archy/.claude/skills/polish/references/security.md

# Polish: Security Hardening

## 1. Systemd Service
Add to `image-recipe/configs/archipelago.service`:
`NoNewPrivileges=true`, `ProtectSystem=strict`, `ReadWritePaths=/var/lib/archipelago`
Verify: `ssh ... "sudo systemd-analyze security archipelago"` — score < 5.0

## 2. Nginx Headers
- HSTS (HTTPS only): `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
- Rate limiting zones: `limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;`
- Custom log format stripping tokens

## 3. Secrets Management
Replace hardcoded `archipelago123` with generated secrets:
- Generate on first boot: `openssl rand -base64 24 > /var/lib/archipelago/secrets/bitcoin-rpc-pass`
- Backend reads from env var: `std::env::var("ARCHIPELAGO_BITCOIN_RPC_PASS")`

## 4. SSH Hardening
Replace `StrictHostKeyChecking=no` with `StrictHostKeyChecking=accept-new` in deploy script.

## Verify
`grep -rn 'archipelago123' scripts/ core/` should return zero. Nginx headers pass curl check. Rate limiting returns 429 on rapid auth requests.