Initialize Git Repository: 'Traefik'

root/DEBIAN/conffiles

@@ -0,0 +1,6 @@
+/etc/traefik/providers.yml
+/etc/traefik/traefik.env
+/etc/traefik/traefik.yml
+/etc/traefik/acme/00-export
+/etc/traefik/acme/01-changelog
+/etc/traefik/acme/acme.env

root/DEBIAN/control

@@ -0,0 +1,10 @@
+Package: traefik
+Version: 3.6.7
+Architecture:
+Installed-Size:
+Depends: jq
+Priority: optional
+Section: misc
+Homepage: http://www.privlab.it
+Maintainer: PrivLab <repository@privlab.it>
+Description: Traefik HTTP reverse proxy and load balancer

root/DEBIAN/postinst

@@ -0,0 +1,54 @@
+#!/usr/bin/sh
+
+set -e
+set -u
+
+if [ -d '/run/systemd/system' ]; then
+  /usr/bin/systemctl --system daemon-reload > '/dev/null' || true
+fi
+ 
+case "${1}" in
+  configure)
+    if [ -x '/usr/bin/deb-systemd-helper' ]; then
+      /usr/bin/deb-systemd-helper unmask 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-helper unmask 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-helper unmask 'traefik-acme.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+    if /usr/bin/deb-systemd-helper --quiet was-enabled 'traefik.service'; then
+      /usr/bin/deb-systemd-helper enable 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    else
+      /usr/bin/deb-systemd-helper update-state 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+    if /usr/bin/deb-systemd-helper --quiet was-enabled 'traefik-acme.path'; then
+      /usr/bin/deb-systemd-helper enable 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    else
+      /usr/bin/deb-systemd-helper update-state 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+    if [ -x '/etc/init.d/traefik' ]; then
+      /usr/sbin/update-rc.d 'traefik' defaults > '/dev/null' || true
+    fi
+    /usr/bin/install --directory --group='traefik' --mode='750' --owner='traefik' '/var/lib/traefik'
+    /usr/bin/install --directory --group='traefik' --mode='750' --owner='traefik' '/var/log/traefik'
+    /usr/bin/install --directory --group='traefik' --mode='750' --owner='traefik' '/var/logrotate/traefik'
+    /usr/bin/chown --quiet --recursive 'traefik' '/etc/traefik'
+    if [ -x '/usr/bin/deb-systemd-invoke' ]; then
+      /usr/bin/systemctl --system daemon-reload > '/dev/null' || true
+      if [ -n "${2}" ]; then
+        _dh_action='restart'
+      else
+        _dh_action='start'
+      fi
+      /usr/bin/deb-systemd-invoke "${_dh_action}" 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-invoke "${_dh_action}" 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+  ;;
+esac

root/DEBIAN/postrm

@@ -0,0 +1,43 @@
+#!/usr/bin/sh
+
+set -e
+set -u
+
+if [ -d '/run/systemd/system' ]; then
+  /usr/bin/systemctl --system daemon-reload > '/dev/null' 2>&1 || \
+    /usr/bin/true
+fi
+
+case "${1}" in
+  remove)
+    if [ -x '/usr/bin/deb-systemd-helper' ]; then
+      /usr/bin/deb-systemd-helper mask 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-helper mask 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+  ;;
+  purge)
+    if [ -x '/usr/bin/deb-systemd-helper' ]; then
+      /usr/bin/deb-systemd-helper purge 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-helper unmask 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-helper purge 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-helper unmask 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+    if /usr/bin/getent passwd 'traefik' > '/dev/null' 2>&1; then
+      /usr/sbin/deluser 'traefik' > '/dev/null' 2>&1
+    fi
+    if /usr/bin/getent group 'traefik' > '/dev/null' 2>&1; then
+      /usr/sbin/deluser --group 'traefik' > '/dev/null' 2>&1
+    fi
+    /usr/bin/rm --force --recursive '/etc/traefik'
+    /usr/bin/rm --force --recursive '/var/lib/traefik'
+  ;;
+esac
+
+/usr/bin/rm --force --recursive '/var/log/traefik'
+/usr/bin/rm --force --recursive '/var/logrotate/traefik'

