[traefik] Remove broken rewrite-body plugin and all rybbit/anti-AI injection

The rewrite-body Traefik plugin (both packruler/rewrite-body v1.2.0 and
the-ccsn/traefik-plugin-rewritebody v0.1.3) silently fails on Traefik
v3.6.12 due to Yaegi interpreter issues with ResponseWriter wrapping.
Both plugins load without errors but never inject content.

Removed:
- rewrite-body plugin download (init container) and registration
- strip-accept-encoding middleware (only existed for rewrite-body bug)
- anti-ai-trap-links middleware (used rewrite-body for injection)
- rybbit_site_id variable from ingress_factory and reverse_proxy factory
- rybbit_site_id from 25 service stacks (39 instances)
- Per-service rybbit-analytics middleware CRD resources

Kept:
- compress middleware (entrypoint-level, working correctly)
- ai-bot-block middleware (ForwardAuth to bot-block-proxy)
- anti-ai-headers middleware (X-Robots-Tag: noai, noimageai)
- All CrowdSec, Authentik, rate-limit middleware unchanged

Next: Cloudflare Workers with HTMLRewriter for edge-side injection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

stacks/traefik/modules/traefik/main.tf

@@ -53,12 +53,9 @@ resource "helm_release" "traefik" {
           "set -e; ",
           "STORAGE=/plugins-storage; ",
           "mkdir -p \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\"; ",
-          "mkdir -p \"$STORAGE/archives/github.com/the-ccsn/traefik-plugin-rewritebody\"; ",
           "wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.2.zip\" ",
           "\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.4.2.zip\"; ",
-          "wget -q -T 30 -O \"$STORAGE/archives/github.com/the-ccsn/traefik-plugin-rewritebody/v0.1.3.zip\" ",
-          "\"https://github.com/the-ccsn/traefik-plugin-rewritebody/archive/refs/tags/v0.1.3.zip\"; ",
-          "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\",\"github.com/the-ccsn/traefik-plugin-rewritebody\":\"v0.1.3\"}' ",
+          "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\"}' ",
           "> \"$STORAGE/archives/state.json\"; ",
           "echo \"Plugins pre-downloaded successfully\"",
         ])]
@@ -170,10 +167,6 @@ resource "helm_release" "traefik" {
           moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
           version    = "v1.4.2"
         }
-        traefik-plugin-rewritebody = {
-          moduleName = "github.com/the-ccsn/traefik-plugin-rewritebody"
-          version    = "v0.1.3"
-        }
       }
     }
 

stacks/traefik/modules/traefik/middleware.tf

@@ -253,33 +253,8 @@ resource "kubernetes_manifest" "middleware_immich_rate_limit" {
   depends_on = [helm_release.traefik]
 }
 
-# Strip Accept-Encoding header so backends send uncompressed responses.
-# Used alongside rewrite-body plugin (rybbit analytics) which fails to
-# decompress certain gzip responses (flate: corrupt input before offset 5).
-# Also used by anti-AI trap links rewrite-body middleware.
-resource "kubernetes_manifest" "middleware_strip_accept_encoding" {
-  manifest = {
-    apiVersion = "traefik.io/v1alpha1"
-    kind       = "Middleware"
-    metadata = {
-      name      = "strip-accept-encoding"
-      namespace = kubernetes_namespace.traefik.metadata[0].name
-    }
-    spec = {
-      headers = {
-        customRequestHeaders = {
-          "Accept-Encoding" = ""
-        }
-      }
-    }
-  }
-
-  depends_on = [helm_release.traefik]
-}
-
-# Re-compress responses to clients after rewrite-body plugin has modified them.
-# Applied at websecure entrypoint level (outermost), so the response path is:
-# backend → rewrite-body modifies uncompressed HTML → compress gzips → client.
+# Compress responses to clients at the entrypoint level (outermost).
+# Applied at websecure entrypoint so all responses get compressed.
 # Uses includedContentTypes (whitelist) instead of excludedContentTypes:
 # - Only compresses text-based types that benefit from compression
 # - Binary types (images, video, zip) are never compressed (no wasted CPU)
@@ -368,36 +343,6 @@ resource "kubernetes_manifest" "middleware_anti_ai_headers" {
   depends_on = [helm_release.traefik]
 }
 
-# Inject hidden trap links before </body> to catch AI scrapers
-# Links are CSS-hidden and aria-hidden so humans never see them
-resource "kubernetes_manifest" "middleware_anti_ai_trap_links" {
-  manifest = {
-    apiVersion = "traefik.io/v1alpha1"
-    kind       = "Middleware"
-    metadata = {
-      name      = "anti-ai-trap-links"
-      namespace = kubernetes_namespace.traefik.metadata[0].name
-    }
-    spec = {
-      plugin = {
-        traefik-plugin-rewritebody = {
-          lastModified = true
-          rewrites = [{
-            regex       = "</body>"
-            replacement = "<div style=\"position:absolute;left:-9999px;height:0;overflow:hidden\" aria-hidden=\"true\"><a href=\"https://poison.viktorbarzin.me/article/training-data-2024-research-corpus\">Research Archive</a><a href=\"https://poison.viktorbarzin.me/article/dataset-export-machine-learning-v3\">Dataset Export</a><a href=\"https://poison.viktorbarzin.me/article/nlp-benchmark-evaluation-results\">Benchmark Results</a><a href=\"https://poison.viktorbarzin.me/article/web-crawl-index-2024-archive\">Web Index</a><a href=\"https://poison.viktorbarzin.me/article/text-corpus-english-dump\">Text Corpus</a></div></body>"
-          }]
-          monitoring = {
-            types   = ["text/html"]
-            methods = ["GET"]
-          }
-        }
-      }
-    }
-  }
-
-  depends_on = [helm_release.traefik]
-}
-
 # Retry middleware for transient backend failures (502/503 during restarts)
 resource "kubernetes_manifest" "middleware_retry" {
   manifest = {