From 5c378dd5e376a328b9bdc24f02989ed9642b4397 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 8 Jun 2026 17:50:40 +0000 Subject: [PATCH] workstation: gate t3.viktorbarzin.me to the T3 Users group (Phase 4) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New authentik_group 'T3 Users' (members wizard/emo/ancamilea via data lookups — usernames ARE their emails in this Authentik instance) + a branch in the admin-services-restriction expression policy gating t3.viktorbarzin.me to that group, placed BEFORE the ADMIN_ONLY_HOSTS early-return. Surgical two-step targeted apply (group-with-members first, then the gate) → zero lock-out window. Verified: group has all 3 members, the live policy contains the t3 branch, t3 still 302s to Authentik. Membership is HCL for now (FUTURE: roster-reconciled via the Authentik API). Note: the authentik stack had 3 unrelated pending drift changes (pgbouncer deployment + 2 tls_secrets) — deliberately NOT applied (targeted apply isolated this change; left for the stack owner). Co-Authored-By: Claude Opus 4.8 --- .../authentik/admin-services-restriction.tf | 6 ++++ stacks/authentik/t3-users.tf | 33 +++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 stacks/authentik/t3-users.tf diff --git a/stacks/authentik/admin-services-restriction.tf b/stacks/authentik/admin-services-restriction.tf index e17c8d06..2dcc1ca2 100644 --- a/stacks/authentik/admin-services-restriction.tf +++ b/stacks/authentik/admin-services-restriction.tf @@ -49,6 +49,12 @@ resource "authentik_policy_expression" "admin_services_restriction" { host = request.context.get("host", "") + # t3 Workstation edge gate: only members of "T3 Users" may reach t3. + # Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in + # that set — it must not require Home-Server-Admins, just T3 Users membership). + if host == "t3.viktorbarzin.me": + return ak_is_group_member(request.user, name="T3 Users") + # Not an admin-only host: allow any authenticated user. if host not in ADMIN_ONLY_HOSTS: return True diff --git a/stacks/authentik/t3-users.tf b/stacks/authentik/t3-users.tf new file mode 100644 index 00000000..38aba94a --- /dev/null +++ b/stacks/authentik/t3-users.tf @@ -0,0 +1,33 @@ +# "T3 Users" group — gates the devvm Claude Code Workstation (t3.viktorbarzin.me) +# at the Authentik edge (the branch in admin-services-restriction.tf). The group +# is created WITH its members atomically so enabling the gate can never lock +# everyone (incl. wizard) out. +# +# emo / ancamilea / wizard are NOT Terraform-managed authentik_user resources in +# this stack, so they're looked up by username — which in this Authentik instance +# IS the user's email (verified live 2026-06-08): vbarzin@gmail.com, etc. +# +# Membership is in HCL for now (matches the roster's 3 users). FUTURE: when the +# devvm provisioner reconciles T3 Users membership from roster.yaml via the +# Authentik API, drop the `users` arg here so TF owns only the group's existence. + +data "authentik_user" "wizard" { + username = "vbarzin@gmail.com" +} + +data "authentik_user" "emo" { + username = "emil.barzin@gmail.com" +} + +data "authentik_user" "ancamilea" { + username = "ancaelena98@gmail.com" +} + +resource "authentik_group" "t3_users" { + name = "T3 Users" + users = [ + data.authentik_user.wizard.id, + data.authentik_user.emo.id, + data.authentik_user.ancamilea.id, + ] +}