I’m deploying a nodejs-based website for someone. It will be low traffic, but I want to make sure I’ve got all my bases covered in terms of best practices for deployment and security. This is what I’ve got so far:

  • Code is hosted in private repo on private gitea instance
    • build into a docker image
  • Separate repo for all deployment code using ansible
    • secrets are saved in a vault and templated to the host
  • Runs on dedicated host with dedicated ipv4
  • host has fail2ban installed and firewalled to only allow ports 80/443 and shh
  • ssh hardened
    • non-standard port
    • public key auth only
  • images are run on docker
    • non-root user
    • one network for app+db, another for app+reverse proxy
    • only mapped ports are 80/443 on reverse proxy container
  • using swag for reverse proxy (includes fail2ban and letsencrypt)
    • php disabled
  • backups
    • database dumped nightly
    • everything synced to backblaze (wip)

What else should I be doing? The one thing I know I don’t have is any monitoring. I’m going to set up some kind of healthcheck, but not sure if there’s anything easy to set up wrt log monitoring…

Thanks!