diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf index 0f239fb4..fc9bc9f5 100644 --- a/modules/kubernetes/ingress_factory/main.tf +++ b/modules/kubernetes/ingress_factory/main.tf @@ -107,10 +107,6 @@ variable "custom_content_security_policy" { type = string default = null } -variable "exclude_crowdsec" { - type = bool - default = false -} variable "full_host" { type = string default = null @@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { "traefik-error-pages@kubernetescrd", var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd", var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null, - var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd", local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null, local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null, local.auth_middleware, diff --git a/stacks/authentik/guest.tf b/stacks/authentik/guest.tf index 63724ab4..66fb406c 100644 --- a/stacks/authentik/guest.tf +++ b/stacks/authentik/guest.tf @@ -211,7 +211,6 @@ module "ingress_public_outpost" { tls_secret_name = var.tls_secret_name dns_type = "proxied" anti_ai_scraping = false - exclude_crowdsec = true homepage_enabled = false depends_on = [authentik_outpost.public] } diff --git a/stacks/authentik/modules/authentik/main.tf b/stacks/authentik/modules/authentik/main.tf index 38584114..3ae6d7c6 100644 --- a/stacks/authentik/modules/authentik/main.tf +++ b/stacks/authentik/modules/authentik/main.tf 
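Review bot: In the `@@ -310` hunk `traefik-crowdsec@kubernetescrd` is dropped from the factory's middleware list with no comment recording that the in-cluster bouncer has been retired, so a later reader of this chain (rate-limit, CSP, anti-AI, auth) cannot tell whether CrowdSec enforcement was moved or simply lost. A one-line note above the list would keep the decision discoverable, e.g. `# No in-cluster CrowdSec bouncer here by design; CrowdSec decisions are enforced at the edge (see stacks/rybbit/crowdsec_edge.tf) — confirm that carve-out before re-adding a bouncer to this chain.`, where the edge reference comes from the rationale comment this same commit deletes in stacks/authentik/modules/authentik/main.tf and should be confirmed against that file. Deleting `variable "exclude_crowdsec"` in the `@@ -107` hunk also turns any caller that still passes `exclude_crowdsec = true` into a hard unsupported-argument error at plan time; the commit updates eight call sites, but the diff cannot show whether every consumer of this module was found, so a `terraform validate` across all stacks is worth running before merge. The reverse-proxy factory hunk (`@@ -211` in stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf) makes the same unconditional removal and would benefit from the same comment. The `kubernetes_ingress_v1.proxied-ingress` resource starts and ends outside the hunk.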
@@ -82,13 +82,6 @@ module "ingress" { service_name = "goauthentik-server" tls_secret_name = var.tls_secret_name anti_ai_scraping = false - # Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha - # interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints — that - # walls users out of the very gate they authenticate through (a CrowdSec hit - # would break the passkey ceremony / session refresh mid-flow). Auth keeps - # Traefik rate-limiting; the Cloudflare edge WAF also carves out this host - # (stacks/rybbit/crowdsec_edge.tf). 2026-06-20. - exclude_crowdsec = true extra_annotations = { "gethomepage.dev/enabled" = "true" "gethomepage.dev/name" = "Authentik" @@ -116,7 +109,6 @@ module "ingress-outpost" { ingress_path = ["/outpost.goauthentik.io"] tls_secret_name = var.tls_secret_name anti_ai_scraping = false - exclude_crowdsec = true } # Immutable caching for the flow-executor static assets. Authentik serves diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf index 7ef9d6a0..0b9a84f2 100644 --- a/stacks/beads-server/main.tf +++ b/stacks/beads-server/main.tf @@ -527,8 +527,7 @@ module "ingress" { name = "dolt-workbench" tls_secret_name = var.tls_secret_name # auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress. - auth = "none" - exclude_crowdsec = true + auth = "none" extra_annotations = { "gethomepage.dev/enabled" = "true" "gethomepage.dev/name" = "Dolt Workbench" 
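Review bot: The `@@ -82` hunk deletes the only recorded rationale for why Authentik's login and WebAuthn XHR endpoints must never sit behind a challenge or block interstitial, together with the `exclude_crowdsec = true` it justified; that constraint outlives the variable, because any bouncer, captcha or PoW middleware added to this chain later would break the passkey ceremony and session refresh in exactly the way the removed comment described. Keep a condensed version next to `anti_ai_scraping = false`, e.g. `# Do not add a challenge/bouncer middleware to this host: an interstitial or 403 on the login + WebAuthn XHR endpoints breaks the passkey ceremony mid-flow; any CrowdSec enforcement belongs at the edge (stacks/rybbit/crowdsec_edge.tf).` The same applies to the `ingress-outpost` module in the `@@ -116` hunk, which fronts the same flows and now carries no note at all. The `module "ingress"` block continues past the end of the hunk.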
@@ -792,13 +791,12 @@ resource "kubernetes_service" "beadboard" { } module "beadboard_ingress" { - source = "../../modules/kubernetes/ingress_factory" - dns_type = "proxied" - namespace = kubernetes_namespace.beads.metadata[0].name - name = "beadboard" - tls_secret_name = var.tls_secret_name - auth = "required" - exclude_crowdsec = true + source = "../../modules/kubernetes/ingress_factory" + dns_type = "proxied" + namespace = kubernetes_namespace.beads.metadata[0].name + name = "beadboard" + tls_secret_name = var.tls_secret_name + auth = "required" extra_annotations = { "gethomepage.dev/enabled" = "true" "gethomepage.dev/name" = "BeadBoard" diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf index 86b8c3ab..b126805e 100644 --- a/stacks/crowdsec/modules/crowdsec/main.tf +++ b/stacks/crowdsec/modules/crowdsec/main.tf @@ -303,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" { } } module "ingress" { - source = "../../../../modules/kubernetes/ingress_factory" - dns_type = "proxied" - namespace = kubernetes_namespace.crowdsec.metadata[0].name - name = "crowdsec-web" - auth = "required" - tls_secret_name = var.tls_secret_name - exclude_crowdsec = true + source = "../../../../modules/kubernetes/ingress_factory" + dns_type = "proxied" + namespace = kubernetes_namespace.crowdsec.metadata[0].name + name = "crowdsec-web" + auth = "required" + tls_secret_name = var.tls_secret_name } # CronJob to import public blocklists into CrowdSec diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index 11ff8cd4..0fe6bacf 100644 --- a/stacks/f1-stream/main.tf +++ b/stacks/f1-stream/main.tf @@ -301,7 +301,6 @@ module "ingress" { service_name = module.anubis.service_name port = module.anubis.service_port tls_secret_name = var.tls_secret_name - exclude_crowdsec = true anti_ai_scraping = false extra_middlewares = ["traefik-x402@kubernetescrd"] extra_annotations = { 
diff --git a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml index 2bcd474e..50ae668b 100644 --- a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml +++ b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml @@ -32,7 +32,7 @@ ingress: enabled: "true" ingressClassName: "traefik" annotations: - traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" + traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" gethomepage.dev/enabled: "true" gethomepage.dev/name: "Grafana" diff --git a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl index f7bbe256..f2510951 100755 --- a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl +++ b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl @@ -15,7 +15,7 @@ alertmanager: enabled: true ingressClassName: "traefik" annotations: - traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" + traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" gethomepage.dev/enabled: "true" gethomepage.dev/name: "Alertmanager" 
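Review bot: The Grafana ingress middleware chain is a hand-written literal in `grafana_chart_values.yaml`, repeated twice more in `prometheus_chart_values.tpl` (hunks `@@ -15` and `@@ -399`), so every change to the global chain — this commit edits five such strings once the owntracks and docker-registry-ui overrides are counted — has to be replicated by hand and can silently drift from the factory default. Since the Prometheus values file is already rendered as a template, the chain could come from a single local (for example a `join(",", [...])` value passed through `templatefile`) and the Grafana values converted the same way, leaving one definition of what the default chain is. This is a style point only; as far as the diff shows, the new literals are consistent with the factory change.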
@@ -399,7 +399,7 @@ server: enabled: true ingressClassName: "traefik" annotations: - traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" + traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" gethomepage.dev/enabled: "true" diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index b5c20645..d8d3627a 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf @@ -49,7 +49,7 @@ resource "kubernetes_namespace" "owntracks" { name = "owntracks" labels = { "istio-injection" : "disabled" - tier = local.tiers.aux + tier = local.tiers.aux "keel.sh/enrolled" = "true" } } @@ -249,7 +249,7 @@ module "ingress" { tls_secret_name = var.tls_secret_name port = 80 extra_annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" + "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd" "gethomepage.dev/enabled" = "true" "gethomepage.dev/name" = "OwnTracks" "gethomepage.dev/description" = "Location tracking" diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf index 16fd20c9..6872a5c0 100644 --- a/stacks/poison-fountain/main.tf +++ b/stacks/poison-fountain/main.tf @@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" { metadata { name = "poison-fountain" labels = { - "istio-injection" = "disabled" - tier = local.tiers.cluster + "istio-injection" = "disabled" + tier = local.tiers.cluster "keel.sh/enrolled" = "true" } } 
@@ -228,7 +228,6 @@ module "ingress" { port = 8080 tls_secret_name = var.tls_secret_name skip_default_rate_limit = true - exclude_crowdsec = true anti_ai_scraping = false # Deployment is scaled to 0 (see replicas above). Opt the ingress out of # Uptime Kuma external monitoring so the sync CronJob deletes the orphaned diff --git a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf index 850675d5..3ee18e8e 100644 --- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf +++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf @@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { "traefik-retry@kubernetescrd", var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd", var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null, - "traefik-crowdsec@kubernetescrd", var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null, var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null, var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null, diff --git a/stacks/reverse-proxy/modules/reverse_proxy/main.tf b/stacks/reverse-proxy/modules/reverse_proxy/main.tf index deb5a83b..b891139f 100644 --- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf +++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf 
@@ -31,11 +31,11 @@ module "tls_secret" { # https://pfsense.viktorbarzin.me/ module "pfsense" { - source = "./factory" - dns_type = "proxied" - name = "pfsense" - external_name = "pfsense.viktorbarzin.lan" - tls_secret_name = var.tls_secret_name + source = "./factory" + dns_type = "proxied" + name = "pfsense" + external_name = "pfsense.viktorbarzin.lan" + tls_secret_name = var.tls_secret_name # webGUI moved to :8443 on 2026-06-10 — :443 on pfSense is now the # SNI-routed HAProxy frontend (hostname->Traefik, no-SNI->GUI). Direct # backend port avoids a Traefik->HAProxy->GUI double hop. @@ -163,7 +163,7 @@ module "docker-registry-ui" { depends_on = [kubernetes_namespace.reverse-proxy] extra_annotations = { # Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" + "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd" "gethomepage.dev/enabled" = "true" "gethomepage.dev/name" = "Docker Registry" "gethomepage.dev/description" = "Container registry"