6 Security Tools · Zero Trust

Your infrastructure watches itself

Six Python tools that handle passwords, secrets, certificates, incidents, identity, and SIEM — running on your own hardware.

6 Security Tools · 5 Nodes Monitored · 0 External Dependencies · UFW Firewall Active

Threat Feed
Real incidents, real fixes

Obfuscated cron dropper on Cecilia
exec from /tmp/op.py — removed, source traced
BR-SEC-001 · resolved

Leaked GitHub PAT on Lucidia
gho_Gfu* token in blackroad-git-worker.service — removed from service file
BR-SEC-002 · mitigated

xmrig crypto miner reference on Lucidia
xmrig.service unit file was configured — unit gone, process terminated
BR-SEC-003 · resolved

50+ SSH keys on Alice and Octavia
pi@Alice=53 keys, pi@Octavia=52 keys — audit pending
BR-SEC-004 · open

PUSH_SECRET in plaintext crontabs
Moved to /opt/blackroad/stats-push.env (chmod 600) on all nodes
BR-SEC-005 · resolved

Cecilia node unreachable
SSH timed out — node down or network issue. Hailo-8 + CECE API + TTS + 16 Ollama models offline
BR-SEC-006 · active

Tools
Six security tools, all Python
Every tool runs locally. No SaaS, no cloud APIs, no third-party access to your secrets.
Password Manager
PBKDF2 key derivation with Fernet symmetric encryption. Vault CRUD operations, master password authentication, encrypted storage at rest.
password_manager.py
SIEM Engine
Real-time log ingestion from all 5 nodes. Correlation engine matches patterns across sources. Custom alert rules with severity classification.
siem.py
Certificate Manager
X.509 certificate lifecycle management. Automated renewal with ACME integration. Tracks expiry dates across all domains and nodes.
cert_manager.py
Incident Response
Incident tracking with severity classification. Runbook automation for common scenarios. Timeline reconstruction from audit logs.
incident_response.py
Secret Scanner
Regex and entropy-based scanning for leaked secrets across all repos. Catches API keys, tokens, passwords, and private keys before they ship.
secret_scanner.py
Identity Provider
OAuth2 and OpenID Connect provider. JWT token issuance, role-based access control, user management. Your own auth server.
identity_provider.py
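
How regex plus entropy scanning, as described for the Secret Scanner, would flag the two leaks listed in the Threat Feed (BR-SEC-002 and BR-SEC-005). This is an added example, not the project's secret_scanner.py; the file contents, token and secret values, rule names, and the 3.5-bit threshold are constructed assumptions.

```python
import math
import re
from collections import Counter

# Regex rules for secrets with a recognisable shape.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}
# NAME=value where the variable name suggests a credential.
ASSIGNMENT = re.compile(
    r"\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)[A-Z0-9_]*)"
    r"\s*=\s*['\"]?([^\s'\"]+)"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed cut-off, tune per repo)
MIN_LENGTH = 16          # shorter values are too noisy to score

def shannon_entropy(value):
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())

def scan_text(path, text):
    """Return (path, line number, rule) for every suspected secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = [rule for rule, rx in PATTERNS.items() if rx.search(line)]
        findings += [(path, lineno, rule) for rule in matched]
        m = ASSIGNMENT.search(line)
        if m and not matched:  # entropy is the fallback for unknown formats
            name, value = m.groups()
            if len(value) >= MIN_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, lineno, "high_entropy:" + name))
    return findings

# Constructed sample files; the token and secret values are made up.
FAKE_TOKEN = "gho_" + "A1b2C3d4E5f6" * 3
SAMPLES = {
    "blackroad-git-worker.service":
        "[Service]\nEnvironment=GITHUB_TOKEN=" + FAKE_TOKEN + "\n",
    "crontab":
        "*/5 * * * * PUSH_SECRET=9fK2xQ7mZp4LwT8vRb3N /opt/push.sh\n"
        "*/5 * * * * . /opt/blackroad/stats-push.env; /opt/push.sh\n",
    "example.env": "API_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxx\n",  # placeholder, low entropy
}

def scan_samples():
    return [f for path, text in SAMPLES.items() for f in scan_text(path, text)]

if __name__ == "__main__":
    print(*scan_samples(), sep="\n")
```

The crontab line that sources stats-push.env and the low-entropy placeholder produce no finding; only the inline token and the inline PUSH_SECRET value are reported.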
Audit Log

Fleet Security Events

last 24h · 5 nodes
2026-03-09 03:00 · Cecilia obfuscated cron removed — dropper /tmp/op.py deleted
2026-03-09 02:45 · PUSH_SECRET migrated to stats-push.env on Cecilia, Octavia, Lucidia
2026-03-09 02:30 · Cecilia github-relay.sh credentials moved to ~/.github-relay.env
2026-03-09 02:15 · Lucidia 16 skeleton microservices disabled — ~800MB RAM freed
2026-03-09 01:00 · Cecilia rpi-connect-wayvnc crash loop fixed — system + user service masked

Encryption
What protects the fleet
Vault Encryption: Fernet (AES-128-CBC + HMAC-SHA256) · password_manager.py
Key Derivation: PBKDF2 with 100,000 iterations · NIST SP 800-132
Network Mesh: WireGuard (ChaCha20-Poly1305) · 10.8.0.x subnet
SSH Keys: Ed25519 across all 5 nodes · openssh
TLS Termination: Cloudflare Edge (18 tunnels, 48+ domains) · cloudflared

Fleet Security
Node security posture
Lucidia — UFW active (INPUT DROP)
All nodes — WireGuard encrypted mesh
Cecilia — NOPASSWD sudo (blackroad)
Alice — NOPASSWD sudo (alice, pi)
Octavia — NOPASSWD sudo (pi only)
18 Cloudflare tunnels — TLS everywhere