Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized mirror from private repository - 2026-04-19 08:44:05 UTC
Some checks failed
Documentation / Build Docusaurus (push) Has been cancelled
Details
Documentation / Deploy to GitHub Pages (push) Has been cancelled
Details

Browse Source
This commit is contained in:
Gitea Mirror Bot
2026-04-19 08:44:05 +00:00
commit bd12218c79
1439 changed files with 363180 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

203
docs/security/SECURITY_GUIDELINES.md Normal file
View File

@@ -0,0 +1,203 @@
# 🔐 Security Guidelines
*Comprehensive security guidelines for homelab infrastructure*
## Overview
Security best practices and guidelines for maintaining a secure homelab environment while balancing usability and functionality.
## Network Security
### Network Segmentation
- **VLAN isolation**: Separate networks for different service tiers
- **DMZ configuration**: Isolated zone for public-facing services
- **Management network**: Dedicated network for administration
- **IoT isolation**: Separate network for IoT devices
### Firewall Configuration
- **Default deny**: Block all traffic by default
- **Explicit allow**: Only permit required traffic
- **Geo-blocking**: Block traffic from suspicious countries
- **Rate limiting**: Prevent brute force attacks
### VPN Security
- **WireGuard**: Modern, secure VPN protocol
- **Tailscale**: Zero-trust mesh networking
- **Certificate-based auth**: Strong authentication methods
- **Regular key rotation**: Periodic key updates
## Access Control
### Authentication
- **Multi-factor authentication**: Required for all admin access
- **Strong passwords**: Minimum complexity requirements
- **Password managers**: Centralized password management
- **Biometric authentication**: Where supported
### Authorization
- **Principle of least privilege**: Minimal required permissions
- **Role-based access**: Defined user roles and permissions
- **Regular access reviews**: Periodic permission audits
- **Automated deprovisioning**: Remove unused accounts
### Single Sign-On (SSO)
- **Authentik integration**: Centralized authentication
- **SAML/OIDC**: Standard authentication protocols
- **Session management**: Secure session handling
- **Audit logging**: Track authentication events
## Container Security
### Image Security
- **Trusted registries**: Use official/verified images
- **Image scanning**: Vulnerability assessment
- **Minimal base images**: Reduce attack surface
- **Regular updates**: Keep images current
### Runtime Security
- **Non-root containers**: Run as unprivileged users
- **Resource limits**: Prevent resource exhaustion
- **Network policies**: Restrict container networking
- **Security contexts**: Apply security constraints
### Secrets Management
- **Docker secrets**: Secure secret distribution
- **Environment variables**: Avoid secrets in env vars
- **External secret stores**: HashiCorp Vault integration
- **Secret rotation**: Regular secret updates
## Data Protection
### Encryption
- **Data at rest**: Encrypt stored data
- **Data in transit**: TLS/SSL for all communications
- **Database encryption**: Encrypt sensitive databases
- **Backup encryption**: Encrypt all backups
### Backup Security
- **3-2-1 rule**: 3 copies, 2 different media, 1 offsite
- **Immutable backups**: Prevent backup tampering
- **Backup testing**: Regular restore testing
- **Access controls**: Restrict backup access
### Data Classification
- **Public data**: No special protection required
- **Internal data**: Standard protection measures
- **Confidential data**: Enhanced protection required
- **Restricted data**: Maximum protection measures
## System Hardening
### Operating System
- **Minimal installation**: Remove unnecessary packages
- **Security updates**: Automated security patching
- **Service hardening**: Secure service configurations