root/DEBIAN/preinst

@@ -0,0 +1,20 @@
+#!/usr/bin/sh
+
+set -e
+set -u
+
+case "${1}" in
+  install)
+    if ! /usr/bin/getent passwd 'traefik' > '/dev/null' 2>&1; then
+      /usr/sbin/adduser --quiet \
+                        --system \
+                        --home '/nonexistent' \
+                        --shell '/usr/sbin/nologin' \
+                        --no-create-home \
+                        --group \
+                        --disabled-password \
+                        --disabled-login \
+                        'traefik' > '/dev/null' 2>&1
+    fi
+  ;;
+esac

root/DEBIAN/prerm

@@ -0,0 +1,25 @@
+#!/usr/bin/sh
+
+set -e
+set -u
+
+case "${1}" in
+  remove)
+    if [ -x '/usr/bin/deb-systemd-invoke' ]; then
+      /usr/bin/deb-systemd-invoke stop 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-invoke stop 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-invoke stop 'traefik-acme.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-invoke disable 'traefik.service' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+      /usr/bin/deb-systemd-invoke disable 'traefik-acme.path' > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+    if [ -x '/etc/init.d/traefik' ]; then
+      /usr/sbin/update-rc.d 'traefik' remove > '/dev/null' 2>&1 || \
+        /usr/bin/true
+    fi
+  ;;
+esac

root/etc/init.d/traefik

@@ -0,0 +1,87 @@
+#!/usr/bin/sh
+
+### BEGIN INIT INFO
+# Provides:          traefik
+# Required-Start:    $local_fs $network $remote_fs
+# Required-Stop:     $local_fs $network $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Traefik Reverse Proxy
+# Description:       Traefik is an open-source reverse proxy and load balancer
+#                    designed for microservices and containerized applications.
+#                    It automatically discovers services and routes traffic
+#                    based on defined rules. Traefik supports HTTP, HTTPS, and
+#                    TCP protocols, offers automatic SSL certificate
+#                    management, and provides a user-friendly dashboard for
+#                    monitoring traffic and service health.
+### END INIT INFO
+
+NAME='traefik'
+DESC='Traefik Reverse Proxy'
+USER='traefik'
+GROUP='traefik'
+PIDFOLDER="/run/${NAME}"
+PIDFILE="${PIDFOLDER}/${NAME}.pid"
+DAEMON='/usr/sbin/traefik'
+DAEMON_CONFIG='/etc/traefik/traefik.yml'
+DAEMON_OPTS="--configfile ${DAEMON_CONFIG}"
+
+set -e
+
+[ -f "${DAEMON_CONFIG}" ]
+
+. /lib/lsb/init-functions
+
+[ -x "${DAEMON}" ]
+
+case "${1}" in
+  start)
+    /usr/bin/install --directory --group="${GROUP}" ---mode='0755' --owner="${USER}" "${PIDFOLDER}"
+    log_daemon_msg "Starting ${DESC}" "${NAME}"
+    if /usr/sbin/start-stop-daemon --quiet \
+                                   --start \
+                                   --oknodo \
+                                   --make-pidfile \
+                                   --pidfile "${PIDFILE}" \
+                                   --user "${USER}" \
+                                   --group "${GROUP}" \
+                                   --exec "${DAEMON}" -- "${DAEMON_OPTS}"; then
+      log_end_msg 0
+    else
+      log_end_msg 1
+      /usr/bin/test -f "${PIDFILE}" && \
+        /usr/bin/rm --force "${PIDFILE}"
+    fi
+  ;;
+  stop)
+    log_daemon_msg "Stopping ${DESC}" "${NAME}"
+    if /usr/sbin/start-stop-daemon --quiet \
+                                   --stop \
+                                   --oknodo \
+                                   --retry 30 \
+                                   --remove-pidfile \
+                                   --pidfile "${PIDFILE}" \
+                                   --user "${USER}" \
+                                   --group "${GROUP}" \
+                                   --exec "${DAEMON}"; then
+      /usr/bin/test -f "${PIDFILE}" && \
+        /usr/bin/rm --force "${PIDFILE}"
+      log_end_msg 0
+    else
+      log_end_msg 1
+    fi
+  ;;
+  restart)
+    "${0}" stop
+    "${0}" start
+  ;;
+  status)
+    status_of_proc -p "${PIDFILE}" "${DAEMON}" "${NAME}" && \
+      exit 0 || \
+      exit "${?}"
+  ;;
+  *)
+    echo "Usage: /etc/init.d/${NAME} {start|stop|restart|status}" >&2
+    exit 1
+  ;;
+esac

