homelab-optimized/docs/security/zero-trust.md
Gitea Mirror Bot 851e2132ce
Sanitized mirror from private repository - 2026-03-20 09:03:20 UTC
# Zero-Trust Access Policy
The *zero-trust* model means **never trust, always verify**: no request is trusted because of the network it arrives from, and every access is authenticated and authorized on its own. The following policy documents the controls we enforce across the homelab.
## 1. Identity & Access Management
| Layer | Controls |
|-------|----------|
| User provisioning | LDAP/SSO via Authentik; single sign-on with MFA enforced for every user. |
| Role-based access | Service accounts are scoped to least privilege; automation uses dedicated **service principals** rather than personal credentials. |
| Time-bound access | SSH keys are rotated every 90 days, and 2FA is enforced for all remote access. |
## 2. Network Isolation
- **Segmentation**: hypervisor networks (vlan101, vlan102) separate functional zones.
- **Private endpoints**: services expose only the ports they require to the Internet, fronted by Nginx Proxy Manager with Let's Encrypt certificates.
- **TLS**: all traffic between hosts uses TLS 1.3, and HTTPS endpoints send an HSTS header so browsers never fall back to plaintext for them.
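As an added check, not part of the homelab's own tooling: a POSIX shell script that verifies the TLS claim above against a live endpoint. It confirms a TLS 1.3 handshake, confirms that a forced TLS 1.2 handshake is refused (the strict reading of "all traffic uses TLS 1.3"; loosen that check if the proxy must still serve older clients), and confirms an HSTS header whose max-age is at least one year, the minimum the HSTS preload list requires. The host name, the one-year threshold and the `openssl s_client` and `curl` invocations are assumptions; the two parsing functions are kept separate so they can be exercised on captured output without a network.

```shell
#!/bin/sh
# Added example (not the homelab's own code): verify the TLS 1.3 + HSTS policy
# on a live endpoint. Host name and thresholds below are assumptions.
set -u

# Success only if an `openssl s_client` transcript on stdin shows a TLS 1.3 session
# (s_client prints "Protocol  : TLSv1.3" in its SSL-Session block).
negotiated_tls13() {
    grep -q 'Protocol[[:space:]]*:[[:space:]]*TLSv1\.3'
}

# Success only if HTTP response headers on stdin carry Strict-Transport-Security
# with max-age >= 31536000 seconds (one year). CRs are stripped first because
# curl -I emits CRLF line endings.
hsts_ok() {
    max_age=$(tr -d '\r' \
        | grep -i '^strict-transport-security:' \
        | sed -n 's/.*[Mm]ax-[Aa]ge=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# Run all three checks against one host on port 443. Prints a verdict and
# returns non-zero on the first failure.
check_endpoint() {
    host=$1
    if ! openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
            | negotiated_tls13; then
        echo "FAIL $host: TLS 1.3 was not negotiated"; return 1
    fi
    # Forcing TLS 1.2 must not produce a TLS 1.2 session (strict reading of the policy).
    if openssl s_client -connect "$host:443" -servername "$host" -tls1_2 </dev/null 2>/dev/null \
            | grep -q 'Protocol[[:space:]]*:[[:space:]]*TLSv1\.2'; then
        echo "FAIL $host: TLS 1.2 is still accepted"; return 1
    fi
    if ! curl -sI "https://$host/" | hsts_ok; then
        echo "FAIL $host: HSTS header missing or max-age below one year"; return 1
    fi
    echo "OK $host: TLS 1.3 only, HSTS present"
}

# Stand-alone use: CHECK_TLS_HOST=proxy.homelab.example sh check-tls.sh  (host is an assumption)
if [ -n "${CHECK_TLS_HOST:-}" ]; then
    check_endpoint "$CHECK_TLS_HOST"
fi
```

Run it from cron or the CI pipeline against every public host name so a proxy change that silently re-enables TLS 1.2 or drops HSTS shows up as a failing job rather than going unnoticed.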
## 3. Secrets Management
- Store secrets in **HashiCorp Vault** with role-based ACLs.
- Never commit secrets to Git. Keep `.env` files out of the repository by listing them in `.gitignore`.
- Use `podman secret` under Podman, or Docker secrets (which require Swarm mode) under Docker, so secrets are mounted as files rather than baked into images or the environment.
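A git pre-commit hook that enforces the two Git rules above, added here as an example (it is not the homelab's own hook). It refuses a commit that stages a dotenv file other than a `.env.example` or `.env.sample` template, and refuses one whose added lines look like a PEM private key, an AWS access key ID, a HashiCorp Vault `hvs.` service token, or a `password=` / `token=` style assignment; lines whose value is a `${VAR}` placeholder are ignored so templated configs still pass. The pattern list and the exempt template names are assumptions to tune for the repository; install it as `.git/hooks/pre-commit`.

```shell
#!/bin/sh
# Added example, not the homelab's own hook: a git pre-commit gate for the two
# rules above. Install as .git/hooks/pre-commit. Patterns and exemptions are
# assumptions to tune for the repository.
set -u

# Refuse staged dotenv files (.env, .env.local, app/.env.prod, ...) but allow the
# committed templates .env.example and .env.sample. Reads one path per line on stdin.
check_staged_paths() {
    rc=0
    while IFS= read -r path; do
        case "$path" in
            .env.example|.env.sample|*/.env.example|*/.env.sample) ;;
            .env|.env.*|*/.env|*/.env.*)
                printf 'blocked: dotenv file staged: %s\n' "$path" >&2
                rc=1 ;;
        esac
    done
    return "$rc"
}

# Refuse added lines that look like credentials: PEM private keys, AWS access key
# IDs (AKIA + 16 chars), HashiCorp Vault service tokens (hvs. prefix), or a
# password/secret/token assignment with a value of 8+ characters. Lines whose value
# is a ${VAR} placeholder are dropped first so templated configs still pass.
check_for_secrets() {
    hits=$(grep -Ev '\$\{[A-Za-z_][A-Za-z0-9_]*\}' \
        | grep -Ei \
            -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
            -e 'AKIA[0-9A-Z]{16}' \
            -e 'hvs\.[A-Za-z0-9_-]{24,}' \
            -e '(password|passwd|secret|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]{8,}' \
        || true)
    if [ -n "$hits" ]; then
        printf 'blocked: possible secret in staged changes:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Hook entry point: check staged paths, then only the added (+) lines of the staged diff.
run_pre_commit() {
    git diff --cached --name-only --diff-filter=AM | check_staged_paths || return 1
    git diff --cached -U0 --diff-filter=AM | grep -E '^\+[^+]' | cut -c2- | check_for_secrets
}

# Self-check on constructed input (no real credentials: the AWS key ID is the value
# AWS documents as its example). Returns 0 when every rule behaves as intended.
selfcheck() {
    printf 'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n' | check_for_secrets 2>/dev/null && return 1
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' | check_for_secrets 2>/dev/null && return 1
    printf 'admin_password = hunter2hunter2\n' | check_for_secrets 2>/dev/null && return 1
    printf 'DB_PASSWORD=${DB_PASSWORD}\nDB_HOST=db.internal\n' | check_for_secrets 2>/dev/null || return 1
    printf 'src/app.py\napp/.env.prod\n' | check_staged_paths 2>/dev/null && return 1
    printf 'src/app.py\n.env.example\n' | check_staged_paths 2>/dev/null || return 1
    return 0
}

# Run as the real hook only when installed under that name; otherwise only define the functions.
case "${0##*/}" in
    pre-commit) run_pre_commit || exit 1 ;;
esac
```

The generic `password=` rule will produce some false positives on test fixtures; that is intentional for a homelab, where a reviewer can bypass a single commit with `git commit --no-verify` after reading the hit, which is cheaper than rotating a key that reached the remote.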
## 4. Continuous Verification
- **Automated compliance checks**: the CI pipeline runs `bandit` (Python static analysis) and `trivy` (image and dependency vulnerability scanning).
- **Runtime monitoring**: Falco and Sysdig detect anomalous container behaviour.
- **Audit log**: all Portainer, Docker, and system events are forwarded to Loki.
## 5. Incident Response
1. Detect via alerts (Grafana, Prometheus, Falco).
2. Verify via `docker inspect`, `docker logs`, and the audit app.
3. Isolate the compromised container with `docker pause <id>` (this freezes its processes in place and keeps memory, open sockets and state intact for forensics, whereas `docker stop` would destroy them), then identify the VM it runs on.
4. Rotate secrets and keys immediately.
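Steps 2 to 4 as one containment script, added as an example rather than taken from the homelab repository. It pauses the container first, records the host it runs on and the operator, saves `docker inspect` output and timestamped `docker logs` output into an evidence directory, detaches the container from every Docker network so nothing can leave if someone later unpauses it, and writes SHA-256 checksums over the evidence. The evidence directory layout and file names are assumptions; the script assumes a single Docker host and leaves the secret rotation of step 4 to the operator, which it reminds them of at the end.

```shell
#!/bin/sh
# Added example, not the homelab's own tooling: contain one container (steps 2-4).
# Assumes a single Docker host; the evidence layout and file names are assumptions.
set -u

# Usage: isolate_container <container-id> [evidence-root]
# Prints the evidence directory on stdout; progress notes go to stderr and actions.log.
isolate_container() {
    cid=$1
    root=${2:-./evidence}
    dir="$root/$(date -u +%Y%m%dT%H%M%SZ)-$cid"
    log="$dir/actions.log"
    mkdir -p "$dir"

    # Timestamped, append-only record of every action taken, for the IR timeline.
    note() { printf '%s %s\n' "$(date -u +%FT%TZ)" "$*" | tee -a "$log" >&2; }

    # Step 3 first: freeze the container. `docker pause` uses the cgroup freezer, so
    # processes, memory and open sockets stay intact for forensics; `docker stop`
    # would destroy that state. Record which host (VM) this ran on and who did it.
    docker pause "$cid" >/dev/null || { note "FAILED to pause $cid"; return 1; }
    note "pause $cid on host $(uname -n) by ${USER:-unknown}"

    # Step 2: preserve configuration, mounts, env and the stdout/stderr history.
    docker inspect "$cid" > "$dir/inspect.json"
    docker logs --timestamps "$cid" > "$dir/logs.txt" 2>&1
    note "saved inspect.json and logs.txt"

    # Detach from every Docker network so nothing leaves the box if it is unpaused.
    for net in $(docker inspect --format '{{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}' "$cid"); do
        docker network disconnect -f "$net" "$cid" >/dev/null && note "network disconnect -f $net"
    done

    note "evidence complete; rotate every secret and key this container could read (step 4)"

    # Checksums make later tampering with the evidence detectable.
    (
        cd "$dir" || exit 1
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum inspect.json logs.txt actions.log
        else
            shasum -a 256 inspect.json logs.txt actions.log
        fi > SHA256SUMS
    )
    printf '%s\n' "$dir"
}

# Stand-alone use: ISOLATE_TARGET=<container-id> sh isolate.sh
if [ -n "${ISOLATE_TARGET:-}" ]; then
    isolate_container "$ISOLATE_TARGET" "${EVIDENCE_ROOT:-./evidence}"
fi
```

Copy the evidence directory off the host before any further action; the `SHA256SUMS` file lets you prove later that `inspect.json` and `logs.txt` were not altered after collection.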
> **Policy Owner**: Vish <email@example.com>
---
### Quick Reference Links
- [Secrets Store Guide](../services/secret-store.md)
- [SSH Hardening](../infrastructure/SSH_ACCESS_GUIDE.md)
- [Firewall Rules](../infrastructure/port-forwarding-guide.md)