Remote-BackyardAI is designed around one core principle:
Reduce exposure. Limit capability. Control access.
This project prioritizes:
- Private networking over public exposure
- SSH key authentication over passwords
- Forced command execution over shell access
- Minimal service surface area
- Clear infrastructure boundaries
This is not a zero-risk system. It is a risk-reduced architecture.
The secure configuration assumes:
- Tailscale private mesh network
- No router port forwarding
- SSH key-only authentication; password authentication disabled
- Forced-command gateway (no interactive shell)
- Docker services bound to loopback or the Tailscale address, never 0.0.0.0
Deploy it differently and these guarantees no longer hold.
SSH access is locked down as follows:
- Password authentication disabled (PasswordAuthentication no, and KbdInteractiveAuthentication no so PAM cannot still prompt for one)
- Root login disabled (PermitRootLogin no)
- Public key authentication only (AuthenticationMethods publickey)
- One key per user; no shared keys
- Any key removable from authorized_keys without redeploying the stack
- ListenAddress set to the host's Tailscale address only (Tailscale allocates from 100.64.0.0/10, so not every 100.x address qualifies)
Network and container rules:
- Do not publish container ports on 0.0.0.0; bind to 127.0.0.1 or the Tailscale address
- Do not open router ports
- Do not expose Ollama externally (no LAN or internet reachability)
- Avoid privileged containers; drop capabilities the service does not need
- Avoid bind-mounting sensitive host directories (/, /etc, /root, /home)
- Never mount the Docker socket (/var/run/docker.sock) into a container; it is equivalent to root on the host
- Keep images updated
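The SSH and container rules above as a runnable check. This is an added example, not code from Remote-BackyardAI: a POSIX shell script that audits sshd -T output against the SSH rules, builds per-user forced-command authorized_keys entries and revokes one without touching the others, and lints a compose file for the port, privilege and mount rules. The gateway path /usr/local/bin/chat-gateway, the Tailscale address 100.64.0.10, the service names, the key strings and every sample configuration are constructed placeholders.

```shell
#!/bin/sh
# Added example for this document, not code from Remote-BackyardAI.
# Part 1 audits the effective sshd configuration (what `sshd -T` prints: one
# lowercase "keyword value" pair per line) against the SSH rules above and builds
# per-user forced-command authorized_keys entries. Part 2 lints a compose file
# against the network and container rules. All input below is constructed;
# 100.64.0.10 and /usr/local/bin/chat-gateway are placeholders for the host's
# Tailscale address and the gateway binary.

WEAK_SSHD='passwordauthentication yes
permitrootlogin yes
pubkeyauthentication yes
authenticationmethods any
listenaddress 0.0.0.0:22'

# What sshd -T reports for a drop-in with the same directives in CamelCase
# (OpenSSH before 8.7 spells the second one ChallengeResponseAuthentication).
HARDENED_SSHD='passwordauthentication no
kbdinteractiveauthentication no
permitrootlogin no
pubkeyauthentication yes
authenticationmethods publickey
listenaddress 100.64.0.10:22'

# check_sshd_effective CONFIG_TEXT: one FAIL line per broken rule; returns 0 only if all hold.
check_sshd_effective() {
    cfg="$1"; rc=0
    get() { printf '%s\n' "$cfg" | awk -v k="$1" '$1 == k { print $2 }'; }
    [ "$(get passwordauthentication)" = no ]       || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(get kbdinteractiveauthentication)" = no ] || { echo "FAIL: KbdInteractiveAuthentication must be no (PAM password path)"; rc=1; }
    [ "$(get permitrootlogin)" = no ]              || { echo "FAIL: PermitRootLogin must be no"; rc=1; }
    [ "$(get pubkeyauthentication)" = yes ]        || { echo "FAIL: PubkeyAuthentication must be yes"; rc=1; }
    [ "$(get authenticationmethods)" = publickey ] || { echo "FAIL: AuthenticationMethods must be exactly publickey"; rc=1; }
    # Tailscale assigns from 100.64.0.0/10 (second octet 64..127); a bare "100.x" test is too loose.
    for addr in $(get listenaddress); do
        case "$addr" in
            100.6[4-9].*|100.[7-9][0-9].*|100.1[01][0-9].*|100.12[0-7].*) ;;
            *) echo "FAIL: ListenAddress $addr is outside 100.64.0.0/10"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed placeholder keys (not real key material); each user gets their own.
ALICE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForAliceNotRealKeyMaterial alice@laptop'
BOB_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyForBobNotRealKeyMaterial00 bob@desktop'

# forced_key_entry PUBKEY_LINE: `restrict` disables PTY allocation, port/agent/X11
# forwarding and rc files; `command=` runs the gateway whatever the client asked for.
forced_key_entry() { printf 'restrict,command="/usr/local/bin/chat-gateway" %s\n' "$1"; }

# revoke_key FILE PUBKEY_LINE: removes one user's entry by exact key material, so a key
# can be pulled without touching other users or redeploying the stack.
revoke_key() { { grep -vF -- "$2" "$1" || [ $? -eq 1 ]; } > "$1.tmp" && mv "$1.tmp" "$1"; }

# Compose file that breaks every container rule above.
WEAK_COMPOSE='services:
  ollama:
    image: ollama/ollama
    privileged: true
    ports:
      - "11434:11434"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc:/host-etc:ro
  gateway:
    image: backyard-gateway
    ports:
      - "0.0.0.0:8080:8080"'

# Same services: Ollama on loopback only, the gateway on the Tailscale address,
# no privilege, no host socket, models in a project-local directory.
HARDENED_COMPOSE='services:
  ollama:
    image: ollama/ollama
    ports:
      - "127.0.0.1:11434:11434"
    volumes:
      - ./ollama-models:/root/.ollama
    cap_drop:
      - ALL
  gateway:
    image: backyard-gateway
    ports:
      - "100.64.0.10:8080:8080"'

# audit_compose COMPOSE_TEXT: one FAIL line per violation; returns 0 only if clean.
audit_compose() {
    text="$1"; rc=0
    hit() { printf '%s\n' "$text" | grep -qE -- "$1"; }
    # "11434:11434" with no host IP publishes on every interface, as does an explicit 0.0.0.0 or [::].
    hit '^[[:space:]]*-[[:space:]]*"?[0-9]+:[0-9]+(/(tcp|udp))?"?[[:space:]]*$' \
        && { echo "FAIL: port published without a host IP (binds 0.0.0.0)"; rc=1; }
    hit '^[[:space:]]*-[[:space:]]*"?(0\.0\.0\.0|\[::\]):[0-9]+:' \
        && { echo "FAIL: port explicitly bound to all interfaces"; rc=1; }
    hit '^[[:space:]]*privileged:[[:space:]]*true' && { echo "FAIL: privileged container"; rc=1; }
    hit '/var/run/docker\.sock' && { echo "FAIL: Docker socket mounted into a container (root on the host)"; rc=1; }
    # Host paths that hand a container the host's configuration or identity; a starting list, not exhaustive.
    hit '^[[:space:]]*-[[:space:]]*"?(/|/etc|/root|/home|/proc|/sys|/var/lib/docker)(/[^:]*)?:' \
        && { echo "FAIL: sensitive host directory bind-mounted"; rc=1; }
    return $rc
}

echo "== sshd: weak ==";        check_sshd_effective "$WEAK_SSHD"     || echo "rejected"
echo "== sshd: hardened ==";    check_sshd_effective "$HARDENED_SSHD" && echo "accepted"
echo "== compose: weak ==";     audit_compose "$WEAK_COMPOSE"         || echo "rejected"
echo "== compose: hardened =="; audit_compose "$HARDENED_COMPOSE"     && echo "accepted"
```

On a real host, run the same functions on live input: check_sshd_effective "$(sudo sshd -T)" (sshd -T needs root to read the host keys) and audit_compose "$(cat docker-compose.yml)". The compose checks are line-oriented pattern matches, good enough to catch the rules listed here but not a substitute for a YAML-aware policy tool in production.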
If you discover a security issue:
- Do not disclose it publicly right away.
- Open a private issue or contact the repository owner.
- Provide:
  - Description of the issue
  - Steps to reproduce
  - Potential impact
  - Suggested mitigation (if available)
Reports will be reviewed and addressed responsibly.
Residual risks that remain even in the secure configuration:
- Containers are not a hard isolation boundary
- A compromised SSH key grants that user's chat-level access through the forced command (not a shell)
- Host OS compromise bypasses every container protection
- Compromise of the Tailscale account undermines the network boundary itself
If deploying in a production environment, consider:
- Rootless Docker
- Fail2ban or connection rate limiting
- Mandatory key rotation policy
- MFA enforcement on Tailscale
- Network segmentation (VLAN separation)
- Centralized logging pipeline (SIEM)
- Vulnerability scanning for container images
- Signed Docker images
- Intrusion detection monitoring
This repository provides a template architecture.
Security of deployment depends on:
- Host configuration
- Key management practices
- Network setup
- Update hygiene
- Operational discipline
Misconfiguration can significantly increase risk.
Security is a process, not a state.
This project demonstrates defensive architectural thinking, not absolute protection.