feat(main): replace caddy with traefik as reverse proxy

rvproxy/Caddyfile

@@ -1,35 +0,0 @@
-# Global options
-{
-        auto_https disable_certs
-        persist_config off
-}
-
-# Reverse-proxy configuration
-*.ublue.local {
-        ## TLS certificates
-        tls /certs/_.ublue.local/cert.pem /certs/_.ublue.local/key.pem
-
-        # container registry
-        @registry host registry.ublue.local
-
-        handle @registry {
-                reverse_proxy ublue-os_forge-registry.ublue.local:5000 {
-                        transport http {
-                                tls
-                                tls_trusted_ca_certs /certs/tls/ublue-os_forge-root.pem
-                        }
-                }
-        }
-
-        # semaphore
-        @semaphore host forge.ublue.local
-
-        handle @semaphore {
-                reverse_proxy ublue-os_forge-semaphore.ublue.local:3000
-        }
-
-        # Fallback for otherwise unhandled domains
-        handle {
-                respond "Bad hostname" 400
-        }
-}

rvproxy/Containerfile

@@ -1,5 +0,0 @@
-# Source Image
-FROM docker.io/library/caddy:2.6.4-alpine
-
-# Add configuration file
-COPY ./Caddyfile /etc/caddy/Caddyfile

traefik/Containerfile

@@ -0,0 +1,5 @@
+# Source Image
+FROM docker.io/traefik:v2.11
+
+# Add configuration file
+COPY ./config/*.yml /etc/traefik/

traefik/config/fileConfig.yml

@@ -0,0 +1,43 @@
+---
+http:
+  ## EXTERNAL ROUTING - Only use if you want to proxy something manually ##
+  routers:
+  ## SERVICES ##
+  services:
+  ## MIDDLEWARES ##
+  middlewares:
+    securityHeaders:
+      headers:
+        customResponseHeaders:
+          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
+          X-Forwarded-Proto: "https"
+          server: ""
+        customRequestHeaders:
+          X-Forwarded-Proto: "https"
+        sslProxyHeaders:
+          X-Forwarded-Proto: "https"
+        referrerPolicy: "same-origin"
+        hostsProxyHeaders:
+          - "X-Forwarded-Host"
+        contentTypeNosniff: true
+        browserXssFilter: true
+        forceSTSHeader: true
+        stsIncludeSubdomains: true
+        stsSeconds: 63072000
+        stsPreload: true
+
+# Only use secure ciphers - https://ssl-config.mozilla.org/#server=traefik&version=2.6.0&config=intermediate&guideline=5.6
+tls:
+  certificates:
+    - certFile: /certs/_.ublue.local/cert.pem
+      keyFile: /certs/_.ublue.local/key.pem
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

traefik/config/traefik.yml

@@ -0,0 +1,53 @@
+# Traefik configuration
+global:
+  checkNewVersion: false
+  sendAnonymousUsage: false
+
+serversTransport:
+  insecureSkipVerify: true
+
+api:
+  dashboard: true
+
+# Log level INFO|DEBUG|ERROR
+log:
+  level: INFO
+
+# Configuring a buffer of 100 lines
+accessLog:
+  filePath: "/etc/traefik/access.log"
+  bufferingSize: 100
+
+entryPoints:
+  # Not used in apps, but redirect everything from HTTP to HTTPS
+  web:
+    address: :80
+    http:
+      redirections:
+        entryPoint:
+          to: websecure
+          scheme: https
+  # HTTPS endpoint, with domain wildcard
+  websecure:
+    address: :443
+    http:
+      tls:
+        domains:
+          - main: ublue.local
+            sans:
+              - "*.ublue.local"
+      middlewares:
+        - securityHeaders@file
+
+providers:
+  providersThrottleDuration: 2s
+  # File provider for connecting things that are outside of docker / defining middleware
+  file:
+    filename: /etc/traefik/fileConfig.yml
+    watch: true
+  # Docker / Podman configuration backend
+  docker:
+    watch: true
+    network: "ublue-os_forge"
+    exposedByDefault: false
+    endpoint: "unix:///var/run/podman.sock"