traefik/config.yml
Paul R Kartchner 8282e13b65 Add GeoIP blocking to allow only US traffic
Configuration changes:
- Add GeoBlock plugin (PascalMinder v0.2.7)
- Configure whitelist mode for US-only access
- Apply GeoIP middleware to all public services
- Block all non-US countries automatically

Security enhancements:
- Mealie: US access only
- Gogs: US access only
- Automatic country detection via geojs.io API
- Caching for performance (25 entries)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-20 22:52:10 +00:00


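http:
  routers:
    # Router for Gogs (if it's running outside Docker or on different network)
    gogs:
      rule: "Host(`git.pkartchner.com`)"
      entryPoints:
        - https
      service: gogs
      # Middleware order is the evaluation order: geoblock runs first, so
      # non-US clients are rejected before the bouncer or backend see them.
      middlewares:
        - geoblock
        - secure-headers
        - crowdsec-bouncer
      tls:
        certResolver: letsencrypt

  services:
    # Service for Gogs
    gogs:
      loadBalancer:
        servers:
          - url: "http://gogs.pkartchner.com:3000"

  middlewares:
    # Security headers
    secure-headers:
      headers:
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000  # one year; the minimum expected for HSTS preload
        customFrameOptionsValue: "SAMEORIGIN"
        contentTypeNosniff: true
        browserXssFilter: true  # legacy X-XSS-Protection header; modern browsers ignore it
        referrerPolicy: "same-origin"

    # IP whitelist for internal network access only
    # NOTE(review): no router in this file references this middleware, so it
    # currently protects nothing; attach it or remove it deliberately.
    # `ipWhiteList` is the Traefik v2 option name — confirm the running
    # Traefik version does not expect `ipAllowList` instead.
    internal-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.20.10.0/24"
          - "10.20.140.0/24"
          - "127.0.0.1/32"

    # Crowdsec bouncer middleware
    crowdsec-bouncer:
      plugin:
        bouncer:
          enabled: true
          crowdsecMode: live
          # The LAPI key is a credential and must not live in a committed file.
          # It is pulled from Traefik's environment through the file provider's
          # Go templating (sprig `env`); CROWDSEC_LAPI_KEY is a constructed
          # variable name — export it wherever Traefik runs. The key that was
          # previously committed here remains in git history and must be
          # rotated in CrowdSec.
          crowdsecLapiKey: '{{ env "CROWDSEC_LAPI_KEY" }}'
          crowdsecLapiHost: "crowdsec:8080"
          # Plaintext to the LAPI is only acceptable on an isolated container network.
          crowdsecLapiScheme: http
          # NOTE(review): the bouncer derives the client IP from this header.
          # Confirm the plugin only honours it from trusted upstream proxies
          # (its forwardedHeadersTrustedIPs option); otherwise a client that
          # reaches Traefik directly can set the header to evade decisions.
          forwardedHeadersCustomName: X-Custom-Header

    # GeoIP blocking - Allow only US traffic
    geoblock:
      plugin:
        geoblock:
          silentStartUp: false
          # Requests from local/private source addresses presumably bypass the
          # country check (plugin option) — verify which ranges that covers.
          allowLocalRequests: true
          logLocalRequests: false
          logAllowedRequests: false
          logApiRequests: false
          # Third-party lookup: each uncached client IP is sent to geojs.io.
          api: "https://get.geojs.io/v1/ip/country/{ip}"
          apiTimeoutMs: 750
          # Small cache: with more than ~25 distinct clients most requests
          # trigger an API call, so geojs.io latency/outages affect availability.
          cacheSize: 25
          forceMonthlyUpdate: true
          # Fail closed: an IP whose country cannot be determined is denied.
          allowUnknownCountries: false
          # Quoted on purpose: this is the literal string the lookup API returns
          # for an unknown country, not YAML null.
          unknownCountryApiResponse: "nil"
          countries:
            - US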