first commit, i i have no idea what i have done

traefik/.env

@@ -0,0 +1 @@
+TRAEFIK_DASHBOARD_CREDENTIALS=admin:$$2y$$05$$PWLMUBMexlqDK6yXZvKWFeFaMULMlVb4Fp7.XUvFpvVhuqxeVLeMq

traefik/config/config.yaml

@@ -0,0 +1,19 @@
+http:
+  middlewares:    
+    default-security-headers:
+      headers:
+        customBrowserXSSValue: 0                            # X-XSS-Protection=1; mode=block
+        contentTypeNosniff: true                          # X-Content-Type-Options=nosniff
+        forceSTSHeader: true                              # Add the Strict-Transport-Security header even when the connection is HTTP
+        frameDeny: false                                   # X-Frame-Options=deny
+        referrerPolicy: "strict-origin-when-cross-origin"
+        stsIncludeSubdomains: true                        # Add includeSubdomains to the Strict-Transport-Security header
+        stsPreload: true                                  # Add preload flag appended to the Strict-Transport-Security header
+        stsSeconds: 3153600                              # Set the max-age of the Strict-Transport-Security header (63072000 = 2 years)
+        contentSecurityPolicy: "default-src 'self'"     
+        customRequestHeaders:
+          X-Forwarded-Proto: https
+    https-redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true

traefik/config/traefik.yaml

@@ -0,0 +1,37 @@
+api:
+  dashboard: true
+  debug: true
+entryPoints:
+  http:
+    address: ":80"
+    http:
+    #  middlewares: # uncomment if using CrowdSec - see my video
+    #    - crowdsec-bouncer@file
+      redirections:
+        entryPoint:
+          to: https
+          scheme: https
+  https:
+    address: ":443"
+    # http:
+    #  middlewares: # uncomment if using CrowdSec - see my video
+    #    - crowdsec-bouncer@file
+  # tcp:
+   # address: ":10000"
+  # apis:
+   # address: ":33073"
+serversTransport:
+  insecureSkipVerify: true
+providers:
+  docker:
+    endpoint: "unix:///var/run/docker.sock"
+    exposedByDefault: false
+  file:
+    filename: /config.yaml # example provided gives A+ rating https://www.ssllabs.com/ssltest/
+
+
+log:
+  level: "INFO"
+  filePath: "/var/log/traefik/traefik.log"
+accessLog:
+  filePath: "/var/log/traefik/access.log"

traefik/docker-compose.yaml

@@ -0,0 +1,49 @@
+services:
+  traefik:
+    image: traefik:latest  # or pin a specific v3.x version
+    container_name: traefik
+    restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true  
+    env_file:
+      - .env  # should define TRAEFIK_DASHBOARD_CREDENTIALS
+    networks:
+      - proxy
+    ports:
+      - "80:80"
+      - "443:443"
+    environment:
+      - TRAEFIK_DASHBOARD_CREDENTIALS=${TRAEFIK_DASHBOARD_CREDENTIALS}
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - ${XDG_RUNTIME_DIR}/podman/podman.sock:/var/run/docker.sock:Z
+      # Static (static) config
+      - ./config/traefik.yaml:/traefik.yaml:ro,Z
+      # Dynamic (file provider) config
+      - ./config/config.yaml:/config.yaml:ro,Z
+      # Your self-signed wildcard cert
+      - ./certs/wildcard.192.168.205.130.nip.io.crt:/certs/wildcard.192.168.205.130.nip.io.crt:ro
+      - ./certs/wildcard.192.168.205.130.nip.io.key:/certs/wildcard.192.168.205.130.nip.io.key:ro
+      # Logs
+      - ./logs:/var/log/traefik:Z
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.traefik.entrypoints=http"  # expose dashboard on HTTP :contentReference[oaicite:2]{index=2}
+      - "traefik.http.routers.traefik.rule=Host(`traefik.192.168.205.130.nip.io`)"
+      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
+      # Redirect HTTP → HTTPS
+      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
+      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
+      # Secure (HTTPS) dashboard
+      - "traefik.http.routers.traefik-secure.entrypoints=https"
+      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.192.168.205.130.nip.io`)"
+      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
+      - "traefik.http.routers.traefik-secure.tls=true"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].main=192.168.205.130.nip.io"
+      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.192.168.205.130.nip.io"
+      - "traefik.http.routers.traefik-secure.service=api@internal"
+
+networks:
+  proxy:
+    external: true  
+