- host-facing services bind to 127.0.0.1
- internal-only services do not expose host ports
- real secrets stay outside git
- generated logs should be treated as potentially sensitive
- public host-facts artifacts must be reviewed for overexposed fields before commit
- private host-facts artifacts stay outside git
Expected live pattern:
- runtime configs under /srv/abyss-stack/Configs
- secrets under /srv/abyss-stack/Secrets
- example env files in env/
- real env files never committed
- committing live stack.env
- publishing raw inspect output that may contain env values
- treating secret paths as normal source files
- widening network exposure casually
- committing private host-facts captures from /srv/abyss-stack/Logs/host-facts/
- localhost-first
- rootless containers
- smallest possible exposed surface
- explicit profiles instead of always-on sprawl
- public-safe host-facts only in repo history
Before exposing or changing a service, ask:
- Does this need a host port at all?
- Does it need more than localhost?
- Does this introduce secret-bearing config drift?
- Does this make rollback harder?
- Does this leak host reconnaissance detail without adding operational value?
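As an added example (not code from the abyss-stack repository), a small POSIX shell check that turns two of the conventions above into something a pre-commit hook or CI job can run: published ports must be bound to 127.0.0.1, and live stack.env, Secrets and private host-facts captures must never be staged. The compose-style `HOST_IP:HOST_PORT:CONTAINER_PORT` port string format and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example, not part of abyss-stack. Assumes compose-style port strings
# ("8080:80", "127.0.0.1:8080:80", "0.0.0.0:8080:80/udp") and the repo layout
# described in the conventions above.

# 0 if a single published-port string is bound to loopback, 1 otherwise.
port_is_localhost() {
  p="${1%%/*}"                     # drop a trailing /tcp or /udp suffix
  case "$p" in
    127.0.0.1:*:*) return 0 ;;     # explicit loopback bind: allowed
    *:*:*)         return 1 ;;     # bound to some other host address
    *)             return 1 ;;     # "HOST:CONTAINER" with no address binds all interfaces
  esac
}

# 0 if a path may be committed, 1 if it is a live secret or private artifact.
path_is_committable() {
  case "$1" in
    stack.env|*/stack.env)               return 1 ;;  # live env file
    /srv/abyss-stack/Secrets/*)          return 1 ;;  # secret store
    /srv/abyss-stack/Logs/host-facts/*)  return 1 ;;  # private host-facts captures
    *)                                   return 0 ;;
  esac
}

# Check every port string given as an argument; exit status = number of violations.
check_ports() {
  bad=0
  for port in "$@"; do
    if ! port_is_localhost "$port"; then
      echo "non-localhost port mapping: $port" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Check every staged path given as an argument; exit status = number of violations.
check_paths() {
  bad=0
  for path in "$@"; do
    if ! path_is_committable "$path"; then
      echo "forbidden path staged: $path" >&2
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}

# Demo on constructed input (not real stack configuration).
check_ports "127.0.0.1:8080:80" "0.0.0.0:9090:9090" "5432:5432" || echo "ports: $? violation(s)" >&2
check_paths "env/stack.env.example" "/srv/abyss-stack/Configs/app.toml" "stack.env" || echo "paths: $? violation(s)" >&2
```

In a real hook, feed `git diff --cached --name-only` to `check_paths` and the port strings extracted from the compose file to `check_ports`, and refuse the commit on a nonzero exit status.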