Merge pull request 'traefik/crowdsec: remove dead plugin middleware reference (PR1/2)' (#8) from wizard/cs-deplugin-refs into master
Some checks failed
ci/woodpecker/push/default Pipeline failed
Some checks failed
ci/woodpecker/push/default Pipeline failed
This commit is contained in:
commit
a091689603
12 changed files with 26 additions and 46 deletions
|
|
@ -107,10 +107,6 @@ variable "custom_content_security_policy" {
|
||||||
type = string
|
type = string
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
variable "exclude_crowdsec" {
|
|
||||||
type = bool
|
|
||||||
default = false
|
|
||||||
}
|
|
||||||
variable "full_host" {
|
variable "full_host" {
|
||||||
type = string
|
type = string
|
||||||
default = null
|
default = null
|
||||||
|
|
@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
||||||
"traefik-error-pages@kubernetescrd",
|
"traefik-error-pages@kubernetescrd",
|
||||||
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
||||||
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
||||||
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
|
|
||||||
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
|
||||||
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
|
||||||
local.auth_middleware,
|
local.auth_middleware,
|
||||||
|
|
|
||||||
|
|
@ -211,7 +211,6 @@ module "ingress_public_outpost" {
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
dns_type = "proxied"
|
dns_type = "proxied"
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
exclude_crowdsec = true
|
|
||||||
homepage_enabled = false
|
homepage_enabled = false
|
||||||
depends_on = [authentik_outpost.public]
|
depends_on = [authentik_outpost.public]
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -82,13 +82,6 @@ module "ingress" {
|
||||||
service_name = "goauthentik-server"
|
service_name = "goauthentik-server"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
# Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
|
|
||||||
# interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints — that
|
|
||||||
# walls users out of the very gate they authenticate through (a CrowdSec hit
|
|
||||||
# would break the passkey ceremony / session refresh mid-flow). Auth keeps
|
|
||||||
# Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
|
|
||||||
# (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
|
|
||||||
exclude_crowdsec = true
|
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "Authentik"
|
"gethomepage.dev/name" = "Authentik"
|
||||||
|
|
@ -116,7 +109,6 @@ module "ingress-outpost" {
|
||||||
ingress_path = ["/outpost.goauthentik.io"]
|
ingress_path = ["/outpost.goauthentik.io"]
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
exclude_crowdsec = true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Immutable caching for the flow-executor static assets. Authentik serves
|
# Immutable caching for the flow-executor static assets. Authentik serves
|
||||||
|
|
|
||||||
|
|
@ -527,8 +527,7 @@ module "ingress" {
|
||||||
name = "dolt-workbench"
|
name = "dolt-workbench"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
|
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
|
||||||
auth = "none"
|
auth = "none"
|
||||||
exclude_crowdsec = true
|
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "Dolt Workbench"
|
"gethomepage.dev/name" = "Dolt Workbench"
|
||||||
|
|
@ -792,13 +791,12 @@ resource "kubernetes_service" "beadboard" {
|
||||||
}
|
}
|
||||||
|
|
||||||
module "beadboard_ingress" {
|
module "beadboard_ingress" {
|
||||||
source = "../../modules/kubernetes/ingress_factory"
|
source = "../../modules/kubernetes/ingress_factory"
|
||||||
dns_type = "proxied"
|
dns_type = "proxied"
|
||||||
namespace = kubernetes_namespace.beads.metadata[0].name
|
namespace = kubernetes_namespace.beads.metadata[0].name
|
||||||
name = "beadboard"
|
name = "beadboard"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
auth = "required"
|
auth = "required"
|
||||||
exclude_crowdsec = true
|
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "BeadBoard"
|
"gethomepage.dev/name" = "BeadBoard"
|
||||||
|
|
|
||||||
|
|
@ -303,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
module "ingress" {
|
module "ingress" {
|
||||||
source = "../../../../modules/kubernetes/ingress_factory"
|
source = "../../../../modules/kubernetes/ingress_factory"
|
||||||
dns_type = "proxied"
|
dns_type = "proxied"
|
||||||
namespace = kubernetes_namespace.crowdsec.metadata[0].name
|
namespace = kubernetes_namespace.crowdsec.metadata[0].name
|
||||||
name = "crowdsec-web"
|
name = "crowdsec-web"
|
||||||
auth = "required"
|
auth = "required"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
exclude_crowdsec = true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# CronJob to import public blocklists into CrowdSec
|
# CronJob to import public blocklists into CrowdSec
|
||||||
|
|
|
||||||
|
|
@ -301,7 +301,6 @@ module "ingress" {
|
||||||
service_name = module.anubis.service_name
|
service_name = module.anubis.service_name
|
||||||
port = module.anubis.service_port
|
port = module.anubis.service_port
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
exclude_crowdsec = true
|
