From 98cd535b974632237be425353a6183635feff568 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 22 Jun 2026 18:09:27 +0000 Subject: [PATCH] authentik: lock chrome.viktorbarzin.me noVNC to Viktor only MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The chrome-service noVNC exposes Viktor's live logged-in browser sessions (Instagram etc. — he'll sign in there for homelab browser to reuse). It was auth="required" = any authenticated user, and "Home Server Admins" includes emo (emil.barzin@gmail.com), so the admin group is not a sufficient gate. Add a host-specific case to the domain-wide forward-auth restriction allowing only Viktor's accounts (vbarzin@gmail.com + akadmin break-glass); everyone else, incl. emo, is denied at the noVNC. emo's AGENT already can't reach the browser (read-only RBAC blocks port-forward); this closes the human noVNC path. Co-Authored-By: Claude Opus 4.8 --- stacks/authentik/admin-services-restriction.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/stacks/authentik/admin-services-restriction.tf b/stacks/authentik/admin-services-restriction.tf index 2dcc1ca2..806dd417 100644 --- a/stacks/authentik/admin-services-restriction.tf +++ b/stacks/authentik/admin-services-restriction.tf 
@@ -49,6 +49,17 @@ resource "authentik_policy_expression" "admin_services_restriction" { host = request.context.get("host", "") + # chrome-service noVNC (chrome.viktorbarzin.me) exposes Viktor's LIVE + # logged-in browser sessions, so lock it to Viktor's own accounts ONLY. + # "Home Server Admins" is NOT sufficient — emo (emil.barzin@gmail.com) is a + # member. akadmin kept as break-glass. The homelab-browser CDP path is + # already RBAC-gated (emo = oidc-power-user-readonly, no pods/portforward), + # so this closes the only remaining, human, noVNC path. Match username OR + # email so neither attribute alone can lock Viktor out. + CHROME_ALLOWED = {"akadmin", "akadmin@viktorbarzin.me", "vbarzin@gmail.com"} + if host == "chrome.viktorbarzin.me": + return request.user.username in CHROME_ALLOWED or request.user.email in CHROME_ALLOWED + # t3 Workstation edge gate: only members of "T3 Users" may reach t3. # Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in # that set — it must not require Home-Server-Admins, just T3 Users membership).
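Review bot: the `or request.user.email in CHROME_ALLOWED` branch on the new `return` line makes the gate only as strong as control over the `email` attribute. If any authenticated user can edit their own email through a user-settings flow, or if authentik is not enforcing unique emails, an account that sets its email to `vbarzin@gmail.com` would satisfy this check regardless of username or group, which undercuts the stated goal of excluding every other account incl. emo. Prefer a single stable identifier (for example `request.user.pk`, or membership in a dedicated group checked with `ak_is_group_member`) and drop the email fallback, or at minimum make the comparison case-insensitive (`request.user.email.lower()`) so that a differently-cased stored email does not lock Viktor out while the username match is relied upon. The comment also claims `akadmin@viktorbarzin.me` is an akadmin identity, but nothing in the hunk shows akadmin carries that email; either document where it comes from or keep only the `akadmin` username entry. Finally, since this early `return` short-circuits the t3 and ADMIN_ONLY_HOSTS checks that follow, it is worth stating in the commit or a code comment that the policy is bound to the provider serving chrome.viktorbarzin.me, because the hunk alone does not show that binding and the denial described in the message depends on it.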