traefik/file-provider.yml.tmpl

---
http:
  middlewares:
    {{ if eq (env "KEYCLOAK_MIDDLEWARE_ENABLED") "1" }}
    keycloak:
      forwardAuth:
        address: "http://{{ env "KEYCLOAK_TFA_SERVICE" }}:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - X-Forwarded-User
    {{ end }}
    {{ if eq (env "KEYCLOAK_MIDDLEWARE_2_ENABLED") "1" }}
    keycloak2:
      forwardAuth:
        address: "http://{{ env "KEYCLOAK_TFA_SERVICE_2" }}:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - X-Forwarded-User
    {{ end }}
    {{ if eq (env "BASIC_AUTH") "1" }}
    basicauth:
      basicAuth:
        usersFile: "/run/secrets/usersfile"
    {{ end }}
    security:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: "31536000"
  {{ if eq (env "METRICS_ENABLED") "1" }}
  routers:
    traefik-metrics:
      rule: "Host(`{{ env "METRICS_FQDN" }}`)"
      entrypoints:
        - web-secure
      tls:
        certResolver: {{ env "LETS_ENCRYPT_ENV" }}
      middlewares:
        - basicauth@file
      service: prometheus@internal
  {{ end }}

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   # TLS 1.2
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305    # TLS 1.2
        - TLS_AES_256_GCM_SHA384                  # TLS 1.3
        - TLS_CHACHA20_POLY1305_SHA256            # TLS 1.3
      curvePreferences:
        - CurveP521
        - CurveP384
        - CurveP256
      sniStrict: true
  {{ if eq (env "WILDCARDS_ENABLED") "1" }}
  certificates:
    - certFile: /run/secrets/ssl_cert
      keyFile: /run/secrets/ssl_key
  {{ end }}