## ✅ **Point 5 Access & Identity FINAL**
### **Role**
* Defines how operators, admins, and services authenticate to and access the homelab
* Covers remote access, SSO/identity, password/MFA policy, and onboarding/offboarding
---
### **Remote access methods**
* Supported: Omada VPN, Tailscale, VS Code Tunnel, SSH (as needed)
* Operator-only: all remote access methods
* End-user access: none (homelab is operator-managed only)
* Public-facing services: must be authenticated and proxied; no direct management UI exposure
---
### **Identity & SSO**
* Authentik is deployed and serves as the centralized SSO/identity provider for the homelab
* Operator/admin accounts are provisioned and managed via Authentik where possible; legacy per-service accounts should be migrated to SSO
* All new services must integrate with Authentik for authentication if supported
* Periodically review and update SSO integrations to ensure coverage and security
---
### **Passwords, MFA, and secrets**
* All admin/operator accounts must use strong, unique passwords
* MFA is required wherever supported (VPN, SSO, cloud, etc.)
* Credentials and secrets must be stored in a secure vault (e.g., Bitwarden, 1Password)
---
### **Operational constraints / "never do this"**
* Never expose management UIs (Proxmox, Watchtower, NAS, etc.) to the public internet
* Never share admin/operator credentials
* Never disable MFA on critical services
* All access changes must be documented and reviewed
---
### **Onboarding/offboarding & change model**
* Onboarding: create accounts, set up VPN/Tailscale, grant secrets vault access
* Offboarding: disable accounts, rotate credentials, audit access
* Changes to access policy require an update to this contract
---
### **Further considerations**
* Exact VPN/Tailscale/SSO setup details, onboarding checklists, and secrets management procedures will live in a separate, detailed access/identity doc (to be referenced here)
* Access & identity contract should be reviewed at least annually or after major personnel/infra changes