crowdsec: whitelist internal/LAN/tailnet CIDRs at the decision layer

Preparing for real CrowdSec enforcement (edge Cloudflare Worker for proxied
hosts + cs-firewall-bouncer for direct hosts). Both enforce by dropping the
real source IP, so if an internal/RFC1918 address ever ended up in a ban
decision it could blackhole legitimate internal traffic. Whitelisting the
cluster/LAN/tailnet ranges (10/8, 172.16/12, 192.168/16, 100.64/10) at the
CrowdSec parser layer makes that structurally impossible — a trusted source
can never produce a decision in the first place. Public IP already whitelisted.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-20 08:03:46 +00:00
parent 3e3fdb34f0
commit 0ac176da01


@ -102,6 +102,15 @@ resource "kubernetes_config_map" "crowdsec_whitelist" {
reason: "Trusted IP - never block"
ip:
- "176.12.22.76"
cidr:
# Never ban internal/cluster/LAN/tailnet sources. Enforcement (edge
# Worker + firewall-bouncer) drops on real source IP, so an internal
# range slipping into a decision could blackhole legit traffic this
# makes that structurally impossible at the decision layer.
- "10.0.0.0/8" # k8s nodes/pods/services + VLAN 10/20
- "172.16.0.0/12" # RFC1918
- "192.168.0.0/16" # LAN (192.168.1.0/24) + Sofia
- "100.64.0.0/10" # Headscale tailnet (CGNAT)
---
name: viktor/immich-asset-paths-whitelist
description: "Don't penalise legit Immich timeline bursts (mobile scrub, web grid)"
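Review bot: the added comment runs two sentences together at "could blackhole legit traffic this makes that structurally impossible"; put a period or semicolon before "this makes" so the intent reads cleanly. Separately, a parser-layer whitelist (this `crowdsec_whitelist` config map, `reason: "Trusted IP - never block"`) discards matching events before they reach any scenario, so a misbehaving or compromised host inside 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or 100.64.0.0/10 will generate no alert at all, not merely no ban. That is the stated goal here, but it is worth saying so explicitly in the comment ("no detection from these ranges either") so a future reader does not assume internal scenarios still fire; if internal visibility is ever wanted, the ranges would need to be handled further down the pipeline rather than at the parser.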