From 60781182f6a8f7ad3b905ca9f32768fe3fc89b7e Mon Sep 17 00:00:00 2001 From: Eduardo Figueroa Date: Thu, 4 Dec 2025 18:43:46 +0000 Subject: [PATCH] feat(security): Restrict sensitive services to local network Apply local-only middleware to: - Backrest (backup management) - Code Server (IDE) - Ollama (LLM API) These services now require both SSO authentication and local network access (10.0.0.0/16), preventing external access while maintaining convenience on LAN.
---
 compose/services/backrest/compose.yaml | 4 ++-- compose/services/code-server/compose.yaml | 4 ++-- compose/services/ollama/compose.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/compose/services/backrest/compose.yaml b/compose/services/backrest/compose.yaml
index 864f823..310897f 100644
--- a/compose/services/backrest/compose.yaml
+++ b/compose/services/backrest/compose.yaml
@@ -26,8 +26,8 @@ services:
 traefik.http.routers.backrest.tls.certresolver: letsencrypt
 traefik.http.services.backrest.loadbalancer.server.port: 9898
- # Require authentication
- traefik.http.routers.backrest.middlewares: tinyauth
+ # Require authentication and restrict to local network
+ traefik.http.routers.backrest.middlewares: tinyauth,local-only
 # Homarr Discovery
 homarr.name: Backrest Backup
diff --git a/compose/services/code-server/compose.yaml b/compose/services/code-server/compose.yaml
index a75de26..c6ef337 100644
--- a/compose/services/code-server/compose.yaml
+++ b/compose/services/code-server/compose.yaml
@@ -29,8 +29,8 @@ services:
 traefik.http.routers.code-server.tls.certresolver: letsencrypt
 traefik.http.services.code-server.loadbalancer.server.port: 8443
- # SSO Protection
- traefik.http.routers.code-server.middlewares: tinyauth
+ # SSO Protection and restrict to local network
+ traefik.http.routers.code-server.middlewares: tinyauth,local-only
 # Homarr Discovery
 homarr.name: Code Server (IDE)
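Review bot: The new value `tinyauth,local-only` on `traefik.http.routers.backrest.middlewares` puts the SSO check ahead of the network restriction. Traefik applies a router's middlewares in the order they are listed, so a request from outside the LAN is still handed to the auth middleware before it is refused. Listing the allowlist first, `traefik.http.routers.backrest.middlewares: local-only,tinyauth`, drops off-network requests before any authentication traffic is generated. The code-server and ollama hunks use the same order and would take the same change.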
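Review bot: The `local-only` middleware named on `traefik.http.routers.code-server.middlewares` is not defined in any of the three files this commit touches, so its provider and its address range cannot be checked from the diff. An unsuffixed name on a Docker label is resolved in the Docker provider's namespace; if the definition lives in a file provider, the reference has to be `local-only@file`. Traefik does not serve a router whose middleware it cannot resolve, which would make the service unreachable rather than exposed. A comment above the label would make the dependency visible, for example `# local-only: IP allowlist (10.0.0.0/16), defined in <path to Traefik dynamic config>`. The backrest and ollama hunks reference the same middleware.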
diff --git a/compose/services/ollama/compose.yaml b/compose/services/ollama/compose.yaml
index f6b32db..5fbc7fe 100644
--- a/compose/services/ollama/compose.yaml
+++ b/compose/services/ollama/compose.yaml
@@ -43,8 +43,8 @@ services:
 traefik.http.routers.ollama.tls.certresolver: letsencrypt
 traefik.http.services.ollama.loadbalancer.server.port: 11434
- # SSO Protection for API
- traefik.http.routers.ollama.middlewares: tinyauth
+ # SSO Protection for API and restrict to local network
+ traefik.http.routers.ollama.middlewares: tinyauth,local-only
 # Homarr Discovery
 homarr.name: Ollama (LLM)
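Review bot: The `local-only` restriction added to `traefik.http.routers.ollama.middlewares` is only as reliable as the client address Traefik sees, and nothing in this hunk shows how that address is derived. If Traefik sits behind another proxy, a tunnel or NAT that rewrites the source address, requests can all appear to come from one address, which may fall inside or outside 10.0.0.0/16 regardless of their real origin. In that case the allowlist's `ipStrategy` and the entrypoint's trusted forwarded-header settings need to be reviewed along with this change. The same caveat applies to the backrest and code-server routers.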