docker: update traefik reverse proxy dockerfile

docker/.gitignore

@@ -1 +1,2 @@
 .env
+**/.env

docker/jackett.yaml

@@ -1,18 +0,0 @@
-version: "3"
-services:  
-  jackett:
-    image: "linuxserver/jackett"
-    container_name: "jackett"
-    env_file:
-        ./.env
-    volumes:
-      - ${DOCKERDIR}/appdata/jackett:/config
-      - ${DATADIR}/downloads:/downloads
-      - "/etc/localtime:/etc/localtime:ro"
-    ports:
-      - "9117:9117"
-    restart: unless-stopped
-    environment:
-      - PUID=${PUID}
-      - PGID=${PGID}
-      - TZ=${TZ}

docker/portainer.yaml

@@ -1,9 +1,8 @@
-version: "3"
 services:
   portainer:
     image: portainer/portainer-ce:latest
-    ports:
+    # ports:
-      - 9000:9000
+    #   - 9000:9000
     volumes:
       - /home/taqi/docker/portainer/data:/data
       - /var/run/docker.sock:/var/run/docker.sock:ro

docker/radarr.yaml

@@ -1,21 +0,0 @@
-version: "3"
-services:  
-  radarr:
-    image: "linuxserver/radarr"
-    container_name: "radarr"
-    env_file:
-        ./.env
-    volumes:
-      - ${DOCKERDIR}/appdata/radarr:/config
-      - ${DATADIR}/downloads:/downloads
-      - ${DATADIR}/movies:/movies
-      - "/etc/localtime:/etc/localtime:ro"
-    ports:
-      - "7878:7878"
-    restart: always
-    environment:
-      - PUID=${PUID}
-      - PGID=${PGID}
-      - TZ=${TZ}
-    networks:
-      - bridge

docker/traefik/traefik-rules.yaml

@@ -0,0 +1,36 @@
+http:
+  middlewares:
+    # Rate Limiting Middleware
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 100
+        period: 1m
+
+    # Security Headers Middleware
+    middlewares-secure-headers:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        frameDeny: true
+        permissionsPolicy: "GEOLOCATION 'none'; MICROPHONE 'none'; CAMERA 'none'"
+        referrerPolicy: "strict-origin-when-cross-origin"
+        stsIncludeSubdomains: true
+        stsMaxAge: 63072000
+        stsPreload: true
+        customFrameOptionsValue: "SAMEORIGIN"
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+
+tls:
+  options:
+    default:
+      #sniStrict: true # prevents leaking default cert; see https://doc.traefik.io/traefik/v2.2/https/tls/#strict-sni-checking
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

docker/traefik/traefik.yaml

@@ -1,5 +1,3 @@
-version: '3.8'
-
 networks:
   t3_proxy:
     name: t3_proxy
@@ -8,16 +6,10 @@ networks:
       config:
         - subnet: 192.168.90.0/24
 
-secrets:
-  basic_auth_credentials:
-    file: $DOCKERDIR/secrets/basic_auth_credentials
-  cf_dns_api_token:
-    file: $DOCKERDIR/secrets/cf_dns_api_token
-
 services:
   traefik:
     container_name: traefik
-    image: traefik:3.0
+    image: traefik:3.6.6
     restart: unless-stopped
     env_file:
       - ./.env
@@ -36,7 +28,6 @@ services:
       - --api=true
       - --api.dashboard=true
       # - --api.insecure=true
-      - --entrypoints.websecure.forwardedHeaders.trustedIPs=$CLOUDFLARE_IPS,$LOCAL_IPS
       - --log=true
       - --log.filePath=/logs/traefik.log
       - --log.level=DEBUG
@@ -52,6 +43,7 @@ services:
       - --entrypoints.websecure.http.tls.domains[0].sans=*.$DOMAINNAME
       - --providers.file.directory=/rules
       - --providers.file.watch=true
+      - --certificatesresolvers.dns-cloudflare.acme.email=${CLOUDFLARE_EMAIL}
       - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
       - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
@@ -59,38 +51,23 @@ services:
       # - 80:80
       - 443:443
       - 8080:8080
-      # - target: 80
-      #   published: 80
-      #   protocol: tcp
-      #   mode: host
-      # - target: 443
-      #   published: 443
-      #   protocol: tcp
-      #   mode: host
-      # - target: 8080
-      #   published: 8585
-      #   protocol: tcp
-      #   mode: host
     volumes:
-      - $DOCKERDIR/appdata/traefik3/rules/$HOSTNAME:/rules
+      - ./traefik-rules.yaml:/rules/traefik-rules.yaml
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      - $DOCKERDIR/appdata/traefik3/acme/acme.json:/acme.json
+      - $DOCKERDIR/appdata/traefik/acme/acme.json:/acme.json
-      - $DOCKERDIR/logs/$HOSTNAME/traefik:/logs
+      - $DOCKERDIR/logs/traefik:/logs
     environment:
       - PUID=${PUID}
       - PGID=${PGID}
       - TZ=$TZ
-      - CF_DNS_API_TOKEN_FILE=/run/secrets/cf_dns_api_token
+      - CF_DNS_API_TOKEN=${CLOUDFLARE_TOKEN}
-      - HTPASSWD_FILE=/run/secrets/basic_auth_credentials
       - DOMAINNAME=${DOMAINNAME}
-    secrets:
+      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
-      - cf_dns_api_token
-      - basic_auth_credentials
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.dashboard.tls=true"
-      - "traefik.http.routers.traefik-rtr.entrypoints=websecure"
+      - "traefik.http.routers.api.entrypoints=websecure"
-      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.${DOMAINNAME}`)"
+      - "traefik.http.routers.api.rule=Host(`traefik.${DOMAINNAME}`)"
-      - "traefik.http.routers.traefik-rtr.service=api@internal"
+      - "traefik.http.routers.api.service=api@internal"
         # Middlewares
-      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file,middlewares-basic-auth@file"
+      - "traefik.http.routers.api.middlewares=middlewares-rate-limit@file,middlewares-secure-headers@file"