- **Audit logging**: Comprehensive system logging
### SSH Security
- **Key-based authentication**: Disable password auth
- **Non-standard ports**: Change default SSH port
- **Fail2ban**: Automated intrusion prevention
- **SSH hardening**: Secure SSH configuration
### Web Services
- **HTTPS only**: Force encrypted connections
- **Security headers**: Implement security headers
- **Input validation**: Sanitize all user input
- **Rate limiting**: Prevent abuse
## Monitoring & Incident Response
### Security Monitoring
- **Log aggregation**: Centralized log collection
- **SIEM integration**: Security information management
- **Anomaly detection**: Identify unusual activity
- **Real-time alerts**: Immediate threat notification
### Vulnerability Management
- **Regular scanning**: Automated vulnerability scans
- **Patch management**: Timely security updates
- **Risk assessment**: Prioritize vulnerabilities
- **Remediation tracking**: Track fix implementation
### Incident Response
- **Response plan**: Documented incident procedures
- **Communication plan**: Stakeholder notification
- **Evidence preservation**: Forensic data collection
- **Post-incident review**: Learn from incidents
## Compliance & Governance
### Security Policies
- **Acceptable use**: Define acceptable system use
- **Data handling**: Data protection procedures
- **Access management**: User access procedures
- **Change management**: Secure change processes
### Documentation
- **Security procedures**: Document all procedures
- **Configuration baselines**: Standard configurations
- **Risk assessments**: Regular risk evaluations
- **Audit trails**: Maintain audit records
### Training & Awareness
- **Security training**: Regular security education
- **Phishing awareness**: Social engineering protection
- **Best practices**: Promote security best practices
- **Incident reporting**: Encourage incident reporting
## Physical Security
### Hardware Protection
- **Secure locations**: Physical access controls
- **Environmental controls**: Temperature, humidity
- **Power protection**: UPS, surge protection
- **Asset tracking**: Hardware inventory management
### Data Center Security
- **Access controls**: Restricted physical access
- **Surveillance**: Security cameras, monitoring
- **Environmental monitoring**: Temperature, humidity
- **Fire suppression**: Fire detection and suppression
## Cloud Security
### Cloud Services
- **Shared responsibility**: Understand security models
- **Identity management**: Cloud identity integration
- **Data sovereignty**: Data location requirements
- **Vendor assessment**: Evaluate cloud providers
### Hybrid Security
- **Consistent policies**: Uniform security across environments
- **Secure connectivity**: Encrypted cloud connections
- **Data classification**: Consistent data handling
- **Monitoring integration**: Unified security monitoring
## Regular Security Tasks
### Daily Tasks
- **Monitor alerts**: Review security alerts
- **Check logs**: Review critical system logs
- **Verify backups**: Ensure backup completion
- **Update awareness**: Stay informed on threats
### Weekly Tasks
- **Vulnerability scans**: Run security scans
- **Access reviews**: Review user access
- **Patch assessment**: Evaluate available patches
- **Incident review**: Review security incidents
### Monthly Tasks
- **Security metrics**: Generate security reports
- **Policy reviews**: Review security policies
- **Training updates**: Update security training
- **Vendor assessments**: Review vendor security
### Quarterly Tasks
- **Risk assessments**: Comprehensive risk evaluation
- **Penetration testing**: Security testing
- **Disaster recovery**: Test recovery procedures
- **Security audits**: Internal security audits
---
**Status**: ✅ Security guidelines implemented across all homelab systems

