Delete commit history along with sensitive data

ingress/Traefik2.x/chart-values.yml

@@ -0,0 +1,44 @@
+ports:
+  web:
+#    port: 80
+#    exposedPort: 80
+    redirectTo: websecure
+#  websecure:
+#    port: 443
+#    exposedPort: 443
+
+volumes:
+  - name: traefik-configmap
+    mountPath: /etc/traefik
+    type: configMap
+
+persistence:
+  enabled: true
+  accessMode: ReadWriteMany
+  path: /data
+  existingClaim: "traefik"
+#  size: 1Gi
+#  subPath: 'acme.json'
+
+env:
+  - name: CF_API_EMAIL
+    valueFrom: 
+      secretKeyRef:
+        name: traefik-cloudflare
+        key: CF_API_EMAIL
+  - name: CF_API_KEY
+    valueFrom: 
+      secretKeyRef:
+        name: traefik-cloudflare
+        key: CF_API_KEY
+
+securityContext:
+  capabilities:
+    drop: []
+  readOnlyRootFilesystem: true
+  runAsGroup: 0
+  runAsNonRoot: false
+  runAsUser: 0
+
+podSecurityContext:
+  fsGroup: 0

ingress/Traefik2.x/configMap_traefik.yml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: traefik-configmap
+  namespace: kube-system
+data:
+  traefik.yml: |
+    global:
+      checkNewVersion: true
+      sendAnonymousUsage: true
+    entryPoints:
+      web:
+        address: :8000
+      websecure:
+        address: :8443
+        forwardedHeaders:
+          insecure: true
+        http:
+          tls:
+            options: defaults@file
+            certResolver: default
+            domains:
+              - main: '*.spamasaurus.com'
+                sans:
+                  - 'spamasaurus.com'
+              - main: '*.bessems.com'
+                sans:
+                  - 'bessems.com'
+              - main: '*.bessems.eu'
+                sans:
+                  - 'bessems.eu'
+              - main: '*.gabaldon.eu'
+                sans:
+                  - 'gabaldon.eu'
+              - main: '*.gabaldon.nl'
+                sans:
+                  - 'gabaldon.nl'
+              - main: '*.itch.fyi'
+                sans:
+                  - 'itch.fyi'
+    #      trustedIPs:
+    #        - "127.0.0.0/8"
+    #        - "192.168.5.0/24"
+    #        - "192.168.11.0/24"
+      ssh:
+        address: :2222
+      traefik:
+        address: :9000
+    providers:
+      file:
+        filename: /etc/traefik/dynamic.yml
+      kubernetesCRD: {}
+    api:
+      dashboard: true
+    ping: {}
+    #accessLog: {}
+    log:
+      level: INFO
+    #  level: DEBUG
+    certificatesResolvers:
+      default:
+        acme:
+          email: letsencrypt.org.danny@spamasaurus.com
+          storage: /data/acme.json
+          dnsChallenge:
+            provider: cloudflare
+            delayBeforeCheck: 5m0s
+            resolvers:
+            - 1.1.1.1:53
+            - 1.0.0.1:53
+  dynamic.yml: |
+    http:
+      middlewares:
+        force-tls:
+          redirectScheme:
+            scheme: https
+        2fa-authentication:
+          forwardAuth:
+            address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
+            trustForwardHeader: true
+        security-headers:
+          headers:
+            forceSTSHeader: true
+            stsSeconds: 315360000
+            stsIncludeSubdomains: true
+            stsPreload: true
+      routers:
+        force-tls:
+          entryPoints:
+            - "web"
+          rule: "HostRegexp(`{any:.+}`)"
+          middlewares:
+            - "force-tls"
+          service: noop@internal
+    tls:
+      options:
+        defaults:
+          minVersion: VersionTLS12
+          sniStrict: true
+          curvePreferences:
+            - secp521r1
+            - secp384r1
+          cipherSuites:
+            - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+            - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+            - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+            - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+            - TLS_AES_128_GCM_SHA256
+            - TLS_AES_256_GCM_SHA384
+            - TLS_CHACHA20_POLY1305_SHA256
+            - TLS_FALLBACK_SCSV

ingress/Traefik2.x/ingressRoute_traefik.yaml

@@ -0,0 +1,25 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ingress.spamasaurus.com`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+      middlewares:
+        - name: 2fa-authentication@file
+        - name: security-headers@file
+  tls:
+    certResolver: default
+    options:
+      name: defaults@file
+    domains:
+    - main: '*.spamasaurus.com'
+      sans:
+      - 'spamasaurus.com'

ingress/Traefik2.x/pvc_traefik.yml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: flexvolsmb-traefik-data
+  namespace: kube-system
+spec:
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefik-data
+  flexVolume:
+    driver: mount/smb
+    secretRef:
+      name: smb-secret
+      namespace: default
+    options:
+      opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
+      server: 192.168.11.225
+      share: /K3s.Volumes/traefik/data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: flexvolsmb-traefik-data
+  resources:
+    requests:
+      storage: 1Gi