From 322824d250f4189843b8eaa5e4c5a4af1008c1a9 Mon Sep 17 00:00:00 2001
From: Jim Madge
Date: Tue, 6 Jul 2021 11:19:41 +0100
Subject: [PATCH] Add traefik dynamic configuration template
---
.../guacamole/traefik_dynamic_conf.yml.j2 | 28 +++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 ansible/templates/guacamole/traefik_dynamic_conf.yml.j2
diff --git a/ansible/templates/guacamole/traefik_dynamic_conf.yml.j2 b/ansible/templates/guacamole/traefik_dynamic_conf.yml.j2
new file mode 100644
index 0000000..a61eb71
--- /dev/null
+++ b/ansible/templates/guacamole/traefik_dynamic_conf.yml.j2
@@ -0,0 +1,28 @@
+---
+
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ cipherSuites:
+ # TLS 1.3 ciphers
+ - TLS_AES_128_GCM_SHA256
+ - TLS_AES_256_GCM_SHA384
+ - TLS_CHACHA20_POLY1305_SHA256
+ # TLS 1.2 ciphers
+ - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+ preferServerCipherSuites: true
+{% if lets_encrypt %}
+ sniStrict: true
+{% endif %}
+
+http:
+ middlewares:
+ hsts-headers:
+ headers:
+ stsSeconds: 31536000
+ forceSTSHeader: true
+ stsPreload: true
+ stsIncludeSubdomains: true
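Review bot: The `hsts-headers` middleware hard-codes a one-year policy with `stsPreload: true` and `stsIncludeSubdomains: true`, whereas `sniStrict` just above is templated on `lets_encrypt`, so a deployment cannot opt out of a commitment that is slow to reverse once browsers or a preload list have recorded it. I would make the preload flag opt-in, e.g. `stsPreload: {{ hsts_preload | default(false) | lower }}` (`hsts_preload` is a new variable, not one this patch defines), and add a comment that the middleware only takes effect once a router references it, which this file does not show. Separately, the three entries under `# TLS 1.3 ciphers` do not restrict anything, because Go's TLS stack, which Traefik uses, does not make TLS 1.3 suites configurable; the comment would be more accurate as `# TLS 1.3 suites (not configurable in Go; listed for reference)`. The TLS 1.2 list is `ECDHE_RSA` only, so it presumably relies on the served certificate keeping an RSA key, which is worth stating in a comment next to it.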