Add canary tokens to detect infrastructure compromise #203

@cwage

Description

Plant Canarytokens (or self-hosted equivalent) across managed hosts as tripwires for intrusion detection.

Background

Canarytokens are honeytokens that "phone home" when an attacker interacts with them. AWS key tokens are the strongest type — they're real IAM credentials (with no permissions) in a Thinkst-controlled account, so they're completely opaque to attackers. Any usage attempt triggers a CloudTrail alert.

For DNS/URL-based tokens, self-hosting with a custom domain avoids the obvious canarytokens.com fingerprint.

High-value placement targets

  • Local .env files — fake AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY alongside real Proxmox/Bao creds
  • OpenBao host (10.10.15.11) — fake tokens in backup scripts, home directories. Crown jewel of the infra.
  • Containers host (10.10.15.12) — /opt/backup/.env, fake AWS keys blend in naturally
  • Gaming server (45.56.118.89) — profile home directories. Public-facing, most likely to get popped.
  • User home ~/.ssh/ directories on managed hosts — fake aws-credentials files
  • Workstation .env files in this repo

Implementation

  • Generate AWS key tokens from canarytokens.org (or self-hosted)
  • Consider self-hosting with custom domain for DNS-based tokens
  • Distribute via a small Ansible role to managed hosts
  • Document which tokens are planted where (in OpenBao or a private doc, NOT in the repo)
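A sketch of the small Ansible role from the list above, added here as an example (it is not code from this repository). It assumes a `managed` host group and an ansible-vault encrypted file that carries both the token values and the placement list, so neither the decoy locations nor the fake keys sit in the repo in clear.

```yaml
# Added example, not the repository's own role. Assumed: a "managed" host
# group and an ansible-vault encrypted file that defines
#   canary_aws_access_key_id / canary_aws_secret_access_key   (token values)
#   canary_placements: [{path, owner, group, format: env|ini}, ...]
# so neither the token values nor the decoy locations sit in the repo in clear.
- name: Plant AWS key canarytokens on managed hosts
  hosts: managed
  become: true
  vars_files:
    - vars/canary_tokens.vault.yml    # hypothetical path
  vars:
    # Jinja in vars is rendered lazily, so vaulted values are substituted at task time.
    canary_env_body: |
      AWS_ACCESS_KEY_ID={{ canary_aws_access_key_id }}
      AWS_SECRET_ACCESS_KEY={{ canary_aws_secret_access_key }}
      AWS_DEFAULT_REGION=us-east-1
    canary_ini_body: |
      [default]
      aws_access_key_id = {{ canary_aws_access_key_id }}
      aws_secret_access_key = {{ canary_aws_secret_access_key }}
  tasks:
    - name: Check whether anything already exists at each placement path
      ansible.builtin.stat:
        path: "{{ item.path }}"
      loop: "{{ canary_placements }}"
      loop_control:
        label: "{{ item.path }}"
      register: canary_stat

    # Never clobber a real credential file that happens to live at a decoy path.
    - name: Write decoy credential files where the path is free
      ansible.builtin.copy:
        dest: "{{ item.item.path }}"
        owner: "{{ item.item.owner }}"
        group: "{{ item.item.group }}"
        mode: "0600"
        content: "{{ (item.item.format == 'env') | ternary(canary_env_body, canary_ini_body) }}"
      loop: "{{ canary_stat.results }}"
      when: not item.stat.exists
      no_log: true    # keep token values out of play output and CI logs
```

Keying `canary_placements` per host in `host_vars` gives each machine only its own decoys, and the vault file doubles as the private record of which token is planted where.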
