- Full service map (18 public services documented) - Mermaid architecture diagram: Internet → Caddy → Authentik → Apps → AI - AI stack diagram: local router tiers + cloud fallback chain - Deployment guide: VPS spec, Caddy SSO pattern, env layout - Security model: perimeter, auth gates, AI kill-switch, secrets policy - Repo structure tree - Atlas branding header + shields.io badges
1.5 KiB
1.5 KiB
Security model
Perimeter
All HTTP traffic enters through Caddy which:
- Terminates TLS (Let's Encrypt, auto-renew)
- Applies rate limiting
- Logs all requests
Authentication
Authentik (self-hosted) provides SSO via forward_auth:
- Every service route checks with Authentik before proxying
- Unauthenticated requests get a 302 to the login page — never a data response
- Sessions are JWT-based with configurable expiry
- MFA supported (TOTP, WebAuthn)
Network isolation
- Internal services (cockpit, LLM router, DBs) bind to
127.0.0.1only - Admin APIs bind to the Tailscale interface (
100.x.x.x) only - Public internet never reaches internal ports directly
AI agent gates
The Atlas Brain respects a policy file that hard-blocks autonomous action for:
- Any financial transaction
- Any external communication (email, WhatsApp send)
- Any self-modification (config changes, code deploy)
These always require human approval in the Control screen.
Secrets management
- No secrets in git (
.gitignoreenforced) - Vaultwarden (self-hosted) for human-facing passwords
- Env files on the VPS in
/opt/atlas/secrets/(not world-readable) - Rotation: manual — planned for automated rotation via Vault/n8n
What to audit after forking
- Change all default passwords (Authentik akadmin, Forgejo, etc.)
- Rotate the Evolution API key
- Disable Authentik user registration if not needed
- Review Caddy rate-limit thresholds for your traffic
- Set up Uptime Kuma alerts for all services