Network Security

Network boundaries, TLS, and access controls for RavenmaskOS.

Network Model

  • External entrypoints terminate at Traefik (ports 80/443).
  • Internal services communicate over the ravenhelm_net Docker network.
  • LiveKit exposes additional UDP/TCP ports for WebRTC media.

TLS and DNS

  • TLS certificates are issued by Let's Encrypt via Traefik.
  • DNS challenges are handled through Route53 credentials.
  • Public services are exposed via *.ravenhelm.dev.

Access Controls

  • Restrict the host firewall to the required ports only.
  • Use Tailscale or a VPN for administrative access.
  • Avoid exposing internal APIs directly to the public internet.
  • Enforce SSO on all web UIs via OAuth2-Proxy.
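The following Compose fragment is an added illustration of the model above, not RavenmaskOS's own deployment file: Traefik on 80/443 with an HTTPS redirect, Let's Encrypt via the Route53 DNS challenge, an internal service with no published ports on ravenhelm_net, and a forwardAuth middleware that sends every request through OAuth2-Proxy. The service names, the hostname app.ravenhelm.dev, the env files, the image tags and the app port 8080 are assumptions.

```yaml
services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false      # only labelled services are routed
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=route53
      - --certificatesresolvers.letsencrypt.acme.email=ops@example.invalid   # placeholder
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    env_file: ./route53.env   # AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_HOSTED_ZONE_ID, never in labels
    ports: ["80:80", "443:443"]   # the only published ports besides LiveKit media
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt
    networks: [ravenhelm_net]

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0
    env_file: ./oauth2-proxy.env   # provider, client id/secret, cookie secret, OAUTH2_PROXY_REVERSE_PROXY=true
    networks: [ravenhelm_net]
    labels:
      - traefik.enable=true
      - traefik.http.routers.oauth2.rule=Host(`app.ravenhelm.dev`) && PathPrefix(`/oauth2/`)
      - traefik.http.routers.oauth2.entrypoints=websecure
      - traefik.http.routers.oauth2.tls.certresolver=letsencrypt
      - traefik.http.services.oauth2.loadbalancer.server.port=4180
      # forwardAuth middleware: unauthenticated requests receive oauth2-proxy's sign-in redirect
      - traefik.http.middlewares.sso.forwardauth.address=http://oauth2-proxy:4180/oauth2/
      - traefik.http.middlewares.sso.forwardauth.trustforwardheader=true
      - traefik.http.middlewares.sso.forwardauth.authresponseheaders=X-Auth-Request-User,X-Auth-Request-Email

  app:
    image: example/app:latest   # placeholder for an internal web UI
    # no "ports:" entry: reachable only through Traefik over ravenhelm_net
    networks: [ravenhelm_net]
    labels:
      - traefik.enable=true
      - traefik.http.routers.app.rule=Host(`app.ravenhelm.dev`)
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.tls.certresolver=letsencrypt
      - traefik.http.routers.app.middlewares=sso@docker
      - traefik.http.services.app.loadbalancer.server.port=8080
networks:
  ravenhelm_net:
    external: true
```

A quick check that the model holds: `docker compose ps` should list published ports only for traefik (and LiveKit), and a request to https://app.ravenhelm.dev without a session cookie should answer with a redirect to the OAuth2-Proxy sign-in page rather than the app.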