Service Reference
Purpose
This page provides a functional view of services running within the Scheol Security Lab.
The objective is to:
- describe what each service does
- clarify its role in the overall architecture
- support understanding of dependencies and exposure
- complement the System Inventory (which focuses on systems, not services)
Scope
This page includes:
- application services
- infrastructure services
- security-related services
It does not include:
- system-level details (covered in System Inventory)
- control definitions (covered in Control Framework)
- detailed architecture (covered in Applied Security Architecture)
Service Model
Each service is described using the following attributes:
| Field | Description |
|---|---|
| Asset ID | Unique identifier (A-XXX) |
| Name | Service name |
| Category | Application / Infrastructure / Security |
| Description | Functional purpose |
| Location | Heaven / Hell |
| Exposure | Public / Internal |
| Dependencies | Other services or components |
| Notes | Optional context |
Services
Public-Facing Services (Heaven)
A-062 - Reverse Proxy
| Field | Value |
|---|---|
| Category | Infrastructure |
| Description | Entry point for HTTP/HTTPS traffic, routing requests to backend services |
| Location | Heaven |
| Exposure | Public |
| Dependencies | VPS-01 |
| Notes | Critical control point; misconfiguration directly linked to R-001 |
A-063 - Documentation Site
| Field | Value |
|---|---|
| Category | Application |
| Description | Public documentation platform (Docusaurus) |
| Location | Heaven |
| Exposure | Public |
| Dependencies | Reverse Proxy |
| Notes | Static content, low sensitivity |
A-061 - Gitea
| Field | Value |
|---|---|
| Category | Application |
| Description | Source code management and CI/CD entry point |
| Location | Heaven |
| Exposure | Public |
| Dependencies | Reverse Proxy |
| Notes | Sensitive due to code and potential automation secrets |
A-064 - Dolibarr
| Field | Value |
|---|---|
| Category | Application |
| Description | Business application (ERP/CRM) |
| Location | Heaven |
| Exposure | Public |
| Dependencies | Reverse Proxy, Database |
| Notes | Handles business data; directly linked to R-002 |
A-065 - Database (Dolibarr)
| Field | Value |
|---|---|
| Category | Infrastructure |
| Description | Data storage for Dolibarr |
| Location | Heaven |
| Exposure | Internal (intended) |
| Dependencies | Dolibarr |
| Notes | Currently co-located; segmentation incomplete |
Internal & Planned Services (Hell)
A-076 - Proxmox Platform
| Field | Value |
|---|---|
| Category | Infrastructure |
| Description | Virtualization platform hosting internal systems |
| Location | Hell |
| Exposure | Internal |
| Dependencies | Physical host |
| Notes | Core infrastructure component |
A-077 - Bastion (Planned)
| Field | Value |
|---|---|
| Category | Security |
| Description | Controlled entry point for administrative access |
| Location | Hell |
| Exposure | Internal |
| Dependencies | Identity system (future) |
| Notes | Key control for R-003 |
A-066 - Logging & Detection (Wazuh - Planned)
| Field | Value |
|---|---|
| Category | Security |
| Description | Centralized logging and detection platform |
| Location | Hell |
| Exposure | Internal |
| Dependencies | All systems (log sources) |
| Notes | Not yet deployed |
A-069 - Monitoring Stack (Planned)
| Field | Value |
|---|---|
| Category | Infrastructure |
| Description | Metrics and system monitoring (Prometheus / Grafana) |
| Location | Hell |
| Exposure | Internal |
| Dependencies | Internal systems |
| Notes | Observability improvement |
A-071 / A-072 - Automation & CI/CD (Planned)
| Field | Value |
|---|---|
| Category | Infrastructure |
| Description | Automation workflows (Ansible, runners) |
| Location | Hell |
| Exposure | Internal |
| Dependencies | Gitea |
| Notes | High-privilege operations |
Observations
- Multiple critical services are co-located on VPS infrastructure
- Reverse proxy acts as a single point of control and failure
- Several security services are not yet implemented
- Some internal services have broad implicit trust
Known Limitations
At the current stage:
- service dependencies are simplified
- some services are grouped logically
- planned services are not yet validated in real conditions
This reflects the current maturity of the lab.
Relationship with Other Sections
This page is used by:
- System Inventory → mapping services to systems
- Risk Register → identifying service-level risks
- Control Framework → defining service-specific controls
- Architecture → understanding flows and interactions
Governance Rule
Any new service must be documented in this reference.
Updates must occur:
- when deploying a new service
- when modifying service exposure
- when introducing dependencies or integrations
Current Maturity
At the current stage, service documentation is considered partially established.
Established
- identification of core services
- separation between public and internal services
- basic understanding of service roles
In Progress
- refinement of dependencies
- alignment with architecture and risk model
- improved service classification
Planned / Next Phase
- detailed dependency mapping
- integration with monitoring and validation data
- stronger linkage with control framework
This page provides a functional view of the services composing the Scheol Security Lab.