adding untested changes and new dockers

tools/wireguard/traefik/dynamic.yml

@@ -0,0 +1,97 @@
+# =============================================================================
+# Traefik Dynamic Configuration
+# This file defines your routers, services, and middlewares.
+#
+# HTTP → HTTPS redirection is handled globally in traefik.yml, so each service
+# only needs a single router for HTTPS.
+#
+# Sections marked "No changes needed" are reusable building blocks.
+# Sections marked "CONFIGURE" are where you add your own services.
+# =============================================================================
+
+http:
+    # --- No changes needed ---------------------------------------------------
+    middlewares:
+        https-headers:
+            # Required for services that need to know the original protocol
+            # (e.g. Mastodon, Matrix/Synapse)
+            headers:
+                customRequestHeaders:
+                    X-Forwarded-Proto: "https"
+
+    serversTransports:
+        # Use this for backend containers that use self-signed TLS certs
+        # (e.g. Nextcloud). Reference it in a service with:
+        #   serversTransport: insecure-transport
+        insecure-transport:
+            insecureSkipVerify: true
+    # -------------------------------------------------------------------------
+
+    # --- CONFIGURE -----------------------------------------------------------
+    routers:
+        # Basic service
+        my-service:
+            rule: "Host(`service.example.com`)"  # <-- change domain
+            entryPoints:
+                - websecure
+            service: my-service
+            tls:
+                certResolver: letsencrypt
+
+        # Service that needs X-Forwarded-Proto (e.g. Mastodon, Synapse)
+        my-service-with-headers:
+            rule: "Host(`other.example.com`)"  # <-- change domain
+            entryPoints:
+                - websecure
+            service: my-service-with-headers
+            middlewares:
+                - https-headers
+            tls:
+                certResolver: letsencrypt
+
+        # Service with a self-signed cert on the backend (e.g. Nextcloud)
+        my-https-backend:
+            rule: "Host(`secure.example.com`)"  # <-- change domain
+            entryPoints:
+                - websecure
+            service: my-https-backend
+            tls:
+                certResolver: letsencrypt
+
+    services:
+        my-service:
+            loadBalancer:
+                servers:
+                    - url: "http://container-name:PORT"  # <-- change container name and port
+
+        my-service-with-headers:
+            loadBalancer:
+                servers:
+                    - url: "http://container-name:PORT"  # <-- change container name and port
+
+        my-https-backend:
+            loadBalancer:
+                servers:
+                    - url: "https://container-name:PORT"  # <-- change container name and port
+                serversTransport: insecure-transport
+    # -------------------------------------------------------------------------
+
+# =============================================================================
+# TCP — only needed for raw TCP services (game servers, etc.)
+# Remove this section entirely if you don't need it.
+# =============================================================================
+tcp:
+    # --- CONFIGURE -----------------------------------------------------------
+    routers:
+        my-tcp-service:
+            rule: "HostSNI(`*`)"
+            entryPoints:
+                - my-tcp-entrypoint  # <-- must match an entrypoint defined in traefik.yml
+            service: my-tcp-service
+
+    services:
+        my-tcp-service:
+            loadBalancer:
+                servers:
+                    - address: "container-name:PORT"  # <-- change container name and port
+    # -------------------------------------------------------------------------