# 🔒 Security Hardening Guide

This guide details the security measures and best practices for hardening the homelab infrastructure. Implementing these recommendations will measurably improve the security posture of the network.

## 🛡️ Network Security

### Firewall Configuration

- Block all inbound traffic by default and open only the ports that must be reachable from the internet (80 and 443, terminated at the reverse proxy)
- Allow outbound traffic by default, but log it: unrestricted egress is what a compromised host uses to reach a command-and-control server or to exfiltrate data
- Review the rule set regularly and remove rules whose service no longer exists

### Network Segmentation

- Put IoT and guest devices on their own VLANs where the switching and access-point hardware allows it
- Until then, rely on WiFi client isolation for IoT devices (the current implementation), keeping in mind that it only blocks traffic between wireless clients on that SSID, not traffic towards the wired LAN
- Keep critical services separated from general client access
- Audit the network topology regularly so the documentation matches what is actually connected

### Tailscale VPN Implementation

- Use Tailscale as the mesh VPN so that remote access is per-device and per-identity (zero-trust) rather than a flat tunnel into the LAN
- Write ACLs that grant each user or group only the hosts and ports they need; the default Tailscale policy accepts all traffic between all nodes
- Monitor active connections and node status, and remove nodes that have stopped checking in
- Rotate pre-authentication keys regularly and prefer single-use keys: a leaked reusable key lets anyone join the tailnet until it expires or is revoked

## 🔐 Authentication & Access Control

### Multi-Factor Authentication (MFA)

Enable MFA everywhere the service supports it:

- Authentik SSO (TOTP + FIDO2), which should be the front door for everything it can protect
- Portainer administrative accounts
- Gitea Git hosting
- Vaultwarden password manager (the vault protects every other credential, so this one is non-negotiable)
- Nginx Proxy Manager has no MFA of its own, so its admin UI stays internal-only (see the matrix below)

### Service Authentication Matrix

| Service | Authentication | MFA Support | Notes |
|---------|----------------|-------------|-------|
| Authentik SSO | Local accounts | Yes | Centralized authentication |
| Portainer | Local admin | Yes | Container management |
| Nginx Proxy Manager | Local admin | No | Internal access only |
| Gitea Git | Local accounts | Yes | Code repositories |
| Vaultwarden | Master password | Yes | Password storage |
| Prometheus | Basic auth | No | Internal use only |

### Access Control Lists

- Expose each service only to the hosts that need it
- Encode that in granular Tailscale ACL rules, based on groups and tags rather than individual IP addresses
- Use Portainer role-based access control where the edition provides it
- Review access permissions regularly and remove accounts that no longer need them

## 🗝️ Secrets Management

### Password Security

- Store all passwords in Vaultwarden (self-hosted
Bitwarden)
- Rotate passwords for critical services on a schedule and immediately after any suspected exposure
- Use a unique, strong, generated password for every service so that one leak cannot be replayed elsewhere
- Enable 2FA on Vaultwarden itself, and keep its recovery codes somewhere that does not depend on Vaultwarden being up

### Environment File Protection

- Give every `.env` file restrictive permissions (`chmod 600`), owned by the user that runs the service
- Keep sensitive environment variables in Portainer stack variables or the service's own secret store rather than in shared files
- Never commit secrets to Git repositories: add `.env` to `.gitignore`, and treat any secret that was ever committed as leaked even after the commit is removed, because it remains in history
- Back up environment files securely, encrypted where possible

### Key Management

- Store SSH private keys with owner-only permissions (`chmod 600` on the key, `700` on `~/.ssh`) and protect them with a passphrase
- Rotate SSH keys periodically and remove the old public keys from `authorized_keys` when you do
- Prefer hardware-backed keys (a FIDO2 security key or an HSM) where possible, so the private key cannot be copied off the device

## 🛡️ Service Security

### Container Hardening

- Run containers as a non-root user (`user:` in Compose or `USER` in the image) wherever the image allows it
- Update container images regularly from pinned tags rather than a floating `latest`, so that an update is a deliberate, reviewable change
- Scan images for known vulnerabilities with an image scanner before deployment and on a schedule afterwards
- Drop capabilities the container does not need, avoid `privileged`, and never mount the Docker socket into a container that is reachable from the network, since the socket is equivalent to root on the host

### SSL/TLS Security

- Issue a wildcard certificate through Nginx Proxy Manager using the Let's Encrypt DNS-01 challenge against Cloudflare, so internal hostnames get valid certificates without being exposed
- Enable HSTS for all public services, but only after confirming every subdomain serves HTTPS correctly, because browsers cache the header
- Offer modern cipher suites only (TLS 1.2 with AEAD ciphers, and TLS 1.3)
- Check certificate renewal regularly; an expired wildcard takes every service down at once
- Use the same Let's Encrypt certificates for internal services that are not behind the proxy where needed

### Logging & Monitoring

- Enable logging for all services and ship the logs off the host that produced them, so an attacker who gains root cannot erase the record
- Implement centralized log collection (planned: Logstash/Loki)
- Monitor for suspicious activity and failed access attempts, especially repeated authentication failures from a single source
- Alert on authentication failures and system anomalies, and route alerts somewhere that is actually read rather than only to a dashboard

## 🔍 Audit & Compliance

### Regular Security Audits

- Monthly review of access permissions and user accounts across Authentik, Portainer, Gitea and Tailscale
- Quarterly vulnerability scanning of active services
- Annual comprehensive security assessment
- Review of firewall rules and Tailscale ACLs, removing anything that no longer maps to a running service

### Compliance Requirements

- Maintain a 3-2-1 backup strategy (3 copies, 2 media types, 1 offsite)
- Test backups regularly by restoring them, not only by verifying checksums; a backup that has never been restored is an assumption
- Keep the incident response documentation up to date
- Verify compliance with the security policy on the same schedule as the audits

## 🛠️ Automated Security Processes

### Updates & Patching

- Set up automated vulnerability scanning for containers
- Implement a patch management plan for host
systems
- Monitor for security advisories affecting the services in use
- Test patches in a non-production environment first, or at least have a tested rollback path

### Backup Automation

- Configure HyperBackup tasks with retention policies that match the 3-2-1 strategy
- Enable automatic backup notifications and alerts, and treat a missing "backup completed" notification as a failure
- Automate backup integrity checks
- Verify critical backups manually on a schedule by performing a real restore

## 🔧 Emergency Security Procedures

### Compromise Response Plan

1. **Isolate**: Disconnect affected systems from the network immediately; disconnect rather than power off where possible, so volatile evidence survives
2. **Assess**: Determine the scope and extent of the compromise from logs, Tailscale node activity and backup timestamps
3. **Contain**: Block the attacker's access and change all credentials, including Tailscale pre-auth keys, API tokens and the Vaultwarden master password
4. **Eradicate**: Remove malware and patch the vulnerability that was exploited
5. **Recover**: Restore from known-good backups taken before the compromise
6. **Review**: Document the incident, rotate credentials a second time now that the attacker's foothold is gone, and improve defenses

### Emergency Access

- Document physical access procedures for critical systems
- Confirm that Tailscale still works during a DNS outage: reach nodes by their Tailscale IP (100.x.y.z) and keep a copy of those addresses offline
- Maintain out-of-band access methods (IPMI/iLO) on the management network, never exposed to the internet
- Keep the emergency access documentation securely stored and reachable without the systems it describes (a printed copy or a second vault)

## 📚 Related Documentation

- [Security Model](../infrastructure/security.md)
- [Disaster Recovery Procedures](disaster-recovery.md)
- [Backup Strategy](../infrastructure/backup-strategy.md)
- [Monitoring Stack](../infrastructure/monitoring/README.md)

---

*Last updated: 2026*
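The granular Tailscale ACL rules called for under Network Security and Access Control Lists, as an added example policy that is not the homelab's own. Users, tags and ports are assumptions (alice as the only admin, bob as an ordinary member, the NPM admin UI on 81, Portainer on 9443, Prometheus on 9090). The `tests` section is the check worth keeping: Tailscale evaluates it when the policy is saved and rejects an edit that breaks an assertion, so a careless ACL change cannot silently reopen Portainer to every member.

```jsonc
{
  // Added example policy, not the homelab's real one. Users, tags and ports
  // are assumptions: NPM admin UI on 81, Portainer on 9443, Prometheus on 9090.
  "groups": {
    "group:admins": ["alice@example.com"],
    "group:family": ["bob@example.com"]   // members without admin rights
  },

  // Only admins may apply these tags to a node, so a family member cannot
  // tag their own laptop as a server and inherit its access
  "tagOwners": {
    "tag:proxy":   ["group:admins"],   // host running Nginx Proxy Manager
    "tag:docker":  ["group:admins"],   // host running Portainer
    "tag:monitor": ["group:admins"]    // host running Prometheus
  },

  // Replaces the default policy, which accepts * -> *:*
  "acls": [
    // Admins reach every tagged service host on any port
    { "action": "accept", "src": ["group:admins"],
      "dst": ["tag:proxy:*", "tag:docker:*", "tag:monitor:*"] },
    // Everyone else reaches published services through the proxy on 443 only;
    // the NPM admin UI (81), Portainer and Prometheus stay admin-only
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:proxy:443"] }
  ],

  // Evaluated whenever the policy is saved; a failing assertion rejects the
  // edit, which is the regression check to run on every ACL change
  "tests": [
    { "src": "bob@example.com",
      "accept": ["tag:proxy:443"],
      "deny":   ["tag:proxy:81", "tag:docker:9443", "tag:monitor:9090"] },
    { "src": "alice@example.com",
      "accept": ["tag:proxy:81", "tag:docker:9443", "tag:monitor:9090"] }
  ]
}
```

Paste it into the Access Controls page of the Tailscale admin console; the save fails, with the offending assertion named, if any `tests` entry no longer holds.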
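The Environment File Protection and Key Management checks above, as an added shell example that is not part of the guide's own tooling: `audit_secret_perms` lists `.env` files and OpenSSH private keys under a directory whose mode grants group or other access and optionally fixes them to `600`, and `check_staged_names` filters a list of staged paths so a Git pre-commit hook can refuse a commit that includes a secret file. It assumes GNU find/stat/chmod (Linux) and that secret files follow the name patterns in the code; the directory tree it walks through is constructed with placeholder contents.

```sh
#!/bin/sh
# Added example (not the guide's own tooling): find secret-bearing files with
# loose permissions, fix them, and keep them out of Git.
# Assumes GNU find/stat/chmod (Linux). The file name patterns below are this
# example's assumption about how the homelab names its secret files.

# List every .env file and OpenSSH private key under $1 whose mode grants any
# group or other access, one "MODE PATH" line each. With "fix" as $2 it also
# chmods each hit to 600. Returns 0 when nothing is loose, 1 otherwise.
audit_secret_perms() {
    dir=$1
    action=${2:-report}
    list=$(mktemp)
    # -perm /077 matches a file with at least one group or other bit set,
    # i.e. anything looser than 0600 / 0400
    find "$dir" -type f \
        \( -name '.env' -o -name '*.env' -o -name 'id_rsa' \
           -o -name 'id_ecdsa' -o -name 'id_ed25519' \) \
        -perm /077 > "$list"
    loose=0
    while IFS= read -r f; do
        loose=$((loose + 1))
        printf '%s %s\n' "$(stat -c '%a' "$f")" "$f"
        if [ "$action" = fix ]; then
            chmod 600 "$f"
        fi
    done < "$list"
    rm -f "$list"
    [ "$loose" -eq 0 ]
}

# Read staged path names on stdin and print the ones that look like secret
# files. Returns 1 when any were found. Wire it into .git/hooks/pre-commit as:
#   git diff --cached --name-only --diff-filter=AM | check_staged_names || exit 1
# .env.example does not match: only a real .env / *.env or key file is refused.
check_staged_names() {
    hits=0
    while IFS= read -r path; do
        case "${path##*/}" in
            .env|*.env|id_rsa|id_ecdsa|id_ed25519|*.pem|*.key)
                printf 'refusing to commit secret file: %s\n' "$path"
                hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -eq 0 ]
}

# Constructed directory tree for the walk-through; contents are placeholders,
# not real credentials
make_demo_tree() {
    d=$(mktemp -d)
    printf 'DB_PASSWORD=placeholder\n' > "$d/.env";   chmod 644 "$d/.env"      # loose
    printf 'API_TOKEN=placeholder\n' > "$d/app.env";  chmod 600 "$d/app.env"   # fine
    mkdir "$d/.ssh"
    printf 'placeholder\n' > "$d/.ssh/id_ed25519";    chmod 664 "$d/.ssh/id_ed25519"  # loose
    printf '%s\n' "$d"
}

# Walk-through: report and fix the two loose files, then confirm a clean tree
tree=$(make_demo_tree)
audit_secret_perms "$tree" fix || echo "fixed the files listed above"
audit_secret_perms "$tree" && echo "clean: $tree"
rm -rf "$tree"
```

Run `audit_secret_perms /opt/stacks` (or wherever the Compose stacks live) from cron and alert on a non-zero exit; the `fix` mode is deliberately opt-in so a scheduled audit reports rather than silently rewriting modes on a host you are not looking at.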
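The "alert on authentication failures" item under Logging & Monitoring, as an added shell example that is not part of the guide's monitoring stack: `flag_auth_failures` reads sshd-style auth log lines (the format of `auth.log` and of `journalctl -u ssh`) on stdin and prints one alert per source address that failed at least N times within the same minute. The lines in `SAMPLE_LOG` are constructed with documentation addresses; the one-minute tumbling bucket and the default threshold of 3 are this example's choices. The sample also shows the caveat: a source that fails once per minute never crosses the threshold, so a slow password spray needs a longer window or a per-day count on top of this.

```sh
#!/bin/sh
# Added example (not part of the guide's monitoring stack): flag sources with
# repeated authentication failures in sshd-style auth log lines.

# Constructed sample lines in the format sshd writes to auth.log / journalctl
# (documentation addresses, not real traffic)
SAMPLE_LOG='Jan 12 10:15:01 nas sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:15:03 nas sshd[1202]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:15:04 nas sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Jan 12 10:15:09 nas sshd[1204]: Accepted publickey for alice from 100.64.0.7 port 40022 ssh2
Jan 12 10:16:30 nas sshd[1210]: Failed password for bob from 198.51.100.8 port 60001 ssh2
Jan 12 10:17:31 nas sshd[1211]: Failed password for bob from 198.51.100.8 port 60002 ssh2
Jan 12 10:18:32 nas sshd[1212]: Failed password for bob from 198.51.100.8 port 60003 ssh2'

# Read log lines on stdin; print "ALERT <ip>: <n> failed logins in <minute>"
# for every (source, minute) with at least $1 failures (default 3).
# The window is a tumbling one-minute bucket keyed on the timestamp's HH:MM,
# so failures at 10:15:59 and 10:16:00 land in different buckets; that is the
# trade-off of this simple design.
flag_auth_failures() {
    threshold=${1:-3}
    awk -v t="$threshold" '
        /Failed password for/ {
            # $1 $2 = "Jan 12", $3 = "HH:MM:SS"; the source IP follows "from"
            minute = $1 " " $2 " " substr($3, 1, 5)
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") n[ip "\t" minute]++
        }
        END {
            for (k in n) if (n[k] >= t) {
                split(k, p, "\t")
                printf "ALERT %s: %d failed logins in %s\n", p[1], n[k], p[2]
            }
        }' | sort
}

# Walk-through on the sample: only 203.0.113.5 crosses the threshold;
# 198.51.100.8 fails once per minute and stays under it
printf '%s\n' "$SAMPLE_LOG" | flag_auth_failures 3
```

On a live host, `journalctl -u ssh --since today | flag_auth_failures 5` gives the same output for real traffic; the alert lines can be pushed to whatever channel the monitoring stack already uses.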