feat(authentik): TripIt external self-signup group + forward-auth fence (ADR-0020)

Viktor wants people outside the homelab to self-register to TripIt with email + a passkey (no password), kept separate from the rest of the homelab. Adds the empty, parentless 'TripIt External' Authentik group and a first-position branch in the catch-all policy that admits those users to tripit.viktorbarzin.me only and denies every other forward-auth host. Inert on apply (group empty => matches no existing user => no lockout). An adversarial review found the fence is forward-auth-only, so the runbook records the OIDC-app containment audit (every sensitive app already requires a trusted group External users won't hold), the Vault->Allow Login Users binding that closes the one open OIDC app, the SMTP prerequisite for email verification, and the before/after access-matrix verification. Flows/SMTP/Vault binding are UI steps per the runbook; the push that applies the catch-all edit must be human-watched (CI auto-applies the authentik stack).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/authentik/admin-services-restriction.tf

@@ -49,6 +49,21 @@ resource "authentik_policy_expression" "admin_services_restriction" {
 
     host = request.context.get("host", "")
 
+    # TripIt External containment fence (ADR-0020 in the tripit repo). Publicly
+    # self-enrolled TripIt users (group "TripIt External", assigned by the
+    # tripit-enrollment flow's user_write) may reach tripit.viktorbarzin.me and
+    # NOTHING else. MUST be the FIRST host-dispatch branch: it is a request.user
+    # predicate that must dominate every host branch below, ESPECIALLY the
+    # default-allow `if host not in ADMIN_ONLY_HOSTS: return True` — placed after
+    # it, a tagged user would slip into other hosts. Safe to add: the group is
+    # net-new and created EMPTY, so this matches zero existing principals (no
+    # lockout). The fence is forward-auth ONLY; OIDC apps (Vault, Immich, …)
+    # contain External users via their own per-app group bindings — see
+    # docs/runbooks/tripit-external-signup.md. NEVER co-assign "TripIt External"
+    # to a trusted/internal user (this branch would fence them out of admin hosts).
+    if ak_is_group_member(request.user, name="TripIt External"):
+        return host == "tripit.viktorbarzin.me"
+
     # t3 Workstation edge gate: only members of "T3 Users" may reach t3.
     # Placed BEFORE the ADMIN_ONLY_HOSTS early-return (t3 is intentionally not in
     # that set — it must not require Home-Server-Admins, just T3 Users membership).

stacks/authentik/tripit-external.tf

@@ -0,0 +1,22 @@
+# "TripIt External" group — containment anchor for publicly self-enrolled TripIt
+# users (ADR-0020 in the tripit repo). Members are admitted to
+# tripit.viktorbarzin.me ONLY and denied every other *.viktorbarzin.me
+# forward-auth host by the prepended branch in admin-services-restriction.tf.
+#
+# Created EMPTY and PARENTLESS, on purpose:
+#   * EMPTY — the no-lockout guarantee. Zero members at apply time => the
+#     prepended policy branch matches zero existing principals => it cannot
+#     change anyone's authorization (contrast authentik_group "T3 Users", which
+#     is created WITH members atomically because THAT gate's safety property is
+#     the opposite). Membership is assigned at RUNTIME by the tripit-enrollment
+#     flow's user_write "Create users group" option (UI-managed per the ADR
+#     management split). Terraform owns only the group's EXISTENCE.
+#   * PARENTLESS — do NOT make this a child of "Allow Login Users". The sensitive
+#     OIDC apps gate on "Home Server Admins" / "Headscale Users" / "Wrongmove
+#     Users" (children of "Allow Login Users") or, for Vault, on "Allow Login
+#     Users" itself (bound as part of ADR-0020). Keeping External out of that
+#     tree is what stops these users reaching OIDC apps — mirrors guest.tf, which
+#     keeps the guest group out of "Allow Login Users" for the same reason.
+resource "authentik_group" "tripit_external" {
+  name = "TripIt External"
+}