argo for backup traefik

backup/applications.yaml

@@ -16,3 +16,21 @@ spec:
   syncPolicy:
     automated:
       enabled: true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+spec:
+  destination:
+    namespace: kube-system
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: backup/traefik
+    repoURL: https://gogs.jibby.org/jhb2345/server
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      enabled: true

backup/traefik/middleware-lanonly.yaml

@@ -0,0 +1,16 @@
+# Without this, internal services would be accessible by forcing resolution of
+# an internal domain into the external IP. Eg:
+#
+#  curl -v --resolve sonarr.lan.jibby.org:443:<external IP> https://sonarr.lan.jibby.org
+#
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: lanonly
+  namespace: kube-system
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 10.0.0.0/24    # LAN access
+      - 10.42.0.0/16   # Pod access