infrastructure/ansible/roles/traefik/files/file-provider-main.yml

http:
  middlewares:
    compress:
      compress: {}

    # https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
    floc-block:
      headers:
        customResponseHeaders:
          Permissions-Policy: interest-cohort=()

    tailscale-only:
      ipWhiteList:
        sourceRange:
          - "{{ tailscale_cidr }}"
          - "{{ tailscale_cidr_ipv6 }}"

    private-access:
      ipWhiteList:
        sourceRange:
          - "{{ tailscale_cidr }}"
          - "{{ tailscale_cidr_ipv6 }}"
          - "{{ nebula.cidr }}"
          - "{{ pve_hosts.internal_cidr }}"