Security Audit

• Are secrets managed with SOPS + age or Podman secrets? (plain .env on disk is a flag)
• .env files committed to git?
• API tokens scoped to least privilege?

Infrastructure

• UFW rules — are unnecessary ports open? (only 80, 443 for web; SSH goes through Tailscale)
• Tailscale ACLs — is inter-node traffic restricted? (default deny)
• SSH config — password auth disabled? Root login disabled? Tailscale-only?
• Caddy security headers set? (HSTS, CSP, X-Content-Type-Options, COOP/CORP/COEP, no X-XSS-Protection)

Containers (Podman/Quadlets)

• Running rootless?
• UserNS=keep-id set?
• NoNewPrivileges=true and DropCapability=ALL?
• ReadOnly=true where possible?
• Base images minimal? (slim/distroless, not full OS)
• Image scanning with Trivy?

Output format

List findings as: [CRITICAL / HIGH / MEDIUM / LOW] — description — suggested fix