root/etc/logrotate.d/traefik

@@ -0,0 +1,71 @@
+/var/log/traefik/*.log {
+  # Truncate the original log file in place after creating a copy,
+  # instead of moving the old log file and optionally creating a
+  # new one. It can be used when some program cannot be told to
+  # close its logfile and thus might continue writing (appending)
+  # to the previous log file forever. Note that there is a very
+  # small time slice between copying the file and truncating it, so
+  # some logging data might be lost. When this option is used, the
+  # create option will have no effect, as the old log file stays in
+  # place.
+  copytruncate
+
+  # Log files are rotated every day.
+  daily
+
+  # Archive old versions of log files adding a daily extension like
+  # YYYYMMDD instead of simply adding a number. The extension may
+  # be configured using the dateformat option.
+  dateext
+
+  # Specify the extension for dateext using the notation similar to
+  # strftime(3) function. Only %Y %m %d and %s specifiers are allowed.
+  # The default value is -%Y%m%d. Note that also the character
+  # separating log name from the extension is part of the dateformat
+  # string. The system clock must be set past Sep 9th 2001 for %s to
+  # work correctly. Note that the datestamps generated by this format
+  # must be lexically sortable (i.e., first the year, then the month
+  # then the day. e.g., 2001/12/01 is ok, but 01/12/2001 is not, since
+  # 01/11/2002 would sort lower while it is later). This is because when
+  # using the rotate option, logrotate sorts all rotated filenames to
+  # find out which logfiles are older and should be removed.
+  dateformat .%Y-%m-%d
+
+  # Use yesterday's instead of today's date to create the dateext
+  # extension, so that the rotated log file has a date in its name that
+  # is the same as the timestamps within it.
+  dateyesterday
+
+  # Postpone compression of the previous log file to the next rotation
+  # cycle. This only has effect when used in combination with compress.
+  # It can be used when some program cannot be told to close its logfile
+  # and thus might continue writing to the previous log file for some time.
+  delaycompress
+
+  # Do not copy the original log file and leave it in place.
+  nocopy
+
+  # New log files are not created.
+  nocreate
+
+  # Don't mail old log files to any address.
+  nomail
+
+  # Do not use shred when deleting old log files.
+  noshred
+
+  # Do not rotate the log if it is empty.
+  notifempty
+
+  # Logs are moved into directory for rotation. The directory must be on the
+  # same physical device as the log file being rotated, and is assumed to be
+  # relative to the directory holding the log file unless an absolute path
+  # name is specified. When this option is used all old versions of the log
+  # end up in directory.
+  olddir /var/logrotate/traefik
+
+  # Log files are rotated count times before being removed or mailed to the
+  # address specified in a mail directive. If count is 0, old versions are
+  # removed rather than rotated.
+  rotate 7
+}

