docs(public): populate phase 2 content

Full public/ directory — services, network, decisions, security, inventory, rebuild sequence, and per-LXC setup guides. Sourced from wiki. No secrets or WAN IPs included.
2026-04-17 21:23:59 -04:00
parent b3104df54d
commit cd454b2926
17 changed files with 2053 additions and 20 deletions
@@ -1,3 +1,60 @@
-# SECURITY
+# Security

-_stub_
+Security posture — what's exposed, how auth works, update cadence, known debt. See [Network](NETWORK.md) for VLAN isolation details.
+
+## Internet-Exposed Ports
+
+| Port | Protocol | Destination | Purpose |
+|------|----------|-------------|---------|
+| 51820 | UDP | pfSense WAN | WireGuard VPN |
+
+No management ports (22, 8006, 443) exposed to the internet. All admin access requires an active WireGuard connection first. Cloudflare DNS-01 challenge handles TLS — no port 80/443 needed on WAN.
+
+## Authentication Layers
+
+| Layer | Mechanism | Coverage |
+|-------|-----------|----------|
+| All web services | Authentik SSO (OIDC or forward auth) | 100% of `*.lerkolabs.com` |
+| VPN | WireGuard pre-shared keys | Required for all remote access |
+| pfSense | Web GUI + SSH key | VPN-only access |
+| Proxmox | Web GUI + SSH key | VPN-only access |
+| Secrets | Vaultwarden (isolated LXC) | All credentials |
+
+No service is accessible anonymously. Guests and IoT have zero access to any internal service.
+
+## Secrets Policy
+
+- No plaintext secrets in any config file committed to the repo
+- All secrets referenced by Vaultwarden entry name (e.g., `homelab/pfsense`)
+- `.env` files in `.gitignore`
+- Vaultwarden lives in its own isolated LXC — no shared container
+
+## Certificate Management
+
+| Domain | Provider | Method | Renewal |
+|--------|----------|--------|---------|
+| `*.lerkolabs.com` | Let's Encrypt via Cloudflare | DNS-01 challenge | Automatic (Caddy) |
+
+Caddy handles all cert issuance and renewal automatically. No manual action unless Cloudflare API token expires.
+
+## Update Cadence
+
+| System | Frequency | Method |
+|--------|-----------|--------|
+| pfSense | Monthly | Manual — System → Update |
+| Proxmox | Monthly | `apt update && apt dist-upgrade` |
+| Pi-hole | Monthly | `pihole -up` |
+| Docker services | Weekly | `docker compose pull && docker compose up -d` |
+| Omada firmware | Quarterly | Omada Controller → Devices |
+| AT&T Gateway | Automatic | AT&T pushes updates |
+| WireGuard keys | Annually (or on peer change) | Rotate in pfSense VPN config |
+
+## Known Technical Debt
+
+| Item | Risk | Priority | Notes |
+|------|------|----------|-------|
+| IoT VLAN rules too broad | Medium | Medium | Currently allows all outbound internet; should restrict to known ports/destinations per device type |
+| No IDS/IPS | Medium | Low | pfSense supports Suricata — not deployed |
+| No automated patching | Low | Low | All updates are manual; no Watchtower or unattended-upgrades on most services |
+| Cloudflare API token scope | Low | Low | Verify token is scoped to DNS-edit only, not zone-admin |
+| Beszel agent coverage | Low | Low | Confirm all LXCs have Beszel agents deployed |