From 40ca011bd6aa29c06d47c7f1e9742c5bae6a3058 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 9 May 2026 12:29:39 +0000
Subject: [PATCH] postiz: expose /uploads publicly so Meta IG fetcher can pull JPEGs

Stories+feed posts via Postiz failed with state=ERROR and Postiz mistranslated the cause as 'Invalid Instagram image resolution max: 1920x1080px'. Real cause: Postiz hands Meta an upload URL under https://postiz.viktorbarzin.me/uploads/... and Meta gets a 302 to the Authentik login page instead of bytes. Meta returns error 36001 (image not fetchable) which Postiz maps to that misleading resolution string. Split the ingress: /uploads/* on a public ingress (matches the instagram-poster /image+/original pattern), everything else remains behind Authentik forward-auth. /uploads contents are random UUIDs, low blast radius if scraped.
---
 stacks/postiz/modules/postiz/main.tf | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/stacks/postiz/modules/postiz/main.tf b/stacks/postiz/modules/postiz/main.tf
index d5a159f6..351dfd66 100644
--- a/stacks/postiz/modules/postiz/main.tf
+++ b/stacks/postiz/modules/postiz/main.tf
@@ -234,15 +234,34 @@ resource "helm_release" "postiz" {
   ]
 }
 
-module "ingress" {
+# Two ingresses on the same host. /uploads/* must be reachable WITHOUT auth
+# so Meta's IG Graph API fetcher can pull the JPEG when Postiz hands it the
+# upload URL — when behind Authentik, Meta receives a 302 to the login page
+# and rejects with error code 36001 (Postiz mistranslates this as "Invalid
+# Instagram image resolution"). Everything else stays behind Authentik.
+module "ingress_uploads_public" {
   source = "../../../../modules/kubernetes/ingress_factory"
   dns_type = "proxied"
   namespace = kubernetes_namespace.postiz.metadata[0].name
+  name = "postiz-uploads"
+  host = var.host
+  service_name = "postiz"
+  port = 80
+  protected = false
+  ingress_path = ["/uploads"]
+  tls_secret_name = var.tls_secret_name
+}
+
+module "ingress" {
+  source = "../../../../modules/kubernetes/ingress_factory"
+  dns_type = "none" # DNS already created by ingress_uploads_public
+  namespace = kubernetes_namespace.postiz.metadata[0].name
   name = "postiz"
   host = var.host
-  service_name = "postiz" # chart Service name resolves to fullnameOverride
+  service_name = "postiz"
   port = 80
-  protected = true # Authentik forward-auth — Postiz has its own login on top, but we don't expose registration to the open internet.
+  protected = true # Authentik forward-auth on the UI / API path
+  ingress_path = ["/"]
   tls_secret_name = var.tls_secret_name
   extra_annotations = {
     "gethomepage.dev/enabled" = "true"
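Review bot: The unauthenticated `/uploads` ingress (`protected = false`) relies entirely on the uploaded filenames being unguessable, yet nothing in the hunk records that the prefix is static, GET-only and without directory listing — if the backend ever serves an index for `/uploads/` or handles writes under that prefix, the 'random UUIDs, low blast radius' argument no longer holds. Verify once that `GET /uploads/` returns no listing and that non-GET/HEAD methods are refused, and pin the assumption next to the module, e.g. `# Unauthenticated by design: static GET-only media, no index — re-verify on Postiz upgrades.`; if ingress_factory can pass method- or rate-limit annotations, adding them here is cheap defence in depth against bulk scraping. Whether `ingress_path = ["/uploads"]` matches only `/uploads/...` or also the bare `/uploads` depends on the pathType the factory emits, which is not visible here, so it is worth checking against the exact URL Postiz hands Meta. `dns_type = "none"` on `ingress` also makes the host's DNS record depend on the public module existing, so a later removal of `ingress_uploads_public` would silently drop DNS for the whole host. The `extra_annotations` map and the rest of `module "ingress"` continue past the hunk.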