> ## Documentation Index
> Fetch the complete documentation index at: https://docs.augustin.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Auth rollout plan

# Auth / Exposure Rollout Plan

Status after the security pass (2026-07-04):

* **Agent (mastra): SECURED.** Public Ingress removed; k8s-native (read-only RBAC SA,
  no SSH, no shell, no run-command); git-commit via repo-scoped token. Needs `GITHUB_TOKEN`.
* **Internal-only backends: DONE.** searxng-mcp, browserless, rsshub Ingresses removed
  (reachable in-cluster via ClusterIP).
* **Pocket-ID forward-auth for the 13: PENDING** — needs the decisions below.

## Exposure classification (all 30 original services)

### 🌐 Public — no gate (safe/required to be internet-facing)

| Service                                     | Why                                                           |
| ------------------------------------------- | ------------------------------------------------------------- |
| pocket-id                                   | The auth provider — must be reachable to log in.              |
| stalwart (+mta-sts/autoconfig/autodiscover) | Mail server; needs public SMTP/IMAP + discovery. Native auth. |
| ntfy                                        | Push service; own token/ACL model, designed public.           |

### 🔑 Keep public, rely on NATIVE auth (has solid built-in login)

bulwark (webmail), jellyfin, audiobookshelf, miniflux, grafana, seerr, calibre-web.
*Action: verify each has a strong admin password / accounts; no infra change needed.*
*(grafana is borderline — consider Pocket-ID for defense-in-depth.)*

### 🔒 Gate behind POCKET-ID (weak/no native auth, admin-grade control)

sonarr, radarr, prowlarr, bazarr, chaptarr, qbittorrent, firefox (remote browser!),
temporal-ui, beszel, bifrost (LLM gateway w/ billing keys), yamtrack, nextflux,
excalideck (web+collab), searxng.
*firefox + bifrost are the highest urgency here.*

### 🚫 Internal-only — no Ingress (DONE)

searxng-mcp, browserless, rsshub. *(mastra also — done.)*

## Pocket-ID forward-auth: how to wire it (the pending work)

Traefik currently runs with ONLY `--providers.kubernetesingress` — the Middleware CRD
provider is off and the CRDs aren't installed. So there are two viable paths:

**Option A — oauth2-proxy sidecar/deployment + Traefik forwardAuth (recommended).**

1. In pocket-id (admin UI): create ONE OIDC client "traefik-forward-auth", redirect URI
   `https://auth.augustin.ai/oauth2/callback`. Note client\_id + secret.  → **needs you**
2. Deploy `oauth2-proxy` (cluster/infra/oauth2-proxy/) configured against pocket-id's
   issuer, on `auth.augustin.ai`.
3. Enable the Traefik CRD provider (`--providers.kubernetescrd=true`) + install the
   traefik.io CRDs (Middleware, etc.) — a one-line arg + a CRD manifest.
4. Add a `Middleware` (forwardAuth → oauth2-proxy) and annotate each of the 13 Ingresses
   with `traefik.ingress.kubernetes.io/router.middlewares: infra-oidc@kubernetescrd`.

**Option B — Cloudflare Access (if the tunnel fronts everything).**
Since ingress rides cloudflared, gate the 13 hostnames with Cloudflare Access policies
(SSO to pocket-id as an OIDC IdP). No in-cluster changes, but moves auth to Cloudflare.

## Decisions needed before I build the Pocket-ID rollout

1. Option A (in-cluster oauth2-proxy) vs Option B (Cloudflare Access)?
2. The pocket-id OIDC client (client\_id/secret) — created by you in the pocket-id admin UI.
3. Confirm the "keep native auth" set (esp. grafana) — gate it too, or trust native?