root/etc/traefik/acme/00-export

@@ -0,0 +1,84 @@
+#!/usr/bin/bash
+
+
+#
+# Export the certificates and keys from 'acme.json'
+#
+
+
+###
+#
+# Options Section
+#
+###
+
+set -e
+set -u
+set -o pipefail
+
+
+###
+#
+# Variables Section
+#
+###
+
+source '/etc/traefik/acme/acme.env'
+ACME_STORAGE="${ACME_STORAGE:='/var/lib/traefik/acme'}"
+ACME_DATABASE="${ACME_DATABASE:='/var/lib/traefik/acme.json'}"
+
+
+###
+#
+# Runtime Environment
+#
+###
+
+if [[ "${EUID}" -ne '0' && "${USER}" != 'traefik' ]]; then
+  /usr/bin/echo -e 'Error: Permission Denied'
+  exit 1
+fi
+
+if [[ -d "${ACME_STORAGE}" ]]; then
+  /usr/bin/rm --force --recursive "${ACME_STORAGE}"
+fi
+
+/usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}"
+
+for RESOLVER in $(/usr/bin/jq --raw-output --exit-status 'keys[]' "${ACME_DATABASE}"); do
+  ACCOUNT=$(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --exit-status '.[$resolver].Account.PrivateKey' "${ACME_DATABASE}")
+  /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/.${RESOLVER}"
+  /usr/bin/echo -e "-----BEGIN RSA PRIVATE KEY-----\n${ACCOUNT}\n-----END RSA PRIVATE KEY-----" | \
+    /usr/bin/openssl 'rsa' -inform 'pem' -out "${ACME_STORAGE}/.${RESOLVER}/account.key" &> '/dev/null'
+  /usr/bin/chmod '0400' "${ACME_STORAGE}/.${RESOLVER}/account.key"
+  /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/.${RESOLVER}/account.key"
+  for DOMAIN in $(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --exit-status '.[$resolver].Certificates[].domain.main' "${ACME_DATABASE}"); do
+    CERTIFICATE=$(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --arg domain "${DOMAIN}" --exit-status '.[$resolver].Certificates[] | select (.domain.main == $domain ) | .certificate' "${ACME_DATABASE}")
+    KEY=$(/usr/bin/jq --raw-output --arg resolver "${RESOLVER}" --arg domain "${DOMAIN}" --exit-status '.[$resolver].Certificates[] | select (.domain.main == $domain ) | .key' "${ACME_DATABASE}")
+    /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/${DOMAIN}"
+    case "${RESOLVER}" in
+      *rsa*)
+        /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/${DOMAIN}/rsa"
+	      /usr/bin/echo "${CERTIFICATE}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/rsa/root.crt"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/rsa/root.crt"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/rsa/root.crt"
+	      /usr/bin/echo "${KEY}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/rsa/root.key"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/rsa/root.key"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/rsa/root.key"
+      ;;
+      *ecdsa*)
+        /usr/bin/install --directory --group='traefik' --mode='0700' --owner='traefik' "${ACME_STORAGE}/${DOMAIN}/ecc"
+	      /usr/bin/echo "${CERTIFICATE}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/ecc/root.crt"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/ecc/root.crt"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/ecc/root.crt"
+	      /usr/bin/echo "${KEY}" | \
+          /usr/bin/base64 --decode > "${ACME_STORAGE}/${DOMAIN}/ecc/root.key"
+        /usr/bin/chmod '0400' "${ACME_STORAGE}/${DOMAIN}/ecc/root.key"
+        /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE}/${DOMAIN}/ecc/root.key"
+      ;;
+    esac
+  done
+done

root/etc/traefik/acme/01-changelog

@@ -0,0 +1,62 @@
+#!/usr/bin/bash
+
+
+#
+# Generate changelog with hashsum from the exported certificates
+#
+
+
+###
+#
+# Options Section
+#
+###
+
+set -e
+set -u
+set -o pipefail
+
+
+###
+#
+# Variables Section
+#
+###
+
+source '/etc/traefik/acme/acme.env'
+ACME_STORAGE="${ACME_STORAGE:='/var/lib/traefik/acme'}"
+ACME_STORAGE_HASH="${ACME_STORAGE_HASH:='/var/lib/traefik/acme.md5sum'}"
+ACME_STORAGE_CHANGELOG="${ACME_STORAGE_CHANGELOG:='/var/lib/traefik/acme.log'}"
+
+
+###
+#
+# Runtime Environment
+#
+###
+
+if [[ "${EUID}" -ne '0' && "${USER}" != 'traefik' ]]; then
+  /usr/bin/echo -e 'Error: Permission Denied'
+  exit 1
+fi
+
+TMP_DIRECTORY=$(/usr/bin/mktemp --directory --quiet)
+trap "/usr/bin/rm --force --recursive ${TMP_DIRECTORY}" EXIT
+
+if [[ ! -f "${ACME_STORAGE_HASH}" ]]; then
+  /usr/bin/find "${ACME_STORAGE}" -type f -exec /usr/bin/md5sum {} + > "${ACME_STORAGE_HASH}"
+  /usr/bin/chmod 0400 "${ACME_STORAGE_HASH}"
+  /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE_HASH}"
+  /usr/bin/diff '/dev/null' "${ACME_STORAGE_HASH}" | /usr/bin/grep '^>' | /usr/bin/mawk '{print $3}' > "${ACME_STORAGE_CHANGELOG}" || \
+    /usr/bin/true
+  /usr/bin/chmod 0400 "${ACME_STORAGE_CHANGELOG}"
+  /usr/bin/chown 'traefik':'traefik' "${ACME_STORAGE_CHANGELOG}"
+  exit 0
+fi
+
+/usr/bin/find "${ACME_STORAGE}" -type f -exec /usr/bin/md5sum {} + > "${TMP_DIRECTORY}/traefik_acme.md5sum"
+
+/usr/bin/diff "${ACME_STORAGE_HASH}" "${TMP_DIRECTORY}/traefik_acme.md5sum" | /usr/bin/grep '^>' | /usr/bin/mawk '{print $3}' > "${ACME_STORAGE_CHANGELOG}" || \
+  /usr/bin/true
+
+/usr/bin/cat "${TMP_DIRECTORY}/traefik_acme.md5sum" > "${ACME_STORAGE_HASH}"

