infra: drop Authentik forward-auth from 7 self-authed apps (auth = "none")

Apps with their own user auth + bearer-token APIs were being broken by Traefik → Authentik forward-auth: every iOS/Android/native client got a 302 to authentik.viktorbarzin.me instead of the JSON they expected. Authentik's 302+cookie dance can only be followed by a real browser. Changed: - immich (Immich mobile app + bearer-token /api) - linkwarden (NextAuth + Linkwarden mobile clients) - tandoor (Django auth + Tandoor mobile clients) - freshrss (Fever/GReader API used by Reeder/FeedMe/etc.) - affine (workspace auth + AFFiNE desktop/mobile sync) - actualbudget (server password + Actual mobile/sync clients) - ebooks/abs (Audiobookshelf iOS/Android app) Each app's own auth is the gate now. CrowdSec + rate-limit + anti-AI UA filter still front the ingresses. Same pattern as the novelapp change earlier this session. [ci skip]
2026-05-11 18:46:36 +00:00 · 2026-05-11 18:46:36 +00:00 · 7b6eee49c4
commit 7b6eee49c4
parent f98c3f2049
7 changed files with 35 additions and 14 deletions
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@ -228,8 +228,11 @@ resource "kubernetes_service" "freshrss" {
  }
 }
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  auth            = "required"
+  source = "../../modules/kubernetes/ingress_factory"
+  # auth = "none": FreshRSS has built-in user login and exposes Fever +
+  # GReader APIs (/api/fever.php, /api/greader.php) used by mobile RSS
+  # readers like Reeder/FeedMe. Authentik forward-auth was 302-ing those.
+  auth            = "none"
  dns_type        = "proxied"
  namespace       = "freshrss"
  name            = "rss"