i need therapy

README.md

@@ -122,6 +122,83 @@ The ip will be outputted after the creation of the virtual machine.
 
 If for any reason you delete either the public or the private key they will both be regenerated and you should probably delete the virtual machines that use it or find another way to log in and manually put the secdep.pub key to the authorized_keys file of the secdep user.
 
+# Hardening 🛡️
+
+By using the `--deploy` flag, apart from the vps creation, you will also get a more secure than default virtual machine.
+
+The extra security measures are:
+
+1. SSH hardening
+
+We configure sshd with better security measures among which are:
+1. Disabling root login
+2. Disabling password authentication
+3. Allowing only public key authentication
+4. Changing the default port
+
+2. Firewall installation and configuration
+
+We install and configure a firewall (UFW or firewalld) to block all incoming traffic except for the ports we need.
+
+3. Fail2ban installation and configuration
+
+We install and configure fail2ban to block ip addresses that have too many failed login attempts.
+
+4. Kernel Security Module installation (AppArmor or SELinux)
+
+We install and setup a kernel security module (AppArmor or SELinux) on enforcing mode to confine the processes.
+
+5. Docker Rootless installation
+
+We install docker rootless to run docker as a non-root user and avoid the security risks that come with running docker as root.
+
+6. gVisor installation and integration with Docker Rootless
+
+We install gVisor to add an extra layer of security to docker containers by running them in a more sandboxed environment.
+
+7. CronJob to update the system periodically
+
+We create a cronjob to update the system periodically to avoid security vulnerabilities that might come with outdated packages, with a script that works on all supported distros.
+
+8. CronJob to allow or disallow docker ports
+
+We create a cronjob to allow or disallow docker ports periodically to avoid security vulnerabilities that might come with having ports open that we forgot to close and no longer need.
+
+9. Watchtower deployment
+
+When using the `--deploy` flag, we also deploy watchtower to automatically update our docker containers to avoid security vulnerabilities that might come with outdated containers.
+For more information about watchtower check [here](https://containrrr.dev/watchtower/)
+
+# Docker deployment 🐳
+
+The `--deploy` flag also allows you to pull containers that you may need by name like so:
+
+`--deploy <container_name1> <container_name2> ...`
+
+A full example using aws would be:
+
+`python3 secdep.py -P aws -c -n test-node -s t3.micro -i ami-08869bacfa1188ec9 --yes --deploy traefik owncast/owncast:latest`
+
+## Docker compose 🐙
+
+By having a `docker-compose.yml` file in the same directory as the script, you can deploy it by using the `--deploy` flag like so:
+
+`--docker_compose` flag alongside the `--deploy` flag.
+
+A full example using aws would be:
+
+`python3 secdep.py -P aws -c -n test-node -s t3.micro -i ami-08869bacfa1188ec9 --yes --docker_compose --deploy nginx`
+
+Note: The needed ports will be automatically allowed by the firewall but you should change any volume mappings to directories owned by your user (secdep) and not by root
+
+## Portainer
+
+By default, with the use of the `--deploy` flag, portainer will be deployed as well to help you manage your containers in a more user friendly way.
+
+You can access it by going to `https://<ip>:9443` after which you will be able to make a user and login. If that doesn't happen within 5 minutes, it stops for security reasons and must be restarted either manually or by rebooting the virtual machine.
+
+You can read more about portainer [here](https://www.portainer.io/).
+
 # Tips and tricks 🤩
 
 For some tips and tricks to make your life easier check [this](assets/pages/tips_tricks/tips_n_tricks.md) out.