====== Security Setup ======

Secure your homelab with proper authentication, encryption, and access controls.

===== Two-Factor Authentication =====

**Enable 2FA for Authelia:**

1. **Access Authelia:**
   * URL: `https://auth.yourdomain.duckdns.org`
   * Log in with admin credentials
2. **Configure TOTP:**
   * Go to **Settings** → **One-Time Password**
   * Install an authenticator app (Google Authenticator, Authy, etc.)
   * Scan the QR code or enter the secret manually
   * Enter the verification code to enable TOTP
3. **Backup Codes:**
   * Generate backup codes for recovery
   * Store them securely (encrypted password manager)
   * Use them only for emergency access

**2FA Best Practices:**

* Use hardware security keys when possible
* Enable biometric authentication on mobile
* Regularly rotate backup codes
* Test the recovery process

===== Access Control Policies =====

**Authelia Configuration:**

* Location: `/opt/stacks/core/authelia/configuration.yml`

**Default Policies:**

```yaml
access_control:
  default_policy: deny
  rules:
    # Rules are evaluated top to bottom and the first match wins, so the
    # per-host bypass rules must precede the wildcard two_factor rule;
    # otherwise the wildcard matches every host and bypass never applies.

    # Media services - bypass SSO (app compatibility)
    - domain: jellyfin.yourdomain.duckdns.org
      policy: bypass
    - domain: plex.yourdomain.duckdns.org
      policy: bypass

    # Home Assistant - bypass (built-in auth)
    - domain: ha.yourdomain.duckdns.org
      policy: bypass

    # Everything else (admin services) - require 2FA
    - domain: "*.yourdomain.duckdns.org"
      policy: two_factor
```

**Policy Types:**

* **deny**: Block all access
* **one_factor**: Username + password only
* **two_factor**: Username + password + 2FA
* **bypass**: No authentication required

===== SSL/TLS Security =====

**Certificate Management:**

* **Issuer**: Let's Encrypt (trusted CA)
* **Type**: Wildcard certificate (`*.yourdomain.duckdns.org`)
* **Algorithm**: ECDSA P-256 with SHA-256
* **Validity**: 90 days with automatic renewal

**Security Headers:**

* **HSTS**: HTTP Strict Transport Security
* **CSP**: Content Security Policy
* **X-Frame-Options**: Clickjacking protection
* **X-Content-Type-Options**: MIME sniffing prevention

**Traefik Security:**

```yaml
# Dynamic configuration (Traefik file provider, e.g. dynamic.yml);
# http.middlewares is not accepted in the static traefik.yml
http:
  middlewares:
    security-headers:
      headers:
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          X-Frame-Options: "SAMEORIGIN"
          X-Content-Type-Options: "nosniff"
          Referrer-Policy: "strict-origin-when-cross-origin"
          Permissions-Policy: "geolocation=(), microphone=(), camera=()"
```

===== Firewall Configuration =====

**UFW Rules (automatically configured):**

```bash
# Allow SSH
sudo ufw allow ssh

# Allow HTTP/HTTPS
sudo ufw allow 80
sudo ufw allow 443

# Enable firewall
sudo ufw enable
```

**Docker Security:**

* Containers run as non-root users
* No privileged containers
* Minimal exposed ports
* Network isolation

===== Password Security =====

**Strong Password Requirements:**

* Minimum 12 characters
* Mix of uppercase, lowercase, numbers, symbols
* No dictionary words or common patterns
* Unique per service

**Password Manager Integration:**

* Use Bitwarden/Vaultwarden for password storage
* Enable auto-fill for services
* Regular password rotation
* Emergency access setup

===== VPN and Network Security =====

**Download Protection:**

* qBittorrent routes through the Gluetun VPN
* All torrent traffic encrypted
* No IP leaks during downloads

**Network Segmentation:**

* Services isolated in Docker networks
* Database access restricted
* External services proxied through Traefik

===== Backup Security =====

**Encrypted Backups:**

* Use Backrest with encryption
* Store encryption keys securely
* Offsite backup storage
* Regular integrity checks

**Backup Verification:**

```bash
# Test backup restoration into a scratch directory, then verify the repository
restic restore latest --target /tmp/restore-test
restic check
```

===== Service-Specific Security =====

**Nextcloud Security:**

* Enable brute force protection
* Configure trusted domains
* Set up file encryption
* Regular security scans

**Gitea Security:**

* Disable public registration
* Enable SSH key authentication
* Configure access tokens
* Regular repository backups

**Database Security:**

* Strong database passwords
* Network isolation
* Regular updates
* Query logging

===== Monitoring and Alerts =====

**Security Monitoring:**

* Enable fail2ban for SSH protection
* Monitor authentication attempts
* Set up intrusion detection
* Log analysis with Loki/Promtail

**Alert Configuration:**

* Failed login notifications
* Certificate expiration warnings
* Service downtime alerts
* Security vulnerability notifications

===== Incident Response =====

**Security Breach Response:**

1. **Isolate**: Disconnect affected systems
2. **Assess**: Determine the scope of the breach
3. **Contain**: Change all passwords
4. **Recover**: Restore from clean backups
5. **Learn**: Update security policies

**Emergency Access:**

* Keep backup authentication methods
* Document recovery procedures
* Test incident response plans
* Regular security audits

===== Advanced Security =====

**Certificate Pinning:**

* Pin Let's Encrypt intermediate certificates
* Monitor certificate transparency logs
* Automated certificate validation

**Zero Trust Architecture:**

* Every access request verified
* Minimal privilege access
* Continuous authentication
* Network micro-segmentation

**Compliance Considerations:**

* Data encryption at rest and in transit
* Access logging and monitoring
* Regular security assessments
* Privacy-preserving configurations

===== Security Checklist =====

**Initial Setup:**

* [ ] 2FA enabled for all admin accounts
* [ ] Strong, unique passwords everywhere
* [ ] SSL certificates properly configured
* [ ] Firewall rules verified
* [ ] VPN configured for downloads

**Ongoing Security:**

* [ ] Regular password rotation
* [ ] Security updates applied
* [ ] Backup encryption verified
* [ ] Access logs reviewed
* [ ] Security scans performed

**Emergency Preparedness:**

* [ ] Backup authentication methods available
* [ ] Incident response plan documented
* [ ] Recovery procedures tested
* [ ] Contact information current

Your homelab is now secure! Continue to [[architecture:security|Security Architecture]] for detailed technical information.
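Authelia applies the first rule whose domain matches, so the order of the `access_control` rules in the Access Control Policies section decides the effective policy for each host. The script below is an added example, not the AI-Homelab project's code: it evaluates a domain-only rule list the way Authelia does and flags rules that an earlier wildcard makes unreachable, using the page's placeholder domain and hosts.

```python
"""Added example (not the AI-Homelab project's code): evaluate Authelia
access_control rules the way Authelia does (first match wins) and report
rules that an earlier rule makes unreachable."""

DEFAULT_POLICY = "deny"
DOMAIN = "yourdomain.duckdns.org"  # the page's placeholder domain

# Constructed (domain pattern, policy) lists in configuration.yml order.
# Only domain criteria are modelled, as in the page's rules.
SPECIFIC_FIRST = [
    (f"jellyfin.{DOMAIN}", "bypass"),
    (f"plex.{DOMAIN}", "bypass"),
    (f"ha.{DOMAIN}", "bypass"),
    (f"*.{DOMAIN}", "two_factor"),
]
WILDCARD_FIRST = [SPECIFIC_FIRST[-1]] + SPECIFIC_FIRST[:-1]


def domain_matches(pattern: str, host: str) -> bool:
    """'*.suffix' matches any host ending in '.suffix'; otherwise exact match."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def effective_policy(host: str, rules: list, default: str = DEFAULT_POLICY) -> str:
    """Policy of the first rule whose domain matches, else default_policy."""
    for pattern, policy in rules:
        if domain_matches(pattern, host):
            return policy
    return default


def unreachable_rules(rules: list) -> list:
    """Patterns that can never fire: an earlier wildcard already covers the
    exact host (or the narrower wildcard), or an identical pattern precedes it."""
    dead = []
    for index, (pattern, _) in enumerate(rules):
        for earlier, _ in rules[:index]:
            covered = (pattern.endswith(earlier[1:]) if earlier.startswith("*.")
                       else pattern == earlier)
            if covered:
                dead.append(pattern)
                break
    return dead


if __name__ == "__main__":
    for name, rules in (("wildcard first", WILDCARD_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(name, effective_policy(f"jellyfin.{DOMAIN}", rules), unreachable_rules(rules))
```

With the wildcard listed first, Jellyfin resolves to `two_factor` and all three bypass rules are reported as unreachable; with the specific hosts first, Jellyfin resolves to `bypass` and an unknown host still falls through to `deny`.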
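To confirm that a service behind the Traefik middleware really returns the headers listed under Security Headers, paste the output of `curl -sI https://<service>` into the following script. It is an added example, not the project's code; the response text is constructed to match the page's middleware, which sets X-Frame-Options and X-Content-Type-Options but neither HSTS nor CSP, and the 180-day HSTS floor is this check's own threshold.

```python
"""Added example (not the AI-Homelab project's code): audit an HTTP response
header block against the headers listed under Security Headers."""
import re

# Constructed `curl -sI` output for a service behind the page's Traefik
# security-headers middleware, which sets the four customResponseHeaders
# but, as written, neither HSTS nor CSP.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: geolocation=(), microphone=(), camera=()
"""

MIN_HSTS_AGE = 15552000  # 180 days; the floor this check enforces


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    match = re.search(r"max-age=(\d+)", value)
    return int(match.group(1)) if match else 0


def audit_headers(headers: dict) -> list:
    """Return findings for the page's four headers; an empty list means all pass."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif hsts_max_age(hsts) < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age below {MIN_HSTS_AGE}")
    if "content-security-policy" not in headers:
        findings.append("missing Content-Security-Policy")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY or SAMEORIGIN")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    return findings


if __name__ == "__main__":
    print(audit_headers(parse_headers(SAMPLE_RESPONSE)))
```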
**Need help?** Check [[troubleshooting:ssl|SSL Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].