Security model¶

Who can reach what, and why. The model is three concentric rings: public Internet, tailnet, and localhost.

Access tiers¶

Ingress path¶

Public traffic never hits an open port. cloudflared keeps an outbound tunnel to Cloudflare; requests arrive through it at local Caddy (https://localhost:443), which routes by hostname. Anything not explicitly routed gets 404.

grafana.ridewithmin.com is deliberately not in the tunnel's hostname list and is gated by Caddy to Tailscale address ranges (100.64.0.0/10, fd7a:115c:a1e0::/48). Non-tailnet clients receive 404.

The public Uptime Kuma route allows only status-page paths and returns 404 for everything else.

Firewall¶

The NixOS firewall is enabled on every host. Home hosts allow SSH 22 directly; alfheim accepts SSH only through the trusted tailscale0 interface. Its public OCI address does not answer SSH at all. Application and monitoring ports (3000, 3001, 8082, 8222, 9090, 9100, ...) are never opened publicly.

SSH policy¶

• Root login disabled everywhere.
• Password login disabled everywhere: keys only.
• Operations go through the poby operator account (wheel, passwordless sudo).

Secrets trust model¶

Each host decrypts repo secrets with its own SSH host key as the age identity. Only hosts registered as recipients in .sops.yaml (plus the poby operator key) can read them. Plaintext exists only at runtime under /run/secrets, never in the repo or the Nix store. Details in Secrets.

What this repo does not control¶

• Tailscale ACLs. Tailnet-internal access control is configured in the Tailscale admin console, not declared here.
• Cloudflare-side policies. DNS records and any Cloudflare Access rules live in the Cloudflare dashboard.