From e77e170421e4651a091a7b8eade67d13c55bc68e Mon Sep 17 00:00:00 2001
From: Roger Oriol <rogi23696@gmail.com>
Date: Fri, 26 Jun 2026 11:58:46 +0200
Subject: [PATCH] fix(homeassistant): trust k3s pod/service CIDRs as
 X-Forwarded-For proxies

HA runs with hostNetwork on roger-nucbox-evo-x2 while Traefik runs on the
raspberrypi node, so requests arrive at HA from 10.88.20.11. The previous
trusted_proxies entry (10.88.88.0/24) did not include this address, causing
HA to reject X-Forwarded-For and return 400 on every ingress request.
---
 homeassistant/homeassistant.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/homeassistant/homeassistant.yaml b/homeassistant/homeassistant.yaml
index 78e5fdd..639c271 100644
--- a/homeassistant/homeassistant.yaml
+++ b/homeassistant/homeassistant.yaml
@@ -32,7 +32,9 @@ data:
     http:
       use_x_forwarded_for: true
       trusted_proxies:
-        - 10.88.88.0/24
+        - 10.42.0.0/16   # k3s pod CIDR (Traefik pod lives here)
+        - 10.43.0.0/16   # k3s service CIDR
+        - 10.88.20.0/24  # node subnet (Traefik runs hostNetwork-ish, forwards from 10.88.20.11)
 ---
 apiVersion: apps/v1
 kind: Deployment