kms: carve /keys.json out of Anubis for script auto-key-selection

The activation scripts now fetch the published GVLK list from /keys.json to auto-select the right key for the detected edition. Like the .ps1 scripts, that endpoint must bypass Anubis (PowerShell/ConvertFrom-Json can't solve the PoW). Add /keys.json to the ingress_scripts carve-out path list. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-01 10:10:43 +00:00 · 2026-06-01 10:10:43 +00:00 · 6f0bdf2993
commit 6f0bdf2993
parent 7a297deb24
1 changed files with 11 additions and 9 deletions
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@ -133,25 +133,27 @@ module "ingress" {
  }
 }

-# Carve-out for /scripts/* — the PowerShell activators (kms-bootstrap.ps1,
-# setup-kms.ps1) that visitors fetch with `iwr ... | iex`. Anubis cannot gate
-# this path: PowerShell/curl are non-JS clients and can't solve the PoW
-# challenge, so they'd receive the challenge HTML and `iex` would choke on it.
-# Points at the bare kms-web-page nginx service, bypassing the Anubis proxy.
-# Traefik prioritises the longer /scripts prefix over the main "/" router.
+# Carve-out for /scripts/* and /keys.json — the PowerShell activators
+# (kms-bootstrap.ps1, setup-kms.ps1) that visitors fetch with `iwr ... | iex`,
+# plus /keys.json (the published GVLK list the scripts fetch to auto-select a
+# key). Anubis cannot gate these paths: PowerShell/curl are non-JS clients and
+# can't solve the PoW challenge, so they'd receive the challenge HTML and the
+# script (or ConvertFrom-Json) would choke on it. Points at the bare
+# kms-web-page nginx service, bypassing the Anubis proxy. Traefik prioritises
+# the longer /scripts and /keys.json prefixes over the main "/" router.
 module "ingress_scripts" {
  source = "../../modules/kubernetes/ingress_factory"
-  # auth = "none": public read-only static scripts (iwr|iex). No login, no PoW.
+  # auth = "none": public read-only static scripts + key list (iwr|iex). No login, no PoW.
  auth             = "none"
  namespace        = kubernetes_namespace.kms.metadata[0].name
  name             = "kms-scripts"
  service_name     = kubernetes_service.kms-web-page.metadata[0].name
  port             = "80"
-  ingress_path     = ["/scripts"]
+  ingress_path     = ["/scripts", "/keys.json"]
  full_host        = "kms.viktorbarzin.me" # MUST match the main ingress host; without this the factory derives kms-scripts.viktorbarzin.me and the carve-out never matches.
  dns_type         = "none"                # DNS already owned by the main kms ingress.
  tls_secret_name  = var.tls_secret_name
-  anti_ai_scraping = false # Two static scripts; nothing for scrapers to mine.
+  anti_ai_scraping = false # Static scripts + key list; nothing for scrapers to mine.
 }

 # Dedicated KMS endpoint hostname. kms.viktorbarzin.me is the *website* (Traefik