From b9660c986d1f1aea902b06ec70471943a19031ed Mon Sep 17 00:00:00 2001
From: Nick Adam
Date: Sun, 18 Jan 2026 00:33:49 +0100
Subject: [PATCH] added new traefik rules
---
.../dynamic/05-internal-ipwhitelist.yaml | 30 +++++++++++++++++++
.../traefik-edge/config/dynamic/10-k3s.yaml | 3 +-
2 files changed, 32 insertions(+), 1 deletion(-)
create mode 100644 infrastructure/apps/traefik-edge/config/dynamic/05-internal-ipwhitelist.yaml
diff --git a/infrastructure/apps/traefik-edge/config/dynamic/05-internal-ipwhitelist.yaml b/infrastructure/apps/traefik-edge/config/dynamic/05-internal-ipwhitelist.yaml
new file mode 100644
index 0000000..a7cdb49
--- /dev/null
+++ b/infrastructure/apps/traefik-edge/config/dynamic/05-internal-ipwhitelist.yaml
@@ -0,0 +1,30 @@
+http:
+ middlewares:
+ internal-ipwhitelist:
+ ipWhiteList:
+ sourceRange:
+ - "10.100.0.0/16" # Internes Netzwerk (VLAN 30, 40, 90, etc.)
+ - "10.200.0.0/24" # VPN-Netzwerk
+ # Nur VPN-Clients dürfen auf *.apps.internal.* zugreifen
+
+ routers:
+ # Separate Route für interne Apps mit TLS Termination (nicht Passthrough)
+ # Damit können wir IP-Whitelist anwenden
+ internal-apps:
+ rule: "HostRegexp(`^.+\\.apps\\.internal\\.k3s\\.stabify\\.de$`)"
+ entryPoints:
+ - websecure
+ service: k3s-cluster-internal
+ middlewares:
+ - internal-ipwhitelist
+ tls:
+ certResolver: le
+ domains:
+ - main: "*.apps.internal.k3s.stabify.de"
+
+ services:
+ k3s-cluster-internal:
+ loadBalancer:
+ servers:
+ - url: "https://10.100.40.6:443"
+ passHostHeader: true
diff --git a/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml b/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml
index 9dc73fa..3c4fd82 100644
--- a/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml
+++ b/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml
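Review bot: The comment under sourceRange states that only VPN clients may reach *.apps.internal.*, but the allow list also admits the whole 10.100.0.0/16 internal range, so either the comment or the list is wrong; if VPN-only is the intent, drop the first entry, otherwise correct the comment to `# Internes Netz und VPN-Clients dürfen auf *.apps.internal.* zugreifen` so nobody later relies on a VPN-only guarantee that is not enforced. The raw-regexp form of HostSNIRegexp in 10-k3s.yaml suggests Traefik v3, where ipWhiteList is deprecated in favour of ipAllowList with the same sourceRange keys; switching now avoids a silent break on a later upgrade. With no ipStrategy set the middleware checks the direct peer address, which is the right default only while nothing proxies in front of traefik-edge — if something does, every request would carry the proxy's address and pass or fail as a group, so the deployment topology should be stated in a comment. The service targets an IP over https with backend certificate verification at its defaults, so unless a serversTransport supplies a serverName or the upstream certificate covers that IP the connection may fail; confirm how the upstream presents its certificate rather than relaxing verification.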
@@ -1,7 +1,8 @@ tcp: routers: + # Öffentliche k3s Domains (NICHT *.apps.internal.*) k3s-passthrough: - rule: "HostSNIRegexp(`^.+\\.k3s\\.stabify\\.de$`)" + rule: "HostSNIRegexp(`^[^.]+\\.(apps|sys)\\.k3s\\.stabify\\.de$`) && !HostSNIRegexp(`^.+\\.apps\\.internal\\.k3s\\.stabify\\.de$`)" entryPoints: - websecure service: k3s-cluster
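Review bot: The added `!HostSNIRegexp(...)` clause is redundant: the positive pattern `^[^.]+\.(apps|sys)\.k3s\.stabify\.de$` permits exactly one label before apps/sys, so a name such as x.apps.internal.k3s.stabify.de already fails it, and a reader will wonder which half is the real guard. Keep it as defence in depth only with a comment saying so, e.g. `# Negation ist redundant zur Positivregel und bleibt nur als Absicherung`. The narrowing from `^.+\.k3s\.stabify\.de$` to single-label apps/sys hosts is a larger change than the comment "NICHT *.apps.internal.*" describes — any currently served SNI outside that shape silently stops matching this router — so the existing hostnames should be checked against the new pattern before merging. The rest of the k3s-passthrough router definition lies outside the hunk.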