modified: core/authelia/docker-compose.yml

modified: core/crowdsec/docker-compose.yml modified: core/error-pages/docker-compose.yml modified: monitoring/docker-exporter/docker-compose.yml modified: monitoring/docker-socket-proxy/docker-compose.yml deleted: monitoring/influxdb-service/docker-compose.yml modified: monitoring/node-exporter/docker-compose.yml modified: monitoring/pihole-exporter/docker-compose.yml modified: monitoring/telegraf/docker-compose.yml new file: service-access-policy.md
2026-04-13 11:51:45 +10:00
parent 9678c6a8f1
commit 43f25321d7
10 changed files with 86 additions and 50 deletions
@@ -1,6 +1,6 @@
 services:
  authelia:
-    profiles: ["core","all","authelia"]
+    profiles: ["core","all","authelia", "traefik"]
    image: authelia/authelia
    restart: always
    build:
@@ -1,6 +1,6 @@
 services:
  crowdsec:
-    profiles: ["core","all","crowdsec"]
+    profiles: ["core","all","crowdsec", "traefik"]
 #    image: crowdsecurity/crowdsec:latest
    build: ${PROJECT_ROOT}/core/crowdsec
    container_name: crowdsec
@@ -1,6 +1,6 @@
 services:
  error-pages:
-    profiles: ["core","all","error-pages"]
+    profiles: ["core","all","error-pages", "traefik"]
    image: tarampampam/error-pages:3
    restart: always
    container_name: error-pages
@@ -1,6 +1,6 @@
 services:
  docker-update-exporter:
-    profiles: ["monitoring","all","docker-exporter"]
+    profiles: ["monitoring","all","docker-exporter", "prometheus"]
    build:
      context: ${PROJECT_ROOT}/monitoring/docker-exporter
    container_name: docker-update-exporter
@@ -1,6 +1,6 @@
 services:
  docker-socket-proxy:
-    profiles: ["monitoring","all","docker-socket-proxy"]
+    profiles: ["monitoring","all","docker-socket-proxy", "core", "traefik", "prometheus"]
    image: tecnativa/docker-socket-proxy:latest
    container_name: docker-socket-proxy
    hostname: docker-socket-proxy
@@ -1,42 +0,0 @@
 services:
  influxdb:
    profiles: ["monitoring","all","influxdb-service"]
    image: influxdb:2.7
    container_name: influxdb
    restart: unless-stopped
 #    env_file:
 #      - ${PROJECT_ROOT}/secrets/stack-secrets.env
    volumes:
      - ${PROJECT_ROOT}/monitoring/influxdb:/var/lib/influxdb2
    environment:
      DOCKER_INFLUXDB_INIT_MODE: ${INFLUXDB_INIT_MODE}
      DOCKER_INFLUXDB_INIT_USERNAME: ${INFLUXDB_INIT_USERNAME}
      DOCKER_INFLUXDB_INIT_PASSWORD_FILE: /run/secrets/influxdb_init_password
      DOCKER_INFLUXDB_INIT_ORG: ${INFLUXDB_INIT_ORG}
      DOCKER_INFLUXDB_INIT_BUCKET: ${INFLUXDB_INIT_BUCKET}
    secrets:
      - influxdb_init_password
    networks:
 #      - edge
 #      - traefik_reverse_proxy
      - traefik
      - monitor
    labels:
       - "traefik.http.routers.influxdb.rule=Host(`influxdb.lan.ddnsgeek.com`)"
       - "traefik.enable=true"
       - "traefik.http.routers.influxdb.entrypoints=websecure"
       - "traefik.http.routers.influxdb.tls.certresolver=myresolver"
       - "io.portainer.accesscontrol.public"
       - "traefik.http.services.influxdb.loadbalancer.server.port=8086"
       - "traefik.http.routers.influxdb.middlewares=authelia"
       - "traefik.docker.network=core_traefik"
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:8086/health || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
 secrets:
  influxdb_init_password:
    file: ${PROJECT_ROOT}/secrets/influxdb_init_password.txt
@@ -1,6 +1,6 @@
 services:
  node-exporter:
-    profiles: ["monitoring","all","node-exporter"]
+    profiles: ["monitoring","all","node-exporter", "prometheus"]
    image: prom/node-exporter:latest
    container_name: node-exporter
    pid: host
@@ -1,6 +1,6 @@
 services:
  pihole-exporter:
-    profiles: ["monitoring","all","pihole-exporter"]
+    profiles: ["monitoring","all","pihole-exporter", "prometheus"]
    image: ekofr/pihole-exporter:latest
    container_name: pihole-exporter
 #    env_file:
@@ -1,6 +1,6 @@
 services:
  telegraf:
-    profiles: ["monitoring","all","telegraf"]
+    profiles: ["monitoring","all","telegraf", "prometheus"]
