modules/kubernetes/ingress_factory/main.tf

@@ -107,10 +107,6 @@ variable "custom_content_security_policy" {
   type    = string
   default = null
 }
-variable "exclude_crowdsec" {
-  type    = bool
-  default = false
-}
 variable "full_host" {
   type    = string
   default = null
@@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         "traefik-error-pages@kubernetescrd",
         var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
         var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
-        var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
         local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
         local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
         local.auth_middleware,

stacks/authentik/guest.tf

@@ -211,7 +211,6 @@ module "ingress_public_outpost" {
   tls_secret_name  = var.tls_secret_name
   dns_type         = "proxied"
   anti_ai_scraping = false
-  exclude_crowdsec = true
   homepage_enabled = false
   depends_on       = [authentik_outpost.public]
 }

stacks/authentik/modules/authentik/main.tf

@@ -82,13 +82,6 @@ module "ingress" {
   service_name     = "goauthentik-server"
   tls_secret_name  = var.tls_secret_name
   anti_ai_scraping = false
-  # Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
-  # interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints — that
-  # walls users out of the very gate they authenticate through (a CrowdSec hit
-  # would break the passkey ceremony / session refresh mid-flow). Auth keeps
-  # Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
-  # (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
-  exclude_crowdsec = true
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Authentik"
@@ -116,7 +109,6 @@ module "ingress-outpost" {
   ingress_path     = ["/outpost.goauthentik.io"]
   tls_secret_name  = var.tls_secret_name
   anti_ai_scraping = false
-  exclude_crowdsec = true
 }
 
 # Immutable caching for the flow-executor static assets. Authentik serves

stacks/beads-server/main.tf

@@ -527,8 +527,7 @@ module "ingress" {
   name            = "dolt-workbench"
   tls_secret_name = var.tls_secret_name
   # auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
-  auth             = "none"
-  exclude_crowdsec = true
+  auth = "none"
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Dolt Workbench"
@@ -792,13 +791,12 @@ resource "kubernetes_service" "beadboard" {
 }
 
 module "beadboard_ingress" {
-  source           = "../../modules/kubernetes/ingress_factory"
-  dns_type         = "proxied"
-  namespace        = kubernetes_namespace.beads.metadata[0].name
-  name             = "beadboard"
-  tls_secret_name  = var.tls_secret_name
-  auth             = "required"
-  exclude_crowdsec = true
+  source          = "../../modules/kubernetes/ingress_factory"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.beads.metadata[0].name
+  name            = "beadboard"
+  tls_secret_name = var.tls_secret_name
+  auth            = "required"
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "BeadBoard"

stacks/crowdsec/modules/crowdsec/main.tf

@@ -303,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" {
   }
 }
 module "ingress" {
-  source           = "../../../../modules/kubernetes/ingress_factory"
-  dns_type         = "proxied"
-  namespace        = kubernetes_namespace.crowdsec.metadata[0].name
-  name             = "crowdsec-web"
-  auth             = "required"
-  tls_secret_name  = var.tls_secret_name
-  exclude_crowdsec = true
+  source          = "../../../../modules/kubernetes/ingress_factory"
+  dns_type        = "proxied"
+  namespace       = kubernetes_namespace.crowdsec.metadata[0].name
+  name            = "crowdsec-web"
+  auth            = "required"
+  tls_secret_name = var.tls_secret_name
 }
 
 # CronJob to import public blocklists into CrowdSec

stacks/f1-stream/main.tf

@@ -301,7 +301,6 @@ module "ingress" {
   service_name      = module.anubis.service_name
   port              = module.anubis.service_port
   tls_secret_name   = var.tls_secret_name
-  exclude_crowdsec  = true
   anti_ai_scraping  = false
   extra_middlewares = ["traefik-x402@kubernetescrd"]
   extra_annotations = {

stacks/poison-fountain/main.tf

@@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" {
   metadata {
     name = "poison-fountain"
     labels = {
-      "istio-injection" = "disabled"
-      tier              = local.tiers.cluster
+      "istio-injection"  = "disabled"
+      tier               = local.tiers.cluster
       "keel.sh/enrolled" = "true"
     }
   }
@@ -228,7 +228,6 @@ module "ingress" {
   port                    = 8080
   tls_secret_name         = var.tls_secret_name
   skip_default_rate_limit = true
-  exclude_crowdsec        = true
   anti_ai_scraping        = false
   # Deployment is scaled to 0 (see replicas above). Opt the ingress out of
   # Uptime Kuma external monitoring so the sync CronJob deletes the orphaned