User facing services
Everything that is proxied through nginx, or that does not need to be reachable from outside, should bind only to 127.0.0.1 instead of 0.0.0.0 (check with `ss -tlnp` which sockets are still bound to all interfaces).
Services that are only useful to me/administrators (e.g. the monitoring stack) are then reached either via an SSH tunnel, if they are not accessed regularly, or are kept behind WireGuard/Tailscale. This nginx snippet only allows internal access.
Services with OIDC support should use either Keycloak or Pocket ID as the source of truth for users.
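The "bind only to 127.0.0.1" rule is easy to state and easy to break silently, so here is an audit script for it. It is an added example, not part of the original notes: it reads `ss -Hltun` output and reports every listening socket bound to a wildcard address (0.0.0.0, [::] or *), minus a list of ports that are meant to be public (sshd and nginx in this setup). The embedded capture is constructed for offline use; the port numbers in it (9090 for Prometheus, 6379 for Valkey, 8080 for a misconfigured app) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: audit listening sockets and
# report those bound to a wildcard address instead of loopback.
# Assumes iproute2 `ss` output format; the sample capture below is constructed.

# flag_public_listeners [ALLOWED_PORTS]
# Reads `ss -Hltun` style lines on stdin and prints "<netid> <addr:port>" for
# every socket bound to all interfaces, except ports listed in ALLOWED_PORTS
# (space separated, e.g. "22 443" for sshd and nginx, which must stay public).
flag_public_listeners() {
    awk -v allow="${1:-}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        # With -t and -u together ss prints a Netid column first, so the
        # local address is column 5; with a single protocol it is column 4.
        if ($1 == "tcp" || $1 == "udp") { netid = $1; addr = $5 }
        else                            { netid = "?";  addr = $4 }
        port = addr; sub(/.*:/, "", port)      # text after the last ":"
        host = addr; sub(/:[^:]*$/, "", host)  # text before the last ":"
        if ((host == "0.0.0.0" || host == "[::]" || host == "*") && !(port in ok))
            print netid, host ":" port
    }'
}

# Constructed sample capture: sshd and nginx public on purpose, the Prometheus
# UI and Valkey correctly on loopback, one application wrongly on *:8080.
SAMPLE_SS_OUTPUT='tcp LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:* users:(("prometheus",pid=1201,fd=7))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 511 *:8080 *:*
tcp LISTEN 0 128 [::1]:6379 [::]:*
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*'

# audit [--live] [ALLOWED_PORTS]: run against the live system with --live,
# otherwise against the sample so the script can be tried anywhere.
audit() {
    if [ "${1:-}" = "--live" ]; then
        ss -Hltun | flag_public_listeners "${2:-22 443}"
    else
        printf '%s\n' "$SAMPLE_SS_OUTPUT" | flag_public_listeners "${2:-22 443}"
    fi
}

audit "$@"
```

Run it as `./audit-listeners.sh --live "22 443"` on each host after deploying a service; anything it prints is either a new public service that needs an nginx/firewall decision or a bind address to fix. A udp line such as `127.0.0.53%lo:53` (systemd-resolved) is not flagged because the address before the last colon is not a wildcard.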
SSH
- No password authentication, SSH keys only
- Use `AllowUsers` to whitelist accounts
- Block failed login attempts with Fail2Ban
- Block IP subnets of repeat offenders with the firewalld role. Add those offenders manually to `mailcow` as well. Unblocking works like this (the first command removes the rule from the running configuration, the second from the permanent one; both are needed, otherwise the block comes back with the next firewalld reload):
firewall-cmd --remove-rich-rule='rule family="ipv4" source address="193.32.248.152" reject'
firewall-cmd --remove-rich-rule='rule family="ipv4" source address="193.32.248.152" reject' --permanent
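Because every manual block or unblock has to be issued twice (runtime and `--permanent`), the two rule sets tend to drift apart over time. The wrapper below is an added example, not a script from the original notes: it builds the same rich rule as above, validates the address before it is spliced into the rule string, and always applies runtime and permanent changes together. The function names, the `DRY_RUN` switch and the example address are mine; the rules apply to firewalld's default zone because no `--zone` is given.

```shell
#!/bin/sh
# Added example, not from the original page: wrapper around firewall-cmd for
# blocking and unblocking repeat offenders with rich rules so that the runtime
# and permanent configuration never drift apart. Helper names and the DRY_RUN
# switch are assumptions of this example.

# run COMMAND...: execute, or only print the command when DRY_RUN=1
# (printing flattens the quoting, which is fine for display).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# rich_rule ADDRESS: the firewalld rich rule rejecting ADDRESS (host or CIDR)
rich_rule() {
    printf 'rule family="ipv4" source address="%s" reject' "$1"
}

# valid_ipv4 ADDRESS: succeed only for a dotted quad with an optional /0-32
# prefix, so nothing else ever ends up inside the quoted rule string.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { exit 1 }
        {
            n = split($1, o, ".")
            if (n != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
        }'
}

# block_ip ADDRESS: add the reject rule to the running and the permanent config
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: not an IPv4 address or subnet: $1" >&2; return 2; }
    run firewall-cmd --add-rich-rule="$(rich_rule "$1")"
    run firewall-cmd --permanent --add-rich-rule="$(rich_rule "$1")"
}

# unblock_ip ADDRESS: the two commands from the notes above, in one step
unblock_ip() {
    valid_ipv4 "$1" || { echo "unblock_ip: not an IPv4 address or subnet: $1" >&2; return 2; }
    run firewall-cmd --remove-rich-rule="$(rich_rule "$1")"
    run firewall-cmd --permanent --remove-rich-rule="$(rich_rule "$1")"
}

# list_blocked: print the addresses of the currently active reject rules.
# --list-rich-rules prints e.g. rule family="ipv4" source address="1.2.3.4" reject,
# so the address is the 4th field when splitting on double quotes.
list_blocked() {
    run firewall-cmd --list-rich-rules | awk -F'"' '/reject/ { print $4 }'
}

case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    list)    list_blocked ;;
    *)       printf 'usage: %s block|unblock ADDRESS | list   (DRY_RUN=1 to preview)\n' "$0" >&2 ;;
esac
```

`DRY_RUN=1 ./offenders.sh block 193.32.248.0/24` prints the two commands it would run; without `DRY_RUN` it needs root. Because rich rules are matched before the zone's port rules, a block placed this way also stops the offender from reaching services that are otherwise public.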
Future considerations
- Use a jump host (`ProxyJump`) to reduce attack surface
- Only allow `ed25519-sk` FIDO keys
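The settings from the list above, and the two future items, fit into one sshd drop-in plus a client-side `ssh_config` stanza. The script below is an added example and not part of the original notes: it generates the drop-in, refuses to emit an `AllowUsers` line without any user, and only reloads sshd after `sshd -t` has accepted the full configuration, removing the drop-in again otherwise, so a typo cannot lock you out. It assumes a distribution whose `sshd_config` includes `/etc/ssh/sshd_config.d/*.conf` at the top, a systemd unit called `sshd`, and a jump host `jump.example.org` with user names `alice` and `bob`; all of these are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: generate and safely install an
# sshd hardening drop-in, plus the matching client ssh_config for ProxyJump.
# Assumptions: sshd_config includes sshd_config.d/*.conf at its top, the
# systemd unit is named "sshd", host and user names are placeholders.

# sshd_hardening_conf USER...: print the drop-in. sshd keeps the first value it
# sees for a keyword, and the drop-in is included before the distribution
# defaults, so these lines win.
sshd_hardening_conf() {
    [ $# -gt 0 ] || { echo "refusing to emit AllowUsers without any user" >&2; return 1; }
    cat <<EOF
# Written by install_sshd_hardening (added example); edit the script, not this file.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers $*
# Future step from the notes: FIDO keys only. Enable this only once every admin
# has enrolled an ed25519-sk key, otherwise every other key stops working.
#PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com
EOF
}

# install_sshd_hardening USER...: write the drop-in, validate, reload or roll back.
install_sshd_hardening() {
    dir="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}"
    conf="$dir/10-hardening.conf"
    sshd_hardening_conf "$@" > "$conf.new" || { rm -f "$conf.new"; return 1; }
    mv "$conf.new" "$conf"
    if sshd -t; then
        # HUP keeps existing sessions alive; test a fresh login before closing them.
        systemctl reload sshd
    else
        echo "sshd -t rejected the new configuration, removing $conf" >&2
        rm -f "$conf"
        return 1
    fi
}

# ssh_client_config: ~/.ssh/config stanza for the admin workstation so that
# internal hosts are only ever reached through the jump host with the FIDO key.
# ssh_config does not allow trailing comments, hence comments on their own lines.
ssh_client_config() {
    cat <<'EOF'
# hypothetical jump host of this example
Host jump
    HostName jump.example.org
    User admin
    IdentityFile ~/.ssh/id_ed25519_sk

# everything under .internal goes through the jump host
Host *.internal
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_sk
EOF
}

case "${1:-}" in
    show)    shift; sshd_hardening_conf "$@" ;;
    install) shift; install_sshd_hardening "$@" ;;
    client)  ssh_client_config ;;
esac
```

`./sshd-hardening.sh show alice bob` previews the drop-in, `sudo ./sshd-hardening.sh install alice bob` applies it, and `./sshd-hardening.sh client >> ~/.ssh/config` adds the jump-host stanza. Keep the session you installed from open until a second login has succeeded; the rollback only catches syntax errors, not a mistyped user name in `AllowUsers`.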
VPN
Currently Tailscale is used with Headscale as the self-hosted control server. It connects all servers in a mesh network, which is used by the monitoring stack (Prometheus) to reach and scrape all targets. Access is controlled via access control lists and allows only the bare minimum. Only my non-server nodes (desktop, laptop, smartphone) have full access and can use Tailscale as an exit node.
Services
- Deploying a new service
- Valkey configuration
- Alternatives
- ntfy