ipwhitelist -> ipallowlist

iwl is deprecated, ial is the new version

.gitignore

@@ -1,2 +1,2 @@
-/.env
+/.env*
 /certs.json

docker-compose.yml

@@ -1,10 +1,7 @@
 ---
-version: "3"
-
 services:
   traefik:
     image: traefik:${TRAEFIK_VERSION}
-    container_name: ${TRAEFIK_CONTAINER_NAME}
     restart: unless-stopped
     command:
       # when debugging is needed
@@ -13,7 +10,8 @@ services:
       - --api.dashboard=true
       # configure Let's Encrypt automatic certificates
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge=true
-      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=hetzner
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.provider=${TRAEFIK_DNSPROVIDER}
+      - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.dnschallenge.resolvers=${TRAEFIK_DNSRESOLVERS}
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.email=${LETSENCRYPT_EMAIL}
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.keytype=RSA4096
       - --certificatesresolvers.${TRAEFIK_CERTRESOLVER}.acme.storage=/certs.json
@@ -22,8 +20,6 @@ services:
       - --entrypoints.https.address=:443
       # logging level
       - --log.level=${TRAEFIK_LOGLEVEL}
-      # Træfik Pilot token (of course retrieved from dotenv)
-      - --pilot.token=${TRAEFIK_PILOT_TOKEN}
       # we only use Docker (for now)
       - --providers.docker=true
       # and we want to manually specify exposed containers
@@ -32,30 +28,32 @@ services:
       # should not need, but just in case, a folder for dynamic config files is also configured
       - --providers.file.directory=/config
       - --providers.file.watch=true
-    environment:
-      - HETZNER_API_KEY=${HETZNER_API_KEY}
+    env_file:
+      - ${TRAEFIK_DNSPROVIDER_ENVFILE}
     labels:
       # expose Træfik using Træfik (dashboard)
       - traefik.enable=${TRAEFIK_ENABLED}
-      # configure a global whitelist for my home
-      - traefik.http.middlewares.dashboard-whitelist.ipwhitelist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
-      # configure the global redirect middleware
+      - traefik.docker.network=${TRAEFIK_NETWORK}
+      # configure a global whitelist for accessing the Træfik dashboard
+      - traefik.http.middlewares.dashboard-whitelist.ipallowlist.sourcerange=${TRAEFIK_DASHBOARD_WHITELIST}
+      # configure a global middleware for redirecting HTTP to HTTPS
       - traefik.http.middlewares.http-to-https.redirectscheme.scheme=https
       - traefik.http.middlewares.http-to-https.redirectscheme.permanent=true
+      # configure a global middleware to harden security through HSTS
+      - traefik.http.middlewares.hsts.headers.stsSeconds=${TRAEFIK_STS_SECONDS}
+      - traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=${TRAEFIK_STS_SUBDOMAINS}
+      - traefik.http.middlewares.hsts.headers.stsPreload=${TRAEFIK_STS_PRELOAD}
       ### Section HTTP
       - traefik.http.routers.http-${TRAEFIK_ROUTER}.entrypoints=http
-      # only some people can access the dashboard, hence protect it with it's whitelist
-      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
       # redirect Træfik dashboard to HTTPS only
-      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=http-to-https
-      - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTP_MIDDLEWARES}
+      - traefik.http.routers.http-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
       - traefik.http.routers.http-${TRAEFIK_ROUTER}.service=api@internal
       ### Section HTTPS
       - traefik.http.routers.https-${TRAEFIK_ROUTER}.entrypoints=https
-      # only some people can access the dashboard, hence protect it with it's whitelist
-      - traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=dashboard-whitelist
       # configure Træfik dashboard to be the exposed service
-      - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=Host(`${TRAEFIK_MATCHRULE}`)
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.middlewares=${TRAEFIK_HTTPS_MIDDLEWARES}
+      - traefik.http.routers.https-${TRAEFIK_ROUTER}.rule=${TRAEFIK_MATCHRULE}
       - traefik.http.routers.https-${TRAEFIK_ROUTER}.service=api@internal
       # of course, enable TLS and it's certificate provider
       - traefik.http.routers.https-${TRAEFIK_ROUTER}.tls=${TRAEFIK_TLSENABLED}
@@ -67,8 +65,8 @@ services:
       - 443:443
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./config:/config:ro
-      - ./certs.json:/certs.json
+      - ${TRAEFIK_DYNAMIC}:/config:ro
+      - ${TRAEFIK_CERTFILE}:/certs.json
 
 networks:
   traefik:

env.dnsprovider.example

@@ -0,0 +1 @@
+HETZNER_API_KEY=

env.example

@@ -1,19 +1,30 @@
 # General environment
-TRAEFIK_VERSION=2.4
+TRAEFIK_VERSION=latest
 TRAEFIK_CERTRESOLVER=letsencrypt
-TRAEFIK_CONTAINER_NAME=traefik.mydomain.com
 TRAEFIK_DASHBOARD_WHITELIST=1.2.3.4/24
 TRAEFIK_ENABLED=true
 TRAEFIK_NETWORK=traefik
-TRAEFIK_MATCHRULE=traefik.mydomain.com
-TRAEFIK_ROUTER=traefik_mydomain_com
-TRAEFIK_PILOT_TOKEN=
+TRAEFIK_MATCHRULE=Host(`traefik.example.com`)
+TRAEFIK_ROUTER=traefik_example_com
+TRAEFIK_HTTP_MIDDLEWARES=dashboard-whitelist,http-to-https
+TRAEFIK_HTTPS_MIDDLEWARES=dashboard-whitelist,hsts
+
+# Security
 TRAEFIK_TLSENABLED=true
+TRAEFIK_STS_SECONDS=15552000
+TRAEFIK_STS_SUBDOMAINS=true
+TRAEFIK_STS_PRELOAD=true
 
 # Certificate provider
-HETZNER_API_KEY=
-LETSENCRYPT_EMAIL=admin@mydomain.com
+TRAEFIK_DNSPROVIDER=hetzner
+TRAEFIK_DNSPROVIDER_ENVFILE=./.env.dnsprovider
+TRAEFIK_DNSRESOLVERS=1.1.1.1:53,1.0.0.1:53
+LETSENCRYPT_EMAIL=admin@example.com
 
 # Debugging
 TRAEFIK_ACCESSLOG=false
 TRAEFIK_LOGLEVEL=INFO
+
+# Volumes
+TRAEFIK_DYNAMIC=./config
+TRAEFIK_CERTFILE=./certs.json