## ✅ **Point 5 – Access & Identity – FINAL**

### **Role**

* Defines how operators, admins, and services authenticate and access the homelab
* Covers remote access, SSO/identity, password/MFA policy, and onboarding/offboarding

---

### **Remote access methods**

* Supported: Omada VPN, Tailscale, VS Code Tunnel, SSH (as needed)
* Operator-only: all remote access methods
* End-user access: none (the homelab is operator-managed only)
* Public-facing services: must be authenticated and proxied; no direct management UI exposure

---

### **Identity & SSO**

* Authentik is deployed and serves as the centralized SSO/identity provider for the homelab
* Operator/admin accounts are provisioned and managed via Authentik where possible; legacy per-service accounts should be migrated to SSO
* All new services must integrate with Authentik for authentication if supported
* Periodically review and update SSO integrations to ensure coverage and security

---

### **Passwords, MFA, and secrets**

* All admin/operator accounts must use strong, unique passwords
* MFA is required wherever supported (VPN, SSO, cloud, etc.)
* Credentials and secrets must be stored in a secure vault (e.g., Bitwarden, 1Password)

---

### **Operational constraints / "never do this"**

* Never expose management UIs (Proxmox, Watchtower, NAS, etc.) to the public internet
* Never share admin/operator credentials
* Never disable MFA on critical services
* All access changes must be documented and reviewed

---

### **Onboarding/offboarding & change model**

* Onboarding: create accounts, set up VPN/Tailscale, grant secrets vault access
* Offboarding: disable accounts, rotate credentials, audit access
* Changes to access policy require a contract update

---

### **Further considerations**

* Exact VPN/Tailscale/SSO setup details, onboarding checklists, and secrets management procedures will live in a separate, detailed access/identity doc (to be referenced here)
* The access & identity contract should be reviewed at least annually or after major personnel/infra changes