Add traefik configuration under version control

docker/traefik/docker-compose.toml

@@ -5,7 +5,7 @@ restart = "unless-stopped"
 ports = ["80:80", "443:443/tcp", "443:443/udp"]
 environment = [
   "TZ=Europe/Helsinki",
-  "CF_API_EMAIL",
+  "CF_API_EMAIL=${ADMIN_EMAIL}",
   "CF_API_KEY",
   "CF_ZONE_API_TOKEN",
   "CF_DNS_API_TOKEN",
@@ -15,9 +15,8 @@ networks = ["proxy"]
 volumes = [
   "/etc/localtime:/etc/localtime:ro",
   "/var/run/docker.sock:/var/run/docker.sock:ro",
-  "/docker/traefik/traefik/traefik.toml:/traefik.toml:ro",
-  "/docker/traefik/traefik/dynamic.toml:/dynamic.toml:ro",
-  "/docker/traefik/traefik/dashboard-users:/dashboard-users:ro",
+  "./traefik.toml:/traefik.toml:ro",
+  "./dynamic.toml:/dynamic.toml:ro",
   "/docker/traefik/traefik/acme.json:/acme.json",
   "/docker/traefik/traefik/log:/var/log",
 ]

docker/traefik/dynamic.toml

@@ -0,0 +1,80 @@
+[http.middlewares.authentik.forwardAuth]
+address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
+trustForwardHeader = true
+authResponseHeaders = [
+  "X-authentik-username",
+  "X-authentik-groups",
+  "X-authentik-email",
+  "X-authentik-name",
+  "X-authentik-uid",
+  "X-authentik-jwt",
+  "X-authentik-meta-jwks",
+  "X-authentik-meta-outpost",
+  "X-authentik-meta-provider",
+  "X-authentik-meta-app",
+  "X-authentik-meta-version",
+]
+
+[http.middlewares.compress.compress]
+
+[http.middlewares.http2https.redirectScheme]
+scheme = "https"
+permanent = true
+
+[http.middlewares.secHeaders.headers]
+browserXssFilter = true
+contentTypeNosniff = true
+frameDeny = true
+sslRedirect = true
+stsIncludeSubdomains = true
+stsPreload = true
+stsSeconds = 31_536_000
+customFrameOptionsValue = "SAMEORIGIN"
+referrerPolicy = "strict-origin-when-cross-origin"
+accesscontrolAllowMethods = ["GET", "OPTIONS", "POST"]
+accesscontrolAllowOriginList = ["https://korhonen.cc"]
+accessControlAllowHeaders = [
+  "Accept",
+  "Accept-Encoding",
+  "Accept-Language",
+  "Access-Control-Request-Headers",
+  "Access-Control-Request-Method",
+  "Connection",
+  "Content-Type",
+  "DNT",
+  "Host",
+  "Origin",
+  "Referer",
+  "Sec-Fetch-Dest",
+  "Sec-Fetch-Mode",
+  "Sec-Fetch-Site",
+  "User-Agent",
+]
+accesscontrolMaxAge = 100
+addVaryHeader = true
+
+[http.middlewares.nextcloud-redirect-dav.redirectRegex]
+permanent = true
+regex = "https://(.*)/.well-known/(card|cal)dav"
+replacement = "https://${1}/remote.php/dav/"
+
+[http.middlewares.nextcloud-redirect-extra.redirectRegex]
+permanent = true
+regex = "https://(.*)/.well-known/(webfinger|nodeinfo)"
+replacement = "https://${1}/index.php/.well-known/${2}"
+
+[http.middlewares.www2non-www.redirectregex]
+permanent = true
+regex = "^https?://www\\.(.+)"
+replacement = "https://${1}"
+
+[tls.options.default]
+minVersion = "VersionTLS12"
+cipherSuites = [
+  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+  "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+]
+
+[tls.options.mintls13]
+minVersion = "VersionTLS13"

docker/traefik/traefik.toml

@@ -0,0 +1,41 @@
+[experimental]
+http3 = true
+
+[api]
+dashboard = true
+
+[entryPoints.http]
+address = ":80"
+
+[entryPoints.https]
+address = ":443"
+
+[entryPoints.https.http3]
+
+[entryPoints.https.http.tls]
+options = "default"
+certResolver = "letsEncrypt"
+
+[[entryPoints.https.http.tls.domains]]
+main = "korhonen.cc"
+sans = ["*.korhonen.cc"]
+
+[providers.docker]
+endpoint = "unix:///var/run/docker.sock"
+exposedByDefault = false
+
+[providers.file]
+filename = "/dynamic.toml"
+
+[certificatesResolvers.letsEncrypt.acme]
+email = "{{env 'ADMIN_EMAIL'}}"
+storage = "acme.json"
+
+[certificatesResolvers.letsEncrypt.acme.dnsChallenge]
+provider = "cloudflare"
+
+[accessLog]
+filePath = "/var/log/access.log"
+
+[accessLog.filters]
+statusCodes = ["400-499"]