viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

workstation: gate t3.viktorbarzin.me to the T3 Users group (Phase 4)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
Details
ci/woodpecker/push/build-cli Pipeline was successful
Details

Browse source 
New authentik_group 'T3 Users' (members wizard/emo/ancamilea via data lookups — usernames ARE their emails in this Authentik instance) + a branch in the admin-services-restriction expression policy gating t3.viktorbarzin.me to that group, placed BEFORE the ADMIN_ONLY_HOSTS early-return. Surgical two-step targeted apply (group-with-members first, then the gate) → zero lock-out window. Verified: group has all 3 members, the live policy contains the t3 branch, t3 still 302s to Authentik. Membership is HCL for now (FUTURE: roster-reconciled via the Authentik API).

Note: the authentik stack had 3 unrelated pending drift changes (pgbouncer deployment + 2 tls_secrets) — deliberately NOT applied (targeted apply isolated this change; left for the stack owner).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-08 17:50:40 +00:00
parent 173b1fc116
commit 5c378dd5e3
2 changed files with 39 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
stacks/authentik/admin-services-restriction.tf
View file

@ -49,6 +49,12 @@ resource "authentik_policy_expression" "admin_services_restriction" {
host = request.context.get("host", "")
# t3 Workstation edge gate: only members of "T3 Users" may reach t3.
# Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in
# that set it must not require Home-Server-Admins, just T3 Users membership).
if host == "t3.viktorbarzin.me":
return ak_is_group_member(request.user, name="T3 Users")
# Not an admin-only host: allow any authenticated user.
if host not in ADMIN_ONLY_HOSTS:
return True

33
stacks/authentik/t3-users.tf Normal file
View file

@ -0,0 +1,33 @@
# "T3 Users" group gates the devvm Claude Code Workstation (t3.viktorbarzin.me)
# at the Authentik edge (the branch in admin-services-restriction.tf). The group
# is created WITH its members atomically so enabling the gate can never lock
# everyone (incl. wizard) out.
#
# emo / ancamilea / wizard are NOT Terraform-managed authentik_user resources in
# this stack, so they're looked up by username which in this Authentik instance
# IS the user's email (verified live 2026-06-08): vbarzin@gmail.com, etc.
#
# Membership is in HCL for now (matches the roster's 3 users). FUTURE: when the
# devvm provisioner reconciles T3 Users membership from roster.yaml via the
# Authentik API, drop the `users` arg here so TF owns only the group's existence.
data "authentik_user" "wizard" {
username = "vbarzin@gmail.com"
}
data "authentik_user" "emo" {
username = "emil.barzin@gmail.com"
}
data "authentik_user" "ancamilea" {
username = "ancaelena98@gmail.com"
}
resource "authentik_group" "t3_users" {
name = "T3 Users"
users = [
data.authentik_user.wizard.id,
data.authentik_user.emo.id,
data.authentik_user.ancamilea.id,
]
}