feat(tripit): finalize ADR-0028 auth env — AUTH_MODE=normal, trips@ sender, trust XFF
Now that the native-auth rollout is complete: (1) AUTH_MODE hybrid->normal — the legacy Authentik OIDC-bearer + forward-auth arms were removed in #96, and 'hybrid' already resolved to 'normal' via backward-compat parsing; this makes it explicit and corrects the now-false comment. (2) SMTP_FROM plans@->trips@ — the dedicated native-auth sender; the trips@->spam@ send-as alias is live + verified (RCPT 250). (3) TRUST_FORWARDED_FOR=true — so #95's per-IP signup rate-limit keys on the real client behind Traefik, not the shared ingress pod IP. Env-only; the Deployment image is KEEL_IGNORE_IMAGE (lifecycle-ignored), so this does NOT touch the running image. Reloader restarts the pod to pick up the new env. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
166a2bcab4
commit
63add2a126
1 changed files with 20 additions and 14 deletions
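--- a/PATH-NOT-SHOWN
+++ b/PATH-NOT-SHOWN
@@ -30,15 +30,20 @@ locals {
 # (keys via the tripit-secrets ExternalSecret), WEATHER_PROVIDER=openmeteo,
 # GEOCODER_PROVIDER=openmeteo, PUSH_PROVIDER=webpush. LLM_MODE=fake and
 # MAIL_INGEST_ENABLED=false here (the ingest-plans CronJob overrides both).
-# AUTH_MODE=hybrid (tripit ADR-0017, image >= 81a816f7): a Bearer JWT from
-# the tripit-app Authentik provider wins (validated in-app against OIDC_*);
-# otherwise the backend trusts the Authentik-injected X-authentik-email
-# header exactly as forwardauth did (browser path unchanged; the tripit-api
-# ingress strips inbound X-authentik-* so the fallback can't be spoofed).
+# AUTH_MODE=normal (tripit ADR-0028, #96): the backend authenticates ONLY its
+# own TripIt session (cookie or Bearer JWT) — the legacy Authentik OIDC-bearer
+# and forward-auth arms were removed once the Shell moved onto TripIt sessions
+# (#94) and the cutover stopped injecting X-authentik-*. OIDC_* below stays: the
+# "Log in with Authentik" web login and the Shell's /api/auth/exchange validate
+# Authentik tokens against the same JWKS only to MINT a TripIt session.
 # STORAGE_DIR points at the RWX NFS PVC — the app's default ./var is not
 # writable by the non-root user.
 app_env = {
-AUTH_MODE = "hybrid"
+AUTH_MODE = "normal"
+# Open-signup abuse controls sit behind Traefik (tripit ADR-0028, #95): trust
+# the proxy's X-Forwarded-For so the per-IP rate-limit keys on the real client,
+# not the shared ingress pod IP. (The PoW captcha is the primary control.)
+TRUST_FORWARDED_FOR = "true"
 OIDC_ISSUER = "https://authentik.viktorbarzin.me/application/o/tripit-app/"
 OIDC_JWKS_URL = "https://authentik.viktorbarzin.me/application/o/tripit-app/jwks/"
 OIDC_AUDIENCE = "tripit-app"
@@ -66,19 +71,20 @@ locals {
 PUSH_PROVIDER = "webpush"
 LLM_MODE = "fake"
 MAIL_INGEST_ENABLED = "false"
-# Outbound mail (linked-email verification + trip-share invites) — submitted
-# via the cluster mailserver authenticated as spam@ (SMTP_USER), but sent
-# From: plans@viktorbarzin.me (SMTP_FROM). docker-mailserver SPOOF_PROTECTION
-# requires the login to "own" the From; an explicit plans@ -> spam@ virtual
-# alias grants that (see mailserver extra/aliases.txt) and keeps inbound
-# plans@ routing to spam@. Relays out via Brevo. SMTP_PASSWORD comes from
-# tripit-secrets (the existing PLANS_IMAP_PASSWORD = spam@'s password).
+# Outbound mail (native-auth signup-verification + account recovery, linked-
+# email verification, trip-share invites) — submitted via the cluster
+# mailserver authenticated as spam@ (SMTP_USER), but sent From:
+# trips@viktorbarzin.me (SMTP_FROM; tripit ADR-0028). docker-mailserver
+# SPOOF_PROTECTION requires the login to "own" the From; an explicit
+# trips@ -> spam@ virtual alias grants that (see mailserver extra/aliases.txt)
+# and routes inbound trips@ to spam@. Relays out via Brevo. SMTP_PASSWORD comes
+# from tripit-secrets (the existing PLANS_IMAP_PASSWORD = spam@'s password).
 # PUBLIC_BASE_URL builds the links mailed to recipients.
 EMAIL_PROVIDER = "smtp"
 SMTP_HOST = "mailserver.mailserver.svc"
 SMTP_PORT = "587"
 SMTP_USER = "spam@viktorbarzin.me"
-SMTP_FROM = "plans@viktorbarzin.me"
+SMTP_FROM = "trips@viktorbarzin.me"
 PUBLIC_BASE_URL = "https://tripit.viktorbarzin.me"
 # Narrator audio (ADR-0004): Chatterbox via the in-cluster `tts` stack.
 # OpenAI-compatible /v1/audio/speech; the bake POSTs best-effort synth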
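Review bot: `TRUST_FORWARDED_FOR = "true"` in the first hunk makes the per-IP rate-limit key depend on a client-controllable header, so it is only sound while every request reaching the pod has actually traversed Traefik; if the tripit Service is reachable from anywhere else in the cluster, that caller picks its own X-Forwarded-For and therefore its own rate-limit bucket. Nothing in the hunk records that pod ingress is restricted to Traefik (e.g. by NetworkPolicy) or that the Traefik entrypoint replaces, rather than appends to, an X-Forwarded-For supplied by the client — presumably both hold, but the flag is where a future reader will look for that assumption. Suggest extending the new comment above the flag with `# Sound only while Traefik is the sole path to the pod and the entrypoint` / `# overwrites any client-supplied X-Forwarded-For; otherwise the key is caller-chosen.`. The enclosing `app_env` map closes outside both hunks.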
|
||||||