3 Security
chaib edited this page 2026-06-22 20:29:17 +00:00

Security model

Perimeter

All HTTP traffic enters through Caddy which:

  • Terminates TLS (Let's Encrypt, auto-renew)
  • Applies rate limiting
  • Logs all requests

Authentication

Authentik (self-hosted) provides SSO via forward_auth:

  • Every service route checks with Authentik before proxying
  • Unauthenticated requests get a 302 to the login page — never a data response
  • Sessions are JWT-based with configurable expiry
  • MFA supported (TOTP, WebAuthn)

Network isolation

  • Internal services (cockpit, LLM router, DBs) bind to 127.0.0.1 only
  • Admin APIs bind to the Tailscale interface (100.x.x.x) only
  • Public internet never reaches internal ports directly

AI agent gates

The Atlas Brain respects a policy file that hard-blocks autonomous action for:

  • Any financial transaction
  • Any external communication (email, WhatsApp send)
  • Any self-modification (config changes, code deploy)

These always require human approval in the Control screen.

Secrets management

  • No secrets in git (.gitignore enforced)
  • Vaultwarden (self-hosted) for human-facing passwords
  • Env files on the VPS in /opt/atlas/secrets/ (not world-readable)
  • Rotation: manual — planned for automated rotation via Vault/n8n

What to audit after forking

  1. Change all default passwords (Authentik akadmin, Forgejo, etc.)
  2. Rotate the Evolution API key
  3. Disable Authentik user registration if not needed
  4. Review Caddy rate-limit thresholds for your traffic
  5. Set up Uptime Kuma alerts for all services