fix(Chunk3): complete Pi-hole removal, update ACL policy

- Replaced remaining Pi-hole references with AdGuard throughout master PRD
- Constraints, Service Catalog, Data Persistence, Open Questions, Appendix all updated
- ACL policy: fixed placeholder (MK7,MK7,MK7,MK7) to actual worker nodes
- Appendix skeleton: removed pihole/ directory, updated image count 16→15
- Outstanding Decisions: Pi-hole inclusion marked as resolved
2026-05-27 13:08:50 -04:00
parent fae739f3fa
commit b7cc09cca2
3 changed files with 10 additions and 11 deletions


@@ -38,7 +38,7 @@ traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/
- **No VLANs.** Tailscale ACLs handle segment isolation.
- **ACL policy (draft):**
- `tag:admin` nodes (Bobby, Artemis) → all ports on all nodes
- `tag:services` (MK7, MK7, MK7, MK7) → only their assigned service ports, no cross-node SSH except via Tailscale SSH
- `tag:services` (MK7 manager + MK33, MK34, MK39, MK42 workers) → only their assigned service ports, no cross-node SSH except via Tailscale SSH
- `tag:user` (Bobby's phone, laptop) → HTTPS 443 on MK7 only, Jellyfin 8096 on MK7 directly
- **Default deny.** Any traffic not explicitly allowed in Tailscale ACL is dropped.
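
Review bot: On the `tag:services` line, five nodes (MK7 manager plus MK33, MK34, MK39, MK42) now share a single tag, yet the rule still reads "only their assigned service ports" and the draft never states which ports belong to which node. A rule written against the shared tag would open the same port set on all five hosts, so either list the ports per node in this bullet or split the tag (for example one tag for the manager and one for the workers) so the policy can be written as described. The same line's "except via Tailscale SSH" also leaves open which source tags may SSH into these nodes; naming them (presumably `tag:admin`, which is an assumption from the line above) would make the "Default deny" bullet checkable against the final policy file.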