STD-023: Home Lab Infrastructure
Security and operational standards for personal workstations and home lab infrastructure. These baselines define the minimum acceptable security posture for any system under Domus Digitalis management. Measured by the security dashboard (security-dashboard.py).
Applicability
This standard applies to personal (Domus Digitalis) systems only. CHLA infrastructure follows STD-022 (CHLA Network Operations) and organizational security policies.
Disk Encryption (LUKS)
| Requirement | Detail |
|---|---|
| All data volumes encrypted | LUKS2 on every partition containing user data. No unencrypted data at rest. |
| Cipher | |
| Key size | 512-bit minimum |
| Swap | Encrypted swap or zram (no plaintext swap) |
| Boot | |
Verification
```bash
# List encrypted volumes
dmsetup ls --target crypt
# Verify cipher and key size
sudo cryptsetup status cryptroot
sudo cryptsetup status crypthome
```
Mandatory Access Control (AppArmor)
| Requirement | Detail |
|---|---|
| Module loaded | AppArmor in LSM stack, |
| Browser profiles | Firefox, Chrome, Chromium in enforce mode with credential store deny rules |
| Credential lockdown | Default Arch profiles ship with |
| Target | >80% of profiles in enforce mode |
Verification
```bash
# Check enforce vs complain vs unconfined counts
sudo aa-status | head -15
```
Host Firewall
| Requirement | Detail |
|---|---|
| Firewall active | UFW or nftables — default deny incoming, allow outgoing |
| SSH allowed | Port 22 from trusted networks only (not 0.0.0.0) |
| Docker chains | Docker manages its own chains — do not conflict with UFW rules |
| Boot persistence | Firewall service enabled at boot |
Verification
```bash
sudo ufw status verbose
systemctl is-active ufw
```
Kernel Hardening
All systems MUST pass these sysctl checks:
| Parameter | Required Value | Purpose |
|---|---|---|
| `kernel.randomize_va_space` | | Full ASLR — randomize stack, heap, mmap, VDSO |
| `kernel.yama.ptrace_scope` | | Restrict ptrace to parent processes only |
| `kernel.dmesg_restrict` | | Non-root cannot read kernel ring buffer |
| `kernel.kptr_restrict` | | Hide kernel pointers from non-root |
| `kernel.unprivileged_bpf_disabled` | | Prevent unprivileged BPF programs (local privesc vector) |
| `net.ipv4.conf.all.rp_filter` | | Reverse path filtering — reject spoofed source IPs |
| `net.ipv4.conf.all.accept_redirects` | | Reject ICMP redirects — prevents route manipulation |
| `net.ipv4.tcp_syncookies` | | SYN flood protection |
Verification
```bash
# Check all parameters
for param in kernel.randomize_va_space kernel.yama.ptrace_scope \
             kernel.dmesg_restrict kernel.kptr_restrict \
             kernel.unprivileged_bpf_disabled \
             net.ipv4.conf.all.rp_filter \
             net.ipv4.conf.all.accept_redirects \
             net.ipv4.tcp_syncookies; do
    printf "%-45s %s\n" "$param" "$(sysctl -n "$param" 2>/dev/null || echo '?')"
done
```
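The loop above only prints each value; the dashboard needs a pass/fail verdict per parameter and a percentage. The following is an added example, not code from security-dashboard.py, that scores the same eight parameters and treats a parameter the kernel does not expose (the loop's `?`) as a failure. The acceptable-value sets are assumptions chosen to satisfy each row's stated purpose, not values quoted from this standard.

```python
from pathlib import Path

# ASSUMPTION: acceptable values per parameter, chosen to satisfy each row's
# stated purpose; they are not quoted from this standard's Required Value column.
REQUIRED = {
    "kernel.randomize_va_space": {"2"},             # 2 = full ASLR (stack, heap, mmap, VDSO)
    "kernel.yama.ptrace_scope": {"1", "2", "3"},    # 1 = descendants only; stricter also passes
    "kernel.dmesg_restrict": {"1"},                 # non-root cannot read the ring buffer
    "kernel.kptr_restrict": {"1", "2"},             # 1 hides from non-root, 2 from everyone
    "kernel.unprivileged_bpf_disabled": {"1", "2"}, # 1 = permanent, 2 = until re-enabled
    "net.ipv4.conf.all.rp_filter": {"1", "2"},      # 1 strict, 2 loose reverse-path check
    "net.ipv4.conf.all.accept_redirects": {"0"},    # ignore ICMP redirects
    "net.ipv4.tcp_syncookies": {"1"},               # SYN flood protection
}


def read_sysctls(params=REQUIRED, root=Path("/proc/sys")):
    """Read live values from /proc/sys; a parameter the kernel lacks maps to None."""
    observed = {}
    for param in params:
        try:
            observed[param] = (root / Path(*param.split("."))).read_text().strip()
        except OSError:            # e.g. kernel.yama.* when Yama is not built in
            observed[param] = None
    return observed


def evaluate(observed, required=REQUIRED):
    """Return (passed_count, failures); failures maps param -> (observed, acceptable)."""
    failures = {}
    for param, ok in required.items():
        value = observed.get(param)
        if value not in ok:        # None (missing) fails, as the loop's '?' would
            failures[param] = (value, sorted(ok))
    return len(required) - len(failures), failures


def score(observed, required=REQUIRED):
    """Integer percentage of parameters in compliance, as a dashboard panel would show."""
    passed, _ = evaluate(observed, required)
    return 100 * passed // len(required)


# Constructed sample host: Yama absent, kernel pointers exposed, ICMP redirects accepted.
SAMPLE = {
    "kernel.randomize_va_space": "2", "kernel.yama.ptrace_scope": None,
    "kernel.dmesg_restrict": "1", "kernel.kptr_restrict": "0",
    "kernel.unprivileged_bpf_disabled": "1", "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "1", "net.ipv4.tcp_syncookies": "1",
}

if __name__ == "__main__":
    live = read_sysctls()
    passed, failures = evaluate(live)
    print(f"kernel hardening: {passed}/{len(REQUIRED)} ({score(live)}%)")
    for param, (seen, want) in failures.items():
        print(f"  FAIL {param}: got {seen!r}, want one of {want}")
```

Run as root on the host under review; `evaluate(SAMPLE)` shows the shape of the verdict without touching `/proc/sys`.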
Systemd Service Sandboxing
| Requirement | Detail |
|---|---|
| Target | >50% of services rated OK or MEDIUM by |
| Critical services | |
| Monitoring | Run |
Network Authentication
| Requirement | Detail |
|---|---|
| WiFi | 802.1X EAP-TLS where available (Domus-Secure SSID) |
| Certificates | Client cert + private key managed via NetworkManager |
| Fallback | WPA2/WPA3-Personal for guest/IoT networks only |
Key Management
| Requirement | Detail |
|---|---|
| age | Identities in |
| GPG | Keys managed, no expired keys in active use |
| SSH | Ed25519 keys preferred. No RSA keys below 4096-bit. |
| gopass | Credential store for secrets. No plaintext credentials anywhere. |
Automated Security Assessment
Run the unified security dashboard to measure posture against this standard:
```bash
sudo MPLBACKEND=Agg python3 docs/modules/ROOT/examples/codex/python/security-dashboard.py
```
Output: /tmp/security-dashboard.png — 18 panels covering every requirement in this standard.
Baseline (2026-04-10): 59/100 (Grade D) — LUKS and AppArmor complete, firewall and kernel hardening pending.
Target: 80/100 (Grade B) after completing P16g Phase 12 security hardening.
Cross-Reference
- STD-005 (Change Control) — verify-change-verify for all system changes
- STD-002 (Deployment Validation) — post-deployment verification checklist
- STD-006 (Secrets Handling) — credential management requirements
- P16g Phase 12: Security Hardening — implementation plan