From d41211ddd56c59c6c8e4a8b6bc1e0ba0e38fb4be Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Sun, 29 Mar 2026 00:43:34 +0200
Subject: [PATCH] add API key + unprotected API ingress for book-search iOS
 Shortcut

- API_KEY env var from calibre-secrets for /api/download-url auth
- SHORTCUT_ICLOUD_URL env var for /shortcut redirect
- Separate ingress for /api/download-url and /shortcut (bypasses Authentik)
---
 stacks/ebooks/main.tf | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/stacks/ebooks/main.tf b/stacks/ebooks/main.tf
index 1b174e4e..af880014 100644
--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
@@ -727,6 +727,19 @@ resource "kubernetes_deployment" "book_search" {
               }
             }
           }
+          env {
+            name = "API_KEY"
+            value_from {
+              secret_key_ref {
+                name = "calibre-secrets"
+                key  = "book_search_api_key"
+              }
+            }
+          }
+          env {
+            name  = "SHORTCUT_ICLOUD_URL"
+            value = ""
+          }
           resources {
             requests = {
               cpu    = "10m"
@@ -809,3 +822,15 @@ module "book_search_ingress" {
     "gethomepage.dev/pod-selector" = ""
   }
 }
+
+# API ingress - unprotected (API key auth handled by backend)
+module "book_search_api_ingress" {
+  source          = "../../modules/kubernetes/ingress_factory"
+  namespace       = kubernetes_namespace.ebooks.metadata[0].name
+  name            = "book-search-api"
+  host            = "book-search"
+  service_name    = "book-search"
+  tls_secret_name = var.tls_secret_name
+  protected       = false
+  ingress_path    = ["/api/download-url", "/shortcut"]
+}