Added traefik config

.gitignore

@@ -1 +1,2 @@
 .env.local
+_copy_to_traefik/tls

_copy_to_traefik/dynamic/dynamic.yml

@@ -0,0 +1,30 @@
+http:
+  serversTransports:
+    insecuretransport:
+      insecureSkipVerify: true
+  middlewares:
+    secureHeaders:
+      headers:
+        sslRedirect: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customFrameOptionsValue: "SAMEORIGIN"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=()"
+        customResponseHeaders:
+          X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/traefik/tls/cert.pem
+        keyFile: /etc/traefik/tls/key.pem
+  certificates:
+    - certFile: /etc/traefik/tls/cert.pem
+      keyFile: /etc/traefik/tls/key.pem
+

_copy_to_traefik/dynamic/fwd-auth-sysmgr.yml

@@ -0,0 +1,18 @@
+http:
+  middlewares:
+    authentik_sysmgr:
+      forwardAuth:
+        address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version

_copy_to_traefik/dynamic/ha.yml

@@ -0,0 +1,23 @@
+# http routing section
+http:
+  routers:
+    # Define a connection between requests and services
+    "to-ha":
+      rule: "Host(`ha.lksz.me`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+    # middlewares:
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: home-assistant
+      tls:
+        certresolver: myresolver
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    home-assistant:
+      loadBalancer:      
+        servers:
+        - url: "http://ha.lan:8123"
+        #- address: "ha.lan:8123"

_copy_to_traefik/dynamic/kasm-workspaces.yml

@@ -0,0 +1,42 @@
+# http routing section
+http:
+  routers:
+    # Define a connection between requests and services
+    "to-kasm-main":
+      rule: "Host(`k.szk.li`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+      middlewares:
+      - authentik_sysmgr
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: kasm-main
+      tls:
+        certresolver: myresolver
+
+    # Define a connection between requests and services
+    "to-kasm-setup":
+      rule: "Host(`ksetup.szk.li`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+      middlewares:
+      - authentik_sysmgr
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: kasm-setup
+      tls:
+        certresolver: myresolver
+
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    kasm-main:
+      loadBalancer:      
+        servers:
+        - url: "https://kasm-workspaces:8744"
+    kasm-setup:
+      loadBalancer:      
+        servers:
+        - url: "https://kasm-workspaces:8743"

_copy_to_traefik/dynamic/kateryna_apps.yml

@@ -0,0 +1,40 @@
+# http routing section
+http:
+  routers:
+    to-auth:
+      rule: "Host(`auth.lksz.me`)"
+      entrypoints:
+      - websecure
+      service: kateryna-traefik
+      tls:
+        certresolver: myresolver
+    to-syncthing:
+      rule: "Host(`sync.lksz.me`)" 
+      entrypoints:
+      - websecure
+      service: kateryna-traefik
+      tls:
+        certresolver: myresolver
+    to-kateryna:
+      rule: "Host(`kateryna.szk.li`)
+        || Host(`kateryna.lksz.me`)
+        || Host(`radarr.lksz.me`)
+        || Host(`sonarr.lksz.me`)
+        || Host(`prowlarr.lksz.me`)
+        || Host(`req.lksz.me`)
+        || Host(`jd.lksz.me`)
+        || Host(`nzb.lksz.me`)
+        || Host(`stats.player.lksz.me`)
+        "
+      entrypoints:
+      - websecure
+      service: kateryna-traefik
+      tls:
+        certresolver: myresolver
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    kateryna-traefik:
+      loadBalancer:
+        servers:
+        - url: https://kateryna.lksz.me

_copy_to_traefik/traefik.yml

@@ -0,0 +1,34 @@
+api:
+  dashboard: true
+  insecure: true
+
+providers:
+  docker:
+    endpoint: 'unix:///var/run/docker.sock'
+    watch: true
+    exposedByDefault: false
+  file:
+    directory: /etc/traefik/dynamic
+    watch: true
+
+entryPoints:
+  web:
+    address: ':80'
+    http:
+      redirections:
+        entryPoint:
+          to: 'websecure'
+          scheme: 'https'
+  websecure:
+    address: ':443'
+
+certificatesResolvers:
+  httpresolver:
+    acme:
+#     email: acme@thisprops.com
+      storage: /shared/acme.json
+      httpChallenge:
+        entryPoint: web
+
+log:
+  level: ERROR