---
title: Ward Grimoire
description: Security — the gargoyle sentinel watches the gates
published: true
date: 2026-04-12T00:00:00.000Z
tags: ward, security
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Ward Grimoire

![ward-badge](/images/ward-badge.png)

The Ward Grimoire covers all security enforcement, access control, and threat response for Netgrimoire. The gargoyle sees everything that tries to come through.

---

## Sections

| Section | Contents |
|---------|----------|
| [Firewall](/Ward-Grimoire/Firewall/OPNsense) | OPNsense dual-WAN, NAT, static IPs, Suricata IDS, Zenarmor, blocklists, GeoIP |
| [Access](/Ward-Grimoire/Access/Auth-Overview) | Authentik (SSO), Authelia (wasted-bandwidth), LLDAP, Vaultwarden, YubiKey, WireGuard |
| [Notifications](/Ward-Grimoire/Notifications/Alert-Routing) | ntfy, CrowdSec alerts, OPNsense Monit, alert routing |

---

## Security Stack Status

| Component | Status | Notes |
|-----------|--------|-------|
| OPNsense firewall | ✅ Active | Dual-WAN, ATT primary |
| CrowdSec (OPNsense bouncer) | ✅ Active | Perimeter blocking |
| CrowdSec (Caddy bouncer) | 🔧 In progress | Gradual per-service rollout |
| Authentik | ✅ Active | SSO for `*.netgrimoire.com` |
| Authelia | ✅ Active | SSO for `*.wasted-bandwidth.net` |
| LLDAP | ✅ Active | LDAP directory backend |
| Vaultwarden | ✅ Active | `pass.netgrimoire.com` |
| WireGuard | ✅ Active | 5 peers, 192.168.32.0/24 |
| Suricata IDS/IPS | 📋 Pending | OPNsense plugin, config not started |
| Zenarmor | 📋 Pending | Free tier, not installed |
| dnscrypt-proxy | 📋 Pending | Encrypted upstream DNS |
| os-git-backup | 📋 Pending | OPNsense config → Forgejo |
| Spamhaus + GeoIP rules | 🔧 Broken | Currently disabled — needs fixing |
| YubiKey PIV (SSH) | 📋 Planned | High-impact, not started |

---

## Key Principles

- **Fail open** — The CrowdSec Caddy bouncer is configured to fail open. If CrowdSec is unreachable, Caddy continues serving: sites stay up and enforcement is suspended until the bouncer can reach CrowdSec again. Do not change this to `enable_hard_fails true` in a homelab.
- **Layered defense** — OPNsense blocks at the perimeter, CrowdSec blocks at the HTTP layer, and Authentik/Authelia control application access.
- **Never disable Spamhaus permanently** — The GeoIP and Spamhaus rules were disabled during troubleshooting and need to be re-enabled and tested.