feat(security): Restrict sensitive services to local network

Apply local-only middleware to:
- Backrest (backup management)
- Code Server (IDE)
- Ollama (LLM API)

These services now require both SSO authentication and local network
access (10.0.0.0/16), preventing external access while maintaining
convenience on LAN.

compose/services/backrest/compose.yaml

@@ -26,8 +26,8 @@ services:
       traefik.http.routers.backrest.tls.certresolver: letsencrypt
       traefik.http.services.backrest.loadbalancer.server.port: 9898
 
-      # Require authentication
-      traefik.http.routers.backrest.middlewares: tinyauth
+      # Require authentication and restrict to local network
+      traefik.http.routers.backrest.middlewares: tinyauth,local-only
 
       # Homarr Discovery
       homarr.name: Backrest Backup

compose/services/code-server/compose.yaml

@@ -29,8 +29,8 @@ services:
       traefik.http.routers.code-server.tls.certresolver: letsencrypt
       traefik.http.services.code-server.loadbalancer.server.port: 8443
 
-      # SSO Protection
-      traefik.http.routers.code-server.middlewares: tinyauth
+      # SSO Protection and restrict to local network
+      traefik.http.routers.code-server.middlewares: tinyauth,local-only
 
       # Homarr Discovery
       homarr.name: Code Server (IDE)

compose/services/ollama/compose.yaml

@@ -43,8 +43,8 @@ services:
       traefik.http.routers.ollama.tls.certresolver: letsencrypt
       traefik.http.services.ollama.loadbalancer.server.port: 11434
 
-      # SSO Protection for API
-      traefik.http.routers.ollama.middlewares: tinyauth
+      # SSO Protection for API and restrict to local network
+      traefik.http.routers.ollama.middlewares: tinyauth,local-only
 
       # Homarr Discovery
       homarr.name: Ollama (LLM)