root/etc/traefik/acme/acme.env

@@ -0,0 +1,25 @@
+#
+# Traefik ACME Configuration
+#
+
+
+###############################
+# --- ACME Configurartion --- #
+###############################
+
+# Default: '/var/lib/traefik/acme.json'
+ACME_DATABASE='/var/lib/traefik/acme.json'
+
+# Default: '/var/lib/traefik/acme'
+ACME_STORAGE='/var/lib/traefik/acme'
+
+# Default: '/var/lib/traefik/acme.md5sum'
+ACME_STORAGE_HASH='/var/lib/traefik/acme.md5sum'
+
+# Default: '/var/lib/traefik/acme.log'
+ACME_STORAGE_CHANGELOG='/var/lib/traefik/acme.log'
+
+
+################################
+# --- Custom Configuration --- #
+################################

root/etc/traefik/providers.yml

@@ -0,0 +1,101 @@
+# - - - - - HTTP - - - - - #
+
+http:
+  middlewares:
+    auth:
+      digestAuth:
+        users:
+          # User: root
+          # Password: root
+          - root:traefik:d73fbe874041cb3659ad7d8ca0415268
+    compress:
+      compress:
+        defaultEncoding: gzip
+        minResponseBodyBytes: 256
+    headers:
+      headers:
+        browserXssFilter: true
+        contentTypeNosniff: true
+        forceSTSHeader: true
+        referrerPolicy: strict-origin-when-cross-origin
+        stsIncludeSubdomains: true
+        stsSeconds: 31536000
+    redirectscheme:
+      redirectScheme:
+        scheme: https
+        permanent: true
+  routers:
+    catchall:
+      entryPoints:
+        - http
+      middlewares:
+        - compress
+        - redirectscheme
+      priority: 1
+      rule: HostRegexp(`^.*$`)
+      service: catchall
+    catchall-tls:
+      entryPoints:
+        - https
+      middlewares:
+        - compress
+        - headers
+      priority: 1
+      rule: HostRegexp(`^.*$`)
+      service: catchall
+      tls: {}
+    traefik:
+      entryPoints:
+        - http
+      middlewares:
+        - auth
+        - compress
+        - redirectscheme
+      priority: 2
+      rule: Host(`localhost`)
+      service: api@internal
+    traefik-tls:
+      entryPoints:
+        - https
+      middlewares:
+        - auth
+        - compress
+        - headers
+      priority: 2
+      rule: Host(`localhost`)
+      service: api@internal
+      tls: {}
+  services:
+    catchall:
+      loadBalancer:
+        servers:
+          - url: http://localhost
+
+# - - - - - TCP - - - - - #
+
+tcp:
+  routers:
+    acme:
+      rule: HostSNI(`*`)
+      service: acme
+      tls:
+        passthrough: true
+        certResolver: dns-01
+        domains:
+          - main: example.com
+            sans:
+              - '*.example.com'
+  services:
+    acme:
+      loadBalancer:
+        servers:
+          - address: localhost:80
+
+# - - - - - TLS - - - - - #
+
+tls:
+  stores:
+    default:
+      defaultCertificate:
+        certFile: /etc/ssl/traefik/root.crt
+        keyFile: /etc/ssl/traefik/root.key

