If you discover a security issue in this repository, please report it via GitHub's Private Vulnerability Reporting:
- Navigate to the Security tab of this repository
- Click Report a vulnerability
- Provide details about the issue and steps to reproduce
This keeps the report confidential until a fix is in place.
This repository documents a self-hosted Windows 11 / Docker Desktop homelab. The architecture follows defense-in-depth principles:
- Identity — Authentik provides OIDC, OAuth2, and LDAP single sign-on for user-facing services
- Network scoping — User-facing services bind to private network paths (ZeroTier overlay) rather than broad host exposure where practical
- Egress isolation — VPN sidecars (`network_mode: service:<sidecar>`) isolate selected services
- Secrets handling — Environment files, API-generated credentials, runtime artifacts, and database state are excluded from version control
- Bounded public exposure — Public reachability is limited to Cloudflare-tunneled endpoints with VPN-routed egress
- Pre-commit secret scanning — A local Gitleaks hook (`.githooks/pre-commit`) blocks commits containing detectable secrets
- GitHub-native scanning — Secret scanning, push protection, and Dependabot are enabled on this repository
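The egress-isolation pattern above is worth seeing in full, because the security property comes from Compose details that are easy to get wrong. The fragment below is an added example, not this repository's own compose file: it assumes a gluetun-based sidecar, a hypothetical `app` service, and credentials supplied from an uncommitted `.env` file, all of which are assumptions for illustration.

```yaml
# Added example (not from this repository): a VPN sidecar that owns the
# network namespace, and an application container joined to it.
# Image, service names and variable names are assumptions.
services:
  vpn:
    image: qmcgaw/gluetun          # assumed sidecar image; any tun-owning VPN container works
    cap_add:
      - NET_ADMIN                  # needed to create the tunnel and its firewall rules
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      VPN_SERVICE_PROVIDER: ${VPN_PROVIDER}          # values come from .env, which is gitignored
      VPN_TYPE: wireguard
      WIREGUARD_PRIVATE_KEY: ${WG_PRIVATE_KEY}       # never inline a key in the compose file
    ports:
      # Published on the SIDECAR, not on the app: the app has no network
      # interfaces of its own, so this is the only way in from the host.
      - "127.0.0.1:8080:8080"
    restart: unless-stopped

  app:
    image: example/app:latest      # hypothetical service to be egress-isolated
    network_mode: "service:vpn"    # share the sidecar's network namespace
    depends_on:
      vpn:
        condition: service_healthy # do not start until the tunnel is up
    env_file:
      - .env.app                   # app secrets stay out of version control too
    restart: unless-stopped
    # No 'ports:' and no 'networks:' here: both are rejected by Compose for a
    # container in network_mode: service:<name>, which is exactly the point.
```

Two checks that follow from this layout: a container joined this way has no network path except the sidecar's interfaces, so if the sidecar is stopped the application has no connectivity at all rather than falling back to the host network (fail closed); and because the application container is bound to the sidecar's namespace, recreating the `vpn` container requires recreating `app` as well, which `docker compose up -d` handles but a manual `docker restart vpn` does not. A quick verification is to run `docker compose exec app sh -c 'ip addr'` and confirm that the only routable interface present is the tunnel interface created by the sidecar.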
For architecture decisions, see DECISIONS.md. For operational practices, see OPERATIONS.md.
This repository tracks the current configuration of a live homelab. Security updates are applied to the running stack on a rolling basis; the repository reflects the current state.