fix(homelab)!: use traefik middleware to restrict WAN access

2025-12-27 23:29:35 -08:00
parent 13e61322a0
commit d1b81ce0db
11 changed files with 118 additions and 11 deletions


@@ -4,6 +4,8 @@ kind: Kustomization
resources: resources:
- ./metallb/pool.yaml - ./metallb/pool.yaml
- ./traefik/config.yaml - ./traefik/config.yaml
- ./traefik/private-networks.yaml
- ./traefik/chains.yaml
- ./cert-manager/config.yaml - ./cert-manager/config.yaml
- ./routes/minecraft.yaml - ./routes/minecraft.yaml
- ./routes/gitea/ssh.yaml - ./routes/gitea/ssh.yaml


@@ -10,6 +10,12 @@ spec:
hostnames: hostnames:
- "home-assistant.lucalise.ca" - "home-assistant.lucalise.ca"
rules: rules:
- backendRefs: - filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: private-networks
backendRefs:
- name: home-assistant - name: home-assistant
port: 8080 port: 8080
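Review bot: The `private-networks` ExtensionRef filter is attached to this one rule only, so any other rule in this HTTPRoute (the rule list begins above the hunk and the file's head is outside it) or any other HTTPRoute matching `home-assistant.lucalise.ca` still reaches the backend unfiltered; the same applies to the storage and pihole route hunks below. Also confirm what Traefik does when the referenced Middleware cannot be resolved (object missing, or the chain's cross-namespace target rejected): the safe behaviour is for the route to fail closed, and if it instead serves without the filter the restriction disappears silently. A one-line comment above the filter would help the next reader, e.g. `# restricts this host to LAN/VPN sources; see traefik/private-networks.yaml`.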


@@ -10,6 +10,12 @@ spec:
hostnames: hostnames:
- "storage.lucalise.ca" - "storage.lucalise.ca"
rules: rules:
- backendRefs: - filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: private-networks
backendRefs:
- name: longhorn-frontend - name: longhorn-frontend
port: 80 port: 80


@@ -1,7 +1,7 @@
apiVersion: gateway.networking.k8s.io/v1 apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute kind: HTTPRoute
metadata: metadata:
name: longhorn name: pihole
namespace: pihole-system namespace: pihole-system
spec: spec:
parentRefs: parentRefs:
@@ -10,6 +10,12 @@ spec:
hostnames: hostnames:
- "pihole.lucalise.ca" - "pihole.lucalise.ca"
rules: rules:
- backendRefs: - filters:
- type: ExtensionRef
extensionRef:
group: traefik.io
kind: Middleware
name: private-networks
backendRefs:
- name: pihole-web - name: pihole-web
port: 80 port: 80
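Review bot: Renaming the HTTPRoute from `longhorn` to `pihole` (first hunk, metadata.name) creates a new object rather than updating the old one, so unless the apply step prunes, the previous `longhorn` HTTPRoute in `pihole-system` — which carries no `private-networks` filter — keeps serving `pihole.lucalise.ca` unrestricted alongside the new one. Verify after rollout that exactly one HTTPRoute in that namespace matches the hostname (`kubectl get httproute -n pihole-system`) and delete the stale object if the apply tooling does not prune. Both hunks cut into a resource whose rule list continues outside the shown lines.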


@@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: private-networks
namespace: home
spec:
chain:
middlewares:
- name: private-networks
namespace: kube-system
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: private-networks
namespace: longhorn-system
spec:
chain:
middlewares:
- name: private-networks
namespace: kube-system
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: private-networks
namespace: pihole-system
spec:
chain:
middlewares:
- name: private-networks
namespace: kube-system


@@ -11,6 +11,8 @@ spec:
service: service:
annotations: annotations:
metallb.universe.tf/address-pool: rufus-pool metallb.universe.tf/address-pool: rufus-pool
spec:
externalTrafficPolicy: Local
ports: ports:
web: web:
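Review bot: `externalTrafficPolicy: Local` is what lets the new `ipAllowList` middleware see the client's real source address (kube-proxy stops SNATing LoadBalancer traffic), but nothing in the hunk says so; a comment would keep a future "why is Local here" cleanup from silently breaking the allowlist, e.g. `# Local preserves the client source IP; the private-networks ipAllowList depends on it`. With Local, only nodes running a Traefik pod accept traffic for the MetalLB address, so check that the replica/placement settings (outside this hunk) cover the nodes that can hold `rufus-pool` addresses.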


@@ -0,0 +1,13 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: private-networks
namespace: kube-system
spec:
ipAllowList:
sourceRange:
# RFC1918 private address ranges
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 100.64.0.0/10
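Review bot: The comment on the `sourceRange` list is inaccurate: `100.64.0.0/10` is the RFC 6598 shared address space (carrier-grade NAT and some overlay VPNs), not RFC 1918, so the comment should say so and name the network it is meant to admit, e.g. `# RFC 1918 private ranges plus RFC 6598 (100.64.0.0/10) for <intended overlay network>`; if the ISP itself uses CGNAT, sources in that range are not necessarily yours. `ipAllowList` with no `ipStrategy` checks the immediate peer address, which is the right default here, but the whole control rests on WAN requests arriving with their public source address: confirm in Traefik's access log that a request from outside is logged with a public IP and not with the router's LAN address after port-forward or hairpin NAT. The list has no IPv6 private ranges, so LAN IPv6 clients are rejected if the service ever gets an IPv6 address or AAAA record; that fails closed, which is fine, but worth a line in the comment.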


@@ -0,0 +1,36 @@
#!/usr/bin/env bash
set -e
NAMESPACES=(
"home"
"longhorn-system"
"pihole-system"
)
OUTPUT_FILE="kustomize/traefik/chains.yaml"
> "$OUTPUT_FILE"
for i in "${!NAMESPACES[@]}"; do
ns="${NAMESPACES[$i]}"
if [[ $i -gt 0 ]]; then
echo "---" >> "$OUTPUT_FILE"
fi
cat >> "$OUTPUT_FILE" <<EOF
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: private-networks
namespace: ${ns}
spec:
chain:
middlewares:
- name: private-networks
namespace: kube-system
EOF
done
echo "Generated $OUTPUT_FILE with ${#NAMESPACES[@]} namespace chains"
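Review bot: The generated chains reference `private-networks` in `kube-system` from other namespaces (the heredoc's last two lines); Traefik's Kubernetes CRD provider rejects cross-namespace Middleware references unless `allowCrossNamespace` is enabled, and the Traefik config hunk in this commit does not show it, so confirm it is set and check how Traefik reports a route whose chain target is rejected — a rejected chain must fail the route rather than serve it unfiltered. The script writes `kustomize/traefik/chains.yaml` relative to the current directory with only `set -e`, so run from elsewhere it silently creates a stray file; use `set -euo pipefail` and resolve `OUTPUT_FILE` against the script's own directory. The output carries no marker that it is generated; emitting a first line such as `# GENERATED by <generator script path> from NAMESPACES — do not edit by hand` before the first document would stop hand edits to chains.yaml that the next run overwrites.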


@@ -9,8 +9,12 @@ fi
SERVER_NAME="$1" SERVER_NAME="$1"
BACKUP_FILE="$2" BACKUP_FILE="$2"
cd kustomize
kubectl scale deployment minecraft-$SERVER_NAME --replicas 0 kubectl scale deployment minecraft-$SERVER_NAME --replicas 0
sed -e "s/{{SERVER_NAME}}/$SERVER_NAME/g" \ sed -e "s/{{SERVER_NAME}}/$SERVER_NAME/g" \
-e "s/{{BACKUP_FILE}}/$BACKUP_FILE/g" \ -e "s/{{BACKUP_FILE}}/$BACKUP_FILE/g" \
restore-job.yaml | kubectl apply -f - restore-job.yaml | kubectl apply -f -
cd -
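Review bot: The `cd kustomize` / `cd -` pair wraps only the sed|kubectl pipeline, and `cd -` prints the previous directory to stdout and is skipped entirely if the pipeline fails under `set -e` (the script's head, including any `set` line, is outside the hunk); referencing the file directly avoids both: change `restore-job.yaml | kubectl apply -f -` to `kustomize/restore-job.yaml | kubectl apply -f -` and drop the two `cd` lines. If the directory change is really needed, run the pipeline in a subshell, `( cd kustomize && sed ... | kubectl apply -f - )`, so the caller's working directory is untouched on every exit path.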


@@ -17,13 +17,13 @@
enable = true; enable = true;
dns = "systemd-resolved"; dns = "systemd-resolved";
}; };
networking.extraHosts = '' # networking.extraHosts = ''
192.168.27.10 traefik.lucalise.ca # 75.157.238.86 traefik.lucalise.ca
192.168.27.10 media.lucalise.ca # 75.157.238.86 media.lucalise.ca
192.168.27.10 git.lucalise.ca # 75.157.238.86 git.lucalise.ca
192.168.27.10 storage.lucalise.ca # 75.157.238.86 storage.lucalise.ca
192.168.27.10 home-assistant.lucalise.ca # 75.157.238.86 home-assistant.lucalise.ca
''; # '';
services.resolved = { services.resolved = {
enable = true; enable = true;
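Review bot: The new side appears to keep the `networking.extraHosts` block as commented-out lines with a hard-coded public address and no note on why it is disabled; either delete it (history keeps the old value) or add a comment stating the reason and when it may come back. Disabling the override also changes where this machine sends LAN traffic for those hostnames: they now resolve through DNS, and if that returns the WAN address the request hairpins through the router and reaches Traefik with whatever source address the router's NAT assigns, which decides whether the new `private-networks` allowlist admits it — verify from the LAN after rollout. The hunk header counts 13 lines per side but 12 are shown, so one line (probably blank) is missing here.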