fix(homelab)!: use traefik middleware to restrict WAN access

nix/homelab/kustomize/traefik/chains.yaml

@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: home
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: longhorn-system
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks 
+  namespace: pihole-system
+spec:
+  chain:
+    middlewares:
+      - name: private-networks
+        namespace: kube-system

nix/homelab/kustomize/traefik/config.yaml

@@ -11,6 +11,8 @@ spec:
     service:
       annotations:
         metallb.universe.tf/address-pool: rufus-pool
+      spec:
+        externalTrafficPolicy: Local
 
     ports:
       web:

nix/homelab/kustomize/traefik/private-networks.yaml

@@ -0,0 +1,13 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: private-networks
+  namespace: kube-system
+spec:
+  ipAllowList:
+    sourceRange:
+      # RFC1918 private address ranges
+      - 10.0.0.0/8
+      - 172.16.0.0/12
+      - 192.168.0.0/16
+      - 100.64.0.0/10