From 084fda4ba66932b130d871ecc0392751b62dbcba Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Mon, 28 Jul 2025 11:59:19 +0100
Subject: [PATCH] Add traefik security headers, short url

Signed-off-by: Nikolaos Karaolidis
---
 .../configs/console/podman/shlink/default.nix | 9 ++++++++
 .../console/podman/traefik/default.nix | 22 ++++++++++++++-----
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git a/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix b/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
index 766828d..bfd203b 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/shlink/default.nix
@@ -72,8 +72,17 @@ in
 environmentFiles = [ hmConfig.sops.templates.shlink-env.path ];

 labels = [
 "traefik.enable=true"
+ "traefik.http.routers.shlink.rule=Host(`url.karaolidis.com`)"
 "traefik.http.routers.shlink.middlewares=authelia@docker"
+
+ "traefik.http.routers.shlink-short.rule=Host(`u.karaolidis.com`)"
+ "traefik.http.routers.shlink-short.middlewares=redirect-shlink-short@docker"
+ "traefik.http.routers.shlink-short.service=noop@internal"
+
+ "traefik.http.middlewares.redirect-shlink-short.redirectregex.regex=^https://u\.karaolidis\.com(/.*)?$"
+ "traefik.http.middlewares.redirect-shlink-short.redirectregex.replacement=https://url.karaolidis.com$\${1}"
+ "traefik.http.middlewares.redirect-shlink-short.redirectregex.permanent=true"
 ];

 };
diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
index c4ba504..c9f80f1 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix
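Review bot: The `\.` escapes in the `redirect-shlink-short.redirectregex.regex` label do not survive Nix evaluation — in a double-quoted Nix string an unrecognised escape such as `\.` is reduced to the bare character, so Traefik receives `^https://u.karaolidis.com(/.*)?$` with every dot acting as a wildcard (the `$\${1}` on the next line shows `$` was escaped deliberately, but the dots were missed). Write them as `\\.`, or put the label in an `''…''` indented string where backslashes are literal. Here the router's `Host(`u.karaolidis.com`)` rule already bounds what the regex can see, so the practical effect is small, but the same pattern copied elsewhere would not be. Separately, the redirect lands on `url.karaolidis.com`, whose router carries `authelia@docker`, so anonymous visitors following a short link appear to be sent to the SSO login unless Authelia's access-control rules bypass the short-code paths — worth confirming before relying on `u.` links publicly. The `labels` list and the container body close inside the hunk, but the attribute set they belong to starts outside it.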
@@ -72,7 +72,6 @@ in
 "--entrypoints.http.http.redirections.entryPoint.to=https"
 "--entrypoints.http.http.redirections.entryPoint.scheme=https"
 "--entryPoints.http.http3"
- "--entrypoints.http.forwardedHeaders.insecure=true"

 "--entryPoints.https.address=:443"
 "--entryPoints.https.asDefault=true"
@@ -81,10 +80,9 @@ in
 "--entrypoints.https.http.tls.domains[0].main=karaolidis.com"
 "--entrypoints.https.http.tls.domains[0].sans=*.karaolidis.com,*.tunnel.karaolidis.com,*.gaming.karaolidis.com"
 "--entrypoints.https.http.tls.domains[1].main=krlds.com"
- "--entrypoints.https.http.tls.domains[1].sans=*.krlds.com,*.tunnel.krlds.com,*.gaming.krlds.com"
- "--entrypoints.https.http.middlewares=compress@docker"
+ "--entrypoints.https.http.tls.domains[1].sans=*.krlds.com"
 "--entryPoints.https.http3"
- "--entrypoints.https.forwardedHeaders.insecure=true"
+ "--entrypoints.https.http.middlewares=compress@docker,security-headers@docker"

 "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
 "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
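Review bot: With `forwardedHeaders.insecure` dropped from the https entrypoint and no `forwardedHeaders.trustedIPs` added in its place, Traefik now discards every client-supplied `X-Forwarded-*` header; that is the correct default when Traefik is the edge, but the `*.tunnel.karaolidis.com` SAN a few lines above suggests some traffic arrives through a tunnel or proxy, and for those requests Authelia and the backends will see the tunnel's address as the client IP (which affects Authelia's network-based rules and any ban or rate-limit accounting). If that is the topology, add `"--entrypoints.https.forwardedHeaders.trustedIPs=<tunnel/proxy CIDR>"` next to the http3 line so only that hop may set the headers. Note also that `security-headers@docker` is attached entrypoint-wide, so it applies to every router on :443 including `api@internal` and any third-party app; `frameDeny=true` there will break anything that legitimately embeds itself in a frame, which may well be intended but deserves a comment such as `# applied to every https router; a router needing different headers must declare its own headers middleware`. Finally, the new `*.krlds.com` SAN covers one label only, so deeper names like `a.b.krlds.com`, which the `krlds` HostRegexp router would otherwise redirect, now fail the TLS handshake before the redirect runs.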
@@ -104,8 +102,22 @@ in
 "traefik.http.routers.traefik-api.service=api@internal"
 "traefik.http.routers.traefik-api.middlewares=authelia@docker"

+ "traefik.http.routers.krlds.rule=HostRegexp(`^(.+\.)?krlds\.com$`)"
+ "traefik.http.routers.krlds.middlewares=redirect-krlds-to-karaolidis@docker"
+ "traefik.http.routers.krlds.service=noop@internal"
+
+ "traefik.http.middlewares.redirect-krlds-to-karaolidis.redirectregex.regex=^https://([^/]+\.)?krlds\.com(/.*)?$"
+ "traefik.http.middlewares.redirect-krlds-to-karaolidis.redirectregex.replacement=https://$\${1}karaolidis.com$\${2}"
+ "traefik.http.middlewares.redirect-krlds-to-karaolidis.redirectregex.permanent=true"
+
 "traefik.http.middlewares.compress.compress=true"
- # TODO: Middlewares: Headers (Security + Performance)
+
+ "traefik.http.middlewares.security-headers.headers.referrerPolicy=strict-origin-when-cross-origin"
+ "traefik.http.middlewares.security-headers.headers.stsSeconds=63072000"
+ "traefik.http.middlewares.security-headers.headers.stsIncludeSubdomains=true"
+ "traefik.http.middlewares.security-headers.headers.stsPreload=true"
+ "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
+ "traefik.http.middlewares.security-headers.headers.frameDeny=true"
 ];
 environmentFiles = [ hmConfig.sops.templates.traefik-env.path ];
 };
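Review bot: The `HostRegexp(`^(.+\.)?krlds\.com$`)` rule and the `redirect-krlds-to-karaolidis` regex lose their `\.` escapes when Nix evaluates the double-quoted string (an unrecognised escape is reduced to the bare character), so Traefik actually sees `^(.+.)?krlds.com$` and `^https://([^/]+.)?krlds.com(/.*)?$`, in which every dot is a wildcard; a request whose Host is, say, `evilkrlds.com` would — if it reached this entrypoint — match the router and be 301'd to `https://evilkaraolidis.com/`, which is looser than the intended "krlds.com and its subdomains". Escape them as `\\.` (the `$\${1}` on the replacement line shows escaping was already considered for `$`) or switch these labels to an `''…''` string so they reach Traefik as written. The HSTS trio `stsSeconds=63072000`, `stsIncludeSubdomains=true`, `stsPreload=true` is effectively irreversible once the apex is submitted to the preload list — every present and future subdomain of `karaolidis.com`, including the `*.gaming` and `*.tunnel` ranges, must then serve valid HTTPS — so it deserves a comment stating that is intended, e.g. `# HSTS with preload: commits all subdomains to HTTPS permanently`. No `contentSecurityPolicy` or `permissionsPolicy` is set; that is defensible for an entrypoint-wide middleware since both are app-specific, but a one-line comment recording the deliberate omission would preserve the intent of the removed TODO. The `labels` list closes inside the hunk, while the container attribute set it belongs to starts outside it.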