Add advanced traefik example

Author: Flash1232

examples/traefik-advanced/.env

@@ -0,0 +1,3 @@
+MYSQL_DATABASE=anonaddy
+MYSQL_USER=anonaddy
+MYSQL_PASSWORD=anonaddy

examples/traefik-advanced/README.md

@@ -0,0 +1,30 @@
+This is a strongly opinionated AnonAddy Docker + Traefik config template that provides some production quality features.
+Note that you must further tweak the configuration and then run Docker in Swarm mode to ensure e.g. encrypted network traffic and scaling for serious production usage.
+You should also use something like Hashicorp Vault to protect any secrets as Docker secret files are still stored in plain text on the filesystem as well as disable root user access in containers.
+
+## Features
+ - Automatic creation of ACME SSL Wildcard Certificates using DNS Challenge resolver
+ - [Tecnativa's Docker Socket Proxy](https://github.com/Tecnativa/docker-socket-proxy) (reduce risk of Docker socket exposure)
+ - Automatic Postfix TLS management using [traefik-certs-dumper](https://github.com/kereis/traefik-certs-dumper)
+   - Auto-dumping of Let's Encrypt certificates to Postfix cert directory
+   - Watch & restart AnonAddy container on certificate renewal
+   - Hardened TLS cipher configuration
+ - Watchtower for automatic AnonAddy container updates upon new release
+ - CrowdSec with Traefik bouncer for SPAM detection and mitigation. Please refer to the [CrowdSec documentation](https://docs.crowdsec.net/docs/getting_started/install_crowdsec) for initial setup instructions.
+ - Enabled Rspamd and exposed Web UI (also covered by CrowdSec bouncer)
+
+**Note**: Does not ensure Zero Downtime deployment!
+
+## Usage
+
+Use these files for full SMTP(D) TLS/ DKIM/ DMARC/ PGP signing functionalities. \
+
+```bash
+mkdir letsencrypt
+touch letsencrypt/acme.json
+chmod 600 letsencrypt/acme.json
+docker-compose up -d
+docker-compose logs -f
+```
+
+You will also need to create secret files containing the DNS Challenge provider credentials. For more information, please refer to the [Traefik Docs](https://doc.traefik.io/traefik/https/acme/#providers).

examples/traefik-advanced/anonaddy.env

@@ -0,0 +1,43 @@
+TZ=Europe/Paris
+PUID=1000
+PGID=1000
+
+MEMORY_LIMIT=256M
+UPLOAD_MAX_SIZE=16M
+OPCACHE_MEM_SIZE=128
+REAL_IP_FROM=0.0.0.0/32
+REAL_IP_HEADER=X-Forwarded-For
+LOG_IP_VAR=http_x_forwarded_for
+#LISTEN_IPV6=false
+
+APP_KEY=
+APP_DEBUG=false
+APP_URL=https://anonaddy.example.com
+
+ANONADDY_RETURN_PATH=[email protected]
+ANONADDY_ADMIN_USERNAME=anonaddy
+ANONADDY_ENABLE_REGISTRATION=true
+ANONADDY_DOMAIN=example.com
+ANONADDY_ALL_DOMAINS=example.com
+ANONADDY_HOSTNAME=anonaddy.example.com
+ANONADDY_DNS_RESOLVER=127.0.0.1
+ANONADDY_SECRET=
+ANONADDY_LIMIT=200
+ANONADDY_BANDWIDTH_LIMIT=104857600
+ANONADDY_NEW_ALIAS_LIMIT=10
+ANONADDY_ADDITIONAL_USERNAME_LIMIT=3
+# See [Generate GPG key](https://github.com/anonaddy/docker#generate-gpg-key)
+#ANONADDY_SIGNING_KEY_FINGERPRINT=
+
+MAIL_FROM_NAME=AnonAddy
+MAIL_FROM_ADDRESS=[email protected]
+
+# See [Generate DKIM private/public keypair](https://github.com/anonaddy/docker#generate-dkim-privatepublic-keypair)
+RSPAMD_ENABLE=true
+RSPAMD_WEB_PASSWORD=<PASSWORD>
+
+POSTFIX_DEBUG=false
+POSTFIX_SMTPD_TLS=true
+POSTFIX_SMTPD_TLS_CERT_FILE=/data/output/mydomain.com/cert.pem
+POSTFIX_SMTPD_TLS_KEY_FILE=/data/output/mydomain.com/key.pem
+POSTFIX_SMTP_TLS=true

examples/traefik-advanced/config/ciphers.yaml

@@ -0,0 +1,16 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+      sniStrict: true
+      cipherSuites:
+        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
+
+    mintls13:
+      minVersion: VersionTLS13
+      sniStrict: true

examples/traefik-advanced/config/dynamic.yaml

@@ -0,0 +1,65 @@
+http:
+  routers:
+    anonaddy:
+      service: anonaddy
+      entrypoints:
+        - https
+      rule: "Host(`anonaddy.example.com`)"
+      middlewares:
+        - crowdsec-bouncer
+      tls:
+        certResolver: dnschallenge
+        domains:
+          - main: "example.com"
+            sans:
+              - "example.com"
+              - "anonaddy.example.com"
+              - "www.example.com"
+    rspamd:
+      service: rspamd
+      entrypoints:
+        - https
+      rule: "Host(`spam.example.com`)"
+      middlewares:
+        - crowdsec-bouncer
+      tls:
+        certResolver: dnschallenge
+        domains:
+          - main: "spam.example.com"
+            sans:
+              - "spam.example.com"
+  middlewares:
+    crowdsec-bouncer:
+      forwardAuth:
+        address: "http://bouncer:8080/api/v1/forwardAuth"
+    redirect-https:
+      redirectScheme:
+        scheme: https
+        permanent: true
+    default-middlewares:
+      chain:
+        middlewares:
+          - default-headers-https@file
+          - default-compress@file
+    default-headers-https:
+      headers:
+        customBrowserXSSValue: "0"
+        contentTypeNosniff: true
+        customResponseHeaders:
+          Server: ""
+        forceSTSHeader: true
+        frameDeny: true
+        stsSeconds: 31536000
+        stsPreload: true
+        stsIncludeSubdomains: true
+    default-compress:
+      compress: {}
+  services:
+    anonaddy:
+      loadbalancer:
+        servers:
+          - url: http://172.21.0.8:8000
+    rspamd:
+      loadbalancer:
+        servers:
+          - url: http://172.21.0.8:11334