- Full service map (18 public services documented) - Mermaid architecture diagram: Internet → Caddy → Authentik → Apps → AI - AI stack diagram: local router tiers + cloud fallback chain - Deployment guide: VPS spec, Caddy SSO pattern, env layout - Security model: perimeter, auth gates, AI kill-switch, secrets policy - Repo structure tree - Atlas branding header + shields.io badges
46 lines
1.5 KiB
Markdown
46 lines
1.5 KiB
Markdown
# Security model
|
|
|
|
## Perimeter
|
|
|
|
All HTTP traffic enters through **Caddy** which:
|
|
- Terminates TLS (Let's Encrypt, auto-renew)
|
|
- Applies rate limiting
|
|
- Logs all requests
|
|
|
|
## Authentication
|
|
|
|
**Authentik** (self-hosted) provides SSO via `forward_auth`:
|
|
- Every service route checks with Authentik before proxying
|
|
- Unauthenticated requests get a 302 to the login page — never a data response
|
|
- Sessions are JWT-based with configurable expiry
|
|
- MFA supported (TOTP, WebAuthn)
|
|
|
|
## Network isolation
|
|
|
|
- Internal services (cockpit, LLM router, DBs) bind to `127.0.0.1` only
|
|
- Admin APIs bind to the Tailscale interface (`100.x.x.x`) only
|
|
- Public internet never reaches internal ports directly
|
|
|
|
## AI agent gates
|
|
|
|
The Atlas Brain respects a policy file that hard-blocks autonomous action for:
|
|
- Any financial transaction
|
|
- Any external communication (email, WhatsApp send)
|
|
- Any self-modification (config changes, code deploy)
|
|
|
|
These always require human approval in the Control screen.
|
|
|
|
## Secrets management
|
|
|
|
- No secrets in git (`.gitignore` enforced)
|
|
- Vaultwarden (self-hosted) for human-facing passwords
|
|
- Env files on the VPS in `/opt/atlas/secrets/` (not world-readable)
|
|
- Rotation: manual — planned for automated rotation via Vault/n8n
|
|
|
|
## What to audit after forking
|
|
|
|
1. Change all default passwords (Authentik akadmin, Forgejo, etc.)
|
|
2. Rotate the Evolution API key
|
|
3. Disable Authentik user registration if not needed
|
|
4. Review Caddy rate-limit thresholds for your traffic
|
|
5. Set up Uptime Kuma alerts for all services
|