t3code: docs — auto-provisioning service-catalog entry + design status implemented

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Viktor Barzin 2026-06-01 22:46:07 +00:00
parent a587f0ee55
commit deec540fad
2 changed files with 2 additions and 2 deletions


@ -32,7 +32,7 @@
|---------|-------------|-------|
| k8s-dashboard | Kubernetes dashboard | k8s-dashboard |
| reverse-proxy | Generic reverse proxy | reverse-proxy |
| t3code | Multi-user coding-agent GUI at t3.viktorbarzin.me. `auth=required` (Authentik) → in-cluster nginx `t3-dispatch` maps `X-authentik-username` → that user's own `t3 serve` on DevVM (vbarzin→:3773 `t3-serve.service`; emil.barzin→:3774 `t3-serve-emo.service`; unmapped→403). Per-user isolation mirroring the `terminal` stack. **Add a user:** create `t3-serve-<u>.service` on DevVM (own `--port`/`--base-dir`, `User=<u>`) + add a line to the dispatch nginx `map` in `stacks/t3code/main.tf` + apply. RCE surface; each user self-pairs via `t3 auth pairing create`. Native app/app.t3.codes unsupported here (cross-origin) — deferred until published. | t3code |
| t3code | Multi-user coding-agent GUI at t3.viktorbarzin.me. `auth=required` (Authentik) → DevVM `t3-dispatch` service (`10.0.10.10:3780`, unprivileged user) maps `X-authentik-username` → that user's own `t3-serve@<u>` instance (file perms enforced by uid; wizard→:3773, emo→:3774; unmapped→403) and **auto-injects the t3 session on first visit** (mints via the root `t3-mint` wrapper, scoped sudoers → `/api/auth/bootstrap` `t3_session` cookie). Source of truth `/etc/ttyd-user-map`; `t3-provision-users` reconcile (systemd timer) turns map entries into `t3-serve@<u>` instances + `dispatch.json`. **Add a user:** one line in `/etc/ttyd-user-map` (must already be an OS account + Authentik identity) → reconcile. DevVM artifacts versioned in `infra/scripts/` (`t3-serve@.service`, `t3-provision-users`, `t3-dispatch/`, `t3-mint`, `sudoers-t3-autopair`); TF (`stacks/t3code`) owns only the ingress + Endpoints→:3780. Native app/app.t3.codes unsupported (cross-origin) — deferred until published. Design: `docs/plans/2026-06-01-t3-auto-provision-*`. | t3code |
## Active Use
| Service | Description | Stack |
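Review bot: The added t3code row drops the old row's "RCE surface" warning even though the new dispatcher both trusts `X-authentik-username` and auto-injects a `t3_session` cookie on first visit, and the row does not say what limits access to `10.0.10.10:3780` to the Authentik-fronted ingress. Because a session is now minted from the header value alone, please name the control that guarantees the header can only arrive via forward-auth (here or in the linked design), and keep the RCE-surface wording so the catalog still flags the risk. The port examples also changed from `vbarzin`/`emil.barzin` to `wizard`/`emo`; if `/etc/ttyd-user-map` is what translates the Authentik username to the OS account, saying so in the row would stop readers assuming the header value is the OS user.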


@ -1,7 +1,7 @@
# t3code per-user auto-provisioning — design
- **Date:** 2026-06-01
- **Status:** design (approved verbally; spec under review)
- **Status:** implemented 2026-06-01 (commits up to e8766756; dispatcher hardened to a dedicated unprivileged user + `t3-mint` wrapper vs the design's run-as-wizard)
- **Owner:** Viktor (wizard)
- **Builds on:** the multi-user t3 setup shipped earlier 2026-06-01 (commit `ad9472ab`): Authentik forward-auth on `t3.viktorbarzin.me` → in-cluster nginx `t3-dispatch` → per-OS-user `t3 serve` on devvm (wizard→:3773, emo→:3774).
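Review bot: The new Status line is the only place that records the deviation from the design (dedicated unprivileged dispatcher user plus `t3-mint` wrapper instead of run-as-wizard), and with one line changed in this file the design body still describes the run-as-wizard model. Since this is the privilege boundary for session minting, please add a short "Deviations from design" section, or update the affected section, covering what the unprivileged user may do and what the scoped sudoers entry permits, so the doc matches what is deployed. "commits up to e8766756" is also open-ended; listing the first commit of the range, or the specific hardening commit, would make the implemented state auditable.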