documentation/07-security-model.md
jarvis b7cc09cca2 fix(Chunk3): complete Pi-hole removal, update ACL policy
- Replaced remaining Pi-hole references with AdGuard throughout master PRD
- Constraints, Service Catalog, Data Persistence, Open Questions, Appendix all updated
- ACL policy: fixed placeholder (MK7,MK7,MK7,MK7) to actual worker nodes
- Appendix skeleton: removed pihole/ directory, updated image count 16→15
- Outstanding Decisions: Pi-hole inclusion marked as resolved
2026-05-27 13:08:50 -04:00


Iron Legion Homelab Services Stack — Security Model

Authentication Layers

| Layer | Service | Scope | Notes |
|---|---|---|---|
| Edge Auth | Authelia | Traefik-secured endpoints | MFA portal, session cookies |
| App Auth | Vaultwarden | Password vault | Master password + 2FA |
| App Auth | Portainer | Container mgmt | Built-in RBAC, can integrate LDAP |
| App Auth | Nextcloud | File collaboration | Built-in, can integrate Authelia OIDC |
| OS Auth | SSH keys | Node access | Tailscale SSH + local keypairs |

Authelia Deployment Notes

  • Target node: MK7 (lightweight, sits beside Traefik)
  • Redirection URL: Set Authelia redirection_url to the base domain of services needing auth.
  • Backend storage: Uses SQLite initially. If Bobby wants HA, migrate to PostgreSQL on MK7.
  • Notification method: File-based (writes to /opt/iron-legion/authelia/notifications/) until SMTP/Discord is configured.
  • Rule granularity: Per-service access_control rules in configuration.yml. Default: one_factor for internal services, two_factor for management interfaces (Portainer, Grafana admin).

Traefik ↔ Authelia Integration

```yaml
# Traefik middleware labels (example, docker-compose label syntax)
traefik.http.routers.portainer.middlewares: authelia@docker
traefik.http.middlewares.authelia.forwardauth.address: http://authelia:9091/api/verify?rd=https://auth.labs.internal
```
  • No nginx. ForwardAuth middleware talks directly to Authelia over internal Docker network.
  • Bypass list: Prometheus scrape targets, Beszel agents, Technitium DNS queries — these are internal metrics/DNS, no auth required.

Secret Handling

| Secret Type | Storage Method | Rotation Trigger |
|---|---|---|
| Authelia session secret | .env file, 64-byte random hex | On any Authelia config reload |
| Vaultwarden admin token | .env file, 48-byte random | Only on compromise |
| DB passwords (Nextcloud ↔ PostgreSQL) | .env files on both nodes | On any DB migration or rebuild |
| Tailscale auth keys | Vaultwarden secure note | On key expiry or node rebuild |
| API keys (indexers, Cloudflare) | Vaultwarden secure note | On key rotation by provider |

Network Segmentation

  • No VLANs. Tailscale ACLs handle segment isolation.
  • ACL policy (draft):
    • tag:admin nodes (Bobby, Artemis) → all ports on all nodes
    • tag:services (MK7 manager + MK33, MK34, MK39, MK42 workers) → only their assigned service ports, no cross-node SSH except via Tailscale SSH
    • tag:user (Bobby's phone, laptop) → HTTPS 443 on MK7 only, Jellyfin 8096 on MK7 directly
  • Default deny. Any traffic not explicitly allowed in Tailscale ACL is dropped.
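The draft ACL above written out as a Tailscale policy file (HuJSON, so comments are allowed). This is an added example, not a file from the Iron Legion repository: the tailnet IPs in `hosts` and the `tag:services` port list are placeholder assumptions to be replaced with the real values, and the `tests` section is the check that turns "default deny" from an intention into a property Tailscale verifies every time the policy is saved.

```json
{
  // Tag ownership: only admins may apply tags to nodes.
  "tagOwners": {
    "tag:admin":    ["autogroup:admin"],
    "tag:services": ["tag:admin"],
    "tag:user":     ["tag:admin"]
  },
  // Host aliases. IPs are placeholders; use each node's tailnet address.
  "hosts": {
    "MK7":  "100.64.0.7",
    "MK33": "100.64.0.33",
    "MK34": "100.64.0.34",
    "MK39": "100.64.0.39",
    "MK42": "100.64.0.42"
  },
  "acls": [
    // tag:admin nodes (Bobby, Artemis): all ports on all nodes.
    {"action": "accept", "src": ["tag:admin"], "dst": ["*:*"]},
    // tag:user devices: HTTPS on MK7 and Jellyfin on MK7 only.
    {"action": "accept", "src": ["tag:user"], "dst": ["MK7:443", "MK7:8096"]},
    // tag:services (MK7 manager + workers): only assigned service ports.
    // PORT_LIST is a placeholder for the catalog's actual ports, e.g. "8080,9090".
    // Port 22 is deliberately absent: no cross-node SSH except Tailscale SSH.
    {"action": "accept", "src": ["tag:services"], "dst": ["tag:services:PORT_LIST"]}
  ],
  // Tailscale SSH: admins may reach service nodes; no other source can.
  "ssh": [
    {"action": "accept", "src": ["tag:admin"], "dst": ["tag:services"],
     "users": ["autogroup:nonroot", "root"]}
  ],
  // Policy tests: saving the policy fails if any assertion does not hold,
  // so a later edit cannot silently widen what tag:user or tag:services reach.
  "tests": [
    {"src": "tag:user",
     "accept": ["MK7:443", "MK7:8096"],
     "deny":   ["MK7:22", "MK33:443", "MK33:8096", "MK42:22"]},
    {"src": "tag:services", "deny": ["MK7:22", "MK33:22", "MK39:22"]},
    {"src": "tag:admin", "accept": ["MK7:22", "MK42:8096"]}
  ]
}
```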

Monitoring for Security Events

  • Dozzle provides real-time log viewing but is NOT a SIEM.
  • Promtail/Loki not yet in catalog. If Bobby wants log aggregation + alerting, add to Phase 3.
  • Beszel alerts on anomalous CPU/memory — use as coarse intrusion detection proxy.