infra: document auth = "app|none" tier on every legacy ingress
Sweep through the 30+ stacks that predated the auth = "app" tier and were tagged auth = "none" without a comment explaining why they weren't behind Authentik. Each is now self-documenting at the call site, so the tg-level anti-exposure guard passes and future readers don't have to reverse-engineer the intent.

Flipped 6 stacks from "none" to "app" — their backends have their own user auth and the new tier records that more accurately:

- navidrome (Subsonic user/password)
- ntfy (deny-all default + user.db tokens)
- nextcloud (WebDAV/CalDAV/CardDAV app passwords)
- vaultwarden (Bitwarden-compatible token auth)
- headscale (OIDC + preauth keys for Tailscale nodes)
- paperless-ngx (app-layer login + API tokens)

Kept "none" with a comment on the rest — they're genuinely public, webhook receivers, native-protocol endpoints, OAuth callbacks, or Anubis-fronted: authentik (×2 + guest outpost), beads-server (dolt), claude-memory (bearer-token MCP), dawarich, ebooks/book-search-api, fire-planner /api, forgejo (git/OCI native clients), frigate (HA integration), immich/frame, insta2spotify /api, instagram-poster (meta fetcher), k8s-portal, matrix (native bearer), monitoring×2 (HA REST scrapes), n8n (webhooks), nvidia, onlyoffice (JWT), owntracks (HTTP Basic), postiz, privatebin (client-side enc), rybbit (analytics tracker), send (E2E file drop), tuya-bridge (API key), vault (own auth + CLI), webhook_handler, woodpecker (forgejo webhooks + OAuth), xray (×3 VPN transports).

real-estate-crawler/main.tf:400 already had its comment from a prior edit — not touched here.

No live state changes — auth = "app" produces the same middleware chain as auth = "none" (verified earlier this session). This commit is purely documentation + intent-tagging.
This commit is contained in:
parent 20774f794d
commit f10784ddb6
35 changed files with 44 additions and 6 deletions
@ -262,6 +262,7 @@ module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
# Webhook receiver — third parties (Forgejo, GitHub, etc.) POST events without
# browser sessions. Forward-auth would block all webhook deliveries.
# auth = "none": Webhook receiver — third parties (Forgejo, GitHub, etc.) POST events without browser sessions; forward-auth blocks deliveries.
auth = "none"
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
name = "webhook-handler"
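Review bot: the added `# auth = "none": Webhook receiver — ...` line restates, nearly word for word, the two-line comment that remains directly above it (`# Webhook receiver — third parties (Forgejo, GitHub, etc.) POST events without` / `# browser sessions. Forward-auth would block all webhook deliveries.`), so the webhook-handler ingress now carries the same rationale twice. If the tg-level guard keys on the `# auth = "none":` prefix, fold that prefix into the existing comment and drop the duplicate rather than keeping both; if the guard needs the rationale on a single line, drop the old two lines instead. Either way the added line runs to roughly 140 characters, which is well past the width of the surrounding block, and the intent would be easier to read at a glance with the prefix on its own short line (`# auth = "none": webhook receiver, see below`) followed by the existing explanation.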