sync: Add Wrightstown Solar and Smart Home projects

New projects from 2026-02-09 research session: Wrightstown Solar: - DIY 48V LiFePO4 battery storage (EVE C40 cells) - Victron MultiPlus II whole-house UPS design - BMS comparison (Victron CAN bus compatible) - EV salvage analysis (new cells won) - Full parts list and budget Wrightstown Smart Home: - Home Assistant Yellow setup (local voice, no cloud) - Local LLM server build guide (Ollama + RTX 4090) - Hybrid LLM bridge (LiteLLM + Claude API + Grok API) - Network security (VLAN architecture, PII sanitization) Machine: ACG-M-L5090 Timestamp: 2026-02-09 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-10 18:44:35 -07:00
parent fee9cc01ac
commit aaf4172b3c
12 changed files with 1953 additions and 0 deletions
--- a/projects/wrightstown-smarthome/documentation/network-security.md
+++ b/projects/wrightstown-smarthome/documentation/network-security.md
@@ -0,0 +1,210 @@
+# Network Security - VLAN Architecture & Privacy
+
+**Created:** 2026-02-09
+**Purpose:** IoT isolation, private data protection, PII sanitization for cloud APIs
+
+---
+
+## VLAN Architecture
+
+```
+---------------------------------------------+
+|  VLAN 1: Trusted (192.168.1.0/24)          |
+|  Laptops, phones, tablets                   |
+|  Full internet access                       |
+|  Can initiate connections to all VLANs      |
+---------------------------------------------+
+                  | (can access)
+---------------------------------------------+
+|  VLAN 10: Infrastructure (192.168.10.0/24)  |
+|  Home Assistant Yellow                      |
+|  LLM Server                                |
+|  NAS (if applicable)                        |
+|  Can access Trusted + IoT VLANs            |
+---------------------------------------------+
+                  | (can access)
+---------------------------------------------+
+|  VLAN 20: IoT (192.168.20.0/24)            |
+|  Zigbee coordinator (HA Yellow)             |
+|  WiFi cameras, sensors, smart plugs        |
+|  BLOCKED from initiating to Trusted        |
+|  Internet restricted (DNS/NTP only)         |
+---------------------------------------------+
+                  | (restricted)
+---------------------------------------------+
+|  VLAN 99: Guest (192.168.99.0/24)          |
+|  Guest devices                              |
+|  Internet only, no internal access          |
+---------------------------------------------+
+```
+
+---
+
+## Firewall Rules
+
+### Rule 1: IoT Isolation (Critical)
+- **ALLOW:** Trusted --> IoT (control devices from phone)
+- **BLOCK:** IoT --> Trusted (prevent compromised device probing network)
+
+### Rule 2: Infrastructure Bridge
+- **ALLOW:** Infrastructure --> IoT (HA controls devices)
+- **ALLOW:** Infrastructure --> Trusted (send notifications)
+- **ALLOW:** Trusted --> Infrastructure (access HA web UI, LLM)
+
+### Rule 3: IoT Internet Restriction
+- **ALLOW:** IoT --> DNS (port 53) and NTP (port 123)
+- **BLOCK:** IoT --> Internet (all other ports)
+- **EXCEPTION:** Whitelist specific cloud services if device requires it
+
+### Rule 4: mDNS Control
+- **BLOCK:** Broadcast protocols across VLANs by default
+- **ALLOW:** Selective mDNS reflection for HA discovery
+
+---
+
+## Hardware Options
+
+### Budget: TP-Link Omada (~$150)
+- ER605 router ($60) -- VLAN routing, firewall rules
+- TL-SG2008P managed switch ($90) -- VLAN tagging, PoE
+
+### Mid-tier: Ubiquiti UniFi (~$760)
+- Dream Machine Pro ($379) -- Router + controller + IDS
+- USW-24-PoE switch ($379) -- 24 ports, VLAN, PoE
+- Better UI, more features, IDS/IPS built in
+
+### Existing Gear
+- Most Netgear managed switches support VLANs
+- OpenWRT on consumer routers adds VLAN capability
+- pfSense/OPNsense on old PC is free and powerful
+
+---
+
+## Privacy: Keeping Data Local
+
+### Core Principle
