Wiki v1.0

Added a wiki

config-templates/dokuwiki/data/pages/architecture/security.txt

@@ -0,0 +1,299 @@
+====== Security Architecture ======
+
+The AI-Homelab implements a comprehensive security model based on defense in depth, zero trust principles, and industry best practices.
+
+===== Security Principles =====
+
+**Defense in Depth:**
+  * **Multiple Layers**: Network, application, and data security
+  * **Fail-Safe Defaults**: Secure by default, explicit opt-out
+  * **Least Privilege**: Minimal required permissions
+  * **Continuous Monitoring**: Real-time threat detection
+
+**Zero Trust:**
+  * **Never Trust**: Verify every access request
+  * **Assume Breach**: Design for compromised systems
+  * **Micro-Segmentation**: Isolate services and data
+  * **Continuous Verification**: Ongoing authentication
+
+**Compliance:**
+  * **Data Protection**: Encryption at rest and in transit
+  * **Access Control**: Role-based and attribute-based access
+  * **Audit Logging**: Comprehensive activity tracking
+  * **Regular Updates**: Security patch management
+
+===== Authentication & Authorization =====
+
+**Authelia SSO System:**
+
+**Architecture:**
+  * **Protocol**: OpenID Connect, SAML 2.0
+  * **Storage**: File-based user database
+  * **Session Management**: Secure JWT tokens
+  * **Multi-Factor**: TOTP, WebAuthn, Push notifications
+
+**User Management:**
+```yaml
+users:
+  admin:
+    displayname: Administrator
+    password: $argon2id$...
+    email: admin@yourdomain.duckdns.org
+    groups:
+      - admins
+      - dev
+```
+
+**Access Policies:**
+```yaml
+access_control:
+  default_policy: deny
+  rules:
+    # Admin services require 2FA
+    - domain: "*.yourdomain.duckdns.org"
+      policy: two_factor
+      subject:
+        - "group:admins"
+    
+    # Media services bypass SSO
+    - domain: "jellyfin.yourdomain.duckdns.org"
+      policy: bypass
+    
+    # API access with tokens
+    - domain: "*.yourdomain.duckdns.org"
+      policy: one_factor
+      resources:
+        - "^/api/.*"
+```
+
+**Session Security:**
+  * **Expiration**: 8 hour sessions
+  * **Inactivity Timeout**: 10 minute timeout
+  * **Secure Cookies**: HttpOnly, Secure, SameSite
+  * **CSRF Protection**: Token-based validation
+
+===== SSL/TLS Encryption =====
+
+**Certificate Management:**
+  * **Authority**: Let's Encrypt (trusted CA)
+  * **Type**: Wildcard ECDSA certificate
+  * **Domains**: *.yourdomain.duckdns.org
+  * **Renewal**: Automatic (30 days before expiry)
+
+**SSL Configuration:**
+```yaml
+tls:
+  certificates:
+    - certFile: /ssl/cert.pem
+      keyFile: /ssl/private.key
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+      sniStrict: true
+```
+
+**Security Headers:**
+```yaml
+headers:
+  # Prevent clickjacking
+  customResponseHeaders:
+    X-Frame-Options: "SAMEORIGIN"
+    X-Content-Type-Options: "nosniff"
+    Referrer-Policy: "strict-origin-when-cross-origin"
+    Permissions-Policy: "geolocation=(), microphone=(), camera=()"
+  
+  # HSTS (HTTP Strict Transport Security)
+  stsSeconds: 31536000
+  stsIncludeSubdomains: true
+  stsPreload: true
+```
+
+===== Network Security =====
+
+**Firewall Configuration:**
+  * **UFW**: Uncomplicated Firewall
+  * **Default Policy**: Deny all incoming
+  * **Allowed Ports**: 22 (SSH), 80 (HTTP), 443 (HTTPS)
+  * **Docker Isolation**: Container network segmentation
+
+**Network Segmentation:**
+  * **traefik-network**: Web-facing services
+  * **homelab-network**: Internal services
+  * **media-network**: Media services
+  * **isolated-networks**: High-security services
+
+**VPN Protection:**
+  * **Gluetun**: VPN client container
+  * **Provider**: Surfshark (configurable)
+  * **Protocol**: WireGuard (preferred)
+  * **Kill Switch**: Prevents IP leaks
+
+===== Container Security =====
+
+**Docker Security Best Practices:**
+  * **Non-root Users**: PUID/PGID environment variables
+  * **No Privileged Containers**: Minimal capabilities
+  * **Read-only Filesystems**: Where possible
+  * **Resource Limits**: CPU and memory constraints
+
+**Security Scanning:**
+```yaml
+# Trivy vulnerability scanning
+docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
+  aquasec/trivy image your-image:latest
+
+# Container security audit
+docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
+  docker/docker-bench-security
+```
+
+**Image Security:**
