swarm-production/conf/traefik-conf/dynamic.yml

# Traefik Dynamic Configuration for External Services
# This file handles routing to services NOT managed by Docker Swarm
http:
  #-----------------------------------------------------------------------------------
  #                          EXTERNAL SERVICES SECTION
  #-----------------------------------------------------------------------------------
  services:
    unraid:
      loadBalancer:
        servers:
        - url: "http://10.0.4.10:80"
      # emby:
      #   loadBalancer:
      #     servers:
      #     - url: "http://10.0.4.10:8096"
    # peertube:
    #   loadBalancer:
    #     servers:
    #     - url: "http://10.0.4.10:9000"
    #-----------------------------------------------------------------------------------
    #                          ROUTERS SECTION
    #-----------------------------------------------------------------------------------
  routers:
    # Local VPN-only services (*.swarm.home)
    unraid:
      rule: "Host(`unraid.frostlabs.me`)"
      entryPoints:
      - websecure
      service: unraid
      middlewares:
        - authentik
      tls:
        certResolver: cloudflare

    # peertube:
    #   rule: "Host(`videos.frostlabs.me`)"
    #   entryPoints:
    #   - websecure
    #   service: peertube
    #   tls:
    #     certResolver: cloudflare
    #-----------------------------------------------------------------------------------
    #                          MIDDLEWARES SECTION
    #-----------------------------------------------------------------------------------
  middlewares:
    # Authentik forward auth for protecting services
    authentik:
      forwardAuth:
        address: "http://authentik_server:9000/outpost.goauthentik.io/auth/traefik"
        trustForwardHeader: true
        authResponseHeaders:
        - X-authentik-username
        - X-authentik-groups
        - X-authentik-email
        - X-authentik-name
        - X-authentik-uid

    # Security headers for public-facing services
    security-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        sslRedirect: true
        forceSTSHeader: true
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        stsPreload: true

    # Rate limiting for public services
    rate-limit:
      rateLimit:
        average: 100
        period: 1s
        burst: 50