All checks were successful
ci/woodpecker/push/default Pipeline was successful
Pipeline 214 failed: the pinned goauthentik 2024.x provider models EmailStage.token_expiry as an integer, but the live 2026.2.x server requires a duration string ('hours=24') and 400s any number (even the provider default 30). Bumping the provider is a global terragrunt.hcl change re-applying every platform stack + breaking 3 other authentik-using stacks' lockfiles — disproportionate. Instead the two email-verification stages + their flow bindings move into an Authentik blueprint (tripit-email-stages.yaml) applied server-side via authentik_blueprint; the server parses token_expiry natively. Validated on the live server + terraform validate. Restores the ADR-0020 email-verification security gate.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
| Name |
|---|
| modules/authentik |
| admin-services-restriction.tf |
| authentik_provider.tf |
| email-secret.tf |
| guest.tf |
| main.tf |
| secrets |
| t3-users.tf |
| terragrunt.hcl |
| tripit-email-blueprint.tf |
| tripit-email-stages.yaml |
| tripit-external.tf |
| tripit-flows.tf |
| vault-authz-binding.tf |