Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
11d70c953105fbe55c6459bc0fd6aaa544d1b419
documentation/07-security-model.md
jarvis b7cc09cca2 fix(Chunk3): complete Pi-hole removal, update ACL policy 
- Replaced remaining Pi-hole references with AdGuard throughout master PRD
- Constraints, Service Catalog, Data Persistence, Open Questions, Appendix all updated
- ACL policy: fixed placeholder (MK7,MK7,MK7,MK7) to actual worker nodes
- Appendix skeleton: removed pihole/ directory, updated image count 16→15
- Outstanding Decisions: Pi-hole inclusion marked as resolved
2026-05-27 13:08:50 -04:00

49 lines
3.0 KiB
Markdown
Raw Blame History

# Iron Legion Homelab Services Stack — Security Model
## Authentication Layers
| Layer | Service | Scope | Notes |
|-------|---------|-------|-------|
| **Edge Auth** | Authelia | Traefik-secured endpoints | MFA portal, session cookies |
| **App Auth** | Vaultwarden | Password vault | Master password + 2FA |
| **App Auth** | Portainer | Container mgmt | Built-in RBAC, can integrate LDAP |
| **App Auth** | Nextcloud | File collaboration | Built-in, can integrate Authelia OIDC |
| **OS Auth** | SSH keys | Node access | Tailscale SSH + local keypairs |
## Authelia Deployment Notes
- **Target node:** MK7 (lightweight, sits beside Traefik)
- **Redirection URL:** Set Authelia `redirection_url` to the base domain of services needing auth.
- **Backend storage:** Uses SQLite initially. If Bobby wants HA, migrate to PostgreSQL on MK7.
- **Notification method:** File-based (writes to `/opt/iron-legion/authelia/notifications/`) until SMTP/Discord is configured.
- **Rule granularity:** Per-service `access_control` rules in `configuration.yml`. Default: `one_factor` for internal services, `two_factor` for management interfaces (Portainer, Grafana admin).
## Traefik ↔ Authelia Integration
```yaml
# Traefik middleware label (example)
traefik.http.routers.portainer.middlewares: authelia@docker
traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.labs.internal
```
- **No nginx.** ForwardAuth middleware talks directly to Authelia over internal Docker network.
- **Bypass list:** Prometheus scrape targets, Beszel agents, Technitium DNS queries — these are internal metrics/DNS, no auth required.
## Secret Handling
| Secret Type | Storage Method | Rotation Trigger |
|-------------|----------------|------------------|
| Authelia session secret | `.env` file, 64-byte random hex | On any Authelia config reload |
| Vaultwarden admin token | `.env` file, 48-byte random | Only on compromise |
| DB passwords (Nextcloud ↔ PostgreSQL) | `.env` files on both nodes | On any DB migration or rebuild |
| Tailscale auth keys | Vaultwarden secure note | On key expiry or node rebuild |
| API keys (indexers, Cloudflare) | Vaultwarden secure note | On key rotation by provider |
## Network Segmentation
- **No VLANs.** Tailscale ACLs handle segment isolation.
- **ACL policy (draft):**
- `tag:admin` nodes (Bobby, Artemis) → all ports on all nodes
- `tag:services` (MK7 manager + MK33, MK34, MK39, MK42 workers) → only their assigned service ports, no cross-node SSH except via Tailscale SSH
- `tag:user` (Bobby's phone, laptop) → HTTPS 443 on MK7 only, Jellyfin 8096 on MK7 directly
- **Default deny.** Any traffic not explicitly allowed in Tailscale ACL is dropped.
## Monitoring for Security Events
- **Dozzle** provides real-time log viewing but is NOT a SIEM.
- **Promtail/Loki** not yet in catalog. If Bobby wants log aggregation + alerting, add to Phase 3.
- **Beszel** alerts on anomalous CPU/memory — use as coarse intrusion detection proxy.
Reference in New Issue View Git Blame Copy Permalink