CentOS infra security guidelines

We want to enforce the following security points on Every deployed node:

• iptables rules (even if hosted in a DC behind a hardware firewall and so not using public IP)
• selinux turned on (enforcing and not permissive or even worse : disabled)
• TLS communication between infra components (if possible, or through similar method)
• consuming only GPG signed RPM pkgs from our own infra cbs/koji tags (so signed with our key)

Optional (depending on the criticality level, if storing sensitive information on disk):

• luks to encrypt the filesystem on disk (with luks passphrase itself crypted in git repo for inventory)