Auth / Exposure Rollout Plan
Status after the security pass (2026-07-04):- Agent (mastra): SECURED. Public Ingress removed; k8s-native (read-only RBAC SA,
no SSH, no shell, no run-command); git-commit via repo-scoped token. Needs
GITHUB_TOKEN. - Internal-only backends: DONE. searxng-mcp, browserless, rsshub Ingresses removed (reachable in-cluster via ClusterIP).
- Pocket-ID forward-auth for the 13: PENDING β needs the decisions below.
Exposure classification (all 30 original services)
π Public β no gate (safe/required to be internet-facing)
| Service | Why |
|---|---|
| pocket-id | The auth provider β must be reachable to log in. |
| stalwart (+mta-sts/autoconfig/autodiscover) | Mail server; needs public SMTP/IMAP + discovery. Native auth. |
| ntfy | Push service; own token/ACL model, designed public. |
π Keep public, rely on NATIVE auth (has solid built-in login)
bulwark (webmail), jellyfin, audiobookshelf, miniflux, grafana, seerr, calibre-web. Action: verify each has a strong admin password / accounts; no infra change needed. (grafana is borderline β consider Pocket-ID for defense-in-depth.)π Gate behind POCKET-ID (weak/no native auth, admin-grade control)
sonarr, radarr, prowlarr, bazarr, chaptarr, qbittorrent, firefox (remote browser!), temporal-ui, beszel, bifrost (LLM gateway w/ billing keys), yamtrack, nextflux, excalideck (web+collab), searxng. firefox + bifrost are the highest urgency here.π« Internal-only β no Ingress (DONE)
searxng-mcp, browserless, rsshub. (mastra also β done.)Pocket-ID forward-auth: how to wire it (the pending work)
Traefik currently runs with ONLY--providers.kubernetesingress β the Middleware CRD
provider is off and the CRDs arenβt installed. So there are two viable paths:
Option A β oauth2-proxy sidecar/deployment + Traefik forwardAuth (recommended).
- In pocket-id (admin UI): create ONE OIDC client βtraefik-forward-authβ, redirect URI
https://auth.augustin.ai/oauth2/callback. Note client_id + secret. β needs you - Deploy
oauth2-proxy(cluster/infra/oauth2-proxy/) configured against pocket-idβs issuer, onauth.augustin.ai. - Enable the Traefik CRD provider (
--providers.kubernetescrd=true) + install the traefik.io CRDs (Middleware, etc.) β a one-line arg + a CRD manifest. - Add a
Middleware(forwardAuth β oauth2-proxy) and annotate each of the 13 Ingresses withtraefik.ingress.kubernetes.io/router.middlewares: infra-oidc@kubernetescrd.
Decisions needed before I build the Pocket-ID rollout
- Option A (in-cluster oauth2-proxy) vs Option B (Cloudflare Access)?
- The pocket-id OIDC client (client_id/secret) β created by you in the pocket-id admin UI.
- Confirm the βkeep native authβ set (esp. grafana) β gate it too, or trust native?