wiki: Security
parent
5cdec194c6
commit
2bd8ca941d
1 changed files with 46 additions and 0 deletions
46
Security.md
Normal file
46
Security.md
Normal file
|
|
@ -0,0 +1,46 @@
|
||||||
|
# Security model
|
||||||
|
|
||||||
|
## Perimeter
|
||||||
|
|
||||||
|
All HTTP traffic enters through **Caddy** which:
|
||||||
|
- Terminates TLS (Let's Encrypt, auto-renew)
|
||||||
|
- Applies rate limiting
|
||||||
|
- Logs all requests
|
||||||
|
|
||||||
|
## Authentication
|
||||||
|
|
||||||
|
**Authentik** (self-hosted) provides SSO via `forward_auth`:
|
||||||
|
- Every service route checks with Authentik before proxying
|
||||||
|
- Unauthenticated requests get a 302 to the login page — never a data response
|
||||||
|
- Sessions are JWT-based with configurable expiry
|
||||||
|
- MFA supported (TOTP, WebAuthn)
|
||||||
|
|
||||||
|
## Network isolation
|
||||||
|
|
||||||
|
- Internal services (cockpit, LLM router, DBs) bind to `127.0.0.1` only
|
||||||
|
- Admin APIs bind to the Tailscale interface (`100.x.x.x`) only
|
||||||
|
- Public internet never reaches internal ports directly
|
||||||
|
|
||||||
|
## AI agent gates
|
||||||
|
|
||||||
|
The Atlas Brain respects a policy file that hard-blocks autonomous action for:
|
||||||
|
- Any financial transaction
|
||||||
|
- Any external communication (email, WhatsApp send)
|
||||||
|
- Any self-modification (config changes, code deploy)
|
||||||
|
|
||||||
|
These always require human approval in the Control screen.
|
||||||
|
|
||||||
|
## Secrets management
|
||||||
|
|
||||||
|
- No secrets in git (`.gitignore` enforced)
|
||||||
|
- Vaultwarden (self-hosted) for human-facing passwords
|
||||||
|
- Env files on the VPS in `/opt/atlas/secrets/` (not world-readable)
|
||||||
|
- Rotation: manual — planned for automated rotation via Vault/n8n
|
||||||
|
|
||||||
|
## What to audit after forking
|
||||||
|
|
||||||
|
1. Change all default passwords (Authentik akadmin, Forgejo, etc.)
|
||||||
|
2. Rotate the Evolution API key
|
||||||
|
3. Disable Authentik user registration if not needed
|
||||||
|
4. Review Caddy rate-limit thresholds for your traffic
|
||||||
|
5. Set up Uptime Kuma alerts for all services
|
||||||
Loading…
Reference in a new issue