initial commit, here be dragons

roles/traefik/files/traefik

@@ -0,0 +1,8 @@
+/srv/traefik/logs/access.log
+/srv/traefik/logs/traefik.log
+{
+  rotate 12
+  monthly
+  compress
+  missingok
+}

roles/traefik/files/traefik.yml

@@ -0,0 +1,128 @@
+---
+# Traefik static config options
+# Only loaded on startup!
+
+global:
+  sendAnonymousUsage: false
+
+#serversTransport:
+#  insecureSkipVerify: true
+
+entryPoints:
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  websecure:
+    address: ":443"
+
+providers:
+  file:
+    filename: "/etc/traefik/traefik.yml"
+  docker:
+    watch: true
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+    network: traefik
+
+api:
+  dashboard: true
+
+metrics:
+  prometheus: { }
+
+ping: { }
+
+log:
+  level: WARN
+
+accessLog:
+  filePath: "/data/logs/access.log"
+  bufferingSize: 128
+
+certificatesResolvers:
+  letsencrypt:
+    acme:
+      email: "changeme@chaospott.de"
+      caServer: "https://acme-v02.api.letsencrypt.org/directory"
+      storage: "/data/acme.json"
+      keyType: "EC384"
+      #httpChallenge:
+      #  entryPoint: web
+      dnsChallenge:
+        provider: inwx # more available at: https://doc.traefik.io/traefik/https/acme/#providers
+        # Checked by traefik before issuing LE, need to be public DNS server!
+        # Quad9
+        resolvers: [ "9.9.9.9", "2620:fe::fe" ]
+  letsencrypt-staging: # this is for testing new services
+    acme:
+      email: "changeme@chaospott.de"
+      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
+      storage: "/data/acme-staging.json"
+      keyType: "EC384"
+      #httpChallenge:
+      #  entryPoint: web
+      dnsChallenge:
+        provider: inwx
+        # Checked by traefik before issuing LE, need to be public DNS server!
+        # Quad9
+        resolvers: [ "9.9.9.9", "2620:fe::fe" ]
+
+
+###
+# Traefik dynamic configuration options
+# File is live-reloaded.
+# Not all dynamic options can be set via labels. This is why some general, dynamic
+# traefik options are configured here instead on labels.
+# See also: https://github.com/traefik/traefik/issues/5507
+
+tls:
+  options:
+    default:
+      sniStrict: true
+#     # Forced TLS v1.3 still causes issues like renovate failing to check our repos
+#      minVersion: "VersionTLS13"
+#     # TLS v1.2 Alternative config for more compatibility
+      minVersion: "VersionTLS12"
+      cipherSuites:
+        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
+        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
+
+# global HTTP config
+http:
+  routers:
+    api:
+      rule: "Host(`traefik.chaospott.de`)"
+      service: api@internal
+      middlewares: [ "dashboard-auth" ]
+      tls:
+        certResolver: "letsencrypt"
+        # generate cert for main domain and wildcard (requires DNS-01)
+        domains:
+          - main: "chaospott.de"
+          - main: "*.chaospott.de"
+  middlewares:
+    redirect-to-https:
+      redirectScheme:
+        scheme: "https"
+    hsts-header:
+      headers:
+        # HSTSPreload is an initiative that forces browsers to only access a website
+        #  via HTTPS. This implies some requirements. https://hstspreload.org/
+        customResponseHeaders:
+          frameDeny: true # forbid embedding into frames
+          sslRedirect: true
+          stsSeconds: 3600 # Must be at least 31536000 (1-year) for HSTSPreload
+          stsPreload: true # HSTSPreload requirement
+          stsIncludeSubdomains: true # HSTSPreload requirement
+          browserXssFilter: true
+    dashboard-auth:
+      basicauth:
+        users: "admin:htpasswd-generated-password"