infra: drop Authentik forward-auth from 7 self-authed apps (auth = "none")

Apps with their own user auth + bearer-token APIs were being broken by
Traefik → Authentik forward-auth: every iOS/Android/native client got a
302 to authentik.viktorbarzin.me instead of the JSON they expected.
Authentik's 302+cookie dance can only be followed by a real browser.

Changed:
  - immich         (Immich mobile app + bearer-token /api)
  - linkwarden     (NextAuth + Linkwarden mobile clients)
  - tandoor        (Django auth + Tandoor mobile clients)
  - freshrss       (Fever/GReader API used by Reeder/FeedMe/etc.)
  - affine         (workspace auth + AFFiNE desktop/mobile sync)
  - actualbudget   (server password + Actual mobile/sync clients)
  - ebooks/abs     (Audiobookshelf iOS/Android app)

Each app's own auth is the gate now. CrowdSec + rate-limit + anti-AI
UA filter still front the ingresses. Same pattern as the novelapp
change earlier this session.

[ci skip]
This commit is contained in:
Viktor Barzin 2026-05-11 18:46:36 +00:00
parent f98c3f2049
commit 7b6eee49c4
7 changed files with 35 additions and 14 deletions


@ -155,8 +155,11 @@ resource "kubernetes_service" "actualbudget" {
}
module "ingress" {
source = "../../../modules/kubernetes/ingress_factory"
auth = "required"
source = "../../../modules/kubernetes/ingress_factory"
# auth = "none": Actual Budget enforces a server password + per-user login
# on its own sync API. Authentik forward-auth was 302-ing the mobile/web
# sync clients; Actual's own auth gates users.
auth = "none"
namespace = "actualbudget"
name = "budget-${var.name}"
tls_secret_name = var.tls_secret_name
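Review bot: Switching `auth = "required"` to `auth = "none"` removes the SSO layer that stood between the internet and Actual's password prompt, and nothing in this hunk scopes the CrowdSec/rate-limit front named in the commit message to the login or sync endpoints, so credential guessing against the server password is throttled only if that limit happens to cover those paths. The comment also says "per-user login" while the commit message lists only a server password; the two should agree on what actually gates access. I would extend the comment with `# Defense-in-depth note: no SSO/MFA in front any more; confirm the ingress rate-limit applies to the login/sync path.` The same point applies to the affine, audiobookshelf, freshrss, immich, linkwarden and tandoor sections; the `module "ingress"` block continues past the end of the hunk.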


@ -358,8 +358,11 @@ resource "kubernetes_service" "affine" {
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
auth = "required"
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": AFFiNE has its own workspace auth + bearer-token API
# used by desktop/mobile sync clients. Authentik forward-auth was 302-ing
# those API callers; AFFiNE's own auth gates users.
auth = "none"
dns_type = "non-proxied"
namespace = kubernetes_namespace.affine.metadata[0].name
name = "affine"
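Review bot: Dropping forward-auth entirely also drops Authentik as the identity provider for browser users, which is more than the mobile-client fix needs if AFFiNE can authenticate against Authentik through its own OIDC/OAuth login (not visible here and version-dependent). Keeping SSO at the app level would retain the Authentik account and policy controls for the web UI while API callers still send bearer tokens. A comment recording whether that was considered would help the next reader, e.g. `# TODO: evaluate pointing AFFiNE's own OIDC login at Authentik so browser users keep SSO.` The same consideration applies to the immich, linkwarden and tandoor sections; the module block continues past the hunk.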


@ -661,8 +661,11 @@ resource "kubernetes_service" "audiobookshelf" {
}
module "audiobookshelf_ingress" {
source = "../../modules/kubernetes/ingress_factory"
auth = "required"
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": Audiobookshelf has its own user/password login + API
# tokens used by the iOS/Android Audiobookshelf app. Authentik forward-auth
# was 302-ing the mobile clients; ABS's own auth gates users.
auth = "none"
dns_type = "non-proxied"
namespace = kubernetes_namespace.ebooks.metadata[0].name
name = "audiobookshelf"
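Review bot: With forward-auth gone, any second factor or login policy Authentik enforced no longer applies to this host, and the comment presents the ABS username/password login as an equivalent gate without saying so. As far as I know ABS's local login is single-factor, so the practical change is a downgrade from SSO plus policy to a password form that is reached directly (the host is `dns_type = "non-proxied"`, which I read as no edge proxy in front; confirm). I would state that in the comment: `# Note: Authentik MFA/policies no longer apply here; ABS local login is the only gate.` The module block continues past the hunk.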


@ -228,8 +228,11 @@ resource "kubernetes_service" "freshrss" {
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
auth = "required"
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": FreshRSS has built-in user login and exposes Fever +
# GReader APIs (/api/fever.php, /api/greader.php) used by mobile RSS
# readers like Reeder/FeedMe. Authentik forward-auth was 302-ing those.
auth = "none"
dns_type = "proxied"
namespace = "freshrss"
name = "rss"
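Review bot: The comment names `/api/fever.php` and `/api/greader.php` as the reason for the change but not that these endpoints carry their own credential material: as I recall the Fever protocol's `api_key` is an unsalted MD5 over the user's credentials, and once Authentik is out of the path that key is checked only by FreshRSS. If this deployment uses FreshRSS's separate per-user API password (which I believe it supports), that should be recorded so nobody reuses the web login password there, e.g. `# FreshRSS API auth is per-user and uses a separate API password; keep it distinct from the web login.` The module block continues past the hunk.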


@ -737,8 +737,11 @@ resource "kubernetes_service" "immich-machine-learning" {
}
module "ingress-immich" {
source = "../../modules/kubernetes/ingress_factory"
auth = "required"
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": Immich has its own user auth + bearer-token API. Authentik
# forward-auth on `/api/*` was 302-ing the iOS/Android Immich app and any
# external API consumer. App-level auth is the gate now.
auth = "none"
dns_type = "non-proxied"
namespace = kubernetes_namespace.immich.metadata[0].name
name = "immich"
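Review bot: The comment says forward-auth on `/api/*` was breaking the app, but `auth = "none"` on the module removes it for the whole host, including the browser UI, and a reader could take the comment to mean only the API prefix was exempted. If the ingress_factory supports per-path exemption (not visible here), exempting `/api/*` alone would fix the mobile client while keeping the web UI behind Authentik; otherwise the comment should say the exemption is host-wide. Suggested wording: `# auth = "none": drops forward-auth for the whole host (not just /api/*); Immich's own login is the gate.` The module block continues past the hunk.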


@ -228,8 +228,11 @@ resource "kubernetes_service" "linkwarden" {
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
auth = "required"
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": Linkwarden uses NextAuth (NEXTAUTH_SECRET/URL set above)
# and exposes /api/* for its mobile clients. Authentik forward-auth would
# 302 those callers; app-level NextAuth gates users.
auth = "none"
dns_type = "proxied"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
name = "linkwarden"
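Review bot: Once forward-auth is removed, every unauthenticated route Linkwarden serves is reachable, including its self-registration page if registration is enabled, and nothing in this hunk records whether it is. Linkwarden has a registration toggle (`NEXT_PUBLIC_DISABLE_REGISTRATION` in the versions I know) that would live in the deployment spec outside this hunk, so a pointer in the comment is warranted: `# Registration must stay disabled now that there is no SSO gate in front of the signup page.` The same check applies to the tandoor section (its `ENABLE_SIGNUP` setting) and to FreshRSS's registration option. The module block continues past the hunk.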


@ -258,8 +258,11 @@ resource "kubernetes_service" "tandoor" {
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
auth = "required"
source = "../../modules/kubernetes/ingress_factory"
# auth = "none": Tandoor uses Django auth (SECRET_KEY set above) and exposes
# /api/* with token auth for its mobile clients. Authentik forward-auth was
# 302-ing those callers; Django session/token auth gates users.
auth = "none"
dns_type = "proxied"
namespace = kubernetes_namespace.tandoor.metadata[0].name
name = "tandoor"