+  * **Official Images**: LinuxServer.io preferred
+  * **Version Pinning**: Specific version tags
+  * **SBOM**: Software Bill of Materials
+  * **Signature Verification**: Image signing
+
+===== Data Protection =====
+
+**Encryption at Rest:**
+  * **SSL Certificates**: Encrypted storage
+  * **User Data**: Service-specific encryption
+  * **Backups**: AES-256 encryption
+  * **Secrets**: Environment variable protection
+
+**Encryption in Transit:**
+  * **HTTPS**: End-to-end encryption
+  * **API Communication**: TLS 1.2+
+  * **Database Connections**: SSL/TLS
+  * **VPN Tunneling**: WireGuard/OpenVPN
+
+**Data Classification:**
+  * **Public**: No encryption required
+  * **Internal**: TLS encryption
+  * **Sensitive**: Additional encryption layers
+  * **Critical**: Multi-layer encryption
+
+===== Access Control =====
+
+**Role-Based Access Control (RBAC):**
+```yaml
+# Authelia groups
+groups:
+  admins:
+    - admin
+  users:
+    - user1
+    - user2
+  media:
+    - family
+```
+
+**Service-Level Permissions:**
+  * **Nextcloud**: User and group permissions
+  * **Gitea**: Repository access control
+  * **Grafana**: Dashboard permissions
+  * **API Keys**: Scoped access tokens
+
+**Network Access Control:**
+  * **IP Whitelisting**: Restrict by IP address
+  * **Geo-blocking**: Country-based restrictions
+  * **Rate Limiting**: Prevent brute force attacks
+  * **Fail2Ban**: SSH protection
+
+===== Monitoring & Auditing =====
+
+**Security Monitoring:**
+  * **Authentication Logs**: Authelia events
+  * **Access Logs**: Traefik requests
+  * **System Logs**: Docker and system events
+  * **Intrusion Detection**: Pattern matching
+
+**Audit Logging:**
+```yaml
+# Loki log aggregation
+scrape_configs:
+  - job_name: 'authelia'
+    static_configs:
+      - targets: ['authelia:9091']
+    relabel_configs:
+      - source_labels: [__address__]
+        target_label: __param_target
+      - source_labels: [__param_target]
+        target_label: instance
+      - target_label: __address__
+        replacement: localhost:3100
+```
+
+**Alerting:**
+  * **Failed Logins**: Brute force detection
+  * **Certificate Expiry**: SSL renewal warnings
+  * **Service Downtime**: Availability monitoring
+  * **Security Events**: Suspicious activity
+
+===== Threat Mitigation =====
+
+**Common Threats:**
+  * **Brute Force**: Rate limiting, 2FA
+  * **SQL Injection**: Parameterized queries
+  * **XSS**: Content Security Policy
+  * **CSRF**: Token validation
+
+**Incident Response:**
+  1. **Detection**: Monitoring alerts
+  2. **Assessment**: Determine impact
+  3. **Containment**: Isolate affected systems
+  4. **Recovery**: Restore from backups
+  5. **Lessons Learned**: Update policies
+
+**Backup Security:**
+  * **Encryption**: AES-256-GCM
+  * **Integrity**: SHA-256 checksums
+  * **Retention**: Configurable policies
+  * **Testing**: Regular restoration tests
+
+===== Compliance & Governance =====
+
+**Security Standards:**
+  * **OWASP**: Web application security
+  * **NIST**: Cybersecurity framework
+  * **ISO 27001**: Information security
+  * **GDPR**: Data protection
+
+**Regular Assessments:**
+  * **Vulnerability Scanning**: Weekly
+  * **Penetration Testing**: Monthly
+  * **Security Audits**: Quarterly
+  * **Compliance Reviews**: Annual
+
+**Documentation:**
+  * **Security Policies**: Access and usage rules
+  * **Incident Response**: Procedures and contacts
+  * **Change Management**: Update procedures
+  * **Training**: Security awareness
+
+===== Advanced Security =====
+
+**Zero Trust Network Access (ZTNA):**
+  * **Identity-Based**: User and device verification
+  * **Context-Aware**: Risk-based access
+  * **Micro-Segmentation**: Service isolation
+  * **Continuous Monitoring**: Real-time assessment
+
+**Secrets Management:**
+  * **Environment Variables**: Runtime secrets
+  * **Docker Secrets**: Swarm mode secrets
+  * **External Vaults**: HashiCorp Vault integration
+  * **Key Rotation**: Automatic secret renewal
+
+**Intrusion Detection:**
+  * **Network IDS**: Traffic analysis
+  * **Host IDS**: System monitoring
+  * **Log Analysis**: Pattern detection
+  * **SIEM Integration**: Centralized logging
+
+This security architecture provides comprehensive protection for your homelab while maintaining usability and performance.
+
+**Next:** Learn about [[architecture:storage|Storage Strategy]] or [[architecture:backup|Backup Strategy]].