infra/stacks/authentik/tripit-external.tf
Viktor Barzin 89eb090be3
Some checks failed
ci/woodpecker/push/default Pipeline failed
feat(authentik): tripit-enrollment + tripit-recovery flows (passwordless signup, ADR-0020)
Makes the WebLanding 'Sign up' button work (it was 404ing — the tripit-enrollment flow didn't exist). Open passwordless registration: prompt(email,name) -> user_write(INACTIVE, external, group 'TripIt External') -> email verification (activates) -> passkey -> login. The inactive-until-verified gate is the security boundary: tripit trusts X-authentik-email, so activation must require proving inbox ownership. Passwordless login already works via the built-in webauthn flow. tripit-recovery (email -> new passkey) is built but intentionally NOT wired into the global brand recovery, so admin recovery is unchanged. Schema validated with terraform validate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-17 07:20:11 +00:00


# "TripIt External" group — containment anchor for publicly self-enrolled TripIt
# users (ADR-0020 in the tripit repo). Members are admitted to
# tripit.viktorbarzin.me ONLY and denied every other *.viktorbarzin.me
# forward-auth host by the prepended branch in admin-services-restriction.tf.
#
# Created EMPTY and PARENTLESS, on purpose:
#   * EMPTY — the no-lockout guarantee. Zero members at apply time => the
#     prepended policy branch matches zero existing principals => it cannot
#     change anyone's authorization (contrast authentik_group "T3 Users", which
#     is created WITH members atomically because THAT gate's safety property is
#     the opposite). Membership is assigned at RUNTIME by the tripit-enrollment
#     flow's user_write "Create users group" option (authentik_stage_user_write
#     in tripit-flows.tf). Terraform owns the group's EXISTENCE and the flow that
#     assigns it.
#   * PARENTLESS — do NOT make this a child of "Allow Login Users". The sensitive
#     OIDC apps gate on "Home Server Admins" / "Headscale Users" / "Wrongmove
#     Users" (children of "Allow Login Users") or, for Vault, on "Allow Login
#     Users" itself (bound as part of ADR-0020). Keeping External out of that
#     tree is what stops these users reaching OIDC apps — mirrors guest.tf, which
#     keeps the guest group out of "Allow Login Users" for the same reason.
resource "authentik_group" "tripit_external" {
  name = "TripIt External"
}
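The comment above says membership is granted only at runtime by the enrollment flow's user_write stage, and the commit message says that stage must create the user INACTIVE so that email verification is the activation gate. The following is an added illustration of how those two requirements look when wired together; it is not the tripit-flows.tf from this commit. Resource names are invented, and the attribute names (user_creation_mode, create_users_as_inactive, create_users_group, user_type, activate_user_on_success) are assumed from the authentik Terraform provider and should be checked against the provider version pinned in this stack.

```hcl
# Hypothetical enrollment flow (added example, not the committed tripit-flows.tf).
resource "authentik_flow" "tripit_enrollment" {
  name        = "tripit-enrollment"
  title       = "TripIt sign up"
  slug        = "tripit-enrollment"
  designation = "enrollment"
}

# The stage that turns a prompt(email, name) submission into an account.
resource "authentik_stage_user_write" "tripit_enrollment_write" {
  name               = "tripit-enrollment-user-write"
  user_creation_mode = "always_create" # assumed attribute name

  # Security boundary: the account starts INACTIVE, so nothing downstream
  # can trust X-authentik-email until inbox ownership has been proven.
  create_users_as_inactive = true # assumed attribute name

  # The ONLY place "TripIt External" membership is granted. The group
  # resource itself stays empty at apply time (no-lockout guarantee).
  create_users_group = authentik_group.tripit_external.id # assumed attribute name

  # Self-enrolled accounts are external users, not internal ones.
  user_type = "external" # assumed attribute name
}

# Verification email; activation happens only when the link is followed.
resource "authentik_stage_email" "tripit_enrollment_verify" {
  name                     = "tripit-enrollment-email-verify"
  use_global_settings      = true
  activate_user_on_success = true # assumed attribute name
}

# Ordering is the other half of the gate: user_write runs BEFORE the email
# stage, so the inactive account exists when the verification mail is sent.
# (Prompt stage at order 0 and the passkey stage after 20 are omitted here.)
resource "authentik_flow_stage_binding" "tripit_enrollment_write" {
  target = authentik_flow.tripit_enrollment.uuid
  stage  = authentik_stage_user_write.tripit_enrollment_write.id
  order  = 10
}

resource "authentik_flow_stage_binding" "tripit_enrollment_verify" {
  target = authentik_flow.tripit_enrollment.uuid
  stage  = authentik_stage_email.tripit_enrollment_verify.id
  order  = 20
}
```

A quick way to confirm the gate holds after apply is to walk the enrollment flow with a test address and check in the authentik admin UI that the new user shows as inactive, and is not a member of any "Allow Login Users" descendant, until the verification link has been opened.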