dynamic traefik configuration improvements

turned out that --providers.file.directory cli switch didn't override the file settings, and so, remapping the /etc/traefik dirs was a better approach.

_traefik/dynamic/http.yml

@@ -0,0 +1,4 @@
+http:
+  serversTransports:
+    insecuretransport:
+      insecureSkipVerify: true

_traefik/dynamic/mw.fwd-auth-sysmgr.yml

@@ -0,0 +1,19 @@
+http:
+  middlewares:
+    authentik_sysmgr:
+      forwardAuth:
+        address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
+        # authResponseHeaders:
+        #   - X-authentik-username
+        #   - X-authentik-groups
+        #   - X-authentik-email
+        #   - X-authentik-name
+        #   - X-authentik-uid
+        #   - X-authentik-jwt
+        #   - X-authentik-meta-jwks
+        #   - X-authentik-meta-outpost
+        #   - X-authentik-meta-provider
+        #   - X-authentik-meta-app
+        #   - X-authentik-meta-version

_traefik/dynamic/mw.lan-only.yml

@@ -0,0 +1,8 @@
+# Accepts request from defined IP
+http:
+  middlewares:
+    lan-only:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.0.0/16"

_traefik/dynamic/mw.secureHeaders.yml

@@ -0,0 +1,16 @@
+http:
+  middlewares:
+    secureHeaders:
+      headers:
+        sslRedirect: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customFrameOptionsValue: "SAMEORIGIN"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=()"
+        customResponseHeaders:
+          X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"

_traefik/dynamic/rt.ha.yml

@@ -0,0 +1,23 @@
+# http routing section
+http:
+  routers:
+    # Define a connection between requests and services
+    "to-ha":
+      rule: "Host(`ha.lksz.me`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+    # middlewares:
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: home-assistant
+      tls:
+        certresolver: myresolver
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    home-assistant:
+      loadBalancer:      
+        servers:
+        - url: "http://ha.lan:8123"
+        #- address: "ha.lan:8123"

_traefik/dynamic/tls.yml

@@ -0,0 +1,9 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/traefik/tls/cert.pem
+        keyFile: /etc/traefik/tls/key.pem
+  certificates:
+    - certFile: /etc/traefik/tls/cert.pem
+      keyFile: /etc/traefik/tls/key.pem

_traefik/traefik.yml

@@ -0,0 +1,48 @@
+api:
+  dashboard: true
+  insecure: true
+
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    watch: true
+    exposedByDefault: false
+  file:
+    directory: /etc/traefik/dynamic
+    watch: true
+
+entryPoints:
+  web:
+    address: ':80'
+    forwardedHeaders:
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "172.16.0.0/12"
+    http:
+      redirections:
+        entryPoint:
+          to: 'websecure'
+          scheme: 'https'
+  websecure:
+    address: ':443'
+    forwardedHeaders:
+      trustedIPs:
+        - "127.0.0.1/32"
+        - "172.16.0.0/12"
+
+certificatesResolvers:
+  myresolver:
+    acme:
+      email: acme@thisprops.com
+      storage: /shared/acme.json
+      # httpChallenge:
+      #   entryPoint: web
+      #logging: true
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+        - 1.1.1.1:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[0]=1.1.1.1:53
+        - 8.8.8.8:53 # - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers[1]=8.8.8.8:53
+
+log:
+  level: INFO