lucalise/dotfiles
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(homelab): use iptables rules to prevent wan access

Browse Source
This commit is contained in:
lucalise
2025-12-27 20:31:37 -08:00
parent 136d127117
commit 13e61322a0
11 changed files with 48 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
nix/homelab/helm/helmfile.yaml
View File

@@ -11,6 +11,8 @@ repositories:
url: https://charts.longhorn.io url: https://charts.longhorn.io
- name: home-assistant - name: home-assistant
url: https://pajikos.github.io/home-assistant-helm-chart url: https://pajikos.github.io/home-assistant-helm-chart
- name: pihole
url: https://mojo2600.github.io/pihole-kubernetes/
releases: releases:
# Load Balancer # Load Balancer
@@ -47,6 +49,13 @@ releases:
- persistence: - persistence:
defaultClassReplicaCount: 1 defaultClassReplicaCount: 1
- name: pihole
namespace: pihole-system
chart: pihole/pihole
version: 2.35.0
values:
- values/pihole.yaml
# Minecraft # Minecraft
- name: minecraft-router - name: minecraft-router
namespace: minecraft namespace: minecraft

17
nix/homelab/helm/values/pihole.yaml Normal file
View File

@@ -0,0 +1,17 @@
persistentVolumeClaim:
enabled: true
DNS1:
1.1.1.1
serviceWeb:
https:
enabled: false
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi

3
nix/homelab/kustomize/kustomization.yaml
View File

@@ -4,8 +4,6 @@ kind: Kustomization
resources: resources:
- ./metallb/pool.yaml - ./metallb/pool.yaml
- ./traefik/config.yaml - ./traefik/config.yaml
- ./traefik/rfc1918-middleware.yaml
- ./traefik/chain.yaml
- ./cert-manager/config.yaml - ./cert-manager/config.yaml
- ./routes/minecraft.yaml - ./routes/minecraft.yaml
- ./routes/gitea/ssh.yaml - ./routes/gitea/ssh.yaml
@@ -14,3 +12,4 @@ resources:
- ./routes/home-assistant.yaml - ./routes/home-assistant.yaml
- ./routes/consul-media.yaml - ./routes/consul-media.yaml
- ./routes/consul-vaultwarden.yaml - ./routes/consul-vaultwarden.yaml
- ./routes/pihole.yaml

42
nix/homelab/kustomize/routes/consul-media.yaml
View File

@@ -36,12 +36,6 @@ spec:
- backendRefs: - backendRefs:
- name: bazarr - name: bazarr
port: 6767 port: 6767
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -81,12 +75,6 @@ spec:
- backendRefs: - backendRefs:
- name: prowlarr - name: prowlarr
port: 9696 port: 9696
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -126,12 +114,6 @@ spec:
- backendRefs: - backendRefs:
- name: radarr - name: radarr
port: 7878 port: 7878
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -171,12 +153,6 @@ spec:
- backendRefs: - backendRefs:
- name: sonarr - name: sonarr
port: 8989 port: 8989
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -216,12 +192,6 @@ spec:
- backendRefs: - backendRefs:
- name: qbittorrent - name: qbittorrent
port: 8090 port: 8090
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -261,12 +231,6 @@ spec:
- backendRefs: - backendRefs:
- name: flaresolverr - name: flaresolverr
port: 8191 port: 8191
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -306,9 +270,3 @@ spec:
- backendRefs: - backendRefs:
- name: jellyfin - name: jellyfin
port: 8096 port: 8096
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain

6
nix/homelab/kustomize/routes/consul-vaultwarden.yaml
View File

@@ -41,9 +41,3 @@ spec:
- backendRefs: - backendRefs:
- name: vaultwarden - name: vaultwarden
port: 8000 port: 8000
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain

6
nix/homelab/kustomize/routes/home-assistant.yaml
View File

@@ -13,9 +13,3 @@ spec:
- backendRefs: - backendRefs:
- name: home-assistant - name: home-assistant
port: 8080 port: 8080
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain

6
nix/homelab/kustomize/routes/longhorn.yaml
View File

@@ -13,9 +13,3 @@ spec:
- backendRefs: - backendRefs:
- name: longhorn-frontend - name: longhorn-frontend
port: 80 port: 80
filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: rfc1918-chain

15
nix/homelab/kustomize/routes/pihole.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: longhorn
namespace: pihole-system
spec:
parentRefs:
- name: traefik-gateway
namespace: kube-system
hostnames:
- "pihole.lucalise.ca"
rules:
- backendRefs:
- name: pihole-web
port: 80

43
nix/homelab/kustomize/traefik/chain.yaml
View File

@@ -1,43 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rfc1918-chain
namespace: home
spec:
chain:
middlewares:
- name: rfc1918-only
namespace: kube-system
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rfc1918-chain
namespace: longhorn-system
spec:
chain:
middlewares:
- name: rfc1918-only
namespace: kube-system
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rfc1918-chain
namespace: media
spec:
chain:
middlewares:
- name: rfc1918-only
namespace: kube-system
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rfc1918-chain
namespace: vaultwarden
spec:
chain:
middlewares:
- name: rfc1918-only
namespace: kube-system

11
nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: rfc1918-only
namespace: kube-system
spec:
ipAllowList:
sourceRange:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/16"

6
nix/homelab/nodes/kube/configuration.nix
View File

@@ -20,6 +20,12 @@
networking.hostName = meta.hostname; networking.hostName = meta.hostname;
networking.networkmanager.enable = true; networking.networkmanager.enable = true;
networking.firewall.extraCommands = ''
iptables -I INPUT -d 192.168.27.10/32 -s 10.0.0.0/8 -j ACCEPT
iptables -I INPUT -d 192.168.27.10/32 -s 172.16.0.0/12 -j ACCEPT
iptables -I INPUT -d 192.168.27.10/32 -s 192.168.0.0/16 -j ACCEPT
iptables -I INPUT -d 192.168.27.10/32 -j DROP
'';
time.timeZone = "America/Vancouver"; time.timeZone = "America/Vancouver";