anubis: per-site PoW reverse proxy on blog + kms + travel-blog

Adds modules/kubernetes/anubis_instance/ — a per-site reverse proxy instance pinned to ghcr.io/techarohq/anubis:v1.25.0. Each instance issues a 30-day JWT cookie scoped to viktorbarzin.me after a tiny proof-of-work (difficulty 2 ≈ 250 ms desktop / 700 ms mobile). The shared ed25519 signing key (Vault: secret/viktor → anubis_ed25519_key) makes a single solve good across every Anubis-fronted subdomain. Wired into blog (viktorbarzin.me + www), kms.viktorbarzin.me, and travel.viktorbarzin.me — each with anti_ai_scraping=false on the ingress so the redundant ai-bot-block forwardAuth is dropped from the chain. Skipped forgejo (Git/API clients can't solve PoW) and resume (replicas=0). Also tightens bot-block-proxy nginx timeouts (3s/5s → 100ms/200ms) so any ingress still using the ai-bot-block forwardAuth pays at most ~150 ms when poison-fountain is scaled down, instead of 3 s. End-to-end TTFB on viktorbarzin.me dropped from ~3.2 s to ~150-200 ms. Docs: .claude/reference/patterns.md "Anti-AI Scraping" updated to 4 layers; .claude/CLAUDE.md adds the Anubis usage paragraph and Forgejo/API caveat.
2026-05-10 00:04:37 +00:00 · 2026-05-10 00:04:37 +00:00 · f48da84770
commit f48da84770
parent 27675cb8f1
7 changed files with 418 additions and 30 deletions
--- a/stacks/blog/main.tf
+++ b/stacks/blog/main.tf
@ -112,14 +112,26 @@ resource "kubernetes_service" "blog" {
  }
 }

+# Anubis reverse proxy in front of the blog. First-time visitors solve a
+# tiny PoW (~250ms desktop), get a 30-day cookie, and pass through. Replaces
+# the global ai-bot-block forwardAuth for this site.
+module "anubis" {
+  source     = "../../modules/kubernetes/anubis_instance"
+  name       = "blog"
+  namespace  = kubernetes_namespace.website.metadata[0].name
+  target_url = "http://${kubernetes_service.blog.metadata[0].name}.${kubernetes_namespace.website.metadata[0].name}.svc.cluster.local"
+}
+
 module "ingress" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  namespace       = kubernetes_namespace.website.metadata[0].name
-  name            = "blog"
-  service_name    = "blog"
-  full_host       = "viktorbarzin.me"
-  dns_type        = "proxied"
-  tls_secret_name = var.tls_secret_name
+  source           = "../../modules/kubernetes/ingress_factory"
+  namespace        = kubernetes_namespace.website.metadata[0].name
+  name             = "blog"
+  service_name     = module.anubis.service_name
+  port             = module.anubis.service_port
+  full_host        = "viktorbarzin.me"
+  dns_type         = "proxied"
+  tls_secret_name  = var.tls_secret_name
+  anti_ai_scraping = false # Anubis is the gatekeeper now — drop the redundant ai-bot-block forwardAuth.
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Blog"
@ -131,10 +143,12 @@ module "ingress" {
 }

 module "ingress-www" {
-  source          = "../../modules/kubernetes/ingress_factory"
-  namespace       = kubernetes_namespace.website.metadata[0].name
-  name            = "blog-www"
-  service_name    = "blog"
-  full_host       = "www.viktorbarzin.me"
-  tls_secret_name = var.tls_secret_name
+  source           = "../../modules/kubernetes/ingress_factory"
+  namespace        = kubernetes_namespace.website.metadata[0].name
+  name             = "blog-www"
+  service_name     = module.anubis.service_name
+  port             = module.anubis.service_port
+  full_host        = "www.viktorbarzin.me"
+  tls_secret_name  = var.tls_secret_name
+  anti_ai_scraping = false
 }