Skip to main content

KALNET Security Guide

Overview

This document describes the security architecture and best practices for KALNET deployment. Security is implemented in layers:
  1. Network Security - Firewall rules, network isolation
  2. Container Security - Docker hardening, resource limits
  3. Authentication - Service access controls
  4. Secrets Management - Credential handling
  5. TLS/Encryption - Data in transit protection

Quick Start

# 1. Initialize security settings
./security/init-security.sh --check   # Audit current state
./security/init-security.sh --fix     # Auto-fix issues

# 2. Configure secrets
cp .secrets.example .secrets
chmod 600 .secrets
# Edit .secrets with your values

# 3. Apply firewall rules
./security/firewall-rules.sh --apply

Security Architecture

┌─────────────────────────────────────────────────────────────────────────────┐
│                              INTERNET                                        │
│                                  │                                           │
│                           ┌──────┴──────┐                                   │
│                           │   Firewall   │                                   │
│                           │  (UFW/nftables)                                 │
│                           └──────┬──────┘                                   │
│                                  │                                           │
│                    ┌─────────────┴─────────────┐                            │
│                    │      Port 80, 443         │                            │
│                    │    (Public Access)        │                            │
│                    └─────────────┬─────────────┘                            │
│                                  │                                           │
│  ┌───────────────────────────────┴───────────────────────────────────────┐  │
│  │                         TRAEFIK PROXY                                  │  │
│  │  - TLS Termination                                                     │  │
│  │  - Rate Limiting                                                       │  │
│  │  - Security Headers                                                    │  │
│  │  - Request Filtering                                                   │  │
│  └───────────────────────────────┬───────────────────────────────────────┘  │
│                                  │                                           │
│  ┌───────────────────────────────┴───────────────────────────────────────┐  │
│  │                      DOCKER NETWORK (kalnet)                           │  │
│  │                        172.20.0.0/16                                   │  │
│  │                                                                         │  │
│  │  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐   │  │
│  │  │  Jellyfin   │  │     n8n     │  │   Samba     │  │  Discovery  │   │  │
│  │  │  (Media)    │  │ (Automation)│  │   (NAS)     │  │  (API)      │   │  │
│  │  │             │  │             │  │             │  │             │   │  │
│  │  │ no-new-priv │  │ no-new-priv │  │ LAN-only    │  │ no-new-priv │   │  │
│  │  │ read-only   │  │ resource-   │  │ ports       │  │ minimal     │   │  │
│  │  │ mounts      │  │ limited     │  │             │  │ image       │   │  │
│  │  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘   │  │
│  │                                                                         │  │
│  └─────────────────────────────────────────────────────────────────────────┘  │
│                                                                              │
└─────────────────────────────────────────────────────────────────────────────┘

1. Network Security

Firewall Configuration

KALNET uses UFW (Uncomplicated Firewall) for network access control: 
# View current rules
./security/firewall-rules.sh

# Apply KALNET rules
./security/firewall-rules.sh --apply

Port Matrix

PortProtocolAccessServiceNotes
22TCPLANSSHRemote management
80TCPPublicHTTPRedirects to HTTPS
443TCPPublicHTTPSMain entry point
139TCPLANSambaNetBIOS
445TCPLANSambaSMB direct
8080TCPLANTraefikDashboard
9090TCPLANMetricsPrometheus endpoint

Docker/UFW Compatibility

Docker manipulates iptables directly, which can bypass UFW rules. Apply the Docker UFW fix: 
./security/firewall-rules.sh --docker
This adds DOCKER-USER chain rules to ensure UFW policies are respected.

Network Isolation

Services communicate via an isolated Docker bridge network: 
networks:
  kalnet:
    driver: bridge
    ipam:
      config:
        - subnet: 172.20.0.0/16
Best Practices:
  • Services only expose ports to Traefik, not the host
  • Samba is an exception (SMB can’t be HTTP-proxied)
  • Inter-service communication uses container names

2. Container Security

Security Options

All containers should include these security options: 
services:
  example:
    security_opt:
      - no-new-privileges:true    # Prevent privilege escalation
    cap_drop:
      - ALL                        # Drop all capabilities
    cap_add:
      - CHOWN                      # Add only what's needed
      - SETUID
      - SETGID
    read_only: true                # Read-only root filesystem
    tmpfs:
      - /tmp                       # Writable temp directories
      - /run

Resource Limits

Prevent resource exhaustion with deploy limits: 
deploy:
  resources:
    limits:
      cpus: '1.0'
      memory: 512M
    reservations:
      cpus: '0.25'
      memory: 128M

