All checks were successful
ci/woodpecker/push/default Pipeline was successful
The chrome-service noVNC exposes Viktor's live logged-in browser sessions (Instagram etc. — he'll sign in there for the homelab browser to reuse). It was auth="required" = any authenticated user, and "Home Server Admins" includes emo (emil.barzin@gmail.com), so the admin group is not a sufficient gate. Add a host-specific case to the domain-wide forward-auth restriction allowing only Viktor's accounts (vbarzin@gmail.com + akadmin break-glass); everyone else, incl. emo, is denied at the noVNC. emo's AGENT already can't reach the browser (read-only RBAC blocks port-forward); this closes the human noVNC path.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Directory listing: modules/authentik

  admin-services-restriction.tf
  authentik_provider.tf
  email-secret.tf
  guest.tf
  main.tf
  secrets
  t3-users.tf
  terragrunt.hcl
  vault-authz-binding.tf