- Add Traefik plugin via HelmChartConfig (crowdsec-bouncer-traefik-plugin)
- Create bouncer Middleware in stream mode
- Apply bouncer to all public ingresses
- IPs flagged by CrowdSec will now be blocked at Traefik level
- Add Traefik ForwardAuth middleware pointing to Authelia
- Apply to status.davidepiu.xyz and flux.davidepiu.xyz
- Users must login via auth.davidepiu.xyz before accessing these services
Without this policy, Flux default NetworkPolicies block traffic from kube-system
(where Traefik runs) to flux-system, causing 502 errors for both the weave-gitops
dashboard and cert-manager ACME HTTP-01 solver pods.
