From 188bdd50a05acb0907c2fbf1f45d9538f3181525 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 28 May 2026 16:08:41 +0000
Subject: [PATCH] infra: decommission foolery agent UI

User no longer actively using foolery.

Removed:
- TF stack stacks/foolery (Cloudflare DNS, Traefik IngressRoute, Authentik forward-auth integration, K8s Service+Endpoints)
- Devvm systemd unit /etc/systemd/system/foolery.service
- Runtime at ~/.local/share/foolery and launcher ~/.local/bin/foolery
- Stale foolery reference in .claude/CLAUDE.md auth="required" examples

Uptime Kuma [External] foolery monitor will auto-prune on next external-monitor-sync reconcile.

Co-Authored-By: Claude Opus 4.7
---
 .claude/CLAUDE.md | 2 +-
 stacks/foolery/main.tf | 78 ----------------------------------
 stacks/foolery/secrets | 1 -
 stacks/foolery/terragrunt.hcl | 3 --
 4 files changed, 1 insertion(+), 83 deletions(-)
 delete mode 100644 stacks/foolery/main.tf
 delete mode 120000 stacks/foolery/secrets
 delete mode 100644 stacks/foolery/terragrunt.hcl

diff --git a/.claude/CLAUDE.md b/.claude/CLAUDE.md
index 8a60982c..1df15f45 100755
--- a/.claude/CLAUDE.md
+++ b/.claude/CLAUDE.md
@@ -29,7 +29,7 @@ Violations cause state drift, which causes future applies to break or silently r
 - **New services need CI/CD** and **monitoring** (Prometheus/Uptime Kuma)
 - **New service**: Use `setup-project` skill for full workflow
 - **Ingress**: `ingress_factory` module. **Auth** (`auth` string enum, default `"required"` — fail-closed). Pick by asking "what gates the app?":
- - `auth = "required"` — Authentik forward-auth gates every request. Use when the backend has **no built-in user auth** and Authentik is the only thing standing between strangers and the app (prowlarr, qbittorrent, netbox, phpipam, k8s-dashboard, foolery, any admin UI shipped without its own login).
+ - `auth = "required"` — Authentik forward-auth gates every request. Use when the backend has **no built-in user auth** and Authentik is the only thing standing between strangers and the app (prowlarr, qbittorrent, netbox, phpipam, k8s-dashboard, any admin UI shipped without its own login).
 - `auth = "app"` — the backend handles its own user authentication (NextAuth, Django, OAuth, bearer-token API, etc.); Authentik would only break it. No middleware attached; the app's own login is the gate. Examples: immich, linkwarden, tandoor, freshrss, affine, actualbudget, audiobookshelf, novelapp. **Functionally identical to `"none"`** — the distinct name exists to record intent at the call site.
 - `auth = "public"` — Authentik anonymous binding via the dedicated `public` outpost (routes via `traefik-authentik-forward-auth-public` → `ak-outpost-public.authentik.svc:9000`). Strangers auto-bound to `guest`; logged-in users keep their identity in `X-authentik-username`. **Only works for top-level browser navigation** — CORS preflight rejects XHR/fetch and automation can't replay the cookie dance. Audit trail, not a gate.
 - `auth = "none"` — no Authentik, no own-auth claim. 
Use for Anubis-fronted content (Anubis is the gate), native-client APIs (Git, `/v2/`, WebDAV/CalDAV, CardDAV), webhook receivers, OAuth callbacks, and Authentik outposts themselves.
diff --git a/stacks/foolery/main.tf b/stacks/foolery/main.tf
deleted file mode 100644
index ebe1ae7a..00000000
--- a/stacks/foolery/main.tf
+++ /dev/null
@@ -1,78 +0,0 @@
-variable "tls_secret_name" {
- type = string
- sensitive = true
-}
-
-resource "kubernetes_namespace" "foolery" {
- metadata {
- name = "foolery"
- labels = {
- "istio-injection" : "disabled"
- tier = local.tiers.aux
- "keel.sh/enrolled" = "true"
- }
- }
- lifecycle {
- # KYVERNO_LIFECYCLE_V1: goldilocks-vpa-auto-mode ClusterPolicy stamps this label on every namespace
- ignore_changes = [metadata[0].labels["goldilocks.fairwinds.com/vpa-update-mode"]]
- }
-}
-
-module "tls_secret" {
- source = "../../modules/kubernetes/setup_tls_secret"
- namespace = kubernetes_namespace.foolery.metadata[0].name
- tls_secret_name = var.tls_secret_name
-}
-
-# Service + Endpoints to reverse-proxy to Foolery at 10.0.10.10:3210
-resource "kubernetes_service" "foolery" {
- metadata {
- name = "foolery"
- namespace = kubernetes_namespace.foolery.metadata[0].name
- labels = {
- app = "foolery"
- }
- }
-
- spec {
- port {
- name = "http"
- port = 80
- target_port = 3210
- }
- }
-}
-
-resource "kubernetes_endpoints" "foolery" {
- metadata {
- name = "foolery"
- namespace = kubernetes_namespace.foolery.metadata[0].name
- }
-
- subset {
- address {
- ip = "10.0.10.10"
- }
- port {
- name = "http"
- port = 3210
- }
- }
-}
-
-module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- dns_type = "proxied"
- namespace = kubernetes_namespace.foolery.metadata[0].name
- name = "foolery"
- tls_secret_name = var.tls_secret_name
- auth = "required"
- extra_annotations = {
- "gethomepage.dev/enabled" = "true"
- "gethomepage.dev/name" = "Foolery"
- "gethomepage.dev/description" = "Agent orchestration control room"
- "gethomepage.dev/icon" = "mdi-robot"
- "gethomepage.dev/group" = "AI"
- "gethomepage.dev/pod-selector" = ""
- }
-}
diff --git a/stacks/foolery/secrets b/stacks/foolery/secrets
deleted file mode 120000
index ca54a7cf..00000000
--- a/stacks/foolery/secrets
+++ /dev/null
@@ -1 +0,0 @@
-../../secrets
\ No newline at end of file
diff --git a/stacks/foolery/terragrunt.hcl b/stacks/foolery/terragrunt.hcl
deleted file mode 100644
index e147285f..00000000
--- a/stacks/foolery/terragrunt.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-include "root" {
- path = find_in_parent_folders()
-}