infra/stacks/authentik/tripit-external.tf

# "TripIt External" group — containment anchor for publicly self-enrolled TripIt
# users (ADR-0020 in the tripit repo). Members are admitted to
# tripit.viktorbarzin.me ONLY and denied every other *.viktorbarzin.me
# forward-auth host by the prepended branch in admin-services-restriction.tf.
#
# Created EMPTY and PARENTLESS, on purpose:
#   * EMPTY — the no-lockout guarantee. Zero members at apply time => the
#     prepended policy branch matches zero existing principals => it cannot
#     change anyone's authorization (contrast authentik_group "T3 Users", which
#     is created WITH members atomically because THAT gate's safety property is
#     the opposite). Membership is assigned at RUNTIME by the tripit-enrollment
#     flow's user_write "Create users group" option (authentik_stage_user_write
#     in tripit-flows.tf). Terraform owns the group's EXISTENCE and the flow that
#     assigns it.
#   * PARENTLESS — do NOT make this a child of "Allow Login Users". The sensitive
#     OIDC apps gate on "Home Server Admins" / "Headscale Users" / "Wrongmove
#     Users" (children of "Allow Login Users") or, for Vault, on "Allow Login
#     Users" itself (bound as part of ADR-0020). Keeping External out of that
#     tree is what stops these users reaching OIDC apps — mirrors guest.tf, which
#     keeps the guest group out of "Allow Login Users" for the same reason.
resource "authentik_group" "tripit_external" {
  name = "TripIt External"
}
feat(authentik): TripIt external self-signup group + forward-auth fence (ADR-0020) Viktor wants people outside the homelab to self-register to TripIt with email + a passkey (no password), kept separate from the rest of the homelab. Adds the empty, parentless 'TripIt External' Authentik group and a first-position branch in the catch-all policy that admits those users to tripit.viktorbarzin.me only and denies every other forward-auth host. Inert on apply (group empty => matches no existing user => no lockout). An adversarial review found the fence is forward-auth-only, so the runbook records the OIDC-app containment audit (every sensitive app already requires a trusted group External users won't hold), the Vault->Allow Login Users binding that closes the one open OIDC app, the SMTP prerequisite for email verification, and the before/after access-matrix verification. Flows/SMTP/Vault binding are UI steps per the runbook; the push that applies the catch-all edit must be human-watched (CI auto-applies the authentik stack). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-15 21:34:37 +00:00			`# "TripIt External" group — containment anchor for publicly self-enrolled TripIt`
			`# users (ADR-0020 in the tripit repo). Members are admitted to`
			`# tripit.viktorbarzin.me ONLY and denied every other *.viktorbarzin.me`
			`# forward-auth host by the prepended branch in admin-services-restriction.tf.`
			`#`
			`# Created EMPTY and PARENTLESS, on purpose:`
			`# * EMPTY — the no-lockout guarantee. Zero members at apply time => the`
			`# prepended policy branch matches zero existing principals => it cannot`
			`# change anyone's authorization (contrast authentik_group "T3 Users", which`
			`# is created WITH members atomically because THAT gate's safety property is`
			`# the opposite). Membership is assigned at RUNTIME by the tripit-enrollment`
feat(authentik): tripit-enrollment + tripit-recovery flows (passwordless signup, ADR-0020) Makes the WebLanding 'Sign up' button work (it was 404ing — the tripit-enrollment flow didn't exist). Open passwordless registration: prompt(email,name) -> user_write(INACTIVE, external, group 'TripIt External') -> email verification (activates) -> passkey -> login. The inactive-until-verified gate is the security boundary: tripit trusts X-authentik-email, so activation must require proving inbox ownership. Passwordless login already works via the built-in webauthn flow. tripit-recovery (email -> new passkey) is built but intentionally NOT wired into the global brand recovery, so admin recovery is unchanged. Schema validated with terraform validate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-17 07:20:11 +00:00			`# flow's user_write "Create users group" option (authentik_stage_user_write`
			`# in tripit-flows.tf). Terraform owns the group's EXISTENCE and the flow that`
			`# assigns it.`
feat(authentik): TripIt external self-signup group + forward-auth fence (ADR-0020) Viktor wants people outside the homelab to self-register to TripIt with email + a passkey (no password), kept separate from the rest of the homelab. Adds the empty, parentless 'TripIt External' Authentik group and a first-position branch in the catch-all policy that admits those users to tripit.viktorbarzin.me only and denies every other forward-auth host. Inert on apply (group empty => matches no existing user => no lockout). An adversarial review found the fence is forward-auth-only, so the runbook records the OIDC-app containment audit (every sensitive app already requires a trusted group External users won't hold), the Vault->Allow Login Users binding that closes the one open OIDC app, the SMTP prerequisite for email verification, and the before/after access-matrix verification. Flows/SMTP/Vault binding are UI steps per the runbook; the push that applies the catch-all edit must be human-watched (CI auto-applies the authentik stack). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-15 21:34:37 +00:00			`# * PARENTLESS — do NOT make this a child of "Allow Login Users". The sensitive`
			`# OIDC apps gate on "Home Server Admins" / "Headscale Users" / "Wrongmove`
			`# Users" (children of "Allow Login Users") or, for Vault, on "Allow Login`
			`# Users" itself (bound as part of ADR-0020). Keeping External out of that`
			`# tree is what stops these users reaching OIDC apps — mirrors guest.tf, which`
			`# keeps the guest group out of "Allow Login Users" for the same reason.`
			`resource "authentik_group" "tripit_external" {`
			`name = "TripIt External"`
			`}`