SSH hardening (no root, no password) prevents pct exec and deploy
access on dev/staging servers. Moved to security skill as
production-only optional step. Kept: fail2ban, auto-updates, sysctl.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- proxmox-lxc: auto-harden on setup (SSH no-root/no-password,
fail2ban, unattended-upgrades, sysctl kernel hardening)
- security: now covers BOTH code AND infrastructure
- SSH config validation
- Firewall/open ports check
- Fail2Ban status
- Auto-updates verification
- File permissions audit
- Auto-fix for all server issues found
- workflow provision: security check after LXC setup AND after deploy
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>