viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'forgejo/master' into wizard/breakglass
Some checks failed
ci/woodpecker/push/build-cli Pipeline was successful
Details
ci/woodpecker/push/default Pipeline failed
Details

Browse source
This commit is contained in:
Viktor Barzin 2026-06-12 21:41:58 +00:00
commit 3138a0a040
2 changed files with 23 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

5
stacks/tripit/authentik.tf
View file

@ -51,6 +51,11 @@ resource "authentik_provider_oauth2" "tripit_app" {
name = "tripit-app"
client_id = "tripit-app"
client_type = "public"
# sub = the user's EMAIL, not the default hashed_user_id: tripit prod users
# are email-keyed (forwardauth provisioned id == email), and the backend's
# hybrid bearer arm must resolve the SAME user row, not mint a hash-keyed
# twin (review finding, tripit #50).
sub_mode = "user_email"
authorization_flow = data.authentik_flow.default_authorization_implicit_consent.id
invalidation_flow = data.authentik_flow.default_provider_invalidation.id

23
stacks/tripit/main.tf
View file

@ -30,12 +30,22 @@ locals {
# (keys via the tripit-secrets ExternalSecret), WEATHER_PROVIDER=openmeteo,
# GEOCODER_PROVIDER=openmeteo, PUSH_PROVIDER=webpush. LLM_MODE=fake and
# MAIL_INGEST_ENABLED=false here (the ingest-plans CronJob overrides both).
# AUTH_MODE=forwardauth: the backend trusts the Authentik-injected
# X-authentik-email header (forward-auth at the ingress). STORAGE_DIR points
# at the RWX NFS PVC the app's default ./var is not writable by the
# non-root user.
# AUTH_MODE=hybrid (tripit ADR-0017, image >= 81a816f7): a Bearer JWT from
# the tripit-app Authentik provider wins (validated in-app against OIDC_*);
# otherwise the backend trusts the Authentik-injected X-authentik-email
# header exactly as forwardauth did (browser path unchanged; the tripit-api
# ingress strips inbound X-authentik-* so the fallback can't be spoofed).
# STORAGE_DIR points at the RWX NFS PVC the app's default ./var is not
# writable by the non-root user.
app_env = {
AUTH_MODE = "forwardauth"
AUTH_MODE = "hybrid"
OIDC_ISSUER = "https://authentik.viktorbarzin.me/application/o/tripit-app/"
OIDC_JWKS_URL = "https://authentik.viktorbarzin.me/application/o/tripit-app/jwks/"
OIDC_AUDIENCE = "tripit-app"
# OTA Web bundles (ADR-0014): the signed zip URL must point at the
# bearer-only host the in-app request-derived base would be wrong
# behind the proxy (uvicorn doesn't trust forwarded headers).
BUNDLE_PUBLIC_BASE = "https://tripit-api.viktorbarzin.me"
SERVE_FRONTEND_DIR = "/app/frontend_build"
STORAGE_DIR = "/data/documents"
PERSONAL_STORAGE_DIR = "/data/personal-documents"
@ -187,6 +197,9 @@ resource "kubernetes_manifest" "external_secret" {
{ secretKey = "VAPID_PRIVATE_KEY", remoteRef = { key = "tripit", property = "VAPID_PRIVATE_KEY" } },
{ secretKey = "VAPID_SUBJECT", remoteRef = { key = "tripit", property = "VAPID_SUBJECT" } },
{ secretKey = "CALENDAR_TOKEN_SECRET", remoteRef = { key = "tripit", property = "CALENDAR_TOKEN_SECRET" } },
# HMAC secret signing the short-lived OTA Web-bundle zip URLs (ADR-0014
# addendum; the Shell's native downloader can't send auth headers).
{ secretKey = "BUNDLE_TOKEN_SECRET", remoteRef = { key = "tripit", property = "BUNDLE_TOKEN_SECRET" } },
{ secretKey = "DOCUMENT_ENCRYPTION_KEY", remoteRef = { key = "tripit", property = "DOCUMENT_ENCRYPTION_KEY" } },
{ secretKey = "IMAP_PASSWORD", remoteRef = { key = "tripit", property = "IMAP_PASSWORD" } },
# spam@viktorbarzin.me password used only by the ingest-plans CronJob