112
docs/security/SECURITY_HARDENING_SUMMARY.md Normal file
View File

@@ -0,0 +1,112 @@
# Security Hardening Summary - seattle-vm
## Overview
Comprehensive security hardening completed for seattle-vm (Contabo VPS) running multiple web services while preserving Tailscale and direct IP access.
## Services Identified
- **Nginx**: Reverse proxy for web services
- **Obsidian**: Note-taking application (obs.vish.gg) - Public
- **Wallabag**: Read-later service (wb.vish.gg) - Public
- **PufferPanel**: Game server management (pp.vish.gg) - Restricted to Tailscale
- **MinIO**: Object storage - Restricted to Tailscale
- **Revolt**: Chat services - Restricted to Tailscale
- **Nextcloud**: File sharing - Restricted to Tailscale
## Security Measures Implemented
### 1. Firewall Configuration (UFW)
- **Status**: Active and properly configured
- **Public Access**: Only ports 22 (SSH), 80 (HTTP), 443 (HTTPS)
- **Tailscale Restricted**: Sensitive services (PufferPanel, MinIO, Revolt) restricted to 100.64.0.0/10
- **SSH**: Configured for key-based authentication only
### 2. Intrusion Prevention (fail2ban)
- **Status**: Active with enhanced configuration
- **Jails**: SSH, Nginx, PufferPanel monitoring
- **Custom Filter**: Created PufferPanel authentication monitoring
- **Monitoring**: 2587 failed login attempts detected in last 7 days
### 3. Web Server Hardening (Nginx)
- **Security Headers**: Implemented comprehensive security headers
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Content Security Policy
- Referrer Policy
- Permissions Policy
- **Rate Limiting**: 10 requests/second general, 1 request/second for login
- **Connection Limiting**: 20 connections per IP
- **SSL/TLS**: Strong cipher suites, TLS 1.2+ only
- **Server Tokens**: Hidden nginx version information
### 4. Automatic Updates
- **unattended-upgrades**: Configured for automatic security updates
- **apt-listchanges**: Email notifications for package changes
- **Status**: 0 security updates currently pending
### 5. System Monitoring
- **logwatch**: Daily system monitoring reports
- **Custom Script**: Weekly security maintenance checks
- **Cron Schedule**: Sundays at 2:00 AM
- **Monitoring Includes**:
- Failed login attempts
- fail2ban status
- Security updates
- SSL certificate expiration
- Disk usage
- Memory usage
- Network connections
- Container security status
### 6. Container Security
- **Docker Containers**: 3 running (obsidian, wallabag, minio)
- **User Context**: All running as root (acceptable for isolated containers)
- **Network Security**: Access controlled via UFW rules
- **Status**: Monitored via security maintenance script
## Current Security Status
### ✅ Strengths
- Strong firewall configuration with service-specific restrictions
- Active intrusion prevention with custom monitoring
- Comprehensive web server security headers
- Automatic security updates enabled
- Regular security monitoring and reporting
- SSL certificates valid until 2041
- Low resource usage (6.4% memory, 24% disk)
### ⚠️ Areas of Note
- High number of failed login attempts (2587 in 7 days) - being monitored
- Docker containers running as root (mitigated by network isolation)
- Some SSL certificates lack OCSP stapling (warnings only)
### 🔧 Maintenance
- **Automated**: Security updates, daily logwatch reports, weekly security checks
- **Manual**: SSL certificate renewal (not needed until 2041)
- **Monitoring**: Security maintenance script logs to `/var/log/security-maintenance.log`
## Access Preservation
- **Tailscale**: All existing Tailscale access preserved
- **Direct IP**: SSH and public web services accessible via direct IP
- **Service Restrictions**: Sensitive services (PufferPanel, MinIO, Revolt) restricted to Tailscale network only
## Next Steps
1. Monitor security maintenance logs weekly
2. Review fail2ban logs for persistent attackers
3. Consider implementing additional container security measures if needed
4. Regular review of UFW rules as services change
## Files Modified
- `/etc/ufw/` - Firewall rules
- `/etc/fail2ban/jail.local` - Enhanced fail2ban configuration
- `/etc/fail2ban/filter.d/pufferpanel.conf` - Custom PufferPanel filter
- `/etc/nginx/nginx.conf` - Rate limiting zones
- `/etc/nginx/snippets/security-headers.conf` - Security headers
- `/etc/nginx/sites-enabled/obsidian` - Added security headers
- `/etc/nginx/sites-enabled/wallabag` - Added security headers
- `/root/scripts/security-maintenance.sh` - Weekly security check script
## Security Maintenance Schedule
- **Daily**: logwatch reports
- **Weekly**: Comprehensive security maintenance check (Sundays 2:00 AM)
- **Automatic**: Security updates via unattended-upgrades

