✅ Point 5 – Access & Identity – FINAL
Role
- Defines how operators, admins, and services authenticate and access the homelab
- Covers remote access, SSO/identity, password/MFA policy, and onboarding/offboarding
Remote access methods
- Supported: Omada VPN, Tailscale, VS Code Tunnel, and SSH where a task needs it
- Operator-only: every remote access method above is for operators; none is handed to anyone else
- End-user access: none (the homelab is operator-managed only)
- Public-facing services: must sit behind a reverse proxy that enforces authentication before a request reaches the service; management UIs are never reachable directly from the internet
Identity & SSO
- Authentik is deployed and serves as the centralized SSO/identity provider for the homelab
- Operator/admin accounts are provisioned and managed in Authentik wherever the service supports it; legacy per-service accounts should be migrated to SSO, and any local account that has to remain is recorded as a documented exception
- All new services must integrate with Authentik for authentication if they support it
- Review SSO integrations on a schedule: confirm every service is still fronted by Authentik, remove stale applications and providers, and check that local accounts have not crept back in
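A concrete form of the "authenticated and proxied" rule from the remote access section and the Authentik integration rule above, written as an added example rather than configuration taken from this homelab: a Caddyfile that puts Authentik's forward-auth outpost in front of one service. The hostname app.home.example, the outpost address authentik-outpost:9000 and the upstream app:8080 are assumed placeholders; the matching Authentik provider is of the "Forward auth (single application)" type with the same external host.

```caddyfile
# Added example: Caddy reverse proxy with authentik forward auth.
# Hostnames and upstream addresses are assumed placeholders.
app.home.example {
	route {
		# The outpost's own paths (login flow, callbacks, logout) go straight to authentik
		reverse_proxy /outpost.goauthentik.io/* http://authentik-outpost:9000

		# Every other request is first checked against authentik; an unauthenticated
		# browser is redirected to the login flow, an authenticated one passes through
		forward_auth http://authentik-outpost:9000 {
			uri /outpost.goauthentik.io/auth/caddy
			# Header names are case-sensitive in copy_headers; these carry the identity to the app
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid
			# Trust forwarded headers only from the proxy network, never from arbitrary clients
			trusted_proxies private_ranges
		}

		# Reached only after forward_auth returned 2xx
		reverse_proxy http://app:8080
	}
}
```

Two checks matter when using this pattern: the upstream must not be reachable except through the proxy (bind it to the container network or loopback), otherwise the forward_auth step is bypassed by hitting the port directly; and management UIs such as Proxmox or the NAS get no public site block at all, since the constraints below keep them VPN/Tailscale-only rather than merely behind SSO.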
Passwords, MFA, and secrets
- All admin/operator accounts must use long, unique passwords, generated and stored in the vault and never reused across services
- MFA is required wherever supported (VPN, SSO, cloud accounts, etc.)
- Credentials and secrets must be stored in a secure vault (e.g., Bitwarden, 1Password); they never live in plaintext in notes, repos, or compose files
Operational constraints / "never do this"
- Never expose management UIs (Proxmox, Watchtower, NAS, etc.) to the public internet
- Never share admin/operator credentials
- Never disable MFA on critical services
- All access changes must be documented and reviewed
Onboarding/offboarding & change model
- Onboarding: create the Authentik account, enrol MFA, set up VPN/Tailscale, grant secrets vault access, and document what was granted
- Offboarding: disable the Authentik account, remove the VPN profile/Tailscale node, revoke SSH keys and vault access, rotate any shared secrets the person could have seen, then audit remaining access
- Changes to access policy require an update to this contract
Further considerations
- Exact VPN/Tailscale/SSO setup details, onboarding checklists, and secrets management procedures will live in a separate, detailed access/identity doc (to be referenced here)
- Access & identity contract should be reviewed at least annually or after major personnel/infra changes