Configure Traefik for public-facing access with frostlabs.me domains

- Fixed certificatesResolvers configuration in static.yml (moved out of tls section)
- Added DNS resolvers to Cloudflare ACME challenge configuration
- Added persistent volume mount for Let's Encrypt certificates
- Updated Outline service labels to use flow.frostlabs.me with proper cert resolver
- Updated Authentik service labels to use auth.frostlabs.me with proper cert resolver
- Added security headers and rate limiting middlewares to dynamic.yml
- Added example templates for public-facing service configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

conf/traefik-conf/dynamic.yml

@@ -26,6 +26,19 @@ http:
       - websecure
       service: unraid
       tls: {}
+
+    # Public-facing services (*.frostlabs.me)
+    # Example: To add a public service, uncomment and customize:
+    # my-public-service:
+    #   rule: "Host(`myapp.frostlabs.me`)"
+    #   entryPoints:
+    #   - websecure
+    #   service: my-service-name
+    #   tls:
+    #     certResolver: cloudflare
+    #   middlewares:
+    #   - authentik  # Optional: Add authentication
+
     # emby:
     #   rule: "Host(`movies.swarm.home`)"
     #   entryPoints:
@@ -38,6 +51,7 @@ http:
     #                          MIDDLEWARES SECTION
     #-----------------------------------------------------------------------------------
   middlewares:
+    # Authentik forward auth for protecting services
     authentik:
       forwardAuth:
         address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
@@ -48,3 +62,22 @@ http:
         - X-authentik-email
         - X-authentik-name
         - X-authentik-uid
+
+    # Security headers for public-facing services
+    security-headers:
+      headers:
+        frameDeny: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        sslRedirect: true
+        forceSTSHeader: true
+        stsSeconds: 31536000
+        stsIncludeSubdomains: true
+        stsPreload: true
+
+    # Rate limiting for public services
+    rate-limit:
+      rateLimit:
+        average: 100
+        period: 1s
+        burst: 50

conf/traefik-conf/static.yml

@@ -41,7 +41,6 @@ providers:
     watch: true
 
 # Certificate resolvers
-tls:
 certificatesResolvers:
   cloudflare:
     acme:
@@ -49,6 +48,9 @@ tls:
       storage: /certificates/acme.json
       dnsChallenge:
         provider: cloudflare
+        resolvers:
+          - 1.1.1.1:53
+          - 8.8.8.8:53
 
 # Logging
 log:

stacks/apps/outline/stack.yml

@@ -40,9 +40,11 @@ services:
       labels:
       - "traefik.enable=true"
       - "traefik.swarm.network=homelab"
-      - "traefik.http.routers.outline.rule=Host(`flow.swarm.home`)"
+      # Public-facing domain with Let's Encrypt certificate
+      - "traefik.http.routers.outline.rule=Host(`flow.frostlabs.me`)"
       - "traefik.http.routers.outline.entrypoints=websecure"
       - "traefik.http.routers.outline.tls=true"
+      - "traefik.http.routers.outline.tls.certresolver=cloudflare"
       - "traefik.http.services.outline.loadbalancer.server.port=3000"
     depends_on:
     - redis

stacks/core/authentik/stack.yml

@@ -61,9 +61,11 @@ services:
       labels:
       - "traefik.enable=true"
       - "traefik.swarm.network=homelab"
+      # Public-facing domain with Let's Encrypt certificate
       - "traefik.http.routers.authentik.rule=Host(`auth.frostlabs.me`)"
       - "traefik.http.routers.authentik.entrypoints=websecure"
-      - "traefik.http.routers.authentik.tls=certificatesResolvers=cloudflare"
+      - "traefik.http.routers.authentik.tls=true"
+      - "traefik.http.routers.authentik.tls.certresolver=cloudflare"
       - "traefik.http.services.authentik.loadbalancer.server.port=9000"
 
     depends_on:

stacks/core/traefik/stack.yml

@@ -10,9 +10,9 @@ services:
     - CF_DNS_API_TOKEN_FILE=/run/secrets/cloudflare_api_token
     volumes:
     - /var/run/docker.sock:/var/run/docker.sock:ro
-    #
     - /home/doc/projects/swarm/conf/traefik-conf/static.yml:/etc/traefik/traefik.yml:ro
     - /home/doc/projects/swarm/conf/traefik-conf/dynamic.yml:/etc/traefik/dynamic/dynamic.yml:rw
+    - /home/doc/projects/swarm-data/appdata/traefik/certificates:/certificates
     secrets:
     - cloudflare_api_token
     networks: