This page documents security practices applied to the Enclari server and its applications.
- Reverse proxy security: Traefik enforces TLS, with Let's Encrypt certificates issued via the DNS-01 challenge (Hetzner DNS).
- Identity and SSO: Authentik provides central authentication with MFA support.
- Service isolation: All apps run in Docker Compose stacks, separated into services and networks.
- Backups: Restic backups are encrypted with a strong password before upload to pCloud.
- Redirect HTTP → HTTPS (`entrypoints.web` → `websecure`)
- HSTS and other security headers via the `secure-headers` middleware:
  - `traefik.http.middlewares.secure-headers.headers.stsSeconds=31536000`
  - `traefik.http.middlewares.secure-headers.headers.stsIncludeSubdomains=true`
  - `traefik.http.middlewares.secure-headers.headers.stsPreload=true`
  - `traefik.http.middlewares.secure-headers.headers.contentTypeNosniff=true`
  - `traefik.http.middlewares.secure-headers.headers.browserXssFilter=true`
  - `traefik.http.middlewares.secure-headers.headers.referrerPolicy=no-referrer`
  - `traefik.http.middlewares.secure-headers.headers.frameDeny=true`
- MFA: enabled for admin accounts
- ForwardAuth: all admin panels (Traefik, Portainer, Dashy, Netdata, phpMyAdmin) are protected by Authentik ForwardAuth
- OIDC: Wiki.js authenticates natively against the Authentik OIDC provider
- Groups & policies: Authentik groups and policies can restrict access to specific apps
- Only essential packages installed (Ubuntu 24.04 LTS)
- Root access via SSH key authentication (password login disabled)
- Tools installed: `htop`, `ncdu`, `rsync`, `restic`, `rclone`
- Restic repository encrypted with the password loaded from `/root/.restic-env`
- pCloud backend via rclone (access token stored in the rclone config)
- Bandwidth limited (`RCLONE_BW_LIMIT=10M`) to avoid DoS
- Netdata monitors system health
- Logs accessible via `docker logs` and the system journal
- Optional: integrate Netdata alerts or extend to Prometheus/Grafana stack
```bash
# Verify TLS certs
curl -vI https://enclari.com
# Verify Authentik ForwardAuth on an admin panel (expect a redirect to the Authentik login)
curl -I https://traefik.enclari.com
# Check for open ports
ss -tulpen
# Check Docker network isolation
docker network ls
docker network inspect web
# Inspect Traefik middlewares
docker inspect traefik | jq '.[0].Config.Labels'
```
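The `secure-headers` labels above and the `curl -vI` check are tied together by this added checker, which is not part of the Enclari setup: it parses a `curl -I` capture and verifies that the HTTPS response carries exactly the headers the middleware is configured to emit, and that the plain-HTTP entrypoint answers with a redirect to `https://`. The header names and values are the ones Traefik emits for the listed options; the sample captures are constructed, not real output from the server.

```python
import re
# Header names and values Traefik emits for the secure-headers labels listed above.
EXPECTED = {
    "strict-transport-security": {"max-age=31536000", "includesubdomains", "preload"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1", "mode=block"},
    "referrer-policy": {"no-referrer"},
    "x-frame-options": {"deny"},
}
def parse_response(raw):
    """Split a `curl -I` capture into (status_code, {lower-cased name: value})."""
    status, headers = None, {}
    for line in raw.splitlines():
        m = re.match(r"HTTP/\S+\s+(\d{3})", line.strip())
        if m:
            status = int(m.group(1))
        elif ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers

def directives(value):
    # Normalise a header value to a set of lower-cased ';'-separated tokens.
    return {t.strip().lower() for t in value.split(";") if t.strip()}

def check_secure_headers(raw):
    """Findings for the HTTPS response; an empty list means every header matches."""
    _, headers = parse_response(raw)
    findings = []
    for name, want in EXPECTED.items():
        got = headers.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif directives(got) != want:
            findings.append(f"{name}: got {got!r}")
    return findings

def check_http_redirect(raw):
    """True if the plain-HTTP response redirects to an https:// URL."""
    status, headers = parse_response(raw)
    return status in (301, 302, 307, 308) and headers.get("location", "").startswith("https://")
# Constructed sample captures, not real output from enclari.com.
HTTPS_SAMPLE = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
referrer-policy: no-referrer
x-frame-options: DENY
"""
HTTP_SAMPLE = "HTTP/1.1 308 Permanent Redirect\nLocation: https://enclari.com/\n"
```

Pipe the real captures in with `curl -sI https://enclari.com` and `curl -sI http://enclari.com` and pass them to `check_secure_headers` and `check_http_redirect` respectively; any finding means a label is missing or misconfigured on that router.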
- Collabora and Nextcloud are archived and no longer active; while they ran, they were also protected by Traefik TLS and optional Authentik integration.
- Always test the backup restore flow to ensure the backups are intact.