+
+**Private data NEVER leaves the local network.**
+
+| Data Type | Route | Why |
+|---|---|---|
+| Sensor readings | Local LLM only | Reveals activity patterns |
+| Camera feeds | Local LLM only | Obvious privacy concern |
+| Device names/locations | Local LLM only | Reveals home layout |
+| Presence detection | Local LLM only | Reveals who's home |
+| Personal names/addresses | Strip before cloud | PII |
+| Energy usage patterns | Sanitize before cloud | Activity inference |
+| General questions | Cloud OK | No private data |
+| Internet searches | Cloud OK (Grok) | No private data |
+
+### PII Sanitization Pipeline
+
+For queries that go to cloud APIs, scrub private information first:
+
+```python
+from presidio_analyzer import AnalyzerEngine
+from presidio_anonymizer import AnonymizerEngine
+
+analyzer = AnalyzerEngine()
+anonymizer = AnonymizerEngine()
+
+def sanitize_for_cloud(query):
+    """Remove PII before sending to Claude/Grok"""
+
+    # Detect sensitive entities
+    results = analyzer.analyze(
+        text=query,
+        entities=["PERSON", "LOCATION", "PHONE_NUMBER",
+                  "EMAIL_ADDRESS", "DATE_TIME"],
+        language="en"
+    )
+
+    # Anonymize detected entities
+    sanitized = anonymizer.anonymize(text=query, analyzer_results=results)
+
+    # Hard block certain categories
+    blocked_keywords = ["camera", "location", "address",
+                       "password", "who is home", "alarm"]
+    if any(kw in query.lower() for kw in blocked_keywords):
+        return None  # Block query entirely, handle locally
+
+    return sanitized.text
+```
+
+### Cloud API Data Policies
+
+**Anthropic (Claude):**
+- API inputs are NOT used for training by default
+- Can explicitly opt out
+- Data retained 30 days for safety, then deleted
+
+**xAI (Grok):**
+- Data sharing program is opt-in ($150/month credit if you opt in)
+- Can opt out and keep data private
+- Standard API usage not used for training if opted out
+
+---
+
+## Remote Access
+
+### Recommended: Tailscale (Zero-Config VPN)
+
+```bash
+# Install on LLM server and HA
+curl -fsSL https://tailscale.com/install.sh | sh
+tailscale up
+```
+
+- WireGuard-based mesh network
+- No port forwarding needed
+- Free for personal use (up to 20 devices)
+- Access HA + LLM from anywhere securely
+
+### Alternative: WireGuard (Self-Hosted)
+
+- Run on router or dedicated server
+- Full control, no third-party dependency
+- Requires port forwarding (one UDP port)
+- More setup, more control
+
+### Home Assistant Cloud (Nabu Casa)
+
+- $6.50/month, official HA remote access
+- No VPN config needed
+- Supports HA development team
+- Simplest option
+
+---
+
+## Security Hardening Checklist
+
+- [ ] Disable UPnP on router
+- [ ] Enable 2FA on Home Assistant
+- [ ] Strong passwords (16+ chars, random) on all services
+- [ ] Regular updates: HA, Ollama, OS, router firmware
+- [ ] Monitor failed login attempts in HA logs
+- [ ] Daily automated backups (HA + LLM configs)
+- [ ] Firewall rules reviewed quarterly
+- [ ] IoT devices on isolated VLAN
+- [ ] No camera feeds sent to cloud APIs
+- [ ] PII sanitization active on cloud-bound queries
+
+---
+
+## Data Retention
+
+| System | Retention | Notes |
+|---|---|---|
+| HA sensor data | 30 days raw, indefinite aggregated | Purge in Settings > System > Storage |
+| Camera recordings | 7-14 days | Local storage only (NAS or NVMe) |
+| LLM conversation logs | Purge monthly | Ollama logs stored locally |
+| Cloud API logs | Disable or redact PII | Check provider settings |
+
+---
+
+## Sources
+
+- https://newerest.space/mastering-network-segmentation-vlans-home-assistant-iot-security/
+- https://www.xda-developers.com/vlan-rules-every-smart-home-should-have/
+- https://thehomesmarthome.com/home-assistant-security-vlans-firewalls-ids/
+- https://tailscale.com/