From 40fc8e00d349da9dc2f455715dfbcacceda7ba20 Mon Sep 17 00:00:00 2001
From: stratholme <root@stratholme.zom.bi>
Date: Tue, 9 Jun 2020 21:02:11 +0200
Subject: [PATCH 1/6] add stratholme specific compose file

---
 docker-compose.stratholme.yml | 50 +++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 docker-compose.stratholme.yml

diff --git a/docker-compose.stratholme.yml b/docker-compose.stratholme.yml
new file mode 100644
index 0000000..0d7cc36
--- /dev/null
+++ b/docker-compose.stratholme.yml
@@ -0,0 +1,50 @@
+version: '2'
+
+services:
+  proxy:
+    image: traefik:v2.1
+    ports:
+      - "80:80"
+      - "443:443"
+      - "10.0.0.2:8080:8080"
+    volumes:
+      - "/var/run/docker.sock:/var/run/docker.sock:ro"
+      - "./cert/:/cert/"
+      - "./config/:/etc/traefik/:ro"
+    labels:
+      - "traefik.enable=true" # set to true to expose the Monitoring & API
+      # middleware redirect
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      # global redirect to https
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
+
+      # Password middleware
+      - "traefik.http.middlewares.simpleauth.basicauth.users=zombi:$$apr1$$kv8xG9wi$$4UPHqcvKnYUab/tts6ZIU1"
+      # Dashboard, running at https://zom.bi/dashboard/
+      - "traefik.http.routers.dashboard.rule=Host(`zom.bi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
+      - "traefik.http.routers.dashboard.entrypoints=websecure"
+      - "traefik.http.routers.dashboard.service=api@internal"
+      - "traefik.http.routers.dashboard.middlewares=simpleauth"
+      - "traefik.http.routers.dashboard.tls=true"
+      - "traefik.http.routers.dashboard.tls.certresolver=default"
+      - "traefik.docker.network=proxy_web"
+    networks:
+      - "web"
+
+  dumper:
+    image: ldez/traefik-certs-dumper:latest
+    volumes:
+      - "./cert/:/cert/"
+      - "/data/ssl/:/ssl/"
+    command: >
+      file --watch --source /cert/acme.json --version v2 --domain-subdir
+      --crt-name=fullchain --crt-ext=.pem
+      --key-name=privkey --key-ext=.pem
+      --dest /ssl
+
+
+networks:
+  web:
+    driver: bridge
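Review bot: The `simpleauth` basicauth `users` label under `# Password middleware` commits a password hash to version control, and its `$apr1$` prefix identifies the MD5-based htpasswd scheme. Traefik's basicauth also accepts bcrypt hashes and a `usersfile` option, so the credential can live outside the repository and be regenerated with bcrypt; the label would become `traefik.http.middlewares.simpleauth.basicauth.usersfile=/path/to/users` with that file bind-mounted read-only. Two smaller points in the same hunk: the `:ro` on the `/var/run/docker.sock` volume makes only the mount read-only, the Docker API reached through the socket stays fully usable, so the suffix should not be read as a privilege limit; and `ldez/traefik-certs-dumper:latest` is an unpinned tag next to the pinned `traefik:v2.1`.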

From 8c126fdc768fb5dd066bd3d59726f6d8afad3d76 Mon Sep 17 00:00:00 2001
From: stratholme <root@stratholme.zom.bi>
Date: Tue, 9 Jun 2020 21:06:26 +0200
Subject: [PATCH 2/6] cleanup workdir: add readme for host specific compose
 file

---
 README.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 README.md

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..714f46f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+run on stratholme:
+
+```
+docker-compose -f docker-compose.stratholme.yml up
+```

From 1c3113d44037b34f18a3068f8fc33db8fd42790a Mon Sep 17 00:00:00 2001
From: Linuro <cpp@zom.bi>
Date: Thu, 15 Oct 2020 22:59:34 +0200
Subject: [PATCH 3/6] removing unused port

---
 docker-compose.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index b5d254e..8cf8eb4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,6 @@ services:
     ports:
       - "80:80"
       - "443:443"
-      - "10.0.0.1:8080:8080"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "./cert/:/cert/"

From 66156dc36e553a88eb9aff1f8822f322ee9189b5 Mon Sep 17 00:00:00 2001
From: Linuro <cpp@zom.bi>
Date: Thu, 15 Oct 2020 23:09:02 +0200
Subject: [PATCH 4/6] removing unneccesary docker.compose.stratholme.yml

---
 docker-compose.stratholme.yml | 50 -----------------------------------
 1 file changed, 50 deletions(-)
 delete mode 100644 docker-compose.stratholme.yml

diff --git a/docker-compose.stratholme.yml b/docker-compose.stratholme.yml
deleted file mode 100644
index 0d7cc36..0000000
--- a/docker-compose.stratholme.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-version: '2'
-
-services:
-  proxy:
-    image: traefik:v2.1
-    ports:
-      - "80:80"
-      - "443:443"
-      - "10.0.0.2:8080:8080"
-    volumes:
-      - "/var/run/docker.sock:/var/run/docker.sock:ro"
-      - "./cert/:/cert/"
-      - "./config/:/etc/traefik/:ro"
-    labels:
-      - "traefik.enable=true" # set to true to expose the Monitoring & API
-      # middleware redirect
-      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-      # global redirect to https
-      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
-      - "traefik.http.routers.http-catchall.entrypoints=web"
-      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
-
-      # Password middleware
-      - "traefik.http.middlewares.simpleauth.basicauth.users=zombi:$$apr1$$kv8xG9wi$$4UPHqcvKnYUab/tts6ZIU1"
-      # Dashboard, running at https://zom.bi/dashboard/
-      - "traefik.http.routers.dashboard.rule=Host(`zom.bi`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
-      - "traefik.http.routers.dashboard.entrypoints=websecure"
-      - "traefik.http.routers.dashboard.service=api@internal"
-      - "traefik.http.routers.dashboard.middlewares=simpleauth"
-      - "traefik.http.routers.dashboard.tls=true"
-      - "traefik.http.routers.dashboard.tls.certresolver=default"
-      - "traefik.docker.network=proxy_web"
-    networks:
-      - "web"
-
-  dumper:
-    image: ldez/traefik-certs-dumper:latest
-    volumes:
-      - "./cert/:/cert/"
-      - "/data/ssl/:/ssl/"
-    command: >
-      file --watch --source /cert/acme.json --version v2 --domain-subdir
-      --crt-name=fullchain --crt-ext=.pem
-      --key-name=privkey --key-ext=.pem
-      --dest /ssl
-
-
-networks:
-  web:
-    driver: bridge

From f119bd7c375adab924ce839f47112e40772059bd Mon Sep 17 00:00:00 2001
From: Chris <bsod@zom.bi>
Date: Thu, 5 Nov 2020 20:41:47 +0100
Subject: [PATCH 5/6] update tls options

fixes #39
---
 config/traefik.toml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/config/traefik.toml b/config/traefik.toml
index c72af33..c7a595e 100644
--- a/config/traefik.toml
+++ b/config/traefik.toml
@@ -49,3 +49,17 @@
 [[tls.certificates]]
   certFile = "cert/grun.host.origin.pem"
   keyFile = "cert/grun.host.origin.key"
+
+[tls.options]
+  [tls.options.default]
+    minVersion = "VersionTLS12"
+    cipherSuites = [
+      "TLS_CHACHA20_POLY1305_SHA256",
+      "TLS_AES_128_GCM_SHA256",
+      "TLS_AES_256_GCM_SHA384",
+      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+    ]
+  [tls.options.mintls13]
+    minVersion = "VersionTLS13"
\ No newline at end of file
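Review bot: The three TLS 1.3 entries at the top of `cipherSuites` (`TLS_CHACHA20_POLY1305_SHA256`, `TLS_AES_128_GCM_SHA256`, `TLS_AES_256_GCM_SHA384`) are not configurable in Traefik, whose Go TLS stack fixes the 1.3 suite set, so the effective allowlist is the three `TLS_ECDHE_RSA_*` suites and it applies to TLS 1.2 only. None of the `TLS_ECDHE_ECDSA_*` counterparts is listed, so a TLS 1.2 client presented with an ECDSA-keyed certificate would find no common suite; whether the ACME resolver and the `[[tls.certificates]]` entries use RSA keys is not visible here, so either confirm that or add the ECDSA variants. A comment above the list, such as `# TLS 1.3 suites are listed for documentation only; Go does not allow restricting them`, would stop the next reader from relying on it. The same list reappears in `config/dynamic/tls.yml` in the following patch of this series. The file is also left without a trailing newline.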

From 85ca1d8890f4b43c9e2e777cfe7eadd30244935f Mon Sep 17 00:00:00 2001
From: Chris <bsod@zom.bi>
Date: Fri, 6 Nov 2020 17:55:48 +0100
Subject: [PATCH 6/6] move tls configuration from static configuration to
 dynamic configuration

---
 config/dynamic/tls.yml | 11 +++++++++++
 config/traefik.toml    | 20 +++++---------------
 docker-compose.yml     |  3 ++-
 3 files changed, 18 insertions(+), 16 deletions(-)
 create mode 100644 config/dynamic/tls.yml

diff --git a/config/dynamic/tls.yml b/config/dynamic/tls.yml
new file mode 100644
index 0000000..94311c1
--- /dev/null
+++ b/config/dynamic/tls.yml
@@ -0,0 +1,11 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      cipherSuites:
+        - TLS_CHACHA20_POLY1305_SHA256
+        - TLS_AES_128_GCM_SHA256
+        - TLS_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
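Review bot: The `mintls13` option carried by the TOML section this series removes (`[tls.options.mintls13]` with `minVersion = "VersionTLS13"`) has no counterpart in this file; only `default` is defined under `options:`. If any router references it through `tls.options=mintls13@file`, that reference now resolves to nothing, so either restore it as `mintls13:` with `minVersion: VersionTLS13` beside `default:`, or state in the commit message that it was dropped deliberately. A one-line header comment naming the file's role, e.g. `# Dynamic TLS options, loaded by providers.file from /etc/traefik/dynamic`, would also help, since the file is otherwise uncommented.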
diff --git a/config/traefik.toml b/config/traefik.toml
index c7a595e..c43fd81 100644
--- a/config/traefik.toml
+++ b/config/traefik.toml
@@ -34,6 +34,10 @@
   exposedByDefault = false
   defaultRule = "Host(`{{ normalize .Name }}.docker.localhost`)"
 
+[providers.file]
+  directory = "/etc/traefik/dynamic"
+  watch = true
+
 [certificatesResolvers.default.acme]
   email = "hostmaster@zom.bi"
   storage = "/cert/acme.json"
@@ -48,18 +52,4 @@
   keyFile = "cert/bitmask.me.origin.key"
 [[tls.certificates]]
   certFile = "cert/grun.host.origin.pem"
-  keyFile = "cert/grun.host.origin.key"
-
-[tls.options]
-  [tls.options.default]
-    minVersion = "VersionTLS12"
-    cipherSuites = [
-      "TLS_CHACHA20_POLY1305_SHA256",
-      "TLS_AES_128_GCM_SHA256",
-      "TLS_AES_256_GCM_SHA384",
-      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
-      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
-    ]
-  [tls.options.mintls13]
-    minVersion = "VersionTLS13"
\ No newline at end of file
+  keyFile = "cert/grun.host.origin.key"
\ No newline at end of file
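Review bot: The file still ends without a newline: the hunk removes and re-adds the unchanged `keyFile = "cert/grun.host.origin.key"` line only to carry the `\ No newline at end of file` marker over, and the same churn will recur on every edit that touches the end of the file. Ending the file with a newline, and keeping a blank line after the last `[[tls.certificates]]` entry, makes future diffs touch only the lines that actually change.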
diff --git a/docker-compose.yml b/docker-compose.yml
index 8cf8eb4..ce50979 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '2'
 
 services:
   proxy:
-    image: traefik:v2.1
+    image: traefik:v2.3
     ports:
       - "80:80"
       - "443:443"
@@ -10,6 +10,7 @@ services:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
       - "./cert/:/cert/"
       - "./config/:/etc/traefik/:ro"
+      - "./config/dynamic/:/etc/traefik/dynamic/:ro"
     labels:
       - "traefik.enable=true" # set to true to expose the Monitoring & API
       # middleware redirect
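Review bot: The new `./config/dynamic/:/etc/traefik/dynamic/:ro` mount duplicates what the line above it already provides: `./config/:/etc/traefik/:ro` bind-mounts the whole `config` tree, so `/etc/traefik/dynamic` is present and read-only without a second mount. Nested bind mounts are harmless, but the extra entry invites drift between the two paths; if it is kept on purpose, for example so the dynamic directory can later point at a different host path, a comment such as `# explicit mount so the dynamic dir can be relocated independently of ./config` would record that. The `proxy` service definition starts before the hunk and its `labels` continue past it.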