Basically every local service is accessed via a web interface, and every interface wants a username and password. Assuming none of these services are exposed to the internet, how much effort do you put into security here?
Personally, I didn’t really think about it when I started. I make a half-assed effort at security where I don’t use “admin” or anything obvious as the username, and I use a decent-but-not-industrial password - but I started reusing the u/p as the number of services I’m running grew. I have my browsers remember the u/ps.
Should one go farther than this? And if so, what’s the threat model? Is there an easier way?
Unify them.
- I use a container that runs an AD in Samba4: https://nowsci.com/samba-domain
- LDAP from that is used for services like Nexcloud, etc.
- I then run Keycloak to add OIDC to the AD: https://www.keycloak.org/
- This is for other services like Outline that only support Oauth/OIDC
- And lastly, I use Oauth2-proxy to support everything else by adding OIDC to my nginx proxy: https://oauth2-proxy.github.io/oauth2-proxy/
- This supports systems like SearNGX with no native login that I want to limit to my users.
Now I have a full FOSS Active Directory for SSO logging into computers and services that supports 2FA where desired.
