ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks

Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default false → unprotected) variable in `modules/kubernetes/ingress_factory` with `auth = string` enum (default "required" → fail-closed). Touches every ingress_factory caller so the audit decision is recorded explicitly in code. ingress_factory (Phase 3): - `auth = "required"`: standard Authentik forward-auth (the legacy `protected = true` semantic). - `auth = "public"`: forward-auth via the new `authentik-forward-auth-public` middleware → dedicated public outpost → guest auto-bind. Logged-in users keep their real identity. - `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost itself. - `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated ingresses don't need anti-AI noise; the auth flow already discourages bots). Audit pass (Phase 4) across 96 ingress_factory call sites: - 49 explicit `protected = true` → `auth = "required"` - 8 explicit `protected = false` → `auth = "none"` (5) or `auth = "public"` (3) - 64 previously-default (no protected line) → `auth = "required"` ADDED, then reviewed individually: * 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack, homepage, wrongmove UI, privatebin) → `auth = "none"` * 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC, xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich location ingestion, immich frame kiosk, headscale CP, send anonymous drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) → `auth = "none"` * Remaining ~33 → `auth = "required"` confirmed (admin tools, internal UIs, services without app-level auth) - Smoke-test promotions to `auth = "public"`: fire-planner public UI, k8s-portal API, insta2spotify callback. Three call sites in wrapper modules (`stacks/freedify/factory/`, `stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected` bool — they translate to `auth` internally, out of scope for this rename. Behavior change: previously-default ingresses now fail closed (require Authentik login) unless explicitly flipped to `auth = "none"` or `auth = "public"`. This is the audit goal — no more accidentally-unprotected surfaces. Sites that were intentionally public (Anubis content, native APIs, webhooks) are now explicitly recorded as `auth = "none"`. Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via `terraform fmt -recursive` during the audit. Behavior-neutral. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 18:53:49 +00:00 · 2026-05-10 18:53:49 +00:00 · e4f806abe3
commit e4f806abe3
parent 317d6aa99f
100 changed files with 351 additions and 165 deletions
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@ -136,19 +136,19 @@ resource "helm_release" "postiz" {

    # Non-secret env. Note: BACKEND_INTERNAL_URL stays in-pod (Postiz convention).
    env = {
-      MAIN_URL                         = "https://postiz.viktorbarzin.me"
-      FRONTEND_URL                     = "https://postiz.viktorbarzin.me"
-      NEXT_PUBLIC_BACKEND_URL          = "https://postiz.viktorbarzin.me/api"
-      BACKEND_INTERNAL_URL             = "http://localhost:3000"
-      STORAGE_PROVIDER                 = "local"
-      UPLOAD_DIRECTORY                 = "/uploads"
-      NEXT_PUBLIC_UPLOAD_DIRECTORY     = "/uploads"
+      MAIN_URL                     = "https://postiz.viktorbarzin.me"
+      FRONTEND_URL                 = "https://postiz.viktorbarzin.me"
+      NEXT_PUBLIC_BACKEND_URL      = "https://postiz.viktorbarzin.me/api"
+      BACKEND_INTERNAL_URL         = "http://localhost:3000"
+      STORAGE_PROVIDER             = "local"
+      UPLOAD_DIRECTORY             = "/uploads"
+      NEXT_PUBLIC_UPLOAD_DIRECTORY = "/uploads"
      # Disabled — admin user already created; sign-in only.
-      DISABLE_REGISTRATION             = "true"
-      IS_GENERAL                       = "true"
-      NX_ADD_PLUGINS                   = "false"
+      DISABLE_REGISTRATION = "true"
+      IS_GENERAL           = "true"
+      NX_ADD_PLUGINS       = "false"
      # Postiz uses Temporal for cron/scheduling — bring our own; Helm chart doesn't.
-      TEMPORAL_ADDRESS                 = "temporal:7233"
+      TEMPORAL_ADDRESS = "temporal:7233"
    }

    # Postiz reads DATABASE_URL/REDIS_URL from this Secret. The chart does
@ -159,13 +159,13 @@ resource "helm_release" "postiz" {
    # postiz-redis-password) — both Services are ClusterIP, only routable
    # from inside the postiz namespace, so the well-known creds are safe.
    secrets = {
-      DATABASE_URL         = "postgresql://postiz:postiz-password@postiz-postgresql:5432/postiz"
-      REDIS_URL            = "redis://default:postiz-redis-password@postiz-redis-master:6379"
-      JWT_SECRET           = ""
+      DATABASE_URL = "postgresql://postiz:postiz-password@postiz-postgresql:5432/postiz"
+      REDIS_URL    = "redis://default:postiz-redis-password@postiz-redis-master:6379"
+      JWT_SECRET   = ""
      # IG-via-Facebook OAuth (Postiz Instagram-Business integration). Empty
      # placeholder; ESO patches the real values from Vault below.
-      FACEBOOK_APP_ID      = ""
-      FACEBOOK_APP_SECRET  = ""
+      FACEBOOK_APP_ID     = ""
+      FACEBOOK_APP_SECRET = ""
      # IG standalone (Postiz Instagram-Login integration). Uses the modern
      # `instagram_business_*` scopes — does not require the FB Login dance.
      INSTAGRAM_APP_ID     = ""
@ -247,7 +247,7 @@ module "ingress_uploads_public" {
  host            = var.host
  service_name    = "postiz"
  port            = 80
-  protected       = false
+  auth            = "none"
  ingress_path    = ["/uploads"]
  tls_secret_name = var.tls_secret_name
 }
@ -260,7 +260,7 @@ module "ingress" {
  host            = var.host
  service_name    = "postiz"
  port            = 80
-  protected       = true # Authentik forward-auth on the UI / API path
+  auth            = "required" # Authentik forward-auth on the UI / API path
  ingress_path    = ["/"]
  tls_secret_name = var.tls_secret_name
  extra_annotations = {
@ -473,7 +473,7 @@ resource "kubernetes_cron_job_v1" "postgres_backup" {
          spec {
            restart_policy = "OnFailure"
            container {
-              name    = "backup"
+              name = "backup"
              # Same image/pattern as dbaas/postgresql-backup: official postgres
              # client tools + apt-installed curl for the Pushgateway push. The
              # bitnamilegacy/postgresql variant is stripped (no curl/wget/python),