Security Model

The SZ Homelab is designed around a zero-trust exposure model: nothing in the cluster is reachable from the Internet except through the VPS reverse proxy, and internal services are reachable only over the VPN.

🛡️ Principles

1. No direct exposure

  • Proxmox cluster is not public
  • Only VPS is exposed

2. VPN-first architecture

  • All internal services are reachable only over Tailscale; there is no path to them from the public Internet

3. Reverse proxy isolation

  • VPS handles all incoming traffic
  • Internal services are never directly reachable

🔑 Authentication

  • Authentik provides identity management
  • Centralized authentication for services behind Caddy

🔑 Identity & Authentication (Authentik)

The homelab uses Authentik as the central Identity Provider (IdP).

🧭 Role in the Architecture

Authentik is responsible for:

  • Single Sign-On (SSO)
  • Centralized user management
  • OAuth2 / OIDC authentication flows
  • Access control policies for selected services

☁️ Nextcloud Integration

Nextcloud is integrated with Authentik using OpenID Connect (OIDC).

This means:

  • Users authenticate via Authentik instead of local Nextcloud accounts
  • Central login session applies across services
  • Passwords are not managed inside Nextcloud
  • Access policies can be enforced centrally (groups, roles, rules)

🔁 Login Flow Example

  1. User opens nextcloud.sz-homelab.com
  2. Nextcloud redirects to Authentik login page
  3. Authentik authenticates user
  4. Authentik issues OIDC token
  5. User is redirected back to Nextcloud with active session

🧱 Security Benefit

  • Reduces attack surface (no local Nextcloud password login left as a brute-force target)
  • Centralized MFA enforcement
  • Unified identity across homelab services

🌍 TLS Strategy

  • Certificates are obtained with the ACME DNS-01 challenge through Cloudflare DNS, so issuance never requires an inbound HTTP port
  • Automatic certificate issuance and renewal via Caddy
  • End-to-end HTTPS routing, from the client to the VPS proxy and from the proxy to the internal service