Security is a critical aspect of running any internet-connected services. This guide provides an overview of security considerations and best practices for your ZombieKit deployment.

• Least Privilege: Services and users should only have the permissions necessary to perform their tasks.
• Defense in Depth: Implement multiple layers of security controls.
• Regular Updates: Keep your host system, Docker, and all ZombieKit components (via make pull && make up) updated.
• Strong Credentials: Use strong, unique passwords for all services and access points.

The infra/.env file is the most critical configuration file for your ZombieKit instance. It contains sensitive information such as:

• Passwords for TimescaleDB, Grafana, Hasura admin secret.
• API keys or secrets for external services (if any).
• Domain names and network settings.

Best Practices:

• Restrict Access: Ensure the infra/.env file has restrictive file permissions (e.g., chmod 600 infra/.env) so that only the owner can read and write to it.
• Strong Passwords: Generate strong, unique passwords for all secrets defined in this file. Use a password manager.
• Avoid Committing to Git: The .gitignore file should already prevent infra/.env from being committed. Double-check this.
• Secure Storage: If you back up infra/.env, ensure the backup is encrypted and stored securely.

• ACME/Let's Encrypt: If you configure TRAEFIK_ACME_EMAIL in infra/.env, Traefik will attempt to automatically obtain and renew SSL/TLS certificates from Let's Encrypt for your defined domain. This enables HTTPS for exposed services.
• Secure Headers: Consider adding security headers via Traefik middleware (e.g., HSTS, CSP, X-Frame-Options). This can be done by adding labels to services in infra/docker-compose.yml or by using dynamic configuration files for Traefik.
• Traefik Dashboard: By default, the Traefik dashboard might be enabled. For production, ensure it is secured with authentication or disabled if not needed.

ZombieKit aims to follow container security best practices:

• Non-Root User (USER 1000): Most service containers are configured to run their main process as a non-root user (typically UID 1000). This limits the potential impact if a container process is compromised.
• Read-Only Root Filesystem (RO root FS): Where possible, services should be configured with a read-only root filesystem (read_only: true in docker-compose.yml). Services write only to their designated data volumes. This is a target for ongoing refinement.
• Healthchecks (HEALTHCHECK): Services include health checks to allow Docker to monitor their status and restart them if they become unhealthy.
• Restart Policy (restart: unless-stopped): Services are configured to restart automatically unless manually stopped, ensuring high availability.
• Minimal Base Images: Using minimal base images (e.g., Alpine Linux) reduces the attack surface by including fewer packages and libraries.
• Pinned Base Image Tags (Major Tag): Base images are pinned to major tags (e.g., alpine:3.19) to balance stability and security updates. Minor/patch updates are pulled during docker compose pull.
• Multi-Stage Builds: Dockerfiles use multi-stage builds to keep production images small and free of build-time dependencies.

• Docker Networks: Services communicate over user-defined Docker bridge networks, providing isolation from the host network by default.
• Exposed Ports: Only necessary ports are exposed externally. Traefik typically handles external access on ports 80/443.
• Host Firewall: Configure a firewall on your host system (e.g., ufw on Linux) to restrict incoming connections to only those ports required by ZombieKit (e.g., 80, 443 for Traefik, SSH port).
• VPN/Private Network: For enhanced security, consider running ZombieKit on a host that is only accessible via a VPN or a private network, especially if you don't intend to expose services publicly.

• Keep Host Updated: Regularly update your host operating system and kernel.
• Secure SSH Access: If you manage the host via SSH:
  • Use strong passwords or, preferably, SSH key-based authentication.
  • Disable password authentication if using SSH keys.
  • Change the default SSH port.
  • Limit SSH access using the host firewall.
• Docker Daemon Security: Follow Docker's official security guidelines for the Docker daemon. Avoid exposing the Docker socket over TCP without proper security measures.

• Prometheus & Grafana: The built-in observability stack (Prometheus, Grafana, cAdvisor) helps monitor system and service health, which can aid in detecting anomalous behavior.
• Service Logs: Regularly review service logs for suspicious activity: make logs or docker compose -f infra/docker-compose.yml logs -f <service_name>.

• Trivy Scans: The CI pipeline includes Trivy scans for vulnerabilities in Docker images. You can also run Trivy locally: trivy image <image_name>.
• Review Configurations: Periodically review your infra/.env, docker-compose.yml, and Traefik configurations for any potential security misconfigurations.

• If you suspect a compromise, immediately stop the stack: make down.
• Isolate the host from the network if necessary.
• Begin investigation using logs and system state.
• Restore from a known good backup if data corruption or compromise is confirmed.

This guide provides a starting point. Security is an ongoing process, not a one-time setup. Stay informed about new vulnerabilities and best practices.