revised approach

traefik/compose.yml

@@ -0,0 +1,22 @@
+services:
+  ingress:
+    image: traefik:latest
+    restart: unless-stopped
+    command:
+      - --configFile=/etc/traefik/traefik.yml
+    ports:
+      - 80:80/tcp
+      - 443:443/tcp
+      - 443:443/udp
+      - 8080:8080/tcp
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /var/log/traefik:/var/log/traefik
+      - ./etc:/etc/traefik:ro
+      - ./tls:/letsencrypt
+    networks:
+      - traefik
+
+networks:
+  traefik:
+    external: true

traefik/etc/dynamic.yml

@@ -1,50 +1,167 @@
+defaultTLS: &defaultTLS
+  minVersion: VersionTLS13
+  cipherSuites:
+    - TLS_AES_256_GCM_SHA384
+    - TLS_AES_128_GCM_SHA256
+    - TLS_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+    - TLS_FALLBACK_SCSV
+
 tls:
   options:
-    docs:
-      minVersion: VersionTLS13
-      cipherSuites:
-        - TLS_AES_256_GCM_SHA384
-        - TLS_AES_128_GCM_SHA256
-        - TLS_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-        - TLS_FALLBACK_SCSV
-    dashboard:
-      minVersion: VersionTLS13
-      cipherSuites:
-        - TLS_AES_256_GCM_SHA384
-        - TLS_AES_128_GCM_SHA256
-        - TLS_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
-        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-        - TLS_FALLBACK_SCSV
+    external:
+      <<: *defaultTLS
+
+    internal:
       clientAuth:
         caFiles:
           - /etc/traefik/com.rskio.ca.crt
         clientAuthType: RequireAndVerifyClientCert
+      <<: *defaultTLS
 
 http:
   routers:
-    traefik-dashboard:
-      rule: "Host(`oxy.rskio.com`)"
-      service: "api@internal"
+    stream:
+      rule: Host(`stream.rskio.com`)
+      service: stream@file
       entryPoints:
-        - "websecure"
-      middlewares:
-        - "redirect-dashboard"
+        - websecure
       tls:
-        options: dashboard@file
+        options: external@file
         certResolver: rskio_certresolver
+
+    #    storage:
+    #      rule: Host(`storage.rskio.com`)
+    #      service: storage@file
+    #      entryPoints:
+    #        - websecure
+    #      tls:
+    #        options: internal@file
+    #        certResolver: rskio_certresolver
+    #
+    #    metrics:
+    #      rule: Host(`metrics.rskio.com`)
+    #      service: metrics@file
+    #      entryPoints:
+    #        - websecure
+    #      tls:
+    #        options: internal@file
+    #        certResolver: rskio_certresolver
+
+    pihole:
+      rule: Host(`dns.rskio.com`)
+      service: pihole@file
+      entryPoints:
+        - websecure
+      middlewares:
+        - redirect-pihole
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+    #    ghost:
+    #      rule: Host(`blog.rskio.com`)
+    #      service: ghost@file
+    #      entryPoints:
+    #        - websecure
+    #      middlewares:
+    #        - secureHeaders
+    #      tls:
+    #        options: external@file
+    #        certResolver: rskio_certresolver
+
+    network:
+      rule: Host(`network.rskio.com`)
+      service: network@file
+      entryPoints:
+        - websecure
+      middlewares:
+        - secureHeaders
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+    core01kvm:
+      rule: Host(`core01.rskio.com`)
+      service: core01kvm@file
+      entrypoints:
+        - websecure
+      middlewares:
+        - secureHeaders
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+    traefik-dashboard:
+      rule: Host(`oxy.rskio.com`)
+      service: api@internal
+      entryPoints:
+        - websecure
+      middlewares:
+        - redirect-dashboard
+      tls:
+        options: internal@file
+        certResolver: rskio_certresolver
+
+  serversTransports:
+    backendIgnoreTLS:
+      insecureSkipVerify: true
+
+  services:
+    stream:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.179:8096"
+
+    #    storage:
+    #      loadBalancer:
+    #        servers:
+    #          - url: "https://192.168.1.230:8443"
+    #        serversTransport: backendIgnoreTLS
+    #
+    #    metrics:
+    #      loadBalancer:
+    #        servers:
+    #          - url: "https://192.168.1.230:3000"
+    #        serversTransport: backendIgnoreTLS
+
+    pihole:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.152:8001"
+
+    #    ghost:
+    #      loadBalancer:
+    #        servers:
+    #          - url: "http://192.168.1.152:2368"
+
+    network:
+      loadBalancer:
+        servers:
+          - url: "https://192.168.1.254"
+        serversTransport: backendIgnoreTLS
+
+    core01kvm:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.202"
+
   middlewares:
     redirect-dashboard:
       redirectRegex:
         regex: "^https?://([^/]+)/?$"
         replacement: "https://${1}/dashboard/"
         permanent: true
+
+    redirect-pihole:
+      redirectRegex:
+        regex: "^https?://([^/]+)/?$"
+        replacement: "https://${1}/admin/"
+        permanent: true
+
     secureHeaders:
       headers:
         browserXssFilter: true

traefik/etc/traefik.yml

@@ -37,7 +37,7 @@ api:
 providers:
   docker:
     endpoint: unix:///var/run/docker.sock
-    network: hq_default
+    network: traefik
     exposedByDefault: false
   file:
     filename: /etc/traefik/dynamic.yml