feat(provision): automated user provisioning via Authentik webhook

- Expand CI Vault policy: write secret/data/platform + Transit SOPS keys - Add Woodpecker provision-user.yml pipeline (manual event, API-triggered) - Add env vars to webhook-handler deployment for Woodpecker/Authentik integration - Update add-user skill with automated flow documentation - Update Woodpecker repo ID list in CLAUDE.md
2026-03-17 23:56:30 +00:00 · 2026-03-17 23:56:30 +00:00 · fd130971aa
commit fd130971aa
parent 82b9dd9e8a
5 changed files with 287 additions and 22 deletions
--- a/stacks/vault/main.tf
+++ b/stacks/vault/main.tf
@ -327,10 +327,24 @@ resource "vault_policy" "ci" {
    path "secret/metadata/*" {
      capabilities = ["list"]
    }
+    # Allow CI to write k8s_users during automated user provisioning
+    path "secret/data/platform" {
+      capabilities = ["create", "read", "update"]
+    }
    # Allow CI to get dynamic K8s deploy tokens for user namespaces
    path "kubernetes/creds/*-deployer" {
      capabilities = ["read"]
    }
+    # SOPS state encrypt/decrypt (per-stack Transit keys)
+    path "transit/encrypt/sops-state-*" {
+      capabilities = ["update"]
+    }
+    path "transit/decrypt/sops-state-*" {
+      capabilities = ["update"]
+    }
+    path "transit/keys/sops-state-*" {
+      capabilities = ["read"]
+    }
  EOT
 }

--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@ -187,6 +187,37 @@ resource "kubernetes_deployment" "webhook_handler" {
            name  = "SSH_KEY"
            value = "/opt/id_rsa"
          }
+          env {
+            name  = "WOODPECKER_API_URL"
+            value = "https://ci.viktorbarzin.me"
+          }
+          env {
+            name = "WOODPECKER_TOKEN"
+            value_from {
+              secret_key_ref {
+                name = "webhook-handler-secrets"
+                key  = "woodpecker_token"
+              }
+            }
+          }
+          env {
+            name = "WOODPECKER_INFRA_REPO_ID"
+            value_from {
+              secret_key_ref {
+                name = "webhook-handler-secrets"
+                key  = "woodpecker_infra_repo_id"
+              }
+            }
+          }
+          env {
+            name = "AUTHENTIK_WEBHOOK_SECRET"
+            value_from {
+              secret_key_ref {
+                name = "webhook-handler-secrets"
+                key  = "authentik_webhook_secret"
+              }
+            }
+          }
        }
        volume {
          name = "id-rsa"