Implement security HTTP headers' middleware

roles/traefik/defaults/main.yml

@@ -2,6 +2,8 @@ traefik_name: traefik
 traefik_dashboard: false
 traefik_root: "/opt/{{ traefik_name }}"
 traefik_production: false
+traefik_hsts_preload: false
+traefik_hsts_seconds: 0
 traefik_ports:
   - "80:80"
   - "443:443"

roles/traefik/files/tls.yml

@@ -1,4 +0,0 @@
-tls:
-  options:
-    default:
-      minVersion: VersionTLS12

roles/traefik/tasks/main.yml

@@ -9,10 +9,10 @@
     dest: "{{ traefik_root }}/config/traefik.yml"
   notify: restart_traefik
 
-- name: Install dynamic Traefik configuration
-  copy:
-    src: tls.yml
-    dest: "{{ traefik_root }}/config/dynamic/tls.yml"
+- name: Install dynamic security configuration
+  template:
+    src: security.yml.j2
+    dest: "{{ traefik_root }}/config/dynamic/security.yml"
     owner: root
     group: root
     mode: 0600

roles/traefik/templates/security.yml.j2

@@ -0,0 +1,15 @@
+tls:
+  options:
+    default:
+      minVersion: VersionTLS12
+
+http:
+  middlewares:
+    securehttps:
+      headers:
+        frameDeny: true
+        sslRedirect: true
+        browserXssFilter: true
+        contentTypeNosniff: true
+        stsPreload: {{ traefik_hsts_preload }}
+        stsSeconds: {{ traefik_hsts_seconds }}