ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks

Phase 3+4 of default-deny ingress plan. Replaces the `protected = bool` (default false → unprotected) variable in `modules/kubernetes/ingress_factory` with `auth = string` enum (default "required" → fail-closed). Touches every ingress_factory caller so the audit decision is recorded explicitly in code. ingress_factory (Phase 3): - `auth = "required"`: standard Authentik forward-auth (the legacy `protected = true` semantic). - `auth = "public"`: forward-auth via the new `authentik-forward-auth-public` middleware → dedicated public outpost → guest auto-bind. Logged-in users keep their real identity. - `auth = "none"`: no Authentik middleware. For Anubis-fronted content, native client APIs (Git, /v2/, WebDAV), webhook receivers, the Authentik outpost itself. - `effective_anti_ai` default flips ON only when `auth = "none"` (auth-gated ingresses don't need anti-AI noise; the auth flow already discourages bots). Audit pass (Phase 4) across 96 ingress_factory call sites: - 49 explicit `protected = true` → `auth = "required"` - 8 explicit `protected = false` → `auth = "none"` (5) or `auth = "public"` (3) - 64 previously-default (no protected line) → `auth = "required"` ADDED, then reviewed individually: * 9 Anubis-fronted (blog, www, kms, travel, f1, cyberchef, jsoncrack, homepage, wrongmove UI, privatebin) → `auth = "none"` * 22 native-client / programmatic surfaces (Forgejo Git+/v2/, webhook handler, claude-memory MCP, Nextcloud WebDAV, Matrix, Vault CLI/OIDC, xray VPN, ntfy, woodpecker webhooks, n8n triggers, ntfy push, dawarich location ingestion, immich frame kiosk, headscale CP, send anonymous drops, rybbit beacon, vaultwarden API, Authentik UI itself + outposts) → `auth = "none"` * Remaining ~33 → `auth = "required"` confirmed (admin tools, internal UIs, services without app-level auth) - Smoke-test promotions to `auth = "public"`: fire-planner public UI, k8s-portal API, insta2spotify callback. Three call sites in wrapper modules (`stacks/freedify/factory/`, `stacks/reverse-proxy/modules/reverse_proxy/`) keep their internal `protected` bool — they translate to `auth` internally, out of scope for this rename. Behavior change: previously-default ingresses now fail closed (require Authentik login) unless explicitly flipped to `auth = "none"` or `auth = "public"`. This is the audit goal — no more accidentally-unprotected surfaces. Sites that were intentionally public (Anubis content, native APIs, webhooks) are now explicitly recorded as `auth = "none"`. Drive-by: `modules/create-vm/main.tf` picked up cosmetic alignment via `terraform fmt -recursive` during the audit. Behavior-neutral. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 18:53:49 +00:00 · 2026-05-10 18:53:49 +00:00 · e4f806abe3
commit e4f806abe3
parent 317d6aa99f
100 changed files with 351 additions and 165 deletions
--- a/stacks/freedify/factory/main.tf
+++ b/stacks/freedify/factory/main.tf
@ -225,7 +225,7 @@ module "ingress" {
  name              = "music-${var.name}"
  tls_secret_name   = var.tls_secret_name
  dns_type          = "non-proxied"
-  protected         = var.protected
+  auth              = var.protected ? "required" : "none"
  extra_annotations = var.extra_annotations
 }

@ -235,9 +235,9 @@ resource "kubernetes_ingress_v1" "stream-noauth" {
    name      = "music-${var.name}-stream"
    namespace = "freedify"
    annotations = {
-      "traefik.ingress.kubernetes.io/router.middlewares"  = "traefik-retry@kubernetescrd,traefik-rate-limit@kubernetescrd"
-      "traefik.ingress.kubernetes.io/router.entrypoints"  = "websecure"
-      "traefik.ingress.kubernetes.io/router.priority"     = "100"
+      "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-retry@kubernetescrd,traefik-rate-limit@kubernetescrd"
+      "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
+      "traefik.ingress.kubernetes.io/router.priority"    = "100"
    }
  }
  spec {
--- a/stacks/freedify/main.tf
+++ b/stacks/freedify/main.tf
@ -98,14 +98,14 @@ module "viktor" {

 # https://music-emo.viktorbarzin.me/
 module "emo" {
-  source          = "./factory"
-  name            = "emo"
-  tag             = "latest"
-  tls_secret_name = var.tls_secret_name
-  depends_on      = [kubernetes_namespace.freedify]
-  tier            = local.tiers.aux
-  protected       = true
-  genius_token    = lookup(local.credentials["emo"], "genius_token", null)
+  source             = "./factory"
+  name               = "emo"
+  tag                = "latest"
+  tls_secret_name    = var.tls_secret_name
+  depends_on         = [kubernetes_namespace.freedify]
+  tier               = local.tiers.aux
+  protected          = true
+  genius_token       = lookup(local.credentials["emo"], "genius_token", null)
  gemini_api_key     = lookup(local.credentials["emo"], "gemini_api_key", null)
  navidrome_scan_url = data.kubernetes_secret.eso_secrets.data["navidrome_scan_url"]
  ha_sofia_url       = lookup(data.kubernetes_secret.eso_secrets.data, "ha_sofia_url", "")