From 06b166202d7a3052e847448fa14ca9f439d13ebe Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 15 May 2026 21:28:09 +0000
Subject: [PATCH] aiostreams: pin nightly + switch to auth=app
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Pin viren070/aiostreams:nightly → :2026.05.14.1326-nightly (avoid stale-pull cache, matches 8-char SHA convention for rolling tags) - Switch ingress auth tier required → app: Authentik forward-auth blocks Stremio clients (cannot follow OAuth 302), and AIOStreams already enforces UUID + password on /configure and /api/*, with Stremio addon URLs using encryptedPassword as a bearer token. Result: empty-stream-list issue fixed for public Stremio clients. Verified: 410 streams returned via public URL for Breaking Bad S01E01 with no cookies, vs 0 before (502→Authentik OIDC redirect).
---
 stacks/servarr/aiostreams/main.tf | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/stacks/servarr/aiostreams/main.tf b/stacks/servarr/aiostreams/main.tf
index 65cbf598..e2d95a2d 100644
--- a/stacks/servarr/aiostreams/main.tf
+++ b/stacks/servarr/aiostreams/main.tf
@@ -76,7 +76,7 @@ resource "kubernetes_deployment" "aiostreams" {
 }
 spec {
 container {
- image = "viren070/aiostreams:nightly"
+ image = "viren070/aiostreams:2026.05.14.1326-nightly"
 name = "aiostreams"
 port {
 container_port = 3000
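Review bot: The new `image` value is still a registry tag, so the pin holds only as long as the publisher never re-pushes `2026.05.14.1326-nightly`; a dated nightly tag is not immutable. Since the same commit removes the forward-auth layer in front of this container, I would pin by digest as well, e.g. `image = "viren070/aiostreams:2026.05.14.1326-nightly@sha256:<digest-of-the-verified-image>"` (placeholder, take the digest from the image that was actually tested). A short comment above the line saying how the tag is bumped (manual or by an updater) would keep a now internet-facing nightly build from silently ageing. The `container` block continues outside this hunk, so I cannot see whether an `image_pull_policy` is set.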
@@ -144,13 +144,17 @@ resource "kubernetes_service" "aiostreams" {
 }
 module "ingress" {
- source = "../../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../../modules/kubernetes/ingress_factory"
+ # auth = "app": AIOStreams enforces its own UUID + password gate on /configure
+ # and /api/*, and Stremio addon URLs (/stremio/{uuid}/{encryptedPassword}/...)
+ # use the encryptedPassword path segment as a bearer token. Authentik forward-auth
+ # broke Stremio clients (cannot follow OAuth 302) and is redundant with the app's
+ # own auth. UUIDs are 128-bit random; password attempts are rate-limited.
+ auth = "app"
 dns_type = "proxied"
 namespace = kubernetes_namespace.aiostreams.metadata[0].name
 name = "aiostreams"
 tls_secret_name = var.tls_secret_name
- # auth = "required"
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "AIOStreams"
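Review bot: `auth = "app"` drops forward-auth for every path on this host, although by the comment's own reasoning only the `/stremio/...` addon routes need to bypass Authentik. If `ingress_factory` supports path-scoped auth (the module is not visible here), keeping `/configure` and `/api/*` behind forward-auth would preserve defence in depth for the management surface. The comment calls Authentik "redundant", but after this change the app's own login is the only control, and the "rate-limited" claim cannot be checked from this diff; I would name the setting or upstream doc that enforces it. The credential also now travels in the URL path through a `dns_type = "proxied"` ingress, so I would add a line such as `# NOTE: encryptedPassword is a credential in the URL path; it appears in ingress/CDN access logs - restrict and redact those logs.`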