traefik: harden websecure defaults (crowdsec, headers, tls12)

docker-compose.yaml

@@ -16,6 +16,7 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - ./certs:/letsencrypt
+      - ./secrets:/secrets:ro
       #- ./dashboard_authfile:/dashboard_authfile:ro
       - ./dynamic.d:/dynamic.d
       - ./traefik.yml:/traefik.yml
@@ -30,6 +31,11 @@ services:
       - "traefik.http.routers.traefik.entrypoints=internal_websecure"
       - "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
       - "traefik.http.routers.traefik.service=api@internal"
+      # CrowdSec bouncer middleware (defined via Docker provider so the LAPI key isn't stored in git-tracked files).
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.enabled=true"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecMode=stream"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiHost=localhost:8080"
+      - "traefik.http.middlewares.crowdsec.plugin.bouncer.crowdsecLapiKey=${CROWDSEC_LAPI_KEY}"
       - "com.centurylinklabs.watchtower.enable=true" # Added label for Watchtower
       # "traefik.http.middlewares.auth.basicauth.usersfile=/dashboard_authfile"
       - "traefik.http.services.traefik.loadbalancer.server.port=9090"