threat model

assets

  • k3s node and workloads
  • cloudflare api token for dns-01
  • sops age private key
  • tailscale tailnet identity
  • edge vps root access
  • persistent app data

design choices that reduce risk

  • no tls private keys on edge vps
  • no public k3s api exposure
  • no port 80 requirement
  • dns-01 cert issuance instead of http-01
  • encrypted secrets in git via sops+age
  • edge vps can be rebuilt from config

main risks

  • compromised vps can forward or disrupt traffic
  • compromised tailnet device can reach tailnet services
  • single node failure loses availability until restore
  • local storage has no replication
  • bad flux commit can break cluster state

mitigations

  • keep vps minimal and patched
  • tailscale device approval and key expiry hygiene
  • restic backups with restore drills
  • branch protection and review for flux paths once stable
  • least-privilege cloudflare token scoped to dns edit for k3x.dev
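
added example, not part of the original page or the repo it describes: a review-time check supporting the sops+age and flux review items above. it flags kubernetes Secret manifests whose values are not sops-encrypted. the sample manifests, secret name and age recipient are constructed, and the line-based parsing is a heuristic that assumes simple `key: value` entries.

```python
import re

# constructed sample manifests (not taken from the page's repository)
ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
stringData:
  api-token: ENC[AES256_GCM,data:c2FtcGxl,iv:c2FtcGxl,tag:c2FtcGxl,type:str]
sops:
  age:
    - recipient: age1constructedrecipientplaceholder
  mac: ENC[AES256_GCM,data:c2FtcGxl,iv:c2FtcGxl,tag:c2FtcGxl,type:str]
"""
PLAINTEXT = """\
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
stringData:
  api-token: constructed-plaintext-value
"""

SECRET_KIND = re.compile(r"^kind:\s*Secret\s*$", re.M)
SOPS_BLOCK = re.compile(r"^sops:\s*$", re.M)
SECTION = re.compile(r"^(data|stringData):\s*$")
ENTRY = re.compile(r"^\s+([^\s:#][^:]*):\s*(.*)$")

def plaintext_findings(manifest: str) -> list[str]:
    """Return reasons a Secret manifest should not be committed as-is."""
    if not SECRET_KIND.search(manifest):
        return []  # only Secret manifests are checked
    findings = []
    if not SOPS_BLOCK.search(manifest):
        findings.append("missing top-level sops metadata block")
    in_section = False
    for line in manifest.splitlines():
        if line and not line[0].isspace():
            # a new top-level key starts; track whether it holds secret values
            in_section = bool(SECTION.match(line))
            continue
        m = ENTRY.match(line) if in_section else None
        if m and not m.group(2).startswith("ENC["):
            findings.append(f"plaintext value for key {m.group(1)!r}")
    return findings
```

run over changed files in a pre-commit hook or ci job and fail when the returned list is non-empty.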