2025-11-04

containers/conf/traefik/dynamic/certs.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+tls:
+  certificates:
+    - certFile: "/etc/certs/_wildcard.gcch.local.pem"
+      keyFile: "/etc/certs/_wildcard.gcch.local-key.pem"

containers/conf/traefik/dynamic/general.yaml

@@ -0,0 +1,59 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+http:
+  middlewares:
+    compression:
+      compress:
+        excludedContentTypes:
+          - text/event-stream
+
+    security:
+      headers:
+        accessControlAllowCredentials: true
+        accessControlAllowHeaders: "content-type"
+        accessControlAllowMethods:
+          - GET
+          - OPTIONS
+          - POST
+          - PUT
+        accessControlAllowOriginListRegex: "https://.*\\.gcch\\.local(.*)"
+        accessControlMaxAge: 100
+        addVaryHeader: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        customFrameOptionsValue: SAMEORIGIN
+        featurePolicy: "camera 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none'; vibrate 'self';"
+        forceSTSHeader: false
+        frameDeny: true
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        isDevelopment: true
+        referrerPolicy: "origin"
+        stsPreload: true
+        stsSeconds: 315360000
+
+tls:
+  options:
+    default:
+      alpnProtocols:
+        - h2
+        - http/1.1
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_CHACHA20_POLY1305_SHA256
+      curvePreferences:
+        - CurveP521
+        - CurveP384
+      minVersion: VersionTLS12
+      sniStrict: true
+
+    mintls13:
+      minVersion: VersionTLS13

containers/conf/traefik/dynamic/routers.yaml

@@ -0,0 +1,48 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+http:
+  routers:
+    haikuatelier:
+      entryPoints:
+        - websecure
+      middlewares:
+        - compression
+        - security
+      rule: Host(`haikuatelier.gcch.local`)
+      service: service-haikuatelier
+      tls: true
+
+    jaeger:
+      entryPoints:
+        - websecure
+      middlewares:
+        - compression
+        - security
+      rule: Host(`jaeger.gcch.local`)
+      service: service-jaeger
+      tls: true
+
+    jaeger-http:
+      entryPoints:
+        - websecure
+      middlewares:
+        - compression
+        - security
+      rule: Host(`jaeger-http.gcch.local`)
+      service: service-jaeger-http
+      tls: true
+
+    monitor:
+      entryPoints:
+        - websecure
+      rule: Host(`monitor.gcch.local`)
+      service: api@internal
+      tls: true
+
+    whoami:
+      entryPoints:
+        - websecure
+      rule: Host(`gcch.local`)
+      service: service-whoami
+      tls: true

containers/conf/traefik/dynamic/services.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://www.schemastore.org/traefik-v3.json
+
+http:
+  services:
+    service-haikuatelier:
+      loadBalancer:
+        servers:
+          - url: "http://proxy:80"
+
+    service-jaeger:
+      loadBalancer:
+        servers:
+          - url: "http://jaeger:16686"
+
+    service-jaeger-http:
+      loadBalancer:
+        servers:
+          - url: "http://jaeger:4318"
+
+    service-whoami:
+      loadBalancer:
+        servers:
+          - url: "http://whoami"