infra/stacks/authentik/admin-services-restriction.tf

# Catch-all forward-auth restriction: gate the admin-only hostnames to the
# "Home Server Admins" group. Bound to the "Domain wide catch all" application
# (binding stays UI-managed; only the expression is adopted here).
#
# Adopted into Terraform 2026-06-04 to add a carve-out: the Kubernetes Dashboard
# (k8s.viktorbarzin.me) ALSO admits the kubernetes-* RBAC groups, so
# namespace-owners (e.g. gheorghe) can reach the dashboard login page. The
# dashboard itself enforces per-namespace access via the pasted ServiceAccount
# token (stacks/rbac/modules/rbac/dashboard-sa.tf) — this policy only controls
# who reaches the page. All other admin-only hosts remain Home-Server-Admins-only.
import {
  to = authentik_policy_expression.admin_services_restriction
  id = "07a11b85-8f37-4844-aebb-ac9c112ec87c"
}

resource "authentik_policy_expression" "admin_services_restriction" {
  name = "admin-services-restriction"
  expression = trimspace(<<-EOT
    ADMIN_ONLY_HOSTS = {
        "terminal.viktorbarzin.me",
        "frigate.viktorbarzin.me",
        "netbox.viktorbarzin.me",
        "trading.viktorbarzin.me",
        "speedtest.viktorbarzin.me",
        "meshcentral.viktorbarzin.me",
        "k8s.viktorbarzin.me",
        "dashy.viktorbarzin.me",
        "prowlarr.viktorbarzin.me",
        "qbittorrent.viktorbarzin.me",
        "listenarr.viktorbarzin.me",
        "shlink.viktorbarzin.me",
        "openclaw.viktorbarzin.me",
        "openlobster.viktorbarzin.me",
        "wealthfolio.viktorbarzin.me",
    }

    ADMIN_GROUP = "Home Server Admins"

    # The K8s Dashboard additionally admits the Kubernetes RBAC groups. Access
    # to the page is not the security boundary — the pasted ServiceAccount token
    # is (per-namespace admin + cluster read-only). See dashboard-sa.tf.
    K8S_DASHBOARD_HOST = "k8s.viktorbarzin.me"
    K8S_DASHBOARD_GROUPS = [
        "Home Server Admins",
        "kubernetes-admins",
        "kubernetes-power-users",
        "kubernetes-namespace-owners",
    ]

    host = request.context.get("host", "")

    # TripIt External containment fence (ADR-0020 in the tripit repo). Publicly
    # self-enrolled TripIt users (group "TripIt External", assigned by the
    # tripit-enrollment flow's user_write) may reach tripit.viktorbarzin.me and
    # NOTHING else. MUST be the FIRST host-dispatch branch: it is a request.user
    # predicate that must dominate every host branch below, ESPECIALLY the
    # default-allow `if host not in ADMIN_ONLY_HOSTS: return True` — placed after
    # it, a tagged user would slip into other hosts. Safe to add: the group is
    # net-new and created EMPTY, so this matches zero existing principals (no
    # lockout). The fence is forward-auth ONLY; OIDC apps (Vault, Immich, …)
    # contain External users via their own per-app group bindings — see
    # docs/runbooks/tripit-external-signup.md. NEVER co-assign "TripIt External"
    # to a trusted/internal user (this branch would fence them out of admin hosts).
    if ak_is_group_member(request.user, name="TripIt External"):
        return host == "tripit.viktorbarzin.me"

    # t3 Workstation edge gate: only members of "T3 Users" may reach t3.
    # Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in
    # that set — it must not require Home-Server-Admins, just T3 Users membership).
    if host == "t3.viktorbarzin.me":
        return ak_is_group_member(request.user, name="T3 Users")

    # Not an admin-only host: allow any authenticated user.
    if host not in ADMIN_ONLY_HOSTS:
        return True

    # K8s Dashboard: allow admins OR any Kubernetes RBAC group.
    if host == K8S_DASHBOARD_HOST:
        return any(ak_is_group_member(request.user, name=g) for g in K8S_DASHBOARD_GROUPS)

    # Every other admin-only host: Home Server Admins only.
    return ak_is_group_member(request.user, name=ADMIN_GROUP)
  EOT
  )
}
fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip] 6d224861 came from a --no-checkout worktree whose empty index made the commit drop every file except two. This restores 05b50d2b's full tree and correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the live infra was never applied from the broken commit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-09 08:45:33 +00:00			`# Catch-all forward-auth restriction: gate the admin-only hostnames to the`
			`# "Home Server Admins" group. Bound to the "Domain wide catch all" application`
			`# (binding stays UI-managed; only the expression is adopted here).`
			`#`
			`# Adopted into Terraform 2026-06-04 to add a carve-out: the Kubernetes Dashboard`
			`# (k8s.viktorbarzin.me) ALSO admits the kubernetes-* RBAC groups, so`
			`# namespace-owners (e.g. gheorghe) can reach the dashboard login page. The`
			`# dashboard itself enforces per-namespace access via the pasted ServiceAccount`
			`# token (stacks/rbac/modules/rbac/dashboard-sa.tf) — this policy only controls`
			`# who reaches the page. All other admin-only hosts remain Home-Server-Admins-only.`
			`import {`
			`to = authentik_policy_expression.admin_services_restriction`
			`id = "07a11b85-8f37-4844-aebb-ac9c112ec87c"`
			`}`

