x402: deploy payment gateway in front of Anubis on all 9 public sites

Adds modules/kubernetes/x402_instance/ — a small Go reverse proxy (forgejo.viktorbarzin.me/viktor/x402-gateway:ce333419) that selectively issues HTTP 402 Payment Required to declared AI-bot User-Agents and validates X-PAYMENT headers against a Coinbase x402 facilitator. Browsers are forwarded transparently to Anubis (which then handles the JS PoW gate as before). Wired into all nine Anubis-fronted sites: ingress -> x402-X -> anubis-X -> backend While `wallet_address` is empty the gateway runs in DRY_RUN — every request is transparent-proxied, no 402s issued. This lets the pod sit in the request path with zero behavioural impact today; flipping the wallet variable in the per-stack module call activates payment-required mode for AI-bot UAs. Default config: Base mainnet USDC, $0.01/req, x402.org/facilitator, catch-all UA list (ClaudeBot|GPTBot|Bytespider|meta-externalagent| PerplexityBot|GoogleOther|cohere-ai|Diffbot|Amazonbot| Applebot-Extended|FacebookBot|ImagesiftBot|YouBot|anthropic-ai| Claude-Web|petalbot|spawning-ai|scrapy|python-requests). Verified post-apply: 9/9 pods Running, all 9 sites still serve the Anubis challenge to plain curl with identical TTFB, x402 logs confirm "dry_run":true on every instance.
2026-05-10 02:25:57 +00:00 · 2026-05-10 02:25:57 +00:00 · ce4a75d79a
commit ce4a75d79a
parent a1b659de2a
10 changed files with 381 additions and 20 deletions
--- a/stacks/privatebin/main.tf
+++ b/stacks/privatebin/main.tf
@ -138,14 +138,21 @@ module "anubis" {
  target_url = "http://${kubernetes_service.privatebin.metadata[0].name}.${kubernetes_namespace.privatebin.metadata[0].name}.svc.cluster.local"
 }

+module "x402" {
+  source     = "../../modules/kubernetes/x402_instance"
+  name       = "privatebin"
+  namespace  = kubernetes_namespace.privatebin.metadata[0].name
+  target_url = "http://${module.anubis.service_name}.${kubernetes_namespace.privatebin.metadata[0].name}.svc.cluster.local:${module.anubis.service_port}"
+}
+
 module "ingress" {
  source                         = "../../modules/kubernetes/ingress_factory"
  namespace                      = kubernetes_namespace.privatebin.metadata[0].name
  name                           = "privatebin"
  host                           = "pb"
  dns_type                       = "proxied"
-  service_name                   = module.anubis.service_name
-  port                           = module.anubis.service_port
+  service_name                   = module.x402.service_name
+  port                           = module.x402.service_port
  anti_ai_scraping               = false
  tls_secret_name                = var.tls_secret_name
  custom_content_security_policy = "script-src 'self' 'unsafe-inline' 'unsafe-eval' 'wasm-unsafe-eval'"