- Nginx configs with security headers (X-Frame-Options, CSP, etc.)
- fail2ban jails for nginx (botsearch, bad-request, forbidden)
- Kernel hardening via sysctl (rp_filter, no redirects, log martians)
- SSH hardening (no root, max 3 attempts, no X11)
- UFW rules export
- Idempotent setup.sh to restore all configs on fresh install
- Flask bound to 127.0.0.1 (nginx-only access)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
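The commit describes an idempotent setup.sh that restores hardening configs. The script below is an added illustration of that pattern and is not the repository's own setup.sh: a helper that installs a config file only when its content differs from what is already on disk, so re-running the script on a fresh or already-configured host is safe, applied here to the sysctl settings the commit names (rp_filter, no redirects, log martians). The `DEST_ROOT` variable, the file name `99-hardening.conf` and the `install_conf`/`apply_sysctl_conf` function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's setup.sh). Idempotent config installer:
# writes a file only when its content differs, reporting "updated" or
# "unchanged" so a restore run can be audited. DEST_ROOT is an assumed
# variable (empty means "/") so the helper can be exercised in a scratch dir.

install_conf() {
  # $1 = destination path relative to DEST_ROOT; desired content on stdin
  dest="${DEST_ROOT:-}/$1"
  tmp="$(mktemp)"
  cat > "$tmp"
  mkdir -p "$(dirname "$dest")"
  if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
    rm -f "$tmp"
    echo "unchanged $dest"
    return 0
  fi
  # Hardening files are root-owned, not world-writable: install with 0644
  install -m 0644 "$tmp" "$dest"
  rm -f "$tmp"
  echo "updated $dest"
}

# Kernel sysctl settings listed in the commit: reverse-path filtering,
# no ICMP redirects accepted or sent, log packets with impossible sources.
apply_sysctl_conf() {
  install_conf etc/sysctl.d/99-hardening.conf <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
}

# Entry point when run directly: install, then load the settings.
# Only reloads when something changed, which keeps repeated runs quiet.
if [ "${1:-}" = "--apply" ]; then
  if apply_sysctl_conf | grep -q '^updated '; then
    sysctl --system
  fi
fi
```

Running `sh setup-example.sh --apply` as root installs the file and reloads sysctl only on the first run; a second run prints `unchanged` and does nothing else. The same `install_conf` helper can carry the nginx, fail2ban and sshd fragments, each followed by the relevant service reload guarded the same way.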