From b1b9de90e4d8b90d02c6e959fc7ef71ee6aed894 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 12 Jun 2026 19:18:40 +0000 Subject: [PATCH] tripit: tripit-api ingress joins the dedicated 100/1000 rate-limit MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Follow-up to eef4dc7f: the Android Shell's dedicated bearer-auth host (tripit-api, ADR-0017) serves the same thumbnail-proxy traffic and was still on the default 10/50 limiter — the shell's photo grid would have hit the identical 429 wall Viktor just reported on the PWA host. Co-Authored-By: Claude Fable 5 --- stacks/tripit/main.tf | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf index 857a7657..b91f3940 100644 --- a/stacks/tripit/main.tf +++ b/stacks/tripit/main.tf @@ -838,13 +838,20 @@ module "ingress_api" { # tripit slice 2; 401 for everything else). strip-auth-headers deletes # inbound X-authentik-* so the hybrid fallback header can never be spoofed # through this host. - auth = "none" - anti_ai_scraping = false - dns_type = "proxied" - namespace = kubernetes_namespace.tripit.metadata[0].name - name = "tripit-api" - service_name = "tripit" - port = 8080 - tls_secret_name = var.tls_secret_name - extra_middlewares = ["traefik-strip-auth-headers@kubernetescrd"] + auth = "none" + anti_ai_scraping = false + dns_type = "proxied" + namespace = kubernetes_namespace.tripit.metadata[0].name + name = "tripit-api" + service_name = "tripit" + port = 8080 + tls_secret_name = var.tls_secret_name + # Same photo-grid burst profile as the main tripit host (the Android Shell's + # gallery fetches thumbnails through this host) — share the dedicated + # 100/1000 tripit-rate-limit instead of the default 10/50. + skip_default_rate_limit = true + extra_middlewares = [ + "traefik-strip-auth-headers@kubernetescrd", + "traefik-tripit-rate-limit@kubernetescrd", + ] }