- No local logins (nor any need to)
- Fully documented, fully auditable
- Correct change control processes
- Rotating local logins, if necessary
- Central authentication
- Self-healing
- Continuous Compliance
- Ease of use
- Free and Open Source
- Transparent
- Reportable
- Reverse Proxy
- Automated Provisioning
- Continuous Integration / Continuous Delivery
- Password Management
- IP Address Management
- DNS
- Remote
- Monitoring and Management
- Dashboard
- User
- Storage Management
Start with a Proxmox URL and an inventory:
- Spin up first host, deploy DNS.
- Add DNS record. Spin up second host, deploy CA. Bring CA data back to control node. Slurp Fingerprint and password.
- Add DNS record. Spin up third host. Deploy Bitwarden. Deposit all cached creds from CA and SSH.
- Add DNS record. Spin up fourth host. Deploy LDAP.
- Add DNS record. Spin up fifth host. Deploy IPAM. Add all records up to this point.
- Add DNS record. Spin up host 14. Deploy Apache Guacamole. Add all hosts up to this point.
- Create an internal certificate for the proxy host
- Add internal certificate to proxy host, implement redirection (if necessary)
- Add proxy host to Reverse Proxy
- Request Let's Encrypt external certificate
- proxy_ssl_trusted_certificate
https://www.supereasy.com/how-to-configure-nginx-as-a-https-reverse-proxy-easily/
https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
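
The reverse-proxy steps above, written out as an nginx configuration. This is an added example, not part of the original notes; the host names, file paths, upstream port and the port-80 redirect are assumed placeholders.

```nginx
# Added example. All names, paths and ports below are placeholders.

# Public listener: presents the external Let's Encrypt certificate.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    location / {
        # Upstream is the proxy host, serving its internal-CA certificate.
        proxy_pass https://app.internal.example:8443;

        # proxy_ssl_verify defaults to off: traffic to the upstream is
        # encrypted, but any certificate is accepted. Turn verification on
        # and pin trust to the internal CA only.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/internal-ca.pem;
        proxy_ssl_verify_depth        2;   # root + one intermediate

        # Send SNI and check the certificate against the internal name.
        proxy_ssl_server_name on;
        proxy_ssl_name        app.internal.example;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP: serve ACME challenges, redirect everything else to HTTPS.
server {
    listen 80;
    server_name app.example.com;

    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}
```

Run `nginx -t` before reloading. If the internal certificate does not chain to `internal-ca.pem` or does not carry the internal name, the upstream handshake fails and nginx returns 502 with a verify error in its error log.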