chore(authentik): tear down obsolete tripit-enrollment (ADR-0020 superseded by ADR-0028)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
TripIt external users are now LOCAL TripIt accounts (ADR-0028 native passkey + Authentik OIDC), so the Authentik-side self-enrollment machinery is dead. Removes the tripit-enrollment + tripit-recovery flows and all their stages/prompts/policies/bindings, the tripit-email-stages blueprint (+yaml), and the 'TripIt External' group; reverts the admin-services-restriction fence branch that contained those users (its sole member, the leftover tripit-demo@ test account, was deleted first, so the revert affects zero live principals). Real external collaborators (type=external) are untouched. tg plan: 0 add, 1 change (the policy expression), 20 destroy (all tripit_*). Closes tripit#97; moots the B2 per-app OIDC fences. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
834c5e6a2a
commit
3278588325
7 changed files with 0 additions and 564 deletions
|
|
@ -49,21 +49,6 @@ resource "authentik_policy_expression" "admin_services_restriction" {
|
|||
|
||||
host = request.context.get("host", "")
|
||||
|
||||
# TripIt External containment fence (ADR-0020 in the tripit repo). Publicly
|
||||
# self-enrolled TripIt users (group "TripIt External", assigned by the
|
||||
# tripit-enrollment flow's user_write) may reach tripit.viktorbarzin.me and
|
||||
# NOTHING else. MUST be the FIRST host-dispatch branch: it is a request.user
|
||||
# predicate that must dominate every host branch below, ESPECIALLY the
|
||||
# default-allow `if host not in ADMIN_ONLY_HOSTS: return True` — placed after
|
||||
# it, a tagged user would slip into other hosts. Safe to add: the group is
|
||||
# net-new and created EMPTY, so this matches zero existing principals (no
|
||||
# lockout). The fence is forward-auth ONLY; OIDC apps (Vault, Immich, …)
|
||||
# contain External users via their own per-app group bindings — see
|
||||
# docs/runbooks/tripit-external-signup.md. NEVER co-assign "TripIt External"
|
||||
# to a trusted/internal user (this branch would fence them out of admin hosts).
|
||||
if ak_is_group_member(request.user, name="TripIt External"):
|
||||
return host == "tripit.viktorbarzin.me"
|
||||
|
||||
# t3 Workstation edge gate: only members of "T3 Users" may reach t3.
|
||||
# Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in
|
||||
# that set — it must not require Home-Server-Admins, just T3 Users membership).
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue