diff --git a/conf/traefik-conf/dynamic.yml b/conf/traefik-conf/dynamic.yml
index 50f30e7..76e6a02 100644
--- a/conf/traefik-conf/dynamic.yml
+++ b/conf/traefik-conf/dynamic.yml
@@ -1,9 +1,9 @@
 # Traefik Dynamic Configuration for External Services
 # This file handles routing to services NOT managed by Docker Swarm
 http:
-  #-----------------------------------------------------------------------------------
+  #-----------------------------------------------------------------------------------
   # EXTERNAL SERVICES SECTION
-  #-----------------------------------------------------------------------------------
+  #-----------------------------------------------------------------------------------
   services:
     unraid:
       loadBalancer:
@@ -14,9 +14,9 @@ http:
   #       servers:
   #         - url: "http://10.0.4.10:8096"
 
-  #-----------------------------------------------------------------------------------
+  #-----------------------------------------------------------------------------------
   # ROUTERS SECTION
-  #-----------------------------------------------------------------------------------
+  #-----------------------------------------------------------------------------------
   routers:
     # Local VPN-only services (*.swarm.home)
     unraid-local:
@@ -26,6 +26,19 @@ http:
         - websecure
       service: unraid
       tls: {}
+
+    # Public-facing services (*.frostlabs.me)
+    # Example: To add a public service, uncomment and customize:
+    # my-public-service:
+    #   rule: "Host(`myapp.frostlabs.me`)"
+    #   entryPoints:
+    #     - websecure
+    #   service: my-service-name
+    #   tls:
+    #     certResolver: cloudflare
+    #   middlewares:
+    #     - authentik  # Optional: Add authentication
+
     # emby:
     #   rule: "Host(`movies.swarm.home`)"
     #   entryPoints:
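Review bot: The example router template under `# Public-facing services (*.frostlabs.me)` lists only `authentik` under `middlewares`, while the `security-headers` and `rate-limit` middlewares this same commit defines further down in the file are never mentioned, so anyone who copies the template gets a public router with neither control. I would extend the commented list with `#     - security-headers` and `#     - rate-limit` (references inside the same file provider need no suffix). The template's `service: my-service-name` also resolves inside the file provider only; a one-line comment that a Swarm-managed service must be referenced with its provider suffix (`@swarm`) would prevent the most likely copy-paste failure.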
@@ -34,10 +47,11 @@ http:
     #   service: emby
     #   tls: {}
 
-  #-----------------------------------------------------------------------------------
+  #-----------------------------------------------------------------------------------
   # MIDDLEWARES SECTION
-  #-----------------------------------------------------------------------------------
+  #-----------------------------------------------------------------------------------
   middlewares:
+    # Authentik forward auth for protecting services
     authentik:
       forwardAuth:
         address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
@@ -48,3 +62,22 @@ http:
           - X-authentik-email
           - X-authentik-name
           - X-authentik-uid
+
+    # Security headers for public-facing services
+    security-headers:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        sslRedirect: true
+        forceSTSHeader: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+
+    # Rate limiting for public services
+    rate-limit:
+      rateLimit:
+        average: 100
+        period: 1s
+        burst: 50
diff --git a/conf/traefik-conf/static.yml b/conf/traefik-conf/static.yml
index 4d24c82..b31fe42 100644
--- a/conf/traefik-conf/static.yml
+++ b/conf/traefik-conf/static.yml
@@ -41,14 +41,16 @@ providers:
     watch: true
 
 # Certificate resolvers
-tls:
-  certificatesResolvers:
-    cloudflare:
-      acme:
-        email: john.allisonwin@outlook.com
-        storage: /certificates/acme.json
-        dnsChallenge:
-          provider: cloudflare
+certificatesResolvers:
+  cloudflare:
+    acme:
+      email: john.allisonwin@outlook.com
+      storage: /certificates/acme.json
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - 1.1.1.1:53
+          - 8.8.8.8:53
 
 # Logging
 log:
diff --git a/stacks/apps/outline/stack.yml b/stacks/apps/outline/stack.yml
index fde2ac8..fd74165 100644
--- a/stacks/apps/outline/stack.yml
+++ b/stacks/apps/outline/stack.yml
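Review bot: `sslRedirect: true` in the new `security-headers` middleware is a headers option that Traefik removed in v3 (it was already deprecated in v2 in favour of entrypoint-level redirection); the `traefik.swarm.network` labels elsewhere in this commit suggest v3, in which case the file provider rejects the middleware and any router that references it fails to load. Drop that line and do the HTTP-to-HTTPS redirect on the plain HTTP entrypoint instead. Independently, neither `security-headers` nor `rate-limit` is referenced by any router: the public routers in stacks/apps/outline/stack.yml and stacks/core/authentik/stack.yml changed in this same commit would need a label such as `- "traefik.http.routers.outline.middlewares=security-headers@file,rate-limit@file"` (and the authentik equivalent), so as committed these controls protect nothing. One caveat for `rate-limit`: it keys on the client IP by default, so if requests reach these routers through Cloudflare's proxy the limit is applied per Cloudflare edge address unless the entrypoint is configured to trust forwarded headers, which is not visible here.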
@@ -40,9 +40,11 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.swarm.network=homelab"
-      - "traefik.http.routers.outline.rule=Host(`flow.swarm.home`)"
+      # Public-facing domain with Let's Encrypt certificate
+      - "traefik.http.routers.outline.rule=Host(`flow.frostlabs.me`)"
       - "traefik.http.routers.outline.entrypoints=websecure"
       - "traefik.http.routers.outline.tls=true"
+      - "traefik.http.routers.outline.tls.certresolver=cloudflare"
       - "traefik.http.services.outline.loadbalancer.server.port=3000"
     depends_on:
       - redis
diff --git a/stacks/core/authentik/stack.yml b/stacks/core/authentik/stack.yml
index db699b7..2117e1e 100644
--- a/stacks/core/authentik/stack.yml
+++ b/stacks/core/authentik/stack.yml
@@ -61,9 +61,11 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.swarm.network=homelab"
+      # Public-facing domain with Let's Encrypt certificate
       - "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)"
       - "traefik.http.routers.authentik.entrypoints=websecure"
-      - "traefik.http.routers.authentik.tls=certificatesResolvers=cloudflare"
+      - "traefik.http.routers.authentik.tls=true"
+      - "traefik.http.routers.authentik.tls.certresolver=cloudflare"
       - "traefik.http.services.authentik.loadbalancer.server.port=9000"
 
     depends_on:
diff --git a/stacks/core/traefik/stack.yml b/stacks/core/traefik/stack.yml
index 0c5c1c7..f1f2b28 100644
--- a/stacks/core/traefik/stack.yml
+++ b/stacks/core/traefik/stack.yml
@@ -10,9 +10,9 @@ services:
       - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      # - /home/doc/projects/swarm/conf/traefik-conf/static.yml:/etc/traefik/traefik.yml:ro
       - /home/doc/projects/swarm/conf/traefik-conf/dynamic.yml:/etc/traefik/dynamic/dynamic.yml:rw
+      - /home/doc/projects/swarm-data/appdata/traefik/certificates:/certificates
     secrets:
       - cloudflare_api_token
     networks:
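Review bot: Changing the rule from `flow.swarm.home` to `flow.frostlabs.me` moves Outline from the name space that dynamic.yml documents as VPN-only to a public one, and the router still carries no `middlewares` label, so nothing at the edge gates it; the commit's own template in dynamic.yml treats `authentik` as the optional gate for exactly this kind of router. If Authentik login is meant to front this service, add `- "traefik.http.routers.outline.middlewares=authentik@file"` next to the new certresolver label; if Outline's built-in login is the intended control, a one-line comment saying so would keep the next reader from guessing. The surrounding service definition starts before this hunk, so whether the service is attached to a network that can reach the forward-auth address cannot be checked here.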
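Review bot: The new `/certificates` bind mount is where static.yml's `storage: /certificates/acme.json` will land, and that file holds the ACME account key and the private key of every issued certificate; nothing in this hunk constrains the host directory `/home/doc/projects/swarm-data/appdata/traefik/certificates`, so it should be created ahead of time with owner-only permissions (Traefik refuses an acme.json that is not mode 600, but the directory itself is outside its control), and a comment on the mount line saying `# holds acme.json: private keys, keep host dir 0700` would record that. This hunk also deletes the commented-out static.yml mount, so the `certificatesResolvers` block this commit adds to conf/traefik-conf/static.yml only takes effect if the static configuration reaches the container some other way (command-line flags or a baked-in file), which I cannot see from here and is worth confirming before relying on the new resolver.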