Wiki v1.0

Added a wiki

config-templates/dokuwiki/data/pages/getting_started/security.txt

@@ -0,0 +1,245 @@
+====== Security Setup ======
+
+Secure your homelab with proper authentication, encryption, and access controls.
+
+===== Two-Factor Authentication =====
+
+**Enable 2FA for Authelia:**
+
+1. **Access Authelia:**
+   * URL: `https://auth.yourdomain.duckdns.org`
+   * Login with admin credentials
+
+2. **Configure TOTP:**
+   * Go to **Settings** → **One-Time Password**
+   * Install authenticator app (Google Authenticator, Authy, etc.)
+   * Scan QR code or enter secret manually
+   * Enter verification code to enable
+
+3. **Backup Codes:**
+   * Generate backup codes for recovery
+   * Store securely (encrypted password manager)
+   * Use only for emergency access
+
+**2FA Best Practices:**
+  * Use hardware security keys when possible
+  * Enable biometric authentication on mobile
+  * Regularly rotate backup codes
+  * Test recovery process
+
+===== Access Control Policies =====
+
+**Authelia Configuration:**
+  * Location: `/opt/stacks/core/authelia/configuration.yml`
+
+**Default Policies:**
+```yaml
+access_control:
+  default_policy: deny
+  rules:
+    # Admin services - require 2FA
+    - domain: "*.yourdomain.duckdns.org"
+      policy: two_factor
+      
+    # Media services - bypass SSO (app compatibility)
+    - domain: jellyfin.yourdomain.duckdns.org
+      policy: bypass
+    - domain: plex.yourdomain.duckdns.org
+      policy: bypass
+      
+    # Home Assistant - bypass (built-in auth)
+    - domain: ha.yourdomain.duckdns.org
+      policy: bypass
+```
+
+**Policy Types:**
+  * **deny**: Block all access
+  * **one_factor**: Username + password only
+  * **two_factor**: Username + password + 2FA
+  * **bypass**: No authentication required
+
+===== SSL/TLS Security =====
+
+**Certificate Management:**
+  * **Issuer**: Let's Encrypt (trusted CA)
+  * **Type**: Wildcard certificate (*.yourdomain.duckdns.org)
+  * **Algorithm**: ECDSA P-256 with SHA-256
+  * **Validity**: 90 days with automatic renewal
+
+**Security Headers:**
+  * **HSTS**: HTTP Strict Transport Security
+  * **CSP**: Content Security Policy
+  * **X-Frame-Options**: Clickjacking protection
+  * **X-Content-Type-Options**: MIME sniffing prevention
+
+**Traefik Security:**
+```yaml
+# In traefik.yml
+http:
+  middlewares:
+    security-headers:
+      headers:
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        customResponseHeaders:
+          X-Frame-Options: "SAMEORIGIN"
+          X-Content-Type-Options: "nosniff"
+          Referrer-Policy: "strict-origin-when-cross-origin"
+          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
+```
+
+===== Firewall Configuration =====
+
+**UFW Rules (automatically configured):**
+```bash
+# Allow SSH
+sudo ufw allow ssh
+
+# Allow HTTP/HTTPS
+sudo ufw allow 80
+sudo ufw allow 443
+
+# Enable firewall
+sudo ufw enable
+```
+
+**Docker Security:**
+  * Containers run as non-root users
+  * No privileged containers
+  * Minimal exposed ports
+  * Network isolation
+
+===== Password Security =====
+
+**Strong Password Requirements:**
+  * Minimum 12 characters
+  * Mix of uppercase, lowercase, numbers, symbols
+  * No dictionary words or common patterns
+  * Unique per service
+
+**Password Manager Integration:**
+  * Use Bitwarden/Vaultwarden for password storage
+  * Enable auto-fill for services
+  * Regular password rotation
+  * Emergency access setup
+
+===== VPN and Network Security =====
+
+**Download Protection:**
+  * qBittorrent routes through Gluetun VPN
+  * All torrent traffic encrypted
+  * No IP leaks during downloads
+
+**Network Segmentation:**
+  * Services isolated in Docker networks
+  * Database access restricted
+  * External services proxied through Traefik
+
+===== Backup Security =====
+
+**Encrypted Backups:**
+  * Use Backrest with encryption
+  * Store encryption keys securely
+  * Offsite backup storage
+  * Regular integrity checks
+
+**Backup Verification:**
+```bash
+# Test backup restoration
+restic restore latest --target /tmp/restore-test
+restic check
+```
+
+===== Service-Specific Security =====
+
+**Nextcloud Security:**
+  * Enable brute force protection
+  * Configure trusted domains
+  * Set up file encryption
+  * Regular security scans
+
+**Gitea Security:**
+  * Disable public registration
+  * Enable SSH key authentication
+  * Configure access tokens
+  * Regular repository backups
+
+**Database Security:**
+  * Strong database passwords
+  * Network isolation
+  * Regular updates
+  * Query logging
+
+===== Monitoring and Alerts =====
+
+**Security Monitoring:**
+  * Enable fail2ban for SSH protection
+  * Monitor authentication attempts
+  * Set up intrusion detection
+  * Log analysis with Loki/Promtail
+
+**Alert Configuration:**
+  * Failed login notifications
+  * Certificate expiration warnings
+  * Service downtime alerts
+  * Security vulnerability notifications
+
+===== Incident Response =====
+
+**Security Breach Response:**
+  1. **Isolate**: Disconnect affected systems
+  2. **Assess**: Determine scope of breach
+  3. **Contain**: Change all passwords
+  4. **Recover**: Restore from clean backups
+  5. **Learn**: Update security policies
+
+**Emergency Access:**
+  * Keep backup authentication methods
+  * Document recovery procedures
+  * Test incident response plans
+  * Regular security audits
+
+===== Advanced Security =====
+
+**Certificate Pinning:**
+  * Pin Let's Encrypt intermediate certificates
+  * Monitor certificate transparency logs
+  * Automated certificate validation
+
+**Zero Trust Architecture:**
+  * Every access request verified
+  * Minimal privilege access
+  * Continuous authentication
+  * Network micro-segmentation
+
+**Compliance Considerations:**
+  * Data encryption at rest and in transit
+  * Access logging and monitoring
+  * Regular security assessments
+  * Privacy-preserving configurations
+
+===== Security Checklist =====
+
+**Initial Setup:**
+  * [ ] 2FA enabled for all admin accounts
+  * [ ] Strong, unique passwords everywhere
+  * [ ] SSL certificates properly configured
+  * [ ] Firewall rules verified
+  * [ ] VPN configured for downloads
+
+**Ongoing Security:**
+  * [ ] Regular password rotation
+  * [ ] Security updates applied
+  * [ ] Backup encryption verified
+  * [ ] Access logs reviewed
+  * [ ] Security scans performed
+
+**Emergency Preparedness:**
+  * [ ] Backup authentication methods available
+  * [ ] Incident response plan documented
+  * [ ] Recovery procedures tested
+  * [ ] Contact information current
+
+Your homelab is now secure! Continue to [[architecture:security|Security Architecture]] for detailed technical information.
+
+**Need help?** Check [[troubleshooting:ssl|SSL Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].