From 71d0af084e311257d7e9409831084f47ee4d29ab Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 21 Jun 2026 00:17:40 +0000 Subject: [PATCH] traefik/crowdsec: remove 6 hard-coded middleware refs the variable sweep missed (PR1/2) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The first PR1 commit only dropped the ingress_factory reference + the 8 exclude_crowdsec call sites. But the crowdsec middleware is ALSO hard-coded (not via the variable) in 6 more ingresses that build their middleware chain by hand: owntracks, the monitoring Helm values (grafana + prometheus + alertmanager), and the reverse-proxy module + its own separate ingress factory. Remove all 6 so that after the full-cluster apply NO live ingress references traefik-crowdsec@kubernetescrd — the precondition for PR2 deleting the CRD. Co-Authored-By: Claude Opus 4.8
---
 .../modules/monitoring/grafana_chart_values.yaml | 2 +-
 .../modules/monitoring/prometheus_chart_values.tpl | 4 ++--
 stacks/owntracks/main.tf | 4 ++--
 .../modules/reverse_proxy/factory/main.tf | 1 -
 stacks/reverse-proxy/modules/reverse_proxy/main.tf | 12 ++++++------
 5 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
index 2bcd474e..50ae668b 100644
--- a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
+++ b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
@@ -32,7 +32,7 @@ ingress:
 enabled: "true"
 ingressClassName: "traefik"
 annotations:
- traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+ traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
 traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Grafana"
diff --git a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
index f7bbe256..f2510951 100755
--- a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
+++ b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
@@ -15,7 +15,7 @@ alertmanager:
 enabled: true
 ingressClassName: "traefik"
 annotations:
- traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+ traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
 traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: "Alertmanager"
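Review bot: The grafana chain on the `+` line is one of five hand-typed copies of the factory's middleware list (the alertmanager and prometheus `server` hunks below, the owntracks `module "ingress"` annotation, and `docker-registry-ui`), and none of them says where the canonical order lives, which is how the first sweep missed them. A marker above each copy lets the next middleware change find them by grep, e.g. `# hand-built middleware chain — keep in sync with stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf`. The names that remain here (rate-limit, csp-headers, authentik-forward-auth) already follow the factory's relative order, so only the comment is needed in these three values hunks.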
@@ -399,7 +399,7 @@ server:
 enabled: true
 ingressClassName: "traefik"
 annotations:
- traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+ traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
 traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 gethomepage.dev/enabled: "true"
diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf
index b5c20645..d8d3627a 100644
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@@ -49,7 +49,7 @@ resource "kubernetes_namespace" "owntracks" {
 name = "owntracks"
 labels = {
 "istio-injection" : "disabled"
- tier = local.tiers.aux
+ tier = local.tiers.aux
 "keel.sh/enrolled" = "true"
 }
 }
@@ -249,7 +249,7 @@ module "ingress" {
 tls_secret_name = var.tls_secret_name
 port = 80
 extra_annotations = {
- "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+ "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd"
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "OwnTracks"
 "gethomepage.dev/description" = "Location tracking"
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
index 850675d5..3ee18e8e 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
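Review bot: In the owntracks chain on the `+` line of the `module "ingress"` hunk, `owntracks-basic-auth@kubernetescrd` is listed before `traefik-rate-limit@kubernetescrd`, and Traefik runs middlewares in annotation order, so a request that basic auth rejects with 401 never reaches the rate limiter; now that the crowdsec bouncer is out of the chain, nothing left in it throttles repeated failed logins on this endpoint. The monitoring chains in this same commit put rate-limit first, so swapping the order also makes owntracks consistent with them: `"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,owntracks-basic-auth@kubernetescrd,traefik-csp-headers@kubernetescrd"`. This assumes `traefik-rate-limit` is a per-client rateLimit middleware, which its name suggests but the hunk does not show. The `module "ingress"` block starts before the hunk.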
@@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 "traefik-retry@kubernetescrd",
 var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
 var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
- "traefik-crowdsec@kubernetescrd",
 var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
 var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
 var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index deb5a83b..b891139f 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -31,11 +31,11 @@ module "tls_secret" {
 # https://pfsense.viktorbarzin.me/
 module "pfsense" {
- source = "./factory"
- dns_type = "proxied"
- name = "pfsense"
- external_name = "pfsense.viktorbarzin.lan"
- tls_secret_name = var.tls_secret_name
+ source = "./factory"
+ dns_type = "proxied"
+ name = "pfsense"
+ external_name = "pfsense.viktorbarzin.lan"
+ tls_secret_name = var.tls_secret_name
 # webGUI moved to :8443 on 2026-06-10 — :443 on pfSense is now the
 # SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct
 # backend port avoids a Traefik->HAProxy->GUI double hop.
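Review bot: With `"traefik-crowdsec@kubernetescrd"` removed from the list unconditionally, an ingress created with `protected = false` and `skip_global_rate_limit = true` keeps only `traefik-retry` and a CSP-header middleware in front of the backend, and nothing in the list records that this is intended rather than an oversight; a one-line comment at the top of the list, such as `# crowdsec bouncer removed (PR1/2) — no IP-reputation middleware is in this chain anymore`, would stop the next reader from re-adding it. The same list is re-typed by hand in the monitoring values, owntracks and docker-registry-ui, so it may be worth exposing it from the factory (e.g. as an output) instead of duplicating it, though the rest of the module is outside this hunk. The commit's claim that no live Ingress references the middleware after apply can be checked with `kubectl get ingress -A -o yaml | grep -c 'traefik-crowdsec@kubernetescrd'` expecting 0; IngressRoute objects, if any exist, reference middlewares by name/namespace rather than this annotation and would need a separate check before PR2 deletes the CRD. The `resource "kubernetes_ingress_v1" "proxied-ingress"` block continues outside the hunk.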
@@ -163,7 +163,7 @@ module "docker-registry-ui" {
 depends_on = [kubernetes_namespace.reverse-proxy]
 extra_annotations = {
 # Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
- "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+ "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "Docker Registry"
 "gethomepage.dev/description" = "Container registry"