Netgrimoire/Ward-Grimoire/Overview.md
2026-04-12 09:53:51 -05:00


---
title: Ward Grimoire
description: Security — the gargoyle sentinel watches the gates
published: true
date: 2026-04-12T00:00:00.000Z
tags: ward, security
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Ward Grimoire


The Ward Grimoire covers all security enforcement, access control, and threat response for Netgrimoire. The gargoyle sees everything that tries to come through.


## Sections

| Section | Contents |
|---|---|
| Firewall | OPNsense dual-WAN, NAT, static IPs, Suricata IDS, Zenarmor, blocklists, GeoIP |
| Access | Authentik (SSO), Authelia (wasted-bandwidth), LLDAP, Vaultwarden, YubiKey, WireGuard |
| Notifications | ntfy, CrowdSec alerts, OPNsense Monit, alert routing |

## Security Stack Status

| Component | Status | Notes |
|---|---|---|
| OPNsense firewall | Active | Dual-WAN, ATT primary |
| CrowdSec (OPNsense bouncer) | Active | Perimeter blocking |
| CrowdSec (Caddy bouncer) | 🔧 In progress | Gradual per-service rollout |
| Authentik | Active | SSO for `*.netgrimoire.com` |
| Authelia | Active | SSO for `*.wasted-bandwidth.net` |
| LLDAP | Active | LDAP directory backend |
| Vaultwarden | Active | pass.netgrimoire.com |
| WireGuard | Active | 5 peers, 192.168.32.0/24 |
| Suricata IDS/IPS | 📋 Pending | OPNsense plugin, config not started |
| Zenarmor | 📋 Pending | Free tier, not installed |
| dnscrypt-proxy | 📋 Pending | Encrypted upstream DNS |
| os-git-backup | 📋 Pending | OPNsense config → Forgejo |
| Spamhaus + GeoIP rules | 🔧 Broken | Currently disabled — needs fixing |
| YubiKey PIV (SSH) | 📋 Planned | High-impact, not started |

## Key Principles

- **Fail open** — the CrowdSec Caddy bouncer is configured to fail open. If Caddy cannot reach the CrowdSec LAPI, it keeps serving requests: sites stay up and enforcement is suspended until the connection returns. Do not set `enable_hard_fails` in a homelab; with hard fails on, the bouncer refuses requests while CrowdSec is unreachable, which turns a CrowdSec outage into a site outage.
- **Layered defense** — OPNsense blocks at the perimeter (including the CrowdSec OPNsense bouncer), the CrowdSec Caddy bouncer blocks at the HTTP layer, and Authentik/Authelia control access to individual applications. A failure of one layer should leave the others enforcing.
- **Never disable Spamhaus permanently** — the GeoIP and Spamhaus rules were disabled during troubleshooting and are still off. They need to be re-enabled and tested, not left disabled because the firewall happens to work without them.
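The fail-open setting described above, shown as an added example Caddyfile for the hslatman/caddy-crowdsec-bouncer module. This is not this wiki's own configuration: the LAPI address `http://crowdsec:8080`, the placeholder bouncer key, the upstream `app:8080` and the hostname `svc.example.com` are all assumptions chosen for illustration.

```caddyfile
# Added example, not the wiki's Caddyfile. Assumes the caddy-crowdsec-bouncer module is
# compiled into Caddy, the CrowdSec LAPI is reachable at http://crowdsec:8080, and the
# key below is replaced with one issued by `cscli bouncers add caddy`.
{
    crowdsec {
        api_url http://crowdsec:8080
        api_key REPLACE_WITH_BOUNCER_KEY
        ticker_interval 15s
        # enable_hard_fails is deliberately left unset. With the default (off) the
        # handler lets requests through when the LAPI cannot be reached, so a
        # CrowdSec outage degrades to "no enforcement" rather than "site down".
        # Uncommenting the next line would make the bouncer fail closed instead.
        #enable_hard_fails
    }
}

# Hypothetical per-service rollout: only this host is placed behind the bouncer.
svc.example.com {
    route {
        # Ask CrowdSec for a decision on the client IP before anything is proxied.
        crowdsec
        reverse_proxy app:8080
    }
}
```

To confirm that a freshly onboarded service is actually being enforced, add a short-lived test decision against a throwaway client address with `cscli decisions add --ip <ip> --duration 5m --reason test`, check that a request from that address is refused, then remove it with `cscli decisions delete --ip <ip>`. Stopping the CrowdSec container and repeating a normal request is the matching check that the fail-open behaviour is still in place.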