feat(homelab): move traefik to rufus node, add rfc1918 middlewares

2025-12-27 02:20:41 -08:00
parent 037036a684
commit 402f1243a2
11 changed files with 144 additions and 69 deletions
--- a/nix/homelab/kustomize/kustomization.yaml
+++ b/nix/homelab/kustomize/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
  - ./metallb/pool.yaml
  - ./traefik/config.yaml
+  - ./traefik/rfc1918-middleware.yaml
+  - ./traefik/chain.yaml
  - ./cert-manager/config.yaml
  - ./routes/media.yaml
  - ./routes/minecraft.yaml
--- a/nix/homelab/kustomize/metallb/pool.yaml
+++ b/nix/homelab/kustomize/metallb/pool.yaml
@@ -8,6 +8,16 @@ spec:
    - 192.168.18.31-192.168.18.61
 ---
 apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: rufus-pool
+  namespace: metallb-system
+spec:
+  addresses:
+    - 192.168.27.10-192.168.27.30
+  autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
  name: pool
@@ -15,3 +25,15 @@ metadata:
 spec:
  ipAddressPools:
    - pool
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: rufus-advertisement
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+    - rufus-pool
+  nodeSelectors:
+    - matchLabels:
+        kubernetes.io/hostname: rufus
--- a/nix/homelab/kustomize/routes/home-assistant.yaml
+++ b/nix/homelab/kustomize/routes/home-assistant.yaml
@@ -13,3 +13,9 @@ spec:
    - backendRefs:
        - name: home-assistant
          port: 8080
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: rfc1918-chain
--- a/nix/homelab/kustomize/routes/longhorn.yaml
+++ b/nix/homelab/kustomize/routes/longhorn.yaml
@@ -13,3 +13,9 @@ spec:
    - backendRefs:
        - name: longhorn-frontend
          port: 80
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: rfc1918-chain
--- a/nix/homelab/kustomize/routes/media.yaml
+++ b/nix/homelab/kustomize/routes/media.yaml
@@ -13,3 +13,9 @@ spec:
    - backendRefs:
        - name: jellyfin
          port: 8096
+      filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: rfc1918-chain
--- a/nix/homelab/kustomize/traefik/chain.yaml
+++ b/nix/homelab/kustomize/traefik/chain.yaml
@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-chain
+  namespace: home
+spec:
+  chain:
+    middlewares:
+      - name: rfc1918-only
+        namespace: default
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-chain
+  namespace: longhorn-system
+spec:
+  chain:
+    middlewares:
+      - name: rfc1918-only
+        namespace: default
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-chain
+  namespace: media
+spec:
+  chain:
+    middlewares:
+      - name: rfc1918-only
+        namespace: default
--- a/nix/homelab/kustomize/traefik/config.yaml
+++ b/nix/homelab/kustomize/traefik/config.yaml
@@ -5,6 +5,13 @@ metadata:
  namespace: kube-system
 spec:
  valuesContent: |-
+    nodeSelector:
+      kubernetes.io/hostname: rufus
+
+    service:
+      annotations:
+        metallb.universe.tf/address-pool: rufus-pool
+
    ports:
      web:
        port: 80
@@ -52,6 +59,8 @@ spec:
         enabled: false
      kubernetesGateway:
         enabled: true
+      kubernetesCRD:
+        allowCrossNamespace: true
    gateway:
      listeners:
        web:
--- a/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
+++ b/nix/homelab/kustomize/traefik/rfc1918-middleware.yaml
@@ -0,0 +1,11 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: rfc1918-only
+  namespace: default
+spec:
+  ipAllowList:
+    sourceRange:
+      - "10.0.0.0/8"
+      - "172.16.0.0/12"
+      - "192.168.0.0/16"