			`resource "authentik_policy_expression" "admin_services_restriction" {`
			`name = "admin-services-restriction"`
			`expression = trimspace(<<-EOT`
			`ADMIN_ONLY_HOSTS = {`
			`"terminal.viktorbarzin.me",`
			`"frigate.viktorbarzin.me",`
			`"netbox.viktorbarzin.me",`
			`"trading.viktorbarzin.me",`
			`"speedtest.viktorbarzin.me",`
			`"meshcentral.viktorbarzin.me",`
			`"k8s.viktorbarzin.me",`
			`"dashy.viktorbarzin.me",`
			`"prowlarr.viktorbarzin.me",`
			`"qbittorrent.viktorbarzin.me",`
			`"listenarr.viktorbarzin.me",`
			`"shlink.viktorbarzin.me",`
			`"openclaw.viktorbarzin.me",`
			`"openlobster.viktorbarzin.me",`
			`"wealthfolio.viktorbarzin.me",`
			`}`

			`ADMIN_GROUP = "Home Server Admins"`

			`# The K8s Dashboard additionally admits the Kubernetes RBAC groups. Access`
			`# to the page is not the security boundary — the pasted ServiceAccount token`
			`# is (per-namespace admin + cluster read-only). See dashboard-sa.tf.`
			`K8S_DASHBOARD_HOST = "k8s.viktorbarzin.me"`
			`K8S_DASHBOARD_GROUPS = [`
			`"Home Server Admins",`
			`"kubernetes-admins",`
			`"kubernetes-power-users",`
			`"kubernetes-namespace-owners",`
			`]`

			`host = request.context.get("host", "")`

feat(authentik): TripIt external self-signup group + forward-auth fence (ADR-0020) Viktor wants people outside the homelab to self-register to TripIt with email + a passkey (no password), kept separate from the rest of the homelab. Adds the empty, parentless 'TripIt External' Authentik group and a first-position branch in the catch-all policy that admits those users to tripit.viktorbarzin.me only and denies every other forward-auth host. Inert on apply (group empty => matches no existing user => no lockout). An adversarial review found the fence is forward-auth-only, so the runbook records the OIDC-app containment audit (every sensitive app already requires a trusted group External users won't hold), the Vault->Allow Login Users binding that closes the one open OIDC app, the SMTP prerequisite for email verification, and the before/after access-matrix verification. Flows/SMTP/Vault binding are UI steps per the runbook; the push that applies the catch-all edit must be human-watched (CI auto-applies the authentik stack). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-15 21:34:37 +00:00			`# TripIt External containment fence (ADR-0020 in the tripit repo). Publicly`
			`# self-enrolled TripIt users (group "TripIt External", assigned by the`
			`# tripit-enrollment flow's user_write) may reach tripit.viktorbarzin.me and`
			`# NOTHING else. MUST be the FIRST host-dispatch branch: it is a request.user`
			`# predicate that must dominate every host branch below, ESPECIALLY the`
			# default-allow `if host not in ADMIN_ONLY_HOSTS: return True` — placed after
			`# it, a tagged user would slip into other hosts. Safe to add: the group is`
			`# net-new and created EMPTY, so this matches zero existing principals (no`
			`# lockout). The fence is forward-auth ONLY; OIDC apps (Vault, Immich, …)`
			`# contain External users via their own per-app group bindings — see`
			`# docs/runbooks/tripit-external-signup.md. NEVER co-assign "TripIt External"`
			`# to a trusted/internal user (this branch would fence them out of admin hosts).`
			`if ak_is_group_member(request.user, name="TripIt External"):`
			`return host == "tripit.viktorbarzin.me"`

fix: restore tree dropped by 6d224861; land stem95su gdrive-sync (10m) [ci skip] 6d224861 came from a --no-checkout worktree whose empty index made the commit drop every file except two. This restores 05b50d2b's full tree and correctly adds stacks/stem95su/gdrive-sync.tf + the service-catalog stem95su entry. Forward-only (parent=6d224861, no force-push); [ci skip] since the live infra was never applied from the broken commit. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-09 08:45:33 +00:00			`# t3 Workstation edge gate: only members of "T3 Users" may reach t3.`
			`# Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in`
			`# that set — it must not require Home-Server-Admins, just T3 Users membership).`
			`if host == "t3.viktorbarzin.me":`
			`return ak_is_group_member(request.user, name="T3 Users")`

			`# Not an admin-only host: allow any authenticated user.`
			`if host not in ADMIN_ONLY_HOSTS:`
			`return True`

			`# K8s Dashboard: allow admins OR any Kubernetes RBAC group.`
			`if host == K8S_DASHBOARD_HOST:`
			`return any(ak_is_group_member(request.user, name=g) for g in K8S_DASHBOARD_GROUPS)`

			`# Every other admin-only host: Home Server Admins only.`
			`return ak_is_group_member(request.user, name=ADMIN_GROUP)`
			`EOT`
			`)`
			`}`