Configure traefik

traefik/.env.template

@@ -0,0 +1,2 @@
+CF_API_EMAIL=markus@bitsandbobs.net
+CF_API_KEY=YOUR_CLOUDFLARE_API_TOKEN_HERE

traefik/acme.json

@@ -0,0 +1,6 @@
+{
+  "let's encrypt": {
+    "email": "markus@bitsandbobs.net",
+    "caaPropagationTimeout": 30
+  }
+}

traefik/config.yml

@@ -0,0 +1,30 @@
+api:
+  dashboard: true
+  insecure: false
+
+entryPoints:
+  http:
+    address: ":80"
+  https:
+    address: ":443"
+    http:
+      tls:
+        certResolver: letsencrypt
+
+certificateResolvers:
+  letsencrypt:
+    acme:
+      email: markus@bitsandbobs.net
+      storage: /acme.json
+      dnsChallenge:
+        provider: cloudflare
+        resolvers:
+          - "1.1.1.1:53"
+          - "8.8.8.8:53"
+
+providers:
+  file:
+    filename: /etc/traefik/middleware.yml
+  docker:
+    network: public
+    exposedByDefault: false

traefik/docker-compose.yml

@@ -0,0 +1,41 @@
+services:
+  traefik:
+    image: traefik:v3.7.5
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    ports:
+      - "80:80"
+      - "443:443"
+    environment:
+      - CF_API_EMAIL=${CF_API_EMAIL}
+      - CF_API_KEY=${CF_API_KEY}
+    env_file:
+      - .env
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - ./config.yml:/etc/traefik/traefik.yml:ro
+      - ./middleware.yml:/etc/traefik/middleware.yml:ro
+      - ./acme.json:/acme.json
+    networks:
+      - public
+
+  whoami:
+    image: traefik/whoami
+    container_name: whoami
+    restart: unless-stopped
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.whoami.rule=Host(`whoami.bnb1.net`)"
+      - "traefik.http.routers.whoami.entrypoints=https"
+      - "traefik.http.routers.whoami.middlewares=secure-headers@file"
+      - "traefik.http.routers.whoami.tls=true"
+      - "traefik.http.services.whoami.loadbalancer.server.port=80"
+    networks:
+      - public
+
+networks:
+  public:
+    name: public

traefik/middleware.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    secure-headers:
+      headers:
+        sslRedirect: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsPreload: true
+        stsSeconds: 31536000