# Zero-Trust Access Policy

The *Zero-Trust* concept means **never trust, always verify**. The following policy documents the controls we enforce across the homelab.

## 1. Identity & Access Management

| Layer | Controls |
|-------|----------|
| User provisioning | LDAP/SSO via Authentik; single sign-on and MFA enforced. |
| Role-based access | Service accounts are scoped with least privilege; use **service principals** for automation. |
| Temporal access | SSH keys are rotated every 90 days, and 2FA is enforced for remote access. |

## 2. Network Isolation

- **Segmentation** – Hypervisor networks (vlan-101, vlan-102) separate functional zones.
- **Private endpoints** – Services expose only the required ports to the Internet, via Nginx Proxy Manager with Let's Encrypt certificates.
- **TLS** – All traffic between hosts uses TLS 1.3; HTTP endpoints additionally set HSTS.

## 3. Secrets Management

- Store secrets in **HashiCorp Vault** with role-based ACLs.
- Never commit secrets to Git. Ensure `.env` files are `.gitignore`-protected.
- Use `podman secret` under Podman, or Docker secrets when running in a Docker Swarm.

## 4. Continuous Verification

- **Automated Compliance Checks** – The CI pipeline runs `bandit` and `trivy` scans.
- **Runtime Monitoring** – Falco and Sysdig detect anomalies.
- **Audit Log** – All Portainer, Docker, and system events are forwarded to Loki.

## 5. Incident Response

1. Detect via alerts (Grafana, Prometheus, Falco).
2. Verify via `docker inspect`, `docker logs`, and the audit app.
3. Isolate the compromised container (`docker pause <container>`), then identify the VM it runs on.
4. Rotate secrets and keys immediately.

> **Policy Owner**: Vish –

---

### Quick Reference Links

- [Secrets Store Guide](../services/secret-store.md)
- [SSH Hardening](../infrastructure/SSH_ACCESS_GUIDE.md)
- [Firewall Rules](../infrastructure/port-forwarding-guide.md)
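Worked example for section 3 (Secrets Management). The rule "never commit secrets to Git; keep `.env` files `.gitignore`-protected" is only as strong as whatever enforces it at commit time. The script below is an added illustration, not part of the homelab's own tooling: a pre-commit hook that refuses a commit when a staged path is a `.env` file or a staged file contains an obvious credential shape. It assumes it is installed as `.git/hooks/pre-commit` and reads staged paths with `git diff --cached`; the credential patterns are constructed examples and should be tuned to the secret formats actually in use.

```python
"""Pre-commit guard: block .env files and obvious credentials from entering Git.

Added example for the homelab zero-trust policy, not the repo's own hook.
Assumes installation as .git/hooks/pre-commit. The pure functions
(is_forbidden_path, find_secrets, check_commit) work on plain strings so the
logic can be exercised without a repository.
"""
import re
import subprocess
import sys

# Filenames the policy says must never reach Git: .env and variants like .env.local.
FORBIDDEN_NAME = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$")

# Credential shapes worth blocking. Constructed patterns; extend for your own formats.
SECRET_PATTERNS = {
    # AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM private key header (RSA, EC, OpenSSH or generic).
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # HashiCorp Vault service tokens are prefixed "hvs.".
    "vault_token": re.compile(r"\bhvs\.[A-Za-z0-9_-]{20,}\b"),
    # KEY=value style assignments of password-like names to a non-trivial value.
    "password_assignment": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*['\"]?[^\s'\"]{8,}"),
}


def is_forbidden_path(path: str) -> bool:
    """True if the staged path is a .env file (or a .env.<suffix> variant)."""
    return FORBIDDEN_NAME.search(path) is not None


def find_secrets(text: str) -> list:
    """Return (line_number, pattern_name) for each line that matches a credential pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
                break  # one finding per line is enough to block
    return hits


def check_commit(files: list, read_staged) -> list:
    """Return violation strings for the given paths; an empty list means the commit may proceed.

    read_staged(path) must return the staged content of a file as text.
    """
    problems = []
    for path in files:
        if is_forbidden_path(path):
            problems.append(f"{path}: .env files must stay out of Git (add it to .gitignore)")
            continue
        for lineno, name in find_secrets(read_staged(path)):
            problems.append(f"{path}:{lineno}: looks like a {name}")
    return problems


def staged_files() -> list:
    """Paths added, copied or modified in the index."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM"],
        check=True, capture_output=True, text=True,
    ).stdout
    return [p for p in out.splitlines() if p]


def staged_content(path: str) -> str:
    """Staged (index) version of a file, which may differ from the working tree."""
    return subprocess.run(
        ["git", "show", f":{path}"],
        check=True, capture_output=True, text=True, errors="replace",
    ).stdout


def main() -> int:
    problems = check_commit(staged_files(), staged_content)
    for problem in problems:
        print("BLOCKED:", problem, file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

The hook checks the index rather than the working tree, so a secret that is staged but then edited out of the file on disk is still caught. A hook is a client-side control and can be skipped with `--no-verify`; the CI scans in section 4 remain the authoritative gate.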
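Worked example for section 5 (Incident Response), step 2. `docker inspect` returns a large JSON document, and during an incident the responder needs a handful of facts from it quickly: what image is running, whether the container is privileged or has added capabilities, which host paths are mounted, which ports are published, and which environment variables carry secrets that step 4 will have to rotate. The script below is an added illustration, not tooling from the homelab repo. It assumes the JSON shape that `docker inspect <container>` emits; the sample record embedded in it is constructed for illustration.

```python
"""Triage helper for incident-response step 2: summarise `docker inspect` output
and flag settings that widen a compromised container's blast radius.

Added example for the homelab zero-trust policy, not the repo's own tooling.
Assumes the JSON layout of `docker inspect <container>` (a one-element list).
"""
import json
import subprocess
import sys

# Constructed docker inspect record, trimmed to the fields this helper reads.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123456789abcdef",
    "Name": "/web-proxy",
    "Config": {
        "Image": "nginx:1.25",
        "Cmd": ["nginx", "-g", "daemon off;"],
        "Env": ["VAULT_TOKEN=hvs.constructed-example", "NGINX_VERSION=1.25.3"],
    },
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "PidMode": "host",
        "Binds": [
            "/var/run/docker.sock:/var/run/docker.sock",
            "/srv/web:/usr/share/nginx/html:ro",
        ],
    },
    "NetworkSettings": {
        # A None value means the port is exposed but not published to the host.
        "Ports": {"80/tcp": None, "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}]},
        "Networks": {"vlan-101": {}},
    },
    "State": {"Status": "running", "Paused": False},
}])

# Host paths whose mount hands the container control over the host or its secrets.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock"}
# Substrings that mark an environment variable as secret-bearing.
SENSITIVE_ENV_TAGS = ("TOKEN", "SECRET", "PASSWORD", "KEY")


def summarize(inspect_json: str) -> dict:
    """Reduce a docker inspect document to the fields a responder needs."""
    rec = json.loads(inspect_json)[0]
    cfg = rec.get("Config") or {}
    host = rec.get("HostConfig") or {}
    net = rec.get("NetworkSettings") or {}
    ports = net.get("Ports") or {}
    return {
        "name": (rec.get("Name") or "").lstrip("/"),
        "image": cfg.get("Image"),
        "status": (rec.get("State") or {}).get("Status"),
        "privileged": bool(host.get("Privileged")),
        "cap_add": list(host.get("CapAdd") or []),
        "pid_mode": host.get("PidMode") or "",
        "binds": list(host.get("Binds") or []),
        "published_ports": sorted(p for p, bindings in ports.items() if bindings),
        "networks": sorted((net.get("Networks") or {}).keys()),
        "env_names": [e.split("=", 1)[0] for e in cfg.get("Env") or []],
    }


def findings(summary: dict) -> list:
    """Human-readable flags about the container's blast radius and rotation needs."""
    flags = []
    if summary["privileged"]:
        flags.append("privileged container: full access to host devices")
    for cap in summary["cap_add"]:
        flags.append(f"added capability {cap}")
    if summary["pid_mode"] == "host":
        flags.append("shares the host PID namespace")
    for bind in summary["binds"]:
        src = bind.split(":", 1)[0]
        if src in SENSITIVE_HOST_PATHS:
            flags.append(f"sensitive host path mounted: {src}")
    for name in summary["env_names"]:
        if any(tag in name.upper() for tag in SENSITIVE_ENV_TAGS):
            flags.append(f"secret-bearing env var {name}: rotate it (step 4)")
    return flags


def triage_container(container: str) -> dict:
    """Run docker inspect on a live container and return summary plus findings."""
    out = subprocess.run(["docker", "inspect", container],
                         check=True, capture_output=True, text=True).stdout
    summary = summarize(out)
    summary["findings"] = findings(summary)
    return summary


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(json.dumps(triage_container(sys.argv[1]), indent=2))
    else:  # no container given: show the constructed sample
        s = summarize(SAMPLE_INSPECT)
        s["findings"] = findings(s)
        print(json.dumps(s, indent=2))
```

Run it against the paused container from step 3 (`python triage.py <container>`) and keep its output with the `docker logs` capture as part of the case record; the `findings` list doubles as the checklist for which credentials step 4 must rotate.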