viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/terminal/files/devvm/sudoers.d-ttyd-users

14 lines
605 B
Text
Raw Normal View History

terminal: per-Authentik-user OS-user isolation; deny unmapped users Restores the kernel-level isolation the pre-cutover ttyd-session.sh had, but keeps the multi-session lobby UX: - ttyd.service gets `-H X-authentik-username` back. `tmux-attach.sh` reads $TTYD_USER, looks up the local part in /etc/ttyd-user-map, denies the connection (no fallback to wizard) if there's no mapping, otherwise `sudo -n -H -u <os_user> tmux …`. Each Authentik identity → its own Unix user → its own `/tmp/tmux-<uid>/default` socket. - tmux-api scopes every request to the same OS user via the same header. Adds /whoami so the lobby HTML can preflight access and render "logged in as <os_user> (<authentik>)" instead of leaving the user to discover the deny via a reconnect loop. - Commits /etc/ttyd-user-map and the matching /etc/sudoers.d/ttyd-users fragment under files/devvm/ so future operators see one canonical source of truth. Current mappings: vbarzin → wizard, emil.barzin → emo. Adding a user is now: append a line to ttyd-user-map + a NOPASSWD sudoers line + `useradd -m`. README walks through it. No Terraform changes — this is all DevVM-side + lobby JS.
2026-05-13 19:25:55 +00:00
# Install at /etc/sudoers.d/ttyd-users (mode 0440, owner root:root).
#
# wizard (the user running ttyd.service + tmux-api.service) needs to run
# tmux as the OS user that backs each Authentik identity. Narrow the
# NOPASSWD grant to the tmux binary only, scoped to each named target user
# — never `(ALL)`.
#
# Add one line per OS user listed on the right-hand side of
# /etc/ttyd-user-map. The mapping file is the source of truth for which
# Authentik usernames are accepted; this file is the kernel-level grant
# that makes the per-user attach actually work.
wizard ALL=(emo) NOPASSWD: /usr/bin/tmux
Reference in a new issue Copy permalink