anubis: per-site PoW reverse proxy on blog + kms + travel-blog

Adds modules/kubernetes/anubis_instance/ — a per-site reverse proxy instance pinned to ghcr.io/techarohq/anubis:v1.25.0. Each instance issues a 30-day JWT cookie scoped to viktorbarzin.me after a tiny proof-of-work (difficulty 2 ≈ 250 ms desktop / 700 ms mobile). The shared ed25519 signing key (Vault: secret/viktor → anubis_ed25519_key) makes a single solve good across every Anubis-fronted subdomain. Wired into blog (viktorbarzin.me + www), kms.viktorbarzin.me, and travel.viktorbarzin.me — each with anti_ai_scraping=false on the ingress so the redundant ai-bot-block forwardAuth is dropped from the chain. Skipped forgejo (Git/API clients can't solve PoW) and resume (replicas=0). Also tightens bot-block-proxy nginx timeouts (3s/5s → 100ms/200ms) so any ingress still using the ai-bot-block forwardAuth pays at most ~150 ms when poison-fountain is scaled down, instead of 3 s. End-to-end TTFB on viktorbarzin.me dropped from ~3.2 s to ~150-200 ms. Docs: .claude/reference/patterns.md "Anti-AI Scraping" updated to 4 layers; .claude/CLAUDE.md adds the Anubis usage paragraph and Forgejo/API caveat.
2026-05-10 00:04:37 +00:00 · 2026-05-10 00:04:37 +00:00 · f48da84770
commit f48da84770
parent 27675cb8f1
7 changed files with 418 additions and 30 deletions
--- a/stacks/blog/main.tf
+++ b/stacks/blog/main.tf
@ -112,14 +112,26 @@ resource "kubernetes_service" "blog" {
  }
 }

+# Anubis reverse proxy in front of the blog. First-time visitors solve a
+# tiny PoW (~250ms desktop), get a 30-day cookie, and pass through. Replaces
+# the global ai-bot-block forwardAuth for this site.
+module "anubis" {
+  source     = "../../modules/kubernetes/anubis_instance"
+  name       = "blog"
+  namespace  = kubernetes_namespace.website.metadata[0].name
+  target_url = "http://${kubernetes_service.blog.metadata[0].name}.${kubernetes_namespace.website.metadata[0].name}.svc.cluster.local"
+}
+
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  namespace       = kubernetes_namespace.website.metadata[0].name
-  name            = "blog"
-  service_name    = "blog"
-  full_host       = "viktorbarzin.me"
-  dns_type        = "proxied"
-  tls_secret_name = var.tls_secret_name
+  source           = "../../modules/kubernetes/ingress_factory"
+  namespace        = kubernetes_namespace.website.metadata[0].name
+  name             = "blog"
+  service_name     = module.anubis.service_name
+  port             = module.anubis.service_port
+  full_host        = "viktorbarzin.me"
+  dns_type         = "proxied"
+  tls_secret_name  = var.tls_secret_name
+  anti_ai_scraping = false # Anubis is the gatekeeper now — drop the redundant ai-bot-block forwardAuth.
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Blog"
@ -131,10 +143,12 @@ module "ingress" {
 }

 module "ingress-www" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  namespace       = kubernetes_namespace.website.metadata[0].name
-  name            = "blog-www"
-  service_name    = "blog"
-  full_host       = "www.viktorbarzin.me"
-  tls_secret_name = var.tls_secret_name
+  source           = "../../modules/kubernetes/ingress_factory"
+  namespace        = kubernetes_namespace.website.metadata[0].name
+  name             = "blog-www"
+  service_name     = module.anubis.service_name
+  port             = module.anubis.service_port
+  full_host        = "www.viktorbarzin.me"
+  tls_secret_name  = var.tls_secret_name
+  anti_ai_scraping = false
 }
--- a/stacks/kms/main.tf
+++ b/stacks/kms/main.tf
@ -103,12 +103,22 @@ resource "kubernetes_service" "kms-web-page" {
  }
 }

+module "anubis" {
+  source     = "../../modules/kubernetes/anubis_instance"
+  name       = "kms"
+  namespace  = kubernetes_namespace.kms.metadata[0].name
+  target_url = "http://${kubernetes_service.kms-web-page.metadata[0].name}.${kubernetes_namespace.kms.metadata[0].name}.svc.cluster.local"
+}
+
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  dns_type        = "non-proxied"
-  namespace       = kubernetes_namespace.kms.metadata[0].name
-  name            = "kms"
-  tls_secret_name = var.tls_secret_name
+  source           = "../../modules/kubernetes/ingress_factory"
+  dns_type         = "non-proxied"
+  namespace        = kubernetes_namespace.kms.metadata[0].name
+  name             = "kms"
+  service_name     = module.anubis.service_name
+  port             = module.anubis.service_port
+  tls_secret_name  = var.tls_secret_name
+  anti_ai_scraping = false
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "KMS"
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@ -314,9 +314,13 @@ resource "kubernetes_config_map" "bot_block_proxy_config" {
                  ngx.req.clear_header("If-Unmodified-Since")
              }
              proxy_pass http://poison_fountain;
-              proxy_connect_timeout 3s;
-              proxy_read_timeout 5s;
-              proxy_send_timeout 5s;
+              # Tight timeouts: poison-fountain may be scaled to 0 (graveyard
+              # endpoints) — failing open in <200ms keeps the 68-ingress chain
+              # responsive instead of paying 3s per request. Healthy upstream
+              # responds in <50ms anyway.
+              proxy_connect_timeout 100ms;
+              proxy_read_timeout 200ms;
+              proxy_send_timeout 200ms;
              proxy_intercept_errors on;
              error_page 502 503 504 =200 /fallback-allow;
              proxy_set_header Host $host;
--- a/stacks/travel_blog/main.tf
+++ b/stacks/travel_blog/main.tf
@ -102,12 +102,21 @@ resource "kubernetes_service" "travel-blog" {
  }
 }

+module "anubis" {
+  source     = "../../modules/kubernetes/anubis_instance"
+  name       = "travel"
+  namespace  = kubernetes_namespace.travel-blog.metadata[0].name
+  target_url = "http://${kubernetes_service.travel-blog.metadata[0].name}.${kubernetes_namespace.travel-blog.metadata[0].name}.svc.cluster.local"
+}
+
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  namespace       = kubernetes_namespace.travel-blog.metadata[0].name
-  name            = "travel"
-  tls_secret_name = var.tls_secret_name
-  service_name    = "travel-blog"
+  source           = "../../modules/kubernetes/ingress_factory"
+  namespace        = kubernetes_namespace.travel-blog.metadata[0].name
+  name             = "travel"
+  tls_secret_name  = var.tls_secret_name
+  service_name     = module.anubis.service_name
+  port             = module.anubis.service_port
+  anti_ai_scraping = false
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Travel Blog"