Skip to content

CodisTech/security-architecture

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Security Architecture — Zero-Trust Homelab

A production-grade home infrastructure designed as a zero-trust, defense-in-depth environment: VLAN-segmented, default-deny firewalling, high-availability routing, and disaster-recovery engineering — all mapped to NIST CSF 2.0 and CIS Controls v8.

This repo documents the architecture and the reasoning behind it: the segmentation model, the firewall policy, the resilience/DR design, and the decision records that explain why each choice was made. It is the design counterpart to my policy-as-code-demo repo — the network segmentation described here is the same model enforced programmatically by network_policy.rego there.

All addresses in this repo use documentation ranges (10.0.0.0/8). No production IPs, hostnames, credentials, or CARP VHIDs are published.

Topology

flowchart TB
    INET([Internet]) --- EDGE[Edge Firewall / IDS-IPS]
    EDGE --- FW{{OPNsense HA Pair<br/>CARP VIP + pfsync}}
    FW --- SW[L2/L3 Switch<br/>802.1Q trunks]

    SW --- V10[VLAN 10 · DMZ<br/>external-facing]
    SW --- V20[VLAN 20 · IoT<br/>internet-only]
    SW --- V30[VLAN 30 · TRUSTED<br/>workstations]
    SW --- V40[VLAN 40 · MGMT<br/>net controller/switches]
    SW --- V50[VLAN 50 · GUEST<br/>isolated]
    SW --- V60[VLAN 60 · SERVICES<br/>servers · k8s · DNS · hypervisor mgmt]
    SW --- V70[VLAN 70 · ISOLATED<br/>lab platform]

    V60 --- K8S[k3s cluster]
    V60 --- DNS[Recursive DNS sink]
    V60 --- HV[Hypervisor mgmt plane]

    classDef untrusted fill:#3a1f1f,stroke:#a33;
    classDef trusted fill:#1f2f1f,stroke:#3a3;
    classDef mgmt fill:#1f2333,stroke:#46a;
    class V10,V20,V50,V70 untrusted;
    class V30 trusted;
    class V40,V60 mgmt;
Loading

What's here

Area Docs
Network segmentation network/segmentation.md — VLAN model, trust tiers, zero-trust rationale
Firewall policy network/firewall-model.md — default-deny, inter-VLAN matrix, DNS/QUIC egress control
Resilience & DR resilience/dr-runbook.md, resilience/break-glass.md
Decision records decisions/ — CARP HA, DHCP engine, management-plane placement
Automation (IaC) automation/ — Ansible patch-management, sanitized

Design principles

  1. Default-deny everywhere — every segment starts closed; access is explicitly granted per flow.
  2. Trust tiers, not a flat LAN — untrusted (IoT/Guest/DMZ), trusted (users), and management planes are isolated.
  3. No single point of failure on the control path — routing/DHCP/DNS are being moved to HA; SPOFs are documented and tracked as decision records.
  4. Monitoring integrity — DNS is forced to a sink and encrypted-DNS bypass (DoH/DoT) + QUIC are blocked so visibility can't be silently defeated.
  5. Operability under failure — a documented break-glass path and DR runbook exist for when the automated control plane is down.

Standards alignment

  • NIST CSF 2.0 — PR.AA / PR.IR (segmentation), PR.DS (data-in-transit control), DE.CM (monitoring), RC.RP (recovery).
  • CIS Controls v8 — 4 (secure config), 12 (network infrastructure mgmt), 13 (network monitoring & defense).

About

Zero-trust, defense-in-depth homelab network architecture — VLAN segmentation, OPNsense CARP HA, DR/break-glass runbooks, and ADRs, mapped to NIST CSF 2.0 & CIS Controls v8.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors