diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 9ea84d69..72367979 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -58,10 +58,6 @@ variable "root_domain" {
default = "viktorbarzin.me"
type = string
}
-variable "rybbit_site_id" {
- default = null
- type = string
-}
variable "custom_content_security_policy" {
type = string
default = null
@@ -237,12 +233,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
- local.effective_anti_ai ? "traefik-strip-accept-encoding@kubernetescrd" : null,
- local.effective_anti_ai ? "traefik-anti-ai-trap-links@kubernetescrd" : null,
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
var.allow_local_access_only ? "traefik-local-only@kubernetescrd" : null,
- var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
- var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
], var.extra_middlewares)))
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
@@ -282,33 +274,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
}
}
-# Rybbit analytics middleware (rewrite-body plugin with content-type filtering) - created per service when rybbit_site_id is set
-resource "kubernetes_manifest" "rybbit_analytics" {
- count = var.rybbit_site_id != null ? 1 : 0
-
- manifest = {
- apiVersion = "traefik.io/v1alpha1"
- kind = "Middleware"
- metadata = {
- name = "rybbit-analytics-${var.name}"
- namespace = var.namespace
- }
- spec = {
- plugin = {
- traefik-plugin-rewritebody = {
- rewrites = [{
- regex = ""
- replacement = ""
- }]
- monitoring = {
- types = ["text/html"]
- }
- }
- }
- }
- }
-}
-
# Custom CSP headers middleware - created per service when custom_content_security_policy is set
resource "kubernetes_manifest" "custom_csp" {
count = var.custom_content_security_policy != null ? 1 : 0
diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf
index ad719aa5..dda5816a 100644
--- a/stacks/actualbudget/factory/main.tf
+++ b/stacks/actualbudget/factory/main.tf
@@ -145,7 +145,6 @@ module "ingress" {
name = "budget-${var.name}"
tls_secret_name = var.tls_secret_name
dns_type = "proxied"
- rybbit_site_id = "3e6b6b68088a"
extra_annotations = var.homepage_annotations
}
diff --git a/stacks/blog/main.tf b/stacks/blog/main.tf
index df55cd5c..e044f4d7 100644
--- a/stacks/blog/main.tf
+++ b/stacks/blog/main.tf
@@ -112,7 +112,6 @@ module "ingress" {
full_host = "viktorbarzin.me"
dns_type = "proxied"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "da853a2438d0"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Blog"
@@ -130,5 +129,4 @@ module "ingress-www" {
service_name = "blog"
full_host = "www.viktorbarzin.me"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "da853a2438d0"
}
diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf
index c0068124..0969d383 100644
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@@ -128,7 +128,7 @@ resource "helm_release" "crowdsec" {
repository = "https://crowdsecurity.github.io/helm-charts"
chart = "crowdsec"
- values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host, postgresql_host = var.postgresql_host })]
+ values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host, postgresql_host = var.postgresql_host })]
timeout = 1200
wait = true
wait_for_jobs = true
@@ -256,13 +256,12 @@ resource "kubernetes_service" "crowdsec-web" {
}
module "ingress" {
source = "../../../../modules/kubernetes/ingress_factory"
- dns_type = "proxied"
+ dns_type = "proxied"
namespace = kubernetes_namespace.crowdsec.metadata[0].name
name = "crowdsec-web"
protected = true
tls_secret_name = var.tls_secret_name
exclude_crowdsec = true
- rybbit_site_id = "d09137795ccc"
}
# CronJob to import public blocklists into CrowdSec
diff --git a/stacks/cyberchef/main.tf b/stacks/cyberchef/main.tf
index 620b1c4e..9462393d 100644
--- a/stacks/cyberchef/main.tf
+++ b/stacks/cyberchef/main.tf
@@ -102,7 +102,6 @@ module "ingress" {
namespace = kubernetes_namespace.cyberchef.metadata[0].name
name = "cc"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "7c460afc68c4"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "CyberChef"
diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf
index b5ef04e6..15ca12dd 100644
--- a/stacks/dawarich/main.tf
+++ b/stacks/dawarich/main.tf
@@ -385,7 +385,6 @@ module "ingress" {
namespace = kubernetes_namespace.dawarich.metadata[0].name
name = "dawarich"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "0abfd409f2fb"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Dawarich"
diff --git a/stacks/dbaas/modules/dbaas/main.tf b/stacks/dbaas/modules/dbaas/main.tf
index aa94d1d4..df68afbd 100644
--- a/stacks/dbaas/modules/dbaas/main.tf
+++ b/stacks/dbaas/modules/dbaas/main.tf
@@ -1004,15 +1004,13 @@ resource "kubernetes_service" "phpmyadmin" {
}
}
module "ingress" {
- source = "../../../../modules/kubernetes/ingress_factory"
- dns_type = "proxied"
- namespace = kubernetes_namespace.dbaas.metadata[0].name
- name = "pma"
- tls_secret_name = var.tls_secret_name
- protected = true
- extra_annotations = {}
- rybbit_site_id = "942c76b8bd4d"
- custom_content_security_policy = "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://rybbit.viktorbarzin.me"
+ source = "../../../../modules/kubernetes/ingress_factory"
+ dns_type = "proxied"
+ namespace = kubernetes_namespace.dbaas.metadata[0].name
+ name = "pma"
+ tls_secret_name = var.tls_secret_name
+ protected = true
+ extra_annotations = {}
}
@@ -1514,7 +1512,6 @@ module "ingress-pgadmin" {
name = "pgadmin"
tls_secret_name = var.tls_secret_name
protected = true
- rybbit_site_id = "7cef78e30485"
}
diff --git a/stacks/ebooks/main.tf b/stacks/ebooks/main.tf
index 0012a443..31858dd2 100644
--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
@@ -390,8 +390,6 @@ module "calibre_ingress" {
"gethomepage.dev/widget.password" = local.calibre_homepage_credentials["calibre-web"]["password"]
"gethomepage.dev/pod-selector" = ""
}
- rybbit_site_id = "17a5c7fbb077"
- custom_content_security_policy = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://rybbit.viktorbarzin.me"
}
# Stacks - Anna's Archive Download Manager
@@ -501,7 +499,6 @@ module "stacks_ingress" {
service_name = "annas-archive-stacks"
tls_secret_name = var.tls_secret_name
protected = true
- rybbit_site_id = "ce5f8aed6bbb"
extra_annotations = {
"gethomepage.dev/enabled" = "false"
}
@@ -650,7 +647,6 @@ module "audiobookshelf_ingress" {
namespace = kubernetes_namespace.ebooks.metadata[0].name
name = "audiobookshelf"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "b38fda4285df"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Audiobookshelf"
diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf
index 004b59a3..e03113be 100644
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@@ -169,11 +169,10 @@ module "tls_secret" {
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
- dns_type = "non-proxied"
+ dns_type = "non-proxied"
namespace = kubernetes_namespace.f1-stream.metadata[0].name
name = "f1"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "7e69786f66d5"
exclude_crowdsec = true
extra_annotations = {
"gethomepage.dev/enabled" = "true"
diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf
index 2f0f1330..d9966913 100644
--- a/stacks/frigate/main.tf
+++ b/stacks/frigate/main.tf
@@ -281,7 +281,6 @@ module "ingress" {
name = "frigate"
tls_secret_name = var.tls_secret_name
protected = true
- rybbit_site_id = "0d4044069ff5"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Frigate"
diff --git a/stacks/immich/frame.tf b/stacks/immich/frame.tf
index 3e7e22aa..5e3ea8ca 100644
--- a/stacks/immich/frame.tf
+++ b/stacks/immich/frame.tf
@@ -125,5 +125,4 @@ module "ingress" {
name = "highlights-immich"
tls_secret_name = var.tls_secret_name
service_name = "immich-frame"
- rybbit_site_id = "602167601c6b"
}
diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf
index 66c7ba7b..2cd804d2 100644
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@@ -674,13 +674,12 @@ resource "kubernetes_service" "immich-machine-learning" {
module "ingress-immich" {
source = "../../modules/kubernetes/ingress_factory"
- dns_type = "non-proxied"
+ dns_type = "non-proxied"
namespace = kubernetes_namespace.immich.metadata[0].name
name = "immich"
service_name = "immich-server"
port = 2283
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "35eedb7a3d2b"
skip_default_rate_limit = true
extra_middlewares = ["traefik-immich-rate-limit@kubernetescrd"]
anti_ai_scraping = false
diff --git a/stacks/mailserver/modules/mailserver/roundcubemail.tf b/stacks/mailserver/modules/mailserver/roundcubemail.tf
index c6d819e0..4ddf7892 100644
--- a/stacks/mailserver/modules/mailserver/roundcubemail.tf
+++ b/stacks/mailserver/modules/mailserver/roundcubemail.tf
@@ -263,7 +263,6 @@ module "ingress" {
name = "mail"
service_name = "roundcubemail"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "082f164faa7d"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Roundcube Mail"
diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf
index ef880824..dff0fff0 100644
--- a/stacks/navidrome/main.tf
+++ b/stacks/navidrome/main.tf
@@ -225,7 +225,6 @@ module "ingress" {
namespace = kubernetes_namespace.navidrome.metadata[0].name
name = "navidrome"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "8a3844ff75ba"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Navidrome"
diff --git a/stacks/networking-toolbox/main.tf b/stacks/networking-toolbox/main.tf
index ea59d4dc..a5c691c9 100644
--- a/stacks/networking-toolbox/main.tf
+++ b/stacks/networking-toolbox/main.tf
@@ -96,7 +96,6 @@ module "ingress" {
name = "networking-toolbox"
tls_secret_name = var.tls_secret_name
protected = true
- rybbit_site_id = "50e38577e41c"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Networking Toolbox"
diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf
index f19080ab..ad17e141 100644
--- a/stacks/nextcloud/main.tf
+++ b/stacks/nextcloud/main.tf
@@ -221,7 +221,6 @@ module "ingress" {
name = "nextcloud"
tls_secret_name = var.tls_secret_name
port = 8080
- rybbit_site_id = "5a3bfe59a3fe"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Nextcloud"
diff --git a/stacks/ollama/main.tf b/stacks/ollama/main.tf
index 4140a582..8c467ec9 100644
--- a/stacks/ollama/main.tf
+++ b/stacks/ollama/main.tf
@@ -369,7 +369,6 @@ module "ingress" {
service_name = "ollama-ui"
tls_secret_name = var.tls_secret_name
port = 80
- rybbit_site_id = "e73bebea399f"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Ollama"
diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf
index 4e36ff78..b64139c7 100644
--- a/stacks/paperless-ngx/main.tf
+++ b/stacks/paperless-ngx/main.tf
@@ -247,5 +247,4 @@ module "ingress" {
# gethomepage.dev/weight: 10 # optional
# gethomepage.dev/instance: "public" # optional
}
- rybbit_site_id = "be6d140cbed8"
}
diff --git a/stacks/privatebin/main.tf b/stacks/privatebin/main.tf
index fb30938a..5ed188e8 100644
--- a/stacks/privatebin/main.tf
+++ b/stacks/privatebin/main.tf
@@ -130,8 +130,7 @@ module "ingress" {
host = "pb"
dns_type = "proxied"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "3ae810b0476d"
- custom_content_security_policy = "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval' https://rybbit.viktorbarzin.me"
+ custom_content_security_policy = "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval'"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "PrivateBin"
diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf
index bbff4211..168a1b19 100644
--- a/stacks/real-estate-crawler/main.tf
+++ b/stacks/real-estate-crawler/main.tf
@@ -331,7 +331,6 @@ module "ingress" {
name = "wrongmove"
service_name = "realestate-crawler-ui"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "edee05de453d"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Wrongmove"
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
index 271d8b4b..6f432225 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
@@ -37,10 +37,6 @@ variable "max_body_size" {
variable "extra_annotations" {
default = {}
}
-variable "rybbit_site_id" {
- default = null
- type = string
-}
variable "custom_content_security_policy" {
default = null
type = string
@@ -143,8 +139,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"traefik-crowdsec@kubernetescrd",
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
- var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
- var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
], var.extra_middlewares)))
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
@@ -186,33 +180,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
}
}
-# Rybbit analytics middleware (rewrite-body plugin with content-type filtering) - created per service when rybbit_site_id is set
-resource "kubernetes_manifest" "rybbit_analytics" {
- count = var.rybbit_site_id != null ? 1 : 0
-
- manifest = {
- apiVersion = "traefik.io/v1alpha1"
- kind = "Middleware"
- metadata = {
- name = "rybbit-analytics-${var.name}"
- namespace = var.namespace
- }
- spec = {
- plugin = {
- traefik-plugin-rewritebody = {
- rewrites = [{
- regex = ""
- replacement = ""
- }]
- monitoring = {
- types = ["text/html"]
- }
- }
- }
- }
- }
-}
-
# Custom CSP headers middleware - created per service when custom_content_security_policy is set
resource "kubernetes_manifest" "custom_csp" {
count = var.custom_content_security_policy != null ? 1 : 0
diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
index 91726faa..51e387f3 100644
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@@ -26,7 +26,7 @@ module "tls_secret" {
# https://pfsense.viktorbarzin.me/
module "pfsense" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "pfsense"
external_name = "pfsense.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
@@ -47,14 +47,13 @@ module "pfsense" {
"gethomepage.dev/widget.fields" = "[\"load\", \"memory\", \"temp\", \"disk\"]"
"gethomepage.dev/widget.wan" = "vtnet0"
}
- depends_on = [kubernetes_namespace.reverse-proxy]
- rybbit_site_id = "b029580e5a7c"
+ depends_on = [kubernetes_namespace.reverse-proxy]
}
# https://nas.viktorbarzin.me/
module "nas" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "nas"
external_name = "nas.viktorbarzin.lan"
port = 5001
@@ -62,7 +61,6 @@ module "nas" {
backend_protocol = "HTTPS"
max_body_size = "0m"
depends_on = [kubernetes_namespace.reverse-proxy]
- rybbit_site_id = "1e11f8449f7d"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Synology NAS"
@@ -76,7 +74,7 @@ module "nas" {
# https://files.viktorbarzin.me/
module "nas-files" {
source = "./factory"
- dns_type = "non-proxied"
+ dns_type = "non-proxied"
name = "files"
external_name = "nas.viktorbarzin.lan"
port = 5001
@@ -92,7 +90,7 @@ module "nas-files" {
# https://idrac.viktorbarzin.me/
module "idrac" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "idrac"
external_name = "idrac.viktorbarzin.lan"
port = 443
@@ -114,7 +112,7 @@ module "idrac" {
# TODO: Not working yet
module "tp-link-gateway" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "gw"
external_name = "gw.viktorbarzin.lan"
port = 443
@@ -148,8 +146,7 @@ module "truenas" {
# "gethomepage.dev/widget.enablePools" : "true"
# "gethomepage.dev/pod-selector" : ""
}
- depends_on = [kubernetes_namespace.reverse-proxy]
- rybbit_site_id = "b66fbd3cb58a"
+ depends_on = [kubernetes_namespace.reverse-proxy]
}
# https://r730.viktorbarzin.me/
@@ -174,7 +171,7 @@ module "r730" {
# https://proxmox.viktorbarzin.me/
module "proxmox" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "proxmox"
external_name = "proxmox.viktorbarzin.lan"
port = 8006
@@ -182,7 +179,6 @@ module "proxmox" {
backend_protocol = "HTTPS"
max_body_size = "0" # unlimited
depends_on = [kubernetes_namespace.reverse-proxy]
- rybbit_site_id = "190a7ad3e1c7"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Proxmox"
@@ -217,14 +213,14 @@ module "docker-registry-ui" {
# https://registry.viktorbarzin.me/ (Docker CLI push/pull endpoint)
module "docker-registry-cli" {
source = "./factory"
- dns_type = "non-proxied"
+ dns_type = "non-proxied"
name = "registry"
external_name = "docker-registry.viktorbarzin.lan"
port = 5050
backend_protocol = "HTTPS"
tls_secret_name = var.tls_secret_name
- protected = false # Docker CLI uses htpasswd, NOT Authentik
- max_body_size = "0" # unlimited - Docker layers can be large
+ protected = false # Docker CLI uses htpasswd, NOT Authentik
+ max_body_size = "0" # unlimited - Docker layers can be large
depends_on = [kubernetes_namespace.reverse-proxy]
extra_annotations = {
# Skip rate-limit (Docker push/pull generates many rapid requests)
@@ -237,7 +233,7 @@ module "docker-registry-cli" {
# https://valchedrym.viktorbarzin.me/
module "valchedrym" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "valchedrym"
external_name = "valchedrym.viktorbarzin.lan"
tls_secret_name = var.tls_secret_name
@@ -303,14 +299,13 @@ resource "kubernetes_manifest" "ha_sofia_rate_limit" {
module "ha-sofia" {
source = "./factory"
- dns_type = "non-proxied"
+ dns_type = "non-proxied"
name = "ha-sofia"
external_name = "ha-sofia.viktorbarzin.lan"
port = 8123
tls_secret_name = var.tls_secret_name
depends_on = [kubernetes_namespace.reverse-proxy]
protected = false
- rybbit_site_id = "590fc392690a"
skip_global_rate_limit = true
extra_middlewares = [
"reverse-proxy-ha-sofia-rate-limit@kubernetescrd",
@@ -328,7 +323,7 @@ module "ha-sofia" {
# https://music-assistant.viktorbarzin.me/
module "music-assistant" {
source = "./factory"
- dns_type = "non-proxied"
+ dns_type = "non-proxied"
name = "music-assistant"
external_name = "ha-sofia.viktorbarzin.lan"
port = 8095
@@ -364,7 +359,7 @@ module "ha-london" {
# https://london.viktorbarzin.me/
module "london" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "london"
external_name = "openwrt-london.viktorbarzin.lan"
port = 443
@@ -388,7 +383,7 @@ module "london" {
}
module "pi-lights" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "pi"
external_name = "ha-london.viktorbarzin.lan"
port = 5000
@@ -416,7 +411,7 @@ module "pi-lights" {
module "mbp14" {
source = "./factory"
- dns_type = "proxied"
+ dns_type = "proxied"
name = "mbp14"
external_name = "mbp14.viktorbarzin.lan"
port = 4020
diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf
index 73380235..3cdefbb9 100644
--- a/stacks/rybbit/main.tf
+++ b/stacks/rybbit/main.tf
@@ -548,7 +548,6 @@ module "ingress" {
name = "rybbit"
service_name = "rybbit-client"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "3c476801a777"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Rybbit"
diff --git a/stacks/send/main.tf b/stacks/send/main.tf
index 84890ac0..6d4c2821 100644
--- a/stacks/send/main.tf
+++ b/stacks/send/main.tf
@@ -163,7 +163,6 @@ module "ingress" {
name = "send"
tls_secret_name = var.tls_secret_name
port = 1443
- rybbit_site_id = "c1b8f8aa831b"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Send"
diff --git a/stacks/stirling-pdf/main.tf b/stacks/stirling-pdf/main.tf
index 0f2f5c87..b8306f96 100644
--- a/stacks/stirling-pdf/main.tf
+++ b/stacks/stirling-pdf/main.tf
@@ -128,7 +128,6 @@ module "ingress" {
namespace = kubernetes_namespace.stirling-pdf.metadata[0].name
name = "stirling-pdf"
tls_secret_name = var.tls_secret_name
- rybbit_site_id = "a55ac54ec749"
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Stirling PDF"
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index febe3383..ceed9bdb 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -53,12 +53,9 @@ resource "helm_release" "traefik" {
"set -e; ",
"STORAGE=/plugins-storage; ",
"mkdir -p \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\"; ",
- "mkdir -p \"$STORAGE/archives/github.com/the-ccsn/traefik-plugin-rewritebody\"; ",
"wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.2.zip\" ",
"\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.4.2.zip\"; ",
- "wget -q -T 30 -O \"$STORAGE/archives/github.com/the-ccsn/traefik-plugin-rewritebody/v0.1.3.zip\" ",
- "\"https://github.com/the-ccsn/traefik-plugin-rewritebody/archive/refs/tags/v0.1.3.zip\"; ",
- "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\",\"github.com/the-ccsn/traefik-plugin-rewritebody\":\"v0.1.3\"}' ",
+ "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\"}' ",
"> \"$STORAGE/archives/state.json\"; ",
"echo \"Plugins pre-downloaded successfully\"",
])]
@@ -170,10 +167,6 @@ resource "helm_release" "traefik" {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
version = "v1.4.2"
}
- traefik-plugin-rewritebody = {
- moduleName = "github.com/the-ccsn/traefik-plugin-rewritebody"
- version = "v0.1.3"
- }
}
}
diff --git a/stacks/traefik/modules/traefik/middleware.tf b/stacks/traefik/modules/traefik/middleware.tf
index 4edbf264..9cfac0a3 100644
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@@ -253,33 +253,8 @@ resource "kubernetes_manifest" "middleware_immich_rate_limit" {
depends_on = [helm_release.traefik]
}
-# Strip Accept-Encoding header so backends send uncompressed responses.
-# Used alongside rewrite-body plugin (rybbit analytics) which fails to
-# decompress certain gzip responses (flate: corrupt input before offset 5).
-# Also used by anti-AI trap links rewrite-body middleware.
-resource "kubernetes_manifest" "middleware_strip_accept_encoding" {
- manifest = {
- apiVersion = "traefik.io/v1alpha1"
- kind = "Middleware"
- metadata = {
- name = "strip-accept-encoding"
- namespace = kubernetes_namespace.traefik.metadata[0].name
- }
- spec = {
- headers = {
- customRequestHeaders = {
- "Accept-Encoding" = ""
- }
- }
- }
- }
-
- depends_on = [helm_release.traefik]
-}
-
-# Re-compress responses to clients after rewrite-body plugin has modified them.
-# Applied at websecure entrypoint level (outermost), so the response path is:
-# backend → rewrite-body modifies uncompressed HTML → compress gzips → client.
+# Compress responses to clients at the entrypoint level (outermost).
+# Applied at websecure entrypoint so all responses get compressed.
# Uses includedContentTypes (whitelist) instead of excludedContentTypes:
# - Only compresses text-based types that benefit from compression
# - Binary types (images, video, zip) are never compressed (no wasted CPU)
@@ -368,36 +343,6 @@ resource "kubernetes_manifest" "middleware_anti_ai_headers" {
depends_on = [helm_release.traefik]
}
-# Inject hidden trap links before to catch AI scrapers
-# Links are CSS-hidden and aria-hidden so humans never see them
-resource "kubernetes_manifest" "middleware_anti_ai_trap_links" {
- manifest = {
- apiVersion = "traefik.io/v1alpha1"
- kind = "Middleware"
- metadata = {
- name = "anti-ai-trap-links"
- namespace = kubernetes_namespace.traefik.metadata[0].name
- }
- spec = {
- plugin = {
- traefik-plugin-rewritebody = {
- lastModified = true
- rewrites = [{
- regex = ""
- replacement = "