Init

Personal/Areas/Servers/TrueNAS/Security TODO.md

@@ -0,0 +1,71 @@
+# Security TODO
+
+## Future Improvements
+
+### Investigate Cloudflare Tunnel as Alternative to Port Forwarding
+
+**Why:**
+- No ports opened on router (better security)
+- Cloudflare DDoS protection
+- Hides home IP address
+- Works with existing Traefik setup
+
+**Resources:**
+- [Cloudflare Tunnel Documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/)
+- Can work alongside or replace current port forwarding setup
+
+**Status:** To investigate
+
+---
+
+### Look into Pangolin
+
+**Note:** Research what Pangolin is in context of homelab/self-hosting security
+
+**Status:** To investigate
+
+---
+
+## Current Security Measures
+
+### Active:
+- ✅ SSH key-based authentication (password auth disabled)
+- ✅ Traefik SSL/TLS via Let's Encrypt
+- ✅ Basic auth on Traefik dashboard
+- ✅ VPN routing for Servarr stack (via Gluetun)
+- ✅ Watchtower for automatic container updates
+
+### Planned:
+- [ ] Investigate Cloudflare Tunnel
+- [ ] Research Pangolin
+- [ ] Add Fail2ban for brute force protection
+- [ ] Implement Traefik rate limiting middleware
+- [ ] Set up IP whitelisting for admin interfaces
+- [ ] Regular security audits of exposed services
+- [ ] Configure automated backups with encryption
+
+---
+
+## Port Forwarding Currently Active
+
+| Port | Service | Notes |
+|------|---------|-------|
+| 80 | Traefik HTTP | Auto-redirects to HTTPS |
+| 443 | Traefik HTTPS | SSL/TLS encrypted |
+| 2222 | Gitea SSH | For git operations |
+
+**Risk Level:** Medium
+- Publicly exposed services
+- Mitigated by: SSL, authentication, regular updates
+
+**Action Items:**
+- Monitor logs regularly
+- Keep services updated
+- Consider Cloudflare Tunnel migration
+
+---
+
+## References
+
+- [[Traefik Multi-Stack Setup]] - Current setup documentation
+- [[Integrating Servarr Stack with Traefik]] - VPN-routed services