hq/traefik/etc/dynamic.yml
2026-02-14 08:31:25 +00:00


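# Shared TLS baseline. The anchor lets each entry under tls.options merge
# these settings with `<<` instead of repeating them.
defaultTLS: &defaultTLS
  # TLS 1.3 is the lowest protocol version offered.
  minVersion: VersionTLS13
  # NOTE(review): Traefik documents cipher suites as not configurable for
  # TLS 1.3, so with the floor above this list appears to have no effect. It
  # would only start to matter if minVersion were lowered to TLS 1.2. Confirm
  # against the deployed Traefik version before relying on it.
  cipherSuites:
    # TLS 1.3 suite names.
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    # TLS 1.2 ECDHE suites with AEAD ciphers.
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    # NOTE(review): this is a downgrade-signalling value sent by clients, not
    # a negotiable cipher; verify that listing it on the server is intended.
    - TLS_FALLBACK_SCSV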
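# Named TLS option sets. Routers select one via `tls.options: <name>@file`.
tls:
  options:
    # Public-facing hosts: protocol baseline only, no client certificate.
    external:
      # `<<` is the YAML 1.1 merge key: a shallow merge in which keys written
      # explicitly in this mapping win over merged ones.
      <<: *defaultTLS
    # Restricted hosts: same baseline plus mutual TLS.
    internal:
      clientAuth:
        # Client certificates must chain to this CA. Every certificate it
        # issues is accepted on every router that uses `internal`, so
        # issuance from this CA is the effective access-control list.
        caFiles:
          - /etc/traefik/com.rskio.ca.crt
        # The handshake fails unless a valid client certificate is presented.
        clientAuthType: RequireAndVerifyClientCert
      <<: *defaultTLS
    # NOTE(review): TLS options are picked from the SNI during the handshake,
    # while routing uses the HTTP Host header. Confirm the deployed Traefik
    # version refuses requests whose SNI and Host map to different TLS
    # options, since the client-certificate requirement on `internal` relies
    # on that.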
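# HTTP routing: routers (host -> service), backend transports, backend
# services, and middlewares.
http:
  routers:
    # Every router listens only on the `websecure` entry point and names the
    # same certificate resolver; the resolver itself is defined outside this
    # file.

    # External TLS options: no client certificate is required.
    # NOTE(review): no middleware is attached, so the `secureHeaders`
    # settings (HSTS, nosniff, frame deny) are not applied to this host.
    stream:
      rule: Host(`stream.rskio.com`)
      service: stream@file
      entryPoints:
        - websecure
      tls:
        options: external@file
        certResolver: rskio_certresolver

    # Internal TLS options: client certificate required.
    pihole:
      rule: Host(`dns.rskio.com`)
      service: pihole@file
      entryPoints:
        - websecure
      middlewares:
        - redirect-pihole
      tls:
        options: internal@file
        certResolver: rskio_certresolver

    # The only router in this file that attaches `secureHeaders`.
    network:
      rule: Host(`network.rskio.com`)
      service: network@file
      entryPoints:
        - websecure
      middlewares:
        - secureHeaders
      tls:
        options: internal@file
        certResolver: rskio_certresolver

    # Traefik's own API/dashboard. The client-certificate requirement of
    # `internal@file` is the only access control visible in this file; no
    # auth middleware is attached.
    traefik-dashboard:
      rule: Host(`oxy.rskio.com`)
      service: api@internal
      entryPoints:
        - websecure
      middlewares:
        - redirect-dashboard
      tls:
        options: internal@file
        certResolver: rskio_certresolver

    # External TLS options and no middleware, same as `stream`.
    gitea:
      rule: Host(`git.rskio.com`)
      service: gitea@file
      entryPoints:
        - websecure
      tls:
        options: external@file
        certResolver: rskio_certresolver

  serversTransports:
    # Used by the `stage` and `network` services for their https:// backends.
    backendIgnoreTLS:
      # NOTE(review): this turns off verification of the backend's
      # certificate, so the proxy-to-backend hop is encrypted but the backend
      # is not authenticated. If the backends can be issued certificates from
      # a private CA, setting `rootCAs` and `serverName` on this transport
      # would restore verification.
      insecureSkipVerify: true

  services:
    # Plain-HTTP backend: the hop from the proxy to the backend is
    # unencrypted.
    stream:
      loadBalancer:
        servers:
          - url: "http://192.168.1.179:8096"

    # NOTE(review): no router in the visible part of this file references
    # this service.
    stage:
      loadBalancer:
        servers:
          - url: "https://192.168.1.25"
        serversTransport: backendIgnoreTLS

    # Plain-HTTP backend.
    gitea:
      loadBalancer:
        servers:
          - url: "http://192.168.1.56:9000"

    # Plain-HTTP backend.
    pihole:
      loadBalancer:
        servers:
          - url: "http://192.168.1.152:8001"

    # HTTPS backend reached without certificate verification (see the
    # `backendIgnoreTLS` transport).
    network:
      loadBalancer:
        servers:
          - url: "https://192.168.1.254"
        serversTransport: backendIgnoreTLS

    # NOTE(review): plain-HTTP backend that no router in the visible part of
    # this file references.
    core01kvm:
      loadBalancer:
        servers:
          - url: "http://192.168.1.202"

  middlewares:
    # Redirects a request for the bare site root to the dashboard path. The
    # pattern matches only a URL with an empty path, and the target reuses
    # the captured host, which the router rule has already constrained.
    redirect-dashboard:
      redirectRegex:
        regex: "^https?://([^/]+)/?$"
        replacement: "https://${1}/dashboard/"
        permanent: true

    # Same pattern, sending the bare root to the admin path.
    redirect-pihole:
      redirectRegex:
        regex: "^https?://([^/]+)/?$"
        replacement: "https://${1}/admin/"
        permanent: true

    # Response-header hardening. Attached only to the `network` router in
    # this file.
    secureHeaders:
      headers:
        # Sets the legacy X-XSS-Protection header.
        browserXssFilter: true
        contentTypeNosniff: true
        # Sends the HSTS header even when the connection is not HTTPS.
        forceSTSHeader: true
        frameDeny: true
        referrerPolicy: "same-origin"
        # NOTE(review): `sslRedirect` was deprecated in later Traefik v2
        # releases and is no longer accepted in v3. The routers here listen
        # only on `websecure`, so it is likely redundant. Confirm against the
        # deployed version.
        sslRedirect: true
        # HSTS max-age of one year. Subdomains are not included.
        stsSeconds: 31536000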