documentation/07-security-model.md
jarvis fea42f892b Remove Mark5/Bones/Neo/Mark44 — G9 Swarm Cluster is the ONLY deployment target
All services reassigned to MK7 (Swarm Manager) or swarm-distributed.
Per Bobby: Mark5, Bones, Neo, Mark44 are NOT part of this homelab services stack.

Phase 1 infra (Traefik, DNS, AdGuard, Portainer, Prometheus, Beszel, Dozzle, Authelia, Homepage) → MK7
Phase 2 media (Jellyfin, Sonarr, Radarr, Prowlarr) → Swarm distributed
Phase 3 dashboards (Grafana, Homepage) → Swarm distributed

Also updates:
- Backup target: MK7 secondary storage (was Bones)
- Network/DNS/Security model: all refs to Bones/Neo/Mark5/Mark44 corrected
2026-05-25 18:24:22 -04:00


Iron Legion Homelab Services Stack — Security Model

Authentication Layers

| Layer | Service | Scope | Notes |
|---|---|---|---|
| Edge Auth | Authelia | Traefik-secured endpoints | MFA portal, session cookies |
| App Auth | Vaultwarden | Password vault | Master password + 2FA |
| App Auth | Portainer | Container mgmt | Built-in RBAC, can integrate LDAP |
| App Auth | Nextcloud | File collaboration | Built-in, can integrate Authelia OIDC |
| OS Auth | SSH keys | Node access | Tailscale SSH + local keypairs |

Authelia Deployment Notes

  • Target node: MK7 (lightweight, sits beside Traefik)
  • Redirection URL: Set Authelia redirection_url to the base domain of services needing auth.
  • Backend storage: Uses SQLite initially. If Bobby wants HA, migrate to PostgreSQL on MK7.
  • Notification method: File-based (writes to /opt/iron-legion/authelia/notifications/) until SMTP/Discord is configured.
  • Rule granularity: Per-service access_control rules in configuration.yml. Default: one_factor for internal services, two_factor for management interfaces (Portainer, Grafana admin).

Traefik ↔ Authelia Integration

```yaml
# Traefik middleware labels (example)
traefik.http.routers.portainer.middlewares: authelia@docker
traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.labs.internal
```

  • No nginx. ForwardAuth middleware talks directly to Authelia over the internal Docker network.
  • Bypass list: Prometheus scrape targets, Beszel agents, Technitium DNS queries — these are internal metrics/DNS, no auth required.
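The per-service rules from the deployment notes and the bypass list above, written out as an added `access_control` fragment for Authelia's configuration.yml (example, not the repo's own config). Only auth.labs.internal appears in the docs; the other hostnames, the `admins` group and the CIDR ranges are assumptions.

```yaml
# Added example: Authelia access_control section for configuration.yml.
# Rules are evaluated top to bottom and the first match wins, so the bypass
# and two_factor rules sit above the catch-all one_factor rule.
access_control:
  # Explicit deny for anything not matched below; the *.labs.internal rule at
  # the end gives the one_factor default the notes describe for internal services.
  default_policy: deny

  networks:
    - name: internal
      networks:
        - 172.16.0.0/12           # Docker bridge networks (assumption)
        - 100.64.0.0/10           # Tailscale CGNAT range (assumption)

  rules:
    # Bypass list from the Traefik notes: metrics/DNS endpoints with no user
    # session. Restricted to internal source networks so the bypass never
    # applies to a request arriving from anywhere else.
    - domain:
        - prometheus.labs.internal   # assumed hostname
        - beszel.labs.internal       # assumed hostname
        - dns.labs.internal          # assumed hostname (Technitium)
      policy: bypass
      networks:
        - internal

    # Management interface: MFA plus membership in an admins group (assumed).
    - domain: portainer.labs.internal   # assumed hostname
      policy: two_factor
      subject: "group:admins"

    # Grafana: only the admin paths require MFA; dashboards fall through
    # to the one_factor rule below.
    - domain: grafana.labs.internal     # assumed hostname
      resources:
        - "^/admin(/.*)?$"
        - "^/api/admin(/.*)?$"
      policy: two_factor
      subject: "group:admins"

    # Everything else on the internal domain: one_factor (the notes' default).
    - domain: "*.labs.internal"
      policy: one_factor
```

Because the bypass rules are scoped with `networks`, a scrape path reached from outside the listed ranges still falls through to the later rules instead of being waved through.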

Secret Handling

| Secret Type | Storage Method | Rotation Trigger |
|---|---|---|
| Authelia session secret | .env file, 64-byte random hex | On any Authelia config reload |
| Vaultwarden admin token | .env file, 48-byte random | Only on compromise |
| DB passwords (Nextcloud ↔ PostgreSQL) | .env files on both nodes | On any DB migration or rebuild |
| Tailscale auth keys | Vaultwarden secure note | On key expiry or node rebuild |
| API keys (indexers, Cloudflare) | Vaultwarden secure note | On key rotation by provider |

Network Segmentation

  • No VLANs. Tailscale ACLs handle segment isolation.
  • ACL policy (draft):
    • tag:admin nodes (Bobby, Artemis) → all ports on all nodes
    • tag:services (MK7) → only their assigned service ports, no cross-node SSH except via Tailscale SSH
    • tag:user (Bobby's phone, laptop) → HTTPS 443 on MK7 only, Jellyfin 8096 on MK7 directly
  • Default deny. Any traffic not explicitly allowed in Tailscale ACL is dropped.

Monitoring for Security Events

  • Dozzle provides real-time log viewing but is NOT a SIEM.
  • Promtail/Loki not yet in catalog. If Bobby wants log aggregation + alerting, add to Phase 3.
  • Beszel alerts on anomalous CPU/memory — use as coarse intrusion detection proxy.