From dc7c19d88e0feb9d7c0e9173dea2e167c10549e8 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 10 May 2026 22:02:21 +0000
Subject: [PATCH] frigate: lan ingress auth=none for HA Sofia integration

The frigate-lan.viktorbarzin.lan ingress had Authentik forward-auth in front. HA Sofia's frigate integration polls /api/config and only knows how to use Frigate's own API key (not browser SSO), so every poll got a 302 to authentik.viktorbarzin.me and the integration entered the errors-state. Same pattern as idrac-redfish-exporter (5c594291). allow_local_access_only IP allowlist + Frigate's API key are enough.

Co-Authored-By: Claude Opus 4.7
---
 stacks/frigate/main.tf | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf
index 520b0c2a..cb405de9 100644
--- a/stacks/frigate/main.tf
+++ b/stacks/frigate/main.tf
@@ -309,8 +309,13 @@ module "ingress" {
 }
 
 module "ingress-internal" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # Auth disabled: HA Sofia's frigate integration uses an API key
+ # (set inside HA), not browser SSO. With auth=required, the integration
+ # gets a 302 to authentik.viktorbarzin.me on every poll and reports
+ # the integration as broken. local-only IP allowlist + Frigate's own
+ # API-key auth are sufficient.
+ auth = "none"
 namespace = kubernetes_namespace.frigate.metadata[0].name
 name = "frigate-lan"
 host = "frigate-lan"
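Review bot: With `auth = "none"` the whole `frigate-lan` host loses forward-auth, UI and camera streams included, not just the `/api/config` path the integration polls, and neither control the new comment relies on is visible in this hunk. The `module "ingress-internal"` block continues past the last context line, so confirm it really sets the local-only allowlist and that the backend service port is one where Frigate enforces its own authentication (Frigate 0.14+ also serves an unauthenticated internal port, 5000). Presumably both hold, but if either does not, any LAN client reaches the cameras without a credential. It is also worth checking that the ingress controller sees the real client IP rather than a SNATed node address, since the allowlist is only as strong as that. I would record the dependency in the comment itself, e.g. `# NOTE: safe only while allow_local_access_only stays enabled and the backend is Frigate's authenticated port.`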