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
extra_middlewares = ["traefik-x402@kubernetescrd"]
|
extra_middlewares = ["traefik-x402@kubernetescrd"]
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@ ingress:
|
||||||
enabled: "true"
|
enabled: "true"
|
||||||
ingressClassName: "traefik"
|
ingressClassName: "traefik"
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||||
gethomepage.dev/enabled: "true"
|
gethomepage.dev/enabled: "true"
|
||||||
gethomepage.dev/name: "Grafana"
|
gethomepage.dev/name: "Grafana"
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ alertmanager:
|
||||||
enabled: true
|
enabled: true
|
||||||
ingressClassName: "traefik"
|
ingressClassName: "traefik"
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||||
gethomepage.dev/enabled: "true"
|
gethomepage.dev/enabled: "true"
|
||||||
gethomepage.dev/name: "Alertmanager"
|
gethomepage.dev/name: "Alertmanager"
|
||||||
|
|
@ -399,7 +399,7 @@ server:
|
||||||
enabled: true
|
enabled: true
|
||||||
ingressClassName: "traefik"
|
ingressClassName: "traefik"
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||||
|
|
||||||
gethomepage.dev/enabled: "true"
|
gethomepage.dev/enabled: "true"
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,7 @@ resource "kubernetes_namespace" "owntracks" {
|
||||||
name = "owntracks"
|
name = "owntracks"
|
||||||
labels = {
|
labels = {
|
||||||
"istio-injection" : "disabled"
|
"istio-injection" : "disabled"
|
||||||
tier = local.tiers.aux
|
tier = local.tiers.aux
|
||||||
"keel.sh/enrolled" = "true"
|
"keel.sh/enrolled" = "true"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -249,7 +249,7 @@ module "ingress" {
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
port = 80
|
port = 80
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
|
"traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd"
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "OwnTracks"
|
"gethomepage.dev/name" = "OwnTracks"
|
||||||
"gethomepage.dev/description" = "Location tracking"
|
"gethomepage.dev/description" = "Location tracking"
|
||||||
|
|
|
||||||
|
|
@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" {
|
||||||
metadata {
|
metadata {
|
||||||
name = "poison-fountain"
|
name = "poison-fountain"
|
||||||
labels = {
|
labels = {
|
||||||
"istio-injection" = "disabled"
|
"istio-injection" = "disabled"
|
||||||
tier = local.tiers.cluster
|
tier = local.tiers.cluster
|
||||||
"keel.sh/enrolled" = "true"
|
"keel.sh/enrolled" = "true"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -228,7 +228,6 @@ module "ingress" {
|
||||||
port = 8080
|
port = 8080
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
skip_default_rate_limit = true
|
skip_default_rate_limit = true
|
||||||
exclude_crowdsec = true
|
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
# Deployment is scaled to 0 (see replicas above). Opt the ingress out of
|
# Deployment is scaled to 0 (see replicas above). Opt the ingress out of
|
||||||
# Uptime Kuma external monitoring so the sync CronJob deletes the orphaned
|
# Uptime Kuma external monitoring so the sync CronJob deletes the orphaned
|
||||||
|
|
|
||||||
|
|
@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
||||||
"traefik-retry@kubernetescrd",
|
"traefik-retry@kubernetescrd",
|
||||||
var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
||||||
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
||||||
"traefik-crowdsec@kubernetescrd",
|
|
||||||
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
||||||
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
|
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
|
||||||
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
|
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
|
||||||
|
|
|
||||||
|
|
@ -31,11 +31,11 @@ module "tls_secret" {
|
||||||
|
|
||||||
# https://pfsense.viktorbarzin.me/
|
# https://pfsense.viktorbarzin.me/
|
||||||
module "pfsense" {
|
module "pfsense" {
|
||||||
source = "./factory"
|
source = "./factory"
|
||||||
dns_type = "proxied"
|
dns_type = "proxied"
|
||||||
name = "pfsense"
|
name = "pfsense"
|
||||||
external_name = "pfsense.viktorbarzin.lan"
|
external_name = "pfsense.viktorbarzin.lan"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
# webGUI moved to :8443 on 2026-06-10 — :443 on pfSense is now the
|
# webGUI moved to :8443 on 2026-06-10 — :443 on pfSense is now the
|
||||||
# SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct
|
# SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct
|
||||||
# backend port avoids a Traefik->HAProxy->GUI double hop.
|
# backend port avoids a Traefik->HAProxy->GUI double hop.
|
||||||
|
|
@ -163,7 +163,7 @@ module "docker-registry-ui" {
|
||||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
# Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
|
# Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
|
||||||
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "Docker Registry"
|
"gethomepage.dev/name" = "Docker Registry"
|
||||||
"gethomepage.dev/description" = "Container registry"
|
"gethomepage.dev/description" = "Container registry"
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue