* Several updates 2024_01_22. See full commit log.

* Changed domain name variables to align with hostnames (and their prefixes/suffixes) I implemented in the previous commit
    - DOMAINNAME_CLOUD_SERVER is now DOMAINNAME_HS
    - DOMAINNAME_HOME_SYNOLOGY is now DOMAINNAME_DS918
    - DOMAINNAME_SHB is now DOMAINNAME_WS
* Replace Traefik/Cloudflare ACME validation from using Email and Global API Key to Scoped API Toekn (CF_DNS_API_TOKEN). Deleted unwated secrets.
* Split middlewares.yml to individual middleware YML files - to align with Auto-Traefik.
* Split middlewares-chains.yml to individual chain YML files - to align with Auto-Traefik.
* Moved some of the media apps to Media Server docker stack (docker-compose-mds.yml)
* Added more example file providers for various scenarios.

Author: SimpleHomelab

.gitignore

@@ -79,12 +79,21 @@ appdata/traefik2/rules/toml/*
 !appdata/traefik2/rules/ds918
 appdata/traefik2/rules/ds918/*
 !appdata/traefik2/rules/ds918/*.example
+!appdata/traefik2/rules/ds918/tls-opts.yml
+!appdata/traefik2/rules/ds918/middlewares-*.yml
+!appdata/traefik2/rules/ds918/chain-*.yml
 !appdata/traefik2/rules/hs
 appdata/traefik2/rules/hs/*
 !appdata/traefik2/rules/hs/*.example
 !appdata/traefik2/rules/hs/tls-opts.yml
-!appdata/traefik2/rules/hs/middlewares.yml
-!appdata/traefik2/rules/hs/middlewares-chains.yml
+!appdata/traefik2/rules/hs/middlewares-*.yml
+!appdata/traefik2/rules/hs/chain-*.yml
+!appdata/traefik2/rules/ws
+appdata/traefik2/rules/ws/*
+!appdata/traefik2/rules/ws/*.example
+!appdata/traefik2/rules/ws/tls-opts.yml
+!appdata/traefik2/rules/ws/middlewares-*.yml
+!appdata/traefik2/rules/ws/chain-*.yml
 
 !appdata/authelia
 appdata/authelia/*

appdata/traefik2/rules/ds918/app-ds918-dsm-oauth.yml.example

@@ -0,0 +1,17 @@
+http:
+  routers:
+    synology-rtr:
+      rule: "Host(`dsm.{{env "DOMAINNAME_DS918"}}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - chain-oauth
+      service: synology-svc
+      tls:
+        certResolver: dns-cloudflare
+        options: tls-opts@file
+  services:
+    synology-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.254:5000"

appdata/traefik2/rules/ds918/app-ds918-video-oauth.yml.example

@@ -0,0 +1,17 @@
+http:
+  routers:
+    synology-video-rtr:
+      rule: "Host(`video.{{env "DOMAINNAME_DS918"}}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - chain-oauth
+      service: synology-video-svc
+      tls:
+        certResolver: dns-cloudflare
+        options: tls-opts@file
+  services:
+    synology-video-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.254:5003"

appdata/traefik2/rules/ds918/chain-basic-auth.yml

@@ -0,0 +1,10 @@
+http:
+  middlewares:
+    chain-basic-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-basic-auth
+          - middlewares-compress

appdata/traefik2/rules/ds918/chain-no-auth.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    chain-no-auth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-compress

appdata/traefik2/rules/ds918/chain-oauth-external.yml

@@ -0,0 +1,11 @@
+http:
+  middlewares:
+    chain-oauth-external:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-oauth-external
+          - middlewares-compress
+

appdata/traefik2/rules/ds918/chain-oauth.yml

@@ -0,0 +1,10 @@
+http:
+  middlewares:
+    chain-oauth:
+      chain:
+        middlewares:
+          - middlewares-rate-limit
+          - middlewares-https-redirectscheme
+          - middlewares-secure-headers
+          - middlewares-oauth
+          - middlewares-compress

appdata/traefik2/rules/ds918/middlewares-basic-auth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-basic-auth:
+      basicAuth:
+        # users:
+        #   - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1"
+        usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml
+        realm: "Traefik 2 Basic Auth"

appdata/traefik2/rules/ds918/middlewares-buffering.yml

@@ -0,0 +1,9 @@
+http:
+  middlewares:
+    middlewares-buffering:
+      buffering:
+        maxResponseBodyBytes: 2000000
+        maxRequestBodyBytes: 10485760  
+        memRequestBodyBytes: 2097152  
+        memResponseBodyBytes: 2097152
+        retryExpression: "IsNetworkError() && Attempts() <= 2"

appdata/traefik2/rules/ds918/middlewares-compress.yml

@@ -0,0 +1,4 @@
+http:
+  middlewares:
+    middlewares-compress:
+      compress: {}

appdata/traefik2/rules/ds918/middlewares-https-redirectscheme.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    middlewares-https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true

appdata/traefik2/rules/ds918/middlewares-oauth-external.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-oauth-external:
+      forwardAuth:
+        address: "https://oauth.{{env "DOMAINNAME_DS918"}}" 
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-Forwarded-User"

appdata/traefik2/rules/ds918/middlewares-oauth.yml

@@ -0,0 +1,8 @@
+http:
+  middlewares:
+    middlewares-oauth:
+      forwardAuth:
+        address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
+        trustForwardHeader: true
+        authResponseHeaders:
+          - "X-Forwarded-User"

appdata/traefik2/rules/ds918/middlewares-rate-limit.yml

@@ -0,0 +1,6 @@
+http:
+  middlewares:
+    middlewares-rate-limit:
+      rateLimit:
+        average: 100
+        burst: 50

appdata/traefik2/rules/ws/middlewares.yml.example renamed to appdata/traefik2/rules/ds918/middlewares-secure-headers.yml

@@ -1,22 +1,5 @@
 http:
   middlewares:
-    middlewares-basic-auth:
-      basicAuth:
-        # users:
-        #   - "user:$apsdfswWvC/6.$E3FtsfTntPC0wVJ7IUVtX1"
-        usersFile: "/run/secrets/htpasswd" #be sure to mount the volume through docker-compose.yml
-        realm: "Traefik 2 Basic Auth"
-
-    middlewares-rate-limit:
-      rateLimit:
-        average: 100
-        burst: 50
-
-    middlewares-https-redirectscheme:
-      redirectScheme:
-        scheme: https
-        permanent: true
-
     middlewares-secure-headers:
       headers:
         accessControlAllowMethods:
@@ -32,50 +15,20 @@ http:
         stsPreload: true
         forceSTSHeader: true
         # frameDeny: true #overwritten by customFrameOptionsValue
-        customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_SHB"}}" #CSP takes care of this but may be needed for organizr.
+        customFrameOptionsValue: "allow-from https:{{env "DOMAINNAME_DS918"}}" #CSP takes care of this but may be needed for organizr.
         contentTypeNosniff: true
         browserXssFilter: true
         # sslForceHost: true # add sslHost to all of the services
-        # sslHost: "{{env "DOMAINNAME_SHB"}}"
+        # sslHost: "{{env "DOMAINNAME_DS918"}}"
         referrerPolicy: "same-origin"
         # Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
         # the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
-        # contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME_SHB"}}:*';object-src 'none';script-src 'none';"
+        # contentSecurityPolicy: "frame-ancestors '*.{{env "DOMAINNAME_DS918"}}:*';object-src 'none';script-src 'none';"
         # Line below, featurePolicy, was deprecated in v2.5.x in favor permissionPolicy
         # featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
         permissionsPolicy: "camera=(), microphone=(), geolocation=(), payment=(), usb=(), vr=()"
         customResponseHeaders:
           X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
           server: ""
           # https://community.traefik.io/t/how-to-make-websockets-work-with-traefik-2-0-setting-up-rancher/1732
-          # X-Forwarded-Proto: "https"
-
-    middlewares-secure-headers-wp:
-      headers:
-        hostsProxyHeaders:
-          - "X-Forwarded-Host"
-        stsSeconds: 31536000
-        stsIncludeSubdomains: true
-        stsPreload: true
-        frameDeny: true
-        contentTypeNosniff: true
-        browserXssFilter: true
-
-    middlewares-oauth:
-      forwardAuth:
-        address: "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
-        trustForwardHeader: true
-        authResponseHeaders:
-          - "X-Forwarded-User"
-
-    middlewares-authelia:
-      forwardAuth:
-        address: "http://authelia:9091/api/verify?rd=https://authelia.{{env "DOMAINNAME_SHB"}}"
-        trustForwardHeader: true
-        authResponseHeaders:
-          - "Remote-User"
-          - "Remote-Groups"
-
-    middlewares-compress:
-      compress: {}
-
+          # X-Forwarded-Proto: "https"

appdata/traefik2/rules/ds918/tls-opts.yml

@@ -0,0 +1,19 @@
+tls:
+  options:
+    tls-opts:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_FALLBACK_SCSV # Client is doing version fallback. See RFC 7507
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      sniStrict: true

appdata/traefik2/rules/hs/app-adguard-home-authelia.yml.example

@@ -1,11 +1,11 @@
 http:
   routers:
     adguard-rtr:
-      rule: "Host(`ag.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
+      rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
       entryPoints:
         - https
       middlewares:
-        - chain-oauth
+        - chain-authelia
       service: adguard-svc
       tls:
         certResolver: dns-cloudflare

appdata/traefik2/rules/hs/app-adguard-home-oauth.yml.example

@@ -1,7 +1,7 @@
 http:
   routers:
     adguard-rtr:
-      rule: "Host(`ag.{{env "DOMAINNAME_CLOUD_SERVER"}}`)"
+      rule: "Host(`ag.{{env "DOMAINNAME_HS"}}`)"
       entryPoints:
         - https
       middlewares:

appdata/traefik2/rules/hs/app-haos-no-auth.yml.example

@@ -1,7 +1,7 @@
 http:
   routers:
     haos-rtr:
-      rule: "Host(`haos.{{env "DOMAINNAME_CLOUD_SERVER"}}`)" 
+      rule: "Host(`haos.{{env "DOMAINNAME_HS"}}`)" 
       entryPoints:
         - https
       middlewares:

appdata/traefik2/rules/hs/app-hassos-no-auth.yml.example

@@ -1,7 +1,7 @@
 http:
   routers:
     pihole-rtr:
-      rule: "Host(`pihole.{{env "DOMAINNAME_CLOUD_SERVER"}}`)" 
+      rule: "Host(`pihole.{{env "DOMAINNAME_HS"}}`)" 
       entryPoints:
         - https
       middlewares:

appdata/traefik2/rules/hs/app-pihole-oauth.yml.example

@@ -0,0 +1,17 @@
+http:
+  routers:
+    splex-rtr:
+      rule: "Host(`splex.{{env "DOMAINNAME_HS"}}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - chain-oauth
+      service: splex-svc
+      tls:
+        certResolver: dns-cloudflare
+        options: tls-opts@file
+  services:
+    splex-svc:
+      loadBalancer:
+        servers:
+          - url: "http://192.168.1.238:32400"

appdata/traefik2/rules/hs/app-plex-no-auth.yml.example

@@ -0,0 +1,22 @@
+http:
+  routers:
+    proxmox-rtr:
+      rule: "Host(`pve.{{env "DOMAINNAME_HS"}}`)"
+      entryPoints:
+        - https
+      middlewares:
+        - chain-oauth
+      service: proxmox-svc
+      tls:
+        certResolver: dns-cloudflare
+        options: tls-opts@file
+  services:
+    proxmox-svc:
+      loadBalancer:
+        passHostHeader: true
+        serversTransport: "pve"
+        servers:
+          - url: "https://192.168.1.100:8006/"
+  serversTransports:
+    pve:
+      insecureSkipVerify: true

appdata/traefik2/rules/hs/app-proxmox-ve-oauth.yml.example

@@ -0,0 +1,14 @@
+tcp:
+  routers:
+    synology-traefik-rtr:
+      entryPoints:
+        - "https"
+      rule: "HostSNIRegexp(`{{env "DOMAINNAME_DS918"}}`, `{subdomain:[a-z]+}.{{env "DOMAINNAME_DS918"}}`)"
+      service: synology-traefik-svc
+      tls:
+        passthrough: true
+  services:
+    synology-traefik-svc:
+      loadBalancer:
+        servers:
+          - address: "192.168.1.254:443"