feat(authentik): TripIt external self-signup group + forward-auth fence (ADR-0020)
Viktor wants people outside the homelab to self-register to TripIt with email + a passkey (no password), kept separate from the rest of the homelab. Adds the empty, parentless 'TripIt External' Authentik group and a first-position branch in the catch-all policy that admits those users to tripit.viktorbarzin.me only and denies every other forward-auth host. Inert on apply (group empty => matches no existing user => no lockout).

An adversarial review found the fence is forward-auth-only, so the runbook records the OIDC-app containment audit (every sensitive app already requires a trusted group External users won't hold), the Vault->Allow Login Users binding that closes the one open OIDC app, the SMTP prerequisite for email verification, and the before/after access-matrix verification.

Flows/SMTP/Vault binding are UI steps per the runbook; the push that applies the catch-all edit must be human-watched (CI auto-applies the authentik stack).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent cf51cb45de
commit cbca281aaa
4 changed files with 288 additions and 0 deletions
22
stacks/authentik/tripit-external.tf
Normal file
@ -0,0 +1,22 @@
# "TripIt External" group — containment anchor for publicly self-enrolled TripIt
# users (ADR-0020 in the tripit repo). Members are admitted to
# tripit.viktorbarzin.me ONLY and denied every other *.viktorbarzin.me
# forward-auth host by the prepended branch in admin-services-restriction.tf.
#
# Created EMPTY and PARENTLESS, on purpose:
# * EMPTY — the no-lockout guarantee. Zero members at apply time => the
# prepended policy branch matches zero existing principals => it cannot
# change anyone's authorization (contrast authentik_group "T3 Users", which
# is created WITH members atomically because THAT gate's safety property is
# the opposite). Membership is assigned at RUNTIME by the tripit-enrollment
# flow's user_write "Create users group" option (UI-managed per the ADR
# management split). Terraform owns only the group's EXISTENCE.
# * PARENTLESS — do NOT make this a child of "Allow Login Users". The sensitive
# OIDC apps gate on "Home Server Admins" / "Headscale Users" / "Wrongmove
# Users" (children of "Allow Login Users") or, for Vault, on "Allow Login
# Users" itself (bound as part of ADR-0020). Keeping External out of that
# tree is what stops these users reaching OIDC apps — mirrors guest.tf, which
# keeps the guest group out of "Allow Login Users" for the same reason.
resource "authentik_group" "tripit_external" {
name = "TripIt External"
}
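Review bot: the header comment promises that "Terraform owns only the group's EXISTENCE" and that membership is assigned at runtime by the enrollment flow's user_write stage, but the resource block itself does not encode that split, so a later plan could report the UI-added members as drift and offer to reconcile them. Making the promise explicit in the resource, e.g. a `lifecycle { ignore_changes = [users] }` block on `authentik_group.tripit_external` (verify against the provider version in use), would keep CI's auto-apply of this stack from ever touching membership. Worth also confirming that the branch in admin-services-restriction.tf references this resource's id rather than the literal name "TripIt External", so apply ordering and renames stay safe; that file is not in this hunk, so it cannot be checked here.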