diff --git a/docker/traefik/docker-compose.toml b/docker/traefik/docker-compose.toml
index a97cda0..19402fd 100644
--- a/docker/traefik/docker-compose.toml
+++ b/docker/traefik/docker-compose.toml
@@ -5,7 +5,7 @@ restart = "unless-stopped"
 ports = ["80:80", "443:443/tcp", "443:443/udp"]
 environment = [
 "TZ=Europe/Helsinki",
- "CF_API_EMAIL",
+ "CF_API_EMAIL=${ADMIN_EMAIL}",
 "CF_API_KEY",
 "CF_ZONE_API_TOKEN",
 "CF_DNS_API_TOKEN",
@@ -15,9 +15,8 @@ networks = ["proxy"]
 volumes = [
 "/etc/localtime:/etc/localtime:ro",
 "/var/run/docker.sock:/var/run/docker.sock:ro",
- "/docker/traefik/traefik/traefik.toml:/traefik.toml:ro",
- "/docker/traefik/traefik/dynamic.toml:/dynamic.toml:ro",
- "/docker/traefik/traefik/dashboard-users:/dashboard-users:ro",
+ "./traefik.toml:/traefik.toml:ro",
+ "./dynamic.toml:/dynamic.toml:ro",
 "/docker/traefik/traefik/acme.json:/acme.json",
 "/docker/traefik/traefik/log:/var/log",
 ]
diff --git a/docker/traefik/dynamic.toml b/docker/traefik/dynamic.toml
new file mode 100644
index 0000000..c22acb6
--- /dev/null
+++ b/docker/traefik/dynamic.toml
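Review bot: The new `environment` list still hands the container both the Cloudflare Global API Key pair (`CF_API_EMAIL=${ADMIN_EMAIL}`, `CF_API_KEY`) and the scoped tokens (`CF_ZONE_API_TOKEN`, `CF_DNS_API_TOKEN`); as far as I recall lego's cloudflare provider tries email+key first and only falls back to the tokens when those are unset, so if the host actually exports `CF_API_KEY` Traefik runs with a full-account credential and the least-privilege tokens are never used. I would keep one mechanism only: drop the two lines `"CF_API_EMAIL=${ADMIN_EMAIL}",` and `"CF_API_KEY",` and keep the tokens, with the DNS token scoped to Zone:DNS:Edit on the single zone. I cannot see the host `.env`, so if `CF_API_KEY` is deliberately left empty there this is only a cleanup, but a comment saying so would stop the next person from filling it in.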
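Review bot: Removing the `/docker/traefik/traefik/dashboard-users:/dashboard-users:ro` mount takes away the htpasswd file that presumably backed a basicAuth middleware on the dashboard, while `[api] dashboard = true` in the traefik.toml added by this same commit keeps the dashboard enabled; the router that exposes `api@internal` is not in this diff (likely docker labels), so I cannot confirm it was re-pointed to the new `authentik` forwardAuth middleware. Please verify that router now carries a middleware, otherwise the dashboard and `/api/rawdata` (which dumps every router, service and middleware) end up unauthenticated. Unrelated to the change but visible on the new side: `/var/run/docker.sock:/var/run/docker.sock:ro` is not a restriction, `:ro` only affects the socket inode while the Docker API remains fully writable, so a compromise of this container is root on the host; a read-only socket proxy in front of it is the usual mitigation and would deserve a comment here.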
@@ -0,0 +1,80 @@
+[http.middlewares.authentik.forwardAuth]
+address = "http://authentik:9000/outpost.goauthentik.io/auth/traefik"
+trustForwardHeader = true
+authResponseHeaders = [
+ "X-authentik-username",
+ "X-authentik-groups",
+ "X-authentik-email",
+ "X-authentik-name",
+ "X-authentik-uid",
+ "X-authentik-jwt",
+ "X-authentik-meta-jwks",
+ "X-authentik-meta-outpost",
+ "X-authentik-meta-provider",
+ "X-authentik-meta-app",
+ "X-authentik-meta-version",
+]
+
+[http.middlewares.compress.compress]
+
+[http.middlewares.http2https.redirectScheme]
+scheme = "https"
+permanent = true
+
+[http.middlewares.secHeaders.headers]
+browserXssFilter = true
+contentTypeNosniff = true
+frameDeny = true
+sslRedirect = true
+stsIncludeSubdomains = true
+stsPreload = true
+stsSeconds = 31_536_000
+customFrameOptionsValue = "SAMEORIGIN"
+referrerPolicy = "strict-origin-when-cross-origin"
+accesscontrolAllowMethods = ["GET", "OPTIONS", "POST"]
+accesscontrolAllowOriginList = ["https://korhonen.cc"]
+accessControlAllowHeaders = [
+ "Accept",
+ "Accept-Encoding",
+ "Accept-Language",
+ "Access-Control-Request-Headers",
+ "Access-Control-Request-Method",
+ "Connection",
+ "Content-Type",
+ "DNT",
+ "Host",
+ "Origin",
+ "Referer",
+ "Sec-Fetch-Dest",
+ "Sec-Fetch-Mode",
+ "Sec-Fetch-Site",
+ "User-Agent",
+]
+accesscontrolMaxAge = 100
+addVaryHeader = true
+
+[http.middlewares.nextcloud-redirect-dav.redirectRegex]
+permanent = true
+regex = "https://(.*)/.well-known/(card|cal)dav"
+replacement = "https://${1}/remote.php/dav/"
+
+[http.middlewares.nextcloud-redirect-extra.redirectRegex]
+permanent = true
+regex = "https://(.*)/.well-known/(webfinger|nodeinfo)"
+replacement = "https://${1}/index.php/.well-known/${2}"
+
+[http.middlewares.www2non-www.redirectregex]
+permanent = true
+regex = "^https?://www\\.(.+)"
+replacement = "https://${1}"
+
+[tls.options.default]
+minVersion = "VersionTLS12"
+cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+]
+
+[tls.options.mintls13]
+minVersion = "VersionTLS13"
diff --git a/docker/traefik/traefik.toml b/docker/traefik/traefik.toml
new file mode 100644
index 0000000..0e77454
--- /dev/null
+++ b/docker/traefik/traefik.toml
@@ -0,0 +1,41 @@
+[experimental]
+http3 = true
+
+[api]
+dashboard = true
+
+[entryPoints.http]
+address = ":80"
+
+[entryPoints.https]
+address = ":443"
+
+[entryPoints.https.http3]
+
+[entryPoints.https.http.tls]
+options = "default"
+certResolver = "letsEncrypt"
+
+[[entryPoints.https.http.tls.domains]]
+main = "korhonen.cc"
+sans = ["*.korhonen.cc"]
+
+[providers.docker]
+endpoint = "unix:///var/run/docker.sock"
+exposedByDefault = false
+
+[providers.file]
+filename = "/dynamic.toml"
+
+[certificatesResolvers.letsEncrypt.acme]
+email = "{{env 'ADMIN_EMAIL'}}"
+storage = "acme.json"
+
+[certificatesResolvers.letsEncrypt.acme.dnsChallenge]
+provider = "cloudflare"
+
+[accessLog]
+filePath = "/var/log/access.log"
+
+[accessLog.filters]
+statusCodes = ["400-499"]