From 13e61322a00d6b31ae965504391ec76f57efe78a Mon Sep 17 00:00:00 2001
From: lucalise
Date: Sat, 27 Dec 2025 20:31:37 -0800
Subject: [PATCH] fix(homelab): use iptables rules to prevent wan access
---
 nix/homelab/helm/helmfile.yaml | 9 ++++
 nix/homelab/helm/values/pihole.yaml | 17 ++++++++
 nix/homelab/kustomize/kustomization.yaml | 3 +-
 .../kustomize/routes/consul-media.yaml | 42 ------------------
 .../kustomize/routes/consul-vaultwarden.yaml | 6 ---
 .../kustomize/routes/home-assistant.yaml | 6 ---
 nix/homelab/kustomize/routes/longhorn.yaml | 6 ---
 nix/homelab/kustomize/routes/pihole.yaml | 15 +++++++
 nix/homelab/kustomize/traefik/chain.yaml | 43 -------------------
 .../kustomize/traefik/rfc1918-middleware.yaml | 11 -----
 nix/homelab/nodes/kube/configuration.nix | 6 +++
 11 files changed, 48 insertions(+), 116 deletions(-)
 create mode 100644 nix/homelab/helm/values/pihole.yaml
 create mode 100644 nix/homelab/kustomize/routes/pihole.yaml
 delete mode 100644 nix/homelab/kustomize/traefik/chain.yaml
 delete mode 100644 nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
diff --git a/nix/homelab/helm/helmfile.yaml b/nix/homelab/helm/helmfile.yaml
index a30f1fb..7369286 100644
--- a/nix/homelab/helm/helmfile.yaml
+++ b/nix/homelab/helm/helmfile.yaml
@@ -11,6 +11,8 @@ repositories:
 url: https://charts.longhorn.io
 - name: home-assistant
 url: https://pajikos.github.io/home-assistant-helm-chart
+ - name: pihole
+ url: https://mojo2600.github.io/pihole-kubernetes/
 releases:
 # Load Balancer
@@ -47,6 +49,13 @@ releases:
 - persistence:
 defaultClassReplicaCount: 1
+ - name: pihole
+ namespace: pihole-system
+ chart: pihole/pihole
+ version: 2.35.0
+ values:
+ - values/pihole.yaml
+ + # Minecraft
 - name: minecraft-router
 namespace: minecraft
diff --git a/nix/homelab/helm/values/pihole.yaml b/nix/homelab/helm/values/pihole.yaml
new file mode 100644
index 0000000..383fb5d
--- /dev/null
+++ b/nix/homelab/helm/values/pihole.yaml
@@ -0,0 +1,17 @@
+persistentVolumeClaim:
+ enabled: true
+
+DNS1:
+ 1.1.1.1
+
+serviceWeb:
+ https:
+ enabled: false
+resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
diff --git a/nix/homelab/kustomize/kustomization.yaml b/nix/homelab/kustomize/kustomization.yaml
index 6a77b7b..bc36645 100644
--- a/nix/homelab/kustomize/kustomization.yaml
+++ b/nix/homelab/kustomize/kustomization.yaml
@@ -4,8 +4,6 @@ kind: Kustomization
 resources:
 - ./metallb/pool.yaml
 - ./traefik/config.yaml
- - ./traefik/rfc1918-middleware.yaml
- - ./traefik/chain.yaml
 - ./cert-manager/config.yaml
 - ./routes/minecraft.yaml
 - ./routes/gitea/ssh.yaml
@@ -14,3 +12,4 @@ resources:
 - ./routes/home-assistant.yaml
 - ./routes/consul-media.yaml
 - ./routes/consul-vaultwarden.yaml
+ - ./routes/pihole.yaml
diff --git a/nix/homelab/kustomize/routes/consul-media.yaml b/nix/homelab/kustomize/routes/consul-media.yaml
index 330b66e..2aed169 100644
--- a/nix/homelab/kustomize/routes/consul-media.yaml
+++ b/nix/homelab/kustomize/routes/consul-media.yaml
@@ -36,12 +36,6 @@ spec:
 - backendRefs:
 - name: bazarr
 port: 6767
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -81,12 +75,6 @@ spec:
 - backendRefs:
 - name: prowlarr
 port: 9696
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -126,12 +114,6 @@ spec:
 - backendRefs:
 - name: radarr
 port: 7878
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -171,12 +153,6 @@ spec:
 - backendRefs:
 - name: sonarr
 port: 8989
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
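Review bot: In values/pihole.yaml the value of `DNS1` sits on its own indented line, which YAML folds into the plain scalar `1.1.1.1`, so it works but reads like a missing value; put it on one line as `DNS1: "1.1.1.1"`. The file sets no admin credential, so the web UI exposed at pihole.lucalise.ca by the route added in this patch falls back to the chart default — as far as I recall mojo2600's chart ships a fixed `adminPassword` and accepts `admin.existingSecret` — so point `admin.existingSecret` at a Secret created out of band rather than relying on the default or committing a password here. `serviceWeb.https.enabled: false` is fine if TLS terminates at the Traefik gateway, which the other routes suggest; a one-line comment saying so would save the next reader a check.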
@@ -216,12 +192,6 @@ spec:
 - backendRefs:
 - name: qbittorrent
 port: 8090
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -261,12 +231,6 @@ spec:
 - backendRefs:
 - name: flaresolverr
 port: 8191
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -306,9 +270,3 @@ spec:
 - backendRefs:
 - name: jellyfin
 port: 8096
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
diff --git a/nix/homelab/kustomize/routes/consul-vaultwarden.yaml b/nix/homelab/kustomize/routes/consul-vaultwarden.yaml
index 510cff5..7cefad6 100644
--- a/nix/homelab/kustomize/routes/consul-vaultwarden.yaml
+++ b/nix/homelab/kustomize/routes/consul-vaultwarden.yaml
@@ -41,9 +41,3 @@ spec:
 - backendRefs:
 - name: vaultwarden
 port: 8000
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
diff --git a/nix/homelab/kustomize/routes/home-assistant.yaml b/nix/homelab/kustomize/routes/home-assistant.yaml
index b440666..cd42fd2 100644
--- a/nix/homelab/kustomize/routes/home-assistant.yaml
+++ b/nix/homelab/kustomize/routes/home-assistant.yaml
@@ -13,9 +13,3 @@ spec:
 - backendRefs:
 - name: home-assistant
 port: 8080
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
diff --git a/nix/homelab/kustomize/routes/longhorn.yaml b/nix/homelab/kustomize/routes/longhorn.yaml
index 4f539de..4dc79a4 100644
--- a/nix/homelab/kustomize/routes/longhorn.yaml
+++ b/nix/homelab/kustomize/routes/longhorn.yaml
@@ -13,9 +13,3 @@ spec:
 - backendRefs:
 - name: longhorn-frontend
 port: 80
- filters:
- - type: ExtensionRef
- extensionRef:
- group: traefik.io
- kind: Middleware
- name: rfc1918-chain
diff --git a/nix/homelab/kustomize/routes/pihole.yaml b/nix/homelab/kustomize/routes/pihole.yaml
new file mode 100644
index 0000000..aaa2fbe
--- /dev/null
+++ b/nix/homelab/kustomize/routes/pihole.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: longhorn
+ namespace: pihole-system
+spec:
+ parentRefs:
+ - name: traefik-gateway
+ namespace: kube-system
+ hostnames:
+ - "pihole.lucalise.ca"
+ rules:
+ - backendRefs:
+ - name: pihole-web
+ port: 80
diff --git a/nix/homelab/kustomize/traefik/chain.yaml b/nix/homelab/kustomize/traefik/chain.yaml
deleted file mode 100644
index a1a7549..0000000
--- a/nix/homelab/kustomize/traefik/chain.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: rfc1918-chain
- namespace: home
-spec:
- chain:
- middlewares:
- - name: rfc1918-only
- namespace: kube-system
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: rfc1918-chain
- namespace: longhorn-system
-spec:
- chain:
- middlewares:
- - name: rfc1918-only
- namespace: kube-system
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: rfc1918-chain
- namespace: media
-spec:
- chain:
- middlewares:
- - name: rfc1918-only
- namespace: kube-system
----
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: rfc1918-chain
- namespace: vaultwarden
-spec:
- chain:
- middlewares:
- - name: rfc1918-only
- namespace: kube-system
diff --git a/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml b/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
deleted file mode 100644
index d712fa4..0000000
--- a/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
- name: rfc1918-only
- namespace: kube-system
-spec:
- ipAllowList:
- sourceRange:
- - "10.0.0.0/8"
- - "172.16.0.0/12"
- - "192.168.0.0/16"
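Review bot: The new HTTPRoute in routes/pihole.yaml is named `longhorn` while it sits in `pihole-system` and serves `pihole.lucalise.ca`, which looks like a leftover from routes/longhorn.yaml; change `name: longhorn` to `name: pihole` so the object is identifiable in kubectl output and events. Like the other routes in this patch it carries no Traefik-level source restriction, so the Pi-hole admin UI is reachable by anything that can reach the gateway and the node firewall rules in configuration.nix are the only guard; a one-line comment stating that dependency is worth adding. The hunk is the whole file.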
diff --git a/nix/homelab/nodes/kube/configuration.nix b/nix/homelab/nodes/kube/configuration.nix
index 8da751e..cb2d683 100644
--- a/nix/homelab/nodes/kube/configuration.nix
+++ b/nix/homelab/nodes/kube/configuration.nix
@@ -20,6 +20,12 @@ networking.hostName = meta.hostname;
 networking.networkmanager.enable = true;
+ networking.firewall.extraCommands = ''
+ iptables -I INPUT -d 192.168.27.10/32 -s 10.0.0.0/8 -j ACCEPT
+ iptables -I INPUT -d 192.168.27.10/32 -s 172.16.0.0/12 -j ACCEPT
+ iptables -I INPUT -d 192.168.27.10/32 -s 192.168.0.0/16 -j ACCEPT
+ iptables -I INPUT -d 192.168.27.10/32 -j DROP
+ '';
 time.timeZone = "America/Vancouver";
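Review bot: The four `iptables -I INPUT` lines each insert at position 1, so once the script has run the chain is ordered DROP, ACCEPT 192.168.0.0/16, ACCEPT 172.16.0.0/12, ACCEPT 10.0.0.0/8 — the unconditional `-d 192.168.27.10/32 -j DROP` is matched first and the three ACCEPTs are dead, which blocks LAN clients as well as WAN. Inserting the DROP first would fix the ordering, but the rewrite below instead appends the rules to a dedicated chain in evaluation order, uses RETURN rather than ACCEPT so RFC1918 sources still pass through the normal `nixos-fw` port filtering instead of being granted every port on that address, and adds `extraStopCommands` so a firewall restart does not leave duplicate rules in INPUT. Two things to confirm: INPUT only sees packets addressed to the host itself, so if 192.168.27.10 is a MetalLB/LoadBalancer address that kube-proxy DNATs in PREROUTING the traffic traverses FORWARD and none of these rules match; and this is now the only source restriction, since the Traefik `rfc1918-only` ipAllowList removed elsewhere in this patch applied at L7 regardless of which node or address a request arrived on, so keeping both would be cheap defence in depth. The enclosing attribute set of configuration.nix continues outside the hunk.
```nix
  # Dedicated chain: evaluation order is explicit (RFC1918 sources fall
  # through to the normal nixos-fw rules, everything else is dropped) and
  # a firewall restart re-creates it instead of stacking duplicate rules.
  networking.firewall.extraCommands = ''
    iptables -N homelab-lan-only 2>/dev/null || iptables -F homelab-lan-only
    iptables -A homelab-lan-only -s 10.0.0.0/8 -j RETURN
    iptables -A homelab-lan-only -s 172.16.0.0/12 -j RETURN
    iptables -A homelab-lan-only -s 192.168.0.0/16 -j RETURN
    iptables -A homelab-lan-only -j DROP
    iptables -C INPUT -d 192.168.27.10/32 -j homelab-lan-only 2>/dev/null \
      || iptables -I INPUT -d 192.168.27.10/32 -j homelab-lan-only
  '';
  networking.firewall.extraStopCommands = ''
    iptables -D INPUT -d 192.168.27.10/32 -j homelab-lan-only 2>/dev/null || true
    iptables -F homelab-lan-only 2>/dev/null || true
    iptables -X homelab-lan-only 2>/dev/null || true
  '';
```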