Diffstat (limited to 'assets/security-and-hardening-recommendations.txt')
| -rw-r--r-- | assets/security-and-hardening-recommendations.txt | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/assets/security-and-hardening-recommendations.txt b/assets/security-and-hardening-recommendations.txt deleted file mode 100644 index 22a0c53..0000000 --- a/assets/security-and-hardening-recommendations.txt +++ /dev/null 
@@ -1,119 +0,0 @@ -# Security and Hardening Recommendations for archsetup - -These recommendations come from the install-archzfs base install. -The base system is minimal - archsetup should handle hardening. - -## SSH Hardening (Priority: High) - -If SSH was enabled during install (for headless servers), it uses password auth. -archsetup should: - -1. Install and configure fail2ban - - pacman -S fail2ban - - Enable sshd jail - - Configure ban times (suggested: 10m first offense, escalating) - - Consider integration with firewalld/nftables - -2. Switch to key-based authentication - - Prompt user for SSH public key or generate keypair - - Disable password authentication in /etc/ssh/sshd_config: - PasswordAuthentication no - PermitRootLogin prohibit-password (or 'no' for desktop) - -3. Consider changing default SSH port (optional, security through obscurity) - -## Firewall (Priority: High) - -Base install has no firewall configured. Options: - -1. firewalld (recommended for most users) - - pacman -S firewalld - - systemctl enable --now firewalld - - Default zone should block incoming except SSH - -2. nftables (for advanced users) - - Already installed as iptables backend - - Needs manual configuration - -3. ufw (simpler alternative) - - pacman -S ufw - - Good for users coming from Ubuntu - -## ZFS-Specific Recommendations - -1. Sanoid/Syncoid for automated snapshots - - pacman -S sanoid - - Configure /etc/sanoid/sanoid.conf for automatic snapshot retention - - Suggested policy: hourly for 24h, daily for 7d, monthly for 12m - -2. ZFS scrub timer - - systemctl enable zfs-scrub-weekly.timer - - Or create monthly timer for large pools - -3. ZED (ZFS Event Daemon) email alerts - - Configure /etc/zfs/zed.d/zed.rc - - Set ZED_EMAIL_ADDR for pool health notifications - -4. Consider zfs-auto-snapshot as alternative to sanoid - -## User Account Setup - -Base install only has root. archsetup should: - -1. Create primary user account with sudo access -2. 
Lock root account for direct login (sudo only) -3. Configure sudo timeout and logging - -## Package Manager Hardening - -1. Enable pacman hooks for security - - Verify package signatures (already default) - -2. Consider enabling reflector timer - - Keeps mirrorlist updated with fastest/most recent mirrors - -3. Install pacman-contrib for paccache - - Configure paccache.timer to clean old package cache - -## Automatic Updates (Optional) - -For servers that need unattended security updates: -- Consider pacman-auto-update or similar -- ZFS pre-pacman snapshots (already in install-archzfs) make this safer - -## AppArmor/SELinux (Optional, Advanced) - -For high-security environments: -- AppArmor is easier: pacman -S apparmor -- Requires kernel parameter: lsm=apparmor - -## Misc Recommendations - -1. Install and enable systemd-timesyncd or chrony for NTP - -2. Configure journald retention - - /etc/systemd/journald.conf - - SystemMaxUse=500M (or appropriate for system) - -3. Disable core dumps for security (optional) - - /etc/security/limits.conf: * hard core 0 - -4. Install lynis for security auditing - - pacman -S lynis - - Run: lynis audit system - -## Desktop-Specific (if applicable) - -1. Consider firejail for sandboxing applications -2. Install a password manager (pass, keepassxc) -3. Configure automatic screen lock - -## Server-Specific (if applicable) - -1. Install and configure logwatch or logrotate -2. Consider setting up centralized logging -3. Install monitoring (prometheus node_exporter, netdata, etc.) - ---- -Generated by install-archzfs build system -These are recommendations - implement based on your security requirements. |
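Review bot: The hunk `@@ -1,119 +0,0 @@` deletes the whole file and the diff adds nothing in its place, so the base-install facts it records are no longer documented anywhere in this change: under "SSH Hardening" that SSH uses password auth when enabled during install, under "Firewall" that the base install has no firewall configured, and under "User Account Setup" that only root exists. If the file is being dropped because archsetup now implements these items, reference that in the commit message or link to where they are tracked. Otherwise, keep at least the two "Priority: High" sections, since they describe the exposed state a headless server is left in after the base install. If the content moves elsewhere, the SSH section should also state that the key is installed before `PasswordAuthentication no` is applied, because with only a root account present the order of those two steps determines whether remote access survives.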
