LAPI does not let machine JWTs hit GET /v1/decisions even after the machine
is validated (returns 403 access forbidden). Conversely, bouncer X-Api-Key
does not satisfy DELETE /v1/decisions (returns 401 "cookie token is empty").
The webapp now holds both credentials and routes each call to the right
authority. Adds LAPI_BOUNCER_KEY env var + Gitea secret.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Traefik docker provider skips routing for containers whose Docker HEALTHCHECK
reports unhealthy. Our /healthz returns 503 if LAPI is unreachable, which left
the container stuck unhealthy and the router never appeared — every request
returned 404 from Traefik.
/healthz still exists for manual probes; Kuma probes via Traefik also still
work.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Flask + htmx mini-app to list and delete CrowdSec decisions from a browser,
gated behind Authentik. Talks to host LAPI via host.docker.internal:8080
using machine JWT auth (bouncer X-Api-Key is read-only).
Gitea Actions CI/CD on push to main: runner rebuilds image and brings the
stack up via docker compose on the host (same pattern as flight-radar).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
