Security Hardening
Odeion’s defaults are reasonably safe: registration is invite-only, failed logins are rate limited, and secrets are encrypted at rest. This page covers what is on you as the operator.
Checklist
Section titled “Checklist”| Item | Default | Your action |
|---|---|---|
| TLS | Not handled by Odeion | Put a reverse proxy in front and expose only HTTPS. |
| Public ports | Compose maps 8080 | Expose only the proxy (80/443). Do not publish 8080 or PostgreSQL. |
| Registration | Invite-only | Keep invites short-lived and single-use where possible. |
| Container user | Drops to non-root | Set PUID/PGID to an unprivileged host user. Avoid PUID=0. |
| Database | Embedded, not exposed | If using external PostgreSQL, require TLS (sslmode=require) and a strong password. |
| Config exports | Contain secrets in cleartext | Protect exported YAML files like credentials. |
| API keys | Disabled per user by default | Leave the per-user toggle off unless the user needs automation. |
Network Exposure
Section titled “Network Exposure”The only thing that should face the internet is your reverse proxy serving HTTPS. Odeion’s own port (8080 by default) should be reachable only by the proxy; in a compose setup on the same network you can drop the ports: mapping entirely. Never expose PostgreSQL.
Client apps require HTTPS, so a valid certificate is a functional requirement, not just a hardening step.
Account Security
Section titled “Account Security”- Registration only works with an invite code, and invite redemption is rate limited per IP. See Invites and Registration.
- Failed logins are limited to 10 per 15 minutes per IP and per username. See Rate Limiting and Account Locking.
- Compromised account? Lock it in Admin > Users: this blocks logins, existing sessions, and API keys at once.
- During an active incident, the Login and OAuth kill switches stop all new sign-ins immediately.
Secrets at Rest
Section titled “Secrets at Rest”Passwords are stored as bcrypt hashes. Session tokens and API keys are stored only as SHA-256 hashes. OAuth client secrets and the Apple private key are encrypted in the database and shown redacted in the admin panel.
Two places where secrets do appear in cleartext:
odeion config exportoutput includes integration API keys (Sonarr, Radarr). Treat exported files accordingly.- Reset links are bearer credentials while valid. Deliver them over a trusted channel.
API Keys
Section titled “API Keys”API keys carry an explicit scope allow-list and can never reach admin endpoints, user management, setup, or licensing routes, regardless of the owning user’s role. They do not expire, so revoke keys you no longer use. See API Keys.
Container Hardening
Section titled “Container Hardening”The official image starts as root only to fix volume ownership and join the GPU render group, then drops privileges to the odeion user via gosu. Set PUID and PGID to a dedicated unprivileged host user so files in your mounted volumes are owned sensibly. Media library mounts should be read-only (:ro), which is what the installation wizard generates.