viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

infra: document auth = "app|none" tier on every legacy ingress

Browse source 
Sweep through the 30+ stacks that predated the auth = "app" tier
and were tagged auth = "none" without a comment explaining why
they weren't behind Authentik. Each is now self-documenting at the
call site, so the tg-level anti-exposure guard passes and future
readers don't have to reverse-engineer the intent.

Flipped 6 stacks from "none" to "app" — their backends have their
own user auth and the new tier records that more accurately:
  - navidrome   (Subsonic user/password)
  - ntfy        (deny-all default + user.db tokens)
  - nextcloud   (WebDAV/CalDAV/CardDAV app passwords)
  - vaultwarden (Bitwarden-compatible token auth)
  - headscale   (OIDC + preauth keys for Tailscale nodes)
  - paperless-ngx (app-layer login + API tokens)

Kept "none" with a comment on the rest — they're genuinely public,
webhook receivers, native-protocol endpoints, OAuth callbacks, or
Anubis-fronted: authentik (×2 + guest outpost), beads-server (dolt),
claude-memory (bearer-token MCP), dawarich, ebooks/book-search-api,
fire-planner /api, forgejo (git/OCI native clients), frigate (HA
integration), immich/frame, insta2spotify /api, instagram-poster
(meta fetcher), k8s-portal, matrix (native bearer), monitoring×2
(HA REST scrapes), n8n (webhooks), nvidia, onlyoffice (JWT),
owntracks (HTTP Basic), postiz, privatebin (client-side enc),
rybbit (analytics tracker), send (E2E file drop), tuya-bridge
(API key), vault (own auth + CLI), webhook_handler, woodpecker
(forgejo webhooks + OAuth), xray (×3 VPN transports).

real-estate-crawler/main.tf:400 already had its comment from a
prior edit — not touched here.

No live state changes — auth = "app" produces the same middleware
chain as auth = "none" (verified earlier this session). This commit
is purely documentation + intent-tagging.
This commit is contained in:
Viktor Barzin 2026-05-11 19:25:48 +00:00
parent 20774f794d
commit f10784ddb6
35 changed files with 44 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
stacks/headscale/modules/headscale/main.tf
View file

@ -311,7 +311,8 @@ module "ingress" {
# Forward-auth would break every Tailscale client. Headscale has its own
# OIDC + preauth-key auth at the app layer; the web admin UI lives on a
# separate /web ingress that remains auth=required.
auth = "none"
# auth = "app": Headscale control plane native Tailscale clients register + exchange keys using headscale's own OIDC + preauth-key auth; backend manages authentication.
auth = "app"
dns_type = "non-proxied"
namespace = kubernetes_namespace.headscale.metadata[0].name
name = "headscale"