viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Merge pull request 'traefik/crowdsec: remove dead plugin middleware reference (PR1/2)' (#8) from wizard/cs-deplugin-refs into master
Some checks failed
ci/woodpecker/push/default Pipeline failed
Details

Browse source
This commit is contained in:
viktor 2026-06-21 00:17:51 +00:00
commit a091689603
12 changed files with 26 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/kubernetes/ingress_factory/main.tf
View file

@ -107,10 +107,6 @@ variable "custom_content_security_policy" {
type = string
default = null
}
variable "exclude_crowdsec" {
type = bool
default = false
}
variable "full_host" {
type = string
default = null
@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"traefik-error-pages@kubernetescrd",
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
local.auth_middleware,

1
stacks/authentik/guest.tf
View file

@ -211,7 +211,6 @@ module "ingress_public_outpost" {
tls_secret_name = var.tls_secret_name
dns_type = "proxied"
anti_ai_scraping = false
exclude_crowdsec = true
homepage_enabled = false
depends_on = [authentik_outpost.public]
}

8
stacks/authentik/modules/authentik/main.tf
View file

@ -82,13 +82,6 @@ module "ingress" {
service_name = "goauthentik-server"
tls_secret_name = var.tls_secret_name
anti_ai_scraping = false
# Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
# interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints that
# walls users out of the very gate they authenticate through (a CrowdSec hit
# would break the passkey ceremony / session refresh mid-flow). Auth keeps
# Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
# (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
exclude_crowdsec = true
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Authentik"
@ -116,7 +109,6 @@ module "ingress-outpost" {
ingress_path = ["/outpost.goauthentik.io"]
tls_secret_name = var.tls_secret_name
anti_ai_scraping = false
exclude_crowdsec = true
}
# Immutable caching for the flow-executor static assets. Authentik serves

16
stacks/beads-server/main.tf
View file

@ -527,8 +527,7 @@ module "ingress" {
name = "dolt-workbench"
tls_secret_name = var.tls_secret_name
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
auth = "none"
exclude_crowdsec = true
auth = "none"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Dolt Workbench"
@ -792,13 +791,12 @@ resource "kubernetes_service" "beadboard" {
}
module "beadboard_ingress" {
source = "../../modules/kubernetes/ingress_factory"
dns_type = "proxied"
namespace = kubernetes_namespace.beads.metadata[0].name
name = "beadboard"
tls_secret_name = var.tls_secret_name
auth = "required"
exclude_crowdsec = true
source = "../../modules/kubernetes/ingress_factory"
dns_type = "proxied"
namespace = kubernetes_namespace.beads.metadata[0].name
name = "beadboard"
tls_secret_name = var.tls_secret_name
auth = "required"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "BeadBoard"

13
stacks/crowdsec/modules/crowdsec/main.tf
View file

@ -303,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" {
}
}
module "ingress" {
source = "../../../../modules/kubernetes/ingress_factory"
dns_type = "proxied"
namespace = kubernetes_namespace.crowdsec.metadata[0].name
name = "crowdsec-web"
auth = "required"
tls_secret_name = var.tls_secret_name
exclude_crowdsec = true
source = "../../../../modules/kubernetes/ingress_factory"
dns_type = "proxied"
namespace = kubernetes_namespace.crowdsec.metadata[0].name
name = "crowdsec-web"
auth = "required"
tls_secret_name = var.tls_secret_name
}
# CronJob to import public blocklists into CrowdSec

1
stacks/f1-stream/main.tf
View file

@ -301,7 +301,6 @@ module "ingress" {
service_name = module.anubis.service_name
port = module.anubis.service_port
tls_secret_name = var.tls_secret_name
exclude_crowdsec = true
anti_ai_scraping = false
extra_middlewares = ["traefik-x402@kubernetescrd"]
extra_annotations = {

2
stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
View file

@ -32,7 +32,7 @@ ingress:
enabled: "true"
ingressClassName: "traefik"
annotations:
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Grafana"

4
stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
View file

@ -15,7 +15,7 @@ alertmanager:
enabled: true
ingressClassName: "traefik"
annotations:
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
gethomepage.dev/enabled: "true"
gethomepage.dev/name: "Alertmanager"
@ -399,7 +399,7 @@ server:
enabled: true
ingressClassName: "traefik"
annotations:
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
gethomepage.dev/enabled: "true"

4
stacks/owntracks/main.tf
View file

@ -49,7 +49,7 @@ resource "kubernetes_namespace" "owntracks" {
name = "owntracks"
labels = {
"istio-injection" : "disabled"
tier = local.tiers.aux
tier = local.tiers.aux
"keel.sh/enrolled" = "true"
}
}
@ -249,7 +249,7 @@ module "ingress" {
tls_secret_name = var.tls_secret_name
port = 80
extra_annotations = {
"traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
"traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "OwnTracks"
"gethomepage.dev/description" = "Location tracking"

5
stacks/poison-fountain/main.tf
View file

@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" {
metadata {
name = "poison-fountain"
labels = {
"istio-injection" = "disabled"
tier = local.tiers.cluster
"istio-injection" = "disabled"
tier = local.tiers.cluster
"keel.sh/enrolled" = "true"
}
}
@ -228,7 +228,6 @@ module "ingress" {
port = 8080
tls_secret_name = var.tls_secret_name
skip_default_rate_limit = true
exclude_crowdsec = true
anti_ai_scraping = false
# Deployment is scaled to 0 (see replicas above). Opt the ingress out of
# Uptime Kuma external monitoring so the sync CronJob deletes the orphaned

1
stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
View file

@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"traefik-retry@kubernetescrd",
var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
"traefik-crowdsec@kubernetescrd",
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,

12
stacks/reverse-proxy/modules/reverse_proxy/main.tf
View file

@ -31,11 +31,11 @@ module "tls_secret" {
# https://pfsense.viktorbarzin.me/
module "pfsense" {
source = "./factory"
dns_type = "proxied"
name = "pfsense"
external_name = "pfsense.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
source = "./factory"
dns_type = "proxied"
name = "pfsense"
external_name = "pfsense.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
# webGUI moved to :8443 on 2026-06-10 :443 on pfSense is now the
# SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct
# backend port avoids a Traefik->HAProxy->GUI double hop.
@ -163,7 +163,7 @@ module "docker-registry-ui" {
depends_on = [kubernetes_namespace.reverse-proxy]
extra_annotations = {
# Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Docker Registry"
"gethomepage.dev/description" = "Container registry"