docker/service-access-policy.md
Commit 43f25321d7 (2026-04-13 11:51:45 +10:00):
	modified:   core/authelia/docker-compose.yml
	modified:   core/crowdsec/docker-compose.yml
	modified:   core/error-pages/docker-compose.yml
	modified:   monitoring/docker-exporter/docker-compose.yml
	modified:   monitoring/docker-socket-proxy/docker-compose.yml
	deleted:    monitoring/influxdb-service/docker-compose.yml
	modified:   monitoring/node-exporter/docker-compose.yml
	modified:   monitoring/pihole-exporter/docker-compose.yml
	modified:   monitoring/telegraf/docker-compose.yml
	new file:   service-access-policy.md

# Service Access Policy and External Exposure Hardening
## 1) Service classification
| Service/Host | Classification | Rationale |
|---|---|---|
| `auth.lan.ddnsgeek.com` | `authenticated-public` | Public identity/login entrypoint; internet-accessible but requires user authentication. |
| `nextcloud.lan.ddnsgeek.com` | `authenticated-public` | Internet-facing collaboration app that must remain reachable to authenticated users. |
| `passbolt.lan.ddnsgeek.com` | `authenticated-public` | Public password-management portal with strong authentication controls. |
| `gitea.lan.ddnsgeek.com` | `authenticated-public` | Public developer endpoint with account-based access. |
| `searxng.lan.ddnsgeek.com` | `public` | Intended anonymous/search access endpoint. |
| `familytree.lan.ddnsgeek.com` | `authenticated-public` | End-user app; externally reachable but login-protected. |
| `shifts.lan.ddnsgeek.com` | `authenticated-public` | End-user app; externally reachable but login-protected. |
| `stockfill.lan.ddnsgeek.com` | `authenticated-public` | End-user app; externally reachable but login-protected. |
| `gotify.lan.ddnsgeek.com` | `private-admin` | Admin/ops notification backend; should not be internet reachable. |
| `grafana.lan.ddnsgeek.com` | `private-admin` | Infrastructure admin/observability console. |
| `prometheus.lan.ddnsgeek.com` | `private-admin` | Monitoring datastore/query interface. |
| `node-red.lan.ddnsgeek.com` | `private-admin` | Automation runtime and flow editor. |
| `traefik.lan.ddnsgeek.com` | `private-admin` | Reverse-proxy admin/dashboard surface. |
| `portainer.lan.ddnsgeek.com` | `private-admin` | Container management plane. |
| `influxdb.lan.ddnsgeek.com` | `private-admin` | Metrics datastore admin/API surface. |
| `kuma.lan.ddnsgeek.com` | `private-admin` | Monitoring admin surface. |
| `monitor-kuma.lan.ddnsgeek.com` | `private-admin` | Monitoring admin surface. |
| `edge.lan.ddnsgeek.com` | `private-admin` | Edge/network administration plane. |
## 2) Required controls for `private-admin`
Apply **at least one** trusted-path control (preferably layered):
- Private network only (no public DNS / no internet route).
- WireGuard/Tailscale/OpenVPN access gate.
- mTLS client certificate requirement at reverse proxy.
- Source IP allowlist at firewall and reverse proxy.
Minimum target state for all `private-admin` hosts:
- Public internet: connection refused/timeout, TLS handshake rejected (mTLS with no client certificate presented), or an immediate `403` for an untrusted source. An internet-reachable login page does not meet the target, since it leaves the service open to credential attacks.
- Trusted path (VPN/mTLS/allowlisted IP): normal authenticated access.
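As an added example (not configuration from this repository), the following Traefik v3 file-provider dynamic configuration applies two of the controls above to the `traefik.lan.ddnsgeek.com` router: a source IP allowlist middleware and a TLS options set that requires a client certificate signed by an admin CA. The subnets, the CA path, the `websecure` entrypoint and the names `admin-allowlist` / `admin-mtls` are assumptions; the commented-out router shows the weak starting point for comparison.

```yaml
# Added example, not the repository's own config. Traefik v3 dynamic
# configuration (file provider). Assumed values: LAN 192.168.1.0/24,
# WireGuard client subnet 10.8.0.0/24, client CA at /certs/admin-client-ca.pem,
# TLS entrypoint named "websecure".
http:
  middlewares:
    admin-allowlist:
      ipAllowList:
        sourceRange:
          - "192.168.1.0/24"   # LAN
          - "10.8.0.0/24"      # WireGuard clients
        # ipStrategy is deliberately unset so the TCP peer address is used.
        # Only set ipStrategy.depth when Traefik sits behind a proxy you
        # control; otherwise X-Forwarded-For is attacker-controlled and the
        # allowlist can be bypassed with a forged header.

  routers:
    # Weak: anyone who resolves the name reaches the dashboard login.
    # traefik-dashboard:
    #   rule: "Host(`traefik.lan.ddnsgeek.com`)"
    #   entryPoints: ["websecure"]
    #   service: "api@internal"
    #   tls: {}

    # Hardened: the allowlist answers 403 to untrusted sources, and the mTLS
    # option makes the TLS handshake fail before any HTTP response for a
    # client that presents no valid certificate (layered, as section 2 asks).
    traefik-dashboard:
      rule: "Host(`traefik.lan.ddnsgeek.com`)"
      entryPoints: ["websecure"]
      service: "api@internal"
      middlewares: ["admin-allowlist"]
      tls:
        options: "admin-mtls"

tls:
  options:
    admin-mtls:
      minVersion: "VersionTLS12"
      clientAuth:
        caFiles:
          - /certs/admin-client-ca.pem
        clientAuthType: RequireAndVerifyClientCert
```

The `api@internal` service additionally needs `api.dashboard: true` in Traefik's static configuration. Because `tls.options` are selected by SNI, the client-certificate requirement applies only to the `traefik.lan.ddnsgeek.com` hostname; to reuse the middleware from a container's Docker labels reference it as `admin-allowlist@file`.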
## 3) Gateway auth hardening
For all `public` and `authenticated-public` services:
- Keep SSO and MFA enforcement at the identity gateway.
- Enforce lockout/backoff on `/login`, `/oauth/*`, `/auth/*`, `/api/auth/*`.
- Rate-limit by source IP + account identifier to deter credential stuffing.
Suggested baseline:
- Soft limit: `10 req/min` per IP for auth endpoints.
- Burst: `20`.
- Temporary block: `15 min` after repeated failures.
- Account lockout: `5-10` consecutive failed attempts (with secure unlock flow).
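An added example of the baseline above expressed as configuration (not taken from this repository): a Traefik v3 `rateLimit` middleware attached to the Authelia host and to a path-scoped router covering Nextcloud's login/auth endpoints, followed by Authelia's `regulation` block for account lockout. The middleware name `auth-ratelimit`, the service names and backend URLs are assumptions.

```yaml
# Added example, not the repository's own config. Two YAML documents: a
# Traefik v3 file-provider fragment, then an Authelia configuration.yml
# fragment. Assumed names: middleware auth-ratelimit, services authelia and
# nextcloud, entrypoint websecure.
http:
  middlewares:
    auth-ratelimit:
      rateLimit:
        average: 10      # soft limit: 10 requests ...
        period: 1m       # ... per minute, per source
        burst: 20        # short bursts tolerated before 429 responses start
        # sourceCriterion defaults to the client IP from the TCP peer address,
        # which is the "rate-limit by source IP" control. Do not switch to
        # requestHeaderName: X-Forwarded-For unless a proxy you trust
        # overwrites that header on every request.

  routers:
    authelia:
      rule: "Host(`auth.lan.ddnsgeek.com`)"
      entryPoints: ["websecure"]
      service: "authelia"
      middlewares: ["auth-ratelimit"]
      tls: {}

    # Path-scoped router so only the auth endpoints are throttled. Traefik v3
    # uses rule length as the default priority, so this longer rule wins over
    # the plain Host(...) router that serves the rest of Nextcloud.
    nextcloud-auth:
      rule: "Host(`nextcloud.lan.ddnsgeek.com`) && (Path(`/login`) || PathPrefix(`/api/auth`) || PathPrefix(`/auth`) || PathPrefix(`/oauth`))"
      entryPoints: ["websecure"]
      service: "nextcloud"
      middlewares: ["auth-ratelimit"]
      tls: {}

  services:
    authelia:
      loadBalancer:
        servers:
          - url: "http://authelia:9091"
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://nextcloud:80"
---
# Authelia configuration.yml fragment: account-level lockout. The counter is
# per user, not per IP, so it complements the rateLimit above rather than
# replacing it (a distributed spray stays under the per-IP limit but not
# under this one).
regulation:
  max_retries: 5     # consecutive failures tolerated ...
  find_time: 2m      # ... within this window
  ban_time: 15m      # temporary block; the account unlocks automatically
```

Traefik's `rateLimit` state is in-memory per instance, so with more than one Traefik replica the effective limit multiplies; the Authelia `regulation` counter is backed by its storage and is consistent across replicas. Run the failed-attempt simulation from section 5 against a dedicated test account so the ban never locks out an operator.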
## 4) WAF / reverse-proxy protections
Deploy one of:
- WAF managed rules for bot/credential-stuffing signatures.
- Reverse-proxy failed-auth throttling and tarpit/delay policy.
Implement logging + alerting thresholds:
- High failed-auth rate from one IP/CIDR.
- Password spray pattern across many usernames.
- Geo/ASN anomalies for sensitive apps.
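As an added example (not part of this repository's CrowdSec setup), the three alerting conditions above written as CrowdSec scenarios. They assume a parser that emits, for every failed Authelia login, `evt.Meta.log_type == 'authelia_failed_auth'`, `evt.Meta.source_ip` and `evt.Meta.username`, and that the GeoIP enrichment is enabled so `evt.Enriched.IsoCode` is populated. The scenario names, thresholds and the expected country code `AU` are placeholders.

```yaml
# Added example, not the repository's own config. Three CrowdSec scenarios
# (one YAML document each). Field names under evt.Meta are assumed to come
# from an Authelia parser; evt.Enriched.IsoCode assumes the geoip enricher.
type: leaky
name: local/auth-bruteforce
description: "Many failed logins from one source IP"
filter: "evt.Meta.log_type == 'authelia_failed_auth'"
groupby: evt.Meta.source_ip
capacity: 10          # the bucket overflows on the 11th failure ...
leakspeed: 30s        # ... unless failures arrive slower than one per 30s
blackhole: 15m        # suppress repeat alerts for the same IP for 15 minutes
labels:
  service: authelia
  type: bruteforce
  remediation: true   # produces a ban decision that bouncers enforce
---
type: leaky
name: local/auth-password-spray
description: "One source IP trying many distinct usernames"
filter: "evt.Meta.log_type == 'authelia_failed_auth'"
groupby: evt.Meta.source_ip
distinct: evt.Meta.username   # each username fills the bucket only once,
capacity: 5                   # so 6 different usernames from one IP ...
leakspeed: 2m                 # ... within a few minutes trips the alert
blackhole: 15m
labels:
  service: authelia
  type: spray
  remediation: true
---
type: trigger           # fires on the first matching event
name: local/auth-geo-anomaly
description: "Failed login from an unexpected country"
filter: "evt.Meta.log_type == 'authelia_failed_auth' && evt.Enriched.IsoCode != 'AU'"
groupby: evt.Meta.source_ip
blackhole: 1h
labels:
  service: authelia
  type: anomaly
  remediation: false  # alert only; review before turning this into a ban
```

The spray scenario is the one the per-IP rate limit in section 3 does not catch on its own: a slow spray of one attempt per username stays under 10 requests per minute but still trips `distinct` counting. The geo scenario is left as alert-only because a legitimate user travelling will match it; tune the country list per sensitive app before enabling remediation.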
## 5) External re-test procedure
Re-test from a non-trusted external network (for example mobile data, not the LAN and not the VPN) and record the outcome per host: connection refused, timeout, TLS handshake rejected, or the HTTP status returned.
Success criteria:
- Every `private-admin` host is inaccessible without VPN/mTLS/allowlisted source: no login page and no `200`.
- `public` hosts remain reachable; `authenticated-public` hosts remain reachable but still require login at the identity gateway before serving content.
- Auth endpoints trigger rate-limit/lockout controls under failed-attempt simulation (for example a `429` or lockout response after the configured number of failures) and the matching alerts fire. Use a dedicated test account for the simulation so the lockout never affects an operator account.
Use `./scripts/retest-external-access.sh` for a repeatable external validation pass.