A members-only companion to the public homelab posts — the actual files, not just the story. Thanks for supporting the work.

The Traefik label set I put on every service (APP and PORT are placeholders for the service name and its container port)

labels:
  - traefik.enable=true
  - "traefik.http.routers.APP.rule=Host(`app.example.com`)"
  - traefik.http.routers.APP.entrypoints=websecure
  - traefik.http.routers.APP.tls.certresolver=le
  - traefik.http.services.APP.loadbalancer.server.port=PORT
  - traefik.http.routers.APP.middlewares=crowdsec@file,sec-headers@file

CrowdSec + the Traefik bouncer

CrowdSec runs as its own container reading Traefik's access logs. The bouncer (a forward-auth middleware) checks each request against CrowdSec's local decisions plus the community blocklist; it pulls those decisions in stream mode, so a new ban is enforced almost immediately instead of waiting on a per-request lookup.

The egress firewall (the part people skip)

# Block an untrusted container network from reaching prod, metadata, and SMTP.
# -I puts each DROP at the top of DOCKER-USER, ahead of Docker's default "-j RETURN";
# a DROP that lands below that RETURN is never evaluated.
iptables -I DOCKER-USER -s 172.30.0.0/24 -d 169.254.169.254 -j DROP   # cloud metadata
iptables -I DOCKER-USER -s 172.30.0.0/24 -p tcp --dport 25 -j DROP    # SMTP
iptables -I DOCKER-USER -s 172.30.0.0/24 -d 172.18.0.0/16 -j DROP     # prod network
iptables -A DOCKER-USER -s 172.30.0.0/24 -j ACCEPT                    # allow the rest; keep -A so it stays below the DROPs
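Before trusting those rules, check the chain ordering. This is an added check, not part of the original post, and assumes the 172.30.0.0/24 subnet from the rules above; it parses `iptables -S DOCKER-USER` output (two constructed samples are embedded) and fails whenever a RETURN or ACCEPT sits above any DROP for the subnet, which is what happens if the ACCEPT is inserted with -I instead of appended.

```sh
#!/bin/sh
# Added check, not from the original post: audit DOCKER-USER rule ordering.
# Docker pre-populates the chain with "-A DOCKER-USER -j RETURN"; any DROP that
# lands below that RETURN (or below an ACCEPT) is never evaluated. Reads
# `iptables -S DOCKER-USER` output on stdin and fails unless every DROP for the
# given subnet sits above the first RETURN/ACCEPT.
# Live host:  iptables -S DOCKER-USER | check_docker_user_order 172.30.0.0/24

check_docker_user_order() {
  subnet="$1"
  n=0; drops=0; last_drop=0; first_pass=0
  while IFS= read -r rule; do
    case "$rule" in
      "-A DOCKER-USER "*) ;;          # only rules in the chain; skip "-N" etc.
      *) continue ;;
    esac
    n=$((n + 1))
    case "$rule" in
      *"-s $subnet "*"-j DROP")
        drops=$((drops + 1)); last_drop=$n ;;
      *"-j RETURN"|*"-j ACCEPT")
        if [ "$first_pass" -eq 0 ]; then first_pass=$n; fi ;;
    esac
  done
  if [ "$drops" -eq 0 ]; then
    echo "FAIL: no DROP rules for $subnet in DOCKER-USER"; return 1
  fi
  if [ "$first_pass" -ne 0 ] && [ "$first_pass" -lt "$last_drop" ]; then
    echo "FAIL: rule $first_pass (RETURN/ACCEPT) is above the DROP at rule $last_drop"; return 1
  fi
  echo "OK: $drops DROP rule(s) for $subnet sit above the first RETURN/ACCEPT"
}

# Constructed sample: the chain as `iptables -S` shows it after the -I/-A commands above.
GOOD_RULES='-N DOCKER-USER
-A DOCKER-USER -s 172.30.0.0/24 -d 172.18.0.0/16 -j DROP
-A DOCKER-USER -s 172.30.0.0/24 -p tcp -m tcp --dport 25 -j DROP
-A DOCKER-USER -s 172.30.0.0/24 -d 169.254.169.254/32 -j DROP
-A DOCKER-USER -j RETURN
-A DOCKER-USER -s 172.30.0.0/24 -j ACCEPT'

# Constructed sample of the mistake: the ACCEPT was inserted with -I, so it wins.
BAD_RULES='-N DOCKER-USER
-A DOCKER-USER -s 172.30.0.0/24 -j ACCEPT
-A DOCKER-USER -s 172.30.0.0/24 -d 169.254.169.254/32 -j DROP
-A DOCKER-USER -j RETURN'

printf '%s\n' "$GOOD_RULES" | check_docker_user_order 172.30.0.0/24
printf '%s\n' "$BAD_RULES" | check_docker_user_order 172.30.0.0/24 || true
```

Run it after every rule change and again after a Docker upgrade, since the chain is only safe while the DROPs stay above the default RETURN.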

Adapt the subnets to your own networks. Questions? contact@paulhitt.com.