2025-11-04

containers/conf/traefik/dynamic/certs.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+tls:
+  certificates:
+    - certFile: "/etc/certs/_wildcard.gcch.local.pem"
+      keyFile: "/etc/certs/_wildcard.gcch.local-key.pem"

containers/conf/traefik/dynamic/general.yaml

@@ -0,0 +1,59 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+http:
+  middlewares:
+    compression:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+
+    security:
+      headers:
+        accessControlAllowCredentials: true
+        accessControlAllowHeaders: "content-type"
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - POST
+          - PUT
+        accessControlAllowOriginListRegex: "https://.*\\.gcch\\.local(.*)"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        customFrameOptionsValue: SAMEORIGIN
+        featurePolicy: "camera 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'; vibrate 'self';"
+        forceSTSHeader: false
+        frameDeny: true
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        isDevelopment: true
+        referrerPolicy: "origin"
+        stsPreload: true
+        stsSeconds: 315360000
+
+tls:
+  options:
+    default:
+      alpnProtocols:
+        - h2
+        - http/1.1
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      minVersion: VersionTLS12
+      sniStrict: true
+
+    mintls13:
+      minVersion: VersionTLS13

containers/conf/traefik/dynamic/routers.yaml

@@ -0,0 +1,48 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+http:
+  routers:
+    haikuatelier:
+      entryPoints:
+        - websecure
+      middlewares:
+        - compression
+        - security
+      rule: Host(`haikuatelier.gcch.local`)
+      service: service-haikuatelier
+      tls: true
+
+    jaeger:
+      entryPoints:
+        - websecure
+      middlewares:
+        - compression
+        - security
+      rule: Host(`jaeger.gcch.local`)
+      service: service-jaeger
+      tls: true
+
+    jaeger-http:
+      entryPoints:
+        - websecure
+      middlewares:
+        - compression
+        - security
+      rule: Host(`jaeger-http.gcch.local`)
+      service: service-jaeger-http
+      tls: true
+
+    monitor:
+      entryPoints:
+        - websecure
+      rule: Host(`monitor.gcch.local`)
+      service: api@internal
+      tls: true
+
+    whoami:
+      entryPoints:
+        - websecure
+      rule: Host(`gcch.local`)
+      service: service-whoami
+      tls: true

containers/conf/traefik/dynamic/services.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+http:
+  services:
+    service-haikuatelier:
+      loadBalancer:
+        servers:
+          - url: "http://proxy:80"
+
+    service-jaeger:
+      loadBalancer:
+        servers:
+          - url: "http://jaeger:16686"
+
+    service-jaeger-http:
+      loadBalancer:
+        servers:
+          - url: "http://jaeger:4318"
+
+    service-whoami:
+      loadBalancer:
+        servers:
+          - url: "http://whoami"

containers/conf/traefik/traefik.yaml

@@ -0,0 +1,60 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+accessLog:
+  # Journalise l'accès aux ressources internes.
+  addInternals: false
+  # Chemin du fichier où les journaux seront enregistrés.
+  bufferingSize: 100
+  # Format des journaux.
+  filePath: "/var/log/traefik/access_log.log"
+  # Créé un buffer de n lignes avant d'écrire les journaux. Permet de journaliser de manière asynchrone.
+  format: "common"
+
+api:
+  # Active le tableau de bord Traefik.
+  dashboard: true
+  # Active des points d'accès de déboguage.
+  debug: false
+  # Rend l'API directement disponible sans sécurisation.
+  insecure: true
+
+entryPoints:
+  ping:
+    address: ":8082"
+  web:
+    address: ":80"
+    http:
+      redirections:
+        entryPoint:
+          scheme: https
+          to: websecure
+  websecure:
+    address: ":443"
+
+global:
+  # Vérifie la disponibilité d'une version plus récente de Traefik.
+  checkNewVersion: true
+  # Partage des données avec l'éditeur de Traefik.
+  sendAnonymousUsage: false
+
+log:
+  filePath: "/var/log/traefik/traefik.log"
+  format: common
+  level: "INFO"
+  maxBackups: 0
+  maxSize: 100
+
+ping:
+  # Nom du point d'entrée de ping.
+  entryPoint: "ping"
+
+providers:
+  docker:
+    endpoint: unix:///var/run/docker.sock
+    exposedByDefault: false
+    network: haiku-network
+    watch: true
+  file:
+    directory: "/etc/traefik/dynamic"
+    watch: true