viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/scripts/t3-dispatch.service

16 lines
413 B
SYSTEMD
Raw Normal View History

t3code: devvm dispatch + auto-pair service (Go) Routes X-authentik-username -> per-user t3 instance; on no t3_session cookie, mints a pairing token (as the OS user) and exchanges it at /api/auth/bootstrap, injecting the session cookie. Listens :3780, reads /etc/t3-serve/dispatch.json. Constants from the Task-1 auth-contract spike. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-01 22:37:33 +00:00
[Unit]
Description=t3 per-user dispatch + auto-pair (X-authentik-username -> user instance)
After=network.target
[Service]
Type=simple
t3code: harden dispatch — dedicated user + validated t3-mint + scoped sudoers Run t3-dispatch as an unprivileged dedicated user instead of wizard (who has full sudo). Privileged minting goes through /usr/local/bin/t3-mint, which validates the target against /etc/ttyd-user-map before minting as that user; sudoers permits t3-dispatch to run only that wrapper. Compromise of the network-facing service can mint pairing tokens for mapped users at most. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-01 22:40:53 +00:00
# Unprivileged dedicated user; the only privileged action is `sudo t3-mint`
# (scoped in /etc/sudoers.d/t3-autopair). Compromise => mint tokens at most.
User=t3-dispatch
t3code: devvm dispatch + auto-pair service (Go) Routes X-authentik-username -> per-user t3 instance; on no t3_session cookie, mints a pairing token (as the OS user) and exchanges it at /api/auth/bootstrap, injecting the session cookie. Listens :3780, reads /etc/t3-serve/dispatch.json. Constants from the Task-1 auth-contract spike. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-01 22:37:33 +00:00
ExecStart=/usr/local/bin/t3-dispatch
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
Reference in a new issue Copy permalink