t3code: per-user isolation via Authentik + nginx username dispatcher
t3 is single-owner (no in-app multi-user), so each person runs their own `t3 serve` on the DevVM as their own OS user: wizard→:3773 (t3-serve.service), emo→:3774 (t3-serve-emo.service). An in-cluster nginx `t3-dispatch` maps the Authentik-injected X-authentik-username to the right instance; unmapped identities get 403 (no shared fallback).

Flipped the ingress auth app→required (Authentik forward-auth) — the same-origin self-served UI works behind it (WS carries the Authentik cookie) and t3's own pairing/bearer stays the inner gate. Mirrors the terminal stack's per-user model.

Verified: dispatcher routes vbarzin→:3773, emil.barzin→:3774, unmapped→403; t3.viktorbarzin.me now 302s to Authentik.

Cross-origin native app / app.t3.codes intentionally unsupported here — deferred until the native app is published.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
parent
9fb3e6e851
commit
73cb0aab8b
2 changed files with 146 additions and 35 deletions
@ -32,7 +32,7 @@
| k8s-dashboard | Kubernetes dashboard | k8s-dashboard |
| reverse-proxy | Generic reverse proxy | reverse-proxy |
| t3code | Coding-agent GUI (`t3 serve`) on DevVM 10.0.10.10:3773, exposed at t3.viktorbarzin.me via Service+Endpoints (no pod). `auth=app` — t3's own owner-pairing/bearer auth + CrowdSec gate it (no Authentik, to keep the native app & app.t3.codes cross-origin clients working). RCE surface; re-pair via `t3 auth pairing create` on DevVM. | t3code |
| t3code | Multi-user coding-agent GUI at t3.viktorbarzin.me. `auth=required` (Authentik) → in-cluster nginx `t3-dispatch` maps `X-authentik-username` → that user's own `t3 serve` on DevVM (vbarzin→:3773 `t3-serve.service`; emil.barzin→:3774 `t3-serve-emo.service`; unmapped→403). Per-user isolation mirroring the `terminal` stack. **Add a user:** create `t3-serve-<u>.service` on DevVM (own `--port`/`--base-dir`, `User=<u>`) + add a line to the dispatch nginx `map` in `stacks/t3code/main.tf` + apply. RCE surface; each user self-pairs via `t3 auth pairing create`. Native app/app.t3.codes unsupported here (cross-origin) — deferred until published. | t3code |
## Active Use
| Service | Description | Stack |
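Review bot: the replacement t3code row documents the `X-authentik-username` → instance `map` and the unmapped→403 default, but not the trust assumption the whole design rests on: `t3-dispatch` is only as strong as the guarantee that this header reaches it solely through the Authentik forward-auth ingress, with any client-supplied copy overwritten there. Suggest one sentence in the row (or in the **Add a user** steps) stating that the dispatcher must not be reachable by any other Service/Ingress path, so a later routing change cannot silently turn the username header into a self-asserted value; the fail-closed 403 for unmapped identities is the right default and worth keeping explicit in the docs.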