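---
# Traefik static config options
# Only loaded on startup! (a restart is required after editing this section)
global:
  # Opt out of Traefik's anonymous usage statistics.
  sendAnonymousUsage: false

# Left disabled on purpose: enabling this would make Traefik skip TLS
# certificate verification towards every backend.
#serversTransport:
#  insecureSkipVerify: true

entryPoints:
  web:
    address: ":80"
    http:
      # Every plain-HTTP request is redirected to the TLS entrypoint.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers:
  # The dynamic section at the bottom of this same file is loaded through the
  # file provider.
  file:
    filename: "/etc/traefik/traefik.yml"
  docker:
    watch: true
    endpoint: "unix:///var/run/docker.sock"
    # Containers are only routed when explicitly labelled (no implicit exposure).
    exposedByDefault: false
    network: traefik

api:
  # The dashboard is not exposed in insecure mode; it is only reachable through
  # the "api" router below, which is protected by the dashboard-auth middleware.
  dashboard: true

metrics:
  # NOTE(review): Prometheus metrics and ping are served on Traefik's internal
  # "traefik" entryPoint, which is not defined here — confirm it is not
  # published outside the docker network.
  prometheus: {}

ping: {}

log:
  level: WARN

accessLog:
  filePath: "/data/logs/access.log"
  bufferingSize: 128

certificatesResolvers:
  letsencrypt:
    acme:
      # Placeholder address; replace before issuing real certificates.
      email: "changeme@chaospott.de"
      caServer: "https://acme-v02.api.letsencrypt.org/directory"
      storage: "/data/acme.json"
      keyType: "EC384"
      # HTTP-01 is disabled; DNS-01 is used so that wildcard certs can be issued.
      #httpChallenge:
      #  entryPoint: web
      dnsChallenge:
        # Provider credentials are expected from the environment, not this file.
        # More available at: https://doc.traefik.io/traefik/https/acme/#providers
        provider: inwx
        # Checked by traefik before issuing LE, need to be public DNS server!
        # Quad9
        resolvers: ["9.9.9.9", "2620:fe::fe"]
  letsencrypt-staging:
    # This is for testing new services (staging certificates are not trusted
    # by browsers, but do not count against rate limits).
    acme:
      email: "changeme@chaospott.de"
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      storage: "/data/acme-staging.json"
      keyType: "EC384"
      #httpChallenge:
      #  entryPoint: web
      dnsChallenge:
        provider: inwx
        # Checked by traefik before issuing LE, need to be public DNS server!
        # Quad9
        resolvers: ["9.9.9.9", "2620:fe::fe"]

###
# Traefik dynamic configuration options
# This part of the file is live-reloaded.
# Not all dynamic options can be set via labels. This is why some general,
# dynamic traefik options are configured here instead of via labels.
# See also: https://github.com/traefik/traefik/issues/5507
tls:
  options:
    default:
      # Reject TLS connections that do not carry a matching SNI host name
      # (otherwise the default certificate would be served).
      sniStrict: true
      # Forced TLS v1.3 still causes issues like renovate failing to check our repos
      # minVersion: "VersionTLS13"
      # TLS v1.2 alternative config for more compatibility.
      minVersion: "VersionTLS12"
      # The list below only governs TLS 1.2 handshakes; TLS 1.3 suites are fixed
      # by Go and cannot be configured here. AEAD, forward-secret suites only.
      cipherSuites:
        - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
        - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"
        - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"

# global HTTP config
http:
  routers:
    api:
      rule: "Host(`traefik.chaospott.de`)"
      service: api@internal
      # Basic auth is the only protection in front of the dashboard; keep it.
      # NOTE(review): hsts-header is not attached here — for HSTS preload every
      # host under the domain must send the header; confirm it is added via
      # labels or add it to this list.
      middlewares: ["dashboard-auth"]
      tls:
        certResolver: "letsencrypt"
        # Generate cert for main domain and wildcard (requires DNS-01).
        domains:
          - main: "chaospott.de"
          - main: "*.chaospott.de"

  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: "https"

    hsts-header:
      headers:
        # HSTSPreload is an initiative that forces browsers to only access a
        # website via HTTPS. This implies some requirements. https://hstspreload.org/
        #
        # customResponseHeaders is a map of literal header names to values.
        # The hardening options below are siblings of it, NOT children — nesting
        # them under customResponseHeaders would emit bogus headers such as
        # "frameDeny: true" and silently drop the real HSTS/X-Frame-Options
        # settings.
        customResponseHeaders: {}
        frameDeny: true  # forbid embedding into frames (X-Frame-Options: DENY)
        # Redundant with the entryPoint redirection above, kept for middlewares
        # attached on routers that bypass it.
        sslRedirect: true
        # Must be at least 31536000 (1 year) for HSTSPreload; the previous value
        # of 3600 made stsPreload ineffective. Once browsers have cached this,
        # the domain cannot easily fall back to plain HTTP.
        stsSeconds: 31536000
        stsPreload: true  # HSTSPreload requirement
        stsIncludeSubdomains: true  # HSTSPreload requirement
        # X-XSS-Protection; largely ignored by current browsers, harmless to keep.
        browserXssFilter: true

    dashboard-auth:
      basicauth:
        # Placeholder; must be an htpasswd-style hash, never a clear-text
        # password, and should be injected rather than committed.
        users: "admin:htpasswd-generated-password"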