dynamic traefik configuration improvements

turned out that --providers.file.directory cli switch didn't override the file settings, and so, remapping the /etc/traefik dirs was a better approach.

_traefik/dynamic/http.yml

@@ -0,0 +1,4 @@
+http:
+  serversTransports:
+    insecuretransport:
+      insecureSkipVerify: true

_traefik/dynamic/mw.fwd-auth-sysmgr.yml

@@ -0,0 +1,19 @@
+http:
+  middlewares:
+    authentik_sysmgr:
+      forwardAuth:
+        address: https://auth.szk.li/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeadersRegex: "^[Xx]-[Aa]uthentik"
+        # authResponseHeaders:
+        #   - X-authentik-username
+        #   - X-authentik-groups
+        #   - X-authentik-email
+        #   - X-authentik-name
+        #   - X-authentik-uid
+        #   - X-authentik-jwt
+        #   - X-authentik-meta-jwks
+        #   - X-authentik-meta-outpost
+        #   - X-authentik-meta-provider
+        #   - X-authentik-meta-app
+        #   - X-authentik-meta-version

_traefik/dynamic/mw.lan-only.yml

@@ -0,0 +1,8 @@
+# Accepts request from defined IP
+http:
+  middlewares:
+    lan-only:
+      ipWhiteList:
+        sourceRange:
+          - "127.0.0.1/32"
+          - "192.168.0.0/16"

_traefik/dynamic/mw.secureHeaders.yml

@@ -0,0 +1,16 @@
+http:
+  middlewares:
+    secureHeaders:
+      headers:
+        sslRedirect: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000
+        customFrameOptionsValue: "SAMEORIGIN"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        referrerPolicy: "strict-origin-when-cross-origin"
+        permissionsPolicy: "camera=(), microphone=(), geolocation=()"
+        customResponseHeaders:
+          X-Robots-Tag: "noindex,nofollow,nosnippet,noarchive,notranslate,noimageindex"

_traefik/dynamic/rt.ha.yml

@@ -0,0 +1,23 @@
+# http routing section
+http:
+  routers:
+    # Define a connection between requests and services
+    "to-ha":
+      rule: "Host(`ha.lksz.me`)" 
+      entrypoints:
+      - websecure
+    # # If the rule matches, applies the middleware
+    # middlewares:
+    # - test-user
+      # If the rule matches, forward to the whoami service (declared below)
+      service: home-assistant
+      tls:
+        certresolver: myresolver
+
+  services:
+    # Define how to reach an existing service on our infrastructure
+    home-assistant:
+      loadBalancer:      
+        servers:
+        - url: "http://ha.lan:8123"
+        #- address: "ha.lan:8123"

_traefik/dynamic/tls.yml

@@ -0,0 +1,9 @@
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/traefik/tls/cert.pem
+        keyFile: /etc/traefik/tls/key.pem
+  certificates:
+    - certFile: /etc/traefik/tls/cert.pem
+      keyFile: /etc/traefik/tls/key.pem