---
title: Ward Grimoire
description: Security — the gargoyle sentinel watches the gates
published: true
date: 2026-04-12T00:00:00.000Z
tags: ward, security
editor: markdown
dateCreated: 2026-04-12T00:00:00.000Z
---

# Ward Grimoire

The Ward Grimoire covers all security enforcement, access control, and threat response for Netgrimoire. The gargoyle sees everything that tries to come through.

---

## Sections

| Section | Contents |
|---------|----------|
| [Firewall](/Ward-Grimoire/Firewall/OPNsense) | OPNsense dual-WAN, NAT, static IPs, Suricata IDS, Zenarmor, blocklists, GeoIP |
| [Access](/Ward-Grimoire/Access/Auth-Overview) | Authentik (SSO), Authelia (wasted-bandwidth), LLDAP, Vaultwarden, YubiKey, WireGuard |
| [Notifications](/Ward-Grimoire/Notifications/Alert-Routing) | ntfy, CrowdSec alerts, OPNsense Monit, alert routing |

---

## Security Stack Status

| Component | Status | Notes |
|-----------|--------|-------|
| OPNsense firewall | ✅ Active | Dual-WAN, ATT primary |
| CrowdSec (OPNsense bouncer) | ✅ Active | Perimeter blocking |
| CrowdSec (Caddy bouncer) | 🔧 In progress | Gradual per-service rollout |
| Authentik | ✅ Active | SSO for `*.netgrimoire.com` |
| Authelia | ✅ Active | SSO for `*.wasted-bandwidth.net` |
| LLDAP | ✅ Active | LDAP directory backend |
| Vaultwarden | ✅ Active | `pass.netgrimoire.com` |
| WireGuard | ✅ Active | 5 peers, 192.168.32.0/24 |
| Suricata IDS/IPS | 📋 Pending | OPNsense plugin, config not started |
| Zenarmor | 📋 Pending | Free tier, not installed |
| dnscrypt-proxy | 📋 Pending | Encrypted upstream DNS |
| os-git-backup | 📋 Pending | OPNsense config → Forgejo |
| Spamhaus + GeoIP rules | 🔧 Broken | Currently disabled — needs fixing |
| YubiKey PIV (SSH) | 📋 Planned | High-impact, not started |

---

## Key Principles

- **Fail open** — the CrowdSec Caddy bouncer is configured to fail open. If CrowdSec is unreachable, Caddy continues serving: sites stay up and enforcement is suspended until CrowdSec is reachable again. Do not change this to `enable_hard_fails true` in a homelab, where an outage of the CrowdSec API would otherwise take every site behind Caddy offline.
- **Layered defense** — OPNsense blocks at the perimeter, CrowdSec blocks at the HTTP layer, and Authentik/Authelia control application access.
- **Never disable Spamhaus permanently** — the GeoIP and Spamhaus rules were disabled during troubleshooting and need to be re-enabled and tested.