← Failure Lab

001 / Identity / Remote change / Near miss

Risk vs. reward.
Authentik over Tailscale
from the White Mountains.

The network path was available. The configuration was within reach. The real question was whether a remote identity change was worth the possibility of breaking the path required to repair it.

Classification: This is a near-miss analysis, not an outage post-mortem. No failure is being manufactured for drama. The lesson is that a successful result can still reveal an unsafe operating assumption.

CHANGE

Identity control plane

ACCESS

Tailscale

LOCATION

White Mountains

FAILURE MODE

Remote lockout

The decision

Capability is not permission.

Tailscale collapsed the distance between a laptop in the mountains and the homelab. That solved transport. It did not solve recovery.

Authentik sits in the access path for other systems. A configuration error can have a larger blast radius than the screen being edited suggests. When physical access is unavailable, every dependency between the change and its rollback matters.

The reward was immediate progress. The risk was turning a routine configuration task into a remote lockout with no local hands. The correct unit of analysis was not the individual setting—it was the complete path back to a known-good state.

Decision replay

What the successful change exposed.

[01]

Opportunity

Remote reachability made a useful Authentik configuration change possible without waiting to return home.

[02]

Hidden dependency

The same distance that made Tailscale valuable also increased the cost of a mistake. Reachability was not recoverability.

[03]

Risk test

Could the change invalidate the next authentication attempt, interrupt protected applications, or remove the path needed to undo it?

[04]

Near miss

The absence of an outage did not validate the method. It exposed that the recovery plan had not been proven to the same standard as the change.

[05]

Operating change

Remote identity work now needs an independent recovery path, a bounded change, explicit rollback, and a reason strong enough to justify the timing.

Risk register

The failure existed before the outage.

Each risk was present even if none became an incident. That is when risk is cheapest to address.

Identity lockout

A bad provider, flow, policy, or outpost change could reject the next login.

High

Recovery-path coupling

If repair depends on the identity layer being changed, remote access can become a one-way door.

Critical

No local hands

A vacation in the White Mountains put physical console access hours away.

High

False confidence

Tailscale made the network reachable; it did not make the application change reversible.

High

Corrective action

Turn judgment into a repeatable gate.

The useful artifact is not “be more careful.” It is a standard that makes the next decision easier to evaluate before risk is introduced.

  • Verify a recovery path that does not depend on the Authentik flow being modified.
  • Keep an authenticated administrative session open while validating through a separate session.
  • Export or record the known-good configuration before changing providers, flows, policies, or outposts.
  • Change one variable at a time and test the exact user journey before proceeding.
  • Define the rollback action and stop conditions before touching the control plane.
  • Defer the work when the reward is convenience rather than urgency, learning value, or risk reduction.

The lesson

Remote access answers “can I reach it?” Operational readiness answers “can I recover it?”

Explore the homelab →