    image: telegraf:latest
    container_name: telegraf
    restart: unless-stopped
@@ -0,0 +1,78 @@
 # Service Access Policy and External Exposure Hardening
 ## 1) Service classification
 | Service/Host | Classification | Rationale |
 |---|---|---|
 | `auth.lan.ddnsgeek.com` | `authenticated-public` | Public identity/login entrypoint; internet-accessible but requires user authentication. |
 | `nextcloud.lan.ddnsgeek.com` | `authenticated-public` | Internet-facing collaboration app that must remain reachable to authenticated users. |
 | `passbolt.lan.ddnsgeek.com` | `authenticated-public` | Public password-management portal with strong authentication controls. |
 | `gitea.lan.ddnsgeek.com` | `authenticated-public` | Public developer endpoint with account-based access. |
 | `searxng.lan.ddnsgeek.com` | `public` | Intended anonymous/search access endpoint. |
 | `familytree.lan.ddnsgeek.com` | `authenticated-public` | End-user app; externally reachable but login-protected. |
 | `shifts.lan.ddnsgeek.com` | `authenticated-public` | End-user app; externally reachable but login-protected. |
 | `stockfill.lan.ddnsgeek.com` | `authenticated-public` | End-user app; externally reachable but login-protected. |
 | `gotify.lan.ddnsgeek.com` | `private-admin` | Admin/ops notification backend; should not be internet reachable. |
 | `grafana.lan.ddnsgeek.com` | `private-admin` | Infrastructure admin/observability console. |
 | `prometheus.lan.ddnsgeek.com` | `private-admin` | Monitoring datastore/query interface. |
 | `node-red.lan.ddnsgeek.com` | `private-admin` | Automation runtime and flow editor. |
 | `traefik.lan.ddnsgeek.com` | `private-admin` | Reverse-proxy admin/dashboard surface. |
 | `portainer.lan.ddnsgeek.com` | `private-admin` | Container management plane. |
 | `influxdb.lan.ddnsgeek.com` | `private-admin` | Metrics datastore admin/API surface. |
 | `kuma.lan.ddnsgeek.com` | `private-admin` | Monitoring admin surface. |
 | `monitor-kuma.lan.ddnsgeek.com` | `private-admin` | Monitoring admin surface. |
 | `edge.lan.ddnsgeek.com` | `private-admin` | Edge/network administration plane. |
 ## 2) Required controls for `private-admin`
 Apply **at least one** trusted-path control (preferably layered):
 - Private network only (no public DNS / no internet route).
 - WireGuard/Tailscale/OpenVPN access gate.
 - mTLS client certificate requirement at reverse proxy.
 - Source IP allowlist at firewall and reverse proxy.
 Minimum target state for all `private-admin` hosts:
 - Public internet: connection refused/timeout, or immediate `403` for untrusted source.
 - Trusted path (VPN/mTLS/allowlisted IP): normal authenticated access.
 ## 3) Gateway auth hardening
 For all `public` and `authenticated-public` services:
 - Keep SSO and MFA enforcement at the identity gateway.
 - Enforce lockout/backoff on `/login`, `/oauth/*`, `/auth/*`, `/api/auth/*`.
 - Rate-limit by source IP + account identifier to deter credential stuffing.
 Suggested baseline:
 - Soft limit: `10 req/min` per IP for auth endpoints.
 - Burst: `20`.
 - Temporary block: `15 min` after repeated failures.
 - Account lockout: `5-10` consecutive failed attempts (with secure unlock flow).
 ## 4) WAF / reverse-proxy protections
 Deploy one of:
 - WAF managed rules for bot/credential-stuffing signatures.
 - Reverse-proxy failed-auth throttling and tarpit/delay policy.
 Implement logging + alerting thresholds:
 - High failed-auth rate from one IP/CIDR.
 - Password spray pattern across many usernames.
 - Geo/ASN anomalies for sensitive apps.
 ## 5) External re-test procedure
 Re-test from a non-trusted external network and record outcomes.
 Success criteria:
 - Every `private-admin` host is inaccessible without VPN/mTLS/allowlisted source.
 - `public` and `authenticated-public` hosts remain reachable.
 - Auth endpoints trigger rate-limit/lockout controls under failed-attempt simulation.
 Use `./scripts/retest-external-access.sh` for a repeatable external validation pass.