105
docs/security/SERVER_HARDENING.md Normal file
View File

@@ -0,0 +1,105 @@
# Server Hardening Summary
## 🛡️ Security Measures Implemented
### SSH Security
- **Primary SSH (Port 22)**: Key-based authentication only, password authentication disabled
- **Backup SSH (Port 2222)**: Emergency access when Tailscale is down
- Restricted to authorized IP addresses
- Same security settings as primary SSH
- Currently authorized IP: YOUR_WAN_IP
- **SSH Hardening**: Disabled root password login, reduced login grace time, limited auth tries
### Firewall Configuration
- **UFW Firewall**: Active with default deny incoming policy
- **Rate Limiting**: SSH and HTTP connections rate-limited to prevent brute force
- **Service-Specific Rules**:
- SSH: Ports 22 and 2222 (rate limited)
- HTTP/HTTPS: Ports 80 and 443 (rate limited)
- Gaming Services: Minecraft (25565), Garry's Mod (27015), PufferPanel (8080)
- Revolt Chat: Ports 3000, 5000, 9000
- **Tailscale Integration**: Tailscale network (100.64.0.0/10) trusted
### Intrusion Prevention
- **Fail2ban**: Active with 6 jails protecting:
- SSH (both ports 22 and 2222)
- Nginx HTTP authentication
- Currently 34 IPs banned on SSH
- **Ban Settings**: 1-hour bans after 3 failed attempts within 10 minutes
### Web Server Security
- **Nginx Hardening**:
- Modern TLS protocols only (TLS 1.2+)
- Secure cipher suites
- Security headers (HSTS, X-Frame-Options, etc.)
- Server tokens hidden
### System Security
- **Automatic Updates**: Security updates configured for automatic installation
- **User Account Security**: Non-essential accounts secured
- **System Monitoring**:
- Security check script: `/root/scripts/security-check.sh`
- Logwatch installed for system monitoring
- Backup access manager: `/root/scripts/backup-access-manager.sh`
## 🔧 Management Tools
### Backup SSH Access Manager
Location: `/root/scripts/backup-access-manager.sh`
Commands:
- `./backup-access-manager.sh status` - Show current status
- `./backup-access-manager.sh add-ip <IP>` - Add IP to backup access
- `./backup-access-manager.sh remove-ip <IP>` - Remove IP from backup access
- `./backup-access-manager.sh connect-info` - Show connection instructions
### Security Monitoring
Location: `/root/scripts/security-check.sh`
- Run manually or via cron for security status checks
- Monitors fail2ban, firewall, SSH, and system updates
## 🚨 Emergency Access Procedures
### When Tailscale is Down
1. Ensure your current IP is authorized for backup SSH access
2. Connect using: `ssh -p 2222 root@YOUR_SERVER_IP`
3. Use the backup access manager to add/remove authorized IPs as needed
### Current Backup Access
- **Port**: 2222
- **Authorized IP**: YOUR_WAN_IP
- **Authentication**: SSH keys only (no passwords)
## 📊 Current Security Status
### Active Protections
- ✅ SSH hardened (key-based auth only)
- ✅ Firewall active with rate limiting
- ✅ Fail2ban protecting SSH and web services
- ✅ Nginx with modern TLS configuration
- ✅ Automatic security updates enabled
- ✅ Backup SSH access configured
- ✅ System monitoring in place
### Services Protected
- SSH (ports 22, 2222)
- Nginx web server
- Gaming services (Minecraft, Garry's Mod)
- PufferPanel management interface
- Revolt chat services
## 🔄 Maintenance Recommendations
1. **Regular Updates**: System will auto-update security patches
2. **Monitor Logs**: Check `/var/log/auth.log` and fail2ban logs regularly
3. **Review Access**: Periodically review authorized IPs for backup SSH
4. **Backup Keys**: Ensure SSH keys are backed up securely
5. **Test Access**: Periodically test backup SSH access method
## 📞 Support Commands
- Check firewall status: `ufw status verbose`
- Check fail2ban status: `fail2ban-client status`
- Check SSH configuration: `sshd -T`
- View security logs: `tail -f /var/log/auth.log`
- Run security check: `/root/scripts/security-check.sh`

44
docs/security/zero-trust.md Normal file
View File

@@ -0,0 +1,44 @@
# ZeroTrust Access Policy
The *ZeroTrust* concept means **never trust, always verify**. The following policy documents the controls we enforce across the homelab.
## 1. Identity & Access Management
| Layer | Controls |
|-------|----------|
| User provisioning | LDAP/SSO via Authentik Single signon and MFA enforced. |
| Rolebased access | Service accounts are scoped with least privilege; use **service principals** for automation. |
| Temporal access | SSH key turnover every 90 days, @ 2FA enforced for remote access. |
## 2. Network Isolation
- **Segmentation** Hyperviser networks (vlan101, vlan102) separate functional zones.
- **Private endpoints** Services expose only required ports to the Internet via Nginx Proxy Manager with LetsEncrypt certs.
- **TLS** All traffic between hosts uses the latest TLS 1.3 and HSTS.
## 3. Secrets Management
- Store secrets in **Hashicorp Vault** with rolebased ACLs.
- Never commit secrets to Git. Ensure `.env` files are `.gitignore`protected.
- Use `podman secret` or Docker secrets when running in a Docker Swarm.
## 4. Continuous Verification
- **Automated Compliance Checks** CI pipeline runs `bandit` and `trivy` scans.
- **Runtime Monitoring** Falco and Sysdig detect anomalies.
- **Audit Log** All portainer, docker, and system events are forwarded to Loki.
## 5. Incident Response
1. • Detect via alerts (Grafana, Prometheus, Falco).
2. • Verify via `docker inspect`, `docker logs`, and the audit app.
3. • Isolate compromised container: `docker pause <id>` then identify the VM.
4. • Rotate secrets and keys immediately.
> **Policy Owner**: Vish <email@example.com>
---
### Quick Reference Links
- [Secrets Store Guide](../services/secret-store.md)
- [SSH Hardening](../infrastructure/SSH_ACCESS_GUIDE.md)
- [Firewall Rules](../infrastructure/port-forwarding-guide.md)