Obsidian-Vault/Personal/Areas/Servers/TrueNAS/Security TODO.md
2026-03-13 20:01:15 +01:00


# Security TODO
## Future Improvements
### Investigate Cloudflare Tunnel as Alternative to Port Forwarding
**Why:**
- No ports opened on router (nothing on the home connection accepts unsolicited inbound connections; the tunnel connector dials out)
- Cloudflare DDoS protection
- Hides home IP address
- Works with existing Traefik setup

**Resources:**
- [Cloudflare Tunnel Documentation](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/)
- Can work alongside or replace current port forwarding setup
**Status:** To investigate
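
As an added example (not an existing file in this vault), this is what a `cloudflared` `config.yml` for the tunnel could look like when every public hostname is forwarded over the tunnel to the existing Traefik container, so Traefik's routers, Let's Encrypt certificates and middlewares keep working unchanged. `<TUNNEL-UUID>`, the `example.com` hostnames and the container name `traefik` are placeholders. The connector only makes outbound connections, so once all public hostnames are served this way the port forwards for 80 and 443 on the router can be removed.

```yaml
# cloudflared config.yml placing a Cloudflare Tunnel in front of the existing Traefik setup.
# Added example for this note, not a vault file. <TUNNEL-UUID>, the hostnames and the
# container name "traefik" are placeholders; replace them with real values.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

# Ingress rules are evaluated top to bottom; the last rule must be a catch-all.
ingress:
  # Each public hostname is handed to Traefik's HTTPS entrypoint over the tunnel.
  - hostname: git.example.com
    service: https://traefik:443
    originRequest:
      # Send the public hostname as SNI so Traefik selects the matching certificate.
      originServerName: git.example.com
      # Keep certificate verification on; only flip to true while debugging an origin
      # that still serves a self-signed certificate.
      noTLSVerify: false
  - hostname: photos.example.com
    service: https://traefik:443
    originRequest:
      originServerName: photos.example.com
  # Anything that matches no hostname above is rejected at Cloudflare's edge and never
  # reaches the home network.
  - service: http_status:404

# Note for Traefik-side controls: with the tunnel in place, Traefik's TCP peer is
# cloudflared, not the visitor. Rate limits or IP allowlists keyed on the client address
# must read the forwarded address (CF-Connecting-IP / X-Forwarded-For) instead.
```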

---
### Look into Pangolin
**Note:** Research what Pangolin is in the context of homelab/self-hosting security
**Status:** To investigate

---
## Current Security Measures
### Active:
- ✅ SSH key-based authentication (password auth disabled)
- ✅ Traefik SSL/TLS via Let's Encrypt
- ✅ Basic auth on Traefik dashboard
- ✅ VPN routing for Servarr stack (via Gluetun)
- ✅ Watchtower for automatic container updates
### Planned:
- [ ] Investigate Cloudflare Tunnel
- [ ] Research Pangolin
- [x] ~~Add Fail2ban for brute force protection~~ → Replaced by CrowdSec (see [[CrowdSec Setup]])
- [x] Close port 2222, disable Gitea SSH, use HTTPS git (see [[CrowdSec Setup#Step 1]])
- [ ] Implement Traefik rate limiting middleware
- [ ] Set up IP whitelisting for admin interfaces
- [ ] Regular security audits of exposed services
- [ ] Configure automated backups with encryption
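
Two of the planned items above (Traefik rate limiting middleware and IP whitelisting for admin interfaces) can be expressed in one Traefik dynamic configuration file. The block below is an added example, not a file from this vault or from the Traefik project: the middleware names, IP ranges, the `traefik.example.com` hostname, the `websecure` entrypoint, the `letsencrypt` resolver name and the htpasswd hash are assumptions, and the key names follow Traefik v3 (on Traefik v2 the allowlist middleware is spelled `ipWhiteList`). The dashboard router uses Traefik's built-in `api@internal` service, which requires `api.dashboard: true` in the static configuration.

```yaml
# Traefik dynamic configuration (file provider) covering two planned items:
# rate limiting and an IP allowlist for admin interfaces. Added example, not a file
# from this vault. Middleware names, IP ranges, hostname, entrypoint and certResolver
# are assumed; key names follow Traefik v3 (on v2, ipAllowList is spelled ipWhiteList).
http:
  middlewares:
    # Rate limit per source IP: 20 requests/second on average, bursts up to 50.
    # Excess requests get HTTP 429, which slows credential guessing against basic auth.
    public-ratelimit:
      rateLimit:
        average: 20
        burst: 50
        period: 1s

    # Only LAN and VPN clients may reach admin interfaces; everyone else gets 403.
    admin-allowlist:
      ipAllowList:
        sourceRange:
          - "192.168.1.0/24"   # home LAN (assumed)
          - "10.8.0.0/24"      # VPN clients (assumed)
        # Behind Cloudflare Tunnel (or any reverse proxy) the TCP peer is the proxy, so
        # the check must use the forwarded client address instead. With exactly one
        # trusted proxy appending the client IP to X-Forwarded-For, uncomment:
        # ipStrategy:
        #   depth: 1

    # The existing dashboard basic auth from this note; replace the placeholder hash
    # with output from `htpasswd -nB admin`.
    dashboard-auth:
      basicAuth:
        users:
          - "admin:<htpasswd-hash>"

  routers:
    traefik-dashboard:
      rule: "Host(`traefik.example.com`)"
      entryPoints:
        - websecure
      service: api@internal
      # Order matters: cheap IP check first, then the rate limit, then the password prompt,
      # so unknown networks never see the auth challenge and known ones cannot hammer it.
      middlewares:
        - admin-allowlist
        - public-ratelimit
        - dashboard-auth
      tls:
        certResolver: letsencrypt
```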
---
## Port Forwarding Currently Active
| Port | Service | Notes |
|------|---------|-------|
| 80 | Traefik HTTP | Auto-redirects to HTTPS |
| 443 | Traefik HTTPS | SSL/TLS encrypted |
| 2222 | Gitea SSH | For git operations |

**Risk Level:** Medium
- Publicly exposed services
- Mitigated by: SSL, authentication, regular updates

**Action Items:**
- Monitor logs regularly
- Keep services updated
- Consider Cloudflare Tunnel migration
---
## References
- [[Traefik Multi-Stack Setup]] - Current setup documentation
- [[Integrating Servarr Stack with Traefik]] - VPN-routed services