New Grimoire

This commit is contained in:
traveler 2026-04-12 09:53:51 -05:00
parent 77d589a13d
commit cc574f8aed
157 changed files with 29420 additions and 0 deletions

54
Ward-Grimoire/Overview.md Normal file

@ -0,0 +1,54 @@
---
title: Ward Grimoire
description: Security — the gargoyle sentinel watches the gates
published: true
date: 2026-04-12T00:00:00.000Z
tags: ward, security
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---
# Ward Grimoire
![ward-badge](/images/ward-badge.png)
The Ward Grimoire covers all security enforcement, access control, and threat response for Netgrimoire. The gargoyle sees everything that tries to come through.
---
## Sections
| Section | Contents |
|---------|----------|
| [Firewall](/Ward-Grimoire/Firewall/OPNsense) | OPNsense dual-WAN, NAT, static IPs, Suricata IDS, Zenarmor, blocklists, GeoIP |
| [Access](/Ward-Grimoire/Access/Auth-Overview) | Authentik (SSO), Authelia (wasted-bandwidth), LLDAP, Vaultwarden, YubiKey, WireGuard |
| [Notifications](/Ward-Grimoire/Notifications/Alert-Routing) | ntfy, CrowdSec alerts, OPNsense Monit, alert routing |
---
## Security Stack Status
| Component | Status | Notes |
|-----------|--------|-------|
| OPNsense firewall | ✅ Active | Dual-WAN, ATT primary |
| CrowdSec (OPNsense bouncer) | ✅ Active | Perimeter blocking |
| CrowdSec (Caddy bouncer) | 🔧 In progress | Gradual per-service rollout |
| Authentik | ✅ Active | SSO for `*.netgrimoire.com` |
| Authelia | ✅ Active | SSO for `*.wasted-bandwidth.net` |
| LLDAP | ✅ Active | LDAP directory backend |
| Vaultwarden | ✅ Active | `pass.netgrimoire.com` |
| WireGuard | ✅ Active | 5 peers, 192.168.32.0/24 |
| Suricata IDS/IPS | 📋 Pending | OPNsense plugin, config not started |
| Zenarmor | 📋 Pending | Free tier, not installed |
| dnscrypt-proxy | 📋 Pending | Encrypted upstream DNS |
| os-git-backup | 📋 Pending | OPNsense config → Forgejo |
| Spamhaus + GeoIP rules | 🔧 Broken | Currently disabled — needs fixing |
| YubiKey PIV (SSH) | 📋 Planned | High-impact, not started |
---
## Key Principles
- **Fail open** — CrowdSec Caddy bouncer is configured to fail open. If CrowdSec is unreachable, Caddy continues serving. Sites stay up, enforcement suspends temporarily. Do not change to `enable_hard_fails true` in a homelab.
- **Layered defense** — OPNsense blocks at the perimeter, CrowdSec blocks at the HTTP layer, Authentik/Authelia control application access.
- **Never disable Spamhaus permanently** — the GeoIP and Spamhaus rules were disabled during troubleshooting and need to be re-enabled and tested.
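Review bot: the "Fail open" principle in the Key Principles list suspends CrowdSec enforcement silently whenever the bouncer cannot reach the API, so the Overview should state how that condition is surfaced (for example, a CrowdSec or Caddy log alert routed through the ntfy path listed under Notifications) rather than only instructing readers not to set `enable_hard_fails true`; otherwise an outage of the CrowdSec service degrades to unenforced serving with nothing to notice it. Two smaller points in the same file: the Security Stack Status row "Spamhaus + GeoIP rules | 🔧 Broken | Currently disabled" and the principle "Never disable Spamhaus permanently" describe the same open item, so the status row should carry an owner or a target date for re-enabling and testing so the two do not drift apart; and with `published: true` in the front matter, the page exposes the WireGuard peer count and subnet (`5 peers, 192.168.32.0/24`) and the Vaultwarden hostname, which is fine for an internal wiki but worth confirming against where this wiki is actually reachable from.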