Non-Root Users

Containers should run as non-root users: 
environment:
  - PUID=1000
  - PGID=1000
user: "1000:1000"

Image Security

  • Use specific image tags, not latest
  • Prefer minimal base images (Alpine)
  • Regularly update images: docker-compose pull && docker-compose up -d
  • Scan images: docker scan <image>

3. Authentication

Current State (TASKSET 2)

Individual service authentication:
  • Jellyfin: Built-in user accounts
  • n8n: Basic auth via environment variables
  • Traefik Dashboard: IP whitelist (LAN only)
  • Samba: Unix user authentication

Future State (TASKSET 4+)

Centralized SSO with Authelia:
  • Single sign-on for all web services
  • 2FA/MFA support
  • LDAP integration for user management

Traefik Basic Auth

For services without built-in auth, use Traefik middleware: 
# In traefik/dynamic.yml
http:
  middlewares:
    basic-auth:
      basicAuth:
        users:
          # Generate with: htpasswd -nb user password
          - "admin:$apr1$xyz..."

4. Secrets Management

File-Based Secrets

Secrets are stored in .secrets file: 
# Setup
cp .secrets.example .secrets
chmod 600 .secrets

# Use
source .secrets
docker-compose -f docker-compose.prod.yml up -d

Docker Secrets (Alternative)

For swarm mode or enhanced security: 
secrets:
  db_password:
    file: ./secrets/db_password.txt

services:
  database:
    secrets:
      - db_password

Secret Rotation

  1. Generate new secret
  2. Update .secrets file
  3. Restart affected service
  4. Verify functionality
  5. Remove old secret from any backups

What NOT to Do

  • Store secrets in .env (may be logged)
  • Commit secrets to git
  • Use default passwords
  • Share secrets between services

5. TLS/Encryption

Certificate Management

Traefik handles TLS with Let’s Encrypt: 
# traefik/traefik.yml
certificatesResolvers:
  letsencrypt:
    acme:
      email: "${ACME_EMAIL}"
      storage: /etc/traefik/acme/acme.json
      httpChallenge:
        entryPoint: web

Self-Signed Certificates (Development)

For local development without public DNS: 
# Generate self-signed cert
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout traefik/certs/kalnet.key \
  -out traefik/certs/kalnet.crt \
  -subj "/CN=*.localhost"

chmod 600 traefik/certs/kalnet.key

TLS Best Practices

  • Minimum TLS 1.2 (configured in Traefik)
  • Strong cipher suites
  • HSTS headers enabled
  • Certificate pinning for mobile apps

6. Security Hardening Checklist

Initial Setup

  • Run ./security/init-security.sh --fix
  • Configure .secrets file
  • Apply firewall rules
  • Generate/obtain TLS certificates
  • Set strong passwords for all services

Ongoing

  • Weekly: docker-compose pull to update images
  • Monthly: Review access logs
  • Quarterly: Rotate secrets
  • As needed: Security patches

Audit

# Full security audit
./security/init-security.sh --check

# Check for exposed ports
ss -tlnp | grep -E ':(80|443|445|8080|9090)'

# Check container security
docker inspect --format='{{.HostConfig.SecurityOpt}}' kalnet-jellyfin

# Check for outdated images
docker images --format "{{.Repository}}:{{.Tag}} {{.CreatedSince}}"

7. Incident Response

If Compromised

  1. Isolate: docker-compose down
  2. Preserve: Copy logs before wiping
  3. Investigate: Check access logs, container logs
  4. Remediate: Identify entry point, patch vulnerability
  5. Recover: Restore from clean backup
  6. Rotate: All secrets, certificates, passwords

Log Locations

# Container logs
docker logs kalnet-traefik
docker logs kalnet-jellyfin

# Host firewall logs
sudo journalctl -u ufw

# Access logs
/srv/kalnet/logs/traefik/access.log

Emergency Contacts

Configure in .secrets: 
ALERT_EMAIL=admin@example.com
ALERT_PHONE=+1234567890

8. Compliance Notes

Home Use

For personal/home use, this security configuration provides:
  • Protection from casual attacks
  • Network isolation between services
  • Basic access logging
  • Encrypted external access

NOT Suitable For

  • Healthcare (HIPAA)
  • Payment processing (PCI-DSS)
  • Enterprise production
  • Multi-tenant environments
  • firewall-rules.sh - Firewall configuration script
  • init-security.sh - Security initialization script
  • .secrets.example - Secrets template
  • ../traefik/dynamic.yml - Security middleware configuration