise | Scoped to DnsAdmins only; rotate via samba-tool user setpassword |
| Container escape | Runs as nobody; no capabilities; no host mounts beyond the secret |
| DNS spoofing | GSS-TSIG: updates are Kerberos-signed and verified by the KDC |
| Unauthorised DNS writes | Only the dns-updater principal can authenticate with this keytab |
| Traefik API abuse | API is read-only; no writes to Traefik from this service |