fix(homelab): use iptables rules to prevent wan access

2025-12-27 20:31:37 -08:00
parent 136d127117
commit 13e61322a0
11 changed files with 48 additions and 116 deletions
--- a/nix/homelab/kustomize/kustomization.yaml
+++ b/nix/homelab/kustomize/kustomization.yaml
@@ -4,8 +4,6 @@ kind: Kustomization
 resources:
  - ./metallb/pool.yaml
  - ./traefik/config.yaml
-  - ./traefik/rfc1918-middleware.yaml
-  - ./traefik/chain.yaml
  - ./cert-manager/config.yaml
  - ./routes/minecraft.yaml
  - ./routes/gitea/ssh.yaml
@@ -14,3 +12,4 @@ resources:
  - ./routes/home-assistant.yaml
  - ./routes/consul-media.yaml
  - ./routes/consul-vaultwarden.yaml
+  - ./routes/pihole.yaml
--- a/nix/homelab/kustomize/routes/consul-media.yaml
+++ b/nix/homelab/kustomize/routes/consul-media.yaml
@@ -36,12 +36,6 @@ spec:
    - backendRefs:
        - name: bazarr
          port: 6767
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -81,12 +75,6 @@ spec:
    - backendRefs:
        - name: prowlarr
          port: 9696
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -126,12 +114,6 @@ spec:
    - backendRefs:
        - name: radarr
          port: 7878
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -171,12 +153,6 @@ spec:
    - backendRefs:
        - name: sonarr
          port: 8989
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -216,12 +192,6 @@ spec:
    - backendRefs:
        - name: qbittorrent
          port: 8090
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -261,12 +231,6 @@ spec:
    - backendRefs:
        - name: flaresolverr
          port: 8191
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
 ---
 apiVersion: v1
 kind: Service
@@ -306,9 +270,3 @@ spec:
    - backendRefs:
        - name: jellyfin
          port: 8096
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
--- a/nix/homelab/kustomize/routes/consul-vaultwarden.yaml
+++ b/nix/homelab/kustomize/routes/consul-vaultwarden.yaml
@@ -41,9 +41,3 @@ spec:
    - backendRefs:
        - name: vaultwarden
          port: 8000
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
--- a/nix/homelab/kustomize/routes/home-assistant.yaml
+++ b/nix/homelab/kustomize/routes/home-assistant.yaml
@@ -13,9 +13,3 @@ spec:
    - backendRefs:
        - name: home-assistant
          port: 8080
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
--- a/nix/homelab/kustomize/routes/longhorn.yaml
+++ b/nix/homelab/kustomize/routes/longhorn.yaml
@@ -13,9 +13,3 @@ spec:
    - backendRefs:
        - name: longhorn-frontend
          port: 80
-      filters:
-        - type: ExtensionRef
-          extensionRef:
-            group: traefik.io
-            kind: Middleware
-            name: rfc1918-chain
--- a/nix/homelab/kustomize/routes/pihole.yaml
+++ b/nix/homelab/kustomize/routes/pihole.yaml
@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: longhorn
+  namespace: pihole-system
+spec:
+  parentRefs:
+    - name: traefik-gateway
+      namespace: kube-system
+  hostnames:
+    - "pihole.lucalise.ca"
+  rules:
+    - backendRefs:
+        - name: pihole-web
+          port: 80
--- a/nix/homelab/kustomize/traefik/chain.yaml
+++ b/nix/homelab/kustomize/traefik/chain.yaml
@@ -1,43 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: rfc1918-chain
-  namespace: home
-spec:
-  chain:
-    middlewares:
-      - name: rfc1918-only
-        namespace: kube-system
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: rfc1918-chain
-  namespace: longhorn-system
-spec:
-  chain:
-    middlewares:
-      - name: rfc1918-only
-        namespace: kube-system
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: rfc1918-chain
-  namespace: media
-spec:
-  chain:
-    middlewares:
-      - name: rfc1918-only
-        namespace: kube-system
---
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: rfc1918-chain
-  namespace: vaultwarden
-spec:
-  chain:
-    middlewares:
-      - name: rfc1918-only
-        namespace: kube-system
--- a/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
+++ b/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
@@ -1,11 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: rfc1918-only
-  namespace: kube-system
-spec:
-  ipAllowList:
-    sourceRange:
-      - "10.0.0.0/8"
-      - "172.16.0.0/12"
-      - "192.168.0.0/16"