At the boundary, a few things stand between the enclave and the open internet. Public DNS — the authoritative record of where the enclave’s names resolve — is served by the enclave’s own control panel (see Software › HestiaCP), not handed to a third party. An edge router (see Software › OPNsense) governs what crosses into the enclave’s networks. A reverse proxy terminates TLS and routes inbound web traffic to the right service by hostname, so nothing internal is exposed directly.

This is the public face — the narrow, watched set of doors all outside traffic must pass through. The boundary devices are named here in the role they play; their configuration lives in Software, the rules that harden them in Guard › Hardening, and the naming scheme behind the hostnames in Wire › URLs.

Has anything touched?

If reading this made you want to argue with it, extend it, or notice what's missing, that's the signal to show up.
