3fd045aacb
Deploy Dashboard / deploy (push) Successful in 1m28s
- Narrow trusted proxies, remove overly broad 10.0.0.0/8 - Fail closed on missing SSH known_hosts in terminal proxy - Add Navidrome reverse proxy headers for Authelia SSO - Add Gitea docker-compose definition - Add Caddy configs for NAS and VPS edge proxies - Add dnsmasq split-horizon DNS config - Add security execution plan document
4.6 KiB
4.6 KiB
Security Execution Plan (Dual Caddy: VPS Public + NAS Internal)
Confirmed Architecture
caddy-vpsis public ingress only.nas-caddyis internal ingress only (LAN/Tailscale/internal service routing).server2is for VLESS+REALITY and Tailscale exit-node use, not app ingress/CI.- CI/CD is Gitea push-triggered deploy on NAS.
Public Host Responsibility Matrix
auth.jimmygan.com-> VPS Caddy -> NAS Authelia (100.78.131.124:9092).nas.jimmygan.com-> VPS Caddy -> NAS dashboard (100.78.131.124:4000).music.jimmygan.com-> VPS Caddy -> NAS navidrome (100.78.131.124:4533).photos.jimmygan.com-> VPS Caddy -> NAS immich (100.78.131.124:2283).photos-app.jimmygan.com-> VPS Caddy -> NAS immich (100.78.131.124:2283).
All other service domains remain internal-only unless explicitly approved.
Security Objectives
- Keep your public access goals (
nas/music/photos/photos-app) working. - Enforce centralized auth + policy at public edge (
caddy-vps+ Authelia). - Remove secret leakage risk and tighten trust boundaries.
- Preserve internal NAS workflows and current service availability.
Phase 0 - Pre-Change Safety
- Snapshot current configs:
- VPS:
/etc/caddy/Caddyfile - NAS:
/volume1/docker/caddy/Caddyfile - NAS:
/volume1/docker/authelia/config/configuration.yml
- VPS:
- Export backups for dashboard/gitea/immich/auth config + DB.
- Define maintenance window (expect auth/session resets).
Phase 1 - Secret Rotation and Hygiene
- Rotate exposed secrets immediately:
- Authelia
session.secret, storage encryption key, reset JWT secret. - LDAP bind password.
- SMTP app password.
- Gitea DB password and runner registration token.
- Telegram bot token and any API tokens.
- Authelia
- Move secrets to non-git env/secret files.
- Keep
.envand local assistant memory files untracked. - Verify no plaintext secrets remain in tracked files.
Phase 2 - VPS Caddy as Single Public Auth Edge
- Update VPS Caddyfile to include all public hosts:
auth,nas,music,photos,photos-app.
- Ensure
forward_authis applied onnas/music/photos/photos-app. - Keep
auth.jimmygan.comwithoutforward_auth(Authelia portal itself). - Keep TLS + security headers on VPS Caddy.
- Reload Caddy and test all hostnames from public internet.
Phase 3 - Authelia Policy Enforcement
- Keep Authelia + LDAP as unified identity source.
- Enforce mandatory 2FA for public apps:
nas,music,photos,photos-app.
- Use group-based access rules where needed (family/media/admin groups).
- Keep documented break-glass admin recovery procedure.
Phase 4 - NAS Internal Plane Hardening
- Keep NAS Caddy for internal-only domains/routes.
- Remove overlap for public host policies from NAS Caddy (or clearly isolate).
- Reduce direct host port exposure where possible.
- Restrict NAS firewall/source ACL so public app ports are intended-path only.
Phase 5 - Dashboard Hardening
- Tighten trusted proxy logic in dashboard backend:
- Only explicit proxy IPs/subnets.
- No broad trust defaults.
- Harden
/api/auth/proxyagainst header spoofing. - Make SSH terminal fail-closed when
known_hostsis missing. - Move dashboard auth from
localStoragetokens to secure httpOnly cookies. - Add CSRF defenses for state-changing endpoints after cookie migration.
Phase 6 - Jellyfin/LLDAP Persistence Fix
- Persist network attachment in compose (current runtime
docker network connectis not durable). - Avoid exposing LDAP bind ports publicly if not required.
- Keep Jellyfin auth path consistent with Authelia/LDAP strategy.
Phase 7 - Validation Checklist
- Public access works for:
https://nas.jimmygan.comhttps://music.jimmygan.comhttps://photos.jimmygan.comhttps://photos-app.jimmygan.com
- All above require Authelia login and 2FA.
https://auth.jimmygan.comis reachable and stable.- No app access from internet via raw NAS ports.
- Internal-only routes still work from LAN/Tailscale.
- Secret scan returns no tracked plaintext credentials.
Rollback Plan
- Restore previous VPS Caddyfile and reload Caddy.
- Restore previous NAS Caddyfile/Authelia config.
- Revert to prior container image tags if app auth breaks.
- Keep old+new secrets during transition window, then remove old.
New Conversation Handoff Prompt
Use this to resume execution in a new chat:
"Execute SECURITY_EXECUTION_PLAN.md phase-by-phase. Start with Phase 0 and Phase 1 only, show diffs before apply, and validate after each phase. Preserve dual-Caddy architecture: VPS public ingress, NAS internal ingress."