fix(homelab)!: use traefik middleware to restrict WAN access

2025-12-27 23:29:35 -08:00
parent 13e61322a0
commit d1b81ce0db
11 changed files with 118 additions and 11 deletions
--- a/nix/homelab/kustomize/generate-restore-job.sh
+++ b/nix/homelab/kustomize/generate-restore-job.sh
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-if [ "$#" -ne 2 ]; then
-  echo "Usage: $0 <server_name> <backup_file>" >&2
-  exit 1
-fi
-
-SERVER_NAME="$1"
-BACKUP_FILE="$2"
-
-kubectl scale deployment minecraft-$SERVER_NAME --replicas 0
-
-sed -e "s/{{SERVER_NAME}}/$SERVER_NAME/g" \
-    -e "s/{{BACKUP_FILE}}/$BACKUP_FILE/g" \
-    restore-job.yaml | kubectl apply -f -
--- a/nix/homelab/kustomize/kustomization.yaml
+++ b/nix/homelab/kustomize/kustomization.yaml
@@ -4,6 +4,8 @@ kind: Kustomization
 resources:
  - ./metallb/pool.yaml
  - ./traefik/config.yaml
+  - ./traefik/private-networks.yaml
+  - ./traefik/chains.yaml
  - ./cert-manager/config.yaml
  - ./routes/minecraft.yaml
  - ./routes/gitea/ssh.yaml
--- a/nix/homelab/kustomize/routes/home-assistant.yaml
+++ b/nix/homelab/kustomize/routes/home-assistant.yaml
@@ -10,6 +10,12 @@ spec:
  hostnames:
    - "home-assistant.lucalise.ca"
  rules:
-    - backendRefs:
+    - filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: private-networks
+      backendRefs:
        - name: home-assistant
          port: 8080
--- a/nix/homelab/kustomize/routes/longhorn.yaml
+++ b/nix/homelab/kustomize/routes/longhorn.yaml
@@ -10,6 +10,12 @@ spec:
  hostnames:
    - "storage.lucalise.ca"
  rules:
-    - backendRefs:
+    - filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: private-networks
+      backendRefs:
        - name: longhorn-frontend
          port: 80
--- a/nix/homelab/kustomize/routes/pihole.yaml
+++ b/nix/homelab/kustomize/routes/pihole.yaml
@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: longhorn
+  name: pihole
  namespace: pihole-system
 spec:
  parentRefs:
@@ -10,6 +10,12 @@ spec:
  hostnames:
    - "pihole.lucalise.ca"
  rules:
-    - backendRefs:
+    - filters:
+        - type: ExtensionRef
+          extensionRef:
+            group: traefik.io
+            kind: Middleware
+            name: private-networks
+      backendRefs:
        - name: pihole-web
          port: 80
--- a/nix/homelab/kustomize/traefik/chains.yaml
+++ b/nix/homelab/kustomize/traefik/chains.yaml
@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: home
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: longhorn-system
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: pihole-system
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
--- a/nix/homelab/kustomize/traefik/config.yaml
+++ b/nix/homelab/kustomize/traefik/config.yaml
@@ -11,6 +11,8 @@ spec:
    service:
      annotations:
        metallb.universe.tf/address-pool: rufus-pool
+      spec:
+        externalTrafficPolicy: Local

    ports:
      web:
--- a/nix/homelab/kustomize/traefik/private-networks.yaml
+++ b/nix/homelab/kustomize/traefik/private-networks.yaml
@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks
+  namespace: kube-system
+spec:
+  ipAllowList:
+    sourceRange:
+      # RFC1918 private address ranges
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      - 100.64.0.0/10