postiz: expose /uploads publicly so Meta IG fetcher can pull JPEGs

Stories+feed posts via Postiz failed with state=ERROR and Postiz
mistranslated the cause as 'Invalid Instagram image resolution
max: 1920x1080px'. Real cause: Postiz hands Meta an upload URL
under https://postiz.viktorbarzin.me/uploads/... and Meta gets a
302 to the Authentik login page instead of bytes. Meta returns
error 36001 (image not fetchable) which Postiz maps to that
misleading resolution string.

Split the ingress: /uploads/* on a public ingress (matches the
instagram-poster /image+/original pattern), everything else
remains behind Authentik forward-auth. The paths under /uploads are
random UUIDs, so the blast radius if they are scraped is low.
Viktor Barzin 2026-05-09 12:29:39 +00:00
parent d62a9dcda1
commit 36d5cebb5c
No known key found for this signature in database
GPG key ID: 4056458DBDBF8863


@ -234,15 +234,34 @@ resource "helm_release" "postiz" {
] ]
} }
module "ingress" { # Two ingresses on the same host. /uploads/* must be reachable WITHOUT auth
# so Meta's IG Graph API fetcher can pull the JPEG when Postiz hands it the
# upload URL when behind Authentik, Meta receives a 302 to the login page
# and rejects with error code 36001 (Postiz mistranslates this as "Invalid
# Instagram image resolution"). Everything else stays behind Authentik.
module "ingress_uploads_public" {
source = "../../../../modules/kubernetes/ingress_factory" source = "../../../../modules/kubernetes/ingress_factory"
dns_type = "proxied" dns_type = "proxied"
namespace = kubernetes_namespace.postiz.metadata[0].name namespace = kubernetes_namespace.postiz.metadata[0].name
name = "postiz-uploads"
host = var.host
service_name = "postiz"
port = 80
protected = false
ingress_path = ["/uploads"]
tls_secret_name = var.tls_secret_name
}
module "ingress" {
source = "../../../../modules/kubernetes/ingress_factory"
dns_type = "none" # DNS already created by ingress_uploads_public
namespace = kubernetes_namespace.postiz.metadata[0].name
name = "postiz" name = "postiz"
host = var.host host = var.host
service_name = "postiz" # chart Service name resolves to fullnameOverride service_name = "postiz"
port = 80 port = 80
protected = true # Authentik forward-auth Postiz has its own login on top, but we don't expose registration to the open internet. protected = true # Authentik forward-auth on the UI / API path
ingress_path = ["/"]
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
extra_annotations = { extra_annotations = {
"gethomepage.dev/enabled" = "true" "gethomepage.dev/enabled" = "true"