Skip to main content

Auth / Exposure Rollout Plan

Status after the security pass (2026-07-04):
  • Agent (mastra): SECURED. Public Ingress removed; k8s-native (read-only RBAC SA, no SSH, no shell, no run-command); git-commit via repo-scoped token. Needs GITHUB_TOKEN.
  • Internal-only backends: DONE. searxng-mcp, browserless, rsshub Ingresses removed (reachable in-cluster via ClusterIP).
  • Pocket-ID forward-auth for the 13: PENDING β€” needs the decisions below.

Exposure classification (all 30 original services)

🌐 Public β€” no gate (safe/required to be internet-facing)

ServiceWhy
pocket-idThe auth provider β€” must be reachable to log in.
stalwart (+mta-sts/autoconfig/autodiscover)Mail server; needs public SMTP/IMAP + discovery. Native auth.
ntfyPush service; own token/ACL model, designed public.

πŸ”‘ Keep public, rely on NATIVE auth (has solid built-in login)

bulwark (webmail), jellyfin, audiobookshelf, miniflux, grafana, seerr, calibre-web. Action: verify each has a strong admin password / accounts; no infra change needed. (grafana is borderline β€” consider Pocket-ID for defense-in-depth.)

πŸ”’ Gate behind POCKET-ID (weak/no native auth, admin-grade control)

sonarr, radarr, prowlarr, bazarr, chaptarr, qbittorrent, firefox (remote browser!), temporal-ui, beszel, bifrost (LLM gateway w/ billing keys), yamtrack, nextflux, excalideck (web+collab), searxng. firefox + bifrost are the highest urgency here.

🚫 Internal-only β€” no Ingress (DONE)

searxng-mcp, browserless, rsshub. (mastra also β€” done.)

Pocket-ID forward-auth: how to wire it (the pending work)

Traefik currently runs with ONLY --providers.kubernetesingress β€” the Middleware CRD provider is off and the CRDs aren’t installed. So there are two viable paths: Option A β€” oauth2-proxy sidecar/deployment + Traefik forwardAuth (recommended).
  1. In pocket-id (admin UI): create ONE OIDC client β€œtraefik-forward-auth”, redirect URI https://auth.augustin.ai/oauth2/callback. Note client_id + secret. β†’ needs you
  2. Deploy oauth2-proxy (cluster/infra/oauth2-proxy/) configured against pocket-id’s issuer, on auth.augustin.ai.
  3. Enable the Traefik CRD provider (--providers.kubernetescrd=true) + install the traefik.io CRDs (Middleware, etc.) β€” a one-line arg + a CRD manifest.
  4. Add a Middleware (forwardAuth β†’ oauth2-proxy) and annotate each of the 13 Ingresses with traefik.ingress.kubernetes.io/router.middlewares: infra-oidc@kubernetescrd.
Option B β€” Cloudflare Access (if the tunnel fronts everything). Since ingress rides cloudflared, gate the 13 hostnames with Cloudflare Access policies (SSO to pocket-id as an OIDC IdP). No in-cluster changes, but moves auth to Cloudflare.

Decisions needed before I build the Pocket-ID rollout

  1. Option A (in-cluster oauth2-proxy) vs Option B (Cloudflare Access)?
  2. The pocket-id OIDC client (client_id/secret) β€” created by you in the pocket-id admin UI.
  3. Confirm the β€œkeep native auth” set (esp. grafana) β€” gate it too, or trust native?