root/etc/traefik/traefik.yml

@@ -0,0 +1,63 @@
+# - - - - - Access Log - - - - - #
+
+accessLog:
+  filePath: /var/log/traefik/access.log
+
+# - - - - - API - - - - - #
+
+api:
+  disableDashboardAd: true
+
+# - - - - - Certificates Resolver - - - - - #
+
+#certificatesResolvers:
+#  http:
+#    acme:
+#      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+#      email: hostmaster@localhost
+#      storage: /var/lib/traefik/acme.json
+#      keyType: [RSA4096|EC384] # Select
+#      httpChallenge:
+#        entryPoint: http
+#  tls:
+#    acme:
+#      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+#      email: hostmaster@localhost
+#      storage: /var/lib/traefik/acme.json
+#      keyType: [RSA4096|EC384] # Select
+#      tlsChallenge: {}
+#  dns-01:
+#    acme:
+#      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+#      email: hostmaster@localhost
+#      storage: /var/lib/traefik/acme.json
+#      keyType: [RSA4096|EC384] # Select
+#      dnsChallenge:
+#        resolvers:
+#          - "localhost:53"
+#        propagation:
+#          delayBeforeChecks: 60s
+#          requireAllRNS: true
+#        provider:
+
+# - - - - - Entry Points - - - - - #
+
+entryPoints:
+  http:
+    address: :80
+  https:
+    address: :443
+
+# - - - - - Log - - - - - #
+
+log:
+  filePath: /var/log/traefik/error.log
+  level: ERROR
+  maxSize: 64
+
+# - - - - - Providers - - - - - #
+
+providers:
+  file:
+    filename: /etc/traefik/providers.yml
+    watch: true

root/lib/systemd/system/traefik-acme.path

@@ -0,0 +1,9 @@
+[Unit]
+Description=Traefik ACME Certificate Exporter
+ConditionFileNotEmpty=/var/lib/traefik/acme.json
+
+[Path]
+PathModified=/var/lib/traefik/acme.json
+
+[Install]
+WantedBy=multi-user.target

root/lib/systemd/system/traefik-acme.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Traefik ACME Certificate Exporter
+ConditionPathIsDirectory=/etc/traefik/acme
+ConditionFileNotEmpty=/var/lib/traefik/acme.json
+
+[Service]
+Type=simple
+EnvironmentFile=/etc/traefik/acme/acme.env
+ExecStartPre=/usr/bin/sleep 3s
+ExecStart=/usr/bin/run-parts --exit-on-error --new-session /etc/traefik/acme
+User=traefik
+Group=traefik
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+ReadWriteDirectories=/var/lib/traefik
+WorkingDirectory=/var/lib/traefik

root/lib/systemd/system/traefik.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=Traefik Reverse Proxy
+ConditionPathExists=/etc/traefik/traefik.yml
+StartLimitBurst=3
+StartLimitIntervalSec=60
+After=network.target network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+EnvironmentFile=/etc/traefik/traefik.env
+Restart=on-failure
+ExecStart=/usr/sbin/traefik --configfile '/etc/traefik/traefik.yml'
+ExecStartPost=/usr/bin/sh -c "umask '022'; /usr/bin/pgrep --newest 'traefik' > '/run/traefik/traefik.pid'"
+ExecStop=/usr/bin/rm --force '/run/traefik/traefik.pid'
+User=traefik
+Group=traefik
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+ReadWriteDirectories=/var/lib/traefik
+ReadWriteDirectories=/var/log/traefik
+RuntimeDirectory=traefik
+RuntimeDirectoryMode=755
+RuntimeDirectoryPreserve=yes
+WorkingDirectory=/var/lib/traefik
+
+[Install]
+WantedBy=multi-user.target

root/usr/lib/sysusers.d/traefik.conf

@@ -0,0 +1,2 @@
+g traefik - -
+u traefik - "traefik" /nonexistent /usr/sbin/nologin