traefik/crowdsec: remove 6 hard-coded middleware refs the variable sweep missed (PR1/2)

The first PR1 commit only dropped the ingress_factory reference + the 8
exclude_crowdsec call sites. But the crowdsec middleware is ALSO hard-coded
(not via the variable) in 6 more ingresses that build their middleware chain by
hand: owntracks, the monitoring Helm values (grafana + prometheus +
alertmanager), and the reverse-proxy module + its own separate ingress factory.
Remove all 6 so that after the full-cluster apply NO live ingress references
traefik-crowdsec@kubernetescrd — the precondition for PR2 deleting the CRD.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/monitoring/modules/monitoring/grafana_chart_values.yaml

@@ -32,7 +32,7 @@ ingress:
   enabled: "true"
   ingressClassName: "traefik"
   annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
     traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
     gethomepage.dev/enabled: "true"
     gethomepage.dev/name: "Grafana"

stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl

@@ -15,7 +15,7 @@ alertmanager:
     enabled: true
     ingressClassName: "traefik"
     annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
       traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
       gethomepage.dev/enabled: "true"
       gethomepage.dev/name: "Alertmanager"
@@ -399,7 +399,7 @@ server:
     enabled: true
     ingressClassName: "traefik"
     annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
       traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 
       gethomepage.dev/enabled: "true"

stacks/owntracks/main.tf

@@ -49,7 +49,7 @@ resource "kubernetes_namespace" "owntracks" {
     name = "owntracks"
     labels = {
       "istio-injection" : "disabled"
-      tier = local.tiers.aux
+      tier               = local.tiers.aux
       "keel.sh/enrolled" = "true"
     }
   }
@@ -249,7 +249,7 @@ module "ingress" {
   tls_secret_name = var.tls_secret_name
   port            = 80
   extra_annotations = {
-    "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+    "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd"
     "gethomepage.dev/enabled"                          = "true"
     "gethomepage.dev/name"                             = "OwnTracks"
     "gethomepage.dev/description"                      = "Location tracking"

stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf

@@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         "traefik-retry@kubernetescrd",
         var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
         var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
-        "traefik-crowdsec@kubernetescrd",
         var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
         var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
         var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,

stacks/reverse-proxy/modules/reverse_proxy/main.tf

@@ -31,11 +31,11 @@ module "tls_secret" {
 
 # https://pfsense.viktorbarzin.me/
 module "pfsense" {
-  source           = "./factory"
+  source          = "./factory"
-  dns_type         = "proxied"
+  dns_type        = "proxied"
-  name             = "pfsense"
+  name            = "pfsense"
-  external_name    = "pfsense.viktorbarzin.lan"
+  external_name   = "pfsense.viktorbarzin.lan"
-  tls_secret_name  = var.tls_secret_name
+  tls_secret_name = var.tls_secret_name
   # webGUI moved to :8443 on 2026-06-10 — :443 on pfSense is now the
   # SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct
   # backend port avoids a Traefik->HAProxy->GUI double hop.
@@ -163,7 +163,7 @@ module "docker-registry-ui" {
   depends_on      = [kubernetes_namespace.reverse-proxy]
   extra_annotations = {
     # Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
-    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
     "gethomepage.dev/enabled"                          = "true"
     "gethomepage.dev/name"                             = "Docker Registry"
     "gethomepage.dev/description"                      = "Container registry"