Voltis Documentation
User Guide
Security Considerations

Security Considerations

Voltis prioritizes simplicity for edge environments, but security is critical for production use. This guide outlines risks, mitigations, and best practices based on the architecture (e.g., open API, task execution). Always follow the principle of least privilege.

Known Risks

  • Unauthenticated API: Default HTTP endpoints have no auth; exposed to network.
  • Task Execution: Shell cmds in taskfiles run as daemon user (root if sudo); potential injection.
  • File Handling: Tarball extraction could include malicious files (e.g., .service with exploits).
  • Database Exposure: SQLite file writable by daemon; no encryption.
  • Network: HTTP only; no TLS; reconciliation polls without backoff.
  • Secrets: Env vars in voltis.toml passed to tasks; logged if not careful.

API Security

Authentication

  • Current: None; all requests succeed.

  • Mitigations:

    • Proxy Auth: Front with Nginx/Apache:
      server {
  listen 443 ssl;
  location / {
    auth_basic "Voltis API";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:4650;
  }
}
      Use htpasswd for users; integrate LDAP/OAuth.
    • Custom Middleware: Extend api.Server in server.go:
      func authMiddleware(next http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
    token := r.Header.Get("X-API-Token")
    if token != "secret" { http.Error(w, "Unauthorized", 401); return }
    next.ServeHTTP(w, r)
  })
}
// In NewServer: mux = authMiddleware(mux)
      Store tokens in env or DB.
    • mTLS: For device auth; configure proxy to require client certs.

  • RBAC: Future; add roles (e.g., read-only for monitoring).

Network Security

  • TLS Termination: Always use HTTPS in prod.
    • Self-signed for testing: openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes.
    • Prod: Let’s Encrypt or CA certs.
  • Firewall: Restrict to trusted IPs:
    sudo ufw allow from 192.168.1.0/24 to any port 4650
sudo ufw enable
  • VPN: Tunnel API over WireGuard/OpenVPN for remote edges.

Rate Limiting

  • Current: None; vulnerable to DoS.
  • Mitigation: Proxy with limit_req in Nginx:
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
location / { limit_req zone=api burst=20; proxy_pass ... }

Workload and Task Security

Input Validation

  • Tarball Scanning: Before extract, check digest; scan for malware (e.g., clamav in build step).
  • Taskfile Sanitization: Limit cmds to whitelisted (e.g., no rm -rf /); parse YAML safely.
    • Current: Exec via os/exec; escapes args but vulnerable to ; rm -rf /.
    • Fix: Use safer runner or sandbox (e.g., run in container).

Privilege Management

  • Daemon User: Run as non-root: Edit service file User=voltis.
    • Create user: useradd -r -s /bin/false voltis; chown voltis /var/lib/voltis.
  • Task Isolation: Tasks run as daemon user; avoid sudo in taskfiles.
  • File Permissions: extras/ files chmod 644; services 644.
    • On extract: Set umask; validate paths (no ../ escapes).

Secrets Handling

  • Avoid Hardcoding: Use env vars or external (e.g., K3S_TOKEN from node env).
  • No Logging Secrets: slog filters? Custom handler to redact.
  • Vault Integration: In tasks: vault kv get secret/my-app | jq .data.token.
  • Encryption: Future; encrypt DB or workload data.

Database Security

  • File Permissions: chmod 600 voltis.sqlite.db; chown voltis:voltis.
  • Backup Encryption: Use sqlite3 ... .dump | gpg -c > backup.sql.gpg.
  • No Remote Access: Local file only; no network exposure.
  • Auditing: Log all DB ops (extend repositories with slog).

Deployment Best Practices

  • Immutable Workloads: Sign tarballs (gpg); verify on push.
  • Audit Logs: Enable journald for daemon; forward to central (ELK).
  • Updates: Pin versions; test workloads in staging.
  • Monitoring: Alert on failed reconciles (e.g., Prometheus scrape /health).
  • Compliance: For regulated envs, audit taskfiles for FIPS (e.g., no openssl).

Vulnerability Reporting

  • Report security issues privately: [email protected] or GitHub Security Advisories.
  • Do not disclose publicly until patched.
  • Bounty: None yet; swag/merch for valid reports.

Future Improvements

  • Built-in JWT auth.
  • Task sandboxing (e.g., firejail).
  • Encrypted storage.
  • SBOM for workloads.

Secure your deployments; review code for custom needs.

TroubleshootingTroubleshooting