chore(authentik): tear down obsolete tripit-enrollment (ADR-0020 superseded by ADR-0028)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
TripIt external users are now LOCAL TripIt accounts (ADR-0028 native passkey + Authentik OIDC), so the Authentik-side self-enrollment machinery is dead. Removes the tripit-enrollment + tripit-recovery flows and all their stages/prompts/policies/bindings, the tripit-email-stages blueprint (+yaml), and the 'TripIt External' group; reverts the admin-services-restriction fence branch that contained those users (its sole member, the leftover tripit-demo@ test account, was deleted first, so the revert affects zero live principals). Real external collaborators (type=external) are untouched.

tg plan: 0 add, 1 change (the policy expression), 20 destroy (all tripit_*).

Closes tripit#97; moots the B2 per-app OIDC fences.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent 834c5e6a2a
commit 3278588325
7 changed files with 0 additions and 564 deletions
@ -108,31 +108,6 @@ All new users must use an invitation link to register. The invitation-enrollment
Group membership is auto-assigned from the invitation's `fixed_data` field. This prevents open registration while maintaining SSO convenience.

### TripIt External self-signup (open enrollment, fenced)

Unlike every other app, **TripIt allows open public self-signup** for people
outside the homelab (ADR-0020 in the tripit repo; runbook
`docs/runbooks/tripit-external-signup.md`). A dedicated public `tripit-enrollment`
flow (email + passkey, no password) creates the account and stamps it into the
parentless **`TripIt External`** group. Containment is two-layered:

- **Forward-auth apps**: a branch prepended to the `admin-services-restriction`
catch-all policy admits `TripIt External` to `tripit.viktorbarzin.me` only and
denies every other `auth="required"` host.
- **OIDC apps**: that branch does NOT cover OIDC (OIDC bypasses forward-auth).
External users are contained because every sensitive OIDC app already requires a
trusted group they do not hold — audited 2026-06-15:
Immich/Grafana/Linkwarden/Cloudflare Access → `Home Server Admins`, Forgejo →
`Task Submitters`/`Forgejo Users`, Headscale → `Headscale Users`, wrongmove →
`Wrongmove Users`. **Vault** was OPEN (any OIDC identity got a powerless
`default`-policy token) and is bound to **`Allow Login Users`** as part of this
change. The Kubernetes OIDC clients are OPEN but idle (apiserver rejects OIDC).

**Invariants**: keep `TripIt External` parentless (never under `Allow Login
Users`); keep the catch-all branch first; never co-assign `TripIt External` to a
trusted/internal user; the `tripit-enrollment` user_write "Create users group"
setting is the keystone that tags every signup.

### OIDC Applications

Authentik provides OIDC for 10 applications:

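Review bot: the OIDC-app audit inside the removed section (the 2026-06-15 list of which trusted group each OIDC app requires, the note that Vault was OPEN and "is bound to **`Allow Login Users`** as part of this change", and "The Kubernetes OIDC clients are OPEN but idle (apiserver rejects OIDC).") is not TripIt-specific, and the commit message lists the destroys as "all tripit_*" with no revert of the Vault binding, so deleting the whole section drops the only record of that binding and of the Kubernetes clients' exposure from this document. Suggest keeping those lines, stripped of the TripIt framing, under `### OIDC Applications`, and adding one sentence there noting that the `admin-services-restriction` catch-all branch for `TripIt External` was reverted, so a reader who still finds references to that branch elsewhere in the docs is not left looking for the "keep the catch-all branch first" invariant.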